From 4cbabe57a81c8767457ef695bab472bca86a6dbe Mon Sep 17 00:00:00 2001
From: Newman Chow <newman@oursky.com>
Date: Wed, 2 Oct 2024 15:34:46 +0800
Subject: [PATCH 01/17] Implement identity and authenticator backend actions
 for account management

---
 pkg/auth/wire_gen.go                          | 310 +++++++-----------
 pkg/lib/accountmanagement/service.go          |  31 +-
 pkg/lib/accountmanagement/service_identity.go | 258 ++++++++++-----
 pkg/lib/accountmanagement/token_test.go       |   5 +-
 pkg/lib/deps/deps_common.go                   |   4 +-
 5 files changed, 320 insertions(+), 288 deletions(-)

diff --git a/pkg/auth/wire_gen.go b/pkg/auth/wire_gen.go
index 3841296759..7c3d6f1520 100644
--- a/pkg/auth/wire_gen.go
+++ b/pkg/auth/wire_gen.go
@@ -80188,41 +80188,66 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 		Logger: jsonResponseWriterLogger,
 	}
 	handle := appProvider.AppDatabase
+	request := p.Request
+	contextContext := deps.ProvideRequestContext(request)
 	appContext := appProvider.AppContext
 	config := appContext.Config
 	appConfig := config.AppConfig
-	secretConfig := config.SecretConfig
-	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
 	appID := appConfig.ID
-	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	request := p.Request
-	contextContext := deps.ProvideRequestContext(request)
-	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	appredisHandle := appProvider.Redis
 	clockClock := _wireSystemClockValue
-	store := &user.Store{
-		SQLBuilder:  sqlBuilderApp,
-		SQLExecutor: sqlExecutor,
-		Clock:       clockClock,
-		AppID:       appID,
+	redisStore := &accountmanagement.RedisStore{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+		Clock:   clockClock,
 	}
-	rawCommands := &user.RawCommands{
-		Store: store,
-		Clock: clockClock,
+	identityConfig := appConfig.Identity
+	secretConfig := config.SecretConfig
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	loginIDConfig := identityConfig.LoginID
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
 	}
-	rawQueries := &user.RawQueries{
-		Store: store,
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
 	}
 	rootProvider := appProvider.RootProvider
 	environmentConfig := rootProvider.EnvironmentConfig
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
 	trustProxy := environmentConfig.TrustProxy
 	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
 	userAgentString := deps.ProvideUserAgentString(request)
 	logger := event.NewLogger(factory)
 	localizationConfig := appConfig.Localization
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
 	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
 	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	store := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: store,
+	}
 	authenticationConfig := appConfig.Authentication
-	identityConfig := appConfig.Identity
 	featureConfig := config.FeatureConfig
 	identityFeatureConfig := featureConfig.Identity
 	serviceStore := &service.Store{
@@ -80233,7 +80258,6 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 	}
-	loginIDConfig := identityConfig.LoginID
 	uiConfig := appConfig.UI
 	manager := appContext.Resources
 	typeCheckerFactory := &loginid.TypeCheckerFactory{
@@ -80245,9 +80269,6 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 		Config:             loginIDConfig,
 		TypeCheckerFactory: typeCheckerFactory,
 	}
-	normalizerFactory := &loginid.NormalizerFactory{
-		Config: loginIDConfig,
-	}
 	provider := &loginid.Provider{
 		Store:             loginidStore,
 		Config:            loginIDConfig,
@@ -80285,7 +80306,6 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 	}
-	appredisHandle := appProvider.Redis
 	store2 := &passkey2.Store{
 		Context: contextContext,
 		Redis:   appredisHandle,
@@ -80376,9 +80396,6 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 	}
-	normalizer := &stdattrs.Normalizer{
-		LoginIDNormalizerFactory: normalizerFactory,
-	}
 	ldapProvider := &ldap.Provider{
 		Store:                        ldapStore,
 		Clock:                        clockClock,
@@ -80661,42 +80678,6 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 		Database: handle,
 	}
 	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
-	userCommands := &user.Commands{
-		RawCommands:        rawCommands,
-		RawQueries:         rawQueries,
-		Events:             eventService,
-		Verification:       verificationService,
-		UserProfileConfig:  userProfileConfig,
-		StandardAttributes: serviceNoEvent,
-		CustomAttributes:   customattrsServiceNoEvent,
-		Web3:               web3Service,
-		RolesAndGroups:     queries,
-	}
-	userProvider := &user.Provider{
-		Commands: userCommands,
-		Queries:  userQueries,
-	}
-	redisStore := &accountmanagement.RedisStore{
-		Context: contextContext,
-		AppID:   appID,
-		Redis:   appredisHandle,
-		Clock:   clockClock,
-	}
-	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
-	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
-	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
-		Context: contextContext,
-		AppID:   appID,
-		Redis:   appredisHandle,
-	}
-	oAuthProviderFactory := &sso.OAuthProviderFactory{
-		IdentityConfig:               identityConfig,
-		Credentials:                  oAuthSSOProviderCredentials,
-		Clock:                        clockClock,
-		StandardAttributesNormalizer: normalizer,
-		HTTPClient:                   oAuthHTTPClient,
-		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
-	}
 	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
 		Redis: appredisHandle,
 		AppID: appID,
@@ -80777,6 +80758,21 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 		Sender:      sender,
 		Translation: translationService,
 	}
+	rawCommands := &user.RawCommands{
+		Store: store,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
 	stdattrsService := &stdattrs2.Service{
 		UserProfileConfig: userProfileConfig,
 		ServiceNoEvent:    serviceNoEvent,
@@ -80901,39 +80897,12 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 	identityFacade := &facade.IdentityFacade{
 		Coordinator: coordinator,
 	}
-	messageSender := &otp.MessageSender{
-		AppID:           appID,
-		Translation:     translationService,
-		Endpoints:       endpointsEndpoints,
-		Sender:          sender,
-		WhatsappService: whatsappService,
-	}
-	authenticatorFacade := facade.AuthenticatorFacade{
-		Coordinator: coordinator,
-	}
-	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
-		Context: contextContext,
-		Redis:   appredisHandle,
-		AppID:   appID,
-	}
-	uiService := &authenticationinfo.UIService{
-		EndpointsProvider: endpointsEndpoints,
-	}
 	accountmanagementService := &accountmanagement.Service{
-		Database:                  handle,
-		Config:                    appConfig,
-		Users:                     userProvider,
-		Store:                     redisStore,
-		OAuthProvider:             oAuthProviderFactory,
-		Identities:                identityFacade,
-		Events:                    eventService,
-		OTPSender:                 messageSender,
-		OTPCodeService:            otpService,
-		Authenticators:            authenticatorFacade,
-		AuthenticationInfoService: authenticationinfoStoreRedis,
-		PasskeyService:            passkeyService,
-		Verification:              verificationService,
-		UIInfoResolver:            uiService,
+		Database:      handle,
+		Store:         redisStore,
+		OAuthProvider: oAuthProviderFactory,
+		Identities:    identityFacade,
+		Events:        eventService,
 	}
 	accountManagementV1IdentificationHandler := &api.AccountManagementV1IdentificationHandler{
 		JSON:    jsonResponseWriter,
@@ -80950,41 +80919,66 @@ func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider
 		Logger: jsonResponseWriterLogger,
 	}
 	handle := appProvider.AppDatabase
+	request := p.Request
+	contextContext := deps.ProvideRequestContext(request)
 	appContext := appProvider.AppContext
 	config := appContext.Config
 	appConfig := config.AppConfig
-	secretConfig := config.SecretConfig
-	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
 	appID := appConfig.ID
-	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	request := p.Request
-	contextContext := deps.ProvideRequestContext(request)
-	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	appredisHandle := appProvider.Redis
 	clockClock := _wireSystemClockValue
-	store := &user.Store{
-		SQLBuilder:  sqlBuilderApp,
-		SQLExecutor: sqlExecutor,
-		Clock:       clockClock,
-		AppID:       appID,
+	redisStore := &accountmanagement.RedisStore{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+		Clock:   clockClock,
 	}
-	rawCommands := &user.RawCommands{
-		Store: store,
-		Clock: clockClock,
+	identityConfig := appConfig.Identity
+	secretConfig := config.SecretConfig
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	loginIDConfig := identityConfig.LoginID
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
 	}
-	rawQueries := &user.RawQueries{
-		Store: store,
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
 	}
 	rootProvider := appProvider.RootProvider
 	environmentConfig := rootProvider.EnvironmentConfig
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
 	trustProxy := environmentConfig.TrustProxy
 	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
 	userAgentString := deps.ProvideUserAgentString(request)
 	logger := event.NewLogger(factory)
 	localizationConfig := appConfig.Localization
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
 	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
 	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	store := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: store,
+	}
 	authenticationConfig := appConfig.Authentication
-	identityConfig := appConfig.Identity
 	featureConfig := config.FeatureConfig
 	identityFeatureConfig := featureConfig.Identity
 	serviceStore := &service.Store{
@@ -80995,7 +80989,6 @@ func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 	}
-	loginIDConfig := identityConfig.LoginID
 	uiConfig := appConfig.UI
 	manager := appContext.Resources
 	typeCheckerFactory := &loginid.TypeCheckerFactory{
@@ -81007,9 +81000,6 @@ func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider
 		Config:             loginIDConfig,
 		TypeCheckerFactory: typeCheckerFactory,
 	}
-	normalizerFactory := &loginid.NormalizerFactory{
-		Config: loginIDConfig,
-	}
 	provider := &loginid.Provider{
 		Store:             loginidStore,
 		Config:            loginIDConfig,
@@ -81047,7 +81037,6 @@ func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 	}
-	appredisHandle := appProvider.Redis
 	store2 := &passkey2.Store{
 		Context: contextContext,
 		Redis:   appredisHandle,
@@ -81138,9 +81127,6 @@ func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 	}
-	normalizer := &stdattrs.Normalizer{
-		LoginIDNormalizerFactory: normalizerFactory,
-	}
 	ldapProvider := &ldap.Provider{
 		Store:                        ldapStore,
 		Clock:                        clockClock,
@@ -81423,42 +81409,6 @@ func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider
 		Database: handle,
 	}
 	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
-	userCommands := &user.Commands{
-		RawCommands:        rawCommands,
-		RawQueries:         rawQueries,
-		Events:             eventService,
-		Verification:       verificationService,
-		UserProfileConfig:  userProfileConfig,
-		StandardAttributes: serviceNoEvent,
-		CustomAttributes:   customattrsServiceNoEvent,
-		Web3:               web3Service,
-		RolesAndGroups:     queries,
-	}
-	userProvider := &user.Provider{
-		Commands: userCommands,
-		Queries:  userQueries,
-	}
-	redisStore := &accountmanagement.RedisStore{
-		Context: contextContext,
-		AppID:   appID,
-		Redis:   appredisHandle,
-		Clock:   clockClock,
-	}
-	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
-	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
-	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
-		Context: contextContext,
-		AppID:   appID,
-		Redis:   appredisHandle,
-	}
-	oAuthProviderFactory := &sso.OAuthProviderFactory{
-		IdentityConfig:               identityConfig,
-		Credentials:                  oAuthSSOProviderCredentials,
-		Clock:                        clockClock,
-		StandardAttributesNormalizer: normalizer,
-		HTTPClient:                   oAuthHTTPClient,
-		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
-	}
 	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
 		Redis: appredisHandle,
 		AppID: appID,
@@ -81539,6 +81489,21 @@ func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider
 		Sender:      sender,
 		Translation: translationService,
 	}
+	rawCommands := &user.RawCommands{
+		Store: store,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
 	stdattrsService := &stdattrs2.Service{
 		UserProfileConfig: userProfileConfig,
 		ServiceNoEvent:    serviceNoEvent,
@@ -81663,39 +81628,12 @@ func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider
 	identityFacade := &facade.IdentityFacade{
 		Coordinator: coordinator,
 	}
-	messageSender := &otp.MessageSender{
-		AppID:           appID,
-		Translation:     translationService,
-		Endpoints:       endpointsEndpoints,
-		Sender:          sender,
-		WhatsappService: whatsappService,
-	}
-	authenticatorFacade := facade.AuthenticatorFacade{
-		Coordinator: coordinator,
-	}
-	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
-		Context: contextContext,
-		Redis:   appredisHandle,
-		AppID:   appID,
-	}
-	uiService := &authenticationinfo.UIService{
-		EndpointsProvider: endpointsEndpoints,
-	}
 	accountmanagementService := &accountmanagement.Service{
-		Database:                  handle,
-		Config:                    appConfig,
-		Users:                     userProvider,
-		Store:                     redisStore,
-		OAuthProvider:             oAuthProviderFactory,
-		Identities:                identityFacade,
-		Events:                    eventService,
-		OTPSender:                 messageSender,
-		OTPCodeService:            otpService,
-		Authenticators:            authenticatorFacade,
-		AuthenticationInfoService: authenticationinfoStoreRedis,
-		PasskeyService:            passkeyService,
-		Verification:              verificationService,
-		UIInfoResolver:            uiService,
+		Database:      handle,
+		Store:         redisStore,
+		OAuthProvider: oAuthProviderFactory,
+		Identities:    identityFacade,
+		Events:        eventService,
 	}
 	accountManagementV1IdentificationOAuthHandler := &api.AccountManagementV1IdentificationOAuthHandler{
 		JSON:    jsonResponseWriter,
diff --git a/pkg/lib/accountmanagement/service.go b/pkg/lib/accountmanagement/service.go
index 716617afb3..5a59b10261 100644
--- a/pkg/lib/accountmanagement/service.go
+++ b/pkg/lib/accountmanagement/service.go
@@ -76,7 +76,7 @@ type PasskeyService interface {
 	ConsumeAttestationResponse(attestationResponse []byte) (err error)
 }
 
-type UIInfoResolver interface {
+type SettingsDeleteAccountSuccessUIInfoResolver interface {
 	SetAuthenticationInfoInQuery(redirectURI string, e *authenticationinfo.Entry) string
 }
 
@@ -110,7 +110,7 @@ type Service struct {
 	AuthenticationInfoService AuthenticationInfoService
 	PasskeyService            PasskeyService
 	Verification              VerificationService
-	UIInfoResolver            UIInfoResolver
+	UIInfoResolver            SettingsDeleteAccountSuccessUIInfoResolver
 }
 
 type StartAddingInput struct {
@@ -259,6 +259,19 @@ func (s *Service) FinishAdding(input *FinishAddingInput) (*FinishAddingOutput, e
 	return &FinishAddingOutput{}, nil
 }
 
+func (s *Service) GetToken(resolvedSession session.ResolvedSession, tokenString string) (*Token, error) {
+	userID := resolvedSession.GetAuthenticationInfo().UserID
+	token, err := s.Store.GetToken(tokenString)
+	if err != nil {
+		return nil, err
+	}
+	err = token.CheckUser(userID)
+	if err != nil {
+		return nil, err
+	}
+	return token, nil
+}
+
 func (s *Service) ResendOTPCode(resolvedSession session.ResolvedSession, tokenString string) (err error) {
 	userID := resolvedSession.GetAuthenticationInfo().UserID
 
@@ -286,12 +299,14 @@ func (s *Service) ResendOTPCode(resolvedSession session.ResolvedSession, tokenSt
 		panic(fmt.Errorf("accountmanagement: unexpected token in resend otp code"))
 	}
 
-	err = s.sendOTPCode(
-		userID,
-		channel,
-		target,
-		true,
-	)
+	err = s.Database.WithTx(func() error {
+		return s.sendOTPCode(
+			userID,
+			channel,
+			target,
+			true,
+		)
+	})
 	if err != nil {
 		return err
 	}
diff --git a/pkg/lib/accountmanagement/service_identity.go b/pkg/lib/accountmanagement/service_identity.go
index 8ec9d61f0d..766265b50f 100644
--- a/pkg/lib/accountmanagement/service_identity.go
+++ b/pkg/lib/accountmanagement/service_identity.go
@@ -177,13 +177,24 @@ func (s *Service) StartAddIdentityEmail(resolvedSession session.ResolvedSession,
 			return err
 		}
 
-		verified, err := s.checkIdentityVerified(info)
+		verified, err := s.CheckIdentityVerified(info)
 		if err != nil {
 			return err
 		}
 		needVerification = !verified
-
-		if !verified {
+		if needVerification {
+			channel, target := info.LoginID.ToChannelTarget()
+			err = s.sendOTPCode(userID, channel, target, false)
+			if err != nil {
+				return err
+			}
+			token, err = s.Store.GenerateToken(GenerateTokenOptions{
+				UserID: userID,
+				Email:  info.LoginID.LoginID,
+			})
+			if err != nil {
+				return err
+			}
 			return nil
 		}
 
@@ -203,21 +214,6 @@ func (s *Service) StartAddIdentityEmail(resolvedSession session.ResolvedSession,
 		return nil, err
 	}
 
-	if needVerification {
-		channel, target := info.LoginID.ToChannelTarget()
-		err = s.sendOTPCode(userID, channel, target, false)
-		if err != nil {
-			return nil, err
-		}
-		token, err = s.Store.GenerateToken(GenerateTokenOptions{
-			UserID: userID,
-			Email:  info.LoginID.LoginID,
-		})
-		if err != nil {
-			return nil, err
-		}
-	}
-
 	return &StartAddIdentityEmailOutput{
 		IdentityInfo:     info,
 		NeedVerification: needVerification,
@@ -307,7 +303,8 @@ type StartUpdateIdentityEmailInput struct {
 }
 
 type StartUpdateIdentityEmailOutput struct {
-	IdentityInfo     *identity.Info
+	OldInfo          *identity.Info
+	NewInfo          *identity.Info
 	NeedVerification bool
 	Token            string
 }
@@ -322,7 +319,8 @@ func (s *Service) StartUpdateIdentityEmail(resolvedSession session.ResolvedSessi
 		return nil, err
 	}
 
-	var info *identity.Info
+	var oldInfo *identity.Info
+	var newInfo *identity.Info
 	var token string
 	var needVerification bool
 	err = s.Database.WithTx(func() error {
@@ -330,15 +328,27 @@ func (s *Service) StartUpdateIdentityEmail(resolvedSession session.ResolvedSessi
 		if err != nil {
 			return err
 		}
-		info = newInfo
 
-		verified, err := s.checkIdentityVerified(newInfo)
+		verified, err := s.CheckIdentityVerified(newInfo)
 		if err != nil {
 			return err
 		}
 		needVerification = !verified
 
-		if !verified {
+		if needVerification {
+			channel, target := newInfo.LoginID.ToChannelTarget()
+			err = s.sendOTPCode(userID, channel, target, false)
+			if err != nil {
+				return err
+			}
+			token, err = s.Store.GenerateToken(GenerateTokenOptions{
+				UserID:     userID,
+				Email:      newInfo.LoginID.LoginID,
+				IdentityID: newInfo.ID,
+			})
+			if err != nil {
+				return err
+			}
 			return nil
 		}
 
@@ -358,24 +368,9 @@ func (s *Service) StartUpdateIdentityEmail(resolvedSession session.ResolvedSessi
 		return nil, err
 	}
 
-	if needVerification {
-		channel, target := info.LoginID.ToChannelTarget()
-		err = s.sendOTPCode(userID, channel, target, false)
-		if err != nil {
-			return nil, err
-		}
-		token, err = s.Store.GenerateToken(GenerateTokenOptions{
-			UserID:     userID,
-			Email:      info.LoginID.LoginID,
-			IdentityID: info.ID,
-		})
-		if err != nil {
-			return nil, err
-		}
-	}
-
 	return &StartUpdateIdentityEmailOutput{
-		IdentityInfo:     info,
+		OldInfo:          oldInfo,
+		NewInfo:          newInfo,
 		NeedVerification: needVerification,
 		Token:            token,
 	}, nil
@@ -387,7 +382,8 @@ type ResumeUpdateIdentityEmailInput struct {
 }
 
 type ResumeUpdateIdentityEmailOutput struct {
-	IdentityInfo *identity.Info
+	OldInfo *identity.Info
+	NewInfo *identity.Info
 }
 
 func (s *Service) ResumeUpdateIdentityEmail(resolvedSession session.ResolvedSession, tokenString string, input *ResumeUpdateIdentityEmailInput) (output *ResumeUpdateIdentityEmailOutput, err error) {
@@ -417,24 +413,24 @@ func (s *Service) ResumeUpdateIdentityEmail(resolvedSession session.ResolvedSess
 		return
 	}
 
-	var info *identity.Info
+	var oldInfo *identity.Info
+	var newInfo *identity.Info
 	err = s.Database.WithTx(func() error {
-		oldInfo, newInfo, err := s.prepareUpdateIdentity(userID, token.Identity.IdentityID, spec)
+		oldInfo, newInfo, err = s.prepareUpdateIdentity(userID, token.Identity.IdentityID, spec)
 		if err != nil {
 			return err
 		}
-		info = newInfo
 
 		err = s.updateIdentity(oldInfo, newInfo)
 		if err != nil {
 			return err
 		}
 
-		claimName, ok := model.GetLoginIDKeyTypeClaim(info.LoginID.LoginIDType)
+		claimName, ok := model.GetLoginIDKeyTypeClaim(newInfo.LoginID.LoginIDType)
 		if !ok {
 			panic(fmt.Errorf("accountmanagement: unexpected login ID key"))
 		}
-		err = s.markClaimVerified(userID, claimName, info.LoginID.LoginID)
+		err = s.markClaimVerified(userID, claimName, newInfo.LoginID.LoginID)
 		if err != nil {
 			return err
 		}
@@ -452,11 +448,54 @@ func (s *Service) ResumeUpdateIdentityEmail(resolvedSession session.ResolvedSess
 	}
 
 	output = &ResumeUpdateIdentityEmailOutput{
-		IdentityInfo: info,
+		OldInfo: oldInfo,
+		NewInfo: newInfo,
 	}
 	return
 }
 
+type ResumeAddOrUpdateIdentityEmailInput struct {
+	LoginIDKey string
+	Code       string
+}
+
+type ResumeAddOrUpdateIdentityEmailOutput struct {
+	OldInfo *identity.Info
+	NewInfo *identity.Info
+}
+
+func (s *Service) ResumeAddOrUpdateIdentityEmail(resolvedSession session.ResolvedSession, tokenString string, input *ResumeAddOrUpdateIdentityEmailInput) (*ResumeAddOrUpdateIdentityEmailOutput, error) {
+	token, err := s.Store.GetToken(tokenString)
+	if err != nil {
+		return nil, err
+	}
+
+	if token.Identity.IdentityID == "" {
+		output, err := s.ResumeAddIdentityEmail(resolvedSession, tokenString, &ResumeAddIdentityEmailInput{
+			LoginIDKey: input.LoginIDKey,
+			Code:       input.Code,
+		})
+		if err != nil {
+			return nil, err
+		}
+		return &ResumeAddOrUpdateIdentityEmailOutput{
+			NewInfo: output.IdentityInfo,
+		}, nil
+	}
+
+	output, err := s.ResumeUpdateIdentityEmail(resolvedSession, tokenString, &ResumeUpdateIdentityEmailInput{
+		LoginIDKey: input.LoginIDKey,
+		Code:       input.Code,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return &ResumeAddOrUpdateIdentityEmailOutput{
+		OldInfo: output.OldInfo,
+		NewInfo: output.NewInfo,
+	}, nil
+}
+
 type DeleteIdentityEmailInput struct {
 	IdentityID string
 }
@@ -525,13 +564,25 @@ func (s *Service) StartAddIdentityPhone(resolvedSession session.ResolvedSession,
 			return err
 		}
 
-		verified, err := s.checkIdentityVerified(info)
+		verified, err := s.CheckIdentityVerified(info)
 		if err != nil {
 			return err
 		}
 		needVerification = !verified
 
-		if !verified {
+		if needVerification {
+			channel, target := info.LoginID.ToChannelTarget()
+			err = s.sendOTPCode(userID, channel, target, false)
+			if err != nil {
+				return err
+			}
+			token, err = s.Store.GenerateToken(GenerateTokenOptions{
+				UserID:      userID,
+				PhoneNumber: info.LoginID.LoginID,
+			})
+			if err != nil {
+				return err
+			}
 			return nil
 		}
 
@@ -551,21 +602,6 @@ func (s *Service) StartAddIdentityPhone(resolvedSession session.ResolvedSession,
 		return nil, err
 	}
 
-	if needVerification {
-		channel, target := info.LoginID.ToChannelTarget()
-		err = s.sendOTPCode(userID, channel, target, false)
-		if err != nil {
-			return nil, err
-		}
-		token, err = s.Store.GenerateToken(GenerateTokenOptions{
-			UserID:      userID,
-			PhoneNumber: info.LoginID.LoginID,
-		})
-		if err != nil {
-			return nil, err
-		}
-	}
-
 	return &StartAddIdentityPhoneOutput{
 		IdentityInfo:     info,
 		NeedVerification: needVerification,
@@ -680,13 +716,25 @@ func (s *Service) StartUpdateIdentityPhone(resolvedSession session.ResolvedSessi
 		}
 		info = newInfo
 
-		verified, err := s.checkIdentityVerified(newInfo)
+		verified, err := s.CheckIdentityVerified(newInfo)
 		if err != nil {
 			return err
 		}
 		needVerification = !verified
-
-		if !verified {
+		if needVerification {
+			channel, target := info.LoginID.ToChannelTarget()
+			err = s.sendOTPCode(userID, channel, target, false)
+			if err != nil {
+				return err
+			}
+			token, err = s.Store.GenerateToken(GenerateTokenOptions{
+				UserID:      userID,
+				PhoneNumber: info.LoginID.LoginID,
+				IdentityID:  info.ID,
+			})
+			if err != nil {
+				return err
+			}
 			return nil
 		}
 
@@ -706,22 +754,6 @@ func (s *Service) StartUpdateIdentityPhone(resolvedSession session.ResolvedSessi
 		return nil, err
 	}
 
-	if needVerification {
-		channel, target := info.LoginID.ToChannelTarget()
-		err = s.sendOTPCode(userID, channel, target, false)
-		if err != nil {
-			return nil, err
-		}
-		token, err = s.Store.GenerateToken(GenerateTokenOptions{
-			UserID:      userID,
-			PhoneNumber: info.LoginID.LoginID,
-			IdentityID:  info.ID,
-		})
-		if err != nil {
-			return nil, err
-		}
-	}
-
 	return &StartUpdateIdentityPhoneOutput{
 		IdentityInfo:     info,
 		NeedVerification: needVerification,
@@ -735,7 +767,8 @@ type ResumeUpdateIdentityPhoneInput struct {
 }
 
 type ResumeUpdateIdentityPhoneOutput struct {
-	IdentityInfo *identity.Info
+	OldInfo *identity.Info
+	NewInfo *identity.Info
 }
 
 func (s *Service) ResumeUpdateIdentityPhone(resolvedSession session.ResolvedSession, tokenString string, input *ResumeUpdateIdentityPhoneInput) (output *ResumeUpdateIdentityPhoneOutput, err error) {
@@ -765,24 +798,24 @@ func (s *Service) ResumeUpdateIdentityPhone(resolvedSession session.ResolvedSess
 		return
 	}
 
-	var info *identity.Info
+	var oldInfo *identity.Info
+	var newInfo *identity.Info
 	err = s.Database.WithTx(func() error {
 		oldInfo, newInfo, err := s.prepareUpdateIdentity(userID, token.Identity.IdentityID, spec)
 		if err != nil {
 			return err
 		}
-		info = newInfo
 
 		err = s.updateIdentity(oldInfo, newInfo)
 		if err != nil {
 			return err
 		}
 
-		claimName, ok := model.GetLoginIDKeyTypeClaim(info.LoginID.LoginIDType)
+		claimName, ok := model.GetLoginIDKeyTypeClaim(newInfo.LoginID.LoginIDType)
 		if !ok {
 			panic(fmt.Errorf("accountmanagement: unexpected login ID key"))
 		}
-		err = s.markClaimVerified(userID, claimName, info.LoginID.LoginID)
+		err = s.markClaimVerified(userID, claimName, newInfo.LoginID.LoginID)
 		if err != nil {
 			return err
 		}
@@ -800,11 +833,54 @@ func (s *Service) ResumeUpdateIdentityPhone(resolvedSession session.ResolvedSess
 	}
 
 	output = &ResumeUpdateIdentityPhoneOutput{
-		IdentityInfo: info,
+		OldInfo: oldInfo,
+		NewInfo: newInfo,
 	}
 	return
 }
 
+type ResumeAddOrUpdateIdentityPhoneInput struct {
+	LoginIDKey string
+	Code       string
+}
+
+type ResumeAddOrUpdateIdentityPhoneOutput struct {
+	OldInfo *identity.Info
+	NewInfo *identity.Info
+}
+
+func (s *Service) ResumeAddOrUpdateIdentityPhone(resolvedSession session.ResolvedSession, tokenString string, input *ResumeAddOrUpdateIdentityPhoneInput) (*ResumeAddOrUpdateIdentityPhoneOutput, error) {
+	token, err := s.Store.GetToken(tokenString)
+	if err != nil {
+		return nil, err
+	}
+
+	if token.Identity.IdentityID == "" {
+		output, err := s.ResumeAddIdentityPhone(resolvedSession, tokenString, &ResumeAddIdentityPhoneInput{
+			LoginIDKey: input.LoginIDKey,
+			Code:       input.Code,
+		})
+		if err != nil {
+			return nil, err
+		}
+		return &ResumeAddOrUpdateIdentityPhoneOutput{
+			NewInfo: output.IdentityInfo,
+		}, nil
+	}
+
+	output, err := s.ResumeUpdateIdentityPhone(resolvedSession, tokenString, &ResumeUpdateIdentityPhoneInput{
+		LoginIDKey: input.LoginIDKey,
+		Code:       input.Code,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return &ResumeAddOrUpdateIdentityPhoneOutput{
+		OldInfo: output.OldInfo,
+		NewInfo: output.NewInfo,
+	}, nil
+}
+
 type DeleteIdentityPhoneInput struct {
 	IdentityID string
 }
@@ -813,7 +889,7 @@ type DeleteIdentityPhoneOutput struct {
 	IdentityInfo *identity.Info
 }
 
-func (s *Service) DeleteIdentityPhone(resolvedSession session.ResolvedSession, input *DeleteIdentityEmailInput) (*DeleteIdentityPhoneOutput, error) {
+func (s *Service) DeleteIdentityPhone(resolvedSession session.ResolvedSession, input *DeleteIdentityPhoneInput) (*DeleteIdentityPhoneOutput, error) {
 	userID := resolvedSession.GetAuthenticationInfo().UserID
 	identityID := input.IdentityID
 
@@ -1083,7 +1159,7 @@ func (s *Service) prepareDeleteIdentity(userID string, identityID string) (*iden
 	return info, nil
 }
 
-func (s *Service) checkIdentityVerified(info *identity.Info) (bool, error) {
+func (s *Service) CheckIdentityVerified(info *identity.Info) (bool, error) {
 	claims, err := s.Verification.GetIdentityVerificationStatus(info)
 	if err != nil {
 		return false, err
diff --git a/pkg/lib/accountmanagement/token_test.go b/pkg/lib/accountmanagement/token_test.go
index 98655978ac..9a6868ba00 100644
--- a/pkg/lib/accountmanagement/token_test.go
+++ b/pkg/lib/accountmanagement/token_test.go
@@ -14,7 +14,10 @@ func TestTokenCheckUser(t *testing.T) {
 		err := token.CheckUser("")
 		So(errors.Is(err, ErrAccountManagementTokenNotBoundToUser), ShouldBeTrue)
 
-		err = token.CheckUser("user")
+		err = token.CheckUser_OAuth("")
+		So(errors.Is(err, ErrOAuthTokenNotBoundToUser), ShouldBeTrue)
+
+		err = token.CheckUser_OAuth("user")
 		So(err, ShouldBeNil)
 	})
 }
diff --git a/pkg/lib/deps/deps_common.go b/pkg/lib/deps/deps_common.go
index c1e7b385ef..f877b859ac 100644
--- a/pkg/lib/deps/deps_common.go
+++ b/pkg/lib/deps/deps_common.go
@@ -116,7 +116,6 @@ var CommonDependencySet = wire.NewSet(
 		wire.Bind(new(authenticationflow.ServiceUIInfoResolver), new(*authenticationinfo.UIService)),
 		wire.Bind(new(webapp.SelectAccountUIInfoResolver), new(*authenticationinfo.UIService)),
 		wire.Bind(new(handlerwebappauthflowv2.SelectAccountUIInfoResolver), new(*authenticationinfo.UIService)),
-		wire.Bind(new(accountmanagement.UIInfoResolver), new(*authenticationinfo.UIService)),
 	),
 
 	wire.NewSet(
@@ -284,6 +283,7 @@ var CommonDependencySet = wire.NewSet(
 
 		identitybiometric.DependencySet,
 		wire.Bind(new(interaction.BiometricIdentityProvider), new(*identitybiometric.Provider)),
+		wire.Bind(new(handlerwebappauthflowv2.BiometricIdentityProvider), new(*identitybiometric.Provider)),
 
 		identitysiwe.DependencySet,
 
@@ -337,8 +337,8 @@ var CommonDependencySet = wire.NewSet(
 		wire.Bind(new(session.UserQuery), new(*user.Queries)),
 		wire.Bind(new(interaction.UserService), new(*user.Provider)),
 		wire.Bind(new(workflow.UserService), new(*user.Provider)),
-		wire.Bind(new(authenticationflow.UserService), new(*user.Provider)),
 		wire.Bind(new(accountmanagement.UserService), new(*user.Provider)),
+		wire.Bind(new(authenticationflow.UserService), new(*user.Provider)),
 		wire.Bind(new(oidc.UserProvider), new(*user.Queries)),
 		wire.Bind(new(featurestdattrs.UserQueries), new(*user.RawQueries)),
 		wire.Bind(new(featurestdattrs.UserStore), new(*user.Store)),

From ce6ddfb22246ba0856662022eeef8ad00f108963 Mon Sep 17 00:00:00 2001
From: Newman Chow <newman@oursky.com>
Date: Wed, 2 Oct 2024 17:42:02 +0800
Subject: [PATCH 02/17] Implement count device tokens

---
 pkg/lib/authn/mfa/service.go                  |  5 ++++
 pkg/lib/authn/mfa/store_device_token_redis.go | 26 +++++++++++++++----
 2 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/pkg/lib/authn/mfa/service.go b/pkg/lib/authn/mfa/service.go
index 2106934678..9bb60bbb04 100644
--- a/pkg/lib/authn/mfa/service.go
+++ b/pkg/lib/authn/mfa/service.go
@@ -23,6 +23,7 @@ type StoreDeviceToken interface {
 	Create(token *DeviceToken) error
 	DeleteAll(userID string) error
 	HasTokens(userID string) (bool, error)
+	Count(userID string) (int, error)
 }
 
 type StoreRecoveryCode interface {
@@ -131,6 +132,10 @@ func (s *Service) HasDeviceTokens(userID string) (bool, error) {
 	return s.DeviceTokens.HasTokens(userID)
 }
 
+func (s *Service) CountDeviceTokens(userID string) (int, error) {
+	return s.DeviceTokens.Count(userID)
+}
+
 func (s *Service) GenerateRecoveryCodes() []string {
 	codes := make([]string, s.Config.RecoveryCode.Count)
 	for i := range codes {
diff --git a/pkg/lib/authn/mfa/store_device_token_redis.go b/pkg/lib/authn/mfa/store_device_token_redis.go
index 9bba0bd67e..3a99ec99e5 100644
--- a/pkg/lib/authn/mfa/store_device_token_redis.go
+++ b/pkg/lib/authn/mfa/store_device_token_redis.go
@@ -21,6 +21,8 @@ type StoreDeviceTokenRedis struct {
 	Clock clock.Clock
 }
 
+var _ StoreDeviceToken = &StoreDeviceTokenRedis{}
+
 func (s *StoreDeviceTokenRedis) Get(userID string, token string) (*DeviceToken, error) {
 	var deviceToken *DeviceToken
 	err := s.Redis.WithConn(func(conn redis.Redis_6_0_Cmdable) error {
@@ -108,24 +110,38 @@ func (s *StoreDeviceTokenRedis) DeleteAll(userID string) error {
 }
 
 func (s *StoreDeviceTokenRedis) HasTokens(userID string) (bool, error) {
-	hasTokens := false
+	count, err := s.Count(userID)
+	if err != nil {
+		return false, err
+	}
+	hasTokens := count > 0
+	return hasTokens, nil
+}
+
+func (s *StoreDeviceTokenRedis) Count(userID string) (int, error) {
+	count := 0
 
 	err := s.Redis.WithConn(func(conn redis.Redis_6_0_Cmdable) error {
 		ctx := context.Background()
 		key := redisDeviceTokensKey(s.AppID, userID)
-		_, err := conn.Get(ctx, key).Bytes()
+		data, err := conn.Get(ctx, key).Bytes()
 		if err != nil {
 			if errors.Is(err, goredis.Nil) {
-				hasTokens = false
 				return nil
 			}
 			return err
 		}
-		hasTokens = true
+
+		tokens := map[string]*DeviceToken{}
+		if err := json.Unmarshal(data, &tokens); err != nil {
+			return err
+		}
+
+		count = len(tokens)
 		return nil
 	})
 
-	return hasTokens, err
+	return count, err
 }
 
 func (s *StoreDeviceTokenRedis) saveTokens(conn redis.Redis_6_0_Cmdable, key string, tokens map[string]*DeviceToken, ttl time.Duration) error {

From b953c11c2cbda1be56b09653bf7838da552cd686 Mon Sep 17 00:00:00 2001
From: Newman Chow <newman@oursky.com>
Date: Wed, 2 Oct 2024 17:44:47 +0800
Subject: [PATCH 03/17] Implement settings v2 handlers for homepage, manage
 identities and mfa password

---
 authui/src/authflowv2.ts                      |     5 +
 authui/src/authflowv2/base.css                |     4 +
 authui/src/authflowv2/components.css          |     5 +
 .../src/authflowv2/components/body-text.css   |     2 +-
 .../src/authflowv2/components/otp-input.css   |     1 +
 .../authflowv2/components/primary-button.css  |     7 +
 .../components/settings-action-item.css       |   115 +
 .../components/settings-description.css       |     7 +
 .../authflowv2/components/settings-dialog.css |    15 +
 .../components/settings-headline.css          |    30 +
 .../authflowv2/components/settings-item.css   |    40 +-
 .../components/settings-link-button.css       |    95 +
 .../components/settings-text-color.css        |     9 +
 authui/src/authflowv2/settingsDialog.ts       |    16 +
 pkg/auth/deps.go                              |     2 +
 pkg/auth/handler/webapp/account_status.go     |     2 +-
 pkg/auth/handler/webapp/authflowv2/deps.go    |    28 +
 .../handler/webapp/authflowv2/not_found.go    |     2 +-
 .../webapp/authflowv2/reset_password.go       |     2 +-
 pkg/auth/handler/webapp/authflowv2/routes.go  |    26 +
 .../webapp/authflowv2/select_account.go       |     4 +-
 .../handler/webapp/authflowv2/settings.go     |    14 +-
 .../webapp/authflowv2/settings_advanced.go    |    55 +
 .../webapp/authflowv2/settings_biometric.go   |   122 +
 .../authflowv2/settings_change_password.go    |   123 +
 .../authflowv2/settings_delete_account.go     |   131 +
 .../settings_delete_account_success.go        |    87 +
 .../authflowv2/settings_identity_add_email.go |   130 +
 .../authflowv2/settings_identity_add_phone.go |   129 +
 .../settings_identity_change_primary_email.go |   151 +
 .../settings_identity_change_primary_phone.go |   146 +
 .../settings_identity_edit_email.go           |   153 +
 .../settings_identity_edit_phone.go           |   155 +
 .../settings_identity_edit_username.go        |   127 +
 .../settings_identity_list_email.go           |   132 +
 .../settings_identity_list_phone.go           |   132 +
 .../settings_identity_list_username.go        |   101 +
 .../settings_identity_new_username.go         |   115 +
 .../settings_identity_verify_email.go         |   189 +
 .../settings_identity_verify_phone.go         |   194 +
 .../settings_identity_view_email.go           |   201 +
 .../settings_identity_view_phone.go           |   201 +
 .../settings_identity_view_username.go        |   138 +
 .../handler/webapp/authflowv2/settings_mfa.go |    73 +
 .../settings_mfa_create_password.go           |   111 +
 .../authflowv2/settings_mfa_password.go       |    72 +
 .../webapp/authflowv2/settings_oob_otp.go     |    90 +
 .../webapp/authflowv2/settings_passkey.go     |   157 +
 .../webapp/authflowv2/settings_profile.go     |     2 +-
 .../authflowv2/settings_profile_edit.go       |    23 +-
 .../webapp/authflowv2/settings_sessions.go    |   177 +
 .../webapp/authflowv2/settings_totp.go        |    83 +
 .../webapp/authflowv2/verify_login_link.go    |     2 +-
 pkg/auth/handler/webapp/change_password.go    |     2 +-
 .../webapp/change_secondary_password.go       |     2 +-
 .../confirm_terminate_other_sessions.go       |     2 +-
 .../handler/webapp/confirm_web3_account.go    |     2 +-
 pkg/auth/handler/webapp/controller.go         |    28 +-
 pkg/auth/handler/webapp/create_passkey.go     |     2 +-
 pkg/auth/handler/webapp/create_password.go    |     2 +-
 pkg/auth/handler/webapp/enter_login_id.go     |     2 +-
 pkg/auth/handler/webapp/enter_oob_otp.go      |     2 +-
 pkg/auth/handler/webapp/enter_password.go     |     2 +-
 .../handler/webapp/enter_recovery_code.go     |     2 +-
 pkg/auth/handler/webapp/enter_totp.go         |     2 +-
 pkg/auth/handler/webapp/error.go              |     2 +-
 .../handler/webapp/error_feature_disabled.go  |     2 +-
 pkg/auth/handler/webapp/forgot_password.go    |     2 +-
 .../handler/webapp/forgot_password_success.go |     2 +-
 pkg/auth/handler/webapp/login.go              |     2 +-
 pkg/auth/handler/webapp/login_link_otp.go     |     2 +-
 pkg/auth/handler/webapp/logout.go             |     2 +-
 .../handler/webapp/missing_web3_wallet.go     |     2 +-
 pkg/auth/handler/webapp/not_found.go          |     2 +-
 pkg/auth/handler/webapp/promote.go            |     2 +-
 .../handler/webapp/prompt_create_passkey.go   |     2 +-
 pkg/auth/handler/webapp/reauth.go             |     2 +-
 pkg/auth/handler/webapp/reset_password.go     |     2 +-
 .../handler/webapp/reset_password_success.go  |     2 +-
 pkg/auth/handler/webapp/return.go             |     2 +-
 pkg/auth/handler/webapp/select_account.go     |     4 +-
 pkg/auth/handler/webapp/settings.go           |     2 +-
 pkg/auth/handler/webapp/settings_biometric.go |     2 +-
 .../webapp/settings_change_password.go        |     2 +-
 .../settings_change_secondary_password.go     |     2 +-
 .../handler/webapp/settings_delete_account.go |     2 +-
 .../webapp/settings_delete_account_success.go |     4 +-
 pkg/auth/handler/webapp/settings_identity.go  |     2 +-
 pkg/auth/handler/webapp/settings_mfa.go       |     2 +-
 pkg/auth/handler/webapp/settings_oob_otp.go   |     2 +-
 pkg/auth/handler/webapp/settings_passkey.go   |     2 +-
 pkg/auth/handler/webapp/settings_profile.go   |     2 +-
 .../handler/webapp/settings_profile_edit.go   |     2 +-
 .../handler/webapp/settings_recovery_code.go  |     2 +-
 pkg/auth/handler/webapp/settings_sessions.go  |     2 +-
 pkg/auth/handler/webapp/settings_totp.go      |     2 +-
 .../handler/webapp/setup_login_link_otp.go    |     2 +-
 pkg/auth/handler/webapp/setup_oob_otp.go      |     2 +-
 .../handler/webapp/setup_recovery_code.go     |     2 +-
 pkg/auth/handler/webapp/setup_totp.go         |     2 +-
 pkg/auth/handler/webapp/setup_whatsapp_otp.go |     2 +-
 pkg/auth/handler/webapp/signup.go             |     2 +-
 pkg/auth/handler/webapp/sso_callback.go       |     2 +-
 pkg/auth/handler/webapp/tester.go             |     2 +-
 pkg/auth/handler/webapp/use_passkey.go        |     2 +-
 pkg/auth/handler/webapp/verify_identity.go    |     2 +-
 .../handler/webapp/verify_identity_success.go |     2 +-
 pkg/auth/handler/webapp/verify_login_link.go  |     2 +-
 .../handler/webapp/viewmodels/settings.go     |     7 +-
 pkg/auth/handler/webapp/wechat_auth.go        |     2 +-
 pkg/auth/handler/webapp/wechat_callback.go    |     2 +-
 pkg/auth/handler/webapp/whatsapp_otp.go       |     2 +-
 pkg/auth/routes.go                            |    66 +-
 pkg/auth/wire_gen.go                          | 43404 +++++++++++++---
 pkg/auth/wire_handler.go                      |   196 +
 pkg/lib/web/html.go                           |     4 +
 .../authgear/templates/en/translation.json    |   121 +-
 .../templates/en/web/authflowv2/__error.html  |    12 +-
 .../web/authflowv2/__new_password_field.html  |     2 +
 .../en/web/authflowv2/__otp_input.html        |     1 +
 .../en/web/authflowv2/__password_input.html   |    18 +-
 .../en/web/authflowv2/__select_input.html     |     2 +-
 .../authflowv2/__settings_action_item.html    |    61 +
 .../en/web/authflowv2/__settings_dialog.html  |    90 +
 .../en/web/authflowv2/__settings_item.html    |    14 +-
 .../templates/en/web/authflowv2/settings.html |    27 +-
 .../en/web/authflowv2/settings_advanced.html  |    24 +
 .../en/web/authflowv2/settings_biometric.html |    77 +
 .../authflowv2/settings_change_password.html  |   122 +
 .../authflowv2/settings_delete_account.html   |    45 +
 .../settings_delete_account_success.html      |    35 +
 .../settings_identity_add_email.html          |    49 +
 .../settings_identity_add_phone.html          |    58 +
 ...ettings_identity_change_primary_email.html |    55 +
 ...ettings_identity_change_primary_phone.html |    56 +
 .../settings_identity_edit_email.html         |    64 +
 .../settings_identity_edit_phone.html         |    74 +
 .../settings_identity_edit_username.html      |    59 +
 .../settings_identity_list_email.html         |    86 +
 .../settings_identity_list_phone.html         |    86 +
 .../settings_identity_list_username.html      |    41 +
 .../settings_identity_new_username.html       |    52 +
 .../settings_identity_verify_email.html       |    76 +
 .../settings_identity_verify_phone.html       |    76 +
 .../settings_identity_view_email.html         |   126 +
 .../settings_identity_view_phone.html         |   123 +
 .../settings_identity_view_username.html      |    78 +
 .../en/web/authflowv2/settings_mfa.html       |   151 +
 .../settings_mfa_create_password.html         |    96 +
 .../web/authflowv2/settings_mfa_password.html |    79 +
 .../en/web/authflowv2/settings_oob_otp.html   |    70 +
 .../en/web/authflowv2/settings_passkey.html   |   103 +
 .../en/web/authflowv2/settings_profile.html   |    54 +-
 .../settings_profile_edit_address.html        |     2 +-
 .../settings_profile_edit_birthdate.html      |     2 +-
 .../settings_profile_edit_custom.html         |   196 +
 .../settings_profile_edit_locale.html         |     2 +-
 .../settings_profile_edit_name.html           |     2 +-
 .../settings_profile_edit_zoneinfo.html       |     2 +-
 .../en/web/authflowv2/settings_sessions.html  |   121 +
 .../en/web/authflowv2/settings_totp.html      |    57 +
 161 files changed, 42289 insertions(+), 8414 deletions(-)
 create mode 100644 authui/src/authflowv2/components/settings-action-item.css
 create mode 100644 authui/src/authflowv2/components/settings-dialog.css
 create mode 100644 authui/src/authflowv2/components/settings-headline.css
 create mode 100644 authui/src/authflowv2/components/settings-link-button.css
 create mode 100644 authui/src/authflowv2/components/settings-text-color.css
 create mode 100644 authui/src/authflowv2/settingsDialog.ts
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_advanced.go
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_biometric.go
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_change_password.go
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_delete_account.go
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_delete_account_success.go
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_identity_add_email.go
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_identity_add_phone.go
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_identity_change_primary_email.go
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_identity_change_primary_phone.go
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_identity_edit_email.go
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_identity_edit_phone.go
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_identity_edit_username.go
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_identity_list_email.go
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_identity_list_phone.go
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_identity_list_username.go
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_identity_new_username.go
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_identity_verify_email.go
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_identity_verify_phone.go
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_identity_view_email.go
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_identity_view_phone.go
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_identity_view_username.go
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_mfa.go
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_mfa_create_password.go
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_mfa_password.go
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_oob_otp.go
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_passkey.go
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_sessions.go
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_totp.go
 create mode 100644 resources/authgear/templates/en/web/authflowv2/__settings_action_item.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/__settings_dialog.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_advanced.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_biometric.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_change_password.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_delete_account.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_delete_account_success.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_identity_add_email.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_identity_add_phone.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_identity_change_primary_email.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_identity_change_primary_phone.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_identity_edit_email.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_identity_edit_phone.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_identity_edit_username.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_identity_list_email.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_identity_list_phone.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_identity_list_username.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_identity_new_username.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_identity_verify_email.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_identity_verify_phone.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_identity_view_email.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_identity_view_phone.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_identity_view_username.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_mfa.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_mfa_create_password.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_mfa_password.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_oob_otp.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_passkey.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_profile_edit_custom.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_sessions.html
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_totp.html

diff --git a/authui/src/authflowv2.ts b/authui/src/authflowv2.ts
index 9458870cac..d300f93311 100644
--- a/authui/src/authflowv2.ts
+++ b/authui/src/authflowv2.ts
@@ -50,6 +50,8 @@ import { DialogController } from "./authflowv2/dialog";
 import { BotProtectionStandalonePageController } from "./authflowv2/botprotection/botProtectionStandalonePage";
 import { ImagePickerController } from "./imagepicker";
 import { SelectInputController } from "./authflowv2/selectInput";
+import { SettingsDialogController } from "./authflowv2/settingsDialog";
+import { AccountDeletionController } from "./accountdeletion";
 
 axios.defaults.withCredentials = true;
 
@@ -96,6 +98,7 @@ Stimulus.register("image-picker", ImagePickerController);
 
 Stimulus.register("text-field", TextFieldController);
 Stimulus.register("dialog", DialogController);
+Stimulus.register("settings-dialog", SettingsDialogController);
 Stimulus.register("overlay", OverlayController);
 Stimulus.register("loading", LoadingController);
 Stimulus.register("new-password-field", NewPasswordFieldController);
@@ -135,4 +138,6 @@ Stimulus.register("bot-protection", BotProtectionController);
 Stimulus.register("bot-protection-dialog", BotProtectionDialogController);
 Stimulus.register("select-input", SelectInputController);
 
+Stimulus.register("account-deletion", AccountDeletionController);
+
 injectCSSAttrs(document.documentElement);
diff --git a/authui/src/authflowv2/base.css b/authui/src/authflowv2/base.css
index 15d6bbbb94..4d9c7f2f11 100644
--- a/authui/src/authflowv2/base.css
+++ b/authui/src/authflowv2/base.css
@@ -51,6 +51,10 @@
     /* --color-primary-theme-lighter: #d8e6fd; */
     /* --color-primary-theme-lighter-alt: #f5f9fe; */
 
+    /* secondary */
+    --color-secondary-theme-primary: #ff295b;
+    --color-secondary-theme-dark: #c4003d;
+
     /* Neutral colors is tonal palette */
     /* https://m3.material.io/styles/color/system/how-the-system-works#395813c8-b314-48d1-bb55-266f421eb3a4 */
     /* neutral */
diff --git a/authui/src/authflowv2/components.css b/authui/src/authflowv2/components.css
index a5c7a48b0a..8cc6ed6adf 100644
--- a/authui/src/authflowv2/components.css
+++ b/authui/src/authflowv2/components.css
@@ -33,6 +33,7 @@
 @import "./components/dialog.css";
 @import "./components/watermark.css";
 @import "./components/settings-content.css";
+@import "./components/settings-headline.css";
 @import "./components/settings-title.css";
 @import "./components/settings-description.css";
 @import "./components/settings-item.css";
@@ -41,3 +42,7 @@
 @import "./components/settings-user-profile-pic.css";
 @import "./components/select-input.css";
 @import "./components/direct-access-layout.css";
+@import "./components/settings-link-button.css";
+@import "./components/settings-text-color.css";
+@import "./components/settings-action-item.css";
+@import "./components/settings-dialog.css";
diff --git a/authui/src/authflowv2/components/body-text.css b/authui/src/authflowv2/components/body-text.css
index ef2a0c9f5f..18adff7f18 100644
--- a/authui/src/authflowv2/components/body-text.css
+++ b/authui/src/authflowv2/components/body-text.css
@@ -18,7 +18,7 @@
     --body-text__letter-spacing--sm: var(
       --typography-body-small__letter-spacing
     );
-    --body-text__font-weight--sm: var(--typography-body-medium__font-weight);
+    --body-text__font-weight--sm: var(--typography-body-small__font-weight);
 
     /* sm link */
     --body-text__font-family--link-sm: var(
diff --git a/authui/src/authflowv2/components/otp-input.css b/authui/src/authflowv2/components/otp-input.css
index e8f73fd172..93315ebf52 100644
--- a/authui/src/authflowv2/components/otp-input.css
+++ b/authui/src/authflowv2/components/otp-input.css
@@ -80,6 +80,7 @@
     @apply items-stretch;
     @apply gap-x-[var(--otp-input\_\_spacing)];
     @apply pointer-events-none;
+    @apply justify-center;
   }
 
   .otp-input__digit {
diff --git a/authui/src/authflowv2/components/primary-button.css b/authui/src/authflowv2/components/primary-button.css
index 9d3a92732c..55e6828c5a 100644
--- a/authui/src/authflowv2/components/primary-button.css
+++ b/authui/src/authflowv2/components/primary-button.css
@@ -104,4 +104,11 @@
   .primary-btn--success {
     background-color: var(--color-success);
   }
+
+  .primary-btn--destructive {
+    @apply primary-btn;
+    --primary-btn__bg-color: var(--color-secondary-theme-primary);
+    --primary-btn__bg-color--hover: var(--color-secondary-theme-dark);
+    --primary-btn__bg-color--active: var(--color-secondary-theme-dark);
+  }
 }
diff --git a/authui/src/authflowv2/components/settings-action-item.css b/authui/src/authflowv2/components/settings-action-item.css
new file mode 100644
index 0000000000..b28f592c5e
--- /dev/null
+++ b/authui/src/authflowv2/components/settings-action-item.css
@@ -0,0 +1,115 @@
+@layer components {
+  :root {
+    --settings-action-item__description-color: var(--body-text__text-color);
+    --settings-action-item__description-font-family: var(
+      --body-text__font-family--md
+    );
+    --settings-action-item__description-font-size: var(
+      --body-text__font-size--md
+    );
+    --settings-action-item__description-line-height: var(
+      --body-text__line-height--md
+    );
+    --settings-action-item__description-letter-spacing: var(
+      --body-text__letter-spacing--md
+    );
+    --settings-action-item__description-font-weight: var(
+      --body-text__font-weight--md
+    );
+
+    --settings-action-item__icon-color--pale: var(--color-neutral-200);
+  }
+
+  .settings-action-item__container {
+    @apply flex;
+    --settings-action-item-padding-x: 0.5rem;
+    --settings-action-item-padding-y: 1rem;
+    color: var(--settings-item__text-color);
+    border-color: var(--settings-item__border-color);
+    border-bottom-width: 1px;
+    border-style: solid;
+
+    --icon-placeholder-display: none;
+    --icon-size: 1.5rem;
+    &.settings-action-item__container-with-icon {
+      --icon-placeholder-display: block;
+    }
+  }
+
+  .settings-action-item__container {
+    &.settings-action-item__container-with-extra-content {
+      .settings-action-item__content-container {
+        @apply pb-2;
+      }
+    }
+  }
+
+  .settings-action-item__content-container {
+    @apply block;
+    @apply px-[var(--settings-action-item-padding-x)];
+    @apply py-[var(--settings-action-item-padding-y)];
+  }
+
+  .settings-action-item__label-container {
+    @apply flex gap-x-2;
+  }
+
+  .settings-action-item__description-container {
+    @apply text-start;
+    @apply flex gap-x-2 items-center justify-start;
+    @apply mt-1;
+    &::before {
+      content: "";
+      width: var(--icon-size);
+      display: var(--icon-placeholder-display);
+    }
+
+    color: var(--settings-action-item__description-color);
+    font-family: var(--settings-action-item__description-font-family);
+    font-size: var(--settings-action-item__description-font-size);
+    line-height: var(--settings-action-item__description-line-height);
+    letter-spacing: var(--settings-action-item__description-letter-spacing);
+    font-weight: var(--settings-action-item__description-font-weight);
+  }
+
+  .settings-action-item__extra-content-container {
+    @apply flex gap-x-2 items-center;
+    @apply px-[var(--settings-action-item-padding-x)];
+    @apply pb-[var(--settings-action-item-padding-y)];
+    &::before {
+      content: "";
+      width: var(--icon-size);
+      display: var(--icon-placeholder-display);
+    }
+  }
+
+  .settings-action-item__icon {
+    @apply settings-item-icon;
+  }
+
+  .settings-action-item__action-button-container {
+    @apply py-[var(--settings-action-item-padding-y)];
+  }
+
+  .settings-action-item__arrow-container {
+    @apply flex flex-none items-center;
+    @apply py-[var(--settings-action-item-padding-y)];
+  }
+
+  .settings-action-item__label {
+    @apply settings-item__label;
+    @apply break-all;
+  }
+
+  .settings-action-item__icon--pale {
+    @apply settings-item-icon;
+    line-height: normal;
+    color: var(--settings-action-item__icon-color--pale);
+  }
+
+  .settings-action-item__icon--pale {
+    @apply settings-item-icon;
+    line-height: normal;
+    color: var(--settings-action-item__icon-color--pale);
+  }
+}
diff --git a/authui/src/authflowv2/components/settings-description.css b/authui/src/authflowv2/components/settings-description.css
index 8d115a31c5..e3d9c2bcb2 100644
--- a/authui/src/authflowv2/components/settings-description.css
+++ b/authui/src/authflowv2/components/settings-description.css
@@ -14,6 +14,8 @@
       --typography-title-medium__font-weight
     );
     --settings-description__text-color: var(--color-neutral-400);
+
+    --settings-description__text-color--primary: var(--color-link);
   }
   :root.dark {
     --settings-description__text-color: var(--color-neutral-200);
@@ -27,4 +29,9 @@
     font-weight: var(--settings-description__font-weight);
     color: var(--settings-description__text-color);
   }
+
+  .settings-description--primary-color {
+    @apply settings-description;
+    color: var(--settings-description__text-color--primary);
+  }
 }
diff --git a/authui/src/authflowv2/components/settings-dialog.css b/authui/src/authflowv2/components/settings-dialog.css
new file mode 100644
index 0000000000..0d57bd7469
--- /dev/null
+++ b/authui/src/authflowv2/components/settings-dialog.css
@@ -0,0 +1,15 @@
+@layer components {
+  :root {
+    --settings-dialog__description-text--highlight-color: var(
+      --color-neutral-700
+    );
+  }
+
+  .settings-dialog {
+    @apply p-8 tablet:p-10;
+  }
+
+  .settings-dialog__description-text--highlight {
+    color: var(--settings-dialog__description-text--highlight-color);
+  }
+}
diff --git a/authui/src/authflowv2/components/settings-headline.css b/authui/src/authflowv2/components/settings-headline.css
new file mode 100644
index 0000000000..844d26a060
--- /dev/null
+++ b/authui/src/authflowv2/components/settings-headline.css
@@ -0,0 +1,30 @@
+@layer components {
+  :root {
+    --settings-headlien__font-family: var(
+      --typography-headline-small__font-family
+    );
+    --settings-headline__font-size: var(--typography-headline-small__font-size);
+    --settings-headline__line-height: var(
+      --typography-headline-small__line-height
+    );
+    --settings-headline__letter-spacing: var(
+      --typography-headline-small__letter-spacing
+    );
+    --settings-headline__font-weight: var(
+      --typography-headline-small__font-weight
+    );
+    --settings-headline__text-color: var(--color-neutral-700);
+  }
+  :root.dark {
+    --settings-headline__text-color: var(--color-neutral-100);
+  }
+
+  .settings-headline {
+    font-family: var(--settings-headline__font-family);
+    font-size: var(--settings-headline__font-size);
+    line-height: var(--settings-headline__line-height);
+    letter-spacing: var(--settings-headline__letter-spacing);
+    font-weight: var(--settings-headline__font-weight);
+    color: var(--settings-headline__text-color);
+  }
+}
diff --git a/authui/src/authflowv2/components/settings-item.css b/authui/src/authflowv2/components/settings-item.css
index 7566edd841..952f3b09d5 100644
--- a/authui/src/authflowv2/components/settings-item.css
+++ b/authui/src/authflowv2/components/settings-item.css
@@ -25,6 +25,20 @@
     --settings-item__ring-width--active: var(--settings-item__ring-width);
     --settings-item__ring-color--active: var(--settings-item__ring-color);
 
+    --settings-item__note-font-family: var(
+      --typography-body-medium__font-family
+    );
+    --settings-item__note-font-size: var(--typography-body-medium__font-size);
+    --settings-item__note-line-height: var(
+      --typography-body-medium__line-height
+    );
+    --settings-item__note-letter-spacing: var(
+      --typography-body-medium__letter-spacing
+    );
+    --settings-item__note-font-weight: var(
+      --typography-body-medium__font-weight
+    );
+
     --settings-item__forward-arrow-font-size: 1.125rem;
 
     --settings-item__forward-arrow-color: var(--color-neutral-200);
@@ -44,8 +58,7 @@
   }
 
   .settings-item {
-    @apply grid;
-    @apply gap-x-2;
+    @apply grid gap-x-2 gap-y-1;
     @apply items-center text-start;
 
     background-color: var(--settings-item__bg-color);
@@ -79,6 +92,13 @@
       grid-template-columns: var(--settings-item__grid-col-icon-width) auto 1.125rem;
     }
 
+    &.with-note {
+      grid-template-areas:
+        "icon title arrow"
+        ".    note  arrow";
+      grid-template-columns: var(--settings-item__grid-col-icon-width) auto 1.125rem;
+    }
+
     &:hover {
       background-color: var(--settings-item__bg-color--hover);
       color: var(--settings-item__text-color--hover);
@@ -96,19 +116,27 @@
     }
   }
 
-  .settings-item > .settings-item_icon-container {
+  .settings-item_icon-container {
     grid-area: icon;
     @apply flex items-center;
   }
-  .settings-item > .settings-item__label {
+  .settings-item__label {
     grid-area: title;
   }
-  .settings-item > .settings-item__description {
+  .settings-item__content {
     grid-area: content;
   }
-  .settings-item > .settings-item__forward_arrow {
+  .settings-item__forward_arrow {
     grid-area: arrow;
   }
+  .settings-item__note {
+    grid-area: note;
+    font-family: var(--settings-item__note-font-family);
+    font-size: var(--settings-item__note-font-size);
+    line-height: var(--settings-item__note-line-height);
+    letter-spacing: var(--settings-item__note-letter-spacing);
+    font-weight: var(--settings-item__note-font-weight);
+  }
 }
 
 .settings-item__label {
diff --git a/authui/src/authflowv2/components/settings-link-button.css b/authui/src/authflowv2/components/settings-link-button.css
new file mode 100644
index 0000000000..2eb896d00f
--- /dev/null
+++ b/authui/src/authflowv2/components/settings-link-button.css
@@ -0,0 +1,95 @@
+@layer components {
+  :root {
+    --settings-link-btn-bg-color: var(--link-btn-bg-color);
+    --settings-link-btn-text-color: var(--link-btn-text-color);
+    --settings-link-btn-border-radius: var(--link-btn-border-radius);
+
+    --settings-link-btn-font-family: var(--typography-label-large__font-family);
+    --settings-link-btn-font-size: var(--typography-label-large__font-size);
+    --settings-link-btn-line-height: var(--typography-label-large__line-height);
+    --settings-link-btn-letter-spacing: var(
+      --typography-label-large__letter-spacing
+    );
+    --settings-link-btn-font-weight: var(--typography-label-large__font-weight);
+    --settings-link-btn-ring-width: var(--link-btn-ring-width);
+    --settings-link-btn-ring-color: var(--link-btn-ring-color);
+
+    --settings-link-btn-bg-color--hover: var(--link-btn-bg-color--hover);
+    --settings-link-btn-text-color--hover: var(--link-btn-text-color--hover);
+    --settings-link-btn-ring-width--hover: var(--settings-link-btn-ring-width);
+    --settings-link-btn-ring-color--hover: var(--settings-link-btn-ring-color);
+
+    --settings-link-btn-bg-color--active: var(--link-btn-bg-color--active);
+    --settings-link-btn-text-color--active: var(--link-btn-text-color--active);
+    --settings-link-btn-ring-width--active: var(--settings-link-btn-ring-width);
+    --settings-link-btn-ring-color--active: var(--settings-link-btn-ring-color);
+
+    --settings-link-btn-bg-color--disabled: var(--link-btn-bg-color--disabled);
+    --settings-link-btn-text-color--disabled: var(
+      --link-btn-text-color--disabled
+    );
+    --settings-link-btn-ring-width--disabled: var(
+      --settings-link-btn-ring-width
+    );
+    --settings-link-btn-ring-color--disabled: var(
+      --settings-link-btn-ring-color
+    );
+  }
+
+  :root.dark {
+    --settings-link-btn-text-color--disabled: var(
+      --link-btn-text-color--disabled
+    );
+
+    --settings-link-btn-text-color--hover: var(--link-btn-text-color--hover);
+    --settings-link-btn-text-color--active: var(--link-btn-text-color--active);
+  }
+
+  .settings-link-btn {
+    @apply text-center;
+
+    background-color: var(--settings-link-btn-bg-color);
+    color: var(--settings-link-btn-text-color);
+    border-radius: var(--settings-link-btn-border-radius);
+    font-family: var(--settings-link-btn-font-family);
+    font-size: var(--settings-link-btn-font-size);
+    line-height: var(--settings-link-btn-line-height);
+    letter-spacing: var(--settings-link-btn-letter-spacing);
+    font-weight: var(--settings-link-btn-font-weight);
+    @apply ring-inset
+      ring-[length:var(--settings-link-btn-ring-width)]
+      ring-[color:var(--settings-link-btn-ring-color)];
+    padding: var(--settings-link-btn-py) var(--link-btn-px);
+
+    &:hover {
+      background-color: var(--settings-link-btn-bg-color--hover);
+      color: var(--settings-link-btn-text-color--hover);
+      @apply ring-inset
+        ring-[length:var(--settings-link-btn-ring-width--hover)]
+        ring-[color:var(--settings-link-btn-ring-color--hover)];
+    }
+
+    &:active {
+      background-color: var(--settings-link-btn-bg-color--active);
+      color: var(--settings-link-btn-text-color--active);
+      @apply ring-inset
+        ring-[length:var(--settings-link-btn-ring-width--active)]
+        ring-[color:var(--settings-link-btn-ring-color--active)];
+    }
+
+    &:disabled {
+      background-color: var(--settings-link-btn-bg-color--disabled);
+      color: var(--settings-link-btn-text-color--disabled);
+      @apply ring-inset
+        ring-[length:var(--settings-link-btn-ring-width--disabled)]
+        ring-[color:var(--settings-link-btn-ring-color--disabled)];
+    }
+  }
+
+  .settings-link-btn--destructive {
+    @apply settings-link-btn;
+    --settings-link-btn-text-color: var(--color-secondary-theme-primary);
+    --settings-link-btn-text-color--hover: var(--color-secondary-theme-dark);
+    --settings-link-btn-text-color--active: var(--color-secondary-theme-dark);
+  }
+}
diff --git a/authui/src/authflowv2/components/settings-text-color.css b/authui/src/authflowv2/components/settings-text-color.css
new file mode 100644
index 0000000000..eb7f3045d0
--- /dev/null
+++ b/authui/src/authflowv2/components/settings-text-color.css
@@ -0,0 +1,9 @@
+@layer components {
+  .settings-text-color-success {
+    color: var(--color-success);
+  }
+
+  .settings-text-color-failure {
+    color: var(--color-error);
+  }
+}
diff --git a/authui/src/authflowv2/settingsDialog.ts b/authui/src/authflowv2/settingsDialog.ts
new file mode 100644
index 0000000000..0b8c7335f7
--- /dev/null
+++ b/authui/src/authflowv2/settingsDialog.ts
@@ -0,0 +1,16 @@
+import { Controller } from "@hotwired/stimulus";
+import { dispatchDialogOpen } from "./dialog";
+
+/**
+ * Dispatch a custom event to set settings dialog open
+ */
+export function dispatchSettingsDialogOpen(dialogID: string) {
+  dispatchDialogOpen(dialogID);
+}
+
+export class SettingsDialogController extends Controller {
+  open = (e: Event) => {
+    const dialogID: string = (e as any).params.dialogid;
+    dispatchSettingsDialogOpen(dialogID);
+  };
+}
diff --git a/pkg/auth/deps.go b/pkg/auth/deps.go
index 95a3c0c73b..82e92d23cf 100644
--- a/pkg/auth/deps.go
+++ b/pkg/auth/deps.go
@@ -222,6 +222,7 @@ var DependencySet = wire.NewSet(
 	wire.Bind(new(handlerwebapp.MeterService), new(*meter.Service)),
 	wire.Bind(new(handlerwebapp.ErrorService), new(*webapp.ErrorService)),
 	wire.Bind(new(handlerwebapp.PasskeyCreationOptionsService), new(*featurepasskey.CreationOptionsService)),
+	wire.Bind(new(handlerwebappauthflowv2.PasskeyCreationOptionsService), new(*featurepasskey.CreationOptionsService)),
 	wire.Bind(new(handlerwebapp.PasskeyRequestOptionsService), new(*featurepasskey.RequestOptionsService)),
 	wire.Bind(new(handlerwebapp.WorkflowWebsocketEventStore), new(*workflow.EventStoreImpl)),
 	wire.Bind(new(handlerwebapp.AuthenticationFlowWebsocketEventStore), new(*authenticationflow.WebsocketEventStore)),
@@ -248,6 +249,7 @@ var DependencySet = wire.NewSet(
 	wire.Bind(new(api.JSONResponseWriter), new(*httputil.JSONResponseWriter)),
 	wire.Bind(new(authenticationflow.JSONResponseWriter), new(*httputil.JSONResponseWriter)),
 	wire.Bind(new(accountmanagement.RateLimitMiddlewareJSONResponseWriter), new(*httputil.JSONResponseWriter)),
+	wire.Bind(new(accountmanagement.SettingsDeleteAccountSuccessUIInfoResolver), new(*authenticationinfo.UIService)),
 
 	wire.Bind(new(handlerwebapp.PanicMiddlewareUIImplementationService), new(*web.UIImplementationService)),
 	wire.Bind(new(handlerwebapp.CSRFMiddlewareUIImplementationService), new(*web.UIImplementationService)),
diff --git a/pkg/auth/handler/webapp/account_status.go b/pkg/auth/handler/webapp/account_status.go
index 5ce4ea9c5e..390a288185 100644
--- a/pkg/auth/handler/webapp/account_status.go
+++ b/pkg/auth/handler/webapp/account_status.go
@@ -44,7 +44,7 @@ func (h *AccountStatusHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		graph, err := ctrl.InteractionGet()
diff --git a/pkg/auth/handler/webapp/authflowv2/deps.go b/pkg/auth/handler/webapp/authflowv2/deps.go
index 19741e3776..3a671f4869 100644
--- a/pkg/auth/handler/webapp/authflowv2/deps.go
+++ b/pkg/auth/handler/webapp/authflowv2/deps.go
@@ -44,4 +44,32 @@ var DependencySet = wire.NewSet(
 	wire.Struct(new(AuthflowV2SettingsHandler), "*"),
 	wire.Struct(new(AuthflowV2SettingsProfileHandler), "*"),
 	wire.Struct(new(AuthflowV2SettingsProfileEditHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsChangePasswordHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsChangePasskeyHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsBiometricHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsSessionsHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsMFAHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsAdvancedSettingsHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsDeleteAccountHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsDeleteAccountSuccessHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsMFACreatePasswordHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsMFAPasswordHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsTOTPHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsOOBOTPHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsIdentityAddEmailHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsIdentityEditEmailHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsIdentityVerifyEmailHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsIdentityListEmailHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsIdentityViewEmailHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsIdentityChangePrimaryEmailHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsIdentityListPhoneHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsIdentityViewPhoneHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsIdentityAddPhoneHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsIdentityEditPhoneHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsIdentityChangePrimaryPhoneHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsIdentityVerifyPhoneHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsIdentityListUsernameHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsIdentityNewUsernameHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsIdentityViewUsernameHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsIdentityEditUsernameHandler), "*"),
 )
diff --git a/pkg/auth/handler/webapp/authflowv2/not_found.go b/pkg/auth/handler/webapp/authflowv2/not_found.go
index d3cbd28da1..e5e2bd737e 100644
--- a/pkg/auth/handler/webapp/authflowv2/not_found.go
+++ b/pkg/auth/handler/webapp/authflowv2/not_found.go
@@ -32,7 +32,7 @@ func (h *AuthflowV2NotFoundHandler) ServeHTTP(w http.ResponseWriter, r *http.Req
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		data, err := h.GetData(r, w)
diff --git a/pkg/auth/handler/webapp/authflowv2/reset_password.go b/pkg/auth/handler/webapp/authflowv2/reset_password.go
index 4385132c26..f3872a303d 100644
--- a/pkg/auth/handler/webapp/authflowv2/reset_password.go
+++ b/pkg/auth/handler/webapp/authflowv2/reset_password.go
@@ -125,7 +125,7 @@ func (h *AuthflowV2ResetPasswordHandler) serveHTTPNonAuthflow(w http.ResponseWri
 		return
 	}
 
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		data, err := h.GetNonAuthflowData(w, r)
diff --git a/pkg/auth/handler/webapp/authflowv2/routes.go b/pkg/auth/handler/webapp/authflowv2/routes.go
index 7f96a600b4..9fb6d90e79 100644
--- a/pkg/auth/handler/webapp/authflowv2/routes.go
+++ b/pkg/auth/handler/webapp/authflowv2/routes.go
@@ -71,6 +71,8 @@ const (
 
 	SettingsV2RouteSettingsProfileGenderEdit = "/settings/profile/gender/edit"
 
+	SettingsV2RouteAdvancedSettings = "/settings/advanced_settings"
+
 	// The following routes are dead ends.
 	AuthflowV2RouteAccountStatus   = "/authflow/v2/account_status"
 	AuthflowV2RouteNoAuthenticator = "/authflow/v2/no_authenticator"
@@ -78,6 +80,30 @@ const (
 	AuthflowV2RouteFinishFlow = "/authflow/v2/finish"
 
 	AuthflowV2RouteSettingsProfile = "/settings/v2/profile"
+	AuthflowV2RouteSettingsMFA     = "/settings/mfa"
+	// nolint: gosec
+	AuthflowV2RouteSettingsMFACreatePassword = "/settings/mfa/create_password"
+	// nolint: gosec
+	AuthflowV2RouteSettingsMFAPassword = "/settings/mfa/password"
+
+	AuthflowV2RouteSettingsIdentityListEmail          = "/settings/identity/email"
+	AuthflowV2RouteSettingsIdentityAddEmail           = "/settings/identity/add_email"
+	AuthflowV2RouteSettingsIdentityEditEmail          = "/settings/identity/edit_email"
+	AuthflowV2RouteSettingsIdentityViewEmail          = "/settings/identity/view_email"
+	AuthflowV2RouteSettingsIdentityChangePrimaryEmail = "/settings/identity/change_primary_email"
+	AuthflowV2RouteSettingsIdentityVerifyEmail        = "/settings/identity/verify_email"
+
+	AuthflowV2RouteSettingsIdentityListPhone          = "/settings/identity/phone"
+	AuthflowV2RouteSettingsIdentityAddPhone           = "/settings/identity/add_phone"
+	AuthflowV2RouteSettingsIdentityEditPhone          = "/settings/identity/edit_phone"
+	AuthflowV2RouteSettingsIdentityViewPhone          = "/settings/identity/view_phone"
+	AuthflowV2RouteSettingsIdentityChangePrimaryPhone = "/settings/identity/change_primary_phone"
+	AuthflowV2RouteSettingsIdentityVerifyPhone        = "/settings/identity/verify_phone"
+
+	AuthflowV2RouteSettingsIdentityListUsername = "/settings/identity/username"
+	AuthflowV2RouteSettingsIdentityNewUsername  = "/settings/identity/new_username"
+	AuthflowV2RouteSettingsIdentityViewUsername = "/settings/identity/view_username"
+	AuthflowV2RouteSettingsIdentityEditUsername = "/settings/identity/edit_username"
 )
 
 type AuthflowV2NavigatorEndpointsProvider interface {
diff --git a/pkg/auth/handler/webapp/authflowv2/select_account.go b/pkg/auth/handler/webapp/authflowv2/select_account.go
index cf8ebf4606..e56f011546 100644
--- a/pkg/auth/handler/webapp/authflowv2/select_account.go
+++ b/pkg/auth/handler/webapp/authflowv2/select_account.go
@@ -240,9 +240,9 @@ func (h *AuthflowV2SelectAccountHandler) ServeHTTP(w http.ResponseWriter, r *htt
 		h.continueFlow(w, r, "/reauth")
 	}
 
-	// ctrl.Serve() always write response.
+	// ctrl.ServeWithDBTx() always write response.
 	// So we have to put http.Redirect before it.
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		// When promote anonymous user, the end-user should not see this page.
diff --git a/pkg/auth/handler/webapp/authflowv2/settings.go b/pkg/auth/handler/webapp/authflowv2/settings.go
index 8c9cdb610c..61a99676c4 100644
--- a/pkg/auth/handler/webapp/authflowv2/settings.go
+++ b/pkg/auth/handler/webapp/authflowv2/settings.go
@@ -5,6 +5,7 @@ import (
 
 	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
 	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/lib/config"
 	"github.com/authgear/authgear-server/pkg/lib/session"
 	"github.com/authgear/authgear-server/pkg/util/httproute"
 	"github.com/authgear/authgear-server/pkg/util/template"
@@ -21,6 +22,10 @@ func ConfigureSettingsV2Route(route httproute.Route) httproute.Route {
 		WithPathPattern(SettingsV2RouteSettings)
 }
 
+type SettingsAccountDeletionViewModel struct {
+	AccountDeletionAllowed bool
+}
+
 type AuthflowV2SettingsHandler struct {
 	ControllerFactory        handlerwebapp.ControllerFactory
 	BaseViewModel            *viewmodels.BaseViewModeler
@@ -29,6 +34,7 @@ type AuthflowV2SettingsHandler struct {
 	SettingsProfileViewModel *viewmodels.SettingsProfileViewModeler
 	Identities               handlerwebapp.SettingsIdentityService
 	Renderer                 handlerwebapp.Renderer
+	AccountDeletion          *config.AccountDeletionConfig
 }
 
 func (h *AuthflowV2SettingsHandler) GetData(r *http.Request, rw http.ResponseWriter) (map[string]interface{}, error) {
@@ -62,6 +68,12 @@ func (h *AuthflowV2SettingsHandler) GetData(r *http.Request, rw http.ResponseWri
 	authenticationViewModel := h.AuthenticationViewModel.NewWithCandidates(candidates, r.Form)
 	viewmodels.Embed(data, authenticationViewModel)
 
+	// Account Deletion
+	accountDeletionViewModel := SettingsAccountDeletionViewModel{
+		AccountDeletionAllowed: h.AccountDeletion.ScheduledByEndUserEnabled,
+	}
+	viewmodels.Embed(data, accountDeletionViewModel)
+
 	return data, nil
 }
 
@@ -71,7 +83,7 @@ func (h *AuthflowV2SettingsHandler) ServeHTTP(w http.ResponseWriter, r *http.Req
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		data, err := h.GetData(r, w)
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_advanced.go b/pkg/auth/handler/webapp/authflowv2/settings_advanced.go
new file mode 100644
index 0000000000..9705b42764
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_advanced.go
@@ -0,0 +1,55 @@
+package authflowv2
+
+import (
+	"net/http"
+
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/util/httproute"
+	"github.com/authgear/authgear-server/pkg/util/template"
+)
+
+var TemplateWebSettingsV2AdvancedSettingsHTML = template.RegisterHTML(
+	"web/authflowv2/settings_advanced.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+type AuthflowV2SettingsAdvancedSettingsHandler struct {
+	ControllerFactory handlerwebapp.ControllerFactory
+	BaseViewModel     *viewmodels.BaseViewModeler
+	Renderer          handlerwebapp.Renderer
+}
+
+func ConfigureSettingsV2AdvancedSettingsRoute(route httproute.Route) httproute.Route {
+	return route.
+		WithMethods("OPTIONS", "GET", "POST").
+		WithPathPattern(SettingsV2RouteAdvancedSettings)
+}
+
+func (h *AuthflowV2SettingsAdvancedSettingsHandler) GetData(r *http.Request, w http.ResponseWriter) (map[string]interface{}, error) {
+	data := map[string]interface{}{}
+
+	// BaseViewModel
+	baseViewModel := h.BaseViewModel.ViewModel(r, w)
+	viewmodels.Embed(data, baseViewModel)
+
+	return data, nil
+}
+
+func (h *AuthflowV2SettingsAdvancedSettingsHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithoutDBTx()
+
+	ctrl.Get(func() error {
+		data, err := h.GetData(r, w)
+		if err != nil {
+			return nil
+		}
+		h.Renderer.RenderHTML(w, r, TemplateWebSettingsV2AdvancedSettingsHTML, data)
+		return nil
+	})
+}
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_biometric.go b/pkg/auth/handler/webapp/authflowv2/settings_biometric.go
new file mode 100644
index 0000000000..4e1a424b79
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_biometric.go
@@ -0,0 +1,122 @@
+package authflowv2
+
+import (
+	"net/http"
+	"time"
+
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/auth/webapp"
+	"github.com/authgear/authgear-server/pkg/lib/accountmanagement"
+	"github.com/authgear/authgear-server/pkg/lib/authn/identity"
+	"github.com/authgear/authgear-server/pkg/lib/infra/db/appdb"
+	"github.com/authgear/authgear-server/pkg/lib/session"
+	"github.com/authgear/authgear-server/pkg/util/httputil"
+	"github.com/authgear/authgear-server/pkg/util/template"
+)
+
+var TemplateWebSettingsV2BiometricHTML = template.RegisterHTML(
+	"web/authflowv2/settings_biometric.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+type BiometricIdentity struct {
+	ID          string
+	DisplayName string
+	CreatedAt   time.Time
+}
+
+type SettingsBiometricViewModel struct {
+	BiometricIdentities []*BiometricIdentity
+}
+
+type BiometricIdentityProvider interface {
+	List(userID string) ([]*identity.Biometric, error)
+}
+
+type AuthflowV2SettingsBiometricHandler struct {
+	Database                 *appdb.Handle
+	ControllerFactory        handlerwebapp.ControllerFactory
+	BaseViewModel            *viewmodels.BaseViewModeler
+	Renderer                 handlerwebapp.Renderer
+	Identities               handlerwebapp.SettingsIdentityService
+	BiometricProvider        BiometricIdentityProvider
+	AccountManagementService *accountmanagement.Service
+}
+
+func (h *AuthflowV2SettingsBiometricHandler) GetData(r *http.Request, rw http.ResponseWriter) (map[string]interface{}, error) {
+	data := map[string]interface{}{}
+	userID := session.GetUserID(r.Context())
+
+	// BaseViewModel
+	baseViewModel := h.BaseViewModel.ViewModel(r, rw)
+	viewmodels.Embed(data, baseViewModel)
+
+	// BiometricViewModel
+	var biometricIdentityInfos []*identity.Biometric
+	err := h.Database.WithTx(func() (err error) {
+		biometricIdentityInfos, err = h.BiometricProvider.List(*userID)
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	biometricViewModel := SettingsBiometricViewModel{}
+
+	for _, biometricInfo := range biometricIdentityInfos {
+		displayName := biometricInfo.FormattedDeviceInfo()
+		biometricViewModel.BiometricIdentities = append(biometricViewModel.BiometricIdentities, &BiometricIdentity{
+			ID:          biometricInfo.ID,
+			DisplayName: displayName,
+			CreatedAt:   biometricInfo.CreatedAt,
+		})
+	}
+
+	viewmodels.Embed(data, biometricViewModel)
+
+	return data, nil
+}
+
+func (h *AuthflowV2SettingsBiometricHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithoutDBTx()
+
+	ctrl.Get(func() error {
+		data, err := h.GetData(r, w)
+		if err != nil {
+			return err
+		}
+
+		h.Renderer.RenderHTML(w, r, TemplateWebSettingsV2BiometricHTML, data)
+
+		return nil
+	})
+
+	ctrl.PostAction("remove", func() error {
+		identityID := r.Form.Get("x_identity_id")
+
+		s := session.GetSession(r.Context())
+
+		input := &accountmanagement.DeleteIdentityBiometricInput{
+			IdentityID: identityID,
+		}
+		_, err = h.AccountManagementService.DeleteIdentityBiometric(s, input)
+		if err != nil {
+			return err
+		}
+
+		redirectURI := httputil.HostRelative(r.URL).String()
+		result := webapp.Result{RedirectURI: redirectURI}
+		result.WriteResponse(w, r)
+
+		return nil
+	})
+}
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_change_password.go b/pkg/auth/handler/webapp/authflowv2/settings_change_password.go
new file mode 100644
index 0000000000..d90c1577ba
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_change_password.go
@@ -0,0 +1,123 @@
+package authflowv2
+
+import (
+	"net/http"
+
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/auth/webapp"
+	"github.com/authgear/authgear-server/pkg/lib/accountmanagement"
+	"github.com/authgear/authgear-server/pkg/lib/session"
+	pwd "github.com/authgear/authgear-server/pkg/util/password"
+	"github.com/authgear/authgear-server/pkg/util/template"
+	"github.com/authgear/authgear-server/pkg/util/validation"
+)
+
+var TemplateWebSettingsV2ChangePasswordHTML = template.RegisterHTML(
+	"web/authflowv2/settings_change_password.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+var AuthflowV2SettingsChangePasswordSchema = validation.NewSimpleSchema(`
+	{
+		"type": "object",
+		"properties": {
+			"x_old_password": { "type": "string" },
+			"x_new_password": { "type": "string" },
+			"x_confirm_password": { "type": "string" }
+		},
+		"required": ["x_old_password", "x_new_password", "x_confirm_password"]
+	}
+`)
+
+type AuthflowV2SettingsChangePasswordHandler struct {
+	ControllerFactory        handlerwebapp.ControllerFactory
+	BaseViewModel            *viewmodels.BaseViewModeler
+	Renderer                 handlerwebapp.Renderer
+	AccountManagementService *accountmanagement.Service
+	PasswordPolicy           handlerwebapp.PasswordPolicy
+}
+
+func (h *AuthflowV2SettingsChangePasswordHandler) GetData(r *http.Request, rw http.ResponseWriter) (map[string]interface{}, error) {
+	data := make(map[string]interface{})
+
+	// BaseViewModel
+	baseViewModel := h.BaseViewModel.ViewModel(r, rw)
+	viewmodels.Embed(data, baseViewModel)
+
+	passwordPolicyViewModel := viewmodels.NewPasswordPolicyViewModel(
+		h.PasswordPolicy.PasswordPolicy(),
+		h.PasswordPolicy.PasswordRules(),
+		baseViewModel.RawError,
+		viewmodels.GetDefaultPasswordPolicyViewModelOptions(),
+	)
+	viewmodels.Embed(data, passwordPolicyViewModel)
+
+	viewmodels.Embed(data, handlerwebapp.ChangePasswordViewModel{
+		Force: false,
+	})
+
+	return data, nil
+}
+
+func (h *AuthflowV2SettingsChangePasswordHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithoutDBTx()
+
+	ctrl.Get(func() error {
+		data, err := h.GetData(r, w)
+		if err != nil {
+			return err
+		}
+
+		h.Renderer.RenderHTML(w, r, TemplateWebSettingsV2ChangePasswordHTML, data)
+
+		return nil
+	})
+
+	ctrl.PostAction("", func() error {
+		err := AuthflowV2SettingsChangePasswordSchema.Validator().ValidateValue(handlerwebapp.FormToJSON(r.Form))
+		if err != nil {
+			return err
+		}
+
+		oldPassword := r.Form.Get("x_old_password")
+		newPassword := r.Form.Get("x_new_password")
+		confirmPassword := r.Form.Get("x_confirm_password")
+
+		err = pwd.ConfirmPassword(newPassword, confirmPassword)
+		if err != nil {
+			return err
+		}
+
+		s := session.GetSession(r.Context())
+		webappSession := webapp.GetSession(r.Context())
+		var oAuthSessionID string
+		redirectURI := SettingsV2RouteSettings
+		if webappSession != nil {
+			oAuthSessionID = webappSession.OAuthSessionID
+			redirectURI = webappSession.RedirectURI
+		}
+
+		input := &accountmanagement.ChangePasswordInput{
+			OAuthSessionID: oAuthSessionID,
+			RedirectURI:    redirectURI,
+			OldPassword:    oldPassword,
+			NewPassword:    newPassword,
+		}
+
+		changePasswordOutput, err := h.AccountManagementService.ChangePassword(s, input)
+		if err != nil {
+			return err
+		}
+
+		result := webapp.Result{RedirectURI: changePasswordOutput.RedirectURI}
+		result.WriteResponse(w, r)
+		return nil
+	})
+
+}
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_delete_account.go b/pkg/auth/handler/webapp/authflowv2/settings_delete_account.go
new file mode 100644
index 0000000000..6155009f0d
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_delete_account.go
@@ -0,0 +1,131 @@
+package authflowv2
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/authgear/authgear-server/pkg/api/apierrors"
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/auth/webapp"
+	"github.com/authgear/authgear-server/pkg/lib/authn/authenticationinfo"
+	"github.com/authgear/authgear-server/pkg/lib/config"
+	"github.com/authgear/authgear-server/pkg/lib/oauth/oauthsession"
+	"github.com/authgear/authgear-server/pkg/lib/session"
+	"github.com/authgear/authgear-server/pkg/lib/successpage"
+	"github.com/authgear/authgear-server/pkg/util/clock"
+	"github.com/authgear/authgear-server/pkg/util/template"
+)
+
+var TemplateWebSettingsV2DeleteAccountHTML = template.RegisterHTML(
+	"web/authflowv2/settings_delete_account.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+type AuthflowV2SettingsDeleteAccountViewModel struct {
+	ExpectedAccountDeletionTime time.Time
+}
+
+type AuthflowV2SettingsDeleteAccountHandler struct {
+	ControllerFactory         handlerwebapp.ControllerFactory
+	BaseViewModel             *viewmodels.BaseViewModeler
+	Renderer                  handlerwebapp.Renderer
+	Clock                     clock.Clock
+	Cookies                   handlerwebapp.CookieManager
+	Users                     handlerwebapp.SettingsDeleteAccountUserService
+	Sessions                  handlerwebapp.SettingsDeleteAccountSessionStore
+	OAuthSessions             handlerwebapp.SettingsDeleteAccountOAuthSessionService
+	AccountDeletion           *config.AccountDeletionConfig
+	AuthenticationInfoService handlerwebapp.SettingsDeleteAccountAuthenticationInfoService
+}
+
+func (h *AuthflowV2SettingsDeleteAccountHandler) GetData(r *http.Request, rw http.ResponseWriter) (map[string]interface{}, error) {
+	data := map[string]interface{}{}
+
+	// BaseViewModel
+	baseViewModel := h.BaseViewModel.ViewModel(r, rw)
+	viewmodels.Embed(data, baseViewModel)
+
+	now := h.Clock.NowUTC()
+	deletionTime := now.Add(h.AccountDeletion.GracePeriod.Duration())
+	deleteAccountViewModel := AuthflowV2SettingsDeleteAccountViewModel{
+		ExpectedAccountDeletionTime: deletionTime,
+	}
+	viewmodels.Embed(data, deleteAccountViewModel)
+
+	return data, nil
+}
+
+func (h *AuthflowV2SettingsDeleteAccountHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithDBTx()
+
+	currentSession := session.GetSession(r.Context())
+	redirectURI := "/settings/delete_account/success"
+	webSession := webapp.GetSession(r.Context())
+
+	ctrl.Get(func() error {
+		data, err := h.GetData(r, w)
+		if err != nil {
+			return err
+		}
+
+		h.Renderer.RenderHTML(w, r, TemplateWebSettingsV2DeleteAccountHTML, data)
+
+		return nil
+	})
+
+	ctrl.PostAction("delete", func() error {
+		confirmation := r.Form.Get("delete")
+		isConfirmed := confirmation == "DELETE"
+		if !isConfirmed {
+			return apierrors.NewInvalid("confirmation is required to delete account")
+		}
+
+		err := h.Users.ScheduleDeletionByEndUser(currentSession.GetAuthenticationInfo().UserID)
+		if err != nil {
+			return err
+		}
+
+		if webSession != nil && webSession.OAuthSessionID != "" {
+			// delete account triggered by sdk via settings action
+			// handle settings action result here
+
+			authInfoEntry := authenticationinfo.NewEntry(currentSession.CreateNewAuthenticationInfoByThisSession(), webSession.OAuthSessionID, "")
+			err := h.AuthenticationInfoService.Save(authInfoEntry)
+			if err != nil {
+				return err
+			}
+			webSession.Extra["authentication_info_id"] = authInfoEntry.ID
+			err = h.Sessions.Update(webSession)
+			if err != nil {
+				return err
+			}
+
+			entry, err := h.OAuthSessions.Get(webSession.OAuthSessionID)
+			if err != nil {
+				return err
+			}
+
+			entry.T.SettingsActionResult = oauthsession.NewSettingsActionResult()
+			err = h.OAuthSessions.Save(entry)
+			if err != nil {
+				return err
+			}
+		}
+
+		// set success page path cookie before visiting success page
+		result := webapp.Result{
+			RedirectURI: redirectURI,
+			Cookies: []*http.Cookie{
+				h.Cookies.ValueCookie(successpage.PathCookieDef, redirectURI),
+			},
+		}
+		result.WriteResponse(w, r)
+		return nil
+	})
+}
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_delete_account_success.go b/pkg/auth/handler/webapp/authflowv2/settings_delete_account_success.go
new file mode 100644
index 0000000000..eb424fedd3
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_delete_account_success.go
@@ -0,0 +1,87 @@
+package authflowv2
+
+import (
+	"net/http"
+
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/auth/webapp"
+	"github.com/authgear/authgear-server/pkg/lib/config"
+	"github.com/authgear/authgear-server/pkg/util/clock"
+	"github.com/authgear/authgear-server/pkg/util/template"
+)
+
+var TemplateWebSettingsV2DeleteAccountSuccessHTML = template.RegisterHTML(
+	"web/authflowv2/settings_delete_account_success.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+type AuthflowV2SettingsDeleteAccountSuccessHandler struct {
+	ControllerFactory         handlerwebapp.ControllerFactory
+	BaseViewModel             *viewmodels.BaseViewModeler
+	Renderer                  handlerwebapp.Renderer
+	AccountDeletion           *config.AccountDeletionConfig
+	Clock                     clock.Clock
+	UIInfoResolver            handlerwebapp.SettingsDeleteAccountSuccessUIInfoResolver
+	AuthenticationInfoService handlerwebapp.SettingsDeleteAccountSuccessAuthenticationInfoService
+}
+
+func (h *AuthflowV2SettingsDeleteAccountSuccessHandler) GetData(r *http.Request, rw http.ResponseWriter) (map[string]interface{}, error) {
+	data := map[string]interface{}{}
+
+	// BaseViewModel
+	baseViewModel := h.BaseViewModel.ViewModel(r, rw)
+	viewmodels.Embed(data, baseViewModel)
+
+	// DeleteAccountViewModel
+	now := h.Clock.NowUTC()
+	deletionTime := now.Add(h.AccountDeletion.GracePeriod.Duration())
+	deleteAccountViewModel := AuthflowV2SettingsDeleteAccountViewModel{
+		ExpectedAccountDeletionTime: deletionTime,
+	}
+	viewmodels.Embed(data, deleteAccountViewModel)
+
+	return data, nil
+}
+
+func (h *AuthflowV2SettingsDeleteAccountSuccessHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithoutDBTx()
+
+	webSession := webapp.GetSession(r.Context())
+
+	ctrl.Get(func() error {
+		data, err := h.GetData(r, w)
+		if err != nil {
+			return nil
+		}
+		h.Renderer.RenderHTML(w, r, TemplateWebSettingsV2DeleteAccountSuccessHTML, data)
+		return nil
+	})
+
+	ctrl.PostAction("", func() error {
+		redirectURI := "/login"
+		if webSession != nil && webSession.RedirectURI != "" {
+			// delete account triggered by sdk via settings action
+			// redirect to oauth callback
+			redirectURI = webSession.RedirectURI
+			if authInfoID, ok := webSession.Extra["authentication_info_id"].(string); ok {
+				authInfo, err := h.AuthenticationInfoService.Get(authInfoID)
+				if err != nil {
+					return err
+				}
+				redirectURI = h.UIInfoResolver.SetAuthenticationInfoInQuery(redirectURI, authInfo)
+			}
+		}
+
+		result := webapp.Result{
+			RedirectURI: redirectURI,
+		}
+		result.WriteResponse(w, r)
+		return nil
+	})
+}
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_identity_add_email.go b/pkg/auth/handler/webapp/authflowv2/settings_identity_add_email.go
new file mode 100644
index 0000000000..f22a627b47
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_identity_add_email.go
@@ -0,0 +1,130 @@
+package authflowv2
+
+import (
+	"net/http"
+	"net/url"
+
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/auth/webapp"
+	"github.com/authgear/authgear-server/pkg/lib/accountmanagement"
+	"github.com/authgear/authgear-server/pkg/lib/session"
+	"github.com/authgear/authgear-server/pkg/util/httproute"
+	"github.com/authgear/authgear-server/pkg/util/template"
+	"github.com/authgear/authgear-server/pkg/util/validation"
+)
+
+var TemplateWebSettingsIdentityAddEmailHTML = template.RegisterHTML(
+	"web/authflowv2/settings_identity_add_email.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+var AuthflowV2SettingsIdentityAddEmailSchema = validation.NewSimpleSchema(`
+	{
+		"type": "object",
+		"properties": {
+			"x_login_id": { "type": "string" }
+		},
+		"required": ["x_login_id"]
+	}
+`)
+
+func ConfigureAuthflowV2SettingsIdentityAddEmailRoute(route httproute.Route) httproute.Route {
+	return route.
+		WithMethods("OPTIONS", "POST", "GET").
+		WithPathPattern(AuthflowV2RouteSettingsIdentityAddEmail)
+}
+
+type AuthflowV2SettingsIdentityAddEmailViewModel struct {
+	LoginIDKey string
+}
+
+type AuthflowV2SettingsIdentityAddEmailHandler struct {
+	ControllerFactory handlerwebapp.ControllerFactory
+	BaseViewModel     *viewmodels.BaseViewModeler
+	Renderer          handlerwebapp.Renderer
+	AccountManagement accountmanagement.Service
+}
+
+func (h *AuthflowV2SettingsIdentityAddEmailHandler) GetData(r *http.Request, rw http.ResponseWriter) (map[string]interface{}, error) {
+	data := map[string]interface{}{}
+
+	loginIDKey := r.Form.Get("q_login_id_key")
+
+	baseViewModel := h.BaseViewModel.ViewModel(r, rw)
+	viewmodels.Embed(data, baseViewModel)
+
+	vm := AuthflowV2SettingsIdentityAddEmailViewModel{
+		LoginIDKey: loginIDKey,
+	}
+	viewmodels.Embed(data, vm)
+
+	return data, nil
+}
+
+func (h *AuthflowV2SettingsIdentityAddEmailHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithoutDBTx()
+
+	ctrl.Get(func() error {
+		data, err := h.GetData(r, w)
+		if err != nil {
+			return err
+		}
+
+		h.Renderer.RenderHTML(w, r, TemplateWebSettingsIdentityAddEmailHTML, data)
+		return nil
+	})
+
+	ctrl.PostAction("", func() error {
+		loginIDKey := r.Form.Get("q_login_id_key")
+
+		err := AuthflowV2SettingsIdentityAddEmailSchema.Validator().ValidateValue(handlerwebapp.FormToJSON(r.Form))
+		if err != nil {
+			return err
+		}
+
+		loginID := r.Form.Get("x_login_id")
+
+		s := session.GetSession(r.Context())
+		output, err := h.AccountManagement.StartAddIdentityEmail(s, &accountmanagement.StartAddIdentityEmailInput{
+			LoginID:    loginID,
+			LoginIDKey: loginIDKey,
+		})
+		if err != nil {
+			return err
+		}
+
+		var redirectURI *url.URL
+		if output.NeedVerification {
+			redirectURI, err = url.Parse(AuthflowV2RouteSettingsIdentityVerifyEmail)
+			if err != nil {
+				return err
+			}
+
+			q := redirectURI.Query()
+			q.Set("q_login_id_key", loginIDKey)
+			q.Set("q_token", output.Token)
+
+			redirectURI.RawQuery = q.Encode()
+		} else {
+			redirectURI, err = url.Parse(AuthflowV2RouteSettingsIdentityListEmail)
+			if err != nil {
+				return err
+			}
+
+			q := redirectURI.Query()
+			q.Set("q_login_id_key", loginIDKey)
+
+			redirectURI.RawQuery = q.Encode()
+		}
+
+		result := webapp.Result{RedirectURI: redirectURI.String()}
+		result.WriteResponse(w, r)
+		return nil
+	})
+}
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_identity_add_phone.go b/pkg/auth/handler/webapp/authflowv2/settings_identity_add_phone.go
new file mode 100644
index 0000000000..d6351e6756
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_identity_add_phone.go
@@ -0,0 +1,129 @@
+package authflowv2
+
+import (
+	"net/http"
+	"net/url"
+
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/auth/webapp"
+	"github.com/authgear/authgear-server/pkg/lib/accountmanagement"
+	"github.com/authgear/authgear-server/pkg/lib/config"
+	"github.com/authgear/authgear-server/pkg/lib/session"
+	"github.com/authgear/authgear-server/pkg/util/httproute"
+	"github.com/authgear/authgear-server/pkg/util/template"
+	"github.com/authgear/authgear-server/pkg/util/validation"
+)
+
+var TemplateWebSettingsIdentityAddPhoneHTML = template.RegisterHTML(
+	"web/authflowv2/settings_identity_add_phone.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+var AuthflowV2SettingsIdentityAddPhoneSchema = validation.NewSimpleSchema(`
+	{
+		"type": "object",
+		"properties": {
+			"x_login_id": { "type": "string" }
+		},
+		"required": ["x_login_id"]
+	}
+`)
+
+func ConfigureAuthflowV2SettingsIdentityAddPhoneRoute(route httproute.Route) httproute.Route {
+	return route.
+		WithMethods("OPTIONS", "POST", "GET").
+		WithPathPattern(AuthflowV2RouteSettingsIdentityAddPhone)
+}
+
+type AuthflowV2SettingsIdentityAddPhoneViewModel struct {
+	LoginIDKey string
+}
+
+type AuthflowV2SettingsIdentityAddPhoneHandler struct {
+	ControllerFactory   handlerwebapp.ControllerFactory
+	BaseViewModel       *viewmodels.BaseViewModeler
+	Renderer            handlerwebapp.Renderer
+	AuthenticatorConfig *config.AuthenticatorConfig
+	AccountManagement   accountmanagement.Service
+}
+
+func (h *AuthflowV2SettingsIdentityAddPhoneHandler) GetData(r *http.Request, rw http.ResponseWriter) (map[string]interface{}, error) {
+	data := map[string]interface{}{}
+
+	loginIDKey := r.Form.Get("q_login_id_key")
+
+	baseViewModel := h.BaseViewModel.ViewModel(r, rw)
+	viewmodels.Embed(data, baseViewModel)
+
+	vm := AuthflowV2SettingsIdentityAddPhoneViewModel{
+		LoginIDKey: loginIDKey,
+	}
+	viewmodels.Embed(data, vm)
+
+	return data, nil
+}
+
+func (h *AuthflowV2SettingsIdentityAddPhoneHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithoutDBTx()
+
+	ctrl.Get(func() error {
+		data, err := h.GetData(r, w)
+		if err != nil {
+			return err
+		}
+
+		h.Renderer.RenderHTML(w, r, TemplateWebSettingsIdentityAddPhoneHTML, data)
+		return nil
+	})
+
+	ctrl.PostAction("", func() error {
+		loginIDKey := r.Form.Get("q_login_id_key")
+
+		err := AuthflowV2SettingsIdentityAddPhoneSchema.Validator().ValidateValue(handlerwebapp.FormToJSON(r.Form))
+		if err != nil {
+			return err
+		}
+
+		loginID := r.Form.Get("x_login_id")
+
+		s := session.GetSession(r.Context())
+		output, err := h.AccountManagement.StartAddIdentityPhone(s, &accountmanagement.StartAddIdentityPhoneInput{
+			LoginID:    loginID,
+			LoginIDKey: loginIDKey,
+		})
+		if err != nil {
+			return err
+		}
+
+		var redirectURI *url.URL
+		if output.NeedVerification {
+			redirectURI, err = url.Parse(AuthflowV2RouteSettingsIdentityVerifyPhone)
+
+			q := redirectURI.Query()
+			q.Set("q_login_id_key", loginIDKey)
+			q.Set("q_token", output.Token)
+
+			redirectURI.RawQuery = q.Encode()
+		} else {
+			redirectURI, err = url.Parse(AuthflowV2RouteSettingsIdentityListPhone)
+
+			q := redirectURI.Query()
+			q.Set("q_login_id_key", loginIDKey)
+
+			redirectURI.RawQuery = q.Encode()
+		}
+		if err != nil {
+			return err
+		}
+
+		result := webapp.Result{RedirectURI: redirectURI.String()}
+		result.WriteResponse(w, r)
+		return nil
+	})
+}
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_identity_change_primary_email.go b/pkg/auth/handler/webapp/authflowv2/settings_identity_change_primary_email.go
new file mode 100644
index 0000000000..67e3157d39
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_identity_change_primary_email.go
@@ -0,0 +1,151 @@
+package authflowv2
+
+import (
+	"net/http"
+	"net/url"
+	"sort"
+
+	"github.com/authgear/authgear-server/pkg/api/model"
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/auth/webapp"
+	"github.com/authgear/authgear-server/pkg/lib/authn/identity"
+	identityservice "github.com/authgear/authgear-server/pkg/lib/authn/identity/service"
+	"github.com/authgear/authgear-server/pkg/lib/authn/stdattrs"
+	"github.com/authgear/authgear-server/pkg/lib/config"
+	"github.com/authgear/authgear-server/pkg/lib/infra/db/appdb"
+	"github.com/authgear/authgear-server/pkg/lib/session"
+	"github.com/authgear/authgear-server/pkg/util/httproute"
+	"github.com/authgear/authgear-server/pkg/util/template"
+)
+
+var TemplateWebSettingsIdentityChangePrimaryEmailHTML = template.RegisterHTML(
+	"web/authflowv2/settings_identity_change_primary_email.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+func ConfigureAuthflowV2SettingsIdentityChangePrimaryEmailRoute(route httproute.Route) httproute.Route {
+	return route.
+		WithMethods("OPTIONS", "POST", "GET").
+		WithPathPattern(AuthflowV2RouteSettingsIdentityChangePrimaryEmail)
+}
+
+type AuthflowV2SettingsIdentityChangePrimaryEmailViewModel struct {
+	LoginIDKey      string
+	EmailIdentities []*identity.LoginID
+}
+
+type AuthflowV2SettingsIdentityChangePrimaryEmailHandler struct {
+	Database                 *appdb.Handle
+	ControllerFactory        handlerwebapp.ControllerFactory
+	BaseViewModel            *viewmodels.BaseViewModeler
+	SettingsProfileViewModel *viewmodels.SettingsProfileViewModeler
+	Renderer                 handlerwebapp.Renderer
+	Users                    handlerwebapp.SettingsProfileEditUserService
+	StdAttrs                 handlerwebapp.SettingsProfileEditStdAttrsService
+	Identities               *identityservice.Service
+}
+
+func (h *AuthflowV2SettingsIdentityChangePrimaryEmailHandler) GetData(r *http.Request, rw http.ResponseWriter) (map[string]interface{}, error) {
+	data := map[string]interface{}{}
+
+	loginIDKey := r.Form.Get("q_login_id_key")
+
+	baseViewModel := h.BaseViewModel.ViewModel(r, rw)
+	viewmodels.Embed(data, baseViewModel)
+
+	userID := session.GetUserID(r.Context())
+
+	identities, err := h.Identities.LoginID.List(*userID)
+	if err != nil {
+		return nil, err
+	}
+
+	settingsProfileViewModel, err := h.SettingsProfileViewModel.ViewModel(*userID)
+	if err != nil {
+		return nil, err
+	}
+	viewmodels.Embed(data, *settingsProfileViewModel)
+
+	var emailIdentities []*identity.LoginID
+	for _, identity := range identities {
+		if identity.LoginIDType == model.LoginIDKeyTypeEmail {
+			emailIdentities = append(emailIdentities, identity)
+		}
+	}
+
+	sort.Slice(emailIdentities, func(i, j int) bool {
+		return emailIdentities[i].UpdatedAt.Before(emailIdentities[j].UpdatedAt)
+	})
+
+	vm := AuthflowV2SettingsIdentityListEmailViewModel{
+		LoginIDKey:      loginIDKey,
+		EmailIdentities: emailIdentities,
+	}
+	viewmodels.Embed(data, vm)
+
+	return data, nil
+}
+
+func (h *AuthflowV2SettingsIdentityChangePrimaryEmailHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithoutDBTx()
+
+	ctrl.Get(func() error {
+		var data map[string]interface{}
+		err := h.Database.WithTx(func() error {
+			data, err = h.GetData(r, w)
+			return err
+		})
+		if err != nil {
+			return err
+		}
+
+		h.Renderer.RenderHTML(w, r, TemplateWebSettingsIdentityChangePrimaryEmailHTML, data)
+		return nil
+	})
+
+	ctrl.PostAction("save", func() error {
+		userID := *session.GetUserID(r.Context())
+		m := handlerwebapp.JSONPointerFormToMap(r.Form)
+
+		err := h.Database.WithTx(func() error {
+			u, err := h.Users.GetRaw(userID)
+			if err != nil {
+				return err
+			}
+
+			attrs, err := stdattrs.T(u.StandardAttributes).MergedWithForm(m)
+			if err != nil {
+				return err
+			}
+
+			err = h.StdAttrs.UpdateStandardAttributes(config.RoleEndUser, userID, attrs)
+			if err != nil {
+				return err
+			}
+
+			return nil
+		})
+		if err != nil {
+			return err
+		}
+
+		loginIDKey := r.Form.Get("q_login_id_key")
+		redirectURI, err := url.Parse(AuthflowV2RouteSettingsIdentityListEmail)
+		if err != nil {
+			return err
+		}
+		q := redirectURI.Query()
+		q.Set("q_login_id_key", loginIDKey)
+		redirectURI.RawQuery = q.Encode()
+
+		result := webapp.Result{RedirectURI: redirectURI.String()}
+		result.WriteResponse(w, r)
+		return nil
+	})
+}
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_identity_change_primary_phone.go b/pkg/auth/handler/webapp/authflowv2/settings_identity_change_primary_phone.go
new file mode 100644
index 0000000000..a403582d8f
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_identity_change_primary_phone.go
@@ -0,0 +1,146 @@
+package authflowv2
+
+import (
+	"net/http"
+	"net/url"
+
+	"github.com/authgear/authgear-server/pkg/api/model"
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/auth/webapp"
+	"github.com/authgear/authgear-server/pkg/lib/authn/identity"
+	identityservice "github.com/authgear/authgear-server/pkg/lib/authn/identity/service"
+	"github.com/authgear/authgear-server/pkg/lib/authn/stdattrs"
+	"github.com/authgear/authgear-server/pkg/lib/config"
+	"github.com/authgear/authgear-server/pkg/lib/infra/db/appdb"
+	"github.com/authgear/authgear-server/pkg/lib/session"
+	"github.com/authgear/authgear-server/pkg/util/httproute"
+	"github.com/authgear/authgear-server/pkg/util/template"
+)
+
+var TemplateWebSettingsIdentityChangePrimaryPhoneHTML = template.RegisterHTML(
+	"web/authflowv2/settings_identity_change_primary_phone.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+func ConfigureAuthflowV2SettingsIdentityChangePrimaryPhoneRoute(route httproute.Route) httproute.Route {
+	return route.
+		WithMethods("OPTIONS", "POST", "GET").
+		WithPathPattern(AuthflowV2RouteSettingsIdentityChangePrimaryPhone)
+}
+
+type AuthflowV2SettingsIdentityChangePrimaryPhoneViewModel struct {
+	LoginIDKey      string
+	PhoneIdentities []*identity.LoginID
+}
+
+type AuthflowV2SettingsIdentityChangePrimaryPhoneHandler struct {
+	Database                 *appdb.Handle
+	ControllerFactory        handlerwebapp.ControllerFactory
+	BaseViewModel            *viewmodels.BaseViewModeler
+	SettingsProfileViewModel *viewmodels.SettingsProfileViewModeler
+	Renderer                 handlerwebapp.Renderer
+	Users                    handlerwebapp.SettingsProfileEditUserService
+	StdAttrs                 handlerwebapp.SettingsProfileEditStdAttrsService
+	Identities               *identityservice.Service
+}
+
+func (h *AuthflowV2SettingsIdentityChangePrimaryPhoneHandler) GetData(r *http.Request, rw http.ResponseWriter) (map[string]interface{}, error) {
+	data := map[string]interface{}{}
+
+	loginIDKey := r.Form.Get("q_login_id_key")
+
+	baseViewModel := h.BaseViewModel.ViewModel(r, rw)
+	viewmodels.Embed(data, baseViewModel)
+
+	userID := session.GetUserID(r.Context())
+
+	identities, err := h.Identities.LoginID.List(*userID)
+	if err != nil {
+		return nil, err
+	}
+
+	settingsProfileViewModel, err := h.SettingsProfileViewModel.ViewModel(*userID)
+	if err != nil {
+		return nil, err
+	}
+	viewmodels.Embed(data, *settingsProfileViewModel)
+
+	var phoneIdentities []*identity.LoginID
+	for _, identity := range identities {
+		if identity.LoginIDType == model.LoginIDKeyTypePhone {
+			phoneIdentities = append(phoneIdentities, identity)
+		}
+	}
+
+	vm := AuthflowV2SettingsIdentityListPhoneViewModel{
+		LoginIDKey:      loginIDKey,
+		PhoneIdentities: phoneIdentities,
+	}
+	viewmodels.Embed(data, vm)
+
+	return data, nil
+}
+
+func (h *AuthflowV2SettingsIdentityChangePrimaryPhoneHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithoutDBTx()
+
+	ctrl.Get(func() error {
+		var data map[string]interface{}
+		err := h.Database.WithTx(func() error {
+			data, err = h.GetData(r, w)
+			return err
+		})
+		if err != nil {
+			return err
+		}
+
+		h.Renderer.RenderHTML(w, r, TemplateWebSettingsIdentityChangePrimaryPhoneHTML, data)
+		return nil
+	})
+
+	ctrl.PostAction("save", func() error {
+		userID := *session.GetUserID(r.Context())
+		m := handlerwebapp.JSONPointerFormToMap(r.Form)
+
+		err := h.Database.WithTx(func() error {
+			u, err := h.Users.GetRaw(userID)
+			if err != nil {
+				return err
+			}
+
+			attrs, err := stdattrs.T(u.StandardAttributes).MergedWithForm(m)
+			if err != nil {
+				return err
+			}
+
+			err = h.StdAttrs.UpdateStandardAttributes(config.RoleEndUser, userID, attrs)
+			if err != nil {
+				return err
+			}
+
+			return nil
+		})
+		if err != nil {
+			return err
+		}
+
+		loginIDKey := r.Form.Get("q_login_id_key")
+		redirectURI, err := url.Parse(AuthflowV2RouteSettingsIdentityListPhone)
+		if err != nil {
+			return err
+		}
+		q := redirectURI.Query()
+		q.Set("q_login_id_key", loginIDKey)
+		redirectURI.RawQuery = q.Encode()
+
+		result := webapp.Result{RedirectURI: redirectURI.String()}
+		result.WriteResponse(w, r)
+		return nil
+	})
+}
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_identity_edit_email.go b/pkg/auth/handler/webapp/authflowv2/settings_identity_edit_email.go
new file mode 100644
index 0000000000..dc70503a64
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_identity_edit_email.go
@@ -0,0 +1,153 @@
+package authflowv2
+
+import (
+	"net/http"
+	"net/url"
+
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/auth/webapp"
+	"github.com/authgear/authgear-server/pkg/lib/accountmanagement"
+	"github.com/authgear/authgear-server/pkg/lib/authn/identity"
+	identityservice "github.com/authgear/authgear-server/pkg/lib/authn/identity/service"
+	"github.com/authgear/authgear-server/pkg/lib/infra/db/appdb"
+	"github.com/authgear/authgear-server/pkg/lib/session"
+	"github.com/authgear/authgear-server/pkg/util/httproute"
+	"github.com/authgear/authgear-server/pkg/util/template"
+	"github.com/authgear/authgear-server/pkg/util/validation"
+)
+
+var TemplateWebSettingsIdentityEditEmailHTML = template.RegisterHTML(
+	"web/authflowv2/settings_identity_edit_email.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+var AuthflowV2SettingsIdentityEditEmailSchema = validation.NewSimpleSchema(`
+	{
+		"type": "object",
+		"properties": {
+			"x_login_id": { "type": "string" },
+			"x_identity_id": { "type": "string" }
+		},
+		"required": ["x_login_id", "x_identity_id"]
+	}
+`)
+
+func ConfigureAuthflowV2SettingsIdentityEditEmailRoute(route httproute.Route) httproute.Route {
+	return route.
+		WithMethods("OPTIONS", "POST", "GET").
+		WithPathPattern(AuthflowV2RouteSettingsIdentityEditEmail)
+}
+
+type AuthflowV2SettingsIdentityEditEmailViewModel struct {
+	LoginIDKey string
+	Target     *identity.LoginID
+}
+
+type AuthflowV2SettingsIdentityEditEmailHandler struct {
+	Database          *appdb.Handle
+	ControllerFactory handlerwebapp.ControllerFactory
+	BaseViewModel     *viewmodels.BaseViewModeler
+	Renderer          handlerwebapp.Renderer
+	AccountManagement accountmanagement.Service
+	Identities        *identityservice.Service
+}
+
+func (h *AuthflowV2SettingsIdentityEditEmailHandler) GetData(r *http.Request, rw http.ResponseWriter) (map[string]interface{}, error) {
+	data := map[string]interface{}{}
+
+	loginIDKey := r.Form.Get("q_login_id_key")
+	identityID := r.Form.Get("q_identity_id")
+
+	userID := session.GetUserID(r.Context())
+
+	baseViewModel := h.BaseViewModel.ViewModel(r, rw)
+	viewmodels.Embed(data, baseViewModel)
+
+	target, err := h.Identities.LoginID.Get(*userID, identityID)
+	if err != nil {
+		return nil, err
+	}
+
+	vm := AuthflowV2SettingsIdentityEditEmailViewModel{
+		LoginIDKey: loginIDKey,
+		Target:     target,
+	}
+	viewmodels.Embed(data, vm)
+
+	return data, nil
+}
+
+func (h *AuthflowV2SettingsIdentityEditEmailHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithoutDBTx()
+
+	ctrl.Get(func() error {
+		var data map[string]interface{}
+		err = h.Database.WithTx(func() error {
+			data, err = h.GetData(r, w)
+			if err != nil {
+				return err
+			}
+			return nil
+		})
+		if err != nil {
+			return err
+		}
+
+		h.Renderer.RenderHTML(w, r, TemplateWebSettingsIdentityEditEmailHTML, data)
+		return nil
+	})
+
+	ctrl.PostAction("", func() error {
+
+		loginIDKey := r.Form.Get("q_login_id_key")
+
+		err := AuthflowV2SettingsIdentityEditEmailSchema.Validator().ValidateValue(handlerwebapp.FormToJSON(r.Form))
+		if err != nil {
+			return err
+		}
+
+		loginID := r.Form.Get("x_login_id")
+		identityID := r.Form.Get("x_identity_id")
+
+		s := session.GetSession(r.Context())
+		output, err := h.AccountManagement.StartUpdateIdentityEmail(s, &accountmanagement.StartUpdateIdentityEmailInput{
+			LoginID:    loginID,
+			LoginIDKey: loginIDKey,
+			IdentityID: identityID,
+		})
+		if err != nil {
+			return err
+		}
+
+		var redirectURI *url.URL
+		if output.NeedVerification {
+			redirectURI, err = url.Parse(AuthflowV2RouteSettingsIdentityVerifyEmail)
+
+			q := redirectURI.Query()
+			q.Set("q_login_id_key", loginIDKey)
+			q.Set("q_token", output.Token)
+
+			redirectURI.RawQuery = q.Encode()
+		} else {
+			redirectURI, err = url.Parse(AuthflowV2RouteSettingsIdentityListEmail)
+
+			q := redirectURI.Query()
+			q.Set("q_login_id_key", loginIDKey)
+
+			redirectURI.RawQuery = q.Encode()
+		}
+		if err != nil {
+			return err
+		}
+
+		result := webapp.Result{RedirectURI: redirectURI.String()}
+		result.WriteResponse(w, r)
+		return nil
+	})
+}
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_identity_edit_phone.go b/pkg/auth/handler/webapp/authflowv2/settings_identity_edit_phone.go
new file mode 100644
index 0000000000..f7de237d3b
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_identity_edit_phone.go
@@ -0,0 +1,155 @@
+package authflowv2
+
+import (
+	"net/http"
+	"net/url"
+
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/auth/webapp"
+	"github.com/authgear/authgear-server/pkg/lib/accountmanagement"
+	"github.com/authgear/authgear-server/pkg/lib/authn/identity"
+	identityservice "github.com/authgear/authgear-server/pkg/lib/authn/identity/service"
+	"github.com/authgear/authgear-server/pkg/lib/config"
+	"github.com/authgear/authgear-server/pkg/lib/infra/db/appdb"
+	"github.com/authgear/authgear-server/pkg/lib/session"
+	"github.com/authgear/authgear-server/pkg/util/httproute"
+	"github.com/authgear/authgear-server/pkg/util/template"
+	"github.com/authgear/authgear-server/pkg/util/validation"
+)
+
+var TemplateWebSettingsIdentityEditPhoneHTML = template.RegisterHTML(
+	"web/authflowv2/settings_identity_edit_phone.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+var AuthflowV2SettingsIdentityEditPhoneSchema = validation.NewSimpleSchema(`
+	{
+		"type": "object",
+		"properties": {
+			"x_login_id": { "type": "string" },
+			"x_identity_id": { "type": "string" }
+		},
+		"required": ["x_login_id", "x_identity_id"]
+	}
+`)
+
+func ConfigureAuthflowV2SettingsIdentityEditPhoneRoute(route httproute.Route) httproute.Route {
+	return route.
+		WithMethods("OPTIONS", "POST", "GET").
+		WithPathPattern(AuthflowV2RouteSettingsIdentityEditPhone)
+}
+
+type AuthflowV2SettingsIdentityEditPhoneViewModel struct {
+	LoginIDKey string
+	Target     *identity.LoginID
+}
+
+type AuthflowV2SettingsIdentityEditPhoneHandler struct {
+	Database            *appdb.Handle
+	ControllerFactory   handlerwebapp.ControllerFactory
+	BaseViewModel       *viewmodels.BaseViewModeler
+	Renderer            handlerwebapp.Renderer
+	AuthenticatorConfig *config.AuthenticatorConfig
+	AccountManagement   accountmanagement.Service
+	Identities          *identityservice.Service
+}
+
+func (h *AuthflowV2SettingsIdentityEditPhoneHandler) GetData(r *http.Request, rw http.ResponseWriter) (map[string]interface{}, error) {
+	data := map[string]interface{}{}
+
+	loginIDKey := r.Form.Get("q_login_id_key")
+	identityID := r.Form.Get("q_identity_id")
+
+	userID := session.GetUserID(r.Context())
+
+	baseViewModel := h.BaseViewModel.ViewModel(r, rw)
+	viewmodels.Embed(data, baseViewModel)
+
+	target, err := h.Identities.LoginID.Get(*userID, identityID)
+	if err != nil {
+		return nil, err
+	}
+
+	vm := AuthflowV2SettingsIdentityEditPhoneViewModel{
+		LoginIDKey: loginIDKey,
+		Target:     target,
+	}
+	viewmodels.Embed(data, vm)
+
+	return data, nil
+}
+
+func (h *AuthflowV2SettingsIdentityEditPhoneHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithoutDBTx()
+
+	ctrl.Get(func() error {
+		var data map[string]interface{}
+		err = h.Database.WithTx(func() error {
+			data, err = h.GetData(r, w)
+			if err != nil {
+				return err
+			}
+			return nil
+		})
+		if err != nil {
+			return err
+		}
+
+		h.Renderer.RenderHTML(w, r, TemplateWebSettingsIdentityEditPhoneHTML, data)
+		return nil
+	})
+
+	ctrl.PostAction("", func() error {
+
+		loginIDKey := r.Form.Get("q_login_id_key")
+
+		err := AuthflowV2SettingsIdentityEditPhoneSchema.Validator().ValidateValue(handlerwebapp.FormToJSON(r.Form))
+		if err != nil {
+			return err
+		}
+
+		loginID := r.Form.Get("x_login_id")
+		identityID := r.Form.Get("x_identity_id")
+
+		s := session.GetSession(r.Context())
+		output, err := h.AccountManagement.StartUpdateIdentityPhone(s, &accountmanagement.StartUpdateIdentityPhoneInput{
+			LoginID:    loginID,
+			LoginIDKey: loginIDKey,
+			IdentityID: identityID,
+		})
+		if err != nil {
+			return err
+		}
+
+		var redirectURI *url.URL
+		if output.NeedVerification {
+			redirectURI, err = url.Parse(AuthflowV2RouteSettingsIdentityVerifyPhone)
+
+			q := redirectURI.Query()
+			q.Set("q_login_id_key", loginIDKey)
+			q.Set("q_token", output.Token)
+
+			redirectURI.RawQuery = q.Encode()
+		} else {
+			redirectURI, err = url.Parse(AuthflowV2RouteSettingsIdentityListPhone)
+
+			q := redirectURI.Query()
+			q.Set("q_login_id_key", loginIDKey)
+
+			redirectURI.RawQuery = q.Encode()
+		}
+		if err != nil {
+			return err
+		}
+
+		result := webapp.Result{RedirectURI: redirectURI.String()}
+		result.WriteResponse(w, r)
+		return nil
+	})
+}
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_identity_edit_username.go b/pkg/auth/handler/webapp/authflowv2/settings_identity_edit_username.go
new file mode 100644
index 0000000000..bd1386a819
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_identity_edit_username.go
@@ -0,0 +1,127 @@
+package authflowv2
+
+import (
+	"net/http"
+	"net/url"
+
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/auth/webapp"
+	"github.com/authgear/authgear-server/pkg/lib/accountmanagement"
+	"github.com/authgear/authgear-server/pkg/lib/authn/identity"
+	identityservice "github.com/authgear/authgear-server/pkg/lib/authn/identity/service"
+	"github.com/authgear/authgear-server/pkg/lib/infra/db/appdb"
+	"github.com/authgear/authgear-server/pkg/lib/session"
+	"github.com/authgear/authgear-server/pkg/util/httproute"
+	"github.com/authgear/authgear-server/pkg/util/template"
+	"github.com/authgear/authgear-server/pkg/util/validation"
+)
+
+var TemplateSettingsIdentityEditUsernameTemplate = template.RegisterHTML(
+	"web/authflowv2/settings_identity_edit_username.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+var AuthflowV2SettingsIdentityEditUsernameSchema = validation.NewSimpleSchema(`
+	{
+		"type": "object",
+		"properties": {
+			"x_login_id_key": { "type": "string" },
+			"x_login_id": { "type": "string" },
+			"x_identity_id": { "type": "string" }
+		},
+		"required": ["x_login_id_key", "x_login_id", "x_identity_id"]
+	}
+`)
+
+func ConfigureAuthflowV2SettingsIdentityEditUsername(route httproute.Route) httproute.Route {
+	return route.
+		WithMethods("OPTIONS", "POST", "GET").
+		WithPathPattern(AuthflowV2RouteSettingsIdentityEditUsername)
+}
+
+type AuthflowV2SettingsIdentityEditUsernameViewModel struct {
+	Identity *identity.LoginID
+}
+
+type AuthflowV2SettingsIdentityEditUsernameHandler struct {
+	Database          *appdb.Handle
+	AccountManagement *accountmanagement.Service
+	Identities        *identityservice.Service
+	ControllerFactory handlerwebapp.ControllerFactory
+	BaseViewModel     *viewmodels.BaseViewModeler
+	Renderer          handlerwebapp.Renderer
+}
+
+func (h *AuthflowV2SettingsIdentityEditUsernameHandler) GetData(w http.ResponseWriter, r *http.Request) (map[string]interface{}, error) {
+	data := map[string]interface{}{}
+	baseViewModel := h.BaseViewModel.ViewModel(r, w)
+	viewmodels.Embed(data, baseViewModel)
+
+	userID := session.GetUserID(r.Context())
+	loginID := r.Form.Get("q_login_id")
+	usernameIdentity, err := h.Identities.LoginID.Get(*userID, loginID)
+	if err != nil {
+		return nil, err
+	}
+
+	vm := AuthflowV2SettingsIdentityEditUsernameViewModel{
+		Identity: usernameIdentity,
+	}
+	viewmodels.Embed(data, vm)
+
+	return data, nil
+}
+
+func (h *AuthflowV2SettingsIdentityEditUsernameHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithoutDBTx()
+
+	ctrl.Get(func() error {
+		var data map[string]interface{}
+		err := h.Database.WithTx(func() error {
+			data, err = h.GetData(w, r)
+			return err
+		})
+		if err != nil {
+			return err
+		}
+		h.Renderer.RenderHTML(w, r, TemplateSettingsIdentityEditUsernameTemplate, data)
+		return nil
+	})
+
+	ctrl.PostAction("", func() error {
+		err := AuthflowV2SettingsIdentityEditUsernameSchema.Validator().ValidateValue(handlerwebapp.FormToJSON(r.Form))
+		if err != nil {
+			return err
+		}
+		identityID := r.Form.Get("x_identity_id")
+		loginIDKey := r.Form.Get("x_login_id_key")
+		loginID := r.Form.Get("x_login_id")
+		resolvedSession := session.GetSession(r.Context())
+		_, err = h.AccountManagement.UpdateIdentityUsername(resolvedSession, &accountmanagement.UpdateIdentityUsernameInput{
+			IdentityID: identityID,
+			LoginIDKey: loginIDKey,
+			LoginID:    loginID,
+		})
+		if err != nil {
+			return err
+		}
+
+		redirectURI, err := url.Parse(AuthflowV2RouteSettingsIdentityListUsername)
+		if err != nil {
+			return err
+		}
+		q := redirectURI.Query()
+		q.Set("q_login_id_key", loginIDKey)
+		redirectURI.RawQuery = q.Encode()
+		result := webapp.Result{RedirectURI: redirectURI.String()}
+		result.WriteResponse(w, r)
+
+		return nil
+	})
+}
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_identity_list_email.go b/pkg/auth/handler/webapp/authflowv2/settings_identity_list_email.go
new file mode 100644
index 0000000000..807d6b37c8
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_identity_list_email.go
@@ -0,0 +1,132 @@
+package authflowv2
+
+import (
+	"net/http"
+	"sort"
+
+	"github.com/authgear/authgear-server/pkg/api/model"
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/lib/authn/identity"
+	identityservice "github.com/authgear/authgear-server/pkg/lib/authn/identity/service"
+	"github.com/authgear/authgear-server/pkg/lib/config"
+	"github.com/authgear/authgear-server/pkg/lib/feature/verification"
+	"github.com/authgear/authgear-server/pkg/lib/infra/db/appdb"
+	"github.com/authgear/authgear-server/pkg/lib/session"
+	"github.com/authgear/authgear-server/pkg/util/httproute"
+	"github.com/authgear/authgear-server/pkg/util/template"
+)
+
+var TemplateWebSettingsIdentityListEmailHTML = template.RegisterHTML(
+	"web/authflowv2/settings_identity_list_email.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+func ConfigureAuthflowV2SettingsIdentityListEmailRoute(route httproute.Route) httproute.Route {
+	return route.
+		WithMethods("OPTIONS", "POST", "GET").
+		WithPathPattern(AuthflowV2RouteSettingsIdentityListEmail)
+}
+
+type AuthflowV2SettingsIdentityListEmailViewModel struct {
+	LoginIDKey      string
+	PrimaryEmail    *identity.LoginID
+	EmailIdentities []*identity.LoginID
+	Verifications   map[string][]verification.ClaimStatus
+	CreateDisabled  bool
+}
+
+type AuthflowV2SettingsIdentityListEmailHandler struct {
+	Database                 *appdb.Handle
+	LoginIDConfig            *config.LoginIDConfig
+	Identities               *identityservice.Service
+	ControllerFactory        handlerwebapp.ControllerFactory
+	BaseViewModel            *viewmodels.BaseViewModeler
+	Verification             handlerwebapp.SettingsVerificationService
+	SettingsProfileViewModel *viewmodels.SettingsProfileViewModeler
+	Renderer                 handlerwebapp.Renderer
+}
+
+func (h *AuthflowV2SettingsIdentityListEmailHandler) GetData(r *http.Request, rw http.ResponseWriter) (map[string]interface{}, error) {
+	data := map[string]interface{}{}
+
+	loginIDKey := r.Form.Get("q_login_id_key")
+
+	baseViewModel := h.BaseViewModel.ViewModel(r, rw)
+	viewmodels.Embed(data, baseViewModel)
+
+	userID := session.GetUserID(r.Context())
+
+	identities, err := h.Identities.LoginID.List(*userID)
+	if err != nil {
+		return nil, err
+	}
+
+	settingsProfileViewModel, err := h.SettingsProfileViewModel.ViewModel(*userID)
+	if err != nil {
+		return nil, err
+	}
+
+	var primary *identity.LoginID
+	var emailIdentities []*identity.LoginID
+	var emailInfos []*identity.Info
+	for _, identity := range identities {
+		if identity.LoginIDType == model.LoginIDKeyTypeEmail {
+			if loginIDKey == "" || identity.LoginIDKey == loginIDKey {
+				emailIdentities = append(emailIdentities, identity)
+				emailInfos = append(emailInfos, identity.ToInfo())
+				if identity.LoginID == settingsProfileViewModel.Email {
+					primary = identity
+				}
+			}
+		}
+	}
+
+	sort.Slice(emailIdentities, func(i, j int) bool {
+		return emailIdentities[i].UpdatedAt.Before(emailIdentities[j].UpdatedAt)
+	})
+
+	verifications, err := h.Verification.GetVerificationStatuses(emailInfos)
+	if err != nil {
+		return nil, err
+	}
+
+	createDisabled := true
+	if loginIDConfig, ok := h.LoginIDConfig.GetKeyConfig(loginIDKey); ok {
+		createDisabled = *loginIDConfig.CreateDisabled
+	}
+
+	vm := AuthflowV2SettingsIdentityListEmailViewModel{
+		LoginIDKey:      loginIDKey,
+		EmailIdentities: emailIdentities,
+		Verifications:   verifications,
+		CreateDisabled:  createDisabled,
+		PrimaryEmail:    primary,
+	}
+	viewmodels.Embed(data, vm)
+
+	return data, nil
+}
+
+func (h *AuthflowV2SettingsIdentityListEmailHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithoutDBTx()
+
+	ctrl.Get(func() error {
+		var data map[string]interface{}
+		err := h.Database.WithTx(func() error {
+			data, err = h.GetData(r, w)
+			return err
+		})
+		if err != nil {
+			return err
+		}
+
+		h.Renderer.RenderHTML(w, r, TemplateWebSettingsIdentityListEmailHTML, data)
+		return nil
+	})
+}
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_identity_list_phone.go b/pkg/auth/handler/webapp/authflowv2/settings_identity_list_phone.go
new file mode 100644
index 0000000000..721d6019c9
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_identity_list_phone.go
@@ -0,0 +1,132 @@
+package authflowv2
+
+import (
+	"net/http"
+	"sort"
+
+	"github.com/authgear/authgear-server/pkg/api/model"
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/lib/authn/identity"
+	identityservice "github.com/authgear/authgear-server/pkg/lib/authn/identity/service"
+	"github.com/authgear/authgear-server/pkg/lib/config"
+	"github.com/authgear/authgear-server/pkg/lib/feature/verification"
+	"github.com/authgear/authgear-server/pkg/lib/infra/db/appdb"
+	"github.com/authgear/authgear-server/pkg/lib/session"
+	"github.com/authgear/authgear-server/pkg/util/httproute"
+	"github.com/authgear/authgear-server/pkg/util/template"
+)
+
+var TemplateWebSettingsIdentityListPhoneHTML = template.RegisterHTML(
+	"web/authflowv2/settings_identity_list_phone.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+func ConfigureAuthflowV2SettingsIdentityListPhoneRoute(route httproute.Route) httproute.Route {
+	return route.
+		WithMethods("OPTIONS", "POST", "GET").
+		WithPathPattern(AuthflowV2RouteSettingsIdentityListPhone)
+}
+
+type AuthflowV2SettingsIdentityListPhoneViewModel struct {
+	LoginIDKey      string
+	PrimaryPhone    *identity.LoginID
+	PhoneIdentities []*identity.LoginID
+	Verifications   map[string][]verification.ClaimStatus
+	CreateDisabled  bool
+}
+
+type AuthflowV2SettingsIdentityListPhoneHandler struct {
+	Database                 *appdb.Handle
+	LoginIDConfig            *config.LoginIDConfig
+	Identities               *identityservice.Service
+	ControllerFactory        handlerwebapp.ControllerFactory
+	BaseViewModel            *viewmodels.BaseViewModeler
+	Verification             handlerwebapp.SettingsVerificationService
+	SettingsProfileViewModel *viewmodels.SettingsProfileViewModeler
+	Renderer                 handlerwebapp.Renderer
+}
+
+func (h *AuthflowV2SettingsIdentityListPhoneHandler) GetData(r *http.Request, rw http.ResponseWriter) (map[string]interface{}, error) {
+	data := map[string]interface{}{}
+
+	loginIDKey := r.Form.Get("q_login_id_key")
+
+	baseViewModel := h.BaseViewModel.ViewModel(r, rw)
+	viewmodels.Embed(data, baseViewModel)
+
+	userID := session.GetUserID(r.Context())
+
+	identities, err := h.Identities.LoginID.List(*userID)
+	if err != nil {
+		return nil, err
+	}
+
+	settingsProfileViewModel, err := h.SettingsProfileViewModel.ViewModel(*userID)
+	if err != nil {
+		return nil, err
+	}
+
+	var primary *identity.LoginID
+	var phoneIdentities []*identity.LoginID
+	var phoneInfos []*identity.Info
+	for _, identity := range identities {
+		if identity.LoginIDType == model.LoginIDKeyTypePhone {
+			if loginIDKey == "" || identity.LoginIDKey == loginIDKey {
+				phoneIdentities = append(phoneIdentities, identity)
+				phoneInfos = append(phoneInfos, identity.ToInfo())
+				if identity.LoginID == settingsProfileViewModel.PhoneNumber {
+					primary = identity
+				}
+			}
+		}
+	}
+
+	sort.Slice(phoneIdentities, func(i, j int) bool {
+		return phoneIdentities[i].UpdatedAt.Before(phoneIdentities[j].UpdatedAt)
+	})
+
+	verifications, err := h.Verification.GetVerificationStatuses(phoneInfos)
+	if err != nil {
+		return nil, err
+	}
+
+	createDisabled := true
+	if loginIDConfig, ok := h.LoginIDConfig.GetKeyConfig(loginIDKey); ok {
+		createDisabled = *loginIDConfig.CreateDisabled
+	}
+
+	vm := AuthflowV2SettingsIdentityListPhoneViewModel{
+		LoginIDKey:      loginIDKey,
+		PhoneIdentities: phoneIdentities,
+		Verifications:   verifications,
+		CreateDisabled:  createDisabled,
+		PrimaryPhone:    primary,
+	}
+	viewmodels.Embed(data, vm)
+
+	return data, nil
+}
+
+func (h *AuthflowV2SettingsIdentityListPhoneHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithoutDBTx()
+
+	ctrl.Get(func() error {
+		var data map[string]interface{}
+		err := h.Database.WithTx(func() error {
+			data, err = h.GetData(r, w)
+			return err
+		})
+		if err != nil {
+			return err
+		}
+
+		h.Renderer.RenderHTML(w, r, TemplateWebSettingsIdentityListPhoneHTML, data)
+		return nil
+	})
+}
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_identity_list_username.go b/pkg/auth/handler/webapp/authflowv2/settings_identity_list_username.go
new file mode 100644
index 0000000000..43106ce536
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_identity_list_username.go
@@ -0,0 +1,101 @@
+package authflowv2
+
+import (
+	"net/http"
+
+	"github.com/authgear/authgear-server/pkg/api/model"
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/lib/authn/identity"
+	identityservice "github.com/authgear/authgear-server/pkg/lib/authn/identity/service"
+	"github.com/authgear/authgear-server/pkg/lib/config"
+	"github.com/authgear/authgear-server/pkg/lib/infra/db/appdb"
+	"github.com/authgear/authgear-server/pkg/lib/session"
+	"github.com/authgear/authgear-server/pkg/util/httproute"
+	"github.com/authgear/authgear-server/pkg/util/template"
+)
+
+var TemplateSettingsIdentityListUsernameTemplate = template.RegisterHTML(
+	"web/authflowv2/settings_identity_list_username.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+func ConfigureAuthflowV2SettingsIdentityListUsername(route httproute.Route) httproute.Route {
+	return route.
+		WithMethods("OPTIONS", "POST", "GET").
+		WithPathPattern(AuthflowV2RouteSettingsIdentityListUsername)
+}
+
+type AuthflowV2SettingsIdentityListUsernameViewModel struct {
+	LoginIDKey         string
+	UsernameIdentities []*identity.LoginID // Expect to be all username login id
+	CreateDisabled     bool
+}
+
+type AuthflowV2SettingsIdentityListUsernameHandler struct {
+	Database          *appdb.Handle
+	LoginIDConfig     *config.LoginIDConfig
+	Identities        *identityservice.Service
+	ControllerFactory handlerwebapp.ControllerFactory
+	BaseViewModel     *viewmodels.BaseViewModeler
+	Renderer          handlerwebapp.Renderer
+}
+
+func (h *AuthflowV2SettingsIdentityListUsernameHandler) GetData(w http.ResponseWriter, r *http.Request) (map[string]interface{}, error) {
+	loginIDKey := r.Form.Get("q_login_id_key")
+	data := map[string]interface{}{}
+	baseViewModel := h.BaseViewModel.ViewModel(r, w)
+	viewmodels.Embed(data, baseViewModel)
+
+	userID := session.GetUserID(r.Context())
+
+	identities, err := h.Identities.LoginID.List(*userID)
+	if err != nil {
+		return nil, err
+	}
+
+	var usernameIdentities []*identity.LoginID
+	for _, identity := range identities {
+		if identity.LoginIDType == model.LoginIDKeyTypeUsername {
+			if loginIDKey == "" || identity.LoginIDKey == loginIDKey {
+				usernameIdentities = append(usernameIdentities, identity)
+			}
+		}
+	}
+
+	createDisabled := true
+	if loginIDConfig, ok := h.LoginIDConfig.GetKeyConfig(loginIDKey); ok {
+		createDisabled = *loginIDConfig.CreateDisabled
+	}
+
+	vm := AuthflowV2SettingsIdentityListUsernameViewModel{
+		LoginIDKey:         loginIDKey,
+		UsernameIdentities: usernameIdentities,
+		CreateDisabled:     createDisabled,
+	}
+	viewmodels.Embed(data, vm)
+
+	return data, nil
+}
+
+func (h *AuthflowV2SettingsIdentityListUsernameHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithoutDBTx()
+
+	ctrl.Get(func() error {
+		var data map[string]interface{}
+		err := h.Database.WithTx(func() error {
+			data, err = h.GetData(w, r)
+			return err
+		})
+		if err != nil {
+			return err
+		}
+		h.Renderer.RenderHTML(w, r, TemplateSettingsIdentityListUsernameTemplate, data)
+		return nil
+	})
+}
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_identity_new_username.go b/pkg/auth/handler/webapp/authflowv2/settings_identity_new_username.go
new file mode 100644
index 0000000000..058c1110d1
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_identity_new_username.go
@@ -0,0 +1,115 @@
+package authflowv2
+
+import (
+	"net/http"
+	"net/url"
+
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/auth/webapp"
+	"github.com/authgear/authgear-server/pkg/lib/accountmanagement"
+	"github.com/authgear/authgear-server/pkg/lib/infra/db/appdb"
+	"github.com/authgear/authgear-server/pkg/lib/session"
+	"github.com/authgear/authgear-server/pkg/util/httproute"
+	"github.com/authgear/authgear-server/pkg/util/template"
+	"github.com/authgear/authgear-server/pkg/util/validation"
+)
+
+var TemplateSettingsIdentityNewUsernameTemplate = template.RegisterHTML(
+	"web/authflowv2/settings_identity_new_username.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+var AuthflowV2SettingsIdentityNewUsernameSchema = validation.NewSimpleSchema(`
+	{
+		"type": "object",
+		"properties": {
+			"x_login_id_key": { "type": "string" },
+			"x_login_id": { "type": "string" }
+		},
+		"required": ["x_login_id_key", "x_login_id"]
+	}
+`)
+
+func ConfigureAuthflowV2SettingsIdentityNewUsername(route httproute.Route) httproute.Route {
+	return route.
+		WithMethods("OPTIONS", "POST", "GET").
+		WithPathPattern(AuthflowV2RouteSettingsIdentityNewUsername)
+}
+
+type AuthflowV2SettingsIdentityNewUsernameViewModel struct {
+	LoginIDKey string
+}
+
+type AuthflowV2SettingsIdentityNewUsernameHandler struct {
+	Database          *appdb.Handle
+	AccountManagement *accountmanagement.Service
+	ControllerFactory handlerwebapp.ControllerFactory
+	BaseViewModel     *viewmodels.BaseViewModeler
+	Renderer          handlerwebapp.Renderer
+}
+
+func (h *AuthflowV2SettingsIdentityNewUsernameHandler) GetData(w http.ResponseWriter, r *http.Request) (map[string]interface{}, error) {
+	data := map[string]interface{}{}
+	baseViewModel := h.BaseViewModel.ViewModel(r, w)
+	viewmodels.Embed(data, baseViewModel)
+
+	loginIDKey := r.Form.Get("q_login_id_key")
+	vm := AuthflowV2SettingsIdentityNewUsernameViewModel{
+		LoginIDKey: loginIDKey,
+	}
+	viewmodels.Embed(data, vm)
+
+	return data, nil
+}
+
+func (h *AuthflowV2SettingsIdentityNewUsernameHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithoutDBTx()
+
+	ctrl.Get(func() error {
+		var data map[string]interface{}
+		err := h.Database.WithTx(func() error {
+			data, err = h.GetData(w, r)
+			return err
+		})
+		if err != nil {
+			return err
+		}
+		h.Renderer.RenderHTML(w, r, TemplateSettingsIdentityNewUsernameTemplate, data)
+		return nil
+	})
+
+	ctrl.PostAction("", func() error {
+		err := AuthflowV2SettingsIdentityNewUsernameSchema.Validator().ValidateValue(handlerwebapp.FormToJSON(r.Form))
+		if err != nil {
+			return err
+		}
+		loginIDKey := r.Form.Get("x_login_id_key")
+		loginID := r.Form.Get("x_login_id")
+		resolvedSession := session.GetSession(r.Context())
+		_, err = h.AccountManagement.AddIdentityUsername(resolvedSession, &accountmanagement.AddIdentityUsernameInput{
+			LoginIDKey: loginIDKey,
+			LoginID:    loginID,
+		})
+		if err != nil {
+			return err
+		}
+
+		redirectURI, err := url.Parse(AuthflowV2RouteSettingsIdentityListUsername)
+		if err != nil {
+			return err
+		}
+		q := redirectURI.Query()
+		q.Set("q_login_id_key", loginIDKey)
+		redirectURI.RawQuery = q.Encode()
+		result := webapp.Result{RedirectURI: redirectURI.String()}
+		result.WriteResponse(w, r)
+
+		return nil
+	})
+}
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_identity_verify_email.go b/pkg/auth/handler/webapp/authflowv2/settings_identity_verify_email.go
new file mode 100644
index 0000000000..82731480cd
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_identity_verify_email.go
@@ -0,0 +1,189 @@
+package authflowv2
+
+import (
+	"math"
+	"net/http"
+	"net/url"
+
+	"github.com/authgear/authgear-server/pkg/api/model"
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/auth/webapp"
+	"github.com/authgear/authgear-server/pkg/lib/accountmanagement"
+	"github.com/authgear/authgear-server/pkg/lib/authn/otp"
+	"github.com/authgear/authgear-server/pkg/lib/config"
+	"github.com/authgear/authgear-server/pkg/lib/infra/db/appdb"
+	"github.com/authgear/authgear-server/pkg/lib/infra/mail"
+	"github.com/authgear/authgear-server/pkg/lib/session"
+	"github.com/authgear/authgear-server/pkg/util/clock"
+	"github.com/authgear/authgear-server/pkg/util/httproute"
+	"github.com/authgear/authgear-server/pkg/util/template"
+	"github.com/authgear/authgear-server/pkg/util/validation"
+)
+
+var TemplateWebSettingsIdentityVerifyEmailHTML = template.RegisterHTML(
+	"web/authflowv2/settings_identity_verify_email.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+var AuthflowV2SettingsIdentityVerifyEmailSchema = validation.NewSimpleSchema(`
+	{
+		"type": "object",
+		"properties": {
+			"x_login_id_key": { "type": "string" },
+			"q_token": { "type": "string" },
+			"x_code": { "type": "string" }
+		},
+		"required": ["x_login_id_key", "q_token", "x_code"]
+	}
+`)
+
+var AuthflowV2SettingsIdentityResendEmailSchema = validation.NewSimpleSchema(`
+	{
+		"type": "object",
+		"properties": {
+			"q_token": { "type": "string" }
+		},
+		"required": ["q_token"]
+	}
+`)
+
+func ConfigureAuthflowV2SettingsIdentityVerifyEmailRoute(route httproute.Route) httproute.Route {
+	return route.
+		WithMethods("OPTIONS", "POST", "GET").
+		WithPathPattern(AuthflowV2RouteSettingsIdentityVerifyEmail)
+}
+
+type AuthflowV2SettingsIdentityVerifyEmailViewModel struct {
+	LoginIDKey string
+	LoginID    string
+	Token      string
+
+	CodeLength                     int
+	MaskedClaimValue               string
+	ResendCooldown                 int
+	FailedAttemptRateLimitExceeded bool
+}
+
+type AuthflowV2SettingsIdentityVerifyEmailHandler struct {
+	Database            *appdb.Handle
+	ControllerFactory   handlerwebapp.ControllerFactory
+	BaseViewModel       *viewmodels.BaseViewModeler
+	OTPCodeService      handlerwebapp.OTPCodeService
+	Renderer            handlerwebapp.Renderer
+	AccountManagement   accountmanagement.Service
+	Clock               clock.Clock
+	Config              *config.AppConfig
+	AuthenticatorConfig *config.AuthenticatorConfig
+}
+
+func (h *AuthflowV2SettingsIdentityVerifyEmailHandler) GetData(r *http.Request, rw http.ResponseWriter) (map[string]interface{}, error) {
+	data := map[string]interface{}{}
+
+	loginIDKey := r.Form.Get("q_login_id_key")
+	tokenString := r.Form.Get("q_token")
+
+	baseViewModel := h.BaseViewModel.ViewModel(r, rw)
+	viewmodels.Embed(data, baseViewModel)
+
+	s := session.GetSession(r.Context())
+	token, err := h.AccountManagement.GetToken(s, tokenString)
+	if err != nil {
+		return nil, err
+	}
+
+	vm := AuthflowV2SettingsIdentityVerifyEmailViewModel{
+		LoginIDKey: loginIDKey,
+		LoginID:    token.Identity.Email,
+		Token:      tokenString,
+
+		CodeLength:       6,
+		MaskedClaimValue: mail.MaskAddress(token.Identity.Email),
+	}
+
+	state, err := h.OTPCodeService.InspectState(otp.KindVerification(h.Config, model.AuthenticatorOOBChannelEmail), token.Identity.Email)
+	if err != nil {
+		return nil, err
+	}
+	cooldown := int(math.Ceil(state.CanResendAt.Sub(h.Clock.NowUTC()).Seconds())) // Use ceil, because int conversion truncates decimal and can lead to Please Wait Before Resending error.
+	if cooldown < 0 {
+		vm.ResendCooldown = 0
+	} else {
+		vm.ResendCooldown = cooldown
+	}
+
+	vm.FailedAttemptRateLimitExceeded = state.TooManyAttempts
+
+	viewmodels.Embed(data, vm)
+
+	return data, nil
+}
+
+func (h *AuthflowV2SettingsIdentityVerifyEmailHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithoutDBTx()
+
+	ctrl.Get(func() error {
+		data, err := h.GetData(r, w)
+		if err != nil {
+			return err
+		}
+
+		h.Renderer.RenderHTML(w, r, TemplateWebSettingsIdentityVerifyEmailHTML, data)
+		return nil
+	})
+
+	ctrl.PostAction("submit", func() error {
+		err := AuthflowV2SettingsIdentityVerifyEmailSchema.Validator().ValidateValue(handlerwebapp.FormToJSON(r.Form))
+		if err != nil {
+			return err
+		}
+
+		loginIDKey := r.Form.Get("x_login_id_key")
+		tokenString := r.Form.Get("q_token")
+
+		code := r.Form.Get("x_code")
+
+		s := session.GetSession(r.Context())
+		_, err = h.AccountManagement.ResumeAddOrUpdateIdentityEmail(s, tokenString, &accountmanagement.ResumeAddOrUpdateIdentityEmailInput{
+			LoginIDKey: loginIDKey,
+			Code:       code,
+		})
+		if err != nil {
+			return err
+		}
+
+		redirectURI, err := url.Parse(AuthflowV2RouteSettingsIdentityListEmail)
+		if err != nil {
+			return err
+		}
+		q := redirectURI.Query()
+		q.Set("q_login_id_key", loginIDKey)
+		redirectURI.RawQuery = q.Encode()
+
+		result := webapp.Result{RedirectURI: redirectURI.String()}
+		result.WriteResponse(w, r)
+		return nil
+	})
+
+	ctrl.PostAction("resend", func() error {
+		err := AuthflowV2SettingsIdentityResendEmailSchema.Validator().ValidateValue(handlerwebapp.FormToJSON(r.Form))
+		if err != nil {
+			return err
+		}
+
+		tokenString := r.Form.Get("q_token")
+		err = h.AccountManagement.ResendOTPCode(session.GetSession(r.Context()), tokenString)
+		if err != nil {
+			return err
+		}
+
+		result := webapp.Result{}
+		result.WriteResponse(w, r)
+		return nil
+	})
+}
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_identity_verify_phone.go b/pkg/auth/handler/webapp/authflowv2/settings_identity_verify_phone.go
new file mode 100644
index 0000000000..cb0ab0b55f
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_identity_verify_phone.go
@@ -0,0 +1,194 @@
+package authflowv2
+
+import (
+	"math"
+	"net/http"
+	"net/url"
+
+	"github.com/authgear/authgear-server/pkg/api/model"
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/auth/webapp"
+	"github.com/authgear/authgear-server/pkg/lib/accountmanagement"
+	"github.com/authgear/authgear-server/pkg/lib/authn/otp"
+	"github.com/authgear/authgear-server/pkg/lib/config"
+	"github.com/authgear/authgear-server/pkg/lib/infra/db/appdb"
+	"github.com/authgear/authgear-server/pkg/lib/session"
+	"github.com/authgear/authgear-server/pkg/util/clock"
+	"github.com/authgear/authgear-server/pkg/util/httproute"
+	"github.com/authgear/authgear-server/pkg/util/phone"
+	"github.com/authgear/authgear-server/pkg/util/template"
+	"github.com/authgear/authgear-server/pkg/util/validation"
+)
+
+var TemplateWebSettingsIdentityVerifyPhoneHTML = template.RegisterHTML(
+	"web/authflowv2/settings_identity_verify_phone.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+var AuthflowV2SettingsIdentityVerifyPhoneSchema = validation.NewSimpleSchema(`
+	{
+		"type": "object",
+		"properties": {
+			"x_login_id_key": { "type": "string" },
+			"x_code": { "type": "string" }
+		},
+		"required": ["x_login_id_key", "x_code"]
+	}
+`)
+
+var AuthflowV2SettingsIdentityResendPhoneSchema = validation.NewSimpleSchema(`
+	{
+		"type": "object",
+		"properties": {
+			"q_token": { "type": "string" }
+		},
+		"required": ["q_token"]
+	}
+`)
+
+func ConfigureAuthflowV2SettingsIdentityVerifyPhoneRoute(route httproute.Route) httproute.Route {
+	return route.
+		WithMethods("OPTIONS", "POST", "GET").
+		WithPathPattern(AuthflowV2RouteSettingsIdentityVerifyPhone)
+}
+
+type AuthflowV2SettingsIdentityVerifyPhoneViewModel struct {
+	LoginIDKey string
+	LoginID    string
+	Token      string
+
+	CodeLength                     int
+	MaskedClaimValue               string
+	ResendCooldown                 int
+	FailedAttemptRateLimitExceeded bool
+}
+
+type AuthflowV2SettingsIdentityVerifyPhoneHandler struct {
+	Database            *appdb.Handle
+	ControllerFactory   handlerwebapp.ControllerFactory
+	BaseViewModel       *viewmodels.BaseViewModeler
+	OTPCodeService      handlerwebapp.OTPCodeService
+	Renderer            handlerwebapp.Renderer
+	AccountManagement   accountmanagement.Service
+	Clock               clock.Clock
+	Config              *config.AppConfig
+	AuthenticatorConfig *config.AuthenticatorConfig
+}
+
+func (h *AuthflowV2SettingsIdentityVerifyPhoneHandler) GetData(r *http.Request, rw http.ResponseWriter) (map[string]interface{}, error) {
+	data := map[string]interface{}{}
+
+	loginIDKey := r.Form.Get("q_login_id_key")
+	tokenString := r.Form.Get("q_token")
+
+	baseViewModel := h.BaseViewModel.ViewModel(r, rw)
+	viewmodels.Embed(data, baseViewModel)
+
+	s := session.GetSession(r.Context())
+	token, err := h.AccountManagement.GetToken(s, tokenString)
+	if err != nil {
+		return nil, err
+	}
+
+	var channel model.AuthenticatorOOBChannel
+	if h.AuthenticatorConfig.OOB.SMS.PhoneOTPMode.IsWhatsappEnabled() {
+		channel = model.AuthenticatorOOBChannelWhatsapp
+	} else {
+		channel = model.AuthenticatorOOBChannelSMS
+	}
+
+	vm := AuthflowV2SettingsIdentityVerifyPhoneViewModel{
+		LoginIDKey: loginIDKey,
+		LoginID:    token.Identity.PhoneNumber,
+		Token:      tokenString,
+
+		CodeLength:       6,
+		MaskedClaimValue: phone.Mask(token.Identity.PhoneNumber),
+	}
+
+	state, err := h.OTPCodeService.InspectState(otp.KindVerification(h.Config, channel), token.Identity.PhoneNumber)
+	if err != nil {
+		return nil, err
+	}
+	cooldown := int(math.Ceil(state.CanResendAt.Sub(h.Clock.NowUTC()).Seconds())) // Use ceil, because int conversion truncates decimal and can lead to Please Wait Before Resending error.
+	if cooldown < 0 {
+		vm.ResendCooldown = 0
+	} else {
+		vm.ResendCooldown = cooldown
+	}
+
+	vm.FailedAttemptRateLimitExceeded = state.TooManyAttempts
+
+	viewmodels.Embed(data, vm)
+
+	return data, nil
+}
+
+func (h *AuthflowV2SettingsIdentityVerifyPhoneHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithoutDBTx()
+
+	ctrl.Get(func() error {
+		data, err := h.GetData(r, w)
+		if err != nil {
+			return err
+		}
+
+		h.Renderer.RenderHTML(w, r, TemplateWebSettingsIdentityVerifyPhoneHTML, data)
+		return nil
+	})
+
+	ctrl.PostAction("submit", func() error {
+		err := AuthflowV2SettingsIdentityVerifyPhoneSchema.Validator().ValidateValue(handlerwebapp.FormToJSON(r.Form))
+		if err != nil {
+			return err
+		}
+
+		loginIDKey := r.Form.Get("x_login_id_key")
+		token := r.Form.Get("q_token")
+		code := r.Form.Get("x_code")
+
+		s := session.GetSession(r.Context())
+		_, err = h.AccountManagement.ResumeAddOrUpdateIdentityPhone(s, token, &accountmanagement.ResumeAddOrUpdateIdentityPhoneInput{
+			LoginIDKey: loginIDKey,
+			Code:       code,
+		})
+		if err != nil {
+			return err
+		}
+
+		redirectURI, err := url.Parse(AuthflowV2RouteSettingsIdentityListPhone)
+		if err != nil {
+			return err
+		}
+		q := redirectURI.Query()
+		q.Set("q_login_id_key", loginIDKey)
+		redirectURI.RawQuery = q.Encode()
+
+		result := webapp.Result{RedirectURI: redirectURI.String()}
+		result.WriteResponse(w, r)
+		return nil
+	})
+
+	ctrl.PostAction("resend", func() error {
+		err := AuthflowV2SettingsIdentityResendPhoneSchema.Validator().ValidateValue(handlerwebapp.FormToJSON(r.Form))
+		if err != nil {
+			return err
+		}
+
+		tokenString := r.Form.Get("q_token")
+		err = h.AccountManagement.ResendOTPCode(session.GetSession(r.Context()), tokenString)
+		if err != nil {
+			return err
+		}
+
+		result := webapp.Result{}
+		result.WriteResponse(w, r)
+		return nil
+	})
+}
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_identity_view_email.go b/pkg/auth/handler/webapp/authflowv2/settings_identity_view_email.go
new file mode 100644
index 0000000000..fd269ababb
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_identity_view_email.go
@@ -0,0 +1,201 @@
+package authflowv2
+
+import (
+	"net/http"
+	"net/url"
+
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/auth/webapp"
+	"github.com/authgear/authgear-server/pkg/lib/accountmanagement"
+	"github.com/authgear/authgear-server/pkg/lib/authn/identity"
+	identityservice "github.com/authgear/authgear-server/pkg/lib/authn/identity/service"
+	"github.com/authgear/authgear-server/pkg/lib/config"
+	"github.com/authgear/authgear-server/pkg/lib/feature/verification"
+	"github.com/authgear/authgear-server/pkg/lib/infra/db/appdb"
+	"github.com/authgear/authgear-server/pkg/lib/session"
+	"github.com/authgear/authgear-server/pkg/util/httproute"
+	"github.com/authgear/authgear-server/pkg/util/template"
+	"github.com/authgear/authgear-server/pkg/util/validation"
+)
+
+var TemplateWebSettingsIdentityViewEmailHTML = template.RegisterHTML(
+	"web/authflowv2/settings_identity_view_email.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+var AuthflowV2SettingsIdentityUpdateVerificationEmailSchema = validation.NewSimpleSchema(`
+	{
+		"type": "object",
+		"properties": {
+			"x_login_id": { "type": "string" },
+			"x_identity_id": { "type": "string" }
+		},
+		"required": ["x_login_id", "x_identity_id"]
+	}
+`)
+
+var AuthflowV2SettingsRemoveIdentityEmailSchema = validation.NewSimpleSchema(`
+	{
+		"type": "object",
+		"properties": {
+			"x_identity_id": { "type": "string" }
+		},
+		"required": ["x_identity_id"]
+	}
+`)
+
+func ConfigureAuthflowV2SettingsIdentityViewEmailRoute(route httproute.Route) httproute.Route {
+	return route.
+		WithMethods("OPTIONS", "POST", "GET").
+		WithPathPattern(AuthflowV2RouteSettingsIdentityViewEmail)
+}
+
+type AuthflowV2SettingsIdentityViewEmailViewModel struct {
+	LoginIDKey     string
+	EmailIdentity  *identity.LoginID
+	Verified       bool
+	Verifications  map[string][]verification.ClaimStatus
+	UpdateDisabled bool
+	DeleteDisabled bool
+}
+
+type AuthflowV2SettingsIdentityViewEmailHandler struct {
+	Database          *appdb.Handle
+	LoginIDConfig     *config.LoginIDConfig
+	Identities        *identityservice.Service
+	ControllerFactory handlerwebapp.ControllerFactory
+	BaseViewModel     *viewmodels.BaseViewModeler
+	Verification      verification.Service
+	Renderer          handlerwebapp.Renderer
+	AccountManagement accountmanagement.Service
+}
+
+func (h *AuthflowV2SettingsIdentityViewEmailHandler) GetData(r *http.Request, rw http.ResponseWriter) (map[string]interface{}, error) {
+	data := map[string]interface{}{}
+
+	loginIDKey := r.Form.Get("q_login_id_key")
+	identityID := r.Form.Get("q_identity_id")
+
+	baseViewModel := h.BaseViewModel.ViewModel(r, rw)
+	viewmodels.Embed(data, baseViewModel)
+
+	userID := session.GetUserID(r.Context())
+
+	emailIdentity, err := h.Identities.LoginID.Get(*userID, identityID)
+	if err != nil {
+		return nil, err
+	}
+
+	verified, err := h.AccountManagement.CheckIdentityVerified(emailIdentity.ToInfo())
+	if err != nil {
+		return nil, err
+	}
+
+	updateDisabled := true
+	deleteDisabled := true
+	if loginIDConfig, ok := h.LoginIDConfig.GetKeyConfig(loginIDKey); ok {
+		updateDisabled = *loginIDConfig.UpdateDisabled
+		deleteDisabled = *loginIDConfig.DeleteDisabled
+	}
+
+	vm := AuthflowV2SettingsIdentityViewEmailViewModel{
+		LoginIDKey:     loginIDKey,
+		EmailIdentity:  emailIdentity,
+		Verified:       verified,
+		UpdateDisabled: updateDisabled,
+		DeleteDisabled: deleteDisabled,
+	}
+	viewmodels.Embed(data, vm)
+
+	return data, nil
+}
+
+func (h *AuthflowV2SettingsIdentityViewEmailHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithoutDBTx()
+
+	ctrl.Get(func() error {
+		var data map[string]interface{}
+		err := h.Database.WithTx(func() error {
+			data, err = h.GetData(r, w)
+			return err
+		})
+		if err != nil {
+			return err
+		}
+
+		h.Renderer.RenderHTML(w, r, TemplateWebSettingsIdentityViewEmailHTML, data)
+		return nil
+	})
+
+	ctrl.PostAction("remove", func() error {
+		err := AuthflowV2SettingsRemoveIdentityEmailSchema.Validator().ValidateValue(handlerwebapp.FormToJSON(r.Form))
+		if err != nil {
+			return err
+		}
+
+		IdentityID := r.Form.Get("x_identity_id")
+		_, err = h.AccountManagement.DeleteIdentityEmail(session.GetSession(r.Context()), &accountmanagement.DeleteIdentityEmailInput{
+			IdentityID: IdentityID,
+		})
+		if err != nil {
+			return err
+		}
+
+		loginIDKey := r.Form.Get("q_login_id_key")
+		redirectURI, err := url.Parse(AuthflowV2RouteSettingsIdentityListEmail)
+		if err != nil {
+			return err
+		}
+		q := redirectURI.Query()
+		q.Set("q_login_id_key", loginIDKey)
+		redirectURI.RawQuery = q.Encode()
+
+		result := webapp.Result{RedirectURI: redirectURI.String()}
+
+		result.WriteResponse(w, r)
+		return nil
+	})
+
+	ctrl.PostAction("verify", func() error {
+		loginIDKey := r.Form.Get("q_login_id_key")
+
+		err := AuthflowV2SettingsIdentityUpdateVerificationEmailSchema.Validator().ValidateValue(handlerwebapp.FormToJSON(r.Form))
+		if err != nil {
+			return err
+		}
+
+		loginID := r.Form.Get("x_login_id")
+		identityID := r.Form.Get("x_identity_id")
+
+		s := session.GetSession(r.Context())
+		output, err := h.AccountManagement.StartUpdateIdentityEmail(s, &accountmanagement.StartUpdateIdentityEmailInput{
+			LoginID:    loginID,
+			LoginIDKey: loginIDKey,
+			IdentityID: identityID,
+		})
+		if err != nil {
+			return err
+		}
+
+		redirectURI, err := url.Parse(AuthflowV2RouteSettingsIdentityVerifyEmail)
+
+		q := redirectURI.Query()
+		q.Set("q_login_id_key", loginIDKey)
+		q.Set("q_token", output.Token)
+
+		redirectURI.RawQuery = q.Encode()
+		if err != nil {
+			return err
+		}
+
+		result := webapp.Result{RedirectURI: redirectURI.String()}
+		result.WriteResponse(w, r)
+		return nil
+	})
+}
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_identity_view_phone.go b/pkg/auth/handler/webapp/authflowv2/settings_identity_view_phone.go
new file mode 100644
index 0000000000..6e4b2529b4
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_identity_view_phone.go
@@ -0,0 +1,201 @@
+package authflowv2
+
+import (
+	"net/http"
+	"net/url"
+
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/auth/webapp"
+	"github.com/authgear/authgear-server/pkg/lib/accountmanagement"
+	"github.com/authgear/authgear-server/pkg/lib/authn/identity"
+	identityservice "github.com/authgear/authgear-server/pkg/lib/authn/identity/service"
+	"github.com/authgear/authgear-server/pkg/lib/config"
+	"github.com/authgear/authgear-server/pkg/lib/infra/db/appdb"
+	"github.com/authgear/authgear-server/pkg/lib/session"
+	"github.com/authgear/authgear-server/pkg/util/httproute"
+	"github.com/authgear/authgear-server/pkg/util/template"
+	"github.com/authgear/authgear-server/pkg/util/validation"
+)
+
+var TemplateWebSettingsIdentityViewPhoneHTML = template.RegisterHTML(
+	"web/authflowv2/settings_identity_view_phone.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+var AuthflowV2SettingsUpdateIdentityVerificationPhoneSchema = validation.NewSimpleSchema(`
+	{
+		"type": "object",
+		"properties": {
+			"x_login_id": { "type": "string" },
+			"x_identity_id": { "type": "string" }
+		},
+		"required": ["x_login_id", "x_identity_id"]
+	}
+`)
+
+var AuthflowV2SettingsRemoveIdentityPhoneSchema = validation.NewSimpleSchema(`
+	{
+		"type": "object",
+		"properties": {
+			"x_identity_id": { "type": "string" }
+		},
+		"required": ["x_identity_id"]
+	}
+`)
+
+func ConfigureAuthflowV2SettingsIdentityViewPhoneRoute(route httproute.Route) httproute.Route {
+	return route.
+		WithMethods("OPTIONS", "POST", "GET").
+		WithPathPattern(AuthflowV2RouteSettingsIdentityViewPhone)
+}
+
+type AuthflowV2SettingsIdentityViewPhoneViewModel struct {
+	LoginIDKey     string
+	PhoneIdentity  *identity.LoginID
+	Verified       bool
+	UpdateDisabled bool
+	DeleteDisabled bool
+}
+
+type AuthflowV2SettingsIdentityViewPhoneHandler struct {
+	Database            *appdb.Handle
+	LoginIDConfig       *config.LoginIDConfig
+	Identities          *identityservice.Service
+	ControllerFactory   handlerwebapp.ControllerFactory
+	BaseViewModel       *viewmodels.BaseViewModeler
+	Verification        handlerwebapp.SettingsVerificationService
+	Renderer            handlerwebapp.Renderer
+	AuthenticatorConfig *config.AuthenticatorConfig
+	AccountManagement   accountmanagement.Service
+}
+
+func (h *AuthflowV2SettingsIdentityViewPhoneHandler) GetData(r *http.Request, rw http.ResponseWriter) (map[string]interface{}, error) {
+	data := map[string]interface{}{}
+
+	loginIDKey := r.Form.Get("q_login_id_key")
+	identityID := r.Form.Get("q_identity_id")
+
+	baseViewModel := h.BaseViewModel.ViewModel(r, rw)
+	viewmodels.Embed(data, baseViewModel)
+
+	userID := session.GetUserID(r.Context())
+
+	phoneIdentity, err := h.Identities.LoginID.Get(*userID, identityID)
+	if err != nil {
+		return nil, err
+	}
+
+	verified, err := h.AccountManagement.CheckIdentityVerified(phoneIdentity.ToInfo())
+	if err != nil {
+		return nil, err
+	}
+
+	updateDisabled := true
+	deleteDisabled := true
+	if loginIDConfig, ok := h.LoginIDConfig.GetKeyConfig(loginIDKey); ok {
+		updateDisabled = *loginIDConfig.UpdateDisabled
+		deleteDisabled = *loginIDConfig.DeleteDisabled
+	}
+
+	vm := AuthflowV2SettingsIdentityViewPhoneViewModel{
+		LoginIDKey:     loginIDKey,
+		PhoneIdentity:  phoneIdentity,
+		Verified:       verified,
+		UpdateDisabled: updateDisabled,
+		DeleteDisabled: deleteDisabled,
+	}
+	viewmodels.Embed(data, vm)
+
+	return data, nil
+}
+
+func (h *AuthflowV2SettingsIdentityViewPhoneHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithoutDBTx()
+
+	ctrl.Get(func() error {
+		var data map[string]interface{}
+		err := h.Database.WithTx(func() error {
+			data, err = h.GetData(r, w)
+			return err
+		})
+		if err != nil {
+			return err
+		}
+
+		h.Renderer.RenderHTML(w, r, TemplateWebSettingsIdentityViewPhoneHTML, data)
+		return nil
+	})
+
+	ctrl.PostAction("remove", func() error {
+		err := AuthflowV2SettingsRemoveIdentityPhoneSchema.Validator().ValidateValue(handlerwebapp.FormToJSON(r.Form))
+		if err != nil {
+			return err
+		}
+
+		removeID := r.Form.Get("x_identity_id")
+
+		_, err = h.AccountManagement.DeleteIdentityPhone(session.GetSession(r.Context()), &accountmanagement.DeleteIdentityPhoneInput{
+			IdentityID: removeID,
+		})
+		if err != nil {
+			return err
+		}
+
+		loginIDKey := r.Form.Get("q_login_id_key")
+		redirectURI, err := url.Parse(AuthflowV2RouteSettingsIdentityListPhone)
+		if err != nil {
+			return err
+		}
+		q := redirectURI.Query()
+		q.Set("q_login_id_key", loginIDKey)
+		redirectURI.RawQuery = q.Encode()
+
+		result := webapp.Result{RedirectURI: redirectURI.String()}
+
+		result.WriteResponse(w, r)
+		return nil
+	})
+
+	ctrl.PostAction("verify", func() error {
+		loginIDKey := r.Form.Get("q_login_id_key")
+
+		err := AuthflowV2SettingsUpdateIdentityVerificationPhoneSchema.Validator().ValidateValue(handlerwebapp.FormToJSON(r.Form))
+		if err != nil {
+			return err
+		}
+
+		loginID := r.Form.Get("x_login_id")
+		identityID := r.Form.Get("x_identity_id")
+
+		s := session.GetSession(r.Context())
+		output, err := h.AccountManagement.StartUpdateIdentityPhone(s, &accountmanagement.StartUpdateIdentityPhoneInput{
+			LoginID:    loginID,
+			LoginIDKey: loginIDKey,
+			IdentityID: identityID,
+		})
+		if err != nil {
+			return err
+		}
+
+		redirectURI, err := url.Parse(AuthflowV2RouteSettingsIdentityVerifyPhone)
+
+		q := redirectURI.Query()
+		q.Set("q_login_id_key", loginIDKey)
+		q.Set("q_token", output.Token)
+
+		redirectURI.RawQuery = q.Encode()
+		if err != nil {
+			return err
+		}
+
+		result := webapp.Result{RedirectURI: redirectURI.String()}
+		result.WriteResponse(w, r)
+		return nil
+	})
+}
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_identity_view_username.go b/pkg/auth/handler/webapp/authflowv2/settings_identity_view_username.go
new file mode 100644
index 0000000000..3814e759f5
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_identity_view_username.go
@@ -0,0 +1,138 @@
+package authflowv2
+
+import (
+	"net/http"
+	"net/url"
+
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/auth/webapp"
+	"github.com/authgear/authgear-server/pkg/lib/accountmanagement"
+	"github.com/authgear/authgear-server/pkg/lib/authn/identity"
+	identityservice "github.com/authgear/authgear-server/pkg/lib/authn/identity/service"
+	"github.com/authgear/authgear-server/pkg/lib/config"
+	"github.com/authgear/authgear-server/pkg/lib/infra/db/appdb"
+	"github.com/authgear/authgear-server/pkg/lib/session"
+	"github.com/authgear/authgear-server/pkg/util/httproute"
+	"github.com/authgear/authgear-server/pkg/util/template"
+	"github.com/authgear/authgear-server/pkg/util/validation"
+)
+
+var TemplateSettingsIdentityViewUsernameTemplate = template.RegisterHTML(
+	"web/authflowv2/settings_identity_view_username.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+var AuthflowV2SettingsIdentityDeleteUsernameSchema = validation.NewSimpleSchema(`
+	{
+		"type": "object",
+		"properties": {
+			"x_login_id_key": { "type": "string" },
+			"x_identity_id": { "type": "string" }
+		},
+		"required": ["x_identity_id", "x_login_id_key"]
+	}
+`)
+
+func ConfigureAuthflowV2SettingsIdentityViewUsername(route httproute.Route) httproute.Route {
+	return route.
+		WithMethods("OPTIONS", "POST", "GET").
+		WithPathPattern(AuthflowV2RouteSettingsIdentityViewUsername)
+}
+
+type AuthflowV2SettingsIdentityViewUsernameViewModel struct {
+	LoginIDKey     string
+	Identity       *identity.LoginID
+	UpdateDisabled bool
+	DeleteDisabled bool
+}
+
+type AuthflowV2SettingsIdentityViewUsernameHandler struct {
+	Database          *appdb.Handle
+	AccountManagement *accountmanagement.Service
+	LoginIDConfig     *config.LoginIDConfig
+	Identities        *identityservice.Service
+	ControllerFactory handlerwebapp.ControllerFactory
+	BaseViewModel     *viewmodels.BaseViewModeler
+	Renderer          handlerwebapp.Renderer
+}
+
+func (h *AuthflowV2SettingsIdentityViewUsernameHandler) GetData(w http.ResponseWriter, r *http.Request) (map[string]interface{}, error) {
+	data := map[string]interface{}{}
+	baseViewModel := h.BaseViewModel.ViewModel(r, w)
+	viewmodels.Embed(data, baseViewModel)
+
+	userID := session.GetUserID(r.Context())
+	loginID := r.Form.Get("q_login_id")
+	usernameIdentity, err := h.Identities.LoginID.Get(*userID, loginID)
+	if err != nil {
+		return nil, err
+	}
+
+	updateDisabled := true
+	deleteDisabled := true
+	if loginIDConfig, ok := h.LoginIDConfig.GetKeyConfig(usernameIdentity.LoginIDKey); ok {
+		updateDisabled = *loginIDConfig.UpdateDisabled
+		deleteDisabled = *loginIDConfig.DeleteDisabled
+	}
+
+	vm := AuthflowV2SettingsIdentityViewUsernameViewModel{
+		LoginIDKey:     usernameIdentity.LoginIDKey,
+		Identity:       usernameIdentity,
+		UpdateDisabled: updateDisabled,
+		DeleteDisabled: deleteDisabled,
+	}
+	viewmodels.Embed(data, vm)
+
+	return data, nil
+}
+
+func (h *AuthflowV2SettingsIdentityViewUsernameHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithoutDBTx()
+
+	ctrl.Get(func() error {
+		var data map[string]interface{}
+		err := h.Database.WithTx(func() error {
+			data, err = h.GetData(w, r)
+			return err
+		})
+		if err != nil {
+			return err
+		}
+		h.Renderer.RenderHTML(w, r, TemplateSettingsIdentityViewUsernameTemplate, data)
+		return nil
+	})
+
+	ctrl.PostAction("remove", func() error {
+		err := AuthflowV2SettingsIdentityDeleteUsernameSchema.Validator().ValidateValue(handlerwebapp.FormToJSON(r.Form))
+		if err != nil {
+			return err
+		}
+		identityID := r.Form.Get("x_identity_id")
+		loginIDKey := r.Form.Get("x_login_key")
+
+		resolvedSession := session.GetSession(r.Context())
+		_, err = h.AccountManagement.DeleteIdentityUsername(resolvedSession, &accountmanagement.DeleteIdentityUsernameInput{
+			IdentityID: identityID,
+		})
+		if err != nil {
+			return err
+		}
+
+		redirectURI, err := url.Parse(AuthflowV2RouteSettingsIdentityListUsername)
+		if err != nil {
+			return err
+		}
+		q := redirectURI.Query()
+		q.Set("q_login_id_key", loginIDKey)
+		redirectURI.RawQuery = q.Encode()
+		result := webapp.Result{RedirectURI: redirectURI.String()}
+		result.WriteResponse(w, r)
+		return nil
+	})
+}
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_mfa.go b/pkg/auth/handler/webapp/authflowv2/settings_mfa.go
new file mode 100644
index 0000000000..95aa6f82f1
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_mfa.go
@@ -0,0 +1,73 @@
+package authflowv2
+
+import (
+	"net/http"
+
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/auth/webapp"
+	"github.com/authgear/authgear-server/pkg/lib/authn/mfa"
+	"github.com/authgear/authgear-server/pkg/lib/infra/db/appdb"
+	"github.com/authgear/authgear-server/pkg/lib/session"
+	"github.com/authgear/authgear-server/pkg/util/template"
+)
+
+var TemplateWebSettingsMFAHTML = template.RegisterHTML(
+	"web/authflowv2/settings_mfa.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+type AuthflowV2SettingsMFAHandler struct {
+	Database          *appdb.Handle
+	ControllerFactory handlerwebapp.ControllerFactory
+	BaseViewModel     *viewmodels.BaseViewModeler
+	SettingsViewModel *viewmodels.SettingsViewModeler
+	Renderer          handlerwebapp.Renderer
+	MFA               *mfa.Service
+}
+
+func (h *AuthflowV2SettingsMFAHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithoutDBTx()
+
+	ctrl.Get(func() error {
+		userID := session.GetUserID(r.Context())
+
+		data := map[string]interface{}{}
+
+		err := h.Database.WithTx(func() error {
+			baseViewModel := h.BaseViewModel.ViewModel(r, w)
+			viewmodels.Embed(data, baseViewModel)
+
+			viewModelPtr, err := h.SettingsViewModel.ViewModel(*userID)
+			if err != nil {
+				return err
+			}
+			viewmodels.Embed(data, *viewModelPtr)
+			return nil
+		})
+		if err != nil {
+			return err
+		}
+
+		h.Renderer.RenderHTML(w, r, TemplateWebSettingsMFAHTML, data)
+
+		return nil
+	})
+
+	ctrl.PostAction("revoke_device", func() error {
+		userID := session.GetUserID(r.Context())
+		err := h.MFA.InvalidateAllDeviceTokens(*userID)
+		if err != nil {
+			return err
+		}
+
+		result := webapp.Result{}
+		result.WriteResponse(w, r)
+		return nil
+	})
+}
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_mfa_create_password.go b/pkg/auth/handler/webapp/authflowv2/settings_mfa_create_password.go
new file mode 100644
index 0000000000..404605eabf
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_mfa_create_password.go
@@ -0,0 +1,111 @@
+package authflowv2
+
+import (
+	"net/http"
+
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/auth/webapp"
+
+	"github.com/authgear/authgear-server/pkg/lib/accountmanagement"
+	"github.com/authgear/authgear-server/pkg/lib/session"
+	"github.com/authgear/authgear-server/pkg/util/httproute"
+	pwd "github.com/authgear/authgear-server/pkg/util/password"
+	"github.com/authgear/authgear-server/pkg/util/template"
+	"github.com/authgear/authgear-server/pkg/util/validation"
+)
+
+var TemplateWebSettingsMFACreatePasswordHTML = template.RegisterHTML(
+	"web/authflowv2/settings_mfa_create_password.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+var AuthflowV2SettingsMFACreatePasswordSchema = validation.NewSimpleSchema(`
+	{
+		"type": "object",
+		"properties": {
+			"x_password": { "type": "string" },
+			"x_confirm_password": { "type": "string" }
+		},
+		"required": ["x_password", "x_confirm_password"]
+	}
+`)
+
+func ConfigureAuthflowV2SettingsMFACreatePassword(route httproute.Route) httproute.Route {
+	return route.
+		WithMethods("OPTIONS", "POST", "GET").
+		WithPathPattern(AuthflowV2RouteSettingsMFACreatePassword)
+}
+
+type AuthflowV2SettingsMFACreatePasswordHandler struct {
+	ControllerFactory handlerwebapp.ControllerFactory
+	BaseViewModel     *viewmodels.BaseViewModeler
+	SettingsViewModel *viewmodels.SettingsViewModeler
+	PasswordPolicy    handlerwebapp.PasswordPolicy
+	Renderer          handlerwebapp.Renderer
+
+	AccountManagementService *accountmanagement.Service
+}
+
+func (h *AuthflowV2SettingsMFACreatePasswordHandler) GetData(r *http.Request, rw http.ResponseWriter) (map[string]interface{}, error) {
+	data := make(map[string]interface{})
+
+	baseViewModel := h.BaseViewModel.ViewModel(r, rw)
+	viewmodels.Embed(data, baseViewModel)
+
+	passwordPolicyViewModel := viewmodels.NewPasswordPolicyViewModel(
+		h.PasswordPolicy.PasswordPolicy(),
+		h.PasswordPolicy.PasswordRules(),
+		baseViewModel.RawError,
+		viewmodels.GetDefaultPasswordPolicyViewModelOptions(),
+	)
+	viewmodels.Embed(data, passwordPolicyViewModel)
+
+	return data, nil
+}
+
+func (h *AuthflowV2SettingsMFACreatePasswordHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithoutDBTx()
+
+	ctrl.Get(func() error {
+		data, err := h.GetData(r, w)
+		if err != nil {
+			return err
+		}
+		h.Renderer.RenderHTML(w, r, TemplateWebSettingsMFACreatePasswordHTML, data)
+		return nil
+	})
+
+	ctrl.PostAction("", func() error {
+		err := AuthflowV2SettingsMFACreatePasswordSchema.Validator().ValidateValue(handlerwebapp.FormToJSON(r.Form))
+		if err != nil {
+			return err
+		}
+
+		newPassword := r.Form.Get("x_password")
+		confirmPassword := r.Form.Get("x_confirm_password")
+
+		err = pwd.ConfirmPassword(newPassword, confirmPassword)
+		if err != nil {
+			return err
+		}
+
+		s := session.GetSession(r.Context())
+		err = h.AccountManagementService.CreateAdditionalPassword(s, accountmanagement.CreateAdditionalPasswordInput{
+			PlainPassword: newPassword,
+		})
+		if err != nil {
+			return err
+		}
+
+		result := webapp.Result{RedirectURI: AuthflowV2RouteSettingsMFA}
+		result.WriteResponse(w, r)
+
+		return nil
+	})
+}
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_mfa_password.go b/pkg/auth/handler/webapp/authflowv2/settings_mfa_password.go
new file mode 100644
index 0000000000..eee8da1650
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_mfa_password.go
@@ -0,0 +1,72 @@
+package authflowv2
+
+import (
+	"net/http"
+
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/lib/infra/db/appdb"
+	"github.com/authgear/authgear-server/pkg/lib/session"
+	"github.com/authgear/authgear-server/pkg/util/httproute"
+	"github.com/authgear/authgear-server/pkg/util/template"
+)
+
+var TemplateWebSettingsMFAPasswordHTML = template.RegisterHTML(
+	"web/authflowv2/settings_mfa_password.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+type AuthflowV2SettingsMFAPasswordHandler struct {
+	Database          *appdb.Handle
+	ControllerFactory handlerwebapp.ControllerFactory
+	BaseViewModel     *viewmodels.BaseViewModeler
+	SettingsViewModel *viewmodels.SettingsViewModeler
+	Renderer          handlerwebapp.Renderer
+}
+
+func ConfigureAuthflowV2SettingsMFAPassword(route httproute.Route) httproute.Route {
+	return route.
+		WithMethods("OPTIONS", "POST", "GET").
+		WithPathPattern(AuthflowV2RouteSettingsMFAPassword)
+}
+
+func (h *AuthflowV2SettingsMFAPasswordHandler) GetData(r *http.Request, w http.ResponseWriter) (map[string]interface{}, error) {
+	userID := session.GetUserID(r.Context())
+	data := map[string]interface{}{}
+
+	baseViewModel := h.BaseViewModel.ViewModel(r, w)
+	viewmodels.Embed(data, baseViewModel)
+
+	err := h.Database.WithTx(func() error {
+		viewModelPtr, err := h.SettingsViewModel.ViewModel(*userID)
+		if err != nil {
+			return err
+		}
+		viewmodels.Embed(data, *viewModelPtr)
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return data, nil
+
+}
+
+func (h *AuthflowV2SettingsMFAPasswordHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithoutDBTx()
+
+	ctrl.Get(func() error {
+		data, err := h.GetData(r, w)
+		if err != nil {
+			return nil
+		}
+		h.Renderer.RenderHTML(w, r, TemplateWebSettingsMFAPasswordHTML, data)
+		return nil
+	})
+}
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_oob_otp.go b/pkg/auth/handler/webapp/authflowv2/settings_oob_otp.go
new file mode 100644
index 0000000000..39af3b5846
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_oob_otp.go
@@ -0,0 +1,90 @@
+package authflowv2
+
+import (
+	"net/http"
+
+	"github.com/authgear/authgear-server/pkg/api/model"
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/lib/authn/authenticator"
+	authenticatorservice "github.com/authgear/authgear-server/pkg/lib/authn/authenticator/service"
+	"github.com/authgear/authgear-server/pkg/lib/infra/db/appdb"
+	"github.com/authgear/authgear-server/pkg/lib/session"
+	"github.com/authgear/authgear-server/pkg/util/httproute"
+	"github.com/authgear/authgear-server/pkg/util/template"
+)
+
+var TemplateWebSettingsOOBOTPHTML = template.RegisterHTML(
+	"web/authflowv2/settings_oob_otp.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+type AuthflowV2SettingsOOBOTPViewModel struct {
+	OOBOTPType           string
+	OOBOTPAuthenticators []*authenticator.OOBOTP
+}
+
+type AuthflowV2SettingsOOBOTPHandler struct {
+	Database          *appdb.Handle
+	ControllerFactory handlerwebapp.ControllerFactory
+	BaseViewModel     *viewmodels.BaseViewModeler
+	Renderer          handlerwebapp.Renderer
+	Authenticators    authenticatorservice.Service
+}
+
+func (h *AuthflowV2SettingsOOBOTPHandler) GetData(w http.ResponseWriter, r *http.Request) (map[string]interface{}, error) {
+	data := map[string]interface{}{}
+	baseViewModel := h.BaseViewModel.ViewModel(r, w)
+	viewmodels.Embed(data, baseViewModel)
+
+	oc := httproute.GetParam(r, "channel")
+
+	userID := session.GetUserID(r.Context())
+	t, err := model.GetOOBAuthenticatorType(model.AuthenticatorOOBChannel(oc))
+	if err != nil {
+		return nil, err
+	}
+	authenticators, err := h.Authenticators.List(
+		*userID,
+		authenticator.KeepKind(authenticator.KindSecondary),
+		authenticator.KeepType(t),
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	var OOBOTPAuthenticators []*authenticator.OOBOTP
+	for _, a := range authenticators {
+		OOBOTPAuthenticators = append(OOBOTPAuthenticators, a.OOBOTP)
+	}
+	vm := AuthflowV2SettingsOOBOTPViewModel{
+		OOBOTPType:           oc,
+		OOBOTPAuthenticators: OOBOTPAuthenticators,
+	}
+	viewmodels.Embed(data, vm)
+
+	return data, nil
+}
+
+func (h *AuthflowV2SettingsOOBOTPHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithoutDBTx()
+
+	ctrl.Get(func() error {
+		var data map[string]interface{}
+		err := h.Database.WithTx(func() error {
+			data, err = h.GetData(w, r)
+			return err
+		})
+		if err != nil {
+			return err
+		}
+
+		h.Renderer.RenderHTML(w, r, TemplateWebSettingsOOBOTPHTML, data)
+		return nil
+	})
+}
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_passkey.go b/pkg/auth/handler/webapp/authflowv2/settings_passkey.go
new file mode 100644
index 0000000000..e6c3b695cb
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_passkey.go
@@ -0,0 +1,157 @@
+package authflowv2
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/go-webauthn/webauthn/protocol"
+
+	"github.com/authgear/authgear-server/pkg/api/model"
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/auth/webapp"
+	"github.com/authgear/authgear-server/pkg/lib/accountmanagement"
+	"github.com/authgear/authgear-server/pkg/lib/authn/identity"
+	identityservice "github.com/authgear/authgear-server/pkg/lib/authn/identity/service"
+	"github.com/authgear/authgear-server/pkg/lib/infra/db/appdb"
+	"github.com/authgear/authgear-server/pkg/lib/session"
+	"github.com/authgear/authgear-server/pkg/util/httputil"
+	"github.com/authgear/authgear-server/pkg/util/template"
+)
+
+var TemplateSettingsV2PasskeyHTML = template.RegisterHTML(
+	"web/authflowv2/settings_passkey.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+type AuthflowV2SettingsPasskeyViewModel struct {
+	PasskeyIdentities   []*identity.Info
+	CreationOptionsJSON string
+}
+
+type PasskeyCreationOptionsService interface {
+	MakeCreationOptions(userID string) (*model.WebAuthnCreationOptions, error)
+}
+
+type AuthflowV2SettingsChangePasskeyHandler struct {
+	Database          *appdb.Handle
+	ControllerFactory handlerwebapp.ControllerFactory
+	BaseViewModel     *viewmodels.BaseViewModeler
+	Renderer          handlerwebapp.Renderer
+	Identities        identityservice.Service
+	AccountManagement *accountmanagement.Service
+	Passkey           PasskeyCreationOptionsService
+}
+
+func (h *AuthflowV2SettingsChangePasskeyHandler) GetData(r *http.Request, rw http.ResponseWriter) (map[string]interface{}, error) {
+	data := map[string]interface{}{}
+	userID := session.GetUserID(r.Context())
+
+	// BaseViewModel
+	baseViewModel := h.BaseViewModel.ViewModel(r, rw)
+	viewmodels.Embed(data, baseViewModel)
+
+	// PasskeyViewModel
+	var passkeyIdentities []*identity.Info
+	var creationOptionsJSON string
+	err := h.Database.WithTx(func() (err error) {
+		identities, err := h.Identities.Passkey.List(*userID)
+		if err != nil {
+			return err
+		}
+		for _, i := range identities {
+			passkeyIdentities = append(passkeyIdentities, i.ToInfo())
+		}
+
+		creationOptions, err := h.Passkey.MakeCreationOptions(*userID)
+		if err != nil {
+			return err
+		}
+		creationOptionsJSONBytes, err := json.Marshal(creationOptions)
+		if err != nil {
+			return err
+		}
+		creationOptionsJSON = string(creationOptionsJSONBytes)
+		return nil
+	})
+
+	if err != nil {
+		return nil, err
+	}
+
+	passkeyViewModel := AuthflowV2SettingsPasskeyViewModel{
+		PasskeyIdentities:   passkeyIdentities,
+		CreationOptionsJSON: creationOptionsJSON,
+	}
+	viewmodels.Embed(data, passkeyViewModel)
+
+	return data, nil
+}
+
+func (h *AuthflowV2SettingsChangePasskeyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithoutDBTx()
+
+	ctrl.Get(func() error {
+		data, err := h.GetData(r, w)
+		if err != nil {
+			return err
+		}
+		h.Renderer.RenderHTML(w, r, TemplateSettingsV2PasskeyHTML, data)
+
+		return nil
+	})
+
+	ctrl.PostAction("add", func() error {
+		attestationResponseStr := r.Form.Get("x_attestation_response")
+
+		var creationResponse protocol.CredentialCreationResponse
+		err := json.Unmarshal([]byte(attestationResponseStr), &creationResponse)
+		if err != nil {
+			return err
+		}
+
+		s := session.GetSession(r.Context())
+
+		input := &accountmanagement.AddPasskeyInput{
+			CreationResponse: &creationResponse,
+		}
+
+		_, err = h.AccountManagement.AddPasskey(s, input)
+		if err != nil {
+			return err
+		}
+
+		redirectURI := httputil.HostRelative(r.URL).String()
+		result := webapp.Result{RedirectURI: redirectURI}
+		result.WriteResponse(w, r)
+
+		return nil
+
+	})
+
+	ctrl.PostAction("remove", func() error {
+		identityID := r.Form.Get("x_identity_id")
+
+		s := session.GetSession(r.Context())
+
+		input := &accountmanagement.DeletePasskeyInput{
+			IdentityID: identityID,
+		}
+
+		_, err = h.AccountManagement.DeletePasskey(s, input)
+		if err != nil {
+			return err
+		}
+
+		redirectURI := httputil.HostRelative(r.URL).String()
+		result := webapp.Result{RedirectURI: redirectURI}
+		result.WriteResponse(w, r)
+
+		return nil
+	})
+}
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_profile.go b/pkg/auth/handler/webapp/authflowv2/settings_profile.go
index 61d27fca5f..131aedac03 100644
--- a/pkg/auth/handler/webapp/authflowv2/settings_profile.go
+++ b/pkg/auth/handler/webapp/authflowv2/settings_profile.go
@@ -27,7 +27,7 @@ func (h *AuthflowV2SettingsProfileHandler) ServeHTTP(w http.ResponseWriter, r *h
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		userID := session.GetUserID(r.Context())
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_profile_edit.go b/pkg/auth/handler/webapp/authflowv2/settings_profile_edit.go
index ce31ba90be..0cd71b9a59 100644
--- a/pkg/auth/handler/webapp/authflowv2/settings_profile_edit.go
+++ b/pkg/auth/handler/webapp/authflowv2/settings_profile_edit.go
@@ -45,6 +45,10 @@ func init() {
 		"web/authflowv2/settings_profile_edit_zoneinfo.html",
 		handlerwebapp.SettingsComponents...,
 	)
+	settingsProfileEditVariantToTemplate["custom_attributes"] = template.RegisterHTML(
+		"web/authflowv2/settings_profile_edit_custom.html",
+		handlerwebapp.SettingsComponents...,
+	)
 }
 
 var settingsProfileEditVariantToTemplate map[string]*template.HTML
@@ -71,6 +75,7 @@ func (h *AuthflowV2SettingsProfileEditHandler) GetData(r *http.Request, rw http.
 	userID := session.GetUserID(r.Context())
 
 	data := map[string]interface{}{}
+	data["Pointer"] = r.Form.Get("pointer")
 
 	baseViewModel := h.BaseViewModel.ViewModel(r, rw)
 	viewmodels.Embed(data, baseViewModel)
@@ -84,7 +89,7 @@ func (h *AuthflowV2SettingsProfileEditHandler) GetData(r *http.Request, rw http.
 	return data, nil
 }
 
-func (h *AuthflowV2SettingsProfileEditHandler) isAttributeEditable(attributeVariant string) bool {
+func (h *AuthflowV2SettingsProfileEditHandler) isAttributeEditable(attributeVariant string, isAlreadyPointer bool) bool {
 	accessControl := h.UserProfileConfig.StandardAttributes.GetAccessControl().MergedWith(
 		h.UserProfileConfig.CustomAttributes.GetAccessControl(),
 	)
@@ -109,7 +114,11 @@ func (h *AuthflowV2SettingsProfileEditHandler) isAttributeEditable(attributeVari
 		}
 		return false
 	default:
-		return isEditable("/" + attributeVariant)
+		if isAlreadyPointer {
+			return isEditable(attributeVariant)
+		} else {
+			return isEditable("/" + attributeVariant)
+		}
 	}
 }
 
@@ -119,7 +128,7 @@ func (h *AuthflowV2SettingsProfileEditHandler) ServeHTTP(w http.ResponseWriter,
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		data, err := h.GetData(r, w)
@@ -135,7 +144,13 @@ func (h *AuthflowV2SettingsProfileEditHandler) ServeHTTP(w http.ResponseWriter,
 			return nil
 		}
 
-		hasPermissionToEdit := h.isAttributeEditable(variant)
+		hasPermissionToEdit := false
+		if variant == "custom_attributes" {
+			attribute := r.Form.Get("pointer")
+			hasPermissionToEdit = h.isAttributeEditable(attribute, true)
+		} else {
+			hasPermissionToEdit = h.isAttributeEditable(variant, false)
+		}
 
 		if !hasPermissionToEdit {
 			h.Renderer.RenderHTML(w, r, TemplateSettingsProfileNoPermission, data)
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_sessions.go b/pkg/auth/handler/webapp/authflowv2/settings_sessions.go
new file mode 100644
index 0000000000..69846f5958
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_sessions.go
@@ -0,0 +1,177 @@
+package authflowv2
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/authgear/authgear-server/pkg/api/apierrors"
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/auth/webapp"
+	"github.com/authgear/authgear-server/pkg/lib/config"
+	"github.com/authgear/authgear-server/pkg/lib/oauth"
+	"github.com/authgear/authgear-server/pkg/lib/session"
+	"github.com/authgear/authgear-server/pkg/lib/sessionlisting"
+	"github.com/authgear/authgear-server/pkg/util/httputil"
+	"github.com/authgear/authgear-server/pkg/util/template"
+)
+
+var TemplateWebSettingsV2SessionsHTML = template.RegisterHTML(
+	"web/authflowv2/settings_sessions.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+type Authorization struct {
+	ID                    string
+	ClientID              string
+	ClientName            string
+	Scope                 []string
+	CreatedAt             time.Time
+	HasFullUserInfoAccess bool
+}
+
+type SettingsSessionsViewModel struct {
+	CurrentSessionID string
+	Sessions         []*sessionlisting.Session
+	Authorizations   []Authorization
+}
+
+type AuthflowV2SettingsSessionsHandler struct {
+	ControllerFactory handlerwebapp.ControllerFactory
+	BaseViewModel     *viewmodels.BaseViewModeler
+	Renderer          handlerwebapp.Renderer
+	Sessions          handlerwebapp.SettingsSessionManager
+	Authorizations    handlerwebapp.SettingsAuthorizationService
+	OAuthConfig       *config.OAuthConfig
+	SessionListing    handlerwebapp.SettingsSessionListingService
+}
+
+func (h *AuthflowV2SettingsSessionsHandler) GetData(r *http.Request, rw http.ResponseWriter, s session.ResolvedSession) (map[string]interface{}, error) {
+	data := map[string]interface{}{}
+
+	// BaseViewModel
+	baseViewModel := h.BaseViewModel.ViewModel(r, rw)
+	viewmodels.Embed(data, baseViewModel)
+
+	// SettingsSessionsViewModel
+	userID := s.GetAuthenticationInfo().UserID
+	settingsSessionsViewModel := SettingsSessionsViewModel{}
+
+	ss, err := h.Sessions.List(userID)
+	if err != nil {
+		return nil, err
+	}
+
+	sessionModels, err := h.SessionListing.FilterForDisplay(ss, s)
+	if err != nil {
+		return nil, err
+	}
+	settingsSessionsViewModel.Sessions = sessionModels
+
+	// Get third party app authorization
+	clientNameMap := map[string]string{}
+	for _, c := range h.OAuthConfig.Clients {
+		clientNameMap[c.ClientID] = c.ClientName
+	}
+	filter := oauth.NewKeepThirdPartyAuthorizationFilter(h.OAuthConfig)
+	authorizations, err := h.Authorizations.ListByUser(userID, filter)
+	if err != nil {
+		return nil, err
+	}
+	authzs := []Authorization{}
+	for _, authz := range authorizations {
+		clientName := clientNameMap[authz.ClientID]
+		authzs = append(authzs, Authorization{
+			ID:                    authz.ID,
+			ClientID:              authz.ClientID,
+			ClientName:            clientName,
+			Scope:                 authz.Scopes,
+			CreatedAt:             authz.CreatedAt,
+			HasFullUserInfoAccess: authz.IsAuthorized([]string{oauth.FullUserInfoScope}),
+		})
+	}
+
+	settingsSessionsViewModel.Authorizations = authzs
+
+	settingsSessionsViewModel.CurrentSessionID = s.SessionID()
+	viewmodels.Embed(data, settingsSessionsViewModel)
+
+	return data, nil
+}
+
+func (h *AuthflowV2SettingsSessionsHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithDBTx()
+
+	currentSession := session.GetSession(r.Context())
+	redirectURI := httputil.HostRelative(r.URL).String()
+
+	ctrl.Get(func() error {
+		data, err := h.GetData(r, w, currentSession)
+		if err != nil {
+			return err
+		}
+
+		h.Renderer.RenderHTML(w, r, TemplateWebSettingsV2SessionsHTML, data)
+
+		return nil
+	})
+
+	ctrl.PostAction("revoke", func() error {
+		sessionID := r.Form.Get("x_session_id")
+		if sessionID == currentSession.SessionID() {
+			return apierrors.NewInvalid("cannot revoke current session")
+		}
+
+		s, err := h.Sessions.Get(sessionID)
+		if err != nil {
+			return err
+		}
+
+		err = h.Sessions.RevokeWithEvent(s, true, false)
+		if err != nil {
+			return err
+		}
+
+		result := webapp.Result{RedirectURI: redirectURI}
+		result.WriteResponse(w, r)
+		return nil
+	})
+
+	ctrl.PostAction("revoke_all", func() error {
+		userID := currentSession.GetAuthenticationInfo().UserID
+		err := h.Sessions.TerminateAllExcept(userID, currentSession, false)
+		if err != nil {
+			return err
+		}
+
+		result := webapp.Result{RedirectURI: redirectURI}
+		result.WriteResponse(w, r)
+		return nil
+	})
+
+	ctrl.PostAction("remove_authorization", func() error {
+		authorizationID := r.Form.Get("x_authorization_id")
+		authz, err := h.Authorizations.GetByID(authorizationID)
+		if err != nil {
+			return err
+		}
+
+		if authz.UserID != currentSession.GetAuthenticationInfo().UserID {
+			return apierrors.NewForbidden("cannot remove authorization")
+		}
+
+		err = h.Authorizations.Delete(authz)
+		if err != nil {
+			return err
+		}
+
+		result := webapp.Result{RedirectURI: redirectURI}
+		result.WriteResponse(w, r)
+		return nil
+	})
+}
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_totp.go b/pkg/auth/handler/webapp/authflowv2/settings_totp.go
new file mode 100644
index 0000000000..1760f8b272
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_totp.go
@@ -0,0 +1,83 @@
+package authflowv2
+
+import (
+	"net/http"
+
+	"github.com/authgear/authgear-server/pkg/api/model"
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/lib/authn/authenticator"
+	authenticatorservice "github.com/authgear/authgear-server/pkg/lib/authn/authenticator/service"
+	"github.com/authgear/authgear-server/pkg/lib/infra/db/appdb"
+	"github.com/authgear/authgear-server/pkg/lib/session"
+	"github.com/authgear/authgear-server/pkg/util/template"
+)
+
+var TemplateWebSettingsTOTPHTML = template.RegisterHTML(
+	"web/authflowv2/settings_totp.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+type AuthflowV2SettingsTOTPViewModel struct {
+	TOTPAuthenticators []*authenticator.TOTP
+}
+
+type AuthflowV2SettingsTOTPHandler struct {
+	Database          *appdb.Handle
+	ControllerFactory handlerwebapp.ControllerFactory
+	BaseViewModel     *viewmodels.BaseViewModeler
+	Renderer          handlerwebapp.Renderer
+	Authenticators    authenticatorservice.Service
+}
+
+func (h *AuthflowV2SettingsTOTPHandler) GetData(w http.ResponseWriter, r *http.Request) (map[string]interface{}, error) {
+	data := map[string]interface{}{}
+	baseViewModel := h.BaseViewModel.ViewModel(r, w)
+	viewmodels.Embed(data, baseViewModel)
+
+	userID := session.GetUserID(r.Context())
+	authenticators, err := h.Authenticators.List(
+		*userID,
+		authenticator.KeepKind(authenticator.KindSecondary),
+		authenticator.KeepType(model.AuthenticatorTypeTOTP),
+	)
+
+	if err != nil {
+		return nil, err
+	}
+
+	var totpAuthenticators []*authenticator.TOTP
+	for _, a := range authenticators {
+		totpAuthenticators = append(totpAuthenticators, a.TOTP)
+	}
+
+	vm := AuthflowV2SettingsTOTPViewModel{
+		TOTPAuthenticators: totpAuthenticators,
+	}
+	viewmodels.Embed(data, vm)
+
+	return data, nil
+}
+
+func (h *AuthflowV2SettingsTOTPHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithoutDBTx()
+
+	ctrl.Get(func() error {
+		var data map[string]interface{}
+		err := h.Database.WithTx(func() error {
+			data, err = h.GetData(w, r)
+			return err
+		})
+		if err != nil {
+			return err
+		}
+
+		h.Renderer.RenderHTML(w, r, TemplateWebSettingsTOTPHTML, data)
+		return nil
+	})
+}
diff --git a/pkg/auth/handler/webapp/authflowv2/verify_login_link.go b/pkg/auth/handler/webapp/authflowv2/verify_login_link.go
index 7016c76090..3204c5efc7 100644
--- a/pkg/auth/handler/webapp/authflowv2/verify_login_link.go
+++ b/pkg/auth/handler/webapp/authflowv2/verify_login_link.go
@@ -108,7 +108,7 @@ func (h *AuthflowV2VerifyLoginLinkOTPHandler) ServeHTTP(w http.ResponseWriter, r
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	finishWithState := func(state LoginLinkOTPPageQueryState) {
 		url := url.URL{}
diff --git a/pkg/auth/handler/webapp/change_password.go b/pkg/auth/handler/webapp/change_password.go
index 856f029f79..0c3bae4395 100644
--- a/pkg/auth/handler/webapp/change_password.go
+++ b/pkg/auth/handler/webapp/change_password.go
@@ -68,7 +68,7 @@ func (h *ForceChangePasswordHandler) ServeHTTP(w http.ResponseWriter, r *http.Re
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		// Ensure there is an ongoing web session.
diff --git a/pkg/auth/handler/webapp/change_secondary_password.go b/pkg/auth/handler/webapp/change_secondary_password.go
index a37fca5282..268e8b1dac 100644
--- a/pkg/auth/handler/webapp/change_secondary_password.go
+++ b/pkg/auth/handler/webapp/change_secondary_password.go
@@ -67,7 +67,7 @@ func (h *ForceChangeSecondaryPasswordHandler) ServeHTTP(w http.ResponseWriter, r
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		// Ensure there is an ongoing web session.
diff --git a/pkg/auth/handler/webapp/confirm_terminate_other_sessions.go b/pkg/auth/handler/webapp/confirm_terminate_other_sessions.go
index e10550853a..6f28bfcd88 100644
--- a/pkg/auth/handler/webapp/confirm_terminate_other_sessions.go
+++ b/pkg/auth/handler/webapp/confirm_terminate_other_sessions.go
@@ -61,7 +61,7 @@ func (h *ConfirmTerminateOtherSessionsHandler) ServeHTTP(w http.ResponseWriter,
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		session, err := ctrl.InteractionSession()
diff --git a/pkg/auth/handler/webapp/confirm_web3_account.go b/pkg/auth/handler/webapp/confirm_web3_account.go
index f533af547d..10c432a6c2 100644
--- a/pkg/auth/handler/webapp/confirm_web3_account.go
+++ b/pkg/auth/handler/webapp/confirm_web3_account.go
@@ -92,7 +92,7 @@ func (h *ConnectWeb3AccountHandler) ServeHTTP(w http.ResponseWriter, r *http.Req
 		http.Redirect(w, r, "/", http.StatusFound)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	opts := webapp.SessionOptions{
 		RedirectURI: ctrl.RedirectURI(),
diff --git a/pkg/auth/handler/webapp/controller.go b/pkg/auth/handler/webapp/controller.go
index 9462426eb7..f18d4f7ff7 100644
--- a/pkg/auth/handler/webapp/controller.go
+++ b/pkg/auth/handler/webapp/controller.go
@@ -151,7 +151,23 @@ func (c *Controller) DeleteSession(id string) error {
 	return c.Page.DeleteSession(id)
 }
 
-func (c *Controller) Serve() {
+func (c *Controller) ServeWithoutDBTx() {
+	c.serve(serveOption{
+		withDBTx: false,
+	})
+}
+
+func (c *Controller) ServeWithDBTx() {
+	c.serve(serveOption{
+		withDBTx: true,
+	})
+}
+
+type serveOption struct {
+	withDBTx bool
+}
+
+func (c *Controller) serve(option serveOption) {
 	var err error
 	fns := [](func() error){
 		func() error {
@@ -176,7 +192,7 @@ func (c *Controller) Serve() {
 		http.Error(c.response, "Invalid request method", http.StatusMethodNotAllowed)
 	}
 
-	err = c.Database.WithTx(func() error {
+	handleFunc := func() error {
 		for _, fn := range fns {
 			err := fn()
 			if err != nil {
@@ -184,7 +200,13 @@ func (c *Controller) Serve() {
 			}
 		}
 		return nil
-	})
+	}
+
+	if option.withDBTx {
+		err = c.Database.WithTx(handleFunc)
+	} else {
+		err = handleFunc()
+	}
 
 	if err != nil {
 		if apierrors.IsAPIError(err) {
diff --git a/pkg/auth/handler/webapp/create_passkey.go b/pkg/auth/handler/webapp/create_passkey.go
index 3f3067edb7..17f7bf0008 100644
--- a/pkg/auth/handler/webapp/create_passkey.go
+++ b/pkg/auth/handler/webapp/create_passkey.go
@@ -49,7 +49,7 @@ func (h *CreatePasskeyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		session, err := ctrl.InteractionSession()
diff --git a/pkg/auth/handler/webapp/create_password.go b/pkg/auth/handler/webapp/create_password.go
index 6b533a50b6..9c00a6209c 100644
--- a/pkg/auth/handler/webapp/create_password.go
+++ b/pkg/auth/handler/webapp/create_password.go
@@ -103,7 +103,7 @@ func (h *CreatePasswordHandler) ServeHTTP(w http.ResponseWriter, r *http.Request
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		session, err := ctrl.InteractionSession()
diff --git a/pkg/auth/handler/webapp/enter_login_id.go b/pkg/auth/handler/webapp/enter_login_id.go
index ec3ba27a6f..2081190ca7 100644
--- a/pkg/auth/handler/webapp/enter_login_id.go
+++ b/pkg/auth/handler/webapp/enter_login_id.go
@@ -140,7 +140,7 @@ func (h *EnterLoginIDHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	userID := ctrl.RequireUserID()
 
diff --git a/pkg/auth/handler/webapp/enter_oob_otp.go b/pkg/auth/handler/webapp/enter_oob_otp.go
index ee8052f73d..5ffcde1654 100644
--- a/pkg/auth/handler/webapp/enter_oob_otp.go
+++ b/pkg/auth/handler/webapp/enter_oob_otp.go
@@ -157,7 +157,7 @@ func (h *EnterOOBOTPHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		session, err := ctrl.InteractionSession()
diff --git a/pkg/auth/handler/webapp/enter_password.go b/pkg/auth/handler/webapp/enter_password.go
index ee45e73123..221abddf9a 100644
--- a/pkg/auth/handler/webapp/enter_password.go
+++ b/pkg/auth/handler/webapp/enter_password.go
@@ -114,7 +114,7 @@ func (h *EnterPasswordHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		session, err := ctrl.InteractionSession()
diff --git a/pkg/auth/handler/webapp/enter_recovery_code.go b/pkg/auth/handler/webapp/enter_recovery_code.go
index 5105f061cf..25e022d374 100644
--- a/pkg/auth/handler/webapp/enter_recovery_code.go
+++ b/pkg/auth/handler/webapp/enter_recovery_code.go
@@ -64,7 +64,7 @@ func (h *EnterRecoveryCodeHandler) ServeHTTP(w http.ResponseWriter, r *http.Requ
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		session, err := ctrl.InteractionSession()
diff --git a/pkg/auth/handler/webapp/enter_totp.go b/pkg/auth/handler/webapp/enter_totp.go
index 6d66512fc4..6f86a911f0 100644
--- a/pkg/auth/handler/webapp/enter_totp.go
+++ b/pkg/auth/handler/webapp/enter_totp.go
@@ -64,7 +64,7 @@ func (h *EnterTOTPHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		session, err := ctrl.InteractionSession()
diff --git a/pkg/auth/handler/webapp/error.go b/pkg/auth/handler/webapp/error.go
index 12f546221a..04f1c8ae5c 100644
--- a/pkg/auth/handler/webapp/error.go
+++ b/pkg/auth/handler/webapp/error.go
@@ -38,7 +38,7 @@ func (h *ErrorHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		data, err := h.GetData(r, w)
diff --git a/pkg/auth/handler/webapp/error_feature_disabled.go b/pkg/auth/handler/webapp/error_feature_disabled.go
index 29916fe2d5..68a7fada4a 100644
--- a/pkg/auth/handler/webapp/error_feature_disabled.go
+++ b/pkg/auth/handler/webapp/error_feature_disabled.go
@@ -39,7 +39,7 @@ func (h *FeatureDisabledHandler) ServeHTTP(w http.ResponseWriter, r *http.Reques
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		data, err := h.GetData(r, w)
diff --git a/pkg/auth/handler/webapp/forgot_password.go b/pkg/auth/handler/webapp/forgot_password.go
index 3b57a7a7d9..c8ac650f01 100644
--- a/pkg/auth/handler/webapp/forgot_password.go
+++ b/pkg/auth/handler/webapp/forgot_password.go
@@ -72,7 +72,7 @@ func (h *ForgotPasswordHandler) ServeHTTP(w http.ResponseWriter, r *http.Request
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	opts := webapp.SessionOptions{
 		KeepAfterFinish: true,
diff --git a/pkg/auth/handler/webapp/forgot_password_success.go b/pkg/auth/handler/webapp/forgot_password_success.go
index bad0ae3b1f..d92c89c1ee 100644
--- a/pkg/auth/handler/webapp/forgot_password_success.go
+++ b/pkg/auth/handler/webapp/forgot_password_success.go
@@ -53,7 +53,7 @@ func (h *ForgotPasswordSuccessHandler) ServeHTTP(w http.ResponseWriter, r *http.
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		session, err := ctrl.InteractionSession()
diff --git a/pkg/auth/handler/webapp/login.go b/pkg/auth/handler/webapp/login.go
index 8a33282ce6..00ef028b67 100644
--- a/pkg/auth/handler/webapp/login.go
+++ b/pkg/auth/handler/webapp/login.go
@@ -99,7 +99,7 @@ func (h *LoginHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	h.FormPrefiller.Prefill(r.Form)
 
diff --git a/pkg/auth/handler/webapp/login_link_otp.go b/pkg/auth/handler/webapp/login_link_otp.go
index dc5ac8d8c5..d086a91821 100644
--- a/pkg/auth/handler/webapp/login_link_otp.go
+++ b/pkg/auth/handler/webapp/login_link_otp.go
@@ -115,7 +115,7 @@ func (h *LoginLinkOTPHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		session, err := ctrl.InteractionSession()
diff --git a/pkg/auth/handler/webapp/logout.go b/pkg/auth/handler/webapp/logout.go
index bf44103b9a..7ab1228030 100644
--- a/pkg/auth/handler/webapp/logout.go
+++ b/pkg/auth/handler/webapp/logout.go
@@ -66,7 +66,7 @@ func (h *LogoutHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		baseViewModel := h.BaseViewModel.ViewModel(r, w)
diff --git a/pkg/auth/handler/webapp/missing_web3_wallet.go b/pkg/auth/handler/webapp/missing_web3_wallet.go
index 1f64c33bda..d6f21097b8 100644
--- a/pkg/auth/handler/webapp/missing_web3_wallet.go
+++ b/pkg/auth/handler/webapp/missing_web3_wallet.go
@@ -74,7 +74,7 @@ func (h *MissingWeb3WalletHandler) ServeHTTP(w http.ResponseWriter, r *http.Requ
 		http.Redirect(w, r, "/", http.StatusFound)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		data, err := h.GetData(r, w)
diff --git a/pkg/auth/handler/webapp/not_found.go b/pkg/auth/handler/webapp/not_found.go
index 3742e1207a..51d49ecb24 100644
--- a/pkg/auth/handler/webapp/not_found.go
+++ b/pkg/auth/handler/webapp/not_found.go
@@ -31,7 +31,7 @@ func (h *NotFoundHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		data, err := h.GetData(r, w)
diff --git a/pkg/auth/handler/webapp/promote.go b/pkg/auth/handler/webapp/promote.go
index be38c18348..1ffaaed84e 100644
--- a/pkg/auth/handler/webapp/promote.go
+++ b/pkg/auth/handler/webapp/promote.go
@@ -94,7 +94,7 @@ func (h *PromoteHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	h.FormPrefiller.Prefill(r.Form)
 
diff --git a/pkg/auth/handler/webapp/prompt_create_passkey.go b/pkg/auth/handler/webapp/prompt_create_passkey.go
index ba31dc1ac9..55f6ef2992 100644
--- a/pkg/auth/handler/webapp/prompt_create_passkey.go
+++ b/pkg/auth/handler/webapp/prompt_create_passkey.go
@@ -43,7 +43,7 @@ func (h *PromptCreatePasskeyHandler) ServeHTTP(w http.ResponseWriter, r *http.Re
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		session, err := ctrl.InteractionSession()
diff --git a/pkg/auth/handler/webapp/reauth.go b/pkg/auth/handler/webapp/reauth.go
index b9a4257020..ebba4e0dbe 100644
--- a/pkg/auth/handler/webapp/reauth.go
+++ b/pkg/auth/handler/webapp/reauth.go
@@ -25,7 +25,7 @@ func (h *ReauthHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	webSession := webapp.GetSession(r.Context())
 	userIDHint := ""
diff --git a/pkg/auth/handler/webapp/reset_password.go b/pkg/auth/handler/webapp/reset_password.go
index 61e1eed3ec..b124c0b234 100644
--- a/pkg/auth/handler/webapp/reset_password.go
+++ b/pkg/auth/handler/webapp/reset_password.go
@@ -80,7 +80,7 @@ func (h *ResetPasswordHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	opts := webapp.SessionOptions{
 		KeepAfterFinish: true,
diff --git a/pkg/auth/handler/webapp/reset_password_success.go b/pkg/auth/handler/webapp/reset_password_success.go
index abc8f8dccb..45d952f5a0 100644
--- a/pkg/auth/handler/webapp/reset_password_success.go
+++ b/pkg/auth/handler/webapp/reset_password_success.go
@@ -38,7 +38,7 @@ func (h *ResetPasswordSuccessHandler) ServeHTTP(w http.ResponseWriter, r *http.R
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		data, err := h.GetData(r, w)
diff --git a/pkg/auth/handler/webapp/return.go b/pkg/auth/handler/webapp/return.go
index 8496310b4f..07411422cd 100644
--- a/pkg/auth/handler/webapp/return.go
+++ b/pkg/auth/handler/webapp/return.go
@@ -38,7 +38,7 @@ func (h *ReturnHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		data, err := h.GetData(r, w)
diff --git a/pkg/auth/handler/webapp/select_account.go b/pkg/auth/handler/webapp/select_account.go
index 901e4f81b3..04f8867772 100644
--- a/pkg/auth/handler/webapp/select_account.go
+++ b/pkg/auth/handler/webapp/select_account.go
@@ -224,9 +224,9 @@ func (h *SelectAccountHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
 		h.continueFlow(w, r, "/reauth")
 	}
 
-	// ctrl.Serve() always write response.
+	// ctrl.ServeWithDBTx() always write response.
 	// So we have to put http.Redirect before it.
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		// When promote anonymous user, the end-user should not see this page.
diff --git a/pkg/auth/handler/webapp/settings.go b/pkg/auth/handler/webapp/settings.go
index a4d4008a0e..66d3920a14 100644
--- a/pkg/auth/handler/webapp/settings.go
+++ b/pkg/auth/handler/webapp/settings.go
@@ -137,7 +137,7 @@ func (h *SettingsHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	redirectURI := httputil.HostRelative(r.URL).String()
 	identityID := r.Form.Get("q_identity_id")
diff --git a/pkg/auth/handler/webapp/settings_biometric.go b/pkg/auth/handler/webapp/settings_biometric.go
index 4e84a27a50..18c1e6dd47 100644
--- a/pkg/auth/handler/webapp/settings_biometric.go
+++ b/pkg/auth/handler/webapp/settings_biometric.go
@@ -81,7 +81,7 @@ func (h *SettingsBiometricHandler) ServeHTTP(w http.ResponseWriter, r *http.Requ
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	userID := ctrl.RequireUserID()
 
diff --git a/pkg/auth/handler/webapp/settings_change_password.go b/pkg/auth/handler/webapp/settings_change_password.go
index 99773365c6..b231e1607a 100644
--- a/pkg/auth/handler/webapp/settings_change_password.go
+++ b/pkg/auth/handler/webapp/settings_change_password.go
@@ -60,7 +60,7 @@ func (h *SettingsChangePasswordHandler) ServeHTTP(w http.ResponseWriter, r *http
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		data, err := h.GetData(r, w)
diff --git a/pkg/auth/handler/webapp/settings_change_secondary_password.go b/pkg/auth/handler/webapp/settings_change_secondary_password.go
index cb0fc26ef1..5d75f5726f 100644
--- a/pkg/auth/handler/webapp/settings_change_secondary_password.go
+++ b/pkg/auth/handler/webapp/settings_change_secondary_password.go
@@ -58,7 +58,7 @@ func (h *SettingsChangeSecondaryPasswordHandler) ServeHTTP(w http.ResponseWriter
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		data, err := h.GetData(r, w)
diff --git a/pkg/auth/handler/webapp/settings_delete_account.go b/pkg/auth/handler/webapp/settings_delete_account.go
index 7de1f6035b..bbb541a28a 100644
--- a/pkg/auth/handler/webapp/settings_delete_account.go
+++ b/pkg/auth/handler/webapp/settings_delete_account.go
@@ -87,7 +87,7 @@ func (h *SettingsDeleteAccountHandler) ServeHTTP(w http.ResponseWriter, r *http.
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	currentSession := session.GetSession(r.Context())
 	redirectURI := "/settings/delete_account/success"
diff --git a/pkg/auth/handler/webapp/settings_delete_account_success.go b/pkg/auth/handler/webapp/settings_delete_account_success.go
index eb9da11072..e22da0995c 100644
--- a/pkg/auth/handler/webapp/settings_delete_account_success.go
+++ b/pkg/auth/handler/webapp/settings_delete_account_success.go
@@ -63,7 +63,7 @@ func (h *SettingsDeleteAccountSuccessHandler) ServeHTTP(w http.ResponseWriter, r
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	webSession := webapp.GetSession(r.Context())
 
@@ -78,7 +78,7 @@ func (h *SettingsDeleteAccountSuccessHandler) ServeHTTP(w http.ResponseWriter, r
 	})
 
 	ctrl.PostAction("", func() error {
-		redirectURI := ""
+		redirectURI := "/login"
 		if webSession != nil && webSession.RedirectURI != "" {
 			// delete account triggered by sdk via settings action
 			// redirect to oauth callback
diff --git a/pkg/auth/handler/webapp/settings_identity.go b/pkg/auth/handler/webapp/settings_identity.go
index 6874211e68..dcc65f26c9 100644
--- a/pkg/auth/handler/webapp/settings_identity.go
+++ b/pkg/auth/handler/webapp/settings_identity.go
@@ -78,7 +78,7 @@ func (h *SettingsIdentityHandler) ServeHTTP(w http.ResponseWriter, r *http.Reque
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	redirectURI := httputil.HostRelative(r.URL).String()
 	providerAlias := r.Form.Get("x_provider_alias")
diff --git a/pkg/auth/handler/webapp/settings_mfa.go b/pkg/auth/handler/webapp/settings_mfa.go
index b6d582a931..bbbeeaa429 100644
--- a/pkg/auth/handler/webapp/settings_mfa.go
+++ b/pkg/auth/handler/webapp/settings_mfa.go
@@ -44,7 +44,7 @@ func (h *SettingsMFAHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	redirectURI := httputil.HostRelative(r.URL).String()
 	authenticatorID := r.Form.Get("x_authenticator_id")
diff --git a/pkg/auth/handler/webapp/settings_oob_otp.go b/pkg/auth/handler/webapp/settings_oob_otp.go
index c7e5f7bbf7..11b928ab41 100644
--- a/pkg/auth/handler/webapp/settings_oob_otp.go
+++ b/pkg/auth/handler/webapp/settings_oob_otp.go
@@ -76,7 +76,7 @@ func (h *SettingsOOBOTPHandler) ServeHTTP(w http.ResponseWriter, r *http.Request
 		http.Error(w, "404 page not found", http.StatusNotFound)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	redirectURI := httputil.HostRelative(r.URL).String()
 	authenticatorID := r.Form.Get("x_authenticator_id")
diff --git a/pkg/auth/handler/webapp/settings_passkey.go b/pkg/auth/handler/webapp/settings_passkey.go
index d070f0c4ec..8446dff10c 100644
--- a/pkg/auth/handler/webapp/settings_passkey.go
+++ b/pkg/auth/handler/webapp/settings_passkey.go
@@ -70,7 +70,7 @@ func (h *SettingsPasskeyHandler) ServeHTTP(w http.ResponseWriter, r *http.Reques
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	redirectURI := httputil.HostRelative(r.URL).String()
 	userID := ctrl.RequireUserID()
diff --git a/pkg/auth/handler/webapp/settings_profile.go b/pkg/auth/handler/webapp/settings_profile.go
index 5999a14018..f5307c8942 100644
--- a/pkg/auth/handler/webapp/settings_profile.go
+++ b/pkg/auth/handler/webapp/settings_profile.go
@@ -33,7 +33,7 @@ func (h *SettingsProfileHandler) ServeHTTP(w http.ResponseWriter, r *http.Reques
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		userID := session.GetUserID(r.Context())
diff --git a/pkg/auth/handler/webapp/settings_profile_edit.go b/pkg/auth/handler/webapp/settings_profile_edit.go
index 8e4c6cb593..316fb17097 100644
--- a/pkg/auth/handler/webapp/settings_profile_edit.go
+++ b/pkg/auth/handler/webapp/settings_profile_edit.go
@@ -75,7 +75,7 @@ func (h *SettingsProfileEditHandler) ServeHTTP(w http.ResponseWriter, r *http.Re
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		data, err := h.GetData(r, w)
diff --git a/pkg/auth/handler/webapp/settings_recovery_code.go b/pkg/auth/handler/webapp/settings_recovery_code.go
index cbe87fc807..5f98e582fe 100644
--- a/pkg/auth/handler/webapp/settings_recovery_code.go
+++ b/pkg/auth/handler/webapp/settings_recovery_code.go
@@ -67,7 +67,7 @@ func (h *SettingsRecoveryCodeHandler) ServeHTTP(w http.ResponseWriter, r *http.R
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	redirectURI := httputil.HostRelative(r.URL).String()
 	userID := ctrl.RequireUserID()
diff --git a/pkg/auth/handler/webapp/settings_sessions.go b/pkg/auth/handler/webapp/settings_sessions.go
index 6350fc21a9..b764110d97 100644
--- a/pkg/auth/handler/webapp/settings_sessions.go
+++ b/pkg/auth/handler/webapp/settings_sessions.go
@@ -106,7 +106,7 @@ func (h *SettingsSessionsHandler) ServeHTTP(w http.ResponseWriter, r *http.Reque
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	currentSession := session.GetSession(r.Context())
 	redirectURI := httputil.HostRelative(r.URL).String()
diff --git a/pkg/auth/handler/webapp/settings_totp.go b/pkg/auth/handler/webapp/settings_totp.go
index 3f0a83d1bd..0c63cacac4 100644
--- a/pkg/auth/handler/webapp/settings_totp.go
+++ b/pkg/auth/handler/webapp/settings_totp.go
@@ -63,7 +63,7 @@ func (h *SettingsTOTPHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	redirectURI := httputil.HostRelative(r.URL).String()
 	authenticatorID := r.Form.Get("x_authenticator_id")
diff --git a/pkg/auth/handler/webapp/setup_login_link_otp.go b/pkg/auth/handler/webapp/setup_login_link_otp.go
index 93e8b6353d..3648088e20 100644
--- a/pkg/auth/handler/webapp/setup_login_link_otp.go
+++ b/pkg/auth/handler/webapp/setup_login_link_otp.go
@@ -62,7 +62,7 @@ func (h *SetupLoginLinkOTPHandler) ServeHTTP(w http.ResponseWriter, r *http.Requ
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		session, err := ctrl.InteractionSession()
diff --git a/pkg/auth/handler/webapp/setup_oob_otp.go b/pkg/auth/handler/webapp/setup_oob_otp.go
index 842662c952..cddab916b1 100644
--- a/pkg/auth/handler/webapp/setup_oob_otp.go
+++ b/pkg/auth/handler/webapp/setup_oob_otp.go
@@ -121,7 +121,7 @@ func (h *SetupOOBOTPHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "404 page not found", http.StatusNotFound)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		session, err := ctrl.InteractionSession()
diff --git a/pkg/auth/handler/webapp/setup_recovery_code.go b/pkg/auth/handler/webapp/setup_recovery_code.go
index f4e796e231..5ec13707f6 100644
--- a/pkg/auth/handler/webapp/setup_recovery_code.go
+++ b/pkg/auth/handler/webapp/setup_recovery_code.go
@@ -72,7 +72,7 @@ func (h *SetupRecoveryCodeHandler) ServeHTTP(w http.ResponseWriter, r *http.Requ
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		graph, err := ctrl.InteractionGet()
diff --git a/pkg/auth/handler/webapp/setup_totp.go b/pkg/auth/handler/webapp/setup_totp.go
index ca12aaae52..bf866f102c 100644
--- a/pkg/auth/handler/webapp/setup_totp.go
+++ b/pkg/auth/handler/webapp/setup_totp.go
@@ -134,7 +134,7 @@ func (h *SetupTOTPHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		session, err := ctrl.InteractionSession()
diff --git a/pkg/auth/handler/webapp/setup_whatsapp_otp.go b/pkg/auth/handler/webapp/setup_whatsapp_otp.go
index f04cc844e4..319b970284 100644
--- a/pkg/auth/handler/webapp/setup_whatsapp_otp.go
+++ b/pkg/auth/handler/webapp/setup_whatsapp_otp.go
@@ -58,7 +58,7 @@ func (h *SetupWhatsappOTPHandler) ServeHTTP(w http.ResponseWriter, r *http.Reque
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		session, err := ctrl.InteractionSession()
diff --git a/pkg/auth/handler/webapp/signup.go b/pkg/auth/handler/webapp/signup.go
index 41a1c34c1b..719215414f 100644
--- a/pkg/auth/handler/webapp/signup.go
+++ b/pkg/auth/handler/webapp/signup.go
@@ -86,7 +86,7 @@ func (h *SignupHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	h.FormPrefiller.Prefill(r.Form)
 
diff --git a/pkg/auth/handler/webapp/sso_callback.go b/pkg/auth/handler/webapp/sso_callback.go
index d61468c70e..f75f635d3e 100644
--- a/pkg/auth/handler/webapp/sso_callback.go
+++ b/pkg/auth/handler/webapp/sso_callback.go
@@ -54,7 +54,7 @@ func (h *SSOCallbackHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 			http.Error(w, err.Error(), http.StatusBadRequest)
 			return
 		}
-		defer ctrl.Serve()
+		defer ctrl.ServeWithDBTx()
 
 		data := InputOAuthCallback{
 			ProviderAlias: httproute.GetParam(r, "alias"),
diff --git a/pkg/auth/handler/webapp/tester.go b/pkg/auth/handler/webapp/tester.go
index 009a1d41e5..4c0a69c20e 100644
--- a/pkg/auth/handler/webapp/tester.go
+++ b/pkg/auth/handler/webapp/tester.go
@@ -271,7 +271,7 @@ func (h *TesterHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		token := r.URL.Query().Get("token")
diff --git a/pkg/auth/handler/webapp/use_passkey.go b/pkg/auth/handler/webapp/use_passkey.go
index ac213df1ab..2cc7c939d1 100644
--- a/pkg/auth/handler/webapp/use_passkey.go
+++ b/pkg/auth/handler/webapp/use_passkey.go
@@ -49,7 +49,7 @@ func (h *UsePasskeyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		session, err := ctrl.InteractionSession()
diff --git a/pkg/auth/handler/webapp/verify_identity.go b/pkg/auth/handler/webapp/verify_identity.go
index 343667c1d7..3c1ecd0c04 100644
--- a/pkg/auth/handler/webapp/verify_identity.go
+++ b/pkg/auth/handler/webapp/verify_identity.go
@@ -157,7 +157,7 @@ func (h *VerifyIdentityHandler) ServeHTTP(w http.ResponseWriter, r *http.Request
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	inputFn := func() (input interface{}, err error) {
 		err = VerifyIdentitySchema.Validator().ValidateValue(FormToJSON(r.Form))
diff --git a/pkg/auth/handler/webapp/verify_identity_success.go b/pkg/auth/handler/webapp/verify_identity_success.go
index 886850db26..27235d2b49 100644
--- a/pkg/auth/handler/webapp/verify_identity_success.go
+++ b/pkg/auth/handler/webapp/verify_identity_success.go
@@ -38,7 +38,7 @@ func (h *VerifyIdentitySuccessHandler) ServeHTTP(w http.ResponseWriter, r *http.
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		data, err := h.GetData(r, w)
diff --git a/pkg/auth/handler/webapp/verify_login_link.go b/pkg/auth/handler/webapp/verify_login_link.go
index 4dac937207..225639fa86 100644
--- a/pkg/auth/handler/webapp/verify_login_link.go
+++ b/pkg/auth/handler/webapp/verify_login_link.go
@@ -87,7 +87,7 @@ func (h *VerifyLoginLinkOTPHandler) ServeHTTP(w http.ResponseWriter, r *http.Req
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	finishWithState := func(state LoginLinkOTPPageQueryState) {
 		url := url.URL{}
diff --git a/pkg/auth/handler/webapp/viewmodels/settings.go b/pkg/auth/handler/webapp/viewmodels/settings.go
index 048ae4ed2c..b9dcaea51b 100644
--- a/pkg/auth/handler/webapp/viewmodels/settings.go
+++ b/pkg/auth/handler/webapp/viewmodels/settings.go
@@ -9,6 +9,7 @@ import (
 
 type SettingsViewModel struct {
 	Authenticators           []*authenticator.Info
+	NumberOfDeviceTokens     int
 	HasDeviceTokens          bool
 	ListRecoveryCodesAllowed bool
 	ShowBiometric            bool
@@ -38,7 +39,7 @@ type SettingsAuthenticatorService interface {
 }
 
 type SettingsMFAService interface {
-	HasDeviceTokens(userID string) (bool, error)
+	CountDeviceTokens(userID string) (int, error)
 }
 
 type SettingsViewModeler struct {
@@ -60,10 +61,11 @@ func (m *SettingsViewModeler) ViewModel(userID string) (*SettingsViewModel, erro
 		authenticator.KeepPrimaryAuthenticatorCanHaveMFA,
 	)) > 0
 
-	hasDeviceTokens, err := m.MFA.HasDeviceTokens(userID)
+	numberOfDeviceTokens, err := m.MFA.CountDeviceTokens(userID)
 	if err != nil {
 		return nil, err
 	}
+	hasDeviceTokens := numberOfDeviceTokens > 0
 
 	hasSecondaryTOTP := false
 	hasSecondaryOOBOTPEmail := false
@@ -148,6 +150,7 @@ func (m *SettingsViewModeler) ViewModel(userID string) (*SettingsViewModel, erro
 
 	viewModel := &SettingsViewModel{
 		Authenticators:           authenticators,
+		NumberOfDeviceTokens:     numberOfDeviceTokens,
 		HasDeviceTokens:          hasDeviceTokens,
 		ListRecoveryCodesAllowed: !*m.Authentication.RecoveryCode.Disabled && m.Authentication.RecoveryCode.ListEnabled,
 		ShowBiometric:            showBiometric,
diff --git a/pkg/auth/handler/webapp/wechat_auth.go b/pkg/auth/handler/webapp/wechat_auth.go
index c38d90fe1c..f4cb094563 100644
--- a/pkg/auth/handler/webapp/wechat_auth.go
+++ b/pkg/auth/handler/webapp/wechat_auth.go
@@ -96,7 +96,7 @@ func (h *WechatAuthHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		session, err := ctrl.InteractionSession()
diff --git a/pkg/auth/handler/webapp/wechat_callback.go b/pkg/auth/handler/webapp/wechat_callback.go
index 6ba1b6900d..7a2b2c5549 100644
--- a/pkg/auth/handler/webapp/wechat_callback.go
+++ b/pkg/auth/handler/webapp/wechat_callback.go
@@ -58,7 +58,7 @@ func (h *WechatCallbackHandler) ServeHTTP(w http.ResponseWriter, r *http.Request
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	stateToken := r.Form.Get("state")
 	code := r.Form.Get("code")
diff --git a/pkg/auth/handler/webapp/whatsapp_otp.go b/pkg/auth/handler/webapp/whatsapp_otp.go
index b7867766c9..17e50574c4 100644
--- a/pkg/auth/handler/webapp/whatsapp_otp.go
+++ b/pkg/auth/handler/webapp/whatsapp_otp.go
@@ -125,7 +125,7 @@ func (h *WhatsappOTPHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
-	defer ctrl.Serve()
+	defer ctrl.ServeWithDBTx()
 
 	ctrl.Get(func() error {
 		session, err := ctrl.InteractionSession()
diff --git a/pkg/auth/routes.go b/pkg/auth/routes.go
index 517a195544..f33e4fad36 100644
--- a/pkg/auth/routes.go
+++ b/pkg/auth/routes.go
@@ -439,7 +439,10 @@ func NewRouter(p *deps.RootProvider, configSource *configsource.ConfigSource) *h
 
 	router.Add(webapphandler.ConfigureForgotPasswordSuccessRoute(webappSuccessPageRoute), p.Handler(newWebAppForgotPasswordSuccessHandler))
 	router.Add(webapphandler.ConfigureResetPasswordSuccessRoute(webappSuccessPageRoute), p.Handler(newWebAppResetPasswordSuccessHandler))
-	router.Add(webapphandler.ConfigureSettingsDeleteAccountSuccessRoute(webappSuccessPageRoute), p.Handler(newWebAppSettingsDeleteAccountSuccessHandler))
+	router.Add(webapphandler.ConfigureSettingsDeleteAccountSuccessRoute(webappSuccessPageRoute), &webapphandler.SettingsImplementationSwitcherHandler{
+		SettingV1: p.Handler(newWebAppSettingsDeleteAccountSuccessHandler),
+		SettingV2: p.Handler(newWebAppAuthflowV2SettingsDeleteAccountSuccessHandler),
+	})
 
 	router.Add(webapphandler.ConfigureLogoutRoute(webappAuthenticatedRoute), p.Handler(newWebAppLogoutHandler))
 	router.Add(webapphandler.ConfigureEnterLoginIDRoute(webappAuthenticatedRoute), p.Handler(newWebAppEnterLoginIDHandler))
@@ -456,17 +459,62 @@ func NewRouter(p *deps.RootProvider, configSource *configsource.ConfigSource) *h
 		SettingV1: p.Handler(newWebAppSettingsProfileEditHandler),
 		SettingV2: p.Handler(newWebAppAuthflowV2SettingsProfileEditHandler),
 	})
+	router.Add(webapphandlerauthflowv2.ConfigureAuthflowV2SettingsIdentityChangePrimaryEmailRoute(webappSettingsSubRoutesRoute), p.Handler(newWebAppAuthflowV2SettingsIdentityChangePrimaryEmailHandler))
+	router.Add(webapphandlerauthflowv2.ConfigureAuthflowV2SettingsIdentityAddEmailRoute(webappSettingsSubRoutesRoute), p.Handler(newWebAppAuthflowV2SettingsIdentityAddEmailHandler))
+	router.Add(webapphandlerauthflowv2.ConfigureAuthflowV2SettingsIdentityEditEmailRoute(webappSettingsSubRoutesRoute), p.Handler(newWebAppAuthflowV2SettingsIdentityEditEmailHandler))
+	router.Add(webapphandlerauthflowv2.ConfigureAuthflowV2SettingsIdentityListEmailRoute(webappSettingsSubRoutesRoute), p.Handler(newWebAppAuthflowV2SettingsIdentityListEmailHandler))
+	router.Add(webapphandlerauthflowv2.ConfigureAuthflowV2SettingsIdentityVerifyEmailRoute(webappSettingsSubRoutesRoute), p.Handler(newWebAppAuthflowV2SettingsIdentityVerifyEmailHandler))
+	router.Add(webapphandlerauthflowv2.ConfigureAuthflowV2SettingsIdentityViewEmailRoute(webappSettingsSubRoutesRoute), p.Handler(newWebAppAuthflowV2SettingsIdentityViewEmailHandler))
+	router.Add(webapphandlerauthflowv2.ConfigureAuthflowV2SettingsIdentityAddPhoneRoute(webappSettingsSubRoutesRoute), p.Handler(newWebAppAuthflowV2SettingsIdentityAddPhoneHandler))
+	router.Add(webapphandlerauthflowv2.ConfigureAuthflowV2SettingsIdentityChangePrimaryPhoneRoute(webappSettingsSubRoutesRoute), p.Handler(newWebAppAuthflowV2SettingsIdentityChangePrimaryPhoneHandler))
+	router.Add(webapphandlerauthflowv2.ConfigureAuthflowV2SettingsIdentityEditPhoneRoute(webappSettingsSubRoutesRoute), p.Handler(newWebAppAuthflowV2SettingsIdentityEditPhoneHandler))
+	router.Add(webapphandlerauthflowv2.ConfigureAuthflowV2SettingsIdentityListPhoneRoute(webappSettingsSubRoutesRoute), p.Handler(newWebAppAuthflowV2SettingsIdentityListPhoneHandler))
+	router.Add(webapphandlerauthflowv2.ConfigureAuthflowV2SettingsIdentityViewPhoneRoute(webappSettingsSubRoutesRoute), p.Handler(newWebAppAuthflowV2SettingsIdentityViewPhoneHandler))
+	router.Add(webapphandlerauthflowv2.ConfigureAuthflowV2SettingsIdentityVerifyPhoneRoute(webappSettingsSubRoutesRoute), p.Handler(newWebAppAuthflowV2SettingsIdentityVerifyPhoneHandler))
+	router.Add(webapphandlerauthflowv2.ConfigureAuthflowV2SettingsIdentityListUsername(webappSettingsSubRoutesRoute), p.Handler(newWebAppAuthflowV2SettingsIdentityListUsernameHandler))
+	router.Add(webapphandlerauthflowv2.ConfigureAuthflowV2SettingsIdentityNewUsername(webappSettingsSubRoutesRoute), p.Handler(newWebAppAuthflowV2SettingsIdentityNewUsernameHandler))
+	router.Add(webapphandlerauthflowv2.ConfigureAuthflowV2SettingsIdentityViewUsername(webappSettingsSubRoutesRoute), p.Handler(newWebAppAuthflowV2SettingsIdentityViewUsernameHandler))
+	router.Add(webapphandlerauthflowv2.ConfigureAuthflowV2SettingsIdentityEditUsername(webappSettingsSubRoutesRoute), p.Handler(newWebAppAuthflowV2SettingsIdentityEditUsernameHandler))
 	router.Add(webapphandler.ConfigureSettingsIdentityRoute(webappSettingsSubRoutesRoute), p.Handler(newWebAppSettingsIdentityHandler))
-	router.Add(webapphandler.ConfigureSettingsBiometricRoute(webappSettingsSubRoutesRoute), p.Handler(newWebAppSettingsBiometricHandler))
-	router.Add(webapphandler.ConfigureSettingsMFARoute(webappSettingsSubRoutesRoute), p.Handler(newWebAppSettingsMFAHandler))
-	router.Add(webapphandler.ConfigureSettingsTOTPRoute(webappSettingsSubRoutesRoute), p.Handler(newWebAppSettingsTOTPHandler))
-	router.Add(webapphandler.ConfigureSettingsPasskeyRoute(webappSettingsSubRoutesRoute), p.Handler(newWebAppSettingsPasskeyHandler))
-	router.Add(webapphandler.ConfigureSettingsOOBOTPRoute(webappSettingsSubRoutesRoute), p.Handler(newWebAppSettingsOOBOTPHandler))
+	router.Add(webapphandler.ConfigureSettingsBiometricRoute(webappSettingsSubRoutesRoute), &webapphandler.SettingsImplementationSwitcherHandler{
+		SettingV1: p.Handler(newWebAppSettingsBiometricHandler),
+		SettingV2: p.Handler(newWebAppAuthflowV2SettingsBiometricHandler),
+	})
+	router.Add(webapphandler.ConfigureSettingsMFARoute(webappSettingsSubRoutesRoute), &webapphandler.SettingsImplementationSwitcherHandler{
+		SettingV1: p.Handler(newWebAppSettingsMFAHandler),
+		SettingV2: p.Handler(newWebAppAuthflowV2SettingsMFAHandler),
+	})
+	router.Add(webapphandlerauthflowv2.ConfigureAuthflowV2SettingsMFACreatePassword(webappSettingsSubRoutesRoute), p.Handler(newWebAppAuthflowV2SettingsMFACreatePasswordHandler))
+	router.Add(webapphandlerauthflowv2.ConfigureAuthflowV2SettingsMFAPassword(webappSettingsSubRoutesRoute), p.Handler(newWebAppAuthflowV2SettingsMFAPasswordHandler))
+	router.Add(webapphandler.ConfigureSettingsTOTPRoute(webappSettingsSubRoutesRoute), &webapphandler.SettingsImplementationSwitcherHandler{
+		SettingV1: p.Handler(newWebAppSettingsTOTPHandler),
+		SettingV2: p.Handler(newWebAppAuthflowV2SettingsTOTPHandler),
+	})
+	router.Add(webapphandler.ConfigureSettingsPasskeyRoute(webappSettingsSubRoutesRoute), &webapphandler.SettingsImplementationSwitcherHandler{
+		SettingV1: p.Handler(newWebAppSettingsPasskeyHandler),
+		SettingV2: p.Handler(newWebAppAuthflowV2SettingsChangePasskeyHandler),
+	})
+	router.Add(webapphandler.ConfigureSettingsOOBOTPRoute(webappSettingsSubRoutesRoute), &webapphandler.SettingsImplementationSwitcherHandler{
+		SettingV1: p.Handler(newWebAppSettingsOOBOTPHandler),
+		SettingV2: p.Handler(newWebAppAuthflowV2SettingsOOBOTPHandler),
+	})
 	router.Add(webapphandler.ConfigureSettingsRecoveryCodeRoute(webappSettingsSubRoutesRoute), p.Handler(newWebAppSettingsRecoveryCodeHandler))
-	router.Add(webapphandler.ConfigureSettingsSessionsRoute(webappSettingsSubRoutesRoute), p.Handler(newWebAppSettingsSessionsHandler))
-	router.Add(webapphandler.ConfigureSettingsChangePasswordRoute(webappSettingsSubRoutesRoute), p.Handler(newWebAppSettingsChangePasswordHandler))
+	router.Add(webapphandler.ConfigureSettingsSessionsRoute(webappSettingsSubRoutesRoute), &webapphandler.SettingsImplementationSwitcherHandler{
+		SettingV1: p.Handler(newWebAppSettingsSessionsHandler),
+		SettingV2: p.Handler(newWebAppAuthflowV2SettingsSessionsHandler),
+	})
+	router.Add(webapphandler.ConfigureSettingsChangePasswordRoute(webappSettingsSubRoutesRoute), &webapphandler.SettingsImplementationSwitcherHandler{
+		SettingV1: p.Handler(newWebAppSettingsChangePasswordHandler),
+		SettingV2: p.Handler(newWebAppAuthflowV2SettingsChangePasswordHandler),
+	})
+
 	router.Add(webapphandler.ConfigureSettingsChangeSecondaryPasswordRoute(webappSettingsSubRoutesRoute), p.Handler(newWebAppSettingsChangeSecondaryPasswordHandler))
-	router.Add(webapphandler.ConfigureSettingsDeleteAccountRoute(webappSettingsSubRoutesRoute), p.Handler(newWebAppSettingsDeleteAccountHandler))
+	router.Add(webapphandler.ConfigureSettingsDeleteAccountRoute(webappSettingsSubRoutesRoute), &webapphandler.SettingsImplementationSwitcherHandler{
+		SettingV1: p.Handler(newWebAppSettingsDeleteAccountHandler),
+		SettingV2: p.Handler(newWebAppAuthflowV2SettingsDeleteAccountHandler),
+	})
+
+	router.Add(webapphandlerauthflowv2.ConfigureSettingsV2AdvancedSettingsRoute(webappSettingsSubRoutesRoute), p.Handler(newWebAppAuthflowV2SettingsAdvancedSettingsHandler))
 
 	router.Add(webapphandler.ConfigureTesterRoute(webappTesterRouter), p.Handler(newWebAppTesterHandler))
 
diff --git a/pkg/auth/wire_gen.go b/pkg/auth/wire_gen.go
index 7c3d6f1520..c2bbebdc9f 100644
--- a/pkg/auth/wire_gen.go
+++ b/pkg/auth/wire_gen.go
@@ -44395,6 +44395,7 @@ func newWebAppAuthflowV2SettingsHandler(p *deps.RequestProvider) http.Handler {
 		SettingsProfileViewModel: settingsProfileViewModeler,
 		Identities:               serviceService,
 		Renderer:                 responseRenderer,
+		AccountDeletion:          accountDeletionConfig,
 	}
 	return authflowV2SettingsHandler
 }
@@ -49141,10 +49142,10 @@ func newWebAppSettingsBiometricHandler(p *deps.RequestProvider) http.Handler {
 	return settingsBiometricHandler
 }
 
-func newWebAppSettingsMFAHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2SettingsBiometricHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
-	factory := appProvider.LoggerFactory
 	handle := appProvider.AppDatabase
+	factory := appProvider.LoggerFactory
 	appredisHandle := appProvider.Redis
 	appContext := appProvider.AppContext
 	config := appContext.Config
@@ -50068,24 +50069,44 @@ func newWebAppSettingsMFAHandler(p *deps.RequestProvider) http.Handler {
 		LoggerFactory:  factory,
 		ControllerDeps: controllerDeps,
 	}
-	biometricConfig := identityConfig.Biometric
-	settingsViewModeler := &viewmodels.SettingsViewModeler{
-		Authenticators: service3,
-		MFA:            mfaService,
-		Authentication: authenticationConfig,
-		Biometric:      biometricConfig,
+	redisStore := &accountmanagement.RedisStore{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+		Clock:   clockClock,
 	}
-	settingsMFAHandler := &webapp.SettingsMFAHandler{
-		ControllerFactory: controllerFactory,
-		BaseViewModel:     baseViewModeler,
-		SettingsViewModel: settingsViewModeler,
-		Renderer:          responseRenderer,
-		MFA:               mfaService,
+	facadeIdentityFacade := &facade.IdentityFacade{
+		Coordinator: coordinator,
 	}
-	return settingsMFAHandler
+	accountmanagementService := &accountmanagement.Service{
+		Database:                  handle,
+		Config:                    appConfig,
+		Users:                     userProvider,
+		Store:                     redisStore,
+		OAuthProvider:             oAuthProviderFactory,
+		Identities:                facadeIdentityFacade,
+		Events:                    eventService,
+		OTPSender:                 messageSender,
+		OTPCodeService:            otpService,
+		Authenticators:            authenticatorFacade,
+		AuthenticationInfoService: authenticationinfoStoreRedis,
+		PasskeyService:            passkeyService,
+		Verification:              verificationService,
+		UIInfoResolver:            uiService,
+	}
+	authflowV2SettingsBiometricHandler := &authflowv2.AuthflowV2SettingsBiometricHandler{
+		Database:                 handle,
+		ControllerFactory:        controllerFactory,
+		BaseViewModel:            baseViewModeler,
+		Renderer:                 responseRenderer,
+		Identities:               serviceService,
+		BiometricProvider:        biometricProvider,
+		AccountManagementService: accountmanagementService,
+	}
+	return authflowV2SettingsBiometricHandler
 }
 
-func newWebAppSettingsTOTPHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppSettingsMFAHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	handle := appProvider.AppDatabase
@@ -51012,19 +51033,27 @@ func newWebAppSettingsTOTPHandler(p *deps.RequestProvider) http.Handler {
 		LoggerFactory:  factory,
 		ControllerDeps: controllerDeps,
 	}
-	settingsTOTPHandler := &webapp.SettingsTOTPHandler{
+	biometricConfig := identityConfig.Biometric
+	settingsViewModeler := &viewmodels.SettingsViewModeler{
+		Authenticators: service3,
+		MFA:            mfaService,
+		Authentication: authenticationConfig,
+		Biometric:      biometricConfig,
+	}
+	settingsMFAHandler := &webapp.SettingsMFAHandler{
 		ControllerFactory: controllerFactory,
 		BaseViewModel:     baseViewModeler,
+		SettingsViewModel: settingsViewModeler,
 		Renderer:          responseRenderer,
-		Authenticators:    service3,
+		MFA:               mfaService,
 	}
-	return settingsTOTPHandler
+	return settingsMFAHandler
 }
 
-func newWebAppSettingsPasskeyHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2SettingsMFAHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
-	factory := appProvider.LoggerFactory
 	handle := appProvider.AppDatabase
+	factory := appProvider.LoggerFactory
 	appredisHandle := appProvider.Redis
 	appContext := appProvider.AppContext
 	config := appContext.Config
@@ -51948,16 +51977,25 @@ func newWebAppSettingsPasskeyHandler(p *deps.RequestProvider) http.Handler {
 		LoggerFactory:  factory,
 		ControllerDeps: controllerDeps,
 	}
-	settingsPasskeyHandler := &webapp.SettingsPasskeyHandler{
+	biometricConfig := identityConfig.Biometric
+	settingsViewModeler := &viewmodels.SettingsViewModeler{
+		Authenticators: service3,
+		MFA:            mfaService,
+		Authentication: authenticationConfig,
+		Biometric:      biometricConfig,
+	}
+	authflowV2SettingsMFAHandler := &authflowv2.AuthflowV2SettingsMFAHandler{
+		Database:          handle,
 		ControllerFactory: controllerFactory,
 		BaseViewModel:     baseViewModeler,
+		SettingsViewModel: settingsViewModeler,
 		Renderer:          responseRenderer,
-		Identities:        serviceService,
+		MFA:               mfaService,
 	}
-	return settingsPasskeyHandler
+	return authflowV2SettingsMFAHandler
 }
 
-func newWebAppSettingsOOBOTPHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2SettingsMFACreatePasswordHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	handle := appProvider.AppDatabase
@@ -52884,19 +52922,53 @@ func newWebAppSettingsOOBOTPHandler(p *deps.RequestProvider) http.Handler {
 		LoggerFactory:  factory,
 		ControllerDeps: controllerDeps,
 	}
-	settingsOOBOTPHandler := &webapp.SettingsOOBOTPHandler{
-		ControllerFactory: controllerFactory,
-		BaseViewModel:     baseViewModeler,
-		Renderer:          responseRenderer,
-		Authenticators:    service3,
+	biometricConfig := identityConfig.Biometric
+	settingsViewModeler := &viewmodels.SettingsViewModeler{
+		Authenticators: service3,
+		MFA:            mfaService,
+		Authentication: authenticationConfig,
+		Biometric:      biometricConfig,
 	}
-	return settingsOOBOTPHandler
+	redisStore := &accountmanagement.RedisStore{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+		Clock:   clockClock,
+	}
+	facadeIdentityFacade := &facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	accountmanagementService := &accountmanagement.Service{
+		Database:                  handle,
+		Config:                    appConfig,
+		Users:                     userProvider,
+		Store:                     redisStore,
+		OAuthProvider:             oAuthProviderFactory,
+		Identities:                facadeIdentityFacade,
+		Events:                    eventService,
+		OTPSender:                 messageSender,
+		OTPCodeService:            otpService,
+		Authenticators:            authenticatorFacade,
+		AuthenticationInfoService: authenticationinfoStoreRedis,
+		PasskeyService:            passkeyService,
+		Verification:              verificationService,
+		UIInfoResolver:            uiService,
+	}
+	authflowV2SettingsMFACreatePasswordHandler := &authflowv2.AuthflowV2SettingsMFACreatePasswordHandler{
+		ControllerFactory:        controllerFactory,
+		BaseViewModel:            baseViewModeler,
+		SettingsViewModel:        settingsViewModeler,
+		PasswordPolicy:           passwordChecker,
+		Renderer:                 responseRenderer,
+		AccountManagementService: accountmanagementService,
+	}
+	return authflowV2SettingsMFACreatePasswordHandler
 }
 
-func newWebAppSettingsRecoveryCodeHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2SettingsMFAPasswordHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
-	factory := appProvider.LoggerFactory
 	handle := appProvider.AppDatabase
+	factory := appProvider.LoggerFactory
 	appredisHandle := appProvider.Redis
 	appContext := appProvider.AppContext
 	config := appContext.Config
@@ -53820,17 +53892,24 @@ func newWebAppSettingsRecoveryCodeHandler(p *deps.RequestProvider) http.Handler
 		LoggerFactory:  factory,
 		ControllerDeps: controllerDeps,
 	}
-	settingsRecoveryCodeHandler := &webapp.SettingsRecoveryCodeHandler{
+	biometricConfig := identityConfig.Biometric
+	settingsViewModeler := &viewmodels.SettingsViewModeler{
+		Authenticators: service3,
+		MFA:            mfaService,
+		Authentication: authenticationConfig,
+		Biometric:      biometricConfig,
+	}
+	authflowV2SettingsMFAPasswordHandler := &authflowv2.AuthflowV2SettingsMFAPasswordHandler{
+		Database:          handle,
 		ControllerFactory: controllerFactory,
 		BaseViewModel:     baseViewModeler,
+		SettingsViewModel: settingsViewModeler,
 		Renderer:          responseRenderer,
-		Authentication:    authenticationConfig,
-		MFA:               mfaService,
 	}
-	return settingsRecoveryCodeHandler
+	return authflowV2SettingsMFAPasswordHandler
 }
 
-func newWebAppSettingsSessionsHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppSettingsTOTPHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	handle := appProvider.AppDatabase
@@ -54757,42 +54836,19 @@ func newWebAppSettingsSessionsHandler(p *deps.RequestProvider) http.Handler {
 		LoggerFactory:  factory,
 		ControllerDeps: controllerDeps,
 	}
-	oauthOfflineGrantService := &oauth2.OfflineGrantService{
-		OAuthConfig:    oAuthConfig,
-		Clock:          clockClock,
-		IDPSessions:    idpsessionProvider,
-		ClientResolver: resolver,
-		OfflineGrants:  store,
-	}
-	authorizationService := &oauth2.AuthorizationService{
-		AppID:               appID,
-		Store:               authorizationStore,
-		Clock:               clockClock,
-		OAuthSessionManager: sessionManager,
-		OfflineGrantService: oauthOfflineGrantService,
-		OfflineGrantStore:   store,
-	}
-	sessionListingService := &sessionlisting.SessionListingService{
-		OAuthConfig:   oAuthConfig,
-		IDPSessions:   idpsessionProvider,
-		OfflineGrants: oauthOfflineGrantService,
-	}
-	settingsSessionsHandler := &webapp.SettingsSessionsHandler{
+	settingsTOTPHandler := &webapp.SettingsTOTPHandler{
 		ControllerFactory: controllerFactory,
 		BaseViewModel:     baseViewModeler,
 		Renderer:          responseRenderer,
-		Sessions:          manager2,
-		Authorizations:    authorizationService,
-		OAuthConfig:       oAuthConfig,
-		SessionListing:    sessionListingService,
+		Authenticators:    service3,
 	}
-	return settingsSessionsHandler
+	return settingsTOTPHandler
 }
 
-func newWebAppForceChangePasswordHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2SettingsTOTPHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
-	factory := appProvider.LoggerFactory
 	handle := appProvider.AppDatabase
+	factory := appProvider.LoggerFactory
 	appredisHandle := appProvider.Redis
 	appContext := appProvider.AppContext
 	config := appContext.Config
@@ -55716,24 +55772,31 @@ func newWebAppForceChangePasswordHandler(p *deps.RequestProvider) http.Handler {
 		LoggerFactory:  factory,
 		ControllerDeps: controllerDeps,
 	}
-	changePasswordViewModeler := &viewmodels.ChangePasswordViewModeler{
-		Authentication: authenticationConfig,
-		LoginID:        loginIDConfig,
+	service4 := service2.Service{
+		Store:          store3,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
 	}
-	forceChangePasswordHandler := &webapp.ForceChangePasswordHandler{
-		ControllerFactory:       controllerFactory,
-		BaseViewModel:           baseViewModeler,
-		ChangePasswordViewModel: changePasswordViewModeler,
-		Renderer:                responseRenderer,
-		PasswordPolicy:          passwordChecker,
+	authflowV2SettingsTOTPHandler := &authflowv2.AuthflowV2SettingsTOTPHandler{
+		Database:          handle,
+		ControllerFactory: controllerFactory,
+		BaseViewModel:     baseViewModeler,
+		Renderer:          responseRenderer,
+		Authenticators:    service4,
 	}
-	return forceChangePasswordHandler
+	return authflowV2SettingsTOTPHandler
 }
 
-func newWebAppSettingsChangePasswordHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2SettingsOOBOTPHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
-	factory := appProvider.LoggerFactory
 	handle := appProvider.AppDatabase
+	factory := appProvider.LoggerFactory
 	appredisHandle := appProvider.Redis
 	appContext := appProvider.AppContext
 	config := appContext.Config
@@ -56657,16 +56720,28 @@ func newWebAppSettingsChangePasswordHandler(p *deps.RequestProvider) http.Handle
 		LoggerFactory:  factory,
 		ControllerDeps: controllerDeps,
 	}
-	settingsChangePasswordHandler := &webapp.SettingsChangePasswordHandler{
+	service4 := service2.Service{
+		Store:          store3,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	authflowV2SettingsOOBOTPHandler := &authflowv2.AuthflowV2SettingsOOBOTPHandler{
+		Database:          handle,
 		ControllerFactory: controllerFactory,
 		BaseViewModel:     baseViewModeler,
 		Renderer:          responseRenderer,
-		PasswordPolicy:    passwordChecker,
+		Authenticators:    service4,
 	}
-	return settingsChangePasswordHandler
+	return authflowV2SettingsOOBOTPHandler
 }
 
-func newWebAppForceChangeSecondaryPasswordHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppSettingsPasskeyHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	handle := appProvider.AppDatabase
@@ -57593,24 +57668,19 @@ func newWebAppForceChangeSecondaryPasswordHandler(p *deps.RequestProvider) http.
 		LoggerFactory:  factory,
 		ControllerDeps: controllerDeps,
 	}
-	changePasswordViewModeler := viewmodels.ChangePasswordViewModeler{
-		Authentication: authenticationConfig,
-		LoginID:        loginIDConfig,
-	}
-	forceChangeSecondaryPasswordHandler := &webapp.ForceChangeSecondaryPasswordHandler{
-		ControllerFactory:       controllerFactory,
-		BaseViewModel:           baseViewModeler,
-		ChangePasswordViewModel: changePasswordViewModeler,
-		Renderer:                responseRenderer,
-		PasswordPolicy:          passwordChecker,
+	settingsPasskeyHandler := &webapp.SettingsPasskeyHandler{
+		ControllerFactory: controllerFactory,
+		BaseViewModel:     baseViewModeler,
+		Renderer:          responseRenderer,
+		Identities:        serviceService,
 	}
-	return forceChangeSecondaryPasswordHandler
+	return settingsPasskeyHandler
 }
 
-func newWebAppSettingsChangeSecondaryPasswordHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2SettingsChangePasskeyHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
-	factory := appProvider.LoggerFactory
 	handle := appProvider.AppDatabase
+	factory := appProvider.LoggerFactory
 	appredisHandle := appProvider.Redis
 	appContext := appProvider.AppContext
 	config := appContext.Config
@@ -58534,16 +58604,63 @@ func newWebAppSettingsChangeSecondaryPasswordHandler(p *deps.RequestProvider) ht
 		LoggerFactory:  factory,
 		ControllerDeps: controllerDeps,
 	}
-	settingsChangeSecondaryPasswordHandler := &webapp.SettingsChangeSecondaryPasswordHandler{
+	service4 := service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 serviceStore,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	redisStore := &accountmanagement.RedisStore{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+		Clock:   clockClock,
+	}
+	facadeIdentityFacade := &facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	accountmanagementService := &accountmanagement.Service{
+		Database:                  handle,
+		Config:                    appConfig,
+		Users:                     userProvider,
+		Store:                     redisStore,
+		OAuthProvider:             oAuthProviderFactory,
+		Identities:                facadeIdentityFacade,
+		Events:                    eventService,
+		OTPSender:                 messageSender,
+		OTPCodeService:            otpService,
+		Authenticators:            authenticatorFacade,
+		AuthenticationInfoService: authenticationinfoStoreRedis,
+		PasskeyService:            passkeyService,
+		Verification:              verificationService,
+		UIInfoResolver:            uiService,
+	}
+	creationOptionsService := &passkey2.CreationOptionsService{
+		ConfigService:   configService,
+		UserService:     userQueries,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	authflowV2SettingsChangePasskeyHandler := &authflowv2.AuthflowV2SettingsChangePasskeyHandler{
+		Database:          handle,
 		ControllerFactory: controllerFactory,
 		BaseViewModel:     baseViewModeler,
 		Renderer:          responseRenderer,
-		PasswordPolicy:    passwordChecker,
+		Identities:        service4,
+		AccountManagement: accountmanagementService,
+		Passkey:           creationOptionsService,
 	}
-	return settingsChangeSecondaryPasswordHandler
+	return authflowV2SettingsChangePasskeyHandler
 }
 
-func newWebAppSettingsDeleteAccountHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppSettingsOOBOTPHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	handle := appProvider.AppDatabase
@@ -59470,27 +59587,16 @@ func newWebAppSettingsDeleteAccountHandler(p *deps.RequestProvider) http.Handler
 		LoggerFactory:  factory,
 		ControllerDeps: controllerDeps,
 	}
-	userFacade := &facade.UserFacade{
-		UserProvider: userProvider,
-		Coordinator:  coordinator,
-	}
-	settingsDeleteAccountHandler := &webapp.SettingsDeleteAccountHandler{
-		ControllerFactory:         controllerFactory,
-		BaseViewModel:             baseViewModeler,
-		Renderer:                  responseRenderer,
-		AccountDeletion:           accountDeletionConfig,
-		Clock:                     clockClock,
-		Users:                     userFacade,
-		Cookies:                   cookieManager,
-		OAuthSessions:             oauthsessionStoreRedis,
-		Sessions:                  sessionStoreRedis,
-		SessionCookie:             sessionCookieDef,
-		AuthenticationInfoService: authenticationinfoStoreRedis,
+	settingsOOBOTPHandler := &webapp.SettingsOOBOTPHandler{
+		ControllerFactory: controllerFactory,
+		BaseViewModel:     baseViewModeler,
+		Renderer:          responseRenderer,
+		Authenticators:    service3,
 	}
-	return settingsDeleteAccountHandler
+	return settingsOOBOTPHandler
 }
 
-func newWebAppSettingsDeleteAccountSuccessHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppSettingsRecoveryCodeHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	handle := appProvider.AppDatabase
@@ -60417,19 +60523,17 @@ func newWebAppSettingsDeleteAccountSuccessHandler(p *deps.RequestProvider) http.
 		LoggerFactory:  factory,
 		ControllerDeps: controllerDeps,
 	}
-	settingsDeleteAccountSuccessHandler := &webapp.SettingsDeleteAccountSuccessHandler{
-		ControllerFactory:         controllerFactory,
-		BaseViewModel:             baseViewModeler,
-		Renderer:                  responseRenderer,
-		AccountDeletion:           accountDeletionConfig,
-		Clock:                     clockClock,
-		UIInfoResolver:            uiService,
-		AuthenticationInfoService: authenticationinfoStoreRedis,
+	settingsRecoveryCodeHandler := &webapp.SettingsRecoveryCodeHandler{
+		ControllerFactory: controllerFactory,
+		BaseViewModel:     baseViewModeler,
+		Renderer:          responseRenderer,
+		Authentication:    authenticationConfig,
+		MFA:               mfaService,
 	}
-	return settingsDeleteAccountSuccessHandler
+	return settingsRecoveryCodeHandler
 }
 
-func newWebAppAccountStatusHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppSettingsSessionsHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	handle := appProvider.AppDatabase
@@ -61356,15 +61460,39 @@ func newWebAppAccountStatusHandler(p *deps.RequestProvider) http.Handler {
 		LoggerFactory:  factory,
 		ControllerDeps: controllerDeps,
 	}
-	accountStatusHandler := &webapp.AccountStatusHandler{
+	oauthOfflineGrantService := &oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
+	}
+	authorizationService := &oauth2.AuthorizationService{
+		AppID:               appID,
+		Store:               authorizationStore,
+		Clock:               clockClock,
+		OAuthSessionManager: sessionManager,
+		OfflineGrantService: oauthOfflineGrantService,
+		OfflineGrantStore:   store,
+	}
+	sessionListingService := &sessionlisting.SessionListingService{
+		OAuthConfig:   oAuthConfig,
+		IDPSessions:   idpsessionProvider,
+		OfflineGrants: oauthOfflineGrantService,
+	}
+	settingsSessionsHandler := &webapp.SettingsSessionsHandler{
 		ControllerFactory: controllerFactory,
 		BaseViewModel:     baseViewModeler,
 		Renderer:          responseRenderer,
+		Sessions:          manager2,
+		Authorizations:    authorizationService,
+		OAuthConfig:       oAuthConfig,
+		SessionListing:    sessionListingService,
 	}
-	return accountStatusHandler
+	return settingsSessionsHandler
 }
 
-func newWebAppLogoutHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2SettingsSessionsHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	handle := appProvider.AppDatabase
@@ -62291,23 +62419,6 @@ func newWebAppLogoutHandler(p *deps.RequestProvider) http.Handler {
 		LoggerFactory:  factory,
 		ControllerDeps: controllerDeps,
 	}
-	samlConfig := appConfig.SAML
-	samlslosessionStoreRedis := &samlslosession.StoreRedis{
-		Context: contextContext,
-		Redis:   appredisHandle,
-		AppID:   appID,
-	}
-	samlEnvironmentConfig := environmentConfig.SAML
-	samlIdpSigningMaterials := deps.ProvideSAMLIdpSigningMaterials(secretConfig)
-	samlSpSigningMaterials := deps.ProvideSAMLSpSigningMaterials(secretConfig)
-	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
-	idTokenIssuer := &oidc.IDTokenIssuer{
-		Secrets:        oAuthKeyMaterials,
-		BaseURL:        endpointsEndpoints,
-		Users:          userQueries,
-		RolesAndGroups: queries,
-		Clock:          clockClock,
-	}
 	oauthOfflineGrantService := &oauth2.OfflineGrantService{
 		OAuthConfig:    oAuthConfig,
 		Clock:          clockClock,
@@ -62315,55 +62426,32 @@ func newWebAppLogoutHandler(p *deps.RequestProvider) http.Handler {
 		ClientResolver: resolver,
 		OfflineGrants:  store,
 	}
-	samlService := &saml.Service{
-		Clock:                       clockClock,
-		AppID:                       appID,
-		SAMLEnvironmentConfig:       samlEnvironmentConfig,
-		SAMLConfig:                  samlConfig,
-		SAMLIdpSigningMaterials:     samlIdpSigningMaterials,
-		SAMLSpSigningMaterials:      samlSpSigningMaterials,
-		Endpoints:                   endpointsEndpoints,
-		UserInfoProvider:            idTokenIssuer,
-		IDPSessionProvider:          idpsessionProvider,
-		OfflineGrantSessionProvider: oauthOfflineGrantService,
-	}
-	samlBindingHTTPPostWriter := &samlbinding.SAMLBindingHTTPPostWriter{}
-	samlBindingHTTPRedirectWriter := &samlbinding.SAMLBindingHTTPRedirectWriter{
-		Signer: samlService,
-	}
-	sloService := &saml.SLOService{
-		SAMLService:               samlService,
-		BindingHTTPPostWriter:     samlBindingHTTPPostWriter,
-		BindingHTTPRedirectWriter: samlBindingHTTPRedirectWriter,
+	authorizationService := &oauth2.AuthorizationService{
+		AppID:               appID,
+		Store:               authorizationStore,
+		Clock:               clockClock,
+		OAuthSessionManager: sessionManager,
+		OfflineGrantService: oauthOfflineGrantService,
+		OfflineGrantStore:   store,
 	}
-	logoutHandler := &webapp.LogoutHandler{
-		ControllerFactory:     controllerFactory,
-		Database:              handle,
-		TrustProxy:            trustProxy,
-		OAuth:                 oAuthConfig,
-		UIConfig:              uiConfig,
-		SAMLConfig:            samlConfig,
-		SessionManager:        manager2,
-		BaseViewModel:         baseViewModeler,
-		Renderer:              responseRenderer,
-		OAuthClientResolver:   resolver,
-		SAMLSLOSessionService: samlslosessionStoreRedis,
-		SAMLSLOService:        sloService,
+	sessionListingService := &sessionlisting.SessionListingService{
+		OAuthConfig:   oAuthConfig,
+		IDPSessions:   idpsessionProvider,
+		OfflineGrants: oauthOfflineGrantService,
 	}
-	return logoutHandler
-}
-
-func newWebAppAppStaticAssetsHandler(p *deps.RequestProvider) http.Handler {
-	appProvider := p.AppProvider
-	appContext := appProvider.AppContext
-	manager := appContext.Resources
-	appStaticAssetsHandler := &webapp.AppStaticAssetsHandler{
-		Resources: manager,
+	authflowV2SettingsSessionsHandler := &authflowv2.AuthflowV2SettingsSessionsHandler{
+		ControllerFactory: controllerFactory,
+		BaseViewModel:     baseViewModeler,
+		Renderer:          responseRenderer,
+		Sessions:          manager2,
+		Authorizations:    authorizationService,
+		OAuthConfig:       oAuthConfig,
+		SessionListing:    sessionListingService,
 	}
-	return appStaticAssetsHandler
+	return authflowV2SettingsSessionsHandler
 }
 
-func newWebAppReturnHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppForceChangePasswordHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	handle := appProvider.AppDatabase
@@ -63290,15 +63378,21 @@ func newWebAppReturnHandler(p *deps.RequestProvider) http.Handler {
 		LoggerFactory:  factory,
 		ControllerDeps: controllerDeps,
 	}
-	returnHandler := &webapp.ReturnHandler{
-		ControllerFactory: controllerFactory,
-		BaseViewModel:     baseViewModeler,
-		Renderer:          responseRenderer,
+	changePasswordViewModeler := &viewmodels.ChangePasswordViewModeler{
+		Authentication: authenticationConfig,
+		LoginID:        loginIDConfig,
 	}
-	return returnHandler
+	forceChangePasswordHandler := &webapp.ForceChangePasswordHandler{
+		ControllerFactory:       controllerFactory,
+		BaseViewModel:           baseViewModeler,
+		ChangePasswordViewModel: changePasswordViewModeler,
+		Renderer:                responseRenderer,
+		PasswordPolicy:          passwordChecker,
+	}
+	return forceChangePasswordHandler
 }
 
-func newWebAppErrorHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppSettingsChangePasswordHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	handle := appProvider.AppDatabase
@@ -64225,28 +64319,50 @@ func newWebAppErrorHandler(p *deps.RequestProvider) http.Handler {
 		LoggerFactory:  factory,
 		ControllerDeps: controllerDeps,
 	}
-	errorHandler := &webapp.ErrorHandler{
+	settingsChangePasswordHandler := &webapp.SettingsChangePasswordHandler{
 		ControllerFactory: controllerFactory,
 		BaseViewModel:     baseViewModeler,
 		Renderer:          responseRenderer,
+		PasswordPolicy:    passwordChecker,
 	}
-	return errorHandler
+	return settingsChangePasswordHandler
 }
 
-func newWebAppAuthflowV2ErrorHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2SettingsChangePasswordHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
-	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
+	handle := appProvider.AppDatabase
+	appredisHandle := appProvider.Redis
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	appID := appConfig.ID
+	serviceLogger := webapp2.NewServiceLogger(factory)
 	request := p.Request
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	authenticationConfig := appConfig.Authentication
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
 	rootProvider := appProvider.RootProvider
 	environmentConfig := rootProvider.EnvironmentConfig
 	trustProxy := environmentConfig.TrustProxy
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
 	httpHost := deps.ProvideHTTPHost(request, trustProxy)
 	httpProto := deps.ProvideHTTPProto(request, trustProxy)
-	appContext := appProvider.AppContext
-	config := appContext.Config
-	appConfig := config.AppConfig
-	uiConfig := appConfig.UI
 	globalUIImplementation := environmentConfig.UIImplementation
 	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
 	uiImplementationService := &web.UIImplementationService{
@@ -64259,45 +64375,46 @@ func newWebAppAuthflowV2ErrorHandler(p *deps.RequestProvider) http.Handler {
 		HTTPProto:               httpProto,
 		UIImplementationService: uiImplementationService,
 	}
-	clockClock := _wireSystemClockValue
-	httpConfig := appConfig.HTTP
-	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
-	appID := appConfig.ID
-	handle := appProvider.Redis
-	sessionStoreRedis := &webapp2.SessionStoreRedis{
-		AppID: appID,
-		Redis: handle,
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
 	}
-	sessionCookieDef := webapp2.NewSessionCookieDef()
-	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	resolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	logger := interaction.NewLogger(factory)
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
 	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	clockClock := _wireSystemClockValue
 	featureConfig := config.FeatureConfig
-	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
-	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	redisLogger := redis.NewLogger(factory)
 	secretConfig := config.SecretConfig
 	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	appdbHandle := appProvider.AppDatabase
-	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
-	store := &user.Store{
+	store := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 		Clock:       clockClock,
-		AppID:       appID,
-	}
-	rawCommands := &user.RawCommands{
-		Store: store,
-		Clock: clockClock,
-	}
-	rawQueries := &user.RawQueries{
-		Store: store,
 	}
 	userAgentString := deps.ProvideUserAgentString(request)
-	logger := event.NewLogger(factory)
+	eventLogger := event.NewLogger(factory)
 	localizationConfig := appConfig.Localization
 	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
 	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
-	authenticationConfig := appConfig.Authentication
+	userStore := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: userStore,
+	}
 	identityConfig := appConfig.Identity
 	identityFeatureConfig := featureConfig.Identity
 	serviceStore := &service.Store{
@@ -64361,19 +64478,20 @@ func newWebAppAuthflowV2ErrorHandler(p *deps.RequestProvider) http.Handler {
 	}
 	store2 := &passkey2.Store{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
 	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
 	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
-	resolver := &template.Resolver{
+	templateResolver := &template.Resolver{
 		Resources:             manager,
 		DefaultLanguageTag:    defaultLanguageTag,
 		SupportedLanguageTags: supportedLanguageTags,
 	}
 	engine := &template.Engine{
-		Resolver: resolver,
+		Resolver: templateResolver,
 	}
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
 	staticAssetResolver := &web.StaticAssetResolver{
@@ -64411,14 +64529,14 @@ func newWebAppAuthflowV2ErrorHandler(p *deps.RequestProvider) http.Handler {
 	web3Config := appConfig.Web3
 	storeRedis := &siwe2.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
 	ratelimitLogger := ratelimit.NewLogger(factory)
 	storageRedis := &ratelimit.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	rateLimitsFeatureConfig := featureConfig.RateLimits
 	limiter := &ratelimit.Limiter{
@@ -64533,17 +64651,17 @@ func newWebAppAuthflowV2ErrorHandler(p *deps.RequestProvider) http.Handler {
 	testModeConfig := appConfig.TestMode
 	testModeFeatureConfig := featureConfig.TestMode
 	codeStoreRedis := &otp.CodeStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	lookupStoreRedis := &otp.LookupStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	attemptTrackerRedis := &otp.AttemptTrackerRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -64569,7 +64687,7 @@ func newWebAppAuthflowV2ErrorHandler(p *deps.RequestProvider) http.Handler {
 	lockoutLogger := lockout.NewLogger(factory)
 	lockoutStorageRedis := &lockout.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	lockoutService := &lockout.Service{
 		Logger:  lockoutLogger,
@@ -64613,14 +64731,14 @@ func newWebAppAuthflowV2ErrorHandler(p *deps.RequestProvider) http.Handler {
 		UserProfileConfig: userProfileConfig,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         store,
+		UserStore:         userStore,
 		ClaimStore:        storePQ,
 		Transformer:       pictureTransformer,
 	}
 	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
 		Config:      userProfileConfig,
 		UserQueries: rawQueries,
-		UserStore:   store,
+		UserStore:   userStore,
 	}
 	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
 	web3Service := &web3.Service{
@@ -64637,7 +64755,7 @@ func newWebAppAuthflowV2ErrorHandler(p *deps.RequestProvider) http.Handler {
 	}
 	userQueries := &user.Queries{
 		RawQueries:         rawQueries,
-		Store:              store,
+		Store:              userStore,
 		Identities:         serviceService,
 		Authenticators:     service3,
 		Verification:       verificationService,
@@ -64710,16 +64828,16 @@ func newWebAppAuthflowV2ErrorHandler(p *deps.RequestProvider) http.Handler {
 	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
 	client := elasticsearch.NewClient(elasticsearchCredentials)
 	queue := appProvider.TaskQueue
-	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
 	elasticsearchService := elasticsearch.Service{
 		Clock:           clockClock,
 		Context:         contextContext,
-		Database:        appdbHandle,
+		Database:        handle,
 		Logger:          elasticsearchServiceLogger,
 		AppID:           appID,
 		Client:          client,
 		Users:           userQueries,
-		UserStore:       store,
+		UserStore:       userStore,
 		IdentityService: serviceService,
 		RolesGroups:     rolesgroupsStore,
 		TaskQueue:       queue,
@@ -64728,26 +64846,11 @@ func newWebAppAuthflowV2ErrorHandler(p *deps.RequestProvider) http.Handler {
 	elasticsearchSink := &elasticsearch.Sink{
 		Logger:   elasticsearchLogger,
 		Service:  elasticsearchService,
-		Database: appdbHandle,
-	}
-	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
-	userCommands := &user.Commands{
-		RawCommands:        rawCommands,
-		RawQueries:         rawQueries,
-		Events:             eventService,
-		Verification:       verificationService,
-		UserProfileConfig:  userProfileConfig,
-		StandardAttributes: serviceNoEvent,
-		CustomAttributes:   customattrsServiceNoEvent,
-		Web3:               web3Service,
-		RolesAndGroups:     queries,
-	}
-	userProvider := &user.Provider{
-		Commands: userCommands,
-		Queries:  userQueries,
+		Database: handle,
 	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
 	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -64775,7 +64878,7 @@ func newWebAppAuthflowV2ErrorHandler(p *deps.RequestProvider) http.Handler {
 		Logger: usageLogger,
 		Clock:  clockClock,
 		AppID:  appID,
-		Redis:  handle,
+		Redis:  appredisHandle,
 	}
 	messagingConfig := appConfig.Messaging
 	messagingRateLimitsConfig := messagingConfig.RateLimits
@@ -64790,21 +64893,21 @@ func newWebAppAuthflowV2ErrorHandler(p *deps.RequestProvider) http.Handler {
 		FeatureConfig: messagingFeatureConfig,
 		EnvConfig:     rateLimitsEnvironmentConfig,
 	}
-	serviceLogger := whatsapp.NewServiceLogger(factory)
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
 	devMode := environmentConfig.DevMode
 	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
 	testModeWhatsappConfig := testModeConfig.Whatsapp
 	whatsappConfig := messagingConfig.Whatsapp
 	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
 	tokenStore := &whatsapp.TokenStore{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
 	whatsappService := &whatsapp.Service{
 		Context:                           contextContext,
-		Logger:                            serviceLogger,
+		Logger:                            whatsappServiceLogger,
 		DevMode:                           devMode,
 		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
 		TestModeWhatsappConfig:            testModeWhatsappConfig,
@@ -64826,12 +64929,27 @@ func newWebAppAuthflowV2ErrorHandler(p *deps.RequestProvider) http.Handler {
 		Sender:      sender,
 		Translation: translationService,
 	}
+	rawCommands := &user.RawCommands{
+		Store: userStore,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
 	stdattrsService := &stdattrs2.Service{
 		UserProfileConfig: userProfileConfig,
 		ServiceNoEvent:    serviceNoEvent,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         store,
+		UserStore:         userStore,
 		Events:            eventService,
 	}
 	authorizationStore := &pq.AuthorizationStore{
@@ -64840,32 +64958,21 @@ func newWebAppAuthflowV2ErrorHandler(p *deps.RequestProvider) http.Handler {
 	}
 	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
 	idpsessionStoreRedis := &idpsession.StoreRedis{
-		Redis:  handle,
+		Redis:  appredisHandle,
 		AppID:  appID,
 		Clock:  clockClock,
 		Logger: storeRedisLogger,
 	}
 	sessionConfig := appConfig.Session
-	cookieDef := session.NewSessionCookieDef(sessionConfig)
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
 	idpsessionManager := &idpsession.Manager{
 		Store:     idpsessionStoreRedis,
 		Config:    sessionConfig,
 		Cookies:   cookieManager,
-		CookieDef: cookieDef,
-	}
-	redisLogger := redis.NewLogger(factory)
-	redisStore := &redis.Store{
-		Context:     contextContext,
-		Redis:       handle,
-		AppID:       appID,
-		Logger:      redisLogger,
-		SQLBuilder:  sqlBuilderApp,
-		SQLExecutor: sqlExecutor,
-		Clock:       clockClock,
+		CookieDef: cookieDef2,
 	}
-	oAuthConfig := appConfig.OAuth
 	eventStoreRedis := &access.EventStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 	}
 	eventProvider := &access.EventProvider{
@@ -64877,7 +64984,7 @@ func newWebAppAuthflowV2ErrorHandler(p *deps.RequestProvider) http.Handler {
 		RemoteIP:        remoteIP,
 		UserAgentString: userAgentString,
 		AppID:           appID,
-		Redis:           handle,
+		Redis:           appredisHandle,
 		Store:           idpsessionStoreRedis,
 		AccessEvents:    eventProvider,
 		TrustProxy:      trustProxy,
@@ -64885,19 +64992,15 @@ func newWebAppAuthflowV2ErrorHandler(p *deps.RequestProvider) http.Handler {
 		Clock:           clockClock,
 		Random:          idpsessionRand,
 	}
-	oauthclientResolver := &oauthclient.Resolver{
-		OAuthConfig:     oAuthConfig,
-		TesterEndpoints: endpointsEndpoints,
-	}
 	offlineGrantService := oauth2.OfflineGrantService{
 		OAuthConfig:    oAuthConfig,
 		Clock:          clockClock,
 		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
 	}
 	sessionManager := &oauth2.SessionManager{
-		Store:   redisStore,
+		Store:   store,
 		Config:  oAuthConfig,
 		Service: offlineGrantService,
 	}
@@ -64936,23 +65039,15 @@ func newWebAppAuthflowV2ErrorHandler(p *deps.RequestProvider) http.Handler {
 	identityFacade := facade.IdentityFacade{
 		Coordinator: coordinator,
 	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
 	anonymousStoreRedis := &anonymous.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
-	authenticatorFacade := facade.AuthenticatorFacade{
-		Coordinator: coordinator,
-	}
-	mfaFacade := &facade.MFAFacade{
-		Coordinator: coordinator,
-	}
-	customattrsService := &customattrs.Service{
-		Config:         userProfileConfig,
-		ServiceNoEvent: customattrsServiceNoEvent,
-		Events:         eventService,
-	}
 	messageSender := &otp.MessageSender{
 		AppID:           appID,
 		Translation:     translationService,
@@ -64960,8 +65055,28 @@ func newWebAppAuthflowV2ErrorHandler(p *deps.RequestProvider) http.Handler {
 		Sender:          sender,
 		WhatsappService: whatsappService,
 	}
-	workflowVerificationFacade := facade.WorkflowVerificationFacade{
-		Verification: verificationService,
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
 	}
 	forgotpasswordLogger := forgotpassword.NewLogger(factory)
 	sender2 := forgotpassword.Sender{
@@ -64980,257 +65095,104 @@ func newWebAppAuthflowV2ErrorHandler(p *deps.RequestProvider) http.Handler {
 		OTPSender:      messageSender,
 		PasswordSender: sender2,
 	}
-	accountMigrationConfig := appConfig.AccountMigration
-	accountMigrationHookConfig := accountMigrationConfig.Hook
-	hookDenoClient := accountmigration.NewHookDenoClient(denoEndpoint, hookLogger, accountMigrationHookConfig)
-	denoMiddlewareLogger := accountmigration.NewDenoMiddlewareLogger(factory)
-	accountMigrationDenoHook := &accountmigration.AccountMigrationDenoHook{
-		DenoHook: denoHook,
-		Client:   hookDenoClient,
-		Logger:   denoMiddlewareLogger,
-	}
-	hookWebHookImpl := &hook.WebHookImpl{
-		Logger: webHookLogger,
-		Secret: webhookKeyMaterials,
-	}
-	hookHTTPClient := accountmigration.NewHookHTTPClient(accountMigrationHookConfig)
-	webhookMiddlewareLogger := accountmigration.NewWebhookMiddlewareLogger(factory)
-	accountMigrationWebHook := &accountmigration.AccountMigrationWebHook{
-		WebHook: hookWebHookImpl,
-		Client:  hookHTTPClient,
-		Logger:  webhookMiddlewareLogger,
-	}
-	accountmigrationService := &accountmigration.Service{
-		Config:   accountMigrationHookConfig,
-		DenoHook: accountMigrationDenoHook,
-		WebHook:  accountMigrationWebHook,
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
 	}
 	challengeProvider := &challenge.Provider{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
-	captchaConfig := appConfig.Captcha
-	providerLogger := captcha.NewProviderLogger(factory)
-	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
-	cloudflareClient := captcha2.NewCloudflareClient(deprecated_CaptchaCloudflareCredentials)
-	captchaProvider := &captcha.Provider{
-		RemoteIP:         remoteIP,
-		Config:           captchaConfig,
-		Logger:           providerLogger,
-		CloudflareClient: cloudflareClient,
-	}
-	botProtectionConfig := appConfig.BotProtection
-	botprotectionProviderLogger := botprotection.NewProviderLogger(factory)
-	botProtectionProviderCredentials := deps.ProvideBotProtectionProvidersCredentials(secretConfig)
-	botprotectionCloudflareClient := botprotection.NewCloudflareClient(botProtectionProviderCredentials, environmentConfig)
-	recaptchaV2Client := botprotection.NewRecaptchaV2Client(botProtectionProviderCredentials, environmentConfig)
-	botprotectionProvider := &botprotection.Provider{
-		RemoteIP:          remoteIP,
-		Config:            botProtectionConfig,
-		Logger:            botprotectionProviderLogger,
-		CloudflareClient:  botprotectionCloudflareClient,
-		RecaptchaV2Client: recaptchaV2Client,
-		Events:            eventService,
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
 	}
-	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
-	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
-	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
 		Context: contextContext,
+		Redis:   appredisHandle,
 		AppID:   appID,
-		Redis:   handle,
-	}
-	oAuthProviderFactory := &sso.OAuthProviderFactory{
-		IdentityConfig:               identityConfig,
-		Credentials:                  oAuthSSOProviderCredentials,
-		Clock:                        clockClock,
-		StandardAttributesNormalizer: normalizer,
-		HTTPClient:                   oAuthHTTPClient,
-		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
-	}
-	requestOptionsService := &passkey2.RequestOptionsService{
-		ConfigService:   configService,
-		IdentityService: serviceService,
-		Store:           store2,
-	}
-	creationOptionsService := &passkey2.CreationOptionsService{
-		ConfigService:   configService,
-		UserService:     userQueries,
-		IdentityService: serviceService,
-		Store:           store2,
-	}
-	ldapConfig := identityConfig.LDAP
-	ldapServerUserCredentials := deps.ProvideLDAPServerUserCredentials(secretConfig)
-	clientFactory := &ldap2.ClientFactory{
-		Config:       ldapConfig,
-		SecretConfig: ldapServerUserCredentials,
 	}
 	manager2 := &session.Manager{
 		IDPSessions:         idpsessionManager,
 		AccessTokenSessions: sessionManager,
 		Events:              eventService,
 	}
-	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
-	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
-	userFacade := &facade.UserFacade{
-		UserProvider: userProvider,
-		Coordinator:  coordinator,
-	}
-	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
-	idTokenIssuer := &oidc.IDTokenIssuer{
-		Secrets:        oAuthKeyMaterials,
-		BaseURL:        endpointsEndpoints,
-		Users:          userQueries,
-		RolesAndGroups: queries,
-		Clock:          clockClock,
-	}
-	dependencies := &authenticationflow.Dependencies{
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
 		Config:                          appConfig,
 		FeatureConfig:                   featureConfig,
-		Clock:                           clockClock,
-		RemoteIP:                        remoteIP,
-		HTTPOrigin:                      httpOrigin,
-		HTTPRequest:                     request,
-		Users:                           userProvider,
+		OAuthClientResolver:             resolver,
+		OfflineGrants:                   store,
 		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
 		AnonymousIdentities:             anonymousProvider,
 		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
-		Authenticators:                  authenticatorFacade,
-		MFA:                             mfaFacade,
-		StdAttrsService:                 stdattrsService,
-		CustomAttrsService:              customattrsService,
-		OTPCodes:                        otpService,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
 		OTPSender:                       messageSender,
-		Verification:                    workflowVerificationFacade,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
 		ForgotPassword:                  forgotpasswordService,
 		ResetPassword:                   forgotpasswordService,
-		AccountMigrations:               accountmigrationService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
 		Challenges:                      challengeProvider,
-		Captcha:                         captchaProvider,
-		BotProtection:                   botprotectionProvider,
-		OAuthProviderFactory:            oAuthProviderFactory,
-		PasskeyRequestOptionsService:    requestOptionsService,
-		PasskeyCreationOptionsService:   creationOptionsService,
-		PasskeyService:                  passkeyService,
-		LoginIDs:                        provider,
-		LDAP:                            ldapProvider,
-		LDAPClientFactory:               clientFactory,
-		IDPSessions:                     idpsessionProvider,
-		Sessions:                        manager2,
-		AuthenticationInfos:             authenticationinfoStoreRedis,
-		SessionCookie:                   cookieDef,
-		MFADeviceTokenCookie:            mfaCookieDef,
-		UserFacade:                      userFacade,
-		Cookies:                         cookieManager,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
 		Events:                          eventService,
-		RateLimiter:                     limiter,
-		OfflineGrants:                   redisStore,
-		IDTokens:                        idTokenIssuer,
-	}
-	authenticationflowServiceLogger := authenticationflow.NewServiceLogger(factory)
-	authenticationflowStoreImpl := &authenticationflow.StoreImpl{
-		Redis:   handle,
-		AppID:   appID,
-		Context: contextContext,
-	}
-	uiService := &authenticationinfo.UIService{
-		EndpointsProvider: endpointsEndpoints,
-	}
-	authenticationflowService := &authenticationflow.Service{
-		ContextDoNotUseDirectly: contextContext,
-		Deps:                    dependencies,
-		Logger:                  authenticationflowServiceLogger,
-		Store:                   authenticationflowStoreImpl,
-		Database:                appdbHandle,
-		UIConfig:                uiConfig,
-		UIInfoResolver:          uiService,
-		OAuthClientResolver:     oauthclientResolver,
-	}
-	oauthsessionStoreRedis := &oauthsession.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	samlsessionStoreRedis := &samlsession.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	promptResolver := &oauth2.PromptResolver{
-		Clock: clockClock,
-	}
-	oauthOfflineGrantService := &oauth2.OfflineGrantService{
-		OAuthConfig:    oAuthConfig,
-		Clock:          clockClock,
-		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
-	}
-	idTokenHintResolver := &oidc.IDTokenHintResolver{
-		Issuer:              idTokenIssuer,
-		Sessions:            idpsessionProvider,
-		OfflineGrantService: oauthOfflineGrantService,
-	}
-	uiInfoResolver := &oidc.UIInfoResolver{
-		Config:              oAuthConfig,
-		EndpointsProvider:   endpointsEndpoints,
-		PromptResolver:      promptResolver,
-		IDTokenHintResolver: idTokenHintResolver,
-		Clock:               clockClock,
-		Cookies:             cookieManager,
-		ClientResolver:      oauthclientResolver,
-	}
-	webappoauthStore := &webappoauth.Store{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
-		Endpoints:       endpointsEndpoints,
-		OAuthStateStore: webappoauthStore,
-	}
-	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
-	errorService := &webapp2.ErrorService{
-		AppID:       appID,
-		Cookie:      errorTokenCookieDef,
-		RedisHandle: handle,
-		Cookies:     cookieManager,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
 	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
-		Endpoints:       endpointsEndpoints,
-		OAuthStateStore: webappoauthStore,
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
 	}
-	errorRenderer := &webapp.ErrorRenderer{
-		ErrorService:            errorService,
-		UIImplementationService: uiImplementationService,
-		AuthflowV1Navigator:     authflowNavigator,
-		AuthflowV2Navigator:     authflowV2Navigator,
+	interactionService := &interaction.Service{
+		Logger:  logger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
 	}
-	authflowController := &webapp.AuthflowController{
-		Logger:                  authflowControllerLogger,
-		TesterEndpointsProvider: endpointsEndpoints,
-		TrustProxy:              trustProxy,
-		Clock:                   clockClock,
-		Cookies:                 cookieManager,
-		Sessions:                sessionStoreRedis,
-		SessionCookie:           sessionCookieDef,
-		SignedUpCookie:          signedUpCookieDef,
-		Authflows:               authenticationflowService,
-		OAuthSessions:           oauthsessionStoreRedis,
-		SAMLSessions:            samlsessionStoreRedis,
-		UIInfoResolver:          uiInfoResolver,
-		UIConfig:                uiConfig,
-		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowV2Navigator,
-		ErrorRenderer:           errorRenderer,
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  resolver,
+		Graph:                interactionService,
 	}
 	uiFeatureConfig := featureConfig.UI
 	forgotPasswordConfig := appConfig.ForgotPassword
 	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
 	flashMessage := &httputil.FlashMessage{
 		Cookies: cookieManager,
 	}
@@ -65255,34 +65217,114 @@ func newWebAppAuthflowV2ErrorHandler(p *deps.RequestProvider) http.Handler {
 		SupportedLanguageTags:             supportedLanguageTags,
 		AuthUISentryDSN:                   authUISentryDSN,
 		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
-		OAuthClientResolver:               oauthclientResolver,
+		OAuthClientResolver:               resolver,
 		Logger:                            baseLogger,
 	}
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowV2ErrorHandler := &authflowv2.AuthflowV2ErrorHandler{
-		Controller:    authflowController,
-		BaseViewModel: baseViewModeler,
-		Renderer:      responseRenderer,
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
 	}
-	return authflowV2ErrorHandler
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
+	}
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
+	}
+	redisStore := &accountmanagement.RedisStore{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+		Clock:   clockClock,
+	}
+	facadeIdentityFacade := &facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	accountmanagementService := &accountmanagement.Service{
+		Database:                  handle,
+		Config:                    appConfig,
+		Users:                     userProvider,
+		Store:                     redisStore,
+		OAuthProvider:             oAuthProviderFactory,
+		Identities:                facadeIdentityFacade,
+		Events:                    eventService,
+		OTPSender:                 messageSender,
+		OTPCodeService:            otpService,
+		Authenticators:            authenticatorFacade,
+		AuthenticationInfoService: authenticationinfoStoreRedis,
+		PasskeyService:            passkeyService,
+		Verification:              verificationService,
+		UIInfoResolver:            uiService,
+	}
+	authflowV2SettingsChangePasswordHandler := &authflowv2.AuthflowV2SettingsChangePasswordHandler{
+		ControllerFactory:        controllerFactory,
+		BaseViewModel:            baseViewModeler,
+		Renderer:                 responseRenderer,
+		AccountManagementService: accountmanagementService,
+		PasswordPolicy:           passwordChecker,
+	}
+	return authflowV2SettingsChangePasswordHandler
 }
 
-func newWebAppCSRFErrorInstructionHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppForceChangeSecondaryPasswordHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
-	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
+	handle := appProvider.AppDatabase
+	appredisHandle := appProvider.Redis
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	appID := appConfig.ID
+	serviceLogger := webapp2.NewServiceLogger(factory)
 	request := p.Request
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	authenticationConfig := appConfig.Authentication
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
 	rootProvider := appProvider.RootProvider
 	environmentConfig := rootProvider.EnvironmentConfig
 	trustProxy := environmentConfig.TrustProxy
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
 	httpHost := deps.ProvideHTTPHost(request, trustProxy)
 	httpProto := deps.ProvideHTTPProto(request, trustProxy)
-	appContext := appProvider.AppContext
-	config := appContext.Config
-	appConfig := config.AppConfig
-	uiConfig := appConfig.UI
 	globalUIImplementation := environmentConfig.UIImplementation
 	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
 	uiImplementationService := &web.UIImplementationService{
@@ -65295,45 +65337,46 @@ func newWebAppCSRFErrorInstructionHandler(p *deps.RequestProvider) http.Handler
 		HTTPProto:               httpProto,
 		UIImplementationService: uiImplementationService,
 	}
-	clockClock := _wireSystemClockValue
-	httpConfig := appConfig.HTTP
-	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
-	appID := appConfig.ID
-	handle := appProvider.Redis
-	sessionStoreRedis := &webapp2.SessionStoreRedis{
-		AppID: appID,
-		Redis: handle,
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
 	}
-	sessionCookieDef := webapp2.NewSessionCookieDef()
-	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
-	contextContext := deps.ProvideRequestContext(request)
-	featureConfig := config.FeatureConfig
-	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
-	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
-	secretConfig := config.SecretConfig
+	resolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	logger := interaction.NewLogger(factory)
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	clockClock := _wireSystemClockValue
+	featureConfig := config.FeatureConfig
+	redisLogger := redis.NewLogger(factory)
+	secretConfig := config.SecretConfig
 	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	appdbHandle := appProvider.AppDatabase
-	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
-	store := &user.Store{
+	store := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 		Clock:       clockClock,
-		AppID:       appID,
-	}
-	rawCommands := &user.RawCommands{
-		Store: store,
-		Clock: clockClock,
-	}
-	rawQueries := &user.RawQueries{
-		Store: store,
 	}
 	userAgentString := deps.ProvideUserAgentString(request)
-	logger := event.NewLogger(factory)
+	eventLogger := event.NewLogger(factory)
 	localizationConfig := appConfig.Localization
 	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
 	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
-	authenticationConfig := appConfig.Authentication
+	userStore := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: userStore,
+	}
 	identityConfig := appConfig.Identity
 	identityFeatureConfig := featureConfig.Identity
 	serviceStore := &service.Store{
@@ -65397,19 +65440,20 @@ func newWebAppCSRFErrorInstructionHandler(p *deps.RequestProvider) http.Handler
 	}
 	store2 := &passkey2.Store{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
 	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
 	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
-	resolver := &template.Resolver{
+	templateResolver := &template.Resolver{
 		Resources:             manager,
 		DefaultLanguageTag:    defaultLanguageTag,
 		SupportedLanguageTags: supportedLanguageTags,
 	}
 	engine := &template.Engine{
-		Resolver: resolver,
+		Resolver: templateResolver,
 	}
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
 	staticAssetResolver := &web.StaticAssetResolver{
@@ -65447,14 +65491,14 @@ func newWebAppCSRFErrorInstructionHandler(p *deps.RequestProvider) http.Handler
 	web3Config := appConfig.Web3
 	storeRedis := &siwe2.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
 	ratelimitLogger := ratelimit.NewLogger(factory)
 	storageRedis := &ratelimit.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	rateLimitsFeatureConfig := featureConfig.RateLimits
 	limiter := &ratelimit.Limiter{
@@ -65569,17 +65613,17 @@ func newWebAppCSRFErrorInstructionHandler(p *deps.RequestProvider) http.Handler
 	testModeConfig := appConfig.TestMode
 	testModeFeatureConfig := featureConfig.TestMode
 	codeStoreRedis := &otp.CodeStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	lookupStoreRedis := &otp.LookupStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	attemptTrackerRedis := &otp.AttemptTrackerRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -65605,7 +65649,7 @@ func newWebAppCSRFErrorInstructionHandler(p *deps.RequestProvider) http.Handler
 	lockoutLogger := lockout.NewLogger(factory)
 	lockoutStorageRedis := &lockout.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	lockoutService := &lockout.Service{
 		Logger:  lockoutLogger,
@@ -65649,14 +65693,14 @@ func newWebAppCSRFErrorInstructionHandler(p *deps.RequestProvider) http.Handler
 		UserProfileConfig: userProfileConfig,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         store,
+		UserStore:         userStore,
 		ClaimStore:        storePQ,
 		Transformer:       pictureTransformer,
 	}
 	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
 		Config:      userProfileConfig,
 		UserQueries: rawQueries,
-		UserStore:   store,
+		UserStore:   userStore,
 	}
 	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
 	web3Service := &web3.Service{
@@ -65673,7 +65717,7 @@ func newWebAppCSRFErrorInstructionHandler(p *deps.RequestProvider) http.Handler
 	}
 	userQueries := &user.Queries{
 		RawQueries:         rawQueries,
-		Store:              store,
+		Store:              userStore,
 		Identities:         serviceService,
 		Authenticators:     service3,
 		Verification:       verificationService,
@@ -65746,16 +65790,16 @@ func newWebAppCSRFErrorInstructionHandler(p *deps.RequestProvider) http.Handler
 	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
 	client := elasticsearch.NewClient(elasticsearchCredentials)
 	queue := appProvider.TaskQueue
-	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
 	elasticsearchService := elasticsearch.Service{
 		Clock:           clockClock,
 		Context:         contextContext,
-		Database:        appdbHandle,
+		Database:        handle,
 		Logger:          elasticsearchServiceLogger,
 		AppID:           appID,
 		Client:          client,
 		Users:           userQueries,
-		UserStore:       store,
+		UserStore:       userStore,
 		IdentityService: serviceService,
 		RolesGroups:     rolesgroupsStore,
 		TaskQueue:       queue,
@@ -65764,26 +65808,11 @@ func newWebAppCSRFErrorInstructionHandler(p *deps.RequestProvider) http.Handler
 	elasticsearchSink := &elasticsearch.Sink{
 		Logger:   elasticsearchLogger,
 		Service:  elasticsearchService,
-		Database: appdbHandle,
-	}
-	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
-	userCommands := &user.Commands{
-		RawCommands:        rawCommands,
-		RawQueries:         rawQueries,
-		Events:             eventService,
-		Verification:       verificationService,
-		UserProfileConfig:  userProfileConfig,
-		StandardAttributes: serviceNoEvent,
-		CustomAttributes:   customattrsServiceNoEvent,
-		Web3:               web3Service,
-		RolesAndGroups:     queries,
-	}
-	userProvider := &user.Provider{
-		Commands: userCommands,
-		Queries:  userQueries,
+		Database: handle,
 	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
 	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -65811,7 +65840,7 @@ func newWebAppCSRFErrorInstructionHandler(p *deps.RequestProvider) http.Handler
 		Logger: usageLogger,
 		Clock:  clockClock,
 		AppID:  appID,
-		Redis:  handle,
+		Redis:  appredisHandle,
 	}
 	messagingConfig := appConfig.Messaging
 	messagingRateLimitsConfig := messagingConfig.RateLimits
@@ -65826,21 +65855,21 @@ func newWebAppCSRFErrorInstructionHandler(p *deps.RequestProvider) http.Handler
 		FeatureConfig: messagingFeatureConfig,
 		EnvConfig:     rateLimitsEnvironmentConfig,
 	}
-	serviceLogger := whatsapp.NewServiceLogger(factory)
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
 	devMode := environmentConfig.DevMode
 	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
 	testModeWhatsappConfig := testModeConfig.Whatsapp
 	whatsappConfig := messagingConfig.Whatsapp
 	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
 	tokenStore := &whatsapp.TokenStore{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
 	whatsappService := &whatsapp.Service{
 		Context:                           contextContext,
-		Logger:                            serviceLogger,
+		Logger:                            whatsappServiceLogger,
 		DevMode:                           devMode,
 		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
 		TestModeWhatsappConfig:            testModeWhatsappConfig,
@@ -65862,12 +65891,27 @@ func newWebAppCSRFErrorInstructionHandler(p *deps.RequestProvider) http.Handler
 		Sender:      sender,
 		Translation: translationService,
 	}
+	rawCommands := &user.RawCommands{
+		Store: userStore,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
 	stdattrsService := &stdattrs2.Service{
 		UserProfileConfig: userProfileConfig,
 		ServiceNoEvent:    serviceNoEvent,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         store,
+		UserStore:         userStore,
 		Events:            eventService,
 	}
 	authorizationStore := &pq.AuthorizationStore{
@@ -65876,32 +65920,21 @@ func newWebAppCSRFErrorInstructionHandler(p *deps.RequestProvider) http.Handler
 	}
 	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
 	idpsessionStoreRedis := &idpsession.StoreRedis{
-		Redis:  handle,
+		Redis:  appredisHandle,
 		AppID:  appID,
 		Clock:  clockClock,
 		Logger: storeRedisLogger,
 	}
 	sessionConfig := appConfig.Session
-	cookieDef := session.NewSessionCookieDef(sessionConfig)
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
 	idpsessionManager := &idpsession.Manager{
 		Store:     idpsessionStoreRedis,
 		Config:    sessionConfig,
 		Cookies:   cookieManager,
-		CookieDef: cookieDef,
-	}
-	redisLogger := redis.NewLogger(factory)
-	redisStore := &redis.Store{
-		Context:     contextContext,
-		Redis:       handle,
-		AppID:       appID,
-		Logger:      redisLogger,
-		SQLBuilder:  sqlBuilderApp,
-		SQLExecutor: sqlExecutor,
-		Clock:       clockClock,
+		CookieDef: cookieDef2,
 	}
-	oAuthConfig := appConfig.OAuth
 	eventStoreRedis := &access.EventStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 	}
 	eventProvider := &access.EventProvider{
@@ -65913,7 +65946,7 @@ func newWebAppCSRFErrorInstructionHandler(p *deps.RequestProvider) http.Handler
 		RemoteIP:        remoteIP,
 		UserAgentString: userAgentString,
 		AppID:           appID,
-		Redis:           handle,
+		Redis:           appredisHandle,
 		Store:           idpsessionStoreRedis,
 		AccessEvents:    eventProvider,
 		TrustProxy:      trustProxy,
@@ -65921,19 +65954,15 @@ func newWebAppCSRFErrorInstructionHandler(p *deps.RequestProvider) http.Handler
 		Clock:           clockClock,
 		Random:          idpsessionRand,
 	}
-	oauthclientResolver := &oauthclient.Resolver{
-		OAuthConfig:     oAuthConfig,
-		TesterEndpoints: endpointsEndpoints,
-	}
 	offlineGrantService := oauth2.OfflineGrantService{
 		OAuthConfig:    oAuthConfig,
 		Clock:          clockClock,
 		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
 	}
 	sessionManager := &oauth2.SessionManager{
-		Store:   redisStore,
+		Store:   store,
 		Config:  oAuthConfig,
 		Service: offlineGrantService,
 	}
@@ -65972,23 +66001,15 @@ func newWebAppCSRFErrorInstructionHandler(p *deps.RequestProvider) http.Handler
 	identityFacade := facade.IdentityFacade{
 		Coordinator: coordinator,
 	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
 	anonymousStoreRedis := &anonymous.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
-	authenticatorFacade := facade.AuthenticatorFacade{
-		Coordinator: coordinator,
-	}
-	mfaFacade := &facade.MFAFacade{
-		Coordinator: coordinator,
-	}
-	customattrsService := &customattrs.Service{
-		Config:         userProfileConfig,
-		ServiceNoEvent: customattrsServiceNoEvent,
-		Events:         eventService,
-	}
 	messageSender := &otp.MessageSender{
 		AppID:           appID,
 		Translation:     translationService,
@@ -65996,8 +66017,28 @@ func newWebAppCSRFErrorInstructionHandler(p *deps.RequestProvider) http.Handler
 		Sender:          sender,
 		WhatsappService: whatsappService,
 	}
-	workflowVerificationFacade := facade.WorkflowVerificationFacade{
-		Verification: verificationService,
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
 	}
 	forgotpasswordLogger := forgotpassword.NewLogger(factory)
 	sender2 := forgotpassword.Sender{
@@ -66016,257 +66057,104 @@ func newWebAppCSRFErrorInstructionHandler(p *deps.RequestProvider) http.Handler
 		OTPSender:      messageSender,
 		PasswordSender: sender2,
 	}
-	accountMigrationConfig := appConfig.AccountMigration
-	accountMigrationHookConfig := accountMigrationConfig.Hook
-	hookDenoClient := accountmigration.NewHookDenoClient(denoEndpoint, hookLogger, accountMigrationHookConfig)
-	denoMiddlewareLogger := accountmigration.NewDenoMiddlewareLogger(factory)
-	accountMigrationDenoHook := &accountmigration.AccountMigrationDenoHook{
-		DenoHook: denoHook,
-		Client:   hookDenoClient,
-		Logger:   denoMiddlewareLogger,
-	}
-	hookWebHookImpl := &hook.WebHookImpl{
-		Logger: webHookLogger,
-		Secret: webhookKeyMaterials,
-	}
-	hookHTTPClient := accountmigration.NewHookHTTPClient(accountMigrationHookConfig)
-	webhookMiddlewareLogger := accountmigration.NewWebhookMiddlewareLogger(factory)
-	accountMigrationWebHook := &accountmigration.AccountMigrationWebHook{
-		WebHook: hookWebHookImpl,
-		Client:  hookHTTPClient,
-		Logger:  webhookMiddlewareLogger,
-	}
-	accountmigrationService := &accountmigration.Service{
-		Config:   accountMigrationHookConfig,
-		DenoHook: accountMigrationDenoHook,
-		WebHook:  accountMigrationWebHook,
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
 	}
 	challengeProvider := &challenge.Provider{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
-	captchaConfig := appConfig.Captcha
-	providerLogger := captcha.NewProviderLogger(factory)
-	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
-	cloudflareClient := captcha2.NewCloudflareClient(deprecated_CaptchaCloudflareCredentials)
-	captchaProvider := &captcha.Provider{
-		RemoteIP:         remoteIP,
-		Config:           captchaConfig,
-		Logger:           providerLogger,
-		CloudflareClient: cloudflareClient,
-	}
-	botProtectionConfig := appConfig.BotProtection
-	botprotectionProviderLogger := botprotection.NewProviderLogger(factory)
-	botProtectionProviderCredentials := deps.ProvideBotProtectionProvidersCredentials(secretConfig)
-	botprotectionCloudflareClient := botprotection.NewCloudflareClient(botProtectionProviderCredentials, environmentConfig)
-	recaptchaV2Client := botprotection.NewRecaptchaV2Client(botProtectionProviderCredentials, environmentConfig)
-	botprotectionProvider := &botprotection.Provider{
-		RemoteIP:          remoteIP,
-		Config:            botProtectionConfig,
-		Logger:            botprotectionProviderLogger,
-		CloudflareClient:  botprotectionCloudflareClient,
-		RecaptchaV2Client: recaptchaV2Client,
-		Events:            eventService,
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
 	}
-	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
-	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
-	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
 		Context: contextContext,
+		Redis:   appredisHandle,
 		AppID:   appID,
-		Redis:   handle,
-	}
-	oAuthProviderFactory := &sso.OAuthProviderFactory{
-		IdentityConfig:               identityConfig,
-		Credentials:                  oAuthSSOProviderCredentials,
-		Clock:                        clockClock,
-		StandardAttributesNormalizer: normalizer,
-		HTTPClient:                   oAuthHTTPClient,
-		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
-	}
-	requestOptionsService := &passkey2.RequestOptionsService{
-		ConfigService:   configService,
-		IdentityService: serviceService,
-		Store:           store2,
-	}
-	creationOptionsService := &passkey2.CreationOptionsService{
-		ConfigService:   configService,
-		UserService:     userQueries,
-		IdentityService: serviceService,
-		Store:           store2,
-	}
-	ldapConfig := identityConfig.LDAP
-	ldapServerUserCredentials := deps.ProvideLDAPServerUserCredentials(secretConfig)
-	clientFactory := &ldap2.ClientFactory{
-		Config:       ldapConfig,
-		SecretConfig: ldapServerUserCredentials,
 	}
 	manager2 := &session.Manager{
 		IDPSessions:         idpsessionManager,
 		AccessTokenSessions: sessionManager,
 		Events:              eventService,
 	}
-	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
-	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
-	userFacade := &facade.UserFacade{
-		UserProvider: userProvider,
-		Coordinator:  coordinator,
-	}
-	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
-	idTokenIssuer := &oidc.IDTokenIssuer{
-		Secrets:        oAuthKeyMaterials,
-		BaseURL:        endpointsEndpoints,
-		Users:          userQueries,
-		RolesAndGroups: queries,
-		Clock:          clockClock,
-	}
-	dependencies := &authenticationflow.Dependencies{
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
 		Config:                          appConfig,
 		FeatureConfig:                   featureConfig,
-		Clock:                           clockClock,
-		RemoteIP:                        remoteIP,
-		HTTPOrigin:                      httpOrigin,
-		HTTPRequest:                     request,
-		Users:                           userProvider,
+		OAuthClientResolver:             resolver,
+		OfflineGrants:                   store,
 		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
 		AnonymousIdentities:             anonymousProvider,
 		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
-		Authenticators:                  authenticatorFacade,
-		MFA:                             mfaFacade,
-		StdAttrsService:                 stdattrsService,
-		CustomAttrsService:              customattrsService,
-		OTPCodes:                        otpService,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
 		OTPSender:                       messageSender,
-		Verification:                    workflowVerificationFacade,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
 		ForgotPassword:                  forgotpasswordService,
 		ResetPassword:                   forgotpasswordService,
-		AccountMigrations:               accountmigrationService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
 		Challenges:                      challengeProvider,
-		Captcha:                         captchaProvider,
-		BotProtection:                   botprotectionProvider,
-		OAuthProviderFactory:            oAuthProviderFactory,
-		PasskeyRequestOptionsService:    requestOptionsService,
-		PasskeyCreationOptionsService:   creationOptionsService,
-		PasskeyService:                  passkeyService,
-		LoginIDs:                        provider,
-		LDAP:                            ldapProvider,
-		LDAPClientFactory:               clientFactory,
-		IDPSessions:                     idpsessionProvider,
-		Sessions:                        manager2,
-		AuthenticationInfos:             authenticationinfoStoreRedis,
-		SessionCookie:                   cookieDef,
-		MFADeviceTokenCookie:            mfaCookieDef,
-		UserFacade:                      userFacade,
-		Cookies:                         cookieManager,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
 		Events:                          eventService,
-		RateLimiter:                     limiter,
-		OfflineGrants:                   redisStore,
-		IDTokens:                        idTokenIssuer,
-	}
-	authenticationflowServiceLogger := authenticationflow.NewServiceLogger(factory)
-	authenticationflowStoreImpl := &authenticationflow.StoreImpl{
-		Redis:   handle,
-		AppID:   appID,
-		Context: contextContext,
-	}
-	uiService := &authenticationinfo.UIService{
-		EndpointsProvider: endpointsEndpoints,
-	}
-	authenticationflowService := &authenticationflow.Service{
-		ContextDoNotUseDirectly: contextContext,
-		Deps:                    dependencies,
-		Logger:                  authenticationflowServiceLogger,
-		Store:                   authenticationflowStoreImpl,
-		Database:                appdbHandle,
-		UIConfig:                uiConfig,
-		UIInfoResolver:          uiService,
-		OAuthClientResolver:     oauthclientResolver,
-	}
-	oauthsessionStoreRedis := &oauthsession.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	samlsessionStoreRedis := &samlsession.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	promptResolver := &oauth2.PromptResolver{
-		Clock: clockClock,
-	}
-	oauthOfflineGrantService := &oauth2.OfflineGrantService{
-		OAuthConfig:    oAuthConfig,
-		Clock:          clockClock,
-		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
-	}
-	idTokenHintResolver := &oidc.IDTokenHintResolver{
-		Issuer:              idTokenIssuer,
-		Sessions:            idpsessionProvider,
-		OfflineGrantService: oauthOfflineGrantService,
-	}
-	uiInfoResolver := &oidc.UIInfoResolver{
-		Config:              oAuthConfig,
-		EndpointsProvider:   endpointsEndpoints,
-		PromptResolver:      promptResolver,
-		IDTokenHintResolver: idTokenHintResolver,
-		Clock:               clockClock,
-		Cookies:             cookieManager,
-		ClientResolver:      oauthclientResolver,
-	}
-	webappoauthStore := &webappoauth.Store{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
-		Endpoints:       endpointsEndpoints,
-		OAuthStateStore: webappoauthStore,
-	}
-	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
-	errorService := &webapp2.ErrorService{
-		AppID:       appID,
-		Cookie:      errorTokenCookieDef,
-		RedisHandle: handle,
-		Cookies:     cookieManager,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
 	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
-		Endpoints:       endpointsEndpoints,
-		OAuthStateStore: webappoauthStore,
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
 	}
-	errorRenderer := &webapp.ErrorRenderer{
-		ErrorService:            errorService,
-		UIImplementationService: uiImplementationService,
-		AuthflowV1Navigator:     authflowNavigator,
-		AuthflowV2Navigator:     authflowV2Navigator,
+	interactionService := &interaction.Service{
+		Logger:  logger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
 	}
-	authflowController := &webapp.AuthflowController{
-		Logger:                  authflowControllerLogger,
-		TesterEndpointsProvider: endpointsEndpoints,
-		TrustProxy:              trustProxy,
-		Clock:                   clockClock,
-		Cookies:                 cookieManager,
-		Sessions:                sessionStoreRedis,
-		SessionCookie:           sessionCookieDef,
-		SignedUpCookie:          signedUpCookieDef,
-		Authflows:               authenticationflowService,
-		OAuthSessions:           oauthsessionStoreRedis,
-		SAMLSessions:            samlsessionStoreRedis,
-		UIInfoResolver:          uiInfoResolver,
-		UIConfig:                uiConfig,
-		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowV2Navigator,
-		ErrorRenderer:           errorRenderer,
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  resolver,
+		Graph:                interactionService,
 	}
 	uiFeatureConfig := featureConfig.UI
 	forgotPasswordConfig := appConfig.ForgotPassword
 	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
 	flashMessage := &httputil.FlashMessage{
 		Cookies: cookieManager,
 	}
@@ -66291,48 +66179,86 @@ func newWebAppCSRFErrorInstructionHandler(p *deps.RequestProvider) http.Handler
 		SupportedLanguageTags:             supportedLanguageTags,
 		AuthUISentryDSN:                   authUISentryDSN,
 		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
-		OAuthClientResolver:               oauthclientResolver,
+		OAuthClientResolver:               resolver,
 		Logger:                            baseLogger,
 	}
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	csrfErrorInstructionHandler := &webapp.CSRFErrorInstructionHandler{
-		Controller:    authflowController,
-		BaseViewModel: baseViewModeler,
-		Renderer:      responseRenderer,
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
 	}
-	return csrfErrorInstructionHandler
-}
-
-func newWebAppNotFoundHandler(p *deps.RequestProvider) http.Handler {
-	appProvider := p.AppProvider
-	factory := appProvider.LoggerFactory
-	handle := appProvider.AppDatabase
-	appredisHandle := appProvider.Redis
-	appContext := appProvider.AppContext
-	config := appContext.Config
-	appConfig := config.AppConfig
-	appID := appConfig.ID
-	serviceLogger := webapp2.NewServiceLogger(factory)
-	request := p.Request
-	sessionStoreRedis := &webapp2.SessionStoreRedis{
-		AppID: appID,
-		Redis: appredisHandle,
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
 	}
-	sessionCookieDef := webapp2.NewSessionCookieDef()
-	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
-	authenticationConfig := appConfig.Authentication
-	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
-	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
-	rootProvider := appProvider.RootProvider
-	environmentConfig := rootProvider.EnvironmentConfig
-	trustProxy := environmentConfig.TrustProxy
-	httpConfig := appConfig.HTTP
-	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
-	errorService := &webapp2.ErrorService{
-		AppID:       appID,
-		Cookie:      errorTokenCookieDef,
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
+	}
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
+	}
+	changePasswordViewModeler := viewmodels.ChangePasswordViewModeler{
+		Authentication: authenticationConfig,
+		LoginID:        loginIDConfig,
+	}
+	forceChangeSecondaryPasswordHandler := &webapp.ForceChangeSecondaryPasswordHandler{
+		ControllerFactory:       controllerFactory,
+		BaseViewModel:           baseViewModeler,
+		ChangePasswordViewModel: changePasswordViewModeler,
+		Renderer:                responseRenderer,
+		PasswordPolicy:          passwordChecker,
+	}
+	return forceChangeSecondaryPasswordHandler
+}
+
+func newWebAppSettingsChangeSecondaryPasswordHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	factory := appProvider.LoggerFactory
+	handle := appProvider.AppDatabase
+	appredisHandle := appProvider.Redis
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	appID := appConfig.ID
+	serviceLogger := webapp2.NewServiceLogger(factory)
+	request := p.Request
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	authenticationConfig := appConfig.Authentication
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
 		RedisHandle: appredisHandle,
 		Cookies:     cookieManager,
 	}
@@ -67232,15 +67158,16 @@ func newWebAppNotFoundHandler(p *deps.RequestProvider) http.Handler {
 		LoggerFactory:  factory,
 		ControllerDeps: controllerDeps,
 	}
-	notFoundHandler := &webapp.NotFoundHandler{
+	settingsChangeSecondaryPasswordHandler := &webapp.SettingsChangeSecondaryPasswordHandler{
 		ControllerFactory: controllerFactory,
 		BaseViewModel:     baseViewModeler,
 		Renderer:          responseRenderer,
+		PasswordPolicy:    passwordChecker,
 	}
-	return notFoundHandler
+	return settingsChangeSecondaryPasswordHandler
 }
 
-func newWebAppAuthflowV2NotFoundHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppSettingsDeleteAccountHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	handle := appProvider.AppDatabase
@@ -68167,45 +68094,40 @@ func newWebAppAuthflowV2NotFoundHandler(p *deps.RequestProvider) http.Handler {
 		LoggerFactory:  factory,
 		ControllerDeps: controllerDeps,
 	}
-	authflowV2NotFoundHandler := &authflowv2.AuthflowV2NotFoundHandler{
-		ControllerFactory: controllerFactory,
-		BaseViewModel:     baseViewModeler,
-		Renderer:          responseRenderer,
+	userFacade := &facade.UserFacade{
+		UserProvider: userProvider,
+		Coordinator:  coordinator,
 	}
-	return authflowV2NotFoundHandler
-}
-
-func newWebAppWebsocketHandler(p *deps.RequestProvider) http.Handler {
-	appProvider := p.AppProvider
-	appContext := appProvider.AppContext
-	config := appContext.Config
-	appConfig := config.AppConfig
-	appID := appConfig.ID
-	factory := appProvider.LoggerFactory
-	handle := appProvider.Redis
-	publisher := webapp.NewPublisher(appID, handle)
-	websocketHandler := &webapp.WebsocketHandler{
-		AppID:         appID,
-		LoggerFactory: factory,
-		RedisHandle:   handle,
-		Publisher:     publisher,
+	settingsDeleteAccountHandler := &webapp.SettingsDeleteAccountHandler{
+		ControllerFactory:         controllerFactory,
+		BaseViewModel:             baseViewModeler,
+		Renderer:                  responseRenderer,
+		AccountDeletion:           accountDeletionConfig,
+		Clock:                     clockClock,
+		Users:                     userFacade,
+		Cookies:                   cookieManager,
+		OAuthSessions:             oauthsessionStoreRedis,
+		Sessions:                  sessionStoreRedis,
+		SessionCookie:             sessionCookieDef,
+		AuthenticationInfoService: authenticationinfoStoreRedis,
 	}
-	return websocketHandler
+	return settingsDeleteAccountHandler
 }
 
-func newWebAppPasskeyCreationOptionsHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2SettingsDeleteAccountHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
-	serviceLogger := webapp2.NewServiceLogger(factory)
-	request := p.Request
+	handle := appProvider.AppDatabase
+	appredisHandle := appProvider.Redis
 	appContext := appProvider.AppContext
 	config := appContext.Config
 	appConfig := config.AppConfig
 	appID := appConfig.ID
-	handle := appProvider.Redis
+	serviceLogger := webapp2.NewServiceLogger(factory)
+	request := p.Request
 	sessionStoreRedis := &webapp2.SessionStoreRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	sessionCookieDef := webapp2.NewSessionCookieDef()
 	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
@@ -68220,7 +68142,7 @@ func newWebAppPasskeyCreationOptionsHandler(p *deps.RequestProvider) http.Handle
 	errorService := &webapp2.ErrorService{
 		AppID:       appID,
 		Cookie:      errorTokenCookieDef,
-		RedisHandle: handle,
+		RedisHandle: appredisHandle,
 		Cookies:     cookieManager,
 	}
 	oAuthConfig := appConfig.OAuth
@@ -68249,8 +68171,7 @@ func newWebAppPasskeyCreationOptionsHandler(p *deps.RequestProvider) http.Handle
 	logger := interaction.NewLogger(factory)
 	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
 	contextContext := deps.ProvideRequestContext(request)
-	appdbHandle := appProvider.AppDatabase
-	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
 	clockClock := _wireSystemClockValue
 	featureConfig := config.FeatureConfig
 	redisLogger := redis.NewLogger(factory)
@@ -68259,7 +68180,7 @@ func newWebAppPasskeyCreationOptionsHandler(p *deps.RequestProvider) http.Handle
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
 	store := &redis.Store{
 		Context:     contextContext,
-		Redis:       handle,
+		Redis:       appredisHandle,
 		AppID:       appID,
 		Logger:      redisLogger,
 		SQLBuilder:  sqlBuilderApp,
@@ -68343,7 +68264,7 @@ func newWebAppPasskeyCreationOptionsHandler(p *deps.RequestProvider) http.Handle
 	}
 	store2 := &passkey2.Store{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
 	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
@@ -68394,14 +68315,14 @@ func newWebAppPasskeyCreationOptionsHandler(p *deps.RequestProvider) http.Handle
 	web3Config := appConfig.Web3
 	storeRedis := &siwe2.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
 	ratelimitLogger := ratelimit.NewLogger(factory)
 	storageRedis := &ratelimit.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	rateLimitsFeatureConfig := featureConfig.RateLimits
 	limiter := &ratelimit.Limiter{
@@ -68516,17 +68437,17 @@ func newWebAppPasskeyCreationOptionsHandler(p *deps.RequestProvider) http.Handle
 	testModeConfig := appConfig.TestMode
 	testModeFeatureConfig := featureConfig.TestMode
 	codeStoreRedis := &otp.CodeStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	lookupStoreRedis := &otp.LookupStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	attemptTrackerRedis := &otp.AttemptTrackerRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -68552,7 +68473,7 @@ func newWebAppPasskeyCreationOptionsHandler(p *deps.RequestProvider) http.Handle
 	lockoutLogger := lockout.NewLogger(factory)
 	lockoutStorageRedis := &lockout.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	lockoutService := &lockout.Service{
 		Logger:  lockoutLogger,
@@ -68693,11 +68614,11 @@ func newWebAppPasskeyCreationOptionsHandler(p *deps.RequestProvider) http.Handle
 	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
 	client := elasticsearch.NewClient(elasticsearchCredentials)
 	queue := appProvider.TaskQueue
-	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
 	elasticsearchService := elasticsearch.Service{
 		Clock:           clockClock,
 		Context:         contextContext,
-		Database:        appdbHandle,
+		Database:        handle,
 		Logger:          elasticsearchServiceLogger,
 		AppID:           appID,
 		Client:          client,
@@ -68711,11 +68632,11 @@ func newWebAppPasskeyCreationOptionsHandler(p *deps.RequestProvider) http.Handle
 	elasticsearchSink := &elasticsearch.Sink{
 		Logger:   elasticsearchLogger,
 		Service:  elasticsearchService,
-		Database: appdbHandle,
+		Database: handle,
 	}
-	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
 	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -68743,7 +68664,7 @@ func newWebAppPasskeyCreationOptionsHandler(p *deps.RequestProvider) http.Handle
 		Logger: usageLogger,
 		Clock:  clockClock,
 		AppID:  appID,
-		Redis:  handle,
+		Redis:  appredisHandle,
 	}
 	messagingConfig := appConfig.Messaging
 	messagingRateLimitsConfig := messagingConfig.RateLimits
@@ -68765,7 +68686,7 @@ func newWebAppPasskeyCreationOptionsHandler(p *deps.RequestProvider) http.Handle
 	whatsappConfig := messagingConfig.Whatsapp
 	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
 	tokenStore := &whatsapp.TokenStore{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -68823,7 +68744,7 @@ func newWebAppPasskeyCreationOptionsHandler(p *deps.RequestProvider) http.Handle
 	}
 	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
 	idpsessionStoreRedis := &idpsession.StoreRedis{
-		Redis:  handle,
+		Redis:  appredisHandle,
 		AppID:  appID,
 		Clock:  clockClock,
 		Logger: storeRedisLogger,
@@ -68837,7 +68758,7 @@ func newWebAppPasskeyCreationOptionsHandler(p *deps.RequestProvider) http.Handle
 		CookieDef: cookieDef2,
 	}
 	eventStoreRedis := &access.EventStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 	}
 	eventProvider := &access.EventProvider{
@@ -68849,7 +68770,7 @@ func newWebAppPasskeyCreationOptionsHandler(p *deps.RequestProvider) http.Handle
 		RemoteIP:        remoteIP,
 		UserAgentString: userAgentString,
 		AppID:           appID,
-		Redis:           handle,
+		Redis:           appredisHandle,
 		Store:           idpsessionStoreRedis,
 		AccessEvents:    eventProvider,
 		TrustProxy:      trustProxy,
@@ -68909,7 +68830,7 @@ func newWebAppPasskeyCreationOptionsHandler(p *deps.RequestProvider) http.Handle
 	}
 	anonymousStoreRedis := &anonymous.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
@@ -68925,7 +68846,7 @@ func newWebAppPasskeyCreationOptionsHandler(p *deps.RequestProvider) http.Handle
 	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
 		Context: contextContext,
 		AppID:   appID,
-		Redis:   handle,
+		Redis:   appredisHandle,
 	}
 	oAuthProviderFactory := &sso.OAuthProviderFactory{
 		IdentityConfig:               identityConfig,
@@ -68937,7 +68858,7 @@ func newWebAppPasskeyCreationOptionsHandler(p *deps.RequestProvider) http.Handle
 	}
 	webappoauthStore := &webappoauth.Store{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
 	mfaFacade := &facade.MFAFacade{
@@ -68967,7 +68888,7 @@ func newWebAppPasskeyCreationOptionsHandler(p *deps.RequestProvider) http.Handle
 		ResponseWriter: responseWriter,
 	}
 	challengeProvider := &challenge.Provider{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -68977,7 +68898,7 @@ func newWebAppPasskeyCreationOptionsHandler(p *deps.RequestProvider) http.Handle
 	}
 	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
 	manager2 := &session.Manager{
@@ -68987,7 +68908,7 @@ func newWebAppPasskeyCreationOptionsHandler(p *deps.RequestProvider) http.Handle
 	}
 	oauthsessionStoreRedis := &oauthsession.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
 	interactionContext := &interaction.Context{
@@ -69030,7 +68951,7 @@ func newWebAppPasskeyCreationOptionsHandler(p *deps.RequestProvider) http.Handle
 		MFADeviceTokenCookie:            cookieDef,
 	}
 	interactionStoreRedis := &interaction.StoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 	}
 	interactionService := &interaction.Service{
@@ -69054,38 +68975,105 @@ func newWebAppPasskeyCreationOptionsHandler(p *deps.RequestProvider) http.Handle
 		OAuthClientResolver:  resolver,
 		Graph:                interactionService,
 	}
-	jsonResponseWriterLogger := httputil.NewJSONResponseWriterLogger(factory)
-	jsonResponseWriter := &httputil.JSONResponseWriter{
-		Logger: jsonResponseWriterLogger,
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
 	}
-	creationOptionsService := &passkey2.CreationOptionsService{
-		ConfigService:   configService,
-		UserService:     userQueries,
-		IdentityService: serviceService,
-		Store:           store2,
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               resolver,
+		Logger:                            baseLogger,
 	}
-	passkeyCreationOptionsHandler := &webapp.PasskeyCreationOptionsHandler{
-		Page:     webappService2,
-		Database: appdbHandle,
-		JSON:     jsonResponseWriter,
-		Passkey:  creationOptionsService,
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
 	}
-	return passkeyCreationOptionsHandler
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
+	}
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
+	}
+	userFacade := &facade.UserFacade{
+		UserProvider: userProvider,
+		Coordinator:  coordinator,
+	}
+	authflowV2SettingsDeleteAccountHandler := &authflowv2.AuthflowV2SettingsDeleteAccountHandler{
+		ControllerFactory:         controllerFactory,
+		BaseViewModel:             baseViewModeler,
+		Renderer:                  responseRenderer,
+		Clock:                     clockClock,
+		Cookies:                   cookieManager,
+		Users:                     userFacade,
+		Sessions:                  sessionStoreRedis,
+		OAuthSessions:             oauthsessionStoreRedis,
+		AccountDeletion:           accountDeletionConfig,
+		AuthenticationInfoService: authenticationinfoStoreRedis,
+	}
+	return authflowV2SettingsDeleteAccountHandler
 }
 
-func newWebAppPasskeyRequestOptionsHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppSettingsDeleteAccountSuccessHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
-	serviceLogger := webapp2.NewServiceLogger(factory)
-	request := p.Request
+	handle := appProvider.AppDatabase
+	appredisHandle := appProvider.Redis
 	appContext := appProvider.AppContext
 	config := appContext.Config
 	appConfig := config.AppConfig
 	appID := appConfig.ID
-	handle := appProvider.Redis
+	serviceLogger := webapp2.NewServiceLogger(factory)
+	request := p.Request
 	sessionStoreRedis := &webapp2.SessionStoreRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	sessionCookieDef := webapp2.NewSessionCookieDef()
 	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
@@ -69100,7 +69088,7 @@ func newWebAppPasskeyRequestOptionsHandler(p *deps.RequestProvider) http.Handler
 	errorService := &webapp2.ErrorService{
 		AppID:       appID,
 		Cookie:      errorTokenCookieDef,
-		RedisHandle: handle,
+		RedisHandle: appredisHandle,
 		Cookies:     cookieManager,
 	}
 	oAuthConfig := appConfig.OAuth
@@ -69129,8 +69117,7 @@ func newWebAppPasskeyRequestOptionsHandler(p *deps.RequestProvider) http.Handler
 	logger := interaction.NewLogger(factory)
 	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
 	contextContext := deps.ProvideRequestContext(request)
-	appdbHandle := appProvider.AppDatabase
-	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
 	clockClock := _wireSystemClockValue
 	featureConfig := config.FeatureConfig
 	redisLogger := redis.NewLogger(factory)
@@ -69139,7 +69126,7 @@ func newWebAppPasskeyRequestOptionsHandler(p *deps.RequestProvider) http.Handler
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
 	store := &redis.Store{
 		Context:     contextContext,
-		Redis:       handle,
+		Redis:       appredisHandle,
 		AppID:       appID,
 		Logger:      redisLogger,
 		SQLBuilder:  sqlBuilderApp,
@@ -69223,7 +69210,7 @@ func newWebAppPasskeyRequestOptionsHandler(p *deps.RequestProvider) http.Handler
 	}
 	store2 := &passkey2.Store{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
 	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
@@ -69274,14 +69261,14 @@ func newWebAppPasskeyRequestOptionsHandler(p *deps.RequestProvider) http.Handler
 	web3Config := appConfig.Web3
 	storeRedis := &siwe2.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
 	ratelimitLogger := ratelimit.NewLogger(factory)
 	storageRedis := &ratelimit.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	rateLimitsFeatureConfig := featureConfig.RateLimits
 	limiter := &ratelimit.Limiter{
@@ -69396,17 +69383,17 @@ func newWebAppPasskeyRequestOptionsHandler(p *deps.RequestProvider) http.Handler
 	testModeConfig := appConfig.TestMode
 	testModeFeatureConfig := featureConfig.TestMode
 	codeStoreRedis := &otp.CodeStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	lookupStoreRedis := &otp.LookupStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	attemptTrackerRedis := &otp.AttemptTrackerRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -69432,7 +69419,7 @@ func newWebAppPasskeyRequestOptionsHandler(p *deps.RequestProvider) http.Handler
 	lockoutLogger := lockout.NewLogger(factory)
 	lockoutStorageRedis := &lockout.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	lockoutService := &lockout.Service{
 		Logger:  lockoutLogger,
@@ -69573,11 +69560,11 @@ func newWebAppPasskeyRequestOptionsHandler(p *deps.RequestProvider) http.Handler
 	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
 	client := elasticsearch.NewClient(elasticsearchCredentials)
 	queue := appProvider.TaskQueue
-	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
 	elasticsearchService := elasticsearch.Service{
 		Clock:           clockClock,
 		Context:         contextContext,
-		Database:        appdbHandle,
+		Database:        handle,
 		Logger:          elasticsearchServiceLogger,
 		AppID:           appID,
 		Client:          client,
@@ -69591,11 +69578,11 @@ func newWebAppPasskeyRequestOptionsHandler(p *deps.RequestProvider) http.Handler
 	elasticsearchSink := &elasticsearch.Sink{
 		Logger:   elasticsearchLogger,
 		Service:  elasticsearchService,
-		Database: appdbHandle,
+		Database: handle,
 	}
-	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
 	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -69623,7 +69610,7 @@ func newWebAppPasskeyRequestOptionsHandler(p *deps.RequestProvider) http.Handler
 		Logger: usageLogger,
 		Clock:  clockClock,
 		AppID:  appID,
-		Redis:  handle,
+		Redis:  appredisHandle,
 	}
 	messagingConfig := appConfig.Messaging
 	messagingRateLimitsConfig := messagingConfig.RateLimits
@@ -69645,7 +69632,7 @@ func newWebAppPasskeyRequestOptionsHandler(p *deps.RequestProvider) http.Handler
 	whatsappConfig := messagingConfig.Whatsapp
 	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
 	tokenStore := &whatsapp.TokenStore{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -69703,7 +69690,7 @@ func newWebAppPasskeyRequestOptionsHandler(p *deps.RequestProvider) http.Handler
 	}
 	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
 	idpsessionStoreRedis := &idpsession.StoreRedis{
-		Redis:  handle,
+		Redis:  appredisHandle,
 		AppID:  appID,
 		Clock:  clockClock,
 		Logger: storeRedisLogger,
@@ -69717,7 +69704,7 @@ func newWebAppPasskeyRequestOptionsHandler(p *deps.RequestProvider) http.Handler
 		CookieDef: cookieDef2,
 	}
 	eventStoreRedis := &access.EventStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 	}
 	eventProvider := &access.EventProvider{
@@ -69729,7 +69716,7 @@ func newWebAppPasskeyRequestOptionsHandler(p *deps.RequestProvider) http.Handler
 		RemoteIP:        remoteIP,
 		UserAgentString: userAgentString,
 		AppID:           appID,
-		Redis:           handle,
+		Redis:           appredisHandle,
 		Store:           idpsessionStoreRedis,
 		AccessEvents:    eventProvider,
 		TrustProxy:      trustProxy,
@@ -69789,7 +69776,7 @@ func newWebAppPasskeyRequestOptionsHandler(p *deps.RequestProvider) http.Handler
 	}
 	anonymousStoreRedis := &anonymous.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
@@ -69805,7 +69792,7 @@ func newWebAppPasskeyRequestOptionsHandler(p *deps.RequestProvider) http.Handler
 	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
 		Context: contextContext,
 		AppID:   appID,
-		Redis:   handle,
+		Redis:   appredisHandle,
 	}
 	oAuthProviderFactory := &sso.OAuthProviderFactory{
 		IdentityConfig:               identityConfig,
@@ -69817,7 +69804,7 @@ func newWebAppPasskeyRequestOptionsHandler(p *deps.RequestProvider) http.Handler
 	}
 	webappoauthStore := &webappoauth.Store{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
 	mfaFacade := &facade.MFAFacade{
@@ -69847,7 +69834,7 @@ func newWebAppPasskeyRequestOptionsHandler(p *deps.RequestProvider) http.Handler
 		ResponseWriter: responseWriter,
 	}
 	challengeProvider := &challenge.Provider{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -69857,7 +69844,7 @@ func newWebAppPasskeyRequestOptionsHandler(p *deps.RequestProvider) http.Handler
 	}
 	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
 	manager2 := &session.Manager{
@@ -69867,7 +69854,7 @@ func newWebAppPasskeyRequestOptionsHandler(p *deps.RequestProvider) http.Handler
 	}
 	oauthsessionStoreRedis := &oauthsession.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
 	interactionContext := &interaction.Context{
@@ -69910,7 +69897,7 @@ func newWebAppPasskeyRequestOptionsHandler(p *deps.RequestProvider) http.Handler
 		MFADeviceTokenCookie:            cookieDef,
 	}
 	interactionStoreRedis := &interaction.StoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 	}
 	interactionService := &interaction.Service{
@@ -69934,25 +69921,85 @@ func newWebAppPasskeyRequestOptionsHandler(p *deps.RequestProvider) http.Handler
 		OAuthClientResolver:  resolver,
 		Graph:                interactionService,
 	}
-	jsonResponseWriterLogger := httputil.NewJSONResponseWriterLogger(factory)
-	jsonResponseWriter := &httputil.JSONResponseWriter{
-		Logger: jsonResponseWriterLogger,
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
 	}
-	requestOptionsService := &passkey2.RequestOptionsService{
-		ConfigService:   configService,
-		IdentityService: serviceService,
-		Store:           store2,
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               resolver,
+		Logger:                            baseLogger,
 	}
-	passkeyRequestOptionsHandler := &webapp.PasskeyRequestOptionsHandler{
-		Page:     webappService2,
-		Database: appdbHandle,
-		JSON:     jsonResponseWriter,
-		Passkey:  requestOptionsService,
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
 	}
-	return passkeyRequestOptionsHandler
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
+	}
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
+	}
+	settingsDeleteAccountSuccessHandler := &webapp.SettingsDeleteAccountSuccessHandler{
+		ControllerFactory:         controllerFactory,
+		BaseViewModel:             baseViewModeler,
+		Renderer:                  responseRenderer,
+		AccountDeletion:           accountDeletionConfig,
+		Clock:                     clockClock,
+		UIInfoResolver:            uiService,
+		AuthenticationInfoService: authenticationinfoStoreRedis,
+	}
+	return settingsDeleteAccountSuccessHandler
 }
 
-func newWebAppConnectWeb3AccountHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2SettingsDeleteAccountSuccessHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	handle := appProvider.AppDatabase
@@ -70879,25 +70926,19 @@ func newWebAppConnectWeb3AccountHandler(p *deps.RequestProvider) http.Handler {
 		LoggerFactory:  factory,
 		ControllerDeps: controllerDeps,
 	}
-	authenticationViewModeler := &viewmodels.AuthenticationViewModeler{
-		Authentication: authenticationConfig,
-		LoginID:        loginIDConfig,
-	}
-	alternativeStepsViewModeler := &viewmodels.AlternativeStepsViewModeler{
-		AuthenticationConfig: authenticationConfig,
-	}
-	connectWeb3AccountHandler := &webapp.ConnectWeb3AccountHandler{
+	authflowV2SettingsDeleteAccountSuccessHandler := &authflowv2.AuthflowV2SettingsDeleteAccountSuccessHandler{
 		ControllerFactory:         controllerFactory,
 		BaseViewModel:             baseViewModeler,
-		AuthenticationViewModel:   authenticationViewModeler,
-		AlternativeStepsViewModel: alternativeStepsViewModeler,
 		Renderer:                  responseRenderer,
-		AuthenticationConfig:      authenticationConfig,
+		AccountDeletion:           accountDeletionConfig,
+		Clock:                     clockClock,
+		UIInfoResolver:            uiService,
+		AuthenticationInfoService: authenticationinfoStoreRedis,
 	}
-	return connectWeb3AccountHandler
+	return authflowV2SettingsDeleteAccountSuccessHandler
 }
 
-func newWebAppMissingWeb3WalletHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2SettingsAdvancedSettingsHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	handle := appProvider.AppDatabase
@@ -71824,16 +71865,15 @@ func newWebAppMissingWeb3WalletHandler(p *deps.RequestProvider) http.Handler {
 		LoggerFactory:  factory,
 		ControllerDeps: controllerDeps,
 	}
-	missingWeb3WalletHandler := &webapp.MissingWeb3WalletHandler{
-		ControllerFactory:    controllerFactory,
-		BaseViewModel:        baseViewModeler,
-		Renderer:             responseRenderer,
-		AuthenticationConfig: authenticationConfig,
+	authflowV2SettingsAdvancedSettingsHandler := &authflowv2.AuthflowV2SettingsAdvancedSettingsHandler{
+		ControllerFactory: controllerFactory,
+		BaseViewModel:     baseViewModeler,
+		Renderer:          responseRenderer,
 	}
-	return missingWeb3WalletHandler
+	return authflowV2SettingsAdvancedSettingsHandler
 }
 
-func newWebAppFeatureDisabledHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAccountStatusHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	handle := appProvider.AppDatabase
@@ -72760,23 +72800,23 @@ func newWebAppFeatureDisabledHandler(p *deps.RequestProvider) http.Handler {
 		LoggerFactory:  factory,
 		ControllerDeps: controllerDeps,
 	}
-	featureDisabledHandler := &webapp.FeatureDisabledHandler{
+	accountStatusHandler := &webapp.AccountStatusHandler{
 		ControllerFactory: controllerFactory,
 		BaseViewModel:     baseViewModeler,
 		Renderer:          responseRenderer,
 	}
-	return featureDisabledHandler
+	return accountStatusHandler
 }
 
-func newWebAppTesterHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppLogoutHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
+	factory := appProvider.LoggerFactory
+	handle := appProvider.AppDatabase
+	appredisHandle := appProvider.Redis
 	appContext := appProvider.AppContext
 	config := appContext.Config
 	appConfig := config.AppConfig
 	appID := appConfig.ID
-	factory := appProvider.LoggerFactory
-	handle := appProvider.AppDatabase
-	appredisHandle := appProvider.Redis
 	serviceLogger := webapp2.NewServiceLogger(factory)
 	request := p.Request
 	sessionStoreRedis := &webapp2.SessionStoreRedis{
@@ -73695,30 +73735,15 @@ func newWebAppTesterHandler(p *deps.RequestProvider) http.Handler {
 		LoggerFactory:  factory,
 		ControllerDeps: controllerDeps,
 	}
-	globalredisHandle := appProvider.GlobalRedis
-	testerStore := &tester.TesterStore{
+	samlConfig := appConfig.SAML
+	samlslosessionStoreRedis := &samlslosession.StoreRedis{
 		Context: contextContext,
-		Redis:   globalredisHandle,
-	}
-	appDomains := appContext.Domains
-	oAuthFeatureConfig := featureConfig.OAuth
-	oAuthClientCredentials := deps.ProvideOAuthClientCredentials(secretConfig)
-	tokenHandlerLogger := handler.NewTokenHandlerLogger(factory)
-	oauthOfflineGrantService := &oauth2.OfflineGrantService{
-		OAuthConfig:    oAuthConfig,
-		Clock:          clockClock,
-		IDPSessions:    idpsessionProvider,
-		ClientResolver: resolver,
-		OfflineGrants:  store,
-	}
-	authorizationService := &oauth2.AuthorizationService{
-		AppID:               appID,
-		Store:               authorizationStore,
-		Clock:               clockClock,
-		OAuthSessionManager: sessionManager,
-		OfflineGrantService: oauthOfflineGrantService,
-		OfflineGrantStore:   store,
+		Redis:   appredisHandle,
+		AppID:   appID,
 	}
+	samlEnvironmentConfig := environmentConfig.SAML
+	samlIdpSigningMaterials := deps.ProvideSAMLIdpSigningMaterials(secretConfig)
+	samlSpSigningMaterials := deps.ProvideSAMLSpSigningMaterials(secretConfig)
 	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
 	idTokenIssuer := &oidc.IDTokenIssuer{
 		Secrets:        oAuthKeyMaterials,
@@ -73727,190 +73752,148 @@ func newWebAppTesterHandler(p *deps.RequestProvider) http.Handler {
 		RolesAndGroups: queries,
 		Clock:          clockClock,
 	}
-	facadeIdentityFacade := &facade.IdentityFacade{
-		Coordinator: coordinator,
-	}
-	accessTokenEncoding := oauth2.AccessTokenEncoding{
-		Secrets:       oAuthKeyMaterials,
-		Clock:         clockClock,
-		IDTokenIssuer: idTokenIssuer,
-		BaseURL:       endpointsEndpoints,
-		Events:        eventService,
-		Identities:    facadeIdentityFacade,
-	}
-	accessGrantService := &oauth2.AccessGrantService{
-		AppID:             appID,
-		AccessGrants:      store,
-		AccessTokenIssuer: accessTokenEncoding,
-		Clock:             clockClock,
-	}
-	preAuthenticatedURLTokenServiceImpl := &handler.PreAuthenticatedURLTokenServiceImpl{
-		Clock:                     clockClock,
-		PreAuthenticatedURLTokens: store,
-		AccessGrantService:        accessGrantService,
-		OfflineGrantService:       oauthOfflineGrantService,
-	}
-	oauthAccessTokenEncoding := &oauth2.AccessTokenEncoding{
-		Secrets:       oAuthKeyMaterials,
-		Clock:         clockClock,
-		IDTokenIssuer: idTokenIssuer,
-		BaseURL:       endpointsEndpoints,
-		Events:        eventService,
-		Identities:    facadeIdentityFacade,
-	}
-	tokenGenerator := _wireTokenGeneratorValue
-	oauthAccessGrantService := oauth2.AccessGrantService{
-		AppID:             appID,
-		AccessGrants:      store,
-		AccessTokenIssuer: accessTokenEncoding,
-		Clock:             clockClock,
-	}
-	tokenService := &handler.TokenService{
-		RemoteIP:            remoteIP,
-		UserAgentString:     userAgentString,
-		AppID:               appID,
-		Config:              oAuthConfig,
-		Authorizations:      authorizationStore,
-		OfflineGrants:       store,
-		AccessGrants:        store,
-		OfflineGrantService: offlineGrantService,
-		AccessEvents:        eventProvider,
-		AccessTokenIssuer:   oauthAccessTokenEncoding,
-		GenerateToken:       tokenGenerator,
-		Clock:               clockClock,
-		Users:               userQueries,
-		AccessGrantService:  oauthAccessGrantService,
-	}
-	app2appProvider := &app2app.Provider{
-		Clock: clockClock,
-	}
-	codeGrantService := handler.CodeGrantService{
-		AppID:         appID,
-		CodeGenerator: tokenGenerator,
-		Clock:         clockClock,
-		CodeGrants:    store,
-	}
-	promptResolver := &oauth2.PromptResolver{
-		Clock: clockClock,
+	oauthOfflineGrantService := &oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
 	}
-	idTokenHintResolver := &oidc.IDTokenHintResolver{
-		Issuer:              idTokenIssuer,
-		Sessions:            idpsessionProvider,
-		OfflineGrantService: oauthOfflineGrantService,
+	samlService := &saml.Service{
+		Clock:                       clockClock,
+		AppID:                       appID,
+		SAMLEnvironmentConfig:       samlEnvironmentConfig,
+		SAMLConfig:                  samlConfig,
+		SAMLIdpSigningMaterials:     samlIdpSigningMaterials,
+		SAMLSpSigningMaterials:      samlSpSigningMaterials,
+		Endpoints:                   endpointsEndpoints,
+		UserInfoProvider:            idTokenIssuer,
+		IDPSessionProvider:          idpsessionProvider,
+		OfflineGrantSessionProvider: oauthOfflineGrantService,
 	}
-	uiInfoResolver := &oidc.UIInfoResolver{
-		Config:              oAuthConfig,
-		EndpointsProvider:   endpointsEndpoints,
-		PromptResolver:      promptResolver,
-		IDTokenHintResolver: idTokenHintResolver,
-		Clock:               clockClock,
-		Cookies:             cookieManager,
-		ClientResolver:      resolver,
+	samlBindingHTTPPostWriter := &samlbinding.SAMLBindingHTTPPostWriter{}
+	samlBindingHTTPRedirectWriter := &samlbinding.SAMLBindingHTTPRedirectWriter{
+		Signer: samlService,
 	}
-	scopesValidator := _wireScopesValidatorValue
-	tokenHandler := &handler.TokenHandler{
-		Context:                         contextContext,
-		AppID:                           appID,
-		AppDomains:                      appDomains,
-		HTTPProto:                       httpProto,
-		HTTPOrigin:                      httpOrigin,
-		OAuthFeatureConfig:              oAuthFeatureConfig,
-		IdentityFeatureConfig:           identityFeatureConfig,
-		OAuthClientCredentials:          oAuthClientCredentials,
-		Logger:                          tokenHandlerLogger,
-		Authorizations:                  authorizationService,
-		CodeGrants:                      store,
-		SettingsActionGrantStore:        store,
-		IDPSessions:                     idpsessionProvider,
-		OfflineGrants:                   store,
-		AppSessionTokens:                store,
-		OfflineGrantService:             oauthOfflineGrantService,
-		PreAuthenticatedURLTokenService: preAuthenticatedURLTokenServiceImpl,
-		Graphs:                          interactionService,
-		IDTokenIssuer:                   idTokenIssuer,
-		Clock:                           clockClock,
-		TokenService:                    tokenService,
-		Events:                          eventService,
-		SessionManager:                  manager2,
-		App2App:                         app2appProvider,
-		Challenges:                      challengeProvider,
-		CodeGrantService:                codeGrantService,
-		ClientResolver:                  resolver,
-		UIInfoResolver:                  uiInfoResolver,
-		RemoteIP:                        remoteIP,
-		UserAgentString:                 userAgentString,
-		ValidateScopes:                  scopesValidator,
+	sloService := &saml.SLOService{
+		SAMLService:               samlService,
+		BindingHTTPPostWriter:     samlBindingHTTPPostWriter,
+		BindingHTTPRedirectWriter: samlBindingHTTPRedirectWriter,
 	}
-	appSessionTokenService := &oauth2.AppSessionTokenService{
-		AppSessions:         store,
-		AppSessionTokens:    store,
-		OfflineGrantService: oauthOfflineGrantService,
-		Cookies:             cookieManager,
-		Clock:               clockClock,
+	logoutHandler := &webapp.LogoutHandler{
+		ControllerFactory:     controllerFactory,
+		Database:              handle,
+		TrustProxy:            trustProxy,
+		OAuth:                 oAuthConfig,
+		UIConfig:              uiConfig,
+		SAMLConfig:            samlConfig,
+		SessionManager:        manager2,
+		BaseViewModel:         baseViewModeler,
+		Renderer:              responseRenderer,
+		OAuthClientResolver:   resolver,
+		SAMLSLOSessionService: samlslosessionStoreRedis,
+		SAMLSLOService:        sloService,
 	}
-	testerHandler := &webapp.TesterHandler{
-		AppID:                   appID,
-		ControllerFactory:       controllerFactory,
-		OauthEndpointsProvider:  endpointsEndpoints,
-		TesterEndpointsProvider: endpointsEndpoints,
-		TesterService:           testerStore,
-		TesterTokenIssuer:       tokenHandler,
-		OAuthClientResolver:     resolver,
-		AppSessionTokenService:  appSessionTokenService,
-		CookieManager:           cookieManager,
-		Renderer:                responseRenderer,
-		BaseViewModel:           baseViewModeler,
-		UserInfoProvider:        idTokenIssuer,
-		OfflineGrants:           oauthOfflineGrantService,
+	return logoutHandler
+}
+
+func newWebAppAppStaticAssetsHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	appContext := appProvider.AppContext
+	manager := appContext.Resources
+	appStaticAssetsHandler := &webapp.AppStaticAssetsHandler{
+		Resources: manager,
 	}
-	return testerHandler
+	return appStaticAssetsHandler
 }
 
-func newAPIWorkflowNewHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppReturnHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
-	jsonResponseWriterLogger := httputil.NewJSONResponseWriterLogger(factory)
-	jsonResponseWriter := &httputil.JSONResponseWriter{
-		Logger: jsonResponseWriterLogger,
-	}
+	handle := appProvider.AppDatabase
+	appredisHandle := appProvider.Redis
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	appID := appConfig.ID
+	serviceLogger := webapp2.NewServiceLogger(factory)
 	request := p.Request
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	authenticationConfig := appConfig.Authentication
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
 	rootProvider := appProvider.RootProvider
 	environmentConfig := rootProvider.EnvironmentConfig
 	trustProxy := environmentConfig.TrustProxy
-	appContext := appProvider.AppContext
-	config := appContext.Config
-	appConfig := config.AppConfig
 	httpConfig := appConfig.HTTP
 	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	resolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	logger := interaction.NewLogger(factory)
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
 	contextContext := deps.ProvideRequestContext(request)
-	featureConfig := config.FeatureConfig
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
 	clockClock := _wireSystemClockValue
-	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	featureConfig := config.FeatureConfig
+	redisLogger := redis.NewLogger(factory)
 	secretConfig := config.SecretConfig
 	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
-	appID := appConfig.ID
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	handle := appProvider.AppDatabase
-	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
-	store := &user.Store{
+	store := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 		Clock:       clockClock,
-		AppID:       appID,
-	}
-	rawCommands := &user.RawCommands{
-		Store: store,
-		Clock: clockClock,
-	}
-	rawQueries := &user.RawQueries{
-		Store: store,
 	}
 	userAgentString := deps.ProvideUserAgentString(request)
-	logger := event.NewLogger(factory)
+	eventLogger := event.NewLogger(factory)
 	localizationConfig := appConfig.Localization
 	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
 	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
-	authenticationConfig := appConfig.Authentication
+	userStore := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: userStore,
+	}
 	identityConfig := appConfig.Identity
 	identityFeatureConfig := featureConfig.Identity
 	serviceStore := &service.Store{
@@ -73922,7 +73905,6 @@ func newAPIWorkflowNewHandler(p *deps.RequestProvider) http.Handler {
 		SQLExecutor: sqlExecutor,
 	}
 	loginIDConfig := identityConfig.LoginID
-	uiConfig := appConfig.UI
 	manager := appContext.Resources
 	typeCheckerFactory := &loginid.TypeCheckerFactory{
 		UIConfig:      uiConfig,
@@ -73973,7 +73955,6 @@ func newAPIWorkflowNewHandler(p *deps.RequestProvider) http.Handler {
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 	}
-	appredisHandle := appProvider.Redis
 	store2 := &passkey2.Store{
 		Context: contextContext,
 		Redis:   appredisHandle,
@@ -73981,16 +73962,14 @@ func newAPIWorkflowNewHandler(p *deps.RequestProvider) http.Handler {
 	}
 	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
 	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
-	resolver := &template.Resolver{
+	templateResolver := &template.Resolver{
 		Resources:             manager,
 		DefaultLanguageTag:    defaultLanguageTag,
 		SupportedLanguageTags: supportedLanguageTags,
 	}
 	engine := &template.Engine{
-		Resolver: resolver,
+		Resolver: templateResolver,
 	}
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
 	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
@@ -74231,14 +74210,14 @@ func newAPIWorkflowNewHandler(p *deps.RequestProvider) http.Handler {
 		UserProfileConfig: userProfileConfig,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         store,
+		UserStore:         userStore,
 		ClaimStore:        storePQ,
 		Transformer:       pictureTransformer,
 	}
 	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
 		Config:      userProfileConfig,
 		UserQueries: rawQueries,
-		UserStore:   store,
+		UserStore:   userStore,
 	}
 	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
 	web3Service := &web3.Service{
@@ -74255,7 +74234,7 @@ func newAPIWorkflowNewHandler(p *deps.RequestProvider) http.Handler {
 	}
 	userQueries := &user.Queries{
 		RawQueries:         rawQueries,
-		Store:              store,
+		Store:              userStore,
 		Identities:         serviceService,
 		Authenticators:     service3,
 		Verification:       verificationService,
@@ -74337,7 +74316,7 @@ func newAPIWorkflowNewHandler(p *deps.RequestProvider) http.Handler {
 		AppID:           appID,
 		Client:          client,
 		Users:           userQueries,
-		UserStore:       store,
+		UserStore:       userStore,
 		IdentityService: serviceService,
 		RolesGroups:     rolesgroupsStore,
 		TaskQueue:       queue,
@@ -74348,22 +74327,7 @@ func newAPIWorkflowNewHandler(p *deps.RequestProvider) http.Handler {
 		Service:  elasticsearchService,
 		Database: handle,
 	}
-	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
-	userCommands := &user.Commands{
-		RawCommands:        rawCommands,
-		RawQueries:         rawQueries,
-		Events:             eventService,
-		Verification:       verificationService,
-		UserProfileConfig:  userProfileConfig,
-		StandardAttributes: serviceNoEvent,
-		CustomAttributes:   customattrsServiceNoEvent,
-		Web3:               web3Service,
-		RolesAndGroups:     queries,
-	}
-	userProvider := &user.Provider{
-		Commands: userCommands,
-		Queries:  userQueries,
-	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
 	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
 		Redis: appredisHandle,
 		AppID: appID,
@@ -74408,7 +74372,7 @@ func newAPIWorkflowNewHandler(p *deps.RequestProvider) http.Handler {
 		FeatureConfig: messagingFeatureConfig,
 		EnvConfig:     rateLimitsEnvironmentConfig,
 	}
-	serviceLogger := whatsapp.NewServiceLogger(factory)
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
 	devMode := environmentConfig.DevMode
 	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
 	testModeWhatsappConfig := testModeConfig.Whatsapp
@@ -74422,7 +74386,7 @@ func newAPIWorkflowNewHandler(p *deps.RequestProvider) http.Handler {
 	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
 	whatsappService := &whatsapp.Service{
 		Context:                           contextContext,
-		Logger:                            serviceLogger,
+		Logger:                            whatsappServiceLogger,
 		DevMode:                           devMode,
 		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
 		TestModeWhatsappConfig:            testModeWhatsappConfig,
@@ -74444,12 +74408,27 @@ func newAPIWorkflowNewHandler(p *deps.RequestProvider) http.Handler {
 		Sender:      sender,
 		Translation: translationService,
 	}
+	rawCommands := &user.RawCommands{
+		Store: userStore,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
 	stdattrsService := &stdattrs2.Service{
 		UserProfileConfig: userProfileConfig,
 		ServiceNoEvent:    serviceNoEvent,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         store,
+		UserStore:         userStore,
 		Events:            eventService,
 	}
 	authorizationStore := &pq.AuthorizationStore{
@@ -74464,24 +74443,13 @@ func newAPIWorkflowNewHandler(p *deps.RequestProvider) http.Handler {
 		Logger: storeRedisLogger,
 	}
 	sessionConfig := appConfig.Session
-	cookieDef := session.NewSessionCookieDef(sessionConfig)
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
 	idpsessionManager := &idpsession.Manager{
 		Store:     idpsessionStoreRedis,
 		Config:    sessionConfig,
 		Cookies:   cookieManager,
-		CookieDef: cookieDef,
-	}
-	redisLogger := redis.NewLogger(factory)
-	redisStore := &redis.Store{
-		Context:     contextContext,
-		Redis:       appredisHandle,
-		AppID:       appID,
-		Logger:      redisLogger,
-		SQLBuilder:  sqlBuilderApp,
-		SQLExecutor: sqlExecutor,
-		Clock:       clockClock,
+		CookieDef: cookieDef2,
 	}
-	oAuthConfig := appConfig.OAuth
 	eventStoreRedis := &access.EventStoreRedis{
 		Redis: appredisHandle,
 		AppID: appID,
@@ -74503,31 +74471,15 @@ func newAPIWorkflowNewHandler(p *deps.RequestProvider) http.Handler {
 		Clock:           clockClock,
 		Random:          idpsessionRand,
 	}
-	globalUIImplementation := environmentConfig.UIImplementation
-	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
-	uiImplementationService := &web.UIImplementationService{
-		UIConfig:                       uiConfig,
-		GlobalUIImplementation:         globalUIImplementation,
-		GlobalUISettingsImplementation: globalUISettingsImplementation,
-	}
-	endpointsEndpoints := &endpoints.Endpoints{
-		HTTPHost:                httpHost,
-		HTTPProto:               httpProto,
-		UIImplementationService: uiImplementationService,
-	}
-	oauthclientResolver := &oauthclient.Resolver{
-		OAuthConfig:     oAuthConfig,
-		TesterEndpoints: endpointsEndpoints,
-	}
 	offlineGrantService := oauth2.OfflineGrantService{
 		OAuthConfig:    oAuthConfig,
 		Clock:          clockClock,
 		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
 	}
 	sessionManager := &oauth2.SessionManager{
-		Store:   redisStore,
+		Store:   store,
 		Config:  oAuthConfig,
 		Service: offlineGrantService,
 	}
@@ -74569,13 +74521,11 @@ func newAPIWorkflowNewHandler(p *deps.RequestProvider) http.Handler {
 	authenticatorFacade := facade.AuthenticatorFacade{
 		Coordinator: coordinator,
 	}
-	mfaFacade := &facade.MFAFacade{
-		Coordinator: coordinator,
-	}
-	customattrsService := &customattrs.Service{
-		Config:         userProfileConfig,
-		ServiceNoEvent: customattrsServiceNoEvent,
-		Events:         eventService,
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
 	}
 	messageSender := &otp.MessageSender{
 		AppID:           appID,
@@ -74584,8 +74534,28 @@ func newAPIWorkflowNewHandler(p *deps.RequestProvider) http.Handler {
 		Sender:          sender,
 		WhatsappService: whatsappService,
 	}
-	workflowVerificationFacade := facade.WorkflowVerificationFacade{
-		Verification: verificationService,
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
 	}
 	forgotpasswordLogger := forgotpassword.NewLogger(factory)
 	sender2 := forgotpassword.Sender{
@@ -74604,190 +74574,261 @@ func newAPIWorkflowNewHandler(p *deps.RequestProvider) http.Handler {
 		OTPSender:      messageSender,
 		PasswordSender: sender2,
 	}
-	accountMigrationConfig := appConfig.AccountMigration
-	accountMigrationHookConfig := accountMigrationConfig.Hook
-	hookDenoClient := accountmigration.NewHookDenoClient(denoEndpoint, hookLogger, accountMigrationHookConfig)
-	denoMiddlewareLogger := accountmigration.NewDenoMiddlewareLogger(factory)
-	accountMigrationDenoHook := &accountmigration.AccountMigrationDenoHook{
-		DenoHook: denoHook,
-		Client:   hookDenoClient,
-		Logger:   denoMiddlewareLogger,
-	}
-	hookWebHookImpl := &hook.WebHookImpl{
-		Logger: webHookLogger,
-		Secret: webhookKeyMaterials,
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
 	}
-	hookHTTPClient := accountmigration.NewHookHTTPClient(accountMigrationHookConfig)
-	webhookMiddlewareLogger := accountmigration.NewWebhookMiddlewareLogger(factory)
-	accountMigrationWebHook := &accountmigration.AccountMigrationWebHook{
-		WebHook: hookWebHookImpl,
-		Client:  hookHTTPClient,
-		Logger:  webhookMiddlewareLogger,
+	challengeProvider := &challenge.Provider{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
 	}
-	accountmigrationService := &accountmigration.Service{
-		Config:   accountMigrationHookConfig,
-		DenoHook: accountMigrationDenoHook,
-		WebHook:  accountMigrationWebHook,
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
 	}
-	captchaConfig := appConfig.Captcha
-	providerLogger := captcha.NewProviderLogger(factory)
-	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
-	cloudflareClient := captcha2.NewCloudflareClient(deprecated_CaptchaCloudflareCredentials)
-	captchaProvider := &captcha.Provider{
-		RemoteIP:         remoteIP,
-		Config:           captchaConfig,
-		Logger:           providerLogger,
-		CloudflareClient: cloudflareClient,
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
 	}
 	manager2 := &session.Manager{
 		IDPSessions:         idpsessionManager,
 		AccessTokenSessions: sessionManager,
 		Events:              eventService,
 	}
-	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
 		Context: contextContext,
 		Redis:   appredisHandle,
 		AppID:   appID,
 	}
-	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
-	workflowStoreImpl := &workflow.StoreImpl{
-		Redis:   appredisHandle,
-		AppID:   appID,
-		Context: contextContext,
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		OAuthClientResolver:             resolver,
+		OfflineGrants:                   store,
+		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
+		OTPSender:                       messageSender,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
+		Challenges:                      challengeProvider,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
+		Events:                          eventService,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
 	}
-	eventStoreImpl := workflow.NewEventStore(appID, appredisHandle, workflowStoreImpl)
-	dependencies := &workflow.Dependencies{
-		Config:               appConfig,
-		FeatureConfig:        featureConfig,
-		Clock:                clockClock,
-		RemoteIP:             remoteIP,
-		HTTPRequest:          request,
-		Users:                userProvider,
-		Identities:           identityFacade,
-		Authenticators:       authenticatorFacade,
-		MFA:                  mfaFacade,
-		StdAttrsService:      stdattrsService,
-		CustomAttrsService:   customattrsService,
-		OTPCodes:             otpService,
-		OTPSender:            messageSender,
-		Verification:         workflowVerificationFacade,
-		ForgotPassword:       forgotpasswordService,
-		ResetPassword:        forgotpasswordService,
-		AccountMigrations:    accountmigrationService,
-		Captcha:              captchaProvider,
-		IDPSessions:          idpsessionProvider,
-		Sessions:             manager2,
-		AuthenticationInfos:  authenticationinfoStoreRedis,
-		SessionCookie:        cookieDef,
-		MFADeviceTokenCookie: mfaCookieDef,
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	interactionService := &interaction.Service{
+		Logger:  logger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
+	}
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
 		Cookies:              cookieManager,
-		Events:               eventService,
-		RateLimiter:          limiter,
-		WorkflowEvents:       eventStoreImpl,
-		OfflineGrants:        redisStore,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  resolver,
+		Graph:                interactionService,
 	}
-	workflowServiceLogger := workflow.NewServiceLogger(factory)
-	uiService := &authenticationinfo.UIService{
-		EndpointsProvider: endpointsEndpoints,
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
 	}
-	workflowService := &workflow.Service{
-		ContextDoNotUseDirectly: contextContext,
-		Deps:                    dependencies,
-		Logger:                  workflowServiceLogger,
-		Store:                   workflowStoreImpl,
-		Database:                handle,
-		UIInfoResolver:          uiService,
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               resolver,
+		Logger:                            baseLogger,
 	}
-	oauthsessionStoreRedis := &oauthsession.StoreRedis{
-		Context: contextContext,
-		Redis:   appredisHandle,
-		AppID:   appID,
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
 	}
-	promptResolver := &oauth2.PromptResolver{
-		Clock: clockClock,
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
 	}
-	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
-	idTokenIssuer := &oidc.IDTokenIssuer{
-		Secrets:        oAuthKeyMaterials,
-		BaseURL:        endpointsEndpoints,
-		Users:          userQueries,
-		RolesAndGroups: queries,
-		Clock:          clockClock,
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
 	}
-	oauthOfflineGrantService := &oauth2.OfflineGrantService{
-		OAuthConfig:    oAuthConfig,
-		Clock:          clockClock,
-		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
 	}
-	idTokenHintResolver := &oidc.IDTokenHintResolver{
-		Issuer:              idTokenIssuer,
-		Sessions:            idpsessionProvider,
-		OfflineGrantService: oauthOfflineGrantService,
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
 	}
-	uiInfoResolver := &oidc.UIInfoResolver{
-		Config:              oAuthConfig,
-		EndpointsProvider:   endpointsEndpoints,
-		PromptResolver:      promptResolver,
-		IDTokenHintResolver: idTokenHintResolver,
-		Clock:               clockClock,
-		Cookies:             cookieManager,
-		ClientResolver:      oauthclientResolver,
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
 	}
-	workflowNewHandler := &api.WorkflowNewHandler{
-		JSON:           jsonResponseWriter,
-		Cookies:        cookieManager,
-		Workflows:      workflowService,
-		OAuthSessions:  oauthsessionStoreRedis,
-		UIInfoResolver: uiInfoResolver,
+	returnHandler := &webapp.ReturnHandler{
+		ControllerFactory: controllerFactory,
+		BaseViewModel:     baseViewModeler,
+		Renderer:          responseRenderer,
 	}
-	return workflowNewHandler
+	return returnHandler
 }
 
-func newAPIWorkflowGetHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppErrorHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
-	jsonResponseWriterLogger := httputil.NewJSONResponseWriterLogger(factory)
-	jsonResponseWriter := &httputil.JSONResponseWriter{
-		Logger: jsonResponseWriterLogger,
-	}
-	request := p.Request
-	contextContext := deps.ProvideRequestContext(request)
+	handle := appProvider.AppDatabase
+	appredisHandle := appProvider.Redis
 	appContext := appProvider.AppContext
 	config := appContext.Config
 	appConfig := config.AppConfig
-	featureConfig := config.FeatureConfig
-	clockClock := _wireSystemClockValue
+	appID := appConfig.ID
+	serviceLogger := webapp2.NewServiceLogger(factory)
+	request := p.Request
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	authenticationConfig := appConfig.Authentication
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
 	rootProvider := appProvider.RootProvider
 	environmentConfig := rootProvider.EnvironmentConfig
 	trustProxy := environmentConfig.TrustProxy
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	resolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	logger := interaction.NewLogger(factory)
 	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	clockClock := _wireSystemClockValue
+	featureConfig := config.FeatureConfig
+	redisLogger := redis.NewLogger(factory)
 	secretConfig := config.SecretConfig
 	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
-	appID := appConfig.ID
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	handle := appProvider.AppDatabase
-	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
-	store := &user.Store{
+	store := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 		Clock:       clockClock,
-		AppID:       appID,
-	}
-	rawCommands := &user.RawCommands{
-		Store: store,
-		Clock: clockClock,
-	}
-	rawQueries := &user.RawQueries{
-		Store: store,
 	}
 	userAgentString := deps.ProvideUserAgentString(request)
-	logger := event.NewLogger(factory)
+	eventLogger := event.NewLogger(factory)
 	localizationConfig := appConfig.Localization
 	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
 	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
-	authenticationConfig := appConfig.Authentication
+	userStore := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: userStore,
+	}
 	identityConfig := appConfig.Identity
 	identityFeatureConfig := featureConfig.Identity
 	serviceStore := &service.Store{
@@ -74799,7 +74840,6 @@ func newAPIWorkflowGetHandler(p *deps.RequestProvider) http.Handler {
 		SQLExecutor: sqlExecutor,
 	}
 	loginIDConfig := identityConfig.LoginID
-	uiConfig := appConfig.UI
 	manager := appContext.Resources
 	typeCheckerFactory := &loginid.TypeCheckerFactory{
 		UIConfig:      uiConfig,
@@ -74850,7 +74890,6 @@ func newAPIWorkflowGetHandler(p *deps.RequestProvider) http.Handler {
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 	}
-	appredisHandle := appProvider.Redis
 	store2 := &passkey2.Store{
 		Context: contextContext,
 		Redis:   appredisHandle,
@@ -74858,16 +74897,14 @@ func newAPIWorkflowGetHandler(p *deps.RequestProvider) http.Handler {
 	}
 	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
 	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
-	resolver := &template.Resolver{
+	templateResolver := &template.Resolver{
 		Resources:             manager,
 		DefaultLanguageTag:    defaultLanguageTag,
 		SupportedLanguageTags: supportedLanguageTags,
 	}
 	engine := &template.Engine{
-		Resolver: resolver,
+		Resolver: templateResolver,
 	}
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
 	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
@@ -75108,14 +75145,14 @@ func newAPIWorkflowGetHandler(p *deps.RequestProvider) http.Handler {
 		UserProfileConfig: userProfileConfig,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         store,
+		UserStore:         userStore,
 		ClaimStore:        storePQ,
 		Transformer:       pictureTransformer,
 	}
 	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
 		Config:      userProfileConfig,
 		UserQueries: rawQueries,
-		UserStore:   store,
+		UserStore:   userStore,
 	}
 	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
 	web3Service := &web3.Service{
@@ -75132,7 +75169,7 @@ func newAPIWorkflowGetHandler(p *deps.RequestProvider) http.Handler {
 	}
 	userQueries := &user.Queries{
 		RawQueries:         rawQueries,
-		Store:              store,
+		Store:              userStore,
 		Identities:         serviceService,
 		Authenticators:     service3,
 		Verification:       verificationService,
@@ -75214,7 +75251,7 @@ func newAPIWorkflowGetHandler(p *deps.RequestProvider) http.Handler {
 		AppID:           appID,
 		Client:          client,
 		Users:           userQueries,
-		UserStore:       store,
+		UserStore:       userStore,
 		IdentityService: serviceService,
 		RolesGroups:     rolesgroupsStore,
 		TaskQueue:       queue,
@@ -75225,22 +75262,7 @@ func newAPIWorkflowGetHandler(p *deps.RequestProvider) http.Handler {
 		Service:  elasticsearchService,
 		Database: handle,
 	}
-	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
-	userCommands := &user.Commands{
-		RawCommands:        rawCommands,
-		RawQueries:         rawQueries,
-		Events:             eventService,
-		Verification:       verificationService,
-		UserProfileConfig:  userProfileConfig,
-		StandardAttributes: serviceNoEvent,
-		CustomAttributes:   customattrsServiceNoEvent,
-		Web3:               web3Service,
-		RolesAndGroups:     queries,
-	}
-	userProvider := &user.Provider{
-		Commands: userCommands,
-		Queries:  userQueries,
-	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
 	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
 		Redis: appredisHandle,
 		AppID: appID,
@@ -75285,7 +75307,7 @@ func newAPIWorkflowGetHandler(p *deps.RequestProvider) http.Handler {
 		FeatureConfig: messagingFeatureConfig,
 		EnvConfig:     rateLimitsEnvironmentConfig,
 	}
-	serviceLogger := whatsapp.NewServiceLogger(factory)
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
 	devMode := environmentConfig.DevMode
 	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
 	testModeWhatsappConfig := testModeConfig.Whatsapp
@@ -75299,7 +75321,7 @@ func newAPIWorkflowGetHandler(p *deps.RequestProvider) http.Handler {
 	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
 	whatsappService := &whatsapp.Service{
 		Context:                           contextContext,
-		Logger:                            serviceLogger,
+		Logger:                            whatsappServiceLogger,
 		DevMode:                           devMode,
 		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
 		TestModeWhatsappConfig:            testModeWhatsappConfig,
@@ -75321,12 +75343,27 @@ func newAPIWorkflowGetHandler(p *deps.RequestProvider) http.Handler {
 		Sender:      sender,
 		Translation: translationService,
 	}
+	rawCommands := &user.RawCommands{
+		Store: userStore,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
 	stdattrsService := &stdattrs2.Service{
 		UserProfileConfig: userProfileConfig,
 		ServiceNoEvent:    serviceNoEvent,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         store,
+		UserStore:         userStore,
 		Events:            eventService,
 	}
 	authorizationStore := &pq.AuthorizationStore{
@@ -75341,26 +75378,13 @@ func newAPIWorkflowGetHandler(p *deps.RequestProvider) http.Handler {
 		Logger: storeRedisLogger,
 	}
 	sessionConfig := appConfig.Session
-	httpConfig := appConfig.HTTP
-	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
-	cookieDef := session.NewSessionCookieDef(sessionConfig)
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
 	idpsessionManager := &idpsession.Manager{
 		Store:     idpsessionStoreRedis,
 		Config:    sessionConfig,
 		Cookies:   cookieManager,
-		CookieDef: cookieDef,
-	}
-	redisLogger := redis.NewLogger(factory)
-	redisStore := &redis.Store{
-		Context:     contextContext,
-		Redis:       appredisHandle,
-		AppID:       appID,
-		Logger:      redisLogger,
-		SQLBuilder:  sqlBuilderApp,
-		SQLExecutor: sqlExecutor,
-		Clock:       clockClock,
+		CookieDef: cookieDef2,
 	}
-	oAuthConfig := appConfig.OAuth
 	eventStoreRedis := &access.EventStoreRedis{
 		Redis: appredisHandle,
 		AppID: appID,
@@ -75382,31 +75406,15 @@ func newAPIWorkflowGetHandler(p *deps.RequestProvider) http.Handler {
 		Clock:           clockClock,
 		Random:          idpsessionRand,
 	}
-	globalUIImplementation := environmentConfig.UIImplementation
-	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
-	uiImplementationService := &web.UIImplementationService{
-		UIConfig:                       uiConfig,
-		GlobalUIImplementation:         globalUIImplementation,
-		GlobalUISettingsImplementation: globalUISettingsImplementation,
-	}
-	endpointsEndpoints := &endpoints.Endpoints{
-		HTTPHost:                httpHost,
-		HTTPProto:               httpProto,
-		UIImplementationService: uiImplementationService,
-	}
-	oauthclientResolver := &oauthclient.Resolver{
-		OAuthConfig:     oAuthConfig,
-		TesterEndpoints: endpointsEndpoints,
-	}
 	offlineGrantService := oauth2.OfflineGrantService{
 		OAuthConfig:    oAuthConfig,
 		Clock:          clockClock,
 		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
 	}
 	sessionManager := &oauth2.SessionManager{
-		Store:   redisStore,
+		Store:   store,
 		Config:  oAuthConfig,
 		Service: offlineGrantService,
 	}
@@ -75448,13 +75456,11 @@ func newAPIWorkflowGetHandler(p *deps.RequestProvider) http.Handler {
 	authenticatorFacade := facade.AuthenticatorFacade{
 		Coordinator: coordinator,
 	}
-	mfaFacade := &facade.MFAFacade{
-		Coordinator: coordinator,
-	}
-	customattrsService := &customattrs.Service{
-		Config:         userProfileConfig,
-		ServiceNoEvent: customattrsServiceNoEvent,
-		Events:         eventService,
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
 	}
 	messageSender := &otp.MessageSender{
 		AppID:           appID,
@@ -75463,8 +75469,28 @@ func newAPIWorkflowGetHandler(p *deps.RequestProvider) http.Handler {
 		Sender:          sender,
 		WhatsappService: whatsappService,
 	}
-	workflowVerificationFacade := facade.WorkflowVerificationFacade{
-		Verification: verificationService,
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
 	}
 	forgotpasswordLogger := forgotpassword.NewLogger(factory)
 	sender2 := forgotpassword.Sender{
@@ -75483,132 +75509,220 @@ func newAPIWorkflowGetHandler(p *deps.RequestProvider) http.Handler {
 		OTPSender:      messageSender,
 		PasswordSender: sender2,
 	}
-	accountMigrationConfig := appConfig.AccountMigration
-	accountMigrationHookConfig := accountMigrationConfig.Hook
-	hookDenoClient := accountmigration.NewHookDenoClient(denoEndpoint, hookLogger, accountMigrationHookConfig)
-	denoMiddlewareLogger := accountmigration.NewDenoMiddlewareLogger(factory)
-	accountMigrationDenoHook := &accountmigration.AccountMigrationDenoHook{
-		DenoHook: denoHook,
-		Client:   hookDenoClient,
-		Logger:   denoMiddlewareLogger,
-	}
-	hookWebHookImpl := &hook.WebHookImpl{
-		Logger: webHookLogger,
-		Secret: webhookKeyMaterials,
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
 	}
-	hookHTTPClient := accountmigration.NewHookHTTPClient(accountMigrationHookConfig)
-	webhookMiddlewareLogger := accountmigration.NewWebhookMiddlewareLogger(factory)
-	accountMigrationWebHook := &accountmigration.AccountMigrationWebHook{
-		WebHook: hookWebHookImpl,
-		Client:  hookHTTPClient,
-		Logger:  webhookMiddlewareLogger,
+	challengeProvider := &challenge.Provider{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
 	}
-	accountmigrationService := &accountmigration.Service{
-		Config:   accountMigrationHookConfig,
-		DenoHook: accountMigrationDenoHook,
-		WebHook:  accountMigrationWebHook,
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
 	}
-	captchaConfig := appConfig.Captcha
-	providerLogger := captcha.NewProviderLogger(factory)
-	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
-	cloudflareClient := captcha2.NewCloudflareClient(deprecated_CaptchaCloudflareCredentials)
-	captchaProvider := &captcha.Provider{
-		RemoteIP:         remoteIP,
-		Config:           captchaConfig,
-		Logger:           providerLogger,
-		CloudflareClient: cloudflareClient,
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
 	}
 	manager2 := &session.Manager{
 		IDPSessions:         idpsessionManager,
 		AccessTokenSessions: sessionManager,
 		Events:              eventService,
 	}
-	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
 		Context: contextContext,
 		Redis:   appredisHandle,
 		AppID:   appID,
 	}
-	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
-	workflowStoreImpl := &workflow.StoreImpl{
-		Redis:   appredisHandle,
-		AppID:   appID,
-		Context: contextContext,
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		OAuthClientResolver:             resolver,
+		OfflineGrants:                   store,
+		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
+		OTPSender:                       messageSender,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
+		Challenges:                      challengeProvider,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
+		Events:                          eventService,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
 	}
-	eventStoreImpl := workflow.NewEventStore(appID, appredisHandle, workflowStoreImpl)
-	dependencies := &workflow.Dependencies{
-		Config:               appConfig,
-		FeatureConfig:        featureConfig,
-		Clock:                clockClock,
-		RemoteIP:             remoteIP,
-		HTTPRequest:          request,
-		Users:                userProvider,
-		Identities:           identityFacade,
-		Authenticators:       authenticatorFacade,
-		MFA:                  mfaFacade,
-		StdAttrsService:      stdattrsService,
-		CustomAttrsService:   customattrsService,
-		OTPCodes:             otpService,
-		OTPSender:            messageSender,
-		Verification:         workflowVerificationFacade,
-		ForgotPassword:       forgotpasswordService,
-		ResetPassword:        forgotpasswordService,
-		AccountMigrations:    accountmigrationService,
-		Captcha:              captchaProvider,
-		IDPSessions:          idpsessionProvider,
-		Sessions:             manager2,
-		AuthenticationInfos:  authenticationinfoStoreRedis,
-		SessionCookie:        cookieDef,
-		MFADeviceTokenCookie: mfaCookieDef,
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	interactionService := &interaction.Service{
+		Logger:  logger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
+	}
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
 		Cookies:              cookieManager,
-		Events:               eventService,
-		RateLimiter:          limiter,
-		WorkflowEvents:       eventStoreImpl,
-		OfflineGrants:        redisStore,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  resolver,
+		Graph:                interactionService,
 	}
-	workflowServiceLogger := workflow.NewServiceLogger(factory)
-	uiService := &authenticationinfo.UIService{
-		EndpointsProvider: endpointsEndpoints,
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
 	}
-	workflowService := &workflow.Service{
-		ContextDoNotUseDirectly: contextContext,
-		Deps:                    dependencies,
-		Logger:                  workflowServiceLogger,
-		Store:                   workflowStoreImpl,
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               resolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	controllerDeps := webapp.ControllerDeps{
 		Database:                handle,
-		UIInfoResolver:          uiService,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
 	}
-	workflowGetHandler := &api.WorkflowGetHandler{
-		JSON:      jsonResponseWriter,
-		Workflows: workflowService,
-		Cookies:   cookieManager,
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
 	}
-	return workflowGetHandler
+	errorHandler := &webapp.ErrorHandler{
+		ControllerFactory: controllerFactory,
+		BaseViewModel:     baseViewModeler,
+		Renderer:          responseRenderer,
+	}
+	return errorHandler
 }
 
-func newAPIWorkflowInputHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2ErrorHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
-	jsonResponseWriterLogger := httputil.NewJSONResponseWriterLogger(factory)
-	jsonResponseWriter := &httputil.JSONResponseWriter{
-		Logger: jsonResponseWriterLogger,
-	}
+	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
 	request := p.Request
-	contextContext := deps.ProvideRequestContext(request)
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
 	appContext := appProvider.AppContext
 	config := appContext.Config
 	appConfig := config.AppConfig
-	featureConfig := config.FeatureConfig
+	uiConfig := appConfig.UI
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
 	clockClock := _wireSystemClockValue
-	rootProvider := appProvider.RootProvider
-	environmentConfig := rootProvider.EnvironmentConfig
-	trustProxy := environmentConfig.TrustProxy
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	appID := appConfig.ID
+	handle := appProvider.Redis
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: handle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	contextContext := deps.ProvideRequestContext(request)
+	featureConfig := config.FeatureConfig
 	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	secretConfig := config.SecretConfig
 	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
-	appID := appConfig.ID
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	handle := appProvider.AppDatabase
-	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	appdbHandle := appProvider.AppDatabase
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
 	store := &user.Store{
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
@@ -75639,7 +75753,6 @@ func newAPIWorkflowInputHandler(p *deps.RequestProvider) http.Handler {
 		SQLExecutor: sqlExecutor,
 	}
 	loginIDConfig := identityConfig.LoginID
-	uiConfig := appConfig.UI
 	manager := appContext.Resources
 	typeCheckerFactory := &loginid.TypeCheckerFactory{
 		UIConfig:      uiConfig,
@@ -75690,10 +75803,9 @@ func newAPIWorkflowInputHandler(p *deps.RequestProvider) http.Handler {
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 	}
-	appredisHandle := appProvider.Redis
 	store2 := &passkey2.Store{
 		Context: contextContext,
-		Redis:   appredisHandle,
+		Redis:   handle,
 		AppID:   appID,
 	}
 	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
@@ -75706,9 +75818,6 @@ func newAPIWorkflowInputHandler(p *deps.RequestProvider) http.Handler {
 	engine := &template.Engine{
 		Resolver: resolver,
 	}
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
-	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
 	staticAssetResolver := &web.StaticAssetResolver{
@@ -75746,14 +75855,14 @@ func newAPIWorkflowInputHandler(p *deps.RequestProvider) http.Handler {
 	web3Config := appConfig.Web3
 	storeRedis := &siwe2.StoreRedis{
 		Context: contextContext,
-		Redis:   appredisHandle,
+		Redis:   handle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
 	ratelimitLogger := ratelimit.NewLogger(factory)
 	storageRedis := &ratelimit.StorageRedis{
 		AppID: appID,
-		Redis: appredisHandle,
+		Redis: handle,
 	}
 	rateLimitsFeatureConfig := featureConfig.RateLimits
 	limiter := &ratelimit.Limiter{
@@ -75868,17 +75977,17 @@ func newAPIWorkflowInputHandler(p *deps.RequestProvider) http.Handler {
 	testModeConfig := appConfig.TestMode
 	testModeFeatureConfig := featureConfig.TestMode
 	codeStoreRedis := &otp.CodeStoreRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	lookupStoreRedis := &otp.LookupStoreRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	attemptTrackerRedis := &otp.AttemptTrackerRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -75904,7 +76013,7 @@ func newAPIWorkflowInputHandler(p *deps.RequestProvider) http.Handler {
 	lockoutLogger := lockout.NewLogger(factory)
 	lockoutStorageRedis := &lockout.StorageRedis{
 		AppID: appID,
-		Redis: appredisHandle,
+		Redis: handle,
 	}
 	lockoutService := &lockout.Service{
 		Logger:  lockoutLogger,
@@ -76045,11 +76154,11 @@ func newAPIWorkflowInputHandler(p *deps.RequestProvider) http.Handler {
 	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
 	client := elasticsearch.NewClient(elasticsearchCredentials)
 	queue := appProvider.TaskQueue
-	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
+	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
 	elasticsearchService := elasticsearch.Service{
 		Clock:           clockClock,
 		Context:         contextContext,
-		Database:        handle,
+		Database:        appdbHandle,
 		Logger:          elasticsearchServiceLogger,
 		AppID:           appID,
 		Client:          client,
@@ -76063,9 +76172,9 @@ func newAPIWorkflowInputHandler(p *deps.RequestProvider) http.Handler {
 	elasticsearchSink := &elasticsearch.Sink{
 		Logger:   elasticsearchLogger,
 		Service:  elasticsearchService,
-		Database: handle,
+		Database: appdbHandle,
 	}
-	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
 	userCommands := &user.Commands{
 		RawCommands:        rawCommands,
 		RawQueries:         rawQueries,
@@ -76082,7 +76191,7 @@ func newAPIWorkflowInputHandler(p *deps.RequestProvider) http.Handler {
 		Queries:  userQueries,
 	}
 	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -76110,7 +76219,7 @@ func newAPIWorkflowInputHandler(p *deps.RequestProvider) http.Handler {
 		Logger: usageLogger,
 		Clock:  clockClock,
 		AppID:  appID,
-		Redis:  appredisHandle,
+		Redis:  handle,
 	}
 	messagingConfig := appConfig.Messaging
 	messagingRateLimitsConfig := messagingConfig.RateLimits
@@ -76132,7 +76241,7 @@ func newAPIWorkflowInputHandler(p *deps.RequestProvider) http.Handler {
 	whatsappConfig := messagingConfig.Whatsapp
 	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
 	tokenStore := &whatsapp.TokenStore{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -76175,14 +76284,12 @@ func newAPIWorkflowInputHandler(p *deps.RequestProvider) http.Handler {
 	}
 	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
 	idpsessionStoreRedis := &idpsession.StoreRedis{
-		Redis:  appredisHandle,
+		Redis:  handle,
 		AppID:  appID,
 		Clock:  clockClock,
 		Logger: storeRedisLogger,
 	}
 	sessionConfig := appConfig.Session
-	httpConfig := appConfig.HTTP
-	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
 	cookieDef := session.NewSessionCookieDef(sessionConfig)
 	idpsessionManager := &idpsession.Manager{
 		Store:     idpsessionStoreRedis,
@@ -76193,7 +76300,7 @@ func newAPIWorkflowInputHandler(p *deps.RequestProvider) http.Handler {
 	redisLogger := redis.NewLogger(factory)
 	redisStore := &redis.Store{
 		Context:     contextContext,
-		Redis:       appredisHandle,
+		Redis:       handle,
 		AppID:       appID,
 		Logger:      redisLogger,
 		SQLBuilder:  sqlBuilderApp,
@@ -76202,7 +76309,7 @@ func newAPIWorkflowInputHandler(p *deps.RequestProvider) http.Handler {
 	}
 	oAuthConfig := appConfig.OAuth
 	eventStoreRedis := &access.EventStoreRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 	}
 	eventProvider := &access.EventProvider{
@@ -76214,7 +76321,7 @@ func newAPIWorkflowInputHandler(p *deps.RequestProvider) http.Handler {
 		RemoteIP:        remoteIP,
 		UserAgentString: userAgentString,
 		AppID:           appID,
-		Redis:           appredisHandle,
+		Redis:           handle,
 		Store:           idpsessionStoreRedis,
 		AccessEvents:    eventProvider,
 		TrustProxy:      trustProxy,
@@ -76222,18 +76329,6 @@ func newAPIWorkflowInputHandler(p *deps.RequestProvider) http.Handler {
 		Clock:           clockClock,
 		Random:          idpsessionRand,
 	}
-	globalUIImplementation := environmentConfig.UIImplementation
-	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
-	uiImplementationService := &web.UIImplementationService{
-		UIConfig:                       uiConfig,
-		GlobalUIImplementation:         globalUIImplementation,
-		GlobalUISettingsImplementation: globalUISettingsImplementation,
-	}
-	endpointsEndpoints := &endpoints.Endpoints{
-		HTTPHost:                httpHost,
-		HTTPProto:               httpProto,
-		UIImplementationService: uiImplementationService,
-	}
 	oauthclientResolver := &oauthclient.Resolver{
 		OAuthConfig:     oAuthConfig,
 		TesterEndpoints: endpointsEndpoints,
@@ -76285,6 +76380,12 @@ func newAPIWorkflowInputHandler(p *deps.RequestProvider) http.Handler {
 	identityFacade := facade.IdentityFacade{
 		Coordinator: coordinator,
 	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
 	authenticatorFacade := facade.AuthenticatorFacade{
 		Coordinator: coordinator,
 	}
@@ -76348,6 +76449,11 @@ func newAPIWorkflowInputHandler(p *deps.RequestProvider) http.Handler {
 		DenoHook: accountMigrationDenoHook,
 		WebHook:  accountMigrationWebHook,
 	}
+	challengeProvider := &challenge.Provider{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
 	captchaConfig := appConfig.Captcha
 	providerLogger := captcha.NewProviderLogger(factory)
 	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
@@ -76358,6 +76464,51 @@ func newAPIWorkflowInputHandler(p *deps.RequestProvider) http.Handler {
 		Logger:           providerLogger,
 		CloudflareClient: cloudflareClient,
 	}
+	botProtectionConfig := appConfig.BotProtection
+	botprotectionProviderLogger := botprotection.NewProviderLogger(factory)
+	botProtectionProviderCredentials := deps.ProvideBotProtectionProvidersCredentials(secretConfig)
+	botprotectionCloudflareClient := botprotection.NewCloudflareClient(botProtectionProviderCredentials, environmentConfig)
+	recaptchaV2Client := botprotection.NewRecaptchaV2Client(botProtectionProviderCredentials, environmentConfig)
+	botprotectionProvider := &botprotection.Provider{
+		RemoteIP:          remoteIP,
+		Config:            botProtectionConfig,
+		Logger:            botprotectionProviderLogger,
+		CloudflareClient:  botprotectionCloudflareClient,
+		RecaptchaV2Client: recaptchaV2Client,
+		Events:            eventService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   handle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	requestOptionsService := &passkey2.RequestOptionsService{
+		ConfigService:   configService,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	creationOptionsService := &passkey2.CreationOptionsService{
+		ConfigService:   configService,
+		UserService:     userQueries,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	ldapConfig := identityConfig.LDAP
+	ldapServerUserCredentials := deps.ProvideLDAPServerUserCredentials(secretConfig)
+	clientFactory := &ldap2.ClientFactory{
+		Config:       ldapConfig,
+		SecretConfig: ldapServerUserCredentials,
+	}
 	manager2 := &session.Manager{
 		IDPSessions:         idpsessionManager,
 		AccessTokenSessions: sessionManager,
@@ -76365,129 +76516,249 @@ func newAPIWorkflowInputHandler(p *deps.RequestProvider) http.Handler {
 	}
 	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
 		Context: contextContext,
-		Redis:   appredisHandle,
+		Redis:   handle,
 		AppID:   appID,
 	}
 	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
-	workflowStoreImpl := &workflow.StoreImpl{
-		Redis:   appredisHandle,
+	userFacade := &facade.UserFacade{
+		UserProvider: userProvider,
+		Coordinator:  coordinator,
+	}
+	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
+	idTokenIssuer := &oidc.IDTokenIssuer{
+		Secrets:        oAuthKeyMaterials,
+		BaseURL:        endpointsEndpoints,
+		Users:          userQueries,
+		RolesAndGroups: queries,
+		Clock:          clockClock,
+	}
+	dependencies := &authenticationflow.Dependencies{
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		Clock:                           clockClock,
+		RemoteIP:                        remoteIP,
+		HTTPOrigin:                      httpOrigin,
+		HTTPRequest:                     request,
+		Users:                           userProvider,
+		Identities:                      identityFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		Authenticators:                  authenticatorFacade,
+		MFA:                             mfaFacade,
+		StdAttrsService:                 stdattrsService,
+		CustomAttrsService:              customattrsService,
+		OTPCodes:                        otpService,
+		OTPSender:                       messageSender,
+		Verification:                    workflowVerificationFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		AccountMigrations:               accountmigrationService,
+		Challenges:                      challengeProvider,
+		Captcha:                         captchaProvider,
+		BotProtection:                   botprotectionProvider,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		PasskeyRequestOptionsService:    requestOptionsService,
+		PasskeyCreationOptionsService:   creationOptionsService,
+		PasskeyService:                  passkeyService,
+		LoginIDs:                        provider,
+		LDAP:                            ldapProvider,
+		LDAPClientFactory:               clientFactory,
+		IDPSessions:                     idpsessionProvider,
+		Sessions:                        manager2,
+		AuthenticationInfos:             authenticationinfoStoreRedis,
+		SessionCookie:                   cookieDef,
+		MFADeviceTokenCookie:            mfaCookieDef,
+		UserFacade:                      userFacade,
+		Cookies:                         cookieManager,
+		Events:                          eventService,
+		RateLimiter:                     limiter,
+		OfflineGrants:                   redisStore,
+		IDTokens:                        idTokenIssuer,
+	}
+	authenticationflowServiceLogger := authenticationflow.NewServiceLogger(factory)
+	authenticationflowStoreImpl := &authenticationflow.StoreImpl{
+		Redis:   handle,
 		AppID:   appID,
 		Context: contextContext,
 	}
-	eventStoreImpl := workflow.NewEventStore(appID, appredisHandle, workflowStoreImpl)
-	dependencies := &workflow.Dependencies{
-		Config:               appConfig,
-		FeatureConfig:        featureConfig,
-		Clock:                clockClock,
-		RemoteIP:             remoteIP,
-		HTTPRequest:          request,
-		Users:                userProvider,
-		Identities:           identityFacade,
-		Authenticators:       authenticatorFacade,
-		MFA:                  mfaFacade,
-		StdAttrsService:      stdattrsService,
-		CustomAttrsService:   customattrsService,
-		OTPCodes:             otpService,
-		OTPSender:            messageSender,
-		Verification:         workflowVerificationFacade,
-		ForgotPassword:       forgotpasswordService,
-		ResetPassword:        forgotpasswordService,
-		AccountMigrations:    accountmigrationService,
-		Captcha:              captchaProvider,
-		IDPSessions:          idpsessionProvider,
-		Sessions:             manager2,
-		AuthenticationInfos:  authenticationinfoStoreRedis,
-		SessionCookie:        cookieDef,
-		MFADeviceTokenCookie: mfaCookieDef,
-		Cookies:              cookieManager,
-		Events:               eventService,
-		RateLimiter:          limiter,
-		WorkflowEvents:       eventStoreImpl,
-		OfflineGrants:        redisStore,
-	}
-	workflowServiceLogger := workflow.NewServiceLogger(factory)
 	uiService := &authenticationinfo.UIService{
 		EndpointsProvider: endpointsEndpoints,
 	}
-	workflowService := &workflow.Service{
+	authenticationflowService := &authenticationflow.Service{
 		ContextDoNotUseDirectly: contextContext,
 		Deps:                    dependencies,
-		Logger:                  workflowServiceLogger,
-		Store:                   workflowStoreImpl,
-		Database:                handle,
+		Logger:                  authenticationflowServiceLogger,
+		Store:                   authenticationflowStoreImpl,
+		Database:                appdbHandle,
+		UIConfig:                uiConfig,
 		UIInfoResolver:          uiService,
+		OAuthClientResolver:     oauthclientResolver,
 	}
-	workflowInputHandler := &api.WorkflowInputHandler{
-		JSON:      jsonResponseWriter,
-		Workflows: workflowService,
-		Cookies:   cookieManager,
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
 	}
-	return workflowInputHandler
-}
-
-func newAPIWorkflowWebsocketHandler(p *deps.RequestProvider) http.Handler {
-	appProvider := p.AppProvider
-	appContext := appProvider.AppContext
-	config := appContext.Config
-	appConfig := config.AppConfig
-	appID := appConfig.ID
-	handle := appProvider.Redis
-	request := p.Request
-	contextContext := deps.ProvideRequestContext(request)
-	storeImpl := &workflow.StoreImpl{
+	samlsessionStoreRedis := &samlsession.StoreRedis{
+		Context: contextContext,
 		Redis:   handle,
 		AppID:   appID,
+	}
+	promptResolver := &oauth2.PromptResolver{
+		Clock: clockClock,
+	}
+	oauthOfflineGrantService := &oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	idTokenHintResolver := &oidc.IDTokenHintResolver{
+		Issuer:              idTokenIssuer,
+		Sessions:            idpsessionProvider,
+		OfflineGrantService: oauthOfflineGrantService,
+	}
+	uiInfoResolver := &oidc.UIInfoResolver{
+		Config:              oAuthConfig,
+		EndpointsProvider:   endpointsEndpoints,
+		PromptResolver:      promptResolver,
+		IDTokenHintResolver: idTokenHintResolver,
+		Clock:               clockClock,
+		Cookies:             cookieManager,
+		ClientResolver:      oauthclientResolver,
+	}
+	webappoauthStore := &webappoauth.Store{
 		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
 	}
-	eventStoreImpl := workflow.NewEventStore(appID, handle, storeImpl)
-	factory := appProvider.LoggerFactory
-	httpConfig := appConfig.HTTP
-	oAuthConfig := appConfig.OAuth
-	samlConfig := appConfig.SAML
-	rootProvider := appProvider.RootProvider
-	environmentConfig := rootProvider.EnvironmentConfig
-	corsAllowedOrigins := environmentConfig.CORSAllowedOrigins
-	corsMatcher := &middleware.CORSMatcher{
-		Config:             httpConfig,
-		OAuthConfig:        oAuthConfig,
-		SAMLConfig:         samlConfig,
-		CORSAllowedOrigins: corsAllowedOrigins,
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
 	}
-	workflowWebsocketHandler := &api.WorkflowWebsocketHandler{
-		Events:        eventStoreImpl,
-		LoggerFactory: factory,
-		RedisHandle:   handle,
-		OriginMatcher: corsMatcher,
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: handle,
+		Cookies:     cookieManager,
 	}
-	return workflowWebsocketHandler
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	authflowController := &webapp.AuthflowController{
+		Logger:                  authflowControllerLogger,
+		TesterEndpointsProvider: endpointsEndpoints,
+		TrustProxy:              trustProxy,
+		Clock:                   clockClock,
+		Cookies:                 cookieManager,
+		Sessions:                sessionStoreRedis,
+		SessionCookie:           sessionCookieDef,
+		SignedUpCookie:          signedUpCookieDef,
+		Authflows:               authenticationflowService,
+		OAuthSessions:           oauthsessionStoreRedis,
+		SAMLSessions:            samlsessionStoreRedis,
+		UIInfoResolver:          uiInfoResolver,
+		UIConfig:                uiConfig,
+		OAuthClientResolver:     oauthclientResolver,
+		Navigator:               authflowV2Navigator,
+		ErrorRenderer:           errorRenderer,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               oauthclientResolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	authflowV2ErrorHandler := &authflowv2.AuthflowV2ErrorHandler{
+		Controller:    authflowController,
+		BaseViewModel: baseViewModeler,
+		Renderer:      responseRenderer,
+	}
+	return authflowV2ErrorHandler
 }
 
-func newAPIWorkflowV2Handler(p *deps.RequestProvider) http.Handler {
+func newWebAppCSRFErrorInstructionHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
-	jsonResponseWriterLogger := httputil.NewJSONResponseWriterLogger(factory)
-	jsonResponseWriter := &httputil.JSONResponseWriter{
-		Logger: jsonResponseWriterLogger,
-	}
+	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
 	request := p.Request
 	rootProvider := appProvider.RootProvider
 	environmentConfig := rootProvider.EnvironmentConfig
 	trustProxy := environmentConfig.TrustProxy
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
 	appContext := appProvider.AppContext
 	config := appContext.Config
 	appConfig := config.AppConfig
+	uiConfig := appConfig.UI
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	clockClock := _wireSystemClockValue
 	httpConfig := appConfig.HTTP
 	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	appID := appConfig.ID
+	handle := appProvider.Redis
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: handle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
 	contextContext := deps.ProvideRequestContext(request)
 	featureConfig := config.FeatureConfig
-	clockClock := _wireSystemClockValue
 	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	secretConfig := config.SecretConfig
 	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
-	appID := appConfig.ID
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	handle := appProvider.AppDatabase
-	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	appdbHandle := appProvider.AppDatabase
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
 	store := &user.Store{
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
@@ -76518,7 +76789,6 @@ func newAPIWorkflowV2Handler(p *deps.RequestProvider) http.Handler {
 		SQLExecutor: sqlExecutor,
 	}
 	loginIDConfig := identityConfig.LoginID
-	uiConfig := appConfig.UI
 	manager := appContext.Resources
 	typeCheckerFactory := &loginid.TypeCheckerFactory{
 		UIConfig:      uiConfig,
@@ -76569,10 +76839,9 @@ func newAPIWorkflowV2Handler(p *deps.RequestProvider) http.Handler {
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 	}
-	appredisHandle := appProvider.Redis
 	store2 := &passkey2.Store{
 		Context: contextContext,
-		Redis:   appredisHandle,
+		Redis:   handle,
 		AppID:   appID,
 	}
 	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
@@ -76585,9 +76854,6 @@ func newAPIWorkflowV2Handler(p *deps.RequestProvider) http.Handler {
 	engine := &template.Engine{
 		Resolver: resolver,
 	}
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
-	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
 	staticAssetResolver := &web.StaticAssetResolver{
@@ -76625,14 +76891,14 @@ func newAPIWorkflowV2Handler(p *deps.RequestProvider) http.Handler {
 	web3Config := appConfig.Web3
 	storeRedis := &siwe2.StoreRedis{
 		Context: contextContext,
-		Redis:   appredisHandle,
+		Redis:   handle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
 	ratelimitLogger := ratelimit.NewLogger(factory)
 	storageRedis := &ratelimit.StorageRedis{
 		AppID: appID,
-		Redis: appredisHandle,
+		Redis: handle,
 	}
 	rateLimitsFeatureConfig := featureConfig.RateLimits
 	limiter := &ratelimit.Limiter{
@@ -76747,17 +77013,17 @@ func newAPIWorkflowV2Handler(p *deps.RequestProvider) http.Handler {
 	testModeConfig := appConfig.TestMode
 	testModeFeatureConfig := featureConfig.TestMode
 	codeStoreRedis := &otp.CodeStoreRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	lookupStoreRedis := &otp.LookupStoreRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	attemptTrackerRedis := &otp.AttemptTrackerRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -76783,7 +77049,7 @@ func newAPIWorkflowV2Handler(p *deps.RequestProvider) http.Handler {
 	lockoutLogger := lockout.NewLogger(factory)
 	lockoutStorageRedis := &lockout.StorageRedis{
 		AppID: appID,
-		Redis: appredisHandle,
+		Redis: handle,
 	}
 	lockoutService := &lockout.Service{
 		Logger:  lockoutLogger,
@@ -76924,11 +77190,11 @@ func newAPIWorkflowV2Handler(p *deps.RequestProvider) http.Handler {
 	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
 	client := elasticsearch.NewClient(elasticsearchCredentials)
 	queue := appProvider.TaskQueue
-	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
+	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
 	elasticsearchService := elasticsearch.Service{
 		Clock:           clockClock,
 		Context:         contextContext,
-		Database:        handle,
+		Database:        appdbHandle,
 		Logger:          elasticsearchServiceLogger,
 		AppID:           appID,
 		Client:          client,
@@ -76942,9 +77208,9 @@ func newAPIWorkflowV2Handler(p *deps.RequestProvider) http.Handler {
 	elasticsearchSink := &elasticsearch.Sink{
 		Logger:   elasticsearchLogger,
 		Service:  elasticsearchService,
-		Database: handle,
+		Database: appdbHandle,
 	}
-	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
 	userCommands := &user.Commands{
 		RawCommands:        rawCommands,
 		RawQueries:         rawQueries,
@@ -76961,7 +77227,7 @@ func newAPIWorkflowV2Handler(p *deps.RequestProvider) http.Handler {
 		Queries:  userQueries,
 	}
 	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -76989,7 +77255,7 @@ func newAPIWorkflowV2Handler(p *deps.RequestProvider) http.Handler {
 		Logger: usageLogger,
 		Clock:  clockClock,
 		AppID:  appID,
-		Redis:  appredisHandle,
+		Redis:  handle,
 	}
 	messagingConfig := appConfig.Messaging
 	messagingRateLimitsConfig := messagingConfig.RateLimits
@@ -77011,7 +77277,7 @@ func newAPIWorkflowV2Handler(p *deps.RequestProvider) http.Handler {
 	whatsappConfig := messagingConfig.Whatsapp
 	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
 	tokenStore := &whatsapp.TokenStore{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -77054,7 +77320,7 @@ func newAPIWorkflowV2Handler(p *deps.RequestProvider) http.Handler {
 	}
 	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
 	idpsessionStoreRedis := &idpsession.StoreRedis{
-		Redis:  appredisHandle,
+		Redis:  handle,
 		AppID:  appID,
 		Clock:  clockClock,
 		Logger: storeRedisLogger,
@@ -77070,7 +77336,7 @@ func newAPIWorkflowV2Handler(p *deps.RequestProvider) http.Handler {
 	redisLogger := redis.NewLogger(factory)
 	redisStore := &redis.Store{
 		Context:     contextContext,
-		Redis:       appredisHandle,
+		Redis:       handle,
 		AppID:       appID,
 		Logger:      redisLogger,
 		SQLBuilder:  sqlBuilderApp,
@@ -77079,7 +77345,7 @@ func newAPIWorkflowV2Handler(p *deps.RequestProvider) http.Handler {
 	}
 	oAuthConfig := appConfig.OAuth
 	eventStoreRedis := &access.EventStoreRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 	}
 	eventProvider := &access.EventProvider{
@@ -77091,7 +77357,7 @@ func newAPIWorkflowV2Handler(p *deps.RequestProvider) http.Handler {
 		RemoteIP:        remoteIP,
 		UserAgentString: userAgentString,
 		AppID:           appID,
-		Redis:           appredisHandle,
+		Redis:           handle,
 		Store:           idpsessionStoreRedis,
 		AccessEvents:    eventProvider,
 		TrustProxy:      trustProxy,
@@ -77099,18 +77365,6 @@ func newAPIWorkflowV2Handler(p *deps.RequestProvider) http.Handler {
 		Clock:           clockClock,
 		Random:          idpsessionRand,
 	}
-	globalUIImplementation := environmentConfig.UIImplementation
-	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
-	uiImplementationService := &web.UIImplementationService{
-		UIConfig:                       uiConfig,
-		GlobalUIImplementation:         globalUIImplementation,
-		GlobalUISettingsImplementation: globalUISettingsImplementation,
-	}
-	endpointsEndpoints := &endpoints.Endpoints{
-		HTTPHost:                httpHost,
-		HTTPProto:               httpProto,
-		UIImplementationService: uiImplementationService,
-	}
 	oauthclientResolver := &oauthclient.Resolver{
 		OAuthConfig:     oAuthConfig,
 		TesterEndpoints: endpointsEndpoints,
@@ -77162,6 +77416,12 @@ func newAPIWorkflowV2Handler(p *deps.RequestProvider) http.Handler {
 	identityFacade := facade.IdentityFacade{
 		Coordinator: coordinator,
 	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
 	authenticatorFacade := facade.AuthenticatorFacade{
 		Coordinator: coordinator,
 	}
@@ -77225,6 +77485,11 @@ func newAPIWorkflowV2Handler(p *deps.RequestProvider) http.Handler {
 		DenoHook: accountMigrationDenoHook,
 		WebHook:  accountMigrationWebHook,
 	}
+	challengeProvider := &challenge.Provider{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
 	captchaConfig := appConfig.Captcha
 	providerLogger := captcha.NewProviderLogger(factory)
 	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
@@ -77235,6 +77500,51 @@ func newAPIWorkflowV2Handler(p *deps.RequestProvider) http.Handler {
 		Logger:           providerLogger,
 		CloudflareClient: cloudflareClient,
 	}
+	botProtectionConfig := appConfig.BotProtection
+	botprotectionProviderLogger := botprotection.NewProviderLogger(factory)
+	botProtectionProviderCredentials := deps.ProvideBotProtectionProvidersCredentials(secretConfig)
+	botprotectionCloudflareClient := botprotection.NewCloudflareClient(botProtectionProviderCredentials, environmentConfig)
+	recaptchaV2Client := botprotection.NewRecaptchaV2Client(botProtectionProviderCredentials, environmentConfig)
+	botprotectionProvider := &botprotection.Provider{
+		RemoteIP:          remoteIP,
+		Config:            botProtectionConfig,
+		Logger:            botprotectionProviderLogger,
+		CloudflareClient:  botprotectionCloudflareClient,
+		RecaptchaV2Client: recaptchaV2Client,
+		Events:            eventService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   handle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	requestOptionsService := &passkey2.RequestOptionsService{
+		ConfigService:   configService,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	creationOptionsService := &passkey2.CreationOptionsService{
+		ConfigService:   configService,
+		UserService:     userQueries,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	ldapConfig := identityConfig.LDAP
+	ldapServerUserCredentials := deps.ProvideLDAPServerUserCredentials(secretConfig)
+	clientFactory := &ldap2.ClientFactory{
+		Config:       ldapConfig,
+		SecretConfig: ldapServerUserCredentials,
+	}
 	manager2 := &session.Manager{
 		IDPSessions:         idpsessionManager,
 		AccessTokenSessions: sessionManager,
@@ -77242,74 +77552,97 @@ func newAPIWorkflowV2Handler(p *deps.RequestProvider) http.Handler {
 	}
 	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
 		Context: contextContext,
-		Redis:   appredisHandle,
+		Redis:   handle,
 		AppID:   appID,
 	}
 	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
-	workflowStoreImpl := &workflow.StoreImpl{
-		Redis:   appredisHandle,
+	userFacade := &facade.UserFacade{
+		UserProvider: userProvider,
+		Coordinator:  coordinator,
+	}
+	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
+	idTokenIssuer := &oidc.IDTokenIssuer{
+		Secrets:        oAuthKeyMaterials,
+		BaseURL:        endpointsEndpoints,
+		Users:          userQueries,
+		RolesAndGroups: queries,
+		Clock:          clockClock,
+	}
+	dependencies := &authenticationflow.Dependencies{
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		Clock:                           clockClock,
+		RemoteIP:                        remoteIP,
+		HTTPOrigin:                      httpOrigin,
+		HTTPRequest:                     request,
+		Users:                           userProvider,
+		Identities:                      identityFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		Authenticators:                  authenticatorFacade,
+		MFA:                             mfaFacade,
+		StdAttrsService:                 stdattrsService,
+		CustomAttrsService:              customattrsService,
+		OTPCodes:                        otpService,
+		OTPSender:                       messageSender,
+		Verification:                    workflowVerificationFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		AccountMigrations:               accountmigrationService,
+		Challenges:                      challengeProvider,
+		Captcha:                         captchaProvider,
+		BotProtection:                   botprotectionProvider,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		PasskeyRequestOptionsService:    requestOptionsService,
+		PasskeyCreationOptionsService:   creationOptionsService,
+		PasskeyService:                  passkeyService,
+		LoginIDs:                        provider,
+		LDAP:                            ldapProvider,
+		LDAPClientFactory:               clientFactory,
+		IDPSessions:                     idpsessionProvider,
+		Sessions:                        manager2,
+		AuthenticationInfos:             authenticationinfoStoreRedis,
+		SessionCookie:                   cookieDef,
+		MFADeviceTokenCookie:            mfaCookieDef,
+		UserFacade:                      userFacade,
+		Cookies:                         cookieManager,
+		Events:                          eventService,
+		RateLimiter:                     limiter,
+		OfflineGrants:                   redisStore,
+		IDTokens:                        idTokenIssuer,
+	}
+	authenticationflowServiceLogger := authenticationflow.NewServiceLogger(factory)
+	authenticationflowStoreImpl := &authenticationflow.StoreImpl{
+		Redis:   handle,
 		AppID:   appID,
 		Context: contextContext,
 	}
-	eventStoreImpl := workflow.NewEventStore(appID, appredisHandle, workflowStoreImpl)
-	dependencies := &workflow.Dependencies{
-		Config:               appConfig,
-		FeatureConfig:        featureConfig,
-		Clock:                clockClock,
-		RemoteIP:             remoteIP,
-		HTTPRequest:          request,
-		Users:                userProvider,
-		Identities:           identityFacade,
-		Authenticators:       authenticatorFacade,
-		MFA:                  mfaFacade,
-		StdAttrsService:      stdattrsService,
-		CustomAttrsService:   customattrsService,
-		OTPCodes:             otpService,
-		OTPSender:            messageSender,
-		Verification:         workflowVerificationFacade,
-		ForgotPassword:       forgotpasswordService,
-		ResetPassword:        forgotpasswordService,
-		AccountMigrations:    accountmigrationService,
-		Captcha:              captchaProvider,
-		IDPSessions:          idpsessionProvider,
-		Sessions:             manager2,
-		AuthenticationInfos:  authenticationinfoStoreRedis,
-		SessionCookie:        cookieDef,
-		MFADeviceTokenCookie: mfaCookieDef,
-		Cookies:              cookieManager,
-		Events:               eventService,
-		RateLimiter:          limiter,
-		WorkflowEvents:       eventStoreImpl,
-		OfflineGrants:        redisStore,
-	}
-	workflowServiceLogger := workflow.NewServiceLogger(factory)
 	uiService := &authenticationinfo.UIService{
 		EndpointsProvider: endpointsEndpoints,
 	}
-	workflowService := &workflow.Service{
+	authenticationflowService := &authenticationflow.Service{
 		ContextDoNotUseDirectly: contextContext,
 		Deps:                    dependencies,
-		Logger:                  workflowServiceLogger,
-		Store:                   workflowStoreImpl,
-		Database:                handle,
+		Logger:                  authenticationflowServiceLogger,
+		Store:                   authenticationflowStoreImpl,
+		Database:                appdbHandle,
+		UIConfig:                uiConfig,
 		UIInfoResolver:          uiService,
+		OAuthClientResolver:     oauthclientResolver,
 	}
 	oauthsessionStoreRedis := &oauthsession.StoreRedis{
 		Context: contextContext,
-		Redis:   appredisHandle,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	samlsessionStoreRedis := &samlsession.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
 		AppID:   appID,
 	}
 	promptResolver := &oauth2.PromptResolver{
 		Clock: clockClock,
 	}
-	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
-	idTokenIssuer := &oidc.IDTokenIssuer{
-		Secrets:        oAuthKeyMaterials,
-		BaseURL:        endpointsEndpoints,
-		Users:          userQueries,
-		RolesAndGroups: queries,
-		Clock:          clockClock,
-	}
 	oauthOfflineGrantService := &oauth2.OfflineGrantService{
 		OAuthConfig:    oAuthConfig,
 		Clock:          clockClock,
@@ -77331,65 +77664,178 @@ func newAPIWorkflowV2Handler(p *deps.RequestProvider) http.Handler {
 		Cookies:             cookieManager,
 		ClientResolver:      oauthclientResolver,
 	}
-	workflowV2Handler := &api.WorkflowV2Handler{
-		JSON:           jsonResponseWriter,
-		Cookies:        cookieManager,
-		Workflows:      workflowService,
-		OAuthSessions:  oauthsessionStoreRedis,
-		UIInfoResolver: uiInfoResolver,
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
 	}
-	return workflowV2Handler
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: handle,
+		Cookies:     cookieManager,
+	}
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	authflowController := &webapp.AuthflowController{
+		Logger:                  authflowControllerLogger,
+		TesterEndpointsProvider: endpointsEndpoints,
+		TrustProxy:              trustProxy,
+		Clock:                   clockClock,
+		Cookies:                 cookieManager,
+		Sessions:                sessionStoreRedis,
+		SessionCookie:           sessionCookieDef,
+		SignedUpCookie:          signedUpCookieDef,
+		Authflows:               authenticationflowService,
+		OAuthSessions:           oauthsessionStoreRedis,
+		SAMLSessions:            samlsessionStoreRedis,
+		UIInfoResolver:          uiInfoResolver,
+		UIConfig:                uiConfig,
+		OAuthClientResolver:     oauthclientResolver,
+		Navigator:               authflowV2Navigator,
+		ErrorRenderer:           errorRenderer,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               oauthclientResolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	csrfErrorInstructionHandler := &webapp.CSRFErrorInstructionHandler{
+		Controller:    authflowController,
+		BaseViewModel: baseViewModeler,
+		Renderer:      responseRenderer,
+	}
+	return csrfErrorInstructionHandler
 }
 
-func newAPIAuthenticationFlowV1CreateHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppNotFoundHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
-	handle := appProvider.Redis
-	jsonResponseWriterLogger := httputil.NewJSONResponseWriterLogger(factory)
-	jsonResponseWriter := &httputil.JSONResponseWriter{
-		Logger: jsonResponseWriterLogger,
-	}
+	handle := appProvider.AppDatabase
+	appredisHandle := appProvider.Redis
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	appID := appConfig.ID
+	serviceLogger := webapp2.NewServiceLogger(factory)
 	request := p.Request
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	authenticationConfig := appConfig.Authentication
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
 	rootProvider := appProvider.RootProvider
 	environmentConfig := rootProvider.EnvironmentConfig
 	trustProxy := environmentConfig.TrustProxy
-	appContext := appProvider.AppContext
-	config := appContext.Config
-	appConfig := config.AppConfig
 	httpConfig := appConfig.HTTP
 	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	resolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	logger := interaction.NewLogger(factory)
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
 	contextContext := deps.ProvideRequestContext(request)
-	featureConfig := config.FeatureConfig
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
 	clockClock := _wireSystemClockValue
-	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
-	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	featureConfig := config.FeatureConfig
+	redisLogger := redis.NewLogger(factory)
 	secretConfig := config.SecretConfig
 	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
-	appID := appConfig.ID
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	appdbHandle := appProvider.AppDatabase
-	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
-	store := &user.Store{
+	store := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 		Clock:       clockClock,
-		AppID:       appID,
-	}
-	rawCommands := &user.RawCommands{
-		Store: store,
-		Clock: clockClock,
-	}
-	rawQueries := &user.RawQueries{
-		Store: store,
 	}
 	userAgentString := deps.ProvideUserAgentString(request)
-	logger := event.NewLogger(factory)
+	eventLogger := event.NewLogger(factory)
 	localizationConfig := appConfig.Localization
 	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
 	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
-	authenticationConfig := appConfig.Authentication
+	userStore := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: userStore,
+	}
 	identityConfig := appConfig.Identity
 	identityFeatureConfig := featureConfig.Identity
 	serviceStore := &service.Store{
@@ -77401,7 +77847,6 @@ func newAPIAuthenticationFlowV1CreateHandler(p *deps.RequestProvider) http.Handl
 		SQLExecutor: sqlExecutor,
 	}
 	loginIDConfig := identityConfig.LoginID
-	uiConfig := appConfig.UI
 	manager := appContext.Resources
 	typeCheckerFactory := &loginid.TypeCheckerFactory{
 		UIConfig:      uiConfig,
@@ -77454,19 +77899,20 @@ func newAPIAuthenticationFlowV1CreateHandler(p *deps.RequestProvider) http.Handl
 	}
 	store2 := &passkey2.Store{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
 	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
 	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
-	resolver := &template.Resolver{
+	templateResolver := &template.Resolver{
 		Resources:             manager,
 		DefaultLanguageTag:    defaultLanguageTag,
 		SupportedLanguageTags: supportedLanguageTags,
 	}
 	engine := &template.Engine{
-		Resolver: resolver,
+		Resolver: templateResolver,
 	}
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
 	staticAssetResolver := &web.StaticAssetResolver{
@@ -77504,14 +77950,14 @@ func newAPIAuthenticationFlowV1CreateHandler(p *deps.RequestProvider) http.Handl
 	web3Config := appConfig.Web3
 	storeRedis := &siwe2.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
 	ratelimitLogger := ratelimit.NewLogger(factory)
 	storageRedis := &ratelimit.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	rateLimitsFeatureConfig := featureConfig.RateLimits
 	limiter := &ratelimit.Limiter{
@@ -77626,17 +78072,17 @@ func newAPIAuthenticationFlowV1CreateHandler(p *deps.RequestProvider) http.Handl
 	testModeConfig := appConfig.TestMode
 	testModeFeatureConfig := featureConfig.TestMode
 	codeStoreRedis := &otp.CodeStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	lookupStoreRedis := &otp.LookupStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	attemptTrackerRedis := &otp.AttemptTrackerRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -77662,7 +78108,7 @@ func newAPIAuthenticationFlowV1CreateHandler(p *deps.RequestProvider) http.Handl
 	lockoutLogger := lockout.NewLogger(factory)
 	lockoutStorageRedis := &lockout.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	lockoutService := &lockout.Service{
 		Logger:  lockoutLogger,
@@ -77706,14 +78152,14 @@ func newAPIAuthenticationFlowV1CreateHandler(p *deps.RequestProvider) http.Handl
 		UserProfileConfig: userProfileConfig,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         store,
+		UserStore:         userStore,
 		ClaimStore:        storePQ,
 		Transformer:       pictureTransformer,
 	}
 	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
 		Config:      userProfileConfig,
 		UserQueries: rawQueries,
-		UserStore:   store,
+		UserStore:   userStore,
 	}
 	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
 	web3Service := &web3.Service{
@@ -77730,7 +78176,7 @@ func newAPIAuthenticationFlowV1CreateHandler(p *deps.RequestProvider) http.Handl
 	}
 	userQueries := &user.Queries{
 		RawQueries:         rawQueries,
-		Store:              store,
+		Store:              userStore,
 		Identities:         serviceService,
 		Authenticators:     service3,
 		Verification:       verificationService,
@@ -77803,16 +78249,16 @@ func newAPIAuthenticationFlowV1CreateHandler(p *deps.RequestProvider) http.Handl
 	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
 	client := elasticsearch.NewClient(elasticsearchCredentials)
 	queue := appProvider.TaskQueue
-	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
 	elasticsearchService := elasticsearch.Service{
 		Clock:           clockClock,
 		Context:         contextContext,
-		Database:        appdbHandle,
+		Database:        handle,
 		Logger:          elasticsearchServiceLogger,
 		AppID:           appID,
 		Client:          client,
 		Users:           userQueries,
-		UserStore:       store,
+		UserStore:       userStore,
 		IdentityService: serviceService,
 		RolesGroups:     rolesgroupsStore,
 		TaskQueue:       queue,
@@ -77821,26 +78267,11 @@ func newAPIAuthenticationFlowV1CreateHandler(p *deps.RequestProvider) http.Handl
 	elasticsearchSink := &elasticsearch.Sink{
 		Logger:   elasticsearchLogger,
 		Service:  elasticsearchService,
-		Database: appdbHandle,
-	}
-	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
-	userCommands := &user.Commands{
-		RawCommands:        rawCommands,
-		RawQueries:         rawQueries,
-		Events:             eventService,
-		Verification:       verificationService,
-		UserProfileConfig:  userProfileConfig,
-		StandardAttributes: serviceNoEvent,
-		CustomAttributes:   customattrsServiceNoEvent,
-		Web3:               web3Service,
-		RolesAndGroups:     queries,
-	}
-	userProvider := &user.Provider{
-		Commands: userCommands,
-		Queries:  userQueries,
+		Database: handle,
 	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
 	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -77868,7 +78299,7 @@ func newAPIAuthenticationFlowV1CreateHandler(p *deps.RequestProvider) http.Handl
 		Logger: usageLogger,
 		Clock:  clockClock,
 		AppID:  appID,
-		Redis:  handle,
+		Redis:  appredisHandle,
 	}
 	messagingConfig := appConfig.Messaging
 	messagingRateLimitsConfig := messagingConfig.RateLimits
@@ -77883,21 +78314,21 @@ func newAPIAuthenticationFlowV1CreateHandler(p *deps.RequestProvider) http.Handl
 		FeatureConfig: messagingFeatureConfig,
 		EnvConfig:     rateLimitsEnvironmentConfig,
 	}
-	serviceLogger := whatsapp.NewServiceLogger(factory)
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
 	devMode := environmentConfig.DevMode
 	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
 	testModeWhatsappConfig := testModeConfig.Whatsapp
 	whatsappConfig := messagingConfig.Whatsapp
 	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
 	tokenStore := &whatsapp.TokenStore{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
 	whatsappService := &whatsapp.Service{
 		Context:                           contextContext,
-		Logger:                            serviceLogger,
+		Logger:                            whatsappServiceLogger,
 		DevMode:                           devMode,
 		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
 		TestModeWhatsappConfig:            testModeWhatsappConfig,
@@ -77919,12 +78350,27 @@ func newAPIAuthenticationFlowV1CreateHandler(p *deps.RequestProvider) http.Handl
 		Sender:      sender,
 		Translation: translationService,
 	}
+	rawCommands := &user.RawCommands{
+		Store: userStore,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
 	stdattrsService := &stdattrs2.Service{
 		UserProfileConfig: userProfileConfig,
 		ServiceNoEvent:    serviceNoEvent,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         store,
+		UserStore:         userStore,
 		Events:            eventService,
 	}
 	authorizationStore := &pq.AuthorizationStore{
@@ -77933,32 +78379,21 @@ func newAPIAuthenticationFlowV1CreateHandler(p *deps.RequestProvider) http.Handl
 	}
 	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
 	idpsessionStoreRedis := &idpsession.StoreRedis{
-		Redis:  handle,
+		Redis:  appredisHandle,
 		AppID:  appID,
 		Clock:  clockClock,
 		Logger: storeRedisLogger,
 	}
 	sessionConfig := appConfig.Session
-	cookieDef := session.NewSessionCookieDef(sessionConfig)
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
 	idpsessionManager := &idpsession.Manager{
 		Store:     idpsessionStoreRedis,
 		Config:    sessionConfig,
 		Cookies:   cookieManager,
-		CookieDef: cookieDef,
-	}
-	redisLogger := redis.NewLogger(factory)
-	redisStore := &redis.Store{
-		Context:     contextContext,
-		Redis:       handle,
-		AppID:       appID,
-		Logger:      redisLogger,
-		SQLBuilder:  sqlBuilderApp,
-		SQLExecutor: sqlExecutor,
-		Clock:       clockClock,
+		CookieDef: cookieDef2,
 	}
-	oAuthConfig := appConfig.OAuth
 	eventStoreRedis := &access.EventStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 	}
 	eventProvider := &access.EventProvider{
@@ -77970,7 +78405,7 @@ func newAPIAuthenticationFlowV1CreateHandler(p *deps.RequestProvider) http.Handl
 		RemoteIP:        remoteIP,
 		UserAgentString: userAgentString,
 		AppID:           appID,
-		Redis:           handle,
+		Redis:           appredisHandle,
 		Store:           idpsessionStoreRedis,
 		AccessEvents:    eventProvider,
 		TrustProxy:      trustProxy,
@@ -77978,31 +78413,15 @@ func newAPIAuthenticationFlowV1CreateHandler(p *deps.RequestProvider) http.Handl
 		Clock:           clockClock,
 		Random:          idpsessionRand,
 	}
-	globalUIImplementation := environmentConfig.UIImplementation
-	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
-	uiImplementationService := &web.UIImplementationService{
-		UIConfig:                       uiConfig,
-		GlobalUIImplementation:         globalUIImplementation,
-		GlobalUISettingsImplementation: globalUISettingsImplementation,
-	}
-	endpointsEndpoints := &endpoints.Endpoints{
-		HTTPHost:                httpHost,
-		HTTPProto:               httpProto,
-		UIImplementationService: uiImplementationService,
-	}
-	oauthclientResolver := &oauthclient.Resolver{
-		OAuthConfig:     oAuthConfig,
-		TesterEndpoints: endpointsEndpoints,
-	}
 	offlineGrantService := oauth2.OfflineGrantService{
 		OAuthConfig:    oAuthConfig,
 		Clock:          clockClock,
 		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
 	}
 	sessionManager := &oauth2.SessionManager{
-		Store:   redisStore,
+		Store:   store,
 		Config:  oAuthConfig,
 		Service: offlineGrantService,
 	}
@@ -78041,23 +78460,15 @@ func newAPIAuthenticationFlowV1CreateHandler(p *deps.RequestProvider) http.Handl
 	identityFacade := facade.IdentityFacade{
 		Coordinator: coordinator,
 	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
 	anonymousStoreRedis := &anonymous.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
-	authenticatorFacade := facade.AuthenticatorFacade{
-		Coordinator: coordinator,
-	}
-	mfaFacade := &facade.MFAFacade{
-		Coordinator: coordinator,
-	}
-	customattrsService := &customattrs.Service{
-		Config:         userProfileConfig,
-		ServiceNoEvent: customattrsServiceNoEvent,
-		Events:         eventService,
-	}
 	messageSender := &otp.MessageSender{
 		AppID:           appID,
 		Translation:     translationService,
@@ -78065,8 +78476,28 @@ func newAPIAuthenticationFlowV1CreateHandler(p *deps.RequestProvider) http.Handl
 		Sender:          sender,
 		WhatsappService: whatsappService,
 	}
-	workflowVerificationFacade := facade.WorkflowVerificationFacade{
-		Verification: verificationService,
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
 	}
 	forgotpasswordLogger := forgotpassword.NewLogger(factory)
 	sender2 := forgotpassword.Sender{
@@ -78085,266 +78516,261 @@ func newAPIAuthenticationFlowV1CreateHandler(p *deps.RequestProvider) http.Handl
 		OTPSender:      messageSender,
 		PasswordSender: sender2,
 	}
-	accountMigrationConfig := appConfig.AccountMigration
-	accountMigrationHookConfig := accountMigrationConfig.Hook
-	hookDenoClient := accountmigration.NewHookDenoClient(denoEndpoint, hookLogger, accountMigrationHookConfig)
-	denoMiddlewareLogger := accountmigration.NewDenoMiddlewareLogger(factory)
-	accountMigrationDenoHook := &accountmigration.AccountMigrationDenoHook{
-		DenoHook: denoHook,
-		Client:   hookDenoClient,
-		Logger:   denoMiddlewareLogger,
-	}
-	hookWebHookImpl := &hook.WebHookImpl{
-		Logger: webHookLogger,
-		Secret: webhookKeyMaterials,
-	}
-	hookHTTPClient := accountmigration.NewHookHTTPClient(accountMigrationHookConfig)
-	webhookMiddlewareLogger := accountmigration.NewWebhookMiddlewareLogger(factory)
-	accountMigrationWebHook := &accountmigration.AccountMigrationWebHook{
-		WebHook: hookWebHookImpl,
-		Client:  hookHTTPClient,
-		Logger:  webhookMiddlewareLogger,
-	}
-	accountmigrationService := &accountmigration.Service{
-		Config:   accountMigrationHookConfig,
-		DenoHook: accountMigrationDenoHook,
-		WebHook:  accountMigrationWebHook,
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
 	}
 	challengeProvider := &challenge.Provider{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
-	captchaConfig := appConfig.Captcha
-	providerLogger := captcha.NewProviderLogger(factory)
-	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
-	cloudflareClient := captcha2.NewCloudflareClient(deprecated_CaptchaCloudflareCredentials)
-	captchaProvider := &captcha.Provider{
-		RemoteIP:         remoteIP,
-		Config:           captchaConfig,
-		Logger:           providerLogger,
-		CloudflareClient: cloudflareClient,
-	}
-	botProtectionConfig := appConfig.BotProtection
-	botprotectionProviderLogger := botprotection.NewProviderLogger(factory)
-	botProtectionProviderCredentials := deps.ProvideBotProtectionProvidersCredentials(secretConfig)
-	botprotectionCloudflareClient := botprotection.NewCloudflareClient(botProtectionProviderCredentials, environmentConfig)
-	recaptchaV2Client := botprotection.NewRecaptchaV2Client(botProtectionProviderCredentials, environmentConfig)
-	botprotectionProvider := &botprotection.Provider{
-		RemoteIP:          remoteIP,
-		Config:            botProtectionConfig,
-		Logger:            botprotectionProviderLogger,
-		CloudflareClient:  botprotectionCloudflareClient,
-		RecaptchaV2Client: recaptchaV2Client,
-		Events:            eventService,
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
 	}
-	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
-	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
-	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
 		Context: contextContext,
+		Redis:   appredisHandle,
 		AppID:   appID,
-		Redis:   handle,
-	}
-	oAuthProviderFactory := &sso.OAuthProviderFactory{
-		IdentityConfig:               identityConfig,
-		Credentials:                  oAuthSSOProviderCredentials,
-		Clock:                        clockClock,
-		StandardAttributesNormalizer: normalizer,
-		HTTPClient:                   oAuthHTTPClient,
-		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
-	}
-	requestOptionsService := &passkey2.RequestOptionsService{
-		ConfigService:   configService,
-		IdentityService: serviceService,
-		Store:           store2,
-	}
-	creationOptionsService := &passkey2.CreationOptionsService{
-		ConfigService:   configService,
-		UserService:     userQueries,
-		IdentityService: serviceService,
-		Store:           store2,
-	}
-	ldapConfig := identityConfig.LDAP
-	ldapServerUserCredentials := deps.ProvideLDAPServerUserCredentials(secretConfig)
-	clientFactory := &ldap2.ClientFactory{
-		Config:       ldapConfig,
-		SecretConfig: ldapServerUserCredentials,
 	}
 	manager2 := &session.Manager{
 		IDPSessions:         idpsessionManager,
 		AccessTokenSessions: sessionManager,
 		Events:              eventService,
 	}
-	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
-	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
-	userFacade := &facade.UserFacade{
-		UserProvider: userProvider,
-		Coordinator:  coordinator,
-	}
-	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
-	idTokenIssuer := &oidc.IDTokenIssuer{
-		Secrets:        oAuthKeyMaterials,
-		BaseURL:        endpointsEndpoints,
-		Users:          userQueries,
-		RolesAndGroups: queries,
-		Clock:          clockClock,
-	}
-	dependencies := &authenticationflow.Dependencies{
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
 		Config:                          appConfig,
 		FeatureConfig:                   featureConfig,
-		Clock:                           clockClock,
-		RemoteIP:                        remoteIP,
-		HTTPOrigin:                      httpOrigin,
-		HTTPRequest:                     request,
-		Users:                           userProvider,
+		OAuthClientResolver:             resolver,
+		OfflineGrants:                   store,
 		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
 		AnonymousIdentities:             anonymousProvider,
 		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
-		Authenticators:                  authenticatorFacade,
-		MFA:                             mfaFacade,
-		StdAttrsService:                 stdattrsService,
-		CustomAttrsService:              customattrsService,
-		OTPCodes:                        otpService,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
 		OTPSender:                       messageSender,
-		Verification:                    workflowVerificationFacade,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
 		ForgotPassword:                  forgotpasswordService,
 		ResetPassword:                   forgotpasswordService,
-		AccountMigrations:               accountmigrationService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
 		Challenges:                      challengeProvider,
-		Captcha:                         captchaProvider,
-		BotProtection:                   botprotectionProvider,
-		OAuthProviderFactory:            oAuthProviderFactory,
-		PasskeyRequestOptionsService:    requestOptionsService,
-		PasskeyCreationOptionsService:   creationOptionsService,
-		PasskeyService:                  passkeyService,
-		LoginIDs:                        provider,
-		LDAP:                            ldapProvider,
-		LDAPClientFactory:               clientFactory,
-		IDPSessions:                     idpsessionProvider,
-		Sessions:                        manager2,
-		AuthenticationInfos:             authenticationinfoStoreRedis,
-		SessionCookie:                   cookieDef,
-		MFADeviceTokenCookie:            mfaCookieDef,
-		UserFacade:                      userFacade,
-		Cookies:                         cookieManager,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
 		Events:                          eventService,
-		RateLimiter:                     limiter,
-		OfflineGrants:                   redisStore,
-		IDTokens:                        idTokenIssuer,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
 	}
-	authenticationflowServiceLogger := authenticationflow.NewServiceLogger(factory)
-	authenticationflowStoreImpl := &authenticationflow.StoreImpl{
-		Redis:   handle,
-		AppID:   appID,
-		Context: contextContext,
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
 	}
-	uiService := &authenticationinfo.UIService{
-		EndpointsProvider: endpointsEndpoints,
+	interactionService := &interaction.Service{
+		Logger:  logger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
 	}
-	authenticationflowService := &authenticationflow.Service{
-		ContextDoNotUseDirectly: contextContext,
-		Deps:                    dependencies,
-		Logger:                  authenticationflowServiceLogger,
-		Store:                   authenticationflowStoreImpl,
-		Database:                appdbHandle,
-		UIConfig:                uiConfig,
-		UIInfoResolver:          uiService,
-		OAuthClientResolver:     oauthclientResolver,
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  resolver,
+		Graph:                interactionService,
 	}
-	oauthsessionStoreRedis := &oauthsession.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
 	}
-	promptResolver := &oauth2.PromptResolver{
-		Clock: clockClock,
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               resolver,
+		Logger:                            baseLogger,
 	}
-	oauthOfflineGrantService := &oauth2.OfflineGrantService{
-		OAuthConfig:    oAuthConfig,
-		Clock:          clockClock,
-		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
 	}
-	idTokenHintResolver := &oidc.IDTokenHintResolver{
-		Issuer:              idTokenIssuer,
-		Sessions:            idpsessionProvider,
-		OfflineGrantService: oauthOfflineGrantService,
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
 	}
-	uiInfoResolver := &oidc.UIInfoResolver{
-		Config:              oAuthConfig,
-		EndpointsProvider:   endpointsEndpoints,
-		PromptResolver:      promptResolver,
-		IDTokenHintResolver: idTokenHintResolver,
-		Clock:               clockClock,
-		Cookies:             cookieManager,
-		ClientResolver:      oauthclientResolver,
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
 	}
-	authenticationFlowV1CreateHandler := &api.AuthenticationFlowV1CreateHandler{
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
+	}
+	controllerFactory := webapp.ControllerFactory{
 		LoggerFactory:  factory,
-		RedisHandle:    handle,
-		JSON:           jsonResponseWriter,
-		Cookies:        cookieManager,
-		Workflows:      authenticationflowService,
-		OAuthSessions:  oauthsessionStoreRedis,
-		UIInfoResolver: uiInfoResolver,
+		ControllerDeps: controllerDeps,
 	}
-	return authenticationFlowV1CreateHandler
+	notFoundHandler := &webapp.NotFoundHandler{
+		ControllerFactory: controllerFactory,
+		BaseViewModel:     baseViewModeler,
+		Renderer:          responseRenderer,
+	}
+	return notFoundHandler
 }
 
-func newAPIAuthenticationFlowV1InputHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2NotFoundHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
-	handle := appProvider.Redis
-	jsonResponseWriterLogger := httputil.NewJSONResponseWriterLogger(factory)
-	jsonResponseWriter := &httputil.JSONResponseWriter{
-		Logger: jsonResponseWriterLogger,
-	}
+	handle := appProvider.AppDatabase
+	appredisHandle := appProvider.Redis
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	appID := appConfig.ID
+	serviceLogger := webapp2.NewServiceLogger(factory)
 	request := p.Request
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	authenticationConfig := appConfig.Authentication
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
 	rootProvider := appProvider.RootProvider
 	environmentConfig := rootProvider.EnvironmentConfig
 	trustProxy := environmentConfig.TrustProxy
-	appContext := appProvider.AppContext
-	config := appContext.Config
-	appConfig := config.AppConfig
 	httpConfig := appConfig.HTTP
 	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	resolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	logger := interaction.NewLogger(factory)
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
 	contextContext := deps.ProvideRequestContext(request)
-	featureConfig := config.FeatureConfig
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
 	clockClock := _wireSystemClockValue
-	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
-	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	featureConfig := config.FeatureConfig
+	redisLogger := redis.NewLogger(factory)
 	secretConfig := config.SecretConfig
 	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
-	appID := appConfig.ID
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	appdbHandle := appProvider.AppDatabase
-	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
-	store := &user.Store{
+	store := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 		Clock:       clockClock,
-		AppID:       appID,
-	}
-	rawCommands := &user.RawCommands{
-		Store: store,
-		Clock: clockClock,
-	}
-	rawQueries := &user.RawQueries{
-		Store: store,
 	}
 	userAgentString := deps.ProvideUserAgentString(request)
-	logger := event.NewLogger(factory)
+	eventLogger := event.NewLogger(factory)
 	localizationConfig := appConfig.Localization
 	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
 	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
-	authenticationConfig := appConfig.Authentication
+	userStore := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: userStore,
+	}
 	identityConfig := appConfig.Identity
 	identityFeatureConfig := featureConfig.Identity
 	serviceStore := &service.Store{
@@ -78356,7 +78782,6 @@ func newAPIAuthenticationFlowV1InputHandler(p *deps.RequestProvider) http.Handle
 		SQLExecutor: sqlExecutor,
 	}
 	loginIDConfig := identityConfig.LoginID
-	uiConfig := appConfig.UI
 	manager := appContext.Resources
 	typeCheckerFactory := &loginid.TypeCheckerFactory{
 		UIConfig:      uiConfig,
@@ -78409,19 +78834,20 @@ func newAPIAuthenticationFlowV1InputHandler(p *deps.RequestProvider) http.Handle
 	}
 	store2 := &passkey2.Store{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
 	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
 	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
-	resolver := &template.Resolver{
+	templateResolver := &template.Resolver{
 		Resources:             manager,
 		DefaultLanguageTag:    defaultLanguageTag,
 		SupportedLanguageTags: supportedLanguageTags,
 	}
 	engine := &template.Engine{
-		Resolver: resolver,
+		Resolver: templateResolver,
 	}
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
 	staticAssetResolver := &web.StaticAssetResolver{
@@ -78459,14 +78885,14 @@ func newAPIAuthenticationFlowV1InputHandler(p *deps.RequestProvider) http.Handle
 	web3Config := appConfig.Web3
 	storeRedis := &siwe2.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
 	ratelimitLogger := ratelimit.NewLogger(factory)
 	storageRedis := &ratelimit.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	rateLimitsFeatureConfig := featureConfig.RateLimits
 	limiter := &ratelimit.Limiter{
@@ -78581,17 +79007,17 @@ func newAPIAuthenticationFlowV1InputHandler(p *deps.RequestProvider) http.Handle
 	testModeConfig := appConfig.TestMode
 	testModeFeatureConfig := featureConfig.TestMode
 	codeStoreRedis := &otp.CodeStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	lookupStoreRedis := &otp.LookupStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	attemptTrackerRedis := &otp.AttemptTrackerRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -78617,7 +79043,7 @@ func newAPIAuthenticationFlowV1InputHandler(p *deps.RequestProvider) http.Handle
 	lockoutLogger := lockout.NewLogger(factory)
 	lockoutStorageRedis := &lockout.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	lockoutService := &lockout.Service{
 		Logger:  lockoutLogger,
@@ -78661,14 +79087,14 @@ func newAPIAuthenticationFlowV1InputHandler(p *deps.RequestProvider) http.Handle
 		UserProfileConfig: userProfileConfig,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         store,
+		UserStore:         userStore,
 		ClaimStore:        storePQ,
 		Transformer:       pictureTransformer,
 	}
 	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
 		Config:      userProfileConfig,
 		UserQueries: rawQueries,
-		UserStore:   store,
+		UserStore:   userStore,
 	}
 	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
 	web3Service := &web3.Service{
@@ -78685,7 +79111,7 @@ func newAPIAuthenticationFlowV1InputHandler(p *deps.RequestProvider) http.Handle
 	}
 	userQueries := &user.Queries{
 		RawQueries:         rawQueries,
-		Store:              store,
+		Store:              userStore,
 		Identities:         serviceService,
 		Authenticators:     service3,
 		Verification:       verificationService,
@@ -78758,16 +79184,16 @@ func newAPIAuthenticationFlowV1InputHandler(p *deps.RequestProvider) http.Handle
 	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
 	client := elasticsearch.NewClient(elasticsearchCredentials)
 	queue := appProvider.TaskQueue
-	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
 	elasticsearchService := elasticsearch.Service{
 		Clock:           clockClock,
 		Context:         contextContext,
-		Database:        appdbHandle,
+		Database:        handle,
 		Logger:          elasticsearchServiceLogger,
 		AppID:           appID,
 		Client:          client,
 		Users:           userQueries,
-		UserStore:       store,
+		UserStore:       userStore,
 		IdentityService: serviceService,
 		RolesGroups:     rolesgroupsStore,
 		TaskQueue:       queue,
@@ -78776,26 +79202,11 @@ func newAPIAuthenticationFlowV1InputHandler(p *deps.RequestProvider) http.Handle
 	elasticsearchSink := &elasticsearch.Sink{
 		Logger:   elasticsearchLogger,
 		Service:  elasticsearchService,
-		Database: appdbHandle,
-	}
-	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
-	userCommands := &user.Commands{
-		RawCommands:        rawCommands,
-		RawQueries:         rawQueries,
-		Events:             eventService,
-		Verification:       verificationService,
-		UserProfileConfig:  userProfileConfig,
-		StandardAttributes: serviceNoEvent,
-		CustomAttributes:   customattrsServiceNoEvent,
-		Web3:               web3Service,
-		RolesAndGroups:     queries,
-	}
-	userProvider := &user.Provider{
-		Commands: userCommands,
-		Queries:  userQueries,
+		Database: handle,
 	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
 	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -78823,7 +79234,7 @@ func newAPIAuthenticationFlowV1InputHandler(p *deps.RequestProvider) http.Handle
 		Logger: usageLogger,
 		Clock:  clockClock,
 		AppID:  appID,
-		Redis:  handle,
+		Redis:  appredisHandle,
 	}
 	messagingConfig := appConfig.Messaging
 	messagingRateLimitsConfig := messagingConfig.RateLimits
@@ -78838,21 +79249,21 @@ func newAPIAuthenticationFlowV1InputHandler(p *deps.RequestProvider) http.Handle
 		FeatureConfig: messagingFeatureConfig,
 		EnvConfig:     rateLimitsEnvironmentConfig,
 	}
-	serviceLogger := whatsapp.NewServiceLogger(factory)
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
 	devMode := environmentConfig.DevMode
 	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
 	testModeWhatsappConfig := testModeConfig.Whatsapp
 	whatsappConfig := messagingConfig.Whatsapp
 	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
 	tokenStore := &whatsapp.TokenStore{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
 	whatsappService := &whatsapp.Service{
 		Context:                           contextContext,
-		Logger:                            serviceLogger,
+		Logger:                            whatsappServiceLogger,
 		DevMode:                           devMode,
 		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
 		TestModeWhatsappConfig:            testModeWhatsappConfig,
@@ -78874,12 +79285,27 @@ func newAPIAuthenticationFlowV1InputHandler(p *deps.RequestProvider) http.Handle
 		Sender:      sender,
 		Translation: translationService,
 	}
+	rawCommands := &user.RawCommands{
+		Store: userStore,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
 	stdattrsService := &stdattrs2.Service{
 		UserProfileConfig: userProfileConfig,
 		ServiceNoEvent:    serviceNoEvent,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         store,
+		UserStore:         userStore,
 		Events:            eventService,
 	}
 	authorizationStore := &pq.AuthorizationStore{
@@ -78888,32 +79314,21 @@ func newAPIAuthenticationFlowV1InputHandler(p *deps.RequestProvider) http.Handle
 	}
 	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
 	idpsessionStoreRedis := &idpsession.StoreRedis{
-		Redis:  handle,
+		Redis:  appredisHandle,
 		AppID:  appID,
 		Clock:  clockClock,
 		Logger: storeRedisLogger,
 	}
 	sessionConfig := appConfig.Session
-	cookieDef := session.NewSessionCookieDef(sessionConfig)
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
 	idpsessionManager := &idpsession.Manager{
 		Store:     idpsessionStoreRedis,
 		Config:    sessionConfig,
 		Cookies:   cookieManager,
-		CookieDef: cookieDef,
-	}
-	redisLogger := redis.NewLogger(factory)
-	redisStore := &redis.Store{
-		Context:     contextContext,
-		Redis:       handle,
-		AppID:       appID,
-		Logger:      redisLogger,
-		SQLBuilder:  sqlBuilderApp,
-		SQLExecutor: sqlExecutor,
-		Clock:       clockClock,
+		CookieDef: cookieDef2,
 	}
-	oAuthConfig := appConfig.OAuth
 	eventStoreRedis := &access.EventStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 	}
 	eventProvider := &access.EventProvider{
@@ -78925,7 +79340,7 @@ func newAPIAuthenticationFlowV1InputHandler(p *deps.RequestProvider) http.Handle
 		RemoteIP:        remoteIP,
 		UserAgentString: userAgentString,
 		AppID:           appID,
-		Redis:           handle,
+		Redis:           appredisHandle,
 		Store:           idpsessionStoreRedis,
 		AccessEvents:    eventProvider,
 		TrustProxy:      trustProxy,
@@ -78933,31 +79348,15 @@ func newAPIAuthenticationFlowV1InputHandler(p *deps.RequestProvider) http.Handle
 		Clock:           clockClock,
 		Random:          idpsessionRand,
 	}
-	globalUIImplementation := environmentConfig.UIImplementation
-	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
-	uiImplementationService := &web.UIImplementationService{
-		UIConfig:                       uiConfig,
-		GlobalUIImplementation:         globalUIImplementation,
-		GlobalUISettingsImplementation: globalUISettingsImplementation,
-	}
-	endpointsEndpoints := &endpoints.Endpoints{
-		HTTPHost:                httpHost,
-		HTTPProto:               httpProto,
-		UIImplementationService: uiImplementationService,
-	}
-	oauthclientResolver := &oauthclient.Resolver{
-		OAuthConfig:     oAuthConfig,
-		TesterEndpoints: endpointsEndpoints,
-	}
 	offlineGrantService := oauth2.OfflineGrantService{
 		OAuthConfig:    oAuthConfig,
 		Clock:          clockClock,
 		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
 	}
 	sessionManager := &oauth2.SessionManager{
-		Store:   redisStore,
+		Store:   store,
 		Config:  oAuthConfig,
 		Service: offlineGrantService,
 	}
@@ -78996,23 +79395,15 @@ func newAPIAuthenticationFlowV1InputHandler(p *deps.RequestProvider) http.Handle
 	identityFacade := facade.IdentityFacade{
 		Coordinator: coordinator,
 	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
 	anonymousStoreRedis := &anonymous.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
-	authenticatorFacade := facade.AuthenticatorFacade{
-		Coordinator: coordinator,
-	}
-	mfaFacade := &facade.MFAFacade{
-		Coordinator: coordinator,
-	}
-	customattrsService := &customattrs.Service{
-		Config:         userProfileConfig,
-		ServiceNoEvent: customattrsServiceNoEvent,
-		Events:         eventService,
-	}
 	messageSender := &otp.MessageSender{
 		AppID:           appID,
 		Translation:     translationService,
@@ -79020,8 +79411,28 @@ func newAPIAuthenticationFlowV1InputHandler(p *deps.RequestProvider) http.Handle
 		Sender:          sender,
 		WhatsappService: whatsappService,
 	}
-	workflowVerificationFacade := facade.WorkflowVerificationFacade{
-		Verification: verificationService,
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
 	}
 	forgotpasswordLogger := forgotpassword.NewLogger(factory)
 	sender2 := forgotpassword.Sender{
@@ -79040,233 +79451,279 @@ func newAPIAuthenticationFlowV1InputHandler(p *deps.RequestProvider) http.Handle
 		OTPSender:      messageSender,
 		PasswordSender: sender2,
 	}
-	accountMigrationConfig := appConfig.AccountMigration
-	accountMigrationHookConfig := accountMigrationConfig.Hook
-	hookDenoClient := accountmigration.NewHookDenoClient(denoEndpoint, hookLogger, accountMigrationHookConfig)
-	denoMiddlewareLogger := accountmigration.NewDenoMiddlewareLogger(factory)
-	accountMigrationDenoHook := &accountmigration.AccountMigrationDenoHook{
-		DenoHook: denoHook,
-		Client:   hookDenoClient,
-		Logger:   denoMiddlewareLogger,
-	}
-	hookWebHookImpl := &hook.WebHookImpl{
-		Logger: webHookLogger,
-		Secret: webhookKeyMaterials,
-	}
-	hookHTTPClient := accountmigration.NewHookHTTPClient(accountMigrationHookConfig)
-	webhookMiddlewareLogger := accountmigration.NewWebhookMiddlewareLogger(factory)
-	accountMigrationWebHook := &accountmigration.AccountMigrationWebHook{
-		WebHook: hookWebHookImpl,
-		Client:  hookHTTPClient,
-		Logger:  webhookMiddlewareLogger,
-	}
-	accountmigrationService := &accountmigration.Service{
-		Config:   accountMigrationHookConfig,
-		DenoHook: accountMigrationDenoHook,
-		WebHook:  accountMigrationWebHook,
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
 	}
 	challengeProvider := &challenge.Provider{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
-	captchaConfig := appConfig.Captcha
-	providerLogger := captcha.NewProviderLogger(factory)
-	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
-	cloudflareClient := captcha2.NewCloudflareClient(deprecated_CaptchaCloudflareCredentials)
-	captchaProvider := &captcha.Provider{
-		RemoteIP:         remoteIP,
-		Config:           captchaConfig,
-		Logger:           providerLogger,
-		CloudflareClient: cloudflareClient,
-	}
-	botProtectionConfig := appConfig.BotProtection
-	botprotectionProviderLogger := botprotection.NewProviderLogger(factory)
-	botProtectionProviderCredentials := deps.ProvideBotProtectionProvidersCredentials(secretConfig)
-	botprotectionCloudflareClient := botprotection.NewCloudflareClient(botProtectionProviderCredentials, environmentConfig)
-	recaptchaV2Client := botprotection.NewRecaptchaV2Client(botProtectionProviderCredentials, environmentConfig)
-	botprotectionProvider := &botprotection.Provider{
-		RemoteIP:          remoteIP,
-		Config:            botProtectionConfig,
-		Logger:            botprotectionProviderLogger,
-		CloudflareClient:  botprotectionCloudflareClient,
-		RecaptchaV2Client: recaptchaV2Client,
-		Events:            eventService,
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
 	}
-	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
-	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
-	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
 		Context: contextContext,
+		Redis:   appredisHandle,
 		AppID:   appID,
-		Redis:   handle,
-	}
-	oAuthProviderFactory := &sso.OAuthProviderFactory{
-		IdentityConfig:               identityConfig,
-		Credentials:                  oAuthSSOProviderCredentials,
-		Clock:                        clockClock,
-		StandardAttributesNormalizer: normalizer,
-		HTTPClient:                   oAuthHTTPClient,
-		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
-	}
-	requestOptionsService := &passkey2.RequestOptionsService{
-		ConfigService:   configService,
-		IdentityService: serviceService,
-		Store:           store2,
-	}
-	creationOptionsService := &passkey2.CreationOptionsService{
-		ConfigService:   configService,
-		UserService:     userQueries,
-		IdentityService: serviceService,
-		Store:           store2,
-	}
-	ldapConfig := identityConfig.LDAP
-	ldapServerUserCredentials := deps.ProvideLDAPServerUserCredentials(secretConfig)
-	clientFactory := &ldap2.ClientFactory{
-		Config:       ldapConfig,
-		SecretConfig: ldapServerUserCredentials,
 	}
 	manager2 := &session.Manager{
 		IDPSessions:         idpsessionManager,
 		AccessTokenSessions: sessionManager,
 		Events:              eventService,
 	}
-	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
-	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
-	userFacade := &facade.UserFacade{
-		UserProvider: userProvider,
-		Coordinator:  coordinator,
-	}
-	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
-	idTokenIssuer := &oidc.IDTokenIssuer{
-		Secrets:        oAuthKeyMaterials,
-		BaseURL:        endpointsEndpoints,
-		Users:          userQueries,
-		RolesAndGroups: queries,
-		Clock:          clockClock,
-	}
-	dependencies := &authenticationflow.Dependencies{
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
 		Config:                          appConfig,
 		FeatureConfig:                   featureConfig,
-		Clock:                           clockClock,
-		RemoteIP:                        remoteIP,
-		HTTPOrigin:                      httpOrigin,
-		HTTPRequest:                     request,
-		Users:                           userProvider,
+		OAuthClientResolver:             resolver,
+		OfflineGrants:                   store,
 		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
 		AnonymousIdentities:             anonymousProvider,
 		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
-		Authenticators:                  authenticatorFacade,
-		MFA:                             mfaFacade,
-		StdAttrsService:                 stdattrsService,
-		CustomAttrsService:              customattrsService,
-		OTPCodes:                        otpService,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
 		OTPSender:                       messageSender,
-		Verification:                    workflowVerificationFacade,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
 		ForgotPassword:                  forgotpasswordService,
 		ResetPassword:                   forgotpasswordService,
-		AccountMigrations:               accountmigrationService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
 		Challenges:                      challengeProvider,
-		Captcha:                         captchaProvider,
-		BotProtection:                   botprotectionProvider,
-		OAuthProviderFactory:            oAuthProviderFactory,
-		PasskeyRequestOptionsService:    requestOptionsService,
-		PasskeyCreationOptionsService:   creationOptionsService,
-		PasskeyService:                  passkeyService,
-		LoginIDs:                        provider,
-		LDAP:                            ldapProvider,
-		LDAPClientFactory:               clientFactory,
-		IDPSessions:                     idpsessionProvider,
-		Sessions:                        manager2,
-		AuthenticationInfos:             authenticationinfoStoreRedis,
-		SessionCookie:                   cookieDef,
-		MFADeviceTokenCookie:            mfaCookieDef,
-		UserFacade:                      userFacade,
-		Cookies:                         cookieManager,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
 		Events:                          eventService,
-		RateLimiter:                     limiter,
-		OfflineGrants:                   redisStore,
-		IDTokens:                        idTokenIssuer,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
 	}
-	authenticationflowServiceLogger := authenticationflow.NewServiceLogger(factory)
-	authenticationflowStoreImpl := &authenticationflow.StoreImpl{
-		Redis:   handle,
-		AppID:   appID,
-		Context: contextContext,
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
 	}
-	uiService := &authenticationinfo.UIService{
-		EndpointsProvider: endpointsEndpoints,
+	interactionService := &interaction.Service{
+		Logger:  logger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
 	}
-	authenticationflowService := &authenticationflow.Service{
-		ContextDoNotUseDirectly: contextContext,
-		Deps:                    dependencies,
-		Logger:                  authenticationflowServiceLogger,
-		Store:                   authenticationflowStoreImpl,
-		Database:                appdbHandle,
-		UIConfig:                uiConfig,
-		UIInfoResolver:          uiService,
-		OAuthClientResolver:     oauthclientResolver,
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  resolver,
+		Graph:                interactionService,
 	}
-	authenticationFlowV1InputHandler := &api.AuthenticationFlowV1InputHandler{
-		LoggerFactory: factory,
-		RedisHandle:   handle,
-		JSON:          jsonResponseWriter,
-		Cookies:       cookieManager,
-		Workflows:     authenticationflowService,
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
 	}
-	return authenticationFlowV1InputHandler
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               resolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
+	}
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
+	}
+	authflowV2NotFoundHandler := &authflowv2.AuthflowV2NotFoundHandler{
+		ControllerFactory: controllerFactory,
+		BaseViewModel:     baseViewModeler,
+		Renderer:          responseRenderer,
+	}
+	return authflowV2NotFoundHandler
 }
 
-func newAPIAuthenticationFlowV1GetHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppWebsocketHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	appID := appConfig.ID
 	factory := appProvider.LoggerFactory
 	handle := appProvider.Redis
-	jsonResponseWriterLogger := httputil.NewJSONResponseWriterLogger(factory)
-	jsonResponseWriter := &httputil.JSONResponseWriter{
-		Logger: jsonResponseWriterLogger,
+	publisher := webapp.NewPublisher(appID, handle)
+	websocketHandler := &webapp.WebsocketHandler{
+		AppID:         appID,
+		LoggerFactory: factory,
+		RedisHandle:   handle,
+		Publisher:     publisher,
 	}
+	return websocketHandler
+}
+
+func newWebAppPasskeyCreationOptionsHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	factory := appProvider.LoggerFactory
+	serviceLogger := webapp2.NewServiceLogger(factory)
 	request := p.Request
-	contextContext := deps.ProvideRequestContext(request)
 	appContext := appProvider.AppContext
 	config := appContext.Config
 	appConfig := config.AppConfig
-	featureConfig := config.FeatureConfig
-	clockClock := _wireSystemClockValue
+	appID := appConfig.ID
+	handle := appProvider.Redis
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: handle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	authenticationConfig := appConfig.Authentication
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
 	rootProvider := appProvider.RootProvider
 	environmentConfig := rootProvider.EnvironmentConfig
 	trustProxy := environmentConfig.TrustProxy
-	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
-	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
-	secretConfig := config.SecretConfig
-	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
-	appID := appConfig.ID
-	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	appdbHandle := appProvider.AppDatabase
-	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
-	store := &user.Store{
-		SQLBuilder:  sqlBuilderApp,
-		SQLExecutor: sqlExecutor,
-		Clock:       clockClock,
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
 		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: handle,
+		Cookies:     cookieManager,
 	}
-	rawCommands := &user.RawCommands{
-		Store: store,
-		Clock: clockClock,
-	}
-	rawQueries := &user.RawQueries{
-		Store: store,
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	resolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	logger := interaction.NewLogger(factory)
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	contextContext := deps.ProvideRequestContext(request)
+	appdbHandle := appProvider.AppDatabase
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
+	clockClock := _wireSystemClockValue
+	featureConfig := config.FeatureConfig
+	redisLogger := redis.NewLogger(factory)
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	store := &redis.Store{
+		Context:     contextContext,
+		Redis:       handle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
 	}
 	userAgentString := deps.ProvideUserAgentString(request)
-	logger := event.NewLogger(factory)
+	eventLogger := event.NewLogger(factory)
 	localizationConfig := appConfig.Localization
 	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
 	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
-	authenticationConfig := appConfig.Authentication
+	userStore := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: userStore,
+	}
 	identityConfig := appConfig.Identity
 	identityFeatureConfig := featureConfig.Identity
 	serviceStore := &service.Store{
@@ -79278,7 +79735,6 @@ func newAPIAuthenticationFlowV1GetHandler(p *deps.RequestProvider) http.Handler
 		SQLExecutor: sqlExecutor,
 	}
 	loginIDConfig := identityConfig.LoginID
-	uiConfig := appConfig.UI
 	manager := appContext.Resources
 	typeCheckerFactory := &loginid.TypeCheckerFactory{
 		UIConfig:      uiConfig,
@@ -79336,14 +79792,15 @@ func newAPIAuthenticationFlowV1GetHandler(p *deps.RequestProvider) http.Handler
 	}
 	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
 	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
-	resolver := &template.Resolver{
+	templateResolver := &template.Resolver{
 		Resources:             manager,
 		DefaultLanguageTag:    defaultLanguageTag,
 		SupportedLanguageTags: supportedLanguageTags,
 	}
 	engine := &template.Engine{
-		Resolver: resolver,
+		Resolver: templateResolver,
 	}
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
 	staticAssetResolver := &web.StaticAssetResolver{
@@ -79583,14 +80040,14 @@ func newAPIAuthenticationFlowV1GetHandler(p *deps.RequestProvider) http.Handler
 		UserProfileConfig: userProfileConfig,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         store,
+		UserStore:         userStore,
 		ClaimStore:        storePQ,
 		Transformer:       pictureTransformer,
 	}
 	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
 		Config:      userProfileConfig,
 		UserQueries: rawQueries,
-		UserStore:   store,
+		UserStore:   userStore,
 	}
 	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
 	web3Service := &web3.Service{
@@ -79607,7 +80064,7 @@ func newAPIAuthenticationFlowV1GetHandler(p *deps.RequestProvider) http.Handler
 	}
 	userQueries := &user.Queries{
 		RawQueries:         rawQueries,
-		Store:              store,
+		Store:              userStore,
 		Identities:         serviceService,
 		Authenticators:     service3,
 		Verification:       verificationService,
@@ -79689,7 +80146,7 @@ func newAPIAuthenticationFlowV1GetHandler(p *deps.RequestProvider) http.Handler
 		AppID:           appID,
 		Client:          client,
 		Users:           userQueries,
-		UserStore:       store,
+		UserStore:       userStore,
 		IdentityService: serviceService,
 		RolesGroups:     rolesgroupsStore,
 		TaskQueue:       queue,
@@ -79700,22 +80157,7 @@ func newAPIAuthenticationFlowV1GetHandler(p *deps.RequestProvider) http.Handler
 		Service:  elasticsearchService,
 		Database: appdbHandle,
 	}
-	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
-	userCommands := &user.Commands{
-		RawCommands:        rawCommands,
-		RawQueries:         rawQueries,
-		Events:             eventService,
-		Verification:       verificationService,
-		UserProfileConfig:  userProfileConfig,
-		StandardAttributes: serviceNoEvent,
-		CustomAttributes:   customattrsServiceNoEvent,
-		Web3:               web3Service,
-		RolesAndGroups:     queries,
-	}
-	userProvider := &user.Provider{
-		Commands: userCommands,
-		Queries:  userQueries,
-	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
 	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
 		Redis: handle,
 		AppID: appID,
@@ -79760,7 +80202,7 @@ func newAPIAuthenticationFlowV1GetHandler(p *deps.RequestProvider) http.Handler
 		FeatureConfig: messagingFeatureConfig,
 		EnvConfig:     rateLimitsEnvironmentConfig,
 	}
-	serviceLogger := whatsapp.NewServiceLogger(factory)
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
 	devMode := environmentConfig.DevMode
 	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
 	testModeWhatsappConfig := testModeConfig.Whatsapp
@@ -79774,7 +80216,7 @@ func newAPIAuthenticationFlowV1GetHandler(p *deps.RequestProvider) http.Handler
 	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
 	whatsappService := &whatsapp.Service{
 		Context:                           contextContext,
-		Logger:                            serviceLogger,
+		Logger:                            whatsappServiceLogger,
 		DevMode:                           devMode,
 		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
 		TestModeWhatsappConfig:            testModeWhatsappConfig,
@@ -79796,12 +80238,27 @@ func newAPIAuthenticationFlowV1GetHandler(p *deps.RequestProvider) http.Handler
 		Sender:      sender,
 		Translation: translationService,
 	}
+	rawCommands := &user.RawCommands{
+		Store: userStore,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
 	stdattrsService := &stdattrs2.Service{
 		UserProfileConfig: userProfileConfig,
 		ServiceNoEvent:    serviceNoEvent,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         store,
+		UserStore:         userStore,
 		Events:            eventService,
 	}
 	authorizationStore := &pq.AuthorizationStore{
@@ -79816,26 +80273,13 @@ func newAPIAuthenticationFlowV1GetHandler(p *deps.RequestProvider) http.Handler
 		Logger: storeRedisLogger,
 	}
 	sessionConfig := appConfig.Session
-	httpConfig := appConfig.HTTP
-	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
-	cookieDef := session.NewSessionCookieDef(sessionConfig)
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
 	idpsessionManager := &idpsession.Manager{
 		Store:     idpsessionStoreRedis,
 		Config:    sessionConfig,
 		Cookies:   cookieManager,
-		CookieDef: cookieDef,
-	}
-	redisLogger := redis.NewLogger(factory)
-	redisStore := &redis.Store{
-		Context:     contextContext,
-		Redis:       handle,
-		AppID:       appID,
-		Logger:      redisLogger,
-		SQLBuilder:  sqlBuilderApp,
-		SQLExecutor: sqlExecutor,
-		Clock:       clockClock,
+		CookieDef: cookieDef2,
 	}
-	oAuthConfig := appConfig.OAuth
 	eventStoreRedis := &access.EventStoreRedis{
 		Redis: handle,
 		AppID: appID,
@@ -79857,31 +80301,15 @@ func newAPIAuthenticationFlowV1GetHandler(p *deps.RequestProvider) http.Handler
 		Clock:           clockClock,
 		Random:          idpsessionRand,
 	}
-	globalUIImplementation := environmentConfig.UIImplementation
-	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
-	uiImplementationService := &web.UIImplementationService{
-		UIConfig:                       uiConfig,
-		GlobalUIImplementation:         globalUIImplementation,
-		GlobalUISettingsImplementation: globalUISettingsImplementation,
-	}
-	endpointsEndpoints := &endpoints.Endpoints{
-		HTTPHost:                httpHost,
-		HTTPProto:               httpProto,
-		UIImplementationService: uiImplementationService,
-	}
-	oauthclientResolver := &oauthclient.Resolver{
-		OAuthConfig:     oAuthConfig,
-		TesterEndpoints: endpointsEndpoints,
-	}
 	offlineGrantService := oauth2.OfflineGrantService{
 		OAuthConfig:    oAuthConfig,
 		Clock:          clockClock,
 		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
 	}
 	sessionManager := &oauth2.SessionManager{
-		Store:   redisStore,
+		Store:   store,
 		Config:  oAuthConfig,
 		Service: offlineGrantService,
 	}
@@ -79920,23 +80348,15 @@ func newAPIAuthenticationFlowV1GetHandler(p *deps.RequestProvider) http.Handler
 	identityFacade := facade.IdentityFacade{
 		Coordinator: coordinator,
 	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
 	anonymousStoreRedis := &anonymous.StoreRedis{
 		Context: contextContext,
 		Redis:   handle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
-	authenticatorFacade := facade.AuthenticatorFacade{
-		Coordinator: coordinator,
-	}
-	mfaFacade := &facade.MFAFacade{
-		Coordinator: coordinator,
-	}
-	customattrsService := &customattrs.Service{
-		Config:         userProfileConfig,
-		ServiceNoEvent: customattrsServiceNoEvent,
-		Events:         eventService,
-	}
 	messageSender := &otp.MessageSender{
 		AppID:           appID,
 		Translation:     translationService,
@@ -79944,8 +80364,28 @@ func newAPIAuthenticationFlowV1GetHandler(p *deps.RequestProvider) http.Handler
 		Sender:          sender,
 		WhatsappService: whatsappService,
 	}
-	workflowVerificationFacade := facade.WorkflowVerificationFacade{
-		Verification: verificationService,
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   handle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
 	}
 	forgotpasswordLogger := forgotpassword.NewLogger(factory)
 	sender2 := forgotpassword.Sender{
@@ -79964,291 +80404,207 @@ func newAPIAuthenticationFlowV1GetHandler(p *deps.RequestProvider) http.Handler
 		OTPSender:      messageSender,
 		PasswordSender: sender2,
 	}
-	accountMigrationConfig := appConfig.AccountMigration
-	accountMigrationHookConfig := accountMigrationConfig.Hook
-	hookDenoClient := accountmigration.NewHookDenoClient(denoEndpoint, hookLogger, accountMigrationHookConfig)
-	denoMiddlewareLogger := accountmigration.NewDenoMiddlewareLogger(factory)
-	accountMigrationDenoHook := &accountmigration.AccountMigrationDenoHook{
-		DenoHook: denoHook,
-		Client:   hookDenoClient,
-		Logger:   denoMiddlewareLogger,
-	}
-	hookWebHookImpl := &hook.WebHookImpl{
-		Logger: webHookLogger,
-		Secret: webhookKeyMaterials,
-	}
-	hookHTTPClient := accountmigration.NewHookHTTPClient(accountMigrationHookConfig)
-	webhookMiddlewareLogger := accountmigration.NewWebhookMiddlewareLogger(factory)
-	accountMigrationWebHook := &accountmigration.AccountMigrationWebHook{
-		WebHook: hookWebHookImpl,
-		Client:  hookHTTPClient,
-		Logger:  webhookMiddlewareLogger,
-	}
-	accountmigrationService := &accountmigration.Service{
-		Config:   accountMigrationHookConfig,
-		DenoHook: accountMigrationDenoHook,
-		WebHook:  accountMigrationWebHook,
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
 	}
 	challengeProvider := &challenge.Provider{
 		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
-	captchaConfig := appConfig.Captcha
-	providerLogger := captcha.NewProviderLogger(factory)
-	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
-	cloudflareClient := captcha2.NewCloudflareClient(deprecated_CaptchaCloudflareCredentials)
-	captchaProvider := &captcha.Provider{
-		RemoteIP:         remoteIP,
-		Config:           captchaConfig,
-		Logger:           providerLogger,
-		CloudflareClient: cloudflareClient,
-	}
-	botProtectionConfig := appConfig.BotProtection
-	botprotectionProviderLogger := botprotection.NewProviderLogger(factory)
-	botProtectionProviderCredentials := deps.ProvideBotProtectionProvidersCredentials(secretConfig)
-	botprotectionCloudflareClient := botprotection.NewCloudflareClient(botProtectionProviderCredentials, environmentConfig)
-	recaptchaV2Client := botprotection.NewRecaptchaV2Client(botProtectionProviderCredentials, environmentConfig)
-	botprotectionProvider := &botprotection.Provider{
-		RemoteIP:          remoteIP,
-		Config:            botProtectionConfig,
-		Logger:            botprotectionProviderLogger,
-		CloudflareClient:  botprotectionCloudflareClient,
-		RecaptchaV2Client: recaptchaV2Client,
-		Events:            eventService,
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
 	}
-	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
-	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
-	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
 		Context: contextContext,
-		AppID:   appID,
 		Redis:   handle,
-	}
-	oAuthProviderFactory := &sso.OAuthProviderFactory{
-		IdentityConfig:               identityConfig,
-		Credentials:                  oAuthSSOProviderCredentials,
-		Clock:                        clockClock,
-		StandardAttributesNormalizer: normalizer,
-		HTTPClient:                   oAuthHTTPClient,
-		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
-	}
-	requestOptionsService := &passkey2.RequestOptionsService{
-		ConfigService:   configService,
-		IdentityService: serviceService,
-		Store:           store2,
-	}
-	creationOptionsService := &passkey2.CreationOptionsService{
-		ConfigService:   configService,
-		UserService:     userQueries,
-		IdentityService: serviceService,
-		Store:           store2,
-	}
-	ldapConfig := identityConfig.LDAP
-	ldapServerUserCredentials := deps.ProvideLDAPServerUserCredentials(secretConfig)
-	clientFactory := &ldap2.ClientFactory{
-		Config:       ldapConfig,
-		SecretConfig: ldapServerUserCredentials,
+		AppID:   appID,
 	}
 	manager2 := &session.Manager{
 		IDPSessions:         idpsessionManager,
 		AccessTokenSessions: sessionManager,
 		Events:              eventService,
 	}
-	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
 		Context: contextContext,
 		Redis:   handle,
 		AppID:   appID,
 	}
-	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
-	userFacade := &facade.UserFacade{
-		UserProvider: userProvider,
-		Coordinator:  coordinator,
-	}
-	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
-	idTokenIssuer := &oidc.IDTokenIssuer{
-		Secrets:        oAuthKeyMaterials,
-		BaseURL:        endpointsEndpoints,
-		Users:          userQueries,
-		RolesAndGroups: queries,
-		Clock:          clockClock,
-	}
-	dependencies := &authenticationflow.Dependencies{
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
 		Config:                          appConfig,
 		FeatureConfig:                   featureConfig,
-		Clock:                           clockClock,
-		RemoteIP:                        remoteIP,
-		HTTPOrigin:                      httpOrigin,
-		HTTPRequest:                     request,
-		Users:                           userProvider,
+		OAuthClientResolver:             resolver,
+		OfflineGrants:                   store,
 		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
 		AnonymousIdentities:             anonymousProvider,
 		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
-		Authenticators:                  authenticatorFacade,
-		MFA:                             mfaFacade,
-		StdAttrsService:                 stdattrsService,
-		CustomAttrsService:              customattrsService,
-		OTPCodes:                        otpService,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
 		OTPSender:                       messageSender,
-		Verification:                    workflowVerificationFacade,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
 		ForgotPassword:                  forgotpasswordService,
 		ResetPassword:                   forgotpasswordService,
-		AccountMigrations:               accountmigrationService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
 		Challenges:                      challengeProvider,
-		Captcha:                         captchaProvider,
-		BotProtection:                   botprotectionProvider,
-		OAuthProviderFactory:            oAuthProviderFactory,
-		PasskeyRequestOptionsService:    requestOptionsService,
-		PasskeyCreationOptionsService:   creationOptionsService,
-		PasskeyService:                  passkeyService,
-		LoginIDs:                        provider,
-		LDAP:                            ldapProvider,
-		LDAPClientFactory:               clientFactory,
-		IDPSessions:                     idpsessionProvider,
-		Sessions:                        manager2,
-		AuthenticationInfos:             authenticationinfoStoreRedis,
-		SessionCookie:                   cookieDef,
-		MFADeviceTokenCookie:            mfaCookieDef,
-		UserFacade:                      userFacade,
-		Cookies:                         cookieManager,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
 		Events:                          eventService,
-		RateLimiter:                     limiter,
-		OfflineGrants:                   redisStore,
-		IDTokens:                        idTokenIssuer,
-	}
-	authenticationflowServiceLogger := authenticationflow.NewServiceLogger(factory)
-	authenticationflowStoreImpl := &authenticationflow.StoreImpl{
-		Redis:   handle,
-		AppID:   appID,
-		Context: contextContext,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
 	}
-	uiService := &authenticationinfo.UIService{
-		EndpointsProvider: endpointsEndpoints,
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: handle,
+		AppID: appID,
 	}
-	authenticationflowService := &authenticationflow.Service{
-		ContextDoNotUseDirectly: contextContext,
-		Deps:                    dependencies,
-		Logger:                  authenticationflowServiceLogger,
-		Store:                   authenticationflowStoreImpl,
-		Database:                appdbHandle,
-		UIConfig:                uiConfig,
-		UIInfoResolver:          uiService,
-		OAuthClientResolver:     oauthclientResolver,
+	interactionService := &interaction.Service{
+		Logger:  logger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
 	}
-	authenticationFlowV1GetHandler := &api.AuthenticationFlowV1GetHandler{
-		LoggerFactory: factory,
-		RedisHandle:   handle,
-		JSON:          jsonResponseWriter,
-		Workflows:     authenticationflowService,
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  resolver,
+		Graph:                interactionService,
 	}
-	return authenticationFlowV1GetHandler
-}
-
-func newAPIAuthenticationFlowV1WebsocketHandler(p *deps.RequestProvider) http.Handler {
-	appProvider := p.AppProvider
-	factory := appProvider.LoggerFactory
-	handle := appProvider.Redis
-	appContext := appProvider.AppContext
-	config := appContext.Config
-	appConfig := config.AppConfig
-	httpConfig := appConfig.HTTP
-	oAuthConfig := appConfig.OAuth
-	samlConfig := appConfig.SAML
-	rootProvider := appProvider.RootProvider
-	environmentConfig := rootProvider.EnvironmentConfig
-	corsAllowedOrigins := environmentConfig.CORSAllowedOrigins
-	corsMatcher := &middleware.CORSMatcher{
-		Config:             httpConfig,
-		OAuthConfig:        oAuthConfig,
-		SAMLConfig:         samlConfig,
-		CORSAllowedOrigins: corsAllowedOrigins,
+	jsonResponseWriterLogger := httputil.NewJSONResponseWriterLogger(factory)
+	jsonResponseWriter := &httputil.JSONResponseWriter{
+		Logger: jsonResponseWriterLogger,
 	}
-	appID := appConfig.ID
-	request := p.Request
-	contextContext := deps.ProvideRequestContext(request)
-	storeImpl := &authenticationflow.StoreImpl{
-		Redis:   handle,
-		AppID:   appID,
-		Context: contextContext,
+	creationOptionsService := &passkey2.CreationOptionsService{
+		ConfigService:   configService,
+		UserService:     userQueries,
+		IdentityService: serviceService,
+		Store:           store2,
 	}
-	websocketEventStore := authenticationflow.NewWebsocketEventStore(appID, handle, storeImpl)
-	authenticationFlowV1WebsocketHandler := &api.AuthenticationFlowV1WebsocketHandler{
-		LoggerFactory: factory,
-		RedisHandle:   handle,
-		OriginMatcher: corsMatcher,
-		Events:        websocketEventStore,
+	passkeyCreationOptionsHandler := &webapp.PasskeyCreationOptionsHandler{
+		Page:     webappService2,
+		Database: appdbHandle,
+		JSON:     jsonResponseWriter,
+		Passkey:  creationOptionsService,
 	}
-	return authenticationFlowV1WebsocketHandler
+	return passkeyCreationOptionsHandler
 }
 
-func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppPasskeyRequestOptionsHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
-	jsonResponseWriterLogger := httputil.NewJSONResponseWriterLogger(factory)
-	jsonResponseWriter := &httputil.JSONResponseWriter{
-		Logger: jsonResponseWriterLogger,
-	}
-	handle := appProvider.AppDatabase
+	serviceLogger := webapp2.NewServiceLogger(factory)
 	request := p.Request
-	contextContext := deps.ProvideRequestContext(request)
 	appContext := appProvider.AppContext
 	config := appContext.Config
 	appConfig := config.AppConfig
 	appID := appConfig.ID
-	appredisHandle := appProvider.Redis
-	clockClock := _wireSystemClockValue
-	redisStore := &accountmanagement.RedisStore{
-		Context: contextContext,
-		AppID:   appID,
-		Redis:   appredisHandle,
-		Clock:   clockClock,
-	}
-	identityConfig := appConfig.Identity
-	secretConfig := config.SecretConfig
-	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
-	loginIDConfig := identityConfig.LoginID
-	normalizerFactory := &loginid.NormalizerFactory{
-		Config: loginIDConfig,
-	}
-	normalizer := &stdattrs.Normalizer{
-		LoginIDNormalizerFactory: normalizerFactory,
+	handle := appProvider.Redis
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: handle,
 	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	authenticationConfig := appConfig.Authentication
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
 	rootProvider := appProvider.RootProvider
 	environmentConfig := rootProvider.EnvironmentConfig
-	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
-	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
-		Context: contextContext,
-		AppID:   appID,
-		Redis:   appredisHandle,
-	}
-	oAuthProviderFactory := &sso.OAuthProviderFactory{
-		IdentityConfig:               identityConfig,
-		Credentials:                  oAuthSSOProviderCredentials,
-		Clock:                        clockClock,
-		StandardAttributesNormalizer: normalizer,
-		HTTPClient:                   oAuthHTTPClient,
-		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
-	}
 	trustProxy := environmentConfig.TrustProxy
-	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
-	userAgentString := deps.ProvideUserAgentString(request)
-	logger := event.NewLogger(factory)
-	localizationConfig := appConfig.Localization
-	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
-	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
-	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
-	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
-	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	store := &user.Store{
-		SQLBuilder:  sqlBuilderApp,
-		SQLExecutor: sqlExecutor,
-		Clock:       clockClock,
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
 		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: handle,
+		Cookies:     cookieManager,
 	}
-	rawQueries := &user.RawQueries{
-		Store: store,
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
 	}
-	authenticationConfig := appConfig.Authentication
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	resolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	logger := interaction.NewLogger(factory)
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	contextContext := deps.ProvideRequestContext(request)
+	appdbHandle := appProvider.AppDatabase
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
+	clockClock := _wireSystemClockValue
 	featureConfig := config.FeatureConfig
+	redisLogger := redis.NewLogger(factory)
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	store := &redis.Store{
+		Context:     contextContext,
+		Redis:       handle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	eventLogger := event.NewLogger(factory)
+	localizationConfig := appConfig.Localization
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	userStore := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: userStore,
+	}
+	identityConfig := appConfig.Identity
 	identityFeatureConfig := featureConfig.Identity
 	serviceStore := &service.Store{
 		SQLBuilder:  sqlBuilderApp,
@@ -80258,7 +80614,7 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 	}
-	uiConfig := appConfig.UI
+	loginIDConfig := identityConfig.LoginID
 	manager := appContext.Resources
 	typeCheckerFactory := &loginid.TypeCheckerFactory{
 		UIConfig:      uiConfig,
@@ -80269,6 +80625,9 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 		Config:             loginIDConfig,
 		TypeCheckerFactory: typeCheckerFactory,
 	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
 	provider := &loginid.Provider{
 		Store:             loginidStore,
 		Config:            loginIDConfig,
@@ -80308,21 +80667,19 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 	}
 	store2 := &passkey2.Store{
 		Context: contextContext,
-		Redis:   appredisHandle,
+		Redis:   handle,
 		AppID:   appID,
 	}
 	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
 	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
-	resolver := &template.Resolver{
+	templateResolver := &template.Resolver{
 		Resources:             manager,
 		DefaultLanguageTag:    defaultLanguageTag,
 		SupportedLanguageTags: supportedLanguageTags,
 	}
 	engine := &template.Engine{
-		Resolver: resolver,
+		Resolver: templateResolver,
 	}
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
 	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
@@ -80361,14 +80718,14 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 	web3Config := appConfig.Web3
 	storeRedis := &siwe2.StoreRedis{
 		Context: contextContext,
-		Redis:   appredisHandle,
+		Redis:   handle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
 	ratelimitLogger := ratelimit.NewLogger(factory)
 	storageRedis := &ratelimit.StorageRedis{
 		AppID: appID,
-		Redis: appredisHandle,
+		Redis: handle,
 	}
 	rateLimitsFeatureConfig := featureConfig.RateLimits
 	limiter := &ratelimit.Limiter{
@@ -80396,6 +80753,9 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
 	ldapProvider := &ldap.Provider{
 		Store:                        ldapStore,
 		Clock:                        clockClock,
@@ -80480,17 +80840,17 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 	testModeConfig := appConfig.TestMode
 	testModeFeatureConfig := featureConfig.TestMode
 	codeStoreRedis := &otp.CodeStoreRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	lookupStoreRedis := &otp.LookupStoreRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	attemptTrackerRedis := &otp.AttemptTrackerRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -80516,7 +80876,7 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 	lockoutLogger := lockout.NewLogger(factory)
 	lockoutStorageRedis := &lockout.StorageRedis{
 		AppID: appID,
-		Redis: appredisHandle,
+		Redis: handle,
 	}
 	lockoutService := &lockout.Service{
 		Logger:  lockoutLogger,
@@ -80560,14 +80920,14 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 		UserProfileConfig: userProfileConfig,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         store,
+		UserStore:         userStore,
 		ClaimStore:        storePQ,
 		Transformer:       pictureTransformer,
 	}
 	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
 		Config:      userProfileConfig,
 		UserQueries: rawQueries,
-		UserStore:   store,
+		UserStore:   userStore,
 	}
 	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
 	web3Service := &web3.Service{
@@ -80584,7 +80944,7 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 	}
 	userQueries := &user.Queries{
 		RawQueries:         rawQueries,
-		Store:              store,
+		Store:              userStore,
 		Identities:         serviceService,
 		Authenticators:     service3,
 		Verification:       verificationService,
@@ -80657,16 +81017,16 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
 	client := elasticsearch.NewClient(elasticsearchCredentials)
 	queue := appProvider.TaskQueue
-	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
+	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
 	elasticsearchService := elasticsearch.Service{
 		Clock:           clockClock,
 		Context:         contextContext,
-		Database:        handle,
+		Database:        appdbHandle,
 		Logger:          elasticsearchServiceLogger,
 		AppID:           appID,
 		Client:          client,
 		Users:           userQueries,
-		UserStore:       store,
+		UserStore:       userStore,
 		IdentityService: serviceService,
 		RolesGroups:     rolesgroupsStore,
 		TaskQueue:       queue,
@@ -80675,11 +81035,11 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 	elasticsearchSink := &elasticsearch.Sink{
 		Logger:   elasticsearchLogger,
 		Service:  elasticsearchService,
-		Database: handle,
+		Database: appdbHandle,
 	}
-	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
 	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -80707,7 +81067,7 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 		Logger: usageLogger,
 		Clock:  clockClock,
 		AppID:  appID,
-		Redis:  appredisHandle,
+		Redis:  handle,
 	}
 	messagingConfig := appConfig.Messaging
 	messagingRateLimitsConfig := messagingConfig.RateLimits
@@ -80722,21 +81082,21 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 		FeatureConfig: messagingFeatureConfig,
 		EnvConfig:     rateLimitsEnvironmentConfig,
 	}
-	serviceLogger := whatsapp.NewServiceLogger(factory)
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
 	devMode := environmentConfig.DevMode
 	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
 	testModeWhatsappConfig := testModeConfig.Whatsapp
 	whatsappConfig := messagingConfig.Whatsapp
 	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
 	tokenStore := &whatsapp.TokenStore{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
 	whatsappService := &whatsapp.Service{
 		Context:                           contextContext,
-		Logger:                            serviceLogger,
+		Logger:                            whatsappServiceLogger,
 		DevMode:                           devMode,
 		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
 		TestModeWhatsappConfig:            testModeWhatsappConfig,
@@ -80759,7 +81119,7 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 		Translation: translationService,
 	}
 	rawCommands := &user.RawCommands{
-		Store: store,
+		Store: userStore,
 		Clock: clockClock,
 	}
 	userCommands := &user.Commands{
@@ -80778,7 +81138,7 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 		ServiceNoEvent:    serviceNoEvent,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         store,
+		UserStore:         userStore,
 		Events:            eventService,
 	}
 	authorizationStore := &pq.AuthorizationStore{
@@ -80787,34 +81147,21 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 	}
 	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
 	idpsessionStoreRedis := &idpsession.StoreRedis{
-		Redis:  appredisHandle,
+		Redis:  handle,
 		AppID:  appID,
 		Clock:  clockClock,
 		Logger: storeRedisLogger,
 	}
 	sessionConfig := appConfig.Session
-	httpConfig := appConfig.HTTP
-	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
-	cookieDef := session.NewSessionCookieDef(sessionConfig)
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
 	idpsessionManager := &idpsession.Manager{
 		Store:     idpsessionStoreRedis,
 		Config:    sessionConfig,
 		Cookies:   cookieManager,
-		CookieDef: cookieDef,
-	}
-	redisLogger := redis.NewLogger(factory)
-	store5 := &redis.Store{
-		Context:     contextContext,
-		Redis:       appredisHandle,
-		AppID:       appID,
-		Logger:      redisLogger,
-		SQLBuilder:  sqlBuilderApp,
-		SQLExecutor: sqlExecutor,
-		Clock:       clockClock,
+		CookieDef: cookieDef2,
 	}
-	oAuthConfig := appConfig.OAuth
 	eventStoreRedis := &access.EventStoreRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 	}
 	eventProvider := &access.EventProvider{
@@ -80826,7 +81173,7 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 		RemoteIP:        remoteIP,
 		UserAgentString: userAgentString,
 		AppID:           appID,
-		Redis:           appredisHandle,
+		Redis:           handle,
 		Store:           idpsessionStoreRedis,
 		AccessEvents:    eventProvider,
 		TrustProxy:      trustProxy,
@@ -80834,31 +81181,15 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 		Clock:           clockClock,
 		Random:          idpsessionRand,
 	}
-	globalUIImplementation := environmentConfig.UIImplementation
-	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
-	uiImplementationService := &web.UIImplementationService{
-		UIConfig:                       uiConfig,
-		GlobalUIImplementation:         globalUIImplementation,
-		GlobalUISettingsImplementation: globalUISettingsImplementation,
-	}
-	endpointsEndpoints := &endpoints.Endpoints{
-		HTTPHost:                httpHost,
-		HTTPProto:               httpProto,
-		UIImplementationService: uiImplementationService,
-	}
-	oauthclientResolver := &oauthclient.Resolver{
-		OAuthConfig:     oAuthConfig,
-		TesterEndpoints: endpointsEndpoints,
-	}
 	offlineGrantService := oauth2.OfflineGrantService{
 		OAuthConfig:    oAuthConfig,
 		Clock:          clockClock,
 		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  store5,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
 	}
 	sessionManager := &oauth2.SessionManager{
-		Store:   store5,
+		Store:   store,
 		Config:  oAuthConfig,
 		Service: offlineGrantService,
 	}
@@ -80894,62 +81225,31 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 		Clock:                      clockClock,
 		PasswordGenerator:          generator,
 	}
-	identityFacade := &facade.IdentityFacade{
+	identityFacade := facade.IdentityFacade{
 		Coordinator: coordinator,
 	}
-	accountmanagementService := &accountmanagement.Service{
-		Database:      handle,
-		Store:         redisStore,
-		OAuthProvider: oAuthProviderFactory,
-		Identities:    identityFacade,
-		Events:        eventService,
-	}
-	accountManagementV1IdentificationHandler := &api.AccountManagementV1IdentificationHandler{
-		JSON:    jsonResponseWriter,
-		Service: accountmanagementService,
-	}
-	return accountManagementV1IdentificationHandler
-}
-
-func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider) http.Handler {
-	appProvider := p.AppProvider
-	factory := appProvider.LoggerFactory
-	jsonResponseWriterLogger := httputil.NewJSONResponseWriterLogger(factory)
-	jsonResponseWriter := &httputil.JSONResponseWriter{
-		Logger: jsonResponseWriterLogger,
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
 	}
-	handle := appProvider.AppDatabase
-	request := p.Request
-	contextContext := deps.ProvideRequestContext(request)
-	appContext := appProvider.AppContext
-	config := appContext.Config
-	appConfig := config.AppConfig
-	appID := appConfig.ID
-	appredisHandle := appProvider.Redis
-	clockClock := _wireSystemClockValue
-	redisStore := &accountmanagement.RedisStore{
+	anonymousStoreRedis := &anonymous.StoreRedis{
 		Context: contextContext,
+		Redis:   handle,
 		AppID:   appID,
-		Redis:   appredisHandle,
 		Clock:   clockClock,
 	}
-	identityConfig := appConfig.Identity
-	secretConfig := config.SecretConfig
-	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
-	loginIDConfig := identityConfig.LoginID
-	normalizerFactory := &loginid.NormalizerFactory{
-		Config: loginIDConfig,
-	}
-	normalizer := &stdattrs.Normalizer{
-		LoginIDNormalizerFactory: normalizerFactory,
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
 	}
-	rootProvider := appProvider.RootProvider
-	environmentConfig := rootProvider.EnvironmentConfig
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
 	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
 	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
 		Context: contextContext,
 		AppID:   appID,
-		Redis:   appredisHandle,
+		Redis:   handle,
 	}
 	oAuthProviderFactory := &sso.OAuthProviderFactory{
 		IdentityConfig:               identityConfig,
@@ -80959,27 +81259,231 @@ func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider
 		HTTPClient:                   oAuthHTTPClient,
 		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
 	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		OAuthClientResolver:             resolver,
+		OfflineGrants:                   store,
+		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
+		OTPSender:                       messageSender,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
+		Challenges:                      challengeProvider,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
+		Events:                          eventService,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
+	}
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: handle,
+		AppID: appID,
+	}
+	interactionService := &interaction.Service{
+		Logger:  logger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
+	}
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  resolver,
+		Graph:                interactionService,
+	}
+	jsonResponseWriterLogger := httputil.NewJSONResponseWriterLogger(factory)
+	jsonResponseWriter := &httputil.JSONResponseWriter{
+		Logger: jsonResponseWriterLogger,
+	}
+	requestOptionsService := &passkey2.RequestOptionsService{
+		ConfigService:   configService,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	passkeyRequestOptionsHandler := &webapp.PasskeyRequestOptionsHandler{
+		Page:     webappService2,
+		Database: appdbHandle,
+		JSON:     jsonResponseWriter,
+		Passkey:  requestOptionsService,
+	}
+	return passkeyRequestOptionsHandler
+}
+
+func newWebAppConnectWeb3AccountHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	factory := appProvider.LoggerFactory
+	handle := appProvider.AppDatabase
+	appredisHandle := appProvider.Redis
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	appID := appConfig.ID
+	serviceLogger := webapp2.NewServiceLogger(factory)
+	request := p.Request
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	authenticationConfig := appConfig.Authentication
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
 	trustProxy := environmentConfig.TrustProxy
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	resolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	logger := interaction.NewLogger(factory)
 	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	clockClock := _wireSystemClockValue
+	featureConfig := config.FeatureConfig
+	redisLogger := redis.NewLogger(factory)
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	store := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
 	userAgentString := deps.ProvideUserAgentString(request)
-	logger := event.NewLogger(factory)
+	eventLogger := event.NewLogger(factory)
 	localizationConfig := appConfig.Localization
-	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
 	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
-	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
 	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
-	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	store := &user.Store{
+	userStore := &user.Store{
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 		Clock:       clockClock,
 		AppID:       appID,
 	}
 	rawQueries := &user.RawQueries{
-		Store: store,
+		Store: userStore,
 	}
-	authenticationConfig := appConfig.Authentication
-	featureConfig := config.FeatureConfig
+	identityConfig := appConfig.Identity
 	identityFeatureConfig := featureConfig.Identity
 	serviceStore := &service.Store{
 		SQLBuilder:  sqlBuilderApp,
@@ -80989,7 +81493,7 @@ func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 	}
-	uiConfig := appConfig.UI
+	loginIDConfig := identityConfig.LoginID
 	manager := appContext.Resources
 	typeCheckerFactory := &loginid.TypeCheckerFactory{
 		UIConfig:      uiConfig,
@@ -81000,6 +81504,9 @@ func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider
 		Config:             loginIDConfig,
 		TypeCheckerFactory: typeCheckerFactory,
 	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
 	provider := &loginid.Provider{
 		Store:             loginidStore,
 		Config:            loginIDConfig,
@@ -81044,16 +81551,14 @@ func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider
 	}
 	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
 	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
-	resolver := &template.Resolver{
+	templateResolver := &template.Resolver{
 		Resources:             manager,
 		DefaultLanguageTag:    defaultLanguageTag,
 		SupportedLanguageTags: supportedLanguageTags,
 	}
 	engine := &template.Engine{
-		Resolver: resolver,
+		Resolver: templateResolver,
 	}
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
 	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
@@ -81127,6 +81632,9 @@ func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
 	ldapProvider := &ldap.Provider{
 		Store:                        ldapStore,
 		Clock:                        clockClock,
@@ -81291,14 +81799,14 @@ func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider
 		UserProfileConfig: userProfileConfig,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         store,
+		UserStore:         userStore,
 		ClaimStore:        storePQ,
 		Transformer:       pictureTransformer,
 	}
 	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
 		Config:      userProfileConfig,
 		UserQueries: rawQueries,
-		UserStore:   store,
+		UserStore:   userStore,
 	}
 	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
 	web3Service := &web3.Service{
@@ -81315,7 +81823,7 @@ func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider
 	}
 	userQueries := &user.Queries{
 		RawQueries:         rawQueries,
-		Store:              store,
+		Store:              userStore,
 		Identities:         serviceService,
 		Authenticators:     service3,
 		Verification:       verificationService,
@@ -81397,7 +81905,7 @@ func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider
 		AppID:           appID,
 		Client:          client,
 		Users:           userQueries,
-		UserStore:       store,
+		UserStore:       userStore,
 		IdentityService: serviceService,
 		RolesGroups:     rolesgroupsStore,
 		TaskQueue:       queue,
@@ -81408,7 +81916,7 @@ func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider
 		Service:  elasticsearchService,
 		Database: handle,
 	}
-	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
 	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
 		Redis: appredisHandle,
 		AppID: appID,
@@ -81453,7 +81961,7 @@ func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider
 		FeatureConfig: messagingFeatureConfig,
 		EnvConfig:     rateLimitsEnvironmentConfig,
 	}
-	serviceLogger := whatsapp.NewServiceLogger(factory)
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
 	devMode := environmentConfig.DevMode
 	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
 	testModeWhatsappConfig := testModeConfig.Whatsapp
@@ -81467,7 +81975,7 @@ func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider
 	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
 	whatsappService := &whatsapp.Service{
 		Context:                           contextContext,
-		Logger:                            serviceLogger,
+		Logger:                            whatsappServiceLogger,
 		DevMode:                           devMode,
 		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
 		TestModeWhatsappConfig:            testModeWhatsappConfig,
@@ -81490,7 +81998,7 @@ func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider
 		Translation: translationService,
 	}
 	rawCommands := &user.RawCommands{
-		Store: store,
+		Store: userStore,
 		Clock: clockClock,
 	}
 	userCommands := &user.Commands{
@@ -81509,7 +82017,7 @@ func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider
 		ServiceNoEvent:    serviceNoEvent,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         store,
+		UserStore:         userStore,
 		Events:            eventService,
 	}
 	authorizationStore := &pq.AuthorizationStore{
@@ -81524,26 +82032,13 @@ func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider
 		Logger: storeRedisLogger,
 	}
 	sessionConfig := appConfig.Session
-	httpConfig := appConfig.HTTP
-	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
-	cookieDef := session.NewSessionCookieDef(sessionConfig)
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
 	idpsessionManager := &idpsession.Manager{
 		Store:     idpsessionStoreRedis,
 		Config:    sessionConfig,
 		Cookies:   cookieManager,
-		CookieDef: cookieDef,
-	}
-	redisLogger := redis.NewLogger(factory)
-	store5 := &redis.Store{
-		Context:     contextContext,
-		Redis:       appredisHandle,
-		AppID:       appID,
-		Logger:      redisLogger,
-		SQLBuilder:  sqlBuilderApp,
-		SQLExecutor: sqlExecutor,
-		Clock:       clockClock,
+		CookieDef: cookieDef2,
 	}
-	oAuthConfig := appConfig.OAuth
 	eventStoreRedis := &access.EventStoreRedis{
 		Redis: appredisHandle,
 		AppID: appID,
@@ -81565,31 +82060,15 @@ func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider
 		Clock:           clockClock,
 		Random:          idpsessionRand,
 	}
-	globalUIImplementation := environmentConfig.UIImplementation
-	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
-	uiImplementationService := &web.UIImplementationService{
-		UIConfig:                       uiConfig,
-		GlobalUIImplementation:         globalUIImplementation,
-		GlobalUISettingsImplementation: globalUISettingsImplementation,
-	}
-	endpointsEndpoints := &endpoints.Endpoints{
-		HTTPHost:                httpHost,
-		HTTPProto:               httpProto,
-		UIImplementationService: uiImplementationService,
-	}
-	oauthclientResolver := &oauthclient.Resolver{
-		OAuthConfig:     oAuthConfig,
-		TesterEndpoints: endpointsEndpoints,
-	}
 	offlineGrantService := oauth2.OfflineGrantService{
 		OAuthConfig:    oAuthConfig,
 		Clock:          clockClock,
 		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  store5,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
 	}
 	sessionManager := &oauth2.SessionManager{
-		Store:   store5,
+		Store:   store,
 		Config:  oAuthConfig,
 		Service: offlineGrantService,
 	}
@@ -81625,37 +82104,278 @@ func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider
 		Clock:                      clockClock,
 		PasswordGenerator:          generator,
 	}
-	identityFacade := &facade.IdentityFacade{
+	identityFacade := facade.IdentityFacade{
 		Coordinator: coordinator,
 	}
-	accountmanagementService := &accountmanagement.Service{
-		Database:      handle,
-		Store:         redisStore,
-		OAuthProvider: oAuthProviderFactory,
-		Identities:    identityFacade,
-		Events:        eventService,
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
 	}
-	accountManagementV1IdentificationOAuthHandler := &api.AccountManagementV1IdentificationOAuthHandler{
-		JSON:    jsonResponseWriter,
-		Service: accountmanagementService,
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
 	}
-	return accountManagementV1IdentificationOAuthHandler
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		OAuthClientResolver:             resolver,
+		OfflineGrants:                   store,
+		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
+		OTPSender:                       messageSender,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
+		Challenges:                      challengeProvider,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
+		Events:                          eventService,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
+	}
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	interactionService := &interaction.Service{
+		Logger:  logger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
+	}
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  resolver,
+		Graph:                interactionService,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               resolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
+	}
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
+	}
+	authenticationViewModeler := &viewmodels.AuthenticationViewModeler{
+		Authentication: authenticationConfig,
+		LoginID:        loginIDConfig,
+	}
+	alternativeStepsViewModeler := &viewmodels.AlternativeStepsViewModeler{
+		AuthenticationConfig: authenticationConfig,
+	}
+	connectWeb3AccountHandler := &webapp.ConnectWeb3AccountHandler{
+		ControllerFactory:         controllerFactory,
+		BaseViewModel:             baseViewModeler,
+		AuthenticationViewModel:   authenticationViewModeler,
+		AlternativeStepsViewModel: alternativeStepsViewModeler,
+		Renderer:                  responseRenderer,
+		AuthenticationConfig:      authenticationConfig,
+	}
+	return connectWeb3AccountHandler
 }
 
-func newWebAppAuthflowLoginHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppMissingWeb3WalletHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
-	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
+	handle := appProvider.AppDatabase
+	appredisHandle := appProvider.Redis
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	appID := appConfig.ID
+	serviceLogger := webapp2.NewServiceLogger(factory)
 	request := p.Request
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	authenticationConfig := appConfig.Authentication
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
 	rootProvider := appProvider.RootProvider
 	environmentConfig := rootProvider.EnvironmentConfig
 	trustProxy := environmentConfig.TrustProxy
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
 	httpHost := deps.ProvideHTTPHost(request, trustProxy)
 	httpProto := deps.ProvideHTTPProto(request, trustProxy)
-	appContext := appProvider.AppContext
-	config := appContext.Config
-	appConfig := config.AppConfig
-	uiConfig := appConfig.UI
 	globalUIImplementation := environmentConfig.UIImplementation
 	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
 	uiImplementationService := &web.UIImplementationService{
@@ -81668,45 +82388,46 @@ func newWebAppAuthflowLoginHandler(p *deps.RequestProvider) http.Handler {
 		HTTPProto:               httpProto,
 		UIImplementationService: uiImplementationService,
 	}
-	clockClock := _wireSystemClockValue
-	httpConfig := appConfig.HTTP
-	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
-	appID := appConfig.ID
-	handle := appProvider.Redis
-	sessionStoreRedis := &webapp2.SessionStoreRedis{
-		AppID: appID,
-		Redis: handle,
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
 	}
-	sessionCookieDef := webapp2.NewSessionCookieDef()
-	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	resolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	logger := interaction.NewLogger(factory)
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
 	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	clockClock := _wireSystemClockValue
 	featureConfig := config.FeatureConfig
-	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
-	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	redisLogger := redis.NewLogger(factory)
 	secretConfig := config.SecretConfig
 	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	appdbHandle := appProvider.AppDatabase
-	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
-	store := &user.Store{
+	store := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 		Clock:       clockClock,
-		AppID:       appID,
-	}
-	rawCommands := &user.RawCommands{
-		Store: store,
-		Clock: clockClock,
-	}
-	rawQueries := &user.RawQueries{
-		Store: store,
 	}
 	userAgentString := deps.ProvideUserAgentString(request)
-	logger := event.NewLogger(factory)
+	eventLogger := event.NewLogger(factory)
 	localizationConfig := appConfig.Localization
 	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
 	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
-	authenticationConfig := appConfig.Authentication
+	userStore := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: userStore,
+	}
 	identityConfig := appConfig.Identity
 	identityFeatureConfig := featureConfig.Identity
 	serviceStore := &service.Store{
@@ -81770,19 +82491,20 @@ func newWebAppAuthflowLoginHandler(p *deps.RequestProvider) http.Handler {
 	}
 	store2 := &passkey2.Store{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
 	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
 	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
-	resolver := &template.Resolver{
+	templateResolver := &template.Resolver{
 		Resources:             manager,
 		DefaultLanguageTag:    defaultLanguageTag,
 		SupportedLanguageTags: supportedLanguageTags,
 	}
 	engine := &template.Engine{
-		Resolver: resolver,
+		Resolver: templateResolver,
 	}
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
 	staticAssetResolver := &web.StaticAssetResolver{
@@ -81820,14 +82542,14 @@ func newWebAppAuthflowLoginHandler(p *deps.RequestProvider) http.Handler {
 	web3Config := appConfig.Web3
 	storeRedis := &siwe2.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
 	ratelimitLogger := ratelimit.NewLogger(factory)
 	storageRedis := &ratelimit.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	rateLimitsFeatureConfig := featureConfig.RateLimits
 	limiter := &ratelimit.Limiter{
@@ -81942,17 +82664,17 @@ func newWebAppAuthflowLoginHandler(p *deps.RequestProvider) http.Handler {
 	testModeConfig := appConfig.TestMode
 	testModeFeatureConfig := featureConfig.TestMode
 	codeStoreRedis := &otp.CodeStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	lookupStoreRedis := &otp.LookupStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	attemptTrackerRedis := &otp.AttemptTrackerRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -81978,7 +82700,7 @@ func newWebAppAuthflowLoginHandler(p *deps.RequestProvider) http.Handler {
 	lockoutLogger := lockout.NewLogger(factory)
 	lockoutStorageRedis := &lockout.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	lockoutService := &lockout.Service{
 		Logger:  lockoutLogger,
@@ -82022,14 +82744,14 @@ func newWebAppAuthflowLoginHandler(p *deps.RequestProvider) http.Handler {
 		UserProfileConfig: userProfileConfig,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         store,
+		UserStore:         userStore,
 		ClaimStore:        storePQ,
 		Transformer:       pictureTransformer,
 	}
 	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
 		Config:      userProfileConfig,
 		UserQueries: rawQueries,
-		UserStore:   store,
+		UserStore:   userStore,
 	}
 	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
 	web3Service := &web3.Service{
@@ -82046,7 +82768,7 @@ func newWebAppAuthflowLoginHandler(p *deps.RequestProvider) http.Handler {
 	}
 	userQueries := &user.Queries{
 		RawQueries:         rawQueries,
-		Store:              store,
+		Store:              userStore,
 		Identities:         serviceService,
 		Authenticators:     service3,
 		Verification:       verificationService,
@@ -82119,16 +82841,16 @@ func newWebAppAuthflowLoginHandler(p *deps.RequestProvider) http.Handler {
 	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
 	client := elasticsearch.NewClient(elasticsearchCredentials)
 	queue := appProvider.TaskQueue
-	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
 	elasticsearchService := elasticsearch.Service{
 		Clock:           clockClock,
 		Context:         contextContext,
-		Database:        appdbHandle,
+		Database:        handle,
 		Logger:          elasticsearchServiceLogger,
 		AppID:           appID,
 		Client:          client,
 		Users:           userQueries,
-		UserStore:       store,
+		UserStore:       userStore,
 		IdentityService: serviceService,
 		RolesGroups:     rolesgroupsStore,
 		TaskQueue:       queue,
@@ -82137,26 +82859,11 @@ func newWebAppAuthflowLoginHandler(p *deps.RequestProvider) http.Handler {
 	elasticsearchSink := &elasticsearch.Sink{
 		Logger:   elasticsearchLogger,
 		Service:  elasticsearchService,
-		Database: appdbHandle,
-	}
-	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
-	userCommands := &user.Commands{
-		RawCommands:        rawCommands,
-		RawQueries:         rawQueries,
-		Events:             eventService,
-		Verification:       verificationService,
-		UserProfileConfig:  userProfileConfig,
-		StandardAttributes: serviceNoEvent,
-		CustomAttributes:   customattrsServiceNoEvent,
-		Web3:               web3Service,
-		RolesAndGroups:     queries,
-	}
-	userProvider := &user.Provider{
-		Commands: userCommands,
-		Queries:  userQueries,
+		Database: handle,
 	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
 	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -82184,7 +82891,7 @@ func newWebAppAuthflowLoginHandler(p *deps.RequestProvider) http.Handler {
 		Logger: usageLogger,
 		Clock:  clockClock,
 		AppID:  appID,
-		Redis:  handle,
+		Redis:  appredisHandle,
 	}
 	messagingConfig := appConfig.Messaging
 	messagingRateLimitsConfig := messagingConfig.RateLimits
@@ -82199,21 +82906,21 @@ func newWebAppAuthflowLoginHandler(p *deps.RequestProvider) http.Handler {
 		FeatureConfig: messagingFeatureConfig,
 		EnvConfig:     rateLimitsEnvironmentConfig,
 	}
-	serviceLogger := whatsapp.NewServiceLogger(factory)
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
 	devMode := environmentConfig.DevMode
 	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
 	testModeWhatsappConfig := testModeConfig.Whatsapp
 	whatsappConfig := messagingConfig.Whatsapp
 	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
 	tokenStore := &whatsapp.TokenStore{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
 	whatsappService := &whatsapp.Service{
 		Context:                           contextContext,
-		Logger:                            serviceLogger,
+		Logger:                            whatsappServiceLogger,
 		DevMode:                           devMode,
 		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
 		TestModeWhatsappConfig:            testModeWhatsappConfig,
@@ -82235,12 +82942,27 @@ func newWebAppAuthflowLoginHandler(p *deps.RequestProvider) http.Handler {
 		Sender:      sender,
 		Translation: translationService,
 	}
+	rawCommands := &user.RawCommands{
+		Store: userStore,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
 	stdattrsService := &stdattrs2.Service{
 		UserProfileConfig: userProfileConfig,
 		ServiceNoEvent:    serviceNoEvent,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         store,
+		UserStore:         userStore,
 		Events:            eventService,
 	}
 	authorizationStore := &pq.AuthorizationStore{
@@ -82249,32 +82971,21 @@ func newWebAppAuthflowLoginHandler(p *deps.RequestProvider) http.Handler {
 	}
 	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
 	idpsessionStoreRedis := &idpsession.StoreRedis{
-		Redis:  handle,
+		Redis:  appredisHandle,
 		AppID:  appID,
 		Clock:  clockClock,
 		Logger: storeRedisLogger,
 	}
 	sessionConfig := appConfig.Session
-	cookieDef := session.NewSessionCookieDef(sessionConfig)
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
 	idpsessionManager := &idpsession.Manager{
 		Store:     idpsessionStoreRedis,
 		Config:    sessionConfig,
 		Cookies:   cookieManager,
-		CookieDef: cookieDef,
-	}
-	redisLogger := redis.NewLogger(factory)
-	redisStore := &redis.Store{
-		Context:     contextContext,
-		Redis:       handle,
-		AppID:       appID,
-		Logger:      redisLogger,
-		SQLBuilder:  sqlBuilderApp,
-		SQLExecutor: sqlExecutor,
-		Clock:       clockClock,
+		CookieDef: cookieDef2,
 	}
-	oAuthConfig := appConfig.OAuth
 	eventStoreRedis := &access.EventStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 	}
 	eventProvider := &access.EventProvider{
@@ -82286,7 +82997,7 @@ func newWebAppAuthflowLoginHandler(p *deps.RequestProvider) http.Handler {
 		RemoteIP:        remoteIP,
 		UserAgentString: userAgentString,
 		AppID:           appID,
-		Redis:           handle,
+		Redis:           appredisHandle,
 		Store:           idpsessionStoreRedis,
 		AccessEvents:    eventProvider,
 		TrustProxy:      trustProxy,
@@ -82294,19 +83005,15 @@ func newWebAppAuthflowLoginHandler(p *deps.RequestProvider) http.Handler {
 		Clock:           clockClock,
 		Random:          idpsessionRand,
 	}
-	oauthclientResolver := &oauthclient.Resolver{
-		OAuthConfig:     oAuthConfig,
-		TesterEndpoints: endpointsEndpoints,
-	}
 	offlineGrantService := oauth2.OfflineGrantService{
 		OAuthConfig:    oAuthConfig,
 		Clock:          clockClock,
 		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
 	}
 	sessionManager := &oauth2.SessionManager{
-		Store:   redisStore,
+		Store:   store,
 		Config:  oAuthConfig,
 		Service: offlineGrantService,
 	}
@@ -82345,23 +83052,15 @@ func newWebAppAuthflowLoginHandler(p *deps.RequestProvider) http.Handler {
 	identityFacade := facade.IdentityFacade{
 		Coordinator: coordinator,
 	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
 	anonymousStoreRedis := &anonymous.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
-	authenticatorFacade := facade.AuthenticatorFacade{
-		Coordinator: coordinator,
-	}
-	mfaFacade := &facade.MFAFacade{
-		Coordinator: coordinator,
-	}
-	customattrsService := &customattrs.Service{
-		Config:         userProfileConfig,
-		ServiceNoEvent: customattrsServiceNoEvent,
-		Events:         eventService,
-	}
 	messageSender := &otp.MessageSender{
 		AppID:           appID,
 		Translation:     translationService,
@@ -82369,8 +83068,28 @@ func newWebAppAuthflowLoginHandler(p *deps.RequestProvider) http.Handler {
 		Sender:          sender,
 		WhatsappService: whatsappService,
 	}
-	workflowVerificationFacade := facade.WorkflowVerificationFacade{
-		Verification: verificationService,
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
 	}
 	forgotpasswordLogger := forgotpassword.NewLogger(factory)
 	sender2 := forgotpassword.Sender{
@@ -82389,257 +83108,104 @@ func newWebAppAuthflowLoginHandler(p *deps.RequestProvider) http.Handler {
 		OTPSender:      messageSender,
 		PasswordSender: sender2,
 	}
-	accountMigrationConfig := appConfig.AccountMigration
-	accountMigrationHookConfig := accountMigrationConfig.Hook
-	hookDenoClient := accountmigration.NewHookDenoClient(denoEndpoint, hookLogger, accountMigrationHookConfig)
-	denoMiddlewareLogger := accountmigration.NewDenoMiddlewareLogger(factory)
-	accountMigrationDenoHook := &accountmigration.AccountMigrationDenoHook{
-		DenoHook: denoHook,
-		Client:   hookDenoClient,
-		Logger:   denoMiddlewareLogger,
-	}
-	hookWebHookImpl := &hook.WebHookImpl{
-		Logger: webHookLogger,
-		Secret: webhookKeyMaterials,
-	}
-	hookHTTPClient := accountmigration.NewHookHTTPClient(accountMigrationHookConfig)
-	webhookMiddlewareLogger := accountmigration.NewWebhookMiddlewareLogger(factory)
-	accountMigrationWebHook := &accountmigration.AccountMigrationWebHook{
-		WebHook: hookWebHookImpl,
-		Client:  hookHTTPClient,
-		Logger:  webhookMiddlewareLogger,
-	}
-	accountmigrationService := &accountmigration.Service{
-		Config:   accountMigrationHookConfig,
-		DenoHook: accountMigrationDenoHook,
-		WebHook:  accountMigrationWebHook,
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
 	}
 	challengeProvider := &challenge.Provider{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
-	captchaConfig := appConfig.Captcha
-	providerLogger := captcha.NewProviderLogger(factory)
-	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
-	cloudflareClient := captcha2.NewCloudflareClient(deprecated_CaptchaCloudflareCredentials)
-	captchaProvider := &captcha.Provider{
-		RemoteIP:         remoteIP,
-		Config:           captchaConfig,
-		Logger:           providerLogger,
-		CloudflareClient: cloudflareClient,
-	}
-	botProtectionConfig := appConfig.BotProtection
-	botprotectionProviderLogger := botprotection.NewProviderLogger(factory)
-	botProtectionProviderCredentials := deps.ProvideBotProtectionProvidersCredentials(secretConfig)
-	botprotectionCloudflareClient := botprotection.NewCloudflareClient(botProtectionProviderCredentials, environmentConfig)
-	recaptchaV2Client := botprotection.NewRecaptchaV2Client(botProtectionProviderCredentials, environmentConfig)
-	botprotectionProvider := &botprotection.Provider{
-		RemoteIP:          remoteIP,
-		Config:            botProtectionConfig,
-		Logger:            botprotectionProviderLogger,
-		CloudflareClient:  botprotectionCloudflareClient,
-		RecaptchaV2Client: recaptchaV2Client,
-		Events:            eventService,
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
 	}
-	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
-	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
-	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
 		Context: contextContext,
+		Redis:   appredisHandle,
 		AppID:   appID,
-		Redis:   handle,
-	}
-	oAuthProviderFactory := &sso.OAuthProviderFactory{
-		IdentityConfig:               identityConfig,
-		Credentials:                  oAuthSSOProviderCredentials,
-		Clock:                        clockClock,
-		StandardAttributesNormalizer: normalizer,
-		HTTPClient:                   oAuthHTTPClient,
-		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
-	}
-	requestOptionsService := &passkey2.RequestOptionsService{
-		ConfigService:   configService,
-		IdentityService: serviceService,
-		Store:           store2,
-	}
-	creationOptionsService := &passkey2.CreationOptionsService{
-		ConfigService:   configService,
-		UserService:     userQueries,
-		IdentityService: serviceService,
-		Store:           store2,
-	}
-	ldapConfig := identityConfig.LDAP
-	ldapServerUserCredentials := deps.ProvideLDAPServerUserCredentials(secretConfig)
-	clientFactory := &ldap2.ClientFactory{
-		Config:       ldapConfig,
-		SecretConfig: ldapServerUserCredentials,
 	}
 	manager2 := &session.Manager{
 		IDPSessions:         idpsessionManager,
 		AccessTokenSessions: sessionManager,
 		Events:              eventService,
 	}
-	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
-	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
-	userFacade := &facade.UserFacade{
-		UserProvider: userProvider,
-		Coordinator:  coordinator,
-	}
-	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
-	idTokenIssuer := &oidc.IDTokenIssuer{
-		Secrets:        oAuthKeyMaterials,
-		BaseURL:        endpointsEndpoints,
-		Users:          userQueries,
-		RolesAndGroups: queries,
-		Clock:          clockClock,
-	}
-	dependencies := &authenticationflow.Dependencies{
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
 		Config:                          appConfig,
 		FeatureConfig:                   featureConfig,
-		Clock:                           clockClock,
-		RemoteIP:                        remoteIP,
-		HTTPOrigin:                      httpOrigin,
-		HTTPRequest:                     request,
-		Users:                           userProvider,
+		OAuthClientResolver:             resolver,
+		OfflineGrants:                   store,
 		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
 		AnonymousIdentities:             anonymousProvider,
 		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
-		Authenticators:                  authenticatorFacade,
-		MFA:                             mfaFacade,
-		StdAttrsService:                 stdattrsService,
-		CustomAttrsService:              customattrsService,
-		OTPCodes:                        otpService,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
 		OTPSender:                       messageSender,
-		Verification:                    workflowVerificationFacade,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
 		ForgotPassword:                  forgotpasswordService,
 		ResetPassword:                   forgotpasswordService,
-		AccountMigrations:               accountmigrationService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
 		Challenges:                      challengeProvider,
-		Captcha:                         captchaProvider,
-		BotProtection:                   botprotectionProvider,
-		OAuthProviderFactory:            oAuthProviderFactory,
-		PasskeyRequestOptionsService:    requestOptionsService,
-		PasskeyCreationOptionsService:   creationOptionsService,
-		PasskeyService:                  passkeyService,
-		LoginIDs:                        provider,
-		LDAP:                            ldapProvider,
-		LDAPClientFactory:               clientFactory,
-		IDPSessions:                     idpsessionProvider,
-		Sessions:                        manager2,
-		AuthenticationInfos:             authenticationinfoStoreRedis,
-		SessionCookie:                   cookieDef,
-		MFADeviceTokenCookie:            mfaCookieDef,
-		UserFacade:                      userFacade,
-		Cookies:                         cookieManager,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
 		Events:                          eventService,
-		RateLimiter:                     limiter,
-		OfflineGrants:                   redisStore,
-		IDTokens:                        idTokenIssuer,
-	}
-	authenticationflowServiceLogger := authenticationflow.NewServiceLogger(factory)
-	authenticationflowStoreImpl := &authenticationflow.StoreImpl{
-		Redis:   handle,
-		AppID:   appID,
-		Context: contextContext,
-	}
-	uiService := &authenticationinfo.UIService{
-		EndpointsProvider: endpointsEndpoints,
-	}
-	authenticationflowService := &authenticationflow.Service{
-		ContextDoNotUseDirectly: contextContext,
-		Deps:                    dependencies,
-		Logger:                  authenticationflowServiceLogger,
-		Store:                   authenticationflowStoreImpl,
-		Database:                appdbHandle,
-		UIConfig:                uiConfig,
-		UIInfoResolver:          uiService,
-		OAuthClientResolver:     oauthclientResolver,
-	}
-	oauthsessionStoreRedis := &oauthsession.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	samlsessionStoreRedis := &samlsession.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	promptResolver := &oauth2.PromptResolver{
-		Clock: clockClock,
-	}
-	oauthOfflineGrantService := &oauth2.OfflineGrantService{
-		OAuthConfig:    oAuthConfig,
-		Clock:          clockClock,
-		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
-	}
-	idTokenHintResolver := &oidc.IDTokenHintResolver{
-		Issuer:              idTokenIssuer,
-		Sessions:            idpsessionProvider,
-		OfflineGrantService: oauthOfflineGrantService,
-	}
-	uiInfoResolver := &oidc.UIInfoResolver{
-		Config:              oAuthConfig,
-		EndpointsProvider:   endpointsEndpoints,
-		PromptResolver:      promptResolver,
-		IDTokenHintResolver: idTokenHintResolver,
-		Clock:               clockClock,
-		Cookies:             cookieManager,
-		ClientResolver:      oauthclientResolver,
-	}
-	webappoauthStore := &webappoauth.Store{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
-		Endpoints:       endpointsEndpoints,
-		OAuthStateStore: webappoauthStore,
-	}
-	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
-	errorService := &webapp2.ErrorService{
-		AppID:       appID,
-		Cookie:      errorTokenCookieDef,
-		RedisHandle: handle,
-		Cookies:     cookieManager,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
 	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
-		Endpoints:       endpointsEndpoints,
-		OAuthStateStore: webappoauthStore,
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
 	}
-	errorRenderer := &webapp.ErrorRenderer{
-		ErrorService:            errorService,
-		UIImplementationService: uiImplementationService,
-		AuthflowV1Navigator:     authflowNavigator,
-		AuthflowV2Navigator:     authflowV2Navigator,
+	interactionService := &interaction.Service{
+		Logger:  logger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
 	}
-	authflowController := &webapp.AuthflowController{
-		Logger:                  authflowControllerLogger,
-		TesterEndpointsProvider: endpointsEndpoints,
-		TrustProxy:              trustProxy,
-		Clock:                   clockClock,
-		Cookies:                 cookieManager,
-		Sessions:                sessionStoreRedis,
-		SessionCookie:           sessionCookieDef,
-		SignedUpCookie:          signedUpCookieDef,
-		Authflows:               authenticationflowService,
-		OAuthSessions:           oauthsessionStoreRedis,
-		SAMLSessions:            samlsessionStoreRedis,
-		UIInfoResolver:          uiInfoResolver,
-		UIConfig:                uiConfig,
-		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowNavigator,
-		ErrorRenderer:           errorRenderer,
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  resolver,
+		Graph:                interactionService,
 	}
 	uiFeatureConfig := featureConfig.UI
 	forgotPasswordConfig := appConfig.ForgotPassword
 	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
 	flashMessage := &httputil.FlashMessage{
 		Cookies: cookieManager,
 	}
@@ -82664,59 +83230,88 @@ func newWebAppAuthflowLoginHandler(p *deps.RequestProvider) http.Handler {
 		SupportedLanguageTags:             supportedLanguageTags,
 		AuthUISentryDSN:                   authUISentryDSN,
 		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
-		OAuthClientResolver:               oauthclientResolver,
+		OAuthClientResolver:               resolver,
 		Logger:                            baseLogger,
 	}
-	authflowViewModeler := &viewmodels.AuthflowViewModeler{
-		Authentication: authenticationConfig,
-		LoginID:        loginIDConfig,
-		Identity:       identityConfig,
-	}
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	analyticredisHandle := appProvider.AnalyticRedis
-	meterStoreRedisLogger := meter.NewStoreRedisLogger(factory)
-	writeStoreRedis := &meter.WriteStoreRedis{
-		Context: contextContext,
-		Redis:   analyticredisHandle,
-		AppID:   appID,
-		Clock:   clockClock,
-		Logger:  meterStoreRedisLogger,
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
 	}
-	meterService := &meter.Service{
-		Counter: writeStoreRedis,
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
 	}
-	tutorialCookie := &httputil.TutorialCookie{
-		Cookies: cookieManager,
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
 	}
-	authflowLoginHandler := &webapp.AuthflowLoginHandler{
-		Controller:        authflowController,
-		BaseViewModel:     baseViewModeler,
-		AuthflowViewModel: authflowViewModeler,
-		Renderer:          responseRenderer,
-		MeterService:      meterService,
-		TutorialCookie:    tutorialCookie,
-		ErrorService:      errorService,
-		Endpoints:         endpointsEndpoints,
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
 	}
-	return authflowLoginHandler
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
+	}
+	missingWeb3WalletHandler := &webapp.MissingWeb3WalletHandler{
+		ControllerFactory:    controllerFactory,
+		BaseViewModel:        baseViewModeler,
+		Renderer:             responseRenderer,
+		AuthenticationConfig: authenticationConfig,
+	}
+	return missingWeb3WalletHandler
 }
 
-func newWebAppAuthflowV2LoginHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppFeatureDisabledHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
-	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
+	handle := appProvider.AppDatabase
+	appredisHandle := appProvider.Redis
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	appID := appConfig.ID
+	serviceLogger := webapp2.NewServiceLogger(factory)
 	request := p.Request
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	authenticationConfig := appConfig.Authentication
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
 	rootProvider := appProvider.RootProvider
 	environmentConfig := rootProvider.EnvironmentConfig
 	trustProxy := environmentConfig.TrustProxy
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
 	httpHost := deps.ProvideHTTPHost(request, trustProxy)
 	httpProto := deps.ProvideHTTPProto(request, trustProxy)
-	appContext := appProvider.AppContext
-	config := appContext.Config
-	appConfig := config.AppConfig
-	uiConfig := appConfig.UI
 	globalUIImplementation := environmentConfig.UIImplementation
 	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
 	uiImplementationService := &web.UIImplementationService{
@@ -82729,45 +83324,46 @@ func newWebAppAuthflowV2LoginHandler(p *deps.RequestProvider) http.Handler {
 		HTTPProto:               httpProto,
 		UIImplementationService: uiImplementationService,
 	}
-	clockClock := _wireSystemClockValue
-	httpConfig := appConfig.HTTP
-	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
-	appID := appConfig.ID
-	handle := appProvider.Redis
-	sessionStoreRedis := &webapp2.SessionStoreRedis{
-		AppID: appID,
-		Redis: handle,
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
 	}
-	sessionCookieDef := webapp2.NewSessionCookieDef()
-	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	resolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	logger := interaction.NewLogger(factory)
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
 	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	clockClock := _wireSystemClockValue
 	featureConfig := config.FeatureConfig
-	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
-	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	redisLogger := redis.NewLogger(factory)
 	secretConfig := config.SecretConfig
 	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	appdbHandle := appProvider.AppDatabase
-	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
-	store := &user.Store{
+	store := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 		Clock:       clockClock,
-		AppID:       appID,
-	}
-	rawCommands := &user.RawCommands{
-		Store: store,
-		Clock: clockClock,
-	}
-	rawQueries := &user.RawQueries{
-		Store: store,
 	}
 	userAgentString := deps.ProvideUserAgentString(request)
-	logger := event.NewLogger(factory)
+	eventLogger := event.NewLogger(factory)
 	localizationConfig := appConfig.Localization
 	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
 	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
-	authenticationConfig := appConfig.Authentication
+	userStore := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: userStore,
+	}
 	identityConfig := appConfig.Identity
 	identityFeatureConfig := featureConfig.Identity
 	serviceStore := &service.Store{
@@ -82831,19 +83427,20 @@ func newWebAppAuthflowV2LoginHandler(p *deps.RequestProvider) http.Handler {
 	}
 	store2 := &passkey2.Store{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
 	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
 	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
-	resolver := &template.Resolver{
+	templateResolver := &template.Resolver{
 		Resources:             manager,
 		DefaultLanguageTag:    defaultLanguageTag,
 		SupportedLanguageTags: supportedLanguageTags,
 	}
 	engine := &template.Engine{
-		Resolver: resolver,
+		Resolver: templateResolver,
 	}
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
 	staticAssetResolver := &web.StaticAssetResolver{
@@ -82881,14 +83478,14 @@ func newWebAppAuthflowV2LoginHandler(p *deps.RequestProvider) http.Handler {
 	web3Config := appConfig.Web3
 	storeRedis := &siwe2.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
 	ratelimitLogger := ratelimit.NewLogger(factory)
 	storageRedis := &ratelimit.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	rateLimitsFeatureConfig := featureConfig.RateLimits
 	limiter := &ratelimit.Limiter{
@@ -83003,17 +83600,17 @@ func newWebAppAuthflowV2LoginHandler(p *deps.RequestProvider) http.Handler {
 	testModeConfig := appConfig.TestMode
 	testModeFeatureConfig := featureConfig.TestMode
 	codeStoreRedis := &otp.CodeStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	lookupStoreRedis := &otp.LookupStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	attemptTrackerRedis := &otp.AttemptTrackerRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -83039,7 +83636,7 @@ func newWebAppAuthflowV2LoginHandler(p *deps.RequestProvider) http.Handler {
 	lockoutLogger := lockout.NewLogger(factory)
 	lockoutStorageRedis := &lockout.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	lockoutService := &lockout.Service{
 		Logger:  lockoutLogger,
@@ -83083,14 +83680,14 @@ func newWebAppAuthflowV2LoginHandler(p *deps.RequestProvider) http.Handler {
 		UserProfileConfig: userProfileConfig,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         store,
+		UserStore:         userStore,
 		ClaimStore:        storePQ,
 		Transformer:       pictureTransformer,
 	}
 	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
 		Config:      userProfileConfig,
 		UserQueries: rawQueries,
-		UserStore:   store,
+		UserStore:   userStore,
 	}
 	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
 	web3Service := &web3.Service{
@@ -83107,7 +83704,7 @@ func newWebAppAuthflowV2LoginHandler(p *deps.RequestProvider) http.Handler {
 	}
 	userQueries := &user.Queries{
 		RawQueries:         rawQueries,
-		Store:              store,
+		Store:              userStore,
 		Identities:         serviceService,
 		Authenticators:     service3,
 		Verification:       verificationService,
@@ -83180,16 +83777,16 @@ func newWebAppAuthflowV2LoginHandler(p *deps.RequestProvider) http.Handler {
 	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
 	client := elasticsearch.NewClient(elasticsearchCredentials)
 	queue := appProvider.TaskQueue
-	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
 	elasticsearchService := elasticsearch.Service{
 		Clock:           clockClock,
 		Context:         contextContext,
-		Database:        appdbHandle,
+		Database:        handle,
 		Logger:          elasticsearchServiceLogger,
 		AppID:           appID,
 		Client:          client,
 		Users:           userQueries,
-		UserStore:       store,
+		UserStore:       userStore,
 		IdentityService: serviceService,
 		RolesGroups:     rolesgroupsStore,
 		TaskQueue:       queue,
@@ -83198,26 +83795,11 @@ func newWebAppAuthflowV2LoginHandler(p *deps.RequestProvider) http.Handler {
 	elasticsearchSink := &elasticsearch.Sink{
 		Logger:   elasticsearchLogger,
 		Service:  elasticsearchService,
-		Database: appdbHandle,
-	}
-	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
-	userCommands := &user.Commands{
-		RawCommands:        rawCommands,
-		RawQueries:         rawQueries,
-		Events:             eventService,
-		Verification:       verificationService,
-		UserProfileConfig:  userProfileConfig,
-		StandardAttributes: serviceNoEvent,
-		CustomAttributes:   customattrsServiceNoEvent,
-		Web3:               web3Service,
-		RolesAndGroups:     queries,
-	}
-	userProvider := &user.Provider{
-		Commands: userCommands,
-		Queries:  userQueries,
+		Database: handle,
 	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
 	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -83245,7 +83827,7 @@ func newWebAppAuthflowV2LoginHandler(p *deps.RequestProvider) http.Handler {
 		Logger: usageLogger,
 		Clock:  clockClock,
 		AppID:  appID,
-		Redis:  handle,
+		Redis:  appredisHandle,
 	}
 	messagingConfig := appConfig.Messaging
 	messagingRateLimitsConfig := messagingConfig.RateLimits
@@ -83260,21 +83842,21 @@ func newWebAppAuthflowV2LoginHandler(p *deps.RequestProvider) http.Handler {
 		FeatureConfig: messagingFeatureConfig,
 		EnvConfig:     rateLimitsEnvironmentConfig,
 	}
-	serviceLogger := whatsapp.NewServiceLogger(factory)
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
 	devMode := environmentConfig.DevMode
 	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
 	testModeWhatsappConfig := testModeConfig.Whatsapp
 	whatsappConfig := messagingConfig.Whatsapp
 	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
 	tokenStore := &whatsapp.TokenStore{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
 	whatsappService := &whatsapp.Service{
 		Context:                           contextContext,
-		Logger:                            serviceLogger,
+		Logger:                            whatsappServiceLogger,
 		DevMode:                           devMode,
 		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
 		TestModeWhatsappConfig:            testModeWhatsappConfig,
@@ -83296,12 +83878,27 @@ func newWebAppAuthflowV2LoginHandler(p *deps.RequestProvider) http.Handler {
 		Sender:      sender,
 		Translation: translationService,
 	}
+	rawCommands := &user.RawCommands{
+		Store: userStore,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
 	stdattrsService := &stdattrs2.Service{
 		UserProfileConfig: userProfileConfig,
 		ServiceNoEvent:    serviceNoEvent,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         store,
+		UserStore:         userStore,
 		Events:            eventService,
 	}
 	authorizationStore := &pq.AuthorizationStore{
@@ -83310,32 +83907,21 @@ func newWebAppAuthflowV2LoginHandler(p *deps.RequestProvider) http.Handler {
 	}
 	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
 	idpsessionStoreRedis := &idpsession.StoreRedis{
-		Redis:  handle,
+		Redis:  appredisHandle,
 		AppID:  appID,
 		Clock:  clockClock,
 		Logger: storeRedisLogger,
 	}
 	sessionConfig := appConfig.Session
-	cookieDef := session.NewSessionCookieDef(sessionConfig)
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
 	idpsessionManager := &idpsession.Manager{
 		Store:     idpsessionStoreRedis,
 		Config:    sessionConfig,
 		Cookies:   cookieManager,
-		CookieDef: cookieDef,
-	}
-	redisLogger := redis.NewLogger(factory)
-	redisStore := &redis.Store{
-		Context:     contextContext,
-		Redis:       handle,
-		AppID:       appID,
-		Logger:      redisLogger,
-		SQLBuilder:  sqlBuilderApp,
-		SQLExecutor: sqlExecutor,
-		Clock:       clockClock,
+		CookieDef: cookieDef2,
 	}
-	oAuthConfig := appConfig.OAuth
 	eventStoreRedis := &access.EventStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 	}
 	eventProvider := &access.EventProvider{
@@ -83347,7 +83933,7 @@ func newWebAppAuthflowV2LoginHandler(p *deps.RequestProvider) http.Handler {
 		RemoteIP:        remoteIP,
 		UserAgentString: userAgentString,
 		AppID:           appID,
-		Redis:           handle,
+		Redis:           appredisHandle,
 		Store:           idpsessionStoreRedis,
 		AccessEvents:    eventProvider,
 		TrustProxy:      trustProxy,
@@ -83355,19 +83941,15 @@ func newWebAppAuthflowV2LoginHandler(p *deps.RequestProvider) http.Handler {
 		Clock:           clockClock,
 		Random:          idpsessionRand,
 	}
-	oauthclientResolver := &oauthclient.Resolver{
-		OAuthConfig:     oAuthConfig,
-		TesterEndpoints: endpointsEndpoints,
-	}
 	offlineGrantService := oauth2.OfflineGrantService{
 		OAuthConfig:    oAuthConfig,
 		Clock:          clockClock,
 		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
 	}
 	sessionManager := &oauth2.SessionManager{
-		Store:   redisStore,
+		Store:   store,
 		Config:  oAuthConfig,
 		Service: offlineGrantService,
 	}
@@ -83406,23 +83988,15 @@ func newWebAppAuthflowV2LoginHandler(p *deps.RequestProvider) http.Handler {
 	identityFacade := facade.IdentityFacade{
 		Coordinator: coordinator,
 	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
 	anonymousStoreRedis := &anonymous.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
-	authenticatorFacade := facade.AuthenticatorFacade{
-		Coordinator: coordinator,
-	}
-	mfaFacade := &facade.MFAFacade{
-		Coordinator: coordinator,
-	}
-	customattrsService := &customattrs.Service{
-		Config:         userProfileConfig,
-		ServiceNoEvent: customattrsServiceNoEvent,
-		Events:         eventService,
-	}
 	messageSender := &otp.MessageSender{
 		AppID:           appID,
 		Translation:     translationService,
@@ -83430,8 +84004,28 @@ func newWebAppAuthflowV2LoginHandler(p *deps.RequestProvider) http.Handler {
 		Sender:          sender,
 		WhatsappService: whatsappService,
 	}
-	workflowVerificationFacade := facade.WorkflowVerificationFacade{
-		Verification: verificationService,
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
 	}
 	forgotpasswordLogger := forgotpassword.NewLogger(factory)
 	sender2 := forgotpassword.Sender{
@@ -83450,257 +84044,104 @@ func newWebAppAuthflowV2LoginHandler(p *deps.RequestProvider) http.Handler {
 		OTPSender:      messageSender,
 		PasswordSender: sender2,
 	}
-	accountMigrationConfig := appConfig.AccountMigration
-	accountMigrationHookConfig := accountMigrationConfig.Hook
-	hookDenoClient := accountmigration.NewHookDenoClient(denoEndpoint, hookLogger, accountMigrationHookConfig)
-	denoMiddlewareLogger := accountmigration.NewDenoMiddlewareLogger(factory)
-	accountMigrationDenoHook := &accountmigration.AccountMigrationDenoHook{
-		DenoHook: denoHook,
-		Client:   hookDenoClient,
-		Logger:   denoMiddlewareLogger,
-	}
-	hookWebHookImpl := &hook.WebHookImpl{
-		Logger: webHookLogger,
-		Secret: webhookKeyMaterials,
-	}
-	hookHTTPClient := accountmigration.NewHookHTTPClient(accountMigrationHookConfig)
-	webhookMiddlewareLogger := accountmigration.NewWebhookMiddlewareLogger(factory)
-	accountMigrationWebHook := &accountmigration.AccountMigrationWebHook{
-		WebHook: hookWebHookImpl,
-		Client:  hookHTTPClient,
-		Logger:  webhookMiddlewareLogger,
-	}
-	accountmigrationService := &accountmigration.Service{
-		Config:   accountMigrationHookConfig,
-		DenoHook: accountMigrationDenoHook,
-		WebHook:  accountMigrationWebHook,
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
 	}
 	challengeProvider := &challenge.Provider{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
-	captchaConfig := appConfig.Captcha
-	providerLogger := captcha.NewProviderLogger(factory)
-	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
-	cloudflareClient := captcha2.NewCloudflareClient(deprecated_CaptchaCloudflareCredentials)
-	captchaProvider := &captcha.Provider{
-		RemoteIP:         remoteIP,
-		Config:           captchaConfig,
-		Logger:           providerLogger,
-		CloudflareClient: cloudflareClient,
-	}
-	botProtectionConfig := appConfig.BotProtection
-	botprotectionProviderLogger := botprotection.NewProviderLogger(factory)
-	botProtectionProviderCredentials := deps.ProvideBotProtectionProvidersCredentials(secretConfig)
-	botprotectionCloudflareClient := botprotection.NewCloudflareClient(botProtectionProviderCredentials, environmentConfig)
-	recaptchaV2Client := botprotection.NewRecaptchaV2Client(botProtectionProviderCredentials, environmentConfig)
-	botprotectionProvider := &botprotection.Provider{
-		RemoteIP:          remoteIP,
-		Config:            botProtectionConfig,
-		Logger:            botprotectionProviderLogger,
-		CloudflareClient:  botprotectionCloudflareClient,
-		RecaptchaV2Client: recaptchaV2Client,
-		Events:            eventService,
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
 	}
-	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
-	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
-	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
 		Context: contextContext,
+		Redis:   appredisHandle,
 		AppID:   appID,
-		Redis:   handle,
-	}
-	oAuthProviderFactory := &sso.OAuthProviderFactory{
-		IdentityConfig:               identityConfig,
-		Credentials:                  oAuthSSOProviderCredentials,
-		Clock:                        clockClock,
-		StandardAttributesNormalizer: normalizer,
-		HTTPClient:                   oAuthHTTPClient,
-		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
-	}
-	requestOptionsService := &passkey2.RequestOptionsService{
-		ConfigService:   configService,
-		IdentityService: serviceService,
-		Store:           store2,
-	}
-	creationOptionsService := &passkey2.CreationOptionsService{
-		ConfigService:   configService,
-		UserService:     userQueries,
-		IdentityService: serviceService,
-		Store:           store2,
-	}
-	ldapConfig := identityConfig.LDAP
-	ldapServerUserCredentials := deps.ProvideLDAPServerUserCredentials(secretConfig)
-	clientFactory := &ldap2.ClientFactory{
-		Config:       ldapConfig,
-		SecretConfig: ldapServerUserCredentials,
 	}
 	manager2 := &session.Manager{
 		IDPSessions:         idpsessionManager,
 		AccessTokenSessions: sessionManager,
 		Events:              eventService,
 	}
-	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
-	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
-	userFacade := &facade.UserFacade{
-		UserProvider: userProvider,
-		Coordinator:  coordinator,
-	}
-	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
-	idTokenIssuer := &oidc.IDTokenIssuer{
-		Secrets:        oAuthKeyMaterials,
-		BaseURL:        endpointsEndpoints,
-		Users:          userQueries,
-		RolesAndGroups: queries,
-		Clock:          clockClock,
-	}
-	dependencies := &authenticationflow.Dependencies{
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
 		Config:                          appConfig,
 		FeatureConfig:                   featureConfig,
-		Clock:                           clockClock,
-		RemoteIP:                        remoteIP,
-		HTTPOrigin:                      httpOrigin,
-		HTTPRequest:                     request,
-		Users:                           userProvider,
+		OAuthClientResolver:             resolver,
+		OfflineGrants:                   store,
 		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
 		AnonymousIdentities:             anonymousProvider,
 		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
-		Authenticators:                  authenticatorFacade,
-		MFA:                             mfaFacade,
-		StdAttrsService:                 stdattrsService,
-		CustomAttrsService:              customattrsService,
-		OTPCodes:                        otpService,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
 		OTPSender:                       messageSender,
-		Verification:                    workflowVerificationFacade,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
 		ForgotPassword:                  forgotpasswordService,
 		ResetPassword:                   forgotpasswordService,
-		AccountMigrations:               accountmigrationService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
 		Challenges:                      challengeProvider,
-		Captcha:                         captchaProvider,
-		BotProtection:                   botprotectionProvider,
-		OAuthProviderFactory:            oAuthProviderFactory,
-		PasskeyRequestOptionsService:    requestOptionsService,
-		PasskeyCreationOptionsService:   creationOptionsService,
-		PasskeyService:                  passkeyService,
-		LoginIDs:                        provider,
-		LDAP:                            ldapProvider,
-		LDAPClientFactory:               clientFactory,
-		IDPSessions:                     idpsessionProvider,
-		Sessions:                        manager2,
-		AuthenticationInfos:             authenticationinfoStoreRedis,
-		SessionCookie:                   cookieDef,
-		MFADeviceTokenCookie:            mfaCookieDef,
-		UserFacade:                      userFacade,
-		Cookies:                         cookieManager,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
 		Events:                          eventService,
-		RateLimiter:                     limiter,
-		OfflineGrants:                   redisStore,
-		IDTokens:                        idTokenIssuer,
-	}
-	authenticationflowServiceLogger := authenticationflow.NewServiceLogger(factory)
-	authenticationflowStoreImpl := &authenticationflow.StoreImpl{
-		Redis:   handle,
-		AppID:   appID,
-		Context: contextContext,
-	}
-	uiService := &authenticationinfo.UIService{
-		EndpointsProvider: endpointsEndpoints,
-	}
-	authenticationflowService := &authenticationflow.Service{
-		ContextDoNotUseDirectly: contextContext,
-		Deps:                    dependencies,
-		Logger:                  authenticationflowServiceLogger,
-		Store:                   authenticationflowStoreImpl,
-		Database:                appdbHandle,
-		UIConfig:                uiConfig,
-		UIInfoResolver:          uiService,
-		OAuthClientResolver:     oauthclientResolver,
-	}
-	oauthsessionStoreRedis := &oauthsession.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	samlsessionStoreRedis := &samlsession.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	promptResolver := &oauth2.PromptResolver{
-		Clock: clockClock,
-	}
-	oauthOfflineGrantService := &oauth2.OfflineGrantService{
-		OAuthConfig:    oAuthConfig,
-		Clock:          clockClock,
-		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
-	}
-	idTokenHintResolver := &oidc.IDTokenHintResolver{
-		Issuer:              idTokenIssuer,
-		Sessions:            idpsessionProvider,
-		OfflineGrantService: oauthOfflineGrantService,
-	}
-	uiInfoResolver := &oidc.UIInfoResolver{
-		Config:              oAuthConfig,
-		EndpointsProvider:   endpointsEndpoints,
-		PromptResolver:      promptResolver,
-		IDTokenHintResolver: idTokenHintResolver,
-		Clock:               clockClock,
-		Cookies:             cookieManager,
-		ClientResolver:      oauthclientResolver,
-	}
-	webappoauthStore := &webappoauth.Store{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
-		Endpoints:       endpointsEndpoints,
-		OAuthStateStore: webappoauthStore,
-	}
-	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
-	errorService := &webapp2.ErrorService{
-		AppID:       appID,
-		Cookie:      errorTokenCookieDef,
-		RedisHandle: handle,
-		Cookies:     cookieManager,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
 	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
-		Endpoints:       endpointsEndpoints,
-		OAuthStateStore: webappoauthStore,
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
 	}
-	errorRenderer := &webapp.ErrorRenderer{
-		ErrorService:            errorService,
-		UIImplementationService: uiImplementationService,
-		AuthflowV1Navigator:     authflowNavigator,
-		AuthflowV2Navigator:     authflowV2Navigator,
+	interactionService := &interaction.Service{
+		Logger:  logger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
 	}
-	authflowController := &webapp.AuthflowController{
-		Logger:                  authflowControllerLogger,
-		TesterEndpointsProvider: endpointsEndpoints,
-		TrustProxy:              trustProxy,
-		Clock:                   clockClock,
-		Cookies:                 cookieManager,
-		Sessions:                sessionStoreRedis,
-		SessionCookie:           sessionCookieDef,
-		SignedUpCookie:          signedUpCookieDef,
-		Authflows:               authenticationflowService,
-		OAuthSessions:           oauthsessionStoreRedis,
-		SAMLSessions:            samlsessionStoreRedis,
-		UIInfoResolver:          uiInfoResolver,
-		UIConfig:                uiConfig,
-		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowV2Navigator,
-		ErrorRenderer:           errorRenderer,
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  resolver,
+		Graph:                interactionService,
 	}
 	uiFeatureConfig := featureConfig.UI
 	forgotPasswordConfig := appConfig.ForgotPassword
 	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
 	flashMessage := &httputil.FlashMessage{
 		Cookies: cookieManager,
 	}
@@ -83725,71 +84166,87 @@ func newWebAppAuthflowV2LoginHandler(p *deps.RequestProvider) http.Handler {
 		SupportedLanguageTags:             supportedLanguageTags,
 		AuthUISentryDSN:                   authUISentryDSN,
 		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
-		OAuthClientResolver:               oauthclientResolver,
+		OAuthClientResolver:               resolver,
 		Logger:                            baseLogger,
 	}
-	authflowViewModeler := &viewmodels.AuthflowViewModeler{
-		Authentication: authenticationConfig,
-		LoginID:        loginIDConfig,
-		Identity:       identityConfig,
-	}
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	analyticredisHandle := appProvider.AnalyticRedis
-	meterStoreRedisLogger := meter.NewStoreRedisLogger(factory)
-	writeStoreRedis := &meter.WriteStoreRedis{
-		Context: contextContext,
-		Redis:   analyticredisHandle,
-		AppID:   appID,
-		Clock:   clockClock,
-		Logger:  meterStoreRedisLogger,
-	}
-	meterService := &meter.Service{
-		Counter: writeStoreRedis,
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
 	}
-	tutorialCookie := &httputil.TutorialCookie{
-		Cookies: cookieManager,
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
 	}
-	internalAuthflowV2SignupLoginHandler := authflowv2.InternalAuthflowV2SignupLoginHandler{
-		Controller:        authflowController,
-		BaseViewModel:     baseViewModeler,
-		AuthflowViewModel: authflowViewModeler,
-		Renderer:          responseRenderer,
-		MeterService:      meterService,
-		TutorialCookie:    tutorialCookie,
-		Endpoints:         endpointsEndpoints,
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
 	}
-	authflowV2LoginHandler := &authflowv2.AuthflowV2LoginHandler{
-		SignupLoginHandler:   internalAuthflowV2SignupLoginHandler,
-		UIConfig:             uiConfig,
-		AuthenticationConfig: authenticationConfig,
-		Controller:           authflowController,
-		BaseViewModel:        baseViewModeler,
-		AuthflowViewModel:    authflowViewModeler,
-		Renderer:             responseRenderer,
-		MeterService:         meterService,
-		TutorialCookie:       tutorialCookie,
-		ErrorService:         errorService,
-		Endpoints:            endpointsEndpoints,
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
 	}
-	return authflowV2LoginHandler
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
+	}
+	featureDisabledHandler := &webapp.FeatureDisabledHandler{
+		ControllerFactory: controllerFactory,
+		BaseViewModel:     baseViewModeler,
+		Renderer:          responseRenderer,
+	}
+	return featureDisabledHandler
 }
 
-func newWebAppAuthflowSignupHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppTesterHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	appID := appConfig.ID
 	factory := appProvider.LoggerFactory
-	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
+	handle := appProvider.AppDatabase
+	appredisHandle := appProvider.Redis
+	serviceLogger := webapp2.NewServiceLogger(factory)
 	request := p.Request
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	authenticationConfig := appConfig.Authentication
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
 	rootProvider := appProvider.RootProvider
 	environmentConfig := rootProvider.EnvironmentConfig
 	trustProxy := environmentConfig.TrustProxy
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
 	httpHost := deps.ProvideHTTPHost(request, trustProxy)
 	httpProto := deps.ProvideHTTPProto(request, trustProxy)
-	appContext := appProvider.AppContext
-	config := appContext.Config
-	appConfig := config.AppConfig
-	uiConfig := appConfig.UI
 	globalUIImplementation := environmentConfig.UIImplementation
 	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
 	uiImplementationService := &web.UIImplementationService{
@@ -83802,45 +84259,46 @@ func newWebAppAuthflowSignupHandler(p *deps.RequestProvider) http.Handler {
 		HTTPProto:               httpProto,
 		UIImplementationService: uiImplementationService,
 	}
-	clockClock := _wireSystemClockValue
-	httpConfig := appConfig.HTTP
-	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
-	appID := appConfig.ID
-	handle := appProvider.Redis
-	sessionStoreRedis := &webapp2.SessionStoreRedis{
-		AppID: appID,
-		Redis: handle,
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
 	}
-	sessionCookieDef := webapp2.NewSessionCookieDef()
-	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	resolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	logger := interaction.NewLogger(factory)
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
 	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	clockClock := _wireSystemClockValue
 	featureConfig := config.FeatureConfig
-	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
-	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	redisLogger := redis.NewLogger(factory)
 	secretConfig := config.SecretConfig
 	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	appdbHandle := appProvider.AppDatabase
-	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
-	store := &user.Store{
+	store := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 		Clock:       clockClock,
-		AppID:       appID,
-	}
-	rawCommands := &user.RawCommands{
-		Store: store,
-		Clock: clockClock,
-	}
-	rawQueries := &user.RawQueries{
-		Store: store,
 	}
 	userAgentString := deps.ProvideUserAgentString(request)
-	logger := event.NewLogger(factory)
+	eventLogger := event.NewLogger(factory)
 	localizationConfig := appConfig.Localization
 	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
 	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
-	authenticationConfig := appConfig.Authentication
+	userStore := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: userStore,
+	}
 	identityConfig := appConfig.Identity
 	identityFeatureConfig := featureConfig.Identity
 	serviceStore := &service.Store{
@@ -83904,19 +84362,20 @@ func newWebAppAuthflowSignupHandler(p *deps.RequestProvider) http.Handler {
 	}
 	store2 := &passkey2.Store{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
 	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
 	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
-	resolver := &template.Resolver{
+	templateResolver := &template.Resolver{
 		Resources:             manager,
 		DefaultLanguageTag:    defaultLanguageTag,
 		SupportedLanguageTags: supportedLanguageTags,
 	}
 	engine := &template.Engine{
-		Resolver: resolver,
+		Resolver: templateResolver,
 	}
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
 	staticAssetResolver := &web.StaticAssetResolver{
@@ -83954,14 +84413,14 @@ func newWebAppAuthflowSignupHandler(p *deps.RequestProvider) http.Handler {
 	web3Config := appConfig.Web3
 	storeRedis := &siwe2.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
 	ratelimitLogger := ratelimit.NewLogger(factory)
 	storageRedis := &ratelimit.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	rateLimitsFeatureConfig := featureConfig.RateLimits
 	limiter := &ratelimit.Limiter{
@@ -84076,17 +84535,17 @@ func newWebAppAuthflowSignupHandler(p *deps.RequestProvider) http.Handler {
 	testModeConfig := appConfig.TestMode
 	testModeFeatureConfig := featureConfig.TestMode
 	codeStoreRedis := &otp.CodeStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	lookupStoreRedis := &otp.LookupStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	attemptTrackerRedis := &otp.AttemptTrackerRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -84112,7 +84571,7 @@ func newWebAppAuthflowSignupHandler(p *deps.RequestProvider) http.Handler {
 	lockoutLogger := lockout.NewLogger(factory)
 	lockoutStorageRedis := &lockout.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	lockoutService := &lockout.Service{
 		Logger:  lockoutLogger,
@@ -84156,14 +84615,14 @@ func newWebAppAuthflowSignupHandler(p *deps.RequestProvider) http.Handler {
 		UserProfileConfig: userProfileConfig,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         store,
+		UserStore:         userStore,
 		ClaimStore:        storePQ,
 		Transformer:       pictureTransformer,
 	}
 	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
 		Config:      userProfileConfig,
 		UserQueries: rawQueries,
-		UserStore:   store,
+		UserStore:   userStore,
 	}
 	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
 	web3Service := &web3.Service{
@@ -84180,7 +84639,7 @@ func newWebAppAuthflowSignupHandler(p *deps.RequestProvider) http.Handler {
 	}
 	userQueries := &user.Queries{
 		RawQueries:         rawQueries,
-		Store:              store,
+		Store:              userStore,
 		Identities:         serviceService,
 		Authenticators:     service3,
 		Verification:       verificationService,
@@ -84253,16 +84712,16 @@ func newWebAppAuthflowSignupHandler(p *deps.RequestProvider) http.Handler {
 	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
 	client := elasticsearch.NewClient(elasticsearchCredentials)
 	queue := appProvider.TaskQueue
-	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
 	elasticsearchService := elasticsearch.Service{
 		Clock:           clockClock,
 		Context:         contextContext,
-		Database:        appdbHandle,
+		Database:        handle,
 		Logger:          elasticsearchServiceLogger,
 		AppID:           appID,
 		Client:          client,
 		Users:           userQueries,
-		UserStore:       store,
+		UserStore:       userStore,
 		IdentityService: serviceService,
 		RolesGroups:     rolesgroupsStore,
 		TaskQueue:       queue,
@@ -84271,26 +84730,11 @@ func newWebAppAuthflowSignupHandler(p *deps.RequestProvider) http.Handler {
 	elasticsearchSink := &elasticsearch.Sink{
 		Logger:   elasticsearchLogger,
 		Service:  elasticsearchService,
-		Database: appdbHandle,
-	}
-	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
-	userCommands := &user.Commands{
-		RawCommands:        rawCommands,
-		RawQueries:         rawQueries,
-		Events:             eventService,
-		Verification:       verificationService,
-		UserProfileConfig:  userProfileConfig,
-		StandardAttributes: serviceNoEvent,
-		CustomAttributes:   customattrsServiceNoEvent,
-		Web3:               web3Service,
-		RolesAndGroups:     queries,
-	}
-	userProvider := &user.Provider{
-		Commands: userCommands,
-		Queries:  userQueries,
+		Database: handle,
 	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
 	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -84318,7 +84762,7 @@ func newWebAppAuthflowSignupHandler(p *deps.RequestProvider) http.Handler {
 		Logger: usageLogger,
 		Clock:  clockClock,
 		AppID:  appID,
-		Redis:  handle,
+		Redis:  appredisHandle,
 	}
 	messagingConfig := appConfig.Messaging
 	messagingRateLimitsConfig := messagingConfig.RateLimits
@@ -84333,21 +84777,21 @@ func newWebAppAuthflowSignupHandler(p *deps.RequestProvider) http.Handler {
 		FeatureConfig: messagingFeatureConfig,
 		EnvConfig:     rateLimitsEnvironmentConfig,
 	}
-	serviceLogger := whatsapp.NewServiceLogger(factory)
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
 	devMode := environmentConfig.DevMode
 	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
 	testModeWhatsappConfig := testModeConfig.Whatsapp
 	whatsappConfig := messagingConfig.Whatsapp
 	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
 	tokenStore := &whatsapp.TokenStore{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
 	whatsappService := &whatsapp.Service{
 		Context:                           contextContext,
-		Logger:                            serviceLogger,
+		Logger:                            whatsappServiceLogger,
 		DevMode:                           devMode,
 		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
 		TestModeWhatsappConfig:            testModeWhatsappConfig,
@@ -84369,12 +84813,27 @@ func newWebAppAuthflowSignupHandler(p *deps.RequestProvider) http.Handler {
 		Sender:      sender,
 		Translation: translationService,
 	}
+	rawCommands := &user.RawCommands{
+		Store: userStore,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
 	stdattrsService := &stdattrs2.Service{
 		UserProfileConfig: userProfileConfig,
 		ServiceNoEvent:    serviceNoEvent,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         store,
+		UserStore:         userStore,
 		Events:            eventService,
 	}
 	authorizationStore := &pq.AuthorizationStore{
@@ -84383,32 +84842,21 @@ func newWebAppAuthflowSignupHandler(p *deps.RequestProvider) http.Handler {
 	}
 	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
 	idpsessionStoreRedis := &idpsession.StoreRedis{
-		Redis:  handle,
+		Redis:  appredisHandle,
 		AppID:  appID,
 		Clock:  clockClock,
 		Logger: storeRedisLogger,
 	}
 	sessionConfig := appConfig.Session
-	cookieDef := session.NewSessionCookieDef(sessionConfig)
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
 	idpsessionManager := &idpsession.Manager{
 		Store:     idpsessionStoreRedis,
 		Config:    sessionConfig,
 		Cookies:   cookieManager,
-		CookieDef: cookieDef,
-	}
-	redisLogger := redis.NewLogger(factory)
-	redisStore := &redis.Store{
-		Context:     contextContext,
-		Redis:       handle,
-		AppID:       appID,
-		Logger:      redisLogger,
-		SQLBuilder:  sqlBuilderApp,
-		SQLExecutor: sqlExecutor,
-		Clock:       clockClock,
+		CookieDef: cookieDef2,
 	}
-	oAuthConfig := appConfig.OAuth
 	eventStoreRedis := &access.EventStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 	}
 	eventProvider := &access.EventProvider{
@@ -84420,7 +84868,7 @@ func newWebAppAuthflowSignupHandler(p *deps.RequestProvider) http.Handler {
 		RemoteIP:        remoteIP,
 		UserAgentString: userAgentString,
 		AppID:           appID,
-		Redis:           handle,
+		Redis:           appredisHandle,
 		Store:           idpsessionStoreRedis,
 		AccessEvents:    eventProvider,
 		TrustProxy:      trustProxy,
@@ -84428,19 +84876,15 @@ func newWebAppAuthflowSignupHandler(p *deps.RequestProvider) http.Handler {
 		Clock:           clockClock,
 		Random:          idpsessionRand,
 	}
-	oauthclientResolver := &oauthclient.Resolver{
-		OAuthConfig:     oAuthConfig,
-		TesterEndpoints: endpointsEndpoints,
-	}
 	offlineGrantService := oauth2.OfflineGrantService{
 		OAuthConfig:    oAuthConfig,
 		Clock:          clockClock,
 		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
 	}
 	sessionManager := &oauth2.SessionManager{
-		Store:   redisStore,
+		Store:   store,
 		Config:  oAuthConfig,
 		Service: offlineGrantService,
 	}
@@ -84479,23 +84923,15 @@ func newWebAppAuthflowSignupHandler(p *deps.RequestProvider) http.Handler {
 	identityFacade := facade.IdentityFacade{
 		Coordinator: coordinator,
 	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
 	anonymousStoreRedis := &anonymous.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
-	authenticatorFacade := facade.AuthenticatorFacade{
-		Coordinator: coordinator,
-	}
-	mfaFacade := &facade.MFAFacade{
-		Coordinator: coordinator,
-	}
-	customattrsService := &customattrs.Service{
-		Config:         userProfileConfig,
-		ServiceNoEvent: customattrsServiceNoEvent,
-		Events:         eventService,
-	}
 	messageSender := &otp.MessageSender{
 		AppID:           appID,
 		Translation:     translationService,
@@ -84503,8 +84939,28 @@ func newWebAppAuthflowSignupHandler(p *deps.RequestProvider) http.Handler {
 		Sender:          sender,
 		WhatsappService: whatsappService,
 	}
-	workflowVerificationFacade := facade.WorkflowVerificationFacade{
-		Verification: verificationService,
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
 	}
 	forgotpasswordLogger := forgotpassword.NewLogger(factory)
 	sender2 := forgotpassword.Sender{
@@ -84523,226 +84979,139 @@ func newWebAppAuthflowSignupHandler(p *deps.RequestProvider) http.Handler {
 		OTPSender:      messageSender,
 		PasswordSender: sender2,
 	}
-	accountMigrationConfig := appConfig.AccountMigration
-	accountMigrationHookConfig := accountMigrationConfig.Hook
-	hookDenoClient := accountmigration.NewHookDenoClient(denoEndpoint, hookLogger, accountMigrationHookConfig)
-	denoMiddlewareLogger := accountmigration.NewDenoMiddlewareLogger(factory)
-	accountMigrationDenoHook := &accountmigration.AccountMigrationDenoHook{
-		DenoHook: denoHook,
-		Client:   hookDenoClient,
-		Logger:   denoMiddlewareLogger,
-	}
-	hookWebHookImpl := &hook.WebHookImpl{
-		Logger: webHookLogger,
-		Secret: webhookKeyMaterials,
-	}
-	hookHTTPClient := accountmigration.NewHookHTTPClient(accountMigrationHookConfig)
-	webhookMiddlewareLogger := accountmigration.NewWebhookMiddlewareLogger(factory)
-	accountMigrationWebHook := &accountmigration.AccountMigrationWebHook{
-		WebHook: hookWebHookImpl,
-		Client:  hookHTTPClient,
-		Logger:  webhookMiddlewareLogger,
-	}
-	accountmigrationService := &accountmigration.Service{
-		Config:   accountMigrationHookConfig,
-		DenoHook: accountMigrationDenoHook,
-		WebHook:  accountMigrationWebHook,
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
 	}
 	challengeProvider := &challenge.Provider{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
-	captchaConfig := appConfig.Captcha
-	providerLogger := captcha.NewProviderLogger(factory)
-	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
-	cloudflareClient := captcha2.NewCloudflareClient(deprecated_CaptchaCloudflareCredentials)
-	captchaProvider := &captcha.Provider{
-		RemoteIP:         remoteIP,
-		Config:           captchaConfig,
-		Logger:           providerLogger,
-		CloudflareClient: cloudflareClient,
-	}
-	botProtectionConfig := appConfig.BotProtection
-	botprotectionProviderLogger := botprotection.NewProviderLogger(factory)
-	botProtectionProviderCredentials := deps.ProvideBotProtectionProvidersCredentials(secretConfig)
-	botprotectionCloudflareClient := botprotection.NewCloudflareClient(botProtectionProviderCredentials, environmentConfig)
-	recaptchaV2Client := botprotection.NewRecaptchaV2Client(botProtectionProviderCredentials, environmentConfig)
-	botprotectionProvider := &botprotection.Provider{
-		RemoteIP:          remoteIP,
-		Config:            botProtectionConfig,
-		Logger:            botprotectionProviderLogger,
-		CloudflareClient:  botprotectionCloudflareClient,
-		RecaptchaV2Client: recaptchaV2Client,
-		Events:            eventService,
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
 	}
-	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
-	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
-	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
 		Context: contextContext,
+		Redis:   appredisHandle,
 		AppID:   appID,
-		Redis:   handle,
-	}
-	oAuthProviderFactory := &sso.OAuthProviderFactory{
-		IdentityConfig:               identityConfig,
-		Credentials:                  oAuthSSOProviderCredentials,
-		Clock:                        clockClock,
-		StandardAttributesNormalizer: normalizer,
-		HTTPClient:                   oAuthHTTPClient,
-		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
-	}
-	requestOptionsService := &passkey2.RequestOptionsService{
-		ConfigService:   configService,
-		IdentityService: serviceService,
-		Store:           store2,
-	}
-	creationOptionsService := &passkey2.CreationOptionsService{
-		ConfigService:   configService,
-		UserService:     userQueries,
-		IdentityService: serviceService,
-		Store:           store2,
-	}
-	ldapConfig := identityConfig.LDAP
-	ldapServerUserCredentials := deps.ProvideLDAPServerUserCredentials(secretConfig)
-	clientFactory := &ldap2.ClientFactory{
-		Config:       ldapConfig,
-		SecretConfig: ldapServerUserCredentials,
 	}
 	manager2 := &session.Manager{
 		IDPSessions:         idpsessionManager,
 		AccessTokenSessions: sessionManager,
 		Events:              eventService,
 	}
-	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
-	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
-	userFacade := &facade.UserFacade{
-		UserProvider: userProvider,
-		Coordinator:  coordinator,
-	}
-	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
-	idTokenIssuer := &oidc.IDTokenIssuer{
-		Secrets:        oAuthKeyMaterials,
-		BaseURL:        endpointsEndpoints,
-		Users:          userQueries,
-		RolesAndGroups: queries,
-		Clock:          clockClock,
-	}
-	dependencies := &authenticationflow.Dependencies{
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
 		Config:                          appConfig,
 		FeatureConfig:                   featureConfig,
-		Clock:                           clockClock,
-		RemoteIP:                        remoteIP,
-		HTTPOrigin:                      httpOrigin,
-		HTTPRequest:                     request,
-		Users:                           userProvider,
+		OAuthClientResolver:             resolver,
+		OfflineGrants:                   store,
 		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
 		AnonymousIdentities:             anonymousProvider,
 		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
-		Authenticators:                  authenticatorFacade,
-		MFA:                             mfaFacade,
-		StdAttrsService:                 stdattrsService,
-		CustomAttrsService:              customattrsService,
-		OTPCodes:                        otpService,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
 		OTPSender:                       messageSender,
-		Verification:                    workflowVerificationFacade,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
 		ForgotPassword:                  forgotpasswordService,
 		ResetPassword:                   forgotpasswordService,
-		AccountMigrations:               accountmigrationService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
 		Challenges:                      challengeProvider,
-		Captcha:                         captchaProvider,
-		BotProtection:                   botprotectionProvider,
-		OAuthProviderFactory:            oAuthProviderFactory,
-		PasskeyRequestOptionsService:    requestOptionsService,
-		PasskeyCreationOptionsService:   creationOptionsService,
-		PasskeyService:                  passkeyService,
-		LoginIDs:                        provider,
-		LDAP:                            ldapProvider,
-		LDAPClientFactory:               clientFactory,
-		IDPSessions:                     idpsessionProvider,
-		Sessions:                        manager2,
-		AuthenticationInfos:             authenticationinfoStoreRedis,
-		SessionCookie:                   cookieDef,
-		MFADeviceTokenCookie:            mfaCookieDef,
-		UserFacade:                      userFacade,
-		Cookies:                         cookieManager,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
 		Events:                          eventService,
-		RateLimiter:                     limiter,
-		OfflineGrants:                   redisStore,
-		IDTokens:                        idTokenIssuer,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
 	}
-	authenticationflowServiceLogger := authenticationflow.NewServiceLogger(factory)
-	authenticationflowStoreImpl := &authenticationflow.StoreImpl{
-		Redis:   handle,
-		AppID:   appID,
-		Context: contextContext,
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
 	}
-	uiService := &authenticationinfo.UIService{
-		EndpointsProvider: endpointsEndpoints,
+	interactionService := &interaction.Service{
+		Logger:  logger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
 	}
-	authenticationflowService := &authenticationflow.Service{
-		ContextDoNotUseDirectly: contextContext,
-		Deps:                    dependencies,
-		Logger:                  authenticationflowServiceLogger,
-		Store:                   authenticationflowStoreImpl,
-		Database:                appdbHandle,
-		UIConfig:                uiConfig,
-		UIInfoResolver:          uiService,
-		OAuthClientResolver:     oauthclientResolver,
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  resolver,
+		Graph:                interactionService,
 	}
-	oauthsessionStoreRedis := &oauthsession.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
 	}
-	samlsessionStoreRedis := &samlsession.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               resolver,
+		Logger:                            baseLogger,
 	}
-	promptResolver := &oauth2.PromptResolver{
-		Clock: clockClock,
-	}
-	oauthOfflineGrantService := &oauth2.OfflineGrantService{
-		OAuthConfig:    oAuthConfig,
-		Clock:          clockClock,
-		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
-	}
-	idTokenHintResolver := &oidc.IDTokenHintResolver{
-		Issuer:              idTokenIssuer,
-		Sessions:            idpsessionProvider,
-		OfflineGrantService: oauthOfflineGrantService,
-	}
-	uiInfoResolver := &oidc.UIInfoResolver{
-		Config:              oAuthConfig,
-		EndpointsProvider:   endpointsEndpoints,
-		PromptResolver:      promptResolver,
-		IDTokenHintResolver: idTokenHintResolver,
-		Clock:               clockClock,
-		Cookies:             cookieManager,
-		ClientResolver:      oauthclientResolver,
-	}
-	webappoauthStore := &webappoauth.Store{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
 	}
+	publisher := webapp.NewPublisher(appID, appredisHandle)
 	authflowNavigator := &webapp2.AuthflowNavigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
-	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
-	errorService := &webapp2.ErrorService{
-		AppID:       appID,
-		Cookie:      errorTokenCookieDef,
-		RedisHandle: handle,
-		Cookies:     cookieManager,
-	}
 	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
@@ -84753,135 +85122,220 @@ func newWebAppAuthflowSignupHandler(p *deps.RequestProvider) http.Handler {
 		AuthflowV1Navigator:     authflowNavigator,
 		AuthflowV2Navigator:     authflowV2Navigator,
 	}
-	authflowController := &webapp.AuthflowController{
-		Logger:                  authflowControllerLogger,
-		TesterEndpointsProvider: endpointsEndpoints,
-		TrustProxy:              trustProxy,
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
 		Clock:                   clockClock,
-		Cookies:                 cookieManager,
-		Sessions:                sessionStoreRedis,
-		SessionCookie:           sessionCookieDef,
-		SignedUpCookie:          signedUpCookieDef,
-		Authflows:               authenticationflowService,
-		OAuthSessions:           oauthsessionStoreRedis,
-		SAMLSessions:            samlsessionStoreRedis,
-		UIInfoResolver:          uiInfoResolver,
-		UIConfig:                uiConfig,
-		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowNavigator,
+		TesterEndpointsProvider: endpointsEndpoints,
 		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
 	}
-	uiFeatureConfig := featureConfig.UI
-	forgotPasswordConfig := appConfig.ForgotPassword
-	googleTagManagerConfig := appConfig.GoogleTagManager
-	flashMessage := &httputil.FlashMessage{
-		Cookies: cookieManager,
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
 	}
-	authUISentryDSN := environmentConfig.AuthUISentryDSN
-	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
-	baseLogger := viewmodels.NewBaseLogger(factory)
-	baseViewModeler := &viewmodels.BaseViewModeler{
-		TrustProxy:                        trustProxy,
-		OAuth:                             oAuthConfig,
-		AuthUI:                            uiConfig,
-		AuthUIFeatureConfig:               uiFeatureConfig,
-		StaticAssets:                      staticAssetResolver,
-		ForgotPassword:                    forgotPasswordConfig,
-		Authentication:                    authenticationConfig,
-		GoogleTagManager:                  googleTagManagerConfig,
-		BotProtection:                     botProtectionConfig,
-		ErrorService:                      errorService,
-		Translations:                      translationService,
-		Clock:                             clockClock,
-		FlashMessage:                      flashMessage,
-		DefaultLanguageTag:                defaultLanguageTag,
-		SupportedLanguageTags:             supportedLanguageTags,
-		AuthUISentryDSN:                   authUISentryDSN,
-		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
-		OAuthClientResolver:               oauthclientResolver,
-		Logger:                            baseLogger,
+	globalredisHandle := appProvider.GlobalRedis
+	testerStore := &tester.TesterStore{
+		Context: contextContext,
+		Redis:   globalredisHandle,
 	}
-	authflowViewModeler := &viewmodels.AuthflowViewModeler{
-		Authentication: authenticationConfig,
-		LoginID:        loginIDConfig,
-		Identity:       identityConfig,
+	appDomains := appContext.Domains
+	oAuthFeatureConfig := featureConfig.OAuth
+	oAuthClientCredentials := deps.ProvideOAuthClientCredentials(secretConfig)
+	tokenHandlerLogger := handler.NewTokenHandlerLogger(factory)
+	oauthOfflineGrantService := &oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
 	}
-	responseRenderer := &webapp.ResponseRenderer{
-		TemplateEngine: engine,
+	authorizationService := &oauth2.AuthorizationService{
+		AppID:               appID,
+		Store:               authorizationStore,
+		Clock:               clockClock,
+		OAuthSessionManager: sessionManager,
+		OfflineGrantService: oauthOfflineGrantService,
+		OfflineGrantStore:   store,
 	}
-	analyticredisHandle := appProvider.AnalyticRedis
-	meterStoreRedisLogger := meter.NewStoreRedisLogger(factory)
-	writeStoreRedis := &meter.WriteStoreRedis{
-		Context: contextContext,
-		Redis:   analyticredisHandle,
-		AppID:   appID,
-		Clock:   clockClock,
-		Logger:  meterStoreRedisLogger,
+	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
+	idTokenIssuer := &oidc.IDTokenIssuer{
+		Secrets:        oAuthKeyMaterials,
+		BaseURL:        endpointsEndpoints,
+		Users:          userQueries,
+		RolesAndGroups: queries,
+		Clock:          clockClock,
 	}
-	meterService := &meter.Service{
-		Counter: writeStoreRedis,
+	facadeIdentityFacade := &facade.IdentityFacade{
+		Coordinator: coordinator,
 	}
-	tutorialCookie := &httputil.TutorialCookie{
-		Cookies: cookieManager,
+	accessTokenEncoding := oauth2.AccessTokenEncoding{
+		Secrets:       oAuthKeyMaterials,
+		Clock:         clockClock,
+		IDTokenIssuer: idTokenIssuer,
+		BaseURL:       endpointsEndpoints,
+		Events:        eventService,
+		Identities:    facadeIdentityFacade,
 	}
-	authflowSignupHandler := &webapp.AuthflowSignupHandler{
-		Controller:        authflowController,
-		BaseViewModel:     baseViewModeler,
-		AuthflowViewModel: authflowViewModeler,
-		Renderer:          responseRenderer,
-		MeterService:      meterService,
-		TutorialCookie:    tutorialCookie,
-		Endpoints:         endpointsEndpoints,
+	accessGrantService := &oauth2.AccessGrantService{
+		AppID:             appID,
+		AccessGrants:      store,
+		AccessTokenIssuer: accessTokenEncoding,
+		Clock:             clockClock,
 	}
-	return authflowSignupHandler
+	preAuthenticatedURLTokenServiceImpl := &handler.PreAuthenticatedURLTokenServiceImpl{
+		Clock:                     clockClock,
+		PreAuthenticatedURLTokens: store,
+		AccessGrantService:        accessGrantService,
+		OfflineGrantService:       oauthOfflineGrantService,
+	}
+	oauthAccessTokenEncoding := &oauth2.AccessTokenEncoding{
+		Secrets:       oAuthKeyMaterials,
+		Clock:         clockClock,
+		IDTokenIssuer: idTokenIssuer,
+		BaseURL:       endpointsEndpoints,
+		Events:        eventService,
+		Identities:    facadeIdentityFacade,
+	}
+	tokenGenerator := _wireTokenGeneratorValue
+	oauthAccessGrantService := oauth2.AccessGrantService{
+		AppID:             appID,
+		AccessGrants:      store,
+		AccessTokenIssuer: accessTokenEncoding,
+		Clock:             clockClock,
+	}
+	tokenService := &handler.TokenService{
+		RemoteIP:            remoteIP,
+		UserAgentString:     userAgentString,
+		AppID:               appID,
+		Config:              oAuthConfig,
+		Authorizations:      authorizationStore,
+		OfflineGrants:       store,
+		AccessGrants:        store,
+		OfflineGrantService: offlineGrantService,
+		AccessEvents:        eventProvider,
+		AccessTokenIssuer:   oauthAccessTokenEncoding,
+		GenerateToken:       tokenGenerator,
+		Clock:               clockClock,
+		Users:               userQueries,
+		AccessGrantService:  oauthAccessGrantService,
+	}
+	app2appProvider := &app2app.Provider{
+		Clock: clockClock,
+	}
+	codeGrantService := handler.CodeGrantService{
+		AppID:         appID,
+		CodeGenerator: tokenGenerator,
+		Clock:         clockClock,
+		CodeGrants:    store,
+	}
+	promptResolver := &oauth2.PromptResolver{
+		Clock: clockClock,
+	}
+	idTokenHintResolver := &oidc.IDTokenHintResolver{
+		Issuer:              idTokenIssuer,
+		Sessions:            idpsessionProvider,
+		OfflineGrantService: oauthOfflineGrantService,
+	}
+	uiInfoResolver := &oidc.UIInfoResolver{
+		Config:              oAuthConfig,
+		EndpointsProvider:   endpointsEndpoints,
+		PromptResolver:      promptResolver,
+		IDTokenHintResolver: idTokenHintResolver,
+		Clock:               clockClock,
+		Cookies:             cookieManager,
+		ClientResolver:      resolver,
+	}
+	scopesValidator := _wireScopesValidatorValue
+	tokenHandler := &handler.TokenHandler{
+		Context:                         contextContext,
+		AppID:                           appID,
+		AppDomains:                      appDomains,
+		HTTPProto:                       httpProto,
+		HTTPOrigin:                      httpOrigin,
+		OAuthFeatureConfig:              oAuthFeatureConfig,
+		IdentityFeatureConfig:           identityFeatureConfig,
+		OAuthClientCredentials:          oAuthClientCredentials,
+		Logger:                          tokenHandlerLogger,
+		Authorizations:                  authorizationService,
+		CodeGrants:                      store,
+		SettingsActionGrantStore:        store,
+		IDPSessions:                     idpsessionProvider,
+		OfflineGrants:                   store,
+		AppSessionTokens:                store,
+		OfflineGrantService:             oauthOfflineGrantService,
+		PreAuthenticatedURLTokenService: preAuthenticatedURLTokenServiceImpl,
+		Graphs:                          interactionService,
+		IDTokenIssuer:                   idTokenIssuer,
+		Clock:                           clockClock,
+		TokenService:                    tokenService,
+		Events:                          eventService,
+		SessionManager:                  manager2,
+		App2App:                         app2appProvider,
+		Challenges:                      challengeProvider,
+		CodeGrantService:                codeGrantService,
+		ClientResolver:                  resolver,
+		UIInfoResolver:                  uiInfoResolver,
+		RemoteIP:                        remoteIP,
+		UserAgentString:                 userAgentString,
+		ValidateScopes:                  scopesValidator,
+	}
+	appSessionTokenService := &oauth2.AppSessionTokenService{
+		AppSessions:         store,
+		AppSessionTokens:    store,
+		OfflineGrantService: oauthOfflineGrantService,
+		Cookies:             cookieManager,
+		Clock:               clockClock,
+	}
+	testerHandler := &webapp.TesterHandler{
+		AppID:                   appID,
+		ControllerFactory:       controllerFactory,
+		OauthEndpointsProvider:  endpointsEndpoints,
+		TesterEndpointsProvider: endpointsEndpoints,
+		TesterService:           testerStore,
+		TesterTokenIssuer:       tokenHandler,
+		OAuthClientResolver:     resolver,
+		AppSessionTokenService:  appSessionTokenService,
+		CookieManager:           cookieManager,
+		Renderer:                responseRenderer,
+		BaseViewModel:           baseViewModeler,
+		UserInfoProvider:        idTokenIssuer,
+		OfflineGrants:           oauthOfflineGrantService,
+	}
+	return testerHandler
 }
 
-func newWebAppAuthflowV2SignupHandler(p *deps.RequestProvider) http.Handler {
+func newAPIWorkflowNewHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
-	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
+	jsonResponseWriterLogger := httputil.NewJSONResponseWriterLogger(factory)
+	jsonResponseWriter := &httputil.JSONResponseWriter{
+		Logger: jsonResponseWriterLogger,
+	}
 	request := p.Request
 	rootProvider := appProvider.RootProvider
 	environmentConfig := rootProvider.EnvironmentConfig
 	trustProxy := environmentConfig.TrustProxy
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
 	appContext := appProvider.AppContext
 	config := appContext.Config
 	appConfig := config.AppConfig
-	uiConfig := appConfig.UI
-	globalUIImplementation := environmentConfig.UIImplementation
-	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
-	uiImplementationService := &web.UIImplementationService{
-		UIConfig:                       uiConfig,
-		GlobalUIImplementation:         globalUIImplementation,
-		GlobalUISettingsImplementation: globalUISettingsImplementation,
-	}
-	endpointsEndpoints := &endpoints.Endpoints{
-		HTTPHost:                httpHost,
-		HTTPProto:               httpProto,
-		UIImplementationService: uiImplementationService,
-	}
-	clockClock := _wireSystemClockValue
 	httpConfig := appConfig.HTTP
 	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
-	appID := appConfig.ID
-	handle := appProvider.Redis
-	sessionStoreRedis := &webapp2.SessionStoreRedis{
-		AppID: appID,
-		Redis: handle,
-	}
-	sessionCookieDef := webapp2.NewSessionCookieDef()
-	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
 	contextContext := deps.ProvideRequestContext(request)
 	featureConfig := config.FeatureConfig
+	clockClock := _wireSystemClockValue
 	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
-	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	secretConfig := config.SecretConfig
 	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	appID := appConfig.ID
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	appdbHandle := appProvider.AppDatabase
-	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
+	handle := appProvider.AppDatabase
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
 	store := &user.Store{
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
@@ -84912,6 +85366,7 @@ func newWebAppAuthflowV2SignupHandler(p *deps.RequestProvider) http.Handler {
 		SQLExecutor: sqlExecutor,
 	}
 	loginIDConfig := identityConfig.LoginID
+	uiConfig := appConfig.UI
 	manager := appContext.Resources
 	typeCheckerFactory := &loginid.TypeCheckerFactory{
 		UIConfig:      uiConfig,
@@ -84962,9 +85417,10 @@ func newWebAppAuthflowV2SignupHandler(p *deps.RequestProvider) http.Handler {
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 	}
+	appredisHandle := appProvider.Redis
 	store2 := &passkey2.Store{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
 	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
@@ -84977,6 +85433,9 @@ func newWebAppAuthflowV2SignupHandler(p *deps.RequestProvider) http.Handler {
 	engine := &template.Engine{
 		Resolver: resolver,
 	}
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
 	staticAssetResolver := &web.StaticAssetResolver{
@@ -85014,14 +85473,14 @@ func newWebAppAuthflowV2SignupHandler(p *deps.RequestProvider) http.Handler {
 	web3Config := appConfig.Web3
 	storeRedis := &siwe2.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
 	ratelimitLogger := ratelimit.NewLogger(factory)
 	storageRedis := &ratelimit.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	rateLimitsFeatureConfig := featureConfig.RateLimits
 	limiter := &ratelimit.Limiter{
@@ -85136,17 +85595,17 @@ func newWebAppAuthflowV2SignupHandler(p *deps.RequestProvider) http.Handler {
 	testModeConfig := appConfig.TestMode
 	testModeFeatureConfig := featureConfig.TestMode
 	codeStoreRedis := &otp.CodeStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	lookupStoreRedis := &otp.LookupStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	attemptTrackerRedis := &otp.AttemptTrackerRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -85172,7 +85631,7 @@ func newWebAppAuthflowV2SignupHandler(p *deps.RequestProvider) http.Handler {
 	lockoutLogger := lockout.NewLogger(factory)
 	lockoutStorageRedis := &lockout.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	lockoutService := &lockout.Service{
 		Logger:  lockoutLogger,
@@ -85313,11 +85772,11 @@ func newWebAppAuthflowV2SignupHandler(p *deps.RequestProvider) http.Handler {
 	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
 	client := elasticsearch.NewClient(elasticsearchCredentials)
 	queue := appProvider.TaskQueue
-	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
 	elasticsearchService := elasticsearch.Service{
 		Clock:           clockClock,
 		Context:         contextContext,
-		Database:        appdbHandle,
+		Database:        handle,
 		Logger:          elasticsearchServiceLogger,
 		AppID:           appID,
 		Client:          client,
@@ -85331,9 +85790,9 @@ func newWebAppAuthflowV2SignupHandler(p *deps.RequestProvider) http.Handler {
 	elasticsearchSink := &elasticsearch.Sink{
 		Logger:   elasticsearchLogger,
 		Service:  elasticsearchService,
-		Database: appdbHandle,
+		Database: handle,
 	}
-	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
 	userCommands := &user.Commands{
 		RawCommands:        rawCommands,
 		RawQueries:         rawQueries,
@@ -85350,7 +85809,7 @@ func newWebAppAuthflowV2SignupHandler(p *deps.RequestProvider) http.Handler {
 		Queries:  userQueries,
 	}
 	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -85378,7 +85837,7 @@ func newWebAppAuthflowV2SignupHandler(p *deps.RequestProvider) http.Handler {
 		Logger: usageLogger,
 		Clock:  clockClock,
 		AppID:  appID,
-		Redis:  handle,
+		Redis:  appredisHandle,
 	}
 	messagingConfig := appConfig.Messaging
 	messagingRateLimitsConfig := messagingConfig.RateLimits
@@ -85400,7 +85859,7 @@ func newWebAppAuthflowV2SignupHandler(p *deps.RequestProvider) http.Handler {
 	whatsappConfig := messagingConfig.Whatsapp
 	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
 	tokenStore := &whatsapp.TokenStore{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -85443,7 +85902,7 @@ func newWebAppAuthflowV2SignupHandler(p *deps.RequestProvider) http.Handler {
 	}
 	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
 	idpsessionStoreRedis := &idpsession.StoreRedis{
-		Redis:  handle,
+		Redis:  appredisHandle,
 		AppID:  appID,
 		Clock:  clockClock,
 		Logger: storeRedisLogger,
@@ -85459,7 +85918,7 @@ func newWebAppAuthflowV2SignupHandler(p *deps.RequestProvider) http.Handler {
 	redisLogger := redis.NewLogger(factory)
 	redisStore := &redis.Store{
 		Context:     contextContext,
-		Redis:       handle,
+		Redis:       appredisHandle,
 		AppID:       appID,
 		Logger:      redisLogger,
 		SQLBuilder:  sqlBuilderApp,
@@ -85468,7 +85927,7 @@ func newWebAppAuthflowV2SignupHandler(p *deps.RequestProvider) http.Handler {
 	}
 	oAuthConfig := appConfig.OAuth
 	eventStoreRedis := &access.EventStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 	}
 	eventProvider := &access.EventProvider{
@@ -85480,7 +85939,7 @@ func newWebAppAuthflowV2SignupHandler(p *deps.RequestProvider) http.Handler {
 		RemoteIP:        remoteIP,
 		UserAgentString: userAgentString,
 		AppID:           appID,
-		Redis:           handle,
+		Redis:           appredisHandle,
 		Store:           idpsessionStoreRedis,
 		AccessEvents:    eventProvider,
 		TrustProxy:      trustProxy,
@@ -85488,6 +85947,18 @@ func newWebAppAuthflowV2SignupHandler(p *deps.RequestProvider) http.Handler {
 		Clock:           clockClock,
 		Random:          idpsessionRand,
 	}
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
 	oauthclientResolver := &oauthclient.Resolver{
 		OAuthConfig:     oAuthConfig,
 		TesterEndpoints: endpointsEndpoints,
@@ -85539,12 +86010,6 @@ func newWebAppAuthflowV2SignupHandler(p *deps.RequestProvider) http.Handler {
 	identityFacade := facade.IdentityFacade{
 		Coordinator: coordinator,
 	}
-	anonymousStoreRedis := &anonymous.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-		Clock:   clockClock,
-	}
 	authenticatorFacade := facade.AuthenticatorFacade{
 		Coordinator: coordinator,
 	}
@@ -85608,11 +86073,6 @@ func newWebAppAuthflowV2SignupHandler(p *deps.RequestProvider) http.Handler {
 		DenoHook: accountMigrationDenoHook,
 		WebHook:  accountMigrationWebHook,
 	}
-	challengeProvider := &challenge.Provider{
-		Redis: handle,
-		AppID: appID,
-		Clock: clockClock,
-	}
 	captchaConfig := appConfig.Captcha
 	providerLogger := captcha.NewProviderLogger(factory)
 	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
@@ -85623,51 +86083,6 @@ func newWebAppAuthflowV2SignupHandler(p *deps.RequestProvider) http.Handler {
 		Logger:           providerLogger,
 		CloudflareClient: cloudflareClient,
 	}
-	botProtectionConfig := appConfig.BotProtection
-	botprotectionProviderLogger := botprotection.NewProviderLogger(factory)
-	botProtectionProviderCredentials := deps.ProvideBotProtectionProvidersCredentials(secretConfig)
-	botprotectionCloudflareClient := botprotection.NewCloudflareClient(botProtectionProviderCredentials, environmentConfig)
-	recaptchaV2Client := botprotection.NewRecaptchaV2Client(botProtectionProviderCredentials, environmentConfig)
-	botprotectionProvider := &botprotection.Provider{
-		RemoteIP:          remoteIP,
-		Config:            botProtectionConfig,
-		Logger:            botprotectionProviderLogger,
-		CloudflareClient:  botprotectionCloudflareClient,
-		RecaptchaV2Client: recaptchaV2Client,
-		Events:            eventService,
-	}
-	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
-	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
-	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
-		Context: contextContext,
-		AppID:   appID,
-		Redis:   handle,
-	}
-	oAuthProviderFactory := &sso.OAuthProviderFactory{
-		IdentityConfig:               identityConfig,
-		Credentials:                  oAuthSSOProviderCredentials,
-		Clock:                        clockClock,
-		StandardAttributesNormalizer: normalizer,
-		HTTPClient:                   oAuthHTTPClient,
-		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
-	}
-	requestOptionsService := &passkey2.RequestOptionsService{
-		ConfigService:   configService,
-		IdentityService: serviceService,
-		Store:           store2,
-	}
-	creationOptionsService := &passkey2.CreationOptionsService{
-		ConfigService:   configService,
-		UserService:     userQueries,
-		IdentityService: serviceService,
-		Store:           store2,
-	}
-	ldapConfig := identityConfig.LDAP
-	ldapServerUserCredentials := deps.ProvideLDAPServerUserCredentials(secretConfig)
-	clientFactory := &ldap2.ClientFactory{
-		Config:       ldapConfig,
-		SecretConfig: ldapServerUserCredentials,
-	}
 	manager2 := &session.Manager{
 		IDPSessions:         idpsessionManager,
 		AccessTokenSessions: sessionManager,
@@ -85675,97 +86090,74 @@ func newWebAppAuthflowV2SignupHandler(p *deps.RequestProvider) http.Handler {
 	}
 	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
 	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
-	userFacade := &facade.UserFacade{
-		UserProvider: userProvider,
-		Coordinator:  coordinator,
-	}
-	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
-	idTokenIssuer := &oidc.IDTokenIssuer{
-		Secrets:        oAuthKeyMaterials,
-		BaseURL:        endpointsEndpoints,
-		Users:          userQueries,
-		RolesAndGroups: queries,
-		Clock:          clockClock,
-	}
-	dependencies := &authenticationflow.Dependencies{
-		Config:                          appConfig,
-		FeatureConfig:                   featureConfig,
-		Clock:                           clockClock,
-		RemoteIP:                        remoteIP,
-		HTTPOrigin:                      httpOrigin,
-		HTTPRequest:                     request,
-		Users:                           userProvider,
-		Identities:                      identityFacade,
-		AnonymousIdentities:             anonymousProvider,
-		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
-		Authenticators:                  authenticatorFacade,
-		MFA:                             mfaFacade,
-		StdAttrsService:                 stdattrsService,
-		CustomAttrsService:              customattrsService,
-		OTPCodes:                        otpService,
-		OTPSender:                       messageSender,
-		Verification:                    workflowVerificationFacade,
-		ForgotPassword:                  forgotpasswordService,
-		ResetPassword:                   forgotpasswordService,
-		AccountMigrations:               accountmigrationService,
-		Challenges:                      challengeProvider,
-		Captcha:                         captchaProvider,
-		BotProtection:                   botprotectionProvider,
-		OAuthProviderFactory:            oAuthProviderFactory,
-		PasskeyRequestOptionsService:    requestOptionsService,
-		PasskeyCreationOptionsService:   creationOptionsService,
-		PasskeyService:                  passkeyService,
-		LoginIDs:                        provider,
-		LDAP:                            ldapProvider,
-		LDAPClientFactory:               clientFactory,
-		IDPSessions:                     idpsessionProvider,
-		Sessions:                        manager2,
-		AuthenticationInfos:             authenticationinfoStoreRedis,
-		SessionCookie:                   cookieDef,
-		MFADeviceTokenCookie:            mfaCookieDef,
-		UserFacade:                      userFacade,
-		Cookies:                         cookieManager,
-		Events:                          eventService,
-		RateLimiter:                     limiter,
-		OfflineGrants:                   redisStore,
-		IDTokens:                        idTokenIssuer,
-	}
-	authenticationflowServiceLogger := authenticationflow.NewServiceLogger(factory)
-	authenticationflowStoreImpl := &authenticationflow.StoreImpl{
-		Redis:   handle,
+	workflowStoreImpl := &workflow.StoreImpl{
+		Redis:   appredisHandle,
 		AppID:   appID,
 		Context: contextContext,
 	}
+	eventStoreImpl := workflow.NewEventStore(appID, appredisHandle, workflowStoreImpl)
+	dependencies := &workflow.Dependencies{
+		Config:               appConfig,
+		FeatureConfig:        featureConfig,
+		Clock:                clockClock,
+		RemoteIP:             remoteIP,
+		HTTPRequest:          request,
+		Users:                userProvider,
+		Identities:           identityFacade,
+		Authenticators:       authenticatorFacade,
+		MFA:                  mfaFacade,
+		StdAttrsService:      stdattrsService,
+		CustomAttrsService:   customattrsService,
+		OTPCodes:             otpService,
+		OTPSender:            messageSender,
+		Verification:         workflowVerificationFacade,
+		ForgotPassword:       forgotpasswordService,
+		ResetPassword:        forgotpasswordService,
+		AccountMigrations:    accountmigrationService,
+		Captcha:              captchaProvider,
+		IDPSessions:          idpsessionProvider,
+		Sessions:             manager2,
+		AuthenticationInfos:  authenticationinfoStoreRedis,
+		SessionCookie:        cookieDef,
+		MFADeviceTokenCookie: mfaCookieDef,
+		Cookies:              cookieManager,
+		Events:               eventService,
+		RateLimiter:          limiter,
+		WorkflowEvents:       eventStoreImpl,
+		OfflineGrants:        redisStore,
+	}
+	workflowServiceLogger := workflow.NewServiceLogger(factory)
 	uiService := &authenticationinfo.UIService{
 		EndpointsProvider: endpointsEndpoints,
 	}
-	authenticationflowService := &authenticationflow.Service{
+	workflowService := &workflow.Service{
 		ContextDoNotUseDirectly: contextContext,
 		Deps:                    dependencies,
-		Logger:                  authenticationflowServiceLogger,
-		Store:                   authenticationflowStoreImpl,
-		Database:                appdbHandle,
-		UIConfig:                uiConfig,
+		Logger:                  workflowServiceLogger,
+		Store:                   workflowStoreImpl,
+		Database:                handle,
 		UIInfoResolver:          uiService,
-		OAuthClientResolver:     oauthclientResolver,
 	}
 	oauthsessionStoreRedis := &oauthsession.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	samlsessionStoreRedis := &samlsession.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
 	promptResolver := &oauth2.PromptResolver{
 		Clock: clockClock,
 	}
+	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
+	idTokenIssuer := &oidc.IDTokenIssuer{
+		Secrets:        oAuthKeyMaterials,
+		BaseURL:        endpointsEndpoints,
+		Users:          userQueries,
+		RolesAndGroups: queries,
+		Clock:          clockClock,
+	}
 	oauthOfflineGrantService := &oauth2.OfflineGrantService{
 		OAuthConfig:    oAuthConfig,
 		Clock:          clockClock,
@@ -85787,166 +86179,40 @@ func newWebAppAuthflowV2SignupHandler(p *deps.RequestProvider) http.Handler {
 		Cookies:             cookieManager,
 		ClientResolver:      oauthclientResolver,
 	}
-	webappoauthStore := &webappoauth.Store{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
-		Endpoints:       endpointsEndpoints,
-		OAuthStateStore: webappoauthStore,
-	}
-	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
-	errorService := &webapp2.ErrorService{
-		AppID:       appID,
-		Cookie:      errorTokenCookieDef,
-		RedisHandle: handle,
-		Cookies:     cookieManager,
-	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
-		Endpoints:       endpointsEndpoints,
-		OAuthStateStore: webappoauthStore,
-	}
-	errorRenderer := &webapp.ErrorRenderer{
-		ErrorService:            errorService,
-		UIImplementationService: uiImplementationService,
-		AuthflowV1Navigator:     authflowNavigator,
-		AuthflowV2Navigator:     authflowV2Navigator,
-	}
-	authflowController := &webapp.AuthflowController{
-		Logger:                  authflowControllerLogger,
-		TesterEndpointsProvider: endpointsEndpoints,
-		TrustProxy:              trustProxy,
-		Clock:                   clockClock,
-		Cookies:                 cookieManager,
-		Sessions:                sessionStoreRedis,
-		SessionCookie:           sessionCookieDef,
-		SignedUpCookie:          signedUpCookieDef,
-		Authflows:               authenticationflowService,
-		OAuthSessions:           oauthsessionStoreRedis,
-		SAMLSessions:            samlsessionStoreRedis,
-		UIInfoResolver:          uiInfoResolver,
-		UIConfig:                uiConfig,
-		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowV2Navigator,
-		ErrorRenderer:           errorRenderer,
-	}
-	uiFeatureConfig := featureConfig.UI
-	forgotPasswordConfig := appConfig.ForgotPassword
-	googleTagManagerConfig := appConfig.GoogleTagManager
-	flashMessage := &httputil.FlashMessage{
-		Cookies: cookieManager,
-	}
-	authUISentryDSN := environmentConfig.AuthUISentryDSN
-	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
-	baseLogger := viewmodels.NewBaseLogger(factory)
-	baseViewModeler := &viewmodels.BaseViewModeler{
-		TrustProxy:                        trustProxy,
-		OAuth:                             oAuthConfig,
-		AuthUI:                            uiConfig,
-		AuthUIFeatureConfig:               uiFeatureConfig,
-		StaticAssets:                      staticAssetResolver,
-		ForgotPassword:                    forgotPasswordConfig,
-		Authentication:                    authenticationConfig,
-		GoogleTagManager:                  googleTagManagerConfig,
-		BotProtection:                     botProtectionConfig,
-		ErrorService:                      errorService,
-		Translations:                      translationService,
-		Clock:                             clockClock,
-		FlashMessage:                      flashMessage,
-		DefaultLanguageTag:                defaultLanguageTag,
-		SupportedLanguageTags:             supportedLanguageTags,
-		AuthUISentryDSN:                   authUISentryDSN,
-		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
-		OAuthClientResolver:               oauthclientResolver,
-		Logger:                            baseLogger,
-	}
-	authflowViewModeler := &viewmodels.AuthflowViewModeler{
-		Authentication: authenticationConfig,
-		LoginID:        loginIDConfig,
-		Identity:       identityConfig,
-	}
-	responseRenderer := &webapp.ResponseRenderer{
-		TemplateEngine: engine,
-	}
-	analyticredisHandle := appProvider.AnalyticRedis
-	meterStoreRedisLogger := meter.NewStoreRedisLogger(factory)
-	writeStoreRedis := &meter.WriteStoreRedis{
-		Context: contextContext,
-		Redis:   analyticredisHandle,
-		AppID:   appID,
-		Clock:   clockClock,
-		Logger:  meterStoreRedisLogger,
-	}
-	meterService := &meter.Service{
-		Counter: writeStoreRedis,
-	}
-	tutorialCookie := &httputil.TutorialCookie{
-		Cookies: cookieManager,
-	}
-	internalAuthflowV2SignupLoginHandler := authflowv2.InternalAuthflowV2SignupLoginHandler{
-		Controller:        authflowController,
-		BaseViewModel:     baseViewModeler,
-		AuthflowViewModel: authflowViewModeler,
-		Renderer:          responseRenderer,
-		MeterService:      meterService,
-		TutorialCookie:    tutorialCookie,
-		Endpoints:         endpointsEndpoints,
-	}
-	authflowV2SignupHandler := &authflowv2.AuthflowV2SignupHandler{
-		SignupLoginHandler:   internalAuthflowV2SignupLoginHandler,
-		AuthenticationConfig: authenticationConfig,
-		UIConfig:             uiConfig,
+	workflowNewHandler := &api.WorkflowNewHandler{
+		JSON:           jsonResponseWriter,
+		Cookies:        cookieManager,
+		Workflows:      workflowService,
+		OAuthSessions:  oauthsessionStoreRedis,
+		UIInfoResolver: uiInfoResolver,
 	}
-	return authflowV2SignupHandler
+	return workflowNewHandler
 }
 
-func newWebAppAuthflowPromoteHandler(p *deps.RequestProvider) http.Handler {
+func newAPIWorkflowGetHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
-	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
+	jsonResponseWriterLogger := httputil.NewJSONResponseWriterLogger(factory)
+	jsonResponseWriter := &httputil.JSONResponseWriter{
+		Logger: jsonResponseWriterLogger,
+	}
 	request := p.Request
-	rootProvider := appProvider.RootProvider
-	environmentConfig := rootProvider.EnvironmentConfig
-	trustProxy := environmentConfig.TrustProxy
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	contextContext := deps.ProvideRequestContext(request)
 	appContext := appProvider.AppContext
 	config := appContext.Config
 	appConfig := config.AppConfig
-	uiConfig := appConfig.UI
-	globalUIImplementation := environmentConfig.UIImplementation
-	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
-	uiImplementationService := &web.UIImplementationService{
-		UIConfig:                       uiConfig,
-		GlobalUIImplementation:         globalUIImplementation,
-		GlobalUISettingsImplementation: globalUISettingsImplementation,
-	}
-	endpointsEndpoints := &endpoints.Endpoints{
-		HTTPHost:                httpHost,
-		HTTPProto:               httpProto,
-		UIImplementationService: uiImplementationService,
-	}
-	clockClock := _wireSystemClockValue
-	httpConfig := appConfig.HTTP
-	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
-	appID := appConfig.ID
-	handle := appProvider.Redis
-	sessionStoreRedis := &webapp2.SessionStoreRedis{
-		AppID: appID,
-		Redis: handle,
-	}
-	sessionCookieDef := webapp2.NewSessionCookieDef()
-	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
-	contextContext := deps.ProvideRequestContext(request)
 	featureConfig := config.FeatureConfig
+	clockClock := _wireSystemClockValue
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
 	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
-	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	secretConfig := config.SecretConfig
 	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	appID := appConfig.ID
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	appdbHandle := appProvider.AppDatabase
-	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
+	handle := appProvider.AppDatabase
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
 	store := &user.Store{
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
@@ -85977,6 +86243,7 @@ func newWebAppAuthflowPromoteHandler(p *deps.RequestProvider) http.Handler {
 		SQLExecutor: sqlExecutor,
 	}
 	loginIDConfig := identityConfig.LoginID
+	uiConfig := appConfig.UI
 	manager := appContext.Resources
 	typeCheckerFactory := &loginid.TypeCheckerFactory{
 		UIConfig:      uiConfig,
@@ -86027,9 +86294,10 @@ func newWebAppAuthflowPromoteHandler(p *deps.RequestProvider) http.Handler {
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 	}
+	appredisHandle := appProvider.Redis
 	store2 := &passkey2.Store{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
 	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
@@ -86042,6 +86310,9 @@ func newWebAppAuthflowPromoteHandler(p *deps.RequestProvider) http.Handler {
 	engine := &template.Engine{
 		Resolver: resolver,
 	}
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
 	staticAssetResolver := &web.StaticAssetResolver{
@@ -86079,14 +86350,14 @@ func newWebAppAuthflowPromoteHandler(p *deps.RequestProvider) http.Handler {
 	web3Config := appConfig.Web3
 	storeRedis := &siwe2.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
 	ratelimitLogger := ratelimit.NewLogger(factory)
 	storageRedis := &ratelimit.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	rateLimitsFeatureConfig := featureConfig.RateLimits
 	limiter := &ratelimit.Limiter{
@@ -86201,17 +86472,17 @@ func newWebAppAuthflowPromoteHandler(p *deps.RequestProvider) http.Handler {
 	testModeConfig := appConfig.TestMode
 	testModeFeatureConfig := featureConfig.TestMode
 	codeStoreRedis := &otp.CodeStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	lookupStoreRedis := &otp.LookupStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	attemptTrackerRedis := &otp.AttemptTrackerRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -86237,7 +86508,7 @@ func newWebAppAuthflowPromoteHandler(p *deps.RequestProvider) http.Handler {
 	lockoutLogger := lockout.NewLogger(factory)
 	lockoutStorageRedis := &lockout.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	lockoutService := &lockout.Service{
 		Logger:  lockoutLogger,
@@ -86378,11 +86649,11 @@ func newWebAppAuthflowPromoteHandler(p *deps.RequestProvider) http.Handler {
 	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
 	client := elasticsearch.NewClient(elasticsearchCredentials)
 	queue := appProvider.TaskQueue
-	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
 	elasticsearchService := elasticsearch.Service{
 		Clock:           clockClock,
 		Context:         contextContext,
-		Database:        appdbHandle,
+		Database:        handle,
 		Logger:          elasticsearchServiceLogger,
 		AppID:           appID,
 		Client:          client,
@@ -86396,9 +86667,9 @@ func newWebAppAuthflowPromoteHandler(p *deps.RequestProvider) http.Handler {
 	elasticsearchSink := &elasticsearch.Sink{
 		Logger:   elasticsearchLogger,
 		Service:  elasticsearchService,
-		Database: appdbHandle,
+		Database: handle,
 	}
-	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
 	userCommands := &user.Commands{
 		RawCommands:        rawCommands,
 		RawQueries:         rawQueries,
@@ -86415,7 +86686,7 @@ func newWebAppAuthflowPromoteHandler(p *deps.RequestProvider) http.Handler {
 		Queries:  userQueries,
 	}
 	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -86443,7 +86714,7 @@ func newWebAppAuthflowPromoteHandler(p *deps.RequestProvider) http.Handler {
 		Logger: usageLogger,
 		Clock:  clockClock,
 		AppID:  appID,
-		Redis:  handle,
+		Redis:  appredisHandle,
 	}
 	messagingConfig := appConfig.Messaging
 	messagingRateLimitsConfig := messagingConfig.RateLimits
@@ -86465,7 +86736,7 @@ func newWebAppAuthflowPromoteHandler(p *deps.RequestProvider) http.Handler {
 	whatsappConfig := messagingConfig.Whatsapp
 	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
 	tokenStore := &whatsapp.TokenStore{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -86508,12 +86779,14 @@ func newWebAppAuthflowPromoteHandler(p *deps.RequestProvider) http.Handler {
 	}
 	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
 	idpsessionStoreRedis := &idpsession.StoreRedis{
-		Redis:  handle,
+		Redis:  appredisHandle,
 		AppID:  appID,
 		Clock:  clockClock,
 		Logger: storeRedisLogger,
 	}
 	sessionConfig := appConfig.Session
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
 	cookieDef := session.NewSessionCookieDef(sessionConfig)
 	idpsessionManager := &idpsession.Manager{
 		Store:     idpsessionStoreRedis,
@@ -86524,7 +86797,7 @@ func newWebAppAuthflowPromoteHandler(p *deps.RequestProvider) http.Handler {
 	redisLogger := redis.NewLogger(factory)
 	redisStore := &redis.Store{
 		Context:     contextContext,
-		Redis:       handle,
+		Redis:       appredisHandle,
 		AppID:       appID,
 		Logger:      redisLogger,
 		SQLBuilder:  sqlBuilderApp,
@@ -86533,7 +86806,7 @@ func newWebAppAuthflowPromoteHandler(p *deps.RequestProvider) http.Handler {
 	}
 	oAuthConfig := appConfig.OAuth
 	eventStoreRedis := &access.EventStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 	}
 	eventProvider := &access.EventProvider{
@@ -86545,7 +86818,7 @@ func newWebAppAuthflowPromoteHandler(p *deps.RequestProvider) http.Handler {
 		RemoteIP:        remoteIP,
 		UserAgentString: userAgentString,
 		AppID:           appID,
-		Redis:           handle,
+		Redis:           appredisHandle,
 		Store:           idpsessionStoreRedis,
 		AccessEvents:    eventProvider,
 		TrustProxy:      trustProxy,
@@ -86553,6 +86826,18 @@ func newWebAppAuthflowPromoteHandler(p *deps.RequestProvider) http.Handler {
 		Clock:           clockClock,
 		Random:          idpsessionRand,
 	}
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
 	oauthclientResolver := &oauthclient.Resolver{
 		OAuthConfig:     oAuthConfig,
 		TesterEndpoints: endpointsEndpoints,
@@ -86604,12 +86889,6 @@ func newWebAppAuthflowPromoteHandler(p *deps.RequestProvider) http.Handler {
 	identityFacade := facade.IdentityFacade{
 		Coordinator: coordinator,
 	}
-	anonymousStoreRedis := &anonymous.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-		Clock:   clockClock,
-	}
 	authenticatorFacade := facade.AuthenticatorFacade{
 		Coordinator: coordinator,
 	}
@@ -86673,11 +86952,6 @@ func newWebAppAuthflowPromoteHandler(p *deps.RequestProvider) http.Handler {
 		DenoHook: accountMigrationDenoHook,
 		WebHook:  accountMigrationWebHook,
 	}
-	challengeProvider := &challenge.Provider{
-		Redis: handle,
-		AppID: appID,
-		Clock: clockClock,
-	}
 	captchaConfig := appConfig.Captcha
 	providerLogger := captcha.NewProviderLogger(factory)
 	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
@@ -86688,51 +86962,6 @@ func newWebAppAuthflowPromoteHandler(p *deps.RequestProvider) http.Handler {
 		Logger:           providerLogger,
 		CloudflareClient: cloudflareClient,
 	}
-	botProtectionConfig := appConfig.BotProtection
-	botprotectionProviderLogger := botprotection.NewProviderLogger(factory)
-	botProtectionProviderCredentials := deps.ProvideBotProtectionProvidersCredentials(secretConfig)
-	botprotectionCloudflareClient := botprotection.NewCloudflareClient(botProtectionProviderCredentials, environmentConfig)
-	recaptchaV2Client := botprotection.NewRecaptchaV2Client(botProtectionProviderCredentials, environmentConfig)
-	botprotectionProvider := &botprotection.Provider{
-		RemoteIP:          remoteIP,
-		Config:            botProtectionConfig,
-		Logger:            botprotectionProviderLogger,
-		CloudflareClient:  botprotectionCloudflareClient,
-		RecaptchaV2Client: recaptchaV2Client,
-		Events:            eventService,
-	}
-	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
-	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
-	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
-		Context: contextContext,
-		AppID:   appID,
-		Redis:   handle,
-	}
-	oAuthProviderFactory := &sso.OAuthProviderFactory{
-		IdentityConfig:               identityConfig,
-		Credentials:                  oAuthSSOProviderCredentials,
-		Clock:                        clockClock,
-		StandardAttributesNormalizer: normalizer,
-		HTTPClient:                   oAuthHTTPClient,
-		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
-	}
-	requestOptionsService := &passkey2.RequestOptionsService{
-		ConfigService:   configService,
-		IdentityService: serviceService,
-		Store:           store2,
-	}
-	creationOptionsService := &passkey2.CreationOptionsService{
-		ConfigService:   configService,
-		UserService:     userQueries,
-		IdentityService: serviceService,
-		Store:           store2,
-	}
-	ldapConfig := identityConfig.LDAP
-	ldapServerUserCredentials := deps.ProvideLDAPServerUserCredentials(secretConfig)
-	clientFactory := &ldap2.ClientFactory{
-		Config:       ldapConfig,
-		SecretConfig: ldapServerUserCredentials,
-	}
 	manager2 := &session.Manager{
 		IDPSessions:         idpsessionManager,
 		AccessTokenSessions: sessionManager,
@@ -86740,256 +86969,90 @@ func newWebAppAuthflowPromoteHandler(p *deps.RequestProvider) http.Handler {
 	}
 	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
 	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
-	userFacade := &facade.UserFacade{
-		UserProvider: userProvider,
-		Coordinator:  coordinator,
-	}
-	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
-	idTokenIssuer := &oidc.IDTokenIssuer{
-		Secrets:        oAuthKeyMaterials,
-		BaseURL:        endpointsEndpoints,
-		Users:          userQueries,
-		RolesAndGroups: queries,
-		Clock:          clockClock,
-	}
-	dependencies := &authenticationflow.Dependencies{
-		Config:                          appConfig,
-		FeatureConfig:                   featureConfig,
-		Clock:                           clockClock,
-		RemoteIP:                        remoteIP,
-		HTTPOrigin:                      httpOrigin,
-		HTTPRequest:                     request,
-		Users:                           userProvider,
-		Identities:                      identityFacade,
-		AnonymousIdentities:             anonymousProvider,
-		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
-		Authenticators:                  authenticatorFacade,
-		MFA:                             mfaFacade,
-		StdAttrsService:                 stdattrsService,
-		CustomAttrsService:              customattrsService,
-		OTPCodes:                        otpService,
-		OTPSender:                       messageSender,
-		Verification:                    workflowVerificationFacade,
-		ForgotPassword:                  forgotpasswordService,
-		ResetPassword:                   forgotpasswordService,
-		AccountMigrations:               accountmigrationService,
-		Challenges:                      challengeProvider,
-		Captcha:                         captchaProvider,
-		BotProtection:                   botprotectionProvider,
-		OAuthProviderFactory:            oAuthProviderFactory,
-		PasskeyRequestOptionsService:    requestOptionsService,
-		PasskeyCreationOptionsService:   creationOptionsService,
-		PasskeyService:                  passkeyService,
-		LoginIDs:                        provider,
-		LDAP:                            ldapProvider,
-		LDAPClientFactory:               clientFactory,
-		IDPSessions:                     idpsessionProvider,
-		Sessions:                        manager2,
-		AuthenticationInfos:             authenticationinfoStoreRedis,
-		SessionCookie:                   cookieDef,
-		MFADeviceTokenCookie:            mfaCookieDef,
-		UserFacade:                      userFacade,
-		Cookies:                         cookieManager,
-		Events:                          eventService,
-		RateLimiter:                     limiter,
-		OfflineGrants:                   redisStore,
-		IDTokens:                        idTokenIssuer,
-	}
-	authenticationflowServiceLogger := authenticationflow.NewServiceLogger(factory)
-	authenticationflowStoreImpl := &authenticationflow.StoreImpl{
-		Redis:   handle,
+	workflowStoreImpl := &workflow.StoreImpl{
+		Redis:   appredisHandle,
 		AppID:   appID,
 		Context: contextContext,
 	}
+	eventStoreImpl := workflow.NewEventStore(appID, appredisHandle, workflowStoreImpl)
+	dependencies := &workflow.Dependencies{
+		Config:               appConfig,
+		FeatureConfig:        featureConfig,
+		Clock:                clockClock,
+		RemoteIP:             remoteIP,
+		HTTPRequest:          request,
+		Users:                userProvider,
+		Identities:           identityFacade,
+		Authenticators:       authenticatorFacade,
+		MFA:                  mfaFacade,
+		StdAttrsService:      stdattrsService,
+		CustomAttrsService:   customattrsService,
+		OTPCodes:             otpService,
+		OTPSender:            messageSender,
+		Verification:         workflowVerificationFacade,
+		ForgotPassword:       forgotpasswordService,
+		ResetPassword:        forgotpasswordService,
+		AccountMigrations:    accountmigrationService,
+		Captcha:              captchaProvider,
+		IDPSessions:          idpsessionProvider,
+		Sessions:             manager2,
+		AuthenticationInfos:  authenticationinfoStoreRedis,
+		SessionCookie:        cookieDef,
+		MFADeviceTokenCookie: mfaCookieDef,
+		Cookies:              cookieManager,
+		Events:               eventService,
+		RateLimiter:          limiter,
+		WorkflowEvents:       eventStoreImpl,
+		OfflineGrants:        redisStore,
+	}
+	workflowServiceLogger := workflow.NewServiceLogger(factory)
 	uiService := &authenticationinfo.UIService{
 		EndpointsProvider: endpointsEndpoints,
 	}
-	authenticationflowService := &authenticationflow.Service{
+	workflowService := &workflow.Service{
 		ContextDoNotUseDirectly: contextContext,
 		Deps:                    dependencies,
-		Logger:                  authenticationflowServiceLogger,
-		Store:                   authenticationflowStoreImpl,
-		Database:                appdbHandle,
-		UIConfig:                uiConfig,
+		Logger:                  workflowServiceLogger,
+		Store:                   workflowStoreImpl,
+		Database:                handle,
 		UIInfoResolver:          uiService,
-		OAuthClientResolver:     oauthclientResolver,
 	}
-	oauthsessionStoreRedis := &oauthsession.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	samlsessionStoreRedis := &samlsession.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	promptResolver := &oauth2.PromptResolver{
-		Clock: clockClock,
-	}
-	oauthOfflineGrantService := &oauth2.OfflineGrantService{
-		OAuthConfig:    oAuthConfig,
-		Clock:          clockClock,
-		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
-	}
-	idTokenHintResolver := &oidc.IDTokenHintResolver{
-		Issuer:              idTokenIssuer,
-		Sessions:            idpsessionProvider,
-		OfflineGrantService: oauthOfflineGrantService,
-	}
-	uiInfoResolver := &oidc.UIInfoResolver{
-		Config:              oAuthConfig,
-		EndpointsProvider:   endpointsEndpoints,
-		PromptResolver:      promptResolver,
-		IDTokenHintResolver: idTokenHintResolver,
-		Clock:               clockClock,
-		Cookies:             cookieManager,
-		ClientResolver:      oauthclientResolver,
-	}
-	webappoauthStore := &webappoauth.Store{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
-		Endpoints:       endpointsEndpoints,
-		OAuthStateStore: webappoauthStore,
-	}
-	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
-	errorService := &webapp2.ErrorService{
-		AppID:       appID,
-		Cookie:      errorTokenCookieDef,
-		RedisHandle: handle,
-		Cookies:     cookieManager,
-	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
-		Endpoints:       endpointsEndpoints,
-		OAuthStateStore: webappoauthStore,
-	}
-	errorRenderer := &webapp.ErrorRenderer{
-		ErrorService:            errorService,
-		UIImplementationService: uiImplementationService,
-		AuthflowV1Navigator:     authflowNavigator,
-		AuthflowV2Navigator:     authflowV2Navigator,
-	}
-	authflowController := &webapp.AuthflowController{
-		Logger:                  authflowControllerLogger,
-		TesterEndpointsProvider: endpointsEndpoints,
-		TrustProxy:              trustProxy,
-		Clock:                   clockClock,
-		Cookies:                 cookieManager,
-		Sessions:                sessionStoreRedis,
-		SessionCookie:           sessionCookieDef,
-		SignedUpCookie:          signedUpCookieDef,
-		Authflows:               authenticationflowService,
-		OAuthSessions:           oauthsessionStoreRedis,
-		SAMLSessions:            samlsessionStoreRedis,
-		UIInfoResolver:          uiInfoResolver,
-		UIConfig:                uiConfig,
-		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowNavigator,
-		ErrorRenderer:           errorRenderer,
-	}
-	uiFeatureConfig := featureConfig.UI
-	forgotPasswordConfig := appConfig.ForgotPassword
-	googleTagManagerConfig := appConfig.GoogleTagManager
-	flashMessage := &httputil.FlashMessage{
-		Cookies: cookieManager,
-	}
-	authUISentryDSN := environmentConfig.AuthUISentryDSN
-	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
-	baseLogger := viewmodels.NewBaseLogger(factory)
-	baseViewModeler := &viewmodels.BaseViewModeler{
-		TrustProxy:                        trustProxy,
-		OAuth:                             oAuthConfig,
-		AuthUI:                            uiConfig,
-		AuthUIFeatureConfig:               uiFeatureConfig,
-		StaticAssets:                      staticAssetResolver,
-		ForgotPassword:                    forgotPasswordConfig,
-		Authentication:                    authenticationConfig,
-		GoogleTagManager:                  googleTagManagerConfig,
-		BotProtection:                     botProtectionConfig,
-		ErrorService:                      errorService,
-		Translations:                      translationService,
-		Clock:                             clockClock,
-		FlashMessage:                      flashMessage,
-		DefaultLanguageTag:                defaultLanguageTag,
-		SupportedLanguageTags:             supportedLanguageTags,
-		AuthUISentryDSN:                   authUISentryDSN,
-		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
-		OAuthClientResolver:               oauthclientResolver,
-		Logger:                            baseLogger,
-	}
-	authflowViewModeler := &viewmodels.AuthflowViewModeler{
-		Authentication: authenticationConfig,
-		LoginID:        loginIDConfig,
-		Identity:       identityConfig,
-	}
-	responseRenderer := &webapp.ResponseRenderer{
-		TemplateEngine: engine,
-	}
-	authflowPromoteHandler := &webapp.AuthflowPromoteHandler{
-		Controller:        authflowController,
-		BaseViewModel:     baseViewModeler,
-		AuthflowViewModel: authflowViewModeler,
-		Renderer:          responseRenderer,
-		Endpoints:         endpointsEndpoints,
+	workflowGetHandler := &api.WorkflowGetHandler{
+		JSON:      jsonResponseWriter,
+		Workflows: workflowService,
+		Cookies:   cookieManager,
 	}
-	return authflowPromoteHandler
+	return workflowGetHandler
 }
 
-func newWebAppAuthflowV2PromoteHandler(p *deps.RequestProvider) http.Handler {
+func newAPIWorkflowInputHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
-	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
+	jsonResponseWriterLogger := httputil.NewJSONResponseWriterLogger(factory)
+	jsonResponseWriter := &httputil.JSONResponseWriter{
+		Logger: jsonResponseWriterLogger,
+	}
 	request := p.Request
-	rootProvider := appProvider.RootProvider
-	environmentConfig := rootProvider.EnvironmentConfig
-	trustProxy := environmentConfig.TrustProxy
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	contextContext := deps.ProvideRequestContext(request)
 	appContext := appProvider.AppContext
 	config := appContext.Config
 	appConfig := config.AppConfig
-	uiConfig := appConfig.UI
-	globalUIImplementation := environmentConfig.UIImplementation
-	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
-	uiImplementationService := &web.UIImplementationService{
-		UIConfig:                       uiConfig,
-		GlobalUIImplementation:         globalUIImplementation,
-		GlobalUISettingsImplementation: globalUISettingsImplementation,
-	}
-	endpointsEndpoints := &endpoints.Endpoints{
-		HTTPHost:                httpHost,
-		HTTPProto:               httpProto,
-		UIImplementationService: uiImplementationService,
-	}
-	clockClock := _wireSystemClockValue
-	httpConfig := appConfig.HTTP
-	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
-	appID := appConfig.ID
-	handle := appProvider.Redis
-	sessionStoreRedis := &webapp2.SessionStoreRedis{
-		AppID: appID,
-		Redis: handle,
-	}
-	sessionCookieDef := webapp2.NewSessionCookieDef()
-	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
-	contextContext := deps.ProvideRequestContext(request)
 	featureConfig := config.FeatureConfig
+	clockClock := _wireSystemClockValue
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
 	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
-	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	secretConfig := config.SecretConfig
 	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	appID := appConfig.ID
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	appdbHandle := appProvider.AppDatabase
-	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
+	handle := appProvider.AppDatabase
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
 	store := &user.Store{
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
@@ -87020,6 +87083,7 @@ func newWebAppAuthflowV2PromoteHandler(p *deps.RequestProvider) http.Handler {
 		SQLExecutor: sqlExecutor,
 	}
 	loginIDConfig := identityConfig.LoginID
+	uiConfig := appConfig.UI
 	manager := appContext.Resources
 	typeCheckerFactory := &loginid.TypeCheckerFactory{
 		UIConfig:      uiConfig,
@@ -87070,9 +87134,10 @@ func newWebAppAuthflowV2PromoteHandler(p *deps.RequestProvider) http.Handler {
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 	}
+	appredisHandle := appProvider.Redis
 	store2 := &passkey2.Store{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
 	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
@@ -87085,6 +87150,9 @@ func newWebAppAuthflowV2PromoteHandler(p *deps.RequestProvider) http.Handler {
 	engine := &template.Engine{
 		Resolver: resolver,
 	}
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
 	staticAssetResolver := &web.StaticAssetResolver{
@@ -87122,14 +87190,14 @@ func newWebAppAuthflowV2PromoteHandler(p *deps.RequestProvider) http.Handler {
 	web3Config := appConfig.Web3
 	storeRedis := &siwe2.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
 	ratelimitLogger := ratelimit.NewLogger(factory)
 	storageRedis := &ratelimit.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	rateLimitsFeatureConfig := featureConfig.RateLimits
 	limiter := &ratelimit.Limiter{
@@ -87244,17 +87312,17 @@ func newWebAppAuthflowV2PromoteHandler(p *deps.RequestProvider) http.Handler {
 	testModeConfig := appConfig.TestMode
 	testModeFeatureConfig := featureConfig.TestMode
 	codeStoreRedis := &otp.CodeStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	lookupStoreRedis := &otp.LookupStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	attemptTrackerRedis := &otp.AttemptTrackerRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -87280,7 +87348,7 @@ func newWebAppAuthflowV2PromoteHandler(p *deps.RequestProvider) http.Handler {
 	lockoutLogger := lockout.NewLogger(factory)
 	lockoutStorageRedis := &lockout.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	lockoutService := &lockout.Service{
 		Logger:  lockoutLogger,
@@ -87421,11 +87489,11 @@ func newWebAppAuthflowV2PromoteHandler(p *deps.RequestProvider) http.Handler {
 	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
 	client := elasticsearch.NewClient(elasticsearchCredentials)
 	queue := appProvider.TaskQueue
-	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
 	elasticsearchService := elasticsearch.Service{
 		Clock:           clockClock,
 		Context:         contextContext,
-		Database:        appdbHandle,
+		Database:        handle,
 		Logger:          elasticsearchServiceLogger,
 		AppID:           appID,
 		Client:          client,
@@ -87439,9 +87507,9 @@ func newWebAppAuthflowV2PromoteHandler(p *deps.RequestProvider) http.Handler {
 	elasticsearchSink := &elasticsearch.Sink{
 		Logger:   elasticsearchLogger,
 		Service:  elasticsearchService,
-		Database: appdbHandle,
+		Database: handle,
 	}
-	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
 	userCommands := &user.Commands{
 		RawCommands:        rawCommands,
 		RawQueries:         rawQueries,
@@ -87458,7 +87526,7 @@ func newWebAppAuthflowV2PromoteHandler(p *deps.RequestProvider) http.Handler {
 		Queries:  userQueries,
 	}
 	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -87486,7 +87554,7 @@ func newWebAppAuthflowV2PromoteHandler(p *deps.RequestProvider) http.Handler {
 		Logger: usageLogger,
 		Clock:  clockClock,
 		AppID:  appID,
-		Redis:  handle,
+		Redis:  appredisHandle,
 	}
 	messagingConfig := appConfig.Messaging
 	messagingRateLimitsConfig := messagingConfig.RateLimits
@@ -87508,7 +87576,7 @@ func newWebAppAuthflowV2PromoteHandler(p *deps.RequestProvider) http.Handler {
 	whatsappConfig := messagingConfig.Whatsapp
 	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
 	tokenStore := &whatsapp.TokenStore{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -87551,12 +87619,14 @@ func newWebAppAuthflowV2PromoteHandler(p *deps.RequestProvider) http.Handler {
 	}
 	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
 	idpsessionStoreRedis := &idpsession.StoreRedis{
-		Redis:  handle,
+		Redis:  appredisHandle,
 		AppID:  appID,
 		Clock:  clockClock,
 		Logger: storeRedisLogger,
 	}
 	sessionConfig := appConfig.Session
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
 	cookieDef := session.NewSessionCookieDef(sessionConfig)
 	idpsessionManager := &idpsession.Manager{
 		Store:     idpsessionStoreRedis,
@@ -87567,7 +87637,7 @@ func newWebAppAuthflowV2PromoteHandler(p *deps.RequestProvider) http.Handler {
 	redisLogger := redis.NewLogger(factory)
 	redisStore := &redis.Store{
 		Context:     contextContext,
-		Redis:       handle,
+		Redis:       appredisHandle,
 		AppID:       appID,
 		Logger:      redisLogger,
 		SQLBuilder:  sqlBuilderApp,
@@ -87576,7 +87646,7 @@ func newWebAppAuthflowV2PromoteHandler(p *deps.RequestProvider) http.Handler {
 	}
 	oAuthConfig := appConfig.OAuth
 	eventStoreRedis := &access.EventStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 	}
 	eventProvider := &access.EventProvider{
@@ -87588,7 +87658,7 @@ func newWebAppAuthflowV2PromoteHandler(p *deps.RequestProvider) http.Handler {
 		RemoteIP:        remoteIP,
 		UserAgentString: userAgentString,
 		AppID:           appID,
-		Redis:           handle,
+		Redis:           appredisHandle,
 		Store:           idpsessionStoreRedis,
 		AccessEvents:    eventProvider,
 		TrustProxy:      trustProxy,
@@ -87596,6 +87666,18 @@ func newWebAppAuthflowV2PromoteHandler(p *deps.RequestProvider) http.Handler {
 		Clock:           clockClock,
 		Random:          idpsessionRand,
 	}
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
 	oauthclientResolver := &oauthclient.Resolver{
 		OAuthConfig:     oAuthConfig,
 		TesterEndpoints: endpointsEndpoints,
@@ -87647,12 +87729,6 @@ func newWebAppAuthflowV2PromoteHandler(p *deps.RequestProvider) http.Handler {
 	identityFacade := facade.IdentityFacade{
 		Coordinator: coordinator,
 	}
-	anonymousStoreRedis := &anonymous.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-		Clock:   clockClock,
-	}
 	authenticatorFacade := facade.AuthenticatorFacade{
 		Coordinator: coordinator,
 	}
@@ -87716,11 +87792,6 @@ func newWebAppAuthflowV2PromoteHandler(p *deps.RequestProvider) http.Handler {
 		DenoHook: accountMigrationDenoHook,
 		WebHook:  accountMigrationWebHook,
 	}
-	challengeProvider := &challenge.Provider{
-		Redis: handle,
-		AppID: appID,
-		Clock: clockClock,
-	}
 	captchaConfig := appConfig.Captcha
 	providerLogger := captcha.NewProviderLogger(factory)
 	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
@@ -87731,51 +87802,6 @@ func newWebAppAuthflowV2PromoteHandler(p *deps.RequestProvider) http.Handler {
 		Logger:           providerLogger,
 		CloudflareClient: cloudflareClient,
 	}
-	botProtectionConfig := appConfig.BotProtection
-	botprotectionProviderLogger := botprotection.NewProviderLogger(factory)
-	botProtectionProviderCredentials := deps.ProvideBotProtectionProvidersCredentials(secretConfig)
-	botprotectionCloudflareClient := botprotection.NewCloudflareClient(botProtectionProviderCredentials, environmentConfig)
-	recaptchaV2Client := botprotection.NewRecaptchaV2Client(botProtectionProviderCredentials, environmentConfig)
-	botprotectionProvider := &botprotection.Provider{
-		RemoteIP:          remoteIP,
-		Config:            botProtectionConfig,
-		Logger:            botprotectionProviderLogger,
-		CloudflareClient:  botprotectionCloudflareClient,
-		RecaptchaV2Client: recaptchaV2Client,
-		Events:            eventService,
-	}
-	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
-	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
-	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
-		Context: contextContext,
-		AppID:   appID,
-		Redis:   handle,
-	}
-	oAuthProviderFactory := &sso.OAuthProviderFactory{
-		IdentityConfig:               identityConfig,
-		Credentials:                  oAuthSSOProviderCredentials,
-		Clock:                        clockClock,
-		StandardAttributesNormalizer: normalizer,
-		HTTPClient:                   oAuthHTTPClient,
-		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
-	}
-	requestOptionsService := &passkey2.RequestOptionsService{
-		ConfigService:   configService,
-		IdentityService: serviceService,
-		Store:           store2,
-	}
-	creationOptionsService := &passkey2.CreationOptionsService{
-		ConfigService:   configService,
-		UserService:     userQueries,
-		IdentityService: serviceService,
-		Store:           store2,
-	}
-	ldapConfig := identityConfig.LDAP
-	ldapServerUserCredentials := deps.ProvideLDAPServerUserCredentials(secretConfig)
-	clientFactory := &ldap2.ClientFactory{
-		Config:       ldapConfig,
-		SecretConfig: ldapServerUserCredentials,
-	}
 	manager2 := &session.Manager{
 		IDPSessions:         idpsessionManager,
 		AccessTokenSessions: sessionManager,
@@ -87783,256 +87809,129 @@ func newWebAppAuthflowV2PromoteHandler(p *deps.RequestProvider) http.Handler {
 	}
 	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
 	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
-	userFacade := &facade.UserFacade{
-		UserProvider: userProvider,
-		Coordinator:  coordinator,
-	}
-	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
-	idTokenIssuer := &oidc.IDTokenIssuer{
-		Secrets:        oAuthKeyMaterials,
-		BaseURL:        endpointsEndpoints,
-		Users:          userQueries,
-		RolesAndGroups: queries,
-		Clock:          clockClock,
-	}
-	dependencies := &authenticationflow.Dependencies{
-		Config:                          appConfig,
-		FeatureConfig:                   featureConfig,
-		Clock:                           clockClock,
-		RemoteIP:                        remoteIP,
-		HTTPOrigin:                      httpOrigin,
-		HTTPRequest:                     request,
-		Users:                           userProvider,
-		Identities:                      identityFacade,
-		AnonymousIdentities:             anonymousProvider,
-		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
-		Authenticators:                  authenticatorFacade,
-		MFA:                             mfaFacade,
-		StdAttrsService:                 stdattrsService,
-		CustomAttrsService:              customattrsService,
-		OTPCodes:                        otpService,
-		OTPSender:                       messageSender,
-		Verification:                    workflowVerificationFacade,
-		ForgotPassword:                  forgotpasswordService,
-		ResetPassword:                   forgotpasswordService,
-		AccountMigrations:               accountmigrationService,
-		Challenges:                      challengeProvider,
-		Captcha:                         captchaProvider,
-		BotProtection:                   botprotectionProvider,
-		OAuthProviderFactory:            oAuthProviderFactory,
-		PasskeyRequestOptionsService:    requestOptionsService,
-		PasskeyCreationOptionsService:   creationOptionsService,
-		PasskeyService:                  passkeyService,
-		LoginIDs:                        provider,
-		LDAP:                            ldapProvider,
-		LDAPClientFactory:               clientFactory,
-		IDPSessions:                     idpsessionProvider,
-		Sessions:                        manager2,
-		AuthenticationInfos:             authenticationinfoStoreRedis,
-		SessionCookie:                   cookieDef,
-		MFADeviceTokenCookie:            mfaCookieDef,
-		UserFacade:                      userFacade,
-		Cookies:                         cookieManager,
-		Events:                          eventService,
-		RateLimiter:                     limiter,
-		OfflineGrants:                   redisStore,
-		IDTokens:                        idTokenIssuer,
-	}
-	authenticationflowServiceLogger := authenticationflow.NewServiceLogger(factory)
-	authenticationflowStoreImpl := &authenticationflow.StoreImpl{
-		Redis:   handle,
+	workflowStoreImpl := &workflow.StoreImpl{
+		Redis:   appredisHandle,
 		AppID:   appID,
 		Context: contextContext,
 	}
+	eventStoreImpl := workflow.NewEventStore(appID, appredisHandle, workflowStoreImpl)
+	dependencies := &workflow.Dependencies{
+		Config:               appConfig,
+		FeatureConfig:        featureConfig,
+		Clock:                clockClock,
+		RemoteIP:             remoteIP,
+		HTTPRequest:          request,
+		Users:                userProvider,
+		Identities:           identityFacade,
+		Authenticators:       authenticatorFacade,
+		MFA:                  mfaFacade,
+		StdAttrsService:      stdattrsService,
+		CustomAttrsService:   customattrsService,
+		OTPCodes:             otpService,
+		OTPSender:            messageSender,
+		Verification:         workflowVerificationFacade,
+		ForgotPassword:       forgotpasswordService,
+		ResetPassword:        forgotpasswordService,
+		AccountMigrations:    accountmigrationService,
+		Captcha:              captchaProvider,
+		IDPSessions:          idpsessionProvider,
+		Sessions:             manager2,
+		AuthenticationInfos:  authenticationinfoStoreRedis,
+		SessionCookie:        cookieDef,
+		MFADeviceTokenCookie: mfaCookieDef,
+		Cookies:              cookieManager,
+		Events:               eventService,
+		RateLimiter:          limiter,
+		WorkflowEvents:       eventStoreImpl,
+		OfflineGrants:        redisStore,
+	}
+	workflowServiceLogger := workflow.NewServiceLogger(factory)
 	uiService := &authenticationinfo.UIService{
 		EndpointsProvider: endpointsEndpoints,
 	}
-	authenticationflowService := &authenticationflow.Service{
+	workflowService := &workflow.Service{
 		ContextDoNotUseDirectly: contextContext,
 		Deps:                    dependencies,
-		Logger:                  authenticationflowServiceLogger,
-		Store:                   authenticationflowStoreImpl,
-		Database:                appdbHandle,
-		UIConfig:                uiConfig,
+		Logger:                  workflowServiceLogger,
+		Store:                   workflowStoreImpl,
+		Database:                handle,
 		UIInfoResolver:          uiService,
-		OAuthClientResolver:     oauthclientResolver,
 	}
-	oauthsessionStoreRedis := &oauthsession.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
+	workflowInputHandler := &api.WorkflowInputHandler{
+		JSON:      jsonResponseWriter,
+		Workflows: workflowService,
+		Cookies:   cookieManager,
 	}
-	samlsessionStoreRedis := &samlsession.StoreRedis{
-		Context: contextContext,
+	return workflowInputHandler
+}
+
+func newAPIWorkflowWebsocketHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	appID := appConfig.ID
+	handle := appProvider.Redis
+	request := p.Request
+	contextContext := deps.ProvideRequestContext(request)
+	storeImpl := &workflow.StoreImpl{
 		Redis:   handle,
 		AppID:   appID,
-	}
-	promptResolver := &oauth2.PromptResolver{
-		Clock: clockClock,
-	}
-	oauthOfflineGrantService := &oauth2.OfflineGrantService{
-		OAuthConfig:    oAuthConfig,
-		Clock:          clockClock,
-		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
-	}
-	idTokenHintResolver := &oidc.IDTokenHintResolver{
-		Issuer:              idTokenIssuer,
-		Sessions:            idpsessionProvider,
-		OfflineGrantService: oauthOfflineGrantService,
-	}
-	uiInfoResolver := &oidc.UIInfoResolver{
-		Config:              oAuthConfig,
-		EndpointsProvider:   endpointsEndpoints,
-		PromptResolver:      promptResolver,
-		IDTokenHintResolver: idTokenHintResolver,
-		Clock:               clockClock,
-		Cookies:             cookieManager,
-		ClientResolver:      oauthclientResolver,
-	}
-	webappoauthStore := &webappoauth.Store{
 		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
-		Endpoints:       endpointsEndpoints,
-		OAuthStateStore: webappoauthStore,
-	}
-	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
-	errorService := &webapp2.ErrorService{
-		AppID:       appID,
-		Cookie:      errorTokenCookieDef,
-		RedisHandle: handle,
-		Cookies:     cookieManager,
-	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
-		Endpoints:       endpointsEndpoints,
-		OAuthStateStore: webappoauthStore,
-	}
-	errorRenderer := &webapp.ErrorRenderer{
-		ErrorService:            errorService,
-		UIImplementationService: uiImplementationService,
-		AuthflowV1Navigator:     authflowNavigator,
-		AuthflowV2Navigator:     authflowV2Navigator,
 	}
-	authflowController := &webapp.AuthflowController{
-		Logger:                  authflowControllerLogger,
-		TesterEndpointsProvider: endpointsEndpoints,
-		TrustProxy:              trustProxy,
-		Clock:                   clockClock,
-		Cookies:                 cookieManager,
-		Sessions:                sessionStoreRedis,
-		SessionCookie:           sessionCookieDef,
-		SignedUpCookie:          signedUpCookieDef,
-		Authflows:               authenticationflowService,
-		OAuthSessions:           oauthsessionStoreRedis,
-		SAMLSessions:            samlsessionStoreRedis,
-		UIInfoResolver:          uiInfoResolver,
-		UIConfig:                uiConfig,
-		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowV2Navigator,
-		ErrorRenderer:           errorRenderer,
-	}
-	uiFeatureConfig := featureConfig.UI
-	forgotPasswordConfig := appConfig.ForgotPassword
-	googleTagManagerConfig := appConfig.GoogleTagManager
-	flashMessage := &httputil.FlashMessage{
-		Cookies: cookieManager,
-	}
-	authUISentryDSN := environmentConfig.AuthUISentryDSN
-	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
-	baseLogger := viewmodels.NewBaseLogger(factory)
-	baseViewModeler := &viewmodels.BaseViewModeler{
-		TrustProxy:                        trustProxy,
-		OAuth:                             oAuthConfig,
-		AuthUI:                            uiConfig,
-		AuthUIFeatureConfig:               uiFeatureConfig,
-		StaticAssets:                      staticAssetResolver,
-		ForgotPassword:                    forgotPasswordConfig,
-		Authentication:                    authenticationConfig,
-		GoogleTagManager:                  googleTagManagerConfig,
-		BotProtection:                     botProtectionConfig,
-		ErrorService:                      errorService,
-		Translations:                      translationService,
-		Clock:                             clockClock,
-		FlashMessage:                      flashMessage,
-		DefaultLanguageTag:                defaultLanguageTag,
-		SupportedLanguageTags:             supportedLanguageTags,
-		AuthUISentryDSN:                   authUISentryDSN,
-		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
-		OAuthClientResolver:               oauthclientResolver,
-		Logger:                            baseLogger,
-	}
-	authflowViewModeler := &viewmodels.AuthflowViewModeler{
-		Authentication: authenticationConfig,
-		LoginID:        loginIDConfig,
-		Identity:       identityConfig,
-	}
-	responseRenderer := &webapp.ResponseRenderer{
-		TemplateEngine: engine,
+	eventStoreImpl := workflow.NewEventStore(appID, handle, storeImpl)
+	factory := appProvider.LoggerFactory
+	httpConfig := appConfig.HTTP
+	oAuthConfig := appConfig.OAuth
+	samlConfig := appConfig.SAML
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	corsAllowedOrigins := environmentConfig.CORSAllowedOrigins
+	corsMatcher := &middleware.CORSMatcher{
+		Config:             httpConfig,
+		OAuthConfig:        oAuthConfig,
+		SAMLConfig:         samlConfig,
+		CORSAllowedOrigins: corsAllowedOrigins,
 	}
-	authflowV2PromoteHandler := &authflowv2.AuthflowV2PromoteHandler{
-		Controller:        authflowController,
-		BaseViewModel:     baseViewModeler,
-		AuthflowViewModel: authflowViewModeler,
-		Renderer:          responseRenderer,
-		Endpoints:         endpointsEndpoints,
+	workflowWebsocketHandler := &api.WorkflowWebsocketHandler{
+		Events:        eventStoreImpl,
+		LoggerFactory: factory,
+		RedisHandle:   handle,
+		OriginMatcher: corsMatcher,
 	}
-	return authflowV2PromoteHandler
+	return workflowWebsocketHandler
 }
 
-func newWebAppAuthflowEnterPasswordHandler(p *deps.RequestProvider) http.Handler {
+func newAPIWorkflowV2Handler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
-	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
+	jsonResponseWriterLogger := httputil.NewJSONResponseWriterLogger(factory)
+	jsonResponseWriter := &httputil.JSONResponseWriter{
+		Logger: jsonResponseWriterLogger,
+	}
 	request := p.Request
 	rootProvider := appProvider.RootProvider
 	environmentConfig := rootProvider.EnvironmentConfig
 	trustProxy := environmentConfig.TrustProxy
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
 	appContext := appProvider.AppContext
 	config := appContext.Config
 	appConfig := config.AppConfig
-	uiConfig := appConfig.UI
-	globalUIImplementation := environmentConfig.UIImplementation
-	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
-	uiImplementationService := &web.UIImplementationService{
-		UIConfig:                       uiConfig,
-		GlobalUIImplementation:         globalUIImplementation,
-		GlobalUISettingsImplementation: globalUISettingsImplementation,
-	}
-	endpointsEndpoints := &endpoints.Endpoints{
-		HTTPHost:                httpHost,
-		HTTPProto:               httpProto,
-		UIImplementationService: uiImplementationService,
-	}
-	clockClock := _wireSystemClockValue
 	httpConfig := appConfig.HTTP
 	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
-	appID := appConfig.ID
-	handle := appProvider.Redis
-	sessionStoreRedis := &webapp2.SessionStoreRedis{
-		AppID: appID,
-		Redis: handle,
-	}
-	sessionCookieDef := webapp2.NewSessionCookieDef()
-	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
 	contextContext := deps.ProvideRequestContext(request)
 	featureConfig := config.FeatureConfig
+	clockClock := _wireSystemClockValue
 	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
-	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	secretConfig := config.SecretConfig
 	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	appID := appConfig.ID
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	appdbHandle := appProvider.AppDatabase
-	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
+	handle := appProvider.AppDatabase
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
 	store := &user.Store{
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
@@ -88063,6 +87962,7 @@ func newWebAppAuthflowEnterPasswordHandler(p *deps.RequestProvider) http.Handler
 		SQLExecutor: sqlExecutor,
 	}
 	loginIDConfig := identityConfig.LoginID
+	uiConfig := appConfig.UI
 	manager := appContext.Resources
 	typeCheckerFactory := &loginid.TypeCheckerFactory{
 		UIConfig:      uiConfig,
@@ -88113,9 +88013,10 @@ func newWebAppAuthflowEnterPasswordHandler(p *deps.RequestProvider) http.Handler
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 	}
+	appredisHandle := appProvider.Redis
 	store2 := &passkey2.Store{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
 	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
@@ -88128,6 +88029,9 @@ func newWebAppAuthflowEnterPasswordHandler(p *deps.RequestProvider) http.Handler
 	engine := &template.Engine{
 		Resolver: resolver,
 	}
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
 	staticAssetResolver := &web.StaticAssetResolver{
@@ -88165,14 +88069,14 @@ func newWebAppAuthflowEnterPasswordHandler(p *deps.RequestProvider) http.Handler
 	web3Config := appConfig.Web3
 	storeRedis := &siwe2.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
 	ratelimitLogger := ratelimit.NewLogger(factory)
 	storageRedis := &ratelimit.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	rateLimitsFeatureConfig := featureConfig.RateLimits
 	limiter := &ratelimit.Limiter{
@@ -88287,17 +88191,17 @@ func newWebAppAuthflowEnterPasswordHandler(p *deps.RequestProvider) http.Handler
 	testModeConfig := appConfig.TestMode
 	testModeFeatureConfig := featureConfig.TestMode
 	codeStoreRedis := &otp.CodeStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	lookupStoreRedis := &otp.LookupStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	attemptTrackerRedis := &otp.AttemptTrackerRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -88323,7 +88227,7 @@ func newWebAppAuthflowEnterPasswordHandler(p *deps.RequestProvider) http.Handler
 	lockoutLogger := lockout.NewLogger(factory)
 	lockoutStorageRedis := &lockout.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	lockoutService := &lockout.Service{
 		Logger:  lockoutLogger,
@@ -88464,11 +88368,11 @@ func newWebAppAuthflowEnterPasswordHandler(p *deps.RequestProvider) http.Handler
 	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
 	client := elasticsearch.NewClient(elasticsearchCredentials)
 	queue := appProvider.TaskQueue
-	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
 	elasticsearchService := elasticsearch.Service{
 		Clock:           clockClock,
 		Context:         contextContext,
-		Database:        appdbHandle,
+		Database:        handle,
 		Logger:          elasticsearchServiceLogger,
 		AppID:           appID,
 		Client:          client,
@@ -88482,9 +88386,9 @@ func newWebAppAuthflowEnterPasswordHandler(p *deps.RequestProvider) http.Handler
 	elasticsearchSink := &elasticsearch.Sink{
 		Logger:   elasticsearchLogger,
 		Service:  elasticsearchService,
-		Database: appdbHandle,
+		Database: handle,
 	}
-	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
 	userCommands := &user.Commands{
 		RawCommands:        rawCommands,
 		RawQueries:         rawQueries,
@@ -88501,7 +88405,7 @@ func newWebAppAuthflowEnterPasswordHandler(p *deps.RequestProvider) http.Handler
 		Queries:  userQueries,
 	}
 	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -88529,7 +88433,7 @@ func newWebAppAuthflowEnterPasswordHandler(p *deps.RequestProvider) http.Handler
 		Logger: usageLogger,
 		Clock:  clockClock,
 		AppID:  appID,
-		Redis:  handle,
+		Redis:  appredisHandle,
 	}
 	messagingConfig := appConfig.Messaging
 	messagingRateLimitsConfig := messagingConfig.RateLimits
@@ -88551,7 +88455,7 @@ func newWebAppAuthflowEnterPasswordHandler(p *deps.RequestProvider) http.Handler
 	whatsappConfig := messagingConfig.Whatsapp
 	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
 	tokenStore := &whatsapp.TokenStore{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -88594,7 +88498,7 @@ func newWebAppAuthflowEnterPasswordHandler(p *deps.RequestProvider) http.Handler
 	}
 	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
 	idpsessionStoreRedis := &idpsession.StoreRedis{
-		Redis:  handle,
+		Redis:  appredisHandle,
 		AppID:  appID,
 		Clock:  clockClock,
 		Logger: storeRedisLogger,
@@ -88610,7 +88514,7 @@ func newWebAppAuthflowEnterPasswordHandler(p *deps.RequestProvider) http.Handler
 	redisLogger := redis.NewLogger(factory)
 	redisStore := &redis.Store{
 		Context:     contextContext,
-		Redis:       handle,
+		Redis:       appredisHandle,
 		AppID:       appID,
 		Logger:      redisLogger,
 		SQLBuilder:  sqlBuilderApp,
@@ -88619,7 +88523,7 @@ func newWebAppAuthflowEnterPasswordHandler(p *deps.RequestProvider) http.Handler
 	}
 	oAuthConfig := appConfig.OAuth
 	eventStoreRedis := &access.EventStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 	}
 	eventProvider := &access.EventProvider{
@@ -88631,7 +88535,7 @@ func newWebAppAuthflowEnterPasswordHandler(p *deps.RequestProvider) http.Handler
 		RemoteIP:        remoteIP,
 		UserAgentString: userAgentString,
 		AppID:           appID,
-		Redis:           handle,
+		Redis:           appredisHandle,
 		Store:           idpsessionStoreRedis,
 		AccessEvents:    eventProvider,
 		TrustProxy:      trustProxy,
@@ -88639,6 +88543,18 @@ func newWebAppAuthflowEnterPasswordHandler(p *deps.RequestProvider) http.Handler
 		Clock:           clockClock,
 		Random:          idpsessionRand,
 	}
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
 	oauthclientResolver := &oauthclient.Resolver{
 		OAuthConfig:     oAuthConfig,
 		TesterEndpoints: endpointsEndpoints,
@@ -88690,12 +88606,6 @@ func newWebAppAuthflowEnterPasswordHandler(p *deps.RequestProvider) http.Handler
 	identityFacade := facade.IdentityFacade{
 		Coordinator: coordinator,
 	}
-	anonymousStoreRedis := &anonymous.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-		Clock:   clockClock,
-	}
 	authenticatorFacade := facade.AuthenticatorFacade{
 		Coordinator: coordinator,
 	}
@@ -88759,11 +88669,6 @@ func newWebAppAuthflowEnterPasswordHandler(p *deps.RequestProvider) http.Handler
 		DenoHook: accountMigrationDenoHook,
 		WebHook:  accountMigrationWebHook,
 	}
-	challengeProvider := &challenge.Provider{
-		Redis: handle,
-		AppID: appID,
-		Clock: clockClock,
-	}
 	captchaConfig := appConfig.Captcha
 	providerLogger := captcha.NewProviderLogger(factory)
 	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
@@ -88774,51 +88679,6 @@ func newWebAppAuthflowEnterPasswordHandler(p *deps.RequestProvider) http.Handler
 		Logger:           providerLogger,
 		CloudflareClient: cloudflareClient,
 	}
-	botProtectionConfig := appConfig.BotProtection
-	botprotectionProviderLogger := botprotection.NewProviderLogger(factory)
-	botProtectionProviderCredentials := deps.ProvideBotProtectionProvidersCredentials(secretConfig)
-	botprotectionCloudflareClient := botprotection.NewCloudflareClient(botProtectionProviderCredentials, environmentConfig)
-	recaptchaV2Client := botprotection.NewRecaptchaV2Client(botProtectionProviderCredentials, environmentConfig)
-	botprotectionProvider := &botprotection.Provider{
-		RemoteIP:          remoteIP,
-		Config:            botProtectionConfig,
-		Logger:            botprotectionProviderLogger,
-		CloudflareClient:  botprotectionCloudflareClient,
-		RecaptchaV2Client: recaptchaV2Client,
-		Events:            eventService,
-	}
-	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
-	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
-	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
-		Context: contextContext,
-		AppID:   appID,
-		Redis:   handle,
-	}
-	oAuthProviderFactory := &sso.OAuthProviderFactory{
-		IdentityConfig:               identityConfig,
-		Credentials:                  oAuthSSOProviderCredentials,
-		Clock:                        clockClock,
-		StandardAttributesNormalizer: normalizer,
-		HTTPClient:                   oAuthHTTPClient,
-		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
-	}
-	requestOptionsService := &passkey2.RequestOptionsService{
-		ConfigService:   configService,
-		IdentityService: serviceService,
-		Store:           store2,
-	}
-	creationOptionsService := &passkey2.CreationOptionsService{
-		ConfigService:   configService,
-		UserService:     userQueries,
-		IdentityService: serviceService,
-		Store:           store2,
-	}
-	ldapConfig := identityConfig.LDAP
-	ldapServerUserCredentials := deps.ProvideLDAPServerUserCredentials(secretConfig)
-	clientFactory := &ldap2.ClientFactory{
-		Config:       ldapConfig,
-		SecretConfig: ldapServerUserCredentials,
-	}
 	manager2 := &session.Manager{
 		IDPSessions:         idpsessionManager,
 		AccessTokenSessions: sessionManager,
@@ -88826,97 +88686,74 @@ func newWebAppAuthflowEnterPasswordHandler(p *deps.RequestProvider) http.Handler
 	}
 	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
 	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
-	userFacade := &facade.UserFacade{
-		UserProvider: userProvider,
-		Coordinator:  coordinator,
-	}
-	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
-	idTokenIssuer := &oidc.IDTokenIssuer{
-		Secrets:        oAuthKeyMaterials,
-		BaseURL:        endpointsEndpoints,
-		Users:          userQueries,
-		RolesAndGroups: queries,
-		Clock:          clockClock,
-	}
-	dependencies := &authenticationflow.Dependencies{
-		Config:                          appConfig,
-		FeatureConfig:                   featureConfig,
-		Clock:                           clockClock,
-		RemoteIP:                        remoteIP,
-		HTTPOrigin:                      httpOrigin,
-		HTTPRequest:                     request,
-		Users:                           userProvider,
-		Identities:                      identityFacade,
-		AnonymousIdentities:             anonymousProvider,
-		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
-		Authenticators:                  authenticatorFacade,
-		MFA:                             mfaFacade,
-		StdAttrsService:                 stdattrsService,
-		CustomAttrsService:              customattrsService,
-		OTPCodes:                        otpService,
-		OTPSender:                       messageSender,
-		Verification:                    workflowVerificationFacade,
-		ForgotPassword:                  forgotpasswordService,
-		ResetPassword:                   forgotpasswordService,
-		AccountMigrations:               accountmigrationService,
-		Challenges:                      challengeProvider,
-		Captcha:                         captchaProvider,
-		BotProtection:                   botprotectionProvider,
-		OAuthProviderFactory:            oAuthProviderFactory,
-		PasskeyRequestOptionsService:    requestOptionsService,
-		PasskeyCreationOptionsService:   creationOptionsService,
-		PasskeyService:                  passkeyService,
-		LoginIDs:                        provider,
-		LDAP:                            ldapProvider,
-		LDAPClientFactory:               clientFactory,
-		IDPSessions:                     idpsessionProvider,
-		Sessions:                        manager2,
-		AuthenticationInfos:             authenticationinfoStoreRedis,
-		SessionCookie:                   cookieDef,
-		MFADeviceTokenCookie:            mfaCookieDef,
-		UserFacade:                      userFacade,
-		Cookies:                         cookieManager,
-		Events:                          eventService,
-		RateLimiter:                     limiter,
-		OfflineGrants:                   redisStore,
-		IDTokens:                        idTokenIssuer,
-	}
-	authenticationflowServiceLogger := authenticationflow.NewServiceLogger(factory)
-	authenticationflowStoreImpl := &authenticationflow.StoreImpl{
-		Redis:   handle,
+	workflowStoreImpl := &workflow.StoreImpl{
+		Redis:   appredisHandle,
 		AppID:   appID,
 		Context: contextContext,
 	}
+	eventStoreImpl := workflow.NewEventStore(appID, appredisHandle, workflowStoreImpl)
+	dependencies := &workflow.Dependencies{
+		Config:               appConfig,
+		FeatureConfig:        featureConfig,
+		Clock:                clockClock,
+		RemoteIP:             remoteIP,
+		HTTPRequest:          request,
+		Users:                userProvider,
+		Identities:           identityFacade,
+		Authenticators:       authenticatorFacade,
+		MFA:                  mfaFacade,
+		StdAttrsService:      stdattrsService,
+		CustomAttrsService:   customattrsService,
+		OTPCodes:             otpService,
+		OTPSender:            messageSender,
+		Verification:         workflowVerificationFacade,
+		ForgotPassword:       forgotpasswordService,
+		ResetPassword:        forgotpasswordService,
+		AccountMigrations:    accountmigrationService,
+		Captcha:              captchaProvider,
+		IDPSessions:          idpsessionProvider,
+		Sessions:             manager2,
+		AuthenticationInfos:  authenticationinfoStoreRedis,
+		SessionCookie:        cookieDef,
+		MFADeviceTokenCookie: mfaCookieDef,
+		Cookies:              cookieManager,
+		Events:               eventService,
+		RateLimiter:          limiter,
+		WorkflowEvents:       eventStoreImpl,
+		OfflineGrants:        redisStore,
+	}
+	workflowServiceLogger := workflow.NewServiceLogger(factory)
 	uiService := &authenticationinfo.UIService{
 		EndpointsProvider: endpointsEndpoints,
 	}
-	authenticationflowService := &authenticationflow.Service{
+	workflowService := &workflow.Service{
 		ContextDoNotUseDirectly: contextContext,
 		Deps:                    dependencies,
-		Logger:                  authenticationflowServiceLogger,
-		Store:                   authenticationflowStoreImpl,
-		Database:                appdbHandle,
-		UIConfig:                uiConfig,
+		Logger:                  workflowServiceLogger,
+		Store:                   workflowStoreImpl,
+		Database:                handle,
 		UIInfoResolver:          uiService,
-		OAuthClientResolver:     oauthclientResolver,
 	}
 	oauthsessionStoreRedis := &oauthsession.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	samlsessionStoreRedis := &samlsession.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
 	promptResolver := &oauth2.PromptResolver{
 		Clock: clockClock,
 	}
+	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
+	idTokenIssuer := &oidc.IDTokenIssuer{
+		Secrets:        oAuthKeyMaterials,
+		BaseURL:        endpointsEndpoints,
+		Users:          userQueries,
+		RolesAndGroups: queries,
+		Clock:          clockClock,
+	}
 	oauthOfflineGrantService := &oauth2.OfflineGrantService{
 		OAuthConfig:    oAuthConfig,
 		Clock:          clockClock,
@@ -88938,134 +88775,43 @@ func newWebAppAuthflowEnterPasswordHandler(p *deps.RequestProvider) http.Handler
 		Cookies:             cookieManager,
 		ClientResolver:      oauthclientResolver,
 	}
-	webappoauthStore := &webappoauth.Store{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
-		Endpoints:       endpointsEndpoints,
-		OAuthStateStore: webappoauthStore,
-	}
-	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
-	errorService := &webapp2.ErrorService{
-		AppID:       appID,
-		Cookie:      errorTokenCookieDef,
-		RedisHandle: handle,
-		Cookies:     cookieManager,
-	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
-		Endpoints:       endpointsEndpoints,
-		OAuthStateStore: webappoauthStore,
-	}
-	errorRenderer := &webapp.ErrorRenderer{
-		ErrorService:            errorService,
-		UIImplementationService: uiImplementationService,
-		AuthflowV1Navigator:     authflowNavigator,
-		AuthflowV2Navigator:     authflowV2Navigator,
-	}
-	authflowController := &webapp.AuthflowController{
-		Logger:                  authflowControllerLogger,
-		TesterEndpointsProvider: endpointsEndpoints,
-		TrustProxy:              trustProxy,
-		Clock:                   clockClock,
-		Cookies:                 cookieManager,
-		Sessions:                sessionStoreRedis,
-		SessionCookie:           sessionCookieDef,
-		SignedUpCookie:          signedUpCookieDef,
-		Authflows:               authenticationflowService,
-		OAuthSessions:           oauthsessionStoreRedis,
-		SAMLSessions:            samlsessionStoreRedis,
-		UIInfoResolver:          uiInfoResolver,
-		UIConfig:                uiConfig,
-		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowNavigator,
-		ErrorRenderer:           errorRenderer,
-	}
-	uiFeatureConfig := featureConfig.UI
-	forgotPasswordConfig := appConfig.ForgotPassword
-	googleTagManagerConfig := appConfig.GoogleTagManager
-	flashMessage := &httputil.FlashMessage{
-		Cookies: cookieManager,
-	}
-	authUISentryDSN := environmentConfig.AuthUISentryDSN
-	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
-	baseLogger := viewmodels.NewBaseLogger(factory)
-	baseViewModeler := &viewmodels.BaseViewModeler{
-		TrustProxy:                        trustProxy,
-		OAuth:                             oAuthConfig,
-		AuthUI:                            uiConfig,
-		AuthUIFeatureConfig:               uiFeatureConfig,
-		StaticAssets:                      staticAssetResolver,
-		ForgotPassword:                    forgotPasswordConfig,
-		Authentication:                    authenticationConfig,
-		GoogleTagManager:                  googleTagManagerConfig,
-		BotProtection:                     botProtectionConfig,
-		ErrorService:                      errorService,
-		Translations:                      translationService,
-		Clock:                             clockClock,
-		FlashMessage:                      flashMessage,
-		DefaultLanguageTag:                defaultLanguageTag,
-		SupportedLanguageTags:             supportedLanguageTags,
-		AuthUISentryDSN:                   authUISentryDSN,
-		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
-		OAuthClientResolver:               oauthclientResolver,
-		Logger:                            baseLogger,
-	}
-	responseRenderer := &webapp.ResponseRenderer{
-		TemplateEngine: engine,
-	}
-	authflowEnterPasswordHandler := &webapp.AuthflowEnterPasswordHandler{
-		Controller:    authflowController,
-		BaseViewModel: baseViewModeler,
-		Renderer:      responseRenderer,
+	workflowV2Handler := &api.WorkflowV2Handler{
+		JSON:           jsonResponseWriter,
+		Cookies:        cookieManager,
+		Workflows:      workflowService,
+		OAuthSessions:  oauthsessionStoreRedis,
+		UIInfoResolver: uiInfoResolver,
 	}
-	return authflowEnterPasswordHandler
+	return workflowV2Handler
 }
 
-func newWebAppAuthflowV2EnterPasswordHandler(p *deps.RequestProvider) http.Handler {
+func newAPIAuthenticationFlowV1CreateHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
-	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
+	handle := appProvider.Redis
+	jsonResponseWriterLogger := httputil.NewJSONResponseWriterLogger(factory)
+	jsonResponseWriter := &httputil.JSONResponseWriter{
+		Logger: jsonResponseWriterLogger,
+	}
 	request := p.Request
 	rootProvider := appProvider.RootProvider
 	environmentConfig := rootProvider.EnvironmentConfig
 	trustProxy := environmentConfig.TrustProxy
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
 	appContext := appProvider.AppContext
 	config := appContext.Config
 	appConfig := config.AppConfig
-	uiConfig := appConfig.UI
-	globalUIImplementation := environmentConfig.UIImplementation
-	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
-	uiImplementationService := &web.UIImplementationService{
-		UIConfig:                       uiConfig,
-		GlobalUIImplementation:         globalUIImplementation,
-		GlobalUISettingsImplementation: globalUISettingsImplementation,
-	}
-	endpointsEndpoints := &endpoints.Endpoints{
-		HTTPHost:                httpHost,
-		HTTPProto:               httpProto,
-		UIImplementationService: uiImplementationService,
-	}
-	clockClock := _wireSystemClockValue
 	httpConfig := appConfig.HTTP
 	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
-	appID := appConfig.ID
-	handle := appProvider.Redis
-	sessionStoreRedis := &webapp2.SessionStoreRedis{
-		AppID: appID,
-		Redis: handle,
-	}
-	sessionCookieDef := webapp2.NewSessionCookieDef()
-	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
 	contextContext := deps.ProvideRequestContext(request)
 	featureConfig := config.FeatureConfig
+	clockClock := _wireSystemClockValue
 	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
 	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	secretConfig := config.SecretConfig
 	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	appID := appConfig.ID
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
 	appdbHandle := appProvider.AppDatabase
 	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
@@ -89099,6 +88845,7 @@ func newWebAppAuthflowV2EnterPasswordHandler(p *deps.RequestProvider) http.Handl
 		SQLExecutor: sqlExecutor,
 	}
 	loginIDConfig := identityConfig.LoginID
+	uiConfig := appConfig.UI
 	manager := appContext.Resources
 	typeCheckerFactory := &loginid.TypeCheckerFactory{
 		UIConfig:      uiConfig,
@@ -89675,6 +89422,18 @@ func newWebAppAuthflowV2EnterPasswordHandler(p *deps.RequestProvider) http.Handl
 		Clock:           clockClock,
 		Random:          idpsessionRand,
 	}
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
 	oauthclientResolver := &oauthclient.Resolver{
 		OAuthConfig:     oAuthConfig,
 		TesterEndpoints: endpointsEndpoints,
@@ -89945,11 +89704,6 @@ func newWebAppAuthflowV2EnterPasswordHandler(p *deps.RequestProvider) http.Handl
 		Redis:   handle,
 		AppID:   appID,
 	}
-	samlsessionStoreRedis := &samlsession.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
 	promptResolver := &oauth2.PromptResolver{
 		Clock: clockClock,
 	}
@@ -89974,138 +89728,45 @@ func newWebAppAuthflowV2EnterPasswordHandler(p *deps.RequestProvider) http.Handl
 		Cookies:             cookieManager,
 		ClientResolver:      oauthclientResolver,
 	}
-	webappoauthStore := &webappoauth.Store{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
-		Endpoints:       endpointsEndpoints,
-		OAuthStateStore: webappoauthStore,
-	}
-	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
-	errorService := &webapp2.ErrorService{
-		AppID:       appID,
-		Cookie:      errorTokenCookieDef,
-		RedisHandle: handle,
-		Cookies:     cookieManager,
-	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
-		Endpoints:       endpointsEndpoints,
-		OAuthStateStore: webappoauthStore,
-	}
-	errorRenderer := &webapp.ErrorRenderer{
-		ErrorService:            errorService,
-		UIImplementationService: uiImplementationService,
-		AuthflowV1Navigator:     authflowNavigator,
-		AuthflowV2Navigator:     authflowV2Navigator,
-	}
-	authflowController := &webapp.AuthflowController{
-		Logger:                  authflowControllerLogger,
-		TesterEndpointsProvider: endpointsEndpoints,
-		TrustProxy:              trustProxy,
-		Clock:                   clockClock,
-		Cookies:                 cookieManager,
-		Sessions:                sessionStoreRedis,
-		SessionCookie:           sessionCookieDef,
-		SignedUpCookie:          signedUpCookieDef,
-		Authflows:               authenticationflowService,
-		OAuthSessions:           oauthsessionStoreRedis,
-		SAMLSessions:            samlsessionStoreRedis,
-		UIInfoResolver:          uiInfoResolver,
-		UIConfig:                uiConfig,
-		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowV2Navigator,
-		ErrorRenderer:           errorRenderer,
-	}
-	uiFeatureConfig := featureConfig.UI
-	forgotPasswordConfig := appConfig.ForgotPassword
-	googleTagManagerConfig := appConfig.GoogleTagManager
-	flashMessage := &httputil.FlashMessage{
-		Cookies: cookieManager,
-	}
-	authUISentryDSN := environmentConfig.AuthUISentryDSN
-	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
-	baseLogger := viewmodels.NewBaseLogger(factory)
-	baseViewModeler := &viewmodels.BaseViewModeler{
-		TrustProxy:                        trustProxy,
-		OAuth:                             oAuthConfig,
-		AuthUI:                            uiConfig,
-		AuthUIFeatureConfig:               uiFeatureConfig,
-		StaticAssets:                      staticAssetResolver,
-		ForgotPassword:                    forgotPasswordConfig,
-		Authentication:                    authenticationConfig,
-		GoogleTagManager:                  googleTagManagerConfig,
-		BotProtection:                     botProtectionConfig,
-		ErrorService:                      errorService,
-		Translations:                      translationService,
-		Clock:                             clockClock,
-		FlashMessage:                      flashMessage,
-		DefaultLanguageTag:                defaultLanguageTag,
-		SupportedLanguageTags:             supportedLanguageTags,
-		AuthUISentryDSN:                   authUISentryDSN,
-		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
-		OAuthClientResolver:               oauthclientResolver,
-		Logger:                            baseLogger,
-	}
-	responseRenderer := &webapp.ResponseRenderer{
-		TemplateEngine: engine,
-	}
-	inlinePreviewAuthflowBranchViewModeler := &viewmodels.InlinePreviewAuthflowBranchViewModeler{
-		AppConfig: appConfig,
-	}
-	authflowV2EnterPasswordHandler := &authflowv2.AuthflowV2EnterPasswordHandler{
-		Controller:                             authflowController,
-		BaseViewModel:                          baseViewModeler,
-		Renderer:                               responseRenderer,
-		InlinePreviewAuthflowBranchViewModeler: inlinePreviewAuthflowBranchViewModeler,
+	authenticationFlowV1CreateHandler := &api.AuthenticationFlowV1CreateHandler{
+		LoggerFactory:  factory,
+		RedisHandle:    handle,
+		JSON:           jsonResponseWriter,
+		Cookies:        cookieManager,
+		Workflows:      authenticationflowService,
+		OAuthSessions:  oauthsessionStoreRedis,
+		UIInfoResolver: uiInfoResolver,
 	}
-	return authflowV2EnterPasswordHandler
+	return authenticationFlowV1CreateHandler
 }
 
-func newWebAppAuthflowEnterOOBOTPHandler(p *deps.RequestProvider) http.Handler {
+func newAPIAuthenticationFlowV1InputHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
-	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
+	handle := appProvider.Redis
+	jsonResponseWriterLogger := httputil.NewJSONResponseWriterLogger(factory)
+	jsonResponseWriter := &httputil.JSONResponseWriter{
+		Logger: jsonResponseWriterLogger,
+	}
 	request := p.Request
 	rootProvider := appProvider.RootProvider
 	environmentConfig := rootProvider.EnvironmentConfig
 	trustProxy := environmentConfig.TrustProxy
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
 	appContext := appProvider.AppContext
 	config := appContext.Config
 	appConfig := config.AppConfig
-	uiConfig := appConfig.UI
-	globalUIImplementation := environmentConfig.UIImplementation
-	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
-	uiImplementationService := &web.UIImplementationService{
-		UIConfig:                       uiConfig,
-		GlobalUIImplementation:         globalUIImplementation,
-		GlobalUISettingsImplementation: globalUISettingsImplementation,
-	}
-	endpointsEndpoints := &endpoints.Endpoints{
-		HTTPHost:                httpHost,
-		HTTPProto:               httpProto,
-		UIImplementationService: uiImplementationService,
-	}
-	clockClock := _wireSystemClockValue
 	httpConfig := appConfig.HTTP
 	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
-	appID := appConfig.ID
-	handle := appProvider.Redis
-	sessionStoreRedis := &webapp2.SessionStoreRedis{
-		AppID: appID,
-		Redis: handle,
-	}
-	sessionCookieDef := webapp2.NewSessionCookieDef()
-	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
 	contextContext := deps.ProvideRequestContext(request)
 	featureConfig := config.FeatureConfig
+	clockClock := _wireSystemClockValue
 	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
 	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	secretConfig := config.SecretConfig
 	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	appID := appConfig.ID
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
 	appdbHandle := appProvider.AppDatabase
 	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
@@ -90139,6 +89800,7 @@ func newWebAppAuthflowEnterOOBOTPHandler(p *deps.RequestProvider) http.Handler {
 		SQLExecutor: sqlExecutor,
 	}
 	loginIDConfig := identityConfig.LoginID
+	uiConfig := appConfig.UI
 	manager := appContext.Resources
 	typeCheckerFactory := &loginid.TypeCheckerFactory{
 		UIConfig:      uiConfig,
@@ -90715,6 +90377,18 @@ func newWebAppAuthflowEnterOOBOTPHandler(p *deps.RequestProvider) http.Handler {
 		Clock:           clockClock,
 		Random:          idpsessionRand,
 	}
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
 	oauthclientResolver := &oauthclient.Resolver{
 		OAuthConfig:     oAuthConfig,
 		TesterEndpoints: endpointsEndpoints,
@@ -90980,170 +90654,41 @@ func newWebAppAuthflowEnterOOBOTPHandler(p *deps.RequestProvider) http.Handler {
 		UIInfoResolver:          uiService,
 		OAuthClientResolver:     oauthclientResolver,
 	}
-	oauthsessionStoreRedis := &oauthsession.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	samlsessionStoreRedis := &samlsession.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	promptResolver := &oauth2.PromptResolver{
-		Clock: clockClock,
-	}
-	oauthOfflineGrantService := &oauth2.OfflineGrantService{
-		OAuthConfig:    oAuthConfig,
-		Clock:          clockClock,
-		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
-	}
-	idTokenHintResolver := &oidc.IDTokenHintResolver{
-		Issuer:              idTokenIssuer,
-		Sessions:            idpsessionProvider,
-		OfflineGrantService: oauthOfflineGrantService,
-	}
-	uiInfoResolver := &oidc.UIInfoResolver{
-		Config:              oAuthConfig,
-		EndpointsProvider:   endpointsEndpoints,
-		PromptResolver:      promptResolver,
-		IDTokenHintResolver: idTokenHintResolver,
-		Clock:               clockClock,
-		Cookies:             cookieManager,
-		ClientResolver:      oauthclientResolver,
-	}
-	webappoauthStore := &webappoauth.Store{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
-		Endpoints:       endpointsEndpoints,
-		OAuthStateStore: webappoauthStore,
-	}
-	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
-	errorService := &webapp2.ErrorService{
-		AppID:       appID,
-		Cookie:      errorTokenCookieDef,
-		RedisHandle: handle,
-		Cookies:     cookieManager,
-	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
-		Endpoints:       endpointsEndpoints,
-		OAuthStateStore: webappoauthStore,
-	}
-	errorRenderer := &webapp.ErrorRenderer{
-		ErrorService:            errorService,
-		UIImplementationService: uiImplementationService,
-		AuthflowV1Navigator:     authflowNavigator,
-		AuthflowV2Navigator:     authflowV2Navigator,
-	}
-	authflowController := &webapp.AuthflowController{
-		Logger:                  authflowControllerLogger,
-		TesterEndpointsProvider: endpointsEndpoints,
-		TrustProxy:              trustProxy,
-		Clock:                   clockClock,
-		Cookies:                 cookieManager,
-		Sessions:                sessionStoreRedis,
-		SessionCookie:           sessionCookieDef,
-		SignedUpCookie:          signedUpCookieDef,
-		Authflows:               authenticationflowService,
-		OAuthSessions:           oauthsessionStoreRedis,
-		SAMLSessions:            samlsessionStoreRedis,
-		UIInfoResolver:          uiInfoResolver,
-		UIConfig:                uiConfig,
-		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowNavigator,
-		ErrorRenderer:           errorRenderer,
-	}
-	uiFeatureConfig := featureConfig.UI
-	forgotPasswordConfig := appConfig.ForgotPassword
-	googleTagManagerConfig := appConfig.GoogleTagManager
-	flashMessage := &httputil.FlashMessage{
-		Cookies: cookieManager,
-	}
-	authUISentryDSN := environmentConfig.AuthUISentryDSN
-	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
-	baseLogger := viewmodels.NewBaseLogger(factory)
-	baseViewModeler := &viewmodels.BaseViewModeler{
-		TrustProxy:                        trustProxy,
-		OAuth:                             oAuthConfig,
-		AuthUI:                            uiConfig,
-		AuthUIFeatureConfig:               uiFeatureConfig,
-		StaticAssets:                      staticAssetResolver,
-		ForgotPassword:                    forgotPasswordConfig,
-		Authentication:                    authenticationConfig,
-		GoogleTagManager:                  googleTagManagerConfig,
-		BotProtection:                     botProtectionConfig,
-		ErrorService:                      errorService,
-		Translations:                      translationService,
-		Clock:                             clockClock,
-		FlashMessage:                      flashMessage,
-		DefaultLanguageTag:                defaultLanguageTag,
-		SupportedLanguageTags:             supportedLanguageTags,
-		AuthUISentryDSN:                   authUISentryDSN,
-		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
-		OAuthClientResolver:               oauthclientResolver,
-		Logger:                            baseLogger,
-	}
-	responseRenderer := &webapp.ResponseRenderer{
-		TemplateEngine: engine,
-	}
-	authflowEnterOOBOTPHandler := &webapp.AuthflowEnterOOBOTPHandler{
-		Controller:    authflowController,
-		BaseViewModel: baseViewModeler,
-		Renderer:      responseRenderer,
-		FlashMessage:  flashMessage,
-		Clock:         clockClock,
+	authenticationFlowV1InputHandler := &api.AuthenticationFlowV1InputHandler{
+		LoggerFactory: factory,
+		RedisHandle:   handle,
+		JSON:          jsonResponseWriter,
+		Cookies:       cookieManager,
+		Workflows:     authenticationflowService,
 	}
-	return authflowEnterOOBOTPHandler
+	return authenticationFlowV1InputHandler
 }
 
-func newWebAppAuthflowV2EnterOOBOTPHandler(p *deps.RequestProvider) http.Handler {
+func newAPIAuthenticationFlowV1GetHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
-	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
+	handle := appProvider.Redis
+	jsonResponseWriterLogger := httputil.NewJSONResponseWriterLogger(factory)
+	jsonResponseWriter := &httputil.JSONResponseWriter{
+		Logger: jsonResponseWriterLogger,
+	}
 	request := p.Request
-	rootProvider := appProvider.RootProvider
-	environmentConfig := rootProvider.EnvironmentConfig
-	trustProxy := environmentConfig.TrustProxy
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	contextContext := deps.ProvideRequestContext(request)
 	appContext := appProvider.AppContext
 	config := appContext.Config
 	appConfig := config.AppConfig
-	uiConfig := appConfig.UI
-	globalUIImplementation := environmentConfig.UIImplementation
-	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
-	uiImplementationService := &web.UIImplementationService{
-		UIConfig:                       uiConfig,
-		GlobalUIImplementation:         globalUIImplementation,
-		GlobalUISettingsImplementation: globalUISettingsImplementation,
-	}
-	endpointsEndpoints := &endpoints.Endpoints{
-		HTTPHost:                httpHost,
-		HTTPProto:               httpProto,
-		UIImplementationService: uiImplementationService,
-	}
-	clockClock := _wireSystemClockValue
-	httpConfig := appConfig.HTTP
-	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
-	appID := appConfig.ID
-	handle := appProvider.Redis
-	sessionStoreRedis := &webapp2.SessionStoreRedis{
-		AppID: appID,
-		Redis: handle,
-	}
-	sessionCookieDef := webapp2.NewSessionCookieDef()
-	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
-	contextContext := deps.ProvideRequestContext(request)
 	featureConfig := config.FeatureConfig
+	clockClock := _wireSystemClockValue
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
 	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
 	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	secretConfig := config.SecretConfig
 	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	appID := appConfig.ID
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
 	appdbHandle := appProvider.AppDatabase
 	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
@@ -91177,6 +90722,7 @@ func newWebAppAuthflowV2EnterOOBOTPHandler(p *deps.RequestProvider) http.Handler
 		SQLExecutor: sqlExecutor,
 	}
 	loginIDConfig := identityConfig.LoginID
+	uiConfig := appConfig.UI
 	manager := appContext.Resources
 	typeCheckerFactory := &loginid.TypeCheckerFactory{
 		UIConfig:      uiConfig,
@@ -91714,6 +91260,8 @@ func newWebAppAuthflowV2EnterOOBOTPHandler(p *deps.RequestProvider) http.Handler
 		Logger: storeRedisLogger,
 	}
 	sessionConfig := appConfig.Session
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
 	cookieDef := session.NewSessionCookieDef(sessionConfig)
 	idpsessionManager := &idpsession.Manager{
 		Store:     idpsessionStoreRedis,
@@ -91753,6 +91301,18 @@ func newWebAppAuthflowV2EnterOOBOTPHandler(p *deps.RequestProvider) http.Handler
 		Clock:           clockClock,
 		Random:          idpsessionRand,
 	}
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
 	oauthclientResolver := &oauthclient.Resolver{
 		OAuthConfig:     oAuthConfig,
 		TesterEndpoints: endpointsEndpoints,
@@ -92018,179 +91578,71 @@ func newWebAppAuthflowV2EnterOOBOTPHandler(p *deps.RequestProvider) http.Handler
 		UIInfoResolver:          uiService,
 		OAuthClientResolver:     oauthclientResolver,
 	}
-	oauthsessionStoreRedis := &oauthsession.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	samlsessionStoreRedis := &samlsession.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	promptResolver := &oauth2.PromptResolver{
-		Clock: clockClock,
-	}
-	oauthOfflineGrantService := &oauth2.OfflineGrantService{
-		OAuthConfig:    oAuthConfig,
-		Clock:          clockClock,
-		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
-	}
-	idTokenHintResolver := &oidc.IDTokenHintResolver{
-		Issuer:              idTokenIssuer,
-		Sessions:            idpsessionProvider,
-		OfflineGrantService: oauthOfflineGrantService,
+	authenticationFlowV1GetHandler := &api.AuthenticationFlowV1GetHandler{
+		LoggerFactory: factory,
+		RedisHandle:   handle,
+		JSON:          jsonResponseWriter,
+		Workflows:     authenticationflowService,
 	}
-	uiInfoResolver := &oidc.UIInfoResolver{
-		Config:              oAuthConfig,
-		EndpointsProvider:   endpointsEndpoints,
-		PromptResolver:      promptResolver,
-		IDTokenHintResolver: idTokenHintResolver,
-		Clock:               clockClock,
-		Cookies:             cookieManager,
-		ClientResolver:      oauthclientResolver,
+	return authenticationFlowV1GetHandler
+}
+
+func newAPIAuthenticationFlowV1WebsocketHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	factory := appProvider.LoggerFactory
+	handle := appProvider.Redis
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	httpConfig := appConfig.HTTP
+	oAuthConfig := appConfig.OAuth
+	samlConfig := appConfig.SAML
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	corsAllowedOrigins := environmentConfig.CORSAllowedOrigins
+	corsMatcher := &middleware.CORSMatcher{
+		Config:             httpConfig,
+		OAuthConfig:        oAuthConfig,
+		SAMLConfig:         samlConfig,
+		CORSAllowedOrigins: corsAllowedOrigins,
 	}
-	webappoauthStore := &webappoauth.Store{
-		Context: contextContext,
+	appID := appConfig.ID
+	request := p.Request
+	contextContext := deps.ProvideRequestContext(request)
+	storeImpl := &authenticationflow.StoreImpl{
 		Redis:   handle,
 		AppID:   appID,
+		Context: contextContext,
 	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
-		Endpoints:       endpointsEndpoints,
-		OAuthStateStore: webappoauthStore,
-	}
-	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
-	errorService := &webapp2.ErrorService{
-		AppID:       appID,
-		Cookie:      errorTokenCookieDef,
-		RedisHandle: handle,
-		Cookies:     cookieManager,
-	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
-		Endpoints:       endpointsEndpoints,
-		OAuthStateStore: webappoauthStore,
-	}
-	errorRenderer := &webapp.ErrorRenderer{
-		ErrorService:            errorService,
-		UIImplementationService: uiImplementationService,
-		AuthflowV1Navigator:     authflowNavigator,
-		AuthflowV2Navigator:     authflowV2Navigator,
-	}
-	authflowController := &webapp.AuthflowController{
-		Logger:                  authflowControllerLogger,
-		TesterEndpointsProvider: endpointsEndpoints,
-		TrustProxy:              trustProxy,
-		Clock:                   clockClock,
-		Cookies:                 cookieManager,
-		Sessions:                sessionStoreRedis,
-		SessionCookie:           sessionCookieDef,
-		SignedUpCookie:          signedUpCookieDef,
-		Authflows:               authenticationflowService,
-		OAuthSessions:           oauthsessionStoreRedis,
-		SAMLSessions:            samlsessionStoreRedis,
-		UIInfoResolver:          uiInfoResolver,
-		UIConfig:                uiConfig,
-		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowV2Navigator,
-		ErrorRenderer:           errorRenderer,
-	}
-	uiFeatureConfig := featureConfig.UI
-	forgotPasswordConfig := appConfig.ForgotPassword
-	googleTagManagerConfig := appConfig.GoogleTagManager
-	flashMessage := &httputil.FlashMessage{
-		Cookies: cookieManager,
-	}
-	authUISentryDSN := environmentConfig.AuthUISentryDSN
-	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
-	baseLogger := viewmodels.NewBaseLogger(factory)
-	baseViewModeler := &viewmodels.BaseViewModeler{
-		TrustProxy:                        trustProxy,
-		OAuth:                             oAuthConfig,
-		AuthUI:                            uiConfig,
-		AuthUIFeatureConfig:               uiFeatureConfig,
-		StaticAssets:                      staticAssetResolver,
-		ForgotPassword:                    forgotPasswordConfig,
-		Authentication:                    authenticationConfig,
-		GoogleTagManager:                  googleTagManagerConfig,
-		BotProtection:                     botProtectionConfig,
-		ErrorService:                      errorService,
-		Translations:                      translationService,
-		Clock:                             clockClock,
-		FlashMessage:                      flashMessage,
-		DefaultLanguageTag:                defaultLanguageTag,
-		SupportedLanguageTags:             supportedLanguageTags,
-		AuthUISentryDSN:                   authUISentryDSN,
-		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
-		OAuthClientResolver:               oauthclientResolver,
-		Logger:                            baseLogger,
-	}
-	inlinePreviewAuthflowBranchViewModeler := &viewmodels.InlinePreviewAuthflowBranchViewModeler{
-		AppConfig: appConfig,
-	}
-	responseRenderer := &webapp.ResponseRenderer{
-		TemplateEngine: engine,
-	}
-	authflowV2EnterOOBOTPHandler := &authflowv2.AuthflowV2EnterOOBOTPHandler{
-		Controller:                             authflowController,
-		BaseViewModel:                          baseViewModeler,
-		InlinePreviewAuthflowBranchViewModeler: inlinePreviewAuthflowBranchViewModeler,
-		Renderer:                               responseRenderer,
-		FlashMessage:                           flashMessage,
-		Clock:                                  clockClock,
-		AuthenticatorConfig:                    authenticatorConfig,
-		IdentityConfig:                         identityConfig,
+	websocketEventStore := authenticationflow.NewWebsocketEventStore(appID, handle, storeImpl)
+	authenticationFlowV1WebsocketHandler := &api.AuthenticationFlowV1WebsocketHandler{
+		LoggerFactory: factory,
+		RedisHandle:   handle,
+		OriginMatcher: corsMatcher,
+		Events:        websocketEventStore,
 	}
-	return authflowV2EnterOOBOTPHandler
+	return authenticationFlowV1WebsocketHandler
 }
 
-func newWebAppAuthflowCreatePasswordHandler(p *deps.RequestProvider) http.Handler {
+func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
-	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
-	request := p.Request
-	rootProvider := appProvider.RootProvider
-	environmentConfig := rootProvider.EnvironmentConfig
-	trustProxy := environmentConfig.TrustProxy
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	jsonResponseWriterLogger := httputil.NewJSONResponseWriterLogger(factory)
+	jsonResponseWriter := &httputil.JSONResponseWriter{
+		Logger: jsonResponseWriterLogger,
+	}
+	handle := appProvider.AppDatabase
 	appContext := appProvider.AppContext
 	config := appContext.Config
 	appConfig := config.AppConfig
-	uiConfig := appConfig.UI
-	globalUIImplementation := environmentConfig.UIImplementation
-	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
-	uiImplementationService := &web.UIImplementationService{
-		UIConfig:                       uiConfig,
-		GlobalUIImplementation:         globalUIImplementation,
-		GlobalUISettingsImplementation: globalUISettingsImplementation,
-	}
-	endpointsEndpoints := &endpoints.Endpoints{
-		HTTPHost:                httpHost,
-		HTTPProto:               httpProto,
-		UIImplementationService: uiImplementationService,
-	}
-	clockClock := _wireSystemClockValue
-	httpConfig := appConfig.HTTP
-	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
-	appID := appConfig.ID
-	handle := appProvider.Redis
-	sessionStoreRedis := &webapp2.SessionStoreRedis{
-		AppID: appID,
-		Redis: handle,
-	}
-	sessionCookieDef := webapp2.NewSessionCookieDef()
-	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
-	contextContext := deps.ProvideRequestContext(request)
-	featureConfig := config.FeatureConfig
-	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
-	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	secretConfig := config.SecretConfig
 	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	appID := appConfig.ID
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	appdbHandle := appProvider.AppDatabase
-	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
+	request := p.Request
+	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	clockClock := _wireSystemClockValue
 	store := &user.Store{
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
@@ -92204,6 +91656,10 @@ func newWebAppAuthflowCreatePasswordHandler(p *deps.RequestProvider) http.Handle
 	rawQueries := &user.RawQueries{
 		Store: store,
 	}
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
 	userAgentString := deps.ProvideUserAgentString(request)
 	logger := event.NewLogger(factory)
 	localizationConfig := appConfig.Localization
@@ -92211,6 +91667,7 @@ func newWebAppAuthflowCreatePasswordHandler(p *deps.RequestProvider) http.Handle
 	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
 	authenticationConfig := appConfig.Authentication
 	identityConfig := appConfig.Identity
+	featureConfig := config.FeatureConfig
 	identityFeatureConfig := featureConfig.Identity
 	serviceStore := &service.Store{
 		SQLBuilder:  sqlBuilderApp,
@@ -92221,6 +91678,7 @@ func newWebAppAuthflowCreatePasswordHandler(p *deps.RequestProvider) http.Handle
 		SQLExecutor: sqlExecutor,
 	}
 	loginIDConfig := identityConfig.LoginID
+	uiConfig := appConfig.UI
 	manager := appContext.Resources
 	typeCheckerFactory := &loginid.TypeCheckerFactory{
 		UIConfig:      uiConfig,
@@ -92271,9 +91729,10 @@ func newWebAppAuthflowCreatePasswordHandler(p *deps.RequestProvider) http.Handle
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 	}
+	appredisHandle := appProvider.Redis
 	store2 := &passkey2.Store{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
 	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
@@ -92286,6 +91745,9 @@ func newWebAppAuthflowCreatePasswordHandler(p *deps.RequestProvider) http.Handle
 	engine := &template.Engine{
 		Resolver: resolver,
 	}
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
 	staticAssetResolver := &web.StaticAssetResolver{
@@ -92323,14 +91785,14 @@ func newWebAppAuthflowCreatePasswordHandler(p *deps.RequestProvider) http.Handle
 	web3Config := appConfig.Web3
 	storeRedis := &siwe2.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
 	ratelimitLogger := ratelimit.NewLogger(factory)
 	storageRedis := &ratelimit.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	rateLimitsFeatureConfig := featureConfig.RateLimits
 	limiter := &ratelimit.Limiter{
@@ -92445,17 +91907,17 @@ func newWebAppAuthflowCreatePasswordHandler(p *deps.RequestProvider) http.Handle
 	testModeConfig := appConfig.TestMode
 	testModeFeatureConfig := featureConfig.TestMode
 	codeStoreRedis := &otp.CodeStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	lookupStoreRedis := &otp.LookupStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	attemptTrackerRedis := &otp.AttemptTrackerRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -92481,7 +91943,7 @@ func newWebAppAuthflowCreatePasswordHandler(p *deps.RequestProvider) http.Handle
 	lockoutLogger := lockout.NewLogger(factory)
 	lockoutStorageRedis := &lockout.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	lockoutService := &lockout.Service{
 		Logger:  lockoutLogger,
@@ -92622,11 +92084,11 @@ func newWebAppAuthflowCreatePasswordHandler(p *deps.RequestProvider) http.Handle
 	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
 	client := elasticsearch.NewClient(elasticsearchCredentials)
 	queue := appProvider.TaskQueue
-	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
 	elasticsearchService := elasticsearch.Service{
 		Clock:           clockClock,
 		Context:         contextContext,
-		Database:        appdbHandle,
+		Database:        handle,
 		Logger:          elasticsearchServiceLogger,
 		AppID:           appID,
 		Client:          client,
@@ -92640,9 +92102,9 @@ func newWebAppAuthflowCreatePasswordHandler(p *deps.RequestProvider) http.Handle
 	elasticsearchSink := &elasticsearch.Sink{
 		Logger:   elasticsearchLogger,
 		Service:  elasticsearchService,
-		Database: appdbHandle,
+		Database: handle,
 	}
-	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
 	userCommands := &user.Commands{
 		RawCommands:        rawCommands,
 		RawQueries:         rawQueries,
@@ -92658,8 +92120,29 @@ func newWebAppAuthflowCreatePasswordHandler(p *deps.RequestProvider) http.Handle
 		Commands: userCommands,
 		Queries:  userQueries,
 	}
+	redisStore := &accountmanagement.RedisStore{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+		Clock:   clockClock,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
 	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -92687,7 +92170,7 @@ func newWebAppAuthflowCreatePasswordHandler(p *deps.RequestProvider) http.Handle
 		Logger: usageLogger,
 		Clock:  clockClock,
 		AppID:  appID,
-		Redis:  handle,
+		Redis:  appredisHandle,
 	}
 	messagingConfig := appConfig.Messaging
 	messagingRateLimitsConfig := messagingConfig.RateLimits
@@ -92709,7 +92192,7 @@ func newWebAppAuthflowCreatePasswordHandler(p *deps.RequestProvider) http.Handle
 	whatsappConfig := messagingConfig.Whatsapp
 	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
 	tokenStore := &whatsapp.TokenStore{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -92752,12 +92235,14 @@ func newWebAppAuthflowCreatePasswordHandler(p *deps.RequestProvider) http.Handle
 	}
 	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
 	idpsessionStoreRedis := &idpsession.StoreRedis{
-		Redis:  handle,
+		Redis:  appredisHandle,
 		AppID:  appID,
 		Clock:  clockClock,
 		Logger: storeRedisLogger,
 	}
 	sessionConfig := appConfig.Session
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
 	cookieDef := session.NewSessionCookieDef(sessionConfig)
 	idpsessionManager := &idpsession.Manager{
 		Store:     idpsessionStoreRedis,
@@ -92766,9 +92251,9 @@ func newWebAppAuthflowCreatePasswordHandler(p *deps.RequestProvider) http.Handle
 		CookieDef: cookieDef,
 	}
 	redisLogger := redis.NewLogger(factory)
-	redisStore := &redis.Store{
+	store5 := &redis.Store{
 		Context:     contextContext,
-		Redis:       handle,
+		Redis:       appredisHandle,
 		AppID:       appID,
 		Logger:      redisLogger,
 		SQLBuilder:  sqlBuilderApp,
@@ -92777,7 +92262,7 @@ func newWebAppAuthflowCreatePasswordHandler(p *deps.RequestProvider) http.Handle
 	}
 	oAuthConfig := appConfig.OAuth
 	eventStoreRedis := &access.EventStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 	}
 	eventProvider := &access.EventProvider{
@@ -92789,7 +92274,7 @@ func newWebAppAuthflowCreatePasswordHandler(p *deps.RequestProvider) http.Handle
 		RemoteIP:        remoteIP,
 		UserAgentString: userAgentString,
 		AppID:           appID,
-		Redis:           handle,
+		Redis:           appredisHandle,
 		Store:           idpsessionStoreRedis,
 		AccessEvents:    eventProvider,
 		TrustProxy:      trustProxy,
@@ -92797,6 +92282,18 @@ func newWebAppAuthflowCreatePasswordHandler(p *deps.RequestProvider) http.Handle
 		Clock:           clockClock,
 		Random:          idpsessionRand,
 	}
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
 	oauthclientResolver := &oauthclient.Resolver{
 		OAuthConfig:     oAuthConfig,
 		TesterEndpoints: endpointsEndpoints,
@@ -92806,10 +92303,10 @@ func newWebAppAuthflowCreatePasswordHandler(p *deps.RequestProvider) http.Handle
 		Clock:          clockClock,
 		IDPSessions:    idpsessionProvider,
 		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
+		OfflineGrants:  store5,
 	}
 	sessionManager := &oauth2.SessionManager{
-		Store:   redisStore,
+		Store:   store5,
 		Config:  oAuthConfig,
 		Service: offlineGrantService,
 	}
@@ -92845,26 +92342,9 @@ func newWebAppAuthflowCreatePasswordHandler(p *deps.RequestProvider) http.Handle
 		Clock:                      clockClock,
 		PasswordGenerator:          generator,
 	}
-	identityFacade := facade.IdentityFacade{
-		Coordinator: coordinator,
-	}
-	anonymousStoreRedis := &anonymous.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-		Clock:   clockClock,
-	}
-	authenticatorFacade := facade.AuthenticatorFacade{
-		Coordinator: coordinator,
-	}
-	mfaFacade := &facade.MFAFacade{
+	identityFacade := &facade.IdentityFacade{
 		Coordinator: coordinator,
 	}
-	customattrsService := &customattrs.Service{
-		Config:         userProfileConfig,
-		ServiceNoEvent: customattrsServiceNoEvent,
-		Events:         eventService,
-	}
 	messageSender := &otp.MessageSender{
 		AppID:           appID,
 		Translation:     translationService,
@@ -92872,361 +92352,59 @@ func newWebAppAuthflowCreatePasswordHandler(p *deps.RequestProvider) http.Handle
 		Sender:          sender,
 		WhatsappService: whatsappService,
 	}
-	workflowVerificationFacade := facade.WorkflowVerificationFacade{
-		Verification: verificationService,
-	}
-	forgotpasswordLogger := forgotpassword.NewLogger(factory)
-	sender2 := forgotpassword.Sender{
-		AppConfg:    appConfig,
-		Identities:  serviceService,
-		Sender:      sender,
-		Translation: translationService,
-	}
-	forgotpasswordService := &forgotpassword.Service{
-		Logger:         forgotpasswordLogger,
-		Config:         appConfig,
-		FeatureConfig:  featureConfig,
-		Identities:     serviceService,
-		Authenticators: authenticatorFacade,
-		OTPCodes:       otpService,
-		OTPSender:      messageSender,
-		PasswordSender: sender2,
-	}
-	accountMigrationConfig := appConfig.AccountMigration
-	accountMigrationHookConfig := accountMigrationConfig.Hook
-	hookDenoClient := accountmigration.NewHookDenoClient(denoEndpoint, hookLogger, accountMigrationHookConfig)
-	denoMiddlewareLogger := accountmigration.NewDenoMiddlewareLogger(factory)
-	accountMigrationDenoHook := &accountmigration.AccountMigrationDenoHook{
-		DenoHook: denoHook,
-		Client:   hookDenoClient,
-		Logger:   denoMiddlewareLogger,
-	}
-	hookWebHookImpl := &hook.WebHookImpl{
-		Logger: webHookLogger,
-		Secret: webhookKeyMaterials,
-	}
-	hookHTTPClient := accountmigration.NewHookHTTPClient(accountMigrationHookConfig)
-	webhookMiddlewareLogger := accountmigration.NewWebhookMiddlewareLogger(factory)
-	accountMigrationWebHook := &accountmigration.AccountMigrationWebHook{
-		WebHook: hookWebHookImpl,
-		Client:  hookHTTPClient,
-		Logger:  webhookMiddlewareLogger,
-	}
-	accountmigrationService := &accountmigration.Service{
-		Config:   accountMigrationHookConfig,
-		DenoHook: accountMigrationDenoHook,
-		WebHook:  accountMigrationWebHook,
-	}
-	challengeProvider := &challenge.Provider{
-		Redis: handle,
-		AppID: appID,
-		Clock: clockClock,
-	}
-	captchaConfig := appConfig.Captcha
-	providerLogger := captcha.NewProviderLogger(factory)
-	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
-	cloudflareClient := captcha2.NewCloudflareClient(deprecated_CaptchaCloudflareCredentials)
-	captchaProvider := &captcha.Provider{
-		RemoteIP:         remoteIP,
-		Config:           captchaConfig,
-		Logger:           providerLogger,
-		CloudflareClient: cloudflareClient,
-	}
-	botProtectionConfig := appConfig.BotProtection
-	botprotectionProviderLogger := botprotection.NewProviderLogger(factory)
-	botProtectionProviderCredentials := deps.ProvideBotProtectionProvidersCredentials(secretConfig)
-	botprotectionCloudflareClient := botprotection.NewCloudflareClient(botProtectionProviderCredentials, environmentConfig)
-	recaptchaV2Client := botprotection.NewRecaptchaV2Client(botProtectionProviderCredentials, environmentConfig)
-	botprotectionProvider := &botprotection.Provider{
-		RemoteIP:          remoteIP,
-		Config:            botProtectionConfig,
-		Logger:            botprotectionProviderLogger,
-		CloudflareClient:  botprotectionCloudflareClient,
-		RecaptchaV2Client: recaptchaV2Client,
-		Events:            eventService,
-	}
-	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
-	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
-	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
-		Context: contextContext,
-		AppID:   appID,
-		Redis:   handle,
-	}
-	oAuthProviderFactory := &sso.OAuthProviderFactory{
-		IdentityConfig:               identityConfig,
-		Credentials:                  oAuthSSOProviderCredentials,
-		Clock:                        clockClock,
-		StandardAttributesNormalizer: normalizer,
-		HTTPClient:                   oAuthHTTPClient,
-		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
-	}
-	requestOptionsService := &passkey2.RequestOptionsService{
-		ConfigService:   configService,
-		IdentityService: serviceService,
-		Store:           store2,
-	}
-	creationOptionsService := &passkey2.CreationOptionsService{
-		ConfigService:   configService,
-		UserService:     userQueries,
-		IdentityService: serviceService,
-		Store:           store2,
-	}
-	ldapConfig := identityConfig.LDAP
-	ldapServerUserCredentials := deps.ProvideLDAPServerUserCredentials(secretConfig)
-	clientFactory := &ldap2.ClientFactory{
-		Config:       ldapConfig,
-		SecretConfig: ldapServerUserCredentials,
-	}
-	manager2 := &session.Manager{
-		IDPSessions:         idpsessionManager,
-		AccessTokenSessions: sessionManager,
-		Events:              eventService,
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
 	}
 	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
-	userFacade := &facade.UserFacade{
-		UserProvider: userProvider,
-		Coordinator:  coordinator,
-	}
-	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
-	idTokenIssuer := &oidc.IDTokenIssuer{
-		Secrets:        oAuthKeyMaterials,
-		BaseURL:        endpointsEndpoints,
-		Users:          userQueries,
-		RolesAndGroups: queries,
-		Clock:          clockClock,
-	}
-	dependencies := &authenticationflow.Dependencies{
-		Config:                          appConfig,
-		FeatureConfig:                   featureConfig,
-		Clock:                           clockClock,
-		RemoteIP:                        remoteIP,
-		HTTPOrigin:                      httpOrigin,
-		HTTPRequest:                     request,
-		Users:                           userProvider,
-		Identities:                      identityFacade,
-		AnonymousIdentities:             anonymousProvider,
-		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
-		Authenticators:                  authenticatorFacade,
-		MFA:                             mfaFacade,
-		StdAttrsService:                 stdattrsService,
-		CustomAttrsService:              customattrsService,
-		OTPCodes:                        otpService,
-		OTPSender:                       messageSender,
-		Verification:                    workflowVerificationFacade,
-		ForgotPassword:                  forgotpasswordService,
-		ResetPassword:                   forgotpasswordService,
-		AccountMigrations:               accountmigrationService,
-		Challenges:                      challengeProvider,
-		Captcha:                         captchaProvider,
-		BotProtection:                   botprotectionProvider,
-		OAuthProviderFactory:            oAuthProviderFactory,
-		PasskeyRequestOptionsService:    requestOptionsService,
-		PasskeyCreationOptionsService:   creationOptionsService,
-		PasskeyService:                  passkeyService,
-		LoginIDs:                        provider,
-		LDAP:                            ldapProvider,
-		LDAPClientFactory:               clientFactory,
-		IDPSessions:                     idpsessionProvider,
-		Sessions:                        manager2,
-		AuthenticationInfos:             authenticationinfoStoreRedis,
-		SessionCookie:                   cookieDef,
-		MFADeviceTokenCookie:            mfaCookieDef,
-		UserFacade:                      userFacade,
-		Cookies:                         cookieManager,
-		Events:                          eventService,
-		RateLimiter:                     limiter,
-		OfflineGrants:                   redisStore,
-		IDTokens:                        idTokenIssuer,
-	}
-	authenticationflowServiceLogger := authenticationflow.NewServiceLogger(factory)
-	authenticationflowStoreImpl := &authenticationflow.StoreImpl{
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
-		Context: contextContext,
 	}
 	uiService := &authenticationinfo.UIService{
 		EndpointsProvider: endpointsEndpoints,
 	}
-	authenticationflowService := &authenticationflow.Service{
-		ContextDoNotUseDirectly: contextContext,
-		Deps:                    dependencies,
-		Logger:                  authenticationflowServiceLogger,
-		Store:                   authenticationflowStoreImpl,
-		Database:                appdbHandle,
-		UIConfig:                uiConfig,
-		UIInfoResolver:          uiService,
-		OAuthClientResolver:     oauthclientResolver,
-	}
-	oauthsessionStoreRedis := &oauthsession.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	samlsessionStoreRedis := &samlsession.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	promptResolver := &oauth2.PromptResolver{
-		Clock: clockClock,
-	}
-	oauthOfflineGrantService := &oauth2.OfflineGrantService{
-		OAuthConfig:    oAuthConfig,
-		Clock:          clockClock,
-		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
-	}
-	idTokenHintResolver := &oidc.IDTokenHintResolver{
-		Issuer:              idTokenIssuer,
-		Sessions:            idpsessionProvider,
-		OfflineGrantService: oauthOfflineGrantService,
-	}
-	uiInfoResolver := &oidc.UIInfoResolver{
-		Config:              oAuthConfig,
-		EndpointsProvider:   endpointsEndpoints,
-		PromptResolver:      promptResolver,
-		IDTokenHintResolver: idTokenHintResolver,
-		Clock:               clockClock,
-		Cookies:             cookieManager,
-		ClientResolver:      oauthclientResolver,
-	}
-	webappoauthStore := &webappoauth.Store{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
-		Endpoints:       endpointsEndpoints,
-		OAuthStateStore: webappoauthStore,
-	}
-	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
-	errorService := &webapp2.ErrorService{
-		AppID:       appID,
-		Cookie:      errorTokenCookieDef,
-		RedisHandle: handle,
-		Cookies:     cookieManager,
-	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
-		Endpoints:       endpointsEndpoints,
-		OAuthStateStore: webappoauthStore,
-	}
-	errorRenderer := &webapp.ErrorRenderer{
-		ErrorService:            errorService,
-		UIImplementationService: uiImplementationService,
-		AuthflowV1Navigator:     authflowNavigator,
-		AuthflowV2Navigator:     authflowV2Navigator,
-	}
-	authflowController := &webapp.AuthflowController{
-		Logger:                  authflowControllerLogger,
-		TesterEndpointsProvider: endpointsEndpoints,
-		TrustProxy:              trustProxy,
-		Clock:                   clockClock,
-		Cookies:                 cookieManager,
-		Sessions:                sessionStoreRedis,
-		SessionCookie:           sessionCookieDef,
-		SignedUpCookie:          signedUpCookieDef,
-		Authflows:               authenticationflowService,
-		OAuthSessions:           oauthsessionStoreRedis,
-		SAMLSessions:            samlsessionStoreRedis,
-		UIInfoResolver:          uiInfoResolver,
-		UIConfig:                uiConfig,
-		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowNavigator,
-		ErrorRenderer:           errorRenderer,
-	}
-	uiFeatureConfig := featureConfig.UI
-	forgotPasswordConfig := appConfig.ForgotPassword
-	googleTagManagerConfig := appConfig.GoogleTagManager
-	flashMessage := &httputil.FlashMessage{
-		Cookies: cookieManager,
-	}
-	authUISentryDSN := environmentConfig.AuthUISentryDSN
-	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
-	baseLogger := viewmodels.NewBaseLogger(factory)
-	baseViewModeler := &viewmodels.BaseViewModeler{
-		TrustProxy:                        trustProxy,
-		OAuth:                             oAuthConfig,
-		AuthUI:                            uiConfig,
-		AuthUIFeatureConfig:               uiFeatureConfig,
-		StaticAssets:                      staticAssetResolver,
-		ForgotPassword:                    forgotPasswordConfig,
-		Authentication:                    authenticationConfig,
-		GoogleTagManager:                  googleTagManagerConfig,
-		BotProtection:                     botProtectionConfig,
-		ErrorService:                      errorService,
-		Translations:                      translationService,
-		Clock:                             clockClock,
-		FlashMessage:                      flashMessage,
-		DefaultLanguageTag:                defaultLanguageTag,
-		SupportedLanguageTags:             supportedLanguageTags,
-		AuthUISentryDSN:                   authUISentryDSN,
-		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
-		OAuthClientResolver:               oauthclientResolver,
-		Logger:                            baseLogger,
-	}
-	responseRenderer := &webapp.ResponseRenderer{
-		TemplateEngine: engine,
+	accountmanagementService := &accountmanagement.Service{
+		Database:                  handle,
+		Config:                    appConfig,
+		Users:                     userProvider,
+		Store:                     redisStore,
+		OAuthProvider:             oAuthProviderFactory,
+		Identities:                identityFacade,
+		Events:                    eventService,
+		OTPSender:                 messageSender,
+		OTPCodeService:            otpService,
+		Authenticators:            authenticatorFacade,
+		AuthenticationInfoService: authenticationinfoStoreRedis,
+		PasskeyService:            passkeyService,
+		Verification:              verificationService,
+		UIInfoResolver:            uiService,
 	}
-	authflowCreatePasswordHandler := &webapp.AuthflowCreatePasswordHandler{
-		Controller:    authflowController,
-		BaseViewModel: baseViewModeler,
-		Renderer:      responseRenderer,
+	accountManagementV1IdentificationHandler := &api.AccountManagementV1IdentificationHandler{
+		JSON:    jsonResponseWriter,
+		Service: accountmanagementService,
 	}
-	return authflowCreatePasswordHandler
+	return accountManagementV1IdentificationHandler
 }
 
-func newWebAppAuthflowV2CreatePasswordHandler(p *deps.RequestProvider) http.Handler {
+func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
-	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
-	request := p.Request
-	rootProvider := appProvider.RootProvider
-	environmentConfig := rootProvider.EnvironmentConfig
-	trustProxy := environmentConfig.TrustProxy
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	jsonResponseWriterLogger := httputil.NewJSONResponseWriterLogger(factory)
+	jsonResponseWriter := &httputil.JSONResponseWriter{
+		Logger: jsonResponseWriterLogger,
+	}
+	handle := appProvider.AppDatabase
 	appContext := appProvider.AppContext
 	config := appContext.Config
 	appConfig := config.AppConfig
-	uiConfig := appConfig.UI
-	globalUIImplementation := environmentConfig.UIImplementation
-	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
-	uiImplementationService := &web.UIImplementationService{
-		UIConfig:                       uiConfig,
-		GlobalUIImplementation:         globalUIImplementation,
-		GlobalUISettingsImplementation: globalUISettingsImplementation,
-	}
-	endpointsEndpoints := &endpoints.Endpoints{
-		HTTPHost:                httpHost,
-		HTTPProto:               httpProto,
-		UIImplementationService: uiImplementationService,
-	}
-	clockClock := _wireSystemClockValue
-	httpConfig := appConfig.HTTP
-	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
-	appID := appConfig.ID
-	handle := appProvider.Redis
-	sessionStoreRedis := &webapp2.SessionStoreRedis{
-		AppID: appID,
-		Redis: handle,
-	}
-	sessionCookieDef := webapp2.NewSessionCookieDef()
-	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
-	contextContext := deps.ProvideRequestContext(request)
-	featureConfig := config.FeatureConfig
-	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
-	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	secretConfig := config.SecretConfig
 	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	appID := appConfig.ID
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	appdbHandle := appProvider.AppDatabase
-	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
+	request := p.Request
+	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	clockClock := _wireSystemClockValue
 	store := &user.Store{
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
@@ -93240,6 +92418,10 @@ func newWebAppAuthflowV2CreatePasswordHandler(p *deps.RequestProvider) http.Hand
 	rawQueries := &user.RawQueries{
 		Store: store,
 	}
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
 	userAgentString := deps.ProvideUserAgentString(request)
 	logger := event.NewLogger(factory)
 	localizationConfig := appConfig.Localization
@@ -93247,6 +92429,7 @@ func newWebAppAuthflowV2CreatePasswordHandler(p *deps.RequestProvider) http.Hand
 	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
 	authenticationConfig := appConfig.Authentication
 	identityConfig := appConfig.Identity
+	featureConfig := config.FeatureConfig
 	identityFeatureConfig := featureConfig.Identity
 	serviceStore := &service.Store{
 		SQLBuilder:  sqlBuilderApp,
@@ -93257,6 +92440,7 @@ func newWebAppAuthflowV2CreatePasswordHandler(p *deps.RequestProvider) http.Hand
 		SQLExecutor: sqlExecutor,
 	}
 	loginIDConfig := identityConfig.LoginID
+	uiConfig := appConfig.UI
 	manager := appContext.Resources
 	typeCheckerFactory := &loginid.TypeCheckerFactory{
 		UIConfig:      uiConfig,
@@ -93307,9 +92491,10 @@ func newWebAppAuthflowV2CreatePasswordHandler(p *deps.RequestProvider) http.Hand
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 	}
+	appredisHandle := appProvider.Redis
 	store2 := &passkey2.Store{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 	}
 	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
@@ -93322,6 +92507,9 @@ func newWebAppAuthflowV2CreatePasswordHandler(p *deps.RequestProvider) http.Hand
 	engine := &template.Engine{
 		Resolver: resolver,
 	}
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
 	staticAssetResolver := &web.StaticAssetResolver{
@@ -93359,14 +92547,14 @@ func newWebAppAuthflowV2CreatePasswordHandler(p *deps.RequestProvider) http.Hand
 	web3Config := appConfig.Web3
 	storeRedis := &siwe2.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
 	ratelimitLogger := ratelimit.NewLogger(factory)
 	storageRedis := &ratelimit.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	rateLimitsFeatureConfig := featureConfig.RateLimits
 	limiter := &ratelimit.Limiter{
@@ -93481,17 +92669,17 @@ func newWebAppAuthflowV2CreatePasswordHandler(p *deps.RequestProvider) http.Hand
 	testModeConfig := appConfig.TestMode
 	testModeFeatureConfig := featureConfig.TestMode
 	codeStoreRedis := &otp.CodeStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	lookupStoreRedis := &otp.LookupStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	attemptTrackerRedis := &otp.AttemptTrackerRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -93517,7 +92705,7 @@ func newWebAppAuthflowV2CreatePasswordHandler(p *deps.RequestProvider) http.Hand
 	lockoutLogger := lockout.NewLogger(factory)
 	lockoutStorageRedis := &lockout.StorageRedis{
 		AppID: appID,
-		Redis: handle,
+		Redis: appredisHandle,
 	}
 	lockoutService := &lockout.Service{
 		Logger:  lockoutLogger,
@@ -93658,11 +92846,11 @@ func newWebAppAuthflowV2CreatePasswordHandler(p *deps.RequestProvider) http.Hand
 	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
 	client := elasticsearch.NewClient(elasticsearchCredentials)
 	queue := appProvider.TaskQueue
-	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
 	elasticsearchService := elasticsearch.Service{
 		Clock:           clockClock,
 		Context:         contextContext,
-		Database:        appdbHandle,
+		Database:        handle,
 		Logger:          elasticsearchServiceLogger,
 		AppID:           appID,
 		Client:          client,
@@ -93676,9 +92864,9 @@ func newWebAppAuthflowV2CreatePasswordHandler(p *deps.RequestProvider) http.Hand
 	elasticsearchSink := &elasticsearch.Sink{
 		Logger:   elasticsearchLogger,
 		Service:  elasticsearchService,
-		Database: appdbHandle,
+		Database: handle,
 	}
-	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
 	userCommands := &user.Commands{
 		RawCommands:        rawCommands,
 		RawQueries:         rawQueries,
@@ -93694,8 +92882,29 @@ func newWebAppAuthflowV2CreatePasswordHandler(p *deps.RequestProvider) http.Hand
 		Commands: userCommands,
 		Queries:  userQueries,
 	}
+	redisStore := &accountmanagement.RedisStore{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+		Clock:   clockClock,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
 	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -93723,7 +92932,7 @@ func newWebAppAuthflowV2CreatePasswordHandler(p *deps.RequestProvider) http.Hand
 		Logger: usageLogger,
 		Clock:  clockClock,
 		AppID:  appID,
-		Redis:  handle,
+		Redis:  appredisHandle,
 	}
 	messagingConfig := appConfig.Messaging
 	messagingRateLimitsConfig := messagingConfig.RateLimits
@@ -93745,7 +92954,7 @@ func newWebAppAuthflowV2CreatePasswordHandler(p *deps.RequestProvider) http.Hand
 	whatsappConfig := messagingConfig.Whatsapp
 	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
 	tokenStore := &whatsapp.TokenStore{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -93788,12 +92997,14 @@ func newWebAppAuthflowV2CreatePasswordHandler(p *deps.RequestProvider) http.Hand
 	}
 	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
 	idpsessionStoreRedis := &idpsession.StoreRedis{
-		Redis:  handle,
+		Redis:  appredisHandle,
 		AppID:  appID,
 		Clock:  clockClock,
 		Logger: storeRedisLogger,
 	}
 	sessionConfig := appConfig.Session
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
 	cookieDef := session.NewSessionCookieDef(sessionConfig)
 	idpsessionManager := &idpsession.Manager{
 		Store:     idpsessionStoreRedis,
@@ -93802,9 +93013,9 @@ func newWebAppAuthflowV2CreatePasswordHandler(p *deps.RequestProvider) http.Hand
 		CookieDef: cookieDef,
 	}
 	redisLogger := redis.NewLogger(factory)
-	redisStore := &redis.Store{
+	store5 := &redis.Store{
 		Context:     contextContext,
-		Redis:       handle,
+		Redis:       appredisHandle,
 		AppID:       appID,
 		Logger:      redisLogger,
 		SQLBuilder:  sqlBuilderApp,
@@ -93813,7 +93024,7 @@ func newWebAppAuthflowV2CreatePasswordHandler(p *deps.RequestProvider) http.Hand
 	}
 	oAuthConfig := appConfig.OAuth
 	eventStoreRedis := &access.EventStoreRedis{
-		Redis: handle,
+		Redis: appredisHandle,
 		AppID: appID,
 	}
 	eventProvider := &access.EventProvider{
@@ -93825,7 +93036,7 @@ func newWebAppAuthflowV2CreatePasswordHandler(p *deps.RequestProvider) http.Hand
 		RemoteIP:        remoteIP,
 		UserAgentString: userAgentString,
 		AppID:           appID,
-		Redis:           handle,
+		Redis:           appredisHandle,
 		Store:           idpsessionStoreRedis,
 		AccessEvents:    eventProvider,
 		TrustProxy:      trustProxy,
@@ -93833,6 +93044,18 @@ func newWebAppAuthflowV2CreatePasswordHandler(p *deps.RequestProvider) http.Hand
 		Clock:           clockClock,
 		Random:          idpsessionRand,
 	}
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
 	oauthclientResolver := &oauthclient.Resolver{
 		OAuthConfig:     oAuthConfig,
 		TesterEndpoints: endpointsEndpoints,
@@ -93842,10 +93065,10 @@ func newWebAppAuthflowV2CreatePasswordHandler(p *deps.RequestProvider) http.Hand
 		Clock:          clockClock,
 		IDPSessions:    idpsessionProvider,
 		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
+		OfflineGrants:  store5,
 	}
 	sessionManager := &oauth2.SessionManager{
-		Store:   redisStore,
+		Store:   store5,
 		Config:  oAuthConfig,
 		Service: offlineGrantService,
 	}
@@ -93881,349 +93104,51 @@ func newWebAppAuthflowV2CreatePasswordHandler(p *deps.RequestProvider) http.Hand
 		Clock:                      clockClock,
 		PasswordGenerator:          generator,
 	}
-	identityFacade := facade.IdentityFacade{
+	identityFacade := &facade.IdentityFacade{
 		Coordinator: coordinator,
 	}
-	anonymousStoreRedis := &anonymous.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-		Clock:   clockClock,
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
 	}
 	authenticatorFacade := facade.AuthenticatorFacade{
 		Coordinator: coordinator,
 	}
-	mfaFacade := &facade.MFAFacade{
-		Coordinator: coordinator,
-	}
-	customattrsService := &customattrs.Service{
-		Config:         userProfileConfig,
-		ServiceNoEvent: customattrsServiceNoEvent,
-		Events:         eventService,
-	}
-	messageSender := &otp.MessageSender{
-		AppID:           appID,
-		Translation:     translationService,
-		Endpoints:       endpointsEndpoints,
-		Sender:          sender,
-		WhatsappService: whatsappService,
-	}
-	workflowVerificationFacade := facade.WorkflowVerificationFacade{
-		Verification: verificationService,
-	}
-	forgotpasswordLogger := forgotpassword.NewLogger(factory)
-	sender2 := forgotpassword.Sender{
-		AppConfg:    appConfig,
-		Identities:  serviceService,
-		Sender:      sender,
-		Translation: translationService,
-	}
-	forgotpasswordService := &forgotpassword.Service{
-		Logger:         forgotpasswordLogger,
-		Config:         appConfig,
-		FeatureConfig:  featureConfig,
-		Identities:     serviceService,
-		Authenticators: authenticatorFacade,
-		OTPCodes:       otpService,
-		OTPSender:      messageSender,
-		PasswordSender: sender2,
-	}
-	accountMigrationConfig := appConfig.AccountMigration
-	accountMigrationHookConfig := accountMigrationConfig.Hook
-	hookDenoClient := accountmigration.NewHookDenoClient(denoEndpoint, hookLogger, accountMigrationHookConfig)
-	denoMiddlewareLogger := accountmigration.NewDenoMiddlewareLogger(factory)
-	accountMigrationDenoHook := &accountmigration.AccountMigrationDenoHook{
-		DenoHook: denoHook,
-		Client:   hookDenoClient,
-		Logger:   denoMiddlewareLogger,
-	}
-	hookWebHookImpl := &hook.WebHookImpl{
-		Logger: webHookLogger,
-		Secret: webhookKeyMaterials,
-	}
-	hookHTTPClient := accountmigration.NewHookHTTPClient(accountMigrationHookConfig)
-	webhookMiddlewareLogger := accountmigration.NewWebhookMiddlewareLogger(factory)
-	accountMigrationWebHook := &accountmigration.AccountMigrationWebHook{
-		WebHook: hookWebHookImpl,
-		Client:  hookHTTPClient,
-		Logger:  webhookMiddlewareLogger,
-	}
-	accountmigrationService := &accountmigration.Service{
-		Config:   accountMigrationHookConfig,
-		DenoHook: accountMigrationDenoHook,
-		WebHook:  accountMigrationWebHook,
-	}
-	challengeProvider := &challenge.Provider{
-		Redis: handle,
-		AppID: appID,
-		Clock: clockClock,
-	}
-	captchaConfig := appConfig.Captcha
-	providerLogger := captcha.NewProviderLogger(factory)
-	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
-	cloudflareClient := captcha2.NewCloudflareClient(deprecated_CaptchaCloudflareCredentials)
-	captchaProvider := &captcha.Provider{
-		RemoteIP:         remoteIP,
-		Config:           captchaConfig,
-		Logger:           providerLogger,
-		CloudflareClient: cloudflareClient,
-	}
-	botProtectionConfig := appConfig.BotProtection
-	botprotectionProviderLogger := botprotection.NewProviderLogger(factory)
-	botProtectionProviderCredentials := deps.ProvideBotProtectionProvidersCredentials(secretConfig)
-	botprotectionCloudflareClient := botprotection.NewCloudflareClient(botProtectionProviderCredentials, environmentConfig)
-	recaptchaV2Client := botprotection.NewRecaptchaV2Client(botProtectionProviderCredentials, environmentConfig)
-	botprotectionProvider := &botprotection.Provider{
-		RemoteIP:          remoteIP,
-		Config:            botProtectionConfig,
-		Logger:            botprotectionProviderLogger,
-		CloudflareClient:  botprotectionCloudflareClient,
-		RecaptchaV2Client: recaptchaV2Client,
-		Events:            eventService,
-	}
-	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
-	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
-	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
-		Context: contextContext,
-		AppID:   appID,
-		Redis:   handle,
-	}
-	oAuthProviderFactory := &sso.OAuthProviderFactory{
-		IdentityConfig:               identityConfig,
-		Credentials:                  oAuthSSOProviderCredentials,
-		Clock:                        clockClock,
-		StandardAttributesNormalizer: normalizer,
-		HTTPClient:                   oAuthHTTPClient,
-		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
-	}
-	requestOptionsService := &passkey2.RequestOptionsService{
-		ConfigService:   configService,
-		IdentityService: serviceService,
-		Store:           store2,
-	}
-	creationOptionsService := &passkey2.CreationOptionsService{
-		ConfigService:   configService,
-		UserService:     userQueries,
-		IdentityService: serviceService,
-		Store:           store2,
-	}
-	ldapConfig := identityConfig.LDAP
-	ldapServerUserCredentials := deps.ProvideLDAPServerUserCredentials(secretConfig)
-	clientFactory := &ldap2.ClientFactory{
-		Config:       ldapConfig,
-		SecretConfig: ldapServerUserCredentials,
-	}
-	manager2 := &session.Manager{
-		IDPSessions:         idpsessionManager,
-		AccessTokenSessions: sessionManager,
-		Events:              eventService,
-	}
 	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
 		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
-	userFacade := &facade.UserFacade{
-		UserProvider: userProvider,
-		Coordinator:  coordinator,
-	}
-	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
-	idTokenIssuer := &oidc.IDTokenIssuer{
-		Secrets:        oAuthKeyMaterials,
-		BaseURL:        endpointsEndpoints,
-		Users:          userQueries,
-		RolesAndGroups: queries,
-		Clock:          clockClock,
-	}
-	dependencies := &authenticationflow.Dependencies{
-		Config:                          appConfig,
-		FeatureConfig:                   featureConfig,
-		Clock:                           clockClock,
-		RemoteIP:                        remoteIP,
-		HTTPOrigin:                      httpOrigin,
-		HTTPRequest:                     request,
-		Users:                           userProvider,
-		Identities:                      identityFacade,
-		AnonymousIdentities:             anonymousProvider,
-		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
-		Authenticators:                  authenticatorFacade,
-		MFA:                             mfaFacade,
-		StdAttrsService:                 stdattrsService,
-		CustomAttrsService:              customattrsService,
-		OTPCodes:                        otpService,
-		OTPSender:                       messageSender,
-		Verification:                    workflowVerificationFacade,
-		ForgotPassword:                  forgotpasswordService,
-		ResetPassword:                   forgotpasswordService,
-		AccountMigrations:               accountmigrationService,
-		Challenges:                      challengeProvider,
-		Captcha:                         captchaProvider,
-		BotProtection:                   botprotectionProvider,
-		OAuthProviderFactory:            oAuthProviderFactory,
-		PasskeyRequestOptionsService:    requestOptionsService,
-		PasskeyCreationOptionsService:   creationOptionsService,
-		PasskeyService:                  passkeyService,
-		LoginIDs:                        provider,
-		LDAP:                            ldapProvider,
-		LDAPClientFactory:               clientFactory,
-		IDPSessions:                     idpsessionProvider,
-		Sessions:                        manager2,
-		AuthenticationInfos:             authenticationinfoStoreRedis,
-		SessionCookie:                   cookieDef,
-		MFADeviceTokenCookie:            mfaCookieDef,
-		UserFacade:                      userFacade,
-		Cookies:                         cookieManager,
-		Events:                          eventService,
-		RateLimiter:                     limiter,
-		OfflineGrants:                   redisStore,
-		IDTokens:                        idTokenIssuer,
-	}
-	authenticationflowServiceLogger := authenticationflow.NewServiceLogger(factory)
-	authenticationflowStoreImpl := &authenticationflow.StoreImpl{
-		Redis:   handle,
+		Redis:   appredisHandle,
 		AppID:   appID,
-		Context: contextContext,
 	}
 	uiService := &authenticationinfo.UIService{
 		EndpointsProvider: endpointsEndpoints,
 	}
-	authenticationflowService := &authenticationflow.Service{
-		ContextDoNotUseDirectly: contextContext,
-		Deps:                    dependencies,
-		Logger:                  authenticationflowServiceLogger,
-		Store:                   authenticationflowStoreImpl,
-		Database:                appdbHandle,
-		UIConfig:                uiConfig,
-		UIInfoResolver:          uiService,
-		OAuthClientResolver:     oauthclientResolver,
-	}
-	oauthsessionStoreRedis := &oauthsession.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	samlsessionStoreRedis := &samlsession.StoreRedis{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	promptResolver := &oauth2.PromptResolver{
-		Clock: clockClock,
-	}
-	oauthOfflineGrantService := &oauth2.OfflineGrantService{
-		OAuthConfig:    oAuthConfig,
-		Clock:          clockClock,
-		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
-	}
-	idTokenHintResolver := &oidc.IDTokenHintResolver{
-		Issuer:              idTokenIssuer,
-		Sessions:            idpsessionProvider,
-		OfflineGrantService: oauthOfflineGrantService,
-	}
-	uiInfoResolver := &oidc.UIInfoResolver{
-		Config:              oAuthConfig,
-		EndpointsProvider:   endpointsEndpoints,
-		PromptResolver:      promptResolver,
-		IDTokenHintResolver: idTokenHintResolver,
-		Clock:               clockClock,
-		Cookies:             cookieManager,
-		ClientResolver:      oauthclientResolver,
-	}
-	webappoauthStore := &webappoauth.Store{
-		Context: contextContext,
-		Redis:   handle,
-		AppID:   appID,
-	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
-		Endpoints:       endpointsEndpoints,
-		OAuthStateStore: webappoauthStore,
-	}
-	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
-	errorService := &webapp2.ErrorService{
-		AppID:       appID,
-		Cookie:      errorTokenCookieDef,
-		RedisHandle: handle,
-		Cookies:     cookieManager,
-	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
-		Endpoints:       endpointsEndpoints,
-		OAuthStateStore: webappoauthStore,
-	}
-	errorRenderer := &webapp.ErrorRenderer{
-		ErrorService:            errorService,
-		UIImplementationService: uiImplementationService,
-		AuthflowV1Navigator:     authflowNavigator,
-		AuthflowV2Navigator:     authflowV2Navigator,
-	}
-	authflowController := &webapp.AuthflowController{
-		Logger:                  authflowControllerLogger,
-		TesterEndpointsProvider: endpointsEndpoints,
-		TrustProxy:              trustProxy,
-		Clock:                   clockClock,
-		Cookies:                 cookieManager,
-		Sessions:                sessionStoreRedis,
-		SessionCookie:           sessionCookieDef,
-		SignedUpCookie:          signedUpCookieDef,
-		Authflows:               authenticationflowService,
-		OAuthSessions:           oauthsessionStoreRedis,
-		SAMLSessions:            samlsessionStoreRedis,
-		UIInfoResolver:          uiInfoResolver,
-		UIConfig:                uiConfig,
-		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowV2Navigator,
-		ErrorRenderer:           errorRenderer,
-	}
-	uiFeatureConfig := featureConfig.UI
-	forgotPasswordConfig := appConfig.ForgotPassword
-	googleTagManagerConfig := appConfig.GoogleTagManager
-	flashMessage := &httputil.FlashMessage{
-		Cookies: cookieManager,
-	}
-	authUISentryDSN := environmentConfig.AuthUISentryDSN
-	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
-	baseLogger := viewmodels.NewBaseLogger(factory)
-	baseViewModeler := &viewmodels.BaseViewModeler{
-		TrustProxy:                        trustProxy,
-		OAuth:                             oAuthConfig,
-		AuthUI:                            uiConfig,
-		AuthUIFeatureConfig:               uiFeatureConfig,
-		StaticAssets:                      staticAssetResolver,
-		ForgotPassword:                    forgotPasswordConfig,
-		Authentication:                    authenticationConfig,
-		GoogleTagManager:                  googleTagManagerConfig,
-		BotProtection:                     botProtectionConfig,
-		ErrorService:                      errorService,
-		Translations:                      translationService,
-		Clock:                             clockClock,
-		FlashMessage:                      flashMessage,
-		DefaultLanguageTag:                defaultLanguageTag,
-		SupportedLanguageTags:             supportedLanguageTags,
-		AuthUISentryDSN:                   authUISentryDSN,
-		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
-		OAuthClientResolver:               oauthclientResolver,
-		Logger:                            baseLogger,
-	}
-	inlinePreviewAuthflowBranchViewModeler := &viewmodels.InlinePreviewAuthflowBranchViewModeler{
-		AppConfig: appConfig,
-	}
-	responseRenderer := &webapp.ResponseRenderer{
-		TemplateEngine: engine,
+	accountmanagementService := &accountmanagement.Service{
+		Database:                  handle,
+		Config:                    appConfig,
+		Users:                     userProvider,
+		Store:                     redisStore,
+		OAuthProvider:             oAuthProviderFactory,
+		Identities:                identityFacade,
+		Events:                    eventService,
+		OTPSender:                 messageSender,
+		OTPCodeService:            otpService,
+		Authenticators:            authenticatorFacade,
+		AuthenticationInfoService: authenticationinfoStoreRedis,
+		PasskeyService:            passkeyService,
+		Verification:              verificationService,
+		UIInfoResolver:            uiService,
 	}
-	authflowV2CreatePasswordHandler := &authflowv2.AuthflowV2CreatePasswordHandler{
-		Controller:                             authflowController,
-		BaseViewModel:                          baseViewModeler,
-		InlinePreviewAuthflowBranchViewModeler: inlinePreviewAuthflowBranchViewModeler,
-		Renderer:                               responseRenderer,
-		FeatureConfig:                          featureConfig,
-		AuthenticatorConfig:                    authenticatorConfig,
+	accountManagementV1IdentificationOAuthHandler := &api.AccountManagementV1IdentificationOAuthHandler{
+		JSON:    jsonResponseWriter,
+		Service: accountmanagementService,
 	}
-	return authflowV2CreatePasswordHandler
+	return accountManagementV1IdentificationOAuthHandler
 }
 
-func newWebAppAuthflowEnterTOTPHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowLoginHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -95248,18 +94173,43 @@ func newWebAppAuthflowEnterTOTPHandler(p *deps.RequestProvider) http.Handler {
 		OAuthClientResolver:               oauthclientResolver,
 		Logger:                            baseLogger,
 	}
+	authflowViewModeler := &viewmodels.AuthflowViewModeler{
+		Authentication: authenticationConfig,
+		LoginID:        loginIDConfig,
+		Identity:       identityConfig,
+	}
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowEnterTOTPHandler := &webapp.AuthflowEnterTOTPHandler{
-		Controller:    authflowController,
-		BaseViewModel: baseViewModeler,
-		Renderer:      responseRenderer,
+	analyticredisHandle := appProvider.AnalyticRedis
+	meterStoreRedisLogger := meter.NewStoreRedisLogger(factory)
+	writeStoreRedis := &meter.WriteStoreRedis{
+		Context: contextContext,
+		Redis:   analyticredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+		Logger:  meterStoreRedisLogger,
 	}
-	return authflowEnterTOTPHandler
+	meterService := &meter.Service{
+		Counter: writeStoreRedis,
+	}
+	tutorialCookie := &httputil.TutorialCookie{
+		Cookies: cookieManager,
+	}
+	authflowLoginHandler := &webapp.AuthflowLoginHandler{
+		Controller:        authflowController,
+		BaseViewModel:     baseViewModeler,
+		AuthflowViewModel: authflowViewModeler,
+		Renderer:          responseRenderer,
+		MeterService:      meterService,
+		TutorialCookie:    tutorialCookie,
+		ErrorService:      errorService,
+		Endpoints:         endpointsEndpoints,
+	}
+	return authflowLoginHandler
 }
 
-func newWebAppAuthflowV2EnterTOTPHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2LoginHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -96284,22 +95234,55 @@ func newWebAppAuthflowV2EnterTOTPHandler(p *deps.RequestProvider) http.Handler {
 		OAuthClientResolver:               oauthclientResolver,
 		Logger:                            baseLogger,
 	}
-	inlinePreviewAuthflowBranchViewModeler := &viewmodels.InlinePreviewAuthflowBranchViewModeler{
-		AppConfig: appConfig,
+	authflowViewModeler := &viewmodels.AuthflowViewModeler{
+		Authentication: authenticationConfig,
+		LoginID:        loginIDConfig,
+		Identity:       identityConfig,
 	}
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowV2EnterTOTPHandler := &authflowv2.AuthflowV2EnterTOTPHandler{
-		Controller:                             authflowController,
-		BaseViewModel:                          baseViewModeler,
-		InlinePreviewAuthflowBranchViewModeler: inlinePreviewAuthflowBranchViewModeler,
-		Renderer:                               responseRenderer,
+	analyticredisHandle := appProvider.AnalyticRedis
+	meterStoreRedisLogger := meter.NewStoreRedisLogger(factory)
+	writeStoreRedis := &meter.WriteStoreRedis{
+		Context: contextContext,
+		Redis:   analyticredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+		Logger:  meterStoreRedisLogger,
 	}
-	return authflowV2EnterTOTPHandler
+	meterService := &meter.Service{
+		Counter: writeStoreRedis,
+	}
+	tutorialCookie := &httputil.TutorialCookie{
+		Cookies: cookieManager,
+	}
+	internalAuthflowV2SignupLoginHandler := authflowv2.InternalAuthflowV2SignupLoginHandler{
+		Controller:        authflowController,
+		BaseViewModel:     baseViewModeler,
+		AuthflowViewModel: authflowViewModeler,
+		Renderer:          responseRenderer,
+		MeterService:      meterService,
+		TutorialCookie:    tutorialCookie,
+		Endpoints:         endpointsEndpoints,
+	}
+	authflowV2LoginHandler := &authflowv2.AuthflowV2LoginHandler{
+		SignupLoginHandler:   internalAuthflowV2SignupLoginHandler,
+		UIConfig:             uiConfig,
+		AuthenticationConfig: authenticationConfig,
+		Controller:           authflowController,
+		BaseViewModel:        baseViewModeler,
+		AuthflowViewModel:    authflowViewModeler,
+		Renderer:             responseRenderer,
+		MeterService:         meterService,
+		TutorialCookie:       tutorialCookie,
+		ErrorService:         errorService,
+		Endpoints:            endpointsEndpoints,
+	}
+	return authflowV2LoginHandler
 }
 
-func newWebAppAuthflowSetupTOTPHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowSignupHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -97324,18 +96307,42 @@ func newWebAppAuthflowSetupTOTPHandler(p *deps.RequestProvider) http.Handler {
 		OAuthClientResolver:               oauthclientResolver,
 		Logger:                            baseLogger,
 	}
+	authflowViewModeler := &viewmodels.AuthflowViewModeler{
+		Authentication: authenticationConfig,
+		LoginID:        loginIDConfig,
+		Identity:       identityConfig,
+	}
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowSetupTOTPHandler := &webapp.AuthflowSetupTOTPHandler{
-		Controller:    authflowController,
-		BaseViewModel: baseViewModeler,
-		Renderer:      responseRenderer,
+	analyticredisHandle := appProvider.AnalyticRedis
+	meterStoreRedisLogger := meter.NewStoreRedisLogger(factory)
+	writeStoreRedis := &meter.WriteStoreRedis{
+		Context: contextContext,
+		Redis:   analyticredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+		Logger:  meterStoreRedisLogger,
 	}
-	return authflowSetupTOTPHandler
+	meterService := &meter.Service{
+		Counter: writeStoreRedis,
+	}
+	tutorialCookie := &httputil.TutorialCookie{
+		Cookies: cookieManager,
+	}
+	authflowSignupHandler := &webapp.AuthflowSignupHandler{
+		Controller:        authflowController,
+		BaseViewModel:     baseViewModeler,
+		AuthflowViewModel: authflowViewModeler,
+		Renderer:          responseRenderer,
+		MeterService:      meterService,
+		TutorialCookie:    tutorialCookie,
+		Endpoints:         endpointsEndpoints,
+	}
+	return authflowSignupHandler
 }
 
-func newWebAppAuthflowV2SetupTOTPHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2SignupHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -98360,18 +97367,47 @@ func newWebAppAuthflowV2SetupTOTPHandler(p *deps.RequestProvider) http.Handler {
 		OAuthClientResolver:               oauthclientResolver,
 		Logger:                            baseLogger,
 	}
+	authflowViewModeler := &viewmodels.AuthflowViewModeler{
+		Authentication: authenticationConfig,
+		LoginID:        loginIDConfig,
+		Identity:       identityConfig,
+	}
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowV2SetupTOTPHandler := &authflowv2.AuthflowV2SetupTOTPHandler{
-		Controller:    authflowController,
-		BaseViewModel: baseViewModeler,
-		Renderer:      responseRenderer,
+	analyticredisHandle := appProvider.AnalyticRedis
+	meterStoreRedisLogger := meter.NewStoreRedisLogger(factory)
+	writeStoreRedis := &meter.WriteStoreRedis{
+		Context: contextContext,
+		Redis:   analyticredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+		Logger:  meterStoreRedisLogger,
 	}
-	return authflowV2SetupTOTPHandler
+	meterService := &meter.Service{
+		Counter: writeStoreRedis,
+	}
+	tutorialCookie := &httputil.TutorialCookie{
+		Cookies: cookieManager,
+	}
+	internalAuthflowV2SignupLoginHandler := authflowv2.InternalAuthflowV2SignupLoginHandler{
+		Controller:        authflowController,
+		BaseViewModel:     baseViewModeler,
+		AuthflowViewModel: authflowViewModeler,
+		Renderer:          responseRenderer,
+		MeterService:      meterService,
+		TutorialCookie:    tutorialCookie,
+		Endpoints:         endpointsEndpoints,
+	}
+	authflowV2SignupHandler := &authflowv2.AuthflowV2SignupHandler{
+		SignupLoginHandler:   internalAuthflowV2SignupLoginHandler,
+		AuthenticationConfig: authenticationConfig,
+		UIConfig:             uiConfig,
+	}
+	return authflowV2SignupHandler
 }
 
-func newWebAppAuthflowViewRecoveryCodeHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowPromoteHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -99396,18 +98432,25 @@ func newWebAppAuthflowViewRecoveryCodeHandler(p *deps.RequestProvider) http.Hand
 		OAuthClientResolver:               oauthclientResolver,
 		Logger:                            baseLogger,
 	}
+	authflowViewModeler := &viewmodels.AuthflowViewModeler{
+		Authentication: authenticationConfig,
+		LoginID:        loginIDConfig,
+		Identity:       identityConfig,
+	}
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowViewRecoveryCodeHandler := &webapp.AuthflowViewRecoveryCodeHandler{
-		Controller:    authflowController,
-		BaseViewModel: baseViewModeler,
-		Renderer:      responseRenderer,
+	authflowPromoteHandler := &webapp.AuthflowPromoteHandler{
+		Controller:        authflowController,
+		BaseViewModel:     baseViewModeler,
+		AuthflowViewModel: authflowViewModeler,
+		Renderer:          responseRenderer,
+		Endpoints:         endpointsEndpoints,
 	}
-	return authflowViewRecoveryCodeHandler
+	return authflowPromoteHandler
 }
 
-func newWebAppAuthflowV2ViewRecoveryCodeHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2PromoteHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -100432,18 +99475,25 @@ func newWebAppAuthflowV2ViewRecoveryCodeHandler(p *deps.RequestProvider) http.Ha
 		OAuthClientResolver:               oauthclientResolver,
 		Logger:                            baseLogger,
 	}
+	authflowViewModeler := &viewmodels.AuthflowViewModeler{
+		Authentication: authenticationConfig,
+		LoginID:        loginIDConfig,
+		Identity:       identityConfig,
+	}
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowV2ViewRecoveryCodeHandler := &authflowv2.AuthflowV2ViewRecoveryCodeHandler{
-		Controller:    authflowController,
-		BaseViewModel: baseViewModeler,
-		Renderer:      responseRenderer,
+	authflowV2PromoteHandler := &authflowv2.AuthflowV2PromoteHandler{
+		Controller:        authflowController,
+		BaseViewModel:     baseViewModeler,
+		AuthflowViewModel: authflowViewModeler,
+		Renderer:          responseRenderer,
+		Endpoints:         endpointsEndpoints,
 	}
-	return authflowV2ViewRecoveryCodeHandler
+	return authflowV2PromoteHandler
 }
 
-func newWebAppAuthflowWhatsappOTPHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowEnterPasswordHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -101471,17 +100521,15 @@ func newWebAppAuthflowWhatsappOTPHandler(p *deps.RequestProvider) http.Handler {
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowWhatsappOTPHandler := &webapp.AuthflowWhatsappOTPHandler{
+	authflowEnterPasswordHandler := &webapp.AuthflowEnterPasswordHandler{
 		Controller:    authflowController,
 		BaseViewModel: baseViewModeler,
 		Renderer:      responseRenderer,
-		FlashMessage:  flashMessage,
-		Clock:         clockClock,
 	}
-	return authflowWhatsappOTPHandler
+	return authflowEnterPasswordHandler
 }
 
-func newWebAppAuthflowOOBOTPLinkHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2EnterPasswordHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -102437,7 +101485,7 @@ func newWebAppAuthflowOOBOTPLinkHandler(p *deps.RequestProvider) http.Handler {
 		Redis:   handle,
 		AppID:   appID,
 	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -102448,7 +101496,7 @@ func newWebAppAuthflowOOBOTPLinkHandler(p *deps.RequestProvider) http.Handler {
 		RedisHandle: handle,
 		Cookies:     cookieManager,
 	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+	authflowNavigator := &webapp2.AuthflowNavigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -102473,7 +101521,7 @@ func newWebAppAuthflowOOBOTPLinkHandler(p *deps.RequestProvider) http.Handler {
 		UIInfoResolver:          uiInfoResolver,
 		UIConfig:                uiConfig,
 		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowNavigator,
+		Navigator:               authflowV2Navigator,
 		ErrorRenderer:           errorRenderer,
 	}
 	uiFeatureConfig := featureConfig.UI
@@ -102509,17 +101557,19 @@ func newWebAppAuthflowOOBOTPLinkHandler(p *deps.RequestProvider) http.Handler {
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowOOBOTPLinkHandler := &webapp.AuthflowOOBOTPLinkHandler{
-		Controller:    authflowController,
-		BaseViewModel: baseViewModeler,
-		Renderer:      responseRenderer,
-		FlashMessage:  flashMessage,
-		Clock:         clockClock,
+	inlinePreviewAuthflowBranchViewModeler := &viewmodels.InlinePreviewAuthflowBranchViewModeler{
+		AppConfig: appConfig,
 	}
-	return authflowOOBOTPLinkHandler
+	authflowV2EnterPasswordHandler := &authflowv2.AuthflowV2EnterPasswordHandler{
+		Controller:                             authflowController,
+		BaseViewModel:                          baseViewModeler,
+		Renderer:                               responseRenderer,
+		InlinePreviewAuthflowBranchViewModeler: inlinePreviewAuthflowBranchViewModeler,
+	}
+	return authflowV2EnterPasswordHandler
 }
 
-func newWebAppAuthflowV2OOBOTPLinkHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowEnterOOBOTPHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -103475,7 +102525,7 @@ func newWebAppAuthflowV2OOBOTPLinkHandler(p *deps.RequestProvider) http.Handler
 		Redis:   handle,
 		AppID:   appID,
 	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+	authflowNavigator := &webapp2.AuthflowNavigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -103486,7 +102536,7 @@ func newWebAppAuthflowV2OOBOTPLinkHandler(p *deps.RequestProvider) http.Handler
 		RedisHandle: handle,
 		Cookies:     cookieManager,
 	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -103511,7 +102561,7 @@ func newWebAppAuthflowV2OOBOTPLinkHandler(p *deps.RequestProvider) http.Handler
 		UIInfoResolver:          uiInfoResolver,
 		UIConfig:                uiConfig,
 		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowV2Navigator,
+		Navigator:               authflowNavigator,
 		ErrorRenderer:           errorRenderer,
 	}
 	uiFeatureConfig := featureConfig.UI
@@ -103544,23 +102594,20 @@ func newWebAppAuthflowV2OOBOTPLinkHandler(p *deps.RequestProvider) http.Handler
 		OAuthClientResolver:               oauthclientResolver,
 		Logger:                            baseLogger,
 	}
-	inlinePreviewAuthflowBranchViewModeler := &viewmodels.InlinePreviewAuthflowBranchViewModeler{
-		AppConfig: appConfig,
-	}
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowV2OOBOTPLinkHandler := &authflowv2.AuthflowV2OOBOTPLinkHandler{
-		Controller:                             authflowController,
-		BaseViewModel:                          baseViewModeler,
-		InlinePreviewAuthflowBranchViewModeler: inlinePreviewAuthflowBranchViewModeler,
-		Renderer:                               responseRenderer,
-		Clock:                                  clockClock,
+	authflowEnterOOBOTPHandler := &webapp.AuthflowEnterOOBOTPHandler{
+		Controller:    authflowController,
+		BaseViewModel: baseViewModeler,
+		Renderer:      responseRenderer,
+		FlashMessage:  flashMessage,
+		Clock:         clockClock,
 	}
-	return authflowV2OOBOTPLinkHandler
+	return authflowEnterOOBOTPHandler
 }
 
-func newWebAppAuthflowChangePasswordHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2EnterOOBOTPHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -104516,7 +103563,7 @@ func newWebAppAuthflowChangePasswordHandler(p *deps.RequestProvider) http.Handle
 		Redis:   handle,
 		AppID:   appID,
 	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -104527,7 +103574,7 @@ func newWebAppAuthflowChangePasswordHandler(p *deps.RequestProvider) http.Handle
 		RedisHandle: handle,
 		Cookies:     cookieManager,
 	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+	authflowNavigator := &webapp2.AuthflowNavigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -104552,7 +103599,7 @@ func newWebAppAuthflowChangePasswordHandler(p *deps.RequestProvider) http.Handle
 		UIInfoResolver:          uiInfoResolver,
 		UIConfig:                uiConfig,
 		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowNavigator,
+		Navigator:               authflowV2Navigator,
 		ErrorRenderer:           errorRenderer,
 	}
 	uiFeatureConfig := featureConfig.UI
@@ -104585,23 +103632,26 @@ func newWebAppAuthflowChangePasswordHandler(p *deps.RequestProvider) http.Handle
 		OAuthClientResolver:               oauthclientResolver,
 		Logger:                            baseLogger,
 	}
-	changePasswordViewModeler := &viewmodels.ChangePasswordViewModeler{
-		Authentication: authenticationConfig,
-		LoginID:        loginIDConfig,
+	inlinePreviewAuthflowBranchViewModeler := &viewmodels.InlinePreviewAuthflowBranchViewModeler{
+		AppConfig: appConfig,
 	}
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowChangePasswordHandler := &webapp.AuthflowChangePasswordHandler{
-		Controller:              authflowController,
-		BaseViewModel:           baseViewModeler,
-		ChangePasswordViewModel: changePasswordViewModeler,
-		Renderer:                responseRenderer,
+	authflowV2EnterOOBOTPHandler := &authflowv2.AuthflowV2EnterOOBOTPHandler{
+		Controller:                             authflowController,
+		BaseViewModel:                          baseViewModeler,
+		InlinePreviewAuthflowBranchViewModeler: inlinePreviewAuthflowBranchViewModeler,
+		Renderer:                               responseRenderer,
+		FlashMessage:                           flashMessage,
+		Clock:                                  clockClock,
+		AuthenticatorConfig:                    authenticatorConfig,
+		IdentityConfig:                         identityConfig,
 	}
-	return authflowChangePasswordHandler
+	return authflowV2EnterOOBOTPHandler
 }
 
-func newWebAppAuthflowV2ChangePasswordHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowCreatePasswordHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -105557,7 +104607,7 @@ func newWebAppAuthflowV2ChangePasswordHandler(p *deps.RequestProvider) http.Hand
 		Redis:   handle,
 		AppID:   appID,
 	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+	authflowNavigator := &webapp2.AuthflowNavigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -105568,7 +104618,7 @@ func newWebAppAuthflowV2ChangePasswordHandler(p *deps.RequestProvider) http.Hand
 		RedisHandle: handle,
 		Cookies:     cookieManager,
 	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -105593,7 +104643,7 @@ func newWebAppAuthflowV2ChangePasswordHandler(p *deps.RequestProvider) http.Hand
 		UIInfoResolver:          uiInfoResolver,
 		UIConfig:                uiConfig,
 		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowV2Navigator,
+		Navigator:               authflowNavigator,
 		ErrorRenderer:           errorRenderer,
 	}
 	uiFeatureConfig := featureConfig.UI
@@ -105626,24 +104676,18 @@ func newWebAppAuthflowV2ChangePasswordHandler(p *deps.RequestProvider) http.Hand
 		OAuthClientResolver:               oauthclientResolver,
 		Logger:                            baseLogger,
 	}
-	changePasswordViewModeler := &viewmodels.ChangePasswordViewModeler{
-		Authentication: authenticationConfig,
-		LoginID:        loginIDConfig,
-	}
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowV2ChangePasswordHandler := &authflowv2.AuthflowV2ChangePasswordHandler{
-		Controller:              authflowController,
-		Navigator:               authflowV2Navigator,
-		BaseViewModel:           baseViewModeler,
-		ChangePasswordViewModel: changePasswordViewModeler,
-		Renderer:                responseRenderer,
+	authflowCreatePasswordHandler := &webapp.AuthflowCreatePasswordHandler{
+		Controller:    authflowController,
+		BaseViewModel: baseViewModeler,
+		Renderer:      responseRenderer,
 	}
-	return authflowV2ChangePasswordHandler
+	return authflowCreatePasswordHandler
 }
 
-func newWebAppAuthflowV2ChangePasswordSuccessHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2CreatePasswordHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -106668,18 +105712,24 @@ func newWebAppAuthflowV2ChangePasswordSuccessHandler(p *deps.RequestProvider) ht
 		OAuthClientResolver:               oauthclientResolver,
 		Logger:                            baseLogger,
 	}
+	inlinePreviewAuthflowBranchViewModeler := &viewmodels.InlinePreviewAuthflowBranchViewModeler{
+		AppConfig: appConfig,
+	}
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowV2ChangePasswordSuccessHandler := &authflowv2.AuthflowV2ChangePasswordSuccessHandler{
-		Controller:    authflowController,
-		BaseViewModel: baseViewModeler,
-		Renderer:      responseRenderer,
+	authflowV2CreatePasswordHandler := &authflowv2.AuthflowV2CreatePasswordHandler{
+		Controller:                             authflowController,
+		BaseViewModel:                          baseViewModeler,
+		InlinePreviewAuthflowBranchViewModeler: inlinePreviewAuthflowBranchViewModeler,
+		Renderer:                               responseRenderer,
+		FeatureConfig:                          featureConfig,
+		AuthenticatorConfig:                    authenticatorConfig,
 	}
-	return authflowV2ChangePasswordSuccessHandler
+	return authflowV2CreatePasswordHandler
 }
 
-func newWebAppAuthflowUsePasskeyHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowEnterTOTPHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -107707,15 +106757,15 @@ func newWebAppAuthflowUsePasskeyHandler(p *deps.RequestProvider) http.Handler {
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowUsePasskeyHandler := &webapp.AuthflowUsePasskeyHandler{
+	authflowEnterTOTPHandler := &webapp.AuthflowEnterTOTPHandler{
 		Controller:    authflowController,
 		BaseViewModel: baseViewModeler,
 		Renderer:      responseRenderer,
 	}
-	return authflowUsePasskeyHandler
+	return authflowEnterTOTPHandler
 }
 
-func newWebAppAuthflowV2UsePasskeyHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2EnterTOTPHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -108746,16 +107796,16 @@ func newWebAppAuthflowV2UsePasskeyHandler(p *deps.RequestProvider) http.Handler
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowV2UsePasskeyHandler := &authflowv2.AuthflowV2UsePasskeyHandler{
+	authflowV2EnterTOTPHandler := &authflowv2.AuthflowV2EnterTOTPHandler{
 		Controller:                             authflowController,
 		BaseViewModel:                          baseViewModeler,
 		InlinePreviewAuthflowBranchViewModeler: inlinePreviewAuthflowBranchViewModeler,
 		Renderer:                               responseRenderer,
 	}
-	return authflowV2UsePasskeyHandler
+	return authflowV2EnterTOTPHandler
 }
 
-func newWebAppAuthflowPromptCreatePasskeyHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowSetupTOTPHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -109783,15 +108833,15 @@ func newWebAppAuthflowPromptCreatePasskeyHandler(p *deps.RequestProvider) http.H
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowPromptCreatePasskeyHandler := &webapp.AuthflowPromptCreatePasskeyHandler{
+	authflowSetupTOTPHandler := &webapp.AuthflowSetupTOTPHandler{
 		Controller:    authflowController,
 		BaseViewModel: baseViewModeler,
 		Renderer:      responseRenderer,
 	}
-	return authflowPromptCreatePasskeyHandler
+	return authflowSetupTOTPHandler
 }
 
-func newWebAppAuthflowV2PromptCreatePasskeyHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2SetupTOTPHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -110819,15 +109869,15 @@ func newWebAppAuthflowV2PromptCreatePasskeyHandler(p *deps.RequestProvider) http
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowV2PromptCreatePasskeyHandler := &authflowv2.AuthflowV2PromptCreatePasskeyHandler{
+	authflowV2SetupTOTPHandler := &authflowv2.AuthflowV2SetupTOTPHandler{
 		Controller:    authflowController,
 		BaseViewModel: baseViewModeler,
 		Renderer:      responseRenderer,
 	}
-	return authflowV2PromptCreatePasskeyHandler
+	return authflowV2SetupTOTPHandler
 }
 
-func newWebAppAuthflowEnterRecoveryCodeHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowViewRecoveryCodeHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -111855,15 +110905,15 @@ func newWebAppAuthflowEnterRecoveryCodeHandler(p *deps.RequestProvider) http.Han
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowEnterRecoveryCodeHandler := &webapp.AuthflowEnterRecoveryCodeHandler{
+	authflowViewRecoveryCodeHandler := &webapp.AuthflowViewRecoveryCodeHandler{
 		Controller:    authflowController,
 		BaseViewModel: baseViewModeler,
 		Renderer:      responseRenderer,
 	}
-	return authflowEnterRecoveryCodeHandler
+	return authflowViewRecoveryCodeHandler
 }
 
-func newWebAppAuthflowV2EnterRecoveryCodeHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2ViewRecoveryCodeHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -112891,15 +111941,15 @@ func newWebAppAuthflowV2EnterRecoveryCodeHandler(p *deps.RequestProvider) http.H
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowV2EnterRecoveryCodeHandler := &authflowv2.AuthflowV2EnterRecoveryCodeHandler{
+	authflowV2ViewRecoveryCodeHandler := &authflowv2.AuthflowV2ViewRecoveryCodeHandler{
 		Controller:    authflowController,
 		BaseViewModel: baseViewModeler,
 		Renderer:      responseRenderer,
 	}
-	return authflowV2EnterRecoveryCodeHandler
+	return authflowV2ViewRecoveryCodeHandler
 }
 
-func newWebAppAuthflowSetupOOBOTPHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowWhatsappOTPHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -113927,15 +112977,17 @@ func newWebAppAuthflowSetupOOBOTPHandler(p *deps.RequestProvider) http.Handler {
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowSetupOOBOTPHandler := &webapp.AuthflowSetupOOBOTPHandler{
+	authflowWhatsappOTPHandler := &webapp.AuthflowWhatsappOTPHandler{
 		Controller:    authflowController,
 		BaseViewModel: baseViewModeler,
 		Renderer:      responseRenderer,
+		FlashMessage:  flashMessage,
+		Clock:         clockClock,
 	}
-	return authflowSetupOOBOTPHandler
+	return authflowWhatsappOTPHandler
 }
 
-func newWebAppAuthflowV2SetupOOBOTPHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowOOBOTPLinkHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -114891,7 +113943,7 @@ func newWebAppAuthflowV2SetupOOBOTPHandler(p *deps.RequestProvider) http.Handler
 		Redis:   handle,
 		AppID:   appID,
 	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+	authflowNavigator := &webapp2.AuthflowNavigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -114902,7 +113954,7 @@ func newWebAppAuthflowV2SetupOOBOTPHandler(p *deps.RequestProvider) http.Handler
 		RedisHandle: handle,
 		Cookies:     cookieManager,
 	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -114927,7 +113979,7 @@ func newWebAppAuthflowV2SetupOOBOTPHandler(p *deps.RequestProvider) http.Handler
 		UIInfoResolver:          uiInfoResolver,
 		UIConfig:                uiConfig,
 		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowV2Navigator,
+		Navigator:               authflowNavigator,
 		ErrorRenderer:           errorRenderer,
 	}
 	uiFeatureConfig := featureConfig.UI
@@ -114963,15 +114015,17 @@ func newWebAppAuthflowV2SetupOOBOTPHandler(p *deps.RequestProvider) http.Handler
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowV2SetupOOBOTPHandler := &authflowv2.AuthflowV2SetupOOBOTPHandler{
+	authflowOOBOTPLinkHandler := &webapp.AuthflowOOBOTPLinkHandler{
 		Controller:    authflowController,
 		BaseViewModel: baseViewModeler,
 		Renderer:      responseRenderer,
+		FlashMessage:  flashMessage,
+		Clock:         clockClock,
 	}
-	return authflowV2SetupOOBOTPHandler
+	return authflowOOBOTPLinkHandler
 }
 
-func newWebAppAuthflowTerminateOtherSessionsHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2OOBOTPLinkHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -115927,7 +114981,7 @@ func newWebAppAuthflowTerminateOtherSessionsHandler(p *deps.RequestProvider) htt
 		Redis:   handle,
 		AppID:   appID,
 	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -115938,7 +114992,7 @@ func newWebAppAuthflowTerminateOtherSessionsHandler(p *deps.RequestProvider) htt
 		RedisHandle: handle,
 		Cookies:     cookieManager,
 	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+	authflowNavigator := &webapp2.AuthflowNavigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -115963,7 +115017,7 @@ func newWebAppAuthflowTerminateOtherSessionsHandler(p *deps.RequestProvider) htt
 		UIInfoResolver:          uiInfoResolver,
 		UIConfig:                uiConfig,
 		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowNavigator,
+		Navigator:               authflowV2Navigator,
 		ErrorRenderer:           errorRenderer,
 	}
 	uiFeatureConfig := featureConfig.UI
@@ -115996,18 +115050,23 @@ func newWebAppAuthflowTerminateOtherSessionsHandler(p *deps.RequestProvider) htt
 		OAuthClientResolver:               oauthclientResolver,
 		Logger:                            baseLogger,
 	}
+	inlinePreviewAuthflowBranchViewModeler := &viewmodels.InlinePreviewAuthflowBranchViewModeler{
+		AppConfig: appConfig,
+	}
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowTerminateOtherSessionsHandler := &webapp.AuthflowTerminateOtherSessionsHandler{
-		Controller:    authflowController,
-		BaseViewModel: baseViewModeler,
-		Renderer:      responseRenderer,
+	authflowV2OOBOTPLinkHandler := &authflowv2.AuthflowV2OOBOTPLinkHandler{
+		Controller:                             authflowController,
+		BaseViewModel:                          baseViewModeler,
+		InlinePreviewAuthflowBranchViewModeler: inlinePreviewAuthflowBranchViewModeler,
+		Renderer:                               responseRenderer,
+		Clock:                                  clockClock,
 	}
-	return authflowTerminateOtherSessionsHandler
+	return authflowV2OOBOTPLinkHandler
 }
 
-func newWebAppAuthflowV2TerminateOtherSessionsHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowChangePasswordHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -116963,7 +116022,7 @@ func newWebAppAuthflowV2TerminateOtherSessionsHandler(p *deps.RequestProvider) h
 		Redis:   handle,
 		AppID:   appID,
 	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+	authflowNavigator := &webapp2.AuthflowNavigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -116974,7 +116033,7 @@ func newWebAppAuthflowV2TerminateOtherSessionsHandler(p *deps.RequestProvider) h
 		RedisHandle: handle,
 		Cookies:     cookieManager,
 	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -116999,7 +116058,7 @@ func newWebAppAuthflowV2TerminateOtherSessionsHandler(p *deps.RequestProvider) h
 		UIInfoResolver:          uiInfoResolver,
 		UIConfig:                uiConfig,
 		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowV2Navigator,
+		Navigator:               authflowNavigator,
 		ErrorRenderer:           errorRenderer,
 	}
 	uiFeatureConfig := featureConfig.UI
@@ -117032,18 +116091,23 @@ func newWebAppAuthflowV2TerminateOtherSessionsHandler(p *deps.RequestProvider) h
 		OAuthClientResolver:               oauthclientResolver,
 		Logger:                            baseLogger,
 	}
+	changePasswordViewModeler := &viewmodels.ChangePasswordViewModeler{
+		Authentication: authenticationConfig,
+		LoginID:        loginIDConfig,
+	}
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowV2TerminateOtherSessionsHandler := &authflowv2.AuthflowV2TerminateOtherSessionsHandler{
-		Controller:    authflowController,
-		BaseViewModel: baseViewModeler,
-		Renderer:      responseRenderer,
+	authflowChangePasswordHandler := &webapp.AuthflowChangePasswordHandler{
+		Controller:              authflowController,
+		BaseViewModel:           baseViewModeler,
+		ChangePasswordViewModel: changePasswordViewModeler,
+		Renderer:                responseRenderer,
 	}
-	return authflowV2TerminateOtherSessionsHandler
+	return authflowChangePasswordHandler
 }
 
-func newWebAppAuthflowWechatHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2ChangePasswordHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -117999,7 +117063,7 @@ func newWebAppAuthflowWechatHandler(p *deps.RequestProvider) http.Handler {
 		Redis:   handle,
 		AppID:   appID,
 	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -118010,7 +117074,7 @@ func newWebAppAuthflowWechatHandler(p *deps.RequestProvider) http.Handler {
 		RedisHandle: handle,
 		Cookies:     cookieManager,
 	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+	authflowNavigator := &webapp2.AuthflowNavigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -118035,7 +117099,7 @@ func newWebAppAuthflowWechatHandler(p *deps.RequestProvider) http.Handler {
 		UIInfoResolver:          uiInfoResolver,
 		UIConfig:                uiConfig,
 		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowNavigator,
+		Navigator:               authflowV2Navigator,
 		ErrorRenderer:           errorRenderer,
 	}
 	uiFeatureConfig := featureConfig.UI
@@ -118068,19 +117132,24 @@ func newWebAppAuthflowWechatHandler(p *deps.RequestProvider) http.Handler {
 		OAuthClientResolver:               oauthclientResolver,
 		Logger:                            baseLogger,
 	}
+	changePasswordViewModeler := &viewmodels.ChangePasswordViewModeler{
+		Authentication: authenticationConfig,
+		LoginID:        loginIDConfig,
+	}
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowWechatHandler := &webapp.AuthflowWechatHandler{
-		Controller:      authflowController,
-		BaseViewModel:   baseViewModeler,
-		Renderer:        responseRenderer,
-		OAuthStateStore: webappoauthStore,
+	authflowV2ChangePasswordHandler := &authflowv2.AuthflowV2ChangePasswordHandler{
+		Controller:              authflowController,
+		Navigator:               authflowV2Navigator,
+		BaseViewModel:           baseViewModeler,
+		ChangePasswordViewModel: changePasswordViewModeler,
+		Renderer:                responseRenderer,
 	}
-	return authflowWechatHandler
+	return authflowV2ChangePasswordHandler
 }
 
-func newWebAppAuthflowForgotPasswordHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2ChangePasswordSuccessHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -119036,7 +118105,7 @@ func newWebAppAuthflowForgotPasswordHandler(p *deps.RequestProvider) http.Handle
 		Redis:   handle,
 		AppID:   appID,
 	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -119047,7 +118116,7 @@ func newWebAppAuthflowForgotPasswordHandler(p *deps.RequestProvider) http.Handle
 		RedisHandle: handle,
 		Cookies:     cookieManager,
 	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+	authflowNavigator := &webapp2.AuthflowNavigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -119072,7 +118141,7 @@ func newWebAppAuthflowForgotPasswordHandler(p *deps.RequestProvider) http.Handle
 		UIInfoResolver:          uiInfoResolver,
 		UIConfig:                uiConfig,
 		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowNavigator,
+		Navigator:               authflowV2Navigator,
 		ErrorRenderer:           errorRenderer,
 	}
 	uiFeatureConfig := featureConfig.UI
@@ -119108,15 +118177,15 @@ func newWebAppAuthflowForgotPasswordHandler(p *deps.RequestProvider) http.Handle
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowForgotPasswordHandler := &webapp.AuthflowForgotPasswordHandler{
+	authflowV2ChangePasswordSuccessHandler := &authflowv2.AuthflowV2ChangePasswordSuccessHandler{
 		Controller:    authflowController,
 		BaseViewModel: baseViewModeler,
 		Renderer:      responseRenderer,
 	}
-	return authflowForgotPasswordHandler
+	return authflowV2ChangePasswordSuccessHandler
 }
 
-func newWebAppAuthflowV2ForgotPasswordHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowUsePasskeyHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -120072,7 +119141,7 @@ func newWebAppAuthflowV2ForgotPasswordHandler(p *deps.RequestProvider) http.Hand
 		Redis:   handle,
 		AppID:   appID,
 	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+	authflowNavigator := &webapp2.AuthflowNavigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -120083,7 +119152,7 @@ func newWebAppAuthflowV2ForgotPasswordHandler(p *deps.RequestProvider) http.Hand
 		RedisHandle: handle,
 		Cookies:     cookieManager,
 	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -120108,7 +119177,7 @@ func newWebAppAuthflowV2ForgotPasswordHandler(p *deps.RequestProvider) http.Hand
 		UIInfoResolver:          uiInfoResolver,
 		UIConfig:                uiConfig,
 		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowV2Navigator,
+		Navigator:               authflowNavigator,
 		ErrorRenderer:           errorRenderer,
 	}
 	uiFeatureConfig := featureConfig.UI
@@ -120141,24 +119210,18 @@ func newWebAppAuthflowV2ForgotPasswordHandler(p *deps.RequestProvider) http.Hand
 		OAuthClientResolver:               oauthclientResolver,
 		Logger:                            baseLogger,
 	}
-	authflowViewModeler := &viewmodels.AuthflowViewModeler{
-		Authentication: authenticationConfig,
-		LoginID:        loginIDConfig,
-		Identity:       identityConfig,
-	}
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowV2ForgotPasswordHandler := &authflowv2.AuthflowV2ForgotPasswordHandler{
-		Controller:        authflowController,
-		BaseViewModel:     baseViewModeler,
-		AuthflowViewModel: authflowViewModeler,
-		Renderer:          responseRenderer,
+	authflowUsePasskeyHandler := &webapp.AuthflowUsePasskeyHandler{
+		Controller:    authflowController,
+		BaseViewModel: baseViewModeler,
+		Renderer:      responseRenderer,
 	}
-	return authflowV2ForgotPasswordHandler
+	return authflowUsePasskeyHandler
 }
 
-func newWebAppAuthflowForgotPasswordOTPHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2UsePasskeyHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -121114,7 +120177,7 @@ func newWebAppAuthflowForgotPasswordOTPHandler(p *deps.RequestProvider) http.Han
 		Redis:   handle,
 		AppID:   appID,
 	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -121125,7 +120188,7 @@ func newWebAppAuthflowForgotPasswordOTPHandler(p *deps.RequestProvider) http.Han
 		RedisHandle: handle,
 		Cookies:     cookieManager,
 	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+	authflowNavigator := &webapp2.AuthflowNavigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -121150,7 +120213,7 @@ func newWebAppAuthflowForgotPasswordOTPHandler(p *deps.RequestProvider) http.Han
 		UIInfoResolver:          uiInfoResolver,
 		UIConfig:                uiConfig,
 		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowNavigator,
+		Navigator:               authflowV2Navigator,
 		ErrorRenderer:           errorRenderer,
 	}
 	uiFeatureConfig := featureConfig.UI
@@ -121183,20 +120246,22 @@ func newWebAppAuthflowForgotPasswordOTPHandler(p *deps.RequestProvider) http.Han
 		OAuthClientResolver:               oauthclientResolver,
 		Logger:                            baseLogger,
 	}
+	inlinePreviewAuthflowBranchViewModeler := &viewmodels.InlinePreviewAuthflowBranchViewModeler{
+		AppConfig: appConfig,
+	}
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowForgotPasswordOTPHandler := &webapp.AuthflowForgotPasswordOTPHandler{
-		Controller:    authflowController,
-		BaseViewModel: baseViewModeler,
-		Renderer:      responseRenderer,
-		FlashMessage:  flashMessage,
-		Clock:         clockClock,
+	authflowV2UsePasskeyHandler := &authflowv2.AuthflowV2UsePasskeyHandler{
+		Controller:                             authflowController,
+		BaseViewModel:                          baseViewModeler,
+		InlinePreviewAuthflowBranchViewModeler: inlinePreviewAuthflowBranchViewModeler,
+		Renderer:                               responseRenderer,
 	}
-	return authflowForgotPasswordOTPHandler
+	return authflowV2UsePasskeyHandler
 }
 
-func newWebAppAuthflowV2ForgotPasswordOTPHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowPromptCreatePasskeyHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -122152,7 +121217,7 @@ func newWebAppAuthflowV2ForgotPasswordOTPHandler(p *deps.RequestProvider) http.H
 		Redis:   handle,
 		AppID:   appID,
 	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+	authflowNavigator := &webapp2.AuthflowNavigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -122163,7 +121228,7 @@ func newWebAppAuthflowV2ForgotPasswordOTPHandler(p *deps.RequestProvider) http.H
 		RedisHandle: handle,
 		Cookies:     cookieManager,
 	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -122188,7 +121253,7 @@ func newWebAppAuthflowV2ForgotPasswordOTPHandler(p *deps.RequestProvider) http.H
 		UIInfoResolver:          uiInfoResolver,
 		UIConfig:                uiConfig,
 		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowV2Navigator,
+		Navigator:               authflowNavigator,
 		ErrorRenderer:           errorRenderer,
 	}
 	uiFeatureConfig := featureConfig.UI
@@ -122224,17 +121289,15 @@ func newWebAppAuthflowV2ForgotPasswordOTPHandler(p *deps.RequestProvider) http.H
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowV2ForgotPasswordOTPHandler := &authflowv2.AuthflowV2ForgotPasswordOTPHandler{
+	authflowPromptCreatePasskeyHandler := &webapp.AuthflowPromptCreatePasskeyHandler{
 		Controller:    authflowController,
 		BaseViewModel: baseViewModeler,
 		Renderer:      responseRenderer,
-		FlashMessage:  flashMessage,
-		Clock:         clockClock,
 	}
-	return authflowV2ForgotPasswordOTPHandler
+	return authflowPromptCreatePasskeyHandler
 }
 
-func newWebAppAuthflowForgotPasswordSuccessHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2PromptCreatePasskeyHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -123190,7 +122253,7 @@ func newWebAppAuthflowForgotPasswordSuccessHandler(p *deps.RequestProvider) http
 		Redis:   handle,
 		AppID:   appID,
 	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -123201,7 +122264,7 @@ func newWebAppAuthflowForgotPasswordSuccessHandler(p *deps.RequestProvider) http
 		RedisHandle: handle,
 		Cookies:     cookieManager,
 	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+	authflowNavigator := &webapp2.AuthflowNavigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -123226,7 +122289,7 @@ func newWebAppAuthflowForgotPasswordSuccessHandler(p *deps.RequestProvider) http
 		UIInfoResolver:          uiInfoResolver,
 		UIConfig:                uiConfig,
 		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowNavigator,
+		Navigator:               authflowV2Navigator,
 		ErrorRenderer:           errorRenderer,
 	}
 	uiFeatureConfig := featureConfig.UI
@@ -123262,15 +122325,15 @@ func newWebAppAuthflowForgotPasswordSuccessHandler(p *deps.RequestProvider) http
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowForgotPasswordSuccessHandler := &webapp.AuthflowForgotPasswordSuccessHandler{
+	authflowV2PromptCreatePasskeyHandler := &authflowv2.AuthflowV2PromptCreatePasskeyHandler{
 		Controller:    authflowController,
 		BaseViewModel: baseViewModeler,
 		Renderer:      responseRenderer,
 	}
-	return authflowForgotPasswordSuccessHandler
+	return authflowV2PromptCreatePasskeyHandler
 }
 
-func newWebAppAuthflowV2ForgotPasswordLinkSentHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowEnterRecoveryCodeHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -124226,7 +123289,7 @@ func newWebAppAuthflowV2ForgotPasswordLinkSentHandler(p *deps.RequestProvider) h
 		Redis:   handle,
 		AppID:   appID,
 	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+	authflowNavigator := &webapp2.AuthflowNavigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -124237,7 +123300,7 @@ func newWebAppAuthflowV2ForgotPasswordLinkSentHandler(p *deps.RequestProvider) h
 		RedisHandle: handle,
 		Cookies:     cookieManager,
 	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -124262,7 +123325,7 @@ func newWebAppAuthflowV2ForgotPasswordLinkSentHandler(p *deps.RequestProvider) h
 		UIInfoResolver:          uiInfoResolver,
 		UIConfig:                uiConfig,
 		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowV2Navigator,
+		Navigator:               authflowNavigator,
 		ErrorRenderer:           errorRenderer,
 	}
 	uiFeatureConfig := featureConfig.UI
@@ -124298,50 +123361,28 @@ func newWebAppAuthflowV2ForgotPasswordLinkSentHandler(p *deps.RequestProvider) h
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowV2ForgotPasswordLinkSentHandler := &authflowv2.AuthflowV2ForgotPasswordLinkSentHandler{
+	authflowEnterRecoveryCodeHandler := &webapp.AuthflowEnterRecoveryCodeHandler{
 		Controller:    authflowController,
 		BaseViewModel: baseViewModeler,
 		Renderer:      responseRenderer,
-		Clock:         clockClock,
 	}
-	return authflowV2ForgotPasswordLinkSentHandler
+	return authflowEnterRecoveryCodeHandler
 }
 
-func newWebAppReauthHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2EnterRecoveryCodeHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
-	handle := appProvider.AppDatabase
-	appredisHandle := appProvider.Redis
-	appContext := appProvider.AppContext
-	config := appContext.Config
-	appConfig := config.AppConfig
-	appID := appConfig.ID
-	serviceLogger := webapp2.NewServiceLogger(factory)
+	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
 	request := p.Request
-	sessionStoreRedis := &webapp2.SessionStoreRedis{
-		AppID: appID,
-		Redis: appredisHandle,
-	}
-	sessionCookieDef := webapp2.NewSessionCookieDef()
-	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
-	authenticationConfig := appConfig.Authentication
-	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
-	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
 	rootProvider := appProvider.RootProvider
 	environmentConfig := rootProvider.EnvironmentConfig
 	trustProxy := environmentConfig.TrustProxy
-	httpConfig := appConfig.HTTP
-	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
-	errorService := &webapp2.ErrorService{
-		AppID:       appID,
-		Cookie:      errorTokenCookieDef,
-		RedisHandle: appredisHandle,
-		Cookies:     cookieManager,
-	}
-	oAuthConfig := appConfig.OAuth
-	uiConfig := appConfig.UI
 	httpHost := deps.ProvideHTTPHost(request, trustProxy)
 	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	uiConfig := appConfig.UI
 	globalUIImplementation := environmentConfig.UIImplementation
 	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
 	uiImplementationService := &web.UIImplementationService{
@@ -124354,46 +123395,45 @@ func newWebAppReauthHandler(p *deps.RequestProvider) http.Handler {
 		HTTPProto:               httpProto,
 		UIImplementationService: uiImplementationService,
 	}
-	uiService := &authenticationinfo.UIService{
-		EndpointsProvider: endpointsEndpoints,
-	}
-	resolver := &oauthclient.Resolver{
-		OAuthConfig:     oAuthConfig,
-		TesterEndpoints: endpointsEndpoints,
+	clockClock := _wireSystemClockValue
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	appID := appConfig.ID
+	handle := appProvider.Redis
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: handle,
 	}
-	logger := interaction.NewLogger(factory)
-	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
 	contextContext := deps.ProvideRequestContext(request)
-	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
-	clockClock := _wireSystemClockValue
 	featureConfig := config.FeatureConfig
-	redisLogger := redis.NewLogger(factory)
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	secretConfig := config.SecretConfig
 	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	store := &redis.Store{
-		Context:     contextContext,
-		Redis:       appredisHandle,
-		AppID:       appID,
-		Logger:      redisLogger,
+	appdbHandle := appProvider.AppDatabase
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
+	store := &user.Store{
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawCommands := &user.RawCommands{
+		Store: store,
+		Clock: clockClock,
+	}
+	rawQueries := &user.RawQueries{
+		Store: store,
 	}
 	userAgentString := deps.ProvideUserAgentString(request)
-	eventLogger := event.NewLogger(factory)
+	logger := event.NewLogger(factory)
 	localizationConfig := appConfig.Localization
 	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
 	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
-	userStore := &user.Store{
-		SQLBuilder:  sqlBuilderApp,
-		SQLExecutor: sqlExecutor,
-		Clock:       clockClock,
-		AppID:       appID,
-	}
-	rawQueries := &user.RawQueries{
-		Store: userStore,
-	}
+	authenticationConfig := appConfig.Authentication
 	identityConfig := appConfig.Identity
 	identityFeatureConfig := featureConfig.Identity
 	serviceStore := &service.Store{
@@ -124457,20 +123497,19 @@ func newWebAppReauthHandler(p *deps.RequestProvider) http.Handler {
 	}
 	store2 := &passkey2.Store{
 		Context: contextContext,
-		Redis:   appredisHandle,
+		Redis:   handle,
 		AppID:   appID,
 	}
 	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
 	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
-	templateResolver := &template.Resolver{
+	resolver := &template.Resolver{
 		Resources:             manager,
 		DefaultLanguageTag:    defaultLanguageTag,
 		SupportedLanguageTags: supportedLanguageTags,
 	}
 	engine := &template.Engine{
-		Resolver: templateResolver,
+		Resolver: resolver,
 	}
-	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
 	staticAssetResolver := &web.StaticAssetResolver{
@@ -124508,14 +123547,14 @@ func newWebAppReauthHandler(p *deps.RequestProvider) http.Handler {
 	web3Config := appConfig.Web3
 	storeRedis := &siwe2.StoreRedis{
 		Context: contextContext,
-		Redis:   appredisHandle,
+		Redis:   handle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
 	ratelimitLogger := ratelimit.NewLogger(factory)
 	storageRedis := &ratelimit.StorageRedis{
 		AppID: appID,
-		Redis: appredisHandle,
+		Redis: handle,
 	}
 	rateLimitsFeatureConfig := featureConfig.RateLimits
 	limiter := &ratelimit.Limiter{
@@ -124630,17 +123669,17 @@ func newWebAppReauthHandler(p *deps.RequestProvider) http.Handler {
 	testModeConfig := appConfig.TestMode
 	testModeFeatureConfig := featureConfig.TestMode
 	codeStoreRedis := &otp.CodeStoreRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	lookupStoreRedis := &otp.LookupStoreRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	attemptTrackerRedis := &otp.AttemptTrackerRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -124666,7 +123705,7 @@ func newWebAppReauthHandler(p *deps.RequestProvider) http.Handler {
 	lockoutLogger := lockout.NewLogger(factory)
 	lockoutStorageRedis := &lockout.StorageRedis{
 		AppID: appID,
-		Redis: appredisHandle,
+		Redis: handle,
 	}
 	lockoutService := &lockout.Service{
 		Logger:  lockoutLogger,
@@ -124710,14 +123749,14 @@ func newWebAppReauthHandler(p *deps.RequestProvider) http.Handler {
 		UserProfileConfig: userProfileConfig,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         userStore,
+		UserStore:         store,
 		ClaimStore:        storePQ,
 		Transformer:       pictureTransformer,
 	}
 	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
 		Config:      userProfileConfig,
 		UserQueries: rawQueries,
-		UserStore:   userStore,
+		UserStore:   store,
 	}
 	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
 	web3Service := &web3.Service{
@@ -124734,7 +123773,7 @@ func newWebAppReauthHandler(p *deps.RequestProvider) http.Handler {
 	}
 	userQueries := &user.Queries{
 		RawQueries:         rawQueries,
-		Store:              userStore,
+		Store:              store,
 		Identities:         serviceService,
 		Authenticators:     service3,
 		Verification:       verificationService,
@@ -124807,16 +123846,16 @@ func newWebAppReauthHandler(p *deps.RequestProvider) http.Handler {
 	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
 	client := elasticsearch.NewClient(elasticsearchCredentials)
 	queue := appProvider.TaskQueue
-	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
+	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
 	elasticsearchService := elasticsearch.Service{
 		Clock:           clockClock,
 		Context:         contextContext,
-		Database:        handle,
+		Database:        appdbHandle,
 		Logger:          elasticsearchServiceLogger,
 		AppID:           appID,
 		Client:          client,
 		Users:           userQueries,
-		UserStore:       userStore,
+		UserStore:       store,
 		IdentityService: serviceService,
 		RolesGroups:     rolesgroupsStore,
 		TaskQueue:       queue,
@@ -124825,11 +123864,26 @@ func newWebAppReauthHandler(p *deps.RequestProvider) http.Handler {
 	elasticsearchSink := &elasticsearch.Sink{
 		Logger:   elasticsearchLogger,
 		Service:  elasticsearchService,
-		Database: handle,
+		Database: appdbHandle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
 	}
-	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
 	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -124857,7 +123911,7 @@ func newWebAppReauthHandler(p *deps.RequestProvider) http.Handler {
 		Logger: usageLogger,
 		Clock:  clockClock,
 		AppID:  appID,
-		Redis:  appredisHandle,
+		Redis:  handle,
 	}
 	messagingConfig := appConfig.Messaging
 	messagingRateLimitsConfig := messagingConfig.RateLimits
@@ -124872,21 +123926,21 @@ func newWebAppReauthHandler(p *deps.RequestProvider) http.Handler {
 		FeatureConfig: messagingFeatureConfig,
 		EnvConfig:     rateLimitsEnvironmentConfig,
 	}
-	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
+	serviceLogger := whatsapp.NewServiceLogger(factory)
 	devMode := environmentConfig.DevMode
 	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
 	testModeWhatsappConfig := testModeConfig.Whatsapp
 	whatsappConfig := messagingConfig.Whatsapp
 	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
 	tokenStore := &whatsapp.TokenStore{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
 	whatsappService := &whatsapp.Service{
 		Context:                           contextContext,
-		Logger:                            whatsappServiceLogger,
+		Logger:                            serviceLogger,
 		DevMode:                           devMode,
 		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
 		TestModeWhatsappConfig:            testModeWhatsappConfig,
@@ -124908,27 +123962,12 @@ func newWebAppReauthHandler(p *deps.RequestProvider) http.Handler {
 		Sender:      sender,
 		Translation: translationService,
 	}
-	rawCommands := &user.RawCommands{
-		Store: userStore,
-		Clock: clockClock,
-	}
-	userCommands := &user.Commands{
-		RawCommands:        rawCommands,
-		RawQueries:         rawQueries,
-		Events:             eventService,
-		Verification:       verificationService,
-		UserProfileConfig:  userProfileConfig,
-		StandardAttributes: serviceNoEvent,
-		CustomAttributes:   customattrsServiceNoEvent,
-		Web3:               web3Service,
-		RolesAndGroups:     queries,
-	}
 	stdattrsService := &stdattrs2.Service{
 		UserProfileConfig: userProfileConfig,
 		ServiceNoEvent:    serviceNoEvent,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         userStore,
+		UserStore:         store,
 		Events:            eventService,
 	}
 	authorizationStore := &pq.AuthorizationStore{
@@ -124937,21 +123976,32 @@ func newWebAppReauthHandler(p *deps.RequestProvider) http.Handler {
 	}
 	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
 	idpsessionStoreRedis := &idpsession.StoreRedis{
-		Redis:  appredisHandle,
+		Redis:  handle,
 		AppID:  appID,
 		Clock:  clockClock,
 		Logger: storeRedisLogger,
 	}
 	sessionConfig := appConfig.Session
-	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
+	cookieDef := session.NewSessionCookieDef(sessionConfig)
 	idpsessionManager := &idpsession.Manager{
 		Store:     idpsessionStoreRedis,
 		Config:    sessionConfig,
 		Cookies:   cookieManager,
-		CookieDef: cookieDef2,
+		CookieDef: cookieDef,
+	}
+	redisLogger := redis.NewLogger(factory)
+	redisStore := &redis.Store{
+		Context:     contextContext,
+		Redis:       handle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
 	}
+	oAuthConfig := appConfig.OAuth
 	eventStoreRedis := &access.EventStoreRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 	}
 	eventProvider := &access.EventProvider{
@@ -124963,7 +124013,7 @@ func newWebAppReauthHandler(p *deps.RequestProvider) http.Handler {
 		RemoteIP:        remoteIP,
 		UserAgentString: userAgentString,
 		AppID:           appID,
-		Redis:           appredisHandle,
+		Redis:           handle,
 		Store:           idpsessionStoreRedis,
 		AccessEvents:    eventProvider,
 		TrustProxy:      trustProxy,
@@ -124971,15 +124021,19 @@ func newWebAppReauthHandler(p *deps.RequestProvider) http.Handler {
 		Clock:           clockClock,
 		Random:          idpsessionRand,
 	}
+	oauthclientResolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
 	offlineGrantService := oauth2.OfflineGrantService{
 		OAuthConfig:    oAuthConfig,
 		Clock:          clockClock,
 		IDPSessions:    idpsessionProvider,
-		ClientResolver: resolver,
-		OfflineGrants:  store,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
 	}
 	sessionManager := &oauth2.SessionManager{
-		Store:   store,
+		Store:   redisStore,
 		Config:  oAuthConfig,
 		Service: offlineGrantService,
 	}
@@ -125018,15 +124072,23 @@ func newWebAppReauthHandler(p *deps.RequestProvider) http.Handler {
 	identityFacade := facade.IdentityFacade{
 		Coordinator: coordinator,
 	}
-	authenticatorFacade := facade.AuthenticatorFacade{
-		Coordinator: coordinator,
-	}
 	anonymousStoreRedis := &anonymous.StoreRedis{
 		Context: contextContext,
-		Redis:   appredisHandle,
+		Redis:   handle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	customattrsService := &customattrs.Service{
+		Config:         userProfileConfig,
+		ServiceNoEvent: customattrsServiceNoEvent,
+		Events:         eventService,
+	}
 	messageSender := &otp.MessageSender{
 		AppID:           appID,
 		Translation:     translationService,
@@ -125034,28 +124096,8 @@ func newWebAppReauthHandler(p *deps.RequestProvider) http.Handler {
 		Sender:          sender,
 		WhatsappService: whatsappService,
 	}
-	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
-	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
-	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
-		Context: contextContext,
-		AppID:   appID,
-		Redis:   appredisHandle,
-	}
-	oAuthProviderFactory := &sso.OAuthProviderFactory{
-		IdentityConfig:               identityConfig,
-		Credentials:                  oAuthSSOProviderCredentials,
-		Clock:                        clockClock,
-		StandardAttributesNormalizer: normalizer,
-		HTTPClient:                   oAuthHTTPClient,
-		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
-	}
-	webappoauthStore := &webappoauth.Store{
-		Context: contextContext,
-		Redis:   appredisHandle,
-		AppID:   appID,
-	}
-	mfaFacade := &facade.MFAFacade{
-		Coordinator: coordinator,
+	workflowVerificationFacade := facade.WorkflowVerificationFacade{
+		Verification: verificationService,
 	}
 	forgotpasswordLogger := forgotpassword.NewLogger(factory)
 	sender2 := forgotpassword.Sender{
@@ -125074,140 +124116,227 @@ func newWebAppReauthHandler(p *deps.RequestProvider) http.Handler {
 		OTPSender:      messageSender,
 		PasswordSender: sender2,
 	}
-	responseWriter := p.ResponseWriter
-	nonceService := &nonce.Service{
-		Cookies:        cookieManager,
-		Request:        request,
-		ResponseWriter: responseWriter,
+	accountMigrationConfig := appConfig.AccountMigration
+	accountMigrationHookConfig := accountMigrationConfig.Hook
+	hookDenoClient := accountmigration.NewHookDenoClient(denoEndpoint, hookLogger, accountMigrationHookConfig)
+	denoMiddlewareLogger := accountmigration.NewDenoMiddlewareLogger(factory)
+	accountMigrationDenoHook := &accountmigration.AccountMigrationDenoHook{
+		DenoHook: denoHook,
+		Client:   hookDenoClient,
+		Logger:   denoMiddlewareLogger,
+	}
+	hookWebHookImpl := &hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	hookHTTPClient := accountmigration.NewHookHTTPClient(accountMigrationHookConfig)
+	webhookMiddlewareLogger := accountmigration.NewWebhookMiddlewareLogger(factory)
+	accountMigrationWebHook := &accountmigration.AccountMigrationWebHook{
+		WebHook: hookWebHookImpl,
+		Client:  hookHTTPClient,
+		Logger:  webhookMiddlewareLogger,
+	}
+	accountmigrationService := &accountmigration.Service{
+		Config:   accountMigrationHookConfig,
+		DenoHook: accountMigrationDenoHook,
+		WebHook:  accountMigrationWebHook,
 	}
 	challengeProvider := &challenge.Provider{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
-	userProvider := &user.Provider{
-		Commands: userCommands,
-		Queries:  userQueries,
+	captchaConfig := appConfig.Captcha
+	providerLogger := captcha.NewProviderLogger(factory)
+	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
+	cloudflareClient := captcha2.NewCloudflareClient(deprecated_CaptchaCloudflareCredentials)
+	captchaProvider := &captcha.Provider{
+		RemoteIP:         remoteIP,
+		Config:           captchaConfig,
+		Logger:           providerLogger,
+		CloudflareClient: cloudflareClient,
 	}
-	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+	botProtectionConfig := appConfig.BotProtection
+	botprotectionProviderLogger := botprotection.NewProviderLogger(factory)
+	botProtectionProviderCredentials := deps.ProvideBotProtectionProvidersCredentials(secretConfig)
+	botprotectionCloudflareClient := botprotection.NewCloudflareClient(botProtectionProviderCredentials, environmentConfig)
+	recaptchaV2Client := botprotection.NewRecaptchaV2Client(botProtectionProviderCredentials, environmentConfig)
+	botprotectionProvider := &botprotection.Provider{
+		RemoteIP:          remoteIP,
+		Config:            botProtectionConfig,
+		Logger:            botprotectionProviderLogger,
+		CloudflareClient:  botprotectionCloudflareClient,
+		RecaptchaV2Client: recaptchaV2Client,
+		Events:            eventService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
 		Context: contextContext,
-		Redis:   appredisHandle,
 		AppID:   appID,
+		Redis:   handle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	requestOptionsService := &passkey2.RequestOptionsService{
+		ConfigService:   configService,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	creationOptionsService := &passkey2.CreationOptionsService{
+		ConfigService:   configService,
+		UserService:     userQueries,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	ldapConfig := identityConfig.LDAP
+	ldapServerUserCredentials := deps.ProvideLDAPServerUserCredentials(secretConfig)
+	clientFactory := &ldap2.ClientFactory{
+		Config:       ldapConfig,
+		SecretConfig: ldapServerUserCredentials,
 	}
 	manager2 := &session.Manager{
 		IDPSessions:         idpsessionManager,
 		AccessTokenSessions: sessionManager,
 		Events:              eventService,
 	}
-	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
 		Context: contextContext,
-		Redis:   appredisHandle,
+		Redis:   handle,
 		AppID:   appID,
 	}
-	interactionContext := &interaction.Context{
-		Request:                         request,
-		RemoteIP:                        remoteIP,
-		Database:                        sqlExecutor,
-		Clock:                           clockClock,
+	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	userFacade := &facade.UserFacade{
+		UserProvider: userProvider,
+		Coordinator:  coordinator,
+	}
+	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
+	idTokenIssuer := &oidc.IDTokenIssuer{
+		Secrets:        oAuthKeyMaterials,
+		BaseURL:        endpointsEndpoints,
+		Users:          userQueries,
+		RolesAndGroups: queries,
+		Clock:          clockClock,
+	}
+	dependencies := &authenticationflow.Dependencies{
 		Config:                          appConfig,
 		FeatureConfig:                   featureConfig,
-		OAuthClientResolver:             resolver,
-		OfflineGrants:                   store,
+		Clock:                           clockClock,
+		RemoteIP:                        remoteIP,
+		HTTPOrigin:                      httpOrigin,
+		HTTPRequest:                     request,
+		Users:                           userProvider,
 		Identities:                      identityFacade,
-		Authenticators:                  authenticatorFacade,
 		AnonymousIdentities:             anonymousProvider,
 		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
-		BiometricIdentities:             biometricProvider,
-		OTPCodeService:                  otpService,
-		OTPSender:                       messageSender,
-		OAuthProviderFactory:            oAuthProviderFactory,
-		OAuthRedirectURIBuilder:         endpointsEndpoints,
-		OAuthStateStore:                 webappoauthStore,
+		Authenticators:                  authenticatorFacade,
 		MFA:                             mfaFacade,
+		StdAttrsService:                 stdattrsService,
+		CustomAttrsService:              customattrsService,
+		OTPCodes:                        otpService,
+		OTPSender:                       messageSender,
+		Verification:                    workflowVerificationFacade,
 		ForgotPassword:                  forgotpasswordService,
 		ResetPassword:                   forgotpasswordService,
-		Passkey:                         passkeyService,
-		Verification:                    verificationService,
-		RateLimiter:                     limiter,
-		PasswordGenerator:               generator,
-		Nonces:                          nonceService,
+		AccountMigrations:               accountmigrationService,
 		Challenges:                      challengeProvider,
-		Users:                           userProvider,
-		StdAttrsService:                 stdattrsService,
+		Captcha:                         captchaProvider,
+		BotProtection:                   botprotectionProvider,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		PasskeyRequestOptionsService:    requestOptionsService,
+		PasskeyCreationOptionsService:   creationOptionsService,
+		PasskeyService:                  passkeyService,
+		LoginIDs:                        provider,
+		LDAP:                            ldapProvider,
+		LDAPClientFactory:               clientFactory,
+		IDPSessions:                     idpsessionProvider,
+		Sessions:                        manager2,
+		AuthenticationInfos:             authenticationinfoStoreRedis,
+		SessionCookie:                   cookieDef,
+		MFADeviceTokenCookie:            mfaCookieDef,
+		UserFacade:                      userFacade,
+		Cookies:                         cookieManager,
 		Events:                          eventService,
-		CookieManager:                   cookieManager,
-		AuthenticationInfoService:       authenticationinfoStoreRedis,
-		Sessions:                        idpsessionProvider,
-		SessionManager:                  manager2,
-		SessionCookie:                   cookieDef2,
-		OAuthSessions:                   oauthsessionStoreRedis,
-		MFADeviceTokenCookie:            cookieDef,
+		RateLimiter:                     limiter,
+		OfflineGrants:                   redisStore,
+		IDTokens:                        idTokenIssuer,
 	}
-	interactionStoreRedis := &interaction.StoreRedis{
-		Redis: appredisHandle,
-		AppID: appID,
+	authenticationflowServiceLogger := authenticationflow.NewServiceLogger(factory)
+	authenticationflowStoreImpl := &authenticationflow.StoreImpl{
+		Redis:   handle,
+		AppID:   appID,
+		Context: contextContext,
 	}
-	interactionService := &interaction.Service{
-		Logger:  logger,
-		Context: interactionContext,
-		Store:   interactionStoreRedis,
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
 	}
-	webappService2 := &webapp2.Service2{
-		Logger:               serviceLogger,
-		Request:              request,
-		Sessions:             sessionStoreRedis,
-		SessionCookie:        sessionCookieDef,
-		SignedUpCookie:       signedUpCookieDef,
-		MFADeviceTokenCookie: cookieDef,
-		ErrorService:         errorService,
-		Cookies:              cookieManager,
-		OAuthConfig:          oAuthConfig,
-		UIConfig:             uiConfig,
-		TrustProxy:           trustProxy,
-		UIInfoResolver:       uiService,
-		OAuthClientResolver:  resolver,
-		Graph:                interactionService,
+	authenticationflowService := &authenticationflow.Service{
+		ContextDoNotUseDirectly: contextContext,
+		Deps:                    dependencies,
+		Logger:                  authenticationflowServiceLogger,
+		Store:                   authenticationflowStoreImpl,
+		Database:                appdbHandle,
+		UIConfig:                uiConfig,
+		UIInfoResolver:          uiService,
+		OAuthClientResolver:     oauthclientResolver,
 	}
-	uiFeatureConfig := featureConfig.UI
-	forgotPasswordConfig := appConfig.ForgotPassword
-	googleTagManagerConfig := appConfig.GoogleTagManager
-	botProtectionConfig := appConfig.BotProtection
-	flashMessage := &httputil.FlashMessage{
-		Cookies: cookieManager,
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
 	}
-	authUISentryDSN := environmentConfig.AuthUISentryDSN
-	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
-	baseLogger := viewmodels.NewBaseLogger(factory)
-	baseViewModeler := &viewmodels.BaseViewModeler{
-		TrustProxy:                        trustProxy,
-		OAuth:                             oAuthConfig,
-		AuthUI:                            uiConfig,
-		AuthUIFeatureConfig:               uiFeatureConfig,
-		StaticAssets:                      staticAssetResolver,
-		ForgotPassword:                    forgotPasswordConfig,
-		Authentication:                    authenticationConfig,
-		GoogleTagManager:                  googleTagManagerConfig,
-		BotProtection:                     botProtectionConfig,
-		ErrorService:                      errorService,
-		Translations:                      translationService,
-		Clock:                             clockClock,
-		FlashMessage:                      flashMessage,
-		DefaultLanguageTag:                defaultLanguageTag,
-		SupportedLanguageTags:             supportedLanguageTags,
-		AuthUISentryDSN:                   authUISentryDSN,
-		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
-		OAuthClientResolver:               resolver,
-		Logger:                            baseLogger,
+	samlsessionStoreRedis := &samlsession.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
 	}
-	responseRenderer := &webapp.ResponseRenderer{
-		TemplateEngine: engine,
+	promptResolver := &oauth2.PromptResolver{
+		Clock: clockClock,
 	}
-	publisher := webapp.NewPublisher(appID, appredisHandle)
-	authflowNavigator := &webapp2.AuthflowNavigator{
+	oauthOfflineGrantService := &oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	idTokenHintResolver := &oidc.IDTokenHintResolver{
+		Issuer:              idTokenIssuer,
+		Sessions:            idpsessionProvider,
+		OfflineGrantService: oauthOfflineGrantService,
+	}
+	uiInfoResolver := &oidc.UIInfoResolver{
+		Config:              oAuthConfig,
+		EndpointsProvider:   endpointsEndpoints,
+		PromptResolver:      promptResolver,
+		IDTokenHintResolver: idTokenHintResolver,
+		Clock:               clockClock,
+		Cookies:             cookieManager,
+		ClientResolver:      oauthclientResolver,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: handle,
+		Cookies:     cookieManager,
+	}
+	authflowNavigator := &webapp2.AuthflowNavigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -125217,30 +124346,66 @@ func newWebAppReauthHandler(p *deps.RequestProvider) http.Handler {
 		AuthflowV1Navigator:     authflowNavigator,
 		AuthflowV2Navigator:     authflowV2Navigator,
 	}
-	controllerDeps := webapp.ControllerDeps{
-		Database:                handle,
-		RedisHandle:             appredisHandle,
-		AppID:                   appID,
-		Page:                    webappService2,
-		BaseViewModel:           baseViewModeler,
-		Renderer:                responseRenderer,
-		Publisher:               publisher,
-		Clock:                   clockClock,
+	authflowController := &webapp.AuthflowController{
+		Logger:                  authflowControllerLogger,
 		TesterEndpointsProvider: endpointsEndpoints,
-		ErrorRenderer:           errorRenderer,
 		TrustProxy:              trustProxy,
+		Clock:                   clockClock,
+		Cookies:                 cookieManager,
+		Sessions:                sessionStoreRedis,
+		SessionCookie:           sessionCookieDef,
+		SignedUpCookie:          signedUpCookieDef,
+		Authflows:               authenticationflowService,
+		OAuthSessions:           oauthsessionStoreRedis,
+		SAMLSessions:            samlsessionStoreRedis,
+		UIInfoResolver:          uiInfoResolver,
+		UIConfig:                uiConfig,
+		OAuthClientResolver:     oauthclientResolver,
+		Navigator:               authflowV2Navigator,
+		ErrorRenderer:           errorRenderer,
 	}
-	controllerFactory := webapp.ControllerFactory{
-		LoggerFactory:  factory,
-		ControllerDeps: controllerDeps,
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
 	}
-	reauthHandler := &webapp.ReauthHandler{
-		ControllerFactory: controllerFactory,
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               oauthclientResolver,
+		Logger:                            baseLogger,
 	}
-	return reauthHandler
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	authflowV2EnterRecoveryCodeHandler := &authflowv2.AuthflowV2EnterRecoveryCodeHandler{
+		Controller:    authflowController,
+		BaseViewModel: baseViewModeler,
+		Renderer:      responseRenderer,
+	}
+	return authflowV2EnterRecoveryCodeHandler
 }
 
-func newWebAppAuthflowReauthHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowSetupOOBOTPHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -126235,14 +125400,48 @@ func newWebAppAuthflowReauthHandler(p *deps.RequestProvider) http.Handler {
 		Navigator:               authflowNavigator,
 		ErrorRenderer:           errorRenderer,
 	}
-	authflowReauthHandler := &webapp.AuthflowReauthHandler{
-		Controller:        authflowController,
-		AuthflowNavigator: authflowNavigator,
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
 	}
-	return authflowReauthHandler
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               oauthclientResolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	authflowSetupOOBOTPHandler := &webapp.AuthflowSetupOOBOTPHandler{
+		Controller:    authflowController,
+		BaseViewModel: baseViewModeler,
+		Renderer:      responseRenderer,
+	}
+	return authflowSetupOOBOTPHandler
 }
 
-func newWebAppAuthflowV2ReauthHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2SetupOOBOTPHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -127237,14 +126436,48 @@ func newWebAppAuthflowV2ReauthHandler(p *deps.RequestProvider) http.Handler {
 		Navigator:               authflowV2Navigator,
 		ErrorRenderer:           errorRenderer,
 	}
-	authflowV2ReauthHandler := &authflowv2.AuthflowV2ReauthHandler{
-		Controller:        authflowController,
-		AuthflowNavigator: authflowV2Navigator,
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
 	}
-	return authflowV2ReauthHandler
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               oauthclientResolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	authflowV2SetupOOBOTPHandler := &authflowv2.AuthflowV2SetupOOBOTPHandler{
+		Controller:    authflowController,
+		BaseViewModel: baseViewModeler,
+		Renderer:      responseRenderer,
+	}
+	return authflowV2SetupOOBOTPHandler
 }
 
-func newWebAppAuthflowResetPasswordHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowTerminateOtherSessionsHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -128272,49 +127505,28 @@ func newWebAppAuthflowResetPasswordHandler(p *deps.RequestProvider) http.Handler
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowResetPasswordHandler := &webapp.AuthflowResetPasswordHandler{
+	authflowTerminateOtherSessionsHandler := &webapp.AuthflowTerminateOtherSessionsHandler{
 		Controller:    authflowController,
 		BaseViewModel: baseViewModeler,
 		Renderer:      responseRenderer,
 	}
-	return authflowResetPasswordHandler
+	return authflowTerminateOtherSessionsHandler
 }
 
-func newWebAppAuthflowV2ResetPasswordHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2TerminateOtherSessionsHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
-	handle := appProvider.AppDatabase
-	appredisHandle := appProvider.Redis
-	appContext := appProvider.AppContext
-	config := appContext.Config
-	appConfig := config.AppConfig
-	appID := appConfig.ID
-	serviceLogger := webapp2.NewServiceLogger(factory)
+	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
 	request := p.Request
-	sessionStoreRedis := &webapp2.SessionStoreRedis{
-		AppID: appID,
-		Redis: appredisHandle,
-	}
-	sessionCookieDef := webapp2.NewSessionCookieDef()
-	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
-	authenticationConfig := appConfig.Authentication
-	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
-	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
 	rootProvider := appProvider.RootProvider
 	environmentConfig := rootProvider.EnvironmentConfig
 	trustProxy := environmentConfig.TrustProxy
-	httpConfig := appConfig.HTTP
-	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
-	errorService := &webapp2.ErrorService{
-		AppID:       appID,
-		Cookie:      errorTokenCookieDef,
-		RedisHandle: appredisHandle,
-		Cookies:     cookieManager,
-	}
-	oAuthConfig := appConfig.OAuth
-	uiConfig := appConfig.UI
 	httpHost := deps.ProvideHTTPHost(request, trustProxy)
 	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	uiConfig := appConfig.UI
 	globalUIImplementation := environmentConfig.UIImplementation
 	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
 	uiImplementationService := &web.UIImplementationService{
@@ -128327,46 +127539,45 @@ func newWebAppAuthflowV2ResetPasswordHandler(p *deps.RequestProvider) http.Handl
 		HTTPProto:               httpProto,
 		UIImplementationService: uiImplementationService,
 	}
-	uiService := &authenticationinfo.UIService{
-		EndpointsProvider: endpointsEndpoints,
-	}
-	resolver := &oauthclient.Resolver{
-		OAuthConfig:     oAuthConfig,
-		TesterEndpoints: endpointsEndpoints,
+	clockClock := _wireSystemClockValue
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	appID := appConfig.ID
+	handle := appProvider.Redis
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: handle,
 	}
-	logger := interaction.NewLogger(factory)
-	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
 	contextContext := deps.ProvideRequestContext(request)
-	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
-	clockClock := _wireSystemClockValue
 	featureConfig := config.FeatureConfig
-	redisLogger := redis.NewLogger(factory)
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	secretConfig := config.SecretConfig
 	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	store := &redis.Store{
-		Context:     contextContext,
-		Redis:       appredisHandle,
-		AppID:       appID,
-		Logger:      redisLogger,
+	appdbHandle := appProvider.AppDatabase
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
+	store := &user.Store{
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawCommands := &user.RawCommands{
+		Store: store,
+		Clock: clockClock,
+	}
+	rawQueries := &user.RawQueries{
+		Store: store,
 	}
 	userAgentString := deps.ProvideUserAgentString(request)
-	eventLogger := event.NewLogger(factory)
+	logger := event.NewLogger(factory)
 	localizationConfig := appConfig.Localization
 	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
 	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
-	userStore := &user.Store{
-		SQLBuilder:  sqlBuilderApp,
-		SQLExecutor: sqlExecutor,
-		Clock:       clockClock,
-		AppID:       appID,
-	}
-	rawQueries := &user.RawQueries{
-		Store: userStore,
-	}
+	authenticationConfig := appConfig.Authentication
 	identityConfig := appConfig.Identity
 	identityFeatureConfig := featureConfig.Identity
 	serviceStore := &service.Store{
@@ -128430,20 +127641,19 @@ func newWebAppAuthflowV2ResetPasswordHandler(p *deps.RequestProvider) http.Handl
 	}
 	store2 := &passkey2.Store{
 		Context: contextContext,
-		Redis:   appredisHandle,
+		Redis:   handle,
 		AppID:   appID,
 	}
 	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
 	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
-	templateResolver := &template.Resolver{
+	resolver := &template.Resolver{
 		Resources:             manager,
 		DefaultLanguageTag:    defaultLanguageTag,
 		SupportedLanguageTags: supportedLanguageTags,
 	}
 	engine := &template.Engine{
-		Resolver: templateResolver,
+		Resolver: resolver,
 	}
-	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
 	staticAssetResolver := &web.StaticAssetResolver{
@@ -128481,14 +127691,14 @@ func newWebAppAuthflowV2ResetPasswordHandler(p *deps.RequestProvider) http.Handl
 	web3Config := appConfig.Web3
 	storeRedis := &siwe2.StoreRedis{
 		Context: contextContext,
-		Redis:   appredisHandle,
+		Redis:   handle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
 	ratelimitLogger := ratelimit.NewLogger(factory)
 	storageRedis := &ratelimit.StorageRedis{
 		AppID: appID,
-		Redis: appredisHandle,
+		Redis: handle,
 	}
 	rateLimitsFeatureConfig := featureConfig.RateLimits
 	limiter := &ratelimit.Limiter{
@@ -128603,17 +127813,17 @@ func newWebAppAuthflowV2ResetPasswordHandler(p *deps.RequestProvider) http.Handl
 	testModeConfig := appConfig.TestMode
 	testModeFeatureConfig := featureConfig.TestMode
 	codeStoreRedis := &otp.CodeStoreRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	lookupStoreRedis := &otp.LookupStoreRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	attemptTrackerRedis := &otp.AttemptTrackerRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -128639,7 +127849,7 @@ func newWebAppAuthflowV2ResetPasswordHandler(p *deps.RequestProvider) http.Handl
 	lockoutLogger := lockout.NewLogger(factory)
 	lockoutStorageRedis := &lockout.StorageRedis{
 		AppID: appID,
-		Redis: appredisHandle,
+		Redis: handle,
 	}
 	lockoutService := &lockout.Service{
 		Logger:  lockoutLogger,
@@ -128683,14 +127893,14 @@ func newWebAppAuthflowV2ResetPasswordHandler(p *deps.RequestProvider) http.Handl
 		UserProfileConfig: userProfileConfig,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         userStore,
+		UserStore:         store,
 		ClaimStore:        storePQ,
 		Transformer:       pictureTransformer,
 	}
 	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
 		Config:      userProfileConfig,
 		UserQueries: rawQueries,
-		UserStore:   userStore,
+		UserStore:   store,
 	}
 	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
 	web3Service := &web3.Service{
@@ -128707,7 +127917,7 @@ func newWebAppAuthflowV2ResetPasswordHandler(p *deps.RequestProvider) http.Handl
 	}
 	userQueries := &user.Queries{
 		RawQueries:         rawQueries,
-		Store:              userStore,
+		Store:              store,
 		Identities:         serviceService,
 		Authenticators:     service3,
 		Verification:       verificationService,
@@ -128780,16 +127990,16 @@ func newWebAppAuthflowV2ResetPasswordHandler(p *deps.RequestProvider) http.Handl
 	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
 	client := elasticsearch.NewClient(elasticsearchCredentials)
 	queue := appProvider.TaskQueue
-	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
+	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
 	elasticsearchService := elasticsearch.Service{
 		Clock:           clockClock,
 		Context:         contextContext,
-		Database:        handle,
+		Database:        appdbHandle,
 		Logger:          elasticsearchServiceLogger,
 		AppID:           appID,
 		Client:          client,
 		Users:           userQueries,
-		UserStore:       userStore,
+		UserStore:       store,
 		IdentityService: serviceService,
 		RolesGroups:     rolesgroupsStore,
 		TaskQueue:       queue,
@@ -128798,11 +128008,26 @@ func newWebAppAuthflowV2ResetPasswordHandler(p *deps.RequestProvider) http.Handl
 	elasticsearchSink := &elasticsearch.Sink{
 		Logger:   elasticsearchLogger,
 		Service:  elasticsearchService,
-		Database: handle,
+		Database: appdbHandle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
 	}
-	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
 	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -128830,7 +128055,7 @@ func newWebAppAuthflowV2ResetPasswordHandler(p *deps.RequestProvider) http.Handl
 		Logger: usageLogger,
 		Clock:  clockClock,
 		AppID:  appID,
-		Redis:  appredisHandle,
+		Redis:  handle,
 	}
 	messagingConfig := appConfig.Messaging
 	messagingRateLimitsConfig := messagingConfig.RateLimits
@@ -128845,21 +128070,21 @@ func newWebAppAuthflowV2ResetPasswordHandler(p *deps.RequestProvider) http.Handl
 		FeatureConfig: messagingFeatureConfig,
 		EnvConfig:     rateLimitsEnvironmentConfig,
 	}
-	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
+	serviceLogger := whatsapp.NewServiceLogger(factory)
 	devMode := environmentConfig.DevMode
 	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
 	testModeWhatsappConfig := testModeConfig.Whatsapp
 	whatsappConfig := messagingConfig.Whatsapp
 	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
 	tokenStore := &whatsapp.TokenStore{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
 	whatsappService := &whatsapp.Service{
 		Context:                           contextContext,
-		Logger:                            whatsappServiceLogger,
+		Logger:                            serviceLogger,
 		DevMode:                           devMode,
 		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
 		TestModeWhatsappConfig:            testModeWhatsappConfig,
@@ -128881,27 +128106,12 @@ func newWebAppAuthflowV2ResetPasswordHandler(p *deps.RequestProvider) http.Handl
 		Sender:      sender,
 		Translation: translationService,
 	}
-	rawCommands := &user.RawCommands{
-		Store: userStore,
-		Clock: clockClock,
-	}
-	userCommands := &user.Commands{
-		RawCommands:        rawCommands,
-		RawQueries:         rawQueries,
-		Events:             eventService,
-		Verification:       verificationService,
-		UserProfileConfig:  userProfileConfig,
-		StandardAttributes: serviceNoEvent,
-		CustomAttributes:   customattrsServiceNoEvent,
-		Web3:               web3Service,
-		RolesAndGroups:     queries,
-	}
 	stdattrsService := &stdattrs2.Service{
 		UserProfileConfig: userProfileConfig,
 		ServiceNoEvent:    serviceNoEvent,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         userStore,
+		UserStore:         store,
 		Events:            eventService,
 	}
 	authorizationStore := &pq.AuthorizationStore{
@@ -128910,21 +128120,32 @@ func newWebAppAuthflowV2ResetPasswordHandler(p *deps.RequestProvider) http.Handl
 	}
 	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
 	idpsessionStoreRedis := &idpsession.StoreRedis{
-		Redis:  appredisHandle,
+		Redis:  handle,
 		AppID:  appID,
 		Clock:  clockClock,
 		Logger: storeRedisLogger,
 	}
 	sessionConfig := appConfig.Session
-	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
+	cookieDef := session.NewSessionCookieDef(sessionConfig)
 	idpsessionManager := &idpsession.Manager{
 		Store:     idpsessionStoreRedis,
 		Config:    sessionConfig,
 		Cookies:   cookieManager,
-		CookieDef: cookieDef2,
+		CookieDef: cookieDef,
+	}
+	redisLogger := redis.NewLogger(factory)
+	redisStore := &redis.Store{
+		Context:     contextContext,
+		Redis:       handle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
 	}
+	oAuthConfig := appConfig.OAuth
 	eventStoreRedis := &access.EventStoreRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 	}
 	eventProvider := &access.EventProvider{
@@ -128936,7 +128157,7 @@ func newWebAppAuthflowV2ResetPasswordHandler(p *deps.RequestProvider) http.Handl
 		RemoteIP:        remoteIP,
 		UserAgentString: userAgentString,
 		AppID:           appID,
-		Redis:           appredisHandle,
+		Redis:           handle,
 		Store:           idpsessionStoreRedis,
 		AccessEvents:    eventProvider,
 		TrustProxy:      trustProxy,
@@ -128944,15 +128165,19 @@ func newWebAppAuthflowV2ResetPasswordHandler(p *deps.RequestProvider) http.Handl
 		Clock:           clockClock,
 		Random:          idpsessionRand,
 	}
+	oauthclientResolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
 	offlineGrantService := oauth2.OfflineGrantService{
 		OAuthConfig:    oAuthConfig,
 		Clock:          clockClock,
 		IDPSessions:    idpsessionProvider,
-		ClientResolver: resolver,
-		OfflineGrants:  store,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
 	}
 	sessionManager := &oauth2.SessionManager{
-		Store:   store,
+		Store:   redisStore,
 		Config:  oAuthConfig,
 		Service: offlineGrantService,
 	}
@@ -128991,15 +128216,23 @@ func newWebAppAuthflowV2ResetPasswordHandler(p *deps.RequestProvider) http.Handl
 	identityFacade := facade.IdentityFacade{
 		Coordinator: coordinator,
 	}
-	authenticatorFacade := facade.AuthenticatorFacade{
-		Coordinator: coordinator,
-	}
 	anonymousStoreRedis := &anonymous.StoreRedis{
 		Context: contextContext,
-		Redis:   appredisHandle,
+		Redis:   handle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	customattrsService := &customattrs.Service{
+		Config:         userProfileConfig,
+		ServiceNoEvent: customattrsServiceNoEvent,
+		Events:         eventService,
+	}
 	messageSender := &otp.MessageSender{
 		AppID:           appID,
 		Translation:     translationService,
@@ -129007,28 +128240,8 @@ func newWebAppAuthflowV2ResetPasswordHandler(p *deps.RequestProvider) http.Handl
 		Sender:          sender,
 		WhatsappService: whatsappService,
 	}
-	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
-	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
-	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
-		Context: contextContext,
-		AppID:   appID,
-		Redis:   appredisHandle,
-	}
-	oAuthProviderFactory := &sso.OAuthProviderFactory{
-		IdentityConfig:               identityConfig,
-		Credentials:                  oAuthSSOProviderCredentials,
-		Clock:                        clockClock,
-		StandardAttributesNormalizer: normalizer,
-		HTTPClient:                   oAuthHTTPClient,
-		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
-	}
-	webappoauthStore := &webappoauth.Store{
-		Context: contextContext,
-		Redis:   appredisHandle,
-		AppID:   appID,
-	}
-	mfaFacade := &facade.MFAFacade{
-		Coordinator: coordinator,
+	workflowVerificationFacade := facade.WorkflowVerificationFacade{
+		Verification: verificationService,
 	}
 	forgotpasswordLogger := forgotpassword.NewLogger(factory)
 	sender2 := forgotpassword.Sender{
@@ -129047,175 +128260,6 @@ func newWebAppAuthflowV2ResetPasswordHandler(p *deps.RequestProvider) http.Handl
 		OTPSender:      messageSender,
 		PasswordSender: sender2,
 	}
-	responseWriter := p.ResponseWriter
-	nonceService := &nonce.Service{
-		Cookies:        cookieManager,
-		Request:        request,
-		ResponseWriter: responseWriter,
-	}
-	challengeProvider := &challenge.Provider{
-		Redis: appredisHandle,
-		AppID: appID,
-		Clock: clockClock,
-	}
-	userProvider := &user.Provider{
-		Commands: userCommands,
-		Queries:  userQueries,
-	}
-	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
-		Context: contextContext,
-		Redis:   appredisHandle,
-		AppID:   appID,
-	}
-	manager2 := &session.Manager{
-		IDPSessions:         idpsessionManager,
-		AccessTokenSessions: sessionManager,
-		Events:              eventService,
-	}
-	oauthsessionStoreRedis := &oauthsession.StoreRedis{
-		Context: contextContext,
-		Redis:   appredisHandle,
-		AppID:   appID,
-	}
-	interactionContext := &interaction.Context{
-		Request:                         request,
-		RemoteIP:                        remoteIP,
-		Database:                        sqlExecutor,
-		Clock:                           clockClock,
-		Config:                          appConfig,
-		FeatureConfig:                   featureConfig,
-		OAuthClientResolver:             resolver,
-		OfflineGrants:                   store,
-		Identities:                      identityFacade,
-		Authenticators:                  authenticatorFacade,
-		AnonymousIdentities:             anonymousProvider,
-		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
-		BiometricIdentities:             biometricProvider,
-		OTPCodeService:                  otpService,
-		OTPSender:                       messageSender,
-		OAuthProviderFactory:            oAuthProviderFactory,
-		OAuthRedirectURIBuilder:         endpointsEndpoints,
-		OAuthStateStore:                 webappoauthStore,
-		MFA:                             mfaFacade,
-		ForgotPassword:                  forgotpasswordService,
-		ResetPassword:                   forgotpasswordService,
-		Passkey:                         passkeyService,
-		Verification:                    verificationService,
-		RateLimiter:                     limiter,
-		PasswordGenerator:               generator,
-		Nonces:                          nonceService,
-		Challenges:                      challengeProvider,
-		Users:                           userProvider,
-		StdAttrsService:                 stdattrsService,
-		Events:                          eventService,
-		CookieManager:                   cookieManager,
-		AuthenticationInfoService:       authenticationinfoStoreRedis,
-		Sessions:                        idpsessionProvider,
-		SessionManager:                  manager2,
-		SessionCookie:                   cookieDef2,
-		OAuthSessions:                   oauthsessionStoreRedis,
-		MFADeviceTokenCookie:            cookieDef,
-	}
-	interactionStoreRedis := &interaction.StoreRedis{
-		Redis: appredisHandle,
-		AppID: appID,
-	}
-	interactionService := &interaction.Service{
-		Logger:  logger,
-		Context: interactionContext,
-		Store:   interactionStoreRedis,
-	}
-	webappService2 := &webapp2.Service2{
-		Logger:               serviceLogger,
-		Request:              request,
-		Sessions:             sessionStoreRedis,
-		SessionCookie:        sessionCookieDef,
-		SignedUpCookie:       signedUpCookieDef,
-		MFADeviceTokenCookie: cookieDef,
-		ErrorService:         errorService,
-		Cookies:              cookieManager,
-		OAuthConfig:          oAuthConfig,
-		UIConfig:             uiConfig,
-		TrustProxy:           trustProxy,
-		UIInfoResolver:       uiService,
-		OAuthClientResolver:  resolver,
-		Graph:                interactionService,
-	}
-	uiFeatureConfig := featureConfig.UI
-	forgotPasswordConfig := appConfig.ForgotPassword
-	googleTagManagerConfig := appConfig.GoogleTagManager
-	botProtectionConfig := appConfig.BotProtection
-	flashMessage := &httputil.FlashMessage{
-		Cookies: cookieManager,
-	}
-	authUISentryDSN := environmentConfig.AuthUISentryDSN
-	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
-	baseLogger := viewmodels.NewBaseLogger(factory)
-	baseViewModeler := &viewmodels.BaseViewModeler{
-		TrustProxy:                        trustProxy,
-		OAuth:                             oAuthConfig,
-		AuthUI:                            uiConfig,
-		AuthUIFeatureConfig:               uiFeatureConfig,
-		StaticAssets:                      staticAssetResolver,
-		ForgotPassword:                    forgotPasswordConfig,
-		Authentication:                    authenticationConfig,
-		GoogleTagManager:                  googleTagManagerConfig,
-		BotProtection:                     botProtectionConfig,
-		ErrorService:                      errorService,
-		Translations:                      translationService,
-		Clock:                             clockClock,
-		FlashMessage:                      flashMessage,
-		DefaultLanguageTag:                defaultLanguageTag,
-		SupportedLanguageTags:             supportedLanguageTags,
-		AuthUISentryDSN:                   authUISentryDSN,
-		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
-		OAuthClientResolver:               resolver,
-		Logger:                            baseLogger,
-	}
-	responseRenderer := &webapp.ResponseRenderer{
-		TemplateEngine: engine,
-	}
-	publisher := webapp.NewPublisher(appID, appredisHandle)
-	authflowNavigator := &webapp2.AuthflowNavigator{
-		Endpoints:       endpointsEndpoints,
-		OAuthStateStore: webappoauthStore,
-	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
-		Endpoints:       endpointsEndpoints,
-		OAuthStateStore: webappoauthStore,
-	}
-	errorRenderer := &webapp.ErrorRenderer{
-		ErrorService:            errorService,
-		UIImplementationService: uiImplementationService,
-		AuthflowV1Navigator:     authflowNavigator,
-		AuthflowV2Navigator:     authflowV2Navigator,
-	}
-	controllerDeps := webapp.ControllerDeps{
-		Database:                handle,
-		RedisHandle:             appredisHandle,
-		AppID:                   appID,
-		Page:                    webappService2,
-		BaseViewModel:           baseViewModeler,
-		Renderer:                responseRenderer,
-		Publisher:               publisher,
-		Clock:                   clockClock,
-		TesterEndpointsProvider: endpointsEndpoints,
-		ErrorRenderer:           errorRenderer,
-		TrustProxy:              trustProxy,
-	}
-	controllerFactory := webapp.ControllerFactory{
-		LoggerFactory:  factory,
-		ControllerDeps: controllerDeps,
-	}
-	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
-	customattrsService := &customattrs.Service{
-		Config:         userProfileConfig,
-		ServiceNoEvent: customattrsServiceNoEvent,
-		Events:         eventService,
-	}
-	workflowVerificationFacade := facade.WorkflowVerificationFacade{
-		Verification: verificationService,
-	}
 	accountMigrationConfig := appConfig.AccountMigration
 	accountMigrationHookConfig := accountMigrationConfig.Hook
 	hookDenoClient := accountmigration.NewHookDenoClient(denoEndpoint, hookLogger, accountMigrationHookConfig)
@@ -129241,6 +128285,11 @@ func newWebAppAuthflowV2ResetPasswordHandler(p *deps.RequestProvider) http.Handl
 		DenoHook: accountMigrationDenoHook,
 		WebHook:  accountMigrationWebHook,
 	}
+	challengeProvider := &challenge.Provider{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
 	captchaConfig := appConfig.Captcha
 	providerLogger := captcha.NewProviderLogger(factory)
 	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
@@ -129251,6 +128300,7 @@ func newWebAppAuthflowV2ResetPasswordHandler(p *deps.RequestProvider) http.Handl
 		Logger:           providerLogger,
 		CloudflareClient: cloudflareClient,
 	}
+	botProtectionConfig := appConfig.BotProtection
 	botprotectionProviderLogger := botprotection.NewProviderLogger(factory)
 	botProtectionProviderCredentials := deps.ProvideBotProtectionProvidersCredentials(secretConfig)
 	botprotectionCloudflareClient := botprotection.NewCloudflareClient(botProtectionProviderCredentials, environmentConfig)
@@ -129263,6 +128313,21 @@ func newWebAppAuthflowV2ResetPasswordHandler(p *deps.RequestProvider) http.Handl
 		RecaptchaV2Client: recaptchaV2Client,
 		Events:            eventService,
 	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   handle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
 	requestOptionsService := &passkey2.RequestOptionsService{
 		ConfigService:   configService,
 		IdentityService: serviceService,
@@ -129280,6 +128345,17 @@ func newWebAppAuthflowV2ResetPasswordHandler(p *deps.RequestProvider) http.Handl
 		Config:       ldapConfig,
 		SecretConfig: ldapServerUserCredentials,
 	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
 	userFacade := &facade.UserFacade{
 		UserProvider: userProvider,
 		Coordinator:  coordinator,
@@ -129326,34 +128402,42 @@ func newWebAppAuthflowV2ResetPasswordHandler(p *deps.RequestProvider) http.Handl
 		IDPSessions:                     idpsessionProvider,
 		Sessions:                        manager2,
 		AuthenticationInfos:             authenticationinfoStoreRedis,
-		SessionCookie:                   cookieDef2,
-		MFADeviceTokenCookie:            cookieDef,
+		SessionCookie:                   cookieDef,
+		MFADeviceTokenCookie:            mfaCookieDef,
 		UserFacade:                      userFacade,
 		Cookies:                         cookieManager,
 		Events:                          eventService,
 		RateLimiter:                     limiter,
-		OfflineGrants:                   store,
+		OfflineGrants:                   redisStore,
 		IDTokens:                        idTokenIssuer,
 	}
 	authenticationflowServiceLogger := authenticationflow.NewServiceLogger(factory)
 	authenticationflowStoreImpl := &authenticationflow.StoreImpl{
-		Redis:   appredisHandle,
+		Redis:   handle,
 		AppID:   appID,
 		Context: contextContext,
 	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
 	authenticationflowService := &authenticationflow.Service{
 		ContextDoNotUseDirectly: contextContext,
 		Deps:                    dependencies,
 		Logger:                  authenticationflowServiceLogger,
 		Store:                   authenticationflowStoreImpl,
-		Database:                handle,
+		Database:                appdbHandle,
 		UIConfig:                uiConfig,
 		UIInfoResolver:          uiService,
-		OAuthClientResolver:     resolver,
+		OAuthClientResolver:     oauthclientResolver,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
 	}
 	samlsessionStoreRedis := &samlsession.StoreRedis{
 		Context: contextContext,
-		Redis:   appredisHandle,
+		Redis:   handle,
 		AppID:   appID,
 	}
 	promptResolver := &oauth2.PromptResolver{
@@ -129363,8 +128447,8 @@ func newWebAppAuthflowV2ResetPasswordHandler(p *deps.RequestProvider) http.Handl
 		OAuthConfig:    oAuthConfig,
 		Clock:          clockClock,
 		IDPSessions:    idpsessionProvider,
-		ClientResolver: resolver,
-		OfflineGrants:  store,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
 	}
 	idTokenHintResolver := &oidc.IDTokenHintResolver{
 		Issuer:              idTokenIssuer,
@@ -129378,7 +128462,33 @@ func newWebAppAuthflowV2ResetPasswordHandler(p *deps.RequestProvider) http.Handl
 		IDTokenHintResolver: idTokenHintResolver,
 		Clock:               clockClock,
 		Cookies:             cookieManager,
-		ClientResolver:      resolver,
+		ClientResolver:      oauthclientResolver,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: handle,
+		Cookies:     cookieManager,
+	}
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
 	}
 	authflowController := &webapp.AuthflowController{
 		Logger:                  authflowControllerLogger,
@@ -129394,23 +128504,52 @@ func newWebAppAuthflowV2ResetPasswordHandler(p *deps.RequestProvider) http.Handl
 		SAMLSessions:            samlsessionStoreRedis,
 		UIInfoResolver:          uiInfoResolver,
 		UIConfig:                uiConfig,
-		OAuthClientResolver:     resolver,
+		OAuthClientResolver:     oauthclientResolver,
 		Navigator:               authflowV2Navigator,
 		ErrorRenderer:           errorRenderer,
 	}
-	authflowV2ResetPasswordHandler := &authflowv2.AuthflowV2ResetPasswordHandler{
-		NonAuthflowControllerFactory: controllerFactory,
-		Controller:                   authflowController,
-		BaseViewModel:                baseViewModeler,
-		Renderer:                     responseRenderer,
-		AdminAPIResetPasswordPolicy:  passwordChecker,
-		ResetPassword:                forgotpasswordService,
-		Database:                     handle,
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
 	}
-	return authflowV2ResetPasswordHandler
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               oauthclientResolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	authflowV2TerminateOtherSessionsHandler := &authflowv2.AuthflowV2TerminateOtherSessionsHandler{
+		Controller:    authflowController,
+		BaseViewModel: baseViewModeler,
+		Renderer:      responseRenderer,
+	}
+	return authflowV2TerminateOtherSessionsHandler
 }
 
-func newWebAppAuthflowResetPasswordSuccessHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowWechatHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -130438,15 +129577,16 @@ func newWebAppAuthflowResetPasswordSuccessHandler(p *deps.RequestProvider) http.
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowResetPasswordSuccessHandler := &webapp.AuthflowResetPasswordSuccessHandler{
-		Controller:    authflowController,
-		BaseViewModel: baseViewModeler,
-		Renderer:      responseRenderer,
+	authflowWechatHandler := &webapp.AuthflowWechatHandler{
+		Controller:      authflowController,
+		BaseViewModel:   baseViewModeler,
+		Renderer:        responseRenderer,
+		OAuthStateStore: webappoauthStore,
 	}
-	return authflowResetPasswordSuccessHandler
+	return authflowWechatHandler
 }
 
-func newWebAppAuthflowV2ResetPasswordSuccessHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowForgotPasswordHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -131402,7 +130542,7 @@ func newWebAppAuthflowV2ResetPasswordSuccessHandler(p *deps.RequestProvider) htt
 		Redis:   handle,
 		AppID:   appID,
 	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+	authflowNavigator := &webapp2.AuthflowNavigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -131413,7 +130553,7 @@ func newWebAppAuthflowV2ResetPasswordSuccessHandler(p *deps.RequestProvider) htt
 		RedisHandle: handle,
 		Cookies:     cookieManager,
 	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -131438,7 +130578,7 @@ func newWebAppAuthflowV2ResetPasswordSuccessHandler(p *deps.RequestProvider) htt
 		UIInfoResolver:          uiInfoResolver,
 		UIConfig:                uiConfig,
 		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowV2Navigator,
+		Navigator:               authflowNavigator,
 		ErrorRenderer:           errorRenderer,
 	}
 	uiFeatureConfig := featureConfig.UI
@@ -131474,360 +130614,15 @@ func newWebAppAuthflowV2ResetPasswordSuccessHandler(p *deps.RequestProvider) htt
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowV2ResetPasswordSuccessHandler := &authflowv2.AuthflowV2ResetPasswordSuccessHandler{
+	authflowForgotPasswordHandler := &webapp.AuthflowForgotPasswordHandler{
 		Controller:    authflowController,
 		BaseViewModel: baseViewModeler,
 		Renderer:      responseRenderer,
 	}
-	return authflowV2ResetPasswordSuccessHandler
-}
-
-func newWebAppAuthflowAccountStatusHandler(p *deps.RequestProvider) http.Handler {
-	appProvider := p.AppProvider
-	rootProvider := appProvider.RootProvider
-	environmentConfig := rootProvider.EnvironmentConfig
-	trustProxy := environmentConfig.TrustProxy
-	appContext := appProvider.AppContext
-	config := appContext.Config
-	appConfig := config.AppConfig
-	oAuthConfig := appConfig.OAuth
-	uiConfig := appConfig.UI
-	featureConfig := config.FeatureConfig
-	uiFeatureConfig := featureConfig.UI
-	request := p.Request
-	contextContext := deps.ProvideRequestContext(request)
-	localizationConfig := appConfig.Localization
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
-	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
-	webAppCDNHost := environmentConfig.WebAppCDNHost
-	manager := appContext.Resources
-	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
-	staticAssetResolver := &web.StaticAssetResolver{
-		Context:           contextContext,
-		Localization:      localizationConfig,
-		HTTPOrigin:        httpOrigin,
-		HTTPProto:         httpProto,
-		WebAppCDNHost:     webAppCDNHost,
-		Resources:         manager,
-		EmbeddedResources: globalEmbeddedResourceManager,
-	}
-	forgotPasswordConfig := appConfig.ForgotPassword
-	authenticationConfig := appConfig.Authentication
-	googleTagManagerConfig := appConfig.GoogleTagManager
-	botProtectionConfig := appConfig.BotProtection
-	appID := appConfig.ID
-	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
-	handle := appProvider.Redis
-	httpConfig := appConfig.HTTP
-	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
-	errorService := &webapp2.ErrorService{
-		AppID:       appID,
-		Cookie:      errorTokenCookieDef,
-		RedisHandle: handle,
-		Cookies:     cookieManager,
-	}
-	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
-	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
-	resolver := &template.Resolver{
-		Resources:             manager,
-		DefaultLanguageTag:    defaultLanguageTag,
-		SupportedLanguageTags: supportedLanguageTags,
-	}
-	engine := &template.Engine{
-		Resolver: resolver,
-	}
-	translationService := &translation.Service{
-		Context:        contextContext,
-		TemplateEngine: engine,
-		StaticAssets:   staticAssetResolver,
-	}
-	clockClock := _wireSystemClockValue
-	flashMessage := &httputil.FlashMessage{
-		Cookies: cookieManager,
-	}
-	authUISentryDSN := environmentConfig.AuthUISentryDSN
-	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
-	globalUIImplementation := environmentConfig.UIImplementation
-	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
-	uiImplementationService := &web.UIImplementationService{
-		UIConfig:                       uiConfig,
-		GlobalUIImplementation:         globalUIImplementation,
-		GlobalUISettingsImplementation: globalUISettingsImplementation,
-	}
-	endpointsEndpoints := &endpoints.Endpoints{
-		HTTPHost:                httpHost,
-		HTTPProto:               httpProto,
-		UIImplementationService: uiImplementationService,
-	}
-	oauthclientResolver := &oauthclient.Resolver{
-		OAuthConfig:     oAuthConfig,
-		TesterEndpoints: endpointsEndpoints,
-	}
-	factory := appProvider.LoggerFactory
-	baseLogger := viewmodels.NewBaseLogger(factory)
-	baseViewModeler := &viewmodels.BaseViewModeler{
-		TrustProxy:                        trustProxy,
-		OAuth:                             oAuthConfig,
-		AuthUI:                            uiConfig,
-		AuthUIFeatureConfig:               uiFeatureConfig,
-		StaticAssets:                      staticAssetResolver,
-		ForgotPassword:                    forgotPasswordConfig,
-		Authentication:                    authenticationConfig,
-		GoogleTagManager:                  googleTagManagerConfig,
-		BotProtection:                     botProtectionConfig,
-		ErrorService:                      errorService,
-		Translations:                      translationService,
-		Clock:                             clockClock,
-		FlashMessage:                      flashMessage,
-		DefaultLanguageTag:                defaultLanguageTag,
-		SupportedLanguageTags:             supportedLanguageTags,
-		AuthUISentryDSN:                   authUISentryDSN,
-		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
-		OAuthClientResolver:               oauthclientResolver,
-		Logger:                            baseLogger,
-	}
-	responseRenderer := &webapp.ResponseRenderer{
-		TemplateEngine: engine,
-	}
-	authflowAccountStatusHandler := &webapp.AuthflowAccountStatusHandler{
-		BaseViewModel: baseViewModeler,
-		Renderer:      responseRenderer,
-	}
-	return authflowAccountStatusHandler
-}
-
-func newWebAppAuthflowV2AccountStatusHandler(p *deps.RequestProvider) http.Handler {
-	appProvider := p.AppProvider
-	rootProvider := appProvider.RootProvider
-	environmentConfig := rootProvider.EnvironmentConfig
-	trustProxy := environmentConfig.TrustProxy
-	appContext := appProvider.AppContext
-	config := appContext.Config
-	appConfig := config.AppConfig
-	oAuthConfig := appConfig.OAuth
-	uiConfig := appConfig.UI
-	featureConfig := config.FeatureConfig
-	uiFeatureConfig := featureConfig.UI
-	request := p.Request
-	contextContext := deps.ProvideRequestContext(request)
-	localizationConfig := appConfig.Localization
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
-	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
-	webAppCDNHost := environmentConfig.WebAppCDNHost
-	manager := appContext.Resources
-	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
-	staticAssetResolver := &web.StaticAssetResolver{
-		Context:           contextContext,
-		Localization:      localizationConfig,
-		HTTPOrigin:        httpOrigin,
-		HTTPProto:         httpProto,
-		WebAppCDNHost:     webAppCDNHost,
-		Resources:         manager,
-		EmbeddedResources: globalEmbeddedResourceManager,
-	}
-	forgotPasswordConfig := appConfig.ForgotPassword
-	authenticationConfig := appConfig.Authentication
-	googleTagManagerConfig := appConfig.GoogleTagManager
-	botProtectionConfig := appConfig.BotProtection
-	appID := appConfig.ID
-	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
-	handle := appProvider.Redis
-	httpConfig := appConfig.HTTP
-	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
-	errorService := &webapp2.ErrorService{
-		AppID:       appID,
-		Cookie:      errorTokenCookieDef,
-		RedisHandle: handle,
-		Cookies:     cookieManager,
-	}
-	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
-	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
-	resolver := &template.Resolver{
-		Resources:             manager,
-		DefaultLanguageTag:    defaultLanguageTag,
-		SupportedLanguageTags: supportedLanguageTags,
-	}
-	engine := &template.Engine{
-		Resolver: resolver,
-	}
-	translationService := &translation.Service{
-		Context:        contextContext,
-		TemplateEngine: engine,
-		StaticAssets:   staticAssetResolver,
-	}
-	clockClock := _wireSystemClockValue
-	flashMessage := &httputil.FlashMessage{
-		Cookies: cookieManager,
-	}
-	authUISentryDSN := environmentConfig.AuthUISentryDSN
-	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
-	globalUIImplementation := environmentConfig.UIImplementation
-	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
-	uiImplementationService := &web.UIImplementationService{
-		UIConfig:                       uiConfig,
-		GlobalUIImplementation:         globalUIImplementation,
-		GlobalUISettingsImplementation: globalUISettingsImplementation,
-	}
-	endpointsEndpoints := &endpoints.Endpoints{
-		HTTPHost:                httpHost,
-		HTTPProto:               httpProto,
-		UIImplementationService: uiImplementationService,
-	}
-	oauthclientResolver := &oauthclient.Resolver{
-		OAuthConfig:     oAuthConfig,
-		TesterEndpoints: endpointsEndpoints,
-	}
-	factory := appProvider.LoggerFactory
-	baseLogger := viewmodels.NewBaseLogger(factory)
-	baseViewModeler := &viewmodels.BaseViewModeler{
-		TrustProxy:                        trustProxy,
-		OAuth:                             oAuthConfig,
-		AuthUI:                            uiConfig,
-		AuthUIFeatureConfig:               uiFeatureConfig,
-		StaticAssets:                      staticAssetResolver,
-		ForgotPassword:                    forgotPasswordConfig,
-		Authentication:                    authenticationConfig,
-		GoogleTagManager:                  googleTagManagerConfig,
-		BotProtection:                     botProtectionConfig,
-		ErrorService:                      errorService,
-		Translations:                      translationService,
-		Clock:                             clockClock,
-		FlashMessage:                      flashMessage,
-		DefaultLanguageTag:                defaultLanguageTag,
-		SupportedLanguageTags:             supportedLanguageTags,
-		AuthUISentryDSN:                   authUISentryDSN,
-		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
-		OAuthClientResolver:               oauthclientResolver,
-		Logger:                            baseLogger,
-	}
-	responseRenderer := &webapp.ResponseRenderer{
-		TemplateEngine: engine,
-	}
-	authflowV2AccountStatusHandler := &authflowv2.AuthflowV2AccountStatusHandler{
-		BaseViewModel: baseViewModeler,
-		Renderer:      responseRenderer,
-	}
-	return authflowV2AccountStatusHandler
-}
-
-func newWebAppAuthflowNoAuthenticatorHandler(p *deps.RequestProvider) http.Handler {
-	appProvider := p.AppProvider
-	rootProvider := appProvider.RootProvider
-	environmentConfig := rootProvider.EnvironmentConfig
-	trustProxy := environmentConfig.TrustProxy
-	appContext := appProvider.AppContext
-	config := appContext.Config
-	appConfig := config.AppConfig
-	oAuthConfig := appConfig.OAuth
-	uiConfig := appConfig.UI
-	featureConfig := config.FeatureConfig
-	uiFeatureConfig := featureConfig.UI
-	request := p.Request
-	contextContext := deps.ProvideRequestContext(request)
-	localizationConfig := appConfig.Localization
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
-	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
-	webAppCDNHost := environmentConfig.WebAppCDNHost
-	manager := appContext.Resources
-	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
-	staticAssetResolver := &web.StaticAssetResolver{
-		Context:           contextContext,
-		Localization:      localizationConfig,
-		HTTPOrigin:        httpOrigin,
-		HTTPProto:         httpProto,
-		WebAppCDNHost:     webAppCDNHost,
-		Resources:         manager,
-		EmbeddedResources: globalEmbeddedResourceManager,
-	}
-	forgotPasswordConfig := appConfig.ForgotPassword
-	authenticationConfig := appConfig.Authentication
-	googleTagManagerConfig := appConfig.GoogleTagManager
-	botProtectionConfig := appConfig.BotProtection
-	appID := appConfig.ID
-	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
-	handle := appProvider.Redis
-	httpConfig := appConfig.HTTP
-	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
-	errorService := &webapp2.ErrorService{
-		AppID:       appID,
-		Cookie:      errorTokenCookieDef,
-		RedisHandle: handle,
-		Cookies:     cookieManager,
-	}
-	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
-	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
-	resolver := &template.Resolver{
-		Resources:             manager,
-		DefaultLanguageTag:    defaultLanguageTag,
-		SupportedLanguageTags: supportedLanguageTags,
-	}
-	engine := &template.Engine{
-		Resolver: resolver,
-	}
-	translationService := &translation.Service{
-		Context:        contextContext,
-		TemplateEngine: engine,
-		StaticAssets:   staticAssetResolver,
-	}
-	clockClock := _wireSystemClockValue
-	flashMessage := &httputil.FlashMessage{
-		Cookies: cookieManager,
-	}
-	authUISentryDSN := environmentConfig.AuthUISentryDSN
-	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
-	globalUIImplementation := environmentConfig.UIImplementation
-	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
-	uiImplementationService := &web.UIImplementationService{
-		UIConfig:                       uiConfig,
-		GlobalUIImplementation:         globalUIImplementation,
-		GlobalUISettingsImplementation: globalUISettingsImplementation,
-	}
-	endpointsEndpoints := &endpoints.Endpoints{
-		HTTPHost:                httpHost,
-		HTTPProto:               httpProto,
-		UIImplementationService: uiImplementationService,
-	}
-	oauthclientResolver := &oauthclient.Resolver{
-		OAuthConfig:     oAuthConfig,
-		TesterEndpoints: endpointsEndpoints,
-	}
-	factory := appProvider.LoggerFactory
-	baseLogger := viewmodels.NewBaseLogger(factory)
-	baseViewModeler := &viewmodels.BaseViewModeler{
-		TrustProxy:                        trustProxy,
-		OAuth:                             oAuthConfig,
-		AuthUI:                            uiConfig,
-		AuthUIFeatureConfig:               uiFeatureConfig,
-		StaticAssets:                      staticAssetResolver,
-		ForgotPassword:                    forgotPasswordConfig,
-		Authentication:                    authenticationConfig,
-		GoogleTagManager:                  googleTagManagerConfig,
-		BotProtection:                     botProtectionConfig,
-		ErrorService:                      errorService,
-		Translations:                      translationService,
-		Clock:                             clockClock,
-		FlashMessage:                      flashMessage,
-		DefaultLanguageTag:                defaultLanguageTag,
-		SupportedLanguageTags:             supportedLanguageTags,
-		AuthUISentryDSN:                   authUISentryDSN,
-		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
-		OAuthClientResolver:               oauthclientResolver,
-		Logger:                            baseLogger,
-	}
-	responseRenderer := &webapp.ResponseRenderer{
-		TemplateEngine: engine,
-	}
-	authflowNoAuthenticatorHandler := &webapp.AuthflowNoAuthenticatorHandler{
-		BaseViewModel: baseViewModeler,
-		Renderer:      responseRenderer,
-	}
-	return authflowNoAuthenticatorHandler
+	return authflowForgotPasswordHandler
 }
 
-func newWebAppAuthflowFinishFlowHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2ForgotPasswordHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -132783,7 +131578,7 @@ func newWebAppAuthflowFinishFlowHandler(p *deps.RequestProvider) http.Handler {
 		Redis:   handle,
 		AppID:   appID,
 	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -132794,7 +131589,7 @@ func newWebAppAuthflowFinishFlowHandler(p *deps.RequestProvider) http.Handler {
 		RedisHandle: handle,
 		Cookies:     cookieManager,
 	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+	authflowNavigator := &webapp2.AuthflowNavigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -132819,7 +131614,7 @@ func newWebAppAuthflowFinishFlowHandler(p *deps.RequestProvider) http.Handler {
 		UIInfoResolver:          uiInfoResolver,
 		UIConfig:                uiConfig,
 		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowNavigator,
+		Navigator:               authflowV2Navigator,
 		ErrorRenderer:           errorRenderer,
 	}
 	uiFeatureConfig := featureConfig.UI
@@ -132852,18 +131647,24 @@ func newWebAppAuthflowFinishFlowHandler(p *deps.RequestProvider) http.Handler {
 		OAuthClientResolver:               oauthclientResolver,
 		Logger:                            baseLogger,
 	}
+	authflowViewModeler := &viewmodels.AuthflowViewModeler{
+		Authentication: authenticationConfig,
+		LoginID:        loginIDConfig,
+		Identity:       identityConfig,
+	}
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowFinishFlowHandler := &webapp.AuthflowFinishFlowHandler{
-		Controller:    authflowController,
-		BaseViewModel: baseViewModeler,
-		Renderer:      responseRenderer,
+	authflowV2ForgotPasswordHandler := &authflowv2.AuthflowV2ForgotPasswordHandler{
+		Controller:        authflowController,
+		BaseViewModel:     baseViewModeler,
+		AuthflowViewModel: authflowViewModeler,
+		Renderer:          responseRenderer,
 	}
-	return authflowFinishFlowHandler
+	return authflowV2ForgotPasswordHandler
 }
 
-func newWebAppAuthflowV2FinishFlowHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowForgotPasswordOTPHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -133819,7 +132620,7 @@ func newWebAppAuthflowV2FinishFlowHandler(p *deps.RequestProvider) http.Handler
 		Redis:   handle,
 		AppID:   appID,
 	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+	authflowNavigator := &webapp2.AuthflowNavigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -133830,7 +132631,7 @@ func newWebAppAuthflowV2FinishFlowHandler(p *deps.RequestProvider) http.Handler
 		RedisHandle: handle,
 		Cookies:     cookieManager,
 	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -133855,7 +132656,7 @@ func newWebAppAuthflowV2FinishFlowHandler(p *deps.RequestProvider) http.Handler
 		UIInfoResolver:          uiInfoResolver,
 		UIConfig:                uiConfig,
 		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowV2Navigator,
+		Navigator:               authflowNavigator,
 		ErrorRenderer:           errorRenderer,
 	}
 	uiFeatureConfig := featureConfig.UI
@@ -133891,15 +132692,17 @@ func newWebAppAuthflowV2FinishFlowHandler(p *deps.RequestProvider) http.Handler
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowV2FinishFlowHandler := &authflowv2.AuthflowV2FinishFlowHandler{
+	authflowForgotPasswordOTPHandler := &webapp.AuthflowForgotPasswordOTPHandler{
 		Controller:    authflowController,
 		BaseViewModel: baseViewModeler,
 		Renderer:      responseRenderer,
+		FlashMessage:  flashMessage,
+		Clock:         clockClock,
 	}
-	return authflowV2FinishFlowHandler
+	return authflowForgotPasswordOTPHandler
 }
 
-func newWebAppAuthflowV2AccountLinkingHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2ForgotPasswordOTPHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -134927,131 +133730,17 @@ func newWebAppAuthflowV2AccountLinkingHandler(p *deps.RequestProvider) http.Hand
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowV2AccountLinkingHandler := &authflowv2.AuthflowV2AccountLinkingHandler{
+	authflowV2ForgotPasswordOTPHandler := &authflowv2.AuthflowV2ForgotPasswordOTPHandler{
 		Controller:    authflowController,
 		BaseViewModel: baseViewModeler,
 		Renderer:      responseRenderer,
-		Endpoints:     endpointsEndpoints,
-	}
-	return authflowV2AccountLinkingHandler
-}
-
-func newWebAppAuthflowV2NoAuthenticatorHandler(p *deps.RequestProvider) http.Handler {
-	appProvider := p.AppProvider
-	rootProvider := appProvider.RootProvider
-	environmentConfig := rootProvider.EnvironmentConfig
-	trustProxy := environmentConfig.TrustProxy
-	appContext := appProvider.AppContext
-	config := appContext.Config
-	appConfig := config.AppConfig
-	oAuthConfig := appConfig.OAuth
-	uiConfig := appConfig.UI
-	featureConfig := config.FeatureConfig
-	uiFeatureConfig := featureConfig.UI
-	request := p.Request
-	contextContext := deps.ProvideRequestContext(request)
-	localizationConfig := appConfig.Localization
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
-	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
-	webAppCDNHost := environmentConfig.WebAppCDNHost
-	manager := appContext.Resources
-	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
-	staticAssetResolver := &web.StaticAssetResolver{
-		Context:           contextContext,
-		Localization:      localizationConfig,
-		HTTPOrigin:        httpOrigin,
-		HTTPProto:         httpProto,
-		WebAppCDNHost:     webAppCDNHost,
-		Resources:         manager,
-		EmbeddedResources: globalEmbeddedResourceManager,
-	}
-	forgotPasswordConfig := appConfig.ForgotPassword
-	authenticationConfig := appConfig.Authentication
-	googleTagManagerConfig := appConfig.GoogleTagManager
-	botProtectionConfig := appConfig.BotProtection
-	appID := appConfig.ID
-	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
-	handle := appProvider.Redis
-	httpConfig := appConfig.HTTP
-	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
-	errorService := &webapp2.ErrorService{
-		AppID:       appID,
-		Cookie:      errorTokenCookieDef,
-		RedisHandle: handle,
-		Cookies:     cookieManager,
-	}
-	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
-	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
-	resolver := &template.Resolver{
-		Resources:             manager,
-		DefaultLanguageTag:    defaultLanguageTag,
-		SupportedLanguageTags: supportedLanguageTags,
-	}
-	engine := &template.Engine{
-		Resolver: resolver,
-	}
-	translationService := &translation.Service{
-		Context:        contextContext,
-		TemplateEngine: engine,
-		StaticAssets:   staticAssetResolver,
-	}
-	clockClock := _wireSystemClockValue
-	flashMessage := &httputil.FlashMessage{
-		Cookies: cookieManager,
-	}
-	authUISentryDSN := environmentConfig.AuthUISentryDSN
-	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
-	globalUIImplementation := environmentConfig.UIImplementation
-	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
-	uiImplementationService := &web.UIImplementationService{
-		UIConfig:                       uiConfig,
-		GlobalUIImplementation:         globalUIImplementation,
-		GlobalUISettingsImplementation: globalUISettingsImplementation,
-	}
-	endpointsEndpoints := &endpoints.Endpoints{
-		HTTPHost:                httpHost,
-		HTTPProto:               httpProto,
-		UIImplementationService: uiImplementationService,
-	}
-	oauthclientResolver := &oauthclient.Resolver{
-		OAuthConfig:     oAuthConfig,
-		TesterEndpoints: endpointsEndpoints,
-	}
-	factory := appProvider.LoggerFactory
-	baseLogger := viewmodels.NewBaseLogger(factory)
-	baseViewModeler := &viewmodels.BaseViewModeler{
-		TrustProxy:                        trustProxy,
-		OAuth:                             oAuthConfig,
-		AuthUI:                            uiConfig,
-		AuthUIFeatureConfig:               uiFeatureConfig,
-		StaticAssets:                      staticAssetResolver,
-		ForgotPassword:                    forgotPasswordConfig,
-		Authentication:                    authenticationConfig,
-		GoogleTagManager:                  googleTagManagerConfig,
-		BotProtection:                     botProtectionConfig,
-		ErrorService:                      errorService,
-		Translations:                      translationService,
-		Clock:                             clockClock,
-		FlashMessage:                      flashMessage,
-		DefaultLanguageTag:                defaultLanguageTag,
-		SupportedLanguageTags:             supportedLanguageTags,
-		AuthUISentryDSN:                   authUISentryDSN,
-		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
-		OAuthClientResolver:               oauthclientResolver,
-		Logger:                            baseLogger,
-	}
-	responseRenderer := &webapp.ResponseRenderer{
-		TemplateEngine: engine,
-	}
-	authflowV2NoAuthenticatorHandler := &authflowv2.AuthflowV2NoAuthenticatorHandler{
-		BaseViewModel: baseViewModeler,
-		Renderer:      responseRenderer,
+		FlashMessage:  flashMessage,
+		Clock:         clockClock,
 	}
-	return authflowV2NoAuthenticatorHandler
+	return authflowV2ForgotPasswordOTPHandler
 }
 
-func newWebAppAuthflowV2WechatHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowForgotPasswordSuccessHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -136007,7 +134696,7 @@ func newWebAppAuthflowV2WechatHandler(p *deps.RequestProvider) http.Handler {
 		Redis:   handle,
 		AppID:   appID,
 	}
-	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+	authflowNavigator := &webapp2.AuthflowNavigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -136018,7 +134707,7 @@ func newWebAppAuthflowV2WechatHandler(p *deps.RequestProvider) http.Handler {
 		RedisHandle: handle,
 		Cookies:     cookieManager,
 	}
-	authflowNavigator := &webapp2.AuthflowNavigator{
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
 		Endpoints:       endpointsEndpoints,
 		OAuthStateStore: webappoauthStore,
 	}
@@ -136043,7 +134732,7 @@ func newWebAppAuthflowV2WechatHandler(p *deps.RequestProvider) http.Handler {
 		UIInfoResolver:          uiInfoResolver,
 		UIConfig:                uiConfig,
 		OAuthClientResolver:     oauthclientResolver,
-		Navigator:               authflowV2Navigator,
+		Navigator:               authflowNavigator,
 		ErrorRenderer:           errorRenderer,
 	}
 	uiFeatureConfig := featureConfig.UI
@@ -136079,16 +134768,15 @@ func newWebAppAuthflowV2WechatHandler(p *deps.RequestProvider) http.Handler {
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowV2WechatHandler := &authflowv2.AuthflowV2WechatHandler{
-		Controller:      authflowController,
-		BaseViewModel:   baseViewModeler,
-		Renderer:        responseRenderer,
-		OAuthStateStore: webappoauthStore,
+	authflowForgotPasswordSuccessHandler := &webapp.AuthflowForgotPasswordSuccessHandler{
+		Controller:    authflowController,
+		BaseViewModel: baseViewModeler,
+		Renderer:      responseRenderer,
 	}
-	return authflowV2WechatHandler
+	return authflowForgotPasswordSuccessHandler
 }
 
-func newWebAppAuthflowV2LDAPLoginHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2ForgotPasswordLinkSentHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
 	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
@@ -137116,33 +135804,50 @@ func newWebAppAuthflowV2LDAPLoginHandler(p *deps.RequestProvider) http.Handler {
 	responseRenderer := &webapp.ResponseRenderer{
 		TemplateEngine: engine,
 	}
-	authflowV2LDAPLoginHandler := &authflowv2.AuthflowV2LDAPLoginHandler{
+	authflowV2ForgotPasswordLinkSentHandler := &authflowv2.AuthflowV2ForgotPasswordLinkSentHandler{
 		Controller:    authflowController,
 		BaseViewModel: baseViewModeler,
 		Renderer:      responseRenderer,
+		Clock:         clockClock,
 	}
-	return authflowV2LDAPLoginHandler
+	return authflowV2ForgotPasswordLinkSentHandler
 }
 
-func newSAMLMetadataHandler(p *deps.RequestProvider) http.Handler {
-	clockClock := _wireSystemClockValue
+func newWebAppReauthHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
+	factory := appProvider.LoggerFactory
+	handle := appProvider.AppDatabase
+	appredisHandle := appProvider.Redis
 	appContext := appProvider.AppContext
 	config := appContext.Config
 	appConfig := config.AppConfig
 	appID := appConfig.ID
+	serviceLogger := webapp2.NewServiceLogger(factory)
+	request := p.Request
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	authenticationConfig := appConfig.Authentication
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
 	rootProvider := appProvider.RootProvider
 	environmentConfig := rootProvider.EnvironmentConfig
-	samlEnvironmentConfig := environmentConfig.SAML
-	samlConfig := appConfig.SAML
-	secretConfig := config.SecretConfig
-	samlIdpSigningMaterials := deps.ProvideSAMLIdpSigningMaterials(secretConfig)
-	samlSpSigningMaterials := deps.ProvideSAMLSpSigningMaterials(secretConfig)
-	request := p.Request
 	trustProxy := environmentConfig.TrustProxy
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
 	httpHost := deps.ProvideHTTPHost(request, trustProxy)
 	httpProto := deps.ProvideHTTPProto(request, trustProxy)
-	uiConfig := appConfig.UI
 	globalUIImplementation := environmentConfig.UIImplementation
 	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
 	uiImplementationService := &web.UIImplementationService{
@@ -137155,24 +135860,47 @@ func newSAMLMetadataHandler(p *deps.RequestProvider) http.Handler {
 		HTTPProto:               httpProto,
 		UIImplementationService: uiImplementationService,
 	}
-	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
-	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
-	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	resolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	logger := interaction.NewLogger(factory)
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
 	contextContext := deps.ProvideRequestContext(request)
-	handle := appProvider.AppDatabase
 	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
-	store := &user.Store{
+	clockClock := _wireSystemClockValue
+	featureConfig := config.FeatureConfig
+	redisLogger := redis.NewLogger(factory)
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	store := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	eventLogger := event.NewLogger(factory)
+	localizationConfig := appConfig.Localization
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	userStore := &user.Store{
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 		Clock:       clockClock,
 		AppID:       appID,
 	}
 	rawQueries := &user.RawQueries{
-		Store: store,
+		Store: userStore,
 	}
-	authenticationConfig := appConfig.Authentication
 	identityConfig := appConfig.Identity
-	featureConfig := config.FeatureConfig
 	identityFeatureConfig := featureConfig.Identity
 	serviceStore := &service.Store{
 		SQLBuilder:  sqlBuilderApp,
@@ -137233,7 +135961,6 @@ func newSAMLMetadataHandler(p *deps.RequestProvider) http.Handler {
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 	}
-	appredisHandle := appProvider.Redis
 	store2 := &passkey2.Store{
 		Context: contextContext,
 		Redis:   appredisHandle,
@@ -137241,15 +135968,14 @@ func newSAMLMetadataHandler(p *deps.RequestProvider) http.Handler {
 	}
 	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
 	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
-	resolver := &template.Resolver{
+	templateResolver := &template.Resolver{
 		Resources:             manager,
 		DefaultLanguageTag:    defaultLanguageTag,
 		SupportedLanguageTags: supportedLanguageTags,
 	}
 	engine := &template.Engine{
-		Resolver: resolver,
+		Resolver: templateResolver,
 	}
-	localizationConfig := appConfig.Localization
 	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
@@ -137285,7 +136011,6 @@ func newSAMLMetadataHandler(p *deps.RequestProvider) http.Handler {
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 	}
-	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
 	web3Config := appConfig.Web3
 	storeRedis := &siwe2.StoreRedis{
 		Context: contextContext,
@@ -137293,15 +136018,14 @@ func newSAMLMetadataHandler(p *deps.RequestProvider) http.Handler {
 		AppID:   appID,
 		Clock:   clockClock,
 	}
-	factory := appProvider.LoggerFactory
-	logger := ratelimit.NewLogger(factory)
+	ratelimitLogger := ratelimit.NewLogger(factory)
 	storageRedis := &ratelimit.StorageRedis{
 		AppID: appID,
 		Redis: appredisHandle,
 	}
 	rateLimitsFeatureConfig := featureConfig.RateLimits
 	limiter := &ratelimit.Limiter{
-		Logger:  logger,
+		Logger:  ratelimitLogger,
 		Storage: storageRedis,
 		Config:  rateLimitsFeatureConfig,
 	}
@@ -137492,14 +136216,14 @@ func newSAMLMetadataHandler(p *deps.RequestProvider) http.Handler {
 		UserProfileConfig: userProfileConfig,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         store,
+		UserStore:         userStore,
 		ClaimStore:        storePQ,
 		Transformer:       pictureTransformer,
 	}
 	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
 		Config:      userProfileConfig,
 		UserQueries: rawQueries,
-		UserStore:   store,
+		UserStore:   userStore,
 	}
 	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
 	web3Service := &web3.Service{
@@ -137516,7 +136240,7 @@ func newSAMLMetadataHandler(p *deps.RequestProvider) http.Handler {
 	}
 	userQueries := &user.Queries{
 		RawQueries:         rawQueries,
-		Store:              store,
+		Store:              userStore,
 		Identities:         serviceService,
 		Authenticators:     service3,
 		Verification:       verificationService,
@@ -137525,14 +136249,198 @@ func newSAMLMetadataHandler(p *deps.RequestProvider) http.Handler {
 		Web3:               web3Service,
 		RolesAndGroups:     queries,
 	}
-	idTokenIssuer := &oidc.IDTokenIssuer{
-		Secrets:        oAuthKeyMaterials,
-		BaseURL:        endpointsEndpoints,
-		Users:          userQueries,
-		RolesAndGroups: queries,
-		Clock:          clockClock,
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        handle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       userStore,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: handle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  appredisHandle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            whatsappServiceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	rawCommands := &user.RawCommands{
+		Store: userStore,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
 	}
-	userAgentString := deps.ProvideUserAgentString(request)
 	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
 	idpsessionStoreRedis := &idpsession.StoreRedis{
 		Redis:  appredisHandle,
@@ -137540,6 +136448,14 @@ func newSAMLMetadataHandler(p *deps.RequestProvider) http.Handler {
 		Clock:  clockClock,
 		Logger: storeRedisLogger,
 	}
+	sessionConfig := appConfig.Session
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef2,
+	}
 	eventStoreRedis := &access.EventStoreRedis{
 		Redis: appredisHandle,
 		AppID: appID,
@@ -137547,7 +136463,6 @@ func newSAMLMetadataHandler(p *deps.RequestProvider) http.Handler {
 	eventProvider := &access.EventProvider{
 		Store: eventStoreRedis,
 	}
-	sessionConfig := appConfig.Session
 	idpsessionRand := _wireRandValue
 	idpsessionProvider := &idpsession.Provider{
 		Context:         contextContext,
@@ -137562,225 +136477,465 @@ func newSAMLMetadataHandler(p *deps.RequestProvider) http.Handler {
 		Clock:           clockClock,
 		Random:          idpsessionRand,
 	}
-	oAuthConfig := appConfig.OAuth
-	oauthclientResolver := &oauthclient.Resolver{
-		OAuthConfig:     oAuthConfig,
-		TesterEndpoints: endpointsEndpoints,
-	}
-	redisLogger := redis.NewLogger(factory)
-	redisStore := &redis.Store{
-		Context:     contextContext,
-		Redis:       appredisHandle,
-		AppID:       appID,
-		Logger:      redisLogger,
-		SQLBuilder:  sqlBuilderApp,
-		SQLExecutor: sqlExecutor,
-		Clock:       clockClock,
-	}
-	offlineGrantService := &oauth2.OfflineGrantService{
+	offlineGrantService := oauth2.OfflineGrantService{
 		OAuthConfig:    oAuthConfig,
 		Clock:          clockClock,
 		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
-	}
-	samlService := &saml.Service{
-		Clock:                       clockClock,
-		AppID:                       appID,
-		SAMLEnvironmentConfig:       samlEnvironmentConfig,
-		SAMLConfig:                  samlConfig,
-		SAMLIdpSigningMaterials:     samlIdpSigningMaterials,
-		SAMLSpSigningMaterials:      samlSpSigningMaterials,
-		Endpoints:                   endpointsEndpoints,
-		UserInfoProvider:            idTokenIssuer,
-		IDPSessionProvider:          idpsessionProvider,
-		OfflineGrantSessionProvider: offlineGrantService,
-	}
-	metadataHandler := &saml2.MetadataHandler{
-		SAMLService: samlService,
-	}
-	return metadataHandler
-}
-
-func newSAMLLoginHandler(p *deps.RequestProvider) http.Handler {
-	appProvider := p.AppProvider
-	factory := appProvider.LoggerFactory
-	loginHandlerLogger := saml2.NewLoginHandlerLogger(factory)
-	clockClock := _wireSystemClockValue
-	handle := appProvider.AppDatabase
-	appContext := appProvider.AppContext
-	config := appContext.Config
-	appConfig := config.AppConfig
-	samlConfig := appConfig.SAML
-	appID := appConfig.ID
-	rootProvider := appProvider.RootProvider
-	environmentConfig := rootProvider.EnvironmentConfig
-	samlEnvironmentConfig := environmentConfig.SAML
-	secretConfig := config.SecretConfig
-	samlIdpSigningMaterials := deps.ProvideSAMLIdpSigningMaterials(secretConfig)
-	samlSpSigningMaterials := deps.ProvideSAMLSpSigningMaterials(secretConfig)
-	request := p.Request
-	trustProxy := environmentConfig.TrustProxy
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
-	uiConfig := appConfig.UI
-	globalUIImplementation := environmentConfig.UIImplementation
-	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
-	uiImplementationService := &web.UIImplementationService{
-		UIConfig:                       uiConfig,
-		GlobalUIImplementation:         globalUIImplementation,
-		GlobalUISettingsImplementation: globalUISettingsImplementation,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
 	}
-	endpointsEndpoints := &endpoints.Endpoints{
-		HTTPHost:                httpHost,
-		HTTPProto:               httpProto,
-		UIImplementationService: uiImplementationService,
+	sessionManager := &oauth2.SessionManager{
+		Store:   store,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
 	}
-	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
-	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
-	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	contextContext := deps.ProvideRequestContext(request)
-	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
-	store := &user.Store{
-		SQLBuilder:  sqlBuilderApp,
-		SQLExecutor: sqlExecutor,
-		Clock:       clockClock,
-		AppID:       appID,
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
 	}
-	rawQueries := &user.RawQueries{
-		Store: store,
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
 	}
-	authenticationConfig := appConfig.Authentication
-	identityConfig := appConfig.Identity
-	featureConfig := config.FeatureConfig
-	identityFeatureConfig := featureConfig.Identity
-	serviceStore := &service.Store{
-		SQLBuilder:  sqlBuilderApp,
-		SQLExecutor: sqlExecutor,
+	identityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
 	}
-	loginidStore := &loginid.Store{
-		SQLBuilder:  sqlBuilderApp,
-		SQLExecutor: sqlExecutor,
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
 	}
-	loginIDConfig := identityConfig.LoginID
-	manager := appContext.Resources
-	typeCheckerFactory := &loginid.TypeCheckerFactory{
-		UIConfig:      uiConfig,
-		LoginIDConfig: loginIDConfig,
-		Resources:     manager,
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
 	}
-	checker := &loginid.Checker{
-		Config:             loginIDConfig,
-		TypeCheckerFactory: typeCheckerFactory,
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
 	}
-	normalizerFactory := &loginid.NormalizerFactory{
-		Config: loginIDConfig,
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
 	}
-	provider := &loginid.Provider{
-		Store:             loginidStore,
-		Config:            loginIDConfig,
-		Checker:           checker,
-		NormalizerFactory: normalizerFactory,
-		Clock:             clockClock,
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
 	}
-	oauthStore := &oauth3.Store{
-		SQLBuilder:     sqlBuilderApp,
-		SQLExecutor:    sqlExecutor,
-		IdentityConfig: identityConfig,
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
 	}
-	oauthProvider := &oauth3.Provider{
-		Store:          oauthStore,
-		Clock:          clockClock,
-		IdentityConfig: identityConfig,
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
 	}
-	anonymousStore := &anonymous.Store{
-		SQLBuilder:  sqlBuilderApp,
-		SQLExecutor: sqlExecutor,
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
 	}
-	anonymousProvider := &anonymous.Provider{
-		Store: anonymousStore,
-		Clock: clockClock,
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
 	}
-	biometricStore := &biometric.Store{
-		SQLBuilder:  sqlBuilderApp,
-		SQLExecutor: sqlExecutor,
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
 	}
-	biometricProvider := &biometric.Provider{
-		Store: biometricStore,
+	challengeProvider := &challenge.Provider{
+		Redis: appredisHandle,
+		AppID: appID,
 		Clock: clockClock,
 	}
-	passkeyStore := &passkey.Store{
-		SQLBuilder:  sqlBuilderApp,
-		SQLExecutor: sqlExecutor,
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
 	}
-	appredisHandle := appProvider.Redis
-	store2 := &passkey2.Store{
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
 		Context: contextContext,
 		Redis:   appredisHandle,
 		AppID:   appID,
 	}
-	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
-	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
-	resolver := &template.Resolver{
-		Resources:             manager,
-		DefaultLanguageTag:    defaultLanguageTag,
-		SupportedLanguageTags: supportedLanguageTags,
-	}
-	engine := &template.Engine{
-		Resolver: resolver,
-	}
-	localizationConfig := appConfig.Localization
-	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
-	webAppCDNHost := environmentConfig.WebAppCDNHost
-	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
-	staticAssetResolver := &web.StaticAssetResolver{
-		Context:           contextContext,
-		Localization:      localizationConfig,
-		HTTPOrigin:        httpOrigin,
-		HTTPProto:         httpProto,
-		WebAppCDNHost:     webAppCDNHost,
-		Resources:         manager,
-		EmbeddedResources: globalEmbeddedResourceManager,
-	}
-	translationService := &translation.Service{
-		Context:        contextContext,
-		TemplateEngine: engine,
-		StaticAssets:   staticAssetResolver,
-	}
-	configService := &passkey2.ConfigService{
-		Request:            request,
-		TrustProxy:         trustProxy,
-		TranslationService: translationService,
-	}
-	passkeyService := &passkey2.Service{
-		Store:         store2,
-		ConfigService: configService,
-	}
-	passkeyProvider := &passkey.Provider{
-		Store:   passkeyStore,
-		Clock:   clockClock,
-		Passkey: passkeyService,
-	}
-	siweStore := &siwe.Store{
-		SQLBuilder:  sqlBuilderApp,
-		SQLExecutor: sqlExecutor,
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
 	}
-	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
-	web3Config := appConfig.Web3
-	storeRedis := &siwe2.StoreRedis{
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
 		Context: contextContext,
 		Redis:   appredisHandle,
 		AppID:   appID,
-		Clock:   clockClock,
 	}
-	logger := ratelimit.NewLogger(factory)
-	storageRedis := &ratelimit.StorageRedis{
-		AppID: appID,
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		OAuthClientResolver:             resolver,
+		OfflineGrants:                   store,
+		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
+		OTPSender:                       messageSender,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
+		Challenges:                      challengeProvider,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
+		Events:                          eventService,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
+	}
+	interactionStoreRedis := &interaction.StoreRedis{
 		Redis: appredisHandle,
+		AppID: appID,
+	}
+	interactionService := &interaction.Service{
+		Logger:  logger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
+	}
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  resolver,
+		Graph:                interactionService,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               resolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
+	}
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
+	}
+	reauthHandler := &webapp.ReauthHandler{
+		ControllerFactory: controllerFactory,
+	}
+	return reauthHandler
+}
+
+func newWebAppAuthflowReauthHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	factory := appProvider.LoggerFactory
+	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
+	request := p.Request
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	uiConfig := appConfig.UI
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	clockClock := _wireSystemClockValue
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	appID := appConfig.ID
+	handle := appProvider.Redis
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: handle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	contextContext := deps.ProvideRequestContext(request)
+	featureConfig := config.FeatureConfig
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	appdbHandle := appProvider.AppDatabase
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
+	store := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawCommands := &user.RawCommands{
+		Store: store,
+		Clock: clockClock,
+	}
+	rawQueries := &user.RawQueries{
+		Store: store,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	logger := event.NewLogger(factory)
+	localizationConfig := appConfig.Localization
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	authenticationConfig := appConfig.Authentication
+	identityConfig := appConfig.Identity
+	identityFeatureConfig := featureConfig.Identity
+	serviceStore := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginIDConfig := identityConfig.LoginID
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	resolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: resolver,
+	}
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	ratelimitLogger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: handle,
 	}
 	rateLimitsFeatureConfig := featureConfig.RateLimits
 	limiter := &ratelimit.Limiter{
-		Logger:  logger,
+		Logger:  ratelimitLogger,
 		Storage: storageRedis,
 		Config:  rateLimitsFeatureConfig,
 	}
@@ -137891,17 +137046,17 @@ func newSAMLLoginHandler(p *deps.RequestProvider) http.Handler {
 	testModeConfig := appConfig.TestMode
 	testModeFeatureConfig := featureConfig.TestMode
 	codeStoreRedis := &otp.CodeStoreRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	lookupStoreRedis := &otp.LookupStoreRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	attemptTrackerRedis := &otp.AttemptTrackerRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -137927,7 +137082,7 @@ func newSAMLLoginHandler(p *deps.RequestProvider) http.Handler {
 	lockoutLogger := lockout.NewLogger(factory)
 	lockoutStorageRedis := &lockout.StorageRedis{
 		AppID: appID,
-		Redis: appredisHandle,
+		Redis: handle,
 	}
 	lockoutService := &lockout.Service{
 		Logger:  lockoutLogger,
@@ -138004,92 +137159,6 @@ func newSAMLLoginHandler(p *deps.RequestProvider) http.Handler {
 		Web3:               web3Service,
 		RolesAndGroups:     queries,
 	}
-	idTokenIssuer := &oidc.IDTokenIssuer{
-		Secrets:        oAuthKeyMaterials,
-		BaseURL:        endpointsEndpoints,
-		Users:          userQueries,
-		RolesAndGroups: queries,
-		Clock:          clockClock,
-	}
-	userAgentString := deps.ProvideUserAgentString(request)
-	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
-	idpsessionStoreRedis := &idpsession.StoreRedis{
-		Redis:  appredisHandle,
-		AppID:  appID,
-		Clock:  clockClock,
-		Logger: storeRedisLogger,
-	}
-	eventStoreRedis := &access.EventStoreRedis{
-		Redis: appredisHandle,
-		AppID: appID,
-	}
-	eventProvider := &access.EventProvider{
-		Store: eventStoreRedis,
-	}
-	sessionConfig := appConfig.Session
-	idpsessionRand := _wireRandValue
-	idpsessionProvider := &idpsession.Provider{
-		Context:         contextContext,
-		RemoteIP:        remoteIP,
-		UserAgentString: userAgentString,
-		AppID:           appID,
-		Redis:           appredisHandle,
-		Store:           idpsessionStoreRedis,
-		AccessEvents:    eventProvider,
-		TrustProxy:      trustProxy,
-		Config:          sessionConfig,
-		Clock:           clockClock,
-		Random:          idpsessionRand,
-	}
-	oAuthConfig := appConfig.OAuth
-	oauthclientResolver := &oauthclient.Resolver{
-		OAuthConfig:     oAuthConfig,
-		TesterEndpoints: endpointsEndpoints,
-	}
-	redisLogger := redis.NewLogger(factory)
-	redisStore := &redis.Store{
-		Context:     contextContext,
-		Redis:       appredisHandle,
-		AppID:       appID,
-		Logger:      redisLogger,
-		SQLBuilder:  sqlBuilderApp,
-		SQLExecutor: sqlExecutor,
-		Clock:       clockClock,
-	}
-	offlineGrantService := &oauth2.OfflineGrantService{
-		OAuthConfig:    oAuthConfig,
-		Clock:          clockClock,
-		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
-	}
-	samlService := &saml.Service{
-		Clock:                       clockClock,
-		AppID:                       appID,
-		SAMLEnvironmentConfig:       samlEnvironmentConfig,
-		SAMLConfig:                  samlConfig,
-		SAMLIdpSigningMaterials:     samlIdpSigningMaterials,
-		SAMLSpSigningMaterials:      samlSpSigningMaterials,
-		Endpoints:                   endpointsEndpoints,
-		UserInfoProvider:            idTokenIssuer,
-		IDPSessionProvider:          idpsessionProvider,
-		OfflineGrantSessionProvider: offlineGrantService,
-	}
-	samlsessionStoreRedis := &samlsession.StoreRedis{
-		Context: contextContext,
-		Redis:   appredisHandle,
-		AppID:   appID,
-	}
-	uiService := &samlsession.UIService{
-		Endpoints: endpointsEndpoints,
-	}
-	rawCommands := &user.RawCommands{
-		Store: store,
-		Clock: clockClock,
-	}
-	eventLogger := event.NewLogger(factory)
-	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
-	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
 	resolverImpl := &event.ResolverImpl{
 		Users: userQueries,
 	}
@@ -138154,11 +137223,11 @@ func newSAMLLoginHandler(p *deps.RequestProvider) http.Handler {
 	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
 	client := elasticsearch.NewClient(elasticsearchCredentials)
 	queue := appProvider.TaskQueue
-	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
+	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
 	elasticsearchService := elasticsearch.Service{
 		Clock:           clockClock,
 		Context:         contextContext,
-		Database:        handle,
+		Database:        appdbHandle,
 		Logger:          elasticsearchServiceLogger,
 		AppID:           appID,
 		Client:          client,
@@ -138172,9 +137241,9 @@ func newSAMLLoginHandler(p *deps.RequestProvider) http.Handler {
 	elasticsearchSink := &elasticsearch.Sink{
 		Logger:   elasticsearchLogger,
 		Service:  elasticsearchService,
-		Database: handle,
+		Database: appdbHandle,
 	}
-	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
 	userCommands := &user.Commands{
 		RawCommands:        rawCommands,
 		RawQueries:         rawQueries,
@@ -138191,7 +137260,7 @@ func newSAMLLoginHandler(p *deps.RequestProvider) http.Handler {
 		Queries:  userQueries,
 	}
 	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -138219,7 +137288,7 @@ func newSAMLLoginHandler(p *deps.RequestProvider) http.Handler {
 		Logger: usageLogger,
 		Clock:  clockClock,
 		AppID:  appID,
-		Redis:  appredisHandle,
+		Redis:  handle,
 	}
 	messagingConfig := appConfig.Messaging
 	messagingRateLimitsConfig := messagingConfig.RateLimits
@@ -138241,7 +137310,7 @@ func newSAMLLoginHandler(p *deps.RequestProvider) http.Handler {
 	whatsappConfig := messagingConfig.Whatsapp
 	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
 	tokenStore := &whatsapp.TokenStore{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -138282,8 +137351,14 @@ func newSAMLLoginHandler(p *deps.RequestProvider) http.Handler {
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 	}
-	httpConfig := appConfig.HTTP
-	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  handle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
 	cookieDef := session.NewSessionCookieDef(sessionConfig)
 	idpsessionManager := &idpsession.Manager{
 		Store:     idpsessionStoreRedis,
@@ -138291,7 +137366,43 @@ func newSAMLLoginHandler(p *deps.RequestProvider) http.Handler {
 		Cookies:   cookieManager,
 		CookieDef: cookieDef,
 	}
-	oauthOfflineGrantService := oauth2.OfflineGrantService{
+	redisLogger := redis.NewLogger(factory)
+	redisStore := &redis.Store{
+		Context:     contextContext,
+		Redis:       handle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	oAuthConfig := appConfig.OAuth
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: handle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           handle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	oauthclientResolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
 		OAuthConfig:    oAuthConfig,
 		Clock:          clockClock,
 		IDPSessions:    idpsessionProvider,
@@ -138301,7 +137412,7 @@ func newSAMLLoginHandler(p *deps.RequestProvider) http.Handler {
 	sessionManager := &oauth2.SessionManager{
 		Store:   redisStore,
 		Config:  oAuthConfig,
-		Service: oauthOfflineGrantService,
+		Service: offlineGrantService,
 	}
 	accountDeletionConfig := appConfig.AccountDeletion
 	accountAnonymizationConfig := appConfig.AccountAnonymization
@@ -138335,51 +137446,321 @@ func newSAMLLoginHandler(p *deps.RequestProvider) http.Handler {
 		Clock:                      clockClock,
 		PasswordGenerator:          generator,
 	}
-	userFacade := &facade.UserFacade{
-		UserProvider: userProvider,
-		Coordinator:  coordinator,
+	identityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
 	}
-	loginResultHandler := saml2.LoginResultHandler{
-		Clock:       clockClock,
-		Database:    handle,
-		SAMLService: samlService,
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+		Clock:   clockClock,
 	}
-	samlBindingHTTPPostWriter := &samlbinding.SAMLBindingHTTPPostWriter{}
-	loginHandler := &saml2.LoginHandler{
-		Logger:                loginHandlerLogger,
-		Clock:                 clockClock,
-		Database:              handle,
-		SAMLConfig:            samlConfig,
-		SAMLService:           samlService,
-		SAMLSessionService:    samlsessionStoreRedis,
-		SAMLUIService:         uiService,
-		UserFacade:            userFacade,
-		LoginResultHandler:    loginResultHandler,
-		BindingHTTPPostWriter: samlBindingHTTPPostWriter,
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
 	}
-	return loginHandler
-}
-
-func newSAMLLoginFinishHandler(p *deps.RequestProvider) http.Handler {
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	customattrsService := &customattrs.Service{
+		Config:         userProfileConfig,
+		ServiceNoEvent: customattrsServiceNoEvent,
+		Events:         eventService,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	workflowVerificationFacade := facade.WorkflowVerificationFacade{
+		Verification: verificationService,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	accountMigrationConfig := appConfig.AccountMigration
+	accountMigrationHookConfig := accountMigrationConfig.Hook
+	hookDenoClient := accountmigration.NewHookDenoClient(denoEndpoint, hookLogger, accountMigrationHookConfig)
+	denoMiddlewareLogger := accountmigration.NewDenoMiddlewareLogger(factory)
+	accountMigrationDenoHook := &accountmigration.AccountMigrationDenoHook{
+		DenoHook: denoHook,
+		Client:   hookDenoClient,
+		Logger:   denoMiddlewareLogger,
+	}
+	hookWebHookImpl := &hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	hookHTTPClient := accountmigration.NewHookHTTPClient(accountMigrationHookConfig)
+	webhookMiddlewareLogger := accountmigration.NewWebhookMiddlewareLogger(factory)
+	accountMigrationWebHook := &accountmigration.AccountMigrationWebHook{
+		WebHook: hookWebHookImpl,
+		Client:  hookHTTPClient,
+		Logger:  webhookMiddlewareLogger,
+	}
+	accountmigrationService := &accountmigration.Service{
+		Config:   accountMigrationHookConfig,
+		DenoHook: accountMigrationDenoHook,
+		WebHook:  accountMigrationWebHook,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	captchaConfig := appConfig.Captcha
+	providerLogger := captcha.NewProviderLogger(factory)
+	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
+	cloudflareClient := captcha2.NewCloudflareClient(deprecated_CaptchaCloudflareCredentials)
+	captchaProvider := &captcha.Provider{
+		RemoteIP:         remoteIP,
+		Config:           captchaConfig,
+		Logger:           providerLogger,
+		CloudflareClient: cloudflareClient,
+	}
+	botProtectionConfig := appConfig.BotProtection
+	botprotectionProviderLogger := botprotection.NewProviderLogger(factory)
+	botProtectionProviderCredentials := deps.ProvideBotProtectionProvidersCredentials(secretConfig)
+	botprotectionCloudflareClient := botprotection.NewCloudflareClient(botProtectionProviderCredentials, environmentConfig)
+	recaptchaV2Client := botprotection.NewRecaptchaV2Client(botProtectionProviderCredentials, environmentConfig)
+	botprotectionProvider := &botprotection.Provider{
+		RemoteIP:          remoteIP,
+		Config:            botProtectionConfig,
+		Logger:            botprotectionProviderLogger,
+		CloudflareClient:  botprotectionCloudflareClient,
+		RecaptchaV2Client: recaptchaV2Client,
+		Events:            eventService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   handle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	requestOptionsService := &passkey2.RequestOptionsService{
+		ConfigService:   configService,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	creationOptionsService := &passkey2.CreationOptionsService{
+		ConfigService:   configService,
+		UserService:     userQueries,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	ldapConfig := identityConfig.LDAP
+	ldapServerUserCredentials := deps.ProvideLDAPServerUserCredentials(secretConfig)
+	clientFactory := &ldap2.ClientFactory{
+		Config:       ldapConfig,
+		SecretConfig: ldapServerUserCredentials,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	userFacade := &facade.UserFacade{
+		UserProvider: userProvider,
+		Coordinator:  coordinator,
+	}
+	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
+	idTokenIssuer := &oidc.IDTokenIssuer{
+		Secrets:        oAuthKeyMaterials,
+		BaseURL:        endpointsEndpoints,
+		Users:          userQueries,
+		RolesAndGroups: queries,
+		Clock:          clockClock,
+	}
+	dependencies := &authenticationflow.Dependencies{
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		Clock:                           clockClock,
+		RemoteIP:                        remoteIP,
+		HTTPOrigin:                      httpOrigin,
+		HTTPRequest:                     request,
+		Users:                           userProvider,
+		Identities:                      identityFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		Authenticators:                  authenticatorFacade,
+		MFA:                             mfaFacade,
+		StdAttrsService:                 stdattrsService,
+		CustomAttrsService:              customattrsService,
+		OTPCodes:                        otpService,
+		OTPSender:                       messageSender,
+		Verification:                    workflowVerificationFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		AccountMigrations:               accountmigrationService,
+		Challenges:                      challengeProvider,
+		Captcha:                         captchaProvider,
+		BotProtection:                   botprotectionProvider,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		PasskeyRequestOptionsService:    requestOptionsService,
+		PasskeyCreationOptionsService:   creationOptionsService,
+		PasskeyService:                  passkeyService,
+		LoginIDs:                        provider,
+		LDAP:                            ldapProvider,
+		LDAPClientFactory:               clientFactory,
+		IDPSessions:                     idpsessionProvider,
+		Sessions:                        manager2,
+		AuthenticationInfos:             authenticationinfoStoreRedis,
+		SessionCookie:                   cookieDef,
+		MFADeviceTokenCookie:            mfaCookieDef,
+		UserFacade:                      userFacade,
+		Cookies:                         cookieManager,
+		Events:                          eventService,
+		RateLimiter:                     limiter,
+		OfflineGrants:                   redisStore,
+		IDTokens:                        idTokenIssuer,
+	}
+	authenticationflowServiceLogger := authenticationflow.NewServiceLogger(factory)
+	authenticationflowStoreImpl := &authenticationflow.StoreImpl{
+		Redis:   handle,
+		AppID:   appID,
+		Context: contextContext,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	authenticationflowService := &authenticationflow.Service{
+		ContextDoNotUseDirectly: contextContext,
+		Deps:                    dependencies,
+		Logger:                  authenticationflowServiceLogger,
+		Store:                   authenticationflowStoreImpl,
+		Database:                appdbHandle,
+		UIConfig:                uiConfig,
+		UIInfoResolver:          uiService,
+		OAuthClientResolver:     oauthclientResolver,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	samlsessionStoreRedis := &samlsession.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	promptResolver := &oauth2.PromptResolver{
+		Clock: clockClock,
+	}
+	oauthOfflineGrantService := &oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	idTokenHintResolver := &oidc.IDTokenHintResolver{
+		Issuer:              idTokenIssuer,
+		Sessions:            idpsessionProvider,
+		OfflineGrantService: oauthOfflineGrantService,
+	}
+	uiInfoResolver := &oidc.UIInfoResolver{
+		Config:              oAuthConfig,
+		EndpointsProvider:   endpointsEndpoints,
+		PromptResolver:      promptResolver,
+		IDTokenHintResolver: idTokenHintResolver,
+		Clock:               clockClock,
+		Cookies:             cookieManager,
+		ClientResolver:      oauthclientResolver,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: handle,
+		Cookies:     cookieManager,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	authflowController := &webapp.AuthflowController{
+		Logger:                  authflowControllerLogger,
+		TesterEndpointsProvider: endpointsEndpoints,
+		TrustProxy:              trustProxy,
+		Clock:                   clockClock,
+		Cookies:                 cookieManager,
+		Sessions:                sessionStoreRedis,
+		SessionCookie:           sessionCookieDef,
+		SignedUpCookie:          signedUpCookieDef,
+		Authflows:               authenticationflowService,
+		OAuthSessions:           oauthsessionStoreRedis,
+		SAMLSessions:            samlsessionStoreRedis,
+		UIInfoResolver:          uiInfoResolver,
+		UIConfig:                uiConfig,
+		OAuthClientResolver:     oauthclientResolver,
+		Navigator:               authflowNavigator,
+		ErrorRenderer:           errorRenderer,
+	}
+	authflowReauthHandler := &webapp.AuthflowReauthHandler{
+		Controller:        authflowController,
+		AuthflowNavigator: authflowNavigator,
+	}
+	return authflowReauthHandler
+}
+
+func newWebAppAuthflowV2ReauthHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
-	loginFinishHandlerLogger := saml2.NewLoginFinishHandlerLogger(factory)
-	clockClock := _wireSystemClockValue
-	appContext := appProvider.AppContext
-	config := appContext.Config
-	appConfig := config.AppConfig
-	appID := appConfig.ID
+	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
+	request := p.Request
 	rootProvider := appProvider.RootProvider
 	environmentConfig := rootProvider.EnvironmentConfig
-	samlEnvironmentConfig := environmentConfig.SAML
-	samlConfig := appConfig.SAML
-	secretConfig := config.SecretConfig
-	samlIdpSigningMaterials := deps.ProvideSAMLIdpSigningMaterials(secretConfig)
-	samlSpSigningMaterials := deps.ProvideSAMLSpSigningMaterials(secretConfig)
-	request := p.Request
 	trustProxy := environmentConfig.TrustProxy
 	httpHost := deps.ProvideHTTPHost(request, trustProxy)
 	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
 	uiConfig := appConfig.UI
 	globalUIImplementation := environmentConfig.UIImplementation
 	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
@@ -138393,24 +137774,46 @@ func newSAMLLoginFinishHandler(p *deps.RequestProvider) http.Handler {
 		HTTPProto:               httpProto,
 		UIImplementationService: uiImplementationService,
 	}
-	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
+	clockClock := _wireSystemClockValue
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	appID := appConfig.ID
+	handle := appProvider.Redis
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: handle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	contextContext := deps.ProvideRequestContext(request)
+	featureConfig := config.FeatureConfig
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	secretConfig := config.SecretConfig
 	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	contextContext := deps.ProvideRequestContext(request)
-	handle := appProvider.AppDatabase
-	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	appdbHandle := appProvider.AppDatabase
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
 	store := &user.Store{
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 		Clock:       clockClock,
 		AppID:       appID,
 	}
+	rawCommands := &user.RawCommands{
+		Store: store,
+		Clock: clockClock,
+	}
 	rawQueries := &user.RawQueries{
 		Store: store,
 	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	logger := event.NewLogger(factory)
+	localizationConfig := appConfig.Localization
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
 	authenticationConfig := appConfig.Authentication
 	identityConfig := appConfig.Identity
-	featureConfig := config.FeatureConfig
 	identityFeatureConfig := featureConfig.Identity
 	serviceStore := &service.Store{
 		SQLBuilder:  sqlBuilderApp,
@@ -138471,10 +137874,9 @@ func newSAMLLoginFinishHandler(p *deps.RequestProvider) http.Handler {
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 	}
-	appredisHandle := appProvider.Redis
 	store2 := &passkey2.Store{
 		Context: contextContext,
-		Redis:   appredisHandle,
+		Redis:   handle,
 		AppID:   appID,
 	}
 	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
@@ -138487,8 +137889,6 @@ func newSAMLLoginFinishHandler(p *deps.RequestProvider) http.Handler {
 	engine := &template.Engine{
 		Resolver: resolver,
 	}
-	localizationConfig := appConfig.Localization
-	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
 	staticAssetResolver := &web.StaticAssetResolver{
@@ -138523,22 +137923,21 @@ func newSAMLLoginFinishHandler(p *deps.RequestProvider) http.Handler {
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 	}
-	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
 	web3Config := appConfig.Web3
 	storeRedis := &siwe2.StoreRedis{
 		Context: contextContext,
-		Redis:   appredisHandle,
+		Redis:   handle,
 		AppID:   appID,
 		Clock:   clockClock,
 	}
-	logger := ratelimit.NewLogger(factory)
+	ratelimitLogger := ratelimit.NewLogger(factory)
 	storageRedis := &ratelimit.StorageRedis{
 		AppID: appID,
-		Redis: appredisHandle,
+		Redis: handle,
 	}
 	rateLimitsFeatureConfig := featureConfig.RateLimits
 	limiter := &ratelimit.Limiter{
-		Logger:  logger,
+		Logger:  ratelimitLogger,
 		Storage: storageRedis,
 		Config:  rateLimitsFeatureConfig,
 	}
@@ -138649,17 +138048,17 @@ func newSAMLLoginFinishHandler(p *deps.RequestProvider) http.Handler {
 	testModeConfig := appConfig.TestMode
 	testModeFeatureConfig := featureConfig.TestMode
 	codeStoreRedis := &otp.CodeStoreRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	lookupStoreRedis := &otp.LookupStoreRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
 	attemptTrackerRedis := &otp.AttemptTrackerRedis{
-		Redis: appredisHandle,
+		Redis: handle,
 		AppID: appID,
 		Clock: clockClock,
 	}
@@ -138685,7 +138084,7 @@ func newSAMLLoginFinishHandler(p *deps.RequestProvider) http.Handler {
 	lockoutLogger := lockout.NewLogger(factory)
 	lockoutStorageRedis := &lockout.StorageRedis{
 		AppID: appID,
-		Redis: appredisHandle,
+		Redis: handle,
 	}
 	lockoutService := &lockout.Service{
 		Logger:  lockoutLogger,
@@ -138762,64 +138161,12676 @@ func newSAMLLoginFinishHandler(p *deps.RequestProvider) http.Handler {
 		Web3:               web3Service,
 		RolesAndGroups:     queries,
 	}
-	idTokenIssuer := &oidc.IDTokenIssuer{
-		Secrets:        oAuthKeyMaterials,
-		BaseURL:        endpointsEndpoints,
-		Users:          userQueries,
-		RolesAndGroups: queries,
-		Clock:          clockClock,
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
 	}
-	userAgentString := deps.ProvideUserAgentString(request)
-	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
-	idpsessionStoreRedis := &idpsession.StoreRedis{
-		Redis:  appredisHandle,
-		AppID:  appID,
-		Clock:  clockClock,
-		Logger: storeRedisLogger,
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
 	}
-	eventStoreRedis := &access.EventStoreRedis{
-		Redis: appredisHandle,
-		AppID: appID,
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
 	}
-	eventProvider := &access.EventProvider{
-		Store: eventStoreRedis,
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
 	}
-	sessionConfig := appConfig.Session
-	idpsessionRand := _wireRandValue
-	idpsessionProvider := &idpsession.Provider{
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
 		Context:         contextContext,
-		RemoteIP:        remoteIP,
-		UserAgentString: userAgentString,
+		Database:        appdbHandle,
+		Logger:          elasticsearchServiceLogger,
 		AppID:           appID,
-		Redis:           appredisHandle,
-		Store:           idpsessionStoreRedis,
-		AccessEvents:    eventProvider,
-		TrustProxy:      trustProxy,
-		Config:          sessionConfig,
-		Clock:           clockClock,
-		Random:          idpsessionRand,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       store,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
 	}
-	oAuthConfig := appConfig.OAuth
-	oauthclientResolver := &oauthclient.Resolver{
-		OAuthConfig:     oAuthConfig,
-		TesterEndpoints: endpointsEndpoints,
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: appdbHandle,
 	}
-	redisLogger := redis.NewLogger(factory)
-	redisStore := &redis.Store{
-		Context:     contextContext,
-		Redis:       appredisHandle,
-		AppID:       appID,
-		Logger:      redisLogger,
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
-		Clock:       clockClock,
 	}
-	offlineGrantService := &oauth2.OfflineGrantService{
-		OAuthConfig:    oAuthConfig,
-		Clock:          clockClock,
-		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  handle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	serviceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            serviceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         store,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  handle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
+	cookieDef := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef,
+	}
+	redisLogger := redis.NewLogger(factory)
+	redisStore := &redis.Store{
+		Context:     contextContext,
+		Redis:       handle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	oAuthConfig := appConfig.OAuth
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: handle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           handle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	oauthclientResolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   redisStore,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	identityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	customattrsService := &customattrs.Service{
+		Config:         userProfileConfig,
+		ServiceNoEvent: customattrsServiceNoEvent,
+		Events:         eventService,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	workflowVerificationFacade := facade.WorkflowVerificationFacade{
+		Verification: verificationService,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	accountMigrationConfig := appConfig.AccountMigration
+	accountMigrationHookConfig := accountMigrationConfig.Hook
+	hookDenoClient := accountmigration.NewHookDenoClient(denoEndpoint, hookLogger, accountMigrationHookConfig)
+	denoMiddlewareLogger := accountmigration.NewDenoMiddlewareLogger(factory)
+	accountMigrationDenoHook := &accountmigration.AccountMigrationDenoHook{
+		DenoHook: denoHook,
+		Client:   hookDenoClient,
+		Logger:   denoMiddlewareLogger,
+	}
+	hookWebHookImpl := &hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	hookHTTPClient := accountmigration.NewHookHTTPClient(accountMigrationHookConfig)
+	webhookMiddlewareLogger := accountmigration.NewWebhookMiddlewareLogger(factory)
+	accountMigrationWebHook := &accountmigration.AccountMigrationWebHook{
+		WebHook: hookWebHookImpl,
+		Client:  hookHTTPClient,
+		Logger:  webhookMiddlewareLogger,
+	}
+	accountmigrationService := &accountmigration.Service{
+		Config:   accountMigrationHookConfig,
+		DenoHook: accountMigrationDenoHook,
+		WebHook:  accountMigrationWebHook,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	captchaConfig := appConfig.Captcha
+	providerLogger := captcha.NewProviderLogger(factory)
+	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
+	cloudflareClient := captcha2.NewCloudflareClient(deprecated_CaptchaCloudflareCredentials)
+	captchaProvider := &captcha.Provider{
+		RemoteIP:         remoteIP,
+		Config:           captchaConfig,
+		Logger:           providerLogger,
+		CloudflareClient: cloudflareClient,
+	}
+	botProtectionConfig := appConfig.BotProtection
+	botprotectionProviderLogger := botprotection.NewProviderLogger(factory)
+	botProtectionProviderCredentials := deps.ProvideBotProtectionProvidersCredentials(secretConfig)
+	botprotectionCloudflareClient := botprotection.NewCloudflareClient(botProtectionProviderCredentials, environmentConfig)
+	recaptchaV2Client := botprotection.NewRecaptchaV2Client(botProtectionProviderCredentials, environmentConfig)
+	botprotectionProvider := &botprotection.Provider{
+		RemoteIP:          remoteIP,
+		Config:            botProtectionConfig,
+		Logger:            botprotectionProviderLogger,
+		CloudflareClient:  botprotectionCloudflareClient,
+		RecaptchaV2Client: recaptchaV2Client,
+		Events:            eventService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   handle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	requestOptionsService := &passkey2.RequestOptionsService{
+		ConfigService:   configService,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	creationOptionsService := &passkey2.CreationOptionsService{
+		ConfigService:   configService,
+		UserService:     userQueries,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	ldapConfig := identityConfig.LDAP
+	ldapServerUserCredentials := deps.ProvideLDAPServerUserCredentials(secretConfig)
+	clientFactory := &ldap2.ClientFactory{
+		Config:       ldapConfig,
+		SecretConfig: ldapServerUserCredentials,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	userFacade := &facade.UserFacade{
+		UserProvider: userProvider,
+		Coordinator:  coordinator,
+	}
+	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
+	idTokenIssuer := &oidc.IDTokenIssuer{
+		Secrets:        oAuthKeyMaterials,
+		BaseURL:        endpointsEndpoints,
+		Users:          userQueries,
+		RolesAndGroups: queries,
+		Clock:          clockClock,
+	}
+	dependencies := &authenticationflow.Dependencies{
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		Clock:                           clockClock,
+		RemoteIP:                        remoteIP,
+		HTTPOrigin:                      httpOrigin,
+		HTTPRequest:                     request,
+		Users:                           userProvider,
+		Identities:                      identityFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		Authenticators:                  authenticatorFacade,
+		MFA:                             mfaFacade,
+		StdAttrsService:                 stdattrsService,
+		CustomAttrsService:              customattrsService,
+		OTPCodes:                        otpService,
+		OTPSender:                       messageSender,
+		Verification:                    workflowVerificationFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		AccountMigrations:               accountmigrationService,
+		Challenges:                      challengeProvider,
+		Captcha:                         captchaProvider,
+		BotProtection:                   botprotectionProvider,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		PasskeyRequestOptionsService:    requestOptionsService,
+		PasskeyCreationOptionsService:   creationOptionsService,
+		PasskeyService:                  passkeyService,
+		LoginIDs:                        provider,
+		LDAP:                            ldapProvider,
+		LDAPClientFactory:               clientFactory,
+		IDPSessions:                     idpsessionProvider,
+		Sessions:                        manager2,
+		AuthenticationInfos:             authenticationinfoStoreRedis,
+		SessionCookie:                   cookieDef,
+		MFADeviceTokenCookie:            mfaCookieDef,
+		UserFacade:                      userFacade,
+		Cookies:                         cookieManager,
+		Events:                          eventService,
+		RateLimiter:                     limiter,
+		OfflineGrants:                   redisStore,
+		IDTokens:                        idTokenIssuer,
+	}
+	authenticationflowServiceLogger := authenticationflow.NewServiceLogger(factory)
+	authenticationflowStoreImpl := &authenticationflow.StoreImpl{
+		Redis:   handle,
+		AppID:   appID,
+		Context: contextContext,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	authenticationflowService := &authenticationflow.Service{
+		ContextDoNotUseDirectly: contextContext,
+		Deps:                    dependencies,
+		Logger:                  authenticationflowServiceLogger,
+		Store:                   authenticationflowStoreImpl,
+		Database:                appdbHandle,
+		UIConfig:                uiConfig,
+		UIInfoResolver:          uiService,
+		OAuthClientResolver:     oauthclientResolver,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	samlsessionStoreRedis := &samlsession.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	promptResolver := &oauth2.PromptResolver{
+		Clock: clockClock,
+	}
+	oauthOfflineGrantService := &oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	idTokenHintResolver := &oidc.IDTokenHintResolver{
+		Issuer:              idTokenIssuer,
+		Sessions:            idpsessionProvider,
+		OfflineGrantService: oauthOfflineGrantService,
+	}
+	uiInfoResolver := &oidc.UIInfoResolver{
+		Config:              oAuthConfig,
+		EndpointsProvider:   endpointsEndpoints,
+		PromptResolver:      promptResolver,
+		IDTokenHintResolver: idTokenHintResolver,
+		Clock:               clockClock,
+		Cookies:             cookieManager,
+		ClientResolver:      oauthclientResolver,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: handle,
+		Cookies:     cookieManager,
+	}
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	authflowController := &webapp.AuthflowController{
+		Logger:                  authflowControllerLogger,
+		TesterEndpointsProvider: endpointsEndpoints,
+		TrustProxy:              trustProxy,
+		Clock:                   clockClock,
+		Cookies:                 cookieManager,
+		Sessions:                sessionStoreRedis,
+		SessionCookie:           sessionCookieDef,
+		SignedUpCookie:          signedUpCookieDef,
+		Authflows:               authenticationflowService,
+		OAuthSessions:           oauthsessionStoreRedis,
+		SAMLSessions:            samlsessionStoreRedis,
+		UIInfoResolver:          uiInfoResolver,
+		UIConfig:                uiConfig,
+		OAuthClientResolver:     oauthclientResolver,
+		Navigator:               authflowV2Navigator,
+		ErrorRenderer:           errorRenderer,
+	}
+	authflowV2ReauthHandler := &authflowv2.AuthflowV2ReauthHandler{
+		Controller:        authflowController,
+		AuthflowNavigator: authflowV2Navigator,
+	}
+	return authflowV2ReauthHandler
+}
+
+func newWebAppAuthflowResetPasswordHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	factory := appProvider.LoggerFactory
+	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
+	request := p.Request
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	uiConfig := appConfig.UI
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	clockClock := _wireSystemClockValue
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	appID := appConfig.ID
+	handle := appProvider.Redis
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: handle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	contextContext := deps.ProvideRequestContext(request)
+	featureConfig := config.FeatureConfig
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	appdbHandle := appProvider.AppDatabase
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
+	store := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawCommands := &user.RawCommands{
+		Store: store,
+		Clock: clockClock,
+	}
+	rawQueries := &user.RawQueries{
+		Store: store,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	logger := event.NewLogger(factory)
+	localizationConfig := appConfig.Localization
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	authenticationConfig := appConfig.Authentication
+	identityConfig := appConfig.Identity
+	identityFeatureConfig := featureConfig.Identity
+	serviceStore := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginIDConfig := identityConfig.LoginID
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	resolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: resolver,
+	}
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	ratelimitLogger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: handle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  ratelimitLogger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 serviceStore,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	store3 := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store4 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store4,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: handle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          store3,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         store,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   store,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              store,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        appdbHandle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       store,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: appdbHandle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  handle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	serviceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            serviceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         store,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  handle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
+	cookieDef := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef,
+	}
+	redisLogger := redis.NewLogger(factory)
+	redisStore := &redis.Store{
+		Context:     contextContext,
+		Redis:       handle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	oAuthConfig := appConfig.OAuth
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: handle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           handle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	oauthclientResolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   redisStore,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	identityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	customattrsService := &customattrs.Service{
+		Config:         userProfileConfig,
+		ServiceNoEvent: customattrsServiceNoEvent,
+		Events:         eventService,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	workflowVerificationFacade := facade.WorkflowVerificationFacade{
+		Verification: verificationService,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	accountMigrationConfig := appConfig.AccountMigration
+	accountMigrationHookConfig := accountMigrationConfig.Hook
+	hookDenoClient := accountmigration.NewHookDenoClient(denoEndpoint, hookLogger, accountMigrationHookConfig)
+	denoMiddlewareLogger := accountmigration.NewDenoMiddlewareLogger(factory)
+	accountMigrationDenoHook := &accountmigration.AccountMigrationDenoHook{
+		DenoHook: denoHook,
+		Client:   hookDenoClient,
+		Logger:   denoMiddlewareLogger,
+	}
+	hookWebHookImpl := &hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	hookHTTPClient := accountmigration.NewHookHTTPClient(accountMigrationHookConfig)
+	webhookMiddlewareLogger := accountmigration.NewWebhookMiddlewareLogger(factory)
+	accountMigrationWebHook := &accountmigration.AccountMigrationWebHook{
+		WebHook: hookWebHookImpl,
+		Client:  hookHTTPClient,
+		Logger:  webhookMiddlewareLogger,
+	}
+	accountmigrationService := &accountmigration.Service{
+		Config:   accountMigrationHookConfig,
+		DenoHook: accountMigrationDenoHook,
+		WebHook:  accountMigrationWebHook,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	captchaConfig := appConfig.Captcha
+	providerLogger := captcha.NewProviderLogger(factory)
+	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
+	cloudflareClient := captcha2.NewCloudflareClient(deprecated_CaptchaCloudflareCredentials)
+	captchaProvider := &captcha.Provider{
+		RemoteIP:         remoteIP,
+		Config:           captchaConfig,
+		Logger:           providerLogger,
+		CloudflareClient: cloudflareClient,
+	}
+	botProtectionConfig := appConfig.BotProtection
+	botprotectionProviderLogger := botprotection.NewProviderLogger(factory)
+	botProtectionProviderCredentials := deps.ProvideBotProtectionProvidersCredentials(secretConfig)
+	botprotectionCloudflareClient := botprotection.NewCloudflareClient(botProtectionProviderCredentials, environmentConfig)
+	recaptchaV2Client := botprotection.NewRecaptchaV2Client(botProtectionProviderCredentials, environmentConfig)
+	botprotectionProvider := &botprotection.Provider{
+		RemoteIP:          remoteIP,
+		Config:            botProtectionConfig,
+		Logger:            botprotectionProviderLogger,
+		CloudflareClient:  botprotectionCloudflareClient,
+		RecaptchaV2Client: recaptchaV2Client,
+		Events:            eventService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   handle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	requestOptionsService := &passkey2.RequestOptionsService{
+		ConfigService:   configService,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	creationOptionsService := &passkey2.CreationOptionsService{
+		ConfigService:   configService,
+		UserService:     userQueries,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	ldapConfig := identityConfig.LDAP
+	ldapServerUserCredentials := deps.ProvideLDAPServerUserCredentials(secretConfig)
+	clientFactory := &ldap2.ClientFactory{
+		Config:       ldapConfig,
+		SecretConfig: ldapServerUserCredentials,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	userFacade := &facade.UserFacade{
+		UserProvider: userProvider,
+		Coordinator:  coordinator,
+	}
+	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
+	idTokenIssuer := &oidc.IDTokenIssuer{
+		Secrets:        oAuthKeyMaterials,
+		BaseURL:        endpointsEndpoints,
+		Users:          userQueries,
+		RolesAndGroups: queries,
+		Clock:          clockClock,
+	}
+	dependencies := &authenticationflow.Dependencies{
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		Clock:                           clockClock,
+		RemoteIP:                        remoteIP,
+		HTTPOrigin:                      httpOrigin,
+		HTTPRequest:                     request,
+		Users:                           userProvider,
+		Identities:                      identityFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		Authenticators:                  authenticatorFacade,
+		MFA:                             mfaFacade,
+		StdAttrsService:                 stdattrsService,
+		CustomAttrsService:              customattrsService,
+		OTPCodes:                        otpService,
+		OTPSender:                       messageSender,
+		Verification:                    workflowVerificationFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		AccountMigrations:               accountmigrationService,
+		Challenges:                      challengeProvider,
+		Captcha:                         captchaProvider,
+		BotProtection:                   botprotectionProvider,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		PasskeyRequestOptionsService:    requestOptionsService,
+		PasskeyCreationOptionsService:   creationOptionsService,
+		PasskeyService:                  passkeyService,
+		LoginIDs:                        provider,
+		LDAP:                            ldapProvider,
+		LDAPClientFactory:               clientFactory,
+		IDPSessions:                     idpsessionProvider,
+		Sessions:                        manager2,
+		AuthenticationInfos:             authenticationinfoStoreRedis,
+		SessionCookie:                   cookieDef,
+		MFADeviceTokenCookie:            mfaCookieDef,
+		UserFacade:                      userFacade,
+		Cookies:                         cookieManager,
+		Events:                          eventService,
+		RateLimiter:                     limiter,
+		OfflineGrants:                   redisStore,
+		IDTokens:                        idTokenIssuer,
+	}
+	authenticationflowServiceLogger := authenticationflow.NewServiceLogger(factory)
+	authenticationflowStoreImpl := &authenticationflow.StoreImpl{
+		Redis:   handle,
+		AppID:   appID,
+		Context: contextContext,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	authenticationflowService := &authenticationflow.Service{
+		ContextDoNotUseDirectly: contextContext,
+		Deps:                    dependencies,
+		Logger:                  authenticationflowServiceLogger,
+		Store:                   authenticationflowStoreImpl,
+		Database:                appdbHandle,
+		UIConfig:                uiConfig,
+		UIInfoResolver:          uiService,
+		OAuthClientResolver:     oauthclientResolver,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	samlsessionStoreRedis := &samlsession.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	promptResolver := &oauth2.PromptResolver{
+		Clock: clockClock,
+	}
+	oauthOfflineGrantService := &oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	idTokenHintResolver := &oidc.IDTokenHintResolver{
+		Issuer:              idTokenIssuer,
+		Sessions:            idpsessionProvider,
+		OfflineGrantService: oauthOfflineGrantService,
+	}
+	uiInfoResolver := &oidc.UIInfoResolver{
+		Config:              oAuthConfig,
+		EndpointsProvider:   endpointsEndpoints,
+		PromptResolver:      promptResolver,
+		IDTokenHintResolver: idTokenHintResolver,
+		Clock:               clockClock,
+		Cookies:             cookieManager,
+		ClientResolver:      oauthclientResolver,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: handle,
+		Cookies:     cookieManager,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	authflowController := &webapp.AuthflowController{
+		Logger:                  authflowControllerLogger,
+		TesterEndpointsProvider: endpointsEndpoints,
+		TrustProxy:              trustProxy,
+		Clock:                   clockClock,
+		Cookies:                 cookieManager,
+		Sessions:                sessionStoreRedis,
+		SessionCookie:           sessionCookieDef,
+		SignedUpCookie:          signedUpCookieDef,
+		Authflows:               authenticationflowService,
+		OAuthSessions:           oauthsessionStoreRedis,
+		SAMLSessions:            samlsessionStoreRedis,
+		UIInfoResolver:          uiInfoResolver,
+		UIConfig:                uiConfig,
+		OAuthClientResolver:     oauthclientResolver,
+		Navigator:               authflowNavigator,
+		ErrorRenderer:           errorRenderer,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               oauthclientResolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	authflowResetPasswordHandler := &webapp.AuthflowResetPasswordHandler{
+		Controller:    authflowController,
+		BaseViewModel: baseViewModeler,
+		Renderer:      responseRenderer,
+	}
+	return authflowResetPasswordHandler
+}
+
+func newWebAppAuthflowV2ResetPasswordHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	factory := appProvider.LoggerFactory
+	handle := appProvider.AppDatabase
+	appredisHandle := appProvider.Redis
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	appID := appConfig.ID
+	serviceLogger := webapp2.NewServiceLogger(factory)
+	request := p.Request
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	authenticationConfig := appConfig.Authentication
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	resolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	logger := interaction.NewLogger(factory)
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	clockClock := _wireSystemClockValue
+	featureConfig := config.FeatureConfig
+	redisLogger := redis.NewLogger(factory)
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	store := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	eventLogger := event.NewLogger(factory)
+	localizationConfig := appConfig.Localization
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	userStore := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: userStore,
+	}
+	identityConfig := appConfig.Identity
+	identityFeatureConfig := featureConfig.Identity
+	serviceStore := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginIDConfig := identityConfig.LoginID
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	templateResolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: templateResolver,
+	}
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	ratelimitLogger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  ratelimitLogger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 serviceStore,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	store3 := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store4 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store4,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          store3,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   userStore,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              userStore,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        handle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       userStore,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: handle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  appredisHandle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            whatsappServiceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	rawCommands := &user.RawCommands{
+		Store: userStore,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  appredisHandle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef2,
+	}
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           appredisHandle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   store,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	identityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		OAuthClientResolver:             resolver,
+		OfflineGrants:                   store,
+		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
+		OTPSender:                       messageSender,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
+		Challenges:                      challengeProvider,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
+		Events:                          eventService,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
+	}
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	interactionService := &interaction.Service{
+		Logger:  logger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
+	}
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  resolver,
+		Graph:                interactionService,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               resolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
+	}
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
+	}
+	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
+	customattrsService := &customattrs.Service{
+		Config:         userProfileConfig,
+		ServiceNoEvent: customattrsServiceNoEvent,
+		Events:         eventService,
+	}
+	workflowVerificationFacade := facade.WorkflowVerificationFacade{
+		Verification: verificationService,
+	}
+	accountMigrationConfig := appConfig.AccountMigration
+	accountMigrationHookConfig := accountMigrationConfig.Hook
+	hookDenoClient := accountmigration.NewHookDenoClient(denoEndpoint, hookLogger, accountMigrationHookConfig)
+	denoMiddlewareLogger := accountmigration.NewDenoMiddlewareLogger(factory)
+	accountMigrationDenoHook := &accountmigration.AccountMigrationDenoHook{
+		DenoHook: denoHook,
+		Client:   hookDenoClient,
+		Logger:   denoMiddlewareLogger,
+	}
+	hookWebHookImpl := &hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	hookHTTPClient := accountmigration.NewHookHTTPClient(accountMigrationHookConfig)
+	webhookMiddlewareLogger := accountmigration.NewWebhookMiddlewareLogger(factory)
+	accountMigrationWebHook := &accountmigration.AccountMigrationWebHook{
+		WebHook: hookWebHookImpl,
+		Client:  hookHTTPClient,
+		Logger:  webhookMiddlewareLogger,
+	}
+	accountmigrationService := &accountmigration.Service{
+		Config:   accountMigrationHookConfig,
+		DenoHook: accountMigrationDenoHook,
+		WebHook:  accountMigrationWebHook,
+	}
+	captchaConfig := appConfig.Captcha
+	providerLogger := captcha.NewProviderLogger(factory)
+	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
+	cloudflareClient := captcha2.NewCloudflareClient(deprecated_CaptchaCloudflareCredentials)
+	captchaProvider := &captcha.Provider{
+		RemoteIP:         remoteIP,
+		Config:           captchaConfig,
+		Logger:           providerLogger,
+		CloudflareClient: cloudflareClient,
+	}
+	botprotectionProviderLogger := botprotection.NewProviderLogger(factory)
+	botProtectionProviderCredentials := deps.ProvideBotProtectionProvidersCredentials(secretConfig)
+	botprotectionCloudflareClient := botprotection.NewCloudflareClient(botProtectionProviderCredentials, environmentConfig)
+	recaptchaV2Client := botprotection.NewRecaptchaV2Client(botProtectionProviderCredentials, environmentConfig)
+	botprotectionProvider := &botprotection.Provider{
+		RemoteIP:          remoteIP,
+		Config:            botProtectionConfig,
+		Logger:            botprotectionProviderLogger,
+		CloudflareClient:  botprotectionCloudflareClient,
+		RecaptchaV2Client: recaptchaV2Client,
+		Events:            eventService,
+	}
+	requestOptionsService := &passkey2.RequestOptionsService{
+		ConfigService:   configService,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	creationOptionsService := &passkey2.CreationOptionsService{
+		ConfigService:   configService,
+		UserService:     userQueries,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	ldapConfig := identityConfig.LDAP
+	ldapServerUserCredentials := deps.ProvideLDAPServerUserCredentials(secretConfig)
+	clientFactory := &ldap2.ClientFactory{
+		Config:       ldapConfig,
+		SecretConfig: ldapServerUserCredentials,
+	}
+	userFacade := &facade.UserFacade{
+		UserProvider: userProvider,
+		Coordinator:  coordinator,
+	}
+	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
+	idTokenIssuer := &oidc.IDTokenIssuer{
+		Secrets:        oAuthKeyMaterials,
+		BaseURL:        endpointsEndpoints,
+		Users:          userQueries,
+		RolesAndGroups: queries,
+		Clock:          clockClock,
+	}
+	dependencies := &authenticationflow.Dependencies{
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		Clock:                           clockClock,
+		RemoteIP:                        remoteIP,
+		HTTPOrigin:                      httpOrigin,
+		HTTPRequest:                     request,
+		Users:                           userProvider,
+		Identities:                      identityFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		Authenticators:                  authenticatorFacade,
+		MFA:                             mfaFacade,
+		StdAttrsService:                 stdattrsService,
+		CustomAttrsService:              customattrsService,
+		OTPCodes:                        otpService,
+		OTPSender:                       messageSender,
+		Verification:                    workflowVerificationFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		AccountMigrations:               accountmigrationService,
+		Challenges:                      challengeProvider,
+		Captcha:                         captchaProvider,
+		BotProtection:                   botprotectionProvider,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		PasskeyRequestOptionsService:    requestOptionsService,
+		PasskeyCreationOptionsService:   creationOptionsService,
+		PasskeyService:                  passkeyService,
+		LoginIDs:                        provider,
+		LDAP:                            ldapProvider,
+		LDAPClientFactory:               clientFactory,
+		IDPSessions:                     idpsessionProvider,
+		Sessions:                        manager2,
+		AuthenticationInfos:             authenticationinfoStoreRedis,
+		SessionCookie:                   cookieDef2,
+		MFADeviceTokenCookie:            cookieDef,
+		UserFacade:                      userFacade,
+		Cookies:                         cookieManager,
+		Events:                          eventService,
+		RateLimiter:                     limiter,
+		OfflineGrants:                   store,
+		IDTokens:                        idTokenIssuer,
+	}
+	authenticationflowServiceLogger := authenticationflow.NewServiceLogger(factory)
+	authenticationflowStoreImpl := &authenticationflow.StoreImpl{
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Context: contextContext,
+	}
+	authenticationflowService := &authenticationflow.Service{
+		ContextDoNotUseDirectly: contextContext,
+		Deps:                    dependencies,
+		Logger:                  authenticationflowServiceLogger,
+		Store:                   authenticationflowStoreImpl,
+		Database:                handle,
+		UIConfig:                uiConfig,
+		UIInfoResolver:          uiService,
+		OAuthClientResolver:     resolver,
+	}
+	samlsessionStoreRedis := &samlsession.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	promptResolver := &oauth2.PromptResolver{
+		Clock: clockClock,
+	}
+	oauthOfflineGrantService := &oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
+	}
+	idTokenHintResolver := &oidc.IDTokenHintResolver{
+		Issuer:              idTokenIssuer,
+		Sessions:            idpsessionProvider,
+		OfflineGrantService: oauthOfflineGrantService,
+	}
+	uiInfoResolver := &oidc.UIInfoResolver{
+		Config:              oAuthConfig,
+		EndpointsProvider:   endpointsEndpoints,
+		PromptResolver:      promptResolver,
+		IDTokenHintResolver: idTokenHintResolver,
+		Clock:               clockClock,
+		Cookies:             cookieManager,
+		ClientResolver:      resolver,
+	}
+	authflowController := &webapp.AuthflowController{
+		Logger:                  authflowControllerLogger,
+		TesterEndpointsProvider: endpointsEndpoints,
+		TrustProxy:              trustProxy,
+		Clock:                   clockClock,
+		Cookies:                 cookieManager,
+		Sessions:                sessionStoreRedis,
+		SessionCookie:           sessionCookieDef,
+		SignedUpCookie:          signedUpCookieDef,
+		Authflows:               authenticationflowService,
+		OAuthSessions:           oauthsessionStoreRedis,
+		SAMLSessions:            samlsessionStoreRedis,
+		UIInfoResolver:          uiInfoResolver,
+		UIConfig:                uiConfig,
+		OAuthClientResolver:     resolver,
+		Navigator:               authflowV2Navigator,
+		ErrorRenderer:           errorRenderer,
+	}
+	authflowV2ResetPasswordHandler := &authflowv2.AuthflowV2ResetPasswordHandler{
+		NonAuthflowControllerFactory: controllerFactory,
+		Controller:                   authflowController,
+		BaseViewModel:                baseViewModeler,
+		Renderer:                     responseRenderer,
+		AdminAPIResetPasswordPolicy:  passwordChecker,
+		ResetPassword:                forgotpasswordService,
+		Database:                     handle,
+	}
+	return authflowV2ResetPasswordHandler
+}
+
+func newWebAppAuthflowResetPasswordSuccessHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	factory := appProvider.LoggerFactory
+	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
+	request := p.Request
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	uiConfig := appConfig.UI
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	clockClock := _wireSystemClockValue
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	appID := appConfig.ID
+	handle := appProvider.Redis
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: handle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	contextContext := deps.ProvideRequestContext(request)
+	featureConfig := config.FeatureConfig
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	appdbHandle := appProvider.AppDatabase
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
+	store := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawCommands := &user.RawCommands{
+		Store: store,
+		Clock: clockClock,
+	}
+	rawQueries := &user.RawQueries{
+		Store: store,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	logger := event.NewLogger(factory)
+	localizationConfig := appConfig.Localization
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	authenticationConfig := appConfig.Authentication
+	identityConfig := appConfig.Identity
+	identityFeatureConfig := featureConfig.Identity
+	serviceStore := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginIDConfig := identityConfig.LoginID
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	resolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: resolver,
+	}
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	ratelimitLogger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: handle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  ratelimitLogger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 serviceStore,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	store3 := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store4 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store4,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: handle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          store3,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         store,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   store,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              store,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        appdbHandle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       store,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: appdbHandle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  handle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	serviceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            serviceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         store,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  handle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
+	cookieDef := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef,
+	}
+	redisLogger := redis.NewLogger(factory)
+	redisStore := &redis.Store{
+		Context:     contextContext,
+		Redis:       handle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	oAuthConfig := appConfig.OAuth
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: handle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           handle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	oauthclientResolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   redisStore,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	identityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	customattrsService := &customattrs.Service{
+		Config:         userProfileConfig,
+		ServiceNoEvent: customattrsServiceNoEvent,
+		Events:         eventService,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	workflowVerificationFacade := facade.WorkflowVerificationFacade{
+		Verification: verificationService,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	accountMigrationConfig := appConfig.AccountMigration
+	accountMigrationHookConfig := accountMigrationConfig.Hook
+	hookDenoClient := accountmigration.NewHookDenoClient(denoEndpoint, hookLogger, accountMigrationHookConfig)
+	denoMiddlewareLogger := accountmigration.NewDenoMiddlewareLogger(factory)
+	accountMigrationDenoHook := &accountmigration.AccountMigrationDenoHook{
+		DenoHook: denoHook,
+		Client:   hookDenoClient,
+		Logger:   denoMiddlewareLogger,
+	}
+	hookWebHookImpl := &hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	hookHTTPClient := accountmigration.NewHookHTTPClient(accountMigrationHookConfig)
+	webhookMiddlewareLogger := accountmigration.NewWebhookMiddlewareLogger(factory)
+	accountMigrationWebHook := &accountmigration.AccountMigrationWebHook{
+		WebHook: hookWebHookImpl,
+		Client:  hookHTTPClient,
+		Logger:  webhookMiddlewareLogger,
+	}
+	accountmigrationService := &accountmigration.Service{
+		Config:   accountMigrationHookConfig,
+		DenoHook: accountMigrationDenoHook,
+		WebHook:  accountMigrationWebHook,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	captchaConfig := appConfig.Captcha
+	providerLogger := captcha.NewProviderLogger(factory)
+	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
+	cloudflareClient := captcha2.NewCloudflareClient(deprecated_CaptchaCloudflareCredentials)
+	captchaProvider := &captcha.Provider{
+		RemoteIP:         remoteIP,
+		Config:           captchaConfig,
+		Logger:           providerLogger,
+		CloudflareClient: cloudflareClient,
+	}
+	botProtectionConfig := appConfig.BotProtection
+	botprotectionProviderLogger := botprotection.NewProviderLogger(factory)
+	botProtectionProviderCredentials := deps.ProvideBotProtectionProvidersCredentials(secretConfig)
+	botprotectionCloudflareClient := botprotection.NewCloudflareClient(botProtectionProviderCredentials, environmentConfig)
+	recaptchaV2Client := botprotection.NewRecaptchaV2Client(botProtectionProviderCredentials, environmentConfig)
+	botprotectionProvider := &botprotection.Provider{
+		RemoteIP:          remoteIP,
+		Config:            botProtectionConfig,
+		Logger:            botprotectionProviderLogger,
+		CloudflareClient:  botprotectionCloudflareClient,
+		RecaptchaV2Client: recaptchaV2Client,
+		Events:            eventService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   handle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	requestOptionsService := &passkey2.RequestOptionsService{
+		ConfigService:   configService,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	creationOptionsService := &passkey2.CreationOptionsService{
+		ConfigService:   configService,
+		UserService:     userQueries,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	ldapConfig := identityConfig.LDAP
+	ldapServerUserCredentials := deps.ProvideLDAPServerUserCredentials(secretConfig)
+	clientFactory := &ldap2.ClientFactory{
+		Config:       ldapConfig,
+		SecretConfig: ldapServerUserCredentials,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	userFacade := &facade.UserFacade{
+		UserProvider: userProvider,
+		Coordinator:  coordinator,
+	}
+	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
+	idTokenIssuer := &oidc.IDTokenIssuer{
+		Secrets:        oAuthKeyMaterials,
+		BaseURL:        endpointsEndpoints,
+		Users:          userQueries,
+		RolesAndGroups: queries,
+		Clock:          clockClock,
+	}
+	dependencies := &authenticationflow.Dependencies{
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		Clock:                           clockClock,
+		RemoteIP:                        remoteIP,
+		HTTPOrigin:                      httpOrigin,
+		HTTPRequest:                     request,
+		Users:                           userProvider,
+		Identities:                      identityFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		Authenticators:                  authenticatorFacade,
+		MFA:                             mfaFacade,
+		StdAttrsService:                 stdattrsService,
+		CustomAttrsService:              customattrsService,
+		OTPCodes:                        otpService,
+		OTPSender:                       messageSender,
+		Verification:                    workflowVerificationFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		AccountMigrations:               accountmigrationService,
+		Challenges:                      challengeProvider,
+		Captcha:                         captchaProvider,
+		BotProtection:                   botprotectionProvider,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		PasskeyRequestOptionsService:    requestOptionsService,
+		PasskeyCreationOptionsService:   creationOptionsService,
+		PasskeyService:                  passkeyService,
+		LoginIDs:                        provider,
+		LDAP:                            ldapProvider,
+		LDAPClientFactory:               clientFactory,
+		IDPSessions:                     idpsessionProvider,
+		Sessions:                        manager2,
+		AuthenticationInfos:             authenticationinfoStoreRedis,
+		SessionCookie:                   cookieDef,
+		MFADeviceTokenCookie:            mfaCookieDef,
+		UserFacade:                      userFacade,
+		Cookies:                         cookieManager,
+		Events:                          eventService,
+		RateLimiter:                     limiter,
+		OfflineGrants:                   redisStore,
+		IDTokens:                        idTokenIssuer,
+	}
+	authenticationflowServiceLogger := authenticationflow.NewServiceLogger(factory)
+	authenticationflowStoreImpl := &authenticationflow.StoreImpl{
+		Redis:   handle,
+		AppID:   appID,
+		Context: contextContext,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	authenticationflowService := &authenticationflow.Service{
+		ContextDoNotUseDirectly: contextContext,
+		Deps:                    dependencies,
+		Logger:                  authenticationflowServiceLogger,
+		Store:                   authenticationflowStoreImpl,
+		Database:                appdbHandle,
+		UIConfig:                uiConfig,
+		UIInfoResolver:          uiService,
+		OAuthClientResolver:     oauthclientResolver,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	samlsessionStoreRedis := &samlsession.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	promptResolver := &oauth2.PromptResolver{
+		Clock: clockClock,
+	}
+	oauthOfflineGrantService := &oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	idTokenHintResolver := &oidc.IDTokenHintResolver{
+		Issuer:              idTokenIssuer,
+		Sessions:            idpsessionProvider,
+		OfflineGrantService: oauthOfflineGrantService,
+	}
+	uiInfoResolver := &oidc.UIInfoResolver{
+		Config:              oAuthConfig,
+		EndpointsProvider:   endpointsEndpoints,
+		PromptResolver:      promptResolver,
+		IDTokenHintResolver: idTokenHintResolver,
+		Clock:               clockClock,
+		Cookies:             cookieManager,
+		ClientResolver:      oauthclientResolver,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: handle,
+		Cookies:     cookieManager,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	authflowController := &webapp.AuthflowController{
+		Logger:                  authflowControllerLogger,
+		TesterEndpointsProvider: endpointsEndpoints,
+		TrustProxy:              trustProxy,
+		Clock:                   clockClock,
+		Cookies:                 cookieManager,
+		Sessions:                sessionStoreRedis,
+		SessionCookie:           sessionCookieDef,
+		SignedUpCookie:          signedUpCookieDef,
+		Authflows:               authenticationflowService,
+		OAuthSessions:           oauthsessionStoreRedis,
+		SAMLSessions:            samlsessionStoreRedis,
+		UIInfoResolver:          uiInfoResolver,
+		UIConfig:                uiConfig,
+		OAuthClientResolver:     oauthclientResolver,
+		Navigator:               authflowNavigator,
+		ErrorRenderer:           errorRenderer,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               oauthclientResolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	authflowResetPasswordSuccessHandler := &webapp.AuthflowResetPasswordSuccessHandler{
+		Controller:    authflowController,
+		BaseViewModel: baseViewModeler,
+		Renderer:      responseRenderer,
+	}
+	return authflowResetPasswordSuccessHandler
+}
+
+func newWebAppAuthflowV2ResetPasswordSuccessHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	factory := appProvider.LoggerFactory
+	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
+	request := p.Request
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	uiConfig := appConfig.UI
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	clockClock := _wireSystemClockValue
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	appID := appConfig.ID
+	handle := appProvider.Redis
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: handle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	contextContext := deps.ProvideRequestContext(request)
+	featureConfig := config.FeatureConfig
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	appdbHandle := appProvider.AppDatabase
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
+	store := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawCommands := &user.RawCommands{
+		Store: store,
+		Clock: clockClock,
+	}
+	rawQueries := &user.RawQueries{
+		Store: store,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	logger := event.NewLogger(factory)
+	localizationConfig := appConfig.Localization
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	authenticationConfig := appConfig.Authentication
+	identityConfig := appConfig.Identity
+	identityFeatureConfig := featureConfig.Identity
+	serviceStore := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginIDConfig := identityConfig.LoginID
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	resolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: resolver,
+	}
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	ratelimitLogger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: handle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  ratelimitLogger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 serviceStore,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	store3 := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store4 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store4,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: handle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          store3,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         store,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   store,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              store,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        appdbHandle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       store,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: appdbHandle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  handle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	serviceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            serviceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         store,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  handle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
+	cookieDef := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef,
+	}
+	redisLogger := redis.NewLogger(factory)
+	redisStore := &redis.Store{
+		Context:     contextContext,
+		Redis:       handle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	oAuthConfig := appConfig.OAuth
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: handle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           handle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	oauthclientResolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   redisStore,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	identityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	customattrsService := &customattrs.Service{
+		Config:         userProfileConfig,
+		ServiceNoEvent: customattrsServiceNoEvent,
+		Events:         eventService,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	workflowVerificationFacade := facade.WorkflowVerificationFacade{
+		Verification: verificationService,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	accountMigrationConfig := appConfig.AccountMigration
+	accountMigrationHookConfig := accountMigrationConfig.Hook
+	hookDenoClient := accountmigration.NewHookDenoClient(denoEndpoint, hookLogger, accountMigrationHookConfig)
+	denoMiddlewareLogger := accountmigration.NewDenoMiddlewareLogger(factory)
+	accountMigrationDenoHook := &accountmigration.AccountMigrationDenoHook{
+		DenoHook: denoHook,
+		Client:   hookDenoClient,
+		Logger:   denoMiddlewareLogger,
+	}
+	hookWebHookImpl := &hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	hookHTTPClient := accountmigration.NewHookHTTPClient(accountMigrationHookConfig)
+	webhookMiddlewareLogger := accountmigration.NewWebhookMiddlewareLogger(factory)
+	accountMigrationWebHook := &accountmigration.AccountMigrationWebHook{
+		WebHook: hookWebHookImpl,
+		Client:  hookHTTPClient,
+		Logger:  webhookMiddlewareLogger,
+	}
+	accountmigrationService := &accountmigration.Service{
+		Config:   accountMigrationHookConfig,
+		DenoHook: accountMigrationDenoHook,
+		WebHook:  accountMigrationWebHook,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	captchaConfig := appConfig.Captcha
+	providerLogger := captcha.NewProviderLogger(factory)
+	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
+	cloudflareClient := captcha2.NewCloudflareClient(deprecated_CaptchaCloudflareCredentials)
+	captchaProvider := &captcha.Provider{
+		RemoteIP:         remoteIP,
+		Config:           captchaConfig,
+		Logger:           providerLogger,
+		CloudflareClient: cloudflareClient,
+	}
+	botProtectionConfig := appConfig.BotProtection
+	botprotectionProviderLogger := botprotection.NewProviderLogger(factory)
+	botProtectionProviderCredentials := deps.ProvideBotProtectionProvidersCredentials(secretConfig)
+	botprotectionCloudflareClient := botprotection.NewCloudflareClient(botProtectionProviderCredentials, environmentConfig)
+	recaptchaV2Client := botprotection.NewRecaptchaV2Client(botProtectionProviderCredentials, environmentConfig)
+	botprotectionProvider := &botprotection.Provider{
+		RemoteIP:          remoteIP,
+		Config:            botProtectionConfig,
+		Logger:            botprotectionProviderLogger,
+		CloudflareClient:  botprotectionCloudflareClient,
+		RecaptchaV2Client: recaptchaV2Client,
+		Events:            eventService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   handle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	requestOptionsService := &passkey2.RequestOptionsService{
+		ConfigService:   configService,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	creationOptionsService := &passkey2.CreationOptionsService{
+		ConfigService:   configService,
+		UserService:     userQueries,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	ldapConfig := identityConfig.LDAP
+	ldapServerUserCredentials := deps.ProvideLDAPServerUserCredentials(secretConfig)
+	clientFactory := &ldap2.ClientFactory{
+		Config:       ldapConfig,
+		SecretConfig: ldapServerUserCredentials,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	userFacade := &facade.UserFacade{
+		UserProvider: userProvider,
+		Coordinator:  coordinator,
+	}
+	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
+	idTokenIssuer := &oidc.IDTokenIssuer{
+		Secrets:        oAuthKeyMaterials,
+		BaseURL:        endpointsEndpoints,
+		Users:          userQueries,
+		RolesAndGroups: queries,
+		Clock:          clockClock,
+	}
+	dependencies := &authenticationflow.Dependencies{
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		Clock:                           clockClock,
+		RemoteIP:                        remoteIP,
+		HTTPOrigin:                      httpOrigin,
+		HTTPRequest:                     request,
+		Users:                           userProvider,
+		Identities:                      identityFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		Authenticators:                  authenticatorFacade,
+		MFA:                             mfaFacade,
+		StdAttrsService:                 stdattrsService,
+		CustomAttrsService:              customattrsService,
+		OTPCodes:                        otpService,
+		OTPSender:                       messageSender,
+		Verification:                    workflowVerificationFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		AccountMigrations:               accountmigrationService,
+		Challenges:                      challengeProvider,
+		Captcha:                         captchaProvider,
+		BotProtection:                   botprotectionProvider,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		PasskeyRequestOptionsService:    requestOptionsService,
+		PasskeyCreationOptionsService:   creationOptionsService,
+		PasskeyService:                  passkeyService,
+		LoginIDs:                        provider,
+		LDAP:                            ldapProvider,
+		LDAPClientFactory:               clientFactory,
+		IDPSessions:                     idpsessionProvider,
+		Sessions:                        manager2,
+		AuthenticationInfos:             authenticationinfoStoreRedis,
+		SessionCookie:                   cookieDef,
+		MFADeviceTokenCookie:            mfaCookieDef,
+		UserFacade:                      userFacade,
+		Cookies:                         cookieManager,
+		Events:                          eventService,
+		RateLimiter:                     limiter,
+		OfflineGrants:                   redisStore,
+		IDTokens:                        idTokenIssuer,
+	}
+	authenticationflowServiceLogger := authenticationflow.NewServiceLogger(factory)
+	authenticationflowStoreImpl := &authenticationflow.StoreImpl{
+		Redis:   handle,
+		AppID:   appID,
+		Context: contextContext,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	authenticationflowService := &authenticationflow.Service{
+		ContextDoNotUseDirectly: contextContext,
+		Deps:                    dependencies,
+		Logger:                  authenticationflowServiceLogger,
+		Store:                   authenticationflowStoreImpl,
+		Database:                appdbHandle,
+		UIConfig:                uiConfig,
+		UIInfoResolver:          uiService,
+		OAuthClientResolver:     oauthclientResolver,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	samlsessionStoreRedis := &samlsession.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	promptResolver := &oauth2.PromptResolver{
+		Clock: clockClock,
+	}
+	oauthOfflineGrantService := &oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	idTokenHintResolver := &oidc.IDTokenHintResolver{
+		Issuer:              idTokenIssuer,
+		Sessions:            idpsessionProvider,
+		OfflineGrantService: oauthOfflineGrantService,
+	}
+	uiInfoResolver := &oidc.UIInfoResolver{
+		Config:              oAuthConfig,
+		EndpointsProvider:   endpointsEndpoints,
+		PromptResolver:      promptResolver,
+		IDTokenHintResolver: idTokenHintResolver,
+		Clock:               clockClock,
+		Cookies:             cookieManager,
+		ClientResolver:      oauthclientResolver,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: handle,
+		Cookies:     cookieManager,
+	}
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	authflowController := &webapp.AuthflowController{
+		Logger:                  authflowControllerLogger,
+		TesterEndpointsProvider: endpointsEndpoints,
+		TrustProxy:              trustProxy,
+		Clock:                   clockClock,
+		Cookies:                 cookieManager,
+		Sessions:                sessionStoreRedis,
+		SessionCookie:           sessionCookieDef,
+		SignedUpCookie:          signedUpCookieDef,
+		Authflows:               authenticationflowService,
+		OAuthSessions:           oauthsessionStoreRedis,
+		SAMLSessions:            samlsessionStoreRedis,
+		UIInfoResolver:          uiInfoResolver,
+		UIConfig:                uiConfig,
+		OAuthClientResolver:     oauthclientResolver,
+		Navigator:               authflowV2Navigator,
+		ErrorRenderer:           errorRenderer,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               oauthclientResolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	authflowV2ResetPasswordSuccessHandler := &authflowv2.AuthflowV2ResetPasswordSuccessHandler{
+		Controller:    authflowController,
+		BaseViewModel: baseViewModeler,
+		Renderer:      responseRenderer,
+	}
+	return authflowV2ResetPasswordSuccessHandler
+}
+
+func newWebAppAuthflowAccountStatusHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
+	featureConfig := config.FeatureConfig
+	uiFeatureConfig := featureConfig.UI
+	request := p.Request
+	contextContext := deps.ProvideRequestContext(request)
+	localizationConfig := appConfig.Localization
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	manager := appContext.Resources
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	forgotPasswordConfig := appConfig.ForgotPassword
+	authenticationConfig := appConfig.Authentication
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	appID := appConfig.ID
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	handle := appProvider.Redis
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: handle,
+		Cookies:     cookieManager,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	resolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: resolver,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	clockClock := _wireSystemClockValue
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	oauthclientResolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	factory := appProvider.LoggerFactory
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               oauthclientResolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	authflowAccountStatusHandler := &webapp.AuthflowAccountStatusHandler{
+		BaseViewModel: baseViewModeler,
+		Renderer:      responseRenderer,
+	}
+	return authflowAccountStatusHandler
+}
+
+func newWebAppAuthflowV2AccountStatusHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
+	featureConfig := config.FeatureConfig
+	uiFeatureConfig := featureConfig.UI
+	request := p.Request
+	contextContext := deps.ProvideRequestContext(request)
+	localizationConfig := appConfig.Localization
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	manager := appContext.Resources
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	forgotPasswordConfig := appConfig.ForgotPassword
+	authenticationConfig := appConfig.Authentication
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	appID := appConfig.ID
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	handle := appProvider.Redis
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: handle,
+		Cookies:     cookieManager,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	resolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: resolver,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	clockClock := _wireSystemClockValue
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	oauthclientResolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	factory := appProvider.LoggerFactory
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               oauthclientResolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	authflowV2AccountStatusHandler := &authflowv2.AuthflowV2AccountStatusHandler{
+		BaseViewModel: baseViewModeler,
+		Renderer:      responseRenderer,
+	}
+	return authflowV2AccountStatusHandler
+}
+
+func newWebAppAuthflowNoAuthenticatorHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
+	featureConfig := config.FeatureConfig
+	uiFeatureConfig := featureConfig.UI
+	request := p.Request
+	contextContext := deps.ProvideRequestContext(request)
+	localizationConfig := appConfig.Localization
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	manager := appContext.Resources
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	forgotPasswordConfig := appConfig.ForgotPassword
+	authenticationConfig := appConfig.Authentication
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	appID := appConfig.ID
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	handle := appProvider.Redis
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: handle,
+		Cookies:     cookieManager,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	resolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: resolver,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	clockClock := _wireSystemClockValue
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	oauthclientResolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	factory := appProvider.LoggerFactory
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               oauthclientResolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	authflowNoAuthenticatorHandler := &webapp.AuthflowNoAuthenticatorHandler{
+		BaseViewModel: baseViewModeler,
+		Renderer:      responseRenderer,
+	}
+	return authflowNoAuthenticatorHandler
+}
+
+func newWebAppAuthflowFinishFlowHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	factory := appProvider.LoggerFactory
+	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
+	request := p.Request
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	uiConfig := appConfig.UI
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	clockClock := _wireSystemClockValue
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	appID := appConfig.ID
+	handle := appProvider.Redis
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: handle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	contextContext := deps.ProvideRequestContext(request)
+	featureConfig := config.FeatureConfig
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	appdbHandle := appProvider.AppDatabase
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
+	store := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawCommands := &user.RawCommands{
+		Store: store,
+		Clock: clockClock,
+	}
+	rawQueries := &user.RawQueries{
+		Store: store,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	logger := event.NewLogger(factory)
+	localizationConfig := appConfig.Localization
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	authenticationConfig := appConfig.Authentication
+	identityConfig := appConfig.Identity
+	identityFeatureConfig := featureConfig.Identity
+	serviceStore := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginIDConfig := identityConfig.LoginID
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	resolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: resolver,
+	}
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	ratelimitLogger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: handle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  ratelimitLogger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 serviceStore,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	store3 := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store4 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store4,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: handle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          store3,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         store,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   store,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              store,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        appdbHandle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       store,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: appdbHandle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  handle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	serviceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            serviceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         store,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  handle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
+	cookieDef := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef,
+	}
+	redisLogger := redis.NewLogger(factory)
+	redisStore := &redis.Store{
+		Context:     contextContext,
+		Redis:       handle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	oAuthConfig := appConfig.OAuth
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: handle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           handle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	oauthclientResolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   redisStore,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	identityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	customattrsService := &customattrs.Service{
+		Config:         userProfileConfig,
+		ServiceNoEvent: customattrsServiceNoEvent,
+		Events:         eventService,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	workflowVerificationFacade := facade.WorkflowVerificationFacade{
+		Verification: verificationService,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	accountMigrationConfig := appConfig.AccountMigration
+	accountMigrationHookConfig := accountMigrationConfig.Hook
+	hookDenoClient := accountmigration.NewHookDenoClient(denoEndpoint, hookLogger, accountMigrationHookConfig)
+	denoMiddlewareLogger := accountmigration.NewDenoMiddlewareLogger(factory)
+	accountMigrationDenoHook := &accountmigration.AccountMigrationDenoHook{
+		DenoHook: denoHook,
+		Client:   hookDenoClient,
+		Logger:   denoMiddlewareLogger,
+	}
+	hookWebHookImpl := &hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	hookHTTPClient := accountmigration.NewHookHTTPClient(accountMigrationHookConfig)
+	webhookMiddlewareLogger := accountmigration.NewWebhookMiddlewareLogger(factory)
+	accountMigrationWebHook := &accountmigration.AccountMigrationWebHook{
+		WebHook: hookWebHookImpl,
+		Client:  hookHTTPClient,
+		Logger:  webhookMiddlewareLogger,
+	}
+	accountmigrationService := &accountmigration.Service{
+		Config:   accountMigrationHookConfig,
+		DenoHook: accountMigrationDenoHook,
+		WebHook:  accountMigrationWebHook,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	captchaConfig := appConfig.Captcha
+	providerLogger := captcha.NewProviderLogger(factory)
+	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
+	cloudflareClient := captcha2.NewCloudflareClient(deprecated_CaptchaCloudflareCredentials)
+	captchaProvider := &captcha.Provider{
+		RemoteIP:         remoteIP,
+		Config:           captchaConfig,
+		Logger:           providerLogger,
+		CloudflareClient: cloudflareClient,
+	}
+	botProtectionConfig := appConfig.BotProtection
+	botprotectionProviderLogger := botprotection.NewProviderLogger(factory)
+	botProtectionProviderCredentials := deps.ProvideBotProtectionProvidersCredentials(secretConfig)
+	botprotectionCloudflareClient := botprotection.NewCloudflareClient(botProtectionProviderCredentials, environmentConfig)
+	recaptchaV2Client := botprotection.NewRecaptchaV2Client(botProtectionProviderCredentials, environmentConfig)
+	botprotectionProvider := &botprotection.Provider{
+		RemoteIP:          remoteIP,
+		Config:            botProtectionConfig,
+		Logger:            botprotectionProviderLogger,
+		CloudflareClient:  botprotectionCloudflareClient,
+		RecaptchaV2Client: recaptchaV2Client,
+		Events:            eventService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   handle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	requestOptionsService := &passkey2.RequestOptionsService{
+		ConfigService:   configService,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	creationOptionsService := &passkey2.CreationOptionsService{
+		ConfigService:   configService,
+		UserService:     userQueries,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	ldapConfig := identityConfig.LDAP
+	ldapServerUserCredentials := deps.ProvideLDAPServerUserCredentials(secretConfig)
+	clientFactory := &ldap2.ClientFactory{
+		Config:       ldapConfig,
+		SecretConfig: ldapServerUserCredentials,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	userFacade := &facade.UserFacade{
+		UserProvider: userProvider,
+		Coordinator:  coordinator,
+	}
+	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
+	idTokenIssuer := &oidc.IDTokenIssuer{
+		Secrets:        oAuthKeyMaterials,
+		BaseURL:        endpointsEndpoints,
+		Users:          userQueries,
+		RolesAndGroups: queries,
+		Clock:          clockClock,
+	}
+	dependencies := &authenticationflow.Dependencies{
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		Clock:                           clockClock,
+		RemoteIP:                        remoteIP,
+		HTTPOrigin:                      httpOrigin,
+		HTTPRequest:                     request,
+		Users:                           userProvider,
+		Identities:                      identityFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		Authenticators:                  authenticatorFacade,
+		MFA:                             mfaFacade,
+		StdAttrsService:                 stdattrsService,
+		CustomAttrsService:              customattrsService,
+		OTPCodes:                        otpService,
+		OTPSender:                       messageSender,
+		Verification:                    workflowVerificationFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		AccountMigrations:               accountmigrationService,
+		Challenges:                      challengeProvider,
+		Captcha:                         captchaProvider,
+		BotProtection:                   botprotectionProvider,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		PasskeyRequestOptionsService:    requestOptionsService,
+		PasskeyCreationOptionsService:   creationOptionsService,
+		PasskeyService:                  passkeyService,
+		LoginIDs:                        provider,
+		LDAP:                            ldapProvider,
+		LDAPClientFactory:               clientFactory,
+		IDPSessions:                     idpsessionProvider,
+		Sessions:                        manager2,
+		AuthenticationInfos:             authenticationinfoStoreRedis,
+		SessionCookie:                   cookieDef,
+		MFADeviceTokenCookie:            mfaCookieDef,
+		UserFacade:                      userFacade,
+		Cookies:                         cookieManager,
+		Events:                          eventService,
+		RateLimiter:                     limiter,
+		OfflineGrants:                   redisStore,
+		IDTokens:                        idTokenIssuer,
+	}
+	authenticationflowServiceLogger := authenticationflow.NewServiceLogger(factory)
+	authenticationflowStoreImpl := &authenticationflow.StoreImpl{
+		Redis:   handle,
+		AppID:   appID,
+		Context: contextContext,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	authenticationflowService := &authenticationflow.Service{
+		ContextDoNotUseDirectly: contextContext,
+		Deps:                    dependencies,
+		Logger:                  authenticationflowServiceLogger,
+		Store:                   authenticationflowStoreImpl,
+		Database:                appdbHandle,
+		UIConfig:                uiConfig,
+		UIInfoResolver:          uiService,
+		OAuthClientResolver:     oauthclientResolver,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	samlsessionStoreRedis := &samlsession.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	promptResolver := &oauth2.PromptResolver{
+		Clock: clockClock,
+	}
+	oauthOfflineGrantService := &oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	idTokenHintResolver := &oidc.IDTokenHintResolver{
+		Issuer:              idTokenIssuer,
+		Sessions:            idpsessionProvider,
+		OfflineGrantService: oauthOfflineGrantService,
+	}
+	uiInfoResolver := &oidc.UIInfoResolver{
+		Config:              oAuthConfig,
+		EndpointsProvider:   endpointsEndpoints,
+		PromptResolver:      promptResolver,
+		IDTokenHintResolver: idTokenHintResolver,
+		Clock:               clockClock,
+		Cookies:             cookieManager,
+		ClientResolver:      oauthclientResolver,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: handle,
+		Cookies:     cookieManager,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	authflowController := &webapp.AuthflowController{
+		Logger:                  authflowControllerLogger,
+		TesterEndpointsProvider: endpointsEndpoints,
+		TrustProxy:              trustProxy,
+		Clock:                   clockClock,
+		Cookies:                 cookieManager,
+		Sessions:                sessionStoreRedis,
+		SessionCookie:           sessionCookieDef,
+		SignedUpCookie:          signedUpCookieDef,
+		Authflows:               authenticationflowService,
+		OAuthSessions:           oauthsessionStoreRedis,
+		SAMLSessions:            samlsessionStoreRedis,
+		UIInfoResolver:          uiInfoResolver,
+		UIConfig:                uiConfig,
+		OAuthClientResolver:     oauthclientResolver,
+		Navigator:               authflowNavigator,
+		ErrorRenderer:           errorRenderer,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               oauthclientResolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	authflowFinishFlowHandler := &webapp.AuthflowFinishFlowHandler{
+		Controller:    authflowController,
+		BaseViewModel: baseViewModeler,
+		Renderer:      responseRenderer,
+	}
+	return authflowFinishFlowHandler
+}
+
+func newWebAppAuthflowV2FinishFlowHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	factory := appProvider.LoggerFactory
+	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
+	request := p.Request
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	uiConfig := appConfig.UI
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	clockClock := _wireSystemClockValue
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	appID := appConfig.ID
+	handle := appProvider.Redis
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: handle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	contextContext := deps.ProvideRequestContext(request)
+	featureConfig := config.FeatureConfig
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	appdbHandle := appProvider.AppDatabase
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
+	store := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawCommands := &user.RawCommands{
+		Store: store,
+		Clock: clockClock,
+	}
+	rawQueries := &user.RawQueries{
+		Store: store,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	logger := event.NewLogger(factory)
+	localizationConfig := appConfig.Localization
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	authenticationConfig := appConfig.Authentication
+	identityConfig := appConfig.Identity
+	identityFeatureConfig := featureConfig.Identity
+	serviceStore := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginIDConfig := identityConfig.LoginID
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	resolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: resolver,
+	}
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	ratelimitLogger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: handle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  ratelimitLogger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 serviceStore,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	store3 := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store4 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store4,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: handle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          store3,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         store,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   store,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              store,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        appdbHandle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       store,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: appdbHandle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  handle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	serviceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            serviceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         store,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  handle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
+	cookieDef := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef,
+	}
+	redisLogger := redis.NewLogger(factory)
+	redisStore := &redis.Store{
+		Context:     contextContext,
+		Redis:       handle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	oAuthConfig := appConfig.OAuth
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: handle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           handle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	oauthclientResolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   redisStore,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	identityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	customattrsService := &customattrs.Service{
+		Config:         userProfileConfig,
+		ServiceNoEvent: customattrsServiceNoEvent,
+		Events:         eventService,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	workflowVerificationFacade := facade.WorkflowVerificationFacade{
+		Verification: verificationService,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	accountMigrationConfig := appConfig.AccountMigration
+	accountMigrationHookConfig := accountMigrationConfig.Hook
+	hookDenoClient := accountmigration.NewHookDenoClient(denoEndpoint, hookLogger, accountMigrationHookConfig)
+	denoMiddlewareLogger := accountmigration.NewDenoMiddlewareLogger(factory)
+	accountMigrationDenoHook := &accountmigration.AccountMigrationDenoHook{
+		DenoHook: denoHook,
+		Client:   hookDenoClient,
+		Logger:   denoMiddlewareLogger,
+	}
+	hookWebHookImpl := &hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	hookHTTPClient := accountmigration.NewHookHTTPClient(accountMigrationHookConfig)
+	webhookMiddlewareLogger := accountmigration.NewWebhookMiddlewareLogger(factory)
+	accountMigrationWebHook := &accountmigration.AccountMigrationWebHook{
+		WebHook: hookWebHookImpl,
+		Client:  hookHTTPClient,
+		Logger:  webhookMiddlewareLogger,
+	}
+	accountmigrationService := &accountmigration.Service{
+		Config:   accountMigrationHookConfig,
+		DenoHook: accountMigrationDenoHook,
+		WebHook:  accountMigrationWebHook,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	captchaConfig := appConfig.Captcha
+	providerLogger := captcha.NewProviderLogger(factory)
+	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
+	cloudflareClient := captcha2.NewCloudflareClient(deprecated_CaptchaCloudflareCredentials)
+	captchaProvider := &captcha.Provider{
+		RemoteIP:         remoteIP,
+		Config:           captchaConfig,
+		Logger:           providerLogger,
+		CloudflareClient: cloudflareClient,
+	}
+	botProtectionConfig := appConfig.BotProtection
+	botprotectionProviderLogger := botprotection.NewProviderLogger(factory)
+	botProtectionProviderCredentials := deps.ProvideBotProtectionProvidersCredentials(secretConfig)
+	botprotectionCloudflareClient := botprotection.NewCloudflareClient(botProtectionProviderCredentials, environmentConfig)
+	recaptchaV2Client := botprotection.NewRecaptchaV2Client(botProtectionProviderCredentials, environmentConfig)
+	botprotectionProvider := &botprotection.Provider{
+		RemoteIP:          remoteIP,
+		Config:            botProtectionConfig,
+		Logger:            botprotectionProviderLogger,
+		CloudflareClient:  botprotectionCloudflareClient,
+		RecaptchaV2Client: recaptchaV2Client,
+		Events:            eventService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   handle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	requestOptionsService := &passkey2.RequestOptionsService{
+		ConfigService:   configService,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	creationOptionsService := &passkey2.CreationOptionsService{
+		ConfigService:   configService,
+		UserService:     userQueries,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	ldapConfig := identityConfig.LDAP
+	ldapServerUserCredentials := deps.ProvideLDAPServerUserCredentials(secretConfig)
+	clientFactory := &ldap2.ClientFactory{
+		Config:       ldapConfig,
+		SecretConfig: ldapServerUserCredentials,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	userFacade := &facade.UserFacade{
+		UserProvider: userProvider,
+		Coordinator:  coordinator,
+	}
+	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
+	idTokenIssuer := &oidc.IDTokenIssuer{
+		Secrets:        oAuthKeyMaterials,
+		BaseURL:        endpointsEndpoints,
+		Users:          userQueries,
+		RolesAndGroups: queries,
+		Clock:          clockClock,
+	}
+	dependencies := &authenticationflow.Dependencies{
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		Clock:                           clockClock,
+		RemoteIP:                        remoteIP,
+		HTTPOrigin:                      httpOrigin,
+		HTTPRequest:                     request,
+		Users:                           userProvider,
+		Identities:                      identityFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		Authenticators:                  authenticatorFacade,
+		MFA:                             mfaFacade,
+		StdAttrsService:                 stdattrsService,
+		CustomAttrsService:              customattrsService,
+		OTPCodes:                        otpService,
+		OTPSender:                       messageSender,
+		Verification:                    workflowVerificationFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		AccountMigrations:               accountmigrationService,
+		Challenges:                      challengeProvider,
+		Captcha:                         captchaProvider,
+		BotProtection:                   botprotectionProvider,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		PasskeyRequestOptionsService:    requestOptionsService,
+		PasskeyCreationOptionsService:   creationOptionsService,
+		PasskeyService:                  passkeyService,
+		LoginIDs:                        provider,
+		LDAP:                            ldapProvider,
+		LDAPClientFactory:               clientFactory,
+		IDPSessions:                     idpsessionProvider,
+		Sessions:                        manager2,
+		AuthenticationInfos:             authenticationinfoStoreRedis,
+		SessionCookie:                   cookieDef,
+		MFADeviceTokenCookie:            mfaCookieDef,
+		UserFacade:                      userFacade,
+		Cookies:                         cookieManager,
+		Events:                          eventService,
+		RateLimiter:                     limiter,
+		OfflineGrants:                   redisStore,
+		IDTokens:                        idTokenIssuer,
+	}
+	authenticationflowServiceLogger := authenticationflow.NewServiceLogger(factory)
+	authenticationflowStoreImpl := &authenticationflow.StoreImpl{
+		Redis:   handle,
+		AppID:   appID,
+		Context: contextContext,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	authenticationflowService := &authenticationflow.Service{
+		ContextDoNotUseDirectly: contextContext,
+		Deps:                    dependencies,
+		Logger:                  authenticationflowServiceLogger,
+		Store:                   authenticationflowStoreImpl,
+		Database:                appdbHandle,
+		UIConfig:                uiConfig,
+		UIInfoResolver:          uiService,
+		OAuthClientResolver:     oauthclientResolver,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	samlsessionStoreRedis := &samlsession.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	promptResolver := &oauth2.PromptResolver{
+		Clock: clockClock,
+	}
+	oauthOfflineGrantService := &oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	idTokenHintResolver := &oidc.IDTokenHintResolver{
+		Issuer:              idTokenIssuer,
+		Sessions:            idpsessionProvider,
+		OfflineGrantService: oauthOfflineGrantService,
+	}
+	uiInfoResolver := &oidc.UIInfoResolver{
+		Config:              oAuthConfig,
+		EndpointsProvider:   endpointsEndpoints,
+		PromptResolver:      promptResolver,
+		IDTokenHintResolver: idTokenHintResolver,
+		Clock:               clockClock,
+		Cookies:             cookieManager,
+		ClientResolver:      oauthclientResolver,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: handle,
+		Cookies:     cookieManager,
+	}
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	authflowController := &webapp.AuthflowController{
+		Logger:                  authflowControllerLogger,
+		TesterEndpointsProvider: endpointsEndpoints,
+		TrustProxy:              trustProxy,
+		Clock:                   clockClock,
+		Cookies:                 cookieManager,
+		Sessions:                sessionStoreRedis,
+		SessionCookie:           sessionCookieDef,
+		SignedUpCookie:          signedUpCookieDef,
+		Authflows:               authenticationflowService,
+		OAuthSessions:           oauthsessionStoreRedis,
+		SAMLSessions:            samlsessionStoreRedis,
+		UIInfoResolver:          uiInfoResolver,
+		UIConfig:                uiConfig,
+		OAuthClientResolver:     oauthclientResolver,
+		Navigator:               authflowV2Navigator,
+		ErrorRenderer:           errorRenderer,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               oauthclientResolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	authflowV2FinishFlowHandler := &authflowv2.AuthflowV2FinishFlowHandler{
+		Controller:    authflowController,
+		BaseViewModel: baseViewModeler,
+		Renderer:      responseRenderer,
+	}
+	return authflowV2FinishFlowHandler
+}
+
+func newWebAppAuthflowV2AccountLinkingHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	factory := appProvider.LoggerFactory
+	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
+	request := p.Request
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	uiConfig := appConfig.UI
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	clockClock := _wireSystemClockValue
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	appID := appConfig.ID
+	handle := appProvider.Redis
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: handle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	contextContext := deps.ProvideRequestContext(request)
+	featureConfig := config.FeatureConfig
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	appdbHandle := appProvider.AppDatabase
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
+	store := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawCommands := &user.RawCommands{
+		Store: store,
+		Clock: clockClock,
+	}
+	rawQueries := &user.RawQueries{
+		Store: store,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	logger := event.NewLogger(factory)
+	localizationConfig := appConfig.Localization
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	authenticationConfig := appConfig.Authentication
+	identityConfig := appConfig.Identity
+	identityFeatureConfig := featureConfig.Identity
+	serviceStore := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginIDConfig := identityConfig.LoginID
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	resolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: resolver,
+	}
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	ratelimitLogger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: handle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  ratelimitLogger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 serviceStore,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	store3 := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store4 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store4,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: handle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          store3,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         store,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   store,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              store,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        appdbHandle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       store,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: appdbHandle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  handle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	serviceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            serviceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         store,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  handle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
+	cookieDef := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef,
+	}
+	redisLogger := redis.NewLogger(factory)
+	redisStore := &redis.Store{
+		Context:     contextContext,
+		Redis:       handle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	oAuthConfig := appConfig.OAuth
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: handle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           handle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	oauthclientResolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   redisStore,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	identityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	customattrsService := &customattrs.Service{
+		Config:         userProfileConfig,
+		ServiceNoEvent: customattrsServiceNoEvent,
+		Events:         eventService,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	workflowVerificationFacade := facade.WorkflowVerificationFacade{
+		Verification: verificationService,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	accountMigrationConfig := appConfig.AccountMigration
+	accountMigrationHookConfig := accountMigrationConfig.Hook
+	hookDenoClient := accountmigration.NewHookDenoClient(denoEndpoint, hookLogger, accountMigrationHookConfig)
+	denoMiddlewareLogger := accountmigration.NewDenoMiddlewareLogger(factory)
+	accountMigrationDenoHook := &accountmigration.AccountMigrationDenoHook{
+		DenoHook: denoHook,
+		Client:   hookDenoClient,
+		Logger:   denoMiddlewareLogger,
+	}
+	hookWebHookImpl := &hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	hookHTTPClient := accountmigration.NewHookHTTPClient(accountMigrationHookConfig)
+	webhookMiddlewareLogger := accountmigration.NewWebhookMiddlewareLogger(factory)
+	accountMigrationWebHook := &accountmigration.AccountMigrationWebHook{
+		WebHook: hookWebHookImpl,
+		Client:  hookHTTPClient,
+		Logger:  webhookMiddlewareLogger,
+	}
+	accountmigrationService := &accountmigration.Service{
+		Config:   accountMigrationHookConfig,
+		DenoHook: accountMigrationDenoHook,
+		WebHook:  accountMigrationWebHook,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	captchaConfig := appConfig.Captcha
+	providerLogger := captcha.NewProviderLogger(factory)
+	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
+	cloudflareClient := captcha2.NewCloudflareClient(deprecated_CaptchaCloudflareCredentials)
+	captchaProvider := &captcha.Provider{
+		RemoteIP:         remoteIP,
+		Config:           captchaConfig,
+		Logger:           providerLogger,
+		CloudflareClient: cloudflareClient,
+	}
+	botProtectionConfig := appConfig.BotProtection
+	botprotectionProviderLogger := botprotection.NewProviderLogger(factory)
+	botProtectionProviderCredentials := deps.ProvideBotProtectionProvidersCredentials(secretConfig)
+	botprotectionCloudflareClient := botprotection.NewCloudflareClient(botProtectionProviderCredentials, environmentConfig)
+	recaptchaV2Client := botprotection.NewRecaptchaV2Client(botProtectionProviderCredentials, environmentConfig)
+	botprotectionProvider := &botprotection.Provider{
+		RemoteIP:          remoteIP,
+		Config:            botProtectionConfig,
+		Logger:            botprotectionProviderLogger,
+		CloudflareClient:  botprotectionCloudflareClient,
+		RecaptchaV2Client: recaptchaV2Client,
+		Events:            eventService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   handle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	requestOptionsService := &passkey2.RequestOptionsService{
+		ConfigService:   configService,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	creationOptionsService := &passkey2.CreationOptionsService{
+		ConfigService:   configService,
+		UserService:     userQueries,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	ldapConfig := identityConfig.LDAP
+	ldapServerUserCredentials := deps.ProvideLDAPServerUserCredentials(secretConfig)
+	clientFactory := &ldap2.ClientFactory{
+		Config:       ldapConfig,
+		SecretConfig: ldapServerUserCredentials,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	userFacade := &facade.UserFacade{
+		UserProvider: userProvider,
+		Coordinator:  coordinator,
+	}
+	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
+	idTokenIssuer := &oidc.IDTokenIssuer{
+		Secrets:        oAuthKeyMaterials,
+		BaseURL:        endpointsEndpoints,
+		Users:          userQueries,
+		RolesAndGroups: queries,
+		Clock:          clockClock,
+	}
+	dependencies := &authenticationflow.Dependencies{
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		Clock:                           clockClock,
+		RemoteIP:                        remoteIP,
+		HTTPOrigin:                      httpOrigin,
+		HTTPRequest:                     request,
+		Users:                           userProvider,
+		Identities:                      identityFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		Authenticators:                  authenticatorFacade,
+		MFA:                             mfaFacade,
+		StdAttrsService:                 stdattrsService,
+		CustomAttrsService:              customattrsService,
+		OTPCodes:                        otpService,
+		OTPSender:                       messageSender,
+		Verification:                    workflowVerificationFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		AccountMigrations:               accountmigrationService,
+		Challenges:                      challengeProvider,
+		Captcha:                         captchaProvider,
+		BotProtection:                   botprotectionProvider,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		PasskeyRequestOptionsService:    requestOptionsService,
+		PasskeyCreationOptionsService:   creationOptionsService,
+		PasskeyService:                  passkeyService,
+		LoginIDs:                        provider,
+		LDAP:                            ldapProvider,
+		LDAPClientFactory:               clientFactory,
+		IDPSessions:                     idpsessionProvider,
+		Sessions:                        manager2,
+		AuthenticationInfos:             authenticationinfoStoreRedis,
+		SessionCookie:                   cookieDef,
+		MFADeviceTokenCookie:            mfaCookieDef,
+		UserFacade:                      userFacade,
+		Cookies:                         cookieManager,
+		Events:                          eventService,
+		RateLimiter:                     limiter,
+		OfflineGrants:                   redisStore,
+		IDTokens:                        idTokenIssuer,
+	}
+	authenticationflowServiceLogger := authenticationflow.NewServiceLogger(factory)
+	authenticationflowStoreImpl := &authenticationflow.StoreImpl{
+		Redis:   handle,
+		AppID:   appID,
+		Context: contextContext,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	authenticationflowService := &authenticationflow.Service{
+		ContextDoNotUseDirectly: contextContext,
+		Deps:                    dependencies,
+		Logger:                  authenticationflowServiceLogger,
+		Store:                   authenticationflowStoreImpl,
+		Database:                appdbHandle,
+		UIConfig:                uiConfig,
+		UIInfoResolver:          uiService,
+		OAuthClientResolver:     oauthclientResolver,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	samlsessionStoreRedis := &samlsession.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	promptResolver := &oauth2.PromptResolver{
+		Clock: clockClock,
+	}
+	oauthOfflineGrantService := &oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	idTokenHintResolver := &oidc.IDTokenHintResolver{
+		Issuer:              idTokenIssuer,
+		Sessions:            idpsessionProvider,
+		OfflineGrantService: oauthOfflineGrantService,
+	}
+	uiInfoResolver := &oidc.UIInfoResolver{
+		Config:              oAuthConfig,
+		EndpointsProvider:   endpointsEndpoints,
+		PromptResolver:      promptResolver,
+		IDTokenHintResolver: idTokenHintResolver,
+		Clock:               clockClock,
+		Cookies:             cookieManager,
+		ClientResolver:      oauthclientResolver,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: handle,
+		Cookies:     cookieManager,
+	}
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	authflowController := &webapp.AuthflowController{
+		Logger:                  authflowControllerLogger,
+		TesterEndpointsProvider: endpointsEndpoints,
+		TrustProxy:              trustProxy,
+		Clock:                   clockClock,
+		Cookies:                 cookieManager,
+		Sessions:                sessionStoreRedis,
+		SessionCookie:           sessionCookieDef,
+		SignedUpCookie:          signedUpCookieDef,
+		Authflows:               authenticationflowService,
+		OAuthSessions:           oauthsessionStoreRedis,
+		SAMLSessions:            samlsessionStoreRedis,
+		UIInfoResolver:          uiInfoResolver,
+		UIConfig:                uiConfig,
+		OAuthClientResolver:     oauthclientResolver,
+		Navigator:               authflowV2Navigator,
+		ErrorRenderer:           errorRenderer,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               oauthclientResolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	authflowV2AccountLinkingHandler := &authflowv2.AuthflowV2AccountLinkingHandler{
+		Controller:    authflowController,
+		BaseViewModel: baseViewModeler,
+		Renderer:      responseRenderer,
+		Endpoints:     endpointsEndpoints,
+	}
+	return authflowV2AccountLinkingHandler
+}
+
+func newWebAppAuthflowV2NoAuthenticatorHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
+	featureConfig := config.FeatureConfig
+	uiFeatureConfig := featureConfig.UI
+	request := p.Request
+	contextContext := deps.ProvideRequestContext(request)
+	localizationConfig := appConfig.Localization
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	manager := appContext.Resources
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	forgotPasswordConfig := appConfig.ForgotPassword
+	authenticationConfig := appConfig.Authentication
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	appID := appConfig.ID
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	handle := appProvider.Redis
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: handle,
+		Cookies:     cookieManager,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	resolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: resolver,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	clockClock := _wireSystemClockValue
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	oauthclientResolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	factory := appProvider.LoggerFactory
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               oauthclientResolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	authflowV2NoAuthenticatorHandler := &authflowv2.AuthflowV2NoAuthenticatorHandler{
+		BaseViewModel: baseViewModeler,
+		Renderer:      responseRenderer,
+	}
+	return authflowV2NoAuthenticatorHandler
+}
+
+func newWebAppAuthflowV2WechatHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	factory := appProvider.LoggerFactory
+	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
+	request := p.Request
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	uiConfig := appConfig.UI
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	clockClock := _wireSystemClockValue
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	appID := appConfig.ID
+	handle := appProvider.Redis
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: handle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	contextContext := deps.ProvideRequestContext(request)
+	featureConfig := config.FeatureConfig
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	appdbHandle := appProvider.AppDatabase
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
+	store := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawCommands := &user.RawCommands{
+		Store: store,
+		Clock: clockClock,
+	}
+	rawQueries := &user.RawQueries{
+		Store: store,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	logger := event.NewLogger(factory)
+	localizationConfig := appConfig.Localization
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	authenticationConfig := appConfig.Authentication
+	identityConfig := appConfig.Identity
+	identityFeatureConfig := featureConfig.Identity
+	serviceStore := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginIDConfig := identityConfig.LoginID
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	resolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: resolver,
+	}
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	ratelimitLogger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: handle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  ratelimitLogger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 serviceStore,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	store3 := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store4 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store4,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: handle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          store3,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         store,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   store,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              store,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        appdbHandle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       store,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: appdbHandle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  handle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	serviceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            serviceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         store,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  handle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
+	cookieDef := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef,
+	}
+	redisLogger := redis.NewLogger(factory)
+	redisStore := &redis.Store{
+		Context:     contextContext,
+		Redis:       handle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	oAuthConfig := appConfig.OAuth
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: handle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           handle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	oauthclientResolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   redisStore,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	identityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	customattrsService := &customattrs.Service{
+		Config:         userProfileConfig,
+		ServiceNoEvent: customattrsServiceNoEvent,
+		Events:         eventService,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	workflowVerificationFacade := facade.WorkflowVerificationFacade{
+		Verification: verificationService,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	accountMigrationConfig := appConfig.AccountMigration
+	accountMigrationHookConfig := accountMigrationConfig.Hook
+	hookDenoClient := accountmigration.NewHookDenoClient(denoEndpoint, hookLogger, accountMigrationHookConfig)
+	denoMiddlewareLogger := accountmigration.NewDenoMiddlewareLogger(factory)
+	accountMigrationDenoHook := &accountmigration.AccountMigrationDenoHook{
+		DenoHook: denoHook,
+		Client:   hookDenoClient,
+		Logger:   denoMiddlewareLogger,
+	}
+	hookWebHookImpl := &hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	hookHTTPClient := accountmigration.NewHookHTTPClient(accountMigrationHookConfig)
+	webhookMiddlewareLogger := accountmigration.NewWebhookMiddlewareLogger(factory)
+	accountMigrationWebHook := &accountmigration.AccountMigrationWebHook{
+		WebHook: hookWebHookImpl,
+		Client:  hookHTTPClient,
+		Logger:  webhookMiddlewareLogger,
+	}
+	accountmigrationService := &accountmigration.Service{
+		Config:   accountMigrationHookConfig,
+		DenoHook: accountMigrationDenoHook,
+		WebHook:  accountMigrationWebHook,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	captchaConfig := appConfig.Captcha
+	providerLogger := captcha.NewProviderLogger(factory)
+	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
+	cloudflareClient := captcha2.NewCloudflareClient(deprecated_CaptchaCloudflareCredentials)
+	captchaProvider := &captcha.Provider{
+		RemoteIP:         remoteIP,
+		Config:           captchaConfig,
+		Logger:           providerLogger,
+		CloudflareClient: cloudflareClient,
+	}
+	botProtectionConfig := appConfig.BotProtection
+	botprotectionProviderLogger := botprotection.NewProviderLogger(factory)
+	botProtectionProviderCredentials := deps.ProvideBotProtectionProvidersCredentials(secretConfig)
+	botprotectionCloudflareClient := botprotection.NewCloudflareClient(botProtectionProviderCredentials, environmentConfig)
+	recaptchaV2Client := botprotection.NewRecaptchaV2Client(botProtectionProviderCredentials, environmentConfig)
+	botprotectionProvider := &botprotection.Provider{
+		RemoteIP:          remoteIP,
+		Config:            botProtectionConfig,
+		Logger:            botprotectionProviderLogger,
+		CloudflareClient:  botprotectionCloudflareClient,
+		RecaptchaV2Client: recaptchaV2Client,
+		Events:            eventService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   handle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	requestOptionsService := &passkey2.RequestOptionsService{
+		ConfigService:   configService,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	creationOptionsService := &passkey2.CreationOptionsService{
+		ConfigService:   configService,
+		UserService:     userQueries,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	ldapConfig := identityConfig.LDAP
+	ldapServerUserCredentials := deps.ProvideLDAPServerUserCredentials(secretConfig)
+	clientFactory := &ldap2.ClientFactory{
+		Config:       ldapConfig,
+		SecretConfig: ldapServerUserCredentials,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	userFacade := &facade.UserFacade{
+		UserProvider: userProvider,
+		Coordinator:  coordinator,
+	}
+	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
+	idTokenIssuer := &oidc.IDTokenIssuer{
+		Secrets:        oAuthKeyMaterials,
+		BaseURL:        endpointsEndpoints,
+		Users:          userQueries,
+		RolesAndGroups: queries,
+		Clock:          clockClock,
+	}
+	dependencies := &authenticationflow.Dependencies{
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		Clock:                           clockClock,
+		RemoteIP:                        remoteIP,
+		HTTPOrigin:                      httpOrigin,
+		HTTPRequest:                     request,
+		Users:                           userProvider,
+		Identities:                      identityFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		Authenticators:                  authenticatorFacade,
+		MFA:                             mfaFacade,
+		StdAttrsService:                 stdattrsService,
+		CustomAttrsService:              customattrsService,
+		OTPCodes:                        otpService,
+		OTPSender:                       messageSender,
+		Verification:                    workflowVerificationFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		AccountMigrations:               accountmigrationService,
+		Challenges:                      challengeProvider,
+		Captcha:                         captchaProvider,
+		BotProtection:                   botprotectionProvider,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		PasskeyRequestOptionsService:    requestOptionsService,
+		PasskeyCreationOptionsService:   creationOptionsService,
+		PasskeyService:                  passkeyService,
+		LoginIDs:                        provider,
+		LDAP:                            ldapProvider,
+		LDAPClientFactory:               clientFactory,
+		IDPSessions:                     idpsessionProvider,
+		Sessions:                        manager2,
+		AuthenticationInfos:             authenticationinfoStoreRedis,
+		SessionCookie:                   cookieDef,
+		MFADeviceTokenCookie:            mfaCookieDef,
+		UserFacade:                      userFacade,
+		Cookies:                         cookieManager,
+		Events:                          eventService,
+		RateLimiter:                     limiter,
+		OfflineGrants:                   redisStore,
+		IDTokens:                        idTokenIssuer,
+	}
+	authenticationflowServiceLogger := authenticationflow.NewServiceLogger(factory)
+	authenticationflowStoreImpl := &authenticationflow.StoreImpl{
+		Redis:   handle,
+		AppID:   appID,
+		Context: contextContext,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	authenticationflowService := &authenticationflow.Service{
+		ContextDoNotUseDirectly: contextContext,
+		Deps:                    dependencies,
+		Logger:                  authenticationflowServiceLogger,
+		Store:                   authenticationflowStoreImpl,
+		Database:                appdbHandle,
+		UIConfig:                uiConfig,
+		UIInfoResolver:          uiService,
+		OAuthClientResolver:     oauthclientResolver,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	samlsessionStoreRedis := &samlsession.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	promptResolver := &oauth2.PromptResolver{
+		Clock: clockClock,
+	}
+	oauthOfflineGrantService := &oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	idTokenHintResolver := &oidc.IDTokenHintResolver{
+		Issuer:              idTokenIssuer,
+		Sessions:            idpsessionProvider,
+		OfflineGrantService: oauthOfflineGrantService,
+	}
+	uiInfoResolver := &oidc.UIInfoResolver{
+		Config:              oAuthConfig,
+		EndpointsProvider:   endpointsEndpoints,
+		PromptResolver:      promptResolver,
+		IDTokenHintResolver: idTokenHintResolver,
+		Clock:               clockClock,
+		Cookies:             cookieManager,
+		ClientResolver:      oauthclientResolver,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: handle,
+		Cookies:     cookieManager,
+	}
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	authflowController := &webapp.AuthflowController{
+		Logger:                  authflowControllerLogger,
+		TesterEndpointsProvider: endpointsEndpoints,
+		TrustProxy:              trustProxy,
+		Clock:                   clockClock,
+		Cookies:                 cookieManager,
+		Sessions:                sessionStoreRedis,
+		SessionCookie:           sessionCookieDef,
+		SignedUpCookie:          signedUpCookieDef,
+		Authflows:               authenticationflowService,
+		OAuthSessions:           oauthsessionStoreRedis,
+		SAMLSessions:            samlsessionStoreRedis,
+		UIInfoResolver:          uiInfoResolver,
+		UIConfig:                uiConfig,
+		OAuthClientResolver:     oauthclientResolver,
+		Navigator:               authflowV2Navigator,
+		ErrorRenderer:           errorRenderer,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               oauthclientResolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	authflowV2WechatHandler := &authflowv2.AuthflowV2WechatHandler{
+		Controller:      authflowController,
+		BaseViewModel:   baseViewModeler,
+		Renderer:        responseRenderer,
+		OAuthStateStore: webappoauthStore,
+	}
+	return authflowV2WechatHandler
+}
+
+func newWebAppAuthflowV2LDAPLoginHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	factory := appProvider.LoggerFactory
+	authflowControllerLogger := webapp.NewAuthflowControllerLogger(factory)
+	request := p.Request
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	uiConfig := appConfig.UI
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	clockClock := _wireSystemClockValue
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	appID := appConfig.ID
+	handle := appProvider.Redis
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: handle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	contextContext := deps.ProvideRequestContext(request)
+	featureConfig := config.FeatureConfig
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	appdbHandle := appProvider.AppDatabase
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, appdbHandle)
+	store := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawCommands := &user.RawCommands{
+		Store: store,
+		Clock: clockClock,
+	}
+	rawQueries := &user.RawQueries{
+		Store: store,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	logger := event.NewLogger(factory)
+	localizationConfig := appConfig.Localization
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	authenticationConfig := appConfig.Authentication
+	identityConfig := appConfig.Identity
+	identityFeatureConfig := featureConfig.Identity
+	serviceStore := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginIDConfig := identityConfig.LoginID
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	resolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: resolver,
+	}
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	ratelimitLogger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: handle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  ratelimitLogger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 serviceStore,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	store3 := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store4 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store4,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: handle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          store3,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         store,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   store,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              store,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(handle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        appdbHandle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       store,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: appdbHandle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, appdbHandle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  handle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	serviceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            serviceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         store,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  handle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
+	cookieDef := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef,
+	}
+	redisLogger := redis.NewLogger(factory)
+	redisStore := &redis.Store{
+		Context:     contextContext,
+		Redis:       handle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	oAuthConfig := appConfig.OAuth
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: handle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           handle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	oauthclientResolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   redisStore,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	identityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	customattrsService := &customattrs.Service{
+		Config:         userProfileConfig,
+		ServiceNoEvent: customattrsServiceNoEvent,
+		Events:         eventService,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	workflowVerificationFacade := facade.WorkflowVerificationFacade{
+		Verification: verificationService,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	accountMigrationConfig := appConfig.AccountMigration
+	accountMigrationHookConfig := accountMigrationConfig.Hook
+	hookDenoClient := accountmigration.NewHookDenoClient(denoEndpoint, hookLogger, accountMigrationHookConfig)
+	denoMiddlewareLogger := accountmigration.NewDenoMiddlewareLogger(factory)
+	accountMigrationDenoHook := &accountmigration.AccountMigrationDenoHook{
+		DenoHook: denoHook,
+		Client:   hookDenoClient,
+		Logger:   denoMiddlewareLogger,
+	}
+	hookWebHookImpl := &hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	hookHTTPClient := accountmigration.NewHookHTTPClient(accountMigrationHookConfig)
+	webhookMiddlewareLogger := accountmigration.NewWebhookMiddlewareLogger(factory)
+	accountMigrationWebHook := &accountmigration.AccountMigrationWebHook{
+		WebHook: hookWebHookImpl,
+		Client:  hookHTTPClient,
+		Logger:  webhookMiddlewareLogger,
+	}
+	accountmigrationService := &accountmigration.Service{
+		Config:   accountMigrationHookConfig,
+		DenoHook: accountMigrationDenoHook,
+		WebHook:  accountMigrationWebHook,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: handle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	captchaConfig := appConfig.Captcha
+	providerLogger := captcha.NewProviderLogger(factory)
+	deprecated_CaptchaCloudflareCredentials := deps.ProvideCaptchaCloudflareCredentials(secretConfig)
+	cloudflareClient := captcha2.NewCloudflareClient(deprecated_CaptchaCloudflareCredentials)
+	captchaProvider := &captcha.Provider{
+		RemoteIP:         remoteIP,
+		Config:           captchaConfig,
+		Logger:           providerLogger,
+		CloudflareClient: cloudflareClient,
+	}
+	botProtectionConfig := appConfig.BotProtection
+	botprotectionProviderLogger := botprotection.NewProviderLogger(factory)
+	botProtectionProviderCredentials := deps.ProvideBotProtectionProvidersCredentials(secretConfig)
+	botprotectionCloudflareClient := botprotection.NewCloudflareClient(botProtectionProviderCredentials, environmentConfig)
+	recaptchaV2Client := botprotection.NewRecaptchaV2Client(botProtectionProviderCredentials, environmentConfig)
+	botprotectionProvider := &botprotection.Provider{
+		RemoteIP:          remoteIP,
+		Config:            botProtectionConfig,
+		Logger:            botprotectionProviderLogger,
+		CloudflareClient:  botprotectionCloudflareClient,
+		RecaptchaV2Client: recaptchaV2Client,
+		Events:            eventService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   handle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	requestOptionsService := &passkey2.RequestOptionsService{
+		ConfigService:   configService,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	creationOptionsService := &passkey2.CreationOptionsService{
+		ConfigService:   configService,
+		UserService:     userQueries,
+		IdentityService: serviceService,
+		Store:           store2,
+	}
+	ldapConfig := identityConfig.LDAP
+	ldapServerUserCredentials := deps.ProvideLDAPServerUserCredentials(secretConfig)
+	clientFactory := &ldap2.ClientFactory{
+		Config:       ldapConfig,
+		SecretConfig: ldapServerUserCredentials,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	userFacade := &facade.UserFacade{
+		UserProvider: userProvider,
+		Coordinator:  coordinator,
+	}
+	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
+	idTokenIssuer := &oidc.IDTokenIssuer{
+		Secrets:        oAuthKeyMaterials,
+		BaseURL:        endpointsEndpoints,
+		Users:          userQueries,
+		RolesAndGroups: queries,
+		Clock:          clockClock,
+	}
+	dependencies := &authenticationflow.Dependencies{
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		Clock:                           clockClock,
+		RemoteIP:                        remoteIP,
+		HTTPOrigin:                      httpOrigin,
+		HTTPRequest:                     request,
+		Users:                           userProvider,
+		Identities:                      identityFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		Authenticators:                  authenticatorFacade,
+		MFA:                             mfaFacade,
+		StdAttrsService:                 stdattrsService,
+		CustomAttrsService:              customattrsService,
+		OTPCodes:                        otpService,
+		OTPSender:                       messageSender,
+		Verification:                    workflowVerificationFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		AccountMigrations:               accountmigrationService,
+		Challenges:                      challengeProvider,
+		Captcha:                         captchaProvider,
+		BotProtection:                   botprotectionProvider,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		PasskeyRequestOptionsService:    requestOptionsService,
+		PasskeyCreationOptionsService:   creationOptionsService,
+		PasskeyService:                  passkeyService,
+		LoginIDs:                        provider,
+		LDAP:                            ldapProvider,
+		LDAPClientFactory:               clientFactory,
+		IDPSessions:                     idpsessionProvider,
+		Sessions:                        manager2,
+		AuthenticationInfos:             authenticationinfoStoreRedis,
+		SessionCookie:                   cookieDef,
+		MFADeviceTokenCookie:            mfaCookieDef,
+		UserFacade:                      userFacade,
+		Cookies:                         cookieManager,
+		Events:                          eventService,
+		RateLimiter:                     limiter,
+		OfflineGrants:                   redisStore,
+		IDTokens:                        idTokenIssuer,
+	}
+	authenticationflowServiceLogger := authenticationflow.NewServiceLogger(factory)
+	authenticationflowStoreImpl := &authenticationflow.StoreImpl{
+		Redis:   handle,
+		AppID:   appID,
+		Context: contextContext,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	authenticationflowService := &authenticationflow.Service{
+		ContextDoNotUseDirectly: contextContext,
+		Deps:                    dependencies,
+		Logger:                  authenticationflowServiceLogger,
+		Store:                   authenticationflowStoreImpl,
+		Database:                appdbHandle,
+		UIConfig:                uiConfig,
+		UIInfoResolver:          uiService,
+		OAuthClientResolver:     oauthclientResolver,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	samlsessionStoreRedis := &samlsession.StoreRedis{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	promptResolver := &oauth2.PromptResolver{
+		Clock: clockClock,
+	}
+	oauthOfflineGrantService := &oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	idTokenHintResolver := &oidc.IDTokenHintResolver{
+		Issuer:              idTokenIssuer,
+		Sessions:            idpsessionProvider,
+		OfflineGrantService: oauthOfflineGrantService,
+	}
+	uiInfoResolver := &oidc.UIInfoResolver{
+		Config:              oAuthConfig,
+		EndpointsProvider:   endpointsEndpoints,
+		PromptResolver:      promptResolver,
+		IDTokenHintResolver: idTokenHintResolver,
+		Clock:               clockClock,
+		Cookies:             cookieManager,
+		ClientResolver:      oauthclientResolver,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   handle,
+		AppID:   appID,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: handle,
+		Cookies:     cookieManager,
+	}
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	authflowController := &webapp.AuthflowController{
+		Logger:                  authflowControllerLogger,
+		TesterEndpointsProvider: endpointsEndpoints,
+		TrustProxy:              trustProxy,
+		Clock:                   clockClock,
+		Cookies:                 cookieManager,
+		Sessions:                sessionStoreRedis,
+		SessionCookie:           sessionCookieDef,
+		SignedUpCookie:          signedUpCookieDef,
+		Authflows:               authenticationflowService,
+		OAuthSessions:           oauthsessionStoreRedis,
+		SAMLSessions:            samlsessionStoreRedis,
+		UIInfoResolver:          uiInfoResolver,
+		UIConfig:                uiConfig,
+		OAuthClientResolver:     oauthclientResolver,
+		Navigator:               authflowV2Navigator,
+		ErrorRenderer:           errorRenderer,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               oauthclientResolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	authflowV2LDAPLoginHandler := &authflowv2.AuthflowV2LDAPLoginHandler{
+		Controller:    authflowController,
+		BaseViewModel: baseViewModeler,
+		Renderer:      responseRenderer,
+	}
+	return authflowV2LDAPLoginHandler
+}
+
+func newSAMLMetadataHandler(p *deps.RequestProvider) http.Handler {
+	clockClock := _wireSystemClockValue
+	appProvider := p.AppProvider
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	appID := appConfig.ID
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	samlEnvironmentConfig := environmentConfig.SAML
+	samlConfig := appConfig.SAML
+	secretConfig := config.SecretConfig
+	samlIdpSigningMaterials := deps.ProvideSAMLIdpSigningMaterials(secretConfig)
+	samlSpSigningMaterials := deps.ProvideSAMLSpSigningMaterials(secretConfig)
+	request := p.Request
+	trustProxy := environmentConfig.TrustProxy
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	uiConfig := appConfig.UI
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	contextContext := deps.ProvideRequestContext(request)
+	handle := appProvider.AppDatabase
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	store := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: store,
+	}
+	authenticationConfig := appConfig.Authentication
+	identityConfig := appConfig.Identity
+	featureConfig := config.FeatureConfig
+	identityFeatureConfig := featureConfig.Identity
+	serviceStore := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginIDConfig := identityConfig.LoginID
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	appredisHandle := appProvider.Redis
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	resolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: resolver,
+	}
+	localizationConfig := appConfig.Localization
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	factory := appProvider.LoggerFactory
+	logger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  logger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 serviceStore,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	store3 := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store4 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store4,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          store3,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         store,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   store,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              store,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	idTokenIssuer := &oidc.IDTokenIssuer{
+		Secrets:        oAuthKeyMaterials,
+		BaseURL:        endpointsEndpoints,
+		Users:          userQueries,
+		RolesAndGroups: queries,
+		Clock:          clockClock,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  appredisHandle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	sessionConfig := appConfig.Session
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           appredisHandle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	oAuthConfig := appConfig.OAuth
+	oauthclientResolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	redisLogger := redis.NewLogger(factory)
+	redisStore := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	offlineGrantService := &oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	samlService := &saml.Service{
+		Clock:                       clockClock,
+		AppID:                       appID,
+		SAMLEnvironmentConfig:       samlEnvironmentConfig,
+		SAMLConfig:                  samlConfig,
+		SAMLIdpSigningMaterials:     samlIdpSigningMaterials,
+		SAMLSpSigningMaterials:      samlSpSigningMaterials,
+		Endpoints:                   endpointsEndpoints,
+		UserInfoProvider:            idTokenIssuer,
+		IDPSessionProvider:          idpsessionProvider,
+		OfflineGrantSessionProvider: offlineGrantService,
+	}
+	metadataHandler := &saml2.MetadataHandler{
+		SAMLService: samlService,
+	}
+	return metadataHandler
+}
+
+func newSAMLLoginHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	factory := appProvider.LoggerFactory
+	loginHandlerLogger := saml2.NewLoginHandlerLogger(factory)
+	clockClock := _wireSystemClockValue
+	handle := appProvider.AppDatabase
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	samlConfig := appConfig.SAML
+	appID := appConfig.ID
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	samlEnvironmentConfig := environmentConfig.SAML
+	secretConfig := config.SecretConfig
+	samlIdpSigningMaterials := deps.ProvideSAMLIdpSigningMaterials(secretConfig)
+	samlSpSigningMaterials := deps.ProvideSAMLSpSigningMaterials(secretConfig)
+	request := p.Request
+	trustProxy := environmentConfig.TrustProxy
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	uiConfig := appConfig.UI
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	store := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: store,
+	}
+	authenticationConfig := appConfig.Authentication
+	identityConfig := appConfig.Identity
+	featureConfig := config.FeatureConfig
+	identityFeatureConfig := featureConfig.Identity
+	serviceStore := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginIDConfig := identityConfig.LoginID
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	appredisHandle := appProvider.Redis
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	resolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: resolver,
+	}
+	localizationConfig := appConfig.Localization
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	logger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  logger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 serviceStore,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	store3 := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store4 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store4,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          store3,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         store,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   store,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              store,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	idTokenIssuer := &oidc.IDTokenIssuer{
+		Secrets:        oAuthKeyMaterials,
+		BaseURL:        endpointsEndpoints,
+		Users:          userQueries,
+		RolesAndGroups: queries,
+		Clock:          clockClock,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  appredisHandle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	sessionConfig := appConfig.Session
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           appredisHandle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	oAuthConfig := appConfig.OAuth
+	oauthclientResolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	redisLogger := redis.NewLogger(factory)
+	redisStore := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	offlineGrantService := &oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	samlService := &saml.Service{
+		Clock:                       clockClock,
+		AppID:                       appID,
+		SAMLEnvironmentConfig:       samlEnvironmentConfig,
+		SAMLConfig:                  samlConfig,
+		SAMLIdpSigningMaterials:     samlIdpSigningMaterials,
+		SAMLSpSigningMaterials:      samlSpSigningMaterials,
+		Endpoints:                   endpointsEndpoints,
+		UserInfoProvider:            idTokenIssuer,
+		IDPSessionProvider:          idpsessionProvider,
+		OfflineGrantSessionProvider: offlineGrantService,
+	}
+	samlsessionStoreRedis := &samlsession.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	uiService := &samlsession.UIService{
+		Endpoints: endpointsEndpoints,
+	}
+	rawCommands := &user.RawCommands{
+		Store: store,
+		Clock: clockClock,
+	}
+	eventLogger := event.NewLogger(factory)
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        handle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       store,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: handle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  appredisHandle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	serviceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            serviceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         store,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	cookieDef := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef,
+	}
+	oauthOfflineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   redisStore,
+		Config:  oAuthConfig,
+		Service: oauthOfflineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	userFacade := &facade.UserFacade{
+		UserProvider: userProvider,
+		Coordinator:  coordinator,
+	}
+	loginResultHandler := saml2.LoginResultHandler{
+		Clock:       clockClock,
+		Database:    handle,
+		SAMLService: samlService,
+	}
+	samlBindingHTTPPostWriter := &samlbinding.SAMLBindingHTTPPostWriter{}
+	loginHandler := &saml2.LoginHandler{
+		Logger:                loginHandlerLogger,
+		Clock:                 clockClock,
+		Database:              handle,
+		SAMLConfig:            samlConfig,
+		SAMLService:           samlService,
+		SAMLSessionService:    samlsessionStoreRedis,
+		SAMLUIService:         uiService,
+		UserFacade:            userFacade,
+		LoginResultHandler:    loginResultHandler,
+		BindingHTTPPostWriter: samlBindingHTTPPostWriter,
+	}
+	return loginHandler
+}
+
+func newSAMLLoginFinishHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	factory := appProvider.LoggerFactory
+	loginFinishHandlerLogger := saml2.NewLoginFinishHandlerLogger(factory)
+	clockClock := _wireSystemClockValue
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	appID := appConfig.ID
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	samlEnvironmentConfig := environmentConfig.SAML
+	samlConfig := appConfig.SAML
+	secretConfig := config.SecretConfig
+	samlIdpSigningMaterials := deps.ProvideSAMLIdpSigningMaterials(secretConfig)
+	samlSpSigningMaterials := deps.ProvideSAMLSpSigningMaterials(secretConfig)
+	request := p.Request
+	trustProxy := environmentConfig.TrustProxy
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	uiConfig := appConfig.UI
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	contextContext := deps.ProvideRequestContext(request)
+	handle := appProvider.AppDatabase
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	store := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: store,
+	}
+	authenticationConfig := appConfig.Authentication
+	identityConfig := appConfig.Identity
+	featureConfig := config.FeatureConfig
+	identityFeatureConfig := featureConfig.Identity
+	serviceStore := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginIDConfig := identityConfig.LoginID
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	appredisHandle := appProvider.Redis
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	resolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: resolver,
+	}
+	localizationConfig := appConfig.Localization
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	logger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  logger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 serviceStore,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	store3 := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store4 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store4,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          store3,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         store,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   store,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              store,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	idTokenIssuer := &oidc.IDTokenIssuer{
+		Secrets:        oAuthKeyMaterials,
+		BaseURL:        endpointsEndpoints,
+		Users:          userQueries,
+		RolesAndGroups: queries,
+		Clock:          clockClock,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  appredisHandle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	sessionConfig := appConfig.Session
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           appredisHandle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	oAuthConfig := appConfig.OAuth
+	oauthclientResolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	redisLogger := redis.NewLogger(factory)
+	redisStore := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	offlineGrantService := &oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	samlService := &saml.Service{
+		Clock:                       clockClock,
+		AppID:                       appID,
+		SAMLEnvironmentConfig:       samlEnvironmentConfig,
+		SAMLConfig:                  samlConfig,
+		SAMLIdpSigningMaterials:     samlIdpSigningMaterials,
+		SAMLSpSigningMaterials:      samlSpSigningMaterials,
+		Endpoints:                   endpointsEndpoints,
+		UserInfoProvider:            idTokenIssuer,
+		IDPSessionProvider:          idpsessionProvider,
+		OfflineGrantSessionProvider: offlineGrantService,
+	}
+	samlsessionStoreRedis := &samlsession.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	loginResultHandler := saml2.LoginResultHandler{
+		Clock:       clockClock,
+		Database:    handle,
+		SAMLService: samlService,
+	}
+	samlBindingHTTPPostWriter := &samlbinding.SAMLBindingHTTPPostWriter{}
+	loginFinishHandler := &saml2.LoginFinishHandler{
+		Logger:                     loginFinishHandlerLogger,
+		Clock:                      clockClock,
+		SAMLService:                samlService,
+		SAMLSessionService:         samlsessionStoreRedis,
+		AuthenticationInfoResolver: uiService,
+		AuthenticationInfoService:  authenticationinfoStoreRedis,
+		LoginResultHandler:         loginResultHandler,
+		BindingHTTPPostWriter:      samlBindingHTTPPostWriter,
+	}
+	return loginFinishHandler
+}
+
+func newSAMLLogoutHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	factory := appProvider.LoggerFactory
+	logoutHandlerLogger := saml2.NewLogoutHandlerLogger(factory)
+	clockClock := _wireSystemClockValue
+	handle := appProvider.AppDatabase
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	samlConfig := appConfig.SAML
+	appID := appConfig.ID
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	samlEnvironmentConfig := environmentConfig.SAML
+	secretConfig := config.SecretConfig
+	samlIdpSigningMaterials := deps.ProvideSAMLIdpSigningMaterials(secretConfig)
+	samlSpSigningMaterials := deps.ProvideSAMLSpSigningMaterials(secretConfig)
+	request := p.Request
+	trustProxy := environmentConfig.TrustProxy
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	uiConfig := appConfig.UI
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	store := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: store,
+	}
+	authenticationConfig := appConfig.Authentication
+	identityConfig := appConfig.Identity
+	featureConfig := config.FeatureConfig
+	identityFeatureConfig := featureConfig.Identity
+	serviceStore := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginIDConfig := identityConfig.LoginID
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	appredisHandle := appProvider.Redis
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	resolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: resolver,
+	}
+	localizationConfig := appConfig.Localization
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	logger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  logger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 serviceStore,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	store3 := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store4 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store4,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          store3,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         store,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   store,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              store,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	idTokenIssuer := &oidc.IDTokenIssuer{
+		Secrets:        oAuthKeyMaterials,
+		BaseURL:        endpointsEndpoints,
+		Users:          userQueries,
+		RolesAndGroups: queries,
+		Clock:          clockClock,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  appredisHandle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	sessionConfig := appConfig.Session
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           appredisHandle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	oAuthConfig := appConfig.OAuth
+	oauthclientResolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	redisLogger := redis.NewLogger(factory)
+	redisStore := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	offlineGrantService := &oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
 	}
 	samlService := &saml.Service{
 		Clock:                       clockClock,
@@ -138833,7 +150844,14289 @@ func newSAMLLoginFinishHandler(p *deps.RequestProvider) http.Handler {
 		IDPSessionProvider:          idpsessionProvider,
 		OfflineGrantSessionProvider: offlineGrantService,
 	}
-	samlsessionStoreRedis := &samlsession.StoreRedis{
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	cookieDef := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef,
+	}
+	oauthOfflineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   redisStore,
+		Config:  oAuthConfig,
+		Service: oauthOfflineGrantService,
+	}
+	eventLogger := event.NewLogger(factory)
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        handle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       store,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: handle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	samlslosessionStoreRedis := &samlslosession.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	samlBindingHTTPPostWriter := &samlbinding.SAMLBindingHTTPPostWriter{}
+	samlBindingHTTPRedirectWriter := &samlbinding.SAMLBindingHTTPRedirectWriter{
+		Signer: samlService,
+	}
+	sloService := &saml.SLOService{
+		SAMLService:               samlService,
+		BindingHTTPPostWriter:     samlBindingHTTPPostWriter,
+		BindingHTTPRedirectWriter: samlBindingHTTPRedirectWriter,
+	}
+	logoutHandler := &saml2.LogoutHandler{
+		Logger:                    logoutHandlerLogger,
+		Clock:                     clockClock,
+		Database:                  handle,
+		SAMLConfig:                samlConfig,
+		SAMLService:               samlService,
+		SessionManager:            manager2,
+		SAMLSLOSessionService:     samlslosessionStoreRedis,
+		SAMLSLOService:            sloService,
+		Endpoints:                 endpointsEndpoints,
+		BindingHTTPPostWriter:     samlBindingHTTPPostWriter,
+		BindingHTTPRedirectWriter: samlBindingHTTPRedirectWriter,
+	}
+	return logoutHandler
+}
+
+func newWebAppAuthflowV2SettingsProfile(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	factory := appProvider.LoggerFactory
+	handle := appProvider.AppDatabase
+	appredisHandle := appProvider.Redis
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	appID := appConfig.ID
+	serviceLogger := webapp2.NewServiceLogger(factory)
+	request := p.Request
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	authenticationConfig := appConfig.Authentication
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	resolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	logger := interaction.NewLogger(factory)
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	clockClock := _wireSystemClockValue
+	featureConfig := config.FeatureConfig
+	redisLogger := redis.NewLogger(factory)
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	store := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	eventLogger := event.NewLogger(factory)
+	localizationConfig := appConfig.Localization
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	userStore := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: userStore,
+	}
+	identityConfig := appConfig.Identity
+	identityFeatureConfig := featureConfig.Identity
+	serviceStore := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginIDConfig := identityConfig.LoginID
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	templateResolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: templateResolver,
+	}
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	ratelimitLogger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  ratelimitLogger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 serviceStore,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	store3 := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store4 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store4,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          store3,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   userStore,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              userStore,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        handle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       userStore,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: handle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  appredisHandle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            whatsappServiceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	rawCommands := &user.RawCommands{
+		Store: userStore,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  appredisHandle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef2,
+	}
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           appredisHandle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   store,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	identityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		OAuthClientResolver:             resolver,
+		OfflineGrants:                   store,
+		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
+		OTPSender:                       messageSender,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
+		Challenges:                      challengeProvider,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
+		Events:                          eventService,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
+	}
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	interactionService := &interaction.Service{
+		Logger:  logger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
+	}
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  resolver,
+		Graph:                interactionService,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               resolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
+	}
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
+	}
+	facadeIdentityFacade := &facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	settingsProfileViewModeler := &viewmodels.SettingsProfileViewModeler{
+		Localization:      localizationConfig,
+		UserProfileConfig: userProfileConfig,
+		Users:             userQueries,
+		Identities:        facadeIdentityFacade,
+		Clock:             clockClock,
+	}
+	authflowV2SettingsProfileHandler := &authflowv2.AuthflowV2SettingsProfileHandler{
+		ControllerFactory:        controllerFactory,
+		BaseViewModel:            baseViewModeler,
+		SettingsProfileViewModel: settingsProfileViewModeler,
+		Renderer:                 responseRenderer,
+	}
+	return authflowV2SettingsProfileHandler
+}
+
+func newWebAppAuthflowV2SettingsIdentityAddEmailHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	factory := appProvider.LoggerFactory
+	handle := appProvider.AppDatabase
+	appredisHandle := appProvider.Redis
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	appID := appConfig.ID
+	serviceLogger := webapp2.NewServiceLogger(factory)
+	request := p.Request
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	authenticationConfig := appConfig.Authentication
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	resolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	logger := interaction.NewLogger(factory)
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	clockClock := _wireSystemClockValue
+	featureConfig := config.FeatureConfig
+	redisLogger := redis.NewLogger(factory)
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	store := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	eventLogger := event.NewLogger(factory)
+	localizationConfig := appConfig.Localization
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	userStore := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: userStore,
+	}
+	identityConfig := appConfig.Identity
+	identityFeatureConfig := featureConfig.Identity
+	serviceStore := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginIDConfig := identityConfig.LoginID
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	templateResolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: templateResolver,
+	}
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	ratelimitLogger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  ratelimitLogger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 serviceStore,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	store3 := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store4 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store4,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          store3,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   userStore,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              userStore,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        handle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       userStore,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: handle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  appredisHandle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            whatsappServiceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	rawCommands := &user.RawCommands{
+		Store: userStore,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  appredisHandle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef2,
+	}
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           appredisHandle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   store,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	identityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		OAuthClientResolver:             resolver,
+		OfflineGrants:                   store,
+		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
+		OTPSender:                       messageSender,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
+		Challenges:                      challengeProvider,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
+		Events:                          eventService,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
+	}
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	interactionService := &interaction.Service{
+		Logger:  logger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
+	}
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  resolver,
+		Graph:                interactionService,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               resolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
+	}
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
+	}
+	redisStore := &accountmanagement.RedisStore{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+		Clock:   clockClock,
+	}
+	facadeIdentityFacade := &facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	accountmanagementService := accountmanagement.Service{
+		Database:                  handle,
+		Config:                    appConfig,
+		Users:                     userProvider,
+		Store:                     redisStore,
+		OAuthProvider:             oAuthProviderFactory,
+		Identities:                facadeIdentityFacade,
+		Events:                    eventService,
+		OTPSender:                 messageSender,
+		OTPCodeService:            otpService,
+		Authenticators:            authenticatorFacade,
+		AuthenticationInfoService: authenticationinfoStoreRedis,
+		PasskeyService:            passkeyService,
+		Verification:              verificationService,
+		UIInfoResolver:            uiService,
+	}
+	authflowV2SettingsIdentityAddEmailHandler := &authflowv2.AuthflowV2SettingsIdentityAddEmailHandler{
+		ControllerFactory: controllerFactory,
+		BaseViewModel:     baseViewModeler,
+		Renderer:          responseRenderer,
+		AccountManagement: accountmanagementService,
+	}
+	return authflowV2SettingsIdentityAddEmailHandler
+}
+
+func newWebAppAuthflowV2SettingsIdentityEditEmailHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	handle := appProvider.AppDatabase
+	factory := appProvider.LoggerFactory
+	appredisHandle := appProvider.Redis
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	appID := appConfig.ID
+	serviceLogger := webapp2.NewServiceLogger(factory)
+	request := p.Request
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	authenticationConfig := appConfig.Authentication
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	resolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	logger := interaction.NewLogger(factory)
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	clockClock := _wireSystemClockValue
+	featureConfig := config.FeatureConfig
+	redisLogger := redis.NewLogger(factory)
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	store := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	eventLogger := event.NewLogger(factory)
+	localizationConfig := appConfig.Localization
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	userStore := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: userStore,
+	}
+	identityConfig := appConfig.Identity
+	identityFeatureConfig := featureConfig.Identity
+	serviceStore := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginIDConfig := identityConfig.LoginID
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	templateResolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: templateResolver,
+	}
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	ratelimitLogger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  ratelimitLogger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 serviceStore,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	store3 := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store4 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store4,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          store3,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   userStore,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              userStore,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        handle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       userStore,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: handle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  appredisHandle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            whatsappServiceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	rawCommands := &user.RawCommands{
+		Store: userStore,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  appredisHandle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef2,
+	}
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           appredisHandle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   store,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	identityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		OAuthClientResolver:             resolver,
+		OfflineGrants:                   store,
+		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
+		OTPSender:                       messageSender,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
+		Challenges:                      challengeProvider,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
+		Events:                          eventService,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
+	}
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	interactionService := &interaction.Service{
+		Logger:  logger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
+	}
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  resolver,
+		Graph:                interactionService,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               resolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
+	}
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
+	}
+	redisStore := &accountmanagement.RedisStore{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+		Clock:   clockClock,
+	}
+	facadeIdentityFacade := &facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	accountmanagementService := accountmanagement.Service{
+		Database:                  handle,
+		Config:                    appConfig,
+		Users:                     userProvider,
+		Store:                     redisStore,
+		OAuthProvider:             oAuthProviderFactory,
+		Identities:                facadeIdentityFacade,
+		Events:                    eventService,
+		OTPSender:                 messageSender,
+		OTPCodeService:            otpService,
+		Authenticators:            authenticatorFacade,
+		AuthenticationInfoService: authenticationinfoStoreRedis,
+		PasskeyService:            passkeyService,
+		Verification:              verificationService,
+		UIInfoResolver:            uiService,
+	}
+	authflowV2SettingsIdentityEditEmailHandler := &authflowv2.AuthflowV2SettingsIdentityEditEmailHandler{
+		Database:          handle,
+		ControllerFactory: controllerFactory,
+		BaseViewModel:     baseViewModeler,
+		Renderer:          responseRenderer,
+		AccountManagement: accountmanagementService,
+		Identities:        serviceService,
+	}
+	return authflowV2SettingsIdentityEditEmailHandler
+}
+
+func newWebAppAuthflowV2SettingsIdentityListEmailHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	handle := appProvider.AppDatabase
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	identityConfig := appConfig.Identity
+	loginIDConfig := identityConfig.LoginID
+	authenticationConfig := appConfig.Authentication
+	featureConfig := config.FeatureConfig
+	identityFeatureConfig := featureConfig.Identity
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	appID := appConfig.ID
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	request := p.Request
+	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	store := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	uiConfig := appConfig.UI
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	clockClock := _wireSystemClockValue
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	appredisHandle := appProvider.Redis
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	resolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: resolver,
+	}
+	localizationConfig := appConfig.Localization
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	factory := appProvider.LoggerFactory
+	logger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  logger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 store,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	serviceLogger := webapp2.NewServiceLogger(factory)
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	oAuthConfig := appConfig.OAuth
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	oauthclientResolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	interactionLogger := interaction.NewLogger(factory)
+	redisLogger := redis.NewLogger(factory)
+	redisStore := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	eventLogger := event.NewLogger(factory)
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	userStore := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: userStore,
+	}
+	serviceStore := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store3 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store3,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          serviceStore,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   userStore,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              userStore,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        handle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       userStore,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: handle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  appredisHandle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            whatsappServiceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	rawCommands := &user.RawCommands{
+		Store: userStore,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  appredisHandle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef2,
+	}
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           appredisHandle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   redisStore,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	identityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		OAuthClientResolver:             oauthclientResolver,
+		OfflineGrants:                   redisStore,
+		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
+		OTPSender:                       messageSender,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
+		Challenges:                      challengeProvider,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
+		Events:                          eventService,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
+	}
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	interactionService := &interaction.Service{
+		Logger:  interactionLogger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
+	}
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  oauthclientResolver,
+		Graph:                interactionService,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               oauthclientResolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
+	}
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
+	}
+	facadeIdentityFacade := &facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	settingsProfileViewModeler := &viewmodels.SettingsProfileViewModeler{
+		Localization:      localizationConfig,
+		UserProfileConfig: userProfileConfig,
+		Users:             userQueries,
+		Identities:        facadeIdentityFacade,
+		Clock:             clockClock,
+	}
+	authflowV2SettingsIdentityListEmailHandler := &authflowv2.AuthflowV2SettingsIdentityListEmailHandler{
+		Database:                 handle,
+		LoginIDConfig:            loginIDConfig,
+		Identities:               serviceService,
+		ControllerFactory:        controllerFactory,
+		BaseViewModel:            baseViewModeler,
+		Verification:             verificationService,
+		SettingsProfileViewModel: settingsProfileViewModeler,
+		Renderer:                 responseRenderer,
+	}
+	return authflowV2SettingsIdentityListEmailHandler
+}
+
+func newWebAppAuthflowV2SettingsIdentityVerifyEmailHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	handle := appProvider.AppDatabase
+	factory := appProvider.LoggerFactory
+	appredisHandle := appProvider.Redis
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	appID := appConfig.ID
+	serviceLogger := webapp2.NewServiceLogger(factory)
+	request := p.Request
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	authenticationConfig := appConfig.Authentication
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	resolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	logger := interaction.NewLogger(factory)
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	clockClock := _wireSystemClockValue
+	featureConfig := config.FeatureConfig
+	redisLogger := redis.NewLogger(factory)
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	store := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	eventLogger := event.NewLogger(factory)
+	localizationConfig := appConfig.Localization
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	userStore := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: userStore,
+	}
+	identityConfig := appConfig.Identity
+	identityFeatureConfig := featureConfig.Identity
+	serviceStore := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginIDConfig := identityConfig.LoginID
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	templateResolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: templateResolver,
+	}
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	ratelimitLogger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  ratelimitLogger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 serviceStore,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	store3 := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store4 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store4,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          store3,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   userStore,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              userStore,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        handle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       userStore,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: handle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  appredisHandle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            whatsappServiceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	rawCommands := &user.RawCommands{
+		Store: userStore,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  appredisHandle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef2,
+	}
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           appredisHandle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   store,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	identityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		OAuthClientResolver:             resolver,
+		OfflineGrants:                   store,
+		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
+		OTPSender:                       messageSender,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
+		Challenges:                      challengeProvider,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
+		Events:                          eventService,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
+	}
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	interactionService := &interaction.Service{
+		Logger:  logger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
+	}
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  resolver,
+		Graph:                interactionService,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               resolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
+	}
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
+	}
+	redisStore := &accountmanagement.RedisStore{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+		Clock:   clockClock,
+	}
+	facadeIdentityFacade := &facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	accountmanagementService := accountmanagement.Service{
+		Database:                  handle,
+		Config:                    appConfig,
+		Users:                     userProvider,
+		Store:                     redisStore,
+		OAuthProvider:             oAuthProviderFactory,
+		Identities:                facadeIdentityFacade,
+		Events:                    eventService,
+		OTPSender:                 messageSender,
+		OTPCodeService:            otpService,
+		Authenticators:            authenticatorFacade,
+		AuthenticationInfoService: authenticationinfoStoreRedis,
+		PasskeyService:            passkeyService,
+		Verification:              verificationService,
+		UIInfoResolver:            uiService,
+	}
+	authflowV2SettingsIdentityVerifyEmailHandler := &authflowv2.AuthflowV2SettingsIdentityVerifyEmailHandler{
+		Database:            handle,
+		ControllerFactory:   controllerFactory,
+		BaseViewModel:       baseViewModeler,
+		OTPCodeService:      otpService,
+		Renderer:            responseRenderer,
+		AccountManagement:   accountmanagementService,
+		Clock:               clockClock,
+		Config:              appConfig,
+		AuthenticatorConfig: authenticatorConfig,
+	}
+	return authflowV2SettingsIdentityVerifyEmailHandler
+}
+
+func newWebAppAuthflowV2SettingsIdentityViewEmailHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	handle := appProvider.AppDatabase
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	identityConfig := appConfig.Identity
+	loginIDConfig := identityConfig.LoginID
+	authenticationConfig := appConfig.Authentication
+	featureConfig := config.FeatureConfig
+	identityFeatureConfig := featureConfig.Identity
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	appID := appConfig.ID
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	request := p.Request
+	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	store := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	uiConfig := appConfig.UI
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	clockClock := _wireSystemClockValue
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	appredisHandle := appProvider.Redis
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	resolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: resolver,
+	}
+	localizationConfig := appConfig.Localization
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	factory := appProvider.LoggerFactory
+	logger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  logger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 store,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	serviceLogger := webapp2.NewServiceLogger(factory)
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	oAuthConfig := appConfig.OAuth
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	oauthclientResolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	interactionLogger := interaction.NewLogger(factory)
+	redisLogger := redis.NewLogger(factory)
+	redisStore := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	eventLogger := event.NewLogger(factory)
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	userStore := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: userStore,
+	}
+	serviceStore := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store3 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store3,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          serviceStore,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   userStore,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              userStore,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        handle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       userStore,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: handle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  appredisHandle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            whatsappServiceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	rawCommands := &user.RawCommands{
+		Store: userStore,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  appredisHandle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef2,
+	}
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           appredisHandle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   redisStore,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	identityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		OAuthClientResolver:             oauthclientResolver,
+		OfflineGrants:                   redisStore,
+		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
+		OTPSender:                       messageSender,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
+		Challenges:                      challengeProvider,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
+		Events:                          eventService,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
+	}
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	interactionService := &interaction.Service{
+		Logger:  interactionLogger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
+	}
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  oauthclientResolver,
+		Graph:                interactionService,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               oauthclientResolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
+	}
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
+	}
+	service4 := verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	accountmanagementRedisStore := &accountmanagement.RedisStore{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+		Clock:   clockClock,
+	}
+	facadeIdentityFacade := &facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	accountmanagementService := accountmanagement.Service{
+		Database:                  handle,
+		Config:                    appConfig,
+		Users:                     userProvider,
+		Store:                     accountmanagementRedisStore,
+		OAuthProvider:             oAuthProviderFactory,
+		Identities:                facadeIdentityFacade,
+		Events:                    eventService,
+		OTPSender:                 messageSender,
+		OTPCodeService:            otpService,
+		Authenticators:            authenticatorFacade,
+		AuthenticationInfoService: authenticationinfoStoreRedis,
+		PasskeyService:            passkeyService,
+		Verification:              verificationService,
+		UIInfoResolver:            uiService,
+	}
+	authflowV2SettingsIdentityViewEmailHandler := &authflowv2.AuthflowV2SettingsIdentityViewEmailHandler{
+		Database:          handle,
+		LoginIDConfig:     loginIDConfig,
+		Identities:        serviceService,
+		ControllerFactory: controllerFactory,
+		BaseViewModel:     baseViewModeler,
+		Verification:      service4,
+		Renderer:          responseRenderer,
+		AccountManagement: accountmanagementService,
+	}
+	return authflowV2SettingsIdentityViewEmailHandler
+}
+
+func newWebAppAuthflowV2SettingsIdentityChangePrimaryEmailHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	handle := appProvider.AppDatabase
+	factory := appProvider.LoggerFactory
+	appredisHandle := appProvider.Redis
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	appID := appConfig.ID
+	serviceLogger := webapp2.NewServiceLogger(factory)
+	request := p.Request
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	authenticationConfig := appConfig.Authentication
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	resolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	logger := interaction.NewLogger(factory)
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	clockClock := _wireSystemClockValue
+	featureConfig := config.FeatureConfig
+	redisLogger := redis.NewLogger(factory)
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	store := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	eventLogger := event.NewLogger(factory)
+	localizationConfig := appConfig.Localization
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	userStore := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: userStore,
+	}
+	identityConfig := appConfig.Identity
+	identityFeatureConfig := featureConfig.Identity
+	serviceStore := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginIDConfig := identityConfig.LoginID
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	templateResolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: templateResolver,
+	}
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	ratelimitLogger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  ratelimitLogger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 serviceStore,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	store3 := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store4 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store4,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          store3,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   userStore,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              userStore,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        handle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       userStore,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: handle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  appredisHandle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            whatsappServiceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	rawCommands := &user.RawCommands{
+		Store: userStore,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  appredisHandle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef2,
+	}
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           appredisHandle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   store,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	identityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		OAuthClientResolver:             resolver,
+		OfflineGrants:                   store,
+		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
+		OTPSender:                       messageSender,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
+		Challenges:                      challengeProvider,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
+		Events:                          eventService,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
+	}
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	interactionService := &interaction.Service{
+		Logger:  logger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
+	}
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  resolver,
+		Graph:                interactionService,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               resolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
+	}
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
+	}
+	facadeIdentityFacade := &facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	settingsProfileViewModeler := &viewmodels.SettingsProfileViewModeler{
+		Localization:      localizationConfig,
+		UserProfileConfig: userProfileConfig,
+		Users:             userQueries,
+		Identities:        facadeIdentityFacade,
+		Clock:             clockClock,
+	}
+	userFacade := &facade.UserFacade{
+		UserProvider: userProvider,
+		Coordinator:  coordinator,
+	}
+	authflowV2SettingsIdentityChangePrimaryEmailHandler := &authflowv2.AuthflowV2SettingsIdentityChangePrimaryEmailHandler{
+		Database:                 handle,
+		ControllerFactory:        controllerFactory,
+		BaseViewModel:            baseViewModeler,
+		SettingsProfileViewModel: settingsProfileViewModeler,
+		Renderer:                 responseRenderer,
+		Users:                    userFacade,
+		StdAttrs:                 stdattrsService,
+		Identities:               serviceService,
+	}
+	return authflowV2SettingsIdentityChangePrimaryEmailHandler
+}
+
+func newWebAppAuthflowV2SettingsIdentityAddPhoneHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	factory := appProvider.LoggerFactory
+	handle := appProvider.AppDatabase
+	appredisHandle := appProvider.Redis
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	appID := appConfig.ID
+	serviceLogger := webapp2.NewServiceLogger(factory)
+	request := p.Request
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	authenticationConfig := appConfig.Authentication
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	resolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	logger := interaction.NewLogger(factory)
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	clockClock := _wireSystemClockValue
+	featureConfig := config.FeatureConfig
+	redisLogger := redis.NewLogger(factory)
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	store := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	eventLogger := event.NewLogger(factory)
+	localizationConfig := appConfig.Localization
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	userStore := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: userStore,
+	}
+	identityConfig := appConfig.Identity
+	identityFeatureConfig := featureConfig.Identity
+	serviceStore := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginIDConfig := identityConfig.LoginID
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	templateResolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: templateResolver,
+	}
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	ratelimitLogger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  ratelimitLogger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 serviceStore,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	store3 := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store4 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store4,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          store3,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   userStore,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              userStore,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        handle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       userStore,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: handle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  appredisHandle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            whatsappServiceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	rawCommands := &user.RawCommands{
+		Store: userStore,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  appredisHandle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef2,
+	}
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           appredisHandle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   store,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	identityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		OAuthClientResolver:             resolver,
+		OfflineGrants:                   store,
+		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
+		OTPSender:                       messageSender,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
+		Challenges:                      challengeProvider,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
+		Events:                          eventService,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
+	}
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	interactionService := &interaction.Service{
+		Logger:  logger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
+	}
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  resolver,
+		Graph:                interactionService,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               resolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
+	}
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
+	}
+	redisStore := &accountmanagement.RedisStore{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+		Clock:   clockClock,
+	}
+	facadeIdentityFacade := &facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	accountmanagementService := accountmanagement.Service{
+		Database:                  handle,
+		Config:                    appConfig,
+		Users:                     userProvider,
+		Store:                     redisStore,
+		OAuthProvider:             oAuthProviderFactory,
+		Identities:                facadeIdentityFacade,
+		Events:                    eventService,
+		OTPSender:                 messageSender,
+		OTPCodeService:            otpService,
+		Authenticators:            authenticatorFacade,
+		AuthenticationInfoService: authenticationinfoStoreRedis,
+		PasskeyService:            passkeyService,
+		Verification:              verificationService,
+		UIInfoResolver:            uiService,
+	}
+	authflowV2SettingsIdentityAddPhoneHandler := &authflowv2.AuthflowV2SettingsIdentityAddPhoneHandler{
+		ControllerFactory:   controllerFactory,
+		BaseViewModel:       baseViewModeler,
+		Renderer:            responseRenderer,
+		AuthenticatorConfig: authenticatorConfig,
+		AccountManagement:   accountmanagementService,
+	}
+	return authflowV2SettingsIdentityAddPhoneHandler
+}
+
+func newWebAppAuthflowV2SettingsIdentityEditPhoneHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	handle := appProvider.AppDatabase
+	factory := appProvider.LoggerFactory
+	appredisHandle := appProvider.Redis
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	appID := appConfig.ID
+	serviceLogger := webapp2.NewServiceLogger(factory)
+	request := p.Request
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	authenticationConfig := appConfig.Authentication
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	resolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	logger := interaction.NewLogger(factory)
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	clockClock := _wireSystemClockValue
+	featureConfig := config.FeatureConfig
+	redisLogger := redis.NewLogger(factory)
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	store := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	eventLogger := event.NewLogger(factory)
+	localizationConfig := appConfig.Localization
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	userStore := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: userStore,
+	}
+	identityConfig := appConfig.Identity
+	identityFeatureConfig := featureConfig.Identity
+	serviceStore := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginIDConfig := identityConfig.LoginID
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	templateResolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: templateResolver,
+	}
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	ratelimitLogger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  ratelimitLogger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 serviceStore,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	store3 := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store4 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store4,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          store3,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   userStore,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              userStore,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        handle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       userStore,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: handle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  appredisHandle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            whatsappServiceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	rawCommands := &user.RawCommands{
+		Store: userStore,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  appredisHandle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef2,
+	}
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           appredisHandle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   store,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	identityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		OAuthClientResolver:             resolver,
+		OfflineGrants:                   store,
+		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
+		OTPSender:                       messageSender,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
+		Challenges:                      challengeProvider,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
+		Events:                          eventService,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
+	}
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	interactionService := &interaction.Service{
+		Logger:  logger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
+	}
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  resolver,
+		Graph:                interactionService,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               resolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
+	}
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
+	}
+	redisStore := &accountmanagement.RedisStore{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+		Clock:   clockClock,
+	}
+	facadeIdentityFacade := &facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	accountmanagementService := accountmanagement.Service{
+		Database:                  handle,
+		Config:                    appConfig,
+		Users:                     userProvider,
+		Store:                     redisStore,
+		OAuthProvider:             oAuthProviderFactory,
+		Identities:                facadeIdentityFacade,
+		Events:                    eventService,
+		OTPSender:                 messageSender,
+		OTPCodeService:            otpService,
+		Authenticators:            authenticatorFacade,
+		AuthenticationInfoService: authenticationinfoStoreRedis,
+		PasskeyService:            passkeyService,
+		Verification:              verificationService,
+		UIInfoResolver:            uiService,
+	}
+	authflowV2SettingsIdentityEditPhoneHandler := &authflowv2.AuthflowV2SettingsIdentityEditPhoneHandler{
+		Database:            handle,
+		ControllerFactory:   controllerFactory,
+		BaseViewModel:       baseViewModeler,
+		Renderer:            responseRenderer,
+		AuthenticatorConfig: authenticatorConfig,
+		AccountManagement:   accountmanagementService,
+		Identities:          serviceService,
+	}
+	return authflowV2SettingsIdentityEditPhoneHandler
+}
+
+func newWebAppAuthflowV2SettingsIdentityListPhoneHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	handle := appProvider.AppDatabase
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	identityConfig := appConfig.Identity
+	loginIDConfig := identityConfig.LoginID
+	authenticationConfig := appConfig.Authentication
+	featureConfig := config.FeatureConfig
+	identityFeatureConfig := featureConfig.Identity
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	appID := appConfig.ID
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	request := p.Request
+	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	store := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	uiConfig := appConfig.UI
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	clockClock := _wireSystemClockValue
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	appredisHandle := appProvider.Redis
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	resolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: resolver,
+	}
+	localizationConfig := appConfig.Localization
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	factory := appProvider.LoggerFactory
+	logger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  logger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 store,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	serviceLogger := webapp2.NewServiceLogger(factory)
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	oAuthConfig := appConfig.OAuth
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	oauthclientResolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	interactionLogger := interaction.NewLogger(factory)
+	redisLogger := redis.NewLogger(factory)
+	redisStore := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	eventLogger := event.NewLogger(factory)
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	userStore := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: userStore,
+	}
+	serviceStore := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store3 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store3,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          serviceStore,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   userStore,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              userStore,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        handle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       userStore,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: handle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  appredisHandle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            whatsappServiceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	rawCommands := &user.RawCommands{
+		Store: userStore,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  appredisHandle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef2,
+	}
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           appredisHandle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   redisStore,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	identityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		OAuthClientResolver:             oauthclientResolver,
+		OfflineGrants:                   redisStore,
+		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
+		OTPSender:                       messageSender,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
+		Challenges:                      challengeProvider,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
+		Events:                          eventService,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
+	}
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	interactionService := &interaction.Service{
+		Logger:  interactionLogger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
+	}
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  oauthclientResolver,
+		Graph:                interactionService,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               oauthclientResolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
+	}
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
+	}
+	facadeIdentityFacade := &facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	settingsProfileViewModeler := &viewmodels.SettingsProfileViewModeler{
+		Localization:      localizationConfig,
+		UserProfileConfig: userProfileConfig,
+		Users:             userQueries,
+		Identities:        facadeIdentityFacade,
+		Clock:             clockClock,
+	}
+	authflowV2SettingsIdentityListPhoneHandler := &authflowv2.AuthflowV2SettingsIdentityListPhoneHandler{
+		Database:                 handle,
+		LoginIDConfig:            loginIDConfig,
+		Identities:               serviceService,
+		ControllerFactory:        controllerFactory,
+		BaseViewModel:            baseViewModeler,
+		Verification:             verificationService,
+		SettingsProfileViewModel: settingsProfileViewModeler,
+		Renderer:                 responseRenderer,
+	}
+	return authflowV2SettingsIdentityListPhoneHandler
+}
+
+func newWebAppAuthflowV2SettingsIdentityViewPhoneHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	handle := appProvider.AppDatabase
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	identityConfig := appConfig.Identity
+	loginIDConfig := identityConfig.LoginID
+	authenticationConfig := appConfig.Authentication
+	featureConfig := config.FeatureConfig
+	identityFeatureConfig := featureConfig.Identity
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	appID := appConfig.ID
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	request := p.Request
+	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	store := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	uiConfig := appConfig.UI
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	clockClock := _wireSystemClockValue
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	appredisHandle := appProvider.Redis
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	resolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: resolver,
+	}
+	localizationConfig := appConfig.Localization
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	factory := appProvider.LoggerFactory
+	logger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  logger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 store,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	serviceLogger := webapp2.NewServiceLogger(factory)
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	oAuthConfig := appConfig.OAuth
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	oauthclientResolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	interactionLogger := interaction.NewLogger(factory)
+	redisLogger := redis.NewLogger(factory)
+	redisStore := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	eventLogger := event.NewLogger(factory)
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	userStore := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: userStore,
+	}
+	serviceStore := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store3 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store3,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          serviceStore,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   userStore,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              userStore,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        handle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       userStore,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: handle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  appredisHandle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            whatsappServiceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	rawCommands := &user.RawCommands{
+		Store: userStore,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  appredisHandle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef2,
+	}
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           appredisHandle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   redisStore,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	identityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		OAuthClientResolver:             oauthclientResolver,
+		OfflineGrants:                   redisStore,
+		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
+		OTPSender:                       messageSender,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
+		Challenges:                      challengeProvider,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
+		Events:                          eventService,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
+	}
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	interactionService := &interaction.Service{
+		Logger:  interactionLogger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
+	}
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  oauthclientResolver,
+		Graph:                interactionService,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               oauthclientResolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
+	}
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
+	}
+	accountmanagementRedisStore := &accountmanagement.RedisStore{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+		Clock:   clockClock,
+	}
+	facadeIdentityFacade := &facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	accountmanagementService := accountmanagement.Service{
+		Database:                  handle,
+		Config:                    appConfig,
+		Users:                     userProvider,
+		Store:                     accountmanagementRedisStore,
+		OAuthProvider:             oAuthProviderFactory,
+		Identities:                facadeIdentityFacade,
+		Events:                    eventService,
+		OTPSender:                 messageSender,
+		OTPCodeService:            otpService,
+		Authenticators:            authenticatorFacade,
+		AuthenticationInfoService: authenticationinfoStoreRedis,
+		PasskeyService:            passkeyService,
+		Verification:              verificationService,
+		UIInfoResolver:            uiService,
+	}
+	authflowV2SettingsIdentityViewPhoneHandler := &authflowv2.AuthflowV2SettingsIdentityViewPhoneHandler{
+		Database:            handle,
+		LoginIDConfig:       loginIDConfig,
+		Identities:          serviceService,
+		ControllerFactory:   controllerFactory,
+		BaseViewModel:       baseViewModeler,
+		Verification:        verificationService,
+		Renderer:            responseRenderer,
+		AuthenticatorConfig: authenticatorConfig,
+		AccountManagement:   accountmanagementService,
+	}
+	return authflowV2SettingsIdentityViewPhoneHandler
+}
+
+func newWebAppAuthflowV2SettingsIdentityChangePrimaryPhoneHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	handle := appProvider.AppDatabase
+	factory := appProvider.LoggerFactory
+	appredisHandle := appProvider.Redis
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	appID := appConfig.ID
+	serviceLogger := webapp2.NewServiceLogger(factory)
+	request := p.Request
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	authenticationConfig := appConfig.Authentication
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	resolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	logger := interaction.NewLogger(factory)
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	clockClock := _wireSystemClockValue
+	featureConfig := config.FeatureConfig
+	redisLogger := redis.NewLogger(factory)
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	store := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	eventLogger := event.NewLogger(factory)
+	localizationConfig := appConfig.Localization
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	userStore := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: userStore,
+	}
+	identityConfig := appConfig.Identity
+	identityFeatureConfig := featureConfig.Identity
+	serviceStore := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginIDConfig := identityConfig.LoginID
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	templateResolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: templateResolver,
+	}
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	ratelimitLogger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  ratelimitLogger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 serviceStore,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	store3 := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store4 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store4,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          store3,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   userStore,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              userStore,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        handle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       userStore,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: handle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  appredisHandle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            whatsappServiceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	rawCommands := &user.RawCommands{
+		Store: userStore,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  appredisHandle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef2,
+	}
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           appredisHandle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   store,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	identityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		OAuthClientResolver:             resolver,
+		OfflineGrants:                   store,
+		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
+		OTPSender:                       messageSender,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
+		Challenges:                      challengeProvider,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
+		Events:                          eventService,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
+	}
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	interactionService := &interaction.Service{
+		Logger:  logger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
+	}
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  resolver,
+		Graph:                interactionService,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               resolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
+	}
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
+	}
+	facadeIdentityFacade := &facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	settingsProfileViewModeler := &viewmodels.SettingsProfileViewModeler{
+		Localization:      localizationConfig,
+		UserProfileConfig: userProfileConfig,
+		Users:             userQueries,
+		Identities:        facadeIdentityFacade,
+		Clock:             clockClock,
+	}
+	userFacade := &facade.UserFacade{
+		UserProvider: userProvider,
+		Coordinator:  coordinator,
+	}
+	authflowV2SettingsIdentityChangePrimaryPhoneHandler := &authflowv2.AuthflowV2SettingsIdentityChangePrimaryPhoneHandler{
+		Database:                 handle,
+		ControllerFactory:        controllerFactory,
+		BaseViewModel:            baseViewModeler,
+		SettingsProfileViewModel: settingsProfileViewModeler,
+		Renderer:                 responseRenderer,
+		Users:                    userFacade,
+		StdAttrs:                 stdattrsService,
+		Identities:               serviceService,
+	}
+	return authflowV2SettingsIdentityChangePrimaryPhoneHandler
+}
+
+func newWebAppAuthflowV2SettingsIdentityVerifyPhoneHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	handle := appProvider.AppDatabase
+	factory := appProvider.LoggerFactory
+	appredisHandle := appProvider.Redis
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	appID := appConfig.ID
+	serviceLogger := webapp2.NewServiceLogger(factory)
+	request := p.Request
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	authenticationConfig := appConfig.Authentication
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	resolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	logger := interaction.NewLogger(factory)
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	clockClock := _wireSystemClockValue
+	featureConfig := config.FeatureConfig
+	redisLogger := redis.NewLogger(factory)
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	store := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	eventLogger := event.NewLogger(factory)
+	localizationConfig := appConfig.Localization
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	userStore := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: userStore,
+	}
+	identityConfig := appConfig.Identity
+	identityFeatureConfig := featureConfig.Identity
+	serviceStore := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginIDConfig := identityConfig.LoginID
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	templateResolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: templateResolver,
+	}
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	ratelimitLogger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  ratelimitLogger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 serviceStore,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	store3 := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store4 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store4,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          store3,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   userStore,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              userStore,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        handle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       userStore,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: handle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  appredisHandle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            whatsappServiceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	rawCommands := &user.RawCommands{
+		Store: userStore,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  appredisHandle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef2,
+	}
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           appredisHandle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   store,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	identityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		OAuthClientResolver:             resolver,
+		OfflineGrants:                   store,
+		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
+		OTPSender:                       messageSender,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
+		Challenges:                      challengeProvider,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
+		Events:                          eventService,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
+	}
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	interactionService := &interaction.Service{
+		Logger:  logger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
+	}
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  resolver,
+		Graph:                interactionService,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               resolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
+	}
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
+	}
+	redisStore := &accountmanagement.RedisStore{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+		Clock:   clockClock,
+	}
+	facadeIdentityFacade := &facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	accountmanagementService := accountmanagement.Service{
+		Database:                  handle,
+		Config:                    appConfig,
+		Users:                     userProvider,
+		Store:                     redisStore,
+		OAuthProvider:             oAuthProviderFactory,
+		Identities:                facadeIdentityFacade,
+		Events:                    eventService,
+		OTPSender:                 messageSender,
+		OTPCodeService:            otpService,
+		Authenticators:            authenticatorFacade,
+		AuthenticationInfoService: authenticationinfoStoreRedis,
+		PasskeyService:            passkeyService,
+		Verification:              verificationService,
+		UIInfoResolver:            uiService,
+	}
+	authflowV2SettingsIdentityVerifyPhoneHandler := &authflowv2.AuthflowV2SettingsIdentityVerifyPhoneHandler{
+		Database:            handle,
+		ControllerFactory:   controllerFactory,
+		BaseViewModel:       baseViewModeler,
+		OTPCodeService:      otpService,
+		Renderer:            responseRenderer,
+		AccountManagement:   accountmanagementService,
+		Clock:               clockClock,
+		Config:              appConfig,
+		AuthenticatorConfig: authenticatorConfig,
+	}
+	return authflowV2SettingsIdentityVerifyPhoneHandler
+}
+
+func newWebAppAuthflowV2SettingsIdentityListUsernameHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	handle := appProvider.AppDatabase
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	identityConfig := appConfig.Identity
+	loginIDConfig := identityConfig.LoginID
+	authenticationConfig := appConfig.Authentication
+	featureConfig := config.FeatureConfig
+	identityFeatureConfig := featureConfig.Identity
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	appID := appConfig.ID
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	request := p.Request
+	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	store := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	uiConfig := appConfig.UI
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	clockClock := _wireSystemClockValue
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	appredisHandle := appProvider.Redis
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	resolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: resolver,
+	}
+	localizationConfig := appConfig.Localization
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	factory := appProvider.LoggerFactory
+	logger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  logger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 store,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	serviceLogger := webapp2.NewServiceLogger(factory)
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	oAuthConfig := appConfig.OAuth
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	oauthclientResolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	interactionLogger := interaction.NewLogger(factory)
+	redisLogger := redis.NewLogger(factory)
+	redisStore := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	eventLogger := event.NewLogger(factory)
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	userStore := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: userStore,
+	}
+	serviceStore := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store3 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store3,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          serviceStore,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   userStore,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              userStore,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        handle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       userStore,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: handle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  appredisHandle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            whatsappServiceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	rawCommands := &user.RawCommands{
+		Store: userStore,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  appredisHandle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef2,
+	}
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           appredisHandle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  redisStore,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   redisStore,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	identityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		OAuthClientResolver:             oauthclientResolver,
+		OfflineGrants:                   redisStore,
+		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
+		OTPSender:                       messageSender,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
+		Challenges:                      challengeProvider,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
+		Events:                          eventService,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
+	}
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	interactionService := &interaction.Service{
+		Logger:  interactionLogger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
+	}
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  oauthclientResolver,
+		Graph:                interactionService,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               oauthclientResolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
+	}
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
+	}
+	authflowV2SettingsIdentityListUsernameHandler := &authflowv2.AuthflowV2SettingsIdentityListUsernameHandler{
+		Database:          handle,
+		LoginIDConfig:     loginIDConfig,
+		Identities:        serviceService,
+		ControllerFactory: controllerFactory,
+		BaseViewModel:     baseViewModeler,
+		Renderer:          responseRenderer,
+	}
+	return authflowV2SettingsIdentityListUsernameHandler
+}
+
+func newWebAppAuthflowV2SettingsIdentityNewUsernameHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	handle := appProvider.AppDatabase
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	appID := appConfig.ID
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	request := p.Request
+	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	clockClock := _wireSystemClockValue
+	store := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawCommands := &user.RawCommands{
+		Store: store,
+		Clock: clockClock,
+	}
+	rawQueries := &user.RawQueries{
+		Store: store,
+	}
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	userAgentString := deps.ProvideUserAgentString(request)
+	factory := appProvider.LoggerFactory
+	logger := event.NewLogger(factory)
+	localizationConfig := appConfig.Localization
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	authenticationConfig := appConfig.Authentication
+	identityConfig := appConfig.Identity
+	featureConfig := config.FeatureConfig
+	identityFeatureConfig := featureConfig.Identity
+	serviceStore := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginIDConfig := identityConfig.LoginID
+	uiConfig := appConfig.UI
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	appredisHandle := appProvider.Redis
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	resolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: resolver,
+	}
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	ratelimitLogger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  ratelimitLogger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 serviceStore,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	store3 := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store4 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store4,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          store3,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         store,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   store,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              store,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        handle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       store,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: handle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	redisStore := &accountmanagement.RedisStore{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+		Clock:   clockClock,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  appredisHandle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	serviceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            serviceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         store,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  appredisHandle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	cookieDef := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef,
+	}
+	redisLogger := redis.NewLogger(factory)
+	store5 := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	oAuthConfig := appConfig.OAuth
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           appredisHandle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	oauthclientResolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  store5,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   store5,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	identityFacade := &facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
 		Context: contextContext,
 		Redis:   appredisHandle,
 		AppID:   appID,
@@ -138841,78 +165134,270 @@ func newSAMLLoginFinishHandler(p *deps.RequestProvider) http.Handler {
 	uiService := &authenticationinfo.UIService{
 		EndpointsProvider: endpointsEndpoints,
 	}
-	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+	accountmanagementService := &accountmanagement.Service{
+		Database:                  handle,
+		Config:                    appConfig,
+		Users:                     userProvider,
+		Store:                     redisStore,
+		OAuthProvider:             oAuthProviderFactory,
+		Identities:                identityFacade,
+		Events:                    eventService,
+		OTPSender:                 messageSender,
+		OTPCodeService:            otpService,
+		Authenticators:            authenticatorFacade,
+		AuthenticationInfoService: authenticationinfoStoreRedis,
+		PasskeyService:            passkeyService,
+		Verification:              verificationService,
+		UIInfoResolver:            uiService,
+	}
+	webappServiceLogger := webapp2.NewServiceLogger(factory)
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	interactionLogger := interaction.NewLogger(factory)
+	facadeIdentityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
 		Context: contextContext,
 		Redis:   appredisHandle,
 		AppID:   appID,
 	}
-	loginResultHandler := saml2.LoginResultHandler{
-		Clock:       clockClock,
-		Database:    handle,
-		SAMLService: samlService,
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		OAuthClientResolver:             oauthclientResolver,
+		OfflineGrants:                   store5,
+		Identities:                      facadeIdentityFacade,
+		Authenticators:                  authenticatorFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
+		OTPSender:                       messageSender,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
+		Challenges:                      challengeProvider,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
+		Events:                          eventService,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            mfaCookieDef,
+	}
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	interactionService := &interaction.Service{
+		Logger:  interactionLogger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
+	}
+	webappService2 := &webapp2.Service2{
+		Logger:               webappServiceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: mfaCookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  oauthclientResolver,
+		Graph:                interactionService,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               oauthclientResolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
+	}
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
 	}
-	samlBindingHTTPPostWriter := &samlbinding.SAMLBindingHTTPPostWriter{}
-	loginFinishHandler := &saml2.LoginFinishHandler{
-		Logger:                     loginFinishHandlerLogger,
-		Clock:                      clockClock,
-		SAMLService:                samlService,
-		SAMLSessionService:         samlsessionStoreRedis,
-		AuthenticationInfoResolver: uiService,
-		AuthenticationInfoService:  authenticationinfoStoreRedis,
-		LoginResultHandler:         loginResultHandler,
-		BindingHTTPPostWriter:      samlBindingHTTPPostWriter,
+	authflowV2SettingsIdentityNewUsernameHandler := &authflowv2.AuthflowV2SettingsIdentityNewUsernameHandler{
+		Database:          handle,
+		AccountManagement: accountmanagementService,
+		ControllerFactory: controllerFactory,
+		BaseViewModel:     baseViewModeler,
+		Renderer:          responseRenderer,
 	}
-	return loginFinishHandler
+	return authflowV2SettingsIdentityNewUsernameHandler
 }
 
-func newSAMLLogoutHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2SettingsIdentityViewUsernameHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
-	factory := appProvider.LoggerFactory
-	logoutHandlerLogger := saml2.NewLogoutHandlerLogger(factory)
-	clockClock := _wireSystemClockValue
 	handle := appProvider.AppDatabase
 	appContext := appProvider.AppContext
 	config := appContext.Config
 	appConfig := config.AppConfig
-	samlConfig := appConfig.SAML
-	appID := appConfig.ID
-	rootProvider := appProvider.RootProvider
-	environmentConfig := rootProvider.EnvironmentConfig
-	samlEnvironmentConfig := environmentConfig.SAML
 	secretConfig := config.SecretConfig
-	samlIdpSigningMaterials := deps.ProvideSAMLIdpSigningMaterials(secretConfig)
-	samlSpSigningMaterials := deps.ProvideSAMLSpSigningMaterials(secretConfig)
-	request := p.Request
-	trustProxy := environmentConfig.TrustProxy
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
-	uiConfig := appConfig.UI
-	globalUIImplementation := environmentConfig.UIImplementation
-	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
-	uiImplementationService := &web.UIImplementationService{
-		UIConfig:                       uiConfig,
-		GlobalUIImplementation:         globalUIImplementation,
-		GlobalUISettingsImplementation: globalUISettingsImplementation,
-	}
-	endpointsEndpoints := &endpoints.Endpoints{
-		HTTPHost:                httpHost,
-		HTTPProto:               httpProto,
-		UIImplementationService: uiImplementationService,
-	}
-	oAuthKeyMaterials := deps.ProvideOAuthKeyMaterials(secretConfig)
 	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	appID := appConfig.ID
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	request := p.Request
 	contextContext := deps.ProvideRequestContext(request)
 	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	clockClock := _wireSystemClockValue
 	store := &user.Store{
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 		Clock:       clockClock,
 		AppID:       appID,
 	}
+	rawCommands := &user.RawCommands{
+		Store: store,
+		Clock: clockClock,
+	}
 	rawQueries := &user.RawQueries{
 		Store: store,
 	}
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	userAgentString := deps.ProvideUserAgentString(request)
+	factory := appProvider.LoggerFactory
+	logger := event.NewLogger(factory)
+	localizationConfig := appConfig.Localization
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
 	authenticationConfig := appConfig.Authentication
 	identityConfig := appConfig.Identity
 	featureConfig := config.FeatureConfig
@@ -138926,6 +165411,7 @@ func newSAMLLogoutHandler(p *deps.RequestProvider) http.Handler {
 		SQLExecutor: sqlExecutor,
 	}
 	loginIDConfig := identityConfig.LoginID
+	uiConfig := appConfig.UI
 	manager := appContext.Resources
 	typeCheckerFactory := &loginid.TypeCheckerFactory{
 		UIConfig:      uiConfig,
@@ -138992,7 +165478,8 @@ func newSAMLLogoutHandler(p *deps.RequestProvider) http.Handler {
 	engine := &template.Engine{
 		Resolver: resolver,
 	}
-	localizationConfig := appConfig.Localization
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
 	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
@@ -139028,7 +165515,6 @@ func newSAMLLogoutHandler(p *deps.RequestProvider) http.Handler {
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 	}
-	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
 	web3Config := appConfig.Web3
 	storeRedis := &siwe2.StoreRedis{
 		Context: contextContext,
@@ -139036,14 +165522,14 @@ func newSAMLLogoutHandler(p *deps.RequestProvider) http.Handler {
 		AppID:   appID,
 		Clock:   clockClock,
 	}
-	logger := ratelimit.NewLogger(factory)
+	ratelimitLogger := ratelimit.NewLogger(factory)
 	storageRedis := &ratelimit.StorageRedis{
 		AppID: appID,
 		Redis: appredisHandle,
 	}
 	rateLimitsFeatureConfig := featureConfig.RateLimits
 	limiter := &ratelimit.Limiter{
-		Logger:  logger,
+		Logger:  ratelimitLogger,
 		Storage: storageRedis,
 		Config:  rateLimitsFeatureConfig,
 	}
@@ -139267,101 +165753,6 @@ func newSAMLLogoutHandler(p *deps.RequestProvider) http.Handler {
 		Web3:               web3Service,
 		RolesAndGroups:     queries,
 	}
-	idTokenIssuer := &oidc.IDTokenIssuer{
-		Secrets:        oAuthKeyMaterials,
-		BaseURL:        endpointsEndpoints,
-		Users:          userQueries,
-		RolesAndGroups: queries,
-		Clock:          clockClock,
-	}
-	userAgentString := deps.ProvideUserAgentString(request)
-	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
-	idpsessionStoreRedis := &idpsession.StoreRedis{
-		Redis:  appredisHandle,
-		AppID:  appID,
-		Clock:  clockClock,
-		Logger: storeRedisLogger,
-	}
-	eventStoreRedis := &access.EventStoreRedis{
-		Redis: appredisHandle,
-		AppID: appID,
-	}
-	eventProvider := &access.EventProvider{
-		Store: eventStoreRedis,
-	}
-	sessionConfig := appConfig.Session
-	idpsessionRand := _wireRandValue
-	idpsessionProvider := &idpsession.Provider{
-		Context:         contextContext,
-		RemoteIP:        remoteIP,
-		UserAgentString: userAgentString,
-		AppID:           appID,
-		Redis:           appredisHandle,
-		Store:           idpsessionStoreRedis,
-		AccessEvents:    eventProvider,
-		TrustProxy:      trustProxy,
-		Config:          sessionConfig,
-		Clock:           clockClock,
-		Random:          idpsessionRand,
-	}
-	oAuthConfig := appConfig.OAuth
-	oauthclientResolver := &oauthclient.Resolver{
-		OAuthConfig:     oAuthConfig,
-		TesterEndpoints: endpointsEndpoints,
-	}
-	redisLogger := redis.NewLogger(factory)
-	redisStore := &redis.Store{
-		Context:     contextContext,
-		Redis:       appredisHandle,
-		AppID:       appID,
-		Logger:      redisLogger,
-		SQLBuilder:  sqlBuilderApp,
-		SQLExecutor: sqlExecutor,
-		Clock:       clockClock,
-	}
-	offlineGrantService := &oauth2.OfflineGrantService{
-		OAuthConfig:    oAuthConfig,
-		Clock:          clockClock,
-		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
-	}
-	samlService := &saml.Service{
-		Clock:                       clockClock,
-		AppID:                       appID,
-		SAMLEnvironmentConfig:       samlEnvironmentConfig,
-		SAMLConfig:                  samlConfig,
-		SAMLIdpSigningMaterials:     samlIdpSigningMaterials,
-		SAMLSpSigningMaterials:      samlSpSigningMaterials,
-		Endpoints:                   endpointsEndpoints,
-		UserInfoProvider:            idTokenIssuer,
-		IDPSessionProvider:          idpsessionProvider,
-		OfflineGrantSessionProvider: offlineGrantService,
-	}
-	httpConfig := appConfig.HTTP
-	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
-	cookieDef := session.NewSessionCookieDef(sessionConfig)
-	idpsessionManager := &idpsession.Manager{
-		Store:     idpsessionStoreRedis,
-		Config:    sessionConfig,
-		Cookies:   cookieManager,
-		CookieDef: cookieDef,
-	}
-	oauthOfflineGrantService := oauth2.OfflineGrantService{
-		OAuthConfig:    oAuthConfig,
-		Clock:          clockClock,
-		IDPSessions:    idpsessionProvider,
-		ClientResolver: oauthclientResolver,
-		OfflineGrants:  redisStore,
-	}
-	sessionManager := &oauth2.SessionManager{
-		Store:   redisStore,
-		Config:  oAuthConfig,
-		Service: oauthOfflineGrantService,
-	}
-	eventLogger := event.NewLogger(factory)
-	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
-	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
 	resolverImpl := &event.ResolverImpl{
 		Users: userQueries,
 	}
@@ -139421,155 +165812,559 @@ func newSAMLLogoutHandler(p *deps.RequestProvider) http.Handler {
 		Database: writeHandle,
 		Store:    writeStore,
 	}
-	elasticsearchLogger := elasticsearch.NewLogger(factory)
-	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
-	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
-	client := elasticsearch.NewClient(elasticsearchCredentials)
-	queue := appProvider.TaskQueue
-	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
-	elasticsearchService := elasticsearch.Service{
-		Clock:           clockClock,
-		Context:         contextContext,
-		Database:        handle,
-		Logger:          elasticsearchServiceLogger,
-		AppID:           appID,
-		Client:          client,
-		Users:           userQueries,
-		UserStore:       store,
-		IdentityService: serviceService,
-		RolesGroups:     rolesgroupsStore,
-		TaskQueue:       queue,
-		Producer:        userReindexProducer,
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        handle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       store,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: handle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	redisStore := &accountmanagement.RedisStore{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+		Clock:   clockClock,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  appredisHandle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	serviceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            serviceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         store,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  appredisHandle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	cookieDef := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef,
+	}
+	redisLogger := redis.NewLogger(factory)
+	store5 := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	oAuthConfig := appConfig.OAuth
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           appredisHandle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	oauthclientResolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  store5,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   store5,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	identityFacade := &facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	accountmanagementService := &accountmanagement.Service{
+		Database:                  handle,
+		Config:                    appConfig,
+		Users:                     userProvider,
+		Store:                     redisStore,
+		OAuthProvider:             oAuthProviderFactory,
+		Identities:                identityFacade,
+		Events:                    eventService,
+		OTPSender:                 messageSender,
+		OTPCodeService:            otpService,
+		Authenticators:            authenticatorFacade,
+		AuthenticationInfoService: authenticationinfoStoreRedis,
+		PasskeyService:            passkeyService,
+		Verification:              verificationService,
+		UIInfoResolver:            uiService,
+	}
+	webappServiceLogger := webapp2.NewServiceLogger(factory)
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	interactionLogger := interaction.NewLogger(factory)
+	facadeIdentityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
 	}
-	elasticsearchSink := &elasticsearch.Sink{
-		Logger:   elasticsearchLogger,
-		Service:  elasticsearchService,
-		Database: handle,
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
 	}
-	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
 	manager2 := &session.Manager{
 		IDPSessions:         idpsessionManager,
 		AccessTokenSessions: sessionManager,
 		Events:              eventService,
 	}
-	samlslosessionStoreRedis := &samlslosession.StoreRedis{
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
 		Context: contextContext,
 		Redis:   appredisHandle,
 		AppID:   appID,
 	}
-	samlBindingHTTPPostWriter := &samlbinding.SAMLBindingHTTPPostWriter{}
-	samlBindingHTTPRedirectWriter := &samlbinding.SAMLBindingHTTPRedirectWriter{
-		Signer: samlService,
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		OAuthClientResolver:             oauthclientResolver,
+		OfflineGrants:                   store5,
+		Identities:                      facadeIdentityFacade,
+		Authenticators:                  authenticatorFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
+		OTPSender:                       messageSender,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
+		Challenges:                      challengeProvider,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
+		Events:                          eventService,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            mfaCookieDef,
 	}
-	sloService := &saml.SLOService{
-		SAMLService:               samlService,
-		BindingHTTPPostWriter:     samlBindingHTTPPostWriter,
-		BindingHTTPRedirectWriter: samlBindingHTTPRedirectWriter,
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
 	}
-	logoutHandler := &saml2.LogoutHandler{
-		Logger:                    logoutHandlerLogger,
-		Clock:                     clockClock,
-		Database:                  handle,
-		SAMLConfig:                samlConfig,
-		SAMLService:               samlService,
-		SessionManager:            manager2,
-		SAMLSLOSessionService:     samlslosessionStoreRedis,
-		SAMLSLOService:            sloService,
-		Endpoints:                 endpointsEndpoints,
-		BindingHTTPPostWriter:     samlBindingHTTPPostWriter,
-		BindingHTTPRedirectWriter: samlBindingHTTPRedirectWriter,
+	interactionService := &interaction.Service{
+		Logger:  interactionLogger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
 	}
-	return logoutHandler
+	webappService2 := &webapp2.Service2{
+		Logger:               webappServiceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: mfaCookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  oauthclientResolver,
+		Graph:                interactionService,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               oauthclientResolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
+	}
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
+	}
+	authflowV2SettingsIdentityViewUsernameHandler := &authflowv2.AuthflowV2SettingsIdentityViewUsernameHandler{
+		Database:          handle,
+		AccountManagement: accountmanagementService,
+		LoginIDConfig:     loginIDConfig,
+		Identities:        serviceService,
+		ControllerFactory: controllerFactory,
+		BaseViewModel:     baseViewModeler,
+		Renderer:          responseRenderer,
+	}
+	return authflowV2SettingsIdentityViewUsernameHandler
 }
 
-func newWebAppAuthflowV2SettingsProfile(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2SettingsIdentityEditUsernameHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
-	factory := appProvider.LoggerFactory
 	handle := appProvider.AppDatabase
-	appredisHandle := appProvider.Redis
 	appContext := appProvider.AppContext
 	config := appContext.Config
 	appConfig := config.AppConfig
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
 	appID := appConfig.ID
-	serviceLogger := webapp2.NewServiceLogger(factory)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
 	request := p.Request
-	sessionStoreRedis := &webapp2.SessionStoreRedis{
-		AppID: appID,
-		Redis: appredisHandle,
-	}
-	sessionCookieDef := webapp2.NewSessionCookieDef()
-	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
-	authenticationConfig := appConfig.Authentication
-	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
-	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
-	rootProvider := appProvider.RootProvider
-	environmentConfig := rootProvider.EnvironmentConfig
-	trustProxy := environmentConfig.TrustProxy
-	httpConfig := appConfig.HTTP
-	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
-	errorService := &webapp2.ErrorService{
-		AppID:       appID,
-		Cookie:      errorTokenCookieDef,
-		RedisHandle: appredisHandle,
-		Cookies:     cookieManager,
-	}
-	oAuthConfig := appConfig.OAuth
-	uiConfig := appConfig.UI
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
-	globalUIImplementation := environmentConfig.UIImplementation
-	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
-	uiImplementationService := &web.UIImplementationService{
-		UIConfig:                       uiConfig,
-		GlobalUIImplementation:         globalUIImplementation,
-		GlobalUISettingsImplementation: globalUISettingsImplementation,
-	}
-	endpointsEndpoints := &endpoints.Endpoints{
-		HTTPHost:                httpHost,
-		HTTPProto:               httpProto,
-		UIImplementationService: uiImplementationService,
-	}
-	uiService := &authenticationinfo.UIService{
-		EndpointsProvider: endpointsEndpoints,
-	}
-	resolver := &oauthclient.Resolver{
-		OAuthConfig:     oAuthConfig,
-		TesterEndpoints: endpointsEndpoints,
-	}
-	logger := interaction.NewLogger(factory)
-	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
 	contextContext := deps.ProvideRequestContext(request)
 	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
 	clockClock := _wireSystemClockValue
-	featureConfig := config.FeatureConfig
-	redisLogger := redis.NewLogger(factory)
-	secretConfig := config.SecretConfig
-	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
-	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	store := &redis.Store{
-		Context:     contextContext,
-		Redis:       appredisHandle,
-		AppID:       appID,
-		Logger:      redisLogger,
+	store := &user.Store{
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawCommands := &user.RawCommands{
+		Store: store,
+		Clock: clockClock,
+	}
+	rawQueries := &user.RawQueries{
+		Store: store,
 	}
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
 	userAgentString := deps.ProvideUserAgentString(request)
-	eventLogger := event.NewLogger(factory)
+	factory := appProvider.LoggerFactory
+	logger := event.NewLogger(factory)
 	localizationConfig := appConfig.Localization
 	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
 	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
-	userStore := &user.Store{
-		SQLBuilder:  sqlBuilderApp,
-		SQLExecutor: sqlExecutor,
-		Clock:       clockClock,
-		AppID:       appID,
-	}
-	rawQueries := &user.RawQueries{
-		Store: userStore,
-	}
+	authenticationConfig := appConfig.Authentication
 	identityConfig := appConfig.Identity
+	featureConfig := config.FeatureConfig
 	identityFeatureConfig := featureConfig.Identity
 	serviceStore := &service.Store{
 		SQLBuilder:  sqlBuilderApp,
@@ -139580,6 +166375,7 @@ func newWebAppAuthflowV2SettingsProfile(p *deps.RequestProvider) http.Handler {
 		SQLExecutor: sqlExecutor,
 	}
 	loginIDConfig := identityConfig.LoginID
+	uiConfig := appConfig.UI
 	manager := appContext.Resources
 	typeCheckerFactory := &loginid.TypeCheckerFactory{
 		UIConfig:      uiConfig,
@@ -139630,6 +166426,7 @@ func newWebAppAuthflowV2SettingsProfile(p *deps.RequestProvider) http.Handler {
 		SQLBuilder:  sqlBuilderApp,
 		SQLExecutor: sqlExecutor,
 	}
+	appredisHandle := appProvider.Redis
 	store2 := &passkey2.Store{
 		Context: contextContext,
 		Redis:   appredisHandle,
@@ -139637,14 +166434,16 @@ func newWebAppAuthflowV2SettingsProfile(p *deps.RequestProvider) http.Handler {
 	}
 	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
 	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
-	templateResolver := &template.Resolver{
+	resolver := &template.Resolver{
 		Resources:             manager,
 		DefaultLanguageTag:    defaultLanguageTag,
 		SupportedLanguageTags: supportedLanguageTags,
 	}
 	engine := &template.Engine{
-		Resolver: templateResolver,
+		Resolver: resolver,
 	}
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
 	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
@@ -139885,14 +166684,14 @@ func newWebAppAuthflowV2SettingsProfile(p *deps.RequestProvider) http.Handler {
 		UserProfileConfig: userProfileConfig,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         userStore,
+		UserStore:         store,
 		ClaimStore:        storePQ,
 		Transformer:       pictureTransformer,
 	}
 	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
 		Config:      userProfileConfig,
 		UserQueries: rawQueries,
-		UserStore:   userStore,
+		UserStore:   store,
 	}
 	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
 	web3Service := &web3.Service{
@@ -139909,7 +166708,7 @@ func newWebAppAuthflowV2SettingsProfile(p *deps.RequestProvider) http.Handler {
 	}
 	userQueries := &user.Queries{
 		RawQueries:         rawQueries,
-		Store:              userStore,
+		Store:              store,
 		Identities:         serviceService,
 		Authenticators:     service3,
 		Verification:       verificationService,
@@ -139991,7 +166790,7 @@ func newWebAppAuthflowV2SettingsProfile(p *deps.RequestProvider) http.Handler {
 		AppID:           appID,
 		Client:          client,
 		Users:           userQueries,
-		UserStore:       userStore,
+		UserStore:       store,
 		IdentityService: serviceService,
 		RolesGroups:     rolesgroupsStore,
 		TaskQueue:       queue,
@@ -140002,7 +166801,43 @@ func newWebAppAuthflowV2SettingsProfile(p *deps.RequestProvider) http.Handler {
 		Service:  elasticsearchService,
 		Database: handle,
 	}
-	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, logger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	redisStore := &accountmanagement.RedisStore{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+		Clock:   clockClock,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
 	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
 		Redis: appredisHandle,
 		AppID: appID,
@@ -140047,7 +166882,7 @@ func newWebAppAuthflowV2SettingsProfile(p *deps.RequestProvider) http.Handler {
 		FeatureConfig: messagingFeatureConfig,
 		EnvConfig:     rateLimitsEnvironmentConfig,
 	}
-	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
+	serviceLogger := whatsapp.NewServiceLogger(factory)
 	devMode := environmentConfig.DevMode
 	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
 	testModeWhatsappConfig := testModeConfig.Whatsapp
@@ -140061,7 +166896,7 @@ func newWebAppAuthflowV2SettingsProfile(p *deps.RequestProvider) http.Handler {
 	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
 	whatsappService := &whatsapp.Service{
 		Context:                           contextContext,
-		Logger:                            whatsappServiceLogger,
+		Logger:                            serviceLogger,
 		DevMode:                           devMode,
 		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
 		TestModeWhatsappConfig:            testModeWhatsappConfig,
@@ -140083,27 +166918,12 @@ func newWebAppAuthflowV2SettingsProfile(p *deps.RequestProvider) http.Handler {
 		Sender:      sender,
 		Translation: translationService,
 	}
-	rawCommands := &user.RawCommands{
-		Store: userStore,
-		Clock: clockClock,
-	}
-	userCommands := &user.Commands{
-		RawCommands:        rawCommands,
-		RawQueries:         rawQueries,
-		Events:             eventService,
-		Verification:       verificationService,
-		UserProfileConfig:  userProfileConfig,
-		StandardAttributes: serviceNoEvent,
-		CustomAttributes:   customattrsServiceNoEvent,
-		Web3:               web3Service,
-		RolesAndGroups:     queries,
-	}
 	stdattrsService := &stdattrs2.Service{
 		UserProfileConfig: userProfileConfig,
 		ServiceNoEvent:    serviceNoEvent,
 		Identities:        serviceService,
 		UserQueries:       rawQueries,
-		UserStore:         userStore,
+		UserStore:         store,
 		Events:            eventService,
 	}
 	authorizationStore := &pq.AuthorizationStore{
@@ -140118,13 +166938,26 @@ func newWebAppAuthflowV2SettingsProfile(p *deps.RequestProvider) http.Handler {
 		Logger: storeRedisLogger,
 	}
 	sessionConfig := appConfig.Session
-	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	cookieDef := session.NewSessionCookieDef(sessionConfig)
 	idpsessionManager := &idpsession.Manager{
 		Store:     idpsessionStoreRedis,
 		Config:    sessionConfig,
 		Cookies:   cookieManager,
-		CookieDef: cookieDef2,
+		CookieDef: cookieDef,
+	}
+	redisLogger := redis.NewLogger(factory)
+	store5 := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
 	}
+	oAuthConfig := appConfig.OAuth
 	eventStoreRedis := &access.EventStoreRedis{
 		Redis: appredisHandle,
 		AppID: appID,
@@ -140146,15 +166979,31 @@ func newWebAppAuthflowV2SettingsProfile(p *deps.RequestProvider) http.Handler {
 		Clock:           clockClock,
 		Random:          idpsessionRand,
 	}
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	oauthclientResolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
 	offlineGrantService := oauth2.OfflineGrantService{
 		OAuthConfig:    oAuthConfig,
 		Clock:          clockClock,
 		IDPSessions:    idpsessionProvider,
-		ClientResolver: resolver,
-		OfflineGrants:  store,
+		ClientResolver: oauthclientResolver,
+		OfflineGrants:  store5,
 	}
 	sessionManager := &oauth2.SessionManager{
-		Store:   store,
+		Store:   store5,
 		Config:  oAuthConfig,
 		Service: offlineGrantService,
 	}
@@ -140190,18 +167039,9 @@ func newWebAppAuthflowV2SettingsProfile(p *deps.RequestProvider) http.Handler {
 		Clock:                      clockClock,
 		PasswordGenerator:          generator,
 	}
-	identityFacade := facade.IdentityFacade{
-		Coordinator: coordinator,
-	}
-	authenticatorFacade := facade.AuthenticatorFacade{
+	identityFacade := &facade.IdentityFacade{
 		Coordinator: coordinator,
 	}
-	anonymousStoreRedis := &anonymous.StoreRedis{
-		Context: contextContext,
-		Redis:   appredisHandle,
-		AppID:   appID,
-		Clock:   clockClock,
-	}
 	messageSender := &otp.MessageSender{
 		AppID:           appID,
 		Translation:     translationService,
@@ -140209,20 +167049,57 @@ func newWebAppAuthflowV2SettingsProfile(p *deps.RequestProvider) http.Handler {
 		Sender:          sender,
 		WhatsappService: whatsappService,
 	}
-	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
-	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
-	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
 		Context: contextContext,
-		AppID:   appID,
 		Redis:   appredisHandle,
+		AppID:   appID,
 	}
-	oAuthProviderFactory := &sso.OAuthProviderFactory{
-		IdentityConfig:               identityConfig,
-		Credentials:                  oAuthSSOProviderCredentials,
-		Clock:                        clockClock,
-		StandardAttributesNormalizer: normalizer,
-		HTTPClient:                   oAuthHTTPClient,
-		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	accountmanagementService := &accountmanagement.Service{
+		Database:                  handle,
+		Config:                    appConfig,
+		Users:                     userProvider,
+		Store:                     redisStore,
+		OAuthProvider:             oAuthProviderFactory,
+		Identities:                identityFacade,
+		Events:                    eventService,
+		OTPSender:                 messageSender,
+		OTPCodeService:            otpService,
+		Authenticators:            authenticatorFacade,
+		AuthenticationInfoService: authenticationinfoStoreRedis,
+		PasskeyService:            passkeyService,
+		Verification:              verificationService,
+		UIInfoResolver:            uiService,
+	}
+	webappServiceLogger := webapp2.NewServiceLogger(factory)
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	mfaCookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	interactionLogger := interaction.NewLogger(factory)
+	facadeIdentityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
 	}
 	webappoauthStore := &webappoauth.Store{
 		Context: contextContext,
@@ -140260,15 +167137,6 @@ func newWebAppAuthflowV2SettingsProfile(p *deps.RequestProvider) http.Handler {
 		AppID: appID,
 		Clock: clockClock,
 	}
-	userProvider := &user.Provider{
-		Commands: userCommands,
-		Queries:  userQueries,
-	}
-	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
-		Context: contextContext,
-		Redis:   appredisHandle,
-		AppID:   appID,
-	}
 	manager2 := &session.Manager{
 		IDPSessions:         idpsessionManager,
 		AccessTokenSessions: sessionManager,
@@ -140286,9 +167154,9 @@ func newWebAppAuthflowV2SettingsProfile(p *deps.RequestProvider) http.Handler {
 		Clock:                           clockClock,
 		Config:                          appConfig,
 		FeatureConfig:                   featureConfig,
-		OAuthClientResolver:             resolver,
-		OfflineGrants:                   store,
-		Identities:                      identityFacade,
+		OAuthClientResolver:             oauthclientResolver,
+		OfflineGrants:                   store5,
+		Identities:                      facadeIdentityFacade,
 		Authenticators:                  authenticatorFacade,
 		AnonymousIdentities:             anonymousProvider,
 		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
@@ -140314,33 +167182,33 @@ func newWebAppAuthflowV2SettingsProfile(p *deps.RequestProvider) http.Handler {
 		AuthenticationInfoService:       authenticationinfoStoreRedis,
 		Sessions:                        idpsessionProvider,
 		SessionManager:                  manager2,
-		SessionCookie:                   cookieDef2,
+		SessionCookie:                   cookieDef,
 		OAuthSessions:                   oauthsessionStoreRedis,
-		MFADeviceTokenCookie:            cookieDef,
+		MFADeviceTokenCookie:            mfaCookieDef,
 	}
 	interactionStoreRedis := &interaction.StoreRedis{
 		Redis: appredisHandle,
 		AppID: appID,
 	}
 	interactionService := &interaction.Service{
-		Logger:  logger,
+		Logger:  interactionLogger,
 		Context: interactionContext,
 		Store:   interactionStoreRedis,
 	}
 	webappService2 := &webapp2.Service2{
-		Logger:               serviceLogger,
+		Logger:               webappServiceLogger,
 		Request:              request,
 		Sessions:             sessionStoreRedis,
 		SessionCookie:        sessionCookieDef,
 		SignedUpCookie:       signedUpCookieDef,
-		MFADeviceTokenCookie: cookieDef,
+		MFADeviceTokenCookie: mfaCookieDef,
 		ErrorService:         errorService,
 		Cookies:              cookieManager,
 		OAuthConfig:          oAuthConfig,
 		UIConfig:             uiConfig,
 		TrustProxy:           trustProxy,
 		UIInfoResolver:       uiService,
-		OAuthClientResolver:  resolver,
+		OAuthClientResolver:  oauthclientResolver,
 		Graph:                interactionService,
 	}
 	uiFeatureConfig := featureConfig.UI
@@ -140371,7 +167239,7 @@ func newWebAppAuthflowV2SettingsProfile(p *deps.RequestProvider) http.Handler {
 		SupportedLanguageTags:             supportedLanguageTags,
 		AuthUISentryDSN:                   authUISentryDSN,
 		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
-		OAuthClientResolver:               resolver,
+		OAuthClientResolver:               oauthclientResolver,
 		Logger:                            baseLogger,
 	}
 	responseRenderer := &webapp.ResponseRenderer{
@@ -140409,23 +167277,15 @@ func newWebAppAuthflowV2SettingsProfile(p *deps.RequestProvider) http.Handler {
 		LoggerFactory:  factory,
 		ControllerDeps: controllerDeps,
 	}
-	facadeIdentityFacade := &facade.IdentityFacade{
-		Coordinator: coordinator,
-	}
-	settingsProfileViewModeler := &viewmodels.SettingsProfileViewModeler{
-		Localization:      localizationConfig,
-		UserProfileConfig: userProfileConfig,
-		Users:             userQueries,
-		Identities:        facadeIdentityFacade,
-		Clock:             clockClock,
-	}
-	authflowV2SettingsProfileHandler := &authflowv2.AuthflowV2SettingsProfileHandler{
-		ControllerFactory:        controllerFactory,
-		BaseViewModel:            baseViewModeler,
-		SettingsProfileViewModel: settingsProfileViewModeler,
-		Renderer:                 responseRenderer,
+	authflowV2SettingsIdentityEditUsernameHandler := &authflowv2.AuthflowV2SettingsIdentityEditUsernameHandler{
+		Database:          handle,
+		AccountManagement: accountmanagementService,
+		Identities:        serviceService,
+		ControllerFactory: controllerFactory,
+		BaseViewModel:     baseViewModeler,
+		Renderer:          responseRenderer,
 	}
-	return authflowV2SettingsProfileHandler
+	return authflowV2SettingsIdentityEditUsernameHandler
 }
 
 // Injectors from wire_middleware.go:
diff --git a/pkg/auth/wire_handler.go b/pkg/auth/wire_handler.go
index 82c2585012..833c8aa454 100644
--- a/pkg/auth/wire_handler.go
+++ b/pkg/auth/wire_handler.go
@@ -457,6 +457,13 @@ func newWebAppSettingsBiometricHandler(p *deps.RequestProvider) http.Handler {
 	))
 }
 
+func newWebAppAuthflowV2SettingsBiometricHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsBiometricHandler)),
+	))
+}
+
 func newWebAppSettingsMFAHandler(p *deps.RequestProvider) http.Handler {
 	panic(wire.Build(
 		DependencySet,
@@ -464,6 +471,27 @@ func newWebAppSettingsMFAHandler(p *deps.RequestProvider) http.Handler {
 	))
 }
 
+func newWebAppAuthflowV2SettingsMFAHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsMFAHandler)),
+	))
+}
+
+func newWebAppAuthflowV2SettingsMFACreatePasswordHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsMFACreatePasswordHandler)),
+	))
+}
+
+func newWebAppAuthflowV2SettingsMFAPasswordHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsMFAPasswordHandler)),
+	))
+}
+
 func newWebAppSettingsTOTPHandler(p *deps.RequestProvider) http.Handler {
 	panic(wire.Build(
 		DependencySet,
@@ -471,6 +499,20 @@ func newWebAppSettingsTOTPHandler(p *deps.RequestProvider) http.Handler {
 	))
 }
 
+func newWebAppAuthflowV2SettingsTOTPHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsTOTPHandler)),
+	))
+}
+
+func newWebAppAuthflowV2SettingsOOBOTPHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsOOBOTPHandler)),
+	))
+}
+
 func newWebAppSettingsPasskeyHandler(p *deps.RequestProvider) http.Handler {
 	panic(wire.Build(
 		DependencySet,
@@ -478,6 +520,13 @@ func newWebAppSettingsPasskeyHandler(p *deps.RequestProvider) http.Handler {
 	))
 }
 
+func newWebAppAuthflowV2SettingsChangePasskeyHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsChangePasskeyHandler)),
+	))
+}
+
 func newWebAppSettingsOOBOTPHandler(p *deps.RequestProvider) http.Handler {
 	panic(wire.Build(
 		DependencySet,
@@ -499,6 +548,13 @@ func newWebAppSettingsSessionsHandler(p *deps.RequestProvider) http.Handler {
 	))
 }
 
+func newWebAppAuthflowV2SettingsSessionsHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsSessionsHandler)),
+	))
+}
+
 func newWebAppForceChangePasswordHandler(p *deps.RequestProvider) http.Handler {
 	panic(wire.Build(
 		DependencySet,
@@ -513,6 +569,13 @@ func newWebAppSettingsChangePasswordHandler(p *deps.RequestProvider) http.Handle
 	))
 }
 
+func newWebAppAuthflowV2SettingsChangePasswordHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsChangePasswordHandler)),
+	))
+}
+
 func newWebAppForceChangeSecondaryPasswordHandler(p *deps.RequestProvider) http.Handler {
 	panic(wire.Build(
 		DependencySet,
@@ -534,6 +597,13 @@ func newWebAppSettingsDeleteAccountHandler(p *deps.RequestProvider) http.Handler
 	))
 }
 
+func newWebAppAuthflowV2SettingsDeleteAccountHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsDeleteAccountHandler)),
+	))
+}
+
 func newWebAppSettingsDeleteAccountSuccessHandler(p *deps.RequestProvider) http.Handler {
 	panic(wire.Build(
 		DependencySet,
@@ -541,6 +611,20 @@ func newWebAppSettingsDeleteAccountSuccessHandler(p *deps.RequestProvider) http.
 	))
 }
 
+func newWebAppAuthflowV2SettingsDeleteAccountSuccessHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsDeleteAccountSuccessHandler)),
+	))
+}
+
+func newWebAppAuthflowV2SettingsAdvancedSettingsHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsAdvancedSettingsHandler)),
+	))
+}
+
 func newWebAppAccountStatusHandler(p *deps.RequestProvider) http.Handler {
 	panic(wire.Build(
 		DependencySet,
@@ -1163,3 +1247,115 @@ func newWebAppAuthflowV2SettingsProfile(p *deps.RequestProvider) http.Handler {
 		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsProfileHandler)),
 	))
 }
+
+func newWebAppAuthflowV2SettingsIdentityAddEmailHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsIdentityAddEmailHandler)),
+	))
+}
+
+func newWebAppAuthflowV2SettingsIdentityEditEmailHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsIdentityEditEmailHandler)),
+	))
+}
+
+func newWebAppAuthflowV2SettingsIdentityListEmailHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsIdentityListEmailHandler)),
+	))
+}
+
+func newWebAppAuthflowV2SettingsIdentityVerifyEmailHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsIdentityVerifyEmailHandler)),
+	))
+}
+
+func newWebAppAuthflowV2SettingsIdentityViewEmailHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsIdentityViewEmailHandler)),
+	))
+}
+
+func newWebAppAuthflowV2SettingsIdentityChangePrimaryEmailHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsIdentityChangePrimaryEmailHandler)),
+	))
+}
+
+func newWebAppAuthflowV2SettingsIdentityAddPhoneHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsIdentityAddPhoneHandler)),
+	))
+}
+
+func newWebAppAuthflowV2SettingsIdentityEditPhoneHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsIdentityEditPhoneHandler)),
+	))
+}
+
+func newWebAppAuthflowV2SettingsIdentityListPhoneHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsIdentityListPhoneHandler)),
+	))
+}
+
+func newWebAppAuthflowV2SettingsIdentityViewPhoneHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsIdentityViewPhoneHandler)),
+	))
+}
+
+func newWebAppAuthflowV2SettingsIdentityChangePrimaryPhoneHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsIdentityChangePrimaryPhoneHandler)),
+	))
+}
+
+func newWebAppAuthflowV2SettingsIdentityVerifyPhoneHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsIdentityVerifyPhoneHandler)),
+	))
+}
+
+func newWebAppAuthflowV2SettingsIdentityListUsernameHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsIdentityListUsernameHandler)),
+	))
+}
+
+func newWebAppAuthflowV2SettingsIdentityNewUsernameHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsIdentityNewUsernameHandler)),
+	))
+}
+
+func newWebAppAuthflowV2SettingsIdentityViewUsernameHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsIdentityViewUsernameHandler)),
+	))
+}
+
+func newWebAppAuthflowV2SettingsIdentityEditUsernameHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsIdentityEditUsernameHandler)),
+	))
+}
diff --git a/pkg/lib/web/html.go b/pkg/lib/web/html.go
index 7dea2a72d4..3b58870480 100644
--- a/pkg/lib/web/html.go
+++ b/pkg/lib/web/html.go
@@ -72,7 +72,9 @@ var TemplateWebAuthflowV2TermsOfServiceAndPrivacyPolicyFooterHTML = template.Reg
 var TemplateWebAuthflowV2WatermarkHTML = template.RegisterHTML("web/authflowv2/__watermark.html")
 var TemplateWebAuthflowV2CSRFErrorPageLayoutHTML = template.RegisterHTML("web/authflowv2/__csrf_error_page_layout.html")
 var TemplateWebAuthflowV2SettingsItemHTML = template.RegisterHTML("web/authflowv2/__settings_item.html")
+var TemplateWebAuthflowV2SettingsActionItemHTML = template.RegisterHTML("web/authflowv2/__settings_action_item.html")
 var TemplateWebAuthflowV2SettingsRadioHTML = template.RegisterHTML("web/authflowv2/__settings_radio.html")
+var TemplateWebAuthflowV2SettingsDialog = template.RegisterHTML("web/authflowv2/__settings_dialog.html")
 
 var TemplateWebSettingsV2PageFrameHTML = template.RegisterHTML("web/authflowv2/__settings_page_frame.html")
 var TemplateWebAuthflowV2NavBar = template.RegisterHTML("web/authflowv2/__navbar.html")
@@ -143,11 +145,13 @@ var BaseComponentsHTML = []*template.HTML{
 	TemplateWebAuthflowV2CSRFErrorPageLayoutHTML,
 	TemplateWebAuthflowV2BrandLogoHTML,
 	TemplateWebAuthflowV2SettingsItemHTML,
+	TemplateWebAuthflowV2SettingsActionItemHTML,
 	TemplateWebAuthflowV2NavBar,
 	TemplateWebAuthflowV2DateInputHTML,
 	TemplateWebAuthflowV2UserProfilePic,
 	TemplateWebAuthflowV2SettingsRadioHTML,
 	TemplateWebAuthflowV2SettingsTextInput,
+	TemplateWebAuthflowV2SettingsDialog,
 	TemplateWebAuthflowV2LocaleInputHTML,
 	TemplateWebAuthflowV2TimezoneInput,
 	TemplateWebAuthflowV2CountryInput,
diff --git a/resources/authgear/templates/en/translation.json b/resources/authgear/templates/en/translation.json
index 01b7d4463f..4e3e6e71f2 100644
--- a/resources/authgear/templates/en/translation.json
+++ b/resources/authgear/templates/en/translation.json
@@ -879,13 +879,17 @@
   "v2.component.bot-protection-widget.default.noscript": "JavaScript is required for captcha verification. Please enable JavaScript in your browser to proceed.",
   "v2.component.button.default.copy": "Copy",
   "v2.component.button.default.download": "Download",
+  "v2.component.button.default.label-cancel": "Cancel",
   "v2.component.button.default.label-continue": "Continue",
   "v2.component.button.default.label-continue-with-passkey": "Continue with Passkey",
   "v2.component.button.default.label-continue-with-phone": "Continue with Phone Number",
   "v2.component.button.default.label-continue-with-text-login-id": "Continue with {variant, select, email {Email} username {Username} other {Email / Username}}",
+  "v2.component.button.default.label-edit": "Edit",
   "v2.component.button.default.label-login": "Login",
+  "v2.component.button.default.label-remove": "Remove",
   "v2.component.button.default.label-save": "Save",
   "v2.component.button.default.label-send": "Send",
+  "v2.component.button.default.label-terminate": "Terminate",
   "v2.component.device-token-checkbox.default.label": "Remember this device, and don’t ask again",
   "v2.component.divider.default.or-label": "or",
   "v2.component.input.default.placeholder-email": "Email address",
@@ -923,6 +927,7 @@
   "v2.component.oob-otp-resend-button.default.countdown-unit": "Resend code in %s",
   "v2.component.oob-otp-resend-button.default.label": "Resend code",
   "v2.component.password-input.default.hide-password": "Hide password",
+  "v2.component.password-input.default.placeholder-confirm-new-password": "Re-enter new password",
   "v2.component.password-input.default.placeholder-confirm-password": "Re-enter Password",
   "v2.component.password-input.default.placeholder-new-password": "New Password",
   "v2.component.password-input.default.placeholder-password": "Current Password",
@@ -932,7 +937,6 @@
   "v2.component.select-input.default.no-results-found": "No results found",
   "v2.component.select-input.default.not-provided-label": "Not provided",
   "v2.component.select-input.default.search-label": "Search",
-  "v2.component.select-input.default.unset-label": "Unset",
   "v2.component.toc-pp-footer.default.label": "By registering, you agree to the {variant, select, both{<a class=\"link-btn\" target=\"_blank\" href=\"{termsOfService}\">Terms of Service</a> and <a class=\"link-btn\" target=\"_blank\" href=\"{privacyPolicy}\">Privacy Policy</a>} termsOnly{<a class=\"link\" target=\"_blank\" href=\"{termsOfService}\">Terms of Service</a>} privacyOnly{<a class=\"link\" target=\"_blank\" href=\"{privacyPolicy}\">Privacy Policy</a>} other{}}",
   "v2.component.verify-bot-protection.default.description": "You will be redirected shortly after you completed the challenge",
   "v2.component.verify-bot-protection.default.title": "Checking your system...",
@@ -1115,26 +1119,117 @@
   "v2.page.select-account.default.description": "You have logged in with {email_is_present,select,true{{email}} other{{phone_number_is_present,select,true{{phone_number}} other{{preferred_username}}}}}. Proceed to continue.",
   "v2.page.select-account.default.title": "Log in to {AppOrClientName}",
   "v2.page.select-account.default.use-another-account": "Use another account",
+  "v2.page.settings-advanced-settings.default.title": "Advanced Settings",
+  "v2.page.settings-biometric.default.dialog-description": "Are you sure you want to disconnect biometric login for this device?",
+  "v2.page.settings-biometric.default.dialog-title": "Disconnect Biometric Login",
+  "v2.page.settings-biometric.default.disconnect-button-label": "Disconnect",
+  "v2.page.settings-biometric.default.item-description": "Created at <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-biometric.default.title": "Biometric Login",
+  "v2.page.settings-biometric.default.no-biometric-description": "You do not have any devices with biometrics enabled.",
+  "v2.page.settings-biometric.default.unknown-name-item-label": "Unknown Device",
+  "v2.page.settings-change-password.default.title": "Change Password",
+  "v2.page.settings-delete-account-success.default.button-label": "Done",
+  "v2.page.settings-delete-account-success.default.description": "Your account has been deactivated and the data will be deleted on <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account-success.default.title": "Account deletion scheduled",
+  "v2.page.settings-delete-account.default.button-label": "Delete Account",
+  "v2.page.settings-delete-account.default.description": "By deleting the account, add data will be permanently deleted and we will not be able to retrieve it. If you continue, your account will be deleted on <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account.default.input-placeholder": "Type <b>{input}</b> to confirm",
+  "v2.page.settings-delete-account.default.title": "Delete Account",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-maximum": "Please enter a number less than or equal to {maximum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum": "Please enter a number greater than or equal to {minimum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum-maximum": "Please enter a number between {minimum} and {maximum}",
+  "v2.page.settings-identity-add-email.default.email-input-placeholder": "New Email Address",
+  "v2.page.settings-identity-add-email.default.title": "Add New Email",
+  "v2.page.settings-identity-add-phone.default.title": "Add New Phone",
+  "v2.page.settings-identity-add-phone.default.phone-input-placeholder": "Phone Number",
+  "v2.page.settings-identity-change-primary-email.default.title": "Primary Email",
+  "v2.page.settings-identity-change-primary-phone.default.title": "Primary Phone",
+  "v2.page.settings-identity-edit-email.default.description": "Your current email is {target}",
+  "v2.page.settings-identity-edit-email.default.email-input-placeholder": "New Email Address",
+  "v2.page.settings-identity-edit-email.default.title": "Edit Email",
+  "v2.page.settings-identity-edit-phone.default.description": "Your current phone number is {target}",
+  "v2.page.settings-identity-edit-phone.default.title": "Edit Phone",
+  "v2.page.settings-identity-edit-phone.default.phone-input-placeholder": "Phone Number",
+  "v2.page.settings-identity-edit-username.default.title": "Change Username",
+  "v2.page.settings-identity-email.default.title": "Email",
+  "v2.page.settings-identity-list-email.default.button-add-email-label": "+ Add new email",
+  "v2.page.settings-identity-list-email.default.button-change-primary-email-label": "Change",
+  "v2.page.settings-identity-list-email.default.primary-email-label": "Primary email",
+  "v2.page.settings-identity-list-phone.default.button-add-phone-label": "+ Add new phone number",
+  "v2.page.settings-identity-list-phone.default.button-change-primary-phone-label": "Change",
+  "v2.page.settings-identity-list-phone.default.primary-phone-label": "Primary phone",
+  "v2.page.settings-identity-list-username.default.button-add-username-label": "+ Add username",
+  "v2.page.settings-identity-list-username.default.title": "Username",
+  "v2.page.settings-identity-new-username.default.title": "Add Username",
+  "v2.page.settings-identity-phone.default.title": "Phone",
+  "v2.page.settings-identity-verify-email.default.title": "Verification",
+  "v2.page.settings-identity-verify-phone.default.title": "Verification",
+  "v2.page.settings-identity-view-email.default.button-edit-email-label": "Edit",
+  "v2.page.settings-identity-view-email.default.button-remove-email-label": "Remove this email",
+  "v2.page.settings-identity-view-email.default.button-verify-email-label": "Verify",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-description": "Are you sure you want to remove the email address {target} from your account?",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-title": "Remove Email Address",
+  "v2.page.settings-identity-view-phone.default.button-edit-phone-label": "Edit",
+  "v2.page.settings-identity-view-phone.default.button-remove-phone-label": "Remove this phone",
+  "v2.page.settings-identity-view-phone.default.button-verify-phone-label": "Verify",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-description": "Are you sure you want to remove the phone number {target} from your account?",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-title": "Remove Phone Number",
+  "v2.page.settings-identity-view-username.default.button-remove-label": "Remove username",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-description": "Are you sure you want to remove username <span class=\"settings-dialog__description-text--highlight\">{Username}</span> from your account?",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-title": "Remove Username",
+  "v2.page.settings-identity-view-username.default.title": "Username",
+  "v2.page.settings-identity.default.verification-status-unverified-label": "Not Verified",
+  "v2.page.settings-identity.default.verification-status-verified-label": "Verified",
+  "v2.page.settings-mfa-create-password.default.title": "Additional password",
+  "v2.page.settings-mfa-password.default.additional-password-added-at": "Added at <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.additional-password-label": "Additional password",
+  "v2.page.settings-mfa-password.default.additional-password-updated-at": "Updated at <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.dialog-delete-description": "Are you sure you want to remove additional password?",
+  "v2.page.settings-mfa-password.default.dialog-delete-title": "Remove additional password",
+  "v2.page.settings-mfa-password.default.title": "Additional password",
+  "v2.page.settings-mfa-password.default.remove-button-label": "Remove additional password",
+  "v2.page.settings-mfa.default.activated-label": "Activated",
+  "v2.page.settings-mfa.default.additional-password-label": "Additional password",
+  "v2.page.settings-mfa.default.dialog-revoke-device-description": "You have {NumberOfDeviceTokens, plural, one{# trusted device} other{# trusted devices}} trusted devices associated with your account. Do you want to remove all trusted devices?",
+  "v2.page.settings-mfa.default.dialog-revoke-device-title": "Remove trusted devices",
+  "v2.page.settings-mfa.default.inactive-label": "Inactive",
+  "v2.page.settings-mfa.default.title": "2-Factor Authentication",
+  "v2.page.settings-mfa.default.secondary-oob-otp-email-label": "Email",
+  "v2.page.settings-mfa.default.secondary-oob-otp-sms-label": "WhatsApp/SMS message",
+  "v2.page.settings-mfa.default.secondary-totp-label": "Authenticator app/device",
+  "v2.page.settings-mfa.default.trusted-devices-has-device-tokens-message": "You have {NumberOfDeviceTokens, plural, one{# trusted device} other{# trusted devices}}",
+  "v2.page.settings-mfa.default.trusted-devices-label": "Trusted devices",
+  "v2.page.settings-mfa.default.trusted-devices-no-device-tokens-message": "You do not have any trusted devices that can skip 2-step verification.",
+  "v2.page.settings-oob-otp-email.default.title": "Email",
+  "v2.page.settings-oob-otp-sms.default.title": "WhatsApp/SMS message",
+  "v2.page.settings-oob-otp.default.added-at-label": "Added at <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-oob-otp.default.button-oob-otp-email-label": "+ Add email",
+  "v2.page.settings-oob-otp.default.button-oob-otp-sms-label": "+ Add WhatsApp/SMS phone number",
+  "v2.page.settings-passkey.default.add-passkey-button-label": "+ Add passkey",
+  "v2.page.settings-passkey.default.dialog-description": "Are you sure you want to remove this passkey?",
+  "v2.page.settings-passkey.default.dialog-title": "Remove Passkey",
+  "v2.page.settings-passkey.default.item-description": "Added at <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-passkey.default.title": "Passkey",
   "v2.page.settings-profile-edit-address.default.country-label": "Country",
   "v2.page.settings-profile-edit-address.default.locality-label": "City",
-  "v2.page.settings-profile-edit-address.default.navbar-title": "Address",
+  "v2.page.settings-profile-edit-address.default.title": "Address",
   "v2.page.settings-profile-edit-address.default.postal-code-label": "Postal code",
   "v2.page.settings-profile-edit-address.default.region-label": "Region",
   "v2.page.settings-profile-edit-address.default.street-label": "Street address",
-  "v2.page.settings-profile-edit-birthdate.default.navbar-title": "Birthdate",
+  "v2.page.settings-profile-edit-birthdate.default.title": "Birthdate",
   "v2.page.settings-profile-edit-gender.default.gender-label-custom": "Custom",
   "v2.page.settings-profile-edit-gender.default.gender-label-female": "Female",
   "v2.page.settings-profile-edit-gender.default.gender-label-male": "Male",
   "v2.page.settings-profile-edit-gender.default.gender-label-unspecified": "Not provided",
   "v2.page.settings-profile-edit-gender.default.title": "Gender",
-  "v2.page.settings-profile-edit-locale.default.navbar-title": "Language",
+  "v2.page.settings-profile-edit-locale.default.title": "Language",
   "v2.page.settings-profile-edit-name.default.family-name-input-label": "Last name",
   "v2.page.settings-profile-edit-name.default.fullname-input-label": "Full name",
   "v2.page.settings-profile-edit-name.default.given-name-input-label": "First name",
   "v2.page.settings-profile-edit-name.default.middle-name-input-label": "Middle name",
-  "v2.page.settings-profile-edit-name.default.navbar-title": "Name",
+  "v2.page.settings-profile-edit-name.default.title": "Name",
   "v2.page.settings-profile-edit-name.default.nickname-input-label": "Nick name",
-  "v2.page.settings-profile-edit-zoneinfo.default.navbar-title": "Timezone",
+  "v2.page.settings-profile-edit-zoneinfo.default.title": "Timezone",
   "v2.page.settings-profile-no-permission.default.content": "Not authorized",
   "v2.page.settings-profile-no-permission.default.title": "Unexpected Issues",
   "v2.page.settings-profile.default.address-title": "Address",
@@ -1146,9 +1241,21 @@
   "v2.page.settings-profile.default.gender-title": "Gender",
   "v2.page.settings-profile.default.language-title": "Language",
   "v2.page.settings-profile.default.name-title": "Name",
-  "v2.page.settings-profile.default.navbar-title": "Profile",
+  "v2.page.settings-profile.default.title": "Profile",
   "v2.page.settings-profile.default.profile-picture-title": "Profile Picture",
   "v2.page.settings-profile.default.zoneinfo-title": "Timezone",
+  "v2.page.settings-sessions.default.all-sessions-dialog-description": "This will remove access to your account from all other devices",
+  "v2.page.settings-sessions.default.all-sessions-dialog-title": "Terminate all other sessions",
+  "v2.page.settings-sessions.default.country-ip-item-description": "{countryName} ({countryCode}) - {ip}",
+  "v2.page.settings-sessions.default.device-item-description": "{isCurrent, select, true {{desc} · <span class=\"settings-description--primary-color\">Active Now</span>} other {{desc} · <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>}}",
+  "v2.page.settings-sessions.default.title": "Signed in Devices",
+  "v2.page.settings-sessions.default.revoke-all-label": "Terminate all other sessions",
+  "v2.page.settings-sessions.default.session-dialog-description": "This will remove access to your account on this device",
+  "v2.page.settings-sessions.default.session-dialog-title": "Terminate session",
+  "v2.page.settings-totp.default.added-at-label": "Added at <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-totp.default.button-add-authenticator-label": "+ Add authenticator app/device",
+  "v2.page.settings-totp.default.title": "Authenticator app/device",
+  "v2.page.settings.default.button-label-account-deletion": "Delete Account",
   "v2.page.settings.default.button-label-advanced-settings": "Advanced Settings",
   "v2.page.settings.default.button-label-and-more": "{item} and more",
   "v2.page.settings.default.button-label-back-to-app": "Back to my app",
diff --git a/resources/authgear/templates/en/web/authflowv2/__error.html b/resources/authgear/templates/en/web/authflowv2/__error.html
index d985bca8a4..34fe804136 100644
--- a/resources/authgear/templates/en/web/authflowv2/__error.html
+++ b/resources/authgear/templates/en/web/authflowv2/__error.html
@@ -1,4 +1,5 @@
 {{- define "authflowv2/__error.html" -}}
+{{ $dict := (dict "IdentityTypeIncoming" "other") }}
   {{ $display_error := false }}
   {{ if .Error }}
     {{ $display_error = true }}
@@ -154,6 +155,9 @@
       {{ else }}
         <span>{{ include "v2.error.developer-email-required" nil }}</span>
       {{ end }}
+    {{ else if eq .Error.reason "AccountManagementDuplicatedIdentity" }}
+      {{ $dict := (dict "IdentityTypeIncoming" "other") }}
+      <span>{{ include "v2.error.account-conflict" $dict }}</span>
     {{ else if eq .Error.reason "InvariantViolated" }}
       {{ $cause := .Error.info.cause }}
       {{ if (eq $cause.kind "RemoveLastIdentity") }}
@@ -207,12 +211,12 @@
       <span>
         {{ if $error_reason.title }} {{ $error_reason.title }} {{ else }}
         <!-- title is not provided, use default title -->
-        {{ if eq .Error.info.event_type "pre_signup" }} 
-          {{ include "v2.error.webhook-pre-signup-disallowed" nil }} 
+        {{ if eq .Error.info.event_type "pre_signup" }}
+          {{ include "v2.error.webhook-pre-signup-disallowed" nil }}
         {{ else }}
           {{ include "v2.error.webhook-disallowed" nil }}
-        {{ end }} 
-    {{ end }} 
+        {{ end }}
+    {{ end }}
     {{ if $error_reason.reason }}
         <br />
         {{ $error_reason.reason }} {{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/__new_password_field.html b/resources/authgear/templates/en/web/authflowv2/__new_password_field.html
index 44b4c81f7f..1737d2ae46 100644
--- a/resources/authgear/templates/en/web/authflowv2/__new_password_field.html
+++ b/resources/authgear/templates/en/web/authflowv2/__new_password_field.html
@@ -40,6 +40,7 @@
         "Type" "new-password"
         "AutoFocus" $.AutoFocus
         "PasswordRules" $.PasswordRules
+        "Placeholder" $.NewPasswordInputPlaceholder
         "InputAttrs" `
           data-text-field-target="input"
           data-password-policy-target="input"
@@ -66,6 +67,7 @@
         "Classname" $confirm_pw_input_classname
         "Name" $.ConfirmPasswordInputName
         "Type" "confirm-password"
+        "Placeholder" $.ConfirmPasswordInputPlaceholder
         "InputAttrs" `
           data-text-field-target="input"
           data-new-password-field-target="confirmPasswordInput"
diff --git a/resources/authgear/templates/en/web/authflowv2/__otp_input.html b/resources/authgear/templates/en/web/authflowv2/__otp_input.html
index 0fe2a25fbd..87346bf0b1 100644
--- a/resources/authgear/templates/en/web/authflowv2/__otp_input.html
+++ b/resources/authgear/templates/en/web/authflowv2/__otp_input.html
@@ -69,6 +69,7 @@
       data-action="submit->turbo-form#submitForm"
     >
       {{ $.CSRFField }}
+      {{ $.ResendFormContent }}
       <button
         id="resend-button"
         class="link-btn"
diff --git a/resources/authgear/templates/en/web/authflowv2/__password_input.html b/resources/authgear/templates/en/web/authflowv2/__password_input.html
index 9f00e5f716..27a68fc1bd 100644
--- a/resources/authgear/templates/en/web/authflowv2/__password_input.html
+++ b/resources/authgear/templates/en/web/authflowv2/__password_input.html
@@ -1,7 +1,7 @@
 {{/* <!-- Example usage:
   {{ template "authflowv2/__password_input.html"
     (dict
-      "Type" "new-password" // new-password | old-password | confirm-password
+      "Type" "new-password" // new-password | old-password | confirm-password | confirm-new-password
       "Classname" "foo"
       "Name" "x_password"
       "AutoFocus" true
@@ -24,12 +24,16 @@
     {{ end }}
     autocapitalize="none"
     name="{{ .Name }}"
-    {{ if eq .Type "old-password" }}
-    placeholder="{{ include "v2.component.password-input.default.placeholder-password" nil }}"
-    {{ else if eq .Type "new-password" }}
-    placeholder="{{ include "v2.component.password-input.default.placeholder-new-password" nil }}"
-    {{ else if eq .Type "confirm-password" }}
-    placeholder="{{ include "v2.component.password-input.default.placeholder-confirm-password" nil }}"
+    {{ if .Placeholder }}
+      placeholder="{{ .Placeholder }}"
+    {{ else }}
+      {{ if eq .Type "old-password" }}
+      placeholder="{{ template "v2.component.password-input.default.placeholder-password" }}"
+      {{ else if eq .Type "new-password" }}
+      placeholder="{{ template "v2.component.password-input.default.placeholder-new-password" }}"
+      {{ else if eq .Type "confirm-password" }}
+      placeholder="{{ template "v2.component.password-input.default.placeholder-confirm-password" }}"
+      {{ end }}
     {{ end }}
     data-password-visibility-toggle-target="input"
     {{ if .PasswordRules }}
diff --git a/resources/authgear/templates/en/web/authflowv2/__select_input.html b/resources/authgear/templates/en/web/authflowv2/__select_input.html
index 4230ad9d88..a0b75cae99 100644
--- a/resources/authgear/templates/en/web/authflowv2/__select_input.html
+++ b/resources/authgear/templates/en/web/authflowv2/__select_input.html
@@ -2,7 +2,7 @@
 
 {{ $options := prepend $.Options (dict
   "triggerLabel" (include "v2.component.select-input.default.not-provided-label" nil)
-  "label" (include "v2.component.select-input.default.unset-label" nil)
+  "label" (include "v2.component.select-input.default.not-provided-label" nil)
   "value" ""
 )}}
 
diff --git a/resources/authgear/templates/en/web/authflowv2/__settings_action_item.html b/resources/authgear/templates/en/web/authflowv2/__settings_action_item.html
new file mode 100644
index 0000000000..4b55ae7566
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/__settings_action_item.html
@@ -0,0 +1,61 @@
+{{/*
+  template "authflowv2/__settings_action_item.html" (dict
+    "IconName" "email"
+    "Label" .Email
+    "Description" (include "actionbtn" (dict "isVerified" .isVerified))
+    "ActionButton" (include "actionbtn" nil)
+    "ExtraContent" (include "ExtraContent" nil)
+  )
+*/}}
+
+{{ define "authflowv2/__settings_action_item.html" }}
+<div
+  class="
+    settings-action-item__container
+    {{ if .IconName }}settings-action-item__container-with-icon{{ end }}
+    {{ if .ExtraContent }}settings-action-item__container-with-extra-content{{ end }}
+  "
+>
+  <div class="flex-1">
+    {{ if .RedirectURL }}
+      <a class="settings-action-item__content-container" href="{{ .RedirectURL }}">
+        {{ template "__settings_action_item_content" . }}
+      </a>
+    {{ else }}
+      <div class="settings-action-item__content-container">
+        {{ template "__settings_action_item_content" . }}
+      </div>
+    {{ end }}
+    {{/* ExtraContent shows under label and description (e.g. Verify Button) */}}
+    {{ if .ExtraContent }}
+      <div class="settings-action-item__extra-content-container">
+        {{ .ExtraContent }}
+      </div>
+    {{ end }}
+  </div>
+  {{ if and .ActionButton (not .RedirectURL) }}
+    <div class="settings-action-item__action-button-container">
+      {{ .ActionButton }}
+    </div>
+  {{ end }}
+  {{ if and .RedirectURL (not .ActionButton) }}
+    <a class="settings-action-item__arrow-container" href="{{ .RedirectURL }}">
+      <span class="settings-item__forward_arrow"></span>
+    </a>
+  {{ end }}
+</div>
+{{ end }}
+
+{{ define "__settings_action_item_content" }}
+<div class="settings-action-item__label-container">
+  {{ if .IconName }}
+  <i class="settings-action-item__icon material-icons">{{ .IconName }}</i>
+  {{ end }}
+  <p class="settings-action-item__label">{{ .Label }}</p>
+</div>
+{{ if .Description }}
+  <div class="settings-action-item__description-container">
+    {{ .Description }}
+  </div>
+{{ end }}
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/__settings_dialog.html b/resources/authgear/templates/en/web/authflowv2/__settings_dialog.html
new file mode 100644
index 0000000000..53ff4bebde
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/__settings_dialog.html
@@ -0,0 +1,90 @@
+{{/* Example usage:
+  <button
+    data-controller="settings-dialog"
+    data-action="click->settings-dialog#open"
+    data-settings-dialog-dialogid-param="remove-male-dialog"
+    >
+    Open
+  </button>
+  {{ template "authflowv2/__settings_dialog.html" (dict
+    "Ctx" .
+    "DialogID" "remove-male-dialog"
+    "Title" "Dialog Title"
+    "Description" "Dialog description"
+    "FormContent" (include "inputs" (dict "value" "male"))
+    "Buttons" (list
+      (dict
+        "Type" "Destructive"
+        "Label" (include "v2.component.button.default.label-remove" nil)
+        "Value" "remove"
+        "Event" "authgear.button.sign_in"
+      )
+      (dict
+        "Type" "Cancel"
+        "Label" (include "v2.component.button.default.label-cancel" nil)
+      )
+    )
+  )}}
+*/}}
+
+{{ define "authflowv2/__settings_dialog.html" }}
+{{ template "authflowv2/__dialog.html"
+  (dict
+    "Ctx" $.Ctx
+    "DialogID" $.DialogID
+    "ClassName" "settings-dialog"
+    "DialogContent" (include "authflowv2/__settings_dialog_content.html"
+      (dict
+        "Ctx" $.Ctx
+        "Title" $.Title
+        "Description" $.Description
+        "FormContent" $.FormContent
+        "Buttons" $.Buttons
+      )
+    )
+  )
+}}
+{{ end }}
+
+{{ define "authflowv2/__settings_dialog_content.html" }}
+<form
+  method="post"
+  data-controller="turbo-form"
+  data-action="submit->turbo-form#submitForm">
+  <div class="flex flex-col gap-y-8 flex-1-0-auto">
+    <div class="dialog-title-description">
+      <h1 class="dialog-title">
+        {{ $.Title }}
+      </h1>
+      <p class="dialog-description">
+        {{ $.Description }}
+      </p>
+    </div>
+    <div class="flex flex-col gap-y-4">
+      {{ $.FormContent }}
+      {{ range $.Buttons }}
+        <button
+          {{ if (eq .Type "Cancel") }}
+            type="button"
+            class="secondary-btn"
+            data-dialog-id-param="{{ $.DialogID }}"
+            data-action="click->dialog#closeOnCrossBtnClick"
+          {{ else if (eq .Type "Destructive") }}
+            type="submit"
+            class="primary-btn--destructive"
+            name="x_action"
+          {{ else }}
+            type="submit"
+          {{ end }}
+          value="{{ .Value }}"
+          {{ if $.Event }}
+            data-authgear-event="{{ $.Event }}"
+          {{ end }}
+        >
+          {{ .Label }}
+        </button>
+      {{ end }}
+    </div>
+  </div>
+</form>
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/__settings_item.html b/resources/authgear/templates/en/web/authflowv2/__settings_item.html
index 4fd98b395f..367118db4d 100644
--- a/resources/authgear/templates/en/web/authflowv2/__settings_item.html
+++ b/resources/authgear/templates/en/web/authflowv2/__settings_item.html
@@ -4,6 +4,7 @@
     "Label" (include "some-key" nil)
     "Href" "url"
     "MaterialIconName" `email`
+    "SupplementaryNote" "some content"
     "Children" $.Emails
   )
 }}
@@ -19,6 +20,9 @@
     {{ else }}
       without-content
     {{ end }}
+    {{ if $.SupplementaryNote }}
+      with-note
+    {{end }}
     "
   {{ if $.Href }}
   href="{{ $.Href }}"
@@ -35,10 +39,16 @@
     {{ $.Label }}
   </p>
 
+  {{ if $.SupplementaryNote }}
+    <div class="settings-item__note">
+      {{ $.SupplementaryNote }}
+    </div>
+  {{ end }}
+
   {{/* If there is content */}}
   {{ if $.Children }}
     {{ $length := len $.Children }}
-    <p class="settings-item__description settings-description block tablet:hidden">
+    <p class="settings-item__content settings-description block tablet:hidden">
       {{ $item := index $.Children  0}}
       {{ if gt $length 1 }}
         <span> {{ include "v2.page.settings.default.button-label-and-more" (dict "item" $item ) }} </span>
@@ -46,7 +56,7 @@
         {{ $item }}
       {{ end }}
     </p>
-    <ul class="settings-item__description settings-description hidden tablet:block">
+    <ul class="settings-item__content settings-description hidden tablet:block break-all">
       {{ range $i, $child := $.Children }}
       <li>
         {{ $child }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings.html b/resources/authgear/templates/en/web/authflowv2/settings.html
index fac42a9056..1ca636868d 100644
--- a/resources/authgear/templates/en/web/authflowv2/settings.html
+++ b/resources/authgear/templates/en/web/authflowv2/settings.html
@@ -52,17 +52,20 @@ <h2 class="settings-title text-start">
       {{/* If is Email */}}
       {{ $label := ( include "v2.page.settings.default.button-label-email" nil ) }}{{ $icon := "email" }}
       {{ $identityArr := $.Emails }}{{ $identity := $.Email }}
+      {{ $url := call $.MakeURL "/settings/identity/email" "q_login_id_key" .login_id_key }}
 
       {{/* If is Phone */}}
       {{ if eq .login_id_type "phone" }}
         {{ $label = ( include "v2.page.settings.default.button-label-phone" nil ) }}{{ $icon = "phone_iphone" }}
         {{ $identityArr = $.PhoneNumbers }}{{ $identity = $.PhoneNumber }}
+        {{ $url = call $.MakeURL "/settings/identity/phone" "q_login_id_key" .login_id_key }}
       {{ end }}
 
       {{/* If is Username */}}
       {{ if eq .login_id_type "username" }}
         {{ $label = ( include "v2.page.settings.default.button-label-username" nil ) }}{{ $icon = "account_circle" }}
         {{ $identityArr = $.PreferredUsernames }}{{ $identity = $.PreferredUsername }}
+        {{ $url = call $.MakeURL "/settings/identity/username" "q_login_id_key" .login_id_key }}
       {{ end }}
 
       {{/* Render with given variable */}}
@@ -156,14 +159,22 @@ <h2 class="settings-title text-start">
         )
       }}
 
-      {{ $url = call $.MakeURL "/settings/advanced_settings" }}
-      {{ template "authflowv2/__settings_item.html"
-        (dict
-          "Label" ( include "v2.page.settings.default.button-label-advanced-settings" nil )
-          "Href" $url
-          "MaterialIconName" "settings_alert"
-        )
-      }}
+
+      {{ $show_advanced_settings_button := false }}
+      {{ if $.AccountDeletionAllowed }}
+        {{ $show_advanced_settings_button = true }}
+      {{ end }}
+
+      {{ if $show_advanced_settings_button }}
+        {{ $url = call $.MakeURL "/settings/advanced_settings" }}
+        {{ template "authflowv2/__settings_item.html"
+          (dict
+            "Label" ( include "v2.page.settings.default.button-label-advanced-settings" nil )
+            "Href" $url
+            "MaterialIconName" "settings_alert"
+          )
+        }}
+      {{ end }}
     </div>
   </div>
 
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_advanced.html b/resources/authgear/templates/en/web/authflowv2/settings_advanced.html
new file mode 100644
index 0000000000..67cf4212a2
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_advanced.html
@@ -0,0 +1,24 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ template "authflowv2/__navbar.html"
+    (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings")
+        "Title" (translate "v2.page.settings-advanced-settings.default.title" nil)
+    )
+  }}
+{{ end }}
+
+{{ define "page-content" }}
+<div>
+  {{ $url := call $.MakeURL "/settings/delete_account" }}
+  {{ template "authflowv2/__settings_item.html"
+    (dict
+      "Label" ( include "v2.page.settings.default.button-label-account-deletion" nil )
+      "Href" $url
+      "MaterialIconName" "person_remove"
+    )
+  }}
+</div>
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_biometric.html b/resources/authgear/templates/en/web/authflowv2/settings_biometric.html
new file mode 100644
index 0000000000..ae56ed9d9b
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_biometric.html
@@ -0,0 +1,77 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ template "authflowv2/__navbar.html"
+    (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings")
+        "Title" (translate "v2.page.settings-biometric.default.title" nil)
+    )
+  }}
+{{ end }}
+
+{{ define "page-content" }}
+<div class="flex flex-col">
+  {{ if not $.BiometricIdentities }}
+    <p class="settings-description text-center pt-5">
+      {{ translate "v2.page.settings-biometric.default.no-biometric-description" nil }}
+    </p>
+  {{ end }}
+
+  {{ $ctx := .}}
+  {{ range $.BiometricIdentities }}
+    {{ $name := (include "v2.page.settings-biometric.default.unknown-name-item-label" nil) }}
+    {{ if .DisplayName }}
+      {{ $name = .DisplayName }}
+    {{ end }}
+    {{
+      template "authflowv2/__settings_action_item.html"
+      (dict
+        "IconName" "phone_iphone"
+        "Label" $name
+        "Description" ( include "v2.page.settings-biometric.default.item-description" (dict "time" .CreatedAt "rfc3339" (rfc3339 .CreatedAt)) )
+        "ActionButton" (include "__settings_biometric_item_remove_btn" (dict "DialogID" .ID))
+      )
+    }}
+
+    {{ template "authflowv2/__settings_dialog.html"
+      (dict
+        "Ctx" $ctx
+        "DialogID" .ID
+        "Title" (include "v2.page.settings-biometric.default.dialog-title" nil)
+        "Description" (include "v2.page.settings-biometric.default.dialog-description" nil)
+        "FormContent" (include "__settings_biometric_dialog_remove_input" (dict "BiometricID" .ID "CSRFField" $.CSRFField))
+        "Buttons"
+          (list
+            (dict
+              "Type" "Destructive"
+              "Label" (include "v2.component.button.default.label-remove" nil)
+              "Value" "remove"
+              "Event" "authgear.button.remove_biometric"
+            )
+            (dict
+              "Type" "Cancel"
+              "Label" (include "v2.component.button.default.label-cancel" nil)
+            )
+          )
+    )}}
+  {{ end }}
+
+</div>
+{{end}}
+
+{{ define "__settings_biometric_item_remove_btn" }}
+<button
+  class="settings-link-btn--destructive"
+  data-controller="settings-dialog"
+  data-action="click->settings-dialog#open"
+  data-settings-dialog-dialogid-param="{{ .DialogID }}"
+>
+  {{ translate "v2.page.settings-biometric.default.disconnect-button-label" nil }}
+</button>
+{{ end }}
+
+{{ define "__settings_biometric_dialog_remove_input" }}
+  {{ $.CSRFField }}
+  <input type="hidden" name="x_identity_id" value="{{ $.BiometricID }}">
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_change_password.html b/resources/authgear/templates/en/web/authflowv2/settings_change_password.html
new file mode 100644
index 0000000000..1c61def0fd
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_change_password.html
@@ -0,0 +1,122 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ template "authflowv2/__navbar.html"
+    (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings")
+        "Title" (translate "v2.page.settings-change-password.default.title" nil)
+    )
+  }}
+{{ end }}
+
+{{ define "page-content" }}
+
+{{ $err_map := (resolveError $.RawError (dict
+  "oldPasswordField" (dict
+    "by_reason"                    (list "InvalidCredentials")
+    "by_location"                  (list "x_old_password")
+  )
+  "newPasswordField" (dict
+    "by_reason"                    (list "PasswordPolicyViolated")
+    "by_location"                  (list "x_password")
+  )
+  "confirmPasswordField" (dict
+    "by_reason"                    (list "PasswordPolicyViolated")
+    "by_location"                  (list "x_confirm_password")
+  )
+)) }}
+
+{{ $old_pw_err := index $err_map "oldPasswordField" }}
+{{ $new_pw_err := index $err_map "newPasswordField" }}
+{{ $confirm_pw_err := index $err_map "confirmPasswordField" }}
+{{ $unknown_err := index $err_map "unknown" }}
+
+{{ $has_old_pw_err := not (isNil $old_pw_err )}}
+{{ $has_new_pw_err := not (isNil $new_pw_err )}}
+{{ $has_confirm_pw_err := not (isNil $confirm_pw_err )}}
+{{ $has_unknown_err := not (isNil $unknown_err )}}
+
+
+{{ $old_pw_error_message := ""}}
+{{ if $has_old_pw_err }}
+  {{ $old_pw_error_message = (include "authflowv2/__error.html" (merge (dict "Error" $old_pw_err) $)) }}
+{{ end }}
+
+{{ $new_pw_error_message := ""}}
+{{ if $has_new_pw_err }}
+  {{ $new_pw_error_message = (include "authflowv2/__error.html" (merge (dict "Error" $new_pw_err) $)) }}
+{{ end }}
+
+{{ $confirm_pw_error_message := ""}}
+{{ if $has_confirm_pw_err }}
+  {{ $confirm_pw_error_message = (include "authflowv2/__error.html" (merge (dict "Error" $confirm_pw_err) $)) }}
+{{ end }}
+
+{{ $unknown_error_message := "" }}
+{{ if $has_unknown_err }}
+  {{ $unknown_error_message = (include "authflowv2/__error.html" (merge (dict "Error" $unknown_err) $)) }}
+{{ end }}
+
+<div class="flex flex-col settings-content">
+  {{ template "authflowv2/__alert_message.html"
+    (dict
+    "Type" "error"
+    "Classname" "mb-4"
+    "Message" $unknown_error_message
+    )
+  }}
+  <form
+    method="post"
+    novalidate
+    class="flex flex-col gap-y-8"
+    data-controller="turbo-form"
+    data-action="submit->turbo-form#submitForm"
+  >
+    {{ $.CSRFField }}
+
+    <div class="flex flex-col gap-y-4">
+    <!-- This field is for Chrome and Safari to correctly associate the username with the password -->
+    <!-- both `class="hidden"` and `display:none` do not work for iOS autofill -->
+    {{ if $.PasswordManagerUsername }}
+      <input style="position: absolute; width: 0; height: 0;" aria-hidden="true" type="text" autocomplete="username" name="" value="{{ $.PasswordManagerUsername }}">
+    {{ end }}
+    {{ template "authflowv2/__password_field.html" (dict
+      "Ctx" $
+      "Name" "x_old_password"
+      "Type" "old-password"
+      "AutoFocus" $.ShouldFocusInput
+      "Classname" "w-full"
+      "HasError" $has_old_pw_err
+      "ErrorMessage" $old_pw_error_message
+    ) }}
+
+    {{ template "authflowv2/__new_password_field.html" (dict
+      "Ctx" $
+      "NewPasswordInputName" "x_new_password"
+      "ConfirmPasswordInputName" "x_confirm_password"
+      "AutoFocus" $.ShouldFocusInput
+      "PasswordRules" $.PasswordRulesString
+      "PasswordPolicies" $.PasswordPolicies
+      "HasNewPasswordError" $has_new_pw_err
+      "NewPasswordErrorMessage" $new_pw_error_message
+      "HasConfirmPasswordError" $has_confirm_pw_err
+      "ConfirmPasswordErrorMessage" $confirm_pw_error_message
+    )
+    }}
+    </div>
+
+
+    <button
+      class="primary-btn"
+      type="submit"
+      name="x_action"
+      value=""
+      data-authgear-event="authgear.button.change_password"
+    >
+      {{ translate "v2.component.button.default.label-continue" nil }}
+    </button>
+  </form>
+</div>
+
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_delete_account.html b/resources/authgear/templates/en/web/authflowv2/settings_delete_account.html
new file mode 100644
index 0000000000..f8df9d7463
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_delete_account.html
@@ -0,0 +1,45 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ template "authflowv2/__navbar.html"
+    (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings")
+        "Title" (translate "v2.page.settings-delete-account.default.title" nil)
+    )
+  }}
+{{ end }}
+
+{{ define "page-content" }}
+<div class="flex flex-col gap-y-8 w-full tablet:max-w-86 mx-auto">
+  <p class="settings-description text-center">
+    {{ translate "v2.page.settings-delete-account.default.description" (dict "date" $.ExpectedAccountDeletionTime "rfc3339" (rfc3339 $.ExpectedAccountDeletionTime)) }}
+  </p>
+  <form
+    method="post"
+    novalidate
+    data-controller="account-deletion"
+    class="w-full"
+  >
+    {{ $.CSRFField }}
+    <input
+      class="input w-full"
+      name="delete"
+      placeholder="{{ include "v2.page.settings-delete-account.default.input-placeholder" (dict "input" "DELETE") }}"
+      data-account-deletion-target="input"
+      data-action="input->account-deletion#delete"
+    >
+    <button
+      class="primary-btn--destructive w-full mt-4"
+      type="submit"
+      name="x_action"
+      value="delete"
+      data-account-deletion-target="button"
+      data-authgear-event="authgear.button.schedule_account_deletion"
+      disabled
+    >
+      {{ translate "v2.page.settings-delete-account.default.button-label" nil }}
+    </button>
+  </form>
+</div>
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_delete_account_success.html b/resources/authgear/templates/en/web/authflowv2/settings_delete_account_success.html
new file mode 100644
index 0000000000..40fde18d55
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_delete_account_success.html
@@ -0,0 +1,35 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-content"}}
+<form
+  class="flex flex-col gap-y-2 w-full tablet:max-w-86 mx-auto"
+  method="post"
+  data-controller="turbo-form"
+  data-action="submit->turbo-form#submitForm"
+  novalidate
+  data-controller="turbo-form"
+
+>
+  {{ $.CSRFField }}
+  <div class="flex flex-col gap-y-2 settings-headline text-center">
+    <i class="material-icons text-5xl">auto_delete</i>
+    <h1>
+      {{ translate "v2.page.settings-delete-account-success.default.title" nil }}
+    </h1>
+  </div>
+
+  <div class="flex flex-col gap-y-8">
+    <p class="settings-description text-center">
+      {{ translate "v2.page.settings-delete-account-success.default.description" (dict "date" $.ExpectedAccountDeletionTime "rfc3339" (rfc3339 $.ExpectedAccountDeletionTime)) }}
+    </p>
+    <button
+      class="primary-btn w-full"
+      type="submit"
+      name="x_action"
+      value=""
+    >
+      {{ translate "v2.page.settings-delete-account-success.default.button-label" nil }}
+    </button>
+  </div>
+</form>
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_identity_add_email.html b/resources/authgear/templates/en/web/authflowv2/settings_identity_add_email.html
new file mode 100644
index 0000000000..725340879e
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_identity_add_email.html
@@ -0,0 +1,49 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ template "authflowv2/__navbar.html"
+     (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings/identity/email" "q_login_id_key" $.LoginIDKey)
+        "Title" (translate "v2.page.settings-identity-add-email.default.title" nil)
+     )
+  }}
+{{ end }}
+
+{{ define "page-content" }}
+
+<form
+  class="settings-content flex flex-col gap-y-4 py-5 tablet:py-0"
+  method="post"
+  novalidate
+  data-controller="turbo-form"
+  data-action="submit->turbo-form#submitForm">
+
+  {{ template "authflowv2/__alert_message.html"
+    (dict
+      "Type" "error"
+      "Message" (include "authflowv2/__error.html" .)
+    )
+  }}
+
+  {{ $.CSRFField }}
+
+  <input
+    class="input"
+    name="x_login_id"
+    placeholder="{{ include "v2.page.settings-identity-add-email.default.email-input-placeholder" nil }}"
+    autocomplete="username webauthn"
+    autocapitalize="none"
+  />
+
+  <button
+    class="primary-btn"
+    type="submit"
+    name="x_action"
+    data-authgear-event="authgear.button.change_login_id"
+  >
+    {{ translate "v2.component.button.default.label-continue" nil }}
+  </button>
+</form>
+
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_identity_add_phone.html b/resources/authgear/templates/en/web/authflowv2/settings_identity_add_phone.html
new file mode 100644
index 0000000000..adeeb68524
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_identity_add_phone.html
@@ -0,0 +1,58 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ template "authflowv2/__navbar.html"
+     (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings/identity/phone" "q_login_id_key" $.LoginIDKey)
+        "Title" (translate "v2.page.settings-identity-add-phone.default.title" nil)
+     )
+  }}
+{{ end }}
+
+{{ define "page-content" }}
+
+<form
+  class="settings-content flex flex-col gap-y-4 py-5 tablet:py-0"
+  method="post"
+  novalidate
+  data-controller="turbo-form"
+  data-action="submit->turbo-form#submitForm">
+
+  {{ $display_error := false }}
+  {{ if $.Error }}
+    {{ $display_error = true }}
+  {{ end }}
+
+  {{ template "authflowv2/__alert_message.html"
+    (dict
+      "Type" "error"
+      "Message" (include "authflowv2/__error.html" .)
+    )
+  }}
+
+  {{ $.CSRFField }}
+
+  {{ template "authflowv2/__phone_input.html"
+    (dict
+      "Placeholder" (include "v2.page.settings-identity-add-phone.default.phone-input-placeholder" nil)
+      "IsError" $display_error
+      "AutoFocus" $.ShouldFocusInput
+      "PhoneInputAttrs" `
+        data-text-field-target="input"
+      `
+      "InputName" "x_login_id"
+    )
+  }}
+
+  <button
+    class="primary-btn"
+    type="submit"
+    name="x_action"
+    data-authgear-event="authgear.button.change_login_id"
+  >
+    {{ translate "v2.component.button.default.label-continue" nil }}
+  </button>
+</form>
+
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_identity_change_primary_email.html b/resources/authgear/templates/en/web/authflowv2/settings_identity_change_primary_email.html
new file mode 100644
index 0000000000..e1ba296b95
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_identity_change_primary_email.html
@@ -0,0 +1,55 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ template "authflowv2/__navbar.html"
+     (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings/identity/email" "q_login_id_key" $.LoginIDKey)
+        "Title" (translate "v2.page.settings-identity-change-primary-email.default.title" nil)
+     )
+  }}
+{{ end }}
+
+{{ define "page-content" }}
+
+<form
+  class="settings-content flex flex-col gap-y-8"
+  method="post"
+  novalidate
+  data-controller="turbo-form"
+  data-action="submit->turbo-form#submitForm"
+>
+  {{ $.CSRFField }}
+  <ul>
+    {{ $currentEmail := .Email }}
+    {{ range .EmailIdentities }}
+      <li>
+        {{ template "authflowv2/__settings_radio.html"
+        (dict
+          "Label" (include "__settgins_identity_change_primary_email_item_label" .OriginalLoginID)
+          "Name" "/email"
+          "Value" .LoginID
+          "ShowInput" false
+          "DefaultChecked" (eq .LoginID $currentEmail)
+        )
+        }}
+      </li>
+    {{ end }}
+  </ul>
+
+  <button
+    class="primary-btn"
+    type="submit"
+    name="x_action"
+    value="save"
+    data-authgear-event="authgear.button.update_profile"
+  >
+    {{ translate "v2.component.button.default.label-save" nil }}
+  </button>
+</form>
+
+{{ end }}
+
+{{ define "__settgins_identity_change_primary_email_item_label" }}
+  <span class="break-all">{{ . }}</span>
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_identity_change_primary_phone.html b/resources/authgear/templates/en/web/authflowv2/settings_identity_change_primary_phone.html
new file mode 100644
index 0000000000..f947e4e6c7
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_identity_change_primary_phone.html
@@ -0,0 +1,56 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ template "authflowv2/__navbar.html"
+     (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings/identity/phone" "q_login_id_key" $.LoginIDKey)
+        "Title" (translate "v2.page.settings-identity-change-primary-phone.default.title" nil)
+     )
+  }}
+{{ end }}
+
+{{ define "page-content" }}
+
+<form
+  class="settings-content flex flex-col gap-y-8"
+  method="post"
+  novalidate
+  data-controller="turbo-form"
+  data-action="submit->turbo-form#submitForm"
+>
+  {{ $.CSRFField }}
+  <ul>
+    {{ $currentPhone := .PhoneNumber }}
+    {{ range .PhoneIdentities }}
+      <li>
+        {{ template "authflowv2/__settings_radio.html" (dict
+            "Label" (include "__settgins_identity_change_primary_phone_item_label" .OriginalLoginID)
+            "Name" "/phone_number"
+            "Value" .LoginID
+            "ShowInput" false
+            "DefaultChecked" (eq .LoginID $currentPhone)
+          )
+        }}
+      </li>
+    {{ end }}
+  </ul>
+
+  <button
+    id="save-button"
+    class="primary-btn"
+    type="submit"
+    name="x_action"
+    value="save"
+    data-authgear-event="authgear.button.update_profile"
+  >
+    {{ translate "v2.component.button.default.label-save" nil }}
+  </button>
+
+</form>
+
+{{ end }}
+
+{{ define "__settgins_identity_change_primary_phone_item_label" }}
+  <span class="break-all">{{ . }}</span>
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_identity_edit_email.html b/resources/authgear/templates/en/web/authflowv2/settings_identity_edit_email.html
new file mode 100644
index 0000000000..46c5720c1c
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_identity_edit_email.html
@@ -0,0 +1,64 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ template "authflowv2/__navbar.html"
+     (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings/identity/email" "q_login_id_key" $.LoginIDKey)
+        "Title" (translate "v2.page.settings-identity-edit-email.default.title" nil)
+     )
+  }}
+{{ end }}
+
+{{ define "page-content" }}
+
+<form
+  class="settings-content flex flex-col gap-y-4 py-5 tablet:py-0"
+  method="post"
+  novalidate
+  data-controller="turbo-form"
+  data-action="submit->turbo-form#submitForm">
+
+  {{ template "authflowv2/__alert_message.html"
+    (dict
+      "Type" "error"
+      "Message" (include "authflowv2/__error.html" .)
+    )
+  }}
+
+  {{ $.CSRFField }}
+
+  <span class="screen-description">
+    {{ include "v2.page.settings-identity-edit-email.default.description"
+      (dict "target" (include "__settings_identity_edit_email_inline_breakable" .Target.OriginalLoginID))
+    }}
+  </span>
+
+  <input
+    class="input"
+    name="x_login_id"
+    placeholder="{{ include "v2.page.settings-identity-edit-email.default.email-input-placeholder" nil }}"
+    autocapitalize="none"
+  />
+
+  <input
+    type="hidden"
+    name="x_identity_id"
+    value="{{ .Target.ID }}"
+  />
+
+  <button
+    class="primary-btn"
+    type="submit"
+    name="x_action"
+    data-authgear-event="authgear.button.change_login_id"
+  >
+    {{ translate "v2.component.button.default.label-continue" nil }}
+  </button>
+</form>
+
+{{ end }}
+
+{{ define "__settings_identity_edit_email_inline_breakable" }}
+  <span class="break-all"><b>{{ . }}</b></span>
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_identity_edit_phone.html b/resources/authgear/templates/en/web/authflowv2/settings_identity_edit_phone.html
new file mode 100644
index 0000000000..572e8ac028
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_identity_edit_phone.html
@@ -0,0 +1,74 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ template "authflowv2/__navbar.html"
+     (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings/identity/phone" "q_login_id_key" $.LoginIDKey)
+        "Title" (translate "v2.page.settings-identity-edit-phone.default.title" nil)
+     )
+  }}
+{{ end }}
+
+{{ define "page-content" }}
+
+<form
+  class="settings-content flex flex-col gap-y-4 py-5 tablet:py-0"
+  method="post"
+  novalidate
+  data-controller="turbo-form"
+  data-action="submit->turbo-form#submitForm">
+
+  {{ $display_error := false }}
+  {{ if $.Error }}
+    {{ $display_error = true }}
+  {{ end }}
+
+  {{ template "authflowv2/__alert_message.html"
+    (dict
+      "Type" "error"
+      "Message" (include "authflowv2/__error.html" .)
+    )
+  }}
+
+  {{ $.CSRFField }}
+
+  <span class="screen-description">
+    {{ include "v2.page.settings-identity-edit-phone.default.description"
+      (dict "target" (include "__settings_identity_edit_phone_inline_bold" .Target.OriginalLoginID))
+    }}
+  </span>
+
+  {{ template "authflowv2/__phone_input.html"
+    (dict
+      "Placeholder" (include "v2.page.settings-identity-edit-phone.default.phone-input-placeholder" nil)
+      "IsError" $display_error
+      "AutoFocus" $.ShouldFocusInput
+      "PhoneInputAttrs" `
+        data-text-field-target="input"
+      `
+      "InputName" "x_login_id"
+    )
+  }}
+
+  <input
+    type="hidden"
+    name="x_identity_id"
+    value="{{ .Target.ID }}"
+  />
+
+  <button
+    class="primary-btn"
+    type="submit"
+    name="x_action"
+    data-authgear-event="authgear.button.change_login_id"
+  >
+    {{ translate "v2.component.button.default.label-continue" nil }}
+  </button>
+</form>
+
+{{ end }}
+
+{{ define "__settings_identity_edit_phone_inline_bold" }}
+  <b>{{ . }}</b>
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_identity_edit_username.html b/resources/authgear/templates/en/web/authflowv2/settings_identity_edit_username.html
new file mode 100644
index 0000000000..f3b27dd5fe
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_identity_edit_username.html
@@ -0,0 +1,59 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ template "authflowv2/__navbar.html"
+     (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings/identity/view_username" "q_login_id" $.Identity.ID)
+        "Title" (translate "v2.page.settings-identity-edit-username.default.title" nil)
+     )
+  }}
+{{ end }}
+
+{{ define "page-content" }}
+<form
+  class="settings-content flex flex-col gap-y-4 py-5 tablet:py-0"
+  method="post"
+  novalidate
+  data-controller="turbo-form"
+  data-action="submit->turbo-form#submitForm"
+>
+  {{ template "authflowv2/__alert_message.html"
+    (dict
+      "Type" "error"
+      "Message" (include "authflowv2/__error.html" .)
+    )
+  }}
+
+  {{ $.CSRFField }}
+
+  <input
+    class="input"
+    name="x_login_id"
+    autocomplete="username webauthn"
+    autocapitalize="none"
+    value="{{ $.Identity.OriginalLoginID }}"
+  />
+
+  <input
+    name="x_identity_id"
+    type="hidden"
+    value="{{ $.Identity.ID }}"
+  />
+
+  <input
+    name="x_login_id_key"
+    type="hidden"
+    value="{{ $.Identity.LoginIDKey }}"
+  />
+
+  <button
+    class="primary-btn"
+    type="submit"
+    name="x_action"
+    data-authgear-event="authgear.button.change_login_id"
+  >
+    {{ translate "v2.component.button.default.label-save" nil }}
+  </button>
+</form>
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_identity_list_email.html b/resources/authgear/templates/en/web/authflowv2/settings_identity_list_email.html
new file mode 100644
index 0000000000..bac3e92847
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_identity_list_email.html
@@ -0,0 +1,86 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ template "authflowv2/__navbar.html"
+     (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings" "q_login_id_key" $.LoginIDKey)
+        "Title" (translate "v2.page.settings-identity-email.default.title" nil)
+     )
+  }}
+{{ end }}
+
+{{ define "settings_identity_email_verification_label" }}
+  {{ if $.Verified }}
+    <div class="body-text--md settings-text-color-success">
+      {{ translate "v2.page.settings-identity.default.verification-status-verified-label" . }}
+    </div>
+  {{ else }}
+    <div class="body-text--md settings-text-color-failure">
+      {{ translate "v2.page.settings-identity.default.verification-status-unverified-label" . }}
+    </div>
+  {{ end }}
+{{ end }}
+
+{{ define "page-content" }}
+
+<div class="flex flex-col gap-y-6">
+  {{ if $.EmailIdentities }}
+  <ol>
+    {{ range $.EmailIdentities }}
+      <li>
+        {{ $claims := index $.Verifications .ID }}
+        {{ if not (empty $claims) }}
+          {{ $claim := first $claims }}
+          {{ $href := (call $.MakeURL "/settings/identity/view_email" "q_login_id_key" $.LoginIDKey "q_identity_id" .ID )}}
+          {{ template "authflowv2/__settings_action_item.html"
+              (dict
+                "IconName" "email"
+                "Label" .OriginalLoginID
+                "Description" (include "settings_identity_email_verification_label"
+                  (dict "Verified" $claim.Verified)
+                )
+                "RedirectURL" $href
+              )
+          }}
+        {{ end }}
+      </li>
+    {{ end }}
+  </ol>
+  {{ end }}
+
+  {{ if not $.CreateDisabled}}
+    {{ $href := (call $.MakeURL "/settings/identity/add_email" "q_login_id_key" $.LoginIDKey ) }}
+    <a
+      class="settings-link-btn"
+      href="{{ $href }}"
+    >
+      {{ translate "v2.page.settings-identity-list-email.default.button-add-email-label" nil }}
+    </a>
+  {{ end }}
+
+  {{ if and ($.PrimaryEmail) (gt (len $.EmailIdentities) (1)) }}
+    <div class="mt-5">
+      <div class="settings-title">
+        {{ translate "v2.page.settings-identity-list-email.default.primary-email-label" . }}
+      </div>
+      {{ template "authflowv2/__settings_action_item.html"
+        (dict
+          "IconName" "email"
+          "Label" .PrimaryEmail.OriginalLoginID
+          "ActionButton" (include "settings_identity_email_change_button"
+            (dict "Href" (call $.MakeURL "/settings/identity/change_primary_email" "q_login_id_key" $.LoginIDKey))
+          )
+        )
+      }}
+    </div>
+  {{ end }}
+</div>
+
+{{ end }}
+
+{{ define "settings_identity_email_change_button" }}
+  <a class="settings-link-btn" href="{{ $.Href }}">
+    {{ translate "v2.page.settings-identity-list-email.default.button-change-primary-email-label" . }}
+  </a>
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_identity_list_phone.html b/resources/authgear/templates/en/web/authflowv2/settings_identity_list_phone.html
new file mode 100644
index 0000000000..e314531811
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_identity_list_phone.html
@@ -0,0 +1,86 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ template "authflowv2/__navbar.html"
+     (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings")
+        "Title" (translate "v2.page.settings-identity-phone.default.title" nil)
+     )
+  }}
+{{ end }}
+
+{{ define "settings_identity_phone_verification_label" }}
+  {{ if $.Verified }}
+    <div class="body-text--md settings-text-color-success">
+      {{ translate "v2.page.settings-identity.default.verification-status-verified-label" . }}
+    </div>
+  {{ else }}
+    <div class="body-text--md settings-text-color-failure">
+      {{ translate "v2.page.settings-identity.default.verification-status-unverified-label" . }}
+    </div>
+  {{ end }}
+{{ end }}
+
+{{ define "page-content" }}
+
+<div class="flex flex-col gap-y-6">
+  {{ if $.PhoneIdentities }}
+  <ol>
+    {{ range $.PhoneIdentities }}
+      <li>
+        {{ $claims := index $.Verifications .ID }}
+        {{ if not (empty $claims) }}
+          {{ $claim := first $claims }}
+          {{ $href := (call $.MakeURL "/settings/identity/view_phone" "q_login_id_key" $.LoginIDKey "q_identity_id" .ID )}}
+          {{ template "authflowv2/__settings_action_item.html"
+              (dict
+                "IconName" "phone_iphone"
+                "Label" .OriginalLoginID
+                "Description" (include "settings_identity_phone_verification_label"
+                  (dict "Verified" $claim.Verified)
+                )
+                "RedirectURL" $href
+              )
+          }}
+        {{ end }}
+      </li>
+    {{ end }}
+  </ol>
+  {{ end }}
+
+  {{ if not $.CreateDisabled}}
+    {{ $href := (call $.MakeURL "/settings/identity/add_phone" "q_login_id_key" $.LoginIDKey ) }}
+    <a
+      class="settings-link-btn"
+      href="{{ $href }}"
+    >
+      {{ translate "v2.page.settings-identity-list-phone.default.button-add-phone-label" nil }}
+    </a>
+  {{ end }}
+
+  {{ if and ($.PrimaryEmail) (gt (len $.PhoneIdentities) (1)) }}
+    <span>
+      <div class="settings-title">
+        {{ translate "v2.page.settings-identity-list-phone.default.primary-phone-label" . }}
+      </div>
+      {{ template "authflowv2/__settings_action_item.html"
+        (dict
+          "IconName" "phone_iphone"
+          "Label" .PrimaryPhone.OriginalLoginID
+          "ActionButton" (include "settings_identity_phone_change_button"
+            (dict "Href" (call $.MakeURL "/settings/identity/change_primary_phone" "q_login_id_key" $.LoginIDKey "q_identity_id" .PrimaryPhone.ID))
+          )
+        )
+      }}
+    </div>
+  {{ end }}
+</div>
+
+{{ end }}
+
+{{ define "settings_identity_phone_change_button" }}
+  <a class="settings-link-btn" href="{{ $.Href }}">
+    {{ translate "v2.page.settings-identity-list-phone.default.button-change-primary-phone-label" . }}
+  </a>
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_identity_list_username.html b/resources/authgear/templates/en/web/authflowv2/settings_identity_list_username.html
new file mode 100644
index 0000000000..0e7d01712a
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_identity_list_username.html
@@ -0,0 +1,41 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ template "authflowv2/__navbar.html"
+     (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings")
+        "Title" (translate "v2.page.settings-identity-list-username.default.title" nil)
+     )
+  }}
+{{ end }}
+
+{{ define "page-content" }}
+<div class="flex flex-col gap-y-6">
+  {{ if $.UsernameIdentities }}
+  <ul>
+    {{ range $.UsernameIdentities }}
+      <li>
+        {{ $href := (call $.MakeURL "/settings/identity/view_username" "q_login_id" .ID )}}
+        {{ template "authflowv2/__settings_action_item.html"
+            (dict
+              "Label" .OriginalLoginID
+              "RedirectURL" $href
+            )
+        }}
+      </li>
+    {{ end }}
+  </ul>
+  {{ end }}
+
+  {{ if not $.CreateDisabled}}
+    {{ $href := (call $.MakeURL "/settings/identity/new_username" "q_login_id_key" $.LoginIDKey ) }}
+    <a
+      class="settings-link-btn"
+      href="{{ $href }}"
+    >
+      {{ translate "v2.page.settings-identity-list-username.default.button-add-username-label" nil }}
+    </a>
+  {{ end }}
+</div>
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_identity_new_username.html b/resources/authgear/templates/en/web/authflowv2/settings_identity_new_username.html
new file mode 100644
index 0000000000..18369ae105
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_identity_new_username.html
@@ -0,0 +1,52 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ template "authflowv2/__navbar.html"
+     (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings/identity/username" "q_login_id_key" $.LoginIDKey)
+        "Title" (translate "v2.page.settings-identity-new-username.default.title" nil)
+     )
+  }}
+{{ end }}
+
+{{ define "page-content" }}
+<form
+  class="settings-content flex flex-col gap-y-4 py-5 tablet:py-0"
+  method="post"
+  novalidate
+  data-controller="turbo-form"
+  data-action="submit->turbo-form#submitForm"
+>
+  {{ template "authflowv2/__alert_message.html"
+    (dict
+      "Type" "error"
+      "Message" (include "authflowv2/__error.html" .)
+    )
+  }}
+
+  {{ $.CSRFField }}
+
+  <input
+    class="input"
+    name="x_login_id"
+    autocomplete="username webauthn"
+    autocapitalize="none"
+  />
+
+  <input
+    name="x_login_id_key"
+    type="hidden"
+    value="{{ $.LoginIDKey }}"
+  />
+
+  <button
+    class="primary-btn"
+    type="submit"
+    name="x_action"
+    data-authgear-event="authgear.button.change_login_id"
+  >
+    {{ translate "v2.component.button.default.label-save" nil }}
+  </button>
+</form>
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_identity_verify_email.html b/resources/authgear/templates/en/web/authflowv2/settings_identity_verify_email.html
new file mode 100644
index 0000000000..e0875cdd63
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_identity_verify_email.html
@@ -0,0 +1,76 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ template "authflowv2/__navbar.html"
+     (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings/identity/email" "q_login_id_key" $.LoginIDKey)
+        "Title" (translate "v2.page.settings-identity-verify-email.default.title" nil)
+     )
+  }}
+{{ end }}
+
+{{ define "page-content" }}
+
+<div class="settings-content flex flex-col gap-y-8 flex-1-0-auto">
+  <div class="screen-title-description">
+    <h2 class="screen-description">
+      {{ include "v2.page.enter-oob-otp.auth-email-or-sms.subtitle"
+        (dict
+          "CodeLength" $.CodeLength
+          "MaskedClaimValue" (include "__settings_identity_verify_mask_claim" $.MaskedClaimValue)
+        )
+      }}
+    </h2>
+
+    {{ template "authflowv2/__alert_message.html"
+      (dict
+        "Type" "error"
+        "Classname" "mt-4"
+        "Message" (ternary (include "authflowv2/__error.html" .) nil (not $.display_otp_input_error))
+      )
+    }}
+  </div>
+  <div>
+    {{ $otp_error_message := "" }}
+    {{ if $.Error  }}
+      {{ if $.display_otp_input_error }}
+        {{ $otp_error_message = include "authflowv2/__error.html" .  }}
+      {{ end }}
+    {{ end }}
+
+    <form
+      id="main-form"
+      method="post"
+      novalidate
+      data-restore-form="false"
+      data-controller="turbo-form"
+      data-action="submit->turbo-form#submitForm"
+    >
+      {{ $.CSRFField }}
+      <input type="hidden" name="x_login_id_key" value="{{ $.LoginIDKey }}">
+    </form>
+
+    {{ template "authflowv2/__otp_input.html"
+      (dict
+        "CSRFField" $.CSRFField
+        "FormName" "main-form"
+        "CodeLength" $.CodeLength
+        "AutoFocus" true
+        "Disabled" $.FailedAttemptRateLimitExceeded
+        "ResendButtonLabel" (include "v2.component.oob-otp-resend-button.default.label" nil)
+        "ResendButtonLabelWithValue" (include "v2.component.oob-otp-resend-button.default.countdown-unit" nil)
+        "ResendButtonCooldown" $.ResendCooldown
+        "SubmitEvent" "authgear.button.submit_verification_code"
+        "ResendEvent" "authgear.button.resend_verification_code"
+        "ErrorMessage" $otp_error_message
+      )
+    }}
+  </div>
+</div>
+
+{{ end }}
+
+{{ define "__settings_identity_verify_mask_claim" }}
+  <b>{{ . }}</b>
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_identity_verify_phone.html b/resources/authgear/templates/en/web/authflowv2/settings_identity_verify_phone.html
new file mode 100644
index 0000000000..fe2d1f26ae
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_identity_verify_phone.html
@@ -0,0 +1,76 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ template "authflowv2/__navbar.html"
+     (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings/identity/phone" "q_login_id_key" $.LoginIDKey)
+        "Title" (translate "v2.page.settings-identity-verify-phone.default.title" nil)
+     )
+  }}
+{{ end }}
+
+{{ define "page-content" }}
+
+<div class="settings-content flex flex-col gap-y-8 flex-1-0-auto">
+    <div class="screen-title-description">
+      <h2 class="screen-description">
+        {{ include "v2.page.enter-oob-otp.auth-email-or-sms.subtitle"
+          (dict
+            "CodeLength" $.CodeLength
+            "MaskedClaimValue" (include "__settings_identity_verify_phone_inline_breakable" $.MaskedClaimValue)
+          )
+        }}
+      </h2>
+
+      {{ template "authflowv2/__alert_message.html"
+        (dict
+          "Type" "error"
+          "Classname" "mt-4"
+          "Message" (ternary (include "authflowv2/__error.html" .) nil (not $.display_otp_input_error))
+        )
+      }}
+    </div>
+    <div>
+      {{ $otp_error_message := "" }}
+      {{ if $.Error  }}
+        {{ if $.display_otp_input_error }}
+          {{ $otp_error_message = include "authflowv2/__error.html" .  }}
+        {{ end }}
+      {{ end }}
+
+      <form
+        id="main-form"
+        method="post"
+        novalidate
+        data-restore-form="false"
+        data-controller="turbo-form"
+        data-action="submit->turbo-form#submitForm"
+      >
+        {{ $.CSRFField }}
+        <input type="hidden" name="x_login_id_key" value="{{ $.LoginIDKey }}">
+      </form>
+
+      {{ template "authflowv2/__otp_input.html"
+        (dict
+          "CSRFField" $.CSRFField
+          "FormName" "main-form"
+          "CodeLength" $.CodeLength
+          "AutoFocus" true
+          "Disabled" $.FailedAttemptRateLimitExceeded
+          "ResendButtonLabel" (include "v2.component.oob-otp-resend-button.default.label" nil)
+          "ResendButtonLabelWithValue" (include "v2.component.oob-otp-resend-button.default.countdown-unit" nil)
+          "ResendButtonCooldown" $.ResendCooldown
+          "SubmitEvent" "authgear.button.submit_verification_code"
+          "ResendEvent" "authgear.button.resend_verification_code"
+          "ErrorMessage" $otp_error_message
+        )
+      }}
+    </div>
+</div>
+
+{{ end }}
+
+{{ define "__settings_identity_verify_phone_inline_breakable" }}
+  <span class="break-all"><b>{{ . }}</b></span>
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_identity_view_email.html b/resources/authgear/templates/en/web/authflowv2/settings_identity_view_email.html
new file mode 100644
index 0000000000..8c67d8235f
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_identity_view_email.html
@@ -0,0 +1,126 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ template "authflowv2/__navbar.html"
+     (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings/identity/email" "q_login_id_key" $.LoginIDKey)
+        "Title" (translate "v2.page.settings-identity-email.default.title" nil)
+     )
+  }}
+{{ end }}
+
+{{ define "settings_identity_email_verification_label" }}
+  {{ if $.Verified }}
+    <div class="body-text--md settings-text-color-success">
+      {{ translate "v2.page.settings-identity.default.verification-status-verified-label" . }}
+    </div>
+  {{ else }}
+    <div class="body-text--md settings-text-color-failure">
+      {{ translate "v2.page.settings-identity.default.verification-status-unverified-label" . }}
+    </div>
+  {{ end }}
+{{ end }}
+
+{{ define "settings_identity_email_edit_button" }}
+  {{ if not $.Verified }}
+    <a class="settings-link-btn" href="{{ $.Href }}">
+      {{ translate "v2.page.settings-identity-view-email.default.button-edit-email-label" . }}
+    </a>
+  {{ end }}
+{{ end }}
+
+{{ define "settings_identity_email_verification_button" }}
+  <form
+    method="post"
+    novalidate
+    data-controller="turbo-form"
+    data-action="submit->turbo-form#submitForm"
+    >
+    {{ .CSRFField }}
+    <input type="hidden" name="x_login_id" value="{{ .LoginID }}">
+    <input type="hidden" name="x_identity_id" value="{{ .IdentityID }}">
+    <button type="submit" class="secondary-btn" name="x_action" value="verify">
+      {{ translate "v2.page.settings-identity-view-email.default.button-verify-email-label" . }}
+    </button>
+  </form>
+{{ end }}
+
+{{ define "page-content" }}
+
+{{ $LoginID := $.EmailIdentity.LoginID }}
+{{ $IdentityID := $.EmailIdentity.ID }}
+
+<div class="flex flex-col gap-y-6">
+  {{ $extraContent := "" }}
+  {{ if not $.Verified }}
+    {{ $extraContent = (include "settings_identity_email_verification_button"
+        (dict
+          "CSRFField" $.CSRFField
+          "LoginID" $LoginID
+          "IdentityID" $IdentityID
+        )
+      )
+    }}
+  {{ end }}
+  {{ template "authflowv2/__settings_action_item.html"
+      (dict
+        "IconName" "email"
+        "Label" $.EmailIdentity.OriginalLoginID
+        "Description" (include "settings_identity_email_verification_label"
+          (dict "Verified" $.Verified)
+        )
+        "ActionButton" (include "settings_identity_email_edit_button"
+          (dict "Href" (call $.MakeURL "/settings/identity/edit_email" "q_login_id_key" $.LoginIDKey "q_identity_id" $IdentityID))
+        )
+        "ExtraContent" $extraContent
+      )
+  }}
+
+  {{ if not $.DeleteDisabled}}
+    {{ $RemoveDialogID := "remove-email-identity-dialog" }}
+    <button
+      class="settings-link-btn--destructive"
+      data-controller="settings-dialog"
+      data-settings-dialog-dialogid-param="{{ $RemoveDialogID }}"
+      data-action="click->settings-dialog#open">
+      {{ translate "v2.page.settings-identity-view-email.default.button-remove-email-label" nil }}
+    </button>
+
+    {{ template "authflowv2/__settings_dialog.html"
+      (dict
+        "Ctx" .
+        "DialogID" $RemoveDialogID
+        "Title" (include "v2.page.settings-identity-view-email.default.remove-identity-dialog-title" nil)
+        "Description" (include "v2.page.settings-identity-view-email.default.remove-identity-dialog-description"
+          (dict
+            "target" (include "__settings_identity_view_email_inline_breakable" $.EmailIdentity.OriginalLoginID )
+          )
+        )
+        "FormContent" (include "__settings_identity_view_email_remove_dialog_form_content" .)
+        "Buttons" (list
+          (dict
+            "Type" "Destructive"
+            "Label" (include "v2.component.button.default.label-remove" nil)
+            "Value" "remove"
+          )
+          (dict
+            "Type" "Cancel"
+            "Label" (include "v2.component.button.default.label-cancel" nil)
+          )
+        )
+      )
+    }}
+  {{ end }}
+</div>
+
+{{ end }}
+
+{{ define "__settings_identity_view_email_remove_dialog_form_content" }}
+  {{ $.CSRFField }}
+  <input type="hidden" name="x_identity_id" value="{{ $.EmailIdentity.ID }}">
+{{ end }}
+
+{{ define "__settings_identity_view_email_inline_breakable" }}
+  <span class="break-all"><b>{{ . }}</b></span>
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_identity_view_phone.html b/resources/authgear/templates/en/web/authflowv2/settings_identity_view_phone.html
new file mode 100644
index 0000000000..4827346e4a
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_identity_view_phone.html
@@ -0,0 +1,123 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ template "authflowv2/__navbar.html"
+     (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings/identity/phone" "q_login_id_key" $.LoginIDKey)
+        "Title" (translate "v2.page.settings-identity-phone.default.title" nil)
+     )
+  }}
+{{ end }}
+
+{{ define "settings_identity_phone_verification_label" }}
+  {{ if $.Verified }}
+    <div class="body-text--md settings-text-color-success">
+      {{ translate "v2.page.settings-identity.default.verification-status-verified-label" . }}
+    </div>
+  {{ else }}
+    <div class="body-text--md settings-text-color-failure">
+      {{ translate "v2.page.settings-identity.default.verification-status-unverified-label" . }}
+    </div>
+  {{ end }}
+{{ end }}
+
+{{ define "settings_identity_phone_edit_button" }}
+  <a class="settings-link-btn" href="{{ $.Href }}">
+    {{ translate "v2.page.settings-identity-view-phone.default.button-edit-phone-label" . }}
+  </a>
+{{ end }}
+
+{{ define "settings_identity_phone_verification_button" }}
+  <form
+    method="post"
+    novalidate
+    data-restore-form="false"
+    data-controller="turbo-form"
+    data-action="submit->turbo-form#submitForm"
+  >
+    {{ .CSRFField }}
+    <input type="hidden" name="x_login_id" value="{{ .LoginID }}">
+    <input type="hidden" name="x_identity_id" value="{{ .IdentityID }}">
+    <button type="submit" class="secondary-btn" name="x_action" value="verify">
+      {{ translate "v2.page.settings-identity-view-phone.default.button-verify-phone-label" . }}
+    </button>
+  </form>
+{{ end }}
+
+{{ define "page-content" }}
+
+<div class="flex flex-col gap-y-6">
+  {{ $extraContent := "" }}
+  {{ if not $.Verified }}
+    {{ $extraContent = (include "settings_identity_phone_verification_button" (dict
+        "CSRFField" $.CSRFField
+        "Verified" false
+        "LoginID" $.PhoneIdentity.LoginID
+        "IdentityID" $.PhoneIdentity.ID
+      ))
+    }}
+  {{ end }}
+
+  {{ template "authflowv2/__settings_action_item.html"
+      (dict
+        "IconName" "phone_iphone"
+        "Label" $.PhoneIdentity.OriginalLoginID
+        "Description" (include "settings_identity_phone_verification_label"
+          (dict "Verified" $.Verified)
+        )
+        "ActionButton" (include "settings_identity_phone_edit_button"
+          (dict "Href" (call $.MakeURL "/settings/identity/edit_phone" "q_identity_id" $.PhoneIdentity.ID "q_login_id_key" $.LoginIDKey))
+        )
+        "ExtraContent" $extraContent
+      )
+  }}
+
+  {{ if not $.DeleteDisabled}}
+    {{ $RemoveDialogID := "remove-phone-identity-dialog" }}
+
+    <button
+      class="settings-link-btn--destructive"
+      data-controller="settings-dialog"
+      data-settings-dialog-dialogid-param="{{ $RemoveDialogID }}"
+      data-action="click->settings-dialog#open">
+      {{ translate "v2.page.settings-identity-view-phone.default.button-remove-phone-label" nil }}
+    </button>
+
+    {{ template "authflowv2/__settings_dialog.html"
+      (dict
+        "Ctx" .
+        "DialogID" $RemoveDialogID
+        "Title" (include "v2.page.settings-identity-view-phone.default.remove-identity-dialog-title" nil)
+        "Description" (include "v2.page.settings-identity-view-phone.default.remove-identity-dialog-description"
+          (dict
+            "target" (include "__settings_identity_view_phone_inline_breakable" $.PhoneIdentity.OriginalLoginID )
+          )
+        )
+        "FormContent" (include "__settings_identity_view_phone_remove_dialog_form_content" .)
+        "Buttons" (list
+          (dict
+            "Type" "Destructive"
+            "Label" (include "v2.component.button.default.label-remove" nil)
+            "Value" "remove"
+          )
+          (dict
+            "Type" "Cancel"
+            "Label" (include "v2.component.button.default.label-cancel" nil)
+          )
+        )
+      )
+    }}
+  {{ end }}
+</div>
+
+{{ end }}
+
+{{ define "__settings_identity_view_phone_remove_dialog_form_content" }}
+  {{ $.CSRFField }}
+  <input type="hidden" name="x_identity_id" value="{{ $.PhoneIdentity.ID }}">
+{{ end }}
+
+{{ define "__settings_identity_view_phone_inline_breakable" }}
+  <b class="break-all">{{ . }}</b>
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_identity_view_username.html b/resources/authgear/templates/en/web/authflowv2/settings_identity_view_username.html
new file mode 100644
index 0000000000..ff24025926
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_identity_view_username.html
@@ -0,0 +1,78 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ template "authflowv2/__navbar.html"
+     (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings/identity/username" "q_login_id_key" $.LoginIDKey)
+        "Title" (translate "v2.page.settings-identity-view-username.default.title" nil)
+     )
+  }}
+{{ end }}
+
+{{ define "page-content" }}
+
+<div class="flex flex-col gap-y-6">
+  {{ $actionButton := "" }}
+  {{ if not $.UpdateDisabled }}
+    {{ $actionButton = (include "__settings_identity_view_username_edit_button" .) }}
+  {{ end }}
+
+
+  {{ template "authflowv2/__settings_action_item.html"
+      (dict
+        "Label" $.Identity.OriginalLoginID
+        "ActionButton" $actionButton
+      )
+  }}
+
+  {{ if not $.DeleteDisabled }}
+    <button
+      type="button"
+      class="settings-link-btn--destructive"
+      data-controller="settings-dialog"
+      data-action="click->settings-dialog#open"
+      data-settings-dialog-dialogid-param="settings-identity-delete-username"
+    >
+      {{ translate "v2.page.settings-identity-view-username.default.button-remove-label" nil}}
+    </button>
+
+    {{ template "authflowv2/__settings_dialog.html" (dict
+      "Ctx" .
+      "DialogID" "settings-identity-delete-username"
+      "Title" (translate "v2.page.settings-identity-view-username.default.dialog-delete-username-title" nil)
+      "Description" (translate "v2.page.settings-identity-view-username.default.dialog-delete-username-description" (dict "Username" $.Identity.OriginalLoginID))
+      "FormContent" (include "__settings_identity_view_username_delete_username_form_content" .)
+      "Buttons" (list
+        (dict
+          "Type" "Destructive"
+          "Label" (include "v2.component.button.default.label-remove" nil)
+          "Value" "remove"
+          "Event" "authgear.button.remove_login_id"
+        )
+        (dict
+          "Type" "Cancel"
+          "Label" (include "v2.component.button.default.label-cancel" nil)
+        )
+      )
+    )}}
+  {{ end }}
+</div>
+
+{{ end }}
+
+{{ define "__settings_identity_view_username_edit_button" }}
+{{ $editURL := (call $.MakeURL "/settings/identity/edit_username" "q_login_id" $.Identity.ID) }}
+<a
+  class="settings-link-btn"
+  href="{{ $editURL }}"
+>
+  {{ translate "v2.component.button.default.label-edit" nil }}
+</a>
+{{ end }}
+
+{{ define "__settings_identity_view_username_delete_username_form_content" }}
+{{ $.CSRFField }}
+<input type="hidden" name="x_identity_id" value="{{$.Identity.ID}}" />
+<input type="hidden" name="x_login_id_key" value="{{$.Identity.LoginIDKey}}" />
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_mfa.html b/resources/authgear/templates/en/web/authflowv2/settings_mfa.html
new file mode 100644
index 0000000000..baa408cd2b
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_mfa.html
@@ -0,0 +1,151 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ template "authflowv2/__navbar.html"
+     (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings")
+        "Title" (translate "v2.page.settings-mfa.default.title" nil)
+     )
+  }}
+{{ end }}
+
+{{ define "page-content" }}
+
+{{ if $.ShowMFA }}
+<div>
+  {{ if $.ShowSecondaryTOTP }}
+    {{ $href := (call $.MakeURL "/settings/mfa/new_totp") }}
+    {{ if $.SecondaryPassword }}
+      {{ $href = (call $.MakeURL "/settings/mfa/totp") }}
+    {{ end }}
+    {{ template "__settings_mfa_item"
+        (dict
+          "MaterialIconName" "phone_iphone"
+          "Label" (translate "v2.page.settings-mfa.default.secondary-totp-label" nil)
+          "IsActive" $.HasSecondaryTOTP
+          "Href" $href
+        )
+    }}
+  {{ end }}
+
+  {{ if $.ShowSecondaryOOBOTPEmail }}
+    {{ $href := (call $.MakeURL "/settings/mfa/new_oob_otp_email") }}
+    {{ if $.SecondaryPassword }}
+      {{ $href = (call $.MakeURL "/settings/mfa/oob_otp_email") }}
+    {{ end }}
+    {{ template "__settings_mfa_item"
+        (dict
+          "MaterialIconName" "mail"
+          "Label" (translate "v2.page.settings-mfa.default.secondary-oob-otp-email-label" nil)
+          "IsActive" $.HasSecondaryOOBOTPEmail
+          "Href" $href
+        )
+    }}
+  {{ end }}
+
+  {{ if $.ShowSecondaryOOBOTPSMS }}
+    {{ $href := (call $.MakeURL "/settings/mfa/new_oob_otp_sms") }}
+    {{ if $.SecondaryPassword }}
+      {{ $href = (call $.MakeURL "/settings/mfa/oob_otp_sms") }}
+    {{ end }}
+    {{ template "__settings_mfa_item"
+        (dict
+          "MaterialIconName" "phone_iphone"
+          "Label" (translate "v2.page.settings-mfa.default.secondary-oob-otp-sms-label" nil)
+          "IsActive" $.HasSecondaryOOBOTPSMS
+          "Href" $href
+        )
+    }}
+  {{ end }}
+
+  {{ if $.ShowSecondaryPassword }}
+    {{ $href := (call $.MakeURL "/settings/mfa/create_password") }}
+    {{ if $.SecondaryPassword }}
+      {{ $href = (call $.MakeURL "/settings/mfa/password") }}
+    {{ end }}
+    {{ template "__settings_mfa_item"
+        (dict
+          "MaterialIconName" "lock"
+          "Label" (translate "v2.page.settings-mfa.default.additional-password-label" nil)
+          "IsActive" $.SecondaryPassword
+          "Href" $href
+        )
+    }}
+  {{ end }}
+
+  {{ if $.HasMFA}}
+    {{ if gt $.NumberOfDeviceTokens 0 }}
+      <button
+        type="button"
+        class="block w-full"
+        data-controller="settings-dialog"
+        data-action="click->settings-dialog#open"
+        data-settings-dialog-dialogid-param="settings-mfa-revoke-device"
+      >
+        {{ template "authflowv2/__settings_action_item.html"
+            (dict
+              "IconName" "person_check"
+              "Label" (translate "v2.page.settings-mfa.default.trusted-devices-label" nil)
+              "Description" (translate "v2.page.settings-mfa.default.trusted-devices-has-device-tokens-message" (dict "NumberOfDeviceTokens" $.NumberOfDeviceTokens))
+            )
+        }}
+      </button>
+
+      {{ template "authflowv2/__settings_dialog.html" (dict
+        "Ctx" .
+        "DialogID" "settings-mfa-revoke-device"
+        "Title" (translate "v2.page.settings-mfa.default.dialog-revoke-device-title" nil)
+        "Description" (translate "v2.page.settings-mfa.default.dialog-revoke-device-description" (dict
+          "NumberOfDeviceTokens" $.NumberOfDeviceTokens
+        ))
+        "FormContent" $.CSRFField
+        "Buttons" (list
+          (dict
+            "Type" "Destructive"
+            "Label" (include "v2.component.button.default.label-remove" nil)
+            "Value" "revoke_device"
+          )
+          (dict
+            "Type" "Cancel"
+            "Label" (include "v2.component.button.default.label-cancel" nil)
+          )
+        )
+      )}}
+    {{ else }}
+      {{ template "authflowv2/__settings_action_item.html"
+          (dict
+            "IconName" "person_check"
+            "Label" (translate "v2.page.settings-mfa.default.trusted-devices-label" nil)
+            "Description" (translate "v2.page.settings-mfa.default.trusted-devices-no-device-tokens-message" nil)
+          )
+      }}
+    {{ end }}
+  {{ end }}
+</div>
+{{ end }}
+
+{{ end }}
+
+{{ define "__settings_mfa_item" }}
+  {{ template "authflowv2/__settings_action_item.html"
+      (dict
+        "IconName" $.MaterialIconName
+        "Label" $.Label
+        "RedirectURL" $.Href
+        "Description" (include "__settings_mfa_item_status"
+          (dict
+            "IsActive" $.IsActive
+          )
+        )
+      )
+  }}
+{{ end }}
+
+{{ define "__settings_mfa_item_status" }}
+  {{ if $.IsActive }}
+    <span class="text-[color:var(--color-success)]">{{ translate "v2.page.settings-mfa.default.activated-label" nil}}</span>
+  {{ else }}
+    <span class="text-[color:var(--color-warning)]">{{ translate "v2.page.settings-mfa.default.inactive-label" nil}}</span>
+  {{ end }}
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_mfa_create_password.html b/resources/authgear/templates/en/web/authflowv2/settings_mfa_create_password.html
new file mode 100644
index 0000000000..d17c243b25
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_mfa_create_password.html
@@ -0,0 +1,96 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ template "authflowv2/__navbar.html"
+     (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings/mfa")
+        "Title" (translate "v2.page.settings-mfa-create-password.default.title" nil)
+     )
+  }}
+{{ end }}
+
+{{ define "page-content" }}
+
+{{ $err_map := (resolveError $.RawError (dict
+  "passwordField" (dict
+    "by_reason"                    (list "InvalidCredentials" "PasswordPolicyViolated")
+    "by_location"                  (list "x_password")
+  )
+  "confirmPasswordField" (dict
+    "by_reason"                    (list "PasswordPolicyViolated")
+    "by_location"                  (list "x_confirm_password")
+  )
+)) }}
+
+{{ $pw_err := index $err_map "passwordField" }}
+{{ $confirm_pw_err := index $err_map "confirmPasswordField" }}
+{{ $unknown_err := index $err_map "unknown" }}
+
+{{ $has_pw_err := not (isNil $pw_err )}}
+{{ $has_confirm_pw_err := not (isNil $confirm_pw_err )}}
+{{ $has_unknown_err := not (isNil $unknown_err )}}
+
+
+{{ $pw_error_message := ""}}
+{{ if $has_pw_err }}
+  {{ $pw_error_message = (include "authflowv2/__error.html" (merge (dict "Error" $pw_err) $)) }}
+{{ end }}
+
+{{ $confirm_pw_error_message := ""}}
+{{ if $has_confirm_pw_err }}
+  {{ $confirm_pw_error_message = (include "authflowv2/__error.html" (merge (dict "Error" $confirm_pw_err) $)) }}
+{{ end }}
+
+{{ $unknown_error_message := "" }}
+{{ if $has_unknown_err }}
+  {{ $unknown_error_message = (include "authflowv2/__error.html" (merge (dict "Error" $unknown_err) $)) }}
+{{ end }}
+
+<form
+  class="settings-content flex flex-col gap-y-8"
+  method="post"
+  novalidate
+  data-controller="turbo-form"
+  data-action="submit->turbo-form#submitForm"
+>
+  {{ template "authflowv2/__alert_message.html"
+    (dict
+      "Type" "error"
+      "Classname" "mt-4"
+      "Message" $unknown_error_message
+    )
+  }}
+
+  {{ $.CSRFField }}
+  {{ if $.PasswordManagerUsername }}
+    <!-- class="hidden" doesn't work with password manager -->
+    <input style="display: none;" aria-hidden="true" type="text" autocomplete="username" name="" value="{{ $.PasswordManagerUsername }}">
+  {{ end }}
+  {{ template "authflowv2/__new_password_field.html"
+    (dict
+      "Ctx" $
+      "NewPasswordInputName" "x_password"
+      "ConfirmPasswordInputName" "x_confirm_password"
+      "NewPasswordInputPlaceholder" (include "v2.component.password-input.default.placeholder-new-password" nil)
+      "ConfirmPasswordInputPlaceholder" (include "v2.component.password-input.default.placeholder-confirm-new-password" nil)
+      "AutoFocus" $.ShouldFocusInput
+      "PasswordRules" $.PasswordRulesString
+      "PasswordPolicies" $.PasswordPolicies
+      "HasNewPasswordError" $has_pw_err
+      "NewPasswordErrorMessage" $pw_error_message
+      "HasConfirmPasswordError" $has_confirm_pw_err
+      "ConfirmPasswordErrorMessage" $confirm_pw_error_message
+    )
+  }}
+
+  <button
+    class="primary-btn"
+    type="submit"
+    name="x_action"
+    data-authgear-event="authgear.button.create_password"
+  >
+    {{ translate "v2.component.button.default.label-continue" nil }}
+  </button>
+</form>
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_mfa_password.html b/resources/authgear/templates/en/web/authflowv2/settings_mfa_password.html
new file mode 100644
index 0000000000..9a8c0bbd17
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_mfa_password.html
@@ -0,0 +1,79 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ template "authflowv2/__navbar.html"
+     (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings/mfa")
+        "Title" (translate "v2.page.settings-mfa-password.default.title" nil)
+     )
+  }}
+{{ end }}
+
+{{ define "page-content" }}
+{{ if $.ShowSecondaryPassword }}
+  <div class="flex flex-col gap-y-8">
+    {{ $href := (call $.MakeURL "/settings/mfa/create_password") }}
+    {{ if $.SecondaryPassword }}
+      {{ $href = (call $.MakeURL "/settings/mfa/password") }}
+    {{ end }}
+
+    {{ template "authflowv2/__settings_item.html"
+        (dict
+          "Label" (translate "v2.page.settings-mfa-password.default.additional-password-label" nil)
+          "Href" (call $.MakeURL "/settings/mfa/edit_password")
+          "SupplementaryNote" (include "__settings_mfa_password_description" (dict "SecondaryPassword" $.SecondaryPassword))
+        )
+    }}
+
+    <button
+      type="button"
+      class="settings-link-btn--destructive"
+      data-controller="settings-dialog"
+      data-action="click->settings-dialog#open"
+      data-settings-dialog-dialogid-param="settings-mfa-delete-secondary-password"
+    >
+      {{ translate "v2.page.settings-mfa-password.default.remove-button-label" nil }}
+    </button>
+
+    {{ template "authflowv2/__settings_dialog.html" (dict
+      "Ctx" .
+      "DialogID" "settings-mfa-delete-secondary-password"
+      "Title" (translate "v2.page.settings-mfa-password.default.dialog-delete-title" nil)
+      "Description" (translate "v2.page.settings-mfa-password.default.dialog-delete-description" nil)
+      "FormContent" $.CSRFField
+      "Buttons" (list
+        (dict
+          "Type" "Destructive"
+          "Label" (include "v2.component.button.default.label-remove" nil)
+          "Value" "remove_secondary_password"
+        )
+        (dict
+          "Type" "Cancel"
+          "Label" (include "v2.component.button.default.label-cancel" nil)
+        )
+      )
+    )}}
+  </div>
+{{ end }}
+{{ end }}
+
+{{ define "__settings_mfa_password_description" }}
+<span class="settings-description">
+  {{ if (eq $.SecondaryPassword.CreatedAt $.SecondaryPassword.UpdatedAt) }}
+    {{
+      (translate "v2.page.settings-mfa-password.default.additional-password-added-at" (dict
+        "time" $.SecondaryPassword.CreatedAt
+        "rfc3339" (rfc3339 $.SecondaryPassword.CreatedAt)
+      ))
+    }}
+  {{ else }}
+    {{
+      $supplementaryNote = (translate "v2.page.settings-mfa-password.default.additional-password-updated-at" (dict
+        "time" $.SecondaryPassword.UpdatedAt
+        "rfc3339" (rfc3339 $.SecondaryPassword.UpdatedAt)
+      ))
+    }}
+  {{ end }}
+</span>
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_oob_otp.html b/resources/authgear/templates/en/web/authflowv2/settings_oob_otp.html
new file mode 100644
index 0000000000..12a9d133f8
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_oob_otp.html
@@ -0,0 +1,70 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ $title := (translate "v2.page.settings-oob-otp-sms.default.title" nil) }}
+  {{ if eq $.OOBOTPType "email" }}
+    {{ $title = (translate "v2.page.settings-oob-otp-email.default.title" nil) }}
+  {{ end }}
+  {{ template "authflowv2/__navbar.html"
+     (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings/mfa")
+        "Title" $title
+     )
+  }}
+{{ end }}
+
+{{ define "page-content" }}
+<div>
+  {{ if $.OOBOTPAuthenticators }}
+    <ul>
+      {{ range $.OOBOTPAuthenticators }}
+        <li>
+          {{ $label := .Phone }}
+          {{ if eq $.OOBOTPType "email" }}
+            {{ $label = .Email }}
+          {{ end }}
+          {{ template "authflowv2/__settings_action_item.html"
+              (dict
+                "Label" $label
+                "Description" (include "__settings_oob_otp_item_added_at" .)
+                "ActionButton" (include "__settings_oob_otp_item_delete_button" nil)
+              )
+          }}
+        </li>
+      {{ end }}
+    </ul>
+  {{ end }}
+
+  {{ $href := (call $.MakeURL (printf "/settings/mfa/new_oob_otp_%s" $.OOBOTPType)) }}
+  <a
+    class="settings-link-btn mt-6 block"
+    href="{{ $href }}"
+  >
+    {{ $label := (translate "v2.page.settings-oob-otp.default.button-oob-otp-sms-label" nil)}}
+    {{ if eq $.OOBOTPType "email" }}
+      {{ $label = (translate "v2.page.settings-oob-otp.default.button-oob-otp-email-label" nil) }}
+    {{ end }}
+    {{ $label }}
+  </a>
+</div>
+{{ end }}
+
+
+{{ define "__settings_oob_otp_item_added_at" }}
+<span>
+  {{
+    translate "v2.page.settings-oob-otp.default.added-at-label"
+      (dict
+        "time" .CreatedAt
+        "rfc3339" (rfc3339 .CreatedAt)
+      )
+  }}
+</span>
+{{ end }}
+
+{{ define "__settings_oob_otp_item_delete_button" }}
+<button type="button">
+  <i class="material-icons text-[1.5rem] text-[var(--color-neutral-200)]">close</i>
+</button>
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_passkey.html b/resources/authgear/templates/en/web/authflowv2/settings_passkey.html
new file mode 100644
index 0000000000..4baf50bee5
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_passkey.html
@@ -0,0 +1,103 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ template "authflowv2/__navbar.html"
+    (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings")
+        "Title" (translate "v2.page.settings-passkey.default.title" nil)
+    )
+  }}
+{{ end }}
+
+{{ define "page-content" }}
+<div
+  class="flex flex-col"
+  data-controller="authflow-passkey-creation"
+  data-authflow-passkey-creation-options-value="{{ $.CreationOptionsJSON }}"
+>
+  {{ $ctx := . }}
+  {{ range $.PasskeyIdentities }}
+    {{
+      template "authflowv2/__settings_action_item.html"
+      (dict
+        "Label" .Passkey.CreationOptions.PublicKey.User.DisplayName
+        "Description" ( include "__settings_passkey_item_description" . )
+        "ActionButton" (include "__settings_passkey_item_remove_btn" (dict "DialogID" .ID))
+      )
+    }}
+    {{ template "authflowv2/__settings_dialog.html" (dict
+      "Ctx" $ctx
+      "DialogID" .ID
+      "Title" (include "v2.page.settings-passkey.default.dialog-title" nil)
+      "Description" (include "v2.page.settings-passkey.default.dialog-description" nil)
+      "FormContent" (include "__settings_passkey_dialog_remove_input" (dict "ID" .ID "CSRFField" $.CSRFField))
+      "Buttons" (list
+        (dict
+          "Type" "Destructive"
+          "Label" (include "v2.component.button.default.label-remove" nil)
+          "Value" "remove"
+          "Event" "authgear.button.remove_passkey"
+        )
+        (dict
+          "Type" "Cancel"
+          "Label" (include "v2.component.button.default.label-cancel" nil)
+        )
+      )
+    )}}
+  {{ end }}
+  <button
+    type="button"
+    class="settings-link-btn py-6"
+    data-action="click->authflow-passkey-creation#create"
+    data-authflow-passkey-creation-target="button"
+    data-authgear-event="authgear.button.create_passkey"
+  >
+    {{ translate "v2.page.settings-passkey.default.add-passkey-button-label" nil }}
+  </button>
+  <form
+    class="hidden"
+    method="post"
+    novalidate
+    data-controller="turbo-form"
+    data-action="submit->turbo-form#submitForm"
+  >
+    {{ $.CSRFField }}
+    <input
+      type="hidden"
+      name="x_attestation_response"
+      data-authflow-passkey-creation-target="input"
+    />
+    <button
+      type="submit"
+      class="hidden"
+      name="x_action"
+      value="add"
+      data-authflow-passkey-creation-target="submit">
+    </button>
+  </form>
+</div>
+{{ end }}
+
+{{ define "__settings_passkey_item_description" }}
+  <div>
+    <p>{{ .Passkey.CreationOptions.PublicKey.User.DisplayName }}</p>
+    <p>{{ translate "v2.page.settings-passkey.default.item-description" (dict "time" .CreatedAt "rfc3339" (rfc3339 .CreatedAt))}}</p>
+  </div>
+{{ end }}
+
+{{ define "__settings_passkey_item_remove_btn" }}
+<button
+  class="settings-action-item__icon--pale"
+  data-controller="settings-dialog"
+  data-action="click->settings-dialog#open"
+  data-settings-dialog-dialogid-param="{{ .DialogID }}"
+>
+  <i class="material-icons">close</i>
+</button>
+{{ end }}
+
+{{ define "__settings_passkey_dialog_remove_input" }}
+  {{ $.CSRFField }}
+  <input type="hidden" name="x_identity_id" value="{{ .ID }}">
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_profile.html b/resources/authgear/templates/en/web/authflowv2/settings_profile.html
index 46f3218c95..69f56be7ac 100644
--- a/resources/authgear/templates/en/web/authflowv2/settings_profile.html
+++ b/resources/authgear/templates/en/web/authflowv2/settings_profile.html
@@ -5,7 +5,7 @@
      (dict
         "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
         "BackHref" (call $.MakeURL "/settings")
-        "Title" (translate "v2.page.settings-profile.default.navbar-title" nil)
+        "Title" (translate "v2.page.settings-profile.default.title" nil)
      )
   }}
 {{ end }}
@@ -134,29 +134,51 @@
           )
       }}
     {{ end }}
+
+    {{ range $.CustomAttributes }}
+      {{ $labelKey := printf "custom-attribute-label-%s" .Pointer }}
+      {{ $hasKey := $.Translations.HasKey $labelKey }}
+
+      {{ $label := .Label }}
+      {{ if $hasKey }}
+        {{ $label = (translate $labelKey nil) }}
+      {{ end }}
+
+      {{ template "__settings_profile_item"
+        (merge
+          (dict
+            "Title" $label
+            "Content" (default "" .Value)
+            "Editable" .IsEditable
+            "EditURL" (call $.MakeURL "/settings/profile/custom_attributes/edit" "pointer" .Pointer)
+          )
+          $
+        )
+      }}
+    {{ end }}
   </div>
 </div>
 
 {{ end }}
 
 {{ define "__settings_profile_item" }}
-{{ $url := "" }}
-{{ if $.Editable }}
-  {{ $url = $.EditURL }}
-{{ end }}
+  {{ $url := "" }}
+  {{ if $.Editable }}
+    {{ $url = $.EditURL }}
+  {{ end }}
 
-{{ $content := (translate "v2.page.settings-profile.default.attribute-value-unspecified-label" nil) }}
-{{ if $.Content }}
-  {{ $content = $.Content }}
-{{ end }}
+  {{ $content := (translate "v2.page.settings-profile.default.attribute-value-unspecified-label" nil) }}
+  {{ if $.Content }}
+    {{ $content = $.Content }}
+  {{ end }}
 
-{{ template "authflowv2/__settings_item.html"
-  (dict
-    "Label" $.Title
-    "Href" $url
-    "Children" (list $content)
-  )
-}}
+  {{ template "authflowv2/__settings_item.html"
+    (dict
+      "Label" $.Title
+      "Href" $url
+      "Children" (list $content)
+    )
+  }}
 {{ end }}
 
 {{ define "__settings_profile_date_item" }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_profile_edit_address.html b/resources/authgear/templates/en/web/authflowv2/settings_profile_edit_address.html
index 424c24178a..9dd3162cad 100644
--- a/resources/authgear/templates/en/web/authflowv2/settings_profile_edit_address.html
+++ b/resources/authgear/templates/en/web/authflowv2/settings_profile_edit_address.html
@@ -4,7 +4,7 @@
 {{ template "authflowv2/__navbar.html"
   (dict
     "BackHref" (call $.MakeURL "/settings/profile")
-    "Title" (translate "v2.page.settings-profile-edit-address.default.navbar-title" nil)
+    "Title" (translate "v2.page.settings-profile-edit-address.default.title" nil)
   )
 }}
 {{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_profile_edit_birthdate.html b/resources/authgear/templates/en/web/authflowv2/settings_profile_edit_birthdate.html
index 67ab8a3f46..983eb3e5fd 100644
--- a/resources/authgear/templates/en/web/authflowv2/settings_profile_edit_birthdate.html
+++ b/resources/authgear/templates/en/web/authflowv2/settings_profile_edit_birthdate.html
@@ -4,7 +4,7 @@
 {{ template "authflowv2/__navbar.html"
   (dict
     "BackHref" (call $.MakeURL "/settings/profile")
-    "Title" (translate "v2.page.settings-profile-edit-birthdate.default.navbar-title" nil)
+    "Title" (translate "v2.page.settings-profile-edit-birthdate.default.title" nil)
   )
 }}
 {{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_profile_edit_custom.html b/resources/authgear/templates/en/web/authflowv2/settings_profile_edit_custom.html
new file mode 100644
index 0000000000..c812709472
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_profile_edit_custom.html
@@ -0,0 +1,196 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ $ca := (call $.GetCustomAttributeByPointer $.Pointer) }}
+
+  {{ $labelKey := printf "custom-attribute-label-%s" $ca.Pointer }}
+  {{ $hasKey := $.Translations.HasKey $labelKey }}
+
+  {{ $label := $ca.Label }}
+  {{ if $hasKey }}
+    {{ $label = (translate $labelKey nil) }}
+  {{ end }}
+
+  {{ template "authflowv2/__navbar.html"
+     (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings/profile")
+        "Title" $label
+     )
+  }}
+{{ end }}
+
+{{ define "page-content" }}
+
+<form
+  class="settings-content flex flex-col gap-y-8"
+  data-controller="turbo-form"
+  data-action="submit->turbo-form#submitForm"
+  method="post"
+>
+  {{ $.CSRFField }}
+
+  {{ $ca := (call $.GetCustomAttributeByPointer $.Pointer) }}
+  {{ $Value := $ca.Value }}
+
+  {{ $err_map := (resolveError $.RawError (dict)) }}
+  {{ $unknown_err := index $err_map "unknown" }}
+  {{ $unknown_error_message := "" }}
+  {{ $has_unknown_err := not (empty $unknown_err) }}
+  {{ if $has_unknown_err }}
+    {{ $unknown_error_message = (include "authflowv2/__error.html" (merge (dict "Error" $unknown_err) $)) }}
+  {{ end }}
+  {{ template "authflowv2/__alert_message.html"
+    (dict
+    "Type" "error"
+    "Message" $unknown_error_message
+    )
+  }}
+
+  <label class="flex flex-col gap-y-2">
+    {{/* The control */}}
+
+    {{ if (eq $ca.Type "string") }}
+      {{ template "authflowv2/__settings_text_input.html"
+          (dict
+            "Name" $.Pointer
+            "Value" $Value
+          )
+      }}
+    {{ end }}
+
+    {{ if (eq $ca.Type "number") }}
+      <input
+        type="number"
+        inputmode="decimal"
+        class="input"
+        name="{{ $ca.Pointer }}"
+        value="{{ showAttributeValue $Value }}"
+      >
+      {{ include "__settings_profile_edit_custom_numerical_range_label"
+        (dict "Minimum" $ca.Minimum "Maximum" $ca.Maximum)
+      }}
+    {{ end }}
+
+    {{ if (eq $ca.Type "integer") }}
+      <input
+        type="number"
+        inputmode="numeric"
+        class="input"
+        name="{{ $ca.Pointer }}"
+        value="{{ showAttributeValue $Value }}"
+      >
+      {{ include "__settings_profile_edit_custom_numerical_range_label"
+        (dict "Minimum" $ca.Minimum "Maximum" $ca.Maximum)
+      }}
+    {{ end }}
+
+    {{ if (eq $ca.Type "enum") }}
+      {{ range $ca.Enum }}
+
+        {{ $enum_label_key := printf "custom-attribute-enum-label-%s-%s" $ca.Pointer $Value }}
+        {{ $enum_has_key := $.Translations.HasKey $enum_label_key }}
+        {{ $enum_label := .Label}}
+        {{ if $enum_has_key }}
+          {{ $enum_label = (translate $enum_label_key nil) }}
+        {{ end }}
+
+        {{ template "authflowv2/__settings_radio.html"
+          (dict
+            "Label" $enum_label
+            "Name" "gender-select"
+            "Value" .Value
+            "DefaultChecked" ( eq $Value .Value )
+          )
+        }}
+      {{ end }}
+    {{ end }}
+
+    {{ if (eq $ca.Type "phone_number") }}
+      {{ template "authflowv2/__phone_input.html"
+        (dict
+          "Placeholder" (include "v2.component.input.default.placeholder-phone" nil)
+          "InputName" $.Pointer
+          "AutoFocus" true
+          "Value" $Value
+        )
+      }}
+    {{ end }}
+
+    {{ if (eq $ca.Type "email") }}
+      <input
+        class="block input"
+        type="text"
+        inputmode="email"
+        name="{{ $.Pointer }}"
+        value="{{ $Value }}"
+        placeholder="{{ default (include "v2.component.input.default.placeholder-email" nil) .Placeholder }}"
+        autocomplete="{{ .Autocomplete }}"
+        autocapitalize="none"
+      />
+    {{ end }}
+
+    {{ if (eq $ca.Type "url") }}
+      <input
+        class="block input"
+        type="url"
+        inputmode="url"
+        name="{{ $.Pointer }}"
+        value="{{ $Value }}"
+        autocapitalize="none"
+      />
+    {{ end }}
+
+    {{ if (eq $ca.Type "country_code") }}
+      {{ template "authflowv2/__country_input.html"
+        (dict
+          "Alpha2" $.Alpha2
+          "Name" $.Pointer
+          "Value" $Value
+        )
+      }}
+    {{ end }}
+  </label>
+
+  <button
+    class="primary-btn"
+    type="submit"
+    name="x_action"
+    value="save"
+    data-authgear-event="authgear.button.update_profile"
+  >
+    {{ translate "v2.component.button.default.label-save" . }}
+  </button>
+</form>
+
+{{ end }}
+
+{{ define "__settings_profile_edit_custom_numerical_range_label" }}
+  {{ if (and (isNil .Minimum) (isNil .Maximum)) }}
+  {{ else if (and (not (isNil .Minimum)) (isNil .Maximum)) }}
+    <span class="body-text--md">
+      {{ translate "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum"
+          (dict
+            "minimum" (showAttributeValue .Minimum)
+          )
+      }}
+    </span>
+  {{ else if (and (isNil .Minimum) (not (isNil .Maximum))) }}
+    <span class="body-text--md">
+      {{ translate "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-maximum"
+          (dict
+            "maximum" (showAttributeValue .Maximum)
+          )
+      }}
+    </span>
+  {{ else }}
+    <span class="body-text--md">
+      {{ translate "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum-maximum"
+          (dict
+            "minimum" (showAttributeValue .Minimum)
+            "maximum" (showAttributeValue .Maximum)
+          )
+      }}
+    </span>
+  {{ end }}
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_profile_edit_locale.html b/resources/authgear/templates/en/web/authflowv2/settings_profile_edit_locale.html
index fc86343070..70d9f643de 100644
--- a/resources/authgear/templates/en/web/authflowv2/settings_profile_edit_locale.html
+++ b/resources/authgear/templates/en/web/authflowv2/settings_profile_edit_locale.html
@@ -5,7 +5,7 @@
       (dict
         "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
         "BackHref" (call $.MakeURL "/settings/profile")
-        "Title" (translate "v2.page.settings-profile-edit-locale.default.navbar-title" nil)
+        "Title" (translate "v2.page.settings-profile-edit-locale.default.title" nil)
       )
   }}
 {{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_profile_edit_name.html b/resources/authgear/templates/en/web/authflowv2/settings_profile_edit_name.html
index b934640080..fec3d9c4d9 100644
--- a/resources/authgear/templates/en/web/authflowv2/settings_profile_edit_name.html
+++ b/resources/authgear/templates/en/web/authflowv2/settings_profile_edit_name.html
@@ -5,7 +5,7 @@
      (dict
         "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
         "BackHref" (call $.MakeURL "/settings/profile")
-        "Title" (translate "v2.page.settings-profile-edit-name.default.navbar-title" nil)
+        "Title" (translate "v2.page.settings-profile-edit-name.default.title" nil)
      )
   }}
 {{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_profile_edit_zoneinfo.html b/resources/authgear/templates/en/web/authflowv2/settings_profile_edit_zoneinfo.html
index fd9b8dc4a0..c197edec4b 100644
--- a/resources/authgear/templates/en/web/authflowv2/settings_profile_edit_zoneinfo.html
+++ b/resources/authgear/templates/en/web/authflowv2/settings_profile_edit_zoneinfo.html
@@ -5,7 +5,7 @@
      (dict
        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
         "BackHref" (call $.MakeURL "/settings/profile")
-        "Title" (translate "v2.page.settings-profile-edit-zoneinfo.default.navbar-title" nil)
+        "Title" (translate "v2.page.settings-profile-edit-zoneinfo.default.title" nil)
      )
   }}
 {{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_sessions.html b/resources/authgear/templates/en/web/authflowv2/settings_sessions.html
new file mode 100644
index 0000000000..e8e9e8d4a4
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_sessions.html
@@ -0,0 +1,121 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ template "authflowv2/__navbar.html"
+    (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings")
+        "Title" (translate "v2.page.settings-sessions.default.title" nil)
+    )
+  }}
+{{ end }}
+
+{{ define "page-content" }}
+<div class="flex flex-col">
+  {{ $ctx := . }}
+  {{ range .Sessions }}
+  {{ $actionBtn := "" }}
+  {{ if not .IsCurrent }}
+    {{ $actionBtn = (include "__settings_session_item_remove_btn" (dict "DialogID" .ID)) }}
+      {{ template "authflowv2/__settings_dialog.html" (dict
+        "Ctx" $ctx
+        "DialogID" .ID
+        "Title" (include "v2.page.settings-sessions.default.session-dialog-title" nil)
+        "Description" (include "v2.page.settings-sessions.default.session-dialog-description" nil)
+        "FormContent" (include "__settings_session_dialog_remove_input" (dict "ID" .ID "CSRFField" $.CSRFField))
+        "Buttons" (list
+          (dict
+            "Type" "Destructive"
+            "Label" (include "v2.component.button.default.label-terminate" nil)
+            "Value" "revoke"
+            "Event" "authgear.button.revoke_session"
+          )
+          (dict
+            "Type" "Cancel"
+            "Label" (include "v2.component.button.default.label-cancel" nil)
+          )
+        )
+      )}}
+    {{ end }}
+
+    {{
+      template "authflowv2/__settings_action_item.html"
+      (dict
+        "Label" .DisplayName
+        "Description" (include "__settings_session_item_description" .)
+        "ActionButton" $actionBtn
+      )
+    }}
+  {{ end }}
+
+  {{ if gt (len .Sessions) 1 }}
+    <button
+      class="settings-link-btn--destructive py-6"
+      data-controller="settings-dialog"
+      data-action="click->settings-dialog#open"
+      data-settings-dialog-dialogid-param="revoke-all"
+    >
+      {{ include "v2.page.settings-sessions.default.revoke-all-label" nil }}
+    </button>
+
+    {{ template "authflowv2/__settings_dialog.html" (dict
+      "Ctx" $ctx
+      "DialogID" "revoke-all"
+      "Title" (include "v2.page.settings-sessions.default.all-sessions-dialog-title" nil)
+      "Description" (include "v2.page.settings-sessions.default.all-sessions-dialog-description" nil)
+      "FormContent" (include "__settings_session_dialog_remove_all_input" (dict "CSRFField" $.CSRFField))
+      "Buttons" (list
+        (dict
+          "Type" "Destructive"
+          "Label" (include "v2.component.button.default.label-terminate" nil)
+          "Value" "revoke_all"
+          "Event" "authgear.button.revoke_all_sessions"
+        )
+        (dict
+          "Type" "Cancel"
+          "Label" (include "v2.component.button.default.label-cancel" nil)
+        )
+      )
+    )}}
+  {{ end }}
+</div>
+{{ end }}
+
+{{ define "__settings_session_dialog_remove_input" }}
+  {{ $.CSRFField }}
+  <input type="hidden" name="x_session_id" value="{{ .ID }}">
+{{ end }}
+
+{{ define "__settings_session_dialog_remove_all_input" }}
+  {{ $.CSRFField }}
+{{ end }}
+
+{{ define "__settings_session_item_remove_btn" }}
+<button
+  class="settings-action-item__icon--pale"
+  data-controller="settings-dialog"
+  data-action="click->settings-dialog#open"
+  data-settings-dialog-dialogid-param="{{ .DialogID }}"
+>
+  <i class="material-icons">close</i>
+</button>
+{{ end }}
+
+{{ define "__settings_session_item_description"}}
+<div>
+  <p>
+    {{ if and .LastAccessedByIPEnglishCountryName .LastAccessedByIPCountryCode }}
+      {{ translate "v2.page.settings-sessions.default.country-ip-item-description" (dict "countryName" .LastAccessedByIPEnglishCountryName "countryCode" .LastAccessedByIPCountryCode "ip" .LastAccessedByIP) }}
+    {{ else }}
+      {{ .LastAccessedByIP }}
+    {{ end }}
+  </p>
+  <p>
+    {{ $desc := .DisplayName }}
+    {{ if .ApplicationName }}
+      {{ $desc = .ApplicationName }}
+    {{ end }}
+    {{ translate "v2.page.settings-sessions.default.device-item-description" (dict "time" .LastAccessedAt "rfc3339" (rfc3339 .LastAccessedAt) "desc" $desc "isCurrent" .IsCurrent) }}
+  </p>
+</div>
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_totp.html b/resources/authgear/templates/en/web/authflowv2/settings_totp.html
new file mode 100644
index 0000000000..b96dc24e13
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_totp.html
@@ -0,0 +1,57 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ template "authflowv2/__navbar.html"
+     (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings/mfa")
+        "Title" (translate "v2.page.settings-totp.default.title" nil)
+     )
+  }}
+{{ end }}
+
+{{ define "page-content" }}
+<div>
+  {{ if $.TOTPAuthenticators }}
+    <ul>
+      {{ range $.TOTPAuthenticators }}
+        <li>
+          {{ template "authflowv2/__settings_action_item.html"
+              (dict
+                "Label" .DisplayName
+                "Description" (include "__settings_totp_item_added_at" .)
+                "ActionButton" (include "__settings_totp_item_delete_button" nil)
+              )
+          }}
+        </li>
+      {{ end }}
+    </ul>
+  {{ end }}
+
+  {{ $href := (call $.MakeURL "/settings/mfa/new_totp") }}
+  <a
+    class="settings-link-btn mt-6 block"
+    href="{{ $href }}"
+  >
+    {{ translate "v2.page.settings-totp.default.button-add-authenticator-label" nil }}
+  </a>
+</div>
+{{ end }}
+
+{{ define "__settings_totp_item_added_at" }}
+<span>
+  {{
+    translate "v2.page.settings-totp.default.added-at-label"
+      (dict
+        "time" .CreatedAt
+        "rfc3339" (rfc3339 .CreatedAt)
+      )
+  }}
+</span>
+{{ end }}
+
+{{ define "__settings_totp_item_delete_button" }}
+<button type="button">
+  <i class="material-icons text-[1.5rem] text-[var(--color-neutral-200)]">close</i>
+</button>
+{{ end }}

From 26bd61c3934552328f3223c7e7aaaace04d9e094 Mon Sep 17 00:00:00 2001
From: Newman Chow <newman@oursky.com>
Date: Wed, 2 Oct 2024 17:45:33 +0800
Subject: [PATCH 04/17] Generate material icons

---
 .../material-symbols-outlined-subset.ttf      | Bin 214960 -> 227780 bytes
 .../material-symbols-outlined-subset.woff2    | Bin 102296 -> 107780 bytes
 .../python/subset_fonts/material-icons.txt    |   9 +++++++++
 3 files changed, 9 insertions(+)

diff --git a/authui/src/authflowv2/icons/material-symbols-outlined-subset.ttf b/authui/src/authflowv2/icons/material-symbols-outlined-subset.ttf
index 8ce6008c44485e988ac75d03970bb40480a577f7..e554697eb708cdc5839d69ba73a8dad6fe8af9d7 100644
GIT binary patch
delta 18494
zcmc(F33wdUmF~H<c2}=zb*m*=mRq~<BHOVI!q~x>C4_+>zz{-!K)~P_LktPT@CdE8
z%+3IbNDQ$Jb}%+ECIL(WfeergLp+Hy!(%3l2aF>dVzjiSmelIKtKWaBBzb|!%=f<c
zeXpvk>fT#-IrnV;xwra-M?7zjdZHwVD1e(nkuP0z@zRk66@MbSc{5SD<LpaLyO4r(
zKGC{oQET@37tQ{{)oZ@7glN^-$X|8QveTB`o4EC-c)u6<x39kK>RZU&_X5$~8<Fq0
z=Ekd6fBNpgW2lez$~)KL{X_X1e~$DScptz1>hJs@sz+~r92v*;t8Tw;`odjVB6SYY
zH9xr?mG7SVQ2?FANgCa|V)@nA&RKc(ZA2?qq5g?0P@sRThtPQ=@{KEQ{O+38RVQ@d
z{Z=Az*Q#${bM=!~-u)w@6>-krc=ejqbU<uDeh=zLZo2x$<zG+U-9z1~C=1-YhRasp
zvV8Rl?V-EDfYrNNg;R;Dw3*h(5&3K?qbW3v8fX?#Q+@M-vW5lo7R(FH3pJDlwT7~~
zvN?0+*5PWJSJqIDt7R^i%*7=t>t?s^PV8=-U1zQqkD70FbZqYENUWJ%CpkJ=TRV!G
zy4ljD#Y~4-VLmQaAWs@b?T}Z?XGh6Rtu&h!&}sA~%wle6PB0V<hPdBw!!cxpnwuLI
zSY*trsA!ot|HQcq8p0=@c+!G~a@3oD;=C_Zgo0YjNi7Q+LZWiVj&Y*OW(CaE>$Kok
zK*{E^8NrUt7u|a6MYzgp&S{nAyu117TSKko9TUXvRQ1ipOz4D%PrYF8T33a7dGTGV
zHd?H#IcIg}uGwm9c|f-4kI1XZLp9V!bW-=Nm2EQ<b+c#Ji6x2Ib-T@8(PKuq+s?Y#
z2{Qr~ICd91#jCq<m}g6!yDqLgx%yP`s+5r&Btsh))P;6SbHuA1kg%ZLv>R_S<U(dr
z5}^k1Y9i5rAF6R;*Zp7E=3b%EL*V9oP$QF$7Uhs+1A1&ZDSQ${7{*g9XhHvasAb-Q
zlaL6Xbh38vlJ-lU?AW{Tl6G_c8qu?6bH^I<tu?Ju=dy*DELpQ=P5ZL;;+?zK?8dL-
zi8WvS>Y6FLW}TXmqY4DJNPb*ihjCiy6bO!*TEKRk7%v>w`P5MoKFKO<Y0+DBs}Q3G
z^piL%E<N{A?>E2cee~S>?wd?qcioEin~ZbLF>YEonc6)4VEc|s+81?39$UTou}J5_
zg^iQRnKNfzRlR!IC95m1LaK80CChH9-2d>wg*%qD?`k~#e4|zerJJE;5%9%Fwb1O7
z=}cM%j)E&{_dlK6p-P>JVx~KM-gFhZ+R@s5`gwaJcC*cBrot#9(9Ton9J&O}curw%
zxS+9|HFWZ4*}_CldgI}fFW%8!+>L%`Y7e(xyyN79=y;}L7R0h$)n6&EC}Rl|y&*PJ
zJ)X#Q&%GfOJ%t{p-&09U7c0ekl3!XT{ZvZGUzML$+LUf3uePb*Qn#w_X^q-%wGVV%
zuh*~FpK%zDWsYAu%bZ_wu6OP;W*FZzwi!dNde<ecpSy+o9QRuHpFFDPY|lfUxc6%B
zQ{In!bA7k@Uh@t6Px1fQ|4aW+*;mVAWxpyLiv}(XtO<Nlerqroyd(HX@af<i!Gj?R
zO$oJ!E)GRQKMTDVN>|LTxU8bPVqds9d}(-P_|EYC;U~kdhTjbztUROgv8r!Z{kp2B
z`uys9tN(FI#guPO>7MfHlzlbTHMi94o*J2Y`_vbvCTg2%SJiH*%}l#55{cXr8Lm6C
z?#8-Jb@}?}m+Bv@-_vkoW3X{m<8PWyY<i+uYQCiT?Uqo>Bdz7FceVDNu=IqdrW?~2
zO<z6Zq8XcK9GFp<IcMg#W<D@;^URlL4$P8fRn1y5>+)GQ%=*EsowMGbRct%C?b^0y
z+Foh<plx(^&Fs@=UorbTv!k<rHv9G2gL4+oxp+?ZoZdP4xohSE5l9%gNx%R3yr1-b
zt^4iebLGvnxjVW1%<hw}yGiWs{^@nIJuowzU$*Y8-5*>xRc)m;)Y_f7Zn>cD%dg*X
z%1h`c0@>=&o0I7qbVpBZPfO1idzSQE&~ty!KOd++u=v242flXT>j$nraLs{#IPl?t
z<iQyS&pFs}@EhGTSIm(P-PnEkij!xx^_||gzHe*aOMS2R?e2TG?=St~{-*wO`@c7E
z;=nfs?i%PGczo#Eq3ecj82Zl8ZQZY}I8`j~&a9Xh{;#@T^ewCFRp0u&t}FgV*MIod
zsnO+QcZ_XK^{34Al=PhRdFfr5>oU>IuSz9a2V-iVR*0N7Ego4s?fq&0IPLmr`n0*z
z!nOZ4jcWg?c5m&@+Ud0?)Sg`%oVvd@G&Mi<S5qTIQ!A$$Qyn$u*L2h@sky1<vYHt+
zVv3GaseZotk?KdQPp!Vby0O|_^-9&0s_UXvS5%!*3E@<JktqC9_>=I@!goXQ{t3C?
zhPQ;j5k4>c$M6&3HQ`@{9}h2wLe^I#D*mk^Rk6R~dlkQ~xW8gq#c37mi7KuR{VMcP
z@Z*p_*c*H=_>%wGvW7C%zp+g5Kkxsu{~rHL|LH`&UA`ar?!@_~??c}&eShaWWg7}l
z^Ud>a^ZwEMWAE3z*LW9sXL#>)%dUN{|8)J*b-k<E_z&ZNbE<Qh)8m}#$U45R=NvBm
zVwm;SH+-Rc$qlOL=Trq0>{VQE;5u@=4BMY29>BdxtiZioTsq!NuUkOv^eFw19-(gf
z0er=mX%SV>SKxDRh9|p^PVc^QRcBP6NkR{jlPbkm#G_Kb;#S_%H0@H|0WhefGiW6}
zOh2bR)Gs7aA(}-S-Af_bfO9)NPuplG?LvAB?ZAC2Z9?uz<hEMrjpU`k->e(mj_OYm
zM-V%3Zl_;Z9c)MX7xV<~8<F3F^5<w3{P1%)x8T}|clOZF0!_Cgza1ff_ozO8f*Kp>
z>B-jj;_c@U9UZ4y!fc<ny4i&xH(Av0#PfD=W*dfl2Hown2-!yKVWHbli^<)B=UPC-
zvq)Wz=SG|g8PrH~Xd!(E5eiR*d)xt1m}gt95(n^sQz53Y9!<96e46e?7u)HD?sIQy
ziaHTpZbn0U7RR!fS-%q<YylygKw|lSS@URN%tyq*L_Z5sn5-@Il-0u%=*bCEj~OkB
z3bsTWz#FEUrMqF03(vuO8CE%Wwaa?D4WhXP0oo4KWPWX;TalZX^K%$pvjn#RZ?@7E
z<2-l{IXlg*c7Pqso9Gjkw7-VT1YKXY_{7YdgVbhgh|`f``nS?@@Q(F^qpGEJ72N^d
zf0kZ@>h7mOGKE`Ik^}0v9mH<KofUT@=Fi&nJcj)V^4!x-;H#H5MUmWO&4HP9G`j;}
z)h5`)7I1_0ooCB)*hx*`6sI?!YzqdT&=`lsspE&60&;9|Y{Uq^08!_o#7<%U+d<7n
zsG4J(M%H*9upMPbhJTL2R-P?_&F(o+ui^a!@r~f$4!nC3#9U_a&(@eAeG&Ov=pMuk
zTj>S*4M-27CKF_-Y82f~XaLXAwsvOzMpR`*ny7j#cUIx;GpPMjv}a$i6@xzovX)qu
z#GHB2;tcmwjmf=$94j&__)e+=xj)Ak+o)kDI%3-GVP+!DM#yu#1@mCZ?d<Njd0KQ9
z`7N4{_zU(1>@~JQrm!Zk)nm0|VNI}_jgR@u<k}=2>$rZ5a_-?N5VHd$vOwA6bXeuK
zqkEo7kB)crFkZ0B;X&9h@&IhQS7P3rKiYDx!n}_y(@^pZ$k~Mf*%fT03m{e&#l*B4
zAXc6{Th$JF%n~v)B+9g`0!QpwJZ#wmlOdzaIk1Ea;2pTjr%;25V|G6eflMea+Yzhq
zsi^-f&Lbq8KdxD97yQNmetZGp?3HvA-3bKwA;{bo1#_9bPr)Erj{IcPvK{*k;L3K)
zj0Zm26@3?6IlfH*!`bG@^L`Of#fm)9<3cFFPMptz^y@K6JAEBtO|cULY^57eXb<&w
zNU>wy1Y1z(E^y*CdYL4gPk=b0S8zH=xYohW>#0{XO0BYAzD(Yz_NYniCFhgIBICP8
z4@eBc+AgQt0D&7Z@XJ8oIv^FhITiv>b4wIi_62N!6ZYPCTqVYeEtXzSaA6b8hZi}z
zqa#4p2A&=L#&+{hV?m;UhiuHu&x^s2Z6N9jc1`ogt%J4Iz?`?C;&xhLp~-WWCe))&
z%yL{Wf@(G~rk~A@ecl(qk4<1X+l!65ooI!U?gzd*HM$4_egf~<s~qnP7otyF(T{(l
zjlVg<7S=tsBF$0?9(jUc+;$tCK3UG=*bITUT0z%96zmt7Xl};ruK>yH5}$%HvxnJ)
zcv3|z8`5q>dO~v+Aw5C<LQ6^5F28Ci2|NEbE47WD?tb{zDbZUXJGMX8SoTpY+2f}+
z6H~KY(P!Tnc(Vijvwhn*xDgJE=|8s5J5gr$e}oNlNROhBQOusw8Q>LnXHV)JOoUm$
zlU;00ga=@6Xm|c2q*$7pXr`57cfnqu8P3-MUAHmM_G8=+kHqd|Be0SojbpDU7jqXj
zm!Cr<!`*W=?y3=Lv<m8QG#;|on(*^qgbhE7wzfBa5w2MqugmyYO(#MrAHvY@&_O_Q
zrTBt4OI#*ai95wZVx!n8eiIdY#6A%hImsbaNcB>iw2<Z@5S@tfc7f(C^b*M7luatT
zR`yZ+WM$Y25pq1q%3#luy`BA@&5%X<BK#Ln9`Bz+y={1J!x-EtGiVdtk69l5nmb}#
zW7E0sxOYc;wuyJopiA2cF>KgFE&!W(BHTZ}om6pp&=LTMVK`xGHlU&%`<)I&Inv0E
zP}+|wn{W>|TL!_p^9%IBLFWk&26N#jmO!7O|7GQw1I&vTv8%!F?O1}P??yh#*vnea
zmUSiySUYXZ*+vgoc^=|vG<y*dAirmAvFp@Wd5(eY_9099JUly^(~#p>kkib5_U;qx
z*Pz-AU>jKf=OHs8@6*TA%(953imbEj*H>e(iJ+QIi_vL5T}a=AMXbfjhh62%&>WWX
zvld5KOBl(IaO5HD?Sxnv5ix((XP(_A?A}a-TFjp35Il08319|q0z7b@2jbGr^nGhi
z&mzZM`?{5z=zKaR!T|>_W-bN!&s%)ctSK>UMF7=zAf);E?WaV$u?fd=V7*~qZ!dLh
zr_Ju0d$FAa*LV&TY(cG!Smss!&35coj&1P>!pF~y6h)WESDc8A9|e~`)8M}(XeC%Q
z!K_`F3M&iycAfw;jV+d0`65=S<&*tJkIebAg!~Yu{aFH7J=iBPI&Q_@0t=mW($+)U
z{8>*K^iG7TFe#iqVu2UHd|2sF%8NqotP4fQcC*wf;kOLv>_s?af5LJK6CCnEDL68m
z&^Z-(dzQ9Op9;13h1HsEyb8IWp+1wdiDn?Toub@5hj6zc%i)<Fw4R0B5r-#RIc~<?
zd=t4NtB&tM*O)k-@k%Rg>+88z+MfB<NHagSKzpVk&1+L8;oGG0{B5(o5bDXs|17pK
z6+GEBG$UotcrGB}8R!aI-gK-dzJge3C5T>&c<IMjS2)ojL-cbXg!O3?U363#M<_ec
zey(LiFW~)iR&P;?PJkXW|0K+e(cAViGe9XXVA+S<W2M;>ZNqLE<2^5l*=l8U{33Q;
zc`?1g!mSz*cr6BJvGA-XqKFRk&H=H#7$~=L8>8dY@<P59TOgOw-$S9;(6)dOMpaw(
zj2XOpaq2i6Fe`0C<RyR|BR+&aKHKsROOI^k+buZOoP*f<GH|f_Pv3V$E72)SigzE_
z7qfajV+CP5usi6+&>Uq<z?KaHo9J6$CZi6A2+Yt*<d5z}!3?=STcd75?ns1vp2fqB
zXt$Y8uC*K!577b!Zo<GEKX1WFDEq~(Tkh%*QQ41(SP;qlg=_qfvE^l8pWK5FRY5mV
zXfsju?}+Np!e0Ns5KV6-YQsmSd3O@EuOwQG=Xoa*U5Gkgt0B4^pD?akM0D*!qU-S`
z?1tBfZbkaGRYbR6PISjRM0f2ZT3bO;x({Es9_%OTo=)@xDsB9LXv<AR+Z;qY-X{7v
z8oY$BV!uM;R})0P!8YJ;LEJka@{ew!f4z+8&sP!cMcKYfiF!cfU%yK<fbF)y_lZV+
zOq52OJjzQQB;;k-E&Ck_cP|Ow9r!+2zK%rI2PA50Nko1~qN$U_tPF|S2@(rYep-^m
z-|ZpM5g~B_)*Kfgf6+=37ypFBSA!%jMVrgoNqqevi7UTC;;Pq3T(gA4@|Q?_>pBuQ
zyiMXJyu0O261U-6vya5>|3c!9w@Cc2=ouvLY$fsi$MFg89TL$sB<{h$4<f(*SrQv}
zlX&W765BA?&psjX{MjU4dW^&?X!kk@dIKH(7M;IyABjB=koY%=#QTd#?9)i}yh`HG
zLK6KbADT~MI7uS?E=lq|BzZ0&DR?DG(b`W)YFtB7^FESJNRrfcIZ5sJk+c-6tur4Y
zY1tu?u0{HW-;nejH%WJSNxJ7kk{*7Nr0yjoZPZBGvXZ2oe<10X=;!r2N&4+-Y@|1m
zv?oB)d+SL0a|cO#7m@VoYb3>?gOK9H6`e@@e|lm@N2uxEy7r%=RS0k0kuo|d;<T1)
zCq-0R7?J2p5kX5LFpNkLR~VNYSAd+6N<2d}KjNa(BM!7<kE7G65rq~+WW1}u<wKu-
zJUw`N@hmS7kPt%RL&%aYa{~9qs8Bjj6OW2V*OvLoDn07GU-JhPGcht!&<bQ^Bu(=N
zja(w0$Qi+$p%?XH&Il9|2M-=J6?|RM3Yt0)E*1)bo}R&+Qrlds<a(4`Ue3!(ZnArO
zV7~h!t&wPDZ_nPnJ&_)NWp5%9@mKnLdvKOl_WB(ON21psC<9qc7?VFvciCY<NjH^B
zM)~3LQ9bK9e7IAK*OE~iAB*X=@sX;Ls@gbdk=FTqbZL9|_|Kj$IS}cI$Mor`)O6$h
z_l>`o=SSzaMq=uoJ#W3WXHQIyw9KC$6Olld2uAL=o`FbLu-szZBn_ZNlJ)Yj1Hb?M
z3w@!ElTV)J8gmV*`M}s%`TqSG_t?UQF?VMF{xLU57GrMOs-*b17wD=Od|0Ws__#O9
zh0T1RaJxL%6A9eSMHPJ9`=Z}BKKn_T`HGpeDIB^~lqj#1ibY>4FB=XypOW)M6w3Kf
z@QA37Vp>pg_<TNLCUB%t({zntBGI7V@088q!^5WR^!rU&F3BZRwxop_%SV{*A0Jqr
z9NBM=oJ&m(9gvJbARx?mJYJ9rMb8LE2n2&}#T@J#G?k#K$fj%}G0D;>hQJ^iGgUA5
zIPjUrks&cU>hXG<c{T0v#LArB0m=?|X~66C8bij=fOk@vSeLn}tovneP|L?hMv8J#
zEs26G8_uGf9!bkZr(En3auHlj^I>uSV?L0IZq*==^6Es|V*4N;TtWNbgAaN>N$0K7
zKk<RmPBzvcmC<)#thYxrx(&wqZ5ZpFFxI<atX{nJB0ly4ZTUNf7sl$vw~y;1F4T9>
zY8dO?5uH}TSZ{-|x+z+L3O+1){luGMe&oD}Yde>+O^PWpzKq|sgx0;e_RR;I8igcl
z0#mjQA*sk)b|DmeY2lN_-H2~7nmKN{qq%~nlvFaLQa)2s)lznJG@Hxh3XQp<ZUloy
z)H3H14B05x@`X|<U+{rnMcL^y9168GbFccupxnR8H+T|jFd^gMd~<;hS7F>0RC}~S
zuAt`gj=`Mi4d%4GR;C#aNorP9Gneb>vE73yqN<Y1CI4D*`9Y@BP=<19E}6*%GR;la
z0F(0_&+*6@8WNXfeu^eI9vlL`#BwG7(bE&b*L8=#^6;m<i9C%Z4v!X+$)?_PJZJbT
z$NfvGm`(Qv!VX{5pBNk(N%&QAdCHB1*4V()!-V-UVe**r<cv`$%MFM5Fb}7MFh}!=
z!-=9etSM3|6(`vo8<L0mk~FH+I=!y=+9_j}XL1=%xTjQpMC7UhK8K^K<gaiUGosVc
zwP2p|VGDMgx%}WCZq{Ta=^i!C9%_C}hCBO@uJT~Sk#aZ&>jMM(1F{2ubjjqjPLV0Z
z%7PJ8Yl+aFxAu@+%1|V@*55*Z{XI#C2M9G~2j!$07&|Ii0-c=fxOjQOHW`yNOdsRJ
zH}3Y%Z=X|Pj3rZAHY+QK^JX9~o7t@C@OovBk*^xli%$3c32!)J>SJ!V`7vq!vY1yj
zXmk{RLjf5h#i*L=)KjTk35UsA-l-dgc2w@IxBk@I+xzJu`&}?t?sPhRLC&d)48<3U
z;&4QQ>pJyNs7z55QQ~)X5h3f0WVQ(9qa>(|Gc!^w7DX{?dsDbm(<J=zB_SzfD!Q!5
z5-c>IvYnhj9FxzciUnvLTynM~<?{t9wlvEE;~Wv)arObxDVCZxL$vuL9(XhhPc0Q?
zIa+YaBAbHOEoO>rf6b;O`zL*}D4B4{nn%iIOi?W4P55e6Q{=P)MTP6sFh^^OEJnpP
z$|KG|k{U3{q9`1hWXYPMtO(Nthje)<&$9ufV4^w35o@Bk;`lTRrX-n#EKhaDbdqHl
zhNYuCWmXj#+4b-b!RU09XW9K*-anBkNX+QGOA(o*Qb1EGWK*eZA(t<erkh0t|N5{|
zK~T|z45e(!6oq`wGz^_UH0g$}Dr0JW9dp-qL7%lpmaih$c|1`M4&f=`Pi8KUODcH^
zMN`+kWJ(UV+wUf)I*?0cGTvB~1tytn4v3;FMoAeO9m@}i%y1@axg1H-#yu=Xm4Hj^
zX4n)gF<K_sgo(*=VFGZ*a=^5xR02DS1*nfC%wn-rG(}K0OQPr;haqT{T-2!$^Fqzw
zG$GlN1a+0xss+q9o3S-K9#0&}ISoTWu4pDwZ+5~qq`|@DT5#Q}>IBNdB8U3Zxi>rg
zY&rY(^`KyMgkSHvq3e##p;|0pYq4aT0iZesKy?;JmFsg2VhUcl5MVkGNE!$tbyQQR
zZT<8{Q62Sq$U<dCS4~o}WA$ZhyjF^y@p}(aI3IY);|K&CG&q>i92tkh;Rzb4c)Vl;
zQ-+dK3=hztkgTm$dJ77`!PAq|B9U~iN6YnV{W*^tECqH5)f&S+B@(Ih_w+a_d!v<=
zm2STylSo9+Z6%zQ9WS8n_+gVJ;$vOXSUj{=cLk@#gJ4HY9*YNEYo!q4Ks6Yz57x)2
z%yOA<hSgRKIDdX5*d+%M2R`m)7uoZlD6Y2Ztd-+Ecqy&Ft4Wkcj~^2%=+u>Rj_la4
zdF$)z9m%Ad4=e0TI#A-}*C@n~HaSf*fgc|aVEY;Ja^S~@l}#kx#gC5%o>W5k=Tqom
zRGK%h6~ETjXlpBKZB*gNY5x3i(kR&Vk|NjY2!!DjsmoJHrwinCDn*;ask~|!BA-(8
zrfTMopMlM_a?1<(9FjIXJe)Dz5=>kwXOB}%gHn~lz@qGm7G1L6#};lMvLz*7KAna$
zfDcyfA$_SF2T&rP8y^&*8ABE~!ozChXSZNT`ru&7^jX9CVf+QiOM@FIDBglsA#Y50
zhhy4Ezjp*-UZ;q9M`Dg)FO7J6M|!<SG}0D>hs~;($;b#*aCl&2nM{!*J%oQnu(7YN
zfFB<guk-m&@Z*D->Q40b`tkGot0Re27p1ybJhinFetdA9dUxs{{$VeEd-v`?n96lg
z&Z;yrlEaUW2VQ#R!v?W(54N71urNMVa=^wk;_vB%%Z1B<%fN-N@(B7gU<WfM7#C@m
z=!pn#Qbc-0L7{tPBb73`#QZ(tP_@`!FT#ByWe7Dd{0WiO#?#zRN8PNhXS;+mBXU}_
z(~V7RFNpA>doPH<k{K8OC4nPS7cTykW8l(pfz>2yh#mP**<w?M>PjC@yFzNus3+nX
zRg>O2Z}NcJsucDX6xF)7b}B}SP}91TI=}kRo<r3t?#mBV&sX>Nh3mt8s&(J5vKp#+
zoVce{zn)9vbXChHvYP+6cR@!co^hypI-b_cJC&?XdRDdWq&hVOs+wxuov$oOi1L-^
zaRA;JDWfwZPON@4JXLA~&lkY2Ek*zy#%ei))p8iC<uF#uE(G8%td`G206qh3I5T44
zsiTcTC$FC~PpXbiESJXh9OAKXlr}6aU4?C}&2nq&-n~moS9NVT4Ic+y7FYcBw9>hy
zbH!h;=%Oj!fE&?vp)it54!Yf5@5o3pDVb)WpeWLV4Y|}{GST0kz{^z7p(T@=BM6U<
z3KAj}`-pZ?dGCHyNqW7Nn!o<gp@Ro&Ypbi*$_kw3Lk*Hq8?0<>tdxQ^#=dx>vN93h
zmrAAcrkPJ$dWahck(Clqv{1-PqEJ~mXU@CtLcbG<y?a|*{SP)I#|DRB+lk~*Vhro*
z-rj`6?{KJx6N$qJz{ig+GD<W$Y(Ni7UhjQ+91zV;^+DO^Bhf{k7<up2<MB);7|diI
zr1IAGpi*6Z=+OIx_-=%o^WjMMbeHGi@4Wxs8*jXqdw+L)enrKeJrxyLQwzZt8twn*
zKC`bc9IltcC%uOw+J>XM!4+9D!`Ig4bIn*9dFQ}^Q0Tyccaq7mG5bndM;C3-F-34s
zQo1(ixtvLwMkb0S@Vko&C`15=4TvJh-JnBmiG<(ZisE>@4}qfS<Kl^Vp%@d1W_U(j
zw0+Y!jmIRXWYanL7v3w;oVi>UcBg42jt79=4>rh9Qisdsz)Lk%C~8`<kjm$Q`i$=5
zM_0gIh6>qaF*D@x_=bl^5tPJ&rTj3oqm+t{<O7By=`d6wt1|sR8PFFp6g@p$NDcV?
zfx*FqJz#Dy**{!L4&^G`#<1Z=n4@94Ix5KN;(3Ww>OLI`Ji`9>K{=J8QWvFTl)6{<
zdNpliMAII`W(>Gwhnbwf&*5`=H31_n<wgL7h(BUw#Y|#stWX?FWU$c5I~)l9Ht1R|
zmqC!Af$aq>N^xi`jhiqe9G~Gu`N)Wjv2>Zs*@D=TP^@VZ<#HsUSc3e!h@}rbfDuV7
zeVw(GrHWz(*kI7%;9~H4co=&gC>|bGRi95)yI#5AGU>hg=!Nhh%i%+=fe%>@A95{x
z$a(M~*T9Fg!H2ZLhs=TxX@d``gb!(h4{3)hy%YgcJ6!2C5glz5x)@7@Hte{yVaKg4
z;-?d^<JK1O;wqm~%>c;ZBm69w#p`6ghrl#29bXjBDqUrcm<97CTqC8cq{r#HvuLyM
zVpa1MTwZve6%TA*YW}WNUs@>bq)X1CcWA%(q6mmD;vZ`7NSDyg(@Tp=_2%!)!TYJj
z;SK~U0|B>#GReWgUc`zSc>6*jlR@NLC=jod42MJMR-;l1@ww5}QsMV%lp9I($NLi_
zInuoTilE^znB!Qcr!pxvGVJ?xtA?2>6d;0@k@)_e_j~roN5~tjk4%r$2N7kXZ{Bvm
z8W`hQZmIB?QXx|*-qo`Alim~=l{KyPtu^>#ZL0T^z0v(SY!4s~h6pvBXa=9zt;7+C
zV1GO)E4t>;bVa6OfwwENg(8_TYo~`%E2gn+!Nj`NwCqS{id~g%%!@G7<X94OCCt?A
zvNSa2FpDNHE=@BAfpn{;QyPhmq%jk$$gt+iOBlSQVxL&$#Sv*`l@(JfD$Br^q2B(F
z`+JAFl@hs1sdb%bA9Iw<B4IgXmSSNck<!=ScX&8M4qth=B3$kR?}ra}t4>Gya6#{)
zKt+A~iD#YIUSC1|`*;80wLk3M-@lg3D0aLz(7v_Q*cDpZ)*7I}z3;uT`;GVZ4pN}C
zZD~6uYyH-egxc$sM*84`ee1ycfe%0W_m4gt0PjOh4Ko{>LX7wM%t&%5Ig-hf>hQYD
z++N3HimOCotgGeEA0HYcSM}5xO*5ueyJ+mt$AA9N=k-NhPBcr84UY_urP0jk>Q=_c
zaJkpf_P~Ui9HlxBY%l+;P8g2+QQI6BcLB1rRX{=Q9L)1*;i6UnwRKx;X7ngwKDeFT
z2*d=5LQF+7hDD_i+;@Il08q>cp`h>2^1HA9etaL5?j!Soon+cfvl+;}OfcmrMn%z$
z?=w8`dGD{zrIYD`=5#w1&@ZX18zvmODw+A}3>KyE^^_gU7xG1tRRs>am=~&4s+oc>
zJ>v$>X3huJgIa}^nxY#atZK8Vfm9Z8nQ2C`K*WXujX_Gr6d2G*e8@7WGTyPkI?^mk
zMk$?1)Bi0&)Z%o9g4My0+ezu<K>SdAAepwt=9oBIFfqOzgh-DmBPPC2b+uHL`JnW}
zL!S<OIy4NP`^u_9ip2XD1oJ82L@Ri+ZpB?nrjpRdQb`dc6l~gp<`R{Ps0y`74h_eL
zhmtTucbPBfD|2_FT1M!wpi(L35F#p(Oz1ZjM$@9-=l8fUa%wa&oES}EWS6H~&E+(Y
zobQ@ajlMzZxD&M&B+ThBN<~<K>N<;QC~*;#DcEc&72zw2F_NoYx=y*V9O=5tiQNEf
zmw<|rOt4@4WhPL<{*fvxDriT*fU_W=6+95!0oLz0Sp^hHwv@;dC<~PZJUZo*gG2G5
z!DJS-170`i9vdAR#x4TrHoO5J*PigX`AMIvqPFEsWlb~mD69#DV9}JlpPuF2MuZG7
z0v#3r7M08genw&~m0~1fRI(B!i;8hGP$zv;9{pNwCp&z&uMeh?C5OK}97b&&GgMVv
z;CLR9A%4~jp<rbYC^o#<GlFf<x%*$K{k}AIv-LIV9AM*(z{YjJ#?`>aOR=0-4s5&;
z*w_SYJO$Wz3b64^U}G(?@f2X=xrncC05)ET`1)pGBmZ6HdSK(}z{b;ojZMJDg}}x$
zfQ@HF%4f}lNFhHy?ZaMXu75W!g(Z4zefy`<jOeecUU=azRM*kbQAdAyfg&>&FTDc$
z;a4nOJR`EMq5jw|#yhioht;Vh-0u3qpz3z3rA(%T@Sx1A7olSb;8QjS_;VQsw5mQM
znd#yF{^7J)?R5il06uQ7-|Jid!Kac-<xNs)eeb9E!)L2fzrL&&iRr=I`h~q%JM7!H
z|KP#qhPv9?x`yWZj~W|b)RWU<Dy+-eOF;^J#%7&6m`K#Nw$=t5jzD{R8}=nC{7xwo
zb36SN*oT-C@=u9i10>N)ss5gx{uD*rspMEDgUwcVr5h*)PwCDa?j0SjjFKZJ3?qin
zZJnx=<p%Sm7zgbhJtdjW%m^0P*i6OunOtm&R3Xyo!-vypL4!j>gZPLyI5;#I9~?yx
z9YYXcjt(9khW!?Y52xexb)cL#xoqKB{2bp27!Us3?tu1QEf$`85ctn*p5{&-_~767
z>{+X25&(O@V_n^$>h+KINs)7p6_h0(Sn9;S0`o+Y-Sxh<<beapKvPoykF@M83pC+V
z4K_$s-RCpY4xcR7FKt*q)+g1q(3^LAc^Ad$kO&{8GB~>4ya%jd_`qfvgZ(-v(JB2>
z4U`CRKb7G0py~>#D(njrgPo}=Dpkqo2woh06v1@>ILsdqj_sAMUsvh6RKgZZx=@mI
zN)GiNI)rlEhT!~uDwW81tP0#^kA*!D4MFHg#tElEx|^d>t`U{Gt0pVJ#gU{3;Fg2I
znqZkOt)n;Z!>0-Z1f&v~d)~Z9$>g!;xK_a}p8<JgP+vEI3+tae?=-m;DTWUue1JUb
z)#&Ib5Zq0}5NJQh>qo#pysi?#39H+A*dS#?0h8HvDlm$$<SgcdlFDQYi0lxY<D*<2
zyRxOQQW6fAk_9;6yW(gjo5e0^R?{*pLQ5UiUly09M$I8a!ec%FC_L{l+z46=6<ein
zmoaQCudPqXxuH*nruj5gRyAM1=L-a|62bHE(9rPk(9q$bKy}s8_6tYMxCh8&v#pYx
zh(0-}q*SV?f<#%#;{c6SN@*%~3|%f=6{Fdbna$wL;R2aW_&_GDUly0@<*DYt`tQZ1
zx@cok$&UQ>qk)m;fUYU39;gTeD#F2F7|*_efx*Fnfj<0oBNr3dY)t6-I<=ToJc@_~
zu@Fk<^%C}8oL+Asn=L51uEeI4hD)06@#tEKJZ`tg<#q7`A1eiK?G{KlJsx~*D@le&
z^VUTp*d~Yl+ZM!kB&`j4q~Uzv4kCpyM?Q^Jk|s+fM8VlK#8on(vDix%CO!#766v9V
zp@Jeoxf#8S9&iAMrX~`j>Ga5`fHDfoKUO8f-*ZTk$ERQkpZrFnfO&_8b(Gn)l}g=J
zldloIkSJx+V-RvOoh=DgXsZt<k|7XQgoPj$O~|BpSvX>MG5Hn%PPud{orDIC;+cas
z-|dAVC5J|fq<G2@lZPB^nOJAyYXiIqM5?i6o;}Ex>4JfijJ-sVoQ@en)18PQow_FO
zwunhRR%O{0%myX|n{mlWMsPC?OM`VGlIn&J*Z3n%3W2*3GjfCdhw$=~{-K=RN9IQo
zIEK!_8785W8;fZreE29f7mHROrEcJVOc5AbumHU-Rc4~FJa&24(JO%=>1o9R#&ZFT
zw*eS`0ARcmz<4Dr{U!k8?c>0>7{Is~z_=K|SOZ{O3}Cz%z{p>IzYbvh0f6yJ0ORcd
z#>D`}#YX|-VgTc!Nco)E9PLb=w)=(ULMZG171$W{(d%cH{MI?8)L6Pq+D+|e;@?^O
z=&zLEv(xy?3zM+f^?LQ&p9~4DZqcGeb($FZ<n75<K-8}0rq7J_c`)khBt2G_Wh6cC
zZ$fDkV%#i!KAQTx9uKt1oAf1Tw_#Y;GKSTbc3+#}t~FB5cu!B9uy2kX*Pc%b4!BSN
zwJ9h)79SWK85zS5J6`Ejs%<cCmYea<f#AQ?x3-M;J<damb<95gT4pnnAxD;cm07=$
z?fv+_hvJ&v|Gnp<Kfd?*aEz7A1RlE+o#czjBlJH*<XS}iBlw5Z{}7Z@>83_YTF2t@
z$(Wgq((oF5xFM~kSlPb60nLp~^x=oZ=v;eQFy7L9JjXsCqkYX&%jQlkMF#fn9dOpv
zIPn<Fk;7Soe@rBESj}tN*kB2}Jk5WJyX&NbjMdYkL-XkM<H7oo*WutwG3;0ZvSaX-
z;t_hi8fKaqO97+}mjjza0P9KMh8pu9Q}87d@ktTzjjhfjnBIlP$3Ztupn4Rrj@E7<
zC~wX3El==E<A{%X+<FqYQ@RIk#`ZThrlWBxQ*;=90KDJ8C+j0{k7`}?#u51b;ct#X
z??>r%%^e-b>@pj(fzy+4&SVv_cus*VtPBc8`_(v{kFR^6wXCeiK{!NQj8!O~kK)zv
zz2Ke=<Tb}2c~+Yc_9U85iTZ;1+;CnksD2eb*6)=HxfI5X`4r8-5(-EI&|qL`b{Zlr
zjQ<AN%Z8@bSb93)#enKZgS$n0r80@{(c=KV#wP!BAwH{3x(+sPTj8M-wgK4IjY4Z=
z>nVI~x$Iz0%R#Ij_Dxk)RpDTnl*^`*N$6Jz|6B%`JDs`{&|~dkwYl6PDcl@1AZo}q
z2fP3z1P)H`=Y<Zzflf-rWCMNwPojrf#Ks046F@}&Rs^9R5t#jF2TayFfTfl@vtkII
zzppu4NM<P`8D<u$>QJq9teNG2fOn%yGH{&N{LKy(e-v>P5K(wIqKH}{ML|IT#~}q`
z3Jxg}$|&r@jv>&>V}%fi87AWgXs@D5g?tt<3H}}+@lta<@<25<s>$FXZv_v$+@FXm
z&{)Sua;$%Ixo92<{=7dPbD$nt9~VYA9(mncQsDtG0mS^6Oz9DNLsE1{EKthk*e}>2
zyd6%Ue|Q!J8;A-v64}oj9ceIelfi^1YT}bM{wv4<ylwbsjgK^$WCEt1NM@|R>>Y_Q
z&^ie7FmuTgncxfNPbH2`W4xWR?sb2`se|9(6g~s!P7XfCV+(wr=&ZzF%I8uU_K}@f
QGiwMBUitl~^yx+a2dblh{Qv*}

delta 6543
zcmbVQ33OCdn*Q#qN@d@Zs-&`l31kC8nnh_)1Vp3(!y+IqBoIhCR3Ne_i}FB}MQI3m
zA*9Jh7DJ4RG@%<u(WV^^(2mkHGU`!B6WVbMbc?ot8wcn6-%F7I(|t})>ZIQN@BQz;
zZ}pCT6TE+Wunq+vf?swd-#z`lF>R;+unh2&0pXubn0e<kMB!dw?Q&ubx_A1Zocxt@
zM+1fH2<J_oap#OpU#)25c{Aao`H$u=MNrp%KrbSkJHI5qH0NUBgT(J3gS88JzV*kF
zeO!;@`Ckk3m+jDfb<bu3eubV@3x_|oXcOR*4Lp3MkjQ&i&#{r%E6|Q#E?SUZkX=0C
zQDDI<#2;3~4d1``Mw2)hAf>2e`O5UOw=CrOSAg<(mdwxJfAYkC0|k==F3De6iVsu+
z;Vj}OFU~Jn@W92VJ7D;z@Cc6xoLsteL1~d=>(ewqUVEDIx3}jz`bD;1iXHB5FCEel
z)V}7<%eMCD@lyhfp;KGi|7}`?GgR#NTeSy$`6M4>swY|>ghG_#v>KsSs>51<He36>
zEznkJ`_Vq%UTOccPms?DpRJB`#~8;F$1{#U`3Czg^*!vD;J3=}Wxt>N$N3xn?*}9Y
zOb^%;@M&O9;F`epz^g&Sf>s5+9-I(d9(*b!BxGL5-jMU5eM3E=$3s64OAgx{b|CD3
z!uy492!B2zT90UnyesmB$Rm+wA}>TmMh%Xd6!pufjZyofK8&_Sr$y&QKO2428SI?p
z+~TZuzT`aa{M7liYr3l`W^K%gm<zEF$5zIkcBi@@aW}e;yU)j^$E}ZhKYmdB=J?;o
z|CBI3VNJs6#CeH7B&|w%C+SjhYVwBUKlO?4Go#O?zBPR>-ZJhM{f(49DJxQrrH)QL
z+HX+5-Tl7lpWFYn{(npBlWtF+nqHp%QhH~GJLBgWQ!^H1)MT`0yp{2FW^iVF=9tWf
zGB;)J%RHAAoi#J7DC^m*=B#(J{yrdNK+1sZ0dod;2GkGua-d`2xPiYO_~M}SL2J$E
z)sF9bE@Jq*b3;d7^3!Zb0OQHx{>Dqi<BV^LJ;wY+S^l}m#XbDbHEI?msFlVWixwEE
zp4~%>>97zw&=(=N4Rf)&BeA1@$L$@XJEnGQ>G)%3-_B8;_jl%Z&hLD^^P|p-XEV=E
zJezC$;K??!N^VOX+qJ8!x$8jJYh5S0PIY~H&UG&J++*j5ou7Mt?Rn#T)rEo!i!LlP
z%1iDr-Yv-qznM<_;%sBe;+yF>|4%vx7vG_;zSMmA+~up^#(kUp?c{IUzgzg7{@w3>
z`Uz|B3k*v7A$ep{SMso=cax4J6(re{vJy`vzM1%+iF*^%68k5PO$<%=DB*I#!Gr`L
zAv(b~!6$xl{FL}n@kQ}7;?v@;#=(8n{iD0hz197!dz8Dt-N)@88yh<}c2?}D7(XCp
zs1CSZc6GY;x;D60yWS-9hO5r?kn0z&qpk|q3fD`n?XEo6I#-hOOXoMv51cEU2b~+8
z)0}rWcL2^g(H};2Mh8ayCF-51m&01Z5w<(5E$n326JhCLw*#U3LygeY{2UH_FZ4j@
zJ)z9h&=H|oAx$AiLyVAFA$cMFM}(w@tO&ds_<rD-!2N-F0cQd}^pEqO>L1|m_PgwN
zzwaeKo9}ey;Na51>JxtFM1jQy2PHGF{k8ERQ$5M=B(;#~8mVRqs*&gM>63$@*n}<E
zh-a`F$r#VDh@x?ChX-S@9;1!LkF3)j2caA_@JEcwP#*1=t<7HQ)9iEEQO3O}jK)G<
zZ^H?EjvrJ2)*+hJpd58*MlG6nQjRJ#@Vgongmx0DHrED%5b;lO>xixI#9as{fd-On
zF$vUh-GVZH8-%O4-^daa%I`)(jbvKZ&AJ}Dc-qAOaSZw%8as$lj@{R8ujA=I5L&0y
z%cyBBN!RdNlgY3a+n7hS6hOqP;&TmbsOQR#0Hh!rBe0nIiKqrCG?10pq}tqZz{gyP
z2+6!r$Iou8C51ZdrLrlQf=7w}B96k?zRaon($Kp|#*+DZgNmV>NUn<FR8XkMe~8)J
z^n(#>ie68_M93;sniR@N$(Mp($4w`K<-a}%B)a9l@@uwe#8PVQ)vk@_6%?isC2;U&
zg=w`4EFt8@X(Szo>85g?S7Ua!MH&fNYq`}x>xiZFGSjy+33%liZ<<X^JAkWQCX3Nr
ziTu^bqbVgC0^r0*%%m%xqJFJ-6>s4~GLE1iZ4^;rqm2%-qNbS)cMujDO$ehED)1c7
z$|VNcOie_-CU(C-J{xHhF<kvMJ2*@$+(<AMe#EOIp26=HvYo^oYbEhe#(f{|^n|Y1
zWGLOx%^tcii#9hTwk3fYG0U`o_*~NPcFds@Hu9_)`*GOZv*O(fz1}G(!boz8^$cQ4
zB*>m%ULQ?`RI~<lI(|*UlDpMpUrFYp%#0BITTT6iPz-h0OGrXdLbM4<)ayAikvibd
zwU<pg*OE)3ND0*t2Q)DS6Io3j#Byw<c!zNcXK_*4RfN)$RR%KXk?S*G@>=r0mR^&@
znM6&5q&UlKYOjGs6HEB(OVF>lFBB?ytAWCcLq*)l=DtO%SvR$^JoPjWq<9DuF`_V#
zw7j1h3fwy@9-u|8-?MY4hQhUxp=7<mO!wupr=ay=c#0BDra;dUs(>!W5?KmqEK7^0
z%~%&PY$Tb@dOd}iFC;5X%r;ZxX1dB7xRN81j3bF(&rgpCle!~IB417<p0Y84iMWt4
z^*A=_JP0(6Tgg-t|H@NRM=JDAqDfV#A@S>t8%DxbREvhKY%QXV_x5l`K@&gq6mlNb
zvDW$Ks)k$^a%EA~CvYi6wt^#&9gk7x-{1vk{FG4;u<z}oRx02F22o$UiL08XowEhm
zrufYE@i^T64*zEVj{}AfCj!Gb8Wpj;KFJbZ#Sjgr(<H4MOohbzlJk;h-cmnUXDR57
z)YDcnsd?`cs|@c(DmC3nl4Yh<rcu*c>M4bKaChuW!1+;`TH@7VzFGSlO=tGS5Ue(f
zPb=*y`I9QLNm5A^4C1v48dGB4>Vd0xjXTDzs}uCw=%zBBNm0Eqn}?IA6|6U&*t<`9
zbe8xLTi8w43TLl1<Zdk!Ra|aKB)HONS&NGBFvCY`n;2A%#k5frSz2->Eg<!y0#j)P
z2~}ZH#I-jjZsXc3{%|t4#GS#F6-SxosusJAk!#}g5;{+ENa9W^khtwe)zYb&RcUTM
z3E)Wsb60ZI>Qe^mk;s2N%@y3U==Ydm0DPq_NSCoxx|1#!a+XqeQxP$NC_BPbL>Nf1
zvxsly%F5|<b0sM+vF%_4TV2VjLqbEiNI5Xf@JL~J6w=Gh(0kgxR1|M@{yDR*p2V#h
z+)9EDGxDT>G_gwOpn&6E3)AEie5Zm`vdU3o)HF3uEmcpda@D8~s3Yp6`dEFTE^1&Y
zh%w!3m0KCHo+qU?G>ZO0R7#%I4ta`$t2v9w#3l~5q?amWomX{dS1aes5Z-N|ZW1{+
zI%hpK?0wpMcJZFEEK2zoUrEUp@3&Gr8D7j_G*7RECPUW0*NKSP#4g*j=gnP@8Li^j
z7SfUVtsgBa>g+Jptzm}}xJsukqE##6%?+zvSMXW@VG&9~Qo?==VF?|psMoUg2rMji
z6R(w3R$$9Pg5x$}<J$d5(}lubs=)1pWRTJY5JO5;^%~O7z>^jsts$Fh?*Kfydo2S)
zq8Ww~R1$KF$jm#RiY=x5=deiTp_J47HZwn*rnBlzdx*28QF1Ks8f1fc%t^s4S60W7
zkQCi2kVOVPwrOM^7g*Sfc`I0x1(tFtySrGMMWK5Bi_Q8|a2b(g&cBc1Hk)>`bLAuL
zuEsc~kJX<+9MP>PkUk_Ut9DA?@lIrtsuCxSWL8BigLx41Pw(A)V<TKQ-_S|&M$!`T
z5@MS;gWfEf=wsE6>jhds<9qGWW)4X*&sqwIeI&=MX1bC6-b<I6;MMtNLAEd%y@)+{
z5(m<cq(@cb3DbcRpjN<I2`d39t><S9Xc<9d-IGsKm?sil+|?<U5PRJ0O})w7VeZJO
zOjeShGW?cx$BAX3VEVtAguUTqBW!7DRn|DhLyLL4oD5xr_7GphsX!W`I_N@PBEFQM
z3_8~MH<nOOiBcvc*M!VNgnH)pM;K%xoM^njTw9@ekGZxqe~@djM-`(dfou6aCn6NX
zNA$Py_g==OWN<xh<x0$M;1;edjR&%V*U<0syCj2oJcZ+KarZ1ziS0~1afb{PlEOkK
zx7VHw3JttJ(9D;;Ja06qt%UAvJyPL^P&4VFRyj$dr1INCYK3mDrR3D|=Yn)y=^&Dz
zHWF^dbUvly%19Yc0q2srxJ9(~_VUT3E;GJ04TqbMAp@dFD;N8*+C9Z^lK8Ho7}D7+
z&r6M$adBjKZ5KmYX(*$#HG^%SZEn74O{5bkbTL-)S57(gcAAq;168SlE=5)nu7(Un
z+F|BEBfb5`#!^7zNzahRECzHE7XJzvp`uYESy>VEOF}&p>qOIL2Jh`62WjQPAqBPw
zBJD8e(JEdBH(T0Up2}6a_E-FtMHaSRZ)LQP0e`;L4dk2Ju*H0@^mia`HIQ_MFLqY~
z>1n_~C-5^q$D9Qw5NFB>VCog%zAu3LKL;M<Ti<-X{VnF&69X*q14@?y%Vz_Ry$L*V
z3RquBhi`rl*hZxCjleE9P)$MhlmgAq0IlnQ7wnv#rvdFnz$>o;uO|b4Aj9L!fw#DK
z(gU2H1H8W(_^%A0;~el=8_>l&f8+kw1;8cZeNR4DuRy77P(D>qfnV}vV-8=qN3=k>
zIJYMULG`smW$|DLXZ2AXP-BKbjg5yINBAzj-n@Gs)IDiX6M1LSB&f-kp>pRzO*;v7
z-wdc($Dkfq4fW6mP<cEnD1$2EfALpPi_Y@3_Zg_g<Dix-g(^*fdW>~ZJ<g5Iy!@->
zP-S^gyT(K9=B3(;P)(zu_VV%zZ$rII!UwiN9U21l`Y@<}r!dF9fO`7?)SnBW-uoQt
zBi{QY7wWSts0(EH{Q+q9TcP>C4J{}eTId95k^7+~d<-qk51O9Q0d2$xXcGxc4TCm2
z58C{B&=$2oD<$%Z7on{Wg0|&VXxra_wvz;_7ed=J16s>5XwR2JdvPta*RDW2G7j3&
zG5^wk;lFy}|A}v0+5E@$*ou{V4yE6!^4>o5wT~83eCXcg+Nr*W`qyb+J#uJ%jIGgr
N=s!|z-%saA`M)ng;w1n8

diff --git a/authui/src/authflowv2/icons/material-symbols-outlined-subset.woff2 b/authui/src/authflowv2/icons/material-symbols-outlined-subset.woff2
index 4627977a98027fd470041df665ef11da4db2a675..408a926d3111328928ef82bbf4a000853e3ba5c4 100644
GIT binary patch
literal 107780
zcmV(%K;pl5Pew8T0RR910i^^05&!@I1A2r20i>1y0>`cZ00000000000000000000
z0000SrU*YsRzXrP24Fu^R6$gML?=)HiAFDhY!L_wfyi8et06Fp=U4$Y0we>1ehY$r
z00bZfh8PDR3<p~jX>$Ud66p}Mo$2cwk;%MQz!m^Z_OO-61a3vg=@2uZpS4u=&(Q_u
z7(#w#Ubi8T{Qk~1)7muq|Nj$@#WB3o?jI7V)Y=xvEZ{MEOu3Yj$=FJXv^p6lSoN)0
zf~2h*HbZYh+eOh~<6sw5QpILSHGEPM4_dQPQOmGvcwnfSNy~~%L1|%8)S^RL)M;{_
z2_Cpf0g?C`F~=0tqSG)p((Pp2EYL`KgbF=~R2M#!kOE(Rxms{!_l1d#laYO<26hrm
z0TXu5<l)3hA+ygM6OX2uD49D%)eY8GsQ-SNbc_G&q947(=z&P|9!G8FI8P*x9(Si`
zrUOseR<iKmpXeVPk_vKP?@^(iyv4x2W_Cy~<`;e9+Hi||FrL%@=n=1O`r<@PN5Tfb
zabCBlCvV>Am>s2|;Hvj{4~ZtdI|*Op6>H^l$76sgmpuSYD5Nt8lduSzOiwwk`t<V$
zew+X225<?na6^aNl{trs7{xFif?^a_EHH)@+divy8HCYHFnSff&A<7gS+}oJ_~(Cr
z^!wcVMnERBm}V-353cSER>0MD;#Zpc|9`9bzvWofIVIXQ-6K7Y%=CoFz`D2Kxv&4{
zfA8b(R1fe15iuZsFCm1)`>Lt^r|UoK-fl@V|1A(_;LwpHZ|E@lEzK+-<US4(%$)+k
z?2y!bt0+FkUiXDSB@R!xI4Dq16-c-WUkz+KzQWk5{`uai-)m+>WO+=A<EW04x|G7|
z0%qX>^B0nH-3LU4W$2zgmnfG~%C>3hq^aX1V_Q~aSr!hFZZ#-EkD(@jgoF}84W%a`
z329V!(`ZEq0VGsq69g$ODj1Yg?1`0Td4(f(t_RDBt)K~VrJCUBp?CLkxRzxqv#kp(
z9P<_s0>|Kr4^9HgSC;PoQ?<TsRo$CAq7evEBt==aX7YNpF?e4NUoW5k_wj{B)Aq|L
z&U%wp_Gmnk4M_|j(CGO0xw8L`#HobJB3HSMjgO+=9{}9VYGymDrIjjo4-jnu;Sspq
z?t0~NL4s1cy1H;KA8a#P`cN`dR&kq&pOn7%_th%<%poE&iyBBUBn>S9osWvjmS#Qx
zT$kQ``3wL<qVB57KzDP)`F}Tkk`if10}Yf=>a3DATaab2220CpX4H7FQJbjJJ`??N
z{}b~b2O2`S@uPQI|5Mc<uq-<nCo>sZ;_S>Npg(v(kcY_s_;oL5fgO@<sny+8XGm4w
zzXJ}y-Qh|DI!TaJPbqyEGi6zm-FosbeafHfu=F+C?{jI6)BG$yTB0P14eh5_Xa7gC
zEX$HCjYcDBtU8uuBWz<F5QJot-Tq4LKcBG$ySMg_pI2(%%`GiA+gLW6us|Fz#5l&Z
zpMTx@{{<>4U_)l~dggeXes1Y=@9XWiwcq#iIWf*{wazKsJEBGgdI%xxRCbb`N)iG@
z_`h1(|Nq_`5lK~2Nw#da+wDHx2j~*_gHJq|{?SCKl>6`l<k1H@YyN@gK$C5$l$Dtg
z0i|tZB*9ogg26%{-FEgWYW|n`^Xr2Ud%2KOYJAuEbo6ELWk3I4U7z<#cHlk9S~z`x
zxLjhv0NV4%3xMtXqEDA9MVT7m__^12{q8O)s0rWA0zu$Gkp=*<iKQY!0|H!CC;r_=
zWz_J|nS&$6chC*Z|FdcJMV4e9kH%g=%J%KcFU&peLyUrpI9^1JL25~j1>Duu)u8{s
zH`VW_=M)L@f(q|~vfCH#RA_f7>h)`ba)&8J>!mpQt4BYCaLztAo?BJ8b*lhY0Ki)X
zkgO_@R8;|_3I$TGTSe&=3X~rJ1%uM_`;z_sTe3P)@_X&v>sEo3iy);3fD}bil%Jw=
z$1KYoWOuUtlilfu5Jz#8@?ie|><|Am<TX$8*&hw_?62?lO-($h)B-G}5>^2UL%Uz&
zTaW(j6JD<iO({)siq8PazRTl{kWy)2Sa3x=6u8sy05yDU9(bH_f)qX9@BL5dZ&e*>
zDFP(uhg=5OuSQQ!$b=a1J@cQ!shaBmov~2}@lPN`0NFI7kdVs|nKJ`yO8tLJO}gVE
zIq704_3;jnr1LFGL-%+NrNi6(TgJ0%?MZ9*E4}Iek=s~zw_5j2>vBpdkB6WjaCXvp
zAojrk8Wb9USU{E2VgYf_Xm|)}tkr+t_=<W6aZeDH1j(l3k;qVL#XJdj$(ArJUsY2R
zbt1YmLvd1)UA>Nwg<y=)G*1X&git;8c)a!;6vUjldrjh#j5!nwbjfQhCzmO|+QhD1
z2@@52Y!2XaUK*(A#2|<eNFc#q`l<9&>ATZdT8sIb>n1g8ThqLnD35}IB7%ZXI&({`
zX>-S;wYJBox(+EKpi;q?S49*=KtN<}N389?0ah$S$4|%UaRmwram^H~qM&kA|NY3E
zUteVCPRDj5ih~LW3Q9tzz*q0!-)ib;!D*fGExkzQzvTvTYr|Np4zB*0j-LPAS^NDe
zOPlO7MG_E12iaCX!n*UEUl)GZFQ*uk<gid;u!2`JSCcFNeUb0%R$2h~7y$u*fh#{~
zlOiD<*dwYHRlo)Z09@gSsftoH5WqF%h&BmO7}%v@0GnrlR@~XIgbsI-kb~xp#}Xg$
zeJ=msXaq3fid1I5K2y9AinZJ%VkZas&-8A+x|j`XeuAl0&q^H{Ax-R9-rj(XU7dBi
z^AyAOw4T6zsCC0_(=IbaX+3LF!5W20tC_hXC8L&Z=Gl$LhMO*(>a_#6x)Ym1LSZr>
zIG7>gY-UNT(TitVb<!$Od`l<L77b0TwV&Mr!|0X|GYsN=xz>k7Jr)a~Id~I2J5HH^
zvVmN|hg&y_?XaIYz?Q2ds~l!F!5v=ln{Z6UlRyCqR}7L0bU0c7aJ!r(59>Is3$AoZ
z_RTI016c9#3b6H1HYd|&uAd6);CxKFYrQ;|O*9xxIb1*{)uG0!QAppXD^bgiixoOb
zz4URhIA#jEuu%)-Cu&tN$Uz{)SOFn&@_`ee59M&;9=&2%x&9cB%ra{nW^~pR5BR`;
zVqq5oyWV?+mY@Mu*`8iKbU^XV5DVI9mpR#Cne_$g3*bppU0#5>Q!i?56saPX_D175
zh(3tH`YYpP#0Ei3%SJSa`XE?WjMmuEYW5K&bl6K5fl52MqKM<x6qqZVDkX7*$Fp^I
zI9a=Sz<EqKrdr&ip4ek18ZLzys@i0+io`lkYl~1FIw;MQ+6$6w8!R!*2{sS_Lo26e
zT~O%ju<euyrGW|mv6J2TIyi>Pcd?mED&Gow+5dFjmptJY;h2k*2VQL4MNJQi)R`|O
zvuet2kwJ2BC~3D@Cm+WISItKEDm@@NP<p@_^s;~<`{7SI)m>gNT!KC|jkIbR;%ro7
zCv9nl>X%c{80Gn>Eor90qkV@+?C3+p>5uor3492Hz=uo<d$ib07t6GlNy)Gkw)6>t
z&l{V^WUav_$bOr_EPmoFQDvP5hx7AYtg!Nxaf^=U+B^bS?j(yleQEUy^!l+Kn)cbP
zn_d!XC?pBWa&E?StcLGgzU=ALp}gOu7Y{GBYlz&v0mfM)&~da@3xM%oNq__$hYjB=
zxf+4BvALMR=aJ7Z`A|SpU})e9#v|x(h~-;lKLeu?7rC(Q9mJ1jb-|kR=25c9wOkog
z<9gtasS|)zZVtR<5oT76cD9`W^%B+wzm$Q}XtZJsFbgzl46tj|<`S6GLIK9lx!J|?
zpkWfgg$bdY?1#w0B&xE!33h_BUM-fY!Zz}K1FrHpcX+`xe-X+GEuHtYyTV9<rTg~m
zPHGSeypi{MVkRDI`H#9oBA^t7=<H7@K&&(iv0>KOD@9I6Q9aP7l_*M*&^6*FffBVW
zsQOF<mHgc-oP^6(WsBp-r$=1oCg1XaI<~{fhG*$f?Oa7z`q-?jFmjJ}576=XdV@N2
zywN)J{YhD}51MVoB+WSz6-il293(-OVa$MC*9}uSrk)`}r3Q^W>PCuyO}DPqXV9eY
z;asC2=|=|OQglDFD;!dKjt{Q}s9?o*-Y_7}hNEGGj)9AVY*6dqHUG{@kP>_KxXu&)
z6IXsxAh}2dvJTlRgUmXwDc#dM{S^~b8@>@43I4bSa!pJ&1Z+w&>Rk-a((BI3HlRWq
z%FlTy!Kz9sH(>LxOp>>EaCsN20xmHQVXuu1`KI@U#7>E$VFYTkNg$TOQFv1C%X_fU
zYJE_e$k8i8sF@R=gM*A~5iu+FhuG|n#@}=R?P~22+#!Mo=gt~H&~>tYAR6dc%u#5X
zELGyW>{fKP`v)~g;A*+zP3|(Rbm)52g@PCn9<f9AW2vN0I@SjM2z?&N5jc`mAe3sz
zp4Om6bjXX*^`QW%3e?%+pqJ(m-0qrD`##*1qPrKnpXhF>V({{_>y0K0P2+2Kqub;h
z>!u;wTaW5h!*Vwd6*qgJhyrt;&xX_6JW}6DIGiQPthxBN_r$<M%11V-Nh7*0i{2=k
zaUAf3|1AG){13xPcoTd8J_lb(|3Vk&<8*~yO23`HmENH@95F{_>z!K|1@&NDrHK}1
zs1;1Nd<YjZtNOGD%$`{jbh`4OS+!3~Wm<+Kt__R6AJBwzt&a~ce}FxO%?`7zftp}+
z_MjswsDf3s(L`Ja=`aX`1okJ*no|%78R~IXZABnZc0wWcn4if8o$s^pz#52|L7_$w
z<)_{+&g=)m56m&xsj5ag^Azc3k7<fks8Jh$y9!iiBsK#81SxppolX893N6%4%TT0e
z!mgZ61vXZvCi4*WWmYGZiK$@?`nM3Mi<ldf>-D}cI+;xReICLk$ya8TE%rO^B>H6;
zjbg|9&H1!*`5A*(`Wns#GMbR;je`-QGxz{&BhfP)h%xK!*x63VmLj$eqwEb+5;Nn}
zcKx+H9*WTW(TpEmCF=VD+8?5U=KFCN2t>-Y4_kZQD&0WPo`=9Z`Gl2(!6LCY4sNy=
z1GH)lq8h>VLq6i<Dx<L@rVAGm#4g=&I7m_lii<wim=V`<DcX2a;a)Z2q9J4)>ZWSi
zSQXeM5im0cTO^9kh0*ei4hq`68=UUSkRf0k7Y_l#Ox9&#1D`{3Dn2Z@eUlDC;pRq^
zKx8BY^O5k&i;8}k91WN8`8UR-YXR_F@_wy_-5=WlK=Oo`#Bc23U?c;e|NaC=z`r`)
zL_{J8AmcUlYY-IBd3DJO1Op5Xl8{&=rF<1Mwm|?uW&h+xWXI?Y4!CcQ0f+}hZ}5T1
z9$(y#F+VDeH||1j=Xd+#&(a$L=-)ztWw^=WVE6f8z|vzs_-Ga1b^YYiH>Q^bbA`iu
z>m-jSmroVwBcKQv24|VbD&pRS|KGhxx&Ua97FlYgn+-UFzai1UFz^lA3^x|M7ibHd
zg`9=Fg_4ERg=-5h7T&!MdY$?jeqHps>~-a$<05e}a4~q1yg0k~U@^eI(3k`pJ{{Li
z9n=xs)S*jn?%9%iYfTkZTOmv&3{p!YO~_HQpMxCbI9i4o<1}A!^YM2wckKn{9rLg|
zJmhnp^yz19t7XL((lNchxAst<oT4e8jng<yb7Z<9G+CLpO@Stssm0V~QkwcrgQj8A
zLDO~9cczC+tfl0oz9sF_S4-b6%`QD$dhyow-T%E)zT5up^n3UBlK0K;PyGGc-=CH}
zmcy1amM1@ye`xzKy|N+z2m?i+M4WG|-_8x#;pR0vAG)RQzVWVaE$N%*!LMIOKm_8v
z{=+l9{=n0`9(#T5CH1nL7w(0@J@5j!Z*fm?r*VO}09-Q8+4B|7#q(d!X-_-=o>)&C
z=bR9J@*#Z4IIKC$Jq+@IM;rg;fxEp!H3kRW9t~f6zB<15u!j4BJ)3J-8vxiu05BIY
zKVZf%J(w2Ew*W9-Vvb^pFd3LznEe<zW*V~(Bf)ILc)OZhAGrSQ`pOk?z2v&hRpiQa
z9R|R)#AVv$rSqZ-+W8mf`_328qYgd}YitfVnA@B|KSKASgVBQ~2e7^sb}Ve&>t7IX
zDeP|8Xjr^;7hqj)?H}3|dMosJXb!uO9UAHxx{ig}&jsBM8Vyo2-2#6Id>r5$kWRM>
zhW>w+d9=Surv7I@xcDxAgK*lny6C%X#CLkPZ>Pj}OSWepNbI1)4mjcvzF47VNfMz}
zlm_zGk`&5cKjE))-W}cjY7+%?_dz|*8{Wm7o(L7(-LTDE9~@hA<dXo}2^Kd{2c>2{
zXZ)_6_;zFQ&iwG{o%!S6I|=Bf-kk-??msa(2}xpI6mUhLSHgJzx&ytg?t}zMj~IM8
zBl-v8Z84E-qJ@$rudNpep+KZys%eY4CVCEggi6bhB#;vYV?D-XXok6QtI$PLk|KGH
zbhIO3ir!3+i7b{#EwoC>OCc5Y@-o8Utt71+Co(Wh;eZOsGqW3~*&ot1WTr?3&^L#K
zhRuTfnhk(0J}iE=@2c3%zyt%3V7HcPX|*}(%*O2Ev-sr&UJFjT9d-gaB43saG6)s|
z1Ttt5;pkQ)Qwh*a714H@i*;Z*=!Dm1+Qr?im@#+sFY>TxWw}akc*mS=WQhh%9R$dc
zA%_WRg2F5ohKETsXbmXu5gPk2iHx)a8Fj)1w~QK!A8n;}SwXSE_~(LEKwuRcDd_Sp
z0^%+`odTC8$JXUiR;;pm^9X?0%JPrMf%r2Ia%4pjhV%2CaYJJ^o#O?U0Kox?UzxY`
zS10T!PN))~R#KKw023m_?RVlMP{IHXHxo~6j+;==Aji|ZjK7`dlPw%st$rhb1m54<
zy}|t{>rP8WRnulfq}Cb)Yt@!HwrPRD@}B6igsuA$$6gSqr3kU(1GXO-+iSt@{qA@-
zT*-%-AVh8_qF?8N!GIgbs&bnNv%o8FbhAoU=S~;z=ZE+7xNGnKoL*4sG+)u8rF#Eo
zA`Mc#BZ1Bv@5`eYrrHut7%E=@b3{Z$KP?mpdlPCNU|1EE)fG7mfTCp@2h4N{`fE2l
zL_nREfb5rS1)RwyM4rcAiLeVcYRpn+X(V`aM5ZT=Q4%CIOd|)>UM7&0k%9#FmLON2
zyHZ|5v9|<gf!!H0ubkk{lgADBRviiMc#lYVGj93`3D9_#@-Sm|Q=M#WApgIT2lCYo
znrNh2RmLCB@J`Vr!eDO(?ZdEHTx@Y^q*iJT8*8YABLY-j6{v!W`>fo6RYQK{6al7c
zmd9i4Z?`g5UI|+&=08+|i*?{_GsJhn&@#{~bz3&Zh1Ic?71`8GB*f~N*72U2w0bb@
zUbQyJhuS%oy3+n(eC^D{-r9Nc?w7<aRNiY=!=D`Q!)niWMXo|2m%bI{2D`HIwVJN_
z>6{O}`K+v{K~fga>_y#aqH<BAmu;|k%8it~dIxCqIHl+)g288Zi6Ml>1KbfUSF=UQ
zqIZyF*F52~G<97{X(`z~pg0Xp`V-U_PzAUP09ootdAg(f`;#kB?Eeg7j|-rbV(u~8
zmG!V6t59^45BspQ!7f%pm&!eGd<XGmT}c(bj(PUgrjAhN7CMUh>AdS~0aa736NVLP
zIKK+|)r+^OQ0-7hoBIoAP4h2IWT``yEvcKTW~Evo2F)fqh#b?aQ7hb_DpoVZgt#Bk
z-dmTx@f<D3qvyBxiiOOOilV(e2WWGav?<#d=`(XZnMp#oyx09_e7g%vBQ!xxB74@U
zFi+cby~UJVG$zOCQV0|=KEz=+qoYR-p?;=k2j6-+hNJ;~4iLie^p`dtKKbhQ8yl}h
z&d@J$pHuC!4B0>n$I(ZX-7Y`a`s}BO$<Yd*G@6u4XIv5wtlkHn1&uBCVS|dT;eZT}
zq`AH)1I{k63G%s?FHcD3EV<eV+qNy-0Ft6Q)N$eMIDp~zQVcZva88PYtNVSFk*ABM
z0)VxUtxIf-i-$U7i`R%OB4{^{6zOq3l_u`molkgJfcmMSYTV+HLu6z&9&_`xURwAJ
z#IpTGAM}d8NA=!FBBuRnHqP{ZHTli3%d*jyA#7^%!Ctp93@W+k8h)!wvyXj<2VC;>
zMiv$o+&FnksC_hDO=<v#J`q8(w~Gc9hW1d+^oZ2z5h193<<ggwOU^N-RZYu+Ci8AV
zMWJb>hT!cpLAb*@>g{ux&|N82JytxOS*{h#)!v6M*NnEl1KN(4Hrgzz@0}0Pw9^zA
z*e_s|amiaprTvdqM0?US&M}gh-J%U3wML+}5W_c{Yee<8o?sN)>qLK=G?XZHX+q#R
zg>EW!c2zs)k7gbhlGTc#l8-2RFroJZT4%wzbxs4G)UEB1y508#HI9v?_ZS?hE~-uF
z>D5=xcP&x`34$Ph<o*b2W_RzH3Q0^I#WZ6Y<gOM=^V_uD36m<C>T<^YMxbJr#<<0W
zkzJ+CjuKPKnH}mUl(J*3Fj6)?wIh(9JDkuVsn~bmgH=B&Tbkv*7xieuf!>n`-^#|`
zC~B``nmtKBfNYtj%~7a!$c%9f2L~B;WzwTDRxDEb<&sLuvfx2QU=ZGgYi+NDit=Si
z8TG$-?Dj#(7>lZKFosJe1QEChc1kd-@B)nYo#>L>RasZA=f{K3kSEoxy%JUBK97b`
z6-q0RMXJl3KVIe#zc)BQ71M-0wtyUeh&!>dbOb`d%{U;|b>2~TOpyY^>5eHugmN>c
z3eReXTqR9Q3EmmD=jhgbT5WZ?Ul;3DPQ<i4S@Nk=F4^z9<Z+{?;NWrl4H$XL94b(7
z17);#tQvn!IQnv<KdT>)$U~1I?oM=@*a-`(o5|>pXdStM&AE%JiMVng+1r@rfwEaV
zFt5>K-tM*NhgN~&&ga?~KfK6YzoZf;C<2b3!ZtS`4ndaZeN?DvhB{hcyBzhSiesSA
z;L<}&AvA|tLOz}rP=e9nrZQ-{Cq+IR=W0Ud7mZirjwde6OJ#>jv5sfLPwqB7)`558
z4xZQn0}cIz$$TjY>B6pU5-vq!*CGg~>ZrSi%K*&E7j_>_sf9uu2_l`R<4&~ZY43K=
zu<mSWR`-u|u2Ohs*MCL`VlIYZ++gA$Lju`kiG?Ziy;5Re(F|<ee9yCa^sm=x8OF=X
zT&t{1gZ?Hb*`dV{iSmOuINF@gBITa#84Z+Uca-o8Gt?Tcn5g2?!1NR1i>{s}FUvPR
z$n2cz3g4+&8lLMdbFIc+1a~fTFa$sx?NgmMF*2|Hy7o7%5U_Mq@}3Y5QW>P2TT2PF
z6n*H@-V4oGhms{0#aO?o&~fB)l#L+6z~R9__O9vE=1rtcU78lg)LU)v<4yzt_xr^$
zPUi}tDaa%10rv04JkJLROu4915)9-w8W09jaxGB^(I!1mXe$?+w%!Z_Zl;fvvMf0c
zM`M9E7Ls^?wQ$aW>y+(qNGJg~Y?YaTO~|f%SZdD(3~aYFPQY09v!(V)*FPzXAxnW`
z!*{4mvN`k3hAevYqK^HCZh~VlG4PgvGjFi#)_N$dH`Y^hW6kUX4?L~ZsukAUjX%9&
z84rb)QHmLTR1C6X1hWzWCvZ%V<OsHOLJQ)@*|ihIvOV63pTY)BahrFvQw|~FCr!vq
zE2hV}uAz*uD<4cd&NCRgcnCh=ypn<>Zy()8pj(e`-hMcB^EY+x!L8go4@JdR0f%o<
zj#a1B3{1ozpI?CmJQ++NNb+$%lALUAUVKeKF*Q8f0Kt6Egr&?97;M1o0a+t0b{Tvt
zU;d>9WgS;i6`~%+{RF#NiwljXw!8P=Oy9m)R!3eApEe$TK#c6Y<Xm&dQK=2^OPd;~
zR5f1gwDN8|zvXPDmbD^9HTWS^^3!qv@?q}C#70H0x3g}Ox(zT{=(2*2W%{yFp2f1K
zpR@ta*Pva#=hF6crenJ2yOFWEW$9%^=WBIVBz8?djI_22-(9i|_1)HCeBgDbr4Dr7
zGaX8`6LwDtY*tS`;UFlnMR0>}$O1lKxCa|J+>HX?<c?<Qm8ZAg@j}VuSeEOTLn^~c
z-UVWy05Z;LMsLbBef9foajLyo!2g*vivG%lDp^ouJ8z~w@|3o(^z28UlN+qD@`kT}
zp}Uuk>Adwc1%pQ@$=;ZZhahU9XMx0lSTmFcmdJxyzNKd87YLYmr^oeY4Bf8{G{_op
z)s|S}=o}VlvqfES>22(VIXX;Fl~C8Tdc^ST4Po98{ybREB7Pe8^6=;*c0+J+J+_ja
zKI*urtR$ByUxLV`&L{{(viUO1SduxN5sBZYM>$s{f|OSA;MIyjeu?`D=?h4;T+`wS
zovCH9(Sx^NViI}dDbWT+cS+<uRNFbK%E>ASHrmnsrh%p~7xS;T45scRMh3EHP}o$P
znbAZmZEi<HL-+c|N*>=1CS21RA5AbNKqDZ6`5ikyuUFBF{`MZ^5&EbkER()ELB{2)
zcv8i<_DaEF`gH%os~P3i>b3styz7^SYI2RP#%Y{8H;zc@eTi=4uOCX!n%1bdI_LO0
zriYyR23p-rYiqXnPt`Xd_8MbYVR!}oXf19rVZku*hcB9jS(KY=lx03SuHO%=G^yl2
zD<&|v;#N)SHi{`|myXv_ZBTd2r#QkVtA-A(mf>hPFRcmAM@M#%36S!=P?m$gJ+@N=
zyd&)|A6r+MS0>3}{F<R-O=T|e8&l)R(w}7v0D#S?XAi;y)FFuf;+*(Gi#Kzyb56;l
zCG8D%SD`jcv21)3%`7Y?-K({+li>%<VIN^PFB<1~cTB`|d5|nn5A-juEcH{_(?|1i
zuGWXu>sNOa&;9xVPoV~;gYPsNh{_f8ep1l4J=$Elwb?n}Y4n)AF{rE8VI#A~w8z3n
zmf&se`~dFnh@A&1FX1fucy6i;6yj@44l8|yg&IF$xt3w{$2D<7N|1^bH8bP>4?whR
zf>{i_`U%qJSwdBPNUkK*`36@IbY(N30r4&nx5{ikB|Vj)T+SnvHo?XwU8d_3)-tp+
zB`FmrB{`Gxegl*6Bb0C3bK}A})Ef@1lxL}FDpA)uIm507opyna@DFV23rO_5)XZ~w
zM$VotB_yrA!HBXSiyUjc0EZlpO_sGXmgHOF7NN{Xf}ZE-k4!{EXRFCt??i(TXy--D
z1!7$<DC-*?qN6t#s3usg#5P9hYsZ~%l?N*@ETeap_XMq)$D0;vuIXijb=jJEm0yWY
zKk)9HK#P~8Fp$xQE@(388~S3cjhoS)&W2d2iVLEwfR<f#Xo&AZoU!7lT5&wBg_c>i
zr<SO&c6nnrMrD}afXX3Z<kjI`Wne%W2%-5&&T7f!H53*8s_Un)JgZwtORuNXOs6mS
z@ce7~L}o9#z(jlBe<iE1mbGq0yuBq(=&3|YqrBB{C$0x19J3g_LcL(8mGasTsi7y2
z`d^5&*awV@P&-gQLj;P-pmzKN)*%S^m4sSW0Xy`h6^@N}{6DnPN6F)WCK?I-LRs|a
zUvwKKWh+t;0K<a^eibjMqVvlOf#8R_I*5#bbL%85yed2|DYm!MO?U7L3|~_19Vpte
zG10v?R@_Roo+2=`2(Gz81m=E&>uv=fodMpHY{Oa{yvc8d{Id(}7@+2#uS@vY#uq4S
zvWCbo&}2$U0>;mbPwoGmAcQvrD*-%9GLdFsl2znn4_W~VgP@oW!4<Gt+H>RoXi>a2
zm^sh_j&F7$IbEGN28|=X>9qNGjvB9SQC!9ViS7@Br){>w=43$r@Nlwl(<WhXk?6`R
zDJgZNb`TEa|Ni?V!y{O>cdzV^6YP=EnmOq$eOg6D8nA(m;>IwLHquR|>#)fPg^NJO
z>vDjoHFq^_{xI(blKvb9^m@V@!p;-#r>NaL&6924E|C~Z#+yAA&os&-zm@I%;(S{h
zti5Ges>uX?nI5X@Ns7kK=2p{{k~vp^iHt17%t>>GUd%joi*}wBFE%8X?oKW5kaD?U
zRpqRbLCNR+((PXt@*=7rUa3!b_{D%`i&wZ^(Eo&qCQuIL!d;0QHzw{93IiF*Oi<(c
zi3LzhsrTT_jJ0=ZOz)*j9b4XcZ<GfZ@pp4W78dI3`@7bG1rVx(r9E`uKaLgyn_z#)
zq1<8f4n$iLo3F=UvR&1<e*m+*gP7xP-fsVnXW{$~JS)r~0bx{Zf_%OMbt@Qmxw)Ob
zuD-r7*3!QK*WVvPk>Qmc;wgE2Yd3E<Yllrryum$z&rfhief{@-kqbWv>+OU1E}Z>q
zYh5T=-%26W%6_<Li?3bU+@uWe!Ya!p$^XcV_md`Mw*<0?X=`cS-O62*rnai@BxKo<
zJJvF<+M*&WG5yYw5ZUr{^0t6qBRHIh!29I+p9>4O%E-UYw{JG9)VD75pUbE3yb7dx
zhjItGlDFe=Mh)EP7wXiJ@33-}FhOaMK&Y-p0)23#wKCqlJ(n-{1oE9OI3`Ey8cYOw
zWc%%Dlrq&`YUr!neC*if#cDYSy{`r~nczb5ZjK<WGp@Ket}`v|LPj!A_njFYehOb~
zYx}KMw3Q|(waJB02W$EeItSM)sXWwYFHJ=$r>5OL!s-I7gVP%KO%062!lTPIbY|I(
z9c97qhZ$S4uso4R<wQ@-TvjuGJ>d<3G&4hBIVz5P-k%x$mOF;qP<=Gl2c68qutT{+
z&rSS&Ad>qL4%x!N>)4=>BLs!~A-{|(`>yof8BS<-Zco#fnJJbI^_TdUO+8o7b61r<
zL>CvLkCMgh#<}xOSAh&-DEp`&D}n9!0@A8SpRo;o*sP(UU_S`LVWI1DSpXrbIp1Lz
zG7Lex4f@@{AJHyf9_2?UKg9Bpi4YNZ)+z-Q5#;XHHYiL7^0TBE6Rf#ElbYO5=;RuD
z)dIGZH|jR7)na+y8naO5)3X>mp7ZDX_>`WcCx$V|faoTT2|-}qr$#L@be46Kdm6$F
z05FiCJ$oJ3llOq&r;tyH%Zoa4B!uF^C9$QzZ={;fI%E%33Ds(&aX#Df+n7lc)dWL`
z=j`p|eS6DrWmL_IM5HPN*1D-2Gh9r|bxMwN2C6}i^wVL3$#9Vhs8oFs{U%_70SsnA
zC;%*D;Qqkn;7K(L773=oP_s$pO%8?)7CHpy!QrD1B!CerFxo@N5XSY8L2S^ziepPD
zeh@o*seQ}9)=8h3;Io}nHMngu51~OrK}6I*BUBA+wUH_luCJ}IY7QIJP@^TuFdDaG
zI?GuskRN3)>UCh!6VrH_i7~p70ekl`q=I~KROhIn3QuZ)zO1jmE>(+R{7ri4HF|}n
z!awDC7uW}YS}i;|blRX3{XPM}JC_3${eSIPzWU(S@mYA5vSXGpOV*|3?Nx-^?-yX`
zZGBLUDIK(cdMJ&C63zl4(B*?ZN4JrRkKem7Q+ggkC9v(-!$yB8N^hncU^dE$8CZ{i
zZKP+f8^Cys4ZS7^Vl)i0POV;&2+cvM-!=^5>x(Eu$Ix|u8KOl;7WsA<2Jjv8V|wkQ
z2Un0t6-X0UCz8u-%H^|05aS3uveKtkFKhReq_Tbh%+On~y%yFu+@l&;Q-AMQgFr9?
zM$~r$aGETr>e<Bg{czpV9HmWED|wS?cl_nM^n#4chXmrDZ|}7Q9$^(GL2zHG+mP-p
z-O`BOS2!&(u9h+1VC^bmA=G<@0W*-Hz}+Cw=W*#H2Q8&IHh^Q)wAF#*4;l7USn8bX
zETfkG{)Ozu_~W~w!Ei*SlQXnbt}EqRe0p+_Bk&;Uft?MKV8BOjF_?>lDU76jI7tN!
z8c+vF2zq;~X>L`zyYAW}<alg|lVAgf!VH)7Ve^n$4qqIJcEj1pizc}%XbhT=DRgv*
z2J7=c1AtmwkdC>IhQ`>i=1!|&d{GH4qh$eASTktMirxTJeQOSO8)^$+9|MEB8xJZW
zH|D7R+nXsh!R==uLT(I<4@K?E^by@NFZLTLnf}??etuU(br{aPKSyvT&4Q`UgmY={
z2XyZmI6<YGB?Msp7Hv%)&*Af<yBnPe=gz#x4+S5X#RY*Ym*{{lV^2NOb6MNX46nPg
z@Y3s7MvK`Uw`jmTx8?as#>PfuwUH9=Ie%e6IXWs7DyMgD_n!K&?;RbvSnu{t9^1pD
z_`Yuy*Ni!^t|_ov>JI!Pj!WgP?eP)}*M2!+B=NrcAm{6$bdN8NKa|(j=Dyt}sh}V!
zct5VA$F9V=<d9)sA%6ImV#FqWVL((>HIV+dXg$Ij6WbMgcKpw#`U9n<Ez123@HNO=
z|EezK>Z|{1bwnJGp#(g)9bRIjxFjluz4i?&N_;<)a`xUfj|a~7ZFWeap2<|*=z`^Q
z007AjP*Z;~?9|!bG5{1fE}M8S7DyylOds5dt{ybCJE}Wpp%WaB>O2gLYH@k3VKDa%
zut(p#+0Gt!JKIn=dBGrjpr1YVW<};SD?s|uXct%Zv9e=q*C$C=&e03UCHiQ^V}Y}A
zUc==z&Mjx%iR=Y8bg%()2vUDC6}O?e%j0VEOtK!3Q)?dFr-2Gmv4_h|9tI5PNE)J&
zfNu0BE4A9`Y0KDe9a**pGYIm<m*ool?N5kW3Xo5?@rv?iA)?oV0Yq8AD@JvR3iXpd
zI<3842|z{zY%uhxR6oN%?^I#1XVcNf`&Nz^fo}ZtfQLxz(-E8z`3lIooUYR;q*5--
z?I$a=Qo<X8-1Wc)IsxsrmL5+^<jvh;)cbTBrccXBeMV!1nY1%cEUQ!z5xs9Tm;3mW
zgJo$Xn;jXf@heDPUe1Gg<x)ha0~`I-YQ;*X>0W4>g=aHY6ftZj_5uK`fUPrXP*bC4
z$uz1*;Qv#tW1&cCnN(dVk?>$%|FBA(4m7jra?<Fgx(hE8?obH$!|-tbc#6qMfMDP-
zn5_P@C_-<#^)F5Ym@JrYijg#3jY#SKTmyDxU;q(`#>V6kW?#b<u#|rJTtKUFaZx!w
zUQ?qyJ)TYrhrvLrHNmF8Ik2MpdOh8X0`O4{uQvJs*dQl7)^#Ar!Ev?KygW=kZv|AT
zcwz;D7buCI)v`Mzq>Y4kb$26R*U-!X0E`L@P0#>$IM++&0)rd<aq%17PR-B4pf_BD
z@d*idcotnx{E%3nP_7Ux8!PN1qjvX(?+&wnVDB|?KlaRheC<*C`GoUH>v^vRT7T&R
z%|Q4s(dC=a4?W#{Jls?8Wz)<JUom+n;ii!1&&@9FShp#)JT0Rs@C&X)Qfy<pb6fW@
zGlvKQp2f%!y}0?ClWTqWc=q7tudQr<M>$4@r(8%mY9U-vV`WKUvmdtGn%lS(<m8Y<
zuQLDH`;LNQF8zfM%?U)9A->jIX#7+L86&4dg4uB~813J7o?YG;!M)clw}>1TgL#4O
zXa4>28lSb~lL{w11>^kjV6<9|tbBk!tRP^>cqdD?ajH*fq1T$ziFFtJ>k|Lh#rWJD
z9G5zjJCLZ(FsbYlqRvyf7k91yDQ<7nMCRnMGnJ&Xpu$9jsZ-yr%iywqrnuBuDtD@8
zHfu};vM8S-^;7#vQ|6}T;bm0dFHM;-O;M@;LYk1Qa{bsyEGdvf-rwm9BtS-6ouvu$
zbQ5fv)rO$n%EGRLQecw;blobXd4tEyoYuY@1N*fLz7)pT&4@s%-ngsdM!iOExIb4H
z3Aww7sMLzttoD}-5DLqw15nSw?Qk2}M1uWw?f2<0$po7;CORaJ9|VGZc`yd~4;XcF
z6CHVlaT0z=YoHq=25i-Q|AKz9c(h_I^k@*<k6>SDW3pm(uj#%i`QGFW^oWfB#-^-a
zd$SMKtZeSdhxZ#Lnk>#ShHW~2d{eM7PUWngez%P}Z6(C120_hnzEN*DvYlL<Ha%0w
z`pM7W_Y+GFP1oYM0TH$qA;n^)zYa%N10bk2;ZUBmKCVixL{Il-<Fk7rmb_|35+vzS
zYl06t3}5f7stRQEI0&no^9I6(h(paq<~9@F5FBoeBlS@k?j9MD^~m^DbhFLPE%}b2
zA*k)=db*mcJH}zU5%%AphG5vq;EVv$!FYISiRQtkvfXHIj(&8H<-PW#+!g|zF21){
zsXiT$a(pf7@+~y_#f0?onYHNCS5T-&Jb(aE|5cy_0M_6&ZS=U<nA=xkVxhkAnd{>T
z@f88Rw)gt=o@Fa`bdTOTEwqV+3bFVwT@K5iAj69a<W|=#g3KB|9W?~+ckwJn7E~Ur
z9pvnI|9=0lz5THE#~&&yX$+NWf1ka5pEiRONrmg`-@j~d+U|dXSYJm!k8>7#M*p7i
z@QautU=D|J)GijI8|QD@fg>ZHe?YHz2h}q5dGbm>Vm{~O>VIFDIsfy_)qg@{Kl8g}
za$=>blGgcOg8+bgX8KQ5#;%%;Ly01IAf~D~u{)!2M{`-KbtTnq-ZP>$SOxrpFZ|sd
z+&A-gsV|P}b>y#!FEQ4q2-G8D;I2S!Qb9UjaZ%HzoVnE7bNMomLJ5)}u{cPQz!&zg
zyko{o@vJ@}KjH?lu;cdLtR5i@5xyQ$Jgg#~N(l7gjgRxZjv|D`A&Ml}`hz8u_{0Dl
z@A3o>7vQ*tk~g>J8`R)FhhfKgH!{YL2KszGkr&9Kq_wHM?2o8wJ$aLfL{?wCsw1@|
zLGY9Y#TLojtgB;%DdP8@N=$qa!WdobEbDqafchmMmmDy#u%H+l6AKZr?bIstDwj6|
z%L55&H4B2g003TtQM=Zs?2ysJ21EhmJp!!$VPL9FadlceRUn`ePRA=--m(K90s!#7
z4yr0{XCUqE-7YqPpp*FdAt8qW*;-czoEA6^m;v1xwa4|qn)k<Uv|_HCd_j~t#21q-
zmUMg1nPWZB<3+Go4sbx_kWJp#dno<>oK=4&AUR}H00SMQO@Fyp1Dk$&+1J{K6%q?b
z>pVHUHuT9#j_{{VV`HJSFtNL&3L{8&5+q>o<5_$5TuSj+Nm2ni^0e%ItA`?8f>1Pt
zhV4?wudRj!Oz6;l{%n<K2(O;Vi&f2hUyLA=lMux_A`1C^+&Kw~6R{q&?&DLrF{!CY
z;{z3no83}ye1x{3-ZLhJzLi|WtY%>{uTWHsA;+;qwAO7@ehha8I<3<nrB^|u@5F)9
z(u?H1M<n_*`b8zSzjOc!wpPo^qE&%<Xl>hsY@{h%cC9?a!rs!--a?U?#PN~Vsch4G
zZJ+DL&8s>FLH3m|*NZohh%7N9BN2^G%oxdh@(lr*>wmVZL~l-CPjf)i*4r^Dk$u1m
z6c{D^(8TQkq`Cf->VMEUWb^;fL_Gp%MAvrl*dlvT&QL=>!9XmZXZ{PdZTGq}D9785
zs9xUoZK%IY+A9l<G5B_N4{{yySB2Lr<UpeVtvosSw{fX%@I{s9i)iU30^yPrN&3Ch
zzt*qsbQLhgv9@*rEgVZsvW?0ne{bxzOgI6Kw!ypQ1>jdFVrwvm6AltdL@6Z#QK!r&
z#Wqu5n1b$Ig4F$FqYH4=)d)oo=0{0A>f<_?$JSzcy`w7cpx1em?!0QlElBA6>JG`f
zjtm*_wyoQ8W$tltmmj6v?xVIwuY?7Q3<C0>zipQAG;Haw{}7_q=}Da%BI3i#P4F({
z%H^xE$zk^TgA0k^)HqzZqLP|n)~^>HOaj;R0|R~Gvv+Llf?@IMYSKjHW@;ruIhe`|
zc@y%hFnDIS@mRD{ljp$huO+*J04bQSzuFXDridD-$8AB^#QvQ;zH+~%zq5|z&JD=U
z;rs-4+Rih%+|=lajJ#|Yqsha+pNi_PN-gvB7&#fpwIPbn!lvhT$!Zb3zJBF~tkzoU
zEQ*Le7GXP+!)$#5f3pGP4SQ3;L1~Z6Z5Oujg<$vp=!KsbHh&ZQGfdvmj5v;0MpMK3
zb*s=--ufM}#HUf-4B)6l*{I!L4T`8wg46OyVabn&0Ew0Rp!pjuV-Oox1kV$z*;VN~
zlSIjZK|vudO4`}oE7qg~as`Z<F?LAD`ZI5(^qWs;>J4t~+u0YEuD+z*FBCKG6R>|G
zmbCvq^j}y49vr*+4n*i?-gI2}okFM|bjBse%uPpz-f{kyW}na^Fx!aM+n253=e2Lm
zYwP@(#9Sm7^QSv_jek-Qv6?i&(j$k1620@=+VWpMSi;-mM~+D0NsQKCcW_SjW#@7e
z#T6MMktr)C<FufpWK0m7k-a1;3(ca5E*Df5^nE$m6TwZ2j7(07AlUJ}?OaM4I&$4Q
z3ox#iI;3u02kIhttOFthXkFodgiT|Io0{<JQ6ttW+L|P5X!yzhC%bg_o-ZbQW*7=w
ze|HFx_~f(Hx^<L<TKC{h?_y)An_3lKiTHw^mOSfmy47WRT2)zkdUaVEKejGgj27#H
zGl}ild0j`(<=55|L|S=KvIT#zV-|}!SnsS^owEhWvzh>Zqg7SSWI<F)Tek4CP0`t7
zT<mjI=(0C@(`Q1GCVOOm{zjR@Z9FLyfxFP>deKV^RD88Y6@uKj;T@MF7sV*90&bJb
zRTvAy<~i8p%o7gx6_t4M6)o272YI&uoIWcVKU>vQgVe<SFDNZgeNusJ;(eYvxjLTC
zo-^C3fLPV)?81rU(|jQ-E?!9IpH4l@U!M>evp$M{7%ZbiO@YnXDLuJ)Dc#Lk>enL?
zrNgNqLX>6C&b`fx&+{&}^Jld9Y~WC(Y}Mo5Uhi_d5;BEC%U#3H$dO0%IRV*3*M8IJ
zh~3Ea$bM3CK<oKdrQNo{Ev*6B79MF|zNk*EetRS3_8Vzv+QVPBq-+TVX6(#X|5kBY
zZ&41XdsFtlAYpWe!)9`hV5Vp+IV#_?$i}<t+a25YJ!{>T+lM}=4oK~>&G5V92V@hu
z#4uw1L_Q^q0w}3+j65~9_kw{L6!XA3gq2YvFweyqVS>WY8i(-6TBrO7ia2SYa6p*e
zfN%%BrheX!rf7CNd^at-vXK|OvJcc=Dz2GL1Emw2P3T<n)M@nQiL8%w^XeBL1V4W$
zGADnmUu|JH(>!r?rl}}2(R|(tK&a85PfR;Z_kp7$f1R3gm|DxJjP5I~DhJh-t=+ws
zTL&EmueAKqVNHa@nNN;_D3nM@K%OrpV!~EzVz);Kg`MF^6TpCij|S9>*`3)A*+L#<
zk%8f%z;8GUbrAe-GN6pDUv_SH*#2eL*0wJ@`W^beY+tI*TJXp+fXWGng257L)j)Bv
z7E`QE6w#BC#8jHLsCdDr2>nMC_yINbhq%!qmr5U{jGs6i9qA{H=*71>mOfE9RR^S{
z(cue)&)$yIWLo4=nMY&BkE=rB+%rfUaShI#S+DQ1rTH&&!BlZi+J>~QVqice?;>to
z&qVlJa<_C{kTup%)pl&j-oj@f8`mp|;DY&u{&LDkTD3X7I^ko<^f~a-{M&N{1FQDn
zdycFsJ-KQhuH3aM|I>5%!`4^uTYIg6-I&HE&A0bholViAeZ}z>tu@<I!!5=&-~t#Q
z@AM1BnTv>_&Ew+$1SehboJ?b~F5#Z0fRNm@vNWJaoqBb2U%{T=4;(-7+wgGVfuGf<
zQhUyARum!^WS#9(b(;zmlbeB8PIXr1>3r-IkZ>YHy|a>neZS9kFR>v8RNEELV?_n5
z$)wO>zMQ<ni4xOkS0_kIXV8jDG6Jsr*3Se#pd$OxZGqXT@fO+C0A8rXRkp@2P-b2_
zn;l6eXGJx+ZC-;bP0l-XiWVO?6w~9q!6MJ$qpx`e9s_Y2N$qRHkK8K~hvf*%T~}AJ
zTeF!=G1MBk69pzpE&fE_rL|K!=HLl1k76Hi-5iq2A)9C7UYGOT>TIH;8c@aa{|gn~
z;VPKj1ZF@<2thOsmpCsa1sn>>;10Oe$M7;~EMZP-^pFcMV`m@nSzM$wz-x2T2Sm}L
z=%whRj;W44cYHJaGW^n;gjiab$l4m=CJ!Hl)6<UfhgqAPS*&=XPgIORr5f@o6m@%%
z$>D;isJQkyRpCLJUh)ekJ^V)n_zCsxjHJM8@y8#Ny+#1`>fXH?&%i*|*jN`fKflLq
z{0%NJDbQ1M>eQhR0O5J9p{({QxFxxsnuj<T4F9e3q!I|5(R_X*nm`ElT=$2`wAmq>
zlPq0pF#PHs)yh<<nwe4V&kP31TJV&d;j--k(YRYPdP_Xq+!UC!gJbJcQ^Ip}kb^i0
zg|WW=k@4`^v%|O|aUU)*F%pi9jN_}-L!Nor!`=)Z+n-(!ua#yT&We3oy)DPg>JtzM
zH;yB~!nr8g7%5u-%z1RNNoViF*^Y~b`&YcV{O$-O3B4_{MO;<1QASLHV>#>O!-}cO
z5=hxLUT(8!s;0=-{GF|*b-Gge+VPvA!1lwT=Z@AmWo7)E&eponWV+f#ldFlo6#4Fy
zTXyDhJu2?$)_gVt*N>b0?&{5BZ}(bG?BCq60s}Kl6wtoH`h|5f`)-cU@o>o97PRyF
zz}u7rB7PA+MM<s{0^=8HWioWKIAzz%70Y{KNs?t}6-pHkDP697Le&#>>skexdscsL
z&1GvNtrJ*((uV6cYV4S9Pwa$|VN&ymE}c`)^u`!EYCO_8(#6kRdF{H=)OO#j@;%i(
z3y&^(k<go*k5PUMj^8T)#d?KRCQhNbKX8?Eo9F(HD4$qKHX>@T^cNM)%FnB3*}%3V
z)&3?&qzqK8Wz08?YMfi=N}U_NrW}3U?K_x->g8pvYm@%Z6#zp<u9Y;tC4xcM(K+9w
zpz#Aofng2FNETs9>oIvv0L6MbhM?=3BNMwoo9`K0J?a;@a|0e?Wnh6F%Znf~9+t;l
zQ3>Ll1nginhe0@}GTj23DG*DlHRNBWa}Z?$EM)~?yH5x592pgbwXA7k0Q6x_5NZN2
zg>P`YI%e1VN1A3jpmCR+iYXQbLaEI=aCNLyO5}#LuC9t%rF#(N<Y(lX;w(LXc4C*y
zPj}9(J=#L{Bt310LUXkknxsv*nKgh0o-Ac_2eB+V*xLNW-RG>)QA~ZnHr?5ju82gi
zaR$?<5Q4tM>`{u!&Oq0NeYE|!ILu#K_Z8U(@pKs0y0`p?p4{@lo~Ievnyb~a4x-s$
zTjbE=_(XhD{%R}x*KD1X^`*96ei;tM)?7TZj~31mvkwj?43?Mqb*BA1#^-?a<oNB$
z$<Mxh<wxSLMatdu)lzhH%#SyPcy{+2>c_KsBE2C<ZW(x3_z?O0nTd;V00#IofC0V;
zC`v!T19X5lZn^GuJ%Yh>R_-vb|4uPvtQLY(j*xN<eRSlM0<R^l8gu0Jg{$IfemMs(
z4D7)&^{X1QUEas@JSauD%=gk#+^HdPO_iyZ5Wj&Dl{^P{wej(;rL3H%UOJ-)%Uxg-
zH@$unzoci*F)0r@>+)g9TvD;j&21PN(GXoC4^=2<z_;sl-^I0ixbDWR>VFQ0w}+r3
zVx`Xw8Qn6932}hmAHwzS$~5J!+Lk!QoF0~%@{#iiO<pB9VZQ7$Zu3O|KbD0J#+=+u
z%i`v50E^L|W6bcw^1pz84=7j*T_9(mF$G?eS}l4)!2}p~1E^3yN};YEyeduEK`00f
zvWL*X4kajX0_{nP=pY`eHGIOY4A4E(IkN-0mD?e)A-0_alE!k~rUdDLFhO4m87k`f
zY*&(AY6msdir#6R*R>IneCwz~I;gPV@iC?Ia1~dTN0GCpIHVwO*BK;4&(B6&am+?u
zMUV-h{b2_NFE{nS`jXp5(ye^>%-hZ3*suLQOo8Y_q=o1Qp-y;4C8#X4ecD{^Q0-!p
z&waOSNKg0QIVG)?RJn>0uJc699H#JtCe8dXr$4MVa!wJAX`b4n04+e$zX5g)+>!mz
zGWPM#sGU?PH7U<v?vz{?94Sdho#T^b5lqoUzRKUIx03}zsClC-tB8d5gGc_0Hrq#$
z7)C?(u8Uq~Xxxbw(7^kJp&r0(dRmVC=5R39Mv~&JyWq&ssCkHWV~#H8Ma6xt#i0;V
z03X7)a)m`0i<w7!PZF&}jK!;rx9Ot03~5)IS2yrOp-?bALap-^2DZ*HD_Qd#gVmQA
zKqJCA8Kg(y{t3XBCbap)fEwp3AXXQXUBO;uKzp-4d+dh}G~LJNhvRy-e8)t7Pzk@B
z`lHiiP|BBaOp$9J9vA&2JTZT9>I?k>gy9{qsnL%a2XiCF#`H*C*1XWZ(4o3p(<agP
z6rFOOdHDh}Hqd~BiCKo76rcnBk(N;qMM8MtUgmGIlV~J@_3*`;Av<AD(a2R75<Xfl
zdWM1?L!K~$?gCaf642}{OfP&$MX!kne7>!yBtkHBa$i{>fA`EsCwL64;!Q*>M86HI
z&K1_SGE+{x9T`t0)s#_{?$(Ef$U7~Z2$i~(b+n*`ENr>6b|(CgzqEwJXoOrifvBly
zfDF<5{l^ZQ>FY8UEEd>XSf$_hDVxnSNa~e}MJm#EQ~vlBFzlYT3Nw%cZDo9IpP#fp
zTV@1G6!+DwmxA+_H(-X`N@+sudTh{qaIQ~yNdkyv33MtJHYU4B4x$R4T;;xdIfsZ^
zs9u|d+cDwyxc}l{S1n4@HB_(M)CTWCV`$qQgGzty3*yb#>q;EgsJXL6l4|~3?|km<
zXKY#rld^>69wH`n^dW4~2bAHhyJ^3Zr4nn0n8lwyK~eRvaPW&;KK4OZFQ6$8kjGdJ
zn6c8_1*_l4tf~#=e94lCtKOhaQlvJOf8pH`bj-{x5<k${AVlF<Z;UiZ>kS?$d!+9Z
z&~lXEO5!LMaM&kBKyE|<(Pb1khW$8DQHkI><)I`hta5lx(`~?g&n1$0bQi5T)g;se
zh&+x;+68)tXg#>`mXdbGG$7Bb-WlXj2#izxc$Oo{#bMc>q38{!jN+Pkf~#}}4T_3E
zw-<+ql9yi37ddaq$k*HYn94;QrNQkw)47`9J&EjCgj%l${!2zdh@o~ML}Vbd(6{7-
z3(gu80u_(@9-51Iv^|Ce6P$8b{p4t^jX(SF`f@)1aUx>V31N>ves#gs-p|2jWwtsG
zK{f2jAW>nzqQqU4ES+Stt3pu?Ke38)NF`K{N(g8~O&A*P_uOQ2&|Wz$4N^iH^c(%m
zv10S|t(q3KHCm^}lq!YlOt5VLTA5#t$XVxXr0#<1y#!-pOd{jKV~pByL>cBG)TtnZ
zJG1XKdPU0(`Z~bAX$#DwLXx4eF=B;r9EN@XLn`C=KvLOqAPy}iB>2hvfI8q!=nD++
zjPX5_j!4G-$fl7oFb)bKC<<fZ(#G`bDve>t)@aNO<kA_XaM0S<5^(|Vgb6jmF~vtt
z8lN-?#Wz7`P;BA{gZRkfBNr9l<aaF+sYq;pURd6y4%d<_s$&oorGcueE~+^D2WYGL
zGK}H<MgBvab7|$n>r8&Qi5O^wvK>w_R5rp3NcbE}b!W#0(PYNRq}wWU%Q^=c>D|#6
z)J9$ws8A7ILUBmB9eWVFA;(4;Dfys2RKuZ1=#T8;G#ixE*>@(0P$Ysz>$q!4xiw9Z
zFiFv!7!tC)fKW(^eS;?_Azy7sw$<%~cnB|9#~}Y~^~RKKv7Ri_G-Mw__fQS&?70l5
z4`2?+U~Zmzzz}2&tD3%#@N%~VAW&zT=Z{mweerBtUVJXn7PhP=Ie;Yth(vw`my1D$
z@{c8+N=b`!gP~X*&Jh81J9}Yh=NuIAyDhVB6LF?eYu1gIl#lZj2+QVD&TP7_R-w8a
zY!MEYd<YwfgU!8c*}dCDoZ0qQtQ#*V9~aRee9)-i*<fSSV1z4^AOh5WcVTEF01k5`
z(WW+1ge8l-G1Ubh6P1HPtynIGK^DB$3R(mp{`kW1g#g%)#Bvc^MOC01FDV~WC;r-*
zI~h9j)M%`IMg}yxVXK(g05`J%x^bQIF?C|rdJ!kk?z$4pu7$fYpwWpfQnLXzh$G$F
zCSvOwnm{)mQ9d#FLV_gMDmg}B5iTP3sC#^?V#vX@^c{URnz$AaEc6<RLvipP#Gc5p
zQAS2SsJj{pkGuZe2}H^reRwosg4Iuqf*1|~m8b;AMoDCpBcg`V<2b*&M_(ZJapJ0f
zQ%}LL3~!d<bkm>46k_KljylWz%yb`d${7<F9!V5JcP=0Eh|^*a2*9Q^;r0{}wL-ZV
z>;mrXZNF?cp0d+KS6ry3e4M92_=(1WI<vvM*kC|b%WXgdq@E&x4m%ck(@n(WLIRzF
zXq1ns5<e8rW+<IKN0#=63}|%S*6585a5E2}8!spyQzxFB{Q~DbLIX?aH7wGQ0S)Xr
zddCL1h-|c6?rb8?yonB2H?C7YF3LfW$r-29<r3wny91+6NY_3LxpRd5h;z4zIJ)f$
z@~bG!Ac-F@KacZ)u4qdbh?e_S1~fqGXEwk^+Pf_q(I(=|Q+U9-@sjd!Fu!MmGl4TF
zXv+yxQO;)!qdQuMNDuQ{FEBXhv-`HdMR*JWZ>*)5b2I(;0SU}SOu`kyd<tc|wW)u8
z-`&uxxTl)hy%ufcO73PJ?tT^dX(c{NF5)~~dohEWRFihoH~+^k%+L0poXWeOJ^eqg
z=x`B}*Z=%I+|QELFV249N?%W~Hy1G-iGmYq?tS8;TMOp*-N{xmgcP#Qaq!=pt_{em
zJ6S6UeFjMtIL!XgLI}~5mO|GshAsDr4|f)1`H4(~d)delOC0Vsgc?;}$twY6f>uV(
za+Z^vjc`ZF6PuzE@GQ3M<t(0fayI%7dmVOM3SEA8*He56)9fE_&6oBF$^-e}|Mcli
z@gME)<Nq|p-i6HfW<d-*nHUcPM}<@na=K!L>Odau%I87hXbM6*Dd<6aKgWIjV##d_
zT<siz+FK$}k^&rs5(V2N?VpTuRH`6up6XzFD~$h-%S7+#wjMvc{ZoH$Rze7^WvZ1=
zJb1`0a=EnzN{Xj`u2d+;syikog8|P)pmGjUNcJw-UxKe^p43{1gz%k69heFNgv3)9
zNnf`Uc$abagqvsee%f-{u3+#o;#Qi0b5T_8eyD5s+Gsa->0xhVY$Q4(zj|j~Zoguf
z-n4o!J9jMY5R(*$^7Eo|a(*BV2ZnQmpkew_fO?FaiHUwXkIY%RO`DTVY%SJ>m-t&D
z!{Kq$JYs9W<Qu)(v8a$1N(N*`#V*dg)f>`aZb-*(Ky*tn4XSv<q#Dlfptm_JjaYya
zMx4_G^21J~S=kM0+@WCe<2H~ZO_+ZSt7su9q|Io^U3SNu=RKO2XYz!(YKQ@#0CHti
zikvxVuom;e^)Ljk0mNoZAf?8psi#+IRmfwx>OJQsnI47ckuwI>jznN4n!nr?RIipp
z2;5Vt`rkxU^fJNHNb^$cz%MA-1XRl+pM9~DdIT+02p=s8QBq)&7-*9WNTiC%L1M7J
zOBTN{exN4ms|gEChZ5+(t@!@oTlU=_j+#c+O?1YVJvW$_g}c7D_Ox`KaRM^})CoXq
zHX1kkU5*wQm<vJ;BvOQo33=%!r4xr*V(Zbgjsi~Uo&62KOOM!6D9;imna+g$Y$AlH
zEjjHJG%aU6Gu>+HU~L*C0}4hHrE6qu9A!+1a}E@57)Ji3V9jZb1?jk^4EV*tAuzlZ
zkcon8RRF^qq)X7JI|jr-K#1XzAKP(LFfPYsq?^$gU0|zHuc4&uw<!)Tam0ZaM;p`7
zp{$nJ_Be8h0~rT1#2cj(e^CFGaOo3*+})tK!`Jt-C@x{rD*BQ=I)b1;eFFdCZ#G0c
zPWmU*Pac(Ldv(DiHR3#LN)T_^g3Y(S2oDQV9(7{pBwz&p2u*G3U?;!<Q4j@kEs4y~
zOW9HcG>(sKhz!^nt;B$6(1bs!baGFuQ5>n7LicgP;U6wqgpy-~2_hq!q_KZz7jL}v
z(>GOk_VHPHd$kw$p5^n+E|AcJ@^C0%%WDEBTVde#|HM0d&>fC%Fl*;}`vr`dOMKcq
zZtA2nagt!0!vUnLv@WFW#1O#k2<?V_xmst)i0FZXF$&6^Qrr@V9IaYI@;wfWNWZfw
zWG=+X#2j)jN6UvOw=(fAq#+RwWT#O|B_uwaEgHB1m(DTo$}EtW-wEf_tr^Gb4fWv9
zGu6>+ap7t!GYX^bIx|fG{zf}a0=++odqFcRDdFaE=cF+31n+~SC#MkiQ2y}XDc!F9
zm~<r|nY@f3gFX6<e5NklIKA9lEBs)$?y>Utb3qG0lmN;MfY9=v+_aduB_I@}4CRj%
zZsq$SQg!LLklbU(I(ht98Laa${Z)_nDpTd->Cnsa$WQk#M-(<TvdLQ$zs5-lmZ&Uz
z_!oMc|D8y^{f+N=_2*A~<6rw|t3OuB0Br?Z&La*%iJ$6EKZuLoi=Bwx{KwyuZ!M|b
zXGH4Xx4CJ5=_0<Au6J9P&R>n<m$7bL8WQTYb}4Z#g%3@jOr$x&zqOW%>RarL$P`~z
z6c-2)5bfl(4}l7z9E@lit;E~b;f_>?gQMa9r~U#h=yUkl6zCSn0(wDa3mOUK`BF`W
zv}t(THahHu&S&mo`szjVu30^p;J=_MR^?X)+urcPv-Ue%X!j{+CNQdswO0`+e*8%b
zgB3WnZI=<uIG6X0nn6)@7gZ^Ra!hs6?7-jnn9$vwKWwptNC(TmHm(Z4ZZ0o#lUF%8
zei3JsXUjQ(=<{q@5ax<IznLawP0Db7X5%HqraLpdiA;<1&G~hurv7O>_LqH`c1xUF
z^OXPeCwWj)PHm!fm^6=KjsAF{*!qSSATo}#f*`2I#bYa_F<46Sq=uM{-?|+GG9#o_
z(tuKvLNRJ+m$c3r#0g14!=!gqAhMBs12n+-|M236>1WTUX)&FTKU!{byq<r#rDUiM
z&fm(J5UZrw1m<TvW00o1)Vxue<uDdmpYu$2glUQ$pK5JsgWGidru0iYA&{48kLe=5
z4db#b1lsq#-6GX5+p%>;JeKIG@B8HRP!hQdY_p1SS(XOU{r!FSHlz@TU^HQ&@Kj)A
zpT9nRO}uDICw4Zq;2A2{yEqKN;~EYVT&PGx_Rzo#ejnj+QyUlA0HIs4VU@szkCqA9
zhJs-YQK;&G5WzFe1S5hv5$V+@SjExrDFrZ|d8sS~=egjz<NP_$FnJwI(Ug*g2XZh$
zED%BTrv`<{#59D=LP;R=HCY~<Qa*t_JaOUOm$}g=*#E$Eciw9jlGf-zq+&UZ8e#A0
zEqRZ-drsp$NqNtMQHb~S0O&oG6ddHX-8=TvOdxM(auaT3jMOf+=<%`fh)h#20S71m
zq;BTOE)k6~ZF8sY1>pErFn?ViLStdsTXlB3uOcUxj6aGaTBw_(P)K56D~;{-s!d%7
zB_#2c?bo7!H4ZT)bM0jwu^LZn2>{B#-OTI;HZa!iYDxtU8z&W36m0)aC{`hMrenJ-
z70}mn#K$ue_6XpLPIV!r<a8^0|M>VjkRzxJ(^%txT$kr4JS7GY$CORUi`D5~7T8a=
z#-Jxb>=BqHP+Dyo2TDo}tWbkp`1xAF*Hi3iY>PFLGPa!}<Ynyd&2g;5y{dw9+6ret
zn9B2z_y8+KlX>&`Pz%MF3}~gG-8ciTzZFWI2q5eRb?kc8M)9F|O|I*x0>o^>%($?s
z`i=p20)SfHXEA01;;iQS-70jdci7SN8s@O?5~F4(boyr+QT=MzaL9`c%%<V-*nMDt
z7Yj$+gc6=eC<GCr1QnA4Jb8+pL7JUIV(ugY5}&mbYNuQCyi9#GF3}YY&5F|PZf+^s
zKG_$Gfc3@*Oi+2@lV4@^$ZdlXC}X;@!IongO>3Kl1VZh!R`B&*5rmtlfD<vR+gLfF
zjW)FKazRfX?_KI=EI|&wt}=*Bgn^0>WIVVS*QJ1>onK^^0-5n6vjoKC1jsoU1I<9I
zLiB{B-{SD#|7m*j#WUpXz)5^J2xk511w0tNYJuCy4q+NVmGfI2s{oZG?4BY4m?C$=
zYls+!OqP*@xj`T*Nyi$*%UY#H0YD2K8}dH$fd%z&n8pZ02jV}Z=1DgJ1%{U5j|xlm
zIcUYQ1Ic;!VfdXZ%~SCdm^M7X$y)zT;Co;8G6qOoV)t(ed0Vp0_)kkn^?vAAku*d~
zn+U_hJs%APn0X~EwZj`o{RirsU2X7B_y`nP6;u~)!mB%<UAxJv_)>_=i&!GjZQCTb
ztz4|?SIex8AUm;r6dCr}f$$(Y?yeaON`wBL%rv~>0_!U{c;h+v$p#~x?2+a07`6Dq
z1JS_?$65$2svbnP4x?1mAR{cOX6>Vq7JlAFMTT45j9~}#vAeuV;WI=+E0Yc{;dQk!
zz{IiNiEWvRsaj;FOInXuVJ9N=Q%OBjtlAs|BJco&_Eac30QOx^6!nL_CSVrGCJkW!
zL493z2H0w|b4~^89WiVY<$~3H+2NpKUAH?@cRPoQL?{TCXcc%G@Vr}*)ITgo>WPR`
zE)5v%It-5*|8T|!8AbTDerbm}W9f{+OXvl8l!gJJj}(_mA-Wbu@T?;n2H<x=Z%LhF
z^U>qEh(KR!zf<99n%dB{v_|_~6t98~>9q_<T!RCQ8@hkd?{Wi-Av1ov%K+_wpU5iq
z55enUN+-Z2kbE(eXT8Fm{7EE)RND0cCV{0CT&CjKP!5g!MeoI3PFwklSi^35lIAZJ
zfEni_>LzK)E3~a1h{NWINQjkV*xLrV!T}=MIC`umzS7GCFq0Iip)Sn1u-c<_CvC}b
z1e#<r0gT1fDC2UcHmQIhwjvPQCAs3bkjvNm{~iEKaAX>P_{;x(08~3uNqE@uH5|aw
zd-(W80$}6g4AL6M5ciIH<mEsFN~*Wdt2T%QsI(V(uds*g^<N$OU72K5?alEOhOjOV
zOzqcJc(Xr@DQDe<mm^t0w6o8PHi!gti%<`Dll^g;e&+IOHxwd^W<)`AeMO;P9uQ)x
z(9ls^yG|c~lpO?_qcTF;ch6e!)Xp#7CKq0+>0R_K+*`Tp@(taa<EIE5ptAdQ_Mb2K
zXRhSh;=GEzJ^Q`vO$*~)R~~Ch1Za)1^{_Od0Kv8a0jM!Ickm#Vk1^Q$ujOE=Rcx?y
z0zad(F-itdV@}ubUO!U(BCQwg@L?0BYhydgH*lL8-yLRrn9Qg|51YNS`SIE9f5@wG
z5tSELYp!xg01D~^k9%=3ch<ervh#&1gLI<rmsXJ-?@6LE@5y-Tujlg#7Ah7c)Fya~
z0PZ*pyh{S_(%`nnco@JlN4>D6S|L10KXsoe%2Udcshw@K7wK~cC2+clf!#%Q=5jx@
zX3?FNUi3dBe9-ovB1K#~BbxOOi0hUlT+-ot4U0<~)NzqBjrDmabIk*e6l1M*3Q+k>
zDyW9(I_9nLSRCt^Bzv_i9FADdy5KqQc3nnoXq8_`TjAN!7{^3>Hk;joa)ryDbSl+6
zHfC8+Sj&l5hAJkqeZngoSzG%8mNJLV!nqsgm;|Y1Hg&;Klf~q&3rtlgC~Uj~1&sHU
zGYlwKC@wKmxAgWmDHCS14`p*CxNYv17tra5MwcoCJ$&zcq+?S2R{O-akTkTDFtgtt
zFWkyV8sSN4v}4jNM?@<Jd<5iB#B?Lhy2#k_*aO;<I3{CmkNGC|olI@ReXfVc<*|-Q
zGG6Uj81*e1GXmL(Y}=zKE77Lyt34wyPOtSkq?8Lo>DSsdVGr=mAcIy;v7!z|e2KPC
z2rs@4crN;H$Hm`oc0#aGww$%;k!CTLZk0o~FAN7rfp@&G*~k6Ni6($zZuvBcg6%|b
z!54r9COm-FCRb+6$0OxH16P0&nq#69lO_X8>?`0i4=@{R{?!IlO)&?xj7?^iut`2c
zC0SaloCLfD#&IQX@RV#MqAfL8Zv{7soL4tv3O6f|1C!*w$f`g7qVY6{T}wkJDhiCX
z8eq_!L@U@r8oq%8{U}8Ma`h506MUjf!PX)`4#j}G7;u*a^P1UnmK=NlbIYfZ%AW)k
z3|j6~2iypq@)I`2C(ETi+F97xJvj#glQbeP%JJ%wkv%Ntg@5G=3a!x7GwQU-E-+?_
zrfN3ZT@|&i7<JB#&NJFpZDDOI+1=gSH?SAA@WUOZMeTQ@zq+oMD%Hfp3K(@Kosl&W
z%6*8>8dNK;>+hf8e+h@2E!g(wtJl}r{x!-R<_ypbW;S~WMvpfvI3>>YPZOT9)`n?2
zqOx9A!RS(<_`*>sDCY6w?gn~wPdwgC_s(-*{rm&I=I`$wf|*8U_EkO#rc^gbhw9<Q
zN7Y3Nsex$cLYVzi@mq(Xh*)G1da&Lg?;=o}v^!G@Llt{CA)sB7<a)zbO+rx<!KOFA
z#Zxq-Lx}0j@?chK6LI9e<X!v;@7o<QaA1&HIqzE!5eO)Yl$+oA8mOCdw4hxR<v~-;
z2I_Fp*ZAA`s7;geV?+gFJF{c**!jcMga(16-}&1rYip+9Fx=$ztKhy8)isK}Q=D9Z
z_G#J)uOeua$LI=UKwW!9U^9>JOq&Me`UCJIUmQL!w_|xi=Iz@LW<YC4v$orql_^?>
z)3eg3cJcD)y#y8-uM*K?-?u<$#$d%hFAAbSvCJ2oc90UGOSS&iSN`dX-E&iCqLGQo
z-`d;KMc$ZTR{kW8BSGmNWm%M>;oz+i!Ta;oPr&TBgRH;v;d@U*0miKYqaNCi9`NS*
z3g9ma8$#Tt*tcFBJ|lw7?OF_4XgJ1L78<MTZ<oCHXg-7Rv(krghISoWe!e9`2jzJ&
zhK<+cu(Lv&E7c)w%MEFYcp-i+ZcREvX;Jr!*q#wDh4B{RXPD^A!o|sn7_VQH1QOXH
zg;bmTGUjLju31Z2a5M}{q;JhxLBF0J4IhOQr;mF=eOtmU+jV7_B3qL?ZXRy)4ECW9
ztBw6EyYUj;J$pYy{Xocdu&q4zVljO0;v?Wv+oh-kl|u)_rE42QE&A}{BpR;ne>E7W
zb^vL1Utegp6AdPb#>tfzmrrERGkx5EYN)f(Z|)?+-c_do`kUwXy~eqw{UlFvT}=x$
zm<yz-d`l{MlNU^vENkbXg53JkoIqa|<iRvsqLK?%g3-7$ZYh7SVb}VrzzbOlZU5d-
zYdGg-MkTlT0|If|IDL2`_Wqym0rZ;<1?50}|JIbQ8)6LlMfl0$#b6axjc$4(=1!Qo
z0Eq~Js)#wMltKdP^*O*6@DUNv2za(gotjftmBgYeQ?oQ0A`uZH90RIL*`{gQ@TY-Z
z0sRGr0lfmc-IRpIjF99a2o(^K0LI)Hgc>P$?7FUP0@beo&k+H=LfBN8EQDlcK?F2P
zNI^zp)Kf~XJO-mgHFszHqd<QQ=zBmvf^w`3vo|S<s&!r4wgC`gx2X|Eh$JE@1b4u*
zfGyDX0WSgF5CM&V5wIx&AaSkCc-8j3ib!ZjQr26_Y-8ZfomS@7z6U5k-vzvlPyzZ8
zX>In4UcFv-bh#bvym+Mb`+XC_-N2fFnp7<j=647o!?UyGeaM~#@P`4cH2_!ur0shJ
zeiUTMyk4(+@ANgRsCDD6PnnRBJ56($uC1VUJB8yo)r0XF1max;;&(%~K_J!vfRYeG
zN)VTR0|-P!MEJo-aZStfJP+ZXI1^A4Vv6vuf)H{w`1o%{Gkr%>h;>nzBa=dWa-x7T
zQ?k{>3%jZgN~BDO4WpJH;yB~)A7V$n*~;RjJ8?-+kQ1M<vjsHHGzIF=c^Zmp#H{P+
zJy#I7x<?rjp<U=MOx^1;I~yCC=kbg)0mor9Hg;$95>dwB8Qt~!gr`&S9|ii0KtF0;
zb_T^<gTQ73)u2bS$XWXt>P39PJF;Z0Iv!v#B4A0Tstg2_wL|HA%U(9@c_C&NgQ7fG
zEBSic&l+<yp>ai2EvOK14hTk7%~DEMqfj8xxKsy<W+GxeApsyDZDf-^HgHge)U%P?
zl3Q4E_*-2^*WXKv+GZ9IYo$!E-WC>xqJz-3PSc#bosvV#_tp!ucvURhU+X#+3&B|y
zc0(+-Z5xnhg{-p7(^MtOjtFG&WA2m*M45SLe)sF3Zo(ULBWHakcNx(#H)693?`V}t
ztwA<Ft}!t%&_Oo=gDBk<l40e>v_+6LDq&P+bnF8dU{T%0U~e*wB^Tf>ORr%qkde==
zS$yiE?MW`kec7`G+jK~+<8ghQ`DuLcA`X#*@+S<OGe+<m9ZbZ6aZ!1Y^lsaWc}OXk
z=!pRlD`z~>#$^+7acdKLU}O*+fC|}~2NNosc^hhU=nkKV(dLJau+3*JApMz?Ue=9g
z7YOG`oMg<HD1=<;h`$H)^Nc0_80^Po#?U~YW8e2pP=dIgd+@edbN;4}#%X4y#ol&;
z*Q#-s@--*?N#3=OZB$IT6x0LQkI|%8MK0yehKDz-0&a#KWvV;-?f4$1^E&5tT{3LG
z(kZQxk$YZtfx`WN;bM0J%qU_|Oe!EVLBudtp@Moetc#espk_$=XbaiF1PH}IL}Q-R
zWi`UwfS9SCDvm|v3JFS5=FQC1v&XNawaoLp%oVy&IESw5S|E#xfCb6T_hnfsM#njP
z59k%pUnD?pG0P`K$}r5!JkRC23$ogwYrD}Hkr<;1k3sZ{i(<K4mg@IGKL-6}pjUu`
zREu(|s(?)~eLK(dOhHnnvR!pu*YQYJ`G$mK3^X!x4Qli~pzi`+2l`$Jr~^#^>r||+
zli)JX^K#vF?cGkAy3r7VVFtp{8e$7=+cpmLhY@-QFlhx+Rnd?4rOZUMA=0}FVd;ip
zH~>-;1kA*4{h=&N?$9p*5Y#i{+6uc8qC_Gd1}#B$g_BpooC-z3s>V1xqm@X&c_H&5
zQ?Vj6w#iM6!QEyUBHp8WZAFxhu<q-|pl#nOoZY8f5fSa(-vs&|D^zXp4;OI>aTrc|
zg<}!7dfxW}C)MrDyskV3s`?PD`9i-0IFs3gjnmG-B>zz1={0cmbRpkvudog~GvJRS
zDuHq@sxhQti~C(exZVf%Ht#_;a_T+eRDM<*Y%2}9=V2(PysbUITCh&v2&o;z%R%MR
zI;<$d1)h-+&;fl1p)IPv27LQ18Uw&2^pAjz-#}mp<uT_>5~9uyFam(E%3xKS?62F#
z?hBT9Od1s0$f*Hd&l^Bu%FL8f&=V*3G#Y}me=UHcX(OS85cK<ir$NDd0SBKu4t}ib
z3Lf8C)}*h{oA{Ex8}>MSx3BQs-qcs8dda<)faB$+swj7YgV*cq#*as~t`AZB&O|+K
z3`FpoL8PP96wz2M**BPvGo{!mR;Cd%Pn|=AGDub~#EttU`0<HmY!}Kp@$N##XMQz4
zgyw>_tA#h0ORT(AI(40hS*i0$A}&IS@!831XyAAi6Xo?{I$MOAahJMIYrEQqbm(by
zp1fFMSpGetjaeG!(MZN7a_+Y#b`S!Uu_%O3J7bzL>oP@+UN|vWRb&PGB~?50h<8h`
zQXAXclB6n5%{zs~IYbrPlC@EAM#ks%zU{H@DwgGL>@U`SK?-fl+K7`(TvsgX+P5P!
zu~B}Ux!fL6(TwZdsjdZ*7ErE>y*bm!z1-@xXFp~2?_8a8A(JUmq<!&RiPK)DsLMWD
z-aliGiZtDU?Q+L2r-1;AA@En{uRr@!`E$SH{)}rnrOyM3Z5w<DYP+k#y0(2kCc9sd
zlg0?$|AVBUfBBUtR>FGOxHb>ixC_nH==_2n@EP}>OQX({#ne93#-}t7q&T^KZe{OQ
zs`aW3)8;)YwHgj_(r`ogs|>`KqbO4ow$@lp0@sKn;->5(M6CAJg`!oQr>i7&7s}66
z6I<0x?n!fZ*RNL;4hWuh+V8j5)DeYsrko9PD$?htxwNwe@h^Ga=Tl>lEj`zQ_*CX|
zD=w>fkYXm!lLx0a(fw4#5qlO0RkLQ4H@v^^dec;2r>0n7?eM-%n&{V?3$Z?ut>#Vz
z`RQ<o-Fbq9FA@=vR6wuLq|#sHj_LZg5%IL%*IJT;XK8d$>^@x{wtL*Lxz#*K3A5+s
z&YS0p>eDTWJ(YcZl<aORl$*W$K_a-$*Ig63*K5-uwgq0Zw|k=;dJk<TUPN(`v(9B{
zbv@*^&X>ujmD@d`3Vf>Y39LNwqT`o>peHmp;-a2}u+r?fp#&t#>WYZ<0aK7;%!xpz
zu1F&hZYAIdhvPxjC~GAm=;a?f>3|U{FB$g7wmV~^4Ypq7WcW?<!>p`GRqJ&`TwlbL
z`0Tl1k4xl3NVf5CO^H)ZNGf@^$JJ`rU=Ye`3ZNEwtGNT$qO2{CO1xQ&*dyDK^b6)N
z>=IAu5h6A3^vF_?kA_g>l2*Z~6A}EPE`;B8B=vvDAIQeUDVkzpZU_-5w|7=cvBe|{
zsgy#at{6Xd7H$jrtX)%eGM03u&||ywtA;SY7+eW{%@$CTl{kNB$KDSXYRaHUN;x~e
zQ<l3;E2;*02+ji8tKx>#UQ^#f<VIHof|S2#)(0d=O#4w&^>XG)@CFpDOQ<RNvQ7@y
z0@O14SBdDWMiL&tOTwHe3bQ}UzejPv4@qeBqqRh1Jj#dBqaG~v?uej)(psXj-S0E*
z3RRQ8o3gm9;QU-`&>U_6QEidga)6Z()`A07L-SN@c26J8?WbFecKmPk<qN_c>Eozc
z%r^Kej2VDguclJEK70sZQgs4fHHB@<0A4~+Gv6aLO$Liy)Q*oiNc$j>7IZ@xEBY^@
z+^u3L)WDT&q0!`WFnpiE8b**TYQ_?|Oes^pKx`d-))dM)2{X!=f;fC3TSr^rW+(pj
zfAR?keAuJpcxJiwiLWKv5?FD?)4Ahf-VklXR8w>ytdGnJ1t~xgsJ!f{dP0&zQs`PT
zye^N;-c#5XFpe;>AKIN>h*jBF5mGHs;J7ZCFwYdH<3tG_vlUIHN3<xvt^lH<7YsVS
zR4b=n<^ZJufH;zQ3eJe=6JtPc;hIt(Zt6_sUGogo>5$Q#TrZ!jS~ZVOq$a_*BpZ^t
zvg@(IhudlixHu+7P53cO_qY>4_mFQh4SC6yzt&*9T8!^twqsiWh{Fe&Ap5)wfvYmO
z6i5tq?v#OS8H<ZJj*0cO;a-pP!W((skn*l-F=m=LAX*#(>1EA9wG?s~h7{FeO7VPK
zD!Ip$f@xu31}u*y)=CC3biWYcaPc`EMBp0Rw3bH~niVz;3=vXyy#%hz<Rm*fc?4Ac
z)s>QknD$4dX*@T|Iu;4Gqb#H?!Rs}OYBalpfD<DBdPp!hq|&7zMFgkvj<&v<l9KIQ
zwIwz3Tw2)g1v1@MOuADN@V#UZmo@E8PpCdk1rva$O4^<Z(R_K)QKnZrqD2V>8=-*G
zX@@u{8Kk5uay=va&DIrA5q$vDnRCozp%}4?6i{M3C<qV}Om15pu^GXau50YTF4)}C
z2Cie*6yN_KoP}AWTj>f*M>4_#*$d{1UOq4wrQzB@eJ5zgiqt1==hLJ7+M*!7CK-A3
z9}){Weu>8@iZd-cSNwl24?g#?-F**Qd>YES5UqWr2Jz;QEt;@t{W2W1KN_&shN$9$
z6z^%#UgBUO5Q0$D_c5hN5%5otcDCQ6w2`KDL{X}Vzf92(cV4p4baCvR(|)$*^vj~)
z`ii{|o0Jc19%*#WU#Qg0d5vWkZCRb4CqqcnEEKx^%hbh1J)uheEnX6br=<a#_4IgY
z`5Xq^v6vE3{f2E3OC5a}uj*%X>S%a;vf}-LLzA6Z3@EQkJMn)6HaT67k@Id!A^6jF
zhUF6dj$Tj6n_gC;q3m;KUo8Vpe5{3BTc2hggX9^);iHvCR<tR2wPUJsnVDrqKdn^L
zX5q8P7K9Mrzr$OwQ-2T0n$^<h^0$2jN%`e~lxm3YTa#>^w^NRKwX5PG5=0nMuO1^w
zP}*U6HwV1B79lh!o~0ijE^`IpXQ{>fl0-kvcbLeogPeC5h{sGc=-Gj`X{jl8Y1Z&4
z1x(0H#GZsWZK=3~vr1C(RRv}9<VL1>38^65#6HxjDaVz~WMbm0q{q9PZZpR8<9GkK
zy-!mt_0xDq)+HS1Sh5J#Cc!RuZN4LIYULQ7d8x&Hsl0Vr7L5eP?DgzoAi_Fo7(F2N
zcH5TA%|_kyy<}XLWxl7&r7d=fAi88AY8GtjUVwy*>@)d;o#^L!<i`?FFgI{UOk4iM
zAS#Y(EJXuzZLkzXbPJIP(B1KEI4-=;j_>MvFV*U1ZIU6@xR9XTSrwIa{=BU%MLo6i
z(^HVmwm&dcwhKs@gHm|fXGy48%}+Z&*cOLBZF&b;`y}D(-tkAPP8|+iT=I01pHnsd
ziOA<-(Aw2%boI20<+y}|h8b#8hU`GrSRF&{dWV7$x7%?H*6ErCxl(N)CZT$oHmF&|
z6XE6jyMySx-x{j|3#7K?5#wauq<p5K*i`zyuo|Ew`O@N*+d2eXE_ARsKkoy|f^gPZ
z;S+WuRb2h};^Omn{kpI-;s_rY<A1*(2$f~+P=VZalY!N<Z}~sazs}dinY+lBcN&AV
zGMqZrfi<P8Vz3{@MX-)X8E)JD;Zh==aF%ZHU<GFvMRDyqE4Wh<gSO*3@>xT^sO@1S
z?4}siFi6%jVnuQD(2;VMAQIcrM>}$Vg&19J1s2@YTeslbxET&9S9Y=qbV7WKho~}#
z;I71l<hU1A4~~#eoqA;O;;~U{PfehhDUE{o32@Zqj`EBerv4rSCnO2R$4W{Br*N{7
z_|6hAwt~%r*>kmPF^?7%L!4~NiBMS{+Ff)mqQ~TEMd+b?Ivng+o*^l3mm}WuiSzRv
zk*&TA(N(yK&?st{%EjDn7HVi7LmY-m3F4M|9;IdajBod)ky2Do?ZRoGrTqUTOeu6S
za@F29Ki&`&8(cauWWZ?hI~xRd<<nLMh!g^Y>Zr|Jbx?SnQLGgiPzW|jC#|8Qv;)w5
z2u>y$;rT^Ik~C7%0@5%jso|M5_ar$&!4%eWmU0;fn(CLLREtLSo?c=Y*p9szYD^3x
znmoK*{eta=0a)w%wTI^XoT)2xv;hp=^Ob6}Dfqs+xLCDjd+3m4SVp|2-a}bSE@?kh
z&!wXV+8$$sR`{=JBXA40kpZLIO_ElTgEe~vTQ+-68GCD(k@Gqh*VdL;?g6YN01GCh
zFW}0O3e2~%juEKBhD@iH0O%undk05Uu7Fu~y!}uqeUWNlJo8CHlXy-N{x(6&?*H79
zy<z?z6=&7nW0)5&zVGR=YOs)nXFVs+fs<spZ8w`^*4ZN)8Dm5zdiPl<SJ9?0gy@2n
zZ?(4`4s{qFjU}o?_mZYV)I_bO`RmQ})1g3hi6s%JT8d%6%MnW@u}l;(57HWuvYLQ`
zu-!Sdy$-8lx*Yym3#jktnby&I=Hj03_Aa?Fg}t+oD}CYgJ%u)uQEt~7m0{+F^RBQ|
zu-aRY*t^L9d<uGK-yL}NRTnPyP(4c$yu8IE$NQbROoh^gR#0)rDWCZmZ`K7qW2!>G
zEi>RvRCaLOv}Ni0sH&yOF<1ZHtJ_0Kf`w~RVJuN(enR3X@vrb)&$$XUs-O3b5D?2M
zfU*><PC^D0G6d8C%*7%$3)vY+E`*wN{I&v?#=tuOUZ7ebjv)r3pgHIhnSW^%yGTmu
zu^NS_9sgGDtUZ(XJS`(}fYKxlsI>PhpkL1U*BHZ8Yfbe<trOkfzWO@ez4&xBSi~(a
z$SzHiN@H;F*0Nj~6W^apidIBIU=ICGje1g~R%X1cC~fXpj3&Kk>sCO?Vh{<0vyPd2
zUlYt0d8CXnLyA43t4&#xrOJzxowqLC!C_XR1>a^WCK!<5xw_`CRPy((i8Gqw9+N(M
zkQpa%Eh_E<l@g*f`Vw7~RJV+t;oJyaNQ7Z0N1;8G=UHL}MXim0Eyaoa*w|Vm0l~+l
z*4E0*Jm3>D&Gip-jZ8O-Hv`_&m{71{N(%Dq(iiZvXc;m24Y7qDcb(7Jo_!-#jbvGg
zzVT{9$MgO{bGYB^$0anuRp?=_WEP1+_;Wxv!oc4=@~#E)8+Wr|kWu~RJ+J**VEWUY
z-H0WP<S2NU2q|82p4wF^XH_ApF=gOP1o4F8mfeIIM^yVtRlN+eHN^rp5~%bvc-(%G
z5NYVwdEdo$9n7?C_<sIl8O1>*yZYpi_EK6CRt2-GeCGr~+S0(<ZxDJ+G+|>NY)-ec
zFlsTE&6vpzR5mgtf;hw%ZIeD<p!cJz=~PFj=|^kP0{6Wgw{2Ytvjt@Gjk(ruI-<`b
zX;s-)q-|(paDnww9gzIjZuRgeP3kjMNkO)qUt^b^h;&2m$8A|EvqtrWxjtdRWz~LY
zBE)rC3e!kT{_fNhQs(%g;gIOm1TQ5ZQK)sj1f!G<;h_`52&3eqRNY1?M!-i)NSh$g
z3*}2M?EmAa1&8)J$WdK_u@-8fwrafxPOnhlpy<ij-%r9#&!J9v{9sHN-R+cr+dr_Z
zdX+Obz*(=7YrL!6%4J}tNvW={qSE$KcFZ27x|J3M(cU!QSuO+q0WpC|IGYCxo+1!d
z0jA**&_MvIc^RINj}xy_rHHV7)QtZO7?@_o@8S*jYu%tCS?E|>Q|1d*c8{lum~M5#
z>sl<mkv{aK=x(%v2ROo6HAR;SIX~FkS}n|{%`L!I?V2jXG^t81rsPJ)LW*>YYM~ZP
zE6bqF7Ia#ZDvmN{o&3;9Heb&m5rrGw6eg1>%Zh8Nba{Q?iJXs{`I6CjlQCuW(T7O{
zf0Ews*8cK!rO>a`)$-;mb(!8xhq2F(N27$QgFQ!cd)cfXwize8tQCTtUJQPMgtjz-
zGH8jpyNq&RHq??KE5xrIELc}*0@3g?K9W~NdI#g+H`Tssrzj9F8`h!58#J1J^-!H9
zD^?yeg2UW)-Fpq}c{d6)->B3pBI!jElUBN=<CxS(4xS^^8m%83HQelj_r|uT4uQz7
zdcMoYyI?8-%!DIY9RPLnWL8dnyNPmd{JTCzO=-I=rH}DUnN=El6QNiTqkjy9=r=Cb
zipr%5u{+*QN__0o@=k<9F|sBiFFaSS{6xIh$ym|}WXQd%f&7vhatL8oeV+usds*b~
zhhP84PvwmJ{A){#NgZBEvq<X<-7Hdrex%)y-phSGb*s6=yykmchF1#mPdxXo{@`_l
z;0J48tF67{Gie&{VUr%`lW80q#Vc|&<oJ)>yL7a|fo%sKFyz<}Kzr)3z>zuCAch^3
zd8!D2T?$Y()R*G7=gHWWSos{i{I281QUsa`aGz8p06B1pgViZ9Y8GxUSo7JiTq)kr
zO1cojBK*TCv1LIfCB3gS+A5Mzw=i4OMip7Zw0{d6wpzGHf?0?Ij#6q;h{jkP<DBJ*
zqa<|%D`HGOMRoDYt?U&Qs;D6xDec7Ojg;y*_lfZvjg6XEq1Y)+xmRKlT?KF8tpRWi
zXseiBYw}c?OihKViXkkjLae8CZf>^)qD|u722DsSzw2U{UGaBIr!1^ECB*19EHb_B
zB?OYHQ83EHZ9xzk@FLIOKrrAqbJp*WO)CRYu})|;_25p#ds(nyhajL&xRQslMglM^
z(UZlls4mk|A$80o#6pBD!nFY1z&#rI$i1zitR5o9W>b<M<(uiw%$}`2j10@p87m^D
zoziu@-y-x1lhj&)4A+QY!NMNFohhL2-pY<Qp2ds`owBm{cZiH~k;yl<-8oKDOhC5M
z+cKL1`e4F)gCx8tZ8Rrh9oA~tTlLVGT!c3)Dx}leuSg{li%bAU5i^!)a|N(cb{aT%
zc~FWG!GkHq@pKHe9w*Ag;+q>6B?B;K-cEb>v3Q2y>qZ@Moo`xyiw2h}>hM#v_0VPY
zAN#sTDIWJiTIrZ#Ov>8@q&2f#*#&~93Gl%E>xn?Z<!EgUXE#$x03ye7oemnCEfvj}
zc1{H|4(++*ccr0WRh5*U=q`GJAY)k&1W}>!bhsK|IFC*bgja(@H@}gCZ_7QaPQEGe
z4*LzLt)&|wRYC>SicUCAm>oAn$hQNPpfG(+23f{L8OOt`3He+R@~3@Ov=wY<TtZgT
zVxB~MLmehEcu8s`-{*9L*~S}1*x>L~;q0>kdWaAibCSJ;U4VD-t}t)#E(!P?p5PMK
zMv=#8O$N#c19rL|){}8}-O3bobS2;Z+fdVP$N9~?$oXVcxgQ0Aql1$Ybp%D_on3^A
zDq4xvm(i1KeUfbc$ge^A<%Y+=bhn{Pll|F4D{xxYlAGt@31e5^IoQd~=0E*pC;z((
z`Sy=N^5By$DN6Gpp*;xtYcQh<-4sm`|8gZVCpf10`WrA9m8PE5MdFKWsL!Fgr*Lty
zUPkecc(AR{=Bi1HgqN#{J5a%@kj`YeW=jCar6D&U$z&v16PE{C0$dhG0vSn08i|Of
z3IBYQYxj>DpWpTej3XXw<0L4ycO;=-LO1Kf<#$%=^ZNzK)D@!v_4GE_vm785Q&OU1
zq$ShWYWrDn<1KewqHk5pm!W#4do{5&jX7^3+1jZh7*Jdyyi*_-qjQ9W1xEI`Pj;5(
zS(kWnqc6iUZWd6!Ay1$8`iNB%hQQ>h6XsVM&cTIoax3;14&m=BA!P9$%vRs0LU1^-
z!}l{{ojh@WDE^;;?;*DAAA|EKHhU{N-9|O^@1Al#^hB_p)U7=N+~b$N=QFVAdH9iE
z_UwTt?sw;-JHGX$dkfv#0a0blmk&1&B6&4$!0X<FBG2dvczn=9ZrY!EXfAH=;K040
z6L_&8ImV1zKo8MK`IF2pf}ke!&dehk{<yjs91c6EQ6Z_jTjbNahmVU(zkYxw+3PqO
zB3f+r9*xsxPrfTWe(SeO$;Zd(`~RoUc43&CTh)9JSLQHMKN3JU&dxdOP^kt?f07FD
zzMkSV^jzRYfW00(EcW=|dV;d<iGh2Pr0=Q2rdYeT9|!R6Gz^BQBu<fn^Hhj}C}2TE
zLD=~O4iz4x!T^pKutWiDK!;Rlv|&?}?3aZrj=9JGMxWmxjs3VZM!qUYby;Um55z|6
z?0jpIH@RHwxJ!hJ&v(&iIZ8>QKq`iWERf=`$P0nu@$J;=z2cJ_<5>vuVl(f}w(y(L
zA<Yf&=O~AVYdYwfW-9b>Qcflu6`0w*O}q3}8@Yr?UM&lK(vP=_p&(9fio#oY`Ebzc
z%SQ3d;wH0o(mR*clRoJaxB_FlvTJk{P29sZ>#PuJ=F2GOcs$cCVdKMe4c2efUcF{J
z4nm}<SK4%7Ql)e?Y-|`JW?Sw%QlmB#gkLCWZ_nMD7J-*=S+|;vCEj)-gR$|fel=dJ
zi!3605=JpPHt?}Vk?8_k$6XG@0%7|;bnjCDbsg!H){%x>z^SGL#t!O1V>v*7@UdrS
zEtK7v&<Cnk$~R%d<F=?&S}Mp;IpV$`8FzlDM<FKrRxLI3_d(6wM!r`IEY$BB+v-$j
zO`AB)WGE&%;7<?CGSzg=0Uua0U_2wMW|~!neJ|`I=i0{-Hm$2(v)K%i$J0{Ou6~Vs
zz&@4zctv3SeEm}-JW5Z1kC3|y^EW_R1H^t<LV7Wa@Ej)!TKI5RMHf+kw>>_EArY#Y
zE}r(2Ko?|T*&IxuR<MoI{s&s#`vB4FT`eM0AsD96pN&+SFcm1PMMf~$P9z%)wNN`E
zMLO@D6f6jWLjvU(chD>ahop5;I<)H+C8{^Ia_Iu6t+d)z`wZ5)(R6^meSCr8xY{q9
zdPpAggQ`{i#S@TyOX#fpY;TD7=0fMWi|Dv)B*weLJ_0C1Sr>>}`>3>kEwFY3DbjeW
zq0ndz_~o-Yb1@f_*+6SnvN~JD1m<F{d*)>=NGEZpA0{N}2e1>8iwo3|%D!|pcR$0t
z8veft<b;i0j5tBB*MM8joeETV5)x-{jqT_h+BZ%K{ldoDhS|yKCrDqsQv~`8jbk>Z
zY2+%>GW{_9F!eCc#XRSlA0{N=wUS8(uTwhKC8j)1HLS0Sc7gP3Ni{;fHHmnw9e-=A
z9QL^zm#VGCV?nb7e%vaSz@N<Zdj3HS#+nurlWMUGLY97*dYJcOo^z>(`7TNyg^hh%
zVar@J+2!m8)h=tE6Td08jvZs^mR?3EOU+G9O`=fS@!WV`liuccPUDwT56Tz?{STr+
z)PM*ehad8AYt2-H>AiX$eK=p0)w@66*-<t^{O!%GASyOGCOul7#n;_^4LYO#@;5b{
zjT`mq9Pxmf!N%O62R^WGb%zzR1~c5FZ!fsGCMqkq-M+5dv2$1;_Cqj4CU+dnB85A?
zQ!yqQY6>mn+_LsT5ma6SD&*IwpfY%4;2PDi4!}V5z&+x!T{NTob#S=pxl2a?q1+?(
zyI=6s!ZzAd$a>CL;r-+Bj#&|TrQb=vlX@rS={*rMJ1Lsqu_8Zc0O*l|{?#%UsR|I&
zIO=CeA_Ne~Z{@c~7)dGwC3ZZY*jnHWNG0?64_p@+Vj+u8OQCd3lj?_^KgI~AfoGCM
zD@@P?wU$1BWSjdaGFT-DcjdQ7A4#eN4X=DwfkSlGy^4LXc<IZ^)HDU>Pdja!Se8Q7
z>kp{3A$||SCGYRg`A%^qQgN3IueD~prWGrt_di+j(s^Rf<dGnH|6)JWcN$ixja??7
zcL~f$_p86{<4F8Se+#5{!AWuAX1WA~JltvKz-&ZE4!FYt8EJUHj#X>9&9Tj-`z;h7
zo_xys6j;NG7A~Fnf^7Aw=+?Wp0?onv_Tk(fEpctrw-B0o6>H(H>Pw(wM8{SJ@ZXzs
z=}uGtLhP0ej`HO74s&P~Q^H%Y(=Djb41Ef$VO0X_3vcv)iTYA@Vf05t7rJTa)?OwD
z3>c`W0@2512G2$%zS9)yL!SWO3@Zwlxrjm(Rz!*W;+*d|O)|QRlBTAVBv_jr(tj3L
z2l%l-k{u+~Ev!#1+mfow&X$5gf;f>~2}wo>8nlMfu!V*0<^EMNGfXx}0I|O9myai2
zI#NR&Z3Q1K)<t0OmZS{Jb4b9MT|9;Ar|26)2%pFKio+aBpvp_3hR*>;fWX83e`yKg
zXvo3_MjO$t^!vw$kbTVeXU&((giF6Il6zT~dFlG0m$a2{PK24y>}7?ngVnV{S{d|M
zG4H*?ts%2L$jcgPAJGcwf84`Gp6uUdxZO21JQn0)@1LJ+M|C#H$W|?t$C+gY(?>$j
zN`?4Vx=`%wvLg)Z;;rP0@qM{5%T0?bs6x7MgHP!)wZ~neNbNhYxKgyTjBPOtVvcoo
z4SV(4s=ar1a%O}*6Ngf6QKcf=P-zBldoVN@9ALQTfW8{n!O8ME=0;R3N!2MhZA;u3
zJsKS@Kagd*n4hCnJ{Ka1bDWPBh}}82rh4LQg3rB-+#XM^+)2Xkb_2y$2%ZNqY^6@%
zag2ns!jfk@D>d46s;k!Ek&$SgeYautWe+Wl+;HCYgnfe)(#Ci^$IkTBMhd;B-jC#F
zC@INSN{61h4<Iq<08P?o3VwIVqfGF#c@WN(a;1+)rn6&jVm_u#r?vDzn+wjGa3usS
zu=WkgSaW=G%k^lh#8LA}z!tT4In}6@AvoS`l>FU%&?F60!<c}`shfV`#~sHB=h|4C
z=_!N52p-;#(u||Nm;!UQ_sJo`Vn9wM`pth<Ia)*%^;3UX&&Z824k(f1kiksz^ZO3>
zA!azq$a<0IlengA^Jt&tvwjC19NO+kleg&6skGV*VuYc>0`|^?)B(|DaG6##YYLp3
z2Z9ezi6e>{pW!C7bAMH>`KUvNn|K5kuFWQ2BGK+T^v_+jZ`3k@W>5e*K*ql{IN2Np
z!*&Q;zQ(dYJmPjZ*z+_qFrNwQrfkDrw~f2DRc4Al>*7f)%V1*NN}G9^oOxI?fq7n+
z>kZnLRH;~OEJjUzL1o(|kFcYvFmmLb?3~4F+VK)R>I#;eVmh69HSBd{O=HWx(<{s%
zsKBGhUaX+e!|=DdNtGpA8DyY079aNmrn4PYR%MW3WF*Y9cT?}2f7))Jx$28SAzNf*
zTBeEmoeHgA7Qh>XMn{8*Wm?+kQ@v5{FQv(Q$jY@54G&w!N9OjVv)=)gXc(YL`Xv6y
zk7V*ol9bt^eHAT^)6)IC7BWfd@HnY(r1NBjoaVELuLoS>GzlRTOh%^Phho=h;&<k$
z(ED@lRd2R<|BI8SM<y;3J7UQ;+OE)Mh=(+(eQC^nz3?pV5O(p~FNBYqmlV3VFZ;yQ
z_-uBCCiyuN2T+a1@}|6r7yMSRoYnBFL{Ohi`kFLX5!3n2tj0J5uB&d=l=c6Z{O?yY
zR@5L2#jT(ZD&@*qXN|+qCx$d%5P0n8T6=d|Oh$f*P}EQiFFwF@`Ft08P=3D}LdwPI
zh<tM%03M^C42bkP8bnUO#WV4>@6ZXp7+XbqU)>jh&@H=9?hSEraxVkzA|+EX>GGk?
z(f6XD$?)b;yKqqHXhhJDy{fRAxM7rB3D6j*ML%1n==HlouV{{x3L}Dm!~B{FC+6lV
zi5a;D^VC1W2d3w1>pd=5g-vam$o-L;TtOx6v7WK%Y5G57+hXt~lzo+77xIG~;ZBDR
zSs@hx7Sw_19dxLew+l)xihwDxnI@T9TEWwyl97$sO)BjkPC%{M*1MOI3ZL&9EJK&j
zUZi`V&}g%ngleT_+(f>?W@F9ZguCbXM~g%XTz!kRW%<gvC0G={ysP`l4IqhS8@8eD
zy;sYo;s0xazr4r0g1|TrOP0Ej<uxv8%g_CHX8ku80Nfn3cwpC|8-5uosS815gC8o+
zy+Tmf@Vk4vNPy^~bUm)e`hOqHH<R#xG$8MG|0Ei^Y{yflb#B%z@s!u@1N8n`_pPP>
zp_w%ZVV?9{*MW;~>B6s6;imy>YLlL6^9XTBFkT-ulcCxBZ(ej{dKKNJq%A<0`z6b(
zbY5=D8TMl&aU@f4lB-0S;g=yLziMDgbIKR%2DWiXge+-2X^*ysj@MFQ;kmifCIdt9
z!SJT_!%{6@&TbOu`yotFlXOfm`HYCj($8&(6E82&w&Ab;42lH`^{3+okVSS32oP$8
z0*rkE6-KWWCW`?Ah9JPM$garlEwV$=bTW|#2B|Ducg%kACf(aWHQpDZM~_BdF_kI7
ztlmtL0~mEsh!?#o$gT`XTmd@3CQCsd?|nQow*#$p2-;LHJw)7`1(Xh^bjK5esRDZO
zTOt)_q&7Vr<dICb)TM#5$p=rTcTq*AZVY?8U46Pontl$ymE8_zp<#=TJiL7m^EdJT
z%OfJu!jWOz`ldy?dE*5ANh3$5@n%L=09a3efnRs|0u5itS`1q7FCNYKb|oSu1_BoO
z9sLnI#DIWBmTAPk7zkKo4@acLKtQ4TE1xBQFjA$EY-0DusQx0i;24Njh;Flob4ApJ
zp?%*gnvIZ-vd*%^EFnNt*V`cRllzKlxJIVx;iy`<fB%CB>FTcPY`Jy`$v{tzTuvvW
z3qbTC091dK(2Th2Y=V>+v|y1mOLJr(V3C52Sc-vwMSke<h^-h1SmXvDkrD#|Pa0HH
z!y>-!kmIimIUo@N6EMgTVhs2$>qf4*dTd#UArJ#9W>i7@I%@&Hi{pEmgjjW<hJXn)
zR+J%iiCUE`s00|;V9Q6MF@5s*F~}Gu$QE)(wO8&tqV^i{({Y!?1lZW?VD@G{E1s){
zEnbvrA%2vU7oq7FOWk#H(v{R3ziIc0#cX*kMA^_tps90u>D|iTn_}kBh)A7^m#TTL
zAlG{!1+U1d^pwSy=zg#^ER<GAV7YTHnG>XK!bXqVCBJIfpytpnTp(C8sN`-x9X;j?
z*wH9ug~qe~*Zt!IR|ILA21Hp8q_*=t$yoZ+{D&`aM28;$ZWVsKT^zSE%Y8Blfpj8E
z_Np;PaYzf}@X@EvS+r>21Je(0uU}F3Abdn1?E_{PNFl}}Z78hj-oy%du+0^bzFQ7N
zQA{+`0bC(}Qtz3a$n{kHyRzmYTEj>66amo#HrVnBe%gm;E<zN&6(-5JKSHfAu_jHC
zaqymKaU^UWG!dIUHNOUz5Uu8>!W|?AJJCCyCv+kkn~j6JO(H{&J-=4#q|+Nm^LllR
z+MqFYX*SBuj|82{c#xYOFt=Do4FD}p7S4-aj;UjyFfSc8NoywATuWZnA=5`PwmaMR
zH>a`7`R&d0n2wY7d`r1llv3@BL&~T%7j}!OmSG*JXFjM1y+Qm?Jj4AL40UCmks)Ky
z<Un>XrmZ=%2xPmkCIn?G6!~C}z!gPY@Vsj$ZbHdNFd!G|+w7<X<_UtZq|N!@U>>wk
z3A1KAkq?Bo1Tn&9ptS1LIVNK2Jnqj0Y9=i;l6Mo4q(e<Yh)W`(pgn4i^*;y#Yz&#0
zEK^<Y6DV?liyg-%>Azyp<V4=JB&v!@xvO@fGHf{2mu#JM*HV(6h5|=X$Dw&bA?g|M
z#txWZ4uw2aD<On58`Hhx%majQ4f@78tttEPqk2>z50ibxurUg;1lo;sG(3yFsG{yr
zTtw2e-5rYcmiEV8oYP(B#9>Uxhw10tf+31Q7^j4pVN#BQkE8AOF*=@Hac0sXErs1d
zD&-Q+MEWvC+r{&a0LD(pT$JV}QB-KV2mYFNaOoetiw1u8g|`gN@N)&K1aH>6p|>%G
zXmuFvjXV`<VhYg}lq!M+mym9xX>m=eQKfhXS=BMb15JcuqgQA1U=wdotJpeIw{>f$
ztC-j;FAVGpRB+w~&4}Wn%PR^>@4=Hj{LH{D&BtJ>6p|YR>c5pOOP*VB(+Mr6SDbt4
z%up)Y8#yz?$k_ahR$_%A%XPxDJ@mrur#tp2#hqzUx8UGLk<dD=r_zVtpEMIekFz$h
zPh&C6WyX9>;$x4&914SJ6M?@^;At)6(m#3^Rm|#_-r#_Rb`XWgNlg{NgB;NWR1EFJ
zW5GOCDkLDTO9Wq6(J&NZ)%0l(-iAU<Axg$mMKIRtP(Q)hiZy{y5?H{S@t8RbvmMzk
zZsK7)7}`>vy)g_s)@hG^85Zq6krq(mw;}r>Xd}U=A(x^K{WOJ|Q^=4%I<tgyFcE>B
zc?4qjzyjrnDAC!d({%b=YbLLq)m*!6809I_bly|!^mzW_GW{{So74RtY0+O@oUVjp
zy~a8WkPyT&l|VTfksF1;L<DMM<29$e9)?X)#d;O-^?JCLp3U(^IIrU3xG1%igvoy$
zlW;|lr(fW~?4FLQvylN;q;X!L)Ob%PU8^GXXVME82^qy?Uxj_?r3=>V9iK=|gI)s<
z4QKM`b4h}ne>UCg|MN)u@W3`*>gYb=B*VVc1OC5cIQa|u=TiX-eg}u0V&Wg}unNq+
z<xZTsekXkg50tZO`AG2(>i1)4gri<RaLoi)q|qPbb<t2~Dv`S%je+rR;pg`+0-ux^
z@8sF8x68edl#;Rx19qoug#nrKXpDu42q0#x&F=Y0L2YQe9zvr?xKc?sVQ+_YH{D0H
zb~3Ze!zBAyY-X53F@upk1w(vd>4Oi)w`r>lW*RIhTuI+KTxGP4C`TG4TP=LKf#;WY
zro*LX9M}F8&Z9dJqe{<;n^D@t%jK{Uol3**igcBGo;)6=pOxwbrfgtCI(I65h#%Bl
zd~tLUKV(7OqhyuVXXVUl`F`uD4qf`qmIl<bH*lhqBD*$2cbX2yH#>d(`p8Ge7#I)Y
z`Hb(QDR9zK>YR)SB)Z(nmLUg2-lz+@Ln*AY@^|#@O5}^qu^bb1q4ti?DqxcY;vz&6
z|L)RxMlZbtbr%xpC-^HtrB@BA2b>@|DQ21?GfbZ6wT2pkK=pv%W}&H~sbYrAQ7y{c
zk&sX;%)vc>ZVn%M`mR9o0~aDv2}4hAYBS0w;kjLLofbe2VU~QJqy{talS9L8W`8md
z*W8<O{Z=^6Pf)alR+ueZC4U6+oGeGCiKzim!?KSc$Ac(-WuW!$Xjo)kC)QNZx0iT$
zgTzC~<#0^bB9lrA?D|}sftY*FG6^H(6wmr<*#L_*J=*x;LJO;TLfACM$|aj8T(f8b
zZHwTZAob)0IP%9XEE9yR2q1<?#`u8(T=0SWMZp3XA5)2UEvEoX3sV0jtsNQ|q$cGT
z1UfCDrsqsTJ0evu1p9zy`4lX8E22Dx&<jt<7E@V0GaLpcmYG?liSMVB>XwX6T8$^U
z71&tJN|PTDD$ogOQ#eH0zg&^~!IVVd+UPmJA(UD?V@#xRx8Qup;n%ftx9cvGRWKvc
zKIpl>UXPb@_%mgbojK&XsV{c$$AdjRc|jQhwvrQ(xiJ7%XVy7uyy@y6Pr#k1g}fnP
zNc;cs)lXUb=Y%2QQf&yRwecni%Zi977Ek7-DTvZBun;edO|soVYPM*%6(`qTCg&`e
zc!Fk~42c1G8ta6^gKMI%KOCjaf~ng!il|y6i(#(CTZtaIChM%?f~?lnmtu@Yy0fLl
z-N}G&P?^@IGR9rCdH*1B=AVovJ$lvaouALVT<n}j#7o0613;EKmwnm%Kz+%ym(p*B
z867BC?mCB4r-R@X{?@b3r{$p(eb%`&BnR1@(ab2}y@?x0>Ahov6u;w?9Fy|bFD8@y
zBm>kh<RRT>fweqFqrv-E<Dnq30l~p>k7^L=9ddotHwxK*9s;P`ASfheUMa^207w8p
z(DYJg2zqE#BFSp&w~SDTg?I=BN-Rv>6^O(m$^!|7SWr2m3R<r})hf{E1&zw1siXGB
zgA{8*r=aFQrL>wzy}hxtLtC~i3w32UIGHd!o+QCC?nQw+Th>R$s;06g2(`{w89ivS
zAmMO&bfop6CMTC~Ur*D=vQ?)4MNN{}C9=U$s!uH&gc3u|kSlVa`cxNot-)NgFe;jO
z+%8~wqs3%DQE7&O5;C04ip6kgpeE-fw<&^>MyTD<Jqqc7<YB!3AdMW14``=%T2Fs6
z+Gm6)>ZPbG_<{6L%0J`n)8+0D*pVNwu=@SKr!M$1t^x;hnqp|_M`mkgV42hOLIZx9
za_FYLs^p5mwqZE{QE>+W0cFk26lytqd<PJIfc00ohha!Z3HB!WBuS#A3)8zTgNK+`
zGZ3g8<(hX@=~_&(>L?v}#GHUEz&Lg3mi%FF;iH4BIH}2J(%s>w8XRr2$p?b2H)l5H
zg8FevW==%VgC^m&@%|{X-zhfnI7!p)IEBq87dT>fGe&J$+6_!#(`(=NSoj!EWXI(u
zAI|aTb-Q`<ST3s_ps``bltH{PVFv3_ZkQPjJY`biO&}kRb$>{$G<-zq2vylgHZ&o#
z>Qzo0bUl5YPEU#qdLnT>7HVi~OVG%3%;G4%0LP4a2y!9*q!#J{aZ0WR(@|&<F>(dd
zk=+s7K&1Y88)X`+=ck+_@^rG)sQyzkTgE1MKu}0rOUxT)Vx+?z?pci=!V`=Ni=AYh
zcxBhKgnIX58eSpXbg0+;OIjeAVTO6=>AC~P+lU-;7v|>cEJM@>Jr1OuF}p(H{+kMe
zfU;@9G-QmyrYC)#$Kj}~kE{whFxRO2rE)ew+P~&gy}!d`j~Pwbcp8m-JB6LHi%3L_
zY{nYFm{Yc==~y#>qr-J`SaAKIOehF5Zj$Om&RKz0u@2`ow$gyU^?}7T4X<;)$bAcH
zSah>)9xy=w@z7Q|_PdgxXAM}E*y9i{ksv2Qyd)ee$ABROk2-Du5RjT0$#T%e5C#O@
z1R&@p04_LM1wIph?B9*OTQ*m-vO-3(^;!~6?B;E(LG#X~aqG1tZRgRb28!N#P{22k
zJ`@bTK|KvzpD!7~`w16YUc`8~fIby}?SO#2iKg0Msv1G7c2bt5aArqXNc-A6Cxnyx
zXp!~0;Io?8k<<NxsgsN&r#M%;V{a}5jzPh0lRs`GFy|p#!d=v*L~I)cu}8_We8Jn=
z;kR!{hU8QrOM{GtjxY8h)Q3_VCHm7@t~LaR?S&C!&_D(aLNRIP0!L<2?cI>*4yRi;
z>>Da;_DMM<5ScfpgHOzHm(-SYS=Wg~U95G?NubKX3m}6Q#;jHdqYxU0ZXkGBKr<3f
zh|aqo1q4{e`|!!Rh94Zh%Mc!g#x3%7oNi1*mu;i1S`1mggi!IfmGJxEj1L{A10)1p
z;?{c$^)a<-tB+&E01h9=cG5}JF7Kc}Wr!N@W8Zr^41+3P9Upl$z7Yes#z$+6ox_@p
z2e<RPgP*FhvsrK$go9F>L^FW#kU2^|sdGxG<C{SfBZ&b#-BeK%r)vl$#7$O|X0c?s
zhV@V0@qX}jv&oc{^j$e|KJkn?_U)sGO#H@4UH|%vec<(D$Fz$Bh5F1t`-qwc!HbP_
z@oufuhC6hDhr+dhLz{;Dh^Is%W2L#+L-i}{YYy`DtKT+HPW-$F5YJIEF#qoAPSmF=
zQNu#Pe%!$7;`#Lfn%7^!>B+tge0cz0AQ$P-#%9-y7oWr1Tvm5s=s?N_qY?%&fO_o6
z9<ER7vOWfP<`R|I^VtPS)qvZKA#8b_jm9}pH>nE`q@rqqbbwEKhDYWQ{7^Lc;ZP%X
z;pwZ9zK-EoK%eeJx!WZkIdB@Xz-dB>EM^(lTV=ML?k3)qJPiXVx`sI&bY}KtUF=U#
zzo%_F2q}-8RNySux^~&eyl#^gRH-6tlvXF7@s-!@m(gogWAGS73Tuz~l|P}1YPQ*+
zA;Eez>@-H2)b9@r7pxebj5g_{z+=LA>J<nU>?1XV$g!3BKY;bh#z-{ACm)558VHSK
z5B(JJok-_G@xyY717#R_1%s^U$-2k46gnb5GkimuRbF0Y807tcly!RaiZjW_fP4(_
zMAiiG8Y`3jEXO6hd3ek-)bjXX_RS4|giQXX+$uOVYNokd5EG3FOLvr{L+S>`i&r=&
za>v=)rPNl1%&|e!ptcpyEI<M^i_EAUpU$pizocDDGMOX^`6WwwpWbn`ufl~^kQtc^
zw)UdP%`kY?I=-|U8Bb{f8!Ds}X<zEb$ElUcf@xcV!jA3k)N7?jl}b*RYNmXzuh#CX
zm7s95%PNp>iWGu;Uu%6)$%O?h;QCaQ9=ADOfLg8fb6Ao^ql<Re(aA7dP~YR}=Wbs;
zt!6Vk?G;K+90gkd%LNY$ADKDZJxtc{!!KQ<zD4P^5G-b?RI@AzQ+8kB`Bo`D5R?<m
zjTllJHIJ2<@8M$bPJ1DpZ`aI#p2z?BTF-lBKiP<?BApHEeYMJZmji+IWGH=rfd8%_
zSVr&h)PneDYa!KK28v$Ik4~6b;to(qugN)_hvZ*~CXj2E#u)y?;}$~pCuorkB*>(<
z%?0)sA=&aCQaqNg;V*~(FgFv;8Vq6FRN%r-+rn||gQdE%KnPi)68PvR^!}EkS{vMH
zEo_a<MQTZy)_Qm5B)<thk;opz-#jFG5_D$JuhEkv5rJ_zSEUq9p}$CQ6AN1k&GU(6
z_s2+172Y{2LN~KhoAlK!MK*E&&Wl*=-8`O57&@}b`!wAotL{<Qh|Ed)BZYcDE~((D
zy)Cybr@3F>v`t&c=IAZbB6uaVH&Vdc7l-L)+`Nel*uepTHq_2EqCJf<W16S)A+3vO
zHcxDTu_?I<ia7nO=<It+b7aiUucRcIE4nVpAko|lF|A4B$B_T&9!~>S9@zhI0%`Sk
zMMoff^iEVn6(Rda=!lh|Oe0D47WKheFs|YWQuN+b(yRbl!Pjg*Aw@6N0SN4j-B9d*
zflUklj7`Z|@IE1{k5pEnBn*dx!8q^JB`#z@DEu79j$>Dgu=YiMn-@Z_{tzEb&2>*a
zUg0d%O41}WDOt$CAXi2m=yn>51Cav)WX&%oxS}uo%I#o+f#!wnGL<c(cc9yMUy6~V
z$D_2VZ}KN2Bopd<lWiTMyAUqi0hCq2hZL#i3TnbW#N@X0m?P;qI$%ECVnwCG?)vO5
zo3>1`Px{u>RusEJ^89rq3$Jj6Tp7{X<$D6SGd^HnCFQjW&eC)k)vB3FkoTKHRbrg?
z(9}z8S`JWZ-{QLj<Fh>}(WN6JYCp)*bG`m3Z46AH*|kGuS3cZz4SM%p*cX;lywy$G
zC%3Ats-o=nKGRK0j)vZ?=`8dfObIDH8>Hzve8i!DizW@miKjM=14PeS&ub#ap&(Tl
z5;bZ-w+AH-%v)$7)ffOpQ41!MK^55$1AUEfkj#;l0>ubQZ*(r7#EX*N>V*bGK}D(T
zdWrQ_SkNxX4j42FpSuBRLmRoUfnsb}3Oc7|kAR}qk10$-3NM<1ZWnVgl1nDd$NmLB
zC+kw~X2<T1YwaL0`2_iuDxqG7H>xpHN_D$_ghIH1ICF7Atd(1_Q`Wgs?I?2H@!U8B
zB)Dh_x-G2;9i`mj#uU!hT9j&d7I)%5ZfGQBxcwD6e61YW*a@-u8v$W7NP3ww#<`m#
z_=fz|k@&tW^;ibwEqqb1jlL+zYPK=~y;kT$G0dTsbpL<Pz{@Zw^%4sk1A~RZq7+e8
zN_AoJ|9CiDXu>m5P_W^gW~Imp*v=foc|kQ=!aJyaFXB2jb9*fehi3)XQc!aR)D0X&
zt?2`<QMrzjHPHNgaRd}QL~POOogq(Vmx8Gg>JkUjf@<0H-R^srYb^WF?itz*+R|0b
zCgcPlNzf0?SrmAL#f9OU`GPEvvCh?VvN)lDMrXN!)1t2w6y^%u>kQ{)u<HYOv`+(s
z_n-I5K1xYqtLcKK9E8wnx}YbGrncBmeXBgfCmbrlIH<&tW+N(4N5mNl$zbs^v;b59
z{y-Cb$@!_qR!JrNCzm}tw_k_mI{Xhh%XRG751u~QthhOp=}|bOWXM->s#1V9N3k||
z6$2t3)6v3b7*jS7_VqWwp-3{($D-8+w`wE=MA-nq&zv@zsxti;#6t6n#>LV=9cZxh
zkqd)biE-AFsZ|QxS=dkTdq`%x<ZhK|2_^viffo=%*s-mffcL`PG*)~NBDZYj?fTZ7
z(zmK%J^ZwY4yP30Ae36+WuedT`W2BU-@_lpIQyMXAJ9P6zKYSms{Bup#)Ut<;0&ZO
zckD4W_i=xmebAdiIzpgEvcFFoXjn!P8a?V3Ra(l<*0L7^tFnFE1cbr&+H0eY4QJh9
zD*&p8IoWuRefZC9$Ma3I@h^ur!N=fC#qnFYV~*Y5p)#V92=$a^+%Tc3O5mz5N}gdH
zGjr$SHtt2AMdP@W35Of9dD4?gE}2M0XmlIbk3B2DHzH1D6nH!<*avy1LYou*uDFYf
z<_w1)?I#rUC&~*QX#Pn@N^GAR+R2x?X)n&WoD?Wg5UV3g={yrnfcl6?FG{hgOB`Fi
zw;SddFO1z9ziEz{grS~nOL+M;d^7fd27xub0WmSVm|VceDhsWHJ953+oP6SIFoC1#
z;sSG_icdHzBJ6hJ(K-?jU+_;!UKq@!o5NP-hO5w74!2sO`kXO5`6M&eiG$o^IYVRm
z4+p%Q$@iss{NCh*&Rya$DB>S(jO$LX>D|O2al(ZvnN6=+VvkO+&gwY1r{W10-_CQK
z_gB3sW3RE`({;3V{nlE&elz%M82^(&B!1T07V$W`l^7C#`iVfHf9g3%CF=r?1ABkU
z=w<O2wsa&E23M2%y)tPylm1y=uhGxq`dmt}49}o{dK+Y~5!LukIs9D9h^LQl?%Ank
z{=-Urq#q=oGm6ji;F<o);8MUCX%7g~lQvt9D;dq~sHW-~R~&fnFBJeS{SkJgDnd%$
zG}Y{lA|oyEGp#<sqL9<k``p*#{QysRNr+DSUA3V0lnhT0p^9`a+a{K;PlNPKz3>LF
z<Ih`TR;|4W42`dKGRM|2407G?P8Gtf-Q{ZeF0_&EWZuA*@BEzR*q1}x{X8b(eVR8t
zsJ*0T9;JGzp+}-?%2#XZ5SVIO-R_#&)6H17Z{U9W^T^{}JpK)_&|^|x|8UP;W-Pmb
zq9ZyaE#J>a9a0bfr~2B&R?zB2<>7aFC+{a}p1@=Qst&m+>R)}zOs+?{aAZyvMU1V<
zS1E>ux&KEnjeol;W5R3v{8pOi@K>J*c1!?&x54u0g*dv6Qs@89Z2&4v<KOBg1QDmp
zszr!DZEj^xL(<mA@NZ=!a*%v`MCS^??{<-RjTwDe?6Pcc>asf`eFXnn)&os3fqEPM
zio6>*zD3T6w<sSR{O!Z>e3sY2B%=f<B=j&M!Z3XqxP_VWkaF`c&B2~i#GrD%uGq>U
zS(xKoC@%XQDd^Q97+aS`D!bn=Qe?Sb_-Nm4A>tfhz1c1-Kk%r0INA4e|03iE8YsEO
z_HN|+8>sCP^yO(V)~0NpFolp&2{{{KLBU*5uoW0pyxbCkwZH-NFjfx)|ECXq(tIY>
za`<`l$<QB_ktc6vosLrEdG~LcSD*g$>gypAtW7?9pc8Qu`7geneOh!VM9TE`cN(E<
z_ZfJ&di~{@yn6(<g6aQuxY%@Un6K9D!^i(Ovw)G1LkouObC_|IhmBQo&8mUSGS43w
z(xgi6hs{C-EwI<uGe2+4-IjL#mf}OsIZv9p4pt+M{m82ox<@b<4VejRO(#`tos{^I
zHj>T|6>Gt}LC;CK!I#_ofaxQ$@(nFot(VRH-sz?yfqtxV$9+~#=C14Q?~9u76T9El
z^Qj4Jr*7a};gjyz?xBsKLN$v!q=?qxk^27CwFwRrr@>F81ug)Be_X5RZb>Ay8Ak$?
zSpwsYzb_6{V*!Z}G^pXIY%SGj+j0M9(y7RZ9=x1&2J!%z(1qO%>wGRvo;LX_2<L&#
zDjbXBC<jn)*RVzdaYgP<eUp<~d=c2;PXJe`nt`H~9?){3$}S_8_vvSnG&p$lK0ckQ
zfIV5A*5zy;jLL}w%FR&f&IxOK%?}>Cu_&B*hm^ir=yb4rMXKDyvZ=cprxa5WRKp#R
zm$w0T5V)4Mi4v-pvKvXaoWk*#c~65!hJs)}21;#{B=AK|&uTxr5~TS5-RBIZ1A7h^
zfqT;+CWaPGaoa2ZOs9rI;hOx+9nxP%J81$sM58K&&3Cg=7~qEmt1Q>R6g*D|`Gi{1
z1wH)h$Fp!hng}MyeTeH}X$K)}5~L2U$R;G6Kr=nr9SSakIjGEJ&pEjNQAg?jKo5_d
z>K8`JS0kzq&4KYrAse-n*r>BdJnh^B>;HSi*trO}f*?(;{l^~l5qSf>(@{Ms<Q9*j
z<DJzPyZH_MvT_K*S_gP1Ofs4f2-NSyP<NfKr+XR02G2F<9*fiLob0dWC8n@#%jas7
z_ntqE3%W?lzU_3?G=DXCtp;Pk(h^3YQ}oh>|E~FWOB|dHj|$oYJ4QWr#e3A~&F$cC
z!pWb{!S1gsZ9w3shzs7o+gSzwc^OH&$&ijAalAVnZB$KLMz!gLbOfP}^{F`}A;3?B
zLft613$MkZP!1$u29q-XYX#`)4TZK1Da6{f0$eM=V=4!$K#w$slSu(<3?4VspUun?
zvw!zo2DFQ7^2W(V$i;B9C|-iIz`NF|mYjzC<8$L(Unjt_Zl!-Wf3;3n3Bp5mo^?jo
z$RsFyCjNU}&UUNg<4gTVRR6oL=s4OlpD^I#<UCg?WyL62$>DSI9D5n_+z+tF%7DxL
z>nk+*l}HbH3Vl4L-4AJ^5BnF=A*~`ie8govRl{I^4sO`Eal=+YO$z0GiLh9DL!Lj8
zoz2~~;rP56fV|6oFC~(uylu<(rw1RExEwhx7V;N8_9N2Y>jNJ95#8_g0gt^U`p2N>
z+Z`4caoKCFTiCbQXonP0d=bn3to>f!mzwAF${d~HU-`gA0i^<c+rmbA^t%^=fU-+W
ze|!&<8LOk$-SEamj2-QTc+;RdbGO2~xFh(X_>uG<I|rK5JYvci&%$wijhL4Wj~HZk
zb|#oM5s%DrN<a<?wjSOjQF&8bL?pY>)@7HctOi~y;+ASB^K)guoMV@0!I9pO`MGy&
zcgm97vQuASE(-6B$2;aw@KWy6H8U^lOIK{;hL9)|MTiT2G&mKoIulZqnJfVTt}#!M
zKMI!K%=vo`YtkBlGrMut?&lpAGG){i{pKPnn<y|~Dl5Gl$>JJ7tSm9a)V5D3c49@}
zE$LT_G0Q=dakmo-V^4@eesaJQSly}&^!!3@then+TeccZ1J4xwdEw&Gwu9b~qMuPJ
zP@rEB0ri7$QShwyQQb42w>EWZG?LJEOiYsu=6_i`^CI8V#vbnEc^Uw9cv<R*Z<;_2
zjCt@$tpz6K_cy_~OC9S-E!?rTt7>CaRe5fb)X4RaViMsmgs~NoR!qlnuDZOtm#mMw
zI(@<qYwUn1M<T#d2Mh8|zM``BG~VS+H7xL1Z#eDwy#$sn#E*j=gF5YB-<1bSh(DAl
zk3KQ>6<sY^s?E;QPyAPCs;|Hw+}RgMb*6bp>Rw-yN4!D@op$S(-J~ks3JqCO$yeYk
z92UE(S@effhR53EC!%^#vv+A!?Yh?=wED^7Jp_ZK(%z3_pzf6Zas6I?J-+Sx3S?tu
z)f5`@(2}H96E1<0&|3PhH<Cu|6N$ZagLm13qFYa|m&3IVktrXY`1CbMo3e8Dz!)0N
z8guMPgw^YG5&fmR!a9x;*bF&*Zl>d>^Vs~Wi7a2ymeFgM(;7}bJt{GOC<lTpE;w}$
zvVkq#>*MxAI0E~n^w&Mi><g4F9)CG_M_2YD$!Rg)^IF|t^utpiw9Ro79Qpv^-Ck28
zS=J6??YF#y2cKSC7I|qX!RZ8)&OBfTSGw27^_?GqEo96h@eR7AmNc)REyr~@<zu{?
z0*+82Xg=alus2_xhVJ#pOgwrMyb87r3f{B;?g$Y*st-CIu6tYZdY5*PLn-B$9P&a4
zP@S{rQjbv-QUJISJa8V=jAO@2A^^$9B{I8MIZZxc9Jcv8ie1)?*7+ue14Of8;B$0+
z8*@GvvGhp3<Ho#|Q>yl2r|Q#}NXGG8E9`2NHeDDLcmTlZ;seR9OLFA7jh(HwGB~3I
z$Ed&olchWMWM&)LS?!{h6Pi3@ODWts$1>KxdPgn*KIbDRndubJ$?ccr(y1;C7Ju|4
z{-Mj?nVnzpHU#f!x^K*W5Rlz{zv8(1pHNX-5MFQfNoLL?E*J@RLiS<1r~w?CZs{O3
zsB3bm((nQmrN*4^MG6a46r}N}b#muYA(@ql+bBQiKO=;F0Q$ZBE<W1t6ujv}`SXRr
zRkdRu&Y{~Zt)+q5en!yIkq!ZW7l44{#Sv1MT^9;eeD>kg>qN%D!)p#vMrLPWZun>S
zr&!c}AeVMECC(jYeUYHnq!pJMitX_f2&u{HNc+AU!7@0~7W^lGL;c&ukBHP)f^4n5
z`rvpxoW6ML^ht>G_5~1h@f-QWlzhywRXtfAHk@DqHzFk_wjM{Pip&EnqPuh`5jrEM
zntGG?HM(Gp2aSsAM!Z+uyqd6_Qx=~pEySTNjWlBPD*&rf-JK~WoiDT&w95uZ(p6Y|
zX4!}tl$nkYcgK2qPG8uV2R<UpfhjS-I_AOgky#o7ScJt-gPWn-psG7IO31zUOr(ye
zX7dkGM9PCsU3_+@M!rJ!8Qv>5<;F1T$9(^OyyzG6`*)Cj@Vo{}DOT0mvLUDUl|6S`
zdm_nqm5_j8M006GeK{#bgzubN=<QqfO%JZKGpl(0qeC?kJ!_!@8jKC1Ytm$22#-P3
zU-o^x0o=qb2BL^JQ_%1ReBpC7g@$XvHC}8>V7Cv!m|~X<_lTKA97sR_3dy18Bz$6F
z{zwS}xvqnriKg$cPArPWBk;f@+3p>!schx!SjlPB3WccbYkrVJ*!6DyOyKf=U_jw<
zCrCzOAaPY}8G47MB0z+M<fhnk!IOfqBD3XnB(tvAE84MGLe+*vS4k4AZyBk(sYPl`
zeCh7_A}nOI&YcScQHW~FbxKcT@J0+h`WaXx_``Vz>H)TVR<*9YZTcT-wTkFZ^9bRT
zt4h2}AsAMNmfD`Ovwh56y3#=bFTL1NAo&13YfWd&{E@g&J}L4{UTtnd5{#^%P%|Ms
zhr(9?z)_7==|(v5?&?2gxGkX5S!hd_ATF7}LT979HnLUou_=SkQc@mCex75&TMZdO
zDde<EWg-&ugXkp-m(h<(JDU%a-AYhCHPNmm-XM?$GOD4@O*4qd(=P+4p`OgGIl1QP
z=Nh%RZ?aPP9U<}e=pLb!<M{xSU>AkT;Vt=c&sal>Y+wSy2h6)Aw?T-RW6mCOnTl_1
z?z<M@>5yVVE%Nzn%z2mq25!LwFz_Z!0Cn)gXBGKr1@icIU_y;}Aj8Hb+Qrrf4!a+2
z<zp?iJQ&ZO<A_1Dm|2@WvbIb2*6y2dZnQL88Zyez+@W!W1`8ipB%yt9_LLyB)z6-i
zL)N$1ow4ERpiI$@L$~-omz~z%Hhn+uRGZhT>Rv+vUM_b$@TElAVSpx7%niPyn2<mT
z#oC9U8DN2M8cnF!!;1VNXbgzJu`kvH7>`Qu0~SJ}-BQ7LR53r8;D=l2rv34nF>B3%
z{;siTdAX{aIR>)XPK?A|ni14C1)^!gYwUeEZG}D(mql!lO&VEdnD+3V<k~b1v61lC
z+u0w@Qze$_(-2gBP;j+sl2zFuXr6+AP43Qju<qAW7ITNfVd))TX$biJ0pv{RiseOI
z6pZb^&F(RrhZ*iBewvVt2gvpflxYK+CfkB5&kA+Jhvxcxol+NLM?Sy@G|hOD_dbZn
zvnMU6w8_K2d@9t@go?lN-ZhW`@H1#a#S&jvOi0w`6Ysy_W&U6iFQW<7+^+<vO&l<+
z;sIXx@USWhew3))$YB}--t=f<fRZ7`As+Di>!T9IXsW)7Y{%V{p~<{#K{q{`Q)yLE
zwJ0@gho^7f#O+>uni;ep@*6y6^zx@@=;pF)_9a1+Hx&lQgqT-}2}4->2Vx=J8mJCC
zc8@m8r+}x#gdtnLhjFL%z<aD7$`Wvvm@qWo4+L<4zax|)_r%MLZs1gHc`qn17dpl6
zP*@B&VTQ5b$0qXyR8VROp_DR?zJZ($o;q{P9Nc2PUs+fSU~F+jh`h<_94q#*xbBFz
z?FnneRPEX*FSrn_ORNGYlbjIIDFtm?nPrm9XQ+>{sAGLLnot%%O--pdu2gj>y2A6!
z<RTJ{dD@4qvCmV3+Kb*MvjEIju_Dlb5o98?qck6kF;LSZChykVeCXg6i;W^rB_~tY
z8bXCxG?1UDwI)EyEL+a52(kFD<KnG!y9oFm_`f1emnQJhAK#O%TA&!TYdeU>zEXDk
z0QcSf1tp>%xwvSjzS>El$J>ZGj0Z@&*YYCuZ;q!NY-@0IGrEvut`g$J6t@_Ty}vpZ
zDX}qe-0Rh$VE+9f9~1HhFEkl`rFC+5y|5Mb>>uN%uc!d#KRSa}Zu{3f8eMZbUGt&-
zYhLtK@BjYt=T%?$Vnry*pn({94r$6QOKg9x+U!<qt3_G$oor7vuW=o+`6wP__={wM
z1P1{h;<To(E_9Bl9GNWF-@nS`)b6^AO-%i|_lgbV_Hcx4nS3&g>X5Aa1#GpQ7j@ok
zWqVI+__-6UQ0GKx`%ALDT61Uhag8&coJ<u4xZ=8A9!4=Pf9&e<BiebaW7NF>#s3;b
zH)F8#A9s><;P(HRWH6n?jGD41_SR6WP*b&6eeyDh{L0bU_L%ArUBEVo?)SO5QxP>9
zN7v}}*O1A(_8ik^A%d7CJPE)t@MsFuJgF?xndSHZb{PmTFmQE%0%y8<)want@EurN
z`C7e~P%y4Hs__QDC*Z&+-(-f^sg%lSwvRHRD~2IoaoP=GUz8d%R^ue@cF)Z$KEdBw
zK6Z&d-kRW1l9dFW>aU?2lA_1h(p^jy$QK$SY=!h#Zjy%5l8Y&VbRF{P6iJ~ArMv*;
zrhBX!0$~M&a@c^EiC#lNTr9z*gD}_+IT$*BIAB7CQ2nZUd8kXxMxN~YY;T3ckIvr7
zMbAEkW7rVWBmTk+7Cw9`rs3H4gSlt;?0uygj;MZbNiOv6JBvSykLYebD-f|gy_tY4
zpuB#+gVW(^<}%kgq}gZitLFd5Hq`eFu<zdEU2-!<HknXspJEw#-)It-cNTQr3-zOz
z8GY|q=VigE%GC%~;qQ*wE2UOK6oPGe0<wVkVOjV|vD*ROxoHj*u8xElan7Ptw&~2F
zMux*O$^~E!8N<v>4n7ty4A(J_?P2|IUCM&hlJjWm{RJk8y_2sY4N2~8H9yRu=oksw
zH^2>JzIh2j%z@>=(qMFH`R$xd$hj=%7ttQ_Q;8D$5s_@si&n!XWtxh}kQYWCNs@7v
zp}(qVWF@dYZPAgnqDldFN4m}83b%g?$Z&}-X+3vT1|n0nxIaCx!M@F?;nR(B*sp+B
z1q#y5Af_1!zx*hI1Fkob<1J-*)omMpv^*m6z;=>k2EO{fhRX4fZad<7Up<ID-2%i0
z=h@2GEq-yN0Y@GOZxpEdp$~e43|6x-j^5JmgKsq?JBm{&=myB)cbzmf>~~q@x0?nr
zCjVp==%ykgk}!s|%sLp=W=HCA-B8=+91~MgnNq7e4mDf_WHd)3lE;r-KnAD;HVHvO
zB8;XTOi+SkV{y_?eJeS?pHb&hakReQBkN%WM6=ic2_+F~bovAhU4&;|XK0_W;NYo+
zQU<qd)~i`(fPaS+fm<$-|5!IHWBv9{&3gW&h8t7(dIpqfZ3-C$sii)K_);|`mga{u
zkw8S&ksABuM}sPoWD8Ureid*047YxFWAd?-x-OC)J~>z<59ndwPM=7*PDOar558Tw
zVhwzS+AI+s_-<1D(|~dKSOWAB5*h>$hFkI&R7J*go65Fs_3oB~HA665r-_x_a)7Y_
z@k+LskZ(#WkwJ|b8SR&)Nw3AZC9j}o*}G{fqt-LRm(KAn4iggl$3d}~3wDcL<-Y<f
zBns^2V;e89SWQ^0*7wds(l8{*BLhxAZeWCg_6<f!3zFYhF-OdxwAXk(^VccU+PSo9
zid@AOzN{)6+Y$dm6fqm`oAVioudF!>5!2ar+j?tEnlID<1f1-NSHeEtsH#6De^YPu
z;0aC#rZG^1Q$p`~5k^<_$1Eo}WjWr&F>8-EU{pjI>}hGGTpeAPiO3y=42<L=4Gs<q
zPz$`p2P3O-o2<>VsDEcEDV(;1XTj(BJ0MAA1@&3xfg+fakhcR8wFXEFAZaD(b#URz
ziSh7=twRg{z{MG_gNr)2*e7tb9fWhkHu|veB2CE4UQ)fo6-Vtm3O{-N__c_KM@C0m
zabD+2naM#4^pWf{Fn?m~jy+@X7PV`l{_6@u>I_5g^yXdA7Id^cTcYU_w96A~3-Zv<
zQ&}+N6Gy{Sj=W<?YyvCkDc^@0Ukdax<GTPJXV0!Q=kUS@@!Ou+BLaB9gcL~*^oQcp
zaGL_{w<etf&|s#qhU9u^;LpLWQFNErVv<}&NbL57fcnCxT%2?kgnFkmUDJ*L&_NP)
zVM6qE-IxebMt&l8_ORWB9_V)WmRPCWUYG!v8l${Nd}`t0I0^=h1%{@%>(Q+CsNEFR
zcW#Bnpmz`C<4un4`_}`y*8viV&1(~g0iTXPhVOLk|9U989#&3MJ`bMR76DI5Td*M<
zA&!uLCMjpwKpIKOvM`9q2i=4SOhZQbtM9uGz#CG#H+Wmz0b;s~_LiUwUD4kn?9r%O
zM}#JmTi>Y8W@1DU{ZA633l}~tCdoB|@Q%vU1mF#s9&<v-Qc%BUt(7JvFF4XjKLFQb
z4m3K@h(y+Mf|5;y?+MA>u~k<wyoz<~f=!?mZ8U@8%^0GM4i-#yLAZwO%z>t_1nWgH
z9FQUn1qQH6m*fT{L{_%-$aV+`f7^;=#`|8k6Dfp=_Vh@Sl6c1XK1AZ7EtG8sOg1D$
zHM0^7?ReW*0+8ff+2nS%D<CJ=NQwg!DJX`v{%|PW4roViv@?f}&t|9gX-lj?h96-1
zApDHaA6|`EJWzTBUGJsgFrh8M)StQ^KDwjxoI`?mluNSM(mT4(bX<G7+vzi$RXWth
z?A_rFu>m>w(_-L@{W<p{%_Ze$5fK3xh<yAx5&>o)av~xTV1Q=I(QJ9-jz%Kr5#>RM
zYgIY;r((qw@uMg(yg~v@c5;-xhP1P=?_$l&{C3JB48-{)oi&eB@J~=8-6gX?I5*X*
zvB;g`vz2cxAJ`9_2uMiwUS|szQ5YgSX8sJbhM4=F{hGyY;$*8H)O5O;V+sb7L>p$b
zRcJv3q2|Yw%_eqxmVEO`ZQKVV;~yo~5-P<=?3;t%5aR54hQW?%<S`B+=*dSupr(Dk
zE?=*o-qC)I6oEv5+44Yk-(fj<5b1zW+{+w0CeTCfiFqHCRe(7l`hl)mu+AoTK51QA
z*;VMh?3(_nytvEkdXgF5ke{fr>topG-tDPKcw+3@dYS&JkI4Q{9n@Uy<VkN~Ya_3G
znmY8Ld8)YL(~i?T7+}U?I#9d<rJmDa;i*>{>Wq&)RK!5$TKj_oyndncp^e;BkYdWr
z&r{#01R=ukY(KLBqxcSoF(IxZCZq?Y&S@ML&3y8Tn&Vrq5dtgTf?8yoKzb9cgh8}D
z<oB+$A^&w|4VRf(BZmnkMEO?_Uw9MsTsq7Mgu%x3!yY9yxXTlxbM{knM^Xt@8+{qm
zQ)_f#w3-kTL+T8)&O_1HnEG)#WRuN+pgwag7!3up3Z(sD0olEx1R07zxV;T);jtQL
z<aJ{BV}z4m{eE05ej)|e#!~xG3Z9ca&Q{mprBWEf=>JWjc4Z8%2Z%__08_sl%?jkr
z7D!T&U-NBG@g8@zcGJMO2eaa^;Om`WE~?vT)8t|vT*0HJ<RM>a&4JvLM48!d4&XVX
zlINd^KQ_C2X{5q6lA-a<!Uaf%#+L9VVlW);GpqrG3pD?}+_*%({G>8yI4}AlO~sTd
zHRd=FAOS_bF}lsFL;Wlc@wFVOhbFjn?yI&S)$-LB_1<PFNGJv+imC1bv3Dwz?_p~2
z-lr)K8-^V?jkV!Kzk>~&31#_pNsh6Ei7!M<A*%5Y%ha7HrM-ICtYuUscRPf>-4Qps
zr3&~EVQp?bxe9RL%sH@(0rGi43j`EP<W`8ah+RnbFU||Z+#*S>LQ+}A*JTk}OQV1#
z0#Dx_7Lq;eYFLvX3*khq9oQIDVwP;#((F8iN#+gqjTnAa|4J`Z2@D&LJpts*W}#>o
zl{k*NWXiOis4;mY*B%rFGQDBWcGh5W!7?;R%Mk7(*;jh?oXcn%^*!E{PuGg65eQdE
zUhY*1n(1QN463p^b+fKapl>b-O}&GV(FW)oUp}Y}S`4`%o^j#uT6~PyBxEW>6zBo6
zLuWCb94=LZ(zdD%ER7z;HbNhQ;ZY10t&gh1mUpcH&48jCX4F2DKC)$<&%VK1aTKLZ
zR1x)_pJ*G4W?0C13$S56D>#pMy5B9tAo~X{Dbos%viiKAydZqRm~^F-9?I&t00MNK
zO#g~)AaHt<ZYlBMmNM^FDw&33)%T503K;<l32f9E!AxZ@0aVd+B?8_x|L}8C07W(s
z5cJCr`C&b|lRA_brxJF=C`YC%x;~#)dsRyu$R(x1p7<wCjHf9!@OvpJQtlt*1Rmp-
znHi=J60{NATp*GZkr){TnW7C1oXw^{@eIxPfS7=~Hm79!iQBCj1#|?OhE)aJ_Sn9I
zm@898zcXFCZ6%<a9$GUX>Mn!1d}*;0LLhoY0NtAD>v`LuX@{vLM!Y3Lx>07vdxvRq
z6GSFrLPWv9(P2bQGD7a6t{ZnFvj{zvkQ*@}5@CY#mp@@S%28}0VZG?+tr8v)oIjF}
z&!b2=%2A}LCLge;bF$<a!j~Ij$ro+Gj?c}M9TSfgqAb@-UqN`DKW1xR>{NcdaPJ*8
zQiN>-j#-Nk7`AAsBIy9SI|UJXh?N8FAkpCEWJbKsb`i*1{i8KZr+@{r!P%<sl!gBr
zq>J<kN&8G2vU-@WN-s8FLmV|auwh2|B&V(HMIMX#KflWB5sPamFyI#o_34lb{D1?d
z;^%r*v)*@?hoL48R`+wELw_kezb)}6eY}yP(hp%bLjdOK<Ig4y=yH7O!K)bf5)b(5
zI?x?V0nor?GuWc4pCYcDj4=-IzrmuR7<}MtKSRR>;QtCsFxdwW3+R6MZDT^dLptf{
zuAokWOQj%bTC`LwfEWZO18|`$7Ct>XYEe4F&?>N(SerWpa6dVoWHs-P2Z!Q)66PI<
zI58p6F{@}Tz<RyybXPDvkLa|u=;t>*bX3*A5g1?{0TK(4*WxdYQ&6IML;+6@853^<
zs{&{NXnw+^Q>vWUWz&rTH9o*ugG+@frcCye?W51f8ZqU_xL4q;#+WLhon2^Sf*l57
zSAz&qX0o=)F2dWyZ?4x#XFy#z1II8D2w~3ZzHEM@{rNPIB9_q+dcPo`k3%3V%L0Ah
zhadGK<_>2^VwWnz(9l}u!m;^L2sxy_mi5+k4KhY1LJ%Nk5H;BMpBR=3F^juUZQ;)u
zBW!1po@5pl&tEmF?DVR3+A>QDA_R_z>el=#!4~IrdoY|jXUg*dHLa(+g3Zp>MJ>E1
zH5qy-I0ya-^i7rK!BZzWpq9T9>?r@VyiqOfj-teNwbUhdss=g}i2qeSF$xQEI|1J)
z!4u+^iRu0jN$1tRhb&AMvy$VyqFVK9UcBJp+obglVx-P*$ki<usq^AD(6UpI2PIxQ
zFX5lSJOA-~zhD@8(hNiIkk8xm&2L5<U<P_a273OGe<u@?kb6|XA<T&pf=`dU&IaYy
z$HJcTAIr3;_gwUcxD~n{oLYBT7m}2ca^1@NSY>Yr{<x8H(~Pd^nwo^%lpmywCnS|w
znoJCWECe9J^`!uHuG13;Vk&<-2WWjQ=y}#x&ZoaUxf5>KW;x)6dzyh|HDN3b=eKd!
z&9dXgn_c);Uv|9M<N|4J{&2^OH_L&L?oEHuFkpT5N}cg$;@@-6=6Pp8rLkT0PH1sc
znSHTq)b_(u2r<$bX+MV`G{QJWEaC&68^B1ydg|=h|053?+2Chenh(}WHLkr(77=2%
zS9}rQm%Y{;W0NTE6`L59Mi@rN%5$mRv2TRC!yt`|A`;#o;#O=*ZF1Yqt(Kkl=5==6
z;3mJ+<zOYWok&a!Xk6wWy+Wb#9VQyw@vk@Hza7mA@$Go=W*2sJvkN<#6~^1~)2w=`
zV;WhaU)HFltyNqbGrK}ULZLhfr}j46=fj{fD+^Vqgc2&$mWbuoG5#C}O>&#}{J}+E
zll*)AH_kDH%S6BHSM+n)UC;k9pPi}DjbF=NoP8~S@2}dP2VYA)>82n3lRsi__P=M}
zcc%J-RIZdz5Z`Kb-pD&n(FYPKj@u!+KNduZ5GZn4;DvOdMA#qW>tUUwlPhe@3d_h(
zJb4o*1>Z|OOu)*Tzm-f`ma4~AV*<^GL^W`Dc+7QW6TYW;K%ALHaZAnL*kscTcvr$P
z<e8A7$dv^2&&wUDx2iCUaKxVugh|^WW$n#ETVZAuowIE2JwqL!_&xhQoBA$S<N!t}
zTIew`_1BO|$D^$!d(qdTV;ct^Wf)Y+B)LtHRJEHvJHJ}cWvIQeR0M(N1=(gvO9;W}
zJ$IZly2ztnn=pARb*aGCveCz}USk!YQKn>u7ON34u*VyFo;$JYjRj$5K<JC0hvJZ_
zhOWz!0AE0$zhFHYtxDQ25$ymyygW`hz?ZzvkMMz!FFkc*b!C>P21-73q8hTo_4!r)
zK@14dDs2s$p@(wwjc_`QkNjxDO=V<_vTNIMvl;m#&3RJb6zuX3?>4nt)yyhaURriq
zY$3hAx;i?p{P<t_XpnP*LgGb5La#FUCU#b_z=UMdN6k{FQdW(*NqZwHjD1#)Bj;FC
z+}-8cEaJ$7I2es3GS-!umJ7xy5urTK5#yYZ<ar&J`6@RYdG)i1Wk{;CShY1u_FMDY
zawFZmn$RG~`N{NSpE>BZ9f~{7xHt4Rbs=<S+`rgNCyA>FN%`A2Tt<hd(Uxx|U~pzQ
zzrGNlJuBeAihrGtJg|B87bYzdOTpNx&Bt`+ygcVq`}vmd8fxZ7?MB_T@}Ec7ZE;LP
zEG5Qji*)EQ*+{`=dnxb39?t|90y8!7%f>;dCy;F4MGV1y{8R*JSgBr889cYBV}a;>
z_t)hk_S2-5yV(4b#OsB<+1d&T^vklYYzBmYLsciX7Rv`(N1ub-i^Eb7%?f#D`<reL
zaWF&PUjSyp6OC#MU^aaYUtA_zf!Soh3@c&xjq>hDC2gRteL1!9)=E|u7<~B6eF!9^
zZ`E#M)u-7jr6;(8X{`3-aOPqnwuSq7hyXijIloF0@^iq4MC+0#2dK8GLJ=FClm21{
zPtb3E+-o3w8;rBaoj4=mHPG$KrkKHuDPS}mx4`$X@@d3`Ru?N{<7PVky2=f=tw=De
z;c?SKE=!Tr4u$3ogfb*{UMtEL;!hez@wW22`%piLu@M4_M7oLKLG%%1UW*|)GicQ#
zd^r>=a>TKRwF!PU`RM0%OEGP}n&EF^jw4e3nS9eM*{K!;qyon6%Ou#rDsX*DN1{^b
zdt)_a)u5%F{tcC4yxb4z-W<tata3&iNjR>SFOgeNqymtNw5|$C2JD;X^OBqgti-~?
zVaRc%jmeyIr`gy2sW;?eN1*C2(~`Iw_v_jem}D%+550ypcvKZ1O1f=XmTlQSW#S@C
zG6A(^yJl#UPgPMuILSe7Q@?-^rve)E-p+)ZTtsS^vnU*e)$#~onh3Bf8<TMurp6&e
zDcn<x5yY2x4}UU606oWsrW<-aFmQXKvw22nFo9!$_F6%GEIV4x3~JD-73cM^$q@-q
zAC3`#0|Cl22qmg>GCqz`gA^u+u?NOSK^Z9vwDFju9Ug!KW25X*8Oy(pxWLVY*8lNq
z$-CYiM-hr!`Pc)V76jFqy%tMCDE)bh-fpBfc$!zESa4H%<xOm4;hzHZV`>5Z*iGQX
zh`~BV*Wnovp!D{vbV#(RETA0Hc92Mv$`vB<DaaSsz-OQ^DAaK_q7<ry!$s#9)Ufx=
z5d~rZ=IP7IwHP3xjF1nZ>x{#}**AF_{Nn02B)1$57bS^03nQN4)&qSkfN@(#(elE(
z+ZL1D%FHmdI*P7}*vC;L4qawT5)ZYKumF-$XyxBDgU~ZLR@kwo3$xK4+gsmp;h%_A
zKqbbv^yKrk$~Jp6FxXdCWi&NA4I?edDLhgt9J#JIZX~p_aI1SA5s<AQ<VTl3zwH|?
zmm_kCL2Ju%G=eFhn-+nE9}~eAc(N^-42_KR*|u2j{^*_nV$-nkNbotRS9T7qL^8Q^
zxlamb&=*`w)P_Wvv$&%z%lD|aelLXXX+chURqr$F;>;Rr>)J@kOd~L3&MsW+Fq2+A
zT#1DnLpbz$X4z4)NItI*_hGmQcOnyD#5WHCk)^bII&IKqaTutxb1xO%^f3SY>(m`C
zn!k&B%&H4atlcaz*qEn_aHc9wJLj#ojGuI^{aY;{TW$H;TbYhm$IK%6?Au~;9#cCM
zv<uEz3W@`*A^e(#CA4lBX9ACqB!>2C>|R_8V(yu1@)EC<WMy3N*2a;QXAaO;qg@o3
z7@&R@11KZUMz7GxZeX_je^R18w^ZinrDa;SLwqjXG&c!4_jTkY{SI66ND-oJ!^p_0
zel?%TJXmZMU26t0EekJrX+cc!wWS-E;jaI)r<YtGzvCnVleb?pwp-aM@2S|76$ud^
zm0uhqLka)klwqf(JoT#7RyopRph&H0O0m%askjx{r?<1LMfT2X{*mJB5oFaY#ZIxE
z$_w4Dt}E!?rh+3&uqgvd?`GO~p9ge>ZJ0=TGW%8wzO~%}mtYo7*4EEo-Sp@FbYXdE
zb+H~)E0(XW^`M-e9SL2FuB48G;{#)*a-ZFl?NsJvGR_Y9jci7_OYSx1m#;3b_B?UC
z^i?>H?l!*ccOv>OKGO*lQMW7h(kfsKA#+6%_fvTbIuaV^5(Q1vT-)65xd5Fpb6>28
zZal_)0H0c|PIw0Pkr|7Q2_Op-h~|cY%90WpqC`ZxMB*=CZ@fB`+j)JP&r%{uX%mLe
zs*?ycH_-|=tL(7rmUS-W82i3n(Oz(ph7%b!%$@kPl2XH?q3>5Ffxj-GynfPniZ2eq
zTWi7Vu(vibyk6{z*?Dbkd<UlssP_HgY(*#!u3SjF(oAz|<!bLtc)4vKMie@&9oJM%
zQ8A~z;UKS+#P~KsyRsUySz^T$Rn3qaCTbsLS7uxGjL62VlxhYwo|cDrNzr>ES}TP*
zQC_>@@N87lIXj)B64F>e%>qEDPI^Swhji;7zv8q;(oELArPJ#Bht%zqR=o<fW_sH-
zR;+tH@h#6oOoR*RP4n`{6z7Mth&wea6hCj?_bT#Ot1YQvBqS!YW0Yt^q`S9$6&Dx^
zZFljI;TuFUZaTCQ=J3Hzi4X<F10u{VZf(sPiWwe<swn`d`9p-Ly=Q;oV-!CJYv=v-
z=e%<+ah-5Otg299z1VLZX@iF(63tBoZ<^;n?i4z{CFi}RN(6NZE$hzwJaL;QS{VCK
za=(ke{8{h7<Wk(n#b@bWy0zlKw2_U4-V9yWHf^7R(R`b-M;hz0$zD@w*mJChWO(^_
zz>$?Cj+;btMI=ue_eOR@*YAfzCSFQbx$1Uu*D4SwwBPy!*g(h5UrN*&8^(Pm%lG3)
zYgxBtt*xnf4n~E-hKS;#nwlFI=bt1odpIs(s}Wqe?IAQ)PTrcM+N|0EF5iYJ{c24K
z8Y9)}=&nQ{(&^TkG?{He6dr1!j^Lc=$Sp^(xfkq3Oed7?Po7m)#$4J=F@tfWAjp^!
z%T{!7Q*@AktVzb~Ku|N-e>+(j1%69-+R&u8NiXz=L*gI;5;E3WDust_y6?_|v9(c+
zU>FuCg1nXW%xSvL8*5rh+iyErlMz{`(N$uu>jhfl7ikBsbqX%bw-`Jn3}Gm0<c8Is
zs7(0F9IfMqQ;M<5YKzY<Mu-^UTDdvrT?+HtE=Ia1mXmTgF?3DA^nq^7+UGfGyA6xE
zy$;uD!D734QkGrln<nw4wnv8osroO}lD#=Z+HB$U3qk^7#+#H>Az-cH)ZQr(c|HA!
z#PXOi43b5%=7kUgf=PjgzYc#6{yO}9_|siKs-}n8@h1E&_+9vq@#pOLXI-~!x@F)!
z*_6*<=IR}Q8}&GZk>UgCmG?Fc5#a8x#5@QfReT`NGRV9An-ajwBn2JEdp@#Q0kZyg
zrnIgh;;HL2V-P^<&<6~=k9Xa^cT#Y`;2aboMKfYt4HyKFDn1ab8RXsmO}I=2{1&<V
z^FaC?={IVYQ5MnWjRa(yZ^Ur0-pvCK0!T5nk+$IrxZ@&Ib5$SQ4FRAk8}~UnEBp!n
z$w2|g%jeOtUXHdq>q!XvhQ^1Ylxw@k_!*aX^U9L&p=!00`^r%j-^`F72~-X|2q3NE
zPf8RG%5MKAgaDS1(UyGCwrJ70zc&46*F0S9_!rl9YWsWM61)-KRa{9Mz1<|#&hwpK
zDYEebzLfRSY7&`2#ryT6ai244Y#Mzx)a<ea!Nt7-2q49@8(AL|+`fkz91wX@&~l^?
zgfn!M0qd`$t)TlizT`H;U&he@XKaYIRg&n)lMq8j3li_h1<WxsNF|X4Q66=#MJi)e
zPhCf08o6tGzF3*4HO&wOs&Mfav-6l|4kR}5pcoQSg)xi;GF@ei(3rTjpemX5dfY%?
z1nbkVvZ^RMBnZAA`^_&KA7&{9Y6{_Q@=ud1CeE5X7AGL$3a15OrH#lm#$uXtpe(El
z$Rq($ZuV_aub~69GE%Eis+dfe8B(%ld=t2l1$$?|22P=>O~C}g-r29!UIX5ls%j(t
ztf#>5_V)|^*QYuBWlup*fQS66|8g?%g<pnMIf84H2zB}4oDJnlE%XBaM!dsr(X~3$
zJYk{Q2x#kZBdE(njwnG5xY-5Jo^C=$hWqJyzH+s&wn~H(kCsbkDG~t@jctBkN-H76
zI2Y+o#>L!Vz@c0^$R~2qk}dIZk_x=ON)j{jsY#sLM6>nK+1MC?nc5c+^hFiGZ6%oB
z;zih*w=%O^<1y@8>7Dl!%3AF*mWzd_FA_^+85cGZOxkL#tSz0Gn(j@vB~OdTx6xoV
zgi)fjY2*?MdN*aHO$VykELc2BU-5vtsHUi6)-X9hu}s*S^9gw&zu9B9T{cRJf%J}s
z2BIEGR0c3nJq~MxJ%kK<%tAc8cig$R=v}O;Cpc=Q<rWbUucZU2Ot6KC3{q$LVQT~(
zPPoZ~F!Ehbfvqrs<=H?23i;<KG1h9s7ydhs;D!#vL2PJzJnQ=sP&&G1=)(WF%J#?~
zYCz4Z#|X;4ATewd9?}FGCuLUV@O!!<%c+FXVL=gWzQ<+BQvEp|C|XA=GrhGQ3|EhH
zZsS3Cq#ud_CUuT?ByH^0X^M|vUeN3}iT!4)?ufUwx6>5X!AZZ`>KW7Q-#yx=(*7PD
zxMgW6EZNoo_(gb6hYD98uj%aZ^kTT_bqQ2nmhntmr`bGdw{|oQZRmZYK9w=%x;4;@
zZNDGB;SR9-R$=VjulsV9BXR9v6zSa10DllYZ}`23Z$(c#Mu;u~5#X~Z(hY?aDZ1gb
zb27Sd0ZAeb;Lt?{(k+0xJ~Dz|DpBg8I24H;Yv8yo434QhMJlO8k94_)f=&;F4Lf?>
zAsOF_Mq}?phWr@bkGz>*q;HBn%GY_K4}V!?9x43zKD^=g%52i#1@LzdGd3^uc*^%I
z>#!@oAdFBuwG9eweE)>Mp|3)9t9_7lq+g)`&j!d~10xt33sor3xi1jTHU<R5tjd8#
z3(Lyl5}-1ONJI^L8PcelSs#Sd86A>H=UgZ>?}`=8Zm&w^g6XF!ix}>uNe(f#jY8h{
z08w8gz@r4TX^VFTEYTY?i^mQMA*jmRk}`O!b{RW~g{Llvf^MzsXo@XbQE9bF_LRbO
zx4U7NlHCkpEcK&Z!{I+0G+PO6(}8L>3l?Xm&CCerbqhSKU?7r<2Ci$GnizrVEQb;i
zkH+Yqo<}l-qZ5T1yI7*PW@f}m8C$Ij2T=G%Z5ErvLc5?X!>Z$~Vg}}KLKv6?Hj=Tq
zMW^BJ<TE8#IU3R;<-vqC9JA}Dn$3d62Tp&H0)uC55YlhgPa=d`D<}khrVcT&`jzzU
zSz(w`>N{PE>9{g}&J0^w)?lDVGxP?lCBX5@l>>aUG1yT2)}v^&#Z?4_wYF^3MjAg)
z`*cCXlx#ih6yvRAs@qU!k!`!wwu<!p+kxWBBx_$l%+IE@`ZmU^G3-c)Li@+y?|ma^
zS8qZ909qS_0VYkZ1y|tTrBKJFITj=fA-5L*j$ALBV1!SP5-ohr4Z-m|2?5JvVbC7<
zTvu{>Q<%P9YY#NWqLS1cYk?S^!rnl*l_$2GX&@IX8%+F9!Z7`SH~t2Lkor5zaNHHA
zh6uWEp&%JzBHXl@K7Gn&>ug1X3bH5`^|FwV#oRte+!L9?VPo{5bkwT4$Y}a3kQ8Y#
zMPk@iT4JhI)L$oV9m3Q!69lKpIOjqT3nal5-3AO!U~N(Gxp1%IE4*riHpXB#BO`4s
zo9Dmh3YS=BjnMq~J<Sfk8?yAjnWJNL#WH4WsI{V9dNirlYWqaH>t690IbD9V1l539
zc-_R|1xV%bU-8_SzG7&|)13ZnGCVio`ElMX^J=X&EY!*(zt@GGP`NTY2a!31f;%)F
zS_`s1dXy@4)ulIDw6VLuXBnqwu)I6B1dh?e!i`++U_k&Jy$F^$t#-L6+rtH42-g6=
zghj+2f1Yu?(Q&e3_<uv68}^;0N1tky*2ZJy6`#AR?^t8$m^yM}?1{TMVfT!KhmXb|
zV3XjuyjbSdT5VXUl|_E9zU+j`m9td4nL`IkLZ~4pr8_#?8l~0tN!N;3d`7?Fq-j$=
zK#?1xl=y+7A-<b*L^^UT$%lEhRvQ*-Ws%>vY3F|sY1(@f3WvBcE?7KJ*2FiHwl%gr
zX6=)CwN@JzYGsk%4@KuE+U@yR#I~Go!H@M&<>^8}C=WL<P=I3zO<t|lhQ(bwV#gQU
zz6H4x7@mb!Ge^;pH>8IlOsGD3Mtad|`>1x4SA0ghb>g4ERC6%bm^TG60;7W(=xx!o
z0NgTb24B|5ZE#mYH3rnz)v>Jtp6r!G90E?^bno|QK7EAgG^Mk5(w4N)HD081ajpV+
zyN>q&lyfs^p5^NH=n$HhrD+mFrji3x3K;>ZY)3f;G_bN@YbpiANz<F&KN}|sxhYMG
z_&%wJdXk~aBnKKQAvESeNG>Cu;W?h+7FRs$n&G*xjcDx8c-x3=0z>z6DXnSS2UmX;
z*(EIa?D~iG@~b`noWqI)oOH9H=K;KpQx601t;WgtCFu)+{+FM7ambd?<j}bQYh9``
zWkn?h3ob4L*eQp1zl4S%j|$#F2fS(Ij7OTn7|@713gHMG>h5*&No=Mzz~4Y{v7ETZ
zSMWu=hcDyH_z+*lSMU|Qhxf7*&CuWl8&7Kcz)r>4!~eIBf;fiB=KFTZ6TabNdURu#
zy$p%*4t$-#%FdOd(q9R~32COvixy(gSFPslt@g8H{;p-@+`oe^N)Rg_=C}dfE)R`H
z0z4fyfKLIcaVg-B?C5LHz*ryH_Qsh!>_CkJ;I1HB>7GlgXrTnEUQ?WG1Y;0VV8_XF
zM>91W%*%EPYuFfI0&t(?Q#Q~Ms~tU*`DB~AGq)C07oS><)j7fWzWmrivDyLZdUQ?J
zwz3g*(XCOLy_&UJ<M=q{Fo#(ZV_;AtmN1V+BACToK_=yxCCAA@zIJ~rtCxkLXze|e
zL>oEqL*+Tn^LRVrqXhUCFdzL6<?T$kEIPioN>IDF&^juV_4G=i^ZB%_nAxY`aBHoW
zuX;yC*?dg4gOS5^?Bu=Sj>q)4@u`|&*|{qZm`;S~9RH<HUB=%Tchv!g*;{*Z$fV9f
zSaZQIH<jMSC5cM+L1F9K?aVK?M&EHyubhffCXcf`CsCx;(R&IHIh_g0$a=9k`yh1i
zt7pdby?)t(6UG;pe&bUJ#X@q!6*L*u^CYi|fmMltG$}zMRj&1vbED?&n4tHCf7?%X
zdtJ;UBvz->xr(k#=sPh(r#BA>z!uhiPBdDurUgM3i}diejM0QK9`wcOx2+-I5&?(7
zY1{N_8(4>MkpHg>r1{e$heJ{BI#EM!4;|%MR(@@V{?Ij&o8IQW?>A}~qBO+dcaY0Y
zxXuZUaMb?)Iqb)R%}+DgLd`ZgZp_*<^+kZtW~*?3X7k%|4m9KaD>$4FS7{4_ayxyr
zD5g^|@J)3>re8`SSc+Hrhb-{^8cxyKvUq&}zk4sj(ei8=9=-$ZI(t&FX8%y|<PGu-
zZ}k`N&OLzIPk#T0Z~pTA{>@w~?35Zid-@J_u+~vJu)A}u^rnXy?Cj>i;q{s)gHOO(
z@O?BScY3B6OnDJjDQpVez(7J1p;)4HBo$(zea({s)}^Uo({6nO<s21bTR<om`ZFlL
zbJHCxloC1@?)DtmPJ21;GWJcb8VHn64ftgm-%*5^uXS8?UBwsiReTj6;H&sDzKSoR
zt7`*yZ~>G>uWl$Zd)hKlokf%(X3eJy*FlqTdSH{V8%wj?9v<*RGIMbb@y@5enKCA+
zySwH0*Z6gMPoHTEblm*3a?}Qd%%^W&s;Oibdpa8`>e~Z&9__4eMyEYO7VSfZwt3y#
z3((HMn@28ZSrKlXJFiRWx+>n=DeWTI9bkvDCIR}w-19`n(quJpQ7GsP_SVgn&ufm%
zQPx=%7Yhvu9rxUi(@a}9B&XcS%R1eoxSa9OVo;ah``2yI_W1B=5B|SpxZTs#oZ8?=
zf2^^JSs`>;uLFdW^$Ya@JW?<Ne6i;7Q`o{5HnD{*oQ5qthb?SktFsc}3JWqdw!>*4
z-FAA*6gX^wm+O2Khl!#Oe7X@_zNxmO9q?sE5v!m?hofjBzAQn(-?JuuEc=QXPGGlG
zh3zT3mv_{6T3vj@U-T%x72RE05^1)+U)=~<uekU%<C$6HHlV{{bLgCO$Zu|+TYdGy
zx-qyodzXE2UWXNO%UUbI5Vu}JA5|2Ec0i(?W&zST0Sj*&#=(34lz9<x>NPmg1M!8e
zRTH()8LbV4R<)MTeI5(17L^^^ZsK;biMGJKN7OxN(HK=txjz1lU2%W=pgiaq3N6+L
z)hSAomW_)@)>#zaj%{)ZtEC2vFjb{kK)0mnI^EgL_JIqCFvPOIi56TthP4${N6ZV=
z86x?^W|6G}EO*=A(mF9ORA;OvQX2{TlxY%G8;2at{L413;)^KzDBG*J;`aPjoxi3d
zW8>Q<ecjk-d*_AfOj#an7M53EW2ER&`Rv`x<{qeFD0Wp*fyvN;MWF^m<e<(Uu=MP%
z#xG@VsNN76#{51qToRaVAaXeKFWSITm)^OddXs4)p<@*#vQg7ONSdWcpMirykYNG9
z5FmIN=7mN;ypY7*LI86PO@dZYt}I(4`z+spWftzx58GisK6%MnQfSf2m#COA8h>v1
zvrx><t|s}p7&RX(w^@5R-kLD4M;#k+)|D&A6L;2OIrv&3w5Ce}EC5VIeI8l?*Z6y-
z`JoM00U^HPN&}RNoTv0%ouaF<U$*?=1+)S1RT{p8mirdgSDerOiraMTPzV;3O^dI7
z>q1EW;>>%Z-D5m*BC>hx?#@%~V1k06xcw@A+uQ6o`j^%EGJkAcc@Vzq=Qnu&S{^lu
z8^Yj6-^WE1tWQW<mMbmeHnrMm%RA%!9KyI{BBtJKiP#TF>L2~SwgY;dVzEp4F(O1Z
zRi{BjLAy|xu%X#OVZFE(;KdO~!X6Y`4;|{-X3n3kViK?LOknoKi!h~!LU&AVts2g)
zq$?WG5DIPaO~Ig<E7!1Uv}J;q{4pts`eBo~buK5pbFuYjSZu^!G?vn4;J!3}(WLvf
zEeMN^_zT_8?N8gc2>XlbQ}=v-&#~A*zi`A%27<HSkRn+`5sjEGl5Gko<ZV6pc{I~c
z>=IzJ=E*<0a?Ykd04{#Y_2FM@y{GBz-KTpt7G3yPmb}otAHW%X{`3B~y8pq^kC|U|
zJ@ppBN_z8<V~2gHZQT3O+E2Nckp_QpY{XY-WU<&tnh6TffCe-mgI~zn_=tNRsGr*<
za<inlUsO4$v<2A}Z~k@9Ks(&lGU#?nae%DV;LYcr>(oazSld9nc;0+46;B-T<^{vb
z>?cth9ri^EHFqzt<ypsNAb}-`$w5(sqWokALF&a~Ufdg5rS0@I-2Y$KlDqo3%e9F;
z4lW}(=bp~8SOIFzeVVYi_E#!Yi_;VB>bI#4Wvz5#PapWDZzIGWSl@lcMpYxJ=qGui
zH=tKxb#(4w0U#mz@SBU2(B`$v&0c4qE51!5FoNc_*2*^Re6rm|;hb6=edpdP8}2W%
zaI>c`6u6_8p)trez=rW10k8oLFau=}@)~{=P1ku4c>M8)-z>iJjca}mW`ffUW4Q&J
z<-|Gx7IdJ5Sl9W4uBq380h@M0C_^bXoKi!`A}gK99P}QH{A2~u>%vSpPe}6BAvVVu
z$7o(*NksOTASj19*DC@XhY6{rBvRvV3GOt?$DCB-6gzNtzgAva&#7i+1x|6)B^-1~
zfTf`$9cNMKcLEvr+5v(bKZv>N<9RQNqNu83+Di~H#LRmTo$iFN$)&GKV<1edm2@vx
zIL#+Mh;t3_H+g^xL~9KJO7Nx#stL#_;64fVyAO_iA83DX(f!aqbAS6_zkTr1S#T_o
zSd6-IsC|nV)JUh2gcvO8>?46~LXC#xo6^C61TIZhq}}F*kn6lz-jp4+ac)g(!PwDV
z$JkP#Bd;n?2SS3_3vx6Bo~lSfP)>h_1rU_PH{0w**`x`QVwxcH>t#FpNO`-aEHsVM
z1L$F?zimsi6VW!rPt63Wjh?t^dnj8E{D>g^(LiHg1q>5VsVQ&CiW#}L%w4TJjHP%^
zno26Q+j87*|LXod=PMUK9=o7}yfAToErn2CHKT2*V4NMyXs^Ik!?g+@Wd?j9jv^6|
zPLG($wP@gJs=~Nm$Y_wN5`)1ho&v$npRQq7Kq1xGp3yT#^R@d{YiiJDw9O5*OWE2{
z5Td!#*k7{tQmi7eiX`s)9^kP<_oU5k25x8#Jj;2W*~}03gZG6G-5SKCP+kVFD?E@#
zvGOMR1SE^;q=@~Ijj<|A!wAV3U@@MI>1<TT6-W~V^dj))UIfPn*}PBPaSTuBMPRjS
zUIenFi426XGk`-yqM+ua|9sPY3!^DAr?s5KWc5Z4V_Q2joJ}lqS=0_F_A#|sWHd~2
zW#$pOiuTj-h<??SnN52P{kfLsVmI9<nXdkIAx&r*nuo(ETYhP-BOe==`X$i*9(bGS
zwKK+;RAG}8Xsa&dDM1|CpQ}(fl<`KF;`qVWp-ek5eDYG3GCKD3@V{~#gvR&FrrNp6
zL7kcsLcW7u<aPDYuD=s6`e8jk;4l`qU(Yd=k1r1M4>ET<ej1^GU>+M4M_F17TCG-=
zwOS}c!%aUDReGCgwcORLDEcV!w{ol1qBkBU`>i*gXorp>-E6<X7?w!kxT8!;`K|UH
zyErjNQY^U=@_@Vel3l)bbJY-39yZPHU7p`u;Y)mJ!I`ViCOep|{q`h$_#KkYNtNas
z@!&F_n&<W%KF5=0aF;V|POIRv`Fr<O0G2Zr#8%mxUWDL@i6w-q$4ZQvf@tcKN=Bv{
zIRxRS!vWkHLfGNJEj_?GA?ntxT|s=m(wIZQwVM^su|VYmhke`4XdT=WfMw2%h{Zy}
zu;_)k047<T3e!fNSmz&-v?{0#qBDS?@Vl)rO#{8C{VBwFAd!2z^ZCvenfp^;N_l^t
z5RMT~{ZY!B1+mhO94`+2u~>iIkNGt4slln`1#BCj@U1_+IOyQleZQ}FHRyW$f4GO`
z9F2Bg(cyV}jI|zBg!N9-XC`Pg9?6cy2$r2njigW=k3?5gA)D0;Qd|oMeJ}xixFAb+
z2zN+XXgdQeBuYY*z|JX1z+tk+Ld!P*$1+JQv@dcUiA+2Q9~^Eo%PK`BQ=1o&$OBx&
zkQa0_EhZ~Y;>;(fRa89{GHQ+FGL{63c$UJR?ZAcCN0(uL{$ysJuP4K9!>U4O?-3Zr
zk7<Y<{5Xq(%eTU5+$J;<3Sd(dpVL;AFxivb&%uo02ZSyOnup}e@xR=flMee?Nz&hK
zcn%&&$(rpSAcn}^ll#^2!Z6Jz4vKurFv)QF7Y{Fd;TJD_dc{au65{n#9DT<zdO+QZ
zK)nB845T>xO*g1TNG7XD^aN1U9;DQPU`!`ys7_gGwm<YKLew|Tn}J>cU#|&#{kaoa
zse|I}QKoa6gkg#hDJMmyB${P7*{3Av_0%eg1t^?(8V4kZt+Pdq<d0HS^<L6@P{LWo
zn4yt|%4{6gsjxe6L|f)l=gKZ1*N~8EOk7UN1(t`!S7`DQ)&N)q+%AYLl#s6;rvXCg
zvdtrJO~K)OVFJPclG|(X$?=xT8?ZcewkSK^9S`-S@PSQMg?2vEZzxP=;atXx^8KxZ
zBz1IZ4#&Tk<ZpSmi;}}}9{GD<7=V<Pj6$Ln!Ax*0Xr1Ld)yJD(tuilfF-mtZU%(?&
z$(=O}?pR>L`m7C(*n~Ba;_xsbKME=?n+7a(G?hHnpPU=-IvKXpXgj&%RU5#z+(h*Y
z2UWuUcyaBSVaYRV<Skl{+I2*;)<K;G>ndr!y@u`YJ7JfOoESPz^zJ5^UsLk6hR~1~
zPI!NF=|hUHTyy;1_t6RS?^kA(pBim;obn?8>ilt?%5yJUSc=H%&WCy{Jg~o?tfiSH
zW(Ug|wjE`c>?oC8KkQ_$$M;9*hZ4T8gUXaNf5SNMGT9}2no%ml7sp~Rng6HS9=_O8
z6-Ep!ZGJu^s0xmIu6}Qv(c#-?4n0QO7r%%~6NMSu1E5f$n!wvL%x~bG3vw;nPeQgb
zU)~J#qk|rnLpWtT?~nODX`fLYn%H<fJhPGciP{6JhI2}`kQJAqH8-2ba2<gnKqB4^
zH&KNxRy!h+#!mwdiM+Tq2aBC}N+GH=7h{vh<b<oFjFCMdmfsIsqIEu@ADw33@E#IF
zPcpk&=!~(+RaQZxhUHcRDJp2tKqcr+&bQK>mE+9<#@bipjK5s-KB;`5JCj~=W0Om$
zvv58%0y;$>WapAr$5`*0_v@Q?PB1LW94Nz3vev~9f1p@-SOq?)4`NXeS(cK)ZGc$}
z!LPsuiTNx~TVRqVbz?ZG&}#BY2|f89_Uvqvb5L-_IBJNY_|j~P-?6>-Ka*b-sb^*h
z{s(UR3#MP^EfbSg8FEZ!n{#e&vPmx3FO9MLTxaiZn1B4JeyXpOq*?dHdj=xbY?Wb&
z1j&4x;zP7j#%cJn<_DGxbF&qwSRft`O)z&LT7*bUcuh{!h>OwdVItT9b#cex<e0zo
zC(M#f%ve)Dw8gZH9Yi7nlQ~DMGp6MmCJ;exFudNL&#<7aHqdrF$ul={?^m>NDnly~
zqlxi)7R~p?3-_=vhyi&)9o+>cuCtuprxdr=OJm^|AP~|kQ-D9|ky2Z8@9B41C{EBp
z(Zrq)KGC35IS{d^K}rWehY}KULV$CSRCLsIWB6P4XJK~CU;9I%yaH&4MElZJ;(z#a
zyIzOivctRP6fKTWTd9E_IZE<4+HhsZrgK(=Fao8DeqzUOmCe)gk&<1OQIRV-`0S|2
zoYpRLm0Alv7_x`w+@suwA@6)Ies;!Xz3j`enO)}Qz6$$G^*=U3lXnkG&(Q}tbMibh
zN)65x)R0ps#|#?LhQ~tO9!xMAOSD=$K<~FVwM?`n$j8xh(=f_U>WEZjP$$mGP6%)+
z+^$ky2mpKW@0{~k)-Xqn5Y8Po`A4r-6u)Eh_Vd*pIP5EUPL17vky`?yO=6JD;03q$
zRXgih&%+<^>^A@3m9NcadpzFe8h!hJIDPIa2X-xph)N%q5?0l06(Q(8#(qQ`3vHYW
z@H=O8uVi5!4`ql75#}JD!y7owi7Ud}6Mr)5N6AVdgcK&Kt+=PROGlGElitZkH?Uv2
ziKVNO&lZs_obZN-jE{?l56Vcj!!h`qoc0wrWiN!%x(BHJDbv{FSQsCiG4o@twn-EY
zU31{7BzXomoV_a(fJcNL84a{7@jAP8Sm=3Y`91Bz=6cz)6GC<RcavwPG)YLR18|4g
zk?T0_VOrCw?ux?#I&NX)3fQrSgTpi}3y5TZ9t(&pO0T*Bd_iWV=%Y8#F&AOaqkFG&
zl^uD{%gz!23&`weO2t|JLkLKab9fc5v(WRKy)bbJv0#j;5#<e(3;Q)E(OkO+V)~@@
zIJP7}+qrXo+AD`gN=aD}!Kff*wk#E$UBu@Npl!XLN`ZQ<Xv#9_ih;qPez@!1E115d
zdY|bvbxd>4$WrYQ+BEsil?q@2E)~qD4`c6KVoEL{;03gjb}FFgVT9J1cUk<~e7953
z?G%g@iav(UOx#XXkgXsek;AJ*hv++gZ$!_I_;(w9orts1vvooHXv1%3#_;4)$Xmk6
zx5c$urVW*G<F!U`ujZr2Z{_56!u;d=3d2_$w63Q23BQ@UN&PDKuRjT)VRI1c570kI
z3nHzZgZ3rv;$56>wRTQx;lK)*k_^j3j0Z&s03yrIXH}#JFTwP_IrT#BxE^Td>}5+7
zw5{1pIZH>ZBI-peV%Ts9WnIES(hmZX00+HsuIR;|@ZDNMJveZO5fxBNqY8b1H8oHv
z_{5VAJmyvlD}>0|LO{0a)u^;I#7>!UK2jXqG2rGE4M4WoHGgX}JjZRIqm<yDbZ7?Y
zN8Nbwq=)j!Dd6e86EhT0d}bN_<WB{c_v67c)CXkf?0hWpxZT#1TK}C8@Ve;s;fu?A
zU5pPqKF`G=%;Wh>36!AWYnvEJp~>G6<k3GFOXGEx`DYA?^tIzwX@G&6_fbF&Vc>=l
zmPH$}-~U$Z;$UGR&sV<SdC2qptV2BHcf;pZta`htc={L@Z=>_qy)K3C<4Y4Be}MSr
z0q%*o`E74o3E4*JIy&TYn8qmTn716qs*Xs7+~qq!DrN?1m*v1UEex8xhcdZapJ65a
zeqT<f!Bagy=eOB*abIlTjxJF5s!8QA{^*4`gn@y#1otcDo6nO6if@?(Px7-kyB$Rr
zBauj>Z3ezrB1@x&=t8OkQF*F=eg&>uS4zEa%VP3Ej0F^@47??{s2bF{9I)h2_zJ#^
zFXIbc7rHLvEBG?Lkf<&8JrHU1!eZAbKHlJ4RoT3ysEK%HQzR<;WCQ+*D?`X@7KFE5
z1do>B|L66qo1fdM0U5IFH5RcxKyjj~IH}M8aVk%@BYr@iiv0q{)&)*zN<T!rpqq*0
zF%g-hgHV+30prn28{ZTpvQK{#vUh)r49X?<7q&r=QH&0_wOd?~<v7GR+QO(0lbs=C
z!iWVPe6^ZWCIj~-e^I9fWSquRiMXZ^dkNz`D=bX}ztEZtz_dVvz%YRZfd*WSX<UtI
zvW|r$GWr$cnsvby!%O1YWdW3Z0<tJQy}UY*{fk<91(;P}?rQnW?3aCQd_Dfb@*><q
zF_?2$0j;7t-d7Ji4I$STG-O}2BW*|7?eAZD{C&$lxc_z+*6)>`w1per=l^})B?q|=
z9>C1zG7HwOmDEnau0p4F7TDoXq<lIu^5HBj<cS8Iu9hqKVmQIrvIN<D@SYu3z;CFc
z9Bp`#AzKTIl^1ZS1!wCn>f&MmstYLiOe~U$QH)?1L)d^#7{>(0uu&0I?VohX6vH^_
z_Q^?M|Mozp<XnHcAV0brB=uGN9K;g*qyP-)iz~P53rBC?%?dAs8?<ou!SUrnEGi~+
zxJzU@GRc9c<<GpD3@1smN3)W1%F+$ofCXC*Q=K>#^gr%)m)qUzZufM@f_vQUHmh{L
zb-{ZEUhXqE5M~SFNJ=1Qr;6%k7TnF82=Im`7hmpL8WYMYt*v%sKDEmY7yiVttf^Du
zO6WO~QyVkh#;HwZB|_e0S8l{e2B;aXCR!p6B6d2{A<}3BAI2aZrsjmVL*6Uhqi-rF
z&mg_!w8C!baGo8udv=C;a+D?akVr)h-OhG)*6GJStD3g`0?T%3YxPE+akCoD+vL%1
z3JhAux0%^aAL8n;-+3eFOh)^OJ|UAC#Vt!A^+koDM?5)>W6EPge>)$EZwyl4meY6N
zT1qh?Qfa0(&o$QU`pVRLK<z_#lqx=`Q6r*{b&3!s7->#2KF21pT;jN>iJ7$VJu#i3
zeG?FIQBWzMs2q?xHqxS8$ebzGS~`|AFg*<Db;G5j&L0qsrH^Omqd1PWNXT}$n1eVT
zjFJ$ceL!Nx_p49^$#gN1p&aqXkr)h8z%c4xR2|*(p0nT3ZWn7>ToQekmP(CJ`DX!Z
zydq?Nf-iiN#c~)16Hc9F>N<|og7h&6Hz}=MicoP(Wr{7!DRs5L<e*5fc)27ZA#3mm
zQ7ZTazh%T_g{nD**tV>KueR{8yg%Pc5*9K|w|k_d$ZH+1++3^E($&u7`4@iSM(Cc%
z?Kc+wO|&@qk2c*TP0gC_V&o!ew7Xj_@M7l}vMgmz#{?MaHW7w&<fQ;U(WgNWanD4C
z{O&ksPgz2MFXL|WuU#H35PJ<lfzo56N-`3d{3?i*izF&uw-J<zm`Kgrw1{Iik%jz=
zAyq9nicFa%2DMmerfx)p<CRRz9lFCsun|7s$Pxw-fwfpH!z%|SkvL=NY3Ii0nZOK)
zW{{}#nw7RT=<th#ax_gx^1MDd$sG}E+M_CE<Upz0YLz#HN&brj$IC*pf!3QuG(Pq)
zWhil%l`ZW=cIdSZr-B-#FbwSj1WZRN!XLTV_Y@#MjZnaj;IlV_24AJ<TG=r8KmghS
zeRO>}zQx(QsU3E)R(3vJejMp+F)6m>S-ZT*=5v>tu$MXfgz#uk*AbClb0Qg~KmTd(
z=gIO$o^dwp=j#ok+2|%b9uCfNBiDxuZ;dAXjbq-j{IHV*SH4d&AyJf)<x}ob?r$eX
zzj_#bb&6>Y!H$vgKH}dYX(HQ`JUi3M!C^g$TKPFeSrBtfqrKqhbHf*E((kOONy@%f
zz1VFF$y8povACfTR+&-Wdlu53cTzg&DXoE>QZb6For`+G*)R~3?349b1AQ@yW3i3*
zyDul#*~v8J_z07{99AY)qe3*>ei?}&K@M@w9I>n|$Q=<It2?FqrqAer+VonCeXUW|
z2MNIjL%>Q*a2dwdBpoUnQtY3_#5lxlEWm>S&kzh@?1D**B3I$l$}-BwB*P?@@>Bx3
z99+C1QWcea(dq(^{9dy_2kbIQ&$CG6lv5dhHz|Ua#lz7ycI;k?KB{TJ7hy@{eX(nc
zjXjv!G`}k6cp>GFq&!8InY_soU52rv?PEPLivl$|=OmDoBm;p9fyCa8G)6fHr5U}b
z@kLIJu|Dgl&rjq49AXLb(5G3h_}~5eVP=pYl@?BP0KG961YhGX{pG6Elboph$lRD6
z2bEJ68Q0ygzO5%;5P3gdvu=40M#AVyb5qp22PRQMh2=oSpaRl~4qQE^CNu}|X@yhx
zjm625zaOjTfV+4{R3rZ>#IX%%8D@~ScfwxL!dJ1++^*XLmIj&OH#p*ec#t#@9}=s!
zTBgJv(zeQ>A*?o0K+AE824roh0e8SFS8jCP<zc%yG+_-@Q-}k`BXfXpe4I5iT_YWY
zlvSBS=3?Vsop1oU8#NTbnW^oc_|4FdwGNf}%fewzu=460wLT`}TA2e2B`EUsYDj5%
zkUEu2DwdLopTg_SUL!9l(51C7QheBIO{52ap$O8C$?6P7@Mpt+4FY^e5Z^?`_2k3E
z-wD!xyYXlFuK~rM-6wu9BpB#=^~MM8Pei{_g`ORLPm?G}Y7#Xj;GnS%Rahg5V8jcJ
zSOx-76J527LSzWlZdA*{eu3X-RZ%JpkQf}CubW&zG4z-H#ycYr<51O}327D~PGbQo
zrPEZRP1N+E^l_hO&Ck+d^EA8#&GJpt3*`e74k*njw;HWNE^w(|%90^U{HIuH!31la
zw~R7MqtR1xE-tKyzn3}Z6c8dSW1O=J;MAhj9xM%3%+dNm2r>FdTkE|Kj<fp5hujmF
zBWr0FX`-OER>g*wpM>U2{~1jBh>dewd5A5cj1Mhkr|f1EB28wqN|?3?quNWN0VJk1
zf2FX;ff8qI2yUw|Bqh03onp;HuLQCId>h5-R>vc6*K4#$?h3jEE6<>rMm+XAC8Ge2
z>`cbcJmWY>+zmQa+66BmJ0Bp4k#UL6IXMEv{X_TqA%6}q-2dci&8;-n$0%4CAK8(D
zi=*h;RzY~SaaPuBoK2ZG+Ve|r*|C=Pxd>pnG*VM21sjEnNm(l;wmiITmt{LV*J!r;
zY_;_0cPIE?J3eVkmaL>zsHWvkY%GdKMP5dh?J;=-eo(8WSC+FYpk--cK5Z7%f@+1>
z2fqlqM>UbGYB?2UdXP(L)}rth9l`i?bG#K*qt0S)A)RYp3C~@tonBdJFU-|Kv#ia=
zwR$6oJV%##Dwd41fsodexK6u8X-`vy-k;qma`n<}%(qdH1ZU)eO~YC;-<k_)JU`!V
z9XmNRq&nzl<N?>cNs)PpLwaD_M(!Kszv_P5wN=3ye7-@q;Obv}u*SXK_`m>hIkJ}4
znEpCdQ%Gs^AM5&KY$`t+4E@^$Dt%KYpc~K=tIKBm$Pj*Zali=J04pn*e_}W6d7?@5
zywK#jF#*?&GFp#_nJWpaFfkS7CgU)XB;NkS&E(95?yL=)K&1c@j*G0Y?11(#60^>Z
zn*D|3$`du@@i1xYmmo!@<)KSKw;;8j8mEGw&LA?ws1m>DcBUd&Obz(Q#+3m@4pd<t
zgbKJ+#jVuV{`PSyRj2?}F)AANON#O=OO15#%BD*=)?HfJgdTT{_Y7i}BWr5!;&hZ#
zjan*iLvOvEikAu&p-LpMp_n%^B{a+Vx0lpX8EUY*{qK*!mUQ!V5hb2S)k4#4gDF2?
zEi@h`x#_M&7;|%AUo6{x_freW+bzf|OpP~1EY7HEy2AQ7MAS{ym3vLxZDrFM1PKcV
z8Wq=VtM&1IVlWy?Jv}aCBR`7?A<NtBOEaB6B4j$DQLBJqIU+7wHtYX5ar)oNVn}tP
zIppUoT5%R7yQX8URhnWL$o#0#oo09pMs-Gy^UNSLDTJnPc1bGZE;TH83?ap6#y)Nx
zDx$R#RV4h%uGUg^ZEaX%8{J}pO$zzXHwn+5)1U7wZ2Ml(UqRh=tgRJPJ2a9J6?lA|
z^%%BDj>uEIzEB}FT@wO^Cn<BL0vltc41KMad_q4Xl6FDeY<RGp|8EW*aBYN09l4K>
z{E#pIHN<OZsViiS+uepoH5TragHEe4>ijS=;ZSl{WTM(c9Gks>So4ED!HJRoN2>$J
z$}llCk!Nk=kCkl;0Gvp+nN31PtD=wmM4&baYV#7lH8Z)al9J;(L_u)QGKL_5Sr8gE
z{spwlN($r-qKpU;0)kpulmYbahm)<AXjztJ+F!a~W@fq?u1WrL&C~;n9Ts5M3J_JQ
zRH;;<aw^+VQoJgaq#7k6EDtTv@4VIqxqem$<02NKF_vB_n2X(#cMyyj2G$0{6ql_r
zLg#$-h>_f?WBn#o=Ekn18T`fuN(W|}ohRypmW?rGSl&pCT@*)FiAacHhR{qjTD57V
zH4N3R?A=+$PH%>%gbQuiYm#P^hN;xc3v)fRgo`>4oaP<b(ZFfiD6<;IHCw3m7wxM2
zwrv_jxB4>bR4vEBrsy(_ZHr71$6l8@*4a##eC>!u?*!U%lZeQ`eiLJ4#7)onj3nTx
zCKz-ocS>lrwy6IQug8Jk7{!fdMXeV3olc#VVN0Kr)d&xfg|#M8U`obhLN3H{qtji}
zR*4PbH<yIWPb|$~duhsokqFboR_=sa=S~o~x#1|frT9%%OXdX))~eUlvcc-j+Rdk0
z5gPQC$tcDJi(F#h83iKuJl{*h|53)rv?$tGHtWqy=SyaPv*qg4)=w<Ubsc-A%LQ45
zDRcAS=zCA&S6@QE`hefwxzT!zzrk^A(~DCEsMqZgqFIokXNzs2ZllprWO<-7OY=<#
zSVUP>wfi_h(b=n4P+5}dQ7uyq#f0c^*S~G3OO;kle+DKOlWV$~#8V{%TUZe5GM*$%
zcH2`^YAPXX>m69;5G+l@4r|-06Vb*n_DIwHqGJw?NN5i^T5u0WQ#Cb~#hYw2l!C>+
zm5Sc<CQV9h$V8)p_F?U|NcTI<r(wCzGzb#c<bDgQsqM{qkeV5DYeCs3Rv{=$YT!gl
z!hN%NGsuC1{QzvTM_Bdyp14<<8K)IaTkY#4zmmfJ0s>{6TcAjmTe^!83lV8yX@GLx
zmZ`(9dGL`xcE)E?$ZBkVWfwx?d>nhF<ZiUQ$=eujsOtQt+G)j!Au*D$2Pb8aCN>1`
z+|Oy_y;rhdU1(eIRyjLQX2gD!B}rVF<T)a%Rf<ZX0^%f=q!%Yjvm$e&6C&llsM?B2
z5D5olemV#pmJ6y2aULcOQKsw5=o96kK2+Cq+0kn8W<)H>XF-d*0!tO=%sKD0@{hpR
zalChCf^{Vr;Nn3~4$gE>k8_yS3JAQsuLH3lM!{$t>Dq}cMuPm%In8|@^xzlpg#%cG
zSOLu1juniK-RD96{=c0263kzL?f)}D6<~2{5c<{(!$~am5gH?vHdX00chsg@sp}zE
zM5@u&Hh|AvxvLuORGmBb#Khg{k<vHr(3H+wGCR6xMVAZ%A-Afl)GL;Tm7EJ*>mi<7
z#K5NQSj4vTvSj&AY3^H&qbGBR5C>yDsQ_y+=fW;+^w$$vpLtmK51eZ5)uOKfb<*5W
zyn!q`b8^5uKF{}#ak>1*^QYUQferD@wDPj}JV|)E*nHmA-nXyXL13S#$9@iYif{)G
zF#SI+Oj2(t16=6|v{(1c5bky|g@P^Bm_ro3v@{Ly+&P2snkWV=HsZN+2JItZpdsew
zgm|LxSbYEsp9Ng95RMEAXkw~zDn%_i6;(Zitgc8*G{M57t;>ye(3~Hn9!5bj#l}=+
znNqQjT#DfzbsQV!!rf?$_HXm1t0+CP{ZgTrGiqnl6DIDWFhOn|muaf*qvA!I2sgT-
zPx)C|nJv`<*P;)+dW=};+Ze=Os7MgP7n7!yU_hbRb!Ul-+^mhU41&%Xqdu;m8Okt-
zcDmmXpfqoi0=+~|tjAiD$SX3N+-eUEAtD<RGckQklP{)d0Md6a^eYSf&_chyaD0E!
zeS25h5Hl)wI@(2k+v8tne)aQ!lya0s8ayyEN<%c9BBm$sA|L!6%Rm#R3VjV~wa3&!
zTA*u-6+t&$_@E+CBOgEpL{<j_ew$mgR`*|70(1vt$NnaBFg%IgJ`-hqJ#CpyU0t$r
zoSUVJsG_d;?TPiJ5e<~Hu{J0u)RlrLUYDjB{j>vrN1nO^TOh3rQJwv~dV)qFz*o07
z?lM3LuH2jBzsr)V(!;kYrB@!l@UGwgp5!=&{2M+(tV1OZrp7gnEyL0*#HOU>cWcHv
z5I|#B(kl;*YdF?9I|9;KImx}CmAp$z0<7`=Rg1B%jmP3*Fv_TuRT@Bm-Uy2CfC6Hr
z%XxM``Zb33<^B_^sR>cf+vkee;o<qAQS67q!|Zx+5H|T>7C>q91PF<%nJwe)f&ZI>
zh(Ct}n67q~5DV#~;#4dP!U*ntyJZGUj`EerbS=YSh8ag$&Ic&Nh=PcK<>%f)paDZ2
zaZo>kiOP&0p@uP25(vmZ$Pt9?P6yiXp<uAd3bve395b949(a@Ej>jfcecC!e2Do2S
zJcvwv1@qT@-7=|C=DZoRfg<Qxm;SMUa7!Tbm^~L@#SzZxKO=dQsEhjj;8RTYZ0(56
z$4Pdp1zqPhsUm9KE%xU^!Zk5~IomrU-2*ZVxTIS-8e~6Cn`tv<n%Icp(k}cMY<6N1
zd6!h0@fHhDEgBgOQ8i4AlNcj%0kKB$9q1xfx`@FNCoR9awP}cL|FI1aDl71ddo8&{
zU>c>y0>wtLfpbKwLD2?~3xO64b;JhF5#k#Htzj8Gw-4F}$2)3h>lH_=Hnv{fKJXTa
z=oMP33}~zV2<;bnl*(ab^b2!c#ju7Y>8icaMg%zlZ*X}O>d7F2S=s2x9_-LFzj)uy
z;kEATpdfFVJ@IAb)Ud>sY}^h7R(11|n*930nBC-8C8N^pC)|6}MHx7@jfrJfjfYjw
zUGJWqkJrID^}5Mje=bA$^3@gYdXcJTB*zm=Asy!jm7hq9qB6|sEWe6(u!2bqsFX60
zfO2JM1tbQ@!jy1GWLpl9Dx~MMl~NatnUKws_+&)9q&@hO><=+jsk`POO+B{CHQ<Pe
z;)YJvC4_;Envt?znb5))F|MEAi^#GhiNb)t^2$V6Jpot1Vc`>J4`2`tj2Q}cZ%$5>
z3}?Hb08>D$zZ9S(^K8BGeK9}h6XyD&74Af3&8nH%gm<)bhFHZ5MzOBR!={7N-Pw!p
zACCKrBU7)@rL!fb;fHenINOkP)ZW%wm-o6KHp#-wep21@c3B6Dd{B22uYA+dh`{V;
z2(SfgL8L%512-m6jJ0ABeISmJ5?3aCMJ>7_5Wc>hKdF2mB|**)Wd3|02gSi6x=ELK
zB$V=q$`2s5h6Pq*69)qX4gzW%JBbe&H3R3aiSd`&=l~i7sR53*qwQoHjrSV}vX7DI
za+h%|&s4DLrc%0UFlz__uvnv_Y*q*oA!=VZN;&zRd}{B;F9fd<<WFH!Dv{tP!LeJz
zRM-h#syx}G!uCbtohkG2{BX+63uj8?T_r>>f>=RR8xBbB)vb)^4?2@jm>s*TW0Zu%
z$z@YSZI(!A@{Zh1UXyNZvipwPb61RKA_9cdtjl<e>o|{gb=Pt&=Qk5r&o3o6!x=5v
zv_t-tOOt^{MFMB{d2Tev;xgk`gH<nf)TEKX>ZV}DVl+3uu;{>}v}P(AV2^9Vje2)-
z_&2CrR>lkOCit%NO7WVou|EF`A#FiKw>00CRM<;zVR$g`&#gS{Y+&`p2j6vRDOocA
z(k?`vS5UPzUnk`kI2|6k*Zx0y<0`h37}3vu8SH2h%;@uTG9z}96?A?lTkkdzlMIUJ
zXt6RnUd1mR-7S8z+hV*?C}lHZ?#r{p|Dg|fOYh0A`Fy{8K*!+MSF*AjehPiQ94M=o
zR0pv#G=MGH=4o~EV=AaJv1cv|W%yK%$2fMY$ws#<Be5T)8%I~wv3Je^&lr~g$Iz=T
zuH(+;P=D=iayQvj17V-9w$N@5>&oqLiFVtjsZskhpMvUdn*F5~RYHG>S9PTc?Kqa2
z`zb-E#UADcEg`8;@aJ~HKnZieL|3NQ!5qXpwXb9e&uBR?9lHn`w(N%wIfaFO_N#gc
ztNo`!-_B~B-Hr!Edyuq{PObs-?ZJZ&9+r?nUTZ%T%?WTbz1RTw<Yf2!;ovrJC)tF3
zn)G~=DJK0?{KmMSw0hkr9ZeOnFxuENs`hf%H0{U9VJTjeeL^+#F0OPQ(@}TerJRm2
zufC%-Rcy3AHJbJZl{Zycv=(<lpg_q+QP8r-5Rd=bdwgdPJ``c(50YW1lf~7Shzxj1
z#EE%96v&EU&h+4gxDuR2rsY^%n(HA>>J+Hf%k;db!iTy)Al54r$z8L!r9wIytnGz_
z0tFb3l}4?*L!N1+Rw6>pfwcgN6C*}vs!kc!KSs9W)~_L;57!>X?ZH;=WVUYGf)#VA
zQ!IaNm-kv!3H_yV%`5k2b?%yZO3-PMubdm2%cp@I8#JQnclHj8mr4g<w8y#_=G5?a
zM%=mB*f$qH8Dh4nyHeo9m+=}OmJ5o@@UY#mP_IYpS14sKUEX)?UOsmhV`UM!(U(5Z
zt|zhCO^~@r@Eyr$(PioRC@cGNoVD-E$GKu(#bb&;H66>+lS}zomdC(8(VKe0VL7Qj
z%MpH(m9QBvCnL1b^#<L@-^?Qz{!{RFOd_kuFY{Jz;wvj@TzD=nn>>XqL^;EHF6o>x
z*R6qF_8Z5z^&*zIL}KX@#d4hyQ=odd^j39Vfzl5#HD^cshy_=O`QVeyj06r9e!P|2
z;{d%;e%qi!Dl{FG#u0JtaM?g-X5qeLDmE2;`W3_fU4pL&PJRpzBD(ir-|_snkT#AU
z%3A2;k#~ZszT3TsKM7-HT(dJZ@z`{Yah8+fb(%__PpNg*!eO;FmToRS$t=B^cEA2=
zx~F7##c>#Oc(Io+K@uO0ApKfaWo13n@Lp!w=h_uw+EvT+UVMGNJ1w8@P9c4_DH69v
zeOP?>840fh&(S$Joy^Lcpu@eivaFPOzi@f(C`C5r^zk^2HmNKc&cqKD<57P*NRLma
z$I9j;=~Rf^_`#T9Ql9Pq{{FZA>0i!&)Jph$bl`EYwY56@#`k_yl8q?(<qv@Vj`Cs7
z{@pK&*UEnR@vK{2>~D;@UoL$nDdjBX#1L%v-DGf6*-roe^Onee_gVN~WK}6+=rC6m
z#<qD-hZ-0(P$jZl0$m*ou?>I#b7#9D_M;g9AZSADeW{?MfHB-{Hj&^Ec265N<QST^
zLC3;@>FA)dk)XR^kw+FBNFfEIZ8*R}J$8D~tBeHQcl+d#g%W9vUu;t_T8HapbnKeD
zyHGFg!q&10nQTqsmLEAu+KTjDc5>E<;hkmUSN)Uz%Lm8dlW?Z1K8sqTtG+E)%PUCj
z-2|lHZ<{IWro)f)s#l%<W!;PJCy$TE|38#H+IK8g+nAH((dm_vn$LGZ`h%vLvz{od
zc9BOr@8O{w^Xc0F(|XnMjSX*u%2uoP2!417Z?A6x^fu4;?#6R=-P|AY`VxmzC_9f!
zF4%37JKsO+UWugb5VpJQx(7}9^2kn~S@3J<blVD@c1OA<3sS+kuMlPfoKh!>NcVc{
z*Da8she4QizNru?z=916bzAA@4KfHsA&M^xLv;!$dJuHisb3jj3;`d60eS8l3kAz@
z;OYtl-3KOlWI+c9QZU+vg0e8M17si<`*yd1iORw_3PJ(a;i}Y37@apZYXA^t{VEEa
ziG(ANNSd|6j6~cu{)u;=6(*8GB+z)NY2s2Asi&|C;8rZ}ysw}9+b5Lt3O9E*$<8ig
z5z2zqYNWG`-GqW@hdxLs%tt!AJBf?;K1t2~=I$U{-rRH<`o9uD0*?<)^I3pLyH50l
z9*khj?wi+-<t@(`cI)o=n^QgMA|l3_tPk*Eq~m$Ux(T3ekDrFupFU(dC988@fbC(l
z`V?%hgvzexPWNv??4<7=5Fw#Hd%z0w=Th12trTBW(?MY;w1OlPU5D)KZqI)G((6*{
z1-F`Hu3-PAc-~Ku0N>d^MK0ghaVy{b_MoIKPopuveE*>a)`_CiK*k6MP19&}Xwlqp
zx8~v0dIzlWXeOlR;#>E>R`zo~uR|mpzLWp|+h6CgKV91U&yR89Vt_zYuTyxEAc9*H
zlYod-*V%_-)5M3p=2O2}ED@o3ZI3!ogKp@kn{d+TWc&MA;mP;Q-aQN}+^AmhS@%@=
zcSd=;>1}_VK@&q?aDQAc&sScT+xFbS+b~*s3vX}U;*auXdDJ6`5UtkY-j?A+y%M-9
z<_!0vZ0JBU;TzNn>|t7O$-bn+EUL@!KslBh;r2Oa&2qozTB>(IZvA<QV9PKRz|Z35
z;=A|3hu0g6;DPSG_}vX=u8gs=#q=~-yX}$t;(#T;8DrKlr?q7-N|p%V6wf!x?bmLV
zPDf#!MUmY#_EoD%L))&%CGK(IA@Pu$k@3Sl_)TAyOK~BQNF>rEL=H0<z(8*X>{}M(
zTPzXPQu7@vvl>l9!`A(1stlt3|ByTEK*j*>?8#5*_>|~Y6pjcBIKlfg!Q?Q=`jwGp
zK(E?@o>zic+X09eUhG^v;ByS+^8_+h0bu=IuBv=I^ix-gs~n*y&3<bJos|GwiiDdK
z;&IA3YgkU70h_FUG9U+d6U~pQ(kBth=9L$3yhW>u+5GmmIf500wSgdPzoOmiaxT2s
z8N(B(PfH-eTy2KK_GWxJgWql<lSyMh!OyR^kpVNHFO8I@g1>f3bUVffz@It0I(@xW
zB7gw^Vv=A5e{CGHM3h1g|3*{^By^o51Q1-&z$$wNzo{bk7Vu)ZSbCuk#|=39FGcIT
z!QV=D$RY~zjm42B=jIc_i5pf4H04K0{K`PPt#Z>}6=DjjZAeslR2E#(+QrSp{V6d$
zw0cpmxDU|4I#wJ65s=p9+B=-ezG@WJbedl|O}*+(fY|_NvA}g00BLtPSC8>#k^0l{
zMi>Ww@BQiAa)fe``z1jIL7h*^q*1p0ND<*jT%C?(jrMlBa%r8w)^NYT5SZ>f6Ksw2
z13NKC<P!)fSG`F50!RWXwSWLHRpj0Vj4AM`xn^)s>08_8q8PM(iVhfrz9q&Qg*8^D
zWw56?Fn+~)Xo9iQ$#$IVL0)%sVlSPK55p3H{xn#h&=pBotbt~=1$MX+fm8z+F3eO8
z6&|T-P|H;f+;y>42csZmBQsnHa3<F@&Z8{9fNf@(3g(LMHNgJLGGTtkj%|#UVzd7Z
z#1s-{u(BE10hbk*xLS*dE}bID6{w(wDt_h8g6rc3!CB$tuF@dckFJJ8k^piyS<+1b
zX$g9WBO%0e_T#KkeTC5qHI07lZ(T93e1gNMZa|9{>y{n*uo!|+a6_9}3Bz+5s2s;d
z*#h=ByVGKrH?%$*V1jMjL*D&#D2ShDI`p<ruEqD2ytL&rdttN*@xp6`D>(JJDlyc5
z{FL#uV_sRc`$0-#+N9gccG)Zo(YC$z1#zKiii}4=CxGoL`-F7i;BFFB4}oaTOq#a6
zeuY9wKwon815*H#rx?ZO9I^uE;dBfO$C_i<Uw;c7B@FlTMIz7`-fmB{;v}#fEN2Lx
zO5@pPdDv(4mBcTm`9<QCr*L4K1Sf|eE^hrchADX;-DxQc(O#N}Cmfu_1nW41j_`+s
z?X`Lqge*zWR2voB>&Q1fLbqf}k$KVOLnkcM?G08ZtX8(5O+JeZ{@}E1C76GxZ!*wx
z=hc4^fq9GB_WD>R?o!r%v6SALW?_LBsqbtzzHrpxPQo`*0S_BS1cco$v)h;U`_i6u
zZ0%mn+O3*@_sr1>jvs%aO3ayLT_b3G+#7?j6)TJF-<ilzwW471V%x>cmURLkE;AEr
zydjHf?h2w?YH_L^Q4Z6j)rt!Sd?}OTyU7(YhVy8~n79-b^*UN(1{c4fHDrt^=_L^s
zH)2L`&TdQ(HE5qFP^0Q>!|b`ZgUIXL*&%NST{q94oTTSi0z)+e(?6=>YRv@`FW~Tt
z&TuJtvl7U;O}LW7wmacgxl{z(LilZ9M)=JiYt6K^*h%(itVf5klgwp-f{!FW!?|gR
zr{STE!2LCap);^hrMcMyJ8R~N@FFk_yltiF4)WjNMM0k}Kl}h|f&JZOVcAl4YaHEk
z56y5jr!Uh3(kInoD73%<vhP-$K>aQI_DufHnrSJGI-Q83a`^7#W!$32LBAReyR#?K
zD(Q0!aqt&s5Ml+eIt$qZV8w<kwaMDfN@Prpt~o=zp%Rg)&Pq!yU5maj-I0(f^GYGc
z)_13N8~L8ID+l6I7mpg<ypkEcW<^NMx%YQt*J+emEol_nasjN^dTPx=ax1MG(A-*k
zl>(EHoh?1)*TwWPlZn_D+7*3OX&CDZG^Hy$k`Ec9k4S0A!WU`nT&8yerqlvN^BjTj
zGI3kapmyx*r2g!1hR0ZLmorJOBNFV?tljo|v_`a$tMiVoI)DG|Rc<RoY{xAs!5T#u
zFgT5_BW<GZx9DROIOsUPU>>3J_99Z)q4}b3yy^XMwhDQb(390QJ%X0<(QToI>47{_
zO;NhRBf`m<a7WS?$5YPXiX{F`$;?^pbcPJmh|JSjX;fF<>|2~7-48SYScquR?dCRl
zug6Bj6Yhn0wxzGhu0d;Y(pa}|wi({a$0-p%eornr`=0^vm}K8C17p$H9rp<##0x}k
z?1F2~KC`+3@e=V8N1q)1HKXlvO)vZ>s5lQi@sA!6okw_L^MynbB6WIt>}88uxaF0k
zU$W^os1|1G?P<%Mt_lGhWa+dVR~A@dV@keS1M7<248EY?Jkzy4i=@1s!V0GQ=SA$J
z>w{ZP>GZYORPN;U@R&!p^Ko9C*dGSBW0vir3oL_Gck~{Y0IAv{$yB82gHH;vz8Zib
zII?M2jIJ^2pn_O)cHYB#2<_mwdZ9YlDC^%)9|fX@HE|O#Dn-4gh!*lpXS+Mb0bn4b
zLr4>x@6KEdQ>%2z@n**<VW7MooRU6E*{)x+yV+7oMHhbhCyaph@J;>Fq<D364PDrb
z<{#ewk}A}zrIT9scK6!a;zI0Qzl!bt;At9m4PT6A%B98wuQ@Qfz3sp%9B%iX<c(Z1
zc)MK<D-8qwBhEg#eiUe}uIJT-L2OT!8s7@<?PQU9fzHX(z2wwE=9BCF@=JGPE*9^}
zR6f^(4=icv!nd<kMe|0%zRRQQ>c*cx@@RfC3Cl&2kc-#ZTLcH_x<%I=r`=txJ1D!?
zS%GcfSgw+KDVet{2l67%Z0?9`+5dSHytJ)8?)O`s#sLl}3G-%A?uVIGA4P=>{>6Xc
z=U5q7N@PNi1fW{XW)_%<vwp+pk}3mpWx_JnF788wAo-PIX>DPqsyjv`B(3pqSiv)4
z4`btYI1T2$9yfX&Y#W{(X;^@8M(<`FJY!cEh6UF3;5Qdlf}fjqz*c6gmp!0#47*^4
zR^mgS%-s@q4blR0?1K}NZ$Q=cq3*A}U)mi{)KS0cGQdz99v==KBa9bK2pMs&$M~f^
z9%fmDGVT3Q^NG^eMR7Bjp|ocFn+sqsK*?T-J3Cj^8GU@7sr9yRS53PteQ$RNSjzO+
zql&U!bY!zzPnVZvpcESycuQe>`~lay4c;nQir)17i`kYfM%vK`FTB)u4~Hc%gSH+L
z2_H_Km_j-@6~d<J?;dGb#gPcxX-lV+wpwJYR_kUzqSQg(olZTx?xxZ9%BpreDMB?E
zh64+T(dU;UyWS6a!2>RNX<pjvE&HE5W3K_01zkAF0(>eQ9{E+t{1aiJ(9L~pH}(C6
z)cwQ+>OOAFxKTzpMVqI9>c@OZUu!Vv{rXzwRCAz?d0^F%FZl1_@*j#{?0Xj6!jHaO
z;u}Adlb0h$xGqIaOc@}{KqUd5_4Jyn=vLMdAD@kA>>o5*7ruYQ5d?A|X>&xRGhzQ|
zK#2|mw1GNjCK2ESjm*cyvL!cZ4y{Hy45M$JOp^GN#u|op0OUkQ5uD8D&!rl)yI0Dj
zn$1(@Ed7=vD-{sM9cEF)HIIZC+tgOGq2aHjg-CyW9$FeO(S>Qo50YgVSz9%lt8v^*
zqjI(GJmNGGSA1d7Ex|f9sk&y8ZB#~VjFECYi;XcheE-ONa}^RnhP@#Bl<4JQXqF0_
z=OwOYJ;CWaL>%tWF``B@^%A!`JWAh^ZGu)B?RqNNmn+w(-LwL~Iq{4x<m{U-{_8XO
zIT^s8@+upxW#uYWyZv>fR=N~4MH?HodC{Lj>^>)enN$yf&6-8!7pF(K2NEg^kL}g}
z<lLFkoOl<$eEtuxaP!Gc2cd2sEq}TX7{{03;%N12b$;>BrGK_l^2r}xJ%0S?zV^fk
z?fpkn`KyoQ{CpA#Ye60R(DO6dyHB6qJ<)ikCs8BGex6R0R8baW@_hE%-l4>a4(mEz
zNRs~CaVVCFrq=BfFLYnc9-456dFD^QQ9tZWW-KyR>Gv;*{;?y8);?9=u!4lP?I1%B
zT08fxw(tb{;&8#|3B6PlYawwFu{K(J-+Sv4D61~<6Q1ZfIS<%HWzIh*b7u$*C)MjD
zn%fCPBY6Izf)MFQfbHFFMxU`yKcJ_}VMvR&S<{xM_jl7Lv#b+uGoO9;nOm=TUlfg_
zk+msLp=QFCRQR%3kOaZAo;h-+K}LrZT9uYN7NQ@l3$UM-0yE0#FN2oDmITa&qdY}L
zNtuK+k5w0k?F|gF)lYts(XKpL_{#@Tyw!a9?9vcYiN{8V!-|0CZp*%rz^Ks6lC73b
zu~2GTUWO$)xfA5FQ?lhR3}iyZk}jG|W5p~2t*_IHjVQ(MquOX`1U~pa#tlW_gKI$F
zas%s7$*nO4-z?UOWZovW1?a94(pB+cYJn9~CUX-l6xvT8DFwj(gJwkSyxOo+Te%09
z{g8lhC7KU`L5Xl(Fq;xX_NhHsrRX`y;xd&cbvE6DRq{sm|2ul<lzs>F7rinfVihzP
z{nz0!ZHX3iV?$AS@+0c-J&=<sVB6^sA&J48vA~p+dgpW93&^r|3RQP@r)w4krFvFt
z`u-6@1od9IDydZhLb~65t=D0CsOsFcnq#Zo4pRzN(s_DLmJRWs_D(NuF7a?MaE{__
zCbTVTwwLyvw<+23ey8`|=Xtec`}l=F{AOt5w=|pE%-(FiaV+=VuGPBR><xeZ`pO)_
zICAd6_)!utix~_ts47Zr#{>bzJ>-z&j%AsEK=#(cwM;67z*2X&5sxNj0O`Oyh+3E0
zUbi3tx+(QBa0OIuf=Og6r(-KFKq7<RM*8&uwHA=kKUI{rBtVxhqW%Hd((}TdAORH-
zM+HbMQTlpZLQUg2f&s07YY_BQNFd!b;8%U|bO<Pkptv`KtU3TJ<E`akXPSRqlwo2Y
z#(q2yT1$yGf^14X23*k3S7Ei|wjPdmmev7@jPy1_)d$pCaCG!5(bAnG0lF#i{{UA&
z<x8+sm#uP`TTUG$GWczzUms9w!RF{6^NlW$09|)dNjXb<4!rhZD1X&j1AY=Kl&WPW
zp=__BdKGX0WjGDSl9*QPg=;6(cfb{l`3l|^w>4|CS^<fSxQ&eU0ksyS(Qm~)*`C;c
zrI{nT0~~>K3SVqt>n7Ezn~=ze+sIfS2y4*W(QhTjmIUY)UH8YghX8FN=w3i5%;e>a
zf`SMK{o>-WLH~15{Tw5+suKWC^(}A(W4?j=DqFLXMHM76;x;nY2f{t*ar7HDizGmo
zxf;Z`y6v{xZn))kH!;dHWZ=fYyjB)pT;6(eMJ7oqU)xw~35g&(_9kTr937+5x(Fb|
zS=mMiL3%-?tl4c4gA_y!5=f&+_GFTcHd$u8d#z)Xkl#Lu&)^y9+l=#!v`Q47$m^X-
zZaOPEm5g$o5u5QY#F<&kaH4RMDV14IUH%^9WJ+EaVa8cdX{y2yY7F;h<E5N>nM|eh
zelI=izz(`mMNf53LurO2G8E<5<eZFbMXfS~j+9k<sUTzLu+t7l7uOi~BR0EtH_gT3
zVmiILdh4H_NJDN!-Q`@e!p$Cq)Rn`UYYS^#&tf3kGG>lV2X=lYhncht8?*Qs*wFnw
zEBChK%3pOvfk_CxE5_oU-7IjJFcrt6ud$Bo=vVa>Q`pY0ilzTs(a8fJA>W>X`b2Tb
zjgg@sa(?$GanBY5M?`OtG5KX)B5}sR&Ua6H#>aQ^aK5q@4BgZtdehk&neG?FWltdW
z@>*My;VhsKNY7;ZWRhi*k`2ERoxCk{e+;)6kk4!0>wT6;r`@row}$Pd3pe<1lh6RT
z%LfE2%pyQafHV<eP@bxjh_1zMjR8``;?0WghN^E5SOwZX?N*QH1&^tXu}vhJ*;TcZ
zIz-jz)o4Kxq=;KKB9l%1w1;3jd7O5uO^${l3#n{}N|Xf+!Yh5&O0&5Y{#Ci8MBwD~
zKf@VP8d?(Dnpu-x%CRwPVhJ=CqJj~Z&WT(X@%>WDvUxl0)(c%Ys-BvZrATX?q9;eQ
zQ`5RuZLK%-20POp`T3v8j>A!VhO#s30vKM3YM}(uC+1{%48uyaB4kQFa>0w9{8iHq
zf+9v*gX0=$M#UASlz@x(bqRPZ0`_V5>K-#?;yvyx8W?^&m70V|xMDqLAUjr+(?m(=
z%ToD`>S)h_@Cgr5r|&h3M6Q4~86_-ucU^?*M63&kk}^kSU{3xgH1T_#NZTRG983=N
z>ZN~%SE$0j06z+TXY6QbdXadr%%8{DNb;{2c*3)Hh0t@}TZA|>;Y!aF*|QjWVmXnt
zLEX71*`LnzUDQzJ%o!yq{it5XR=Y0jP0aiIV1coDb$qorFWV|<j2SB9!~ZcRxf`ll
zP#7iP5(SHYaV5;<22wgxw6hHz8_N!d<_JMp=}!!7m@Z-F{FrFqP5*5-hm<+pPMBvJ
zBCRb{U)?t2`0CA@y<R>d<c}BMfg4M33?9Rr_^i=hgd;VKR~Hv=+{p9XvU8%=NSGZw
z)dPFEdbsO0m@b#nd(o}neZX~@CT|Vj%QD0rmV`?9Pp7%~oHAvgJHw}}&VDRpdxox`
z7L-c#NDl9U?B;&JVvuZZGPYQ)v@qVMd(=H16t_V!QbDzV3MgYBh`7G+Ek;IMP`XQr
z?p!sSBQzK1fB(j=KNJ4pJo@uM8C~^%e2xDXrHxCx1!`A=Z{6^p+8zM?QJ@>~>V^^Y
z8p7mcF2&qg%wkNmBL+Tm8?)Ii9Y)|7WP!>6SiGIcX6L{vxwAy25C{`~x0`eo`!iNJ
zc8e}a*PZ))IWNf?4w()o+#%_Dt9T95wMbwjqRrF-hFaU68AC_QBV(YYHpJ7ac_aZc
zME*qt?G!pdlo)aSiAhXjmL@4Oh13v+twD5snIj<zAvKT?&o`UvE9R~=Fzg|-Ze>&Z
z<ng%1T(c<%^hk}r+TVfMa~}yY*m2w&n$(9qeK@}E_ggLc4GX2W0#D8taX+y}DW*ec
zG@~$&M_7ZJD1+({Pq*rnzaK_5jXs+1!--rFK5XM-Xev&Rtc`_OaA+X{WgJ2AsA`x9
zh(L5lo>2h;BK&{#i8Xo(*#^$7)#mX3U4RSX<_~QU^Amfd`h)BDkKs>duY*_1u`n>s
z6MX++Ej^|Kgt(%HBam2$q+-O7<xm0TQ1iphJ(B!L$d4G&IahGF%CD8jy^@I2#^oEp
zCrDBRI)CeS4Lq@T_?KHz{7kd#-X^t9aT4Z!!{T*qGj%(jP;ZtNq@o6EefTV+tk!0q
zAMR#Z`mkr)#EP6x_}21^4GRJs6}$2$>Zj2g{vep_=B!)wBnfeo#|2HU=9H($YZ><c
z9I#1<pB2CRM+JOtBM^AFp3lXnhCn4sc1~dyK4T+6Bf*)`==g}^IXj}efh3{<iOP=|
zG$n-(dWm8}5p9^k;f`$A{MOYQL&_|58q6c8h-(YwS2s}<<*x9?V(#5nJJ7fOWVQEh
z>Sl&s=d_;KLEK#EagSk!BH6o{-@`JZ4MOwf%7wtP9Nt`5X|pSf!FX?S7u`<ESgq|=
z^=}`~g8F~_<opv4Kk>}l&itwUM(bjq5<S$$><0j9RaEB58*43<I<|cvZ%A(9*z0~V
z*RAwVldu+l3fql(HHu9npCSA?`|Le;rT&Aja#?tgY7C-*8$y6YwG3I=UZnmT>z!CD
zZe*fjbB>4iN9M)j3u`O@?2$U#xU@kj=t5lEfIl{o`1i(`YW(@7^9b7CwgbH{^*?+5
znYQpB(wfuH>*o(n+IAQ^{bvp4fy(hznOz0RSK}7?kvAV)G}qn{5IzJvesDR5c&7ha
zy8<$mPZjTvy&u<93I`;NnacXao3B>CCMU@h%RshzXY~=?*(1j<=4E58d*%4VD8!AI
zbAC3;M0YQ-Z8+`WNSScsMr4OD8>2H=XNcx=I|bL;`v_o!d2Tw38kbMr2;wm3j!bJF
z_^~*Xt@q&*(_kV9&Bn_)dpyj5<}Fvg@Y63Gx3`_7mvMPeNp<!P*IHjO9Z@qZpF6*@
zse5wFw?^)HX!U9DW;{@$|IZ0mFR#XKl_zE#TC5^rzQ)7xa+yMthIWudR?9vTDAt_%
zNK_2Q6qUlBhqRSn3J~tN3wS`O<drry7ha^H=k*%n0>Zw5KZWcy?Swl0{#eRNH@hv2
zYBBo#U5}dSMIog9$)()r17FNQ2VeC`=fiaZ074<4LWpQc1`u#3gf)l1apkFvlK_6t
z&~1Oy@{J8>&)3(+jjWJ~^y<}e39QvVfYxTKtYHnHG!;%9z54h(1uFPss-5{uW-#;p
z|D}uRU}oN&bpG&~qE$`%29+_ma1(p)-qTMm@sUeml!j`LwB?2OeJPfGt(b1SrNS5m
zB@Bt=YjL`9c!kH=k<?B}^HOcuI1lCFu0K$5;yQMjEbXlPo~wS*2jGwX$<)(5xIh2r
zBAC%~Rk5P8RI@HGN2rZ677v%DwD_&#P;>#=8t#r0ok+^=&rKn_N^GhmS3!P9IBd@r
z@j^`FZB3H)!>0Tqc=nzB6JzL32~85p7ry)x#672@mXCxq-W#b&X#+C_9=&SE#G*T{
z?Df7@!FY2-Vs@sX505?GIWBefPVuEwG&{N3Mn<wUESX_U9AQ=cA3Z!rev>Bo8eiE5
zSxW$_Kq*0eUlS7J37O&_hkUw5gk$ksD``vjh;MiPWD&NHTD2En`^e;HC34TU*ChOm
ztdBs@6Pe9ZeRd?BiwpCs-ynWV;it#a`LjX#$3yp@dmjHkqIks$Z+a9k&J~nu;6EGD
zKI>!T>N_pe9+U!*vMDyX5#P6?S@hPrD5INq*<*JjRofAwr)U;0v_+zTWq@TNGWdb}
zOy~YHOw`MV+NAy&XN!S*2s6d1g={{?7sf`Tg{BE?QIDd%Whu<&hLt3J%A5V}|32Wf
zDV`7b@OoaM#IXd=<-z!I;ioj*9g-p|&+DAC3o8CFOL=>&%pDUiI@$HUk-k6smn^-$
zXbsr}YJ{qp!y$Mq-`DLmdL4hjeStc`Fhc)5-S!>9Blh-#e9MJ&pfJSV&=&M%xgxsH
zj+x*ztX_1V@KFfsAuz))X}=KSA=vayXX!-<NDAf#3A&74ZqhBu``#G<oDY@lyb(kK
zVrj9WU?&$WZlMxdWWvoDWCnbr2|hR+WWtFFR7h`ing&%1I|F@-R;zX3SQ5YW@dc!v
zN=D6KG1O+z2JvSnnLd)Hpv1#H))~fwR7Rdg1l)?0>i{Vz8QN95jm)1~=fjw}yoHS3
zS#yldlESAx<B?Uy=?O8k$Qd?1ic^vwyh#S4`wfUt)5bol9Mr-#<Bs=qHZ~Bq6beu_
zbKFRGK3?5Ht84hGjDWmfF$cQswoDBvr|H9yJ8Kx<tI%y9b=n~9FrxhdIZoU!4z%4!
zsNVufj>o0)(h^f~Abo&=J;}-QJv0Mck^rod{ftQE0tULU9f#VdAVir00S@Xo#LyO6
zMsg6;>H)|ygXu?@IW+ow&iDa_BYE$vQ=z=Rp=o7|24r>-k7_Z4X`lfvE<B3S??E^V
zS7M`N71)69pY>Dz?QALa$N#%D4p|O+YfZ6q9f{p|-|bvn^!AtdQ4##^IC?wtES-9n
zB-6|_%Xk&riJMi4Tis0AqsOd9qp#@Re>$4rR9{0zvfa_^Ylf`8wWWB(SvsFp=L>r9
z>bbZxEiRmQUv&n8pz&jMiEX0C8)9Q&*HQ3}wU$zgTIgER*8xC1Q)War4p8;r2`UiB
z(_)p3Sz!s<DdGnhP3T_QF%?ow((+<LtzkJG+@WpdS=X@7xL`30a^mdi3^Q>n&g=mp
zxUaLme|$cZ3mdy^1j|H{y*W?f%q-KbyT0t;MHHKUf$>MpW4pWQ>;7*fKxuCw-ayVC
z8_ww`+lyKu%tSYSpd7kOV)PJ?WC22DneKI|RZO2`BI=58x^vvc{!tlq=bREDxQoV+
zb8=RtWG!fDPcXb$CVbm^VzND{Fk-c*_^s$$xiA(YzJ+`$sLGH<k2A~#)9wlACp{@S
zhBp3;`pIs5dvGRb>x8sJuz1CETO_G>T8OX2MRXfSDh1o04%!_L${WRknubHS`{%((
z5}hYh)ab{Fae{JBHQvD#1pHor(0j#O0<iJs!J)5SD6jy*zH+X>6f9CA_0irIkri8|
zykn#vp8YUk3!ZrvLLauoXIA)ZH8lwX83xGN_k0RF)!tTaQWxfn9Tq|d!iGJK4t%7I
zG=TK@KEoNei)ow9SBE{0iQdV$-;mDiL)%ue;b3^ahi5Y7kYxq#u<yqH9qGhASaR{7
zFOb_B*|+sDDc$3sa)UVjKzE@h`2o07+*fkp2|xMUo%0Ux<Pz-3Tm`1UNvp1kVssU?
zF7JeQ^%K=}>i5P-TSo8|%hEhV-jj1xcr_t07707`nB`Rpku^JDPM1ewR>R&ZbZ4!)
zDUBxgzY~>I04C#C6?tPfD_d~hHs+hrmiph9lP~4a3PV3~JNIu!*&UXpw`*>f!<$ie
z{d@!dP2cBZ%*Hx0C(UmJz-AuTkXdj~3+7*9M?17jYdmp_Ai3|OUouCS9gg(ab~qJ9
zMKN*Aef%gcv_ao{2rLpM^Bp<Q<)j)XcfKM?$-`M(YG@8L&N|CuiDxN`3f2L|=fLT`
z5*o$mNhY@Xjn?TyZX&f)l(eSp$0~};EHPfiWMv!}-dz+dZnnJ}S(JKR0!Mb<pAz%N
zKE`v`j~uO!oFvgJ;#WQewf)N-K8}+#n+S>DR&QSm6#?jY<cD<+3C&uGMBpfOzY>i?
z+nirIrK;`oS4F8-qz{PVUg_iz8=GqBX~a4Z$}<u|5UczDD^?t!4CdXPLaV{-juAEA
zwslpi4R`yo#aW6u_>HeoFiHraOkhb@<2Vx1?2IW1c{ny&YadyPu&iaq)r|M1B%cS6
zi~*ODByn!Zd*|j+we!?^ljc9@k@26Hk&T5@{bTD1g(ltkX|ya86)UBD3Z3O1n{(4N
zDb06`Y<X!3Uk6O$)A?5(pSS12eZTZmEL&CL3T$7Ex@@PzenS0;{Kpid)R(U|F+TrU
zrE<#IZu;5Y=NIOHwFz(40tO4tHic~RuKNsk6mRek!!Wj_ncr;ssHEkqXddmJjoDRK
z3s|&dEOAvo+#y-^F~+*x;I9#fe*|Go`DmmXYKLe{BOm){il?Z6^GLx8+Q#=#fCE%Y
zmhzpdv_~zx(iu=)S;j)GjMx}Xh7P%LvQ-zy6#PaHoJQ&bg+))Dhn0zHMT+7fHPLId
zHfF?)f(e9dUC`WO+V*|FlhzM{^$Bxmx?#^;V6!gM*6{wZILOaffRnFw@~K(=nJ)aN
z>Ot+wRJLV4E40-1s(>)`n8R^$Ut4u)zOLd9<|7oada8I!tcy|DltO%ku8}~l*c)ql
z%GHMEw#9B|oQzs`)0wIo>w@Gi$q*%qh?T0gD?iu?RsWxzg0n<M%Kthr#I2=%9~u@Z
zDi#YSv?)QP++~B@y<ImU%d4O6NdYhUxh7en&SADu5D(!q+aAhD^iWSb^TcU2B{76|
zaSU;75<k(dX0-P>*9WF{6cOB)hY9*zuj`p-!6Ts8fnhGUa`FWU`lVul1UxH=;L=)U
z<0|G|&^GqMhtDJ=W5xxsHdV0T0&cTRB>xt(t{cdvqCLEaJoc!=9Rh~35L)3Cx`wYJ
zJ)mQ{{kLJ}oVZA-wDmdNq;nc&<MZBb<SUtY3eXLFPS?dcM{6O9kdFc+Gvn{DXSmW9
zt~j^5iEZ+af}JBRgD13X<of&qbVHtg>4;vYNDl3}9Elwu*SzZXrGefGWhz+I*Owo3
z|Ec>|Ejb3+6JwUYtI8seeE2<t(Ii4{CYgg%RQTwdG%n~_L<8SS$*G{_Wux1ei7JUo
zUM=3g;+&uN>5kQ4y;f*K<@F(i2(%SxgHV)Go1#bxAw3pQ@U-2&2(Q#{nHf%J(^G#?
zZ@xD}NdWwl&A>@o>-tvGO*=Ce<LeX}q9n|1mRitGQp|f;Z!ylQdcBk%b;W&nI}L=7
z(c|ZJQK``OCc=?9Q33J~{?R<t6>NnMm_?AV^Fy#e7`bLc+%V@tk|>j#MBmxu^5zBm
z+{h4E=+U-K6aw7fi2mB^*-&KYdzOwAAviGi&n2aR1o~?wLTMBnMtB+sBEwfo=8fST
zgJb+mEHC)!l`GENZTse+jdgU5T(jGTF!Vc*$|;z^Ppm?K!*r4%(5tXb5spA4p!&7R
z>OPmKZYs65o+aHpNp-+11@HC}KVv~^&+<AT2Yi!KFMB#j0Y2RIy3+~T?j~l9aVN^Q
z`A0dee!U6NB&mXaAvyJ>SWu!FW;Ss_fonG3+`UM&FJ%UJw%it^SdcO(Ej>sl+{W0p
z9jJKswmvZee$7C?{+TWBP6{9_@2v`>Qw@I<<TWMn`1ydl7(MxS&7#)evV53HmYnTk
zSiUblyQP&j`pWD>RwxkIkY?;}*=Pb3B=~C_nX9B*t-VS@v0CdZf@Ch{{5X#A{6e=I
zdy*PdGwAb%3CNL|inD-^HWjXzqzT_$va_V}dbDx*f3U02hJZP?yuY;aMqT?C(vnNV
zA$6$}{rI|js_!_b8Bo|8Q=0;ReCnQR*memyG;dlxlzEd?#d4gcZ8PC5%wRPN_Pt`K
zo1!r)>2r!bLxaloaA_+;_JUzj8fhnnkn(ruBg~aS7lINb>Wq_b!2A=SKYiA{@TGnc
z;|18=>L4bFE%E|>wq8<-$UgyZ-vfFgc)o?^$G1E}RTw4;1xLX5Pv29;Wp||DCjVmt
z(guqI#wSZX3XwQ+(Xx<o2qCp0@B3if|BZ<O^G9RC7)fDS`85<DSMdY8_fi8y1jSJa
zj*OkIbUdliUm0(JZc{8ZWWin9r$M>hCLE-muS}Xi8qc3a11{y)j))o%GZUz~z>%L5
z2rzQZ=1h8t*&?I<Bk5Ko=d7`AXWdV8<9eDOdb@BxqY~h6HIA#4)EdcziWEhYqy$+B
zJDK1B<ACPZp|T$dY3&1LG5G7@Y%7vLE_2a}8k-)=x5-E3-A@~D2w|7WAQPz!W1V20
zN3PlODGm8DO5UhOx0Ht=Pdhh2kfmanPx);;_65U6_T8A6JD3s1k{aJxD`6wI%uztI
zQ7YK7$xv<SAI+%R78rvXZmpySUQHZ%5MV`9izT(Ozx9pdnSH~kZWfzR3rBvAUqM#6
zwA%^(u0Nb-i46B%Zb2K~JW$PLcq)D9f>74zZCe+L5~I|>IAOwQi+pOy!_FzT)dM_N
zG<JKGl5vv{Q66KeGaoYeY5F*@qpLJS475f0m<a*fux|t%s2|ZkIpMX5r6fr;wo+6q
zQdr%kTI(j&wGz28v3Vt7xV7SGa$6{=_q|`I6QtYS#%PW9Qkt3z#r01WJIK|O$zX1!
zCZrHA@DM7?dE}bSZ|Y)_ev}x*{TnSy$A_ilbop~u`Y16eoTz3Tubq%zBUf$B5qN!>
z^JrD98JV)}yA4#?AE;zH97Tzuu9cZKNz9mah^_^Zb?jA~>5jm_#BKG}o?NJh=l4U9
zL4TX5YhG$@R1Q_EViMrHfOoEBm;8u@Wmg)<=u(ov4q3H=eti1w+Qwai#5BKsQ!Rix
zY(GBrZ@zvB>{J9H?#qU#u)?9J#LlR{2KrO?WaPu!;{Hn#JZ(Gh=K*v19?P|Op*)sS
z3yx0O{P8$B!to_(D!z&;m=_<nZ5lpgmiA2|X7sk50>eQPDRSq}ZBr*|kew^&kF~yq
z-K`jgM6vfQeKucOn>rJY++BN%Y)ST;ewfy&soKVaskI5j7o9FPH!0<ZBbSOw6Jlo*
zL2EwkQ|Ke;N$6AXX&-}+ec~f0K%bPsP2bA}9VNN*GBP;t>?mzy;z3lgDy_6*<&1US
z$0=U{XEIuXF;?1`5PQV}e&~zNhDm6Q1qRyy+%$^*sEjp;QgHfo$%>7PG(%WM*}x`*
z)Tpf6vZjy})J3WA-dST5OKog-_9za<XvK<vm>-5pW7tOL(AruTfT<SBnzH^RMnc~e
zvT0QA^Z3CsLQ;SdTE}*h-Efs>MRVCEFii#PaF!(8$GtrZZ2%l4qhy~+Ypru155Vf2
z%>9iJ7%KRQ4*N;Th(jJ$h|}ce$YB`gwDfs?+b^qV^bD%Z5^VPfVU&hm@1r=w%pmtZ
zcr3G)tf^%3yd8#dO`WqZ7BI20v6qN|z{j+Yk)>2hB@3&ROmF<0^}h7W6W)X<E~7n5
zks!$hy%P+x!O$Y>;*=Xs$x;!JNEe*>3(I!BwTfG#p$Lw3LQ1+CLnNJ*1Ik&anLygC
z&sEG6hQ!8U_4M7=LfJ*ZdY@vmd6o^4RjNE}w36np?W~UsGeS#ctTh^<v0UA=vC_uo
zxQFbtLB!|tjDqP#MC+YfK~|e0c%>yGu7Mky$fVZ!Nu5z1Qa`l3Vy+}K@6IQhDL)y<
zbz}nl)P*F@sM=YFGbpZccfTXsIO9ei?!w5}R8*}M?~PWHNe||xF({-qQP2VemSpQ?
z%yC}VVIzm05<O;ltfOLnT4*pJXQQ<)lxU-nBtdIY^vd3(rZ7=zopVtgc;mra(|%2?
zH3Hr(=bK40jmwmO-EG(oEXQ|QG=h3{b!mQX*YkR`z6Ky=UC*whhsZE8$MY8t00pn)
z74%+xP%T$EUTD!nJL@z;nL4~;yFKn8ymO-~MO43(Hj-vL>j$;#dlk*Jmn|E8@^7r*
z_~g=(#@yo4iu-wbvn;(=-F?*HyPYcSVR4BMdkkV8in4m*d@@N`M{P11#|{shFp*4Z
z2^IvYBCKz2Hf((Z_md;JT#T9vG@?@~G)iI+d&-ru!2QYT<l^mg)jWf#<OYgfC`ZW^
zSm|lVT58su<0%%6H*&mPL>BBv)>{k1B+iDLgvykvhbyi$+@j!Gg${A~!<v8^jgr&C
zM72-u-82rBDv|AGve(1e(_n>|nR-7hRg}qwt$&25K~dAB&W4I@-}XP`a!*77(l#Ir
zrUAlCBuI;VI?|U~ZW|0o&E3I_F~O{tP%EpahBgoqH=2Us8DiraOmxL5X3{c=2>Uk9
z^EH%`1=q<kZIPxHm7dw8rb%3Dtr}ot+hw9yB+1X3s5|h-B+TPwUer9KHV_dK0?2Hx
zi+R+=zpiTKK}%LpY;r#xjv34+#aw5~_<K{l7j{n#AHUoA9Q(d)qKR@s<Wv;e7)+S>
zhO+P`x>fsy8{1=eiJ9XnV#;3JD!%9G50fC-i%s>cOf#xzUQF@ORA;Q0`DoC#fqA2{
zz@E&47A|WX)1a!6%E}~90+0#HriY1tL`9n_MzFkYG-v?>K9SM`iiER34TmMHS&8);
zC<MVvz74JE_xs6qeb@C3*JWSMFV?dD+PkQ;y(!}ar*?*!j8SM5hlT`lL8L|%q;x7i
z4g<U`WO6+nNjOl_7;gJ=T{rUpb33^=kAD4dK+^72rg8Nx(=8GZhbFm>D2}Rxp!P<p
zO?!ckjY1cab>0qgjMGmkB)YxJOb3DPUeGP1v9ZBawtFI)#)1KXX>TyR&51#2D?~rO
z*l2E8N~@G>u%JfE%fhE;y}YZ$-C1f0XP;Wjh$3pi2=vydt1(sNv0-R?2o^F;@1J>V
z+OCgrTN~Hq%Y+*s3n4NSQlVN)L1uU5gT^b>eLcQe7Vbe)*xz`^<dE3er6iA|MF*F^
zoRF$0parwV!5W;Gl$1OMbpoSp`hBEBG!tHt#{z6&bkzHiAlYfdjSCSxafT}qb1PBE
zM6{SY60t?6aRD<0NiQ=y2mMTg-GRt9s;S#wn*shMfQ+iNGq7ktqAISiimRv+Q<$hk
z<<%idm`rqtOKO<dQAm1{j4cu(BJM;tqUJd9l9Lv5Vl*OA*H8%|gl@W974yf&?*)DL
zZtW*oehV$bMuC3=J=Us~{O*=<BfcbVCi51q^FZOU6X}V|O(vMHL=}J6gCCxQg&V9q
zlKb0_MZh1w|MQ<$(M!c(Cf_V?_-Ae{STV*K!@pPZ&c^JjwOu6?L`t><31sJxG<DQC
zZsd&!6hh4-hpl=@S7_r3jvlp(@W*gL6tss$bJZ-I00k?G+=vmf)yvwyAa;E~8?1dS
z64KO~>x;!jom1%7(R|^pw%!8^EB~@Ff?E6M#j<aeeF?b0S{bF8K&;ZJm35%CW~rxC
z`UIiapO-^o_UM{!L$2%y<BZ#?(coRUXlX1TSURI#lEa@to!||X4IJgM^`It3(4YjY
zqd@|{&(leo>kwj}p$*FT-vnS%%WJRE446U&@z(h_Ua%#9Vd$2JV3LVrJEm?x8TOx)
zg4yqrq5{K?*H*tPW-Yd1UnreD`<{|u976g>0RB<fID|%Cy*D()FkovhzU#%0ur?TJ
z_xU(T>#yPp;O}YaUlt9x#qmdQ^k~=ZHF{mshj`kkcj^sG0|bglSszd|AWa-HH8#Ib
zNF&f)vvyt9Lh#F=-Dn4{0=YZ6+1*eRhoOlIsqXVK@0CGg^T)*oQq$hT@8!0m+QvM<
zPd{4Ng+vP9s|=|zj|h;_8zMAzn<}j^L<O~ZHJTwtfAHun<td|PJV*^T9A_I!2fo3Z
z29-K{+RBlR_%q<|g8uYV`%B$-po6+Us`n9<Iy?VsdFa2_k9Dik$2Lj<A|(PfHt(qL
zdwT_M0>ikoumY<ngK$u)cN_yp9YQ#vh<5qD($gqiP=~R+wG9yV;AeL*!^T1BsT0uM
z@uMiH&oBHzB%8)mPgp@O=ZCvUd*Mo#un5EUmLvq5`ng=ljm*I$FDLy8(HUSnt?g-P
z5a)A>Q!WW?*cS;RAw&R8Oj1sW{&7Jl^D?jDuF*3BNrY}jb|3<R@V{R#?_^dU<enYw
zM-YPFdVFb%AtW%sh+_v1c`SFlF^FZI=4mYi)^vYdM(R6W6P=tuB>2}E9QdQoZ@iC?
z#wO;vS5`n07OEi%c?9z$c89nVxHoZA3&ete1gZd!<>-W!MJs3%6%`5Jf3#pB0`(Z$
zgn625clvc_I?;yvcH09doSC++ZP6OUeLc&w-U%%AXHui;Tn5;cHB^{{dCZep9{pBn
zj{m+UglZCv8iLiO{OQMqJ;dHjY=C0<2LkuVsD(**Bot8DAnayFrp7cn@uy2hL#xOy
zBM4Y50U!s(5{TFwsZ&89J#UN-JH=$mAU{6*aw0G%b*8D2oTR1Y$44L^f%ZPB6Z>7(
z-xC%&h5j5KIdVv+WDO30{W(^oP9&}T{MeQTu0!w{Fn^FzBWSQOvw-7)4&l_#WKeiI
zbFmzR*apmFJTSJMEEZJDrI@rM!gU!M>%1rAj-&t(Zb`~*(*K(9^`x>pkq1@@v~Wk$
zsWEF2uBxARh`ckHN=v3V2k=e1;Fsphi?H^3n`mm;lmIAIcbEQ49sD|5LTHkG8ZA+G
z(lr`5d9Y7ak<l7<;sC$+KK{76xUXX462#yB{$bAj|Die-PD5dGg-$$Q)4Gb4cF=vK
z>|2Q|r9`(mSej0|U%LuOFEDozHMwA;EGK}Xr{|mtZ46V*d^DBH4X6A*DWqOqOS11`
z#y#C-Ec7hu`H}%8{KVR4N$Qotsx80auWt3N@JVIYWjFtE4sQ>3`Yi$PO7c^lH|D`R
zoW#y7W^p)oqkWfbRN2DOZkJxa1_sw$-t@IVQ#o(7aUtA;d3iNjs1j8v{;FJ5*3`_#
zD1X`KI|4%CK#E*y4+R-GDJ%;NHc}ZE4`6S(5Y_(RYmbWql8Qs-J@fg}l$3)wcPO=O
zYY=G8+YoM}js&<EsOuJ%m3ZM>D$+mr7QPlJck0tKzV7?Y??NxY+fusS>2K=#9^D(A
z&e}8A{2Ehv7)sWK&{f%^>2GVI_jlfQcWw<Ts<iYM;xf2F-tO~i_<SA>+@lq|{7=?+
z8`)*Ejj`V;ZO?e~cV}lzv6(T5O>#yEkKn9)Vo`UnY_PWqILdye#m!6*^>DD=e>o2~
zyb5^l;bVLu@UiYb58`oE1)89e!7n?x%bxgPv3d58ypOerUeZiIW7qB=HvobJZjvo~
zo_i<K>a|>!esX>A?Sr>vQh<kN_~Hfur;znWi)J$;-3}^7<Bd@i&YsqbvQ37YwTJaE
z(W7MwKovjJB}rF7$|$xj0q-&sp<5->afs15nCn&Uxzp=ljwq)1P`XMOSkiCCL4S~U
z325XC)I9Q;Cn&xe4AWOB0prF0->Awy>0N1{Lh=40lTN>hHE=zMjGMX@Awa!(V+L;b
zn1Pe>xoi8vn!x=Wv+x?S?_XVHQ{1u>am%beI`CnqD9bhicLDL{!NY(<r{0bW<I}}q
zwHiFQ0>)F{3!FznahcL@G574SPnDf&V}?@Atl`tPwJOaUyT;NG5n>2k0wD2PBvt>_
zKtv$NBL|ZhMIvREW5PmUV)z5({4DEaJ_o2ns@*1k;d3sa8`A50<zj^73ZCk}H9po)
zIqb?MEkEEfeozK7x<8Jkk-+K6@4w4;+Oxi34FP?H-gM+;Bo9VsgI)Ct0AfI$zjjBg
z(c)OL5b$Spmxl8iB)<6KbN8U%{wg53L3K4J9YF0jx$k??5LKIu-C@2FZ)?L0v{)gE
zdg5;dtVW}@H*%M3Y$mH=RloJ0`;0roLMBr(xsfE{KbCg+=w+4hYda$SWG8-_caq**
zu1QZ31piRW|BS{*CEk-g&iae&rpoVQxw8jmZTk^*C(yn84D^%ztm?Z*%aQ2nlhx=D
z^<<JFFa^28esbb#+rv|8lNj25<nBX94Y;*uMUO)d<1(Eg2u9E?qYV$8epagCcnMW>
z_fvm-zEI6COXgwSa-=1N^*EimoZs02`&jc43#<i>m;FX9BvcV%vY7$AGPxa+&gq}E
z!V(Z?Omn6!+zS_tXU&iS$3P_UOij#gr6VkP`?C-cvoOf46+t>Dh@hPsb7nXpI1!kP
zHu`&yTMI?i=ZdVaDBeB)hyamJGf3=DZzqwdk0XZ%6#tLuGeKOTeBqmMucMEZZ<Dqt
z&cITiFmLWG$q)!JPfiBjyhdYxsQaasCtC0~{DU80(Wr6WZ;&BJaxP&Vte4S~9hAO%
zr#UZy3ENi0yEk*Z_+AgdVA}kfJyE`Pq={_uox5B70hL5B-V<>=XaiPG^32qT7K6L;
z@~Rp$P$QmPNe$qT=TWqfg=nY*&mVFQ)vo&1qGks#W2Uy+PrX617#T+sho_I$Z*3Nm
z5Pc#JeHBq3kTVk@Dw5G|B)7O~t<wz|g;dsK9F($gYQA!y8=Oulqn#xEV6fs}*!twP
z;7*%(sx3;tE|a-`eQR|y+%>zEXh|j^oPmqB?DFBXf?~(Ki1mT3YA0AXgJeV!--u^m
z)vzg~4d$<fWiaEqP0&<Vq^0as@i@thdL^}tqff}Q{gA;axKg?(nYweb0h+O_Go+{(
z9rm)`92aI%D~+i2%0)CvhPJ;R`SA9992NlvWl*_BG4>YKM-qXDHx4-TS~TraPAA;9
z$E-)4=|xc7Mu>1`sY{_oty3b}3o#vl?<=Q4!tJh0XFQz>H1@Oe<&%oVzaSpQ4;$9U
zx<gNQoYMaAR||_DE**Q}PfRj>*X)|7F$f%y*OuoY&lT%xyKj7+M6eHCB*><c{n<>b
zwEQhTkb9m^NQt^%NBv&mUr@RD*_wNlUM5yd^2x$H-1G$_9~HK$;A~J(4D6dY)ei~=
z*hg0_g>+=K9}*A2|30&$lH>4O+<G!01rqtGeT79Vn#c7fa2zcf)v+jmWA9{~MiD^l
zY^h8T_o^Es>W@G-9Tp3wpOMd?)J28W@RmC5+L}c^ju4ZESdGMQj&&W3`2349%T1^U
zU-cWSTAX(4q*Nnua}v!0dl>`+TGMQ*{F5pW1!%ABketupbort{&S`ZQbrU1o>=KQr
zw`hRrCyl_CDXL&AVeJ?DzK_BprBtFU{)LIkMKTg@pM{v7kh0iue~eb5l5JY20^at>
zyWL~rwP5+C8ztOu(f8|BW39G8OYXrvwG(=|an@K3AIfEPYI~2(v4Sc4$~CoS`u|%8
zj-QXh)JC7$rJT_yd+0K1)+kVbq{ZqE>v@+mHj>*EX1)6y0IQ0lfbe$y8nD@Ma$y1X
z3KNbbdhVGh4vrCm)+$7XmA>XB#R}ZTMOZV<l51`x>nCO2s#2X2V(%C(=$``DyAJMk
z-E}Xnd(d_Fwhul{?Z^dwyJaoup~8(e{7!9cNU4$w3Z=@@&5{6T18Xe=V=k)ol_~O2
zoi`?W8gf6s&zs)shCi!|yE-xSaU$)*LY%X@8oiyWa)HUD3L8T;qQkXwNJvx7!CG32
zn6fpUjhZB|E7LSj5R6mAeaxiFM5aKayCkgYb8ki6T>@c}V!NtBKChIBv7kb3HG1Td
zba78tn&Jhu#ougc;*FLMbN?wn5k`9L$j7^eHU;E~OL-Kgp>lU3Z9AdojuH(D2IyoD
zJOOtQ|MPoOVFT5aKuZavNeNdz$(~^|8{OClLa?M@nQtq<3v*SSrmBw>;bo!}nJ3<g
zaz7@}m0h5_txc5IfVAq;;t*}S$nFT5w9`M|xtxfl1>T1CYL6A6*K@tAy5$9GAmcnP
zBW6-%l2)KmUJ|w+xcAg9P6WwZW;+!eX~Tdsq8ww8QZ0v9RmEE>IQ`(Po4^7FPRWx&
zYRd1c&W<io<@4*@?I_BoC+<=p9EG|;f(=qCFb?E4kQuUQggLk`vR1KCp)}+o<eO0@
z15q59@SF3g5BPwi7yACF9Mhq!K$mvp&26>ot}x3rF;HBIsTSp%dD`)}F2WIsmkx9H
z#v&{Q=n$h)c$wu{12r007$KEmp7<#tyI6V)mbB~xFQ8IYU|k}5pTAQ&KvIJ-5U;fY
zd2SR-D?oi!sB40tj~SzsEeN5oM+g~zL+(X0;+jPCId;~@%4X;iIaDb^qPiY8nQ2sk
z@;q-XW?4p|$1sffLD5`NpC8lld+U2$^Y1laC@-z%fYus;%JJ#!=?~d<xTy+AE~K%9
z29YPFpv_2MKA6)y?RxLj4SdoffP=O`)V**Nd@RP1Ck;<t`doNiGpxjgF666%o?nSS
z9s(}a==4UD5;oX%T{z=N25}Xdt?!lu_(mAk?LJ87Q4<74Pp<&1ZHjM+O!Q-}CTpBN
zWuuO@eY!mB!N<)_+@*dewtiW*Abm0z7H%yNb^=IZJb8kl(}K5vO_n9lBAr2r->vlj
zuA)z)lnc=2iMck~_5dQX@4Lul+;v@@V2a{xj8PyVqTEJ?xq`B4V!`#47UC{2B4Ptg
zG21N}<{K6jdX1G&D9OJO#0%JhC0KX2QurBUd(}F|F44*=M-_QJR!Bkz6{WO*Eb|et
zQHs;0kw$c9Xf(o$*-OD-1P=q4Ka!8Np-Yj9TL;)Ea~=WEk;|TY7!w3LtVZd`Jw#D6
zjyk`Gm70M$h<N>MEF^jez<6~Y_<;8ZYK%DUv^K_ipYx0}t$;xIB_^iFXIyCo42T|O
zlXrtjxIjqPuCf(kAgh>^tH_*?RuBb8s@&iYj9gup#x+P>wfBOR*(J#s8wkX*LhjKp
z(EEHEwxSS0SZBXcpxMVg<~3%`zM0k4xk&X^V$iQ`FNs<x$G2;9!GE0d`TEWHh(8yH
z(lk^KSJlF)q02~S%dZ_t@$)eu^npe2XitiOn8|Q8crl?E5F@CKv0(rMcZF+7lV-|Z
z!FHwt3=EWw=V(|J-}ZT`$&FWf2a38%Ar|mVJk?PJ#;hiZzAAqsVX~~C2%qwlaiGgY
zuQg%tLZ4tRw;nf?Do|e)CJ7;-0a*7?wTB;Nk<^1?Va!d!WkrD3KlJTgaY3Y@Ep;In
z%U%ZkLf}DR=YRa5_wTF*NvL17<k;+Sa<^WRAD}Lb&{DR#&T|z-Ox^xgwq5A3VheVx
zZ>wz)hV6p33exQ`XtUJn{ob{LbCL5AEe#A@`mqIOlBdC^T)r)92czmAlMbF_&qxPY
z1nkO>K&zv!SWC57xynObu~aOsgc7QXQCCc!>`F{!&4$&;#%MX*6h%%>r9NYJ!L<^4
zYeDcq2Gj0>^IR4UyxRxqw2rh88g2RTjvhDvPs4if;QGJ=RX%=$vv>o!#7AgqeDAk4
z8(tF@%ix3=5#)=N==_6G7Yk_!aUkoQgSyMmf%IJZLnw(aP66I56P7VBG`JXzzu4f}
zep!|c3A(OTA|6>#^QHi|U+h9Rt|e`=R0=wBc{RdDajLFj=Tyo?7pUGOXO$WQpgjwk
z1>#@})@uXJbEDD^e!1Bs%dH!`B1^JT_VPIdd<}8RiA=KKT4}CUX|pbKdN`?tNtSk>
z9umi~)rQwVPxkzR>;o2j4&bKO_z4#|g@9SA0s;!gvUy`k<3k~lUX}T5<d`%}wJ*p8
z;2~k~`%1|yB&l{+V;A!T*S_Co57XX>4lRQxP+)?D&MCt%A-!!`+HdNqBm~Z@pi8^_
zuL?|C6#myG9QL-z7#PRrb5<pUF-E_6G~bpqg$B>p&l?H8?!k+zSk3xCmxK<{8sb0Z
zH^Tu*gGwX?*|%Sv0Q}Om8c0u-rKf;VQK2XCP@$pUJd(GlgB8xCn?ncwx9sI~CsKiP
zCZ=^Zm@ogB#nIqw1U8-jo$xOcTtMT1gq#IuAoufnKIZO=UcK$X7uarK&duXE1bq&~
z&i?6wQ<Oz<a+%DgUWe9x8z3K22L4W<La`&zh5bGdXA0v9H+>_$*Nd3}Tm!5|i*B(6
zqwfpB549k0pJvz(LLq#`V@1uHQou{U&4q+w3c*iYD|8OHuQrMg%^<%{obzsKVE{J9
zaAoH%2c5nG+1T?myv9-4QJkp+uxyI^`w%-moa~TBV5e7Aes2_62O1CyCBXo<U5@4M
zHtMXIb>CIl#XMnt_ue7Q4EeR`I2u9)RkQP|SFWY(+zGkg-aj(?`!9(r7}$VKut*7}
zY9~))bNWAeCsh;7=Q+VWpBx^QV*c=`E0R~<{(J#cWZx^)b)O4;Y2_!a^&-YM&Wv{X
zZF@m%YQWW#Nb3eCF+F^&hCmtRhEjg6vM>agvuN|0$=uy4VfIhAhGj4{v7Y2n)Ft|<
zj<Qq>Ymreo+D*^b@=6>vH$jQoXz-aZUv#aB1uR-9qGNR|4jPrKJ=*vMtsRP6ax;h`
zn1fO|A#i;hy_MvYQPLRp99NQ0z_(umR%}36!iiZ_Lj|*l@U&3jS9Oc@6#)j+ooXPu
zA$6XV-UtFIueHD|NWft4+J#Mz_ES*}?QfNJ$5%1e_73JlGhEZLa)FrH7oxMCOZluK
zl7jA_;UW1E13jwhBA~nA%tSCgfP?^NNSQ|Z7N)ZB`yVhMI`m)b%+GpE0kSbXXk4vT
zD7(V8-4|u+d!AFsV@<8!&D*vi^nD<eV8wXppH*s+kmlt4EKg58DFOk6xb8Tec6$8~
zry;}Bd@6>#)1Im8;!JE4SsFwL4${4qRdHv}b?wqd84+GX9IK!SD4h7x>Oo47kJHs9
z1NKi@V$hSSy9<K}yOS2QWP0jYwy?JEB}L-OMwb(Nd{u^hCQJM6SV~@uHd$q!Q2?f}
zp#(U9qOE{_wZ<WVh19S`IOYGmW>WQ#CLOl5Rxv)^S*GKdQY3-~`;C36wXJ}9vW?$%
z-XOV<CK7^NdWi-^od&l6wD7S#f#R9(HT)avcZBa{xWm>jSn_3hQuP++jWuM2xB@uS
zT5L8aWZ&x}wtcRgrw!csAsb$2GJAeFzKZE<z+2Nl^D}Y59fx3Dp07jAlgkthXR&!+
zoL*$Shjxyt$?l+7KQd8S?!Mi2AUCg7*BFCaJdaSnotHD)R{LVy8fL(|azH^y*dqE>
zKv}Qg1&jwcqz;VB`fezSFOYhz?9|n;>T3k{>iYfYleuQC=A-@7$hO_=R7Xo>Ii?xf
zE0E-Hs3_B;XEKEN#0RP87EWRUkrdK%znO67C;PBiiCWRd77|u;2KMh71v;S9-pjX}
z2s@5EmYX$JrT_CP%{g(6rHcAq`P8X9&tG|~Xx4v<S?cH1Zf0^&rp4MeK)h|A^T+#m
ztK#Z8#l?|u-|ae3t;`*+z4zXMiHXL66CXIvuA#iR?3-sc(F9l)z}bgLUpj-cK<>*;
zn}dln0)xXG`+DZuOW?m!^5r?3dVIK$<T@lb5P!~qGW;ndNCmu#_iKK>TQv3vnrXT7
z5`{L4qfrl2YNgPgig?x3SKB%h+dW3&vQEqJe=AC%Y4yB%CXVWEe(H=RyeXv;g^JbT
z<albm>CI)5=;ST$_-S=5L|56H%*W<kv~BwWxG#OO!GCk=dH#a;C&zia4WAGN2wxtU
z=g;Y+8*-6lYbdvnPdWN2)c5f3R(j^)&HHd(6EyHFR-8_?ZlBc2PYp^--<b(Cz3T2<
z%>{1sQ+cl%0c%*bDtaRS%xNoCP(Y)DFM<M^kDiL=kg;g6=%?~tH3GWre82hM&41|*
zguDJ45Im6yv39LD(0J$3{ZUYq{TeUUu%q7Op8pgY{5AZ=E)~^OoL*+TZ8TE)@m<aw
zgJ;Mi!~js#k@T7FIQ6gZ#@%@xK7YGq$)es{Rvfu0>Q&R<mpBDlDMJ&E)7T0j#>f|y
zpSut8qn1#t0XB*v{&Zzd`Vp{ZUbFXhVkt-fD@dC^AWLr1Vj-d_JXgCmF};Rm+1o38
znY3et2#1#V4&ckqt9b{~0%*zZglI--LqL5%^y!hngrFhXqaleSH?wV7)Ghqw|40Qh
z<FmOR<ri*HKB&G=M{}REBH>w$6toho4et>nY?-A;^jKT+sJy`Z+=+W6slZpwfZi{#
z$e#B+`MXzs9<*QLU3@b&^MWV;-+)-KSfb6VtVm_K)oXWcEBH<EwW}6%k#Q0|(NRe}
z!{yOPr@&XufbnZd#?jonrMVR|om>-l*R-FTW8tZyz(R^P=W>>Qmh^ZY@9&%b+QCPo
z%$(5))1pljR}^hvMBxKN*{~!FT5_}Ujpdqv>q^{(s{AwtQ~*=naL1H%wo;#pde!t-
z+d30%8&b0rJozG2<=~)r#?x8w5Q;k#N<U^GP?d-3Y2l_`9}ra!Q{v{26c*G=EBkJa
z$W8Q#xn2}iOSq9w<-BV2t8GJ*x5{Fr#4`LOGLsar%v{S@2q_hyy56CEyc*~+6$bKe
zU}OXYX)pi%irSX=6yM;s>^VN<^O~T6ryiwrX7S_Nf>+>SV6g3ZJhb1=fPOmHbAPlT
zLqQn=Wgz6jf{MquoS!LCgxw)L%oE0CMZh2dv*|r>;_%X;M@Q^IubTb5OC=QYUs%1%
z(wwexxOMqtiS}JcBsx+pA&3B_z8BY3Bd^NL|K6j*<?!&e&ZDveMO2)WPsUt_fgK$+
z2fb?cyU1hiQodW8mr8|5ERTveehv}|1$GO41@=PWB5<M7VJZW!@+u{={}xBg2`J~B
zswTI)&U~?CuQv8w(5q%Y@1H;OA<H_GO6i=@`avI#yZr3W_xv0r63ui!fvg8kELOcf
z2bkRLXXN=y3(R=-<@f*Qm2bctDo)BL_tjx|2f3r;cnf;f?AKQDDIrRmjvL+h``<QD
zT=_X^=L661D%BTYTa6%Xu`UGut#p_s@e9Fv>f~KIve1#@q-LT-a$LwB4azyM8vVT6
zZPBtC?eb_5pU&|v^s#H}$Ba2h2|$CWI;)}2g-#h?ws#a)eA8<8Ms8y~pJZ&bp-@S$
z8vc0v&hks7KHc7Fd$EqiK8^4B4tK%M*d>AC=ROIP)^$~2_O4H53@eNNp<PmpVE&kH
zo;t4t0(1xv+5#O2a0kg@$>2vU8eG71F@lWRfvQdH9J<y}7T6b|I*8G3v?4VQ4X6YS
z#YbKpKmkHQKia;KMiicwozrDFkYpiu@-(7bs*J%cr3(O;e@*+o1L>s!r3ers1wd^8
zR0JA<`ev{L!&I^HrrtF{RcBdwwF?!<!H^1vFcc_k#g#@MaswFBPM$;tZ0VtS*s&?0
zf#ki8({Z>#MUVd$6;t>xJA3>EI6hb>=sokLce-aB-ctGojGuZV_o@TdvN>xnd}Ki3
zE!Dy93jp#oqT4FWG#Is02^D62B3`@Jh!>cOFuRIXZnPpb)&^99hT==FB*;T3s3UEu
zOA6Q48SX)nq~ADs8qqCP#_E>RKEMx9GOwT#4MgA=5f&-DnmC;Z3eX|Q(}-^AWUOu}
zeFz#l=ebt~48em?hBA-~3gdNUP=mJuxpML(GGI#&&2`5vg$6@C<;{Zv5{h*sXR4xb
zrybq{0~CQgjp&vh8mn7MN1#FE2q^};8^osi0D2#K3wi|_(GQ#P8vgO!enfBoC;K1l
z8T3B%3^b%4F+nO4J3JB3!MOAnwY)MX2~i0-`KR)dK(4edm`QB$zZ}V*XJ>wOTM(U|
z1iLg3iW_``g?pTCnH{+cRYbjbOX-1YTW8HtT**UzN>POpS6d!^Jq@;};Tz)NDq8(M
z=lgu$jPEBB=_fO1^4}1)WdqY6e!L}0iBkXa;f#<6FHfo8f$9n48%C_DfU)jZ1MYn|
zYn|!e8+*s>r<(hXNn%|ZfdYxhcex4>GHCpGh7Y+4DOl(^B@|D^XG%SqHW`k*|Kebz
zA+a9}IKXcuB2JQt4+09d-gC}n$IM83x&@O1pKIepLA^IdF*87mw^|5}f?I9<;pm(d
zSxM_$Cq(MR&wUPv4{*9+O|JTeaQfV+3PhKM;(KpX>iT=vH`n*L8QLsAqgICOd@*Oo
z<(Z0nQDh^K5-ZJ2mP!E?$OQNSeD>45Hp<mX9`^LD3ctOTCX1_aOb7Gv$$T<dEb6*h
zp0-lEL|Oggi*=fX-Wcb-Pe?JV(lNtDRNHZxIO@G$S>N@iQ}5&6x8{}Zxql{)QdW+W
zvw^#1HUD|c2QhvqgZCu-PnPRJOjozd(}zN)ie5QotyS0!Lf(_@qn09_c1Kt<vo?9J
z?Iaz52|=CK+Wo_3?x{3CT_Ntl?^E}`nb4jPugUsqX6q1QkI2(hg_vR^py=lhqp)C8
zl)TUifM4GS80qGSIfBf`;f!mb&3a&AMo{|?n{8q4$PjBKrBoWP2`}ROPT?$-gVM$r
zt-}t*4egpt>L{6IGEPXxc`9Qo`K&cahixu9W6+Z~NRG<*5T+dU{imqE?sJ8D@Yj@i
z;5JU~1_3ngFbo4fNI8M9VVEXvG*}Wvxuin70L040F3LpVL=tT5B$XvB2`V_H;&t=P
z{>Pf7UaGRi7lT%oSk21ni?fRA!eaLum7X=)fBqe(XPigr<hgH;`rS&+Ef|4W%_G8n
zNg5!BlfzddMZgxJ5_3gH<h~?nkQlvBJ^tejJ83LG_1w=`lguRL%2(cY!SM{!ZI_Q<
zhzc4_CF5rJp7%?0jf}l(He7vFqy$)WWK?)d3S324JsjvJhEq8aT4Ug{mHlyZPt>EB
z{^bALw!ogT;itG3<tOJHnO0BMW1hWM?^GaPjsnFigfY59I!Lz)qOFyjKa*tvK}J_)
z(L|13gs21)iTiftKWsL2P3SbTPxlqYS0ujKtWhhDEm~`~CN8rePM5EB1WgxaFd=Cg
zkAG$Zu$5z0<7Io+S-8KhD48IjHht8$G5))=2TCT17NUC~=ZL`*FphcRLN#v<h8ebF
zP^W`@Bf-;{Dx=L~Wi_XJkhdLq(1qM!OwO(DDaC2_;5uO;VT3EOw5Fjtvb$*@mF_C0
zgg9G$6vIJ06@?05jEU-~g(<TVVGZVmiJHc_b{*c`CGU<={uY7D!X4U0POVP?g;tR#
z!37H*kd=AO?Hno=WX>9Umji_NknUWyk_Yx3mjLlHG`cmmgSh8u8)F0nuKJx;d<fwq
zLfZj=l+Y&c2^*jqcdB3|k3C3C+@;MiWc4j3(73?*{>oB94ptnQYvSA40~?bzSsXon
zF$%W~(qzX<A3Sr}w*@2Z`eNG;xv_)9`1QPF-L?_~A5FTcpEuS=Lz7ZF{Z*Pku%<sC
zd-c1JUqbY%bxfII{c_8QaVda2Seohq>Q@x8rfu4`X-v=zTe_=4#fWjNtb?hL(R0nu
zfh*VWWZSS+2O$t>NHKUL{&JR>a6G6H>j_IM_dZ5~s0vm!QR21@x|SJP9+1R}!!iQ(
zfJD^NAfRheLfmmp4N6ciur3h~hATK?p4#?)tBvsfp&OC940X!;wg=Gl2Q~NiNx&kk
z@RFHWXjFU`eHY<Jig$b4v%BzTjH~4w(8}3%GU{3Wtfm9O-Dx?NIt17v*#}%lz-$p4
zBx3GP^W1eyiRqZ2w(F*R92Xg9lvxS>in6J`6*CAMNR}~wt1?;M$qx#6Raf@;HCq_0
zJD3Y(pQ+&5fAvKJ{?Nen%q9(+@htamAvWI0?~9?)^cYL;(ln>u4Sl-$|7vgL3rtXM
zh1Piq<4{agL`=m21Eb1fYNjSEG#Y+A$8c^j{+5%wB<mU}knm3tV;FNzP(BDD%B#f6
z;ec2O5sNo7VPYl{HM23x77>YAc4K{DrC&4t?b||!rm0m_RoE|@u$J{Y>AaVqA|fJq
zzhh1vXXRSvsgSkpWtvMN)vqJb)C{{gHBHNR*#|@guacX16Y1|#|Ip_IW5LT55pXW$
z&^Vxs0KN&wy&6zxnz=MUX#13cB^SamhqTh_UY4col}b|!V`0RTdrGIK!0yf<?H@Kp
zFhXe}Y~Ki?2R|XH$0g|$7hHFRI%Ctsj7TcN%p!6q7|93YA)2N<ZVEPt!2kuIW&Y7l
zWfoIYBv_m(e5{o?w3#YNJU&Y-?~iUVA4in|ZxbjB6GTjKzA441ecOLDdq^Mx)3^Y1
z7H5zQR1|Vtb)$-evj)`Q?*^$@x^|QekSZ;fS*1G?noATB6viY)gT@(*6uMz2Ass9F
z-jO%Kh8p7n(NBq7HWJYYf64I`VhUcHL0z!a&8LBDSRl22pSp>qQ`_w;k0{lo5Z0nL
z!S$Z^YU(8~rM1wuecyL&jHw~eMQSL;JApta%R6NK+_o`xP3Ov%2<sxs*tV_W$%!~9
zm2F>{xkR(NXk>^aArn|=LpGc>MvdINdG!ur0g@!Djm<>dcx!6zs#@F_WUPjE54@?z
zE#Gp>%)iOiypZBAvDzE6$_ESHHJFRDG#K_e-=*Cd&!#MeT_Cd5hsJ=uhX&*!wwM|H
zxvY&LBORPht#~$f3y(^59`yWo9>R^}vJC`SO6dY+4}~0q9xEG=re;G0<XAQKJPfj5
zDR<nYyY$ZTyz|!0i)a6v9{Iw1Kb8@h5*o__!T5DIek88PDOkHW_OOCl4mQ<h#G0Om
zHJ&}Jpq7J~_-~{ff}xLV2OseUbqbWX@$F%*+ThorX=hpUJRR*W+x3Hjs%c?2xL$S=
zbA4-BHlfjP)k{?h`aia_Y(}>J5CR1S5)CQ}u6$pWg6SV?75^t+*>o%-8m_9VQc&};
zfhI4ITPe*?|JYl%i$E0!1~)FQDyRr(@ITTU=<EYc4{?aQndVAAeV1JZxBSCa6<5NH
zYCO;FK1!~tt5Wb6^dBzY#JL0?LN3F|sB{D6`>GTyxqtXH{phy!qaXd~M?ZQTowj~-
z6a9`pKV;|;bpLmw&L$@x6(l{MR-77kR#!Db)b(h>F}kmK@%cyTiS$uI6oo^3Pyv=D
z%9e8_N%GJx0Sk--lO1woJxad^1|MP1qegTADn;7$IR?k;8ul+BV#5Bie|;R0VtzjS
znozck)g)<<yDuK3(|vXI*JHf~Z*4N={1ksz)m15|`G->cdZC<`QryOW*eV~YyM<9D
zJ+}-JuiC3L(7*`W3Kz!Bt$@XGP-F6E0o5h-vH$2tKl;&+e)OXs{pd$Oy5WV+)BO@D
zv4Yw`T`}q`_^MQAj+!@z>m#k|m5p~%Xmkp->s@jlNd!y8A0S3#pMWv2Sr;V1MgM@+
zHcnRe?Hq~EYJRM^hAy9ud9cu@CVHQW28ZtwtCm_VW4otW))VaMUd}7YR=nR;U1i)}
zk=PC$VU0nDV#$_|!fH=xzu)-R>SxGr2qhGf<vu^Zx;4^<tca4d&WgOaeVE|-vUvn6
zJ<ipx)&3AmV>HB>OK*8ln7QziINYIcv#q`LePTc1F7PfS9H-g4!;HkRULu@I*XTtN
z8H%Ecv70w-QL2}tr90|ND0(8vzV6JV7nU^blH`hy^=SYcq0n$p<3@i9#ilp_Lg~<|
zZc8Lp8vLkmKnUO=1z5fq-cSQfWTOnr6w0>RfEpL^!*F*)f&<Q#>8nwPvrKT;DVKWB
z(z4!H&R%`#LuFF8mYu^BQnUQ_RzNodh2Z3L?cy6Gc5U*p!DRO{+}~?cJFb$ioFBhZ
zuS`)=slW7=(z$LPcUqxts*qQA?5rBCmgkM1fe@+;3@CF+K2Wz0OHNL~?kIIxx!4@4
zM?6?DZ%%A8D2zY+dj6fq?Bl%Z+Wv$ZJgU{}HE(>&Pf#54AFfj6|C`aDiE^bql|Ofy
zTt@#sL4en!hPc!!=wC%LU_@_lCR<y^mk`pH2PNnSd)?8uWhL~`rzdKULHXVkI~FA^
z${da1?>0W1nj>`ym;j-trU(x$T-`Iy&R)9uG(FpW<(pKX#ekL@&-8Us+L3IR=jX-1
z1_OU8itrGNuT)E7S`4Abq{iIAXqF*tTFBddRhrax%%Ic+;4Qx+6yQB6vdKl*_6xi<
zuEKe^^$GtIQVgpd9aQT+fZ|{<)@o!QL#kkppJ`y3U2&&ewryf`Eq4!Roqf^WM7pHS
zcvG+xtI?YDvfrs*FHkUX=)GoZ<l*8>y&Yb3SFEG#@PY>*d1v8UzQ53ZHX&)^CED=7
z@%93(Wb0f~^L%a-LtspoR3smw_9@%7MXB8;OQSxytdcu^aVJ-(*fRFv>G4{%=dLI0
zMpL?wSsJOI@;GVB+TDrC$qvi)+pDJSd+2UP=<-hv-#Q#s)t@+L8<lEa+f5u@UzTP0
z;s_5v;mIDGAtl7EliwQn_?i4}pEl5(o5e(FcqHMmXHtBSQJuRjz1v^4sg3z)Os7h^
zMYbr)OsN(s&*Gnmvl)irkDVri{MYFbw7DSh81)qD({7((5EY;FrXq+FE5CQ$kNct;
zREkScSM)3suS)gAu02Ae8-SHxmO|`#J+T?4Vp%VTHXsEndoG2T6i$4Oc~wLbN}S2A
zaemg*gE$xsL`~5|qilrwKn?=QjcTw8Rj48@rEuzxu#Hi;1qt!BBo&zzYN?hXTtdEt
ze08ulJ$tq|<Yv*huJ%1N75aW41K0N=O6Be-JIJIHv!;;#JoYfrpy<p=#OuQzwBv)<
zcJB@4ML|LD#qdkece<iIX_cDl<5Qg_EYzBbPle}9nwGYF8jZjpWWli{ikaD#Xped%
z9En6GuY9%Ty5i$9(f<q86SS6jstJ;om^38B9`)uH-8y3!gZVi5`4_MQXK=Y~23hFM
zg#Wace2IVNMWM7(q{bg?B(TBf1qMyB4U`0SDG$+8-*2u^neIk$VHshYttJ_=q?q@|
z)1bT)?Q41@0eH&~jG-mYa-!c^??FaMbz%cPP55W9l`XRHp+0N~g_ed-$hg{c%QQY`
zB_L`$k^|U!I#Zsl@K~0#Jed_~OU$^LJT7uckep9$-Z^Xe5?n8*<{AEKI3Gm<H|WvS
zmB*vrmGG{tYoP_bRntdnPkSvbzYqyQ2#umjQz(#69u^CEJ`L}rDj<rEaqiWY2vKxy
z2y}7|Ju>j{-rmrtB*ePr=#dffu554Ju?zEfe|xwjXMzoG$mcz>#=F%!)XL0q7w%X)
z7`|hTcXBV(do%(2K8o(Qp)dZJ3|*qA|BOSXr|)5u|5lPz`^UUE*wM#hVik6Tt|pkS
zsZkDsNYYOAuL<gvc+Xw@`mZ*4Xe0pEB7*?>T?T-g-^KyL_^e(h#gq&ItR;Y=G*u;N
z0mbaMk|^66;QQCoJ``U;Og@5ye87v)K&wCF@ishr87H&fN+orlViljwzD%oNTd*^a
zRptYd(``?i>Z6mieJuU4aBsio@$fzWTm+&ho`$NhRuh)G0rPmjXBVWI74J2{e2{uw
z-NR9TJRi-1yR547%n`Xxhdf1Mx}H;D00>vmVrr&krbLBM+~>$OiOGO~gpQMFQEAOW
z+X(uREF2<*+c9onHMltg!a_i<)F=;5c{FiCN1e7x*_z~vytjq`n~o8fxY>%dB~HD|
zB@+R$PIH$xJ<Q6ElF)0?gHzFRE6tuN4WLkMst3qrZ)faUIGMnQ$2cQAEHR9S5EE{L
zr>#oY%H46eq7;bG^<wA~q+jpG$Siy#a6oK2u|WaM;-5i!XtgniH$CLh5fIll;%}CN
zw~RjdJS${5q$N*QaQgEj*;tC+RSn1zB?t6Lt7D*pd<UiOBd?YQGs8gDO#nqgKr<cF
zcP?<mDX(;^(*1S@28EbtteMD5k+#HsvVjPb*PxF;zF42o0xW-pOY(bMxZjuF>f-&!
z42WD(_uqqp_dD7Tgx~kVjs1sstT6-w9pQ*Mqk1Z(sBc0?29w>UAx{!Z5LIIydTj7C
zk~sx=j6<=n(6YWm{$cZ`xjnW!fNHg|23<~exYoGY@wD1a^zD`h@1VDLbI#qNZT5P*
zo^<%}pGDwSJT8dT1e!P{WusU~?vV;_#a!fA&AH<j>ef+TziZuu6x#E6n1j;dXhyIl
zbkP=u(8j5z2r3}K3Iq#wu$DA4wxu-5k|Id30tG!^_R??Gi^oVW!0BO`6WnT$Ox$LB
zzeV6B9C7wxfnR33W={vTJx{@T!Wo`E-bx)zQv&LqNXShfNjvtH;YD;`jXNsqjzv=n
zBt@DO$oW~5X1zF}8P<gy_du{*Z<|ZeEJb238-iP4I4wS>dC2}&b#1<mkPS6_9^GK9
z`^6`0x+p<g*JaUKzSzw{`Ya5Sy5E;gqubWFbJs!~d*McuGTti8GXbux*0&jR5+kKP
z$^E~$0g1yDX^GwUfARCWI#CF-i>m&rOxGr-+F$ZR9&#o*VNM~(mF^Q=Wk6#csnDtO
z%Qa#Z#_cjjg#a2$_*7OgR%MhHlvdAalI8>S@S)yI#42m{@?pCxv~iQCV;Eu))e8z?
z+nOdFcop#(pE}Q&A63LS-Vc4r66$<h7YFWxEJ(*5Lj4Q?SSdE;qF=gBMi3^fI9NF1
zo<w2DsXmJ0V5S3llNJj6rmC8pS2-^9{~B!enw(cjGCSKY%G#8RonA##j*^0q@_t9i
zWwmtW-6b2rHw|?~by9UMT0JY*fk_<@Q}f#)NQNXYVXo!S;JN~Trx<GVTZ-v1=?qcl
zA*|D6+I`r|^|0Y_PJ73i#RbO287%?&7Co{qP8dyr_|xYKy4z7Sqop?8hRTQ`60o<j
zpm?yPAD^xZ04B^pU>74e&K`7{or=bO@vua?VKwstJf*XL(WyiRA}-(<z){eZ+*5hA
z{IDONuJcyNdpoMl9TWts$KlHVon`b52ingBGM`!k=+BaxKLd0N^oj`ZYJG2|3E6nq
zpmvCZbsD3|iwoc8?=P17j$s&<534{w>@4~v3}?L-kHnn)xSnRGYu0q{2e~8oj#us*
zs%k9xfc)hxHF?){#(BWfg|)qS-fIhM+%e{1R~h`s!Vsf?R34jx#A$2a8*Ik5bRi-4
zp_AQL4n9~vQLI&*cA@hNIRdoM*oHdn&!&)@wb>Wsk!f7ipo+x;)%jpDR(ZP#ku>7m
zEOYwi>?tZw+TSL98(;@i7MyFNrikOZne5uG8&LkmF+wa*y!|SPg^DU}oKg7uMWdvj
zn^+a9*Sqs3en=IdxU1bVMDj9A`(OFoq0){K?M0cQeN*%{@0-Uxrn${Q9JFiQfm*CK
z(6!1IUQnzB(=Nuc?@InQRswZ{YN*8w86GPSiROWuo%?UBdObr%5|q4&Xn7hiBDVkr
zKWK`M3O5#zk!O`Ai~7(4ed&{B%zK*XDpl(W(rW1owt(S@R*5mBep71JLvEvAYkQ7?
zs!r3g)MMWdm4N`0yciKq=h7{n5nQ*f9kW@JQZpC~%TmEkqLfPHAHRUMGu$Lt*Zc7d
zZTICfKqyE;D5hfFHHPi1v3)igAaM<iCB_&OgpsAJQAEc8W6ok3SBLkf3Je<Sdintk
zF<Y~Kh^W6ie2j$O1#AHC)owsiNXvOLR8&|&5CA7HSXJpS&69n`0Cps(%zLr3=sX>2
zqDxGbHZlCYxA}jkMl8~>fdx?@sjHmz4_8*T5U2eW210*eoMxv(e=da(?|)oB8e_sB
zO8R<ssxv7Cc23Y6m5jNm55$frg;KNjxEeEWL*F~D8Vk(>6_Pl?P_8;3W5Vz3uCS$1
z`XhCUE`+ldz~?g?K)PSi_T<GaOX{JCDp)rQR8@<T{}Z&f=)}GNlf7I^^Xk(mEkkbc
z0T5GN3E1_<D!`opj98(DMrM;(9z%16j!F_qw0bGsKti;&TKv%_VmIY{B}kB(Cy*e+
zMyWPxkyRRyk}nWnGOz<m&46he{r@DK4P2NMX9Yc6hlhNXyJ{AQIp7qS2hYLu%kHkv
z-4@cpe-r|I5G|=d&PfWAXhAK5t)~zLphX1+(E5*raIemln2xE*wrpv3fvytJSYy@;
zX(Po4deXnA1wENqhd9;nFoxc(Teh4}SBpi6dh%~IA{zNOCtD-BFFE}q`Wbe{u)|Pz
zTjQM=1xK6lqIbD2FFI>$9jg9YNk0{6$u?5&b1q!}9q;k|XZ%jR_P2-C>dp9Vkr2u-
zL_btNPWD>D_XYo;Kj#8$-SjwY5yIG00i$F>$@YY={lwSah~OL*?-)nUM3z!?5yl|%
zVHfQ2kes*XKa1_=F||`G6xl)EqLGL#ccLzN3RU;f812WFkbGS(blnAexwq<g1d~2T
zxjOhAv4<YGjA;Pl^hnP|q9697mQB{~b;-YM#L^H}i4Cj&pAkjPNZr2W%(@O$Km@o{
zx}3L$55M>Kq+!zdcR6Wg*dP~bGIMPb-a`)?QnV|Wkig8KTn^P1p*Xx0yn~Ba9~=fM
zenGI&sWs%nJm=Le<dWw_q9kAA%ibc%45W9a)m52Osyg|zZgY9r@oN7?8z&YUClJg{
zcVaemYI(SF?LWj`U+Tr;2|ph0#X+eFA~HSK8(#qua7uNR<f=^dr|Q!eP{Yqs=?IwT
zn*dSeI=@&1Vfj2sbL2LWD|~%_2EZwxKf+>rC8GoV6KswChzaEx*Ka-$nQ%8=>9wXq
zEI@wdvgT5X)J1eVJ8sGyWsoxAC$p&t9F6YOK77U3m$Gag`4zd5&?w^;KRwqQYA0FC
zS~!~?7|N`p`-qrd^KvLmhJ%@XyW+OJ7&z)fBTeQWx6CRvL~pwk8ab`dB89Hl9tMfs
zTSdIph@kde290EWv)KeTk6;D;#pl^1F^?)Nm62QVb}61C{-|tBS*;l|UvZ35y4v#7
zTf-2MX4Xk<T~qKT530u#K2&<K;GtR{g>K!>c-tZMrg6o$&Dqcx<k$wY6L#tmH^5RO
z^^;G-K6|KXPmO4{ZF!KtutpB=)M;Eky}{}`CNfb!OLH#GoJ&W3djoM&Nz-`hrZITj
z?8t?&l@~q<Rf-<<&JJ>{p6FxWZ`bBN?k-~oy?32k#Wb~D*Y~OGyNIA;tbnoW5><KX
ztbbM^`uH^PdJW=PgsHtE8_F>XW1$YP0b>=Ev_8!^IKjNR#;m2)VO0Nu8??RVx~$<Z
z5oosr;N@O9HJ*MXDqIaX2o|%`{RmA!f4DcZ0$73Sxt_v1qLk`(dp}{hV87aHMG0~b
zHE!5{hzK}N^HQ}EZRQLhgjn~Qv>lS^WM9wPIM8-GYX#}{EQH_@<h_7~g>njrDVU-%
z7DoiGp2@<fFp~yE57_Y@Aax8$J(&ANH+*$J379aPI#ObRp7*D`-b%A>cRW}M<Royb
zh*Jv&OJf)xP;MWVX2gHIql$~8D*`evN2@18ub5R=GJ#n}fx>!>afZH8*2sP#X?g+L
z(e00^$?&?>l?_P9_@SWSz@bRDkwCp{QY<Wf60n^Rv46=S!41SA`ik{!?|lWYgg0*S
zi>wM*cc|}NoOMgLyc`ijBy3dE*v~N1nSZ~F*?H#>@nRZ>I~aLrcS`?<<dJaE{y}cy
zS)0@*0@w|Z+M1;Hf+RmD#fUsj(-2E0Ut8<WG1o?AtZOHvw#(*v7V;QnbhL&+MBQnC
zHnW8~_}Zj?#vB;VfiI&JZ*d{%Y}QS~Uui|};$c$LB?CBXBgb)Dx9jC6q;|rxS`c$b
z`ajHE{6Elsrxv?=ZOvvJb3b{Ze=!sG^iiXM2S+A0dx6{kBP}7RlVp%(LUi%GPZZ+;
z;9s6lcXsj~!xeR>FTO#HVR5*kzR4f}r02#sjboNd<$)r|_E^&lpRbY=T)+j&p#FW&
zH}!Ec00I_3@oxC{zF@b<C&mfz^wsK4PTpg<qTb>cSt&NvK09Ru*wVjXJo1qjGX*(f
zfkewQ3m0aWZst0`q9`Gf6)Sb@fpuy)gUl3Jd9a(B9P5+JWK|}$Q36)l>|^PtuDnP%
zYq<#YMZ3Us%ZmI5bt~7f25TB{cd-A?y)(RRKk)K8w{M<}fH+1YX532Iawn*Ym4}<3
zmJBerQJZY~rqB8)?<D)*Yal6R`M8EZVYw24==`aD(d~z|@*x;grAVuhu+lrMBrM{(
z=c)!QgiJt-qSqUp8lWE={3a2kUwyf0t*e8B(YrYVcq3GS_nxgbW%*jqiDA%%T^7RR
zn&F8JrDv@L+<fh)ot-2)=BJ&$_>;^d(;ez-JXgki7XYbL8WitFf8_-yVuUycNQ7Ub
z$Ms`))4J@V!r%<AcY`-xF!vyvTxg##%Q!-Ic!>~KNX^tDp(d;f*EBT-xqyHZU9%ut
zWf;<MN!D^l2%eEV5l~(Z7@4lP#2$7<Z->c=f=be>@k52MKa%*WAlf)a5F<>4QoHRo
z4a1ZfZ?xleC-dZ|AQ1|73lN&ezVHP@t7PPp8c!Nq?zYoZ<iaU;?C(BpZH79&>b>xT
zq<kfE`4el^LvAe}o(4tXvS&k1E}rFI^*u^84NB?7R#*>rWb9_88R#1Of@%8%y?<N=
z1!Iz;8gvMB-=#r7dEhdHljGc8m*M!^0h&yS<HEieg;k2SgAe*jh+3@ZlDVjOz#nN$
z@WJ`FK~y(2bncg~0H#d1C5yA@0mBd2eJoVG)UlE1cCUEaa;+-ElsaSh#p|>0p8XN(
zj?@pn^(kFpYc*EUS8<92YHurI5N|^BIG(QSbYW9lT*i?b9$l{2ElMpDA=3*w*IDk(
zUBNAhQ6D}hij<=y$9iNw>91tfO<0H7vtb%0N!~x|oCKAw)xCxB5E>Y5Dpb_2I7C0&
zM|M$yhlid8lPb{|gUWqscZwxL;&-Ru$|y!aJxnN(kRUdnBcfLWRv|T2kmFR>y5?rx
zTdl16wbn}PJF}Q5LECX>^Ln>YG6|U2?7pDn+7;RR)B15nii=f~YqUrr?0$c5@<uV)
z*PzI}8O>1WE`7SLW+LWKcNUdk^;A2}+XaZrPW#mN%Yr+~`+>y8a=N^Xc;)10Hk&LC
zpWeu$l8U)yBi$;_X!i5*166``pO@(&Fm?TlD3qg|*04tq=WWbm<&jfeo+U6*5BNiv
zQK`6|6nh%Zyl_wtX7z?hjarJlp)kq&>Uml~hfL;R*6oZjZ%j0%L$qJhHQA*_p_-*Y
zLqoF;jhI57T?#4C&S_}+Au22O{XTkp5DeZ4jruZzGwVfM$RmHb|AOMA*dsT1l$r>J
z$}#dYy0^Np=3|fX{MczN;M&D$*IZ!9&K((yA8lUkn*N;<_vx%H$#PBhrz?aAsE%5v
zA5s#YVKU462uyf|5hE_|Oi7)eUpc<LPiFZGf&>k{bAv6ccL^dwA3?2rvMEn985#Pq
z@^`9C@4SW({i-0Z&p~V1g)SdugZTD=!B{l;I5FH~AF$pJccGtc41Nrj7ogjPu3aRN
zRzU7h9O;bOVqjbeF7G*DS#!1Omj}n5P~pXBDI3?;r{90ZZ0;NX$vY%}gx`)Uy~~4l
zS{L{yW#%uuOjK0_F2a9M1lb>kf9fMhZvYZ~+6gLC_XWg<c;XUwGNzNYP$XAUGb)(|
z(w4D1e4fD2o~Q+^#gBT9L)QpUCo0o=)I-|Q6dn>XmRJ*U!@r_Q3xD|)W$!P-KPl8`
zW7Y_<CNNQ77NWw-RdTbgBn3-~IT2L?+wjAXv9^Qv^0ppCpi7Es{CB8-b;F^hnY*pq
z1<P}%1Z`9j^O#sm4Th|ymU%4tAt4I=j-XHDx9%UVcclJ6?%$)X9hi6Y>kgpn_No>o
zbfMh^cF9tkV|(!Za(!^zGc>O#&BVPjFJ0M|MJk+kU5p;1nTVNvD{k>Fv>_~N^p>I`
zw(mCf?OzpUADu%#at+;IX+}My1l<NVJ}%ZkgQ`(lNMdi^!-ogi8q6`3cA;Rvzvd@u
zty5*hN>54vFnx$MBZTdY`2qSRNcPz^rni~$Tln|;@vRNrEGUy4*_p6P8)N<V9xPEM
z9tQ49i)n4(-9Xr(GErbrD-#_Z7X*)i(UUb%F8vSBhS4#mIZp)QN$V@{uVg)pc`QqH
z+5q5jjG1S9D4&~$<3hjyYjLceD@$nv^ot64r)AzIBTXA-SImnlvpiReHc79I<lBAD
z<%O)s?aOICI#xdTx5VRya>XDwQjx|z2yd2SBw_+244yoB^5jOK7(==;jNAdwsnE<_
zjmxk=mGtTUCyn~AQbB!^S*Y1E^3YX=%yHxfXUOL{65?=>F>8E9<Pch5G|;H=J3o$x
zgQSf8i>Ymu4m-nag#vAAoZ(~jfZAYOQ0im}HWd+^^t(f~aJ1w|E@v(;ChNJ6@aB>i
z{KZ8QYiMvlf3}mQ_O*@ILx@hp3d~(6zzkYbIn$!o1JMfk(s=A99@EzPlb{sd1M5yK
zr}xPFRzO<~X{12I;>gs-xd-o6w|bC7BQ&%ID+9b#+8A1xS=F9yH6thHsm%^RP)esu
zfM6m9Q%KN|4Sfj~XL!{pbgZjuS0A31PID(CR+#H!!cZn=WsR4CBydumKG_Agq8iMO
zBTpTji-;!M^I6>r!JkD6<lX`p0rpqnzBj=XPWaQ0*e1uM|IQ8YD(N?^jYe^$qDld)
zMEOR=6`)eUvYGKt8j_e~mpEa0JC#;92#E&H*71k*@9I||*}!>`R@<EXs>_19m6z{1
zcZv5#VHOpxgh~G0BN%k$x)C{LMRm~1mwtT;HQG$!{x|-3Ypb_rC0Bcs2(vxo4mKIt
z2*d7&Ji|7;#z9u(lV|S|_+WJln_{u+T%V5&4$?Cn4g-U&#<WwpjN{x7K!Ei{nvjRL
z2$x>n6d%bfwHa(<sD6qF;q1X`Kn<hgSdPB%yUpBzB|^QZ3^~*Urq=l^xf{-;4lkgj
zLlSw6rU>*3i4&1Et(x5txr+0FqlyQYtzi>D1nBxUYRUV5eFhW&22{Ty!+b+x`ir)u
zhd{R)P|}|z>n#01n1`AZL7KpNFuQ4jJ*7LcBui9MZ2s{8jm#3ZDlf|vLwJ)ScX8F)
z2#S>J_ID7WiSDpOPWlW$aPHiYtcFb0h{iOgVI5Gra|sC#flfK4ow;EdkdTlNlUQVj
z)R~z{_2=VvBO!WyBQ}ot(F8r}lB&jXs}yjQagi29Olk@7a(iz5GLv?u>U{Kv;wiW=
z>=|A3>tYk1kNrzZ;X9>*Cs2fqSZm`U&RZb4-xcZM&r5+e&Bze$5Te!{p{%(-sa&ly
zF(_v+DTs_c1KE7qe3_kmG6u7Bb-V<q4xr;m$i0a3)DJ=YiPp--uzQ}iJoRL>#;_%{
zZzf~Kv~BLZr*h#_)qh9>&0{_dX%=V*&SN9i5!jG1#P^fBCw11t%~yQ4)oN&adsc+X
zLA{el+QVI(#x6AtHhp6`*rl7nJoBg^wQwvzqnk??ID>fPg%cGh>>GS9S#AgdrCDzK
z)LPOc%G<b-+lFV5DjC7ecgr-*l#_UBR8%Ovwe%^XzyZjHbPI=_>o@Cli2&EeW;71o
z+pdVw$AIR}$J-!bu7(snhMT`RGjEcp{z}qhJ}zf`C20Ckh#N_m19eN@6L$2$g~=hY
z+#UHwdGbWkFZM7SD_qnb&i=tU1{~bHE~T4M*bVfPOT4>2?bjMjlY7;w>iVzxjt)%k
zp%>?rmH;8pdj)PG4ma9hTuv9;dP0D>x$HuGD{X!-Gw)9}DP<g3T3qFWU^nI*>Oxnd
z+D5Gu4MkCEUT?)P4k|Rxo(2Utgi1TXBDmWS7~|xnw0Y*;z$Rs<a8Z?DvcYrL;oskD
zG7bJbFP*iL*}MYI)wQR-e|<XX?i=bt<?=VL6I%ef!>w1c4+iI;M^1I%%3!krZ6lK0
z(_n@T{Ji<WWL*puC7?d|fyA4&o9o=yu(Pk8X0dW<r8K+J@h^e_7370K`ID7v_QxBm
zwxQ`uh0aykdAnjMpJLr%=TYR1bHh+ri%3F>Gm|PMD&?f(&4=cqO3cCLn{_uTcZ0qq
zXV9e<!rjy&=;Hv&Gs3O4Xup$+67t3nhAwhn_SH8mesg<W$Ms>d`6QlR#HanLB9x6(
zJ$vMP^hjJ4IAv_hB#A8yS)GitSGFJpBsNpb^1B*s?|sAGq`>5am<IEsxHDxPn&=Wa
z3OQB$I8FC#b^8vFEnRLm8?3|!shPP`<1S}~7nMW%M4IO1r$x4^t!A_8$oqb_S9mCw
zD^>YRVfD%E$PDH<RkUw={`05^0|pR!{CV)EnBxQaqq3^Ul=kp2DCwb<w`Z-HGl|_h
z<+O;}MHVb$hGA&Zq(3c~eMz{Sa44n0MK%i2gr;&Q&4t+Uun*T@9uZ>s>uVAtWEr>6
zYcf|sfKzcoYLa3V`h71O9!`xFY88V*M0x$_atlPJRv~~u%&ZbZ2wG%CiVS=n{@{cf
zYC=Q~c-cryGU|H&tcd@e>laOFpMGuY46&hQ+jdKkY!e5EVp{5K$!~lnN%`B$q(WfR
zpiJP~w(ske&j@BemTjZh5>;-?JQHxbR7wsub|CAu8vzrk_I=y721da@`U7l850?8-
z3Pf(mdOCZ<ujn9Ts^SA2cVSRQSzH3NVVT&n95HVYpX{k9LD@4pRSD3-zw#vmcU4)u
z9yD3DiRu6T{`HMHsOjkSx~MWU5cVw$Z?ND<1l2{FmSv^ZH?1kS?kp6T?ezGlZE$mL
z+Z<z0G-hgM^O-R~?NjHBG0|8;d3sC&0h8KZOR!dlk7B&P+J%N-+&!ke-*H~Hc$Kjo
zkVwG(Ip;NO2Dt5zR__i*2g~yR*LFA9+N(pua+Ef|KH}8(J1~SsGz=Bw;UE#l6BFl8
zS#Oj8`@(v=Wq{WGtw}$}U6~ZKZ8%~JZ)T87x!#PwmM4vMlUGsuSO#?v-mpldu~x!H
zsfL3scnB^?ST#zcs!X>P;RZM7bxkVIbm3JSA)2y%qHrdYcuWnuSr-9SdT8^NN!{kQ
zX4V2XM>(2>s;AVi^<F%1st#xP4u|HdDAOtB>c>#OUgxv3<`9gY=_ne+r=E6me~!~k
zRegN7Sy~Mty3T;C0(PFDQ=Ka7)uQhSzg^2l5g2jx)(XU@Z&kmQwQlmLtmfb%;dwI=
zcOq#T#o8|SywRylmd3eQLh%2Kb^VHO@+@ATr2#{moGIu_IV|gO*@`|d&Z~JCDlLv1
z=+T2feuj5y&pdOpv$it5S%t4HxdRvfk&X(U2=iPn9f$1ccu~08amJ<f<@C%9tV$*(
z-g%<@!y;AC6>L78onbX?oJa;E`<C38N!f0X#<nEh#sqSgo5Le&y|+W7-MTsybsln;
zhpDWvt^FL>yYvTTub0HY{+X*7L?TjloaM2o%A4Q7`-@xm*xd;;&bO#a6_N~J!)4c-
zcK(7Jb=o+29*@<>&Ml$ZARC0%EcQA}!e;|Tcpgf|a`-k8l5tXIH}5}A$jPKW*UKwj
zW}3;)9cHu(nq=ohNKCJU)8057x%>3v8(`v4eljF?E=t1ZdmBLK2r7K+OrYLs4~Nh=
zl|zH#M1kAWyEm6)l>N_3qMo7q1`8+EhAuRrPK!BJ<w73Mer^HY>jV4p&85vSxzh~k
z?5>P+r%F5+-qzeUtm5=!TWK`T9)a?Mnk27R2F6a)T^YMn*~pI1mW+%uenm81_o)g7
zKaB%|4IL!uIaWaFlPFnZ%6)hUb@<x+hM8z6Dwu1&ht~9&y|6wb>tTUiB6=nJdM8{z
zx1z)gH*j^B`$`cvoyT|F&iqNhwjFKL)Sjw{y%ab?Q>d>qim0GWe<7sm^mG>DPPeGJ
zcwKy6Du{JGW|t^*LIVk=zwpBEUqyS5-!13l{2wu#<D#M;n)tuG`0YLVAbRgcU-vMK
zPqtvOcK>AlQ2~*>M%ExQW8Rm*<^!OKN!my?ZlmG!+-LZ%zNTk`*L)PomG`rUBqzUg
zYr-3eU>fb%2=&-(wfdn{$aliPo@za}q+zE^9YGpcm+6<=7~rugJwcl0*en&lCl<lF
z0-XVgx*d+j#k>~`dUq<g!zpo`s<b4rh9P@DJBp+uF`B_*Bt}Jsem^%4{=7LxCoH`;
ze*UFYuY2}4&|ig>ZCt|R*Qc;!!(*(^jXVd;|G!uk3`u`+PaapypStx4%$+c`y{6-k
zL0EVNgOpeq5@XbkU#JKjcILk@oI9)P-QT)cm<4P$L1&)-*x&#^ST)f~Eb~H<QqQug
zC%noYjl_(8_47t)8AThdrGBlQ;bx*`V$XNh)%3I=OIf;|B66)Di5Ii4#ezkFfx9zH
z%l_>1=c&|J&eSf#{PZj<u?|#H^h4vf9H`B5Q9oToL!PI6fEr1Oe6uHZY?wJ67cOkP
zm#P#^44uMh-r#O2f=Zf#{M-GFFD=UUK(j1svIaKnLoFJliH1=P6i{D@%d}bW1hUg`
znX$aQ`qG}lvVd_3m_g!L&s^4s(5Dz!c%Z9`Ms6Ag3d}HsvC6Fplal`yGWP{ASEu=L
zM5JY%caG|9-#=|@nH~tUaOINc>3CMH|5TuYRW7f8{PwjnQ7cUx;U<I-z3!IsI0sMi
z;r@#!=KD-U)F3Kvqe99&h4+9SML4F+j2NWKO&Y1`2M1y>YdJNC5vXP(t*;3G@|HAh
zRV4I;zM^Wkk_hBS`3T+66I)*#-U`Z4-2-<A80|Fxr8cTzQ2;Mh=>dt9R;ASw&qKeT
za^+}^gf_=Znmqn=i2?k~2sne3Ofoa7yyV-GA~fAV=Vo#zn2SSd7P=oaZOH!Oq2!5n
zoqb(k$$t~ZusKH^!mpxs>(c1R#QAI2=8}`i;tH_-eUG%3;OAQ!B#O0#uwppt|KI%Z
z^zNOz_ntj}MfCFkYu1cEA#2^yCvyw(v;?=vM*0Y=B2Xel;(6x>1mnq6DI-v5tDV(c
z<A$dr#WxLQp*P`j19o^s3zLKf4fuQex6(`@t@{=<zTdXd<|&qc&)W$2fYyja7PYos
zid9|MND|Sfu7u7sU+IdSp(63_0h|YV7raneCz5}6-?xP?x+_d<&kloV-Gg7Bf~Jet
zHS$+=qd%|D_Xp&<<F3by$;<xd>nSVELFd%oyho{LuZ2*I_m)?78G>(@jiA_7BYEE=
z6D+{;lsh_aV#Oq^y_H7`pMV1kdw>N)Sn`$AXY1~Qj!&nL|9^2;-8vWh@BGy5?<Rav
zBPQ9t*aY`7{Lr$+(VC=K-R=Ey;Vh%d`+PYB8Rsk<i#F^GNbw+e%nTuBodT%?VPTUa
z`>^%wB8vkvoU?926GKI?h)6MsR|<ayQNNE4|3vs8{|EksyTE)G%%8CJ&yUr+FS!Yd
zVJF}jh3u2U!}=D!zp$06`zZHS<>|DdgvA>tHKMUlBR^KfH7EQb!}Q0ax&ps2`59`7
zb6id!OzWxsYV-;oo59pTwU4=YZL^aP3dex?_fV$5r;{P^1hf=b8vgO3FJ{{WM0=vC
zTDybO*<5E2n}7YqrP4#UGy66aSJ>|wxUL#lyJ2f%)jLD-SHac-U(`AhdUhBPb{Y57
zYY%1J2VXW)sG&e=6>FTwSSAuF`lOXcOW(h<BXKpVudO_*dr*~n)zRV~oLKHKE4xIz
zpdS}_5=OGv>&j^nY2tlqG*rAM;<kZU;B@#%XkL=~B&J4F=fS_nY}T*)!!HlLsvn{a
z4nOPGCNUk3b`uIv_{De7V?vh)hh_O^<ZvjHFHj*RQr?Mnn?DTR|Bj!JUwsQ-p=DqD
zud@$>Z~O7487Z4yWTk0E%A(ue+4O=_BcY@41K_<s=T!%E`19BHJ4XJR)(E|>izlSQ
zRU?e`TW!9@g+qw=FnZ}TA6ju_I%m43E%c`8M>cyQ7i8p?DBfFa{mfErx*Y`kjQRlu
z(q9g?RdkvjAU68@4+x~+W^yFo)KbSQzCT3nZE74Nv-pc;GTrn+5Lu<&FSGQ%?GKt}
ztZaG_lN6$DdhBg_5ksZSMpNy5d+$!?WW_dKl&(bUHGXY7Txxyq{yW0_=iDG*|K|n0
zZQ212g6jjKidEnZF(B-87Y`%fuwMb`C>VT%S)%IyEE4=;mPN8x6~%ewxhECX$|k>9
zW!^W<`r`L^QA?{<?~6N6G3~xxHEL9HDpVvY{9SkDe8JjOLCe+@du6x#Mod;ukzd$#
zf3YHs*`X|vq^DW%3*KK9wige_o^me9FM;co@Sv`>_VX#*mM_t^ylJk!ki_{v8~V;Q
ztzM})bN4LBU4Gl<>i%eSv;RP<9z0bG*!vp(uj4RSWI9&bstl>o)cMP1aBUpAT@xeE
zf&SnBZUU1K>!5G`|Kf?c7zKX<=}@*l4Q}~fBgU+Kk>)9Q8geXlE^x47UDqZG+(T#P
zg5Umg!4Jcqjpo$ta?!R9>$=%hv2}kJx`n^9ABW)%3%+pOQik7mc@C0|Cf@W`{3FPt
zaCSuRu-*^7J5?6BP#g5WsLy@1Mb)ivV5O?`%YE&r9^^8?Y|S_{{aX>%ihfa__vIon
z;TF8IdG^Pi(`U?{s<UTn3jCtasy|dC#re~2pNoAt(!%dQ>ic9}XMZA0iz4~I!0!60
zC0s+Stlrs~%+by2$+Ip~Z;JN4T-n1)8%%=n+E80n@lzhgtWr;VWv@99Z*a}r^*1Bg
zjy)eAmna63tEt+jDEf<G0)!;`$kf*B9slAt<zv{{UwS>~&OUg-Ip0MV$K%fre1HLW
zzw5W>B$G3vx^-soO!>B<N>u9L2+m`>RHK6<Dvwp5&XJkbGBia6Qxvbsgo+%TVt9?n
zwRp$519F7lWKf%rx!8ejZ9b+gY5S@;D&c(u5oU+FnXZF1z79twsu4Bnb%sHN)Zw%g
z(O?axLwzKkF^xKIJS{{7=r(9ZEzmj7gQ>t0n$hn$H&`->W&*5`U|fidjR$cI9`a*s
z33L&)jFiOXM@v2Er5&lGSlJ69nyruos;9kXiQj0ay=CSqn>k&at?5#^3#KSrqdKX(
zWM&bm(GXwPE7Yc9r=DV~XCh;sN3)KcRAXNzN~d_nsPQ;Nvj3Kz&t(1W#d%}ar*huN
zE$C02aj8*>r;+H??;Cg6F{7=y#lknu<I_NELi@1g=f<Xwb^`<#9W0Y^JM!j&Z%B3U
zPlUIc1BtU#JB->njf_0_x)yj}srzlIF8l-gh7uNEzl&dwiDf(Raz=)l8W&1dhExj<
zkAh{q7ED1iUmJMKwNc>b2D$*DQiE|@P0C!{bS^mz8!xKF_ojFdVwvW5kas<HPIy<E
zp?`>|hheiI6qP&5zJF(g){qDXA6{486Yk|;!#3D7K$#MqJM(AZm+tdrX-HhS>B=Nn
zQd$g=R%B=Y$=&xGgU<o!PJxhL*paxuc(qj4-X)DaGKgQXA^O_#lILoB)yPq)eT`2e
zS?^+jv%o))vyGtF7x3?o6&)J%Zu+)RXa|q%H<_LHmGi^3-Pzi@e#n;x>a{#p=CDZE
z%(6IE4Cdcm+L1PA*hQk1YV)vs!oT_-)TcHYcL<V>B|u~v12S3`5wJW)FS%C>60%=~
znpE!}pqZKrA2oxB<Oe4Z9s9QHtas*11HXJkNDF^!6z<THcln)Dz*}73IeY8oZVNC{
z8v}Agz^wbf6AE)5C;tKT)>p;Jb!ydx50?*=frBB8{#C)or0rX=hLKm=)ng}Km-P?B
z*hK5hDI>lwpvw!A3A@!QHk!TP)b};Kt1g?hWH3}a@Tqe`WXH*G%8?zWzA+ben7Y{o
zmca*5I37*75V3ayn+h@p){M<nSl8Uh6AG(C5VqYM=qY<e6FMXGnleQ)m%vVt@ys<#
zVYV#l3C|2j5^56}FLw3>Z=k+&U<KX0V1|1#%O%BVhu7@`Ll1`5w1p)jt)%soEV3OA
zE{Bit$j4#G?uwK(dv7}Akm!tnQi<QFv6O)6*tuJF7y>2ij>P+(D9E~!7v;MGTjcE1
z^-Tl$tdm*x&8g&)$GS9JcKNeAASI0hS(g9myN6XC(>clc|H54%_G*y*0Wva9Ub)T;
z(4jM%lKX=cO7Mv(UX>&%GHCaRd%&FO{S_2tT$HhNG^B}Uf^^h%dWHa=5to2$P-Y{W
zmrlZ@0aMraU>lX``Wo3}s|MFxIQNw@%IgmJb+Vz8LdKO9BNT#I5G|lMRJ5|YZ!koQ
zPfX=8bnYux{B6CqLTO;eS^hhE9>OgUL#e6l?RiGPZQZy+)NvX+dp-A@#&bNY+krRV
zl^D(JIbPtK;co^R%i=DEtvs#m7UHO&60Mf0Xcx4IVDj9kTfdvTqgysS`E_jQ-afIa
zx#GXqaEm{B`$HMfW%~WowM1ULQP*<0!~c;Dz=cN16hCv%avpSkn1~l-)XYB#C&Hwk
zj_ADHH7#1bHOAx1SXEneSdc(BI`ebz?M&*;1Fx3JUI`faqw;wwQsp;&0+UY`iwE9(
zF9)~IW)JgACkbKWRd(vW{|A2y3~w7O-MPpA(W><bRylF_JHHqtITDoT58W(I*YgGJ
zxg_RFs9Fq|M^b~f5L9Sj;gZUThDXq8fvx&cPK<nh9A-k!R3u5bv(SeP=g|%#-l-|V
z!J4yw<-F-?uN$aF02V%=;+7Ocgo#6BAj$b~w8CRRc#c>W4dEOTd^1=Mv&0*|gS#d3
z_cLYs;%gTuH~$?zdHG%Tg=c?0HDUwS+O+%$Zr!85#|R_CQXs^{ZRn=j<E|e?r==lM
zLZAoYC?C=yJv32YnFLY+{&NEUQy%y)q4>{3_<JWh#{v4MmB!ys81=MAEZ{#U;6Iy(
zgGTDZsSMcnQWZQyOikOQz%YJ+M8!%<^Z1Q4hNKpP#2`glrU&AG|KQzDa!Q#EZkrI4
zu$Cf;0cyhTvY3J)qz6e{OpA;qK${psGqkN*vo_cz^D|YtjnD|00xuXDo0?jl%L>+x
zGJfn=CBhQx>P}eeBAM9{h*Q`!NeR>v5X&2xer?EyyV9A){VGD4grO00WK8cES1GB+
z>s($YQOD%Vn8A?Iz6%@VGccA+)espg44b;DR;OEE5CMS-6FZCr7s5Kt<!MLtf+V1=
z1lFRYbjlKrjY|7+&U#B<J?^ixRxE_HyCejxX0BYr1&G?PHe!WRkhbN_{Qi%E;!J{~
zCS}13iIJ^i$z4ian}S<6$ZBlw(;@hRWf8ZnO53)qkoA8qlub9L-d#p#w4ZHT=LgQb
z*)6KQZit*KK)p-r7Sk&>u46cd&unGi_EPtqxE}JfnfDy>V--=c3O^Rw^~N6_ag!Dq
z$44#_7CfnYiPu^ZpiAE@(A412*AS|ENm^&@T?vbxt<U#JT+ExqpiOevGyoO1OJ5Rz
z(q=oOIDY>(g$@3Zp45DrXr))-iZv(qU{c|*wo0ZYDYG{J&p%;a`I+YFJ+|%l`0<H9
z7$m|JB?6LdVGwT30tDz`mi``wsacJ!7<LIkwr?FJeea~A{r|x;72=R8yzzAF_N*-P
zM9aIknTuE)?dSBjew39G*|x`4=H-x;2ii+*-(j3Yn>bE!>?8>xYi%hllGrF_*=_Hs
zd!+&{d-E)@S|5hj8)XSBnt~LU`7_`!hLnj~eKuJNX?*UmO1q$zmCA;dJrE&E<Dw{X
zok|^uHa2!xid*6&CQR{P;<0>LfeB_>Qk9xh5(Cf#sH4F9;jCpXffY9$55debYXp-K
zjLQ#=x)~w?9MLLNVjgS4TqHY%kWw-oWSqcQY`V4~UD9_+mmITgOr?@;Mk<0UxMpHv
zkZ#A&Y!^%|!=0%`shsyFwNMfT5z{6C$Hv5NpSVP%>yTIx7zk%%4UU94wKnG!o*@mz
z-oveEGNko^+?dMBN2J@;pzZYEQr9D@&ZXPLEyN-D1Ae;&C8Oopp-GsvTS(n>VmBG|
zqmKsRMq(88nG`@{*_yj5jH+awRQc3`>Qbp8dne40sIes}(ky*B5(I6F)BA5=%*Yzq
zRJSIch3m}PhwA!K%i?Zg?jjbvHeyf(HW*t{RZucm46KHNDhk2t3duD%Yp^c^VNo(n
ztwco`ScQ=a!HEQ*bQ<)<f|q-QH9<}!?5VV|$#O@e=tBnP(N&QT!{Cxq9!_3N=FKdZ
z{$Sjgv)6$1K7Idv7r9fmpXFs{xfJqpz^FEHCIb#YOo-jkQORXsp)}&Olj_7BmGY3z
zwPF$96e7FSgGQON*`z9xo0D*?#b`;Jv<CNqWyr}uxg5G>m;;xL5s-+m1V0mQC*LZj
zR*o%2r3U9`aM7mV<<rVcI`_Qa1@b5|glb=Md(8(vbdnO%lf@Z4k<M64$A?{k4PGPD
zF)`fogmsdSPKVeA9t4W4mLu=y^o|)h!`S6^@(m?19#o}WNl+MjX*+E5?i7sXxFN`Q
zYyb+NPk2c5KS!8RDu{JM@f#osQk$ugNVbZehBOvOP(Uu{Wuc1@NvhN&3qa$-H<2K7
za)2Zi=494fIuMT;AjBgisNf{l0MUW%0n4T;%mQCo&$_+w9n=Y4qoRR`Qto{=J6bw3
z1{DhQ9U%bYLsB;hWv@F^L>s9&Fqi0_;vfX+1iJEXd<HWSrQ^5)Y2EO4j<=HSRYM+?
zPGw>BJmd1RLWt_IrB`v=7)Pc|!4*TP1HBdIMmG)NisWii6KrY3BPE7hd!VQkNLJH+
z84jfx-h?QjZJkKdp?NG+piGzr#g3~aG3p0O1bMWLc}OwlZ;<fTY7iF*rH&;nv;SMZ
z-zTIiB1!kuW5$|5fE23tr%#bz{;^&XFzwr|G}e+WNWcIH%YY5k)Ld9V(;Uu@4-7<&
z$l@YC($r&02(BSOG)RtS7=-b#M`|OMCWn078ZxG=u`qH8xyQga>tx=f5~!{KXtD^?
zn3AR<!z>-D+gYTkZA)AeW3X!or1=nqGThj)#)!o<aINAxvjX<V914bYrLZQ0K(Hz`
zvGO+KmGIcmFJA?DmlsM!QXGOg1)-pXNStfc5|UX$Q`!H>`oqCv1q_(X;vgJt1)blY
zn}!gZ)W~vl-0B8>L-(M<1h$oSw!2P)(d7_XXRu$yc#a_5O}Q_i2c#HaDZpJM0|J6l
zE}XSdTbErxn!Yt<Y!N_CPH9(99wuOhjcX*a+J(H`>>q7|@0cw6p^HWbj8}_i`22J;
zHUswPl?qHZeL~FCigx2Em8T&)x+9g^_{>@xH4aEt6s)GGr-MnNdX0IU>I!|2*2c}+
z&;qdpRNC?uy&w8$a?=pyQ_3lTYb&{tge6|_qHRS+Qm!&ks{6cdhw<xMm$i^VRc}nS
z{^^$8%OvL)HMNaUbrK@B5QMCQBaLwrG~`r{=U_$NoJ69MQz6z!u8xw`Fi0e<<d~9|
zHxM033P`Le)&x@94;mT;W5Deu0U*o2r!0~PjAuZV4W$JvC}GjO5~7<fTmXjvYtAP6
zIm?}1oO&t(F&HJmLP2q1oY9fMCS`;OSKc_A+JPN*=s&UPZC!v^l#!W6#+-3H;IV?|
zkqG;Xip?D*m}1h#a#mv_`PmsaDnxd=uoUBlHA+A^(yW)Hq`aug=vczictzxuD9TO3
zTO2^|kwd7P>n#QmJaX2ykfQ0DT5j~UQc4C+c1Bi^6~93Bq{3&GGl2ICgGz2g8F4gX
z`Aa<eFK?;{^?IYpa-8a`RkNA4I|~bO?^)SzijJg6s4Jm;t0A$_cRc)ja?8jlR-DYr
znhCOPlr*2-Nz5wjK4+S)%ak9&DB1NNm>yPlAcUlqs*04;6;+lcm7i)J<~;wQ54lhf
zCsygl)YcRoX*!a5UVJO9sKs~quE3w!U(NwV!m)yG6#<bBj`mVJDX!HtEzTC27k?7i
z*cfj?*mDyvFzo8Ej1-kk4(aOv?fd6y58bn~LZ~!qLPFI1?eD((=Id`BjE(x@f+HT@
znSbpbi8DTWI5&4^?zc*s%7>4PxJb`qlXecfrxTz}4SpR(g*4LStDIN9sS}|J%Xs3_
zG|P0hh*v)DZ<*ZRdq0R$ZLBlcdoyv?Xcf`R!Z^vRoW<O#kid^#zn1y4kVc`6wKmE+
z-|3w5qh+H+9`%$?yO6z^1IZ`nUMG;;!*!j_bDgEBv*IPih-b?q7Rt!$$m@=k$(#?*
zY_C}!p}VGp3GI&KV~A0${cCFKAZ(x_XTf-h;u&>ZDcx{Mn+Euc4%nzOQ8fYNqjlrh
zTwq<BygKSQMtQ<@9jmIMm~y9G$Z1G9OdN^q6I~*<<9qb<q@=~JHI12wjVLa*__>^6
zk~m&u6-5+M_&Y%mmHq{{_mmb?L3Il#3_zbSA<$?I=!j_>q;WtXcL3a@hN%u%xMF-~
zBM<(F1Qk;g6)!E2Nf?ukzX}-Y6`p8nSlF5CD1#Rww2$8fCxisNiu48s4A^3WLqq4W
zc)=N3C$z=hxG{m#JZ8O$0Ee=I6lH5#a;cNU)`DKp(W_W?1)Pm<4XEBlx1-rdqJ^aY
zjcF*l>6Di;RI9`AX;Ml6|LF1QtG|5V)2&{&#}8Omk`kLMqq=>+#bp^&C7pHkDLOkt
zV$j74rJ}N=`&^v^qE98m<n)rmSfp2FF*0Q`Z4=2Os70T2zBJ68Mbz3$%6!_z)v7+l
zB~pCoIL60ez^uz&V2qGUPDK9|V6Fq330l`pnQ;#j<B^%x^>I{pk{2g4tIwj_i8??U
zw;IHYE0^DOJdF&9Tbj-ZL6h5{EXan$M5Eh1MTG3;e#QS!7r!l6&r=IQh};LlNF7Dh
z?@4xdx3z~aeAC2D-WmTl|1}MEKd?#Lu1qxP3+}`IIQf5J@BY@AD>d>_vHumRWWJEE
z-tOH<4x?^%_5IVAUV80U)185zKrAuNcobN-KU%_B*M9_mC!o&4uP%O}84>FkOXJMs
zw~@)D|FkJHd~i^fq!OJ_rSsGVZyOM`P$G|IhI%Y!iBlpjxk=DioK}10!ms3sK_b<`
zDXAtzB@womj??I)&v<38AKC`nqpP|(J8_Az+VX>w15sAdnD&WnO-{-D&>pL*QYwsc
zQf*@?G3x|Lcr^_o?=5S0H>>*lPFCRht-<f$tFQet)KplXP8a8&{&-%dS(3`D!kCk|
z2?w@^GCL}-xY*U_Za#N5YIGLCm((VA67laL3JqUmayY*!sXDB->!BV>h<cXLdYtEx
z$2RyFDBD2**Ib9`cxnZ(PI+3EeK^PKvV1JNrRcF6sqH@xR;xJI43u-*?~V3E86sj-
zX;DS&qPLQ<$jaJOoLkbc04?n#Az+^2OP82X=G=wQPg5>{0DwNbx|?_6{nD#L{}3p@
z2>^KV!mj^yWe<;;U({)*>=gj0pujK!{AWUu16ZU9{^iC30Nn`W=$oWvG-^ak7_Ll(
zImyo3i!Ye?EuU?KYLpYxut{H#cq=}^1dn|He<_<Z>)}ZA91Qoc3f*X&EKFA!@Gs=o
z00?m42QwJv3(Ef9nnEmn&nau~rNN^}8aA@uQtJz*EM;kMYA@RWDoH2I@Z1-|-7?h*
z3sLirE#^%HfQtnUA(0eAiY4$ABbQu(PaptXoEG@KlH6?N_zjFMmKOxe-q=5h;OEzL
zLSb|Ggpsc0gd_9IiGtGvy^BitDBlAC2wi_dVCeP}0e4zX3@p8{MRmRHB!M$iTivZM
z9h%C6#H{a}0<f9iP9YFRoh-0SydC@3`^Z(Rv09x{Y9&@6`SF>_6aiaAC!$(26^cc|
zxK&Ps6cHz@Se^>;>kp#%XUx7jt6UV-`Vy%)oJ8q{>Z8-FR;fUBurB+OtxQFQ`Bf9Z
zh59s1s4j$`9ve)|M~LW}NM7m?M7+?8!Yd6n9TmCynLttRnQB#>;82nh3JQ{nXf;$6
zHKWXG3=0ZLnt!o|wPj5%x=8PU))z$+02CzT%Qr8vnHjdNR4L6^r7xqjyy%%Fi8=~x
Yp!?9a2IEGJ{I@~vH#6Jo_&xvt0Fpv)w*UYD

literal 102296
zcmV(@K-Rx^Pew8T0RR910gspf5&!@I14v{50go*J0>`cZ00000000000000000000
z0000SqhvowRzXrP24Fu^R6$gML?=)Hh<-1DY!L_wfxj?;qGB+Mk9Gkz0we>1Yzu;H
z00bZfh8PDR3<q0vH**1}0xKM2r@F@I?#lut92@>|qGC*B=yR!#VQ4!YtV8s9LJ8-j
zJy1JABej~pJ*(OO|K}wYIZWzLI))kW|Do*A>7ZmLS)(%}+kv4;80$QiMFUnAH=#i=
z3n@o}*p>_-Nt=QK_1e+Lid|he4j89VIE7N(3Tf4h#W2nRr&6X>ZGuy{!uxrF-sK2H
z!lhs{Jn&-k=PUR%?I%2<tCoaGm)`Aen*2E|x_u`KDUECgv|_^&KjHeP@5l64ARIyO
zyJ%ZV9_AG7BTa2qk2|IKNA9LB&*<>AXlQ#sk5a>q3Y`@>RnZa5m?=^Br{`Vxq<v*Q
zSUcw6NjwBN&i;@{(F|Fliyr#?d46tx?t5=<YaTFQl#I#8ffHdO;0VX4a3Cl)=};*H
z#U2b1vB(~&enqT8KMKajD6GO^^8Z(VGyi$J{=Z)PoKmB%Kj{o3M{tj`KN%T~BPjxT
zpIcQ2d$0K?H~Z(#oyMJE7>A(?5=>zw!RV4kG%@-@8fiTFOPYWE&rR_h_ti%7YAe29
zdbYXSV@k8ED18{F+{-`wufe(>lO&m!5N&3ICDG6{G^j3(#vv3+U`<lkWI8|TwEo#F
z9ubewGAs7j;k!@3O%+?8p{an&UmYN3DZK1kCr3K7nU&Sd>`H${`AL`Vv12eS7>+F2
zQUJherPdH6{{R2e)c$umu}%d5g+>RG-6Ta>P7^em5H(5nzL>vWUjOg&eW6e-JKqq(
z-}t2vJetIzY+0t{7TEy}6spdt`ssE0|Gy~47;p(8vA5H_lU;I3-}k=W|K8X8`gy;`
za&Bw&l-){h;({F)zygFA^^r81QE3PPKh-SzUPhu)P%7%GcB66T`vWh-ZBM(mt5aF+
z&v0720h0Fvx$Uugs;NpPrKHHn$bc6wB1~NN?~H8k?){(MP(olZjqJUWQVI<VV2|*i
z@K&y@E$JuRUSDTbNoExzRj7Ejq{g4$Rh>_$>A?)D(3UN!>7~lAI3+Vr=FBuV)4Q57
zJipD}HY>p314?OQ07fAoB?{vIl#v*S)nA?1C?>}4Tr=J7thH<1yog@mylCB39_Cct
z#?r=y0I-_^p`=S3XkGFcULPQO@6A74oGa&E7`@qhJ3u@jY|{U~pITjbk3X=;k_iHi
z6c;!?-9M=wq{VW0vwB~S3tRx`6mcqz8bI6)F9H8ARqOvE7YYSbKmjNMAP9n#Oa;qo
zH{14v6qf(&|7K~5^2=%UcOgf=kotI%M(uIivKuW?5=D`DO4af<0J~T$f}mwo80ymS
zL+1b6m2;IVH@!QTAEtNZrbwYE?J8xxFX8k&9VLMz2ob<yvElz}Y5(2J5s{HlQc1RK
zx9xU6f=}FouvyG%qg2ZMiD)(W&VJUj`^59ewp^-8h)4hlK;K$>#pXiyCYuk$)t!1a
zqJ2$Wy|}2YiRPB$<7N)bR1d00wzB^sv!J_&q(wafvQ5?0(m!DG&pN|7_ajMKX=b`0
zAu{m)?^Uh;>A93>UCQO^OS!|P`vvets8dnZX{vHnr#O1+jsE(h*KhQHK4+hs&ba`1
zaRE}m1xQ_hlmvj1d;wB22udzoP*n|5b~j0vt0cLDUERNztE23fT-E6Uq*M@Py9i2F
zvR!S<uF5aw3O~5({ZQo>>-7&Qjp8We$?y+me;m^I=fP~2XMcVB()F3%GqKK;qD&BE
zM?vH)nrXe&RO{WW45Xc1tDJq{$p4}RgHGn`uyQ*(=YWtq!q6D810CUmU<a0998lui
z-<xW-`xyWzla7#`yA+DXAVjT0tYVq-?%TzFV3C&~DS=d?A~ko6j*58igB19IJ1v$}
zf+D3$F;|VtEb1;-b}n7D?s%m`EM2*EQFZ2@_xJw4(l@?zr0IrCs0p|(6`8^H^{>m8
zy<J*kcG8h!)CvoMVU?z%hFD<dVI=<7(%B95$;6fJBID)T{JpZ5*7j&MMI|6xRY(S*
zF$#(B7T+6B-sW#mlrCS+Zr&yB_VtP5UdOz>hheZ{txeq!f`pJtx*wnYDz&FJqffmS
zAPJM|G%^g<N_M~4N&ImAgWPN1P_^DpPnY$y*B=!mBozb+NwK{ze31JIIkO)?gFdnd
z8bLuMDe5b#`yaBVz3^$RHLkOrTOa*FK;ci6@P|jCu7k{3mxO?eHhHRCMT#ty7F1k_
ziVG>Agz-1T-0B!w`+T$UHcZhV*#dGP-~w3(+yPKQoyBK;W6a!E2f%v?2mn}MM+)-~
z437a`TEdzP-~j;uU<${qN?WD^2EZfXh&~N4V1ZG{0#NTFdGrM*>wyV^;fT_(EBHPl
zi`GW_p^JeDd~!<_*=Nv*e-I1QOq6zSqc#n+lxVtI%S_iPhfrbGUHtgVaKNaJH9Gcm
z0K?2$g4xl^8i5xpo~$ei)rD3n1|ZI=!L(cfN;j#hOgm2X$7^RL+r6b~8^5n=JPhg8
zm;^^wf5ElYB&7GCPqPe+RoCK1I5fFQa6a9cOa=~0sZ2Ss{Jf;p>XJkPZA14=h+reK
zE%4o)4B3ga7JvMJevj$=Km?+Y6%r#?<b#4yG|+*sN_q2qzJT8u>x>Q29UYSK>=2R*
zE)8pHW=pZkz~Y^&hr-Eiv7xap<z=(gDlDS5uYgRGj*L|~gTA(z$g<<Y#=uxwT#j+<
zur=s~m5<tl!HS2>IVcfXAcJ7JnSvkyAITBOJyJZpdYJ{Lyl%d4hJ2N}oOaD)Bp7M5
zPs7B}W0`!eYty0x?Y?ZMaG+c}2RbL90A#Kv5%zASjMYsHROH2csEIiS$5O_QlSw$n
z2C^(>V;V5(0~^OqNAK)tWpYFb!}DTusY?UYxZTHms}%6nHa*U!D*OJH@y8aqTiLxZ
zL)APHEvvAhKC>o5HW-0anzu4Q{H(45Vp)IzodIp=wOz{w4cZ;bYMDUmK!<Ovr@(Zx
zvdZ`3!31&(t+A_k`;1#&`-TW)goMZudLN~K(b_(YR-&IK9JeUBzA|P(p};*){Ao9K
zb5*HTuhIgfZ3H$9+gJ%9+h8EN)D3DL&BI(~wQ!;Z7%2&}dfZY8*&ZK>PAJ(TdzuzY
zvlID(C94}lB=AqRArO2R4h(Rn5Xl%UR^r7)+on~nPzJWf3xju?y2o%qLGH*xGVkv!
zSe&I+*`%N(HgIiWQl;*_)>^bJHG=+nTbWSkQnp5cToHy0jg33nbk3&jBoVP&!o_v<
z>MR`qUJ;BaL`o#P*TLbi{jh%9VpRYR{&fsMtYP4R$R*<#hJC;}cqA>3mPT4INoE`K
zDa#cYV8o45s<ra$QO$<oh`@5xiU>;UYR&!_7o76!TseL+c2?E0z1B}isK{1~yopAu
z)}*KCB6!G*3|PZNOG$9M!w^?RTy3zM^)CCg!$L_IewvDrh0s+fX+1o7KQ37D5G_qU
zKEKB$LmnG31`)2rH7V(@Q});$N4oQ~=MsSh&_>?tf!TPi<#%-*M*ztdV_HW*0c<sV
zj0MHTHZD>Wns5Q$rlLtiW|YY34n@issH`{{%K7_oz=DrB8S?JFuESA%uDR#AbcQp6
z`$l0i^QnqMVMU9w!b&Y_b*xkDjmxBC!i}>r_i0{iin1_+lw$Hl0_nX3ffHm+Mhwt(
z`b?8us(W!zY(#j11l~5tRc!(t)Pe<nb33k7xFot|=DqBR4oy&tUhl#KvJN)z-v~%0
zE7akV=l((*Bt%lAK+z}>twMRI6t$vW)Q5)9Q=~)R2*8;@6}Hcfu^ZUxa*qIW!Mn7%
zTp4&fj9YO#52Z=9c0^4s9+wvIICm&+voCknc*334^ApSFj{>$*9ATm`B~y_P_AviD
z)6<~uNg9S1i5*Ta*`pI-31HUMnj=Vnjz?t`b&`AA+ku7YJD5Bp1-f8#jJ`^qf?KV+
zZPgL5TCOY>cNs3tcyzI3?nWPng&hp;OB%80<e)Rkfl-c<qD>GVq(p>v1-g%oWlrP6
zq?F=iQQM=6%oML`3TlzFOqix1^}}`#1tEfzAID12S+Ulsaeld5W^}A8rq~s0kzUnL
zrb%clKx?b92x#jU33u)A{}58x;DD!tg<R1>q(+VCD7u1%(FgP&aWE^)5%a(Tu^227
z%fhx`MOY=)iXFsGV^^?S*kkN16tR@f;rcBYbKT|hs#YY3kYGXWlnV)37FFMG0kefQ
zL6#@n&b0QKVrf(G`Q$!PkE{V{T{@>vzko4@lkH$w1Mxtk)&f4>j3?NENMkE<ool0M
zSSYYhYjAHQMv<{nm=kTn0I-<}3b94g7Ou!{yKcz^oLebL;-d7_h{ci}K!>J^Szz<2
zx+IE48ZogPBn$pYJth5Q%F+x4Gyp&rO?@FqE75SFu1!JX-a>Yz%!RP>>ZXD<Vrkiy
z2j$6TxgrRj9#GTZL@3pDCpgr9&DrkAN2G<9>Ty;p?ZqSurvlZBwyR8wuhm}7Nn=eX
ztpcddnNwihTn|t)f{ACfG^J8ocdJFj`H0msBuU^xvf1wD?9!c994)~d$E+JTHUjCe
z&F~P*aH3_WJ%xNc;d!e{OkM{bJm`~NxC{n`#5QksG7VOfy4>xd=36eumP^$$1?a{G
ziP=66XC(m9?Q8u4r<9V>CycW6`c|gs00{$fQ{f!F%mqs*+Nce569qRrSI3eo!JHGa
z6QV9azKf%PK{U>NMj<*V_m&WNA1VeKthb}F5RR}t@M=We|DvF?vx1<H^Pk5Fp}u(l
zggq?yxewrd{XPI7G#N6+FU<H@BUjkp_E4ebf8v6#KSF>qvsQ0F7+~vEscR4pIPeKc
zc<`sRP?{Y15CC9^{h7OH7wk$72=0jkAOe!FrNLlEB8lMFVTg{3AIHw-TL$_Tu4Q6z
zkyXaJL;&6gkATRZ`Qa@35%(_-UH-8DePTSq<g!7e<9@p-1>Xck3`86lf12o0B8cVx
zKerGM0nmX5Gb|CS#~IlgY~@;0tP1O>_3A6pHfK9`yJWj;`}X#eSKnSIA4wk}kIEla
z?Re}2?a+6^cNjabyveg`C45s`K6vBl8{dBO|KI<acR%;;7vG&|XIf8_^w)OZJh$@l
zwR4?p_1;Uz)|u$$=`wYzb!&Awx<cI^U9qlQSE;Mf9nl@voz&gdJ=eX~eK%#4J8CsL
zanx_LYP4;%cl6BY;OMQ<7az<%{PbbnN4JklK5qF~_ObeF^4Aq#SAT8%+8JDXjH>Zi
zYHVn4)1F2Yid~{uREauqUR<f(tNA?+e!Tt6i8GgKmurKyd$lKZc5}%uh3AXTAGl!g
z{o1c>7e8p@e_H-o_;cp>BbS%{vGtGRB?54UB`}GLuW8_&y%Y>zxBkw{-mq_96Vul>
z_;qpje>iM}haqV5SHO$%4K<GPKIIuoImO0CLVkz*9Qi}?5;=q%Ocs*et)Gy7^ByIU
z09c!l?5$~55x$we9N$V`wQq>ee{QfCcm3<yN1Pyz6FJ0kB8}*1ZcZpBWD_`e2LQoz
z0A`1vZD<J^gu0;T0GOSJPC|u{40-`N1hqluATy+e`XCDKN8HcaFs==E1viXS;&`|j
z0H*WV!Q?Ujl?j{whW{)75Y=G_)H`Y)HAHQu94H?EgC2u2gAM&(1$x%tfkCf9h(Qa0
zfy_X{)AIUxWxTn(c%F>sz{_TjXAjx;*gfoc);-o^rX@3q$zobCe%N{R?-r-e1_bN3
z@^j)r-{7ckrG35ydA^CIz76Jh?o!ijw?ly<g@gjlz!%0x8iic)-vJEs5+5D-M(qDB
zkpN`MS^21bD4sQF$e_I#n5;Rcg;~RBgOQ#A5RM2~QHN3=EtSCokQXA!f#_0vAclN9
z0P{jD?m#Rx?Ny`?aEIzxcn~e8d$eZ|Z3J-qxw2SSF`xnYr;p*UdNA^oA;5@e#)40Y
zEL>i$x=5=LMQYz7SHv!dJqkP-LL!MMz~N!Cg<gm=CvELw5EU-*#(Xqc>aLRzFhz$h
zDyA_<r|qN->?EXBW5P{g35TLWcwzP^j3_@9Qrg)hcw&nD+`I42eSqK}1fTWUUq;Ja
zTMZX|Rj7tVO6_;tJ*z(EeQ79=^b{FXNJNU12(V!Y+2_E&GBKb931hF!L2{G%t+`RV
z5unJ=M$VNVL_I4UMz;lLTQDt_UFv!?L?{qYKo>orG@EB=2lys`h3^WUrspJKSy(y^
zfk--x|FNp&ck~?l+E8u*|BO~cfM@kO-mp~n&B!9GulqM^a0j+T-}Y9i%E1B~k-4CM
zS(4I!d4VO&l(yS3w98Q3*<H3LOAJC5a@CRiHAyUTB~=J@%bE@~#6$bB#WdLxMDwAQ
z9xl7$Xg-Rcd~e%ToyL2;cbu5v*DJ1|>zZ}!O=Wj@7YKH(5bqS<ioPKk3j@tq$Q~=@
zkP+r{5A^|T<UHe#@p3#xt<H;3nw{|)N9&m?@i1sr8|PAM^rk}}KKt(-5t8%u%x;$M
z-kEV6>b`Cd6PhDrlodcG2@@3*GNd^n1LjNcvlR=A1u6CBv<aNCfR^zwKpJTP3_%q;
z3}GQ-UJZKdFC#5hkS%FGC%r}Wf3i!&#{&1884DkLjgjgyUg>+v0GKY<hk;f*kXI}&
zGxGl~CPdd4um}=rl!*Ol^0Y6xPGDs17O|g!?li4xTW%!O3v8|t_1cW&iWDe8(OWHU
zWUJ5eBPJOM_^R^Wu=Dp=g;dFznsp`rfil{-!<SEtYXun9y6s(8#r7+i>PV$#%2TSx
zW=*^=6V+3g_O@4_k&mtvSZUbWn)1ryx!66gVt(kdd0p+jY<KaS(`Udu^=q?_E41lb
zS3G0b?eF%MJByS0!iUeQLktp1^(=H@Z?>xPQDek562)?skf(Q$jpQB4A3~J$g?<J?
z-~0}D9PMGDDOq9xQTE)8&qD5drP@;p1IR*Rk+TT%S5OV+OF+9>6Y|`#_VeS$BcV5^
zGzbw;N^tT?wi`P|{d5=jN%YZ2u%0pK4q4@`24tq2@D+5y+f1D_TvxYP;!WMFNj{5{
zC$4&UC+3cmX`Nj(|2UjCXCZqHZn|d*=Zg04HHgj+OVJ8HDEV0GT2X|HjmsdMCwJy6
zAwZ?%b_@i7s2@>Vc`|wPaa!&TJAY5Fvyg8f!?S%)*0Y@ylV-d?2%jmN$rJ**J%92y
z%$xvhCX%2bk$s7ASmc@_Mh3QywUL~z1Of)F9}3}K)RG=0faaNPC8$WDMDGYdp96@(
z@!X5@FJwPfe8}&Wf=i4Hs-VVY8QmJv!r|D18oRw}BvSd$AYrvfeDcu*mu|}$%vh=N
z+*Y*U2`VPC3LcX{f^*WG-<=TV+JcB+d~~f;kiEy}W-~U4G7pMprw9QN^orrv6ATB*
zV-{5iedFn)m<pv96$(!(ctR)$w(w!V-QLT&#A$j59pN1`Dwv<h$HB&<Nv!b%^CyO?
z_CK)_Afd4Fn9F!<rd19S7C-bw@5INf$z~*CdWXeYxt@`Ya<kHstFNQrHs*t!L=iNV
zGaU!~*4Abk`7i|_(R2BLVv%P>wMNK8!YoB)fFm=8AYy9fj4;T~BiW(?jY>L6Xo`I7
zG<C*0Yqd5VpO$5T<=wIpR+?UFfZsFY8Qx@-^F4Eh(0y@rJ%I|Pq-_LG7Tw1dH;le{
z6O<RnPPdruk8l1Ii^e@)06{H7E#k8BB&r>HyoAu7bOmyPBo;>5h9R*|pm8O}R<_qT
z^Jo2`V8OeM_*YPXlt5maP~k-e&XYPjWuxu86TOI9_DCR;k24M+72guzCW|Z^+r$gw
z^EP&rHR-nm%e!VA4n|CtMU4qvoxfy$9D&h*2ne`N_s3L9(gPFKSYniqST6<=<i4iD
z{6;JJRI_e0Q_Yn7%}B)p$+)GBQM8|YpEEZ)XJJ$QKV>Hl6Wf{W#ExOyo*oz&RLwQ;
z!AKvshstt4fINygycYA&dAq-RE!wX+DyLB2i8wS%S1uECgr$t@I5>!~FPDBKubff&
zdX6%vh(dsB29lyrK*y1H+Ks|(MNFU<og2rYk_9T;0UKAKY@!$<B;cuVLH7cb_nT46
zxUZtAeDU{&o}oyhTNnST+iL2gQPd6D1BfEgRoS23qAC4ua*?;q0`|lSl;|V!sf%um
zK~&;^NZ)yPw!4TU7>*j23gbu*Hlc*c#sOzR(-VSqfnq`8BsHCGY}3TqAXm|*U3Io*
z+^uk|1uPrGco%wg63m{djszW?K^YlbkA=FYC8~0kUNy=){AFmLl9l+Btaxb+v9L5p
z>hJ?h$UVrCh%*PA)YC~G%!=s;<}zB$)uR^qCRNaJms<AH9$P8gSftVwB%x-rnlsgM
zEP|+MRfvg_W;8~FYL7(usNooPH2CDusX(X>bwu8p=BseLktdU&w<MBhcDyD!-)>$S
zb#J(Bo-RAoidD9RQ*kvaNIZ|LJ5uqQU4op$IBL_<Xk+_Sa<>#Ce;rNr?Qfbt+fEBk
z$ygYPdW#Z?T`zOBZ%&QuOrl0VH%&88rPkbeZ5T`nR(`<5KhK6>vBRSJ`hc977%T>+
zYH6)d_0h+G`_L#}wMBPsiPb@WDzdJjq9HyCGbzY~wG>3Q8ZL_!sHXWi(T^NMq2-)P
zD&K55`kvAkgTIR3R$ux?a%Ug6neJUHR_NX>x^sUQ!JC&kFyRqR^s0=T8auvyeH&j|
z5z^*ysd&L~7|N4gYzdsjFhm#af*@#dgDh#sm`L*k3`I^yMd?ut94wfK-Zze2JP5Us
z*QS@o<Xe66;zt6=)ox{ICG!Q)7L-@xVI0rdRGil{(9T4ZiZCqSh(|Ci&~>CJgqvVN
z2ez!UIZug(7lPSMMru2&8#9~69S#wNy1?Ek3}HFaIU5=%0T^ht7DEg|E8Q=Py{ln$
zFK!DdLQC-r&R2$ypKnRvt%ziU8bGOFbE>!!AO5TpJ+c}a0#h5s3TW;OygpRX=ICqG
zb#qP40}le7jU8($^R2(NZM7dADoQ9Rt!EWLF@#`VA#4mkhB24JgA;lX|CnDp&M;Nb
zzTgWqXiBO2v2Mou5`C|kvb5|eVJH7;&>Mp)7a|7e)lvKf=k*+pk%fQ$M94q>^}|np
zEWP|q{o(f?+jjwu(`rZKs!@my`)Xw%lb)n3pNCb{vv2_!$H>xjeAX=Uy6LT*lo%_v
ze<q+Dlg_$s^l`fH(L7kz6~Y^R>YbJ8pMKbqliu3^)U~1eCD7k0zCPHvU88k<dK&{?
zb^EWb=GHbIAG$ajTdGLXI6sYQ+?+;?ac0M)3d6{|1@{HlCRoVxX*4IYwAd`pQl${j
zT0r(=?3LDX?7f-m1fKeJ<!tt7ZFzqD-9BfLyrmz;4_AdhRPqSm-HuWG+~<yO)?gr>
zn_=oG()^sjmN{OCJ!`US!A>f<x*T=m`syAuIy(p-=h?CuxAZqJ?k$Vh<pz6mQBMBS
z07sW4H8aY@Bd_;Lb&Ng!l6(ef`<-5Ym4}!AojiP=0l^O!Jn&Da_xNtIrVFHyp&f0a
zPVi8Ot8V6d8OJ4UlAnJz&c7h9r)&^auM;)f=NL~~C@P_?v*~o2<HJ1TjQdtT${0KT
zhG?o`omzrV^GJ=0x!L1K;CrLZciz|h47-mT>m6<Du4vk%VI9Fzi0v@Yg4Fzrv-)%P
zDAXOBfv;AT4H(j6luuH9PZ>Py4&Bn`1;d=BXmfx*dW~7q`_G9kVg@oS@8FJHqOP2@
zhQQU2{x=;gii;xuZX0Ln&BVy?)KUgr#4^X*XsxQ(MkA(*UX3Ud&5`iiF8}TfID?Xr
z85dgYI8ygU@^@koM;JXEd|29?W<}gV9p`D;lOe;ch4ke!x4Nd@tn<%&`)2X$$u%4D
zqIt`?*(PPIOJWya*sq*8upt&I&he+19yZ>Wi1RwAZ>Sw}7(RwRx*K}HRPiG5N48YT
zm83A=tI0yUGt@0XHuD8jpVTu*Z3Ks*H9q`&br%j-4~?dJB~iUb^WpJ*WPwbj)1+e0
ze^u5_o}+!Xwqohwb!LIz8O6U<9<=&TX1)?>w)NNrOuq#-6Nc**vqHX)_n6*4UtREK
z0d}ZU@@U@5GsffiW^%jvGFKPS@7s)`)}}WMKWL6V687_=c?<7Oh?pTVPJ!R2{>jSn
zC#+b8y{=}+k6?cHO`p{5!}off8kp^Tv(bQ6v7kPogwg9z_o+SI*7?mwkGVF%@+tB-
z@T<A`SiBC7K2i_6`WS-k60Cn`Wa0H|GsS>Y`hq5gwS7(-3i|)VMoD8l@98_a1n~l=
z<;EWWNY?X-WHIoaF$m2GM6KW9SjAA(pQ&arxYMuzq=f;qW1zjwh=OOR80sTlZ6o{J
zbd`wzLpxL>6~1czpID}N+<~m<4;KqNUi02_bWQtTFRHqmSmL*v<SlAQ7zjNI=)G=z
z8Me(9=kXkxJKMR?u&=sy0v<ebGEx;dD)G2TyHO?t?L=-x|L_sB-_L&(B6@b}OlN<L
z1Q0^~yn<LjtT(7`_|&AB3vih%LXS)21%gre632)vDPRR&LdcUAJp~?%p4)=OGF}W}
z;<_s@6<5I%pRut_pv6pDs8I8B3T}zyR`87NnyuXJvvP!5RmXMJ0b2I>VM}~FR0^*;
z>KsmD8)eH|QLUX7Ha=@&MbkBk8)h-YjK?kx8Uw@BLNLv8!CJ|c4LmFS)HYAUn#*0o
zF6G%~k|#dp@bY2yI8Dx=K%G-Jv_qXRp@h3}<vr3Bt_4~O##I51k>w#6oNzS+?f0iK
z<`UzwYoXEX+5F2<k9|-+9X1Y>k5PeVrKxuR1)C^T@W-;>r%ni;;5?UbY<&p7p_e|2
zZG{kMC1IQ_OU%Bcn_<XiNPqzhk4)76YV|@_bO&z%3p{LigU~prkIp^ril^tP&mEk5
zWb*!p?&$b6$9=u1XuIc`z8R;=KZ?5s?a;AJ<RVwFz`|xkHdgbK%bWWgy6-QDf;Z)j
z#s1*}I}E9%q1Oa_;`&|0&Kn;gG=^w0V+9Eqe+rfh<oxsR=l5Dl(km;|p?i*H#OBCZ
z|KDH3Qd7ggZyE+}eyyAR-z>BS*MtB7!BMaR;@8zcs9m&^0nGbB#_1^V{bv6+^8%Z;
zO3YqZD4V%zRe8CwW|pmiiEr%8&c7oYUptXZ!rB<YLi;ZiRy{quK-ES;EdG_)Ml|VJ
zZx=$*(M8bP`rNs@7d|nMZ2~LrmZp`>N-O&Hsi}TL6~dBf-PH;G*z=1eQPr@d%%8=&
zF?h8kMdxL^K4xMOxPWTa47a9+JEKy0JmVFk!S$0X;kYut>8&kCQBvIS&71uP-}!J@
z0LV=u5YX-Il}*Ea>&F5a>fxzI9`Mg|!VK9{2E*72tot^^*b`g&Lc(O@EV#cHv#rBs
zT7n<p<KAqa--hQ^IizPvW-fw$z71d2W87nI{^xU6&h@&}r!68+O!#PYaAU_MCW*q4
zAR;)LtT9oo#3Y3xiRgCcN6k=gMHtq5hAF(oN8B@Q*?Hf^rZv=ke$kfN@Ho5O#2Un#
zDs<?7$4m^=C*^e0g+VfRPX3T-hTYaS^pcKIck(S}`jm#^Vh0WLt;UGD-<PxZhJF(z
z7DvJ0r!IZ9xTvR&@y$JT+rCPpXJdR-K6`2t7(TWF+o6>0WWw$#q}4Bf*%JCTt1wq4
zbQ+`-Yip6xn4U?kf_K01)-5Ac?hIuf=QcIX1uw|h8^_%Wqh0m&BUNpSi*5Es#VBv2
z9@!gH7BObUO4&eyR+}&&lil!)*VzGE^Yfo5Z}j$l)+pSPDNAieQL4lBBPdUd>tm@p
zKH{p1b~D{LPWTn0Pp}EGA>oC31dm6Sf6w6Y%g4vd;okz~2ea`KwNKTWv0<*OOOZ+Y
zkruMGMH6~-p1eAd75mfZ3c0j)A<rKZEFcKB0z2?M{yta;@g#?A)%108TE!6zuVOAx
zzHxYC2$p+dh^fZ*XS34nu`6$>XWNbUzzdru{~&MgAb*oEwVzDA=eY?KkaRN+iwF^H
zkGm<YCd?Jv8i>uBoAdVjVK^*IQ>*|GF~99PRKeCcc-H!&6a>~?|NZtT?~WHl*uPW}
z5(?Sav!(zgLW(<*C}e>AT0;`pK9iuqal#1Jkh>1)T5+{)%5h}Ab@_-aOSKV<-J28V
zxAK0UWT2#5I?{wK2*G@-awjtkmh++qvJeB1(BRa_d%_Nn!-G%WL4A6T>AG{LkM;~s
z=`jWTW>tO8L-t5>2&J5VpKtXC(kY<|jELg{w$nFnj5Lm@wu5)LDheAzlnc6#X{AYV
zzQ|POlVLVyf<32#s%lSGfWTnS<ADm$pSRu8)*0DHS+EpLru&6Tc^xZcJ#`cp!SS&N
z(!fyxOZg}ZQa)m0L&{0XQ~J0O*}K$#E5LS*7!y9*8K$-J)EIIfTGx(<26aO9z^0rk
z6F1imY<?^-Ett@_j`t(TWW~`r$C7g^pJmgVDm>@A;3;gHpQGoYU6)j_`Zy~?ug{(P
zih!&n1=Mrp%UaBi1s;s=g#!STR)i9`NwhcX(%^hkgjn|6>g^{UzS-kpug_{v_kwOx
zp5nKVIwMG0za61c>7X^wm!+ANZ~+8BR}cC)@65%ne0XQy2bX`IDlMnvY;!;$atk$v
z*&HXvWQV}!TK)zD<*~p91VVa~#X7OZq(JoJRN8MFL-hPrl-DH9{Yf)g8rfJWTxsGB
z_(|V+^w5~1#4=6E^_7NR!qrFQ2+!eMDNX4mXIHC4vY-;(u<li|hb&ky1diL-ZobF0
z3Bo!i^llg@DZsSl3&L(l<7LLEOtr3?@rakby<RBN3nH=<4X*B`H7{&|M}jFR0N+|P
zndyOQl@;P!tFc3jQxWU28rKmGpxN^})`?z!KLmZ=D?fCkvVmg@oS@XKhi(9|4HXt0
zbzi_G?ssp>J}Dp+qgF6xx^ae1jk{C$mMWaGIEF3dfjtsX1mG370-Q|26eCF=shG%O
zS%;MjEY)dJSQGBvqMZvy3oNBz#?cVFoIh<5(KvoiJ0tN(X=RJJS;s6B6@lv#TXrR|
z0j(}bM$JHG8ynkqdIJm3se#2S7Z4@bBYZ@76l_J2o7NDZ^#J;7*pkD7r3RcAsD11o
zZV23emXly>pnNDxUD9$?@$w@l?b`LsPrNd?i{CY_xz?Y5J=DyLG=($0XcuI^?sngG
zaN6F1K|%nQZgd**-kdl;I&s&FcH!Kw_~FTi2XO)P6_VIJkaOS*V!U;Ih|g-=*nZ}W
zGqc4X+P7$iK64I|>Q+{kWTVkKa5`#xyKs3~r7~Tc8uPpINA>xc>u%OB)k{E8NKYMk
zasBPxd9ZGGVy}t_{A0AL4qRWN4&vHR5~NEEIGl3n3zY2qv5Cj?dwYpv-h#qH0el?X
z^5RB<cP=CC$4H(3Iv#b(m=qdQS4|=R-flj^IupBSN&Od{(!Q`;I`b^PfKD$v3_qup
zapSc=Z}vbv7Tuz)2;&qDsx66$6S@EB7o&Mz$n?tX9X{`Sxwaai+=qO=>Z2B|J`Vtb
z>%#35TEugpzvTfI)mtwjvX`ZlUr~ARW;ENNt-YzTa{&h7-k8r>z-e^_*|L0hPl}d*
z{8A*E_j)<eIC<H?W%q<=<wt!U(A5bZ*%j-J6D^i6if}OwPP}m8ddDtQel7FbU83+=
z&2O(4ycIeCTvy2uj>48t+Qn`7?aO=BYnco=pd{8UxX*#Tv&`&IO-;)J9UXCtl>_+7
zVeU`QI8LEZxyNsVY+FN#kk?+1CYpY5lTh)Hn;$eyL|<Ow`*56O3V3XSmX6V{hD5=+
zUJnpwn6b2J{(=8^*2G{-TDHk_X(tB;|LzB$ByaA-8IPBMkJXy%CJZBt!^8B1V>J7}
zS={sx7+HXJ+tH$NiQ?X`M0dHQly*2R&3WfaHJGO_ndT0Qk)F*<WBl3S52MR~0bO91
zZ=iTIT87J_260_T1}IIGhKr|Hc-R|WO6<X%+6bTua9mF5%~F)gS-gz<1o>B~h5)LN
zR_QHOI-LZO43DUK`DLJN`iwMksvp9uRO6jW#XK@UoUe0z9S{j&A`HuFMU>Ze=f5}|
zNORMCZ7k)qCR9)VXBYVYckf2k>Xns_sC{>om582q`*^@peCJK!>S}$x=})fYzWJf}
zEe~*t9N2YXN^1x0qnA6_c7Q!i4o`EK9rqkyZz#pBL~)Y@yzK7Th=|@0Dvn5?;ce*z
z0LWtyN7;<@do}6ariZr#lcTp1){YthVM=c!)TAUT@=A7t`;GS^n|*`eQsts+wCn6J
zYnJKyoNKfHJ@<3(2^$u8my#|CGWo1QeQflB#US`M=tc?Z9*N-ZLrkZZU*nfP$Co^X
zv`2jQ89G(q+bXS)$=m7Ar0R59C+9u+LyP+ir8KHAC0Bj-wGYO)Ce~`sbldX|?2kO7
zX{_|i=?iwV*VH@Md-{t$=yN7mCW~@&L(~tl{;E9h$z%WK>(B87QiSZ7c{F|~Cx4B;
z77;E=h=Z>G#))YBAmzJ{HoYDs7N+no^8#%i{7LII5I(H*q_QEeKW}%lSWrNhF5}B3
z0_*q_Z>j6f*z2Ho*N?QGb22dJ{^Lva)3*VmZnUnVHo!{cJE|@(`R)6bjTKVOc4#q<
z8>osdKuoBZhB~&6;K<c{SoPF!ewG(yd5<^Mc_pi6mHcg@ePl$1fRQjS@~Zj~wF7)8
zX5}uj;&GN|2Y68dJlk}H)GKKM3s3SvS5|F%4oV;h6&UUzYQMo_syZ9rO~4lCCtnWf
zYxOuX2UgT6?%Q(vrytLWcPMV+CRJ2FwO`jkG*nOrpdaHDP6ma718(X$8!G|}TWCn!
zRtVa=>h==34&03ky73r4g%EO>#^X$`S{fKPCYD#kY9nUJ!<hV?6HypOSBOtd#h0Qv
z_(UH7#Zr}Z-b>ed96vtbZ=O{^Bv?L*hZgMFv%uR@{c_gNo7>!#Okz)S1ZEwVa$iXl
zmV_HSk3_uve{aQF{oY@We8g!SZqvEC_D8T%(qFHh8v%r7_uf9nnA>w&JX5EzVr0{i
z0~RYj?SKO~7%*GlZFM)jlAbor<2hg(rjL(#CbX{gy7mf3Ki=&BW_9@k==D{!DMn88
zkw-V7tDBfE{hC+iy8w^Ey{A|6EZi~(W_i1a{{<Ep0Z#!J1jt3G$m8F<Ek(&90*BC$
zZ^LK%fJy9IFBouV3=f;shXXdPy7Nw7r!aTd^taBrQwKKOc=v+<fuY$=kO5HI)Kk5@
zg!s5OHsa#pk=3m`tBAseh;bjdbI16*)uSs#9$k-G{p<IdO|IOknlIiitKy`X%|}LD
zx!Y?ZDB-NPJMi_74F?SNCvgw(2=uvNS8?pO3wH-bP420-07u`&O1#~9ly=bAN%|gs
zAUS5K>kUtRG%%<@{M3Pe&%Ju-s|%ZdO-Vm3)y!;kOKJ{Um%i~L0RIf}FV&Qp`kFbe
z8kvl%)^dmBE#qC~QpYON<*9X4L%13Eho1z9Sfaah#&U759)<p{couT(X7KLY(`V?Z
zg2D_%=Z#anrmdU9##^_5fs%A#8cmokNue?d{o+>3sKODIBII_Bs{fvTLZb?SY0uAr
z4J0Ph=oHE7s)VwD(st(9x^No`*Rd11VPwgzH3>P)!<M#SLj9MjCtpPnk0r0lACJ@h
zpHH<xu(D%6h1q_g+3yXvScEW40RT1=Yd9KL?C7p#gCxK#<pW^j_u5LGw3)KRWTi5h
zb~e$}{gXfa0|1~*8=$J@jR>@_Z^+w8qc}@oAR2K3_&c)Z0Cy8k0A_e#cIv!7c$-5Z
zH4gku>v!$%-JrYc-4^%zFW3kyt@A|*g;*rCYR+lFodLl3t_9U0We7H!0n#jUXZHOk
zPa%6F*S8yn*!nvQ7<GYSNiXK9DzWOz)|D0CS;ZYHsfLspp2{SMx|;pO6Sqn#UMDET
zL@!ppb$#?*L<C;E*KNBDmSy!|86P&1mr8rDMyZxmLBd-8ukk3lz7DgUt7bEP-FFti
z32Nc{hQo^F)HtaWZFyfs6Y!l1_H;THJbcAuJ9jaP`L#kDuj>?RAx45w%`uE7E8<cy
z7@S@Q8Q+Bc!81q8%5LCspIZH2*NI5-NLc_e_Vw$oa<w5a7rFQL*DbZP>TXxa?Of?}
zE~)T}_o*ermFS{Rw>_p?+cs1I!>(2DGc~0lK|)Q6oQuJ5<uhK-UK*N}`IXBu>os|q
z94v;DX~(612L@1NBPi(yCSe@-i@#W${Lh-0!Tt|S%!j}l8%W+T(hDbZQY^4br=a$)
z3;(?DLq)#l+>CB`xczK3HtP0=$x*T~kP&VaD%RbBgO&GAWe2dEL8qh#^_SAWJpCpr
z@a}Z|O&aZ{9u<5y;9l<YLz+UqCf?b|p<8SZ1-Ga|+MB!i_5nB4!`VGqT?qcFA7ls@
zi~ZrCkRUz#do_c-o)zE4Mi933z>@U+rx066uB}BhHdq>?mz+zE0e@j?^DX9gs_K4T
zqhH8d54Msw*mr*Lme{Y60b8lgE%|wM#Ds*~W6m2|aQ<rZg?qyp8hsW_BlMJB%~6T0
ziaq5Fx^ZhWK8@Mt-nED*aXofp!>ngv!8hNPp9%Qd-)A^1l|=j)@!<{Mn%!-UHEH}B
zo;{s169#<G)47}Nta63baFg8@EZu)(N}@0wv7f{zSnbt}PR$o2iDZdqa;v?Cgf87z
zYcP!Y?>b_Js-@*5pQWehsZK%H7ZLID2J0HohYwf&f3fkTm0s$o*u^MkEJr!}JAUf~
z{ufk+g2Sri-fwuj&3DiC#1~5MlJEtsqC-&rf;>S?k+(Nz`tHXtMfj#P`#DUnIf%{b
z9JkrqK^gf_BFhi)%f2}NA3betv2;b{@1mOjKL?&U;GdB(B~Yi)!@^WbEtu*bkZ`@t
z`3CpJ<SP6`^LagGUw10gr`$R`HF(Po+^jjG(lF&8dSt;CcmF92-Yx+T|DNt`c$vrY
zEqlc8*qFw#hTUu^+hnHJ+b;Mf{<O0WVH<U(YxxF6eqT>MG!!e|b9GcQnAZ<=_>`bC
zE*zWJpF9!9^(*M@Em*y)w4WaDJgG<4p`^d(G&Xi!ekPBrsg$eLdvoLDXO$%-E6R9z
z&f}Q!$ZU@KR$*1)$g@X`QK^FH=rlnT%|#?~u}x_1&m#;JLb#j#dcxq*#wdv}g9QWm
zdjAQoSvk?(j^B$~@D4!+A?eM{Uj~2a67FDp=7@1CrIS1{6cH5k@gZrWFFUD$7~cAe
zyL)o0p_9U;78<+r9aou*)6B4p@{Ekya+xB&F-L>ZXwNxrUrzpD?)iM)aX%w$MRA&)
z;&A^f0_a$i*Qo>Z^3Z&TH3)olSe~_B7?a+cqdL?Yn=_|0{+mL!1F@}#R5*-NIK6ah
zUB_*H>RblCLsuWhyd`?)b6uKI^wn2I3Ar8WxXw)wUgW)r;1R?;53ODj)%-|t2}#k}
z?buf=c^$xkgSyr8)$R3Yef-5R8C`u)!OTOyF0iE4Ch|mY@7odx3u`SoMQdqi6)Isu
zqKc<DD?OpeOp1=nj8U8bm!$DVdRI=mF)u%Ts4H9jUZiICdp1X@vt32=-;gBc`)OT*
z<=y_J;$*$Z{87QMUxiDFFrCfGvlYeWc0`SMg7ia!NA|jME}dhYTSC%84VMfimmP->
z8bYHjd}PnwO_SFCboJ2V_smGy2j6T=KNtxRZ%#|FK_eS3&J_=}<{S=F#r9*{7`e)=
z;+3?R0#dP)pXSA#V~0Q8JeoIxIc5o!8l5AgZv}$%LwP~Wpn|mmHj@oJLpz`jDdBL_
zz^gppy}qbWUaz#tBT~GTMUnMbR&;}BK@?jfm@Jx9Wi+Fy)0E6F_(J-r@ejTopSe*Z
z3ID$uW<Rg3e?<nS9BSL6=G#cesO+`uKW7q|BY#AH^~Vw$#^3cDEn@L)xcHp?#gSYa
z8$G<N)%8bP0efu-uUPuIBagk(&3^gNhQW+AZ}bce-!e>Nr#HGk>0m2O@lr5iU^Y7%
zRx;LWiCS}x-7o5kQmF=5f;GTuDa%8fG@^kVY>wbByvZZT9Q{VfM*SH7y9`*~^X$MF
zcI;VAPw%t+6WEDo)sNG%w|%m$VCErg;dF_<dQz*s4r#A*)jWYflgznZtljo6#(W<G
z-qt$$S8R)29?9!subw#@8y%>R8m1aN%0BM&tPPdPc*y0VPk-v1m1UPt^2_5^Pn#nW
zi1Lsca<iBC70OFF`hxp;ARlj(mC6RSfYl1#5mb}OM->P24h~+fYiYXD(0?%JpdtmW
z$utFlUZVF<1^dsQG#g%8(x29~3*d*_E*~nK++RUdl<iNd-d{}=?%2QZ@`ZwV$1}wB
zN=M)v&vBBu3@<i170)=VO|)yt8k4f@PUL`-aB$y1U?kbb$v(1cbrpa_u|Zmw@r5_Z
zpQM8h^JV2S;MeNVwHz*d;=9_@XTGhPFFN{F)6-Jpg|^Nj^m5%m-<8JJqR#a;&}3e1
zcGlSf{1s3>FgnsNTM!=bW)88$DafJLMQbCB3ALR=<0%y#jB!tP+<;4#SeB8(DK3$R
zZhX6o4}PsRZ5O7Oo+C}Piz7pWB6YYr+d#)Un=&&|G=q^H(@to!B`2ljAAg#Ym@pS-
z^eeT?H~BL{#1e6{#4RCx?k<h*F3~V^RTa1c89YNApRa)p^eH#kpJeyLx?jTj*!^!S
z*TDC+{P*J8BBWx5%^ZSqx`5E=6zkgTrk(gtZuVQLo%|shKeQx*rd~x#ydDpR9uJeJ
zP7<2pBv~AxD%TJ@=M4}quFQXD$GaJE&yAT>$Esr=ms>of9>%xq<bm?QjCK{C!&Eyu
zt`nrqFCZDR1;xCu)k`Q$4DyeOQ<}|llp^&Ig~4DcV`37z=haLFVZQEbaR%#)PVjrJ
z%NKNol$|f$1yh!QeD=vFPm$<!;mXP&zM#NJn4d4YfKEE~^wY=x08&P=rQtS<Uf11`
z=A&4v^*<}?WE!mvqfoS9ZZ|8O<oo^JST;6CoThiTz8tlPG4RdiE`AL0Q|rqVcQ723
zdyl?vPwx)-a7h4x&<V+otz=5m{quB8jC!h6@d3fniOBi$^W<X92${=`Mxvt=6c)=I
zDL-f4FU8*u<uxJh`q&fM@jtxZTeZOd{2{mrFbBXs!Rf0P|GzQ^_7s455<47~!R&XI
z8`#`qm%~BK$+T%R#m@!jMS7yHi~ZBQ-z^jpqAg#g$ug_RnrF>O>)x=rD7RAKgZ4ma
zfhr4iM>S_@E7GO5pKvhRkyIy7J12B;mVpIbI~$te&S(!ap0)MzZ*LD89o*-b-=_Lr
z<L~E=aSJM;JszzZ`wO0wQ3tbfLJkp;M7T0|zoc;GXT_f(V2hxGLd1pE3lA6ZgECR{
zkk}Y=uUN3bqG9nrBo~(|mXBHSTG~As{xVm|va_zfO?!ngcCS$!uPU%w(eRB{u5--(
z8xC#IXuW%!aCOejF9%)GxzX!(vIirc6nn1pR^sdH^>=(@gonbsf#b{|m~jv5r^F17
zFUe#=8KNk0@sbj)=qRgB_5ryZJ5JksUPZ6ErJ7@OT+v<Xz!qoz)93%6eg%kZ__O8G
zeOG4CC@<R=!(mzu44Ye~WnM8kKN!*c46!1DN$^mC#x(-G*v{FsdKI{Gj|nr8;2I6Q
z!$2N-C$S<MWHIL1ESMY}+>%an4KiSZ0fowpjFR)b4io2Yl`Af>x`?|B+|9=YkQ%B=
zq%QBc?nU>%h8*bOB21}lrHmALxXsOfuxZI@%#Vf=!i}*Pl5SY$$ds)CkPCXr8IhQ|
z|3XIB50$?xdw#LR(?B13?O?rmfrHV`(ftz61pp*sk4O)_^qdjP6p;`y!FH9mJJQs0
zih&Txq~`4RFTDEZ0stZkr&ISEKc9<8{KVxS40*m^ExNFlB5&;P_GF_MJQ!@@j>epA
zPM=&?Y<QL^vo!Rlo+qs<FHYk>NSX;bf%u@p1q(a}(e6Gw%-4%{keG4CN*t^q)vp{)
z!qu~y9*)99eF&pU9>NTp9B8F}HIeL=D#4zjZ9yfaJu>e6++c#2eb17W;!P?d`g8jZ
z)jN8;g>C~Lm}C$hd0F!;k+9Cbuj{#ld7xc)S`yh>h#v$@gq}%$*wK08%F7QRM~q!J
zY>>z!hK3LztSv(XpT?xMO~c{$h7bg@FyRm&A5$=+LS&O<oO3Dw4W+@Iiw?#i4o(=$
zhLJ3Y0|l>4gIwS^lC(lnBycFvGX)mqnNZ7+5>U~B{h2F+asx5C82ADYpB6F-5cjVl
zRdy6<gvvnO)x*NCV=eS|H39dA@^2CpZ3pt%-*Nii?weo#(BQ<MSUViyWu$a2P`9V4
zGsflCs`ApR=Azsdp(OV=91I)7Pdx-&`6V<iMR&stz-}pKtBf~XX#{AxO%VN25hs?h
z(dc&<Oe)Hfjn*lbcym`)F>`T8GD&8J1wpxuMQdQh<V=<7D^h!W={ixvk8)dtu<Z3Y
z*eg%@P9TqT9nk|=I8YmLchgdscM>|HtW1Yl0?2@4f@+xbNBOz_2!O9qotu;H1qRdE
zwtDjMpe<}=Lp*>S0to5G0K?@Vg7afpV6Cjj*rHOa?i^R(ccCkTz4uTi?|1C`B;tIn
zH+<WCiPXcT7M!QsrJTE+ra_DG=~07l*y2K{B@Wx-vyQ8qB;x!_f5o@WS4cfv#)0#L
z?gaz8eCk^4&B_=<5xS7SGT4g114A;los)Z0iA1ffw|f|)8q}m^Ue}=&_njp>icp8r
zD?@7$RE9twBDPutaNB%|)Wby5zxBp59DU<GJl1sw47_29HS7xmSuD2Tw)q&Thl!+*
zc0W(oF+NBkP7f?`00!QWVii}yKp2tu<y8`~^%pwew)qgLhcAaqwbqn5CoIAvQ8>Ds
zjGBT~gthc@4(i6J!GqA_6*MlX(#!ztmSVQbc*B*3K@&-E-@leaoK_q}jgcJqj|J(H
ztSsUY4>4OM2BSNSCYs=0eyv4cCKj&cpt#koZAE!2%EO{KG<S&Ig=@4`qAtUyiA!l`
zQh?l$@nC-#=^1aZEe9K1rMkSQVv@AT>mw2HH@E$)t36d{5-Yark$Skqf%Esf9d&M3
za7~MnugcB91ENupfq-D)l_U{cOC;n7Ku79fg7j~O$8j{=pCK!G0}Q-D#oB!(3}i9S
zg4^aRq#h=cetz-~bbmwaVu-6QFa7}}@gO?JJ{d@veA4lFKZ!X1RdvL-&BsVRTs8!!
zD$jW?s!rJu)AY#1IT=A=v|>o`<K;~fapI*5kY9%+Fo5*$oqtI8cSaJ0xRI>tB^Y=>
zG|q*Alm+j1oVAjO^N++4-!@+&^>AcpvcZKws1Vpx2*z^|@X+GoOwuD@$dLTQ+3aFo
zT33)!2y{y%Od<XB<6Q)+D-i6pfocjiY$?lL?mR=Qr&VWVE>GP~O)H7B3@9dC{fY*c
z<O=rPKByTW(tQ@EZ~ib_tbSeg>0P}0b<_Xn>lCg)xcO(lG5kM*{e#wfX_a*oN~<fF
zPKePE8A&0{@;idn-+Z%J3FsMESkRb!e>HLdg0i7jpygoN5)J7e6@i8EloU+|hZwVz
zX5pRyte(jt@So*+Fcpoa2E74jta6+vQ67aNPy`A=5f}&z8q1-wl_S}q@<0)&8|sE4
z07O8$zrY@&#slAl_uoZo^TqYQ43A7uJ>S26_w{S`;r}Q0Z~y20x!J$+*RQUc(bhs^
zHq9dF2Qo3%YsVCrielz(Sb?*4_g!*kjgDyrHjd~))m;CPUF46~;%$M^&Lx;8kqI!$
z39KU7fv|MKUtfQqA$eGgTuULN*MHkiQhJQL>%8Co>~KO$6fOPKQ6-aFuvZAjl}Er+
zIuzY|>tWrmxy!-!))?zORABF1zMDhV%`#HmFe7GBWgdiDLYbsfzmtDJb9lSf{$5&S
z{chIjw5v*J<`f2b2BCYBcmLalj?YeTdsDm^Cyo+~PJjKK4j#VlbjGv#>HIR$w4*{&
zWcI8q@73^f9ULT{AOr)|7a~*@OC~P-Y9561Y@79GC)g=h=4beioX6ow*S_u>z#Ltp
zO<16(9Dp>Num>jI8iX9c4e8VdY~4~sRw>*tP|9B6Qf_ltGf#jM%&j>WtbHQR2ljzt
zTX^c%^Mnj?gy}Ub5+ExuC9^0V$$19UZQZB+{DwFQT=$9rz@u@ssFZkP$6$HR%h&xn
za8)2SV*)KTHchQh;<`|#a`ijTZ8A3s)to!pW+0Z*vMlv&*HdE+TkzpKEY<&7up}-c
zEKMXtChhqJCAR?4N|i6X@Z=SOdKLPoYf6+A*klH*vH^))VYHVCEbg4>@2)@4kOpgq
z1!hADwD+xe`sk&N?f1vyR@O&!!OXrjIBpvcU1#~Ub>Hv_%otEx0eZX9xjE!=V}U`~
zqiP_L5@bxv+eT16ai|qxIhoc;z?xp{SAg%n?rWhUE0|<@!;Q0P8=|&kPI$(dH$5{q
z*RF-NY>*8oux6JVB5Ug^V?v5^pmf7z`4i8AyCoLn;?ixf{3T=;x>q0)p5rnLx|hf$
zppO%b;v&$5xs*aXtqLaPG|!VUy1GtpZB{ERGJB}wV;f(5tm12H3M<Ka5p9b(+xQ6M
z<A$upnG8kq*TRL{2-Pa+vH#+78UiO6w36>ekN35Ew3ieAd@ba>3*!Ijk<<FE_DAFc
zjoPzzM3`V9M{Q0u_98qplseh3l37HDC9$W^JnR&BK(+Ls)sa{Yy_6d)V2k1;2GfB%
zQhou90ZWB5Kk6NE5|-;uK>V<)(aOXgp%fSwh9pELOYA@1@r@t<?ay5Z{Hv4m+Yb(_
z!%s&=A;OF{zzY{<S!sDSC<kx+ce~<`xVN>jP3Lp7{Q@?{6}`wGmU*;vtSo6Lpagi8
zv6{N5`Upkk@~+<{s~rfIF(v?6Yc=o{W4>ds^`O<V6z})I694hmOMEEGg~;+uj8+f%
zJfvmjLuE7LKs1XgtiT-mt7ZM@K>2Ibx-kM2`^VwE*+I*vn>!~1y-3(nymGH1re!9e
zBfBn)Er7q%t@p}=a8x8EBJ26e&x`1_a_~b|1k|%*Fm``=@eSFopG>|IiA`C@NkAX{
zVShwU)2g@0uT;U<>13rleJ<)DU<07Z0i<{H+c*7A+7WPT>4NhePX_&N!H8)h63U0=
z4W{p0TW6Z07C-c%aM`&O(&>0mlq5{|-`FmGI|+Rgk?CQQ6^cL=xDNwI^;_K^N8{>4
z*Df92H!^3Iw_EfwIpnUx?AA-pL2@?y^U3UUmDMzODB&aj{{QgN`=pWjq3fIcRXy*L
zy56NBou8~^FFaj`)F;$yU8KZYDST`KZA98f_*Umpy1vEExJ>)&isAtv0<FzKmmyF=
zl%o-?v(@prb$>^u$Gybi@15)dE$B<|pXY#EfQ9Uy%oa2f%Jb=(476!@O^J@XK#ymZ
z#`N)C`)*i20>O`ncC6Zutu4J|k!R_5v5<GM&rIM{73-)XQhfiD76vPDYAMSEZd}Sa
zQ8Os2E}|->P#;qz?H%M(dzJ1V{9!9dlw@#%sf}#plVWE_36&}L@Iu25!xNrB^aZwF
z5Z0OR{CZiGwNr+zR_M(kHtm`4o5(cF*qje)Gj&(-*qHOSWb1fq&C~Yn10FOKQ=4cL
zBgvy`qwgsc+h4K>M8@^3P!U86C15S3F<46SA_kkSpScGEG9x6%F`&e_P>LGbC9O?^
zI3WpWjO306BsNlRfCf1KA71=OeE&`nH;VS=FP<r;E%WC~lOCGAG}dw^Bv#Vi1lG6x
z4TCi8CHEVpqa4RF>zn>YcZ3EMTRzp=x)pA-#mmI+4S_)3mK@WCckAM|Z3NnNo!uhp
zf9lq~E8?L<PhHm~r~A^8yTB%?5Vmb=Ank9TJF6u{IRK>zw#rkHk$(Q(^oihknaW@Y
z;}BLHZ@<$J0-dWmTyUWx4cSctGn6|A4@qrW6$6^4VuwWn7e3iW$Tk!VtBOMH4v29c
z+bKZ=Ga_<}H#np??kHOj&OGTXo-JQ+$+&b5)K5XjQnX7+!#z2KAeIyn7*ClCmZ`a;
zQ$tB3^WCZUvQs`ue0(JByARD!Uqk*c=DSN?dm&*>9EemhcauiYc=zNHXLL#Fkw%*N
zJPGkg=Yk>(a-mT8yptTli9k+g@>(pEDK@*<u7}6Q6ADcO1P-YH;JUdJ7l~+;X<MB8
zhXcdcgQe@{Z%}GjcB;m1-&N#flJN&oSc^5u3Wa0_vC5dQw|r^`C^1P-*>x`pSoIh)
za;&4wk6OvoHUgw#sGqwz!3V}VT+OIBN29$K1>3(L;<ejOru*G$wue=-e&yqn5S9r@
z-v^4SD#_Mwny<O}|G*`4;UG@9pIlehp&lfMGBZ_SdAb$u6_G;}X9|AatOA;$1O1&o
zi<z=nNnV2ZFduFgd@+^IV%&ErU0NPgu@Pu{Zcn4<cN!k8g>xWG)s{xQ2S=4;!F;~1
zg<?zwSSac+$-u{N#ZspND7!+PxZd)y`cS+z*G*IbVm4uBoLN=fqri^<sa7{wjF|wu
zshNIv3C+z8JGxvGIObk@)Y6E9{uM?ve;8a&aZ!NTv^?&a4;1jocEwF7<B5bo6v0Yl
z9xf1;KsPf;Ge}d+8<_yoW9@|6{6vwrWsJ%tv7n+^SK49tc-eNzzPt%or;I=aRTrMa
zmZ(SW9F)KqbBzto9Ls20-}DkFwRyYXi@PEyH%S4f;-=22a#|amNa6K@&4K3vNG4(^
zFeb<%Au1YphJh&5X8??hUu2ni97Z2nBp@p=?gA6!s#YiziaMlBA@ezn_Mtzj-*Ea5
zJi73H{4y{WeCGu`7{42V*-7^?eu1jix5#vWF6sAHNC;-&r~*RBB+Rf19hq|i3B@v&
zF|TW#4NbruoKgt$G6xon<GLuBfLpNtGaAnJ8E9~9uzp8esqR28Rt!ik-p{}v-<&Vh
zV_^F5u%Na6<G`m-CCvcfCH8*9QC+gl^k*dGZWn}ADDm;e2V(GW-_N=L7G5zc-S`!(
z!+YJgu-4U|3p?n@T1EBJE%fYGvl~BomA(+u>Pdy7l$3=a%X)UvNfseEk!+ZuF|#-j
zE31wh(+plpBj&f0u>6V(w692MO=i{{bg(2c0B^IaX22IKiH<BKYf;pw`VrZxH&Qcs
z3}}?;X6>COHM+9}Q^;^@Xv1`deC-`C;`DhUA;+ZsOSrD<0O;8jRS*SN!TZ3N=?G8C
zXs7}Q8dqt-6sffbkq9gR(HRx041itlvD*D%r&lnAib{jD|F~XPRR9bstE6Ps(2>vu
zVzMNYR3p^PQ-kctEU%<F5(AE~XL<r2fV^c^IO>nfiF(>$8_NNy{uqNt&3`=S37KUS
zsb6p^TikjqgEDvty&zB0G0^mp;#?_2*TM+C>BNqK_%zrpnQ?5sd3+)Q*gLu$n0;E7
zcG!%MgVU`d4suI5AcY#4!6earpx=`ozyvbm=&k@3&`_xud+65ODCZ%!dB`2N`2M-8
z^_6WJ8S^A?mScknz{e=KEhR#r5ParcaM!1`e1;JWMK@l5R0AmX-H2|S*7+-QEgmF?
z<0na?S+j#}9pnlHh-guI-s*ifeHj78B%~-PEz)QiH)!oiTjw|eCX*}xox#&d#_i5O
zby+}XRiLZp(8MUIEyU%u{%#k_AYbPc?wr5>JCU^{eAe_8?4fL5?*A+SSoJW`=!iXt
zC*Su#-vSXB)MU_;MGy;;>BRN1hBo9Re>EGEGPO~4GR0R2`h9z#ejXa$&D<N4oD~=P
z7GVXEok4Fcf=Ez@2<hQwGWVy+&s1LB9tx2~Ga^A#eT8AQJy;g?3mN*pjoU%*fs{6a
z%ux|R8hq@%c*>6>=j1|{ss=~c7M^qu%l?s`O!4a`6u{0d!_Y5G`;Q;Q;=<g-j)y+V
z?wTGCJ=iQt5kMYi9pPgM1?Wu;5P;xua|a*A`a=u>jo&qq0Trz9F$u~eS|=lA0KwyQ
z4HxvOT5ZxsDFJ)y%3hn?mcE47dw}kaNBk_AQHefl^3M1#w_pDcIaxh%%3BZ1u9QXq
zBs5AroOs1;wBjQRb`IAWWaR#Msunr2AB8IYt2Um-;jw&#go;H8Rk+^a8v=0ZFyK29
z@Er}T%{cc5U>jA3w^SK8)2!CxETe3dSt2{v#j{9PIw(P*t9Y0#>U}DA>((r~(>yx)
zH(dVG_CH06xV#4o?4q3g#-(q`E(K@g6rHk5<5q>#d9V3?2Hd9<)^e|bl`CX`?j<&f
z+H%h9$Ot5rSKv6|J~p$CdZqi_z7q7Jp0AB9=i(|N0+Bj9GhYM&UzP23i8?hlZd1yz
zz=N#7mx&}B6kg$&sP-_9XNf#><~}L{38~h+MUnf8%9QtgDz#%C+?(m0ZZA+>a0vJ^
zuI7wv<=dY~lPWgzt8DHQs%`2{*AOw`$!D6tb>3NpMj)l$svqSTNl$s;<Zkph{Gb!%
zIS-uh2&9!9(XJvOP5@Dg6y2DM9rD&b%z(z?CG1V@ncf#!)S2tYP`J*S8ySJ5!mB<n
z+P*=s8A&3oZGE2494^~n43fjt-aT3gp$Z+9J+%d42KYGZpj9zO+o2?1O_x%M=iOK}
z=l<4p=TC2O;;?h<0NbQSk&Urps{*QhxfJ*mu+Qe2<7S?@rVU`}XC5c8Fi8ZCdJR+y
zsRQmPS?PNojjZ90qye^Z--+&+vI|(Ta|IlEgv(gRUg|-2!W3Xsg<Z^w`5;FqW=U&F
z6oT3UZ-WLO3vGG7>qHBaaT()QQs;Fe`Dl#?Er6uzbFGKb&zejQVrFTOBP|0x2?5+%
zk7x^Hq``G)K+al4fUg$-J-{D|EQ}WcL@5S%hXLM^K)*NtH_F-}3qU{fIMRBCz$IW6
zUPq8#q2?F!A^uow^wD%-uWzve21t6YPpW9S?S=MZKb`(Rui$U3M6ZrxP8#eS$K8-q
zCb^2rV5N(WIb)!+9804-HkM6M5754lv4Huf!DC~H+;_sluhhvI3Xh~fIOcIUPXp^f
zHS2|6Cw(RZ-zZc=<yV+CL5b6zmDAw%w^wLCim|PK>cR9NxgOy}zGBB2p;C7xJVad^
z#<WO8gF|_aElBd{mD|%WUiEht64crMDwjERk_qRJ|BILX;7JMS8wUE_SIdCKMp#}w
z{O!T&c?yXEf9J!n`G-RGH++>NQD7`W`%q}GMk1I7*)CMd!4y_Ng#edPr1;p)GLN#%
z0qt);<G%PWXRY&BRtK#|ZHXe}Vl2CO<D=|I2sHuIszW2x5di>5L~8L%9|M#TR>;`m
z2+C(uy)@B?i_+yUqMf%sHGFK+2rhIk!swWpCbl_}A;#Qk>aHx{7E;XFg>|nH^}s|w
zY+PIiN6tqyGY6Q-G3w|6=|iCqD6NfqSbVhwOJ9TGcsaXG^s$V0{%-pp-e%EyVAhQ-
zu)07Wahj?^{TA;Vbx#QkHFp~FlcER!P-_NS^y^3&LokMnFF5VM=N0Fl`pEx2tDT!V
zGfxhs{?jX}e4bew()yojn(7L%voKZ-tGo{Km>Lh~t6u<Dz6T3Gd-2adsUbk)G(eSs
z^zJ3zHeUzWWh1n~*co=#W%=QA9B93j-5zrdC#1}SurclJgcYvbr(k?q`C;mz7>15d
zwkM4TyJ&3u9kuahXWvkvbu^+&?nqu1#}4^;=dwB4V0RF;_>6chM7Gcm=8vE$o|Q~d
zKH#VMg++nsZY^J#PX7^)qg%KxGjaNoNm9gfeSL)BkK>cmH|h&TTsXwZx?7rM(NH0`
zuIa;NTouHH_Z_&}eMrdGyJuRrUiZ+<I_CnYlea%nqIXW;0FG&vff~@Y$AC^PP2AJt
z_fMD8YE0ah-3~ZCfR6Ydl;+)-hc%+>`o+g~N%9U~6TgZGSR}vM{C<Ycv~|OLoR{{l
zxXi>ME6TZ`mz56q3h_GHk}2OT=S)|Gg5`38V(b6iLkz2ms2H>S6g7Ns3TWidOQ-a^
z;<916$B^1kJU&fyvf#AVG-e^aOMwwem%bT?p(_KKUMLPA1<=hlRC!)HXVrD`Qv8Zl
zTZ^b_bkh?t55mj^NJI!sMa-Q_DI}m?e+#$=eoFw1z*Ct9HK$EgIu>1+nsuWAiHH#4
zXi=%8Wmyvb4Zusl&oBevCE#{XJ1k~|Bo{%bfQSTe=Ek7ZNWo*<wz&yZ|1<DS0^lVw
zOr_g|kjyNIfJF%@$Y`8;O39T+8zic^JL3-mehBcLfbWHRtR1sADT=DKZO%CWP3$&v
z!U&N>qzl0vcmnPL-vxXZa6<r$zzST;9+0>)GhXGcQxOSyBxAj$%r@E5+-YHM?R}sE
zz61Cf(iIT2-`-odvQDRyP_-RsUVo@hCKDUxTf@mfFB*{z?JYvc@@Q6m703y|Uj(qx
z04M}t+*eBRVVIYzPN$RobfP=0AP(C}+bGFzblsKM_(1Qr>To#JJeZCM@O=dMCxNU8
zaAN`3N-3=YFT*ZCA|fJ~w+c?*3G4{-9bp;hg$!+2R?*=o7a=SDEoUZUB7?}l4~rx#
z@zV>Qw(0mrcMx`MV@J~E!yO67w{d~+uez}t-)<BKnJldsI(m|obaucNvp|E<?>&UN
z(V~zhG>rkgR$rA-v~6#-u-(B_=xlA$%ykIt%En-q&j|{gH1;OQi&@0EnD-}Xl7OED
zd~bW*8C2i~3^q(OOr8jLWBu=FC;1nAU`x8y>4Jz6fk-k{WdLB)9;Hhyxg;EUCT13c
zqI|F{TXoxy8gn$EaZ^<-s1V2&5S*%-rIf5{p+KT>t`4deB4Rxu10W)8Ws_dFa75l|
zXCq~(3<W9TH!TOc|7lv(l375kOg+IOZ7d2!4?^p{ENkBmjP{w|+9=H8)on{ZTMjH1
zg0sx*L@bt40`g5^Q`y#KsS;&y1+w_LZ<PsDnfcIs>&F2#_APKT(>{}*7>hpe;{>)S
zQC%XIku8neLJSlPh>L)TgW&;5R=JUE5oC?ZG?tkdhX5kTME5c%x0vP<30OeqeI4tT
zjQr$E<1-hFk>!HOm%W;`&4$zl9(TgZ59327;!rs%f1ZMrLInI;4<=&4xTrjM^wGsA
z<{_nEq9+DKthVB*Hf^{NiR(`2fs&Hi0~WHq?@g$1<c+A&vEASG(6;-Iu&(DoK)N$3
zoh*rq3xxB?OETs{6v9^H5&sbA=Lt#t0r(H9jG=*5AG@w=f)d32T)^8_<I+tRjY(#$
z#m<I+m&$RM@g4j8X<qWf&`G9T3+fU42k6qvGM91}hx?aw3f%MqCexn%oOh4Wd7bm)
zylmJ~r7*3tk^5dO1KIok%Ec}OyrGCeF{yye1QEkn_Z8HmVI?v3fSDobqcv;}A)qM+
zA{vXN9;_OU4Tza)tvHp9D<mkLGOuQ)o;`ljT*|tx+ghOwh5OL9Z3b9W1a3%9-=%5F
z2p!h&oq(5spCy9bVwU&H)I+y!>$;ZfHppVfHn*d3A~8l29&Pmd7mZG*ld@j|dl&2<
z0A2zWQ72WXssh(?@@8Gvm4c*=O1f&>w&jt$@(n4;WGymtRciD;;5&dH0lw1_%)udm
zbuQ=ENpN1*b-Qlce3wbPb~He6%m5s{BesxpZXEFaNdFwzv;nEA=m+Og&qTB$(npzz
zW$62U4?s;2cq4Xp`!r2`ht*~Q5j!(>SNeqzB@%JpYY8$mB)yB~L<l_d8e{(iE24t)
zLjD^@k>eOUXV0Q_x9R(cZ_%Yn5~U+7c~1<QyR2~N-e6se1YUj>@SSW>W5pvblM-Uz
zUknO|BF>6A7rCjXGo_&NWXtM<wU!F~ec+kQCLWyh?q+!|sRBWUi_>HJZgU6s=!}8S
ze4`1vA!#YdUWbF0SiRX<_fCHi$cAxngB|^8xpJH7`K=(PUJ6z(`t>pH&5X0sLIvrF
zYJ63ewb$o@SOM_!tVH@A%|8UW{VA)K;1Y&L;2L%r7;JgMd7}cN&JH920jy4#*XDyY
zC3aI#-(zCpwTV*$JYF&ZV#>^vQqU83?rAgt(%%i>Xxd09Aq4#{-~kNO6yW;YapVJD
zS8!jcYf`VW6iQn8RvzTbk}tH?DL#dyXYD|Smp@iTcqce=y_4Sf{^+gkLe#D`Q4bKo
zRz}?RN*f{z)%4ZW$GNCWCKl$hbnOu$grH(6ck}kA;1|1`vAv}5#QPH&ANlL`zd^a)
z?j$keKbhFRNuxfkC5qYeW)!@zmAYr$Qz*gsGmZF0Hy5qScA-O`RwCK&r?o+D&!fj{
zDVG0`C{Z+|hJp&sA*Jt5eJKSS3zlO2$~>>9U1o6bjnhS1k>%50GQ&hF@pb1763hH}
znl8GSSK^Itj+yTUzP3KNpqI_#bLz?cU4hkZINYr3roC>ET|DxY6xHHQUDMc2Tt2_a
z{X8BC)vn*w!n$rrx<&ae_T~{s?)Bz1+bbW}>*beEvH-n)Jn)jrB`ys<9_h=)MuxA@
z(-$0p&jyP;_Q>P@J`5qC3|7d>K_(xmzI6HVOzF_(2X(?Bm1ZH7+uab-rR97|_I5+=
zG)9>HiDVzT7q7%%A*`2;Yjcl{htNzd&oA%+U$A~(8V#N-rhH!;U(!{Oz2x@sl{_p|
z>s1cZ-kD`;bsS~C;fL7AQxM-5MVXqgwZ>`^xN0O3H)R(gVzrNNl&G?Pwo0e&Lfb1N
zV*8ri_PD;k>o1oS4hx<JZVcIR?1;h!qtIbaN&3>VmUiYK{;_X)om&yVl4~u9Ph~yN
z#lz|<WSB{HXXdWXL-M?FvJD_oe>HUSruR<WXp!jK)KnSd-QF`O;`n*yf^!ck^5R7q
z<g4Kj+w;g2zKDW|qykn!lgLn!I~vqixk#7&zR`{xRLhxrMxL|fKHb|nn_FFlj4-Qi
z-m3FLIl=sR>Q5!_kCNS`LVdHN-<>M%>vh|N_SN3>5OYD$+MC>{51og+k}9IQ!nM|A
zZgoFyZC@{wPn)OcLJj!T;nP_8!;6j|vVxw_oWw;v31Ky}(~1(1Xj2c1SifKka*SKY
zAd{v{BN478uom3oAvMs(l?Z!R+pL#mp^#g$z&0wIB#4(X$5vUW6KK>GDHuNQN@Esr
z9@FA4tQ?ztswS}-*n6_TsTUPDoNV@u>Kq+Xaxw?X<8#{vm`#c<j#~Vtm9tq5gVtBg
z;XTTqiYCf7oM={!(rz3nF)FNru#-i3>rIm8f`a;I{3*7!sMyq`_Lg&HitU%L*EDGu
zL4_(1g!%Zn^Fl9pHXg~clese1LeK58KSXZ+VDJrS4O>8xRepZQc6=I!twkn-lu}1G
zH!739Boo(z`3}wk>+afD<m&s|zb<i)b&Y`V4{GKBktOb4$+DLluLZTBo2CM?;4Aas
z@;LyViT+6Pz6d{@rb|Lu$_sP8pwHT9#FJ8<!bd7^%ub?Vdajuoy)0o6l#I$NTlQ|L
zRZxw~Tq^lx11?sGVCe3F5S?dsW56|FG=hMEAkXs6Ci>Q$)5Q5`m4EKpydaF^nZ<?q
zZ0%19j{(>ilcmz5<8uIPSC_&cGPmtUfNwx=m?i_#bmH}-9X!e~_rc=IFs(+eOn<b1
zhl8Qh0N1buL2^0ieq4eEONbqkNr7BXBW>6qw~61#T)E|`2zjM~H2zV%fLo!($@IVb
z0T}#X8QD^$1NvruuF+PyET>%dt(<h#sKPy}i6gM<V`oM!4KRW0%dT}GBtMo$>_|{8
zk1pR=#}T9)2~7V|rt4hmYONupIp9OEu2_^=XfHqGAZDelc_GP>qSA&BjCNiS$^25S
zqjVz?Y75wyfzK<b4#tGkT1x;9e}l}tHnifdB@Ask<Z05I-JPjZtH^@)q>I!?qv%Q5
zdZL)G%@S}7l9DsM*P6a&zX=Nm{KrmLS$PNlb+_Y9V)+c3`*8$-Gx&fC(zokCx~}>^
z5lIU1LE^%ANh$8Ds*=&mhIhtX&%IGrjrM=pv>264ii?9KeN+olErlG8Aw{*AQaqoO
zN-i;_U|JZMf!kw>h>S=i!X!l4UwqC55x8nv_VVaLvrf{$5FxeKYvh`m?66~0LSW~A
zh9X;t>0nfv)>kG(KgEM3)Q$8Vc&(zSIkVpiI3fJcLxRYGNLPXs5nSp!+WKSx*V>Pk
zi%LdWNeYKNMxonU$Z%wVvXc$s)>Upgqj{SPA)wE-wj7GmYGu=Lp_c~HorHjXAb{Fw
zM>rT65YlzIBC<d2T!9_YC$N~VPkKxgBM!O0M{|Go^Qio+t&o$(9(0ec$;0E!(qSn9
zn_!&(<M7fB(3xWf?MufeG^YdKxzd+O-xG+GmCk|RDzT?gmX&@NvJ+LcC_*oekbL~z
za!jW?d)3T~8K=>g|3CANzPNXLThJW6KweWC#E|GweYHW3OS|u~r9E<g_$p3MAZl@?
z)WDX_HI4)w=LXD~Qp`hG3bROuU8S~qy$(Y{9S>C%t8wR*l1&$9*-9K1>!CR>Yc^-4
z5Tn-jVx4&MK3pm5=UI(aS6y|yvm<NCvpm#B{Fj;c?$MH4d0f0<4$sM>X?N`D{kK;z
z;*RA~+WKEzD!so?$Km?=1os*Rr@yRuWiXBw{U`-0s7@Z_-&T%Q_v4N)xhF@EJ=*IF
z++efkb}avDT=S3xm%7iL?cz~W!@tv`Ok({mD<x;#JiWVP(24#cdQ((1<uZ5J@j-TE
zqqm*-?6)C4eu}r?r{R%M)U4G$SLXJW#>%e-q*PV>zt#%2F4<{|dUadHO(cjgq)|Oa
zmY{OL@=*oU{<?z@ud0@NIJ?{`FdwBBx3}Hsr}fSz-q1qs2L#|TR}FeLqqJ<bi)}h;
zcn||c$V|klM47bITxv&^PRUd?)SD+alFUoU1mS_;qpeDcSJ_4;`o3Cvcze^X#z;Q?
z<d5seaf+q>wN@!Bg*_fC5y2`F?DDp)cVymWIfN&A%D79JzHHm3k-(X~T0J}vVZGH1
zbdNaNZCCA86#u5{WW#OS)_Z3%iHprK-93V!Y8GtjAFdHHvdNTJ8q%NWfe}kU!L5Na
zB5C=hK~x;gSg8i)DlivBbcRR-eA@j!Atyd&_lJ5PC0aYIP4bQkmt*B2WKP-F=kwaS
zsHb**cp9`>^8@uux`2dzPznzRXc8LKXQy4-!^_|9d5?B`vrb-}nZHYWE78!E^?#9#
z&lTzZB(@O?kxuH+pFQkh#VaAyF-2{T0P_Fx0&7!fUGGTnboX)^!CJh4kvq{0F^zS4
zy)7k`>CAMyJa)j%?4`Bl1c{eBj+u53ww1mMP;xF!@0~_&Q_J$lhexjQ5OB58;a0ot
z04jiR-kb2GJ)gzv-#t6~^_st@TPscQp^5!(X9OXBRo7#nCHFeA#`IMBYszj%$j{uv
zUSR|bDNY?{2`leU%+tjyElPCGaT=o>--`sq(~PCtGhjVwW}368wE$z?Av0*6)R7Mf
z%0+D-BjHnqQAI|wnSd3=>7ga%O@c^#Ogy+{_t%Nh)fQmERed~pzKEKBAG5xsO`sFv
zE4wV!`Vh9Oa3MM5r0U@j^4x1jM%V%pwf4HO6gT8afS&|MT@RR#s9_o&nSv7)AJfAs
zA%ZaMG!oNU0?AfTc#!(9Zd=l$OoU0JNQy61cZbJbdLp8S?&Hj*`|{W2(N6Ul9C@<^
z_|C6MW4j|>t8d%5ic^9!iXqJAV$Pct)Okt}`@T_vlyx1)X<44JWhz2Op@wa58(ArT
zI+5w+I<dZL|Leb02uhBQ3K<FrX!49sB18SO^?~6O0)y$K-LdM#`<PX%jD!_}Rl2iQ
z)k*pZs5jhGNP$n%D9DmWPM&L8Mr18K)4{%DmI)<>^}JQuOasdvRu-AT-X1($3Rt6z
zmgi_vD@1l)Z1!){E{Gt;JZ^trFVC5VRY!{8_+jp~lc%B|>L&-Qy<KuOsn}Q4D)j-D
zh`->%IKH4`0M-s;gsSNKdIJ8KHW)a*yUVjSUSrj-Wh?gBZIb<3X1snA_Z~gEUk(F+
zjRYVIDF-=R1?fY(^Cl9|bqpltjsTE~``sGX*1neMuDxeqEnZ~_&}Tjw4de4t%Fmfb
z#sB>V&aBA)alzL5Z#tciKl`nxW831OUn~zpKMyR==W)EfJ(hc#P-3mcs1ELv0=Mx~
zF@XFDRvtBXUG|Mrfw4k2SiRulA)2q&Nd9JLOG7Y;xG^QbKBUghZZn7FF=d$=Da6ED
zBU1MhQ4qFUXnMx&DJq}7|7;83c#Ef;JHvswJ62o8$)hmYnG7{<^o7%W21P@S)YocM
zqSBT{uRT?8Qnn+}naKdz6eMeR>#F@F7aqfYdKyKj-`d2q8_N)<phAAhnWoU-gwMQ5
z>OsIO>T4*X=m9q|&0#IKLKKBlO4TM8xc+#b-AofNI69pwVH}xAckDXujBzGwLXGGb
ze2o<sJj{&=%OhcZG>C<PFa)XqCg4CwY>0~ivtmJ3^!+^vSP~9afX^UPL9rgCb(|eU
zJhC39{^b~Jt%EwFl%>E(BEuI2K38QGjbOFn(O3*&1@x14_O(DUZndWVqSlEYPo7_B
zwccU2CSx{SR=gBZOs%Cc5XnMYTRdKgKU&vvl_@~m`U6htIHZ)9CZ)}k#%S^{U27Fo
z8iQD5T5y)S_gOLdv2wJvcFZUl;~PUezGSKqlZ)ZCd$@(ChCqiI^BCHOn@cuexn%TD
zZyWCrX=jtc_-H1i=o?8(3b$6N%9?BRdD%WbxnV3+SSo_{)*BQCu!|%L10-W?Xd{hR
zrJ?l<{eWnYV+^O}K{g@fTz_W+gtS?m0d=BDA!`-L5#;5S7uqXzqSE3UoV_~dx#>)E
zaf#l0Mml-KrzeWDy6PV{vz^lL#w4>w3GGLXAuu9q8Lb7BN8oVm!(bl#Usa3aIQ*YW
z_ST*M8yr?8d%eRP7T2<);87x^c$x9ku9|YMDn!+z#LiNh-~z+84$g&BX!eP$XiHCm
za#eJWgV1B^;o?PFq+v*pIg9P#nmJqX<MH=qB?~H>$CMmWE~PbLRWQ3!h7$#;pEG&<
z1ws#T#5DJlZRs8sMy=+d(A4B6svDURK^*0awn=X{={@JFD7bT4{z7(J;I6YnO8Zur
zEg+Mx%(Z@gEqWd|rj>1jv>tK{F0j~|15%FdE)Ngls6A7S6{Pz7F1yr4r0qLDq;0Fr
z8r5g!`Wgu?i;jI0A@0jom?jePXN4}L%-%)EQQ@hHTo!;NptkiAiG^$kkDQo+Fcy4N
zs&kZT417Xe+ysG9P%gc&Kl+|u`FXztzwT$?D}4|89`s}A2k>Bf&BruX(a<?KO`~aO
zQyzcuNf=LOQ~G9OpJvq~UN{Hd^eVZ=yUMLx2IiZTs&+NiESHjzKFT$fmH_46G~d}R
z560e11;*uK9xQl@0IUv@!y~N60H~!Po-i9HRi(O&usv<Ve*pu@oMw0NGV^QGU?RQH
zp|+;X7pm+YPZcpa8>G)|u?$4|h%QHWBNaTrG0v(fx-`i7u5PW>!aVQk0J_>UY7En)
zCb?)SH!^!E(k+^mMlh?YgECvtIZdiK&X{!yV^^^Gc?=p?c#xAfl;yLeF`yt;Hy2)-
zY_)86NVH4JR4^y6bX6hUcrDFC>FLy(khRy7@hf#=w6k_Nm|LSkgUcb9aNk|F+Jl}c
zcb7M!wKKRO<Pwvsbbz-;QRFUfJ@A2A3Ru>dZ_Eh9s2qch2y!7&*IWk=hau$ZeLc*u
zkb-X04)v@-)(#s7=RB%ua!MF(nel${PN}7FzhW8g(E1gTgGE{3BHxK&aPUOJ^CT7y
z@!lNaB8SzGy1R)BhP*Bqe!h9e&7}ijrV->0K(t-qWSR|ks+pzG?x0zD<*-R~V05M|
zXhX@(5EF3<O$iZ&oM%Q8xmLv8>11-2D|e@29k-&1D(Wo7ZJ4r$`+X|*n;2TJTOhxt
zt`b2wYP=%hU)<Ts&!cbt`#-CT7s3}S+ue?Wy4x0Sa&)_>I3X6?@<WjO<;<^^jQdg;
zvx=ZL@$Y}|YZK!&M(|yw_uG%YFmckh>cb%eR+D8_aqF6&3`PB8_old8=YrBO0EM~W
zCRh*s1QNeP43Yvvvp_<C<qHuMC!aY)mt6N1PJ^q>9BeFA#8iRjtRfZ^16QD%L5Wdm
zxIJUbXIZ&Yyd}#z6T&9^BMXxAhD`E%uQW;(NobgvEo!5RtYJE@0|#Bbbr;M+9E2#R
zCWS<d$uZ6}PnsmO4}u~VsK-!KzHlqKqCyolgkz=6>Adk$8!pc{g^b45Ol(kWO;a9~
zSVR}WTX;tR-U{px(^r{1T_#ggq3UXYMOBD(-pS1Evw)*XnYR(krB!BzB&yW>_o`49
zR-6%HbT<~6zH|+Pq;V9CGx4J+2m<_4R&ODga9q0JTiB-cfvDIZw3xc_AfmpKvtgS|
zG3&V*Yb2oeO7v*A8>-u~RY)x}39%3%i*TI)H!wpZue7&SoYhUl*lcn9X>pqV%<P3~
z!^i}=a~2G_KzB;F@osxyK$xVF4hq~VB8VXL4a}JVe8-bwcy_{^nuD^k*mso1)gn`9
zeI6v!7!lCadRsmzpbe&dGRVTSl2$jOpjoW}4^)43ayH=;O9&~X_7$l_Vvz~xQN)a8
z+S37arPaW}$|J%@1h1y>;~7{Qy-ih##ZNaSN(o@Xe9Wo)f_R4XcUp7AeZ9&41`RHm
z)8ZGbWen}6_G4dnSdNEWaFI_bMn~RkAn!fPja`_qOTZ7@y;=w)TyCuG;cPgU01|RR
zZqk9V-C)iUyFoJRh=+Vm`9q~`SiMU`PjV5XNDR^}2&{zAaxy&|;C$|!9tfKr9A@iF
z@8IipPp5NeTf7tecJ|iNNl4Y8g3(DrI7zrU-eOUY2dZvi%8`t)EJ-jfhkquNb44u8
z=bC6bY#CfUmSb^SMFysg;K<;w6P0YA)1$yP-XL+s>{PS%*)YAviHw<(P|JE9&If#a
z$tB+u4gwxpT%0M^6$IWv+vIAfhSqr7d~hds{4?|dir{XT-_Fa*k4Cls9bmaBR5MV-
zDjT2eFlMPlEA+48=e25*Uj3`C3-r&x4<VGkgqIvGe)r&G=$CGW=J)Uk{@UEW*dCgv
z|LY}@{C79}GgO0;F{Cjqv&ES59#}&YsM*r=WnV@=t1jFbPH4NK8LTCh?Iv9r`=mC<
zOK9ft9?#aRM)BJnXf{ZN?z6Jsv$d5!QjwNRhfI;^L68*JQ$G-iL?Tf_vaQgAAnt)g
zAQFj0nFw7aeD12v?O%n{@X5Q(N@S!q3W0C$Sf=b07HSh{erKcE{6!Plt`@RjoIi#B
zya1pJWQ|ecg72TL?Wg5`zy7Yv@vY|gI!<22PRpsGdK}xBt2+~e1>L7oa0cS>=#nw>
zSg?3JfW6~wHige052UJ!egV!a@^p1D6M3C51g5N=vi}@>9~#CfR{MW&AbviUnv{PA
z&Bm*?1Nn&^zL9SqUu*;)l?-EDV5qZ(8&Qw8tbLLgXk$O^s(uB!zt4w$1KjWTMgLQ%
z`Y#?n@1MZp83!NSv8_+v9ppm}fTqCGbiddWWkZM&_}KeV<Qbj9LTLrb`r=T4xO{yF
zSuO+(0V^svO#<<Dz(;sS>C;>*tcVZkot<kC@mJ~@+$t|&GA-Fha*ND;)8$vn>5E<L
zWyU?H5mCErrc<+SVQahM@mUD>D%+i>C_XBZ%C?;~t5y!;#td|@XvhIJ5$>|&%PIH(
zOn;ULSYJOml>H-E?iY2dzX9JbtFB*z^qVyG--R2}>GOvv0Po+kU`$%#6v%mz1WAwt
zWGD&ZE~ZEjVw40UJancSq{Yb?#rOgjvZ1Z0UjaUJO`JRL@L`#qrxgYDs);%k@)vt{
zuR?xtniVRj<1=@ug7tETjZ~SjA|x(eOqJ@ED8o_v&eOuvcdX}+$IPGm<fJinIeZ;U
z-ab6t%EPTWx^><YSJ;v5ghqwuZckavK4BxDGOO#Qk<zr>s%s;0u3F}M<?xVemEz*I
z`%L7nOOy9`H%Vzq;X|lNw_8(|F#h${b6!+PZJA2cSE|$}zbD(3SO`;)_X~)W3J~<|
zq3mg?`k+2o2#_8~&jm_`8~`VgC07|TX^QE~j<NRQ<9R8A#Hw4X*`~sGUtpm7AaAe6
zJ7I-Iu1(r%LB}3G*4s2qf$dl<08J3KAHc#sN$8q5Rq7UL$OSwzL_kOAKC|Tn(~*an
zmW{At&a^oQwO(-*wOn^Cuhn5KYjn)MC@NR;L$e4mes480!t?+{)0cQ)x4hFIyi=YI
zI@SQ)T*7gY%jFQ%-yTiNv=`qNu*cpb78~L-+PGrK*~<f<hsL$f5MH#q_L?nc;G9h>
zsqyvK_!y|89HeUwoB69>An~o<Y48&=w|Dpf;07oiq#D3in}{!Qy2R*W@fuw?0KWU_
z0>%{eb-H*qbwDv#VdZ5cg`0wHmG<A&?A|+xlzbz4cSSIPqJP_0>5{2I)fYL@<#(d!
z=jZ^9eNsFI=Vl-?i6swL6I-EQiY3p<w(@8f7Y)X@jjF@~&sys^*83cehKXc?seQV}
zF?QWAn-e&v`Y7nv{^BVpwk1YV=Jpk_-l8j?ri^Y{j#MjX2q1z;FGx7IQLcF<^5Tke
zjC#F>*rOi8L2+?$StoDFA#t0f#l@HP?hTXyM#<3ae^w*4?}h9d<&$-&cGYg*r4s)j
zG%uz8zbquz*gQ)^aSht7LvY|SDIzHBh4DP(YOm$BP<z%L=|Q;&tx;UvIfFEm9=SIJ
z+C&pL8i!47t*Bt>f98MYdlu$9VQw@&tC51&L9*7->q2lmL$uUs84S-@4P%3YUm#0}
zptr2V*TIf!je{I^<_<ayYD?+N3}!X-X%ob1$fwKTHTkFj+NXIG9Mn7)9LoI9e9yvu
zC(I4svvA)LZiFGkF;nI9L7%#*>7%DNWx|^j9h+i{0%%;<u<p#aw=|?F8TS0|-Avf9
z0kpLm-mXAz3<42^$nIx4EF=*TPIu^OOLu$SR_}4zp2m5J_$}S6mV|m_VR~s`&OYNe
z9@35WH#r_lCp9%EI<R&mCcOzj51hySuaOsmGEC@u?wXjy5goQTH%*#)Z#ZJFgk`q#
zBoS0(;C7z)*5(5#iD}F7?KT($L5F#efFa?Xrl9WS9zav&Kzm}BlW0TnztN#hhpwFg
z#A1thbUZdP9>9X`^E6T{=kd+*$V*Yg%m1GLJ>PpCv&WLh;%=$&J;V2d2!P%w$gelR
zH9&L|5w1WgLO=qDU-yR_SV$s*B(^<jYMSH>NGa3vds&wn+=zi0>J>&~8dM%CV~JLD
z19Os!78#-m(wcpykwxn*mVr$K!R`KV;|ocFAj91cGRUJdW-_+H%#q>lG|M>Ww>U^i
zA(N3*_tfTSzwjAI7V*Au<yXvCL`sa246o%OxM5i`ko5d%&06R2Jdihn(8ud^rW*`6
zfrX|I3BZRM%t-E+erVuA{6=2{{O|eR^O`-Dz~f;9-NyI88qpO4++}?%QTo7zRco`2
zI~o)3vsCHyIi-N1l?-6!EK4eWk<RZrs~4l!)V%lE+#W4aN7*^3*>06^&aS2c(6)kg
ziv#fA*-Y_H)c|m;RyI0t@6CWP+MpFI3Es3_#-JQDPAM?H%2MdzOpm{6noIetq4eiS
zY5JC)%tLa(fPwNW;D0R2V2fYki6+M!rUb<8S4jzbF7n`qCH3Zp?q}yb;S|Y?<jE>3
z;WlQ3{7;2u2BJ71%LpP9aO+cvv$)JMvg8mbTqyr;g=Aw4I>=edU=r88GJTdfj>F)j
zj~;k9xbl5}|9f*UFLOij*I|QXsP`T(vEkRK5nJKz8C0*L&w3v_5Arp~V=RHHHH8{G
z2Uq}-a5(daIuJyo<~0Pg5w*&_H-A7Jq}g~@ex`&ykLxCVC(E{OL)Ukb*7Et4u<?a6
z*`aM=eyxyp20c_P`B=lOQPVuahZ@Zf$O`V?<MBd8(^uG@XYCpuOX6Zr->hs$bRo#d
zKAb8K6V({Ahs2K6E8<((cA&M(jxns{qx4tC?<rU-HY+Zm3hAO5`S?6CZTu~YH2w`L
z*ZK=W@GG4Tq8ytPDB5&=s$D#Jd16It8%NV))nKk<8*OY5Oy*++Lrj9S4$DuICg`NB
zV=)1zRI1h><%iPd?umcA`iiHy7IFyh7+j7dJ;C|L0<k-9t*KUgP4l@PQ3jKpD~}xb
zbl+8M1^0Of!&+_$JjqI|73Q4v=0c)v1>a4B$0ouy2X0;SQ46h%-0+sQ!aj2gNy{Fu
z$uqvTnLO{>yA3%FB_&x)>(DcI79<A!M1tg%flsellnHjW1VUXYU-WovI$O6UYGe9(
zQcE)WR#0og7ZP;WI?yZQjpLoQuZ69$Pg>3bzNmearm|WYh2m~j;`j5}GHjUY#Y99-
z&$;JD960FmR+m;)yA2!yco-k08ApA-2DWT(kVAyofSii|Tlyq3w1g;{qd%f!<Yqhx
z)Yx!{u+h@(;|A}6Byknn^a@X#K~0VG=uY{Z-!b>nT<=KUuhFAZX|)-|2wjC4?41?a
zy-CgBf>?IcF7Vbq7<^=la3oNJGdxBI^Vi)pANBC?T5f@btJvfR#L<5X{U@&5*J?e1
z^<ZjnvMoG^^%&OvnC$)av8=~^ct@itP(D+;HDw$2o)Ql^D`iT&u?!~3O+KfWRJ#1z
z(YB5ohOofvYLOskQl*jwqXBB>TUgdC{Q^6x01L-HlH8$U4Yha)9xMx%KE-r8v*}^S
z9cvn!bEYSVK~aGh;djZ17H8qt`eBuZTLly#4;mZ~0^3<nPy_`O7#oS(>|dLmJC5zQ
znP+{mR@f{uGR@0E<G^g|<_+)$={3UV^t^0c;&pyf{<G5boyN*l2n`Q0<72n>+R}go
zK9L}KDYqCVi%fSD&+$4_Pllf3F8@n#uyq~C>jJ#qOS_3zxZRfE+639LywKLtvb7p|
zJ?sppNf<oAbY%Kxf?P+5zduK7CvLf4o!&ij^1fi=3Ta(rc^SW~N+_}P{n3sgysLPZ
zaYZ=9Yp4{9^GgbA+>TopvP);4%&$>aT$J_*x<^ypR=4a}-zr&%9)HLN<H@SeN`D<o
zEN*9=VIfFY$5~%>|2_L(pI6FOhcHyLf-<7DDHoh~4#SuvT>qk=DL>b5cBbWG6qby&
zI*Jjb2dGvrcVG$B^<6b9t*A!)<DJlZf_5^D(RDP6&!9?Gman=FgYb(fS#j{~Z41iy
zS@-FKEzZxLSD;<4Rb`j47`r<8UJ=|Zym>hA9@Qxuannsazu>p<mXW&>VE)+|$*)!s
zdgGbN5iQ|Q#SurqVSD`rD&`hjDN1>a3?u&tADml0J?=>q9Zq%8lI@Q-RC!vt7~_mZ
zA4UK3luF@QsPMe;Ol%B_kDJ1huka3UqsFJ%IXY03R(zFVIw^x<#4~!ssS|uFQ8M;q
z@#u#3|1bx&?pyC)Rg679H&`V!SLhNbG}^2tp@!0WTtz;k6k_e6Fc;$ZcNQHfNR4Z(
z(#yy0c!Cx2qvyI;ZUF6A*28+J$tShVH2mEh_@fuR8?cPG!`w?HvVMtkxAsqscUr5@
zR{+zK(D8v^hjHvhqGVo(pc47q+LJF35heEQViylEyCPjq%c-tDo3AF}FLID)<6lCy
z%X&HuT3fSWj;DSZK5V|Xz5GIlel#{~1d=?trP%;gYV9t%^)mF>Vof>e85dVjgaoUN
zNj)9LJLC0ROFX-ZW+~koBp%08wkNS(e$N^6IFdAy^UQMI(MIg;gi=T~Fy%OH7tc-X
z<B*D3ayIL-TC_EEyp{&@Gd+`;@uBc7zq*ua`R?LT;r=-i<hkpqsq-a~$f@u9h|=$V
zLg%J``8_BL6zTaq1GFmL;ox$YbQ*Md$u|WdsAnTcqr+iF7`Mzih8V^8F{RaE@@hIE
zMz(CH@UCkp?;0FfZ-3lZ28XHS&HGnkaTi6bH_GGyw(}nOjbAmfZ)}m)pg-WM2H@k}
zU(cs6L&VsEw$|T|nfAjVbwrgq>zESC1EKY^g6bu2Og{wwWaE-57f;I%p7x&U0lB_;
zF&60M(?07OCfw>j4QJuQ7T!F5`i{_V+5gvo^q_g=n#ax_V|DWQg8nEVH>>KTLNs96
z2aM4t9$(NNjj+%u>|MPX!QU@vw1ovxC=lOM(#RDSM4>>86^((gAPNOyg=w^f1yT6?
z(wF29Hd7v%rf%<CsAV#M7eE8@yXoy*Gq){hYyI}KK{c9|OGhNM0BQBy3ULo!sNutX
za-D{ghX44*JI(glWj%E}pRzlN++0p4laBy?2Y~07iH_i$XF*$7=oAVB7GR+*h(dt~
z9F0a;5QPHqlecMf!h$Fih{pnrwy+=ywaCNGs)@yc?1XdimD64$9|I$P;shuL<V}pv
zt$M7i$izSlaLvdi_#TfzzoZExRx_v{U@Sc?iYZ;8*Od<j0|p8xN<d`G*A%O9&#@Ql
z8b^Ui?RG?C4NA-LK4%Qr#Fydh&1hDt&^;|asp8uHUS2&Z%#aGjSNYii(r)~wQE?OJ
ziY7SN&=)|HCU@9-cJWVBAdQZAp;P&C0a*J|MXn1#Dz5UX`GUuX#6wpz0o7p?u`+rh
zHCGUS6}7t6tu*zJ4r=Zx-co^et8MUQKlS_h0!qTq(n3?U=9}I5fs<~QWv;?(M#7`}
zzTklIr={<n%n;2!19j;AO=sI83eN$BM8G=XDSgpXMg>O-Q}ELRzq2@^hF1am;b|;_
z><Pq97^DN>zW}Td%_428<@)i|$JB&oqzLzYV!(l5Dv{0M&+Jd;M^M`0B+^rNy|Ts8
zSz{;d6amu%3MfhlKj;0WPlzy)aw+BhSsIjMh7CK$;fJ=PiLrUe!tQsm`7V6Qyk6>*
zKPoLnbzq*uxG^#N;?nLe_pg1JX-LDYc7~A#u`|=6A>t%MrLAh)0}(R?k4Qg;)Ga#F
zEI{{?-j$W9DccinuAIYN-kCX_YbonSNj$+cY^fV+&zPU<+c&cl3MTF4PK;{N$T*dU
zETz_5C@q%3Oi++M@<GML8>9~9M>=zplfC(j4Vi$x0Jejs+L|*NOHsTHA%JVN;@V^I
zXT@Cb;gfCr7d09|K~zZT5xH1tSlY00uWAtTm!XUNW&Tn)bYZwbFl@w_bpA4bDY8-W
z(K(TSp8oz^rV%#E5NCd2v+`sZ5igktPj?l9<GYFo^P{0)%e1WzAmKd6#b$+s`&TU4
zxx~AU#C1KXcJ)rxR;*NX$JS+hCFj|r!jwFZ9G#ajM57|!D`5+v5h~kg9~-p?GqUac
z`v~C{^w}k?sl4%%c2pn=Q+VFtQ)8U5^c(5uc!8)<7rR4Ane6rU4r;N!zIXE{=ZvUz
ztD=(dnta|bD0wjmQ*AL_p@kftU&lo{z}dYSmYkV(KyMZYM?}h(I};zs5b0JP_HtnC
zl%*AUCE-AXbo=19bcri}>{;6Q```GT=Kw`Oy1y8HF+r84c9V?$9TP~i{gMo97>dp@
zfmA6$6xOouV!V-rrGLs-M5*cltvUg3py%P(la&rzit(h0tqbKbA96KNpm3qvl7p5;
z)9++LKx8ZS7cnSfC7vqTQ=#d!6s@Giko+KG@eOo;%2^0EozOjc%|iEcfobI4D28AR
zW3oGqE78P|C70%zGI}mg)9-oI<j$<P5^q!)ZP0ol-}wGlGtKF7*EaTHi|J&x$JYyd
z>?um4v6O6P2&EK$suf)MW6#ngZ2Zx0aIxqT5lBQCq5vLJs@BG0NH4w8+#yPXG^9<5
z*kD~8hCn(Fb25OsQH2Sl&}KwoO_X|f9?sZGCV){A6Ck`wxNM$*g-Ow_kPyxYr=nB!
z*_(&qP9phG0Kn?wAXWw`;ccKlSZyTuQ8a4RxQ3(<vjzt3WJ#Rw;Y%EL=0`!hdl8h5
zNHCv`IxVM9gMRXwt?|7*&fR;w$Hp0Mc{BfHPJUQ?xbc6><?h)nv$ZHGplKZIb;G$a
zRn-K&dE~xP34DozZft&<Q9d7rLlQ;DHO0+3Sj*4P?0Exc&s$8Zgj%`dIf)uketHLo
zYgZ<^T#gKEg=_bYHraY-?6s|0u($c&VI)?fQx0<afB2-=x^U$dztUk`i7U~~{@B|i
zjY5AVgN?gh=sz>C%kgFO1{xL&_fP?F@y40)Tj>8DOl#Tq_#ZPbpZJG6J_hF0iVu<w
zy_dnGr{4KT0$N`7v~%<F<;!Tq!W+J&uobS2r|X84NMm}AdyuS!D|7K5QLX^LEHJ*4
zPkZ044kFZAsm2w-uQ@0OYOa&D4!*>JF%v`nF!u|Zpc_3(Vwrhu(>UQkG-5m3H->0(
z6uZ+jdT94EB2ZMMY>#JT4<b5tF?O4_#$Z;~lA*OUohxmQb6k6poim^^<rZ1m_@%Bi
z+N(I4SG;Jw2_CBQ+`3A#p6ynoUhOq9+LvKH&oVq8g-@JrL4*wyAaiT!BYWCO#rkB;
zdRZ`UAlabHX6`K7&GX%>##Q3u-2kMIzRZ+UvADg&h$5NT$Gx?2HNO2*0gMW%`CPZ*
zdoP6dI$rQ-=vPH%dSd!PnuvEx@dI9&C;qPs$Ct__PO>Ujd-qROu!%OoPXF7RA2D(B
zYcTIdBK^K_W~c<)2yFyA9N7QF6U@Eb;Nzwe+Xy?ypJL2LJGi-dxp^<#3C>lO5w;?u
zNg4RwcSGQ!FJ>x)e&TDnoB+!tK!0JosTs2aiNeyZCHFATE{|^5BSH4R%(JQEQPwXM
z;r1c(P327*3};03ELNlCXsIm4l37iODLqalUq6fdDSjTCruJI;eyo^y6AGuKc2P@p
zcjrilb*qk{O%?I(>?l%{-q1k1Qq+&D@fsRD{hDB=GQMl<!^*$bl=)Y-Q`jGINU8on
zO`BlzlO7uE9%#@RY0IclbHSaGTCHZCj?6%g&%!$lzGrRV6yiVrwQaf}RRK&9USYqb
z0DFGoh8RR3_G>Er-rGF@CIy-A%9+WAk0?_0*93agA;T{@2*Vu53IGB`k_$~tJw}#C
zKt2?Ao}g79UQMe*6&W(M+&`o7t`!>71DH7+O0zWO@+<@jHdzb4FavVjNlB-qEvF(D
z#6(eg)w$Gf?V>y%tS6KGBtpcE*ndRhp&F0bUf~tgCM)7XWJ+qn`jp=^s@iN^*%BSf
z+eQ@44%>Jc7ug68s^ihJF57(mSWC$OKgr%tn7ns_ziY3|958jEbno5>AaIL9RIc%s
z>&w2t`t)g`3t)<J&42jjpNY=(LQ%RBD1eDjs*ps$??RO^;)s7<S;Rst#6v7_#lq}6
zgN)4Ho79ShSkN^im%x{r=`s0BrlC@5XS<5?$JHUEZbwW)H)Hgoa4lG%ouO)wdFX1(
z$YK(+dWzgsMN%d0sOnDmzNVI^n2edlnfg(-z~yLha)o#t6vrvI$tK|w(UtO<5aV!K
zA{zp=hqO8fC}$*skBC7tjXvztz}&=@YTBgkN)lgjOW3!TWH2M3z{NbP>y>jYzjXXn
z3tS{Zdm4Y!#^{D~kX-lJkAwJ5<KDadr@t9r$GFsTY^d^lJ={s@A92s3I`}$=^8pY0
zpZQ0cfhkiuNHLcLLnj~kt($>tF3E)sd_g!2*F3BAn!~nb9ssqRBdEdO@Vp1nA^h9`
z2;a%^H+hBOf^!mqdc<*^kcHWK%zy<W8_cj(wxMXFsxjOsHeT<f!>d>j&;WMmb2c^m
z)biD=NXqf4SxS=G6ApoGA(=o_!|OWw$p`a$DJ2#ZH}@KsySw{|$n3TR1$SRb*zctT
z-6NOTV6|xCcocR40<;QM6a|jSr6=>9Sfpx!UeD~}c1d^DU1*~0OiCf{NHM|4QA#K!
z5?(MZ<w%g+W7DrV_=!pxYm_71Qp;!UH`#cIW8)lmEXPj$y?QmN5QbXWLR5%~iBi}r
zz9MlfAu48zrb4wC1(e)V<i%0Pkt3qq*Qpz{<6XmfIkUTI+Y`>ioU4jzGSy=jYfGvM
z8!})B6={;pY^p^(ngq|%G=3WQN@X6O<!j%oY`p->kv^vSj?|Vl|LBiZsw)?jREoef
zJ!0_^kpsSj$KuCn6KDX%#Ynqjd5y}M+ggA~YSB7%f~G($diKm4IF{EbP|BPQ&pCH~
zT%J<m(_4JWUv!j8Cg){(fgTmVyQXMqk>{o=E|ct43V^1cl1Hin1P<R#C}Hb|%*<NG
z`lsor3Yjs^s(iF=XwVM$I`6T#5%FfRMvl(HxQMeDqX5)`q5&!K_~GyfSSc73kdVSf
z@q@yHu`zyW0s6o{KmY*(yr+S`9Eq1m00eyq5cDB{3y$7U$kbo?afqMQ0o3IJs$317
z?uXO6`LNev@wg?sbGo0li~OSwDt~MQ;Y+D3)FphWZW^S!JY@u5^|^xQEiBZ_xcj`X
zZ40os*g_jZWg1}E*e@%Y{bny$f((t5wg{&Wa3+tNfyo+TS1r$*X&!$ZKNqpaBm1Oe
zIgGtMq({zDm~)%0keI}bnQdl>JxX`wC3PFy-+?h5)3AW2jE#=&9Wx=cyU-Y=)A>Bs
z7$T#7F#-j2P(X($W6gZ<U8))CsxBRmr)NJL7;9%wNevT-%-itLBTjPf*G`Ff9L4jv
z*GJ~WQWfh3P(Zh1TKk+CzPa88te09eW#L5EMPCLG2wCCL;kRZ?33528fzYc68LYZu
zJfYZJM7`=(wLZUN{+bBoKj+Y|V(Q>K%tr{3U6wgOyDV#CB8cGxID6)~RcF<^BEqg}
z0!hJVMwaoR?``#J>#Ea&8%}_`d@wT1d+PXbbT_|0`on2{-m(sZc(7X6ONJ>JQbQ?~
z$7Xa*GJ{xv#0hZKl3`m^BbY@YXwoA4mAaiHoWGJl@Y6Fz!M@hwbu#f?`XeW0aHrl6
z(H)CCfAOha*VC}4foFk3cVX0WAn76Sc(-pPSg#%aCRHT&ZcEd52I6PkAfA!3vX#o~
z|3R8o#C3f056lM@%-#a%>q0PE|Dl?m!YUCYQBQD?uAn}ce_jCb^RD6gY(ED(kKhkv
zA_JP_;{N5*OE@bM?K{SWAs>@QFmM8FunNBunzQ;mF<@#)5GS9u8a~uqZW~2O4m#g(
z<iK&#l^qZjO%$~U{FLWtaxPjwlznkH<|cLF**}(j`vXDaY88#ltr4F2K_^2L)UI00
z7qGCrHh05xH|aFS6DPo3tni4r-B(??KQq(LnP-ET$=HJoYRk>5m3`*lLZJoLy0&|Z
z_UtxUXV{&MUM|~sjCro93#PaZ6*owvrwt-PI%%LK+hCe<CJ?9?pPfu$)mcHB6jBur
zkf^(lb<p{a9Us86+WRBbnudQ+7;3l}I|<Sn=^rr`mHO@TBZkjm>=m46d65Nnj=Mqj
z(wPg2JUl$QQh`TN!GxoZ$q{(+15bY7iaeVI-Y_zoFKE)h;|JG7O&<mPAp7QafT$3E
zQ^g9_CL_GUwG7#q%V<YMHfDa5bnymP630=lT_LEhu@shUZ;)y^iU1<kRWkEIYB|65
zL0P}w?Xx5fXiF*?eEzPBp$<=iTF&{yv!P`y{V;Mj%EsPHLRBX~gBnz^;KvWDo5;#^
zC6Ox7sbjl$udj|?TwK%{>L}%J@%7q$UY&AL`qTpUrc5Ew4p&W2T(Ksg8irO|=b3ec
zVAPv&fG=vs<dfa2c$Tb16z?5A`I#GkJ&ocNaxp!q$Sh5QjX>oh2V4$jLG2!)==j~g
z8=|45)X@vEG9uhjm4;>cLKTEYEvAgfmFANG(irO&t5Cj2O5tn$qiDX}Fa-=e`|n?j
zz3247R;yv-Uh&@7PX+IVA@Us_DxV>ce^(T^iaX|x0ROXR(IV$SG>~MI7mx1q5{TqK
zDs@=``=5(B;A4Sm6aVw=7QyTv;Y>ck0;SxAU9$fonhjrJqQ~-er%nC$OGo~!Nz*2e
z5k6ZeCQV^=q^ke`!E%BUdh`o=FmX)jV2z<cxnMEG$<U_4G~C|fq+~adQ-<sz{_S2@
z98etv{VbhEQD7PS!&E8dQ(G(}l)2G`)Mk&Gs-20Ej4D2ytCFG9o$6_iCdgPzXExkR
zE8SPYWJ;q!7I+b*n-;PQ3*}P2mHv)|1|O$b@L;!zl$n1FDYB4-5yMFem2@9o3(`g!
zFySIUpk{H)7|1`61z1>9++hmgLz7eq=}_;=x^N!mff@+7D47a)DSoXpY-R+rp_rX7
zsCenLiPMFY;<V{R=erX36|nyOF-I1se}95l|GOeLc#nbBCS0TBKg3e41j%IGrGX(G
z$%4f$ZZOfn|J0%_f<bJMrV|nk2ntyAkLV-O!9Vat_dlbi<ODEg$dO&hDm0G6;c!%(
zF{5&ZoHP`Ff#bvRDMws;OWxKI&H5{YCkn0S)34Ve3$>OFqhYOT78uydga^gW3h7Yp
z0RgM|sRUmSL{s}6ECkT9v)yE@W#R@D`~F+f*va+4Y#LYVXCtIC$Kop6I?BJJv~vg0
zS0xP<Bla3P&Y&^rT@|om=q1`Kb9GA1#Rb2Um(Td9Wrlx{tJ4^%T18boStPx8v>LaD
zRkr(30@|56;wCtFqujHySI3Q-_ZY}C_Mn?#T=IdfR8UTCP$6yc?Sk^V118a@pe#Y3
zW$F3;{Z@K1ngT7R9c}vT;hq~%`gY=ha5^<lMu<IoE7+PQRlVJ3+;`+~7<fLLg@KzH
z=aug?d%a`$i9!FICbLq*7nH*d;uc-te@Ym8f{ZbyLc)P!k5)P~A7Fq;V;GpK5netA
zuRIY(T?2366v#1wQV#YV-WQ8h?U+|))FgRouCPx|rrIm$O+N#USj1OmK*%sDg_`Pk
z%TmOGq<sh`DktP6A%d5vK(Wh}G&V;z%18g-8fS}{#MxPzaBb`+rc}gTuNCo4ytS?A
zgurg2fI_^56q8~>YE)ITRX3bQEmgMe-n=mgFmQ<s6k9nddJ=I<IagM;F;b<0-{3O+
z2}jD4{WWsGR;6xz%c*#yDM>WD<NVuv<yVM}o8GJ6ROB(ALP_DS!1Z{Qkflj<C_5Z;
z&~Xw)59tst|9{h82d5OSO~B$rAyddokyKZDXAIF40Uc$S&TWjr#)>#AQBlEm=84S{
zstJcWYWiEiI%Zd~CKShx60VhC6dI&kIBXEby-cHO6X$C%<z;yUlssnXqV<Ns7phc(
z?F@7kj#LTNs_E;UpUu};>7qMlXg}yX*QGY0NQANj@};z(4FPU=xBi-5%e!)%r;?76
zpWxxJTt313ia%e*FxNTwXeox2l^;EV%z!2c&paHAO_WhA^5VyxMURF=<)X(Usn;OJ
z?{}>lmORi%qtNK|q4sCQP#66IHL_Iy9FzdG0RCK^c*fDG<}Nop_Sbj4xD4Nf#4&sw
z%jGfV^x6BaO_Q6WdFq6tTG@PEMpXvbJ`n4ZLPU|NJ0rp8Q>JWS+>>sHL+J?f>x%7e
zX4O~-gbD$0m{t16Oq-`cP(a-*dM1_*+C+y_AEYp8<Qo^9rfOA!M1uVUzk?ESr<q$-
zK}jXxaMX!JQ5xC4^1=Jzep=LI5#p-a%Z>Mzx8h}J+OR*}p<`7Ha0KjOY?<g|S^Std
z<1E2nMxFoh_gyqx56@E*p4WawSXSrLE2bdL!?pdk8+*o(&OaE>fQ(>ijvPu^4?U$M
z<Q?r(lcIu4J;V$@RX6pK5GWNC%$PLUnM`ao0VqlpqH>=2@pmJ2`r6;vKZ7M=YcX}r
z^(Q#Dr~YroG7^d{Wijah%}kB79x_E|D2<uB^K4*A9cq}JwF<%Ej@UfqnLkH1*Ev};
zu<l`|=658bnL<cs^OE|YY%R7w)9=fBR&UR7_Q82hf_|xdVuC4uz~r0`g$tU0%d}}Z
zOErb02w8-&Q*@DuCPH^iZjPP8b`_pD{n<`YGS!><HU8?IGNn0r@LHj(@8c(x1vDXU
zXbnhk+QUUdAy!jH1FB;;^6kk-c>rZRUX1TjE>!ag&5E15H>r3XJHS`tcgta!l_`E2
zw*D|!xpG<G+O_o;dHwPinPQ!OR7|NH)5-nIBmUA#X&|RJ@2pPigN+`8D*ekR>vxUb
z(7JI#c-j-9D4Ws9I3Hh9mv^juNbqS-{<=Zqg1;Wmr2G<#zF5cWYRF&o$CF<8>zMi}
z+dCu=)FA<fPmss>H{Y=lp=FjZf}cICBh%kV#@HcaD+W%)$ezrfmZpO~#;5DXDWS6J
z-02amLIubVPXhVS*iN<fI-my2<?yQzspS6VPNO3Pk`9>YliWt3zcHFxjK21eFr6;4
z<+vh7b90)~%G3>b_?^Dn|9NamM0Ti&&|{1~oib~b7-^Z2$m){_4=LS6y%m$%mGEg#
zTq37KW&v<Gamy!h;B>U0A#>xC!ivt!=iT7n<fBD!RJHLbP|O~;3XPp-%&6*nR%isb
z;WJmN?=d6Moz8NI**4alOx~68-bWr0-m6>`fWtjJ*U3+HL#rUq#z#5n5SbdP-EK|s
zVbL`4E!@XHkKJ|J>iZ;y0z2yFWy)Q?sj8Ah$9=hInc3sG4Q%X({^O>mAkOEPvkzC1
zct4qq3@{PU#K5v1XCHZqk{eE!kIY^>5zRVFGw*E1e+e!7wyMh>H2ugE)MEUb@7SeV
z6&iJU0o{zlC&~KoH=hL1qGjKVT5gP)o;D&W^J)78?-BgAQ7g1jtk{G9?Z@an;7>-q
z`ciWyiZtT+@odY!gpHj-YsCzaU<xIQf1|h?*zb3EF(W6Eq_CZCQ_P7}P&0%kqi86R
z&`$;-LKNdajLxuBd8giFNMB>G)@55a<>|5V+IFl{$ojD(5ni~##2^GUs(nyoB+)JL
zM3L(dH|#;%LT>x(Ott&wwCIWpn{S+6F~E4+@O9K1ZwY+4#Iup9>bOa*O(uvsV{$`4
zw;-T<&{*+mWv~VXHE7T@Ljv~>VN~mnq$<jN^Qvq#3d!lq*3vi9(An~{{NnJiz9^f5
z6Vc7?k|?6c|8>zi4004A#q|5{H$v;^DO}EO?zZXn2;$&+zEO?yV7u8M-@AIz3f&Ya
zBxKuy_x8C)IjY0TDt+xW0-I%?_f62G#<a6$p&<x3=~pwqV9f2>4aVBV`+n=UMZ30z
z`GjE{dA>vYK--FjjR~6OI#uo5F7boNI-MsfHiQ|Y*R-v{M;Cohw#Q`Qmh)RJm(ANe
z=&B-~d|Ty?1F_7ebLaL4qQ&j>@C$lfo4^J(ghA)MerR3w!m3g2#T}AE8*t8i*S(Dd
zYo<;IKfx9Nk-y1Rbia&#ZO)YmE;9HV3||@8EI`Zz8IEw}#>huh?700lIV@79hfq<r
z6}kZ2=8_)n<Ja<h9&R4)SwDkoy8zZ1%GsZz0n4Ert&a6L5I1&r=0`Mj{0yXrKMDM@
z-4u|d8c>u(m3?f}yw81!G*B@#i(%o>v<%o&by-&(orCZnAkg0gh3=fEZFha|+7D%&
z>?G3pZgYQM;A>vbLxIh_##j@VHW+U7z?r(;uxmg%w=Fg5r1d`0ez|~~AoGsSoNy1p
zX$&{qCJyj*i?Z5tVI_*z|7|~RNE29Q!x;RVoS7Icr}=Fk`|tElSz+GrKXCi(UyeKJ
zIdq7|wKfiZh$m$RW>~h)BMr2K=V@U+i7gpo%>L2w%-&1PP$o69)%WraLb$~#N4Vy<
zK=}bAdS|=dhVMb>sL_OdH{kxyu9g2EIKvZL24zP08aVZlbAuFEA-0r`nA>AcmJtP~
zevFfyjX7KqAgPUy>`_<lEfgjm)t}nbV&&|**q`6_8-_gX5-SdR*crkkaS;L$i#yRM
zzfBG2y5~X59A=<qC_l~4yz-aw2$79a-1?H<xp}KaSo?mIBhIqySR?ClFc$O;CIR)5
zUWRz)-)PxvA#4=$XGg}8oUu#{y1fVdU8wxr4e(j69N`7xPV3)WUD-S@*6nXm<TJ26
zUs#Xk>*}x&+>(?}z`*2cyG0fRfZ;uqjbhY8GC5%iKXLQT@ITuLjmMHh_n?zZz-%YX
zcESa6g2&{yf;m)L159|2_`K0P9PZD5j)9G=3-j79>!Bq%qXmBnCIaW%WJ&p`2>;%5
ze$dk)$j3g=pI>&p&SeDw9<uWcO#8@M(D^jrU(nUfcJ1bL6a2@_)5*IpYV00_wixla
zcG1O&BB9Jo<RPDjc^=ve!g<Rdu&#m-E_S}fmA-HU`iyUZU7WIx`v#&%`Qzpxsv;VF
z&P~&q_PuEg4j4Faz)*xwa_D`_lQ__8p4?9MG`w3-O1td=%#(0GKx5fgcTM4N_mJfx
z7ROEn_5;>c5a`4GfW1`^+{68Vb@70n1}W5Wua~pO2X1cSP~}Xzs30SEpu?xg=L`3%
zhnRE38EcHOB_I8<K}rJ=9?*wS-*;>xKp=a;VSi%Jx(zrZbyvQzW|YyMWZyw3SNM*#
zV)~Hz0R88!K$O}yOfn{NoS41}S8Y%u3eq=QDv2+Mj$Gh#31Y|xXGFJY-YA)}0r~8H
ze7PCCO5k5nw58JN_8g6v=9o3-Ii^qK*gU+Ut-3-6d7gVhi=2n!<<`qKpi3=hs}?~r
ztH}2XiDHnCIO^3pjvjDgOh}^i#VoME5Ys8L_o4J@9=k`{l<MRYPA($N>U*>_3SUH|
z%l&@kmvto>Fe%GE*}yaih!g7=V$wD!8AHofi&tcSlmt^b=$h(!Vqu)bBp^E(cB)Ox
zCKhP&h!Lq?@99EGUGxNViu~F3?(UGoBI{kZ$Ebk>#z%~R>Uk=1pB@91vCK(>^^r7c
zi!iWW5Se8EW%VLR;bygWcob$90F8K?&7lrY!H!(^?a$iCG0C$I%N6hUrrywL_u*C1
z;4Nr3DyR&J2<sZg^p9cmH6h(#zOD-$i#Q8XU{NsDxJsD^)Jzz_?jCx}O%ABKAlUA9
zNIfn{iuU}#)8{#yreK}>qJ%D+&W+Xa4Os6ZlBegN>v~!Cf}>^jss9|!qgCvu-yjOU
zMoYOEn$GR`8D68k{k_Mc?W7>zN*NnvC4UZ9x-NHhzevY(qZrHAERLJeo;53%^=>-%
zXgG^!vIfCZ>6{k@P^0ov(VxC9NZqBK1)?@%nug%kLrE4_cia?cOBn3_pC6$QO#>=&
zpFHecRwMJ9`CJ}mm)vY%WzX6Bu?f5l7cZ~F<XK{~AmPLWQ-wai0}Rci2ggB6f_|!;
z+)@7dQkFkg%+O5vmJZ1w&NpM`H)%=GmcC8nK1u^UPUo_C02`qE(uyzYn0RGEDX_}N
zlV7d|7pow(t9s&7w}Yi`Zb9czDkjwN%q(_$QaNQZ<mjei&H7{?=Z{Q8o(N1(<v@O}
z17(02r*qk`{|!(&8m-c?jk40S*8Ch{oDAh5+p+B&ge(y&%UJ^-tVz>DIi0)9G%sCP
zBb9@1gB$!=00TnQs2*<gLiT#wbEG!NFslGfDFwP!S8d<RMh!6l=vwI1`G`cxav$OX
zF#c)zR`riA34?|uB~CMkXLB1o?ogmKSB+19vH8%_qB;Fsb=8mD()nYr)?H9<3aY+j
zXBv04#!J1erzxy8b->V|{^iL_mlq_fxNx>m&%{xKQ$}M`Ag@zrG@IFBag&}(XA?=g
z=awkhT4tH+U#Jp>uUgh5&uz3<OVO(5-tHs1c+pAm&C~z1xFmS>_Vl6jhl}5$WaAGf
zrW048(({1u`qqFrWltL0Uo6k$dvF(v!Wr|KIkIS-<hx?Yt;SkPi{|yaOi6bnQF`)t
z-ri@ZMDALwL0;jX6~R6N{&chYxAw;cwJDCjP-dFMtv)qJ_)z?j1MO!5DciK<kljZB
zG_1dgOtFt~1hLNdbHY^Rz?+Y~L@Kv$s^{E4<EmJCzC54BhK%>eZR{`R!7WE@szZ}?
z1`0y9slvzO1g<3&zT$6y6^7mL?c(*7m-Ubt$MJYPo_z2o9G91?ch3$4z5G_bLaTQ)
zam_<oDDIS5(@9%XV@gqJ>q+vuZl&Df*yrMyP{j(g+MC!f(+6iWu!O2_)jN&d>p9Cg
zHzlYwxi%WJOe5NS1qfR2(Jqwoy{{0J*w>~f=(?<Y6d8zWlwXdFIUgHUom&%=fsgQN
zU>lUCNhky=ndLx-<FfLj=GoA%QQZX_rFa-vs?1|G9R3-Ki*sXeExkWGm48AWwydq5
zm787GkNMTh@rr*~T)rc!!gCi&DM9qc`(dtLsJrP){emRlS%(C?M|3istFNdO=5#Ik
zV>-NKaCUT)pIg?=#el-fxZrpRY{51`H@Fl&5qk;Ics34F3%pIuN)S<M-UDTyz#pos
zsZB+C?hoQZ2K#-8fW4Ak8Ph8Lp%eg+hFGI#JbaRJ?q`b}kWoXaTw>9OZM2oKF{XqE
z&hRb|ImZ&!!Hp^NvsR{cip`MisVaN!E0)0L|G<Fa@lvD=2}6WQHDvU%?KXfo5+jHP
zU3S`N!Ho*Hkt{fA$IWJ=C)5mBb`nL_uq8gr?=5_$#q{~TtIP7sB!D1}vaFIRBa4yS
z?yiyB@S?<@P;`)<iYPA|(OW;U{r7`X$MvUsgjjX;hE&WTFpAOT$NnnPph(Qt1}N-V
z5K9%DXYgBZI_D@KsVmj+pR$g(&W&+^mNjZ)CRi%H0stD->}}l$m-+aSJHT7A$Ye72
zA<N4gS!ptvN@jr6dU|Xs_p`L}kEXt)3DT{moIt6>X^);s@j}ixp0e;W@}rTRZO6{O
zI&B9RN8bT&N8;fbsUel0%pk&-kd)BDd@Q$a<c8JHb<*O0EXe2IE@bx>Jtt)4-uwh5
z5mMyT{4J$fSwTk%zrYHF4?66R%myCjBrEEnh_7$eb0fh|9l?ZI{6`jZPLT<SB0fVV
zAd2`LnSh8RKc*^5Vg*+53v9v+dpM^hdZW(6$In00HZY@%IylQd$q5C~17>6DQE)Na
zQ$8?}IhS=!nr0+JH-}CubXa~bA`<$Z3zq~!*MH%XI25uWzjrw{t<f$xf57jF3d_z<
zY`<G_9<=GGIbKs4;uUfCqn->0+evJ~j5-EiA`=jxXcFwBKnJLcaEwiu(e-NJj{-Ho
zrbS<H-cqLRAT6WtdDAptyu7_<)ONUq{TztyZRpNAJuu!+mc=?{HZS2Ao;5o$R>X`T
zXlV*Kl7@G9;Qq7|2T5Ah6_amCq=aGC{pYevSykXNGx8a=X`Z2EMe7jM=@eOafv}D^
zMBFt9XmxjfhUYb(dOa=Vvhuh8gc9)mPbe}WE0(wLilE$QYGJn&L$|`y&`%Pg!UoZv
zjaoNg(e$2El_nRr{L;yO-A`%P%fdIH2PDmT-Wb1Ejc3nOP)SpQ|MESTViRWk=Rf*9
z832D9n=qq@pCc0xvH8y7xBMJ`wu+Cj3A2;`ybJ1;1G1KlAuo13s&fl|5~}^79M;hg
zzUWD1fQpgP$VU9#rB~X@mm2idFl=W8F3;2uq8B}B5wT9FyJnN%v&)}63ElqdG?_L9
zk>BDI4)uy5nqq6NW)jc9FdKy7BR|F_%)s^!B|&v++@t8kE!uLOfLm<BjIQ73`9~e<
zJ<%z!0`6lIX69F^0L<ycF7SKWx%Nxpqx+R`S-8EWy~DPEymOhuh2SUFw*=@3k<6q>
z@6kCYd@lIO8`mJvj*o|vm5o547AI2Ts~XcpGbnhoC&AQHL~5#cU0l>$j-ZNK3spIn
z()L=zrqi49;mqe~P|76AK}r^?3{zpCb&=A#-Ib`KYx8j%N!Gp?#LhGnnbGdL_@%S~
zSZb39$$)VZ5ZQUv4#osX)m3ZK*4%#R;%ZsW;*U|KG_EyDx?qtJAE=EcOd0mhdH%fi
zu|V}5&s#g$offFC!L@H^+2|VF`PZ+>cU8CpVV^qf2l?1HiXYgMX3_mpl=E+&o!t~Z
z8x+txyQp)(TSNLg9TI7LJfE?*t3&Ih>_VJ5i?P#F+9J!cj5wAtg|$U7811e|BmIzH
z!T13r)QP^<N5z|Q)QKtkcZd7ewD6NQM9bytt@qShtNhl}U$`~15&ZZ$=lR3BQLY{g
zjGmDI-Boi*`P9<V_D`g3SZQmu^3MCq<Vba|aT~I^$_L3_r@F(k5hxBRv({fM{Tla_
zbBUM4&$-NpYFS4*=;yrC*g}2}hrKhAtFkkd&LjoczRVVN?=MI`X65co20^HInS|mr
zv6u~xbC<Azi#x3ek^ncH=bc$2I`Q%D)h9H#(oI~Q1NR52I$j0uyLTcx@cVy(6qxP0
zWPF+;b71n`)cD|ixLBnm11qH18Mck9b%<(kgT&unIYna2UT=Lix%I7kdw%@na+)AW
za=-{gM_Q5>&Iym6Z0hC~y$T>Ug=k(7MuaTf*rHdxMIHWyLR*DY?`J|O>P;9r!|w|;
z%7$<9BlEhZGO7=@4fAytwEBvkQF@V-p}aG+D7xMEX2Bj5-&%pW0#8pfbHcNd7E}CT
z*y5Bp6}s*b7NPxF$gvfx8)b+aLQ5S#Bgi$5R!h8sK3ZLKOd0y$G)*9>fKW*q@P_L(
zYV%?-z9k4FgM<Uq@uNXXSwsF*7kikuF&pL2p5Gm8kp8Q)XSm|odqoUe5|ZP$R9OD*
zdpQj!ejL<3W9R9WS~8+O-4dV3v*$eZQF=n(_NPUAVNc)efEQ51c+o?8xONkZ+e*IJ
zZ;DsVdvY7*_Y839-iHybC7XOQxuV80GJ}ojo%;TQ8jeD%6f>tN3{F;vB2`6-<0Sli
z#eNyJ=0w5RA=?2jAbvz9eA-ZVm{m8m3B{8+CW-DF3~B8%Q<Jg`uA@dSfP6&bv~y_U
z6Y;`Ojd^0GO$SBJ1Sd-t(N^~*Owwa6KTKMj{QK&Dn8Ph9WRPxw8`->#g&^jja8QV6
z^{|pUXA@3+y7Ohehr*PoxgT-LEIMyhMpB$BqB3n*nsHK!ETg{>b-ogCPuuu~jj~Ds
z_9|T6N(YoTBdc&r-g&B+a@>sRBdg{7)JFJC+9G`BU^szahJ?(RIU%MWev-oh)lHOq
zOQm1jHnB;|6NyK;m1R2&_0P+wy^Ps*Puvjdr<JE$Ml|4}u2Q(gpTsmE=5hFq3VELR
zAP;C@wZLc!#E|#?sw>l&RdVy7$y|N6m!BCOtKzWP;*w9klzT0kNkYVEHK#WPpp7=W
zD4BIbY@3xyZ9`+FqVXhja81cbjO=ipJWBy;pmErwkx}A8rX7^qqNpv^*&w4<%J+&)
zcwdX7_5PsPnAd>%#TC@PVqwsDOras0SQeilLpp+$m!3!&Ii+o{7NQKa8{`=L=_&ZH
z^pi5y51!G2FJd)3+oNZ|piCbTC^*ty+rv;?s@25O{ct`<B4nMAIHYme+p;XTAg189
zbmiwl>-RQqKSWiUGW6{BXyY95Gv>~?l}e`K)D9zmzaUt{e`{<OOW5>0s`;m3wn~6O
zLP8A;Le{1x2UYFMwoRj3x4J)ZiOx!^aag7X7jdH)%Mc0KN<zLVr-(GPtda4e7ejI{
zPc}6Z;8k@V$JD9GAl{{JRIz-*ai}X5W}PzmN+&852!f-?#ymFgvcRNtV3X~+e3&mw
zkGPW|2q*&q;Y}ZdQF4N09*}UFD=^JC>JBVEWyVIX)IN1QMaBCh%R*1@2<=ss#;GD(
zyx{n;Wpf+R&nHqAIy=x(p#dP6DxP>fEZjx~#UVAfdZk+;I2$NxtPOAo7zHmv69vUC
zlLH(w*)3d?$GZhUC88MUgRn{wM_(|JIH#zFv23IPhkymB1&VARFlZJRE5<A-BK3+s
z;!@>*Yu^Fc%+m&Ie3p8kIHVx7?SQN%1JWrZE%!w#=(RzQ(1Ve79Rlf&u#S`pdQ(B~
z>Ve3Tz)2#>+bU&U3w1)?=ZfG%SMj)wzy9d@11Rc4ld{va=nAdv;-a9XM5P?upISTP
zASK)4c5S?V%@{Lp1!m{A?}PhTjh4$Ln=YZ<FrA%32&)Zf0wWiWhbvL>?V3=6YPmVT
zfI@EsdLPsK0N&|;TEC%y|M*G#PVX@lAdk2pEja}GL+L48YlHinX}$+;s13R(Z~7KK
z1oZ})zkC2qdbvZWuTdgO-Ybz#BZ1Jtt!!-DF#rS{iE&4i?GsY$b9{*}`d@an&;niS
zdoH~XqPr_2&C*O+@;=#58UX>b5y~vv7O3@9;C5}ywh@b?0K!{9&vrS!C~itLW-1Yu
z#BYL#4uo^LXK*Eo|6n7?3sl?A`4Co?jew^$y$iIpJ8%tHKatW7BFMm@OpXSv^c6((
zdORyV{bLUTctTR&W5H%SKuq5--Y%=?pO<eB_NdmEGO?Xd--z;+E{)09<HToWvI`G&
z$684)28P#O`8+$&g%~Y3A)+;?U$!yYuvSkrHpIV<O(;0fn}J3wiBVHrUd1Mz5DzZZ
zu_n7t(!vFs!ywUP3&q<g$~zsdOYFl{{0lP=7IqlxlX5yNXBvtnfR&yy=TH(^-8W!%
zMo9E$4hGA=j|NS+!c3{Nvu=;aGbKzQVvn4nekRl15UNssEj&K+w($k%tXAGt{cO7q
z61Bmib!2)Ab?xhq2LIDg?8%vSZq0l-dlWA^ZUsDjC$oFS?}XwD4>A@H9ld~;Uaa9L
zk(@$^GTo2d-EhT$Ng`y)6|*X$QCu?JD>{GO8#CN>w$<k}?eO-BLlOR_*!X-Lwts|Y
z@%Cm2`9wqj6ym@994rth#9wQH1p>fg%G7jy{D}@0%&<xcQ%WNL#1<QnK8YnQR!9R(
zm6BzzW8D=FEJx0@emkQl2gKjUazUD>5aKX0x=%p|aUtsO!9#g2pVyhSS<MjhfIvdB
zf1L}NQ5YpEQ-3C~j;Z}#e9a~-T<e1ZaPWN5<rIwclx>*TSit~t2z5WE?lx6T9c5>q
zOmqbunfxThx};JP$+$)MmN1e2_t{ZPjlW>Rf|+9RVN<$OBXzLhm)uxylA<5Z0!88f
z;D?G4W0+F6%8;KB=$Xba9{|`w!2zP!M^;Su7hnFYiMq0fw^62NJl`d?517{fWNw7S
zc)L6<!oR3fh{8CEY=X4<X#<hXZ;rpFv+X;x<)xGF<fh+uIcz;sjKZ^}tMkAhO*miU
zVg-UH+hz7l53yuIua^xsd{?fH`F(>g?^m=@hALJMGWSa=&y{3Mws>|>!~)$-fTN^R
z*Rkvj1i_Fr37hAkd_}{zyIvs#WxfT;h!%nRCfkXY5FR0aSkVUm>B2fb?_723QYtCE
z|LWaaKZj9IM~S965>t+PtJ{W~0yjD@4|VcZ?`P_@u30X~VQI}bp1FVk>>Ug~Kt0d`
z<0c((SK9zUnY$65fsR|*UPVw!_JADezS_XQd#WM`?~r09;}hARBT@e9Z^13=Q#pKP
ztqc!p@SN?P{)0#GUq?v{Huy)OP8cJ{6cLFzkkZS^iOJq<nc{nK*L~a5e5hTo-7Lu6
z(UCPS<Yp_{<zSm_>MT~x3Org(9(>H{4EO~{rM2H8z;8_qpZ`w(mBn*YX3Y^Ph<(#M
z8Yzf9H}4^eV(ys11`wLRw4P1jo!`VG27c#tiQ00;6kVLl0|6X1($kHH1=Gwh;!s@6
zjri~s;%#5G9jTG8zM{utp$r-dFf!3fRhH;96~a3NAK-D-lt+|h1=U;|PSV>rfH|Sd
zu)ZEDoWjHbQJ^Tv{LQXAr<Jnb{Vs%-Oer!(*S3irLT-dq18<r*QN)=d0UVl33FRCh
z#n=iJP<2rrqx=!E4=et~y)c<uB$<J*_lK!L2%({p3D879^zByQLRID3l*AaK_(ziu
ztqzprEZH)as5`}|Zw+*e7=G1<(#ur@kTo|01IWpRkc>WeiaU-}PMXl2NHY0Vkssm&
ztmcL}`&kCzA}EMu<~dS)WzdSvlWmd?cncq1#VRJvEmGD8O`6-id%f*u1M5Sd@2dp*
zX$K7_N8m;qph1HTLYts1P(PF^#U-U|a0MkCDAk7W&;ZSTZz-J|t`$KW*EX3zQ!r{1
zn-J}pPB@aGkhHt4{VRp(7Q|_hCn;AH*&^?YKNg%c$*XPVW49ABq+B#cQo1m2L%S)s
zfONXwmX@H>Jy(pCFO%-4>jy7Ndt8?2+FI<Z_PPKFBxbX|6LSXDgUxkhLcAmw{7RW=
zI3rnVLptaacDD=j*B#L=6fOa@@$-5Tny-X+|4I&_?jH#V#^s0n_I{il6B60=!;Twu
z;pcVTP%ImVjmRGP3zN20JmXL{ClhSqbg6$HY}Z-|JjS(WW|-Vd&_;0e07z0qVq_F#
ziq<!9Xf*|jXXf!9OeR2^zme5J;=ER^K#Ie-rjkgwzUjLba;_eb*MFqzXp;pnTOQ_S
zK-6AZ$MRu}gAfAfB@u9ICa>0%p~?N!ks#g@kZzPa;(dzU6pav>hzSt|14oB|+Q|rc
zh`J;mMivobN~)a%8E@`Q(=@y@m$`V55Y9E`?)xD*xHk>iBQ}&!<}#O%)wmooR;&64
zE{IJB(hKg^c=}Dle!G}{H9Ui5xBnP<7tPk6s8hbb&=v0VgGP$5DPWDx5dy;oE>)!4
zL;cQ&2rG#7N|z%<zh6pb#OwSp6ZBQ^7cvwDPy*TDtS;6p)cy?OD!xY2aibj-CB{VQ
z#pY{>ljZ<E98umYu$ElpaZne3$ZNskF&F6Z%L?`2@Sg?XAlLluLDMYvi_2)JiN81Y
z|6M(Fmw|7~-ww&23SggyKpzpVUOoQR^c1)@6be7{P{90=0OH{>uvy~aW-xG3%}-(1
zj>d!;{tT)gq@V}f%^PUA4E$5*fUvXfH_+YsUl<p@-$W;!pS8mzI9CdirbWxdA_ybV
zzQ%f8vGDxntVQh%U8}(UiM6~#1o?&DB%38aY)>V47VaGlabh4~pH*dxu-I&ypS6>7
zhfb+QKOYV_Q1t<UfI)TzAQmBa<L|DgphUHxfG3BH3vUFk0vrK!KVg!Sst&tqwltu|
zdpOh}sE|PKTKTDV&X-naCes!fcMM!L$s|SxqmbGJBaFZxLyjmtu)fP4!t=x*tk>zx
zfZA{dYp`)3gmqF=N&ck!|7%K$SdWgd^7{n%z!Caw+o0>Z@V$eGeTzp&VvpzyeM3uG
z3&-Yr6Ub5Zwe;7fu0f~RMd$^H8B`5+uTKthg}8}}P?hjg#&znkOlO&e9r%xoDZ6`D
zo8Osr10ooXh{V?X5ABA}OL_>oYb#UP1Cm-#&)Q{X8=@A@i+W#OiMTNT7;+^+_u!dX
zcDUs~v^&f=Z7==S4O<DYQ7v^T9RbFo{7yMB3JY?Zf!@gXhvn=vX8&D`I}I9_H7sk)
zA%WANpx}}h_?=d~W`wOtEX1SBnUn3PGM`D8qhPN=11-(IOqdXK=crfbP0nfA_x*tp
zpXlo4@(o2;12PN+no)<7g^8uj0*$dtElT#h;B_pZ{>Scq9DC*CnPs%-8SX?%gV&qB
z??YLUq~8AI71o#^L3UQEXwydhX&MF!T5I-E6$>KOv(`>52382532t5lpt31>0!d37
zew(GC&<MQE18bHoeT_m`brNV^*SQ64p(z%}?)G)s)#A0#*IT^y4j;W1`nu#bqUC=x
z^l!I#?f5l<#L@Jd(*hP#udefnzc;$E&Hm7pjCD3Uo&}RK=i;{W%%|-_h>@IW%~1rQ
z5yBLUNSAvqfI<>hy3Xd~4+c=m<D~rjvxORHHC3*?jJ`#Py8YJ|-rJIE?PF{biTkfz
zj7lSPQzS~~o*(98XTM)z(8jkS61@L$Czho)x$WmxOQw5Y>m6o>pCo?IU#_i%wx1>@
z3b-!Ue|80fN+g4)U8nuHmj0b;Kha9~PPI2`J=NZ*^;G+bR*HA3{lv#f-4#)UEURs5
zOU2iUNJvO{nM^W!uVnk&4bqdHm%JpAL|&H6-Fy=#P7jI=dgQae;G6EyP4AfhBI7!J
z@n6#0<1{A%?4nI0m#@*2+0yt|>mBfR_*Ane9rQPyy|h=Ac@56qiIFcN1k<|j`=H&6
zQ{pKiijy=l{tjjc$N-646$hn#91}{XVwg2$wYr9wXlmjn^ptE-*7_v#tP5&3{7zQt
zp)@7AUMHZXLJ|x4!xL$Wt@oZ4faoZ+@RXUqaY9Y=(7YClkmmw6s?ZA9yCgdnH=4Le
zXfl125m--<(!n;=b<A&}i!z&gUw{$#@9FnuG<H~51B$>TNG7%2H&{rH$HTcyMehcg
zD}qcqmV;x<c`O;)wU@uJqc125G(K5k5$TeEtZPZh1ay{397ib@bN|;SN<Y_2l_}0q
zqxWO8?Q3B3nK$D>p(kS^lU&iI-rMnDmE0o^Mks?B%REyZ`<f*Y%y_=8$bN-HLlfZd
zdCo)gjL(I{+#8pYkA3{XJDWT`@aHv)8z9PecOK|ZD}Y35=|{L2StvIbgmVcocX3lA
z)fv{cZRbu|F(&MbvPKcu)oZVnnO`+f^qlEY*;$?g^UKj_bG!EA9~7N4<LI!MW|C$!
z+LaP7ywg-*N=qG*?r#%U1yj~kE2j~ML%|z{aa31Hbz=r@QRFrh!5V51(!MG*j7pAz
zTdXdMuJzv9IpkiOuSy4XH$KZng|a=vU}(_f-z@GaLH#Og!dw-@WV!d&Mjwudbxb5V
z@zzMAZS6F!mHSy(8}pyj@G2&}h&Mt%2aD&1i;v!IvNujh18e?Ou?ryfqkAQ^NNUf}
zX}wq6$|dc6$lRB9^OTcW+S=Rdq|vY+W_?VfEG@?Bb}x{P#5UV&`Vw|NE!ZPyt+brW
zCIP5YknA|*48di5Ed<m!1s|JC0OFR2utnl?ZM}MkzM7=E@8`sEaJ_Od>rNp-(Tibl
zApjwe|Fw?@p+)~L=gw=OvtY9lL?sVNwS!qc({M6Jo>o9HVM?PW11zM&@YPeY709<}
zkh6+#c!$S!N1W4uW9%tNK4h(m(-tFN-nK%(QT3;uB-S0w-lRluozOZTj%Nqva&+P7
zz6=qNf2d`55k>Bg0M!xapFA~aN=NTuq|ij36w4DlO?`QvHekL1qdwC32XNaGTyEAX
z1n5j^8TUJR@jYsMt5Vm0FQu1AH+wxn)Y3?)DA73im=*ynB^0Hh9I=-m|A7u$mL7RU
z`9N6|qi7#}cKs9vJJ1agqfPACCHffBW@-$Oj6rLd!276JnL%s@?%9NMHvZ^KMoiAf
zxRLVjqGk<(^b<vGL#hv2AsX~JBky!>L$D&8p4Qscm=uL(r4=h>)o9!O&{+N=5<5H5
zf3d0~QVh|&UbsebtQY~TE$>_#eIF>bUlb!eZ<dar#Y0~lEjqXIgv;K<^rx9+Uw8%s
zA7&XAhusEUN|5;|$qUlZMWzUTD4W!A9O_VCNOcg~Ttq|FOFN?UN17xtniQdRcYP*N
zXCfMn)y9;cJZX_AXIVHY8tx>qOGOx~YCiP+)Oy6cg6}TEf_qHx_){4Iu%R<->853t
zLxy`G=FiCjwjP(n`q~JhCGc*QF{sBz8ztS&y4ff}+=pWh;INJJj6faNIU66Qc#IS!
zNU~pykJDtNERd5i$2&?OrpB}E37PuYjl>hJ2U-_?H+kvYaTI-VmUjd2AOOu-I1qaY
zah$^rOS_S!!7iIlV%s;Rm%$`PmjA4cf6P>n526vIj4+NFx^@{NAR4(=2RPbPj!=nc
zyGSI;<O)oD2J%G__#6}lg<)KeD1&OzaLIj&Xw-Y|hzc=)@ak3NT67RmM##s=b>2}x
z=9{t#esQG@&eA5sB}iCjal{MU2EYe`5Yj%0mdkH%J4|vbGee(s6tgN~@5W;Z=n4^!
zW=2>9%_wB{H^(4!i9o_yKqq<IYNu^&u5-1mTq`0j#bhCu)+XOhh1F+wb1Sylv#2s|
zan2ABm9e?NjvyE`>22ZGPdXw%d2BTH{P&MsT>SiypOerc2aX(Z9$>jRf=M?QBF*p~
zRwxvhzrVBd@bGD5<b6jk{Z7ZtG>;hFp1^1<7w2h_m9-S+8LlN6%h(hU??p#-9cM1v
zD}_Dzphz>_?N&C$XzYlZ1}P=N6A06sx^R_X#=VwbDWD%m>C5MdsE$go{1TttA|#@U
zV}n?63P3Pq#=FNwsW#QD7oO&s()hIx^Dmtm>2X#515_8$F*1qqN0C6*z7SE1XsMPy
z5Rx3vmfyJx#8yAN{$3%+8xs*Mzwi?&zpPYTn8pY19io<SXPLgQV;OA-ej#Xbo)*y8
zsM7T-QCfTEy0U__R-&yBnR7+%)OiB*^+1bSNDh)y3=@mIkgUSsyhZ5Y|9Od1;kYT#
zXO8VqM*LCx={%Hd6`FXTrY&}sI7sPjW5dYlv|4sL4~_;a*1AP($HAp>R?E<S?U>d)
zZV&(NlLww3fAbl`%eVi(b$hqJ!RH#b6;(#WH#RKJ827^eaNMEON~p4iiizZAij;(|
zX2P^u@>&L!|LDzre^<Ua-SbZsCof>r-O`R$ZZ$z1jZ9NT@0_SOCT`kF3URYQ7eW!p
z*D(*7_k8i4yKvF=yIfiXD@EMAe*I>$9MA8*egDC|PP5@VxqfAa)oNJ~+6~pp6v4|u
z%1Zk$oG7%g@;>6rWBp38<HDB@w|3rs`1XUt%${CsIa}$bMHM(xd2=2@k$r&rTm`SJ
z4pv8&E1tNY>9=4Lu@fK(uu#o)z<tIA$U|W6yOp_<$D|MAQ>)c67hta}SaeDWx{*e-
zDhpH&l+GC)7irTSe_3{7{ZL`&{e7vI5{XHhGJKMCebmW`tZ-AyHXF9AYbmGLb@eJ=
zFpX;yIUbuk!D~In){pwGTbKlXSrC0*(|nrmjLE6B;PtQz!$|n`a%i;bwYBj<n?6Ca
z55}97q29~1a=TO%3R}6_N#R}Y-h~mB=A+{psVOVwZZ8>OQ<M&`RJBX0F`IR)7@=zD
zabrZ<$Jv##t$OCl%B_@Y1~)vdHgU~3dIBxALW3wTL!UpJkgm>7=ct4<mQ=F<jLYDD
z(dA*o^7UPs)=Z+w;@5ZDcz55m1LJI^LamwJ_MH_QUM+n2bJ-H%O#0gW{59tD{n<^q
z>#A7%k~!xp@|d#;sbM4}CbL6iXrrX~<G!j1m`YDB9?^fwl?_iF<g_`uNI`L;qFO+l
zxe>Chy@+C-$FYej0M_jxPSm_*-`FGZCt>lDKY7y+Qbuwq+z_iORCq7;ohsVcWfzH#
zO$EPpfBd>+=HV5&<fW-ZFn6JC&&+Q|a@<4<#XgeU@8VbAw+?}P$X_hJKvU_u#hz&;
zn@YRs+cr13OTp-Pnvo-oP2Dx9nbhxmtT`NBKOS*pBZ=c4=vWcSlg6E(ZQpjg^>IVk
zDt5VQ2b#1B2Za2YyRd~$oPMc(XQCg^xh&uJAC|JGZLh7Vc@9Q}!itFE;c9A5F7Dp|
zQb4W0bYu2#O2WEFbmf*p$abcu=4e*C?f{pIVMafhlLVb2H5yGgA|%D|sWmj2twI#;
zYr#Nq4t4lc1T61e1`xXw>dqujGBuMf1B%QrK2{KP%D@tfj;zQ4hh^<#%n$Wy2I;rc
zl~Ldm!qP@39Vflq?-_%G2x!=_)>0|lr{#W8560F;YDCAdLmA{$_A|4Bx+d0c{<M9{
zWKAX%ohHW;=6S6^?_?io!L)8Eh52#^PYFZl%Nn_1^9!od<)u<<ui=zptj;R&(kloN
zBkWe1bH7dDnD;#tJL0fHc_5altD0??)}s9gw|%>1wYWSO4*IhA(K`ODP+HqI=_;uQ
zb%9j<n=mQX93^p~(Dchf0x;uE236>>)^KWEUROVnT0iCjo%AA`_A?;{1Xlx3c$4rP
z;g!NWg+KQ`qt%Dmy+?Sx@R0Bs;W@j1zW2miPF(BsyK%?@@19$y!qccHAWS45W|DWH
zX^22^z7k8IfL8Khws}F{l3vyUrGO#H3A}3%BQHQUyg{>D_7L$jw7MZsKpV*((CPn2
zw4~T6V}a3GD1upElyfy8P(UmBZ~=Zn-;!R2+fpEG5wlqiB=1OnQM({x5oK9RKzg%A
z44ED`4-zP##hHyn$3H+fa7@irU49D$0@XR;f$}Q+9sc!;1+6Yr++$;oraQq?VbAN@
zfnaHE`#mQqXkL`!9^pf{(#e0tq=HYskRKJ?8YECaTfsLO7Y1`ndKp3hqcFn;8^dN1
zhFgAQ_y2tVYq;(IJ@Do+JaV&Krs`C3#nkWslTZiNp;%2=a0M`vb!H6$)+A%^)t6(5
z=hWCRxnZc;WetL}O9h~S7H8eahG1ezF|4qF>ro>sM|wecj*cQ=j4ii-j&FGAH>EG`
z(Ev@dx_}WK^KX)&krgDHnKfClagb_67NnAzYb;WcEj`OlB-hB!OY6pwzZTCOi9ic_
zKX0wa^~`}}OY9RvqD*08#sc|4l`*C;vClwNKI^qndRWxsn_*>DQFbsYTZ7;D$oUjA
zDL@wXJI>lTb8#F>9u_Ac>)~$}z-l(3(3lhl+XgO!bwM$CV3^B3Tcl*@0*(wU+(tDf
z6K19;Q?+UpxM4Xt+(%$nDCp`i3Y;A7BeV^8GpfWD;urlNe7Y~M_?bTo_)`Ce{tN!@
zo4(hRNmoA7>PjBgEH~7ZlXKcvxJKkAe}gw5x9D0U({aH<wGq%d;!04rg&a|W8b~u(
zAkB7RLx#7@^?KuGVQG~J7oNP7!BQjw5RJpp;OE?-V(V*-#hekKXsVtwA^2pjA-*BL
znN+51?hK1F`1Fueu?$?-?<uwtu*-N2L0=+(?~b6o!Danz$;u4xN^015Oakw#y^We>
zawrVfE)8*A6?M!^TXjf9E00UtiJk3s#9CZm$HUbaC5YN3J74jG_qI(q>2N(<0LJ6o
z?eAAh(?mfKJthY@`VzLqWrf_#pU%oScCA)8@&nV6A(^o@)&Z3|nSPD1XJ96>GGY?E
zb=<md(GQgkTGE6T^#%zMucZg2ZE$tSxU94CqGioqNVzS6GWJU!16K(Q8_yON2^DRY
zh4}g4&Hu$KxD|bWR9K!KHuD^TWbzwneEgj?JDKr*0Mb$8#(;L8kQA;|3DN|!vofo6
z<uO}Tl)_4ienAP;JYaLo6@7^fRqsh<J`n}Le7#U`RRZNl`%OQ9Ty5OlS(p7fi_$4r
z5F`ezp^tYviGA&Uuh)YYV3d8gKelH1fA`{{Li<~^m%7r@JuOcSK*z;%6DoX?ux{}C
zbLIKnxKA6+<w#&}cag8Ud%I`4j@}p(qY06TGELiHv2yx@@a0n|7W;2qjJ^MSU%{M+
zZw?d0>xOt3B7VW>{mVa>Jkqo*bjZw5U$$B_a2}ZFbKV|UrQ&Po11YfATo#sx5+3X0
z34BtEmDa=Q&__ci_HChPYU98NTkk|}+;&;#)+Mb8<JhB`dMR0r{Yv8Tg?S(H`RC#T
zQyk#F8hbzeQ$a)ayBG2HAC{c<BjAs(T)E+?;sSf4dwx+Ep}uOH6x#US6@R90uR7}(
zWF6@%6eybkGWfs<j>ggyN;LN-;n5}w0JACw8a>0NEFJ-djv^9K!+xGLs%<KPk~zcu
zBhp0|3e8xvpxN!6sXQ?KbiE>mxislRjJZ+BIR}XP5&<43piM4b95_X9%&?FYP$VK+
zNmN{o+^Sh7XJNQ@2@1NllF<}9q@vbalipJb)7|5Si<InU43nuF?CJOKHfXjI`lQ44
zZ~+(>roGGvXTJprmM{=mL<3i!CMHQxMUNv1#G`Tg=jM?d;TWkxwOO2^w`Rzapb}ec
z2!~MkMopHSgrQwx%}_kaD&}D6#xa0LU?s8jk!a)DDQil>99?OV@=(I6p4oF#4;O&(
zq4|44VEC+mL{;=@u@LH=h$QecwJ#7AZlud+4MCJr*XmqMr_J!3hHPcqqk#cU-x<ue
z0Q*;N9JJSo!TRFQo;ahgt{kW=+nlIP6rLMJ?1_bvExX-foT~iv*4ZoyxlK7MJ}5^Q
zsw<JKT?1@>Hl;P@n3_(m#~}gv%gDEVB5c<VLI42hT~LNOX>udD4u30#VQiX1L9%e+
zb`#*h^|A>@_;@bS!k1V`a5z^raC;mWw0o(zEPZ-in7iI?_hg%*iqsrxffycdVI)lD
zHCs{?$i>PA7ypxXOdkj<e~m!N{3fv6Rj)<~`VXO?8D&biX)}HFC>?Gxiv|^BQ7r1Z
zl90uGdycyV@`c078$r3K)$8J;843U?(h3xh;auy%R9VzJQ@0V-s)Hp8&XRGd2tmx_
z1XJ`8D4fD7QQ~vqMtOysMrh$4EI$j}a#^ybYs3YXX%g|}CsciYmj2gJv<zKfDWBtP
z7ppFOw8+TJoK{^;K9CIL{qTbhumR(DIyCA7DfWAm(K23BtBmV8(uK1xL=q6s%TAn;
znOScb=|CFpQCC++ty>U=BG8Zs6#2Ew*Y1&G;V5ReXy&@;OGbzHD{$3bDu80;(tnc6
z8PpPhE7@X=nc3E5Llly7O+eQ{ZIO5SgyM}Q&T5o@obQD4v+&V{k%5^tx9JCx5gFdX
z$K;&4PRrzZ`lgB3+qih(#_ypdAg-Qt;*8A9dc#Nu(y)8c)s@kCs$D~Y5n~F}d9Rdr
z=Mxv0nbXP->Vah7S9s-F$p@%T%UrqHh_VN}cb@AcAlCf-I3qK&-Z0XEG;&q<e{k*D
zxfyC{(z4W~7*Ta#w~o3n35aF)B+kgptT&8wAdN!Z{fusXE@R=E<rrMK0B4%|FG5+|
z!d?J~HH0`LGqc{D6%AIBibf9fc3}VHa@A0j5k-&ekT)rJ?unbs%$(-VPaa4HB9C`z
zctTDFGLf7M$YVS-N`yKgmj{@B*7sdiD>GP2z>Q(-ralX^uvH;-@eo$R^)B0?boKyw
zJEz@i&sM}xZ-YqZ;*L0ZKc)&mf;)rQr`ec>awvaJqCT~3TiJqBU@5GxhCvTu92x}D
z&@4<%`a^gKB@@S3oKskP&uI<#R!Wvh4z)x<Z#00Ydl3b<APa6m65N8j*Dc6BQd|}8
zf_JURTxjnPrRl<Me(xTdChk=8Jd=C!<kh=S>O+HvZ5Olgz{22`RXT;a54O6SKg7Kk
z@cV~B<g|ox2)7O(b}X$mRb?w$0_CP*&}&ckKL!`D29w}m0^PPUkqLPm!#H+H2*<dp
zj&Yhp5}TPV@Eg#t7E|aJx`luc6v9GS=oZ34x6myFg<wHYGjr@jV$+5L=Oes%`2Y6N
zU<|SK`gXqbOSv6~>}2SRLSo|7fuWAH)~AeNm0c@0a^B9Bj|22kz3epHz74|c%zxiQ
zlDTmYw@FFV26rE>jRe@*>cTwd?!$aRgY_GSKOOqrZ+Ry|&{vdh9u8d&Z4L1cmy>_y
z*jp2lF`<doG`3!WX0Xu%8*DwysY4q|ZARHT2CV?-f%rJdhpeQX(P3ij*tecfB1Fu9
zy@+k6U3Knaw@aRR7j*~~ph?AP_Bco+$`es;R|{4?F7ydWAt@yATmZ~53xdE42wO-9
zNlz&wB8o}&pj9GnefzA;JY%v9Y}LgcvXSb!7#4byjDy2M2U5@fn9AIdd0FOuAgcr|
zo&-@SOF>+#Tyd}GY7xmQsE$O0`uX^<9EaC@V<g_JQ?G9=cQ{oyZOG!8z}{a6plYJj
zp83y0R>|?T^)?w{oPF+%5=pK5plGM!n^k4J)HO-!=vld-#_!zsN2AZ&^S2hNQsq1S
zVNuNDor!^Cc$jpStS^ttr;GQBMEt)K>-9JNs?DUR)-U`vWF}n5Wd~5ns9qp>zigfN
z=zx@01SWd#v~CNSDQ%2F4_fT`7k)H`t1@+vSQ$DTrpzcNG*vJ|x6sBa3<ES{m$oR-
zm2i<oJKAp(=Cm-nn%~?;N~^Fb0{OpmL-6mvhBIqx`hzqabZ<8$vSo#ri_#b<ppGR+
zgS*;>{>)jVMWMT*C?Z;uIBD>`Z)ON?3qdoSwf}z(XH%J1i(C!R$-BBU<;w;6Bs4JO
zYqvp*`Q0!FrPQ-ma6KQdi=_b9-Sn+{b~ObHFI;AP`r|#&m-aROHV-Jffk$k)v~G^z
zuJ?)CEtkvU@-@(#JS*S%ru*b${9W&}fB5zKJ8bXvk9_OeZ+_eVy#CnbN8Rn$<~GD0
z?Rzia_4Z#Kef3cZ{?~Oa;h2sg1zLwJC1ZMzGc5qePh3!GeQA2w^O!~8`lQ+{8v4?H
z*I})7mF?iZTV@ULT~crEBIv4(v7+*OKixs?m5|lDtxM3R$(KxvtS@vAofxMU*nV2v
z3j=-O>yYpf5fBj(77-Q^prc54z|<1^t!t^5JI;H9%MBQux;|V*Im&Q)*k`z(PS1z_
zcAnpLizby*{pQ0z@0BGgez>Dvt)maPWBvA?DUp8v;;^#?S>_+v_?P_Y>R7wJ_B(Zi
zm$>K;%<kTyl=tGx&p4mgy}bqPJpAY|%2`&T4^Q3yRW4Sc{AxRSjo|eJ2b8WF<y^rn
zA?;glQyx8x=nV8_lrn>d%rQF|`cO`KEIk^$<#9L7EFn!fWSP9J!%pS2GgUyVt|4x(
zIvW?be_POgkR+GK8e|7snq53Y;S#IC=E=`3=qmSnEG)1p1KpL+!+ONTgv7-3i0Kg%
z60=EXS6=%XCp&b3jp%I@w|9WU8hBq_#`-#+&o2Dz!n{3f1#P^99Ot=z0QcfyP;E?)
z5xH>Bn($l+74sv9YN1-UbFRL8E7)-S<`4Z%f3#ClRr`uKd53;_xe^NAy?cLVUGfjL
z--j-T)nRDvaCmb2{)7K_<~%+>JNcph!Tl4wBTt3s9k@!W%@QtF3O%40Zv??^BLf0G
z4$JrNF|T4+>Ajhlk%!WCwvA(`J47d-P{yc9gKNE0wHv#|#P9UsdJdqH8G{GlwzayQ
zGdp`fUUBpG9^Uk~rIFadc8dGSAcsY+x;!uL1_WuG2pR_s8z5I&Qx|$eV!g3Di`k{f
zC1T(%2isWq#=!)%@^*_lh2}8Wr95BEMlM#oJKPGQs8eVTW3_SE%0kH4wsQ}~ZI)hk
z?p1yjyAL)WZMf#z@(0@TcegFa9dG^Sv`4MYPXos(G>54w;v3EJ^!|>^_Rmj#cr0&$
z5CdV)Fct)6S)gvAxeWGUxqL8{ligRgFLeyfX|S_udGBUIg=KawqPWh|tIowTmx1FL
zn$zUl*cqvc>Sp7v1y|C0pCRlPcVi(9z|s;2u#ggCfKp;v^l1q46BtHb$6b^foIcd9
z8?eg49}Ynm9HwWntW#<}-}vtbT7>fHbIYHFy0t)AaZ%6v_r_h^9fz-EhzB&ViPWxL
zM?6a;Z@R(P3ZeD1i68?&Gt!ly#N>LqS6LjoXl2W|r?uW3g}UI5czxZ*o>u%WtY=H;
z3SeFtJ%bV_mr=!~{CBT5ojf2q7F3{o_x(|CaQ>m~TE2U-OjjbZ%QW6wWbTuRAV+cg
zb@HTlx2+35!FDeiaqHTn@JnAzjDKUnP#!lV!H?hPLa?NevT|*%v@C|q8E>5IT<A`s
zv~x;alGzHiE4h^s`+a#w{MxYHt--dK%j_!V3=$#lAw0mAem5=P%BbK&hbMtMSh+4s
zGj{o0ek5r`lkAo$lGTr0pB+jQ^8%#X2I>pt>k?uTgEV%Ff<|-K5f|Mf$&Q!&T~eB-
z{tl;W)0-skne%4?Zl$kYDCK5QN!)kMCUx_Y1>8zs<yLHNmY<X4yE+)@)9Eb}a0`Fc
zT!by?p1yS1QcSf<15xNp=oIaI=#yx=k75V7qwU#);i?P0ufuQu%=4qa&JI7Rp6-0|
zFcz?v{;JAPOz*egkgmS$|90)aclEoSufDMkWWXtY&6t>{6dP;zIL2g4?Xwu+H^=32
zo#jrzt*jqF1s!zIL4mL0Tydhk4DFZnrMg<7{;PWjn+>31`I<lQ91Q*2MjG8iYYEUK
zgx8#B(q&oRplut-fRup-VG14^8E61xRrzMgkQ{a`yn%n%jPX&=G2lSU#1x^n!1NbN
z2+F7zOKk6SUAHsPa{u48p5I)bx+5Ap;AWnvmG)wh7YfrW?MJyxVYrqzt`}#)^`B82
z&qvOKczQ2)ehy;?2)g^4kLz9wk(+Zydob#-F+9(N2>>z0pWjweZGU8wce(&q(;>@&
z1}h+9u<f8vAzqc`xup@WJMU~TvA*mVT|9i}q7eEqte+S2K%k`)1}{Jip>P_~MMHfr
zQM`K%f`FfR?V|MAAME^2bFi5ponfMw!Hu7z)PWeVh?_SPc+NE#AkcoNlyyRkZWO{{
zyhwip#Uf|{*k7o@2!=B4oG0*nb@1$2;#0oLkYZ*BgamkmN=ue7KSD<ORK`mCH^kg&
zQc?x$J}7qZ{o|bJRo=!%L=+y;<VCCvO&E!olSv8ILjD2FunRm);SoR3n19gtf|KWY
zTdOQ-NWdf_dq|k=l%n)9)YMwgC(bE;s2HkL(*WE17Whpe!GVp4(18V3YX)Zvd=#ZX
zswC``50qMdwHZp4HkSgaQsAzuYNC(@Cm$TAF%tznVOs&VkJLFNNJGj!!VucZgElfK
zzt{kdcVj{XGhYs?N)WSix<M4hb|K}GnJ0Q%l|AQ0I=K9JuuR1q1^QjE&+!fbJjvO%
za8>atLT1D;G=9D6k{&R9*H*;v)O!FUE)8`<Wp^ss##HGh$OC_K6QJID=iB1mcc$}m
zc|6ta<eq|MC(X-GR-OO%nspqd4$whzHA{Eh^sm4B(w6%>pZ#%aPmVlHYrh<$@2`9D
zE4e9_Pv>p8Q>3PE-C0il-B4O20n)h<6UK>r!tGooaepz5acPYm1H?9ofMe(HtzkZb
z0#mav$8$p6+?c3!nxXDYkWo{+GOnEfn`^F;6-Oi-1y&>lj-+uM!zkuxj1&531`Z`1
zo@3YdE`)f$D}5M6(+-Jf88PciGgVmgN70|P=L0ZZG`#F2^r)?<6#~;aAh8)+8!72n
z3%v<4E(4B~flehaKXd#8#3Q*<2-?%c0*3Tl(`?YApnhK7Z}LL(Y61sW&Lrn_;juGU
zUO#j*@A`{oNc_whdZTul6Pt2|!(#1)cMr_#WIvty{@Ux^-TYL`E;x6NZ>Rfo#<Tw?
zdamzdc7N>5IuG02$>!`u4CKZhD9+3#LYB*_7_wz;ZtayUxiNirsN{d4G1Y2nZYF$_
z$h1rQ;#^9)#4sb-{5{4)*M=eO>z%JXAm3M@7dzOgqN~4GGj@u|pA2=(uSd{Xz5Axo
z1YTt~*FV7N+tu3vIC$WwbyV|5ZU>8yCXWc(%ksi6-UmAUzWZ5?@ZBa>8>Ju4IqXyp
z`d<n5bSC@ln=eayN2J+#7<=JY?^CpO-A<;0P=aspZJ`vKZ#>*E;mM_*J$k!opI7Os
zyz1+%XpwE<rTgbIy#F*Q9yCwV=hFTBG?SO~t>&zJRgc^bH9M*0vTOe7ePw~?4GUtc
z>_aa?@WjLt!qrtJM(u)V>XOQaOf_-{!jIQSD3%byfC6W_hh;(3G%Q0w{CLI@hk(m)
zR6J`gDjzxQ7Q+#3fHN)d%o`(O(Gimsy*Mm@NqT3(w5wnne8EYVVABYi1277I(hAcw
zvWq&NLX3Miaz}T5yNipg<7q6Ve7qgG93!5_gOrydiKU%5Ud+ZrvGIBs`_q9>4Nk3}
z!PWy*zK*B2W_s}JVY$n1YtZHNH!Oqstgh@o!R_<KDOR>rg!4JmN5*P29>`9`2<A+s
zMp9@FC!#B?kj?4^DK3SB-kX5lUy!8>gg>DyUS3A8>IqSrd#;3oa4lY=iRIhj>@weX
z=v3r3#(Y<bvBPbycK+Vqk@;!-AplY<uqxY!v&t;HlQ@?E&yO$B<*`_aWt^*c5-y6P
z47Thll)OH^3j53J4f}GV9CjOQRwLaaki>)On4bKkU|s4S|2eD_*2e~by48J7TLqJ3
zEpL|qH}RTq{4yHV^2@3J_{gbr)aO%1H4U)A!xUe${UQ4V**gxun{TWftOpO{{6=WX
z3|D{gZtwGdIQgiWCA|#sW-geyt&2H0HX?vuedX{ZKw<PZ*BeyDN!Rg*Cjk=!C}je}
zWo__ileMYY{y0~RshqFcQEEU>(mQ<p@k^}r!H(Two@$1NVFqHQDZD9(uA7h^&<co>
zS;x8qg>%oVrfgQxav|gVZW_ewwYUX8xT-*To<!`;#!-6>UKy-w%e<0Rb{X@4n7A{k
zpG&tEcw9V1C$X?5C{z&o#7r5@_pe?k0z`{Hp&WkbcT!ubLx98}`Mnlj#J99-16F6=
z)vlM_>C`AI-YZUB2ich+Ctxv;6@9#@-oKTRtR?5+bn=U=_?&mUA|)E;dG-(#4p18<
zgo^Zt%sP$*gNuB2`D*J=FFT*!DwR6J*9AO=D2e1GT(H1|^S5nq%vID-(W(zh@*`Wb
zxq1#UGPz!!8V_FCdzFIPX|$c(kM$725Byy9%a7`k{i)WYPfaU6^+^7h(~I_8iCgQS
z-m;B=H{X6F{O|XJGJ14q#^_n8cR$a3SLye=Vpl1>X8-TzE!9-->rVaw+^x<V7caHL
z$sNba?ZkZxJn=g1ntO%Oks?|7VrtlmTjg&dgR&u{%m#F)h3zQ$`i@eY7iC2YwR^C@
zsH@mcfekZMn-s<+N0FM8nNh{;a;}V}T>n!WWtS6_V8L)d;+}+{)^Xe?DrQ0oZr`0s
z^Vp2*5K$`}+ZnqDGf}9O@D5D64ZKMcS<Cq9$-H+p&^CapzOsi57s)}58~YheW#ck4
zji;fb%>nJ6PRj)*-D6N8L;qRJ#62MH0bxYQG!Oq24#Jdh1dU8SYHEa)<8Ao1(t~VW
zlzYuZ73WOOrnN#!z9Yo(Ut`XPP2Qs?i~NV)eaUG#iyKCCj?(L<g2pY!?FUi<`K^gN
z(Ce&Di?|SKaXl?7%k~W=<8Q5xKk`2?S$2?JX6J~^tk@}dQ%&K!xOaJHVr+`$ezn$~
z5UgNR0Br?qBF{>hUv2}eZ3F6ESkw}$MtZ0XFvm4aYEU6DpXFf&-f@{X;ABCsFeD-L
zm9nzg{S)e<@VZkGgA>8k-L`+><?jE=eyByxLkCvC*?zk-Dfo~~q&UuMc4j9_x}WdT
zC&H(Pzy6?i^<VUV|A*$WSxwN<!RPHlu~xE*7&!AuhK?{=TW`Q;bUu^mIJaA6tc=7{
z)dXA8$uc4qrn|FX8&r;Q%AA`HxJx^=7xUt??2I^erJZz|`YxJQ6Gn*1@ZyK#&KuK7
zO$!h=qY>cq+(k=3(&@5(;Bn67hCXhw@u2$7gB0Tw^u$?B%TLn#4Pg>CZ(z^&;i-=_
zirb7o(&nWL@E<@>a%)4topmP!HQc}YUJTp;Zoy<lCWnw3z`}Y+YF;Cp4uDJ*jB4Qm
zbxEqGBBsy8KewOSvw874J9c%Zfou_yI3$5mctm)lH!I|J%byfmoIqo<Ca&8M=ghgH
zRa>EyVGzOyoTmDPot^nqROyxATZ|pI&}t0%Nh6V*%Op_hEqJHUUO%Oea)A(AgnsH`
z+xKSWw^l`KM~RDRoNd~3#YO)50eT7F#a5zJA{djO$m$?wz&E)gV<^@?Z+l>C4K;|3
z@c<uJbB*jpM_>;p_Dur}Kc$pZH<p#&tEdzx3;sZ<%mo0udP?2Ben~1~#Bkw~#sA8}
zy7n)OUv{KB(AiDloi=&=M`?*fHlys!v?p}`$$XZCz~e8NC9lm7?)b)(WUBMs3D(tz
z(7*Dv2X?23WGvn*t8A#<Cn1=`C=JF8rLo=zg}k>Wsacq()Jr9ly5zvOqg&|L@S02Z
zB)b~*TgfRzRLWGluXfJ!($QkyV&!!i@egW0ar~>~izV!88Dy53ZC2E^oJmRjj>F`~
zS*~h2W3QA&>;r6nP7Eb8lr{_AdigQeAhl6Dy1s*J8s}WQqIQiY0FR@YDF&=)g3e#3
zrZlT1jknkl<$Bq_Q%c+Q??)w`G+A-<0q9ZEFe{3_KwYhysyr;9J`x;83uGuk<|xCb
z4UNb!*FT1$%B}knoF{h*Q*s5I^a%<)xyZ24v-x;nNoyg<0!#;q*2OIUAq2Q6IlSJu
zt>xa)ynge#1ciqd7hh(~^oJQU1}}(U#H#8VaTq#Mpl#h*b)Kd4bFE!fJJ7K(<f^KI
zNQ>g46tu0=HG9~pFEa78YYIX@HB>iyV%Su1x5L5ONhOY><V!X+piNuMGG>7QOe&ZU
zAEM-aY8$4Yn=2@#@iG9efDRN!WS1A;3jNB$?be5b08<oDcN4!;H7K;;xx5FuM4yGc
zUR+!i{{K7u0m^+cSWux)(PrqKKCfS13;FsSzsLT6t|~(aj(_iqZut7jPj7!m$-k9T
zdiX+}Ik>5I@c-<NPbb}TGyC!wL0PsT)*rx7E+fpwcn|Gs+_4?2CWzi6Di0z6$8=oI
z7#%F<0uWy=U4c1f431Rgb2Li7=}w?qcdt7Vpl!A0!Cgw%1stks4_YI1m2W1L(xz81
zC{Um|@5`iqGW3}ORC-`Mm`Z_{-j?P7x@sY4WM#%C$dqM+4iRHEA}F*2MmowP^V%%(
zk>U`H0WIDpTkMrzpIeXxDV(9or9JP!M;!)igIHx?PY+?&MHw8KVdV22=MQc?N7Lcx
zBWn!Pa7**4%%|;UHmMCg)PVe4c7OfFaIn}5dB<0VB8PU>K9<f<RN=UjN)#FnaRzG$
zg_E-5JZ7Opz~qDRB((@bfOwyT>1ccDX~MEZE9Uz@h+Qo#EUa5tn4e!*SXj3(zsqT)
z3)c^ZNL=|?p9nt6`2K9Y-Z)mC$Wa)Z*!oot`c$SiSZm6;dp+x|4qWGF&&P-UlR*S8
z2X$p(4qy(#mIn<o5Vs9<AL)o5C!c|A9pDoQ89CAc&9D?13qR#JXRPZ7Hi=7rA0)!b
z5kswmng4S#;8Bm^%5wsHP=f~wZi<c`7NMXi2q{8reUd^Jmz=~h<KD$318b?l+9!jE
z+XkXY8<NRqAn#itwKtySqyQxa@|P))0)iAl%B(Y=gVuD=pKWTbuIJo$t1jrf98~SR
zm|yQ<_xJ0(0$KXdxL!S+f8U=?Urm2&bsJtnDcB3R4DObmcwavYv;{s8LPD7w>P4&n
z^v`d;{adRO@c-M}@WMOJ^BeK;S0{Z{<alVk_daANt2X@XpUZluU{{mZI|A`EmX%(O
z9Dbdp1C1k?%G$fNUe_63U-h6_4%9ylmqBZ3;+;GR#G%=Uj1>QdOC5OE?c;q~j=)_B
zo%l&;3KoL`I0$$MhrXu(W&d~C)^(c3U4CZlU+!TpFX)RBdFxr2cGu}sKn-YV4XP0V
ze&(I0*QL)reY<b`qxe`EZ$EeQC#6^}gelRX(_zHjX=#tO@7Z~sb<KW!rQwL);n(mQ
zTs*$O$Ii39?t?zyy*})NzSjFze8>mA$2Ohcz2e|{gP{OrwjhqI1bT6*s7|xsZstS~
zpJj6Wy>`=>(5BMbZYSnbyIgS->Nu9I8!~OnG*EForCn0<H10&6R^k}j!r&}A<N(0R
z^OT64xB-!J)sZQlsU5ttQaZG4h0V(}YVp;@%lD8k9bfR<2gAStKRP)<V<pbZhsX-2
z$39P;J$ZcSU{lt#clrt2I@2q@r)1NAZBxXH1u!DAyG&MR2iJJb>PoZshLLlnIAnMx
zC$o&8ERQvq*PQ0OJinloCx*c;A;BLS1?`S=rO&JsCS}%DW-HIP2;AllO99AaA-vV|
zvY;n4#sp?6#)K3s@Ji?<wu$3%rzBm<xJ~Vd?K~G+Nu))s<fdY7*gT0@kQc)&nVMS5
z#F7o$GhqkQa>ZbbH@LrI3^fc8OPNL_L>;b{AWcVAbFMH%WVYjO1DYt?u1QsBCe(Vy
z(IH2)d}!TBXeRqn{=W9MTm(f!_&#e?Ts+c03S}EqL6)^#hc?%`?|T;yd&f3SoMyEg
zpp2Ug8(%SIO<7-wC`z2z2q7<85=omoA{AsE>d>P`Ki0RB`}}2JF1Lq{4G5Qg98`~Y
zcDvoOC<8O>kn?ih?)cUx9(9y+y|o45qksQ4V?(<Brn?Dkv3ryMU~_Gf$wHdmYo*8m
z?`~ELgW57nQRK?KE7VLor=#d|K_2i6x@<OE+DF1u{>;eT^-dwcCwsg7cdiXBT)PMc
zlxte+iD#lvND1P^Nt2)`*a&824$+6$<wOid)4h;0#Lrj~gCcEiQwAK^6hiP3i3poJ
zATf_42`-9_@D67@Ajb)g(ik%6aNyG^C!E^O-uc}i@WY}SA!@u~wX1)0_(_)%(`v5r
zZdXa-q439LOwdsXKh*|rxzyvgbz7T6TK1yZ1I*LXSuD`tB<nlgsr+yVFdmdaqm^sO
z5QgAth{WFYv2TxH{|Y9A-JyqG2bwZW(7U;1>;VzLZq&oCZr0!66x=dTks0k)MQ0y*
zyJ|MJtE8Q3B<;40g`ITHGf}fNNYjx>UNhoJAwIvU|5Tq`@jWH`-Row#IGJJ)nX0{%
zzEztmBy-k~q1KCRWpUWb?r6iHmP#8*Ygx)9W-{0Xr}(I!;&F{>$$2;=I?HZIyR2+(
zd!e$~tR1~+CJJr%p@d)}gIVI>jwTeAH*2xl#;PGxrA9SsyR4CIgNh5h6$!OD(pi=X
zs_ncJ<5m))0k+MIv!mMiB&kvMJ$LCb*_bsjkdmU1;$pw|a{6{YCrbs1dKQkPS=X-(
zC$8;Jm^h{+p_mg-EaxiZk14D((b_QSGddV_hd>R785-MM1O&9T43uJFxQfu=(r7Hj
zl;jt2j7Byv1QsB$IaR@U`xNYU+QjFbd4aoqX6#dNXo(f&*+nS%sVb86HUpjHi!RZ;
zQ<-!o9*M6s$*T9$A*f^Z6sUdfEZr6Bm~`N2IF)!`?z-028<<g6j*`3hMDp*+4G^20
zU)5^eSU&}Nyr5^Hg=EM(=K(}h2L%BHl6yZ^#i}V#*`-g~dYvmX66a}jY;q6ySRl|K
zWwTPDANj{2d{j=7>xq~L@W!2H^UrwJ=c_91mXPF>c_e=oszTzie%BAht{(nG;{EW7
z_sa<kJO?K3r^;XgHmMwmQ8JPk6=;1^3D*~B4v8c9bwx<*y9=aV?8X75*j9)r7m4Ov
z4QeCCO7BKtuJpnwOu66f>p;`U%6h%m{3`0G?4j=~JWSO?ZKmGUB3+$Fql6dHKrac2
z4it5?2XDfrTsy`h7GZn0;lTz~Ai)mnPQ(ljlijSJ>9TARGtpS#IGH&2i3tb5?SNo_
zO0wGO>951;UVkI9^t9ozMTq;voGb!k>jzx`B^eaqW64xD!9DL4a#i7xJbMABtGz)P
zM?fUCFjl&VQ7>u&fKdfZd7+EJC^+#S2t|Rx_eA_jJfDwk$;dv&_(X{I;ol#M0>Xd5
z!rurY{uqV5V_UbJDaik|s@?4NrxuCBq($=96iCOk^@-HPpv(~P0T`OIeIm4b?Xuhk
zCQBw<Yr6#gUewxw27m-AYEzqQ=!AT7kWIM|`sAecsZ_qn-QXcu)y`_2hju<A8D!bG
zD}ODw=TF&hz`Xk0u1YgcL<Q^jR12Xr%mtT*^r8Z>;=jOF0S+;yCJJdgIMq{1soRG^
z_dZD}830Kvgp{HIO$93%2o)*U6q`~?*)4dCP19u0S?AZMJR?3&Hd3!J$6;+F&W7u+
zj`HOEoK!7HNNK77yj!-E*E@$E3Lh%S3dnyb>C|34Z91qTLrvx`UtQ7Dfr=Dj&S|Ys
zBKKz@>*TqVvtKZ+V7cwmT}djZ{WV&}gG%0jI*@B8t<-T~w9N>uy`wP)&$!D<hn0Hs
zlpBSt=165vxuUAp9iSXqAHH>&p9l2+|7s+&xUyIz6bnroD}~gx?JK#+*sxQIdQAJm
zEmuK%c`xv}v61@u;NW_vQfpXC+KWcE7*%Q6hsSQj^8;bn?cI!p%cB?n^pemQ&tKli
zmZGK&Xtv{OV#Sfjg?Evv*;oOt;|4*tGA1javD|NGsV8tv?uzdG6qp_eekjTr%M<qO
z5-lhfDxxDOe`xzUzUlXdc|U8V9p?G#bhDLyx8DjpnJOQKL6pS4tqZ||mB>-{oOiZ7
z9NhG&9P64m{&z3F3iR437H&}Jqq1SC8D0>#J1x%$+wE@WD$=1tst5h5?SM;Oq_ASd
zH9WlOBL9K%-*!Q}aTTRTo{q^IaP@CL*x*>tK5KyZJlROiroX1@6(!pCL%lylKb5G#
z=(j$}JZ|O$xB;8<U|ft(8DgIrhmF7$M73o8$ZTkIVv#tyu*h|53a(pYvKbLGk0h+Z
z#8i}<j>|-n_!y?lq~?M<Yr`f`T>uHkRZ-|`YW6V_=jog<8-sK0i5l{B1={*Cq^PvA
zU8&>^=-N+hp@LxUL1cyrrRNa0GZn#NYQWz%sSK=hn;LT?RKSHQZ>6^O>-kctP(fGI
zgy^N8Bg(U^B<bv(J(qT@Nm988o$j!A4Pu`s8>;W)w3IWATIyq_kAb4%m4Zd65(#f8
z=7UVRnC1L8NNTAJ)!4<M_ckErxVc{>h?Rue#dO<X%J*0cO;?~d+qDQ|-|RW)$(rwe
zc_jV%2K4JpZE1>F+@q>F3jTA1sGF)U516>y#-3#a84CxpE3YZl`gpofm@v)MJ0(-A
z5Q_;RE7{Sv=DAQr$aGqx#(`_ONqnwctow5M^s~$A;nPn}BH9IHaREIJOy)*b7R5^-
z^Zi;Un&UAT)rK3+GlS5i5Sp$TqL{`Z79@BKA;oCMTihm8L~A9gNcf4{T1z>!wPB4p
zy2S*m6!Jx1Bt$=FKfSfE=3LP^HRV?hUROc2V<Q`)0*_zv9)r6Pk*CO;6++WCAz*kE
z6K5*0GFIwgRqG|6(65N3L$J0GPHdO{w`hSI6GYm;zkHOFd}VBuZRm;q6_wxLvKzI$
z#R*4*tkF#4VQkuA<Zeof5EFNt_5)%q5AhTyMjj#6;ZyCHm==+!Hv3xH&OlIz6qnf~
zT%!8zqYx38O@lgI-BmM_o9f4zcBqPgcUB>S24+EMH7u)?@Iw%BhrKca0wSWOtjIi}
z_gBudejlyumzBu=sR=r}IG(y;#Q$WAN#Ig|#uXefZQ8U;F1j>@FzQ04U2;L6^q><M
z@|iIf`612(>vKWLT1V~#bdTLqcF;N3_p;;0A+A~zOx_>V<5qEpDa^0dO@Z8cMu3g7
z7owNc&R$kitf1KrwH0i+!(P?Y*s26^nkNo+8*SN)VHbV9tCGJ+$fM!7<fB63fJ^&9
z?x)JEj`pVS$e=N|DfCD@)3Bq1YWXOTq(G~-=Y5)~kfzC^VyI)4p_{6%OR~r|Cuyp(
z#C7dhsjIgdrs3Z-Se!JFj>|+sq7;%P35hA$)<44uB%(3QSgQ2~Ib$4|U!>xp>pT1~
zNdtnwcY3`Dn+m99CEhN)&~5Cya?{#bbzUus9<yEBnb>)hQ1EG(g%p*y)Lz-9WE4Tw
zrP^On>l_t_x;kuQFR6Z8N8`4j!A6ZpEfXB2!S-gyNAtnf@k8l_7uV?8VujhiY^;j#
z|2W6bIl`w&wB76xJ3qw^r5#J)w%I~eElbxHS#?Y{Ak)&{J30UEOZ43#znwkTe?_P}
z9P+)Op=zM<XiSLifTw|dzK=%T?m$%(Ll>5Xw9J0RgV&3xJ6FYa-~hd1uH3w6weyWa
z!yR|?n*zI3kEQ9(K)7fQ=-9}cY9+9p1+gLXX~JZ;1DsJ)h^(y_@XR4tn#Nr!*wH5<
zEi?8@(}SW@L5FZ?4_mb09*m}X;x5Z?GHWOYi(M-fy%~&}lyZn9qJs8e8P-T|Gp+Nu
zK4vn4%(e57g~inNv3uZ>9}90$*(X;as7qdIU9!!qC%}^-XdjR%Az__*U$-@CjLsS*
zA)C_N!4<bT1dctoz~QX$hQ_$S&K6x5;M}jGgCxZL+_a%Cg=Qz)VzvE)ZO(max~?(P
z!)Wz9E|Feu?ZLl#nA{{?x*&2qsZ_yoia9q)LkbT~)0hq!76wHZjh*k#mM~Gs!n&^2
z>ZWNCNiwX$k$~E<J>E|d{~8#wuJnUfDw9;UT@4wDOrwz@(JPFrDK@3?0kVv1X6iE-
zQk?;+vjH7R+^)_{ZjyI;Z1I<@sOExrpLwIhBM5ceEc5nBFtq@I8Uu`HCuc^W-+NO)
z3kY64G}aI#XW`&{)s55rrR$Z{(5R$-{qM3D5_rK9V_?>nryzJNsUK?#^1pLm1@fyw
z`5&3UX+d2$1G_Hl`!f&s30bSOv2EoWiGnht^-W)BX5AxE3+l>OyZRAXCC{bY-<Yw*
zH*Vin<x8?SS$C4l`=0Z+nrrQIo`cH;39<8xxr`(iVVp!Vj)&DK$`famM@d4<RU%~~
z1T9-ogF@!!F6;4|U2M)XL9?exV;I!KJOJsz_7g=dH04Dy1XZV(jkD+Y{QO_<EH*7J
zxP2Z*!)o|hvH7Ch`>bhvPVdIeW<0YG^C75H1NY#8Gylh#O|JW@fiK1)7u4r=1ovB|
zje%=aJwl#;=5Tn&;h@(9oW(ITc*o(eJ`o5+V$Kf6v?Q182vmaw7_Y6}IZ!|b1@Eb?
zj1SDv=)JFO@^R9XiCR!~iuusvI386x<v|G-*0vR`FzypyA@Xy&D6B{=hYk-Nihe&8
z;v^hW1zKc=-5j<cc%OvD*{$nm9INl7@uE$XAAFfI`N){MjT0!db`M-oFGvi#PJ5;l
zg0<J&(OQ6jVGQ$pBQ7&q2j|Kl>YRtlH2!0%r!ppTwcHRUd`UOTLn1@0c3P(*?-Po&
z(msfUh^&#AiRmj8Uh`;x_}&%qYb)YMR>W_vL_hdSIW`SE3Y4K7BXNfFXG1^T2cRgY
zQ-K~F8MRRw1qORZcY#g%6OnagrqCBOH6`^lfg8XL)tX`?(fiCMzyZ533_zskL4e+9
zg;@X8eSjtNI`N)DVRRb5y;N2AJI^Z0d{>F~oLsc3s-~;u?Fog-jZ9)TbuI;yd9|QQ
zb(O6X-@WfL#&%xWM#Aa{(S<LO2W(Wra<YBnF2mID+I{o<AF%xT=-ppZk3M_%*025Z
zF9&;+EdO}USh=r|1lyT4PDz@|9;;1_l{af9F&scoE4i-@y>D4#Ar%&Gt%Cgku-5l!
zaRDD6+IFb1F?*T9(FN8jt1*HIJ=5Yh!341?a-Q99{RS01JOA2pT7<cPFIuz9<JB>@
z(r{gu`AzR3Ts5Y%0D9M`p(bg46l2=mbAL7{_C;nwwcZiu1l6RLO06j32p;&}t``J(
zB{Hq0tUBmSBWYIwZ^bdf2tp9}pce%j0?eb1=sHNK-S8<|7;_`xfDAy6Bb@Jaq>mm6
z4x3G3E5}G<&eP2e-4by}b0#$X`mRQBm<J8jBgp6#%%3oH?Man3?pI?rpejZmE5BwD
zt{vz+X3qs!QJgpRpOb!-sPp>W5K>InZ5fCy#BqkjqOK=5t*UB0%=SH-aOoK6G24rq
z-U2cNsA5<+8f1%2+F3{JX<{eFmVFrV6R??8^nF_Sh_~pSJ9IJ{P-PT03!6|3h*gW<
z1QD?+B8H9F@%-|cn^E5SPfSLrF2PUjwUiP;Xp|NU6r0ox*SI!=q79%I1v>)Fqh`3q
zNgfFFh7~mKJm@^w4^$l14STGTux{==aF2=T20gU^w6$=A3@bc{^#r8&=3Lh?EMe|+
z(a~rnf~^Bt;c_lCl0gKsveKO~{SoMqXTJP!-X}MH97?s7be3c7^|%xfwti=nsk`RY
zG^KNM>~8YU$GG<T-?uoNE*e`>mvWNV-FNGiyWUw|j@RL(+IQnG<Ecj*>Y;ysbv-pN
z;_a!WS&fU6$`2$NRa=p2UR<*stfAciY$OK}SZNK`AX0!PETu+7*~$TAYV;CYYf&YZ
zQYkd*^lXH%Bm;z!bcj=3s-q>uQ%|gm1Sn1k-eRY#;1Za1j91;kgioA&-@hM`WkJ#<
z0(aw6NGbWqKutga)gVqW0fX%m#snksuTD;!0xq`1WPvAbQYbXvzkcRYl1`s5$mODB
z$dpRX1?6o`xhpnsPRLCYGB*0s(Dsl~H#FIe=W~aJO7!_wVg~eZR~#oRlFWLq+lJoz
zv5J%lGn<3=V-}}VX%QR2hl!6p`o<W7E_PsH4cLNE1qlswf?y1S#YP)z1Qs9J!GzC5
zV1Wp9-1bIl5ESHP+YYj}HwfmS9Bhbw(u==2q|}MhNFU$Du^@#lf(1mQg3b(kqyj0@
z@MU14(slM2!J>#B;pAn!$u{wDyJ<l4A+!BFWlG?q5NQOd4AwoO6@iBhYg|?R5<wW{
z_T`gOi@&+h>+s`$L-I(nd<s`bM<o2c@HD6iN<0f+sz$w~%<U)X{=!?0=ZAA`Wt@9?
z=3Bus47difF$6^ViERzb4wx(G%+Au~G0v!vbGmKAHmA(&i^y-XFG-)C?Y$Z91}iF2
z6&A`28c)!VOQ=uI=d@+NscMtCM>#9!v}jgFjgx?;0J19+sO?PC=sSzgi@y+7YI%#6
zED{V66=>1UX`{_@L#Gl-y9T3AAn2=%GiCBag!0ySrv|2!8&l-|?v>#oMQnKe7eX2n
z5f#&)U60v?6xx>i0OoZ}wfzi&A-c%@fR>RylU~{$G0Fl;=^<OE^xE)hpWnpmut~MC
zt>{eb;u`42^w7aiPHQ@oOY)$)%f#PpBHpnI;qju!CV~USM@RQkTm>yEv5|77HPPS&
zDk#b|o^QBdQqh~6sn4wFhb}0QviXwgAW=t#sikardR6hL1)@yqo2M@e_)t!hIOU7W
zrx-S!;C|447<}Ea%zF=1XIKMN<9r=i$08MgzHnYWua4`Hb1>9fD0YQr?RREr?sm>9
z!KT@KhS_~ArZ4Ph8uCf1?&^rKS)nzjQ-VV)-B&KHV5JG=W0zoo2N`%AYpa1xL8#c2
z`466BB{H47vJJcS!-tr`TtD}9Q$XFgF3sJnGqbzls9qeE0}N*aQ1#*H=}~RrF!Jtx
zBk0dSo#WyPU~iIKum{c8=6o`1a*(@eyvs+EG*#c>rO9B-YPG9d!WqW1y3y=c`?ifg
z);H4Nn{Y7Dy|_vFSj@?6q~evHfwZK%!MY_no=uHr{~_scbvD0KNJvUZ5MpJ|kSc!b
zH@eOqd?>+XI4Z}!NgqD=f<0khhzW4}Tuiv1TbWFcK9Q=^i}<vf%PV`+v$6|;WusbN
z@~EiQ_+j){s!~L=&gwsxj6{Q&aySB|sL_V0kjV#`9Fbtk;Zp-dBg5G4LKC9|q+Pz|
zuBUZeLcky{BZOVS79Qki!_EaO_NC6S{u8(T&W@%bpVTh>!lPMjqS;Rg4z2L9JFe#P
z!LX-tGkX5c-l6eQxd4LpMCZet8@`Pty-!GfzWUB63yXRn1uDJpmegUsK$;KtyBua3
z^<d*VrQ|YfIqUG^X1Fj^RQN>R#sRxlwK+_Xzew=rWVGmV?s$@ggMB>eIJljT6$dMx
zQvBuVP`3WQlwWK8X#JDDt}}MqtX91o;2&_okA)2<LJN9dqZ{Rmc>v5mirgBcdlmT!
zujMAb+$7nB;}Wp(Ma+VO+wJEB_iVGEFuN&yW**nkQi*dsmOfpquVXO;ma}CvmTtv^
zQp<4=-#15B1Xrd(cy@g$y#ygXJ<5e}gkCVdVxSmbpoQ8v7`_88l?|Z)-?+y3R5PO=
zz-uSCqqxPj!8esSer4bW{t+y*k*s2eECEGN*4@p{ntfU(s-lxOYEp%bHM@w(>ADEH
z%c-EoT6hI_rt&NMdF9~$6|cTos?O93(o%%6h|6b<L}dG|5#;_~Es)0gNY`&+&3>uh
zk)GYKs-CB>PIso&%bh7y@AV|&Hkj6}bEqTZ>hyWKgz8@5l`W9rZqYyWn_}JEz`jDg
z*`m|wI=L!rl5*h?xTcd2cY*ckVtVFXon<{mobzu?qLAv@`9DAZqaWL={(~aN&e2}L
z-s!Ce^&kApUsc76H2z8%z|h3|u-^aMe=psy`o}-6UDZ#{H^<^XuKg|@#VqeZ!rJ9e
z)6ElaJN^G(u$2G1pTajV!_r2XVa3rV%rd{CBY{8$8?lrT{FE27gb9eO(kC>;3m6b&
zF<Xy`eMC`V-(fkrPKjgJw5%02eCJ8n1`3HEKe`l9jaYpqCiq-{F<7?*<8AneM3KnV
zf$ql<s}FF0o#1l;lFbXZ1mg`jUPsR_eR~(`<y}}?Z$c((leqQ|8d-9M++FX~SSMC+
zFDpM;y|()B-sbT6a-pkk6SYQHT`pJi6Ug(sD&#&sG*i}1s~_n_uUhA;mTxWp>h;a(
z?@QIA-IB#>8;i6&Iz3Tx{=5dc&-T?C>oum0&hlu`?;nz>n7j!vsW*q0ad;C#p@teB
zC<OQ6&Gl;m-t@=&^d|7=@pL+F``aj-O4Yen`hvsi;`#KA<r9&$9m6h{%i&(T?ef^A
zz7fJVu+ViY4%!##)+|WH!h0%lt%qysIAHfJ(vaB(30BaHYi-X&j1=a<hnf1k3@HsV
z2t+YTPZqoCR#0`q>KmpZb$}28-iuxCS&G?U5V<8>Ukj`6#>VFYFsQ;3jJLsSE^cTT
z2l4ov_GJQx0<@BV0gwSlwZgpUqB+5sek>7I5#R&@PMScFXd}!B;m+|-2G)QO2+B~J
z>`x6tQTQM28kPq>kK?l+>!<%Pr?BALMY6N&5QLfFlvJP2$6;YdV?tF}u_H^2=I710
z_~2$Nri*PQF^dsnmH9m#Oo4^L&2Ko|+SB9@dQc)@VOE~*slqW&pDCT%+~s$}o#EtG
zM-|*C>A0Um6$wzq<#l=U_I~OV)%z?!SvTIEfKr>to-^tA*CTf0H@iVe`!~B*<ez4e
z*SAu95ltplnBq($ndmlTw|c$(;@ikSB~Fy}v~UKgWAX1UigP#?eh*+M<%5{=@*O|@
zsNMEmYoeS#c(s9H66hGn1Yxgf8rgsr%^eR*-=EspfWRKD7;-JOaq(lpzNGI!yg&X-
z|Hajh6>&U0+WW7LapGct0IIKRJV_A2wTVeU#OjZ^`%}}z`&|3exLPa`Vf@M-wO|Hq
z-%>l_sBy^7-o^?~f4k-3{;+^AQm?+ac%6j?!SrEv+g<0>j$!b;JuR2#b!T|5?Rf@o
z!szh^-rT%F@8<RPs6!GVTCU}t&4&|>O5~xOH+VbAF<lr>cm=B>dyM?e=}LE+MRXM&
zX^Z7X*mdhS?d5Im8(H2Bxeb<d1h)6R2i}d#i|_av`G>r+upaD;-Y={$bK%*-7R&3_
zGOUl>=LQ7)H@3=oylJg{C&?ypz$LZaD7!AhB7@do;zXJftf>G%K)=6S?q%O)*&*9F
zB*2Q06(MWFL=kLJ({E*40)&KwgoG9$VV2DT9{O`&_d>CFc-WU+vL4?mJSV5HP_yS+
z8!c7A{{QRn&kbI|V^|Q$_vC*+*?NXP#}Nq#dw8!B>>So=liDgfnqa#oo%;a|JB*0J
zC)-yJ^b&(wrBLz_U<x<&-1|5PQ(wBMA`><y-MWNZ)hYOjnYS72Cza-%Y&k!NUDYOM
zN92NB#gE6-7!U)vt`ffSV@_cV^GDy-2-aXU215GfXZkw_nh&3BkKs8~(+W^nk-k6P
zJ4s(G;M=Bmxv~~?^CJ)W-hmxWsH{@9g^xv1em5`z94?aACijq!a-aYMQCU(8A2TIi
zGNoV%e}+Q^lzfwx5Ew|%K(P>mH=^)Y3;1L;c0MtK;SQY9OW83$7T)M4@FW47Vltg(
z<BG87hGHkC{wbb+Y#_yf7R5;;XkD-gamY0aLsK^7E(U7;9?|cuuBX}C1Vm`E38q#7
z(jew0$6wjAY@v3U<|`+g7OxX<mr!FPtepg;YIc||k-5mlp}ZBlGE|u2aA?`VSf`>-
z!3ny$6ra#DiQ|ME!p9=!cgjEqay7V0=7FAkL<LM>Mu(YTW90U<DRTH04nApLdtL*)
z0N55F0G25H)do7L<%5k=1Mb?n9Zt%@m=|cTgt&GjW=LFP^|v(5fyq132R4}S&o<L|
z56Zd|6L;)<vhSA+4CRqR%GW%lkp`NLZ76p<7D!>>7w4ZML5PuVJ-WpU!^h)fh2iHl
zWvf5y2RM*xTIW#(AHwek`s(evFs-kD4d&<k<b78eU+VcNqL9Y#DciAMc(%f`bwuQ=
zso{kN1N2xIuiRPiiS-7&LnrqfEwTIF-J&Krki^NUIuVhcn*c?Qi1T4`(Y(9Hs0vjR
z*8av-^GXr8rJ@#e{9--!TOW>VaBFSsDg&o3Rg*|j)UE^Wo&LN1PUp+JziUe<&E7#N
z{cRWE-%|w!yXW_-7iz=Xjx+bf=mbs+cMBh48w%Z^!k@TLd(4CLKL2J&h7_p}%Pu;E
zOo-yH+8>P($a%b*2s!}RCD2!7k<{|Fr1zC2>hfV0Lh=;?H3ogf?3;!F1)ru9(`7b!
z;8Y$aws&mGqSdcIM?10QeP4S5%<P>!=FBI7)j*q3ysLEcvDh~Ve<SXi_vevhx`LAD
z9x5APh=^Tm+=aZ4o_eJOqApFjgDFkj2dqg4n!tY?cGWhDAXwzM5CpRcyK3bY1wviq
zsYs`G#puKy`+N=h3HnNxv@wd2$8Vm>>ooJX^lP<vCiST!BJ=hTcGVj%<=iJfL@8D1
zEbFQ7h2{af9Fr^0utIKlP^uw+;JFSwG7iev&!P8tucue)_3-btxtHgM9<Uw0K{d_>
z&Vcx?UlfT2g$4fm6JjaB&aGjeN~*dPFl+Lu2;_>CgL!IVTn0rIoG6XbO4W<81@>AN
zgLGBTu8|eY^COJwr*+K<lMNCGJf<!xnIGq|FV(N4O5nY_vK`dyd<l|7_1Rh3tGWkK
z5+qWewS$4p3#TX5GOfUG@D{39m-zC^1wJ^2#$XUEo0(k;=>1i+lGDyR<yVDJN4mn{
zZK%x%xgYNsoz`kA(`0BSjbty|TaSf1vY+GLcEnS*?_zMKwp0`b7OHYC=a438mIyCG
zrvr~TMI1r-R!|yN`SW*&cn8RPledx)*;zM@;YBlC%Ye$Xf&7tK3tj@6KvP+9UG^L2
zwoD;m&8*7sdp+Mk<?z*QaN1(9U|i3#?(8|UL9PR*Xbe|xAc|U`hG#%p04p|-i%q&a
zqd{vs<J&hd-g1M`wr6lDEwSV%HOlq%N@<u<0!dTov$PX`n7md(>CFQ%o*fJ;KQTZ^
z%z5$;V(Uzi)*)3+bj(J;2{x{+4T(2;v^oHF*4m30U`%$p@`PEJ(Pbu6p6PMqj6s!2
z(~Pk92|JuUru;G9mx)~M*Ushlen7cK0BeasAl{4o)-$56?R8qOb2z}m#N&E6Wzz})
zcykisxU*!-iD<T1;w*P(4kyZ1M%j*AGzO~?eOPIzi7MQtiz4pcOMz0)GfQF|I89hO
z3cNVgMP{<X94BHZV!}k>yIN`5r-{)$T9fWErgTboISVV7(-WG}pnr5DZ&|n@aer4r
z=Hx^B1|g;fA-87|DK$8A-|i`-4gzR_kkHQpmv48{qn>0UZCNI&gDw3U)-pUwVW#{1
zY^QeXEn`>uY~Y=;`+}?0Bwf)N<IZ@icR&yXSqHh`j2W*teQD|fAia>@ONim|zoZ#i
z(-;3YROkj;yuuMtgC^Xwc{7oONEtet7ZRBooy`WMqR+I7rBb7FSm?8b%hj+T%q7z2
zsu~AJFhF!vJj#JKiuDtog7ln4?e+n^nL-2d+0CNJ@|&Z(QHbel_f%WaoBpAn-_7R*
z<+wk#?uLAJn>;`Z7RnhoOM%v;MT+vskT1R{T>04m54vY#euvS0Z0M+h8zz@$co(7b
zII8Z|jLos|L+$2~bgWBTfLsaYyNer?XL@vDTRa2>%E>X{60I&QJcG&_ZrHlp)*B@w
z-i(?lGZtnS{D$jyx0puJHA?@05fHYXH|H*+>o@n&X`b`y7w7*=6R$6iUS5sf9IUSm
z`=PzDS_=D-<09-GKNam9_a|?9?S-25rVdwO_GbKmHfWCf;thUKddcjMIr&BLCZHXC
zI&WSWq2Y98=yTp{+gW#BCid#l#r#}H@^$$k^_hETmxr$@jofXxA6W9riSMTOiI!Q-
z!L#-2>{Y07w!b`^Ced{qD@U&jJ4B7p_aWbBWqk{JpI-I7z>91TVYynza|XStOlUky
zo24Do+vdMM;l8HU9v<=}P&mMp9B7wnIRi8EJ(LhK`4|7WvBheEr9>tK?SQTpH!};&
z#G8J`;L=qK%+)$9GwtFCA`0=ZR8-w)ZDGEyJwYS{yPO>t@QrYU(6}8>2XkLeC!<bw
z4o~KEm;rM^FGoH2hC?NW8J6S7=c}@+pPUxJR_3i2E5Pgo7QqaB`f~=E`z3BO(xPzk
z!`(ICgxELKme>9d-JVXh1OBYb0lM1obbs_1AzU;eY>2s@;)kYqJc=E{oKFXhr^{G3
z<;~y-rL~ivuYkS-rGzE^d`7k1=>7AAjZ#imO`f;0vpWPVWqGVqg*wkVu^UFq<$W0_
zT*YPHQlB0l@o*U9t<tUNP1ikd&Dlz%Exkg3*ZORBoC7mh8zGVK@id4jq@z<IY?}RS
zPKQMtiLjow4@x$9tJTE9Q%VE$egBaAQ0>w-)s6=u4??#-ia^2U>`>+x_oY;LNV_kD
z?{3%I&pWu_il7cI+f7nIC{tlJ<UcDgei}s$eX=EMWojDw3o<R+6y#-Gm~kN)<DnR$
zqM%wsTG`6hTxCO{qM$YvS^b-jX+K6Y`wU|kwcze?+$A>FCI665JaR+h)S#`Ksczv~
z0da@38xHb2-NZ0|G3KebM?*e-<H%!(<UrEqxJYlp@sUA^0fW+haxim6K#Yvj#gwv|
zbxnJ4JBYp?NYC6U%i@|w7kyU(`;6u}RCxYrkAs=KQK{{06%+6H8%MV`BI3Qt^IW<y
zL7eQ=R(}V}?zn-w{>HqtbimGsW#S*Sj8M{DJ4xAQA1kZpY_!jendW%S=h65jR5M$#
z0RuH8O$@EIN=*m%E_4*Xag>g)5pj9H3*yc*x)~3j9%H>scsA=Qs@_;6HCt<oVQYkw
zHk*o{S7&4=u9L|4{#G{C*0*XHXK?=)&*(rVKizwF>iq~IAnygG9ipy%tC-*aj?~Hu
zqcwD8!z7RNHG<ubkOSAM286eRa&R_2H)w?i-(URgjW2Zf{JYI<SMPY30lOWo&4!eD
zbM@mZp!3(DO3nM<78J+BA3r)f^`_YG_pW}>)^_4f?_MoVzxPWE6PZ!RI6fO+S}EM(
z`HMfQ19PK8<6+{;n;(dIND6r&HLmtt?XhX%l1bC0t{W1~yi^}}>BamP$R!(I?7SD0
zj*gklyhElo{r)wHA3w4)44M9+6Q;cFj0zqRz5mW`^|_4laM{Zef2OKV$@qlDSYxs*
z1@bAVYH#B0VeT#khp7DJ=d`XHgp7p-syDjZ2@E-2enwKn6{=GEcBk6^<DX81T)^{;
z;+^L7)$aZvx0#UMey3jY-cuip%U_lx>u`b<8P`xVVe3@*u~^VVU~fHl<V*({Bc{-*
z<u<SoefN$6$7wk*qmuqIVmWNdz+5=$6VzxXB&3_6Ha~DQ(2B@ITdKT(@?haFYGQYX
z`Rt`bNF^Q&6{~&8L3g(~ClVMHN11!8Q?Ht-%bDlH9G%<=a>>-${DU=_Qn60wO~HZ+
zECH6!)e2itiQk20lg9{p;5!+24M7jw3Vi()tb>{zF@~O_R4d}gPB9mtyIM$BjaNnt
zY??7SHXVZ3{>D))K!(n`A?o1OhM(H%J8?M<i5S<T<1sK85$+rIW=5escPFa^{j;pD
zQ)yC%mU{>py^*UwRPS%$ZwLE(K{*kz3gX%L<MNobpc&oRP%-s=Og(%j=&UNR^K<|t
zG3c=wrli!nl<Q7Fw|!7(+OzYZ_M$*#8>*}CIszh?Ps-JkS~Wn(Z?o@=I?N8$i@Vm)
z(B*EMnMEq;jCK1tjei=vJWku2c*QW-;e4mI=vurRptDSN@@w>dYYyBO1g+xE^N;+7
zye)ovn(h?YPM>?O3|zaq8tt?keEubF1(!HVuC_)pQ=F(-3<_XY_lmFG^H>CLp+=;5
zhE)jy*)EGW+OgIEn!3A<dN6T4C=YHq;e2X)!wDA<Gx}qoo^~;Xkn|4D6jo6S&zOFW
z51I_I7L>=(%nH%r0wQ1B`v+*FmoFW1s{@pBl{7qK8yoWqsG3U#GO2*yAQ+W#!R;*I
z*F*NG22{jQKVLvr9RMsBvK8RXtmah<L-`@hLv%pKC`C3yLPoy>$TKMZ3{MBuj_cvZ
z(g(sbRy@bsO@>$t?u;Q<ewyCF1;mW~{{Z#0i#H+F@eVPptfV76WBNHhXfniFaAOSJ
zjCZDp3yA)tl1f(VTn%8Pbg~E*q*kneSBgbg*j|ZJCl*`44i0j{q|5^yN4}dWa-g23
zxP?1a?MU8QRte7-JI9+QL#zdU4AEkYw~ZJ6t>%qH1r*CI;aZj*k+h|y@r<!^ylFDx
z2#hd>XmKv!0%F;E*ljleZ5*hdYrttOe=aB}h)^1m<&}lvN1%p82+nyQu>fU?0MyeI
zHQa0ONFFWJ!ZXIs@uta$_h7g&1X*i`3y3t(z~165-r|kk>@B^?1UxkIM(eOzLD)sh
zYd$F}`rgSo$HZ8LsW7EV_!J>n#4?!9<Vki?O7Vk>UDY0PqM#7eBZUwp%3j9l(Pf$O
zLnAWM;J<wkZ|s&_b(k?s=2n#%b7ponz1_!Z@23;ZXRe$1F}kB9l4hc5kua8ox<33v
z#&*qp9mUSfg05m_htQdLe+Yxt(@d31s<LdagWLm~>)$JSx^o^YJEpnie2(ngXR8L)
zs0^XwP2F89q+y?$ec;XDS!Y-pOnW#l%U;zhirw9-ad^iyKH+emm1dpcG0Ds~V<sKJ
z*3pZE5UDCe3L8PXe@S0HYaI7VhyZQlKeTc~m9*i`wF5*#NWPp@G@G9V2@9f&Vu~m1
z5;w)0P9uAGXDt1nN3(l5V|hFW{i*8mH&z8e{P^%AX*agRM;tfE%6`I2W*?Qn9v)uz
zOpR}p;ZhYn?Dw-^OmKTIy%)xaF$KH2Slwj_<`!8?YEHvxGfA2$DL=!}c^&!VF=TzO
z+}3=+W3Q3hL+cJLw>E5VL)hZkA)x_WR}TnYm_-0e0BJhJpaNAV5j{4$HBLwoOE;Ug
z7ixTY(CWY+rulHx97;?%#+*oWV~?(b)I(H_UIWc2f)sJ>jmTtGzvK(pPHyvIv&zX(
zWG2-vs6@S>!R5-JwbJb53jS@mpxAJA`d{MoDfOAe)@IgZlyYj!npgrI3sJ#{^Wa3T
zv-p2oDO>U}9}Z`_a8x}tDO-`&21QSfW~ZiguiDyZ=nZnGV=5p2Qg#{#9U1D@tPS9J
zE~<q(&@nM5+a}lVL_5MposV4ctaG??(n7C@k(S`NL^`74j#5g%*{4bY4@H1IAO5<>
z>@xA5bQX;apHHQBLL^+lpYxC%OUfOhWb(FD{zi0S<Vg6Go2cUl%%V{kqb3{X6(fx@
z+&(gmBJ&Ff6ab-F|A;0oZyzHoAOZqH0-{{x&%yt+z5f9(8egBQmqj(|kp`aI7+YES
z?<OzGlKHxt#_`|~!WPO`nJnl`a6Ax)#hRk3mvJT8qeXUeZ>V<Roz+5o5EcE@j;co!
z^R|2@U|7<o*X4V<t>WZLXsiqI#gzDqX=<6VQZOqC1^@MxX-@Yb8;hyfQ_IBGYB_?@
zL}1j+rxvzsmrHkf)kUD|$v3z6+Km2gjBQ!0^Tt#9ySL>qT;1Nz^I}pa|9bc`JhcL+
z7@3|c4o<p5SQkjrbU57FDvGW}=gf7<G&_8hLwal;+oNu0G%TdKzvF`shoeqUaDsOT
zL8Z+Kj|u<NaXmh#N;OOtJjM}2u!k>Nrg`i+I^rf=1|F`S+R4LaSqZNeCqsv|N(<xn
zBt@F@JqcVxgr)|tf|5WGk=&{5QO7C@&R~`#Z^0ImA(Ex^Uw+v83-Molgnk(=Rh;<w
zh43Wmw^FJD&}_v0xpx5gP0bv@p9HWGUsE86T}=8oI;T{K#G<uxp0>ltXE8b#LXu2l
zuuF7-%L8$>--*X?4K^izmZ$_GVcN*6#Zb0i(U&&2SfrBY3!@khTl@^COh*$|rsTz@
zcq`MZkibninrRDoV(oD14g)iHJVQ%t)J?19kpz&5{OgEWF|*cCocq)!wzbI0iiKvy
z&5=wSi<ssrVZ^#xiKtqvUg~XpY;MYiMFUBG<uN_F9IWxM*Aqo<f>eBWvJH{tB0(H!
z7<QH}PvC+X3|~$r{XW+dQ0=cHi{(a<CeCUte7G3RTT>KctkK>HBlZ-}aAD0q3$-@Y
zK4{M%St#QBUEu-Lkvb>pR&P>2-XOwhRsv?zWFdr^0G1~<3jzU&`v0z{=D0i{E4Vm!
zwS>7otPbGnZ^R1^vzikB`VuyQHOZfXW?QzD19F()_(oecB}UNWim3IKbwWgt3l>a~
zNx7CuO^hIi$dVGClwd(wmwN=tU*#8{l0=-ezR&<ZK$F3sHr%?$G(Kp5jn4o7_?aqo
zb@BJT_nDb*5*mDC*y-+w-417ly(rfTr$?d?Usa+*ciQsSg__SFjwvNh>_aMdG~R6J
zjd0ZLs^7mpj=vI4g7Mp;^F|cMJ|&lFLS#0$kz;|II9KuipFMnS>E5pY^2ei3vQs`E
zwrq#jiRMov;dV}80ktuYXb9`V=;-!IWG?ZEzcpkD8Dv*|iXqX|^fX^6=fW6@9XM1J
zw(D<9xAxkMR4>7{f@-w!l=|)#^8MHiZVijTd2s;y&cB)FuNMAS!JC3M3(XDFeqL%G
z7y>8XE~-|Hj4h}mxoSjes>+l8q$x~>?iD8$&qjkncIa-W{^B3kK=<GOre|O4zQg?|
z{?z@jf3wdODKuiv0|0JA+!VIptXqxDrARcUw`?A?Z`?EB(&N|*!kf37M5Z6ga^TD0
zXYcz%dGhSNS`nX7ZpDJtC?iai6Jt#~%b$HE>?PL;@q@}&mT~*#pe+GkCRs%NIKn?V
zw1FcqWf=Sj-lrhxPa0+B{GT^_5NN;b0`g4C|M=o?Tlg~IHsjB(PoEXocKC4a|JUt2
z<GB>GQG)Qjxdg4vt#>m#3mgDI+b6htw;hylE@q}<Gix3A57BH<F}oohl}nJ&B~-(4
zxtk5K5|q~p$CC6AS7xLW-Kotf>zseZTsn#F6r?Y=k5(|=%KVMon_v*6{ctCWLs&@1
zGw9tYuhzE4h!{cwln(2><sxByHhE)2<C;5KgS+R1^&{G4S@_hpNQW^y1?ji$?^Qtm
za(I5$%|2u9fwKId;QHV_H0kK&VSnReb4$`K#~*!IdF&rujW$;71?W#WH79I?%m4p}
z;@z{8<$P7xv!U;>hQ#F>2gB_;#U2OmVcLl^DkVs`VH^@{8BCcp!d`-MZ4l`xv?3qz
zV6@c<ZR}CGkqp<(I_D!|YT*Mw{-mzPiT_o<LuA=-XQ;JB?XM~xHJ59M%Kj9q(i9?J
z%*2nOPH7BrodN(lBDgfn$8-b$Uk0Pi#vh+-{)m|cfJ#5y{g=jG+d#9v9x;B#LWf&6
z`~J`%SgQko@)#SXi#$NN40D9cuid<kkOsCbsGVC<e;HpKo{Wp<BYNc)X=DGqU2<q>
z-vCR1E3N+<gMUY`((BdZaiIQx>c@}fEl95pmPn$+9YPFQi&s2KBvGQp5^d!iU8&_+
zDs8y&I5OU1lPoq08Sk+K!XSwe!?Y5-?>6kV@^C>u#3rxC4mKV<xl<8V8L<c%1#B>}
zXOaiGw_>xrsO0eC|A--Zh(W|FeH!xG(Jov+Yz0qZb_eN}$6?ydlC)(cA8+iYKeBvV
z<sd%x?LllteOpH=>Si#Ejnxm24Vct7nDs{NG2+4nUX&hE1m51sXwm}7%p0{0nkWdV
z=Z7#0dwS$Abl;AIqX3iDhXvQxM^sbCNuuHfAT}952&g2HJU9+!G6twI3rGSAq#F|v
z&*OzW(nlCi@ZOWRas2XeV6?Rcn4>kD?BWPIkqSIn2crhJ&%k*hicM;$!X|qEs6W!*
z?%(g_<NtLujY;=AXWe&vli+T+9SzRT#t-l7ljY|BPm{O%SwuPcv|RSn(4}kU7HPj~
z#R~){UMf@N<^~ZT{&%K}?D7j_<(qBVz3Py)KfUE;L`S`ywDoT4#pkEe_OyJGy!SaX
zL{S%}_64TIOz#NA;*P%4S}Co3NOBdG;b02{`lsAUZXBlS!4qJj#XEIXjCo}VZZgF8
zQ0{O<XG~DoB~Gi03AKi0zPN*PB`mwxCB9%W3v%M#(-~q4Svs<ZnPA>mBY%7;ql?gU
zSqbKar1$1L@-m;xWp{ns!Hc>y{fNMCHII214i*1{1k~Yn;w|JJN&0h!(0q|I6F00c
zdQW|5FJ0C_I*^44m2J5<JZ)g|C<&r22&cQ0huA$xqaj^nK?vR?V#tBBpi+9RP~V;y
z@MZ(}rj5jKS5jfb8XgO0Qr61lu@Lbs<hew3B8whY5Cp&7XYmgO#u=SI+)dncH@>~N
zCcBwalKWu6fY~-nr`~Fza3#&6J2_G**nYm~2R|sU6bmku4ejvjkw^?#r&QEva(bKq
zf1c)3YnLxP3LyGudrSb>dcsKGRZ|g$03ux_FJa)>q(thXy>6eZn3d5Fu^HOzhw9Mt
zM7I#SusuGp!WUOFRUPnoM^2whDGY3p57e|F94`jcY6=LOrd7S~A$_U?q$e8zk7Wdy
zHBP?lr#J-$s#8ix=cgg(!rBk_Z%*L}OE?;m0y5|`Ydn!oH()PUK3u7{WxTPdhgC_6
zgTO7~-gAnJK1#papF*~pYewwRcYjV9Fvh1yS6@mPc$~EQLs5#Zl2-bDc&UG=r7OKZ
zMp`p&uGzNcCi1bLd=;lmON>S0z#g+ai8W-&4w=*CyjGMkA9&qat3Q>-JNNJDYE%FU
z<2OZA*v&HZoR`9UGuvLz?@PXv{X!VJk=x_=dXlr_yp49v?R<Pa>DhR^f%5g(ZKs&+
zZ2Z`1elrEu+-5axBqOIc%?o;gUZltLoJb^+mejP_!z?$`W6xKUv?Q$&!{X1c!Y7?K
zj&I_)hUE-r<1A7g()AUnkX5BzBn>=BkaK!)ywo8}rENQ1=xqeT;}xE;+LG#|@mkNk
z$!8%WYukdIcQ*Bz&Wk2D&MKv>^I&DS7r(r{w11;W@?gjav0bDvY%ul>Tcvp`2~y%E
zW3oJCLk33sXERz9W!0Z3ZN5ji{YorQy5mV+bTVf4Yc*Dpz48!;CxukVOQ&^vDab3%
z+!PV<VJhj!tgAT9crv=@V$2y4nKbMFC5s2J*1kU@Mvrd0#jyRkiLWaze7_$$8yhwQ
zBg;CYq~M$jsZ7P!!!U5(&bo|I9Zm)3+#pdHPIEf*^^u=k#o62f(>YMSEKBcC{p9^T
zZ)aDsVwk;PkmK)#gB(h))5B0lO}4rX)BH4zn5VVQswlm2mthz#gkcmjg^WidX#)sK
z>c;v{-9Bk=cX6D?AM*UAn$}>~cCx?^2K+COzm)%qVzmB=)l`y}{fmp^A$7Aa<bPS|
z0oIKvrxgh1Ie$s4nb-YCc%XWHxbJzP+B|a7)IklSUd8i#_vA`=J<>y&oMIeXY&PB?
zMUe|1BOUKH?JLCf|3I7?>KC=F?U5HeS_vx@gn)L0Ei@4(=pVvAQ7`o9aOd#h3@7VE
zr2`g*vWkVujMy0VUW~d?UegdK6}-kGP80K(6=pwuJ}gXBD^e5>sfk{-wJAsA$xk6<
z8~kSPbgAsRf%dFdf<EaMnzr8&7g+Awl3MvuEDj1W7GUS)EbmL<&m`ghC>(^YPbF>Z
z*+=VgrwTM#PdEyWpJ%IT=5s3UW<7+0;QiJ84Y6KE;g%GY1M1BLiq%epVjzUm&Kp@{
zI|xam)@?aEevOqRyGRNN77+R6EY)4gpH;N#-&8hu7STxCdZreOt?PESVUfZRv0y^0
z1&hqHVl&u=H+uqEN&Rw93S=m)wUhZ+7l@kxMF=0+_K-xP`#R6oBgt9e#t@#N7~;|-
zem?LRMtQ_zeV~3u5y8AYROL&-zMol^86x^TFvj@LI?vr8T_zSd;l7>-&aG88u3}z-
zw#nxPd?q0oGtP*$se%O;C|2u<q!Er2m$(VpRAergBT^vI@51j$FX+{!&>zAdXo6sk
z#t)5a4uk#>mPpaGHl%AhqhoBnYN`vlNFgh^YJefNov$;r<SAb{%T)?9|1o3r$GFk@
zMqcl=pk@TX_93r=*P55jcm4r7D={zZs8cM&yY@}}2L+(mwAlWBA%g=shZ2(Z!mjM3
z#rq&VQ30r|JZszv4-EM2gwdoLflPCI$*|CU)iEy2bBG3ImeQw!*3XG<6CtWbRPt5`
z{u(KbEiZR;2G(hvCRDrL+Yo`)B4e1ArIb??$snY7yq?F4^a71EWP(HP&Wf#&Ri8X;
zp(srI(YE7GUh4iz4w??;R_vx5X^4_>YpdLXwzA@uV|q?tLDl=ELZ}PoY??={Wzg^E
zd0EQL^`(kqP2va0fA-7mMHrFXT5bgd34<So1p29OF`UZbT&M}5lO!T%lkpad45?=z
zlF)B0O%(!M;h6s8FOxHe>9|0rD$(|-`{!daKmtRRiBO(|gfX5*EoabED%Qksj(}_Y
zBv@YdyLX73ze_neXtvM3sc&)H5c+P=smyi_{$c|H9HzUO4!m@2im(qv!lwUtI=?q%
zCul0Swx8vod6Me^H#vB_ll^QnCsqz~m4_*yHW?UT<7?T%eK(M{C$!5Zfy%imsEYk7
z)0zHq8xmep@%zPOzBpDgup(lMS^?i;epLyE#6-@#>tcngrBzE8^o|?Z33Uv1-fI%N
ze|bHXfV}R&kohb7`x`lgaQZ+AOxGHJ48#o?HvPzm8V3E^>t0#km{-sGQjp7S3d;}l
zclV|8PhXh>AWBl1mJ;i}u{#F}8R<bAUlEeCKHMM^uD92!DBES8S5-^w+&ws`JdFh1
z_n5C#8s==AX=Z`mI#H=Ok&}9S!OpTaXZ;Jf)ex-3!~&1!2PZKP=<a7S40vIex>ATf
z_u%vOS0U#ZP&g1%PT`-s@A<k*Sw;@cuU_1gdHYdoN7@{%$%MBkgViY5F9=UJLt~6F
zZiYQWM&*WE+QE>6pr4dQ8iGEg(sM<CBUaI3P>hV7arzCoKLGsrK{D^V!z#uL*xZpq
zOuIJAO?)O#9LFMm5B%(Tu$dUQTNr=t@z<#d{X~7i33zw<d>ys!O2MSiV*zFY^?>~G
zQolmPj$dSYX$v8w97<tGM*nX@449q=Q^rUNtI9t{^}59ic<+@4hzQ0eBsj7ZRzvor
zHdGmJ0Jj-WC2~s>+ViOVS5pqC=L3-=(8fz=(SURL$49CL#LNVy9+1G#X#|}57ITIJ
z#BA|N|3>;0ab0lM4xxu|-?-NGVPFy7uBe3hr)|MiPHK&8LPd_ENmhca?mC&^08@bG
z&qd`B64EjV%3?t6lAVJjkjq-OqsFGg>N)v{GW>2^8p5v2bihQa?P8r~o~ORW%03Nc
zzh}v)>Y&M^kf+&&;Ad$i6({^g9vY%yGkb2dT^6VrCX<@qMXSL|&W)ph^+u`IDjSAq
zOTU^?wHXGCT5i{l2G%EzW0-<Y6Dvq!lfU}J_DshDYVx8#G%9O3$M*>HTyEM4eyh=+
zClL*A-CWN+ynb*3uESFqLmPxPjh=HQiV~w##eLd@(H8mCIuC<nWUWtfv1n{}sC36Y
z**n`DQ=R#!!Hem$z>aRv3^C9e<pTx+_ioh)T2MEpKRTrig{34}HD);~7C9^~a^;%j
zx>v$i+RjT3tZ%J&&be)r)u%3`(+Sxww+W?DE|pz#!F>I(V#2t(GI`uusZpav%EPE^
z=c#Wozp2wh?m;9>9$abL2D;%m(`}dN`ZzIhoVdmO@{vUSl$K^|j=}58g-5IHaF8!4
zXB()I(N4`IG=UOC?UtEV>6mfTLv$_aDaJV83<AzI27v;Kc&NSFZ4~L@>G23;z`st7
zL0#!KN+(m)i)lc90`mEZr;2a0aWpQPWR3bbJRN#f6X3r*eXhZ-ijav)+h08+K$X@1
z<$b^F8BRdO9DH6K32wnUbt4NZ!Tu?LKlgkN5WGzhy*R+qrUNt&ESIlIOBV-HGD>O1
zroy0+jix>n`&4=4m<OzjH=8yGrA@3XGEdCtZo33+E!iEZ3z@O?5v$48oM+f+y@kyk
z2-@jrELi!V-3h~3Dsb$%#<$3pB>(D{#w^Y1)OfhJmP32{=2YmdRGy^D)`l5+FcCE8
zsh)x!hkgt_1)k~&@PsEl?)m7+D%fk9yqrs~LW9q|o5&8e!B6<IY8356d+U6b6_u|8
z7qUhH)S`{Gp~y5n^31?UVVZG{fWS^bj1Ow4v5uTET5-`DQssi?MnK;tWMAL>%wWlF
z=_-^p_IVX#nRnJ|QO3Id;&~CQHCi+SV0mV1iD45x0V0u)Ak-;K4ri3~z{Oaj+t%ux
zsWng_oVu%UX3Q;;91?j_l#VSd#Z<|?jdh)6JSS_>!Suh;Qt%!2h{*d7*Feg9m0J^5
zc$`2^xjjTFAsUOYPEkd}qa10blZ0ZPPmk3o^$fBkbZOXGmTeg*!=0*On}%i#!GEkG
z;%mo~y57aaX4`sCFBTAqc15O$fP^h^VkAmwt;^$(F<K4763#L#YNs+A@&eaynt<3D
zm8ejF*_NoF;ET$)tSL$}08u`8`%O^o5|JIrAsFjer<CIBVTYu%^?)glD3uZIPRcxH
z2$*u{#V2E10-NW-Wm$!+`K%gpr*(4$8LjNMU0jx15rUT5I%f?Sjz;?|Fm0^MsQ}SA
zXN-Bhz(z@Ig`(j73WypKGHnzQZGdZ9B{gF4AWyK2SvGdOVdiTH=j|pZI$Lb^VUWs%
zsSjl_!+J-a&7=5!yZd7~^k%*_ha04ZlwsR>6M{plr4GQG77;3A^I#BcxFX9;rYx@V
z-0pRMa7ZxZbI;^;d#k|#n^6u#K90=gp)7+jSg$O-F~ZX3RVbx&y2$Ie*lSKb2|Y>z
z-Ywf{oMs^fnmp>-4*XCU@hD-l>2%a?Z3b@mKimccu?@14?ZVS|tIXdxB2YK-KcOF`
zuUwvA4h6B#S*J-a@n~ouel#BLgm><a<QSwXOX9RkW;VL9Rg-2p8H+PQH<s;ty0$oJ
z4M!8}FZB4i{G;T}7hPdAxa8CvbL@9Ehz9sVHd6w7S-FVVL@p9s6rK)uNcW^h4Hg9H
zGV0!p6?(jV43lG}SyebH<J$VhYqg?)d#bG?pyI(+^Azk&+uqoYH##td&>TfK5Ymjt
zd=PHUn7xLu4^9tnMKuQdQOKNw_ESpsZxTu}N<S01*2-Yih&J9~S3k>Lzz&V(oRBG#
zl@Esssx_thUzv=0IJ+9O&>>TkzY#^~G;A-&h#C|%jho0+Z2KbmQ1BE;0GXWt45nei
zOe9Fld^%c{T5cPBOqjcad1C^xPoY-CCx)~T5ob-o$2nrtHceFIj4(;*AcEh<dA&?2
zTX3B&(>^riu=Ly}HBI8mwTfx+lx3<|B*}jkt1s|-CCuaHQq(-89Eb=BfzE6mNApON
z`nRgp3!`Ykj!vGhoER)6#jT1;=}}Ui3%jI-=WhptW7p*-nkeNS)}oMOFk#}GhVVAg
ztvV>&*e;t%A2}Z4rX0Xj@g3){C}92R7S)3?i&2Hel8Q!CpAlC6{k67bI52Nw0oapS
z)WXHa1sYLxQbnBRNr2&kit7o)-xm{2MHVuzjs^peffA{YAmVTlsOIp5wO3*-0tFVl
z;<K7H-R?5ku4~(_;YxWsKUmxTZD-lc_NGe$9QzsSGOUUyj`j(PMx=%Y8C%L3hXQX$
z>Fo0n=RiecxaO@ICZ&MIOfJoNNZ0R8$vc*BT-{~*M8aa<B-b&;QIZkN?x5Oq0B~qT
zhTzmSMRM5urwkI6$1syEkhhn03u$V7FqQS5xJ_fh5QAxN(7iHAh|+e5G~O{fUUbPt
z?H`+`YU}5X56^yiSBZzSICOdQ)_Fk`Q42<3x5hjMQ$?OyfwqI*!bZ#UN8Xy;b}_Dd
z<GOvQvk=Hah|GjksMb=D*+qHJ(Ly!vr`OxYBUl%9!w?AtB$~P8@Hjbk2>GiCsfq$x
zFkc+0m-7nE;4y3_GTNq}$9kZ(@Q6HV;0qI@wnp3%WSe)3Ng;wRXK*88&Ju-8M2oo~
z5nFT`S2$D93^22EaLzQ+7YM&c4QUS6W`G)@K%Y{n2B(@$)umK-`|Cy>E@?TJG!~|_
zs6CC2s;(wANz1v}v#1$&?BU4b)YY7*ih0ezLg3{rq-1fj277^hCq$*`;#TQBwgo*s
z;JynQPmNHo5LELapz(mCWcZN`njXzPQ=?LwPzJ+BDL2{TSOs%bu<^{asgxrh0_QiR
zpaJry(jC(DhxRMes(6M+S&Ew2zD{%|oFj-$xa5#$-cp55OV4|tZoAT?vOjSTetbSR
zng*E)0H=BG+W#qmzRBNYY?A*dUb2J9zT3t5z4Lb6J4D#2BSQGAPB-<HeHUAEz<>K+
z4+`@C2lmu_RG5pm>RIHo+SJ;jhxmcF@8sc80sE`H`_pOs!w&#@1%6y2!#>iiUT3O$
z>3NqrnBvkf&6lXzEvsLZPw6xsb^BlR_4wpLSr%EOvK(2^<4fmZ+3k6~q7maahS!<C
zGI63u+-{#O=8Z;g_s&oHBHn4L9|?lBj4`)m;qCFF7%nXT>Fwv!6bHxK9b;o1R@~z1
zZuc_7Y!d3@qO=4{>Utnx-K0`|SZOgEYNl3Hyw8_g0+iGNr=!LIsxps+a9R;i6>eJG
zfb)7(s@@-c|5a;FLVeu$wS4)h@6~`3-7qvworK%VE`mm(qXJw2(q#v?GsUr^vdI6z
zKj8b}bhO`nD_ReJ|G$6zPUX(K2ZI~`df)^MwtBs_+t-}{tJ?FL&W8}|9FRJ@y5#-M
zUwXT>1`Kta`XvuSw$QtLi49*W;x+ep3#<PxA-;$xYlBJtPnd$3?ETZpNuzSinI|FT
zmdnR9q<;y|RKuEYDENh@<de^B3d#tf2B>d*+8|qAh5e{(7eH;^WgekmRR<O!&O<+;
z2zF%Zz3|GT<75q#$9hR|@PxflwEE~w008yW^mpkqN`FG5-^jg*onAfq#<j_@-$U)w
z#Vw4$v(Gml9+u-P_GN96LKA{<es=vrOzx5&738&iebS@t7y!lpuqVk)HVu>(?ciiT
zA9GkVA2*dqDZx5rWXri5yKYh%(5dn^6%ZM|u#<ilpXtDvf#i7nFOMmml*ZY&89?yG
zPsXZt)opqV(7Zd(xHq0)9YrIk*c07KN^s0RlH<)iW_Wh|2UpI`uAu%t(pTW!y(O>1
zlHRoMSfJN0eAp=K_n+9=4W!p^e-L&MwQu$t_Ww6WU0uP0cVP9*9|kUA<a}%C51Dri
zsy3)LW+*k7HGE2`RcSuhqgIZH5JPAa5Q+C9U5#IBi3sF);9wG?NUYh|r0_p$g+AxB
z<X733Qzlf;T8CAB@b(_C@m+Mu#ZE?h!L|Nh=(YKOibJ`q3j?SJ1Hy1ZZ%<?8WGM6$
z@?Wkh!$sdB4FNueZ+iN+BllKL?LGBHb>X|TI94JA^2OPZ`tux2zWDO<=Jap=DD3rg
zPo0!}P**8p&-12;Z8BlE;}`MU#xVnyDyWK2|0auZBC4>Jdu3}g8OIcV!|%Q2&sl{c
zLW-IRivQQMtA9OClDf77@?TZ5$0bSW^`%b+iXfEtwfw%i+AIAr+To&KNp9-=aU^&4
zKx0dPQ962buk-*v)jv(g_CaSuboF^@<q*AO5+^c6xJ3t?q{iFfn%X3Wwi|i&Ia!-l
z-RD(@eFtG%&R_*2m~E5q9~Sz(UJZv!XrjBH#>1PHWq$btaqE^NDe*R8IWup46ngAp
z&Btu86gXUVu3Aor5ej581K5`-LR4DkezFjjfOy32*w@X~&5OoI?I8n>R;A-3H8H!D
z1!3ve?`nv+34<K%BFJqW#7h(IJ)8+m8Fof1{kI&~7K&=f6<=IYx_k2jECd4&(AZzN
z9XB{XivMk$(qF9IW2Fqr4}4*7b>cA#ZE_yP8D8pZ#G5-ydWk?mrY8e$UZJ~xy7^KI
zj^p^1@a!At_2bld*n~ni8AmPa=z5y?QV-^CzLm8lJjT1K^!C$5LHbcOKmfCPpC3!g
z{UAjle){cKg$*KUW@{?aeL94#B4I11Y}kxE@mb3RdVStvve(&fNlSf@<IP^zWUL{F
zBmLJY`Zej1BSW~Y4Ki=Ivl~&aVF{NW-n?@&n-Norhr=}C6p?4bA<`so{DeVq!`5Uq
zAC$Hf3=3Mjq7omOi94Okw+_ALhtir<`14n#kiK?Dk1mxNr^+9A>B_iyYjyJy+rz^C
zoiv1qM`DoYP30_@ilv}12dUR?)a{XE5tPLjks~PQavJZr<x|@+O^_k7!VL@juX@D%
zqMQl#?QmM`H^P_pV-8hNW99R5DWjrcMyP2t#3UW>cOKs9muIVxTI_HYDdVh;p}QHz
zkGqaTzX;H_4pm*M;Sd}90VSZyH)f_k1gh=UVg_gDgG~$A+W`V>c2X+NBZki#*P9G5
z@0FU4K=-vbV8_ctuWIRB%rcZ_7oBU%K7VC84DXjDG1DQ5Epwdz)V4lc+4<aO&9Qyo
z9!^sa|72GZ^wl_;rL3Vf2d0<Z7C2zJ{0>XyLc&>`{w>w=Th8TbZSWwg#g%2hvi0mE
znPo-?Ii`ixb1}R>?ma68X&QoO*IO_pgA2)4y~0v(fUi3TxYpT5Z<>Mr!*H#zx4N%?
zOJzbt5~X#0V)9usw^y5NP8}pw@KJz*2()>!=Zi)X6^M91os4KG0&aRD7EC`7kw>W{
zz-oBP%!j^aUgr^F(hzH)&##H~6pR>-X<nM#gqnTnR#vq*9S)OH-Fsb>XcjoYpcvMg
z_NFQ|>1}Lazhy|yXJoofEs(*(ylTCLk!=&1Mzl9*B+%!NAisgB$PU6fBz9dFg+)%O
zMCJ2WB`O!mNVxqb#Pph5HaqR+`_qUN#@VTeHy?Sgdpv0$DPIgj#uYasAD=bWY8zy7
z5AG>XSjtW0jn(kJTt?@1_1GLLm~v0mRW{SVj~zTeU(qQ?pSraeYn0u$Daz?BJy@>p
zuvoKPu#wzmG#lNI0k~8g2ZXoF#{r#f5SJl<{lbJ(nV#w<iGyo|pl*f8u$u39?qUVL
zBt=+znk9Fyc-HTX`KXF$Mu^cd-0wO_UQS0Y7nB>ybsBInqn^NUT|UIBjugyVZY2D1
z9aHqFl>!5=R1+m-fLbrR7&_;!>iu<C&TV~B3g-o4+5EBJA2MwDSy0|LDdLZHkM1{u
z3)0n7l(weFh;7A?wcHuw%{ujl^R`Z*s)>xr#MwxiL*<HCjQZV{9AL&p!O|XxR+0Ac
zj{9qWTVvSo__oHum|v9K%X2~A=pM?G<DMN#N<zFTwEW}Uz<;;z!#uw$wJ(xoJLD7G
zW+x)@>ZkbTx~Qx8BtF_z4E#uq_e}voScG%1|JA*{asia`9<WjgDX$0z*UH90455iS
zi(swx3TWob+OO=Sz2{u}C3Cswm^$W`51dpqsf*XGrLD9avmrqeyOPvS9ErRmAPHfp
z>(b0)%L2u+y$ws|(oL_sY2IG}2LJArXfWfV;DirEtw{T(<o<)L4;cMlr)^8<D4GO2
zV`$>6j5=iY{W{>7jzE8NX;?*q9yBltzyHQ+UwgDov2C|+^`X7xjL>pC^8ur7;@^WL
zL^OmF?gpi?Pqx*?4#Y&Z9^$KqxeZ!7$%xi860vk5WLZdIQ$oadA4ZdnRSPoO@vqJ&
z+O#jCHspc15*@1Q&0&`N8`nUHB#1)e)++0b01+u^M36mQwh&d#NHAm<+B_sU-=^|Q
zDA75eW=)0KQcy)i?fO3siS_6l6dN6ZHaaV_7GSDtvLOhh=APEBmQukoA!Pa;IH`6*
z`V><^k%(zGV;k>HSB%+u^KOQ_N|&_YI%~{^gb)LkI-QRFlSE>~zI@K{M!kF>fA0c=
zF`5<tk2C}$GLIJzKPW8vH<u!^3vwu<dEAsUuo`%*?%jEjEqJfBH$ry{7glb>y8G!-
zNM4E~PwO8YheBylkyYZ%Vb`t-dVWi)A>dpMwO}+UVTEBigfk!6Anszb&E1j$-w4OL
z-gDWy(*%Lw>dgYnP4P<jS-%lxvd8I9w(7)UOqT~ecrb75UJVsu%ZF9lZkG(Yjk^kj
zApo)(FM;6bwBapq&9g+><TJ2fb^YsU^l6g%0<^}^s})K)fQp>L{DVs_<FFj+3=<U3
zF-C!eh;kb{<_g$UI~H8#tP*#DfQSt=#m#QXG2gJNQ14u+4L~lgMu~uAVy+f{+>l85
z0;RLEmSx($L+|HmJhafnXo8AzWsoTJ{%Th3-q6fbk{F#_D?{uj9bF4S0LvfzoE+i}
zL52+;&?(g78YJXu;vXfEVTbj^4r72k?}q`4A*T5}G$0=v=W{VNqkv~?Lf{D=A1v0=
zsL0q{DE*}86l4SjraxwClX*ftMqq&<xk4JU+8|m<SG#rs%4<@(IA*4&SFnpDywWo7
zY*yD>@)D%)_TPA`A6HJt+GOCf!r>uNG?l(oXpkU=U}V2v@Wbn`J709x`=97{$a#xw
zUrOQb>h^(M_Wkg3z1940r$VFpM0NGmsT52f72e&;%jVtM%}e#6|M=>s6M*mlLj;d@
z+OUY3Ojn1l9Rtk65O8Rc!$3UYvAC8bXr`By+7Y^g0lccR=O|mPyt+%2if6UnLrs)X
zGNL0e3CBbyJP<b0L45S{7a@lsQ?L-8l{u3@N0Cw+!pKsYpe(-<w^SO?UR5HaAR!)x
z{*h)6`RbARyA+Pjq<ZVKA}}`I^F58i-WW{OKwApt(#H|AY?+Xlp;PpTDc)&E577SU
z@zCgHbbh5c&&)iE&{Cov`d*VaChcbii6g~W4{5lwK4kADXv@oz8YHg}U>nk)?#Da`
z3c~d<HYEsLc$f$J)AI1F;NfBw3}*F{X~oa*^a0l}L_kmc&|4o>DO#dMny&?@N>Kuf
zN+nf7DX2<efw)plVSvK*gTg{fA@yeEG_rOt;6B(bhSc~lh_5JMOn;8fQ=$+){RHx5
z6O@Tp(D0W}%+QHJ-sbT9W6yIzJwo-Qq!6D{N9B~%nw*?BLH)zShx-p8vDib2A=;Th
zLaVb-LsZsz61wSzYPaCAsBIZ3hzJsc%8rdSH8={-FHF2p^g>8v$n&5EJPLqAj0%hR
zmCIo*2b5Q`75R&2<5E&oY}fN%S3br_b&<T&dP*SNv#edIU7tsmLkN$I(h%HH6nzaj
zrxjsVt)fjX1bi7@auZt~^D1het2TC1>FjWp2ev#7r`aL(QaEE}19a;TFHjHA^CJK@
z1MVk1Rv2`XSIlAn);cl?oYDr@nuE{EeLC@k4Y*V)*$1G?Qh=RhjLz&j3GQkAa)F@2
zSI73i;^T<(Bp#GW<h^y$q-@ky;KE+olgyy{JmNO}_g@m|bSU~SE3!B|B~uWZp0*-C
zgo(-5C&IQ@Js=pkaoWi6#r>b(z=Qq(=!VcC*?{%qVNdnQ2)dLtG++Lu2_ZX8qb)`&
z?=<s()?CxF7;Ccp^$EM(=&f)rBb>Uh;?U*XUTWLMU4+qcvQ+=L#nItH0ybaJ^ZGjB
z3dnj8p+(>=v_8LXEJy#v`1;0!FPF*i`c+XBAs7viy!dzDO)OPgiw(QG>uY#?-UcW}
zO2OX`2$*{UFX7DuYBq!EV(unZ@%1>B4rl{ZJ6U$St7-FCU_wwdo9R^+1FMt@wM=!g
z8?r!`;S$*qN?HSc;b@KbAgR7medv4rO_{9rGlCJsS}Uy=Tn(oBc_4MLS9Xo#BJSO(
z0=#UhWDQ8%;My&60&e-N+^<Y}@?d~*U@Hl<-Pdi2Z{xkQu<m<Wzg!@+w?8_D3o;Yw
z*EVw^f(qUhR;EpLQZ;v45uEi$As_iQH6(^Ks4~Qq22`$IK9%Gf&&Mw>ZLr?KX`y0j
zJX(X3LsjveKVSYZqkOy_l(MY1JH1=~yWam8HgaWLlXA8f*d_wb?nT-(9F=T>1uX)|
zjnY`DFLK9X6&e<8NjnwX$5Lwl3};#eURe^#xgQOgAsSOxPQAcqTy8IC6V20QT(E)?
zw9(-+VZK<lCKj-0p@@z(VsT(puJ-ugx2mdM-a0pfD55zmss@78?~-T9P8-S^!)^$o
z+7MsOK68o<2unCIi)yGKEFwIuRG3dwk+EBZ9<^)rL^ovav$D*7;es>WH;WKp?0j0d
z<-tKJs$uvIHr@S6(sj6-^`I4c<Um`&qV@&Lz{driO^KwS3s|_Pn<=1QRed#3^_&R@
z!UM<^;S4cTFkjD9X{GK54Tui?cRTZw6?Or#G2ClhtW_vkVNLf@Nn^*yE^JeS?00KQ
z38Cu(sRS#=+xR4NLl!6RXLWk4OA!d5#5KlP&fWVrb`Cap9A7hr4N(MCMXJ1y85%?g
zrde1u*PS+t)U}N=BD{h)*1dKx1o6G;VIffOWYdudFCY69i*pg&*YQk<N8{<p>|9rE
zN&I$@9II=J<`Z|eDyCg2aB62OkrItI1<5?45O}G9A5<578Uv)9NuB~5GEu8T)}%|?
zso+s7@z}aGCFw2Ou^F@FSVg7wcXW<O6|hR74bD{o*#$Y45p-qOD1u3Kcn(SnSfClG
zx4-}8jG6by`{g0H{STb-igOXXy((B0UTElnyfaMGC%heWhtgB^w3tb~kC^pb$!pZs
zt<sj>3W8Pb`<b|aG7n;BhZRI^y2;>p5z5QeN2e>2Fs;b#bkQg_8pf(>88<f!#I`mZ
zU<@w_0z#9U2A^pfo62cp*&%Pw10*g9jiNsbfGZ2jaMgoO*#n(M7a~=DS&0J5t82h$
zWH=4lPbTq4tuzQ6w0#bR(%#_mJd!1gJkvZE6o4Eqk)h~ly#R^_IS6Sacu+~m2zE{w
z!(BG|u-UT!T0o`0b}N=eyW4?Qe$J(GgAc}I2>Rs~6G?)n>TZoSCtCkrT@5v{w=)w2
z)txOARHCZg7xpgbO~&i<gnL!nR3?6{$YSG27}5WU|LJq8MM?=ADJlN&Y~EqZn4LRp
z)Ytd)_c!!Zec|)%ym)bW*Xq@DF$~`V{#x*NYpy3X@N?@n^|Aky*oe<Q{`}N0??H4<
zDT2sW5$(a{B<oAIh4>={RPd*YAQ6bEvCsPXt?;Zsz!~*jMocIM))*U8@Mx8iJ&kzv
z($_fRPH}#W?90Gcaeojgg?xxIcqU~|;&tr|$K+NijhIX@I2`ZK?4{obHXPj~vx;Al
z=YbeXcBJmuk`Wa`S%CHhwO&RW>}2{ikLNYZIF?t$2f}9ty8hOwF3Y4yNNZ>XR$I_d
zmA*%Qt+oetyKNRLQi2SgL&K#9t>vdpANLl<t(`-E(A=$yTHvRjrhD}SY!K0sA{R=Z
zT6FRS1#~(16nJ2T<b`AhQYItOPt(160{SCM!(OLb`j*@CG4R(x@MJbD(RW@i*e)3V
zV^CBQx-K?|jAxTu{ZnP|ckz!MC|fV><wj`J?H1V0O+6h$CZHK802|fB;pY#=S@!zv
z>R^Y$)8C3BjNQ(0(!?*RS1*5`=7Kh89W$GzjYGsKVQj<FcElcc3cfa|+%oa2RdYFr
zfwQZ2{ARmCK>=O?Zrecmyxrh(qOkXZ#4dLSWfjGn8g7*=$`Zq&BmO_&`&`z`B~%7j
z>F!JhRvXJ8eL&3Fi78BA8AB&ENfUn*#~8Z~f2AL-;f$Z&=Hs&CwCNt~p-jhzp-@H4
zb4n}>8k`GXArD=X+Y@zz#2>iFLhm~9*CY*m^$Hj~*LV8$+x9!AzE}T;aq|gp=Y8Sm
zozc?&273<lmgwCo>$VNMrt8m8C;SuP`l<>GWSqvi$f$w)Kz2Ma75M5EF!f4SaCP@)
z<rQ`b{_H&7zv9$ZT`atE6zECOyId|Z%Wa02th?>`Yi73GnK_XY>P5FuN>Q|h5ykcj
zWyAdJX`P#uvmm<ysYh`asxGI=q5!5ilZHC!LX|#^diC<xIO0yNCFEvZ2;>V}m4k!f
znZVS7hfrLgQid=Cz*HWt^UCq1J}j;tqo>z>psJuzS|$Fvh@z=6G1rwh=}&(0X_{A0
zzs8a1^yn{GU1Ak}<d{hcSX!=D7D7q|sGclzP-+01mUOr{S0%<kQT9q7)W})*)c8o+
zrkEQIMM{vt(~nXHv-m;dp;VB*XYl#l>+>-#H|Bc2;77lv6jTtXfY1~bRHE$Y_*{u1
z><<0Ta0s}n2sk9T@Peg&&~C>oo}pK-e!)ok=m<sQx1I64vX7=5t)8upIJE$YSjXBW
z=mlVnREnEwkk?JFoxf<FwfFBIyf|l|QE^%^ZABO>c6`DSdiCmeg;yh=$^F`%TN|Bo
zGTE^WR!GEnXaoByY(=A9V6RSb+Yr3U8<fez7ly>nfW_YHc6x2ZmW!wC=cmI6diClT
z{P%}%InIfER6GznANJAFvuA&=QClGqYp(kd5Dg)zp7iDz)Pyz5%O4&WGSkJs|LyOe
z9RZ(;(~9YREr`bob9@@!La$!^+A>+CD9n&ecc#_;-#t>+1}kCWgTUyzuomGpEe5&6
zrVwbFd_dX7PekX@O{LfqSfV(sow{;0^<<Anm1|x-{eo|9B**FAoF|LoQH!@DO#2)E
zn6m<b0$8i03kY@vwWcNBY%{)o+_@PiL1U_z61IlXIEh|8{&;b0u`8M>+urC??@Xj2
zE4G<P=tDi=oLw3OZcd2Z&2doICv8JUw4>~q*3d%G`EDgnPuv0GE)a(RkAoBp0$`4q
zATS;RVw@M~atI~z9ym6A?|{=Wbt5<uIP(#XGhWfM0|OSpM){$dTmcolXBOW%lM}?p
zl>2B5D|Wm^q)&F_Oca|xGITG1>wm?mEvg`&A+QU;AcX)H5y)TwZUC&>Q36JZqQ)i>
zO|aD2Y6H0lCUili&8onmh<Gck6=%>jhYH8h$1?_Jk~I&ycAKz)*Msu0K6tLp9r})!
zgm?!nJpT>on?I*H4daJANs1jjGWt0%p1D;7@)qDlbLT#~V<3Lr92vY5fIiuga~+~K
z*wv-91a+5|j-rkQ8^M>LelRkO#w%KOWWXZWD8CG(02+8tJ9eK63h{>A{uUTJ8W-u4
z9XS)l4jvh;0r*}je=6d-4}|3^zEnqimAQKfIH3mUlN~veg&jOHx&byi&x=4RP=PBT
z4x9+0LcD@&!v>lMAPysaJY#SsS@WoC4}=ZIUJB+x2L{Y`EY4Vsc#rOQfSQmA`eaAW
zB+CvS8Et|MksVS>c#fsge?k8V{R8?lG*)MHmb1N*vzEMUNv;2cehr;A?Ml5&Eb)L#
zEn&6^d*Sr2A_?In8xNl^zk4&^+~<w?1JA8RSi|d=Sp4)i2Tv!Tigeru-#`?89-fA0
z;00<t^Kc8Vlqlfv;$h>HR<UTRbAa{Hky1u6l|FUeFL%aZW2euSFu0_~AwwSIcf%em
zcxF_uTxi)A@2M1w-Tq!)0DY+X<Y!V!N9%iQ^n;+e#G_Kc8ZHp9dEc9`ECpuIWV2ZW
z!8S4EK_ep*HoeeP&#6uuGj2_JEGslF%;$udw9-oMJZF?0Q!kh?P0ZL?Sswp1vC1;;
zdj|^0>oO?Ha$$fCBgnL4jCp$+4&vY}!KKLOT*#otS!S&k5g;1{LZwEdMnVe58;z_a
zS~>5dQklnpC;|Y|8OwgykouibntyWQMds@weD}5Cq=$hp76vTrJ8W*NkcQcvs?Cm_
zZRTWkBiR5Hi#E&^r8R&NVhxr6eDt$DI_n!{?ytm4KmOvWp^Kwcj}Pv{ZoAp6syr_{
zTMLao)z18$C>t1M&iN2R%34HY@d;;9?IKO;aSGuk;Z3n9^p6XlYG-^kh9|TLAr$5L
zdi2Yz{ZoyVJo?ZJ-edoF)vJ=n*Ka3xKX7%X`BiF($eMl0mObA*ikKVGpCBV5#?Dtr
zlWGk_1lS{@{|9ZV>q>3a7Rx}-V)-NNV&FU=UyoWbx4}4A<W0qFs*pwCiq++y2*l^*
zCxM0O`eYg*h`UYV8LV;WFMI<a5=GZnrGL<7fxYKFGdfA-Md*f)WidbZ&8(v1rGA@2
zj1}{GvCng5^71I5MF~5uVp=#Q=L=^<zcIa@^?Lf9<qg(_9ZV(Y`!7)6355k;W;a3x
zpiq?ey#j1z5Ze8CRQU|H?E7iyrvO*P7o!#meFU)fh0kX}ErT++!YghnC#ZxPg=hz-
z!0)tg9`=Yn+W5QNCL=a7nZC=kRy-RH9=jMj$>zf=$0uCE(aR4;lildz%15vPZ)$D<
z?rYKjIh-724WtO%BV7}zkjZHrNjCD6{6jDObvGR+<IT7Kp>wjx<uUi4|I*n|=yXOm
z=g&XldU*jmxC{QQ*Qk|{8AF~}qktkHy>FN}7-bA_Bavh}8o*IP7!_yR+6I;UwY@8u
zF^S*%zhVi)3wHfr){^qT*J&xf6otHa5cN2+$G*#KN97#uLmjx^07oJ{j!)>|m{i3E
zZ!EW}5m%AK@G!3Z2ki}07YE&1D?B3WhSbMtV5niJ8bR8*=1KyZRP_Hh5Oq@&VJa(2
z`u@fyU@M<kO_lUUZ(;tqq0R(>z3HPa$N1kDFIPemEkySKFC2p>5FCrdg=)@;v;?cJ
zL2WzvZj7f1RYsdfampnr$kGSj$VTbe6;G`0DaC2=$_}uQFv9g%TGLP?vb$-3weBjW
zgea~NM9WH>i9!X%Bt;d}!jxHwuqsQ!L~Y5F9p>=vFM6|$@>dLOSwf4l#3}dqz@c5r
zlL$o!cwnr|YkucYvmtY@vD<P0@($!$SFPmMz6&KxT*pp##N10eKka0UKohEQr*&UN
z#u4fJ5dlhQllO%ckWaa*K$j<8At5SI7MadEN*!2AVR^i=l#)XfN0!?0?c(L#QBD@e
zh)3E$6eG0QvC4;xx#XlW+-@%BuHPCvAjYrOj5Vcl0zT2HTt8{7kNPI1JbhmnU$CJ!
zprHCa$d6Ha)vrxiV14z1G2>EDVx+XGI~vy&u_iY;H;oCJ;kDtaQ88j1YwKVtq|G4}
z;=t9qcr<C)ssjiB3n>Q2;wKl03CD{Tu~satBz=qrQ8lb;qQo~gm?2aA;USKd30j1i
z_e=DsLwFcPnbJr9+=%$~B5BicFSw3$%~Q^AQ*DIzjn;z8Do(1LQx0J3k7zEH(?CR6
z;Waa{(5U1t`rzRE%x`z$id}@iNSVK#1KK&=OsrnzZ(w8{8TQN3M6qCt6c2C{0XK`-
zAQ5wWTGye~<h>@-)SgWFf3L_q6U<!XYq(qL>oG>yLJBMJH>i^3MIkW2t9jY6I-j-A
z_L@OCVC&2Rv;XUv5}a@_mpM)&885=0l5D=FPk%4y8%+;O6I&B2>}}t@P8t5c)XNK-
zSY|A=uUi<$YN8@yDh?8yDvPO^ny}Dl<kcF(d5G|vBpsq;*+_we|Iwn<wizRqS<(>Y
zNfgq4Z?X^~79VE9#7rb=W>cOmA`-I<oBBW#e`NagU7=&sR2Eeg_WMm(%6^^nm`hL*
z5fOZwu}>{;%C)RZf!*b@tfi3Zr%ln+^n;h0rkg&{CaT~`aud%Y{S)echXN1^UZ#k^
zYbnRZfjS|SO*rIgK%r@lr2#_Qr4%f=5RL_<l~!}vwvsEArWVH1i6{4zPECQ`ok83G
zZmVE~(nQ$45kwDuLQ=PL(g`lRW`%mgrX4dPsR%QRh*417v?m=!Q(QHr)LM}MMZhY*
zH*3sdYKr)aGldVe67OtgN+*cV63YjpTimvz+JLtyJqtrbw1qn}N>KWm|GRiqPy;7X
z2Y3--&>m0}wz#OQY~i(&JD}YNiqB|An*mZai$$zlA)&QG5y4=NBN~>RBS@j`2MWnt
z({+x#3KBYryA1iR@U}!EO9I7(*NG{36@$8AsR_|Q5|#@VL{X<$NFn8Rr;e%2q!893
zfne*s<lWS@s3lv-x$C+%$Cw%dMP#~C&<O-OX`1Pq=bU3~o7R;r5mpjqY$;WCdLj-=
zMeXY|muOZ=BSRz!8w6D|IdNVx;UwwiEC;m!NjBXGn~6AiZE7y6T5bxH_ZqSfd`l-}
zzGf0udTILW2FpLR{oI&U$!_~?!*X$!jA8F<C5J9}4$D^910YLXXbebuWRHA^88hL1
zBIX!2q@&ZR70;X9!h<q{2POaghj1mi%z=PgDMO&mO<{{c50wo_Q?sH1a-_QNU&sgt
z{Ab8D1GjYOxZ<1NU7KyI2d9%O=B@9tkG8tRG{NX~2fo{`Zo6RcqSz%%z7VXQ;<2RL
zVTfjzEcrsPC;nqmMzHOp+NpPGc(@DlyXbaF$D81Z0hnjT8V)x<eAc#}l8X1+K3um(
zBCh8wOVkqnmObHxAph6ClnhgOYb^%_F^p;$T>6w3g5AFpLZ`V?*6$i04wr?z5LA7~
zhm)ttCF3`{e<$R85h$v4bfe<3C69oD|3~`1+a$G739+)%$t-=T-!NMHoe**&Oe@;`
z#61X;%bxH;@LTA2+NF9fYOPJp>!n$qKS`hRLhyn6&VqVW8}+D1J?c@98mrQ%M>Xyr
zy59@g_9686F9)4<?tC6Y>EY50zTt>?6>~^kjU5Q1#}O^w{>XeOy}Kmvo+K;};9Cjs
zuGkPS`$Pr|FcvoKHV>`4=~uw$huFg;E<~W%P`f(25MEdC{{kW=eE8O1?@5GUJNiTd
zcvoSQ_)@l4Ht~MDbm}(Jt8vbzgE5EbyX*-s1XbVh(d+4Q$@uiD?}XT$x>qQrNS(MU
z6fc|cG*D0ry~Ks_^h#tgII0o(6F~e2>N|^7k9yRj9`&e4J?c@9dQ@Y8$lI>91h=YH
zA}peoC0rq3!W@PCfQo9R!%E3SLLwm%QFoigc%U;st6(E+TEso;J198c*VZnJW$(!G
z@N%~Es%z-;=qQ4P7h)2Raoc+EDz<86$Z6sBBCTGGy*B+R$g4rUyR2hv{Z?79?e~PX
z%$dqPxx7+@j?jL$MAzD1C~t^lLM6%rzewB~?+|NL-I(RIYUG<D$`#ao-^F3BH?6K0
zD>bW(W-?Ce*_%lFQw>!Zyjphg%D$JXcn@(|OzFETLQK}2va;WGnYCK7mLv^hx9GbT
z>XxHrIvOezyVZPG_e?yBOO<nZdd<iBxCtB+N;qOj)*nK=Y8^qjtrgk*Et_>?#D~ob
zLO|ASQ1O%cF$qwvEploysD}Cqf}*ZIh_;U<azyzhW9#gr0ku*ym^DZF+q_Bs(8=eY
z+&Zt5%c@IQlzZpj>bS;_L<3tX>Dr}!M5u35tSgxIfA8@9tXjNOJaqc}v+IjrR9swt
za_Q()vVf=h5w^7v)%V<4J>G8gnm+|m;wc!`o5gv`ZW|j*Nx|+oZ8duGQeYp@Fv5KD
zW1CI$%9BSM|9Hi}%BrsI?`z?MAc_L}iYBa39*w_^{Tev`Zzldu;J@>9e*TmyDgF*Y
zpf(hTqR}xJ+Qu9><~KA`tSzPM0dA}92v)<L$;|f(7k%c@W3@+FePxch)0Q(;IvSQe
zZF=@=PTVyJi4~N&JcbW;^j9xhCnuj27GeK7`s@!eFD>S@H@SVLea+nszppMnBGxEK
z((j{09hme#mq!vV$LMaRxo|MLWr(>q(qLO-rY#0$u*x{|mfaBw@aTxFKgHS79({?6
zaL%?d<x`I<X0_u7RT_n>4o1L6z2RY073?!MI*^>Jyj3nKEllhs@o>S}XWdMvOWaO2
z1xt3~tw}Gtfvxlc1rtZ#Emfn8R%W{0?Rj6tdAQx4^8j$Zv+(ubtMr#eh?#m}u6U$O
zvxhU9ovX~co`={F7@IBOD4#R)W0JIkQVTblHm|eok|}WcQm#-jGx?FN?X^zlUQO7C
zrrtnmX}=d>8z=2q+dDCteYah|xoUFP!R%&)S^p0kFH@XU)1A2AY*MEE(r)4yt;)7-
zFE(xe4?Npm%Tz*Co$}Vi+t2i8t8N9|Qt_@R4NtUqw)rmJ%dF1B+C5uc<&@)gGNw}{
z*CN|4!Q9XjM4kh)|1DAL!A<|vDF%`MHr=(91I&)8(JpATn}d+So=Z1WQEDsw9pg?o
zXgXjlDdi8OrjpXr@^yNVCW!A1P&^9>q$O`HCA>@u2*=TRNI-F9B#`XUOaIpST!I;=
zw~}=(CAku$wPY{3^HNf%xxiipXFssIx+_UZO4bsRrhJI(a(w)h1Q&}-U`|O|qIe{S
zgbN859c=Z{w)wzU%c{GL7GTkE@FD8y*@cwKq5u@b;Ot>p6&^3)0q(TWsjUD_xxEu>
zyFH~yt))UyP{3_D{T{3aJ&*yn%1&woLb=%DOs$!CE=%4>ySZ(zq7fMMz2I1Z;>K(%
zv`0M=js%e@D5SPpTRdcKHURwqvTJCG{#kGFNo-tjNFEiNEwR6=ak;sSfBuW8paw@1
z8z2#Gs&t~f<|FiJMjl41+HmoH7v_bAD`07P2Z<@Z;$gJP^L_=Ck8e~LtfHvhpUavj
ztu)WCLX3Nf-lw?&9B4eUmRGpQ1A0#(fXd7EWEb8|g(q;kR#el&vv5TkI3{~0$JIMp
zr45CzfYIBb-cqfnN8U$OL`{X&gL#p@!kjnRLrWTh^^W7y3jS5E=$j4eei;6L7H_8B
zXg&M#wlZ!czNZ*^Xu<8D(wkS_(F=L|i;)o&@JuTZfG&LLvN)_u>3ZKq90Og{!=Ro^
z&}ywrfh_K2&wCzupqmup5F4cvCw#}dw%vb1n;mg}`(wo{gf&PbKJSpw+^i)~t2%W*
zPSL}7PPW0x-K?)r3+}7P{I{@CKQ5I|HK$KmNt}KK`{J7v>fy(O*x50LebO=96EAgf
znwm+)+p*;25&gaxUrV36i{JazV*$Ed02|?;2lGAy;O)0q8kkP{oV0qf25ln&nA+8?
zzzAmkO=4<jfcokKbPe&(qmaLX1^I~}l!F03<$4oc{2aEkZ_<eDL$rd1g`cCDT?Jw>
zO#-fVeu8$#J9;GC9OOIC<$o>Seb_(by&mfE;kG38!&Bnim6#fY^-2e0+LXf+`+hO>
zX6FC3-Lf=Kwv!0B%NoB#%*b6Y;%O4o^^ySt0bD?fshQ$-h6<*<+alLaOdb>@a_msz
zqOOJ33GAt?93q9=b>6`I;N}bqGXc5U@f$d0(Zq>4Zr-nDZPHhSw>1P<4vZkg&03_d
zuy&S9CIYZdOGnE+#@z0b)@#xuQ#tT+i#_I=fFs&e7mzDxXW~()RN*6IJR)2yk;P+(
z2)Ds`ztN@gaQIkL3PhNVBJ0znTM}dBH@*>YNNhUUZ9u>Be}Z_{YGV;^I>@stAg-On
zUvEcm8GQ;xR@mg2wmezE*>BFtrb_j$YFJjN*qfi9>lEm~=ZI8%{N>tY_Ap#^6+n>@
zI7}~*Fc)ylTr|2?89rTrK_PZDHbUg3NMGR~*@39Ufsqh^e6il6Z7BaJ?j=8k+wzxW
zX_b8XfX5HWKm7<ccYl+1!_#*K;l}>gxi87G3W$&qs=TV^re!vy+q>ih?K-8<dm*VC
zmF$J<m=~}<uJY3N+o(=^JL=Q$TuMD}-!3m2V4BG}7+`Y`&vZ}jc}EYniS**R@og;a
zo(x*&Ih);TyE6kn{<aZb61n2^(1w(nDeFq2Dee)aM+!YYZcA0y{qsmYNw1EaCl{;S
zyuMf3JNu>T?^|BgR%_K)O?AgD*SJgM&RucMY0_0*<z%iXZrmkG?9mDro^VF`kw?Jd
zK$QhtpY-VrEW65em_9+7(~p>b_read`5?6a4Ol;pHN5$xaddzt?OcfWRUCcWS4SPW
z4u{^$X&gqQeCjPp(E9$vr3Fhi6k-Uq#tAXPnHpHGH%?0VOh#h232UippY?qdXja+Z
zYOc-a5Ymxe?l3=?$ba(M^f8QxUe|Tupw=}7<_$vnteB-`$rskT+!!@dU;{AV_`C@U
z)|mz-R2!2lFdXA4zsNIMwBwjXMl0;S|KYx(P8Y)LqU!&t^Yx!I;ca8bL&+p3#wq0Z
z(tRR_JYY7>RGWG5Gu2>Vn@iL=1v)7ALeVhR6qFW}-W^G7`vJ`fe@oYhSJ(S*8{2(h
z*-c-LVPu$h-vM#k9bp%Y$tUexx_04Wd*b6X+y<c{sctE4${V*L*ts-7sGkGa)LLw_
z?5D5i0z%nIqqfQHNF2+DicYFLY|>#Pr{zdvjn~<BdM=E#r{QXwXI0|VntMffnz*>l
zd{2qf3mrS}w}i~=(-iM+^ca4!HkB|*6<<j8g8DVA>H@05vnv^fq^w}B=g{Cg0sm$(
z)x^(O=`k4+35yUjX)^6S>=b(GpJ#Dk&VtoKSPNPL_!*izUzEyJAb#}mf)2M7&1kM|
ztY2#wA_05;5f&aU-RDl5f)6os5X8j@wzG%Ki~Hi4pE_=lZrIFRL8ff&KRT6oPZSC`
z25=PQpxkOSRei+gPMe$xw{3?iE?^*7T@GKqw=|<~*wKC_u<_gx0Y6D*egxbCUJ`&G
zG)XH>$i~A4vqK!L(*#XH9Qii?&2q(WHv--E5f$irddq$q`*W}tw~l%9^FA+58`2IR
z1id46f>&<Hs%|F!0RQI8Yv*m-8gIkCStZ+x=N%8Vs&|xTU{4*q$f*#cK<j-!CXhJo
zpN9q)V_UkMkV>#l`>`1U8zPF8#oaD+c%evu7Fyd-f`gkWZ2iyb7Zp%wT(zKz#R64f
zuo|so(v(OyqF|ai{o;%i)jR#WN#kL5KvluH3N=NVcHDH=yd<D}8<Q@P5bmD4bSzX<
z%kY*!nOrnM`nTyVrFvtiZ}E?)0u+Z%D1xP|a_aOoZyS}qjp&c+9DS@RZONzSI;OkL
z5gOX7T!34t3h3RUOD`)nfZwjfqIVU)MoM7YptjRuh76C@i$pWP4Mr9FJcitBijZLP
z%AnHZ03%{M@Q$zBOrz3BsI(+ENmlfJ0Me2d&6xKb(N(JNDnP1J-}V)J*mU6>Fsv1c
z`rnM->_4*k9096dmTjx2uIsA>0ybcaS<i_xp1HWBA&>c5lTy<gblX<JPNI}b<X^so
zwl!QOSljvG42$8T+W=6IgiuVyy6XfF=`ugr7$9*~jU~ny6qJ#btWiYA0AtZ&nYO0K
zQw0W#^)&yGhPYY#`^VMC4*v#$-vL~KUp7ULtdO=#WT<Gc0-y(+f)G`upA%9z8iJpR
zDoft!ExSbf4&#wgoqQ$!<^9s%XhIe_Si!s`kTfwD{H|zqOL6kA1i%ah!D(^o%5&L<
zc<;$3<4o4Rnkwl#i~D*Ru=AP+5y_iV5fI&?)P~Nq!!FN~^<C#|-ONMEwMvv=G*^XB
z2;sMDSKQM$exOOw1#{5|_`DTbknSaCJ_m8ml4djs1M6miscu>PH<5D-Ck_M{?bt?=
z*Y8JZ8MYSh0WsC1fSzuw1Kc5iF)!33sB99;!!*WpR^v#bI)?N~A=*-Adutn2S;~%#
zOla1~L|7rz3Y*L=jF9Y@Q83Ryp?Swwyy!b%HrNg_0eWh*2}{~>z6^rL3Fz?DJ7ZUS
zHOI`CGT;wh5N`EWEXv_5ixl3Ih1X$^Q-}hf2L*=7`j3V1uxnJ9o+z-k8hCnyt`^8T
zYd0&F$k*YX4(|lPOlL8nsDkoh!sM>4T<-M56)?)T%BKbajnbQwjTKj)$oL*ZELst9
zQJ8ORGmn!R4Q0F--0bk<{YQ`X75Q&v^WZ@(@8t34TulC*8Vi$q>a9-ucaLaywyU4C
zshR?#Jkh*31+~N;6VBdv%4NjVCev>a!q~GBy<9W|bviUnVDnZC7tFesqZy^jE5+8a
zu`a}_*6<JKm%BTEMYVZC!^|2PIh9+q5{Z+jnu==>laeVp4jrkRYPG_q5B7TJl*t6v
ze2NTp@b`oU0i;PV;NkgL&nKArUDA=6*S{|1!&a&cVVy4EYCj4n+isEV%c0rSfs$N-
zuh8Z4tbX@j{yPh6R=2ijWl<nCDUZ@v`gfq=inQ#Czz7AQP{Eh4MW`=dh~CkYicYQs
zUHm|>(QP!8iX!KYt{ikf8xy0j<A3Ze${A-gy3W)T*3?Y$?+&)#etYqsx+J#PB!O*m
z5u94gBOCIr<NoDg;p*lf5|4RLW>gX2Gb<wP=Y!cb00BnPq$kBG22~%`@4tYW$W>B<
zKyH05Kt%ZtFP4EWZgnGuuT!RPu3pLjI0N8Mkf>YD=)kzb4h$MG0q<I4_<;lo_mcMq
zgV|sxATyUqdo7JvI&`_XZfJ!WY{ku|i@A`FX&Q)q<Y2CD=Gi>*8T=wbjZ`w#em<D$
zds(Xj)cBrS*oHNXx&0L_RAOX00@Lvghp=2bruG(ns*Q0mV<nR(zv=^<$w5cUT>W6|
z7elcNjWMhi5Y(R)&`j31kcZGZVo2ta9{WDX&NV6~l_pwuwWba#dqgv>Sm~@xeZ>`w
z@nX}@@`k~}&4Om9+EUAR8&QZSR#(o;v)7?;LZ6BkT=jr5S!NX8**IEb7&cVKbdR03
z#SJslOb^bPU8D~+>qG=ulwvQxDT@(GL!CPDc5M3}2}g@E^EemdM9O&PuX9et1vkxi
z-82gCH9K;#v(?13!g^#T8kJq+*yO1q7DYTYx2}<<=SI(SqbHd7koUOZ%a!L20XK;S
zbb0P+iZSK7c#xUROVY&aWyFgJQ#f&>p@|d5LLI;alM^&V?>U;$)@Jz}lgHA7HkuLS
z(Dt&m7?Qt6E`$|1;CqAO`LCW4jZOz(D>#PGzJxB$0RH%3VGXbXFd4lM?--?Y#M_rB
zcW?WH!L?0bx#G6q(9$80Gw(&6DEh)VKnR8&b=-D{r&G9Ebcv*`JOmyjpAl=VOHlF!
zaH1-A1ks9QVHt}ZB2R&x*+w~wK0)-bpB(_UZX8g?Y7cQn<NGg>0R_e~M~W@t*-*^G
zN}@q_oYMq~IB>sEFk3j#zHw@Anf4I|CfPHMsxFS95Rv&9T0I*l#pJyxQ>dvCVc38s
z(NJWHmE)k0WChNjki)x31ZIa_P~5L+D;cj*bZkbIDrKd6sgF5IfoILu6NxC#+ipe{
zBy~M%3jLNck~Gh~mLL4#eP&W}{C`P|AyyFBPPv4X@!O4okU_)X(9?I0y8hFMnNZLK
zK?2YG?aPLR)k#)%=By0U+s#@W%mc6enO}X?==$sNNB@>rucTpP?@{A&BpUn2&Eo4Q
zU~2Kv1Nm7$R4Oo_R~c><1-R$Keo@&`tg){o(jzbV+!E@tM4CG=0etJXYYAAo4~)`c
z+q5^8-+K>W%cV?G(2H?cXI?EJ*N=s0E#EXu^7?(+g9<DX_X#tmCfDeN@A@GHVP@X(
z#d&KcZ*~NO2Le~!jpb5;@hQ1MhW*P<=V&m6@ul_G?~hgd3H!kx4Vx-|b;YaZpJI68
z^aAF$Yi6P}$<4ES!=%ew#`bB|N{g!(8&#xK6fzcO{^};(<Zha&gA*QqCT1GW%ekPr
zrwmIU;XDLRjM2y;dFoM2gURD`Ob(E;HiK4sTXT=gtuyl}<0e56<M%lTDMi#IE_he?
zP%+{)5}y}vFjGKa`k7EBAwg_D@;sgm&<afJJ;;vhK@V9rj8<#s{o}!UY${PTSwL}8
zg(~+`DykL}Yr8Kh@@XYOG}b_hk<v;!fCdAcFnga)1G{yiY)^(9MK`*skR*Be4nQL2
zXMRd8(CVObmE>6itMZW-MK8=~=z(`~rR<M(93EV1=3&yTW^c#dM3HLSfvseT(Xh6k
z=eO1)3}Y|&o-^I(2rF866IMAx3>Iy~m39sHTAZE~(hU4z%%~bJ*b#l^H(Wm8n4I%5
z8iN*X>Npy5NDuf+3<(;rFhmem@nG9559Dz^Y98n<LKFpg2_qsRA|itF9yTIp%19v)
z5z$~_q|cLiK5>`LE&gU1TKsi*?S!1Pe;(hAmxiQZN<S#$^CKKm@Rh4C&A(2dYF+<^
zi+6q&=!66JL(63xIft!f+eRIxEP5+vBtvY36$?_*;3_*h4BUh1<3vhM@OoDGc(PuO
z3EjRBM1S$5TLolkG~wbbO6<#<UImapDtu_X%0UFI9$ci`%;8)_ekwn@&&qUN(IBEp
zJxy<>PN%oX8+$~jBb`)G-+!eE0N#Rk8mb;)>>Fj)NMhjR#%pL{j~elGqg!<xC$=yG
zgPqQ0fT5g%tr7IEvYt}F3%u$!_oIi89)56qbX?!x(V|Np69y$ie~n<Xx?H%++imz(
z(!$wUD<hNl3G?E7DQoXVke#<YXuSk&0`ga!-kY!yPWzeHeNR|1{`eaR(vhE>v4+H#
zW(Wc3i8?0Y3+NMo*349s49VVtq;0(oztTIb7}oF^<+-zeVmL_wU(b1?-sY6neIJaC
zym}f(pJo}eDB-fvmhR6%!-LXc-)0QPM}X+3J}ESbwo$D3#E&<&wkOg#?!+mF_LQX%
zsbM4xz9(gY9q@?0!YP5%w+mDqDi+LQrFEgq9~~GlPZgL223sxAoyv90`=SH@WOorq
z?tW|8NgN_7u4t6lJT?&&wk(02KNJU`_PRfjtuJ=o`r7oA%M~R^$&><|Tz~LfUe2j1
zA7POJN#Z7+VMC$7q+3-(t7hi}`65bld19=QXpJR61QKs7m>P4sTP*-tAOtY|y@*?h
zOz=NzTlxv`jsWEN^T^0@dqOj4>F(tabOCBNO|YjVp)d+VBm=ei{~#8FC2U2H(inlh
zF|73Fqa`>&#_J-k;rTL%lLS4aXZ!|$$lilUWC<PBaUItY?UmN4jEtk{x^>e!&=J)m
zBO~KMW(Jqcsi9Be_Wldt?7`3O4j!5azhQ2_bjX>3`5A#wu4|5?C)w6V$>9B6!G<E^
zb}qBz*sH)0I5+A)HY<%-V|(pcpp*>Ar>oE>3Q<$AwmE<)={aK;#s0n|4-|cd40>l-
zP8<n=?@k^W#YS=Vs~MoTBF(@6w;i@k3vEcd#556E5CKgk;AUdb1IF}xhygLDoHG+u
z4|$e2(WUW7W4jHnAx#Y_Zp(w)N*FZ72a-c}j2$OC3eT_MrZwS?Ordz(?PMrYfZMNy
zQNQ2Sci%X%u^zgul3;-QwZ1^tinsi5HF(9fo24SIW!Df2v&7xpM=n4*$%-i-I=gNo
zsjn6QlCq~SeL<GAVDwuZ`!%Brz*Z;Q?pJBsZscsqeZAM9wGJ5((g^HAb%yBi=G}V3
zW8jT-GgUQzcH74(Fkt7&(;G2iMMA}{;kJ+G4qKCSU(32e^~bz#m52=q2OQG2p`Gz#
zipKA)U48)7?l9h|4`x~%Y1}PZl!o13(A|F6!)@zIuHD7z+}tgLQ)IvU29cEy8x7*q
z*Ar%fl>#Jnsgwf@1DOV>mw0%i8`EleZ;zG?j9+0NiaTc8y}83-dspzMUM4)P8I^ov
zFJX9a?U}gVt`r7SRYo@Z8m4(D`0{bn0Ie5;r53@5*I=NF^0RG=;1+JQeFsk(2-dnh
ze*@vi2lFz3`=>`I{d~6aA@tzU$G#RBE`Ijqj@d?spZKVZO;Gl^>#hDT+IL~VknRH4
z*r$Uob10zI_AjRAM9Z##;OW<WK2hg@&I1i2J%3tO-lY$#{#*P0Y64&_f6<OVSVQgq
zUU#j}19Pd+1yM23io^NTG(CUSYGvcX3Ut;Il99?5+Gfm+Z1=oo;I3-pj<(%yx>W}s
zS3g!N#-$Fz{nQbVI)dsP^2iYF*K)?W!LZI97vng@OE!MZaMh?`U)^?)+OOhOzh48C
zh~7tW$M+_tl&7d>&P2>e4lOV`IGp0a_&PQ$Wvvw!+<k7w$ANMtVqo%V2gZCi#xNyc
zX3j8pFI<-K9<scO-xaW9DmT3@&+u1qcR9m@-K`>@?>gW`EPGW~xANWX?M8w>_2WtO
zfpUIvsa$y<+=i2|d55)H=hRbATNZVDfH2_e_ODVMb^Y(0tA0l13J0e0cUInBbV|-A
zwPU%GCTMZN(ZrndfSLByQpIV9^M217I=IM6<LR>9HICpj6yybO{6|k#SP0&J^pY4M
z%ec=`ler24g^D|*CMj0OD(8~$cxtRryBHKA>X)atc>tMO1qB2!vq}gdXptQek%5{0
z-W{r`2@yFcMV4vG3SlNI=A?9EFgKjOZsHzdLvu>m66AB@;7~4*jzsXoC!*MYbD2~K
zeCm}6%AC8dUO#bh^K(gwVkWAVwsj@objcX)ZR}C@Yc~QRQti5&vw>46W4gdFsfLA(
zGC+i(aT{gVe@zsmn8nori=EJMOIe%&rhY?nCTx*Oz0}F-iW0chQ)J2jQ~i^NCXOl+
zCxUTi-L{GO|L*?!u{qGR^lIN!nHdPX4BboH<wyk0MI5JT#zr^U6pHrD7FZkj=232N
zbx&!Hu_GFDGqd$fDVX`OltKt+tf;&^b_0Qs+KyB3RuAuc`1WeB4Z*p4Ok2KVENSs7
zAp_WvK>SOL&0saaHA7mw>;<>x?N8-68?5cgtYJAZ+g=?r56c1Cp&=x6H9YJoLfG^S
zD)oA!6xe6h+kFRE@~g1>|Mmj&ltK;%Y<dlYt(5C+_`7-1JT==cYVXQk9l#q_i8MAw
z*r==O5DOlH3ldhZ(y1!bZ4F%EwtiES$}3%X^;M{Lo4u!qa2ijUW8c(efNE~qe7T|S
zcH0PRf!m@I%tH0knwFaFcJ7`zel<s1Q)VZPG@es!<1U$op+C3~R#wwJ$3$7_v4LT6
zf6xr<Yri~yTRAPQGpYk9)Hpj-&4cD;8*5S2h3^I>kwI|PHpWa5;}Fi}KS&l4WtC=a
zaD~qMH4sH2k}Oj=(RAi#3RSR0eIiP%HQ%F)VlW#MYwNSLgNB>j);6j-DpNZll`^j^
z))#7jI5f=oUK4+Wx7(lk)F<}WR%LJ2^w*9uAV}IxrT<)9>i$$IAcuHGesw>}QB$av
zOV`V~T!cdNSfz(DbP$iWbJ2=z_=?3k>e?8cT&Ky|W~YYo5@u^+Imq623|g;k(4a_1
zB~j%l2RWL8i)W+f!Ptej7*FgL412}|6pUm@h>YMg$2r62{tBPpYqsdI_&Gg+T+URc
zj9$iRM!M~9VBm;;#akykM(UFg#KbqLeu}d|Q0E%q3zlX|!C_g(?v@Z+uNZo)`aE61
zwlbt!?oz(X^mgtjhd!#rx-+Fs`dCJB2)!9b|K0mCFlnURF~vK_itwcsMUdDeypUuD
z9NvonFQ7~^X^wW}7Ss&ie>Eg4$q&Cu7<`guM9zX47Mjq}f{g5Q*h_z&FIKP`9J$ZF
zb6*~&T>DV9h^)@?r@=E4-j>`B29voNR2#CsKs6;^BF>xDkujp!Cd^kXblh}$U(jMU
zUe}!FUB#?1Op8E3+dHJmHCi0UQ)tzhOj6t@UHrn1%uF&B4V-MHLtTA-swm{_GEjw#
zf@Jl9aPz~eUmT~+ltSZcRoY6fZ-(1Dvxv($(G{Cuqo&9d(gfooY}`R5HC6Nzu~4bS
zETobHODB_c@l_s}n|j5s0J~641l2FR_-j-4=G71X<kly@)8PruF3ba?|MSQHxU1fe
z-#M=3AI0d-M)|CtEm(TXAY!+X_S3s$2*r)R6XO^wm+L-PlI^WR_Ga2^ZZ-zwqv+9w
zFpCp7{gWqBY88Q5ypscTLwnXcEs9s}m4m&|W**Pf-joNTY&i4mC-wwTXMzlaJe`ZM
z(*Bjo2G2X7GhpnxU~rzvUP(y);CVWVilS1bqo{*1f4n%F=}9_yo8QPDG9EnmN`RXu
zGYo6_eq-Ru$;&|uH$MdHqsJ@j9|?KIj+H6(pMLfjnE!iav0n1smpA<y;ZLqF;E6xd
z)aY0NF;Pmx(j&!IN7w@D+wT!;H5V)qBQ04^U1#vx6brL}-%QZGKYnfP;CQ6#>7L}q
zOT|mQN=umf3HE3tX7sgvv$Tw&jdrd5Yn;7AIy15V+jq?Lln*Ld+JU)pW*m-JlJ{c4
zqCm&PS%^!1qkou6d*#gSaS%?f(&E_x7ondXzhZ#xC>NckK{Dhe$_CU-T>R533NBD!
zlL&3Fkaek!(_1Y}oR=B*ry>}mbI8BRZ+N&OTl`&x)ma^EIfq6fNY4Qx8aUuyiQAGa
zcmmCIxJ<~lJ$a~8f-Lj60*H{F*E2s=p$Pr84J6#t)n^Z&!HYy@_#j}NTN5L$^cmCK
zRbVbo^ZkfO+rDOw>bdJ4FKSsH2#w)NMmNjpEE|2xQo-sXuYdV=m6@oOCXW6lgb=-M
zTY0QtiIuw-kK1}CA!-D<H&P*Gp4=Ia#{tJon6aElN>4jk^s@#rwrRvpI|=A+C!71+
z<C)!&N<-pUoT!@qM(l&wD`pro`kBkh!{=NIf;l*62cx|KJhgY4<+Oo17Gx}u(V|^^
zX#Ly^U^~COV-q9sW+=$IGX3rm25M&p96(y0&SZt5+|R`|ShvO8F*DcQR_GaWCH_{A
z!r8}HVELBs_SEsv?7xarD4#NSY>ZFe>+0Np_}sah|NUS;z%O29%t*nb$4NZ2`zdz@
zwtfxVsZCY>;{4)rFcjZPY+%;Ruri5CJ}<NDHXu0eJ8o>6<=G@V#P)<<dArS+&9G@U
z#qw+-+@rICm^qmVzIJ|b`QzYtgCP1YNwk!JKla}~g|wueLRxYX=_NPXYl2Ge>MOxG
zEE|!?ik3S|P~DLYhlrjHC3+_LdROGkEE4Y?K<Z$3!3(WM)1{A2$6Ur`cae$ZXci2+
zIsEAY#5P*j%>Oi5e^Q@LkH~f7p~EfT>Vr>5ORo)7c2d1v@*qa``VI<vcY9-(Hk5fz
z1jViz*>a9dunpzAzN3##EPt$(TlHw+^B_SD4Olb;jjx}+C@(JP@Op9er(#>3)DHab
z(po*etB%Vqf=RZ|Pm%iNE&4@ZdQS<OSG}JpJj$eUUN8F~<C2H{ZaWMD&hL-R<NhbD
z<sdE`sMeXdj9M=&WAvL^;Jp1G2o=#HB6UN2tnd>^{s0U75f^X$o&Viu!F>m~AMu@{
zi*^PdrDp^Qsfdn9(?5zG*0=n<%2sObqw=6}SCd5vix2M9h{n>4yjU$~_1Ndg>pL0M
z!}p7km!TD}?sEb$T2K8y)+wmW=FC8Kj9Wo%3zG+0>lXN3bE7cMB}3wAXvw!^Mt;TT
zEj0nu??|YTc7$vpcO<jLKmF+AN!IVoz7fTBrdb2mV*?8(W*e);!Yo}`YYXGD>`3U*
zESPvhY3<s0q$ob}qVK$nTJ7qJDIOD<Sa+DGtY);0-8;7=9)s#@E6?g4RHfeJR{n6;
za>tn4BZ7k7BgiD2Y+~=!g%**X$E5{BrE4O3Q3Cayjvk5Pns#y^Ett9l{s(E|KIi+t
zKKg-<Ga5O(%-h9*4A|QT6zQ?AzJnA~y538~DlhTlzDzkng%nGD$J*<@AJD%8hF)Md
zxAF#_S<5tg8ocw@OBr##=j)`&B9&*#*S_aAk(5;l+re)?cD(@Fe{wC~QS!A`4V^BV
zCq)BSO<-&m*u33^R8V1?Y<g;czX+M?o}tNw_pM#Mn=2JTMjkW;?^e(G%f$EHP5|{Q
zwkt4S1e?q`Ee~)qdfR~j^qnSGRBaWY;#!D&>uZ)9nZ=JNWa|5Df)@tYWR}}^{@GH-
zobP!~(hjZkeCvCjL#-~cRBzwav!X0>j<H%AQ+`|eDRm%TjPBnZ=8ru_;D4V8dTw%>
z{a`WBw80X1MGOeS4vWIb*K>h%5&}NKEK&8}76h-@6nmoaW$d=lmxd<UBzwB?33hX<
zpH}B%-g~Vk454nH-e-%Pt{OEeeJWHWa`v-ee!y~9L3<`$`$&wnQiO#T@~K@9w`-D{
z9m^I;Iy$=e13q3ymW#V%M-$}c4}t5={=qL<+_983^_S+lz09w=?V0;;IsUGutz&YZ
zxqV`7!}e-E5%zznvA^tA9Xi$9n)3PX{{z^sEixS{r7DNiXle)F*V2~8p&gnW`2^5^
zZC|88c(@IH{iovNb}$P0JjCnjIlCZlyl@eWdHXz8F}w^D<KeDgy6Ih)CJNla43vZ3
z=vVbUt`AJybhlCE?69cGt_maU#ZuKj=}8GaVi!Mfopq+(^LhHnMiX(oSo9R~ER{Xc
z5u^K#X9Z$0U+EqFr}e3!Hmf=d2Ue<x{>DBvS2yyY;4}FMqQ3(nb^o+JU6qT(glq6>
z&GR7l6gNn0S8e`Gy6~P)G6z*kkM?7^mt(${wD8Bj#Jq{t4M)Vt6KU`i`-`hgxP(}(
zdSNyuj&4?~KO-Qr&~-2FSjTF1FbT#>Lv0m_-{gMNtJIn+d!K;o4Zay(T}JM9?&$_A
z@*K#7MA|p;bgaO{xCKC?>rle|K+U&8ez-6<LVnna8!XSVEXPtT75bXDQ=l~88~0e2
zWh<KiqX!Dl4V98DoH})abI+K0bm~OPJy~#P*O8ht)I_D06tAi%M^2qHyh;^b+;^#i
z=<^$2E30vj&!byejZ2km&nxmQJw_^Lw!_Vv>(shlJCih3m*kf^qf}06=SI~;Q|p*^
z(j)WqxF2z2zlaFXQE1ARbPn@$SC|UT=%SGtEt^Cw0d`0TTZr^zqdBJT>!YU)zKC*0
zT4MU7uLs??!*}ATk`bcT3R$3hS!#y)l{+sjJyu-HX>qnHW_FiaQnpG*tDAYG;+Jy7
z*B%9j%<SY#w%Yb?+zY?e5sRwlv()J%PZZUg#=Fp8s`+uquNLORkYBa<kVgW&-#fhD
zIr+~sBB$Qrir0ISbIMwsR_C3YfgKm>^-aFZ(r>^u2wYncC9|dGm4h=IvHfqk6|2M3
zolG+!PsvG0iltR$_9r~!5vzaM@6TrMozwNTD3!ep-rJJviN-09Y>D6`B%cqB$)Y3&
z?fLRL-)U_d(B3?&BKRW|_xh&wS@8NH?M~~5uBmm+`~j8HbR5(Ob@w`E2iW2m%K5%j
zGoiUE@Bc=szJG`?9fPTu|6S=!SXNi@afpLOI=Fr&#ou!0U&k+GCRML}J>|&eSb`fz
z#{T@|`=#8;qrxv><PYsCc(*#4_#)5rTwWKZe36#r9Kg!&tIa_poB84a?pkg9vf1GG
zR)?jbiw%5R4CvtK^?f!_D5O-pYTos+J2N`rciPtnd~{8tmefS7-6CN$i#JvV+h6Y6
zvBKO#QW5?`>#zxqm$!@CUx3~<zKtO1Py$4z$--y?ZWqwCDAoLgbsyI>sV*BBH)<aE
zPx=x04|g@Dc(q4a`}3hSKVB`Qg}<;7zSc{C=8>d|#m@P<_4qCY2-GGErwMqA`qv(n
zxrej<!<uK;i}Q|4s~-4|JfI$!jw$!w3pOUX%VG^9FO=0S6Ytyp?_BITRPpJu^Nss5
zBbl(LG=rvN|825{!%f-RyB7LGwC^L>BNBQ_&7&dth3O4B+Tx^fX>7*12zhfch5N@H
zd$1`vzplk|mC%t(0IG4(3sD=`eRsnN%815drx{bkW*zJVp3hx+Da_Ujf7%-Y;)L2n
z@=Kmw!`o?WU6@1r>RI6}ndORNl;PFQp}qr0Yue6|mn_McoFZv=a5a30M&6GQZHsgy
z25ws9s3;7BQib2BP)fjbVn5ou$PYhlcVvIyHKwtmlx6vlJ*kpen4vU~sTh7Kyu3@f
z<cUSsU*7OHsyT!k7m`GM8@D$rIi)9b&wm8xk=T>9<OfLHS&HZfn3;^uZ1ClU?@(SX
zfl^KBBu5788*v}FGp=6|;U+~Hivq_@Vk1aqL!U1Ypk%~3ARE-1Q8t%B5=aN8uJ55X
zDR<K|RyJ(i)2$cMf1-@=wmte>S<&snhAZnvs06VfT0n7VcvZV!V2Bo<n8}kX+!q=O
z+j?z<av+SW@;z~G!|f2GT@TRO_l66F>LwMU&eDk=Xxt^GOI*|`;O>u)kR{S3uJDQY
z-9RZ*U@yZ)p0yZe;;5j~S<6y3SQ!yai5m^eS993971L8*C;IlyYgV;bJP|((;E_7I
zdnpEezL;IlzbVT%tF>Hj`2v@~Uoz_5tMpX)R(1PoaN#x@@=H_|%KS=1!>g@HEd0tK
z<DNvS+M0FcTH0vs&fv?1*vs9MiC#~ELVh>BS;|=YNrS+YbWz-W`L!D2t=46KPg0`T
zr&3)#j=$xvXOcJO)*epH^SKYV7%Oc$_R$CC2FJMS(C8L$Di$}fK(Aan=4w!5GhiOc
z400i;u)xBlD-${%!F~(Fx=A%L^7;I5B$Uf>9pGT0k2;(?gNCIn%Mc!{IsGkXvunI=
z;F<yG?g0@$qnaYD93>NRj>m%)o&ex^$g->t=NiFJ9?S9gEg0U+v#sav%8lv8aStf%
zhh3h7JXgKQ*x$;Wn88t>SDN9ZDWW}E{{cZfLQI@PAJu*reK$I-b&(PRE{G$1Sc`Pu
zb2^op4vE^o6Y*aK;C}*%{~idx?LgKPfPbwV{&O(1;kK|v{C6V$+Y(G$txd)imUF2J
zfgz?QHz_cL7s!sgliF)L<HC^DLXa7>$lLNjLjP{&WsoIfVvF3#1|zIBNMe9$iJ`nH
z7(#lG%-m&D^2BQsLumS()f&T~$ILHO={BYiG6kM7GC8$f50e%nm0<jTP?ZSrvooBS
zc90=+zysUcG)W1}G7!rhOkcMyg}XA?k_T0UHcZ9G%#jV7ORg?Qjg4GcC0%dRA6iG#
zymoCck&nPs3DtneSi!NWt7?sO8%huWOqkf=EVvNXc_}X%H43tTW*NLiS?ScvIJPF|
z?TiN!Umgx+oHG(a8m`F%Q8QPr>H&sp!`g@yN<mKBnTE2j0(T~Bq9$*G7cwJT$I`bc
zwK)O$4F&QAx3-tX*wxzseZ#UzDOEY8ZJ$$++>|Y251P1)tSDbB?dt=hnb|Fxz0=lZ
z!h?Ee%v#Lt*tm|CuybxJIptDw#-SUE#{-{3xvU}~R;?GWU9bGPIld)D?DSQPgat1a
z+_=`jGuULZKvT<OS5>Iy(rIltZc=a2bL_W!Wah3(X3)mzR}Da=?9z}7bZL{$mZtr?
z_ai%?BO@xMIO2@!;kva??!lx&fmJFg7N`8){Ex1IReg3$V?dYVju1NWXV)@e7i9v-
z&d>?BW?=$!zsgW=?dCRu&h58pmv2VHO2*EPFAlx4l?Zm!FREb8_58xJ3{@2FU;6n}
zTBC7j6o2{>?nu0Deku!j2)R0lgU7CW+tyV@(+oj#b)As4wnCI;VYP^gn~JWj7eUw#
zbX69`o8Fg-ZwV|xkMBViu0osouyM<N{iSF{6*V+xlGzZKJDN1{&IU+C8dBS~uG4uG
zHe!k9=9ai!$QOimP%R(U*u<tmRdY&G08D{7s$4EFTJ{oHan<R7X4Vrd$#EcPA4n}0
zrS@7NRj4FAcF(AI?-WDI$aJwjlM}INbN{X*V?~=BH#1GODh{kGf&^T1Z4x5gu2Zv)
zF%@GOQ!@^|<W*{+P83v3n*<zN7u#Lr65+l>6b69-ctqCV$hdXc=1s@*q@mb*NO?6+
zS|8vSb-c<aq<d7QH2<{9>4>^R={E5-;;4LqH$PeJ^%N>~MqvFMQh%eunhb`}`)lDw
z!ixGx3ZSv9%|#W0Dw!u$KDD4aS8B*!gc%YwwoZyP>ptoTg0<zz^Y<}kWQ}a9YZK4H
zwXu$&Mty(5;$mX%A{M*~F{pwVgx0Al7#Yk4R#ib2h2VCb<Qkkc*hj%;S;S1OM@1P}
zg^>!u35KBz8uZ12>vh7~LB_M=NenwBUB%4}h^t4(ysoQuI1NpI*ld?AMZLikTXImr
z?YZ&qUZo*DW!IKUlh9Yx>j9@8x*g3_0GWx_^}+FS^(2%lF0bTSm#!-PJhV9@N4^Op
zNkaf`cQQ<xStGi-kxxg_2HtaGAV07Q^RjNauKg-WK~o3_sjfAEG9mZ0R*{#w-#J!7
z(1Zkv7&CDFw8}E>b5@K2-^zH|$d26A<&@V4Z(Hz)7w6<oQ;3nb4|@tWxXVP51x~z8
z4_@Ate3!G7g0kpZIbSm#m}4&bJcSl<j7L-}lpPUrd)W@#yf+1F2*4<$vONsNt))FA
zhMt<Zp<EE_mJ%{R5~Ma0P6W1!luTMnA}AnNQf@Rvh-6i2vIW4T@J&qi{vt3*h1oVW
zcL}g33=pCbGE|6zRe|K-1jsGFMgr>lDoQr&A-q5uvDAd9FQQ_3OBW}!w_wDe_?j^S
z)<-&XlOo-^qKG!SU?QK+zLrG5Psfl$Xbm~dM39c74wAa;eo0hGb(QH?t-G?YdKS4_
zH-V@gGXsiiqV&5kC1+H%V{X=%lWtm|PI6Uf5>TITLYX1geke+EpkDeR8%i_1DN#aG
zorLLN2}{##rOkq(+m%C%(!nB(GTq5Mq!>##2)wl#*kwYgWeF?9B2|+6L{%i53{U-L
zthXP5+C;*+Q{)%FRTxCpb7|;`A`%P$FpGc<L`pUkEJLvt92(z05Y;1#3wU2qo4J@E
zNI<KT7TV09j7uKz^_ZO^gyYs2GoRHLMppd_F^HRW(jP(w1Q!7mS%4|-lZLXHS=vn1
znZeXX6TujR1qrmpAqb_pzOYt{nbb31aamd63HFCfQ7dB<v$h`rpqEH!O5SOY4MXyA
zu(GmLCX$wzkNZ?CC?gUVTeS{JEupDIxuOr*;IX{Hl%-J+j<$lVkLRW##3nVY5*)YM
zUSHZhs4#(TCB5w~(MWVQO4b?d7q)PWo0`nH&!8Vr0YDS5T{r=Ofjk{AI;ibi7LcaP
zri=p&{G?=6XC!9{guJJE&6n&#?r!0$i{Jy(Y1g;W$iR5Dc+A(U&DadsqgPX4x)}m-
zqn435PZxPINf?f-jq|yc8#N9{RurtJr1M3Gs3tK_QQaZqcx~L<$}CXJK&7p2(YwBj
zCO0i8R}M}ATw7@yNn6JUUY1*zk(8?wjA~x@v>U&<ecKBe)R>H^^0yc4QdYUNs3|u>
zHIfjqg&<@t9BYhwMj5A4D@N*COvofEN170;qYngHt$-wr)sR#|dBf3>WPrq)3YJD{
z>4=4+U=D1%4gj$H`*ao3z5v5fr65v3{Sq3?t021R)2HANz~F46zq4Ezz-eF-5QALO
zEaX)e#+@Pv^d}}|pnH>SY6hEi*stjPwk`k`Wn`wAN%troj0FYPBW?CWMFl4a=9nZ~
z&O&S?l%01{fr`@wO-veA#rNr8B%8>^&SbJedx8MAri^t_`(5Oe==5S0iF|KKVtDLB
zO+`#u@dcKo-3r0`k#DV95c1t<>?6)jG)jQ`3$L{!MVlL8J-)`D{Qu8gh}YNM9zPsv
z{^Bf6vu>~75A(Mv?x-fRDx;B%9^ypCo}&ji#q=es5?zGxOH~>pO+#^d4~|33=}(8Y
z?FwoAFe&)<;lVlUZVg14S?>Xp&4j!NAuH@*7^9q*-XEe;JHJ;J9~v5;SBS3=ZLNQ+
z<cg!0g^@VEFvI&mm5f*cw+aB#k<ni2d&QOaDZs?UlT6t#SzYH_1oqs-BYgB-(<%){
zh>t2iOnU!(@$U3<bGK}5Z*6Rl7dkIqJpbbP^`CdyMSG(s&INgQ>>c*HuU?(MvI=f$
zyFK=Bd|zu)w*qG_now{yylNC$%Rf9Z8LkPPh~t~8Sjad|5}s7?#)sXl(9a%zSaK>Z
zLMc#|*@X-RXAXZBIj_eW9lCaCVnETGH)?*Pw6lhoF;+XDMJ!}Kr(uE_QO}6zV~V}+
zL)km`xk&6EZR)(OcoN4l3_f#gi{Z&82_?dF>CK*2)5o!Y60Wc&vPRleP#68F7ls%&
zCVR~+r3Rb0fEAEmy1p?wWi2*b@umf#dI_XSV-jxyC}H@MJ1tjDn!GVX*F|c7Fios!
zs%k5Po2JMk&m={cl>=gOQiL{6)trl;kEXM&7YSQ&N^S6cHOnR`EmrX1=icQsf1308
z!)3R}0!)DE84zU$jDO1j0W{Wt%mUa6sTl!Kt^xR`O)bUXeG$Hkk+EjwS|wU(QG(LK
z9g;Jtn!K<WI=ht=d=Q8pxK1#j5V$<~@*JMd#sxeF0S_%Mj&}d1L)bVG9rlJh8yq83
zzS#tLfVH&L;5stL^ssT@EZlQj0{a?VOdlNR<deI>?PAptJpTUFmvOq(l?v_FHhSE3
zO5nfu>iF}2y!Ge(@n|d<JTJ>R724{!oAie@%eHC05xhVrCrAqS=|bzgsc<Uv1;F}H
z3argu3^A6tEsm44E;p`JGJ%l^X$+MWiDV37&_aeRvUV$-nkDlx-*IAd-<v$<pJ0rT
z%MV!pC17u8Ze|+OwUvt-Ecl0Zk<n?eH?qgdqiDd)?^I)vp)CS_a%VGN&w2-VC$g24
zZ1Og&YWYM88Sve%O$FH*hRue>AAdHgT%HylxE`|J6cc;mo9_z_S-bkXC*Rw+C$Q;%
z^}pmGJ+o=DfdS3Dm<jH~$uw=`)y^Na`G(sJ@uZf1AZyw$7hBiHkK^M)oL&Fs@h7Lx
z|K;v2{O_v67AgU?B)H!>!nG=V1pli9oyG4Secq$^n3I<>D`ug-jTGVW!)9Io-o?2r
zA91N?e6S{DVEd4ajGIcsbXFmx>^<?AWgbNB+O5VpC9M~k!Dcj-PF^VwiKK00;nW!L
zqmOu?Z}xKw@#rKkx4SYDArJjp(vm27^32boa1p3Y)0theEMv@ea`4_Zm0`(qg2N{=
zfa6(6LN(m--nVc9Vfu!^?q)X5%quI`Fq{<Cox^>V#z_>@lZFrnDUu5hb(+k*TUXrb
zGudv-(8*LsWd39#brAbc5f2$J6Iw2Y6_^+_<h-0ll{htz@TB^_;m($(vDSr3fIM=U
zwAV8%Kz1o{A;xln1|gowN+>_c8;Xn9+*aT^odHN$C}x7|qN*v)CTYP$p)T~8VUd-5
zQ?m%&j0M2;Bs+}|n7j3*OPNr*EVs63TQL9v0Bqo3<5brfOANfeGcddl0O0jkM!VkE
zceK=hW4pV7UjzUWFbG)$@c#mW56MROmUd{ES&32_lyhS9>MBFD44T&q6Cc7UL^jKd
zQ7$NR5GIbp=7z9f!Rr$M|0s~)?x7*i>!L~V%G&O>aje3Loy)ZVVhG$zy^~su=j;%%
z(4-L$V#CNTIT|U(KFY@jky!>vCm&ew-gt7bEK^bph<~<+sS*GPaDWaHPNMWm5pJ?z
z^Z7|M69Rx^qZvelS+Fkg{QyTVAea|G{9tboNL@pY0S`)Z9AY%*1SovVX<#wjZX&^F
zDDQ#*7-&z9fQ2e^3<RS&$AN=Rk~lrLKc@kI+#q>(?#oEWf*_1@KjciH#*dr@42;a#
zz`=Oru<vgHellfQZ<S?KQmr8*<vg~!5(<)OUa~YP49E3;oCxWgC9RHbvDF8rylynB
ztaT=zH4zdx5-wY)e)??drAw3<iu-1k>@CyGG8VK`m7Ou+f>Pb>&Vw^gL1&yb`#k|?
zFXmtLObO35o<8BF&1vLn&oX5MgwH1`22ya!Aa%;*;*KTD*)R#E|8fK4+)=X5m<q5a
zKu$o@Fg!oKRT15MSk9Jiwn@4vFxAQL63JB*eK36VeGLxlWeCcD=JXvyzyAWU8&qs9
A8UO$Q

diff --git a/scripts/python/subset_fonts/material-icons.txt b/scripts/python/subset_fonts/material-icons.txt
index 7fb2255759..e499435cc5 100644
--- a/scripts/python/subset_fonts/material-icons.txt
+++ b/scripts/python/subset_fonts/material-icons.txt
@@ -1,11 +1,13 @@
 360
 account_circle
 account_circle_off
+add
 android
 animation
 api
 arrow_back_ios
 arrow_forward_ios
+auto_delete
 block
 border_color
 box
@@ -20,6 +22,7 @@ code
 colors
 create
 css
+delete
 description
 details
 devices
@@ -43,6 +46,7 @@ function
 functions
 height
 hide
+highlight
 home
 html
 http
@@ -71,6 +75,7 @@ merge
 message
 mode
 more
+note
 opacity
 outlet
 padding
@@ -80,6 +85,8 @@ password
 pattern
 pending
 person
+person_check
+person_remove
 phone
 phone_iphone
 photo
@@ -94,6 +101,7 @@ public
 qr_code
 radio
 refresh
+remove
 repeat
 restore
 rule
@@ -137,6 +145,7 @@ try
 update
 upload
 uppercase
+verified
 verified_user
 visibility
 visibility_off

From 97a63b5636416d6791f44e56ba1d2d79648b2c9d Mon Sep 17 00:00:00 2001
From: Newman Chow <newman@oursky.com>
Date: Wed, 2 Oct 2024 17:45:43 +0800
Subject: [PATCH 05/17] Generate translations

---
 .make-lint-translation-keys-expect            |  71 +++++++++-
 .../authgear/templates/de/translation.json    | 121 +++++++++++++++++-
 .../authgear/templates/el/translation.json    | 121 +++++++++++++++++-
 .../authgear/templates/en/translation.json    |  18 +--
 .../templates/es-419/translation.json         | 121 +++++++++++++++++-
 .../authgear/templates/es-ES/translation.json | 121 +++++++++++++++++-
 .../authgear/templates/es/translation.json    | 121 +++++++++++++++++-
 .../authgear/templates/fil/translation.json   | 121 +++++++++++++++++-
 .../authgear/templates/fr/translation.json    | 121 +++++++++++++++++-
 .../authgear/templates/id/translation.json    | 121 +++++++++++++++++-
 .../authgear/templates/it/translation.json    | 121 +++++++++++++++++-
 .../authgear/templates/ja/translation.json    | 121 +++++++++++++++++-
 .../authgear/templates/ko/translation.json    | 121 +++++++++++++++++-
 .../authgear/templates/ms/translation.json    | 121 +++++++++++++++++-
 .../authgear/templates/nl/translation.json    | 121 +++++++++++++++++-
 .../authgear/templates/pl/translation.json    | 121 +++++++++++++++++-
 .../authgear/templates/pt-BR/translation.json | 121 +++++++++++++++++-
 .../authgear/templates/pt-PT/translation.json | 121 +++++++++++++++++-
 .../authgear/templates/pt/translation.json    | 121 +++++++++++++++++-
 .../authgear/templates/th/translation.json    | 121 +++++++++++++++++-
 .../authgear/templates/vi/translation.json    | 121 +++++++++++++++++-
 .../authgear/templates/zh-CN/translation.json | 121 +++++++++++++++++-
 .../authgear/templates/zh-HK/translation.json | 121 +++++++++++++++++-
 .../authgear/templates/zh-TW/translation.json | 121 +++++++++++++++++-
 24 files changed, 2582 insertions(+), 169 deletions(-)

diff --git a/.make-lint-translation-keys-expect b/.make-lint-translation-keys-expect
index a8bb58b3a4..5a6f8fcbda 100644
--- a/.make-lint-translation-keys-expect
+++ b/.make-lint-translation-keys-expect
@@ -7,14 +7,19 @@ resources/authgear/templates/en/web/authflowv2/__country_input.html:10:21: trans
 resources/authgear/templates/en/web/authflowv2/__csrf_error_page_layout.html:28:18: template translation is forbidden: `page-content`
 resources/authgear/templates/en/web/authflowv2/__dialog.html:27:14: template translation is forbidden: `dialog-attr`
 resources/authgear/templates/en/web/authflowv2/__direct_access_disable_page_frame.html:7:16: template translation is forbidden: `page-content`
-resources/authgear/templates/en/web/authflowv2/__error.html:134:18: template translation is forbidden: `authflowv2/__error_account`
-resources/authgear/templates/en/web/authflowv2/__error.html:166:20: template translation is forbidden: `authflowv2/__error_account`
+resources/authgear/templates/en/web/authflowv2/__error.html:135:18: template translation is forbidden: `authflowv2/__error_account`
+resources/authgear/templates/en/web/authflowv2/__error.html:170:20: template translation is forbidden: `authflowv2/__error_account`
 resources/authgear/templates/en/web/authflowv2/__locale_input.html:6:16: invalid translation key: "$labelKey"
 resources/authgear/templates/en/web/authflowv2/__locale_input.html:10:21: translation key not defined: "%s %s"
-resources/authgear/templates/en/web/authflowv2/__new_password_field.html:53:33: translation key not defined: "%s %s"
-resources/authgear/templates/en/web/authflowv2/__new_password_field.html:77:38: translation key not defined: "%s %s"
+resources/authgear/templates/en/web/authflowv2/__new_password_field.html:54:33: translation key not defined: "%s %s"
+resources/authgear/templates/en/web/authflowv2/__new_password_field.html:79:38: translation key not defined: "%s %s"
 resources/authgear/templates/en/web/authflowv2/__page_frame.html:12:18: template translation is forbidden: `page-content`
 resources/authgear/templates/en/web/authflowv2/__password_field.html:21:20: translation key not defined: "%s %s"
+resources/authgear/templates/en/web/authflowv2/__password_input.html:31:31: template translation is forbidden: `v2.component.password-input.default.placeholder-password`
+resources/authgear/templates/en/web/authflowv2/__password_input.html:33:31: template translation is forbidden: `v2.component.password-input.default.placeholder-new-password`
+resources/authgear/templates/en/web/authflowv2/__password_input.html:35:31: template translation is forbidden: `v2.component.password-input.default.placeholder-confirm-password`
+resources/authgear/templates/en/web/authflowv2/__settings_action_item.html:22:20: template translation is forbidden: `__settings_action_item_content`
+resources/authgear/templates/en/web/authflowv2/__settings_action_item.html:26:20: template translation is forbidden: `__settings_action_item_content`
 resources/authgear/templates/en/web/authflowv2/__settings_page_frame.html:17:15: template translation is forbidden: `page-navbar`
 resources/authgear/templates/en/web/authflowv2/__settings_page_frame.html:19:18: template translation is forbidden: `page-content`
 resources/authgear/templates/en/web/authflowv2/__settings_radio.html:16:16: translation key not defined: "radio-%s-%s"
@@ -25,7 +30,43 @@ resources/authgear/templates/en/web/authflowv2/forgot_password.html:103:30: temp
 resources/authgear/templates/en/web/authflowv2/forgot_password.html:159:26: template translation is forbidden: `__forgot_password_alternative`
 resources/authgear/templates/en/web/authflowv2/layout.html:5:14: template translation is forbidden: `widget`
 resources/authgear/templates/en/web/authflowv2/login.html:252:37: translation key not defined: "%s-icon"
+resources/authgear/templates/en/web/authflowv2/settings_biometric.html:33:24: translation key not defined: "__settings_biometric_item_remove_btn"
+resources/authgear/templates/en/web/authflowv2/settings_biometric.html:43:23: translation key not defined: "__settings_biometric_dialog_remove_input"
+resources/authgear/templates/en/web/authflowv2/settings_identity_change_primary_email.html:29:19: translation key not defined: "__settgins_identity_change_primary_email_item_label"
+resources/authgear/templates/en/web/authflowv2/settings_identity_change_primary_phone.html:28:21: translation key not defined: "__settgins_identity_change_primary_phone_item_label"
+resources/authgear/templates/en/web/authflowv2/settings_identity_edit_email.html:33:22: translation key not defined: "__settings_identity_edit_email_inline_breakable"
+resources/authgear/templates/en/web/authflowv2/settings_identity_edit_phone.html:38:22: translation key not defined: "__settings_identity_edit_phone_inline_bold"
+resources/authgear/templates/en/web/authflowv2/settings_identity_list_email.html:40:31: translation key not defined: "settings_identity_email_verification_label"
+resources/authgear/templates/en/web/authflowv2/settings_identity_list_email.html:71:26: translation key not defined: "settings_identity_email_change_button"
+resources/authgear/templates/en/web/authflowv2/settings_identity_list_phone.html:40:31: translation key not defined: "settings_identity_phone_verification_label"
+resources/authgear/templates/en/web/authflowv2/settings_identity_list_phone.html:71:26: translation key not defined: "settings_identity_phone_change_button"
+resources/authgear/templates/en/web/authflowv2/settings_identity_verify_email.html:21:30: translation key not defined: "__settings_identity_verify_mask_claim"
+resources/authgear/templates/en/web/authflowv2/settings_identity_verify_phone.html:21:32: translation key not defined: "__settings_identity_verify_phone_inline_breakable"
+resources/authgear/templates/en/web/authflowv2/settings_identity_view_email.html:57:24: translation key not defined: "settings_identity_email_verification_button"
+resources/authgear/templates/en/web/authflowv2/settings_identity_view_email.html:70:23: translation key not defined: "settings_identity_email_verification_label"
+resources/authgear/templates/en/web/authflowv2/settings_identity_view_email.html:73:24: translation key not defined: "settings_identity_email_edit_button"
+resources/authgear/templates/en/web/authflowv2/settings_identity_view_email.html:97:22: translation key not defined: "__settings_identity_view_email_inline_breakable"
+resources/authgear/templates/en/web/authflowv2/settings_identity_view_email.html:100:23: translation key not defined: "__settings_identity_view_email_remove_dialog_form_content"
+resources/authgear/templates/en/web/authflowv2/settings_identity_view_phone.html:53:24: translation key not defined: "settings_identity_phone_verification_button"
+resources/authgear/templates/en/web/authflowv2/settings_identity_view_phone.html:66:23: translation key not defined: "settings_identity_phone_verification_label"
+resources/authgear/templates/en/web/authflowv2/settings_identity_view_phone.html:69:24: translation key not defined: "settings_identity_phone_edit_button"
+resources/authgear/templates/en/web/authflowv2/settings_identity_view_phone.html:94:22: translation key not defined: "__settings_identity_view_phone_inline_breakable"
+resources/authgear/templates/en/web/authflowv2/settings_identity_view_phone.html:97:23: translation key not defined: "__settings_identity_view_phone_remove_dialog_form_content"
+resources/authgear/templates/en/web/authflowv2/settings_identity_view_username.html:18:24: translation key not defined: "__settings_identity_view_username_edit_button"
+resources/authgear/templates/en/web/authflowv2/settings_identity_view_username.html:45:21: translation key not defined: "__settings_identity_view_username_delete_username_form_content"
 resources/authgear/templates/en/web/authflowv2/settings_layout.html:3:14: template translation is forbidden: `widget`
+resources/authgear/templates/en/web/authflowv2/settings_mfa.html:22:16: template translation is forbidden: `__settings_mfa_item`
+resources/authgear/templates/en/web/authflowv2/settings_mfa.html:37:16: template translation is forbidden: `__settings_mfa_item`
+resources/authgear/templates/en/web/authflowv2/settings_mfa.html:52:16: template translation is forbidden: `__settings_mfa_item`
+resources/authgear/templates/en/web/authflowv2/settings_mfa.html:67:16: template translation is forbidden: `__settings_mfa_item`
+resources/authgear/templates/en/web/authflowv2/settings_mfa.html:136:23: translation key not defined: "__settings_mfa_item_status"
+resources/authgear/templates/en/web/authflowv2/settings_mfa_password.html:25:31: translation key not defined: "__settings_mfa_password_description"
+resources/authgear/templates/en/web/authflowv2/settings_oob_otp.html:30:31: translation key not defined: "__settings_oob_otp_item_added_at"
+resources/authgear/templates/en/web/authflowv2/settings_oob_otp.html:31:32: translation key not defined: "__settings_oob_otp_item_delete_button"
+resources/authgear/templates/en/web/authflowv2/settings_oob_otp.html:39:31: translation key not defined: "/settings/mfa/new_oob_otp_%s"
+resources/authgear/templates/en/web/authflowv2/settings_passkey.html:25:24: translation key not defined: "__settings_passkey_item_description"
+resources/authgear/templates/en/web/authflowv2/settings_passkey.html:26:24: translation key not defined: "__settings_passkey_item_remove_btn"
+resources/authgear/templates/en/web/authflowv2/settings_passkey.html:34:21: translation key not defined: "__settings_passkey_dialog_remove_input"
 resources/authgear/templates/en/web/authflowv2/settings_profile.html:29:18: template translation is forbidden: `__settings_profile_item`
 resources/authgear/templates/en/web/authflowv2/settings_profile.html:51:18: template translation is forbidden: `__settings_profile_item`
 resources/authgear/templates/en/web/authflowv2/settings_profile.html:68:22: translation key not defined: "__settings_profile_date_item"
@@ -35,9 +76,27 @@ resources/authgear/templates/en/web/authflowv2/settings_profile.html:89:18: temp
 resources/authgear/templates/en/web/authflowv2/settings_profile.html:107:18: template translation is forbidden: `__settings_profile_item`
 resources/authgear/templates/en/web/authflowv2/settings_profile.html:123:23: translation key not defined: "__settings_profile_locale_item"
 resources/authgear/templates/en/web/authflowv2/settings_profile.html:125:18: template translation is forbidden: `__settings_profile_item`
-resources/authgear/templates/en/web/authflowv2/settings_profile.html:174:22: invalid translation key: "$label"
+resources/authgear/templates/en/web/authflowv2/settings_profile.html:139:22: translation key not defined: "custom-attribute-label-%s"
+resources/authgear/templates/en/web/authflowv2/settings_profile.html:140:20: invalid translation key: "$labelKey"
+resources/authgear/templates/en/web/authflowv2/settings_profile.html:144:21: invalid translation key: "$labelKey"
+resources/authgear/templates/en/web/authflowv2/settings_profile.html:147:18: template translation is forbidden: `__settings_profile_item`
+resources/authgear/templates/en/web/authflowv2/settings_profile.html:196:22: invalid translation key: "$label"
+resources/authgear/templates/en/web/authflowv2/settings_profile_edit_custom.html:6:18: translation key not defined: "custom-attribute-label-%s"
+resources/authgear/templates/en/web/authflowv2/settings_profile_edit_custom.html:7:16: invalid translation key: "$labelKey"
+resources/authgear/templates/en/web/authflowv2/settings_profile_edit_custom.html:11:17: invalid translation key: "$labelKey"
+resources/authgear/templates/en/web/authflowv2/settings_profile_edit_custom.html:70:9: translation key not defined: "__settings_profile_edit_custom_numerical_range_label"
+resources/authgear/templates/en/web/authflowv2/settings_profile_edit_custom.html:83:9: translation key not defined: "__settings_profile_edit_custom_numerical_range_label"
+resources/authgear/templates/en/web/authflowv2/settings_profile_edit_custom.html:91:30: translation key not defined: "custom-attribute-enum-label-%s-%s"
+resources/authgear/templates/en/web/authflowv2/settings_profile_edit_custom.html:92:28: invalid translation key: "$enum_label_key"
+resources/authgear/templates/en/web/authflowv2/settings_profile_edit_custom.html:95:28: invalid translation key: "$enum_label_key"
 resources/authgear/templates/en/web/authflowv2/settings_profile_edit_gender.html:57:33: translation key not defined: "__settings_gender_edit_custom_gender_input"
+resources/authgear/templates/en/web/authflowv2/settings_sessions.html:19:21: translation key not defined: "__settings_session_item_remove_btn"
+resources/authgear/templates/en/web/authflowv2/settings_sessions.html:25:23: translation key not defined: "__settings_session_dialog_remove_input"
+resources/authgear/templates/en/web/authflowv2/settings_sessions.html:45:23: translation key not defined: "__settings_session_item_description"
+resources/authgear/templates/en/web/authflowv2/settings_sessions.html:66:21: translation key not defined: "__settings_session_dialog_remove_all_input"
+resources/authgear/templates/en/web/authflowv2/settings_totp.html:22:31: translation key not defined: "__settings_totp_item_added_at"
+resources/authgear/templates/en/web/authflowv2/settings_totp.html:23:32: translation key not defined: "__settings_totp_item_delete_button"
 resources/authgear/templates/en/web/authflowv2/signup.html:91:26: translation key not defined: "v2.page.signup.continue.subtitle-%v"
 resources/authgear/templates/en/web/authflowv2/signup.html:264:35: translation key not defined: "%s-icon"
-41 errors found
+100 errors found
 exit status 1
diff --git a/resources/authgear/templates/de/translation.json b/resources/authgear/templates/de/translation.json
index 58980a1e4d..7fa50c76ce 100644
--- a/resources/authgear/templates/de/translation.json
+++ b/resources/authgear/templates/de/translation.json
@@ -879,13 +879,17 @@
   "v2.component.bot-protection-widget.default.noscript": "JavaScript wird für die Captcha-Überprüfung benötigt. Bitte aktivieren Sie JavaScript in Ihrem Browser, um fortzufahren.",
   "v2.component.button.default.copy": "Kopieren",
   "v2.component.button.default.download": "Herunterladen",
+  "v2.component.button.default.label-cancel": "Abbrechen",
   "v2.component.button.default.label-continue": "Weiter",
   "v2.component.button.default.label-continue-with-passkey": "Weiter mit Passkey",
   "v2.component.button.default.label-continue-with-phone": "Mit Telefonnummer fortfahren",
   "v2.component.button.default.label-continue-with-text-login-id": "Weiter mit {variant, select, email {E-Mail} username {Benutzername} other {E-Mail / Benutzername}}",
+  "v2.component.button.default.label-edit": "Bearbeiten",
   "v2.component.button.default.label-login": "Anmelden",
+  "v2.component.button.default.label-remove": "Entfernen",
   "v2.component.button.default.label-save": "Speichern",
   "v2.component.button.default.label-send": "Senden",
+  "v2.component.button.default.label-terminate": "Beenden",
   "v2.component.device-token-checkbox.default.label": "Dieses Gerät merken und nicht erneut fragen",
   "v2.component.divider.default.or-label": "oder",
   "v2.component.input.default.placeholder-email": "E-Mail-Adresse",
@@ -923,6 +927,7 @@
   "v2.component.oob-otp-resend-button.default.countdown-unit": "Code in %s erneut senden",
   "v2.component.oob-otp-resend-button.default.label": "Code erneut senden",
   "v2.component.password-input.default.hide-password": "Passwort verbergen",
+  "v2.component.password-input.default.placeholder-confirm-new-password": "Geben Sie das neue Passwort erneut ein",
   "v2.component.password-input.default.placeholder-confirm-password": "Passwort erneut eingeben",
   "v2.component.password-input.default.placeholder-new-password": "Neues Passwort",
   "v2.component.password-input.default.placeholder-password": "Aktuelles Passwort",
@@ -932,7 +937,6 @@
   "v2.component.select-input.default.no-results-found": "Keine Ergebnisse gefunden",
   "v2.component.select-input.default.not-provided-label": "Nicht angegeben",
   "v2.component.select-input.default.search-label": "Suchen",
-  "v2.component.select-input.default.unset-label": "Nicht gesetzt",
   "v2.component.toc-pp-footer.default.label": "Durch die Registrierung stimmen Sie den {variant, select, both{<a class=\"link-btn\" target=\"_blank\" href=\"{termsOfService}\">Nutzungsbedingungen</a> und der <a class=\"link-btn\" target=\"_blank\" href=\"{privacyPolicy}\">Datenschutzerklärung</a>} termsOnly{<a class=\"link\" target=\"_blank\" href=\"{termsOfService}\">Nutzungsbedingungen</a>} privacyOnly{<a class=\"link\" target=\"_blank\" href=\"{privacyPolicy}\">Datenschutzerklärung</a>} other{}} zu.",
   "v2.component.verify-bot-protection.default.description": "Du wirst kurz nach Abschluss der Herausforderung weitergeleitet",
   "v2.component.verify-bot-protection.default.title": "Überprüfung deines Systems...",
@@ -1115,26 +1119,117 @@
   "v2.page.select-account.default.description": "Sie haben sich mit {email_is_present,select,true{{email}} other{{phone_number_is_present,select,true{{phone_number}} other{{preferred_username}}}}} angemeldet. Fahren Sie fort, um fortzufahren.",
   "v2.page.select-account.default.title": "Melden Sie sich bei {AppOrClientName} an",
   "v2.page.select-account.default.use-another-account": "Verwenden Sie ein anderes Konto",
+  "v2.page.settings-advanced-settings.default.title": "Erweiterte Einstellungen",
+  "v2.page.settings-biometric.default.dialog-description": "Sind Sie sicher, dass Sie die biometrische Anmeldung für dieses Gerät trennen möchten?",
+  "v2.page.settings-biometric.default.dialog-title": "Biometrische Anmeldung trennen",
+  "v2.page.settings-biometric.default.disconnect-button-label": "Trennen",
+  "v2.page.settings-biometric.default.item-description": "Erstellt am <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-biometric.default.no-biometric-description": "Sie haben keine Geräte mit aktivierter Biometrie.",
+  "v2.page.settings-biometric.default.title": "Biometrische Anmeldung",
+  "v2.page.settings-biometric.default.unknown-name-item-label": "Unbekanntes Gerät",
+  "v2.page.settings-change-password.default.title": "Passwort ändern",
+  "v2.page.settings-delete-account-success.default.button-label": "Fertig",
+  "v2.page.settings-delete-account-success.default.description": "Ihr Konto wurde deaktiviert und die Daten werden am <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span> gelöscht",
+  "v2.page.settings-delete-account-success.default.title": "Kontolöschung geplant",
+  "v2.page.settings-delete-account.default.button-label": "Konto löschen",
+  "v2.page.settings-delete-account.default.description": "Durch das Löschen des Kontos werden alle Daten dauerhaft gelöscht und wir können sie nicht mehr abrufen. Wenn Sie fortfahren, wird Ihr Konto am <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span> gelöscht",
+  "v2.page.settings-delete-account.default.input-placeholder": "Geben Sie <b>{input}</b> ein, um zu bestätigen",
+  "v2.page.settings-delete-account.default.title": "Konto löschen",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-maximum": "Bitte geben Sie eine Zahl ein, die kleiner oder gleich {maximum} ist",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum": "Bitte geben Sie eine Zahl ein, die größer oder gleich {minimum} ist",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum-maximum": "Bitte geben Sie eine Zahl zwischen {minimum} und {maximum} ein",
+  "v2.page.settings-identity-add-email.default.email-input-placeholder": "Neue E-Mail-Adresse",
+  "v2.page.settings-identity-add-email.default.title": "Neue E-Mail hinzufügen",
+  "v2.page.settings-identity-add-phone.default.phone-input-placeholder": "Telefonnummer",
+  "v2.page.settings-identity-add-phone.default.title": "Neues Telefon hinzufügen",
+  "v2.page.settings-identity-change-primary-email.default.title": "Primäre E-Mail",
+  "v2.page.settings-identity-change-primary-phone.default.title": "Primäres Telefon",
+  "v2.page.settings-identity-edit-email.default.description": "Deine aktuelle E-Mail ist {target}",
+  "v2.page.settings-identity-edit-email.default.email-input-placeholder": "Neue E-Mail-Adresse",
+  "v2.page.settings-identity-edit-email.default.title": "E-Mail bearbeiten",
+  "v2.page.settings-identity-edit-phone.default.description": "Ihre aktuelle Telefonnummer ist {target}",
+  "v2.page.settings-identity-edit-phone.default.phone-input-placeholder": "Telefonnummer",
+  "v2.page.settings-identity-edit-phone.default.title": "Telefon bearbeiten",
+  "v2.page.settings-identity-edit-username.default.title": "Benutzernamen ändern",
+  "v2.page.settings-identity-email.default.title": "E-Mail",
+  "v2.page.settings-identity-list-email.default.button-add-email-label": "+ E-Mail hinzufügen",
+  "v2.page.settings-identity-list-email.default.button-change-primary-email-label": "Ändern",
+  "v2.page.settings-identity-list-email.default.primary-email-label": "Primäre E-Mail-Adresse",
+  "v2.page.settings-identity-list-phone.default.button-add-phone-label": "+ Neue Telefonnummer hinzufügen",
+  "v2.page.settings-identity-list-phone.default.button-change-primary-phone-label": "Ändern",
+  "v2.page.settings-identity-list-phone.default.primary-phone-label": "Primäres Telefon",
+  "v2.page.settings-identity-list-username.default.button-add-username-label": "+ Benutzernamen hinzufügen",
+  "v2.page.settings-identity-list-username.default.title": "Benutzername",
+  "v2.page.settings-identity-new-username.default.title": "Benutzernamen hinzufügen",
+  "v2.page.settings-identity-phone.default.title": "Telefon",
+  "v2.page.settings-identity-verify-email.default.title": "Verifizierung",
+  "v2.page.settings-identity-verify-phone.default.title": "Verifizierung",
+  "v2.page.settings-identity-view-email.default.button-edit-email-label": "Bearbeiten",
+  "v2.page.settings-identity-view-email.default.button-remove-email-label": "Diese E-Mail entfernen",
+  "v2.page.settings-identity-view-email.default.button-verify-email-label": "Verifizieren",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-description": "Sind Sie sicher, dass Sie die E-Mail-Adresse {target} von Ihrem Konto entfernen möchten?",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-title": "E-Mail-Adresse entfernen",
+  "v2.page.settings-identity-view-phone.default.button-edit-phone-label": "Bearbeiten",
+  "v2.page.settings-identity-view-phone.default.button-remove-phone-label": "Dieses Telefon entfernen",
+  "v2.page.settings-identity-view-phone.default.button-verify-phone-label": "Verifizieren",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-description": "Sind Sie sicher, dass Sie die Telefonnummer {target} von Ihrem Konto entfernen möchten?",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-title": "Telefonnummer entfernen",
+  "v2.page.settings-identity-view-username.default.button-remove-label": "Benutzernamen entfernen",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-description": "Sind Sie sicher, dass Sie den Benutzernamen <span class=\"settings-dialog__description-text--highlight\">{Username}</span> von Ihrem Konto entfernen möchten?",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-title": "Benutzernamen entfernen",
+  "v2.page.settings-identity-view-username.default.title": "Benutzername",
+  "v2.page.settings-identity.default.verification-status-unverified-label": "Nicht verifiziert",
+  "v2.page.settings-identity.default.verification-status-verified-label": "Verifiziert",
+  "v2.page.settings-mfa-create-password.default.title": "Zusätzliches Passwort",
+  "v2.page.settings-mfa-password.default.additional-password-added-at": "Hinzugefügt um <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.additional-password-label": "Zusätzliches Passwort",
+  "v2.page.settings-mfa-password.default.additional-password-updated-at": "Aktualisiert um <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.dialog-delete-description": "Sind Sie sicher, dass Sie das zusätzliche Passwort entfernen möchten?",
+  "v2.page.settings-mfa-password.default.dialog-delete-title": "Zusätzliches Passwort entfernen",
+  "v2.page.settings-mfa-password.default.remove-button-label": "Zusätzliches Passwort entfernen",
+  "v2.page.settings-mfa-password.default.title": "Zusätzliches Passwort",
+  "v2.page.settings-mfa.default.activated-label": "Aktiviert",
+  "v2.page.settings-mfa.default.additional-password-label": "Zusätzliches Passwort",
+  "v2.page.settings-mfa.default.dialog-revoke-device-description": "Sie haben {NumberOfDeviceTokens, plural, one{# vertrauenswürdiges Gerät} other{# vertrauenswürdige Geräte}}, die mit Ihrem Konto verknüpft sind. Möchten Sie alle vertrauenswürdigen Geräte entfernen?",
+  "v2.page.settings-mfa.default.dialog-revoke-device-title": "Vertrauenswürdige Geräte entfernen",
+  "v2.page.settings-mfa.default.inactive-label": "Inaktiv",
+  "v2.page.settings-mfa.default.secondary-oob-otp-email-label": "E-Mail",
+  "v2.page.settings-mfa.default.secondary-oob-otp-sms-label": "WhatsApp/SMS-Nachricht",
+  "v2.page.settings-mfa.default.secondary-totp-label": "Authenticator-App/Gerät",
+  "v2.page.settings-mfa.default.title": "2-Faktor-Authentifizierung",
+  "v2.page.settings-mfa.default.trusted-devices-has-device-tokens-message": "Sie haben {NumberOfDeviceTokens, plural, one{# vertrauenswürdiges Gerät} other{# vertrauenswürdige Geräte}}",
+  "v2.page.settings-mfa.default.trusted-devices-label": "Vertrauenswürdige Geräte",
+  "v2.page.settings-mfa.default.trusted-devices-no-device-tokens-message": "Sie haben keine vertrauenswürdigen Geräte, die die 2-Stufen-Verifizierung überspringen können.",
+  "v2.page.settings-oob-otp-email.default.title": "E-Mail",
+  "v2.page.settings-oob-otp-sms.default.title": "WhatsApp/SMS-Nachricht",
+  "v2.page.settings-oob-otp.default.added-at-label": "Hinzugefügt um <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-oob-otp.default.button-oob-otp-email-label": "+ E-Mail hinzufügen",
+  "v2.page.settings-oob-otp.default.button-oob-otp-sms-label": "+ WhatsApp/SMS-Telefonnummer hinzufügen",
+  "v2.page.settings-passkey.default.add-passkey-button-label": "+ Passkey hinzufügen",
+  "v2.page.settings-passkey.default.dialog-description": "Sind Sie sicher, dass Sie diese Passkey entfernen möchten?",
+  "v2.page.settings-passkey.default.dialog-title": "Passkey entfernen",
+  "v2.page.settings-passkey.default.item-description": "Hinzugefügt um <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-passkey.default.title": "Passkey",
   "v2.page.settings-profile-edit-address.default.country-label": "Land",
   "v2.page.settings-profile-edit-address.default.locality-label": "Stadt",
-  "v2.page.settings-profile-edit-address.default.navbar-title": "Adresse",
   "v2.page.settings-profile-edit-address.default.postal-code-label": "Postleitzahl",
   "v2.page.settings-profile-edit-address.default.region-label": "Region",
   "v2.page.settings-profile-edit-address.default.street-label": "Straßenadresse",
-  "v2.page.settings-profile-edit-birthdate.default.navbar-title": "Geburtsdatum",
+  "v2.page.settings-profile-edit-address.default.title": "Adresse",
+  "v2.page.settings-profile-edit-birthdate.default.title": "Geburtsdatum",
   "v2.page.settings-profile-edit-gender.default.gender-label-custom": "Benutzerdefiniert",
   "v2.page.settings-profile-edit-gender.default.gender-label-female": "Weiblich",
   "v2.page.settings-profile-edit-gender.default.gender-label-male": "Männlich",
   "v2.page.settings-profile-edit-gender.default.gender-label-unspecified": "Nicht angegeben",
   "v2.page.settings-profile-edit-gender.default.title": "Geschlecht",
-  "v2.page.settings-profile-edit-locale.default.navbar-title": "Sprache",
+  "v2.page.settings-profile-edit-locale.default.title": "Sprache",
   "v2.page.settings-profile-edit-name.default.family-name-input-label": "Nachname",
   "v2.page.settings-profile-edit-name.default.fullname-input-label": "Vollständiger Name",
   "v2.page.settings-profile-edit-name.default.given-name-input-label": "Vorname",
   "v2.page.settings-profile-edit-name.default.middle-name-input-label": "Zweiter Vorname",
-  "v2.page.settings-profile-edit-name.default.navbar-title": "Name",
   "v2.page.settings-profile-edit-name.default.nickname-input-label": "Spitzname",
-  "v2.page.settings-profile-edit-zoneinfo.default.navbar-title": "Zeitzone",
+  "v2.page.settings-profile-edit-name.default.title": "Name",
+  "v2.page.settings-profile-edit-zoneinfo.default.title": "Zeitzone",
   "v2.page.settings-profile-no-permission.default.content": "Nicht autorisiert",
   "v2.page.settings-profile-no-permission.default.title": "Unerwartete Probleme",
   "v2.page.settings-profile.default.address-title": "Adresse",
@@ -1146,9 +1241,21 @@
   "v2.page.settings-profile.default.gender-title": "Geschlecht",
   "v2.page.settings-profile.default.language-title": "Sprache",
   "v2.page.settings-profile.default.name-title": "Name",
-  "v2.page.settings-profile.default.navbar-title": "Profil",
   "v2.page.settings-profile.default.profile-picture-title": "Profilbild",
+  "v2.page.settings-profile.default.title": "Profil",
   "v2.page.settings-profile.default.zoneinfo-title": "Zeitzone",
+  "v2.page.settings-sessions.default.all-sessions-dialog-description": "Dies wird den Zugriff auf Ihr Konto von allen anderen Geräten entfernen",
+  "v2.page.settings-sessions.default.all-sessions-dialog-title": "Alle anderen Sitzungen beenden",
+  "v2.page.settings-sessions.default.country-ip-item-description": "{countryName} ({countryCode}) - {ip}",
+  "v2.page.settings-sessions.default.device-item-description": "{isCurrent, select, true {{desc} · <span class=\"settings-description--primary-color\">Jetzt aktiv</span>} other {{desc} · <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>}}",
+  "v2.page.settings-sessions.default.revoke-all-label": "Alle anderen Sitzungen beenden",
+  "v2.page.settings-sessions.default.session-dialog-description": "Dies wird den Zugriff auf Ihr Konto auf diesem Gerät entfernen",
+  "v2.page.settings-sessions.default.session-dialog-title": "Sitzung beenden",
+  "v2.page.settings-sessions.default.title": "Angemeldete Geräte",
+  "v2.page.settings-totp.default.added-at-label": "Hinzugefügt um <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-totp.default.button-add-authenticator-label": "+ Authenticator-App/Gerät hinzufügen",
+  "v2.page.settings-totp.default.title": "Authenticator-App/Gerät",
+  "v2.page.settings.default.button-label-account-deletion": "Konto löschen",
   "v2.page.settings.default.button-label-advanced-settings": "Erweiterte Einstellungen",
   "v2.page.settings.default.button-label-and-more": "{item} und mehr",
   "v2.page.settings.default.button-label-back-to-app": "Zurück zu meiner App",
diff --git a/resources/authgear/templates/el/translation.json b/resources/authgear/templates/el/translation.json
index a38916a8d7..2aed570eac 100644
--- a/resources/authgear/templates/el/translation.json
+++ b/resources/authgear/templates/el/translation.json
@@ -879,13 +879,17 @@
   "v2.component.bot-protection-widget.default.noscript": "Απαιτείται JavaScript για την επαλήθευση captcha. Παρακαλώ ενεργοποιήστε το JavaScript στον περιηγητή σας για να συνεχίσετε.",
   "v2.component.button.default.copy": "Αντιγραφή",
   "v2.component.button.default.download": "Λήψη",
+  "v2.component.button.default.label-cancel": "Ακύρωση",
   "v2.component.button.default.label-continue": "Συνέχεια",
   "v2.component.button.default.label-continue-with-passkey": "Συνέχεια με Passkey",
   "v2.component.button.default.label-continue-with-phone": "Συνέχεια με Αριθμό Τηλεφώνου",
   "v2.component.button.default.label-continue-with-text-login-id": "Συνέχεια με {variant, select, email {Email} username {Όνομα χρήστη} other {Email / Όνομα χρήστη}}",
+  "v2.component.button.default.label-edit": "Επεξεργασία",
   "v2.component.button.default.label-login": "Σύνδεση",
+  "v2.component.button.default.label-remove": "Αφαίρεση",
   "v2.component.button.default.label-save": "Αποθήκευση",
   "v2.component.button.default.label-send": "Αποστολή",
+  "v2.component.button.default.label-terminate": "Τερματισμός",
   "v2.component.device-token-checkbox.default.label": "Απομνημονεύστε αυτήν τη συσκευή και μην ρωτάτε ξανά",
   "v2.component.divider.default.or-label": "ή",
   "v2.component.input.default.placeholder-email": "Διεύθυνση email",
@@ -923,6 +927,7 @@
   "v2.component.oob-otp-resend-button.default.countdown-unit": "Επανάληψη αποστολής κωδικού σε %s",
   "v2.component.oob-otp-resend-button.default.label": "Επανάληψη αποστολής κωδικού",
   "v2.component.password-input.default.hide-password": "Απόκρυψη κωδικού πρόσβασης",
+  "v2.component.password-input.default.placeholder-confirm-new-password": "Επανεισάγετε νέο κωδικό πρόσβασης",
   "v2.component.password-input.default.placeholder-confirm-password": "Επαναλάβετε Κωδικό Πρόσβασης",
   "v2.component.password-input.default.placeholder-new-password": "Νέος Κωδικός Πρόσβασης",
   "v2.component.password-input.default.placeholder-password": "Τρέχων Κωδικός Πρόσβασης",
@@ -932,7 +937,6 @@
   "v2.component.select-input.default.no-results-found": "Δεν βρέθηκαν αποτελέσματα",
   "v2.component.select-input.default.not-provided-label": "Δεν παρασχέθηκε",
   "v2.component.select-input.default.search-label": "Αναζήτηση",
-  "v2.component.select-input.default.unset-label": "Μη ορισμένο",
   "v2.component.toc-pp-footer.default.label": "Με την εγγραφή, συμφωνείτε με τους <a class=\"link-btn\" target=\"_blank\" href=\"{termsOfService}\">Όρους Παροχής Υπηρεσιών</a> και την <a class=\"link-btn\" target=\"_blank\" href=\"{privacyPolicy}\">Πολιτική Απορρήτου</a>",
   "v2.component.verify-bot-protection.default.description": "Θα ανακατευθυνθείτε σύντομα αφού ολοκληρώσετε την πρόκληση",
   "v2.component.verify-bot-protection.default.title": "Έλεγχος του συστήματός σας...",
@@ -1115,26 +1119,117 @@
   "v2.page.select-account.default.description": "Έχετε συνδεθεί με {email_is_present,select,true{{email}} other{{phone_number_is_present,select,true{{phone_number}} other{{preferred_username}}}}}. Συνεχίστε για να προχωρήσετε.",
   "v2.page.select-account.default.title": "Συνδεθείτε στο {AppOrClientName}",
   "v2.page.select-account.default.use-another-account": "Χρησιμοποιήστε άλλον λογαριασμό",
+  "v2.page.settings-advanced-settings.default.title": "Προχωρημένες Ρυθμίσεις",
+  "v2.page.settings-biometric.default.dialog-description": "Είστε βέβαιοι ότι θέλετε να αποσυνδέσετε τη βιομετρική σύνδεση για αυτήν τη συσκευή;",
+  "v2.page.settings-biometric.default.dialog-title": "Αποσύνδεση Βιομετρικής Σύνδεσης",
+  "v2.page.settings-biometric.default.disconnect-button-label": "Αποσύνδεση",
+  "v2.page.settings-biometric.default.item-description": "Δημιουργήθηκε στις <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-biometric.default.no-biometric-description": "Δεν έχετε καμία συσκευή με ενεργοποιημένη βιομετρική σύνδεση.",
+  "v2.page.settings-biometric.default.title": "Βιομετρική Σύνδεση",
+  "v2.page.settings-biometric.default.unknown-name-item-label": "Άγνωστη Συσκευή",
+  "v2.page.settings-change-password.default.title": "Αλλαγή Κωδικού Πρόσβασης",
+  "v2.page.settings-delete-account-success.default.button-label": "Τέλος",
+  "v2.page.settings-delete-account-success.default.description": "Ο λογαριασμός σας έχει απενεργοποιηθεί και τα δεδομένα θα διαγραφούν στις <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account-success.default.title": "Η διαγραφή λογαριασμού έχει προγραμματιστεί",
+  "v2.page.settings-delete-account.default.button-label": "Διαγραφή Λογαριασμού",
+  "v2.page.settings-delete-account.default.description": "Με τη διαγραφή του λογαριασμού, όλα τα δεδομένα θα διαγραφούν οριστικά και δεν θα μπορούμε να τα ανακτήσουμε. Εάν συνεχίσετε, ο λογαριασμός σας θα διαγραφεί στις <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account.default.input-placeholder": "Πληκτρολογήστε <b>{input}</b> για επιβεβαίωση",
+  "v2.page.settings-delete-account.default.title": "Διαγραφή Λογαριασμού",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-maximum": "Παρακαλώ εισάγετε έναν αριθμό μικρότερο ή ίσο με {maximum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum": "Παρακαλώ εισάγετε έναν αριθμό μεγαλύτερο ή ίσο με {minimum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum-maximum": "Παρακαλώ εισάγετε έναν αριθμό μεταξύ {minimum} και {maximum}",
+  "v2.page.settings-identity-add-email.default.email-input-placeholder": "Νέα Διεύθυνση Ηλεκτρονικού Ταχυδρομείου",
+  "v2.page.settings-identity-add-email.default.title": "Προσθήκη Νέου Ηλεκτρονικού Ταχυδρομείου",
+  "v2.page.settings-identity-add-phone.default.phone-input-placeholder": "Αριθμός Τηλεφώνου",
+  "v2.page.settings-identity-add-phone.default.title": "Προσθήκη Νέου Τηλεφώνου",
+  "v2.page.settings-identity-change-primary-email.default.title": "Κύρια ηλεκτρονική διεύθυνση",
+  "v2.page.settings-identity-change-primary-phone.default.title": "Κύριο Τηλέφωνο",
+  "v2.page.settings-identity-edit-email.default.description": "Η τρέχουσα διεύθυνση ηλεκτρονικού ταχυδρομείου σας είναι {target}",
+  "v2.page.settings-identity-edit-email.default.email-input-placeholder": "Νέα Διεύθυνση Ηλεκτρονικού Ταχυδρομείου",
+  "v2.page.settings-identity-edit-email.default.title": "Επεξεργασία Ηλεκτρονικού Ταχυδρομείου",
+  "v2.page.settings-identity-edit-phone.default.description": "Ο τρέχων αριθμός τηλεφώνου σας είναι {target}",
+  "v2.page.settings-identity-edit-phone.default.phone-input-placeholder": "Αριθμός Τηλεφώνου",
+  "v2.page.settings-identity-edit-phone.default.title": "Επεξεργασία Τηλεφώνου",
+  "v2.page.settings-identity-edit-username.default.title": "Αλλαγή Ονόματος Χρήστη",
+  "v2.page.settings-identity-email.default.title": "Email",
+  "v2.page.settings-identity-list-email.default.button-add-email-label": "+ Προσθήκη email",
+  "v2.page.settings-identity-list-email.default.button-change-primary-email-label": "Αλλαγή",
+  "v2.page.settings-identity-list-email.default.primary-email-label": "Κύρια ηλεκτρονική διεύθυνση",
+  "v2.page.settings-identity-list-phone.default.button-add-phone-label": "+ Προσθήκη νέου αριθμού τηλεφώνου",
+  "v2.page.settings-identity-list-phone.default.button-change-primary-phone-label": "Αλλαγή",
+  "v2.page.settings-identity-list-phone.default.primary-phone-label": "Κύριο τηλέφωνο",
+  "v2.page.settings-identity-list-username.default.button-add-username-label": "+ Προσθήκη ονόματος χρήστη",
+  "v2.page.settings-identity-list-username.default.title": "Όνομα χρήστη",
+  "v2.page.settings-identity-new-username.default.title": "Προσθήκη Ονόματος Χρήστη",
+  "v2.page.settings-identity-phone.default.title": "Τηλέφωνο",
+  "v2.page.settings-identity-verify-email.default.title": "Επαλήθευση",
+  "v2.page.settings-identity-verify-phone.default.title": "Επαλήθευση",
+  "v2.page.settings-identity-view-email.default.button-edit-email-label": "Επεξεργασία",
+  "v2.page.settings-identity-view-email.default.button-remove-email-label": "Αφαίρεση αυτού του email",
+  "v2.page.settings-identity-view-email.default.button-verify-email-label": "Επαλήθευση",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-description": "Είστε σίγουροι ότι θέλετε να αφαιρέσετε τη διεύθυνση email {target} από τον λογαριασμό σας;",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-title": "Αφαίρεση Διεύθυνσης Email",
+  "v2.page.settings-identity-view-phone.default.button-edit-phone-label": "Επεξεργασία",
+  "v2.page.settings-identity-view-phone.default.button-remove-phone-label": "Αφαίρεση αυτού του τηλεφώνου",
+  "v2.page.settings-identity-view-phone.default.button-verify-phone-label": "Επαλήθευση",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-description": "Είστε βέβαιοι ότι θέλετε να αφαιρέσετε τον αριθμό τηλεφώνου {target} από τον λογαριασμό σας;",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-title": "Αφαίρεση Αριθμού Τηλεφώνου",
+  "v2.page.settings-identity-view-username.default.button-remove-label": "Αφαίρεση ονόματος χρήστη",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-description": "Είστε βέβαιοι ότι θέλετε να αφαιρέσετε το όνομα χρήστη <span class=\"settings-dialog__description-text--highlight\">{Username}</span> από τον λογαριασμό σας;",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-title": "Αφαίρεση Ονόματος Χρήστη",
+  "v2.page.settings-identity-view-username.default.title": "Όνομα Χρήστη",
+  "v2.page.settings-identity.default.verification-status-unverified-label": "Μη επαληθευμένο",
+  "v2.page.settings-identity.default.verification-status-verified-label": "Επαληθευμένο",
+  "v2.page.settings-mfa-create-password.default.title": "Πρόσθετος κωδικός πρόσβασης",
+  "v2.page.settings-mfa-password.default.additional-password-added-at": "Προστέθηκε στις <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.additional-password-label": "Πρόσθετος κωδικός πρόσβασης",
+  "v2.page.settings-mfa-password.default.additional-password-updated-at": "Ενημερώθηκε στις <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.dialog-delete-description": "Είστε σίγουροι ότι θέλετε να αφαιρέσετε τον πρόσθετο κωδικό πρόσβασης;",
+  "v2.page.settings-mfa-password.default.dialog-delete-title": "Αφαίρεση πρόσθετου κωδικού πρόσβασης",
+  "v2.page.settings-mfa-password.default.remove-button-label": "Αφαίρεση πρόσθετου κωδικού πρόσβασης",
+  "v2.page.settings-mfa-password.default.title": "Πρόσθετος κωδικός πρόσβασης",
+  "v2.page.settings-mfa.default.activated-label": "Ενεργοποιημένο",
+  "v2.page.settings-mfa.default.additional-password-label": "Πρόσθετος κωδικός πρόσβασης",
+  "v2.page.settings-mfa.default.dialog-revoke-device-description": "Έχετε {NumberOfDeviceTokens, plural, one{# έμπιστη συσκευή} other{# έμπιστες συσκευές}} συσκευές που σχετίζονται με τον λογαριασμό σας. Θέλετε να αφαιρέσετε όλες τις έμπιστες συσκευές;",
+  "v2.page.settings-mfa.default.dialog-revoke-device-title": "Αφαίρεση έμπιστων συσκευών",
+  "v2.page.settings-mfa.default.inactive-label": "Ανενεργό",
+  "v2.page.settings-mfa.default.secondary-oob-otp-email-label": "Email",
+  "v2.page.settings-mfa.default.secondary-oob-otp-sms-label": "Μήνυμα Whatsapp/SMS",
+  "v2.page.settings-mfa.default.secondary-totp-label": "Εφαρμογή/συσκευή ελέγχου ταυτότητας",
+  "v2.page.settings-mfa.default.title": "Έλεγχος Ταυτότητας Δύο Παραγόντων (2-Factor Authentication)",
+  "v2.page.settings-mfa.default.trusted-devices-has-device-tokens-message": "Έχετε {NumberOfDeviceTokens, plural, one{# έμπιστη συσκευή} other{# έμπιστες συσκευές}}",
+  "v2.page.settings-mfa.default.trusted-devices-label": "Έμπιστες συσκευές",
+  "v2.page.settings-mfa.default.trusted-devices-no-device-tokens-message": "Δεν έχετε καμία έμπιστη συσκευή που μπορεί να παρακάμψει την επαλήθευση ταυτότητας δύο παραγόντων (2-step verification).",
+  "v2.page.settings-oob-otp-email.default.title": "Ηλεκτρονικό ταχυδρομείο",
+  "v2.page.settings-oob-otp-sms.default.title": "Μήνυμα WhatsApp/SMS",
+  "v2.page.settings-oob-otp.default.added-at-label": "Προστέθηκε στις <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-oob-otp.default.button-oob-otp-email-label": "+ Προσθήκη ηλεκτρονικού ταχυδρομείου",
+  "v2.page.settings-oob-otp.default.button-oob-otp-sms-label": "+ Προσθήκη αριθμού τηλεφώνου WhatsApp/SMS",
+  "v2.page.settings-passkey.default.add-passkey-button-label": "+ Προσθήκη Passkey",
+  "v2.page.settings-passkey.default.dialog-description": "Είστε βέβαιοι ότι θέλετε να αφαιρέσετε αυτό το κλειδί πρόσβασης;",
+  "v2.page.settings-passkey.default.dialog-title": "Αφαίρεση Κλειδιού Πρόσβασης",
+  "v2.page.settings-passkey.default.item-description": "Προστέθηκε στις <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-passkey.default.title": "Κλειδί Πρόσβασης",
   "v2.page.settings-profile-edit-address.default.country-label": "Χώρα",
   "v2.page.settings-profile-edit-address.default.locality-label": "Πόλη",
-  "v2.page.settings-profile-edit-address.default.navbar-title": "Διεύθυνση",
   "v2.page.settings-profile-edit-address.default.postal-code-label": "Ταχυδρομικός κώδικας",
   "v2.page.settings-profile-edit-address.default.region-label": "Περιοχή",
   "v2.page.settings-profile-edit-address.default.street-label": "Οδός",
-  "v2.page.settings-profile-edit-birthdate.default.navbar-title": "Ημερομηνία γέννησης",
+  "v2.page.settings-profile-edit-address.default.title": "Διεύθυνση",
+  "v2.page.settings-profile-edit-birthdate.default.title": "Ημερομηνία γέννησης",
   "v2.page.settings-profile-edit-gender.default.gender-label-custom": "Προσαρμοσμένο",
   "v2.page.settings-profile-edit-gender.default.gender-label-female": "Γυναίκα",
   "v2.page.settings-profile-edit-gender.default.gender-label-male": "Άνδρας",
   "v2.page.settings-profile-edit-gender.default.gender-label-unspecified": "Δεν παρασχέθηκε",
   "v2.page.settings-profile-edit-gender.default.title": "Φύλο",
-  "v2.page.settings-profile-edit-locale.default.navbar-title": "Γλώσσα",
+  "v2.page.settings-profile-edit-locale.default.title": "Γλώσσα",
   "v2.page.settings-profile-edit-name.default.family-name-input-label": "Επώνυμο",
   "v2.page.settings-profile-edit-name.default.fullname-input-label": "Πλήρες όνομα",
   "v2.page.settings-profile-edit-name.default.given-name-input-label": "Όνομα",
   "v2.page.settings-profile-edit-name.default.middle-name-input-label": "Μεσαίο όνομα",
-  "v2.page.settings-profile-edit-name.default.navbar-title": "Όνομα",
   "v2.page.settings-profile-edit-name.default.nickname-input-label": "Παρατσούκλι",
-  "v2.page.settings-profile-edit-zoneinfo.default.navbar-title": "Ζώνη ώρας",
+  "v2.page.settings-profile-edit-name.default.title": "Όνομα",
+  "v2.page.settings-profile-edit-zoneinfo.default.title": "Ζώνη ώρας",
   "v2.page.settings-profile-no-permission.default.content": "Μη εξουσιοδοτημένος",
   "v2.page.settings-profile-no-permission.default.title": "Απροσδόκητα Προβλήματα",
   "v2.page.settings-profile.default.address-title": "Διεύθυνση",
@@ -1146,9 +1241,21 @@
   "v2.page.settings-profile.default.gender-title": "Φύλο",
   "v2.page.settings-profile.default.language-title": "Γλώσσα",
   "v2.page.settings-profile.default.name-title": "Όνομα",
-  "v2.page.settings-profile.default.navbar-title": "Προφίλ",
   "v2.page.settings-profile.default.profile-picture-title": "Εικόνα Προφίλ",
+  "v2.page.settings-profile.default.title": "Προφίλ",
   "v2.page.settings-profile.default.zoneinfo-title": "Ζώνη Ώρας",
+  "v2.page.settings-sessions.default.all-sessions-dialog-description": "Αυτό θα αφαιρέσει την πρόσβαση στον λογαριασμό σας από όλες τις άλλες συσκευές",
+  "v2.page.settings-sessions.default.all-sessions-dialog-title": "Τερματισμός όλων των άλλων συνεδριών",
+  "v2.page.settings-sessions.default.country-ip-item-description": "{countryName} ({countryCode}) - {ip}",
+  "v2.page.settings-sessions.default.device-item-description": "{isCurrent, select, true {{desc} · <span class=\"settings-description--primary-color\">Ενεργό Τώρα</span>} other {{desc} · <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>}}",
+  "v2.page.settings-sessions.default.revoke-all-label": "Τερματισμός όλων των άλλων συνεδριών",
+  "v2.page.settings-sessions.default.session-dialog-description": "Αυτό θα αφαιρέσει την πρόσβαση στον λογαριασμό σας σε αυτή τη συσκευή",
+  "v2.page.settings-sessions.default.session-dialog-title": "Τερματισμός συνεδρίας",
+  "v2.page.settings-sessions.default.title": "Συνδεδεμένες Συσκευές",
+  "v2.page.settings-totp.default.added-at-label": "Προστέθηκε στις <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-totp.default.button-add-authenticator-label": "+ Προσθήκη εφαρμογής/συσκευής ελέγχου ταυτότητας",
+  "v2.page.settings-totp.default.title": "Εφαρμογή/συσκευή ελέγχου ταυτότητας",
+  "v2.page.settings.default.button-label-account-deletion": "Διαγραφή Λογαριασμού",
   "v2.page.settings.default.button-label-advanced-settings": "Προχωρημένες Ρυθμίσεις",
   "v2.page.settings.default.button-label-and-more": "{item} και περισσότερα",
   "v2.page.settings.default.button-label-back-to-app": "Επιστροφή στην εφαρμογή μου",
diff --git a/resources/authgear/templates/en/translation.json b/resources/authgear/templates/en/translation.json
index 4e3e6e71f2..5d6bf33d1a 100644
--- a/resources/authgear/templates/en/translation.json
+++ b/resources/authgear/templates/en/translation.json
@@ -1124,8 +1124,8 @@
   "v2.page.settings-biometric.default.dialog-title": "Disconnect Biometric Login",
   "v2.page.settings-biometric.default.disconnect-button-label": "Disconnect",
   "v2.page.settings-biometric.default.item-description": "Created at <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
-  "v2.page.settings-biometric.default.title": "Biometric Login",
   "v2.page.settings-biometric.default.no-biometric-description": "You do not have any devices with biometrics enabled.",
+  "v2.page.settings-biometric.default.title": "Biometric Login",
   "v2.page.settings-biometric.default.unknown-name-item-label": "Unknown Device",
   "v2.page.settings-change-password.default.title": "Change Password",
   "v2.page.settings-delete-account-success.default.button-label": "Done",
@@ -1140,16 +1140,16 @@
   "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum-maximum": "Please enter a number between {minimum} and {maximum}",
   "v2.page.settings-identity-add-email.default.email-input-placeholder": "New Email Address",
   "v2.page.settings-identity-add-email.default.title": "Add New Email",
-  "v2.page.settings-identity-add-phone.default.title": "Add New Phone",
   "v2.page.settings-identity-add-phone.default.phone-input-placeholder": "Phone Number",
+  "v2.page.settings-identity-add-phone.default.title": "Add New Phone",
   "v2.page.settings-identity-change-primary-email.default.title": "Primary Email",
   "v2.page.settings-identity-change-primary-phone.default.title": "Primary Phone",
   "v2.page.settings-identity-edit-email.default.description": "Your current email is {target}",
   "v2.page.settings-identity-edit-email.default.email-input-placeholder": "New Email Address",
   "v2.page.settings-identity-edit-email.default.title": "Edit Email",
   "v2.page.settings-identity-edit-phone.default.description": "Your current phone number is {target}",
-  "v2.page.settings-identity-edit-phone.default.title": "Edit Phone",
   "v2.page.settings-identity-edit-phone.default.phone-input-placeholder": "Phone Number",
+  "v2.page.settings-identity-edit-phone.default.title": "Edit Phone",
   "v2.page.settings-identity-edit-username.default.title": "Change Username",
   "v2.page.settings-identity-email.default.title": "Email",
   "v2.page.settings-identity-list-email.default.button-add-email-label": "+ Add new email",
@@ -1186,17 +1186,17 @@
   "v2.page.settings-mfa-password.default.additional-password-updated-at": "Updated at <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
   "v2.page.settings-mfa-password.default.dialog-delete-description": "Are you sure you want to remove additional password?",
   "v2.page.settings-mfa-password.default.dialog-delete-title": "Remove additional password",
-  "v2.page.settings-mfa-password.default.title": "Additional password",
   "v2.page.settings-mfa-password.default.remove-button-label": "Remove additional password",
+  "v2.page.settings-mfa-password.default.title": "Additional password",
   "v2.page.settings-mfa.default.activated-label": "Activated",
   "v2.page.settings-mfa.default.additional-password-label": "Additional password",
   "v2.page.settings-mfa.default.dialog-revoke-device-description": "You have {NumberOfDeviceTokens, plural, one{# trusted device} other{# trusted devices}} trusted devices associated with your account. Do you want to remove all trusted devices?",
   "v2.page.settings-mfa.default.dialog-revoke-device-title": "Remove trusted devices",
   "v2.page.settings-mfa.default.inactive-label": "Inactive",
-  "v2.page.settings-mfa.default.title": "2-Factor Authentication",
   "v2.page.settings-mfa.default.secondary-oob-otp-email-label": "Email",
   "v2.page.settings-mfa.default.secondary-oob-otp-sms-label": "WhatsApp/SMS message",
   "v2.page.settings-mfa.default.secondary-totp-label": "Authenticator app/device",
+  "v2.page.settings-mfa.default.title": "2-Factor Authentication",
   "v2.page.settings-mfa.default.trusted-devices-has-device-tokens-message": "You have {NumberOfDeviceTokens, plural, one{# trusted device} other{# trusted devices}}",
   "v2.page.settings-mfa.default.trusted-devices-label": "Trusted devices",
   "v2.page.settings-mfa.default.trusted-devices-no-device-tokens-message": "You do not have any trusted devices that can skip 2-step verification.",
@@ -1212,10 +1212,10 @@
   "v2.page.settings-passkey.default.title": "Passkey",
   "v2.page.settings-profile-edit-address.default.country-label": "Country",
   "v2.page.settings-profile-edit-address.default.locality-label": "City",
-  "v2.page.settings-profile-edit-address.default.title": "Address",
   "v2.page.settings-profile-edit-address.default.postal-code-label": "Postal code",
   "v2.page.settings-profile-edit-address.default.region-label": "Region",
   "v2.page.settings-profile-edit-address.default.street-label": "Street address",
+  "v2.page.settings-profile-edit-address.default.title": "Address",
   "v2.page.settings-profile-edit-birthdate.default.title": "Birthdate",
   "v2.page.settings-profile-edit-gender.default.gender-label-custom": "Custom",
   "v2.page.settings-profile-edit-gender.default.gender-label-female": "Female",
@@ -1227,8 +1227,8 @@
   "v2.page.settings-profile-edit-name.default.fullname-input-label": "Full name",
   "v2.page.settings-profile-edit-name.default.given-name-input-label": "First name",
   "v2.page.settings-profile-edit-name.default.middle-name-input-label": "Middle name",
-  "v2.page.settings-profile-edit-name.default.title": "Name",
   "v2.page.settings-profile-edit-name.default.nickname-input-label": "Nick name",
+  "v2.page.settings-profile-edit-name.default.title": "Name",
   "v2.page.settings-profile-edit-zoneinfo.default.title": "Timezone",
   "v2.page.settings-profile-no-permission.default.content": "Not authorized",
   "v2.page.settings-profile-no-permission.default.title": "Unexpected Issues",
@@ -1241,17 +1241,17 @@
   "v2.page.settings-profile.default.gender-title": "Gender",
   "v2.page.settings-profile.default.language-title": "Language",
   "v2.page.settings-profile.default.name-title": "Name",
-  "v2.page.settings-profile.default.title": "Profile",
   "v2.page.settings-profile.default.profile-picture-title": "Profile Picture",
+  "v2.page.settings-profile.default.title": "Profile",
   "v2.page.settings-profile.default.zoneinfo-title": "Timezone",
   "v2.page.settings-sessions.default.all-sessions-dialog-description": "This will remove access to your account from all other devices",
   "v2.page.settings-sessions.default.all-sessions-dialog-title": "Terminate all other sessions",
   "v2.page.settings-sessions.default.country-ip-item-description": "{countryName} ({countryCode}) - {ip}",
   "v2.page.settings-sessions.default.device-item-description": "{isCurrent, select, true {{desc} · <span class=\"settings-description--primary-color\">Active Now</span>} other {{desc} · <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>}}",
-  "v2.page.settings-sessions.default.title": "Signed in Devices",
   "v2.page.settings-sessions.default.revoke-all-label": "Terminate all other sessions",
   "v2.page.settings-sessions.default.session-dialog-description": "This will remove access to your account on this device",
   "v2.page.settings-sessions.default.session-dialog-title": "Terminate session",
+  "v2.page.settings-sessions.default.title": "Signed in Devices",
   "v2.page.settings-totp.default.added-at-label": "Added at <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
   "v2.page.settings-totp.default.button-add-authenticator-label": "+ Add authenticator app/device",
   "v2.page.settings-totp.default.title": "Authenticator app/device",
diff --git a/resources/authgear/templates/es-419/translation.json b/resources/authgear/templates/es-419/translation.json
index 292f34fcf3..90109d9d5b 100644
--- a/resources/authgear/templates/es-419/translation.json
+++ b/resources/authgear/templates/es-419/translation.json
@@ -879,13 +879,17 @@
   "v2.component.bot-protection-widget.default.noscript": "Se requiere JavaScript para la verificación de captcha. Por favor, habilite JavaScript en su navegador para continuar.",
   "v2.component.button.default.copy": "Copiar",
   "v2.component.button.default.download": "Descargar",
+  "v2.component.button.default.label-cancel": "Cancelar",
   "v2.component.button.default.label-continue": "Continuar",
   "v2.component.button.default.label-continue-with-passkey": "Continuar con Passkey",
   "v2.component.button.default.label-continue-with-phone": "Continuar con el número de teléfono",
   "v2.component.button.default.label-continue-with-text-login-id": "Continuar con {variant, select, email {Correo electrónico} username {Nombre de usuario} other {Correo electrónico / Nombre de usuario}}",
+  "v2.component.button.default.label-edit": "Editar",
   "v2.component.button.default.label-login": "Iniciar sesión",
+  "v2.component.button.default.label-remove": "Eliminar",
   "v2.component.button.default.label-save": "Guardar",
   "v2.component.button.default.label-send": "Enviar",
+  "v2.component.button.default.label-terminate": "Terminar",
   "v2.component.device-token-checkbox.default.label": "Recordar este dispositivo y no preguntar de nuevo",
   "v2.component.divider.default.or-label": "o",
   "v2.component.input.default.placeholder-email": "Dirección de correo electrónico",
@@ -923,6 +927,7 @@
   "v2.component.oob-otp-resend-button.default.countdown-unit": "Reenviar código en %s",
   "v2.component.oob-otp-resend-button.default.label": "Reenviar código",
   "v2.component.password-input.default.hide-password": "Ocultar contraseña",
+  "v2.component.password-input.default.placeholder-confirm-new-password": "Vuelva a ingresar la nueva contraseña",
   "v2.component.password-input.default.placeholder-confirm-password": "Vuelve a ingresar la contraseña",
   "v2.component.password-input.default.placeholder-new-password": "Nueva contraseña",
   "v2.component.password-input.default.placeholder-password": "Contraseña actual",
@@ -932,7 +937,6 @@
   "v2.component.select-input.default.no-results-found": "No se encontraron resultados",
   "v2.component.select-input.default.not-provided-label": "No proporcionado",
   "v2.component.select-input.default.search-label": "Buscar",
-  "v2.component.select-input.default.unset-label": "Sin establecer",
   "v2.component.toc-pp-footer.default.label": "Al registrarte, aceptas los {variant, select, both{<a class=\"link-btn\" target=\"_blank\" href=\"{termsOfService}\">Términos de Servicio</a> y <a class=\"link-btn\" target=\"_blank\" href=\"{privacyPolicy}\">Política de Privacidad</a>} termsOnly{<a class=\"link\" target=\"_blank\" href=\"{termsOfService}\">Términos de Servicio</a>} privacyOnly{<a class=\"link\" target=\"_blank\" href=\"{privacyPolicy}\">Política de Privacidad</a>} other{}}",
   "v2.component.verify-bot-protection.default.description": "Serás redirigido poco después de que completes el desafío",
   "v2.component.verify-bot-protection.default.title": "Verificando tu sistema...",
@@ -1115,26 +1119,117 @@
   "v2.page.select-account.default.description": "Has iniciado sesión con {email_is_present,select,true{{email}} other{{phone_number_is_present,select,true{{phone_number}} other{{preferred_username}}}}}. Procede para continuar.",
   "v2.page.select-account.default.title": "Iniciar sesión en {AppOrClientName}",
   "v2.page.select-account.default.use-another-account": "Usar otra cuenta",
+  "v2.page.settings-advanced-settings.default.title": "Configuración avanzada",
+  "v2.page.settings-biometric.default.dialog-description": "¿Estás seguro de que deseas desconectar el inicio de sesión biométrico para este dispositivo?",
+  "v2.page.settings-biometric.default.dialog-title": "Desconectar inicio de sesión biométrico",
+  "v2.page.settings-biometric.default.disconnect-button-label": "Desconectar",
+  "v2.page.settings-biometric.default.item-description": "Creado a las <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-biometric.default.no-biometric-description": "No tienes ningún dispositivo con biométricos habilitados.",
+  "v2.page.settings-biometric.default.title": "Inicio de sesión biométrico",
+  "v2.page.settings-biometric.default.unknown-name-item-label": "Dispositivo desconocido",
+  "v2.page.settings-change-password.default.title": "Cambiar contraseña",
+  "v2.page.settings-delete-account-success.default.button-label": "Listo",
+  "v2.page.settings-delete-account-success.default.description": "Tu cuenta ha sido desactivada y los datos serán eliminados el <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account-success.default.title": "Eliminación de cuenta programada",
+  "v2.page.settings-delete-account.default.button-label": "Eliminar cuenta",
+  "v2.page.settings-delete-account.default.description": "Al eliminar la cuenta, todos los datos se eliminarán permanentemente y no podremos recuperarlos. Si continúas, tu cuenta será eliminada el <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account.default.input-placeholder": "Escribe <b>{input}</b> para confirmar",
+  "v2.page.settings-delete-account.default.title": "Eliminar cuenta",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-maximum": "Por favor ingrese un número menor o igual a {maximum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum": "Por favor ingrese un número mayor o igual a {minimum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum-maximum": "Por favor ingrese un número entre {minimum} y {maximum}",
+  "v2.page.settings-identity-add-email.default.email-input-placeholder": "Nueva dirección de correo electrónico",
+  "v2.page.settings-identity-add-email.default.title": "Agregar nuevo correo electrónico",
+  "v2.page.settings-identity-add-phone.default.phone-input-placeholder": "Número de teléfono",
+  "v2.page.settings-identity-add-phone.default.title": "Agregar nuevo teléfono",
+  "v2.page.settings-identity-change-primary-email.default.title": "Correo electrónico principal",
+  "v2.page.settings-identity-change-primary-phone.default.title": "Teléfono principal",
+  "v2.page.settings-identity-edit-email.default.description": "Tu correo electrónico actual es {target}",
+  "v2.page.settings-identity-edit-email.default.email-input-placeholder": "Nueva dirección de correo electrónico",
+  "v2.page.settings-identity-edit-email.default.title": "Editar correo electrónico",
+  "v2.page.settings-identity-edit-phone.default.description": "Tu número de teléfono actual es {target}",
+  "v2.page.settings-identity-edit-phone.default.phone-input-placeholder": "Número de teléfono",
+  "v2.page.settings-identity-edit-phone.default.title": "Editar teléfono",
+  "v2.page.settings-identity-edit-username.default.title": "Cambiar nombre de usuario",
+  "v2.page.settings-identity-email.default.title": "Correo electrónico",
+  "v2.page.settings-identity-list-email.default.button-add-email-label": "+ Agregar correo electrónico",
+  "v2.page.settings-identity-list-email.default.button-change-primary-email-label": "Cambiar",
+  "v2.page.settings-identity-list-email.default.primary-email-label": "Correo electrónico principal",
+  "v2.page.settings-identity-list-phone.default.button-add-phone-label": "+ Agregar nuevo número de teléfono",
+  "v2.page.settings-identity-list-phone.default.button-change-primary-phone-label": "Cambiar",
+  "v2.page.settings-identity-list-phone.default.primary-phone-label": "teléfono principal",
+  "v2.page.settings-identity-list-username.default.button-add-username-label": "+ Agregar nombre de usuario",
+  "v2.page.settings-identity-list-username.default.title": "Nombre de usuario",
+  "v2.page.settings-identity-new-username.default.title": "Agregar nombre de usuario",
+  "v2.page.settings-identity-phone.default.title": "Teléfono",
+  "v2.page.settings-identity-verify-email.default.title": "Verificación",
+  "v2.page.settings-identity-verify-phone.default.title": "Verificación",
+  "v2.page.settings-identity-view-email.default.button-edit-email-label": "Editar",
+  "v2.page.settings-identity-view-email.default.button-remove-email-label": "Eliminar este correo electrónico",
+  "v2.page.settings-identity-view-email.default.button-verify-email-label": "Verificar",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-description": "¿Estás seguro de que quieres eliminar la dirección de correo electrónico {target} de tu cuenta?",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-title": "Eliminar dirección de correo electrónico",
+  "v2.page.settings-identity-view-phone.default.button-edit-phone-label": "Editar",
+  "v2.page.settings-identity-view-phone.default.button-remove-phone-label": "Eliminar este teléfono",
+  "v2.page.settings-identity-view-phone.default.button-verify-phone-label": "Verificar",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-description": "¿Estás seguro de que quieres eliminar el número de teléfono {target} de tu cuenta?",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-title": "Eliminar número de teléfono",
+  "v2.page.settings-identity-view-username.default.button-remove-label": "Eliminar nombre de usuario",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-description": "¿Estás seguro de que deseas eliminar el nombre de usuario <span class=\"settings-dialog__description-text--highlight\">{Username}</span> de tu cuenta?",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-title": "Eliminar nombre de usuario",
+  "v2.page.settings-identity-view-username.default.title": "Nombre de usuario",
+  "v2.page.settings-identity.default.verification-status-unverified-label": "No verificado",
+  "v2.page.settings-identity.default.verification-status-verified-label": "Verificado",
+  "v2.page.settings-mfa-create-password.default.title": "Contraseña adicional",
+  "v2.page.settings-mfa-password.default.additional-password-added-at": "Agregada a las <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.additional-password-label": "Contraseña adicional",
+  "v2.page.settings-mfa-password.default.additional-password-updated-at": "Actualizada a las <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.dialog-delete-description": "¿Estás seguro de que deseas eliminar la contraseña adicional?",
+  "v2.page.settings-mfa-password.default.dialog-delete-title": "Eliminar contraseña adicional",
+  "v2.page.settings-mfa-password.default.remove-button-label": "Eliminar contraseña adicional",
+  "v2.page.settings-mfa-password.default.title": "Contraseña adicional",
+  "v2.page.settings-mfa.default.activated-label": "Activada",
+  "v2.page.settings-mfa.default.additional-password-label": "Contraseña adicional",
+  "v2.page.settings-mfa.default.dialog-revoke-device-description": "Tienes {NumberOfDeviceTokens, plural, one{# dispositivo de confianza} other{# dispositivos de confianza}} asociados con tu cuenta. ¿Deseas eliminar todos los dispositivos de confianza?",
+  "v2.page.settings-mfa.default.dialog-revoke-device-title": "Eliminar dispositivos de confianza",
+  "v2.page.settings-mfa.default.inactive-label": "Inactiva",
+  "v2.page.settings-mfa.default.secondary-oob-otp-email-label": "Correo electrónico",
+  "v2.page.settings-mfa.default.secondary-oob-otp-sms-label": "Mensaje de Whatsapp/SMS",
+  "v2.page.settings-mfa.default.secondary-totp-label": "Aplicación/dispositivo de autenticación",
+  "v2.page.settings-mfa.default.title": "Autenticación de 2 Factores",
+  "v2.page.settings-mfa.default.trusted-devices-has-device-tokens-message": "Tienes {NumberOfDeviceTokens, plural, one{# dispositivo de confianza} other{# dispositivos de confianza}}",
+  "v2.page.settings-mfa.default.trusted-devices-label": "Dispositivos de confianza",
+  "v2.page.settings-mfa.default.trusted-devices-no-device-tokens-message": "No tienes ningún dispositivo de confianza que pueda omitir la verificación de 2 pasos.",
+  "v2.page.settings-oob-otp-email.default.title": "Correo electrónico",
+  "v2.page.settings-oob-otp-sms.default.title": "Mensaje de WhatsApp/SMS",
+  "v2.page.settings-oob-otp.default.added-at-label": "Agregado a las <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-oob-otp.default.button-oob-otp-email-label": "+ Agregar correo electrónico",
+  "v2.page.settings-oob-otp.default.button-oob-otp-sms-label": "+ Agregar número de teléfono de WhatsApp/SMS",
+  "v2.page.settings-passkey.default.add-passkey-button-label": "+ Agregar passkey",
+  "v2.page.settings-passkey.default.dialog-description": "¿Está seguro de que desea eliminar esta passkey?",
+  "v2.page.settings-passkey.default.dialog-title": "Eliminar Passkey",
+  "v2.page.settings-passkey.default.item-description": "Agregado a las <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-passkey.default.title": "Passkey",
   "v2.page.settings-profile-edit-address.default.country-label": "País",
   "v2.page.settings-profile-edit-address.default.locality-label": "Ciudad",
-  "v2.page.settings-profile-edit-address.default.navbar-title": "Dirección",
   "v2.page.settings-profile-edit-address.default.postal-code-label": "Código postal",
   "v2.page.settings-profile-edit-address.default.region-label": "Región",
   "v2.page.settings-profile-edit-address.default.street-label": "Dirección de calle",
-  "v2.page.settings-profile-edit-birthdate.default.navbar-title": "Fecha de nacimiento",
+  "v2.page.settings-profile-edit-address.default.title": "Dirección",
+  "v2.page.settings-profile-edit-birthdate.default.title": "Fecha de nacimiento",
   "v2.page.settings-profile-edit-gender.default.gender-label-custom": "Personalizado",
   "v2.page.settings-profile-edit-gender.default.gender-label-female": "Femenino",
   "v2.page.settings-profile-edit-gender.default.gender-label-male": "Masculino",
   "v2.page.settings-profile-edit-gender.default.gender-label-unspecified": "No proporcionado",
   "v2.page.settings-profile-edit-gender.default.title": "Género",
-  "v2.page.settings-profile-edit-locale.default.navbar-title": "Idioma",
+  "v2.page.settings-profile-edit-locale.default.title": "Idioma",
   "v2.page.settings-profile-edit-name.default.family-name-input-label": "Apellido",
   "v2.page.settings-profile-edit-name.default.fullname-input-label": "Nombre completo",
   "v2.page.settings-profile-edit-name.default.given-name-input-label": "Nombre",
   "v2.page.settings-profile-edit-name.default.middle-name-input-label": "Segundo nombre",
-  "v2.page.settings-profile-edit-name.default.navbar-title": "Nombre",
   "v2.page.settings-profile-edit-name.default.nickname-input-label": "Apodo",
-  "v2.page.settings-profile-edit-zoneinfo.default.navbar-title": "Zona horaria",
+  "v2.page.settings-profile-edit-name.default.title": "Nombre",
+  "v2.page.settings-profile-edit-zoneinfo.default.title": "Zona horaria",
   "v2.page.settings-profile-no-permission.default.content": "No autorizado",
   "v2.page.settings-profile-no-permission.default.title": "Problemas inesperados",
   "v2.page.settings-profile.default.address-title": "Dirección",
@@ -1146,9 +1241,21 @@
   "v2.page.settings-profile.default.gender-title": "Género",
   "v2.page.settings-profile.default.language-title": "Idioma",
   "v2.page.settings-profile.default.name-title": "Nombre",
-  "v2.page.settings-profile.default.navbar-title": "Perfil",
   "v2.page.settings-profile.default.profile-picture-title": "Foto de perfil",
+  "v2.page.settings-profile.default.title": "Perfil",
   "v2.page.settings-profile.default.zoneinfo-title": "Zona horaria",
+  "v2.page.settings-sessions.default.all-sessions-dialog-description": "Esto eliminará el acceso a tu cuenta desde todos los demás dispositivos",
+  "v2.page.settings-sessions.default.all-sessions-dialog-title": "Terminar todas las demás sesiones",
+  "v2.page.settings-sessions.default.country-ip-item-description": "{countryName} ({countryCode}) - {ip}",
+  "v2.page.settings-sessions.default.device-item-description": "{isCurrent, select, true {{desc} · <span class=\"settings-description--primary-color\">Activo ahora</span>} other {{desc} · <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>}}",
+  "v2.page.settings-sessions.default.revoke-all-label": "Terminar todas las demás sesiones",
+  "v2.page.settings-sessions.default.session-dialog-description": "Esto eliminará el acceso a tu cuenta en este dispositivo",
+  "v2.page.settings-sessions.default.session-dialog-title": "Terminar sesión",
+  "v2.page.settings-sessions.default.title": "Dispositivos con sesión iniciada",
+  "v2.page.settings-totp.default.added-at-label": "Agregado a las <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-totp.default.button-add-authenticator-label": "+ Agregar aplicación/dispositivo de autenticación",
+  "v2.page.settings-totp.default.title": "Aplicación/dispositivo de autenticación",
+  "v2.page.settings.default.button-label-account-deletion": "Eliminar cuenta",
   "v2.page.settings.default.button-label-advanced-settings": "Configuración avanzada",
   "v2.page.settings.default.button-label-and-more": "{item} y más",
   "v2.page.settings.default.button-label-back-to-app": "Volver a mi aplicación",
diff --git a/resources/authgear/templates/es-ES/translation.json b/resources/authgear/templates/es-ES/translation.json
index 481315c4cd..b35740c5f4 100644
--- a/resources/authgear/templates/es-ES/translation.json
+++ b/resources/authgear/templates/es-ES/translation.json
@@ -879,13 +879,17 @@
   "v2.component.bot-protection-widget.default.noscript": "Se requiere JavaScript para la verificación de captcha. Por favor, habilite JavaScript en su navegador para continuar.",
   "v2.component.button.default.copy": "Copiar",
   "v2.component.button.default.download": "Descargar",
+  "v2.component.button.default.label-cancel": "Cancelar",
   "v2.component.button.default.label-continue": "Continuar",
   "v2.component.button.default.label-continue-with-passkey": "Continuar con Passkey",
   "v2.component.button.default.label-continue-with-phone": "Continuar con el número de teléfono",
   "v2.component.button.default.label-continue-with-text-login-id": "Continuar con {variant, select, email {Correo electrónico} username {Nombre de usuario} other {Correo electrónico / Nombre de usuario}}",
+  "v2.component.button.default.label-edit": "Editar",
   "v2.component.button.default.label-login": "Iniciar sesión",
+  "v2.component.button.default.label-remove": "Eliminar",
   "v2.component.button.default.label-save": "Guardar",
   "v2.component.button.default.label-send": "Enviar",
+  "v2.component.button.default.label-terminate": "Terminar",
   "v2.component.device-token-checkbox.default.label": "Recordar este dispositivo y no preguntar de nuevo",
   "v2.component.divider.default.or-label": "o",
   "v2.component.input.default.placeholder-email": "Dirección de correo electrónico",
@@ -923,6 +927,7 @@
   "v2.component.oob-otp-resend-button.default.countdown-unit": "Reenviar código en %s",
   "v2.component.oob-otp-resend-button.default.label": "Reenviar código",
   "v2.component.password-input.default.hide-password": "Ocultar contraseña",
+  "v2.component.password-input.default.placeholder-confirm-new-password": "Vuelva a ingresar la nueva contraseña",
   "v2.component.password-input.default.placeholder-confirm-password": "Vuelve a introducir la contraseña",
   "v2.component.password-input.default.placeholder-new-password": "Nueva contraseña",
   "v2.component.password-input.default.placeholder-password": "Contraseña actual",
@@ -932,7 +937,6 @@
   "v2.component.select-input.default.no-results-found": "No se encontraron resultados",
   "v2.component.select-input.default.not-provided-label": "No proporcionado",
   "v2.component.select-input.default.search-label": "Buscar",
-  "v2.component.select-input.default.unset-label": "Sin establecer",
   "v2.component.toc-pp-footer.default.label": "Al registrarse, acepta los {variant, select, both{<a class=\"link-btn\" target=\"_blank\" href=\"{termsOfService}\">Términos de servicio</a> y <a class=\"link-btn\" target=\"_blank\" href=\"{privacyPolicy}\">Política de privacidad</a>} termsOnly{<a class=\"link\" target=\"_blank\" href=\"{termsOfService}\">Términos de servicio</a>} privacyOnly{<a class=\"link\" target=\"_blank\" href=\"{privacyPolicy}\">Política de privacidad</a>} other{}}",
   "v2.component.verify-bot-protection.default.description": "Serás redirigido poco después de que hayas completado el desafío",
   "v2.component.verify-bot-protection.default.title": "Comprobando tu sistema...",
@@ -1115,26 +1119,117 @@
   "v2.page.select-account.default.description": "Has iniciado sesión con {email_is_present,select,true{{email}} other{{phone_number_is_present,select,true{{phone_number}} other{{preferred_username}}}}}. Procede para continuar.",
   "v2.page.select-account.default.title": "Iniciar sesión en {AppOrClientName}",
   "v2.page.select-account.default.use-another-account": "Usar otra cuenta",
+  "v2.page.settings-advanced-settings.default.title": "Configuración avanzada",
+  "v2.page.settings-biometric.default.dialog-description": "¿Estás seguro de que quieres desconectar el inicio de sesión biométrico para este dispositivo?",
+  "v2.page.settings-biometric.default.dialog-title": "Desconectar inicio de sesión biométrico",
+  "v2.page.settings-biometric.default.disconnect-button-label": "Desconectar",
+  "v2.page.settings-biometric.default.item-description": "Creado en <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-biometric.default.no-biometric-description": "No tienes ningún dispositivo con biométricos habilitados.",
+  "v2.page.settings-biometric.default.title": "Inicio de sesión biométrico",
+  "v2.page.settings-biometric.default.unknown-name-item-label": "Dispositivo desconocido",
+  "v2.page.settings-change-password.default.title": "Cambiar contraseña",
+  "v2.page.settings-delete-account-success.default.button-label": "Hecho",
+  "v2.page.settings-delete-account-success.default.description": "Tu cuenta ha sido desactivada y los datos serán eliminados el <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account-success.default.title": "Eliminación de cuenta programada",
+  "v2.page.settings-delete-account.default.button-label": "Eliminar cuenta",
+  "v2.page.settings-delete-account.default.description": "Al eliminar la cuenta, todos los datos se eliminarán permanentemente y no podremos recuperarlos. Si continúas, tu cuenta se eliminará el <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account.default.input-placeholder": "Escribe <b>{input}</b> para confirmar",
+  "v2.page.settings-delete-account.default.title": "Eliminar cuenta",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-maximum": "Por favor, introduzca un número menor o igual a {maximum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum": "Por favor, introduzca un número mayor o igual a {minimum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum-maximum": "Por favor, introduzca un número entre {minimum} y {maximum}",
+  "v2.page.settings-identity-add-email.default.email-input-placeholder": "Nueva dirección de correo electrónico",
+  "v2.page.settings-identity-add-email.default.title": "Añadir nuevo correo electrónico",
+  "v2.page.settings-identity-add-phone.default.phone-input-placeholder": "Número de teléfono",
+  "v2.page.settings-identity-add-phone.default.title": "Añadir nuevo teléfono",
+  "v2.page.settings-identity-change-primary-email.default.title": "Correo electrónico principal",
+  "v2.page.settings-identity-change-primary-phone.default.title": "Teléfono principal",
+  "v2.page.settings-identity-edit-email.default.description": "Tu correo electrónico actual es {target}",
+  "v2.page.settings-identity-edit-email.default.email-input-placeholder": "Nueva dirección de correo electrónico",
+  "v2.page.settings-identity-edit-email.default.title": "Editar correo electrónico",
+  "v2.page.settings-identity-edit-phone.default.description": "Tu número de teléfono actual es {target}",
+  "v2.page.settings-identity-edit-phone.default.phone-input-placeholder": "Número de teléfono",
+  "v2.page.settings-identity-edit-phone.default.title": "Editar teléfono",
+  "v2.page.settings-identity-edit-username.default.title": "Cambiar nombre de usuario",
+  "v2.page.settings-identity-email.default.title": "Correo electrónico",
+  "v2.page.settings-identity-list-email.default.button-add-email-label": "+ Añadir correo electrónico",
+  "v2.page.settings-identity-list-email.default.button-change-primary-email-label": "Cambiar",
+  "v2.page.settings-identity-list-email.default.primary-email-label": "Correo electrónico principal",
+  "v2.page.settings-identity-list-phone.default.button-add-phone-label": "+ Añadir nuevo número de teléfono",
+  "v2.page.settings-identity-list-phone.default.button-change-primary-phone-label": "Cambiar",
+  "v2.page.settings-identity-list-phone.default.primary-phone-label": "teléfono principal",
+  "v2.page.settings-identity-list-username.default.button-add-username-label": "+ Añadir nombre de usuario",
+  "v2.page.settings-identity-list-username.default.title": "Nombre de usuario",
+  "v2.page.settings-identity-new-username.default.title": "Añadir nombre de usuario",
+  "v2.page.settings-identity-phone.default.title": "Teléfono",
+  "v2.page.settings-identity-verify-email.default.title": "Verificación",
+  "v2.page.settings-identity-verify-phone.default.title": "Verificación",
+  "v2.page.settings-identity-view-email.default.button-edit-email-label": "Editar",
+  "v2.page.settings-identity-view-email.default.button-remove-email-label": "Eliminar este correo electrónico",
+  "v2.page.settings-identity-view-email.default.button-verify-email-label": "Verificar",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-description": "¿Estás seguro de que quieres eliminar la dirección de correo electrónico {target} de tu cuenta?",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-title": "Eliminar dirección de correo electrónico",
+  "v2.page.settings-identity-view-phone.default.button-edit-phone-label": "Editar",
+  "v2.page.settings-identity-view-phone.default.button-remove-phone-label": "Eliminar este teléfono",
+  "v2.page.settings-identity-view-phone.default.button-verify-phone-label": "Verificar",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-description": "¿Estás seguro de que quieres eliminar el número de teléfono {target} de tu cuenta?",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-title": "Eliminar número de teléfono",
+  "v2.page.settings-identity-view-username.default.button-remove-label": "Eliminar nombre de usuario",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-description": "¿Estás seguro de que quieres eliminar el nombre de usuario <span class=\"settings-dialog__description-text--highlight\">{Username}</span> de tu cuenta?",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-title": "Eliminar nombre de usuario",
+  "v2.page.settings-identity-view-username.default.title": "Nombre de usuario",
+  "v2.page.settings-identity.default.verification-status-unverified-label": "No verificado",
+  "v2.page.settings-identity.default.verification-status-verified-label": "Verificado",
+  "v2.page.settings-mfa-create-password.default.title": "Contraseña adicional",
+  "v2.page.settings-mfa-password.default.additional-password-added-at": "Añadida a las <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.additional-password-label": "Contraseña adicional",
+  "v2.page.settings-mfa-password.default.additional-password-updated-at": "Actualizada a las <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.dialog-delete-description": "¿Estás seguro de que quieres eliminar la contraseña adicional?",
+  "v2.page.settings-mfa-password.default.dialog-delete-title": "Eliminar contraseña adicional",
+  "v2.page.settings-mfa-password.default.remove-button-label": "Eliminar contraseña adicional",
+  "v2.page.settings-mfa-password.default.title": "Contraseña adicional",
+  "v2.page.settings-mfa.default.activated-label": "Activada",
+  "v2.page.settings-mfa.default.additional-password-label": "Contraseña adicional",
+  "v2.page.settings-mfa.default.dialog-revoke-device-description": "Tienes {NumberOfDeviceTokens, plural, one{# dispositivo de confianza} other{# dispositivos de confianza}} asociados a tu cuenta. ¿Quieres eliminar todos los dispositivos de confianza?",
+  "v2.page.settings-mfa.default.dialog-revoke-device-title": "Eliminar dispositivos de confianza",
+  "v2.page.settings-mfa.default.inactive-label": "Inactiva",
+  "v2.page.settings-mfa.default.secondary-oob-otp-email-label": "Correo electrónico",
+  "v2.page.settings-mfa.default.secondary-oob-otp-sms-label": "Mensaje de Whatsapp/SMS",
+  "v2.page.settings-mfa.default.secondary-totp-label": "Aplicación/dispositivo de autenticación",
+  "v2.page.settings-mfa.default.title": "Autenticación de 2 Factores",
+  "v2.page.settings-mfa.default.trusted-devices-has-device-tokens-message": "Tienes {NumberOfDeviceTokens, plural, one{# dispositivo de confianza} other{# dispositivos de confianza}}",
+  "v2.page.settings-mfa.default.trusted-devices-label": "Dispositivos de confianza",
+  "v2.page.settings-mfa.default.trusted-devices-no-device-tokens-message": "No tienes ningún dispositivo de confianza que pueda omitir la verificación de 2 pasos.",
+  "v2.page.settings-oob-otp-email.default.title": "Correo electrónico",
+  "v2.page.settings-oob-otp-sms.default.title": "Mensaje de WhatsApp/SMS",
+  "v2.page.settings-oob-otp.default.added-at-label": "Añadido a las <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-oob-otp.default.button-oob-otp-email-label": "+ Añadir correo electrónico",
+  "v2.page.settings-oob-otp.default.button-oob-otp-sms-label": "+ Añadir número de teléfono de WhatsApp/SMS",
+  "v2.page.settings-passkey.default.add-passkey-button-label": "+ Añadir Passkey",
+  "v2.page.settings-passkey.default.dialog-description": "¿Estás seguro de que quieres eliminar esta passkey?",
+  "v2.page.settings-passkey.default.dialog-title": "Eliminar Passkey",
+  "v2.page.settings-passkey.default.item-description": "Añadido a las <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-passkey.default.title": "Passkey",
   "v2.page.settings-profile-edit-address.default.country-label": "País",
   "v2.page.settings-profile-edit-address.default.locality-label": "Ciudad",
-  "v2.page.settings-profile-edit-address.default.navbar-title": "Dirección",
   "v2.page.settings-profile-edit-address.default.postal-code-label": "Código postal",
   "v2.page.settings-profile-edit-address.default.region-label": "Región",
   "v2.page.settings-profile-edit-address.default.street-label": "Dirección de calle",
-  "v2.page.settings-profile-edit-birthdate.default.navbar-title": "Fecha de nacimiento",
+  "v2.page.settings-profile-edit-address.default.title": "Dirección",
+  "v2.page.settings-profile-edit-birthdate.default.title": "Fecha de nacimiento",
   "v2.page.settings-profile-edit-gender.default.gender-label-custom": "Personalizado",
   "v2.page.settings-profile-edit-gender.default.gender-label-female": "Mujer",
   "v2.page.settings-profile-edit-gender.default.gender-label-male": "Hombre",
   "v2.page.settings-profile-edit-gender.default.gender-label-unspecified": "No proporcionado",
   "v2.page.settings-profile-edit-gender.default.title": "Género",
-  "v2.page.settings-profile-edit-locale.default.navbar-title": "Idioma",
+  "v2.page.settings-profile-edit-locale.default.title": "Idioma",
   "v2.page.settings-profile-edit-name.default.family-name-input-label": "Apellido",
   "v2.page.settings-profile-edit-name.default.fullname-input-label": "Nombre completo",
   "v2.page.settings-profile-edit-name.default.given-name-input-label": "Nombre",
   "v2.page.settings-profile-edit-name.default.middle-name-input-label": "Segundo nombre",
-  "v2.page.settings-profile-edit-name.default.navbar-title": "Nombre",
   "v2.page.settings-profile-edit-name.default.nickname-input-label": "Apodo",
-  "v2.page.settings-profile-edit-zoneinfo.default.navbar-title": "Zona horaria",
+  "v2.page.settings-profile-edit-name.default.title": "Nombre",
+  "v2.page.settings-profile-edit-zoneinfo.default.title": "Zona horaria",
   "v2.page.settings-profile-no-permission.default.content": "No autorizado",
   "v2.page.settings-profile-no-permission.default.title": "Problemas inesperados",
   "v2.page.settings-profile.default.address-title": "Dirección",
@@ -1146,9 +1241,21 @@
   "v2.page.settings-profile.default.gender-title": "Género",
   "v2.page.settings-profile.default.language-title": "Idioma",
   "v2.page.settings-profile.default.name-title": "Nombre",
-  "v2.page.settings-profile.default.navbar-title": "Perfil",
   "v2.page.settings-profile.default.profile-picture-title": "Foto de perfil",
+  "v2.page.settings-profile.default.title": "Perfil",
   "v2.page.settings-profile.default.zoneinfo-title": "Zona horaria",
+  "v2.page.settings-sessions.default.all-sessions-dialog-description": "Esto eliminará el acceso a tu cuenta desde todos los demás dispositivos",
+  "v2.page.settings-sessions.default.all-sessions-dialog-title": "Terminar todas las demás sesiones",
+  "v2.page.settings-sessions.default.country-ip-item-description": "{countryName} ({countryCode}) - {ip}",
+  "v2.page.settings-sessions.default.device-item-description": "{isCurrent, select, true {{desc} · <span class=\"settings-description--primary-color\">Activo ahora</span>} other {{desc} · <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>}}",
+  "v2.page.settings-sessions.default.revoke-all-label": "Terminar todas las demás sesiones",
+  "v2.page.settings-sessions.default.session-dialog-description": "Esto eliminará el acceso a tu cuenta en este dispositivo",
+  "v2.page.settings-sessions.default.session-dialog-title": "Terminar sesión",
+  "v2.page.settings-sessions.default.title": "Dispositivos con sesión iniciada",
+  "v2.page.settings-totp.default.added-at-label": "Añadido a las <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-totp.default.button-add-authenticator-label": "+ Añadir aplicación/dispositivo de autenticación",
+  "v2.page.settings-totp.default.title": "Aplicación/dispositivo de autenticación",
+  "v2.page.settings.default.button-label-account-deletion": "Eliminar cuenta",
   "v2.page.settings.default.button-label-advanced-settings": "Configuración avanzada",
   "v2.page.settings.default.button-label-and-more": "{item} y más",
   "v2.page.settings.default.button-label-back-to-app": "Volver a mi aplicación",
diff --git a/resources/authgear/templates/es/translation.json b/resources/authgear/templates/es/translation.json
index df4dd24d03..6c4de3727b 100644
--- a/resources/authgear/templates/es/translation.json
+++ b/resources/authgear/templates/es/translation.json
@@ -879,13 +879,17 @@
   "v2.component.bot-protection-widget.default.noscript": "Se requiere JavaScript para la verificación de captcha. Por favor, habilite JavaScript en su navegador para continuar.",
   "v2.component.button.default.copy": "Copiar",
   "v2.component.button.default.download": "Descargar",
+  "v2.component.button.default.label-cancel": "Cancelar",
   "v2.component.button.default.label-continue": "Continuar",
   "v2.component.button.default.label-continue-with-passkey": "Continuar con Passkey",
   "v2.component.button.default.label-continue-with-phone": "Continuar con número de teléfono",
   "v2.component.button.default.label-continue-with-text-login-id": "Continuar con {variant, select, email {Correo electrónico} username {Nombre de usuario} other {Correo electrónico / Nombre de usuario}}",
+  "v2.component.button.default.label-edit": "Editar",
   "v2.component.button.default.label-login": "Iniciar Sesión",
+  "v2.component.button.default.label-remove": "Eliminar",
   "v2.component.button.default.label-save": "Guardar",
   "v2.component.button.default.label-send": "Enviar",
+  "v2.component.button.default.label-terminate": "Terminar",
   "v2.component.device-token-checkbox.default.label": "Recordar este dispositivo y no preguntar de nuevo",
   "v2.component.divider.default.or-label": "o",
   "v2.component.input.default.placeholder-email": "Dirección de correo electrónico",
@@ -923,6 +927,7 @@
   "v2.component.oob-otp-resend-button.default.countdown-unit": "Reenviar código en %s",
   "v2.component.oob-otp-resend-button.default.label": "Reenviar código",
   "v2.component.password-input.default.hide-password": "Ocultar contraseña",
+  "v2.component.password-input.default.placeholder-confirm-new-password": "Vuelva a ingresar la nueva contraseña",
   "v2.component.password-input.default.placeholder-confirm-password": "Vuelva a ingresar la Contraseña",
   "v2.component.password-input.default.placeholder-new-password": "Nueva Contraseña",
   "v2.component.password-input.default.placeholder-password": "Contraseña actual",
@@ -932,7 +937,6 @@
   "v2.component.select-input.default.no-results-found": "No se encontraron resultados",
   "v2.component.select-input.default.not-provided-label": "No proporcionado",
   "v2.component.select-input.default.search-label": "Buscar",
-  "v2.component.select-input.default.unset-label": "Sin establecer",
   "v2.component.toc-pp-footer.default.label": "Al registrarse, acepta los {variant, select, both{<a class=\"link-btn\" target=\"_blank\" href=\"{termsOfService}\">Términos de Servicio</a> y la <a class=\"link-btn\" target=\"_blank\" href=\"{privacyPolicy}\">Política de Privacidad</a>} termsOnly{<a class=\"link\" target=\"_blank\" href=\"{termsOfService}\">Términos de Servicio</a>} privacyOnly{<a class=\"link\" target=\"_blank\" href=\"{privacyPolicy}\">Política de Privacidad</a>} other{}}",
   "v2.component.verify-bot-protection.default.description": "Serás redirigido poco después de que hayas completado el desafío",
   "v2.component.verify-bot-protection.default.title": "Comprobando tu sistema...",
@@ -1115,26 +1119,117 @@
   "v2.page.select-account.default.description": "Ha iniciado sesión con {email_is_present,select,true{{email}} other{{phone_number_is_present,select,true{{phone_number}} other{{preferred_username}}}}}. Proceda para continuar.",
   "v2.page.select-account.default.title": "Iniciar sesión en {AppOrClientName}",
   "v2.page.select-account.default.use-another-account": "Usar otra cuenta",
+  "v2.page.settings-advanced-settings.default.title": "Configuración avanzada",
+  "v2.page.settings-biometric.default.dialog-description": "¿Estás seguro de que deseas desconectar el inicio de sesión biométrico para este dispositivo?",
+  "v2.page.settings-biometric.default.dialog-title": "Desconectar inicio de sesión biométrico",
+  "v2.page.settings-biometric.default.disconnect-button-label": "Desconectar",
+  "v2.page.settings-biometric.default.item-description": "Creado en <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-biometric.default.no-biometric-description": "No tienes ningún dispositivo con biométricos habilitados.",
+  "v2.page.settings-biometric.default.title": "Inicio de sesión biométrico",
+  "v2.page.settings-biometric.default.unknown-name-item-label": "Dispositivo desconocido",
+  "v2.page.settings-change-password.default.title": "Cambiar contraseña",
+  "v2.page.settings-delete-account-success.default.button-label": "Hecho",
+  "v2.page.settings-delete-account-success.default.description": "Tu cuenta ha sido desactivada y los datos serán eliminados el <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account-success.default.title": "Eliminación de cuenta programada",
+  "v2.page.settings-delete-account.default.button-label": "Eliminar cuenta",
+  "v2.page.settings-delete-account.default.description": "Al eliminar la cuenta, todos los datos se eliminarán permanentemente y no podremos recuperarlos. Si continúas, tu cuenta será eliminada el <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account.default.input-placeholder": "Escribe <b>{input}</b> para confirmar",
+  "v2.page.settings-delete-account.default.title": "Eliminar cuenta",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-maximum": "Por favor ingrese un número menor o igual a {maximum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum": "Por favor ingrese un número mayor o igual a {minimum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum-maximum": "Por favor ingrese un número entre {minimum} y {maximum}",
+  "v2.page.settings-identity-add-email.default.email-input-placeholder": "Nueva dirección de correo electrónico",
+  "v2.page.settings-identity-add-email.default.title": "Añadir nuevo correo electrónico",
+  "v2.page.settings-identity-add-phone.default.phone-input-placeholder": "Número de teléfono",
+  "v2.page.settings-identity-add-phone.default.title": "Añadir nuevo teléfono",
+  "v2.page.settings-identity-change-primary-email.default.title": "Correo electrónico principal",
+  "v2.page.settings-identity-change-primary-phone.default.title": "Teléfono principal",
+  "v2.page.settings-identity-edit-email.default.description": "Tu correo electrónico actual es {target}",
+  "v2.page.settings-identity-edit-email.default.email-input-placeholder": "Nueva dirección de correo electrónico",
+  "v2.page.settings-identity-edit-email.default.title": "Editar correo electrónico",
+  "v2.page.settings-identity-edit-phone.default.description": "Tu número de teléfono actual es {target}",
+  "v2.page.settings-identity-edit-phone.default.phone-input-placeholder": "Número de teléfono",
+  "v2.page.settings-identity-edit-phone.default.title": "Editar teléfono",
+  "v2.page.settings-identity-edit-username.default.title": "Cambiar nombre de usuario",
+  "v2.page.settings-identity-email.default.title": "Correo electrónico",
+  "v2.page.settings-identity-list-email.default.button-add-email-label": "+ Añadir correo electrónico",
+  "v2.page.settings-identity-list-email.default.button-change-primary-email-label": "Cambiar",
+  "v2.page.settings-identity-list-email.default.primary-email-label": "Correo electrónico principal",
+  "v2.page.settings-identity-list-phone.default.button-add-phone-label": "+ Añadir nuevo número de teléfono",
+  "v2.page.settings-identity-list-phone.default.button-change-primary-phone-label": "Cambiar",
+  "v2.page.settings-identity-list-phone.default.primary-phone-label": "teléfono principal",
+  "v2.page.settings-identity-list-username.default.button-add-username-label": "+ Añadir nombre de usuario",
+  "v2.page.settings-identity-list-username.default.title": "Nombre de usuario",
+  "v2.page.settings-identity-new-username.default.title": "Añadir nombre de usuario",
+  "v2.page.settings-identity-phone.default.title": "Teléfono",
+  "v2.page.settings-identity-verify-email.default.title": "Verificación",
+  "v2.page.settings-identity-verify-phone.default.title": "Verificación",
+  "v2.page.settings-identity-view-email.default.button-edit-email-label": "Editar",
+  "v2.page.settings-identity-view-email.default.button-remove-email-label": "Eliminar este correo electrónico",
+  "v2.page.settings-identity-view-email.default.button-verify-email-label": "Verificar",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-description": "¿Estás seguro de que quieres eliminar la dirección de correo electrónico {target} de tu cuenta?",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-title": "Eliminar dirección de correo electrónico",
+  "v2.page.settings-identity-view-phone.default.button-edit-phone-label": "Editar",
+  "v2.page.settings-identity-view-phone.default.button-remove-phone-label": "Eliminar este teléfono",
+  "v2.page.settings-identity-view-phone.default.button-verify-phone-label": "Verificar",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-description": "¿Estás seguro de que quieres eliminar el número de teléfono {target} de tu cuenta?",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-title": "Eliminar número de teléfono",
+  "v2.page.settings-identity-view-username.default.button-remove-label": "Eliminar nombre de usuario",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-description": "¿Estás seguro de que quieres eliminar el nombre de usuario <span class=\"settings-dialog__description-text--highlight\">{Username}</span> de tu cuenta?",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-title": "Eliminar nombre de usuario",
+  "v2.page.settings-identity-view-username.default.title": "Nombre de usuario",
+  "v2.page.settings-identity.default.verification-status-unverified-label": "No verificado",
+  "v2.page.settings-identity.default.verification-status-verified-label": "Verificado",
+  "v2.page.settings-mfa-create-password.default.title": "Contraseña adicional",
+  "v2.page.settings-mfa-password.default.additional-password-added-at": "Añadido a las <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.additional-password-label": "Contraseña adicional",
+  "v2.page.settings-mfa-password.default.additional-password-updated-at": "Actualizado a las <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.dialog-delete-description": "¿Estás seguro de que quieres eliminar la contraseña adicional?",
+  "v2.page.settings-mfa-password.default.dialog-delete-title": "Eliminar contraseña adicional",
+  "v2.page.settings-mfa-password.default.remove-button-label": "Eliminar contraseña adicional",
+  "v2.page.settings-mfa-password.default.title": "Contraseña adicional",
+  "v2.page.settings-mfa.default.activated-label": "Activado",
+  "v2.page.settings-mfa.default.additional-password-label": "Contraseña adicional",
+  "v2.page.settings-mfa.default.dialog-revoke-device-description": "Tienes {NumberOfDeviceTokens, plural, one{# dispositivo de confianza} other{# dispositivos de confianza}} asociados con tu cuenta. ¿Quieres eliminar todos los dispositivos de confianza?",
+  "v2.page.settings-mfa.default.dialog-revoke-device-title": "Eliminar dispositivos de confianza",
+  "v2.page.settings-mfa.default.inactive-label": "Inactivo",
+  "v2.page.settings-mfa.default.secondary-oob-otp-email-label": "Correo electrónico",
+  "v2.page.settings-mfa.default.secondary-oob-otp-sms-label": "Mensaje de Whatsapp/SMS",
+  "v2.page.settings-mfa.default.secondary-totp-label": "Aplicación/dispositivo de autenticación",
+  "v2.page.settings-mfa.default.title": "Autenticación de 2 Factores",
+  "v2.page.settings-mfa.default.trusted-devices-has-device-tokens-message": "Tienes {NumberOfDeviceTokens, plural, one{# dispositivo de confianza} other{# dispositivos de confianza}}",
+  "v2.page.settings-mfa.default.trusted-devices-label": "Dispositivos de confianza",
+  "v2.page.settings-mfa.default.trusted-devices-no-device-tokens-message": "No tienes ningún dispositivo de confianza que pueda omitir la verificación de 2 pasos.",
+  "v2.page.settings-oob-otp-email.default.title": "Correo electrónico",
+  "v2.page.settings-oob-otp-sms.default.title": "Mensaje de WhatsApp/SMS",
+  "v2.page.settings-oob-otp.default.added-at-label": "Añadido a las <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-oob-otp.default.button-oob-otp-email-label": "+ Añadir correo electrónico",
+  "v2.page.settings-oob-otp.default.button-oob-otp-sms-label": "+ Añadir número de teléfono de WhatsApp/SMS",
+  "v2.page.settings-passkey.default.add-passkey-button-label": "+ Añadir 'Passkey'",
+  "v2.page.settings-passkey.default.dialog-description": "¿Estás seguro de que quieres eliminar esta passkey?",
+  "v2.page.settings-passkey.default.dialog-title": "Eliminar Passkey",
+  "v2.page.settings-passkey.default.item-description": "Añadido a las <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-passkey.default.title": "Passkey",
   "v2.page.settings-profile-edit-address.default.country-label": "País",
   "v2.page.settings-profile-edit-address.default.locality-label": "Ciudad",
-  "v2.page.settings-profile-edit-address.default.navbar-title": "Dirección",
   "v2.page.settings-profile-edit-address.default.postal-code-label": "Código postal",
   "v2.page.settings-profile-edit-address.default.region-label": "Región",
   "v2.page.settings-profile-edit-address.default.street-label": "Dirección de calle",
-  "v2.page.settings-profile-edit-birthdate.default.navbar-title": "Fecha de nacimiento",
+  "v2.page.settings-profile-edit-address.default.title": "Dirección",
+  "v2.page.settings-profile-edit-birthdate.default.title": "Fecha de nacimiento",
   "v2.page.settings-profile-edit-gender.default.gender-label-custom": "Personalizado",
   "v2.page.settings-profile-edit-gender.default.gender-label-female": "Femenino",
   "v2.page.settings-profile-edit-gender.default.gender-label-male": "Masculino",
   "v2.page.settings-profile-edit-gender.default.gender-label-unspecified": "No proporcionado",
   "v2.page.settings-profile-edit-gender.default.title": "Género",
-  "v2.page.settings-profile-edit-locale.default.navbar-title": "Idioma",
+  "v2.page.settings-profile-edit-locale.default.title": "Idioma",
   "v2.page.settings-profile-edit-name.default.family-name-input-label": "Apellido",
   "v2.page.settings-profile-edit-name.default.fullname-input-label": "Nombre completo",
   "v2.page.settings-profile-edit-name.default.given-name-input-label": "Nombre",
   "v2.page.settings-profile-edit-name.default.middle-name-input-label": "Segundo nombre",
-  "v2.page.settings-profile-edit-name.default.navbar-title": "Nombre",
   "v2.page.settings-profile-edit-name.default.nickname-input-label": "Apodo",
-  "v2.page.settings-profile-edit-zoneinfo.default.navbar-title": "Zona horaria",
+  "v2.page.settings-profile-edit-name.default.title": "Nombre",
+  "v2.page.settings-profile-edit-zoneinfo.default.title": "Zona horaria",
   "v2.page.settings-profile-no-permission.default.content": "No autorizado",
   "v2.page.settings-profile-no-permission.default.title": "Problemas inesperados",
   "v2.page.settings-profile.default.address-title": "Dirección",
@@ -1146,9 +1241,21 @@
   "v2.page.settings-profile.default.gender-title": "Género",
   "v2.page.settings-profile.default.language-title": "Idioma",
   "v2.page.settings-profile.default.name-title": "Nombre",
-  "v2.page.settings-profile.default.navbar-title": "Perfil",
   "v2.page.settings-profile.default.profile-picture-title": "Foto de perfil",
+  "v2.page.settings-profile.default.title": "Perfil",
   "v2.page.settings-profile.default.zoneinfo-title": "Zona horaria",
+  "v2.page.settings-sessions.default.all-sessions-dialog-description": "Esto eliminará el acceso a tu cuenta desde todos los demás dispositivos",
+  "v2.page.settings-sessions.default.all-sessions-dialog-title": "Terminar todas las demás sesiones",
+  "v2.page.settings-sessions.default.country-ip-item-description": "{countryName} ({countryCode}) - {ip}",
+  "v2.page.settings-sessions.default.device-item-description": "{isCurrent, select, true {{desc} · <span class=\"settings-description--primary-color\">Activo Ahora</span>} other {{desc} · <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>}}",
+  "v2.page.settings-sessions.default.revoke-all-label": "Terminar todas las demás sesiones",
+  "v2.page.settings-sessions.default.session-dialog-description": "Esto eliminará el acceso a tu cuenta en este dispositivo",
+  "v2.page.settings-sessions.default.session-dialog-title": "Terminar sesión",
+  "v2.page.settings-sessions.default.title": "Dispositivos con sesión iniciada",
+  "v2.page.settings-totp.default.added-at-label": "Añadido a las <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-totp.default.button-add-authenticator-label": "+ Añadir aplicación/dispositivo de autenticación",
+  "v2.page.settings-totp.default.title": "Aplicación/dispositivo de autenticación",
+  "v2.page.settings.default.button-label-account-deletion": "Eliminar cuenta",
   "v2.page.settings.default.button-label-advanced-settings": "Configuración avanzada",
   "v2.page.settings.default.button-label-and-more": "{item} y más",
   "v2.page.settings.default.button-label-back-to-app": "Volver a mi aplicación",
diff --git a/resources/authgear/templates/fil/translation.json b/resources/authgear/templates/fil/translation.json
index f02ac54de2..c0326bb6f6 100644
--- a/resources/authgear/templates/fil/translation.json
+++ b/resources/authgear/templates/fil/translation.json
@@ -879,13 +879,17 @@
   "v2.component.bot-protection-widget.default.noscript": "Kinakailangan ang JavaScript para sa pag-verify ng captcha. Mangyaring paganahin ang JavaScript sa iyong browser para magpatuloy.",
   "v2.component.button.default.copy": "Kopyahin",
   "v2.component.button.default.download": "I-download",
+  "v2.component.button.default.label-cancel": "Kanselahin",
   "v2.component.button.default.label-continue": "Magpatuloy",
   "v2.component.button.default.label-continue-with-passkey": "Magpatuloy gamit ang Passkey",
   "v2.component.button.default.label-continue-with-phone": "Magpatuloy gamit ang Numero ng Telepono",
   "v2.component.button.default.label-continue-with-text-login-id": "Magpatuloy gamit ang {variant, select, email {Email} username {Username} other {Email / Username}}",
+  "v2.component.button.default.label-edit": "Baguhin",
   "v2.component.button.default.label-login": "Mag-log in",
+  "v2.component.button.default.label-remove": "Alisin",
   "v2.component.button.default.label-save": "I-save",
   "v2.component.button.default.label-send": "Ipadala",
+  "v2.component.button.default.label-terminate": "Tapusin",
   "v2.component.device-token-checkbox.default.label": "Tandaan ang device na ito, at huwag nang tanungin muli",
   "v2.component.divider.default.or-label": "o",
   "v2.component.input.default.placeholder-email": "Email address",
@@ -923,6 +927,7 @@
   "v2.component.oob-otp-resend-button.default.countdown-unit": "Ipadala muli ang code sa %s",
   "v2.component.oob-otp-resend-button.default.label": "Ipadala muli ang code",
   "v2.component.password-input.default.hide-password": "Itago ang password",
+  "v2.component.password-input.default.placeholder-confirm-new-password": "Ipasok muli ang bagong password",
   "v2.component.password-input.default.placeholder-confirm-password": "I-reenter ang Password",
   "v2.component.password-input.default.placeholder-new-password": "Bagong Password",
   "v2.component.password-input.default.placeholder-password": "Kasalukuyang Password",
@@ -932,7 +937,6 @@
   "v2.component.select-input.default.no-results-found": "Walang natagpuang resulta",
   "v2.component.select-input.default.not-provided-label": "Hindi ibinigay",
   "v2.component.select-input.default.search-label": "Maghanap",
-  "v2.component.select-input.default.unset-label": "Hindi naka-set",
   "v2.component.toc-pp-footer.default.label": "Sa pamamagitan ng pagpaparehistro, sumasang-ayon ka sa {variant, select, both{<a class=\"link-btn\" target=\"_blank\" href=\"{termsOfService}\">Mga Tuntunin ng Serbisyo</a> at <a class=\"link-btn\" target=\"_blank\" href=\"{privacyPolicy}\">Patakaran sa Pagkapribado</a>} termsOnly{<a class=\"link\" target=\"_blank\" href=\"{termsOfService}\">Mga Tuntunin ng Serbisyo</a>} privacyOnly{<a class=\"link\" target=\"_blank\" href=\"{privacyPolicy}\">Patakaran sa Pagkapribado</a>} other{}}",
   "v2.component.verify-bot-protection.default.description": "Mailalipat ka sa ibang pahina pagkatapos mong makumpleto ang hamon na ito",
   "v2.component.verify-bot-protection.default.title": "Sinusuri ang iyong sistema...",
@@ -1115,26 +1119,117 @@
   "v2.page.select-account.default.description": "Nag-log in ka gamit ang {email_is_present,select,true{{email}} other{{phone_number_is_present,select,true{{phone_number}} other{{preferred_username}}}}}. Magpatuloy upang magpatuloy.",
   "v2.page.select-account.default.title": "Mag-log in sa {AppOrClientName}",
   "v2.page.select-account.default.use-another-account": "Gumamit ng ibang account",
+  "v2.page.settings-advanced-settings.default.title": "Mga Advanced na Setting",
+  "v2.page.settings-biometric.default.dialog-description": "Sigurado ka bang gusto mong idiskonekta ang pag-login gamit ang biometrics para sa device na ito?",
+  "v2.page.settings-biometric.default.dialog-title": "Idiskonekta ang Pag-login gamit ang Biometrics",
+  "v2.page.settings-biometric.default.disconnect-button-label": "Idiskonekta",
+  "v2.page.settings-biometric.default.item-description": "Nalikha noong <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-biometric.default.no-biometric-description": "Wala kang mga device na pinagana ang biometrics.",
+  "v2.page.settings-biometric.default.title": "Pag-login gamit ang Biometrics",
+  "v2.page.settings-biometric.default.unknown-name-item-label": "Hindi Kilalang Device",
+  "v2.page.settings-change-password.default.title": "Palitan ang Password",
+  "v2.page.settings-delete-account-success.default.button-label": "Tapos na",
+  "v2.page.settings-delete-account-success.default.description": "Na-deactivate na ang iyong account at made-delete ang data sa <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account-success.default.title": "Naka-iskedyul na ang pag-delete ng Account",
+  "v2.page.settings-delete-account.default.button-label": "I-delete ang Account",
+  "v2.page.settings-delete-account.default.description": "Sa pag-delete ng account, ang lahat ng data ay permanenteng made-delete at hindi na namin maibabalik. Kung ipagpapatuloy mo, ang iyong account ay made-delete sa <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account.default.input-placeholder": "I-type ang <b>{input}</b> para kumpirmahin",
+  "v2.page.settings-delete-account.default.title": "I-delete ang Account",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-maximum": "Mangyaring magpasok ng numero na mas mababa o katumbas ng {maximum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum": "Mangyaring magpasok ng numero na mas malaki o katumbas ng {minimum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum-maximum": "Mangyaring magpasok ng numero sa pagitan ng {minimum} at {maximum}",
+  "v2.page.settings-identity-add-email.default.email-input-placeholder": "Bagong Address ng Email",
+  "v2.page.settings-identity-add-email.default.title": "Magdagdag ng Bagong Email",
+  "v2.page.settings-identity-add-phone.default.phone-input-placeholder": "Numero ng Telepono",
+  "v2.page.settings-identity-add-phone.default.title": "Magdagdag ng Bagong Telepono",
+  "v2.page.settings-identity-change-primary-email.default.title": "Pangunahing Email",
+  "v2.page.settings-identity-change-primary-phone.default.title": "Pangunahing Telepono",
+  "v2.page.settings-identity-edit-email.default.description": "Ang kasalukuyang email mo ay {target}",
+  "v2.page.settings-identity-edit-email.default.email-input-placeholder": "Bagong Email Address",
+  "v2.page.settings-identity-edit-email.default.title": "Baguhin ang Email",
+  "v2.page.settings-identity-edit-phone.default.description": "Ang iyong kasalukuyang numero ng telepono ay {target}",
+  "v2.page.settings-identity-edit-phone.default.phone-input-placeholder": "Numero ng Telepono",
+  "v2.page.settings-identity-edit-phone.default.title": "I-edit ang Telepono",
+  "v2.page.settings-identity-edit-username.default.title": "Palitan ang Username",
+  "v2.page.settings-identity-email.default.title": "Email",
+  "v2.page.settings-identity-list-email.default.button-add-email-label": "+ Magdagdag ng email",
+  "v2.page.settings-identity-list-email.default.button-change-primary-email-label": "Palitan",
+  "v2.page.settings-identity-list-email.default.primary-email-label": "Pangunahing email",
+  "v2.page.settings-identity-list-phone.default.button-add-phone-label": "+ Magdagdag ng bagong numero ng telepono",
+  "v2.page.settings-identity-list-phone.default.button-change-primary-phone-label": "Baguhin",
+  "v2.page.settings-identity-list-phone.default.primary-phone-label": "pangunahing telepono",
+  "v2.page.settings-identity-list-username.default.button-add-username-label": "+ Magdagdag ng username",
+  "v2.page.settings-identity-list-username.default.title": "Username (Passkey)",
+  "v2.page.settings-identity-new-username.default.title": "Magdagdag ng Username",
+  "v2.page.settings-identity-phone.default.title": "Telepono",
+  "v2.page.settings-identity-verify-email.default.title": "Pagpapatunay",
+  "v2.page.settings-identity-verify-phone.default.title": "Pagpapatunay",
+  "v2.page.settings-identity-view-email.default.button-edit-email-label": "I-edit",
+  "v2.page.settings-identity-view-email.default.button-remove-email-label": "Alisin ang email na ito",
+  "v2.page.settings-identity-view-email.default.button-verify-email-label": "I-verify",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-description": "Sigurado ka bang gusto mong alisin ang email address na {target} mula sa iyong account?",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-title": "Alisin ang Email Address",
+  "v2.page.settings-identity-view-phone.default.button-edit-phone-label": "I-edit",
+  "v2.page.settings-identity-view-phone.default.button-remove-phone-label": "Alisin ang telepono na ito",
+  "v2.page.settings-identity-view-phone.default.button-verify-phone-label": "Patunayan",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-description": "Sigurado ka bang gusto mong alisin ang numero ng telepono {target} mula sa iyong account?",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-title": "Alisin ang Numero ng Telepono",
+  "v2.page.settings-identity-view-username.default.button-remove-label": "Alisin ang username",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-description": "Sigurado ka bang gusto mong alisin ang username <span class=\"settings-dialog__description-text--highlight\">{Username}</span> mula sa iyong account?",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-title": "Alisin ang Username",
+  "v2.page.settings-identity-view-username.default.title": "Username",
+  "v2.page.settings-identity.default.verification-status-unverified-label": "Hindi Napatunayan",
+  "v2.page.settings-identity.default.verification-status-verified-label": "Napatunayan",
+  "v2.page.settings-mfa-create-password.default.title": "Karagdagang password",
+  "v2.page.settings-mfa-password.default.additional-password-added-at": "Naidagdag sa <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.additional-password-label": "Karagdagang password",
+  "v2.page.settings-mfa-password.default.additional-password-updated-at": "Na-update sa <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.dialog-delete-description": "Sigurado ka bang gusto mong alisin ang karagdagang password?",
+  "v2.page.settings-mfa-password.default.dialog-delete-title": "Alisin ang karagdagang password",
+  "v2.page.settings-mfa-password.default.remove-button-label": "Alisin ang karagdagang password",
+  "v2.page.settings-mfa-password.default.title": "Karagdagang password",
+  "v2.page.settings-mfa.default.activated-label": "Naka-activate",
+  "v2.page.settings-mfa.default.additional-password-label": "Karagdagang password",
+  "v2.page.settings-mfa.default.dialog-revoke-device-description": "Mayroon kang {NumberOfDeviceTokens, plural, one{# pinagkakatiwalaang device} other{# pinagkakatiwalaang mga device}} na pinagkakatiwalaang mga device na naka-associate sa iyong account. Gusto mo bang alisin lahat ng pinagkakatiwalaang mga device?",
+  "v2.page.settings-mfa.default.dialog-revoke-device-title": "Alisin ang pinagkakatiwalaang mga device",
+  "v2.page.settings-mfa.default.inactive-label": "Hindi naka-activate",
+  "v2.page.settings-mfa.default.secondary-oob-otp-email-label": "Email",
+  "v2.page.settings-mfa.default.secondary-oob-otp-sms-label": "Mensahe sa Whatsapp/SMS",
+  "v2.page.settings-mfa.default.secondary-totp-label": "App/device ng authenticator",
+  "v2.page.settings-mfa.default.title": "2-Factor Awtentikasyon",
+  "v2.page.settings-mfa.default.trusted-devices-has-device-tokens-message": "Mayroon kang {NumberOfDeviceTokens, plural, one{# pinagkakatiwalaan na device} other{# pinagkakatiwalaan na mga device}}",
+  "v2.page.settings-mfa.default.trusted-devices-label": "Pinagkakatiwalaan na mga device",
+  "v2.page.settings-mfa.default.trusted-devices-no-device-tokens-message": "Wala kang anumang pinagkakatiwalaan na device na maaaring laktawan ang 2-step na pag-verify.",
+  "v2.page.settings-oob-otp-email.default.title": "Email",
+  "v2.page.settings-oob-otp-sms.default.title": "WhatsApp/Mensahe sa SMS",
+  "v2.page.settings-oob-otp.default.added-at-label": "Naidagdag sa <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-oob-otp.default.button-oob-otp-email-label": "+ Magdagdag ng email",
+  "v2.page.settings-oob-otp.default.button-oob-otp-sms-label": "+ Magdagdag ng WhatsApp/Numero ng telepono para sa SMS",
+  "v2.page.settings-passkey.default.add-passkey-button-label": "+ Idagdag ang Passkey",
+  "v2.page.settings-passkey.default.dialog-description": "Sigurado ka bang gusto mong alisin ang passkey na ito?",
+  "v2.page.settings-passkey.default.dialog-title": "Alisin ang Passkey",
+  "v2.page.settings-passkey.default.item-description": "Idinagdag sa <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-passkey.default.title": "Passkey",
   "v2.page.settings-profile-edit-address.default.country-label": "Bansa",
   "v2.page.settings-profile-edit-address.default.locality-label": "Lungsod",
-  "v2.page.settings-profile-edit-address.default.navbar-title": "Adres",
   "v2.page.settings-profile-edit-address.default.postal-code-label": "Zip code",
   "v2.page.settings-profile-edit-address.default.region-label": "Rehiyon",
   "v2.page.settings-profile-edit-address.default.street-label": "Kalye",
-  "v2.page.settings-profile-edit-birthdate.default.navbar-title": "Petsa ng kapanganakan",
+  "v2.page.settings-profile-edit-address.default.title": "Adres",
+  "v2.page.settings-profile-edit-birthdate.default.title": "Petsa ng kapanganakan",
   "v2.page.settings-profile-edit-gender.default.gender-label-custom": "Pasadya",
   "v2.page.settings-profile-edit-gender.default.gender-label-female": "Babae",
   "v2.page.settings-profile-edit-gender.default.gender-label-male": "Lalaki",
   "v2.page.settings-profile-edit-gender.default.gender-label-unspecified": "Hindi ibinigay",
   "v2.page.settings-profile-edit-gender.default.title": "Kasarian",
-  "v2.page.settings-profile-edit-locale.default.navbar-title": "Wika",
+  "v2.page.settings-profile-edit-locale.default.title": "Wika",
   "v2.page.settings-profile-edit-name.default.family-name-input-label": "Huling pangalan",
   "v2.page.settings-profile-edit-name.default.fullname-input-label": "Buong pangalan",
   "v2.page.settings-profile-edit-name.default.given-name-input-label": "Pangalan",
   "v2.page.settings-profile-edit-name.default.middle-name-input-label": "Gitnang pangalan",
-  "v2.page.settings-profile-edit-name.default.navbar-title": "Pangalan",
   "v2.page.settings-profile-edit-name.default.nickname-input-label": "Palayaw",
-  "v2.page.settings-profile-edit-zoneinfo.default.navbar-title": "Zona ng oras",
+  "v2.page.settings-profile-edit-name.default.title": "Pangalan",
+  "v2.page.settings-profile-edit-zoneinfo.default.title": "Zona ng oras",
   "v2.page.settings-profile-no-permission.default.content": "Hindi awtorisado",
   "v2.page.settings-profile-no-permission.default.title": "Di-inaasahang Isyu",
   "v2.page.settings-profile.default.address-title": "Adres",
@@ -1146,9 +1241,21 @@
   "v2.page.settings-profile.default.gender-title": "Kasarian",
   "v2.page.settings-profile.default.language-title": "Wika",
   "v2.page.settings-profile.default.name-title": "Pangalan",
-  "v2.page.settings-profile.default.navbar-title": "Profile",
   "v2.page.settings-profile.default.profile-picture-title": "Larawan ng Profile",
+  "v2.page.settings-profile.default.title": "Profile",
   "v2.page.settings-profile.default.zoneinfo-title": "Zona ng Oras",
+  "v2.page.settings-sessions.default.all-sessions-dialog-description": "Ito ay aalisin ang access sa iyong account mula sa lahat ng iba pang device",
+  "v2.page.settings-sessions.default.all-sessions-dialog-title": "Tapusin ang lahat ng iba pang sesyon",
+  "v2.page.settings-sessions.default.country-ip-item-description": "{countryName} ({countryCode}) - {ip}",
+  "v2.page.settings-sessions.default.device-item-description": "{isCurrent, select, true {{desc} · <span class=\"settings-description--primary-color\">Aktibo Ngayon</span>} other {{desc} · <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>}}",
+  "v2.page.settings-sessions.default.revoke-all-label": "Tapusin ang lahat ng iba pang sesyon",
+  "v2.page.settings-sessions.default.session-dialog-description": "Ito ay aalisin ang access sa iyong account sa device na ito",
+  "v2.page.settings-sessions.default.session-dialog-title": "Tapusin ang sesyon",
+  "v2.page.settings-sessions.default.title": "Naka-sign in na mga Device",
+  "v2.page.settings-totp.default.added-at-label": "Naidagdag sa <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-totp.default.button-add-authenticator-label": "+ Magdagdag ng authenticator app/device",
+  "v2.page.settings-totp.default.title": "Authenticator app/device",
+  "v2.page.settings.default.button-label-account-deletion": "I-delete ang Account",
   "v2.page.settings.default.button-label-advanced-settings": "Mga Advanced na Setting",
   "v2.page.settings.default.button-label-and-more": "{item} at higit pa",
   "v2.page.settings.default.button-label-back-to-app": "Bumalik sa aking app",
diff --git a/resources/authgear/templates/fr/translation.json b/resources/authgear/templates/fr/translation.json
index c0764fe79d..da01524fd0 100644
--- a/resources/authgear/templates/fr/translation.json
+++ b/resources/authgear/templates/fr/translation.json
@@ -879,13 +879,17 @@
   "v2.component.bot-protection-widget.default.noscript": "JavaScript est requis pour la vérification du captcha. Veuillez activer JavaScript dans votre navigateur pour continuer.",
   "v2.component.button.default.copy": "Copier",
   "v2.component.button.default.download": "Télécharger",
+  "v2.component.button.default.label-cancel": "Annuler",
   "v2.component.button.default.label-continue": "Continuer",
   "v2.component.button.default.label-continue-with-passkey": "Continuer avec Passkey",
   "v2.component.button.default.label-continue-with-phone": "Continuer avec le numéro de téléphone",
   "v2.component.button.default.label-continue-with-text-login-id": "Continuer avec {variant, select, email {Email} username {Nom d''utilisateur} other {Email / Nom d''utilisateur}}",
+  "v2.component.button.default.label-edit": "Modifier",
   "v2.component.button.default.label-login": "Se connecter",
+  "v2.component.button.default.label-remove": "Supprimer",
   "v2.component.button.default.label-save": "Enregistrer",
   "v2.component.button.default.label-send": "Envoyer",
+  "v2.component.button.default.label-terminate": "Terminer",
   "v2.component.device-token-checkbox.default.label": "Mémoriser cet appareil et ne plus me le demander",
   "v2.component.divider.default.or-label": "ou",
   "v2.component.input.default.placeholder-email": "Adresse email",
@@ -923,6 +927,7 @@
   "v2.component.oob-otp-resend-button.default.countdown-unit": "Renvoyer le code dans %s",
   "v2.component.oob-otp-resend-button.default.label": "Renvoyer le code",
   "v2.component.password-input.default.hide-password": "Masquer le mot de passe",
+  "v2.component.password-input.default.placeholder-confirm-new-password": "Ressaisissez le nouveau mot de passe",
   "v2.component.password-input.default.placeholder-confirm-password": "Ressaisir le mot de passe",
   "v2.component.password-input.default.placeholder-new-password": "Nouveau mot de passe",
   "v2.component.password-input.default.placeholder-password": "Mot de passe actuel",
@@ -932,7 +937,6 @@
   "v2.component.select-input.default.no-results-found": "Aucun résultat trouvé",
   "v2.component.select-input.default.not-provided-label": "Non fourni",
   "v2.component.select-input.default.search-label": "Rechercher",
-  "v2.component.select-input.default.unset-label": "Non défini",
   "v2.component.toc-pp-footer.default.label": "En vous inscrivant, vous acceptez les {variant, select, both{<a class=\"link-btn\" target=\"_blank\" href=\"{termsOfService}\">Conditions d''utilisation</a> et <a class=\"link-btn\" target=\"_blank\" href=\"{privacyPolicy}\">Politique de confidentialité</a>} termsOnly{<a class=\"link\" target=\"_blank\" href=\"{termsOfService}\">Conditions d''utilisation</a>} privacyOnly{<a class=\"link\" target=\"_blank\" href=\"{privacyPolicy}\">Politique de confidentialité</a>} other{}}",
   "v2.component.verify-bot-protection.default.description": "Vous serez redirigé peu après avoir terminé le défi",
   "v2.component.verify-bot-protection.default.title": "Vérification de votre système...",
@@ -1115,26 +1119,117 @@
   "v2.page.select-account.default.description": "Vous vous êtes connecté avec {email_is_present,select,true{{email}} other{{phone_number_is_present,select,true{{phone_number}} other{{preferred_username}}}}}. Continuez pour poursuivre.",
   "v2.page.select-account.default.title": "Connectez-vous à {AppOrClientName}",
   "v2.page.select-account.default.use-another-account": "Utiliser un autre compte",
+  "v2.page.settings-advanced-settings.default.title": "Paramètres avancés",
+  "v2.page.settings-biometric.default.dialog-description": "Êtes-vous sûr de vouloir déconnecter la connexion biométrique pour cet appareil ?",
+  "v2.page.settings-biometric.default.dialog-title": "Déconnecter la connexion biométrique",
+  "v2.page.settings-biometric.default.disconnect-button-label": "Déconnecter",
+  "v2.page.settings-biometric.default.item-description": "Créé à <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-biometric.default.no-biometric-description": "Vous n''avez aucun appareil avec la biométrie activée.",
+  "v2.page.settings-biometric.default.title": "Connexion biométrique",
+  "v2.page.settings-biometric.default.unknown-name-item-label": "Appareil inconnu",
+  "v2.page.settings-change-password.default.title": "Changer le mot de passe",
+  "v2.page.settings-delete-account-success.default.button-label": "Terminé",
+  "v2.page.settings-delete-account-success.default.description": "Votre compte a été désactivé et les données seront supprimées le <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account-success.default.title": "Suppression du compte programmée",
+  "v2.page.settings-delete-account.default.button-label": "Supprimer le compte",
+  "v2.page.settings-delete-account.default.description": "En supprimant le compte, toutes les données seront définitivement supprimées et nous ne pourrons pas les récupérer. Si vous continuez, votre compte sera supprimé le <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account.default.input-placeholder": "Tapez <b>{input}</b> pour confirmer",
+  "v2.page.settings-delete-account.default.title": "Supprimer le compte",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-maximum": "Veuillez entrer un nombre inférieur ou égal à {maximum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum": "Veuillez entrer un nombre supérieur ou égal à {minimum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum-maximum": "Veuillez entrer un nombre entre {minimum} et {maximum}",
+  "v2.page.settings-identity-add-email.default.email-input-placeholder": "Nouvelle adresse e-mail",
+  "v2.page.settings-identity-add-email.default.title": "Ajouter un nouvel e-mail",
+  "v2.page.settings-identity-add-phone.default.phone-input-placeholder": "Numéro de téléphone",
+  "v2.page.settings-identity-add-phone.default.title": "Ajouter un nouveau téléphone",
+  "v2.page.settings-identity-change-primary-email.default.title": "Courriel principal",
+  "v2.page.settings-identity-change-primary-phone.default.title": "Téléphone principal",
+  "v2.page.settings-identity-edit-email.default.description": "Votre adresse e-mail actuelle est {target}",
+  "v2.page.settings-identity-edit-email.default.email-input-placeholder": "Nouvelle adresse e-mail",
+  "v2.page.settings-identity-edit-email.default.title": "Modifier l''e-mail",
+  "v2.page.settings-identity-edit-phone.default.description": "Votre numéro de téléphone actuel est {target}",
+  "v2.page.settings-identity-edit-phone.default.phone-input-placeholder": "Numéro de téléphone",
+  "v2.page.settings-identity-edit-phone.default.title": "Modifier le téléphone",
+  "v2.page.settings-identity-edit-username.default.title": "Changer le nom d''utilisateur",
+  "v2.page.settings-identity-email.default.title": "Email",
+  "v2.page.settings-identity-list-email.default.button-add-email-label": "+ Ajouter un courriel",
+  "v2.page.settings-identity-list-email.default.button-change-primary-email-label": "Changer",
+  "v2.page.settings-identity-list-email.default.primary-email-label": "Courriel principal",
+  "v2.page.settings-identity-list-phone.default.button-add-phone-label": "+ Ajouter un nouveau numéro de téléphone",
+  "v2.page.settings-identity-list-phone.default.button-change-primary-phone-label": "Changer",
+  "v2.page.settings-identity-list-phone.default.primary-phone-label": "Téléphone principal",
+  "v2.page.settings-identity-list-username.default.button-add-username-label": "+ Ajouter un nom d''utilisateur",
+  "v2.page.settings-identity-list-username.default.title": "Nom d''utilisateur",
+  "v2.page.settings-identity-new-username.default.title": "Ajouter un nom d''utilisateur",
+  "v2.page.settings-identity-phone.default.title": "Téléphone",
+  "v2.page.settings-identity-verify-email.default.title": "Vérification",
+  "v2.page.settings-identity-verify-phone.default.title": "Vérification",
+  "v2.page.settings-identity-view-email.default.button-edit-email-label": "Modifier",
+  "v2.page.settings-identity-view-email.default.button-remove-email-label": "Supprimer cet email",
+  "v2.page.settings-identity-view-email.default.button-verify-email-label": "Vérifier",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-description": "Êtes-vous sûr de vouloir supprimer l''adresse email {target} de votre compte ?",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-title": "Supprimer l''adresse email",
+  "v2.page.settings-identity-view-phone.default.button-edit-phone-label": "Modifier",
+  "v2.page.settings-identity-view-phone.default.button-remove-phone-label": "Supprimer ce téléphone",
+  "v2.page.settings-identity-view-phone.default.button-verify-phone-label": "Vérifier",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-description": "Êtes-vous sûr de vouloir supprimer le numéro de téléphone {target} de votre compte ?",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-title": "Supprimer le numéro de téléphone",
+  "v2.page.settings-identity-view-username.default.button-remove-label": "Supprimer le nom d''utilisateur",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-description": "Êtes-vous sûr de vouloir supprimer le nom d''utilisateur <span class=\"settings-dialog__description-text--highlight\">{Username}</span> de votre compte ?",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-title": "Supprimer le nom d''utilisateur",
+  "v2.page.settings-identity-view-username.default.title": "Nom d''utilisateur",
+  "v2.page.settings-identity.default.verification-status-unverified-label": "Non vérifié",
+  "v2.page.settings-identity.default.verification-status-verified-label": "Vérifié",
+  "v2.page.settings-mfa-create-password.default.title": "Mot de passe supplémentaire",
+  "v2.page.settings-mfa-password.default.additional-password-added-at": "Ajouté à <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.additional-password-label": "Mot de passe supplémentaire",
+  "v2.page.settings-mfa-password.default.additional-password-updated-at": "Mis à jour à <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.dialog-delete-description": "Êtes-vous sûr de vouloir supprimer le mot de passe supplémentaire ?",
+  "v2.page.settings-mfa-password.default.dialog-delete-title": "Supprimer le mot de passe supplémentaire",
+  "v2.page.settings-mfa-password.default.remove-button-label": "Supprimer le mot de passe supplémentaire",
+  "v2.page.settings-mfa-password.default.title": "Mot de passe supplémentaire",
+  "v2.page.settings-mfa.default.activated-label": "Activé",
+  "v2.page.settings-mfa.default.additional-password-label": "Mot de passe supplémentaire",
+  "v2.page.settings-mfa.default.dialog-revoke-device-description": "Vous avez {NumberOfDeviceTokens, plural, one{# appareil de confiance} other{# appareils de confiance}} associés à votre compte. Voulez-vous supprimer tous les appareils de confiance ?",
+  "v2.page.settings-mfa.default.dialog-revoke-device-title": "Supprimer les appareils de confiance",
+  "v2.page.settings-mfa.default.inactive-label": "Inactif",
+  "v2.page.settings-mfa.default.secondary-oob-otp-email-label": "Email",
+  "v2.page.settings-mfa.default.secondary-oob-otp-sms-label": "Message Whatsapp/SMS",
+  "v2.page.settings-mfa.default.secondary-totp-label": "Application/appareil d''authentification",
+  "v2.page.settings-mfa.default.title": "Authentification à 2 facteurs",
+  "v2.page.settings-mfa.default.trusted-devices-has-device-tokens-message": "Vous avez {NumberOfDeviceTokens, plural, one{# appareil de confiance} other{# appareils de confiance}}",
+  "v2.page.settings-mfa.default.trusted-devices-label": "Appareils de confiance",
+  "v2.page.settings-mfa.default.trusted-devices-no-device-tokens-message": "Vous n''avez aucun appareil de confiance qui peut ignorer la vérification en 2 étapes.",
+  "v2.page.settings-oob-otp-email.default.title": "Courriel",
+  "v2.page.settings-oob-otp-sms.default.title": "Message WhatsApp/SMS",
+  "v2.page.settings-oob-otp.default.added-at-label": "Ajouté à <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-oob-otp.default.button-oob-otp-email-label": "+ Ajouter un courriel",
+  "v2.page.settings-oob-otp.default.button-oob-otp-sms-label": "+ Ajouter un numéro de téléphone WhatsApp/SMS",
+  "v2.page.settings-passkey.default.add-passkey-button-label": "+ Ajouter une clé d''accès",
+  "v2.page.settings-passkey.default.dialog-description": "Êtes-vous sûr de vouloir supprimer cette clé d''accès ?",
+  "v2.page.settings-passkey.default.dialog-title": "Supprimer la clé d''accès",
+  "v2.page.settings-passkey.default.item-description": "Ajouté à <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-passkey.default.title": "Clé d''accès",
   "v2.page.settings-profile-edit-address.default.country-label": "Pays",
   "v2.page.settings-profile-edit-address.default.locality-label": "Ville",
-  "v2.page.settings-profile-edit-address.default.navbar-title": "Adresse",
   "v2.page.settings-profile-edit-address.default.postal-code-label": "Code postal",
   "v2.page.settings-profile-edit-address.default.region-label": "Région",
   "v2.page.settings-profile-edit-address.default.street-label": "Adresse de rue",
-  "v2.page.settings-profile-edit-birthdate.default.navbar-title": "Date de naissance",
+  "v2.page.settings-profile-edit-address.default.title": "Adresse",
+  "v2.page.settings-profile-edit-birthdate.default.title": "Date de naissance",
   "v2.page.settings-profile-edit-gender.default.gender-label-custom": "Personnalisé",
   "v2.page.settings-profile-edit-gender.default.gender-label-female": "Femme",
   "v2.page.settings-profile-edit-gender.default.gender-label-male": "Homme",
   "v2.page.settings-profile-edit-gender.default.gender-label-unspecified": "Non fourni",
   "v2.page.settings-profile-edit-gender.default.title": "Genre",
-  "v2.page.settings-profile-edit-locale.default.navbar-title": "Langue",
+  "v2.page.settings-profile-edit-locale.default.title": "Langue",
   "v2.page.settings-profile-edit-name.default.family-name-input-label": "Nom de famille",
   "v2.page.settings-profile-edit-name.default.fullname-input-label": "Nom complet",
   "v2.page.settings-profile-edit-name.default.given-name-input-label": "Prénom",
   "v2.page.settings-profile-edit-name.default.middle-name-input-label": "Deuxième prénom",
-  "v2.page.settings-profile-edit-name.default.navbar-title": "Nom",
   "v2.page.settings-profile-edit-name.default.nickname-input-label": "Surnom",
-  "v2.page.settings-profile-edit-zoneinfo.default.navbar-title": "Fuseau horaire",
+  "v2.page.settings-profile-edit-name.default.title": "Nom",
+  "v2.page.settings-profile-edit-zoneinfo.default.title": "Fuseau horaire",
   "v2.page.settings-profile-no-permission.default.content": "Non autorisé",
   "v2.page.settings-profile-no-permission.default.title": "Problèmes inattendus",
   "v2.page.settings-profile.default.address-title": "Adresse",
@@ -1146,9 +1241,21 @@
   "v2.page.settings-profile.default.gender-title": "Genre",
   "v2.page.settings-profile.default.language-title": "Langue",
   "v2.page.settings-profile.default.name-title": "Nom",
-  "v2.page.settings-profile.default.navbar-title": "Profil",
   "v2.page.settings-profile.default.profile-picture-title": "Photo de profil",
+  "v2.page.settings-profile.default.title": "Profil",
   "v2.page.settings-profile.default.zoneinfo-title": "Fuseau horaire",
+  "v2.page.settings-sessions.default.all-sessions-dialog-description": "Cela supprimera l''accès à votre compte depuis tous les autres appareils",
+  "v2.page.settings-sessions.default.all-sessions-dialog-title": "Terminer toutes les autres sessions",
+  "v2.page.settings-sessions.default.country-ip-item-description": "{countryName} ({countryCode}) - {ip}",
+  "v2.page.settings-sessions.default.device-item-description": "{isCurrent, select, true {{desc} · <span class=\"settings-description--primary-color\">Active maintenant</span>} other {{desc} · <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>}}",
+  "v2.page.settings-sessions.default.revoke-all-label": "Terminer toutes les autres sessions",
+  "v2.page.settings-sessions.default.session-dialog-description": "Cela supprimera l''accès à votre compte sur cet appareil",
+  "v2.page.settings-sessions.default.session-dialog-title": "Terminer la session",
+  "v2.page.settings-sessions.default.title": "Appareils connectés",
+  "v2.page.settings-totp.default.added-at-label": "Ajouté à <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-totp.default.button-add-authenticator-label": "+ Ajouter une application/un appareil d''authentification",
+  "v2.page.settings-totp.default.title": "Application/appareil d''authentification",
+  "v2.page.settings.default.button-label-account-deletion": "Supprimer le compte",
   "v2.page.settings.default.button-label-advanced-settings": "Paramètres avancés",
   "v2.page.settings.default.button-label-and-more": "{item} et plus",
   "v2.page.settings.default.button-label-back-to-app": "Retour à mon application",
diff --git a/resources/authgear/templates/id/translation.json b/resources/authgear/templates/id/translation.json
index e91b9c4e1a..dc41f02760 100644
--- a/resources/authgear/templates/id/translation.json
+++ b/resources/authgear/templates/id/translation.json
@@ -879,13 +879,17 @@
   "v2.component.bot-protection-widget.default.noscript": "JavaScript diperlukan untuk verifikasi captcha. Silakan aktifkan JavaScript di peramban Anda untuk melanjutkan.",
   "v2.component.button.default.copy": "Salin",
   "v2.component.button.default.download": "Unduh",
+  "v2.component.button.default.label-cancel": "Batal",
   "v2.component.button.default.label-continue": "Lanjutkan",
   "v2.component.button.default.label-continue-with-passkey": "Lanjutkan dengan Passkey",
   "v2.component.button.default.label-continue-with-phone": "Lanjutkan dengan Nomor Telepon",
   "v2.component.button.default.label-continue-with-text-login-id": "Lanjutkan dengan {variant, select, email {Email} username {Nama Pengguna} other {Email / Nama Pengguna}}",
+  "v2.component.button.default.label-edit": "Sunting",
   "v2.component.button.default.label-login": "Masuk",
+  "v2.component.button.default.label-remove": "Hapus",
   "v2.component.button.default.label-save": "Simpan",
   "v2.component.button.default.label-send": "Kirim",
+  "v2.component.button.default.label-terminate": "Mengakhiri",
   "v2.component.device-token-checkbox.default.label": "Ingat perangkat ini, dan jangan tanya lagi",
   "v2.component.divider.default.or-label": "atau",
   "v2.component.input.default.placeholder-email": "Alamat email",
@@ -923,6 +927,7 @@
   "v2.component.oob-otp-resend-button.default.countdown-unit": "Kirim ulang kode dalam %s",
   "v2.component.oob-otp-resend-button.default.label": "Kirim ulang kode",
   "v2.component.password-input.default.hide-password": "Sembunyikan kata sandi",
+  "v2.component.password-input.default.placeholder-confirm-new-password": "Masukkan kembali kata sandi baru",
   "v2.component.password-input.default.placeholder-confirm-password": "Masukkan Ulang Kata Sandi",
   "v2.component.password-input.default.placeholder-new-password": "Kata Sandi Baru",
   "v2.component.password-input.default.placeholder-password": "Kata Sandi Saat Ini",
@@ -932,7 +937,6 @@
   "v2.component.select-input.default.no-results-found": "Tidak ada hasil yang ditemukan",
   "v2.component.select-input.default.not-provided-label": "Tidak disediakan",
   "v2.component.select-input.default.search-label": "Cari",
-  "v2.component.select-input.default.unset-label": "Tidak diatur",
   "v2.component.toc-pp-footer.default.label": "Dengan mendaftar, Anda setuju dengan {variant, select, both{<a class=\"link-btn\" target=\"_blank\" href=\"{termsOfService}\">Syarat Layanan</a> dan <a class=\"link-btn\" target=\"_blank\" href=\"{privacyPolicy}\">Kebijakan Privasi</a>} termsOnly{<a class=\"link\" target=\"_blank\" href=\"{termsOfService}\">Syarat Layanan</a>} privacyOnly{<a class=\"link\" target=\"_blank\" href=\"{privacyPolicy}\">Kebijakan Privasi</a>} other{}}",
   "v2.component.verify-bot-protection.default.description": "Anda akan dialihkan setelah Anda menyelesaikan tantangan ini",
   "v2.component.verify-bot-protection.default.title": "Memeriksa sistem Anda...",
@@ -1115,26 +1119,117 @@
   "v2.page.select-account.default.description": "Anda telah masuk dengan {email_is_present,select,true{{email}} other{{phone_number_is_present,select,true{{phone_number}} other{{preferred_username}}}}}. Lanjutkan untuk melanjutkan.",
   "v2.page.select-account.default.title": "Masuk ke {AppOrClientName}",
   "v2.page.select-account.default.use-another-account": "Gunakan akun lain",
+  "v2.page.settings-advanced-settings.default.title": "Pengaturan Lanjutan",
+  "v2.page.settings-biometric.default.dialog-description": "Apakah Anda yakin ingin memutuskan login biometrik untuk perangkat ini?",
+  "v2.page.settings-biometric.default.dialog-title": "Putuskan Login Biometrik",
+  "v2.page.settings-biometric.default.disconnect-button-label": "Putuskan",
+  "v2.page.settings-biometric.default.item-description": "Dibuat pada <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-biometric.default.no-biometric-description": "Anda tidak memiliki perangkat dengan biometrik yang diaktifkan.",
+  "v2.page.settings-biometric.default.title": "Login Biometrik",
+  "v2.page.settings-biometric.default.unknown-name-item-label": "Perangkat Tidak Dikenal",
+  "v2.page.settings-change-password.default.title": "Ubah Kata Sandi",
+  "v2.page.settings-delete-account-success.default.button-label": "Selesai",
+  "v2.page.settings-delete-account-success.default.description": "Akun Anda telah dinonaktifkan dan data akan dihapus pada <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account-success.default.title": "Penghapusan akun dijadwalkan",
+  "v2.page.settings-delete-account.default.button-label": "Hapus Akun",
+  "v2.page.settings-delete-account.default.description": "Dengan menghapus akun, semua data akan dihapus secara permanen dan kami tidak akan dapat mengambilnya kembali. Jika Anda melanjutkan, akun Anda akan dihapus pada <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account.default.input-placeholder": "Ketik <b>{input}</b> untuk konfirmasi",
+  "v2.page.settings-delete-account.default.title": "Hapus Akun",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-maximum": "Silakan masukkan angka kurang dari atau sama dengan {maximum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum": "Silakan masukkan angka lebih besar dari atau sama dengan {minimum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum-maximum": "Silakan masukkan angka antara {minimum} dan {maximum}",
+  "v2.page.settings-identity-add-email.default.email-input-placeholder": "Alamat Email Baru",
+  "v2.page.settings-identity-add-email.default.title": "Tambahkan Email Baru",
+  "v2.page.settings-identity-add-phone.default.phone-input-placeholder": "Nomor Telepon",
+  "v2.page.settings-identity-add-phone.default.title": "Tambahkan Nomor Telepon Baru",
+  "v2.page.settings-identity-change-primary-email.default.title": "Email Utama",
+  "v2.page.settings-identity-change-primary-phone.default.title": "Telepon Utama",
+  "v2.page.settings-identity-edit-email.default.description": "Email Anda saat ini adalah {target}",
+  "v2.page.settings-identity-edit-email.default.email-input-placeholder": "Alamat Email Baru",
+  "v2.page.settings-identity-edit-email.default.title": "Edit Email",
+  "v2.page.settings-identity-edit-phone.default.description": "Nomor telepon Anda saat ini adalah {target}",
+  "v2.page.settings-identity-edit-phone.default.phone-input-placeholder": "Nomor Telepon",
+  "v2.page.settings-identity-edit-phone.default.title": "Edit Nomor Telepon",
+  "v2.page.settings-identity-edit-username.default.title": "Ubah Nama Pengguna",
+  "v2.page.settings-identity-email.default.title": "Email",
+  "v2.page.settings-identity-list-email.default.button-add-email-label": "+ Tambahkan email",
+  "v2.page.settings-identity-list-email.default.button-change-primary-email-label": "Ubah",
+  "v2.page.settings-identity-list-email.default.primary-email-label": "email utama",
+  "v2.page.settings-identity-list-phone.default.button-add-phone-label": "+ Tambahkan nomor telepon baru",
+  "v2.page.settings-identity-list-phone.default.button-change-primary-phone-label": "Ubah",
+  "v2.page.settings-identity-list-phone.default.primary-phone-label": "telepon utama",
+  "v2.page.settings-identity-list-username.default.button-add-username-label": "+ Tambahkan nama pengguna",
+  "v2.page.settings-identity-list-username.default.title": "Nama pengguna",
+  "v2.page.settings-identity-new-username.default.title": "Tambah Nama Pengguna",
+  "v2.page.settings-identity-phone.default.title": "Telepon",
+  "v2.page.settings-identity-verify-email.default.title": "Verifikasi",
+  "v2.page.settings-identity-verify-phone.default.title": "Verifikasi",
+  "v2.page.settings-identity-view-email.default.button-edit-email-label": "Sunting",
+  "v2.page.settings-identity-view-email.default.button-remove-email-label": "Hapus email ini",
+  "v2.page.settings-identity-view-email.default.button-verify-email-label": "Verifikasi",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-description": "Apakah Anda yakin ingin menghapus alamat email {target} dari akun Anda?",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-title": "Hapus Alamat Email",
+  "v2.page.settings-identity-view-phone.default.button-edit-phone-label": "Sunting",
+  "v2.page.settings-identity-view-phone.default.button-remove-phone-label": "Hapus telepon ini",
+  "v2.page.settings-identity-view-phone.default.button-verify-phone-label": "Verifikasi",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-description": "Apakah Anda yakin ingin menghapus nomor telepon {target} dari akun Anda?",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-title": "Hapus Nomor Telepon",
+  "v2.page.settings-identity-view-username.default.button-remove-label": "Hapus nama pengguna",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-description": "Apakah Anda yakin ingin menghapus nama pengguna <span class=\"settings-dialog__description-text--highlight\">{Username}</span> dari akun Anda?",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-title": "Hapus Nama Pengguna",
+  "v2.page.settings-identity-view-username.default.title": "Nama Pengguna",
+  "v2.page.settings-identity.default.verification-status-unverified-label": "Tidak Diverifikasi",
+  "v2.page.settings-identity.default.verification-status-verified-label": "Diverifikasi",
+  "v2.page.settings-mfa-create-password.default.title": "Kata sandi tambahan",
+  "v2.page.settings-mfa-password.default.additional-password-added-at": "Ditambahkan pada <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.additional-password-label": "Kata sandi tambahan",
+  "v2.page.settings-mfa-password.default.additional-password-updated-at": "Diperbarui pada <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.dialog-delete-description": "Apakah Anda yakin ingin menghapus kata sandi tambahan?",
+  "v2.page.settings-mfa-password.default.dialog-delete-title": "Hapus kata sandi tambahan",
+  "v2.page.settings-mfa-password.default.remove-button-label": "Hapus kata sandi tambahan",
+  "v2.page.settings-mfa-password.default.title": "Kata sandi tambahan",
+  "v2.page.settings-mfa.default.activated-label": "Diaktifkan",
+  "v2.page.settings-mfa.default.additional-password-label": "Kata sandi tambahan",
+  "v2.page.settings-mfa.default.dialog-revoke-device-description": "Anda memiliki {NumberOfDeviceTokens, plural, one{# perangkat terpercaya} other{# perangkat terpercaya}} yang terkait dengan akun Anda. Apakah Anda ingin menghapus semua perangkat terpercaya?",
+  "v2.page.settings-mfa.default.dialog-revoke-device-title": "Hapus perangkat terpercaya",
+  "v2.page.settings-mfa.default.inactive-label": "Tidak aktif",
+  "v2.page.settings-mfa.default.secondary-oob-otp-email-label": "Email",
+  "v2.page.settings-mfa.default.secondary-oob-otp-sms-label": "Pesan Whatsapp/SMS",
+  "v2.page.settings-mfa.default.secondary-totp-label": "Aplikasi/perangkat autentikator",
+  "v2.page.settings-mfa.default.title": "Otentikasi 2-Faktor",
+  "v2.page.settings-mfa.default.trusted-devices-has-device-tokens-message": "Anda memiliki {NumberOfDeviceTokens, plural, one{# perangkat terpercaya} other{# perangkat terpercaya}}",
+  "v2.page.settings-mfa.default.trusted-devices-label": "Perangkat terpercaya",
+  "v2.page.settings-mfa.default.trusted-devices-no-device-tokens-message": "Anda tidak memiliki perangkat terpercaya yang dapat melewati verifikasi 2-langkah.",
+  "v2.page.settings-oob-otp-email.default.title": "Email",
+  "v2.page.settings-oob-otp-sms.default.title": "Pesan WhatsApp/SMS",
+  "v2.page.settings-oob-otp.default.added-at-label": "Ditambahkan pada <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-oob-otp.default.button-oob-otp-email-label": "+ Tambahkan email",
+  "v2.page.settings-oob-otp.default.button-oob-otp-sms-label": "+ Tambahkan nomor telepon WhatsApp/SMS",
+  "v2.page.settings-passkey.default.add-passkey-button-label": "+ Tambahkan Passkey",
+  "v2.page.settings-passkey.default.dialog-description": "Apakah Anda yakin ingin menghapus Passkey ini?",
+  "v2.page.settings-passkey.default.dialog-title": "Hapus Passkey",
+  "v2.page.settings-passkey.default.item-description": "Ditambahkan pada <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-passkey.default.title": "Passkey",
   "v2.page.settings-profile-edit-address.default.country-label": "Negara",
   "v2.page.settings-profile-edit-address.default.locality-label": "Kota",
-  "v2.page.settings-profile-edit-address.default.navbar-title": "Alamat",
   "v2.page.settings-profile-edit-address.default.postal-code-label": "Kode pos",
   "v2.page.settings-profile-edit-address.default.region-label": "Wilayah",
   "v2.page.settings-profile-edit-address.default.street-label": "Alamat jalan",
-  "v2.page.settings-profile-edit-birthdate.default.navbar-title": "Tanggal lahir",
+  "v2.page.settings-profile-edit-address.default.title": "Alamat",
+  "v2.page.settings-profile-edit-birthdate.default.title": "Tanggal lahir",
   "v2.page.settings-profile-edit-gender.default.gender-label-custom": "Kustom",
   "v2.page.settings-profile-edit-gender.default.gender-label-female": "Perempuan",
   "v2.page.settings-profile-edit-gender.default.gender-label-male": "Laki-laki",
   "v2.page.settings-profile-edit-gender.default.gender-label-unspecified": "Tidak diberikan",
   "v2.page.settings-profile-edit-gender.default.title": "Jenis Kelamin",
-  "v2.page.settings-profile-edit-locale.default.navbar-title": "Bahasa",
+  "v2.page.settings-profile-edit-locale.default.title": "Bahasa",
   "v2.page.settings-profile-edit-name.default.family-name-input-label": "Nama keluarga",
   "v2.page.settings-profile-edit-name.default.fullname-input-label": "Nama lengkap",
   "v2.page.settings-profile-edit-name.default.given-name-input-label": "Nama depan",
   "v2.page.settings-profile-edit-name.default.middle-name-input-label": "Nama tengah",
-  "v2.page.settings-profile-edit-name.default.navbar-title": "Nama",
   "v2.page.settings-profile-edit-name.default.nickname-input-label": "Nama panggilan",
-  "v2.page.settings-profile-edit-zoneinfo.default.navbar-title": "Zona waktu",
+  "v2.page.settings-profile-edit-name.default.title": "Nama",
+  "v2.page.settings-profile-edit-zoneinfo.default.title": "Zona waktu",
   "v2.page.settings-profile-no-permission.default.content": "Tidak diotorisasi",
   "v2.page.settings-profile-no-permission.default.title": "Masalah yang Tidak Terduga",
   "v2.page.settings-profile.default.address-title": "Alamat",
@@ -1146,9 +1241,21 @@
   "v2.page.settings-profile.default.gender-title": "Jenis Kelamin",
   "v2.page.settings-profile.default.language-title": "Bahasa",
   "v2.page.settings-profile.default.name-title": "Nama",
-  "v2.page.settings-profile.default.navbar-title": "Profil",
   "v2.page.settings-profile.default.profile-picture-title": "Foto Profil",
+  "v2.page.settings-profile.default.title": "Profil",
   "v2.page.settings-profile.default.zoneinfo-title": "Zona Waktu",
+  "v2.page.settings-sessions.default.all-sessions-dialog-description": "Ini akan menghapus akses ke akun Anda dari semua perangkat lain",
+  "v2.page.settings-sessions.default.all-sessions-dialog-title": "Mengakhiri semua sesi lainnya",
+  "v2.page.settings-sessions.default.country-ip-item-description": "{countryName} ({countryCode}) - {ip}",
+  "v2.page.settings-sessions.default.device-item-description": "{isCurrent, select, true {{desc} · <span class=\"settings-description--primary-color\">Aktif Sekarang</span>} other {{desc} · <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>}}",
+  "v2.page.settings-sessions.default.revoke-all-label": "Mengakhiri semua sesi lainnya",
+  "v2.page.settings-sessions.default.session-dialog-description": "Ini akan menghapus akses ke akun Anda di perangkat ini",
+  "v2.page.settings-sessions.default.session-dialog-title": "Mengakhiri sesi",
+  "v2.page.settings-sessions.default.title": "Perangkat yang Masuk",
+  "v2.page.settings-totp.default.added-at-label": "Ditambahkan pada <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-totp.default.button-add-authenticator-label": "+ Tambahkan aplikasi/perangkat autentikator",
+  "v2.page.settings-totp.default.title": "Aplikasi/perangkat autentikator",
+  "v2.page.settings.default.button-label-account-deletion": "Hapus Akun",
   "v2.page.settings.default.button-label-advanced-settings": "Pengaturan Lanjutan",
   "v2.page.settings.default.button-label-and-more": "{item} dan lainnya",
   "v2.page.settings.default.button-label-back-to-app": "Kembali ke aplikasi saya",
diff --git a/resources/authgear/templates/it/translation.json b/resources/authgear/templates/it/translation.json
index 06de2344c7..72d13a21c2 100644
--- a/resources/authgear/templates/it/translation.json
+++ b/resources/authgear/templates/it/translation.json
@@ -879,13 +879,17 @@
   "v2.component.bot-protection-widget.default.noscript": "JavaScript è richiesto per la verifica del captcha. Abilita JavaScript nel tuo browser per procedere.",
   "v2.component.button.default.copy": "Copia",
   "v2.component.button.default.download": "Scarica",
+  "v2.component.button.default.label-cancel": "Annulla",
   "v2.component.button.default.label-continue": "Continua",
   "v2.component.button.default.label-continue-with-passkey": "Continua con Passkey",
   "v2.component.button.default.label-continue-with-phone": "Continua con il numero di telefono",
   "v2.component.button.default.label-continue-with-text-login-id": "Continua con {variant, select, email {Email} username {Nome utente} other {Email / Nome utente}}",
+  "v2.component.button.default.label-edit": "Modifica",
   "v2.component.button.default.label-login": "Accedi",
+  "v2.component.button.default.label-remove": "Rimuovi",
   "v2.component.button.default.label-save": "Salva",
   "v2.component.button.default.label-send": "Invia",
+  "v2.component.button.default.label-terminate": "Terminare",
   "v2.component.device-token-checkbox.default.label": "Ricorda questo dispositivo e non chiedere più",
   "v2.component.divider.default.or-label": "oppure",
   "v2.component.input.default.placeholder-email": "Indirizzo email",
@@ -923,6 +927,7 @@
   "v2.component.oob-otp-resend-button.default.countdown-unit": "Reinvia codice tra %s",
   "v2.component.oob-otp-resend-button.default.label": "Reinvia codice",
   "v2.component.password-input.default.hide-password": "Nascondi password",
+  "v2.component.password-input.default.placeholder-confirm-new-password": "Reinserisci la nuova password",
   "v2.component.password-input.default.placeholder-confirm-password": "Reinserisci la password",
   "v2.component.password-input.default.placeholder-new-password": "Nuova password",
   "v2.component.password-input.default.placeholder-password": "Password attuale",
@@ -932,7 +937,6 @@
   "v2.component.select-input.default.no-results-found": "Nessun risultato trovato",
   "v2.component.select-input.default.not-provided-label": "Non fornito",
   "v2.component.select-input.default.search-label": "Cerca",
-  "v2.component.select-input.default.unset-label": "Non impostato",
   "v2.component.toc-pp-footer.default.label": "Registrandoti, accetti {variant, select, both{i <a class=\"link-btn\" target=\"_blank\" href=\"{termsOfService}\">Termini di servizio</a> e l''<a class=\"link-btn\" target=\"_blank\" href=\"{privacyPolicy}\">Informativa sulla privacy</a>} termsOnly{i <a class=\"link\" target=\"_blank\" href=\"{termsOfService}\">Termini di servizio</a>} privacyOnly{l''<a class=\"link\" target=\"_blank\" href=\"{privacyPolicy}\">Informativa sulla privacy</a>} other{}}",
   "v2.component.verify-bot-protection.default.description": "Verrai reindirizzato a breve dopo aver completato la sfida",
   "v2.component.verify-bot-protection.default.title": "Verifica del tuo sistema...",
@@ -1115,26 +1119,117 @@
   "v2.page.select-account.default.description": "Hai effettuato l''accesso con {email_is_present,select,true{{email}} other{{phone_number_is_present,select,true{{phone_number}} other{{preferred_username}}}}}. Procedi per continuare.",
   "v2.page.select-account.default.title": "Accedi a {AppOrClientName}",
   "v2.page.select-account.default.use-another-account": "Usa un altro account",
+  "v2.page.settings-advanced-settings.default.title": "Impostazioni Avanzate",
+  "v2.page.settings-biometric.default.dialog-description": "Sei sicuro di voler disconnettere l''accesso biometrico per questo dispositivo?",
+  "v2.page.settings-biometric.default.dialog-title": "Disconnetti Accesso Biometrico",
+  "v2.page.settings-biometric.default.disconnect-button-label": "Disconnetti",
+  "v2.page.settings-biometric.default.item-description": "Creato alle <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-biometric.default.no-biometric-description": "Non hai dispositivi con biometria abilitata.",
+  "v2.page.settings-biometric.default.title": "Accesso Biometrico",
+  "v2.page.settings-biometric.default.unknown-name-item-label": "Dispositivo Sconosciuto",
+  "v2.page.settings-change-password.default.title": "Cambia Password",
+  "v2.page.settings-delete-account-success.default.button-label": "Fatto",
+  "v2.page.settings-delete-account-success.default.description": "Il tuo account è stato disattivato e i dati verranno eliminati il <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account-success.default.title": "Eliminazione account programmata",
+  "v2.page.settings-delete-account.default.button-label": "Elimina Account",
+  "v2.page.settings-delete-account.default.description": "Eliminando l''account, tutti i dati verranno eliminati permanentemente e non saremo in grado di recuperarli. Se continui, il tuo account verrà eliminato il <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account.default.input-placeholder": "Digita <b>{input}</b> per confermare",
+  "v2.page.settings-delete-account.default.title": "Elimina Account",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-maximum": "Inserisci un numero minore o uguale a {maximum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum": "Inserisci un numero maggiore o uguale a {minimum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum-maximum": "Inserisci un numero compreso tra {minimum} e {maximum}",
+  "v2.page.settings-identity-add-email.default.email-input-placeholder": "Nuovo Indirizzo Email",
+  "v2.page.settings-identity-add-email.default.title": "Aggiungi Nuova Email",
+  "v2.page.settings-identity-add-phone.default.phone-input-placeholder": "Numero di Telefono",
+  "v2.page.settings-identity-add-phone.default.title": "Aggiungi Nuovo Telefono",
+  "v2.page.settings-identity-change-primary-email.default.title": "Email principale",
+  "v2.page.settings-identity-change-primary-phone.default.title": "Telefono principale",
+  "v2.page.settings-identity-edit-email.default.description": "Il tuo indirizzo email attuale è {target}",
+  "v2.page.settings-identity-edit-email.default.email-input-placeholder": "Nuovo indirizzo email",
+  "v2.page.settings-identity-edit-email.default.title": "Modifica email",
+  "v2.page.settings-identity-edit-phone.default.description": "Il tuo attuale numero di telefono è {target}",
+  "v2.page.settings-identity-edit-phone.default.phone-input-placeholder": "Numero di Telefono",
+  "v2.page.settings-identity-edit-phone.default.title": "Modifica Telefono",
+  "v2.page.settings-identity-edit-username.default.title": "Cambia Nome Utente",
+  "v2.page.settings-identity-email.default.title": "Email",
+  "v2.page.settings-identity-list-email.default.button-add-email-label": "+ Aggiungi email",
+  "v2.page.settings-identity-list-email.default.button-change-primary-email-label": "Cambia",
+  "v2.page.settings-identity-list-email.default.primary-email-label": "Email principale",
+  "v2.page.settings-identity-list-phone.default.button-add-phone-label": "+ Aggiungi nuovo numero di telefono",
+  "v2.page.settings-identity-list-phone.default.button-change-primary-phone-label": "Cambia",
+  "v2.page.settings-identity-list-phone.default.primary-phone-label": "telefono principale",
+  "v2.page.settings-identity-list-username.default.button-add-username-label": "+ Aggiungi nome utente",
+  "v2.page.settings-identity-list-username.default.title": "Nome utente",
+  "v2.page.settings-identity-new-username.default.title": "Aggiungi Nome Utente",
+  "v2.page.settings-identity-phone.default.title": "Telefono",
+  "v2.page.settings-identity-verify-email.default.title": "Verifica",
+  "v2.page.settings-identity-verify-phone.default.title": "Verifica",
+  "v2.page.settings-identity-view-email.default.button-edit-email-label": "Modifica",
+  "v2.page.settings-identity-view-email.default.button-remove-email-label": "Rimuovi questa email",
+  "v2.page.settings-identity-view-email.default.button-verify-email-label": "Verifica",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-description": "Sei sicuro di voler rimuovere l''indirizzo email {target} dal tuo account?",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-title": "Rimuovi indirizzo email",
+  "v2.page.settings-identity-view-phone.default.button-edit-phone-label": "Modifica",
+  "v2.page.settings-identity-view-phone.default.button-remove-phone-label": "Rimuovi questo telefono",
+  "v2.page.settings-identity-view-phone.default.button-verify-phone-label": "Verifica",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-description": "Sei sicuro di voler rimuovere il numero di telefono {target} dal tuo account?",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-title": "Rimuovi numero di telefono",
+  "v2.page.settings-identity-view-username.default.button-remove-label": "Rimuovi nome utente",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-description": "Sei sicuro di voler rimuovere il nome utente <span class=\"settings-dialog__description-text--highlight\">{Username}</span> dal tuo account?",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-title": "Rimuovi Nome Utente",
+  "v2.page.settings-identity-view-username.default.title": "Nome Utente",
+  "v2.page.settings-identity.default.verification-status-unverified-label": "Non verificato",
+  "v2.page.settings-identity.default.verification-status-verified-label": "Verificato",
+  "v2.page.settings-mfa-create-password.default.title": "Password aggiuntiva",
+  "v2.page.settings-mfa-password.default.additional-password-added-at": "Aggiunta alle <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.additional-password-label": "Password aggiuntiva",
+  "v2.page.settings-mfa-password.default.additional-password-updated-at": "Aggiornata alle <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.dialog-delete-description": "Sei sicuro di voler rimuovere la password aggiuntiva?",
+  "v2.page.settings-mfa-password.default.dialog-delete-title": "Rimuovi password aggiuntiva",
+  "v2.page.settings-mfa-password.default.remove-button-label": "Rimuovi password aggiuntiva",
+  "v2.page.settings-mfa-password.default.title": "Password aggiuntiva",
+  "v2.page.settings-mfa.default.activated-label": "Attivata",
+  "v2.page.settings-mfa.default.additional-password-label": "Password aggiuntiva",
+  "v2.page.settings-mfa.default.dialog-revoke-device-description": "Hai {NumberOfDeviceTokens, plural, one{# dispositivo attendibile} other{# dispositivi attendibili}} associati al tuo account. Vuoi rimuovere tutti i dispositivi attendibili?",
+  "v2.page.settings-mfa.default.dialog-revoke-device-title": "Rimuovi dispositivi attendibili",
+  "v2.page.settings-mfa.default.inactive-label": "Inattiva",
+  "v2.page.settings-mfa.default.secondary-oob-otp-email-label": "Email",
+  "v2.page.settings-mfa.default.secondary-oob-otp-sms-label": "Messaggio Whatsapp/SMS",
+  "v2.page.settings-mfa.default.secondary-totp-label": "App/dispositivo di autenticazione",
+  "v2.page.settings-mfa.default.title": "Autenticazione a 2 Fattori",
+  "v2.page.settings-mfa.default.trusted-devices-has-device-tokens-message": "Hai {NumberOfDeviceTokens, plural, one{# dispositivo attendibile} other{# dispositivi attendibili}}",
+  "v2.page.settings-mfa.default.trusted-devices-label": "Dispositivi attendibili",
+  "v2.page.settings-mfa.default.trusted-devices-no-device-tokens-message": "Non hai dispositivi attendibili che possano saltare la verifica in due passaggi.",
+  "v2.page.settings-oob-otp-email.default.title": "Email",
+  "v2.page.settings-oob-otp-sms.default.title": "Messaggio WhatsApp/SMS",
+  "v2.page.settings-oob-otp.default.added-at-label": "Aggiunto alle <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-oob-otp.default.button-oob-otp-email-label": "+ Aggiungi email",
+  "v2.page.settings-oob-otp.default.button-oob-otp-sms-label": "+ Aggiungi numero di telefono WhatsApp/SMS",
+  "v2.page.settings-passkey.default.add-passkey-button-label": "+ Aggiungi passkey",
+  "v2.page.settings-passkey.default.dialog-description": "Sei sicuro di voler rimuovere questa passkey?",
+  "v2.page.settings-passkey.default.dialog-title": "Rimuovi Passkey",
+  "v2.page.settings-passkey.default.item-description": "Aggiunto alle <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-passkey.default.title": "Passkey",
   "v2.page.settings-profile-edit-address.default.country-label": "Paese",
   "v2.page.settings-profile-edit-address.default.locality-label": "Città",
-  "v2.page.settings-profile-edit-address.default.navbar-title": "Indirizzo",
   "v2.page.settings-profile-edit-address.default.postal-code-label": "Codice postale",
   "v2.page.settings-profile-edit-address.default.region-label": "Regione",
   "v2.page.settings-profile-edit-address.default.street-label": "Indirizzo stradale",
-  "v2.page.settings-profile-edit-birthdate.default.navbar-title": "Data di nascita",
+  "v2.page.settings-profile-edit-address.default.title": "Indirizzo",
+  "v2.page.settings-profile-edit-birthdate.default.title": "Data di nascita",
   "v2.page.settings-profile-edit-gender.default.gender-label-custom": "Personalizzato",
   "v2.page.settings-profile-edit-gender.default.gender-label-female": "Femmina",
   "v2.page.settings-profile-edit-gender.default.gender-label-male": "Maschio",
   "v2.page.settings-profile-edit-gender.default.gender-label-unspecified": "Non fornito",
   "v2.page.settings-profile-edit-gender.default.title": "Genere",
-  "v2.page.settings-profile-edit-locale.default.navbar-title": "Lingua",
+  "v2.page.settings-profile-edit-locale.default.title": "Lingua",
   "v2.page.settings-profile-edit-name.default.family-name-input-label": "Cognome",
   "v2.page.settings-profile-edit-name.default.fullname-input-label": "Nome completo",
   "v2.page.settings-profile-edit-name.default.given-name-input-label": "Nome",
   "v2.page.settings-profile-edit-name.default.middle-name-input-label": "Secondo nome",
-  "v2.page.settings-profile-edit-name.default.navbar-title": "Nome",
   "v2.page.settings-profile-edit-name.default.nickname-input-label": "Soprannome",
-  "v2.page.settings-profile-edit-zoneinfo.default.navbar-title": "Fuso orario",
+  "v2.page.settings-profile-edit-name.default.title": "Nome",
+  "v2.page.settings-profile-edit-zoneinfo.default.title": "Fuso orario",
   "v2.page.settings-profile-no-permission.default.content": "Non autorizzato",
   "v2.page.settings-profile-no-permission.default.title": "Problemi imprevisti",
   "v2.page.settings-profile.default.address-title": "Indirizzo",
@@ -1146,9 +1241,21 @@
   "v2.page.settings-profile.default.gender-title": "Genere",
   "v2.page.settings-profile.default.language-title": "Lingua",
   "v2.page.settings-profile.default.name-title": "Nome",
-  "v2.page.settings-profile.default.navbar-title": "Profilo",
   "v2.page.settings-profile.default.profile-picture-title": "Immagine del profilo",
+  "v2.page.settings-profile.default.title": "Profilo",
   "v2.page.settings-profile.default.zoneinfo-title": "Fuso orario",
+  "v2.page.settings-sessions.default.all-sessions-dialog-description": "Questo rimuoverà l''accesso al tuo account da tutti gli altri dispositivi",
+  "v2.page.settings-sessions.default.all-sessions-dialog-title": "Termina tutte le altre sessioni",
+  "v2.page.settings-sessions.default.country-ip-item-description": "{countryName} ({countryCode}) - {ip}",
+  "v2.page.settings-sessions.default.device-item-description": "{isCurrent, select, true {{desc} · <span class=\"settings-description--primary-color\">Attivo Ora</span>} other {{desc} · <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>}}",
+  "v2.page.settings-sessions.default.revoke-all-label": "Termina tutte le altre sessioni",
+  "v2.page.settings-sessions.default.session-dialog-description": "Questo rimuoverà l''accesso al tuo account su questo dispositivo",
+  "v2.page.settings-sessions.default.session-dialog-title": "Termina sessione",
+  "v2.page.settings-sessions.default.title": "Dispositivi Connessi",
+  "v2.page.settings-totp.default.added-at-label": "Aggiunto alle <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-totp.default.button-add-authenticator-label": "+ Aggiungi app/dispositivo di autenticazione",
+  "v2.page.settings-totp.default.title": "App/dispositivo di autenticazione",
+  "v2.page.settings.default.button-label-account-deletion": "Elimina Account",
   "v2.page.settings.default.button-label-advanced-settings": "Impostazioni avanzate",
   "v2.page.settings.default.button-label-and-more": "{item} e altro",
   "v2.page.settings.default.button-label-back-to-app": "Torna alla mia app",
diff --git a/resources/authgear/templates/ja/translation.json b/resources/authgear/templates/ja/translation.json
index 8604084bb0..31ba3978f1 100644
--- a/resources/authgear/templates/ja/translation.json
+++ b/resources/authgear/templates/ja/translation.json
@@ -879,13 +879,17 @@
   "v2.component.bot-protection-widget.default.noscript": "キャプチャ検証にはJavaScriptが必要です。続行するには、ブラウザでJavaScriptを有効にしてください。",
   "v2.component.button.default.copy": "コピー",
   "v2.component.button.default.download": "ダウンロード",
+  "v2.component.button.default.label-cancel": "キャンセル",
   "v2.component.button.default.label-continue": "続ける",
   "v2.component.button.default.label-continue-with-passkey": "Passkeyで続ける",
   "v2.component.button.default.label-continue-with-phone": "電話番号で続ける",
   "v2.component.button.default.label-continue-with-text-login-id": "{variant, select, email {メール} username {ユーザー名} other {メール / ユーザー名}}で続ける",
+  "v2.component.button.default.label-edit": "編集",
   "v2.component.button.default.label-login": "ログイン",
+  "v2.component.button.default.label-remove": "削除",
   "v2.component.button.default.label-save": "保存",
   "v2.component.button.default.label-send": "送信",
+  "v2.component.button.default.label-terminate": "終了する",
   "v2.component.device-token-checkbox.default.label": "このデバイスを記憶し、次回以降の確認を省略する",
   "v2.component.divider.default.or-label": "または",
   "v2.component.input.default.placeholder-email": "メールアドレス",
@@ -923,6 +927,7 @@
   "v2.component.oob-otp-resend-button.default.countdown-unit": "%sでコードを再送",
   "v2.component.oob-otp-resend-button.default.label": "コードを再送",
   "v2.component.password-input.default.hide-password": "パスワードを隠す",
+  "v2.component.password-input.default.placeholder-confirm-new-password": "新しいパスワードを再入力してください",
   "v2.component.password-input.default.placeholder-confirm-password": "パスワードを再入力",
   "v2.component.password-input.default.placeholder-new-password": "新しいパスワード",
   "v2.component.password-input.default.placeholder-password": "現在のパスワード",
@@ -932,7 +937,6 @@
   "v2.component.select-input.default.no-results-found": "結果が見つかりません",
   "v2.component.select-input.default.not-provided-label": "未提供",
   "v2.component.select-input.default.search-label": "検索",
-  "v2.component.select-input.default.unset-label": "未設定",
   "v2.component.toc-pp-footer.default.label": "登録することで、{variant, select, both{<a class=\"link-btn\" target=\"_blank\" href=\"{termsOfService}\">利用規約</a>と<a class=\"link-btn\" target=\"_blank\" href=\"{privacyPolicy}\">プライバシーポリシー</a>}termsOnly{<a class=\"link\" target=\"_blank\" href=\"{termsOfService}\">利用規約</a>}privacyOnly{<a class=\"link\" target=\"_blank\" href=\"{privacyPolicy}\">プライバシーポリシー</a>}other{}}に同意したことになります。",
   "v2.component.verify-bot-protection.default.description": "チャレンジを完了した後、すぐにリダイレクトされます。",
   "v2.component.verify-bot-protection.default.title": "システムを確認しています...",
@@ -1115,26 +1119,117 @@
   "v2.page.select-account.default.description": "{email_is_present,select,true{{email}} other{{phone_number_is_present,select,true{{phone_number}} other{{preferred_username}}}}}でログインしました。続行するにはこのアカウントを使用してください。",
   "v2.page.select-account.default.title": "{AppOrClientName}にログイン",
   "v2.page.select-account.default.use-another-account": "別のアカウントを使用",
+  "v2.page.settings-advanced-settings.default.title": "高度な設定",
+  "v2.page.settings-biometric.default.dialog-description": "生体認証ログインをこのデバイスから切断してもよろしいですか?",
+  "v2.page.settings-biometric.default.dialog-title": "生体認証ログインの切断",
+  "v2.page.settings-biometric.default.disconnect-button-label": "切断",
+  "v2.page.settings-biometric.default.item-description": "<span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>に作成されました",
+  "v2.page.settings-biometric.default.no-biometric-description": "生体認証が有効になっているデバイスはありません。",
+  "v2.page.settings-biometric.default.title": "生体認証ログイン",
+  "v2.page.settings-biometric.default.unknown-name-item-label": "不明なデバイス",
+  "v2.page.settings-change-password.default.title": "パスワードの変更",
+  "v2.page.settings-delete-account-success.default.button-label": "完了",
+  "v2.page.settings-delete-account-success.default.description": "アカウントは非活性化され、データは<span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>に削除されます",
+  "v2.page.settings-delete-account-success.default.title": "アカウント削除がスケジュールされました",
+  "v2.page.settings-delete-account.default.button-label": "アカウントを削除",
+  "v2.page.settings-delete-account.default.description": "アカウントを削除すると、すべてのデータが永久に削除され、復元することはできません。続行すると、アカウントは<span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>に削除されます",
+  "v2.page.settings-delete-account.default.input-placeholder": "<b>{input}</b>と入力して確認してください",
+  "v2.page.settings-delete-account.default.title": "アカウントを削除",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-maximum": "{maximum}以下の数値を入力してください",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum": "{minimum}以上の数値を入力してください",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum-maximum": "{minimum}から{maximum}の間の数値を入力してください",
+  "v2.page.settings-identity-add-email.default.email-input-placeholder": "新しいメールアドレス",
+  "v2.page.settings-identity-add-email.default.title": "新しいメールを追加",
+  "v2.page.settings-identity-add-phone.default.phone-input-placeholder": "電話番号",
+  "v2.page.settings-identity-add-phone.default.title": "新しい電話番号を追加",
+  "v2.page.settings-identity-change-primary-email.default.title": "プライマリーメール",
+  "v2.page.settings-identity-change-primary-phone.default.title": "主要な電話番号",
+  "v2.page.settings-identity-edit-email.default.description": "現在のメールアドレスは {target} です",
+  "v2.page.settings-identity-edit-email.default.email-input-placeholder": "新しいメールアドレス",
+  "v2.page.settings-identity-edit-email.default.title": "メールアドレスを編集する",
+  "v2.page.settings-identity-edit-phone.default.description": "現在の電話番号は {target} です",
+  "v2.page.settings-identity-edit-phone.default.phone-input-placeholder": "電話番号",
+  "v2.page.settings-identity-edit-phone.default.title": "電話番号を編集",
+  "v2.page.settings-identity-edit-username.default.title": "ユーザー名を変更",
+  "v2.page.settings-identity-email.default.title": "メール",
+  "v2.page.settings-identity-list-email.default.button-add-email-label": "+ メールアドレスを追加",
+  "v2.page.settings-identity-list-email.default.button-change-primary-email-label": "変更する",
+  "v2.page.settings-identity-list-email.default.primary-email-label": "プライマリーメール",
+  "v2.page.settings-identity-list-phone.default.button-add-phone-label": "+ 新しい電話番号を追加する",
+  "v2.page.settings-identity-list-phone.default.button-change-primary-phone-label": "変更",
+  "v2.page.settings-identity-list-phone.default.primary-phone-label": "主要な電話番号",
+  "v2.page.settings-identity-list-username.default.button-add-username-label": "+ ユーザー名を追加",
+  "v2.page.settings-identity-list-username.default.title": "ユーザー名",
+  "v2.page.settings-identity-new-username.default.title": "ユーザー名を追加",
+  "v2.page.settings-identity-phone.default.title": "電話番号",
+  "v2.page.settings-identity-verify-email.default.title": "確認",
+  "v2.page.settings-identity-verify-phone.default.title": "認証",
+  "v2.page.settings-identity-view-email.default.button-edit-email-label": "編集",
+  "v2.page.settings-identity-view-email.default.button-remove-email-label": "このメールアドレスを削除",
+  "v2.page.settings-identity-view-email.default.button-verify-email-label": "検証",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-description": "本当にメールアドレス{target}をアカウントから削除しますか?",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-title": "メールアドレスを削除",
+  "v2.page.settings-identity-view-phone.default.button-edit-phone-label": "編集",
+  "v2.page.settings-identity-view-phone.default.button-remove-phone-label": "この電話番号を削除",
+  "v2.page.settings-identity-view-phone.default.button-verify-phone-label": "確認",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-description": "本当にアカウントから電話番号{target}を削除しますか?",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-title": "電話番号を削除",
+  "v2.page.settings-identity-view-username.default.button-remove-label": "ユーザー名を削除",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-description": "本当にユーザー名<span class=\"settings-dialog__description-text--highlight\">{Username}</span>をアカウントから削除しますか?",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-title": "ユーザー名を削除",
+  "v2.page.settings-identity-view-username.default.title": "ユーザー名",
+  "v2.page.settings-identity.default.verification-status-unverified-label": "未検証",
+  "v2.page.settings-identity.default.verification-status-verified-label": "検証済み",
+  "v2.page.settings-mfa-create-password.default.title": "追加のパスワード",
+  "v2.page.settings-mfa-password.default.additional-password-added-at": "追加日時: <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.additional-password-label": "追加のパスワード",
+  "v2.page.settings-mfa-password.default.additional-password-updated-at": "更新日時: <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.dialog-delete-description": "追加のパスワードを削除してもよろしいですか?",
+  "v2.page.settings-mfa-password.default.dialog-delete-title": "追加のパスワードを削除",
+  "v2.page.settings-mfa-password.default.remove-button-label": "追加のパスワードを削除する",
+  "v2.page.settings-mfa-password.default.title": "追加のパスワード",
+  "v2.page.settings-mfa.default.activated-label": "有効化済み",
+  "v2.page.settings-mfa.default.additional-password-label": "追加のパスワード",
+  "v2.page.settings-mfa.default.dialog-revoke-device-description": "あなたのアカウントには{NumberOfDeviceTokens, plural, one{#つの信頼されたデバイス} other{#つの信頼されたデバイス}}が関連付けられています。すべての信頼されたデバイスを削除しますか?",
+  "v2.page.settings-mfa.default.dialog-revoke-device-title": "信頼されたデバイスを削除",
+  "v2.page.settings-mfa.default.inactive-label": "無効",
+  "v2.page.settings-mfa.default.secondary-oob-otp-email-label": "メール",
+  "v2.page.settings-mfa.default.secondary-oob-otp-sms-label": "WhatsApp/SMSメッセージ",
+  "v2.page.settings-mfa.default.secondary-totp-label": "認証アプリ/デバイス",
+  "v2.page.settings-mfa.default.title": "2要素認証",
+  "v2.page.settings-mfa.default.trusted-devices-has-device-tokens-message": "あなたは{NumberOfDeviceTokens, plural, one{# 信頼済みデバイス} other{# 信頼済みデバイス}}を持っています",
+  "v2.page.settings-mfa.default.trusted-devices-label": "信頼済みデバイス",
+  "v2.page.settings-mfa.default.trusted-devices-no-device-tokens-message": "2段階認証をスキップできる信頼済みデバイスはありません。",
+  "v2.page.settings-oob-otp-email.default.title": "メール",
+  "v2.page.settings-oob-otp-sms.default.title": "WhatsApp/SMSメッセージ",
+  "v2.page.settings-oob-otp.default.added-at-label": "追加日時 <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-oob-otp.default.button-oob-otp-email-label": "+ メールを追加",
+  "v2.page.settings-oob-otp.default.button-oob-otp-sms-label": "+ WhatsApp/SMS電話番号を追加",
+  "v2.page.settings-passkey.default.add-passkey-button-label": "+ Passkeyを追加",
+  "v2.page.settings-passkey.default.dialog-description": "本当にこのPasskeyを削除しますか?",
+  "v2.page.settings-passkey.default.dialog-title": "Passkeyを削除",
+  "v2.page.settings-passkey.default.item-description": "<span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>に追加されました",
+  "v2.page.settings-passkey.default.title": "Passkey",
   "v2.page.settings-profile-edit-address.default.country-label": "国",
   "v2.page.settings-profile-edit-address.default.locality-label": "市区町村",
-  "v2.page.settings-profile-edit-address.default.navbar-title": "住所",
   "v2.page.settings-profile-edit-address.default.postal-code-label": "郵便番号",
   "v2.page.settings-profile-edit-address.default.region-label": "地域",
   "v2.page.settings-profile-edit-address.default.street-label": "住所",
-  "v2.page.settings-profile-edit-birthdate.default.navbar-title": "生年月日",
+  "v2.page.settings-profile-edit-address.default.title": "住所",
+  "v2.page.settings-profile-edit-birthdate.default.title": "生年月日",
   "v2.page.settings-profile-edit-gender.default.gender-label-custom": "カスタム",
   "v2.page.settings-profile-edit-gender.default.gender-label-female": "女性",
   "v2.page.settings-profile-edit-gender.default.gender-label-male": "男性",
   "v2.page.settings-profile-edit-gender.default.gender-label-unspecified": "提供されていません",
   "v2.page.settings-profile-edit-gender.default.title": "性別",
-  "v2.page.settings-profile-edit-locale.default.navbar-title": "言語",
+  "v2.page.settings-profile-edit-locale.default.title": "言語",
   "v2.page.settings-profile-edit-name.default.family-name-input-label": "姓",
   "v2.page.settings-profile-edit-name.default.fullname-input-label": "フルネーム",
   "v2.page.settings-profile-edit-name.default.given-name-input-label": "名",
   "v2.page.settings-profile-edit-name.default.middle-name-input-label": "ミドルネーム",
-  "v2.page.settings-profile-edit-name.default.navbar-title": "名前",
   "v2.page.settings-profile-edit-name.default.nickname-input-label": "ニックネーム",
-  "v2.page.settings-profile-edit-zoneinfo.default.navbar-title": "タイムゾーン",
+  "v2.page.settings-profile-edit-name.default.title": "名前",
+  "v2.page.settings-profile-edit-zoneinfo.default.title": "タイムゾーン",
   "v2.page.settings-profile-no-permission.default.content": "権限がありません",
   "v2.page.settings-profile-no-permission.default.title": "予期しない問題",
   "v2.page.settings-profile.default.address-title": "住所",
@@ -1146,9 +1241,21 @@
   "v2.page.settings-profile.default.gender-title": "性別",
   "v2.page.settings-profile.default.language-title": "言語",
   "v2.page.settings-profile.default.name-title": "名前",
-  "v2.page.settings-profile.default.navbar-title": "プロフィール",
   "v2.page.settings-profile.default.profile-picture-title": "プロフィール画像",
+  "v2.page.settings-profile.default.title": "プロフィール",
   "v2.page.settings-profile.default.zoneinfo-title": "タイムゾーン",
+  "v2.page.settings-sessions.default.all-sessions-dialog-description": "これにより、他のすべてのデバイスからアカウントへのアクセスが削除されます",
+  "v2.page.settings-sessions.default.all-sessions-dialog-title": "他のすべてのセッションを終了する",
+  "v2.page.settings-sessions.default.country-ip-item-description": "{countryName} ({countryCode}) - {ip}",
+  "v2.page.settings-sessions.default.device-item-description": "{isCurrent, select, true {{desc} · <span class=\"settings-description--primary-color\">現在アクティブ</span>} other {{desc} · <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>}}",
+  "v2.page.settings-sessions.default.revoke-all-label": "他のすべてのセッションを終了する",
+  "v2.page.settings-sessions.default.session-dialog-description": "これにより、このデバイスからアカウントへのアクセスが削除されます",
+  "v2.page.settings-sessions.default.session-dialog-title": "セッションを終了する",
+  "v2.page.settings-sessions.default.title": "サインインしたデバイス",
+  "v2.page.settings-totp.default.added-at-label": "追加日時 <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-totp.default.button-add-authenticator-label": "+ 認証アプリ/デバイスを追加",
+  "v2.page.settings-totp.default.title": "認証アプリ/デバイス",
+  "v2.page.settings.default.button-label-account-deletion": "アカウントを削除",
   "v2.page.settings.default.button-label-advanced-settings": "高度な設定",
   "v2.page.settings.default.button-label-and-more": "{item} 他",
   "v2.page.settings.default.button-label-back-to-app": "アプリに戻る",
diff --git a/resources/authgear/templates/ko/translation.json b/resources/authgear/templates/ko/translation.json
index 3ebc5b5b8f..d1ee9f3d6a 100644
--- a/resources/authgear/templates/ko/translation.json
+++ b/resources/authgear/templates/ko/translation.json
@@ -879,13 +879,17 @@
   "v2.component.bot-protection-widget.default.noscript": "캡차 인증을 위해서는 JavaScript가 필요합니다. 계속하려면 브라우저에서 JavaScript를 활성화하세요.",
   "v2.component.button.default.copy": "복사",
   "v2.component.button.default.download": "다운로드",
+  "v2.component.button.default.label-cancel": "취소",
   "v2.component.button.default.label-continue": "계속",
   "v2.component.button.default.label-continue-with-passkey": "Passkey로 계속하기",
   "v2.component.button.default.label-continue-with-phone": "전화번호로 계속하기",
   "v2.component.button.default.label-continue-with-text-login-id": "{variant, select, email {이메일} username {사용자 이름} other {이메일 / 사용자 이름}}로 계속하기",
+  "v2.component.button.default.label-edit": "수정",
   "v2.component.button.default.label-login": "로그인",
+  "v2.component.button.default.label-remove": "제거",
   "v2.component.button.default.label-save": "저장",
   "v2.component.button.default.label-send": "보내기",
+  "v2.component.button.default.label-terminate": "종료",
   "v2.component.device-token-checkbox.default.label": "이 기기를 기억하고 다시 묻지 않기",
   "v2.component.divider.default.or-label": "또는",
   "v2.component.input.default.placeholder-email": "이메일 주소",
@@ -923,6 +927,7 @@
   "v2.component.oob-otp-resend-button.default.countdown-unit": "%s 후 코드 다시 보내기",
   "v2.component.oob-otp-resend-button.default.label": "코드 다시 보내기",
   "v2.component.password-input.default.hide-password": "비밀번호 숨기기",
+  "v2.component.password-input.default.placeholder-confirm-new-password": "새 비밀번호 재입력",
   "v2.component.password-input.default.placeholder-confirm-password": "비밀번호 다시 입력",
   "v2.component.password-input.default.placeholder-new-password": "새 비밀번호",
   "v2.component.password-input.default.placeholder-password": "현재 비밀번호",
@@ -932,7 +937,6 @@
   "v2.component.select-input.default.no-results-found": "결과가 없습니다",
   "v2.component.select-input.default.not-provided-label": "제공되지 않음",
   "v2.component.select-input.default.search-label": "검색",
-  "v2.component.select-input.default.unset-label": "설정 해제",
   "v2.component.toc-pp-footer.default.label": "가입하면 {variant, select, both{<a class=\"link-btn\" target=\"_blank\" href=\"{termsOfService}\">서비스 약관</a> 및 <a class=\"link-btn\" target=\"_blank\" href=\"{privacyPolicy}\">개인정보 보호정책</a>} termsOnly{<a class=\"link\" target=\"_blank\" href=\"{termsOfService}\">서비스 약관</a>} privacyOnly{<a class=\"link\" target=\"_blank\" href=\"{privacyPolicy}\">개인정보 보호정책</a>} other{}}에 동의하는 것으로 간주됩니다.",
   "v2.component.verify-bot-protection.default.description": "챌린지를 완료한 후 곧 리디렉션됩니다.",
   "v2.component.verify-bot-protection.default.title": "시스템 확인 중...",
@@ -1115,26 +1119,117 @@
   "v2.page.select-account.default.description": "당신은 {email_is_present,select,true{{email}} other{{phone_number_is_present,select,true{{phone_number}} other{{preferred_username}}}}}로 로그인했습니다. 계속하려면 진행하세요.",
   "v2.page.select-account.default.title": "{AppOrClientName}에 로그인",
   "v2.page.select-account.default.use-another-account": "다른 계정 사용",
+  "v2.page.settings-advanced-settings.default.title": "고급 설정",
+  "v2.page.settings-biometric.default.dialog-description": "바이오메트릭 로그인을 이 기기에서 해제하시겠습니까?",
+  "v2.page.settings-biometric.default.dialog-title": "바이오메트릭 로그인 해제",
+  "v2.page.settings-biometric.default.disconnect-button-label": "해제",
+  "v2.page.settings-biometric.default.item-description": "<span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>에 생성됨",
+  "v2.page.settings-biometric.default.no-biometric-description": "바이오메트릭이 활성화된 기기가 없습니다.",
+  "v2.page.settings-biometric.default.title": "바이오메트릭 로그인",
+  "v2.page.settings-biometric.default.unknown-name-item-label": "알 수 없는 기기",
+  "v2.page.settings-change-password.default.title": "비밀번호 변경",
+  "v2.page.settings-delete-account-success.default.button-label": "완료",
+  "v2.page.settings-delete-account-success.default.description": "귀하의 계정이 비활성화되었으며 데이터는 <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>에 삭제될 것입니다.",
+  "v2.page.settings-delete-account-success.default.title": "계정 삭제 예약됨",
+  "v2.page.settings-delete-account.default.button-label": "계정 삭제",
+  "v2.page.settings-delete-account.default.description": "계정을 삭제하면 모든 데이터가 영구적으로 삭제되며 복구할 수 없습니다. 계속하시면 귀하의 계정은 <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>에 삭제될 것입니다.",
+  "v2.page.settings-delete-account.default.input-placeholder": "<b>{input}</b>을(를) 입력하여 확인",
+  "v2.page.settings-delete-account.default.title": "계정 삭제",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-maximum": "{maximum} 이하의 숫자를 입력하세요",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum": "{minimum} 이상의 숫자를 입력하세요",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum-maximum": "{minimum}과 {maximum} 사이의 숫자를 입력하세요",
+  "v2.page.settings-identity-add-email.default.email-input-placeholder": "새 이메일 주소",
+  "v2.page.settings-identity-add-email.default.title": "새 이메일 추가",
+  "v2.page.settings-identity-add-phone.default.phone-input-placeholder": "전화번호",
+  "v2.page.settings-identity-add-phone.default.title": "새 전화번호 추가",
+  "v2.page.settings-identity-change-primary-email.default.title": "기본 이메일",
+  "v2.page.settings-identity-change-primary-phone.default.title": "주 전화번호",
+  "v2.page.settings-identity-edit-email.default.description": "현재 이메일은 {target}입니다",
+  "v2.page.settings-identity-edit-email.default.email-input-placeholder": "새 이메일 주소",
+  "v2.page.settings-identity-edit-email.default.title": "이메일 편집",
+  "v2.page.settings-identity-edit-phone.default.description": "현재 전화번호는 {target}입니다",
+  "v2.page.settings-identity-edit-phone.default.phone-input-placeholder": "전화번호",
+  "v2.page.settings-identity-edit-phone.default.title": "전화번호 편집",
+  "v2.page.settings-identity-edit-username.default.title": "사용자 이름 변경",
+  "v2.page.settings-identity-email.default.title": "이메일",
+  "v2.page.settings-identity-list-email.default.button-add-email-label": "+ 이메일 추가",
+  "v2.page.settings-identity-list-email.default.button-change-primary-email-label": "변경",
+  "v2.page.settings-identity-list-email.default.primary-email-label": "기본 이메일",
+  "v2.page.settings-identity-list-phone.default.button-add-phone-label": "+ 새 전화번호 추가",
+  "v2.page.settings-identity-list-phone.default.button-change-primary-phone-label": "변경",
+  "v2.page.settings-identity-list-phone.default.primary-phone-label": "주 전화번호",
+  "v2.page.settings-identity-list-username.default.button-add-username-label": "+ 사용자 이름 추가",
+  "v2.page.settings-identity-list-username.default.title": "사용자 이름",
+  "v2.page.settings-identity-new-username.default.title": "사용자 이름 추가",
+  "v2.page.settings-identity-phone.default.title": "전화번호",
+  "v2.page.settings-identity-verify-email.default.title": "인증",
+  "v2.page.settings-identity-verify-phone.default.title": "인증",
+  "v2.page.settings-identity-view-email.default.button-edit-email-label": "편집",
+  "v2.page.settings-identity-view-email.default.button-remove-email-label": "이 이메일 제거",
+  "v2.page.settings-identity-view-email.default.button-verify-email-label": "인증",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-description": "계정에서 이메일 주소 {target}을(를) 제거하시겠습니까?",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-title": "이메일 주소 제거",
+  "v2.page.settings-identity-view-phone.default.button-edit-phone-label": "편집",
+  "v2.page.settings-identity-view-phone.default.button-remove-phone-label": "이 전화번호 제거",
+  "v2.page.settings-identity-view-phone.default.button-verify-phone-label": "확인",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-description": "계정에서 전화번호 {target}를 제거하시겠습니까?",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-title": "전화번호 제거",
+  "v2.page.settings-identity-view-username.default.button-remove-label": "사용자 이름 제거",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-description": "계정에서 사용자 이름 <span class=\"settings-dialog__description-text--highlight\">{Username}</span>을(를) 제거하시겠습니까?",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-title": "사용자 이름 제거",
+  "v2.page.settings-identity-view-username.default.title": "사용자 이름",
+  "v2.page.settings-identity.default.verification-status-unverified-label": "인증되지 않음",
+  "v2.page.settings-identity.default.verification-status-verified-label": "인증됨",
+  "v2.page.settings-mfa-create-password.default.title": "추가 비밀번호",
+  "v2.page.settings-mfa-password.default.additional-password-added-at": "<span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>에 추가됨",
+  "v2.page.settings-mfa-password.default.additional-password-label": "추가 비밀번호",
+  "v2.page.settings-mfa-password.default.additional-password-updated-at": "<span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>에 업데이트됨",
+  "v2.page.settings-mfa-password.default.dialog-delete-description": "추가 비밀번호를 제거하시겠습니까?",
+  "v2.page.settings-mfa-password.default.dialog-delete-title": "추가 비밀번호 제거",
+  "v2.page.settings-mfa-password.default.remove-button-label": "추가 비밀번호 제거",
+  "v2.page.settings-mfa-password.default.title": "추가 비밀번호",
+  "v2.page.settings-mfa.default.activated-label": "활성화됨",
+  "v2.page.settings-mfa.default.additional-password-label": "추가 비밀번호",
+  "v2.page.settings-mfa.default.dialog-revoke-device-description": "귀하의 계정에 {NumberOfDeviceTokens, plural, one{# 신뢰할 수 있는 기기} other{# 신뢰할 수 있는 기기들}}이 연결되어 있습니다. 모든 신뢰할 수 있는 기기를 제거하시겠습니까?",
+  "v2.page.settings-mfa.default.dialog-revoke-device-title": "신뢰할 수 있는 기기 제거",
+  "v2.page.settings-mfa.default.inactive-label": "비활성화",
+  "v2.page.settings-mfa.default.secondary-oob-otp-email-label": "이메일",
+  "v2.page.settings-mfa.default.secondary-oob-otp-sms-label": "WhatsApp/SMS 메시지",
+  "v2.page.settings-mfa.default.secondary-totp-label": "인증 앱/기기",
+  "v2.page.settings-mfa.default.title": "2단계 인증",
+  "v2.page.settings-mfa.default.trusted-devices-has-device-tokens-message": "신뢰할 수 있는 기기가 {NumberOfDeviceTokens, plural, one{# 개} other{# 개}} 있습니다.",
+  "v2.page.settings-mfa.default.trusted-devices-label": "신뢰할 수 있는 기기",
+  "v2.page.settings-mfa.default.trusted-devices-no-device-tokens-message": "2단계 인증을 건너뛸 수 있는 신뢰할 수 있는 기기가 없습니다.",
+  "v2.page.settings-oob-otp-email.default.title": "이메일",
+  "v2.page.settings-oob-otp-sms.default.title": "WhatsApp/SMS 메시지",
+  "v2.page.settings-oob-otp.default.added-at-label": "<span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>에 추가됨",
+  "v2.page.settings-oob-otp.default.button-oob-otp-email-label": "+ 이메일 추가",
+  "v2.page.settings-oob-otp.default.button-oob-otp-sms-label": "+ WhatsApp/SMS 전화번호 추가",
+  "v2.page.settings-passkey.default.add-passkey-button-label": "+ Passkey 추가",
+  "v2.page.settings-passkey.default.dialog-description": "이 Passkey를 제거하시겠습니까?",
+  "v2.page.settings-passkey.default.dialog-title": "Passkey 제거",
+  "v2.page.settings-passkey.default.item-description": "<span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>에 추가됨",
+  "v2.page.settings-passkey.default.title": "Passkey",
   "v2.page.settings-profile-edit-address.default.country-label": "국가",
   "v2.page.settings-profile-edit-address.default.locality-label": "도시",
-  "v2.page.settings-profile-edit-address.default.navbar-title": "주소",
   "v2.page.settings-profile-edit-address.default.postal-code-label": "우편번호",
   "v2.page.settings-profile-edit-address.default.region-label": "지역",
   "v2.page.settings-profile-edit-address.default.street-label": "거리 주소",
-  "v2.page.settings-profile-edit-birthdate.default.navbar-title": "생년월일",
+  "v2.page.settings-profile-edit-address.default.title": "주소",
+  "v2.page.settings-profile-edit-birthdate.default.title": "생년월일",
   "v2.page.settings-profile-edit-gender.default.gender-label-custom": "사용자 정의",
   "v2.page.settings-profile-edit-gender.default.gender-label-female": "여성",
   "v2.page.settings-profile-edit-gender.default.gender-label-male": "남성",
   "v2.page.settings-profile-edit-gender.default.gender-label-unspecified": "제공되지 않음",
   "v2.page.settings-profile-edit-gender.default.title": "성별",
-  "v2.page.settings-profile-edit-locale.default.navbar-title": "언어",
+  "v2.page.settings-profile-edit-locale.default.title": "언어",
   "v2.page.settings-profile-edit-name.default.family-name-input-label": "성",
   "v2.page.settings-profile-edit-name.default.fullname-input-label": "전체 이름",
   "v2.page.settings-profile-edit-name.default.given-name-input-label": "이름",
   "v2.page.settings-profile-edit-name.default.middle-name-input-label": "중간 이름",
-  "v2.page.settings-profile-edit-name.default.navbar-title": "이름",
   "v2.page.settings-profile-edit-name.default.nickname-input-label": "닉네임",
-  "v2.page.settings-profile-edit-zoneinfo.default.navbar-title": "시간대",
+  "v2.page.settings-profile-edit-name.default.title": "이름",
+  "v2.page.settings-profile-edit-zoneinfo.default.title": "시간대",
   "v2.page.settings-profile-no-permission.default.content": "권한 없음",
   "v2.page.settings-profile-no-permission.default.title": "예기치 않은 문제",
   "v2.page.settings-profile.default.address-title": "주소",
@@ -1146,9 +1241,21 @@
   "v2.page.settings-profile.default.gender-title": "성별",
   "v2.page.settings-profile.default.language-title": "언어",
   "v2.page.settings-profile.default.name-title": "이름",
-  "v2.page.settings-profile.default.navbar-title": "프로필",
   "v2.page.settings-profile.default.profile-picture-title": "프로필 사진",
+  "v2.page.settings-profile.default.title": "프로필",
   "v2.page.settings-profile.default.zoneinfo-title": "시간대",
+  "v2.page.settings-sessions.default.all-sessions-dialog-description": "이렇게 하면 다른 모든 기기에서 계정에 대한 액세스 권한이 제거됩니다",
+  "v2.page.settings-sessions.default.all-sessions-dialog-title": "다른 모든 세션 종료",
+  "v2.page.settings-sessions.default.country-ip-item-description": "{countryName} ({countryCode}) - {ip}",
+  "v2.page.settings-sessions.default.device-item-description": "{isCurrent, select, true {{desc} · <span class=\"settings-description--primary-color\">현재 활성화됨</span>} other {{desc} · <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>}}",
+  "v2.page.settings-sessions.default.revoke-all-label": "다른 모든 세션 종료",
+  "v2.page.settings-sessions.default.session-dialog-description": "이렇게 하면 이 기기에서 계정에 대한 액세스 권한이 제거됩니다",
+  "v2.page.settings-sessions.default.session-dialog-title": "세션 종료",
+  "v2.page.settings-sessions.default.title": "로그인한 기기",
+  "v2.page.settings-totp.default.added-at-label": "<span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>에 추가됨",
+  "v2.page.settings-totp.default.button-add-authenticator-label": "+ 인증 앱/기기 추가",
+  "v2.page.settings-totp.default.title": "인증 앱/기기",
+  "v2.page.settings.default.button-label-account-deletion": "계정 삭제",
   "v2.page.settings.default.button-label-advanced-settings": "고급 설정",
   "v2.page.settings.default.button-label-and-more": "{item} 및 기타",
   "v2.page.settings.default.button-label-back-to-app": "앱으로 돌아가기",
diff --git a/resources/authgear/templates/ms/translation.json b/resources/authgear/templates/ms/translation.json
index a0d83d8a8a..8c32d0adce 100644
--- a/resources/authgear/templates/ms/translation.json
+++ b/resources/authgear/templates/ms/translation.json
@@ -879,13 +879,17 @@
   "v2.component.bot-protection-widget.default.noscript": "JavaScript diperlukan untuk pengesahan captcha. Sila membolehkan JavaScript dalam pelayar anda untuk meneruskan.",
   "v2.component.button.default.copy": "Salin",
   "v2.component.button.default.download": "Muat turun",
+  "v2.component.button.default.label-cancel": "Batal",
   "v2.component.button.default.label-continue": "Teruskan",
   "v2.component.button.default.label-continue-with-passkey": "Teruskan dengan Passkey",
   "v2.component.button.default.label-continue-with-phone": "Teruskan dengan Nombor Telefon",
   "v2.component.button.default.label-continue-with-text-login-id": "Teruskan dengan {variant, select, email {Email} username {Nama Pengguna} other {Email / Nama Pengguna}}",
+  "v2.component.button.default.label-edit": "Sunting",
   "v2.component.button.default.label-login": "Log masuk",
+  "v2.component.button.default.label-remove": "Buang",
   "v2.component.button.default.label-save": "Simpan",
   "v2.component.button.default.label-send": "Hantar",
+  "v2.component.button.default.label-terminate": "Menamatkan",
   "v2.component.device-token-checkbox.default.label": "Ingat peranti ini, dan jangan tanya lagi",
   "v2.component.divider.default.or-label": "atau",
   "v2.component.input.default.placeholder-email": "Alamat email",
@@ -923,6 +927,7 @@
   "v2.component.oob-otp-resend-button.default.countdown-unit": "Hantar semula kod dalam %s",
   "v2.component.oob-otp-resend-button.default.label": "Hantar semula kod",
   "v2.component.password-input.default.hide-password": "Sembunyikan kata laluan",
+  "v2.component.password-input.default.placeholder-confirm-new-password": "Masukkan semula kata laluan baharu",
   "v2.component.password-input.default.placeholder-confirm-password": "Masukkan Semula Kata Laluan",
   "v2.component.password-input.default.placeholder-new-password": "Kata Laluan Baru",
   "v2.component.password-input.default.placeholder-password": "Kata Laluan Semasa",
@@ -932,7 +937,6 @@
   "v2.component.select-input.default.no-results-found": "Tiada hasil ditemui",
   "v2.component.select-input.default.not-provided-label": "Tidak disediakan",
   "v2.component.select-input.default.search-label": "Carian",
-  "v2.component.select-input.default.unset-label": "Nyahtetap",
   "v2.component.toc-pp-footer.default.label": "Dengan mendaftar, anda bersetuju dengan {variant, select, both{<a class=\"link-btn\" target=\"_blank\" href=\"{termsOfService}\">Terma Perkhidmatan</a> dan <a class=\"link-btn\" target=\"_blank\" href=\"{privacyPolicy}\">Dasar Privasi</a>} termsOnly{<a class=\"link\" target=\"_blank\" href=\"{termsOfService}\">Terma Perkhidmatan</a>} privacyOnly{<a class=\"link\" target=\"_blank\" href=\"{privacyPolicy}\">Dasar Privasi</a>} other{}}",
   "v2.component.verify-bot-protection.default.description": "Anda akan dialihkan tidak lama selepas anda melengkapkan cabaran",
   "v2.component.verify-bot-protection.default.title": "Menyemak sistem anda...",
@@ -1115,26 +1119,117 @@
   "v2.page.select-account.default.description": "Anda telah log masuk dengan {IdentityDisplayName}. Teruskan untuk meneruskan.",
   "v2.page.select-account.default.title": "Log masuk ke {AppOrClientName}",
   "v2.page.select-account.default.use-another-account": "Gunakan akaun lain",
+  "v2.page.settings-advanced-settings.default.title": "Tetapan Lanjutan",
+  "v2.page.settings-biometric.default.dialog-description": "Adakah anda pasti ingin memutuskan sambungan log masuk biometrik untuk peranti ini?",
+  "v2.page.settings-biometric.default.dialog-title": "Putuskan Sambungan Log Masuk Biometrik",
+  "v2.page.settings-biometric.default.disconnect-button-label": "Putuskan Sambungan",
+  "v2.page.settings-biometric.default.item-description": "Dicipta pada <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-biometric.default.no-biometric-description": "Anda tidak mempunyai sebarang peranti dengan biometrik yang didayakan.",
+  "v2.page.settings-biometric.default.title": "Log Masuk Biometrik",
+  "v2.page.settings-biometric.default.unknown-name-item-label": "Peranti Tidak Dikenali",
+  "v2.page.settings-change-password.default.title": "Tukar Kata Laluan",
+  "v2.page.settings-delete-account-success.default.button-label": "Selesai",
+  "v2.page.settings-delete-account-success.default.description": "Akaun anda telah dinyahaktifkan dan data akan dipadamkan pada <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account-success.default.title": "Penghapusan akaun dijadualkan",
+  "v2.page.settings-delete-account.default.button-label": "Padam Akaun",
+  "v2.page.settings-delete-account.default.description": "Dengan memadamkan akaun, semua data akan dipadamkan secara kekal dan kami tidak akan dapat mendapatkannya semula. Jika anda meneruskan, akaun anda akan dipadamkan pada <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account.default.input-placeholder": "Taip <b>{input}</b> untuk mengesahkan",
+  "v2.page.settings-delete-account.default.title": "Padam Akaun",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-maximum": "Sila masukkan nombor yang kurang atau sama dengan {maximum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum": "Sila masukkan nombor yang lebih besar atau sama dengan {minimum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum-maximum": "Sila masukkan nombor antara {minimum} dan {maximum}",
+  "v2.page.settings-identity-add-email.default.email-input-placeholder": "Alamat E-mel Baharu",
+  "v2.page.settings-identity-add-email.default.title": "Tambah E-mel Baharu",
+  "v2.page.settings-identity-add-phone.default.phone-input-placeholder": "Nombor Telefon",
+  "v2.page.settings-identity-add-phone.default.title": "Tambah Telefon Baru",
+  "v2.page.settings-identity-change-primary-email.default.title": "E-mel Utama",
+  "v2.page.settings-identity-change-primary-phone.default.title": "Telefon Utama",
+  "v2.page.settings-identity-edit-email.default.description": "Email semasa anda adalah {target}",
+  "v2.page.settings-identity-edit-email.default.email-input-placeholder": "Alamat Email Baharu",
+  "v2.page.settings-identity-edit-email.default.title": "Sunting Email",
+  "v2.page.settings-identity-edit-phone.default.description": "Nombor telefon anda sekarang ialah {target}",
+  "v2.page.settings-identity-edit-phone.default.phone-input-placeholder": "Nombor Telefon",
+  "v2.page.settings-identity-edit-phone.default.title": "Edit Telefon",
+  "v2.page.settings-identity-edit-username.default.title": "Tukar Nama Pengguna",
+  "v2.page.settings-identity-email.default.title": "Emel",
+  "v2.page.settings-identity-list-email.default.button-add-email-label": "+ Tambah emel",
+  "v2.page.settings-identity-list-email.default.button-change-primary-email-label": "Tukar",
+  "v2.page.settings-identity-list-email.default.primary-email-label": "e-mel utama",
+  "v2.page.settings-identity-list-phone.default.button-add-phone-label": "+ Tambah nombor telefon baru",
+  "v2.page.settings-identity-list-phone.default.button-change-primary-phone-label": "Tukar",
+  "v2.page.settings-identity-list-phone.default.primary-phone-label": "telefon utama",
+  "v2.page.settings-identity-list-username.default.button-add-username-label": "+ Tambah nama pengguna",
+  "v2.page.settings-identity-list-username.default.title": "Nama pengguna",
+  "v2.page.settings-identity-new-username.default.title": "Tambah Nama Pengguna",
+  "v2.page.settings-identity-phone.default.title": "Telefon",
+  "v2.page.settings-identity-verify-email.default.title": "Pengesahan",
+  "v2.page.settings-identity-verify-phone.default.title": "Pengesahan",
+  "v2.page.settings-identity-view-email.default.button-edit-email-label": "Edit",
+  "v2.page.settings-identity-view-email.default.button-remove-email-label": "Buang emel ini",
+  "v2.page.settings-identity-view-email.default.button-verify-email-label": "Sahkan",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-description": "Adakah anda pasti untuk membuang alamat emel {target} daripada akaun anda?",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-title": "Buang Alamat Emel",
+  "v2.page.settings-identity-view-phone.default.button-edit-phone-label": "Edit",
+  "v2.page.settings-identity-view-phone.default.button-remove-phone-label": "Buang telefon ini",
+  "v2.page.settings-identity-view-phone.default.button-verify-phone-label": "Sahkan",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-description": "Adakah anda pasti untuk membuang nombor telefon {target} dari akaun anda?",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-title": "Buang Nombor Telefon",
+  "v2.page.settings-identity-view-username.default.button-remove-label": "Buang nama pengguna",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-description": "Adakah anda pasti untuk membuang nama pengguna <span class=\"settings-dialog__description-text--highlight\">{Username}</span> daripada akaun anda?",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-title": "Buang Nama Pengguna",
+  "v2.page.settings-identity-view-username.default.title": "Nama Pengguna",
+  "v2.page.settings-identity.default.verification-status-unverified-label": "Tidak Disahkan",
+  "v2.page.settings-identity.default.verification-status-verified-label": "Disahkan",
+  "v2.page.settings-mfa-create-password.default.title": "Kata laluan tambahan",
+  "v2.page.settings-mfa-password.default.additional-password-added-at": "Ditambah pada <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.additional-password-label": "Kata laluan tambahan",
+  "v2.page.settings-mfa-password.default.additional-password-updated-at": "Dikemaskini pada <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.dialog-delete-description": "Adakah anda pasti ingin mengalih keluar kata laluan tambahan?",
+  "v2.page.settings-mfa-password.default.dialog-delete-title": "Alih keluar kata laluan tambahan",
+  "v2.page.settings-mfa-password.default.remove-button-label": "Buang kata laluan tambahan",
+  "v2.page.settings-mfa-password.default.title": "Kata laluan tambahan",
+  "v2.page.settings-mfa.default.activated-label": "Diaktifkan",
+  "v2.page.settings-mfa.default.additional-password-label": "Kata laluan tambahan",
+  "v2.page.settings-mfa.default.dialog-revoke-device-description": "Anda mempunyai {NumberOfDeviceTokens, plural, one{# peranti dipercayai} other{# peranti dipercayai}} peranti dipercayai yang dikaitkan dengan akaun anda. Adakah anda ingin mengalih keluar semua peranti dipercayai?",
+  "v2.page.settings-mfa.default.dialog-revoke-device-title": "Alih keluar peranti dipercayai",
+  "v2.page.settings-mfa.default.inactive-label": "Tidak aktif",
+  "v2.page.settings-mfa.default.secondary-oob-otp-email-label": "E-mel",
+  "v2.page.settings-mfa.default.secondary-oob-otp-sms-label": "Mesej Whatsapp/SMS",
+  "v2.page.settings-mfa.default.secondary-totp-label": "Aplikasi/peranti pengesah",
+  "v2.page.settings-mfa.default.title": "Pengesahan 2-Faktor",
+  "v2.page.settings-mfa.default.trusted-devices-has-device-tokens-message": "Anda mempunyai {NumberOfDeviceTokens, plural, one{# peranti yang dipercayai} other{# peranti yang dipercayai}}",
+  "v2.page.settings-mfa.default.trusted-devices-label": "Peranti yang dipercayai",
+  "v2.page.settings-mfa.default.trusted-devices-no-device-tokens-message": "Anda tidak mempunyai sebarang peranti yang dipercayai yang boleh melangkau pengesahan 2-langkah.",
+  "v2.page.settings-oob-otp-email.default.title": "E-mel",
+  "v2.page.settings-oob-otp-sms.default.title": "Mesej WhatsApp/SMS",
+  "v2.page.settings-oob-otp.default.added-at-label": "Ditambah pada <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-oob-otp.default.button-oob-otp-email-label": "+ Tambah e-mel",
+  "v2.page.settings-oob-otp.default.button-oob-otp-sms-label": "+ Tambah nombor telefon WhatsApp/SMS",
+  "v2.page.settings-passkey.default.add-passkey-button-label": "+ Tambah Passkey",
+  "v2.page.settings-passkey.default.dialog-description": "Adakah anda pasti ingin mengalih keluar passkey ini?",
+  "v2.page.settings-passkey.default.dialog-title": "Alih Keluar Passkey",
+  "v2.page.settings-passkey.default.item-description": "Ditambah pada <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-passkey.default.title": "Passkey",
   "v2.page.settings-profile-edit-address.default.country-label": "Negara",
   "v2.page.settings-profile-edit-address.default.locality-label": "Bandar",
-  "v2.page.settings-profile-edit-address.default.navbar-title": "Alamat",
   "v2.page.settings-profile-edit-address.default.postal-code-label": "Kod pos",
   "v2.page.settings-profile-edit-address.default.region-label": "Wilayah",
   "v2.page.settings-profile-edit-address.default.street-label": "Alamat jalan",
-  "v2.page.settings-profile-edit-birthdate.default.navbar-title": "Tarikh lahir",
+  "v2.page.settings-profile-edit-address.default.title": "Alamat",
+  "v2.page.settings-profile-edit-birthdate.default.title": "Tarikh lahir",
   "v2.page.settings-profile-edit-gender.default.gender-label-custom": "Tersuai",
   "v2.page.settings-profile-edit-gender.default.gender-label-female": "Perempuan",
   "v2.page.settings-profile-edit-gender.default.gender-label-male": "Lelaki",
   "v2.page.settings-profile-edit-gender.default.gender-label-unspecified": "Tidak diberikan",
   "v2.page.settings-profile-edit-gender.default.title": "Jantina",
-  "v2.page.settings-profile-edit-locale.default.navbar-title": "Bahasa",
+  "v2.page.settings-profile-edit-locale.default.title": "Bahasa",
   "v2.page.settings-profile-edit-name.default.family-name-input-label": "Nama keluarga",
   "v2.page.settings-profile-edit-name.default.fullname-input-label": "Nama penuh",
   "v2.page.settings-profile-edit-name.default.given-name-input-label": "Nama pertama",
   "v2.page.settings-profile-edit-name.default.middle-name-input-label": "Nama tengah",
-  "v2.page.settings-profile-edit-name.default.navbar-title": "Nama",
   "v2.page.settings-profile-edit-name.default.nickname-input-label": "Nama samaran",
-  "v2.page.settings-profile-edit-zoneinfo.default.navbar-title": "Zon masa",
+  "v2.page.settings-profile-edit-name.default.title": "Nama",
+  "v2.page.settings-profile-edit-zoneinfo.default.title": "Zon masa",
   "v2.page.settings-profile-no-permission.default.content": "Tidak dibenarkan",
   "v2.page.settings-profile-no-permission.default.title": "Isu Tidak Dijangka",
   "v2.page.settings-profile.default.address-title": "Alamat",
@@ -1146,9 +1241,21 @@
   "v2.page.settings-profile.default.gender-title": "Jantina",
   "v2.page.settings-profile.default.language-title": "Bahasa",
   "v2.page.settings-profile.default.name-title": "Nama",
-  "v2.page.settings-profile.default.navbar-title": "Profil",
   "v2.page.settings-profile.default.profile-picture-title": "Gambar Profil",
+  "v2.page.settings-profile.default.title": "Profil",
   "v2.page.settings-profile.default.zoneinfo-title": "Zon Masa",
+  "v2.page.settings-sessions.default.all-sessions-dialog-description": "Ini akan mengalih keluar akses kepada akaun anda daripada semua peranti lain",
+  "v2.page.settings-sessions.default.all-sessions-dialog-title": "Menamatkan semua sesi lain",
+  "v2.page.settings-sessions.default.country-ip-item-description": "{countryName} ({countryCode}) - {ip}",
+  "v2.page.settings-sessions.default.device-item-description": "{isCurrent, select, true {{desc} · <span class=\"settings-description--primary-color\">Aktif Sekarang</span>} other {{desc} · <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>}}",
+  "v2.page.settings-sessions.default.revoke-all-label": "Menamatkan semua sesi lain",
+  "v2.page.settings-sessions.default.session-dialog-description": "Ini akan mengalih keluar akses kepada akaun anda pada peranti ini",
+  "v2.page.settings-sessions.default.session-dialog-title": "Menamatkan sesi",
+  "v2.page.settings-sessions.default.title": "Peranti Dilog Masuk",
+  "v2.page.settings-totp.default.added-at-label": "Ditambah pada <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-totp.default.button-add-authenticator-label": "+ Tambah aplikasi/peranti pengesah",
+  "v2.page.settings-totp.default.title": "Aplikasi/peranti pengesah",
+  "v2.page.settings.default.button-label-account-deletion": "Padam Akaun",
   "v2.page.settings.default.button-label-advanced-settings": "Tetapan Lanjutan",
   "v2.page.settings.default.button-label-and-more": "{item} dan lagi",
   "v2.page.settings.default.button-label-back-to-app": "Kembali ke aplikasi saya",
diff --git a/resources/authgear/templates/nl/translation.json b/resources/authgear/templates/nl/translation.json
index 27e022cf79..5f45e8cfbf 100644
--- a/resources/authgear/templates/nl/translation.json
+++ b/resources/authgear/templates/nl/translation.json
@@ -879,13 +879,17 @@
   "v2.component.bot-protection-widget.default.noscript": "JavaScript is vereist voor captcha-verificatie. Schakel JavaScript in uw browser in om door te gaan.",
   "v2.component.button.default.copy": "Kopiëren",
   "v2.component.button.default.download": "Downloaden",
+  "v2.component.button.default.label-cancel": "Annuleren",
   "v2.component.button.default.label-continue": "Doorgaan",
   "v2.component.button.default.label-continue-with-passkey": "Ga verder met Passkey",
   "v2.component.button.default.label-continue-with-phone": "Doorgaan met telefoonnummer",
   "v2.component.button.default.label-continue-with-text-login-id": "Ga verder met {variant, select, email {E-mail} username {Gebruikersnaam} other {E-mail / Gebruikersnaam}}",
+  "v2.component.button.default.label-edit": "Bewerken",
   "v2.component.button.default.label-login": "Inloggen",
+  "v2.component.button.default.label-remove": "Verwijderen",
   "v2.component.button.default.label-save": "Opslaan",
   "v2.component.button.default.label-send": "Verzenden",
+  "v2.component.button.default.label-terminate": "Beëindigen",
   "v2.component.device-token-checkbox.default.label": "Onthoud dit apparaat, en vraag niet opnieuw",
   "v2.component.divider.default.or-label": "of",
   "v2.component.input.default.placeholder-email": "E-mailadres",
@@ -923,6 +927,7 @@
   "v2.component.oob-otp-resend-button.default.countdown-unit": "Code opnieuw verzenden in %s",
   "v2.component.oob-otp-resend-button.default.label": "Code opnieuw verzenden",
   "v2.component.password-input.default.hide-password": "Wachtwoord verbergen",
+  "v2.component.password-input.default.placeholder-confirm-new-password": "Voer nieuwe wachtwoord opnieuw in",
   "v2.component.password-input.default.placeholder-confirm-password": "Voer wachtwoord opnieuw in",
   "v2.component.password-input.default.placeholder-new-password": "Nieuw wachtwoord",
   "v2.component.password-input.default.placeholder-password": "Huidig wachtwoord",
@@ -932,7 +937,6 @@
   "v2.component.select-input.default.no-results-found": "Geen resultaten gevonden",
   "v2.component.select-input.default.not-provided-label": "Niet opgegeven",
   "v2.component.select-input.default.search-label": "Zoeken",
-  "v2.component.select-input.default.unset-label": "Niet ingesteld",
   "v2.component.toc-pp-footer.default.label": "Door je te registreren, ga je akkoord met de {variant, select, both{<a class=\"link-btn\" target=\"_blank\" href=\"{termsOfService}\">Servicevoorwaarden</a> en <a class=\"link-btn\" target=\"_blank\" href=\"{privacyPolicy}\">Privacybeleid</a>} termsOnly{<a class=\"link\" target=\"_blank\" href=\"{termsOfService}\">Servicevoorwaarden</a>} privacyOnly{<a class=\"link\" target=\"_blank\" href=\"{privacyPolicy}\">Privacybeleid</a>} other{}}",
   "v2.component.verify-bot-protection.default.description": "U wordt binnenkort doorgestuurd nadat u de uitdaging heeft voltooid",
   "v2.component.verify-bot-protection.default.title": "Uw systeem controleren...",
@@ -1115,26 +1119,117 @@
   "v2.page.select-account.default.description": "U bent ingelogd met {email_is_present,select,true{{email}} other{{phone_number_is_present,select,true{{phone_number}} other{{preferred_username}}}}}. Ga verder om door te gaan.",
   "v2.page.select-account.default.title": "Log in op {AppOrClientName}",
   "v2.page.select-account.default.use-another-account": "Gebruik een ander account",
+  "v2.page.settings-advanced-settings.default.title": "Geavanceerde instellingen",
+  "v2.page.settings-biometric.default.dialog-description": "Weet je zeker dat je de biometrische aanmelding voor dit apparaat wilt loskoppelen?",
+  "v2.page.settings-biometric.default.dialog-title": "Biometrische Aanmelding Loskoppelen",
+  "v2.page.settings-biometric.default.disconnect-button-label": "Loskoppelen",
+  "v2.page.settings-biometric.default.item-description": "Aangemaakt op <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-biometric.default.no-biometric-description": "Je hebt geen apparaten met ingeschakelde biometrie.",
+  "v2.page.settings-biometric.default.title": "Biometrische Aanmelding",
+  "v2.page.settings-biometric.default.unknown-name-item-label": "Onbekend Apparaat",
+  "v2.page.settings-change-password.default.title": "Wachtwoord wijzigen",
+  "v2.page.settings-delete-account-success.default.button-label": "Klaar",
+  "v2.page.settings-delete-account-success.default.description": "Uw account is gedeactiveerd en de gegevens worden verwijderd op <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account-success.default.title": "Account verwijdering gepland",
+  "v2.page.settings-delete-account.default.button-label": "Account verwijderen",
+  "v2.page.settings-delete-account.default.description": "Door het account te verwijderen, worden alle gegevens permanent verwijderd en kunnen we ze niet meer terughalen. Als u doorgaat, wordt uw account verwijderd op <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account.default.input-placeholder": "Typ <b>{input}</b> om te bevestigen",
+  "v2.page.settings-delete-account.default.title": "Account verwijderen",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-maximum": "Voer een getal in dat kleiner dan of gelijk is aan {maximum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum": "Voer een getal in dat groter dan of gelijk is aan {minimum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum-maximum": "Voer een getal in tussen {minimum} en {maximum}",
+  "v2.page.settings-identity-add-email.default.email-input-placeholder": "Nieuw e-mailadres",
+  "v2.page.settings-identity-add-email.default.title": "Voeg nieuwe e-mail toe",
+  "v2.page.settings-identity-add-phone.default.phone-input-placeholder": "Telefoonnummer",
+  "v2.page.settings-identity-add-phone.default.title": "Nieuw telefoonnummer toevoegen",
+  "v2.page.settings-identity-change-primary-email.default.title": "Primair e-mailadres",
+  "v2.page.settings-identity-change-primary-phone.default.title": "Primair telefoonnummer",
+  "v2.page.settings-identity-edit-email.default.description": "Uw huidige e-mailadres is {target}",
+  "v2.page.settings-identity-edit-email.default.email-input-placeholder": "Nieuw e-mailadres",
+  "v2.page.settings-identity-edit-email.default.title": "E-mailadres bewerken",
+  "v2.page.settings-identity-edit-phone.default.description": "Uw huidige telefoonnummer is {target}",
+  "v2.page.settings-identity-edit-phone.default.phone-input-placeholder": "Telefoonnummer",
+  "v2.page.settings-identity-edit-phone.default.title": "Telefoonnummer bewerken",
+  "v2.page.settings-identity-edit-username.default.title": "Gebruikersnaam wijzigen",
+  "v2.page.settings-identity-email.default.title": "E-mail",
+  "v2.page.settings-identity-list-email.default.button-add-email-label": "+ E-mail toevoegen",
+  "v2.page.settings-identity-list-email.default.button-change-primary-email-label": "Wijzigen",
+  "v2.page.settings-identity-list-email.default.primary-email-label": "Primair e-mailadres",
+  "v2.page.settings-identity-list-phone.default.button-add-phone-label": "+ Voeg nieuw telefoonnummer toe",
+  "v2.page.settings-identity-list-phone.default.button-change-primary-phone-label": "Wijzigen",
+  "v2.page.settings-identity-list-phone.default.primary-phone-label": "Primair telefoonnummer",
+  "v2.page.settings-identity-list-username.default.button-add-username-label": "+ Gebruikersnaam toevoegen",
+  "v2.page.settings-identity-list-username.default.title": "Gebruikersnaam",
+  "v2.page.settings-identity-new-username.default.title": "Gebruikersnaam toevoegen",
+  "v2.page.settings-identity-phone.default.title": "Telefoon",
+  "v2.page.settings-identity-verify-email.default.title": "Verificatie",
+  "v2.page.settings-identity-verify-phone.default.title": "Verificatie",
+  "v2.page.settings-identity-view-email.default.button-edit-email-label": "Bewerken",
+  "v2.page.settings-identity-view-email.default.button-remove-email-label": "Verwijder deze e-mail",
+  "v2.page.settings-identity-view-email.default.button-verify-email-label": "Verifiëren",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-description": "Weet je zeker dat je het e-mailadres {target} van je account wilt verwijderen?",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-title": "E-mailadres verwijderen",
+  "v2.page.settings-identity-view-phone.default.button-edit-phone-label": "Bewerken",
+  "v2.page.settings-identity-view-phone.default.button-remove-phone-label": "Verwijder dit telefoonnummer",
+  "v2.page.settings-identity-view-phone.default.button-verify-phone-label": "Verifiëren",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-description": "Weet je zeker dat je het telefoonnummer {target} van je account wilt verwijderen?",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-title": "Verwijder telefoonnummer",
+  "v2.page.settings-identity-view-username.default.button-remove-label": "Gebruikersnaam verwijderen",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-description": "Weet je zeker dat je de gebruikersnaam <span class=\"settings-dialog__description-text--highlight\">{Username}</span> van je account wilt verwijderen?",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-title": "Gebruikersnaam verwijderen",
+  "v2.page.settings-identity-view-username.default.title": "Gebruikersnaam",
+  "v2.page.settings-identity.default.verification-status-unverified-label": "Niet geverifieerd",
+  "v2.page.settings-identity.default.verification-status-verified-label": "Geverifieerd",
+  "v2.page.settings-mfa-create-password.default.title": "Aanvullend wachtwoord",
+  "v2.page.settings-mfa-password.default.additional-password-added-at": "Toegevoegd op <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.additional-password-label": "Aanvullend wachtwoord",
+  "v2.page.settings-mfa-password.default.additional-password-updated-at": "Bijgewerkt op <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.dialog-delete-description": "Weet u zeker dat u het extra wachtwoord wilt verwijderen?",
+  "v2.page.settings-mfa-password.default.dialog-delete-title": "Verwijder extra wachtwoord",
+  "v2.page.settings-mfa-password.default.remove-button-label": "Verwijder aanvullend wachtwoord",
+  "v2.page.settings-mfa-password.default.title": "Aanvullend wachtwoord",
+  "v2.page.settings-mfa.default.activated-label": "Geactiveerd",
+  "v2.page.settings-mfa.default.additional-password-label": "Aanvullend wachtwoord",
+  "v2.page.settings-mfa.default.dialog-revoke-device-description": "U heeft {NumberOfDeviceTokens, plural, one{# vertrouwd apparaat} other{# vertrouwde apparaten}} die zijn gekoppeld aan uw account. Wilt u alle vertrouwde apparaten verwijderen?",
+  "v2.page.settings-mfa.default.dialog-revoke-device-title": "Verwijder vertrouwde apparaten",
+  "v2.page.settings-mfa.default.inactive-label": "Inactief",
+  "v2.page.settings-mfa.default.secondary-oob-otp-email-label": "E-mail",
+  "v2.page.settings-mfa.default.secondary-oob-otp-sms-label": "Whatsapp/SMS-bericht",
+  "v2.page.settings-mfa.default.secondary-totp-label": "Authenticator-app/apparaat",
+  "v2.page.settings-mfa.default.title": "2-Factor Authenticatie",
+  "v2.page.settings-mfa.default.trusted-devices-has-device-tokens-message": "Je hebt {NumberOfDeviceTokens, plural, one{# vertrouwd apparaat} other{# vertrouwde apparaten}}",
+  "v2.page.settings-mfa.default.trusted-devices-label": "Vertrouwde apparaten",
+  "v2.page.settings-mfa.default.trusted-devices-no-device-tokens-message": "Je hebt geen vertrouwde apparaten die de 2-stapsverificatie kunnen overslaan.",
+  "v2.page.settings-oob-otp-email.default.title": "E-mail",
+  "v2.page.settings-oob-otp-sms.default.title": "WhatsApp/SMS-bericht",
+  "v2.page.settings-oob-otp.default.added-at-label": "Toegevoegd op <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-oob-otp.default.button-oob-otp-email-label": "+ E-mailadres toevoegen",
+  "v2.page.settings-oob-otp.default.button-oob-otp-sms-label": "+ WhatsApp/telefoonnummer toevoegen",
+  "v2.page.settings-passkey.default.add-passkey-button-label": "+ Passkey toevoegen",
+  "v2.page.settings-passkey.default.dialog-description": "Weet je zeker dat je deze passkey wilt verwijderen?",
+  "v2.page.settings-passkey.default.dialog-title": "Passkey verwijderen",
+  "v2.page.settings-passkey.default.item-description": "Toegevoegd op <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-passkey.default.title": "Passkey",
   "v2.page.settings-profile-edit-address.default.country-label": "Land",
   "v2.page.settings-profile-edit-address.default.locality-label": "Stad",
-  "v2.page.settings-profile-edit-address.default.navbar-title": "Adres",
   "v2.page.settings-profile-edit-address.default.postal-code-label": "Postcode",
   "v2.page.settings-profile-edit-address.default.region-label": "Regio",
   "v2.page.settings-profile-edit-address.default.street-label": "Straatnaam",
-  "v2.page.settings-profile-edit-birthdate.default.navbar-title": "Geboortedatum",
+  "v2.page.settings-profile-edit-address.default.title": "Adres",
+  "v2.page.settings-profile-edit-birthdate.default.title": "Geboortedatum",
   "v2.page.settings-profile-edit-gender.default.gender-label-custom": "Aangepast",
   "v2.page.settings-profile-edit-gender.default.gender-label-female": "Vrouw",
   "v2.page.settings-profile-edit-gender.default.gender-label-male": "Man",
   "v2.page.settings-profile-edit-gender.default.gender-label-unspecified": "Niet opgegeven",
   "v2.page.settings-profile-edit-gender.default.title": "Geslacht",
-  "v2.page.settings-profile-edit-locale.default.navbar-title": "Taal",
+  "v2.page.settings-profile-edit-locale.default.title": "Taal",
   "v2.page.settings-profile-edit-name.default.family-name-input-label": "Achternaam",
   "v2.page.settings-profile-edit-name.default.fullname-input-label": "Volledige naam",
   "v2.page.settings-profile-edit-name.default.given-name-input-label": "Voornaam",
   "v2.page.settings-profile-edit-name.default.middle-name-input-label": "Tweede naam",
-  "v2.page.settings-profile-edit-name.default.navbar-title": "Naam",
   "v2.page.settings-profile-edit-name.default.nickname-input-label": "Bijnaam",
-  "v2.page.settings-profile-edit-zoneinfo.default.navbar-title": "Tijdzone",
+  "v2.page.settings-profile-edit-name.default.title": "Naam",
+  "v2.page.settings-profile-edit-zoneinfo.default.title": "Tijdzone",
   "v2.page.settings-profile-no-permission.default.content": "Niet geautoriseerd",
   "v2.page.settings-profile-no-permission.default.title": "Onverwachte problemen",
   "v2.page.settings-profile.default.address-title": "Adres",
@@ -1146,9 +1241,21 @@
   "v2.page.settings-profile.default.gender-title": "Geslacht",
   "v2.page.settings-profile.default.language-title": "Taal",
   "v2.page.settings-profile.default.name-title": "Naam",
-  "v2.page.settings-profile.default.navbar-title": "Profiel",
   "v2.page.settings-profile.default.profile-picture-title": "Profielfoto",
+  "v2.page.settings-profile.default.title": "Profiel",
   "v2.page.settings-profile.default.zoneinfo-title": "Tijdzone",
+  "v2.page.settings-sessions.default.all-sessions-dialog-description": "Dit zal de toegang tot uw account vanaf alle andere apparaten verwijderen",
+  "v2.page.settings-sessions.default.all-sessions-dialog-title": "Alle andere sessies beëindigen",
+  "v2.page.settings-sessions.default.country-ip-item-description": "{countryName} ({countryCode}) - {ip}",
+  "v2.page.settings-sessions.default.device-item-description": "{isCurrent, select, true {{desc} · <span class=\"settings-description--primary-color\">Nu actief</span>} other {{desc} · <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>}}",
+  "v2.page.settings-sessions.default.revoke-all-label": "Alle andere sessies beëindigen",
+  "v2.page.settings-sessions.default.session-dialog-description": "Dit zal de toegang tot uw account op dit apparaat verwijderen",
+  "v2.page.settings-sessions.default.session-dialog-title": "Sessie beëindigen",
+  "v2.page.settings-sessions.default.title": "Aangemelde apparaten",
+  "v2.page.settings-totp.default.added-at-label": "Toegevoegd op <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-totp.default.button-add-authenticator-label": "+ Authenticator-app/apparaat toevoegen",
+  "v2.page.settings-totp.default.title": "Authenticator-app/apparaat",
+  "v2.page.settings.default.button-label-account-deletion": "Account verwijderen",
   "v2.page.settings.default.button-label-advanced-settings": "Geavanceerde Instellingen",
   "v2.page.settings.default.button-label-and-more": "{item} en meer",
   "v2.page.settings.default.button-label-back-to-app": "Terug naar mijn app",
diff --git a/resources/authgear/templates/pl/translation.json b/resources/authgear/templates/pl/translation.json
index 47ded6ffad..b805b71738 100644
--- a/resources/authgear/templates/pl/translation.json
+++ b/resources/authgear/templates/pl/translation.json
@@ -879,13 +879,17 @@
   "v2.component.bot-protection-widget.default.noscript": "JavaScript jest wymagany do weryfikacji captcha. Włącz JavaScript w przeglądarce, aby kontynuować.",
   "v2.component.button.default.copy": "Kopiuj",
   "v2.component.button.default.download": "Pobierz",
+  "v2.component.button.default.label-cancel": "Anuluj",
   "v2.component.button.default.label-continue": "Kontynuuj",
   "v2.component.button.default.label-continue-with-passkey": "Kontynuuj przez Passkey",
   "v2.component.button.default.label-continue-with-phone": "Kontynuuj z numerem telefonu",
   "v2.component.button.default.label-continue-with-text-login-id": "Kontynuuj przez {variant, select, email {Email} username {Nazwę użytkownika} other {Email / Nazwę użytkownika}}",
+  "v2.component.button.default.label-edit": "Edytuj",
   "v2.component.button.default.label-login": "Zaloguj się",
+  "v2.component.button.default.label-remove": "Usuń",
   "v2.component.button.default.label-save": "Zapisz",
   "v2.component.button.default.label-send": "Wyślij",
+  "v2.component.button.default.label-terminate": "Zakończ",
   "v2.component.device-token-checkbox.default.label": "Zapamiętaj to urządzenie i nie pytaj ponownie",
   "v2.component.divider.default.or-label": "lub",
   "v2.component.input.default.placeholder-email": "Adres email",
@@ -923,6 +927,7 @@
   "v2.component.oob-otp-resend-button.default.countdown-unit": "Wyślij kod ponownie za %s",
   "v2.component.oob-otp-resend-button.default.label": "Wyślij kod ponownie",
   "v2.component.password-input.default.hide-password": "Ukryj hasło",
+  "v2.component.password-input.default.placeholder-confirm-new-password": "Wprowadź ponownie nowe hasło",
   "v2.component.password-input.default.placeholder-confirm-password": "Powtórz hasło",
   "v2.component.password-input.default.placeholder-new-password": "Nowe hasło",
   "v2.component.password-input.default.placeholder-password": "Obecne hasło",
@@ -932,7 +937,6 @@
   "v2.component.select-input.default.no-results-found": "Nie znaleziono wyników",
   "v2.component.select-input.default.not-provided-label": "Nie podano",
   "v2.component.select-input.default.search-label": "Szukaj",
-  "v2.component.select-input.default.unset-label": "Niezdefiniowane",
   "v2.component.toc-pp-footer.default.label": "Rejestrując się, zgadzasz się na {variant, select, both{<a class=\"link-btn\" target=\"_blank\" href=\"{termsOfService}\">Warunki Korzystania</a> i <a class=\"link-btn\" target=\"_blank\" href=\"{privacyPolicy}\">Politykę Prywatności</a>} termsOnly{<a class=\"link\" target=\"_blank\" href=\"{termsOfService}\">Warunki Korzystania</a>} privacyOnly{<a class=\"link\" target=\"_blank\" href=\"{privacyPolicy}\">Politykę Prywatności</a>} other{}}",
   "v2.component.verify-bot-protection.default.description": "Zostaniesz przekierowany wkrótce po ukończeniu wyzwania",
   "v2.component.verify-bot-protection.default.title": "Sprawdzanie Twojego systemu...",
@@ -1115,26 +1119,117 @@
   "v2.page.select-account.default.description": "Zalogowałeś się za pomocą {email_is_present,select,true{{email}} other{{phone_number_is_present,select,true{{phone_number}} other{{preferred_username}}}}}. Kontynuuj, aby przejść dalej.",
   "v2.page.select-account.default.title": "Zaloguj się do {AppOrClientName}",
   "v2.page.select-account.default.use-another-account": "Użyj innego konta",
+  "v2.page.settings-advanced-settings.default.title": "Zaawansowane ustawienia",
+  "v2.page.settings-biometric.default.dialog-description": "Czy na pewno chcesz odłączyć logowanie biometryczne dla tego urządzenia?",
+  "v2.page.settings-biometric.default.dialog-title": "Odłącz logowanie biometryczne",
+  "v2.page.settings-biometric.default.disconnect-button-label": "Odłącz",
+  "v2.page.settings-biometric.default.item-description": "Utworzono o <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-biometric.default.no-biometric-description": "Nie masz żadnych urządzeń z włączoną biometryką.",
+  "v2.page.settings-biometric.default.title": "Logowanie biometryczne",
+  "v2.page.settings-biometric.default.unknown-name-item-label": "Nieznane urządzenie",
+  "v2.page.settings-change-password.default.title": "Zmień hasło",
+  "v2.page.settings-delete-account-success.default.button-label": "Gotowe",
+  "v2.page.settings-delete-account-success.default.description": "Twoje konto zostało dezaktywowane, a dane zostaną usunięte <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account-success.default.title": "Zaplanowano usunięcie konta",
+  "v2.page.settings-delete-account.default.button-label": "Usuń konto",
+  "v2.page.settings-delete-account.default.description": "Usunięcie konta spowoduje trwałe usunięcie wszystkich danych i nie będziemy mogli ich odzyskać. Jeśli kontynuujesz, Twoje konto zostanie usunięte <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account.default.input-placeholder": "Wpisz <b>{input}</b> aby potwierdzić",
+  "v2.page.settings-delete-account.default.title": "Usuń konto",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-maximum": "Wprowadź liczbę mniejszą lub równą {maximum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum": "Wprowadź liczbę większą lub równą {minimum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum-maximum": "Wprowadź liczbę pomiędzy {minimum} a {maximum}",
+  "v2.page.settings-identity-add-email.default.email-input-placeholder": "Nowy adres e-mail",
+  "v2.page.settings-identity-add-email.default.title": "Dodaj nowy e-mail",
+  "v2.page.settings-identity-add-phone.default.phone-input-placeholder": "Numer telefonu",
+  "v2.page.settings-identity-add-phone.default.title": "Dodaj nowy numer telefonu",
+  "v2.page.settings-identity-change-primary-email.default.title": "Podstawowy email",
+  "v2.page.settings-identity-change-primary-phone.default.title": "Główny numer telefonu",
+  "v2.page.settings-identity-edit-email.default.description": "Twój obecny adres e-mail to {target}",
+  "v2.page.settings-identity-edit-email.default.email-input-placeholder": "Nowy adres e-mail",
+  "v2.page.settings-identity-edit-email.default.title": "Edytuj e-mail",
+  "v2.page.settings-identity-edit-phone.default.description": "Twój aktualny numer telefonu to {target}",
+  "v2.page.settings-identity-edit-phone.default.phone-input-placeholder": "Numer telefonu",
+  "v2.page.settings-identity-edit-phone.default.title": "Edytuj telefon",
+  "v2.page.settings-identity-edit-username.default.title": "Zmień nazwę użytkownika",
+  "v2.page.settings-identity-email.default.title": "Email",
+  "v2.page.settings-identity-list-email.default.button-add-email-label": "+ Dodaj email",
+  "v2.page.settings-identity-list-email.default.button-change-primary-email-label": "Zmień",
+  "v2.page.settings-identity-list-email.default.primary-email-label": "Podstawowy email",
+  "v2.page.settings-identity-list-phone.default.button-add-phone-label": "+ Dodaj nowy numer telefonu",
+  "v2.page.settings-identity-list-phone.default.button-change-primary-phone-label": "Zmień",
+  "v2.page.settings-identity-list-phone.default.primary-phone-label": "Główny numer telefonu",
+  "v2.page.settings-identity-list-username.default.button-add-username-label": "+ Dodaj nazwę użytkownika",
+  "v2.page.settings-identity-list-username.default.title": "Nazwa użytkownika",
+  "v2.page.settings-identity-new-username.default.title": "Dodaj nazwę użytkownika",
+  "v2.page.settings-identity-phone.default.title": "Telefon",
+  "v2.page.settings-identity-verify-email.default.title": "Weryfikacja",
+  "v2.page.settings-identity-verify-phone.default.title": "Weryfikacja",
+  "v2.page.settings-identity-view-email.default.button-edit-email-label": "Edytuj",
+  "v2.page.settings-identity-view-email.default.button-remove-email-label": "Usuń ten email",
+  "v2.page.settings-identity-view-email.default.button-verify-email-label": "Zweryfikuj",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-description": "Czy na pewno chcesz usunąć adres email {target} z Twojego konta?",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-title": "Usuń adres email",
+  "v2.page.settings-identity-view-phone.default.button-edit-phone-label": "Edytuj",
+  "v2.page.settings-identity-view-phone.default.button-remove-phone-label": "Usuń ten numer telefonu",
+  "v2.page.settings-identity-view-phone.default.button-verify-phone-label": "Zweryfikuj",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-description": "Czy na pewno chcesz usunąć numer telefonu {target} z Twojego konta?",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-title": "Usuń numer telefonu",
+  "v2.page.settings-identity-view-username.default.button-remove-label": "Usuń nazwę użytkownika",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-description": "Czy na pewno chcesz usunąć nazwę użytkownika <span class=\"settings-dialog__description-text--highlight\">{Username}</span> z Twojego konta?",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-title": "Usuń nazwę użytkownika",
+  "v2.page.settings-identity-view-username.default.title": "Nazwa użytkownika",
+  "v2.page.settings-identity.default.verification-status-unverified-label": "Niezweryfikowane",
+  "v2.page.settings-identity.default.verification-status-verified-label": "Zweryfikowane",
+  "v2.page.settings-mfa-create-password.default.title": "Dodatkowe hasło",
+  "v2.page.settings-mfa-password.default.additional-password-added-at": "Dodane o <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.additional-password-label": "Dodatkowe hasło",
+  "v2.page.settings-mfa-password.default.additional-password-updated-at": "Zaktualizowane o <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.dialog-delete-description": "Czy na pewno chcesz usunąć dodatkowe hasło?",
+  "v2.page.settings-mfa-password.default.dialog-delete-title": "Usuń dodatkowe hasło",
+  "v2.page.settings-mfa-password.default.remove-button-label": "Usuń dodatkowe hasło",
+  "v2.page.settings-mfa-password.default.title": "Dodatkowe hasło",
+  "v2.page.settings-mfa.default.activated-label": "Aktywowane",
+  "v2.page.settings-mfa.default.additional-password-label": "Dodatkowe hasło",
+  "v2.page.settings-mfa.default.dialog-revoke-device-description": "Masz {NumberOfDeviceTokens, plural, one{# zaufane urządzenie} other{# zaufanych urządzeń}} powiązanych z Twoim kontem. Czy chcesz usunąć wszystkie zaufane urządzenia?",
+  "v2.page.settings-mfa.default.dialog-revoke-device-title": "Usuń zaufane urządzenia",
+  "v2.page.settings-mfa.default.inactive-label": "Nieaktywne",
+  "v2.page.settings-mfa.default.secondary-oob-otp-email-label": "Email",
+  "v2.page.settings-mfa.default.secondary-oob-otp-sms-label": "Wiadomość Whatsapp/SMS",
+  "v2.page.settings-mfa.default.secondary-totp-label": "Aplikacja/urządzenie uwierzytelniające",
+  "v2.page.settings-mfa.default.title": "Uwierzytelnianie dwuskładnikowe",
+  "v2.page.settings-mfa.default.trusted-devices-has-device-tokens-message": "Masz {NumberOfDeviceTokens, plural, one{# zaufane urządzenie} other{# zaufane urządzenia}}",
+  "v2.page.settings-mfa.default.trusted-devices-label": "Zaufane urządzenia",
+  "v2.page.settings-mfa.default.trusted-devices-no-device-tokens-message": "Nie masz żadnych zaufanych urządzeń, które mogą pominąć weryfikację dwuetapową.",
+  "v2.page.settings-oob-otp-email.default.title": "Email",
+  "v2.page.settings-oob-otp-sms.default.title": "Wiadomość WhatsApp/SMS",
+  "v2.page.settings-oob-otp.default.added-at-label": "Dodano o <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-oob-otp.default.button-oob-otp-email-label": "+ Dodaj email",
+  "v2.page.settings-oob-otp.default.button-oob-otp-sms-label": "+ Dodaj numer telefonu WhatsApp/SMS",
+  "v2.page.settings-passkey.default.add-passkey-button-label": "+ Dodaj Passkey",
+  "v2.page.settings-passkey.default.dialog-description": "Czy na pewno chcesz usunąć ten klucz dostępu?",
+  "v2.page.settings-passkey.default.dialog-title": "Usuń klucz dostępu",
+  "v2.page.settings-passkey.default.item-description": "Dodano o <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-passkey.default.title": "Passkey",
   "v2.page.settings-profile-edit-address.default.country-label": "Kraj",
   "v2.page.settings-profile-edit-address.default.locality-label": "Miasto",
-  "v2.page.settings-profile-edit-address.default.navbar-title": "Adres",
   "v2.page.settings-profile-edit-address.default.postal-code-label": "Kod pocztowy",
   "v2.page.settings-profile-edit-address.default.region-label": "Region",
   "v2.page.settings-profile-edit-address.default.street-label": "Adres ulicy",
-  "v2.page.settings-profile-edit-birthdate.default.navbar-title": "Data urodzenia",
+  "v2.page.settings-profile-edit-address.default.title": "Adres",
+  "v2.page.settings-profile-edit-birthdate.default.title": "Data urodzenia",
   "v2.page.settings-profile-edit-gender.default.gender-label-custom": "Niestandardowa",
   "v2.page.settings-profile-edit-gender.default.gender-label-female": "Kobieta",
   "v2.page.settings-profile-edit-gender.default.gender-label-male": "Mężczyzna",
   "v2.page.settings-profile-edit-gender.default.gender-label-unspecified": "Nie podano",
   "v2.page.settings-profile-edit-gender.default.title": "Płeć",
-  "v2.page.settings-profile-edit-locale.default.navbar-title": "Język",
+  "v2.page.settings-profile-edit-locale.default.title": "Język",
   "v2.page.settings-profile-edit-name.default.family-name-input-label": "Nazwisko",
   "v2.page.settings-profile-edit-name.default.fullname-input-label": "Pełne imię i nazwisko",
   "v2.page.settings-profile-edit-name.default.given-name-input-label": "Imię",
   "v2.page.settings-profile-edit-name.default.middle-name-input-label": "Drugie imię",
-  "v2.page.settings-profile-edit-name.default.navbar-title": "Imię",
   "v2.page.settings-profile-edit-name.default.nickname-input-label": "Przezwisko",
-  "v2.page.settings-profile-edit-zoneinfo.default.navbar-title": "Strefa czasowa",
+  "v2.page.settings-profile-edit-name.default.title": "Imię",
+  "v2.page.settings-profile-edit-zoneinfo.default.title": "Strefa czasowa",
   "v2.page.settings-profile-no-permission.default.content": "Brak autoryzacji",
   "v2.page.settings-profile-no-permission.default.title": "Nieoczekiwane problemy",
   "v2.page.settings-profile.default.address-title": "Adres",
@@ -1146,9 +1241,21 @@
   "v2.page.settings-profile.default.gender-title": "Płeć",
   "v2.page.settings-profile.default.language-title": "Język",
   "v2.page.settings-profile.default.name-title": "Nazwa",
-  "v2.page.settings-profile.default.navbar-title": "Profil",
   "v2.page.settings-profile.default.profile-picture-title": "Zdjęcie profilowe",
+  "v2.page.settings-profile.default.title": "Profil",
   "v2.page.settings-profile.default.zoneinfo-title": "Strefa czasowa",
+  "v2.page.settings-sessions.default.all-sessions-dialog-description": "Spowoduje to usunięcie dostępu do Twojego konta ze wszystkich innych urządzeń",
+  "v2.page.settings-sessions.default.all-sessions-dialog-title": "Zakończ wszystkie inne sesje",
+  "v2.page.settings-sessions.default.country-ip-item-description": "{countryName} ({countryCode}) - {ip}",
+  "v2.page.settings-sessions.default.device-item-description": "{isCurrent, select, true {{desc} · <span class=\"settings-description--primary-color\">Aktywne teraz</span>} other {{desc} · <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>}}",
+  "v2.page.settings-sessions.default.revoke-all-label": "Zakończ wszystkie inne sesje",
+  "v2.page.settings-sessions.default.session-dialog-description": "Spowoduje to usunięcie dostępu do Twojego konta na tym urządzeniu",
+  "v2.page.settings-sessions.default.session-dialog-title": "Zakończ sesję",
+  "v2.page.settings-sessions.default.title": "Zalogowane urządzenia",
+  "v2.page.settings-totp.default.added-at-label": "Dodano o <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-totp.default.button-add-authenticator-label": "+ Dodaj aplikację/urządzenie uwierzytelniające",
+  "v2.page.settings-totp.default.title": "Aplikacja/urządzenie uwierzytelniające",
+  "v2.page.settings.default.button-label-account-deletion": "Usuń konto",
   "v2.page.settings.default.button-label-advanced-settings": "Zaawansowane ustawienia",
   "v2.page.settings.default.button-label-and-more": "{item} i więcej",
   "v2.page.settings.default.button-label-back-to-app": "Powrót do mojej aplikacji",
diff --git a/resources/authgear/templates/pt-BR/translation.json b/resources/authgear/templates/pt-BR/translation.json
index ef1c1dd66d..3175bac4ff 100644
--- a/resources/authgear/templates/pt-BR/translation.json
+++ b/resources/authgear/templates/pt-BR/translation.json
@@ -879,13 +879,17 @@
   "v2.component.bot-protection-widget.default.noscript": "JavaScript é necessário para verificação de captcha. Por favor, habilite o JavaScript no seu navegador para prosseguir.",
   "v2.component.button.default.copy": "Copiar",
   "v2.component.button.default.download": "Baixar",
+  "v2.component.button.default.label-cancel": "Cancelar",
   "v2.component.button.default.label-continue": "Continuar",
   "v2.component.button.default.label-continue-with-passkey": "Continuar com Passkey",
   "v2.component.button.default.label-continue-with-phone": "Continuar com o Número de Telefone",
   "v2.component.button.default.label-continue-with-text-login-id": "Continuar com {variant, select, email {Email} username {Nome de Usuário} other {Email / Nome de Usuário}}",
+  "v2.component.button.default.label-edit": "Editar",
   "v2.component.button.default.label-login": "Entrar",
+  "v2.component.button.default.label-remove": "Remover",
   "v2.component.button.default.label-save": "Salvar",
   "v2.component.button.default.label-send": "Enviar",
+  "v2.component.button.default.label-terminate": "Terminar",
   "v2.component.device-token-checkbox.default.label": "Lembrar este dispositivo e não perguntar novamente",
   "v2.component.divider.default.or-label": "ou",
   "v2.component.input.default.placeholder-email": "Endereço de email",
@@ -923,6 +927,7 @@
   "v2.component.oob-otp-resend-button.default.countdown-unit": "Reenviar código em %s",
   "v2.component.oob-otp-resend-button.default.label": "Reenviar código",
   "v2.component.password-input.default.hide-password": "Ocultar senha",
+  "v2.component.password-input.default.placeholder-confirm-new-password": "Insira novamente a nova senha",
   "v2.component.password-input.default.placeholder-confirm-password": "Redigite a Senha",
   "v2.component.password-input.default.placeholder-new-password": "Nova Senha",
   "v2.component.password-input.default.placeholder-password": "Senha atual",
@@ -932,7 +937,6 @@
   "v2.component.select-input.default.no-results-found": "Nenhum resultado encontrado",
   "v2.component.select-input.default.not-provided-label": "Não fornecido",
   "v2.component.select-input.default.search-label": "Pesquisar",
-  "v2.component.select-input.default.unset-label": "Não definido",
   "v2.component.toc-pp-footer.default.label": "Ao se registrar, você concorda com os {variant, select, both{<a class=\"link-btn\" target=\"_blank\" href=\"{termsOfService}\">Termos de Serviço</a> e <a class=\"link-btn\" target=\"_blank\" href=\"{privacyPolicy}\">Política de Privacidade</a>} termsOnly{<a class=\"link\" target=\"_blank\" href=\"{termsOfService}\">Termos de Serviço</a>} privacyOnly{<a class=\"link\" target=\"_blank\" href=\"{privacyPolicy}\">Política de Privacidade</a>} other{}}",
   "v2.component.verify-bot-protection.default.description": "Você será redirecionado em breve após concluir o desafio",
   "v2.component.verify-bot-protection.default.title": "Verificando seu sistema...",
@@ -1115,26 +1119,117 @@
   "v2.page.select-account.default.description": "Você entrou com {email_is_present,select,true{{email}} other{{phone_number_is_present,select,true{{phone_number}} other{{preferred_username}}}}}. Prossiga para continuar.",
   "v2.page.select-account.default.title": "Entrar no {AppOrClientName}",
   "v2.page.select-account.default.use-another-account": "Usar outra conta",
+  "v2.page.settings-advanced-settings.default.title": "Configurações Avançadas",
+  "v2.page.settings-biometric.default.dialog-description": "Tem certeza de que deseja desconectar o login biométrico para este dispositivo?",
+  "v2.page.settings-biometric.default.dialog-title": "Desconectar Login Biométrico",
+  "v2.page.settings-biometric.default.disconnect-button-label": "Desconectar",
+  "v2.page.settings-biometric.default.item-description": "Criado em <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-biometric.default.no-biometric-description": "Você não tem nenhum dispositivo com biometria habilitada.",
+  "v2.page.settings-biometric.default.title": "Login Biométrico",
+  "v2.page.settings-biometric.default.unknown-name-item-label": "Dispositivo Desconhecido",
+  "v2.page.settings-change-password.default.title": "Alterar Senha",
+  "v2.page.settings-delete-account-success.default.button-label": "Concluído",
+  "v2.page.settings-delete-account-success.default.description": "Sua conta foi desativada e os dados serão excluídos em <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account-success.default.title": "Exclusão de conta agendada",
+  "v2.page.settings-delete-account.default.button-label": "Excluir Conta",
+  "v2.page.settings-delete-account.default.description": "Ao excluir a conta, todos os dados serão permanentemente excluídos e não poderemos recuperá-los. Se você continuar, sua conta será excluída em <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account.default.input-placeholder": "Digite <b>{input}</b> para confirmar",
+  "v2.page.settings-delete-account.default.title": "Excluir Conta",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-maximum": "Por favor, insira um número menor ou igual a {maximum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum": "Por favor, insira um número maior ou igual a {minimum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum-maximum": "Por favor, insira um número entre {minimum} e {maximum}",
+  "v2.page.settings-identity-add-email.default.email-input-placeholder": "Novo Endereço de Email",
+  "v2.page.settings-identity-add-email.default.title": "Adicionar Novo Email",
+  "v2.page.settings-identity-add-phone.default.phone-input-placeholder": "Número de Telefone",
+  "v2.page.settings-identity-add-phone.default.title": "Adicionar Novo Telefone",
+  "v2.page.settings-identity-change-primary-email.default.title": "Email Primário",
+  "v2.page.settings-identity-change-primary-phone.default.title": "Telefone Primário",
+  "v2.page.settings-identity-edit-email.default.description": "Seu e-mail atual é {target}",
+  "v2.page.settings-identity-edit-email.default.email-input-placeholder": "Novo Endereço de E-mail",
+  "v2.page.settings-identity-edit-email.default.title": "Editar E-mail",
+  "v2.page.settings-identity-edit-phone.default.description": "Seu número de telefone atual é {target}",
+  "v2.page.settings-identity-edit-phone.default.phone-input-placeholder": "Número de Telefone",
+  "v2.page.settings-identity-edit-phone.default.title": "Editar Telefone",
+  "v2.page.settings-identity-edit-username.default.title": "Alterar Nome de Usuário",
+  "v2.page.settings-identity-email.default.title": "Email",
+  "v2.page.settings-identity-list-email.default.button-add-email-label": "+ Adicionar email",
+  "v2.page.settings-identity-list-email.default.button-change-primary-email-label": "Alterar",
+  "v2.page.settings-identity-list-email.default.primary-email-label": "Email primário",
+  "v2.page.settings-identity-list-phone.default.button-add-phone-label": "+ Adicionar novo número de telefone",
+  "v2.page.settings-identity-list-phone.default.button-change-primary-phone-label": "Alterar",
+  "v2.page.settings-identity-list-phone.default.primary-phone-label": "telefone primário",
+  "v2.page.settings-identity-list-username.default.button-add-username-label": "+ Adicionar nome de usuário",
+  "v2.page.settings-identity-list-username.default.title": "Nome de usuário",
+  "v2.page.settings-identity-new-username.default.title": "Adicionar Nome de Usuário",
+  "v2.page.settings-identity-phone.default.title": "Telefone",
+  "v2.page.settings-identity-verify-email.default.title": "Verificação",
+  "v2.page.settings-identity-verify-phone.default.title": "Verificação",
+  "v2.page.settings-identity-view-email.default.button-edit-email-label": "Editar",
+  "v2.page.settings-identity-view-email.default.button-remove-email-label": "Remover este email",
+  "v2.page.settings-identity-view-email.default.button-verify-email-label": "Verificar",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-description": "Tem certeza de que deseja remover o endereço de email {target} da sua conta?",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-title": "Remover Endereço de Email",
+  "v2.page.settings-identity-view-phone.default.button-edit-phone-label": "Editar",
+  "v2.page.settings-identity-view-phone.default.button-remove-phone-label": "Remover este telefone",
+  "v2.page.settings-identity-view-phone.default.button-verify-phone-label": "Verificar",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-description": "Tem certeza de que deseja remover o número de telefone {target} da sua conta?",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-title": "Remover Número de Telefone",
+  "v2.page.settings-identity-view-username.default.button-remove-label": "Remover nome de usuário",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-description": "Tem certeza de que deseja remover o nome de usuário <span class=\"settings-dialog__description-text--highlight\">{Username}</span> da sua conta?",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-title": "Remover Nome de Usuário",
+  "v2.page.settings-identity-view-username.default.title": "Nome de Usuário",
+  "v2.page.settings-identity.default.verification-status-unverified-label": "Não Verificado",
+  "v2.page.settings-identity.default.verification-status-verified-label": "Verificado",
+  "v2.page.settings-mfa-create-password.default.title": "Senha adicional",
+  "v2.page.settings-mfa-password.default.additional-password-added-at": "Adicionada em <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.additional-password-label": "Senha adicional",
+  "v2.page.settings-mfa-password.default.additional-password-updated-at": "Atualizada em <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.dialog-delete-description": "Tem certeza de que deseja remover a senha adicional?",
+  "v2.page.settings-mfa-password.default.dialog-delete-title": "Remover senha adicional",
+  "v2.page.settings-mfa-password.default.remove-button-label": "Remover senha adicional",
+  "v2.page.settings-mfa-password.default.title": "Senha adicional",
+  "v2.page.settings-mfa.default.activated-label": "Ativada",
+  "v2.page.settings-mfa.default.additional-password-label": "Senha adicional",
+  "v2.page.settings-mfa.default.dialog-revoke-device-description": "Você tem {NumberOfDeviceTokens, plural, one{# dispositivo confiável} other{# dispositivos confiáveis}} associados à sua conta. Deseja remover todos os dispositivos confiáveis?",
+  "v2.page.settings-mfa.default.dialog-revoke-device-title": "Remover dispositivos confiáveis",
+  "v2.page.settings-mfa.default.inactive-label": "Inativa",
+  "v2.page.settings-mfa.default.secondary-oob-otp-email-label": "Email",
+  "v2.page.settings-mfa.default.secondary-oob-otp-sms-label": "Mensagem do Whatsapp/SMS",
+  "v2.page.settings-mfa.default.secondary-totp-label": "Aplicativo/dispositivo autenticador",
+  "v2.page.settings-mfa.default.title": "Autenticação de 2 Fatores",
+  "v2.page.settings-mfa.default.trusted-devices-has-device-tokens-message": "Você tem {NumberOfDeviceTokens, plural, one{# dispositivo confiável} other{# dispositivos confiáveis}}",
+  "v2.page.settings-mfa.default.trusted-devices-label": "Dispositivos confiáveis",
+  "v2.page.settings-mfa.default.trusted-devices-no-device-tokens-message": "Você não tem nenhum dispositivo confiável que possa ignorar a verificação de 2 etapas.",
+  "v2.page.settings-oob-otp-email.default.title": "Email",
+  "v2.page.settings-oob-otp-sms.default.title": "Mensagem WhatsApp/SMS",
+  "v2.page.settings-oob-otp.default.added-at-label": "Adicionado em <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-oob-otp.default.button-oob-otp-email-label": "+ Adicionar email",
+  "v2.page.settings-oob-otp.default.button-oob-otp-sms-label": "+ Adicionar número de telefone WhatsApp/SMS",
+  "v2.page.settings-passkey.default.add-passkey-button-label": "+ Adicionar Passkey",
+  "v2.page.settings-passkey.default.dialog-description": "Tem certeza de que deseja remover esta Passkey?",
+  "v2.page.settings-passkey.default.dialog-title": "Remover Passkey",
+  "v2.page.settings-passkey.default.item-description": "Adicionado em <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-passkey.default.title": "Passkey",
   "v2.page.settings-profile-edit-address.default.country-label": "País",
   "v2.page.settings-profile-edit-address.default.locality-label": "Cidade",
-  "v2.page.settings-profile-edit-address.default.navbar-title": "Endereço",
   "v2.page.settings-profile-edit-address.default.postal-code-label": "Código postal",
   "v2.page.settings-profile-edit-address.default.region-label": "Região",
   "v2.page.settings-profile-edit-address.default.street-label": "Endereço residencial",
-  "v2.page.settings-profile-edit-birthdate.default.navbar-title": "Data de nascimento",
+  "v2.page.settings-profile-edit-address.default.title": "Endereço",
+  "v2.page.settings-profile-edit-birthdate.default.title": "Data de nascimento",
   "v2.page.settings-profile-edit-gender.default.gender-label-custom": "Personalizado",
   "v2.page.settings-profile-edit-gender.default.gender-label-female": "Feminino",
   "v2.page.settings-profile-edit-gender.default.gender-label-male": "Masculino",
   "v2.page.settings-profile-edit-gender.default.gender-label-unspecified": "Não fornecido",
   "v2.page.settings-profile-edit-gender.default.title": "Gênero",
-  "v2.page.settings-profile-edit-locale.default.navbar-title": "Idioma",
+  "v2.page.settings-profile-edit-locale.default.title": "Idioma",
   "v2.page.settings-profile-edit-name.default.family-name-input-label": "Sobrenome",
   "v2.page.settings-profile-edit-name.default.fullname-input-label": "Nome completo",
   "v2.page.settings-profile-edit-name.default.given-name-input-label": "Primeiro nome",
   "v2.page.settings-profile-edit-name.default.middle-name-input-label": "Nome do meio",
-  "v2.page.settings-profile-edit-name.default.navbar-title": "Nome",
   "v2.page.settings-profile-edit-name.default.nickname-input-label": "Apelido",
-  "v2.page.settings-profile-edit-zoneinfo.default.navbar-title": "Fuso horário",
+  "v2.page.settings-profile-edit-name.default.title": "Nome",
+  "v2.page.settings-profile-edit-zoneinfo.default.title": "Fuso horário",
   "v2.page.settings-profile-no-permission.default.content": "Não autorizado",
   "v2.page.settings-profile-no-permission.default.title": "Problemas Inesperados",
   "v2.page.settings-profile.default.address-title": "Endereço",
@@ -1146,9 +1241,21 @@
   "v2.page.settings-profile.default.gender-title": "Gênero",
   "v2.page.settings-profile.default.language-title": "Idioma",
   "v2.page.settings-profile.default.name-title": "Nome",
-  "v2.page.settings-profile.default.navbar-title": "Perfil",
   "v2.page.settings-profile.default.profile-picture-title": "Foto de Perfil",
+  "v2.page.settings-profile.default.title": "Perfil",
   "v2.page.settings-profile.default.zoneinfo-title": "Fuso Horário",
+  "v2.page.settings-sessions.default.all-sessions-dialog-description": "Isso removerá o acesso à sua conta de todos os outros dispositivos",
+  "v2.page.settings-sessions.default.all-sessions-dialog-title": "Terminar todas as outras sessões",
+  "v2.page.settings-sessions.default.country-ip-item-description": "{countryName} ({countryCode}) - {ip}",
+  "v2.page.settings-sessions.default.device-item-description": "{isCurrent, select, true {{desc} · <span class=\"settings-description--primary-color\">Ativo Agora</span>} other {{desc} · <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>}}",
+  "v2.page.settings-sessions.default.revoke-all-label": "Terminar todas as outras sessões",
+  "v2.page.settings-sessions.default.session-dialog-description": "Isso removerá o acesso à sua conta neste dispositivo",
+  "v2.page.settings-sessions.default.session-dialog-title": "Terminar sessão",
+  "v2.page.settings-sessions.default.title": "Dispositivos Conectados",
+  "v2.page.settings-totp.default.added-at-label": "Adicionado em <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-totp.default.button-add-authenticator-label": "+ Adicionar app/dispositivo autenticador",
+  "v2.page.settings-totp.default.title": "App/dispositivo autenticador",
+  "v2.page.settings.default.button-label-account-deletion": "Excluir Conta",
   "v2.page.settings.default.button-label-advanced-settings": "Configurações Avançadas",
   "v2.page.settings.default.button-label-and-more": "{item} e mais",
   "v2.page.settings.default.button-label-back-to-app": "Voltar para meu aplicativo",
diff --git a/resources/authgear/templates/pt-PT/translation.json b/resources/authgear/templates/pt-PT/translation.json
index bb3c9ffb63..9851fb8f90 100644
--- a/resources/authgear/templates/pt-PT/translation.json
+++ b/resources/authgear/templates/pt-PT/translation.json
@@ -879,13 +879,17 @@
   "v2.component.bot-protection-widget.default.noscript": "O JavaScript é necessário para a verificação de captcha. Por favor, ative o JavaScript no seu navegador para prosseguir.",
   "v2.component.button.default.copy": "Copiar",
   "v2.component.button.default.download": "Descarregar",
+  "v2.component.button.default.label-cancel": "Cancelar",
   "v2.component.button.default.label-continue": "Continuar",
   "v2.component.button.default.label-continue-with-passkey": "Continuar com Passkey",
   "v2.component.button.default.label-continue-with-phone": "Continuar com o Número de Telefone",
   "v2.component.button.default.label-continue-with-text-login-id": "Continuar com {variant, select, email {Email} username {Nome de utilizador} other {Email / Nome de utilizador}}",
+  "v2.component.button.default.label-edit": "Editar",
   "v2.component.button.default.label-login": "Iniciar sessão",
+  "v2.component.button.default.label-remove": "Remover",
   "v2.component.button.default.label-save": "Guardar",
   "v2.component.button.default.label-send": "Enviar",
+  "v2.component.button.default.label-terminate": "Terminar",
   "v2.component.device-token-checkbox.default.label": "Lembrar este dispositivo e não perguntar novamente",
   "v2.component.divider.default.or-label": "ou",
   "v2.component.input.default.placeholder-email": "Endereço de email",
@@ -923,6 +927,7 @@
   "v2.component.oob-otp-resend-button.default.countdown-unit": "Reenviar código em %s",
   "v2.component.oob-otp-resend-button.default.label": "Reenviar código",
   "v2.component.password-input.default.hide-password": "Ocultar senha",
+  "v2.component.password-input.default.placeholder-confirm-new-password": "Voltar a introduzir a nova palavra-passe",
   "v2.component.password-input.default.placeholder-confirm-password": "Reintroduza a Palavra-passe",
   "v2.component.password-input.default.placeholder-new-password": "Nova Palavra-passe",
   "v2.component.password-input.default.placeholder-password": "Palavra-passe atual",
@@ -932,7 +937,6 @@
   "v2.component.select-input.default.no-results-found": "Nenhum resultado encontrado",
   "v2.component.select-input.default.not-provided-label": "Não fornecido",
   "v2.component.select-input.default.search-label": "Pesquisar",
-  "v2.component.select-input.default.unset-label": "Não definido",
   "v2.component.toc-pp-footer.default.label": "Ao se registrar, você concorda com os {variant, select, both{<a class=\"link-btn\" target=\"_blank\" href=\"{termsOfService}\">Termos de Serviço</a> e <a class=\"link-btn\" target=\"_blank\" href=\"{privacyPolicy}\">Política de Privacidade</a>} termsOnly{<a class=\"link\" target=\"_blank\" href=\"{termsOfService}\">Termos de Serviço</a>} privacyOnly{<a class=\"link\" target=\"_blank\" href=\"{privacyPolicy}\">Política de Privacidade</a>} other{}}",
   "v2.component.verify-bot-protection.default.description": "Será redirecionado brevemente após concluir o desafio",
   "v2.component.verify-bot-protection.default.title": "A verificar o seu sistema...",
@@ -1115,26 +1119,117 @@
   "v2.page.select-account.default.description": "Iniciaste sessão com {email_is_present,select,true{{email}} other{{phone_number_is_present,select,true{{phone_number}} other{{preferred_username}}}}}. Continua para prosseguir.",
   "v2.page.select-account.default.title": "Iniciar sessão em {AppOrClientName}",
   "v2.page.select-account.default.use-another-account": "Usar outra conta",
+  "v2.page.settings-advanced-settings.default.title": "Definições Avançadas",
+  "v2.page.settings-biometric.default.dialog-description": "Tem a certeza de que deseja desconectar o login biométrico para este dispositivo?",
+  "v2.page.settings-biometric.default.dialog-title": "Desconectar Login Biométrico",
+  "v2.page.settings-biometric.default.disconnect-button-label": "Desconectar",
+  "v2.page.settings-biometric.default.item-description": "Criado em <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-biometric.default.no-biometric-description": "Não tem nenhum dispositivo com biometria ativada.",
+  "v2.page.settings-biometric.default.title": "Login Biométrico",
+  "v2.page.settings-biometric.default.unknown-name-item-label": "Dispositivo Desconhecido",
+  "v2.page.settings-change-password.default.title": "Alterar Palavra-passe",
+  "v2.page.settings-delete-account-success.default.button-label": "Concluído",
+  "v2.page.settings-delete-account-success.default.description": "A sua conta foi desativada e os dados serão eliminados em <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account-success.default.title": "Eliminação de conta agendada",
+  "v2.page.settings-delete-account.default.button-label": "Eliminar Conta",
+  "v2.page.settings-delete-account.default.description": "Ao eliminar a conta, todos os dados serão permanentemente eliminados e não poderemos recuperá-los. Se continuar, a sua conta será eliminada em <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account.default.input-placeholder": "Digite <b>{input}</b> para confirmar",
+  "v2.page.settings-delete-account.default.title": "Eliminar Conta",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-maximum": "Por favor, insira um número menor ou igual a {maximum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum": "Por favor, insira um número maior ou igual a {minimum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum-maximum": "Por favor, insira um número entre {minimum} e {maximum}",
+  "v2.page.settings-identity-add-email.default.email-input-placeholder": "Novo Endereço de Email",
+  "v2.page.settings-identity-add-email.default.title": "Adicionar Novo Email",
+  "v2.page.settings-identity-add-phone.default.phone-input-placeholder": "Número de Telefone",
+  "v2.page.settings-identity-add-phone.default.title": "Adicionar Novo Telefone",
+  "v2.page.settings-identity-change-primary-email.default.title": "Email Primário",
+  "v2.page.settings-identity-change-primary-phone.default.title": "Telefone Primário",
+  "v2.page.settings-identity-edit-email.default.description": "O seu email atual é {target}",
+  "v2.page.settings-identity-edit-email.default.email-input-placeholder": "Novo Endereço de Email",
+  "v2.page.settings-identity-edit-email.default.title": "Editar Email",
+  "v2.page.settings-identity-edit-phone.default.description": "O seu número de telefone atual é {target}",
+  "v2.page.settings-identity-edit-phone.default.phone-input-placeholder": "Número de Telefone",
+  "v2.page.settings-identity-edit-phone.default.title": "Editar Telefone",
+  "v2.page.settings-identity-edit-username.default.title": "Alterar Nome de Utilizador",
+  "v2.page.settings-identity-email.default.title": "Email",
+  "v2.page.settings-identity-list-email.default.button-add-email-label": "+ Adicionar email",
+  "v2.page.settings-identity-list-email.default.button-change-primary-email-label": "Alterar",
+  "v2.page.settings-identity-list-email.default.primary-email-label": "Email primário",
+  "v2.page.settings-identity-list-phone.default.button-add-phone-label": "+ Adicionar novo número de telefone",
+  "v2.page.settings-identity-list-phone.default.button-change-primary-phone-label": "Alterar",
+  "v2.page.settings-identity-list-phone.default.primary-phone-label": "telefone primário",
+  "v2.page.settings-identity-list-username.default.button-add-username-label": "+ Adicionar nome de utilizador",
+  "v2.page.settings-identity-list-username.default.title": "Nome de utilizador",
+  "v2.page.settings-identity-new-username.default.title": "Adicionar Nome de Utilizador",
+  "v2.page.settings-identity-phone.default.title": "Telefone",
+  "v2.page.settings-identity-verify-email.default.title": "Verificação",
+  "v2.page.settings-identity-verify-phone.default.title": "Verificação",
+  "v2.page.settings-identity-view-email.default.button-edit-email-label": "Editar",
+  "v2.page.settings-identity-view-email.default.button-remove-email-label": "Remover este email",
+  "v2.page.settings-identity-view-email.default.button-verify-email-label": "Verificar",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-description": "Tem a certeza de que deseja remover o endereço de email {target} da sua conta?",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-title": "Remover Endereço de Email",
+  "v2.page.settings-identity-view-phone.default.button-edit-phone-label": "Editar",
+  "v2.page.settings-identity-view-phone.default.button-remove-phone-label": "Remover este telefone",
+  "v2.page.settings-identity-view-phone.default.button-verify-phone-label": "Verificar",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-description": "Tem a certeza de que deseja remover o número de telefone {target} da sua conta?",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-title": "Remover Número de Telefone",
+  "v2.page.settings-identity-view-username.default.button-remove-label": "Remover nome de utilizador",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-description": "Tem a certeza de que deseja remover o nome de utilizador <span class=\"settings-dialog__description-text--highlight\">{Username}</span> da sua conta?",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-title": "Remover Nome de Utilizador",
+  "v2.page.settings-identity-view-username.default.title": "Nome de Utilizador",
+  "v2.page.settings-identity.default.verification-status-unverified-label": "Não Verificado",
+  "v2.page.settings-identity.default.verification-status-verified-label": "Verificado",
+  "v2.page.settings-mfa-create-password.default.title": "Palavra-passe adicional",
+  "v2.page.settings-mfa-password.default.additional-password-added-at": "Adicionada às <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.additional-password-label": "Palavra-passe adicional",
+  "v2.page.settings-mfa-password.default.additional-password-updated-at": "Atualizada às <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.dialog-delete-description": "Tem a certeza de que deseja remover a palavra-passe adicional?",
+  "v2.page.settings-mfa-password.default.dialog-delete-title": "Remover palavra-passe adicional",
+  "v2.page.settings-mfa-password.default.remove-button-label": "Remover palavra-passe adicional",
+  "v2.page.settings-mfa-password.default.title": "Palavra-passe adicional",
+  "v2.page.settings-mfa.default.activated-label": "Ativada",
+  "v2.page.settings-mfa.default.additional-password-label": "Palavra-passe adicional",
+  "v2.page.settings-mfa.default.dialog-revoke-device-description": "Tem {NumberOfDeviceTokens, plural, one{# dispositivo confiável} other{# dispositivos confiáveis}} associados à sua conta. Deseja remover todos os dispositivos confiáveis?",
+  "v2.page.settings-mfa.default.dialog-revoke-device-title": "Remover dispositivos confiáveis",
+  "v2.page.settings-mfa.default.inactive-label": "Inativa",
+  "v2.page.settings-mfa.default.secondary-oob-otp-email-label": "Email",
+  "v2.page.settings-mfa.default.secondary-oob-otp-sms-label": "Mensagem Whatsapp/SMS",
+  "v2.page.settings-mfa.default.secondary-totp-label": "Aplicação/dispositivo de autenticação",
+  "v2.page.settings-mfa.default.title": "Autenticação de 2 Fatores",
+  "v2.page.settings-mfa.default.trusted-devices-has-device-tokens-message": "Tem {NumberOfDeviceTokens, plural, one{# dispositivo confiável} other{# dispositivos confiáveis}}",
+  "v2.page.settings-mfa.default.trusted-devices-label": "Dispositivos confiáveis",
+  "v2.page.settings-mfa.default.trusted-devices-no-device-tokens-message": "Não tem quaisquer dispositivos confiáveis que possam ignorar a verificação de 2 passos.",
+  "v2.page.settings-oob-otp-email.default.title": "Email",
+  "v2.page.settings-oob-otp-sms.default.title": "Mensagem WhatsApp/SMS",
+  "v2.page.settings-oob-otp.default.added-at-label": "Adicionado em <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-oob-otp.default.button-oob-otp-email-label": "+ Adicionar email",
+  "v2.page.settings-oob-otp.default.button-oob-otp-sms-label": "+ Adicionar número de telemóvel WhatsApp/SMS",
+  "v2.page.settings-passkey.default.add-passkey-button-label": "+ Adicionar 'Passkey'",
+  "v2.page.settings-passkey.default.dialog-description": "Tem a certeza de que deseja remover esta chave de acesso?",
+  "v2.page.settings-passkey.default.dialog-title": "Remover Chave de Acesso",
+  "v2.page.settings-passkey.default.item-description": "Adicionado às <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-passkey.default.title": "Chave de Acesso",
   "v2.page.settings-profile-edit-address.default.country-label": "País",
   "v2.page.settings-profile-edit-address.default.locality-label": "Cidade",
-  "v2.page.settings-profile-edit-address.default.navbar-title": "Endereço",
   "v2.page.settings-profile-edit-address.default.postal-code-label": "Código postal",
   "v2.page.settings-profile-edit-address.default.region-label": "Região",
   "v2.page.settings-profile-edit-address.default.street-label": "Endereço de rua",
-  "v2.page.settings-profile-edit-birthdate.default.navbar-title": "Data de nascimento",
+  "v2.page.settings-profile-edit-address.default.title": "Endereço",
+  "v2.page.settings-profile-edit-birthdate.default.title": "Data de nascimento",
   "v2.page.settings-profile-edit-gender.default.gender-label-custom": "Personalizado",
   "v2.page.settings-profile-edit-gender.default.gender-label-female": "Feminino",
   "v2.page.settings-profile-edit-gender.default.gender-label-male": "Masculino",
   "v2.page.settings-profile-edit-gender.default.gender-label-unspecified": "Não fornecido",
   "v2.page.settings-profile-edit-gender.default.title": "Género",
-  "v2.page.settings-profile-edit-locale.default.navbar-title": "Língua",
+  "v2.page.settings-profile-edit-locale.default.title": "Língua",
   "v2.page.settings-profile-edit-name.default.family-name-input-label": "Apelido",
   "v2.page.settings-profile-edit-name.default.fullname-input-label": "Nome completo",
   "v2.page.settings-profile-edit-name.default.given-name-input-label": "Nome próprio",
   "v2.page.settings-profile-edit-name.default.middle-name-input-label": "Nome do meio",
-  "v2.page.settings-profile-edit-name.default.navbar-title": "Nome",
   "v2.page.settings-profile-edit-name.default.nickname-input-label": "Alcunha",
-  "v2.page.settings-profile-edit-zoneinfo.default.navbar-title": "Fuso horário",
+  "v2.page.settings-profile-edit-name.default.title": "Nome",
+  "v2.page.settings-profile-edit-zoneinfo.default.title": "Fuso horário",
   "v2.page.settings-profile-no-permission.default.content": "Não autorizado",
   "v2.page.settings-profile-no-permission.default.title": "Problemas Inesperados",
   "v2.page.settings-profile.default.address-title": "Endereço",
@@ -1146,9 +1241,21 @@
   "v2.page.settings-profile.default.gender-title": "Género",
   "v2.page.settings-profile.default.language-title": "Idioma",
   "v2.page.settings-profile.default.name-title": "Nome",
-  "v2.page.settings-profile.default.navbar-title": "Perfil",
   "v2.page.settings-profile.default.profile-picture-title": "Foto de Perfil",
+  "v2.page.settings-profile.default.title": "Perfil",
   "v2.page.settings-profile.default.zoneinfo-title": "Fuso Horário",
+  "v2.page.settings-sessions.default.all-sessions-dialog-description": "Isto irá remover o acesso à sua conta de todos os outros dispositivos",
+  "v2.page.settings-sessions.default.all-sessions-dialog-title": "Terminar todas as outras sessões",
+  "v2.page.settings-sessions.default.country-ip-item-description": "{countryName} ({countryCode}) - {ip}",
+  "v2.page.settings-sessions.default.device-item-description": "{isCurrent, select, true {{desc} · <span class=\"settings-description--primary-color\">Ativo Agora</span>} other {{desc} · <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>}}",
+  "v2.page.settings-sessions.default.revoke-all-label": "Terminar todas as outras sessões",
+  "v2.page.settings-sessions.default.session-dialog-description": "Isto irá remover o acesso à sua conta neste dispositivo",
+  "v2.page.settings-sessions.default.session-dialog-title": "Terminar sessão",
+  "v2.page.settings-sessions.default.title": "Dispositivos com Sessão Iniciada",
+  "v2.page.settings-totp.default.added-at-label": "Adicionado em <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-totp.default.button-add-authenticator-label": "+ Adicionar aplicação/dispositivo de autenticação",
+  "v2.page.settings-totp.default.title": "Aplicação/dispositivo de autenticação",
+  "v2.page.settings.default.button-label-account-deletion": "Eliminar Conta",
   "v2.page.settings.default.button-label-advanced-settings": "Definições Avançadas",
   "v2.page.settings.default.button-label-and-more": "{item} e mais",
   "v2.page.settings.default.button-label-back-to-app": "Voltar à minha aplicação",
diff --git a/resources/authgear/templates/pt/translation.json b/resources/authgear/templates/pt/translation.json
index 53af5bcfb2..79092c1331 100644
--- a/resources/authgear/templates/pt/translation.json
+++ b/resources/authgear/templates/pt/translation.json
@@ -879,13 +879,17 @@
   "v2.component.bot-protection-widget.default.noscript": "JavaScript é necessário para a verificação de captcha. Por favor, ative o JavaScript no seu navegador para prosseguir.",
   "v2.component.button.default.copy": "Copiar",
   "v2.component.button.default.download": "Baixar",
+  "v2.component.button.default.label-cancel": "Cancelar",
   "v2.component.button.default.label-continue": "Continuar",
   "v2.component.button.default.label-continue-with-passkey": "Continue with Passkey",
   "v2.component.button.default.label-continue-with-phone": "Continuar com Número de Telefone",
   "v2.component.button.default.label-continue-with-text-login-id": "Continuar com {variant, select, email {Email} username {Nome de Usuário} other {Email / Nome de Usuário}}",
+  "v2.component.button.default.label-edit": "Editar",
   "v2.component.button.default.label-login": "Entrar",
+  "v2.component.button.default.label-remove": "Remover",
   "v2.component.button.default.label-save": "Salvar",
   "v2.component.button.default.label-send": "Enviar",
+  "v2.component.button.default.label-terminate": "Terminar",
   "v2.component.device-token-checkbox.default.label": "Lembrar este dispositivo e não perguntar novamente",
   "v2.component.divider.default.or-label": "ou",
   "v2.component.input.default.placeholder-email": "Endereço de email",
@@ -923,6 +927,7 @@
   "v2.component.oob-otp-resend-button.default.countdown-unit": "Reenviar código em %s",
   "v2.component.oob-otp-resend-button.default.label": "Reenviar código",
   "v2.component.password-input.default.hide-password": "Ocultar senha",
+  "v2.component.password-input.default.placeholder-confirm-new-password": "Insira novamente a nova senha",
   "v2.component.password-input.default.placeholder-confirm-password": "Confirmar Senha",
   "v2.component.password-input.default.placeholder-new-password": "Nova Senha",
   "v2.component.password-input.default.placeholder-password": "Senha atual",
@@ -932,7 +937,6 @@
   "v2.component.select-input.default.no-results-found": "Nenhum resultado encontrado",
   "v2.component.select-input.default.not-provided-label": "Não fornecido",
   "v2.component.select-input.default.search-label": "Pesquisar",
-  "v2.component.select-input.default.unset-label": "Não definido",
   "v2.component.toc-pp-footer.default.label": "Ao se registrar, você concorda com {variant, select, both{<a class=\"link-btn\" target=\"_blank\" href=\"{termsOfService}\">Termos de Serviço</a> e <a class=\"link-btn\" target=\"_blank\" href=\"{privacyPolicy}\">Política de Privacidade</a>} termsOnly{<a class=\"link\" target=\"_blank\" href=\"{termsOfService}\">Termos de Serviço</a>} privacyOnly{<a class=\"link\" target=\"_blank\" href=\"{privacyPolicy}\">Política de Privacidade</a>} other{}}",
   "v2.component.verify-bot-protection.default.description": "Você será redirecionado em breve após concluir o desafio 'Passkey'",
   "v2.component.verify-bot-protection.default.title": "Verificando o seu sistema...",
@@ -1115,26 +1119,117 @@
   "v2.page.select-account.default.description": "Você fez login com {email_is_present,select,true{{email}} other{{phone_number_is_present,select,true{{phone_number}} other{{preferred_username}}}}}. Prossiga para continuar.",
   "v2.page.select-account.default.title": "Faça login em {AppOrClientName}",
   "v2.page.select-account.default.use-another-account": "Usar outra conta",
+  "v2.page.settings-advanced-settings.default.title": "Configurações Avançadas",
+  "v2.page.settings-biometric.default.dialog-description": "Tem certeza de que deseja desconectar o login biométrico para este dispositivo?",
+  "v2.page.settings-biometric.default.dialog-title": "Desconectar Login Biométrico",
+  "v2.page.settings-biometric.default.disconnect-button-label": "Desconectar",
+  "v2.page.settings-biometric.default.item-description": "Criado em <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-biometric.default.no-biometric-description": "Você não tem nenhum dispositivo com biometria ativada.",
+  "v2.page.settings-biometric.default.title": "Login Biométrico",
+  "v2.page.settings-biometric.default.unknown-name-item-label": "Dispositivo Desconhecido",
+  "v2.page.settings-change-password.default.title": "Alterar Senha",
+  "v2.page.settings-delete-account-success.default.button-label": "Concluído",
+  "v2.page.settings-delete-account-success.default.description": "Sua conta foi desativada e os dados serão excluídos em <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account-success.default.title": "Exclusão de conta agendada",
+  "v2.page.settings-delete-account.default.button-label": "Excluir Conta",
+  "v2.page.settings-delete-account.default.description": "Ao excluir a conta, todos os dados serão permanentemente excluídos e não poderemos recuperá-los. Se você continuar, sua conta será excluída em <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account.default.input-placeholder": "Digite <b>{input}</b> para confirmar",
+  "v2.page.settings-delete-account.default.title": "Excluir Conta",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-maximum": "Por favor, insira um número menor ou igual a {maximum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum": "Por favor, insira um número maior ou igual a {minimum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum-maximum": "Por favor, insira um número entre {minimum} e {maximum}",
+  "v2.page.settings-identity-add-email.default.email-input-placeholder": "Novo Endereço de Email",
+  "v2.page.settings-identity-add-email.default.title": "Adicionar Novo Email",
+  "v2.page.settings-identity-add-phone.default.phone-input-placeholder": "Número de Telefone",
+  "v2.page.settings-identity-add-phone.default.title": "Adicionar Novo Telefone",
+  "v2.page.settings-identity-change-primary-email.default.title": "Email Primário",
+  "v2.page.settings-identity-change-primary-phone.default.title": "Telefone Primário",
+  "v2.page.settings-identity-edit-email.default.description": "Seu e-mail atual é {target}",
+  "v2.page.settings-identity-edit-email.default.email-input-placeholder": "Novo Endereço de E-mail",
+  "v2.page.settings-identity-edit-email.default.title": "Editar E-mail",
+  "v2.page.settings-identity-edit-phone.default.description": "Seu número de telefone atual é {target}",
+  "v2.page.settings-identity-edit-phone.default.phone-input-placeholder": "Número de Telefone",
+  "v2.page.settings-identity-edit-phone.default.title": "Editar Telefone",
+  "v2.page.settings-identity-edit-username.default.title": "Alterar Nome de Usuário",
+  "v2.page.settings-identity-email.default.title": "Email",
+  "v2.page.settings-identity-list-email.default.button-add-email-label": "+ Adicionar email",
+  "v2.page.settings-identity-list-email.default.button-change-primary-email-label": "Alterar",
+  "v2.page.settings-identity-list-email.default.primary-email-label": "Email primário",
+  "v2.page.settings-identity-list-phone.default.button-add-phone-label": "+ Adicionar novo número de telefone",
+  "v2.page.settings-identity-list-phone.default.button-change-primary-phone-label": "Alterar",
+  "v2.page.settings-identity-list-phone.default.primary-phone-label": "telefone primário",
+  "v2.page.settings-identity-list-username.default.button-add-username-label": "+ Adicionar nome de usuário",
+  "v2.page.settings-identity-list-username.default.title": "Nome de usuário",
+  "v2.page.settings-identity-new-username.default.title": "Adicionar Nome de Usuário",
+  "v2.page.settings-identity-phone.default.title": "Telefone",
+  "v2.page.settings-identity-verify-email.default.title": "Verificação",
+  "v2.page.settings-identity-verify-phone.default.title": "Verificação",
+  "v2.page.settings-identity-view-email.default.button-edit-email-label": "Editar",
+  "v2.page.settings-identity-view-email.default.button-remove-email-label": "Remover este email",
+  "v2.page.settings-identity-view-email.default.button-verify-email-label": "Verificar",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-description": "Tem certeza de que deseja remover o endereço de email {target} da sua conta?",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-title": "Remover Endereço de Email",
+  "v2.page.settings-identity-view-phone.default.button-edit-phone-label": "Editar",
+  "v2.page.settings-identity-view-phone.default.button-remove-phone-label": "Remover este telefone",
+  "v2.page.settings-identity-view-phone.default.button-verify-phone-label": "Verificar",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-description": "Tem certeza de que deseja remover o número de telefone {target} da sua conta?",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-title": "Remover Número de Telefone",
+  "v2.page.settings-identity-view-username.default.button-remove-label": "Remover nome de usuário",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-description": "Tem certeza de que deseja remover o nome de usuário <span class=\"settings-dialog__description-text--highlight\">{Username}</span> da sua conta?",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-title": "Remover Nome de Usuário",
+  "v2.page.settings-identity-view-username.default.title": "Nome de Usuário",
+  "v2.page.settings-identity.default.verification-status-unverified-label": "Não Verificado",
+  "v2.page.settings-identity.default.verification-status-verified-label": "Verificado",
+  "v2.page.settings-mfa-create-password.default.title": "Senha adicional",
+  "v2.page.settings-mfa-password.default.additional-password-added-at": "Adicionado em <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.additional-password-label": "Senha adicional",
+  "v2.page.settings-mfa-password.default.additional-password-updated-at": "Atualizado em <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.dialog-delete-description": "Tem certeza de que deseja remover a senha adicional?",
+  "v2.page.settings-mfa-password.default.dialog-delete-title": "Remover senha adicional",
+  "v2.page.settings-mfa-password.default.remove-button-label": "Remover senha adicional",
+  "v2.page.settings-mfa-password.default.title": "Senha adicional",
+  "v2.page.settings-mfa.default.activated-label": "Ativado",
+  "v2.page.settings-mfa.default.additional-password-label": "Senha adicional",
+  "v2.page.settings-mfa.default.dialog-revoke-device-description": "Você tem {NumberOfDeviceTokens, plural, one{# dispositivo confiável} other{# dispositivos confiáveis}} associados à sua conta. Deseja remover todos os dispositivos confiáveis?",
+  "v2.page.settings-mfa.default.dialog-revoke-device-title": "Remover dispositivos confiáveis",
+  "v2.page.settings-mfa.default.inactive-label": "Inativo",
+  "v2.page.settings-mfa.default.secondary-oob-otp-email-label": "Email",
+  "v2.page.settings-mfa.default.secondary-oob-otp-sms-label": "Mensagem do Whatsapp/SMS",
+  "v2.page.settings-mfa.default.secondary-totp-label": "Aplicativo/dispositivo autenticador",
+  "v2.page.settings-mfa.default.title": "Autenticação de 2 Fatores",
+  "v2.page.settings-mfa.default.trusted-devices-has-device-tokens-message": "Você tem {NumberOfDeviceTokens, plural, one{# dispositivo confiável} other{# dispositivos confiáveis}}",
+  "v2.page.settings-mfa.default.trusted-devices-label": "Dispositivos confiáveis",
+  "v2.page.settings-mfa.default.trusted-devices-no-device-tokens-message": "Você não tem nenhum dispositivo confiável que possa ignorar a verificação de 2 etapas.",
+  "v2.page.settings-oob-otp-email.default.title": "Email",
+  "v2.page.settings-oob-otp-sms.default.title": "Mensagem WhatsApp/SMS",
+  "v2.page.settings-oob-otp.default.added-at-label": "Adicionado em <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-oob-otp.default.button-oob-otp-email-label": "+ Adicionar email",
+  "v2.page.settings-oob-otp.default.button-oob-otp-sms-label": "+ Adicionar número de telefone WhatsApp/SMS",
+  "v2.page.settings-passkey.default.add-passkey-button-label": "+ Adicionar 'Passkey'",
+  "v2.page.settings-passkey.default.dialog-description": "Tem certeza de que deseja remover esta chave de acesso?",
+  "v2.page.settings-passkey.default.dialog-title": "Remover Chave de Acesso",
+  "v2.page.settings-passkey.default.item-description": "Adicionado em <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-passkey.default.title": "Chave de Acesso",
   "v2.page.settings-profile-edit-address.default.country-label": "País",
   "v2.page.settings-profile-edit-address.default.locality-label": "Cidade",
-  "v2.page.settings-profile-edit-address.default.navbar-title": "Endereço",
   "v2.page.settings-profile-edit-address.default.postal-code-label": "Código postal",
   "v2.page.settings-profile-edit-address.default.region-label": "Região",
   "v2.page.settings-profile-edit-address.default.street-label": "Endereço de rua",
-  "v2.page.settings-profile-edit-birthdate.default.navbar-title": "Data de nascimento",
+  "v2.page.settings-profile-edit-address.default.title": "Endereço",
+  "v2.page.settings-profile-edit-birthdate.default.title": "Data de nascimento",
   "v2.page.settings-profile-edit-gender.default.gender-label-custom": "Personalizado",
   "v2.page.settings-profile-edit-gender.default.gender-label-female": "Feminino",
   "v2.page.settings-profile-edit-gender.default.gender-label-male": "Masculino",
   "v2.page.settings-profile-edit-gender.default.gender-label-unspecified": "Não fornecido",
   "v2.page.settings-profile-edit-gender.default.title": "Gênero",
-  "v2.page.settings-profile-edit-locale.default.navbar-title": "Idioma",
+  "v2.page.settings-profile-edit-locale.default.title": "Idioma",
   "v2.page.settings-profile-edit-name.default.family-name-input-label": "Sobrenome",
   "v2.page.settings-profile-edit-name.default.fullname-input-label": "Nome completo",
   "v2.page.settings-profile-edit-name.default.given-name-input-label": "Primeiro nome",
   "v2.page.settings-profile-edit-name.default.middle-name-input-label": "Nome do meio",
-  "v2.page.settings-profile-edit-name.default.navbar-title": "Nome",
   "v2.page.settings-profile-edit-name.default.nickname-input-label": "Apelido",
-  "v2.page.settings-profile-edit-zoneinfo.default.navbar-title": "Fuso horário",
+  "v2.page.settings-profile-edit-name.default.title": "Nome",
+  "v2.page.settings-profile-edit-zoneinfo.default.title": "Fuso horário",
   "v2.page.settings-profile-no-permission.default.content": "Não autorizado",
   "v2.page.settings-profile-no-permission.default.title": "Problemas Inesperados",
   "v2.page.settings-profile.default.address-title": "Endereço",
@@ -1146,9 +1241,21 @@
   "v2.page.settings-profile.default.gender-title": "Gênero",
   "v2.page.settings-profile.default.language-title": "Idioma",
   "v2.page.settings-profile.default.name-title": "Nome",
-  "v2.page.settings-profile.default.navbar-title": "Perfil",
   "v2.page.settings-profile.default.profile-picture-title": "Foto de Perfil",
+  "v2.page.settings-profile.default.title": "Perfil",
   "v2.page.settings-profile.default.zoneinfo-title": "Fuso Horário",
+  "v2.page.settings-sessions.default.all-sessions-dialog-description": "Isto irá remover o acesso à sua conta de todos os outros dispositivos",
+  "v2.page.settings-sessions.default.all-sessions-dialog-title": "Terminar todas as outras sessões",
+  "v2.page.settings-sessions.default.country-ip-item-description": "{countryName} ({countryCode}) - {ip}",
+  "v2.page.settings-sessions.default.device-item-description": "{isCurrent, select, true {{desc} · <span class=\"settings-description--primary-color\">Ativo Agora</span>} other {{desc} · <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>}}",
+  "v2.page.settings-sessions.default.revoke-all-label": "Terminar todas as outras sessões",
+  "v2.page.settings-sessions.default.session-dialog-description": "Isto irá remover o acesso à sua conta neste dispositivo",
+  "v2.page.settings-sessions.default.session-dialog-title": "Terminar sessão",
+  "v2.page.settings-sessions.default.title": "Dispositivos com Sessão Iniciada",
+  "v2.page.settings-totp.default.added-at-label": "Adicionado em <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-totp.default.button-add-authenticator-label": "+ Adicionar aplicativo/dispositivo autenticador",
+  "v2.page.settings-totp.default.title": "Aplicativo/dispositivo autenticador",
+  "v2.page.settings.default.button-label-account-deletion": "Excluir Conta",
   "v2.page.settings.default.button-label-advanced-settings": "Configurações Avançadas",
   "v2.page.settings.default.button-label-and-more": "{item} e mais",
   "v2.page.settings.default.button-label-back-to-app": "Voltar para meu aplicativo",
diff --git a/resources/authgear/templates/th/translation.json b/resources/authgear/templates/th/translation.json
index 5949631d11..b1b9e2a219 100644
--- a/resources/authgear/templates/th/translation.json
+++ b/resources/authgear/templates/th/translation.json
@@ -879,13 +879,17 @@
   "v2.component.bot-protection-widget.default.noscript": "จำเป็นต้องใช้ JavaScript สำหรับการยืนยันแคปท์ชา โปรดเปิดใช้งาน JavaScript ในเบราว์เซอร์ของคุณเพื่อดำเเนินการต่อ",
   "v2.component.button.default.copy": "คัดลอก",
   "v2.component.button.default.download": "ดาวน์โหลด",
+  "v2.component.button.default.label-cancel": "ยกเลิก",
   "v2.component.button.default.label-continue": "ดำเนินการต่อ",
   "v2.component.button.default.label-continue-with-passkey": "ดำเนินการต่อด้วย Passkey",
   "v2.component.button.default.label-continue-with-phone": "ดำเนินการต''อด''วยหมายเลขโทรศัพท''",
   "v2.component.button.default.label-continue-with-text-login-id": "ดำเนินการต่อด้วย {variant, select, email {อีเมล} username {ชื่อผู้ใช้} other {อีเมล / ชื่อผู้ใช้}}",
+  "v2.component.button.default.label-edit": "แก้ไข",
   "v2.component.button.default.label-login": "เข้าสู่ระบบ",
+  "v2.component.button.default.label-remove": "นำออก",
   "v2.component.button.default.label-save": "บันทึก",
   "v2.component.button.default.label-send": "ส่ง",
+  "v2.component.button.default.label-terminate": "สิ้นสุด",
   "v2.component.device-token-checkbox.default.label": "จดจำอุปกรณ์นี้ และอย่าถามอีก",
   "v2.component.divider.default.or-label": "หรือ",
   "v2.component.input.default.placeholder-email": "ที่อยู่อีเมล",
@@ -923,6 +927,7 @@
   "v2.component.oob-otp-resend-button.default.countdown-unit": "ส่งรหัสอีกครั้งใน %s",
   "v2.component.oob-otp-resend-button.default.label": "ส่งรหัสอีกครั้ง",
   "v2.component.password-input.default.hide-password": "ซ่อนรหัสผ่าน",
+  "v2.component.password-input.default.placeholder-confirm-new-password": "ใส่รหัสผ่านใหม่อีกครั้ง",
   "v2.component.password-input.default.placeholder-confirm-password": "ป้อนรหัสผ่านอีกครั้ง",
   "v2.component.password-input.default.placeholder-new-password": "รหัสผ่านใหม่",
   "v2.component.password-input.default.placeholder-password": "รหัสผ่านปัจจุบัน",
@@ -932,7 +937,6 @@
   "v2.component.select-input.default.no-results-found": "ไม่พบผลลัพธ์",
   "v2.component.select-input.default.not-provided-label": "ไม่ได้ระบุ",
   "v2.component.select-input.default.search-label": "ค้นหา",
-  "v2.component.select-input.default.unset-label": "ยกเลิก",
   "v2.component.toc-pp-footer.default.label": "โดยการลงทะเบียน คุณตกลงกับ {variant, select, both{<a class=\"link-btn\" target=\"_blank\" href=\"{termsOfService}\">ข้อกำหนดการให้บริการ</a> และ <a class=\"link-btn\" target=\"_blank\" href=\"{privacyPolicy}\">นโยบายความเป็นส่วนตัว</a>} termsOnly{<a class=\"link\" target=\"_blank\" href=\"{termsOfService}\">ข้อกำหนดการให้บริการ</a>} privacyOnly{<a class=\"link\" target=\"_blank\" href=\"{privacyPolicy}\">นโยบายความเป็นส่วนตัว</a>} other{}}",
   "v2.component.verify-bot-protection.default.description": "คุณจะถูกเปลี่ยนเส้นทางหลังจากที่คุณผ่านการทดสอบแล้ว",
   "v2.component.verify-bot-protection.default.title": "กำลังตรวจสอบระบบของคุณ...",
@@ -1115,26 +1119,117 @@
   "v2.page.select-account.default.description": "คุณได้เข้าสู่ระบบด้วย {IdentityDisplayName} ดำเนินการต่อเพื่อดำเนินการต่อ.",
   "v2.page.select-account.default.title": "เข้าสู่ระบบ {AppOrClientName}",
   "v2.page.select-account.default.use-another-account": "ใช้บัญชีอื่น",
+  "v2.page.settings-advanced-settings.default.title": "การตั้งค่าขั้นสูง",
+  "v2.page.settings-biometric.default.dialog-description": "คุณแน่ใจหรือไม่ว่าต้องการยกเลิกการเชื่อมต่อการเข้าสู่ระบบด้วยชีวภาพสำหรับอุปกรณ์นี้?",
+  "v2.page.settings-biometric.default.dialog-title": "ยกเลิกการเชื่อมต่อการเข้าสู่ระบบด้วยชีวภาพ",
+  "v2.page.settings-biometric.default.disconnect-button-label": "ยกเลิกการเชื่อมต่อ",
+  "v2.page.settings-biometric.default.item-description": "สร้างเมื่อ <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-biometric.default.no-biometric-description": "คุณไม่มีอุปกรณ์ที่เปิดใช้งานชีวภาพ",
+  "v2.page.settings-biometric.default.title": "การเข้าสู่ระบบด้วยชีวภาพ",
+  "v2.page.settings-biometric.default.unknown-name-item-label": "อุปกรณ์ที่ไม่รู้จัก",
+  "v2.page.settings-change-password.default.title": "เปลี่ยนรหัสผ่าน",
+  "v2.page.settings-delete-account-success.default.button-label": "เสร็จสิ้น",
+  "v2.page.settings-delete-account-success.default.description": "บัญชีของคุณถูกปิดการใช้งานแล้ว และข้อมูลจะถูกลบใน <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account-success.default.title": "กำหนดการลบบัญชีแล้ว",
+  "v2.page.settings-delete-account.default.button-label": "ลบบัญชี",
+  "v2.page.settings-delete-account.default.description": "การลบบัญชีจะทำให้ข้อมูลทั้งหมดถูกลบอย่างถาวร และเราจะไม่สามารถกู้คืนได้ หากคุณดำเนินการต่อ บัญชีของคุณจะถูกลบใน <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account.default.input-placeholder": "พิมพ์ <b>{input}</b> เพื่อยืนยัน",
+  "v2.page.settings-delete-account.default.title": "ลบบัญชี",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-maximum": "กรุณาป้อนตัวเลขที่น้อยกว่าหรือเท่ากับ {maximum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum": "กรุณาป้อนตัวเลขที่มากกว่าหรือเท่ากับ {minimum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum-maximum": "กรุณาป้อนตัวเลขระหว่าง {minimum} และ {maximum}",
+  "v2.page.settings-identity-add-email.default.email-input-placeholder": "ที่อยู่อีเมลใหม่",
+  "v2.page.settings-identity-add-email.default.title": "เพิ่มอีเมลใหม่",
+  "v2.page.settings-identity-add-phone.default.phone-input-placeholder": "หมายเลขโทรศัพท์",
+  "v2.page.settings-identity-add-phone.default.title": "เพิ่มหมายเลขโทรศัพท์ใหม่",
+  "v2.page.settings-identity-change-primary-email.default.title": "อีเมลหลัก",
+  "v2.page.settings-identity-change-primary-phone.default.title": "หมายเลขโทรศัพท์หลัก",
+  "v2.page.settings-identity-edit-email.default.description": "อีเมลปัจจุบันของคุณคือ {target}",
+  "v2.page.settings-identity-edit-email.default.email-input-placeholder": "ที่อยู่อีเมลใหม่",
+  "v2.page.settings-identity-edit-email.default.title": "แก้ไขอีเมล",
+  "v2.page.settings-identity-edit-phone.default.description": "หมายเลขโทรศัพท์ปัจจุบันของคุณคือ {target}",
+  "v2.page.settings-identity-edit-phone.default.phone-input-placeholder": "หมายเลขโทรศัพท์",
+  "v2.page.settings-identity-edit-phone.default.title": "แก้ไขหมายเลขโทรศัพท์",
+  "v2.page.settings-identity-edit-username.default.title": "เปลี่ยนชื่อผู้ใช้",
+  "v2.page.settings-identity-email.default.title": "อีเมล",
+  "v2.page.settings-identity-list-email.default.button-add-email-label": "+ เพิ่มอีเมล",
+  "v2.page.settings-identity-list-email.default.button-change-primary-email-label": "เปลี่ยน",
+  "v2.page.settings-identity-list-email.default.primary-email-label": "อีเมลหลัก",
+  "v2.page.settings-identity-list-phone.default.button-add-phone-label": "+ เพิ่มหมายเลขโทรศัพท์ใหม่",
+  "v2.page.settings-identity-list-phone.default.button-change-primary-phone-label": "เปลี่ยน",
+  "v2.page.settings-identity-list-phone.default.primary-phone-label": "หมายเลขโทรศัพท์หลัก",
+  "v2.page.settings-identity-list-username.default.button-add-username-label": "+ เพิ่มชื่อผู้ใช้",
+  "v2.page.settings-identity-list-username.default.title": "ชื่อผู้ใช้",
+  "v2.page.settings-identity-new-username.default.title": "เพิ่มชื่อผู้ใช้",
+  "v2.page.settings-identity-phone.default.title": "โทรศัพท์",
+  "v2.page.settings-identity-verify-email.default.title": "การยืนยัน",
+  "v2.page.settings-identity-verify-phone.default.title": "การยืนยัน",
+  "v2.page.settings-identity-view-email.default.button-edit-email-label": "แก้ไข",
+  "v2.page.settings-identity-view-email.default.button-remove-email-label": "นำอีเมลนี้ออก",
+  "v2.page.settings-identity-view-email.default.button-verify-email-label": "ยืนยัน",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-description": "คุณแน่ใจหรือไม่ว่าต้องการนำที่อยู่อีเมล {target} ออกจากบัญชีของคุณ?",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-title": "นำที่อยู่อีเมลออก",
+  "v2.page.settings-identity-view-phone.default.button-edit-phone-label": "แก้ไข",
+  "v2.page.settings-identity-view-phone.default.button-remove-phone-label": "ลบหมายเลขโทรศัพท์นี้",
+  "v2.page.settings-identity-view-phone.default.button-verify-phone-label": "ยืนยัน",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-description": "คุณแน่ใจหรือไม่ว่าต้องการลบหมายเลขโทรศัพท์ {target} ออกจากบัญชีของคุณ?",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-title": "ลบหมายเลขโทรศัพท์",
+  "v2.page.settings-identity-view-username.default.button-remove-label": "ลบชื่อผู้ใช้",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-description": "คุณแน่ใจหรือไม่ว่าต้องการลบชื่อผู้ใช้ <span class=\"settings-dialog__description-text--highlight\">{Username}</span> ออกจากบัญชีของคุณ?",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-title": "ลบชื่อผู้ใช้",
+  "v2.page.settings-identity-view-username.default.title": "ชื่อผู้ใช้",
+  "v2.page.settings-identity.default.verification-status-unverified-label": "ยังไม่ได้รับการยืนยัน",
+  "v2.page.settings-identity.default.verification-status-verified-label": "ได้รับการยืนยันแล้ว",
+  "v2.page.settings-mfa-create-password.default.title": "รหัสผ่านเพิ่มเติม",
+  "v2.page.settings-mfa-password.default.additional-password-added-at": "เพิ่มเมื่อ <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.additional-password-label": "รหัสผ่านเพิ่มเติม",
+  "v2.page.settings-mfa-password.default.additional-password-updated-at": "อัปเดตเมื่อ <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.dialog-delete-description": "คุณแน่ใจหรือไม่ว่าต้องการลบรหัสผ่านเพิ่มเติม",
+  "v2.page.settings-mfa-password.default.dialog-delete-title": "ลบรหัสผ่านเพิ่มเติม",
+  "v2.page.settings-mfa-password.default.remove-button-label": "ลบรหัสผ่านเพิ่มเติม",
+  "v2.page.settings-mfa-password.default.title": "รหัสผ่านเพิ่มเติม",
+  "v2.page.settings-mfa.default.activated-label": "เปิดใช้งานแล้ว",
+  "v2.page.settings-mfa.default.additional-password-label": "รหัสผ่านเพิ่มเติม",
+  "v2.page.settings-mfa.default.dialog-revoke-device-description": "คุณมี {NumberOfDeviceTokens, plural, one{# อุปกรณ์ที่ได้รับการไว้วางใจ} other{# อุปกรณ์ที่ได้รับการไว้วางใจ}} ที่เชื่อมโยงกับบัญชีของคุณ คุณต้องการลบอุปกรณ์ที่ได้รับการไว้วางใจทั้งหมดหรือไม่",
+  "v2.page.settings-mfa.default.dialog-revoke-device-title": "ลบอุปกรณ์ที่ได้รับการไว้วางใจ",
+  "v2.page.settings-mfa.default.inactive-label": "ไม่ได้ใช้งาน",
+  "v2.page.settings-mfa.default.secondary-oob-otp-email-label": "อีเมล",
+  "v2.page.settings-mfa.default.secondary-oob-otp-sms-label": "ข้อความ Whatsapp/SMS",
+  "v2.page.settings-mfa.default.secondary-totp-label": "แอปพลิเคชันหรืออุปกรณ์ตรวจสอบสิทธิ์",
+  "v2.page.settings-mfa.default.title": "การยืนยันตัวตนสองปัจจัย",
+  "v2.page.settings-mfa.default.trusted-devices-has-device-tokens-message": "คุณมี {NumberOfDeviceTokens, plural, one{# อุปกรณ์ที่เชื่อถือได้} other{# อุปกรณ์ที่เชื่อถือได้}}",
+  "v2.page.settings-mfa.default.trusted-devices-label": "อุปกรณ์ที่เชื่อถือได้",
+  "v2.page.settings-mfa.default.trusted-devices-no-device-tokens-message": "คุณไม่มีอุปกรณ์ที่เชื่อถือได้ที่สามารถข้ามการตรวจสอบสิทธิ์ 2 ขั้นตอน",
+  "v2.page.settings-oob-otp-email.default.title": "อีเมล",
+  "v2.page.settings-oob-otp-sms.default.title": "ข้อความ WhatsApp/SMS",
+  "v2.page.settings-oob-otp.default.added-at-label": "เพิ่มเมื่อ <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-oob-otp.default.button-oob-otp-email-label": "+ เพิ่มอีเมล",
+  "v2.page.settings-oob-otp.default.button-oob-otp-sms-label": "+ เพิ่มหมายเลขโทรศัพท์ WhatsApp/SMS",
+  "v2.page.settings-passkey.default.add-passkey-button-label": "+ เพิ่ม Passkey",
+  "v2.page.settings-passkey.default.dialog-description": "คุณแน่ใจหรือไม่ว่าต้องการลบ Passkey นี้?",
+  "v2.page.settings-passkey.default.dialog-title": "ลบ Passkey",
+  "v2.page.settings-passkey.default.item-description": "เพิ่มเมื่อ <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-passkey.default.title": "Passkey",
   "v2.page.settings-profile-edit-address.default.country-label": "ประเทศ",
   "v2.page.settings-profile-edit-address.default.locality-label": "เมือง",
-  "v2.page.settings-profile-edit-address.default.navbar-title": "ที่อยู่",
   "v2.page.settings-profile-edit-address.default.postal-code-label": "รหัสไปรษณีย์",
   "v2.page.settings-profile-edit-address.default.region-label": "ภูมิภาค",
   "v2.page.settings-profile-edit-address.default.street-label": "ที่อยู่ถนน",
-  "v2.page.settings-profile-edit-birthdate.default.navbar-title": "วันเกิด",
+  "v2.page.settings-profile-edit-address.default.title": "ที่อยู่",
+  "v2.page.settings-profile-edit-birthdate.default.title": "วันเกิด",
   "v2.page.settings-profile-edit-gender.default.gender-label-custom": "กำหนดเอง",
   "v2.page.settings-profile-edit-gender.default.gender-label-female": "หญิง",
   "v2.page.settings-profile-edit-gender.default.gender-label-male": "ชาย",
   "v2.page.settings-profile-edit-gender.default.gender-label-unspecified": "ไม่ได้ระบุ",
   "v2.page.settings-profile-edit-gender.default.title": "เพศ",
-  "v2.page.settings-profile-edit-locale.default.navbar-title": "ภาษา",
+  "v2.page.settings-profile-edit-locale.default.title": "ภาษา",
   "v2.page.settings-profile-edit-name.default.family-name-input-label": "นามสกุล",
   "v2.page.settings-profile-edit-name.default.fullname-input-label": "ชื่อเต็ม",
   "v2.page.settings-profile-edit-name.default.given-name-input-label": "ชื่อจริง",
   "v2.page.settings-profile-edit-name.default.middle-name-input-label": "ชื่อกลาง",
-  "v2.page.settings-profile-edit-name.default.navbar-title": "ชื่อ",
   "v2.page.settings-profile-edit-name.default.nickname-input-label": "ชื่อเล่น",
-  "v2.page.settings-profile-edit-zoneinfo.default.navbar-title": "เขตเวลา",
+  "v2.page.settings-profile-edit-name.default.title": "ชื่อ",
+  "v2.page.settings-profile-edit-zoneinfo.default.title": "เขตเวลา",
   "v2.page.settings-profile-no-permission.default.content": "ไม่ได้รับอนุญาต",
   "v2.page.settings-profile-no-permission.default.title": "ปัญหาที่ไม่คาดคิด",
   "v2.page.settings-profile.default.address-title": "ที่อยู่",
@@ -1146,9 +1241,21 @@
   "v2.page.settings-profile.default.gender-title": "เพศ",
   "v2.page.settings-profile.default.language-title": "ภาษา",
   "v2.page.settings-profile.default.name-title": "ชื่อ",
-  "v2.page.settings-profile.default.navbar-title": "โปรไฟล์",
   "v2.page.settings-profile.default.profile-picture-title": "รูปโปรไฟล์",
+  "v2.page.settings-profile.default.title": "โปรไฟล์",
   "v2.page.settings-profile.default.zoneinfo-title": "เขตเวลา",
+  "v2.page.settings-sessions.default.all-sessions-dialog-description": "สิ่งนี้จะลบการเข้าถึงบัญชีของคุณจากอุปกรณ์อื่นๆ ทั้งหมด",
+  "v2.page.settings-sessions.default.all-sessions-dialog-title": "สิ้นสุดเซสชันอื่นๆ ทั้งหมด",
+  "v2.page.settings-sessions.default.country-ip-item-description": "{countryName} ({countryCode}) - {ip}",
+  "v2.page.settings-sessions.default.device-item-description": "{isCurrent, select, true {{desc} · <span class=\"settings-description--primary-color\">ใช้งานอยู่ในขณะนี้</span>} other {{desc} · <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>}}",
+  "v2.page.settings-sessions.default.revoke-all-label": "สิ้นสุดเซสชันอื่นๆ ทั้งหมด",
+  "v2.page.settings-sessions.default.session-dialog-description": "สิ่งนี้จะลบการเข้าถึงบัญชีของคุณบนอุปกรณ์นี้",
+  "v2.page.settings-sessions.default.session-dialog-title": "สิ้นสุดเซสชัน",
+  "v2.page.settings-sessions.default.title": "อุปกรณ์ที่เข้าสู่ระบบ",
+  "v2.page.settings-totp.default.added-at-label": "เพิ่มเมื่อ <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-totp.default.button-add-authenticator-label": "+ เพิ่มแอปพลิเคชันหรืออุปกรณ์ตรวจสอบสิทธิ์",
+  "v2.page.settings-totp.default.title": "แอปพลิเคชันหรืออุปกรณ์ตรวจสอบสิทธิ์ Passkey",
+  "v2.page.settings.default.button-label-account-deletion": "ลบบัญชี",
   "v2.page.settings.default.button-label-advanced-settings": "การตั้งค่าขั้นสูง",
   "v2.page.settings.default.button-label-and-more": "{item} และอื่นๆ",
   "v2.page.settings.default.button-label-back-to-app": "กลับไปที่แอปพลิเคชันของฉัน",
diff --git a/resources/authgear/templates/vi/translation.json b/resources/authgear/templates/vi/translation.json
index 856e65698f..3d73e9798e 100644
--- a/resources/authgear/templates/vi/translation.json
+++ b/resources/authgear/templates/vi/translation.json
@@ -879,13 +879,17 @@
   "v2.component.bot-protection-widget.default.noscript": "JavaScript cần thiết để xác minh captcha. Vui lòng bật JavaScript trong trình duyệt của bạn để tiếp tục.",
   "v2.component.button.default.copy": "Sao chép",
   "v2.component.button.default.download": "Tải xuống",
+  "v2.component.button.default.label-cancel": "Hủy",
   "v2.component.button.default.label-continue": "Tiếp tục",
   "v2.component.button.default.label-continue-with-passkey": "Tiếp tục với Passkey",
   "v2.component.button.default.label-continue-with-phone": "Tiếp tục với Số điện thoại",
   "v2.component.button.default.label-continue-with-text-login-id": "Tiếp tục với {variant, select, email {Email} username {Tên đăng nhập} other {Email / Tên đăng nhập}}",
+  "v2.component.button.default.label-edit": "Chỉnh sửa",
   "v2.component.button.default.label-login": "Đăng nhập",
+  "v2.component.button.default.label-remove": "Xóa",
   "v2.component.button.default.label-save": "Lưu",
   "v2.component.button.default.label-send": "Gửi",
+  "v2.component.button.default.label-terminate": "Kết thúc",
   "v2.component.device-token-checkbox.default.label": "Nhớ thiết bị này, và không hỏi lại",
   "v2.component.divider.default.or-label": "hoặc",
   "v2.component.input.default.placeholder-email": "Địa chỉ email",
@@ -923,6 +927,7 @@
   "v2.component.oob-otp-resend-button.default.countdown-unit": "Gửi lại mã sau %s",
   "v2.component.oob-otp-resend-button.default.label": "Gửi lại mã",
   "v2.component.password-input.default.hide-password": "Ẩn mật khẩu",
+  "v2.component.password-input.default.placeholder-confirm-new-password": "Nhập lại mật khẩu mới",
   "v2.component.password-input.default.placeholder-confirm-password": "Nhập lại mật khẩu",
   "v2.component.password-input.default.placeholder-new-password": "Mật khẩu mới",
   "v2.component.password-input.default.placeholder-password": "Mật khẩu hiện tại",
@@ -932,7 +937,6 @@
   "v2.component.select-input.default.no-results-found": "Không tìm thấy kết quả",
   "v2.component.select-input.default.not-provided-label": "Không cung cấp",
   "v2.component.select-input.default.search-label": "Tìm kiếm",
-  "v2.component.select-input.default.unset-label": "Bỏ đặt",
   "v2.component.toc-pp-footer.default.label": "Bằng cách đăng ký, bạn đồng ý với {variant, select, both{<a class=\"link-btn\" target=\"_blank\" href=\"{termsOfService}\">Điều khoản dịch vụ</a> và <a class=\"link-btn\" target=\"_blank\" href=\"{privacyPolicy}\">Chính sách bảo mật</a>} termsOnly{<a class=\"link\" target=\"_blank\" href=\"{termsOfService}\">Điều khoản dịch vụ</a>} privacyOnly{<a class=\"link\" target=\"_blank\" href=\"{privacyPolicy}\">Chính sách bảo mật</a>} other{}}",
   "v2.component.verify-bot-protection.default.description": "Bạn sẽ được chuyển hướng ngay sau khi hoàn thành thử thách",
   "v2.component.verify-bot-protection.default.title": "Đang kiểm tra hệ thống của bạn...",
@@ -1115,26 +1119,117 @@
   "v2.page.select-account.default.description": "Bạn đã đăng nhập với {email_is_present,select,true{{email}} other{{phone_number_is_present,select,true{{phone_number}} other{{preferred_username}}}}}. Tiếp tục để tiến hành.",
   "v2.page.select-account.default.title": "Đăng nhập vào {AppOrClientName}",
   "v2.page.select-account.default.use-another-account": "Sử dụng tài khoản khác",
+  "v2.page.settings-advanced-settings.default.title": "Cài đặt nâng cao",
+  "v2.page.settings-biometric.default.dialog-description": "Bạn có chắc chắn muốn ngắt kết nối đăng nhập sinh trắc học cho thiết bị này không?",
+  "v2.page.settings-biometric.default.dialog-title": "Ngắt kết nối Đăng nhập Sinh trắc học",
+  "v2.page.settings-biometric.default.disconnect-button-label": "Ngắt kết nối",
+  "v2.page.settings-biometric.default.item-description": "Được tạo lúc <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-biometric.default.no-biometric-description": "Bạn không có bất kỳ thiết bị nào được kích hoạt sinh trắc học.",
+  "v2.page.settings-biometric.default.title": "Đăng nhập Sinh trắc học",
+  "v2.page.settings-biometric.default.unknown-name-item-label": "Thiết bị Không xác định",
+  "v2.page.settings-change-password.default.title": "Thay đổi Mật khẩu",
+  "v2.page.settings-delete-account-success.default.button-label": "Xong",
+  "v2.page.settings-delete-account-success.default.description": "Tài khoản của bạn đã bị vô hiệu hóa và dữ liệu sẽ bị xóa vào <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account-success.default.title": "Đã lên lịch xóa tài khoản",
+  "v2.page.settings-delete-account.default.button-label": "Xóa Tài khoản",
+  "v2.page.settings-delete-account.default.description": "Bằng cách xóa tài khoản, tất cả dữ liệu sẽ bị xóa vĩnh viễn và chúng tôi sẽ không thể khôi phục lại. Nếu bạn tiếp tục, tài khoản của bạn sẽ bị xóa vào <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>",
+  "v2.page.settings-delete-account.default.input-placeholder": "Nhập <b>{input}</b> để xác nhận",
+  "v2.page.settings-delete-account.default.title": "Xóa Tài khoản",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-maximum": "Vui lòng nhập số nhỏ hơn hoặc bằng {maximum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum": "Vui lòng nhập số lớn hơn hoặc bằng {minimum}",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum-maximum": "Vui lòng nhập số nằm trong khoảng từ {minimum} đến {maximum}",
+  "v2.page.settings-identity-add-email.default.email-input-placeholder": "Địa chỉ Email mới",
+  "v2.page.settings-identity-add-email.default.title": "Thêm Email mới",
+  "v2.page.settings-identity-add-phone.default.phone-input-placeholder": "Số Điện Thoại",
+  "v2.page.settings-identity-add-phone.default.title": "Thêm Số Điện Thoại Mới",
+  "v2.page.settings-identity-change-primary-email.default.title": "Email chính",
+  "v2.page.settings-identity-change-primary-phone.default.title": "Số điện thoại chính",
+  "v2.page.settings-identity-edit-email.default.description": "Email hiện tại của bạn là {target}",
+  "v2.page.settings-identity-edit-email.default.email-input-placeholder": "Địa chỉ Email mới",
+  "v2.page.settings-identity-edit-email.default.title": "Chỉnh sửa Email",
+  "v2.page.settings-identity-edit-phone.default.description": "Số điện thoại hiện tại của bạn là {target}",
+  "v2.page.settings-identity-edit-phone.default.phone-input-placeholder": "Số Điện Thoại",
+  "v2.page.settings-identity-edit-phone.default.title": "Chỉnh Sửa Số Điện Thoại",
+  "v2.page.settings-identity-edit-username.default.title": "Thay đổi Tên người dùng",
+  "v2.page.settings-identity-email.default.title": "Email",
+  "v2.page.settings-identity-list-email.default.button-add-email-label": "+ Thêm email",
+  "v2.page.settings-identity-list-email.default.button-change-primary-email-label": "Thay đổi",
+  "v2.page.settings-identity-list-email.default.primary-email-label": "Email chính",
+  "v2.page.settings-identity-list-phone.default.button-add-phone-label": "+ Thêm số điện thoại mới",
+  "v2.page.settings-identity-list-phone.default.button-change-primary-phone-label": "Thay đổi",
+  "v2.page.settings-identity-list-phone.default.primary-phone-label": "số điện thoại chính",
+  "v2.page.settings-identity-list-username.default.button-add-username-label": "+ Thêm tên người dùng",
+  "v2.page.settings-identity-list-username.default.title": "Tên người dùng",
+  "v2.page.settings-identity-new-username.default.title": "Thêm Tên người dùng",
+  "v2.page.settings-identity-phone.default.title": "Điện thoại",
+  "v2.page.settings-identity-verify-email.default.title": "Xác minh",
+  "v2.page.settings-identity-verify-phone.default.title": "Xác Minh",
+  "v2.page.settings-identity-view-email.default.button-edit-email-label": "Chỉnh sửa",
+  "v2.page.settings-identity-view-email.default.button-remove-email-label": "Xóa email này",
+  "v2.page.settings-identity-view-email.default.button-verify-email-label": "Xác minh",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-description": "Bạn có chắc chắn muốn xóa địa chỉ email {target} khỏi tài khoản của bạn không?",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-title": "Xóa Địa Chỉ Email",
+  "v2.page.settings-identity-view-phone.default.button-edit-phone-label": "Chỉnh sửa",
+  "v2.page.settings-identity-view-phone.default.button-remove-phone-label": "Xóa số điện thoại này",
+  "v2.page.settings-identity-view-phone.default.button-verify-phone-label": "Xác minh",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-description": "Bạn có chắc chắn muốn xóa số điện thoại {target} khỏi tài khoản của mình không?",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-title": "Xóa Số Điện Thoại",
+  "v2.page.settings-identity-view-username.default.button-remove-label": "Xóa tên người dùng",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-description": "Bạn có chắc chắn muốn xóa tên người dùng <span class=\"settings-dialog__description-text--highlight\">{Username}</span> khỏi tài khoản của bạn không?",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-title": "Xóa Tên người dùng",
+  "v2.page.settings-identity-view-username.default.title": "Tên người dùng",
+  "v2.page.settings-identity.default.verification-status-unverified-label": "Chưa được xác minh",
+  "v2.page.settings-identity.default.verification-status-verified-label": "Đã xác minh",
+  "v2.page.settings-mfa-create-password.default.title": "Mật khẩu bổ sung",
+  "v2.page.settings-mfa-password.default.additional-password-added-at": "Đã thêm vào <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.additional-password-label": "Mật khẩu bổ sung",
+  "v2.page.settings-mfa-password.default.additional-password-updated-at": "Đã cập nhật vào <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.dialog-delete-description": "Bạn có chắc chắn muốn xóa mật khẩu bổ sung không?",
+  "v2.page.settings-mfa-password.default.dialog-delete-title": "Xóa mật khẩu bổ sung",
+  "v2.page.settings-mfa-password.default.remove-button-label": "Xóa mật khẩu bổ sung",
+  "v2.page.settings-mfa-password.default.title": "Mật khẩu bổ sung",
+  "v2.page.settings-mfa.default.activated-label": "Đã kích hoạt",
+  "v2.page.settings-mfa.default.additional-password-label": "Mật khẩu bổ sung",
+  "v2.page.settings-mfa.default.dialog-revoke-device-description": "Bạn có {NumberOfDeviceTokens, plural, one{# thiết bị đáng tin cậy} other{# thiết bị đáng tin cậy}} được liên kết với tài khoản của bạn. Bạn có muốn xóa tất cả các thiết bị đáng tin cậy không?",
+  "v2.page.settings-mfa.default.dialog-revoke-device-title": "Xóa các thiết bị đáng tin cậy",
+  "v2.page.settings-mfa.default.inactive-label": "Không hoạt động",
+  "v2.page.settings-mfa.default.secondary-oob-otp-email-label": "Email",
+  "v2.page.settings-mfa.default.secondary-oob-otp-sms-label": "Tin nhắn Whatsapp/SMS",
+  "v2.page.settings-mfa.default.secondary-totp-label": "Ứng dụng/thiết bị xác thực",
+  "v2.page.settings-mfa.default.title": "Xác thực 2 Yếu tố",
+  "v2.page.settings-mfa.default.trusted-devices-has-device-tokens-message": "Bạn có {NumberOfDeviceTokens, plural, one{# thiết bị đáng tin cậy} other{# thiết bị đáng tin cậy}}",
+  "v2.page.settings-mfa.default.trusted-devices-label": "Thiết bị đáng tin cậy",
+  "v2.page.settings-mfa.default.trusted-devices-no-device-tokens-message": "Bạn không có bất kỳ thiết bị đáng tin cậy nào có thể bỏ qua xác thực 2 bước.",
+  "v2.page.settings-oob-otp-email.default.title": "Email",
+  "v2.page.settings-oob-otp-sms.default.title": "Tin nhắn WhatsApp/SMS",
+  "v2.page.settings-oob-otp.default.added-at-label": "Đã thêm vào <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-oob-otp.default.button-oob-otp-email-label": "+ Thêm email",
+  "v2.page.settings-oob-otp.default.button-oob-otp-sms-label": "+ Thêm số điện thoại WhatsApp/SMS",
+  "v2.page.settings-passkey.default.add-passkey-button-label": "+ Thêm Passkey",
+  "v2.page.settings-passkey.default.dialog-description": "Bạn có chắc chắn muốn xóa Passkey này không?",
+  "v2.page.settings-passkey.default.dialog-title": "Xóa Passkey",
+  "v2.page.settings-passkey.default.item-description": "Đã thêm vào <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-passkey.default.title": "Passkey",
   "v2.page.settings-profile-edit-address.default.country-label": "Quốc gia",
   "v2.page.settings-profile-edit-address.default.locality-label": "Thành phố",
-  "v2.page.settings-profile-edit-address.default.navbar-title": "Địa chỉ",
   "v2.page.settings-profile-edit-address.default.postal-code-label": "Mã bưu chính",
   "v2.page.settings-profile-edit-address.default.region-label": "Vùng",
   "v2.page.settings-profile-edit-address.default.street-label": "Địa chỉ đường phố",
-  "v2.page.settings-profile-edit-birthdate.default.navbar-title": "Ngày sinh",
+  "v2.page.settings-profile-edit-address.default.title": "Địa chỉ",
+  "v2.page.settings-profile-edit-birthdate.default.title": "Ngày sinh",
   "v2.page.settings-profile-edit-gender.default.gender-label-custom": "Tùy chỉnh",
   "v2.page.settings-profile-edit-gender.default.gender-label-female": "Nữ",
   "v2.page.settings-profile-edit-gender.default.gender-label-male": "Nam",
   "v2.page.settings-profile-edit-gender.default.gender-label-unspecified": "Không cung cấp",
   "v2.page.settings-profile-edit-gender.default.title": "Giới tính",
-  "v2.page.settings-profile-edit-locale.default.navbar-title": "Ngôn ngữ",
+  "v2.page.settings-profile-edit-locale.default.title": "Ngôn ngữ",
   "v2.page.settings-profile-edit-name.default.family-name-input-label": "Họ",
   "v2.page.settings-profile-edit-name.default.fullname-input-label": "Tên đầy đủ",
   "v2.page.settings-profile-edit-name.default.given-name-input-label": "Tên",
   "v2.page.settings-profile-edit-name.default.middle-name-input-label": "Tên đệm",
-  "v2.page.settings-profile-edit-name.default.navbar-title": "Tên",
   "v2.page.settings-profile-edit-name.default.nickname-input-label": "Biệt danh",
-  "v2.page.settings-profile-edit-zoneinfo.default.navbar-title": "Múi giờ",
+  "v2.page.settings-profile-edit-name.default.title": "Tên",
+  "v2.page.settings-profile-edit-zoneinfo.default.title": "Múi giờ",
   "v2.page.settings-profile-no-permission.default.content": "Không được ủy quyền",
   "v2.page.settings-profile-no-permission.default.title": "Vấn đề bất ngờ",
   "v2.page.settings-profile.default.address-title": "Địa chỉ",
@@ -1146,9 +1241,21 @@
   "v2.page.settings-profile.default.gender-title": "Giới tính",
   "v2.page.settings-profile.default.language-title": "Ngôn ngữ",
   "v2.page.settings-profile.default.name-title": "Tên",
-  "v2.page.settings-profile.default.navbar-title": "Hồ sơ",
   "v2.page.settings-profile.default.profile-picture-title": "Ảnh đại diện",
+  "v2.page.settings-profile.default.title": "Hồ sơ",
   "v2.page.settings-profile.default.zoneinfo-title": "Múi giờ",
+  "v2.page.settings-sessions.default.all-sessions-dialog-description": "Điều này sẽ gỡ bỏ quyền truy cập vào tài khoản của bạn từ tất cả các thiết bị khác",
+  "v2.page.settings-sessions.default.all-sessions-dialog-title": "Kết thúc tất cả các phiên khác",
+  "v2.page.settings-sessions.default.country-ip-item-description": "{countryName} ({countryCode}) - {ip}",
+  "v2.page.settings-sessions.default.device-item-description": "{isCurrent, select, true {{desc} · <span class=\"settings-description--primary-color\">Đang hoạt động</span>} other {{desc} · <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>}}",
+  "v2.page.settings-sessions.default.revoke-all-label": "Kết thúc tất cả các phiên khác",
+  "v2.page.settings-sessions.default.session-dialog-description": "Điều này sẽ gỡ bỏ quyền truy cập vào tài khoản của bạn trên thiết bị này",
+  "v2.page.settings-sessions.default.session-dialog-title": "Kết thúc phiên",
+  "v2.page.settings-sessions.default.title": "Thiết bị đã đăng nhập",
+  "v2.page.settings-totp.default.added-at-label": "Đã thêm vào <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-totp.default.button-add-authenticator-label": "+ Thêm ứng dụng/thiết bị xác thực",
+  "v2.page.settings-totp.default.title": "Ứng dụng/thiết bị xác thực",
+  "v2.page.settings.default.button-label-account-deletion": "Xóa Tài khoản",
   "v2.page.settings.default.button-label-advanced-settings": "Cài đặt Nâng cao",
   "v2.page.settings.default.button-label-and-more": "{item} và nhiều hơn nữa",
   "v2.page.settings.default.button-label-back-to-app": "Quay lại ứng dụng của tôi",
diff --git a/resources/authgear/templates/zh-CN/translation.json b/resources/authgear/templates/zh-CN/translation.json
index 37adf95a05..eb071edee5 100644
--- a/resources/authgear/templates/zh-CN/translation.json
+++ b/resources/authgear/templates/zh-CN/translation.json
@@ -879,13 +879,17 @@
   "v2.component.bot-protection-widget.default.noscript": "需要启用JavaScript才能进行验证码验证。请在浏览器中启用JavaScript以继续。",
   "v2.component.button.default.copy": "复制",
   "v2.component.button.default.download": "下载",
+  "v2.component.button.default.label-cancel": "取消",
   "v2.component.button.default.label-continue": "继续",
   "v2.component.button.default.label-continue-with-passkey": "继续使用Passkey",
   "v2.component.button.default.label-continue-with-phone": "继续使用手机号码",
   "v2.component.button.default.label-continue-with-text-login-id": "继续使用{variant, select, email {电子邮箱} username {用户名} other {电子邮箱 / 用户名}}",
+  "v2.component.button.default.label-edit": "编辑",
   "v2.component.button.default.label-login": "登录",
+  "v2.component.button.default.label-remove": "移除",
   "v2.component.button.default.label-save": "保存",
   "v2.component.button.default.label-send": "发送",
+  "v2.component.button.default.label-terminate": "终止",
   "v2.component.device-token-checkbox.default.label": "记住此设备,不要再次询问",
   "v2.component.divider.default.or-label": "或",
   "v2.component.input.default.placeholder-email": "电子邮箱地址",
@@ -923,6 +927,7 @@
   "v2.component.oob-otp-resend-button.default.countdown-unit": "%s 后重新发送代码",
   "v2.component.oob-otp-resend-button.default.label": "重新发送代码",
   "v2.component.password-input.default.hide-password": "隐藏密码",
+  "v2.component.password-input.default.placeholder-confirm-new-password": "重新输入新密码",
   "v2.component.password-input.default.placeholder-confirm-password": "重新输入密码",
   "v2.component.password-input.default.placeholder-new-password": "新密码",
   "v2.component.password-input.default.placeholder-password": "当前密码",
@@ -932,7 +937,6 @@
   "v2.component.select-input.default.no-results-found": "未找到结果",
   "v2.component.select-input.default.not-provided-label": "未提供",
   "v2.component.select-input.default.search-label": "搜索",
-  "v2.component.select-input.default.unset-label": "未设置",
   "v2.component.toc-pp-footer.default.label": "注册后, 您同意 {variant, select, both{<a class=\"link-btn\" target=\"_blank\" href=\"{termsOfService}\">服务条款</a> 和 <a class=\"link-btn\" target=\"_blank\" href=\"{privacyPolicy}\">隐私政策</a>} termsOnly{<a class=\"link\" target=\"_blank\" href=\"{termsOfService}\">服务条款</a>} privacyOnly{<a class=\"link\" target=\"_blank\" href=\"{privacyPolicy}\">隐私政策</a>} other{}}",
   "v2.component.verify-bot-protection.default.description": "您完成挑战后将很快被重定向",
   "v2.component.verify-bot-protection.default.title": "正在检查您的系统...",
@@ -1115,26 +1119,117 @@
   "v2.page.select-account.default.description": "您已使用 {email_is_present,select,true{{email}} other{{phone_number_is_present,select,true{{phone_number}} other{{preferred_username}}}}} 登录。请继续操作。",
   "v2.page.select-account.default.title": "登录到 {AppOrClientName}",
   "v2.page.select-account.default.use-another-account": "使用其他帐户",
+  "v2.page.settings-advanced-settings.default.title": "高级设置",
+  "v2.page.settings-biometric.default.dialog-description": "您确定要断开此设备的生物识别登录吗?",
+  "v2.page.settings-biometric.default.dialog-title": "断开生物识别登录",
+  "v2.page.settings-biometric.default.disconnect-button-label": "断开",
+  "v2.page.settings-biometric.default.item-description": "创建于 <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-biometric.default.no-biometric-description": "您没有任何启用生物识别的设备。",
+  "v2.page.settings-biometric.default.title": "生物识别登录",
+  "v2.page.settings-biometric.default.unknown-name-item-label": "未知设备",
+  "v2.page.settings-change-password.default.title": "更改密码",
+  "v2.page.settings-delete-account-success.default.button-label": "完成",
+  "v2.page.settings-delete-account-success.default.description": "您的账户已被停用,数据将在<span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>被删除",
+  "v2.page.settings-delete-account-success.default.title": "账户删除已安排",
+  "v2.page.settings-delete-account.default.button-label": "删除账户",
+  "v2.page.settings-delete-account.default.description": "删除账户后,所有数据将被永久删除,我们将无法检索它。如果继续,您的账户将在<span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span>被删除",
+  "v2.page.settings-delete-account.default.input-placeholder": "输入<b>{input}</b>以确认",
+  "v2.page.settings-delete-account.default.title": "删除账户",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-maximum": "请输入小于或等于{maximum}的数字",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum": "请输入大于或等于{minimum}的数字",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum-maximum": "请输入{minimum}和{maximum}之间的数字",
+  "v2.page.settings-identity-add-email.default.email-input-placeholder": "新电子邮件地址",
+  "v2.page.settings-identity-add-email.default.title": "添加新电子邮件",
+  "v2.page.settings-identity-add-phone.default.phone-input-placeholder": "手机号码",
+  "v2.page.settings-identity-add-phone.default.title": "添加新手机号码",
+  "v2.page.settings-identity-change-primary-email.default.title": "主要电子邮件",
+  "v2.page.settings-identity-change-primary-phone.default.title": "主要电话",
+  "v2.page.settings-identity-edit-email.default.description": "您当前的电子邮件是 {target}",
+  "v2.page.settings-identity-edit-email.default.email-input-placeholder": "新电子邮件地址",
+  "v2.page.settings-identity-edit-email.default.title": "编辑电子邮件",
+  "v2.page.settings-identity-edit-phone.default.description": "您当前的手机号码是 {target}",
+  "v2.page.settings-identity-edit-phone.default.phone-input-placeholder": "手机号码",
+  "v2.page.settings-identity-edit-phone.default.title": "编辑手机号码",
+  "v2.page.settings-identity-edit-username.default.title": "更改用户名",
+  "v2.page.settings-identity-email.default.title": "电子邮件",
+  "v2.page.settings-identity-list-email.default.button-add-email-label": "+ 添加电子邮件",
+  "v2.page.settings-identity-list-email.default.button-change-primary-email-label": "更改",
+  "v2.page.settings-identity-list-email.default.primary-email-label": "主要电子邮件",
+  "v2.page.settings-identity-list-phone.default.button-add-phone-label": "+ 添加新手机号码",
+  "v2.page.settings-identity-list-phone.default.button-change-primary-phone-label": "更改",
+  "v2.page.settings-identity-list-phone.default.primary-phone-label": "主要电话",
+  "v2.page.settings-identity-list-username.default.button-add-username-label": "+ 添加用户名",
+  "v2.page.settings-identity-list-username.default.title": "用户名",
+  "v2.page.settings-identity-new-username.default.title": "添加用户名",
+  "v2.page.settings-identity-phone.default.title": "电话",
+  "v2.page.settings-identity-verify-email.default.title": "验证",
+  "v2.page.settings-identity-verify-phone.default.title": "验证",
+  "v2.page.settings-identity-view-email.default.button-edit-email-label": "编辑",
+  "v2.page.settings-identity-view-email.default.button-remove-email-label": "移除此电子邮件",
+  "v2.page.settings-identity-view-email.default.button-verify-email-label": "验证",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-description": "您确定要从您的账户中移除电子邮件地址 {target} 吗?",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-title": "移除电子邮件地址",
+  "v2.page.settings-identity-view-phone.default.button-edit-phone-label": "编辑",
+  "v2.page.settings-identity-view-phone.default.button-remove-phone-label": "移除此电话",
+  "v2.page.settings-identity-view-phone.default.button-verify-phone-label": "验证",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-description": "您确定要从您的账户中移除电话号码 {target} 吗?",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-title": "移除电话号码",
+  "v2.page.settings-identity-view-username.default.button-remove-label": "移除用户名",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-description": "您确定要从您的账户中移除用户名<span class=\"settings-dialog__description-text--highlight\">{Username}</span>吗?",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-title": "移除用户名",
+  "v2.page.settings-identity-view-username.default.title": "用户名",
+  "v2.page.settings-identity.default.verification-status-unverified-label": "未验证",
+  "v2.page.settings-identity.default.verification-status-verified-label": "已验证",
+  "v2.page.settings-mfa-create-password.default.title": "额外密码",
+  "v2.page.settings-mfa-password.default.additional-password-added-at": "添加于 <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.additional-password-label": "额外密码",
+  "v2.page.settings-mfa-password.default.additional-password-updated-at": "更新于 <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.dialog-delete-description": "您确定要删除额外的密码吗?",
+  "v2.page.settings-mfa-password.default.dialog-delete-title": "删除额外密码",
+  "v2.page.settings-mfa-password.default.remove-button-label": "移除额外密码",
+  "v2.page.settings-mfa-password.default.title": "额外密码",
+  "v2.page.settings-mfa.default.activated-label": "已激活",
+  "v2.page.settings-mfa.default.additional-password-label": "额外密码",
+  "v2.page.settings-mfa.default.dialog-revoke-device-description": "您的账户关联了 {NumberOfDeviceTokens, plural, one{# 个受信任的设备} other{# 个受信任的设备}}。您想要删除所有受信任的设备吗?",
+  "v2.page.settings-mfa.default.dialog-revoke-device-title": "删除受信任的设备",
+  "v2.page.settings-mfa.default.inactive-label": "未激活",
+  "v2.page.settings-mfa.default.secondary-oob-otp-email-label": "电子邮件",
+  "v2.page.settings-mfa.default.secondary-oob-otp-sms-label": "Whatsapp/短信",
+  "v2.page.settings-mfa.default.secondary-totp-label": "认证器应用程序/设备",
+  "v2.page.settings-mfa.default.title": "双重身份验证",
+  "v2.page.settings-mfa.default.trusted-devices-has-device-tokens-message": "您有 {NumberOfDeviceTokens, plural, one{#个受信任的设备} other{#个受信任的设备}}",
+  "v2.page.settings-mfa.default.trusted-devices-label": "受信任的设备",
+  "v2.page.settings-mfa.default.trusted-devices-no-device-tokens-message": "您没有任何可以跳过双重验证的受信任设备。",
+  "v2.page.settings-oob-otp-email.default.title": "电子邮件",
+  "v2.page.settings-oob-otp-sms.default.title": "WhatsApp/短信",
+  "v2.page.settings-oob-otp.default.added-at-label": "添加于 <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-oob-otp.default.button-oob-otp-email-label": "+ 添加电子邮件",
+  "v2.page.settings-oob-otp.default.button-oob-otp-sms-label": "+ 添加 WhatsApp/手机号码",
+  "v2.page.settings-passkey.default.add-passkey-button-label": "+ 添加 Passkey",
+  "v2.page.settings-passkey.default.dialog-description": "您确定要移除此 Passkey 吗?",
+  "v2.page.settings-passkey.default.dialog-title": "移除 Passkey",
+  "v2.page.settings-passkey.default.item-description": "添加于 <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-passkey.default.title": "Passkey",
   "v2.page.settings-profile-edit-address.default.country-label": "国家",
   "v2.page.settings-profile-edit-address.default.locality-label": "城市",
-  "v2.page.settings-profile-edit-address.default.navbar-title": "地址",
   "v2.page.settings-profile-edit-address.default.postal-code-label": "邮政编码",
   "v2.page.settings-profile-edit-address.default.region-label": "地区",
   "v2.page.settings-profile-edit-address.default.street-label": "街道地址",
-  "v2.page.settings-profile-edit-birthdate.default.navbar-title": "出生日期",
+  "v2.page.settings-profile-edit-address.default.title": "地址",
+  "v2.page.settings-profile-edit-birthdate.default.title": "出生日期",
   "v2.page.settings-profile-edit-gender.default.gender-label-custom": "自定义",
   "v2.page.settings-profile-edit-gender.default.gender-label-female": "女性",
   "v2.page.settings-profile-edit-gender.default.gender-label-male": "男性",
   "v2.page.settings-profile-edit-gender.default.gender-label-unspecified": "未提供",
   "v2.page.settings-profile-edit-gender.default.title": "性别",
-  "v2.page.settings-profile-edit-locale.default.navbar-title": "语言",
+  "v2.page.settings-profile-edit-locale.default.title": "语言",
   "v2.page.settings-profile-edit-name.default.family-name-input-label": "姓氏",
   "v2.page.settings-profile-edit-name.default.fullname-input-label": "全名",
   "v2.page.settings-profile-edit-name.default.given-name-input-label": "名字",
   "v2.page.settings-profile-edit-name.default.middle-name-input-label": "中间名",
-  "v2.page.settings-profile-edit-name.default.navbar-title": "名字",
   "v2.page.settings-profile-edit-name.default.nickname-input-label": "昵称",
-  "v2.page.settings-profile-edit-zoneinfo.default.navbar-title": "时区",
+  "v2.page.settings-profile-edit-name.default.title": "名字",
+  "v2.page.settings-profile-edit-zoneinfo.default.title": "时区",
   "v2.page.settings-profile-no-permission.default.content": "未经授权",
   "v2.page.settings-profile-no-permission.default.title": "意外问题",
   "v2.page.settings-profile.default.address-title": "地址",
@@ -1146,9 +1241,21 @@
   "v2.page.settings-profile.default.gender-title": "性别",
   "v2.page.settings-profile.default.language-title": "语言",
   "v2.page.settings-profile.default.name-title": "名称",
-  "v2.page.settings-profile.default.navbar-title": "个人资料",
   "v2.page.settings-profile.default.profile-picture-title": "个人头像",
+  "v2.page.settings-profile.default.title": "个人资料",
   "v2.page.settings-profile.default.zoneinfo-title": "时区",
+  "v2.page.settings-sessions.default.all-sessions-dialog-description": "这将从所有其他设备上移除对您账户的访问权限",
+  "v2.page.settings-sessions.default.all-sessions-dialog-title": "终止所有其他会话",
+  "v2.page.settings-sessions.default.country-ip-item-description": "{countryName} ({countryCode}) - {ip}",
+  "v2.page.settings-sessions.default.device-item-description": "{isCurrent, select, true {{desc} · <span class=\"settings-description--primary-color\">当前活动</span>} other {{desc} · <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>}}",
+  "v2.page.settings-sessions.default.revoke-all-label": "终止所有其他会话",
+  "v2.page.settings-sessions.default.session-dialog-description": "这将从此设备上移除对您账户的访问权限",
+  "v2.page.settings-sessions.default.session-dialog-title": "终止会话",
+  "v2.page.settings-sessions.default.title": "已登录设备",
+  "v2.page.settings-totp.default.added-at-label": "添加于 <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-totp.default.button-add-authenticator-label": "+ 添加身份验证器应用/设备",
+  "v2.page.settings-totp.default.title": "身份验证器应用/设备",
+  "v2.page.settings.default.button-label-account-deletion": "删除账户",
   "v2.page.settings.default.button-label-advanced-settings": "高级设置",
   "v2.page.settings.default.button-label-and-more": "{item}等",
   "v2.page.settings.default.button-label-back-to-app": "返回我的应用程序",
diff --git a/resources/authgear/templates/zh-HK/translation.json b/resources/authgear/templates/zh-HK/translation.json
index 04ce2dde7f..ed4e4104d6 100644
--- a/resources/authgear/templates/zh-HK/translation.json
+++ b/resources/authgear/templates/zh-HK/translation.json
@@ -879,13 +879,17 @@
   "v2.component.bot-protection-widget.default.noscript": "需要JavaScript來驗證captcha。請在您的瀏覽器中啟用JavaScript以繼續。",
   "v2.component.button.default.copy": "複製",
   "v2.component.button.default.download": "下載",
+  "v2.component.button.default.label-cancel": "取消",
   "v2.component.button.default.label-continue": "繼續",
   "v2.component.button.default.label-continue-with-passkey": "以通行密匙繼續",
   "v2.component.button.default.label-continue-with-phone": "以電話號碼繼續",
   "v2.component.button.default.label-continue-with-text-login-id": "使用{variant, select, email {電郵} username {使用者名稱} other {電郵 / 使用者名稱}}繼續",
+  "v2.component.button.default.label-edit": "編輯",
   "v2.component.button.default.label-login": "登入",
+  "v2.component.button.default.label-remove": "移除",
   "v2.component.button.default.label-save": "儲存",
   "v2.component.button.default.label-send": "傳送",
+  "v2.component.button.default.label-terminate": "終止",
   "v2.component.device-token-checkbox.default.label": "記住此裝置，不要再詢問",
   "v2.component.divider.default.or-label": "或",
   "v2.component.input.default.placeholder-email": "電郵地址",
@@ -923,6 +927,7 @@
   "v2.component.oob-otp-resend-button.default.countdown-unit": "%s 後重發",
   "v2.component.oob-otp-resend-button.default.label": "重發",
   "v2.component.password-input.default.hide-password": "隱藏密碼",
+  "v2.component.password-input.default.placeholder-confirm-new-password": "再次輸入新密碼",
   "v2.component.password-input.default.placeholder-confirm-password": "再次輸入新密碼",
   "v2.component.password-input.default.placeholder-new-password": "新密碼",
   "v2.component.password-input.default.placeholder-password": "目前密碼",
@@ -932,7 +937,6 @@
   "v2.component.select-input.default.no-results-found": "未找到結果",
   "v2.component.select-input.default.not-provided-label": "未提供",
   "v2.component.select-input.default.search-label": "搜尋",
-  "v2.component.select-input.default.unset-label": "取消設定",
   "v2.component.toc-pp-footer.default.label": "註冊即表示我已同意 {variant, select, both{<a class=\"link-btn\" target=\"_blank\" href=\"{termsOfService}\">條款和細則</a> 及 <a class=\"link-btn\" target=\"_blank\" href=\"{privacyPolicy}\">隱私政策</a>} termsOnly{<a class=\"link\" target=\"_blank\" href=\"{termsOfService}\">條款和細則</a>} privacyOnly{<a class=\"link\" target=\"_blank\" href=\"{privacyPolicy}\">隱私政策</a>} other{}}。",
   "v2.component.verify-bot-protection.default.description": "在您完成驗證後，您將很快被重新導向",
   "v2.component.verify-bot-protection.default.title": "正在驗證你的系統...",
@@ -1115,26 +1119,117 @@
   "v2.page.select-account.default.description": "您正在使用 {email_is_present,select,true{{email}} other{{phone_number_is_present,select,true{{phone_number}} other{{preferred_username}}}}} 登入。",
   "v2.page.select-account.default.title": "登入 {AppOrClientName}",
   "v2.page.select-account.default.use-another-account": "使用另一個帳戶",
+  "v2.page.settings-advanced-settings.default.title": "進階設定",
+  "v2.page.settings-biometric.default.dialog-description": "您確定要移除此生物驗證登入嗎？",
+  "v2.page.settings-biometric.default.dialog-title": "移除生物驗證登入",
+  "v2.page.settings-biometric.default.disconnect-button-label": "移除連結",
+  "v2.page.settings-biometric.default.item-description": "新增時間： <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-biometric.default.no-biometric-description": "您沒有任何啟用生物辨識功能的裝置。",
+  "v2.page.settings-biometric.default.title": "生物驗證登入",
+  "v2.page.settings-biometric.default.unknown-name-item-label": "未知的裝置",
+  "v2.page.settings-change-password.default.title": "更改密碼",
+  "v2.page.settings-delete-account-success.default.button-label": "完成",
+  "v2.page.settings-delete-account-success.default.description": "您的帳號已停用，資料將於 <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span> 刪除",
+  "v2.page.settings-delete-account-success.default.title": "已安排帳戶刪除",
+  "v2.page.settings-delete-account.default.button-label": "刪除帳戶",
+  "v2.page.settings-delete-account.default.description": "刪除帳戶後，新增的資料將會永久刪除，我們將無法找回。如果您繼續，您的帳戶將於 <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span> 被刪除",
+  "v2.page.settings-delete-account.default.input-placeholder": "輸入 <b>{input}</b> 以確認",
+  "v2.page.settings-delete-account.default.title": "刪除帳戶",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-maximum": "請輸入少於或等於{maximum}的數字",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum": "請輸入大於或等於{minimum}的數字",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum-maximum": "請輸入介乎{minimum}與{maximum}之間的數字",
+  "v2.page.settings-identity-add-email.default.email-input-placeholder": "新電郵地址",
+  "v2.page.settings-identity-add-email.default.title": "新增電郵地址",
+  "v2.page.settings-identity-add-phone.default.phone-input-placeholder": "電話號碼",
+  "v2.page.settings-identity-add-phone.default.title": "新增電話",
+  "v2.page.settings-identity-change-primary-email.default.title": "主要電子郵件",
+  "v2.page.settings-identity-change-primary-phone.default.title": "主要電話號碼",
+  "v2.page.settings-identity-edit-email.default.description": "您目前的電子郵件地址是{target}",
+  "v2.page.settings-identity-edit-email.default.email-input-placeholder": "新電子郵件地址",
+  "v2.page.settings-identity-edit-email.default.title": "編輯電子郵件",
+  "v2.page.settings-identity-edit-phone.default.description": "您目前的電話號碼是 {target}",
+  "v2.page.settings-identity-edit-phone.default.phone-input-placeholder": "電話號碼",
+  "v2.page.settings-identity-edit-phone.default.title": "編輯電話",
+  "v2.page.settings-identity-edit-username.default.title": "更改用戶名稱",
+  "v2.page.settings-identity-email.default.title": "電子郵件",
+  "v2.page.settings-identity-list-email.default.button-add-email-label": "+ 新增電子郵件",
+  "v2.page.settings-identity-list-email.default.button-change-primary-email-label": "更改",
+  "v2.page.settings-identity-list-email.default.primary-email-label": "主要電子郵件",
+  "v2.page.settings-identity-list-phone.default.button-add-phone-label": "+ 新增電話號碼",
+  "v2.page.settings-identity-list-phone.default.button-change-primary-phone-label": "更改",
+  "v2.page.settings-identity-list-phone.default.primary-phone-label": "主要電話",
+  "v2.page.settings-identity-list-username.default.button-add-username-label": "+ 新增用戶名稱",
+  "v2.page.settings-identity-list-username.default.title": "用戶名稱",
+  "v2.page.settings-identity-new-username.default.title": "新增用戶名稱",
+  "v2.page.settings-identity-phone.default.title": "電話",
+  "v2.page.settings-identity-verify-email.default.title": "驗證",
+  "v2.page.settings-identity-verify-phone.default.title": "驗證",
+  "v2.page.settings-identity-view-email.default.button-edit-email-label": "編輯",
+  "v2.page.settings-identity-view-email.default.button-remove-email-label": "刪除電子郵件",
+  "v2.page.settings-identity-view-email.default.button-verify-email-label": "驗證",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-description": "您確定要從您的帳戶中刪除電子郵件地址{target}嗎？",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-title": "刪除電子郵件",
+  "v2.page.settings-identity-view-phone.default.button-edit-phone-label": "編輯",
+  "v2.page.settings-identity-view-phone.default.button-remove-phone-label": "刪除電話號碼",
+  "v2.page.settings-identity-view-phone.default.button-verify-phone-label": "驗證",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-description": "您確定要從您的帳戶中刪除電話號碼{target}嗎？",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-title": "刪除電話號碼",
+  "v2.page.settings-identity-view-username.default.button-remove-label": "刪除用戶名稱",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-description": "您確定要刪除來自您的帳戶的用戶名稱<span class=\"settings-dialog__description-text--highlight\"> {Username }</span>?",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-title": "刪除用戶名稱",
+  "v2.page.settings-identity-view-username.default.title": "用戶名稱",
+  "v2.page.settings-identity.default.verification-status-unverified-label": "未驗證",
+  "v2.page.settings-identity.default.verification-status-verified-label": "已驗證",
+  "v2.page.settings-mfa-create-password.default.title": "輔助密碼",
+  "v2.page.settings-mfa-password.default.additional-password-added-at": "新增時間: <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.additional-password-label": "輔助密碼",
+  "v2.page.settings-mfa-password.default.additional-password-updated-at": "上次更新時間: <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.dialog-delete-description": "您確定要刪除輔助密碼嗎？",
+  "v2.page.settings-mfa-password.default.dialog-delete-title": "刪除輔助密碼",
+  "v2.page.settings-mfa-password.default.remove-button-label": "刪除輔助密碼",
+  "v2.page.settings-mfa-password.default.title": "輔助密碼",
+  "v2.page.settings-mfa.default.activated-label": "已啟用",
+  "v2.page.settings-mfa.default.additional-password-label": "輔助密碼",
+  "v2.page.settings-mfa.default.dialog-revoke-device-description": "您有{NumberOfDeviceTokens}個與您的帳戶關聯的受信任設備",
+  "v2.page.settings-mfa.default.dialog-revoke-device-title": "刪除受信任的裝置",
+  "v2.page.settings-mfa.default.inactive-label": "未啟用",
+  "v2.page.settings-mfa.default.secondary-oob-otp-email-label": "電郵",
+  "v2.page.settings-mfa.default.secondary-oob-otp-sms-label": "WhatsApp/短信訊息",
+  "v2.page.settings-mfa.default.secondary-totp-label": "驗證器應用程式／裝置",
+  "v2.page.settings-mfa.default.title": "多重驗證",
+  "v2.page.settings-mfa.default.trusted-devices-has-device-tokens-message": "您有{NumberOfDeviceTokens}個受信任裝置",
+  "v2.page.settings-mfa.default.trusted-devices-label": "受信任裝置",
+  "v2.page.settings-mfa.default.trusted-devices-no-device-tokens-message": "您沒有任何可以跳過兩個步驟驗證的受信任裝置。",
+  "v2.page.settings-oob-otp-email.default.title": "電子郵件",
+  "v2.page.settings-oob-otp-sms.default.title": "WhatsApp/短信訊息",
+  "v2.page.settings-oob-otp.default.added-at-label": "新增時間: <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-oob-otp.default.button-oob-otp-email-label": "+ 新增電子郵件",
+  "v2.page.settings-oob-otp.default.button-oob-otp-sms-label": "+ 新增WhatsApp/短信電話號碼",
+  "v2.page.settings-passkey.default.add-passkey-button-label": "+ 新增通行密匙",
+  "v2.page.settings-passkey.default.dialog-description": "您確定要刪除此密鑰嗎？",
+  "v2.page.settings-passkey.default.dialog-title": "移除 Passkey",
+  "v2.page.settings-passkey.default.item-description": "新增時間： <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-passkey.default.title": "通行密鑰",
   "v2.page.settings-profile-edit-address.default.country-label": "國家",
   "v2.page.settings-profile-edit-address.default.locality-label": "城市",
-  "v2.page.settings-profile-edit-address.default.navbar-title": "地址",
   "v2.page.settings-profile-edit-address.default.postal-code-label": "郵遞區號",
   "v2.page.settings-profile-edit-address.default.region-label": "區域",
   "v2.page.settings-profile-edit-address.default.street-label": "街道地址",
-  "v2.page.settings-profile-edit-birthdate.default.navbar-title": "出生日期",
+  "v2.page.settings-profile-edit-address.default.title": "地址",
+  "v2.page.settings-profile-edit-birthdate.default.title": "出生日期",
   "v2.page.settings-profile-edit-gender.default.gender-label-custom": "自訂",
   "v2.page.settings-profile-edit-gender.default.gender-label-female": "女性",
   "v2.page.settings-profile-edit-gender.default.gender-label-male": "男性",
   "v2.page.settings-profile-edit-gender.default.gender-label-unspecified": "未提供",
   "v2.page.settings-profile-edit-gender.default.title": "性別",
-  "v2.page.settings-profile-edit-locale.default.navbar-title": "語言",
+  "v2.page.settings-profile-edit-locale.default.title": "語言",
   "v2.page.settings-profile-edit-name.default.family-name-input-label": "姓",
   "v2.page.settings-profile-edit-name.default.fullname-input-label": "全名",
   "v2.page.settings-profile-edit-name.default.given-name-input-label": "名",
   "v2.page.settings-profile-edit-name.default.middle-name-input-label": "中間名",
-  "v2.page.settings-profile-edit-name.default.navbar-title": "姓名",
   "v2.page.settings-profile-edit-name.default.nickname-input-label": "暱稱",
-  "v2.page.settings-profile-edit-zoneinfo.default.navbar-title": "時區",
+  "v2.page.settings-profile-edit-name.default.title": "姓名",
+  "v2.page.settings-profile-edit-zoneinfo.default.title": "時區",
   "v2.page.settings-profile-no-permission.default.content": "未經授權",
   "v2.page.settings-profile-no-permission.default.title": "系統錯誤",
   "v2.page.settings-profile.default.address-title": "地址",
@@ -1146,9 +1241,21 @@
   "v2.page.settings-profile.default.gender-title": "性別",
   "v2.page.settings-profile.default.language-title": "語言",
   "v2.page.settings-profile.default.name-title": "名稱",
-  "v2.page.settings-profile.default.navbar-title": "個人資料",
   "v2.page.settings-profile.default.profile-picture-title": "頭像",
+  "v2.page.settings-profile.default.title": "個人資料",
   "v2.page.settings-profile.default.zoneinfo-title": "時區",
+  "v2.page.settings-sessions.default.all-sessions-dialog-description": "你確認要登出所有其他裝置嗎？",
+  "v2.page.settings-sessions.default.all-sessions-dialog-title": "登出所有其他裝置",
+  "v2.page.settings-sessions.default.country-ip-item-description": "{countryName} ({countryCode}) - {ip}",
+  "v2.page.settings-sessions.default.device-item-description": "{isCurrent, select, true {{desc} · <span class=\"settings-description--primary-color\">使用中</span>} other {{desc} · <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>}}",
+  "v2.page.settings-sessions.default.revoke-all-label": "登出所有其他裝置",
+  "v2.page.settings-sessions.default.session-dialog-description": "你確認要登出此裝置嗎？",
+  "v2.page.settings-sessions.default.session-dialog-title": "登出裝置",
+  "v2.page.settings-sessions.default.title": "已登入的裝置",
+  "v2.page.settings-totp.default.added-at-label": "新增時間: <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-totp.default.button-add-authenticator-label": "+ 新增驗證器應用程式／裝置",
+  "v2.page.settings-totp.default.title": "驗證器應用程式／裝置",
+  "v2.page.settings.default.button-label-account-deletion": "刪除帳戶",
   "v2.page.settings.default.button-label-advanced-settings": "進階設定",
   "v2.page.settings.default.button-label-and-more": "{item} 還有更多",
   "v2.page.settings.default.button-label-back-to-app": "返回我的App",
diff --git a/resources/authgear/templates/zh-TW/translation.json b/resources/authgear/templates/zh-TW/translation.json
index 8970aeb765..d1fc937b78 100644
--- a/resources/authgear/templates/zh-TW/translation.json
+++ b/resources/authgear/templates/zh-TW/translation.json
@@ -879,13 +879,17 @@
   "v2.component.bot-protection-widget.default.noscript": "需要JavaScript來驗證captcha。請在您的瀏覽器中啟用JavaScript以繼續。",
   "v2.component.button.default.copy": "複製",
   "v2.component.button.default.download": "下載",
+  "v2.component.button.default.label-cancel": "取消",
   "v2.component.button.default.label-continue": "繼續",
   "v2.component.button.default.label-continue-with-passkey": "使用通行密鑰繼續",
   "v2.component.button.default.label-continue-with-phone": "使用電話號碼繼續",
   "v2.component.button.default.label-continue-with-text-login-id": "使用{variant, select, email {電郵} username {使用者名稱} other {電郵 / 使用者名稱}}繼續",
+  "v2.component.button.default.label-edit": "編輯",
   "v2.component.button.default.label-login": "登入",
+  "v2.component.button.default.label-remove": "移除",
   "v2.component.button.default.label-save": "儲存",
   "v2.component.button.default.label-send": "傳送",
+  "v2.component.button.default.label-terminate": "終止",
   "v2.component.device-token-checkbox.default.label": "記住此裝置，不要再詢問",
   "v2.component.divider.default.or-label": "或",
   "v2.component.input.default.placeholder-email": "電郵地址",
@@ -923,6 +927,7 @@
   "v2.component.oob-otp-resend-button.default.countdown-unit": "%s 後重發",
   "v2.component.oob-otp-resend-button.default.label": "重發",
   "v2.component.password-input.default.hide-password": "隱藏密碼",
+  "v2.component.password-input.default.placeholder-confirm-new-password": "再次輸入新密碼",
   "v2.component.password-input.default.placeholder-confirm-password": "再次輸入新密碼",
   "v2.component.password-input.default.placeholder-new-password": "新密碼",
   "v2.component.password-input.default.placeholder-password": "目前密碼",
@@ -932,7 +937,6 @@
   "v2.component.select-input.default.no-results-found": "未找到結果",
   "v2.component.select-input.default.not-provided-label": "未提供",
   "v2.component.select-input.default.search-label": "搜尋",
-  "v2.component.select-input.default.unset-label": "取消設定",
   "v2.component.toc-pp-footer.default.label": "註冊即表示我已同意 {variant, select, both{<a class=\"link-btn\" target=\"_blank\" href=\"{termsOfService}\">條款和細則</a> 及 <a class=\"link-btn\" target=\"_blank\" href=\"{privacyPolicy}\">隱私政策</a>} termsOnly{<a class=\"link\" target=\"_blank\" href=\"{termsOfService}\">條款和細則</a>} privacyOnly{<a class=\"link\" target=\"_blank\" href=\"{privacyPolicy}\">隱私政策</a>} other{}}。",
   "v2.component.verify-bot-protection.default.description": "在您完成驗證後，您將很快被重新導向",
   "v2.component.verify-bot-protection.default.title": "正在驗證你的系統...",
@@ -1115,26 +1119,117 @@
   "v2.page.select-account.default.description": "您正在使用 {email_is_present,select,true{{email}} other{{phone_number_is_present,select,true{{phone_number}} other{{preferred_username}}}}} 登入。",
   "v2.page.select-account.default.title": "登入 {AppOrClientName}",
   "v2.page.select-account.default.use-another-account": "使用另一個帳號",
+  "v2.page.settings-advanced-settings.default.title": "進階設定",
+  "v2.page.settings-biometric.default.dialog-description": "您確定要移除此生物驗證登入嗎？",
+  "v2.page.settings-biometric.default.dialog-title": "移除生物驗證登入",
+  "v2.page.settings-biometric.default.disconnect-button-label": "移除連結",
+  "v2.page.settings-biometric.default.item-description": "新增時間： <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-biometric.default.no-biometric-description": "您沒有任何啟用生物辨識功能的裝置。",
+  "v2.page.settings-biometric.default.title": "生物驗證登入",
+  "v2.page.settings-biometric.default.unknown-name-item-label": "未知的裝置",
+  "v2.page.settings-change-password.default.title": "更改密碼",
+  "v2.page.settings-delete-account-success.default.button-label": "完成",
+  "v2.page.settings-delete-account-success.default.description": "您的帳號已停用，資料將於 <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span> 刪除",
+  "v2.page.settings-delete-account-success.default.title": "已安排帳戶刪除",
+  "v2.page.settings-delete-account.default.button-label": "刪除帳戶",
+  "v2.page.settings-delete-account.default.description": "刪除帳戶後，新增的資料將會永久刪除，我們將無法找回。如果您繼續，您的帳戶將於 <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long data-date-time-style>{date, date, long}</span> 被刪除",
+  "v2.page.settings-delete-account.default.input-placeholder": "輸入 <b>{input}</b> 以確認",
+  "v2.page.settings-delete-account.default.title": "刪除帳戶",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-maximum": "請輸入少於或等於{maximum}的數字",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum": "請輸入大於或等於{minimum}的數字",
+  "v2.page.settings-edit-custom-attribute.default.custom-attribute-numeric-hint-minimum-maximum": "請輸入介乎{minimum}與{maximum}之間的數字",
+  "v2.page.settings-identity-add-email.default.email-input-placeholder": "新電郵地址",
+  "v2.page.settings-identity-add-email.default.title": "新增電郵地址",
+  "v2.page.settings-identity-add-phone.default.phone-input-placeholder": "電話號碼",
+  "v2.page.settings-identity-add-phone.default.title": "新增電話",
+  "v2.page.settings-identity-change-primary-email.default.title": "主要電子郵件",
+  "v2.page.settings-identity-change-primary-phone.default.title": "主要電話號碼",
+  "v2.page.settings-identity-edit-email.default.description": "您目前的電子郵件地址是{target}",
+  "v2.page.settings-identity-edit-email.default.email-input-placeholder": "新電子郵件地址",
+  "v2.page.settings-identity-edit-email.default.title": "編輯電子郵件",
+  "v2.page.settings-identity-edit-phone.default.description": "您目前的電話號碼是 {target}",
+  "v2.page.settings-identity-edit-phone.default.phone-input-placeholder": "電話號碼",
+  "v2.page.settings-identity-edit-phone.default.title": "編輯電話",
+  "v2.page.settings-identity-edit-username.default.title": "更改用戶名稱",
+  "v2.page.settings-identity-email.default.title": "電子郵件",
+  "v2.page.settings-identity-list-email.default.button-add-email-label": "+ 新增電子郵件",
+  "v2.page.settings-identity-list-email.default.button-change-primary-email-label": "更改",
+  "v2.page.settings-identity-list-email.default.primary-email-label": "主要電子郵件",
+  "v2.page.settings-identity-list-phone.default.button-add-phone-label": "+ 新增電話號碼",
+  "v2.page.settings-identity-list-phone.default.button-change-primary-phone-label": "更改",
+  "v2.page.settings-identity-list-phone.default.primary-phone-label": "主要電話",
+  "v2.page.settings-identity-list-username.default.button-add-username-label": "+ 新增用戶名稱",
+  "v2.page.settings-identity-list-username.default.title": "用戶名稱",
+  "v2.page.settings-identity-new-username.default.title": "新增用戶名稱",
+  "v2.page.settings-identity-phone.default.title": "電話",
+  "v2.page.settings-identity-verify-email.default.title": "驗證",
+  "v2.page.settings-identity-verify-phone.default.title": "驗證",
+  "v2.page.settings-identity-view-email.default.button-edit-email-label": "編輯",
+  "v2.page.settings-identity-view-email.default.button-remove-email-label": "刪除電子郵件",
+  "v2.page.settings-identity-view-email.default.button-verify-email-label": "驗證",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-description": "您確定要從您的帳戶中刪除電子郵件地址{target}嗎？",
+  "v2.page.settings-identity-view-email.default.remove-identity-dialog-title": "刪除電子郵件",
+  "v2.page.settings-identity-view-phone.default.button-edit-phone-label": "編輯",
+  "v2.page.settings-identity-view-phone.default.button-remove-phone-label": "刪除電話號碼",
+  "v2.page.settings-identity-view-phone.default.button-verify-phone-label": "驗證",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-description": "您確定要從您的帳戶中刪除電話號碼{target}嗎？",
+  "v2.page.settings-identity-view-phone.default.remove-identity-dialog-title": "刪除電話號碼",
+  "v2.page.settings-identity-view-username.default.button-remove-label": "刪除用戶名稱",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-description": "您確定要刪除來自您的帳戶的用戶名稱<span class=\"settings-dialog__description-text--highlight\"> {Username }</span>?",
+  "v2.page.settings-identity-view-username.default.dialog-delete-username-title": "刪除用戶名稱",
+  "v2.page.settings-identity-view-username.default.title": "用戶名稱",
+  "v2.page.settings-identity.default.verification-status-unverified-label": "未驗證",
+  "v2.page.settings-identity.default.verification-status-verified-label": "已驗證",
+  "v2.page.settings-mfa-create-password.default.title": "輔助密碼",
+  "v2.page.settings-mfa-password.default.additional-password-added-at": "新增時間: <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.additional-password-label": "輔助密碼",
+  "v2.page.settings-mfa-password.default.additional-password-updated-at": "上次更新時間: <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-mfa-password.default.dialog-delete-description": "您確定要刪除輔助密碼嗎？",
+  "v2.page.settings-mfa-password.default.dialog-delete-title": "刪除輔助密碼",
+  "v2.page.settings-mfa-password.default.remove-button-label": "刪除輔助密碼",
+  "v2.page.settings-mfa-password.default.title": "輔助密碼",
+  "v2.page.settings-mfa.default.activated-label": "已啟用",
+  "v2.page.settings-mfa.default.additional-password-label": "輔助密碼",
+  "v2.page.settings-mfa.default.dialog-revoke-device-description": "您有{NumberOfDeviceTokens}個與您的帳戶關聯的受信任設備",
+  "v2.page.settings-mfa.default.dialog-revoke-device-title": "刪除受信任的裝置",
+  "v2.page.settings-mfa.default.inactive-label": "未啟用",
+  "v2.page.settings-mfa.default.secondary-oob-otp-email-label": "電郵",
+  "v2.page.settings-mfa.default.secondary-oob-otp-sms-label": "WhatsApp/短信訊息",
+  "v2.page.settings-mfa.default.secondary-totp-label": "驗證器應用程式／裝置",
+  "v2.page.settings-mfa.default.title": "多重驗證",
+  "v2.page.settings-mfa.default.trusted-devices-has-device-tokens-message": "您有{NumberOfDeviceTokens}個受信任裝置",
+  "v2.page.settings-mfa.default.trusted-devices-label": "受信任裝置",
+  "v2.page.settings-mfa.default.trusted-devices-no-device-tokens-message": "您沒有任何可以跳過兩個步驟驗證的受信任裝置。",
+  "v2.page.settings-oob-otp-email.default.title": "電子郵件",
+  "v2.page.settings-oob-otp-sms.default.title": "WhatsApp/短信訊息",
+  "v2.page.settings-oob-otp.default.added-at-label": "新增時間: <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-oob-otp.default.button-oob-otp-email-label": "+ 新增電子郵件",
+  "v2.page.settings-oob-otp.default.button-oob-otp-sms-label": "+ 新增WhatsApp/短信電話號碼",
+  "v2.page.settings-passkey.default.add-passkey-button-label": "+ 新增通行密匙",
+  "v2.page.settings-passkey.default.dialog-description": "您確定要刪除此密鑰嗎？",
+  "v2.page.settings-passkey.default.dialog-title": "移除 Passkey",
+  "v2.page.settings-passkey.default.item-description": "新增時間： <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
+  "v2.page.settings-passkey.default.title": "通行密鑰",
   "v2.page.settings-profile-edit-address.default.country-label": "國家",
   "v2.page.settings-profile-edit-address.default.locality-label": "城市",
-  "v2.page.settings-profile-edit-address.default.navbar-title": "地址",
   "v2.page.settings-profile-edit-address.default.postal-code-label": "郵遞區號",
   "v2.page.settings-profile-edit-address.default.region-label": "區域",
   "v2.page.settings-profile-edit-address.default.street-label": "街道地址",
-  "v2.page.settings-profile-edit-birthdate.default.navbar-title": "出生日期",
+  "v2.page.settings-profile-edit-address.default.title": "地址",
+  "v2.page.settings-profile-edit-birthdate.default.title": "出生日期",
   "v2.page.settings-profile-edit-gender.default.gender-label-custom": "自訂",
   "v2.page.settings-profile-edit-gender.default.gender-label-female": "女性",
   "v2.page.settings-profile-edit-gender.default.gender-label-male": "男性",
   "v2.page.settings-profile-edit-gender.default.gender-label-unspecified": "未提供",
   "v2.page.settings-profile-edit-gender.default.title": "性別",
-  "v2.page.settings-profile-edit-locale.default.navbar-title": "語言",
+  "v2.page.settings-profile-edit-locale.default.title": "語言",
   "v2.page.settings-profile-edit-name.default.family-name-input-label": "姓",
   "v2.page.settings-profile-edit-name.default.fullname-input-label": "全名",
   "v2.page.settings-profile-edit-name.default.given-name-input-label": "名",
   "v2.page.settings-profile-edit-name.default.middle-name-input-label": "中間名",
-  "v2.page.settings-profile-edit-name.default.navbar-title": "姓名",
   "v2.page.settings-profile-edit-name.default.nickname-input-label": "暱稱",
-  "v2.page.settings-profile-edit-zoneinfo.default.navbar-title": "時區",
+  "v2.page.settings-profile-edit-name.default.title": "姓名",
+  "v2.page.settings-profile-edit-zoneinfo.default.title": "時區",
   "v2.page.settings-profile-no-permission.default.content": "未經授權",
   "v2.page.settings-profile-no-permission.default.title": "系統錯誤",
   "v2.page.settings-profile.default.address-title": "地址",
@@ -1146,9 +1241,21 @@
   "v2.page.settings-profile.default.gender-title": "性別",
   "v2.page.settings-profile.default.language-title": "語言",
   "v2.page.settings-profile.default.name-title": "名稱",
-  "v2.page.settings-profile.default.navbar-title": "個人資料",
   "v2.page.settings-profile.default.profile-picture-title": "頭像",
+  "v2.page.settings-profile.default.title": "個人資料",
   "v2.page.settings-profile.default.zoneinfo-title": "時區",
+  "v2.page.settings-sessions.default.all-sessions-dialog-description": "你確認要登出所有其他裝置嗎？",
+  "v2.page.settings-sessions.default.all-sessions-dialog-title": "登出所有其他裝置",
+  "v2.page.settings-sessions.default.country-ip-item-description": "{countryName} ({countryCode}) - {ip}",
+  "v2.page.settings-sessions.default.device-item-description": "{isCurrent, select, true {{desc} · <span class=\"settings-description--primary-color\">使用中</span>} other {{desc} · <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>}}",
+  "v2.page.settings-sessions.default.revoke-all-label": "登出所有其他裝置",
+  "v2.page.settings-sessions.default.session-dialog-description": "你確認要登出此裝置嗎？",
+  "v2.page.settings-sessions.default.session-dialog-title": "登出裝置",
+  "v2.page.settings-sessions.default.title": "已登入的裝置",
+  "v2.page.settings-totp.default.added-at-label": "新增時間: <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=long>{time, datetime, short} UTC</span>",
+  "v2.page.settings-totp.default.button-add-authenticator-label": "+ 新增驗證器應用程式／裝置",
+  "v2.page.settings-totp.default.title": "驗證器應用程式／裝置",
+  "v2.page.settings.default.button-label-account-deletion": "刪除帳戶",
   "v2.page.settings.default.button-label-advanced-settings": "進階設定",
   "v2.page.settings.default.button-label-and-more": "{item} 還有更多",
   "v2.page.settings.default.button-label-back-to-app": "返回我的App",

From b883619c66b36912a8e8918fca67720077325083 Mon Sep 17 00:00:00 2001
From: Newman Chow <newman@oursky.com>
Date: Wed, 2 Oct 2024 17:56:32 +0800
Subject: [PATCH 06/17] Rename account management UIInfoResolver

---
 pkg/auth/deps.go                     | 2 +-
 pkg/lib/accountmanagement/service.go | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkg/auth/deps.go b/pkg/auth/deps.go
index 82e92d23cf..a9e4d65006 100644
--- a/pkg/auth/deps.go
+++ b/pkg/auth/deps.go
@@ -249,7 +249,7 @@ var DependencySet = wire.NewSet(
 	wire.Bind(new(api.JSONResponseWriter), new(*httputil.JSONResponseWriter)),
 	wire.Bind(new(authenticationflow.JSONResponseWriter), new(*httputil.JSONResponseWriter)),
 	wire.Bind(new(accountmanagement.RateLimitMiddlewareJSONResponseWriter), new(*httputil.JSONResponseWriter)),
-	wire.Bind(new(accountmanagement.SettingsDeleteAccountSuccessUIInfoResolver), new(*authenticationinfo.UIService)),
+	wire.Bind(new(accountmanagement.UIInfoResolver), new(*authenticationinfo.UIService)),
 
 	wire.Bind(new(handlerwebapp.PanicMiddlewareUIImplementationService), new(*web.UIImplementationService)),
 	wire.Bind(new(handlerwebapp.CSRFMiddlewareUIImplementationService), new(*web.UIImplementationService)),
diff --git a/pkg/lib/accountmanagement/service.go b/pkg/lib/accountmanagement/service.go
index 5a59b10261..3f8f9ac9a5 100644
--- a/pkg/lib/accountmanagement/service.go
+++ b/pkg/lib/accountmanagement/service.go
@@ -76,7 +76,7 @@ type PasskeyService interface {
 	ConsumeAttestationResponse(attestationResponse []byte) (err error)
 }
 
-type SettingsDeleteAccountSuccessUIInfoResolver interface {
+type UIInfoResolver interface {
 	SetAuthenticationInfoInQuery(redirectURI string, e *authenticationinfo.Entry) string
 }
 
@@ -110,7 +110,7 @@ type Service struct {
 	AuthenticationInfoService AuthenticationInfoService
 	PasskeyService            PasskeyService
 	Verification              VerificationService
-	UIInfoResolver            SettingsDeleteAccountSuccessUIInfoResolver
+	UIInfoResolver            UIInfoResolver
 }
 
 type StartAddingInput struct {

From 0390025c5bc4b34366904a9dcb54b01e44d3453f Mon Sep 17 00:00:00 2001
From: YinYin Chiu <cychiuae@connect.ust.hk>
Date: Thu, 19 Sep 2024 16:03:51 +0800
Subject: [PATCH 07/17] Implement update secondary password

---
 .../authflowv2/settings_change_password.go    |   4 +-
 .../service_authenticator.go                  | 155 ++++++++++++------
 2 files changed, 104 insertions(+), 55 deletions(-)

diff --git a/pkg/auth/handler/webapp/authflowv2/settings_change_password.go b/pkg/auth/handler/webapp/authflowv2/settings_change_password.go
index d90c1577ba..6105925c19 100644
--- a/pkg/auth/handler/webapp/authflowv2/settings_change_password.go
+++ b/pkg/auth/handler/webapp/authflowv2/settings_change_password.go
@@ -103,14 +103,14 @@ func (h *AuthflowV2SettingsChangePasswordHandler) ServeHTTP(w http.ResponseWrite
 			redirectURI = webappSession.RedirectURI
 		}
 
-		input := &accountmanagement.ChangePasswordInput{
+		input := &accountmanagement.ChangePrimaryPasswordInput{
 			OAuthSessionID: oAuthSessionID,
 			RedirectURI:    redirectURI,
 			OldPassword:    oldPassword,
 			NewPassword:    newPassword,
 		}
 
-		changePasswordOutput, err := h.AccountManagementService.ChangePassword(s, input)
+		changePasswordOutput, err := h.AccountManagementService.ChangePrimaryPassword(s, input)
 		if err != nil {
 			return err
 		}
diff --git a/pkg/lib/accountmanagement/service_authenticator.go b/pkg/lib/accountmanagement/service_authenticator.go
index b1c4cf7fc8..33bb9312ed 100644
--- a/pkg/lib/accountmanagement/service_authenticator.go
+++ b/pkg/lib/accountmanagement/service_authenticator.go
@@ -10,77 +10,47 @@ import (
 	"github.com/authgear/authgear-server/pkg/util/uuid"
 )
 
-type ChangePasswordInput struct {
+type ChangePrimaryPasswordInput struct {
 	OAuthSessionID string
 	RedirectURI    string
 	OldPassword    string
 	NewPassword    string
 }
 
-type ChangePasswordOutput struct {
+type ChangePrimaryPasswordOutput struct {
 	RedirectURI string
 }
 
 // If have OAuthSessionID, it means the user is changing password after login with SDK.
 // Then do special handling such as authenticationInfo
-func (s *Service) ChangePassword(resolvedSession session.ResolvedSession, input *ChangePasswordInput) (*ChangePasswordOutput, error) {
-	userID := resolvedSession.GetAuthenticationInfo().UserID
+func (s *Service) ChangePrimaryPassword(resolvedSession session.ResolvedSession, input *ChangePrimaryPasswordInput) (*ChangePrimaryPasswordOutput, error) {
 	redirectURI := input.RedirectURI
 
-	err := s.Database.WithTx(func() error {
-		ais, err := s.Authenticators.List(
-			userID,
-			authenticator.KeepType(model.AuthenticatorTypePassword),
-			authenticator.KeepKind(authenticator.KindPrimary),
-		)
-		if err != nil {
-			return err
-		}
-		if len(ais) == 0 {
-			return api.ErrNoPassword
-		}
-		oldInfo := ais[0]
-		_, err = s.Authenticators.VerifyWithSpec(oldInfo, &authenticator.Spec{
-			Password: &authenticator.PasswordSpec{
-				PlainPassword: input.OldPassword,
-			},
-		}, nil)
-		if err != nil {
-			err = api.ErrInvalidCredentials
-			return err
-		}
-		changed, newInfo, err := s.Authenticators.UpdatePassword(oldInfo, &authenticatorservice.UpdatePasswordOptions{
-			SetPassword:    true,
-			PlainPassword:  input.NewPassword,
-			SetExpireAfter: true,
-		})
-		if err != nil {
-			return err
-		}
-		if changed {
-			err = s.Authenticators.Update(newInfo)
-			if err != nil {
-				return err
-			}
-		}
-		// If is changing password with SDK.
-		if input.OAuthSessionID != "" {
-			authInfo := resolvedSession.GetAuthenticationInfo()
-			authenticationInfoEntry := authenticationinfo.NewEntry(authInfo, input.OAuthSessionID, "")
-
-			err = s.AuthenticationInfoService.Save(authenticationInfoEntry)
-			if err != nil {
-				return err
-			}
-			redirectURI = s.UIInfoResolver.SetAuthenticationInfoInQuery(input.RedirectURI, authenticationInfoEntry)
-		}
-		return nil
+	_, err := s.changePassword(resolvedSession, &changePasswordInput{
+		Kind:        authenticator.KindPrimary,
+		OldPassword: input.OldPassword,
+		NewPassword: input.NewPassword,
 	})
+
 	if err != nil {
 		return nil, err
 	}
-	return &ChangePasswordOutput{RedirectURI: redirectURI}, nil
 
+	// If is changing password with SDK.
+	if input.OAuthSessionID != "" {
+		authInfo := resolvedSession.GetAuthenticationInfo()
+		authenticationInfoEntry := authenticationinfo.NewEntry(authInfo, input.OAuthSessionID, "")
+
+		err = s.AuthenticationInfoService.Save(authenticationInfoEntry)
+		if err != nil {
+			return nil, err
+		}
+		redirectURI = s.UIInfoResolver.SetAuthenticationInfoInQuery(input.RedirectURI, authenticationInfoEntry)
+	}
+
+	return &ChangePrimaryPasswordOutput{
+		RedirectURI: redirectURI,
+	}, nil
 }
 
 type CreateAdditionalPasswordInput struct {
@@ -124,3 +94,82 @@ func (s *Service) createAuthenticator(authenticatorInfo *authenticator.Info) err
 	}
 	return nil
 }
+
+type ChangeSecondaryPasswordInput struct {
+	OldPassword string
+	NewPassword string
+}
+
+type ChangeSecondaryPasswordOutput struct {
+}
+
+func (s *Service) ChangeSecondaryPassword(resolvedSession session.ResolvedSession, input *ChangeSecondaryPasswordInput) (*ChangeSecondaryPasswordOutput, error) {
+	_, err := s.changePassword(resolvedSession, &changePasswordInput{
+		Kind:        authenticator.KindSecondary,
+		OldPassword: input.OldPassword,
+		NewPassword: input.NewPassword,
+	})
+
+	if err != nil {
+		return nil, err
+	}
+
+	return &ChangeSecondaryPasswordOutput{}, nil
+}
+
+type changePasswordInput struct {
+	Kind        authenticator.Kind
+	OldPassword string
+	NewPassword string
+}
+
+type changePasswordOutput struct {
+}
+
+func (s *Service) changePassword(resolvedSession session.ResolvedSession, input *changePasswordInput) (*changePasswordOutput, error) {
+	userID := resolvedSession.GetAuthenticationInfo().UserID
+
+	err := s.Database.WithTx(func() error {
+		ais, err := s.Authenticators.List(
+			userID,
+			authenticator.KeepType(model.AuthenticatorTypePassword),
+			authenticator.KeepKind(input.Kind),
+		)
+		if err != nil {
+			return err
+		}
+		if len(ais) == 0 {
+			return api.ErrNoPassword
+		}
+		oldInfo := ais[0]
+		_, err = s.Authenticators.VerifyWithSpec(oldInfo, &authenticator.Spec{
+			Password: &authenticator.PasswordSpec{
+				PlainPassword: input.OldPassword,
+			},
+		}, nil)
+		if err != nil {
+			err = api.ErrInvalidCredentials
+			return err
+		}
+		changed, newInfo, err := s.Authenticators.UpdatePassword(oldInfo, &authenticatorservice.UpdatePasswordOptions{
+			SetPassword:    true,
+			PlainPassword:  input.NewPassword,
+			SetExpireAfter: true,
+		})
+		if err != nil {
+			return err
+		}
+		if changed {
+			err = s.Authenticators.Update(newInfo)
+			if err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	return &changePasswordOutput{}, nil
+
+}

From 3bff65e20b8299453c4fee30ec8addef657b4aa3 Mon Sep 17 00:00:00 2001
From: YinYin Chiu <cychiuae@connect.ust.hk>
Date: Thu, 19 Sep 2024 16:06:11 +0800
Subject: [PATCH 08/17] Align terminology

Change additional password to secondary password
---
 .../settings_mfa_create_password.go           |  2 +-
 .../service_authenticator.go                  | 51 +++++++++++--------
 2 files changed, 30 insertions(+), 23 deletions(-)

diff --git a/pkg/auth/handler/webapp/authflowv2/settings_mfa_create_password.go b/pkg/auth/handler/webapp/authflowv2/settings_mfa_create_password.go
index 404605eabf..fbb7c08edd 100644
--- a/pkg/auth/handler/webapp/authflowv2/settings_mfa_create_password.go
+++ b/pkg/auth/handler/webapp/authflowv2/settings_mfa_create_password.go
@@ -96,7 +96,7 @@ func (h *AuthflowV2SettingsMFACreatePasswordHandler) ServeHTTP(w http.ResponseWr
 		}
 
 		s := session.GetSession(r.Context())
-		err = h.AccountManagementService.CreateAdditionalPassword(s, accountmanagement.CreateAdditionalPasswordInput{
+		_, err = h.AccountManagementService.CreateSecondaryPassword(s, accountmanagement.CreateSecondaryPasswordInput{
 			PlainPassword: newPassword,
 		})
 		if err != nil {
diff --git a/pkg/lib/accountmanagement/service_authenticator.go b/pkg/lib/accountmanagement/service_authenticator.go
index 33bb9312ed..60a3213619 100644
--- a/pkg/lib/accountmanagement/service_authenticator.go
+++ b/pkg/lib/accountmanagement/service_authenticator.go
@@ -53,11 +53,14 @@ func (s *Service) ChangePrimaryPassword(resolvedSession session.ResolvedSession,
 	}, nil
 }
 
-type CreateAdditionalPasswordInput struct {
+type CreateSecondaryPasswordInput struct {
 	PlainPassword string
 }
 
-func (s *Service) CreateAdditionalPassword(resolvedSession session.ResolvedSession, input CreateAdditionalPasswordInput) error {
+type CreateSecondaryPasswordOutput struct {
+}
+
+func (s *Service) CreateSecondaryPassword(resolvedSession session.ResolvedSession, input CreateSecondaryPasswordInput) (*CreateSecondaryPasswordOutput, error) {
 	userID := resolvedSession.GetAuthenticationInfo().UserID
 	spec := &authenticator.Spec{
 		UserID:    userID,
@@ -70,29 +73,13 @@ func (s *Service) CreateAdditionalPassword(resolvedSession session.ResolvedSessi
 	}
 	info, err := s.Authenticators.NewWithAuthenticatorID(uuid.New(), spec)
 	if err != nil {
-		return err
+		return nil, err
 	}
-	return s.createAuthenticator(info)
-}
-
-func (s *Service) createAuthenticator(authenticatorInfo *authenticator.Info) error {
-	err := s.Database.WithTx(func() error {
-		err := s.Authenticators.Create(authenticatorInfo, false)
-		if err != nil {
-			return err
-		}
-		if authenticatorInfo.Kind == authenticator.KindSecondary {
-			err = s.Users.UpdateMFAEnrollment(authenticatorInfo.UserID, nil)
-			if err != nil {
-				return err
-			}
-		}
-		return nil
-	})
+	err = s.createAuthenticator(info)
 	if err != nil {
-		return err
+		return nil, err
 	}
-	return nil
+	return &CreateSecondaryPasswordOutput{}, nil
 }
 
 type ChangeSecondaryPasswordInput struct {
@@ -173,3 +160,23 @@ func (s *Service) changePassword(resolvedSession session.ResolvedSession, input
 	return &changePasswordOutput{}, nil
 
 }
+
+func (s *Service) createAuthenticator(authenticatorInfo *authenticator.Info) error {
+	err := s.Database.WithTx(func() error {
+		err := s.Authenticators.Create(authenticatorInfo, false)
+		if err != nil {
+			return err
+		}
+		if authenticatorInfo.Kind == authenticator.KindSecondary {
+			err = s.Users.UpdateMFAEnrollment(authenticatorInfo.UserID, nil)
+			if err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+	return nil
+}

From f4f623ec00ee2b9b441ab44eface5c42b2c086e7 Mon Sep 17 00:00:00 2001
From: YinYin Chiu <cychiuae@connect.ust.hk>
Date: Thu, 19 Sep 2024 16:20:13 +0800
Subject: [PATCH 09/17] Add totp secret to token

---
 pkg/lib/accountmanagement/redis_store.go      | 31 ++++++++++++++-----
 pkg/lib/accountmanagement/service_identity.go | 20 ++++++------
 pkg/lib/accountmanagement/token.go            |  8 +++++
 3 files changed, 41 insertions(+), 18 deletions(-)

diff --git a/pkg/lib/accountmanagement/redis_store.go b/pkg/lib/accountmanagement/redis_store.go
index 5093f42d65..72151efeb4 100644
--- a/pkg/lib/accountmanagement/redis_store.go
+++ b/pkg/lib/accountmanagement/redis_store.go
@@ -31,13 +31,15 @@ type GenerateTokenOptions struct {
 	RedirectURI string
 
 	// Phone
-	PhoneNumber string
-
+	IdentityPhoneNumber string
 	// Email
-	Email string
-
+	IdentityEmail string
 	// IdentityID for updating identity
 	IdentityID string
+
+	// AuthenticatorID for updating identity
+	AuthenticatorID         string
+	AuthenticatorTOTPSecret string
 }
 
 func (s *RedisStore) GenerateToken(options GenerateTokenOptions) (string, error) {
@@ -48,10 +50,21 @@ func (s *RedisStore) GenerateToken(options GenerateTokenOptions) (string, error)
 	ttl := duration.UserInteraction
 	expireAt := now.Add(ttl)
 
-	tokenIdentity := &TokenIdentity{
-		IdentityID:  options.IdentityID,
-		PhoneNumber: options.PhoneNumber,
-		Email:       options.Email,
+	var tokenIdentity *TokenIdentity
+	if options.IdentityID != "" || options.IdentityPhoneNumber != "" || options.IdentityEmail != "" {
+		tokenIdentity = &TokenIdentity{
+			IdentityID:  options.IdentityID,
+			PhoneNumber: options.IdentityPhoneNumber,
+			Email:       options.IdentityEmail,
+		}
+	}
+
+	var tokenAuthenticator *TokenAuthenticator
+	if options.AuthenticatorID != "" || options.AuthenticatorTOTPSecret != "" {
+		tokenAuthenticator = &TokenAuthenticator{
+			AuthenticatorID: options.AuthenticatorID,
+			TOTPSecret:      options.AuthenticatorTOTPSecret,
+		}
 	}
 
 	token := &Token{
@@ -68,6 +81,8 @@ func (s *RedisStore) GenerateToken(options GenerateTokenOptions) (string, error)
 
 		// Identity
 		Identity: tokenIdentity,
+
+		Authenticator: tokenAuthenticator,
 	}
 
 	tokenBytes, err := json.Marshal(token)
diff --git a/pkg/lib/accountmanagement/service_identity.go b/pkg/lib/accountmanagement/service_identity.go
index 766265b50f..6266800e50 100644
--- a/pkg/lib/accountmanagement/service_identity.go
+++ b/pkg/lib/accountmanagement/service_identity.go
@@ -189,8 +189,8 @@ func (s *Service) StartAddIdentityEmail(resolvedSession session.ResolvedSession,
 				return err
 			}
 			token, err = s.Store.GenerateToken(GenerateTokenOptions{
-				UserID: userID,
-				Email:  info.LoginID.LoginID,
+				UserID:        userID,
+				IdentityEmail: info.LoginID.LoginID,
 			})
 			if err != nil {
 				return err
@@ -342,9 +342,9 @@ func (s *Service) StartUpdateIdentityEmail(resolvedSession session.ResolvedSessi
 				return err
 			}
 			token, err = s.Store.GenerateToken(GenerateTokenOptions{
-				UserID:     userID,
-				Email:      newInfo.LoginID.LoginID,
-				IdentityID: newInfo.ID,
+				UserID:        userID,
+				IdentityEmail: newInfo.LoginID.LoginID,
+				IdentityID:    newInfo.ID,
 			})
 			if err != nil {
 				return err
@@ -577,8 +577,8 @@ func (s *Service) StartAddIdentityPhone(resolvedSession session.ResolvedSession,
 				return err
 			}
 			token, err = s.Store.GenerateToken(GenerateTokenOptions{
-				UserID:      userID,
-				PhoneNumber: info.LoginID.LoginID,
+				UserID:              userID,
+				IdentityPhoneNumber: info.LoginID.LoginID,
 			})
 			if err != nil {
 				return err
@@ -728,9 +728,9 @@ func (s *Service) StartUpdateIdentityPhone(resolvedSession session.ResolvedSessi
 				return err
 			}
 			token, err = s.Store.GenerateToken(GenerateTokenOptions{
-				UserID:      userID,
-				PhoneNumber: info.LoginID.LoginID,
-				IdentityID:  info.ID,
+				UserID:              userID,
+				IdentityPhoneNumber: info.LoginID.LoginID,
+				IdentityID:          info.ID,
 			})
 			if err != nil {
 				return err
diff --git a/pkg/lib/accountmanagement/token.go b/pkg/lib/accountmanagement/token.go
index 2d8e50bac1..775f97169f 100644
--- a/pkg/lib/accountmanagement/token.go
+++ b/pkg/lib/accountmanagement/token.go
@@ -22,6 +22,9 @@ type Token struct {
 
 	// Adding Identity
 	Identity *TokenIdentity `json:"token_identity,omitempty"`
+
+	// Authenticator
+	Authenticator *TokenAuthenticator `json:"token_authenticator,omitempty"`
 }
 
 type TokenIdentity struct {
@@ -30,6 +33,11 @@ type TokenIdentity struct {
 	Email       string `json:"email,omitempty"`
 }
 
+type TokenAuthenticator struct {
+	AuthenticatorID string `json:"authenticator_id,omitempty"`
+	TOTPSecret      string `json:"totp_secret,omitempty"`
+}
+
 func (t *Token) CheckUser(userID string) error {
 	if subtle.ConstantTimeCompare([]byte(t.UserID), []byte(userID)) == 1 {
 		return nil

From 65fcb6da379b7f0f0dd2b9fb41c6441973550505 Mon Sep 17 00:00:00 2001
From: Newman Chow <newman@oursky.com>
Date: Mon, 30 Sep 2024 13:05:05 +0800
Subject: [PATCH 10/17] Add start create totp in account management

---
 pkg/lib/accountmanagement/redis_store.go      | 22 ++++++---
 pkg/lib/accountmanagement/service.go          | 10 ++++
 .../service_authenticator.go                  | 49 ++++++++++++++++++-
 pkg/lib/accountmanagement/token.go            |  9 +++-
 pkg/lib/deps/deps_common.go                   |  1 +
 5 files changed, 82 insertions(+), 9 deletions(-)

diff --git a/pkg/lib/accountmanagement/redis_store.go b/pkg/lib/accountmanagement/redis_store.go
index 72151efeb4..c3647bcafb 100644
--- a/pkg/lib/accountmanagement/redis_store.go
+++ b/pkg/lib/accountmanagement/redis_store.go
@@ -37,9 +37,14 @@ type GenerateTokenOptions struct {
 	// IdentityID for updating identity
 	IdentityID string
 
-	// AuthenticatorID for updating identity
-	AuthenticatorID         string
-	AuthenticatorTOTPSecret string
+	// AuthenticatorID for updating authenticator
+	AuthenticatorID                   string
+	AuthenticatorRecoveryCodes        []string
+	AuthenticatorTOTPIssuer           string
+	AuthenticatorTOTPEndUserAccountID string
+	AuthenticatorTOTPDisplayName      string
+	AuthenticatorTOTPSecret           string
+	AuthenticatorTOTPVerified         bool
 }
 
 func (s *RedisStore) GenerateToken(options GenerateTokenOptions) (string, error) {
@@ -60,10 +65,15 @@ func (s *RedisStore) GenerateToken(options GenerateTokenOptions) (string, error)
 	}
 
 	var tokenAuthenticator *TokenAuthenticator
-	if options.AuthenticatorID != "" || options.AuthenticatorTOTPSecret != "" {
+	if options.AuthenticatorID != "" || options.AuthenticatorTOTPSecret != "" || options.AuthenticatorTOTPVerified || len(options.AuthenticatorRecoveryCodes) > 0 {
 		tokenAuthenticator = &TokenAuthenticator{
-			AuthenticatorID: options.AuthenticatorID,
-			TOTPSecret:      options.AuthenticatorTOTPSecret,
+			AuthenticatorID:      options.AuthenticatorID,
+			TOTPIssuer:           options.AuthenticatorTOTPIssuer,
+			TOTPDisplayName:      options.AuthenticatorTOTPDisplayName,
+			TOTPEndUserAccountID: options.AuthenticatorTOTPEndUserAccountID,
+			TOTPSecret:           options.AuthenticatorTOTPSecret,
+			TOTPVerified:         options.AuthenticatorTOTPVerified,
+			RecoveryCodes:        options.AuthenticatorRecoveryCodes,
 		}
 	}
 
diff --git a/pkg/lib/accountmanagement/service.go b/pkg/lib/accountmanagement/service.go
index 3f8f9ac9a5..3a1d2b01bb 100644
--- a/pkg/lib/accountmanagement/service.go
+++ b/pkg/lib/accountmanagement/service.go
@@ -15,6 +15,7 @@ import (
 	"github.com/authgear/authgear-server/pkg/lib/authn/authenticator"
 	"github.com/authgear/authgear-server/pkg/lib/authn/authenticator/service"
 	"github.com/authgear/authgear-server/pkg/lib/authn/identity"
+	"github.com/authgear/authgear-server/pkg/lib/authn/mfa"
 	"github.com/authgear/authgear-server/pkg/lib/authn/otp"
 	"github.com/authgear/authgear-server/pkg/lib/config"
 	"github.com/authgear/authgear-server/pkg/lib/facade"
@@ -24,6 +25,7 @@ import (
 	"github.com/authgear/authgear-server/pkg/lib/session"
 	"github.com/authgear/authgear-server/pkg/lib/translation"
 	"github.com/authgear/authgear-server/pkg/util/accesscontrol"
+	"github.com/authgear/authgear-server/pkg/util/httputil"
 )
 
 type UserService interface {
@@ -60,6 +62,7 @@ type EventService interface {
 }
 
 type AuthenticatorService interface {
+	New(spec *authenticator.Spec) (*authenticator.Info, error)
 	NewWithAuthenticatorID(authenticatorID string, spec *authenticator.Spec) (*authenticator.Info, error)
 	List(userID string, filters ...authenticator.Filter) ([]*authenticator.Info, error)
 	Create(authenticatorInfo *authenticator.Info, markVerified bool) error
@@ -72,6 +75,11 @@ type AuthenticationInfoService interface {
 	Save(entry *authenticationinfo.Entry) error
 }
 
+type MFAService interface {
+	GenerateRecoveryCodes() []string
+	ReplaceRecoveryCodes(userID string, codes []string) ([]*mfa.RecoveryCode, error)
+}
+
 type PasskeyService interface {
 	ConsumeAttestationResponse(attestationResponse []byte) (err error)
 }
@@ -99,6 +107,7 @@ type VerificationService interface {
 type Service struct {
 	Database                  *appdb.Handle
 	Config                    *config.AppConfig
+	HTTPOrigin                httputil.HTTPOrigin
 	Users                     UserService
 	Store                     Store
 	OAuthProvider             OAuthProvider
@@ -108,6 +117,7 @@ type Service struct {
 	OTPCodeService            OTPCodeService
 	Authenticators            AuthenticatorService
 	AuthenticationInfoService AuthenticationInfoService
+	MFA                       MFAService
 	PasskeyService            PasskeyService
 	Verification              VerificationService
 	UIInfoResolver            UIInfoResolver
diff --git a/pkg/lib/accountmanagement/service_authenticator.go b/pkg/lib/accountmanagement/service_authenticator.go
index 60a3213619..13d5f6815d 100644
--- a/pkg/lib/accountmanagement/service_authenticator.go
+++ b/pkg/lib/accountmanagement/service_authenticator.go
@@ -7,7 +7,7 @@ import (
 	"github.com/authgear/authgear-server/pkg/lib/authn/authenticator"
 	authenticatorservice "github.com/authgear/authgear-server/pkg/lib/authn/authenticator/service"
 	"github.com/authgear/authgear-server/pkg/lib/session"
-	"github.com/authgear/authgear-server/pkg/util/uuid"
+	"github.com/authgear/authgear-server/pkg/util/secretcode"
 )
 
 type ChangePrimaryPasswordInput struct {
@@ -104,6 +104,53 @@ func (s *Service) ChangeSecondaryPassword(resolvedSession session.ResolvedSessio
 	return &ChangeSecondaryPasswordOutput{}, nil
 }
 
+type StartAddTOTPAuthenticatorInput struct{}
+type StartAddTOTPAuthenticatorOutput struct {
+	Token                   string
+	EndUserAccountID        string
+	AuthenticatorTOTPIssuer string
+	AuthenticatorTOTPSecret string
+}
+
+func (s *Service) StartAddTOTPAuthenticator(resolvedSession session.ResolvedSession, input *StartAddTOTPAuthenticatorInput) (*StartAddTOTPAuthenticatorOutput, error) {
+	userID := resolvedSession.GetAuthenticationInfo().UserID
+
+	var endUserAccountID string
+	err := s.Database.WithTx(func() error {
+		user, err := s.Users.Get(userID, accesscontrol.RoleGreatest)
+		if err != nil {
+			return err
+		}
+		endUserAccountID = user.EndUserAccountID
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	totp, err := secretcode.NewTOTPFromRNG()
+	if err != nil {
+		return nil, err
+	}
+	token, err := s.Store.GenerateToken(GenerateTokenOptions{
+		UserID:                            userID,
+		AuthenticatorTOTPIssuer:           string(s.HTTPOrigin),
+		AuthenticatorTOTPEndUserAccountID: endUserAccountID,
+		AuthenticatorTOTPSecret:           totp.Secret,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return &StartAddTOTPAuthenticatorOutput{
+		Token:                   token,
+		EndUserAccountID:        endUserAccountID,
+		AuthenticatorTOTPIssuer: string(s.HTTPOrigin),
+		AuthenticatorTOTPSecret: totp.Secret,
+	}, nil
+}
+
+
 type changePasswordInput struct {
 	Kind        authenticator.Kind
 	OldPassword string
diff --git a/pkg/lib/accountmanagement/token.go b/pkg/lib/accountmanagement/token.go
index 775f97169f..b597ace5ea 100644
--- a/pkg/lib/accountmanagement/token.go
+++ b/pkg/lib/accountmanagement/token.go
@@ -34,8 +34,13 @@ type TokenIdentity struct {
 }
 
 type TokenAuthenticator struct {
-	AuthenticatorID string `json:"authenticator_id,omitempty"`
-	TOTPSecret      string `json:"totp_secret,omitempty"`
+	AuthenticatorID      string   `json:"authenticator_id,omitempty"`
+	TOTPIssuer           string   `json:"totp_issuer,omitempty"`
+	TOTPDisplayName      string   `json:"totp_display_name,omitempty"`
+	TOTPEndUserAccountID string   `json:"end_user_account_id,omitempty"`
+	TOTPSecret           string   `json:"totp_secret,omitempty"`
+	TOTPVerified         bool     `json:"totp_verified,omitempty"`
+	RecoveryCodes        []string `json:"recovery_codes,omitempty"`
 }
 
 func (t *Token) CheckUser(userID string) error {
diff --git a/pkg/lib/deps/deps_common.go b/pkg/lib/deps/deps_common.go
index f877b859ac..8611bd1041 100644
--- a/pkg/lib/deps/deps_common.go
+++ b/pkg/lib/deps/deps_common.go
@@ -327,6 +327,7 @@ var CommonDependencySet = wire.NewSet(
 		wire.Bind(new(userimport.IdentityService), new(*facade.IdentityFacade)),
 		wire.Bind(new(userimport.AuthenticatorService), new(*facade.AuthenticatorFacade)),
 		wire.Bind(new(accountmanagement.IdentityService), new(*facade.IdentityFacade)),
+		wire.Bind(new(accountmanagement.MFAService), new(*facade.MFAFacade)),
 		wire.Bind(new(oauth.AccessTokenEncodingIdentityService), new(*facade.IdentityFacade)),
 		wire.Bind(new(authenticationflow.UserFacade), new(*facade.UserFacade)),
 		wire.Bind(new(handlersaml.SAMLUserFacade), new(*facade.UserFacade)),

From 139f6b2db81f1c3ba3e0066a1d792c663a362786 Mon Sep 17 00:00:00 2001
From: Newman Chow <newman@oursky.com>
Date: Mon, 30 Sep 2024 13:50:11 +0800
Subject: [PATCH 11/17] Add resume create totp in account management

---
 .../service_authenticator.go                  | 79 +++++++++++++++++++
 1 file changed, 79 insertions(+)

diff --git a/pkg/lib/accountmanagement/service_authenticator.go b/pkg/lib/accountmanagement/service_authenticator.go
index 13d5f6815d..b90fc76e07 100644
--- a/pkg/lib/accountmanagement/service_authenticator.go
+++ b/pkg/lib/accountmanagement/service_authenticator.go
@@ -150,6 +150,85 @@ func (s *Service) StartAddTOTPAuthenticator(resolvedSession session.ResolvedSess
 	}, nil
 }
 
+type ResumeAddTOTPAuthenticatorInput struct {
+	DisplayName string
+	Code        string
+}
+type ResumeAddTOTPAuthenticatorOutput struct {
+	Token string
+}
+
+func (s *Service) ResumeAddTOTPAuthenticator(resolvedSession session.ResolvedSession, tokenString string, input *ResumeAddTOTPAuthenticatorInput) (output *ResumeAddTOTPAuthenticatorOutput, err error) {
+	userID := resolvedSession.GetAuthenticationInfo().UserID
+	token, err := s.Store.GetToken(tokenString)
+	defer func() {
+		if err == nil {
+			_, err = s.Store.ConsumeToken(tokenString)
+		}
+	}()
+
+	if err != nil {
+		return
+	}
+
+	err = token.CheckUser(userID)
+	if err != nil {
+		return
+	}
+
+	info, err := s.Authenticators.New(
+		&authenticator.Spec{
+			UserID:    userID,
+			IsDefault: false,
+			Kind:      model.AuthenticatorKindSecondary,
+			Type:      model.AuthenticatorTypeTOTP,
+			TOTP: &authenticator.TOTPSpec{
+				DisplayName: input.DisplayName,
+				Secret:      token.Authenticator.TOTPSecret,
+			},
+		},
+	)
+	if err != nil {
+		return
+	}
+	_, err = s.Authenticators.VerifyWithSpec(
+		info,
+		&authenticator.Spec{
+			UserID:    userID,
+			IsDefault: false,
+			Kind:      model.AuthenticatorKindSecondary,
+			Type:      model.AuthenticatorTypeTOTP,
+			TOTP: &authenticator.TOTPSpec{
+				DisplayName: input.DisplayName,
+				Code:        input.Code,
+			},
+		},
+		nil,
+	)
+
+	if err != nil {
+		return
+	}
+
+	recoveryCodes := s.MFA.GenerateRecoveryCodes()
+
+	newToken, err := s.Store.GenerateToken(GenerateTokenOptions{
+		UserID:                       userID,
+		AuthenticatorTOTPDisplayName: input.DisplayName,
+		AuthenticatorTOTPSecret:      token.Authenticator.TOTPSecret,
+		AuthenticatorTOTPVerified:    true,
+		AuthenticatorRecoveryCodes:   recoveryCodes,
+	})
+	if err != nil {
+		return
+	}
+
+	output = &ResumeAddTOTPAuthenticatorOutput{
+		Token: newToken,
+	}
+	return
+}
+
 
 type changePasswordInput struct {
 	Kind        authenticator.Kind

From 06c04ff76e0a00fe5fa7c26df2b00bfa7d36e977 Mon Sep 17 00:00:00 2001
From: Newman Chow <newman@oursky.com>
Date: Mon, 30 Sep 2024 13:52:35 +0800
Subject: [PATCH 12/17] Add finish create totp in account management

---
 .../service_authenticator.go                  | 146 ++++++++++++------
 1 file changed, 98 insertions(+), 48 deletions(-)

diff --git a/pkg/lib/accountmanagement/service_authenticator.go b/pkg/lib/accountmanagement/service_authenticator.go
index b90fc76e07..12d1dfa29c 100644
--- a/pkg/lib/accountmanagement/service_authenticator.go
+++ b/pkg/lib/accountmanagement/service_authenticator.go
@@ -7,7 +7,9 @@ import (
 	"github.com/authgear/authgear-server/pkg/lib/authn/authenticator"
 	authenticatorservice "github.com/authgear/authgear-server/pkg/lib/authn/authenticator/service"
 	"github.com/authgear/authgear-server/pkg/lib/session"
+	"github.com/authgear/authgear-server/pkg/util/accesscontrol"
 	"github.com/authgear/authgear-server/pkg/util/secretcode"
+	"github.com/authgear/authgear-server/pkg/util/uuid"
 )
 
 type ChangePrimaryPasswordInput struct {
@@ -229,80 +231,128 @@ func (s *Service) ResumeAddTOTPAuthenticator(resolvedSession session.ResolvedSes
 	return
 }
 
-
-type changePasswordInput struct {
-	Kind        authenticator.Kind
-	OldPassword string
-	NewPassword string
+type FinishAddTOTPAuthenticatorInput struct {
 }
 
-type changePasswordOutput struct {
+type FinishAddTOTPAuthenticatorOutput struct {
+	Info *authenticator.Info
 }
 
-func (s *Service) changePassword(resolvedSession session.ResolvedSession, input *changePasswordInput) (*changePasswordOutput, error) {
+func (s *Service) FinishAddTOTPAuthenticator(resolvedSession session.ResolvedSession, tokenString string, input *FinishAddTOTPAuthenticatorInput) (output *FinishAddTOTPAuthenticatorOutput, err error) {
 	userID := resolvedSession.GetAuthenticationInfo().UserID
-
-	err := s.Database.WithTx(func() error {
-		ais, err := s.Authenticators.List(
-			userID,
-			authenticator.KeepType(model.AuthenticatorTypePassword),
-			authenticator.KeepKind(input.Kind),
-		)
-		if err != nil {
-			return err
-		}
-		if len(ais) == 0 {
-			return api.ErrNoPassword
+	token, err := s.Store.GetToken(tokenString)
+	defer func() {
+		if err == nil {
+			_, err = s.Store.ConsumeToken(tokenString)
 		}
-		oldInfo := ais[0]
-		_, err = s.Authenticators.VerifyWithSpec(oldInfo, &authenticator.Spec{
-			Password: &authenticator.PasswordSpec{
-				PlainPassword: input.OldPassword,
+	}()
+
+	if err != nil {
+		return
+	}
+
+	err = token.CheckUser(userID)
+	if err != nil {
+		return
+	}
+
+	info, err := s.Authenticators.New(
+		&authenticator.Spec{
+			UserID:    userID,
+			IsDefault: false,
+			Kind:      model.AuthenticatorKindSecondary,
+			Type:      model.AuthenticatorTypeTOTP,
+			TOTP: &authenticator.TOTPSpec{
+				DisplayName: token.Authenticator.TOTPDisplayName,
+				Secret:      token.Authenticator.TOTPSecret,
 			},
-		}, nil)
+		},
+	)
+	if err != nil {
+		return
+	}
+	err = s.Database.WithTx(func() error {
+		err = s.createAuthenticator(info)
 		if err != nil {
-			err = api.ErrInvalidCredentials
 			return err
 		}
-		changed, newInfo, err := s.Authenticators.UpdatePassword(oldInfo, &authenticatorservice.UpdatePasswordOptions{
-			SetPassword:    true,
-			PlainPassword:  input.NewPassword,
-			SetExpireAfter: true,
-		})
+
+		_, err = s.MFA.ReplaceRecoveryCodes(userID, token.Authenticator.RecoveryCodes)
 		if err != nil {
 			return err
 		}
-		if changed {
-			err = s.Authenticators.Update(newInfo)
-			if err != nil {
-				return err
-			}
-		}
+
 		return nil
 	})
+
+	output = &FinishAddTOTPAuthenticatorOutput{
+		Info: info,
+	}
+	return
+}
+
+type changePasswordInput struct {
+	Kind        authenticator.Kind
+	OldPassword string
+	NewPassword string
+}
+
+type changePasswordOutput struct {
+}
+
+func (s *Service) changePassword(resolvedSession session.ResolvedSession, input *changePasswordInput) (*changePasswordOutput, error) {
+	userID := resolvedSession.GetAuthenticationInfo().UserID
+
+	ais, err := s.Authenticators.List(
+		userID,
+		authenticator.KeepType(model.AuthenticatorTypePassword),
+		authenticator.KeepKind(input.Kind),
+	)
+	if err != nil {
+		return nil, err
+	}
+	if len(ais) == 0 {
+		return nil, api.ErrNoPassword
+	}
+	oldInfo := ais[0]
+	_, err = s.Authenticators.VerifyWithSpec(oldInfo, &authenticator.Spec{
+		Password: &authenticator.PasswordSpec{
+			PlainPassword: input.OldPassword,
+		},
+	}, nil)
 	if err != nil {
+		err = api.ErrInvalidCredentials
 		return nil, err
 	}
+	changed, newInfo, err := s.Authenticators.UpdatePassword(oldInfo, &authenticatorservice.UpdatePasswordOptions{
+		SetPassword:    true,
+		PlainPassword:  input.NewPassword,
+		SetExpireAfter: true,
+	})
+	if err != nil {
+		return nil, err
+	}
+	if changed {
+		err = s.Authenticators.Update(newInfo)
+		if err != nil {
+			return nil, err
+		}
+	}
 	return &changePasswordOutput{}, nil
 
 }
 
 func (s *Service) createAuthenticator(authenticatorInfo *authenticator.Info) error {
-	err := s.Database.WithTx(func() error {
-		err := s.Authenticators.Create(authenticatorInfo, false)
+	err := s.Authenticators.Create(authenticatorInfo, true)
+	if err != nil {
+		return err
+	}
+	if authenticatorInfo.Kind == authenticator.KindSecondary {
+		err = s.Users.UpdateMFAEnrollment(authenticatorInfo.UserID, nil)
 		if err != nil {
 			return err
 		}
-		if authenticatorInfo.Kind == authenticator.KindSecondary {
-			err = s.Users.UpdateMFAEnrollment(authenticatorInfo.UserID, nil)
-			if err != nil {
-				return err
-			}
-		}
-		return nil
-	})
-	if err != nil {
-		return err
 	}
+
 	return nil
 }

From 84f25879cc6a0f27260cf76e278b700a824344ab Mon Sep 17 00:00:00 2001
From: Newman Chow <newman@oursky.com>
Date: Mon, 30 Sep 2024 14:00:04 +0800
Subject: [PATCH 13/17] Add settings v2 create totp page

---
 pkg/auth/handler/webapp/authflowv2/deps.go    |   1 +
 pkg/auth/handler/webapp/authflowv2/routes.go  |  10 +-
 .../authflowv2/settings_mfa_create_totp.go    | 118 ++++++++++++++++++
 ...{settings_totp.go => settings_mfa_totp.go} |  30 ++++-
 pkg/auth/routes.go                            |   1 +
 pkg/auth/wire_handler.go                      |   7 ++
 .../authgear/templates/en/translation.json    |   3 +
 .../en/web/authflowv2/settings_mfa.html       |   2 +-
 .../authflowv2/settings_mfa_create_totp.html  |  59 +++++++++
 ...tings_totp.html => settings_mfa_totp.html} |  16 ++-
 10 files changed, 236 insertions(+), 11 deletions(-)
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_mfa_create_totp.go
 rename pkg/auth/handler/webapp/authflowv2/{settings_totp.go => settings_mfa_totp.go} (75%)
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_mfa_create_totp.html
 rename resources/authgear/templates/en/web/authflowv2/{settings_totp.html => settings_mfa_totp.html} (86%)

diff --git a/pkg/auth/handler/webapp/authflowv2/deps.go b/pkg/auth/handler/webapp/authflowv2/deps.go
index 3a671f4869..d4d2b35633 100644
--- a/pkg/auth/handler/webapp/authflowv2/deps.go
+++ b/pkg/auth/handler/webapp/authflowv2/deps.go
@@ -55,6 +55,7 @@ var DependencySet = wire.NewSet(
 	wire.Struct(new(AuthflowV2SettingsMFACreatePasswordHandler), "*"),
 	wire.Struct(new(AuthflowV2SettingsMFAPasswordHandler), "*"),
 	wire.Struct(new(AuthflowV2SettingsTOTPHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsMFACreateTOTPHandler), "*"),
 	wire.Struct(new(AuthflowV2SettingsOOBOTPHandler), "*"),
 	wire.Struct(new(AuthflowV2SettingsIdentityAddEmailHandler), "*"),
 	wire.Struct(new(AuthflowV2SettingsIdentityEditEmailHandler), "*"),
diff --git a/pkg/auth/handler/webapp/authflowv2/routes.go b/pkg/auth/handler/webapp/authflowv2/routes.go
index 9fb6d90e79..ebc10b16da 100644
--- a/pkg/auth/handler/webapp/authflowv2/routes.go
+++ b/pkg/auth/handler/webapp/authflowv2/routes.go
@@ -79,12 +79,16 @@ const (
 
 	AuthflowV2RouteFinishFlow = "/authflow/v2/finish"
 
-	AuthflowV2RouteSettingsProfile = "/settings/v2/profile"
-	AuthflowV2RouteSettingsMFA     = "/settings/mfa"
+	AuthflowV2RouteSettingsProfile             = "/settings/v2/profile"
+	AuthflowV2RouteSettingsMFA                 = "/settings/mfa"
+	AuthflowV2RouteSettingsMFAViewRecoveryCode = "/settings/mfa/view_recovery_code"
+
 	// nolint: gosec
 	AuthflowV2RouteSettingsMFACreatePassword = "/settings/mfa/create_password"
 	// nolint: gosec
-	AuthflowV2RouteSettingsMFAPassword = "/settings/mfa/password"
+	AuthflowV2RouteSettingsMFAPassword   = "/settings/mfa/password"
+	AuthflowV2RouteSettingsMFACreateTOTP = "/settings/mfa/create_totp"
+	AuthflowV2RouteSettingsMFAEnterTOTP  = "/settings/mfa/enter_totp"
 
 	AuthflowV2RouteSettingsIdentityListEmail          = "/settings/identity/email"
 	AuthflowV2RouteSettingsIdentityAddEmail           = "/settings/identity/add_email"
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_mfa_create_totp.go b/pkg/auth/handler/webapp/authflowv2/settings_mfa_create_totp.go
new file mode 100644
index 0000000000..433052a817
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_mfa_create_totp.go
@@ -0,0 +1,118 @@
+package authflowv2
+
+import (
+	htmltemplate "html/template"
+	"net/http"
+
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+
+	"github.com/authgear/authgear-server/pkg/lib/accountmanagement"
+	"github.com/authgear/authgear-server/pkg/lib/infra/db/appdb"
+	"github.com/authgear/authgear-server/pkg/lib/session"
+	"github.com/authgear/authgear-server/pkg/util/httproute"
+	coreimage "github.com/authgear/authgear-server/pkg/util/image"
+	"github.com/authgear/authgear-server/pkg/util/secretcode"
+	"github.com/authgear/authgear-server/pkg/util/template"
+	"github.com/authgear/authgear-server/pkg/util/validation"
+)
+
+var TemplateWebSettingsMFACreateTOTPHTML = template.RegisterHTML(
+	"web/authflowv2/settings_mfa_create_totp.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+var AuthflowV2SettingsMFACreateTOTPSchema = validation.NewSimpleSchema(`
+	{
+		"type": "object",
+		"properties": {
+			"x_totp": { "type": "string" },
+			"x_confirm_totp": { "type": "string" }
+		},
+		"required": ["x_totp", "x_confirm_totp"]
+	}
+`)
+
+func ConfigureAuthflowV2SettingsMFACreateTOTPRoute(route httproute.Route) httproute.Route {
+	return route.
+		WithMethods("OPTIONS", "POST", "GET").
+		WithPathPattern(AuthflowV2RouteSettingsMFACreateTOTP)
+}
+
+type AuthflowV2SettingsMFACreateTOTPViewModel struct {
+	Token    string
+	Secret   string
+	ImageURI htmltemplate.URL
+}
+
+type AuthflowV2SettingsMFACreateTOTPHandler struct {
+	Database          *appdb.Handle
+	ControllerFactory handlerwebapp.ControllerFactory
+	BaseViewModel     *viewmodels.BaseViewModeler
+	SettingsViewModel *viewmodels.SettingsViewModeler
+	Renderer          handlerwebapp.Renderer
+
+	AccountManagement *accountmanagement.Service
+}
+
+func (h *AuthflowV2SettingsMFACreateTOTPHandler) GetData(r *http.Request, rw http.ResponseWriter, tokenString string, totpSecret string, otpauthURI string) (map[string]interface{}, error) {
+	data := make(map[string]interface{})
+
+	baseViewModel := h.BaseViewModel.ViewModel(r, rw)
+	viewmodels.Embed(data, baseViewModel)
+
+	img, err := secretcode.QRCodeImageFromURI(otpauthURI, 512, 512)
+	if err != nil {
+		return nil, err
+	}
+	dataURI, err := coreimage.DataURIFromImage(coreimage.CodecPNG, img)
+	if err != nil {
+		return nil, err
+	}
+
+	screenViewModel := AuthflowV2SettingsMFACreateTOTPViewModel{
+		Token:    tokenString,
+		Secret:   totpSecret,
+		ImageURI: htmltemplate.URL(dataURI),
+	}
+	viewmodels.Embed(data, screenViewModel)
+
+	return data, nil
+}
+
+func (h *AuthflowV2SettingsMFACreateTOTPHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithoutDBTx()
+
+	ctrl.Get(func() error {
+		s := session.GetSession(r.Context())
+
+		tokenString := r.Form.Get("q_token")
+		token, err := h.AccountManagement.GetToken(s, tokenString)
+		if err != nil {
+			return err
+		}
+
+		opts := secretcode.URIOptions{
+			Issuer:      string(token.Authenticator.TOTPIssuer),
+			AccountName: token.Authenticator.TOTPEndUserAccountID,
+		}
+		totp, err := secretcode.NewTOTPFromSecret(token.Authenticator.TOTPSecret)
+		if err != nil {
+			return err
+		}
+		totpauthURI := totp.GetURI(opts).String()
+
+		data, err := h.GetData(r, w, tokenString, totp.Secret, totpauthURI)
+		if err != nil {
+			return err
+		}
+
+		h.Renderer.RenderHTML(w, r, TemplateWebSettingsMFACreateTOTPHTML, data)
+		return nil
+	})
+}
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_totp.go b/pkg/auth/handler/webapp/authflowv2/settings_mfa_totp.go
similarity index 75%
rename from pkg/auth/handler/webapp/authflowv2/settings_totp.go
rename to pkg/auth/handler/webapp/authflowv2/settings_mfa_totp.go
index 1760f8b272..47a16519ab 100644
--- a/pkg/auth/handler/webapp/authflowv2/settings_totp.go
+++ b/pkg/auth/handler/webapp/authflowv2/settings_mfa_totp.go
@@ -2,10 +2,13 @@ package authflowv2
 
 import (
 	"net/http"
+	"net/url"
 
 	"github.com/authgear/authgear-server/pkg/api/model"
 	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
 	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/auth/webapp"
+	"github.com/authgear/authgear-server/pkg/lib/accountmanagement"
 	"github.com/authgear/authgear-server/pkg/lib/authn/authenticator"
 	authenticatorservice "github.com/authgear/authgear-server/pkg/lib/authn/authenticator/service"
 	"github.com/authgear/authgear-server/pkg/lib/infra/db/appdb"
@@ -14,7 +17,7 @@ import (
 )
 
 var TemplateWebSettingsTOTPHTML = template.RegisterHTML(
-	"web/authflowv2/settings_totp.html",
+	"web/authflowv2/settings_mfa_totp.html",
 	handlerwebapp.SettingsComponents...,
 )
 
@@ -27,6 +30,8 @@ type AuthflowV2SettingsTOTPHandler struct {
 	ControllerFactory handlerwebapp.ControllerFactory
 	BaseViewModel     *viewmodels.BaseViewModeler
 	Renderer          handlerwebapp.Renderer
+
+	AccountManagement *accountmanagement.Service
 	Authenticators    authenticatorservice.Service
 }
 
@@ -80,4 +85,27 @@ func (h *AuthflowV2SettingsTOTPHandler) ServeHTTP(w http.ResponseWriter, r *http
 		h.Renderer.RenderHTML(w, r, TemplateWebSettingsTOTPHTML, data)
 		return nil
 	})
+
+	ctrl.PostAction("create_totp", func() error {
+		s := session.GetSession(r.Context())
+		output, err := h.AccountManagement.StartAddTOTPAuthenticator(s, &accountmanagement.StartAddTOTPAuthenticatorInput{})
+		if err != nil {
+			return err
+		}
+
+		redirectURI, err := url.Parse(AuthflowV2RouteSettingsMFACreateTOTP)
+		if err != nil {
+			return err
+		}
+
+		q := redirectURI.Query()
+		q.Set("q_token", output.Token)
+
+		redirectURI.RawQuery = q.Encode()
+
+		result := webapp.Result{RedirectURI: redirectURI.String()}
+		result.WriteResponse(w, r)
+
+		return nil
+	})
 }
diff --git a/pkg/auth/routes.go b/pkg/auth/routes.go
index f33e4fad36..a5d0838834 100644
--- a/pkg/auth/routes.go
+++ b/pkg/auth/routes.go
@@ -490,6 +490,7 @@ func NewRouter(p *deps.RootProvider, configSource *configsource.ConfigSource) *h
 		SettingV1: p.Handler(newWebAppSettingsTOTPHandler),
 		SettingV2: p.Handler(newWebAppAuthflowV2SettingsTOTPHandler),
 	})
+	router.Add(webapphandlerauthflowv2.ConfigureAuthflowV2SettingsMFACreateTOTPRoute(webappSettingsSubRoutesRoute), p.Handler(newWebAppAuthflowV2SettingsMFACreateTOTPHandler))
 	router.Add(webapphandler.ConfigureSettingsPasskeyRoute(webappSettingsSubRoutesRoute), &webapphandler.SettingsImplementationSwitcherHandler{
 		SettingV1: p.Handler(newWebAppSettingsPasskeyHandler),
 		SettingV2: p.Handler(newWebAppAuthflowV2SettingsChangePasskeyHandler),
diff --git a/pkg/auth/wire_handler.go b/pkg/auth/wire_handler.go
index 833c8aa454..43e8a59e59 100644
--- a/pkg/auth/wire_handler.go
+++ b/pkg/auth/wire_handler.go
@@ -506,6 +506,13 @@ func newWebAppAuthflowV2SettingsTOTPHandler(p *deps.RequestProvider) http.Handle
 	))
 }
 
+func newWebAppAuthflowV2SettingsMFACreateTOTPHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsMFACreateTOTPHandler)),
+	))
+}
+
 func newWebAppAuthflowV2SettingsOOBOTPHandler(p *deps.RequestProvider) http.Handler {
 	panic(wire.Build(
 		DependencySet,
diff --git a/resources/authgear/templates/en/translation.json b/resources/authgear/templates/en/translation.json
index 5d6bf33d1a..b6022397c3 100644
--- a/resources/authgear/templates/en/translation.json
+++ b/resources/authgear/templates/en/translation.json
@@ -1181,6 +1181,9 @@
   "v2.page.settings-identity.default.verification-status-unverified-label": "Not Verified",
   "v2.page.settings-identity.default.verification-status-verified-label": "Verified",
   "v2.page.settings-mfa-create-password.default.title": "Additional password",
+  "v2.page.settings-mfa-create-totp.default.navbar-title": "Set up authenticator",
+  "v2.page.settings-mfa-create-totp.default.description": "First, download Google Authenticator App from the <a class=\"link-btn\" target=\"_blank\" href=\"https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2\">Google Play Store</a> or <a class=\"link-btn\" target=\"_blank\" href=\"https://apps.apple.com/app/google-authenticator/id388497605\">Apple App Store</a>.<br><br>Scan the QR code or enter the key with your authenticator device / app.",
+  "v2.page.settings-mfa-create-totp.default.raw-secret": "{secret}",
   "v2.page.settings-mfa-password.default.additional-password-added-at": "Added at <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
   "v2.page.settings-mfa-password.default.additional-password-label": "Additional password",
   "v2.page.settings-mfa-password.default.additional-password-updated-at": "Updated at <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_mfa.html b/resources/authgear/templates/en/web/authflowv2/settings_mfa.html
index baa408cd2b..f810d1a42c 100644
--- a/resources/authgear/templates/en/web/authflowv2/settings_mfa.html
+++ b/resources/authgear/templates/en/web/authflowv2/settings_mfa.html
@@ -15,7 +15,7 @@
 {{ if $.ShowMFA }}
 <div>
   {{ if $.ShowSecondaryTOTP }}
-    {{ $href := (call $.MakeURL "/settings/mfa/new_totp") }}
+    {{ $href := (call $.MakeURL "/settings/mfa/create_totp") }}
     {{ if $.SecondaryPassword }}
       {{ $href = (call $.MakeURL "/settings/mfa/totp") }}
     {{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_mfa_create_totp.html b/resources/authgear/templates/en/web/authflowv2/settings_mfa_create_totp.html
new file mode 100644
index 0000000000..516c7c15cc
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_mfa_create_totp.html
@@ -0,0 +1,59 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ template "authflowv2/__navbar.html"
+     (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings/mfa/totp")
+        "Title" (translate "v2.page.settings-mfa-create-totp.default.navbar-title" nil)
+     )
+  }}
+{{ end }}
+
+{{ define "page-content" }}
+<div
+  class="settings-content flex flex-col gap-y-4 py-5 tablet:py-0"
+>
+  <div class="screen-title-description">
+    <h2 class="screen-description">
+      {{ include "v2.page.settings-mfa-create-totp.default.description" nil }}
+    </h2>
+
+    {{ template "authflowv2/__alert_message.html"
+      (dict
+        "Type" "error"
+        "Classname" "mt-4"
+        "Message" (ternary (include "authflowv2/__error.html" .) nil (not $.display_otp_input_error))
+      )
+    }}
+  </div>
+
+  <img class="w-48 place-self-center" src="{{ $.ImageURI }}">
+
+  <div>
+    <div class="code-block code-block--single gap-x-8">
+      <p
+        id="copy-button-source"
+        class="code-block__text"
+      >{{ include "v2.page.settings-mfa-create-totp.default.raw-secret" (dict "secret" $.Secret) }}</p>
+
+      <button
+        class="tertiary-btn"
+        type="button"
+        data-controller="copy-button"
+        data-copy-button-source-value="#copy-button-source"
+        data-action="copy-button#copy"
+      >
+        {{ include "v2.component.button.default.copy" nil }}
+      </button>
+    </div>
+
+    <a
+      class="primary-btn w-full mt-10"
+      href="{{ call $.MakeURL "enter_totp" "q_token" $.Token }}"
+    >
+      {{ include "v2.component.button.default.label-continue" nil }}
+    </a>
+  </div>
+</div>
+{{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_totp.html b/resources/authgear/templates/en/web/authflowv2/settings_mfa_totp.html
similarity index 86%
rename from resources/authgear/templates/en/web/authflowv2/settings_totp.html
rename to resources/authgear/templates/en/web/authflowv2/settings_mfa_totp.html
index b96dc24e13..9c70f71d56 100644
--- a/resources/authgear/templates/en/web/authflowv2/settings_totp.html
+++ b/resources/authgear/templates/en/web/authflowv2/settings_mfa_totp.html
@@ -28,13 +28,17 @@
     </ul>
   {{ end }}
 
-  {{ $href := (call $.MakeURL "/settings/mfa/new_totp") }}
-  <a
-    class="settings-link-btn mt-6 block"
-    href="{{ $href }}"
-  >
+  <form method="post" novalidate>
+    {{ $.CSRFField }}
+    <button
+      class="settings-link-btn mx-auto mt-6 block"
+      type="submit"
+      name="x_action"
+      value="create_totp"
+    >
     {{ translate "v2.page.settings-totp.default.button-add-authenticator-label" nil }}
-  </a>
+    </button>
+  </form>
 </div>
 {{ end }}
 

From 1fcfa8cf4ef526550407a97acd5c43ca39e2410e Mon Sep 17 00:00:00 2001
From: Newman Chow <newman@oursky.com>
Date: Mon, 30 Sep 2024 14:10:59 +0800
Subject: [PATCH 14/17] Add settings v2 enter totp page

---
 pkg/auth/handler/webapp/authflowv2/deps.go    |   1 +
 .../authflowv2/settings_mfa_enter_totp.go     | 132 ++++++++++++++++++
 pkg/auth/routes.go                            |   1 +
 pkg/auth/wire_handler.go                      |   7 +
 .../authgear/templates/en/translation.json    |   3 +
 .../authflowv2/settings_mfa_enter_totp.html   |  79 +++++++++++
 6 files changed, 223 insertions(+)
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_mfa_enter_totp.go
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_mfa_enter_totp.html

diff --git a/pkg/auth/handler/webapp/authflowv2/deps.go b/pkg/auth/handler/webapp/authflowv2/deps.go
index d4d2b35633..8227a71081 100644
--- a/pkg/auth/handler/webapp/authflowv2/deps.go
+++ b/pkg/auth/handler/webapp/authflowv2/deps.go
@@ -56,6 +56,7 @@ var DependencySet = wire.NewSet(
 	wire.Struct(new(AuthflowV2SettingsMFAPasswordHandler), "*"),
 	wire.Struct(new(AuthflowV2SettingsTOTPHandler), "*"),
 	wire.Struct(new(AuthflowV2SettingsMFACreateTOTPHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsMFAEnterTOTPHandler), "*"),
 	wire.Struct(new(AuthflowV2SettingsOOBOTPHandler), "*"),
 	wire.Struct(new(AuthflowV2SettingsIdentityAddEmailHandler), "*"),
 	wire.Struct(new(AuthflowV2SettingsIdentityEditEmailHandler), "*"),
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_mfa_enter_totp.go b/pkg/auth/handler/webapp/authflowv2/settings_mfa_enter_totp.go
new file mode 100644
index 0000000000..8f1549ce6d
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_mfa_enter_totp.go
@@ -0,0 +1,132 @@
+package authflowv2
+
+import (
+	"fmt"
+	htmltemplate "html/template"
+	"net/http"
+	"net/url"
+	"time"
+
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/auth/webapp"
+
+	"github.com/authgear/authgear-server/pkg/lib/accountmanagement"
+	"github.com/authgear/authgear-server/pkg/lib/infra/db/appdb"
+	"github.com/authgear/authgear-server/pkg/lib/session"
+	"github.com/authgear/authgear-server/pkg/util/clock"
+	"github.com/authgear/authgear-server/pkg/util/httproute"
+	"github.com/authgear/authgear-server/pkg/util/template"
+	"github.com/authgear/authgear-server/pkg/util/validation"
+)
+
+var TemplateWebSettingsMFAEnterTOTPHTML = template.RegisterHTML(
+	"web/authflowv2/settings_mfa_enter_totp.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+var AuthflowV2SettingsMFAEnterTOTPSchema = validation.NewSimpleSchema(`
+	{
+		"type": "object",
+		"properties": {
+			"x_code": { "type": "string" }
+		},
+		"required": ["x_code"]
+	}
+`)
+
+func ConfigureAuthflowV2SettingsMFAEnterTOTPRoute(route httproute.Route) httproute.Route {
+	return route.
+		WithMethods("OPTIONS", "POST", "GET").
+		WithPathPattern(AuthflowV2RouteSettingsMFAEnterTOTP)
+}
+
+type AuthflowV2SettingsMFAEnterTOTPViewModel struct {
+	Secret   string
+	ImageURI htmltemplate.URL
+}
+
+type AuthflowV2SettingsMFAEnterTOTPHandler struct {
+	Database          *appdb.Handle
+	ControllerFactory handlerwebapp.ControllerFactory
+	BaseViewModel     *viewmodels.BaseViewModeler
+	SettingsViewModel *viewmodels.SettingsViewModeler
+	Renderer          handlerwebapp.Renderer
+	Clock             clock.Clock
+
+	AccountManagement *accountmanagement.Service
+}
+
+func (h *AuthflowV2SettingsMFAEnterTOTPHandler) GetData(r *http.Request, rw http.ResponseWriter) (map[string]interface{}, error) {
+	data := make(map[string]interface{})
+
+	baseViewModel := h.BaseViewModel.ViewModel(r, rw)
+	viewmodels.Embed(data, baseViewModel)
+
+	return data, nil
+}
+
+func (h *AuthflowV2SettingsMFAEnterTOTPHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithoutDBTx()
+
+	ctrl.Get(func() error {
+		s := session.GetSession(r.Context())
+
+		tokenString := r.Form.Get("q_token")
+		_, err := h.AccountManagement.GetToken(s, tokenString)
+		if err != nil {
+			return err
+		}
+
+		data, err := h.GetData(r, w)
+		if err != nil {
+			return err
+		}
+
+		h.Renderer.RenderHTML(w, r, TemplateWebSettingsMFAEnterTOTPHTML, data)
+		return nil
+	})
+
+	ctrl.PostAction("submit", func() error {
+		err := AuthflowV2SettingsMFAEnterTOTPSchema.Validator().ValidateValue(handlerwebapp.FormToJSON(r.Form))
+		if err != nil {
+			return err
+		}
+
+		s := session.GetSession(r.Context())
+
+		tokenString := r.Form.Get("q_token")
+		code := r.Form.Get("x_code")
+
+		now := h.Clock.NowUTC()
+		displayName := fmt.Sprintf("TOTP @ %s", now.Format(time.RFC3339))
+
+		output, err := h.AccountManagement.ResumeAddTOTPAuthenticator(s, tokenString, &accountmanagement.ResumeAddTOTPAuthenticatorInput{
+			DisplayName: displayName,
+			Code:        code,
+		})
+		if err != nil {
+			return err
+		}
+
+		redirectURI, err := url.Parse(AuthflowV2RouteSettingsMFAViewRecoveryCode)
+		if err != nil {
+			return err
+		}
+
+		q := redirectURI.Query()
+		q.Set("q_token", output.Token)
+
+		redirectURI.RawQuery = q.Encode()
+
+		result := webapp.Result{RedirectURI: redirectURI.String()}
+		result.WriteResponse(w, r)
+
+		return nil
+	})
+}
diff --git a/pkg/auth/routes.go b/pkg/auth/routes.go
index a5d0838834..1c4d470d00 100644
--- a/pkg/auth/routes.go
+++ b/pkg/auth/routes.go
@@ -491,6 +491,7 @@ func NewRouter(p *deps.RootProvider, configSource *configsource.ConfigSource) *h
 		SettingV2: p.Handler(newWebAppAuthflowV2SettingsTOTPHandler),
 	})
 	router.Add(webapphandlerauthflowv2.ConfigureAuthflowV2SettingsMFACreateTOTPRoute(webappSettingsSubRoutesRoute), p.Handler(newWebAppAuthflowV2SettingsMFACreateTOTPHandler))
+	router.Add(webapphandlerauthflowv2.ConfigureAuthflowV2SettingsMFAEnterTOTPRoute(webappSettingsSubRoutesRoute), p.Handler(newWebAppAuthflowV2SettingsMFAEnterTOTPHandler))
 	router.Add(webapphandler.ConfigureSettingsPasskeyRoute(webappSettingsSubRoutesRoute), &webapphandler.SettingsImplementationSwitcherHandler{
 		SettingV1: p.Handler(newWebAppSettingsPasskeyHandler),
 		SettingV2: p.Handler(newWebAppAuthflowV2SettingsChangePasskeyHandler),
diff --git a/pkg/auth/wire_handler.go b/pkg/auth/wire_handler.go
index 43e8a59e59..62162b1688 100644
--- a/pkg/auth/wire_handler.go
+++ b/pkg/auth/wire_handler.go
@@ -513,6 +513,13 @@ func newWebAppAuthflowV2SettingsMFACreateTOTPHandler(p *deps.RequestProvider) ht
 	))
 }
 
+func newWebAppAuthflowV2SettingsMFAEnterTOTPHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsMFAEnterTOTPHandler)),
+	))
+}
+
 func newWebAppAuthflowV2SettingsOOBOTPHandler(p *deps.RequestProvider) http.Handler {
 	panic(wire.Build(
 		DependencySet,
diff --git a/resources/authgear/templates/en/translation.json b/resources/authgear/templates/en/translation.json
index b6022397c3..945cb3155c 100644
--- a/resources/authgear/templates/en/translation.json
+++ b/resources/authgear/templates/en/translation.json
@@ -1184,6 +1184,9 @@
   "v2.page.settings-mfa-create-totp.default.navbar-title": "Set up authenticator",
   "v2.page.settings-mfa-create-totp.default.description": "First, download Google Authenticator App from the <a class=\"link-btn\" target=\"_blank\" href=\"https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2\">Google Play Store</a> or <a class=\"link-btn\" target=\"_blank\" href=\"https://apps.apple.com/app/google-authenticator/id388497605\">Apple App Store</a>.<br><br>Scan the QR code or enter the key with your authenticator device / app.",
   "v2.page.settings-mfa-create-totp.default.raw-secret": "{secret}",
+  "v2.page.settings-mfa-enter-totp.default.navbar-title": "Verification Code",
+  "v2.page.settings-mfa-enter-totp.default.description": "Enter the 6-digit code you see in the authenticator device/app.",
+  "v2.page.settings-mfa-enter-totp.default.rescan-button-label": "Rescan QR code",
   "v2.page.settings-mfa-password.default.additional-password-added-at": "Added at <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
   "v2.page.settings-mfa-password.default.additional-password-label": "Additional password",
   "v2.page.settings-mfa-password.default.additional-password-updated-at": "Updated at <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_mfa_enter_totp.html b/resources/authgear/templates/en/web/authflowv2/settings_mfa_enter_totp.html
new file mode 100644
index 0000000000..af349e4f19
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_mfa_enter_totp.html
@@ -0,0 +1,79 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ template "authflowv2/__navbar.html"
+     (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings/mfa")
+        "Title" (translate "v2.page.settings-mfa-enter-totp.default.navbar-title" nil)
+     )
+  }}
+{{ end }}
+
+{{ define "page-content" }}
+
+  {{ $err_map := (resolveError $.RawError (dict
+    "otpInput" (dict
+      "by_reason"                    (list "InvalidCredentials")
+    )
+  )) }}
+
+  {{ $otp_err := index $err_map "otpInput" }}
+  {{ $unknown_err := index $err_map "unknown" }}
+  {{ $has_otp_err := not (isNil $otp_err) }}
+  {{ $has_unknown_err := not (isNil $unknown_err )}}
+
+  {{ $otp_error_message := "" }}
+  {{ if $has_otp_err }}
+    {{ $otp_error_message = include "authflowv2/__error.html" (merge (dict "Error" $otp_err) $) }}
+  {{ end }}
+
+  {{ $unknown_error_message := "" }}
+  {{ if $has_unknown_err }}
+    {{ $unknown_error_message = (include "authflowv2/__error.html" (merge (dict "Error" $unknown_err) $)) }}
+  {{ end }}
+
+<div
+  class="settings-content flex flex-col gap-y-4 py-5 tablet:py-0"
+>
+  <div class="screen-title-description">
+    <h2 class="screen-description">
+      {{ include "v2.page.settings-mfa-enter-totp.default.description" nil }}
+    </h2>
+
+    {{ template "authflowv2/__alert_message.html"
+      (dict
+        "Type" "error"
+        "Classname" "mt-4"
+        "Message" (ternary (include "authflowv2/__error.html" .) nil (not $.display_otp_input_error))
+      )
+    }}
+  </div>
+
+  <div>
+    <form
+      id="main-form"
+      method="post"
+      novalidate
+      data-restore-form="false"
+      data-controller="turbo-form"
+      data-action="submit->turbo-form#submitForm"
+    >
+      {{ $.CSRFField }}
+    </form>
+
+    {{ template "authflowv2/__otp_input.html"
+      (dict
+        "CSRFField" $.CSRFField
+        "FormName" "main-form"
+        "CodeLength" 6
+        "AutoFocus" $.ShouldFocusInput
+        "Disabled" $.FailedAttemptRateLimitExceeded
+        "SubmitEvent" "authgear.button.setup_totp"
+        "ErrorMessage" $otp_error_message
+        "ResendButtonHidden" true
+      )
+    }}
+  </div>
+</div>
+{{ end }}

From 11183c9ee28cca0329c6c3c5acf56707624613a5 Mon Sep 17 00:00:00 2001
From: Newman Chow <newman@oursky.com>
Date: Mon, 30 Sep 2024 14:11:27 +0800
Subject: [PATCH 15/17] Add settings v2 view recovery code page

---
 pkg/auth/handler/webapp/authflowv2/deps.go    |    1 +
 .../settings_mfa_view_recovery_code.go        |  116 +
 pkg/auth/routes.go                            |    1 +
 pkg/auth/wire_gen.go                          | 3202 ++++++++++++++++-
 pkg/auth/wire_handler.go                      |    7 +
 .../authgear/templates/en/translation.json    |    2 +
 .../settings_mfa_view_recovery_code.html      |   81 +
 7 files changed, 3297 insertions(+), 113 deletions(-)
 create mode 100644 pkg/auth/handler/webapp/authflowv2/settings_mfa_view_recovery_code.go
 create mode 100644 resources/authgear/templates/en/web/authflowv2/settings_mfa_view_recovery_code.html

diff --git a/pkg/auth/handler/webapp/authflowv2/deps.go b/pkg/auth/handler/webapp/authflowv2/deps.go
index 8227a71081..c51b63e045 100644
--- a/pkg/auth/handler/webapp/authflowv2/deps.go
+++ b/pkg/auth/handler/webapp/authflowv2/deps.go
@@ -52,6 +52,7 @@ var DependencySet = wire.NewSet(
 	wire.Struct(new(AuthflowV2SettingsAdvancedSettingsHandler), "*"),
 	wire.Struct(new(AuthflowV2SettingsDeleteAccountHandler), "*"),
 	wire.Struct(new(AuthflowV2SettingsDeleteAccountSuccessHandler), "*"),
+	wire.Struct(new(AuthflowV2SettingsMFAViewRecoveryCodeHandler), "*"),
 	wire.Struct(new(AuthflowV2SettingsMFACreatePasswordHandler), "*"),
 	wire.Struct(new(AuthflowV2SettingsMFAPasswordHandler), "*"),
 	wire.Struct(new(AuthflowV2SettingsTOTPHandler), "*"),
diff --git a/pkg/auth/handler/webapp/authflowv2/settings_mfa_view_recovery_code.go b/pkg/auth/handler/webapp/authflowv2/settings_mfa_view_recovery_code.go
new file mode 100644
index 0000000000..d0a1023560
--- /dev/null
+++ b/pkg/auth/handler/webapp/authflowv2/settings_mfa_view_recovery_code.go
@@ -0,0 +1,116 @@
+package authflowv2
+
+import (
+	"net/http"
+
+	handlerwebapp "github.com/authgear/authgear-server/pkg/auth/handler/webapp"
+	"github.com/authgear/authgear-server/pkg/auth/handler/webapp/viewmodels"
+	"github.com/authgear/authgear-server/pkg/auth/webapp"
+	"github.com/authgear/authgear-server/pkg/lib/accountmanagement"
+	"github.com/authgear/authgear-server/pkg/lib/session"
+	"github.com/authgear/authgear-server/pkg/util/httproute"
+	"github.com/authgear/authgear-server/pkg/util/template"
+)
+
+var TemplateWebSettingsMFAViewRecoveryCodeHTML = template.RegisterHTML(
+	"web/authflowv2/settings_mfa_view_recovery_code.html",
+	handlerwebapp.SettingsComponents...,
+)
+
+func ConfigureAuthflowV2SettingsMFAViewRecoveryCodeRoute(route httproute.Route) httproute.Route {
+	return route.
+		WithMethods("OPTIONS", "POST", "GET").
+		WithPathPattern(AuthflowV2RouteSettingsMFAViewRecoveryCode)
+}
+
+type AuthflowV2SettingsMFAViewRecoveryCodeViewModel struct {
+	RecoveryCodes []string
+}
+
+type AuthflowV2SettingsMFAViewRecoveryCodeHandler struct {
+	ControllerFactory handlerwebapp.ControllerFactory
+	BaseViewModel     *viewmodels.BaseViewModeler
+	Renderer          handlerwebapp.Renderer
+
+	AccountManagement *accountmanagement.Service
+}
+
+func (h *AuthflowV2SettingsMFAViewRecoveryCodeHandler) GetData(r *http.Request, rw http.ResponseWriter, recoveryCodes []string) (map[string]interface{}, error) {
+	data := map[string]interface{}{}
+
+	baseViewModel := h.BaseViewModel.ViewModel(r, rw)
+	viewmodels.Embed(data, baseViewModel)
+
+	screenViewModel := AuthflowV2SettingsMFAViewRecoveryCodeViewModel{
+		RecoveryCodes: handlerwebapp.FormatRecoveryCodes(recoveryCodes),
+	}
+	viewmodels.Embed(data, screenViewModel)
+
+	return data, nil
+}
+
+func (h *AuthflowV2SettingsMFAViewRecoveryCodeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctrl, err := h.ControllerFactory.New(r, w)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	defer ctrl.ServeWithoutDBTx()
+
+	ctrl.Get(func() error {
+		s := session.GetSession(r.Context())
+
+		tokenString := r.Form.Get("q_token")
+		token, err := h.AccountManagement.GetToken(s, tokenString)
+		if err != nil {
+			return err
+		}
+
+		data, err := h.GetData(r, w, token.Authenticator.RecoveryCodes)
+		if err != nil {
+			return err
+		}
+
+		h.Renderer.RenderHTML(w, r, TemplateWebSettingsMFAViewRecoveryCodeHTML, data)
+		return nil
+	})
+
+	ctrl.PostAction("download", func() error {
+		s := session.GetSession(r.Context())
+
+		tokenString := r.Form.Get("q_token")
+		token, err := h.AccountManagement.GetToken(s, tokenString)
+		if err != nil {
+			return err
+		}
+
+		data, err := h.GetData(r, w, token.Authenticator.RecoveryCodes)
+		if err != nil {
+			return err
+		}
+
+		handlerwebapp.SetRecoveryCodeAttachmentHeaders(w)
+		h.Renderer.Render(w, r, handlerwebapp.TemplateWebDownloadRecoveryCodeTXT, data)
+		return nil
+	})
+
+	ctrl.PostAction("proceed", func() error {
+		s := session.GetSession(r.Context())
+
+		tokenString := r.Form.Get("q_token")
+		_, err := h.AccountManagement.GetToken(s, tokenString)
+		if err != nil {
+			return err
+		}
+
+		_, err = h.AccountManagement.FinishAddTOTPAuthenticator(s, tokenString, &accountmanagement.FinishAddTOTPAuthenticatorInput{})
+		if err != nil {
+			return err
+		}
+
+		result := webapp.Result{RedirectURI: AuthflowV2RouteSettingsMFA}
+		result.WriteResponse(w, r)
+
+		return nil
+	})
+}
diff --git a/pkg/auth/routes.go b/pkg/auth/routes.go
index 1c4d470d00..1702ece1e5 100644
--- a/pkg/auth/routes.go
+++ b/pkg/auth/routes.go
@@ -484,6 +484,7 @@ func NewRouter(p *deps.RootProvider, configSource *configsource.ConfigSource) *h
 		SettingV1: p.Handler(newWebAppSettingsMFAHandler),
 		SettingV2: p.Handler(newWebAppAuthflowV2SettingsMFAHandler),
 	})
+	router.Add(webapphandlerauthflowv2.ConfigureAuthflowV2SettingsMFAViewRecoveryCodeRoute(webappSettingsSubRoutesRoute), p.Handler(newWebAppAuthflowV2SettingsMFAViewRecoveryCodeHandler))
 	router.Add(webapphandlerauthflowv2.ConfigureAuthflowV2SettingsMFACreatePassword(webappSettingsSubRoutesRoute), p.Handler(newWebAppAuthflowV2SettingsMFACreatePasswordHandler))
 	router.Add(webapphandlerauthflowv2.ConfigureAuthflowV2SettingsMFAPassword(webappSettingsSubRoutesRoute), p.Handler(newWebAppAuthflowV2SettingsMFAPasswordHandler))
 	router.Add(webapphandler.ConfigureSettingsTOTPRoute(webappSettingsSubRoutesRoute), &webapphandler.SettingsImplementationSwitcherHandler{
diff --git a/pkg/auth/wire_gen.go b/pkg/auth/wire_gen.go
index c2bbebdc9f..ed4c974f0b 100644
--- a/pkg/auth/wire_gen.go
+++ b/pkg/auth/wire_gen.go
@@ -50081,6 +50081,7 @@ func newWebAppAuthflowV2SettingsBiometricHandler(p *deps.RequestProvider) http.H
 	accountmanagementService := &accountmanagement.Service{
 		Database:                  handle,
 		Config:                    appConfig,
+		HTTPOrigin:                httpOrigin,
 		Users:                     userProvider,
 		Store:                     redisStore,
 		OAuthProvider:             oAuthProviderFactory,
@@ -50090,6 +50091,7 @@ func newWebAppAuthflowV2SettingsBiometricHandler(p *deps.RequestProvider) http.H
 		OTPCodeService:            otpService,
 		Authenticators:            authenticatorFacade,
 		AuthenticationInfoService: authenticationinfoStoreRedis,
+		MFA:                       mfaFacade,
 		PasskeyService:            passkeyService,
 		Verification:              verificationService,
 		UIInfoResolver:            uiService,
@@ -51995,6 +51997,969 @@ func newWebAppAuthflowV2SettingsMFAHandler(p *deps.RequestProvider) http.Handler
 	return authflowV2SettingsMFAHandler
 }
 
+func newWebAppAuthflowV2SettingsMFAViewRecoveryCodeHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	factory := appProvider.LoggerFactory
+	handle := appProvider.AppDatabase
+	appredisHandle := appProvider.Redis
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	appID := appConfig.ID
+	serviceLogger := webapp2.NewServiceLogger(factory)
+	request := p.Request
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	authenticationConfig := appConfig.Authentication
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	resolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	logger := interaction.NewLogger(factory)
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	clockClock := _wireSystemClockValue
+	featureConfig := config.FeatureConfig
+	redisLogger := redis.NewLogger(factory)
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	store := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	eventLogger := event.NewLogger(factory)
+	localizationConfig := appConfig.Localization
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	userStore := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: userStore,
+	}
+	identityConfig := appConfig.Identity
+	identityFeatureConfig := featureConfig.Identity
+	serviceStore := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginIDConfig := identityConfig.LoginID
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	templateResolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: templateResolver,
+	}
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	ratelimitLogger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  ratelimitLogger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 serviceStore,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	store3 := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store4 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store4,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          store3,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   userStore,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              userStore,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        handle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       userStore,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: handle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  appredisHandle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            whatsappServiceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	rawCommands := &user.RawCommands{
+		Store: userStore,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  appredisHandle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef2,
+	}
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           appredisHandle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   store,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	identityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		OAuthClientResolver:             resolver,
+		OfflineGrants:                   store,
+		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
+		OTPSender:                       messageSender,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
+		Challenges:                      challengeProvider,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
+		Events:                          eventService,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
+	}
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	interactionService := &interaction.Service{
+		Logger:  logger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
+	}
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  resolver,
+		Graph:                interactionService,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               resolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
+	}
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
+	}
+	redisStore := &accountmanagement.RedisStore{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+		Clock:   clockClock,
+	}
+	facadeIdentityFacade := &facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	accountmanagementService := &accountmanagement.Service{
+		Database:                  handle,
+		Config:                    appConfig,
+		HTTPOrigin:                httpOrigin,
+		Users:                     userProvider,
+		Store:                     redisStore,
+		OAuthProvider:             oAuthProviderFactory,
+		Identities:                facadeIdentityFacade,
+		Events:                    eventService,
+		OTPSender:                 messageSender,
+		OTPCodeService:            otpService,
+		Authenticators:            authenticatorFacade,
+		AuthenticationInfoService: authenticationinfoStoreRedis,
+		MFA:                       mfaFacade,
+		PasskeyService:            passkeyService,
+		Verification:              verificationService,
+		UIInfoResolver:            uiService,
+	}
+	authflowV2SettingsMFAViewRecoveryCodeHandler := &authflowv2.AuthflowV2SettingsMFAViewRecoveryCodeHandler{
+		ControllerFactory: controllerFactory,
+		BaseViewModel:     baseViewModeler,
+		Renderer:          responseRenderer,
+		AccountManagement: accountmanagementService,
+	}
+	return authflowV2SettingsMFAViewRecoveryCodeHandler
+}
+
 func newWebAppAuthflowV2SettingsMFACreatePasswordHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	factory := appProvider.LoggerFactory
@@ -52922,50 +53887,1932 @@ func newWebAppAuthflowV2SettingsMFACreatePasswordHandler(p *deps.RequestProvider
 		LoggerFactory:  factory,
 		ControllerDeps: controllerDeps,
 	}
-	biometricConfig := identityConfig.Biometric
-	settingsViewModeler := &viewmodels.SettingsViewModeler{
-		Authenticators: service3,
-		MFA:            mfaService,
-		Authentication: authenticationConfig,
-		Biometric:      biometricConfig,
-	}
-	redisStore := &accountmanagement.RedisStore{
-		Context: contextContext,
-		AppID:   appID,
-		Redis:   appredisHandle,
-		Clock:   clockClock,
-	}
-	facadeIdentityFacade := &facade.IdentityFacade{
-		Coordinator: coordinator,
-	}
-	accountmanagementService := &accountmanagement.Service{
-		Database:                  handle,
-		Config:                    appConfig,
-		Users:                     userProvider,
-		Store:                     redisStore,
-		OAuthProvider:             oAuthProviderFactory,
-		Identities:                facadeIdentityFacade,
-		Events:                    eventService,
-		OTPSender:                 messageSender,
-		OTPCodeService:            otpService,
-		Authenticators:            authenticatorFacade,
-		AuthenticationInfoService: authenticationinfoStoreRedis,
-		PasskeyService:            passkeyService,
-		Verification:              verificationService,
-		UIInfoResolver:            uiService,
-	}
-	authflowV2SettingsMFACreatePasswordHandler := &authflowv2.AuthflowV2SettingsMFACreatePasswordHandler{
-		ControllerFactory:        controllerFactory,
-		BaseViewModel:            baseViewModeler,
-		SettingsViewModel:        settingsViewModeler,
-		PasswordPolicy:           passwordChecker,
-		Renderer:                 responseRenderer,
-		AccountManagementService: accountmanagementService,
+	biometricConfig := identityConfig.Biometric
+	settingsViewModeler := &viewmodels.SettingsViewModeler{
+		Authenticators: service3,
+		MFA:            mfaService,
+		Authentication: authenticationConfig,
+		Biometric:      biometricConfig,
+	}
+	redisStore := &accountmanagement.RedisStore{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+		Clock:   clockClock,
+	}
+	facadeIdentityFacade := &facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	accountmanagementService := &accountmanagement.Service{
+		Database:                  handle,
+		Config:                    appConfig,
+		HTTPOrigin:                httpOrigin,
+		Users:                     userProvider,
+		Store:                     redisStore,
+		OAuthProvider:             oAuthProviderFactory,
+		Identities:                facadeIdentityFacade,
+		Events:                    eventService,
+		OTPSender:                 messageSender,
+		OTPCodeService:            otpService,
+		Authenticators:            authenticatorFacade,
+		AuthenticationInfoService: authenticationinfoStoreRedis,
+		MFA:                       mfaFacade,
+		PasskeyService:            passkeyService,
+		Verification:              verificationService,
+		UIInfoResolver:            uiService,
+	}
+	authflowV2SettingsMFACreatePasswordHandler := &authflowv2.AuthflowV2SettingsMFACreatePasswordHandler{
+		ControllerFactory:        controllerFactory,
+		BaseViewModel:            baseViewModeler,
+		SettingsViewModel:        settingsViewModeler,
+		PasswordPolicy:           passwordChecker,
+		Renderer:                 responseRenderer,
+		AccountManagementService: accountmanagementService,
+	}
+	return authflowV2SettingsMFACreatePasswordHandler
+}
+
+func newWebAppAuthflowV2SettingsMFAPasswordHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	handle := appProvider.AppDatabase
+	factory := appProvider.LoggerFactory
+	appredisHandle := appProvider.Redis
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	appID := appConfig.ID
+	serviceLogger := webapp2.NewServiceLogger(factory)
+	request := p.Request
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	authenticationConfig := appConfig.Authentication
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	resolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	logger := interaction.NewLogger(factory)
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	clockClock := _wireSystemClockValue
+	featureConfig := config.FeatureConfig
+	redisLogger := redis.NewLogger(factory)
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	store := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	eventLogger := event.NewLogger(factory)
+	localizationConfig := appConfig.Localization
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	userStore := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: userStore,
+	}
+	identityConfig := appConfig.Identity
+	identityFeatureConfig := featureConfig.Identity
+	serviceStore := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginIDConfig := identityConfig.LoginID
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	templateResolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: templateResolver,
+	}
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	ratelimitLogger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  ratelimitLogger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 serviceStore,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	store3 := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store4 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store4,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          store3,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   userStore,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              userStore,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        handle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       userStore,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: handle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  appredisHandle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            whatsappServiceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	rawCommands := &user.RawCommands{
+		Store: userStore,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  appredisHandle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef2,
+	}
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           appredisHandle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   store,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	identityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		OAuthClientResolver:             resolver,
+		OfflineGrants:                   store,
+		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
+		OTPSender:                       messageSender,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
+		Challenges:                      challengeProvider,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
+		Events:                          eventService,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
+	}
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	interactionService := &interaction.Service{
+		Logger:  logger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
+	}
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  resolver,
+		Graph:                interactionService,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               resolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
+	}
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
+	}
+	biometricConfig := identityConfig.Biometric
+	settingsViewModeler := &viewmodels.SettingsViewModeler{
+		Authenticators: service3,
+		MFA:            mfaService,
+		Authentication: authenticationConfig,
+		Biometric:      biometricConfig,
+	}
+	authflowV2SettingsMFAPasswordHandler := &authflowv2.AuthflowV2SettingsMFAPasswordHandler{
+		Database:          handle,
+		ControllerFactory: controllerFactory,
+		BaseViewModel:     baseViewModeler,
+		SettingsViewModel: settingsViewModeler,
+		Renderer:          responseRenderer,
+	}
+	return authflowV2SettingsMFAPasswordHandler
+}
+
+func newWebAppSettingsTOTPHandler(p *deps.RequestProvider) http.Handler {
+	appProvider := p.AppProvider
+	factory := appProvider.LoggerFactory
+	handle := appProvider.AppDatabase
+	appredisHandle := appProvider.Redis
+	appContext := appProvider.AppContext
+	config := appContext.Config
+	appConfig := config.AppConfig
+	appID := appConfig.ID
+	serviceLogger := webapp2.NewServiceLogger(factory)
+	request := p.Request
+	sessionStoreRedis := &webapp2.SessionStoreRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	sessionCookieDef := webapp2.NewSessionCookieDef()
+	signedUpCookieDef := webapp2.NewSignedUpCookieDef()
+	authenticationConfig := appConfig.Authentication
+	cookieDef := mfa.NewDeviceTokenCookieDef(authenticationConfig)
+	errorTokenCookieDef := webapp2.NewErrorTokenCookieDef()
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	httpConfig := appConfig.HTTP
+	cookieManager := deps.NewCookieManager(request, trustProxy, httpConfig)
+	errorService := &webapp2.ErrorService{
+		AppID:       appID,
+		Cookie:      errorTokenCookieDef,
+		RedisHandle: appredisHandle,
+		Cookies:     cookieManager,
+	}
+	oAuthConfig := appConfig.OAuth
+	uiConfig := appConfig.UI
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	globalUIImplementation := environmentConfig.UIImplementation
+	globalUISettingsImplementation := environmentConfig.UISettingsImplementation
+	uiImplementationService := &web.UIImplementationService{
+		UIConfig:                       uiConfig,
+		GlobalUIImplementation:         globalUIImplementation,
+		GlobalUISettingsImplementation: globalUISettingsImplementation,
+	}
+	endpointsEndpoints := &endpoints.Endpoints{
+		HTTPHost:                httpHost,
+		HTTPProto:               httpProto,
+		UIImplementationService: uiImplementationService,
+	}
+	uiService := &authenticationinfo.UIService{
+		EndpointsProvider: endpointsEndpoints,
+	}
+	resolver := &oauthclient.Resolver{
+		OAuthConfig:     oAuthConfig,
+		TesterEndpoints: endpointsEndpoints,
+	}
+	logger := interaction.NewLogger(factory)
+	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
+	contextContext := deps.ProvideRequestContext(request)
+	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
+	clockClock := _wireSystemClockValue
+	featureConfig := config.FeatureConfig
+	redisLogger := redis.NewLogger(factory)
+	secretConfig := config.SecretConfig
+	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
+	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
+	store := &redis.Store{
+		Context:     contextContext,
+		Redis:       appredisHandle,
+		AppID:       appID,
+		Logger:      redisLogger,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	userAgentString := deps.ProvideUserAgentString(request)
+	eventLogger := event.NewLogger(factory)
+	localizationConfig := appConfig.Localization
+	sqlBuilder := appdb.NewSQLBuilder(databaseCredentials)
+	storeImpl := event.NewStoreImpl(sqlBuilder, sqlExecutor)
+	userStore := &user.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+		AppID:       appID,
+	}
+	rawQueries := &user.RawQueries{
+		Store: userStore,
+	}
+	identityConfig := appConfig.Identity
+	identityFeatureConfig := featureConfig.Identity
+	serviceStore := &service.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginidStore := &loginid.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	loginIDConfig := identityConfig.LoginID
+	manager := appContext.Resources
+	typeCheckerFactory := &loginid.TypeCheckerFactory{
+		UIConfig:      uiConfig,
+		LoginIDConfig: loginIDConfig,
+		Resources:     manager,
+	}
+	checker := &loginid.Checker{
+		Config:             loginIDConfig,
+		TypeCheckerFactory: typeCheckerFactory,
+	}
+	normalizerFactory := &loginid.NormalizerFactory{
+		Config: loginIDConfig,
+	}
+	provider := &loginid.Provider{
+		Store:             loginidStore,
+		Config:            loginIDConfig,
+		Checker:           checker,
+		NormalizerFactory: normalizerFactory,
+		Clock:             clockClock,
+	}
+	oauthStore := &oauth3.Store{
+		SQLBuilder:     sqlBuilderApp,
+		SQLExecutor:    sqlExecutor,
+		IdentityConfig: identityConfig,
+	}
+	oauthProvider := &oauth3.Provider{
+		Store:          oauthStore,
+		Clock:          clockClock,
+		IdentityConfig: identityConfig,
+	}
+	anonymousStore := &anonymous.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	anonymousProvider := &anonymous.Provider{
+		Store: anonymousStore,
+		Clock: clockClock,
+	}
+	biometricStore := &biometric.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	biometricProvider := &biometric.Provider{
+		Store: biometricStore,
+		Clock: clockClock,
+	}
+	passkeyStore := &passkey.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	store2 := &passkey2.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	defaultLanguageTag := deps.ProvideDefaultLanguageTag(config)
+	supportedLanguageTags := deps.ProvideSupportedLanguageTags(config)
+	templateResolver := &template.Resolver{
+		Resources:             manager,
+		DefaultLanguageTag:    defaultLanguageTag,
+		SupportedLanguageTags: supportedLanguageTags,
+	}
+	engine := &template.Engine{
+		Resolver: templateResolver,
+	}
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
+	webAppCDNHost := environmentConfig.WebAppCDNHost
+	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
+	staticAssetResolver := &web.StaticAssetResolver{
+		Context:           contextContext,
+		Localization:      localizationConfig,
+		HTTPOrigin:        httpOrigin,
+		HTTPProto:         httpProto,
+		WebAppCDNHost:     webAppCDNHost,
+		Resources:         manager,
+		EmbeddedResources: globalEmbeddedResourceManager,
+	}
+	translationService := &translation.Service{
+		Context:        contextContext,
+		TemplateEngine: engine,
+		StaticAssets:   staticAssetResolver,
+	}
+	configService := &passkey2.ConfigService{
+		Request:            request,
+		TrustProxy:         trustProxy,
+		TranslationService: translationService,
+	}
+	passkeyService := &passkey2.Service{
+		Store:         store2,
+		ConfigService: configService,
+	}
+	passkeyProvider := &passkey.Provider{
+		Store:   passkeyStore,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	siweStore := &siwe.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	web3Config := appConfig.Web3
+	storeRedis := &siwe2.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	ratelimitLogger := ratelimit.NewLogger(factory)
+	storageRedis := &ratelimit.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	rateLimitsFeatureConfig := featureConfig.RateLimits
+	limiter := &ratelimit.Limiter{
+		Logger:  ratelimitLogger,
+		Storage: storageRedis,
+		Config:  rateLimitsFeatureConfig,
+	}
+	siweLogger := siwe2.NewLogger(factory)
+	siweService := &siwe2.Service{
+		RemoteIP:             remoteIP,
+		HTTPOrigin:           httpOrigin,
+		Web3Config:           web3Config,
+		AuthenticationConfig: authenticationConfig,
+		Clock:                clockClock,
+		NonceStore:           storeRedis,
+		RateLimiter:          limiter,
+		Logger:               siweLogger,
+	}
+	siweProvider := &siwe.Provider{
+		Store: siweStore,
+		Clock: clockClock,
+		SIWE:  siweService,
+	}
+	ldapStore := &ldap.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	normalizer := &stdattrs.Normalizer{
+		LoginIDNormalizerFactory: normalizerFactory,
+	}
+	ldapProvider := &ldap.Provider{
+		Store:                        ldapStore,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+	}
+	serviceService := &service.Service{
+		Authentication:        authenticationConfig,
+		Identity:              identityConfig,
+		IdentityFeatureConfig: identityFeatureConfig,
+		Store:                 serviceStore,
+		LoginID:               provider,
+		OAuth:                 oauthProvider,
+		Anonymous:             anonymousProvider,
+		Biometric:             biometricProvider,
+		Passkey:               passkeyProvider,
+		SIWE:                  siweProvider,
+		LDAP:                  ldapProvider,
+	}
+	store3 := &service2.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	passwordStore := &password.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorConfig := appConfig.Authenticator
+	authenticatorPasswordConfig := authenticatorConfig.Password
+	passwordLogger := password.NewLogger(factory)
+	historyStore := &password.HistoryStore{
+		Clock:       clockClock,
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorFeatureConfig := featureConfig.Authenticator
+	passwordChecker := password.ProvideChecker(authenticatorPasswordConfig, authenticatorFeatureConfig, historyStore)
+	expiry := password.ProvideExpiry(authenticatorPasswordConfig, clockClock)
+	housekeeperLogger := password.NewHousekeeperLogger(factory)
+	housekeeper := &password.Housekeeper{
+		Store:  historyStore,
+		Logger: housekeeperLogger,
+		Config: authenticatorPasswordConfig,
+	}
+	passwordProvider := &password.Provider{
+		Store:           passwordStore,
+		Config:          authenticatorPasswordConfig,
+		Clock:           clockClock,
+		Logger:          passwordLogger,
+		PasswordHistory: historyStore,
+		PasswordChecker: passwordChecker,
+		Expiry:          expiry,
+		Housekeeper:     housekeeper,
+	}
+	store4 := &passkey3.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	provider2 := &passkey3.Provider{
+		Store:   store4,
+		Clock:   clockClock,
+		Passkey: passkeyService,
+	}
+	totpStore := &totp.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	authenticatorTOTPConfig := authenticatorConfig.TOTP
+	totpProvider := &totp.Provider{
+		Store:  totpStore,
+		Config: authenticatorTOTPConfig,
+		Clock:  clockClock,
+	}
+	oobStore := &oob.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	oobProvider := &oob.Provider{
+		Store:                    oobStore,
+		LoginIDNormalizerFactory: normalizerFactory,
+		Clock:                    clockClock,
+	}
+	testModeConfig := appConfig.TestMode
+	testModeFeatureConfig := featureConfig.TestMode
+	codeStoreRedis := &otp.CodeStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	lookupStoreRedis := &otp.LookupStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	attemptTrackerRedis := &otp.AttemptTrackerRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	otpLogger := otp.NewLogger(factory)
+	otpService := &otp.Service{
+		Clock:                 clockClock,
+		AppID:                 appID,
+		TestModeConfig:        testModeConfig,
+		TestModeFeatureConfig: testModeFeatureConfig,
+		RemoteIP:              remoteIP,
+		CodeStore:             codeStoreRedis,
+		LookupStore:           lookupStoreRedis,
+		AttemptTracker:        attemptTrackerRedis,
+		Logger:                otpLogger,
+		RateLimiter:           limiter,
+	}
+	rateLimits := service2.RateLimits{
+		IP:          remoteIP,
+		Config:      authenticationConfig,
+		RateLimiter: limiter,
+	}
+	authenticationLockoutConfig := authenticationConfig.Lockout
+	lockoutLogger := lockout.NewLogger(factory)
+	lockoutStorageRedis := &lockout.StorageRedis{
+		AppID: appID,
+		Redis: appredisHandle,
+	}
+	lockoutService := &lockout.Service{
+		Logger:  lockoutLogger,
+		Storage: lockoutStorageRedis,
+	}
+	serviceLockout := service2.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	service3 := &service2.Service{
+		Store:          store3,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	verificationConfig := appConfig.Verification
+	userProfileConfig := appConfig.UserProfile
+	storePQ := &verification.StorePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	verificationService := &verification.Service{
+		Config:            verificationConfig,
+		UserProfileConfig: userProfileConfig,
+		Clock:             clockClock,
+		ClaimStore:        storePQ,
+	}
+	imagesCDNHost := environmentConfig.ImagesCDNHost
+	pictureTransformer := &stdattrs2.PictureTransformer{
+		HTTPProto:     httpProto,
+		HTTPHost:      httpHost,
+		ImagesCDNHost: imagesCDNHost,
+	}
+	serviceNoEvent := &stdattrs2.ServiceNoEvent{
+		UserProfileConfig: userProfileConfig,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		ClaimStore:        storePQ,
+		Transformer:       pictureTransformer,
+	}
+	customattrsServiceNoEvent := &customattrs.ServiceNoEvent{
+		Config:      userProfileConfig,
+		UserQueries: rawQueries,
+		UserStore:   userStore,
+	}
+	nftIndexerAPIEndpoint := environmentConfig.NFTIndexerAPIEndpoint
+	web3Service := &web3.Service{
+		APIEndpoint: nftIndexerAPIEndpoint,
+		Web3Config:  web3Config,
+	}
+	rolesgroupsStore := &rolesgroups.Store{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+		Clock:       clockClock,
+	}
+	queries := &rolesgroups.Queries{
+		Store: rolesgroupsStore,
+	}
+	userQueries := &user.Queries{
+		RawQueries:         rawQueries,
+		Store:              userStore,
+		Identities:         serviceService,
+		Authenticators:     service3,
+		Verification:       verificationService,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	resolverImpl := &event.ResolverImpl{
+		Users: userQueries,
+	}
+	hookLogger := hook.NewLogger(factory)
+	hookConfig := appConfig.Hook
+	webHookLogger := hook.NewWebHookLogger(factory)
+	webhookKeyMaterials := deps.ProvideWebhookKeyMaterials(secretConfig)
+	webHookImpl := hook.WebHookImpl{
+		Logger: webHookLogger,
+		Secret: webhookKeyMaterials,
+	}
+	syncHTTPClient := hook.NewSyncHTTPClient(hookConfig)
+	asyncHTTPClient := hook.NewAsyncHTTPClient()
+	eventWebHookImpl := &hook.EventWebHookImpl{
+		WebHookImpl: webHookImpl,
+		SyncHTTP:    syncHTTPClient,
+		AsyncHTTP:   asyncHTTPClient,
+	}
+	denoHookLogger := hook.NewDenoHookLogger(factory)
+	denoHook := hook.DenoHook{
+		Context:         contextContext,
+		ResourceManager: manager,
+		Logger:          denoHookLogger,
+	}
+	denoEndpoint := environmentConfig.DenoEndpoint
+	syncDenoClient := hook.NewSyncDenoClient(denoEndpoint, hookConfig, hookLogger)
+	asyncDenoClient := hook.NewAsyncDenoClient(denoEndpoint, hookLogger)
+	eventDenoHookImpl := &hook.EventDenoHookImpl{
+		DenoHook:        denoHook,
+		SyncDenoClient:  syncDenoClient,
+		AsyncDenoClient: asyncDenoClient,
+	}
+	commands := &rolesgroups.Commands{
+		Store: rolesgroupsStore,
+	}
+	sink := &hook.Sink{
+		Logger:             hookLogger,
+		Config:             hookConfig,
+		Clock:              clockClock,
+		EventWebHook:       eventWebHookImpl,
+		EventDenoHook:      eventDenoHookImpl,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		RolesAndGroups:     commands,
+	}
+	auditLogger := audit.NewLogger(factory)
+	writeHandle := appProvider.AuditWriteDatabase
+	auditDatabaseCredentials := deps.ProvideAuditDatabaseCredentials(secretConfig)
+	auditdbSQLBuilderApp := auditdb.NewSQLBuilderApp(auditDatabaseCredentials, appID)
+	writeSQLExecutor := auditdb.NewWriteSQLExecutor(contextContext, writeHandle)
+	writeStore := &audit.WriteStore{
+		SQLBuilder:  auditdbSQLBuilderApp,
+		SQLExecutor: writeSQLExecutor,
+	}
+	auditSink := &audit.Sink{
+		Logger:   auditLogger,
+		Database: writeHandle,
+		Store:    writeStore,
+	}
+	elasticsearchLogger := elasticsearch.NewLogger(factory)
+	elasticsearchServiceLogger := elasticsearch.NewElasticsearchServiceLogger(factory)
+	elasticsearchCredentials := deps.ProvideElasticsearchCredentials(secretConfig)
+	client := elasticsearch.NewClient(elasticsearchCredentials)
+	queue := appProvider.TaskQueue
+	userReindexProducer := redisqueue.NewUserReindexProducer(appredisHandle, clockClock)
+	elasticsearchService := elasticsearch.Service{
+		Clock:           clockClock,
+		Context:         contextContext,
+		Database:        handle,
+		Logger:          elasticsearchServiceLogger,
+		AppID:           appID,
+		Client:          client,
+		Users:           userQueries,
+		UserStore:       userStore,
+		IdentityService: serviceService,
+		RolesGroups:     rolesgroupsStore,
+		TaskQueue:       queue,
+		Producer:        userReindexProducer,
+	}
+	elasticsearchSink := &elasticsearch.Sink{
+		Logger:   elasticsearchLogger,
+		Service:  elasticsearchService,
+		Database: handle,
+	}
+	eventService := event.NewService(contextContext, appID, remoteIP, userAgentString, eventLogger, handle, clockClock, localizationConfig, storeImpl, resolverImpl, sink, auditSink, elasticsearchSink)
+	storeDeviceTokenRedis := &mfa.StoreDeviceTokenRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	storeRecoveryCodePQ := &mfa.StoreRecoveryCodePQ{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	mfaLockout := mfa.Lockout{
+		Config:   authenticationLockoutConfig,
+		RemoteIP: remoteIP,
+		Provider: lockoutService,
+	}
+	mfaService := &mfa.Service{
+		IP:            remoteIP,
+		DeviceTokens:  storeDeviceTokenRedis,
+		RecoveryCodes: storeRecoveryCodePQ,
+		Clock:         clockClock,
+		Config:        authenticationConfig,
+		RateLimiter:   limiter,
+		Lockout:       mfaLockout,
+	}
+	messagingLogger := messaging.NewLogger(factory)
+	usageLogger := usage.NewLogger(factory)
+	usageLimiter := &usage.Limiter{
+		Logger: usageLogger,
+		Clock:  clockClock,
+		AppID:  appID,
+		Redis:  appredisHandle,
+	}
+	messagingConfig := appConfig.Messaging
+	messagingRateLimitsConfig := messagingConfig.RateLimits
+	messagingFeatureConfig := featureConfig.Messaging
+	rateLimitsEnvironmentConfig := &environmentConfig.RateLimits
+	limits := messaging.Limits{
+		Logger:        messagingLogger,
+		RateLimiter:   limiter,
+		UsageLimiter:  usageLimiter,
+		RemoteIP:      remoteIP,
+		Config:        messagingRateLimitsConfig,
+		FeatureConfig: messagingFeatureConfig,
+		EnvConfig:     rateLimitsEnvironmentConfig,
+	}
+	whatsappServiceLogger := whatsapp.NewServiceLogger(factory)
+	devMode := environmentConfig.DevMode
+	featureTestModeWhatsappSuppressed := deps.ProvideTestModeWhatsappSuppressed(testModeFeatureConfig)
+	testModeWhatsappConfig := testModeConfig.Whatsapp
+	whatsappConfig := messagingConfig.Whatsapp
+	whatsappOnPremisesCredentials := deps.ProvideWhatsappOnPremisesCredentials(secretConfig)
+	tokenStore := &whatsapp.TokenStore{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	onPremisesClient := whatsapp.NewWhatsappOnPremisesClient(whatsappConfig, whatsappOnPremisesCredentials, tokenStore)
+	whatsappService := &whatsapp.Service{
+		Context:                           contextContext,
+		Logger:                            whatsappServiceLogger,
+		DevMode:                           devMode,
+		FeatureTestModeWhatsappSuppressed: featureTestModeWhatsappSuppressed,
+		TestModeWhatsappConfig:            testModeWhatsappConfig,
+		WhatsappConfig:                    whatsappConfig,
+		LocalizationConfig:                localizationConfig,
+		OnPremisesClient:                  onPremisesClient,
+		TokenStore:                        tokenStore,
+	}
+	sender := &messaging.Sender{
+		Limits:                 limits,
+		TaskQueue:              queue,
+		Events:                 eventService,
+		Whatsapp:               whatsappService,
+		MessagingFeatureConfig: messagingFeatureConfig,
+	}
+	forgotpasswordSender := &forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	rawCommands := &user.RawCommands{
+		Store: userStore,
+		Clock: clockClock,
+	}
+	userCommands := &user.Commands{
+		RawCommands:        rawCommands,
+		RawQueries:         rawQueries,
+		Events:             eventService,
+		Verification:       verificationService,
+		UserProfileConfig:  userProfileConfig,
+		StandardAttributes: serviceNoEvent,
+		CustomAttributes:   customattrsServiceNoEvent,
+		Web3:               web3Service,
+		RolesAndGroups:     queries,
+	}
+	stdattrsService := &stdattrs2.Service{
+		UserProfileConfig: userProfileConfig,
+		ServiceNoEvent:    serviceNoEvent,
+		Identities:        serviceService,
+		UserQueries:       rawQueries,
+		UserStore:         userStore,
+		Events:            eventService,
+	}
+	authorizationStore := &pq.AuthorizationStore{
+		SQLBuilder:  sqlBuilderApp,
+		SQLExecutor: sqlExecutor,
+	}
+	storeRedisLogger := idpsession.NewStoreRedisLogger(factory)
+	idpsessionStoreRedis := &idpsession.StoreRedis{
+		Redis:  appredisHandle,
+		AppID:  appID,
+		Clock:  clockClock,
+		Logger: storeRedisLogger,
+	}
+	sessionConfig := appConfig.Session
+	cookieDef2 := session.NewSessionCookieDef(sessionConfig)
+	idpsessionManager := &idpsession.Manager{
+		Store:     idpsessionStoreRedis,
+		Config:    sessionConfig,
+		Cookies:   cookieManager,
+		CookieDef: cookieDef2,
+	}
+	eventStoreRedis := &access.EventStoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	eventProvider := &access.EventProvider{
+		Store: eventStoreRedis,
+	}
+	idpsessionRand := _wireRandValue
+	idpsessionProvider := &idpsession.Provider{
+		Context:         contextContext,
+		RemoteIP:        remoteIP,
+		UserAgentString: userAgentString,
+		AppID:           appID,
+		Redis:           appredisHandle,
+		Store:           idpsessionStoreRedis,
+		AccessEvents:    eventProvider,
+		TrustProxy:      trustProxy,
+		Config:          sessionConfig,
+		Clock:           clockClock,
+		Random:          idpsessionRand,
+	}
+	offlineGrantService := oauth2.OfflineGrantService{
+		OAuthConfig:    oAuthConfig,
+		Clock:          clockClock,
+		IDPSessions:    idpsessionProvider,
+		ClientResolver: resolver,
+		OfflineGrants:  store,
+	}
+	sessionManager := &oauth2.SessionManager{
+		Store:   store,
+		Config:  oAuthConfig,
+		Service: offlineGrantService,
+	}
+	accountDeletionConfig := appConfig.AccountDeletion
+	accountAnonymizationConfig := appConfig.AccountAnonymization
+	maxTrials := _wireMaxTrialsValue
+	passwordRand := password.NewRandSource()
+	generator := &password.Generator{
+		MaxTrials:      maxTrials,
+		Checker:        passwordChecker,
+		Rand:           passwordRand,
+		PasswordConfig: authenticatorPasswordConfig,
+	}
+	coordinator := &facade.Coordinator{
+		Events:                     eventService,
+		Identities:                 serviceService,
+		Authenticators:             service3,
+		Verification:               verificationService,
+		MFA:                        mfaService,
+		SendPassword:               forgotpasswordSender,
+		UserCommands:               userCommands,
+		UserQueries:                userQueries,
+		RolesGroupsCommands:        commands,
+		StdAttrsService:            stdattrsService,
+		PasswordHistory:            historyStore,
+		OAuth:                      authorizationStore,
+		IDPSessions:                idpsessionManager,
+		OAuthSessions:              sessionManager,
+		IdentityConfig:             identityConfig,
+		AccountDeletionConfig:      accountDeletionConfig,
+		AccountAnonymizationConfig: accountAnonymizationConfig,
+		AuthenticationConfig:       authenticationConfig,
+		Clock:                      clockClock,
+		PasswordGenerator:          generator,
+	}
+	identityFacade := facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	authenticatorFacade := facade.AuthenticatorFacade{
+		Coordinator: coordinator,
+	}
+	anonymousStoreRedis := &anonymous.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+		Clock:   clockClock,
+	}
+	messageSender := &otp.MessageSender{
+		AppID:           appID,
+		Translation:     translationService,
+		Endpoints:       endpointsEndpoints,
+		Sender:          sender,
+		WhatsappService: whatsappService,
+	}
+	oAuthSSOProviderCredentials := deps.ProvideOAuthSSOProviderCredentials(secretConfig)
+	oAuthHTTPClient := sso.ProvideOAuthHTTPClient(environmentConfig)
+	simpleStoreRedisFactory := &sso.SimpleStoreRedisFactory{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+	}
+	oAuthProviderFactory := &sso.OAuthProviderFactory{
+		IdentityConfig:               identityConfig,
+		Credentials:                  oAuthSSOProviderCredentials,
+		Clock:                        clockClock,
+		StandardAttributesNormalizer: normalizer,
+		HTTPClient:                   oAuthHTTPClient,
+		SimpleStoreRedisFactory:      simpleStoreRedisFactory,
+	}
+	webappoauthStore := &webappoauth.Store{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
+	forgotpasswordLogger := forgotpassword.NewLogger(factory)
+	sender2 := forgotpassword.Sender{
+		AppConfg:    appConfig,
+		Identities:  serviceService,
+		Sender:      sender,
+		Translation: translationService,
+	}
+	forgotpasswordService := &forgotpassword.Service{
+		Logger:         forgotpasswordLogger,
+		Config:         appConfig,
+		FeatureConfig:  featureConfig,
+		Identities:     serviceService,
+		Authenticators: authenticatorFacade,
+		OTPCodes:       otpService,
+		OTPSender:      messageSender,
+		PasswordSender: sender2,
+	}
+	responseWriter := p.ResponseWriter
+	nonceService := &nonce.Service{
+		Cookies:        cookieManager,
+		Request:        request,
+		ResponseWriter: responseWriter,
+	}
+	challengeProvider := &challenge.Provider{
+		Redis: appredisHandle,
+		AppID: appID,
+		Clock: clockClock,
+	}
+	userProvider := &user.Provider{
+		Commands: userCommands,
+		Queries:  userQueries,
+	}
+	authenticationinfoStoreRedis := &authenticationinfo.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	manager2 := &session.Manager{
+		IDPSessions:         idpsessionManager,
+		AccessTokenSessions: sessionManager,
+		Events:              eventService,
+	}
+	oauthsessionStoreRedis := &oauthsession.StoreRedis{
+		Context: contextContext,
+		Redis:   appredisHandle,
+		AppID:   appID,
+	}
+	interactionContext := &interaction.Context{
+		Request:                         request,
+		RemoteIP:                        remoteIP,
+		Database:                        sqlExecutor,
+		Clock:                           clockClock,
+		Config:                          appConfig,
+		FeatureConfig:                   featureConfig,
+		OAuthClientResolver:             resolver,
+		OfflineGrants:                   store,
+		Identities:                      identityFacade,
+		Authenticators:                  authenticatorFacade,
+		AnonymousIdentities:             anonymousProvider,
+		AnonymousUserPromotionCodeStore: anonymousStoreRedis,
+		BiometricIdentities:             biometricProvider,
+		OTPCodeService:                  otpService,
+		OTPSender:                       messageSender,
+		OAuthProviderFactory:            oAuthProviderFactory,
+		OAuthRedirectURIBuilder:         endpointsEndpoints,
+		OAuthStateStore:                 webappoauthStore,
+		MFA:                             mfaFacade,
+		ForgotPassword:                  forgotpasswordService,
+		ResetPassword:                   forgotpasswordService,
+		Passkey:                         passkeyService,
+		Verification:                    verificationService,
+		RateLimiter:                     limiter,
+		PasswordGenerator:               generator,
+		Nonces:                          nonceService,
+		Challenges:                      challengeProvider,
+		Users:                           userProvider,
+		StdAttrsService:                 stdattrsService,
+		Events:                          eventService,
+		CookieManager:                   cookieManager,
+		AuthenticationInfoService:       authenticationinfoStoreRedis,
+		Sessions:                        idpsessionProvider,
+		SessionManager:                  manager2,
+		SessionCookie:                   cookieDef2,
+		OAuthSessions:                   oauthsessionStoreRedis,
+		MFADeviceTokenCookie:            cookieDef,
+	}
+	interactionStoreRedis := &interaction.StoreRedis{
+		Redis: appredisHandle,
+		AppID: appID,
+	}
+	interactionService := &interaction.Service{
+		Logger:  logger,
+		Context: interactionContext,
+		Store:   interactionStoreRedis,
+	}
+	webappService2 := &webapp2.Service2{
+		Logger:               serviceLogger,
+		Request:              request,
+		Sessions:             sessionStoreRedis,
+		SessionCookie:        sessionCookieDef,
+		SignedUpCookie:       signedUpCookieDef,
+		MFADeviceTokenCookie: cookieDef,
+		ErrorService:         errorService,
+		Cookies:              cookieManager,
+		OAuthConfig:          oAuthConfig,
+		UIConfig:             uiConfig,
+		TrustProxy:           trustProxy,
+		UIInfoResolver:       uiService,
+		OAuthClientResolver:  resolver,
+		Graph:                interactionService,
+	}
+	uiFeatureConfig := featureConfig.UI
+	forgotPasswordConfig := appConfig.ForgotPassword
+	googleTagManagerConfig := appConfig.GoogleTagManager
+	botProtectionConfig := appConfig.BotProtection
+	flashMessage := &httputil.FlashMessage{
+		Cookies: cookieManager,
+	}
+	authUISentryDSN := environmentConfig.AuthUISentryDSN
+	authUIWindowMessageAllowedOrigins := environmentConfig.AuthUIWindowMessageAllowedOrigins
+	baseLogger := viewmodels.NewBaseLogger(factory)
+	baseViewModeler := &viewmodels.BaseViewModeler{
+		TrustProxy:                        trustProxy,
+		OAuth:                             oAuthConfig,
+		AuthUI:                            uiConfig,
+		AuthUIFeatureConfig:               uiFeatureConfig,
+		StaticAssets:                      staticAssetResolver,
+		ForgotPassword:                    forgotPasswordConfig,
+		Authentication:                    authenticationConfig,
+		GoogleTagManager:                  googleTagManagerConfig,
+		BotProtection:                     botProtectionConfig,
+		ErrorService:                      errorService,
+		Translations:                      translationService,
+		Clock:                             clockClock,
+		FlashMessage:                      flashMessage,
+		DefaultLanguageTag:                defaultLanguageTag,
+		SupportedLanguageTags:             supportedLanguageTags,
+		AuthUISentryDSN:                   authUISentryDSN,
+		AuthUIWindowMessageAllowedOrigins: authUIWindowMessageAllowedOrigins,
+		OAuthClientResolver:               resolver,
+		Logger:                            baseLogger,
+	}
+	responseRenderer := &webapp.ResponseRenderer{
+		TemplateEngine: engine,
+	}
+	publisher := webapp.NewPublisher(appID, appredisHandle)
+	authflowNavigator := &webapp2.AuthflowNavigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	authflowV2Navigator := &authflowv2.AuthflowV2Navigator{
+		Endpoints:       endpointsEndpoints,
+		OAuthStateStore: webappoauthStore,
+	}
+	errorRenderer := &webapp.ErrorRenderer{
+		ErrorService:            errorService,
+		UIImplementationService: uiImplementationService,
+		AuthflowV1Navigator:     authflowNavigator,
+		AuthflowV2Navigator:     authflowV2Navigator,
+	}
+	controllerDeps := webapp.ControllerDeps{
+		Database:                handle,
+		RedisHandle:             appredisHandle,
+		AppID:                   appID,
+		Page:                    webappService2,
+		BaseViewModel:           baseViewModeler,
+		Renderer:                responseRenderer,
+		Publisher:               publisher,
+		Clock:                   clockClock,
+		TesterEndpointsProvider: endpointsEndpoints,
+		ErrorRenderer:           errorRenderer,
+		TrustProxy:              trustProxy,
+	}
+	controllerFactory := webapp.ControllerFactory{
+		LoggerFactory:  factory,
+		ControllerDeps: controllerDeps,
+	}
+	settingsTOTPHandler := &webapp.SettingsTOTPHandler{
+		ControllerFactory: controllerFactory,
+		BaseViewModel:     baseViewModeler,
+		Renderer:          responseRenderer,
+		Authenticators:    service3,
 	}
-	return authflowV2SettingsMFACreatePasswordHandler
+	return settingsTOTPHandler
 }
 
-func newWebAppAuthflowV2SettingsMFAPasswordHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2SettingsTOTPHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	handle := appProvider.AppDatabase
 	factory := appProvider.LoggerFactory
@@ -53892,27 +56739,59 @@ func newWebAppAuthflowV2SettingsMFAPasswordHandler(p *deps.RequestProvider) http
 		LoggerFactory:  factory,
 		ControllerDeps: controllerDeps,
 	}
-	biometricConfig := identityConfig.Biometric
-	settingsViewModeler := &viewmodels.SettingsViewModeler{
-		Authenticators: service3,
-		MFA:            mfaService,
-		Authentication: authenticationConfig,
-		Biometric:      biometricConfig,
+	redisStore := &accountmanagement.RedisStore{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+		Clock:   clockClock,
 	}
-	authflowV2SettingsMFAPasswordHandler := &authflowv2.AuthflowV2SettingsMFAPasswordHandler{
+	facadeIdentityFacade := &facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	accountmanagementService := &accountmanagement.Service{
+		Database:                  handle,
+		Config:                    appConfig,
+		HTTPOrigin:                httpOrigin,
+		Users:                     userProvider,
+		Store:                     redisStore,
+		OAuthProvider:             oAuthProviderFactory,
+		Identities:                facadeIdentityFacade,
+		Events:                    eventService,
+		OTPSender:                 messageSender,
+		OTPCodeService:            otpService,
+		Authenticators:            authenticatorFacade,
+		AuthenticationInfoService: authenticationinfoStoreRedis,
+		MFA:                       mfaFacade,
+		PasskeyService:            passkeyService,
+		Verification:              verificationService,
+		UIInfoResolver:            uiService,
+	}
+	service4 := service2.Service{
+		Store:          store3,
+		Config:         appConfig,
+		Password:       passwordProvider,
+		Passkey:        provider2,
+		TOTP:           totpProvider,
+		OOBOTP:         oobProvider,
+		OTPCodeService: otpService,
+		RateLimits:     rateLimits,
+		Lockout:        serviceLockout,
+	}
+	authflowV2SettingsTOTPHandler := &authflowv2.AuthflowV2SettingsTOTPHandler{
 		Database:          handle,
 		ControllerFactory: controllerFactory,
 		BaseViewModel:     baseViewModeler,
-		SettingsViewModel: settingsViewModeler,
 		Renderer:          responseRenderer,
+		AccountManagement: accountmanagementService,
+		Authenticators:    service4,
 	}
-	return authflowV2SettingsMFAPasswordHandler
+	return authflowV2SettingsTOTPHandler
 }
 
-func newWebAppSettingsTOTPHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2SettingsMFACreateTOTPHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
-	factory := appProvider.LoggerFactory
 	handle := appProvider.AppDatabase
+	factory := appProvider.LoggerFactory
 	appredisHandle := appProvider.Redis
 	appContext := appProvider.AppContext
 	config := appContext.Config
@@ -54836,16 +57715,52 @@ func newWebAppSettingsTOTPHandler(p *deps.RequestProvider) http.Handler {
 		LoggerFactory:  factory,
 		ControllerDeps: controllerDeps,
 	}
-	settingsTOTPHandler := &webapp.SettingsTOTPHandler{
+	biometricConfig := identityConfig.Biometric
+	settingsViewModeler := &viewmodels.SettingsViewModeler{
+		Authenticators: service3,
+		MFA:            mfaService,
+		Authentication: authenticationConfig,
+		Biometric:      biometricConfig,
+	}
+	redisStore := &accountmanagement.RedisStore{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+		Clock:   clockClock,
+	}
+	facadeIdentityFacade := &facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	accountmanagementService := &accountmanagement.Service{
+		Database:                  handle,
+		Config:                    appConfig,
+		HTTPOrigin:                httpOrigin,
+		Users:                     userProvider,
+		Store:                     redisStore,
+		OAuthProvider:             oAuthProviderFactory,
+		Identities:                facadeIdentityFacade,
+		Events:                    eventService,
+		OTPSender:                 messageSender,
+		OTPCodeService:            otpService,
+		Authenticators:            authenticatorFacade,
+		AuthenticationInfoService: authenticationinfoStoreRedis,
+		MFA:                       mfaFacade,
+		PasskeyService:            passkeyService,
+		Verification:              verificationService,
+		UIInfoResolver:            uiService,
+	}
+	authflowV2SettingsMFACreateTOTPHandler := &authflowv2.AuthflowV2SettingsMFACreateTOTPHandler{
+		Database:          handle,
 		ControllerFactory: controllerFactory,
 		BaseViewModel:     baseViewModeler,
+		SettingsViewModel: settingsViewModeler,
 		Renderer:          responseRenderer,
-		Authenticators:    service3,
+		AccountManagement: accountmanagementService,
 	}
-	return settingsTOTPHandler
+	return authflowV2SettingsMFACreateTOTPHandler
 }
 
-func newWebAppAuthflowV2SettingsTOTPHandler(p *deps.RequestProvider) http.Handler {
+func newWebAppAuthflowV2SettingsMFAEnterTOTPHandler(p *deps.RequestProvider) http.Handler {
 	appProvider := p.AppProvider
 	handle := appProvider.AppDatabase
 	factory := appProvider.LoggerFactory
@@ -55772,25 +58687,50 @@ func newWebAppAuthflowV2SettingsTOTPHandler(p *deps.RequestProvider) http.Handle
 		LoggerFactory:  factory,
 		ControllerDeps: controllerDeps,
 	}
-	service4 := service2.Service{
-		Store:          store3,
-		Config:         appConfig,
-		Password:       passwordProvider,
-		Passkey:        provider2,
-		TOTP:           totpProvider,
-		OOBOTP:         oobProvider,
-		OTPCodeService: otpService,
-		RateLimits:     rateLimits,
-		Lockout:        serviceLockout,
+	biometricConfig := identityConfig.Biometric
+	settingsViewModeler := &viewmodels.SettingsViewModeler{
+		Authenticators: service3,
+		MFA:            mfaService,
+		Authentication: authenticationConfig,
+		Biometric:      biometricConfig,
 	}
-	authflowV2SettingsTOTPHandler := &authflowv2.AuthflowV2SettingsTOTPHandler{
+	redisStore := &accountmanagement.RedisStore{
+		Context: contextContext,
+		AppID:   appID,
+		Redis:   appredisHandle,
+		Clock:   clockClock,
+	}
+	facadeIdentityFacade := &facade.IdentityFacade{
+		Coordinator: coordinator,
+	}
+	accountmanagementService := &accountmanagement.Service{
+		Database:                  handle,
+		Config:                    appConfig,
+		HTTPOrigin:                httpOrigin,
+		Users:                     userProvider,
+		Store:                     redisStore,
+		OAuthProvider:             oAuthProviderFactory,
+		Identities:                facadeIdentityFacade,
+		Events:                    eventService,
+		OTPSender:                 messageSender,
+		OTPCodeService:            otpService,
+		Authenticators:            authenticatorFacade,
+		AuthenticationInfoService: authenticationinfoStoreRedis,
+		MFA:                       mfaFacade,
+		PasskeyService:            passkeyService,
+		Verification:              verificationService,
+		UIInfoResolver:            uiService,
+	}
+	authflowV2SettingsMFAEnterTOTPHandler := &authflowv2.AuthflowV2SettingsMFAEnterTOTPHandler{
 		Database:          handle,
 		ControllerFactory: controllerFactory,
 		BaseViewModel:     baseViewModeler,
+		SettingsViewModel: settingsViewModeler,
 		Renderer:          responseRenderer,
-		Authenticators:    service4,
+		Clock:             clockClock,
+		AccountManagement: accountmanagementService,
 	}
-	return authflowV2SettingsTOTPHandler
+	return authflowV2SettingsMFAEnterTOTPHandler
 }
 
 func newWebAppAuthflowV2SettingsOOBOTPHandler(p *deps.RequestProvider) http.Handler {
@@ -58629,6 +61569,7 @@ func newWebAppAuthflowV2SettingsChangePasskeyHandler(p *deps.RequestProvider) ht
 	accountmanagementService := &accountmanagement.Service{
 		Database:                  handle,
 		Config:                    appConfig,
+		HTTPOrigin:                httpOrigin,
 		Users:                     userProvider,
 		Store:                     redisStore,
 		OAuthProvider:             oAuthProviderFactory,
@@ -58638,6 +61579,7 @@ func newWebAppAuthflowV2SettingsChangePasskeyHandler(p *deps.RequestProvider) ht
 		OTPCodeService:            otpService,
 		Authenticators:            authenticatorFacade,
 		AuthenticationInfoService: authenticationinfoStoreRedis,
+		MFA:                       mfaFacade,
 		PasskeyService:            passkeyService,
 		Verification:              verificationService,
 		UIInfoResolver:            uiService,
@@ -65267,6 +68209,7 @@ func newWebAppAuthflowV2SettingsChangePasswordHandler(p *deps.RequestProvider) h
 	accountmanagementService := &accountmanagement.Service{
 		Database:                  handle,
 		Config:                    appConfig,
+		HTTPOrigin:                httpOrigin,
 		Users:                     userProvider,
 		Store:                     redisStore,
 		OAuthProvider:             oAuthProviderFactory,
@@ -65276,6 +68219,7 @@ func newWebAppAuthflowV2SettingsChangePasswordHandler(p *deps.RequestProvider) h
 		OTPCodeService:            otpService,
 		Authenticators:            authenticatorFacade,
 		AuthenticationInfoService: authenticationinfoStoreRedis,
+		MFA:                       mfaFacade,
 		PasskeyService:            passkeyService,
 		Verification:              verificationService,
 		UIInfoResolver:            uiService,
@@ -91635,11 +94579,17 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 	appContext := appProvider.AppContext
 	config := appContext.Config
 	appConfig := config.AppConfig
+	request := p.Request
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	secretConfig := config.SecretConfig
 	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
 	appID := appConfig.ID
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	request := p.Request
 	contextContext := deps.ProvideRequestContext(request)
 	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
 	clockClock := _wireSystemClockValue
@@ -91656,9 +94606,6 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 	rawQueries := &user.RawQueries{
 		Store: store,
 	}
-	rootProvider := appProvider.RootProvider
-	environmentConfig := rootProvider.EnvironmentConfig
-	trustProxy := environmentConfig.TrustProxy
 	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
 	userAgentString := deps.ProvideUserAgentString(request)
 	logger := event.NewLogger(factory)
@@ -91745,9 +94692,6 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 	engine := &template.Engine{
 		Resolver: resolver,
 	}
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
-	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
 	staticAssetResolver := &web.StaticAssetResolver{
@@ -92360,12 +95304,16 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 		Redis:   appredisHandle,
 		AppID:   appID,
 	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
 	uiService := &authenticationinfo.UIService{
 		EndpointsProvider: endpointsEndpoints,
 	}
 	accountmanagementService := &accountmanagement.Service{
 		Database:                  handle,
 		Config:                    appConfig,
+		HTTPOrigin:                httpOrigin,
 		Users:                     userProvider,
 		Store:                     redisStore,
 		OAuthProvider:             oAuthProviderFactory,
@@ -92375,6 +95323,7 @@ func newAPIAccountManagementV1IdentificationHandler(p *deps.RequestProvider) htt
 		OTPCodeService:            otpService,
 		Authenticators:            authenticatorFacade,
 		AuthenticationInfoService: authenticationinfoStoreRedis,
+		MFA:                       mfaFacade,
 		PasskeyService:            passkeyService,
 		Verification:              verificationService,
 		UIInfoResolver:            uiService,
@@ -92397,11 +95346,17 @@ func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider
 	appContext := appProvider.AppContext
 	config := appContext.Config
 	appConfig := config.AppConfig
+	request := p.Request
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	secretConfig := config.SecretConfig
 	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
 	appID := appConfig.ID
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	request := p.Request
 	contextContext := deps.ProvideRequestContext(request)
 	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
 	clockClock := _wireSystemClockValue
@@ -92418,9 +95373,6 @@ func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider
 	rawQueries := &user.RawQueries{
 		Store: store,
 	}
-	rootProvider := appProvider.RootProvider
-	environmentConfig := rootProvider.EnvironmentConfig
-	trustProxy := environmentConfig.TrustProxy
 	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
 	userAgentString := deps.ProvideUserAgentString(request)
 	logger := event.NewLogger(factory)
@@ -92507,9 +95459,6 @@ func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider
 	engine := &template.Engine{
 		Resolver: resolver,
 	}
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
-	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
 	staticAssetResolver := &web.StaticAssetResolver{
@@ -93122,12 +96071,16 @@ func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider
 		Redis:   appredisHandle,
 		AppID:   appID,
 	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
 	uiService := &authenticationinfo.UIService{
 		EndpointsProvider: endpointsEndpoints,
 	}
 	accountmanagementService := &accountmanagement.Service{
 		Database:                  handle,
 		Config:                    appConfig,
+		HTTPOrigin:                httpOrigin,
 		Users:                     userProvider,
 		Store:                     redisStore,
 		OAuthProvider:             oAuthProviderFactory,
@@ -93137,6 +96090,7 @@ func newAPIAccountManagementV1IdentificationOAuthHandler(p *deps.RequestProvider
 		OTPCodeService:            otpService,
 		Authenticators:            authenticatorFacade,
 		AuthenticationInfoService: authenticationinfoStoreRedis,
+		MFA:                       mfaFacade,
 		PasskeyService:            passkeyService,
 		Verification:              verificationService,
 		UIInfoResolver:            uiService,
@@ -152873,6 +155827,7 @@ func newWebAppAuthflowV2SettingsIdentityAddEmailHandler(p *deps.RequestProvider)
 	accountmanagementService := accountmanagement.Service{
 		Database:                  handle,
 		Config:                    appConfig,
+		HTTPOrigin:                httpOrigin,
 		Users:                     userProvider,
 		Store:                     redisStore,
 		OAuthProvider:             oAuthProviderFactory,
@@ -152882,6 +155837,7 @@ func newWebAppAuthflowV2SettingsIdentityAddEmailHandler(p *deps.RequestProvider)
 		OTPCodeService:            otpService,
 		Authenticators:            authenticatorFacade,
 		AuthenticationInfoService: authenticationinfoStoreRedis,
+		MFA:                       mfaFacade,
 		PasskeyService:            passkeyService,
 		Verification:              verificationService,
 		UIInfoResolver:            uiService,
@@ -153834,6 +156790,7 @@ func newWebAppAuthflowV2SettingsIdentityEditEmailHandler(p *deps.RequestProvider
 	accountmanagementService := accountmanagement.Service{
 		Database:                  handle,
 		Config:                    appConfig,
+		HTTPOrigin:                httpOrigin,
 		Users:                     userProvider,
 		Store:                     redisStore,
 		OAuthProvider:             oAuthProviderFactory,
@@ -153843,6 +156800,7 @@ func newWebAppAuthflowV2SettingsIdentityEditEmailHandler(p *deps.RequestProvider
 		OTPCodeService:            otpService,
 		Authenticators:            authenticatorFacade,
 		AuthenticationInfoService: authenticationinfoStoreRedis,
+		MFA:                       mfaFacade,
 		PasskeyService:            passkeyService,
 		Verification:              verificationService,
 		UIInfoResolver:            uiService,
@@ -155747,6 +158705,7 @@ func newWebAppAuthflowV2SettingsIdentityVerifyEmailHandler(p *deps.RequestProvid
 	accountmanagementService := accountmanagement.Service{
 		Database:                  handle,
 		Config:                    appConfig,
+		HTTPOrigin:                httpOrigin,
 		Users:                     userProvider,
 		Store:                     redisStore,
 		OAuthProvider:             oAuthProviderFactory,
@@ -155756,6 +158715,7 @@ func newWebAppAuthflowV2SettingsIdentityVerifyEmailHandler(p *deps.RequestProvid
 		OTPCodeService:            otpService,
 		Authenticators:            authenticatorFacade,
 		AuthenticationInfoService: authenticationinfoStoreRedis,
+		MFA:                       mfaFacade,
 		PasskeyService:            passkeyService,
 		Verification:              verificationService,
 		UIInfoResolver:            uiService,
@@ -156719,6 +159679,7 @@ func newWebAppAuthflowV2SettingsIdentityViewEmailHandler(p *deps.RequestProvider
 	accountmanagementService := accountmanagement.Service{
 		Database:                  handle,
 		Config:                    appConfig,
+		HTTPOrigin:                httpOrigin,
 		Users:                     userProvider,
 		Store:                     accountmanagementRedisStore,
 		OAuthProvider:             oAuthProviderFactory,
@@ -156728,6 +159689,7 @@ func newWebAppAuthflowV2SettingsIdentityViewEmailHandler(p *deps.RequestProvider
 		OTPCodeService:            otpService,
 		Authenticators:            authenticatorFacade,
 		AuthenticationInfoService: authenticationinfoStoreRedis,
+		MFA:                       mfaFacade,
 		PasskeyService:            passkeyService,
 		Verification:              verificationService,
 		UIInfoResolver:            uiService,
@@ -158638,6 +161600,7 @@ func newWebAppAuthflowV2SettingsIdentityAddPhoneHandler(p *deps.RequestProvider)
 	accountmanagementService := accountmanagement.Service{
 		Database:                  handle,
 		Config:                    appConfig,
+		HTTPOrigin:                httpOrigin,
 		Users:                     userProvider,
 		Store:                     redisStore,
 		OAuthProvider:             oAuthProviderFactory,
@@ -158647,6 +161610,7 @@ func newWebAppAuthflowV2SettingsIdentityAddPhoneHandler(p *deps.RequestProvider)
 		OTPCodeService:            otpService,
 		Authenticators:            authenticatorFacade,
 		AuthenticationInfoService: authenticationinfoStoreRedis,
+		MFA:                       mfaFacade,
 		PasskeyService:            passkeyService,
 		Verification:              verificationService,
 		UIInfoResolver:            uiService,
@@ -159600,6 +162564,7 @@ func newWebAppAuthflowV2SettingsIdentityEditPhoneHandler(p *deps.RequestProvider
 	accountmanagementService := accountmanagement.Service{
 		Database:                  handle,
 		Config:                    appConfig,
+		HTTPOrigin:                httpOrigin,
 		Users:                     userProvider,
 		Store:                     redisStore,
 		OAuthProvider:             oAuthProviderFactory,
@@ -159609,6 +162574,7 @@ func newWebAppAuthflowV2SettingsIdentityEditPhoneHandler(p *deps.RequestProvider
 		OTPCodeService:            otpService,
 		Authenticators:            authenticatorFacade,
 		AuthenticationInfoService: authenticationinfoStoreRedis,
+		MFA:                       mfaFacade,
 		PasskeyService:            passkeyService,
 		Verification:              verificationService,
 		UIInfoResolver:            uiService,
@@ -161514,6 +164480,7 @@ func newWebAppAuthflowV2SettingsIdentityViewPhoneHandler(p *deps.RequestProvider
 	accountmanagementService := accountmanagement.Service{
 		Database:                  handle,
 		Config:                    appConfig,
+		HTTPOrigin:                httpOrigin,
 		Users:                     userProvider,
 		Store:                     accountmanagementRedisStore,
 		OAuthProvider:             oAuthProviderFactory,
@@ -161523,6 +164490,7 @@ func newWebAppAuthflowV2SettingsIdentityViewPhoneHandler(p *deps.RequestProvider
 		OTPCodeService:            otpService,
 		Authenticators:            authenticatorFacade,
 		AuthenticationInfoService: authenticationinfoStoreRedis,
+		MFA:                       mfaFacade,
 		PasskeyService:            passkeyService,
 		Verification:              verificationService,
 		UIInfoResolver:            uiService,
@@ -163434,6 +166402,7 @@ func newWebAppAuthflowV2SettingsIdentityVerifyPhoneHandler(p *deps.RequestProvid
 	accountmanagementService := accountmanagement.Service{
 		Database:                  handle,
 		Config:                    appConfig,
+		HTTPOrigin:                httpOrigin,
 		Users:                     userProvider,
 		Store:                     redisStore,
 		OAuthProvider:             oAuthProviderFactory,
@@ -163443,6 +166412,7 @@ func newWebAppAuthflowV2SettingsIdentityVerifyPhoneHandler(p *deps.RequestProvid
 		OTPCodeService:            otpService,
 		Authenticators:            authenticatorFacade,
 		AuthenticationInfoService: authenticationinfoStoreRedis,
+		MFA:                       mfaFacade,
 		PasskeyService:            passkeyService,
 		Verification:              verificationService,
 		UIInfoResolver:            uiService,
@@ -164405,11 +167375,17 @@ func newWebAppAuthflowV2SettingsIdentityNewUsernameHandler(p *deps.RequestProvid
 	appContext := appProvider.AppContext
 	config := appContext.Config
 	appConfig := config.AppConfig
+	request := p.Request
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	secretConfig := config.SecretConfig
 	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
 	appID := appConfig.ID
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	request := p.Request
 	contextContext := deps.ProvideRequestContext(request)
 	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
 	clockClock := _wireSystemClockValue
@@ -164426,9 +167402,6 @@ func newWebAppAuthflowV2SettingsIdentityNewUsernameHandler(p *deps.RequestProvid
 	rawQueries := &user.RawQueries{
 		Store: store,
 	}
-	rootProvider := appProvider.RootProvider
-	environmentConfig := rootProvider.EnvironmentConfig
-	trustProxy := environmentConfig.TrustProxy
 	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
 	userAgentString := deps.ProvideUserAgentString(request)
 	factory := appProvider.LoggerFactory
@@ -164516,9 +167489,6 @@ func newWebAppAuthflowV2SettingsIdentityNewUsernameHandler(p *deps.RequestProvid
 	engine := &template.Engine{
 		Resolver: resolver,
 	}
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
-	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
 	staticAssetResolver := &web.StaticAssetResolver{
@@ -165131,12 +168101,16 @@ func newWebAppAuthflowV2SettingsIdentityNewUsernameHandler(p *deps.RequestProvid
 		Redis:   appredisHandle,
 		AppID:   appID,
 	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
 	uiService := &authenticationinfo.UIService{
 		EndpointsProvider: endpointsEndpoints,
 	}
 	accountmanagementService := &accountmanagement.Service{
 		Database:                  handle,
 		Config:                    appConfig,
+		HTTPOrigin:                httpOrigin,
 		Users:                     userProvider,
 		Store:                     redisStore,
 		OAuthProvider:             oAuthProviderFactory,
@@ -165146,6 +168120,7 @@ func newWebAppAuthflowV2SettingsIdentityNewUsernameHandler(p *deps.RequestProvid
 		OTPCodeService:            otpService,
 		Authenticators:            authenticatorFacade,
 		AuthenticationInfoService: authenticationinfoStoreRedis,
+		MFA:                       mfaFacade,
 		PasskeyService:            passkeyService,
 		Verification:              verificationService,
 		UIInfoResolver:            uiService,
@@ -165180,9 +168155,6 @@ func newWebAppAuthflowV2SettingsIdentityNewUsernameHandler(p *deps.RequestProvid
 		Redis:   appredisHandle,
 		AppID:   appID,
 	}
-	mfaFacade := &facade.MFAFacade{
-		Coordinator: coordinator,
-	}
 	forgotpasswordLogger := forgotpassword.NewLogger(factory)
 	sender2 := forgotpassword.Sender{
 		AppConfg:    appConfig,
@@ -165367,11 +168339,17 @@ func newWebAppAuthflowV2SettingsIdentityViewUsernameHandler(p *deps.RequestProvi
 	appContext := appProvider.AppContext
 	config := appContext.Config
 	appConfig := config.AppConfig
+	request := p.Request
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	secretConfig := config.SecretConfig
 	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
 	appID := appConfig.ID
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	request := p.Request
 	contextContext := deps.ProvideRequestContext(request)
 	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
 	clockClock := _wireSystemClockValue
@@ -165388,9 +168366,6 @@ func newWebAppAuthflowV2SettingsIdentityViewUsernameHandler(p *deps.RequestProvi
 	rawQueries := &user.RawQueries{
 		Store: store,
 	}
-	rootProvider := appProvider.RootProvider
-	environmentConfig := rootProvider.EnvironmentConfig
-	trustProxy := environmentConfig.TrustProxy
 	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
 	userAgentString := deps.ProvideUserAgentString(request)
 	factory := appProvider.LoggerFactory
@@ -165478,9 +168453,6 @@ func newWebAppAuthflowV2SettingsIdentityViewUsernameHandler(p *deps.RequestProvi
 	engine := &template.Engine{
 		Resolver: resolver,
 	}
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
-	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
 	staticAssetResolver := &web.StaticAssetResolver{
@@ -166093,12 +169065,16 @@ func newWebAppAuthflowV2SettingsIdentityViewUsernameHandler(p *deps.RequestProvi
 		Redis:   appredisHandle,
 		AppID:   appID,
 	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
 	uiService := &authenticationinfo.UIService{
 		EndpointsProvider: endpointsEndpoints,
 	}
 	accountmanagementService := &accountmanagement.Service{
 		Database:                  handle,
 		Config:                    appConfig,
+		HTTPOrigin:                httpOrigin,
 		Users:                     userProvider,
 		Store:                     redisStore,
 		OAuthProvider:             oAuthProviderFactory,
@@ -166108,6 +169084,7 @@ func newWebAppAuthflowV2SettingsIdentityViewUsernameHandler(p *deps.RequestProvi
 		OTPCodeService:            otpService,
 		Authenticators:            authenticatorFacade,
 		AuthenticationInfoService: authenticationinfoStoreRedis,
+		MFA:                       mfaFacade,
 		PasskeyService:            passkeyService,
 		Verification:              verificationService,
 		UIInfoResolver:            uiService,
@@ -166142,9 +169119,6 @@ func newWebAppAuthflowV2SettingsIdentityViewUsernameHandler(p *deps.RequestProvi
 		Redis:   appredisHandle,
 		AppID:   appID,
 	}
-	mfaFacade := &facade.MFAFacade{
-		Coordinator: coordinator,
-	}
 	forgotpasswordLogger := forgotpassword.NewLogger(factory)
 	sender2 := forgotpassword.Sender{
 		AppConfg:    appConfig,
@@ -166331,11 +169305,17 @@ func newWebAppAuthflowV2SettingsIdentityEditUsernameHandler(p *deps.RequestProvi
 	appContext := appProvider.AppContext
 	config := appContext.Config
 	appConfig := config.AppConfig
+	request := p.Request
+	rootProvider := appProvider.RootProvider
+	environmentConfig := rootProvider.EnvironmentConfig
+	trustProxy := environmentConfig.TrustProxy
+	httpProto := deps.ProvideHTTPProto(request, trustProxy)
+	httpHost := deps.ProvideHTTPHost(request, trustProxy)
+	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	secretConfig := config.SecretConfig
 	databaseCredentials := deps.ProvideDatabaseCredentials(secretConfig)
 	appID := appConfig.ID
 	sqlBuilderApp := appdb.NewSQLBuilderApp(databaseCredentials, appID)
-	request := p.Request
 	contextContext := deps.ProvideRequestContext(request)
 	sqlExecutor := appdb.NewSQLExecutor(contextContext, handle)
 	clockClock := _wireSystemClockValue
@@ -166352,9 +169332,6 @@ func newWebAppAuthflowV2SettingsIdentityEditUsernameHandler(p *deps.RequestProvi
 	rawQueries := &user.RawQueries{
 		Store: store,
 	}
-	rootProvider := appProvider.RootProvider
-	environmentConfig := rootProvider.EnvironmentConfig
-	trustProxy := environmentConfig.TrustProxy
 	remoteIP := deps.ProvideRemoteIP(request, trustProxy)
 	userAgentString := deps.ProvideUserAgentString(request)
 	factory := appProvider.LoggerFactory
@@ -166442,9 +169419,6 @@ func newWebAppAuthflowV2SettingsIdentityEditUsernameHandler(p *deps.RequestProvi
 	engine := &template.Engine{
 		Resolver: resolver,
 	}
-	httpProto := deps.ProvideHTTPProto(request, trustProxy)
-	httpHost := deps.ProvideHTTPHost(request, trustProxy)
-	httpOrigin := httputil.MakeHTTPOrigin(httpProto, httpHost)
 	webAppCDNHost := environmentConfig.WebAppCDNHost
 	globalEmbeddedResourceManager := rootProvider.EmbeddedResources
 	staticAssetResolver := &web.StaticAssetResolver{
@@ -167057,12 +170031,16 @@ func newWebAppAuthflowV2SettingsIdentityEditUsernameHandler(p *deps.RequestProvi
 		Redis:   appredisHandle,
 		AppID:   appID,
 	}
+	mfaFacade := &facade.MFAFacade{
+		Coordinator: coordinator,
+	}
 	uiService := &authenticationinfo.UIService{
 		EndpointsProvider: endpointsEndpoints,
 	}
 	accountmanagementService := &accountmanagement.Service{
 		Database:                  handle,
 		Config:                    appConfig,
+		HTTPOrigin:                httpOrigin,
 		Users:                     userProvider,
 		Store:                     redisStore,
 		OAuthProvider:             oAuthProviderFactory,
@@ -167072,6 +170050,7 @@ func newWebAppAuthflowV2SettingsIdentityEditUsernameHandler(p *deps.RequestProvi
 		OTPCodeService:            otpService,
 		Authenticators:            authenticatorFacade,
 		AuthenticationInfoService: authenticationinfoStoreRedis,
+		MFA:                       mfaFacade,
 		PasskeyService:            passkeyService,
 		Verification:              verificationService,
 		UIInfoResolver:            uiService,
@@ -167106,9 +170085,6 @@ func newWebAppAuthflowV2SettingsIdentityEditUsernameHandler(p *deps.RequestProvi
 		Redis:   appredisHandle,
 		AppID:   appID,
 	}
-	mfaFacade := &facade.MFAFacade{
-		Coordinator: coordinator,
-	}
 	forgotpasswordLogger := forgotpassword.NewLogger(factory)
 	sender2 := forgotpassword.Sender{
 		AppConfg:    appConfig,
diff --git a/pkg/auth/wire_handler.go b/pkg/auth/wire_handler.go
index 62162b1688..368dccdc1a 100644
--- a/pkg/auth/wire_handler.go
+++ b/pkg/auth/wire_handler.go
@@ -478,6 +478,13 @@ func newWebAppAuthflowV2SettingsMFAHandler(p *deps.RequestProvider) http.Handler
 	))
 }
 
+func newWebAppAuthflowV2SettingsMFAViewRecoveryCodeHandler(p *deps.RequestProvider) http.Handler {
+	panic(wire.Build(
+		DependencySet,
+		wire.Bind(new(http.Handler), new(*handlerwebappauthflowv2.AuthflowV2SettingsMFAViewRecoveryCodeHandler)),
+	))
+}
+
 func newWebAppAuthflowV2SettingsMFACreatePasswordHandler(p *deps.RequestProvider) http.Handler {
 	panic(wire.Build(
 		DependencySet,
diff --git a/resources/authgear/templates/en/translation.json b/resources/authgear/templates/en/translation.json
index 945cb3155c..43f254e3a4 100644
--- a/resources/authgear/templates/en/translation.json
+++ b/resources/authgear/templates/en/translation.json
@@ -1187,6 +1187,8 @@
   "v2.page.settings-mfa-enter-totp.default.navbar-title": "Verification Code",
   "v2.page.settings-mfa-enter-totp.default.description": "Enter the 6-digit code you see in the authenticator device/app.",
   "v2.page.settings-mfa-enter-totp.default.rescan-button-label": "Rescan QR code",
+  "v2.page.settings-mfa-view-recovery-code.default.storage-description": "If you lost access to your authentication device, use these recovery codes to recover your account. \nKeep them somewhere safe but accessible.",
+  "v2.page.settings-mfa-view-recovery-code.default.title": "Recovery code",
   "v2.page.settings-mfa-password.default.additional-password-added-at": "Added at <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
   "v2.page.settings-mfa-password.default.additional-password-label": "Additional password",
   "v2.page.settings-mfa-password.default.additional-password-updated-at": "Updated at <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_mfa_view_recovery_code.html b/resources/authgear/templates/en/web/authflowv2/settings_mfa_view_recovery_code.html
new file mode 100644
index 0000000000..c86a8afddb
--- /dev/null
+++ b/resources/authgear/templates/en/web/authflowv2/settings_mfa_view_recovery_code.html
@@ -0,0 +1,81 @@
+{{ template "authflowv2/__settings_page_frame.html" . }}
+
+{{ define "page-navbar" }}
+  {{ template "authflowv2/__navbar.html"
+     (dict
+        "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
+        "BackHref" (call $.MakeURL "/settings/mfa/totp")
+        "Title" (translate "v2.page.settings-mfa-view-recovery-code.default.title" nil)
+     )
+  }}
+{{ end }}
+
+{{ define "page-content" }}
+
+<div class="settings-content flex flex-col gap-y-4 py-5 tablet:py-0">
+  <div class="screen-title-description">
+    <h2 class="screen-description">
+      {{ include "v2.page.settings-mfa-view-recovery-code.default.storage-description" nil }}
+    </h2>
+
+    {{ template "authflowv2/__alert_message.html"
+      (dict
+        "Type" "error"
+        "Classname" "mt-4"
+        "Message" (include "authflowv2/__error.html" .)
+      )
+    }}
+  </div>
+
+  <div class="my-6 code-block">
+    <p class="code-block__text">{{ range $.RecoveryCodes }}{{ . }}
+{{ end }}</p>
+
+    <code id="copy-button-source" class="hidden">{{ template "__recovery_code.html" . }}</code>
+    <div class="mt-5 w-full grid gap-4 {{ if not .IsNativePlatform }}grid-cols-2{{ else }}grid-cols-1{{ end }}">
+      {{ if not .IsNativePlatform }}
+      {{/* Form with disabled turbo drive */}}
+      <form
+        id="download-form"
+        method="post"
+        novalidate
+        target="_blank"
+        data-turbo="false"
+      >
+        {{ $.CSRFField }}
+        <button
+          form="download-form"
+          class="tertiary-btn w-full"
+          type="submit"
+          name="x_action"
+          value="download"
+        >
+          {{ include "v2.component.button.default.download" nil }}
+        </button>
+      </form>
+      {{ end }}
+      <button
+        class="tertiary-btn w-full"
+        type="button"
+        data-controller="copy-button"
+        data-copy-button-source-value="#copy-button-source"
+        data-action="copy-button#copy"
+      >
+        {{ include "v2.component.button.default.copy" nil }}
+      </button>
+    </div>
+  </div>
+
+  <form
+    method="post"
+    novalidate
+    data-controller="turbo-form"
+    data-action="submit->turbo-form#submitForm"
+  >
+    {{ $.CSRFField }}
+    <button class="btn primary-btn w-full" type="submit" name="x_action" value="proceed">
+    {{ include "v2.component.button.default.label-continue" nil }}
+    </button>
+  </form>
+</div>
+{{ end }}

From 858924ddfbac0f7f4379b792b96bc80736e26815 Mon Sep 17 00:00:00 2001
From: Newman Chow <newman@oursky.com>
Date: Wed, 2 Oct 2024 18:47:32 +0800
Subject: [PATCH 16/17] Generate translations

---
 resources/authgear/templates/de/translation.json          | 8 ++++++++
 resources/authgear/templates/el/translation.json          | 8 ++++++++
 resources/authgear/templates/en/translation.json          | 8 ++++----
 .../en/web/authflowv2/settings_mfa_create_totp.html       | 2 +-
 .../en/web/authflowv2/settings_mfa_enter_totp.html        | 2 +-
 resources/authgear/templates/es-419/translation.json      | 8 ++++++++
 resources/authgear/templates/es-ES/translation.json       | 8 ++++++++
 resources/authgear/templates/es/translation.json          | 8 ++++++++
 resources/authgear/templates/fil/translation.json         | 8 ++++++++
 resources/authgear/templates/fr/translation.json          | 8 ++++++++
 resources/authgear/templates/id/translation.json          | 8 ++++++++
 resources/authgear/templates/it/translation.json          | 8 ++++++++
 resources/authgear/templates/ja/translation.json          | 8 ++++++++
 resources/authgear/templates/ko/translation.json          | 8 ++++++++
 resources/authgear/templates/ms/translation.json          | 8 ++++++++
 resources/authgear/templates/nl/translation.json          | 8 ++++++++
 resources/authgear/templates/pl/translation.json          | 8 ++++++++
 resources/authgear/templates/pt-BR/translation.json       | 8 ++++++++
 resources/authgear/templates/pt-PT/translation.json       | 8 ++++++++
 resources/authgear/templates/pt/translation.json          | 8 ++++++++
 resources/authgear/templates/th/translation.json          | 8 ++++++++
 resources/authgear/templates/vi/translation.json          | 8 ++++++++
 resources/authgear/templates/zh-CN/translation.json       | 8 ++++++++
 resources/authgear/templates/zh-HK/translation.json       | 8 ++++++++
 resources/authgear/templates/zh-TW/translation.json       | 8 ++++++++
 25 files changed, 182 insertions(+), 6 deletions(-)

diff --git a/resources/authgear/templates/de/translation.json b/resources/authgear/templates/de/translation.json
index 7fa50c76ce..175e80508d 100644
--- a/resources/authgear/templates/de/translation.json
+++ b/resources/authgear/templates/de/translation.json
@@ -1181,6 +1181,12 @@
   "v2.page.settings-identity.default.verification-status-unverified-label": "Nicht verifiziert",
   "v2.page.settings-identity.default.verification-status-verified-label": "Verifiziert",
   "v2.page.settings-mfa-create-password.default.title": "Zusätzliches Passwort",
+  "v2.page.settings-mfa-create-totp.default.description": "Laden Sie zuerst die Google Authenticator App aus dem <a class=\"link-btn\" target=\"_blank\" href=\"https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2\">Google Play Store</a> oder dem <a class=\"link-btn\" target=\"_blank\" href=\"https://apps.apple.com/app/google-authenticator/id388497605\">Apple App Store</a> herunter.<br><br>Scannen Sie den QR-Code oder geben Sie den Schlüssel mit Ihrem Authenticator-Gerät / App ein.",
+  "v2.page.settings-mfa-create-totp.default.title": "Authenticator einrichten",
+  "v2.page.settings-mfa-create-totp.default.raw-secret": "{secret}",
+  "v2.page.settings-mfa-enter-totp.default.description": "Geben Sie den 6-stelligen Code ein, den Sie in der Authenticator-Gerät/App sehen.",
+  "v2.page.settings-mfa-enter-totp.default.title": "Verifizierungscode",
+  "v2.page.settings-mfa-enter-totp.default.rescan-button-label": "QR-Code erneut scannen",
   "v2.page.settings-mfa-password.default.additional-password-added-at": "Hinzugefügt um <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
   "v2.page.settings-mfa-password.default.additional-password-label": "Zusätzliches Passwort",
   "v2.page.settings-mfa-password.default.additional-password-updated-at": "Aktualisiert um <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
@@ -1188,6 +1194,8 @@
   "v2.page.settings-mfa-password.default.dialog-delete-title": "Zusätzliches Passwort entfernen",
   "v2.page.settings-mfa-password.default.remove-button-label": "Zusätzliches Passwort entfernen",
   "v2.page.settings-mfa-password.default.title": "Zusätzliches Passwort",
+  "v2.page.settings-mfa-view-recovery-code.default.storage-description": "Wenn Sie den Zugriff auf Ihr Authentifizierungsgerät verloren haben, verwenden Sie diese Wiederherstellungscodes, um Ihr Konto wiederherzustellen. \nBewahren Sie sie an einem sicheren, aber zugänglichen Ort auf.",
+  "v2.page.settings-mfa-view-recovery-code.default.title": "Wiederherstellungscode",
   "v2.page.settings-mfa.default.activated-label": "Aktiviert",
   "v2.page.settings-mfa.default.additional-password-label": "Zusätzliches Passwort",
   "v2.page.settings-mfa.default.dialog-revoke-device-description": "Sie haben {NumberOfDeviceTokens, plural, one{# vertrauenswürdiges Gerät} other{# vertrauenswürdige Geräte}}, die mit Ihrem Konto verknüpft sind. Möchten Sie alle vertrauenswürdigen Geräte entfernen?",
diff --git a/resources/authgear/templates/el/translation.json b/resources/authgear/templates/el/translation.json
index 2aed570eac..18dc7795ec 100644
--- a/resources/authgear/templates/el/translation.json
+++ b/resources/authgear/templates/el/translation.json
@@ -1181,6 +1181,12 @@
   "v2.page.settings-identity.default.verification-status-unverified-label": "Μη επαληθευμένο",
   "v2.page.settings-identity.default.verification-status-verified-label": "Επαληθευμένο",
   "v2.page.settings-mfa-create-password.default.title": "Πρόσθετος κωδικός πρόσβασης",
+  "v2.page.settings-mfa-create-totp.default.description": "Πρώτα, κατεβάστε την εφαρμογή Google Authenticator από το <a class=\"link-btn\" target=\"_blank\" href=\"https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2\">Google Play Store</a> ή το <a class=\"link-btn\" target=\"_blank\" href=\"https://apps.apple.com/app/google-authenticator/id388497605\">Apple App Store</a>.<br><br>Σαρώστε τον κωδικό QR ή εισάγετε το κλειδί με τη συσκευή/εφαρμογή ελέγχου ταυτότητας.",
+  "v2.page.settings-mfa-create-totp.default.title": "Ρύθμιση ελέγχου ταυτότητας",
+  "v2.page.settings-mfa-create-totp.default.raw-secret": "{secret}",
+  "v2.page.settings-mfa-enter-totp.default.description": "Εισάγετε τον 6ψήφιο κωδικό που βλέπετε στη συσκευή/εφαρμογή ελέγχου ταυτότητας.",
+  "v2.page.settings-mfa-enter-totp.default.title": "Κωδικός Επαλήθευσης",
+  "v2.page.settings-mfa-enter-totp.default.rescan-button-label": "Επανασάρωση κωδικού QR",
   "v2.page.settings-mfa-password.default.additional-password-added-at": "Προστέθηκε στις <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
   "v2.page.settings-mfa-password.default.additional-password-label": "Πρόσθετος κωδικός πρόσβασης",
   "v2.page.settings-mfa-password.default.additional-password-updated-at": "Ενημερώθηκε στις <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
@@ -1188,6 +1194,8 @@
   "v2.page.settings-mfa-password.default.dialog-delete-title": "Αφαίρεση πρόσθετου κωδικού πρόσβασης",
   "v2.page.settings-mfa-password.default.remove-button-label": "Αφαίρεση πρόσθετου κωδικού πρόσβασης",
   "v2.page.settings-mfa-password.default.title": "Πρόσθετος κωδικός πρόσβασης",
+  "v2.page.settings-mfa-view-recovery-code.default.storage-description": "Αν έχασες την πρόσβαση στη συσκευή ελέγχου ταυτότητας, χρησιμοποίησε αυτούς τους κωδικούς ανάκτησης για να ανακτήσεις τον λογαριασμό σου. \nΦύλαξέ τους σε ασφαλές αλλά προσβάσιμο μέρος.",
+  "v2.page.settings-mfa-view-recovery-code.default.title": "Κωδικός Ανάκτησης",
   "v2.page.settings-mfa.default.activated-label": "Ενεργοποιημένο",
   "v2.page.settings-mfa.default.additional-password-label": "Πρόσθετος κωδικός πρόσβασης",
   "v2.page.settings-mfa.default.dialog-revoke-device-description": "Έχετε {NumberOfDeviceTokens, plural, one{# έμπιστη συσκευή} other{# έμπιστες συσκευές}} συσκευές που σχετίζονται με τον λογαριασμό σας. Θέλετε να αφαιρέσετε όλες τις έμπιστες συσκευές;",
diff --git a/resources/authgear/templates/en/translation.json b/resources/authgear/templates/en/translation.json
index 43f254e3a4..70e3e121de 100644
--- a/resources/authgear/templates/en/translation.json
+++ b/resources/authgear/templates/en/translation.json
@@ -1181,14 +1181,12 @@
   "v2.page.settings-identity.default.verification-status-unverified-label": "Not Verified",
   "v2.page.settings-identity.default.verification-status-verified-label": "Verified",
   "v2.page.settings-mfa-create-password.default.title": "Additional password",
-  "v2.page.settings-mfa-create-totp.default.navbar-title": "Set up authenticator",
   "v2.page.settings-mfa-create-totp.default.description": "First, download Google Authenticator App from the <a class=\"link-btn\" target=\"_blank\" href=\"https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2\">Google Play Store</a> or <a class=\"link-btn\" target=\"_blank\" href=\"https://apps.apple.com/app/google-authenticator/id388497605\">Apple App Store</a>.<br><br>Scan the QR code or enter the key with your authenticator device / app.",
+  "v2.page.settings-mfa-create-totp.default.title": "Set up authenticator",
   "v2.page.settings-mfa-create-totp.default.raw-secret": "{secret}",
-  "v2.page.settings-mfa-enter-totp.default.navbar-title": "Verification Code",
   "v2.page.settings-mfa-enter-totp.default.description": "Enter the 6-digit code you see in the authenticator device/app.",
+  "v2.page.settings-mfa-enter-totp.default.title": "Verification Code",
   "v2.page.settings-mfa-enter-totp.default.rescan-button-label": "Rescan QR code",
-  "v2.page.settings-mfa-view-recovery-code.default.storage-description": "If you lost access to your authentication device, use these recovery codes to recover your account. \nKeep them somewhere safe but accessible.",
-  "v2.page.settings-mfa-view-recovery-code.default.title": "Recovery code",
   "v2.page.settings-mfa-password.default.additional-password-added-at": "Added at <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
   "v2.page.settings-mfa-password.default.additional-password-label": "Additional password",
   "v2.page.settings-mfa-password.default.additional-password-updated-at": "Updated at <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
@@ -1196,6 +1194,8 @@
   "v2.page.settings-mfa-password.default.dialog-delete-title": "Remove additional password",
   "v2.page.settings-mfa-password.default.remove-button-label": "Remove additional password",
   "v2.page.settings-mfa-password.default.title": "Additional password",
+  "v2.page.settings-mfa-view-recovery-code.default.storage-description": "If you lost access to your authentication device, use these recovery codes to recover your account. \nKeep them somewhere safe but accessible.",
+  "v2.page.settings-mfa-view-recovery-code.default.title": "Recovery code",
   "v2.page.settings-mfa.default.activated-label": "Activated",
   "v2.page.settings-mfa.default.additional-password-label": "Additional password",
   "v2.page.settings-mfa.default.dialog-revoke-device-description": "You have {NumberOfDeviceTokens, plural, one{# trusted device} other{# trusted devices}} trusted devices associated with your account. Do you want to remove all trusted devices?",
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_mfa_create_totp.html b/resources/authgear/templates/en/web/authflowv2/settings_mfa_create_totp.html
index 516c7c15cc..ee5bfada0c 100644
--- a/resources/authgear/templates/en/web/authflowv2/settings_mfa_create_totp.html
+++ b/resources/authgear/templates/en/web/authflowv2/settings_mfa_create_totp.html
@@ -5,7 +5,7 @@
      (dict
         "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
         "BackHref" (call $.MakeURL "/settings/mfa/totp")
-        "Title" (translate "v2.page.settings-mfa-create-totp.default.navbar-title" nil)
+        "Title" (translate "v2.page.settings-mfa-create-totp.default.title" nil)
      )
   }}
 {{ end }}
diff --git a/resources/authgear/templates/en/web/authflowv2/settings_mfa_enter_totp.html b/resources/authgear/templates/en/web/authflowv2/settings_mfa_enter_totp.html
index af349e4f19..4dd1b11c74 100644
--- a/resources/authgear/templates/en/web/authflowv2/settings_mfa_enter_totp.html
+++ b/resources/authgear/templates/en/web/authflowv2/settings_mfa_enter_totp.html
@@ -5,7 +5,7 @@
      (dict
         "BackTitle" (translate "v2.component.navbar.default.item-back-button-label" nil)
         "BackHref" (call $.MakeURL "/settings/mfa")
-        "Title" (translate "v2.page.settings-mfa-enter-totp.default.navbar-title" nil)
+        "Title" (translate "v2.page.settings-mfa-enter-totp.default.title" nil)
      )
   }}
 {{ end }}
diff --git a/resources/authgear/templates/es-419/translation.json b/resources/authgear/templates/es-419/translation.json
index 90109d9d5b..fe2710500d 100644
--- a/resources/authgear/templates/es-419/translation.json
+++ b/resources/authgear/templates/es-419/translation.json
@@ -1181,6 +1181,12 @@
   "v2.page.settings-identity.default.verification-status-unverified-label": "No verificado",
   "v2.page.settings-identity.default.verification-status-verified-label": "Verificado",
   "v2.page.settings-mfa-create-password.default.title": "Contraseña adicional",
+  "v2.page.settings-mfa-create-totp.default.description": "Primero, descargue la aplicación Google Authenticator desde la <a class=\"link-btn\" target=\"_blank\" href=\"https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2\">Google Play Store</a> o <a class=\"link-btn\" target=\"_blank\" href=\"https://apps.apple.com/app/google-authenticator/id388497605\">Apple App Store</a>.<br><br>Escanee el código QR o ingrese la clave con su dispositivo/aplicación de autenticación.",
+  "v2.page.settings-mfa-create-totp.default.title": "Configurar autenticador",
+  "v2.page.settings-mfa-create-totp.default.raw-secret": "{secret}",
+  "v2.page.settings-mfa-enter-totp.default.description": "Ingrese el código de 6 dígitos que ve en el dispositivo/aplicación de autenticación.",
+  "v2.page.settings-mfa-enter-totp.default.title": "Código de verificación",
+  "v2.page.settings-mfa-enter-totp.default.rescan-button-label": "Volver a escanear código QR",
   "v2.page.settings-mfa-password.default.additional-password-added-at": "Agregada a las <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
   "v2.page.settings-mfa-password.default.additional-password-label": "Contraseña adicional",
   "v2.page.settings-mfa-password.default.additional-password-updated-at": "Actualizada a las <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
@@ -1188,6 +1194,8 @@
   "v2.page.settings-mfa-password.default.dialog-delete-title": "Eliminar contraseña adicional",
   "v2.page.settings-mfa-password.default.remove-button-label": "Eliminar contraseña adicional",
   "v2.page.settings-mfa-password.default.title": "Contraseña adicional",
+  "v2.page.settings-mfa-view-recovery-code.default.storage-description": "Si perdió acceso a su dispositivo de autenticación, use estos códigos de recuperación para recuperar su cuenta. \nGuárdelos en un lugar seguro pero accesible.",
+  "v2.page.settings-mfa-view-recovery-code.default.title": "Código de recuperación",
   "v2.page.settings-mfa.default.activated-label": "Activada",
   "v2.page.settings-mfa.default.additional-password-label": "Contraseña adicional",
   "v2.page.settings-mfa.default.dialog-revoke-device-description": "Tienes {NumberOfDeviceTokens, plural, one{# dispositivo de confianza} other{# dispositivos de confianza}} asociados con tu cuenta. ¿Deseas eliminar todos los dispositivos de confianza?",
diff --git a/resources/authgear/templates/es-ES/translation.json b/resources/authgear/templates/es-ES/translation.json
index b35740c5f4..677332a493 100644
--- a/resources/authgear/templates/es-ES/translation.json
+++ b/resources/authgear/templates/es-ES/translation.json
@@ -1181,6 +1181,12 @@
   "v2.page.settings-identity.default.verification-status-unverified-label": "No verificado",
   "v2.page.settings-identity.default.verification-status-verified-label": "Verificado",
   "v2.page.settings-mfa-create-password.default.title": "Contraseña adicional",
+  "v2.page.settings-mfa-create-totp.default.description": "Primero, descargue la aplicación Google Authenticator desde la <a class=\"link-btn\" target=\"_blank\" href=\"https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2\">Google Play Store</a> o la <a class=\"link-btn\" target=\"_blank\" href=\"https://apps.apple.com/app/google-authenticator/id388497605\">Apple App Store</a>.<br><br>Escanee el código QR o ingrese la clave con su dispositivo/aplicación de autenticación.",
+  "v2.page.settings-mfa-create-totp.default.title": "Configurar autenticador",
+  "v2.page.settings-mfa-create-totp.default.raw-secret": "{secret}",
+  "v2.page.settings-mfa-enter-totp.default.description": "Ingrese el código de 6 dígitos que ve en el dispositivo/aplicación de autenticación.",
+  "v2.page.settings-mfa-enter-totp.default.title": "Código de verificación",
+  "v2.page.settings-mfa-enter-totp.default.rescan-button-label": "Volver a escanear el código QR",
   "v2.page.settings-mfa-password.default.additional-password-added-at": "Añadida a las <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
   "v2.page.settings-mfa-password.default.additional-password-label": "Contraseña adicional",
   "v2.page.settings-mfa-password.default.additional-password-updated-at": "Actualizada a las <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
@@ -1188,6 +1194,8 @@
   "v2.page.settings-mfa-password.default.dialog-delete-title": "Eliminar contraseña adicional",
   "v2.page.settings-mfa-password.default.remove-button-label": "Eliminar contraseña adicional",
   "v2.page.settings-mfa-password.default.title": "Contraseña adicional",
+  "v2.page.settings-mfa-view-recovery-code.default.storage-description": "Si perdió el acceso a su dispositivo de autenticación, use estos códigos de recuperación para recuperar su cuenta. \nGuárdelos en un lugar seguro pero accesible.",
+  "v2.page.settings-mfa-view-recovery-code.default.title": "Código de recuperación",
   "v2.page.settings-mfa.default.activated-label": "Activada",
   "v2.page.settings-mfa.default.additional-password-label": "Contraseña adicional",
   "v2.page.settings-mfa.default.dialog-revoke-device-description": "Tienes {NumberOfDeviceTokens, plural, one{# dispositivo de confianza} other{# dispositivos de confianza}} asociados a tu cuenta. ¿Quieres eliminar todos los dispositivos de confianza?",
diff --git a/resources/authgear/templates/es/translation.json b/resources/authgear/templates/es/translation.json
index 6c4de3727b..487826d0f6 100644
--- a/resources/authgear/templates/es/translation.json
+++ b/resources/authgear/templates/es/translation.json
@@ -1181,6 +1181,12 @@
   "v2.page.settings-identity.default.verification-status-unverified-label": "No verificado",
   "v2.page.settings-identity.default.verification-status-verified-label": "Verificado",
   "v2.page.settings-mfa-create-password.default.title": "Contraseña adicional",
+  "v2.page.settings-mfa-create-totp.default.description": "Primero, descargue la aplicación Google Authenticator desde la <a class=\"link-btn\" target=\"_blank\" href=\"https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2\">Google Play Store</a> o <a class=\"link-btn\" target=\"_blank\" href=\"https://apps.apple.com/app/google-authenticator/id388497605\">Apple App Store</a>.<br><br>Escanee el código QR o ingrese la clave con su dispositivo/aplicación de autenticación.",
+  "v2.page.settings-mfa-create-totp.default.title": "Configurar autenticador",
+  "v2.page.settings-mfa-create-totp.default.raw-secret": "{secret}",
+  "v2.page.settings-mfa-enter-totp.default.description": "Ingrese el código de 6 dígitos que ve en el dispositivo/aplicación de autenticación.",
+  "v2.page.settings-mfa-enter-totp.default.title": "Código de verificación",
+  "v2.page.settings-mfa-enter-totp.default.rescan-button-label": "Volver a escanear código QR",
   "v2.page.settings-mfa-password.default.additional-password-added-at": "Añadido a las <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
   "v2.page.settings-mfa-password.default.additional-password-label": "Contraseña adicional",
   "v2.page.settings-mfa-password.default.additional-password-updated-at": "Actualizado a las <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
@@ -1188,6 +1194,8 @@
   "v2.page.settings-mfa-password.default.dialog-delete-title": "Eliminar contraseña adicional",
   "v2.page.settings-mfa-password.default.remove-button-label": "Eliminar contraseña adicional",
   "v2.page.settings-mfa-password.default.title": "Contraseña adicional",
+  "v2.page.settings-mfa-view-recovery-code.default.storage-description": "Si perdió acceso a su dispositivo de autenticación, use estos códigos de recuperación para recuperar su cuenta. \nGuárdelos en un lugar seguro pero accesible.",
+  "v2.page.settings-mfa-view-recovery-code.default.title": "Código de recuperación",
   "v2.page.settings-mfa.default.activated-label": "Activado",
   "v2.page.settings-mfa.default.additional-password-label": "Contraseña adicional",
   "v2.page.settings-mfa.default.dialog-revoke-device-description": "Tienes {NumberOfDeviceTokens, plural, one{# dispositivo de confianza} other{# dispositivos de confianza}} asociados con tu cuenta. ¿Quieres eliminar todos los dispositivos de confianza?",
diff --git a/resources/authgear/templates/fil/translation.json b/resources/authgear/templates/fil/translation.json
index c0326bb6f6..1233cd9ede 100644
--- a/resources/authgear/templates/fil/translation.json
+++ b/resources/authgear/templates/fil/translation.json
@@ -1181,6 +1181,12 @@
   "v2.page.settings-identity.default.verification-status-unverified-label": "Hindi Napatunayan",
   "v2.page.settings-identity.default.verification-status-verified-label": "Napatunayan",
   "v2.page.settings-mfa-create-password.default.title": "Karagdagang password",
+  "v2.page.settings-mfa-create-totp.default.description": "Una, i-download ang Google Authenticator App mula sa <a class=\"link-btn\" target=\"_blank\" href=\"https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2\">Google Play Store</a> o <a class=\"link-btn\" target=\"_blank\" href=\"https://apps.apple.com/app/google-authenticator/id388497605\">Apple App Store</a>.<br><br>I-scan ang QR code o ipasok ang key gamit ang iyong authenticator device / app.",
+  "v2.page.settings-mfa-create-totp.default.title": "Mag-set up ng authenticator",
+  "v2.page.settings-mfa-create-totp.default.raw-secret": "{secret}",
+  "v2.page.settings-mfa-enter-totp.default.description": "Ipasok ang 6-digit na code na nakikita mo sa authenticator device/app.",
+  "v2.page.settings-mfa-enter-totp.default.title": "Code para sa Pag-verify",
+  "v2.page.settings-mfa-enter-totp.default.rescan-button-label": "I-scan muli ang QR code",
   "v2.page.settings-mfa-password.default.additional-password-added-at": "Naidagdag sa <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
   "v2.page.settings-mfa-password.default.additional-password-label": "Karagdagang password",
   "v2.page.settings-mfa-password.default.additional-password-updated-at": "Na-update sa <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
@@ -1188,6 +1194,8 @@
   "v2.page.settings-mfa-password.default.dialog-delete-title": "Alisin ang karagdagang password",
   "v2.page.settings-mfa-password.default.remove-button-label": "Alisin ang karagdagang password",
   "v2.page.settings-mfa-password.default.title": "Karagdagang password",
+  "v2.page.settings-mfa-view-recovery-code.default.storage-description": "Kung nawalan ka ng access sa iyong authentication device, gamitin ang mga recovery code na ito para ma-recover ang iyong account. \nItagong ligtas ngunit naa-access ang mga ito.",
+  "v2.page.settings-mfa-view-recovery-code.default.title": "Recovery code",
   "v2.page.settings-mfa.default.activated-label": "Naka-activate",
   "v2.page.settings-mfa.default.additional-password-label": "Karagdagang password",
   "v2.page.settings-mfa.default.dialog-revoke-device-description": "Mayroon kang {NumberOfDeviceTokens, plural, one{# pinagkakatiwalaang device} other{# pinagkakatiwalaang mga device}} na pinagkakatiwalaang mga device na naka-associate sa iyong account. Gusto mo bang alisin lahat ng pinagkakatiwalaang mga device?",
diff --git a/resources/authgear/templates/fr/translation.json b/resources/authgear/templates/fr/translation.json
index da01524fd0..22e00f4e1b 100644
--- a/resources/authgear/templates/fr/translation.json
+++ b/resources/authgear/templates/fr/translation.json
@@ -1181,6 +1181,12 @@
   "v2.page.settings-identity.default.verification-status-unverified-label": "Non vérifié",
   "v2.page.settings-identity.default.verification-status-verified-label": "Vérifié",
   "v2.page.settings-mfa-create-password.default.title": "Mot de passe supplémentaire",
+  "v2.page.settings-mfa-create-totp.default.description": "Tout d''abord, téléchargez l''application Google Authenticator depuis le <a class=\"link-btn\" target=\"_blank\" href=\"https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2\">Google Play Store</a> ou <a class=\"link-btn\" target=\"_blank\" href=\"https://apps.apple.com/app/google-authenticator/id388497605\">Apple App Store</a>.<br><br>Scannez le code QR ou entrez la clé avec votre appareil/application d''authentification.",
+  "v2.page.settings-mfa-create-totp.default.title": "Configurer l''authentificateur",
+  "v2.page.settings-mfa-create-totp.default.raw-secret": "{secret}",
+  "v2.page.settings-mfa-enter-totp.default.description": "Entrez le code à 6 chiffres que vous voyez dans l''appareil/application d''authentification.",
+  "v2.page.settings-mfa-enter-totp.default.title": "Code de vérification",
+  "v2.page.settings-mfa-enter-totp.default.rescan-button-label": "Rescanner le code QR",
   "v2.page.settings-mfa-password.default.additional-password-added-at": "Ajouté à <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
   "v2.page.settings-mfa-password.default.additional-password-label": "Mot de passe supplémentaire",
   "v2.page.settings-mfa-password.default.additional-password-updated-at": "Mis à jour à <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
@@ -1188,6 +1194,8 @@
   "v2.page.settings-mfa-password.default.dialog-delete-title": "Supprimer le mot de passe supplémentaire",
   "v2.page.settings-mfa-password.default.remove-button-label": "Supprimer le mot de passe supplémentaire",
   "v2.page.settings-mfa-password.default.title": "Mot de passe supplémentaire",
+  "v2.page.settings-mfa-view-recovery-code.default.storage-description": "Si vous avez perdu l''accès à votre appareil d''authentification, utilisez ces codes de récupération pour récupérer votre compte. \nConservez-les dans un endroit sûr mais accessible.",
+  "v2.page.settings-mfa-view-recovery-code.default.title": "Code de récupération",
   "v2.page.settings-mfa.default.activated-label": "Activé",
   "v2.page.settings-mfa.default.additional-password-label": "Mot de passe supplémentaire",
   "v2.page.settings-mfa.default.dialog-revoke-device-description": "Vous avez {NumberOfDeviceTokens, plural, one{# appareil de confiance} other{# appareils de confiance}} associés à votre compte. Voulez-vous supprimer tous les appareils de confiance ?",
diff --git a/resources/authgear/templates/id/translation.json b/resources/authgear/templates/id/translation.json
index dc41f02760..5ffb0fd520 100644
--- a/resources/authgear/templates/id/translation.json
+++ b/resources/authgear/templates/id/translation.json
@@ -1181,6 +1181,12 @@
   "v2.page.settings-identity.default.verification-status-unverified-label": "Tidak Diverifikasi",
   "v2.page.settings-identity.default.verification-status-verified-label": "Diverifikasi",
   "v2.page.settings-mfa-create-password.default.title": "Kata sandi tambahan",
+  "v2.page.settings-mfa-create-totp.default.description": "Pertama, unduh Aplikasi Google Authenticator dari <a class=\"link-btn\" target=\"_blank\" href=\"https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2\">Google Play Store</a> atau <a class=\"link-btn\" target=\"_blank\" href=\"https://apps.apple.com/app/google-authenticator/id388497605\">Apple App Store</a>.<br><br>Pindai kode QR atau masukkan kunci dengan perangkat/aplikasi pengautentikasi Anda.",
+  "v2.page.settings-mfa-create-totp.default.title": "Mengatur pengautentikasi",
+  "v2.page.settings-mfa-create-totp.default.raw-secret": "{secret}",
+  "v2.page.settings-mfa-enter-totp.default.description": "Masukkan kode 6 digit yang Anda lihat di perangkat/aplikasi pengautentikasi.",
+  "v2.page.settings-mfa-enter-totp.default.title": "Kode Verifikasi",
+  "v2.page.settings-mfa-enter-totp.default.rescan-button-label": "Pindai Ulang Kode QR",
   "v2.page.settings-mfa-password.default.additional-password-added-at": "Ditambahkan pada <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
   "v2.page.settings-mfa-password.default.additional-password-label": "Kata sandi tambahan",
   "v2.page.settings-mfa-password.default.additional-password-updated-at": "Diperbarui pada <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
@@ -1188,6 +1194,8 @@
   "v2.page.settings-mfa-password.default.dialog-delete-title": "Hapus kata sandi tambahan",
   "v2.page.settings-mfa-password.default.remove-button-label": "Hapus kata sandi tambahan",
   "v2.page.settings-mfa-password.default.title": "Kata sandi tambahan",
+  "v2.page.settings-mfa-view-recovery-code.default.storage-description": "Jika Anda kehilangan akses ke perangkat autentikasi Anda, gunakan kode pemulihan ini untuk memulihkan akun Anda. \nSimpan di tempat yang aman tetapi dapat diakses.",
+  "v2.page.settings-mfa-view-recovery-code.default.title": "Kode Pemulihan",
   "v2.page.settings-mfa.default.activated-label": "Diaktifkan",
   "v2.page.settings-mfa.default.additional-password-label": "Kata sandi tambahan",
   "v2.page.settings-mfa.default.dialog-revoke-device-description": "Anda memiliki {NumberOfDeviceTokens, plural, one{# perangkat terpercaya} other{# perangkat terpercaya}} yang terkait dengan akun Anda. Apakah Anda ingin menghapus semua perangkat terpercaya?",
diff --git a/resources/authgear/templates/it/translation.json b/resources/authgear/templates/it/translation.json
index 72d13a21c2..ef4eabfe8b 100644
--- a/resources/authgear/templates/it/translation.json
+++ b/resources/authgear/templates/it/translation.json
@@ -1181,6 +1181,12 @@
   "v2.page.settings-identity.default.verification-status-unverified-label": "Non verificato",
   "v2.page.settings-identity.default.verification-status-verified-label": "Verificato",
   "v2.page.settings-mfa-create-password.default.title": "Password aggiuntiva",
+  "v2.page.settings-mfa-create-totp.default.description": "Per prima cosa, scarica l'app Google Authenticator dal <a class=\"link-btn\" target=\"_blank\" href=\"https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2\">Google Play Store</a> o dall'<a class=\"link-btn\" target=\"_blank\" href=\"https://apps.apple.com/app/google-authenticator/id388497605\">Apple App Store</a>.<br><br>Scansiona il codice QR o inserisci la chiave con il tuo dispositivo/app di autenticazione.",
+  "v2.page.settings-mfa-create-totp.default.title": "Imposta l''autenticatore",
+  "v2.page.settings-mfa-create-totp.default.raw-secret": "{secret}",
+  "v2.page.settings-mfa-enter-totp.default.description": "Inserisci il codice a 6 cifre che vedi nel dispositivo/app di autenticazione.",
+  "v2.page.settings-mfa-enter-totp.default.title": "Codice di verifica",
+  "v2.page.settings-mfa-enter-totp.default.rescan-button-label": "Riscansiona il codice QR",
   "v2.page.settings-mfa-password.default.additional-password-added-at": "Aggiunta alle <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
   "v2.page.settings-mfa-password.default.additional-password-label": "Password aggiuntiva",
   "v2.page.settings-mfa-password.default.additional-password-updated-at": "Aggiornata alle <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
@@ -1188,6 +1194,8 @@
   "v2.page.settings-mfa-password.default.dialog-delete-title": "Rimuovi password aggiuntiva",
   "v2.page.settings-mfa-password.default.remove-button-label": "Rimuovi password aggiuntiva",
   "v2.page.settings-mfa-password.default.title": "Password aggiuntiva",
+  "v2.page.settings-mfa-view-recovery-code.default.storage-description": "Se hai perso l''accesso al tuo dispositivo di autenticazione, usa questi codici di recupero per recuperare il tuo account. \nConservali in un luogo sicuro ma accessibile.",
+  "v2.page.settings-mfa-view-recovery-code.default.title": "Codice di recupero",
   "v2.page.settings-mfa.default.activated-label": "Attivata",
   "v2.page.settings-mfa.default.additional-password-label": "Password aggiuntiva",
   "v2.page.settings-mfa.default.dialog-revoke-device-description": "Hai {NumberOfDeviceTokens, plural, one{# dispositivo attendibile} other{# dispositivi attendibili}} associati al tuo account. Vuoi rimuovere tutti i dispositivi attendibili?",
diff --git a/resources/authgear/templates/ja/translation.json b/resources/authgear/templates/ja/translation.json
index 31ba3978f1..9edb89ca26 100644
--- a/resources/authgear/templates/ja/translation.json
+++ b/resources/authgear/templates/ja/translation.json
@@ -1181,6 +1181,12 @@
   "v2.page.settings-identity.default.verification-status-unverified-label": "未検証",
   "v2.page.settings-identity.default.verification-status-verified-label": "検証済み",
   "v2.page.settings-mfa-create-password.default.title": "追加のパスワード",
+  "v2.page.settings-mfa-create-totp.default.description": "最初に、<a class=\"link-btn\" target=\"_blank\" href=\"https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2\">Google Play ストア</a>または<a class=\"link-btn\" target=\"_blank\" href=\"https://apps.apple.com/app/google-authenticator/id388497605\">Apple App Store</a>からGoogle Authenticator Appをダウンロードしてください。<br><br>QRコードをスキャンするか、認証デバイス/アプリにキーを入力してください。",
+  "v2.page.settings-mfa-create-totp.default.title": "認証アプリの設定",
+  "v2.page.settings-mfa-create-totp.default.raw-secret": "{secret}",
+  "v2.page.settings-mfa-enter-totp.default.description": "認証デバイス/アプリに表示されている6桁のコードを入力してください。",
+  "v2.page.settings-mfa-enter-totp.default.title": "確認コード",
+  "v2.page.settings-mfa-enter-totp.default.rescan-button-label": "QRコードを再スキャン",
   "v2.page.settings-mfa-password.default.additional-password-added-at": "追加日時: <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
   "v2.page.settings-mfa-password.default.additional-password-label": "追加のパスワード",
   "v2.page.settings-mfa-password.default.additional-password-updated-at": "更新日時: <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
@@ -1188,6 +1194,8 @@
   "v2.page.settings-mfa-password.default.dialog-delete-title": "追加のパスワードを削除",
   "v2.page.settings-mfa-password.default.remove-button-label": "追加のパスワードを削除する",
   "v2.page.settings-mfa-password.default.title": "追加のパスワード",
+  "v2.page.settings-mfa-view-recovery-code.default.storage-description": "認証デバイスにアクセスできなくなった場合は、これらの復旧コードを使ってアカウントを復旧できます。\n安全で利用可能な場所に保管してください。",
+  "v2.page.settings-mfa-view-recovery-code.default.title": "復旧コード",
   "v2.page.settings-mfa.default.activated-label": "有効化済み",
   "v2.page.settings-mfa.default.additional-password-label": "追加のパスワード",
   "v2.page.settings-mfa.default.dialog-revoke-device-description": "あなたのアカウントには{NumberOfDeviceTokens, plural, one{#つの信頼されたデバイス} other{#つの信頼されたデバイス}}が関連付けられています。すべての信頼されたデバイスを削除しますか?",
diff --git a/resources/authgear/templates/ko/translation.json b/resources/authgear/templates/ko/translation.json
index d1ee9f3d6a..b44bdf3845 100644
--- a/resources/authgear/templates/ko/translation.json
+++ b/resources/authgear/templates/ko/translation.json
@@ -1181,6 +1181,12 @@
   "v2.page.settings-identity.default.verification-status-unverified-label": "인증되지 않음",
   "v2.page.settings-identity.default.verification-status-verified-label": "인증됨",
   "v2.page.settings-mfa-create-password.default.title": "추가 비밀번호",
+  "v2.page.settings-mfa-create-totp.default.description": "첫째, <a class=\"link-btn\" target=\"_blank\" href=\"https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2\">Google Play 스토어</a> 또는 <a class=\"link-btn\" target=\"_blank\" href=\"https://apps.apple.com/app/google-authenticator/id388497605\">Apple 앱스토어</a>에서 Google Authenticator 앱을 다운로드하세요.<br><br>QR 코드를 스캔하거나 인증기기/앱에 키를 입력하세요.",
+  "v2.page.settings-mfa-create-totp.default.title": "인증기기 설정",
+  "v2.page.settings-mfa-create-totp.default.raw-secret": "{secret}",
+  "v2.page.settings-mfa-enter-totp.default.description": "인증기기/앱에 표시된 6자리 코드를 입력하세요.",
+  "v2.page.settings-mfa-enter-totp.default.title": "인증 코드",
+  "v2.page.settings-mfa-enter-totp.default.rescan-button-label": "QR 코드 다시 스캔",
   "v2.page.settings-mfa-password.default.additional-password-added-at": "<span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>에 추가됨",
   "v2.page.settings-mfa-password.default.additional-password-label": "추가 비밀번호",
   "v2.page.settings-mfa-password.default.additional-password-updated-at": "<span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>에 업데이트됨",
@@ -1188,6 +1194,8 @@
   "v2.page.settings-mfa-password.default.dialog-delete-title": "추가 비밀번호 제거",
   "v2.page.settings-mfa-password.default.remove-button-label": "추가 비밀번호 제거",
   "v2.page.settings-mfa-password.default.title": "추가 비밀번호",
+  "v2.page.settings-mfa-view-recovery-code.default.storage-description": "인증기기에 접근할 수 없는 경우, 이 복구 코드를 사용하여 계정을 복구할 수 있습니다.\n안전하고 접근 가능한 곳에 보관하세요.",
+  "v2.page.settings-mfa-view-recovery-code.default.title": "복구 코드",
   "v2.page.settings-mfa.default.activated-label": "활성화됨",
   "v2.page.settings-mfa.default.additional-password-label": "추가 비밀번호",
   "v2.page.settings-mfa.default.dialog-revoke-device-description": "귀하의 계정에 {NumberOfDeviceTokens, plural, one{# 신뢰할 수 있는 기기} other{# 신뢰할 수 있는 기기들}}이 연결되어 있습니다. 모든 신뢰할 수 있는 기기를 제거하시겠습니까?",
diff --git a/resources/authgear/templates/ms/translation.json b/resources/authgear/templates/ms/translation.json
index 8c32d0adce..44d721f1a5 100644
--- a/resources/authgear/templates/ms/translation.json
+++ b/resources/authgear/templates/ms/translation.json
@@ -1181,6 +1181,12 @@
   "v2.page.settings-identity.default.verification-status-unverified-label": "Tidak Disahkan",
   "v2.page.settings-identity.default.verification-status-verified-label": "Disahkan",
   "v2.page.settings-mfa-create-password.default.title": "Kata laluan tambahan",
+  "v2.page.settings-mfa-create-totp.default.description": "Pertama, muat turun Aplikasi Google Authenticator dari <a class=\"link-btn\" target=\"_blank\" href=\"https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2\">Google Play Store</a> atau <a class=\"link-btn\" target=\"_blank\" href=\"https://apps.apple.com/app/google-authenticator/id388497605\">Apple App Store</a>.<br><br>Imbas kod QR atau masukkan kunci dengan peranti / aplikasi penguat sah anda.",
+  "v2.page.settings-mfa-create-totp.default.title": "Sediakan pengaut sah",
+  "v2.page.settings-mfa-create-totp.default.raw-secret": "{secret}",
+  "v2.page.settings-mfa-enter-totp.default.description": "Masukkan kod 6 digit yang anda lihat dalam peranti/aplikasi pengaut sah.",
+  "v2.page.settings-mfa-enter-totp.default.title": "Kod Pengesahan",
+  "v2.page.settings-mfa-enter-totp.default.rescan-button-label": "Imbas semula kod QR",
   "v2.page.settings-mfa-password.default.additional-password-added-at": "Ditambah pada <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
   "v2.page.settings-mfa-password.default.additional-password-label": "Kata laluan tambahan",
   "v2.page.settings-mfa-password.default.additional-password-updated-at": "Dikemaskini pada <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
@@ -1188,6 +1194,8 @@
   "v2.page.settings-mfa-password.default.dialog-delete-title": "Alih keluar kata laluan tambahan",
   "v2.page.settings-mfa-password.default.remove-button-label": "Buang kata laluan tambahan",
   "v2.page.settings-mfa-password.default.title": "Kata laluan tambahan",
+  "v2.page.settings-mfa-view-recovery-code.default.storage-description": "Jika anda kehilangan akses kepada peranti pengesahan anda, gunakan kod pemulihan ini untuk memulihkan akaun anda. \nSimpan di tempat yang selamat tetapi boleh diakses.",
+  "v2.page.settings-mfa-view-recovery-code.default.title": "Kod Pemulihan",
   "v2.page.settings-mfa.default.activated-label": "Diaktifkan",
   "v2.page.settings-mfa.default.additional-password-label": "Kata laluan tambahan",
   "v2.page.settings-mfa.default.dialog-revoke-device-description": "Anda mempunyai {NumberOfDeviceTokens, plural, one{# peranti dipercayai} other{# peranti dipercayai}} peranti dipercayai yang dikaitkan dengan akaun anda. Adakah anda ingin mengalih keluar semua peranti dipercayai?",
diff --git a/resources/authgear/templates/nl/translation.json b/resources/authgear/templates/nl/translation.json
index 5f45e8cfbf..8ff19c684f 100644
--- a/resources/authgear/templates/nl/translation.json
+++ b/resources/authgear/templates/nl/translation.json
@@ -1181,6 +1181,12 @@
   "v2.page.settings-identity.default.verification-status-unverified-label": "Niet geverifieerd",
   "v2.page.settings-identity.default.verification-status-verified-label": "Geverifieerd",
   "v2.page.settings-mfa-create-password.default.title": "Aanvullend wachtwoord",
+  "v2.page.settings-mfa-create-totp.default.description": "Download eerst de Google Authenticator App van de <a class=\"link-btn\" target=\"_blank\" href=\"https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2\">Google Play Store</a> of <a class=\"link-btn\" target=\"_blank\" href=\"https://apps.apple.com/app/google-authenticator/id388497605\">Apple App Store</a>.<br><br>Scan de QR-code of voer de sleutel in met uw authenticator-apparaat / app.",
+  "v2.page.settings-mfa-create-totp.default.title": "Authenticator instellen",
+  "v2.page.settings-mfa-create-totp.default.raw-secret": "{secret}",
+  "v2.page.settings-mfa-enter-totp.default.description": "Voer de 6-cijferige code in die u ziet in de authenticator-app.",
+  "v2.page.settings-mfa-enter-totp.default.title": "Verificatiecode",
+  "v2.page.settings-mfa-enter-totp.default.rescan-button-label": "QR-code opnieuw scannen",
   "v2.page.settings-mfa-password.default.additional-password-added-at": "Toegevoegd op <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
   "v2.page.settings-mfa-password.default.additional-password-label": "Aanvullend wachtwoord",
   "v2.page.settings-mfa-password.default.additional-password-updated-at": "Bijgewerkt op <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
@@ -1188,6 +1194,8 @@
   "v2.page.settings-mfa-password.default.dialog-delete-title": "Verwijder extra wachtwoord",
   "v2.page.settings-mfa-password.default.remove-button-label": "Verwijder aanvullend wachtwoord",
   "v2.page.settings-mfa-password.default.title": "Aanvullend wachtwoord",
+  "v2.page.settings-mfa-view-recovery-code.default.storage-description": "Als u geen toegang meer hebt tot uw authenticatie-apparaat, gebruik dan deze herstelcodes om uw account te herstellen. \nBewaar ze op een veilige maar toegankelijke plek.",
+  "v2.page.settings-mfa-view-recovery-code.default.title": "Herstelcode",
   "v2.page.settings-mfa.default.activated-label": "Geactiveerd",
   "v2.page.settings-mfa.default.additional-password-label": "Aanvullend wachtwoord",
   "v2.page.settings-mfa.default.dialog-revoke-device-description": "U heeft {NumberOfDeviceTokens, plural, one{# vertrouwd apparaat} other{# vertrouwde apparaten}} die zijn gekoppeld aan uw account. Wilt u alle vertrouwde apparaten verwijderen?",
diff --git a/resources/authgear/templates/pl/translation.json b/resources/authgear/templates/pl/translation.json
index b805b71738..0da1da1b90 100644
--- a/resources/authgear/templates/pl/translation.json
+++ b/resources/authgear/templates/pl/translation.json
@@ -1181,6 +1181,12 @@
   "v2.page.settings-identity.default.verification-status-unverified-label": "Niezweryfikowane",
   "v2.page.settings-identity.default.verification-status-verified-label": "Zweryfikowane",
   "v2.page.settings-mfa-create-password.default.title": "Dodatkowe hasło",
+  "v2.page.settings-mfa-create-totp.default.description": "Najpierw pobierz aplikację Google Authenticator z <a class=\"link-btn\" target=\"_blank\" href=\"https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2\">Google Play Store</a> lub <a class=\"link-btn\" target=\"_blank\" href=\"https://apps.apple.com/app/google-authenticator/id388497605\">Apple App Store</a>.<br><br>Zeskanuj kod QR lub wprowadź klucz za pomocą urządzenia/aplikacji uwierzytelniającej.",
+  "v2.page.settings-mfa-create-totp.default.title": "Skonfiguruj uwierzytelnianie",
+  "v2.page.settings-mfa-create-totp.default.raw-secret": "{secret}",
+  "v2.page.settings-mfa-enter-totp.default.description": "Wprowadź 6-cyfrowy kod, który widzisz w urządzeniu/aplikacji uwierzytelniającej.",
+  "v2.page.settings-mfa-enter-totp.default.title": "Kod weryfikacyjny",
+  "v2.page.settings-mfa-enter-totp.default.rescan-button-label": "Zeskanuj ponownie kod QR",
   "v2.page.settings-mfa-password.default.additional-password-added-at": "Dodane o <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
   "v2.page.settings-mfa-password.default.additional-password-label": "Dodatkowe hasło",
   "v2.page.settings-mfa-password.default.additional-password-updated-at": "Zaktualizowane o <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
@@ -1188,6 +1194,8 @@
   "v2.page.settings-mfa-password.default.dialog-delete-title": "Usuń dodatkowe hasło",
   "v2.page.settings-mfa-password.default.remove-button-label": "Usuń dodatkowe hasło",
   "v2.page.settings-mfa-password.default.title": "Dodatkowe hasło",
+  "v2.page.settings-mfa-view-recovery-code.default.storage-description": "Jeśli utraciłeś dostęp do swojego urządzenia uwierzytelniającego, użyj tych kodów odzyskiwania, aby odzyskać dostęp do konta. \nPrzechowuj je w bezpiecznym, ale dostępnym miejscu.",
+  "v2.page.settings-mfa-view-recovery-code.default.title": "Kod odzyskiwania",
   "v2.page.settings-mfa.default.activated-label": "Aktywowane",
   "v2.page.settings-mfa.default.additional-password-label": "Dodatkowe hasło",
   "v2.page.settings-mfa.default.dialog-revoke-device-description": "Masz {NumberOfDeviceTokens, plural, one{# zaufane urządzenie} other{# zaufanych urządzeń}} powiązanych z Twoim kontem. Czy chcesz usunąć wszystkie zaufane urządzenia?",
diff --git a/resources/authgear/templates/pt-BR/translation.json b/resources/authgear/templates/pt-BR/translation.json
index 3175bac4ff..1ddd534cad 100644
--- a/resources/authgear/templates/pt-BR/translation.json
+++ b/resources/authgear/templates/pt-BR/translation.json
@@ -1181,6 +1181,12 @@
   "v2.page.settings-identity.default.verification-status-unverified-label": "Não Verificado",
   "v2.page.settings-identity.default.verification-status-verified-label": "Verificado",
   "v2.page.settings-mfa-create-password.default.title": "Senha adicional",
+  "v2.page.settings-mfa-create-totp.default.description": "Primeiro, baixe o aplicativo Google Authenticator da <a class=\"link-btn\" target=\"_blank\" href=\"https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2\">Google Play Store</a> ou <a class=\"link-btn\" target=\"_blank\" href=\"https://apps.apple.com/app/google-authenticator/id388497605\">Apple App Store</a>.<br><br>Escaneie o código QR ou insira a chave com seu dispositivo/aplicativo autenticador.",
+  "v2.page.settings-mfa-create-totp.default.title": "Configurar autenticador",
+  "v2.page.settings-mfa-create-totp.default.raw-secret": "{secret}",
+  "v2.page.settings-mfa-enter-totp.default.description": "Digite o código de 6 dígitos que você vê no dispositivo/aplicativo autenticador.",
+  "v2.page.settings-mfa-enter-totp.default.title": "Código de Verificação",
+  "v2.page.settings-mfa-enter-totp.default.rescan-button-label": "Ler novamente o código QR",
   "v2.page.settings-mfa-password.default.additional-password-added-at": "Adicionada em <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
   "v2.page.settings-mfa-password.default.additional-password-label": "Senha adicional",
   "v2.page.settings-mfa-password.default.additional-password-updated-at": "Atualizada em <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
@@ -1188,6 +1194,8 @@
   "v2.page.settings-mfa-password.default.dialog-delete-title": "Remover senha adicional",
   "v2.page.settings-mfa-password.default.remove-button-label": "Remover senha adicional",
   "v2.page.settings-mfa-password.default.title": "Senha adicional",
+  "v2.page.settings-mfa-view-recovery-code.default.storage-description": "Se você perder o acesso ao seu dispositivo de autenticação, use esses códigos de recuperação para recuperar sua conta. \nGuarde-os em um lugar seguro, mas acessível.",
+  "v2.page.settings-mfa-view-recovery-code.default.title": "Código de recuperação",
   "v2.page.settings-mfa.default.activated-label": "Ativada",
   "v2.page.settings-mfa.default.additional-password-label": "Senha adicional",
   "v2.page.settings-mfa.default.dialog-revoke-device-description": "Você tem {NumberOfDeviceTokens, plural, one{# dispositivo confiável} other{# dispositivos confiáveis}} associados à sua conta. Deseja remover todos os dispositivos confiáveis?",
diff --git a/resources/authgear/templates/pt-PT/translation.json b/resources/authgear/templates/pt-PT/translation.json
index 9851fb8f90..ba6c80cf4f 100644
--- a/resources/authgear/templates/pt-PT/translation.json
+++ b/resources/authgear/templates/pt-PT/translation.json
@@ -1181,6 +1181,12 @@
   "v2.page.settings-identity.default.verification-status-unverified-label": "Não Verificado",
   "v2.page.settings-identity.default.verification-status-verified-label": "Verificado",
   "v2.page.settings-mfa-create-password.default.title": "Palavra-passe adicional",
+  "v2.page.settings-mfa-create-totp.default.description": "Primeiro, descarregue a aplicação Google Authenticator da <a class=\"link-btn\" target=\"_blank\" href=\"https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2\">Google Play Store</a> ou <a class=\"link-btn\" target=\"_blank\" href=\"https://apps.apple.com/app/google-authenticator/id388497605\">Apple App Store</a>.<br><br>Digitalize o código QR ou introduza a chave com o seu dispositivo/aplicação de autenticação.",
+  "v2.page.settings-mfa-create-totp.default.title": "Configurar autenticador",
+  "v2.page.settings-mfa-create-totp.default.raw-secret": "{secret}",
+  "v2.page.settings-mfa-enter-totp.default.description": "Introduza o código de 6 dígitos que vê no dispositivo/aplicação de autenticação.",
+  "v2.page.settings-mfa-enter-totp.default.title": "Código de Verificação",
+  "v2.page.settings-mfa-enter-totp.default.rescan-button-label": "Redigitalizar código QR",
   "v2.page.settings-mfa-password.default.additional-password-added-at": "Adicionada às <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
   "v2.page.settings-mfa-password.default.additional-password-label": "Palavra-passe adicional",
   "v2.page.settings-mfa-password.default.additional-password-updated-at": "Atualizada às <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
@@ -1188,6 +1194,8 @@
   "v2.page.settings-mfa-password.default.dialog-delete-title": "Remover palavra-passe adicional",
   "v2.page.settings-mfa-password.default.remove-button-label": "Remover palavra-passe adicional",
   "v2.page.settings-mfa-password.default.title": "Palavra-passe adicional",
+  "v2.page.settings-mfa-view-recovery-code.default.storage-description": "Se perder o acesso ao seu dispositivo de autenticação, utilize estes códigos de recuperação para recuperar a sua conta. \nGuarde-os num local seguro, mas acessível.",
+  "v2.page.settings-mfa-view-recovery-code.default.title": "Código de recuperação",
   "v2.page.settings-mfa.default.activated-label": "Ativada",
   "v2.page.settings-mfa.default.additional-password-label": "Palavra-passe adicional",
   "v2.page.settings-mfa.default.dialog-revoke-device-description": "Tem {NumberOfDeviceTokens, plural, one{# dispositivo confiável} other{# dispositivos confiáveis}} associados à sua conta. Deseja remover todos os dispositivos confiáveis?",
diff --git a/resources/authgear/templates/pt/translation.json b/resources/authgear/templates/pt/translation.json
index 79092c1331..d80ecaaea0 100644
--- a/resources/authgear/templates/pt/translation.json
+++ b/resources/authgear/templates/pt/translation.json
@@ -1181,6 +1181,12 @@
   "v2.page.settings-identity.default.verification-status-unverified-label": "Não Verificado",
   "v2.page.settings-identity.default.verification-status-verified-label": "Verificado",
   "v2.page.settings-mfa-create-password.default.title": "Senha adicional",
+  "v2.page.settings-mfa-create-totp.default.description": "Primeiro, baixe o aplicativo Google Authenticator da <a class=\"link-btn\" target=\"_blank\" href=\"https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2\">Google Play Store</a> ou <a class=\"link-btn\" target=\"_blank\" href=\"https://apps.apple.com/app/google-authenticator/id388497605\">Apple App Store</a>.<br><br>Escaneie o código QR ou insira a chave com seu dispositivo/aplicativo autenticador.",
+  "v2.page.settings-mfa-create-totp.default.title": "Configurar autenticador",
+  "v2.page.settings-mfa-create-totp.default.raw-secret": "{secret}",
+  "v2.page.settings-mfa-enter-totp.default.description": "Digite o código de 6 dígitos que você vê no dispositivo/aplicativo autenticador.",
+  "v2.page.settings-mfa-enter-totp.default.title": "Código de Verificação",
+  "v2.page.settings-mfa-enter-totp.default.rescan-button-label": "Ler novamente o código QR",
   "v2.page.settings-mfa-password.default.additional-password-added-at": "Adicionado em <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
   "v2.page.settings-mfa-password.default.additional-password-label": "Senha adicional",
   "v2.page.settings-mfa-password.default.additional-password-updated-at": "Atualizado em <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
@@ -1188,6 +1194,8 @@
   "v2.page.settings-mfa-password.default.dialog-delete-title": "Remover senha adicional",
   "v2.page.settings-mfa-password.default.remove-button-label": "Remover senha adicional",
   "v2.page.settings-mfa-password.default.title": "Senha adicional",
+  "v2.page.settings-mfa-view-recovery-code.default.storage-description": "Se você perder o acesso ao seu dispositivo de autenticação, use esses códigos de recuperação para recuperar sua conta. \nGuarde-os em um lugar seguro, mas acessível.",
+  "v2.page.settings-mfa-view-recovery-code.default.title": "Código de recuperação",
   "v2.page.settings-mfa.default.activated-label": "Ativado",
   "v2.page.settings-mfa.default.additional-password-label": "Senha adicional",
   "v2.page.settings-mfa.default.dialog-revoke-device-description": "Você tem {NumberOfDeviceTokens, plural, one{# dispositivo confiável} other{# dispositivos confiáveis}} associados à sua conta. Deseja remover todos os dispositivos confiáveis?",
diff --git a/resources/authgear/templates/th/translation.json b/resources/authgear/templates/th/translation.json
index b1b9e2a219..3f917d646b 100644
--- a/resources/authgear/templates/th/translation.json
+++ b/resources/authgear/templates/th/translation.json
@@ -1181,6 +1181,12 @@
   "v2.page.settings-identity.default.verification-status-unverified-label": "ยังไม่ได้รับการยืนยัน",
   "v2.page.settings-identity.default.verification-status-verified-label": "ได้รับการยืนยันแล้ว",
   "v2.page.settings-mfa-create-password.default.title": "รหัสผ่านเพิ่มเติม",
+  "v2.page.settings-mfa-create-totp.default.description": "เริ่มแรก ดาวน์โหลดแอป Google Authenticator จาก <a class=\"link-btn\" target=\"_blank\" href=\"https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2\">Google Play Store</a> หรือ <a class=\"link-btn\" target=\"_blank\" href=\"https://apps.apple.com/app/google-authenticator/id388497605\">Apple App Store</a>.<br><br>สแกนรหัส QR หรือป้อนคีย์ด้วยอุปกรณ์/แอปรับรองความถูกต้อง",
+  "v2.page.settings-mfa-create-totp.default.title": "ตั้งค่าตัวรับรองความถูกต้อง",
+  "v2.page.settings-mfa-create-totp.default.raw-secret": "{secret}",
+  "v2.page.settings-mfa-enter-totp.default.description": "ป้อนรหัส 6 หลักที่คุณเห็นในอุปกรณ์/แอปรับรองความถูกต้อง",
+  "v2.page.settings-mfa-enter-totp.default.title": "รหัสยืนยัน",
+  "v2.page.settings-mfa-enter-totp.default.rescan-button-label": "สแกนรหัส QR ใหม่",
   "v2.page.settings-mfa-password.default.additional-password-added-at": "เพิ่มเมื่อ <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
   "v2.page.settings-mfa-password.default.additional-password-label": "รหัสผ่านเพิ่มเติม",
   "v2.page.settings-mfa-password.default.additional-password-updated-at": "อัปเดตเมื่อ <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
@@ -1188,6 +1194,8 @@
   "v2.page.settings-mfa-password.default.dialog-delete-title": "ลบรหัสผ่านเพิ่มเติม",
   "v2.page.settings-mfa-password.default.remove-button-label": "ลบรหัสผ่านเพิ่มเติม",
   "v2.page.settings-mfa-password.default.title": "รหัสผ่านเพิ่มเติม",
+  "v2.page.settings-mfa-view-recovery-code.default.storage-description": "หากคุณสูญเสียการเข้าถึงอุปกรณ์รับรองความถูกต้อง ให้ใช้รหัสกู้คืนเหล่านี้เพื่อกู้คืนบัญชีของคุณ \nเก็บรหัสไว้ในที่ปลอดภัยแต่สามารถเข้าถึงได้",
+  "v2.page.settings-mfa-view-recovery-code.default.title": "รหัสกู้คืน",
   "v2.page.settings-mfa.default.activated-label": "เปิดใช้งานแล้ว",
   "v2.page.settings-mfa.default.additional-password-label": "รหัสผ่านเพิ่มเติม",
   "v2.page.settings-mfa.default.dialog-revoke-device-description": "คุณมี {NumberOfDeviceTokens, plural, one{# อุปกรณ์ที่ได้รับการไว้วางใจ} other{# อุปกรณ์ที่ได้รับการไว้วางใจ}} ที่เชื่อมโยงกับบัญชีของคุณ คุณต้องการลบอุปกรณ์ที่ได้รับการไว้วางใจทั้งหมดหรือไม่",
diff --git a/resources/authgear/templates/vi/translation.json b/resources/authgear/templates/vi/translation.json
index 3d73e9798e..0eafdcd212 100644
--- a/resources/authgear/templates/vi/translation.json
+++ b/resources/authgear/templates/vi/translation.json
@@ -1181,6 +1181,12 @@
   "v2.page.settings-identity.default.verification-status-unverified-label": "Chưa được xác minh",
   "v2.page.settings-identity.default.verification-status-verified-label": "Đã xác minh",
   "v2.page.settings-mfa-create-password.default.title": "Mật khẩu bổ sung",
+  "v2.page.settings-mfa-create-totp.default.description": "Đầu tiên, tải ứng dụng Google Authenticator từ <a class=\"link-btn\" target=\"_blank\" href=\"https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2\">Google Play Store</a> hoặc <a class=\"link-btn\" target=\"_blank\" href=\"https://apps.apple.com/app/google-authenticator/id388497605\">Apple App Store</a>.<br><br>Quét mã QR hoặc nhập khóa với thiết bị/ứng dụng xác thực của bạn.",
+  "v2.page.settings-mfa-create-totp.default.title": "Thiết lập xác thực",
+  "v2.page.settings-mfa-create-totp.default.raw-secret": "{secret}",
+  "v2.page.settings-mfa-enter-totp.default.description": "Nhập mã 6 chữ số bạn thấy trong thiết bị/ứng dụng xác thực.",
+  "v2.page.settings-mfa-enter-totp.default.title": "Mã xác minh",
+  "v2.page.settings-mfa-enter-totp.default.rescan-button-label": "Quét lại mã QR",
   "v2.page.settings-mfa-password.default.additional-password-added-at": "Đã thêm vào <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
   "v2.page.settings-mfa-password.default.additional-password-label": "Mật khẩu bổ sung",
   "v2.page.settings-mfa-password.default.additional-password-updated-at": "Đã cập nhật vào <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
@@ -1188,6 +1194,8 @@
   "v2.page.settings-mfa-password.default.dialog-delete-title": "Xóa mật khẩu bổ sung",
   "v2.page.settings-mfa-password.default.remove-button-label": "Xóa mật khẩu bổ sung",
   "v2.page.settings-mfa-password.default.title": "Mật khẩu bổ sung",
+  "v2.page.settings-mfa-view-recovery-code.default.storage-description": "Nếu bạn mất quyền truy cập vào thiết bị xác thực, hãy sử dụng các mã khôi phục này để khôi phục tài khoản của bạn. \nGiữ chúng ở nơi an toàn nhưng có thể truy cập.",
+  "v2.page.settings-mfa-view-recovery-code.default.title": "Mã khôi phục",
   "v2.page.settings-mfa.default.activated-label": "Đã kích hoạt",
   "v2.page.settings-mfa.default.additional-password-label": "Mật khẩu bổ sung",
   "v2.page.settings-mfa.default.dialog-revoke-device-description": "Bạn có {NumberOfDeviceTokens, plural, one{# thiết bị đáng tin cậy} other{# thiết bị đáng tin cậy}} được liên kết với tài khoản của bạn. Bạn có muốn xóa tất cả các thiết bị đáng tin cậy không?",
diff --git a/resources/authgear/templates/zh-CN/translation.json b/resources/authgear/templates/zh-CN/translation.json
index eb071edee5..46f1826522 100644
--- a/resources/authgear/templates/zh-CN/translation.json
+++ b/resources/authgear/templates/zh-CN/translation.json
@@ -1181,6 +1181,12 @@
   "v2.page.settings-identity.default.verification-status-unverified-label": "未验证",
   "v2.page.settings-identity.default.verification-status-verified-label": "已验证",
   "v2.page.settings-mfa-create-password.default.title": "额外密码",
+  "v2.page.settings-mfa-create-totp.default.description": "首先,从<a class=\"link-btn\" target=\"_blank\" href=\"https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2\">Google Play商店</a>或<a class=\"link-btn\" target=\"_blank\" href=\"https://apps.apple.com/app/google-authenticator/id388497605\">Apple App Store</a>下载Google Authenticator App。<br><br>使用您的身份验证器设备/应用程序扫描二维码或输入密钥。",
+  "v2.page.settings-mfa-create-totp.default.title": "设置身份验证器",
+  "v2.page.settings-mfa-create-totp.default.raw-secret": "{secret}",
+  "v2.page.settings-mfa-enter-totp.default.description": "输入您在身份验证器设备/应用程序中看到的6位数字代码。",
+  "v2.page.settings-mfa-enter-totp.default.title": "验证码",
+  "v2.page.settings-mfa-enter-totp.default.rescan-button-label": "重新扫描二维码",
   "v2.page.settings-mfa-password.default.additional-password-added-at": "添加于 <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
   "v2.page.settings-mfa-password.default.additional-password-label": "额外密码",
   "v2.page.settings-mfa-password.default.additional-password-updated-at": "更新于 <span data-date=\"{rfc3339}\">{time, datetime, short} UTC</span>",
@@ -1188,6 +1194,8 @@
   "v2.page.settings-mfa-password.default.dialog-delete-title": "删除额外密码",
   "v2.page.settings-mfa-password.default.remove-button-label": "移除额外密码",
   "v2.page.settings-mfa-password.default.title": "额外密码",
+  "v2.page.settings-mfa-view-recovery-code.default.storage-description": "如果您无法访问您的身份验证设备,请使用这些恢复代码来恢复您的账户。\n请将它们存放在安全且可访问的地方。",
+  "v2.page.settings-mfa-view-recovery-code.default.title": "恢复代码",
   "v2.page.settings-mfa.default.activated-label": "已激活",
   "v2.page.settings-mfa.default.additional-password-label": "额外密码",
   "v2.page.settings-mfa.default.dialog-revoke-device-description": "您的账户关联了 {NumberOfDeviceTokens, plural, one{# 个受信任的设备} other{# 个受信任的设备}}。您想要删除所有受信任的设备吗?",
diff --git a/resources/authgear/templates/zh-HK/translation.json b/resources/authgear/templates/zh-HK/translation.json
index ed4e4104d6..14ee5374de 100644
--- a/resources/authgear/templates/zh-HK/translation.json
+++ b/resources/authgear/templates/zh-HK/translation.json
@@ -1181,6 +1181,12 @@
   "v2.page.settings-identity.default.verification-status-unverified-label": "未驗證",
   "v2.page.settings-identity.default.verification-status-verified-label": "已驗證",
   "v2.page.settings-mfa-create-password.default.title": "輔助密碼",
+  "v2.page.settings-mfa-create-totp.default.description": "首先，從<a class=\"link-btn\" target=\"_blank\" href=\"https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2\">Google Play 商店</a>或<a class=\"link-btn\" target=\"_blank\" href=\"https://apps.apple.com/app/google-authenticator/id388497605\">Apple App Store</a>下載Google Authenticator App。<br><br>使用您的驗證器設備/應用程式掃描QR碼或輸入密鑰。",
+  "v2.page.settings-mfa-create-totp.default.title": "設置驗證器",
+  "v2.page.settings-mfa-create-totp.default.raw-secret": "{secret}",
+  "v2.page.settings-mfa-enter-totp.default.description": "輸入您在驗證器設備/應用程式中看到的6位數字代碼。",
+  "v2.page.settings-mfa-enter-totp.default.title": "驗證碼",
+  "v2.page.settings-mfa-enter-totp.default.rescan-button-label": "重新掃描QR碼",
   "v2.page.settings-mfa-password.default.additional-password-added-at": "新增時間: <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
   "v2.page.settings-mfa-password.default.additional-password-label": "輔助密碼",
   "v2.page.settings-mfa-password.default.additional-password-updated-at": "上次更新時間: <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
@@ -1188,6 +1194,8 @@
   "v2.page.settings-mfa-password.default.dialog-delete-title": "刪除輔助密碼",
   "v2.page.settings-mfa-password.default.remove-button-label": "刪除輔助密碼",
   "v2.page.settings-mfa-password.default.title": "輔助密碼",
+  "v2.page.settings-mfa-view-recovery-code.default.storage-description": "如果您無法訪問您的驗證設備，請使用這些恢復代碼來恢復您的帳戶。\n請將它們存放在安全且可訪問的地方。",
+  "v2.page.settings-mfa-view-recovery-code.default.title": "恢復代碼",
   "v2.page.settings-mfa.default.activated-label": "已啟用",
   "v2.page.settings-mfa.default.additional-password-label": "輔助密碼",
   "v2.page.settings-mfa.default.dialog-revoke-device-description": "您有{NumberOfDeviceTokens}個與您的帳戶關聯的受信任設備",
diff --git a/resources/authgear/templates/zh-TW/translation.json b/resources/authgear/templates/zh-TW/translation.json
index d1fc937b78..ee5176866a 100644
--- a/resources/authgear/templates/zh-TW/translation.json
+++ b/resources/authgear/templates/zh-TW/translation.json
@@ -1181,6 +1181,12 @@
   "v2.page.settings-identity.default.verification-status-unverified-label": "未驗證",
   "v2.page.settings-identity.default.verification-status-verified-label": "已驗證",
   "v2.page.settings-mfa-create-password.default.title": "輔助密碼",
+  "v2.page.settings-mfa-create-totp.default.description": "首先，從<a class=\"link-btn\" target=\"_blank\" href=\"https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2\">Google Play 商店</a>或<a class=\"link-btn\" target=\"_blank\" href=\"https://apps.apple.com/app/google-authenticator/id388497605\">Apple App Store</a>下載 Google Authenticator App。<br><br>使用您的驗證器設備/應用程式掃描 QR 碼或輸入密鑰。",
+  "v2.page.settings-mfa-create-totp.default.title": "設置驗證器",
+  "v2.page.settings-mfa-create-totp.default.raw-secret": "{secret}",
+  "v2.page.settings-mfa-enter-totp.default.description": "輸入您在驗證器設備/應用程式中看到的 6 位數字代碼。",
+  "v2.page.settings-mfa-enter-totp.default.title": "驗證碼",
+  "v2.page.settings-mfa-enter-totp.default.rescan-button-label": "重新掃描 QR 碼",
   "v2.page.settings-mfa-password.default.additional-password-added-at": "新增時間: <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
   "v2.page.settings-mfa-password.default.additional-password-label": "輔助密碼",
   "v2.page.settings-mfa-password.default.additional-password-updated-at": "上次更新時間: <span data-date=\"{rfc3339}\" data-date-type=absolute data-date-date-style=short data-date-time-style=short>{time, datetime, short} UTC</span>",
@@ -1188,6 +1194,8 @@
   "v2.page.settings-mfa-password.default.dialog-delete-title": "刪除輔助密碼",
   "v2.page.settings-mfa-password.default.remove-button-label": "刪除輔助密碼",
   "v2.page.settings-mfa-password.default.title": "輔助密碼",
+  "v2.page.settings-mfa-view-recovery-code.default.storage-description": "如果您無法訪問您的驗證設備，請使用這些恢復代碼來恢復您的帳戶。\n請將它們存放在安全且可訪問的地方。",
+  "v2.page.settings-mfa-view-recovery-code.default.title": "恢復代碼",
   "v2.page.settings-mfa.default.activated-label": "已啟用",
   "v2.page.settings-mfa.default.additional-password-label": "輔助密碼",
   "v2.page.settings-mfa.default.dialog-revoke-device-description": "您有{NumberOfDeviceTokens}個與您的帳戶關聯的受信任設備",

From f79e39f5d09fead53767f2383c6a9cbab98240e1 Mon Sep 17 00:00:00 2001
From: Newman Chow <newman@oursky.com>
Date: Wed, 2 Oct 2024 18:53:18 +0800
Subject: [PATCH 17/17] Fix transaction not started error when update password
 in settings v2

---
 .../service_authenticator.go                  | 30 ++++++++++++-------
 1 file changed, 19 insertions(+), 11 deletions(-)

diff --git a/pkg/lib/accountmanagement/service_authenticator.go b/pkg/lib/accountmanagement/service_authenticator.go
index 12d1dfa29c..0391355160 100644
--- a/pkg/lib/accountmanagement/service_authenticator.go
+++ b/pkg/lib/accountmanagement/service_authenticator.go
@@ -9,7 +9,6 @@ import (
 	"github.com/authgear/authgear-server/pkg/lib/session"
 	"github.com/authgear/authgear-server/pkg/util/accesscontrol"
 	"github.com/authgear/authgear-server/pkg/util/secretcode"
-	"github.com/authgear/authgear-server/pkg/util/uuid"
 )
 
 type ChangePrimaryPasswordInput struct {
@@ -28,10 +27,14 @@ type ChangePrimaryPasswordOutput struct {
 func (s *Service) ChangePrimaryPassword(resolvedSession session.ResolvedSession, input *ChangePrimaryPasswordInput) (*ChangePrimaryPasswordOutput, error) {
 	redirectURI := input.RedirectURI
 
-	_, err := s.changePassword(resolvedSession, &changePasswordInput{
-		Kind:        authenticator.KindPrimary,
-		OldPassword: input.OldPassword,
-		NewPassword: input.NewPassword,
+	var err error
+	err = s.Database.WithTx(func() error {
+		_, err = s.changePassword(resolvedSession, &changePasswordInput{
+			Kind:        authenticator.KindPrimary,
+			OldPassword: input.OldPassword,
+			NewPassword: input.NewPassword,
+		})
+		return err
 	})
 
 	if err != nil {
@@ -73,11 +76,13 @@ func (s *Service) CreateSecondaryPassword(resolvedSession session.ResolvedSessio
 			PlainPassword: input.PlainPassword,
 		},
 	}
-	info, err := s.Authenticators.NewWithAuthenticatorID(uuid.New(), spec)
+	info, err := s.Authenticators.New(spec)
 	if err != nil {
 		return nil, err
 	}
-	err = s.createAuthenticator(info)
+	err = s.Database.WithTx(func() error {
+		return s.createAuthenticator(info)
+	})
 	if err != nil {
 		return nil, err
 	}
@@ -93,10 +98,13 @@ type ChangeSecondaryPasswordOutput struct {
 }
 
 func (s *Service) ChangeSecondaryPassword(resolvedSession session.ResolvedSession, input *ChangeSecondaryPasswordInput) (*ChangeSecondaryPasswordOutput, error) {
-	_, err := s.changePassword(resolvedSession, &changePasswordInput{
-		Kind:        authenticator.KindSecondary,
-		OldPassword: input.OldPassword,
-		NewPassword: input.NewPassword,
+	err := s.Database.WithTx(func() error {
+		_, err := s.changePassword(resolvedSession, &changePasswordInput{
+			Kind:        authenticator.KindSecondary,
+			OldPassword: input.OldPassword,
+			NewPassword: input.NewPassword,
+		})
+		return err
 	})
 
 	if err != nil {