feat: move email sending into background jobs for retry support

Each direct mailer.sendMail() call is replaced by a dedicated background job so that email delivery failures can be retried independently. New jobs: send-pending-email, send-completed-email, send-forgot-password-email, send-document-super-delete-email, send-recipient-removed-email, send-document-deleted-emails, send-2fa-token-email, send-resend-document-email, send-direct-template-created-email. Existing handlers (send-document-cancelled-emails, send-organisation-member-*, send-recipient-signed-email) have io.runTask wrappers removed since they interfere with the job scheduler. Job triggers are dispatched after transactions commit to avoid race conditions with uncommitted data.
feat: better ratelimiting (#2520 )
2026-06-22 04:12:06 +10:00 · 2026-02-20 23:25:37 +11:00 · 2026-02-20 12:23:02 +11:00 · 2026-02-20 11:36:20 +11:00 · 2026-02-18 21:57:10 +11:00 · 2026-02-18 17:07:46 +11:00
187 changed files with 10926 additions and 2504 deletions
@@ -0,0 +1,519 @@
+---
+date: 2026-02-10
+title: Envelope Expiration
+---
+
+## Summary
+
+Envelopes (documents sent for signing) should automatically expire after a configurable period, preventing recipients from completing stale documents. Expiration is tracked **per-recipient** — when a recipient's signing window lapses, the document owner is notified and can resend (extending the deadline) or cancel. The document itself stays PENDING so other recipients can continue signing.
+
+**Settings cascade**: Organisation → Team → Document (each level can override the prior).
+**Default**: 1 month from when the envelope is sent (transitions to PENDING).
+
+---
+
+## 1. Database Schema Changes
+
+### 1.1 Expiration period data shape
+
+Store expiration as a structured JSON object rather than an enum or raw milliseconds. This avoids the enum treadmill (adding `FOUR_MONTHS` later requires a migration) while keeping values validated and meaningful.
+
+**Zod schema** (defined in `packages/lib/constants/envelope-expiration.ts`):
+
+```typescript
+export const ZEnvelopeExpirationPeriod = z.union([
+  z.object({ unit: z.enum(['day', 'week', 'month', 'year']), amount: z.number().int().min(1) }),
+  z.object({ disabled: z.literal(true) }),
+]);
+
+export type TEnvelopeExpirationPeriod = z.infer<typeof ZEnvelopeExpirationPeriod>;
+```
+
+Semantics:
+
+- `null` on `DocumentMeta` / `TeamGlobalSettings` = inherit from parent
+- `{ disabled: true }` = explicitly never expires
+- `{ unit: 'month', amount: 1 }` = expires in 1 month
+
+No Prisma enum is needed — the period is stored as `Json?` on the relevant models (see sections 1.3 and 1.4).
+
+### 1.2 Add expiration fields to `Recipient`
+
+```prisma
+model Recipient {
+  // ... existing fields
+  expiresAt              DateTime?
+  expirationNotifiedAt   DateTime?   // null = not yet notified; set when owner notification sent
+
+  @@index([expiresAt])
+}
+```
+
+`expiresAt` is a computed timestamp set when the envelope transitions to PENDING (at send time). It is calculated from the effective expiration period. Storing the concrete timestamp rather than a relative duration means:
+
+- Sweep queries are simple (`WHERE expiresAt <= NOW() AND expirationNotifiedAt IS NULL`)
+- No need to re-resolve the settings cascade at query time
+- The sender can see the exact deadline in the UI
+- The index on `expiresAt` ensures the expiration sweep query is efficient
+
+`expirationNotifiedAt` tracks whether the owner has already been notified about this recipient's expiration, making the notification job idempotent.
+
+### 1.3 Add expiration period to settings models
+
+**OrganisationGlobalSettings** (JSON, application-level default):
+
+```prisma
+model OrganisationGlobalSettings {
+  // ... existing fields
+  envelopeExpirationPeriod Json?
+}
+```
+
+Prisma `@default` doesn't work for `Json` columns, so the application-level default (`{ unit: 'month', amount: 1 }`) is applied in `extractDerivedTeamSettings` / `extractDerivedDocumentMeta` when the value is null. The migration should backfill existing rows with `{ "unit": "month", "amount": 1 }`.
+
+**TeamGlobalSettings** (nullable, null = inherit from org):
+
+```prisma
+model TeamGlobalSettings {
+  // ... existing fields
+  envelopeExpirationPeriod Json?
+}
+```
+
+### 1.4 Add expiration period to DocumentMeta
+
+This allows per-document override during the document editing flow:
+
+```prisma
+model DocumentMeta {
+  // ... existing fields
+  envelopeExpirationPeriod Json?
+}
+```
+
+When null on DocumentMeta, the resolved team/org setting is used at send time. Validated at write time using `ZEnvelopeExpirationPeriod.nullable()`.
+
+**Important**: `envelopeExpirationPeriod` on `DocumentMeta` is a user-facing preference that may be set during the draft editing flow. It does NOT determine the final expiration — that is resolved at send time (see section 2.3). The value stored here is just the user's selection in the document editor.
+
+---
+
+## 2. Expiration Period Resolution
+
+### 2.1 Duration mapping
+
+Add to `packages/lib/constants/envelope-expiration.ts` alongside the Zod schema:
+
+```typescript
+import { Duration } from 'luxon';
+
+const UNIT_TO_LUXON_KEY: Record<TEnvelopeExpirationPeriod['unit'], string> = {
+  day: 'days',
+  week: 'weeks',
+  month: 'months',
+  year: 'years',
+};
+
+export const DEFAULT_ENVELOPE_EXPIRATION_PERIOD: TEnvelopeExpirationPeriod = {
+  unit: 'month',
+  amount: 1,
+};
+
+export const getEnvelopeExpirationDuration = (period: TEnvelopeExpirationPeriod): Duration => {
+  return Duration.fromObject({ [UNIT_TO_LUXON_KEY[period.unit]]: period.amount });
+};
+```
+
+### 2.2 Settings cascade integration
+
+`extractDerivedTeamSettings()` in `packages/lib/utils/teams.ts` needs **no code changes** — it iterates `Object.keys(derivedSettings)` and overrides with non-null team values at runtime. The new `envelopeExpirationPeriod` field on both `OrganisationGlobalSettings` and `TeamGlobalSettings` will be automatically picked up.
+
+Update `extractDerivedDocumentMeta()` in `packages/lib/utils/document.ts` to include the new field:
+
+```typescript
+envelopeExpirationPeriod: meta.envelopeExpirationPeriod ?? settings.envelopeExpirationPeriod,
+```
+
+### 2.3 Compute `expiresAt` at send time
+
+The expiration period is **locked at send time** — when the envelope transitions to PENDING. The concrete `expiresAt` timestamp is computed for each recipient when the document is actually sent.
+
+In `packages/lib/server-only/document/send-document.ts`:
+
+```typescript
+// Resolve effective period: document meta -> team/org settings -> default
+const rawPeriod =
+  envelope.documentMeta?.envelopeExpirationPeriod ?? settings.envelopeExpirationPeriod;
+
+const expiresAt = resolveExpiresAt(rawPeriod);
+
+// Inside the $transaction, for each recipient:
+await tx.recipient.updateMany({
+  where: { envelopeId: envelope.id },
+  data: { expiresAt },
+});
+```
+
+### 2.4 Compute `expiresAt` in the direct template flow
+
+`create-document-from-direct-template.ts` creates envelopes directly as PENDING and then calls `sendDocument` afterward. Since `sendDocument` handles setting `expiresAt` on recipients, the direct template flow doesn't need to set it directly — `sendDocument` handles it.
+
+---
+
+## 3. Cron Job Infrastructure (New)
+
+The current job system is purely event-triggered. Inngest natively supports cron-triggered functions, but the local provider (used in dev and by self-hosters who don't want a third-party dependency) has no scheduling capability. This section adds cron support to the local provider to maintain feature parity.
+
+### 3.1 Extend `JobDefinition` with cron support
+
+Add an optional `cron` field to the trigger type in `packages/lib/jobs/client/_internal/job.ts`:
+
+```typescript
+export type JobDefinition<Name extends string = string, Schema = any> = {
+  id: string;
+  name: string;
+  version: string;
+  enabled?: boolean;
+  optimizeParallelism?: boolean;
+  trigger: {
+    name: Name;
+    schema?: z.ZodType<Schema>;
+    /** Cron expression (e.g. "* * * * *"). When set, the job runs on a schedule. */
+    cron?: string;
+  };
+  handler: (options: { payload: Schema; io: JobRunIO }) => Promise<Json | void>;
+};
+```
+
+### 3.2 Inngest provider: wire up native cron
+
+In `packages/lib/jobs/client/inngest.ts`, when defining a function, check for `cron`:
+
+```typescript
+defineJob(job) {
+  if (job.trigger.cron) {
+    this._functions.push(
+      this._client.createFunction(
+        { id: job.id, name: job.name },
+        { cron: job.trigger.cron },
+        async ({ step, logger }) => {
+          const io = convertInngestIoToJobRunIo(step, logger, this);
+          await job.handler({ payload: {} as any, io });
+        },
+      ),
+    );
+  } else {
+    // Existing event-triggered logic (unchanged)
+  }
+}
+```
+
+### 3.3 Local provider: poller + deterministic `BackgroundJob` IDs
+
+Use the existing `BackgroundJob` table for multi-instance dedupe instead of advisory locks. This approach keeps implementation Prisma-only (no raw SQL), works for single-instance and multi-instance deployments, and preserves existing retry/visibility behavior.
+
+**On `defineJob()`**: If the job has a `cron` field, register an in-process scheduler entry and start a lightweight poller (every 30s with jitter).
+
+**Each poll tick**:
+
+1. Evaluate whether the cron schedule has one or more due run slots since the last tick (use a real cron parser, e.g. `cron-parser`)
+2. For each due slot, build a deterministic run ID from job ID + scheduled slot time
+3. Create a `BackgroundJob` row with that deterministic ID using Prisma
+4. If insert succeeds → enqueue via the existing local job pipeline
+5. If insert fails with Prisma `P2002` (unique violation) → another node already enqueued that run, skip
+
+### 3.4 Summary of changes to the job system
+
+| File                                        | Change                                                           |
+| ------------------------------------------- | ---------------------------------------------------------------- |
+| `packages/lib/jobs/client/_internal/job.ts` | Add optional `cron` field to `trigger` type                      |
+| `packages/lib/jobs/client/local.ts`         | Add cron poller + deterministic `BackgroundJob.id` dedupe        |
+| `packages/lib/jobs/client/inngest.ts`       | Wire up `{ cron: ... }` in `createFunction` for cron jobs        |
+| `packages/lib/jobs/client/_internal/*`      | Add cron helper utilities (`getDueCronSlots`, run ID generation) |
+
+---
+
+## 4. Expiration Processing
+
+### 4.1 Two-job architecture
+
+Expiration uses two jobs: a **sweep dispatcher** that runs on a cron schedule and finds expired recipients, and an **individual notification job** that handles the audit log, owner notification email, and webhook for a single recipient. This separation means:
+
+- The sweep is lightweight and fast (just a query + N job triggers)
+- Each recipient's expiration notification is independently retryable
+- The individual jobs are idempotent — they check `expirationNotifiedAt IS NULL` before processing
+
+### 4.2 Sweep job: `EXPIRE_RECIPIENTS_SWEEP_JOB`
+
+A cron-triggered job that runs every minute to find and dispatch notifications for expired recipients.
+
+**Definition:** `packages/lib/jobs/definitions/internal/expire-recipients-sweep.ts`
+
+**Handler:** `packages/lib/jobs/definitions/internal/expire-recipients-sweep.handler.ts`
+
+```typescript
+const expiredRecipients = await prisma.recipient.findMany({
+  where: {
+    expiresAt: { lte: new Date() },
+    expirationNotifiedAt: null,
+    signingStatus: { notIn: [SigningStatus.SIGNED, SigningStatus.REJECTED] },
+    envelope: { status: DocumentStatus.PENDING },
+  },
+  select: { id: true },
+  take: 100,
+});
+
+for (const recipient of expiredRecipients) {
+  await jobs.triggerJob({
+    name: 'internal.notify-recipient-expired',
+    payload: { recipientId: recipient.id },
+  });
+}
+```
+
+### 4.3 Individual notification job: `NOTIFY_RECIPIENT_EXPIRED_JOB`
+
+An event-triggered job that handles a single recipient's expiration.
+
+**Definition:** `packages/lib/jobs/definitions/internal/notify-recipient-expired.ts`
+
+**Handler:** `packages/lib/jobs/definitions/internal/notify-recipient-expired.handler.ts`
+
+The handler:
+
+1. Fetches the recipient (with guard: `expirationNotifiedAt IS NULL` + not signed/rejected)
+2. Sets `recipient.expirationNotifiedAt = now()` (idempotency)
+3. Creates audit log entry with `DOCUMENT_RECIPIENT_EXPIRED` type
+4. Sends email notification to the **document owner** (inline — no separate email job)
+5. The document stays PENDING — the owner decides whether to resend or cancel
+
+### 4.4 Register in job client
+
+Add `EXPIRE_RECIPIENTS_SWEEP_JOB_DEFINITION` and `NOTIFY_RECIPIENT_EXPIRED_JOB_DEFINITION` to the job registry in `packages/lib/jobs/client.ts`.
+
+### 4.5 Email template: Recipient Expired
+
+Target the **document owner**:
+
+- Subject: `Signing window expired for "{recipientName}" on "{documentTitle}"`
+- Body: "The signing window for {recipientName} ({recipientEmail}) on document {title} has expired. You can resend the document to extend their deadline or cancel the document."
+- Include a "View Document" link to the document page in the app
+
+Template files:
+
+- `packages/email/templates/recipient-expired.tsx` — wrapper
+- `packages/email/template-components/template-recipient-expired.tsx` — body
+
+### 4.6 Recipient signing guard
+
+In the signing flow, check `recipient.expiresAt` before allowing any signing action. Note that the document stays PENDING even after recipient expiration, so the existing `status !== PENDING` guard does not block expired recipients — an explicit expiration check is required:
+
+```typescript
+if (recipient.expiresAt && recipient.expiresAt <= new Date()) {
+  throw new AppError(AppErrorCode.RECIPIENT_EXPIRED, {
+    message: 'Recipient signing window has expired',
+  });
+}
+```
+
+**Files to update:**
+
+- `packages/lib/server-only/document/complete-document-with-token.ts`
+- `packages/lib/server-only/field/sign-field-with-token.ts`
+- `packages/lib/server-only/field/remove-signed-field-with-token.ts`
+- `packages/lib/server-only/document/reject-document-with-token.ts`
+
+---
+
+## 5. UI Design
+
+### 5.1 Expiration Period Selector Component
+
+Use a number input + unit selector combo. This gives organisations full flexibility to configure any duration without needing schema changes for new options.
+
+**Layout**: A horizontal group with:
+
+- A number `<Input>` (min 1, integer)
+- A `<Select>` for the unit (`day`, `week`, `month`, `year`)
+- A "Never expires" toggle/checkbox that disables the duration inputs and sets the value to `{ disabled: true }`
+
+At the team level, include an "Inherit from organisation" option that clears the value to `null`.
+
+**Validation**: Use `ZEnvelopeExpirationPeriod` for form validation.
+
+### 5.2 Organisation Settings → Document Preferences
+
+Add a "Default Envelope Expiration" field to the `DocumentPreferencesForm` component. At the org level, there is no "Inherit" option — it must have a concrete value (default: `{ unit: 'month', amount: 1 }`).
+
+### 5.3 Team Settings → Document Preferences
+
+Same field as org, but with the additional "Inherit from organisation" option (stored as `null`).
+
+### 5.4 Document Editor → Settings Step
+
+Add the expiration selector to `packages/ui/primitives/document-flow/add-settings.tsx` inside the "Advanced Options" accordion.
+
+Label: **"Expiration"**
+Description: _"How long recipients have to complete this document after it is sent."_
+
+### 5.5 Recipient Signing Page — Expired State
+
+When a recipient visits a signing link for an expired recipient:
+
+- Redirect to `/sign/{token}/expired`
+- Show a clear, non-alarming message: "Your signing window has expired. Please contact the sender for a new invitation."
+- Do not show the signing form or fields
+- The `isExpired` flag in `get-envelope-for-recipient-signing.ts` is derived from `recipient.expiresAt`
+
+### 5.6 Embed Signing — Expired State
+
+Embed signing routes handle recipient expiration by throwing `embed-recipient-expired`:
+
+- `apps/remix/app/routes/embed+/_v0+/sign.$token.tsx` — both V1 and V2 loaders check expiration
+- The embed error boundary renders an `EmbedRecipientExpired` component
+- Direct templates (`direct.$token.tsx`) create fresh recipients so `isExpired` is always `false`
+
+---
+
+## 6. API / TRPC Changes
+
+### 6.1 Update settings mutation schemas
+
+- `packages/trpc/server/organisation-router/update-organisation-settings.types.ts` — add `envelopeExpirationPeriod: ZEnvelopeExpirationPeriod` (non-nullable at org level)
+- `packages/trpc/server/team-router/update-team-settings.types.ts` — add `envelopeExpirationPeriod: ZEnvelopeExpirationPeriod.nullable()` (null = inherit from org)
+
+### 6.2 Update document mutation schemas
+
+- `packages/lib/types/document-meta.ts` — add `envelopeExpirationPeriod: ZEnvelopeExpirationPeriod.nullable()` to the meta schema
+- `packages/trpc/server/document-router/create-document.types.ts` — include in meta
+- `packages/trpc/server/document-router/update-document.types.ts` — include in meta
+- `packages/trpc/server/document-router/distribute-document.types.ts` — include in meta
+
+### 6.3 Expose `expiresAt` in recipient responses
+
+Ensure `expiresAt` and `expirationNotifiedAt` are returned when fetching recipients/documents so the UI can display expiration status.
+
+### 6.4 Webhook / API schema updates
+
+- Recipient schema includes `expiresAt` and `expirationNotifiedAt` fields (replacing the old `expired` field)
+- Update `packages/api/v1/schema.ts`, webhook payload types, zapier integration, and sample data generators
+
+---
+
+## 7. Edge Cases & Considerations
+
+### 7.1 Already-sent documents
+
+The migration should NOT retroactively expire existing recipients. `expiresAt` will be null for all existing recipients, meaning they never expire (backward-compatible).
+
+### 7.2 Re-sending / redistributing
+
+When `redistribute` is called on a PENDING document, `expiresAt` should be refreshed on all eligible recipients. Redistributing signals active intent, so the clock should restart.
+
+**Implementation**: `resendDocument` refreshes `recipient.expiresAt` for all recipients that haven't signed/rejected yet.
+
+### 7.3 Multi-recipient partial expiration
+
+If some recipients have signed and others expire, the document stays PENDING. This is the key advantage over document-level expiration — the owner can resend to extend the expired recipients' deadlines without affecting those who've already signed.
+
+### 7.4 Partial completion
+
+Partial signatures are preserved. The document is not sealed/completed until all required recipients have signed (or the owner cancels).
+
+### 7.5 Timezone handling
+
+`expiresAt` is stored as UTC. Display in the sender's configured timezone.
+
+### 7.6 Race condition: signing at expiration time
+
+The signing guard checks `recipient.expiresAt` in application code before the signing operation. The notification job's guard (`expirationNotifiedAt IS NULL` + `signingStatus NOT IN (SIGNED, REJECTED)`) prevents double-notifications. If a recipient signs just before expiration, the sweep's `signingStatus` filter skips them.
+
+### 7.7 Direct template flow
+
+`create-document-from-direct-template.ts` creates envelopes directly as PENDING then calls `sendDocument`. Since `sendDocument` sets `recipient.expiresAt`, no special handling is needed in the direct template flow.
+
+---
+
+## 8. Migration Plan
+
+1. Add Prisma schema changes (`expiresAt` + `expirationNotifiedAt` on Recipient, `Json?` fields on settings models, index)
+2. Generate and run migration
+3. Backfill: set `envelopeExpirationPeriod` to `{ "unit": "month", "amount": 1 }` on all existing `OrganisationGlobalSettings` rows
+4. No backfill on `Recipient.expiresAt` — existing recipients keep null (never expire)
+5. Deploy backend changes (jobs, guards, email template)
+6. Deploy frontend changes (settings UI, document editor, signing page, embeds)
+
+---
+
+## 9. Files to Create or Modify
+
+### New Files
+
+- `packages/lib/constants/envelope-expiration.ts` — `ZEnvelopeExpirationPeriod` schema, types, `DEFAULT_ENVELOPE_EXPIRATION_PERIOD`, `getEnvelopeExpirationDuration()`, `resolveExpiresAt()` helper
+- `packages/lib/jobs/definitions/internal/expire-recipients-sweep.ts` — cron sweep job definition
+- `packages/lib/jobs/definitions/internal/expire-recipients-sweep.handler.ts` — cron sweep handler
+- `packages/lib/jobs/definitions/internal/notify-recipient-expired.ts` — individual notification job definition
+- `packages/lib/jobs/definitions/internal/notify-recipient-expired.handler.ts` — notification handler (includes inline email sending)
+- `packages/email/templates/recipient-expired.tsx` — email template wrapper
+- `packages/email/template-components/template-recipient-expired.tsx` — email template body
+- `apps/remix/app/components/embed/embed-recipient-expired.tsx` — embed expired component
+
+### Modified Files
+
+**Job system (cron infrastructure):**
+
+- `packages/lib/jobs/client/_internal/job.ts` — add optional `cron` field to `trigger` type
+- `packages/lib/jobs/client/local.ts` — add cron poller + deterministic `BackgroundJob.id` dedupe
+- `packages/lib/jobs/client/inngest.ts` — wire up `{ cron: ... }` in `createFunction`
+- `packages/lib/jobs/client/_internal/*` — add cron helper utilities (slot calc + run ID)
+- `packages/lib/jobs/client.ts` — register new jobs
+
+**Schema & data layer:**
+
+- `packages/prisma/schema.prisma` — model changes + index
+- `packages/lib/utils/document.ts` — `extractDerivedDocumentMeta` (add `envelopeExpirationPeriod`)
+- `packages/lib/server-only/document/send-document.ts` — resolve settings + compute and set `recipient.expiresAt`
+- `packages/lib/server-only/template/create-document-from-direct-template.ts` — no changes (sendDocument handles it)
+- `packages/lib/server-only/document/resend-document.ts` — refresh `recipient.expiresAt` on redistribute
+- `packages/lib/server-only/document/complete-document-with-token.ts` — recipient expiration guard
+- `packages/lib/server-only/field/sign-field-with-token.ts` — recipient expiration guard
+- `packages/lib/server-only/field/remove-signed-field-with-token.ts` — recipient expiration guard
+- `packages/lib/server-only/document/reject-document-with-token.ts` — recipient expiration guard
+
+**Error handling:**
+
+- `packages/lib/errors/app-error.ts` — add `RECIPIENT_EXPIRED` error code
+
+**Audit logs:**
+
+- `packages/lib/types/document-audit-logs.ts` — add `DOCUMENT_RECIPIENT_EXPIRED` type with `recipientEmail`/`recipientName` data fields
+- `packages/lib/utils/document-audit-logs.ts` — add human-readable rendering for `DOCUMENT_RECIPIENT_EXPIRED`
+
+**Signing page:**
+
+- `packages/lib/server-only/envelope/get-envelope-for-recipient-signing.ts` — derive `isExpired` from `recipient.expiresAt`
+- `apps/remix/app/routes/_recipient+/sign.$token+/_index.tsx` — keep redirect to expired page using `isExpired`
+
+**Embeds:**
+
+- `apps/remix/app/routes/embed+/_v0+/sign.$token.tsx` — check recipient expiration in V1/V2 loaders
+- `apps/remix/app/routes/embed+/_v0+/_layout.tsx` — handle `embed-recipient-expired` in error boundary
+
+**Webhook / API:**
+
+- `packages/lib/types/recipient.ts` — add `expiresAt`/`expirationNotifiedAt` to recipient type
+- `packages/lib/types/webhook-payload.ts` — add `expiresAt`/`expirationNotifiedAt` to webhook recipient
+- `packages/lib/server-only/webhooks/trigger/generate-sample-data.ts` — update sample data
+- `packages/lib/server-only/webhooks/zapier/list-documents.ts` — update zapier recipient shape
+- `packages/api/v1/schema.ts` — add `expiresAt` to API recipient schema
+
+**TRPC / settings:**
+
+- `packages/trpc/server/organisation-router/update-organisation-settings.types.ts`
+- `packages/trpc/server/team-router/update-team-settings.types.ts`
+- `packages/lib/types/document-meta.ts`
+
+**UI:**
+
+- `apps/remix/app/components/forms/document-preferences-form.tsx` — add expiration period picker
+- `packages/ui/primitives/document-flow/add-settings.tsx` — add expiration field
+- `packages/ui/primitives/document-flow/add-settings.types.ts` — add to schema
@@ -0,0 +1,168 @@
+---
+date: 2026-02-11
+title: Cert Page Width Mismatch
+---
+
+## Problem
+
+Certificate and audit log pages are generated with hardcoded A4 dimensions (`PDF_SIZE_A4_72PPI`: 595×842) regardless of the actual document page sizes. When the source document uses a different page size (e.g., Letter, Legal, or custom dimensions), the certificate/audit log pages end up with a different width than the document pages. This causes problems with courts that expect uniform page dimensions throughout a PDF.
+
+**Both width and height must match** the last page of the document so the entire PDF prints uniformly.
+
+**Root cause**: In `seal-document.handler.ts` (lines 186-187), the certificate payload always uses:
+
+```ts
+pageWidth: PDF_SIZE_A4_72PPI.width,  // 595
+pageHeight: PDF_SIZE_A4_72PPI.height, // 842
+```
+
+These hardcoded values flow into `generateCertificatePdf`, `generateAuditLogPdf`, `renderCertificate`, and `renderAuditLogs` — all of which use `pageWidth`/`pageHeight` to set Konva stage dimensions and layout content.
+
+## Key Files
+
+| File                                                                    | Role                                                                                  |
+| ----------------------------------------------------------------------- | ------------------------------------------------------------------------------------- |
+| `packages/lib/jobs/definitions/internal/seal-document.handler.ts`       | Orchestrates sealing; passes page dimensions to cert/audit generators                 |
+| `packages/lib/constants/pdf.ts`                                         | Defines `PDF_SIZE_A4_72PPI` (595×842)                                                 |
+| `packages/lib/server-only/pdf/generate-certificate-pdf.ts`              | Generates certificate PDF; accepts `pageWidth`/`pageHeight`                           |
+| `packages/lib/server-only/pdf/generate-audit-log-pdf.ts`                | Generates audit log PDF; accepts `pageWidth`/`pageHeight`                             |
+| `packages/lib/server-only/pdf/render-certificate.ts`                    | Renders certificate pages via Konva; uses `pageWidth`/`pageHeight` for stage + layout |
+| `packages/lib/server-only/pdf/render-audit-logs.ts`                     | Renders audit log pages via Konva; uses `pageWidth`/`pageHeight` for stage + layout   |
+| `packages/lib/server-only/pdf/get-page-size.ts`                         | Existing utility — extend with `@libpdf/core` version                                 |
+| `packages/trpc/server/document-router/download-document-certificate.ts` | Standalone certificate download (also hardcodes A4)                                   |
+| `packages/trpc/server/document-router/download-document-audit-logs.ts`  | Standalone audit log download (also hardcodes A4)                                     |
+
+## Architecture
+
+### Current Flow
+
+1. **One cert PDF + one audit log PDF** generated per envelope with hardcoded A4 dims
+2. Both appended to **every** envelope item (document) via `decorateAndSignPdf` → `pdfDoc.copyPagesFrom()`
+3. The audit log is envelope-level (all recipients, all events across all docs) — one per envelope, not per document
+
+### Multi-Document Envelopes
+
+- V1 envelopes: single document only
+- V2 envelopes: support multiple documents (envelope items)
+- Each envelope item gets both cert + audit log pages appended to it
+- If documents have different page sizes → need size-matched cert/audit for each
+
+### Reading Page Dimensions (`@libpdf/core` only)
+
+Use `@libpdf/core`'s `PDF` class — NOT `@cantoo/pdf-lib`:
+
+```ts
+const pdfDoc = await PDF.load(pdfData);
+const lastPage = pdfDoc.getPage(pdfDoc.getPageCount() - 1);
+const { width, height } = lastPage; // e.g. 612, 792 for Letter
+```
+
+Already used this way in `seal-document.handler.ts` lines 403-410 for V2 field insertion.
+"Last page" = last page of the original document, before cert/audit pages are appended.
+
+### Content Layout Adaptation
+
+Both renderers already handle variable dimensions gracefully:
+
+- **Width**: `render-certificate.ts:713` / `render-audit-logs.ts:588` — `Math.min(pageWidth - minimumMargin * 2, contentMaxWidth)` with `contentMaxWidth = 768`. Wider pages get more margin, narrower pages tighter margins.
+- **Height**: Both renderers paginate content into pages using `groupRowsIntoPages()` which respects `pageHeight` via `maxTableHeight = pageHeight - pageTopMargin - pageBottomMargin`. Shorter pages just mean more pages; taller pages fit more rows per page.
+
+### Playwright PDF Path — Out of Scope
+
+The `NEXT_PRIVATE_USE_PLAYWRIGHT_PDF` toggle enables a deprecated Playwright-based PDF generation path (`get-certificate-pdf.ts`, `get-audit-logs-pdf.ts`) that also hardcodes `format: 'A4'` in `page.pdf()`. This path is **not being updated** as part of this fix:
+
+- Both files are marked `@deprecated`
+- The Konva-based path is the default and recommended path
+- The Playwright path is behind a feature flag and will be removed
+
+No changes needed. Add a code comment noting the A4 limitation if the Playwright path is ever re-enabled.
+
+## Plan
+
+### 1. Extend `get-page-size.ts` with `@libpdf/core` utility
+
+Add a `getLastPageDimensions` function to the existing `packages/lib/server-only/pdf/get-page-size.ts` file. This consolidates page-size logic in one place (the file already has the legacy `@cantoo/pdf-lib` version).
+
+```ts
+export const getLastPageDimensions = (pdfDoc: PDF): { width: number; height: number } => {
+  const lastPage = pdfDoc.getPage(pdfDoc.getPageCount() - 1);
+  const width = Math.round(lastPage.width);
+  const height = Math.round(lastPage.height);
+
+  if (width < MIN_CERT_PAGE_WIDTH || height < MIN_CERT_PAGE_HEIGHT) {
+    return { width: PDF_SIZE_A4_72PPI.width, height: PDF_SIZE_A4_72PPI.height };
+  }
+
+  return { width, height };
+};
+```
+
+**Dimension rounding**: `Math.round()` both width and height. PDF points at 72ppi are typically whole numbers; rounding avoids spurious float-precision mismatches (e.g., 612.0 vs 612.00001) that would cause unnecessary duplicate cert/audit PDF generation.
+
+**Minimum page dimensions**: Enforce a minimum threshold (e.g., 300pt for both width and height). If either dimension falls below the minimum, fall back to A4 (595×842). The certificate and audit log renderers have headers, table rows, margins, and QR codes that require a minimum viable area.
+
+### 2. Read last page dimensions from each envelope item's PDF
+
+In `seal-document.handler.ts`, before generating cert/audit PDFs:
+
+- For each `envelopeItem`, load the PDF and read the **last page's width and height** using `getLastPageDimensions`
+- Use `PDF.load()` then pass the loaded doc to the utility
+
+**Resealing consideration**: When `isResealing` is true, envelope items are remapped to use `initialData` (lines 152-158) before this point. Page-size extraction must operate on the same data source that `decorateAndSignPdf` will use. Since the `envelopeItems` array is already remapped by the time we read dimensions, reading from `envelopeItem.documentData` will naturally give the correct (initial) data. No special handling needed beyond ensuring the dimension read happens **after** the resealing remap.
+
+### 3. Generate cert/audit PDFs per unique page size
+
+Current flow generates one cert + one audit log doc per envelope. Change to:
+
+1. Collect `{ width, height }` of the last page for each envelope item
+2. Deduplicate by `"${width}x${height}"` key (using the already-rounded integers)
+3. For each unique size, generate cert PDF and audit log PDF with those dimensions
+4. Store in a `Map<string, { certificateDoc, auditLogDoc }>` keyed by `"${width}x${height}"`
+
+For the common single-document case, this is one generation — same perf as today.
+
+### 4. Thread the correct docs into `decorateAndSignPdf`
+
+In the envelope item loop, look up the item's last-page dimensions in the map and pass the matching cert/audit docs. Signature of `decorateAndSignPdf` doesn't change — it still receives a single `certificateDoc` and `auditLogDoc`, just the right ones per item.
+
+### 5. Update standalone download routes
+
+`download-document-certificate.ts` and `download-document-audit-logs.ts` also hardcode A4:
+
+- Both routes have `documentId` which maps to a specific envelope item
+- Fetch **that specific document's** PDF data, load it, read last page width + height via `getLastPageDimensions`
+- Pass `{ pageWidth, pageHeight }` to the generator
+- This ensures the standalone download matches the dimensions the user would see in the sealed PDF for that document
+
+### 6. Edge cases
+
+| Scenario                                | Behavior                                                                                    |
+| --------------------------------------- | ------------------------------------------------------------------------------------------- |
+| Mixed page sizes within one PDF         | Use last page's dimensions (per spec)                                                       |
+| Page dimensions below minimum threshold | Fall back to A4 (595×842)                                                                   |
+| Landscape pages                         | width/height just swap roles; renderers adapt via `Math.min()` capping. No special handling |
+| Fallback if page dims unreadable        | Default to A4 (595×842)                                                                     |
+| Resealing                               | Dimensions read after `initialData` remap — correct source automatically                    |
+| Playwright PDF path enabled             | Remains A4 — out of scope, deprecated                                                       |
+| Single-doc envelope (most common)       | One generation, same perf as today                                                          |
+| Multi-doc envelope, same page sizes     | Dedup key matches → one generation                                                          |
+| Multi-doc envelope, different sizes     | One generation per unique size                                                              |
+
+### 7. Tests
+
+- Add assertion-based E2E test (no visual regression / reference images needed)
+- Seal a Letter-size (612×792) PDF through the full flow
+- Load the sealed output and assert all pages (document + cert + audit) have matching width/height
+- Can be added to `envelope-alignment.spec.ts` or as a new focused test
+
+## Implementation Steps
+
+1. **Extend `get-page-size.ts`** — add `getLastPageDimensions(pdfDoc: PDF): { width: number; height: number }` using `@libpdf/core`, with `Math.round()` and minimum dimension enforcement
+2. **In `seal-document.handler.ts`**:
+   a. After the resealing remap (line ~159), load each envelope item's PDF via `PDF.load()` and collect last page `{ width, height }` using `getLastPageDimensions`
+   b. Deduplicate by `"${width}x${height}"` key
+   c. Generate cert/audit PDFs per unique size (parallel via `Promise.all`)
+   d. In envelope item loop, look up matching cert/audit doc by size key
+3. **Fix `download-document-certificate.ts`** — load the specific document's PDF, read last page dims via `getLastPageDimensions`, pass to generator
+4. **Fix `download-document-audit-logs.ts`** — same as above, using the specific `documentId`'s PDF
+5. **Add E2E test** — assertion-based test with a Letter-size document verifying all page dimensions match after sealing
@@ -0,0 +1,551 @@
+---
+date: 2026-02-19
+title: Database Rate Limiting
+---
+
+## Summary
+
+Replace the in-memory `hono-rate-limiter` with a database-backed rate limiting system using Prisma and PostgreSQL. The current in-memory approach is ineffective in multi-instance deployments since there are no sticky sessions. The new system uses **bucketed counters** (one row per key/action/time-bucket with atomic increment) to efficiently handle both high-throughput API rate limiting and granular auth/email rate limiting.
+
+### Design Decisions
+
+- **Bucketed counters** over row-per-request: high-throughput consumers would create thousands of rows per minute; bucketed counters reduce this to one row per key per time bucket
+- **Fixed time windows**: simpler than sliding windows, the 2x burst-at-boundary scenario is acceptable for rate limiting purposes
+- **Dual-key rate limiting**: per-identifier (`max`) and per-IP (`globalMax`) checked independently via separate rows with a `key` prefix (`id:` / `ip:`)
+- **Accept slight over-count**: the upsert is atomic (increment + return count in one operation) but concurrent requests near the limit may both see a count just under the threshold before either commits, allowing a slight overshoot
+- **Fail-open on errors**: if the rate limit DB query fails, allow the request through rather than blocking legitimate users
+- **Prisma upsert** with `{ increment: 1 }` for atomic counter updates, returns the updated row so count check is a single operation
+- **Application cron job** for cleanup of expired bucket rows
+
+### Rate Limit Check Flow
+
+```
+check({ ip, identifier }) ->
+  1. Upsert IP row (ip:{ip} / action / bucket) with count + 1, RETURNING count
+     -> if globalMax is set and count >= globalMax, return { isLimited: true }
+  2. Upsert identifier row (id:{identifier} / action / bucket) with count + 1, RETURNING count
+     -> if count >= max, return { isLimited: true }
+  3. Neither limited -> return { isLimited: false }
+```
+
+Each upsert atomically increments and returns the new count in a single operation. Both counters always increment on every check — there's no conditional logic to skip one based on the other. This keeps the implementation simple and avoids read-then-write race conditions. If only IP is provided (API rate limiting), only step 1 runs.
+
+---
+
+## 1. Database Schema
+
+### 1.1 Prisma model
+
+Add to `packages/prisma/schema.prisma` after the `Counter` model:
+
+```prisma
+model RateLimit {
+  key       String
+  action    String
+  bucket    DateTime
+  count     Int      @default(1)
+
+  createdAt DateTime @default(now())
+
+  @@id([key, action, bucket])
+  @@index([createdAt])
+}
+```
+
+- **Composite primary key** `(key, action, bucket)` serves as both the unique constraint for upserts and the lookup index
+- **`key`** is prefixed: `ip:1.2.3.4` or `id:user@example.com`
+- **`action`** is the rate limit action name: `auth.forgot-password`, `api.v1`, etc.
+- **`bucket`** is the start of the time window, truncated to the window size (e.g., `2026-02-19T10:05:00Z` for a 5-minute bucket)
+- **`createdAt` index** is for the cleanup job to efficiently delete old rows
+- **`count`** starts at 1 (set by the create side of the upsert)
+
+### 1.2 Migration
+
+Generate with `npx prisma migrate dev --name add-rate-limits`.
+
+---
+
+## 2. Rate Limit Library
+
+### 2.1 Core module
+
+Create `packages/lib/server-only/rate-limit/rate-limit.ts`:
+
+```typescript
+type WindowUnit = 's' | 'm' | 'h' | 'd';
+type WindowStr = `${number}${WindowUnit}`;
+
+type RateLimitConfig = {
+  action: string;
+  max: number;
+  globalMax?: number;
+  window: WindowStr;
+};
+
+type CheckParams = {
+  ip: string;
+  identifier?: string;
+};
+
+export const rateLimit = (config: RateLimitConfig) => {
+  return {
+    async check(params: CheckParams): Promise<{
+      isLimited: boolean;
+      remaining: number;
+      limit: number;
+      reset: Date;
+    }> { ... }
+  };
+};
+```
+
+### 2.2 Window parsing and bucket computation
+
+```typescript
+const parseWindow = (window: WindowStr): number => {
+  const value = parseInt(window.slice(0, -1), 10);
+  const unit = window.slice(-1) as WindowUnit;
+  const multipliers: Record<WindowUnit, number> = {
+    s: 1000,
+    m: 60 * 1000,
+    h: 60 * 60 * 1000,
+    d: 24 * 60 * 60 * 1000,
+  };
+  return value * multipliers[unit];
+};
+
+const getBucket = (windowMs: number): Date => {
+  const now = Date.now();
+  return new Date(now - (now % windowMs));
+};
+```
+
+### 2.3 Check implementation
+
+The `check()` method:
+
+1. Compute the current bucket from the window
+2. Compute `reset` as `bucket + windowMs` (the start of the next window)
+3. If `globalMax` is set, upsert the IP row and check count
+4. If `identifier` is provided, upsert the identifier row and check count
+5. Wrap in try/catch — **fail-open** on any database error (log the error, return `{ isLimited: false }`)
+
+Each upsert uses Prisma's `upsert` with `{ increment: 1 }`:
+
+```typescript
+const result = await prisma.rateLimit.upsert({
+  where: {
+    key_action_bucket: {
+      key: `ip:${params.ip}`,
+      action: config.action,
+      bucket,
+    },
+  },
+  create: {
+    key: `ip:${params.ip}`,
+    action: config.action,
+    bucket,
+    count: 1,
+  },
+  update: {
+    count: { increment: 1 },
+  },
+});
+
+if (config.globalMax && result.count >= config.globalMax) {
+  return { isLimited: true, remaining: 0, limit: config.globalMax };
+}
+```
+
+### 2.4 Rate limit definitions
+
+Create `packages/lib/server-only/rate-limit/rate-limits.ts` with all rate limit instances:
+
+```typescript
+// ---- Auth (Tier 1 - Critical, sends emails) ----
+export const signupRateLimit = rateLimit({
+  action: 'auth.signup',
+  max: 5,
+  globalMax: 10,
+  window: '1h',
+});
+
+export const forgotPasswordRateLimit = rateLimit({
+  action: 'auth.forgot-password',
+  max: 3,
+  globalMax: 20,
+  window: '1h',
+});
+
+export const resendVerifyEmailRateLimit = rateLimit({
+  action: 'auth.resend-verify-email',
+  max: 3,
+  globalMax: 20,
+  window: '1h',
+});
+
+export const request2FAEmailRateLimit = rateLimit({
+  action: 'auth.request-2fa-email',
+  max: 5,
+  globalMax: 20,
+  window: '15m',
+});
+
+// ---- Auth (Tier 2 - Unauthenticated) ----
+export const loginRateLimit = rateLimit({
+  action: 'auth.login',
+  max: 10,
+  globalMax: 50,
+  window: '15m',
+});
+
+export const resetPasswordRateLimit = rateLimit({
+  action: 'auth.reset-password',
+  max: 5,
+  globalMax: 20,
+  window: '1h',
+});
+
+export const verifyEmailRateLimit = rateLimit({
+  action: 'auth.verify-email',
+  max: 5,
+  globalMax: 20,
+  window: '15m',
+});
+
+export const passkeyRateLimit = rateLimit({
+  action: 'auth.passkey',
+  max: 10,
+  globalMax: 50,
+  window: '15m',
+});
+
+export const oauthRateLimit = rateLimit({
+  action: 'auth.oauth',
+  max: 10,
+  globalMax: 50,
+  window: '15m',
+});
+
+export const linkOrgAccountRateLimit = rateLimit({
+  action: 'auth.link-org-account',
+  max: 5,
+  globalMax: 20,
+  window: '1h',
+});
+
+// ---- API (Tier 4 - Standard) ----
+export const apiV1RateLimit = rateLimit({
+  action: 'api.v1',
+  max: 100,
+  window: '1m',
+});
+
+export const apiV2RateLimit = rateLimit({
+  action: 'api.v2',
+  max: 100,
+  window: '1m',
+});
+
+export const apiTrpcRateLimit = rateLimit({
+  action: 'api.trpc',
+  max: 100,
+  window: '1m',
+});
+
+export const aiRateLimit = rateLimit({
+  action: 'api.ai',
+  max: 3,
+  window: '1m',
+});
+
+export const fileUploadRateLimit = rateLimit({
+  action: 'api.file-upload',
+  max: 20,
+  window: '1m',
+});
+```
+
+Exact limits are initial values — tune based on observed traffic patterns. These should be easy to adjust.
+
+---
+
+## 3. Integration Points
+
+### 3.1 Hono middleware for API routes
+
+Create a reusable Hono middleware factory in `packages/lib/server-only/rate-limit/rate-limit-middleware.ts` that wraps the `rateLimit` checker into Hono middleware:
+
+```typescript
+import { type MiddlewareHandler } from 'hono';
+
+import { getIpAddress } from '@documenso/lib/universal/get-ip-address';
+
+export const createRateLimitMiddleware = (
+  limiter: ReturnType<typeof rateLimit>,
+  options?: { identifierFn?: (c: Context) => string | undefined },
+): MiddlewareHandler => {
+  return async (c, next) => {
+    let ip: string;
+    try {
+      ip = getIpAddress(c.req.raw);
+    } catch {
+      ip = 'unknown';
+    }
+
+    const identifier = options?.identifierFn?.(c);
+
+    const result = await limiter.check({ ip, identifier });
+
+    c.header('X-RateLimit-Limit', String(result.limit));
+    c.header('X-RateLimit-Remaining', String(result.remaining));
+    c.header('X-RateLimit-Reset', String(Math.ceil(result.reset.getTime() / 1000)));
+
+    if (result.isLimited) {
+      c.header('Retry-After', String(Math.ceil((result.reset.getTime() - Date.now()) / 1000)));
+      return c.json({ error: 'Too many requests, please try again later.' }, 429);
+    }
+
+    await next();
+  };
+};
+```
+
+### 3.2 Replace existing Hono rate limiters
+
+In `apps/remix/server/router.ts`:
+
+- Remove `hono-rate-limiter` import and both `rateLimiter()` instances
+- Replace with `createRateLimitMiddleware()` calls using the defined rate limits
+- API routes use IP-only limiting (no identifier)
+- AI route uses IP-only limiting with the stricter 3/min limit
+
+```typescript
+// Before
+import { rateLimiter } from 'hono-rate-limiter';
+const rateLimitMiddleware = rateLimiter({ ... });
+
+// After
+import { createRateLimitMiddleware } from '@documenso/lib/server-only/rate-limit/rate-limit-middleware';
+import { apiV1RateLimit, apiV2RateLimit, aiRateLimit } from '@documenso/lib/server-only/rate-limit/rate-limits';
+
+const apiV1RateLimitMiddleware = createRateLimitMiddleware(apiV1RateLimit);
+const apiV2RateLimitMiddleware = createRateLimitMiddleware(apiV2RateLimit);
+const aiRateLimitMiddleware = createRateLimitMiddleware(aiRateLimit);
+```
+
+### 3.3 Response helpers for inline checks
+
+For auth routes (Hono handlers) and tRPC routes where rate limiting is applied inline rather than via middleware, provide helpers that handle the response formatting and headers consistently.
+
+**Hono helper** — returns a 429 `Response` with headers if limited, or `null` if allowed:
+
+```typescript
+export const rateLimitResponse = (c: Context, result: RateLimitCheckResult): Response | null => {
+  c.header('X-RateLimit-Limit', String(result.limit));
+  c.header('X-RateLimit-Remaining', String(result.remaining));
+  c.header('X-RateLimit-Reset', String(Math.ceil(result.reset.getTime() / 1000)));
+
+  if (result.isLimited) {
+    c.header('Retry-After', String(Math.ceil((result.reset.getTime() - Date.now()) / 1000)));
+    return c.json({ error: 'Too many requests, please try again later.' }, 429);
+  }
+
+  return null;
+};
+```
+
+Usage in auth routes:
+
+```typescript
+const result = await loginRateLimit.check({
+  ip: requestMetadata.ipAddress ?? 'unknown',
+  identifier: input.email,
+});
+
+const limited = rateLimitResponse(c, result);
+if (limited) return limited;
+```
+
+**tRPC helper** — throws a `TRPCError` with rate limit headers if limited:
+
+```typescript
+export const assertRateLimit = (result: RateLimitCheckResult): void => {
+  if (result.isLimited) {
+    throw new TRPCError({
+      code: 'TOO_MANY_REQUESTS',
+    });
+  }
+};
+```
+
+Usage in tRPC routes:
+
+```typescript
+const result = await request2FAEmailRateLimit.check({
+  ip: ctx.requestMetadata.ipAddress ?? 'unknown',
+  identifier: input.recipientId,
+});
+
+assertRateLimit(result);
+```
+
+Both helpers live in `packages/lib/server-only/rate-limit/rate-limit-middleware.ts` alongside the Hono middleware.
+
+### 3.4 Auth endpoint rate limiting
+
+In `packages/auth/server/routes/email-password.ts`, add rate limit checks at the start of each handler using the `rateLimitResponse` helper.
+
+Apply to each endpoint per the tier list:
+
+| Endpoint                    | Rate Limit                                            |
+| --------------------------- | ----------------------------------------------------- |
+| `POST /signup`              | `signupRateLimit` with `identifier: email`            |
+| `POST /authorize` (login)   | `loginRateLimit` with `identifier: email`             |
+| `POST /forgot-password`     | `forgotPasswordRateLimit` with `identifier: email`    |
+| `POST /resend-verify-email` | `resendVerifyEmailRateLimit` with `identifier: email` |
+| `POST /verify-email`        | `verifyEmailRateLimit` with `identifier: token`       |
+| `POST /reset-password`      | `resetPasswordRateLimit` with `identifier: token`     |
+| `POST /passkey/authorize`   | `passkeyRateLimit` (IP only, no identifier)           |
+| `POST /oauth/authorize/*`   | `oauthRateLimit` (IP only)                            |
+
+### 3.4 tRPC unauthenticated route rate limiting
+
+For unauthenticated tRPC routes that send emails, add rate limit checks at the start of the route handler:
+
+| Route                                                      | Rate Limit                           | Identifier             |
+| ---------------------------------------------------------- | ------------------------------------ | ---------------------- |
+| `document.accessAuth.request2FAEmail`                      | `request2FAEmailRateLimit`           | `recipientId` or token |
+| `enterprise.organisation.authenticationPortal.linkAccount` | `linkOrgAccountRateLimit`            | email                  |
+| `template.createDocumentFromDirectTemplate`                | Dedicated direct template rate limit | IP only                |
+
+Access `requestMetadata` from the tRPC context (`ctx.requestMetadata.ipAddress`).
+
+### 3.5 tRPC and file routes — general API rate limiting
+
+Add rate limit middleware for currently unprotected routes:
+
+- `/api/trpc/*` — apply `apiTrpcRateLimit` middleware
+- `/api/files/*` — apply `fileUploadRateLimit` middleware
+
+---
+
+## 4. Cleanup Job
+
+### 4.1 Job definition
+
+Create `packages/lib/jobs/definitions/internal/cleanup-rate-limits.ts`:
+
+```typescript
+export const CLEANUP_RATE_LIMITS_JOB_DEFINITION = {
+  id: 'internal.cleanup-rate-limits',
+  name: 'Cleanup Rate Limits',
+  version: '1.0.0',
+  trigger: {
+    name: 'internal.cleanup-rate-limits',
+    schema: z.object({}),
+    cron: '*/15 * * * *', // Every 15 minutes
+  },
+  handler: async ({ payload, io }) => {
+    const handler = await import('./cleanup-rate-limits.handler');
+    await handler.run({ payload, io });
+  },
+} as const satisfies JobDefinition<...>;
+```
+
+### 4.2 Job handler
+
+Create `packages/lib/jobs/definitions/internal/cleanup-rate-limits.handler.ts`:
+
+- Delete all `RateLimit` rows where `createdAt` is older than 24 hours (covers all possible windows with margin)
+- Use batched deletes to avoid long-running transactions
+- Batch in chunks of 10,000 rows
+
+```typescript
+export const run = async () => {
+  const cutoff = new Date(Date.now() - 24 * 60 * 60 * 1000);
+
+  let deleted = 0;
+  do {
+    // Prisma doesn't support DELETE with LIMIT, so use raw SQL for batching
+    deleted = await prisma.$executeRaw`
+      DELETE FROM "RateLimit"
+      WHERE "createdAt" < ${cutoff}
+      AND ctid IN (
+        SELECT ctid FROM "RateLimit"
+        WHERE "createdAt" < ${cutoff}
+        LIMIT 10000
+      )
+    `;
+  } while (deleted > 0);
+};
+```
+
+### 4.3 Register in job client
+
+Add `CLEANUP_RATE_LIMITS_JOB_DEFINITION` to the job registry in `packages/lib/jobs/client.ts`.
+
+---
+
+## 5. Remove hono-rate-limiter Dependency
+
+After the migration is complete:
+
+- Remove `hono-rate-limiter` from `apps/remix/package.json`
+- Run `npm install` to clean up
+
+---
+
+## 6. Files to Create or Modify
+
+### New Files
+
+| File                                                                    | Purpose                                                                                                         |
+| ----------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------- |
+| `packages/lib/server-only/rate-limit/rate-limit.ts`                     | Core rate limit factory (`rateLimit()`) with window parsing, bucket computation, Prisma upsert, fail-open       |
+| `packages/lib/server-only/rate-limit/rate-limits.ts`                    | All rate limit instances (auth, API, AI, file upload)                                                           |
+| `packages/lib/server-only/rate-limit/rate-limit-middleware.ts`          | Hono middleware factory, `rateLimitResponse` helper for Hono handlers, `assertRateLimit` helper for tRPC routes |
+| `packages/lib/jobs/definitions/internal/cleanup-rate-limits.ts`         | Cleanup cron job definition                                                                                     |
+| `packages/lib/jobs/definitions/internal/cleanup-rate-limits.handler.ts` | Cleanup handler (batched deletes)                                                                               |
+
+### Modified Files
+
+| File                                                                    | Change                                                                                                      |
+| ----------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |
+| `packages/prisma/schema.prisma`                                         | Add `RateLimit` model                                                                                       |
+| `apps/remix/server/router.ts`                                           | Replace `hono-rate-limiter` with DB-backed middleware, add rate limits for `/api/trpc/*` and `/api/files/*` |
+| `apps/remix/package.json`                                               | Remove `hono-rate-limiter` dependency                                                                       |
+| `packages/auth/server/routes/email-password.ts`                         | Add rate limit checks to signup, login, forgot-password, resend-verify-email, verify-email, reset-password  |
+| `packages/auth/server/routes/passkey.ts`                                | Add rate limit check to passkey authorize                                                                   |
+| `packages/auth/server/routes/oauth.ts`                                  | Add rate limit check to OAuth authorize endpoints                                                           |
+| `packages/trpc/server/document-router/access-auth-request-2fa-email.ts` | Add rate limit check (sends email, unauthenticated)                                                         |
+| `packages/trpc/server/enterprise-router/link-organisation-account.ts`   | Add rate limit check (sends email, unauthenticated)                                                         |
+| `packages/lib/jobs/client.ts`                                           | Register cleanup-rate-limits job definition                                                                 |
+
+---
+
+## 7. Considerations
+
+### 7.1 Fail-open
+
+All rate limit checks must be wrapped in try/catch. On any DB error, log the error and allow the request through. Rate limiting should never block legitimate traffic due to infrastructure issues.
+
+### 7.2 Performance
+
+- Each API request adds 1 upsert query (~1ms)
+- Auth requests add 2 upsert queries (~2ms total)
+- The composite primary key ensures all lookups and upserts are index-only operations
+- No `COUNT(*)` queries — the count is stored directly in the row
+
+### 7.3 Monitoring
+
+Log rate limit hits at `warn` level with the action, key type (IP/identifier), and count. This provides visibility into traffic patterns and helps tune limits.
+
+### 7.4 Testing
+
+The rate limit module should be mockable in tests. Consider exporting the bucket computation and window parsing as standalone functions for unit testing. Integration tests can verify the upsert + count logic against a test database.
+
+### 7.5 Future improvements
+
+- **Redis backend**: if DB pressure from rate limiting becomes measurable, swap the Prisma upsert for Redis `INCR` + `EXPIRE` with no API changes
+- **System-wide circuit breaker**: add a `systemMax` config option that counts all requests for an action regardless of key
@@ -175,6 +175,8 @@ GOOGLE_VERTEX_API_KEY=""
 E2E_TEST_AUTHENTICATE_USERNAME="Test User"
 E2E_TEST_AUTHENTICATE_USER_EMAIL="testuser@mail.com"
 E2E_TEST_AUTHENTICATE_USER_PASSWORD="test_Password123"
+# OPTIONAL: Set to "true" to disable all rate limiting. Only use for E2E tests.
+DANGEROUS_BYPASS_RATE_LIMITS=

 # [[LOGGER]]
 # OPTIONAL: The file to save the logger output to. Will disable stdout if provided.
@@ -41,6 +41,7 @@ jobs:
        env:
          # Needed since we use next start which will set the NODE_ENV to production
          NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH: './example/cert.p12'
+          DANGEROUS_BYPASS_RATE_LIMITS: 'true'

      - uses: actions/upload-artifact@v4
        if: always()
@@ -116,9 +116,11 @@ export function AssistantConfirmationDialog({
                    {!isEditingNextSigner && (
                      <div>
                        <p className="text-muted-foreground text-sm">
-                          The next recipient to sign this document will be{' '}
-                          <span className="font-semibold">{form.watch('name')}</span> (
-                          <span className="font-semibold">{form.watch('email')}</span>).
+                          <Trans>
+                            The next recipient to sign this document will be{' '}
+                            <span className="font-semibold">{form.watch('name')}</span> (
+                            <span className="font-semibold">{form.watch('email')}</span>).
+                          </Trans>
                        </p>

                        <Button
@@ -258,10 +258,10 @@ export const EnvelopeDistributeDialog = ({
                >
                  <TabsList className="w-full">
                    <TabsTrigger className="w-full" value={DocumentDistributionMethod.EMAIL}>
-                      Email
+                      <Trans>Email</Trans>
                    </TabsTrigger>
                    <TabsTrigger className="w-full" value={DocumentDistributionMethod.NONE}>
-                      None
+                      <Trans>None</Trans>
                    </TabsTrigger>
                  </TabsList>
                </Tabs>
@@ -127,7 +127,11 @@ export const TeamCreateDialog = ({ trigger, onCreated, ...props }: TeamCreateDia
  };

  const mapTextToUrl = (text: string) => {
-    return text.toLowerCase().replace(/\s+/g, '-');
+    return text
+      .normalize('NFD')
+      .replace(/[\u0300-\u036f]/g, '')
+      .toLowerCase()
+      .replace(/\s+/g, '-');
  };

  const dialogState = useMemo(() => {
@@ -260,7 +264,7 @@ export const TeamCreateDialog = ({ trigger, onCreated, ...props }: TeamCreateDia
                        <Input className="bg-background" {...field} />
                      </FormControl>
                      {!form.formState.errors.teamUrl && (
-                        <span className="text-foreground/50 text-xs font-normal">
+                        <span className="text-xs font-normal text-foreground/50">
                          {field.value ? (
                            `${NEXT_PUBLIC_WEBAPP_URL()}/t/${field.value}`
                          ) : (
@@ -288,7 +292,7 @@ export const TeamCreateDialog = ({ trigger, onCreated, ...props }: TeamCreateDia
                          />

                          <label
-                            className="text-muted-foreground ml-2 text-sm"
+                            className="ml-2 text-sm text-muted-foreground"
                            htmlFor="inherit-members"
                          >
                            <Trans>Allow all organisation members to access this team</Trans>
@@ -115,7 +115,9 @@ export const ConfigureFieldsView = ({
      templateId: null,
      token: '',
      documentDeletedAt: null,
-      expired: null,
+      expired: null, // !: deprecated Not in use. To be removed in a future migration.
+      expiresAt: null,
+      expirationNotifiedAt: null,
      signedAt: null,
      authOptions: null,
      rejectionReason: null,
@@ -1,3 +1,4 @@
+import { Trans } from '@lingui/react/macro';
 import { Loader } from 'lucide-react';

 export const EmbedClientLoading = () => {
@@ -5,7 +6,9 @@ export const EmbedClientLoading = () => {
    <div className="bg-background fixed left-0 top-0 z-[9999] flex h-full w-full items-center justify-center">
      <Loader className="mr-2 h-4 w-4 animate-spin" />

-      <span>Loading...</span>
+      <span>
+        <Trans>Loading...</Trans>
+      </span>
    </div>
  );
 };
@@ -499,7 +499,9 @@ export const EmbedDirectTemplateClientPage = ({

      {!hidePoweredBy && (
        <div className="fixed bottom-0 left-0 z-40 rounded-tr bg-primary px-2 py-1 text-xs font-medium text-primary-foreground opacity-60 hover:opacity-100">
-          <span>Powered by</span>
+          <span>
+            <Trans>Powered by</Trans>
+          </span>
          <BrandingLogo className="ml-2 inline-block h-[14px]" />
        </div>
      )}
@@ -510,7 +510,9 @@ export const EmbedSignDocumentV1ClientPage = ({

        {!hidePoweredBy && (
          <div className="fixed bottom-0 left-0 z-40 rounded-tr bg-primary px-2 py-1 text-xs font-medium text-primary-foreground opacity-60 hover:opacity-100">
-            <span>Powered by</span>
+            <span>
+              <Trans>Powered by</Trans>
+            </span>
            <BrandingLogo className="ml-2 inline-block h-[14px]" />
          </div>
        )}
@@ -1,6 +1,7 @@
 import { useEffect, useLayoutEffect, useState } from 'react';

 import { useLingui } from '@lingui/react';
+import { EnvelopeType } from '@prisma/client';

 import { mapSecondaryIdToDocumentId } from '@documenso/lib/utils/envelope';

@@ -25,7 +26,7 @@ export const EmbedSignDocumentV2ClientPage = ({
 }: EmbedSignDocumentV2ClientPageProps) => {
  const { _ } = useLingui();

-  const { envelope, recipient, envelopeData, setFullName, fullName } =
+  const { envelope, recipient, envelopeData, setFullName, setEmail, fullName } =
    useRequiredEnvelopeSigningContext();

  const { isCompleted, isRejected, recipientSignature } = envelopeData;
@@ -35,6 +36,7 @@ export const EmbedSignDocumentV2ClientPage = ({
  const [hasFinishedInit, setHasFinishedInit] = useState(false);
  const [allowDocumentRejection, setAllowDocumentRejection] = useState(false);
  const [isNameLocked, setIsNameLocked] = useState(false);
+  const [isEmailLocked, setIsEmailLocked] = useState(envelope.type === EnvelopeType.DOCUMENT);

  const onDocumentCompleted = (data: {
    token: string;
@@ -132,6 +134,17 @@ export const EmbedSignDocumentV2ClientPage = ({
      // Since a recipient can be provided a name we can lock it without requiring
      // a to be provided by the parent application, unlike direct templates.
      setIsNameLocked(!!data.lockName);
+
+      if (envelope.type === EnvelopeType.TEMPLATE) {
+        if (!isCompleted && data.email) {
+          setEmail(data.email);
+        }
+
+        if (data.email) {
+          setIsEmailLocked(!!data.lockEmail);
+        }
+      }
+
      setAllowDocumentRejection(!!data.allowDocumentRejection);

      if (data.darkModeDisabled) {
@@ -213,6 +226,7 @@ export const EmbedSignDocumentV2ClientPage = ({
  return (
    <EmbedSigningProvider
      isNameLocked={isNameLocked}
+      isEmailLocked={isEmailLocked}
      hidePoweredBy={hidePoweredBy}
      allowDocumentRejection={allowDocumentRejection}
      onDocumentCompleted={onDocumentCompleted}
@@ -0,0 +1,46 @@
+import { useEffect, useState } from 'react';
+
+import { Trans } from '@lingui/react/macro';
+
+export const EmbedRecipientExpired = () => {
+  const [hasPostedMessage, setHasPostedMessage] = useState(false);
+
+  useEffect(() => {
+    if (window.parent && !hasPostedMessage) {
+      window.parent.postMessage(
+        {
+          action: 'recipient-expired',
+          data: null,
+        },
+        '*',
+      );
+    }
+
+    setHasPostedMessage(true);
+  }, [hasPostedMessage]);
+
+  if (!hasPostedMessage) {
+    return null;
+  }
+
+  return (
+    <div className="embed--RecipientExpired relative mx-auto flex min-h-[100dvh] max-w-screen-lg flex-col items-center justify-center p-6">
+      <h3 className="text-center text-2xl font-bold text-foreground">
+        <Trans>Signing Window Expired</Trans>
+      </h3>
+
+      <div className="mt-8 max-w-[50ch] text-center">
+        <p className="text-sm text-muted-foreground">
+          <Trans>
+            Your signing window for this document has expired. Please contact the sender for a new
+            invitation.
+          </Trans>
+        </p>
+
+        <p className="mt-4 text-sm text-muted-foreground">
+          <Trans>Please check with the parent application for more information.</Trans>
+        </p>
+      </div>
+    </div>
+  );
+};
@@ -11,6 +11,10 @@ import { useCurrentOrganisation } from '@documenso/lib/client-only/providers/org
 import { useSession } from '@documenso/lib/client-only/providers/session';
 import { DATE_FORMATS } from '@documenso/lib/constants/date-formats';
 import { DOCUMENT_SIGNATURE_TYPES, DocumentSignatureType } from '@documenso/lib/constants/document';
+import {
+  type TEnvelopeExpirationPeriod,
+  ZEnvelopeExpirationPeriod,
+} from '@documenso/lib/constants/envelope-expiration';
 import {
  SUPPORTED_LANGUAGES,
  SUPPORTED_LANGUAGE_CODES,
@@ -27,6 +31,7 @@ import { isPersonalLayout } from '@documenso/lib/utils/organisations';
 import { recipientAbbreviation } from '@documenso/lib/utils/recipient-formatter';
 import { extractTeamSignatureSettings } from '@documenso/lib/utils/teams';
 import { DocumentSignatureSettingsTooltip } from '@documenso/ui/components/document/document-signature-settings-tooltip';
+import { ExpirationPeriodPicker } from '@documenso/ui/components/document/expiration-period-picker';
 import { RecipientRoleSelect } from '@documenso/ui/components/recipient/recipient-role-select';
 import { Alert } from '@documenso/ui/primitives/alert';
 import { AvatarWithText } from '@documenso/ui/primitives/avatar';
@@ -70,6 +75,7 @@ export type TDocumentPreferencesFormSchema = {
  defaultRecipients: TDefaultRecipients | null;
  delegateDocumentOwnership: boolean | null;
  aiFeaturesEnabled: boolean | null;
+  envelopeExpirationPeriod: TEnvelopeExpirationPeriod | null;
 };

 type SettingsSubset = Pick<
@@ -87,6 +93,7 @@ type SettingsSubset = Pick<
  | 'defaultRecipients'
  | 'delegateDocumentOwnership'
  | 'aiFeaturesEnabled'
+  | 'envelopeExpirationPeriod'
 >;

 export type DocumentPreferencesFormProps = {
@@ -126,6 +133,7 @@ export const DocumentPreferencesForm = ({
    defaultRecipients: ZDefaultRecipientsSchema.nullable(),
    delegateDocumentOwnership: z.boolean().nullable(),
    aiFeaturesEnabled: z.boolean().nullable(),
+    envelopeExpirationPeriod: ZEnvelopeExpirationPeriod.nullable(),
  });

  const form = useForm<TDocumentPreferencesFormSchema>({
@@ -146,6 +154,7 @@ export const DocumentPreferencesForm = ({
        : null,
      delegateDocumentOwnership: settings.delegateDocumentOwnership,
      aiFeaturesEnabled: settings.aiFeaturesEnabled,
+      envelopeExpirationPeriod: settings.envelopeExpirationPeriod ?? null,
    },
    resolver: zodResolver(ZDocumentPreferencesFormSchema),
  });
@@ -669,6 +678,35 @@ export const DocumentPreferencesForm = ({
            )}
          />

+          <FormField
+            control={form.control}
+            name="envelopeExpirationPeriod"
+            render={({ field }) => (
+              <FormItem className="flex-1">
+                <FormLabel>
+                  <Trans>Default Envelope Expiration</Trans>
+                </FormLabel>
+
+                <FormControl>
+                  <ExpirationPeriodPicker
+                    value={field.value}
+                    onChange={field.onChange}
+                    inheritLabel={canInherit ? t`Inherit from organisation` : undefined}
+                  />
+                </FormControl>
+
+                <FormDescription>
+                  <Trans>
+                    Controls how long recipients have to complete signing before the document
+                    expires. After expiration, recipients can no longer sign the document.
+                  </Trans>
+                </FormDescription>
+
+                <FormMessage />
+              </FormItem>
+            )}
+          />
+
          {isAiFeaturesConfigured && (
            <FormField
              control={form.control}
@@ -124,7 +124,9 @@ export const AppNavMobile = ({ isMenuOpen, onMenuOpenChange }: AppNavMobileProps
          </div>

          <p className="text-muted-foreground text-sm">
-            © {new Date().getFullYear()} Documenso, Inc. <br /> All rights reserved.
+            © {new Date().getFullYear()} Documenso, Inc.
+            <br />
+            <Trans>All rights reserved.</Trans>
          </p>
        </div>
      </SheetContent>
@@ -118,7 +118,9 @@ export const BillingPlans = ({ plans }: BillingPlansProps) => {

                {price.product.features && price.product.features.length > 0 && (
                  <div className="mt-4 text-muted-foreground">
-                    <div className="text-sm font-medium">Includes:</div>
+                    <div className="text-sm font-medium">
+                      <Trans>Includes:</Trans>
+                    </div>

                    <ul className="mt-1 divide-y text-sm">
                      {price.product.features.map((feature, index) => (
@@ -4,6 +4,7 @@ import { zodResolver } from '@hookform/resolvers/zod';
 import { Trans } from '@lingui/react/macro';
 import { RecipientRole } from '@prisma/client';
 import { useForm } from 'react-hook-form';
+import { match } from 'ts-pattern';
 import { z } from 'zod';

 import { AppError } from '@documenso/lib/errors/app-error';
@@ -27,7 +28,6 @@ import { useRequiredDocumentSigningAuthContext } from './document-signing-auth-p

 export type DocumentSigningAuth2FAProps = {
  actionTarget?: 'FIELD' | 'DOCUMENT';
-  actionVerb?: string;
  open: boolean;
  onOpenChange: (value: boolean) => void;
  onReauthFormSubmit: (values?: TRecipientActionAuth) => Promise<void> | void;
@@ -44,7 +44,6 @@ type T2FAAuthFormSchema = z.infer<typeof Z2FAAuthFormSchema>;

 export const DocumentSigningAuth2FA = ({
  actionTarget = 'FIELD',
-  actionVerb = 'sign',
  onReauthFormSubmit,
  open,
  onOpenChange,
@@ -101,14 +100,39 @@ export const DocumentSigningAuth2FA = ({
        <Alert variant="warning">
          <AlertDescription>
            <p>
-              {recipient.role === RecipientRole.VIEWER && actionTarget === 'DOCUMENT' ? (
-                <Trans>You need to setup 2FA to mark this document as viewed.</Trans>
-              ) : (
-                // Todo: Translate
-                `You need to setup 2FA to ${actionVerb.toLowerCase()} this ${actionTarget.toLowerCase()}.`
-              )}
+              {match({ role: recipient.role, actionTarget })
+                .with({ role: RecipientRole.SIGNER, actionTarget: 'FIELD' }, () => (
+                  <Trans>You need to setup 2FA to sign this field.</Trans>
+                ))
+                .with({ role: RecipientRole.SIGNER, actionTarget: 'DOCUMENT' }, () => (
+                  <Trans>You need to setup 2FA to sign this document.</Trans>
+                ))
+                .with({ role: RecipientRole.APPROVER, actionTarget: 'FIELD' }, () => (
+                  <Trans>You need to setup 2FA to approve this field.</Trans>
+                ))
+                .with({ role: RecipientRole.APPROVER, actionTarget: 'DOCUMENT' }, () => (
+                  <Trans>You need to setup 2FA to approve this document.</Trans>
+                ))
+                .with({ role: RecipientRole.VIEWER, actionTarget: 'FIELD' }, () => (
+                  <Trans>You need to setup 2FA to view this field.</Trans>
+                ))
+                .with({ role: RecipientRole.VIEWER, actionTarget: 'DOCUMENT' }, () => (
+                  <Trans>You need to setup 2FA to mark this document as viewed.</Trans>
+                ))
+                .with({ role: RecipientRole.CC, actionTarget: 'FIELD' }, () => (
+                  <Trans>You need to setup 2FA to view this field.</Trans>
+                ))
+                .with({ role: RecipientRole.CC, actionTarget: 'DOCUMENT' }, () => (
+                  <Trans>You need to setup 2FA to view this document.</Trans>
+                ))
+                .with({ role: RecipientRole.ASSISTANT, actionTarget: 'FIELD' }, () => (
+                  <Trans>You need to setup 2FA to assist with this field.</Trans>
+                ))
+                .with({ role: RecipientRole.ASSISTANT, actionTarget: 'DOCUMENT' }, () => (
+                  <Trans>You need to setup 2FA to assist with this document.</Trans>
+                ))
+                .exhaustive()}
            </p>
-
            <p className="mt-2">
              <Trans>
                By enabling 2FA, you will be required to enter a code from your authenticator app
@@ -138,7 +162,9 @@ export const DocumentSigningAuth2FA = ({
              name="token"
              render={({ field }) => (
                <FormItem>
-                  <FormLabel required>2FA token</FormLabel>
+                  <FormLabel required>
+                    <Trans>2FA token</Trans>
+                  </FormLabel>

                  <FormControl>
                    <PinInput {...field} value={field.value ?? ''} maxLength={6}>
@@ -2,6 +2,7 @@ import { useState } from 'react';

 import { Trans, useLingui } from '@lingui/react/macro';
 import { RecipientRole } from '@prisma/client';
+import { match } from 'ts-pattern';

 import { authClient } from '@documenso/auth/client';
 import { Alert, AlertDescription } from '@documenso/ui/primitives/alert';
@@ -13,13 +14,11 @@ import { useRequiredDocumentSigningAuthContext } from './document-signing-auth-p

 export type DocumentSigningAuthAccountProps = {
  actionTarget?: 'FIELD' | 'DOCUMENT';
-  actionVerb?: string;
  onOpenChange: (value: boolean) => void;
 };

 export const DocumentSigningAuthAccount = ({
  actionTarget = 'FIELD',
-  actionVerb = 'sign',
  onOpenChange,
 }: DocumentSigningAuthAccountProps) => {
  const { recipient, isDirectTemplate } = useRequiredDocumentSigningAuthContext();
@@ -55,32 +54,110 @@ export const DocumentSigningAuthAccount = ({
    <fieldset disabled={isSigningOut} className="space-y-4">
      <Alert variant="warning">
        <AlertDescription>
-          {actionTarget === 'DOCUMENT' && recipient.role === RecipientRole.VIEWER ? (
-            <span>
-              {isDirectTemplate ? (
-                <Trans>To mark this document as viewed, you need to be logged in.</Trans>
-              ) : (
-                <Trans>
-                  To mark this document as viewed, you need to be logged in as{' '}
-                  <strong>{recipient.email}</strong>
-                </Trans>
-              )}
-            </span>
-          ) : (
-            <span>
-              {isDirectTemplate ? (
-                <Trans>
-                  To {actionVerb.toLowerCase()} this {actionTarget.toLowerCase()}, you need to be
-                  logged in.
-                </Trans>
-              ) : (
-                <Trans>
-                  To {actionVerb.toLowerCase()} this {actionTarget.toLowerCase()}, you need to be
-                  logged in as <strong>{recipient.email}</strong>
-                </Trans>
-              )}
-            </span>
-          )}
+          <span>
+            {match({ role: recipient.role, actionTarget })
+              .with({ role: RecipientRole.SIGNER, actionTarget: 'FIELD' }, () =>
+                isDirectTemplate ? (
+                  <Trans>To sign this field, you need to be logged in.</Trans>
+                ) : (
+                  <Trans>
+                    To sign this field, you need to be logged in as{' '}
+                    <strong>{recipient.email}</strong>
+                  </Trans>
+                ),
+              )
+              .with({ role: RecipientRole.SIGNER, actionTarget: 'DOCUMENT' }, () =>
+                isDirectTemplate ? (
+                  <Trans>To sign this document, you need to be logged in.</Trans>
+                ) : (
+                  <Trans>
+                    To sign this document, you need to be logged in as{' '}
+                    <strong>{recipient.email}</strong>
+                  </Trans>
+                ),
+              )
+              .with({ role: RecipientRole.APPROVER, actionTarget: 'FIELD' }, () =>
+                isDirectTemplate ? (
+                  <Trans>To approve this field, you need to be logged in.</Trans>
+                ) : (
+                  <Trans>
+                    To approve this field, you need to be logged in as{' '}
+                    <strong>{recipient.email}</strong>
+                  </Trans>
+                ),
+              )
+              .with({ role: RecipientRole.APPROVER, actionTarget: 'DOCUMENT' }, () =>
+                isDirectTemplate ? (
+                  <Trans>To approve this document, you need to be logged in.</Trans>
+                ) : (
+                  <Trans>
+                    To approve this document, you need to be logged in as{' '}
+                    <strong>{recipient.email}</strong>
+                  </Trans>
+                ),
+              )
+              .with({ role: RecipientRole.VIEWER, actionTarget: 'FIELD' }, () =>
+                isDirectTemplate ? (
+                  <Trans>To view this field, you need to be logged in.</Trans>
+                ) : (
+                  <Trans>
+                    To view this field, you need to be logged in as{' '}
+                    <strong>{recipient.email}</strong>
+                  </Trans>
+                ),
+              )
+              .with({ role: RecipientRole.VIEWER, actionTarget: 'DOCUMENT' }, () =>
+                isDirectTemplate ? (
+                  <Trans>To mark this document as viewed, you need to be logged in.</Trans>
+                ) : (
+                  <Trans>
+                    To mark this document as viewed, you need to be logged in as{' '}
+                    <strong>{recipient.email}</strong>
+                  </Trans>
+                ),
+              )
+              .with({ role: RecipientRole.CC, actionTarget: 'FIELD' }, () =>
+                isDirectTemplate ? (
+                  <Trans>To view this field, you need to be logged in.</Trans>
+                ) : (
+                  <Trans>
+                    To view this field, you need to be logged in as{' '}
+                    <strong>{recipient.email}</strong>
+                  </Trans>
+                ),
+              )
+              .with({ role: RecipientRole.CC, actionTarget: 'DOCUMENT' }, () =>
+                isDirectTemplate ? (
+                  <Trans>To view this document, you need to be logged in.</Trans>
+                ) : (
+                  <Trans>
+                    To view this document, you need to be logged in as{' '}
+                    <strong>{recipient.email}</strong>
+                  </Trans>
+                ),
+              )
+              .with({ role: RecipientRole.ASSISTANT, actionTarget: 'FIELD' }, () =>
+                isDirectTemplate ? (
+                  <Trans>To assist with this field, you need to be logged in.</Trans>
+                ) : (
+                  <Trans>
+                    To assist with this field, you need to be logged in as{' '}
+                    <strong>{recipient.email}</strong>
+                  </Trans>
+                ),
+              )
+              .with({ role: RecipientRole.ASSISTANT, actionTarget: 'DOCUMENT' }, () =>
+                isDirectTemplate ? (
+                  <Trans>To assist with this document, you need to be logged in.</Trans>
+                ) : (
+                  <Trans>
+                    To assist with this document, you need to be logged in as{' '}
+                    <strong>{recipient.email}</strong>
+                  </Trans>
+                ),
+              )
+              .exhaustive()}
+          </span>
        </AlertDescription>
      </Alert>

@@ -8,6 +8,7 @@ import { RecipientRole } from '@prisma/client';
 import { browserSupportsWebAuthn, startAuthentication } from '@simplewebauthn/browser';
 import { Loader } from 'lucide-react';
 import { useForm } from 'react-hook-form';
+import { match } from 'ts-pattern';
 import { z } from 'zod';

 import { AppError } from '@documenso/lib/errors/app-error';
@@ -38,7 +39,6 @@ import { useRequiredDocumentSigningAuthContext } from './document-signing-auth-p

 export type DocumentSigningAuthPasskeyProps = {
  actionTarget?: 'FIELD' | 'DOCUMENT';
-  actionVerb?: string;
  open: boolean;
  onOpenChange: (value: boolean) => void;
  onReauthFormSubmit: (values?: TRecipientActionAuth) => Promise<void> | void;
@@ -52,7 +52,6 @@ type TPasskeyAuthFormSchema = z.infer<typeof ZPasskeyAuthFormSchema>;

 export const DocumentSigningAuthPasskey = ({
  actionTarget = 'FIELD',
-  actionVerb = 'sign',
  onReauthFormSubmit,
  open,
  onOpenChange,
@@ -128,9 +127,62 @@ export const DocumentSigningAuthPasskey = ({
      <div className="space-y-4">
        <Alert variant="warning">
          <AlertDescription>
-            {/* Todo: Translate */}
-            Your browser does not support passkeys, which is required to {actionVerb.toLowerCase()}{' '}
-            this {actionTarget.toLowerCase()}.
+            {match({ role: recipient.role, actionTarget })
+              .with({ role: RecipientRole.SIGNER, actionTarget: 'FIELD' }, () => (
+                <Trans>
+                  Your browser does not support passkeys, which is required to sign this field.
+                </Trans>
+              ))
+              .with({ role: RecipientRole.SIGNER, actionTarget: 'DOCUMENT' }, () => (
+                <Trans>
+                  Your browser does not support passkeys, which is required to sign this document.
+                </Trans>
+              ))
+              .with({ role: RecipientRole.APPROVER, actionTarget: 'FIELD' }, () => (
+                <Trans>
+                  Your browser does not support passkeys, which is required to approve this field.
+                </Trans>
+              ))
+              .with({ role: RecipientRole.APPROVER, actionTarget: 'DOCUMENT' }, () => (
+                <Trans>
+                  Your browser does not support passkeys, which is required to approve this
+                  document.
+                </Trans>
+              ))
+              .with({ role: RecipientRole.VIEWER, actionTarget: 'FIELD' }, () => (
+                <Trans>
+                  Your browser does not support passkeys, which is required to view this field.
+                </Trans>
+              ))
+              .with({ role: RecipientRole.VIEWER, actionTarget: 'DOCUMENT' }, () => (
+                <Trans>
+                  Your browser does not support passkeys, which is required to mark this document as
+                  viewed.
+                </Trans>
+              ))
+              .with({ role: RecipientRole.CC, actionTarget: 'FIELD' }, () => (
+                <Trans>
+                  Your browser does not support passkeys, which is required to view this field.
+                </Trans>
+              ))
+              .with({ role: RecipientRole.CC, actionTarget: 'DOCUMENT' }, () => (
+                <Trans>
+                  Your browser does not support passkeys, which is required to view this document.
+                </Trans>
+              ))
+              .with({ role: RecipientRole.ASSISTANT, actionTarget: 'FIELD' }, () => (
+                <Trans>
+                  Your browser does not support passkeys, which is required to assist with this
+                  field.
+                </Trans>
+              ))
+              .with({ role: RecipientRole.ASSISTANT, actionTarget: 'DOCUMENT' }, () => (
+                <Trans>
+                  Your browser does not support passkeys, which is required to assist with this
+                  document.
+                </Trans>
+              ))
+              .exhaustive()}
          </AlertDescription>
        </Alert>

@@ -178,10 +230,38 @@ export const DocumentSigningAuthPasskey = ({
      <div className="space-y-4">
        <Alert variant="warning">
          <AlertDescription>
-            {/* Todo: Translate */}
-            {recipient.role === RecipientRole.VIEWER && actionTarget === 'DOCUMENT'
-              ? 'You need to setup a passkey to mark this document as viewed.'
-              : `You need to setup a passkey to ${actionVerb.toLowerCase()} this ${actionTarget.toLowerCase()}.`}
+            {match({ role: recipient.role, actionTarget })
+              .with({ role: RecipientRole.SIGNER, actionTarget: 'FIELD' }, () => (
+                <Trans>You need to setup a passkey to sign this field.</Trans>
+              ))
+              .with({ role: RecipientRole.SIGNER, actionTarget: 'DOCUMENT' }, () => (
+                <Trans>You need to setup a passkey to sign this document.</Trans>
+              ))
+              .with({ role: RecipientRole.APPROVER, actionTarget: 'FIELD' }, () => (
+                <Trans>You need to setup a passkey to approve this field.</Trans>
+              ))
+              .with({ role: RecipientRole.APPROVER, actionTarget: 'DOCUMENT' }, () => (
+                <Trans>You need to setup a passkey to approve this document.</Trans>
+              ))
+              .with({ role: RecipientRole.VIEWER, actionTarget: 'FIELD' }, () => (
+                <Trans>You need to setup a passkey to view this field.</Trans>
+              ))
+              .with({ role: RecipientRole.VIEWER, actionTarget: 'DOCUMENT' }, () => (
+                <Trans>You need to setup a passkey to mark this document as viewed.</Trans>
+              ))
+              .with({ role: RecipientRole.CC, actionTarget: 'FIELD' }, () => (
+                <Trans>You need to setup a passkey to view this field.</Trans>
+              ))
+              .with({ role: RecipientRole.CC, actionTarget: 'DOCUMENT' }, () => (
+                <Trans>You need to setup a passkey to view this document.</Trans>
+              ))
+              .with({ role: RecipientRole.ASSISTANT, actionTarget: 'FIELD' }, () => (
+                <Trans>You need to setup a passkey to assist with this field.</Trans>
+              ))
+              .with({ role: RecipientRole.ASSISTANT, actionTarget: 'DOCUMENT' }, () => (
+                <Trans>You need to setup a passkey to assist with this document.</Trans>
+              ))
+              .exhaustive()}
          </AlertDescription>
        </Alert>

@@ -213,7 +293,9 @@ export const DocumentSigningAuthPasskey = ({
              name="passkeyId"
              render={({ field }) => (
                <FormItem>
-                  <FormLabel required>Passkey</FormLabel>
+                  <FormLabel required>
+                    <Trans>Passkey</Trans>
+                  </FormLabel>

                  <FormControl>
                    <Select {...field} onValueChange={field.onChange}>
@@ -241,20 +323,24 @@ export const DocumentSigningAuthPasskey = ({

            {formErrorCode && (
              <Alert variant="destructive">
-                <AlertTitle>Unauthorized</AlertTitle>
+                <AlertTitle>
+                  <Trans>Unauthorized</Trans>
+                </AlertTitle>
                <AlertDescription>
-                  We were unable to verify your details. Please try again or contact support
+                  <Trans>
+                    We were unable to verify your details. Please try again or contact support
+                  </Trans>
                </AlertDescription>
              </Alert>
            )}

            <DialogFooter>
              <Button type="button" variant="secondary" onClick={() => onOpenChange(false)}>
-                Cancel
+                <Trans>Cancel</Trans>
              </Button>

              <Button type="submit" loading={isCurrentlyAuthenticating}>
-                Sign
+                <Trans>Sign</Trans>
              </Button>
            </DialogFooter>
          </div>
@@ -23,8 +23,6 @@ import { Input } from '@documenso/ui/primitives/input';
 import { useRequiredDocumentSigningAuthContext } from './document-signing-auth-provider';

 export type DocumentSigningAuthPasswordProps = {
-  actionTarget?: 'FIELD' | 'DOCUMENT';
-  actionVerb?: string;
  open: boolean;
  onOpenChange: (value: boolean) => void;
  onReauthFormSubmit: (values?: TRecipientActionAuth) => Promise<void> | void;
@@ -40,8 +38,6 @@ const ZPasswordAuthFormSchema = z.object({
 type TPasswordAuthFormSchema = z.infer<typeof ZPasswordAuthFormSchema>;

 export const DocumentSigningAuthPassword = ({
-  actionTarget = 'FIELD',
-  actionVerb = 'sign',
  onReauthFormSubmit,
  open,
  onOpenChange,
@@ -162,7 +162,9 @@ export const DocumentSigningAutoSign = ({ recipient, fields }: DocumentSigningAu
    <Dialog open={open} onOpenChange={setOpen}>
      <DialogContent>
        <DialogHeader>
-          <DialogTitle>Automatically sign fields</DialogTitle>
+          <DialogTitle>
+            <Trans>Automatically sign fields</Trans>
+          </DialogTitle>
        </DialogHeader>

        <div className="text-muted-foreground max-w-[50ch]">
@@ -122,7 +122,9 @@ export const DocumentSigningMobileWidget = () => {

              {!hidePoweredBy && (
                <div className="mt-2 inline-block rounded bg-primary px-2 py-1 text-xs font-medium text-primary-foreground opacity-60 hover:opacity-100 lg:hidden">
-                  <span>Powered by</span>
+                  <span>
+                    <Trans>Powered by</Trans>
+                  </span>
                  <BrandingLogo className="ml-2 inline-block h-[14px]" />
                </div>
              )}
@@ -252,7 +252,9 @@ export const DocumentSigningPageViewV2 = () => {
                  target="_blank"
                  className="fixed bottom-0 right-0 z-40 hidden cursor-pointer rounded-tl bg-primary px-2 py-1 text-xs font-medium text-primary-foreground opacity-60 hover:opacity-100 lg:block"
                >
-                  <span>Powered by</span>
+                  <span>
+                    <Trans>Powered by</Trans>
+                  </span>
                  <BrandingLogo className="ml-2 inline-block h-[14px]" />
                </a>
              )}
@@ -9,19 +9,21 @@ import {
  AlertTriangle,
  CheckIcon,
  Clock,
+  Clock8Icon,
  MailIcon,
  MailOpenIcon,
  PenIcon,
  PlusIcon,
  UserIcon,
 } from 'lucide-react';
+import { DateTime } from 'luxon';
 import { Link, useSearchParams } from 'react-router';
 import { match } from 'ts-pattern';

 import { RECIPIENT_ROLES_DESCRIPTION } from '@documenso/lib/constants/recipient-roles';
 import type { TEnvelope } from '@documenso/lib/types/envelope';
 import { isDocumentCompleted } from '@documenso/lib/utils/document';
-import { formatSigningLink } from '@documenso/lib/utils/recipients';
+import { formatSigningLink, isRecipientExpired } from '@documenso/lib/utils/recipients';
 import { CopyTextButton } from '@documenso/ui/components/common/copy-text-button';
 import { SignatureIcon } from '@documenso/ui/icons/signature';
 import { AvatarWithText } from '@documenso/ui/primitives/avatar';
@@ -44,7 +46,7 @@ export const DocumentPageViewRecipients = ({
  envelope,
  documentRootPath,
 }: DocumentPageViewRecipientsProps) => {
-  const { _ } = useLingui();
+  const { _, i18n } = useLingui();
  const { toast } = useToast();
  const [searchParams, setSearchParams] = useSearchParams();

@@ -66,9 +68,9 @@ export const DocumentPageViewRecipients = ({
  }, [searchParams, setSearchParams]);

  return (
-    <section className="dark:bg-background border-border bg-widget flex flex-col rounded-xl border">
+    <section className="flex flex-col rounded-xl border border-border bg-widget dark:bg-background">
      <div className="flex flex-row items-center justify-between px-4 py-3">
-        <h1 className="text-foreground font-medium">
+        <h1 className="font-medium text-foreground">
          <Trans>Recipients</Trans>
        </h1>

@@ -87,7 +89,7 @@ export const DocumentPageViewRecipients = ({
        )}
      </div>

-      <ul className="text-muted-foreground divide-y border-t">
+      <ul className="divide-y border-t text-muted-foreground">
        {recipients.length === 0 && (
          <li className="flex flex-col items-center justify-center py-6 text-sm">
            <Trans>No recipients</Trans>
@@ -98,9 +100,9 @@ export const DocumentPageViewRecipients = ({
          <li key={recipient.id} className="flex items-center justify-between px-4 py-2.5 text-sm">
            <AvatarWithText
              avatarFallback={recipient.email.slice(0, 1).toUpperCase()}
-              primaryText={<p className="text-muted-foreground text-sm">{recipient.email}</p>}
+              primaryText={<p className="text-sm text-muted-foreground">{recipient.email}</p>}
              secondaryText={
-                <p className="text-muted-foreground/70 text-xs">
+                <p className="text-xs text-muted-foreground/70">
                  {_(RECIPIENT_ROLES_DESCRIPTION[recipient.role].roleName)}
                </p>
              }
@@ -154,12 +156,41 @@ export const DocumentPageViewRecipients = ({
                )}

              {envelope.status !== DocumentStatus.DRAFT &&
-                recipient.signingStatus === SigningStatus.NOT_SIGNED && (
+                recipient.signingStatus === SigningStatus.NOT_SIGNED &&
+                isRecipientExpired(recipient) && (
+                  <Badge variant="destructive">
+                    <Clock8Icon className="mr-1 h-3 w-3" />
+                    <Trans>Expired</Trans>
+                  </Badge>
+                )}
+
+              {envelope.status !== DocumentStatus.DRAFT &&
+                recipient.signingStatus === SigningStatus.NOT_SIGNED &&
+                !isRecipientExpired(recipient) &&
+                (recipient.expiresAt ? (
+                  <PopoverHover
+                    trigger={
+                      <Badge variant="secondary">
+                        <Clock className="mr-1 h-3 w-3" />
+                        <Trans>Pending</Trans>
+                      </Badge>
+                    }
+                  >
+                    <p className="text-xs text-muted-foreground">
+                      <Trans>
+                        Expires{' '}
+                        {recipient.expiresAt
+                          ? i18n.date(recipient.expiresAt, DateTime.DATETIME_MED)
+                          : 'N/A'}
+                      </Trans>
+                    </p>
+                  </PopoverHover>
+                ) : (
                  <Badge variant="secondary">
                    <Clock className="mr-1 h-3 w-3" />
                    <Trans>Pending</Trans>
                  </Badge>
-                )}
+                ))}

              {envelope.status !== DocumentStatus.DRAFT &&
                recipient.signingStatus === SigningStatus.REJECTED && (
@@ -175,7 +206,7 @@ export const DocumentPageViewRecipients = ({
                      <Trans>Reason for rejection: </Trans>
                    </p>

-                    <p className="text-muted-foreground mt-1 text-sm">
+                    <p className="mt-1 text-sm text-muted-foreground">
                      {recipient.rejectionReason}
                    </p>
                  </PopoverHover>
@@ -183,7 +214,8 @@ export const DocumentPageViewRecipients = ({

              {envelope.status === DocumentStatus.PENDING &&
                recipient.signingStatus === SigningStatus.NOT_SIGNED &&
-                recipient.role !== RecipientRole.CC && (
+                recipient.role !== RecipientRole.CC &&
+                !isRecipientExpired(recipient) && (
                  <TooltipProvider>
                    <Tooltip open={shouldHighlightCopyButtons && i === 0}>
                      <TooltipTrigger asChild>
@@ -434,15 +434,31 @@ export default function EnvelopeEditorFieldsPageRenderer() {
      renderFieldOnLayer(field);
    });

+    // Reconcile selection state with live field nodes after flush/sync updates.
+    const liveSelectedFieldGroups = selectedKonvaFieldGroups.filter((fieldGroup) => {
+      if (!fieldGroup.getStage() || !fieldGroup.getParent()) {
+        return false;
+      }
+
+      return localPageFields.some((field) => field.formId === fieldGroup.id());
+    });
+
+    if (liveSelectedFieldGroups.length !== selectedKonvaFieldGroups.length) {
+      setSelectedFields(liveSelectedFieldGroups);
+    }
+
    // Rerender the transformer
    interactiveTransformer.current?.forceUpdate();

    pageLayer.current.batchDraw();
-  }, [localPageFields]);
+  }, [localPageFields, selectedKonvaFieldGroups]);

  const setSelectedFields = (nodes: Konva.Node[]) => {
    // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
-    const fieldGroups = nodes.filter((node) => node.hasName('field-group')) as Konva.Group[];
+    const fieldGroups = nodes.filter(
+      (node) =>
+        node.hasName('field-group') && Boolean(node.getStage()) && Boolean(node.getParent()),
+    ) as Konva.Group[];

    interactiveTransformer.current?.nodes(fieldGroups);
    setSelectedKonvaFieldGroups(fieldGroups);
@@ -674,6 +690,10 @@ const FieldActionButtons = ({
      selectedFieldFormId.includes(field.formId),
    );

+    if (fields.length === 0) {
+      return null;
+    }
+
    const recipient = envelope.recipients.find(
      (recipient) => recipient.id === fields[0].recipientId,
    );
@@ -689,7 +709,7 @@ const FieldActionButtons = ({
    }

    return null;
-  }, [editorFields.localFields]);
+  }, [editorFields.localFields, envelope.recipients, selectedFieldFormId]);

  return (
    <div className="flex flex-col items-center" {...props}>
@@ -296,19 +296,31 @@ export const EnvelopeEditorFieldsPage = () => {

                      <div className="space-y-2 rounded-md border border-border bg-muted/50 p-3 text-sm text-foreground">
                        <p>
-                          <span className="min-w-12 text-muted-foreground">Pos X:&nbsp;</span>
+                          <span className="min-w-12 text-muted-foreground">
+                            <Trans>Pos X:</Trans>
+                          </span>
+                          &nbsp;
                          {selectedField.positionX.toFixed(2)}
                        </p>
                        <p>
-                          <span className="min-w-12 text-muted-foreground">Pos Y:&nbsp;</span>
+                          <span className="min-w-12 text-muted-foreground">
+                            <Trans>Pos Y:</Trans>
+                          </span>
+                          &nbsp;
                          {selectedField.positionY.toFixed(2)}
                        </p>
                        <p>
-                          <span className="min-w-12 text-muted-foreground">Width:&nbsp;</span>
+                          <span className="min-w-12 text-muted-foreground">
+                            <Trans>Width:</Trans>
+                          </span>
+                          &nbsp;
                          {selectedField.width.toFixed(2)}
                        </p>
                        <p>
-                          <span className="min-w-12 text-muted-foreground">Height:&nbsp;</span>
+                          <span className="min-w-12 text-muted-foreground">
+                            <Trans>Height:</Trans>
+                          </span>
+                          &nbsp;
                          {selectedField.height.toFixed(2)}
                        </p>
                      </div>
@@ -22,6 +22,7 @@ import {
  DOCUMENT_DISTRIBUTION_METHODS,
  DOCUMENT_SIGNATURE_TYPES,
 } from '@documenso/lib/constants/document';
+import { ZEnvelopeExpirationPeriod } from '@documenso/lib/constants/envelope-expiration';
 import {
  SUPPORTED_LANGUAGES,
  SUPPORTED_LANGUAGE_CODES,
@@ -62,6 +63,7 @@ import {
  DocumentVisibilitySelect,
  DocumentVisibilityTooltip,
 } from '@documenso/ui/components/document/document-visibility-select';
+import { ExpirationPeriodPicker } from '@documenso/ui/components/document/expiration-period-picker';
 import { cn } from '@documenso/ui/lib/utils';
 import { Button } from '@documenso/ui/primitives/button';
 import { CardDescription, CardHeader, CardTitle } from '@documenso/ui/primitives/card';
@@ -135,6 +137,7 @@ export const ZAddSettingsFormSchema = z.object({
    signatureTypes: z.array(z.nativeEnum(DocumentSignatureType)).min(1, {
      message: msg`At least one signature type must be enabled`.id,
    }),
+    envelopeExpirationPeriod: ZEnvelopeExpirationPeriod.nullish(),
  }),
 });

@@ -207,6 +210,7 @@ export const EnvelopeEditorSettingsDialog = ({
        emailReplyTo: envelope.documentMeta.emailReplyTo ?? undefined,
        emailSettings: ZDocumentEmailSettingsSchema.parse(envelope.documentMeta.emailSettings),
        signatureTypes: extractTeamSignatureSettings(envelope.documentMeta),
+        envelopeExpirationPeriod: envelope.documentMeta?.envelopeExpirationPeriod ?? null,
      },
    };
  };
@@ -245,6 +249,7 @@ export const EnvelopeEditorSettingsDialog = ({
      message,
      subject,
      emailReplyTo,
+      envelopeExpirationPeriod,
    } = data.meta;

    const parsedGlobalAccessAuth = z
@@ -273,6 +278,7 @@ export const EnvelopeEditorSettingsDialog = ({
          drawSignatureEnabled: signatureTypes.includes(DocumentSignatureType.DRAW),
          typedSignatureEnabled: signatureTypes.includes(DocumentSignatureType.TYPE),
          uploadSignatureEnabled: signatureTypes.includes(DocumentSignatureType.UPLOAD),
+          envelopeExpirationPeriod,
        },
      });

@@ -373,7 +379,7 @@ export const EnvelopeEditorSettingsDialog = ({
          <Form {...form}>
            <form onSubmit={form.handleSubmit(onFormSubmit)}>
              <fieldset
-                className="flex h-[45rem] max-h-[calc(100vh-14rem)] w-full flex-col space-y-6 overflow-y-auto px-6 pt-6"
+                className="flex h-[45rem] max-h-[calc(100vh-14rem)] w-full flex-col space-y-6 overflow-y-auto px-6 py-6"
                disabled={form.formState.isSubmitting}
                key={activeTab}
              >
@@ -636,6 +642,40 @@ export const EnvelopeEditorSettingsDialog = ({
                          </FormItem>
                        )}
                      />
+
+                      <FormField
+                        control={form.control}
+                        name="meta.envelopeExpirationPeriod"
+                        render={({ field }) => (
+                          <FormItem>
+                            <FormLabel className="flex flex-row items-center">
+                              <Trans>Expiration</Trans>
+                              <Tooltip>
+                                <TooltipTrigger>
+                                  <InfoIcon className="mx-2 h-4 w-4" />
+                                </TooltipTrigger>
+
+                                <TooltipContent className="max-w-xs text-muted-foreground">
+                                  <Trans>
+                                    How long recipients have to complete this document after it is
+                                    sent. Uses the team default when set to inherit.
+                                  </Trans>
+                                </TooltipContent>
+                              </Tooltip>
+                            </FormLabel>
+
+                            <FormControl>
+                              <ExpirationPeriodPicker
+                                value={field.value}
+                                onChange={field.onChange}
+                                disabled={envelopeHasBeenSent}
+                              />
+                            </FormControl>
+
+                            <FormMessage />
+                          </FormItem>
+                        )}
+                      />
                    </>
                  ))
                  .with('email', () => (
@@ -51,7 +51,7 @@ export const UserProfileSkeleton = ({ className, user, rows = 2 }: UserProfileSk
      <div className="mt-8 w-full">
        <div className="dark:divide-foreground/30 dark:border-foreground/30 divide-y-2 divide-neutral-200 overflow-hidden rounded-lg border-2 border-neutral-200">
          <div className="text-muted-foreground dark:bg-foreground/20 bg-neutral-50 p-4 font-medium">
-            Documents
+            <Trans>Documents</Trans>
          </div>

          {Array(rows)
@@ -1,5 +1,6 @@
 import { msg } from '@lingui/core/macro';
 import { useLingui } from '@lingui/react';
+import { Trans } from '@lingui/react/macro';
 import { WebhookTriggerEvents } from '@prisma/client';

 import { toFriendlyWebhookEventName } from '@documenso/lib/universal/webhook/to-friendly-webhook-event-name';
@@ -41,7 +42,11 @@ export const WebhookMultiSelectCombobox = ({
      placeholder={_(msg`Select triggers`)}
      hideClearAllButton
      hidePlaceholderWhenSelected
-      emptyIndicator={<p className="text-center text-sm">No triggers available</p>}
+      emptyIndicator={
+        <p className="text-center text-sm">
+          <Trans>No triggers available</Trans>
+        </p>
+      }
    />
  );
 };
@@ -96,7 +96,9 @@ export const AdminDocumentLogsTable = ({ envelopeId }: AdminDocumentLogsTablePro
              )}
            </div>
          ) : (
-            <p>N/A</p>
+            <p>
+              <Trans>N/A</Trans>
+            </p>
          ),
      },
      {
@@ -2,6 +2,7 @@ import { useMemo } from 'react';

 import { msg } from '@lingui/core/macro';
 import { useLingui } from '@lingui/react';
+import { Trans } from '@lingui/react/macro';
 import { DateTime } from 'luxon';
 import type { DateTimeFormatOptions } from 'luxon';
 import { useSearchParams } from 'react-router';
@@ -88,7 +89,9 @@ export const DocumentLogsTable = ({ documentId, userId }: DocumentLogsTableProps
              )}
            </div>
          ) : (
-            <p>N/A</p>
+            <p>
+              <Trans>N/A</Trans>
+            </p>
          ),
      },
      {
@@ -107,7 +107,11 @@ export default function OrganisationGroupSettingsPage({
        cell: ({ row }) => (
          <div className="flex items-center gap-2">
            <Link to={`/admin/users/${row.original.user.id}`}>{row.original.user.name}</Link>
-            {row.original.user.id === organisation?.ownerUserId && <Badge>Owner</Badge>}
+            {row.original.user.id === organisation?.ownerUserId && (
+              <Badge>
+                <Trans>Owner</Trans>
+              </Badge>
+            )}
          </div>
        ),
      },
@@ -208,7 +212,9 @@ export default function OrganisationGroupSettingsPage({
                {SUBSCRIPTION_STATUS_MAP[organisation.subscription.status]} subscription found
              </span>
            ) : (
-              <span>No subscription found</span>
+              <span>
+                <Trans>No subscription found</Trans>
+              </span>
            )}
          </AlertDescription>
        </div>
@@ -60,6 +60,7 @@ export default function OrganisationSettingsDocumentPage() {
        defaultRecipients,
        delegateDocumentOwnership,
        aiFeaturesEnabled,
+        envelopeExpirationPeriod,
      } = data;

      if (
@@ -90,6 +91,7 @@ export default function OrganisationSettingsDocumentPage() {
          drawSignatureEnabled: signatureTypes.includes(DocumentSignatureType.DRAW),
          delegateDocumentOwnership: delegateDocumentOwnership,
          aiFeaturesEnabled,
+          envelopeExpirationPeriod: envelopeExpirationPeriod ?? undefined,
        },
      });

@@ -66,7 +66,9 @@ export default function DocumentsFoldersPage() {
            onClick={() => navigateToFolder(null)}
          >
            <HomeIcon className="h-4 w-4" />
-            <span>Home</span>
+            <span>
+              <Trans>Home</Trans>
+            </span>
          </Button>
        </div>

@@ -53,6 +53,7 @@ export default function TeamsSettingsPage() {
        defaultRecipients,
        delegateDocumentOwnership,
        aiFeaturesEnabled,
+        envelopeExpirationPeriod,
      } = data;

      await updateTeamSettings({
@@ -67,6 +68,7 @@ export default function TeamsSettingsPage() {
          includeAuditLog,
          defaultRecipients,
          aiFeaturesEnabled,
+          envelopeExpirationPeriod,
          ...(signatureTypes.length === 0
            ? {
                typedSignatureEnabled: null,
@@ -66,7 +66,9 @@ export default function TemplatesFoldersPage() {
            onClick={() => navigateToFolder(null)}
          >
            <HomeIcon className="h-4 w-4" />
-            <span>Home</span>
+            <span>
+              <Trans>Home</Trans>
+            </span>
          </Button>
        </div>

@@ -25,6 +25,7 @@ import { getTeamSettings } from '@documenso/lib/server-only/team/get-team-settin
 import { getUserByEmail } from '@documenso/lib/server-only/user/get-user-by-email';
 import { DocumentAccessAuth } from '@documenso/lib/types/document-auth';
 import { extractDocumentAuthMethods } from '@documenso/lib/utils/document-auth';
+import { isRecipientExpired } from '@documenso/lib/utils/recipients';
 import { prisma } from '@documenso/prisma';
 import { SigningCard3D } from '@documenso/ui/components/signing-card';

@@ -140,6 +141,10 @@ const handleV1Loader = async ({ params, request }: Route.LoaderArgs) => {
    throw redirect(`/sign/${token}/rejected`);
  }

+  if (isRecipientExpired(recipient)) {
+    throw redirect(`/sign/${token}/expired`);
+  }
+
  if (
    document.status === DocumentStatus.COMPLETED ||
    recipient.signingStatus === SigningStatus.SIGNED
@@ -201,7 +206,8 @@ const handleV2Loader = async ({ params, request }: Route.LoaderArgs) => {
    return envelopeForSigning;
  }

-  const { envelope, recipient, isCompleted, isRejected, isRecipientsTurn } = envelopeForSigning;
+  const { envelope, recipient, isCompleted, isRejected, isExpired, isRecipientsTurn } =
+    envelopeForSigning;

  if (!isRecipientsTurn) {
    throw redirect(`/sign/${token}/waiting`);
@@ -233,12 +239,6 @@ const handleV2Loader = async ({ params, request }: Route.LoaderArgs) => {
    } as const;
  }

-  await viewedDocument({
-    token,
-    requestMetadata,
-    recipientAccessAuth: derivedRecipientAccessAuth,
-  }).catch(() => null);
-
  if (isRejected) {
    throw redirect(`/sign/${token}/rejected`);
  }
@@ -247,6 +247,16 @@ const handleV2Loader = async ({ params, request }: Route.LoaderArgs) => {
    throw redirect(envelope.documentMeta.redirectUrl || `/sign/${token}/complete`);
  }

+  if (isExpired) {
+    throw redirect(`/sign/${token}/expired`);
+  }
+
+  await viewedDocument({
+    token,
+    requestMetadata,
+    recipientAccessAuth: derivedRecipientAccessAuth,
+  }).catch(() => null);
+
  return {
    isDocumentAccessValid: true,
    envelopeForSigning,
@@ -0,0 +1,114 @@
+import { Trans } from '@lingui/react/macro';
+import { TimerOffIcon } from 'lucide-react';
+import { Link } from 'react-router';
+
+import { getOptionalSession } from '@documenso/auth/server/lib/utils/get-session';
+import { useOptionalSession } from '@documenso/lib/client-only/providers/session';
+import { getDocumentAndSenderByToken } from '@documenso/lib/server-only/document/get-document-by-token';
+import { isRecipientAuthorized } from '@documenso/lib/server-only/document/is-recipient-authorized';
+import { getRecipientByToken } from '@documenso/lib/server-only/recipient/get-recipient-by-token';
+import { Badge } from '@documenso/ui/primitives/badge';
+import { Button } from '@documenso/ui/primitives/button';
+
+import { DocumentSigningAuthPageView } from '~/components/general/document-signing/document-signing-auth-page';
+import { truncateTitle } from '~/utils/truncate-title';
+
+import type { Route } from './+types/expired';
+
+export async function loader({ params, request }: Route.LoaderArgs) {
+  const { user } = await getOptionalSession(request);
+
+  const { token } = params;
+
+  if (!token) {
+    throw new Response('Not Found', { status: 404 });
+  }
+
+  const document = await getDocumentAndSenderByToken({
+    token,
+    requireAccessAuth: false,
+  }).catch(() => null);
+
+  if (!document) {
+    throw new Response('Not Found', { status: 404 });
+  }
+
+  const title = document.title;
+
+  const recipient = await getRecipientByToken({ token }).catch(() => null);
+
+  if (!recipient) {
+    throw new Response('Not Found', { status: 404 });
+  }
+
+  const isDocumentAccessValid = await isRecipientAuthorized({
+    type: 'ACCESS',
+    documentAuthOptions: document.authOptions,
+    recipient,
+    userId: user?.id,
+  });
+
+  const recipientEmail = recipient.email;
+
+  if (isDocumentAccessValid) {
+    return {
+      isDocumentAccessValid: true,
+      recipientEmail,
+      title,
+    };
+  }
+
+  return {
+    isDocumentAccessValid: false,
+    recipientEmail,
+  };
+}
+
+export default function ExpiredSigningPage({ loaderData }: Route.ComponentProps) {
+  const { sessionData } = useOptionalSession();
+  const user = sessionData?.user;
+
+  const { isDocumentAccessValid, recipientEmail, title } = loaderData;
+
+  if (!isDocumentAccessValid) {
+    return <DocumentSigningAuthPageView email={recipientEmail} />;
+  }
+
+  return (
+    <div className="flex flex-col items-center pt-24 lg:pt-36 xl:pt-44">
+      <Badge
+        variant="neutral"
+        size="default"
+        title={title}
+        className="mb-6 rounded-xl border bg-transparent"
+      >
+        {truncateTitle(title ?? '')}
+      </Badge>
+
+      <div className="flex flex-col items-center">
+        <div className="flex items-center gap-x-4">
+          <TimerOffIcon className="h-10 w-10 text-orange-500" />
+
+          <h2 className="max-w-[35ch] text-center text-2xl font-semibold leading-normal md:text-3xl lg:text-4xl">
+            <Trans>Signing Deadline Expired</Trans>
+          </h2>
+        </div>
+
+        <p className="mt-6 max-w-[60ch] text-center text-sm text-muted-foreground">
+          <Trans>
+            The signing deadline for this document has passed. Please contact the document owner if
+            you need a new copy to sign.
+          </Trans>
+        </p>
+
+        {user && (
+          <Button className="mt-6" asChild>
+            <Link to={`/`}>
+              <Trans>Return Home</Trans>
+            </Link>
+          </Button>
+        )}
+      </div>
+    </div>
+  );
+}
@@ -1,3 +1,4 @@
+import { Trans } from '@lingui/react/macro';
 import { Outlet, isRouteErrorResponse, useRouteError } from 'react-router';

 import {
@@ -12,6 +13,7 @@ import { EmbedDocumentCompleted } from '~/components/embed/embed-document-comple
 import { EmbedDocumentRejected } from '~/components/embed/embed-document-rejected';
 import { EmbedDocumentWaitingForTurn } from '~/components/embed/embed-document-waiting-for-turn';
 import { EmbedPaywall } from '~/components/embed/embed-paywall';
+import { EmbedRecipientExpired } from '~/components/embed/embed-recipient-expired';

 import type { Route } from './+types/_layout';

@@ -78,6 +80,10 @@ export function ErrorBoundary({ loaderData }: Route.ErrorBoundaryProps) {
      return <EmbedDocumentWaitingForTurn />;
    }

+    if (error.status === 403 && error.data.type === 'embed-recipient-expired') {
+      return <EmbedRecipientExpired />;
+    }
+
    // !: Not used at the moment, may be removed in the future.
    if (error.status === 403 && error.data.type === 'embed-document-rejected') {
      return <EmbedDocumentRejected />;
@@ -89,5 +95,9 @@ export function ErrorBoundary({ loaderData }: Route.ErrorBoundaryProps) {
    }
  }

-  return <div>Not Found</div>;
+  return (
+    <div>
+      <Trans>Not Found</Trans>
+    </div>
+  );
 }
@@ -19,6 +19,7 @@ import { getRecipientsForAssistant } from '@documenso/lib/server-only/recipient/
 import { DocumentAccessAuth } from '@documenso/lib/types/document-auth';
 import { isDocumentCompleted } from '@documenso/lib/utils/document';
 import { extractDocumentAuthMethods } from '@documenso/lib/utils/document-auth';
+import { isRecipientExpired } from '@documenso/lib/utils/recipients';
 import { prisma } from '@documenso/prisma';

 import { EmbedSignDocumentV1ClientPage } from '~/components/embed/embed-document-signing-page-v1';
@@ -78,6 +79,17 @@ async function handleV1Loader({ params, request }: Route.LoaderArgs) {
    );
  }

+  if (isRecipientExpired(recipient)) {
+    throw data(
+      {
+        type: 'embed-recipient-expired',
+      },
+      {
+        status: 403,
+      },
+    );
+  }
+
  const { derivedRecipientAccessAuth } = extractDocumentAuthMethods({
    documentAuth: document.authOptions,
  });
@@ -190,7 +202,7 @@ async function handleV2Loader({ params, request }: Route.LoaderArgs) {
    );
  }

-  const { envelope, recipient, isRecipientsTurn } = envelopeForSigning;
+  const { envelope, recipient, isRecipientsTurn, isExpired } = envelopeForSigning;

  const organisationClaim = await getOrganisationClaimByTeamId({ teamId: envelope.teamId });

@@ -208,6 +220,17 @@ async function handleV2Loader({ params, request }: Route.LoaderArgs) {
    );
  }

+  if (isExpired) {
+    throw data(
+      {
+        type: 'embed-recipient-expired',
+      },
+      {
+        status: 403,
+      },
+    );
+  }
+
  if (!isRecipientsTurn) {
    throw data(
      {
@@ -1,5 +1,6 @@
 import { useLayoutEffect } from 'react';

+import { Trans } from '@lingui/react/macro';
 import { Outlet, useLoaderData } from 'react-router';

 import { verifyEmbeddingPresignToken } from '@documenso/lib/server-only/embedding-presign/verify-embedding-presign-token';
@@ -75,7 +76,11 @@ export default function AuthoringLayout() {
  }, []);

  if (!hasValidToken) {
-    return <div>Invalid embedding presign token provided</div>;
+    return (
+      <div>
+        <Trans>Invalid embedding presign token provided</Trans>
+      </div>
+    );
  }

  return (
@@ -1,5 +1,6 @@
 import { useEffect, useLayoutEffect, useState } from 'react';

+import { Trans } from '@lingui/react/macro';
 import { SigningStatus } from '@prisma/client';
 import { useRevalidator } from 'react-router';

@@ -283,7 +284,9 @@ export default function MultisignPage() {

        {!hidePoweredBy && (
          <div className="bg-primary text-primary-foreground fixed bottom-0 left-0 z-40 rounded-tr px-2 py-1 text-xs font-medium opacity-60 hover:opacity-100">
-            <span>Powered by</span>
+            <span>
+              <Trans>Powered by</Trans>
+            </span>
            <BrandingLogo className="ml-2 inline-block h-[14px]" />
          </div>
        )}
@@ -298,7 +301,9 @@ export default function MultisignPage() {

      {!hidePoweredBy && (
        <div className="bg-primary text-primary-foreground fixed bottom-0 left-0 z-40 rounded-tr px-2 py-1 text-xs font-medium opacity-60 hover:opacity-100">
-          <span>Powered by</span>
+          <span>
+            <Trans>Powered by</Trans>
+          </span>
          <BrandingLogo className="ml-2 inline-block h-[14px]" />
        </div>
      )}
@@ -46,7 +46,6 @@
    "content-disposition": "^1.0.1",
    "framer-motion": "^12.23.24",
    "hono": "4.11.4",
-    "hono-rate-limiter": "^0.4.2",
    "hono-react-router-adapter": "^0.6.5",
    "input-otp": "^1.4.2",
    "isbot": "^5.1.32",
@@ -106,5 +105,5 @@
    "vite-plugin-babel-macros": "^1.0.6",
    "vite-tsconfig-paths": "^5.1.4"
  },
-  "version": "2.6.0"
+  "version": "2.6.1"
 }
@@ -1,18 +1,25 @@
 import { Hono } from 'hono';
-import { rateLimiter } from 'hono-rate-limiter';
 import { contextStorage } from 'hono/context-storage';
 import { cors } from 'hono/cors';
-import { requestId } from 'hono/request-id';
 import type { RequestIdVariables } from 'hono/request-id';
+import { requestId } from 'hono/request-id';
 import type { Logger } from 'pino';

 import { tsRestHonoApp } from '@documenso/api/hono';
 import { auth } from '@documenso/auth/server';
-import { API_V2_BETA_URL, API_V2_URL } from '@documenso/lib/constants/app';
 import { jobsClient } from '@documenso/lib/jobs/client';
 import { LicenseClient } from '@documenso/lib/server-only/license/license-client';
+import { createRateLimitMiddleware } from '@documenso/lib/server-only/rate-limit/rate-limit-middleware';
+import {
+  aiRateLimit,
+  apiTrpcRateLimit,
+  apiV1RateLimit,
+  apiV2RateLimit,
+  fileUploadRateLimit,
+} from '@documenso/lib/server-only/rate-limit/rate-limits';
 import { TelemetryClient } from '@documenso/lib/server-only/telemetry/telemetry-client';
-import { getIpAddress } from '@documenso/lib/universal/get-ip-address';
+import { migrateDeletedAccountServiceAccount } from '@documenso/lib/server-only/user/service-accounts/deleted-account';
+import { migrateLegacyServiceAccount } from '@documenso/lib/server-only/user/service-accounts/legacy-service-account';
 import { env } from '@documenso/lib/utils/env';
 import { logger } from '@documenso/lib/utils/logger';
 import { openApiDocument } from '@documenso/trpc/server/open-api';
@@ -35,38 +42,13 @@ export interface HonoEnv {
 const app = new Hono<HonoEnv>();

 /**
- * Rate limiting for v1 and v2 API routes only.
- * - 100 requests per minute per IP address
+ * Database-backed rate limiting for API routes.
 */
-const rateLimitMiddleware = rateLimiter({
-  windowMs: 60 * 1000, // 1 minute
-  limit: 100, // 100 requests per window
-  keyGenerator: (c) => {
-    try {
-      return getIpAddress(c.req.raw);
-    } catch (error) {
-      return 'unknown';
-    }
-  },
-  message: {
-    error: 'Too many requests, please try again later.',
-  },
-});
-
-const aiRateLimitMiddleware = rateLimiter({
-  windowMs: 60 * 1000, // 1 minute
-  limit: 3, // 3 requests per window
-  keyGenerator: (c) => {
-    try {
-      return getIpAddress(c.req.raw);
-    } catch (error) {
-      return 'unknown';
-    }
-  },
-  message: {
-    error: 'Too many requests, please try again later.',
-  },
-});
+const apiV1RateLimitMiddleware = createRateLimitMiddleware(apiV1RateLimit);
+const apiV2RateLimitMiddleware = createRateLimitMiddleware(apiV2RateLimit);
+const aiRateLimitMiddleware = createRateLimitMiddleware(aiRateLimit);
+const trpcRateLimitMiddleware = createRateLimitMiddleware(apiTrpcRateLimit);
+const fileRateLimitMiddleware = createRateLimitMiddleware(fileUploadRateLimit);

 /**
 * Attach session and context to requests.
@@ -84,6 +66,7 @@ app.use(async (c, next) => {

  const honoLogger = logger.child({
    requestId: c.var.requestId,
+    requestPath: c.req.path,
    ipAddress: metadata.ipAddress,
    userAgent: metadata.userAgent,
  });
@@ -93,14 +76,20 @@ app.use(async (c, next) => {
  await next();
 });

-// Apply rate limit to /api/v1/*
-app.use('/api/v1/*', rateLimitMiddleware);
-app.use('/api/v2/*', rateLimitMiddleware);
+// Apply cors and rate limits to API routes.
+app.use(`/api/v1/*`, cors());
+app.use('/api/v1/*', apiV1RateLimitMiddleware);
+app.use(`/api/v2/*`, cors());
+app.use('/api/v2/*', apiV2RateLimitMiddleware);
+app.use(`/api/v2-beta/*`, cors());
+app.use('/api/v2-beta/*', apiV2RateLimitMiddleware);

 // Auth server.
 app.route('/api/auth', auth);

 // Files route.
+app.use('/api/files/upload-pdf', fileRateLimitMiddleware);
+app.use('/api/files/presigned-post-url', fileRateLimitMiddleware);
 app.route('/api/files', filesRoute);

 // AI route.
@@ -108,28 +97,26 @@ app.use('/api/ai/*', aiRateLimitMiddleware);
 app.route('/api/ai', aiRoute);

 // API servers.
-app.use(`/api/v1/*`, cors());
 app.route('/api/v1', tsRestHonoApp);
 app.use('/api/jobs/*', jobsClient.getApiHandler());
+app.use('/api/trpc/*', trpcRateLimitMiddleware);
 app.use('/api/trpc/*', reactRouterTrpcServer);

 // Unstable API server routes. Order matters for these two.
-app.get(`${API_V2_URL}/openapi.json`, (c) => c.json(openApiDocument));
-app.use(`${API_V2_URL}/*`, cors());
+app.get(`/api/v2/openapi.json`, (c) => c.json(openApiDocument));
 // Shadows the download routes that tRPC defines since tRPC-to-openapi doesn't support their return types.
-app.route(`${API_V2_URL}`, downloadRoute);
-app.use(`${API_V2_URL}/*`, async (c) =>
+app.route(`/api/v2`, downloadRoute);
+app.use(`/api/v2/*`, async (c) =>
  openApiTrpcServerHandler(c, {
    isBeta: false,
  }),
 );

 // Unstable API server routes. Order matters for these two.
-app.get(`${API_V2_BETA_URL}/openapi.json`, (c) => c.json(openApiDocument));
-app.use(`${API_V2_BETA_URL}/*`, cors());
+app.get(`/api/v2-beta/openapi.json`, (c) => c.json(openApiDocument));
 // Shadows the download routes that tRPC defines since tRPC-to-openapi doesn't support their return types.
-app.route(`${API_V2_BETA_URL}`, downloadRoute);
-app.use(`${API_V2_BETA_URL}/*`, async (c) =>
+app.route(`/api/v2-beta`, downloadRoute);
+app.use(`/api/v2-beta/*`, async (c) =>
  openApiTrpcServerHandler(c, {
    isBeta: true,
  }),
@@ -144,4 +131,11 @@ if (env('NODE_ENV') !== 'development') {
 // Start license client to verify license on startup.
 void LicenseClient.start();

+// Start cron scheduler for background jobs (e.g. envelope expiration sweep).
+// No-op for Inngest provider which handles cron externally.
+jobsClient.startCron();
+
+void migrateDeletedAccountServiceAccount();
+void migrateLegacyServiceAccount();
+
 export default app;
@@ -0,0 +1,51 @@
+%PDF-1.7
+%âãÏÓ
+1 0 obj
+<<
+/Type /Pages
+/Kids [4 0 R]
+/Count 1
+>>
+endobj
+2 0 obj
+<<
+/Type /Catalog
+/Pages 1 0 R
+>>
+endobj
+3 0 obj
+<<
+/Title (Untitled)
+/Author (Unknown)
+/Creator (@libpdf/core)
+/Producer (@libpdf/core)
+/CreationDate (D:20260211083727Z)
+/ModDate (D:20260211083727Z)
+>>
+endobj
+4 0 obj
+<<
+/Type /Page
+/MediaBox [0 0 595 842]
+/Resources <<
+>>
+/Parent 1 0 R
+>>
+endobj
+xref
+0 5
+0000000000 65535 f
+0000000015 00000 n
+0000000072 00000 n
+0000000121 00000 n
+0000000290 00000 n
+trailer
+<<
+/Size 5
+/Root 2 0 R
+/Info 3 0 R
+/ID [<B051F100F1EED01A592FC6119F589603> <B051F100F1EED01A592FC6119F589603>]
+>>
+startxref
+378
+%%EOF
@@ -0,0 +1,51 @@
+%PDF-1.7
+%âãÏÓ
+1 0 obj
+<<
+/Type /Pages
+/Kids [4 0 R]
+/Count 1
+>>
+endobj
+2 0 obj
+<<
+/Type /Catalog
+/Pages 1 0 R
+>>
+endobj
+3 0 obj
+<<
+/Title (Untitled)
+/Author (Unknown)
+/Creator (@libpdf/core)
+/Producer (@libpdf/core)
+/CreationDate (D:20260211081729Z)
+/ModDate (D:20260211081729Z)
+>>
+endobj
+4 0 obj
+<<
+/Type /Page
+/MediaBox [0 0 612 792]
+/Resources <<
+>>
+/Parent 1 0 R
+>>
+endobj
+xref
+0 5
+0000000000 65535 f
+0000000015 00000 n
+0000000072 00000 n
+0000000121 00000 n
+0000000290 00000 n
+trailer
+<<
+/Size 5
+/Root 2 0 R
+/Info 3 0 R
+/ID [<94A5FB5DCF5A94AD8C472C493420962C> <94A5FB5DCF5A94AD8C472C493420962C>]
+>>
+startxref
+378
+%%EOF
@@ -0,0 +1,51 @@
+%PDF-1.7
+%âãÏÓ
+1 0 obj
+<<
+/Type /Pages
+/Kids [4 0 R]
+/Count 1
+>>
+endobj
+2 0 obj
+<<
+/Type /Catalog
+/Pages 1 0 R
+>>
+endobj
+3 0 obj
+<<
+/Title (Untitled)
+/Author (Unknown)
+/Creator (@libpdf/core)
+/Producer (@libpdf/core)
+/CreationDate (D:20260211084535Z)
+/ModDate (D:20260211084535Z)
+>>
+endobj
+4 0 obj
+<<
+/Type /Page
+/MediaBox [0 0 1224 792]
+/Resources <<
+>>
+/Parent 1 0 R
+>>
+endobj
+xref
+0 5
+0000000000 65535 f
+0000000015 00000 n
+0000000072 00000 n
+0000000121 00000 n
+0000000290 00000 n
+trailer
+<<
+/Size 5
+/Root 2 0 R
+/Info 3 0 R
+/ID [<694452F2208AC8E3DD2D2488544F9F0C> <694452F2208AC8E3DD2D2488544F9F0C>]
+>>
+startxref
+379
+%%EOF
@@ -1,12 +1,12 @@
 {
  "name": "@documenso/root",
-  "version": "2.6.0",
+  "version": "2.6.1",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "@documenso/root",
-      "version": "2.6.0",
+      "version": "2.6.1",
      "hasInstallScript": true,
      "workspaces": [
        "apps/*",
@@ -19,6 +19,7 @@
        "@lingui/conf": "^5.6.0",
        "@lingui/core": "^5.6.0",
        "ai": "^5.0.104",
+        "cron-parser": "^5.5.0",
        "luxon": "^3.7.2",
        "patch-package": "^8.0.1",
        "posthog-node": "4.18.0",
@@ -108,7 +109,7 @@
    },
    "apps/remix": {
      "name": "@documenso/remix",
-      "version": "2.6.0",
+      "version": "2.6.1",
      "dependencies": {
        "@cantoo/pdf-lib": "^2.5.3",
        "@documenso/api": "*",
@@ -142,7 +143,6 @@
        "content-disposition": "^1.0.1",
        "framer-motion": "^12.23.24",
        "hono": "4.11.4",
-        "hono-rate-limiter": "^0.4.2",
        "hono-react-router-adapter": "^0.6.5",
        "input-otp": "^1.4.2",
        "isbot": "^5.1.32",
@@ -20192,6 +20192,18 @@
        "typescript": ">=5"
      }
    },
+    "node_modules/cron-parser": {
+      "version": "5.5.0",
+      "resolved": "https://registry.npmjs.org/cron-parser/-/cron-parser-5.5.0.tgz",
+      "integrity": "sha512-oML4lKUXxizYswqmxuOCpgFS8BNUJpIu6k/2HVHyaL8Ynnf3wdf9tkns0yRdJLSIjkJ+b0DXHMZEHGpMwjnPww==",
+      "license": "MIT",
+      "dependencies": {
+        "luxon": "^3.7.1"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    },
    "node_modules/cross-env": {
      "version": "10.1.0",
      "resolved": "https://registry.npmjs.org/cross-env/-/cross-env-10.1.0.tgz",
@@ -25081,15 +25093,6 @@
        "node": ">=16.9.0"
      }
    },
-    "node_modules/hono-rate-limiter": {
-      "version": "0.4.2",
-      "resolved": "https://registry.npmjs.org/hono-rate-limiter/-/hono-rate-limiter-0.4.2.tgz",
-      "integrity": "sha512-AAtFqgADyrmbDijcRTT/HJfwqfvhalya2Zo+MgfdrMPas3zSMD8SU03cv+ZsYwRU1swv7zgVt0shwN059yzhjw==",
-      "license": "MIT",
-      "peerDependencies": {
-        "hono": "^4.1.1"
-      }
-    },
    "node_modules/hono-react-router-adapter": {
      "version": "0.6.5",
      "resolved": "https://registry.npmjs.org/hono-react-router-adapter/-/hono-react-router-adapter-0.6.5.tgz",
@@ -5,7 +5,7 @@
    "apps/*",
    "packages/*"
  ],
-  "version": "2.6.0",
+  "version": "2.6.1",
  "scripts": {
    "postinstall": "patch-package",
    "build": "turbo run build",
@@ -90,6 +90,7 @@
    "@lingui/conf": "^5.6.0",
    "@lingui/core": "^5.6.0",
    "ai": "^5.0.104",
+    "cron-parser": "^5.5.0",
    "luxon": "^3.7.2",
    "patch-package": "^8.0.1",
    "posthog-node": "4.18.0",
@@ -437,8 +437,8 @@ export const ZSuccessfulRecipientResponseSchema = z.object({
  role: z.nativeEnum(RecipientRole),
  signingOrder: z.number().nullish(),
  token: z.string(),
-  // !: Not used for now
-  // expired: z.string(),
+  expiresAt: z.date().nullish(),
+  expirationNotifiedAt: z.date().nullish(),
  signedAt: z.date().nullable(),
  readStatus: z.nativeEnum(ReadStatus),
  signingStatus: z.nativeEnum(SigningStatus),
@@ -576,7 +576,8 @@ export const ZRecipientSchema = z.object({
  token: z.string(),
  signingOrder: z.number().nullish(),
  documentDeletedAt: z.date().nullish(),
-  expired: z.date().nullish(),
+  expiresAt: z.date().nullish(),
+  expirationNotifiedAt: z.date().nullish(),
  signedAt: z.date().nullish(),
  authOptions: z.unknown(),
  role: z.nativeEnum(RecipientRole),
@@ -171,6 +171,7 @@ test.describe('API V2 Envelopes', () => {
                positionY: 0,
                width: 0,
                height: 0,
+                fieldMeta: { type: 'signature' },
              },
              {
                type: FieldType.SIGNATURE,
@@ -180,6 +181,7 @@ test.describe('API V2 Envelopes', () => {
                positionY: 0,
                width: 0,
                height: 0,
+                fieldMeta: { type: 'signature' },
              },
            ],
          },
@@ -205,6 +207,7 @@ test.describe('API V2 Envelopes', () => {
            documentPending: false,
            documentCompleted: false,
            documentDeleted: false,
+            ownerRecipientExpired: true,
            ownerDocumentCompleted: true,
          },
        },
@@ -106,10 +106,10 @@ test.describe('AutoSave Subject Step', () => {
    const { user, document, team } = await setupDocumentAndNavigateToSubjectStep(page);

    // Toggle some email settings checkboxes (randomly - some checked, some unchecked)
-    await page.getByText('Send recipient signed email').click();
-    await page.getByText('Send recipient removed email').click();
-    await page.getByText('Send document completed email', { exact: true }).click();
-    await page.getByText('Send document deleted email').click();
+    await page.getByText('Email the owner when a recipient signs').click();
+    await page.getByText("Email recipients when they're removed from a pending document").click();
+    await page.getByText('Email recipients when the document is completed', { exact: true }).click();
+    await page.getByText('Email recipients when a pending document is deleted').click();

    await triggerAutosave(page);

@@ -126,26 +126,30 @@ test.describe('AutoSave Subject Step', () => {

      const emailSettings = retrievedDocumentData.documentMeta?.emailSettings;

-      await expect(page.getByText('Send recipient signed email')).toBeChecked({
+      await expect(page.getByText('Email the owner when a recipient signs')).toBeChecked({
        checked: emailSettings?.recipientSigned,
      });
-      await expect(page.getByText('Send recipient removed email')).toBeChecked({
+      await expect(
+        page.getByText("Email recipients when they're removed from a pending document"),
+      ).toBeChecked({
        checked: emailSettings?.recipientRemoved,
      });
-      await expect(page.getByText('Send document completed email', { exact: true })).toBeChecked({
+      await expect(
+        page.getByText('Email recipients when the document is completed', { exact: true }),
+      ).toBeChecked({
        checked: emailSettings?.documentCompleted,
      });
-      await expect(page.getByText('Send document deleted email')).toBeChecked({
+      await expect(page.getByText('Email recipients when a pending document is deleted')).toBeChecked({
        checked: emailSettings?.documentDeleted,
      });

-      await expect(page.getByText('Send recipient signing request email')).toBeChecked({
+      await expect(page.getByText('Email recipients with a signing request')).toBeChecked({
        checked: emailSettings?.recipientSigningRequest,
      });
-      await expect(page.getByText('Send document pending email')).toBeChecked({
+      await expect(page.getByText('Email the signer if the document is still pending')).toBeChecked({
        checked: emailSettings?.documentPending,
      });
-      await expect(page.getByText('Send document completed email to the owner')).toBeChecked({
+      await expect(page.getByText('Email the owner when the document is completed')).toBeChecked({
        checked: emailSettings?.ownerDocumentCompleted,
      });
    }).toPass();
@@ -161,10 +165,10 @@ test.describe('AutoSave Subject Step', () => {
    await page.getByRole('textbox', { name: 'Subject (Optional)' }).fill(subject);
    await page.getByRole('textbox', { name: 'Message (Optional)' }).fill(message);

-    await page.getByText('Send recipient signed email').click();
-    await page.getByText('Send recipient removed email').click();
-    await page.getByText('Send document completed email', { exact: true }).click();
-    await page.getByText('Send document deleted email').click();
+    await page.getByText('Email the owner when a recipient signs').click();
+    await page.getByText("Email recipients when they're removed from a pending document").click();
+    await page.getByText('Email recipients when the document is completed', { exact: true }).click();
+    await page.getByText('Email recipients when a pending document is deleted').click();

    await triggerAutosave(page);

@@ -190,26 +194,30 @@ test.describe('AutoSave Subject Step', () => {
        retrievedDocumentData.documentMeta?.message ?? '',
      );

-      await expect(page.getByText('Send recipient signed email')).toBeChecked({
+      await expect(page.getByText('Email the owner when a recipient signs')).toBeChecked({
        checked: retrievedDocumentData.documentMeta?.emailSettings?.recipientSigned,
      });
-      await expect(page.getByText('Send recipient removed email')).toBeChecked({
+      await expect(
+        page.getByText("Email recipients when they're removed from a pending document"),
+      ).toBeChecked({
        checked: retrievedDocumentData.documentMeta?.emailSettings?.recipientRemoved,
      });
-      await expect(page.getByText('Send document completed email', { exact: true })).toBeChecked({
+      await expect(
+        page.getByText('Email recipients when the document is completed', { exact: true }),
+      ).toBeChecked({
        checked: retrievedDocumentData.documentMeta?.emailSettings?.documentCompleted,
      });
-      await expect(page.getByText('Send document deleted email')).toBeChecked({
+      await expect(page.getByText('Email recipients when a pending document is deleted')).toBeChecked({
        checked: retrievedDocumentData.documentMeta?.emailSettings?.documentDeleted,
      });

-      await expect(page.getByText('Send recipient signing request email')).toBeChecked({
+      await expect(page.getByText('Email recipients with a signing request')).toBeChecked({
        checked: retrievedDocumentData.documentMeta?.emailSettings?.recipientSigningRequest,
      });
-      await expect(page.getByText('Send document pending email')).toBeChecked({
+      await expect(page.getByText('Email the signer if the document is still pending')).toBeChecked({
        checked: retrievedDocumentData.documentMeta?.emailSettings?.documentPending,
      });
-      await expect(page.getByText('Send document completed email to the owner')).toBeChecked({
+      await expect(page.getByText('Email the owner when the document is completed')).toBeChecked({
        checked: retrievedDocumentData.documentMeta?.emailSettings?.ownerDocumentCompleted,
      });
    }).toPass();
@@ -0,0 +1,218 @@
+import { type APIRequestContext, type Page, expect, test } from '@playwright/test';
+import { DocumentStatus, EnvelopeType, FieldType } from '@prisma/client';
+import fs from 'node:fs';
+import path from 'node:path';
+import * as pdfjsLib from 'pdfjs-dist/legacy/build/pdf.mjs';
+
+import { getEnvelopeItemPdfUrl } from '@documenso/lib/utils/envelope-download';
+import { prisma } from '@documenso/prisma';
+import { seedUser } from '@documenso/prisma/seed/users';
+
+import { NEXT_PUBLIC_WEBAPP_URL } from '../../../lib/constants/app';
+import { createApiToken } from '../../../lib/server-only/public-api/create-api-token';
+import { RecipientRole } from '../../../prisma/generated/types';
+import type {
+  TCreateEnvelopePayload,
+  TCreateEnvelopeResponse,
+} from '../../../trpc/server/envelope-router/create-envelope.types';
+import type { TDistributeEnvelopeRequest } from '../../../trpc/server/envelope-router/distribute-envelope.types';
+import { apiSignin } from '../fixtures/authentication';
+
+const WEBAPP_BASE_URL = NEXT_PUBLIC_WEBAPP_URL();
+const baseUrl = `${WEBAPP_BASE_URL}/api/v2`;
+
+test.describe.configure({ mode: 'parallel', timeout: 60000 });
+
+const signAndVerifyPageDimensions = async ({
+  page,
+  request,
+  pdfFile,
+  identifier,
+  title,
+  expectedWidth,
+  expectedHeight,
+}: {
+  page: Page;
+  request: APIRequestContext;
+  pdfFile: string;
+  identifier: string;
+  title: string;
+  expectedWidth: number;
+  expectedHeight: number;
+}) => {
+  const { user, team } = await seedUser();
+
+  const { token } = await createApiToken({
+    userId: user.id,
+    teamId: team.id,
+    tokenName: 'test',
+    expiresIn: null,
+  });
+
+  const pdfBuffer = fs.readFileSync(path.join(__dirname, `../../../../assets/${pdfFile}`));
+
+  const formData = new FormData();
+
+  const createEnvelopePayload: TCreateEnvelopePayload = {
+    type: EnvelopeType.DOCUMENT,
+    title,
+    recipients: [
+      {
+        email: user.email,
+        name: user.name || '',
+        role: RecipientRole.SIGNER,
+        fields: [
+          {
+            identifier,
+            type: FieldType.SIGNATURE,
+            fieldMeta: { type: 'signature' },
+            page: 1,
+            positionX: 10,
+            positionY: 10,
+            width: 40,
+            height: 10,
+          },
+        ],
+      },
+    ],
+  };
+
+  formData.append('payload', JSON.stringify(createEnvelopePayload));
+  formData.append('files', new File([pdfBuffer], identifier, { type: 'application/pdf' }));
+
+  const createResponse = await request.post(`${baseUrl}/envelope/create`, {
+    headers: { Authorization: `Bearer ${token}` },
+    multipart: formData,
+  });
+
+  expect(createResponse.ok()).toBeTruthy();
+
+  const { id: envelopeId }: TCreateEnvelopeResponse = await createResponse.json();
+
+  const envelope = await prisma.envelope.findUniqueOrThrow({
+    where: { id: envelopeId },
+    include: { recipients: true },
+  });
+
+  const distributeResponse = await request.post(`${baseUrl}/envelope/distribute`, {
+    headers: { Authorization: `Bearer ${token}` },
+    data: { envelopeId: envelope.id } satisfies TDistributeEnvelopeRequest,
+  });
+
+  expect(distributeResponse.ok()).toBeTruthy();
+
+  // Pre-insert all fields via Prisma so we can skip the UI field interaction.
+  const fields = await prisma.field.findMany({
+    where: { envelopeId: envelope.id, inserted: false },
+  });
+
+  for (const field of fields) {
+    await prisma.field.update({
+      where: { id: field.id },
+      data: {
+        inserted: true,
+        signature: {
+          create: {
+            recipientId: envelope.recipients[0].id,
+            typedSignature: 'Test Signature',
+          },
+        },
+      },
+    });
+  }
+
+  const recipientToken = envelope.recipients[0].token;
+  const signUrl = `/sign/${recipientToken}`;
+
+  await apiSignin({
+    page,
+    email: user.email,
+    redirectPath: signUrl,
+  });
+
+  await expect(page.getByRole('heading', { name: 'Sign Document' })).toBeVisible();
+
+  await page.getByRole('button', { name: 'Complete' }).click();
+  await page.getByRole('button', { name: 'Sign' }).click();
+  await page.waitForURL(`${signUrl}/complete`);
+
+  await expect(async () => {
+    const { status } = await prisma.envelope.findFirstOrThrow({
+      where: { id: envelope.id },
+    });
+
+    expect(status).toBe(DocumentStatus.COMPLETED);
+  }).toPass({ timeout: 10000 });
+
+  const completedEnvelope = await prisma.envelope.findFirstOrThrow({
+    where: { id: envelope.id },
+    include: {
+      envelopeItems: {
+        orderBy: { order: 'asc' },
+        include: { documentData: true },
+      },
+    },
+  });
+
+  for (const item of completedEnvelope.envelopeItems) {
+    const documentUrl = getEnvelopeItemPdfUrl({
+      type: 'download',
+      envelopeItem: item,
+      token: recipientToken,
+      version: 'signed',
+    });
+
+    const pdfData = await fetch(documentUrl).then(async (res) => await res.arrayBuffer());
+    const loadingTask = pdfjsLib.getDocument({ data: new Uint8Array(pdfData) });
+    const pdf = await loadingTask.promise;
+
+    expect(pdf.numPages).toBeGreaterThan(1);
+
+    for (let i = 1; i <= pdf.numPages; i++) {
+      const pdfPage = await pdf.getPage(i);
+      const viewport = pdfPage.getViewport({ scale: 1 });
+
+      expect(Math.round(viewport.width)).toBe(expectedWidth);
+      expect(Math.round(viewport.height)).toBe(expectedHeight);
+    }
+  }
+};
+
+test('cert and audit log pages match letter page dimensions', async ({ page, request }) => {
+  await signAndVerifyPageDimensions({
+    page,
+    request,
+    pdfFile: 'letter-size.pdf',
+    identifier: 'letter-doc',
+    title: 'Letter Size Dimension Test',
+    expectedWidth: 612,
+    expectedHeight: 792,
+  });
+});
+
+test('cert and audit log pages match A4 page dimensions', async ({ page, request }) => {
+  await signAndVerifyPageDimensions({
+    page,
+    request,
+    pdfFile: 'a4-size.pdf',
+    identifier: 'a4-doc',
+    title: 'A4 Size Dimension Test',
+    expectedWidth: 595,
+    expectedHeight: 842,
+  });
+});
+
+test('cert and audit log pages match tabloid landscape page dimensions', async ({
+  page,
+  request,
+}) => {
+  await signAndVerifyPageDimensions({
+    page,
+    request,
+    pdfFile: 'tabloid-landscape.pdf',
+    identifier: 'tabloid-doc',
+    title: 'Tabloid Landscape Dimension Test',
+    expectedWidth: 1224,
+    expectedHeight: 792,
+  });
+});
@@ -298,18 +298,34 @@ test('field placement visual regression', async ({ page, request }, testInfo) =>
 *
 * DON'T COMMIT THIS WITHOUT THE "SKIP" COMMAND.
 */
-test.skip('download envelope images', async ({ page }) => {
+test.skip('download envelope images', async ({ page, request }) => {
  const { user, team } = await seedUser();

+  const { token: apiToken } = await createApiToken({
+    userId: user.id,
+    teamId: team.id,
+    tokenName: 'test',
+    expiresIn: null,
+  });
+
  const envelope = await seedAlignmentTestDocument({
    userId: user.id,
    teamId: team.id,
    recipientName: user.name || '',
    recipientEmail: user.email,
    insertFields: true,
-    status: DocumentStatus.PENDING,
+    status: DocumentStatus.DRAFT,
  });

+  const distributeEnvelopeRequest = await request.post(`${baseUrl}/envelope/distribute`, {
+    headers: { Authorization: `Bearer ${apiToken}` },
+    data: {
+      envelopeId: envelope.id,
+    } satisfies TDistributeEnvelopeRequest,
+  });
+
+  expect(distributeEnvelopeRequest.ok()).toBeTruthy();
+
  const token = envelope.recipients[0].token;

  const signUrl = `/sign/${token}`;
@@ -0,0 +1,291 @@
+import { expect, test } from '@playwright/test';
+import fs from 'node:fs';
+import path from 'node:path';
+
+import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
+import { createApiToken } from '@documenso/lib/server-only/public-api/create-api-token';
+import { prisma } from '@documenso/prisma';
+import { EnvelopeType, RecipientRole } from '@documenso/prisma/client';
+import { seedPendingDocument } from '@documenso/prisma/seed/documents';
+import { seedUser } from '@documenso/prisma/seed/users';
+import type {
+  TCreateEnvelopePayload,
+  TCreateEnvelopeResponse,
+} from '@documenso/trpc/server/envelope-router/create-envelope.types';
+import type { TDistributeEnvelopeRequest } from '@documenso/trpc/server/envelope-router/distribute-envelope.types';
+
+import { apiSignin } from '../fixtures/authentication';
+import { openDropdownMenu } from '../fixtures/generic';
+
+const WEBAPP_BASE_URL = NEXT_PUBLIC_WEBAPP_URL();
+const baseUrl = `${WEBAPP_BASE_URL}/api/v2-beta`;
+
+const examplePdf = fs.readFileSync(path.join(__dirname, '../../../../assets/example.pdf'));
+
+test.describe.configure({ mode: 'parallel' });
+
+test('[ENVELOPE_EXPIRATION]: sending document sets expiresAt on recipients', async ({
+  request,
+}) => {
+  const { user, team } = await seedUser();
+
+  const { token } = await createApiToken({
+    userId: user.id,
+    teamId: team.id,
+    tokenName: 'test-expiration-send',
+    expiresIn: null,
+  });
+
+  const createPayload: TCreateEnvelopePayload = {
+    type: EnvelopeType.DOCUMENT,
+    title: '[TEST] Expiration Send Test',
+    recipients: [
+      {
+        email: 'signer-expiry@test.documenso.com',
+        name: 'Signer Expiry',
+        role: RecipientRole.SIGNER,
+        fields: [
+          {
+            type: 'SIGNATURE',
+            page: 1,
+            positionX: 10,
+            positionY: 10,
+            width: 10,
+            height: 5,
+            fieldMeta: { type: 'signature' },
+          },
+        ],
+      },
+    ],
+  };
+
+  const formData = new FormData();
+  formData.append('payload', JSON.stringify(createPayload));
+  formData.append('files', new File([examplePdf], 'example.pdf', { type: 'application/pdf' }));
+
+  const createRes = await request.post(`${baseUrl}/envelope/create`, {
+    headers: { Authorization: `Bearer ${token}` },
+    multipart: formData,
+  });
+
+  expect(createRes.ok()).toBeTruthy();
+
+  const { id: envelopeId }: TCreateEnvelopeResponse = await createRes.json();
+
+  const distributeRes = await request.post(`${baseUrl}/envelope/distribute`, {
+    headers: { Authorization: `Bearer ${token}` },
+    data: { envelopeId } satisfies TDistributeEnvelopeRequest,
+  });
+
+  expect(distributeRes.ok()).toBeTruthy();
+
+  // Check that recipients now have expiresAt set.
+  const recipients = await prisma.recipient.findMany({
+    where: { envelopeId },
+  });
+
+  expect(recipients.length).toBe(1);
+  expect(recipients[0].expiresAt).not.toBeNull();
+
+  // The default expiration period is 3 months. Verify it's roughly correct.
+  const expiresAt = recipients[0].expiresAt!;
+  const now = new Date();
+  const diffMs = expiresAt.getTime() - now.getTime();
+  const diffDays = diffMs / (1000 * 60 * 60 * 24);
+
+  // 3 months is roughly 89-92 days. Allow a generous range.
+  expect(diffDays).toBeGreaterThan(80);
+  expect(diffDays).toBeLessThan(100);
+});
+
+test('[ENVELOPE_EXPIRATION]: sending document with custom org expiration period', async ({
+  request,
+}) => {
+  const { user, organisation, team } = await seedUser();
+
+  // Set org expiration to 7 days.
+  await prisma.organisationGlobalSettings.update({
+    where: { id: organisation.organisationGlobalSettingsId },
+    data: { envelopeExpirationPeriod: { unit: 'day', amount: 7 } },
+  });
+
+  const { token } = await createApiToken({
+    userId: user.id,
+    teamId: team.id,
+    tokenName: 'test-expiration-custom',
+    expiresIn: null,
+  });
+
+  const createPayload: TCreateEnvelopePayload = {
+    type: EnvelopeType.DOCUMENT,
+    title: '[TEST] Custom Expiration Send Test',
+    recipients: [
+      {
+        email: 'signer-custom@test.documenso.com',
+        name: 'Signer Custom',
+        role: RecipientRole.SIGNER,
+        fields: [
+          {
+            type: 'SIGNATURE',
+            page: 1,
+            positionX: 10,
+            positionY: 10,
+            width: 10,
+            height: 5,
+            fieldMeta: { type: 'signature' },
+          },
+        ],
+      },
+    ],
+  };
+
+  const formData = new FormData();
+  formData.append('payload', JSON.stringify(createPayload));
+  formData.append('files', new File([examplePdf], 'example.pdf', { type: 'application/pdf' }));
+
+  const createRes = await request.post(`${baseUrl}/envelope/create`, {
+    headers: { Authorization: `Bearer ${token}` },
+    multipart: formData,
+  });
+
+  expect(createRes.ok()).toBeTruthy();
+
+  const { id: envelopeId }: TCreateEnvelopeResponse = await createRes.json();
+
+  const distributeRes = await request.post(`${baseUrl}/envelope/distribute`, {
+    headers: { Authorization: `Bearer ${token}` },
+    data: { envelopeId } satisfies TDistributeEnvelopeRequest,
+  });
+
+  expect(distributeRes.ok()).toBeTruthy();
+
+  const recipients = await prisma.recipient.findMany({
+    where: { envelopeId },
+  });
+
+  expect(recipients.length).toBe(1);
+  expect(recipients[0].expiresAt).not.toBeNull();
+
+  // 7 days expiration.
+  const expiresAt = recipients[0].expiresAt!;
+  const now = new Date();
+  const diffMs = expiresAt.getTime() - now.getTime();
+  const diffDays = diffMs / (1000 * 60 * 60 * 24);
+
+  expect(diffDays).toBeGreaterThan(6);
+  expect(diffDays).toBeLessThan(8);
+});
+
+test('[ENVELOPE_EXPIRATION]: sending document with expiration disabled', async ({ request }) => {
+  const { user, organisation, team } = await seedUser();
+
+  // Disable expiration at org level.
+  await prisma.organisationGlobalSettings.update({
+    where: { id: organisation.organisationGlobalSettingsId },
+    data: { envelopeExpirationPeriod: { disabled: true } },
+  });
+
+  const { token } = await createApiToken({
+    userId: user.id,
+    teamId: team.id,
+    tokenName: 'test-expiration-disabled',
+    expiresIn: null,
+  });
+
+  const createPayload: TCreateEnvelopePayload = {
+    type: EnvelopeType.DOCUMENT,
+    title: '[TEST] Disabled Expiration Send Test',
+    recipients: [
+      {
+        email: 'signer-disabled@test.documenso.com',
+        name: 'Signer Disabled',
+        role: RecipientRole.SIGNER,
+        fields: [
+          {
+            type: 'SIGNATURE',
+            page: 1,
+            positionX: 10,
+            positionY: 10,
+            width: 10,
+            height: 5,
+            fieldMeta: { type: 'signature' },
+          },
+        ],
+      },
+    ],
+  };
+
+  const formData = new FormData();
+  formData.append('payload', JSON.stringify(createPayload));
+  formData.append('files', new File([examplePdf], 'example.pdf', { type: 'application/pdf' }));
+
+  const createRes = await request.post(`${baseUrl}/envelope/create`, {
+    headers: { Authorization: `Bearer ${token}` },
+    multipart: formData,
+  });
+
+  expect(createRes.ok()).toBeTruthy();
+
+  const { id: envelopeId }: TCreateEnvelopeResponse = await createRes.json();
+
+  const distributeRes = await request.post(`${baseUrl}/envelope/distribute`, {
+    headers: { Authorization: `Bearer ${token}` },
+    data: { envelopeId } satisfies TDistributeEnvelopeRequest,
+  });
+
+  expect(distributeRes.ok()).toBeTruthy();
+
+  const recipients = await prisma.recipient.findMany({
+    where: { envelopeId },
+  });
+
+  expect(recipients.length).toBe(1);
+  expect(recipients[0].expiresAt).toBeNull();
+});
+
+test('[ENVELOPE_EXPIRATION]: resending refreshes expiresAt', async ({ page }) => {
+  const { user, team } = await seedUser();
+
+  const document = await seedPendingDocument(user, team.id, ['resend-target@test.documenso.com']);
+
+  const recipient = document.recipients[0];
+
+  // Set an initial expiresAt that's 1 day from now.
+  const initialExpiresAt = new Date(Date.now() + 24 * 60 * 60 * 1000);
+
+  await prisma.recipient.update({
+    where: { id: recipient.id },
+    data: { expiresAt: initialExpiresAt },
+  });
+
+  await apiSignin({
+    page,
+    email: user.email,
+    redirectPath: `/t/${team.url}/documents?status=PENDING`,
+  });
+
+  // Open the document action menu and click Resend.
+  const actionBtn = page.getByTestId('document-table-action-btn').first();
+  await expect(actionBtn).toBeAttached();
+  await openDropdownMenu(page, actionBtn);
+  await expect(page.getByRole('menuitem', { name: 'Resend' })).toBeVisible();
+  await page.getByRole('menuitem', { name: 'Resend' }).click();
+
+  // Select the recipient and send.
+  await page.getByLabel('test.documenso.com').first().click();
+  await page.getByRole('button', { name: 'Send reminder' }).click();
+
+  await expect(page.getByText('Document re-sent', { exact: true })).toBeVisible({
+    timeout: 10_000,
+  });
+
+  // Verify expiresAt was refreshed.
+  await expect(async () => {
+    const updatedRecipient = await prisma.recipient.findUniqueOrThrow({
+      where: { id: recipient.id },
+    });
+
+    expect(updatedRecipient.expiresAt).not.toBeNull();
+    expect(updatedRecipient.expiresAt!.getTime()).toBeGreaterThan(initialExpiresAt.getTime());
+  }).toPass({ timeout: 10_000 });
+});
@@ -0,0 +1,150 @@
+import { expect, test } from '@playwright/test';
+
+import { getTeamSettings } from '@documenso/lib/server-only/team/get-team-settings';
+import { prisma } from '@documenso/prisma';
+import { seedUser } from '@documenso/prisma/seed/users';
+
+import { apiSignin } from '../fixtures/authentication';
+
+test.describe.configure({ mode: 'parallel' });
+
+test('[ENVELOPE_EXPIRATION]: set custom expiration period at organisation level', async ({
+  page,
+}) => {
+  const { user, organisation } = await seedUser({
+    isPersonalOrganisation: false,
+  });
+
+  await apiSignin({
+    page,
+    email: user.email,
+    redirectPath: `/o/${organisation.url}/settings/document`,
+  });
+
+  // Wait for the form to load.
+  await expect(page.getByRole('button', { name: 'Update' }).first()).toBeVisible();
+
+  // Change the amount to 2.
+  const amountInput = page.getByRole('spinbutton');
+  await amountInput.clear();
+  await amountInput.fill('2');
+
+  // Find all triggers, the unit picker is the one showing Months/Days/etc.
+  // In the duration mode, there's a mode select and a unit select.
+  // The unit select is inside the duration row, after the number input.
+  // Let's find the select trigger that contains the unit text.
+  const unitTrigger = page
+    .locator('button[role="combobox"]')
+    .filter({ hasText: /Months|Days|Weeks|Years/ });
+
+  await unitTrigger.click();
+  await page.getByRole('option', { name: 'Weeks' }).click();
+
+  await page.getByRole('button', { name: 'Update' }).first().click();
+  await expect(page.getByText('Your document preferences have been updated').first()).toBeVisible();
+
+  // Verify via database.
+  const orgSettings = await prisma.organisationGlobalSettings.findUniqueOrThrow({
+    where: { id: organisation.organisationGlobalSettingsId },
+  });
+
+  expect(orgSettings.envelopeExpirationPeriod).toEqual({ unit: 'week', amount: 2 });
+});
+
+test('[ENVELOPE_EXPIRATION]: disable expiration at organisation level', async ({ page }) => {
+  const { user, organisation } = await seedUser({
+    isPersonalOrganisation: false,
+  });
+
+  await apiSignin({
+    page,
+    email: user.email,
+    redirectPath: `/o/${organisation.url}/settings/document`,
+  });
+
+  await expect(page.getByRole('button', { name: 'Update' }).first()).toBeVisible();
+
+  // Find the mode select (shows "Custom duration") and change to "Never expires".
+  const modeTrigger = page
+    .locator('button[role="combobox"]')
+    .filter({ hasText: 'Custom duration' });
+  await modeTrigger.click();
+  await page.getByRole('option', { name: 'Never expires' }).click();
+
+  await page.getByRole('button', { name: 'Update' }).first().click();
+  await expect(page.getByText('Your document preferences have been updated').first()).toBeVisible();
+
+  // Verify via database.
+  const orgSettings = await prisma.organisationGlobalSettings.findUniqueOrThrow({
+    where: { id: organisation.organisationGlobalSettingsId },
+  });
+
+  expect(orgSettings.envelopeExpirationPeriod).toEqual({ disabled: true });
+});
+
+test('[ENVELOPE_EXPIRATION]: team inherits expiration from organisation', async () => {
+  const { organisation, team } = await seedUser({
+    isPersonalOrganisation: false,
+  });
+
+  // Set org expiration to 2 weeks directly.
+  await prisma.organisationGlobalSettings.update({
+    where: { id: organisation.organisationGlobalSettingsId },
+    data: { envelopeExpirationPeriod: { unit: 'week', amount: 2 } },
+  });
+
+  // Verify team settings inherit the org setting.
+  const teamSettings = await getTeamSettings({ teamId: team.id });
+
+  expect(teamSettings.envelopeExpirationPeriod).toEqual({ unit: 'week', amount: 2 });
+});
+
+test('[ENVELOPE_EXPIRATION]: team overrides organisation expiration', async ({ page }) => {
+  const { user, organisation, team } = await seedUser({
+    isPersonalOrganisation: false,
+  });
+
+  // Set org expiration to 2 weeks.
+  await prisma.organisationGlobalSettings.update({
+    where: { id: organisation.organisationGlobalSettingsId },
+    data: { envelopeExpirationPeriod: { unit: 'week', amount: 2 } },
+  });
+
+  await apiSignin({
+    page,
+    email: user.email,
+    redirectPath: `/t/${team.url}/settings/document`,
+  });
+
+  await expect(page.getByRole('button', { name: 'Update' }).first()).toBeVisible();
+
+  // Scope to the "Default Envelope Expiration" form field section.
+  const expirationSection = page.getByText('Default Envelope Expiration').locator('..');
+
+  // The expiration picker mode select should show "Inherit from organisation" by default.
+  const modeTrigger = expirationSection.locator('button[role="combobox"]').first();
+  await expect(modeTrigger).toBeVisible();
+
+  // Switch to custom duration.
+  await modeTrigger.click();
+  await page.getByRole('option', { name: 'Custom duration' }).click();
+
+  // Set to 5 days.
+  const amountInput = expirationSection.getByRole('spinbutton');
+  await amountInput.clear();
+  await amountInput.fill('5');
+
+  const unitTrigger = expirationSection
+    .locator('button[role="combobox"]')
+    .filter({ hasText: /Months|Days|Weeks|Years/ });
+  await unitTrigger.click();
+  await page.getByRole('option', { name: 'Days' }).click();
+
+  await page.getByRole('button', { name: 'Update' }).first().click();
+  await expect(page.getByText('Your document preferences have been updated').first()).toBeVisible();
+
+  // Verify team setting is overridden.
+  const teamSettings = await getTeamSettings({ teamId: team.id });
+
+  expect(teamSettings.envelopeExpirationPeriod).toEqual({ unit: 'day', amount: 5 });
+});
@@ -0,0 +1,131 @@
+import { expect, test } from '@playwright/test';
+
+import { prisma } from '@documenso/prisma';
+import { FieldType } from '@documenso/prisma/client';
+import { seedPendingDocumentWithFullFields } from '@documenso/prisma/seed/documents';
+import { seedUser } from '@documenso/prisma/seed/users';
+
+import { apiSignin } from '../fixtures/authentication';
+import { signSignaturePad } from '../fixtures/signature';
+
+test.describe.configure({ mode: 'parallel' });
+
+test('[ENVELOPE_EXPIRATION]: expired recipient is redirected to expired page', async ({ page }) => {
+  const { user, team } = await seedUser();
+
+  const { recipients } = await seedPendingDocumentWithFullFields({
+    owner: user,
+    recipients: ['expired-recipient@test.documenso.com'],
+    teamId: team.id,
+  });
+
+  const recipient = recipients[0];
+
+  // Set expiresAt to the past so the recipient is expired.
+  await prisma.recipient.update({
+    where: { id: recipient.id },
+    data: { expiresAt: new Date(Date.now() - 60_000) },
+  });
+
+  await page.goto(`/sign/${recipient.token}`);
+  await page.waitForURL(`/sign/${recipient.token}/expired`);
+
+  await expect(page.getByText('Signing Deadline Expired')).toBeVisible();
+  await expect(page.getByText('The signing deadline for this document has passed')).toBeVisible();
+});
+
+test('[ENVELOPE_EXPIRATION]: non-expired recipient can access signing page', async ({ page }) => {
+  const { user, team } = await seedUser();
+
+  const { recipients } = await seedPendingDocumentWithFullFields({
+    owner: user,
+    recipients: ['active-recipient@test.documenso.com'],
+    teamId: team.id,
+  });
+
+  const recipient = recipients[0];
+
+  // Set expiresAt to 1 hour in the future.
+  await prisma.recipient.update({
+    where: { id: recipient.id },
+    data: { expiresAt: new Date(Date.now() + 60 * 60 * 1000) },
+  });
+
+  await page.goto(`/sign/${recipient.token}`);
+
+  await expect(page.getByRole('heading', { name: 'Sign Document' })).toBeVisible();
+});
+
+test('[ENVELOPE_EXPIRATION]: recipient with null expiresAt can sign normally', async ({ page }) => {
+  const { user, team } = await seedUser();
+
+  const { recipients } = await seedPendingDocumentWithFullFields({
+    owner: user,
+    recipients: ['null-expiry@test.documenso.com'],
+    teamId: team.id,
+  });
+
+  const recipient = recipients[0];
+
+  // Verify expiresAt is null (default from seed).
+  const dbRecipient = await prisma.recipient.findUniqueOrThrow({
+    where: { id: recipient.id },
+  });
+
+  expect(dbRecipient.expiresAt).toBeNull();
+
+  await page.goto(`/sign/${recipient.token}`);
+
+  await expect(page.getByRole('heading', { name: 'Sign Document' })).toBeVisible();
+});
+
+test('[ENVELOPE_EXPIRATION]: expired recipient cannot complete signing', async ({ page }) => {
+  const { user, team } = await seedUser();
+
+  // Use only a SIGNATURE field to simplify the signing flow.
+  const { recipients } = await seedPendingDocumentWithFullFields({
+    owner: user,
+    recipients: [user],
+    teamId: team.id,
+    fields: [FieldType.SIGNATURE],
+  });
+
+  const recipient = recipients[0];
+
+  await apiSignin({
+    page,
+    email: user.email,
+    redirectPath: `/sign/${recipient.token}`,
+  });
+
+  await expect(page.getByRole('heading', { name: 'Sign Document' })).toBeVisible();
+
+  // Now expire the recipient while they're on the signing page.
+  await prisma.recipient.update({
+    where: { id: recipient.id },
+    data: { expiresAt: new Date(Date.now() - 1_000) },
+  });
+
+  // Set up signature.
+  await signSignaturePad(page);
+
+  // Click the signature field to attempt to insert it.
+  // The server will reject because the recipient is now expired.
+  const signatureField = recipient.fields.find((f) => f.type === FieldType.SIGNATURE);
+
+  if (signatureField) {
+    await page.locator(`#field-${signatureField.id}`).getByRole('button').click();
+  }
+
+  // The server should reject the signing attempt because the recipient has expired.
+  // Verify the field was NOT inserted (stays data-inserted="false").
+  if (signatureField) {
+    await expect(async () => {
+      const field = await prisma.field.findUniqueOrThrow({
+        where: { id: signatureField.id },
+      });
+
+      expect(field.inserted).toBe(false);
+    }).toPass({ timeout: 10_000 });
+  }
+});
@@ -205,9 +205,13 @@ test('[ORGANISATIONS]: manage email preferences', async ({ page }) => {
  await page.getByRole('textbox', { name: 'Reply to email' }).fill('organisation@documenso.com');

  // Update email document settings by enabling/disabling some checkboxes
-  await page.getByRole('checkbox', { name: 'Send recipient signed email' }).uncheck();
-  await page.getByRole('checkbox', { name: 'Send document pending email' }).uncheck();
-  await page.getByRole('checkbox', { name: 'Send document deleted email' }).uncheck();
+  await page.getByRole('checkbox', { name: 'Email the owner when a recipient signs' }).uncheck();
+  await page
+    .getByRole('checkbox', { name: 'Email the signer if the document is still pending' })
+    .uncheck();
+  await page
+    .getByRole('checkbox', { name: 'Email recipients when a pending document is deleted' })
+    .uncheck();

  await page.getByRole('button', { name: 'Update' }).first().click();
  await expect(page.getByText('Your email preferences have been updated').first()).toBeVisible();
@@ -225,6 +229,7 @@ test('[ORGANISATIONS]: manage email preferences', async ({ page }) => {
    documentPending: false, // unchecked
    documentCompleted: true,
    documentDeleted: false, // unchecked
+    ownerRecipientExpired: true,
    ownerDocumentCompleted: true,
  });

@@ -240,12 +245,12 @@ test('[ORGANISATIONS]: manage email preferences', async ({ page }) => {
  await page.getByRole('option', { name: 'Override organisation settings' }).click();

  // Update some email settings
-  await page.getByRole('checkbox', { name: 'Send recipient signing request email' }).uncheck();
+  await page.getByRole('checkbox', { name: 'Email recipients with a signing request' }).uncheck();
  await page
-    .getByRole('checkbox', { name: 'Send document completed email', exact: true })
+    .getByRole('checkbox', { name: 'Email recipients when the document is completed', exact: true })
    .uncheck();
  await page
-    .getByRole('checkbox', { name: 'Send document completed email to the owner' })
+    .getByRole('checkbox', { name: 'Email the owner when the document is completed' })
    .uncheck();

  await page.getByRole('button', { name: 'Update' }).first().click();
@@ -264,6 +269,7 @@ test('[ORGANISATIONS]: manage email preferences', async ({ page }) => {
    documentPending: true,
    documentCompleted: false,
    documentDeleted: true,
+    ownerRecipientExpired: true,
    ownerDocumentCompleted: false,
  });

@@ -284,6 +290,7 @@ test('[ORGANISATIONS]: manage email preferences', async ({ page }) => {
    documentPending: true,
    documentCompleted: false,
    documentDeleted: true,
+    ownerRecipientExpired: true,
    ownerDocumentCompleted: false,
  });

@@ -309,6 +316,7 @@ test('[ORGANISATIONS]: manage email preferences', async ({ page }) => {
    documentPending: false,
    documentCompleted: true,
    documentDeleted: false,
+    ownerRecipientExpired: true,
    ownerDocumentCompleted: true,
  });

@@ -329,6 +337,7 @@ test('[ORGANISATIONS]: manage email preferences', async ({ page }) => {
    documentPending: false,
    documentCompleted: true,
    documentDeleted: false,
+    ownerRecipientExpired: true,
    ownerDocumentCompleted: true,
  });
 });
@@ -5,6 +5,8 @@ import { deleteCookie } from 'hono/cookie';

 import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
 import { onCreateUserHook } from '@documenso/lib/server-only/user/create-user';
+import { deletedServiceAccountEmail } from '@documenso/lib/server-only/user/service-accounts/deleted-account';
+import { legacyServiceAccountEmail } from '@documenso/lib/server-only/user/service-accounts/legacy-service-account';
 import { isValidReturnTo, normalizeReturnTo } from '@documenso/lib/utils/is-valid-return-to';
 import { prisma } from '@documenso/prisma';

@@ -26,6 +28,13 @@ export const handleOAuthCallbackUrl = async (options: HandleOAuthCallbackUrlOpti
  const { email, name, sub, accessToken, accessTokenExpiresAt, idToken, redirectPath } =
    await validateOauth({ c, clientOptions });

+  if (
+    email.toLowerCase() === legacyServiceAccountEmail() ||
+    email.toLowerCase() === deletedServiceAccountEmail()
+  ) {
+    return c.text('FORBIDDEN', 403);
+  }
+
  // Find the account if possible.
  const existingAccount = await prisma.account.findFirst({
    where: {
@@ -2,6 +2,7 @@ import { sValidator } from '@hono/standard-validator';
 import { compare } from '@node-rs/bcrypt';
 import { UserSecurityAuditLogType } from '@prisma/client';
 import { Hono } from 'hono';
+import { HTTPException } from 'hono/http-exception';
 import { DateTime } from 'luxon';
 import { z } from 'zod';

@@ -14,10 +15,22 @@ import { isTwoFactorAuthenticationEnabled } from '@documenso/lib/server-only/2fa
 import { setupTwoFactorAuthentication } from '@documenso/lib/server-only/2fa/setup-2fa';
 import { validateTwoFactorAuthentication } from '@documenso/lib/server-only/2fa/validate-2fa';
 import { viewBackupCodes } from '@documenso/lib/server-only/2fa/view-backup-codes';
+import { rateLimitResponse } from '@documenso/lib/server-only/rate-limit/rate-limit-middleware';
+import {
+  forgotPasswordRateLimit,
+  loginRateLimit,
+  resendVerifyEmailRateLimit,
+  resetPasswordRateLimit,
+  signupRateLimit,
+  verifyEmailRateLimit,
+} from '@documenso/lib/server-only/rate-limit/rate-limits';
 import { createUser } from '@documenso/lib/server-only/user/create-user';
 import { forgotPassword } from '@documenso/lib/server-only/user/forgot-password';
 import { getMostRecentEmailVerificationToken } from '@documenso/lib/server-only/user/get-most-recent-email-verification-token';
+import { getUserByResetToken } from '@documenso/lib/server-only/user/get-user-by-reset-token';
 import { resetPassword } from '@documenso/lib/server-only/user/reset-password';
+import { deletedServiceAccountEmail } from '@documenso/lib/server-only/user/service-accounts/deleted-account';
+import { legacyServiceAccountEmail } from '@documenso/lib/server-only/user/service-accounts/legacy-service-account';
 import { updatePassword } from '@documenso/lib/server-only/user/update-password';
 import { verifyEmail } from '@documenso/lib/server-only/user/verify-email';
 import { env } from '@documenso/lib/utils/env';
@@ -48,6 +61,19 @@ export const emailPasswordRoute = new Hono<HonoAuthContext>()

    const { email, password, totpCode, backupCode, csrfToken } = c.req.valid('json');

+    const loginLimitResult = await loginRateLimit.check({
+      ip: requestMetadata.ipAddress ?? 'unknown',
+      identifier: email,
+    });
+
+    const loginLimited = rateLimitResponse(c, loginLimitResult);
+
+    if (loginLimited) {
+      throw new HTTPException(429, {
+        res: loginLimited,
+      });
+    }
+
    const csrfCookieToken = await getCsrfCookie(c);

    // Todo: (RR7) Add logging here.
@@ -57,6 +83,13 @@ export const emailPasswordRoute = new Hono<HonoAuthContext>()
      });
    }

+    if (
+      email.toLowerCase() === legacyServiceAccountEmail() ||
+      email.toLowerCase() === deletedServiceAccountEmail()
+    ) {
+      return c.text('FORBIDDEN', 403);
+    }
+
    const user = await prisma.user.findFirst({
      where: {
        email: email.toLowerCase(),
@@ -142,6 +175,8 @@ export const emailPasswordRoute = new Hono<HonoAuthContext>()
   * Signup endpoint.
   */
  .post('/signup', sValidator('json', ZSignUpSchema), async (c) => {
+    const requestMetadata = c.get('requestMetadata');
+
    if (env('NEXT_PUBLIC_DISABLE_SIGNUP') === 'true') {
      throw new AppError('SIGNUP_DISABLED', {
        message: 'Signups are disabled.',
@@ -150,6 +185,18 @@ export const emailPasswordRoute = new Hono<HonoAuthContext>()

    const { name, email, password, signature } = c.req.valid('json');

+    const signupLimitResult = await signupRateLimit.check({
+      ip: requestMetadata.ipAddress ?? 'unknown',
+    });
+
+    const signupLimited = rateLimitResponse(c, signupLimitResult);
+
+    if (signupLimited) {
+      throw new HTTPException(429, {
+        res: signupLimited,
+      });
+    }
+
    const user = await createUser({ name, email, password, signature }).catch((err) => {
      console.error(err);
      throw err;
@@ -209,7 +256,24 @@ export const emailPasswordRoute = new Hono<HonoAuthContext>()
   * Verify email endpoint.
   */
  .post('/verify-email', sValidator('json', ZVerifyEmailSchema), async (c) => {
-    const { state, userId } = await verifyEmail({ token: c.req.valid('json').token });
+    const requestMetadata = c.get('requestMetadata');
+
+    const { token } = c.req.valid('json');
+
+    const verifyLimitResult = await verifyEmailRateLimit.check({
+      ip: requestMetadata.ipAddress ?? 'unknown',
+      identifier: token,
+    });
+
+    const verifyLimited = rateLimitResponse(c, verifyLimitResult);
+
+    if (verifyLimited) {
+      throw new HTTPException(429, {
+        res: verifyLimited,
+      });
+    }
+
+    const { state, userId } = await verifyEmail({ token });

    // If email is verified, automatically authenticate user.
    if (state === EMAIL_VERIFICATION_STATE.VERIFIED && userId !== null) {
@@ -224,8 +288,23 @@ export const emailPasswordRoute = new Hono<HonoAuthContext>()
   * Resend verification email endpoint.
   */
  .post('/resend-verify-email', sValidator('json', ZResendVerifyEmailSchema), async (c) => {
+    const requestMetadata = c.get('requestMetadata');
+
    const { email } = c.req.valid('json');

+    const resendLimitResult = await resendVerifyEmailRateLimit.check({
+      ip: requestMetadata.ipAddress ?? 'unknown',
+      identifier: email,
+    });
+
+    const resendLimited = rateLimitResponse(c, resendLimitResult);
+
+    if (resendLimited) {
+      throw new HTTPException(429, {
+        res: resendLimited,
+      });
+    }
+
    await jobsClient.triggerJob({
      name: 'send.signup.confirmation.email',
      payload: {
@@ -239,8 +318,30 @@ export const emailPasswordRoute = new Hono<HonoAuthContext>()
   * Forgot password endpoint.
   */
  .post('/forgot-password', sValidator('json', ZForgotPasswordSchema), async (c) => {
+    const requestMetadata = c.get('requestMetadata');
+
    const { email } = c.req.valid('json');

+    const forgotLimitResult = await forgotPasswordRateLimit.check({
+      ip: requestMetadata.ipAddress ?? 'unknown',
+      identifier: email,
+    });
+
+    const forgotLimited = rateLimitResponse(c, forgotLimitResult);
+
+    if (forgotLimited) {
+      throw new HTTPException(429, {
+        res: forgotLimited,
+      });
+    }
+
+    if (
+      email.toLowerCase() === legacyServiceAccountEmail() ||
+      email.toLowerCase() === deletedServiceAccountEmail()
+    ) {
+      return c.text('FORBIDDEN', 403);
+    }
+
    await forgotPassword({
      email,
    });
@@ -251,9 +352,31 @@ export const emailPasswordRoute = new Hono<HonoAuthContext>()
   * Reset password endpoint.
   */
  .post('/reset-password', sValidator('json', ZResetPasswordSchema), async (c) => {
+    const requestMetadata = c.get('requestMetadata');
+
    const { token, password } = c.req.valid('json');

-    const requestMetadata = c.get('requestMetadata');
+    const resetLimitResult = await resetPasswordRateLimit.check({
+      ip: requestMetadata.ipAddress ?? 'unknown',
+      identifier: token,
+    });
+
+    const resetLimited = rateLimitResponse(c, resetLimitResult);
+
+    if (resetLimited) {
+      throw new HTTPException(429, {
+        res: resetLimited,
+      });
+    }
+
+    const user = await getUserByResetToken({ token });
+
+    if (
+      user.email.toLowerCase() === legacyServiceAccountEmail() ||
+      user.email.toLowerCase() === deletedServiceAccountEmail()
+    ) {
+      return c.text('FORBIDDEN', 403);
+    }

    const { userId } = await resetPassword({
      token,
@@ -3,8 +3,13 @@ import { UserSecurityAuditLogType } from '@prisma/client';
 import { verifyAuthenticationResponse } from '@simplewebauthn/server';
 import { isoBase64URL } from '@simplewebauthn/server/helpers';
 import { Hono } from 'hono';
+import { HTTPException } from 'hono/http-exception';

 import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import { rateLimitResponse } from '@documenso/lib/server-only/rate-limit/rate-limit-middleware';
+import { passkeyRateLimit } from '@documenso/lib/server-only/rate-limit/rate-limits';
+import { deletedServiceAccountEmail } from '@documenso/lib/server-only/user/service-accounts/deleted-account';
+import { legacyServiceAccountEmail } from '@documenso/lib/server-only/user/service-accounts/legacy-service-account';
 import type { TAuthenticationResponseJSONSchema } from '@documenso/lib/types/webauthn';
 import { ZAuthenticationResponseJSONSchema } from '@documenso/lib/types/webauthn';
 import { getAuthenticatorOptions } from '@documenso/lib/utils/authenticator';
@@ -21,6 +26,18 @@ export const passkeyRoute = new Hono<HonoAuthContext>()
  .post('/authorize', sValidator('json', ZPasskeyAuthorizeSchema), async (c) => {
    const requestMetadata = c.get('requestMetadata');

+    const passkeyLimitResult = await passkeyRateLimit.check({
+      ip: requestMetadata.ipAddress ?? 'unknown',
+    });
+
+    const passkeyLimited = rateLimitResponse(c, passkeyLimitResult);
+
+    if (passkeyLimited) {
+      throw new HTTPException(429, {
+        res: passkeyLimited,
+      });
+    }
+
    const { csrfToken, credential } = c.req.valid('json');

    if (typeof csrfToken !== 'string' || csrfToken.length === 0) {
@@ -74,6 +91,13 @@ export const passkeyRoute = new Hono<HonoAuthContext>()

    const user = passkey.user;

+    if (
+      user.email.toLowerCase() === legacyServiceAccountEmail() ||
+      user.email.toLowerCase() === deletedServiceAccountEmail()
+    ) {
+      return c.text('FORBIDDEN', 403);
+    }
+
    const { rpId, origin } = getAuthenticatorOptions();

    const verification = await verifyAuthenticationResponse({
@@ -1,19 +1,89 @@
 import { SubscriptionStatus } from '@prisma/client';

+import { createOrganisationClaimUpsertData } from '@documenso/lib/server-only/organisation/create-organisation';
 import type { Stripe } from '@documenso/lib/server-only/stripe';
+import { INTERNAL_CLAIM_ID, internalClaims } from '@documenso/lib/types/subscription';
 import { prisma } from '@documenso/prisma';

+import { extractStripeClaimId } from './on-subscription-updated';
+
 export type OnSubscriptionDeletedOptions = {
  subscription: Stripe.Subscription;
 };

 export const onSubscriptionDeleted = async ({ subscription }: OnSubscriptionDeletedOptions) => {
-  await prisma.subscription.update({
+  const existingSubscription = await prisma.subscription.findUnique({
    where: {
      planId: subscription.id,
    },
+    include: {
+      organisation: {
+        include: {
+          organisationClaim: true,
+        },
+      },
+    },
+  });
+
+  // If the subscription doesn't exist, we don't need to do anything.
+  if (!existingSubscription) {
+    return;
+  }
+
+  const subscriptionClaimId = await extractClaimIdFromStripeSubscription(subscription);
+
+  // Individuals get their subscription deleted so they can return to the
+  // free plan.
+  if (subscriptionClaimId === INTERNAL_CLAIM_ID.INDIVIDUAL) {
+    await prisma.$transaction(async (tx) => {
+      await tx.subscription.delete({
+        where: {
+          id: existingSubscription.id,
+        },
+      });
+
+      await tx.organisationClaim.update({
+        where: {
+          id: existingSubscription.organisation.organisationClaim.id,
+        },
+        data: {
+          originalSubscriptionClaimId: INTERNAL_CLAIM_ID.FREE,
+          ...createOrganisationClaimUpsertData(internalClaims[INTERNAL_CLAIM_ID.FREE]),
+        },
+      });
+    });
+
+    return;
+  }
+
+  // For all other cases, mark the subscription as inactive since
+  // they should still have a "Personal" account.
+  await prisma.subscription.update({
+    where: {
+      id: existingSubscription.id,
+    },
    data: {
      status: SubscriptionStatus.INACTIVE,
    },
  });
 };
+
+/**
+ * Extracts the claim ID from the Stripe subscription.
+ *
+ * Returns `null` if no claim ID found.
+ */
+const extractClaimIdFromStripeSubscription = async (subscription: Stripe.Subscription) => {
+  const deletedItem = subscription.items.data[0];
+
+  if (!deletedItem) {
+    return null;
+  }
+
+  try {
+    return await extractStripeClaimId(deletedItem.price);
+  } catch (error) {
+    console.error(error);
+    return null;
+  }
+};
@@ -0,0 +1,54 @@
+import { Trans } from '@lingui/react/macro';
+
+import { Button, Section, Text } from '../components';
+import { TemplateDocumentImage } from './template-document-image';
+
+export type TemplateRecipientExpiredProps = {
+  documentName: string;
+  recipientName: string;
+  recipientEmail: string;
+  documentLink: string;
+  assetBaseUrl: string;
+};
+
+export const TemplateRecipientExpired = ({
+  documentName,
+  recipientName,
+  recipientEmail,
+  documentLink,
+  assetBaseUrl,
+}: TemplateRecipientExpiredProps) => {
+  const displayName = recipientName || recipientEmail;
+
+  return (
+    <>
+      <TemplateDocumentImage className="mt-6" assetBaseUrl={assetBaseUrl} />
+
+      <Section>
+        <Text className="mx-auto mb-0 max-w-[80%] text-center text-lg font-semibold text-primary">
+          <Trans>
+            Signing window expired for "{displayName}" on "{documentName}"
+          </Trans>
+        </Text>
+
+        <Text className="my-1 text-center text-base text-slate-400">
+          <Trans>
+            The signing window for {displayName} on document "{documentName}" has expired. You can
+            resend the document to extend their deadline or cancel the document.
+          </Trans>
+        </Text>
+
+        <Section className="my-4 text-center">
+          <Button
+            className="inline-flex items-center justify-center rounded-lg bg-documenso-500 px-6 py-3 text-center text-sm font-medium text-white no-underline"
+            href={documentLink}
+          >
+            <Trans>View Document</Trans>
+          </Button>
+        </Section>
+      </Section>
+    </>
+  );
+};
+
+export default TemplateRecipientExpired;
@@ -0,0 +1,68 @@
+import { msg } from '@lingui/core/macro';
+import { useLingui } from '@lingui/react';
+
+import { Body, Container, Head, Hr, Html, Img, Preview, Section } from '../components';
+import { useBranding } from '../providers/branding';
+import { TemplateFooter } from '../template-components/template-footer';
+import type { TemplateRecipientExpiredProps } from '../template-components/template-recipient-expired';
+import { TemplateRecipientExpired } from '../template-components/template-recipient-expired';
+
+export type RecipientExpiredEmailTemplateProps = Partial<TemplateRecipientExpiredProps>;
+
+export const RecipientExpiredTemplate = ({
+  documentName = 'Open Source Pledge.pdf',
+  recipientName = 'John Doe',
+  recipientEmail = 'john@example.com',
+  documentLink = 'https://documenso.com',
+  assetBaseUrl = 'http://localhost:3002',
+}: RecipientExpiredEmailTemplateProps) => {
+  const { _ } = useLingui();
+  const branding = useBranding();
+
+  const previewText = msg`The signing window for "${recipientName}" on document "${documentName}" has expired.`;
+
+  const getAssetUrl = (path: string) => {
+    return new URL(path, assetBaseUrl).toString();
+  };
+
+  return (
+    <Html>
+      <Head />
+      <Preview>{_(previewText)}</Preview>
+
+      <Body className="mx-auto my-auto bg-white font-sans">
+        <Section>
+          <Container className="mx-auto mb-2 mt-8 max-w-xl rounded-lg border border-solid border-slate-200 p-4 backdrop-blur-sm">
+            <Section>
+              {branding.brandingEnabled && branding.brandingLogo ? (
+                <Img src={branding.brandingLogo} alt="Branding Logo" className="mb-4 h-6" />
+              ) : (
+                <Img
+                  src={getAssetUrl('/static/logo.png')}
+                  alt="Documenso Logo"
+                  className="mb-4 h-6"
+                />
+              )}
+
+              <TemplateRecipientExpired
+                documentName={documentName}
+                recipientName={recipientName}
+                recipientEmail={recipientEmail}
+                documentLink={documentLink}
+                assetBaseUrl={assetBaseUrl}
+              />
+            </Section>
+          </Container>
+
+          <Hr className="mx-auto mt-12 max-w-xl" />
+
+          <Container className="mx-auto max-w-xl">
+            <TemplateFooter />
+          </Container>
+        </Section>
+      </Body>
+    </Html>
+  );
+};
+
+export default RecipientExpiredTemplate;
@@ -8,8 +8,6 @@ export const DOCUMENSO_INTERNAL_EMAIL = {
  address: FROM_ADDRESS,
 };

-export const SERVICE_USER_EMAIL = 'serviceaccount@documenso.com';
-
 export const EMAIL_VERIFICATION_STATE = {
  NOT_FOUND: 'NOT_FOUND',
  VERIFIED: 'VERIFIED',
@@ -0,0 +1,66 @@
+import type { DurationLikeObject } from 'luxon';
+import { Duration } from 'luxon';
+import { z } from 'zod';
+
+export const ZEnvelopeExpirationDurationPeriod = z.object({
+  unit: z.enum(['day', 'week', 'month', 'year']),
+  amount: z.number().int().min(1),
+});
+
+export const ZEnvelopeExpirationDisabledPeriod = z.object({
+  disabled: z.literal(true),
+});
+
+export const ZEnvelopeExpirationPeriod = z.union([
+  ZEnvelopeExpirationDurationPeriod,
+  ZEnvelopeExpirationDisabledPeriod,
+]);
+
+export type TEnvelopeExpirationPeriod = z.infer<typeof ZEnvelopeExpirationPeriod>;
+export type TEnvelopeExpirationDurationPeriod = z.infer<typeof ZEnvelopeExpirationDurationPeriod>;
+
+const UNIT_TO_LUXON_KEY: Record<
+  TEnvelopeExpirationDurationPeriod['unit'],
+  keyof DurationLikeObject
+> = {
+  day: 'days',
+  week: 'weeks',
+  month: 'months',
+  year: 'years',
+};
+
+export const DEFAULT_ENVELOPE_EXPIRATION_PERIOD: TEnvelopeExpirationDurationPeriod = {
+  unit: 'month',
+  amount: 3,
+};
+
+export const getEnvelopeExpirationDuration = (
+  period: TEnvelopeExpirationDurationPeriod,
+): Duration => {
+  return Duration.fromObject({ [UNIT_TO_LUXON_KEY[period.unit]]: period.amount });
+};
+
+/**
+ * Resolve the concrete expiresAt timestamp from a raw expiration period (from JSON column).
+ *
+ * - `null` means use the default period (3 months).
+ * - `{ disabled: true }` means never expires (returns null).
+ * - `{ unit, amount }` means compute the timestamp from now + duration.
+ */
+export const resolveExpiresAt = (rawPeriod: unknown): Date | null => {
+  if (rawPeriod === null || rawPeriod === undefined) {
+    const duration = getEnvelopeExpirationDuration(DEFAULT_ENVELOPE_EXPIRATION_PERIOD);
+
+    return new Date(Date.now() + duration.toMillis());
+  }
+
+  const parsed = ZEnvelopeExpirationPeriod.parse(rawPeriod);
+
+  if ('disabled' in parsed) {
+    return null;
+  }
+
+  const duration = getEnvelopeExpirationDuration(parsed);
+
+  return new Date(Date.now() + duration.toMillis());
+};
@@ -9,6 +9,7 @@ export enum AppErrorCode {
  'EXPIRED_CODE' = 'EXPIRED_CODE',
  'INVALID_BODY' = 'INVALID_BODY',
  'INVALID_REQUEST' = 'INVALID_REQUEST',
+  'RECIPIENT_EXPIRED' = 'RECIPIENT_EXPIRED',
  'LIMIT_EXCEEDED' = 'LIMIT_EXCEEDED',
  'NOT_FOUND' = 'NOT_FOUND',
  'NOT_SETUP' = 'NOT_SETUP',
@@ -23,6 +24,7 @@ export enum AppErrorCode {
 export const genericErrorCodeToTrpcErrorCodeMap: Record<string, { code: string; status: number }> =
  {
    [AppErrorCode.ALREADY_EXISTS]: { code: 'BAD_REQUEST', status: 400 },
+    [AppErrorCode.RECIPIENT_EXPIRED]: { code: 'BAD_REQUEST', status: 400 },
    [AppErrorCode.EXPIRED_CODE]: { code: 'BAD_REQUEST', status: 400 },
    [AppErrorCode.INVALID_BODY]: { code: 'BAD_REQUEST', status: 400 },
    [AppErrorCode.INVALID_REQUEST]: { code: 'BAD_REQUEST', status: 400 },
@@ -62,6 +64,11 @@ type AppErrorOptions = {
   * Mainly used for API -> Frontend communication and logging filtering.
   */
  statusCode?: number;
+
+  /**
+   * Optional headers to include when this error is returned in an API response.
+   */
+  headers?: Record<string, string>;
 };

 export class AppError extends Error {
@@ -80,6 +87,8 @@ export class AppError extends Error {
   */
  statusCode?: number;

+  headers?: Record<string, string>;
+
  name = 'AppError';

  /**
@@ -95,6 +104,7 @@ export class AppError extends Error {
    this.code = errorCode;
    this.userMessage = options?.userMessage;
    this.statusCode = options?.statusCode;
+    this.headers = options?.headers;
  }

  /**
@@ -1,16 +1,29 @@
 import { JobClient } from './client/client';
+import { SEND_2FA_TOKEN_EMAIL_JOB_DEFINITION } from './definitions/emails/send-2fa-token-email';
+import { SEND_COMPLETED_EMAIL_JOB_DEFINITION } from './definitions/emails/send-completed-email';
 import { SEND_CONFIRMATION_EMAIL_JOB_DEFINITION } from './definitions/emails/send-confirmation-email';
+import { SEND_DIRECT_TEMPLATE_CREATED_EMAIL_JOB_DEFINITION } from './definitions/emails/send-direct-template-created-email';
 import { SEND_DOCUMENT_CANCELLED_EMAILS_JOB_DEFINITION } from './definitions/emails/send-document-cancelled-emails';
+import { SEND_DOCUMENT_DELETED_EMAILS_JOB_DEFINITION } from './definitions/emails/send-document-deleted-emails';
+import { SEND_DOCUMENT_SUPER_DELETE_EMAIL_JOB_DEFINITION } from './definitions/emails/send-document-super-delete-email';
+import { SEND_FORGOT_PASSWORD_EMAIL_JOB_DEFINITION } from './definitions/emails/send-forgot-password-email';
 import { SEND_ORGANISATION_MEMBER_JOINED_EMAIL_JOB_DEFINITION } from './definitions/emails/send-organisation-member-joined-email';
 import { SEND_ORGANISATION_MEMBER_LEFT_EMAIL_JOB_DEFINITION } from './definitions/emails/send-organisation-member-left-email';
+import { SEND_OWNER_RECIPIENT_EXPIRED_EMAIL_JOB_DEFINITION } from './definitions/emails/send-owner-recipient-expired-email';
 import { SEND_PASSWORD_RESET_SUCCESS_EMAIL_JOB_DEFINITION } from './definitions/emails/send-password-reset-success-email';
+import { SEND_PENDING_EMAIL_JOB_DEFINITION } from './definitions/emails/send-pending-email';
+import { SEND_RECIPIENT_REMOVED_EMAIL_JOB_DEFINITION } from './definitions/emails/send-recipient-removed-email';
 import { SEND_RECIPIENT_SIGNED_EMAIL_JOB_DEFINITION } from './definitions/emails/send-recipient-signed-email';
 import { SEND_SIGNING_REJECTION_EMAILS_JOB_DEFINITION } from './definitions/emails/send-rejection-emails';
+import { SEND_RESEND_DOCUMENT_EMAIL_JOB_DEFINITION } from './definitions/emails/send-resend-document-email';
 import { SEND_SIGNING_EMAIL_JOB_DEFINITION } from './definitions/emails/send-signing-email';
 import { SEND_TEAM_DELETED_EMAIL_JOB_DEFINITION } from './definitions/emails/send-team-deleted-email';
 import { BACKPORT_SUBSCRIPTION_CLAIM_JOB_DEFINITION } from './definitions/internal/backport-subscription-claims';
 import { BULK_SEND_TEMPLATE_JOB_DEFINITION } from './definitions/internal/bulk-send-template';
+import { CLEANUP_RATE_LIMITS_JOB_DEFINITION } from './definitions/internal/cleanup-rate-limits';
 import { EXECUTE_WEBHOOK_JOB_DEFINITION } from './definitions/internal/execute-webhook';
+import { EXPIRE_RECIPIENTS_SWEEP_JOB_DEFINITION } from './definitions/internal/expire-recipients-sweep';
+import { PROCESS_RECIPIENT_EXPIRED_JOB_DEFINITION } from './definitions/internal/process-recipient-expired';
 import { SEAL_DOCUMENT_JOB_DEFINITION } from './definitions/internal/seal-document';

 /**
@@ -28,9 +41,22 @@ export const jobsClient = new JobClient([
  SEND_SIGNING_REJECTION_EMAILS_JOB_DEFINITION,
  SEND_RECIPIENT_SIGNED_EMAIL_JOB_DEFINITION,
  SEND_DOCUMENT_CANCELLED_EMAILS_JOB_DEFINITION,
+  SEND_OWNER_RECIPIENT_EXPIRED_EMAIL_JOB_DEFINITION,
  BACKPORT_SUBSCRIPTION_CLAIM_JOB_DEFINITION,
  BULK_SEND_TEMPLATE_JOB_DEFINITION,
  EXECUTE_WEBHOOK_JOB_DEFINITION,
+  EXPIRE_RECIPIENTS_SWEEP_JOB_DEFINITION,
+  PROCESS_RECIPIENT_EXPIRED_JOB_DEFINITION,
+  CLEANUP_RATE_LIMITS_JOB_DEFINITION,
+  SEND_PENDING_EMAIL_JOB_DEFINITION,
+  SEND_FORGOT_PASSWORD_EMAIL_JOB_DEFINITION,
+  SEND_DOCUMENT_SUPER_DELETE_EMAIL_JOB_DEFINITION,
+  SEND_COMPLETED_EMAIL_JOB_DEFINITION,
+  SEND_RECIPIENT_REMOVED_EMAIL_JOB_DEFINITION,
+  SEND_DOCUMENT_DELETED_EMAILS_JOB_DEFINITION,
+  SEND_2FA_TOKEN_EMAIL_JOB_DEFINITION,
+  SEND_RESEND_DOCUMENT_EMAIL_JOB_DEFINITION,
+  SEND_DIRECT_TEMPLATE_CREATED_EMAIL_JOB_DEFINITION,
 ] as const);

 export const jobs = jobsClient;
@@ -36,6 +36,11 @@ export type JobDefinition<Name extends string = string, Schema = any> = {
  trigger: {
    name: Name;
    schema?: z.ZodType<Schema>;
+    /**
+     * Optional cron expression (e.g., "* * * * *" for every minute).
+     * When set, the job runs on a schedule instead of being event-triggered.
+     */
+    cron?: string;
  };
  handler: (options: { payload: Schema; io: JobRunIO }) => Promise<Json | void>;
 };
@@ -16,4 +16,14 @@ export abstract class BaseJobProvider {
  public getApiHandler(): (req: HonoContext) => Promise<Response | void> {
    throw new Error('Not implemented');
  }
+
+  /**
+   * Start the cron scheduler for any registered cron jobs.
+   *
+   * No-op for providers that handle cron scheduling externally (e.g. Inngest).
+   * Must be called explicitly at application startup.
+   */
+  public startCron(): void {
+    // No-op by default — providers override if needed.
+  }
 }
@@ -26,4 +26,15 @@ export class JobClient<T extends ReadonlyArray<JobDefinition> = []> {
  public getApiHandler() {
    return this._provider.getApiHandler();
  }
+
+  /**
+   * Start the cron scheduler for any registered cron jobs.
+   *
+   * Call this once at application startup after the instance is ready to
+   * process requests. No-op for providers that handle cron externally
+   * (e.g. Inngest).
+   */
+  public startCron() {
+    this._provider.startCron();
+  }
 }
@@ -35,16 +35,17 @@ export class InngestJobProvider extends BaseJobProvider {
  }

  public defineJob<N extends string, T>(job: JobDefinition<N, T>): void {
-    console.log('defining job', job.id);
+    const triggerConfig: { cron: string } | { event: N } = job.trigger.cron
+      ? { cron: job.trigger.cron }
+      : { event: job.trigger.name };
+
    const fn = this._client.createFunction(
      {
        id: job.id,
        name: job.name,
        optimizeParallelism: job.optimizeParallelism ?? false,
      },
-      {
-        event: job.trigger.name,
-      },
+      triggerConfig,
      async (ctx) => {
        const io = this.convertInngestIoToJobRunIo(ctx);

@@ -1,5 +1,6 @@
-import { sha256 } from '@noble/hashes/sha256';
+import { sha256 } from '@noble/hashes/sha2';
 import { BackgroundJobStatus, Prisma } from '@prisma/client';
+import { CronExpressionParser } from 'cron-parser';
 import type { Context as HonoContext } from 'hono';

 import { prisma } from '@documenso/prisma';
@@ -16,10 +17,33 @@ import {
 import type { Json } from './_internal/json';
 import { BaseJobProvider } from './base';

+/**
+ * Build a deterministic BackgroundJob ID for a cron run so that multiple
+ * instances of the local provider racing to enqueue the same slot will
+ * collide on the primary key instead of creating duplicates.
+ */
+const createCronRunId = (jobId: string, scheduledFor: Date): string => {
+  const key = `cron:${jobId}:${scheduledFor.toISOString()}`;
+  const hash = Buffer.from(sha256(key)).toString('hex').slice(0, 24);
+
+  return `cron_${hash}`;
+};
+
+type CronJobEntry = {
+  definition: JobDefinition;
+  cron: string;
+  lastTickAt: Date;
+};
+
+const CRON_POLL_INTERVAL_MS = 30_000; // 30 seconds
+const CRON_POLL_JITTER_MS = 5_000; // 0-5 seconds random offset
+
 export class LocalJobProvider extends BaseJobProvider {
  private static _instance: LocalJobProvider;

  private _jobDefinitions: Record<string, JobDefinition> = {};
+  private _cronJobs: CronJobEntry[] = [];
+  private _cronPoller: NodeJS.Timeout | null = null;

  private constructor() {
    super();
@@ -38,6 +62,133 @@ export class LocalJobProvider extends BaseJobProvider {
      ...definition,
      enabled: definition.enabled ?? true,
    };
+
+    if (definition.trigger.cron && definition.enabled !== false) {
+      const alreadyRegistered = this._cronJobs.some((job) => job.definition.id === definition.id);
+
+      if (!alreadyRegistered) {
+        this._cronJobs.push({
+          definition: {
+            ...definition,
+            enabled: definition.enabled ?? true,
+          },
+          cron: definition.trigger.cron,
+          lastTickAt: new Date(),
+        });
+
+        console.log(`[JOBS]: Registered cron job ${definition.id} (${definition.trigger.cron})`);
+      }
+    }
+  }
+
+  /**
+   * Start the single cron poller for all registered cron jobs.
+   *
+   * Must be called explicitly at application startup after all jobs have been
+   * defined. The poller runs every 30 seconds (+ random jitter to avoid
+   * thundering herd across instances) and evaluates all registered cron jobs
+   * for due slots.
+   *
+   * For each due slot it creates a BackgroundJob row with a deterministic ID.
+   * If the insert succeeds the job is dispatched; if it fails with a unique
+   * constraint violation (P2002) another instance already claimed that slot.
+   */
+  public override startCron() {
+    if (this._cronPoller) {
+      return;
+    }
+
+    if (this._cronJobs.length === 0) {
+      return;
+    }
+
+    const tick = () => {
+      const jitter = Math.floor(Math.random() * CRON_POLL_JITTER_MS);
+
+      this._cronPoller = setTimeout(() => {
+        void this.processCronTick().finally(tick);
+      }, CRON_POLL_INTERVAL_MS + jitter);
+    };
+
+    tick();
+
+    console.log(`[JOBS]: Started cron poller for ${this._cronJobs.length} job(s)`);
+  }
+
+  private async processCronTick() {
+    for (const cronJob of this._cronJobs) {
+      try {
+        const dueSlots = this.getDueCronSlots(cronJob);
+
+        cronJob.lastTickAt = new Date();
+
+        if (dueSlots.length === 0) {
+          continue;
+        }
+
+        // Only take the latest slot — sweep-style jobs don't need to catch up
+        // every missed slot after downtime, just the most recent one.
+        const scheduledFor = dueSlots[dueSlots.length - 1];
+        const deterministicId = createCronRunId(cronJob.definition.id, scheduledFor);
+
+        const pendingJob = await prisma.backgroundJob
+          .create({
+            data: {
+              id: deterministicId,
+              jobId: cronJob.definition.id,
+              name: cronJob.definition.name,
+              version: cronJob.definition.version,
+              payload: { scheduledFor: scheduledFor.toISOString() },
+            },
+          })
+          .catch((error: unknown) => {
+            // P2002 = unique constraint violation — another instance already enqueued this slot.
+            if (error instanceof Prisma.PrismaClientKnownRequestError && error.code === 'P2002') {
+              return null;
+            }
+
+            throw error;
+          });
+
+        if (!pendingJob) {
+          continue;
+        }
+
+        await this.submitJobToEndpoint({
+          jobId: pendingJob.id,
+          jobDefinitionId: pendingJob.jobId,
+          data: {
+            name: cronJob.definition.trigger.name,
+            payload: { scheduledFor: scheduledFor.toISOString() },
+          },
+          isRetry: false,
+        });
+      } catch (error) {
+        console.error(`[JOBS]: Cron tick failed for ${cronJob.definition.id}`, error);
+      }
+    }
+  }
+
+  /**
+   * Use cron-parser to find all cron slots that are due between the last tick
+   * and now.
+   */
+  private getDueCronSlots(cronJob: CronJobEntry): Date[] {
+    const expr = CronExpressionParser.parse(cronJob.cron, {
+      currentDate: cronJob.lastTickAt,
+    });
+
+    const now = new Date();
+    const slots: Date[] = [];
+
+    let next = expr.next();
+
+    while (next.toDate() <= now) {
+      slots.push(next.toDate());
+      next = expr.next();
+    }
+
+    return slots;
  }

  public async triggerJob(options: SimpleTriggerJobOptions) {
@@ -0,0 +1,133 @@
+import { createElement } from 'react';
+
+import { msg } from '@lingui/core/macro';
+import { EnvelopeType } from '@prisma/client';
+
+import { mailer } from '@documenso/email/mailer';
+import { AccessAuth2FAEmailTemplate } from '@documenso/email/templates/access-auth-2fa';
+import { isRecipientEmailValidForSending } from '@documenso/lib/utils/recipients';
+import { prisma } from '@documenso/prisma';
+
+import { getI18nInstance } from '../../../client-only/providers/i18n-server';
+import { NEXT_PUBLIC_WEBAPP_URL } from '../../../constants/app';
+import { AppError, AppErrorCode } from '../../../errors/app-error';
+import { TWO_FACTOR_EMAIL_EXPIRATION_MINUTES } from '../../../server-only/2fa/email/constants';
+import { generateTwoFactorTokenFromEmail } from '../../../server-only/2fa/email/generate-2fa-token-from-email';
+import { getEmailContext } from '../../../server-only/email/get-email-context';
+import { DOCUMENT_AUDIT_LOG_TYPE } from '../../../types/document-audit-logs';
+import { createDocumentAuditLogData } from '../../../utils/document-audit-logs';
+import { renderEmailWithI18N } from '../../../utils/render-email-with-i18n';
+import type { JobRunIO } from '../../client/_internal/job';
+import type { TSend2FATokenEmailJobDefinition } from './send-2fa-token-email';
+
+export const run = async ({
+  payload,
+  io,
+}: {
+  payload: TSend2FATokenEmailJobDefinition;
+  io: JobRunIO;
+}) => {
+  const { envelopeId, recipientId } = payload;
+
+  const envelope = await prisma.envelope.findFirst({
+    where: {
+      id: envelopeId,
+      type: EnvelopeType.DOCUMENT,
+      recipients: {
+        some: {
+          id: recipientId,
+        },
+      },
+    },
+    include: {
+      recipients: {
+        where: {
+          id: recipientId,
+        },
+      },
+      documentMeta: true,
+      team: {
+        select: {
+          teamEmail: true,
+          name: true,
+        },
+      },
+    },
+  });
+
+  if (!envelope) {
+    throw new AppError(AppErrorCode.NOT_FOUND, {
+      message: 'Document not found',
+    });
+  }
+
+  const [recipient] = envelope.recipients;
+
+  if (!recipient) {
+    throw new AppError(AppErrorCode.NOT_FOUND, {
+      message: 'Recipient not found',
+    });
+  }
+
+  if (!isRecipientEmailValidForSending(recipient)) {
+    throw new AppError(AppErrorCode.INVALID_REQUEST, {
+      message: 'Recipient is missing email address',
+    });
+  }
+
+  const twoFactorTokenToken = await generateTwoFactorTokenFromEmail({
+    envelopeId,
+    email: recipient.email,
+  });
+
+  const { branding, emailLanguage, senderEmail, replyToEmail } = await getEmailContext({
+    emailType: 'RECIPIENT',
+    source: {
+      type: 'team',
+      teamId: envelope.teamId,
+    },
+    meta: envelope.documentMeta,
+  });
+
+  const i18n = await getI18nInstance(emailLanguage);
+
+  const subject = i18n._(msg`Your two-factor authentication code`);
+
+  const template = createElement(AccessAuth2FAEmailTemplate, {
+    documentTitle: envelope.title,
+    userName: recipient.name,
+    userEmail: recipient.email,
+    code: twoFactorTokenToken,
+    expiresInMinutes: TWO_FACTOR_EMAIL_EXPIRATION_MINUTES,
+    assetBaseUrl: NEXT_PUBLIC_WEBAPP_URL(),
+  });
+
+  const [html, text] = await Promise.all([
+    renderEmailWithI18N(template, { lang: emailLanguage, branding }),
+    renderEmailWithI18N(template, { lang: emailLanguage, branding, plainText: true }),
+  ]);
+
+  await mailer.sendMail({
+    to: {
+      address: recipient.email,
+      name: recipient.name,
+    },
+    from: senderEmail,
+    replyTo: replyToEmail,
+    subject,
+    html,
+    text,
+  });
+
+  await prisma.documentAuditLog.create({
+    data: createDocumentAuditLogData({
+      type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_ACCESS_AUTH_2FA_REQUESTED,
+      envelopeId: envelope.id,
+      data: {
+        recipientEmail: recipient.email,
+        recipientName: recipient.name,
+        recipientId: recipient.id,
+      },
+    }),
+  });
+};
@@ -0,0 +1,32 @@
+import { z } from 'zod';
+
+import { type JobDefinition } from '../../client/_internal/job';
+
+const SEND_2FA_TOKEN_EMAIL_JOB_DEFINITION_ID = 'send.2fa.token.email';
+
+const SEND_2FA_TOKEN_EMAIL_JOB_DEFINITION_SCHEMA = z.object({
+  envelopeId: z.string(),
+  recipientId: z.number(),
+});
+
+export type TSend2FATokenEmailJobDefinition = z.infer<
+  typeof SEND_2FA_TOKEN_EMAIL_JOB_DEFINITION_SCHEMA
+>;
+
+export const SEND_2FA_TOKEN_EMAIL_JOB_DEFINITION = {
+  id: SEND_2FA_TOKEN_EMAIL_JOB_DEFINITION_ID,
+  name: 'Send 2FA Token Email',
+  version: '1.0.0',
+  trigger: {
+    name: SEND_2FA_TOKEN_EMAIL_JOB_DEFINITION_ID,
+    schema: SEND_2FA_TOKEN_EMAIL_JOB_DEFINITION_SCHEMA,
+  },
+  handler: async ({ payload, io }) => {
+    const handler = await import('./send-2fa-token-email.handler');
+
+    await handler.run({ payload, io });
+  },
+} as const satisfies JobDefinition<
+  typeof SEND_2FA_TOKEN_EMAIL_JOB_DEFINITION_ID,
+  TSend2FATokenEmailJobDefinition
+>;
@@ -0,0 +1,20 @@
+import { sendCompletedEmail } from '../../../server-only/document/send-completed-email';
+import type { JobRunIO } from '../../client/_internal/job';
+import type { TSendCompletedEmailJobDefinition } from './send-completed-email';
+
+export const run = async ({
+  payload,
+}: {
+  payload: TSendCompletedEmailJobDefinition;
+  io: JobRunIO;
+}) => {
+  const { envelopeId, requestMetadata } = payload;
+
+  await sendCompletedEmail({
+    id: {
+      type: 'envelopeId',
+      id: envelopeId,
+    },
+    requestMetadata,
+  });
+};
@@ -0,0 +1,33 @@
+import { z } from 'zod';
+
+import { ZRequestMetadataSchema } from '../../../universal/extract-request-metadata';
+import { type JobDefinition } from '../../client/_internal/job';
+
+const SEND_COMPLETED_EMAIL_JOB_DEFINITION_ID = 'send.document.completed.email';
+
+const SEND_COMPLETED_EMAIL_JOB_DEFINITION_SCHEMA = z.object({
+  envelopeId: z.string(),
+  requestMetadata: ZRequestMetadataSchema.optional(),
+});
+
+export type TSendCompletedEmailJobDefinition = z.infer<
+  typeof SEND_COMPLETED_EMAIL_JOB_DEFINITION_SCHEMA
+>;
+
+export const SEND_COMPLETED_EMAIL_JOB_DEFINITION = {
+  id: SEND_COMPLETED_EMAIL_JOB_DEFINITION_ID,
+  name: 'Send Completed Email',
+  version: '1.0.0',
+  trigger: {
+    name: SEND_COMPLETED_EMAIL_JOB_DEFINITION_ID,
+    schema: SEND_COMPLETED_EMAIL_JOB_DEFINITION_SCHEMA,
+  },
+  handler: async ({ payload, io }) => {
+    const handler = await import('./send-completed-email.handler');
+
+    await handler.run({ payload, io });
+  },
+} as const satisfies JobDefinition<
+  typeof SEND_COMPLETED_EMAIL_JOB_DEFINITION_ID,
+  TSendCompletedEmailJobDefinition
+>;
@@ -0,0 +1,105 @@
+import { createElement } from 'react';
+
+import { msg } from '@lingui/core/macro';
+import { DocumentSource } from '@prisma/client';
+
+import { mailer } from '@documenso/email/mailer';
+import { DocumentCreatedFromDirectTemplateEmailTemplate } from '@documenso/email/templates/document-created-from-direct-template';
+import { prisma } from '@documenso/prisma';
+
+import { getI18nInstance } from '../../../client-only/providers/i18n-server';
+import { NEXT_PUBLIC_WEBAPP_URL } from '../../../constants/app';
+import { getEmailContext } from '../../../server-only/email/get-email-context';
+import { renderEmailWithI18N } from '../../../utils/render-email-with-i18n';
+import { formatDocumentsPath } from '../../../utils/teams';
+import type { JobRunIO } from '../../client/_internal/job';
+import type { TSendDirectTemplateCreatedEmailJobDefinition } from './send-direct-template-created-email';
+
+export const run = async ({
+  payload,
+}: {
+  payload: TSendDirectTemplateCreatedEmailJobDefinition;
+  io: JobRunIO;
+}) => {
+  const { envelopeId, teamId, directRecipientId } = payload;
+
+  const envelope = await prisma.envelope.findFirst({
+    where: {
+      id: envelopeId,
+      source: DocumentSource.TEMPLATE_DIRECT_LINK,
+    },
+    include: {
+      user: {
+        select: {
+          id: true,
+          name: true,
+          email: true,
+        },
+      },
+      documentMeta: true,
+      team: {
+        select: {
+          url: true,
+        },
+      },
+    },
+  });
+
+  if (!envelope) {
+    throw new Error('Document not found');
+  }
+
+  const directRecipient = await prisma.recipient.findFirst({
+    where: {
+      id: directRecipientId,
+      envelopeId,
+    },
+  });
+
+  if (!directRecipient) {
+    throw new Error('Direct recipient not found on envelope');
+  }
+
+  const { branding, emailLanguage, senderEmail } = await getEmailContext({
+    emailType: 'RECIPIENT',
+    source: {
+      type: 'team',
+      teamId,
+    },
+    meta: envelope.documentMeta,
+  });
+
+  const templateOwner = envelope.user;
+
+  const documentLink = `${NEXT_PUBLIC_WEBAPP_URL()}${formatDocumentsPath(envelope.team?.url)}/${
+    envelope.id
+  }`;
+
+  const emailTemplate = createElement(DocumentCreatedFromDirectTemplateEmailTemplate, {
+    recipientName: directRecipient.email,
+    recipientRole: directRecipient.role,
+    documentLink,
+    documentName: envelope.title,
+    assetBaseUrl: NEXT_PUBLIC_WEBAPP_URL() || 'http://localhost:3000',
+  });
+
+  const [html, text] = await Promise.all([
+    renderEmailWithI18N(emailTemplate, { lang: emailLanguage, branding }),
+    renderEmailWithI18N(emailTemplate, { lang: emailLanguage, branding, plainText: true }),
+  ]);
+
+  const i18n = await getI18nInstance(emailLanguage);
+
+  await mailer.sendMail({
+    to: [
+      {
+        name: templateOwner.name || '',
+        address: templateOwner.email,
+      },
+    ],
+    from: senderEmail,
+    subject: i18n._(msg`Document created from direct template`),
+    html,
+    text,
+  });
+};
@@ -0,0 +1,33 @@
+import { z } from 'zod';
+
+import { type JobDefinition } from '../../client/_internal/job';
+
+const SEND_DIRECT_TEMPLATE_CREATED_EMAIL_JOB_DEFINITION_ID = 'send.direct.template.created.email';
+
+const SEND_DIRECT_TEMPLATE_CREATED_EMAIL_JOB_DEFINITION_SCHEMA = z.object({
+  envelopeId: z.string(),
+  teamId: z.number(),
+  directRecipientId: z.number(),
+});
+
+export type TSendDirectTemplateCreatedEmailJobDefinition = z.infer<
+  typeof SEND_DIRECT_TEMPLATE_CREATED_EMAIL_JOB_DEFINITION_SCHEMA
+>;
+
+export const SEND_DIRECT_TEMPLATE_CREATED_EMAIL_JOB_DEFINITION = {
+  id: SEND_DIRECT_TEMPLATE_CREATED_EMAIL_JOB_DEFINITION_ID,
+  name: 'Send Direct Template Created Email',
+  version: '1.0.0',
+  trigger: {
+    name: SEND_DIRECT_TEMPLATE_CREATED_EMAIL_JOB_DEFINITION_ID,
+    schema: SEND_DIRECT_TEMPLATE_CREATED_EMAIL_JOB_DEFINITION_SCHEMA,
+  },
+  handler: async ({ payload, io }) => {
+    const handler = await import('./send-direct-template-created-email.handler');
+
+    await handler.run({ payload, io });
+  },
+} as const satisfies JobDefinition<
+  typeof SEND_DIRECT_TEMPLATE_CREATED_EMAIL_JOB_DEFINITION_ID,
+  TSendDirectTemplateCreatedEmailJobDefinition
+>;
@@ -82,38 +82,36 @@ export const run = async ({
      isRecipientEmailValidForSending(recipient),
  );

-  await io.runTask('send-cancellation-emails', async () => {
-    await Promise.all(
-      recipientsToNotify.map(async (recipient) => {
-        const template = createElement(DocumentCancelTemplate, {
-          documentName: envelope.title,
-          inviterName: documentOwner.name || undefined,
-          inviterEmail: documentOwner.email,
-          assetBaseUrl: NEXT_PUBLIC_WEBAPP_URL(),
-          cancellationReason: cancellationReason || 'The document has been cancelled.',
-        });
+  await Promise.all(
+    recipientsToNotify.map(async (recipient) => {
+      const template = createElement(DocumentCancelTemplate, {
+        documentName: envelope.title,
+        inviterName: documentOwner.name || undefined,
+        inviterEmail: documentOwner.email,
+        assetBaseUrl: NEXT_PUBLIC_WEBAPP_URL(),
+        cancellationReason: cancellationReason || 'The document has been cancelled.',
+      });

-        const [html, text] = await Promise.all([
-          renderEmailWithI18N(template, { lang: emailLanguage, branding }),
-          renderEmailWithI18N(template, {
-            lang: emailLanguage,
-            branding,
-            plainText: true,
-          }),
-        ]);
+      const [html, text] = await Promise.all([
+        renderEmailWithI18N(template, { lang: emailLanguage, branding }),
+        renderEmailWithI18N(template, {
+          lang: emailLanguage,
+          branding,
+          plainText: true,
+        }),
+      ]);

-        await mailer.sendMail({
-          to: {
-            name: recipient.name,
-            address: recipient.email,
-          },
-          from: senderEmail,
-          replyTo: replyToEmail,
-          subject: i18n._(msg`Document "${envelope.title}" Cancelled`),
-          html,
-          text,
-        });
-      }),
-    );
-  });
+      await mailer.sendMail({
+        to: {
+          name: recipient.name,
+          address: recipient.email,
+        },
+        from: senderEmail,
+        replyTo: replyToEmail,
+        subject: i18n._(msg`Document "${envelope.title}" Cancelled`),
+        html,
+        text,
+      });
+    }),
+  );
 };
@@ -0,0 +1,68 @@
+import { createElement } from 'react';
+
+import { msg } from '@lingui/core/macro';
+
+import { mailer } from '@documenso/email/mailer';
+import { DocumentSuperDeleteEmailTemplate } from '@documenso/email/templates/document-super-delete';
+import { prisma } from '@documenso/prisma';
+
+import { getI18nInstance } from '../../../client-only/providers/i18n-server';
+import { NEXT_PUBLIC_WEBAPP_URL } from '../../../constants/app';
+import { getEmailContext } from '../../../server-only/email/get-email-context';
+import { renderEmailWithI18N } from '../../../utils/render-email-with-i18n';
+import type { JobRunIO } from '../../client/_internal/job';
+import type { TSendDocumentSuperDeleteEmailJobDefinition } from './send-document-super-delete-email';
+
+export const run = async ({
+  payload,
+  io,
+}: {
+  payload: TSendDocumentSuperDeleteEmailJobDefinition;
+  io: JobRunIO;
+}) => {
+  const { userId, documentTitle, reason, teamId } = payload;
+
+  const user = await prisma.user.findFirstOrThrow({
+    where: { id: userId },
+    select: { email: true, name: true },
+  });
+
+  const { branding, senderEmail, emailLanguage } = await getEmailContext({
+    emailType: 'RECIPIENT',
+    source: {
+      type: 'team',
+      teamId,
+    },
+    meta: null,
+  });
+
+  const assetBaseUrl = NEXT_PUBLIC_WEBAPP_URL() || 'http://localhost:3000';
+
+  const template = createElement(DocumentSuperDeleteEmailTemplate, {
+    documentName: documentTitle,
+    reason,
+    assetBaseUrl,
+  });
+
+  const [html, text] = await Promise.all([
+    renderEmailWithI18N(template, { lang: emailLanguage, branding }),
+    renderEmailWithI18N(template, {
+      lang: emailLanguage,
+      branding,
+      plainText: true,
+    }),
+  ]);
+
+  const i18n = await getI18nInstance(emailLanguage);
+
+  await mailer.sendMail({
+    to: {
+      address: user.email,
+      name: user.name || '',
+    },
+    from: senderEmail,
+    subject: i18n._(msg`Document Deleted!`),
+    html,
+    text,
+  });
+};
@@ -0,0 +1,34 @@
+import { z } from 'zod';
+
+import { type JobDefinition } from '../../client/_internal/job';
+
+const SEND_DOCUMENT_SUPER_DELETE_EMAIL_JOB_DEFINITION_ID = 'send.document.super.delete.email';
+
+const SEND_DOCUMENT_SUPER_DELETE_EMAIL_JOB_DEFINITION_SCHEMA = z.object({
+  userId: z.number(),
+  documentTitle: z.string(),
+  reason: z.string(),
+  teamId: z.number(),
+});
+
+export type TSendDocumentSuperDeleteEmailJobDefinition = z.infer<
+  typeof SEND_DOCUMENT_SUPER_DELETE_EMAIL_JOB_DEFINITION_SCHEMA
+>;
+
+export const SEND_DOCUMENT_SUPER_DELETE_EMAIL_JOB_DEFINITION = {
+  id: SEND_DOCUMENT_SUPER_DELETE_EMAIL_JOB_DEFINITION_ID,
+  name: 'Send Document Super Delete Email',
+  version: '1.0.0',
+  trigger: {
+    name: SEND_DOCUMENT_SUPER_DELETE_EMAIL_JOB_DEFINITION_ID,
+    schema: SEND_DOCUMENT_SUPER_DELETE_EMAIL_JOB_DEFINITION_SCHEMA,
+  },
+  handler: async ({ payload, io }) => {
+    const handler = await import('./send-document-super-delete-email.handler');
+
+    await handler.run({ payload, io });
+  },
+} as const satisfies JobDefinition<
+  typeof SEND_DOCUMENT_SUPER_DELETE_EMAIL_JOB_DEFINITION_ID,
+  TSendDocumentSuperDeleteEmailJobDefinition
+>;
@@ -0,0 +1,72 @@
+import { createElement } from 'react';
+
+import { msg } from '@lingui/core/macro';
+
+import { mailer } from '@documenso/email/mailer';
+import { ForgotPasswordTemplate } from '@documenso/email/templates/forgot-password';
+import { prisma } from '@documenso/prisma';
+
+import { getI18nInstance } from '../../../client-only/providers/i18n-server';
+import { NEXT_PUBLIC_WEBAPP_URL } from '../../../constants/app';
+import { env } from '../../../utils/env';
+import { renderEmailWithI18N } from '../../../utils/render-email-with-i18n';
+import type { JobRunIO } from '../../client/_internal/job';
+import type { TSendForgotPasswordEmailJobDefinition } from './send-forgot-password-email';
+
+export const run = async ({
+  payload,
+  io,
+}: {
+  payload: TSendForgotPasswordEmailJobDefinition;
+  io: JobRunIO;
+}) => {
+  const { userId } = payload;
+
+  const user = await prisma.user.findFirstOrThrow({
+    where: {
+      id: userId,
+    },
+    include: {
+      passwordResetTokens: {
+        orderBy: {
+          createdAt: 'desc',
+        },
+        take: 1,
+      },
+    },
+  });
+
+  if (user.passwordResetTokens.length === 0) {
+    throw new Error('No password reset token found for user');
+  }
+
+  const token = user.passwordResetTokens[0].token;
+  const assetBaseUrl = NEXT_PUBLIC_WEBAPP_URL() || 'http://localhost:3000';
+  const resetPasswordLink = `${NEXT_PUBLIC_WEBAPP_URL()}/reset-password/${token}`;
+
+  const template = createElement(ForgotPasswordTemplate, {
+    assetBaseUrl,
+    resetPasswordLink,
+  });
+
+  const [html, text] = await Promise.all([
+    renderEmailWithI18N(template),
+    renderEmailWithI18N(template, { plainText: true }),
+  ]);
+
+  const i18n = await getI18nInstance();
+
+  await mailer.sendMail({
+    to: {
+      address: user.email,
+      name: user.name || '',
+    },
+    from: {
+      name: env('NEXT_PRIVATE_SMTP_FROM_NAME') || 'Documenso',
+      address: env('NEXT_PRIVATE_SMTP_FROM_ADDRESS') || 'noreply@documenso.com',
+    },
+    subject: i18n._(msg`Forgot Password?`),
+    html,
+    text,
+  });
+};
@@ -0,0 +1,31 @@
+import { z } from 'zod';
+
+import { type JobDefinition } from '../../client/_internal/job';
+
+const SEND_FORGOT_PASSWORD_EMAIL_JOB_DEFINITION_ID = 'send.forgot.password.email';
+
+const SEND_FORGOT_PASSWORD_EMAIL_JOB_DEFINITION_SCHEMA = z.object({
+  userId: z.number(),
+});
+
+export type TSendForgotPasswordEmailJobDefinition = z.infer<
+  typeof SEND_FORGOT_PASSWORD_EMAIL_JOB_DEFINITION_SCHEMA
+>;
+
+export const SEND_FORGOT_PASSWORD_EMAIL_JOB_DEFINITION = {
+  id: SEND_FORGOT_PASSWORD_EMAIL_JOB_DEFINITION_ID,
+  name: 'Send Forgot Password Email',
+  version: '1.0.0',
+  trigger: {
+    name: SEND_FORGOT_PASSWORD_EMAIL_JOB_DEFINITION_ID,
+    schema: SEND_FORGOT_PASSWORD_EMAIL_JOB_DEFINITION_SCHEMA,
+  },
+  handler: async ({ payload, io }) => {
+    const handler = await import('./send-forgot-password-email.handler');
+
+    await handler.run({ payload, io });
+  },
+} as const satisfies JobDefinition<
+  typeof SEND_FORGOT_PASSWORD_EMAIL_JOB_DEFINITION_ID,
+  TSendForgotPasswordEmailJobDefinition
+>;
@@ -80,41 +80,36 @@ export const run = async ({
      continue;
    }

-    await io.runTask(
-      `send-organisation-member-joined-email--${invitedMember.id}_${member.id}`,
-      async () => {
-        const emailContent = createElement(OrganisationJoinEmailTemplate, {
-          assetBaseUrl: NEXT_PUBLIC_WEBAPP_URL(),
-          baseUrl: NEXT_PUBLIC_WEBAPP_URL(),
-          memberName: invitedMember.user.name || '',
-          memberEmail: invitedMember.user.email,
-          organisationName: organisation.name,
-          organisationUrl: organisation.url,
-        });
+    const emailContent = createElement(OrganisationJoinEmailTemplate, {
+      assetBaseUrl: NEXT_PUBLIC_WEBAPP_URL(),
+      baseUrl: NEXT_PUBLIC_WEBAPP_URL(),
+      memberName: invitedMember.user.name || '',
+      memberEmail: invitedMember.user.email,
+      organisationName: organisation.name,
+      organisationUrl: organisation.url,
+    });

-        // !: Replace with the actual language of the recipient later
-        const [html, text] = await Promise.all([
-          renderEmailWithI18N(emailContent, {
-            lang: emailLanguage,
-            branding,
-          }),
-          renderEmailWithI18N(emailContent, {
-            lang: emailLanguage,
-            branding,
-            plainText: true,
-          }),
-        ]);
+    // !: Replace with the actual language of the recipient later
+    const [html, text] = await Promise.all([
+      renderEmailWithI18N(emailContent, {
+        lang: emailLanguage,
+        branding,
+      }),
+      renderEmailWithI18N(emailContent, {
+        lang: emailLanguage,
+        branding,
+        plainText: true,
+      }),
+    ]);

-        const i18n = await getI18nInstance(emailLanguage);
+    const i18n = await getI18nInstance(emailLanguage);

-        await mailer.sendMail({
-          to: member.user.email,
-          from: senderEmail,
-          subject: i18n._(msg`A new member has joined your organisation`),
-          html,
-          text,
-        });
-      },
-    );
+    await mailer.sendMail({
+      to: member.user.email,
+      from: senderEmail,
+      subject: i18n._(msg`A new member has joined your organisation`),
+      html,
+      text,
+    });
  }
 };
@@ -75,40 +75,35 @@ export const run = async ({
      continue;
    }

-    await io.runTask(
-      `send-organisation-member-left-email--${oldMember.id}_${member.id}`,
-      async () => {
-        const emailContent = createElement(OrganisationLeaveEmailTemplate, {
-          assetBaseUrl: NEXT_PUBLIC_WEBAPP_URL(),
-          baseUrl: NEXT_PUBLIC_WEBAPP_URL(),
-          memberName: oldMember.name || '',
-          memberEmail: oldMember.email,
-          organisationName: organisation.name,
-          organisationUrl: organisation.url,
-        });
+    const emailContent = createElement(OrganisationLeaveEmailTemplate, {
+      assetBaseUrl: NEXT_PUBLIC_WEBAPP_URL(),
+      baseUrl: NEXT_PUBLIC_WEBAPP_URL(),
+      memberName: oldMember.name || '',
+      memberEmail: oldMember.email,
+      organisationName: organisation.name,
+      organisationUrl: organisation.url,
+    });

-        const [html, text] = await Promise.all([
-          renderEmailWithI18N(emailContent, {
-            lang: emailLanguage,
-            branding,
-          }),
-          renderEmailWithI18N(emailContent, {
-            lang: emailLanguage,
-            branding,
-            plainText: true,
-          }),
-        ]);
+    const [html, text] = await Promise.all([
+      renderEmailWithI18N(emailContent, {
+        lang: emailLanguage,
+        branding,
+      }),
+      renderEmailWithI18N(emailContent, {
+        lang: emailLanguage,
+        branding,
+        plainText: true,
+      }),
+    ]);

-        const i18n = await getI18nInstance(emailLanguage);
+    const i18n = await getI18nInstance(emailLanguage);

-        await mailer.sendMail({
-          to: member.user.email,
-          from: senderEmail,
-          subject: i18n._(msg`A member has left your organisation`),
-          html,
-          text,
-        });
-      },
-    );
+    await mailer.sendMail({
+      to: member.user.email,
+      from: senderEmail,
+      subject: i18n._(msg`A member has left your organisation`),
+      html,
+      text,
+    });
  }
 };
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Lucas Smith	844af17ec2	feat: move email sending into background jobs for retry support Each direct mailer.sendMail() call is replaced by a dedicated background job so that email delivery failures can be retried independently. New jobs: send-pending-email, send-completed-email, send-forgot-password-email, send-document-super-delete-email, send-recipient-removed-email, send-document-deleted-emails, send-2fa-token-email, send-resend-document-email, send-direct-template-created-email. Existing handlers (send-document-cancelled-emails, send-organisation-member-*, send-recipient-signed-email) have io.runTask wrappers removed since they interfere with the job scheduler. Job triggers are dispatched after transactions commit to avoid race conditions with uncommitted data.	2026-02-20 23:25:37 +11:00
Lucas Smith	653ab3678a	feat: better ratelimiting (#2520 ) Replace hono-rate-limiter with a Prisma/PostgreSQL bucketed counter approach that works correctly across multiple instances without sticky sessions. - Add RateLimit model with composite PK (key, action, bucket) and atomic upsert - Create rate limit factory with window parsing, bucket computation, and fail-open - Define auth-tier and API-tier rate limit instances - Add Hono middleware, rateLimitResponse helper, and tRPC assertRateLimit helper - Wire rate limit headers through AppError constructor (was declared but never assigned) - Apply rate limits to auth routes (email-password, passkey), tRPC routes (2FA email, link org account), API routes, and file upload endpoints - Add cleanup cron job for expired rate limit rows (batched delete every 15 min) - Remove hono-rate-limiter dependency	2026-02-20 12:23:02 +11:00
Lucas Smith	006b1d0a57	feat: per-recipient envelope expiration (#2519 )	2026-02-20 11:36:20 +11:00
Lucas Smith	f3ec8ddc57	v2.6.1	2026-02-18 21:57:10 +11:00
Lucas Smith	9a66d0ebf6	fix: simplify openapi field schemas to fix SDK generation (#2503 )	2026-02-18 17:07:46 +11:00
Konrad	29622d3151	fix(i18n): mark strings inside div for translation (#2514 )	2026-02-18 13:50:42 +11:00
Lucas Smith	5de2527e54	fix: v2 embed direct templates not reading email/lockEmail from hash params (#2509 )	2026-02-18 13:35:04 +11:00
Lucas Smith	6fcf0a638c	chore: add translations (#2507 )	2026-02-17 11:31:37 +11:00
Louis Liu	ff9e6acb7a	fix(ui): clarify email settings labels (#2448 )	2026-02-16 17:00:24 +11:00
Lucas Smith	a60c6a90ab	chore: add translations (#2504 )	2026-02-16 16:10:43 +11:00
github-actions[bot]	f35c19d098	chore: extract translations (#2458 )	2026-02-16 14:34:33 +11:00
McMek590	cf8e21bf35	fix: create full sentences for document-signing-auth files (#2451 )	2026-02-16 13:30:36 +11:00
Jahangir Babar	3f7c4df1b1	fix: strip diacritics from team URL slug generation (#2489 )	2026-02-16 12:36:14 +11:00
Konrad	ca199e7885	fix(i18n): mark span strings for translation (#2494 )	2026-02-16 12:07:53 +11:00
Konrad	435d61ea57	fix(i18n): mark badge string for translation (#2495 )	2026-02-16 11:58:03 +11:00
Konrad	34f14ba69a	fix(i18n): mark tabs trigger strings for translation (#2496 )	2026-02-16 11:57:44 +11:00
Konrad	51916cd3f0	fix(i18n): mark DialogTitle string for translation (#2497 )	2026-02-16 11:57:23 +11:00
Konrad	f158305499	fix(i18n): mark paragraph strings for translation (#2498 )	2026-02-16 11:57:03 +11:00
Lucas Smith	2e3d22c856	fix: use instance-specific emails for service accounts (#2502 )	2026-02-16 11:52:19 +11:00
Ephraim Duncan	d66c330d46	fix: match cert and audit log page dimensions to source document (#2473 )	2026-02-12 18:25:11 +11:00
David Nguyen	9bcb240895	fix: revert canceled individual subscriptions to free claim (#2483 ) ## Description Resolves an issue where individual plan customers who cancel are not correctly put down to the free plan. To resolve this, we delete the subscription on the stripe subscription delete webhook. Since the customerId is stored on the organisation they can still access their old invoices.	2026-02-12 17:44:33 +11:00
David Nguyen	066e6bc847	fix: envelope editor flush race condition (#2482 ) ## Description Fixes a race condition in the envelope editor when opening "Send Document" immediately after moving/resizing a selected field Replication 1. Move or resize a field (do not blur the selector/quickbar that appears when a field is selected) 2. Directly click the "Send Document" dialog 3. Error appears Note: Step 2 needs to happen relatively fast after step 1 since this is a race against the flush debouncer --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2026-02-12 16:32:26 +11:00
David Nguyen	0d65693d55	fix: highlight rejected certificate text (#2478 ) ## Description - Update the rejected certificate so that is it more clear on who rejected the document. - Updated the audit log generation so that the completed audit log is included ### Before <img width="681" height="597" alt="image" src="https://github.com/user-attachments/assets/3dab41c1-c86f-4555-8d50-3d9245be65d5" /> ### After Note that the order of the recipient is different in this case <img width="818" height="769" alt="image" src="https://github.com/user-attachments/assets/71f0ac12-5859-47b4-8980-2420ef949d18" /> --------- Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com> Co-authored-by: Lucas Smith <me@lucasjamessmith.me>	2026-02-12 16:06:43 +11:00
Lucas Smith	e3dee5e565	fix: auto placement field meta (#2480 )	2026-02-12 14:20:52 +11:00