diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
index d78854765b9e1..596aebde25a7b 100644
--- a/.github/workflows/dependency-review.yaml
+++ b/.github/workflows/dependency-review.yaml
@@ -18,13 +18,21 @@ jobs:
       allow-ghsas: 'GHSA-6xf3-5hp7-xqqg'
       # IronRDP uses MIT/Apache-2.0 but slashes are not recognized by dependency review action
       allow-dependencies-licenses: >-
+        pkg:cargo/ironrdp-cliprdr,
         pkg:cargo/ironrdp-core,
         pkg:cargo/ironrdp-async,
         pkg:cargo/ironrdp-connector,
+        pkg:cargo/ironrdp-displaycontrol,
+        pkg:cargo/ironrdp-dvc,
+        pkg:cargo/ironrdp-error,
+        pkg:cargo/ironrdp-graphics,
         pkg:cargo/ironrdp-pdu,
+        pkg:cargo/ironrdp-rdpdr,
+        pkg:cargo/ironrdp-rdpsnd,
         pkg:cargo/ironrdp-session,
         pkg:cargo/ironrdp-svc,
         pkg:cargo/ironrdp-tokio,
+        pkg:cargo/ironrdp-tls,
         pkg:cargo/asn1-rs,
         pkg:cargo/asn1-rs-derive,
         pkg:cargo/asn1-rs-impl,
diff --git a/.github/workflows/kube-integration-tests-non-root.yaml b/.github/workflows/kube-integration-tests-non-root.yaml
index a8ff7f38d1a42..c13c0d130b55b 100644
--- a/.github/workflows/kube-integration-tests-non-root.yaml
+++ b/.github/workflows/kube-integration-tests-non-root.yaml
@@ -69,7 +69,7 @@ jobs:
         continue-on-error: true
 
       - name: Create KinD cluster
-        uses: helm/kind-action@99576bfa6ddf9a8e612d83b513da5a75875caced # v1.9.0
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
         with:
           cluster_name: kind
           config: fixtures/kind/config.yaml
diff --git a/.golangci.yml b/.golangci.yml
index db7bea7523724..96269fa45631f 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -58,6 +58,10 @@ issues:
     - linters: [govet]
       path-except: ^e/
       text: 'non-constant format string in call to github.com/gravitational/trace.'
+    # BlockUntilContext should indeed be favored, this exception exists because
+    # at this time there are too many offenders.
+    - linters: [staticcheck]
+      text: 'BlockUntil is deprecated: New code should prefer BlockUntilContext'
   exclude-use-default: true
   max-same-issues: 0
   max-issues-per-linter: 0
diff --git a/Cargo.lock b/Cargo.lock
index da073ba335879..438d8c0c34141 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1431,8 +1431,8 @@ dependencies = [
 
 [[package]]
 name = "ironrdp-async"
-version = "0.2.0"
-source = "git+https://github.com/Devolutions/IronRDP?rev=2f57fd2de320f58fe240d88a83519255ba94cb73#2f57fd2de320f58fe240d88a83519255ba94cb73"
+version = "0.2.1"
+source = "git+https://github.com/Devolutions/IronRDP?rev=dd221bf22401c4635798ec012724cba7e6d503b2#dd221bf22401c4635798ec012724cba7e6d503b2"
 dependencies = [
  "bytes",
  "ironrdp-connector",
@@ -1443,8 +1443,8 @@ dependencies = [
 
 [[package]]
 name = "ironrdp-cliprdr"
-version = "0.1.0"
-source = "git+https://github.com/Devolutions/IronRDP?rev=2f57fd2de320f58fe240d88a83519255ba94cb73#2f57fd2de320f58fe240d88a83519255ba94cb73"
+version = "0.1.1"
+source = "git+https://github.com/Devolutions/IronRDP?rev=dd221bf22401c4635798ec012724cba7e6d503b2#dd221bf22401c4635798ec012724cba7e6d503b2"
 dependencies = [
  "bitflags 2.8.0",
  "ironrdp-core",
@@ -1456,8 +1456,8 @@ dependencies = [
 
 [[package]]
 name = "ironrdp-connector"
-version = "0.2.1"
-source = "git+https://github.com/Devolutions/IronRDP?rev=2f57fd2de320f58fe240d88a83519255ba94cb73#2f57fd2de320f58fe240d88a83519255ba94cb73"
+version = "0.2.2"
+source = "git+https://github.com/Devolutions/IronRDP?rev=dd221bf22401c4635798ec012724cba7e6d503b2#dd221bf22401c4635798ec012724cba7e6d503b2"
 dependencies = [
  "ironrdp-core",
  "ironrdp-error",
@@ -1474,16 +1474,16 @@ dependencies = [
 
 [[package]]
 name = "ironrdp-core"
-version = "0.1.1"
-source = "git+https://github.com/Devolutions/IronRDP?rev=2f57fd2de320f58fe240d88a83519255ba94cb73#2f57fd2de320f58fe240d88a83519255ba94cb73"
+version = "0.1.2"
+source = "git+https://github.com/Devolutions/IronRDP?rev=dd221bf22401c4635798ec012724cba7e6d503b2#dd221bf22401c4635798ec012724cba7e6d503b2"
 dependencies = [
  "ironrdp-error",
 ]
 
 [[package]]
 name = "ironrdp-displaycontrol"
-version = "0.1.0"
-source = "git+https://github.com/Devolutions/IronRDP?rev=2f57fd2de320f58fe240d88a83519255ba94cb73#2f57fd2de320f58fe240d88a83519255ba94cb73"
+version = "0.1.1"
+source = "git+https://github.com/Devolutions/IronRDP?rev=dd221bf22401c4635798ec012724cba7e6d503b2#dd221bf22401c4635798ec012724cba7e6d503b2"
 dependencies = [
  "ironrdp-core",
  "ironrdp-dvc",
@@ -1494,8 +1494,8 @@ dependencies = [
 
 [[package]]
 name = "ironrdp-dvc"
-version = "0.1.0"
-source = "git+https://github.com/Devolutions/IronRDP?rev=2f57fd2de320f58fe240d88a83519255ba94cb73#2f57fd2de320f58fe240d88a83519255ba94cb73"
+version = "0.1.1"
+source = "git+https://github.com/Devolutions/IronRDP?rev=dd221bf22401c4635798ec012724cba7e6d503b2#dd221bf22401c4635798ec012724cba7e6d503b2"
 dependencies = [
  "ironrdp-core",
  "ironrdp-pdu",
@@ -1506,13 +1506,13 @@ dependencies = [
 
 [[package]]
 name = "ironrdp-error"
-version = "0.1.0"
-source = "git+https://github.com/Devolutions/IronRDP?rev=2f57fd2de320f58fe240d88a83519255ba94cb73#2f57fd2de320f58fe240d88a83519255ba94cb73"
+version = "0.1.1"
+source = "git+https://github.com/Devolutions/IronRDP?rev=dd221bf22401c4635798ec012724cba7e6d503b2#dd221bf22401c4635798ec012724cba7e6d503b2"
 
 [[package]]
 name = "ironrdp-graphics"
-version = "0.1.0"
-source = "git+https://github.com/Devolutions/IronRDP?rev=2f57fd2de320f58fe240d88a83519255ba94cb73#2f57fd2de320f58fe240d88a83519255ba94cb73"
+version = "0.1.1"
+source = "git+https://github.com/Devolutions/IronRDP?rev=dd221bf22401c4635798ec012724cba7e6d503b2#dd221bf22401c4635798ec012724cba7e6d503b2"
 dependencies = [
  "bit_field",
  "bitflags 2.8.0",
@@ -1528,8 +1528,8 @@ dependencies = [
 
 [[package]]
 name = "ironrdp-pdu"
-version = "0.1.1"
-source = "git+https://github.com/Devolutions/IronRDP?rev=2f57fd2de320f58fe240d88a83519255ba94cb73#2f57fd2de320f58fe240d88a83519255ba94cb73"
+version = "0.1.2"
+source = "git+https://github.com/Devolutions/IronRDP?rev=dd221bf22401c4635798ec012724cba7e6d503b2#dd221bf22401c4635798ec012724cba7e6d503b2"
 dependencies = [
  "bit_field",
  "bitflags 2.8.0",
@@ -1551,8 +1551,8 @@ dependencies = [
 
 [[package]]
 name = "ironrdp-rdpdr"
-version = "0.1.0"
-source = "git+https://github.com/Devolutions/IronRDP?rev=2f57fd2de320f58fe240d88a83519255ba94cb73#2f57fd2de320f58fe240d88a83519255ba94cb73"
+version = "0.1.1"
+source = "git+https://github.com/Devolutions/IronRDP?rev=dd221bf22401c4635798ec012724cba7e6d503b2#dd221bf22401c4635798ec012724cba7e6d503b2"
 dependencies = [
  "bitflags 2.8.0",
  "ironrdp-core",
@@ -1564,8 +1564,8 @@ dependencies = [
 
 [[package]]
 name = "ironrdp-rdpsnd"
-version = "0.1.0"
-source = "git+https://github.com/Devolutions/IronRDP?rev=2f57fd2de320f58fe240d88a83519255ba94cb73#2f57fd2de320f58fe240d88a83519255ba94cb73"
+version = "0.1.1"
+source = "git+https://github.com/Devolutions/IronRDP?rev=dd221bf22401c4635798ec012724cba7e6d503b2#dd221bf22401c4635798ec012724cba7e6d503b2"
 dependencies = [
  "bitflags 2.8.0",
  "ironrdp-core",
@@ -1576,8 +1576,8 @@ dependencies = [
 
 [[package]]
 name = "ironrdp-session"
-version = "0.2.0"
-source = "git+https://github.com/Devolutions/IronRDP?rev=2f57fd2de320f58fe240d88a83519255ba94cb73#2f57fd2de320f58fe240d88a83519255ba94cb73"
+version = "0.2.1"
+source = "git+https://github.com/Devolutions/IronRDP?rev=dd221bf22401c4635798ec012724cba7e6d503b2#dd221bf22401c4635798ec012724cba7e6d503b2"
 dependencies = [
  "ironrdp-connector",
  "ironrdp-core",
@@ -1592,8 +1592,8 @@ dependencies = [
 
 [[package]]
 name = "ironrdp-svc"
-version = "0.1.1"
-source = "git+https://github.com/Devolutions/IronRDP?rev=2f57fd2de320f58fe240d88a83519255ba94cb73#2f57fd2de320f58fe240d88a83519255ba94cb73"
+version = "0.1.2"
+source = "git+https://github.com/Devolutions/IronRDP?rev=dd221bf22401c4635798ec012724cba7e6d503b2#dd221bf22401c4635798ec012724cba7e6d503b2"
 dependencies = [
  "bitflags 2.8.0",
  "ironrdp-core",
@@ -1602,8 +1602,8 @@ dependencies = [
 
 [[package]]
 name = "ironrdp-tls"
-version = "0.1.0"
-source = "git+https://github.com/Devolutions/IronRDP?rev=2f57fd2de320f58fe240d88a83519255ba94cb73#2f57fd2de320f58fe240d88a83519255ba94cb73"
+version = "0.1.1"
+source = "git+https://github.com/Devolutions/IronRDP?rev=dd221bf22401c4635798ec012724cba7e6d503b2#dd221bf22401c4635798ec012724cba7e6d503b2"
 dependencies = [
  "tokio",
  "tokio-rustls",
@@ -1612,8 +1612,8 @@ dependencies = [
 
 [[package]]
 name = "ironrdp-tokio"
-version = "0.2.0"
-source = "git+https://github.com/Devolutions/IronRDP?rev=2f57fd2de320f58fe240d88a83519255ba94cb73#2f57fd2de320f58fe240d88a83519255ba94cb73"
+version = "0.2.1"
+source = "git+https://github.com/Devolutions/IronRDP?rev=dd221bf22401c4635798ec012724cba7e6d503b2#dd221bf22401c4635798ec012724cba7e6d503b2"
 dependencies = [
  "bytes",
  "ironrdp-async",
diff --git a/Cargo.toml b/Cargo.toml
index cf40926486bbf..d0d0aa4f71a26 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -21,18 +21,18 @@ lto = "thin"
 [workspace.dependencies]
 # Note: To use a local IronRDP repository as a crate (for example, ironrdp-cliprdr), define the dependency as follows:
 # ironrdp-cliprdr = { path = "/path/to/local/IronRDP/crates/ironrdp-cliprdr" }
-ironrdp-cliprdr = { git = "https://github.com/Devolutions/IronRDP", rev = "2f57fd2de320f58fe240d88a83519255ba94cb73" }
-ironrdp-connector = { git = "https://github.com/Devolutions/IronRDP", rev = "2f57fd2de320f58fe240d88a83519255ba94cb73" }
-ironrdp-core = { git = "https://github.com/Devolutions/IronRDP", rev = "2f57fd2de320f58fe240d88a83519255ba94cb73" }
-ironrdp-displaycontrol = { git = "https://github.com/Devolutions/IronRDP", rev = "2f57fd2de320f58fe240d88a83519255ba94cb73" }
-ironrdp-dvc = { git = "https://github.com/Devolutions/IronRDP", rev = "2f57fd2de320f58fe240d88a83519255ba94cb73" }
-ironrdp-graphics = { git = "https://github.com/Devolutions/IronRDP", rev = "2f57fd2de320f58fe240d88a83519255ba94cb73" }
-ironrdp-pdu = { git = "https://github.com/Devolutions/IronRDP", rev = "2f57fd2de320f58fe240d88a83519255ba94cb73" }
-ironrdp-rdpdr = { git = "https://github.com/Devolutions/IronRDP", rev = "2f57fd2de320f58fe240d88a83519255ba94cb73" }
-ironrdp-rdpsnd = { git = "https://github.com/Devolutions/IronRDP", rev = "2f57fd2de320f58fe240d88a83519255ba94cb73" }
-ironrdp-session = { git = "https://github.com/Devolutions/IronRDP", rev = "2f57fd2de320f58fe240d88a83519255ba94cb73" }
-ironrdp-svc = { git = "https://github.com/Devolutions/IronRDP", rev = "2f57fd2de320f58fe240d88a83519255ba94cb73" }
-ironrdp-tls = { git = "https://github.com/Devolutions/IronRDP", rev = "2f57fd2de320f58fe240d88a83519255ba94cb73", features = [
+ironrdp-cliprdr = { git = "https://github.com/Devolutions/IronRDP", rev = "dd221bf22401c4635798ec012724cba7e6d503b2" }
+ironrdp-connector = { git = "https://github.com/Devolutions/IronRDP", rev = "dd221bf22401c4635798ec012724cba7e6d503b2" }
+ironrdp-core = { git = "https://github.com/Devolutions/IronRDP", rev = "dd221bf22401c4635798ec012724cba7e6d503b2" }
+ironrdp-displaycontrol = { git = "https://github.com/Devolutions/IronRDP", rev = "dd221bf22401c4635798ec012724cba7e6d503b2" }
+ironrdp-dvc = { git = "https://github.com/Devolutions/IronRDP", rev = "dd221bf22401c4635798ec012724cba7e6d503b2" }
+ironrdp-graphics = { git = "https://github.com/Devolutions/IronRDP", rev = "dd221bf22401c4635798ec012724cba7e6d503b2" }
+ironrdp-pdu = { git = "https://github.com/Devolutions/IronRDP", rev = "dd221bf22401c4635798ec012724cba7e6d503b2" }
+ironrdp-rdpdr = { git = "https://github.com/Devolutions/IronRDP", rev = "dd221bf22401c4635798ec012724cba7e6d503b2" }
+ironrdp-rdpsnd = { git = "https://github.com/Devolutions/IronRDP", rev = "dd221bf22401c4635798ec012724cba7e6d503b2" }
+ironrdp-session = { git = "https://github.com/Devolutions/IronRDP", rev = "dd221bf22401c4635798ec012724cba7e6d503b2" }
+ironrdp-svc = { git = "https://github.com/Devolutions/IronRDP", rev = "dd221bf22401c4635798ec012724cba7e6d503b2" }
+ironrdp-tls = { git = "https://github.com/Devolutions/IronRDP", rev = "dd221bf22401c4635798ec012724cba7e6d503b2", features = [
     "rustls",
 ] }
-ironrdp-tokio = { git = "https://github.com/Devolutions/IronRDP", rev = "2f57fd2de320f58fe240d88a83519255ba94cb73" }
+ironrdp-tokio = { git = "https://github.com/Devolutions/IronRDP", rev = "dd221bf22401c4635798ec012724cba7e6d503b2" }
diff --git a/api/client/client.go b/api/client/client.go
index 2daddc81d9777..4306ab1a619b0 100644
--- a/api/client/client.go
+++ b/api/client/client.go
@@ -4835,6 +4835,18 @@ func (c *Client) GenerateAWSOIDCToken(ctx context.Context, integration string) (
 	return resp.GetToken(), nil
 }
 
+// GenerateAzureOIDCToken generates a token to be used when executing an Azure OIDC Integration action.
+func (c *Client) GenerateAzureOIDCToken(ctx context.Context, integration string) (string, error) {
+	resp, err := c.integrationsClient().GenerateAzureOIDCToken(ctx, &integrationpb.GenerateAzureOIDCTokenRequest{
+		Integration: integration,
+	})
+	if err != nil {
+		return "", trace.Wrap(err)
+	}
+
+	return resp.GetToken(), nil
+}
+
 // PluginsClient returns an unadorned Plugins client, using the underlying
 // Auth gRPC connection.
 // Clients connecting to non-Enterprise clusters, or older Teleport versions,
diff --git a/api/client/proto/event.pb.go b/api/client/proto/event.pb.go
index 6da314ce0042d..31466a6d80dc3 100644
--- a/api/client/proto/event.pb.go
+++ b/api/client/proto/event.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/legacy/client/proto/event.proto
 
@@ -43,6 +43,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -1383,7 +1384,7 @@ func (*Event_WorkloadIdentity) isEvent_Resource() {}
 
 var File_teleport_legacy_client_proto_event_proto protoreflect.FileDescriptor
 
-var file_teleport_legacy_client_proto_event_proto_rawDesc = []byte{
+var file_teleport_legacy_client_proto_event_proto_rawDesc = string([]byte{
 	0x0a, 0x28, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x65, 0x67, 0x61, 0x63,
 	0x79, 0x2f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x65,
 	0x76, 0x65, 0x6e, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x05, 0x70, 0x72, 0x6f, 0x74,
@@ -1786,16 +1787,16 @@ var file_teleport_legacy_client_proto_event_proto_rawDesc = []byte{
 	0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69,
 	0x2f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70,
 	0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_legacy_client_proto_event_proto_rawDescOnce sync.Once
-	file_teleport_legacy_client_proto_event_proto_rawDescData = file_teleport_legacy_client_proto_event_proto_rawDesc
+	file_teleport_legacy_client_proto_event_proto_rawDescData []byte
 )
 
 func file_teleport_legacy_client_proto_event_proto_rawDescGZIP() []byte {
 	file_teleport_legacy_client_proto_event_proto_rawDescOnce.Do(func() {
-		file_teleport_legacy_client_proto_event_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_legacy_client_proto_event_proto_rawDescData)
+		file_teleport_legacy_client_proto_event_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_legacy_client_proto_event_proto_rawDesc), len(file_teleport_legacy_client_proto_event_proto_rawDesc)))
 	})
 	return file_teleport_legacy_client_proto_event_proto_rawDescData
 }
@@ -2036,7 +2037,7 @@ func file_teleport_legacy_client_proto_event_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_legacy_client_proto_event_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_legacy_client_proto_event_proto_rawDesc), len(file_teleport_legacy_client_proto_event_proto_rawDesc)),
 			NumEnums:      1,
 			NumMessages:   1,
 			NumExtensions: 0,
@@ -2048,7 +2049,6 @@ func file_teleport_legacy_client_proto_event_proto_init() {
 		MessageInfos:      file_teleport_legacy_client_proto_event_proto_msgTypes,
 	}.Build()
 	File_teleport_legacy_client_proto_event_proto = out.File
-	file_teleport_legacy_client_proto_event_proto_rawDesc = nil
 	file_teleport_legacy_client_proto_event_proto_goTypes = nil
 	file_teleport_legacy_client_proto_event_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/accessgraph/v1/authorized_key.pb.go b/api/gen/proto/go/teleport/accessgraph/v1/authorized_key.pb.go
index 800f4e1c55e49..0107d6913d0f1 100644
--- a/api/gen/proto/go/teleport/accessgraph/v1/authorized_key.pb.go
+++ b/api/gen/proto/go/teleport/accessgraph/v1/authorized_key.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/access_graph/v1/authorized_key.proto
 
@@ -26,6 +26,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -204,7 +205,7 @@ func (x *AuthorizedKeySpec) GetKeyType() string {
 
 var File_teleport_access_graph_v1_authorized_key_proto protoreflect.FileDescriptor
 
-var file_teleport_access_graph_v1_authorized_key_proto_rawDesc = []byte{
+var file_teleport_access_graph_v1_authorized_key_proto_rawDesc = string([]byte{
 	0x0a, 0x2d, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73,
 	0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x6f,
 	0x72, 0x69, 0x7a, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12,
@@ -243,16 +244,16 @@ var file_teleport_access_graph_v1_authorized_key_proto_rawDesc = []byte{
 	0x72, 0x74, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76,
 	0x31, 0x3b, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x76, 0x31, 0x62,
 	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_access_graph_v1_authorized_key_proto_rawDescOnce sync.Once
-	file_teleport_access_graph_v1_authorized_key_proto_rawDescData = file_teleport_access_graph_v1_authorized_key_proto_rawDesc
+	file_teleport_access_graph_v1_authorized_key_proto_rawDescData []byte
 )
 
 func file_teleport_access_graph_v1_authorized_key_proto_rawDescGZIP() []byte {
 	file_teleport_access_graph_v1_authorized_key_proto_rawDescOnce.Do(func() {
-		file_teleport_access_graph_v1_authorized_key_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_access_graph_v1_authorized_key_proto_rawDescData)
+		file_teleport_access_graph_v1_authorized_key_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_access_graph_v1_authorized_key_proto_rawDesc), len(file_teleport_access_graph_v1_authorized_key_proto_rawDesc)))
 	})
 	return file_teleport_access_graph_v1_authorized_key_proto_rawDescData
 }
@@ -282,7 +283,7 @@ func file_teleport_access_graph_v1_authorized_key_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_access_graph_v1_authorized_key_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_access_graph_v1_authorized_key_proto_rawDesc), len(file_teleport_access_graph_v1_authorized_key_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   2,
 			NumExtensions: 0,
@@ -293,7 +294,6 @@ func file_teleport_access_graph_v1_authorized_key_proto_init() {
 		MessageInfos:      file_teleport_access_graph_v1_authorized_key_proto_msgTypes,
 	}.Build()
 	File_teleport_access_graph_v1_authorized_key_proto = out.File
-	file_teleport_access_graph_v1_authorized_key_proto_rawDesc = nil
 	file_teleport_access_graph_v1_authorized_key_proto_goTypes = nil
 	file_teleport_access_graph_v1_authorized_key_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/accessgraph/v1/private_key.pb.go b/api/gen/proto/go/teleport/accessgraph/v1/private_key.pb.go
index 078eefc04e055..a8ab47f83e68e 100644
--- a/api/gen/proto/go/teleport/accessgraph/v1/private_key.pb.go
+++ b/api/gen/proto/go/teleport/accessgraph/v1/private_key.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/access_graph/v1/private_key.proto
 
@@ -26,6 +26,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -250,7 +251,7 @@ func (x *PrivateKeySpec) GetPublicKeyMode() PublicKeyMode {
 
 var File_teleport_access_graph_v1_private_key_proto protoreflect.FileDescriptor
 
-var file_teleport_access_graph_v1_private_key_proto_rawDesc = []byte{
+var file_teleport_access_graph_v1_private_key_proto_rawDesc = string([]byte{
 	0x0a, 0x2a, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73,
 	0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31, 0x2f, 0x70, 0x72, 0x69, 0x76, 0x61,
 	0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x18, 0x74, 0x65,
@@ -298,16 +299,16 @@ var file_teleport_access_graph_v1_private_key_proto_rawDesc = []byte{
 	0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31, 0x3b, 0x61, 0x63, 0x63, 0x65,
 	0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
 	0x33,
-}
+})
 
 var (
 	file_teleport_access_graph_v1_private_key_proto_rawDescOnce sync.Once
-	file_teleport_access_graph_v1_private_key_proto_rawDescData = file_teleport_access_graph_v1_private_key_proto_rawDesc
+	file_teleport_access_graph_v1_private_key_proto_rawDescData []byte
 )
 
 func file_teleport_access_graph_v1_private_key_proto_rawDescGZIP() []byte {
 	file_teleport_access_graph_v1_private_key_proto_rawDescOnce.Do(func() {
-		file_teleport_access_graph_v1_private_key_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_access_graph_v1_private_key_proto_rawDescData)
+		file_teleport_access_graph_v1_private_key_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_access_graph_v1_private_key_proto_rawDesc), len(file_teleport_access_graph_v1_private_key_proto_rawDesc)))
 	})
 	return file_teleport_access_graph_v1_private_key_proto_rawDescData
 }
@@ -340,7 +341,7 @@ func file_teleport_access_graph_v1_private_key_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_access_graph_v1_private_key_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_access_graph_v1_private_key_proto_rawDesc), len(file_teleport_access_graph_v1_private_key_proto_rawDesc)),
 			NumEnums:      1,
 			NumMessages:   2,
 			NumExtensions: 0,
@@ -352,7 +353,6 @@ func file_teleport_access_graph_v1_private_key_proto_init() {
 		MessageInfos:      file_teleport_access_graph_v1_private_key_proto_msgTypes,
 	}.Build()
 	File_teleport_access_graph_v1_private_key_proto = out.File
-	file_teleport_access_graph_v1_private_key_proto_rawDesc = nil
 	file_teleport_access_graph_v1_private_key_proto_goTypes = nil
 	file_teleport_access_graph_v1_private_key_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/accessgraph/v1/secrets_service.pb.go b/api/gen/proto/go/teleport/accessgraph/v1/secrets_service.pb.go
index 4e70bde336528..ef052f10d0f6d 100644
--- a/api/gen/proto/go/teleport/accessgraph/v1/secrets_service.pb.go
+++ b/api/gen/proto/go/teleport/accessgraph/v1/secrets_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/access_graph/v1/secrets_service.proto
 
@@ -26,6 +26,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -391,7 +392,7 @@ func (*ReportSecretsResponse_DeviceAssertion) isReportSecretsResponse_Payload()
 
 var File_teleport_access_graph_v1_secrets_service_proto protoreflect.FileDescriptor
 
-var file_teleport_access_graph_v1_secrets_service_proto_rawDesc = []byte{
+var file_teleport_access_graph_v1_secrets_service_proto_rawDesc = string([]byte{
 	0x0a, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73,
 	0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31, 0x2f, 0x73, 0x65, 0x63, 0x72, 0x65,
 	0x74, 0x73, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
@@ -474,16 +475,16 @@ var file_teleport_access_graph_v1_secrets_service_proto_rawDesc = []byte{
 	0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31, 0x3b,
 	0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x76, 0x31, 0x62, 0x06, 0x70,
 	0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_access_graph_v1_secrets_service_proto_rawDescOnce sync.Once
-	file_teleport_access_graph_v1_secrets_service_proto_rawDescData = file_teleport_access_graph_v1_secrets_service_proto_rawDesc
+	file_teleport_access_graph_v1_secrets_service_proto_rawDescData []byte
 )
 
 func file_teleport_access_graph_v1_secrets_service_proto_rawDescGZIP() []byte {
 	file_teleport_access_graph_v1_secrets_service_proto_rawDescOnce.Do(func() {
-		file_teleport_access_graph_v1_secrets_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_access_graph_v1_secrets_service_proto_rawDescData)
+		file_teleport_access_graph_v1_secrets_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_access_graph_v1_secrets_service_proto_rawDesc), len(file_teleport_access_graph_v1_secrets_service_proto_rawDesc)))
 	})
 	return file_teleport_access_graph_v1_secrets_service_proto_rawDescData
 }
@@ -538,7 +539,7 @@ func file_teleport_access_graph_v1_secrets_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_access_graph_v1_secrets_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_access_graph_v1_secrets_service_proto_rawDesc), len(file_teleport_access_graph_v1_secrets_service_proto_rawDesc)),
 			NumEnums:      1,
 			NumMessages:   5,
 			NumExtensions: 0,
@@ -550,7 +551,6 @@ func file_teleport_access_graph_v1_secrets_service_proto_init() {
 		MessageInfos:      file_teleport_access_graph_v1_secrets_service_proto_msgTypes,
 	}.Build()
 	File_teleport_access_graph_v1_secrets_service_proto = out.File
-	file_teleport_access_graph_v1_secrets_service_proto_rawDesc = nil
 	file_teleport_access_graph_v1_secrets_service_proto_goTypes = nil
 	file_teleport_access_graph_v1_secrets_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/accesslist/v1/accesslist.pb.go b/api/gen/proto/go/teleport/accesslist/v1/accesslist.pb.go
index 511616427eb82..13bca9ff9bf2f 100644
--- a/api/gen/proto/go/teleport/accesslist/v1/accesslist.pb.go
+++ b/api/gen/proto/go/teleport/accesslist/v1/accesslist.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/accesslist/v1/accesslist.proto
 
@@ -29,6 +29,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -1263,7 +1264,7 @@ func (x *AccessListStatus) GetMemberOf() []string {
 
 var File_teleport_accesslist_v1_accesslist_proto protoreflect.FileDescriptor
 
-var file_teleport_accesslist_v1_accesslist_proto_rawDesc = []byte{
+var file_teleport_accesslist_v1_accesslist_proto_rawDesc = string([]byte{
 	0x0a, 0x27, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73,
 	0x73, 0x6c, 0x69, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x6c,
 	0x69, 0x73, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x16, 0x74, 0x65, 0x6c, 0x65, 0x70,
@@ -1522,16 +1523,16 @@ var file_teleport_accesslist_v1_accesslist_proto_rawDesc = []byte{
 	0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63,
 	0x65, 0x73, 0x73, 0x6c, 0x69, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x3b, 0x61, 0x63, 0x63, 0x65, 0x73,
 	0x73, 0x6c, 0x69, 0x73, 0x74, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_accesslist_v1_accesslist_proto_rawDescOnce sync.Once
-	file_teleport_accesslist_v1_accesslist_proto_rawDescData = file_teleport_accesslist_v1_accesslist_proto_rawDesc
+	file_teleport_accesslist_v1_accesslist_proto_rawDescData []byte
 )
 
 func file_teleport_accesslist_v1_accesslist_proto_rawDescGZIP() []byte {
 	file_teleport_accesslist_v1_accesslist_proto_rawDescOnce.Do(func() {
-		file_teleport_accesslist_v1_accesslist_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_accesslist_v1_accesslist_proto_rawDescData)
+		file_teleport_accesslist_v1_accesslist_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_accesslist_v1_accesslist_proto_rawDesc), len(file_teleport_accesslist_v1_accesslist_proto_rawDesc)))
 	})
 	return file_teleport_accesslist_v1_accesslist_proto_rawDescData
 }
@@ -1612,7 +1613,7 @@ func file_teleport_accesslist_v1_accesslist_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_accesslist_v1_accesslist_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_accesslist_v1_accesslist_proto_rawDesc), len(file_teleport_accesslist_v1_accesslist_proto_rawDesc)),
 			NumEnums:      4,
 			NumMessages:   14,
 			NumExtensions: 0,
@@ -1624,7 +1625,6 @@ func file_teleport_accesslist_v1_accesslist_proto_init() {
 		MessageInfos:      file_teleport_accesslist_v1_accesslist_proto_msgTypes,
 	}.Build()
 	File_teleport_accesslist_v1_accesslist_proto = out.File
-	file_teleport_accesslist_v1_accesslist_proto_rawDesc = nil
 	file_teleport_accesslist_v1_accesslist_proto_goTypes = nil
 	file_teleport_accesslist_v1_accesslist_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/accesslist/v1/accesslist_service.pb.go b/api/gen/proto/go/teleport/accesslist/v1/accesslist_service.pb.go
index 0a42b23ab3351..cfebfd0513090 100644
--- a/api/gen/proto/go/teleport/accesslist/v1/accesslist_service.pb.go
+++ b/api/gen/proto/go/teleport/accesslist/v1/accesslist_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/accesslist/v1/accesslist_service.proto
 
@@ -28,6 +28,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -2061,7 +2062,7 @@ func (x *GetSuggestedAccessListsResponse) GetAccessLists() []*AccessList {
 
 var File_teleport_accesslist_v1_accesslist_service_proto protoreflect.FileDescriptor
 
-var file_teleport_accesslist_v1_accesslist_service_proto_rawDesc = []byte{
+var file_teleport_accesslist_v1_accesslist_service_proto_rawDesc = string([]byte{
 	0x0a, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73,
 	0x73, 0x6c, 0x69, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x6c,
 	0x69, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
@@ -2524,16 +2525,16 @@ var file_teleport_accesslist_v1_accesslist_service_proto_rawDesc = []byte{
 	0x74, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x6c, 0x69, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x3b,
 	0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x6c, 0x69, 0x73, 0x74, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72,
 	0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_accesslist_v1_accesslist_service_proto_rawDescOnce sync.Once
-	file_teleport_accesslist_v1_accesslist_service_proto_rawDescData = file_teleport_accesslist_v1_accesslist_service_proto_rawDesc
+	file_teleport_accesslist_v1_accesslist_service_proto_rawDescData []byte
 )
 
 func file_teleport_accesslist_v1_accesslist_service_proto_rawDescGZIP() []byte {
 	file_teleport_accesslist_v1_accesslist_service_proto_rawDescOnce.Do(func() {
-		file_teleport_accesslist_v1_accesslist_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_accesslist_v1_accesslist_service_proto_rawDescData)
+		file_teleport_accesslist_v1_accesslist_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_accesslist_v1_accesslist_service_proto_rawDesc), len(file_teleport_accesslist_v1_accesslist_service_proto_rawDesc)))
 	})
 	return file_teleport_accesslist_v1_accesslist_service_proto_rawDescData
 }
@@ -2680,7 +2681,7 @@ func file_teleport_accesslist_v1_accesslist_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_accesslist_v1_accesslist_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_accesslist_v1_accesslist_service_proto_rawDesc), len(file_teleport_accesslist_v1_accesslist_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   40,
 			NumExtensions: 0,
@@ -2691,7 +2692,6 @@ func file_teleport_accesslist_v1_accesslist_service_proto_init() {
 		MessageInfos:      file_teleport_accesslist_v1_accesslist_service_proto_msgTypes,
 	}.Build()
 	File_teleport_accesslist_v1_accesslist_service_proto = out.File
-	file_teleport_accesslist_v1_accesslist_service_proto_rawDesc = nil
 	file_teleport_accesslist_v1_accesslist_service_proto_goTypes = nil
 	file_teleport_accesslist_v1_accesslist_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/accessmonitoringrules/v1/access_monitoring_rules.pb.go b/api/gen/proto/go/teleport/accessmonitoringrules/v1/access_monitoring_rules.pb.go
index d95cdf60655d5..4a9e7195de365 100644
--- a/api/gen/proto/go/teleport/accessmonitoringrules/v1/access_monitoring_rules.pb.go
+++ b/api/gen/proto/go/teleport/accessmonitoringrules/v1/access_monitoring_rules.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/accessmonitoringrules/v1/access_monitoring_rules.proto
 
@@ -26,6 +26,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -720,7 +721,7 @@ func (x *ListAccessMonitoringRulesWithFilterResponse) GetNextPageToken() string
 
 var File_teleport_accessmonitoringrules_v1_access_monitoring_rules_proto protoreflect.FileDescriptor
 
-var file_teleport_accessmonitoringrules_v1_access_monitoring_rules_proto_rawDesc = []byte{
+var file_teleport_accessmonitoringrules_v1_access_monitoring_rules_proto_rawDesc = string([]byte{
 	0x0a, 0x3f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73,
 	0x73, 0x6d, 0x6f, 0x6e, 0x69, 0x74, 0x6f, 0x72, 0x69, 0x6e, 0x67, 0x72, 0x75, 0x6c, 0x65, 0x73,
 	0x2f, 0x76, 0x31, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x6d, 0x6f, 0x6e, 0x69, 0x74,
@@ -835,16 +836,16 @@ var file_teleport_accessmonitoringrules_v1_access_monitoring_rules_proto_rawDesc
 	0x31, 0x3b, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x6d, 0x6f, 0x6e, 0x69, 0x74, 0x6f, 0x72, 0x69,
 	0x6e, 0x67, 0x72, 0x75, 0x6c, 0x65, 0x73, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
 	0x33,
-}
+})
 
 var (
 	file_teleport_accessmonitoringrules_v1_access_monitoring_rules_proto_rawDescOnce sync.Once
-	file_teleport_accessmonitoringrules_v1_access_monitoring_rules_proto_rawDescData = file_teleport_accessmonitoringrules_v1_access_monitoring_rules_proto_rawDesc
+	file_teleport_accessmonitoringrules_v1_access_monitoring_rules_proto_rawDescData []byte
 )
 
 func file_teleport_accessmonitoringrules_v1_access_monitoring_rules_proto_rawDescGZIP() []byte {
 	file_teleport_accessmonitoringrules_v1_access_monitoring_rules_proto_rawDescOnce.Do(func() {
-		file_teleport_accessmonitoringrules_v1_access_monitoring_rules_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_accessmonitoringrules_v1_access_monitoring_rules_proto_rawDescData)
+		file_teleport_accessmonitoringrules_v1_access_monitoring_rules_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_accessmonitoringrules_v1_access_monitoring_rules_proto_rawDesc), len(file_teleport_accessmonitoringrules_v1_access_monitoring_rules_proto_rawDesc)))
 	})
 	return file_teleport_accessmonitoringrules_v1_access_monitoring_rules_proto_rawDescData
 }
@@ -890,7 +891,7 @@ func file_teleport_accessmonitoringrules_v1_access_monitoring_rules_proto_init()
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_accessmonitoringrules_v1_access_monitoring_rules_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_accessmonitoringrules_v1_access_monitoring_rules_proto_rawDesc), len(file_teleport_accessmonitoringrules_v1_access_monitoring_rules_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   12,
 			NumExtensions: 0,
@@ -901,7 +902,6 @@ func file_teleport_accessmonitoringrules_v1_access_monitoring_rules_proto_init()
 		MessageInfos:      file_teleport_accessmonitoringrules_v1_access_monitoring_rules_proto_msgTypes,
 	}.Build()
 	File_teleport_accessmonitoringrules_v1_access_monitoring_rules_proto = out.File
-	file_teleport_accessmonitoringrules_v1_access_monitoring_rules_proto_rawDesc = nil
 	file_teleport_accessmonitoringrules_v1_access_monitoring_rules_proto_goTypes = nil
 	file_teleport_accessmonitoringrules_v1_access_monitoring_rules_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/accessmonitoringrules/v1/access_monitoring_rules_service.pb.go b/api/gen/proto/go/teleport/accessmonitoringrules/v1/access_monitoring_rules_service.pb.go
index c818d58e20dd9..c070ee44606e1 100644
--- a/api/gen/proto/go/teleport/accessmonitoringrules/v1/access_monitoring_rules_service.pb.go
+++ b/api/gen/proto/go/teleport/accessmonitoringrules/v1/access_monitoring_rules_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/accessmonitoringrules/v1/access_monitoring_rules_service.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	emptypb "google.golang.org/protobuf/types/known/emptypb"
 	reflect "reflect"
+	unsafe "unsafe"
 )
 
 const (
@@ -36,7 +37,7 @@ const (
 
 var File_teleport_accessmonitoringrules_v1_access_monitoring_rules_service_proto protoreflect.FileDescriptor
 
-var file_teleport_accessmonitoringrules_v1_access_monitoring_rules_service_proto_rawDesc = []byte{
+var file_teleport_accessmonitoringrules_v1_access_monitoring_rules_service_proto_rawDesc = string([]byte{
 	0x0a, 0x47, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73,
 	0x73, 0x6d, 0x6f, 0x6e, 0x69, 0x74, 0x6f, 0x72, 0x69, 0x6e, 0x67, 0x72, 0x75, 0x6c, 0x65, 0x73,
 	0x2f, 0x76, 0x31, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x6d, 0x6f, 0x6e, 0x69, 0x74,
@@ -130,7 +131,7 @@ var file_teleport_accessmonitoringrules_v1_access_monitoring_rules_service_proto
 	0x31, 0x3b, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x6d, 0x6f, 0x6e, 0x69, 0x74, 0x6f, 0x72, 0x69,
 	0x6e, 0x67, 0x72, 0x75, 0x6c, 0x65, 0x73, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
 	0x33,
-}
+})
 
 var file_teleport_accessmonitoringrules_v1_access_monitoring_rules_service_proto_goTypes = []any{
 	(*CreateAccessMonitoringRuleRequest)(nil),           // 0: teleport.accessmonitoringrules.v1.CreateAccessMonitoringRuleRequest
@@ -177,7 +178,7 @@ func file_teleport_accessmonitoringrules_v1_access_monitoring_rules_service_prot
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_accessmonitoringrules_v1_access_monitoring_rules_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_accessmonitoringrules_v1_access_monitoring_rules_service_proto_rawDesc), len(file_teleport_accessmonitoringrules_v1_access_monitoring_rules_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   0,
 			NumExtensions: 0,
@@ -187,7 +188,6 @@ func file_teleport_accessmonitoringrules_v1_access_monitoring_rules_service_prot
 		DependencyIndexes: file_teleport_accessmonitoringrules_v1_access_monitoring_rules_service_proto_depIdxs,
 	}.Build()
 	File_teleport_accessmonitoringrules_v1_access_monitoring_rules_service_proto = out.File
-	file_teleport_accessmonitoringrules_v1_access_monitoring_rules_service_proto_rawDesc = nil
 	file_teleport_accessmonitoringrules_v1_access_monitoring_rules_service_proto_goTypes = nil
 	file_teleport_accessmonitoringrules_v1_access_monitoring_rules_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/auditlog/v1/auditlog.pb.go b/api/gen/proto/go/teleport/auditlog/v1/auditlog.pb.go
index 7ccc12b639543..85635e3930805 100644
--- a/api/gen/proto/go/teleport/auditlog/v1/auditlog.pb.go
+++ b/api/gen/proto/go/teleport/auditlog/v1/auditlog.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/auditlog/v1/auditlog.proto
 
@@ -27,6 +27,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -597,7 +598,7 @@ func (x *EventExportChunk) GetChunk() string {
 
 var File_teleport_auditlog_v1_auditlog_proto protoreflect.FileDescriptor
 
-var file_teleport_auditlog_v1_auditlog_proto_rawDesc = []byte{
+var file_teleport_auditlog_v1_auditlog_proto_rawDesc = string([]byte{
 	0x0a, 0x23, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x75, 0x64, 0x69, 0x74,
 	0x6c, 0x6f, 0x67, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x75, 0x64, 0x69, 0x74, 0x6c, 0x6f, 0x67, 0x2e,
 	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x14, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e,
@@ -717,16 +718,16 @@ var file_teleport_auditlog_v1_auditlog_proto_rawDesc = []byte{
 	0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x75, 0x64, 0x69, 0x74, 0x6c, 0x6f, 0x67, 0x2f,
 	0x76, 0x31, 0x3b, 0x61, 0x75, 0x64, 0x69, 0x74, 0x6c, 0x6f, 0x67, 0x76, 0x31, 0x62, 0x06, 0x70,
 	0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_auditlog_v1_auditlog_proto_rawDescOnce sync.Once
-	file_teleport_auditlog_v1_auditlog_proto_rawDescData = file_teleport_auditlog_v1_auditlog_proto_rawDesc
+	file_teleport_auditlog_v1_auditlog_proto_rawDescData []byte
 )
 
 func file_teleport_auditlog_v1_auditlog_proto_rawDescGZIP() []byte {
 	file_teleport_auditlog_v1_auditlog_proto_rawDescOnce.Do(func() {
-		file_teleport_auditlog_v1_auditlog_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_auditlog_v1_auditlog_proto_rawDescData)
+		file_teleport_auditlog_v1_auditlog_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_auditlog_v1_auditlog_proto_rawDesc), len(file_teleport_auditlog_v1_auditlog_proto_rawDesc)))
 	})
 	return file_teleport_auditlog_v1_auditlog_proto_rawDescData
 }
@@ -780,7 +781,7 @@ func file_teleport_auditlog_v1_auditlog_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_auditlog_v1_auditlog_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_auditlog_v1_auditlog_proto_rawDesc), len(file_teleport_auditlog_v1_auditlog_proto_rawDesc)),
 			NumEnums:      1,
 			NumMessages:   8,
 			NumExtensions: 0,
@@ -792,7 +793,6 @@ func file_teleport_auditlog_v1_auditlog_proto_init() {
 		MessageInfos:      file_teleport_auditlog_v1_auditlog_proto_msgTypes,
 	}.Build()
 	File_teleport_auditlog_v1_auditlog_proto = out.File
-	file_teleport_auditlog_v1_auditlog_proto_rawDesc = nil
 	file_teleport_auditlog_v1_auditlog_proto_goTypes = nil
 	file_teleport_auditlog_v1_auditlog_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/autoupdate/v1/autoupdate.pb.go b/api/gen/proto/go/teleport/autoupdate/v1/autoupdate.pb.go
index 92cdb8066be49..ce3bcc9a5fbfc 100644
--- a/api/gen/proto/go/teleport/autoupdate/v1/autoupdate.pb.go
+++ b/api/gen/proto/go/teleport/autoupdate/v1/autoupdate.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/autoupdate/v1/autoupdate.proto
 
@@ -28,6 +28,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -1178,7 +1179,7 @@ func (x *AutoUpdateAgentRolloutStatusGroup) GetConfigWaitHours() int32 {
 
 var File_teleport_autoupdate_v1_autoupdate_proto protoreflect.FileDescriptor
 
-var file_teleport_autoupdate_v1_autoupdate_proto_rawDesc = []byte{
+var file_teleport_autoupdate_v1_autoupdate_proto_rawDesc = string([]byte{
 	0x0a, 0x27, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x75, 0x74, 0x6f, 0x75,
 	0x70, 0x64, 0x61, 0x74, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x75, 0x74, 0x6f, 0x75, 0x70, 0x64,
 	0x61, 0x74, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x16, 0x74, 0x65, 0x6c, 0x65, 0x70,
@@ -1415,16 +1416,16 @@ var file_teleport_autoupdate_v1_autoupdate_proto_rawDesc = []byte{
 	0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x75, 0x74, 0x6f, 0x75, 0x70, 0x64, 0x61, 0x74,
 	0x65, 0x2f, 0x76, 0x31, 0x3b, 0x61, 0x75, 0x74, 0x6f, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x62,
 	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_autoupdate_v1_autoupdate_proto_rawDescOnce sync.Once
-	file_teleport_autoupdate_v1_autoupdate_proto_rawDescData = file_teleport_autoupdate_v1_autoupdate_proto_rawDesc
+	file_teleport_autoupdate_v1_autoupdate_proto_rawDescData []byte
 )
 
 func file_teleport_autoupdate_v1_autoupdate_proto_rawDescGZIP() []byte {
 	file_teleport_autoupdate_v1_autoupdate_proto_rawDescOnce.Do(func() {
-		file_teleport_autoupdate_v1_autoupdate_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_autoupdate_v1_autoupdate_proto_rawDescData)
+		file_teleport_autoupdate_v1_autoupdate_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_autoupdate_v1_autoupdate_proto_rawDesc), len(file_teleport_autoupdate_v1_autoupdate_proto_rawDesc)))
 	})
 	return file_teleport_autoupdate_v1_autoupdate_proto_rawDescData
 }
@@ -1491,7 +1492,7 @@ func file_teleport_autoupdate_v1_autoupdate_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_autoupdate_v1_autoupdate_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_autoupdate_v1_autoupdate_proto_rawDesc), len(file_teleport_autoupdate_v1_autoupdate_proto_rawDesc)),
 			NumEnums:      2,
 			NumMessages:   14,
 			NumExtensions: 0,
@@ -1503,7 +1504,6 @@ func file_teleport_autoupdate_v1_autoupdate_proto_init() {
 		MessageInfos:      file_teleport_autoupdate_v1_autoupdate_proto_msgTypes,
 	}.Build()
 	File_teleport_autoupdate_v1_autoupdate_proto = out.File
-	file_teleport_autoupdate_v1_autoupdate_proto_rawDesc = nil
 	file_teleport_autoupdate_v1_autoupdate_proto_goTypes = nil
 	file_teleport_autoupdate_v1_autoupdate_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/autoupdate/v1/autoupdate_service.pb.go b/api/gen/proto/go/teleport/autoupdate/v1/autoupdate_service.pb.go
index 1fb0caa9925b8..43656e08dc1f1 100644
--- a/api/gen/proto/go/teleport/autoupdate/v1/autoupdate_service.pb.go
+++ b/api/gen/proto/go/teleport/autoupdate/v1/autoupdate_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/autoupdate/v1/autoupdate_service.proto
 
@@ -26,6 +26,7 @@ import (
 	emptypb "google.golang.org/protobuf/types/known/emptypb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -664,7 +665,7 @@ func (*DeleteAutoUpdateAgentRolloutRequest) Descriptor() ([]byte, []int) {
 
 var File_teleport_autoupdate_v1_autoupdate_service_proto protoreflect.FileDescriptor
 
-var file_teleport_autoupdate_v1_autoupdate_service_proto_rawDesc = []byte{
+var file_teleport_autoupdate_v1_autoupdate_service_proto_rawDesc = string([]byte{
 	0x0a, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x75, 0x74, 0x6f, 0x75,
 	0x70, 0x64, 0x61, 0x74, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x75, 0x74, 0x6f, 0x75, 0x70, 0x64,
 	0x61, 0x74, 0x65, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
@@ -871,16 +872,16 @@ var file_teleport_autoupdate_v1_autoupdate_service_proto_rawDesc = []byte{
 	0x6f, 0x72, 0x74, 0x2f, 0x61, 0x75, 0x74, 0x6f, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x2f, 0x76,
 	0x31, 0x3b, 0x61, 0x75, 0x74, 0x6f, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x62, 0x06, 0x70, 0x72,
 	0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_autoupdate_v1_autoupdate_service_proto_rawDescOnce sync.Once
-	file_teleport_autoupdate_v1_autoupdate_service_proto_rawDescData = file_teleport_autoupdate_v1_autoupdate_service_proto_rawDesc
+	file_teleport_autoupdate_v1_autoupdate_service_proto_rawDescData []byte
 )
 
 func file_teleport_autoupdate_v1_autoupdate_service_proto_rawDescGZIP() []byte {
 	file_teleport_autoupdate_v1_autoupdate_service_proto_rawDescOnce.Do(func() {
-		file_teleport_autoupdate_v1_autoupdate_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_autoupdate_v1_autoupdate_service_proto_rawDescData)
+		file_teleport_autoupdate_v1_autoupdate_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_autoupdate_v1_autoupdate_service_proto_rawDesc), len(file_teleport_autoupdate_v1_autoupdate_service_proto_rawDesc)))
 	})
 	return file_teleport_autoupdate_v1_autoupdate_service_proto_rawDescData
 }
@@ -964,7 +965,7 @@ func file_teleport_autoupdate_v1_autoupdate_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_autoupdate_v1_autoupdate_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_autoupdate_v1_autoupdate_service_proto_rawDesc), len(file_teleport_autoupdate_v1_autoupdate_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   15,
 			NumExtensions: 0,
@@ -975,7 +976,6 @@ func file_teleport_autoupdate_v1_autoupdate_service_proto_init() {
 		MessageInfos:      file_teleport_autoupdate_v1_autoupdate_service_proto_msgTypes,
 	}.Build()
 	File_teleport_autoupdate_v1_autoupdate_service_proto = out.File
-	file_teleport_autoupdate_v1_autoupdate_service_proto_rawDesc = nil
 	file_teleport_autoupdate_v1_autoupdate_service_proto_goTypes = nil
 	file_teleport_autoupdate_v1_autoupdate_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/clusterconfig/v1/access_graph.pb.go b/api/gen/proto/go/teleport/clusterconfig/v1/access_graph.pb.go
index d4d80f6f19fc2..f9428ac810264 100644
--- a/api/gen/proto/go/teleport/clusterconfig/v1/access_graph.pb.go
+++ b/api/gen/proto/go/teleport/clusterconfig/v1/access_graph.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/clusterconfig/v1/access_graph.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -166,7 +167,7 @@ func (x *AccessGraphSecretsScanConfiguration) GetSshScanEnabled() bool {
 
 var File_teleport_clusterconfig_v1_access_graph_proto protoreflect.FileDescriptor
 
-var file_teleport_clusterconfig_v1_access_graph_proto_rawDesc = []byte{
+var file_teleport_clusterconfig_v1_access_graph_proto_rawDesc = string([]byte{
 	0x0a, 0x2c, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x63, 0x6c, 0x75, 0x73, 0x74,
 	0x65, 0x72, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x63, 0x63, 0x65,
 	0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x19,
@@ -198,16 +199,16 @@ var file_teleport_clusterconfig_v1_access_graph_proto_rawDesc = []byte{
 	0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x76, 0x31,
 	0x3b, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x76, 0x31,
 	0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_clusterconfig_v1_access_graph_proto_rawDescOnce sync.Once
-	file_teleport_clusterconfig_v1_access_graph_proto_rawDescData = file_teleport_clusterconfig_v1_access_graph_proto_rawDesc
+	file_teleport_clusterconfig_v1_access_graph_proto_rawDescData []byte
 )
 
 func file_teleport_clusterconfig_v1_access_graph_proto_rawDescGZIP() []byte {
 	file_teleport_clusterconfig_v1_access_graph_proto_rawDescOnce.Do(func() {
-		file_teleport_clusterconfig_v1_access_graph_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_clusterconfig_v1_access_graph_proto_rawDescData)
+		file_teleport_clusterconfig_v1_access_graph_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_clusterconfig_v1_access_graph_proto_rawDesc), len(file_teleport_clusterconfig_v1_access_graph_proto_rawDesc)))
 	})
 	return file_teleport_clusterconfig_v1_access_graph_proto_rawDescData
 }
@@ -235,7 +236,7 @@ func file_teleport_clusterconfig_v1_access_graph_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_clusterconfig_v1_access_graph_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_clusterconfig_v1_access_graph_proto_rawDesc), len(file_teleport_clusterconfig_v1_access_graph_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   2,
 			NumExtensions: 0,
@@ -246,7 +247,6 @@ func file_teleport_clusterconfig_v1_access_graph_proto_init() {
 		MessageInfos:      file_teleport_clusterconfig_v1_access_graph_proto_msgTypes,
 	}.Build()
 	File_teleport_clusterconfig_v1_access_graph_proto = out.File
-	file_teleport_clusterconfig_v1_access_graph_proto_rawDesc = nil
 	file_teleport_clusterconfig_v1_access_graph_proto_goTypes = nil
 	file_teleport_clusterconfig_v1_access_graph_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/clusterconfig/v1/access_graph_settings.pb.go b/api/gen/proto/go/teleport/clusterconfig/v1/access_graph_settings.pb.go
index 28462db836fe3..6543e8152dc47 100644
--- a/api/gen/proto/go/teleport/clusterconfig/v1/access_graph_settings.pb.go
+++ b/api/gen/proto/go/teleport/clusterconfig/v1/access_graph_settings.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/clusterconfig/v1/access_graph_settings.proto
 
@@ -26,6 +26,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -218,7 +219,7 @@ func (x *AccessGraphSettingsSpec) GetSecretsScanConfig() AccessGraphSecretsScanC
 
 var File_teleport_clusterconfig_v1_access_graph_settings_proto protoreflect.FileDescriptor
 
-var file_teleport_clusterconfig_v1_access_graph_settings_proto_rawDesc = []byte{
+var file_teleport_clusterconfig_v1_access_graph_settings_proto_rawDesc = string([]byte{
 	0x0a, 0x35, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x63, 0x6c, 0x75, 0x73, 0x74,
 	0x65, 0x72, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x63, 0x63, 0x65,
 	0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x5f, 0x73, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67,
@@ -267,16 +268,16 @@ var file_teleport_clusterconfig_v1_access_graph_settings_proto_rawDesc = []byte{
 	0x73, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x76, 0x31, 0x3b, 0x63, 0x6c,
 	0x75, 0x73, 0x74, 0x65, 0x72, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x76, 0x31, 0x62, 0x06, 0x70,
 	0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_clusterconfig_v1_access_graph_settings_proto_rawDescOnce sync.Once
-	file_teleport_clusterconfig_v1_access_graph_settings_proto_rawDescData = file_teleport_clusterconfig_v1_access_graph_settings_proto_rawDesc
+	file_teleport_clusterconfig_v1_access_graph_settings_proto_rawDescData []byte
 )
 
 func file_teleport_clusterconfig_v1_access_graph_settings_proto_rawDescGZIP() []byte {
 	file_teleport_clusterconfig_v1_access_graph_settings_proto_rawDescOnce.Do(func() {
-		file_teleport_clusterconfig_v1_access_graph_settings_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_clusterconfig_v1_access_graph_settings_proto_rawDescData)
+		file_teleport_clusterconfig_v1_access_graph_settings_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_clusterconfig_v1_access_graph_settings_proto_rawDesc), len(file_teleport_clusterconfig_v1_access_graph_settings_proto_rawDesc)))
 	})
 	return file_teleport_clusterconfig_v1_access_graph_settings_proto_rawDescData
 }
@@ -309,7 +310,7 @@ func file_teleport_clusterconfig_v1_access_graph_settings_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_clusterconfig_v1_access_graph_settings_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_clusterconfig_v1_access_graph_settings_proto_rawDesc), len(file_teleport_clusterconfig_v1_access_graph_settings_proto_rawDesc)),
 			NumEnums:      1,
 			NumMessages:   2,
 			NumExtensions: 0,
@@ -321,7 +322,6 @@ func file_teleport_clusterconfig_v1_access_graph_settings_proto_init() {
 		MessageInfos:      file_teleport_clusterconfig_v1_access_graph_settings_proto_msgTypes,
 	}.Build()
 	File_teleport_clusterconfig_v1_access_graph_settings_proto = out.File
-	file_teleport_clusterconfig_v1_access_graph_settings_proto_rawDesc = nil
 	file_teleport_clusterconfig_v1_access_graph_settings_proto_goTypes = nil
 	file_teleport_clusterconfig_v1_access_graph_settings_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/clusterconfig/v1/clusterconfig_service.pb.go b/api/gen/proto/go/teleport/clusterconfig/v1/clusterconfig_service.pb.go
index a8f35c3229907..62af8ed67addf 100644
--- a/api/gen/proto/go/teleport/clusterconfig/v1/clusterconfig_service.pb.go
+++ b/api/gen/proto/go/teleport/clusterconfig/v1/clusterconfig_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/clusterconfig/v1/clusterconfig_service.proto
 
@@ -26,6 +26,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -858,7 +859,7 @@ func (*ResetAccessGraphSettingsRequest) Descriptor() ([]byte, []int) {
 
 var File_teleport_clusterconfig_v1_clusterconfig_service_proto protoreflect.FileDescriptor
 
-var file_teleport_clusterconfig_v1_clusterconfig_service_proto_rawDesc = []byte{
+var file_teleport_clusterconfig_v1_clusterconfig_service_proto_rawDesc = string([]byte{
 	0x0a, 0x35, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x63, 0x6c, 0x75, 0x73, 0x74,
 	0x65, 0x72, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x76, 0x31, 0x2f, 0x63, 0x6c, 0x75, 0x73,
 	0x74, 0x65, 0x72, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63,
@@ -1130,16 +1131,16 @@ var file_teleport_clusterconfig_v1_clusterconfig_service_proto_rawDesc = []byte{
 	0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x63,
 	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x76, 0x31, 0x3b, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72,
 	0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_clusterconfig_v1_clusterconfig_service_proto_rawDescOnce sync.Once
-	file_teleport_clusterconfig_v1_clusterconfig_service_proto_rawDescData = file_teleport_clusterconfig_v1_clusterconfig_service_proto_rawDesc
+	file_teleport_clusterconfig_v1_clusterconfig_service_proto_rawDescData []byte
 )
 
 func file_teleport_clusterconfig_v1_clusterconfig_service_proto_rawDescGZIP() []byte {
 	file_teleport_clusterconfig_v1_clusterconfig_service_proto_rawDescOnce.Do(func() {
-		file_teleport_clusterconfig_v1_clusterconfig_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_clusterconfig_v1_clusterconfig_service_proto_rawDescData)
+		file_teleport_clusterconfig_v1_clusterconfig_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_clusterconfig_v1_clusterconfig_service_proto_rawDesc), len(file_teleport_clusterconfig_v1_clusterconfig_service_proto_rawDesc)))
 	})
 	return file_teleport_clusterconfig_v1_clusterconfig_service_proto_rawDescData
 }
@@ -1240,7 +1241,7 @@ func file_teleport_clusterconfig_v1_clusterconfig_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_clusterconfig_v1_clusterconfig_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_clusterconfig_v1_clusterconfig_service_proto_rawDesc), len(file_teleport_clusterconfig_v1_clusterconfig_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   20,
 			NumExtensions: 0,
@@ -1251,7 +1252,6 @@ func file_teleport_clusterconfig_v1_clusterconfig_service_proto_init() {
 		MessageInfos:      file_teleport_clusterconfig_v1_clusterconfig_service_proto_msgTypes,
 	}.Build()
 	File_teleport_clusterconfig_v1_clusterconfig_service_proto = out.File
-	file_teleport_clusterconfig_v1_clusterconfig_service_proto_rawDesc = nil
 	file_teleport_clusterconfig_v1_clusterconfig_service_proto_goTypes = nil
 	file_teleport_clusterconfig_v1_clusterconfig_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/crownjewel/v1/crownjewel.pb.go b/api/gen/proto/go/teleport/crownjewel/v1/crownjewel.pb.go
index 97d6ffae306fa..039b7b5626ded 100644
--- a/api/gen/proto/go/teleport/crownjewel/v1/crownjewel.pb.go
+++ b/api/gen/proto/go/teleport/crownjewel/v1/crownjewel.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/crownjewel/v1/crownjewel.proto
 
@@ -28,6 +28,7 @@ import (
 	wrapperspb "google.golang.org/protobuf/types/known/wrapperspb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -387,7 +388,7 @@ func (x *AWSTag) GetValues() []*wrapperspb.StringValue {
 
 var File_teleport_crownjewel_v1_crownjewel_proto protoreflect.FileDescriptor
 
-var file_teleport_crownjewel_v1_crownjewel_proto_rawDesc = []byte{
+var file_teleport_crownjewel_v1_crownjewel_proto_rawDesc = string([]byte{
 	0x0a, 0x27, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x63, 0x72, 0x6f, 0x77, 0x6e,
 	0x6a, 0x65, 0x77, 0x65, 0x6c, 0x2f, 0x76, 0x31, 0x2f, 0x63, 0x72, 0x6f, 0x77, 0x6e, 0x6a, 0x65,
 	0x77, 0x65, 0x6c, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x16, 0x74, 0x65, 0x6c, 0x65, 0x70,
@@ -452,16 +453,16 @@ var file_teleport_crownjewel_v1_crownjewel_proto_rawDesc = []byte{
 	0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x63, 0x72, 0x6f, 0x77, 0x6e, 0x6a, 0x65, 0x77,
 	0x65, 0x6c, 0x2f, 0x76, 0x31, 0x3b, 0x63, 0x72, 0x6f, 0x77, 0x6e, 0x6a, 0x65, 0x77, 0x65, 0x6c,
 	0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_crownjewel_v1_crownjewel_proto_rawDescOnce sync.Once
-	file_teleport_crownjewel_v1_crownjewel_proto_rawDescData = file_teleport_crownjewel_v1_crownjewel_proto_rawDesc
+	file_teleport_crownjewel_v1_crownjewel_proto_rawDescData []byte
 )
 
 func file_teleport_crownjewel_v1_crownjewel_proto_rawDescGZIP() []byte {
 	file_teleport_crownjewel_v1_crownjewel_proto_rawDescOnce.Do(func() {
-		file_teleport_crownjewel_v1_crownjewel_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_crownjewel_v1_crownjewel_proto_rawDescData)
+		file_teleport_crownjewel_v1_crownjewel_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_crownjewel_v1_crownjewel_proto_rawDesc), len(file_teleport_crownjewel_v1_crownjewel_proto_rawDesc)))
 	})
 	return file_teleport_crownjewel_v1_crownjewel_proto_rawDescData
 }
@@ -501,7 +502,7 @@ func file_teleport_crownjewel_v1_crownjewel_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_crownjewel_v1_crownjewel_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_crownjewel_v1_crownjewel_proto_rawDesc), len(file_teleport_crownjewel_v1_crownjewel_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   5,
 			NumExtensions: 0,
@@ -512,7 +513,6 @@ func file_teleport_crownjewel_v1_crownjewel_proto_init() {
 		MessageInfos:      file_teleport_crownjewel_v1_crownjewel_proto_msgTypes,
 	}.Build()
 	File_teleport_crownjewel_v1_crownjewel_proto = out.File
-	file_teleport_crownjewel_v1_crownjewel_proto_rawDesc = nil
 	file_teleport_crownjewel_v1_crownjewel_proto_goTypes = nil
 	file_teleport_crownjewel_v1_crownjewel_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/crownjewel/v1/crownjewel_service.pb.go b/api/gen/proto/go/teleport/crownjewel/v1/crownjewel_service.pb.go
index 49cdf44e89322..8e207a8173ced 100644
--- a/api/gen/proto/go/teleport/crownjewel/v1/crownjewel_service.pb.go
+++ b/api/gen/proto/go/teleport/crownjewel/v1/crownjewel_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/crownjewel/v1/crownjewel_service.proto
 
@@ -26,6 +26,7 @@ import (
 	emptypb "google.golang.org/protobuf/types/known/emptypb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -375,7 +376,7 @@ func (x *DeleteCrownJewelRequest) GetName() string {
 
 var File_teleport_crownjewel_v1_crownjewel_service_proto protoreflect.FileDescriptor
 
-var file_teleport_crownjewel_v1_crownjewel_service_proto_rawDesc = []byte{
+var file_teleport_crownjewel_v1_crownjewel_service_proto_rawDesc = string([]byte{
 	0x0a, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x63, 0x72, 0x6f, 0x77, 0x6e,
 	0x6a, 0x65, 0x77, 0x65, 0x6c, 0x2f, 0x76, 0x31, 0x2f, 0x63, 0x72, 0x6f, 0x77, 0x6e, 0x6a, 0x65,
 	0x77, 0x65, 0x6c, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
@@ -473,16 +474,16 @@ var file_teleport_crownjewel_v1_crownjewel_service_proto_rawDesc = []byte{
 	0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x63, 0x72, 0x6f, 0x77,
 	0x6e, 0x6a, 0x65, 0x77, 0x65, 0x6c, 0x2f, 0x76, 0x31, 0x3b, 0x63, 0x72, 0x6f, 0x77, 0x6e, 0x6a,
 	0x65, 0x77, 0x65, 0x6c, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_crownjewel_v1_crownjewel_service_proto_rawDescOnce sync.Once
-	file_teleport_crownjewel_v1_crownjewel_service_proto_rawDescData = file_teleport_crownjewel_v1_crownjewel_service_proto_rawDesc
+	file_teleport_crownjewel_v1_crownjewel_service_proto_rawDescData []byte
 )
 
 func file_teleport_crownjewel_v1_crownjewel_service_proto_rawDescGZIP() []byte {
 	file_teleport_crownjewel_v1_crownjewel_service_proto_rawDescOnce.Do(func() {
-		file_teleport_crownjewel_v1_crownjewel_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_crownjewel_v1_crownjewel_service_proto_rawDescData)
+		file_teleport_crownjewel_v1_crownjewel_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_crownjewel_v1_crownjewel_service_proto_rawDesc), len(file_teleport_crownjewel_v1_crownjewel_service_proto_rawDesc)))
 	})
 	return file_teleport_crownjewel_v1_crownjewel_service_proto_rawDescData
 }
@@ -533,7 +534,7 @@ func file_teleport_crownjewel_v1_crownjewel_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_crownjewel_v1_crownjewel_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_crownjewel_v1_crownjewel_service_proto_rawDesc), len(file_teleport_crownjewel_v1_crownjewel_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   7,
 			NumExtensions: 0,
@@ -544,7 +545,6 @@ func file_teleport_crownjewel_v1_crownjewel_service_proto_init() {
 		MessageInfos:      file_teleport_crownjewel_v1_crownjewel_service_proto_msgTypes,
 	}.Build()
 	File_teleport_crownjewel_v1_crownjewel_service_proto = out.File
-	file_teleport_crownjewel_v1_crownjewel_service_proto_rawDesc = nil
 	file_teleport_crownjewel_v1_crownjewel_service_proto_goTypes = nil
 	file_teleport_crownjewel_v1_crownjewel_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/dbobject/v1/dbobject.pb.go b/api/gen/proto/go/teleport/dbobject/v1/dbobject.pb.go
index 52bfb23733a00..ea024e94b0986 100644
--- a/api/gen/proto/go/teleport/dbobject/v1/dbobject.pb.go
+++ b/api/gen/proto/go/teleport/dbobject/v1/dbobject.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/dbobject/v1/dbobject.proto
 
@@ -26,6 +26,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -212,7 +213,7 @@ func (x *DatabaseObjectSpec) GetName() string {
 
 var File_teleport_dbobject_v1_dbobject_proto protoreflect.FileDescriptor
 
-var file_teleport_dbobject_v1_dbobject_proto_rawDesc = []byte{
+var file_teleport_dbobject_v1_dbobject_proto_rawDesc = string([]byte{
 	0x0a, 0x23, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x62, 0x6f, 0x62, 0x6a,
 	0x65, 0x63, 0x74, 0x2f, 0x76, 0x31, 0x2f, 0x64, 0x62, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x2e,
 	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x14, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e,
@@ -251,16 +252,16 @@ var file_teleport_dbobject_v1_dbobject_proto_rawDesc = []byte{
 	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72,
 	0x74, 0x2f, 0x64, 0x62, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x2f, 0x76, 0x31, 0x3b, 0x64, 0x62,
 	0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_dbobject_v1_dbobject_proto_rawDescOnce sync.Once
-	file_teleport_dbobject_v1_dbobject_proto_rawDescData = file_teleport_dbobject_v1_dbobject_proto_rawDesc
+	file_teleport_dbobject_v1_dbobject_proto_rawDescData []byte
 )
 
 func file_teleport_dbobject_v1_dbobject_proto_rawDescGZIP() []byte {
 	file_teleport_dbobject_v1_dbobject_proto_rawDescOnce.Do(func() {
-		file_teleport_dbobject_v1_dbobject_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_dbobject_v1_dbobject_proto_rawDescData)
+		file_teleport_dbobject_v1_dbobject_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_dbobject_v1_dbobject_proto_rawDesc), len(file_teleport_dbobject_v1_dbobject_proto_rawDesc)))
 	})
 	return file_teleport_dbobject_v1_dbobject_proto_rawDescData
 }
@@ -290,7 +291,7 @@ func file_teleport_dbobject_v1_dbobject_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_dbobject_v1_dbobject_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_dbobject_v1_dbobject_proto_rawDesc), len(file_teleport_dbobject_v1_dbobject_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   2,
 			NumExtensions: 0,
@@ -301,7 +302,6 @@ func file_teleport_dbobject_v1_dbobject_proto_init() {
 		MessageInfos:      file_teleport_dbobject_v1_dbobject_proto_msgTypes,
 	}.Build()
 	File_teleport_dbobject_v1_dbobject_proto = out.File
-	file_teleport_dbobject_v1_dbobject_proto_rawDesc = nil
 	file_teleport_dbobject_v1_dbobject_proto_goTypes = nil
 	file_teleport_dbobject_v1_dbobject_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/dbobject/v1/dbobject_service.pb.go b/api/gen/proto/go/teleport/dbobject/v1/dbobject_service.pb.go
index 81dde7ec65a73..79226328b299c 100644
--- a/api/gen/proto/go/teleport/dbobject/v1/dbobject_service.pb.go
+++ b/api/gen/proto/go/teleport/dbobject/v1/dbobject_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/dbobject/v1/dbobject_service.proto
 
@@ -26,6 +26,7 @@ import (
 	emptypb "google.golang.org/protobuf/types/known/emptypb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -379,7 +380,7 @@ func (x *DeleteDatabaseObjectRequest) GetName() string {
 
 var File_teleport_dbobject_v1_dbobject_service_proto protoreflect.FileDescriptor
 
-var file_teleport_dbobject_v1_dbobject_service_proto_rawDesc = []byte{
+var file_teleport_dbobject_v1_dbobject_service_proto_rawDesc = string([]byte{
 	0x0a, 0x2b, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x62, 0x6f, 0x62, 0x6a,
 	0x65, 0x63, 0x74, 0x2f, 0x76, 0x31, 0x2f, 0x64, 0x62, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f,
 	0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x14, 0x74,
@@ -476,16 +477,16 @@ var file_teleport_dbobject_v1_dbobject_service_proto_rawDesc = []byte{
 	0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x62, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74,
 	0x2f, 0x76, 0x31, 0x3b, 0x64, 0x62, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x76, 0x31, 0x62, 0x06,
 	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_dbobject_v1_dbobject_service_proto_rawDescOnce sync.Once
-	file_teleport_dbobject_v1_dbobject_service_proto_rawDescData = file_teleport_dbobject_v1_dbobject_service_proto_rawDesc
+	file_teleport_dbobject_v1_dbobject_service_proto_rawDescData []byte
 )
 
 func file_teleport_dbobject_v1_dbobject_service_proto_rawDescGZIP() []byte {
 	file_teleport_dbobject_v1_dbobject_service_proto_rawDescOnce.Do(func() {
-		file_teleport_dbobject_v1_dbobject_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_dbobject_v1_dbobject_service_proto_rawDescData)
+		file_teleport_dbobject_v1_dbobject_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_dbobject_v1_dbobject_service_proto_rawDesc), len(file_teleport_dbobject_v1_dbobject_service_proto_rawDesc)))
 	})
 	return file_teleport_dbobject_v1_dbobject_service_proto_rawDescData
 }
@@ -536,7 +537,7 @@ func file_teleport_dbobject_v1_dbobject_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_dbobject_v1_dbobject_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_dbobject_v1_dbobject_service_proto_rawDesc), len(file_teleport_dbobject_v1_dbobject_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   7,
 			NumExtensions: 0,
@@ -547,7 +548,6 @@ func file_teleport_dbobject_v1_dbobject_service_proto_init() {
 		MessageInfos:      file_teleport_dbobject_v1_dbobject_service_proto_msgTypes,
 	}.Build()
 	File_teleport_dbobject_v1_dbobject_service_proto = out.File
-	file_teleport_dbobject_v1_dbobject_service_proto_rawDesc = nil
 	file_teleport_dbobject_v1_dbobject_service_proto_goTypes = nil
 	file_teleport_dbobject_v1_dbobject_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/dbobjectimportrule/v1/dbobjectimportrule.pb.go b/api/gen/proto/go/teleport/dbobjectimportrule/v1/dbobjectimportrule.pb.go
index 126def1023797..0c1b3cf5f8a88 100644
--- a/api/gen/proto/go/teleport/dbobjectimportrule/v1/dbobjectimportrule.pb.go
+++ b/api/gen/proto/go/teleport/dbobjectimportrule/v1/dbobjectimportrule.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/dbobjectimportrule/v1/dbobjectimportrule.proto
 
@@ -27,6 +27,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -373,7 +374,7 @@ func (x *DatabaseObjectImportScope) GetSchemaNames() []string {
 
 var File_teleport_dbobjectimportrule_v1_dbobjectimportrule_proto protoreflect.FileDescriptor
 
-var file_teleport_dbobjectimportrule_v1_dbobjectimportrule_proto_rawDesc = []byte{
+var file_teleport_dbobjectimportrule_v1_dbobjectimportrule_proto_rawDesc = string([]byte{
 	0x0a, 0x37, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x62, 0x6f, 0x62, 0x6a,
 	0x65, 0x63, 0x74, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x72, 0x75, 0x6c, 0x65, 0x2f, 0x76, 0x31,
 	0x2f, 0x64, 0x62, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x72,
@@ -459,16 +460,16 @@ var file_teleport_dbobjectimportrule_v1_dbobjectimportrule_proto_rawDesc = []byt
 	0x6a, 0x65, 0x63, 0x74, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x72, 0x75, 0x6c, 0x65, 0x2f, 0x76,
 	0x31, 0x3b, 0x64, 0x62, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74,
 	0x72, 0x75, 0x6c, 0x65, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_dbobjectimportrule_v1_dbobjectimportrule_proto_rawDescOnce sync.Once
-	file_teleport_dbobjectimportrule_v1_dbobjectimportrule_proto_rawDescData = file_teleport_dbobjectimportrule_v1_dbobjectimportrule_proto_rawDesc
+	file_teleport_dbobjectimportrule_v1_dbobjectimportrule_proto_rawDescData []byte
 )
 
 func file_teleport_dbobjectimportrule_v1_dbobjectimportrule_proto_rawDescGZIP() []byte {
 	file_teleport_dbobjectimportrule_v1_dbobjectimportrule_proto_rawDescOnce.Do(func() {
-		file_teleport_dbobjectimportrule_v1_dbobjectimportrule_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_dbobjectimportrule_v1_dbobjectimportrule_proto_rawDescData)
+		file_teleport_dbobjectimportrule_v1_dbobjectimportrule_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_dbobjectimportrule_v1_dbobjectimportrule_proto_rawDesc), len(file_teleport_dbobjectimportrule_v1_dbobjectimportrule_proto_rawDesc)))
 	})
 	return file_teleport_dbobjectimportrule_v1_dbobjectimportrule_proto_rawDescData
 }
@@ -508,7 +509,7 @@ func file_teleport_dbobjectimportrule_v1_dbobjectimportrule_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_dbobjectimportrule_v1_dbobjectimportrule_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_dbobjectimportrule_v1_dbobjectimportrule_proto_rawDesc), len(file_teleport_dbobjectimportrule_v1_dbobjectimportrule_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   6,
 			NumExtensions: 0,
@@ -519,7 +520,6 @@ func file_teleport_dbobjectimportrule_v1_dbobjectimportrule_proto_init() {
 		MessageInfos:      file_teleport_dbobjectimportrule_v1_dbobjectimportrule_proto_msgTypes,
 	}.Build()
 	File_teleport_dbobjectimportrule_v1_dbobjectimportrule_proto = out.File
-	file_teleport_dbobjectimportrule_v1_dbobjectimportrule_proto_rawDesc = nil
 	file_teleport_dbobjectimportrule_v1_dbobjectimportrule_proto_goTypes = nil
 	file_teleport_dbobjectimportrule_v1_dbobjectimportrule_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/dbobjectimportrule/v1/dbobjectimportrule_service.pb.go b/api/gen/proto/go/teleport/dbobjectimportrule/v1/dbobjectimportrule_service.pb.go
index c051cb201a62f..382c579c67325 100644
--- a/api/gen/proto/go/teleport/dbobjectimportrule/v1/dbobjectimportrule_service.pb.go
+++ b/api/gen/proto/go/teleport/dbobjectimportrule/v1/dbobjectimportrule_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/dbobjectimportrule/v1/dbobjectimportrule_service.proto
 
@@ -26,6 +26,7 @@ import (
 	emptypb "google.golang.org/protobuf/types/known/emptypb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -379,7 +380,7 @@ func (x *DeleteDatabaseObjectImportRuleRequest) GetName() string {
 
 var File_teleport_dbobjectimportrule_v1_dbobjectimportrule_service_proto protoreflect.FileDescriptor
 
-var file_teleport_dbobjectimportrule_v1_dbobjectimportrule_service_proto_rawDesc = []byte{
+var file_teleport_dbobjectimportrule_v1_dbobjectimportrule_service_proto_rawDesc = string([]byte{
 	0x0a, 0x3f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x62, 0x6f, 0x62, 0x6a,
 	0x65, 0x63, 0x74, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x72, 0x75, 0x6c, 0x65, 0x2f, 0x76, 0x31,
 	0x2f, 0x64, 0x62, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x72,
@@ -507,16 +508,16 @@ var file_teleport_dbobjectimportrule_v1_dbobjectimportrule_service_proto_rawDesc
 	0x6d, 0x70, 0x6f, 0x72, 0x74, 0x72, 0x75, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x3b, 0x64, 0x62, 0x6f,
 	0x62, 0x6a, 0x65, 0x63, 0x74, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x72, 0x75, 0x6c, 0x65, 0x76,
 	0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_dbobjectimportrule_v1_dbobjectimportrule_service_proto_rawDescOnce sync.Once
-	file_teleport_dbobjectimportrule_v1_dbobjectimportrule_service_proto_rawDescData = file_teleport_dbobjectimportrule_v1_dbobjectimportrule_service_proto_rawDesc
+	file_teleport_dbobjectimportrule_v1_dbobjectimportrule_service_proto_rawDescData []byte
 )
 
 func file_teleport_dbobjectimportrule_v1_dbobjectimportrule_service_proto_rawDescGZIP() []byte {
 	file_teleport_dbobjectimportrule_v1_dbobjectimportrule_service_proto_rawDescOnce.Do(func() {
-		file_teleport_dbobjectimportrule_v1_dbobjectimportrule_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_dbobjectimportrule_v1_dbobjectimportrule_service_proto_rawDescData)
+		file_teleport_dbobjectimportrule_v1_dbobjectimportrule_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_dbobjectimportrule_v1_dbobjectimportrule_service_proto_rawDesc), len(file_teleport_dbobjectimportrule_v1_dbobjectimportrule_service_proto_rawDesc)))
 	})
 	return file_teleport_dbobjectimportrule_v1_dbobjectimportrule_service_proto_rawDescData
 }
@@ -567,7 +568,7 @@ func file_teleport_dbobjectimportrule_v1_dbobjectimportrule_service_proto_init()
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_dbobjectimportrule_v1_dbobjectimportrule_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_dbobjectimportrule_v1_dbobjectimportrule_service_proto_rawDesc), len(file_teleport_dbobjectimportrule_v1_dbobjectimportrule_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   7,
 			NumExtensions: 0,
@@ -578,7 +579,6 @@ func file_teleport_dbobjectimportrule_v1_dbobjectimportrule_service_proto_init()
 		MessageInfos:      file_teleport_dbobjectimportrule_v1_dbobjectimportrule_service_proto_msgTypes,
 	}.Build()
 	File_teleport_dbobjectimportrule_v1_dbobjectimportrule_service_proto = out.File
-	file_teleport_dbobjectimportrule_v1_dbobjectimportrule_service_proto_rawDesc = nil
 	file_teleport_dbobjectimportrule_v1_dbobjectimportrule_service_proto_goTypes = nil
 	file_teleport_dbobjectimportrule_v1_dbobjectimportrule_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/database_access.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/database_access.pb.go
index 8b663705a474b..ed43441c299e1 100644
--- a/api/gen/proto/go/teleport/decision/v1alpha1/database_access.pb.go
+++ b/api/gen/proto/go/teleport/decision/v1alpha1/database_access.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/decision/v1alpha1/database_access.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -273,7 +274,7 @@ func (x *DatabaseAccessDenial) GetMetadata() *DenialMetadata {
 
 var File_teleport_decision_v1alpha1_database_access_proto protoreflect.FileDescriptor
 
-var file_teleport_decision_v1alpha1_database_access_proto_rawDesc = []byte{
+var file_teleport_decision_v1alpha1_database_access_proto_rawDesc = string([]byte{
 	0x0a, 0x30, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73,
 	0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x64, 0x61, 0x74,
 	0x61, 0x62, 0x61, 0x73, 0x65, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2e, 0x70, 0x72, 0x6f,
@@ -341,16 +342,16 @@ var file_teleport_decision_v1alpha1_database_access_proto_rawDesc = []byte{
 	0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x64,
 	0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
 	0x33,
-}
+})
 
 var (
 	file_teleport_decision_v1alpha1_database_access_proto_rawDescOnce sync.Once
-	file_teleport_decision_v1alpha1_database_access_proto_rawDescData = file_teleport_decision_v1alpha1_database_access_proto_rawDesc
+	file_teleport_decision_v1alpha1_database_access_proto_rawDescData []byte
 )
 
 func file_teleport_decision_v1alpha1_database_access_proto_rawDescGZIP() []byte {
 	file_teleport_decision_v1alpha1_database_access_proto_rawDescOnce.Do(func() {
-		file_teleport_decision_v1alpha1_database_access_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_decision_v1alpha1_database_access_proto_rawDescData)
+		file_teleport_decision_v1alpha1_database_access_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_decision_v1alpha1_database_access_proto_rawDesc), len(file_teleport_decision_v1alpha1_database_access_proto_rawDesc)))
 	})
 	return file_teleport_decision_v1alpha1_database_access_proto_rawDescData
 }
@@ -400,7 +401,7 @@ func file_teleport_decision_v1alpha1_database_access_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_decision_v1alpha1_database_access_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_decision_v1alpha1_database_access_proto_rawDesc), len(file_teleport_decision_v1alpha1_database_access_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   4,
 			NumExtensions: 0,
@@ -411,7 +412,6 @@ func file_teleport_decision_v1alpha1_database_access_proto_init() {
 		MessageInfos:      file_teleport_decision_v1alpha1_database_access_proto_msgTypes,
 	}.Build()
 	File_teleport_decision_v1alpha1_database_access_proto = out.File
-	file_teleport_decision_v1alpha1_database_access_proto_rawDesc = nil
 	file_teleport_decision_v1alpha1_database_access_proto_goTypes = nil
 	file_teleport_decision_v1alpha1_database_access_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/decision_service.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/decision_service.pb.go
index 99ec2d46a9125..2b160d12b0173 100644
--- a/api/gen/proto/go/teleport/decision/v1alpha1/decision_service.pb.go
+++ b/api/gen/proto/go/teleport/decision/v1alpha1/decision_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/decision/v1alpha1/decision_service.proto
 
@@ -24,6 +24,7 @@ import (
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
+	unsafe "unsafe"
 )
 
 const (
@@ -35,7 +36,7 @@ const (
 
 var File_teleport_decision_v1alpha1_decision_service_proto protoreflect.FileDescriptor
 
-var file_teleport_decision_v1alpha1_decision_service_proto_rawDesc = []byte{
+var file_teleport_decision_v1alpha1_decision_service_proto_rawDesc = string([]byte{
 	0x0a, 0x31, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73,
 	0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x64, 0x65, 0x63,
 	0x69, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72,
@@ -72,7 +73,7 @@ var file_teleport_decision_v1alpha1_decision_service_proto_rawDesc = []byte{
 	0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f,
 	0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f,
 	0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var file_teleport_decision_v1alpha1_decision_service_proto_goTypes = []any{
 	(*EvaluateSSHAccessRequest)(nil),       // 0: teleport.decision.v1alpha1.EvaluateSSHAccessRequest
@@ -103,7 +104,7 @@ func file_teleport_decision_v1alpha1_decision_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_decision_v1alpha1_decision_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_decision_v1alpha1_decision_service_proto_rawDesc), len(file_teleport_decision_v1alpha1_decision_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   0,
 			NumExtensions: 0,
@@ -113,7 +114,6 @@ func file_teleport_decision_v1alpha1_decision_service_proto_init() {
 		DependencyIndexes: file_teleport_decision_v1alpha1_decision_service_proto_depIdxs,
 	}.Build()
 	File_teleport_decision_v1alpha1_decision_service_proto = out.File
-	file_teleport_decision_v1alpha1_decision_service_proto_rawDesc = nil
 	file_teleport_decision_v1alpha1_decision_service_proto_goTypes = nil
 	file_teleport_decision_v1alpha1_decision_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/denial_metadata.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/denial_metadata.pb.go
index 9345429cfe270..0de8240870288 100644
--- a/api/gen/proto/go/teleport/decision/v1alpha1/denial_metadata.pb.go
+++ b/api/gen/proto/go/teleport/decision/v1alpha1/denial_metadata.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/decision/v1alpha1/denial_metadata.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -105,7 +106,7 @@ func (x *DenialMetadata) GetUserMessage() string {
 
 var File_teleport_decision_v1alpha1_denial_metadata_proto protoreflect.FileDescriptor
 
-var file_teleport_decision_v1alpha1_denial_metadata_proto_rawDesc = []byte{
+var file_teleport_decision_v1alpha1_denial_metadata_proto_rawDesc = string([]byte{
 	0x0a, 0x30, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73,
 	0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x64, 0x65, 0x6e,
 	0x69, 0x61, 0x6c, 0x5f, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x70, 0x72, 0x6f,
@@ -132,16 +133,16 @@ var file_teleport_decision_v1alpha1_denial_metadata_proto_rawDesc = []byte{
 	0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69,
 	0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x64, 0x65, 0x63, 0x69,
 	0x73, 0x69, 0x6f, 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_decision_v1alpha1_denial_metadata_proto_rawDescOnce sync.Once
-	file_teleport_decision_v1alpha1_denial_metadata_proto_rawDescData = file_teleport_decision_v1alpha1_denial_metadata_proto_rawDesc
+	file_teleport_decision_v1alpha1_denial_metadata_proto_rawDescData []byte
 )
 
 func file_teleport_decision_v1alpha1_denial_metadata_proto_rawDescGZIP() []byte {
 	file_teleport_decision_v1alpha1_denial_metadata_proto_rawDescOnce.Do(func() {
-		file_teleport_decision_v1alpha1_denial_metadata_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_decision_v1alpha1_denial_metadata_proto_rawDescData)
+		file_teleport_decision_v1alpha1_denial_metadata_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_decision_v1alpha1_denial_metadata_proto_rawDesc), len(file_teleport_decision_v1alpha1_denial_metadata_proto_rawDesc)))
 	})
 	return file_teleport_decision_v1alpha1_denial_metadata_proto_rawDescData
 }
@@ -170,7 +171,7 @@ func file_teleport_decision_v1alpha1_denial_metadata_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_decision_v1alpha1_denial_metadata_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_decision_v1alpha1_denial_metadata_proto_rawDesc), len(file_teleport_decision_v1alpha1_denial_metadata_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   1,
 			NumExtensions: 0,
@@ -181,7 +182,6 @@ func file_teleport_decision_v1alpha1_denial_metadata_proto_init() {
 		MessageInfos:      file_teleport_decision_v1alpha1_denial_metadata_proto_msgTypes,
 	}.Build()
 	File_teleport_decision_v1alpha1_denial_metadata_proto = out.File
-	file_teleport_decision_v1alpha1_denial_metadata_proto_rawDesc = nil
 	file_teleport_decision_v1alpha1_denial_metadata_proto_goTypes = nil
 	file_teleport_decision_v1alpha1_denial_metadata_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/enforcement_feature.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/enforcement_feature.pb.go
index 50f600a6b0ac2..05e7e4d1801df 100644
--- a/api/gen/proto/go/teleport/decision/v1alpha1/enforcement_feature.pb.go
+++ b/api/gen/proto/go/teleport/decision/v1alpha1/enforcement_feature.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/decision/v1alpha1/enforcement_feature.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -82,7 +83,7 @@ func (EnforcementFeature) EnumDescriptor() ([]byte, []int) {
 
 var File_teleport_decision_v1alpha1_enforcement_feature_proto protoreflect.FileDescriptor
 
-var file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDesc = []byte{
+var file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDesc = string([]byte{
 	0x0a, 0x34, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73,
 	0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x65, 0x6e, 0x66,
 	0x6f, 0x72, 0x63, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x5f, 0x66, 0x65, 0x61, 0x74, 0x75, 0x72, 0x65,
@@ -99,16 +100,16 @@ var file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDesc = []byte{
 	0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x64,
 	0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
 	0x33,
-}
+})
 
 var (
 	file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDescOnce sync.Once
-	file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDescData = file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDesc
+	file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDescData []byte
 )
 
 func file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDescGZIP() []byte {
 	file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDescOnce.Do(func() {
-		file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDescData)
+		file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDesc), len(file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDesc)))
 	})
 	return file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDescData
 }
@@ -134,7 +135,7 @@ func file_teleport_decision_v1alpha1_enforcement_feature_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDesc), len(file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDesc)),
 			NumEnums:      1,
 			NumMessages:   0,
 			NumExtensions: 0,
@@ -145,7 +146,6 @@ func file_teleport_decision_v1alpha1_enforcement_feature_proto_init() {
 		EnumInfos:         file_teleport_decision_v1alpha1_enforcement_feature_proto_enumTypes,
 	}.Build()
 	File_teleport_decision_v1alpha1_enforcement_feature_proto = out.File
-	file_teleport_decision_v1alpha1_enforcement_feature_proto_rawDesc = nil
 	file_teleport_decision_v1alpha1_enforcement_feature_proto_goTypes = nil
 	file_teleport_decision_v1alpha1_enforcement_feature_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/permit_metadata.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/permit_metadata.pb.go
index 9d572f599a863..8f8c592c8fca7 100644
--- a/api/gen/proto/go/teleport/decision/v1alpha1/permit_metadata.pb.go
+++ b/api/gen/proto/go/teleport/decision/v1alpha1/permit_metadata.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/decision/v1alpha1/permit_metadata.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -95,7 +96,7 @@ func (x *PermitMetadata) GetPdpVersion() string {
 
 var File_teleport_decision_v1alpha1_permit_metadata_proto protoreflect.FileDescriptor
 
-var file_teleport_decision_v1alpha1_permit_metadata_proto_rawDesc = []byte{
+var file_teleport_decision_v1alpha1_permit_metadata_proto_rawDesc = string([]byte{
 	0x0a, 0x30, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73,
 	0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x70, 0x65, 0x72,
 	0x6d, 0x69, 0x74, 0x5f, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x70, 0x72, 0x6f,
@@ -120,16 +121,16 @@ var file_teleport_decision_v1alpha1_permit_metadata_proto_rawDesc = []byte{
 	0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f,
 	0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f,
 	0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_decision_v1alpha1_permit_metadata_proto_rawDescOnce sync.Once
-	file_teleport_decision_v1alpha1_permit_metadata_proto_rawDescData = file_teleport_decision_v1alpha1_permit_metadata_proto_rawDesc
+	file_teleport_decision_v1alpha1_permit_metadata_proto_rawDescData []byte
 )
 
 func file_teleport_decision_v1alpha1_permit_metadata_proto_rawDescGZIP() []byte {
 	file_teleport_decision_v1alpha1_permit_metadata_proto_rawDescOnce.Do(func() {
-		file_teleport_decision_v1alpha1_permit_metadata_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_decision_v1alpha1_permit_metadata_proto_rawDescData)
+		file_teleport_decision_v1alpha1_permit_metadata_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_decision_v1alpha1_permit_metadata_proto_rawDesc), len(file_teleport_decision_v1alpha1_permit_metadata_proto_rawDesc)))
 	})
 	return file_teleport_decision_v1alpha1_permit_metadata_proto_rawDescData
 }
@@ -158,7 +159,7 @@ func file_teleport_decision_v1alpha1_permit_metadata_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_decision_v1alpha1_permit_metadata_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_decision_v1alpha1_permit_metadata_proto_rawDesc), len(file_teleport_decision_v1alpha1_permit_metadata_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   1,
 			NumExtensions: 0,
@@ -169,7 +170,6 @@ func file_teleport_decision_v1alpha1_permit_metadata_proto_init() {
 		MessageInfos:      file_teleport_decision_v1alpha1_permit_metadata_proto_msgTypes,
 	}.Build()
 	File_teleport_decision_v1alpha1_permit_metadata_proto = out.File
-	file_teleport_decision_v1alpha1_permit_metadata_proto_rawDesc = nil
 	file_teleport_decision_v1alpha1_permit_metadata_proto_goTypes = nil
 	file_teleport_decision_v1alpha1_permit_metadata_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/request_metadata.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/request_metadata.pb.go
index f390d5f57b176..35ea8b0b5ebb6 100644
--- a/api/gen/proto/go/teleport/decision/v1alpha1/request_metadata.pb.go
+++ b/api/gen/proto/go/teleport/decision/v1alpha1/request_metadata.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/decision/v1alpha1/request_metadata.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -146,7 +147,7 @@ func (x *RequestMetadata) GetPepVersionHint() string {
 
 var File_teleport_decision_v1alpha1_request_metadata_proto protoreflect.FileDescriptor
 
-var file_teleport_decision_v1alpha1_request_metadata_proto_rawDesc = []byte{
+var file_teleport_decision_v1alpha1_request_metadata_proto_rawDesc = string([]byte{
 	0x0a, 0x31, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73,
 	0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x72, 0x65, 0x71,
 	0x75, 0x65, 0x73, 0x74, 0x5f, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x70, 0x72,
@@ -172,16 +173,16 @@ var file_teleport_decision_v1alpha1_request_metadata_proto_rawDesc = []byte{
 	0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b,
 	0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
 	0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_decision_v1alpha1_request_metadata_proto_rawDescOnce sync.Once
-	file_teleport_decision_v1alpha1_request_metadata_proto_rawDescData = file_teleport_decision_v1alpha1_request_metadata_proto_rawDesc
+	file_teleport_decision_v1alpha1_request_metadata_proto_rawDescData []byte
 )
 
 func file_teleport_decision_v1alpha1_request_metadata_proto_rawDescGZIP() []byte {
 	file_teleport_decision_v1alpha1_request_metadata_proto_rawDescOnce.Do(func() {
-		file_teleport_decision_v1alpha1_request_metadata_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_decision_v1alpha1_request_metadata_proto_rawDescData)
+		file_teleport_decision_v1alpha1_request_metadata_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_decision_v1alpha1_request_metadata_proto_rawDesc), len(file_teleport_decision_v1alpha1_request_metadata_proto_rawDesc)))
 	})
 	return file_teleport_decision_v1alpha1_request_metadata_proto_rawDescData
 }
@@ -210,7 +211,7 @@ func file_teleport_decision_v1alpha1_request_metadata_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_decision_v1alpha1_request_metadata_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_decision_v1alpha1_request_metadata_proto_rawDesc), len(file_teleport_decision_v1alpha1_request_metadata_proto_rawDesc)),
 			NumEnums:      1,
 			NumMessages:   1,
 			NumExtensions: 0,
@@ -222,7 +223,6 @@ func file_teleport_decision_v1alpha1_request_metadata_proto_init() {
 		MessageInfos:      file_teleport_decision_v1alpha1_request_metadata_proto_msgTypes,
 	}.Build()
 	File_teleport_decision_v1alpha1_request_metadata_proto = out.File
-	file_teleport_decision_v1alpha1_request_metadata_proto_rawDesc = nil
 	file_teleport_decision_v1alpha1_request_metadata_proto_goTypes = nil
 	file_teleport_decision_v1alpha1_request_metadata_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/resource.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/resource.pb.go
index 0014edc1866c1..49f2021e49096 100644
--- a/api/gen/proto/go/teleport/decision/v1alpha1/resource.pb.go
+++ b/api/gen/proto/go/teleport/decision/v1alpha1/resource.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/decision/v1alpha1/resource.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -106,7 +107,7 @@ func (x *Resource) GetName() string {
 
 var File_teleport_decision_v1alpha1_resource_proto protoreflect.FileDescriptor
 
-var file_teleport_decision_v1alpha1_resource_proto_rawDesc = []byte{
+var file_teleport_decision_v1alpha1_resource_proto_rawDesc = string([]byte{
 	0x0a, 0x29, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73,
 	0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x72, 0x65, 0x73,
 	0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1a, 0x74, 0x65, 0x6c,
@@ -123,16 +124,16 @@ var file_teleport_decision_v1alpha1_resource_proto_rawDesc = []byte{
 	0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76,
 	0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e,
 	0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_decision_v1alpha1_resource_proto_rawDescOnce sync.Once
-	file_teleport_decision_v1alpha1_resource_proto_rawDescData = file_teleport_decision_v1alpha1_resource_proto_rawDesc
+	file_teleport_decision_v1alpha1_resource_proto_rawDescData []byte
 )
 
 func file_teleport_decision_v1alpha1_resource_proto_rawDescGZIP() []byte {
 	file_teleport_decision_v1alpha1_resource_proto_rawDescOnce.Do(func() {
-		file_teleport_decision_v1alpha1_resource_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_decision_v1alpha1_resource_proto_rawDescData)
+		file_teleport_decision_v1alpha1_resource_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_decision_v1alpha1_resource_proto_rawDesc), len(file_teleport_decision_v1alpha1_resource_proto_rawDesc)))
 	})
 	return file_teleport_decision_v1alpha1_resource_proto_rawDescData
 }
@@ -158,7 +159,7 @@ func file_teleport_decision_v1alpha1_resource_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_decision_v1alpha1_resource_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_decision_v1alpha1_resource_proto_rawDesc), len(file_teleport_decision_v1alpha1_resource_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   1,
 			NumExtensions: 0,
@@ -169,7 +170,6 @@ func file_teleport_decision_v1alpha1_resource_proto_init() {
 		MessageInfos:      file_teleport_decision_v1alpha1_resource_proto_msgTypes,
 	}.Build()
 	File_teleport_decision_v1alpha1_resource_proto = out.File
-	file_teleport_decision_v1alpha1_resource_proto_rawDesc = nil
 	file_teleport_decision_v1alpha1_resource_proto_goTypes = nil
 	file_teleport_decision_v1alpha1_resource_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/ssh_access.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/ssh_access.pb.go
index f9cae3f692650..1a7ad651e8a54 100644
--- a/api/gen/proto/go/teleport/decision/v1alpha1/ssh_access.pb.go
+++ b/api/gen/proto/go/teleport/decision/v1alpha1/ssh_access.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/decision/v1alpha1/ssh_access.proto
 
@@ -26,6 +26,7 @@ import (
 	durationpb "google.golang.org/protobuf/types/known/durationpb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -412,7 +413,7 @@ func (x *SSHAccessDenial) GetMetadata() *DenialMetadata {
 
 var File_teleport_decision_v1alpha1_ssh_access_proto protoreflect.FileDescriptor
 
-var file_teleport_decision_v1alpha1_ssh_access_proto_rawDesc = []byte{
+var file_teleport_decision_v1alpha1_ssh_access_proto_rawDesc = string([]byte{
 	0x0a, 0x2b, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73,
 	0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x73, 0x73, 0x68,
 	0x5f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1a, 0x74,
@@ -521,16 +522,16 @@ var file_teleport_decision_v1alpha1_ssh_access_proto_rawDesc = []byte{
 	0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f,
 	0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x64, 0x65, 0x63, 0x69, 0x73,
 	0x69, 0x6f, 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_decision_v1alpha1_ssh_access_proto_rawDescOnce sync.Once
-	file_teleport_decision_v1alpha1_ssh_access_proto_rawDescData = file_teleport_decision_v1alpha1_ssh_access_proto_rawDesc
+	file_teleport_decision_v1alpha1_ssh_access_proto_rawDescData []byte
 )
 
 func file_teleport_decision_v1alpha1_ssh_access_proto_rawDescGZIP() []byte {
 	file_teleport_decision_v1alpha1_ssh_access_proto_rawDescOnce.Do(func() {
-		file_teleport_decision_v1alpha1_ssh_access_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_decision_v1alpha1_ssh_access_proto_rawDescData)
+		file_teleport_decision_v1alpha1_ssh_access_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_decision_v1alpha1_ssh_access_proto_rawDesc), len(file_teleport_decision_v1alpha1_ssh_access_proto_rawDesc)))
 	})
 	return file_teleport_decision_v1alpha1_ssh_access_proto_rawDescData
 }
@@ -582,7 +583,7 @@ func file_teleport_decision_v1alpha1_ssh_access_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_decision_v1alpha1_ssh_access_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_decision_v1alpha1_ssh_access_proto_rawDesc), len(file_teleport_decision_v1alpha1_ssh_access_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   4,
 			NumExtensions: 0,
@@ -593,7 +594,6 @@ func file_teleport_decision_v1alpha1_ssh_access_proto_init() {
 		MessageInfos:      file_teleport_decision_v1alpha1_ssh_access_proto_msgTypes,
 	}.Build()
 	File_teleport_decision_v1alpha1_ssh_access_proto = out.File
-	file_teleport_decision_v1alpha1_ssh_access_proto_rawDesc = nil
 	file_teleport_decision_v1alpha1_ssh_access_proto_goTypes = nil
 	file_teleport_decision_v1alpha1_ssh_access_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/ssh_identity.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/ssh_identity.pb.go
index 3e408db5d36fe..8e47b7ca4109f 100644
--- a/api/gen/proto/go/teleport/decision/v1alpha1/ssh_identity.pb.go
+++ b/api/gen/proto/go/teleport/decision/v1alpha1/ssh_identity.pb.go
@@ -14,17 +14,20 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/decision/v1alpha1/ssh_identity.proto
 
 package decisionpb
 
 import (
+	v1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/trait/v1"
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -34,11 +37,199 @@ const (
 	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
 )
 
+// CertExtensionMode specifies the type of extension to use in the cert. This type
+// must be kept up to date with types.CertExtensionMode.
+type CertExtensionMode int32
+
+const (
+	// CERT_EXTENSION_MODE_UNSPECIFIED is the default value and should not be used.
+	CertExtensionMode_CERT_EXTENSION_MODE_UNSPECIFIED CertExtensionMode = 0
+	// EXTENSION represents a cert extension that may or may not be
+	// honored by the server.
+	CertExtensionMode_CERT_EXTENSION_MODE_EXTENSION CertExtensionMode = 1
+)
+
+// Enum value maps for CertExtensionMode.
+var (
+	CertExtensionMode_name = map[int32]string{
+		0: "CERT_EXTENSION_MODE_UNSPECIFIED",
+		1: "CERT_EXTENSION_MODE_EXTENSION",
+	}
+	CertExtensionMode_value = map[string]int32{
+		"CERT_EXTENSION_MODE_UNSPECIFIED": 0,
+		"CERT_EXTENSION_MODE_EXTENSION":   1,
+	}
+)
+
+func (x CertExtensionMode) Enum() *CertExtensionMode {
+	p := new(CertExtensionMode)
+	*p = x
+	return p
+}
+
+func (x CertExtensionMode) String() string {
+	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (CertExtensionMode) Descriptor() protoreflect.EnumDescriptor {
+	return file_teleport_decision_v1alpha1_ssh_identity_proto_enumTypes[0].Descriptor()
+}
+
+func (CertExtensionMode) Type() protoreflect.EnumType {
+	return &file_teleport_decision_v1alpha1_ssh_identity_proto_enumTypes[0]
+}
+
+func (x CertExtensionMode) Number() protoreflect.EnumNumber {
+	return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use CertExtensionMode.Descriptor instead.
+func (CertExtensionMode) EnumDescriptor() ([]byte, []int) {
+	return file_teleport_decision_v1alpha1_ssh_identity_proto_rawDescGZIP(), []int{0}
+}
+
+// CertExtensionType represents the certificate type the extension is for.
+// Currently only ssh is supported. This type must be kept up to date with
+// types.CertExtensionType.
+type CertExtensionType int32
+
+const (
+	// CERT_EXTENSION_TYPE_UNSPECIFIED is the default value and should not be used.
+	CertExtensionType_CERT_EXTENSION_TYPE_UNSPECIFIED CertExtensionType = 0
+	// SSH is used when extending an ssh certificate
+	CertExtensionType_CERT_EXTENSION_TYPE_SSH CertExtensionType = 1
+)
+
+// Enum value maps for CertExtensionType.
+var (
+	CertExtensionType_name = map[int32]string{
+		0: "CERT_EXTENSION_TYPE_UNSPECIFIED",
+		1: "CERT_EXTENSION_TYPE_SSH",
+	}
+	CertExtensionType_value = map[string]int32{
+		"CERT_EXTENSION_TYPE_UNSPECIFIED": 0,
+		"CERT_EXTENSION_TYPE_SSH":         1,
+	}
+)
+
+func (x CertExtensionType) Enum() *CertExtensionType {
+	p := new(CertExtensionType)
+	*p = x
+	return p
+}
+
+func (x CertExtensionType) String() string {
+	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (CertExtensionType) Descriptor() protoreflect.EnumDescriptor {
+	return file_teleport_decision_v1alpha1_ssh_identity_proto_enumTypes[1].Descriptor()
+}
+
+func (CertExtensionType) Type() protoreflect.EnumType {
+	return &file_teleport_decision_v1alpha1_ssh_identity_proto_enumTypes[1]
+}
+
+func (x CertExtensionType) Number() protoreflect.EnumNumber {
+	return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use CertExtensionType.Descriptor instead.
+func (CertExtensionType) EnumDescriptor() ([]byte, []int) {
+	return file_teleport_decision_v1alpha1_ssh_identity_proto_rawDescGZIP(), []int{1}
+}
+
 // SSHIdentity is the identity used for SSH connections.
 type SSHIdentity struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// ValidAfter is the unix timestamp that marks the start time for when the certificate should
+	// be considered valid.
+	ValidAfter uint64 `protobuf:"varint,1,opt,name=valid_after,json=validAfter,proto3" json:"valid_after,omitempty"`
+	// ValidBefore is the unix timestamp that marks the end time for when the certificate should
+	// be considered valid.
+	ValidBefore uint64 `protobuf:"varint,2,opt,name=valid_before,json=validBefore,proto3" json:"valid_before,omitempty"`
+	// CertType indicates what type of cert this is (user or host).
+	CertType uint32 `protobuf:"varint,3,opt,name=cert_type,json=certType,proto3" json:"cert_type,omitempty"`
+	// Principals is the list of SSH principals associated with the certificate (this means the
+	// list of allowed unix logins in the case of user certs).
+	Principals []string `protobuf:"bytes,4,rep,name=principals,proto3" json:"principals,omitempty"`
+	// ClusterName is the name of the cluster within which a node lives
+	ClusterName string `protobuf:"bytes,5,opt,name=cluster_name,json=clusterName,proto3" json:"cluster_name,omitempty"`
+	// SystemRole identifies the system role of a Teleport instance
+	SystemRole string `protobuf:"bytes,6,opt,name=system_role,json=systemRole,proto3" json:"system_role,omitempty"`
+	// Username is teleport username
+	Username string `protobuf:"bytes,7,opt,name=username,proto3" json:"username,omitempty"`
+	// Impersonator is set when a user requests certificate for another user
+	Impersonator string `protobuf:"bytes,8,opt,name=impersonator,proto3" json:"impersonator,omitempty"`
+	// PermitX11Forwarding permits X11 forwarding for this cert
+	PermitX11Forwarding bool `protobuf:"varint,9,opt,name=permit_x11_forwarding,json=permitX11Forwarding,proto3" json:"permit_x11_forwarding,omitempty"`
+	// PermitAgentForwarding permits agent forwarding for this cert
+	PermitAgentForwarding bool `protobuf:"varint,10,opt,name=permit_agent_forwarding,json=permitAgentForwarding,proto3" json:"permit_agent_forwarding,omitempty"`
+	// PermitPortForwarding permits port forwarding.
+	PermitPortForwarding bool `protobuf:"varint,11,opt,name=permit_port_forwarding,json=permitPortForwarding,proto3" json:"permit_port_forwarding,omitempty"`
+	// Roles is a list of roles assigned to this user
+	Roles []string `protobuf:"bytes,12,rep,name=roles,proto3" json:"roles,omitempty"`
+	// RouteToCluster specifies the target cluster
+	// if present in the certificate, will be used
+	// to route the requests to
+	RouteToCluster string `protobuf:"bytes,13,opt,name=route_to_cluster,json=routeToCluster,proto3" json:"route_to_cluster,omitempty"`
+	// Traits hold claim data used to populate a role at runtime.
+	Traits []*v1.Trait `protobuf:"bytes,14,rep,name=traits,proto3" json:"traits,omitempty"`
+	// ActiveRequests tracks privilege escalation requests applied during
+	// certificate construction.
+	ActiveRequests []string `protobuf:"bytes,15,rep,name=active_requests,json=activeRequests,proto3" json:"active_requests,omitempty"`
+	// MFAVerified is the UUID of an MFA device when this Identity was
+	// confirmed immediately after an MFA check.
+	MfaVerified string `protobuf:"bytes,16,opt,name=mfa_verified,json=mfaVerified,proto3" json:"mfa_verified,omitempty"`
+	// PreviousIdentityExpires is the expiry time of the identity/cert that this
+	// identity/cert was derived from. It is used to determine a session's hard
+	// deadline in cases where both require_session_mfa and disconnect_expired_cert
+	// are enabled. See https://github.com/gravitational/teleport/issues/18544.
+	PreviousIdentityExpires *timestamppb.Timestamp `protobuf:"bytes,17,opt,name=previous_identity_expires,json=previousIdentityExpires,proto3" json:"previous_identity_expires,omitempty"`
+	// LoginIP is an observed IP of the client on the moment of certificate creation.
+	LoginIp string `protobuf:"bytes,18,opt,name=login_ip,json=loginIp,proto3" json:"login_ip,omitempty"`
+	// PinnedIP is an IP from which client must communicate with Teleport.
+	PinnedIp string `protobuf:"bytes,19,opt,name=pinned_ip,json=pinnedIp,proto3" json:"pinned_ip,omitempty"`
+	// DisallowReissue flags that any attempt to request new certificates while
+	// authenticated with this cert should be denied.
+	DisallowReissue bool `protobuf:"varint,20,opt,name=disallow_reissue,json=disallowReissue,proto3" json:"disallow_reissue,omitempty"`
+	// CertificateExtensions are user configured ssh key extensions (note: this field also
+	// ends up aggregating all *unknown* extensions during cert parsing, meaning that this
+	// can sometimes contain fields that were inserted by a newer version of teleport).
+	CertificateExtensions []*CertExtension `protobuf:"bytes,21,rep,name=certificate_extensions,json=certificateExtensions,proto3" json:"certificate_extensions,omitempty"`
+	// Renewable indicates this certificate is renewable.
+	Renewable bool `protobuf:"varint,22,opt,name=renewable,proto3" json:"renewable,omitempty"`
+	// Generation counts the number of times a certificate has been renewed, with a generation of 1
+	// meaning the cert has never been renewed. A generation of zero means the cert's generation is
+	// not being tracked.
+	Generation uint64 `protobuf:"varint,23,opt,name=generation,proto3" json:"generation,omitempty"`
+	// BotName is set to the name of the bot, if the user is a Machine ID bot user.
+	// Empty for human users.
+	BotName string `protobuf:"bytes,24,opt,name=bot_name,json=botName,proto3" json:"bot_name,omitempty"`
+	// BotInstanceID is the unique identifier for the bot instance, if this is a
+	// Machine ID bot. It is empty for human users.
+	BotInstanceId string `protobuf:"bytes,25,opt,name=bot_instance_id,json=botInstanceId,proto3" json:"bot_instance_id,omitempty"`
+	// AllowedResourceIDs lists the resources the user should be able to access.
+	AllowedResourceIds []*ResourceId `protobuf:"bytes,26,rep,name=allowed_resource_ids,json=allowedResourceIds,proto3" json:"allowed_resource_ids,omitempty"`
+	// ConnectionDiagnosticID references the ConnectionDiagnostic that we should use to append traces when testing a Connection.
+	ConnectionDiagnosticId string `protobuf:"bytes,27,opt,name=connection_diagnostic_id,json=connectionDiagnosticId,proto3" json:"connection_diagnostic_id,omitempty"`
+	// PrivateKeyPolicy is the private key policy supported by this certificate.
+	PrivateKeyPolicy string `protobuf:"bytes,28,opt,name=private_key_policy,json=privateKeyPolicy,proto3" json:"private_key_policy,omitempty"`
+	// DeviceID is the trusted device identifier.
+	DeviceId string `protobuf:"bytes,29,opt,name=device_id,json=deviceId,proto3" json:"device_id,omitempty"`
+	// DeviceAssetTag is the device inventory identifier.
+	DeviceAssetTag string `protobuf:"bytes,30,opt,name=device_asset_tag,json=deviceAssetTag,proto3" json:"device_asset_tag,omitempty"`
+	// DeviceCredentialID is the identifier for the credential used by the device
+	// to authenticate itself.
+	DeviceCredentialId string `protobuf:"bytes,31,opt,name=device_credential_id,json=deviceCredentialId,proto3" json:"device_credential_id,omitempty"`
+	// GitHubUserID indicates the GitHub user ID identified by the GitHub
+	// connector.
+	GithubUserId string `protobuf:"bytes,32,opt,name=github_user_id,json=githubUserId,proto3" json:"github_user_id,omitempty"`
+	// GitHubUsername indicates the GitHub username identified by the GitHub
+	// connector.
+	GithubUsername string `protobuf:"bytes,33,opt,name=github_username,json=githubUsername,proto3" json:"github_username,omitempty"`
+	unknownFields  protoimpl.UnknownFields
+	sizeCache      protoimpl.SizeCache
 }
 
 func (x *SSHIdentity) Reset() {
@@ -71,45 +262,487 @@ func (*SSHIdentity) Descriptor() ([]byte, []int) {
 	return file_teleport_decision_v1alpha1_ssh_identity_proto_rawDescGZIP(), []int{0}
 }
 
+func (x *SSHIdentity) GetValidAfter() uint64 {
+	if x != nil {
+		return x.ValidAfter
+	}
+	return 0
+}
+
+func (x *SSHIdentity) GetValidBefore() uint64 {
+	if x != nil {
+		return x.ValidBefore
+	}
+	return 0
+}
+
+func (x *SSHIdentity) GetCertType() uint32 {
+	if x != nil {
+		return x.CertType
+	}
+	return 0
+}
+
+func (x *SSHIdentity) GetPrincipals() []string {
+	if x != nil {
+		return x.Principals
+	}
+	return nil
+}
+
+func (x *SSHIdentity) GetClusterName() string {
+	if x != nil {
+		return x.ClusterName
+	}
+	return ""
+}
+
+func (x *SSHIdentity) GetSystemRole() string {
+	if x != nil {
+		return x.SystemRole
+	}
+	return ""
+}
+
+func (x *SSHIdentity) GetUsername() string {
+	if x != nil {
+		return x.Username
+	}
+	return ""
+}
+
+func (x *SSHIdentity) GetImpersonator() string {
+	if x != nil {
+		return x.Impersonator
+	}
+	return ""
+}
+
+func (x *SSHIdentity) GetPermitX11Forwarding() bool {
+	if x != nil {
+		return x.PermitX11Forwarding
+	}
+	return false
+}
+
+func (x *SSHIdentity) GetPermitAgentForwarding() bool {
+	if x != nil {
+		return x.PermitAgentForwarding
+	}
+	return false
+}
+
+func (x *SSHIdentity) GetPermitPortForwarding() bool {
+	if x != nil {
+		return x.PermitPortForwarding
+	}
+	return false
+}
+
+func (x *SSHIdentity) GetRoles() []string {
+	if x != nil {
+		return x.Roles
+	}
+	return nil
+}
+
+func (x *SSHIdentity) GetRouteToCluster() string {
+	if x != nil {
+		return x.RouteToCluster
+	}
+	return ""
+}
+
+func (x *SSHIdentity) GetTraits() []*v1.Trait {
+	if x != nil {
+		return x.Traits
+	}
+	return nil
+}
+
+func (x *SSHIdentity) GetActiveRequests() []string {
+	if x != nil {
+		return x.ActiveRequests
+	}
+	return nil
+}
+
+func (x *SSHIdentity) GetMfaVerified() string {
+	if x != nil {
+		return x.MfaVerified
+	}
+	return ""
+}
+
+func (x *SSHIdentity) GetPreviousIdentityExpires() *timestamppb.Timestamp {
+	if x != nil {
+		return x.PreviousIdentityExpires
+	}
+	return nil
+}
+
+func (x *SSHIdentity) GetLoginIp() string {
+	if x != nil {
+		return x.LoginIp
+	}
+	return ""
+}
+
+func (x *SSHIdentity) GetPinnedIp() string {
+	if x != nil {
+		return x.PinnedIp
+	}
+	return ""
+}
+
+func (x *SSHIdentity) GetDisallowReissue() bool {
+	if x != nil {
+		return x.DisallowReissue
+	}
+	return false
+}
+
+func (x *SSHIdentity) GetCertificateExtensions() []*CertExtension {
+	if x != nil {
+		return x.CertificateExtensions
+	}
+	return nil
+}
+
+func (x *SSHIdentity) GetRenewable() bool {
+	if x != nil {
+		return x.Renewable
+	}
+	return false
+}
+
+func (x *SSHIdentity) GetGeneration() uint64 {
+	if x != nil {
+		return x.Generation
+	}
+	return 0
+}
+
+func (x *SSHIdentity) GetBotName() string {
+	if x != nil {
+		return x.BotName
+	}
+	return ""
+}
+
+func (x *SSHIdentity) GetBotInstanceId() string {
+	if x != nil {
+		return x.BotInstanceId
+	}
+	return ""
+}
+
+func (x *SSHIdentity) GetAllowedResourceIds() []*ResourceId {
+	if x != nil {
+		return x.AllowedResourceIds
+	}
+	return nil
+}
+
+func (x *SSHIdentity) GetConnectionDiagnosticId() string {
+	if x != nil {
+		return x.ConnectionDiagnosticId
+	}
+	return ""
+}
+
+func (x *SSHIdentity) GetPrivateKeyPolicy() string {
+	if x != nil {
+		return x.PrivateKeyPolicy
+	}
+	return ""
+}
+
+func (x *SSHIdentity) GetDeviceId() string {
+	if x != nil {
+		return x.DeviceId
+	}
+	return ""
+}
+
+func (x *SSHIdentity) GetDeviceAssetTag() string {
+	if x != nil {
+		return x.DeviceAssetTag
+	}
+	return ""
+}
+
+func (x *SSHIdentity) GetDeviceCredentialId() string {
+	if x != nil {
+		return x.DeviceCredentialId
+	}
+	return ""
+}
+
+func (x *SSHIdentity) GetGithubUserId() string {
+	if x != nil {
+		return x.GithubUserId
+	}
+	return ""
+}
+
+func (x *SSHIdentity) GetGithubUsername() string {
+	if x != nil {
+		return x.GithubUsername
+	}
+	return ""
+}
+
+// CertExtension represents a key/value for a certificate extension. This type must
+// be kept up to date with types.CertExtension.
+type CertExtension struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// Type represents the certificate type being extended, only ssh
+	// is supported at this time.
+	// 0 is "ssh".
+	Type CertExtensionType `protobuf:"varint,1,opt,name=type,proto3,enum=teleport.decision.v1alpha1.CertExtensionType" json:"type,omitempty"`
+	// Mode is the type of extension to be used -- currently
+	// critical-option is not supported.
+	// 0 is "extension".
+	Mode CertExtensionMode `protobuf:"varint,2,opt,name=mode,proto3,enum=teleport.decision.v1alpha1.CertExtensionMode" json:"mode,omitempty"`
+	// Name specifies the key to be used in the cert extension.
+	Name string `protobuf:"bytes,3,opt,name=name,proto3" json:"name,omitempty"`
+	// Value specifies the value to be used in the cert extension.
+	Value         string `protobuf:"bytes,4,opt,name=value,proto3" json:"value,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *CertExtension) Reset() {
+	*x = CertExtension{}
+	mi := &file_teleport_decision_v1alpha1_ssh_identity_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *CertExtension) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*CertExtension) ProtoMessage() {}
+
+func (x *CertExtension) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_decision_v1alpha1_ssh_identity_proto_msgTypes[1]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use CertExtension.ProtoReflect.Descriptor instead.
+func (*CertExtension) Descriptor() ([]byte, []int) {
+	return file_teleport_decision_v1alpha1_ssh_identity_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *CertExtension) GetType() CertExtensionType {
+	if x != nil {
+		return x.Type
+	}
+	return CertExtensionType_CERT_EXTENSION_TYPE_UNSPECIFIED
+}
+
+func (x *CertExtension) GetMode() CertExtensionMode {
+	if x != nil {
+		return x.Mode
+	}
+	return CertExtensionMode_CERT_EXTENSION_MODE_UNSPECIFIED
+}
+
+func (x *CertExtension) GetName() string {
+	if x != nil {
+		return x.Name
+	}
+	return ""
+}
+
+func (x *CertExtension) GetValue() string {
+	if x != nil {
+		return x.Value
+	}
+	return ""
+}
+
 var File_teleport_decision_v1alpha1_ssh_identity_proto protoreflect.FileDescriptor
 
-var file_teleport_decision_v1alpha1_ssh_identity_proto_rawDesc = []byte{
+var file_teleport_decision_v1alpha1_ssh_identity_proto_rawDesc = string([]byte{
 	0x0a, 0x2d, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73,
 	0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x73, 0x73, 0x68,
 	0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12,
 	0x1a, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69,
-	0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x22, 0x0d, 0x0a, 0x0b, 0x53,
-	0x53, 0x48, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69,
-	0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61,
-	0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f,
-	0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f,
-	0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69,
-	0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x64, 0x65, 0x63, 0x69,
-	0x73, 0x69, 0x6f, 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+	0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x1f, 0x67, 0x6f, 0x6f,
+	0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d,
+	0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x2d, 0x74, 0x65,
+	0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f,
+	0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x74, 0x6c, 0x73, 0x5f, 0x69, 0x64, 0x65,
+	0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1d, 0x74, 0x65, 0x6c,
+	0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x74, 0x72, 0x61, 0x69, 0x74, 0x2f, 0x76, 0x31, 0x2f, 0x74,
+	0x72, 0x61, 0x69, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x9a, 0x0b, 0x0a, 0x0b, 0x53,
+	0x53, 0x48, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x12, 0x1f, 0x0a, 0x0b, 0x76, 0x61,
+	0x6c, 0x69, 0x64, 0x5f, 0x61, 0x66, 0x74, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52,
+	0x0a, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x41, 0x66, 0x74, 0x65, 0x72, 0x12, 0x21, 0x0a, 0x0c, 0x76,
+	0x61, 0x6c, 0x69, 0x64, 0x5f, 0x62, 0x65, 0x66, 0x6f, 0x72, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28,
+	0x04, 0x52, 0x0b, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x42, 0x65, 0x66, 0x6f, 0x72, 0x65, 0x12, 0x1b,
+	0x0a, 0x09, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28,
+	0x0d, 0x52, 0x08, 0x63, 0x65, 0x72, 0x74, 0x54, 0x79, 0x70, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x70,
+	0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52,
+	0x0a, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x63,
+	0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x0b, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1f,
+	0x0a, 0x0b, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x5f, 0x72, 0x6f, 0x6c, 0x65, 0x18, 0x06, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x0a, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x52, 0x6f, 0x6c, 0x65, 0x12,
+	0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x22, 0x0a, 0x0c, 0x69,
+	0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x08, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x0c, 0x69, 0x6d, 0x70, 0x65, 0x72, 0x73, 0x6f, 0x6e, 0x61, 0x74, 0x6f, 0x72, 0x12,
+	0x32, 0x0a, 0x15, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x74, 0x5f, 0x78, 0x31, 0x31, 0x5f, 0x66, 0x6f,
+	0x72, 0x77, 0x61, 0x72, 0x64, 0x69, 0x6e, 0x67, 0x18, 0x09, 0x20, 0x01, 0x28, 0x08, 0x52, 0x13,
+	0x70, 0x65, 0x72, 0x6d, 0x69, 0x74, 0x58, 0x31, 0x31, 0x46, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64,
+	0x69, 0x6e, 0x67, 0x12, 0x36, 0x0a, 0x17, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x74, 0x5f, 0x61, 0x67,
+	0x65, 0x6e, 0x74, 0x5f, 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x69, 0x6e, 0x67, 0x18, 0x0a,
+	0x20, 0x01, 0x28, 0x08, 0x52, 0x15, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x74, 0x41, 0x67, 0x65, 0x6e,
+	0x74, 0x46, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x69, 0x6e, 0x67, 0x12, 0x34, 0x0a, 0x16, 0x70,
+	0x65, 0x72, 0x6d, 0x69, 0x74, 0x5f, 0x70, 0x6f, 0x72, 0x74, 0x5f, 0x66, 0x6f, 0x72, 0x77, 0x61,
+	0x72, 0x64, 0x69, 0x6e, 0x67, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x08, 0x52, 0x14, 0x70, 0x65, 0x72,
+	0x6d, 0x69, 0x74, 0x50, 0x6f, 0x72, 0x74, 0x46, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x69, 0x6e,
+	0x67, 0x12, 0x14, 0x0a, 0x05, 0x72, 0x6f, 0x6c, 0x65, 0x73, 0x18, 0x0c, 0x20, 0x03, 0x28, 0x09,
+	0x52, 0x05, 0x72, 0x6f, 0x6c, 0x65, 0x73, 0x12, 0x28, 0x0a, 0x10, 0x72, 0x6f, 0x75, 0x74, 0x65,
+	0x5f, 0x74, 0x6f, 0x5f, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x18, 0x0d, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x0e, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x54, 0x6f, 0x43, 0x6c, 0x75, 0x73, 0x74, 0x65,
+	0x72, 0x12, 0x30, 0x0a, 0x06, 0x74, 0x72, 0x61, 0x69, 0x74, 0x73, 0x18, 0x0e, 0x20, 0x03, 0x28,
+	0x0b, 0x32, 0x18, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x74, 0x72, 0x61,
+	0x69, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x72, 0x61, 0x69, 0x74, 0x52, 0x06, 0x74, 0x72, 0x61,
+	0x69, 0x74, 0x73, 0x12, 0x27, 0x0a, 0x0f, 0x61, 0x63, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x72, 0x65,
+	0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x18, 0x0f, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0e, 0x61, 0x63,
+	0x74, 0x69, 0x76, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x12, 0x21, 0x0a, 0x0c,
+	0x6d, 0x66, 0x61, 0x5f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x65, 0x64, 0x18, 0x10, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x0b, 0x6d, 0x66, 0x61, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x65, 0x64, 0x12,
+	0x56, 0x0a, 0x19, 0x70, 0x72, 0x65, 0x76, 0x69, 0x6f, 0x75, 0x73, 0x5f, 0x69, 0x64, 0x65, 0x6e,
+	0x74, 0x69, 0x74, 0x79, 0x5f, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x18, 0x11, 0x20, 0x01,
+	0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x17,
+	0x70, 0x72, 0x65, 0x76, 0x69, 0x6f, 0x75, 0x73, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79,
+	0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x12, 0x19, 0x0a, 0x08, 0x6c, 0x6f, 0x67, 0x69, 0x6e,
+	0x5f, 0x69, 0x70, 0x18, 0x12, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6c, 0x6f, 0x67, 0x69, 0x6e,
+	0x49, 0x70, 0x12, 0x1b, 0x0a, 0x09, 0x70, 0x69, 0x6e, 0x6e, 0x65, 0x64, 0x5f, 0x69, 0x70, 0x18,
+	0x13, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x69, 0x6e, 0x6e, 0x65, 0x64, 0x49, 0x70, 0x12,
+	0x29, 0x0a, 0x10, 0x64, 0x69, 0x73, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x5f, 0x72, 0x65, 0x69, 0x73,
+	0x73, 0x75, 0x65, 0x18, 0x14, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0f, 0x64, 0x69, 0x73, 0x61, 0x6c,
+	0x6c, 0x6f, 0x77, 0x52, 0x65, 0x69, 0x73, 0x73, 0x75, 0x65, 0x12, 0x60, 0x0a, 0x16, 0x63, 0x65,
+	0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73,
+	0x69, 0x6f, 0x6e, 0x73, 0x18, 0x15, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x74, 0x65, 0x6c,
+	0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76,
+	0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x45, 0x78, 0x74, 0x65,
+	0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x15, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61,
+	0x74, 0x65, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09,
+	0x72, 0x65, 0x6e, 0x65, 0x77, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x16, 0x20, 0x01, 0x28, 0x08, 0x52,
+	0x09, 0x72, 0x65, 0x6e, 0x65, 0x77, 0x61, 0x62, 0x6c, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x67, 0x65,
+	0x6e, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x17, 0x20, 0x01, 0x28, 0x04, 0x52, 0x0a,
+	0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x19, 0x0a, 0x08, 0x62, 0x6f,
+	0x74, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x18, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x62, 0x6f,
+	0x74, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x26, 0x0a, 0x0f, 0x62, 0x6f, 0x74, 0x5f, 0x69, 0x6e, 0x73,
+	0x74, 0x61, 0x6e, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x19, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d,
+	0x62, 0x6f, 0x74, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x49, 0x64, 0x12, 0x58, 0x0a,
+	0x14, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63,
+	0x65, 0x5f, 0x69, 0x64, 0x73, 0x18, 0x1a, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x74, 0x65,
+	0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e,
+	0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63,
+	0x65, 0x49, 0x64, 0x52, 0x12, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x52, 0x65, 0x73, 0x6f,
+	0x75, 0x72, 0x63, 0x65, 0x49, 0x64, 0x73, 0x12, 0x38, 0x0a, 0x18, 0x63, 0x6f, 0x6e, 0x6e, 0x65,
+	0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x64, 0x69, 0x61, 0x67, 0x6e, 0x6f, 0x73, 0x74, 0x69, 0x63,
+	0x5f, 0x69, 0x64, 0x18, 0x1b, 0x20, 0x01, 0x28, 0x09, 0x52, 0x16, 0x63, 0x6f, 0x6e, 0x6e, 0x65,
+	0x63, 0x74, 0x69, 0x6f, 0x6e, 0x44, 0x69, 0x61, 0x67, 0x6e, 0x6f, 0x73, 0x74, 0x69, 0x63, 0x49,
+	0x64, 0x12, 0x2c, 0x0a, 0x12, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79,
+	0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x1c, 0x20, 0x01, 0x28, 0x09, 0x52, 0x10, 0x70,
+	0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12,
+	0x1b, 0x0a, 0x09, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x1d, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x08, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x49, 0x64, 0x12, 0x28, 0x0a, 0x10,
+	0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x61, 0x73, 0x73, 0x65, 0x74, 0x5f, 0x74, 0x61, 0x67,
+	0x18, 0x1e, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x73,
+	0x73, 0x65, 0x74, 0x54, 0x61, 0x67, 0x12, 0x30, 0x0a, 0x14, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65,
+	0x5f, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x5f, 0x69, 0x64, 0x18, 0x1f,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x43, 0x72, 0x65, 0x64,
+	0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x49, 0x64, 0x12, 0x24, 0x0a, 0x0e, 0x67, 0x69, 0x74, 0x68,
+	0x75, 0x62, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x20, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x0c, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x55, 0x73, 0x65, 0x72, 0x49, 0x64, 0x12, 0x27,
+	0x0a, 0x0f, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x5f, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d,
+	0x65, 0x18, 0x21, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x55,
+	0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x22, 0xbf, 0x01, 0x0a, 0x0d, 0x43, 0x65, 0x72, 0x74,
+	0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x41, 0x0a, 0x04, 0x74, 0x79, 0x70,
+	0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x2d, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f,
+	0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c,
+	0x70, 0x68, 0x61, 0x31, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69,
+	0x6f, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x41, 0x0a, 0x04,
+	0x6d, 0x6f, 0x64, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x2d, 0x2e, 0x74, 0x65, 0x6c,
+	0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2e, 0x76,
+	0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x45, 0x78, 0x74, 0x65,
+	0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x4d, 0x6f, 0x64, 0x65, 0x52, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x12,
+	0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e,
+	0x61, 0x6d, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x04, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x2a, 0x5b, 0x0a, 0x11, 0x43, 0x65, 0x72,
+	0x74, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x23,
+	0x0a, 0x1f, 0x43, 0x45, 0x52, 0x54, 0x5f, 0x45, 0x58, 0x54, 0x45, 0x4e, 0x53, 0x49, 0x4f, 0x4e,
+	0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45,
+	0x44, 0x10, 0x00, 0x12, 0x21, 0x0a, 0x1d, 0x43, 0x45, 0x52, 0x54, 0x5f, 0x45, 0x58, 0x54, 0x45,
+	0x4e, 0x53, 0x49, 0x4f, 0x4e, 0x5f, 0x4d, 0x4f, 0x44, 0x45, 0x5f, 0x45, 0x58, 0x54, 0x45, 0x4e,
+	0x53, 0x49, 0x4f, 0x4e, 0x10, 0x01, 0x2a, 0x55, 0x0a, 0x11, 0x43, 0x65, 0x72, 0x74, 0x45, 0x78,
+	0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x12, 0x23, 0x0a, 0x1f, 0x43,
+	0x45, 0x52, 0x54, 0x5f, 0x45, 0x58, 0x54, 0x45, 0x4e, 0x53, 0x49, 0x4f, 0x4e, 0x5f, 0x54, 0x59,
+	0x50, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00,
+	0x12, 0x1b, 0x0a, 0x17, 0x43, 0x45, 0x52, 0x54, 0x5f, 0x45, 0x58, 0x54, 0x45, 0x4e, 0x53, 0x49,
+	0x4f, 0x4e, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x53, 0x48, 0x10, 0x01, 0x42, 0x5a, 0x5a,
+	0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76,
+	0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f,
+	0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63,
+	0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x64,
+	0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x33,
+})
 
 var (
 	file_teleport_decision_v1alpha1_ssh_identity_proto_rawDescOnce sync.Once
-	file_teleport_decision_v1alpha1_ssh_identity_proto_rawDescData = file_teleport_decision_v1alpha1_ssh_identity_proto_rawDesc
+	file_teleport_decision_v1alpha1_ssh_identity_proto_rawDescData []byte
 )
 
 func file_teleport_decision_v1alpha1_ssh_identity_proto_rawDescGZIP() []byte {
 	file_teleport_decision_v1alpha1_ssh_identity_proto_rawDescOnce.Do(func() {
-		file_teleport_decision_v1alpha1_ssh_identity_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_decision_v1alpha1_ssh_identity_proto_rawDescData)
+		file_teleport_decision_v1alpha1_ssh_identity_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_decision_v1alpha1_ssh_identity_proto_rawDesc), len(file_teleport_decision_v1alpha1_ssh_identity_proto_rawDesc)))
 	})
 	return file_teleport_decision_v1alpha1_ssh_identity_proto_rawDescData
 }
 
-var file_teleport_decision_v1alpha1_ssh_identity_proto_msgTypes = make([]protoimpl.MessageInfo, 1)
+var file_teleport_decision_v1alpha1_ssh_identity_proto_enumTypes = make([]protoimpl.EnumInfo, 2)
+var file_teleport_decision_v1alpha1_ssh_identity_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
 var file_teleport_decision_v1alpha1_ssh_identity_proto_goTypes = []any{
-	(*SSHIdentity)(nil), // 0: teleport.decision.v1alpha1.SSHIdentity
+	(CertExtensionMode)(0),        // 0: teleport.decision.v1alpha1.CertExtensionMode
+	(CertExtensionType)(0),        // 1: teleport.decision.v1alpha1.CertExtensionType
+	(*SSHIdentity)(nil),           // 2: teleport.decision.v1alpha1.SSHIdentity
+	(*CertExtension)(nil),         // 3: teleport.decision.v1alpha1.CertExtension
+	(*v1.Trait)(nil),              // 4: teleport.trait.v1.Trait
+	(*timestamppb.Timestamp)(nil), // 5: google.protobuf.Timestamp
+	(*ResourceId)(nil),            // 6: teleport.decision.v1alpha1.ResourceId
 }
 var file_teleport_decision_v1alpha1_ssh_identity_proto_depIdxs = []int32{
-	0, // [0:0] is the sub-list for method output_type
-	0, // [0:0] is the sub-list for method input_type
-	0, // [0:0] is the sub-list for extension type_name
-	0, // [0:0] is the sub-list for extension extendee
-	0, // [0:0] is the sub-list for field type_name
+	4, // 0: teleport.decision.v1alpha1.SSHIdentity.traits:type_name -> teleport.trait.v1.Trait
+	5, // 1: teleport.decision.v1alpha1.SSHIdentity.previous_identity_expires:type_name -> google.protobuf.Timestamp
+	3, // 2: teleport.decision.v1alpha1.SSHIdentity.certificate_extensions:type_name -> teleport.decision.v1alpha1.CertExtension
+	6, // 3: teleport.decision.v1alpha1.SSHIdentity.allowed_resource_ids:type_name -> teleport.decision.v1alpha1.ResourceId
+	1, // 4: teleport.decision.v1alpha1.CertExtension.type:type_name -> teleport.decision.v1alpha1.CertExtensionType
+	0, // 5: teleport.decision.v1alpha1.CertExtension.mode:type_name -> teleport.decision.v1alpha1.CertExtensionMode
+	6, // [6:6] is the sub-list for method output_type
+	6, // [6:6] is the sub-list for method input_type
+	6, // [6:6] is the sub-list for extension type_name
+	6, // [6:6] is the sub-list for extension extendee
+	0, // [0:6] is the sub-list for field type_name
 }
 
 func init() { file_teleport_decision_v1alpha1_ssh_identity_proto_init() }
@@ -117,22 +750,23 @@ func file_teleport_decision_v1alpha1_ssh_identity_proto_init() {
 	if File_teleport_decision_v1alpha1_ssh_identity_proto != nil {
 		return
 	}
+	file_teleport_decision_v1alpha1_tls_identity_proto_init()
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_decision_v1alpha1_ssh_identity_proto_rawDesc,
-			NumEnums:      0,
-			NumMessages:   1,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_decision_v1alpha1_ssh_identity_proto_rawDesc), len(file_teleport_decision_v1alpha1_ssh_identity_proto_rawDesc)),
+			NumEnums:      2,
+			NumMessages:   2,
 			NumExtensions: 0,
 			NumServices:   0,
 		},
 		GoTypes:           file_teleport_decision_v1alpha1_ssh_identity_proto_goTypes,
 		DependencyIndexes: file_teleport_decision_v1alpha1_ssh_identity_proto_depIdxs,
+		EnumInfos:         file_teleport_decision_v1alpha1_ssh_identity_proto_enumTypes,
 		MessageInfos:      file_teleport_decision_v1alpha1_ssh_identity_proto_msgTypes,
 	}.Build()
 	File_teleport_decision_v1alpha1_ssh_identity_proto = out.File
-	file_teleport_decision_v1alpha1_ssh_identity_proto_rawDesc = nil
 	file_teleport_decision_v1alpha1_ssh_identity_proto_goTypes = nil
 	file_teleport_decision_v1alpha1_ssh_identity_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/decision/v1alpha1/tls_identity.pb.go b/api/gen/proto/go/teleport/decision/v1alpha1/tls_identity.pb.go
index 3be3f70116563..36203737b606e 100644
--- a/api/gen/proto/go/teleport/decision/v1alpha1/tls_identity.pb.go
+++ b/api/gen/proto/go/teleport/decision/v1alpha1/tls_identity.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/decision/v1alpha1/tls_identity.proto
 
@@ -27,6 +27,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -771,7 +772,7 @@ func (x *DeviceExtensions) GetCredentialId() string {
 
 var File_teleport_decision_v1alpha1_tls_identity_proto protoreflect.FileDescriptor
 
-var file_teleport_decision_v1alpha1_tls_identity_proto_rawDesc = []byte{
+var file_teleport_decision_v1alpha1_tls_identity_proto_rawDesc = string([]byte{
 	0x0a, 0x2d, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x63, 0x69, 0x73,
 	0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x74, 0x6c, 0x73,
 	0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12,
@@ -932,16 +933,16 @@ var file_teleport_decision_v1alpha1_tls_identity_proto_rawDesc = []byte{
 	0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61,
 	0x31, 0x3b, 0x64, 0x65, 0x63, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72,
 	0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_decision_v1alpha1_tls_identity_proto_rawDescOnce sync.Once
-	file_teleport_decision_v1alpha1_tls_identity_proto_rawDescData = file_teleport_decision_v1alpha1_tls_identity_proto_rawDesc
+	file_teleport_decision_v1alpha1_tls_identity_proto_rawDescData []byte
 )
 
 func file_teleport_decision_v1alpha1_tls_identity_proto_rawDescGZIP() []byte {
 	file_teleport_decision_v1alpha1_tls_identity_proto_rawDescOnce.Do(func() {
-		file_teleport_decision_v1alpha1_tls_identity_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_decision_v1alpha1_tls_identity_proto_rawDescData)
+		file_teleport_decision_v1alpha1_tls_identity_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_decision_v1alpha1_tls_identity_proto_rawDesc), len(file_teleport_decision_v1alpha1_tls_identity_proto_rawDesc)))
 	})
 	return file_teleport_decision_v1alpha1_tls_identity_proto_rawDescData
 }
@@ -980,7 +981,7 @@ func file_teleport_decision_v1alpha1_tls_identity_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_decision_v1alpha1_tls_identity_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_decision_v1alpha1_tls_identity_proto_rawDesc), len(file_teleport_decision_v1alpha1_tls_identity_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   5,
 			NumExtensions: 0,
@@ -991,7 +992,6 @@ func file_teleport_decision_v1alpha1_tls_identity_proto_init() {
 		MessageInfos:      file_teleport_decision_v1alpha1_tls_identity_proto_msgTypes,
 	}.Build()
 	File_teleport_decision_v1alpha1_tls_identity_proto = out.File
-	file_teleport_decision_v1alpha1_tls_identity_proto_rawDesc = nil
 	file_teleport_decision_v1alpha1_tls_identity_proto_goTypes = nil
 	file_teleport_decision_v1alpha1_tls_identity_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/devicetrust/v1/assert.pb.go b/api/gen/proto/go/teleport/devicetrust/v1/assert.pb.go
index b5807b9f6002c..c69edb0c6d628 100644
--- a/api/gen/proto/go/teleport/devicetrust/v1/assert.pb.go
+++ b/api/gen/proto/go/teleport/devicetrust/v1/assert.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/devicetrust/v1/assert.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -348,7 +349,7 @@ func (*DeviceAsserted) Descriptor() ([]byte, []int) {
 
 var File_teleport_devicetrust_v1_assert_proto protoreflect.FileDescriptor
 
-var file_teleport_devicetrust_v1_assert_proto_rawDesc = []byte{
+var file_teleport_devicetrust_v1_assert_proto_rawDesc = string([]byte{
 	0x0a, 0x24, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63,
 	0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x73, 0x73, 0x65, 0x72, 0x74,
 	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x17, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74,
@@ -416,16 +417,16 @@ var file_teleport_devicetrust_v1_assert_proto_rawDesc = []byte{
 	0x65, 0x76, 0x69, 0x63, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x3b, 0x64, 0x65,
 	0x76, 0x69, 0x63, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f,
 	0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_devicetrust_v1_assert_proto_rawDescOnce sync.Once
-	file_teleport_devicetrust_v1_assert_proto_rawDescData = file_teleport_devicetrust_v1_assert_proto_rawDesc
+	file_teleport_devicetrust_v1_assert_proto_rawDescData []byte
 )
 
 func file_teleport_devicetrust_v1_assert_proto_rawDescGZIP() []byte {
 	file_teleport_devicetrust_v1_assert_proto_rawDescOnce.Do(func() {
-		file_teleport_devicetrust_v1_assert_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_devicetrust_v1_assert_proto_rawDescData)
+		file_teleport_devicetrust_v1_assert_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_devicetrust_v1_assert_proto_rawDesc), len(file_teleport_devicetrust_v1_assert_proto_rawDesc)))
 	})
 	return file_teleport_devicetrust_v1_assert_proto_rawDescData
 }
@@ -478,7 +479,7 @@ func file_teleport_devicetrust_v1_assert_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_devicetrust_v1_assert_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_devicetrust_v1_assert_proto_rawDesc), len(file_teleport_devicetrust_v1_assert_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   4,
 			NumExtensions: 0,
@@ -489,7 +490,6 @@ func file_teleport_devicetrust_v1_assert_proto_init() {
 		MessageInfos:      file_teleport_devicetrust_v1_assert_proto_msgTypes,
 	}.Build()
 	File_teleport_devicetrust_v1_assert_proto = out.File
-	file_teleport_devicetrust_v1_assert_proto_rawDesc = nil
 	file_teleport_devicetrust_v1_assert_proto_goTypes = nil
 	file_teleport_devicetrust_v1_assert_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/devicetrust/v1/authenticate_challenge.pb.go b/api/gen/proto/go/teleport/devicetrust/v1/authenticate_challenge.pb.go
index 130d3a9e96bcb..d50d7f8ebc3e6 100644
--- a/api/gen/proto/go/teleport/devicetrust/v1/authenticate_challenge.pb.go
+++ b/api/gen/proto/go/teleport/devicetrust/v1/authenticate_challenge.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/devicetrust/v1/authenticate_challenge.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -247,7 +248,7 @@ func (x *TPMAuthenticateDeviceChallengeResponse) GetSshSignature() []byte {
 
 var File_teleport_devicetrust_v1_authenticate_challenge_proto protoreflect.FileDescriptor
 
-var file_teleport_devicetrust_v1_authenticate_challenge_proto_rawDesc = []byte{
+var file_teleport_devicetrust_v1_authenticate_challenge_proto_rawDesc = string([]byte{
 	0x0a, 0x34, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63,
 	0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e,
 	0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x63, 0x68, 0x61, 0x6c, 0x6c, 0x65, 0x6e, 0x67, 0x65,
@@ -288,16 +289,16 @@ var file_teleport_devicetrust_v1_authenticate_challenge_proto_rawDesc = []byte{
 	0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x74,
 	0x72, 0x75, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x3b, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x74, 0x72,
 	0x75, 0x73, 0x74, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_devicetrust_v1_authenticate_challenge_proto_rawDescOnce sync.Once
-	file_teleport_devicetrust_v1_authenticate_challenge_proto_rawDescData = file_teleport_devicetrust_v1_authenticate_challenge_proto_rawDesc
+	file_teleport_devicetrust_v1_authenticate_challenge_proto_rawDescData []byte
 )
 
 func file_teleport_devicetrust_v1_authenticate_challenge_proto_rawDescGZIP() []byte {
 	file_teleport_devicetrust_v1_authenticate_challenge_proto_rawDescOnce.Do(func() {
-		file_teleport_devicetrust_v1_authenticate_challenge_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_devicetrust_v1_authenticate_challenge_proto_rawDescData)
+		file_teleport_devicetrust_v1_authenticate_challenge_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_devicetrust_v1_authenticate_challenge_proto_rawDesc), len(file_teleport_devicetrust_v1_authenticate_challenge_proto_rawDesc)))
 	})
 	return file_teleport_devicetrust_v1_authenticate_challenge_proto_rawDescData
 }
@@ -329,7 +330,7 @@ func file_teleport_devicetrust_v1_authenticate_challenge_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_devicetrust_v1_authenticate_challenge_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_devicetrust_v1_authenticate_challenge_proto_rawDesc), len(file_teleport_devicetrust_v1_authenticate_challenge_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   4,
 			NumExtensions: 0,
@@ -340,7 +341,6 @@ func file_teleport_devicetrust_v1_authenticate_challenge_proto_init() {
 		MessageInfos:      file_teleport_devicetrust_v1_authenticate_challenge_proto_msgTypes,
 	}.Build()
 	File_teleport_devicetrust_v1_authenticate_challenge_proto = out.File
-	file_teleport_devicetrust_v1_authenticate_challenge_proto_rawDesc = nil
 	file_teleport_devicetrust_v1_authenticate_challenge_proto_goTypes = nil
 	file_teleport_devicetrust_v1_authenticate_challenge_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/devicetrust/v1/device.pb.go b/api/gen/proto/go/teleport/devicetrust/v1/device.pb.go
index 94a3c2db7416f..91252a99ff8f8 100644
--- a/api/gen/proto/go/teleport/devicetrust/v1/device.pb.go
+++ b/api/gen/proto/go/teleport/devicetrust/v1/device.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/devicetrust/v1/device.proto
 
@@ -26,6 +26,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -416,7 +417,7 @@ func (x *DeviceCredential) GetTpmAkPublic() []byte {
 
 var File_teleport_devicetrust_v1_device_proto protoreflect.FileDescriptor
 
-var file_teleport_devicetrust_v1_device_proto_rawDesc = []byte{
+var file_teleport_devicetrust_v1_device_proto_rawDesc = string([]byte{
 	0x0a, 0x24, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63,
 	0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65,
 	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x17, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74,
@@ -527,16 +528,16 @@ var file_teleport_devicetrust_v1_device_proto_rawDesc = []byte{
 	0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63,
 	0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x3b, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65,
 	0x74, 0x72, 0x75, 0x73, 0x74, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_devicetrust_v1_device_proto_rawDescOnce sync.Once
-	file_teleport_devicetrust_v1_device_proto_rawDescData = file_teleport_devicetrust_v1_device_proto_rawDesc
+	file_teleport_devicetrust_v1_device_proto_rawDescData []byte
 )
 
 func file_teleport_devicetrust_v1_device_proto_rawDescGZIP() []byte {
 	file_teleport_devicetrust_v1_device_proto_rawDescOnce.Do(func() {
-		file_teleport_devicetrust_v1_device_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_devicetrust_v1_device_proto_rawDescData)
+		file_teleport_devicetrust_v1_device_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_devicetrust_v1_device_proto_rawDesc), len(file_teleport_devicetrust_v1_device_proto_rawDesc)))
 	})
 	return file_teleport_devicetrust_v1_device_proto_rawDescData
 }
@@ -587,7 +588,7 @@ func file_teleport_devicetrust_v1_device_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_devicetrust_v1_device_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_devicetrust_v1_device_proto_rawDesc), len(file_teleport_devicetrust_v1_device_proto_rawDesc)),
 			NumEnums:      2,
 			NumMessages:   2,
 			NumExtensions: 0,
@@ -599,7 +600,6 @@ func file_teleport_devicetrust_v1_device_proto_init() {
 		MessageInfos:      file_teleport_devicetrust_v1_device_proto_msgTypes,
 	}.Build()
 	File_teleport_devicetrust_v1_device_proto = out.File
-	file_teleport_devicetrust_v1_device_proto_rawDesc = nil
 	file_teleport_devicetrust_v1_device_proto_goTypes = nil
 	file_teleport_devicetrust_v1_device_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/devicetrust/v1/device_collected_data.pb.go b/api/gen/proto/go/teleport/devicetrust/v1/device_collected_data.pb.go
index 2ddd0a71b75fd..81047a2121296 100644
--- a/api/gen/proto/go/teleport/devicetrust/v1/device_collected_data.pb.go
+++ b/api/gen/proto/go/teleport/devicetrust/v1/device_collected_data.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/devicetrust/v1/device_collected_data.proto
 
@@ -26,6 +26,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -244,7 +245,7 @@ func (x *DeviceCollectedData) GetOsId() string {
 
 var File_teleport_devicetrust_v1_device_collected_data_proto protoreflect.FileDescriptor
 
-var file_teleport_devicetrust_v1_device_collected_data_proto_rawDesc = []byte{
+var file_teleport_devicetrust_v1_device_collected_data_proto_rawDesc = string([]byte{
 	0x0a, 0x33, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63,
 	0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65,
 	0x5f, 0x63, 0x6f, 0x6c, 0x6c, 0x65, 0x63, 0x74, 0x65, 0x64, 0x5f, 0x64, 0x61, 0x74, 0x61, 0x2e,
@@ -311,16 +312,16 @@ var file_teleport_devicetrust_v1_device_collected_data_proto_rawDesc = []byte{
 	0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x74, 0x72, 0x75,
 	0x73, 0x74, 0x2f, 0x76, 0x31, 0x3b, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x74, 0x72, 0x75, 0x73,
 	0x74, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_devicetrust_v1_device_collected_data_proto_rawDescOnce sync.Once
-	file_teleport_devicetrust_v1_device_collected_data_proto_rawDescData = file_teleport_devicetrust_v1_device_collected_data_proto_rawDesc
+	file_teleport_devicetrust_v1_device_collected_data_proto_rawDescData []byte
 )
 
 func file_teleport_devicetrust_v1_device_collected_data_proto_rawDescGZIP() []byte {
 	file_teleport_devicetrust_v1_device_collected_data_proto_rawDescOnce.Do(func() {
-		file_teleport_devicetrust_v1_device_collected_data_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_devicetrust_v1_device_collected_data_proto_rawDescData)
+		file_teleport_devicetrust_v1_device_collected_data_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_devicetrust_v1_device_collected_data_proto_rawDesc), len(file_teleport_devicetrust_v1_device_collected_data_proto_rawDesc)))
 	})
 	return file_teleport_devicetrust_v1_device_collected_data_proto_rawDescData
 }
@@ -355,7 +356,7 @@ func file_teleport_devicetrust_v1_device_collected_data_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_devicetrust_v1_device_collected_data_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_devicetrust_v1_device_collected_data_proto_rawDesc), len(file_teleport_devicetrust_v1_device_collected_data_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   1,
 			NumExtensions: 0,
@@ -366,7 +367,6 @@ func file_teleport_devicetrust_v1_device_collected_data_proto_init() {
 		MessageInfos:      file_teleport_devicetrust_v1_device_collected_data_proto_msgTypes,
 	}.Build()
 	File_teleport_devicetrust_v1_device_collected_data_proto = out.File
-	file_teleport_devicetrust_v1_device_collected_data_proto_rawDesc = nil
 	file_teleport_devicetrust_v1_device_collected_data_proto_goTypes = nil
 	file_teleport_devicetrust_v1_device_collected_data_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/devicetrust/v1/device_confirmation_token.pb.go b/api/gen/proto/go/teleport/devicetrust/v1/device_confirmation_token.pb.go
index 34162f6d796c1..48ad7b711802c 100644
--- a/api/gen/proto/go/teleport/devicetrust/v1/device_confirmation_token.pb.go
+++ b/api/gen/proto/go/teleport/devicetrust/v1/device_confirmation_token.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/devicetrust/v1/device_confirmation_token.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -99,7 +100,7 @@ func (x *DeviceConfirmationToken) GetToken() string {
 
 var File_teleport_devicetrust_v1_device_confirmation_token_proto protoreflect.FileDescriptor
 
-var file_teleport_devicetrust_v1_device_confirmation_token_proto_rawDesc = []byte{
+var file_teleport_devicetrust_v1_device_confirmation_token_proto_rawDesc = string([]byte{
 	0x0a, 0x37, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63,
 	0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65,
 	0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x72, 0x6d, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x74, 0x6f,
@@ -116,16 +117,16 @@ var file_teleport_devicetrust_v1_device_confirmation_token_proto_rawDesc = []byt
 	0x72, 0x74, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2f, 0x76,
 	0x31, 0x3b, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x76, 0x31, 0x62,
 	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_devicetrust_v1_device_confirmation_token_proto_rawDescOnce sync.Once
-	file_teleport_devicetrust_v1_device_confirmation_token_proto_rawDescData = file_teleport_devicetrust_v1_device_confirmation_token_proto_rawDesc
+	file_teleport_devicetrust_v1_device_confirmation_token_proto_rawDescData []byte
 )
 
 func file_teleport_devicetrust_v1_device_confirmation_token_proto_rawDescGZIP() []byte {
 	file_teleport_devicetrust_v1_device_confirmation_token_proto_rawDescOnce.Do(func() {
-		file_teleport_devicetrust_v1_device_confirmation_token_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_devicetrust_v1_device_confirmation_token_proto_rawDescData)
+		file_teleport_devicetrust_v1_device_confirmation_token_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_devicetrust_v1_device_confirmation_token_proto_rawDesc), len(file_teleport_devicetrust_v1_device_confirmation_token_proto_rawDesc)))
 	})
 	return file_teleport_devicetrust_v1_device_confirmation_token_proto_rawDescData
 }
@@ -151,7 +152,7 @@ func file_teleport_devicetrust_v1_device_confirmation_token_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_devicetrust_v1_device_confirmation_token_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_devicetrust_v1_device_confirmation_token_proto_rawDesc), len(file_teleport_devicetrust_v1_device_confirmation_token_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   1,
 			NumExtensions: 0,
@@ -162,7 +163,6 @@ func file_teleport_devicetrust_v1_device_confirmation_token_proto_init() {
 		MessageInfos:      file_teleport_devicetrust_v1_device_confirmation_token_proto_msgTypes,
 	}.Build()
 	File_teleport_devicetrust_v1_device_confirmation_token_proto = out.File
-	file_teleport_devicetrust_v1_device_confirmation_token_proto_rawDesc = nil
 	file_teleport_devicetrust_v1_device_confirmation_token_proto_goTypes = nil
 	file_teleport_devicetrust_v1_device_confirmation_token_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/devicetrust/v1/device_enroll_token.pb.go b/api/gen/proto/go/teleport/devicetrust/v1/device_enroll_token.pb.go
index e1ae84cf04cf1..e163d7d0b62d1 100644
--- a/api/gen/proto/go/teleport/devicetrust/v1/device_enroll_token.pb.go
+++ b/api/gen/proto/go/teleport/devicetrust/v1/device_enroll_token.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/devicetrust/v1/device_enroll_token.proto
 
@@ -26,6 +26,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -94,7 +95,7 @@ func (x *DeviceEnrollToken) GetExpireTime() *timestamppb.Timestamp {
 
 var File_teleport_devicetrust_v1_device_enroll_token_proto protoreflect.FileDescriptor
 
-var file_teleport_devicetrust_v1_device_enroll_token_proto_rawDesc = []byte{
+var file_teleport_devicetrust_v1_device_enroll_token_proto_rawDesc = string([]byte{
 	0x0a, 0x31, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63,
 	0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65,
 	0x5f, 0x65, 0x6e, 0x72, 0x6f, 0x6c, 0x6c, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x2e, 0x70, 0x72,
@@ -115,16 +116,16 @@ var file_teleport_devicetrust_v1_device_enroll_token_proto_rawDesc = []byte{
 	0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74,
 	0x2f, 0x76, 0x31, 0x3b, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x76,
 	0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_devicetrust_v1_device_enroll_token_proto_rawDescOnce sync.Once
-	file_teleport_devicetrust_v1_device_enroll_token_proto_rawDescData = file_teleport_devicetrust_v1_device_enroll_token_proto_rawDesc
+	file_teleport_devicetrust_v1_device_enroll_token_proto_rawDescData []byte
 )
 
 func file_teleport_devicetrust_v1_device_enroll_token_proto_rawDescGZIP() []byte {
 	file_teleport_devicetrust_v1_device_enroll_token_proto_rawDescOnce.Do(func() {
-		file_teleport_devicetrust_v1_device_enroll_token_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_devicetrust_v1_device_enroll_token_proto_rawDescData)
+		file_teleport_devicetrust_v1_device_enroll_token_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_devicetrust_v1_device_enroll_token_proto_rawDesc), len(file_teleport_devicetrust_v1_device_enroll_token_proto_rawDesc)))
 	})
 	return file_teleport_devicetrust_v1_device_enroll_token_proto_rawDescData
 }
@@ -152,7 +153,7 @@ func file_teleport_devicetrust_v1_device_enroll_token_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_devicetrust_v1_device_enroll_token_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_devicetrust_v1_device_enroll_token_proto_rawDesc), len(file_teleport_devicetrust_v1_device_enroll_token_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   1,
 			NumExtensions: 0,
@@ -163,7 +164,6 @@ func file_teleport_devicetrust_v1_device_enroll_token_proto_init() {
 		MessageInfos:      file_teleport_devicetrust_v1_device_enroll_token_proto_msgTypes,
 	}.Build()
 	File_teleport_devicetrust_v1_device_enroll_token_proto = out.File
-	file_teleport_devicetrust_v1_device_enroll_token_proto_rawDesc = nil
 	file_teleport_devicetrust_v1_device_enroll_token_proto_goTypes = nil
 	file_teleport_devicetrust_v1_device_enroll_token_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/devicetrust/v1/device_profile.pb.go b/api/gen/proto/go/teleport/devicetrust/v1/device_profile.pb.go
index fe2f3ffbdaef9..7d45cd842b112 100644
--- a/api/gen/proto/go/teleport/devicetrust/v1/device_profile.pb.go
+++ b/api/gen/proto/go/teleport/devicetrust/v1/device_profile.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/devicetrust/v1/device_profile.proto
 
@@ -26,6 +26,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -168,7 +169,7 @@ func (x *DeviceProfile) GetOsId() string {
 
 var File_teleport_devicetrust_v1_device_profile_proto protoreflect.FileDescriptor
 
-var file_teleport_devicetrust_v1_device_profile_proto_rawDesc = []byte{
+var file_teleport_devicetrust_v1_device_profile_proto_rawDesc = string([]byte{
 	0x0a, 0x2c, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63,
 	0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65,
 	0x5f, 0x70, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x17,
@@ -205,16 +206,16 @@ var file_teleport_devicetrust_v1_device_profile_proto_rawDesc = []byte{
 	0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x74,
 	0x72, 0x75, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x3b, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x74, 0x72,
 	0x75, 0x73, 0x74, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_devicetrust_v1_device_profile_proto_rawDescOnce sync.Once
-	file_teleport_devicetrust_v1_device_profile_proto_rawDescData = file_teleport_devicetrust_v1_device_profile_proto_rawDesc
+	file_teleport_devicetrust_v1_device_profile_proto_rawDescData []byte
 )
 
 func file_teleport_devicetrust_v1_device_profile_proto_rawDescGZIP() []byte {
 	file_teleport_devicetrust_v1_device_profile_proto_rawDescOnce.Do(func() {
-		file_teleport_devicetrust_v1_device_profile_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_devicetrust_v1_device_profile_proto_rawDescData)
+		file_teleport_devicetrust_v1_device_profile_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_devicetrust_v1_device_profile_proto_rawDesc), len(file_teleport_devicetrust_v1_device_profile_proto_rawDesc)))
 	})
 	return file_teleport_devicetrust_v1_device_profile_proto_rawDescData
 }
@@ -242,7 +243,7 @@ func file_teleport_devicetrust_v1_device_profile_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_devicetrust_v1_device_profile_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_devicetrust_v1_device_profile_proto_rawDesc), len(file_teleport_devicetrust_v1_device_profile_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   1,
 			NumExtensions: 0,
@@ -253,7 +254,6 @@ func file_teleport_devicetrust_v1_device_profile_proto_init() {
 		MessageInfos:      file_teleport_devicetrust_v1_device_profile_proto_msgTypes,
 	}.Build()
 	File_teleport_devicetrust_v1_device_profile_proto = out.File
-	file_teleport_devicetrust_v1_device_profile_proto_rawDesc = nil
 	file_teleport_devicetrust_v1_device_profile_proto_goTypes = nil
 	file_teleport_devicetrust_v1_device_profile_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/devicetrust/v1/device_source.pb.go b/api/gen/proto/go/teleport/devicetrust/v1/device_source.pb.go
index eaf3062be6738..87837a7ecc3b1 100644
--- a/api/gen/proto/go/teleport/devicetrust/v1/device_source.pb.go
+++ b/api/gen/proto/go/teleport/devicetrust/v1/device_source.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/devicetrust/v1/device_source.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -152,7 +153,7 @@ func (x *DeviceSource) GetOrigin() DeviceOrigin {
 
 var File_teleport_devicetrust_v1_device_source_proto protoreflect.FileDescriptor
 
-var file_teleport_devicetrust_v1_device_source_proto_rawDesc = []byte{
+var file_teleport_devicetrust_v1_device_source_proto_rawDesc = string([]byte{
 	0x0a, 0x2b, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63,
 	0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65,
 	0x5f, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x17, 0x74,
@@ -178,16 +179,16 @@ var file_teleport_devicetrust_v1_device_source_proto_rawDesc = []byte{
 	0x2f, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x3b,
 	0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x76, 0x31, 0x62, 0x06, 0x70,
 	0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_devicetrust_v1_device_source_proto_rawDescOnce sync.Once
-	file_teleport_devicetrust_v1_device_source_proto_rawDescData = file_teleport_devicetrust_v1_device_source_proto_rawDesc
+	file_teleport_devicetrust_v1_device_source_proto_rawDescData []byte
 )
 
 func file_teleport_devicetrust_v1_device_source_proto_rawDescGZIP() []byte {
 	file_teleport_devicetrust_v1_device_source_proto_rawDescOnce.Do(func() {
-		file_teleport_devicetrust_v1_device_source_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_devicetrust_v1_device_source_proto_rawDescData)
+		file_teleport_devicetrust_v1_device_source_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_devicetrust_v1_device_source_proto_rawDesc), len(file_teleport_devicetrust_v1_device_source_proto_rawDesc)))
 	})
 	return file_teleport_devicetrust_v1_device_source_proto_rawDescData
 }
@@ -216,7 +217,7 @@ func file_teleport_devicetrust_v1_device_source_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_devicetrust_v1_device_source_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_devicetrust_v1_device_source_proto_rawDesc), len(file_teleport_devicetrust_v1_device_source_proto_rawDesc)),
 			NumEnums:      1,
 			NumMessages:   1,
 			NumExtensions: 0,
@@ -228,7 +229,6 @@ func file_teleport_devicetrust_v1_device_source_proto_init() {
 		MessageInfos:      file_teleport_devicetrust_v1_device_source_proto_msgTypes,
 	}.Build()
 	File_teleport_devicetrust_v1_device_source_proto = out.File
-	file_teleport_devicetrust_v1_device_source_proto_rawDesc = nil
 	file_teleport_devicetrust_v1_device_source_proto_goTypes = nil
 	file_teleport_devicetrust_v1_device_source_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/devicetrust/v1/device_web_token.pb.go b/api/gen/proto/go/teleport/devicetrust/v1/device_web_token.pb.go
index 4938e216b4183..75cf3d34fae26 100644
--- a/api/gen/proto/go/teleport/devicetrust/v1/device_web_token.pb.go
+++ b/api/gen/proto/go/teleport/devicetrust/v1/device_web_token.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/devicetrust/v1/device_web_token.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -156,7 +157,7 @@ func (x *DeviceWebToken) GetExpectedDeviceIds() []string {
 
 var File_teleport_devicetrust_v1_device_web_token_proto protoreflect.FileDescriptor
 
-var file_teleport_devicetrust_v1_device_web_token_proto_rawDesc = []byte{
+var file_teleport_devicetrust_v1_device_web_token_proto_rawDesc = string([]byte{
 	0x0a, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63,
 	0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65,
 	0x5f, 0x77, 0x65, 0x62, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
@@ -183,16 +184,16 @@ var file_teleport_devicetrust_v1_device_web_token_proto_rawDesc = []byte{
 	0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x74,
 	0x72, 0x75, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x3b, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x74, 0x72,
 	0x75, 0x73, 0x74, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_devicetrust_v1_device_web_token_proto_rawDescOnce sync.Once
-	file_teleport_devicetrust_v1_device_web_token_proto_rawDescData = file_teleport_devicetrust_v1_device_web_token_proto_rawDesc
+	file_teleport_devicetrust_v1_device_web_token_proto_rawDescData []byte
 )
 
 func file_teleport_devicetrust_v1_device_web_token_proto_rawDescGZIP() []byte {
 	file_teleport_devicetrust_v1_device_web_token_proto_rawDescOnce.Do(func() {
-		file_teleport_devicetrust_v1_device_web_token_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_devicetrust_v1_device_web_token_proto_rawDescData)
+		file_teleport_devicetrust_v1_device_web_token_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_devicetrust_v1_device_web_token_proto_rawDesc), len(file_teleport_devicetrust_v1_device_web_token_proto_rawDesc)))
 	})
 	return file_teleport_devicetrust_v1_device_web_token_proto_rawDescData
 }
@@ -218,7 +219,7 @@ func file_teleport_devicetrust_v1_device_web_token_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_devicetrust_v1_device_web_token_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_devicetrust_v1_device_web_token_proto_rawDesc), len(file_teleport_devicetrust_v1_device_web_token_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   1,
 			NumExtensions: 0,
@@ -229,7 +230,6 @@ func file_teleport_devicetrust_v1_device_web_token_proto_init() {
 		MessageInfos:      file_teleport_devicetrust_v1_device_web_token_proto_msgTypes,
 	}.Build()
 	File_teleport_devicetrust_v1_device_web_token_proto = out.File
-	file_teleport_devicetrust_v1_device_web_token_proto_rawDesc = nil
 	file_teleport_devicetrust_v1_device_web_token_proto_goTypes = nil
 	file_teleport_devicetrust_v1_device_web_token_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/devicetrust/v1/devicetrust_service.pb.go b/api/gen/proto/go/teleport/devicetrust/v1/devicetrust_service.pb.go
index 8fb3a6ccdac7f..935868436d55b 100644
--- a/api/gen/proto/go/teleport/devicetrust/v1/devicetrust_service.pb.go
+++ b/api/gen/proto/go/teleport/devicetrust/v1/devicetrust_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/devicetrust/v1/devicetrust_service.proto
 
@@ -29,6 +29,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -2750,7 +2751,7 @@ func (*GetDevicesUsageRequest) Descriptor() ([]byte, []int) {
 
 var File_teleport_devicetrust_v1_devicetrust_service_proto protoreflect.FileDescriptor
 
-var file_teleport_devicetrust_v1_devicetrust_service_proto_rawDesc = []byte{
+var file_teleport_devicetrust_v1_devicetrust_service_proto_rawDesc = string([]byte{
 	0x0a, 0x31, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63,
 	0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65,
 	0x74, 0x72, 0x75, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72,
@@ -3298,16 +3299,16 @@ var file_teleport_devicetrust_v1_devicetrust_service_proto_rawDesc = []byte{
 	0x72, 0x74, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2f, 0x76,
 	0x31, 0x3b, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x76, 0x31, 0x62,
 	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_devicetrust_v1_devicetrust_service_proto_rawDescOnce sync.Once
-	file_teleport_devicetrust_v1_devicetrust_service_proto_rawDescData = file_teleport_devicetrust_v1_devicetrust_service_proto_rawDesc
+	file_teleport_devicetrust_v1_devicetrust_service_proto_rawDescData []byte
 )
 
 func file_teleport_devicetrust_v1_devicetrust_service_proto_rawDescGZIP() []byte {
 	file_teleport_devicetrust_v1_devicetrust_service_proto_rawDescOnce.Do(func() {
-		file_teleport_devicetrust_v1_devicetrust_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_devicetrust_v1_devicetrust_service_proto_rawDescData)
+		file_teleport_devicetrust_v1_devicetrust_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_devicetrust_v1_devicetrust_service_proto_rawDesc), len(file_teleport_devicetrust_v1_devicetrust_service_proto_rawDesc)))
 	})
 	return file_teleport_devicetrust_v1_devicetrust_service_proto_rawDescData
 }
@@ -3517,7 +3518,7 @@ func file_teleport_devicetrust_v1_devicetrust_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_devicetrust_v1_devicetrust_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_devicetrust_v1_devicetrust_service_proto_rawDesc), len(file_teleport_devicetrust_v1_devicetrust_service_proto_rawDesc)),
 			NumEnums:      1,
 			NumMessages:   41,
 			NumExtensions: 0,
@@ -3529,7 +3530,6 @@ func file_teleport_devicetrust_v1_devicetrust_service_proto_init() {
 		MessageInfos:      file_teleport_devicetrust_v1_devicetrust_service_proto_msgTypes,
 	}.Build()
 	File_teleport_devicetrust_v1_devicetrust_service_proto = out.File
-	file_teleport_devicetrust_v1_devicetrust_service_proto_rawDesc = nil
 	file_teleport_devicetrust_v1_devicetrust_service_proto_goTypes = nil
 	file_teleport_devicetrust_v1_devicetrust_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/devicetrust/v1/os_type.pb.go b/api/gen/proto/go/teleport/devicetrust/v1/os_type.pb.go
index f7413f370da34..4fb243e6d0d68 100644
--- a/api/gen/proto/go/teleport/devicetrust/v1/os_type.pb.go
+++ b/api/gen/proto/go/teleport/devicetrust/v1/os_type.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/devicetrust/v1/os_type.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -92,7 +93,7 @@ func (OSType) EnumDescriptor() ([]byte, []int) {
 
 var File_teleport_devicetrust_v1_os_type_proto protoreflect.FileDescriptor
 
-var file_teleport_devicetrust_v1_os_type_proto_rawDesc = []byte{
+var file_teleport_devicetrust_v1_os_type_proto_rawDesc = string([]byte{
 	0x0a, 0x25, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63,
 	0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x2f, 0x6f, 0x73, 0x5f, 0x74, 0x79, 0x70,
 	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x17, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72,
@@ -110,16 +111,16 @@ var file_teleport_devicetrust_v1_os_type_proto_rawDesc = []byte{
 	0x76, 0x69, 0x63, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x3b, 0x64, 0x65, 0x76,
 	0x69, 0x63, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
 	0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_devicetrust_v1_os_type_proto_rawDescOnce sync.Once
-	file_teleport_devicetrust_v1_os_type_proto_rawDescData = file_teleport_devicetrust_v1_os_type_proto_rawDesc
+	file_teleport_devicetrust_v1_os_type_proto_rawDescData []byte
 )
 
 func file_teleport_devicetrust_v1_os_type_proto_rawDescGZIP() []byte {
 	file_teleport_devicetrust_v1_os_type_proto_rawDescOnce.Do(func() {
-		file_teleport_devicetrust_v1_os_type_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_devicetrust_v1_os_type_proto_rawDescData)
+		file_teleport_devicetrust_v1_os_type_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_devicetrust_v1_os_type_proto_rawDesc), len(file_teleport_devicetrust_v1_os_type_proto_rawDesc)))
 	})
 	return file_teleport_devicetrust_v1_os_type_proto_rawDescData
 }
@@ -145,7 +146,7 @@ func file_teleport_devicetrust_v1_os_type_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_devicetrust_v1_os_type_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_devicetrust_v1_os_type_proto_rawDesc), len(file_teleport_devicetrust_v1_os_type_proto_rawDesc)),
 			NumEnums:      1,
 			NumMessages:   0,
 			NumExtensions: 0,
@@ -156,7 +157,6 @@ func file_teleport_devicetrust_v1_os_type_proto_init() {
 		EnumInfos:         file_teleport_devicetrust_v1_os_type_proto_enumTypes,
 	}.Build()
 	File_teleport_devicetrust_v1_os_type_proto = out.File
-	file_teleport_devicetrust_v1_os_type_proto_rawDesc = nil
 	file_teleport_devicetrust_v1_os_type_proto_goTypes = nil
 	file_teleport_devicetrust_v1_os_type_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/devicetrust/v1/tpm.pb.go b/api/gen/proto/go/teleport/devicetrust/v1/tpm.pb.go
index ae498710966de..e04379af64c2e 100644
--- a/api/gen/proto/go/teleport/devicetrust/v1/tpm.pb.go
+++ b/api/gen/proto/go/teleport/devicetrust/v1/tpm.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/devicetrust/v1/tpm.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -278,7 +279,7 @@ func (x *TPMPlatformAttestation) GetPlatformParameters() *TPMPlatformParameters
 
 var File_teleport_devicetrust_v1_tpm_proto protoreflect.FileDescriptor
 
-var file_teleport_devicetrust_v1_tpm_proto_rawDesc = []byte{
+var file_teleport_devicetrust_v1_tpm_proto_rawDesc = string([]byte{
 	0x0a, 0x21, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63,
 	0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x2f, 0x74, 0x70, 0x6d, 0x2e, 0x70, 0x72,
 	0x6f, 0x74, 0x6f, 0x12, 0x17, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x64, 0x65,
@@ -318,16 +319,16 @@ var file_teleport_devicetrust_v1_tpm_proto_rawDesc = []byte{
 	0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x76, 0x69,
 	0x63, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x3b, 0x64, 0x65, 0x76, 0x69, 0x63,
 	0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_devicetrust_v1_tpm_proto_rawDescOnce sync.Once
-	file_teleport_devicetrust_v1_tpm_proto_rawDescData = file_teleport_devicetrust_v1_tpm_proto_rawDesc
+	file_teleport_devicetrust_v1_tpm_proto_rawDescData []byte
 )
 
 func file_teleport_devicetrust_v1_tpm_proto_rawDescGZIP() []byte {
 	file_teleport_devicetrust_v1_tpm_proto_rawDescOnce.Do(func() {
-		file_teleport_devicetrust_v1_tpm_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_devicetrust_v1_tpm_proto_rawDescData)
+		file_teleport_devicetrust_v1_tpm_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_devicetrust_v1_tpm_proto_rawDesc), len(file_teleport_devicetrust_v1_tpm_proto_rawDesc)))
 	})
 	return file_teleport_devicetrust_v1_tpm_proto_rawDescData
 }
@@ -359,7 +360,7 @@ func file_teleport_devicetrust_v1_tpm_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_devicetrust_v1_tpm_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_devicetrust_v1_tpm_proto_rawDesc), len(file_teleport_devicetrust_v1_tpm_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   4,
 			NumExtensions: 0,
@@ -370,7 +371,6 @@ func file_teleport_devicetrust_v1_tpm_proto_init() {
 		MessageInfos:      file_teleport_devicetrust_v1_tpm_proto_msgTypes,
 	}.Build()
 	File_teleport_devicetrust_v1_tpm_proto = out.File
-	file_teleport_devicetrust_v1_tpm_proto_rawDesc = nil
 	file_teleport_devicetrust_v1_tpm_proto_goTypes = nil
 	file_teleport_devicetrust_v1_tpm_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/devicetrust/v1/usage.pb.go b/api/gen/proto/go/teleport/devicetrust/v1/usage.pb.go
index 06e62b95a442b..6aa793a77c636 100644
--- a/api/gen/proto/go/teleport/devicetrust/v1/usage.pb.go
+++ b/api/gen/proto/go/teleport/devicetrust/v1/usage.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/devicetrust/v1/usage.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -123,7 +124,7 @@ func (*DevicesUsage) Descriptor() ([]byte, []int) {
 
 var File_teleport_devicetrust_v1_usage_proto protoreflect.FileDescriptor
 
-var file_teleport_devicetrust_v1_usage_proto_rawDesc = []byte{
+var file_teleport_devicetrust_v1_usage_proto_rawDesc = string([]byte{
 	0x0a, 0x23, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63,
 	0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x2f, 0x75, 0x73, 0x61, 0x67, 0x65, 0x2e,
 	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x17, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e,
@@ -148,16 +149,16 @@ var file_teleport_devicetrust_v1_usage_proto_rawDesc = []byte{
 	0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x74, 0x72, 0x75,
 	0x73, 0x74, 0x2f, 0x76, 0x31, 0x3b, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x74, 0x72, 0x75, 0x73,
 	0x74, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_devicetrust_v1_usage_proto_rawDescOnce sync.Once
-	file_teleport_devicetrust_v1_usage_proto_rawDescData = file_teleport_devicetrust_v1_usage_proto_rawDesc
+	file_teleport_devicetrust_v1_usage_proto_rawDescData []byte
 )
 
 func file_teleport_devicetrust_v1_usage_proto_rawDescGZIP() []byte {
 	file_teleport_devicetrust_v1_usage_proto_rawDescOnce.Do(func() {
-		file_teleport_devicetrust_v1_usage_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_devicetrust_v1_usage_proto_rawDescData)
+		file_teleport_devicetrust_v1_usage_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_devicetrust_v1_usage_proto_rawDesc), len(file_teleport_devicetrust_v1_usage_proto_rawDesc)))
 	})
 	return file_teleport_devicetrust_v1_usage_proto_rawDescData
 }
@@ -185,7 +186,7 @@ func file_teleport_devicetrust_v1_usage_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_devicetrust_v1_usage_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_devicetrust_v1_usage_proto_rawDesc), len(file_teleport_devicetrust_v1_usage_proto_rawDesc)),
 			NumEnums:      1,
 			NumMessages:   1,
 			NumExtensions: 0,
@@ -197,7 +198,6 @@ func file_teleport_devicetrust_v1_usage_proto_init() {
 		MessageInfos:      file_teleport_devicetrust_v1_usage_proto_msgTypes,
 	}.Build()
 	File_teleport_devicetrust_v1_usage_proto = out.File
-	file_teleport_devicetrust_v1_usage_proto_rawDesc = nil
 	file_teleport_devicetrust_v1_usage_proto_goTypes = nil
 	file_teleport_devicetrust_v1_usage_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/devicetrust/v1/user_certificates.pb.go b/api/gen/proto/go/teleport/devicetrust/v1/user_certificates.pb.go
index 0d44ff5339886..aeb7ee8d76af6 100644
--- a/api/gen/proto/go/teleport/devicetrust/v1/user_certificates.pb.go
+++ b/api/gen/proto/go/teleport/devicetrust/v1/user_certificates.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/devicetrust/v1/user_certificates.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -93,7 +94,7 @@ func (x *UserCertificates) GetSshAuthorizedKey() []byte {
 
 var File_teleport_devicetrust_v1_user_certificates_proto protoreflect.FileDescriptor
 
-var file_teleport_devicetrust_v1_user_certificates_proto_rawDesc = []byte{
+var file_teleport_devicetrust_v1_user_certificates_proto_rawDesc = string([]byte{
 	0x0a, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63,
 	0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x63,
 	0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74,
@@ -111,16 +112,16 @@ var file_teleport_devicetrust_v1_user_certificates_proto_rawDesc = []byte{
 	0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x74, 0x72, 0x75,
 	0x73, 0x74, 0x2f, 0x76, 0x31, 0x3b, 0x64, 0x65, 0x76, 0x69, 0x63, 0x65, 0x74, 0x72, 0x75, 0x73,
 	0x74, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_devicetrust_v1_user_certificates_proto_rawDescOnce sync.Once
-	file_teleport_devicetrust_v1_user_certificates_proto_rawDescData = file_teleport_devicetrust_v1_user_certificates_proto_rawDesc
+	file_teleport_devicetrust_v1_user_certificates_proto_rawDescData []byte
 )
 
 func file_teleport_devicetrust_v1_user_certificates_proto_rawDescGZIP() []byte {
 	file_teleport_devicetrust_v1_user_certificates_proto_rawDescOnce.Do(func() {
-		file_teleport_devicetrust_v1_user_certificates_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_devicetrust_v1_user_certificates_proto_rawDescData)
+		file_teleport_devicetrust_v1_user_certificates_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_devicetrust_v1_user_certificates_proto_rawDesc), len(file_teleport_devicetrust_v1_user_certificates_proto_rawDesc)))
 	})
 	return file_teleport_devicetrust_v1_user_certificates_proto_rawDescData
 }
@@ -146,7 +147,7 @@ func file_teleport_devicetrust_v1_user_certificates_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_devicetrust_v1_user_certificates_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_devicetrust_v1_user_certificates_proto_rawDesc), len(file_teleport_devicetrust_v1_user_certificates_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   1,
 			NumExtensions: 0,
@@ -157,7 +158,6 @@ func file_teleport_devicetrust_v1_user_certificates_proto_init() {
 		MessageInfos:      file_teleport_devicetrust_v1_user_certificates_proto_msgTypes,
 	}.Build()
 	File_teleport_devicetrust_v1_user_certificates_proto = out.File
-	file_teleport_devicetrust_v1_user_certificates_proto_rawDesc = nil
 	file_teleport_devicetrust_v1_user_certificates_proto_goTypes = nil
 	file_teleport_devicetrust_v1_user_certificates_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/discoveryconfig/v1/discoveryconfig.pb.go b/api/gen/proto/go/teleport/discoveryconfig/v1/discoveryconfig.pb.go
index c13dbd6424928..fb0c23077cf3c 100644
--- a/api/gen/proto/go/teleport/discoveryconfig/v1/discoveryconfig.pb.go
+++ b/api/gen/proto/go/teleport/discoveryconfig/v1/discoveryconfig.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/discoveryconfig/v1/discoveryconfig.proto
 
@@ -28,6 +28,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -468,7 +469,7 @@ func (x *ResourcesDiscoveredSummary) GetFailed() uint64 {
 
 var File_teleport_discoveryconfig_v1_discoveryconfig_proto protoreflect.FileDescriptor
 
-var file_teleport_discoveryconfig_v1_discoveryconfig_proto_rawDesc = []byte{
+var file_teleport_discoveryconfig_v1_discoveryconfig_proto_rawDesc = string([]byte{
 	0x0a, 0x31, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x69, 0x73, 0x63, 0x6f,
 	0x76, 0x65, 0x72, 0x79, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x76, 0x31, 0x2f, 0x64, 0x69,
 	0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x70, 0x72,
@@ -593,16 +594,16 @@ var file_teleport_discoveryconfig_v1_discoveryconfig_proto_rawDesc = []byte{
 	0x74, 0x2f, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x63, 0x6f, 0x6e, 0x66, 0x69,
 	0x67, 0x2f, 0x76, 0x31, 0x3b, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x63, 0x6f,
 	0x6e, 0x66, 0x69, 0x67, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_discoveryconfig_v1_discoveryconfig_proto_rawDescOnce sync.Once
-	file_teleport_discoveryconfig_v1_discoveryconfig_proto_rawDescData = file_teleport_discoveryconfig_v1_discoveryconfig_proto_rawDesc
+	file_teleport_discoveryconfig_v1_discoveryconfig_proto_rawDescData []byte
 )
 
 func file_teleport_discoveryconfig_v1_discoveryconfig_proto_rawDescGZIP() []byte {
 	file_teleport_discoveryconfig_v1_discoveryconfig_proto_rawDescOnce.Do(func() {
-		file_teleport_discoveryconfig_v1_discoveryconfig_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_discoveryconfig_v1_discoveryconfig_proto_rawDescData)
+		file_teleport_discoveryconfig_v1_discoveryconfig_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_discoveryconfig_v1_discoveryconfig_proto_rawDesc), len(file_teleport_discoveryconfig_v1_discoveryconfig_proto_rawDesc)))
 	})
 	return file_teleport_discoveryconfig_v1_discoveryconfig_proto_rawDescData
 }
@@ -658,7 +659,7 @@ func file_teleport_discoveryconfig_v1_discoveryconfig_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_discoveryconfig_v1_discoveryconfig_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_discoveryconfig_v1_discoveryconfig_proto_rawDesc), len(file_teleport_discoveryconfig_v1_discoveryconfig_proto_rawDesc)),
 			NumEnums:      1,
 			NumMessages:   6,
 			NumExtensions: 0,
@@ -670,7 +671,6 @@ func file_teleport_discoveryconfig_v1_discoveryconfig_proto_init() {
 		MessageInfos:      file_teleport_discoveryconfig_v1_discoveryconfig_proto_msgTypes,
 	}.Build()
 	File_teleport_discoveryconfig_v1_discoveryconfig_proto = out.File
-	file_teleport_discoveryconfig_v1_discoveryconfig_proto_rawDesc = nil
 	file_teleport_discoveryconfig_v1_discoveryconfig_proto_goTypes = nil
 	file_teleport_discoveryconfig_v1_discoveryconfig_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/discoveryconfig/v1/discoveryconfig_service.pb.go b/api/gen/proto/go/teleport/discoveryconfig/v1/discoveryconfig_service.pb.go
index 003a815b0df53..679a602567587 100644
--- a/api/gen/proto/go/teleport/discoveryconfig/v1/discoveryconfig_service.pb.go
+++ b/api/gen/proto/go/teleport/discoveryconfig/v1/discoveryconfig_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/discoveryconfig/v1/discoveryconfig_service.proto
 
@@ -26,6 +26,7 @@ import (
 	emptypb "google.golang.org/protobuf/types/known/emptypb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -479,7 +480,7 @@ func (x *UpdateDiscoveryConfigStatusRequest) GetStatus() *DiscoveryConfigStatus
 
 var File_teleport_discoveryconfig_v1_discoveryconfig_service_proto protoreflect.FileDescriptor
 
-var file_teleport_discoveryconfig_v1_discoveryconfig_service_proto_rawDesc = []byte{
+var file_teleport_discoveryconfig_v1_discoveryconfig_service_proto_rawDesc = string([]byte{
 	0x0a, 0x39, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x69, 0x73, 0x63, 0x6f,
 	0x76, 0x65, 0x72, 0x79, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x76, 0x31, 0x2f, 0x64, 0x69,
 	0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x73, 0x65,
@@ -620,16 +621,16 @@ var file_teleport_discoveryconfig_v1_discoveryconfig_service_proto_rawDesc = []b
 	0x72, 0x74, 0x2f, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x63, 0x6f, 0x6e, 0x66,
 	0x69, 0x67, 0x2f, 0x76, 0x31, 0x3b, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x63,
 	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_discoveryconfig_v1_discoveryconfig_service_proto_rawDescOnce sync.Once
-	file_teleport_discoveryconfig_v1_discoveryconfig_service_proto_rawDescData = file_teleport_discoveryconfig_v1_discoveryconfig_service_proto_rawDesc
+	file_teleport_discoveryconfig_v1_discoveryconfig_service_proto_rawDescData []byte
 )
 
 func file_teleport_discoveryconfig_v1_discoveryconfig_service_proto_rawDescGZIP() []byte {
 	file_teleport_discoveryconfig_v1_discoveryconfig_service_proto_rawDescOnce.Do(func() {
-		file_teleport_discoveryconfig_v1_discoveryconfig_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_discoveryconfig_v1_discoveryconfig_service_proto_rawDescData)
+		file_teleport_discoveryconfig_v1_discoveryconfig_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_discoveryconfig_v1_discoveryconfig_service_proto_rawDesc), len(file_teleport_discoveryconfig_v1_discoveryconfig_service_proto_rawDesc)))
 	})
 	return file_teleport_discoveryconfig_v1_discoveryconfig_service_proto_rawDescData
 }
@@ -688,7 +689,7 @@ func file_teleport_discoveryconfig_v1_discoveryconfig_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_discoveryconfig_v1_discoveryconfig_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_discoveryconfig_v1_discoveryconfig_service_proto_rawDesc), len(file_teleport_discoveryconfig_v1_discoveryconfig_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   9,
 			NumExtensions: 0,
@@ -699,7 +700,6 @@ func file_teleport_discoveryconfig_v1_discoveryconfig_service_proto_init() {
 		MessageInfos:      file_teleport_discoveryconfig_v1_discoveryconfig_service_proto_msgTypes,
 	}.Build()
 	File_teleport_discoveryconfig_v1_discoveryconfig_service_proto = out.File
-	file_teleport_discoveryconfig_v1_discoveryconfig_service_proto_rawDesc = nil
 	file_teleport_discoveryconfig_v1_discoveryconfig_service_proto_goTypes = nil
 	file_teleport_discoveryconfig_v1_discoveryconfig_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/dynamicwindows/v1/dynamicwindows_service.pb.go b/api/gen/proto/go/teleport/dynamicwindows/v1/dynamicwindows_service.pb.go
index 8aaa1430428f4..cd7cb95f80469 100644
--- a/api/gen/proto/go/teleport/dynamicwindows/v1/dynamicwindows_service.pb.go
+++ b/api/gen/proto/go/teleport/dynamicwindows/v1/dynamicwindows_service.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/dynamicwindows/v1/dynamicwindows_service.proto
 
@@ -30,6 +30,7 @@ import (
 	emptypb "google.golang.org/protobuf/types/known/emptypb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -383,7 +384,7 @@ func (x *DeleteDynamicWindowsDesktopRequest) GetName() string {
 
 var File_teleport_dynamicwindows_v1_dynamicwindows_service_proto protoreflect.FileDescriptor
 
-var file_teleport_dynamicwindows_v1_dynamicwindows_service_proto_rawDesc = []byte{
+var file_teleport_dynamicwindows_v1_dynamicwindows_service_proto_rawDesc = string([]byte{
 	0x0a, 0x37, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x64, 0x79, 0x6e, 0x61, 0x6d,
 	0x69, 0x63, 0x77, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x2f, 0x76, 0x31, 0x2f, 0x64, 0x79, 0x6e,
 	0x61, 0x6d, 0x69, 0x63, 0x77, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x5f, 0x73, 0x65, 0x72, 0x76,
@@ -491,16 +492,16 @@ var file_teleport_dynamicwindows_v1_dynamicwindows_service_proto_rawDesc = []byt
 	0x6e, 0x64, 0x6f, 0x77, 0x73, 0x2f, 0x76, 0x31, 0x3b, 0x64, 0x79, 0x6e, 0x61, 0x6d, 0x69, 0x63,
 	0x77, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
 	0x33,
-}
+})
 
 var (
 	file_teleport_dynamicwindows_v1_dynamicwindows_service_proto_rawDescOnce sync.Once
-	file_teleport_dynamicwindows_v1_dynamicwindows_service_proto_rawDescData = file_teleport_dynamicwindows_v1_dynamicwindows_service_proto_rawDesc
+	file_teleport_dynamicwindows_v1_dynamicwindows_service_proto_rawDescData []byte
 )
 
 func file_teleport_dynamicwindows_v1_dynamicwindows_service_proto_rawDescGZIP() []byte {
 	file_teleport_dynamicwindows_v1_dynamicwindows_service_proto_rawDescOnce.Do(func() {
-		file_teleport_dynamicwindows_v1_dynamicwindows_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_dynamicwindows_v1_dynamicwindows_service_proto_rawDescData)
+		file_teleport_dynamicwindows_v1_dynamicwindows_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_dynamicwindows_v1_dynamicwindows_service_proto_rawDesc), len(file_teleport_dynamicwindows_v1_dynamicwindows_service_proto_rawDesc)))
 	})
 	return file_teleport_dynamicwindows_v1_dynamicwindows_service_proto_rawDescData
 }
@@ -550,7 +551,7 @@ func file_teleport_dynamicwindows_v1_dynamicwindows_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_dynamicwindows_v1_dynamicwindows_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_dynamicwindows_v1_dynamicwindows_service_proto_rawDesc), len(file_teleport_dynamicwindows_v1_dynamicwindows_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   7,
 			NumExtensions: 0,
@@ -561,7 +562,6 @@ func file_teleport_dynamicwindows_v1_dynamicwindows_service_proto_init() {
 		MessageInfos:      file_teleport_dynamicwindows_v1_dynamicwindows_service_proto_msgTypes,
 	}.Build()
 	File_teleport_dynamicwindows_v1_dynamicwindows_service_proto = out.File
-	file_teleport_dynamicwindows_v1_dynamicwindows_service_proto_rawDesc = nil
 	file_teleport_dynamicwindows_v1_dynamicwindows_service_proto_goTypes = nil
 	file_teleport_dynamicwindows_v1_dynamicwindows_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/embedding/v1/embedding.pb.go b/api/gen/proto/go/teleport/embedding/v1/embedding.pb.go
index 4819f689f438b..91257973d10a3 100644
--- a/api/gen/proto/go/teleport/embedding/v1/embedding.pb.go
+++ b/api/gen/proto/go/teleport/embedding/v1/embedding.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/embedding/v1/embedding.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -113,7 +114,7 @@ func (x *Embedding) GetVector() []float64 {
 
 var File_teleport_embedding_v1_embedding_proto protoreflect.FileDescriptor
 
-var file_teleport_embedding_v1_embedding_proto_rawDesc = []byte{
+var file_teleport_embedding_v1_embedding_proto_rawDesc = string([]byte{
 	0x0a, 0x25, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x65, 0x6d, 0x62, 0x65, 0x64,
 	0x64, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31, 0x2f, 0x65, 0x6d, 0x62, 0x65, 0x64, 0x64, 0x69, 0x6e,
 	0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x15, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72,
@@ -133,16 +134,16 @@ var file_teleport_embedding_v1_embedding_proto_rawDesc = []byte{
 	0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x65,
 	0x6d, 0x62, 0x65, 0x64, 0x64, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31, 0x3b, 0x65, 0x6d, 0x62, 0x65,
 	0x64, 0x64, 0x69, 0x6e, 0x67, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_embedding_v1_embedding_proto_rawDescOnce sync.Once
-	file_teleport_embedding_v1_embedding_proto_rawDescData = file_teleport_embedding_v1_embedding_proto_rawDesc
+	file_teleport_embedding_v1_embedding_proto_rawDescData []byte
 )
 
 func file_teleport_embedding_v1_embedding_proto_rawDescGZIP() []byte {
 	file_teleport_embedding_v1_embedding_proto_rawDescOnce.Do(func() {
-		file_teleport_embedding_v1_embedding_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_embedding_v1_embedding_proto_rawDescData)
+		file_teleport_embedding_v1_embedding_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_embedding_v1_embedding_proto_rawDesc), len(file_teleport_embedding_v1_embedding_proto_rawDesc)))
 	})
 	return file_teleport_embedding_v1_embedding_proto_rawDescData
 }
@@ -168,7 +169,7 @@ func file_teleport_embedding_v1_embedding_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_embedding_v1_embedding_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_embedding_v1_embedding_proto_rawDesc), len(file_teleport_embedding_v1_embedding_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   1,
 			NumExtensions: 0,
@@ -179,7 +180,6 @@ func file_teleport_embedding_v1_embedding_proto_init() {
 		MessageInfos:      file_teleport_embedding_v1_embedding_proto_msgTypes,
 	}.Build()
 	File_teleport_embedding_v1_embedding_proto = out.File
-	file_teleport_embedding_v1_embedding_proto_rawDesc = nil
 	file_teleport_embedding_v1_embedding_proto_goTypes = nil
 	file_teleport_embedding_v1_embedding_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/externalauditstorage/v1/externalauditstorage.pb.go b/api/gen/proto/go/teleport/externalauditstorage/v1/externalauditstorage.pb.go
index a4ae69eb1381c..3f3b9445eff03 100644
--- a/api/gen/proto/go/teleport/externalauditstorage/v1/externalauditstorage.pb.go
+++ b/api/gen/proto/go/teleport/externalauditstorage/v1/externalauditstorage.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/externalauditstorage/v1/externalauditstorage.proto
 
@@ -26,6 +26,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -216,7 +217,7 @@ func (x *ExternalAuditStorageSpec) GetPolicyName() string {
 
 var File_teleport_externalauditstorage_v1_externalauditstorage_proto protoreflect.FileDescriptor
 
-var file_teleport_externalauditstorage_v1_externalauditstorage_proto_rawDesc = []byte{
+var file_teleport_externalauditstorage_v1_externalauditstorage_proto_rawDesc = string([]byte{
 	0x0a, 0x3b, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x72,
 	0x6e, 0x61, 0x6c, 0x61, 0x75, 0x64, 0x69, 0x74, 0x73, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x2f,
 	0x76, 0x31, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x61, 0x75, 0x64, 0x69, 0x74,
@@ -269,16 +270,16 @@ var file_teleport_externalauditstorage_v1_externalauditstorage_proto_rawDesc = [
 	0x65, 0x2f, 0x76, 0x31, 0x3b, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x61, 0x75, 0x64,
 	0x69, 0x74, 0x73, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f,
 	0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_externalauditstorage_v1_externalauditstorage_proto_rawDescOnce sync.Once
-	file_teleport_externalauditstorage_v1_externalauditstorage_proto_rawDescData = file_teleport_externalauditstorage_v1_externalauditstorage_proto_rawDesc
+	file_teleport_externalauditstorage_v1_externalauditstorage_proto_rawDescData []byte
 )
 
 func file_teleport_externalauditstorage_v1_externalauditstorage_proto_rawDescGZIP() []byte {
 	file_teleport_externalauditstorage_v1_externalauditstorage_proto_rawDescOnce.Do(func() {
-		file_teleport_externalauditstorage_v1_externalauditstorage_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_externalauditstorage_v1_externalauditstorage_proto_rawDescData)
+		file_teleport_externalauditstorage_v1_externalauditstorage_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_externalauditstorage_v1_externalauditstorage_proto_rawDesc), len(file_teleport_externalauditstorage_v1_externalauditstorage_proto_rawDesc)))
 	})
 	return file_teleport_externalauditstorage_v1_externalauditstorage_proto_rawDescData
 }
@@ -308,7 +309,7 @@ func file_teleport_externalauditstorage_v1_externalauditstorage_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_externalauditstorage_v1_externalauditstorage_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_externalauditstorage_v1_externalauditstorage_proto_rawDesc), len(file_teleport_externalauditstorage_v1_externalauditstorage_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   2,
 			NumExtensions: 0,
@@ -319,7 +320,6 @@ func file_teleport_externalauditstorage_v1_externalauditstorage_proto_init() {
 		MessageInfos:      file_teleport_externalauditstorage_v1_externalauditstorage_proto_msgTypes,
 	}.Build()
 	File_teleport_externalauditstorage_v1_externalauditstorage_proto = out.File
-	file_teleport_externalauditstorage_v1_externalauditstorage_proto_rawDesc = nil
 	file_teleport_externalauditstorage_v1_externalauditstorage_proto_goTypes = nil
 	file_teleport_externalauditstorage_v1_externalauditstorage_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/externalauditstorage/v1/externalauditstorage_service.pb.go b/api/gen/proto/go/teleport/externalauditstorage/v1/externalauditstorage_service.pb.go
index 48ec792c45f05..95cf5a20ce07c 100644
--- a/api/gen/proto/go/teleport/externalauditstorage/v1/externalauditstorage_service.pb.go
+++ b/api/gen/proto/go/teleport/externalauditstorage/v1/externalauditstorage_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/externalauditstorage/v1/externalauditstorage_service.proto
 
@@ -26,6 +26,7 @@ import (
 	emptypb "google.golang.org/protobuf/types/known/emptypb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -889,7 +890,7 @@ func (*TestDraftExternalAuditStorageAthenaResponse) Descriptor() ([]byte, []int)
 
 var File_teleport_externalauditstorage_v1_externalauditstorage_service_proto protoreflect.FileDescriptor
 
-var file_teleport_externalauditstorage_v1_externalauditstorage_service_proto_rawDesc = []byte{
+var file_teleport_externalauditstorage_v1_externalauditstorage_service_proto_rawDesc = string([]byte{
 	0x0a, 0x43, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x72,
 	0x6e, 0x61, 0x6c, 0x61, 0x75, 0x64, 0x69, 0x74, 0x73, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x2f,
 	0x76, 0x31, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x61, 0x75, 0x64, 0x69, 0x74,
@@ -1152,16 +1153,16 @@ var file_teleport_externalauditstorage_v1_externalauditstorage_service_proto_raw
 	0x75, 0x64, 0x69, 0x74, 0x73, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x2f, 0x76, 0x31, 0x3b, 0x65,
 	0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x61, 0x75, 0x64, 0x69, 0x74, 0x73, 0x74, 0x6f, 0x72,
 	0x61, 0x67, 0x65, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_externalauditstorage_v1_externalauditstorage_service_proto_rawDescOnce sync.Once
-	file_teleport_externalauditstorage_v1_externalauditstorage_service_proto_rawDescData = file_teleport_externalauditstorage_v1_externalauditstorage_service_proto_rawDesc
+	file_teleport_externalauditstorage_v1_externalauditstorage_service_proto_rawDescData []byte
 )
 
 func file_teleport_externalauditstorage_v1_externalauditstorage_service_proto_rawDescGZIP() []byte {
 	file_teleport_externalauditstorage_v1_externalauditstorage_service_proto_rawDescOnce.Do(func() {
-		file_teleport_externalauditstorage_v1_externalauditstorage_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_externalauditstorage_v1_externalauditstorage_service_proto_rawDescData)
+		file_teleport_externalauditstorage_v1_externalauditstorage_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_externalauditstorage_v1_externalauditstorage_service_proto_rawDesc), len(file_teleport_externalauditstorage_v1_externalauditstorage_service_proto_rawDesc)))
 	})
 	return file_teleport_externalauditstorage_v1_externalauditstorage_service_proto_rawDescData
 }
@@ -1239,7 +1240,7 @@ func file_teleport_externalauditstorage_v1_externalauditstorage_service_proto_in
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_externalauditstorage_v1_externalauditstorage_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_externalauditstorage_v1_externalauditstorage_service_proto_rawDesc), len(file_teleport_externalauditstorage_v1_externalauditstorage_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   20,
 			NumExtensions: 0,
@@ -1250,7 +1251,6 @@ func file_teleport_externalauditstorage_v1_externalauditstorage_service_proto_in
 		MessageInfos:      file_teleport_externalauditstorage_v1_externalauditstorage_service_proto_msgTypes,
 	}.Build()
 	File_teleport_externalauditstorage_v1_externalauditstorage_service_proto = out.File
-	file_teleport_externalauditstorage_v1_externalauditstorage_service_proto_rawDesc = nil
 	file_teleport_externalauditstorage_v1_externalauditstorage_service_proto_goTypes = nil
 	file_teleport_externalauditstorage_v1_externalauditstorage_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/gitserver/v1/git_server_service.pb.go b/api/gen/proto/go/teleport/gitserver/v1/git_server_service.pb.go
index 7341cae10b5e0..c5ef7e8542b6b 100644
--- a/api/gen/proto/go/teleport/gitserver/v1/git_server_service.pb.go
+++ b/api/gen/proto/go/teleport/gitserver/v1/git_server_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/gitserver/v1/git_server_service.proto
 
@@ -27,6 +27,7 @@ import (
 	emptypb "google.golang.org/protobuf/types/known/emptypb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -435,7 +436,7 @@ func (x *CreateGitHubAuthRequestRequest) GetOrganization() string {
 
 var File_teleport_gitserver_v1_git_server_service_proto protoreflect.FileDescriptor
 
-var file_teleport_gitserver_v1_git_server_service_proto_rawDesc = []byte{
+var file_teleport_gitserver_v1_git_server_service_proto_rawDesc = string([]byte{
 	0x0a, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x67, 0x69, 0x74, 0x73, 0x65,
 	0x72, 0x76, 0x65, 0x72, 0x2f, 0x76, 0x31, 0x2f, 0x67, 0x69, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x76,
 	0x65, 0x72, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
@@ -530,16 +531,16 @@ var file_teleport_gitserver_v1_git_server_service_proto_rawDesc = []byte{
 	0x70, 0x6f, 0x72, 0x74, 0x2f, 0x67, 0x69, 0x74, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2f, 0x76,
 	0x31, 0x3b, 0x67, 0x69, 0x74, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x76, 0x31, 0x62, 0x06, 0x70,
 	0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_gitserver_v1_git_server_service_proto_rawDescOnce sync.Once
-	file_teleport_gitserver_v1_git_server_service_proto_rawDescData = file_teleport_gitserver_v1_git_server_service_proto_rawDesc
+	file_teleport_gitserver_v1_git_server_service_proto_rawDescData []byte
 )
 
 func file_teleport_gitserver_v1_git_server_service_proto_rawDescGZIP() []byte {
 	file_teleport_gitserver_v1_git_server_service_proto_rawDescOnce.Do(func() {
-		file_teleport_gitserver_v1_git_server_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_gitserver_v1_git_server_service_proto_rawDescData)
+		file_teleport_gitserver_v1_git_server_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_gitserver_v1_git_server_service_proto_rawDesc), len(file_teleport_gitserver_v1_git_server_service_proto_rawDesc)))
 	})
 	return file_teleport_gitserver_v1_git_server_service_proto_rawDescData
 }
@@ -594,7 +595,7 @@ func file_teleport_gitserver_v1_git_server_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_gitserver_v1_git_server_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_gitserver_v1_git_server_service_proto_rawDesc), len(file_teleport_gitserver_v1_git_server_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   8,
 			NumExtensions: 0,
@@ -605,7 +606,6 @@ func file_teleport_gitserver_v1_git_server_service_proto_init() {
 		MessageInfos:      file_teleport_gitserver_v1_git_server_service_proto_msgTypes,
 	}.Build()
 	File_teleport_gitserver_v1_git_server_service_proto = out.File
-	file_teleport_gitserver_v1_git_server_service_proto_rawDesc = nil
 	file_teleport_gitserver_v1_git_server_service_proto_goTypes = nil
 	file_teleport_gitserver_v1_git_server_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/header/v1/metadata.pb.go b/api/gen/proto/go/teleport/header/v1/metadata.pb.go
index fd8a501069269..dd4a4801fbba1 100644
--- a/api/gen/proto/go/teleport/header/v1/metadata.pb.go
+++ b/api/gen/proto/go/teleport/header/v1/metadata.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/header/v1/metadata.proto
 
@@ -26,6 +26,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -132,7 +133,7 @@ func (x *Metadata) GetRevision() string {
 
 var File_teleport_header_v1_metadata_proto protoreflect.FileDescriptor
 
-var file_teleport_header_v1_metadata_proto_rawDesc = []byte{
+var file_teleport_header_v1_metadata_proto_rawDesc = string([]byte{
 	0x0a, 0x21, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x68, 0x65, 0x61, 0x64, 0x65,
 	0x72, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x70, 0x72,
 	0x6f, 0x74, 0x6f, 0x12, 0x12, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x68, 0x65,
@@ -164,16 +165,16 @@ var file_teleport_header_v1_metadata_proto_rawDesc = []byte{
 	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72,
 	0x74, 0x2f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x2f, 0x76, 0x31, 0x3b, 0x68, 0x65, 0x61, 0x64,
 	0x65, 0x72, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_header_v1_metadata_proto_rawDescOnce sync.Once
-	file_teleport_header_v1_metadata_proto_rawDescData = file_teleport_header_v1_metadata_proto_rawDesc
+	file_teleport_header_v1_metadata_proto_rawDescData []byte
 )
 
 func file_teleport_header_v1_metadata_proto_rawDescGZIP() []byte {
 	file_teleport_header_v1_metadata_proto_rawDescOnce.Do(func() {
-		file_teleport_header_v1_metadata_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_header_v1_metadata_proto_rawDescData)
+		file_teleport_header_v1_metadata_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_header_v1_metadata_proto_rawDesc), len(file_teleport_header_v1_metadata_proto_rawDesc)))
 	})
 	return file_teleport_header_v1_metadata_proto_rawDescData
 }
@@ -203,7 +204,7 @@ func file_teleport_header_v1_metadata_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_header_v1_metadata_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_header_v1_metadata_proto_rawDesc), len(file_teleport_header_v1_metadata_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   2,
 			NumExtensions: 0,
@@ -214,7 +215,6 @@ func file_teleport_header_v1_metadata_proto_init() {
 		MessageInfos:      file_teleport_header_v1_metadata_proto_msgTypes,
 	}.Build()
 	File_teleport_header_v1_metadata_proto = out.File
-	file_teleport_header_v1_metadata_proto_rawDesc = nil
 	file_teleport_header_v1_metadata_proto_goTypes = nil
 	file_teleport_header_v1_metadata_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/header/v1/resourceheader.pb.go b/api/gen/proto/go/teleport/header/v1/resourceheader.pb.go
index ba4acbde93539..eafad4722f704 100644
--- a/api/gen/proto/go/teleport/header/v1/resourceheader.pb.go
+++ b/api/gen/proto/go/teleport/header/v1/resourceheader.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/header/v1/resourceheader.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -112,7 +113,7 @@ func (x *ResourceHeader) GetMetadata() *Metadata {
 
 var File_teleport_header_v1_resourceheader_proto protoreflect.FileDescriptor
 
-var file_teleport_header_v1_resourceheader_proto_rawDesc = []byte{
+var file_teleport_header_v1_resourceheader_proto_rawDesc = string([]byte{
 	0x0a, 0x27, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x68, 0x65, 0x61, 0x64, 0x65,
 	0x72, 0x2f, 0x76, 0x31, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x68, 0x65, 0x61,
 	0x64, 0x65, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x12, 0x74, 0x65, 0x6c, 0x65, 0x70,
@@ -134,16 +135,16 @@ var file_teleport_header_v1_resourceheader_proto_rawDesc = []byte{
 	0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c,
 	0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x2f, 0x76, 0x31, 0x3b,
 	0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_header_v1_resourceheader_proto_rawDescOnce sync.Once
-	file_teleport_header_v1_resourceheader_proto_rawDescData = file_teleport_header_v1_resourceheader_proto_rawDesc
+	file_teleport_header_v1_resourceheader_proto_rawDescData []byte
 )
 
 func file_teleport_header_v1_resourceheader_proto_rawDescGZIP() []byte {
 	file_teleport_header_v1_resourceheader_proto_rawDescOnce.Do(func() {
-		file_teleport_header_v1_resourceheader_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_header_v1_resourceheader_proto_rawDescData)
+		file_teleport_header_v1_resourceheader_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_header_v1_resourceheader_proto_rawDesc), len(file_teleport_header_v1_resourceheader_proto_rawDesc)))
 	})
 	return file_teleport_header_v1_resourceheader_proto_rawDescData
 }
@@ -172,7 +173,7 @@ func file_teleport_header_v1_resourceheader_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_header_v1_resourceheader_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_header_v1_resourceheader_proto_rawDesc), len(file_teleport_header_v1_resourceheader_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   1,
 			NumExtensions: 0,
@@ -183,7 +184,6 @@ func file_teleport_header_v1_resourceheader_proto_init() {
 		MessageInfos:      file_teleport_header_v1_resourceheader_proto_msgTypes,
 	}.Build()
 	File_teleport_header_v1_resourceheader_proto = out.File
-	file_teleport_header_v1_resourceheader_proto_rawDesc = nil
 	file_teleport_header_v1_resourceheader_proto_goTypes = nil
 	file_teleport_header_v1_resourceheader_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/identitycenter/v1/identitycenter.pb.go b/api/gen/proto/go/teleport/identitycenter/v1/identitycenter.pb.go
index 381f102e6739a..1fdd4292fb8e4 100644
--- a/api/gen/proto/go/teleport/identitycenter/v1/identitycenter.pb.go
+++ b/api/gen/proto/go/teleport/identitycenter/v1/identitycenter.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/identitycenter/v1/identitycenter.proto
 
@@ -26,6 +26,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -1062,7 +1063,7 @@ func (x *PrincipalAssignmentStatus) GetError() string {
 
 var File_teleport_identitycenter_v1_identitycenter_proto protoreflect.FileDescriptor
 
-var file_teleport_identitycenter_v1_identitycenter_proto_rawDesc = []byte{
+var file_teleport_identitycenter_v1_identitycenter_proto_rawDesc = string([]byte{
 	0x0a, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x69, 0x64, 0x65, 0x6e, 0x74,
 	0x69, 0x74, 0x79, 0x63, 0x65, 0x6e, 0x74, 0x65, 0x72, 0x2f, 0x76, 0x31, 0x2f, 0x69, 0x64, 0x65,
 	0x6e, 0x74, 0x69, 0x74, 0x79, 0x63, 0x65, 0x6e, 0x74, 0x65, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74,
@@ -1244,16 +1245,16 @@ var file_teleport_identitycenter_v1_identitycenter_proto_rawDesc = []byte{
 	0x79, 0x63, 0x65, 0x6e, 0x74, 0x65, 0x72, 0x2f, 0x76, 0x31, 0x3b, 0x69, 0x64, 0x65, 0x6e, 0x74,
 	0x69, 0x74, 0x79, 0x63, 0x65, 0x6e, 0x74, 0x65, 0x72, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f,
 	0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_identitycenter_v1_identitycenter_proto_rawDescOnce sync.Once
-	file_teleport_identitycenter_v1_identitycenter_proto_rawDescData = file_teleport_identitycenter_v1_identitycenter_proto_rawDesc
+	file_teleport_identitycenter_v1_identitycenter_proto_rawDescData []byte
 )
 
 func file_teleport_identitycenter_v1_identitycenter_proto_rawDescGZIP() []byte {
 	file_teleport_identitycenter_v1_identitycenter_proto_rawDescOnce.Do(func() {
-		file_teleport_identitycenter_v1_identitycenter_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_identitycenter_v1_identitycenter_proto_rawDescData)
+		file_teleport_identitycenter_v1_identitycenter_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_identitycenter_v1_identitycenter_proto_rawDesc), len(file_teleport_identitycenter_v1_identitycenter_proto_rawDesc)))
 	})
 	return file_teleport_identitycenter_v1_identitycenter_proto_rawDescData
 }
@@ -1309,7 +1310,7 @@ func file_teleport_identitycenter_v1_identitycenter_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_identitycenter_v1_identitycenter_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_identitycenter_v1_identitycenter_proto_rawDesc), len(file_teleport_identitycenter_v1_identitycenter_proto_rawDesc)),
 			NumEnums:      2,
 			NumMessages:   12,
 			NumExtensions: 0,
@@ -1321,7 +1322,6 @@ func file_teleport_identitycenter_v1_identitycenter_proto_init() {
 		MessageInfos:      file_teleport_identitycenter_v1_identitycenter_proto_msgTypes,
 	}.Build()
 	File_teleport_identitycenter_v1_identitycenter_proto = out.File
-	file_teleport_identitycenter_v1_identitycenter_proto_rawDesc = nil
 	file_teleport_identitycenter_v1_identitycenter_proto_goTypes = nil
 	file_teleport_identitycenter_v1_identitycenter_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/identitycenter/v1/identitycenter_service.pb.go b/api/gen/proto/go/teleport/identitycenter/v1/identitycenter_service.pb.go
index 4e4cd261e09b5..68a45ccb72b9c 100644
--- a/api/gen/proto/go/teleport/identitycenter/v1/identitycenter_service.pb.go
+++ b/api/gen/proto/go/teleport/identitycenter/v1/identitycenter_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/identitycenter/v1/identitycenter_service.proto
 
@@ -26,6 +26,7 @@ import (
 	emptypb "google.golang.org/protobuf/types/known/emptypb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -185,7 +186,7 @@ func (*DeleteAllPermissionSetsRequest) Descriptor() ([]byte, []int) {
 
 var File_teleport_identitycenter_v1_identitycenter_service_proto protoreflect.FileDescriptor
 
-var file_teleport_identitycenter_v1_identitycenter_service_proto_rawDesc = []byte{
+var file_teleport_identitycenter_v1_identitycenter_service_proto_rawDesc = string([]byte{
 	0x0a, 0x37, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x69, 0x64, 0x65, 0x6e, 0x74,
 	0x69, 0x74, 0x79, 0x63, 0x65, 0x6e, 0x74, 0x65, 0x72, 0x2f, 0x76, 0x31, 0x2f, 0x69, 0x64, 0x65,
 	0x6e, 0x74, 0x69, 0x74, 0x79, 0x63, 0x65, 0x6e, 0x74, 0x65, 0x72, 0x5f, 0x73, 0x65, 0x72, 0x76,
@@ -241,16 +242,16 @@ var file_teleport_identitycenter_v1_identitycenter_service_proto_rawDesc = []byt
 	0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x63, 0x65,
 	0x6e, 0x74, 0x65, 0x72, 0x2f, 0x76, 0x31, 0x3b, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79,
 	0x63, 0x65, 0x6e, 0x74, 0x65, 0x72, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_identitycenter_v1_identitycenter_service_proto_rawDescOnce sync.Once
-	file_teleport_identitycenter_v1_identitycenter_service_proto_rawDescData = file_teleport_identitycenter_v1_identitycenter_service_proto_rawDesc
+	file_teleport_identitycenter_v1_identitycenter_service_proto_rawDescData []byte
 )
 
 func file_teleport_identitycenter_v1_identitycenter_service_proto_rawDescGZIP() []byte {
 	file_teleport_identitycenter_v1_identitycenter_service_proto_rawDescOnce.Do(func() {
-		file_teleport_identitycenter_v1_identitycenter_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_identitycenter_v1_identitycenter_service_proto_rawDescData)
+		file_teleport_identitycenter_v1_identitycenter_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_identitycenter_v1_identitycenter_service_proto_rawDesc), len(file_teleport_identitycenter_v1_identitycenter_service_proto_rawDesc)))
 	})
 	return file_teleport_identitycenter_v1_identitycenter_service_proto_rawDescData
 }
@@ -288,7 +289,7 @@ func file_teleport_identitycenter_v1_identitycenter_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_identitycenter_v1_identitycenter_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_identitycenter_v1_identitycenter_service_proto_rawDesc), len(file_teleport_identitycenter_v1_identitycenter_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   4,
 			NumExtensions: 0,
@@ -299,7 +300,6 @@ func file_teleport_identitycenter_v1_identitycenter_service_proto_init() {
 		MessageInfos:      file_teleport_identitycenter_v1_identitycenter_service_proto_msgTypes,
 	}.Build()
 	File_teleport_identitycenter_v1_identitycenter_service_proto = out.File
-	file_teleport_identitycenter_v1_identitycenter_service_proto_rawDesc = nil
 	file_teleport_identitycenter_v1_identitycenter_service_proto_goTypes = nil
 	file_teleport_identitycenter_v1_identitycenter_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/integration/v1/awsoidc_service.pb.go b/api/gen/proto/go/teleport/integration/v1/awsoidc_service.pb.go
index 8630cd64a4076..4a5665ae494b1 100644
--- a/api/gen/proto/go/teleport/integration/v1/awsoidc_service.pb.go
+++ b/api/gen/proto/go/teleport/integration/v1/awsoidc_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/integration/v1/awsoidc_service.proto
 
@@ -26,6 +26,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -2757,7 +2758,7 @@ func (x *PingResponse) GetUserId() string {
 
 var File_teleport_integration_v1_awsoidc_service_proto protoreflect.FileDescriptor
 
-var file_teleport_integration_v1_awsoidc_service_proto_rawDesc = []byte{
+var file_teleport_integration_v1_awsoidc_service_proto_rawDesc = string([]byte{
 	0x0a, 0x2d, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x67,
 	0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x77, 0x73, 0x6f, 0x69, 0x64,
 	0x63, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12,
@@ -3255,16 +3256,16 @@ var file_teleport_integration_v1_awsoidc_service_proto_rawDesc = []byte{
 	0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x3b, 0x69, 0x6e, 0x74,
 	0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
 	0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_integration_v1_awsoidc_service_proto_rawDescOnce sync.Once
-	file_teleport_integration_v1_awsoidc_service_proto_rawDescData = file_teleport_integration_v1_awsoidc_service_proto_rawDesc
+	file_teleport_integration_v1_awsoidc_service_proto_rawDescData []byte
 )
 
 func file_teleport_integration_v1_awsoidc_service_proto_rawDescGZIP() []byte {
 	file_teleport_integration_v1_awsoidc_service_proto_rawDescOnce.Do(func() {
-		file_teleport_integration_v1_awsoidc_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_integration_v1_awsoidc_service_proto_rawDescData)
+		file_teleport_integration_v1_awsoidc_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_integration_v1_awsoidc_service_proto_rawDesc), len(file_teleport_integration_v1_awsoidc_service_proto_rawDesc)))
 	})
 	return file_teleport_integration_v1_awsoidc_service_proto_rawDescData
 }
@@ -3377,7 +3378,7 @@ func file_teleport_integration_v1_awsoidc_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_integration_v1_awsoidc_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_integration_v1_awsoidc_service_proto_rawDesc), len(file_teleport_integration_v1_awsoidc_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   41,
 			NumExtensions: 0,
@@ -3388,7 +3389,6 @@ func file_teleport_integration_v1_awsoidc_service_proto_init() {
 		MessageInfos:      file_teleport_integration_v1_awsoidc_service_proto_msgTypes,
 	}.Build()
 	File_teleport_integration_v1_awsoidc_service_proto = out.File
-	file_teleport_integration_v1_awsoidc_service_proto_rawDesc = nil
 	file_teleport_integration_v1_awsoidc_service_proto_goTypes = nil
 	file_teleport_integration_v1_awsoidc_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/integration/v1/integration_service.pb.go b/api/gen/proto/go/teleport/integration/v1/integration_service.pb.go
index ed4f0a44b7937..6968ecec33231 100644
--- a/api/gen/proto/go/teleport/integration/v1/integration_service.pb.go
+++ b/api/gen/proto/go/teleport/integration/v1/integration_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/integration/v1/integration_service.proto
 
@@ -28,6 +28,7 @@ import (
 	emptypb "google.golang.org/protobuf/types/known/emptypb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -487,6 +488,100 @@ func (x *GenerateAWSOIDCTokenResponse) GetToken() string {
 	return ""
 }
 
+// GenerateAzureOIDCTokenRequest are the parameters used to request an Azure OIDC
+// Integration token.
+type GenerateAzureOIDCTokenRequest struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// Integration is the Azure OIDC Integration name.
+	// Required.
+	Integration   string `protobuf:"bytes,1,opt,name=integration,proto3" json:"integration,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *GenerateAzureOIDCTokenRequest) Reset() {
+	*x = GenerateAzureOIDCTokenRequest{}
+	mi := &file_teleport_integration_v1_integration_service_proto_msgTypes[9]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *GenerateAzureOIDCTokenRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GenerateAzureOIDCTokenRequest) ProtoMessage() {}
+
+func (x *GenerateAzureOIDCTokenRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_integration_v1_integration_service_proto_msgTypes[9]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GenerateAzureOIDCTokenRequest.ProtoReflect.Descriptor instead.
+func (*GenerateAzureOIDCTokenRequest) Descriptor() ([]byte, []int) {
+	return file_teleport_integration_v1_integration_service_proto_rawDescGZIP(), []int{9}
+}
+
+func (x *GenerateAzureOIDCTokenRequest) GetIntegration() string {
+	if x != nil {
+		return x.Integration
+	}
+	return ""
+}
+
+// GenerateAzureOIDCTokenResponse contains a signed Azure OIDC Integration token.
+type GenerateAzureOIDCTokenResponse struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// Token is the signed JWT ready to be used
+	Token         string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *GenerateAzureOIDCTokenResponse) Reset() {
+	*x = GenerateAzureOIDCTokenResponse{}
+	mi := &file_teleport_integration_v1_integration_service_proto_msgTypes[10]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *GenerateAzureOIDCTokenResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GenerateAzureOIDCTokenResponse) ProtoMessage() {}
+
+func (x *GenerateAzureOIDCTokenResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_integration_v1_integration_service_proto_msgTypes[10]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GenerateAzureOIDCTokenResponse.ProtoReflect.Descriptor instead.
+func (*GenerateAzureOIDCTokenResponse) Descriptor() ([]byte, []int) {
+	return file_teleport_integration_v1_integration_service_proto_rawDescGZIP(), []int{10}
+}
+
+func (x *GenerateAzureOIDCTokenResponse) GetToken() string {
+	if x != nil {
+		return x.Token
+	}
+	return ""
+}
+
 // GenerateGitHubUserCertRequest is a request to sign a client certificate used by
 // GitHub integration to authenticate with GitHub enterprise.
 type GenerateGitHubUserCertRequest struct {
@@ -507,7 +602,7 @@ type GenerateGitHubUserCertRequest struct {
 
 func (x *GenerateGitHubUserCertRequest) Reset() {
 	*x = GenerateGitHubUserCertRequest{}
-	mi := &file_teleport_integration_v1_integration_service_proto_msgTypes[9]
+	mi := &file_teleport_integration_v1_integration_service_proto_msgTypes[11]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -519,7 +614,7 @@ func (x *GenerateGitHubUserCertRequest) String() string {
 func (*GenerateGitHubUserCertRequest) ProtoMessage() {}
 
 func (x *GenerateGitHubUserCertRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_teleport_integration_v1_integration_service_proto_msgTypes[9]
+	mi := &file_teleport_integration_v1_integration_service_proto_msgTypes[11]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -532,7 +627,7 @@ func (x *GenerateGitHubUserCertRequest) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use GenerateGitHubUserCertRequest.ProtoReflect.Descriptor instead.
 func (*GenerateGitHubUserCertRequest) Descriptor() ([]byte, []int) {
-	return file_teleport_integration_v1_integration_service_proto_rawDescGZIP(), []int{9}
+	return file_teleport_integration_v1_integration_service_proto_rawDescGZIP(), []int{11}
 }
 
 func (x *GenerateGitHubUserCertRequest) GetIntegration() string {
@@ -581,7 +676,7 @@ type GenerateGitHubUserCertResponse struct {
 
 func (x *GenerateGitHubUserCertResponse) Reset() {
 	*x = GenerateGitHubUserCertResponse{}
-	mi := &file_teleport_integration_v1_integration_service_proto_msgTypes[10]
+	mi := &file_teleport_integration_v1_integration_service_proto_msgTypes[12]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -593,7 +688,7 @@ func (x *GenerateGitHubUserCertResponse) String() string {
 func (*GenerateGitHubUserCertResponse) ProtoMessage() {}
 
 func (x *GenerateGitHubUserCertResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_teleport_integration_v1_integration_service_proto_msgTypes[10]
+	mi := &file_teleport_integration_v1_integration_service_proto_msgTypes[12]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -606,7 +701,7 @@ func (x *GenerateGitHubUserCertResponse) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use GenerateGitHubUserCertResponse.ProtoReflect.Descriptor instead.
 func (*GenerateGitHubUserCertResponse) Descriptor() ([]byte, []int) {
-	return file_teleport_integration_v1_integration_service_proto_rawDescGZIP(), []int{10}
+	return file_teleport_integration_v1_integration_service_proto_rawDescGZIP(), []int{12}
 }
 
 func (x *GenerateGitHubUserCertResponse) GetAuthorizedKey() []byte {
@@ -628,7 +723,7 @@ type ExportIntegrationCertAuthoritiesRequest struct {
 
 func (x *ExportIntegrationCertAuthoritiesRequest) Reset() {
 	*x = ExportIntegrationCertAuthoritiesRequest{}
-	mi := &file_teleport_integration_v1_integration_service_proto_msgTypes[11]
+	mi := &file_teleport_integration_v1_integration_service_proto_msgTypes[13]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -640,7 +735,7 @@ func (x *ExportIntegrationCertAuthoritiesRequest) String() string {
 func (*ExportIntegrationCertAuthoritiesRequest) ProtoMessage() {}
 
 func (x *ExportIntegrationCertAuthoritiesRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_teleport_integration_v1_integration_service_proto_msgTypes[11]
+	mi := &file_teleport_integration_v1_integration_service_proto_msgTypes[13]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -653,7 +748,7 @@ func (x *ExportIntegrationCertAuthoritiesRequest) ProtoReflect() protoreflect.Me
 
 // Deprecated: Use ExportIntegrationCertAuthoritiesRequest.ProtoReflect.Descriptor instead.
 func (*ExportIntegrationCertAuthoritiesRequest) Descriptor() ([]byte, []int) {
-	return file_teleport_integration_v1_integration_service_proto_rawDescGZIP(), []int{11}
+	return file_teleport_integration_v1_integration_service_proto_rawDescGZIP(), []int{13}
 }
 
 func (x *ExportIntegrationCertAuthoritiesRequest) GetIntegration() string {
@@ -675,7 +770,7 @@ type ExportIntegrationCertAuthoritiesResponse struct {
 
 func (x *ExportIntegrationCertAuthoritiesResponse) Reset() {
 	*x = ExportIntegrationCertAuthoritiesResponse{}
-	mi := &file_teleport_integration_v1_integration_service_proto_msgTypes[12]
+	mi := &file_teleport_integration_v1_integration_service_proto_msgTypes[14]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -687,7 +782,7 @@ func (x *ExportIntegrationCertAuthoritiesResponse) String() string {
 func (*ExportIntegrationCertAuthoritiesResponse) ProtoMessage() {}
 
 func (x *ExportIntegrationCertAuthoritiesResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_teleport_integration_v1_integration_service_proto_msgTypes[12]
+	mi := &file_teleport_integration_v1_integration_service_proto_msgTypes[14]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -700,7 +795,7 @@ func (x *ExportIntegrationCertAuthoritiesResponse) ProtoReflect() protoreflect.M
 
 // Deprecated: Use ExportIntegrationCertAuthoritiesResponse.ProtoReflect.Descriptor instead.
 func (*ExportIntegrationCertAuthoritiesResponse) Descriptor() ([]byte, []int) {
-	return file_teleport_integration_v1_integration_service_proto_rawDescGZIP(), []int{12}
+	return file_teleport_integration_v1_integration_service_proto_rawDescGZIP(), []int{14}
 }
 
 func (x *ExportIntegrationCertAuthoritiesResponse) GetCertAuthorities() *types.CAKeySet {
@@ -712,7 +807,7 @@ func (x *ExportIntegrationCertAuthoritiesResponse) GetCertAuthorities() *types.C
 
 var File_teleport_integration_v1_integration_service_proto protoreflect.FileDescriptor
 
-var file_teleport_integration_v1_integration_service_proto_rawDesc = []byte{
+var file_teleport_integration_v1_integration_service_proto_rawDesc = string([]byte{
 	0x0a, 0x31, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x67,
 	0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72,
 	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72,
@@ -765,122 +860,139 @@ var file_teleport_integration_v1_integration_service_proto_rawDesc = []byte{
 	0x1c, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x41, 0x57, 0x53, 0x4f, 0x49, 0x44, 0x43,
 	0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x14, 0x0a,
 	0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x74, 0x6f,
-	0x6b, 0x65, 0x6e, 0x22, 0xbd, 0x01, 0x0a, 0x1d, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65,
-	0x47, 0x69, 0x74, 0x48, 0x75, 0x62, 0x55, 0x73, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, 0x52, 0x65,
-	0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x20, 0x0a, 0x0b, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61,
-	0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x69, 0x6e, 0x74, 0x65,
-	0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1d, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69,
-	0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x70, 0x75, 0x62,
-	0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x17, 0x0a, 0x07, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x69,
-	0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x75, 0x73, 0x65, 0x72, 0x49, 0x64, 0x12,
-	0x15, 0x0a, 0x06, 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x05, 0x6b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x2b, 0x0a, 0x03, 0x74, 0x74, 0x6c, 0x18, 0x05, 0x20,
-	0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f,
-	0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x03,
-	0x74, 0x74, 0x6c, 0x22, 0x47, 0x0a, 0x1e, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x47,
-	0x69, 0x74, 0x48, 0x75, 0x62, 0x55, 0x73, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, 0x52, 0x65, 0x73,
-	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x25, 0x0a, 0x0e, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69,
-	0x7a, 0x65, 0x64, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0d, 0x61,
-	0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x22, 0x4b, 0x0a, 0x27,
-	0x45, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f,
-	0x6e, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73,
-	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x20, 0x0a, 0x0b, 0x69, 0x6e, 0x74, 0x65, 0x67,
-	0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x69, 0x6e,
-	0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x66, 0x0a, 0x28, 0x45, 0x78, 0x70,
-	0x6f, 0x72, 0x74, 0x49, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x43, 0x65,
-	0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x52, 0x65, 0x73,
-	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3a, 0x0a, 0x10, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x61, 0x75,
-	0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32,
-	0x0f, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x43, 0x41, 0x4b, 0x65, 0x79, 0x53, 0x65, 0x74,
-	0x52, 0x0f, 0x63, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65,
-	0x73, 0x32, 0xa5, 0x08, 0x0a, 0x12, 0x49, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f,
-	0x6e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x77, 0x0a, 0x10, 0x4c, 0x69, 0x73, 0x74,
-	0x49, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x30, 0x2e, 0x74,
-	0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74,
-	0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x49, 0x6e, 0x74, 0x65, 0x67,
-	0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x31,
+	0x6b, 0x65, 0x6e, 0x22, 0x41, 0x0a, 0x1d, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x41,
+	0x7a, 0x75, 0x72, 0x65, 0x4f, 0x49, 0x44, 0x43, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x12, 0x20, 0x0a, 0x0b, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74,
+	0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x69, 0x6e, 0x74, 0x65, 0x67,
+	0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x36, 0x0a, 0x1e, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61,
+	0x74, 0x65, 0x41, 0x7a, 0x75, 0x72, 0x65, 0x4f, 0x49, 0x44, 0x43, 0x54, 0x6f, 0x6b, 0x65, 0x6e,
+	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x74, 0x6f, 0x6b, 0x65,
+	0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x22, 0xbd,
+	0x01, 0x0a, 0x1d, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x47, 0x69, 0x74, 0x48, 0x75,
+	0x62, 0x55, 0x73, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
+	0x12, 0x20, 0x0a, 0x0b, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69,
+	0x6f, 0x6e, 0x12, 0x1d, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79,
+	0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65,
+	0x79, 0x12, 0x17, 0x0a, 0x07, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x06, 0x75, 0x73, 0x65, 0x72, 0x49, 0x64, 0x12, 0x15, 0x0a, 0x06, 0x6b, 0x65,
+	0x79, 0x5f, 0x69, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6b, 0x65, 0x79, 0x49,
+	0x64, 0x12, 0x2b, 0x0a, 0x03, 0x74, 0x74, 0x6c, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19,
+	0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
+	0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x03, 0x74, 0x74, 0x6c, 0x22, 0x47,
+	0x0a, 0x1e, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x47, 0x69, 0x74, 0x48, 0x75, 0x62,
+	0x55, 0x73, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
+	0x12, 0x25, 0x0a, 0x0e, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x5f, 0x6b,
+	0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0d, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72,
+	0x69, 0x7a, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x22, 0x4b, 0x0a, 0x27, 0x45, 0x78, 0x70, 0x6f, 0x72,
+	0x74, 0x49, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x43, 0x65, 0x72, 0x74,
+	0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65,
+	0x73, 0x74, 0x12, 0x20, 0x0a, 0x0b, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f,
+	0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61,
+	0x74, 0x69, 0x6f, 0x6e, 0x22, 0x66, 0x0a, 0x28, 0x45, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x49, 0x6e,
+	0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74,
+	0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
+	0x12, 0x3a, 0x0a, 0x10, 0x63, 0x65, 0x72, 0x74, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69,
+	0x74, 0x69, 0x65, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0f, 0x2e, 0x74, 0x79, 0x70,
+	0x65, 0x73, 0x2e, 0x43, 0x41, 0x4b, 0x65, 0x79, 0x53, 0x65, 0x74, 0x52, 0x0f, 0x63, 0x65, 0x72,
+	0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x32, 0xb1, 0x09, 0x0a,
+	0x12, 0x49, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x72, 0x76,
+	0x69, 0x63, 0x65, 0x12, 0x77, 0x0a, 0x10, 0x4c, 0x69, 0x73, 0x74, 0x49, 0x6e, 0x74, 0x65, 0x67,
+	0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x30, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f,
+	0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76,
+	0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x49, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f,
+	0x6e, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x31, 0x2e, 0x74, 0x65, 0x6c, 0x65,
+	0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e,
+	0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x49, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74,
+	0x69, 0x6f, 0x6e, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x56, 0x0a, 0x0e,
+	0x47, 0x65, 0x74, 0x49, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x2e,
 	0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72,
-	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x49, 0x6e, 0x74,
-	0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
-	0x65, 0x12, 0x56, 0x0a, 0x0e, 0x47, 0x65, 0x74, 0x49, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74,
-	0x69, 0x6f, 0x6e, 0x12, 0x2e, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69,
-	0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65,
-	0x74, 0x49, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75,
-	0x65, 0x73, 0x74, 0x1a, 0x14, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x49, 0x6e, 0x74, 0x65,
-	0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x31, 0x12, 0x5c, 0x0a, 0x11, 0x43, 0x72, 0x65,
-	0x61, 0x74, 0x65, 0x49, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x31,
-	0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72,
-	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x49,
-	0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
-	0x74, 0x1a, 0x14, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x49, 0x6e, 0x74, 0x65, 0x67, 0x72,
-	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x31, 0x12, 0x5c, 0x0a, 0x11, 0x55, 0x70, 0x64, 0x61, 0x74,
-	0x65, 0x49, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x31, 0x2e, 0x74,
-	0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74,
-	0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x49, 0x6e, 0x74,
-	0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a,
-	0x14, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x49, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74,
-	0x69, 0x6f, 0x6e, 0x56, 0x31, 0x12, 0x5e, 0x0a, 0x11, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x49,
-	0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x31, 0x2e, 0x74, 0x65, 0x6c,
-	0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f,
-	0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x49, 0x6e, 0x74, 0x65, 0x67,
-	0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e,
-	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,
-	0x45, 0x6d, 0x70, 0x74, 0x79, 0x12, 0x66, 0x0a, 0x15, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x41,
-	0x6c, 0x6c, 0x49, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x35,
-	0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72,
-	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x41,
-	0x6c, 0x6c, 0x49, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x65,
-	0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x12, 0x83, 0x01,
-	0x0a, 0x14, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x41, 0x57, 0x53, 0x4f, 0x49, 0x44,
-	0x43, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x34, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72,
-	0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31,
-	0x2e, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x41, 0x57, 0x53, 0x4f, 0x49, 0x44, 0x43,
-	0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x35, 0x2e, 0x74,
-	0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74,
-	0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x41,
-	0x57, 0x53, 0x4f, 0x49, 0x44, 0x43, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f,
-	0x6e, 0x73, 0x65, 0x12, 0x89, 0x01, 0x0a, 0x16, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65,
-	0x47, 0x69, 0x74, 0x48, 0x75, 0x62, 0x55, 0x73, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, 0x12, 0x36,
-	0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72,
-	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74,
-	0x65, 0x47, 0x69, 0x74, 0x48, 0x75, 0x62, 0x55, 0x73, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, 0x52,
-	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x37, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72,
-	0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31,
-	0x2e, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x47, 0x69, 0x74, 0x48, 0x75, 0x62, 0x55,
-	0x73, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12,
-	0xa7, 0x01, 0x0a, 0x20, 0x45, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x74, 0x65, 0x67, 0x72,
-	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69,
-	0x74, 0x69, 0x65, 0x73, 0x12, 0x40, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e,
-	0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x45,
-	0x78, 0x70, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e,
-	0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x52,
-	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x41, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72,
-	0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31,
-	0x2e, 0x45, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69,
-	0x6f, 0x6e, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65,
-	0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, 0x74,
-	0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74,
-	0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61,
-	0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f,
-	0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61,
-	0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x3b, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74,
-	0x69, 0x6f, 0x6e, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x49, 0x6e, 0x74, 0x65,
+	0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x14,
+	0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x49, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69,
+	0x6f, 0x6e, 0x56, 0x31, 0x12, 0x5c, 0x0a, 0x11, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x49, 0x6e,
+	0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x31, 0x2e, 0x74, 0x65, 0x6c, 0x65,
+	0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e,
+	0x2e, 0x76, 0x31, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x49, 0x6e, 0x74, 0x65, 0x67, 0x72,
+	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x14, 0x2e, 0x74,
+	0x79, 0x70, 0x65, 0x73, 0x2e, 0x49, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e,
+	0x56, 0x31, 0x12, 0x5c, 0x0a, 0x11, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x49, 0x6e, 0x74, 0x65,
+	0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x31, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f,
+	0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76,
+	0x31, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x49, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74,
+	0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x14, 0x2e, 0x74, 0x79, 0x70,
+	0x65, 0x73, 0x2e, 0x49, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x56, 0x31,
+	0x12, 0x5e, 0x0a, 0x11, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x49, 0x6e, 0x74, 0x65, 0x67, 0x72,
+	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x31, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74,
+	0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e,
+	0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x49, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f,
+	0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
+	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79,
+	0x12, 0x66, 0x0a, 0x15, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x41, 0x6c, 0x6c, 0x49, 0x6e, 0x74,
+	0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x35, 0x2e, 0x74, 0x65, 0x6c, 0x65,
+	0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e,
+	0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x41, 0x6c, 0x6c, 0x49, 0x6e, 0x74,
+	0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
+	0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,
+	0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x12, 0x83, 0x01, 0x0a, 0x14, 0x47, 0x65, 0x6e,
+	0x65, 0x72, 0x61, 0x74, 0x65, 0x41, 0x57, 0x53, 0x4f, 0x49, 0x44, 0x43, 0x54, 0x6f, 0x6b, 0x65,
+	0x6e, 0x12, 0x34, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74,
+	0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x6e, 0x65,
+	0x72, 0x61, 0x74, 0x65, 0x41, 0x57, 0x53, 0x4f, 0x49, 0x44, 0x43, 0x54, 0x6f, 0x6b, 0x65, 0x6e,
+	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x35, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f,
+	0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76,
+	0x31, 0x2e, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x41, 0x57, 0x53, 0x4f, 0x49, 0x44,
+	0x43, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x89,
+	0x01, 0x0a, 0x16, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x41, 0x7a, 0x75, 0x72, 0x65,
+	0x4f, 0x49, 0x44, 0x43, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x12, 0x36, 0x2e, 0x74, 0x65, 0x6c, 0x65,
+	0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e,
+	0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x41, 0x7a, 0x75, 0x72,
+	0x65, 0x4f, 0x49, 0x44, 0x43, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+	0x74, 0x1a, 0x37, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74,
+	0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x6e, 0x65,
+	0x72, 0x61, 0x74, 0x65, 0x41, 0x7a, 0x75, 0x72, 0x65, 0x4f, 0x49, 0x44, 0x43, 0x54, 0x6f, 0x6b,
+	0x65, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x89, 0x01, 0x0a, 0x16, 0x47,
+	0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x47, 0x69, 0x74, 0x48, 0x75, 0x62, 0x55, 0x73, 0x65,
+	0x72, 0x43, 0x65, 0x72, 0x74, 0x12, 0x36, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74,
+	0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e,
+	0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x47, 0x69, 0x74, 0x48, 0x75, 0x62, 0x55, 0x73,
+	0x65, 0x72, 0x43, 0x65, 0x72, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x37, 0x2e,
+	0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61,
+	0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65,
+	0x47, 0x69, 0x74, 0x48, 0x75, 0x62, 0x55, 0x73, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, 0x52, 0x65,
+	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0xa7, 0x01, 0x0a, 0x20, 0x45, 0x78, 0x70, 0x6f, 0x72,
+	0x74, 0x49, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x43, 0x65, 0x72, 0x74,
+	0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x12, 0x40, 0x2e, 0x74, 0x65,
+	0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69,
+	0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x49, 0x6e, 0x74, 0x65,
+	0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f,
+	0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x41, 0x2e,
+	0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61,
+	0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x49, 0x6e,
+	0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x43, 0x65, 0x72, 0x74, 0x41, 0x75, 0x74,
+	0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
+	0x42, 0x5a, 0x5a, 0x58, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67,
+	0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c,
+	0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72,
+	0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f,
+	0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x3b, 0x69,
+	0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72,
+	0x6f, 0x74, 0x6f, 0x33,
+})
 
 var (
 	file_teleport_integration_v1_integration_service_proto_rawDescOnce sync.Once
-	file_teleport_integration_v1_integration_service_proto_rawDescData = file_teleport_integration_v1_integration_service_proto_rawDesc
+	file_teleport_integration_v1_integration_service_proto_rawDescData []byte
 )
 
 func file_teleport_integration_v1_integration_service_proto_rawDescGZIP() []byte {
 	file_teleport_integration_v1_integration_service_proto_rawDescOnce.Do(func() {
-		file_teleport_integration_v1_integration_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_integration_v1_integration_service_proto_rawDescData)
+		file_teleport_integration_v1_integration_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_integration_v1_integration_service_proto_rawDesc), len(file_teleport_integration_v1_integration_service_proto_rawDesc)))
 	})
 	return file_teleport_integration_v1_integration_service_proto_rawDescData
 }
 
-var file_teleport_integration_v1_integration_service_proto_msgTypes = make([]protoimpl.MessageInfo, 13)
+var file_teleport_integration_v1_integration_service_proto_msgTypes = make([]protoimpl.MessageInfo, 15)
 var file_teleport_integration_v1_integration_service_proto_goTypes = []any{
 	(*ListIntegrationsRequest)(nil),                  // 0: teleport.integration.v1.ListIntegrationsRequest
 	(*ListIntegrationsResponse)(nil),                 // 1: teleport.integration.v1.ListIntegrationsResponse
@@ -891,21 +1003,23 @@ var file_teleport_integration_v1_integration_service_proto_goTypes = []any{
 	(*DeleteAllIntegrationsRequest)(nil),             // 6: teleport.integration.v1.DeleteAllIntegrationsRequest
 	(*GenerateAWSOIDCTokenRequest)(nil),              // 7: teleport.integration.v1.GenerateAWSOIDCTokenRequest
 	(*GenerateAWSOIDCTokenResponse)(nil),             // 8: teleport.integration.v1.GenerateAWSOIDCTokenResponse
-	(*GenerateGitHubUserCertRequest)(nil),            // 9: teleport.integration.v1.GenerateGitHubUserCertRequest
-	(*GenerateGitHubUserCertResponse)(nil),           // 10: teleport.integration.v1.GenerateGitHubUserCertResponse
-	(*ExportIntegrationCertAuthoritiesRequest)(nil),  // 11: teleport.integration.v1.ExportIntegrationCertAuthoritiesRequest
-	(*ExportIntegrationCertAuthoritiesResponse)(nil), // 12: teleport.integration.v1.ExportIntegrationCertAuthoritiesResponse
-	(*types.IntegrationV1)(nil),                      // 13: types.IntegrationV1
-	(*durationpb.Duration)(nil),                      // 14: google.protobuf.Duration
-	(*types.CAKeySet)(nil),                           // 15: types.CAKeySet
-	(*emptypb.Empty)(nil),                            // 16: google.protobuf.Empty
+	(*GenerateAzureOIDCTokenRequest)(nil),            // 9: teleport.integration.v1.GenerateAzureOIDCTokenRequest
+	(*GenerateAzureOIDCTokenResponse)(nil),           // 10: teleport.integration.v1.GenerateAzureOIDCTokenResponse
+	(*GenerateGitHubUserCertRequest)(nil),            // 11: teleport.integration.v1.GenerateGitHubUserCertRequest
+	(*GenerateGitHubUserCertResponse)(nil),           // 12: teleport.integration.v1.GenerateGitHubUserCertResponse
+	(*ExportIntegrationCertAuthoritiesRequest)(nil),  // 13: teleport.integration.v1.ExportIntegrationCertAuthoritiesRequest
+	(*ExportIntegrationCertAuthoritiesResponse)(nil), // 14: teleport.integration.v1.ExportIntegrationCertAuthoritiesResponse
+	(*types.IntegrationV1)(nil),                      // 15: types.IntegrationV1
+	(*durationpb.Duration)(nil),                      // 16: google.protobuf.Duration
+	(*types.CAKeySet)(nil),                           // 17: types.CAKeySet
+	(*emptypb.Empty)(nil),                            // 18: google.protobuf.Empty
 }
 var file_teleport_integration_v1_integration_service_proto_depIdxs = []int32{
-	13, // 0: teleport.integration.v1.ListIntegrationsResponse.integrations:type_name -> types.IntegrationV1
-	13, // 1: teleport.integration.v1.CreateIntegrationRequest.integration:type_name -> types.IntegrationV1
-	13, // 2: teleport.integration.v1.UpdateIntegrationRequest.integration:type_name -> types.IntegrationV1
-	14, // 3: teleport.integration.v1.GenerateGitHubUserCertRequest.ttl:type_name -> google.protobuf.Duration
-	15, // 4: teleport.integration.v1.ExportIntegrationCertAuthoritiesResponse.cert_authorities:type_name -> types.CAKeySet
+	15, // 0: teleport.integration.v1.ListIntegrationsResponse.integrations:type_name -> types.IntegrationV1
+	15, // 1: teleport.integration.v1.CreateIntegrationRequest.integration:type_name -> types.IntegrationV1
+	15, // 2: teleport.integration.v1.UpdateIntegrationRequest.integration:type_name -> types.IntegrationV1
+	16, // 3: teleport.integration.v1.GenerateGitHubUserCertRequest.ttl:type_name -> google.protobuf.Duration
+	17, // 4: teleport.integration.v1.ExportIntegrationCertAuthoritiesResponse.cert_authorities:type_name -> types.CAKeySet
 	0,  // 5: teleport.integration.v1.IntegrationService.ListIntegrations:input_type -> teleport.integration.v1.ListIntegrationsRequest
 	2,  // 6: teleport.integration.v1.IntegrationService.GetIntegration:input_type -> teleport.integration.v1.GetIntegrationRequest
 	3,  // 7: teleport.integration.v1.IntegrationService.CreateIntegration:input_type -> teleport.integration.v1.CreateIntegrationRequest
@@ -913,19 +1027,21 @@ var file_teleport_integration_v1_integration_service_proto_depIdxs = []int32{
 	5,  // 9: teleport.integration.v1.IntegrationService.DeleteIntegration:input_type -> teleport.integration.v1.DeleteIntegrationRequest
 	6,  // 10: teleport.integration.v1.IntegrationService.DeleteAllIntegrations:input_type -> teleport.integration.v1.DeleteAllIntegrationsRequest
 	7,  // 11: teleport.integration.v1.IntegrationService.GenerateAWSOIDCToken:input_type -> teleport.integration.v1.GenerateAWSOIDCTokenRequest
-	9,  // 12: teleport.integration.v1.IntegrationService.GenerateGitHubUserCert:input_type -> teleport.integration.v1.GenerateGitHubUserCertRequest
-	11, // 13: teleport.integration.v1.IntegrationService.ExportIntegrationCertAuthorities:input_type -> teleport.integration.v1.ExportIntegrationCertAuthoritiesRequest
-	1,  // 14: teleport.integration.v1.IntegrationService.ListIntegrations:output_type -> teleport.integration.v1.ListIntegrationsResponse
-	13, // 15: teleport.integration.v1.IntegrationService.GetIntegration:output_type -> types.IntegrationV1
-	13, // 16: teleport.integration.v1.IntegrationService.CreateIntegration:output_type -> types.IntegrationV1
-	13, // 17: teleport.integration.v1.IntegrationService.UpdateIntegration:output_type -> types.IntegrationV1
-	16, // 18: teleport.integration.v1.IntegrationService.DeleteIntegration:output_type -> google.protobuf.Empty
-	16, // 19: teleport.integration.v1.IntegrationService.DeleteAllIntegrations:output_type -> google.protobuf.Empty
-	8,  // 20: teleport.integration.v1.IntegrationService.GenerateAWSOIDCToken:output_type -> teleport.integration.v1.GenerateAWSOIDCTokenResponse
-	10, // 21: teleport.integration.v1.IntegrationService.GenerateGitHubUserCert:output_type -> teleport.integration.v1.GenerateGitHubUserCertResponse
-	12, // 22: teleport.integration.v1.IntegrationService.ExportIntegrationCertAuthorities:output_type -> teleport.integration.v1.ExportIntegrationCertAuthoritiesResponse
-	14, // [14:23] is the sub-list for method output_type
-	5,  // [5:14] is the sub-list for method input_type
+	9,  // 12: teleport.integration.v1.IntegrationService.GenerateAzureOIDCToken:input_type -> teleport.integration.v1.GenerateAzureOIDCTokenRequest
+	11, // 13: teleport.integration.v1.IntegrationService.GenerateGitHubUserCert:input_type -> teleport.integration.v1.GenerateGitHubUserCertRequest
+	13, // 14: teleport.integration.v1.IntegrationService.ExportIntegrationCertAuthorities:input_type -> teleport.integration.v1.ExportIntegrationCertAuthoritiesRequest
+	1,  // 15: teleport.integration.v1.IntegrationService.ListIntegrations:output_type -> teleport.integration.v1.ListIntegrationsResponse
+	15, // 16: teleport.integration.v1.IntegrationService.GetIntegration:output_type -> types.IntegrationV1
+	15, // 17: teleport.integration.v1.IntegrationService.CreateIntegration:output_type -> types.IntegrationV1
+	15, // 18: teleport.integration.v1.IntegrationService.UpdateIntegration:output_type -> types.IntegrationV1
+	18, // 19: teleport.integration.v1.IntegrationService.DeleteIntegration:output_type -> google.protobuf.Empty
+	18, // 20: teleport.integration.v1.IntegrationService.DeleteAllIntegrations:output_type -> google.protobuf.Empty
+	8,  // 21: teleport.integration.v1.IntegrationService.GenerateAWSOIDCToken:output_type -> teleport.integration.v1.GenerateAWSOIDCTokenResponse
+	10, // 22: teleport.integration.v1.IntegrationService.GenerateAzureOIDCToken:output_type -> teleport.integration.v1.GenerateAzureOIDCTokenResponse
+	12, // 23: teleport.integration.v1.IntegrationService.GenerateGitHubUserCert:output_type -> teleport.integration.v1.GenerateGitHubUserCertResponse
+	14, // 24: teleport.integration.v1.IntegrationService.ExportIntegrationCertAuthorities:output_type -> teleport.integration.v1.ExportIntegrationCertAuthoritiesResponse
+	15, // [15:25] is the sub-list for method output_type
+	5,  // [5:15] is the sub-list for method input_type
 	5,  // [5:5] is the sub-list for extension type_name
 	5,  // [5:5] is the sub-list for extension extendee
 	0,  // [0:5] is the sub-list for field type_name
@@ -940,9 +1056,9 @@ func file_teleport_integration_v1_integration_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_integration_v1_integration_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_integration_v1_integration_service_proto_rawDesc), len(file_teleport_integration_v1_integration_service_proto_rawDesc)),
 			NumEnums:      0,
-			NumMessages:   13,
+			NumMessages:   15,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
@@ -951,7 +1067,6 @@ func file_teleport_integration_v1_integration_service_proto_init() {
 		MessageInfos:      file_teleport_integration_v1_integration_service_proto_msgTypes,
 	}.Build()
 	File_teleport_integration_v1_integration_service_proto = out.File
-	file_teleport_integration_v1_integration_service_proto_rawDesc = nil
 	file_teleport_integration_v1_integration_service_proto_goTypes = nil
 	file_teleport_integration_v1_integration_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/integration/v1/integration_service_grpc.pb.go b/api/gen/proto/go/teleport/integration/v1/integration_service_grpc.pb.go
index e003922829236..7dfadc9f20be6 100644
--- a/api/gen/proto/go/teleport/integration/v1/integration_service_grpc.pb.go
+++ b/api/gen/proto/go/teleport/integration/v1/integration_service_grpc.pb.go
@@ -42,6 +42,7 @@ const (
 	IntegrationService_DeleteIntegration_FullMethodName                = "/teleport.integration.v1.IntegrationService/DeleteIntegration"
 	IntegrationService_DeleteAllIntegrations_FullMethodName            = "/teleport.integration.v1.IntegrationService/DeleteAllIntegrations"
 	IntegrationService_GenerateAWSOIDCToken_FullMethodName             = "/teleport.integration.v1.IntegrationService/GenerateAWSOIDCToken"
+	IntegrationService_GenerateAzureOIDCToken_FullMethodName           = "/teleport.integration.v1.IntegrationService/GenerateAzureOIDCToken"
 	IntegrationService_GenerateGitHubUserCert_FullMethodName           = "/teleport.integration.v1.IntegrationService/GenerateGitHubUserCert"
 	IntegrationService_ExportIntegrationCertAuthorities_FullMethodName = "/teleport.integration.v1.IntegrationService/ExportIntegrationCertAuthorities"
 )
@@ -67,6 +68,8 @@ type IntegrationServiceClient interface {
 	DeleteAllIntegrations(ctx context.Context, in *DeleteAllIntegrationsRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	// GenerateAWSOIDCToken generates a token to be used when executing an AWS OIDC Integration action.
 	GenerateAWSOIDCToken(ctx context.Context, in *GenerateAWSOIDCTokenRequest, opts ...grpc.CallOption) (*GenerateAWSOIDCTokenResponse, error)
+	// GenerateAzureOIDCToken generates a token to be used when executing an Azure OIDC Integration action.
+	GenerateAzureOIDCToken(ctx context.Context, in *GenerateAzureOIDCTokenRequest, opts ...grpc.CallOption) (*GenerateAzureOIDCTokenResponse, error)
 	// GenerateGitHubUserCert signs a SSH certificate for GitHub integration.
 	GenerateGitHubUserCert(ctx context.Context, in *GenerateGitHubUserCertRequest, opts ...grpc.CallOption) (*GenerateGitHubUserCertResponse, error)
 	// ExportIntegrationCertAuthorities exports cert authorities for an integration.
@@ -151,6 +154,16 @@ func (c *integrationServiceClient) GenerateAWSOIDCToken(ctx context.Context, in
 	return out, nil
 }
 
+func (c *integrationServiceClient) GenerateAzureOIDCToken(ctx context.Context, in *GenerateAzureOIDCTokenRequest, opts ...grpc.CallOption) (*GenerateAzureOIDCTokenResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(GenerateAzureOIDCTokenResponse)
+	err := c.cc.Invoke(ctx, IntegrationService_GenerateAzureOIDCToken_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *integrationServiceClient) GenerateGitHubUserCert(ctx context.Context, in *GenerateGitHubUserCertRequest, opts ...grpc.CallOption) (*GenerateGitHubUserCertResponse, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(GenerateGitHubUserCertResponse)
@@ -192,6 +205,8 @@ type IntegrationServiceServer interface {
 	DeleteAllIntegrations(context.Context, *DeleteAllIntegrationsRequest) (*emptypb.Empty, error)
 	// GenerateAWSOIDCToken generates a token to be used when executing an AWS OIDC Integration action.
 	GenerateAWSOIDCToken(context.Context, *GenerateAWSOIDCTokenRequest) (*GenerateAWSOIDCTokenResponse, error)
+	// GenerateAzureOIDCToken generates a token to be used when executing an Azure OIDC Integration action.
+	GenerateAzureOIDCToken(context.Context, *GenerateAzureOIDCTokenRequest) (*GenerateAzureOIDCTokenResponse, error)
 	// GenerateGitHubUserCert signs a SSH certificate for GitHub integration.
 	GenerateGitHubUserCert(context.Context, *GenerateGitHubUserCertRequest) (*GenerateGitHubUserCertResponse, error)
 	// ExportIntegrationCertAuthorities exports cert authorities for an integration.
@@ -227,6 +242,9 @@ func (UnimplementedIntegrationServiceServer) DeleteAllIntegrations(context.Conte
 func (UnimplementedIntegrationServiceServer) GenerateAWSOIDCToken(context.Context, *GenerateAWSOIDCTokenRequest) (*GenerateAWSOIDCTokenResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method GenerateAWSOIDCToken not implemented")
 }
+func (UnimplementedIntegrationServiceServer) GenerateAzureOIDCToken(context.Context, *GenerateAzureOIDCTokenRequest) (*GenerateAzureOIDCTokenResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GenerateAzureOIDCToken not implemented")
+}
 func (UnimplementedIntegrationServiceServer) GenerateGitHubUserCert(context.Context, *GenerateGitHubUserCertRequest) (*GenerateGitHubUserCertResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method GenerateGitHubUserCert not implemented")
 }
@@ -380,6 +398,24 @@ func _IntegrationService_GenerateAWSOIDCToken_Handler(srv interface{}, ctx conte
 	return interceptor(ctx, in, info, handler)
 }
 
+func _IntegrationService_GenerateAzureOIDCToken_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GenerateAzureOIDCTokenRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(IntegrationServiceServer).GenerateAzureOIDCToken(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: IntegrationService_GenerateAzureOIDCToken_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(IntegrationServiceServer).GenerateAzureOIDCToken(ctx, req.(*GenerateAzureOIDCTokenRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _IntegrationService_GenerateGitHubUserCert_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(GenerateGitHubUserCertRequest)
 	if err := dec(in); err != nil {
@@ -451,6 +487,10 @@ var IntegrationService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "GenerateAWSOIDCToken",
 			Handler:    _IntegrationService_GenerateAWSOIDCToken_Handler,
 		},
+		{
+			MethodName: "GenerateAzureOIDCToken",
+			Handler:    _IntegrationService_GenerateAzureOIDCToken_Handler,
+		},
 		{
 			MethodName: "GenerateGitHubUserCert",
 			Handler:    _IntegrationService_GenerateGitHubUserCert_Handler,
diff --git a/api/gen/proto/go/teleport/kube/v1/kube_service.pb.go b/api/gen/proto/go/teleport/kube/v1/kube_service.pb.go
index 51d713fb6c0eb..64500484c5da0 100644
--- a/api/gen/proto/go/teleport/kube/v1/kube_service.pb.go
+++ b/api/gen/proto/go/teleport/kube/v1/kube_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/kube/v1/kube_service.proto
 
@@ -26,6 +26,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -264,7 +265,7 @@ func (x *ListKubernetesResourcesResponse) GetTotalCount() int32 {
 
 var File_teleport_kube_v1_kube_service_proto protoreflect.FileDescriptor
 
-var file_teleport_kube_v1_kube_service_proto_rawDesc = []byte{
+var file_teleport_kube_v1_kube_service_proto_rawDesc = string([]byte{
 	0x0a, 0x23, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6b, 0x75, 0x62, 0x65, 0x2f,
 	0x76, 0x31, 0x2f, 0x6b, 0x75, 0x62, 0x65, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e,
 	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x10, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e,
@@ -338,16 +339,16 @@ var file_teleport_kube_v1_kube_service_proto_rawDesc = []byte{
 	0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6b, 0x75, 0x62, 0x65,
 	0x2f, 0x76, 0x31, 0x3b, 0x6b, 0x75, 0x62, 0x65, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
 	0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_kube_v1_kube_service_proto_rawDescOnce sync.Once
-	file_teleport_kube_v1_kube_service_proto_rawDescData = file_teleport_kube_v1_kube_service_proto_rawDesc
+	file_teleport_kube_v1_kube_service_proto_rawDescData []byte
 )
 
 func file_teleport_kube_v1_kube_service_proto_rawDescGZIP() []byte {
 	file_teleport_kube_v1_kube_service_proto_rawDescOnce.Do(func() {
-		file_teleport_kube_v1_kube_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_kube_v1_kube_service_proto_rawDescData)
+		file_teleport_kube_v1_kube_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_kube_v1_kube_service_proto_rawDesc), len(file_teleport_kube_v1_kube_service_proto_rawDesc)))
 	})
 	return file_teleport_kube_v1_kube_service_proto_rawDescData
 }
@@ -382,7 +383,7 @@ func file_teleport_kube_v1_kube_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_kube_v1_kube_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_kube_v1_kube_service_proto_rawDesc), len(file_teleport_kube_v1_kube_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   3,
 			NumExtensions: 0,
@@ -393,7 +394,6 @@ func file_teleport_kube_v1_kube_service_proto_init() {
 		MessageInfos:      file_teleport_kube_v1_kube_service_proto_msgTypes,
 	}.Build()
 	File_teleport_kube_v1_kube_service_proto = out.File
-	file_teleport_kube_v1_kube_service_proto_rawDesc = nil
 	file_teleport_kube_v1_kube_service_proto_goTypes = nil
 	file_teleport_kube_v1_kube_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/kubewaitingcontainer/v1/kubewaitingcontainer.pb.go b/api/gen/proto/go/teleport/kubewaitingcontainer/v1/kubewaitingcontainer.pb.go
index 8fb33a486bf00..547f2afac6e7c 100644
--- a/api/gen/proto/go/teleport/kubewaitingcontainer/v1/kubewaitingcontainer.pb.go
+++ b/api/gen/proto/go/teleport/kubewaitingcontainer/v1/kubewaitingcontainer.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/kubewaitingcontainer/v1/kubewaitingcontainer.proto
 
@@ -26,6 +26,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -222,7 +223,7 @@ func (x *KubernetesWaitingContainerSpec) GetPatchType() string {
 
 var File_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_proto protoreflect.FileDescriptor
 
-var file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_proto_rawDesc = []byte{
+var file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_proto_rawDesc = string([]byte{
 	0x0a, 0x3b, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6b, 0x75, 0x62, 0x65, 0x77,
 	0x61, 0x69, 0x74, 0x69, 0x6e, 0x67, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x2f,
 	0x76, 0x31, 0x2f, 0x6b, 0x75, 0x62, 0x65, 0x77, 0x61, 0x69, 0x74, 0x69, 0x6e, 0x67, 0x63, 0x6f,
@@ -269,16 +270,16 @@ var file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_proto_rawDesc = [
 	0x69, 0x6e, 0x67, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x2f, 0x76, 0x31, 0x3b,
 	0x6b, 0x75, 0x62, 0x65, 0x77, 0x61, 0x69, 0x74, 0x69, 0x6e, 0x67, 0x63, 0x6f, 0x6e, 0x74, 0x61,
 	0x69, 0x6e, 0x65, 0x72, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_proto_rawDescOnce sync.Once
-	file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_proto_rawDescData = file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_proto_rawDesc
+	file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_proto_rawDescData []byte
 )
 
 func file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_proto_rawDescGZIP() []byte {
 	file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_proto_rawDescOnce.Do(func() {
-		file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_proto_rawDescData)
+		file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_proto_rawDesc), len(file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_proto_rawDesc)))
 	})
 	return file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_proto_rawDescData
 }
@@ -308,7 +309,7 @@ func file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_proto_rawDesc), len(file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   2,
 			NumExtensions: 0,
@@ -319,7 +320,6 @@ func file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_proto_init() {
 		MessageInfos:      file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_proto_msgTypes,
 	}.Build()
 	File_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_proto = out.File
-	file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_proto_rawDesc = nil
 	file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_proto_goTypes = nil
 	file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/kubewaitingcontainer/v1/kubewaitingcontainer_service.pb.go b/api/gen/proto/go/teleport/kubewaitingcontainer/v1/kubewaitingcontainer_service.pb.go
index 42f9507e5f375..0c92918ed08ea 100644
--- a/api/gen/proto/go/teleport/kubewaitingcontainer/v1/kubewaitingcontainer_service.pb.go
+++ b/api/gen/proto/go/teleport/kubewaitingcontainer/v1/kubewaitingcontainer_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/kubewaitingcontainer/v1/kubewaitingcontainer_service.proto
 
@@ -26,6 +26,7 @@ import (
 	emptypb "google.golang.org/protobuf/types/known/emptypb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -358,7 +359,7 @@ func (x *DeleteKubernetesWaitingContainerRequest) GetContainerName() string {
 
 var File_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_service_proto protoreflect.FileDescriptor
 
-var file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_service_proto_rawDesc = []byte{
+var file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_service_proto_rawDesc = string([]byte{
 	0x0a, 0x43, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6b, 0x75, 0x62, 0x65, 0x77,
 	0x61, 0x69, 0x74, 0x69, 0x6e, 0x67, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x2f,
 	0x76, 0x31, 0x2f, 0x6b, 0x75, 0x62, 0x65, 0x77, 0x61, 0x69, 0x74, 0x69, 0x6e, 0x67, 0x63, 0x6f,
@@ -474,16 +475,16 @@ var file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_service_proto_raw
 	0x69, 0x6e, 0x67, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x2f, 0x76, 0x31, 0x3b,
 	0x6b, 0x75, 0x62, 0x65, 0x77, 0x61, 0x69, 0x74, 0x69, 0x6e, 0x67, 0x63, 0x6f, 0x6e, 0x74, 0x61,
 	0x69, 0x6e, 0x65, 0x72, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_service_proto_rawDescOnce sync.Once
-	file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_service_proto_rawDescData = file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_service_proto_rawDesc
+	file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_service_proto_rawDescData []byte
 )
 
 func file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_service_proto_rawDescGZIP() []byte {
 	file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_service_proto_rawDescOnce.Do(func() {
-		file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_service_proto_rawDescData)
+		file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_service_proto_rawDesc), len(file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_service_proto_rawDesc)))
 	})
 	return file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_service_proto_rawDescData
 }
@@ -526,7 +527,7 @@ func file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_service_proto_in
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_service_proto_rawDesc), len(file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   5,
 			NumExtensions: 0,
@@ -537,7 +538,6 @@ func file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_service_proto_in
 		MessageInfos:      file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_service_proto_msgTypes,
 	}.Build()
 	File_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_service_proto = out.File
-	file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_service_proto_rawDesc = nil
 	file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_service_proto_goTypes = nil
 	file_teleport_kubewaitingcontainer_v1_kubewaitingcontainer_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/label/v1/label.pb.go b/api/gen/proto/go/teleport/label/v1/label.pb.go
index 7a2a88b1932e0..696fdcd03bf3f 100644
--- a/api/gen/proto/go/teleport/label/v1/label.pb.go
+++ b/api/gen/proto/go/teleport/label/v1/label.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/label/v1/label.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -91,7 +92,7 @@ func (x *Label) GetValues() []string {
 
 var File_teleport_label_v1_label_proto protoreflect.FileDescriptor
 
-var file_teleport_label_v1_label_proto_rawDesc = []byte{
+var file_teleport_label_v1_label_proto_rawDesc = string([]byte{
 	0x0a, 0x1d, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x61, 0x62, 0x65, 0x6c,
 	0x2f, 0x76, 0x31, 0x2f, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12,
 	0x11, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x2e,
@@ -104,16 +105,16 @@ var file_teleport_label_v1_label_proto_rawDesc = []byte{
 	0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65,
 	0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x2f, 0x76, 0x31, 0x3b,
 	0x6c, 0x61, 0x62, 0x65, 0x6c, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_label_v1_label_proto_rawDescOnce sync.Once
-	file_teleport_label_v1_label_proto_rawDescData = file_teleport_label_v1_label_proto_rawDesc
+	file_teleport_label_v1_label_proto_rawDescData []byte
 )
 
 func file_teleport_label_v1_label_proto_rawDescGZIP() []byte {
 	file_teleport_label_v1_label_proto_rawDescOnce.Do(func() {
-		file_teleport_label_v1_label_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_label_v1_label_proto_rawDescData)
+		file_teleport_label_v1_label_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_label_v1_label_proto_rawDesc), len(file_teleport_label_v1_label_proto_rawDesc)))
 	})
 	return file_teleport_label_v1_label_proto_rawDescData
 }
@@ -139,7 +140,7 @@ func file_teleport_label_v1_label_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_label_v1_label_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_label_v1_label_proto_rawDesc), len(file_teleport_label_v1_label_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   1,
 			NumExtensions: 0,
@@ -150,7 +151,6 @@ func file_teleport_label_v1_label_proto_init() {
 		MessageInfos:      file_teleport_label_v1_label_proto_msgTypes,
 	}.Build()
 	File_teleport_label_v1_label_proto = out.File
-	file_teleport_label_v1_label_proto_rawDesc = nil
 	file_teleport_label_v1_label_proto_goTypes = nil
 	file_teleport_label_v1_label_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/loginrule/v1/loginrule.pb.go b/api/gen/proto/go/teleport/loginrule/v1/loginrule.pb.go
index 3e4e60ee1c8ea..056a5eb8af664 100644
--- a/api/gen/proto/go/teleport/loginrule/v1/loginrule.pb.go
+++ b/api/gen/proto/go/teleport/loginrule/v1/loginrule.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/loginrule/v1/loginrule.proto
 
@@ -27,6 +27,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -125,7 +126,7 @@ func (x *LoginRule) GetTraitsExpression() string {
 
 var File_teleport_loginrule_v1_loginrule_proto protoreflect.FileDescriptor
 
-var file_teleport_loginrule_v1_loginrule_proto_rawDesc = []byte{
+var file_teleport_loginrule_v1_loginrule_proto_rawDesc = string([]byte{
 	0x0a, 0x25, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x6f, 0x67, 0x69, 0x6e,
 	0x72, 0x75, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x6c, 0x6f, 0x67, 0x69, 0x6e, 0x72, 0x75, 0x6c,
 	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x15, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72,
@@ -162,16 +163,16 @@ var file_teleport_loginrule_v1_loginrule_proto_rawDesc = []byte{
 	0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x6f, 0x67, 0x69, 0x6e, 0x72, 0x75, 0x6c, 0x65, 0x2f, 0x76, 0x31,
 	0x3b, 0x6c, 0x6f, 0x67, 0x69, 0x6e, 0x72, 0x75, 0x6c, 0x65, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72,
 	0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_loginrule_v1_loginrule_proto_rawDescOnce sync.Once
-	file_teleport_loginrule_v1_loginrule_proto_rawDescData = file_teleport_loginrule_v1_loginrule_proto_rawDesc
+	file_teleport_loginrule_v1_loginrule_proto_rawDescData []byte
 )
 
 func file_teleport_loginrule_v1_loginrule_proto_rawDescGZIP() []byte {
 	file_teleport_loginrule_v1_loginrule_proto_rawDescOnce.Do(func() {
-		file_teleport_loginrule_v1_loginrule_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_loginrule_v1_loginrule_proto_rawDescData)
+		file_teleport_loginrule_v1_loginrule_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_loginrule_v1_loginrule_proto_rawDesc), len(file_teleport_loginrule_v1_loginrule_proto_rawDesc)))
 	})
 	return file_teleport_loginrule_v1_loginrule_proto_rawDescData
 }
@@ -203,7 +204,7 @@ func file_teleport_loginrule_v1_loginrule_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_loginrule_v1_loginrule_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_loginrule_v1_loginrule_proto_rawDesc), len(file_teleport_loginrule_v1_loginrule_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   2,
 			NumExtensions: 0,
@@ -214,7 +215,6 @@ func file_teleport_loginrule_v1_loginrule_proto_init() {
 		MessageInfos:      file_teleport_loginrule_v1_loginrule_proto_msgTypes,
 	}.Build()
 	File_teleport_loginrule_v1_loginrule_proto = out.File
-	file_teleport_loginrule_v1_loginrule_proto_rawDesc = nil
 	file_teleport_loginrule_v1_loginrule_proto_goTypes = nil
 	file_teleport_loginrule_v1_loginrule_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/loginrule/v1/loginrule_service.pb.go b/api/gen/proto/go/teleport/loginrule/v1/loginrule_service.pb.go
index e8c10bd235ac5..ed9baff8cfeec 100644
--- a/api/gen/proto/go/teleport/loginrule/v1/loginrule_service.pb.go
+++ b/api/gen/proto/go/teleport/loginrule/v1/loginrule_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/loginrule/v1/loginrule_service.proto
 
@@ -27,6 +27,7 @@ import (
 	emptypb "google.golang.org/protobuf/types/known/emptypb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -446,7 +447,7 @@ func (x *TestLoginRuleResponse) GetTraits() map[string]*wrappers.StringValues {
 
 var File_teleport_loginrule_v1_loginrule_service_proto protoreflect.FileDescriptor
 
-var file_teleport_loginrule_v1_loginrule_service_proto_rawDesc = []byte{
+var file_teleport_loginrule_v1_loginrule_service_proto_rawDesc = string([]byte{
 	0x0a, 0x2d, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x6f, 0x67, 0x69, 0x6e,
 	0x72, 0x75, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x6c, 0x6f, 0x67, 0x69, 0x6e, 0x72, 0x75, 0x6c,
 	0x65, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12,
@@ -565,16 +566,16 @@ var file_teleport_loginrule_v1_loginrule_service_proto_rawDesc = []byte{
 	0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x6f,
 	0x67, 0x69, 0x6e, 0x72, 0x75, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x3b, 0x6c, 0x6f, 0x67, 0x69, 0x6e,
 	0x72, 0x75, 0x6c, 0x65, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_loginrule_v1_loginrule_service_proto_rawDescOnce sync.Once
-	file_teleport_loginrule_v1_loginrule_service_proto_rawDescData = file_teleport_loginrule_v1_loginrule_service_proto_rawDesc
+	file_teleport_loginrule_v1_loginrule_service_proto_rawDescData []byte
 )
 
 func file_teleport_loginrule_v1_loginrule_service_proto_rawDescGZIP() []byte {
 	file_teleport_loginrule_v1_loginrule_service_proto_rawDescOnce.Do(func() {
-		file_teleport_loginrule_v1_loginrule_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_loginrule_v1_loginrule_service_proto_rawDescData)
+		file_teleport_loginrule_v1_loginrule_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_loginrule_v1_loginrule_service_proto_rawDesc), len(file_teleport_loginrule_v1_loginrule_service_proto_rawDesc)))
 	})
 	return file_teleport_loginrule_v1_loginrule_service_proto_rawDescData
 }
@@ -633,7 +634,7 @@ func file_teleport_loginrule_v1_loginrule_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_loginrule_v1_loginrule_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_loginrule_v1_loginrule_service_proto_rawDesc), len(file_teleport_loginrule_v1_loginrule_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   10,
 			NumExtensions: 0,
@@ -644,7 +645,6 @@ func file_teleport_loginrule_v1_loginrule_service_proto_init() {
 		MessageInfos:      file_teleport_loginrule_v1_loginrule_service_proto_msgTypes,
 	}.Build()
 	File_teleport_loginrule_v1_loginrule_service_proto = out.File
-	file_teleport_loginrule_v1_loginrule_service_proto_rawDesc = nil
 	file_teleport_loginrule_v1_loginrule_service_proto_goTypes = nil
 	file_teleport_loginrule_v1_loginrule_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/machineid/v1/bot.pb.go b/api/gen/proto/go/teleport/machineid/v1/bot.pb.go
index 6ada2348edffc..37e0747505abe 100644
--- a/api/gen/proto/go/teleport/machineid/v1/bot.pb.go
+++ b/api/gen/proto/go/teleport/machineid/v1/bot.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/machineid/v1/bot.proto
 
@@ -26,6 +26,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -302,7 +303,7 @@ func (x *BotStatus) GetRoleName() string {
 
 var File_teleport_machineid_v1_bot_proto protoreflect.FileDescriptor
 
-var file_teleport_machineid_v1_bot_proto_rawDesc = []byte{
+var file_teleport_machineid_v1_bot_proto_rawDesc = string([]byte{
 	0x0a, 0x1f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69,
 	0x6e, 0x65, 0x69, 0x64, 0x2f, 0x76, 0x31, 0x2f, 0x62, 0x6f, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74,
 	0x6f, 0x12, 0x15, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6d, 0x61, 0x63, 0x68,
@@ -345,16 +346,16 @@ var file_teleport_machineid_v1_bot_proto_rawDesc = []byte{
 	0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x69,
 	0x64, 0x2f, 0x76, 0x31, 0x3b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x76, 0x31,
 	0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_machineid_v1_bot_proto_rawDescOnce sync.Once
-	file_teleport_machineid_v1_bot_proto_rawDescData = file_teleport_machineid_v1_bot_proto_rawDesc
+	file_teleport_machineid_v1_bot_proto_rawDescData []byte
 )
 
 func file_teleport_machineid_v1_bot_proto_rawDescGZIP() []byte {
 	file_teleport_machineid_v1_bot_proto_rawDescOnce.Do(func() {
-		file_teleport_machineid_v1_bot_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_machineid_v1_bot_proto_rawDescData)
+		file_teleport_machineid_v1_bot_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_machineid_v1_bot_proto_rawDesc), len(file_teleport_machineid_v1_bot_proto_rawDesc)))
 	})
 	return file_teleport_machineid_v1_bot_proto_rawDescData
 }
@@ -388,7 +389,7 @@ func file_teleport_machineid_v1_bot_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_machineid_v1_bot_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_machineid_v1_bot_proto_rawDesc), len(file_teleport_machineid_v1_bot_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   4,
 			NumExtensions: 0,
@@ -399,7 +400,6 @@ func file_teleport_machineid_v1_bot_proto_init() {
 		MessageInfos:      file_teleport_machineid_v1_bot_proto_msgTypes,
 	}.Build()
 	File_teleport_machineid_v1_bot_proto = out.File
-	file_teleport_machineid_v1_bot_proto_rawDesc = nil
 	file_teleport_machineid_v1_bot_proto_goTypes = nil
 	file_teleport_machineid_v1_bot_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/machineid/v1/bot_instance.pb.go b/api/gen/proto/go/teleport/machineid/v1/bot_instance.pb.go
index 5004be70faf5a..d7c755df34b1c 100644
--- a/api/gen/proto/go/teleport/machineid/v1/bot_instance.pb.go
+++ b/api/gen/proto/go/teleport/machineid/v1/bot_instance.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/machineid/v1/bot_instance.proto
 
@@ -30,6 +30,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -499,7 +500,7 @@ func (x *BotInstanceStatus) GetLatestHeartbeats() []*BotInstanceStatusHeartbeat
 
 var File_teleport_machineid_v1_bot_instance_proto protoreflect.FileDescriptor
 
-var file_teleport_machineid_v1_bot_instance_proto_rawDesc = []byte{
+var file_teleport_machineid_v1_bot_instance_proto_rawDesc = string([]byte{
 	0x0a, 0x28, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69,
 	0x6e, 0x65, 0x69, 0x64, 0x2f, 0x76, 0x31, 0x2f, 0x62, 0x6f, 0x74, 0x5f, 0x69, 0x6e, 0x73, 0x74,
 	0x61, 0x6e, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x15, 0x74, 0x65, 0x6c, 0x65,
@@ -616,16 +617,16 @@ var file_teleport_machineid_v1_bot_instance_proto_rawDesc = []byte{
 	0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6d,
 	0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x2f, 0x76, 0x31, 0x3b, 0x6d, 0x61, 0x63, 0x68,
 	0x69, 0x6e, 0x65, 0x69, 0x64, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_machineid_v1_bot_instance_proto_rawDescOnce sync.Once
-	file_teleport_machineid_v1_bot_instance_proto_rawDescData = file_teleport_machineid_v1_bot_instance_proto_rawDesc
+	file_teleport_machineid_v1_bot_instance_proto_rawDescData []byte
 )
 
 func file_teleport_machineid_v1_bot_instance_proto_rawDescGZIP() []byte {
 	file_teleport_machineid_v1_bot_instance_proto_rawDescOnce.Do(func() {
-		file_teleport_machineid_v1_bot_instance_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_machineid_v1_bot_instance_proto_rawDescData)
+		file_teleport_machineid_v1_bot_instance_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_machineid_v1_bot_instance_proto_rawDesc), len(file_teleport_machineid_v1_bot_instance_proto_rawDesc)))
 	})
 	return file_teleport_machineid_v1_bot_instance_proto_rawDescData
 }
@@ -672,7 +673,7 @@ func file_teleport_machineid_v1_bot_instance_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_machineid_v1_bot_instance_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_machineid_v1_bot_instance_proto_rawDesc), len(file_teleport_machineid_v1_bot_instance_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   5,
 			NumExtensions: 0,
@@ -683,7 +684,6 @@ func file_teleport_machineid_v1_bot_instance_proto_init() {
 		MessageInfos:      file_teleport_machineid_v1_bot_instance_proto_msgTypes,
 	}.Build()
 	File_teleport_machineid_v1_bot_instance_proto = out.File
-	file_teleport_machineid_v1_bot_instance_proto_rawDesc = nil
 	file_teleport_machineid_v1_bot_instance_proto_goTypes = nil
 	file_teleport_machineid_v1_bot_instance_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/machineid/v1/bot_instance_service.pb.go b/api/gen/proto/go/teleport/machineid/v1/bot_instance_service.pb.go
index 661a0cda85267..144e57ba0c706 100644
--- a/api/gen/proto/go/teleport/machineid/v1/bot_instance_service.pb.go
+++ b/api/gen/proto/go/teleport/machineid/v1/bot_instance_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/machineid/v1/bot_instance_service.proto
 
@@ -26,6 +26,7 @@ import (
 	emptypb "google.golang.org/protobuf/types/known/emptypb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -356,7 +357,7 @@ func (*SubmitHeartbeatResponse) Descriptor() ([]byte, []int) {
 
 var File_teleport_machineid_v1_bot_instance_service_proto protoreflect.FileDescriptor
 
-var file_teleport_machineid_v1_bot_instance_service_proto_rawDesc = []byte{
+var file_teleport_machineid_v1_bot_instance_service_proto_rawDesc = string([]byte{
 	0x0a, 0x30, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69,
 	0x6e, 0x65, 0x69, 0x64, 0x2f, 0x76, 0x31, 0x2f, 0x62, 0x6f, 0x74, 0x5f, 0x69, 0x6e, 0x73, 0x74,
 	0x61, 0x6e, 0x63, 0x65, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f,
@@ -436,16 +437,16 @@ var file_teleport_machineid_v1_bot_instance_service_proto_rawDesc = []byte{
 	0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f,
 	0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x2f, 0x76, 0x31, 0x3b, 0x6d, 0x61, 0x63,
 	0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_machineid_v1_bot_instance_service_proto_rawDescOnce sync.Once
-	file_teleport_machineid_v1_bot_instance_service_proto_rawDescData = file_teleport_machineid_v1_bot_instance_service_proto_rawDesc
+	file_teleport_machineid_v1_bot_instance_service_proto_rawDescData []byte
 )
 
 func file_teleport_machineid_v1_bot_instance_service_proto_rawDescGZIP() []byte {
 	file_teleport_machineid_v1_bot_instance_service_proto_rawDescOnce.Do(func() {
-		file_teleport_machineid_v1_bot_instance_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_machineid_v1_bot_instance_service_proto_rawDescData)
+		file_teleport_machineid_v1_bot_instance_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_machineid_v1_bot_instance_service_proto_rawDesc), len(file_teleport_machineid_v1_bot_instance_service_proto_rawDesc)))
 	})
 	return file_teleport_machineid_v1_bot_instance_service_proto_rawDescData
 }
@@ -490,7 +491,7 @@ func file_teleport_machineid_v1_bot_instance_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_machineid_v1_bot_instance_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_machineid_v1_bot_instance_service_proto_rawDesc), len(file_teleport_machineid_v1_bot_instance_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   6,
 			NumExtensions: 0,
@@ -501,7 +502,6 @@ func file_teleport_machineid_v1_bot_instance_service_proto_init() {
 		MessageInfos:      file_teleport_machineid_v1_bot_instance_service_proto_msgTypes,
 	}.Build()
 	File_teleport_machineid_v1_bot_instance_service_proto = out.File
-	file_teleport_machineid_v1_bot_instance_service_proto_rawDesc = nil
 	file_teleport_machineid_v1_bot_instance_service_proto_goTypes = nil
 	file_teleport_machineid_v1_bot_instance_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/machineid/v1/bot_service.pb.go b/api/gen/proto/go/teleport/machineid/v1/bot_service.pb.go
index 642f206865314..acc4ed9530a1d 100644
--- a/api/gen/proto/go/teleport/machineid/v1/bot_service.pb.go
+++ b/api/gen/proto/go/teleport/machineid/v1/bot_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/machineid/v1/bot_service.proto
 
@@ -27,6 +27,7 @@ import (
 	fieldmaskpb "google.golang.org/protobuf/types/known/fieldmaskpb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -390,7 +391,7 @@ func (x *DeleteBotRequest) GetBotName() string {
 
 var File_teleport_machineid_v1_bot_service_proto protoreflect.FileDescriptor
 
-var file_teleport_machineid_v1_bot_service_proto_rawDesc = []byte{
+var file_teleport_machineid_v1_bot_service_proto_rawDesc = string([]byte{
 	0x0a, 0x27, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69,
 	0x6e, 0x65, 0x69, 0x64, 0x2f, 0x76, 0x31, 0x2f, 0x62, 0x6f, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x76,
 	0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x15, 0x74, 0x65, 0x6c, 0x65, 0x70,
@@ -473,16 +474,16 @@ var file_teleport_machineid_v1_bot_service_proto_rawDesc = []byte{
 	0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x2f, 0x76,
 	0x31, 0x3b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x76, 0x31, 0x62, 0x06, 0x70,
 	0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_machineid_v1_bot_service_proto_rawDescOnce sync.Once
-	file_teleport_machineid_v1_bot_service_proto_rawDescData = file_teleport_machineid_v1_bot_service_proto_rawDesc
+	file_teleport_machineid_v1_bot_service_proto_rawDescData []byte
 )
 
 func file_teleport_machineid_v1_bot_service_proto_rawDescGZIP() []byte {
 	file_teleport_machineid_v1_bot_service_proto_rawDescOnce.Do(func() {
-		file_teleport_machineid_v1_bot_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_machineid_v1_bot_service_proto_rawDescData)
+		file_teleport_machineid_v1_bot_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_machineid_v1_bot_service_proto_rawDesc), len(file_teleport_machineid_v1_bot_service_proto_rawDesc)))
 	})
 	return file_teleport_machineid_v1_bot_service_proto_rawDescData
 }
@@ -535,7 +536,7 @@ func file_teleport_machineid_v1_bot_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_machineid_v1_bot_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_machineid_v1_bot_service_proto_rawDesc), len(file_teleport_machineid_v1_bot_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   7,
 			NumExtensions: 0,
@@ -546,7 +547,6 @@ func file_teleport_machineid_v1_bot_service_proto_init() {
 		MessageInfos:      file_teleport_machineid_v1_bot_service_proto_msgTypes,
 	}.Build()
 	File_teleport_machineid_v1_bot_service_proto = out.File
-	file_teleport_machineid_v1_bot_service_proto_rawDesc = nil
 	file_teleport_machineid_v1_bot_service_proto_goTypes = nil
 	file_teleport_machineid_v1_bot_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/machineid/v1/federation.pb.go b/api/gen/proto/go/teleport/machineid/v1/federation.pb.go
index c05e22aba1317..f95d1762ead66 100644
--- a/api/gen/proto/go/teleport/machineid/v1/federation.pb.go
+++ b/api/gen/proto/go/teleport/machineid/v1/federation.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/machineid/v1/federation.proto
 
@@ -27,6 +27,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -408,7 +409,7 @@ func (x *SPIFFEFederationStatus) GetCurrentBundleSyncedFrom() *SPIFFEFederationB
 
 var File_teleport_machineid_v1_federation_proto protoreflect.FileDescriptor
 
-var file_teleport_machineid_v1_federation_proto_rawDesc = []byte{
+var file_teleport_machineid_v1_federation_proto_rawDesc = string([]byte{
 	0x0a, 0x26, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69,
 	0x6e, 0x65, 0x69, 0x64, 0x2f, 0x76, 0x31, 0x2f, 0x66, 0x65, 0x64, 0x65, 0x72, 0x61, 0x74, 0x69,
 	0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x15, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f,
@@ -494,16 +495,16 @@ var file_teleport_machineid_v1_federation_proto_rawDesc = []byte{
 	0x72, 0x74, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x2f, 0x76, 0x31, 0x3b,
 	0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f,
 	0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_machineid_v1_federation_proto_rawDescOnce sync.Once
-	file_teleport_machineid_v1_federation_proto_rawDescData = file_teleport_machineid_v1_federation_proto_rawDesc
+	file_teleport_machineid_v1_federation_proto_rawDescData []byte
 )
 
 func file_teleport_machineid_v1_federation_proto_rawDescGZIP() []byte {
 	file_teleport_machineid_v1_federation_proto_rawDescOnce.Do(func() {
-		file_teleport_machineid_v1_federation_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_machineid_v1_federation_proto_rawDescData)
+		file_teleport_machineid_v1_federation_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_machineid_v1_federation_proto_rawDesc), len(file_teleport_machineid_v1_federation_proto_rawDesc)))
 	})
 	return file_teleport_machineid_v1_federation_proto_rawDescData
 }
@@ -545,7 +546,7 @@ func file_teleport_machineid_v1_federation_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_machineid_v1_federation_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_machineid_v1_federation_proto_rawDesc), len(file_teleport_machineid_v1_federation_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   6,
 			NumExtensions: 0,
@@ -556,7 +557,6 @@ func file_teleport_machineid_v1_federation_proto_init() {
 		MessageInfos:      file_teleport_machineid_v1_federation_proto_msgTypes,
 	}.Build()
 	File_teleport_machineid_v1_federation_proto = out.File
-	file_teleport_machineid_v1_federation_proto_rawDesc = nil
 	file_teleport_machineid_v1_federation_proto_goTypes = nil
 	file_teleport_machineid_v1_federation_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/machineid/v1/federation_service.pb.go b/api/gen/proto/go/teleport/machineid/v1/federation_service.pb.go
index 8f896d23c5fe0..014b7dc0475b7 100644
--- a/api/gen/proto/go/teleport/machineid/v1/federation_service.pb.go
+++ b/api/gen/proto/go/teleport/machineid/v1/federation_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/machineid/v1/federation_service.proto
 
@@ -26,6 +26,7 @@ import (
 	emptypb "google.golang.org/protobuf/types/known/emptypb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -290,7 +291,7 @@ func (x *CreateSPIFFEFederationRequest) GetSpiffeFederation() *SPIFFEFederation
 
 var File_teleport_machineid_v1_federation_service_proto protoreflect.FileDescriptor
 
-var file_teleport_machineid_v1_federation_service_proto_rawDesc = []byte{
+var file_teleport_machineid_v1_federation_service_proto_rawDesc = string([]byte{
 	0x0a, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69,
 	0x6e, 0x65, 0x69, 0x64, 0x2f, 0x76, 0x31, 0x2f, 0x66, 0x65, 0x64, 0x65, 0x72, 0x61, 0x74, 0x69,
 	0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
@@ -367,16 +368,16 @@ var file_teleport_machineid_v1_federation_service_proto_rawDesc = []byte{
 	0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6d, 0x61, 0x63,
 	0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x2f, 0x76, 0x31, 0x3b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e,
 	0x65, 0x69, 0x64, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_machineid_v1_federation_service_proto_rawDescOnce sync.Once
-	file_teleport_machineid_v1_federation_service_proto_rawDescData = file_teleport_machineid_v1_federation_service_proto_rawDesc
+	file_teleport_machineid_v1_federation_service_proto_rawDescData []byte
 )
 
 func file_teleport_machineid_v1_federation_service_proto_rawDescGZIP() []byte {
 	file_teleport_machineid_v1_federation_service_proto_rawDescOnce.Do(func() {
-		file_teleport_machineid_v1_federation_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_machineid_v1_federation_service_proto_rawDescData)
+		file_teleport_machineid_v1_federation_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_machineid_v1_federation_service_proto_rawDesc), len(file_teleport_machineid_v1_federation_service_proto_rawDesc)))
 	})
 	return file_teleport_machineid_v1_federation_service_proto_rawDescData
 }
@@ -419,7 +420,7 @@ func file_teleport_machineid_v1_federation_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_machineid_v1_federation_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_machineid_v1_federation_service_proto_rawDesc), len(file_teleport_machineid_v1_federation_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   5,
 			NumExtensions: 0,
@@ -430,7 +431,6 @@ func file_teleport_machineid_v1_federation_service_proto_init() {
 		MessageInfos:      file_teleport_machineid_v1_federation_service_proto_msgTypes,
 	}.Build()
 	File_teleport_machineid_v1_federation_service_proto = out.File
-	file_teleport_machineid_v1_federation_service_proto_rawDesc = nil
 	file_teleport_machineid_v1_federation_service_proto_goTypes = nil
 	file_teleport_machineid_v1_federation_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/machineid/v1/workload_identity_service.pb.go b/api/gen/proto/go/teleport/machineid/v1/workload_identity_service.pb.go
index 913bb44e43b3d..bfa2bea1b632f 100644
--- a/api/gen/proto/go/teleport/machineid/v1/workload_identity_service.pb.go
+++ b/api/gen/proto/go/teleport/machineid/v1/workload_identity_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/machineid/v1/workload_identity_service.proto
 
@@ -26,6 +26,7 @@ import (
 	durationpb "google.golang.org/protobuf/types/known/durationpb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -552,7 +553,7 @@ func (x *SignJWTSVIDsResponse) GetSvids() []*JWTSVIDResponse {
 
 var File_teleport_machineid_v1_workload_identity_service_proto protoreflect.FileDescriptor
 
-var file_teleport_machineid_v1_workload_identity_service_proto_rawDesc = []byte{
+var file_teleport_machineid_v1_workload_identity_service_proto_rawDesc = string([]byte{
 	0x0a, 0x35, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69,
 	0x6e, 0x65, 0x69, 0x64, 0x2f, 0x76, 0x31, 0x2f, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64,
 	0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63,
@@ -639,16 +640,16 @@ var file_teleport_machineid_v1_workload_identity_service_proto_rawDesc = []byte{
 	0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6d,
 	0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x69, 0x64, 0x2f, 0x76, 0x31, 0x3b, 0x6d, 0x61, 0x63, 0x68,
 	0x69, 0x6e, 0x65, 0x69, 0x64, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_machineid_v1_workload_identity_service_proto_rawDescOnce sync.Once
-	file_teleport_machineid_v1_workload_identity_service_proto_rawDescData = file_teleport_machineid_v1_workload_identity_service_proto_rawDesc
+	file_teleport_machineid_v1_workload_identity_service_proto_rawDescData []byte
 )
 
 func file_teleport_machineid_v1_workload_identity_service_proto_rawDescGZIP() []byte {
 	file_teleport_machineid_v1_workload_identity_service_proto_rawDescOnce.Do(func() {
-		file_teleport_machineid_v1_workload_identity_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_machineid_v1_workload_identity_service_proto_rawDescData)
+		file_teleport_machineid_v1_workload_identity_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_machineid_v1_workload_identity_service_proto_rawDesc), len(file_teleport_machineid_v1_workload_identity_service_proto_rawDesc)))
 	})
 	return file_teleport_machineid_v1_workload_identity_service_proto_rawDescData
 }
@@ -692,7 +693,7 @@ func file_teleport_machineid_v1_workload_identity_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_machineid_v1_workload_identity_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_machineid_v1_workload_identity_service_proto_rawDesc), len(file_teleport_machineid_v1_workload_identity_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   8,
 			NumExtensions: 0,
@@ -703,7 +704,6 @@ func file_teleport_machineid_v1_workload_identity_service_proto_init() {
 		MessageInfos:      file_teleport_machineid_v1_workload_identity_service_proto_msgTypes,
 	}.Build()
 	File_teleport_machineid_v1_workload_identity_service_proto = out.File
-	file_teleport_machineid_v1_workload_identity_service_proto_rawDesc = nil
 	file_teleport_machineid_v1_workload_identity_service_proto_goTypes = nil
 	file_teleport_machineid_v1_workload_identity_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/notifications/v1/notifications.pb.go b/api/gen/proto/go/teleport/notifications/v1/notifications.pb.go
index c6ea8ee5b3b45..d1926f7540553 100644
--- a/api/gen/proto/go/teleport/notifications/v1/notifications.pb.go
+++ b/api/gen/proto/go/teleport/notifications/v1/notifications.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/notifications/v1/notifications.proto
 
@@ -31,6 +31,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -914,9 +915,142 @@ func (x *UserLastSeenNotificationStatus) GetLastSeenTime() *timestamppb.Timestam
 	return nil
 }
 
+// UniqueNotificationIdentifier represents a unique notification identifier.
+// This is a resource whose existence is used to keep track of whether a particular notification has already been created, in order to prevent duplicate notifications.
+// For example, if the unique identifier is "unique_notification_identifier/access_list_30d_reminder/1234", when a caller attempts to create a notification
+// for a 30 day reminder to review access list 1234, it will create this identifier resource as well, and any subsequent times it attempts to create the notification,
+// it will detect that the identifier already exists, and thus know not to create a duplicate.
+// Note that using this system does not always guarantee accuracy/concurrency, so this shouldn't be used for security critical notifications.
+type UniqueNotificationIdentifier struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// kind is the resource kind ("unique_notification_identifier").
+	Kind string `protobuf:"bytes,1,opt,name=kind,proto3" json:"kind,omitempty"`
+	// version is the resource version.
+	Version string `protobuf:"bytes,2,opt,name=version,proto3" json:"version,omitempty"`
+	// metadata is the unique notification identifier metadata.
+	Metadata *v1.Metadata `protobuf:"bytes,3,opt,name=metadata,proto3" json:"metadata,omitempty"`
+	// spec is the unique notification identifier spec.
+	Spec          *UniqueNotificationIdentifierSpec `protobuf:"bytes,5,opt,name=spec,proto3" json:"spec,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *UniqueNotificationIdentifier) Reset() {
+	*x = UniqueNotificationIdentifier{}
+	mi := &file_teleport_notifications_v1_notifications_proto_msgTypes[12]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *UniqueNotificationIdentifier) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*UniqueNotificationIdentifier) ProtoMessage() {}
+
+func (x *UniqueNotificationIdentifier) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_notifications_v1_notifications_proto_msgTypes[12]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use UniqueNotificationIdentifier.ProtoReflect.Descriptor instead.
+func (*UniqueNotificationIdentifier) Descriptor() ([]byte, []int) {
+	return file_teleport_notifications_v1_notifications_proto_rawDescGZIP(), []int{12}
+}
+
+func (x *UniqueNotificationIdentifier) GetKind() string {
+	if x != nil {
+		return x.Kind
+	}
+	return ""
+}
+
+func (x *UniqueNotificationIdentifier) GetVersion() string {
+	if x != nil {
+		return x.Version
+	}
+	return ""
+}
+
+func (x *UniqueNotificationIdentifier) GetMetadata() *v1.Metadata {
+	if x != nil {
+		return x.Metadata
+	}
+	return nil
+}
+
+func (x *UniqueNotificationIdentifier) GetSpec() *UniqueNotificationIdentifierSpec {
+	if x != nil {
+		return x.Spec
+	}
+	return nil
+}
+
+// UniqueNotificationIdentifierSpec is the unique notification identifier specification.
+type UniqueNotificationIdentifierSpec struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// unique_identifier is the unique identifier string. This is what is used to keep track of the unique notification and what is used in the resource's backend key.
+	UniqueIdentifier string `protobuf:"bytes,1,opt,name=unique_identifier,json=uniqueIdentifier,proto3" json:"unique_identifier,omitempty"`
+	// unique_identifier_prefix is the prefix for this unique notiifcation identifier, this is used to group notification identifiers together, eg. "access_list_30d_reminder"
+	UniqueIdentifierPrefix string `protobuf:"bytes,2,opt,name=unique_identifier_prefix,json=uniqueIdentifierPrefix,proto3" json:"unique_identifier_prefix,omitempty"`
+	unknownFields          protoimpl.UnknownFields
+	sizeCache              protoimpl.SizeCache
+}
+
+func (x *UniqueNotificationIdentifierSpec) Reset() {
+	*x = UniqueNotificationIdentifierSpec{}
+	mi := &file_teleport_notifications_v1_notifications_proto_msgTypes[13]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *UniqueNotificationIdentifierSpec) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*UniqueNotificationIdentifierSpec) ProtoMessage() {}
+
+func (x *UniqueNotificationIdentifierSpec) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_notifications_v1_notifications_proto_msgTypes[13]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use UniqueNotificationIdentifierSpec.ProtoReflect.Descriptor instead.
+func (*UniqueNotificationIdentifierSpec) Descriptor() ([]byte, []int) {
+	return file_teleport_notifications_v1_notifications_proto_rawDescGZIP(), []int{13}
+}
+
+func (x *UniqueNotificationIdentifierSpec) GetUniqueIdentifier() string {
+	if x != nil {
+		return x.UniqueIdentifier
+	}
+	return ""
+}
+
+func (x *UniqueNotificationIdentifierSpec) GetUniqueIdentifierPrefix() string {
+	if x != nil {
+		return x.UniqueIdentifierPrefix
+	}
+	return ""
+}
+
 var File_teleport_notifications_v1_notifications_proto protoreflect.FileDescriptor
 
-var file_teleport_notifications_v1_notifications_proto_rawDesc = []byte{
+var file_teleport_notifications_v1_notifications_proto_rawDesc = string([]byte{
 	0x0a, 0x2d, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6e, 0x6f, 0x74, 0x69, 0x66,
 	0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x76, 0x31, 0x2f, 0x6e, 0x6f, 0x74, 0x69,
 	0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12,
@@ -1056,78 +1190,105 @@ var file_teleport_notifications_v1_notifications_proto_rawDesc = []byte{
 	0x61, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x65, 0x6e, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x18, 0x01, 0x20,
 	0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f,
 	0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52,
-	0x0c, 0x6c, 0x61, 0x73, 0x74, 0x53, 0x65, 0x65, 0x6e, 0x54, 0x69, 0x6d, 0x65, 0x2a, 0x79, 0x0a,
-	0x11, 0x4e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x61,
-	0x74, 0x65, 0x12, 0x22, 0x0a, 0x1e, 0x4e, 0x4f, 0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x49,
-	0x4f, 0x4e, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49,
-	0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x1e, 0x0a, 0x1a, 0x4e, 0x4f, 0x54, 0x49, 0x46, 0x49,
-	0x43, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x45, 0x5f, 0x43, 0x4c, 0x49,
-	0x43, 0x4b, 0x45, 0x44, 0x10, 0x01, 0x12, 0x20, 0x0a, 0x1c, 0x4e, 0x4f, 0x54, 0x49, 0x46, 0x49,
-	0x43, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x45, 0x5f, 0x44, 0x49, 0x53,
-	0x4d, 0x49, 0x53, 0x53, 0x45, 0x44, 0x10, 0x02, 0x42, 0x5e, 0x5a, 0x5c, 0x67, 0x69, 0x74, 0x68,
-	0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76, 0x69, 0x74, 0x61, 0x74, 0x69,
-	0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70,
-	0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74,
-	0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61,
-	0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x76, 0x31, 0x3b, 0x6e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63,
-	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+	0x0c, 0x6c, 0x61, 0x73, 0x74, 0x53, 0x65, 0x65, 0x6e, 0x54, 0x69, 0x6d, 0x65, 0x22, 0xd7, 0x01,
+	0x0a, 0x1c, 0x55, 0x6e, 0x69, 0x71, 0x75, 0x65, 0x4e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61,
+	0x74, 0x69, 0x6f, 0x6e, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x12, 0x12,
+	0x0a, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6b, 0x69,
+	0x6e, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x38, 0x0a, 0x08,
+	0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c,
+	0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72,
+	0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65,
+	0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x4f, 0x0a, 0x04, 0x73, 0x70, 0x65, 0x63, 0x18, 0x05,
+	0x20, 0x01, 0x28, 0x0b, 0x32, 0x3b, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e,
+	0x6e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31,
+	0x2e, 0x55, 0x6e, 0x69, 0x71, 0x75, 0x65, 0x4e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74,
+	0x69, 0x6f, 0x6e, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x53, 0x70, 0x65,
+	0x63, 0x52, 0x04, 0x73, 0x70, 0x65, 0x63, 0x22, 0x89, 0x01, 0x0a, 0x20, 0x55, 0x6e, 0x69, 0x71,
+	0x75, 0x65, 0x4e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x64,
+	0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x53, 0x70, 0x65, 0x63, 0x12, 0x2b, 0x0a, 0x11,
+	0x75, 0x6e, 0x69, 0x71, 0x75, 0x65, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65,
+	0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x10, 0x75, 0x6e, 0x69, 0x71, 0x75, 0x65, 0x49,
+	0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x12, 0x38, 0x0a, 0x18, 0x75, 0x6e, 0x69,
+	0x71, 0x75, 0x65, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x5f, 0x70,
+	0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x16, 0x75, 0x6e, 0x69,
+	0x71, 0x75, 0x65, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x50, 0x72, 0x65,
+	0x66, 0x69, 0x78, 0x2a, 0x79, 0x0a, 0x11, 0x4e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74,
+	0x69, 0x6f, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x22, 0x0a, 0x1e, 0x4e, 0x4f, 0x54, 0x49,
+	0x46, 0x49, 0x43, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x45, 0x5f, 0x55,
+	0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x1e, 0x0a, 0x1a,
+	0x4e, 0x4f, 0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x53, 0x54, 0x41,
+	0x54, 0x45, 0x5f, 0x43, 0x4c, 0x49, 0x43, 0x4b, 0x45, 0x44, 0x10, 0x01, 0x12, 0x20, 0x0a, 0x1c,
+	0x4e, 0x4f, 0x54, 0x49, 0x46, 0x49, 0x43, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x53, 0x54, 0x41,
+	0x54, 0x45, 0x5f, 0x44, 0x49, 0x53, 0x4d, 0x49, 0x53, 0x53, 0x45, 0x44, 0x10, 0x02, 0x42, 0x5e,
+	0x5a, 0x5c, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61,
+	0x76, 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70,
+	0x6f, 0x72, 0x74, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6e, 0x6f,
+	0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x76, 0x31, 0x3b, 0x6e,
+	0x6f, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x76, 0x31, 0x62, 0x06,
+	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+})
 
 var (
 	file_teleport_notifications_v1_notifications_proto_rawDescOnce sync.Once
-	file_teleport_notifications_v1_notifications_proto_rawDescData = file_teleport_notifications_v1_notifications_proto_rawDesc
+	file_teleport_notifications_v1_notifications_proto_rawDescData []byte
 )
 
 func file_teleport_notifications_v1_notifications_proto_rawDescGZIP() []byte {
 	file_teleport_notifications_v1_notifications_proto_rawDescOnce.Do(func() {
-		file_teleport_notifications_v1_notifications_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_notifications_v1_notifications_proto_rawDescData)
+		file_teleport_notifications_v1_notifications_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_notifications_v1_notifications_proto_rawDesc), len(file_teleport_notifications_v1_notifications_proto_rawDesc)))
 	})
 	return file_teleport_notifications_v1_notifications_proto_rawDescData
 }
 
 var file_teleport_notifications_v1_notifications_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
-var file_teleport_notifications_v1_notifications_proto_msgTypes = make([]protoimpl.MessageInfo, 12)
+var file_teleport_notifications_v1_notifications_proto_msgTypes = make([]protoimpl.MessageInfo, 14)
 var file_teleport_notifications_v1_notifications_proto_goTypes = []any{
-	(NotificationState)(0),                 // 0: teleport.notifications.v1.NotificationState
-	(*Notification)(nil),                   // 1: teleport.notifications.v1.Notification
-	(*NotificationSpec)(nil),               // 2: teleport.notifications.v1.NotificationSpec
-	(*GlobalNotification)(nil),             // 3: teleport.notifications.v1.GlobalNotification
-	(*GlobalNotificationSpec)(nil),         // 4: teleport.notifications.v1.GlobalNotificationSpec
-	(*ByPermissions)(nil),                  // 5: teleport.notifications.v1.ByPermissions
-	(*ByRoles)(nil),                        // 6: teleport.notifications.v1.ByRoles
-	(*UserNotificationState)(nil),          // 7: teleport.notifications.v1.UserNotificationState
-	(*UserNotificationStateSpec)(nil),      // 8: teleport.notifications.v1.UserNotificationStateSpec
-	(*UserNotificationStateStatus)(nil),    // 9: teleport.notifications.v1.UserNotificationStateStatus
-	(*UserLastSeenNotification)(nil),       // 10: teleport.notifications.v1.UserLastSeenNotification
-	(*UserLastSeenNotificationSpec)(nil),   // 11: teleport.notifications.v1.UserLastSeenNotificationSpec
-	(*UserLastSeenNotificationStatus)(nil), // 12: teleport.notifications.v1.UserLastSeenNotificationStatus
-	(*v1.Metadata)(nil),                    // 13: teleport.header.v1.Metadata
-	(*timestamppb.Timestamp)(nil),          // 14: google.protobuf.Timestamp
-	(*types.RoleConditions)(nil),           // 15: types.RoleConditions
+	(NotificationState)(0),                   // 0: teleport.notifications.v1.NotificationState
+	(*Notification)(nil),                     // 1: teleport.notifications.v1.Notification
+	(*NotificationSpec)(nil),                 // 2: teleport.notifications.v1.NotificationSpec
+	(*GlobalNotification)(nil),               // 3: teleport.notifications.v1.GlobalNotification
+	(*GlobalNotificationSpec)(nil),           // 4: teleport.notifications.v1.GlobalNotificationSpec
+	(*ByPermissions)(nil),                    // 5: teleport.notifications.v1.ByPermissions
+	(*ByRoles)(nil),                          // 6: teleport.notifications.v1.ByRoles
+	(*UserNotificationState)(nil),            // 7: teleport.notifications.v1.UserNotificationState
+	(*UserNotificationStateSpec)(nil),        // 8: teleport.notifications.v1.UserNotificationStateSpec
+	(*UserNotificationStateStatus)(nil),      // 9: teleport.notifications.v1.UserNotificationStateStatus
+	(*UserLastSeenNotification)(nil),         // 10: teleport.notifications.v1.UserLastSeenNotification
+	(*UserLastSeenNotificationSpec)(nil),     // 11: teleport.notifications.v1.UserLastSeenNotificationSpec
+	(*UserLastSeenNotificationStatus)(nil),   // 12: teleport.notifications.v1.UserLastSeenNotificationStatus
+	(*UniqueNotificationIdentifier)(nil),     // 13: teleport.notifications.v1.UniqueNotificationIdentifier
+	(*UniqueNotificationIdentifierSpec)(nil), // 14: teleport.notifications.v1.UniqueNotificationIdentifierSpec
+	(*v1.Metadata)(nil),                      // 15: teleport.header.v1.Metadata
+	(*timestamppb.Timestamp)(nil),            // 16: google.protobuf.Timestamp
+	(*types.RoleConditions)(nil),             // 17: types.RoleConditions
 }
 var file_teleport_notifications_v1_notifications_proto_depIdxs = []int32{
-	13, // 0: teleport.notifications.v1.Notification.metadata:type_name -> teleport.header.v1.Metadata
+	15, // 0: teleport.notifications.v1.Notification.metadata:type_name -> teleport.header.v1.Metadata
 	2,  // 1: teleport.notifications.v1.Notification.spec:type_name -> teleport.notifications.v1.NotificationSpec
-	14, // 2: teleport.notifications.v1.NotificationSpec.created:type_name -> google.protobuf.Timestamp
-	13, // 3: teleport.notifications.v1.GlobalNotification.metadata:type_name -> teleport.header.v1.Metadata
+	16, // 2: teleport.notifications.v1.NotificationSpec.created:type_name -> google.protobuf.Timestamp
+	15, // 3: teleport.notifications.v1.GlobalNotification.metadata:type_name -> teleport.header.v1.Metadata
 	4,  // 4: teleport.notifications.v1.GlobalNotification.spec:type_name -> teleport.notifications.v1.GlobalNotificationSpec
 	5,  // 5: teleport.notifications.v1.GlobalNotificationSpec.by_permissions:type_name -> teleport.notifications.v1.ByPermissions
 	6,  // 6: teleport.notifications.v1.GlobalNotificationSpec.by_roles:type_name -> teleport.notifications.v1.ByRoles
 	1,  // 7: teleport.notifications.v1.GlobalNotificationSpec.notification:type_name -> teleport.notifications.v1.Notification
-	15, // 8: teleport.notifications.v1.ByPermissions.role_conditions:type_name -> types.RoleConditions
-	13, // 9: teleport.notifications.v1.UserNotificationState.metadata:type_name -> teleport.header.v1.Metadata
+	17, // 8: teleport.notifications.v1.ByPermissions.role_conditions:type_name -> types.RoleConditions
+	15, // 9: teleport.notifications.v1.UserNotificationState.metadata:type_name -> teleport.header.v1.Metadata
 	8,  // 10: teleport.notifications.v1.UserNotificationState.spec:type_name -> teleport.notifications.v1.UserNotificationStateSpec
 	9,  // 11: teleport.notifications.v1.UserNotificationState.status:type_name -> teleport.notifications.v1.UserNotificationStateStatus
 	0,  // 12: teleport.notifications.v1.UserNotificationStateStatus.notification_state:type_name -> teleport.notifications.v1.NotificationState
-	13, // 13: teleport.notifications.v1.UserLastSeenNotification.metadata:type_name -> teleport.header.v1.Metadata
+	15, // 13: teleport.notifications.v1.UserLastSeenNotification.metadata:type_name -> teleport.header.v1.Metadata
 	11, // 14: teleport.notifications.v1.UserLastSeenNotification.spec:type_name -> teleport.notifications.v1.UserLastSeenNotificationSpec
 	12, // 15: teleport.notifications.v1.UserLastSeenNotification.status:type_name -> teleport.notifications.v1.UserLastSeenNotificationStatus
-	14, // 16: teleport.notifications.v1.UserLastSeenNotificationStatus.last_seen_time:type_name -> google.protobuf.Timestamp
-	17, // [17:17] is the sub-list for method output_type
-	17, // [17:17] is the sub-list for method input_type
-	17, // [17:17] is the sub-list for extension type_name
-	17, // [17:17] is the sub-list for extension extendee
-	0,  // [0:17] is the sub-list for field type_name
+	16, // 16: teleport.notifications.v1.UserLastSeenNotificationStatus.last_seen_time:type_name -> google.protobuf.Timestamp
+	15, // 17: teleport.notifications.v1.UniqueNotificationIdentifier.metadata:type_name -> teleport.header.v1.Metadata
+	14, // 18: teleport.notifications.v1.UniqueNotificationIdentifier.spec:type_name -> teleport.notifications.v1.UniqueNotificationIdentifierSpec
+	19, // [19:19] is the sub-list for method output_type
+	19, // [19:19] is the sub-list for method input_type
+	19, // [19:19] is the sub-list for extension type_name
+	19, // [19:19] is the sub-list for extension extendee
+	0,  // [0:19] is the sub-list for field type_name
 }
 
 func init() { file_teleport_notifications_v1_notifications_proto_init() }
@@ -1144,9 +1305,9 @@ func file_teleport_notifications_v1_notifications_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_notifications_v1_notifications_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_notifications_v1_notifications_proto_rawDesc), len(file_teleport_notifications_v1_notifications_proto_rawDesc)),
 			NumEnums:      1,
-			NumMessages:   12,
+			NumMessages:   14,
 			NumExtensions: 0,
 			NumServices:   0,
 		},
@@ -1156,7 +1317,6 @@ func file_teleport_notifications_v1_notifications_proto_init() {
 		MessageInfos:      file_teleport_notifications_v1_notifications_proto_msgTypes,
 	}.Build()
 	File_teleport_notifications_v1_notifications_proto = out.File
-	file_teleport_notifications_v1_notifications_proto_rawDesc = nil
 	file_teleport_notifications_v1_notifications_proto_goTypes = nil
 	file_teleport_notifications_v1_notifications_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/notifications/v1/notifications_service.pb.go b/api/gen/proto/go/teleport/notifications/v1/notifications_service.pb.go
index 36a028e3c81c0..5e72621f28dcd 100644
--- a/api/gen/proto/go/teleport/notifications/v1/notifications_service.pb.go
+++ b/api/gen/proto/go/teleport/notifications/v1/notifications_service.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/notifications/v1/notifications_service.proto
 
@@ -30,6 +30,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -554,7 +555,7 @@ func (x *UpsertUserLastSeenNotificationRequest) GetUserLastSeenNotification() *U
 
 var File_teleport_notifications_v1_notifications_service_proto protoreflect.FileDescriptor
 
-var file_teleport_notifications_v1_notifications_service_proto_rawDesc = []byte{
+var file_teleport_notifications_v1_notifications_service_proto_rawDesc = string([]byte{
 	0x0a, 0x35, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6e, 0x6f, 0x74, 0x69, 0x66,
 	0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x76, 0x31, 0x2f, 0x6e, 0x6f, 0x74, 0x69,
 	0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63,
@@ -726,16 +727,16 @@ var file_teleport_notifications_v1_notifications_service_proto_rawDesc = []byte{
 	0x2f, 0x6e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x76,
 	0x31, 0x3b, 0x6e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x76,
 	0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_notifications_v1_notifications_service_proto_rawDescOnce sync.Once
-	file_teleport_notifications_v1_notifications_service_proto_rawDescData = file_teleport_notifications_v1_notifications_service_proto_rawDesc
+	file_teleport_notifications_v1_notifications_service_proto_rawDescData []byte
 )
 
 func file_teleport_notifications_v1_notifications_service_proto_rawDescGZIP() []byte {
 	file_teleport_notifications_v1_notifications_service_proto_rawDescOnce.Do(func() {
-		file_teleport_notifications_v1_notifications_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_notifications_v1_notifications_service_proto_rawDescData)
+		file_teleport_notifications_v1_notifications_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_notifications_v1_notifications_service_proto_rawDesc), len(file_teleport_notifications_v1_notifications_service_proto_rawDesc)))
 	})
 	return file_teleport_notifications_v1_notifications_service_proto_rawDescData
 }
@@ -799,7 +800,7 @@ func file_teleport_notifications_v1_notifications_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_notifications_v1_notifications_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_notifications_v1_notifications_service_proto_rawDesc), len(file_teleport_notifications_v1_notifications_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   10,
 			NumExtensions: 0,
@@ -810,7 +811,6 @@ func file_teleport_notifications_v1_notifications_service_proto_init() {
 		MessageInfos:      file_teleport_notifications_v1_notifications_service_proto_msgTypes,
 	}.Build()
 	File_teleport_notifications_v1_notifications_service_proto = out.File
-	file_teleport_notifications_v1_notifications_service_proto_rawDesc = nil
 	file_teleport_notifications_v1_notifications_service_proto_goTypes = nil
 	file_teleport_notifications_v1_notifications_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/okta/v1/okta_service.pb.go b/api/gen/proto/go/teleport/okta/v1/okta_service.pb.go
index bb9386fea7455..341c409e2ccaa 100644
--- a/api/gen/proto/go/teleport/okta/v1/okta_service.pb.go
+++ b/api/gen/proto/go/teleport/okta/v1/okta_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/okta/v1/okta_service.proto
 
@@ -28,6 +28,7 @@ import (
 	emptypb "google.golang.org/protobuf/types/known/emptypb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -1769,7 +1770,7 @@ func (x *GetGroupsResponse_Group) GetDescription() string {
 
 var File_teleport_okta_v1_okta_service_proto protoreflect.FileDescriptor
 
-var file_teleport_okta_v1_okta_service_proto_rawDesc = []byte{
+var file_teleport_okta_v1_okta_service_proto_rawDesc = string([]byte{
 	0x0a, 0x23, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6f, 0x6b, 0x74, 0x61, 0x2f,
 	0x76, 0x31, 0x2f, 0x6f, 0x6b, 0x74, 0x61, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e,
 	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x10, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e,
@@ -2144,16 +2145,16 @@ var file_teleport_okta_v1_okta_service_proto_rawDesc = []byte{
 	0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70,
 	0x6f, 0x72, 0x74, 0x2f, 0x6f, 0x6b, 0x74, 0x61, 0x2f, 0x76, 0x31, 0x3b, 0x6f, 0x6b, 0x74, 0x61,
 	0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_okta_v1_okta_service_proto_rawDescOnce sync.Once
-	file_teleport_okta_v1_okta_service_proto_rawDescData = file_teleport_okta_v1_okta_service_proto_rawDesc
+	file_teleport_okta_v1_okta_service_proto_rawDescData []byte
 )
 
 func file_teleport_okta_v1_okta_service_proto_rawDescGZIP() []byte {
 	file_teleport_okta_v1_okta_service_proto_rawDescOnce.Do(func() {
-		file_teleport_okta_v1_okta_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_okta_v1_okta_service_proto_rawDescData)
+		file_teleport_okta_v1_okta_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_okta_v1_okta_service_proto_rawDesc), len(file_teleport_okta_v1_okta_service_proto_rawDesc)))
 	})
 	return file_teleport_okta_v1_okta_service_proto_rawDescData
 }
@@ -2275,7 +2276,7 @@ func file_teleport_okta_v1_okta_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_okta_v1_okta_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_okta_v1_okta_service_proto_rawDesc), len(file_teleport_okta_v1_okta_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   30,
 			NumExtensions: 0,
@@ -2286,7 +2287,6 @@ func file_teleport_okta_v1_okta_service_proto_init() {
 		MessageInfos:      file_teleport_okta_v1_okta_service_proto_msgTypes,
 	}.Build()
 	File_teleport_okta_v1_okta_service_proto = out.File
-	file_teleport_okta_v1_okta_service_proto_rawDesc = nil
 	file_teleport_okta_v1_okta_service_proto_goTypes = nil
 	file_teleport_okta_v1_okta_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/plugins/v1/plugin_service.pb.go b/api/gen/proto/go/teleport/plugins/v1/plugin_service.pb.go
index 1f4a3135140c9..33b1a664e3e29 100644
--- a/api/gen/proto/go/teleport/plugins/v1/plugin_service.pb.go
+++ b/api/gen/proto/go/teleport/plugins/v1/plugin_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/plugins/v1/plugin_service.proto
 
@@ -27,6 +27,7 @@ import (
 	emptypb "google.golang.org/protobuf/types/known/emptypb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -910,7 +911,7 @@ func (x *CleanupRequest) GetType() string {
 
 var File_teleport_plugins_v1_plugin_service_proto protoreflect.FileDescriptor
 
-var file_teleport_plugins_v1_plugin_service_proto_rawDesc = []byte{
+var file_teleport_plugins_v1_plugin_service_proto_rawDesc = string([]byte{
 	0x0a, 0x28, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x70, 0x6c, 0x75, 0x67, 0x69,
 	0x6e, 0x73, 0x2f, 0x76, 0x31, 0x2f, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x5f, 0x73, 0x65, 0x72,
 	0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x13, 0x74, 0x65, 0x6c, 0x65,
@@ -1109,16 +1110,16 @@ var file_teleport_plugins_v1_plugin_service_proto_rawDesc = []byte{
 	0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x73, 0x2f, 0x76, 0x31,
 	0x3b, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x73, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
 	0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_plugins_v1_plugin_service_proto_rawDescOnce sync.Once
-	file_teleport_plugins_v1_plugin_service_proto_rawDescData = file_teleport_plugins_v1_plugin_service_proto_rawDesc
+	file_teleport_plugins_v1_plugin_service_proto_rawDescData []byte
 )
 
 func file_teleport_plugins_v1_plugin_service_proto_rawDescGZIP() []byte {
 	file_teleport_plugins_v1_plugin_service_proto_rawDescOnce.Do(func() {
-		file_teleport_plugins_v1_plugin_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_plugins_v1_plugin_service_proto_rawDescData)
+		file_teleport_plugins_v1_plugin_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_plugins_v1_plugin_service_proto_rawDesc), len(file_teleport_plugins_v1_plugin_service_proto_rawDesc)))
 	})
 	return file_teleport_plugins_v1_plugin_service_proto_rawDescData
 }
@@ -1203,7 +1204,7 @@ func file_teleport_plugins_v1_plugin_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_plugins_v1_plugin_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_plugins_v1_plugin_service_proto_rawDesc), len(file_teleport_plugins_v1_plugin_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   18,
 			NumExtensions: 0,
@@ -1214,7 +1215,6 @@ func file_teleport_plugins_v1_plugin_service_proto_init() {
 		MessageInfos:      file_teleport_plugins_v1_plugin_service_proto_msgTypes,
 	}.Build()
 	File_teleport_plugins_v1_plugin_service_proto = out.File
-	file_teleport_plugins_v1_plugin_service_proto_rawDesc = nil
 	file_teleport_plugins_v1_plugin_service_proto_goTypes = nil
 	file_teleport_plugins_v1_plugin_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/presence/v1/service.pb.go b/api/gen/proto/go/teleport/presence/v1/service.pb.go
index 5b40df5cfae76..bfb1fa9a63b56 100644
--- a/api/gen/proto/go/teleport/presence/v1/service.pb.go
+++ b/api/gen/proto/go/teleport/presence/v1/service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/presence/v1/service.proto
 
@@ -28,6 +28,7 @@ import (
 	fieldmaskpb "google.golang.org/protobuf/types/known/fieldmaskpb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -505,7 +506,7 @@ func (x *DeleteReverseTunnelRequest) GetName() string {
 
 var File_teleport_presence_v1_service_proto protoreflect.FileDescriptor
 
-var file_teleport_presence_v1_service_proto_rawDesc = []byte{
+var file_teleport_presence_v1_service_proto_rawDesc = string([]byte{
 	0x0a, 0x22, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x70, 0x72, 0x65, 0x73, 0x65,
 	0x6e, 0x63, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70,
 	0x72, 0x6f, 0x74, 0x6f, 0x12, 0x14, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x70,
@@ -621,16 +622,16 @@ var file_teleport_presence_v1_service_proto_rawDesc = []byte{
 	0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x70, 0x72,
 	0x65, 0x73, 0x65, 0x6e, 0x63, 0x65, 0x2f, 0x76, 0x31, 0x3b, 0x70, 0x72, 0x65, 0x73, 0x65, 0x6e,
 	0x63, 0x65, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_presence_v1_service_proto_rawDescOnce sync.Once
-	file_teleport_presence_v1_service_proto_rawDescData = file_teleport_presence_v1_service_proto_rawDesc
+	file_teleport_presence_v1_service_proto_rawDescData []byte
 )
 
 func file_teleport_presence_v1_service_proto_rawDescGZIP() []byte {
 	file_teleport_presence_v1_service_proto_rawDescOnce.Do(func() {
-		file_teleport_presence_v1_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_presence_v1_service_proto_rawDescData)
+		file_teleport_presence_v1_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_presence_v1_service_proto_rawDesc), len(file_teleport_presence_v1_service_proto_rawDesc)))
 	})
 	return file_teleport_presence_v1_service_proto_rawDescData
 }
@@ -687,7 +688,7 @@ func file_teleport_presence_v1_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_presence_v1_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_presence_v1_service_proto_rawDesc), len(file_teleport_presence_v1_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   9,
 			NumExtensions: 0,
@@ -698,7 +699,6 @@ func file_teleport_presence_v1_service_proto_init() {
 		MessageInfos:      file_teleport_presence_v1_service_proto_msgTypes,
 	}.Build()
 	File_teleport_presence_v1_service_proto = out.File
-	file_teleport_presence_v1_service_proto_rawDesc = nil
 	file_teleport_presence_v1_service_proto_goTypes = nil
 	file_teleport_presence_v1_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/provisioning/v1/provisioning.pb.go b/api/gen/proto/go/teleport/provisioning/v1/provisioning.pb.go
index 0cbbee3100780..1c38640131b38 100644
--- a/api/gen/proto/go/teleport/provisioning/v1/provisioning.pb.go
+++ b/api/gen/proto/go/teleport/provisioning/v1/provisioning.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/provisioning/v1/provisioning.proto
 
@@ -27,6 +27,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -411,7 +412,7 @@ func (x *PrincipalStateStatus) GetActiveLocks() []string {
 
 var File_teleport_provisioning_v1_provisioning_proto protoreflect.FileDescriptor
 
-var file_teleport_provisioning_v1_provisioning_proto_rawDesc = []byte{
+var file_teleport_provisioning_v1_provisioning_proto_rawDesc = string([]byte{
 	0x0a, 0x2b, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x70, 0x72, 0x6f, 0x76, 0x69,
 	0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31, 0x2f, 0x70, 0x72, 0x6f, 0x76, 0x69,
 	0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x18, 0x74,
@@ -495,16 +496,16 @@ var file_teleport_provisioning_v1_provisioning_proto_rawDesc = []byte{
 	0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x73,
 	0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31, 0x3b, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x73,
 	0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_provisioning_v1_provisioning_proto_rawDescOnce sync.Once
-	file_teleport_provisioning_v1_provisioning_proto_rawDescData = file_teleport_provisioning_v1_provisioning_proto_rawDesc
+	file_teleport_provisioning_v1_provisioning_proto_rawDescData []byte
 )
 
 func file_teleport_provisioning_v1_provisioning_proto_rawDescGZIP() []byte {
 	file_teleport_provisioning_v1_provisioning_proto_rawDescOnce.Do(func() {
-		file_teleport_provisioning_v1_provisioning_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_provisioning_v1_provisioning_proto_rawDescData)
+		file_teleport_provisioning_v1_provisioning_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_provisioning_v1_provisioning_proto_rawDesc), len(file_teleport_provisioning_v1_provisioning_proto_rawDesc)))
 	})
 	return file_teleport_provisioning_v1_provisioning_proto_rawDescData
 }
@@ -543,7 +544,7 @@ func file_teleport_provisioning_v1_provisioning_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_provisioning_v1_provisioning_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_provisioning_v1_provisioning_proto_rawDesc), len(file_teleport_provisioning_v1_provisioning_proto_rawDesc)),
 			NumEnums:      2,
 			NumMessages:   3,
 			NumExtensions: 0,
@@ -555,7 +556,6 @@ func file_teleport_provisioning_v1_provisioning_proto_init() {
 		MessageInfos:      file_teleport_provisioning_v1_provisioning_proto_msgTypes,
 	}.Build()
 	File_teleport_provisioning_v1_provisioning_proto = out.File
-	file_teleport_provisioning_v1_provisioning_proto_rawDesc = nil
 	file_teleport_provisioning_v1_provisioning_proto_goTypes = nil
 	file_teleport_provisioning_v1_provisioning_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/provisioning/v1/provisioning_service.pb.go b/api/gen/proto/go/teleport/provisioning/v1/provisioning_service.pb.go
index 1d882ff8353a2..ef2729e27fc0a 100644
--- a/api/gen/proto/go/teleport/provisioning/v1/provisioning_service.pb.go
+++ b/api/gen/proto/go/teleport/provisioning/v1/provisioning_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/provisioning/v1/provisioning_service.proto
 
@@ -26,6 +26,7 @@ import (
 	emptypb "google.golang.org/protobuf/types/known/emptypb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -84,7 +85,7 @@ func (x *DeleteDownstreamProvisioningStatesRequest) GetDownstreamId() string {
 
 var File_teleport_provisioning_v1_provisioning_service_proto protoreflect.FileDescriptor
 
-var file_teleport_provisioning_v1_provisioning_service_proto_rawDesc = []byte{
+var file_teleport_provisioning_v1_provisioning_service_proto_rawDesc = string([]byte{
 	0x0a, 0x33, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x70, 0x72, 0x6f, 0x76, 0x69,
 	0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31, 0x2f, 0x70, 0x72, 0x6f, 0x76, 0x69,
 	0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e,
@@ -113,16 +114,16 @@ var file_teleport_provisioning_v1_provisioning_service_proto_rawDesc = []byte{
 	0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x73,
 	0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31, 0x3b, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x73,
 	0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_provisioning_v1_provisioning_service_proto_rawDescOnce sync.Once
-	file_teleport_provisioning_v1_provisioning_service_proto_rawDescData = file_teleport_provisioning_v1_provisioning_service_proto_rawDesc
+	file_teleport_provisioning_v1_provisioning_service_proto_rawDescData []byte
 )
 
 func file_teleport_provisioning_v1_provisioning_service_proto_rawDescGZIP() []byte {
 	file_teleport_provisioning_v1_provisioning_service_proto_rawDescOnce.Do(func() {
-		file_teleport_provisioning_v1_provisioning_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_provisioning_v1_provisioning_service_proto_rawDescData)
+		file_teleport_provisioning_v1_provisioning_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_provisioning_v1_provisioning_service_proto_rawDesc), len(file_teleport_provisioning_v1_provisioning_service_proto_rawDesc)))
 	})
 	return file_teleport_provisioning_v1_provisioning_service_proto_rawDescData
 }
@@ -151,7 +152,7 @@ func file_teleport_provisioning_v1_provisioning_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_provisioning_v1_provisioning_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_provisioning_v1_provisioning_service_proto_rawDesc), len(file_teleport_provisioning_v1_provisioning_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   1,
 			NumExtensions: 0,
@@ -162,7 +163,6 @@ func file_teleport_provisioning_v1_provisioning_service_proto_init() {
 		MessageInfos:      file_teleport_provisioning_v1_provisioning_service_proto_msgTypes,
 	}.Build()
 	File_teleport_provisioning_v1_provisioning_service_proto = out.File
-	file_teleport_provisioning_v1_provisioning_service_proto_rawDesc = nil
 	file_teleport_provisioning_v1_provisioning_service_proto_goTypes = nil
 	file_teleport_provisioning_v1_provisioning_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/resourceusage/v1/access_requests.pb.go b/api/gen/proto/go/teleport/resourceusage/v1/access_requests.pb.go
index edda35aa004fb..bb4f9b3189246 100644
--- a/api/gen/proto/go/teleport/resourceusage/v1/access_requests.pb.go
+++ b/api/gen/proto/go/teleport/resourceusage/v1/access_requests.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/resourceusage/v1/access_requests.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -92,7 +93,7 @@ func (x *AccessRequestsUsage) GetMonthlyUsed() int32 {
 
 var File_teleport_resourceusage_v1_access_requests_proto protoreflect.FileDescriptor
 
-var file_teleport_resourceusage_v1_access_requests_proto_rawDesc = []byte{
+var file_teleport_resourceusage_v1_access_requests_proto_rawDesc = string([]byte{
 	0x0a, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75,
 	0x72, 0x63, 0x65, 0x75, 0x73, 0x61, 0x67, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x63, 0x63, 0x65,
 	0x73, 0x73, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74,
@@ -111,16 +112,16 @@ var file_teleport_resourceusage_v1_access_requests_proto_rawDesc = []byte{
 	0x72, 0x63, 0x65, 0x75, 0x73, 0x61, 0x67, 0x65, 0x2f, 0x76, 0x31, 0x3b, 0x72, 0x65, 0x73, 0x6f,
 	0x75, 0x72, 0x63, 0x65, 0x75, 0x73, 0x61, 0x67, 0x65, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f,
 	0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_resourceusage_v1_access_requests_proto_rawDescOnce sync.Once
-	file_teleport_resourceusage_v1_access_requests_proto_rawDescData = file_teleport_resourceusage_v1_access_requests_proto_rawDesc
+	file_teleport_resourceusage_v1_access_requests_proto_rawDescData []byte
 )
 
 func file_teleport_resourceusage_v1_access_requests_proto_rawDescGZIP() []byte {
 	file_teleport_resourceusage_v1_access_requests_proto_rawDescOnce.Do(func() {
-		file_teleport_resourceusage_v1_access_requests_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_resourceusage_v1_access_requests_proto_rawDescData)
+		file_teleport_resourceusage_v1_access_requests_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_resourceusage_v1_access_requests_proto_rawDesc), len(file_teleport_resourceusage_v1_access_requests_proto_rawDesc)))
 	})
 	return file_teleport_resourceusage_v1_access_requests_proto_rawDescData
 }
@@ -146,7 +147,7 @@ func file_teleport_resourceusage_v1_access_requests_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_resourceusage_v1_access_requests_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_resourceusage_v1_access_requests_proto_rawDesc), len(file_teleport_resourceusage_v1_access_requests_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   1,
 			NumExtensions: 0,
@@ -157,7 +158,6 @@ func file_teleport_resourceusage_v1_access_requests_proto_init() {
 		MessageInfos:      file_teleport_resourceusage_v1_access_requests_proto_msgTypes,
 	}.Build()
 	File_teleport_resourceusage_v1_access_requests_proto = out.File
-	file_teleport_resourceusage_v1_access_requests_proto_rawDesc = nil
 	file_teleport_resourceusage_v1_access_requests_proto_goTypes = nil
 	file_teleport_resourceusage_v1_access_requests_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/resourceusage/v1/account_usage_type.pb.go b/api/gen/proto/go/teleport/resourceusage/v1/account_usage_type.pb.go
index dcea5253ff579..3bd423d241edc 100644
--- a/api/gen/proto/go/teleport/resourceusage/v1/account_usage_type.pb.go
+++ b/api/gen/proto/go/teleport/resourceusage/v1/account_usage_type.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/resourceusage/v1/account_usage_type.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -87,7 +88,7 @@ func (AccountUsageType) EnumDescriptor() ([]byte, []int) {
 
 var File_teleport_resourceusage_v1_account_usage_type_proto protoreflect.FileDescriptor
 
-var file_teleport_resourceusage_v1_account_usage_type_proto_rawDesc = []byte{
+var file_teleport_resourceusage_v1_account_usage_type_proto_rawDesc = string([]byte{
 	0x0a, 0x32, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75,
 	0x72, 0x63, 0x65, 0x75, 0x73, 0x61, 0x67, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x63, 0x63, 0x6f,
 	0x75, 0x6e, 0x74, 0x5f, 0x75, 0x73, 0x61, 0x67, 0x65, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x2e, 0x70,
@@ -108,16 +109,16 @@ var file_teleport_resourceusage_v1_account_usage_type_proto_rawDesc = []byte{
 	0x6f, 0x75, 0x72, 0x63, 0x65, 0x75, 0x73, 0x61, 0x67, 0x65, 0x2f, 0x76, 0x31, 0x3b, 0x72, 0x65,
 	0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x75, 0x73, 0x61, 0x67, 0x65, 0x76, 0x31, 0x62, 0x06, 0x70,
 	0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_resourceusage_v1_account_usage_type_proto_rawDescOnce sync.Once
-	file_teleport_resourceusage_v1_account_usage_type_proto_rawDescData = file_teleport_resourceusage_v1_account_usage_type_proto_rawDesc
+	file_teleport_resourceusage_v1_account_usage_type_proto_rawDescData []byte
 )
 
 func file_teleport_resourceusage_v1_account_usage_type_proto_rawDescGZIP() []byte {
 	file_teleport_resourceusage_v1_account_usage_type_proto_rawDescOnce.Do(func() {
-		file_teleport_resourceusage_v1_account_usage_type_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_resourceusage_v1_account_usage_type_proto_rawDescData)
+		file_teleport_resourceusage_v1_account_usage_type_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_resourceusage_v1_account_usage_type_proto_rawDesc), len(file_teleport_resourceusage_v1_account_usage_type_proto_rawDesc)))
 	})
 	return file_teleport_resourceusage_v1_account_usage_type_proto_rawDescData
 }
@@ -143,7 +144,7 @@ func file_teleport_resourceusage_v1_account_usage_type_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_resourceusage_v1_account_usage_type_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_resourceusage_v1_account_usage_type_proto_rawDesc), len(file_teleport_resourceusage_v1_account_usage_type_proto_rawDesc)),
 			NumEnums:      1,
 			NumMessages:   0,
 			NumExtensions: 0,
@@ -154,7 +155,6 @@ func file_teleport_resourceusage_v1_account_usage_type_proto_init() {
 		EnumInfos:         file_teleport_resourceusage_v1_account_usage_type_proto_enumTypes,
 	}.Build()
 	File_teleport_resourceusage_v1_account_usage_type_proto = out.File
-	file_teleport_resourceusage_v1_account_usage_type_proto_rawDesc = nil
 	file_teleport_resourceusage_v1_account_usage_type_proto_goTypes = nil
 	file_teleport_resourceusage_v1_account_usage_type_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/resourceusage/v1/device_trust.pb.go b/api/gen/proto/go/teleport/resourceusage/v1/device_trust.pb.go
index f9687e7a6f70f..7c49c687e2806 100644
--- a/api/gen/proto/go/teleport/resourceusage/v1/device_trust.pb.go
+++ b/api/gen/proto/go/teleport/resourceusage/v1/device_trust.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/resourceusage/v1/device_trust.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -94,7 +95,7 @@ func (x *DevicesUsage) GetDevicesInUse() int32 {
 
 var File_teleport_resourceusage_v1_device_trust_proto protoreflect.FileDescriptor
 
-var file_teleport_resourceusage_v1_device_trust_proto_rawDesc = []byte{
+var file_teleport_resourceusage_v1_device_trust_proto_rawDesc = string([]byte{
 	0x0a, 0x2c, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75,
 	0x72, 0x63, 0x65, 0x75, 0x73, 0x61, 0x67, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x64, 0x65, 0x76, 0x69,
 	0x63, 0x65, 0x5f, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x19,
@@ -113,16 +114,16 @@ var file_teleport_resourceusage_v1_device_trust_proto_rawDesc = []byte{
 	0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x75, 0x73, 0x61, 0x67, 0x65, 0x2f, 0x76, 0x31, 0x3b,
 	0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x75, 0x73, 0x61, 0x67, 0x65, 0x76, 0x31, 0x62,
 	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_resourceusage_v1_device_trust_proto_rawDescOnce sync.Once
-	file_teleport_resourceusage_v1_device_trust_proto_rawDescData = file_teleport_resourceusage_v1_device_trust_proto_rawDesc
+	file_teleport_resourceusage_v1_device_trust_proto_rawDescData []byte
 )
 
 func file_teleport_resourceusage_v1_device_trust_proto_rawDescGZIP() []byte {
 	file_teleport_resourceusage_v1_device_trust_proto_rawDescOnce.Do(func() {
-		file_teleport_resourceusage_v1_device_trust_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_resourceusage_v1_device_trust_proto_rawDescData)
+		file_teleport_resourceusage_v1_device_trust_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_resourceusage_v1_device_trust_proto_rawDesc), len(file_teleport_resourceusage_v1_device_trust_proto_rawDesc)))
 	})
 	return file_teleport_resourceusage_v1_device_trust_proto_rawDescData
 }
@@ -148,7 +149,7 @@ func file_teleport_resourceusage_v1_device_trust_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_resourceusage_v1_device_trust_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_resourceusage_v1_device_trust_proto_rawDesc), len(file_teleport_resourceusage_v1_device_trust_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   1,
 			NumExtensions: 0,
@@ -159,7 +160,6 @@ func file_teleport_resourceusage_v1_device_trust_proto_init() {
 		MessageInfos:      file_teleport_resourceusage_v1_device_trust_proto_msgTypes,
 	}.Build()
 	File_teleport_resourceusage_v1_device_trust_proto = out.File
-	file_teleport_resourceusage_v1_device_trust_proto_rawDesc = nil
 	file_teleport_resourceusage_v1_device_trust_proto_goTypes = nil
 	file_teleport_resourceusage_v1_device_trust_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/resourceusage/v1/resourceusage_service.pb.go b/api/gen/proto/go/teleport/resourceusage/v1/resourceusage_service.pb.go
index 9e6f54980263c..c4ab944f8892f 100644
--- a/api/gen/proto/go/teleport/resourceusage/v1/resourceusage_service.pb.go
+++ b/api/gen/proto/go/teleport/resourceusage/v1/resourceusage_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/resourceusage/v1/resourceusage_service.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -138,7 +139,7 @@ func (x *GetUsageResponse) GetDevicesUsage() *DevicesUsage {
 
 var File_teleport_resourceusage_v1_resourceusage_service_proto protoreflect.FileDescriptor
 
-var file_teleport_resourceusage_v1_resourceusage_service_proto_rawDesc = []byte{
+var file_teleport_resourceusage_v1_resourceusage_service_proto_rawDesc = string([]byte{
 	0x0a, 0x35, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75,
 	0x72, 0x63, 0x65, 0x75, 0x73, 0x61, 0x67, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x72, 0x65, 0x73, 0x6f,
 	0x75, 0x72, 0x63, 0x65, 0x75, 0x73, 0x61, 0x67, 0x65, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63,
@@ -187,16 +188,16 @@ var file_teleport_resourceusage_v1_resourceusage_service_proto_rawDesc = []byte{
 	0x75, 0x72, 0x63, 0x65, 0x75, 0x73, 0x61, 0x67, 0x65, 0x2f, 0x76, 0x31, 0x3b, 0x72, 0x65, 0x73,
 	0x6f, 0x75, 0x72, 0x63, 0x65, 0x75, 0x73, 0x61, 0x67, 0x65, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72,
 	0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_resourceusage_v1_resourceusage_service_proto_rawDescOnce sync.Once
-	file_teleport_resourceusage_v1_resourceusage_service_proto_rawDescData = file_teleport_resourceusage_v1_resourceusage_service_proto_rawDesc
+	file_teleport_resourceusage_v1_resourceusage_service_proto_rawDescData []byte
 )
 
 func file_teleport_resourceusage_v1_resourceusage_service_proto_rawDescGZIP() []byte {
 	file_teleport_resourceusage_v1_resourceusage_service_proto_rawDescOnce.Do(func() {
-		file_teleport_resourceusage_v1_resourceusage_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_resourceusage_v1_resourceusage_service_proto_rawDescData)
+		file_teleport_resourceusage_v1_resourceusage_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_resourceusage_v1_resourceusage_service_proto_rawDesc), len(file_teleport_resourceusage_v1_resourceusage_service_proto_rawDesc)))
 	})
 	return file_teleport_resourceusage_v1_resourceusage_service_proto_rawDescData
 }
@@ -234,7 +235,7 @@ func file_teleport_resourceusage_v1_resourceusage_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_resourceusage_v1_resourceusage_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_resourceusage_v1_resourceusage_service_proto_rawDesc), len(file_teleport_resourceusage_v1_resourceusage_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   2,
 			NumExtensions: 0,
@@ -245,7 +246,6 @@ func file_teleport_resourceusage_v1_resourceusage_service_proto_init() {
 		MessageInfos:      file_teleport_resourceusage_v1_resourceusage_service_proto_msgTypes,
 	}.Build()
 	File_teleport_resourceusage_v1_resourceusage_service_proto = out.File
-	file_teleport_resourceusage_v1_resourceusage_service_proto_rawDesc = nil
 	file_teleport_resourceusage_v1_resourceusage_service_proto_goTypes = nil
 	file_teleport_resourceusage_v1_resourceusage_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/samlidp/v1/samlidp.pb.go b/api/gen/proto/go/teleport/samlidp/v1/samlidp.pb.go
index dc6e8a19a4a19..59dc0f17b3891 100644
--- a/api/gen/proto/go/teleport/samlidp/v1/samlidp.pb.go
+++ b/api/gen/proto/go/teleport/samlidp/v1/samlidp.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/samlidp/v1/samlidp.proto
 
@@ -29,6 +29,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -355,7 +356,7 @@ func (x *MappedAttribute) GetMappedValues() map[string]*wrappers.StringValues {
 
 var File_teleport_samlidp_v1_samlidp_proto protoreflect.FileDescriptor
 
-var file_teleport_samlidp_v1_samlidp_proto_rawDesc = []byte{
+var file_teleport_samlidp_v1_samlidp_proto_rawDesc = string([]byte{
 	0x0a, 0x21, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x73, 0x61, 0x6d, 0x6c, 0x69,
 	0x64, 0x70, 0x2f, 0x76, 0x31, 0x2f, 0x73, 0x61, 0x6d, 0x6c, 0x69, 0x64, 0x70, 0x2e, 0x70, 0x72,
 	0x6f, 0x74, 0x6f, 0x12, 0x13, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x73, 0x61,
@@ -455,16 +456,16 @@ var file_teleport_samlidp_v1_samlidp_proto_rawDesc = []byte{
 	0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x73, 0x61, 0x6d,
 	0x6c, 0x69, 0x64, 0x70, 0x2f, 0x76, 0x31, 0x3b, 0x73, 0x61, 0x6d, 0x6c, 0x69, 0x64, 0x70, 0x76,
 	0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_samlidp_v1_samlidp_proto_rawDescOnce sync.Once
-	file_teleport_samlidp_v1_samlidp_proto_rawDescData = file_teleport_samlidp_v1_samlidp_proto_rawDesc
+	file_teleport_samlidp_v1_samlidp_proto_rawDescData []byte
 )
 
 func file_teleport_samlidp_v1_samlidp_proto_rawDescGZIP() []byte {
 	file_teleport_samlidp_v1_samlidp_proto_rawDescOnce.Do(func() {
-		file_teleport_samlidp_v1_samlidp_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_samlidp_v1_samlidp_proto_rawDescData)
+		file_teleport_samlidp_v1_samlidp_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_samlidp_v1_samlidp_proto_rawDesc), len(file_teleport_samlidp_v1_samlidp_proto_rawDesc)))
 	})
 	return file_teleport_samlidp_v1_samlidp_proto_rawDescData
 }
@@ -511,7 +512,7 @@ func file_teleport_samlidp_v1_samlidp_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_samlidp_v1_samlidp_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_samlidp_v1_samlidp_proto_rawDesc), len(file_teleport_samlidp_v1_samlidp_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   6,
 			NumExtensions: 0,
@@ -522,7 +523,6 @@ func file_teleport_samlidp_v1_samlidp_proto_init() {
 		MessageInfos:      file_teleport_samlidp_v1_samlidp_proto_msgTypes,
 	}.Build()
 	File_teleport_samlidp_v1_samlidp_proto = out.File
-	file_teleport_samlidp_v1_samlidp_proto_rawDesc = nil
 	file_teleport_samlidp_v1_samlidp_proto_goTypes = nil
 	file_teleport_samlidp_v1_samlidp_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/scim/v1/scim_service.pb.go b/api/gen/proto/go/teleport/scim/v1/scim_service.pb.go
index 3a7de7590a0ab..a370fcc941392 100644
--- a/api/gen/proto/go/teleport/scim/v1/scim_service.pb.go
+++ b/api/gen/proto/go/teleport/scim/v1/scim_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/scim/v1/scim_service.proto
 
@@ -28,6 +28,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -672,7 +673,7 @@ func (x *Page) GetCount() uint64 {
 
 var File_teleport_scim_v1_scim_service_proto protoreflect.FileDescriptor
 
-var file_teleport_scim_v1_scim_service_proto_rawDesc = []byte{
+var file_teleport_scim_v1_scim_service_proto_rawDesc = string([]byte{
 	0x0a, 0x23, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x73, 0x63, 0x69, 0x6d, 0x2f,
 	0x76, 0x31, 0x2f, 0x73, 0x63, 0x69, 0x6d, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e,
 	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x10, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e,
@@ -806,16 +807,16 @@ var file_teleport_scim_v1_scim_service_proto_rawDesc = []byte{
 	0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65,
 	0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x73, 0x63, 0x69, 0x6d, 0x2f, 0x76, 0x31, 0x3b, 0x73,
 	0x63, 0x69, 0x6d, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_scim_v1_scim_service_proto_rawDescOnce sync.Once
-	file_teleport_scim_v1_scim_service_proto_rawDescData = file_teleport_scim_v1_scim_service_proto_rawDesc
+	file_teleport_scim_v1_scim_service_proto_rawDescData []byte
 )
 
 func file_teleport_scim_v1_scim_service_proto_rawDescGZIP() []byte {
 	file_teleport_scim_v1_scim_service_proto_rawDescOnce.Do(func() {
-		file_teleport_scim_v1_scim_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_scim_v1_scim_service_proto_rawDescData)
+		file_teleport_scim_v1_scim_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_scim_v1_scim_service_proto_rawDesc), len(file_teleport_scim_v1_scim_service_proto_rawDesc)))
 	})
 	return file_teleport_scim_v1_scim_service_proto_rawDescData
 }
@@ -876,7 +877,7 @@ func file_teleport_scim_v1_scim_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_scim_v1_scim_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_scim_v1_scim_service_proto_rawDesc), len(file_teleport_scim_v1_scim_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   10,
 			NumExtensions: 0,
@@ -887,7 +888,6 @@ func file_teleport_scim_v1_scim_service_proto_init() {
 		MessageInfos:      file_teleport_scim_v1_scim_service_proto_msgTypes,
 	}.Build()
 	File_teleport_scim_v1_scim_service_proto = out.File
-	file_teleport_scim_v1_scim_service_proto_rawDesc = nil
 	file_teleport_scim_v1_scim_service_proto_goTypes = nil
 	file_teleport_scim_v1_scim_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/secreports/v1/secreports.pb.go b/api/gen/proto/go/teleport/secreports/v1/secreports.pb.go
index 443c8ea0a5f05..705399b922d89 100644
--- a/api/gen/proto/go/teleport/secreports/v1/secreports.pb.go
+++ b/api/gen/proto/go/teleport/secreports/v1/secreports.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/secreports/v1/secreports.proto
 
@@ -26,6 +26,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -412,7 +413,7 @@ func (x *ReportStateSpec) GetUpdatedAt() string {
 
 var File_teleport_secreports_v1_secreports_proto protoreflect.FileDescriptor
 
-var file_teleport_secreports_v1_secreports_proto_rawDesc = []byte{
+var file_teleport_secreports_v1_secreports_proto_rawDesc = string([]byte{
 	0x0a, 0x27, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x73, 0x65, 0x63, 0x72, 0x65,
 	0x70, 0x6f, 0x72, 0x74, 0x73, 0x2f, 0x76, 0x31, 0x2f, 0x73, 0x65, 0x63, 0x72, 0x65, 0x70, 0x6f,
 	0x72, 0x74, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x16, 0x74, 0x65, 0x6c, 0x65, 0x70,
@@ -475,16 +476,16 @@ var file_teleport_secreports_v1_secreports_proto_rawDesc = []byte{
 	0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x73, 0x65, 0x63, 0x72, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x73,
 	0x2f, 0x76, 0x31, 0x3b, 0x73, 0x65, 0x63, 0x72, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x73, 0x76, 0x31,
 	0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_secreports_v1_secreports_proto_rawDescOnce sync.Once
-	file_teleport_secreports_v1_secreports_proto_rawDescData = file_teleport_secreports_v1_secreports_proto_rawDesc
+	file_teleport_secreports_v1_secreports_proto_rawDescData []byte
 )
 
 func file_teleport_secreports_v1_secreports_proto_rawDescGZIP() []byte {
 	file_teleport_secreports_v1_secreports_proto_rawDescOnce.Do(func() {
-		file_teleport_secreports_v1_secreports_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_secreports_v1_secreports_proto_rawDescData)
+		file_teleport_secreports_v1_secreports_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_secreports_v1_secreports_proto_rawDesc), len(file_teleport_secreports_v1_secreports_proto_rawDesc)))
 	})
 	return file_teleport_secreports_v1_secreports_proto_rawDescData
 }
@@ -523,7 +524,7 @@ func file_teleport_secreports_v1_secreports_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_secreports_v1_secreports_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_secreports_v1_secreports_proto_rawDesc), len(file_teleport_secreports_v1_secreports_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   6,
 			NumExtensions: 0,
@@ -534,7 +535,6 @@ func file_teleport_secreports_v1_secreports_proto_init() {
 		MessageInfos:      file_teleport_secreports_v1_secreports_proto_msgTypes,
 	}.Build()
 	File_teleport_secreports_v1_secreports_proto = out.File
-	file_teleport_secreports_v1_secreports_proto_rawDesc = nil
 	file_teleport_secreports_v1_secreports_proto_goTypes = nil
 	file_teleport_secreports_v1_secreports_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/secreports/v1/secreports_service.pb.go b/api/gen/proto/go/teleport/secreports/v1/secreports_service.pb.go
index 06d46f93bc1b9..ebb56ed19508f 100644
--- a/api/gen/proto/go/teleport/secreports/v1/secreports_service.pb.go
+++ b/api/gen/proto/go/teleport/secreports/v1/secreports_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/secreports/v1/secreports_service.proto
 
@@ -27,6 +27,7 @@ import (
 	emptypb "google.golang.org/protobuf/types/known/emptypb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -1644,7 +1645,7 @@ func (x *ReportResult_AuditQueryResult) GetDataScannedInBytes() int64 {
 
 var File_teleport_secreports_v1_secreports_service_proto protoreflect.FileDescriptor
 
-var file_teleport_secreports_v1_secreports_service_proto_rawDesc = []byte{
+var file_teleport_secreports_v1_secreports_service_proto_rawDesc = string([]byte{
 	0x0a, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x73, 0x65, 0x63, 0x72, 0x65,
 	0x70, 0x6f, 0x72, 0x74, 0x73, 0x2f, 0x76, 0x31, 0x2f, 0x73, 0x65, 0x63, 0x72, 0x65, 0x70, 0x6f,
 	0x72, 0x74, 0x73, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
@@ -1937,16 +1938,16 @@ var file_teleport_secreports_v1_secreports_service_proto_rawDesc = []byte{
 	0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x73, 0x65, 0x63, 0x72, 0x65, 0x70, 0x6f,
 	0x72, 0x74, 0x73, 0x2f, 0x76, 0x31, 0x3b, 0x73, 0x65, 0x63, 0x72, 0x65, 0x70, 0x6f, 0x72, 0x74,
 	0x73, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_secreports_v1_secreports_service_proto_rawDescOnce sync.Once
-	file_teleport_secreports_v1_secreports_service_proto_rawDescData = file_teleport_secreports_v1_secreports_service_proto_rawDesc
+	file_teleport_secreports_v1_secreports_service_proto_rawDescData []byte
 )
 
 func file_teleport_secreports_v1_secreports_service_proto_rawDescGZIP() []byte {
 	file_teleport_secreports_v1_secreports_service_proto_rawDescOnce.Do(func() {
-		file_teleport_secreports_v1_secreports_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_secreports_v1_secreports_service_proto_rawDescData)
+		file_teleport_secreports_v1_secreports_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_secreports_v1_secreports_service_proto_rawDesc), len(file_teleport_secreports_v1_secreports_service_proto_rawDesc)))
 	})
 	return file_teleport_secreports_v1_secreports_service_proto_rawDescData
 }
@@ -2051,7 +2052,7 @@ func file_teleport_secreports_v1_secreports_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_secreports_v1_secreports_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_secreports_v1_secreports_service_proto_rawDesc), len(file_teleport_secreports_v1_secreports_service_proto_rawDesc)),
 			NumEnums:      1,
 			NumMessages:   28,
 			NumExtensions: 0,
@@ -2063,7 +2064,6 @@ func file_teleport_secreports_v1_secreports_service_proto_init() {
 		MessageInfos:      file_teleport_secreports_v1_secreports_service_proto_msgTypes,
 	}.Build()
 	File_teleport_secreports_v1_secreports_service_proto = out.File
-	file_teleport_secreports_v1_secreports_service_proto_rawDesc = nil
 	file_teleport_secreports_v1_secreports_service_proto_goTypes = nil
 	file_teleport_secreports_v1_secreports_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/trait/v1/trait.pb.go b/api/gen/proto/go/teleport/trait/v1/trait.pb.go
index 3bdae9d50b0ab..02a772752763b 100644
--- a/api/gen/proto/go/teleport/trait/v1/trait.pb.go
+++ b/api/gen/proto/go/teleport/trait/v1/trait.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/trait/v1/trait.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -91,7 +92,7 @@ func (x *Trait) GetValues() []string {
 
 var File_teleport_trait_v1_trait_proto protoreflect.FileDescriptor
 
-var file_teleport_trait_v1_trait_proto_rawDesc = []byte{
+var file_teleport_trait_v1_trait_proto_rawDesc = string([]byte{
 	0x0a, 0x1d, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x74, 0x72, 0x61, 0x69, 0x74,
 	0x2f, 0x76, 0x31, 0x2f, 0x74, 0x72, 0x61, 0x69, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12,
 	0x11, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x74, 0x72, 0x61, 0x69, 0x74, 0x2e,
@@ -104,16 +105,16 @@ var file_teleport_trait_v1_trait_proto_rawDesc = []byte{
 	0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65,
 	0x70, 0x6f, 0x72, 0x74, 0x2f, 0x74, 0x72, 0x61, 0x69, 0x74, 0x2f, 0x76, 0x31, 0x3b, 0x74, 0x72,
 	0x61, 0x69, 0x74, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_trait_v1_trait_proto_rawDescOnce sync.Once
-	file_teleport_trait_v1_trait_proto_rawDescData = file_teleport_trait_v1_trait_proto_rawDesc
+	file_teleport_trait_v1_trait_proto_rawDescData []byte
 )
 
 func file_teleport_trait_v1_trait_proto_rawDescGZIP() []byte {
 	file_teleport_trait_v1_trait_proto_rawDescOnce.Do(func() {
-		file_teleport_trait_v1_trait_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_trait_v1_trait_proto_rawDescData)
+		file_teleport_trait_v1_trait_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_trait_v1_trait_proto_rawDesc), len(file_teleport_trait_v1_trait_proto_rawDesc)))
 	})
 	return file_teleport_trait_v1_trait_proto_rawDescData
 }
@@ -139,7 +140,7 @@ func file_teleport_trait_v1_trait_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_trait_v1_trait_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_trait_v1_trait_proto_rawDesc), len(file_teleport_trait_v1_trait_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   1,
 			NumExtensions: 0,
@@ -150,7 +151,6 @@ func file_teleport_trait_v1_trait_proto_init() {
 		MessageInfos:      file_teleport_trait_v1_trait_proto_msgTypes,
 	}.Build()
 	File_teleport_trait_v1_trait_proto = out.File
-	file_teleport_trait_v1_trait_proto_rawDesc = nil
 	file_teleport_trait_v1_trait_proto_goTypes = nil
 	file_teleport_trait_v1_trait_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/transport/v1/transport_service.pb.go b/api/gen/proto/go/teleport/transport/v1/transport_service.pb.go
index 27c2550bcd3bd..86c530b75308a 100644
--- a/api/gen/proto/go/teleport/transport/v1/transport_service.pb.go
+++ b/api/gen/proto/go/teleport/transport/v1/transport_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/transport/v1/transport_service.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -577,7 +578,7 @@ func (x *ClusterDetails) GetFipsEnabled() bool {
 
 var File_teleport_transport_v1_transport_service_proto protoreflect.FileDescriptor
 
-var file_teleport_transport_v1_transport_service_proto_rawDesc = []byte{
+var file_teleport_transport_v1_transport_service_proto_rawDesc = string([]byte{
 	0x0a, 0x2d, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x74, 0x72, 0x61, 0x6e, 0x73,
 	0x70, 0x6f, 0x72, 0x74, 0x2f, 0x76, 0x31, 0x2f, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72,
 	0x74, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12,
@@ -664,16 +665,16 @@ var file_teleport_transport_v1_transport_service_proto_rawDesc = []byte{
 	0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f,
 	0x72, 0x74, 0x2f, 0x76, 0x31, 0x3b, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x76,
 	0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_transport_v1_transport_service_proto_rawDescOnce sync.Once
-	file_teleport_transport_v1_transport_service_proto_rawDescData = file_teleport_transport_v1_transport_service_proto_rawDesc
+	file_teleport_transport_v1_transport_service_proto_rawDescData []byte
 )
 
 func file_teleport_transport_v1_transport_service_proto_rawDescGZIP() []byte {
 	file_teleport_transport_v1_transport_service_proto_rawDescOnce.Do(func() {
-		file_teleport_transport_v1_transport_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_transport_v1_transport_service_proto_rawDescData)
+		file_teleport_transport_v1_transport_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_transport_v1_transport_service_proto_rawDesc), len(file_teleport_transport_v1_transport_service_proto_rawDesc)))
 	})
 	return file_teleport_transport_v1_transport_service_proto_rawDescData
 }
@@ -730,7 +731,7 @@ func file_teleport_transport_v1_transport_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_transport_v1_transport_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_transport_v1_transport_service_proto_rawDesc), len(file_teleport_transport_v1_transport_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   9,
 			NumExtensions: 0,
@@ -741,7 +742,6 @@ func file_teleport_transport_v1_transport_service_proto_init() {
 		MessageInfos:      file_teleport_transport_v1_transport_service_proto_msgTypes,
 	}.Build()
 	File_teleport_transport_v1_transport_service_proto = out.File
-	file_teleport_transport_v1_transport_service_proto_rawDesc = nil
 	file_teleport_transport_v1_transport_service_proto_goTypes = nil
 	file_teleport_transport_v1_transport_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/trust/v1/trust_service.pb.go b/api/gen/proto/go/teleport/trust/v1/trust_service.pb.go
index ce2696824032d..ec0ddc558ef2b 100644
--- a/api/gen/proto/go/teleport/trust/v1/trust_service.pb.go
+++ b/api/gen/proto/go/teleport/trust/v1/trust_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/trust/v1/trust_service.proto
 
@@ -29,6 +29,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -866,7 +867,7 @@ func (x *GenerateHostCertResponse) GetSshCertificate() []byte {
 
 var File_teleport_trust_v1_trust_service_proto protoreflect.FileDescriptor
 
-var file_teleport_trust_v1_trust_service_proto_rawDesc = []byte{
+var file_teleport_trust_v1_trust_service_proto_rawDesc = string([]byte{
 	0x0a, 0x25, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x74, 0x72, 0x75, 0x73, 0x74,
 	0x2f, 0x76, 0x31, 0x2f, 0x74, 0x72, 0x75, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63,
 	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x11, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72,
@@ -1055,16 +1056,16 @@ var file_teleport_trust_v1_trust_service_proto_rawDesc = []byte{
 	0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70,
 	0x6f, 0x72, 0x74, 0x2f, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2f, 0x76, 0x31, 0x3b, 0x74, 0x72, 0x75,
 	0x73, 0x74, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_trust_v1_trust_service_proto_rawDescOnce sync.Once
-	file_teleport_trust_v1_trust_service_proto_rawDescData = file_teleport_trust_v1_trust_service_proto_rawDesc
+	file_teleport_trust_v1_trust_service_proto_rawDescData []byte
 )
 
 func file_teleport_trust_v1_trust_service_proto_rawDescGZIP() []byte {
 	file_teleport_trust_v1_trust_service_proto_rawDescOnce.Do(func() {
-		file_teleport_trust_v1_trust_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_trust_v1_trust_service_proto_rawDescData)
+		file_teleport_trust_v1_trust_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_trust_v1_trust_service_proto_rawDesc), len(file_teleport_trust_v1_trust_service_proto_rawDesc)))
 	})
 	return file_teleport_trust_v1_trust_service_proto_rawDescData
 }
@@ -1141,7 +1142,7 @@ func file_teleport_trust_v1_trust_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_trust_v1_trust_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_trust_v1_trust_service_proto_rawDesc), len(file_teleport_trust_v1_trust_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   15,
 			NumExtensions: 0,
@@ -1152,7 +1153,6 @@ func file_teleport_trust_v1_trust_service_proto_init() {
 		MessageInfos:      file_teleport_trust_v1_trust_service_proto_msgTypes,
 	}.Build()
 	File_teleport_trust_v1_trust_service_proto = out.File
-	file_teleport_trust_v1_trust_service_proto_rawDesc = nil
 	file_teleport_trust_v1_trust_service_proto_goTypes = nil
 	file_teleport_trust_v1_trust_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/userloginstate/v1/userloginstate.pb.go b/api/gen/proto/go/teleport/userloginstate/v1/userloginstate.pb.go
index 34fbc46fe1d9b..98a9a03f0322e 100644
--- a/api/gen/proto/go/teleport/userloginstate/v1/userloginstate.pb.go
+++ b/api/gen/proto/go/teleport/userloginstate/v1/userloginstate.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/userloginstate/v1/userloginstate.proto
 
@@ -27,6 +27,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -242,7 +243,7 @@ func (x *ExternalIdentity) GetUsername() string {
 
 var File_teleport_userloginstate_v1_userloginstate_proto protoreflect.FileDescriptor
 
-var file_teleport_userloginstate_v1_userloginstate_proto_rawDesc = []byte{
+var file_teleport_userloginstate_v1_userloginstate_proto_rawDesc = string([]byte{
 	0x0a, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x6c,
 	0x6f, 0x67, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x75, 0x73, 0x65,
 	0x72, 0x6c, 0x6f, 0x67, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
@@ -291,16 +292,16 @@ var file_teleport_userloginstate_v1_userloginstate_proto_rawDesc = []byte{
 	0x72, 0x74, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x6c, 0x6f, 0x67, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x74,
 	0x65, 0x2f, 0x76, 0x31, 0x3b, 0x75, 0x73, 0x65, 0x72, 0x6c, 0x6f, 0x67, 0x69, 0x6e, 0x73, 0x74,
 	0x61, 0x74, 0x65, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_userloginstate_v1_userloginstate_proto_rawDescOnce sync.Once
-	file_teleport_userloginstate_v1_userloginstate_proto_rawDescData = file_teleport_userloginstate_v1_userloginstate_proto_rawDesc
+	file_teleport_userloginstate_v1_userloginstate_proto_rawDescData []byte
 )
 
 func file_teleport_userloginstate_v1_userloginstate_proto_rawDescGZIP() []byte {
 	file_teleport_userloginstate_v1_userloginstate_proto_rawDescOnce.Do(func() {
-		file_teleport_userloginstate_v1_userloginstate_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_userloginstate_v1_userloginstate_proto_rawDescData)
+		file_teleport_userloginstate_v1_userloginstate_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_userloginstate_v1_userloginstate_proto_rawDesc), len(file_teleport_userloginstate_v1_userloginstate_proto_rawDesc)))
 	})
 	return file_teleport_userloginstate_v1_userloginstate_proto_rawDescData
 }
@@ -335,7 +336,7 @@ func file_teleport_userloginstate_v1_userloginstate_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_userloginstate_v1_userloginstate_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_userloginstate_v1_userloginstate_proto_rawDesc), len(file_teleport_userloginstate_v1_userloginstate_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   3,
 			NumExtensions: 0,
@@ -346,7 +347,6 @@ func file_teleport_userloginstate_v1_userloginstate_proto_init() {
 		MessageInfos:      file_teleport_userloginstate_v1_userloginstate_proto_msgTypes,
 	}.Build()
 	File_teleport_userloginstate_v1_userloginstate_proto = out.File
-	file_teleport_userloginstate_v1_userloginstate_proto_rawDesc = nil
 	file_teleport_userloginstate_v1_userloginstate_proto_goTypes = nil
 	file_teleport_userloginstate_v1_userloginstate_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/userloginstate/v1/userloginstate_service.pb.go b/api/gen/proto/go/teleport/userloginstate/v1/userloginstate_service.pb.go
index 89f52e93ade76..5c2be1001fd26 100644
--- a/api/gen/proto/go/teleport/userloginstate/v1/userloginstate_service.pb.go
+++ b/api/gen/proto/go/teleport/userloginstate/v1/userloginstate_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/userloginstate/v1/userloginstate_service.proto
 
@@ -26,6 +26,7 @@ import (
 	emptypb "google.golang.org/protobuf/types/known/emptypb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -295,7 +296,7 @@ func (*DeleteAllUserLoginStatesRequest) Descriptor() ([]byte, []int) {
 
 var File_teleport_userloginstate_v1_userloginstate_service_proto protoreflect.FileDescriptor
 
-var file_teleport_userloginstate_v1_userloginstate_service_proto_rawDesc = []byte{
+var file_teleport_userloginstate_v1_userloginstate_service_proto_rawDesc = string([]byte{
 	0x0a, 0x37, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x6c,
 	0x6f, 0x67, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x75, 0x73, 0x65,
 	0x72, 0x6c, 0x6f, 0x67, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x74, 0x65, 0x5f, 0x73, 0x65, 0x72, 0x76,
@@ -377,16 +378,16 @@ var file_teleport_userloginstate_v1_userloginstate_service_proto_rawDesc = []byt
 	0x73, 0x65, 0x72, 0x6c, 0x6f, 0x67, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2f, 0x76, 0x31,
 	0x3b, 0x75, 0x73, 0x65, 0x72, 0x6c, 0x6f, 0x67, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x74, 0x65, 0x76,
 	0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_userloginstate_v1_userloginstate_service_proto_rawDescOnce sync.Once
-	file_teleport_userloginstate_v1_userloginstate_service_proto_rawDescData = file_teleport_userloginstate_v1_userloginstate_service_proto_rawDesc
+	file_teleport_userloginstate_v1_userloginstate_service_proto_rawDescData []byte
 )
 
 func file_teleport_userloginstate_v1_userloginstate_service_proto_rawDescGZIP() []byte {
 	file_teleport_userloginstate_v1_userloginstate_service_proto_rawDescOnce.Do(func() {
-		file_teleport_userloginstate_v1_userloginstate_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_userloginstate_v1_userloginstate_service_proto_rawDescData)
+		file_teleport_userloginstate_v1_userloginstate_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_userloginstate_v1_userloginstate_service_proto_rawDesc), len(file_teleport_userloginstate_v1_userloginstate_service_proto_rawDesc)))
 	})
 	return file_teleport_userloginstate_v1_userloginstate_service_proto_rawDescData
 }
@@ -432,7 +433,7 @@ func file_teleport_userloginstate_v1_userloginstate_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_userloginstate_v1_userloginstate_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_userloginstate_v1_userloginstate_service_proto_rawDesc), len(file_teleport_userloginstate_v1_userloginstate_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   6,
 			NumExtensions: 0,
@@ -443,7 +444,6 @@ func file_teleport_userloginstate_v1_userloginstate_service_proto_init() {
 		MessageInfos:      file_teleport_userloginstate_v1_userloginstate_service_proto_msgTypes,
 	}.Build()
 	File_teleport_userloginstate_v1_userloginstate_service_proto = out.File
-	file_teleport_userloginstate_v1_userloginstate_service_proto_rawDesc = nil
 	file_teleport_userloginstate_v1_userloginstate_service_proto_goTypes = nil
 	file_teleport_userloginstate_v1_userloginstate_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/userprovisioning/v2/statichostuser.pb.go b/api/gen/proto/go/teleport/userprovisioning/v2/statichostuser.pb.go
index d3ba12c073ec9..6ae9054a0a5f4 100644
--- a/api/gen/proto/go/teleport/userprovisioning/v2/statichostuser.pb.go
+++ b/api/gen/proto/go/teleport/userprovisioning/v2/statichostuser.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/userprovisioning/v2/statichostuser.proto
 
@@ -27,6 +27,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -278,7 +279,7 @@ func (x *StaticHostUserSpec) GetMatchers() []*Matcher {
 
 var File_teleport_userprovisioning_v2_statichostuser_proto protoreflect.FileDescriptor
 
-var file_teleport_userprovisioning_v2_statichostuser_proto_rawDesc = []byte{
+var file_teleport_userprovisioning_v2_statichostuser_proto_rawDesc = string([]byte{
 	0x0a, 0x31, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x70,
 	0x72, 0x6f, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x32, 0x2f, 0x73,
 	0x74, 0x61, 0x74, 0x69, 0x63, 0x68, 0x6f, 0x73, 0x74, 0x75, 0x73, 0x65, 0x72, 0x2e, 0x70, 0x72,
@@ -334,16 +335,16 @@ var file_teleport_userprovisioning_v2_statichostuser_proto_rawDesc = []byte{
 	0x74, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x69,
 	0x6e, 0x67, 0x2f, 0x76, 0x32, 0x3b, 0x75, 0x73, 0x65, 0x72, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x73,
 	0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x76, 0x32, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_userprovisioning_v2_statichostuser_proto_rawDescOnce sync.Once
-	file_teleport_userprovisioning_v2_statichostuser_proto_rawDescData = file_teleport_userprovisioning_v2_statichostuser_proto_rawDesc
+	file_teleport_userprovisioning_v2_statichostuser_proto_rawDescData []byte
 )
 
 func file_teleport_userprovisioning_v2_statichostuser_proto_rawDescGZIP() []byte {
 	file_teleport_userprovisioning_v2_statichostuser_proto_rawDescOnce.Do(func() {
-		file_teleport_userprovisioning_v2_statichostuser_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_userprovisioning_v2_statichostuser_proto_rawDescData)
+		file_teleport_userprovisioning_v2_statichostuser_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_userprovisioning_v2_statichostuser_proto_rawDesc), len(file_teleport_userprovisioning_v2_statichostuser_proto_rawDesc)))
 	})
 	return file_teleport_userprovisioning_v2_statichostuser_proto_rawDescData
 }
@@ -377,7 +378,7 @@ func file_teleport_userprovisioning_v2_statichostuser_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_userprovisioning_v2_statichostuser_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_userprovisioning_v2_statichostuser_proto_rawDesc), len(file_teleport_userprovisioning_v2_statichostuser_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   3,
 			NumExtensions: 0,
@@ -388,7 +389,6 @@ func file_teleport_userprovisioning_v2_statichostuser_proto_init() {
 		MessageInfos:      file_teleport_userprovisioning_v2_statichostuser_proto_msgTypes,
 	}.Build()
 	File_teleport_userprovisioning_v2_statichostuser_proto = out.File
-	file_teleport_userprovisioning_v2_statichostuser_proto_rawDesc = nil
 	file_teleport_userprovisioning_v2_statichostuser_proto_goTypes = nil
 	file_teleport_userprovisioning_v2_statichostuser_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/userprovisioning/v2/statichostuser_service.pb.go b/api/gen/proto/go/teleport/userprovisioning/v2/statichostuser_service.pb.go
index 7040f279d381c..57922c323ddef 100644
--- a/api/gen/proto/go/teleport/userprovisioning/v2/statichostuser_service.pb.go
+++ b/api/gen/proto/go/teleport/userprovisioning/v2/statichostuser_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/userprovisioning/v2/statichostuser_service.proto
 
@@ -26,6 +26,7 @@ import (
 	emptypb "google.golang.org/protobuf/types/known/emptypb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -382,7 +383,7 @@ func (x *DeleteStaticHostUserRequest) GetName() string {
 
 var File_teleport_userprovisioning_v2_statichostuser_service_proto protoreflect.FileDescriptor
 
-var file_teleport_userprovisioning_v2_statichostuser_service_proto_rawDesc = []byte{
+var file_teleport_userprovisioning_v2_statichostuser_service_proto_rawDesc = string([]byte{
 	0x0a, 0x39, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x70,
 	0x72, 0x6f, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x32, 0x2f, 0x73,
 	0x74, 0x61, 0x74, 0x69, 0x63, 0x68, 0x6f, 0x73, 0x74, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x73, 0x65,
@@ -489,16 +490,16 @@ var file_teleport_userprovisioning_v2_statichostuser_service_proto_rawDesc = []b
 	0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x32, 0x3b, 0x75, 0x73, 0x65, 0x72, 0x70, 0x72,
 	0x6f, 0x76, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x69, 0x6e, 0x67, 0x76, 0x32, 0x62, 0x06, 0x70, 0x72,
 	0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_userprovisioning_v2_statichostuser_service_proto_rawDescOnce sync.Once
-	file_teleport_userprovisioning_v2_statichostuser_service_proto_rawDescData = file_teleport_userprovisioning_v2_statichostuser_service_proto_rawDesc
+	file_teleport_userprovisioning_v2_statichostuser_service_proto_rawDescData []byte
 )
 
 func file_teleport_userprovisioning_v2_statichostuser_service_proto_rawDescGZIP() []byte {
 	file_teleport_userprovisioning_v2_statichostuser_service_proto_rawDescOnce.Do(func() {
-		file_teleport_userprovisioning_v2_statichostuser_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_userprovisioning_v2_statichostuser_service_proto_rawDescData)
+		file_teleport_userprovisioning_v2_statichostuser_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_userprovisioning_v2_statichostuser_service_proto_rawDesc), len(file_teleport_userprovisioning_v2_statichostuser_service_proto_rawDesc)))
 	})
 	return file_teleport_userprovisioning_v2_statichostuser_service_proto_rawDescData
 }
@@ -549,7 +550,7 @@ func file_teleport_userprovisioning_v2_statichostuser_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_userprovisioning_v2_statichostuser_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_userprovisioning_v2_statichostuser_service_proto_rawDesc), len(file_teleport_userprovisioning_v2_statichostuser_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   7,
 			NumExtensions: 0,
@@ -560,7 +561,6 @@ func file_teleport_userprovisioning_v2_statichostuser_service_proto_init() {
 		MessageInfos:      file_teleport_userprovisioning_v2_statichostuser_service_proto_msgTypes,
 	}.Build()
 	File_teleport_userprovisioning_v2_statichostuser_service_proto = out.File
-	file_teleport_userprovisioning_v2_statichostuser_service_proto_rawDesc = nil
 	file_teleport_userprovisioning_v2_statichostuser_service_proto_goTypes = nil
 	file_teleport_userprovisioning_v2_statichostuser_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/users/v1/users_service.pb.go b/api/gen/proto/go/teleport/users/v1/users_service.pb.go
index 17aeada4e0546..0d56684e7d93c 100644
--- a/api/gen/proto/go/teleport/users/v1/users_service.pb.go
+++ b/api/gen/proto/go/teleport/users/v1/users_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/users/v1/users_service.proto
 
@@ -27,6 +27,7 @@ import (
 	emptypb "google.golang.org/protobuf/types/known/emptypb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -604,7 +605,7 @@ func (x *DeleteUserRequest) GetName() string {
 
 var File_teleport_users_v1_users_service_proto protoreflect.FileDescriptor
 
-var file_teleport_users_v1_users_service_proto_rawDesc = []byte{
+var file_teleport_users_v1_users_service_proto_rawDesc = string([]byte{
 	0x0a, 0x25, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x73,
 	0x2f, 0x76, 0x31, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x73, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63,
 	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x11, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72,
@@ -702,16 +703,16 @@ var file_teleport_users_v1_users_service_proto_rawDesc = []byte{
 	0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74,
 	0x2f, 0x75, 0x73, 0x65, 0x72, 0x73, 0x2f, 0x76, 0x31, 0x3b, 0x75, 0x73, 0x65, 0x72, 0x73, 0x76,
 	0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_users_v1_users_service_proto_rawDescOnce sync.Once
-	file_teleport_users_v1_users_service_proto_rawDescData = file_teleport_users_v1_users_service_proto_rawDesc
+	file_teleport_users_v1_users_service_proto_rawDescData []byte
 )
 
 func file_teleport_users_v1_users_service_proto_rawDescGZIP() []byte {
 	file_teleport_users_v1_users_service_proto_rawDescOnce.Do(func() {
-		file_teleport_users_v1_users_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_users_v1_users_service_proto_rawDescData)
+		file_teleport_users_v1_users_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_users_v1_users_service_proto_rawDesc), len(file_teleport_users_v1_users_service_proto_rawDesc)))
 	})
 	return file_teleport_users_v1_users_service_proto_rawDescData
 }
@@ -771,7 +772,7 @@ func file_teleport_users_v1_users_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_users_v1_users_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_users_v1_users_service_proto_rawDesc), len(file_teleport_users_v1_users_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   11,
 			NumExtensions: 0,
@@ -782,7 +783,6 @@ func file_teleport_users_v1_users_service_proto_init() {
 		MessageInfos:      file_teleport_users_v1_users_service_proto_msgTypes,
 	}.Build()
 	File_teleport_users_v1_users_service_proto = out.File
-	file_teleport_users_v1_users_service_proto_rawDesc = nil
 	file_teleport_users_v1_users_service_proto_goTypes = nil
 	file_teleport_users_v1_users_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/usertasks/v1/user_tasks.pb.go b/api/gen/proto/go/teleport/usertasks/v1/user_tasks.pb.go
index a9f9dd07c1c1e..f8137efeab90c 100644
--- a/api/gen/proto/go/teleport/usertasks/v1/user_tasks.pb.go
+++ b/api/gen/proto/go/teleport/usertasks/v1/user_tasks.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/usertasks/v1/user_tasks.proto
 
@@ -27,6 +27,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -770,7 +771,7 @@ func (x *DiscoverRDSDatabase) GetSyncTime() *timestamppb.Timestamp {
 
 var File_teleport_usertasks_v1_user_tasks_proto protoreflect.FileDescriptor
 
-var file_teleport_usertasks_v1_user_tasks_proto_rawDesc = []byte{
+var file_teleport_usertasks_v1_user_tasks_proto_rawDesc = string([]byte{
 	0x0a, 0x26, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x74,
 	0x61, 0x73, 0x6b, 0x73, 0x2f, 0x76, 0x31, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x74, 0x61, 0x73,
 	0x6b, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x15, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f,
@@ -930,16 +931,16 @@ var file_teleport_usertasks_v1_user_tasks_proto_rawDesc = []byte{
 	0x72, 0x74, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x74, 0x61, 0x73, 0x6b, 0x73, 0x2f, 0x76, 0x31, 0x3b,
 	0x75, 0x73, 0x65, 0x72, 0x74, 0x61, 0x73, 0x6b, 0x73, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f,
 	0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_usertasks_v1_user_tasks_proto_rawDescOnce sync.Once
-	file_teleport_usertasks_v1_user_tasks_proto_rawDescData = file_teleport_usertasks_v1_user_tasks_proto_rawDesc
+	file_teleport_usertasks_v1_user_tasks_proto_rawDescData []byte
 )
 
 func file_teleport_usertasks_v1_user_tasks_proto_rawDescGZIP() []byte {
 	file_teleport_usertasks_v1_user_tasks_proto_rawDescOnce.Do(func() {
-		file_teleport_usertasks_v1_user_tasks_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_usertasks_v1_user_tasks_proto_rawDescData)
+		file_teleport_usertasks_v1_user_tasks_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_usertasks_v1_user_tasks_proto_rawDesc), len(file_teleport_usertasks_v1_user_tasks_proto_rawDesc)))
 	})
 	return file_teleport_usertasks_v1_user_tasks_proto_rawDescData
 }
@@ -994,7 +995,7 @@ func file_teleport_usertasks_v1_user_tasks_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_usertasks_v1_user_tasks_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_usertasks_v1_user_tasks_proto_rawDesc), len(file_teleport_usertasks_v1_user_tasks_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   12,
 			NumExtensions: 0,
@@ -1005,7 +1006,6 @@ func file_teleport_usertasks_v1_user_tasks_proto_init() {
 		MessageInfos:      file_teleport_usertasks_v1_user_tasks_proto_msgTypes,
 	}.Build()
 	File_teleport_usertasks_v1_user_tasks_proto = out.File
-	file_teleport_usertasks_v1_user_tasks_proto_rawDesc = nil
 	file_teleport_usertasks_v1_user_tasks_proto_goTypes = nil
 	file_teleport_usertasks_v1_user_tasks_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/usertasks/v1/user_tasks_service.pb.go b/api/gen/proto/go/teleport/usertasks/v1/user_tasks_service.pb.go
index 5034465f0b54a..4b31c3d0fc3ca 100644
--- a/api/gen/proto/go/teleport/usertasks/v1/user_tasks_service.pb.go
+++ b/api/gen/proto/go/teleport/usertasks/v1/user_tasks_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/usertasks/v1/user_tasks_service.proto
 
@@ -26,6 +26,7 @@ import (
 	emptypb "google.golang.org/protobuf/types/known/emptypb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -440,7 +441,7 @@ func (x *DeleteUserTaskRequest) GetName() string {
 
 var File_teleport_usertasks_v1_user_tasks_service_proto protoreflect.FileDescriptor
 
-var file_teleport_usertasks_v1_user_tasks_service_proto_rawDesc = []byte{
+var file_teleport_usertasks_v1_user_tasks_service_proto_rawDesc = string([]byte{
 	0x0a, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x74,
 	0x61, 0x73, 0x6b, 0x73, 0x2f, 0x76, 0x31, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x74, 0x61, 0x73,
 	0x6b, 0x73, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
@@ -545,16 +546,16 @@ var file_teleport_usertasks_v1_user_tasks_service_proto_rawDesc = []byte{
 	0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x75, 0x73,
 	0x65, 0x72, 0x74, 0x61, 0x73, 0x6b, 0x73, 0x2f, 0x76, 0x31, 0x3b, 0x75, 0x73, 0x65, 0x72, 0x74,
 	0x61, 0x73, 0x6b, 0x73, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_usertasks_v1_user_tasks_service_proto_rawDescOnce sync.Once
-	file_teleport_usertasks_v1_user_tasks_service_proto_rawDescData = file_teleport_usertasks_v1_user_tasks_service_proto_rawDesc
+	file_teleport_usertasks_v1_user_tasks_service_proto_rawDescData []byte
 )
 
 func file_teleport_usertasks_v1_user_tasks_service_proto_rawDescGZIP() []byte {
 	file_teleport_usertasks_v1_user_tasks_service_proto_rawDescOnce.Do(func() {
-		file_teleport_usertasks_v1_user_tasks_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_usertasks_v1_user_tasks_service_proto_rawDescData)
+		file_teleport_usertasks_v1_user_tasks_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_usertasks_v1_user_tasks_service_proto_rawDesc), len(file_teleport_usertasks_v1_user_tasks_service_proto_rawDesc)))
 	})
 	return file_teleport_usertasks_v1_user_tasks_service_proto_rawDescData
 }
@@ -608,7 +609,7 @@ func file_teleport_usertasks_v1_user_tasks_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_usertasks_v1_user_tasks_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_usertasks_v1_user_tasks_service_proto_rawDesc), len(file_teleport_usertasks_v1_user_tasks_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   8,
 			NumExtensions: 0,
@@ -619,7 +620,6 @@ func file_teleport_usertasks_v1_user_tasks_service_proto_init() {
 		MessageInfos:      file_teleport_usertasks_v1_user_tasks_service_proto_msgTypes,
 	}.Build()
 	File_teleport_usertasks_v1_user_tasks_service_proto = out.File
-	file_teleport_usertasks_v1_user_tasks_service_proto_rawDesc = nil
 	file_teleport_usertasks_v1_user_tasks_service_proto_goTypes = nil
 	file_teleport_usertasks_v1_user_tasks_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/vnet/v1/vnet_config.pb.go b/api/gen/proto/go/teleport/vnet/v1/vnet_config.pb.go
index 18e912eac20ef..dc417fe5eebd7 100644
--- a/api/gen/proto/go/teleport/vnet/v1/vnet_config.pb.go
+++ b/api/gen/proto/go/teleport/vnet/v1/vnet_config.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/vnet/v1/vnet_config.proto
 
@@ -26,6 +26,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -217,7 +218,7 @@ func (x *CustomDNSZone) GetSuffix() string {
 
 var File_teleport_vnet_v1_vnet_config_proto protoreflect.FileDescriptor
 
-var file_teleport_vnet_v1_vnet_config_proto_rawDesc = []byte{
+var file_teleport_vnet_v1_vnet_config_proto_rawDesc = string([]byte{
 	0x0a, 0x22, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x76, 0x6e, 0x65, 0x74, 0x2f,
 	0x76, 0x31, 0x2f, 0x76, 0x6e, 0x65, 0x74, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x70,
 	0x72, 0x6f, 0x74, 0x6f, 0x12, 0x10, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x76,
@@ -253,16 +254,16 @@ var file_teleport_vnet_v1_vnet_config_proto_rawDesc = []byte{
 	0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f,
 	0x76, 0x6e, 0x65, 0x74, 0x2f, 0x76, 0x31, 0x3b, 0x76, 0x6e, 0x65, 0x74, 0x62, 0x06, 0x70, 0x72,
 	0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_vnet_v1_vnet_config_proto_rawDescOnce sync.Once
-	file_teleport_vnet_v1_vnet_config_proto_rawDescData = file_teleport_vnet_v1_vnet_config_proto_rawDesc
+	file_teleport_vnet_v1_vnet_config_proto_rawDescData []byte
 )
 
 func file_teleport_vnet_v1_vnet_config_proto_rawDescGZIP() []byte {
 	file_teleport_vnet_v1_vnet_config_proto_rawDescOnce.Do(func() {
-		file_teleport_vnet_v1_vnet_config_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_vnet_v1_vnet_config_proto_rawDescData)
+		file_teleport_vnet_v1_vnet_config_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_vnet_v1_vnet_config_proto_rawDesc), len(file_teleport_vnet_v1_vnet_config_proto_rawDesc)))
 	})
 	return file_teleport_vnet_v1_vnet_config_proto_rawDescData
 }
@@ -294,7 +295,7 @@ func file_teleport_vnet_v1_vnet_config_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_vnet_v1_vnet_config_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_vnet_v1_vnet_config_proto_rawDesc), len(file_teleport_vnet_v1_vnet_config_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   3,
 			NumExtensions: 0,
@@ -305,7 +306,6 @@ func file_teleport_vnet_v1_vnet_config_proto_init() {
 		MessageInfos:      file_teleport_vnet_v1_vnet_config_proto_msgTypes,
 	}.Build()
 	File_teleport_vnet_v1_vnet_config_proto = out.File
-	file_teleport_vnet_v1_vnet_config_proto_rawDesc = nil
 	file_teleport_vnet_v1_vnet_config_proto_goTypes = nil
 	file_teleport_vnet_v1_vnet_config_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/vnet/v1/vnet_config_service.pb.go b/api/gen/proto/go/teleport/vnet/v1/vnet_config_service.pb.go
index adead4f4dc2ba..3178dda5e7173 100644
--- a/api/gen/proto/go/teleport/vnet/v1/vnet_config_service.pb.go
+++ b/api/gen/proto/go/teleport/vnet/v1/vnet_config_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/vnet/v1/vnet_config_service.proto
 
@@ -26,6 +26,7 @@ import (
 	emptypb "google.golang.org/protobuf/types/known/emptypb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -249,7 +250,7 @@ func (*DeleteVnetConfigRequest) Descriptor() ([]byte, []int) {
 
 var File_teleport_vnet_v1_vnet_config_service_proto protoreflect.FileDescriptor
 
-var file_teleport_vnet_v1_vnet_config_service_proto_rawDesc = []byte{
+var file_teleport_vnet_v1_vnet_config_service_proto_rawDesc = string([]byte{
 	0x0a, 0x2a, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x76, 0x6e, 0x65, 0x74, 0x2f,
 	0x76, 0x31, 0x2f, 0x76, 0x6e, 0x65, 0x74, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x73,
 	0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x10, 0x74, 0x65,
@@ -313,16 +314,16 @@ var file_teleport_vnet_v1_vnet_config_service_proto_rawDesc = []byte{
 	0x2f, 0x61, 0x70, 0x69, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67,
 	0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x76, 0x6e, 0x65, 0x74, 0x2f,
 	0x76, 0x31, 0x3b, 0x76, 0x6e, 0x65, 0x74, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_vnet_v1_vnet_config_service_proto_rawDescOnce sync.Once
-	file_teleport_vnet_v1_vnet_config_service_proto_rawDescData = file_teleport_vnet_v1_vnet_config_service_proto_rawDesc
+	file_teleport_vnet_v1_vnet_config_service_proto_rawDescData []byte
 )
 
 func file_teleport_vnet_v1_vnet_config_service_proto_rawDescGZIP() []byte {
 	file_teleport_vnet_v1_vnet_config_service_proto_rawDescOnce.Do(func() {
-		file_teleport_vnet_v1_vnet_config_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_vnet_v1_vnet_config_service_proto_rawDescData)
+		file_teleport_vnet_v1_vnet_config_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_vnet_v1_vnet_config_service_proto_rawDesc), len(file_teleport_vnet_v1_vnet_config_service_proto_rawDesc)))
 	})
 	return file_teleport_vnet_v1_vnet_config_service_proto_rawDescData
 }
@@ -368,7 +369,7 @@ func file_teleport_vnet_v1_vnet_config_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_vnet_v1_vnet_config_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_vnet_v1_vnet_config_service_proto_rawDesc), len(file_teleport_vnet_v1_vnet_config_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   5,
 			NumExtensions: 0,
@@ -379,7 +380,6 @@ func file_teleport_vnet_v1_vnet_config_service_proto_init() {
 		MessageInfos:      file_teleport_vnet_v1_vnet_config_service_proto_msgTypes,
 	}.Build()
 	File_teleport_vnet_v1_vnet_config_service_proto = out.File
-	file_teleport_vnet_v1_vnet_config_service_proto_rawDesc = nil
 	file_teleport_vnet_v1_vnet_config_service_proto_goTypes = nil
 	file_teleport_vnet_v1_vnet_config_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/workloadidentity/v1/attrs.pb.go b/api/gen/proto/go/teleport/workloadidentity/v1/attrs.pb.go
index 6fe5ab6eb73f6..7b7d89f53b4a2 100644
--- a/api/gen/proto/go/teleport/workloadidentity/v1/attrs.pb.go
+++ b/api/gen/proto/go/teleport/workloadidentity/v1/attrs.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/workloadidentity/v1/attrs.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -408,7 +409,7 @@ func (x *Attrs) GetJoin() *JoinAttrs {
 
 var File_teleport_workloadidentity_v1_attrs_proto protoreflect.FileDescriptor
 
-var file_teleport_workloadidentity_v1_attrs_proto_rawDesc = []byte{
+var file_teleport_workloadidentity_v1_attrs_proto_rawDesc = string([]byte{
 	0x0a, 0x28, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x77, 0x6f, 0x72, 0x6b, 0x6c,
 	0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x2f, 0x61,
 	0x74, 0x74, 0x72, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1c, 0x74, 0x65, 0x6c, 0x65,
@@ -491,16 +492,16 @@ var file_teleport_workloadidentity_v1_attrs_proto_rawDesc = []byte{
 	0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x3b, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f,
 	0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72,
 	0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_workloadidentity_v1_attrs_proto_rawDescOnce sync.Once
-	file_teleport_workloadidentity_v1_attrs_proto_rawDescData = file_teleport_workloadidentity_v1_attrs_proto_rawDesc
+	file_teleport_workloadidentity_v1_attrs_proto_rawDescData []byte
 )
 
 func file_teleport_workloadidentity_v1_attrs_proto_rawDescGZIP() []byte {
 	file_teleport_workloadidentity_v1_attrs_proto_rawDescOnce.Do(func() {
-		file_teleport_workloadidentity_v1_attrs_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_workloadidentity_v1_attrs_proto_rawDescData)
+		file_teleport_workloadidentity_v1_attrs_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_workloadidentity_v1_attrs_proto_rawDesc), len(file_teleport_workloadidentity_v1_attrs_proto_rawDesc)))
 	})
 	return file_teleport_workloadidentity_v1_attrs_proto_rawDescData
 }
@@ -541,7 +542,7 @@ func file_teleport_workloadidentity_v1_attrs_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_workloadidentity_v1_attrs_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_workloadidentity_v1_attrs_proto_rawDesc), len(file_teleport_workloadidentity_v1_attrs_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   7,
 			NumExtensions: 0,
@@ -552,7 +553,6 @@ func file_teleport_workloadidentity_v1_attrs_proto_init() {
 		MessageInfos:      file_teleport_workloadidentity_v1_attrs_proto_msgTypes,
 	}.Build()
 	File_teleport_workloadidentity_v1_attrs_proto = out.File
-	file_teleport_workloadidentity_v1_attrs_proto_rawDesc = nil
 	file_teleport_workloadidentity_v1_attrs_proto_goTypes = nil
 	file_teleport_workloadidentity_v1_attrs_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/workloadidentity/v1/issuance_service.pb.go b/api/gen/proto/go/teleport/workloadidentity/v1/issuance_service.pb.go
index 07bdc4d00e8c2..2c1bbe8e92a15 100644
--- a/api/gen/proto/go/teleport/workloadidentity/v1/issuance_service.pb.go
+++ b/api/gen/proto/go/teleport/workloadidentity/v1/issuance_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/workloadidentity/v1/issuance_service.proto
 
@@ -27,6 +27,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -765,7 +766,7 @@ func (x *IssueWorkloadIdentitiesResponse) GetCredentials() []*Credential {
 
 var File_teleport_workloadidentity_v1_issuance_service_proto protoreflect.FileDescriptor
 
-var file_teleport_workloadidentity_v1_issuance_service_proto_rawDesc = []byte{
+var file_teleport_workloadidentity_v1_issuance_service_proto_rawDesc = string([]byte{
 	0x0a, 0x33, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x77, 0x6f, 0x72, 0x6b, 0x6c,
 	0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x2f, 0x69,
 	0x73, 0x73, 0x75, 0x61, 0x6e, 0x63, 0x65, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e,
@@ -920,16 +921,16 @@ var file_teleport_workloadidentity_v1_issuance_service_proto_rawDesc = []byte{
 	0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x3b, 0x77, 0x6f, 0x72, 0x6b,
 	0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x76, 0x31, 0x62, 0x06,
 	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_workloadidentity_v1_issuance_service_proto_rawDescOnce sync.Once
-	file_teleport_workloadidentity_v1_issuance_service_proto_rawDescData = file_teleport_workloadidentity_v1_issuance_service_proto_rawDesc
+	file_teleport_workloadidentity_v1_issuance_service_proto_rawDescData []byte
 )
 
 func file_teleport_workloadidentity_v1_issuance_service_proto_rawDescGZIP() []byte {
 	file_teleport_workloadidentity_v1_issuance_service_proto_rawDescOnce.Do(func() {
-		file_teleport_workloadidentity_v1_issuance_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_workloadidentity_v1_issuance_service_proto_rawDescData)
+		file_teleport_workloadidentity_v1_issuance_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_workloadidentity_v1_issuance_service_proto_rawDesc), len(file_teleport_workloadidentity_v1_issuance_service_proto_rawDesc)))
 	})
 	return file_teleport_workloadidentity_v1_issuance_service_proto_rawDescData
 }
@@ -999,7 +1000,7 @@ func file_teleport_workloadidentity_v1_issuance_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_workloadidentity_v1_issuance_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_workloadidentity_v1_issuance_service_proto_rawDesc), len(file_teleport_workloadidentity_v1_issuance_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   10,
 			NumExtensions: 0,
@@ -1010,7 +1011,6 @@ func file_teleport_workloadidentity_v1_issuance_service_proto_init() {
 		MessageInfos:      file_teleport_workloadidentity_v1_issuance_service_proto_msgTypes,
 	}.Build()
 	File_teleport_workloadidentity_v1_issuance_service_proto = out.File
-	file_teleport_workloadidentity_v1_issuance_service_proto_rawDesc = nil
 	file_teleport_workloadidentity_v1_issuance_service_proto_goTypes = nil
 	file_teleport_workloadidentity_v1_issuance_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/workloadidentity/v1/join_attrs.pb.go b/api/gen/proto/go/teleport/workloadidentity/v1/join_attrs.pb.go
index f705799c17668..bbc0fdf1bc943 100644
--- a/api/gen/proto/go/teleport/workloadidentity/v1/join_attrs.pb.go
+++ b/api/gen/proto/go/teleport/workloadidentity/v1/join_attrs.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/workloadidentity/v1/join_attrs.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -1452,7 +1453,7 @@ func (x *JoinAttrsKubernetes) GetPod() *JoinAttrsKubernetesPod {
 
 var File_teleport_workloadidentity_v1_join_attrs_proto protoreflect.FileDescriptor
 
-var file_teleport_workloadidentity_v1_join_attrs_proto_rawDesc = []byte{
+var file_teleport_workloadidentity_v1_join_attrs_proto_rawDesc = string([]byte{
 	0x0a, 0x2d, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x77, 0x6f, 0x72, 0x6b, 0x6c,
 	0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x2f, 0x6a,
 	0x6f, 0x69, 0x6e, 0x5f, 0x61, 0x74, 0x74, 0x72, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12,
@@ -1690,16 +1691,16 @@ var file_teleport_workloadidentity_v1_join_attrs_proto_rawDesc = []byte{
 	0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2f, 0x76,
 	0x31, 0x3b, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69,
 	0x74, 0x79, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_workloadidentity_v1_join_attrs_proto_rawDescOnce sync.Once
-	file_teleport_workloadidentity_v1_join_attrs_proto_rawDescData = file_teleport_workloadidentity_v1_join_attrs_proto_rawDesc
+	file_teleport_workloadidentity_v1_join_attrs_proto_rawDescData []byte
 )
 
 func file_teleport_workloadidentity_v1_join_attrs_proto_rawDescGZIP() []byte {
 	file_teleport_workloadidentity_v1_join_attrs_proto_rawDescOnce.Do(func() {
-		file_teleport_workloadidentity_v1_join_attrs_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_workloadidentity_v1_join_attrs_proto_rawDescData)
+		file_teleport_workloadidentity_v1_join_attrs_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_workloadidentity_v1_join_attrs_proto_rawDesc), len(file_teleport_workloadidentity_v1_join_attrs_proto_rawDesc)))
 	})
 	return file_teleport_workloadidentity_v1_join_attrs_proto_rawDescData
 }
@@ -1755,7 +1756,7 @@ func file_teleport_workloadidentity_v1_join_attrs_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_workloadidentity_v1_join_attrs_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_workloadidentity_v1_join_attrs_proto_rawDesc), len(file_teleport_workloadidentity_v1_join_attrs_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   16,
 			NumExtensions: 0,
@@ -1766,7 +1767,6 @@ func file_teleport_workloadidentity_v1_join_attrs_proto_init() {
 		MessageInfos:      file_teleport_workloadidentity_v1_join_attrs_proto_msgTypes,
 	}.Build()
 	File_teleport_workloadidentity_v1_join_attrs_proto = out.File
-	file_teleport_workloadidentity_v1_join_attrs_proto_rawDesc = nil
 	file_teleport_workloadidentity_v1_join_attrs_proto_goTypes = nil
 	file_teleport_workloadidentity_v1_join_attrs_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/workloadidentity/v1/resource.pb.go b/api/gen/proto/go/teleport/workloadidentity/v1/resource.pb.go
index 3fcba9f65074d..debb88ec2e0a7 100644
--- a/api/gen/proto/go/teleport/workloadidentity/v1/resource.pb.go
+++ b/api/gen/proto/go/teleport/workloadidentity/v1/resource.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/workloadidentity/v1/resource.proto
 
@@ -26,6 +26,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -788,7 +789,7 @@ func (x *WorkloadIdentitySpec) GetSpiffe() *WorkloadIdentitySPIFFE {
 
 var File_teleport_workloadidentity_v1_resource_proto protoreflect.FileDescriptor
 
-var file_teleport_workloadidentity_v1_resource_proto_rawDesc = []byte{
+var file_teleport_workloadidentity_v1_resource_proto_rawDesc = string([]byte{
 	0x0a, 0x2b, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x77, 0x6f, 0x72, 0x6b, 0x6c,
 	0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x2f, 0x72,
 	0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1c, 0x74,
@@ -910,16 +911,16 @@ var file_teleport_workloadidentity_v1_resource_proto_rawDesc = []byte{
 	0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x3b, 0x77, 0x6f, 0x72, 0x6b, 0x6c,
 	0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x76, 0x31, 0x62, 0x06, 0x70,
 	0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_workloadidentity_v1_resource_proto_rawDescOnce sync.Once
-	file_teleport_workloadidentity_v1_resource_proto_rawDescData = file_teleport_workloadidentity_v1_resource_proto_rawDesc
+	file_teleport_workloadidentity_v1_resource_proto_rawDescData []byte
 )
 
 func file_teleport_workloadidentity_v1_resource_proto_rawDescGZIP() []byte {
 	file_teleport_workloadidentity_v1_resource_proto_rawDescOnce.Do(func() {
-		file_teleport_workloadidentity_v1_resource_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_workloadidentity_v1_resource_proto_rawDescData)
+		file_teleport_workloadidentity_v1_resource_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_workloadidentity_v1_resource_proto_rawDesc), len(file_teleport_workloadidentity_v1_resource_proto_rawDesc)))
 	})
 	return file_teleport_workloadidentity_v1_resource_proto_rawDescData
 }
@@ -975,7 +976,7 @@ func file_teleport_workloadidentity_v1_resource_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_workloadidentity_v1_resource_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_workloadidentity_v1_resource_proto_rawDesc), len(file_teleport_workloadidentity_v1_resource_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   12,
 			NumExtensions: 0,
@@ -986,7 +987,6 @@ func file_teleport_workloadidentity_v1_resource_proto_init() {
 		MessageInfos:      file_teleport_workloadidentity_v1_resource_proto_msgTypes,
 	}.Build()
 	File_teleport_workloadidentity_v1_resource_proto = out.File
-	file_teleport_workloadidentity_v1_resource_proto_rawDesc = nil
 	file_teleport_workloadidentity_v1_resource_proto_goTypes = nil
 	file_teleport_workloadidentity_v1_resource_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/teleport/workloadidentity/v1/resource_service.pb.go b/api/gen/proto/go/teleport/workloadidentity/v1/resource_service.pb.go
index 11876baef5121..6b174e4285472 100644
--- a/api/gen/proto/go/teleport/workloadidentity/v1/resource_service.pb.go
+++ b/api/gen/proto/go/teleport/workloadidentity/v1/resource_service.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/workloadidentity/v1/resource_service.proto
 
@@ -26,6 +26,7 @@ import (
 	emptypb "google.golang.org/protobuf/types/known/emptypb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -379,7 +380,7 @@ func (x *ListWorkloadIdentitiesResponse) GetNextPageToken() string {
 
 var File_teleport_workloadidentity_v1_resource_service_proto protoreflect.FileDescriptor
 
-var file_teleport_workloadidentity_v1_resource_service_proto_rawDesc = []byte{
+var file_teleport_workloadidentity_v1_resource_service_proto_rawDesc = string([]byte{
 	0x0a, 0x33, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x77, 0x6f, 0x72, 0x6b, 0x6c,
 	0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x2f, 0x72,
 	0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e,
@@ -496,16 +497,16 @@ var file_teleport_workloadidentity_v1_resource_service_proto_rawDesc = []byte{
 	0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x3b, 0x77, 0x6f, 0x72,
 	0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x76, 0x31, 0x62,
 	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_workloadidentity_v1_resource_service_proto_rawDescOnce sync.Once
-	file_teleport_workloadidentity_v1_resource_service_proto_rawDescData = file_teleport_workloadidentity_v1_resource_service_proto_rawDesc
+	file_teleport_workloadidentity_v1_resource_service_proto_rawDescData []byte
 )
 
 func file_teleport_workloadidentity_v1_resource_service_proto_rawDescGZIP() []byte {
 	file_teleport_workloadidentity_v1_resource_service_proto_rawDescOnce.Do(func() {
-		file_teleport_workloadidentity_v1_resource_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_workloadidentity_v1_resource_service_proto_rawDescData)
+		file_teleport_workloadidentity_v1_resource_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_workloadidentity_v1_resource_service_proto_rawDesc), len(file_teleport_workloadidentity_v1_resource_service_proto_rawDesc)))
 	})
 	return file_teleport_workloadidentity_v1_resource_service_proto_rawDescData
 }
@@ -556,7 +557,7 @@ func file_teleport_workloadidentity_v1_resource_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_workloadidentity_v1_resource_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_workloadidentity_v1_resource_service_proto_rawDesc), len(file_teleport_workloadidentity_v1_resource_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   7,
 			NumExtensions: 0,
@@ -567,7 +568,6 @@ func file_teleport_workloadidentity_v1_resource_service_proto_init() {
 		MessageInfos:      file_teleport_workloadidentity_v1_resource_service_proto_msgTypes,
 	}.Build()
 	File_teleport_workloadidentity_v1_resource_service_proto = out.File
-	file_teleport_workloadidentity_v1_resource_service_proto_rawDesc = nil
 	file_teleport_workloadidentity_v1_resource_service_proto_goTypes = nil
 	file_teleport_workloadidentity_v1_resource_service_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/userpreferences/v1/access_graph.pb.go b/api/gen/proto/go/userpreferences/v1/access_graph.pb.go
index 0928ad6c83403..64fe2189ca317 100644
--- a/api/gen/proto/go/userpreferences/v1/access_graph.pb.go
+++ b/api/gen/proto/go/userpreferences/v1/access_graph.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/userpreferences/v1/access_graph.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -83,7 +84,7 @@ func (x *AccessGraphUserPreferences) GetHasBeenRedirected() bool {
 
 var File_teleport_userpreferences_v1_access_graph_proto protoreflect.FileDescriptor
 
-var file_teleport_userpreferences_v1_access_graph_proto_rawDesc = []byte{
+var file_teleport_userpreferences_v1_access_graph_proto_rawDesc = string([]byte{
 	0x0a, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x70,
 	0x72, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x63,
 	0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
@@ -100,16 +101,16 @@ var file_teleport_userpreferences_v1_access_graph_proto_rawDesc = []byte{
 	0x6f, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x70, 0x72, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65,
 	0x73, 0x2f, 0x76, 0x31, 0x3b, 0x75, 0x73, 0x65, 0x72, 0x70, 0x72, 0x65, 0x66, 0x65, 0x72, 0x65,
 	0x6e, 0x63, 0x65, 0x73, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_userpreferences_v1_access_graph_proto_rawDescOnce sync.Once
-	file_teleport_userpreferences_v1_access_graph_proto_rawDescData = file_teleport_userpreferences_v1_access_graph_proto_rawDesc
+	file_teleport_userpreferences_v1_access_graph_proto_rawDescData []byte
 )
 
 func file_teleport_userpreferences_v1_access_graph_proto_rawDescGZIP() []byte {
 	file_teleport_userpreferences_v1_access_graph_proto_rawDescOnce.Do(func() {
-		file_teleport_userpreferences_v1_access_graph_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_userpreferences_v1_access_graph_proto_rawDescData)
+		file_teleport_userpreferences_v1_access_graph_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_userpreferences_v1_access_graph_proto_rawDesc), len(file_teleport_userpreferences_v1_access_graph_proto_rawDesc)))
 	})
 	return file_teleport_userpreferences_v1_access_graph_proto_rawDescData
 }
@@ -135,7 +136,7 @@ func file_teleport_userpreferences_v1_access_graph_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_userpreferences_v1_access_graph_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_userpreferences_v1_access_graph_proto_rawDesc), len(file_teleport_userpreferences_v1_access_graph_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   1,
 			NumExtensions: 0,
@@ -146,7 +147,6 @@ func file_teleport_userpreferences_v1_access_graph_proto_init() {
 		MessageInfos:      file_teleport_userpreferences_v1_access_graph_proto_msgTypes,
 	}.Build()
 	File_teleport_userpreferences_v1_access_graph_proto = out.File
-	file_teleport_userpreferences_v1_access_graph_proto_rawDesc = nil
 	file_teleport_userpreferences_v1_access_graph_proto_goTypes = nil
 	file_teleport_userpreferences_v1_access_graph_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/userpreferences/v1/assist.pb.go b/api/gen/proto/go/userpreferences/v1/assist.pb.go
index 1e1bf730e9051..531012ef0b89a 100644
--- a/api/gen/proto/go/userpreferences/v1/assist.pb.go
+++ b/api/gen/proto/go/userpreferences/v1/assist.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/userpreferences/v1/assist.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -151,7 +152,7 @@ func (x *AssistUserPreferences) GetViewMode() AssistViewMode {
 
 var File_teleport_userpreferences_v1_assist_proto protoreflect.FileDescriptor
 
-var file_teleport_userpreferences_v1_assist_proto_rawDesc = []byte{
+var file_teleport_userpreferences_v1_assist_proto_rawDesc = string([]byte{
 	0x0a, 0x28, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x70,
 	0x72, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x73,
 	0x73, 0x69, 0x73, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1b, 0x74, 0x65, 0x6c, 0x65,
@@ -185,16 +186,16 @@ var file_teleport_userpreferences_v1_assist_proto_rawDesc = []byte{
 	0x6e, 0x63, 0x65, 0x73, 0x2f, 0x76, 0x31, 0x3b, 0x75, 0x73, 0x65, 0x72, 0x70, 0x72, 0x65, 0x66,
 	0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
 	0x33,
-}
+})
 
 var (
 	file_teleport_userpreferences_v1_assist_proto_rawDescOnce sync.Once
-	file_teleport_userpreferences_v1_assist_proto_rawDescData = file_teleport_userpreferences_v1_assist_proto_rawDesc
+	file_teleport_userpreferences_v1_assist_proto_rawDescData []byte
 )
 
 func file_teleport_userpreferences_v1_assist_proto_rawDescGZIP() []byte {
 	file_teleport_userpreferences_v1_assist_proto_rawDescOnce.Do(func() {
-		file_teleport_userpreferences_v1_assist_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_userpreferences_v1_assist_proto_rawDescData)
+		file_teleport_userpreferences_v1_assist_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_userpreferences_v1_assist_proto_rawDesc), len(file_teleport_userpreferences_v1_assist_proto_rawDesc)))
 	})
 	return file_teleport_userpreferences_v1_assist_proto_rawDescData
 }
@@ -223,7 +224,7 @@ func file_teleport_userpreferences_v1_assist_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_userpreferences_v1_assist_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_userpreferences_v1_assist_proto_rawDesc), len(file_teleport_userpreferences_v1_assist_proto_rawDesc)),
 			NumEnums:      1,
 			NumMessages:   1,
 			NumExtensions: 0,
@@ -235,7 +236,6 @@ func file_teleport_userpreferences_v1_assist_proto_init() {
 		MessageInfos:      file_teleport_userpreferences_v1_assist_proto_msgTypes,
 	}.Build()
 	File_teleport_userpreferences_v1_assist_proto = out.File
-	file_teleport_userpreferences_v1_assist_proto_rawDesc = nil
 	file_teleport_userpreferences_v1_assist_proto_goTypes = nil
 	file_teleport_userpreferences_v1_assist_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/userpreferences/v1/cluster_preferences.pb.go b/api/gen/proto/go/userpreferences/v1/cluster_preferences.pb.go
index 5010529080c2e..f33ae3f3781bd 100644
--- a/api/gen/proto/go/userpreferences/v1/cluster_preferences.pb.go
+++ b/api/gen/proto/go/userpreferences/v1/cluster_preferences.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/userpreferences/v1/cluster_preferences.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -129,7 +130,7 @@ func (x *ClusterUserPreferences) GetPinnedResources() *PinnedResourcesUserPrefer
 
 var File_teleport_userpreferences_v1_cluster_preferences_proto protoreflect.FileDescriptor
 
-var file_teleport_userpreferences_v1_cluster_preferences_proto_rawDesc = []byte{
+var file_teleport_userpreferences_v1_cluster_preferences_proto_rawDesc = string([]byte{
 	0x0a, 0x35, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x70,
 	0x72, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x2f, 0x76, 0x31, 0x2f, 0x63, 0x6c,
 	0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x70, 0x72, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65,
@@ -154,16 +155,16 @@ var file_teleport_userpreferences_v1_cluster_preferences_proto_rawDesc = []byte{
 	0x67, 0x6f, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x70, 0x72, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63,
 	0x65, 0x73, 0x2f, 0x76, 0x31, 0x3b, 0x75, 0x73, 0x65, 0x72, 0x70, 0x72, 0x65, 0x66, 0x65, 0x72,
 	0x65, 0x6e, 0x63, 0x65, 0x73, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_userpreferences_v1_cluster_preferences_proto_rawDescOnce sync.Once
-	file_teleport_userpreferences_v1_cluster_preferences_proto_rawDescData = file_teleport_userpreferences_v1_cluster_preferences_proto_rawDesc
+	file_teleport_userpreferences_v1_cluster_preferences_proto_rawDescData []byte
 )
 
 func file_teleport_userpreferences_v1_cluster_preferences_proto_rawDescGZIP() []byte {
 	file_teleport_userpreferences_v1_cluster_preferences_proto_rawDescOnce.Do(func() {
-		file_teleport_userpreferences_v1_cluster_preferences_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_userpreferences_v1_cluster_preferences_proto_rawDescData)
+		file_teleport_userpreferences_v1_cluster_preferences_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_userpreferences_v1_cluster_preferences_proto_rawDesc), len(file_teleport_userpreferences_v1_cluster_preferences_proto_rawDesc)))
 	})
 	return file_teleport_userpreferences_v1_cluster_preferences_proto_rawDescData
 }
@@ -191,7 +192,7 @@ func file_teleport_userpreferences_v1_cluster_preferences_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_userpreferences_v1_cluster_preferences_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_userpreferences_v1_cluster_preferences_proto_rawDesc), len(file_teleport_userpreferences_v1_cluster_preferences_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   2,
 			NumExtensions: 0,
@@ -202,7 +203,6 @@ func file_teleport_userpreferences_v1_cluster_preferences_proto_init() {
 		MessageInfos:      file_teleport_userpreferences_v1_cluster_preferences_proto_msgTypes,
 	}.Build()
 	File_teleport_userpreferences_v1_cluster_preferences_proto = out.File
-	file_teleport_userpreferences_v1_cluster_preferences_proto_rawDesc = nil
 	file_teleport_userpreferences_v1_cluster_preferences_proto_goTypes = nil
 	file_teleport_userpreferences_v1_cluster_preferences_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/userpreferences/v1/onboard.pb.go b/api/gen/proto/go/userpreferences/v1/onboard.pb.go
index bbd1851cd4f8f..cf11d6055a065 100644
--- a/api/gen/proto/go/userpreferences/v1/onboard.pb.go
+++ b/api/gen/proto/go/userpreferences/v1/onboard.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/userpreferences/v1/onboard.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -225,7 +226,7 @@ func (x *OnboardUserPreferences) GetMarketingParams() *MarketingParams {
 
 var File_teleport_userpreferences_v1_onboard_proto protoreflect.FileDescriptor
 
-var file_teleport_userpreferences_v1_onboard_proto_rawDesc = []byte{
+var file_teleport_userpreferences_v1_onboard_proto_rawDesc = string([]byte{
 	0x0a, 0x29, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x70,
 	0x72, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x2f, 0x76, 0x31, 0x2f, 0x6f, 0x6e,
 	0x62, 0x6f, 0x61, 0x72, 0x64, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1b, 0x74, 0x65, 0x6c,
@@ -268,16 +269,16 @@ var file_teleport_userpreferences_v1_onboard_proto_rawDesc = []byte{
 	0x2f, 0x75, 0x73, 0x65, 0x72, 0x70, 0x72, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x73,
 	0x2f, 0x76, 0x31, 0x3b, 0x75, 0x73, 0x65, 0x72, 0x70, 0x72, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e,
 	0x63, 0x65, 0x73, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_userpreferences_v1_onboard_proto_rawDescOnce sync.Once
-	file_teleport_userpreferences_v1_onboard_proto_rawDescData = file_teleport_userpreferences_v1_onboard_proto_rawDesc
+	file_teleport_userpreferences_v1_onboard_proto_rawDescData []byte
 )
 
 func file_teleport_userpreferences_v1_onboard_proto_rawDescGZIP() []byte {
 	file_teleport_userpreferences_v1_onboard_proto_rawDescOnce.Do(func() {
-		file_teleport_userpreferences_v1_onboard_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_userpreferences_v1_onboard_proto_rawDescData)
+		file_teleport_userpreferences_v1_onboard_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_userpreferences_v1_onboard_proto_rawDesc), len(file_teleport_userpreferences_v1_onboard_proto_rawDesc)))
 	})
 	return file_teleport_userpreferences_v1_onboard_proto_rawDescData
 }
@@ -308,7 +309,7 @@ func file_teleport_userpreferences_v1_onboard_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_userpreferences_v1_onboard_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_userpreferences_v1_onboard_proto_rawDesc), len(file_teleport_userpreferences_v1_onboard_proto_rawDesc)),
 			NumEnums:      1,
 			NumMessages:   2,
 			NumExtensions: 0,
@@ -320,7 +321,6 @@ func file_teleport_userpreferences_v1_onboard_proto_init() {
 		MessageInfos:      file_teleport_userpreferences_v1_onboard_proto_msgTypes,
 	}.Build()
 	File_teleport_userpreferences_v1_onboard_proto = out.File
-	file_teleport_userpreferences_v1_onboard_proto_rawDesc = nil
 	file_teleport_userpreferences_v1_onboard_proto_goTypes = nil
 	file_teleport_userpreferences_v1_onboard_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/userpreferences/v1/sidenav_preferences.pb.go b/api/gen/proto/go/userpreferences/v1/sidenav_preferences.pb.go
index 534167515c85a..049204e69bda6 100644
--- a/api/gen/proto/go/userpreferences/v1/sidenav_preferences.pb.go
+++ b/api/gen/proto/go/userpreferences/v1/sidenav_preferences.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/userpreferences/v1/sidenav_preferences.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -88,7 +89,7 @@ func (SideNavDrawerMode) EnumDescriptor() ([]byte, []int) {
 
 var File_teleport_userpreferences_v1_sidenav_preferences_proto protoreflect.FileDescriptor
 
-var file_teleport_userpreferences_v1_sidenav_preferences_proto_rawDesc = []byte{
+var file_teleport_userpreferences_v1_sidenav_preferences_proto_rawDesc = string([]byte{
 	0x0a, 0x35, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x70,
 	0x72, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x2f, 0x76, 0x31, 0x2f, 0x73, 0x69,
 	0x64, 0x65, 0x6e, 0x61, 0x76, 0x5f, 0x70, 0x72, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65,
@@ -109,16 +110,16 @@ var file_teleport_userpreferences_v1_sidenav_preferences_proto_rawDesc = []byte{
 	0x72, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x2f, 0x76, 0x31, 0x3b, 0x75, 0x73,
 	0x65, 0x72, 0x70, 0x72, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x76, 0x31, 0x62,
 	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_userpreferences_v1_sidenav_preferences_proto_rawDescOnce sync.Once
-	file_teleport_userpreferences_v1_sidenav_preferences_proto_rawDescData = file_teleport_userpreferences_v1_sidenav_preferences_proto_rawDesc
+	file_teleport_userpreferences_v1_sidenav_preferences_proto_rawDescData []byte
 )
 
 func file_teleport_userpreferences_v1_sidenav_preferences_proto_rawDescGZIP() []byte {
 	file_teleport_userpreferences_v1_sidenav_preferences_proto_rawDescOnce.Do(func() {
-		file_teleport_userpreferences_v1_sidenav_preferences_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_userpreferences_v1_sidenav_preferences_proto_rawDescData)
+		file_teleport_userpreferences_v1_sidenav_preferences_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_userpreferences_v1_sidenav_preferences_proto_rawDesc), len(file_teleport_userpreferences_v1_sidenav_preferences_proto_rawDesc)))
 	})
 	return file_teleport_userpreferences_v1_sidenav_preferences_proto_rawDescData
 }
@@ -144,7 +145,7 @@ func file_teleport_userpreferences_v1_sidenav_preferences_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_userpreferences_v1_sidenav_preferences_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_userpreferences_v1_sidenav_preferences_proto_rawDesc), len(file_teleport_userpreferences_v1_sidenav_preferences_proto_rawDesc)),
 			NumEnums:      1,
 			NumMessages:   0,
 			NumExtensions: 0,
@@ -155,7 +156,6 @@ func file_teleport_userpreferences_v1_sidenav_preferences_proto_init() {
 		EnumInfos:         file_teleport_userpreferences_v1_sidenav_preferences_proto_enumTypes,
 	}.Build()
 	File_teleport_userpreferences_v1_sidenav_preferences_proto = out.File
-	file_teleport_userpreferences_v1_sidenav_preferences_proto_rawDesc = nil
 	file_teleport_userpreferences_v1_sidenav_preferences_proto_goTypes = nil
 	file_teleport_userpreferences_v1_sidenav_preferences_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/userpreferences/v1/theme.pb.go b/api/gen/proto/go/userpreferences/v1/theme.pb.go
index 4327993e2e0b2..835b4bce19870 100644
--- a/api/gen/proto/go/userpreferences/v1/theme.pb.go
+++ b/api/gen/proto/go/userpreferences/v1/theme.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/userpreferences/v1/theme.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -88,7 +89,7 @@ func (Theme) EnumDescriptor() ([]byte, []int) {
 
 var File_teleport_userpreferences_v1_theme_proto protoreflect.FileDescriptor
 
-var file_teleport_userpreferences_v1_theme_proto_rawDesc = []byte{
+var file_teleport_userpreferences_v1_theme_proto_rawDesc = string([]byte{
 	0x0a, 0x27, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x70,
 	0x72, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x2f, 0x76, 0x31, 0x2f, 0x74, 0x68,
 	0x65, 0x6d, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1b, 0x74, 0x65, 0x6c, 0x65, 0x70,
@@ -104,16 +105,16 @@ var file_teleport_userpreferences_v1_theme_proto_rawDesc = []byte{
 	0x65, 0x72, 0x70, 0x72, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x2f, 0x76, 0x31,
 	0x3b, 0x75, 0x73, 0x65, 0x72, 0x70, 0x72, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x73,
 	0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_userpreferences_v1_theme_proto_rawDescOnce sync.Once
-	file_teleport_userpreferences_v1_theme_proto_rawDescData = file_teleport_userpreferences_v1_theme_proto_rawDesc
+	file_teleport_userpreferences_v1_theme_proto_rawDescData []byte
 )
 
 func file_teleport_userpreferences_v1_theme_proto_rawDescGZIP() []byte {
 	file_teleport_userpreferences_v1_theme_proto_rawDescOnce.Do(func() {
-		file_teleport_userpreferences_v1_theme_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_userpreferences_v1_theme_proto_rawDescData)
+		file_teleport_userpreferences_v1_theme_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_userpreferences_v1_theme_proto_rawDesc), len(file_teleport_userpreferences_v1_theme_proto_rawDesc)))
 	})
 	return file_teleport_userpreferences_v1_theme_proto_rawDescData
 }
@@ -139,7 +140,7 @@ func file_teleport_userpreferences_v1_theme_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_userpreferences_v1_theme_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_userpreferences_v1_theme_proto_rawDesc), len(file_teleport_userpreferences_v1_theme_proto_rawDesc)),
 			NumEnums:      1,
 			NumMessages:   0,
 			NumExtensions: 0,
@@ -150,7 +151,6 @@ func file_teleport_userpreferences_v1_theme_proto_init() {
 		EnumInfos:         file_teleport_userpreferences_v1_theme_proto_enumTypes,
 	}.Build()
 	File_teleport_userpreferences_v1_theme_proto = out.File
-	file_teleport_userpreferences_v1_theme_proto_rawDesc = nil
 	file_teleport_userpreferences_v1_theme_proto_goTypes = nil
 	file_teleport_userpreferences_v1_theme_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/userpreferences/v1/unified_resource_preferences.pb.go b/api/gen/proto/go/userpreferences/v1/unified_resource_preferences.pb.go
index 1dca7ee5ead1f..83bc0aa0f176c 100644
--- a/api/gen/proto/go/userpreferences/v1/unified_resource_preferences.pb.go
+++ b/api/gen/proto/go/userpreferences/v1/unified_resource_preferences.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/userpreferences/v1/unified_resource_preferences.proto
 
@@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -321,7 +322,7 @@ func (x *UnifiedResourcePreferences) GetAvailableResourceMode() AvailableResourc
 
 var File_teleport_userpreferences_v1_unified_resource_preferences_proto protoreflect.FileDescriptor
 
-var file_teleport_userpreferences_v1_unified_resource_preferences_proto_rawDesc = []byte{
+var file_teleport_userpreferences_v1_unified_resource_preferences_proto_rawDesc = string([]byte{
 	0x0a, 0x3e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x70,
 	0x72, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x2f, 0x76, 0x31, 0x2f, 0x75, 0x6e,
 	0x69, 0x66, 0x69, 0x65, 0x64, 0x5f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, 0x70,
@@ -389,16 +390,16 @@ var file_teleport_userpreferences_v1_unified_resource_preferences_proto_rawDesc
 	0x6e, 0x63, 0x65, 0x73, 0x2f, 0x76, 0x31, 0x3b, 0x75, 0x73, 0x65, 0x72, 0x70, 0x72, 0x65, 0x66,
 	0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
 	0x33,
-}
+})
 
 var (
 	file_teleport_userpreferences_v1_unified_resource_preferences_proto_rawDescOnce sync.Once
-	file_teleport_userpreferences_v1_unified_resource_preferences_proto_rawDescData = file_teleport_userpreferences_v1_unified_resource_preferences_proto_rawDesc
+	file_teleport_userpreferences_v1_unified_resource_preferences_proto_rawDescData []byte
 )
 
 func file_teleport_userpreferences_v1_unified_resource_preferences_proto_rawDescGZIP() []byte {
 	file_teleport_userpreferences_v1_unified_resource_preferences_proto_rawDescOnce.Do(func() {
-		file_teleport_userpreferences_v1_unified_resource_preferences_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_userpreferences_v1_unified_resource_preferences_proto_rawDescData)
+		file_teleport_userpreferences_v1_unified_resource_preferences_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_userpreferences_v1_unified_resource_preferences_proto_rawDesc), len(file_teleport_userpreferences_v1_unified_resource_preferences_proto_rawDesc)))
 	})
 	return file_teleport_userpreferences_v1_unified_resource_preferences_proto_rawDescData
 }
@@ -433,7 +434,7 @@ func file_teleport_userpreferences_v1_unified_resource_preferences_proto_init()
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_userpreferences_v1_unified_resource_preferences_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_userpreferences_v1_unified_resource_preferences_proto_rawDesc), len(file_teleport_userpreferences_v1_unified_resource_preferences_proto_rawDesc)),
 			NumEnums:      4,
 			NumMessages:   1,
 			NumExtensions: 0,
@@ -445,7 +446,6 @@ func file_teleport_userpreferences_v1_unified_resource_preferences_proto_init()
 		MessageInfos:      file_teleport_userpreferences_v1_unified_resource_preferences_proto_msgTypes,
 	}.Build()
 	File_teleport_userpreferences_v1_unified_resource_preferences_proto = out.File
-	file_teleport_userpreferences_v1_unified_resource_preferences_proto_rawDesc = nil
 	file_teleport_userpreferences_v1_unified_resource_preferences_proto_goTypes = nil
 	file_teleport_userpreferences_v1_unified_resource_preferences_proto_depIdxs = nil
 }
diff --git a/api/gen/proto/go/userpreferences/v1/userpreferences.pb.go b/api/gen/proto/go/userpreferences/v1/userpreferences.pb.go
index 9032ba2cacc11..b0c7f58cc9ef2 100644
--- a/api/gen/proto/go/userpreferences/v1/userpreferences.pb.go
+++ b/api/gen/proto/go/userpreferences/v1/userpreferences.pb.go
@@ -14,7 +14,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/userpreferences/v1/userpreferences.proto
 
@@ -26,6 +26,7 @@ import (
 	emptypb "google.golang.org/protobuf/types/known/emptypb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -257,7 +258,7 @@ func (x *UpsertUserPreferencesRequest) GetPreferences() *UserPreferences {
 
 var File_teleport_userpreferences_v1_userpreferences_proto protoreflect.FileDescriptor
 
-var file_teleport_userpreferences_v1_userpreferences_proto_rawDesc = []byte{
+var file_teleport_userpreferences_v1_userpreferences_proto_rawDesc = string([]byte{
 	0x0a, 0x31, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x75, 0x73, 0x65, 0x72, 0x70,
 	0x72, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x2f, 0x76, 0x31, 0x2f, 0x75, 0x73,
 	0x65, 0x72, 0x70, 0x72, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x2e, 0x70, 0x72,
@@ -362,16 +363,16 @@ var file_teleport_userpreferences_v1_userpreferences_proto_rawDesc = []byte{
 	0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x2f, 0x76, 0x31, 0x3b, 0x75, 0x73, 0x65, 0x72,
 	0x70, 0x72, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x76, 0x31, 0x62, 0x06, 0x70,
 	0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_userpreferences_v1_userpreferences_proto_rawDescOnce sync.Once
-	file_teleport_userpreferences_v1_userpreferences_proto_rawDescData = file_teleport_userpreferences_v1_userpreferences_proto_rawDesc
+	file_teleport_userpreferences_v1_userpreferences_proto_rawDescData []byte
 )
 
 func file_teleport_userpreferences_v1_userpreferences_proto_rawDescGZIP() []byte {
 	file_teleport_userpreferences_v1_userpreferences_proto_rawDescOnce.Do(func() {
-		file_teleport_userpreferences_v1_userpreferences_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_userpreferences_v1_userpreferences_proto_rawDescData)
+		file_teleport_userpreferences_v1_userpreferences_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_userpreferences_v1_userpreferences_proto_rawDesc), len(file_teleport_userpreferences_v1_userpreferences_proto_rawDesc)))
 	})
 	return file_teleport_userpreferences_v1_userpreferences_proto_rawDescData
 }
@@ -425,7 +426,7 @@ func file_teleport_userpreferences_v1_userpreferences_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_userpreferences_v1_userpreferences_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_userpreferences_v1_userpreferences_proto_rawDesc), len(file_teleport_userpreferences_v1_userpreferences_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   4,
 			NumExtensions: 0,
@@ -436,7 +437,6 @@ func file_teleport_userpreferences_v1_userpreferences_proto_init() {
 		MessageInfos:      file_teleport_userpreferences_v1_userpreferences_proto_msgTypes,
 	}.Build()
 	File_teleport_userpreferences_v1_userpreferences_proto = out.File
-	file_teleport_userpreferences_v1_userpreferences_proto_rawDesc = nil
 	file_teleport_userpreferences_v1_userpreferences_proto_goTypes = nil
 	file_teleport_userpreferences_v1_userpreferences_proto_depIdxs = nil
 }
diff --git a/api/go.mod b/api/go.mod
index 4481fec6a78f5..361ee1847983d 100644
--- a/api/go.mod
+++ b/api/go.mod
@@ -10,7 +10,7 @@ require (
 	github.com/google/go-cmp v0.6.0
 	github.com/google/uuid v1.6.0
 	github.com/gravitational/trace v1.4.0
-	github.com/jonboulle/clockwork v0.4.0
+	github.com/jonboulle/clockwork v0.5.0
 	github.com/russellhaering/gosaml2 v0.9.1
 	github.com/stretchr/testify v1.10.0
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.58.0
@@ -28,7 +28,7 @@ require (
 	golang.org/x/term v0.28.0
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250102185135-69823020774d
 	google.golang.org/grpc v1.69.2
-	google.golang.org/protobuf v1.36.3
+	google.golang.org/protobuf v1.36.4
 	gopkg.in/yaml.v2 v2.4.0
 )
 
diff --git a/api/go.sum b/api/go.sum
index f39980a9a839f..f00b0e81b062a 100644
--- a/api/go.sum
+++ b/api/go.sum
@@ -809,8 +809,8 @@ github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
 github.com/jonboulle/clockwork v0.3.0/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
-github.com/jonboulle/clockwork v0.4.0 h1:p4Cf1aMWXnXAUh8lVfewRBx1zaTSYKrKMF2g3ST4RZ4=
-github.com/jonboulle/clockwork v0.4.0/go.mod h1:xgRqUGwRcjKCO1vbZUEtSLrqKoPSsUpK7fnezOII0kc=
+github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I=
+github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/jung-kurt/gofpdf v1.0.0/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes=
@@ -1569,8 +1569,8 @@ google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqw
 google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.29.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.36.3 h1:82DV7MYdb8anAVi3qge1wSnMDrnKK7ebr+I0hHRN1BU=
-google.golang.org/protobuf v1.36.3/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.4 h1:6A3ZDJHn/eNqc1i+IdefRzy/9PokBTPvcqMySR7NNIM=
+google.golang.org/protobuf v1.36.4/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
diff --git a/api/proto/teleport/decision/v1alpha1/ssh_identity.proto b/api/proto/teleport/decision/v1alpha1/ssh_identity.proto
index 01f4ea2af2d58..c63fa2f73850c 100644
--- a/api/proto/teleport/decision/v1alpha1/ssh_identity.proto
+++ b/api/proto/teleport/decision/v1alpha1/ssh_identity.proto
@@ -16,9 +16,174 @@ syntax = "proto3";
 
 package teleport.decision.v1alpha1;
 
+import "google/protobuf/timestamp.proto";
+import "teleport/decision/v1alpha1/tls_identity.proto";
+import "teleport/trait/v1/trait.proto";
+
 option go_package = "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1;decisionpb";
 
 // SSHIdentity is the identity used for SSH connections.
 message SSHIdentity {
-  // TBD
+  // --- common identity fields ---
+
+  // ValidAfter is the unix timestamp that marks the start time for when the certificate should
+  // be considered valid.
+  uint64 valid_after = 1;
+
+  // ValidBefore is the unix timestamp that marks the end time for when the certificate should
+  // be considered valid.
+  uint64 valid_before = 2;
+
+  // CertType indicates what type of cert this is (user or host).
+  uint32 cert_type = 3;
+
+  // Principals is the list of SSH principals associated with the certificate (this means the
+  // list of allowed unix logins in the case of user certs).
+  repeated string principals = 4;
+
+  // --- host identity fields ---
+
+  // ClusterName is the name of the cluster within which a node lives
+  string cluster_name = 5;
+  // SystemRole identifies the system role of a Teleport instance
+  string system_role = 6;
+
+  // -- user identity fields ---
+
+  // Username is teleport username
+  string username = 7;
+
+  // Impersonator is set when a user requests certificate for another user
+  string impersonator = 8;
+
+  // PermitX11Forwarding permits X11 forwarding for this cert
+  bool permit_x11_forwarding = 9;
+
+  // PermitAgentForwarding permits agent forwarding for this cert
+  bool permit_agent_forwarding = 10;
+
+  // PermitPortForwarding permits port forwarding.
+  bool permit_port_forwarding = 11;
+
+  // Roles is a list of roles assigned to this user
+  repeated string roles = 12;
+
+  // RouteToCluster specifies the target cluster
+  // if present in the certificate, will be used
+  // to route the requests to
+  string route_to_cluster = 13;
+
+  // Traits hold claim data used to populate a role at runtime.
+  repeated teleport.trait.v1.Trait traits = 14;
+
+  // ActiveRequests tracks privilege escalation requests applied during
+  // certificate construction.
+  repeated string active_requests = 15;
+
+  // MFAVerified is the UUID of an MFA device when this Identity was
+  // confirmed immediately after an MFA check.
+  string mfa_verified = 16;
+
+  // PreviousIdentityExpires is the expiry time of the identity/cert that this
+  // identity/cert was derived from. It is used to determine a session's hard
+  // deadline in cases where both require_session_mfa and disconnect_expired_cert
+  // are enabled. See https://github.com/gravitational/teleport/issues/18544.
+  google.protobuf.Timestamp previous_identity_expires = 17;
+
+  // LoginIP is an observed IP of the client on the moment of certificate creation.
+  string login_ip = 18;
+
+  // PinnedIP is an IP from which client must communicate with Teleport.
+  string pinned_ip = 19;
+
+  // DisallowReissue flags that any attempt to request new certificates while
+  // authenticated with this cert should be denied.
+  bool disallow_reissue = 20;
+
+  // CertificateExtensions are user configured ssh key extensions (note: this field also
+  // ends up aggregating all *unknown* extensions during cert parsing, meaning that this
+  // can sometimes contain fields that were inserted by a newer version of teleport).
+  repeated CertExtension certificate_extensions = 21;
+
+  // Renewable indicates this certificate is renewable.
+  bool renewable = 22;
+
+  // Generation counts the number of times a certificate has been renewed, with a generation of 1
+  // meaning the cert has never been renewed. A generation of zero means the cert's generation is
+  // not being tracked.
+  uint64 generation = 23;
+
+  // BotName is set to the name of the bot, if the user is a Machine ID bot user.
+  // Empty for human users.
+  string bot_name = 24;
+
+  // BotInstanceID is the unique identifier for the bot instance, if this is a
+  // Machine ID bot. It is empty for human users.
+  string bot_instance_id = 25;
+
+  // AllowedResourceIDs lists the resources the user should be able to access.
+  repeated ResourceId allowed_resource_ids = 26;
+
+  // ConnectionDiagnosticID references the ConnectionDiagnostic that we should use to append traces when testing a Connection.
+  string connection_diagnostic_id = 27;
+
+  // PrivateKeyPolicy is the private key policy supported by this certificate.
+  string private_key_policy = 28;
+
+  // DeviceID is the trusted device identifier.
+  string device_id = 29;
+
+  // DeviceAssetTag is the device inventory identifier.
+  string device_asset_tag = 30;
+
+  // DeviceCredentialID is the identifier for the credential used by the device
+  // to authenticate itself.
+  string device_credential_id = 31;
+
+  // GitHubUserID indicates the GitHub user ID identified by the GitHub
+  // connector.
+  string github_user_id = 32;
+
+  // GitHubUsername indicates the GitHub username identified by the GitHub
+  // connector.
+  string github_username = 33;
+}
+
+// CertExtensionMode specifies the type of extension to use in the cert. This type
+// must be kept up to date with types.CertExtensionMode.
+enum CertExtensionMode {
+  // CERT_EXTENSION_MODE_UNSPECIFIED is the default value and should not be used.
+  CERT_EXTENSION_MODE_UNSPECIFIED = 0;
+
+  // EXTENSION represents a cert extension that may or may not be
+  // honored by the server.
+  CERT_EXTENSION_MODE_EXTENSION = 1;
+}
+
+// CertExtensionType represents the certificate type the extension is for.
+// Currently only ssh is supported. This type must be kept up to date with
+// types.CertExtensionType.
+enum CertExtensionType {
+  // CERT_EXTENSION_TYPE_UNSPECIFIED is the default value and should not be used.
+  CERT_EXTENSION_TYPE_UNSPECIFIED = 0;
+
+  // SSH is used when extending an ssh certificate
+  CERT_EXTENSION_TYPE_SSH = 1;
+}
+
+// CertExtension represents a key/value for a certificate extension. This type must
+// be kept up to date with types.CertExtension.
+message CertExtension {
+  // Type represents the certificate type being extended, only ssh
+  // is supported at this time.
+  // 0 is "ssh".
+  CertExtensionType type = 1;
+  // Mode is the type of extension to be used -- currently
+  // critical-option is not supported.
+  // 0 is "extension".
+  CertExtensionMode mode = 2;
+  // Name specifies the key to be used in the cert extension.
+  string name = 3;
+  // Value specifies the value to be used in the cert extension.
+  string value = 4;
 }
diff --git a/api/proto/teleport/integration/v1/integration_service.proto b/api/proto/teleport/integration/v1/integration_service.proto
index 0528f521f684e..8eb0875f6443b 100644
--- a/api/proto/teleport/integration/v1/integration_service.proto
+++ b/api/proto/teleport/integration/v1/integration_service.proto
@@ -46,6 +46,9 @@ service IntegrationService {
   // GenerateAWSOIDCToken generates a token to be used when executing an AWS OIDC Integration action.
   rpc GenerateAWSOIDCToken(GenerateAWSOIDCTokenRequest) returns (GenerateAWSOIDCTokenResponse);
 
+  // GenerateAzureOIDCToken generates a token to be used when executing an Azure OIDC Integration action.
+  rpc GenerateAzureOIDCToken(GenerateAzureOIDCTokenRequest) returns (GenerateAzureOIDCTokenResponse);
+
   // GenerateGitHubUserCert signs a SSH certificate for GitHub integration.
   rpc GenerateGitHubUserCert(GenerateGitHubUserCertRequest) returns (GenerateGitHubUserCertResponse);
 
@@ -119,6 +122,20 @@ message GenerateAWSOIDCTokenResponse {
   string token = 1;
 }
 
+// GenerateAzureOIDCTokenRequest are the parameters used to request an Azure OIDC
+// Integration token.
+message GenerateAzureOIDCTokenRequest {
+  // Integration is the Azure OIDC Integration name.
+  // Required.
+  string integration = 1;
+}
+
+// GenerateAzureOIDCTokenResponse contains a signed Azure OIDC Integration token.
+message GenerateAzureOIDCTokenResponse {
+  // Token is the signed JWT ready to be used
+  string token = 1;
+}
+
 // GenerateGitHubUserCertRequest is a request to sign a client certificate used by
 // GitHub integration to authenticate with GitHub enterprise.
 message GenerateGitHubUserCertRequest {
diff --git a/api/proto/teleport/notifications/v1/notifications.proto b/api/proto/teleport/notifications/v1/notifications.proto
index 4181964c2c854..7244ba0da1224 100644
--- a/api/proto/teleport/notifications/v1/notifications.proto
+++ b/api/proto/teleport/notifications/v1/notifications.proto
@@ -167,3 +167,28 @@ message UserLastSeenNotificationStatus {
   // last_seen_time is the timestamp of the last notification that the user has seen.
   google.protobuf.Timestamp last_seen_time = 1;
 }
+
+// UniqueNotificationIdentifier represents a unique notification identifier.
+// This is a resource whose existence is used to keep track of whether a particular notification has already been created, in order to prevent duplicate notifications.
+// For example, if the unique identifier is "unique_notification_identifier/access_list_30d_reminder/1234", when a caller attempts to create a notification
+// for a 30 day reminder to review access list 1234, it will create this identifier resource as well, and any subsequent times it attempts to create the notification,
+// it will detect that the identifier already exists, and thus know not to create a duplicate.
+// Note that using this system does not always guarantee accuracy/concurrency, so this shouldn't be used for security critical notifications.
+message UniqueNotificationIdentifier {
+  // kind is the resource kind ("unique_notification_identifier").
+  string kind = 1;
+  // version is the resource version.
+  string version = 2;
+  // metadata is the unique notification identifier metadata.
+  teleport.header.v1.Metadata metadata = 3;
+  // spec is the unique notification identifier spec.
+  UniqueNotificationIdentifierSpec spec = 5;
+}
+
+// UniqueNotificationIdentifierSpec is the unique notification identifier specification.
+message UniqueNotificationIdentifierSpec {
+  // unique_identifier is the unique identifier string. This is what is used to keep track of the unique notification and what is used in the resource's backend key.
+  string unique_identifier = 1;
+  // unique_identifier_prefix is the prefix for this unique notiifcation identifier, this is used to group notification identifiers together, eg. "access_list_30d_reminder"
+  string unique_identifier_prefix = 2;
+}
diff --git a/api/types/constants.go b/api/types/constants.go
index f8b2e5c2473f1..e24c0a3d98197 100644
--- a/api/types/constants.go
+++ b/api/types/constants.go
@@ -556,6 +556,8 @@ const (
 	KindUserLastSeenNotification = "user_last_seen_notification"
 	// KindUserNotificationState is a resource which tracks whether a user has clicked on or dismissed a notification.
 	KindUserNotificationState = "user_notification_state"
+	// KindUniqueNotificationIdentifier is a resource which tracks a unique identifier for a notification and is used to prevent duplicate notifications in certain cases.
+	KindUniqueNotificationIdentifier = "unique_notification_identifier"
 
 	// KindAccessGraphSecretAuthorizedKey is a authorized key entry found in
 	// a Teleport SSH node type.
diff --git a/api/types/desktop.go b/api/types/desktop.go
index a6455484e2daa..d3fb9a2de3b57 100644
--- a/api/types/desktop.go
+++ b/api/types/desktop.go
@@ -543,3 +543,11 @@ func checkNameAndScreenSize(name string, screenSize *Resolution) error {
 	}
 	return nil
 }
+
+// RDPLicenseKey is struct for retrieving licenses from backend cache, used only internally
+type RDPLicenseKey struct {
+	Version   uint32 // e.g. 0x000a0002
+	Issuer    string // e.g. example.com
+	Company   string // e.g. Example Corporation
+	ProductID string // e.g. A02
+}
diff --git a/docs/config.json b/docs/config.json
index f8ff91ae673e6..b80beeddce26c 100644
--- a/docs/config.json
+++ b/docs/config.json
@@ -136,8 +136,8 @@
       "aws_secret_access_key": "zyxw9876-this-is-an-example"
     },
     "cloud": {
-      "version": "16.4.11",
-      "major_version": "16",
+      "version": "17.1.6",
+      "major_version": "17",
       "sla": {
         "monthly_percentage": "99.9%",
         "monthly_downtime": "44 minutes"
@@ -289,6 +289,11 @@
       "destination": "/reference/operator-resources/resources-teleport-dev-users/",
       "permanent": true
     },
+    {
+      "source": "/enroll-resources/workload-identity/workload-attestation/",
+      "destination": "/reference/workload-identity/workload-identity-api-and-workload-attestation/",
+       "permanent": true
+    },
     {
       "source": "/access-controls/guides/role-templates/",
       "destination": "/admin-guides/access-controls/guides/role-templates/",
diff --git a/docs/cspell.json b/docs/cspell.json
index 34b72ddd456da..f32242348e11f 100644
--- a/docs/cspell.json
+++ b/docs/cspell.json
@@ -1003,6 +1003,7 @@
     "webproxy",
     "webui",
     "westeurope",
+    "WIMSE",
     "winadj",
     "windowsaccountname",
     "windowsdesktop",
diff --git a/docs/pages/admin-guides/access-controls/sso/sso.mdx b/docs/pages/admin-guides/access-controls/sso/sso.mdx
index c19de30c823d6..8674f2b4d368f 100644
--- a/docs/pages/admin-guides/access-controls/sso/sso.mdx
+++ b/docs/pages/admin-guides/access-controls/sso/sso.mdx
@@ -7,15 +7,7 @@ Teleport users can log in to servers, Kubernetes clusters, databases, web
 applications, and Windows desktops through their organization's Single Sign-On
 (SSO) provider.
 
-- [Microsoft Entra ID](azuread.mdx): Configure Microsoft Entra ID SSO for SSH, Kubernetes, databases, desktops and web apps.
-- [Active Directory (ADFS)](adfs.mdx): Configure Windows Active Directory SSO for SSH, Kubernetes, databases, desktops and web apps.
-- [Google Workspace](google-workspace.mdx): Configure Google Workspace SSO for SSH, Kubernetes, databases, desktops and web apps.
-- [GitHub](github-sso.mdx): Configure GitHub SSO for SSH,
-  Kubernetes, databases, desktops, and web apps.
-- [GitLab](gitlab.mdx): Configure GitLab SSO for SSH, Kubernetes, databases, desktops and web apps.
-- [OneLogin](one-login.mdx): Configure OneLogin SSO for SSH, Kubernetes, databases, desktops and web apps.
-- [OIDC](oidc.mdx): Configure OIDC SSO for SSH, Kubernetes, databases, desktops and web apps.
-- [Okta](okta.mdx): Configure Okta SSO for SSH, Kubernetes, databases, desktops and web apps.
+(!toc!)
 
 ## How Teleport uses SSO
 
diff --git a/docs/pages/enroll-resources/workload-identity/introduction.mdx b/docs/pages/enroll-resources/workload-identity/introduction.mdx
index b3737e1997f52..3087572d86c08 100644
--- a/docs/pages/enroll-resources/workload-identity/introduction.mdx
+++ b/docs/pages/enroll-resources/workload-identity/introduction.mdx
@@ -97,10 +97,11 @@ Teleport Proxy is not used for securing workload-to-workload communication.
 Learn more about Teleport Workload Identity:
 
 - [SPIFFE](./spiffe.mdx): Learn about the SPIFFE specification and how it is implemented by Teleport Workload Identity.
-- [Workload Attestation](./workload-attestation.mdx): Learn about using Workload Attestation to securely issue SVIDs to specific workloads.
 - [Federation](./federation.mdx): Learn about using Federation to allow workloads to trust workloads from other trust domains.
 - [JWT SVIDs](./jwt-svids.mdx): Learn about the short-lived JWTs issued by Workload Identity.
 - [Best Practices](./best-practices.mdx): Best practices for using Workload Identity in Production.
+- [WorkloadIdentity Resource](../../reference/workload-identity/workload-identity-resource.mdx): The full reference for the WorkloadIdentity resource.
+- [Workload Identity API and Workload Attestation](../../reference/workload-identity/workload-identity-api-and-workload-attestation.mdx): To learn more about the Workload Identity API and Workload Attestation.
 
 Learn how to configure Teleport Workload Identity for specific use-cases:
 
diff --git a/docs/pages/includes/machine-id/workload-identity-selector-config.yaml b/docs/pages/includes/machine-id/workload-identity-selector-config.yaml
new file mode 100644
index 0000000000000..1c8bd0ef46ee4
--- /dev/null
+++ b/docs/pages/includes/machine-id/workload-identity-selector-config.yaml
@@ -0,0 +1,12 @@
+# Selector is used to control which WorkloadIdentity resource will be used to
+# issue the workload identity credential. The selector can either be the name of
+# a specific WorkloadIdentity resource or a label selector that can match
+# multiple WorkloadIdentity resources.
+#
+# The selector must be set to either a name or labels, but not both.
+selector:
+  # Name is used to select a specific WorkloadIdentity resource by its name.
+  name: foo
+  # Labels is used to select multiple WorkloadIdentity resources by their labels.
+  labels:
+    app: [foo, bar]
diff --git a/docs/pages/reference/cli/tbot.mdx b/docs/pages/reference/cli/tbot.mdx
index 46b303846c946..c07073df05392 100644
--- a/docs/pages/reference/cli/tbot.mdx
+++ b/docs/pages/reference/cli/tbot.mdx
@@ -509,8 +509,89 @@ command supports these additional flags:
 | `--username` | The database user name. The bot user must have permission to connect as this user. Required. |
 | `--database` | The name of the database available in the requested service. Required. |
 
+## tbot start workload-identity-x509
+
+Issues an X509 workload identity credential using Teleport Workload Identity and
+writes this credential to a specified destination.
+
+See the [configuration reference](../machine-id/configuration.mdx) for further
+information about the workload identity credential output and the YAML
+configuration file format.
+
+### Flags
+
+In addition to the [common `tbot start` flags](#common-start-flags), this
+command supports these additional flags:
+
+| Flag                                     | Description                                                                                                                                                        |
+|------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `--destination`                          | A destination URI, such as file:///foo/bar. See [Destination URIs](#destination-uris) for more info. Required.                                                     |
+| `--reader-user`                          | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                 |
+| `--reader-group`                         | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                |
+| `--[no-]include-federated-trust-bundles` | If set, include federated trust bundles in the output                                                                                                              |
+| `--name-selector`                        | Specifies a WorkloadIdentity resource by name to use when issuing the X509 for a workload. Mutually exclusive with `--label-selector`.                             |
+| `--label-selector`                       | Specifies a set of labels to use when selecting WorkloadIdentity resources to use when issuing the X509 for a workload. Mutually exclusive with `--name-selector`. |
+
+## tbot start workload-identity-jwt
+
+Issues a JWT workload identity credential using Teleport Workload Identity and
+writes this credential to a specified destination.
+
+The JWT workload identity credential is compatible with the [SPIFFE JWT SVID
+specification](https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md).
+
+See the [configuration reference](../machine-id/configuration.mdx) for further
+information about the workload identity credential output and the YAML
+configuration file format.
+
+### Flags
+
+In addition to the [common `tbot start` flags](#common-start-flags), this
+command supports these additional flags:
+
+| Flag               | Description                                                                                                                                                        |
+|--------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `--destination`    | A destination URI, such as file:///foo/bar. See [Destination URIs](#destination-uris) for more info. Required.                                                     |
+| `--reader-user`    | An additional user name or UID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                 |
+| `--reader-group`   | An additional group name or GID that should be allowed by ACLs to read this destination. Only valid for file destinations on Linux.                                |
+| `--name-selector`  | Specifies a WorkloadIdentity resource by name to use when issuing the X509 for a workload. Mutually exclusive with `--label-selector`.                             |
+| `--label-selector` | Specifies a set of labels to use when selecting WorkloadIdentity resources to use when issuing the X509 for a workload. Mutually exclusive with `--name-selector`. |
+| `--audience`       | The audience for the JWT. Can be provided multiple times to produce a JWT with multiple audiences. At least one audience must be provided.                         |
+
+## tbot start workload-identity-api
+
+Starts the `tbot` agent and opens a listener for the local workload identity
+API.
+
+The configuration for this service can be complex, and therefore, it is
+recommended that you leverage the YAML configuration.
+
+See [Workload Identity API & Workload Attestation](../workload-identity/workload-identity-api-and-workload-attestation.mdx)
+for further information about the local workload identity API and the YAML
+configuration.
+
+### Flags
+
+In addition to the [common `tbot start` flags](#common-start-flags), this
+command supports these additional flags:
+
+| Flag               | Description                                                                                                                                                        |
+|--------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `--listen`         | A socket URI to listen on, e.g. `tcp://localhost:1234` or `unix:///opt/workload-identity.sock`. Required.                                                          |
+| `--name-selector`  | Specifies a WorkloadIdentity resource by name to use when issuing the X509 for a workload. Mutually exclusive with `--label-selector`.                             |
+| `--label-selector` | Specifies a set of labels to use when selecting WorkloadIdentity resources to use when issuing the X509 for a workload. Mutually exclusive with `--name-selector`. |
+
 ## tbot start spiffe-svid
 
+<Admonition type="warning" >
+The use of this command has been deprecated as part of the introduction of the
+new Workload Identity configuration experience. You can replace the use of this
+command with the new `tbot start workload-identity-x509` command.
+
+For further information, see [the new Workload Identity configuration experience
+and how to migrate](../workload-identity/configuration-resource-migration.mdx).
+</Admonition>
+
 ### Flags
 
 In addition to the [common `tbot start` flags](#common-start-flags), this
diff --git a/docs/pages/reference/machine-id/configuration.mdx b/docs/pages/reference/machine-id/configuration.mdx
index 6b21fceb51462..8d97964dd1ec2 100644
--- a/docs/pages/reference/machine-id/configuration.mdx
+++ b/docs/pages/reference/machine-id/configuration.mdx
@@ -311,8 +311,70 @@ principals:
 (!docs/pages/includes/machine-id/common-output-config.yaml!)
 ```
 
+### `workload-identity-x509`
+
+The `workload-identity-x509` output is used to issue an X509 workload identity
+credential and write this to a configured destination.
+
+The output generates the following artifacts:
+
+- `svid.pem`: the X509 SVID.
+- `svid.key`: the private key associated with the X509 SVID.
+- `bundle.pem`: the X509 bundle that contains the trust domain CAs.
+
+See [Workload Identity introduction](../../enroll-resources/workload-identity/introduction.mdx)
+for more information on Workload Identity functionality.
+
+```yaml
+# type specifies the type of the output. For the X509 Workload Identity output,
+# this will always be `workload-identity-x509`.
+type: workload-identity-x509
+(!docs/pages/includes/machine-id/workload-identity-selector-config.yaml!)
+(!docs/pages/includes/machine-id/common-output-config.yaml!)
+```
+
+### `workload-identity-jwt`
+
+The `workload-identity-jwt` output is used to issue a JWT workload identity
+credential and write this to a configured destination.
+
+The JWT workload identity credential is compatible with the [SPIFFE JWT SVID
+specification](https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md).
+
+The output generates the following artifacts:
+
+- `jwt_svid`: the JWT SVID.
+
+See [Workload Identity introduction](../../enroll-resources/workload-identity/introduction.mdx)
+for more information on Workload Identity functionality.
+
+```yaml
+# type specifies the type of the output. For the JWT Workload Identity output,
+# this will always be `workload-identity-jwt`.
+type: workload-identity-jwt
+# audiences specifies the values that should be included in the `aud` claim of
+# the JWT. Typically, this identifies the intended recipient of the JWT and
+# contains a single value.
+#
+# At least one audience value must be specified.
+audiences:
+ - example.com
+ - foo.example.com
+(!docs/pages/includes/machine-id/workload-identity-selector-config.yaml!)
+(!docs/pages/includes/machine-id/common-output-config.yaml!)
+```
+
 ### `spiffe-svid`
 
+<Admonition type="warning" >
+The use of this service has been deprecated as part of the introduction of the
+new Workload Identity configuration experience. You can replace the use of this
+output with the new `workload-identity-x509` or `workload-identity-jwt` service.
+
+For further information, see [the new Workload Identity configuration experience
+and how to migrate](../workload-identity/configuration-resource-migration.mdx).
+</Admonition>
+
 The `spiffe-svid` output is used to generate a SPIFFE X509 SVID and write this
 to a configured destination.
 
@@ -367,8 +429,26 @@ Outputs, they may not necessarily generate artifacts. Typically, services
 provide supporting functionality for machine to machine access, for example,
 opening tunnels or providing APIs.
 
+### `workload-identity-api`
+
+The `workload-identity-api` services opens a listener that provides a local
+workload identity API, intended to serve workload identity credentials
+(e.g X509/JWT SPIFFE SVIDs) to workloads running on the same host.
+
+For more information about this, see the
+[Workload Identity API and Workload Attestation reference](../workload-identity/workload-identity-api-and-workload-attestation.mdx)
+
 ### `spiffe-workload-api`
 
+<Admonition type="warning" >
+The use of this service has been deprecated as part of the introduction of the
+new Workload Identity configuration experience. You can replace the use of this
+service with the new `workload-identity-api` service.
+
+For further information, see [the new Workload Identity configuration experience
+and how to migrate](../workload-identity/configuration-resource-migration.mdx).
+</Admonition>
+
 The `spiffe-workload-api` service opens a listener for a service that implements
 the SPIFFE Workload API. This service is used to provide SPIFFE SVIDs to
 workloads.
@@ -500,10 +580,10 @@ service, three additional special names can be used to aid configuration:
 
 - `default`: `tbot` will return the default SVID for the workload.
 - `ROOTCA`: `tbot` will return the trust bundle for the trust domain that the
-   workload is a member of.
+workload is a member of.
 - `ALL`: `tbot` will return the trust bundle for the trust domain that the
-  workload is a member of, as well as the trust bundles of any trust domain
-  that the trust domain is federated with.
+workload is a member of, as well as the trust bundles of any trust domain
+that the trust domain is federated with.
 
 The following is an example Envoy configuration that sources a certificate
 and trust bundle from the `spiffe-workload-api` service listening on
diff --git a/docs/pages/reference/workload-identity/attributes.mdx b/docs/pages/reference/workload-identity/attributes.mdx
new file mode 100644
index 0000000000000..8ef2587cc1df7
--- /dev/null
+++ b/docs/pages/reference/workload-identity/attributes.mdx
@@ -0,0 +1,255 @@
+---
+title: Workload Identity Attributes
+description: Information about the attributes that can be used in templating and rules in the WorkloadIdentity resource.
+---
+
+Attributes are features of an identity which you can use with the
+[WorkloadIdentity](./workload-identity-resource.mdx) resource to create rules
+and template values.
+
+These attributes come from a variety of sources, such as workload attestations
+performed by `tbot` or the attestation performed by the control plane when
+`tbot` joins.
+
+## Join attributes
+
+Join attributes are sourced from the join process that the Bot underwent. These
+typically allow you to identify the machine that the `tbot` agent is running on.
+
+### `join.meta`
+
+The `join.meta` attributes are not related to any specific join method, and
+instead typically provide information about the join token that was used to
+join.
+
+| Field                       | Description                                                                                                                                                                                                                         |
+|-----------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `join.meta.join_token_name` | The name of the join token that was used to join. This field is omitted if the join token that was used to join was of the `token` method as in this case, the name of the join token is sensitive. Example: `my-gitlab-join-token` |
+| `join.meta.join_method`     | The name of the join method that was used to join. Example: `gitlab`                                                                                                                                                                |
+
+### `join.azure`
+
+These attributes are present if the Bot joined using the Azure join method.
+
+| Field                       | Description                                                                    |
+|-----------------------------|--------------------------------------------------------------------------------|
+| `join.azure.subscription`   | The subscription ID of the Azure account that the joining entity is a part of. |
+| `join.azure.resource_group` | The resource group of the Azure account that the joining entity is a part of.  |
+
+### `join.bitbucket`
+
+These attributes are present if the Bot joined using the BitBucket join method.
+
+They are mapped from the JWT issued by BitBucket, for which further
+documentation is available at https://support.atlassian.com/bitbucket-cloud/docs/integrate-pipelines-with-resource-servers-using-oidc/
+
+| Field                                        | Description                                                             |
+|----------------------------------------------|-------------------------------------------------------------------------|
+| `join.bitbucket.sub`                         | The `sub` claim of the Bitbucket JWT that was used to join.             |
+| `join.bitbucket.step_uuid`                   | The UUID of the pipeline step.                                          |
+| `join.bitbucket.repository_uuid`             | The UUID of the repository the pipeline step is running within.         |
+| `join.bitbucket.pipeline_uuid`               | The UUID of the pipeline the step is running within.                    |
+| `join.bitbucket.workspace_uuid`              | The UUID of the workspace the pipeline belongs to.                      |
+| `join.bitbucket.deployment_environment_uuid` | The UUID of the deployment environment the pipeline is running against. |
+| `join.bitbucket.branch_name`                 | The name of the branch the pipeline is running against.                 |
+
+### `join.circleci`
+
+These attributes are present if the Bot joined using the CircleCI join method.
+
+They are mapped from the JWT issued by CircleCI, for which further documentation
+is available at https://circleci.com/docs/openid-connect-tokens/
+
+| Field                       | Description                                                |
+|-----------------------------|------------------------------------------------------------|
+| `join.circleci.sub`         | The `sub` claim of the CircleCI JWT that was used to join. |
+| `join.circleci.context_ids` | The UUIDs of the contexts used in the job.                 |
+| `join.circleci.project_id`  | The UUID of the project in which the job is running..      |
+
+### `join.gcp`
+
+These attributes are present if the Bot joined using the Google Cloud Project
+(GCP) join method.
+
+They are mapped from the JWT issued by GCP, for which further documentation is
+available at https://cloud.google.com/compute/docs/instances/verifying-instance-identity#payload
+
+The attributes beneath `join.gcp.gce` are only present if the Bot is running on
+a Google Compute Engine (GCE) instance.
+
+| Field                       | Description                                                                       |
+|-----------------------------|-----------------------------------------------------------------------------------|
+| `join.gcp.service_account`  | The service account email of the service account that the instance is running as. |
+| `join.gcp.gce.name`         | The name of the GCE instance that the joining entity is running on.               |
+| `join.gcp.gce.zone`         | The zone of the GCE instance that the joining entity is running on.               |
+| `join.gcp.gce.zone.id`      | The ID of the GCE instance that the joining entity is running on.                 |
+| `join.gcp.gce.zone.project` | The project ID of the GCP project that the instance is running within.            |
+
+### `join.github`
+
+These attributes are present if the Bot joined using the GitHub join method.
+
+They are mapped from the JWT issued by GitHub, for which further documentation is
+available at https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token
+
+| Field                          | Description                                                                  |
+|--------------------------------|------------------------------------------------------------------------------|
+| `join.github.sub`              | The `sub` claim of the GitHub JWT that was used to join.                     |
+| `join.github.actor`            | The username of the actor that initiated the workflow run.                   |
+| `join.github.environment`      | The name of the environment that the workflow is running against, if any.    |
+| `join.github.ref`              | The ref that the workflow is running against..                               |
+| `join.github.ref_type`         | The type of ref that the workflow is running against. For example, `branch`. |
+| `join.github.repository`       | The name of the repository that the workflow is running within.              |
+| `join.github.repository_owner` | The name of the owner of the repository that the workflow is running within. |
+| `join.github.workflow`         | The name of the workflow that is running.                                    |
+| `join.github.event_name`       | The name of the event that triggered the workflow run..                      |
+| `join.github.sha`              | The SHA of the commit that triggered the workflow run.                       |
+| `join.github.run_id`           | The ID of this GitHub actions workflow run.                                  |
+
+### `join.gitlab`
+
+These attributes are present if the Bot joined using the GitLab join method.
+
+They are mapped from the JWT issued by GitLab, for which further documentation is
+available at https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#token-payload
+
+| Field                               | Description                                                                                                                       |
+|-------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|
+| `join.gitlab.sub`                   | The `sub` claim of the GitLab JWT that was used to join.  For example: `project_path:mygroup/my-project:ref_type:branch:ref:main` |
+| `join.gitlab.ref`                   | The ref that the pipeline is running against. For example: `main`                                                                 |
+| `join.gitlab.ref_type`              | The type of ref that the pipeline is running against. This is typically `branch` or `tag`.                                        |
+| `join.gitlab.ref_protected`         | Whether or not the ref that the pipeline is running against is protected.                                                         |
+| `join.gitlab.namespace_path`        | The path of the namespace of the project that the pipeline is running within.                                                     |
+| `join.gitlab.project_path`          | The full qualified path of the project that the pipeline is running within. For example: `mygroup/my-project`                     |
+| `join.gitlab.user_login`            | The name of the user that triggered the pipeline run.                                                                             |
+| `join.gitlab.user_email`            | The email of the user that triggered the pipeline run.                                                                            |
+| `join.gitlab.pipeline_id`           | The ID of the pipeline.                                                                                                           |
+| `join.gitlab.pipeline_source`       | The source of the pipeline. For example: `push` or `web`                                                                          |
+| `join.gitlab.environment`           | The environment the pipeline is running against, if any.                                                                          |
+| `join.gitlab.environment_protected` | Whether or not the pipeline is running against a protected environment.                                                           |
+| `join.gitlab.runner_id`             | The ID of the runner that this pipeline is running on.                                                                            |
+| `join.gitlab.runner_environment`    | The type of runner that is processing the pipeline.  Either `gitlab-hosted` or `self-hosted`.                                     |
+| `join.gitlab.sha`                   | The SHA of the commit that triggered the pipeline run.                                                                            |
+| `join.gitlab.ci_config_ref_uri`     | The ref URI of the CI config configuring the pipeline.                                                                            |
+| `join.gitlab.ci_config_sha`         | The Git SHA of the CI config ref configuring the pipeline.                                                                        |
+
+### `join.iam`
+
+These attributes are present if the Bot joined using the AWS IAM join method.
+
+| Field              | Description                                                                                                                 |
+|--------------------|-----------------------------------------------------------------------------------------------------------------------------|
+| `join.iam.account` | The identifier of the account that the joining entity is a part of. For example: `123456789012`.                            |
+| `join.iam.arn`     | The AWS ARN of the joining entity. For example: `arn:aws:sts::123456789012:assumed-role/my-role-name/my-role-session-name`. |
+
+### `join.kubernetes`
+
+These attributes are present if the Bot joined using the Kubernetes join method.
+
+The attributes under `join.kubernetes.pod` are only present if the bot is
+running in a Kubernetes cluster with Projected Service Account Token support.
+
+| Field                                       | Description                                                                                                                                                                           |
+|---------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `join.kubernetes.subject`                   | The fully qualified identifier of the entity based on the Kubernetes token. For a service account, this takes the form of `system:serviceaccount:<namespace>:<service-account-name>`. |
+| `join.kubernetes.service_account.name`      | The name of the service account that the joining entity is running as.                                                                                                                |
+| `join.kubernetes.service_account.namespace` | The namespace of the service account that the joining entity is running as.                                                                                                           |
+| `join.kubernetes.pod.name`                  | The name of the pod that the joining entity is running in.                                                                                                                            |
+
+### `join.spacelift`
+
+These attributes are present if the Bot joined using the Spacelift join method.
+
+They are mapped from the JWT issued by Spacelift, for which further documentation
+is available at https://docs.spacelift.io/integrations/cloud-providers/oidc/#standard-claims
+
+| Field                        | Description                                                                        |
+|------------------------------|------------------------------------------------------------------------------------|
+| `join.spacelift.sub`         | The `sub` claim of the Spacelift JWT that was used to join..                       |
+| `join.spacelift.space_id`    | The ID of the space in which the run is executing.                                 |
+| `join.spacelift.caller_type` | The type of the caller that owns the run, either `stack` or `module`.              |
+| `join.spacelift.caller_id`   | The ID of the caller that generated the run.                                       |
+| `join.spacelift.run_type`    | The type of the run, either `PROPOSED`, `TRACKED`, `TASK`, `TESTING` or `DESTROY`. |
+| `join.spacelift.run_id`      | The ID of the run.                                                                 |
+| `join.spacelift.scope`       | The configured scope of the token, either `read` or `write`.                       |
+
+### `join.terraform_cloud`
+
+These attributes are present if the Bot joined using the Terraform Cloud join
+method.
+
+They are mapped from the JWT issued by Terraform Cloud, for which further
+documentation is available at https://developer.hashicorp.com/terraform/enterprise/workspaces/dynamic-provider-credentials/workload-identity-tokens
+
+| Field                                    | Description                                                                                                                                         |
+|------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|
+| `join.terraform_cloud.sub`               | The `sub` claim of the Terraform Cloud JWT that was used to join.                                                                                   |
+| `join.terraform_cloud.organization_name` | The name of the organization the project and workspace belong to.                                                                                   |
+| `join.terraform_cloud.project_name`      | The name of the project the workspace belongs to.                                                                                                   |
+| `join.terraform_cloud.workspace_name`    | The name of the workspace that the plan/apply is running within.                                                                                    |
+| `join.terraform_cloud.full_workspace`    | The fully qualified workspace path, including the organization and project name. For example: `organization:<name>:project:<name>:workspace:<name>` |
+| `join.terraform_cloud.run_id`            | The ID of the run that is being executed..                                                                                                          |
+| `join.terraform_cloud.run_phase`         | The phase of the run that is being executed, either `plan` or `apply`.                                                                              |
+
+### `join.tpm`
+
+These attributes are present if the Bot joined using the TPM join method.
+
+| Field                       | Description                                                                                                      |
+|-----------------------------|------------------------------------------------------------------------------------------------------------------|
+| `join.tpm.ek_pub_hash`      | The SHA256 hash of the PKIX formatted EK public key, encoded in hex. This effectively identifies a specific TPM. |
+| `join.tpm.ek_cert_serial`   | The serial number of the EK certificate, if present.                                                             |
+| `join.tpm.ek_cert_verified` | Whether or not the EK certificate was verified against a certificate authority.                                  |
+
+## Workload attributes
+
+Workload attributes are sourced from workload attestations performed by `tbot`
+when a workload requests an identity via the workload API. They may not be
+present depending on your configuration of `tbot`. See the
+[Workload Attestation reference](./workload-identity-api-and-workload-attestation.mdx) for more
+information.
+
+### `workload.unix`
+
+Attributes sourced from the Unix workload attestor.
+
+See the
+[Workload API and Workload Attestation reference](./workload-identity-api-and-workload-attestation.mdx#Unix)
+for more information.
+
+| Attribute                | Description                                   |
+|--------------------------|-----------------------------------------------|
+| `workload.unix.attested` | Whether the workload passed Unix attestation. |
+| `workload.unix.pid`      | The PID of the workload process.              |
+| `workload.unix.gid`      | The primary user ID of the workload process.  |
+| `workload.unix.uid`      | The primary group ID of the workload process. |
+
+### `workload.kubernetes`
+
+Attributes sourced from the Kubernetes workload attestor.
+
+See the
+[Workload API and Workload Attestation reference](./workload-identity-api-and-workload-attestation.mdx#Kubernetes)
+for more information.
+
+| Attribute                             | Description                                         |
+|---------------------------------------|-----------------------------------------------------|
+| `workload.kubernetes.attested`        | Whether the workload passed Kubernetes attestation. |
+| `workload.kubernetes.namespace`       | The namespace of the workload pod.                  |
+| `workload.kubernetes.pod_name`        | The name of the workload pod.                       |
+| `workload.kubernetes.service_account` | The service account of the workload pod.            |
+| `workload.kubernetes.pod_uid`         | The UID of the workload pod.                        |
+| `workload.kubernetes.labels`          | The labels of the workload pod.                     |
+
+## User attributes
+
+User attributes are sourced from the Bot or User that is requesting the
+issuance of the workload identity credential.
+
+| Attribute              | Description                                       |
+|------------------------|---------------------------------------------------|
+| `user.name`            | The name of the user.                             |
+| `user.is_bot`          | Whether the user is a bot.                        |
+| `user.bot_name`        | If the user is a bot, the name of the bot.        |
+| `user.bot_instance_id` | If the user is a bot, the instance ID of the bot. |
+| `user.labels`          | Labels of the user.                               |
diff --git a/docs/pages/reference/workload-identity/configuration-resource-migration.mdx b/docs/pages/reference/workload-identity/configuration-resource-migration.mdx
new file mode 100644
index 0000000000000..295b629273588
--- /dev/null
+++ b/docs/pages/reference/workload-identity/configuration-resource-migration.mdx
@@ -0,0 +1,61 @@
+---
+title: WorkloadIdentity Configuration Resource migration
+description: Migrating to the new WorkloadIdentity resource configuration
+---
+
+The way that you configure Teleport Workload Identity is changing. If you are
+currently using Workload Identity, you will need to migrate to the new
+configuration experience by V19.0.0 when support for the old configuration
+will be removed.
+
+## Overview
+
+Previously, the details of the credentials (e.g X509 SVID/JWT SVID) you wished
+to issue were defined directly within `tbot`. Controlling what credentials were
+allowed to be issued was done by configuring the `spec.allow.spiffe` field of
+the role resource.
+
+The new configuration experience introduces a new resource type, `WorkloadIdentity`,
+which allows you to define the structure of an identity credential that can be
+issued to workloads and the rules around what workloads it can be issued to.
+
+This provides the following benefits over the previous configuration experience:
+
+- Centralized control of the structure of the identity credential, which
+  simplifies the configuration of `tbot`.
+- The ability to specify rules based on the attributes of the workload, such as
+  the name of the Kubernetes namespace or service account, that is more fine
+  grained than the previous configuration.
+- The ability to use templating to dynamically generate elements of the identity
+  credential - allowing a single WorkloadIdentity resource to be used to serve
+  multiple workloads.
+
+You can read the full details of the new WorkloadIdentity resource in the
+[WorkloadIdentity Resource](./workload-identity-resource.mdx) reference.
+
+## Migrating `tbot`
+
+The following CLI commands have been replaced:
+
+- `tbot start spiffe-svid` is now `tbot start workload-identity-x509`.
+
+The following new additional CLI commands have been introduced:
+
+- `tbot start workload-identity-api` to start a listener for the Workload
+  Identity API.
+- `tbot start workload-identity-jwt` to issue a JWT SVID.
+
+You can read more about the new CLI commands in the
+[`tbot` CLI reference](../cli/tbot.mdx).
+
+The following service types have been replaced:
+
+- `spiffe-workload-api` is now `workload-identity-api`.
+- `spiffe-x509-svid` is now `workload-identity-x509`.
+
+The following new additional service types have been introduced:
+
+- `workload-identity-jwt` to issue JWT SVIDs.
+
+You can read more about the new service types in the
+[`tbot` configuration reference](../machine-id/configuration.mdx).
\ No newline at end of file
diff --git a/docs/pages/reference/workload-identity/workload-identity-api-and-workload-attestation.mdx b/docs/pages/reference/workload-identity/workload-identity-api-and-workload-attestation.mdx
new file mode 100644
index 0000000000000..7c6a23ba2fef8
--- /dev/null
+++ b/docs/pages/reference/workload-identity/workload-identity-api-and-workload-attestation.mdx
@@ -0,0 +1,418 @@
+---
+title: Workload Identity API & Workload Attestation
+description: Information about the `tbot` Workload Identity API service and Workload Attestation functionality
+---
+
+The Workload Identity API service (`workload-identity-api`) is a configurable
+`tbot` service that allows workloads to request JWT and X509 workload identity
+credentials on-the-fly.
+
+It's a more secure alternative to writing credentials to disk and supports
+performing a process known as workload attestation to determine attributes of
+the workload before issuing credentials.
+
+The Workload Identity API is compatible with two standards:
+
+- [SPIFFE Workload API](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Workload_API.md)
+- [Envoy SDS](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret)
+
+In addition to issuing credentials to workloads, the Workload Identity API can
+also provide the trust bundle necessary for workloads to validate the
+credentials of other workloads.
+
+## Configuration
+
+```yaml
+# type specifies the type of the service. For the Workload Identity API service,
+# this will always be `workload-identity-api`.
+type: workload-identity-api
+# listen specifies the address that the service should listen on.
+#
+# Two types of listener are supported:
+# - TCP: `tcp://<address>:<port>`
+# - Unix socket: `unix:///<path>`
+listen: unix:///opt/machine-id/workload.sock
+# attestors allows Workload Attestation to be configured for this Workload
+# API.
+attestors:
+  # kubernetes is configuration for the Kubernetes Workload Attestor. See
+  # the Kubernetes Workload Attestor section for more information.
+  kubernetes:
+    # enabled specifies whether the Kubernetes Workload Attestor should be
+    # enabled. If unspecified, this defaults to false.
+    enabled: true
+    # kubelet holds configuration relevant to the Kubernetes Workload Attestors
+    # interaction with the Kubelet API.
+    kubelet:
+      # read_only_port is the port on which the Kubelet API is exposed for
+      # read-only operations. Since Kubernetes 1.16, the read-only port is
+      # typically disabled by default and secure_port should be used instead.
+      read_only_port: 10255
+      # secure_port is the port on which the attestor should connect to the
+      # Kubelet secure API. If unspecified, this defaults to `10250`. This is
+      # mutually exclusive with ReadOnlyPort.
+      secure_port: 10250
+      # token_path is the path to the token file that the Kubelet API client
+      # should use to authenticate with the Kubelet API. If unspecified, this
+      # defaults to `/var/run/secrets/kubernetes.io/serviceaccount/token`.
+      token_path: "/var/run/secrets/kubernetes.io/serviceaccount/token"
+      # ca_path is the path to the CA file that the Kubelet API client should
+      # use to validate the Kubelet API server's certificate. If unspecified,
+      # this defaults to `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
+      ca_path: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+      # skip_verify is used to disable verification of the Kubelet API server's
+      # certificate. If unspecified, this defaults to false.
+      #
+      # If specified, the value specified in ca_path is ignored.
+      #
+      # This is useful in cases where the Kubelet API server has not been issued
+      # with a certificate signed by the Kubernetes cluster's CA. This is fairly
+      # common with a number of Kubernetes distributions.
+      skip_verify: true
+      # anonymous is used to disable authentication with the Kubelet API. If
+      # unspecified, this defaults to false. If set, the token_path field is
+      # ignored.
+      anonymous: false
+(!docs/pages/includes/machine-id/workload-identity-selector-config.yaml!)
+```
+
+## SPIFFE Workload API
+
+The Workload Identity API implements the SPIFFE Workload API, a standardized
+API for workloads to request workload identity credentials and trust bundles.
+
+Via this API, both JWT and X509 workload identity credentials can be issued.
+
+## Workload Attestation
+
+Workload Attestation is the process completed by `tbot` to assert the identity
+of a workload that has connected to the Workload API and requested credentials.
+
+Workload Attestors are the individual components that perform this attestation.
+They use the process ID of the workload to gather information about the workload
+from platform-specific APIs. For example, the Kubernetes Workload Attestor
+queries the local Kubelet API to determine which Kubernetes pod the process
+belongs to.
+
+The result of this attestation process is known as attestation metadata. This
+attestation metadata can be included in the rules or templates you configure as
+part of a WorkloadIdentity resource.
+
+### Unix
+
+The Unix Workload Attestor is the most basic attestor and allows you to restrict
+the issuance of workload identities to specific Unix processes based on a range
+of criteria.
+
+#### Support for non-standard procfs mounting
+
+To resolve information about a process from the PID, the Unix Workload Attestor
+reads information from the procfs filesystem. By default, it expects procfs to
+be mounted at `/proc`.
+
+If procfs is mounted at a different location, you must configure the Unix
+Workload Attestor to read from that alternative location by setting the
+`HOST_PROC` environment variable.
+
+This is a sensitive configuration option, and you should ensure that it is
+set correctly or not set at all. If misconfigured, an attacker could provide
+falsified information about processes, and this could lead to the issuance of
+SVIDs to unauthorized workloads.
+
+### Kubernetes
+
+The Kubernetes Workload Attestor allows you to restrict the issuance of workload
+identities to specific Kubernetes workloads based on a range of criteria.
+
+It works by first determining the pod ID for a given process ID and then by
+querying the local kubelet API for details about that pod.
+
+#### Deployment Guidance
+
+To use Kubernetes Workload Attestation, `tbot` must be deployed as a daemon
+set. This is because the unix domain socket can only be accessed by pods on the
+same node as the agent. Additionally, the daemon set must have the `hostPID`
+property set to `true` to allow the agent to access information about
+processes within other containers.
+
+The daemon set must also have a service account assigned that allows it to query
+the Kubelet API. This is an example role with the required RBAC:
+
+```yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: tbot
+rules:
+  - resources: ["pods","nodes","nodes/proxy"]
+    apiGroups: [""]
+    verbs: ["get"]
+```
+
+Mapping the Workload API Unix domain socket into the containers of workloads
+can be done in two ways:
+
+- Directly configuring a hostPath volume for the `tbot` daemonset and workloads
+which will need to connect to it.
+- Using [spiffe-csi-driver](https://github.com/spiffe/spiffe-csi).
+
+Example manifests for required Kubernetes resources:
+
+```yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: tbot
+rules:
+  - resources: ["pods","nodes","nodes/proxy"]
+    apiGroups: [""]
+    verbs: ["get"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: tbot
+subjects:
+  - kind: ServiceAccount
+    name: tbot
+    namespace: default
+roleRef:
+  kind: ClusterRole
+  name: tbot
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tbot
+  namespace: default
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: tbot-config
+  namespace: default
+data:
+  tbot.yaml: |
+    version: v2
+    onboarding:
+      join_method: kubernetes
+      # replace with the name of a join token you have created.
+      token: example-token
+    storage:
+      type: memory
+    # ensure this is configured to the address of your Teleport Proxy Service.
+    proxy_server: example.teleport.sh:443
+    services:
+      - type: workload-identity-api
+        listen: unix:///run/tbot/sockets/workload.sock
+        attestor:
+          kubernetes:
+            enabled: true
+            kubelet:
+              # skip verification of the Kubelet API certificate as this is not
+              # usually issued by the cluster CA.
+              skip_verify: true
+        selector:
+          name: example-workload-identity
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: tbot
+spec:
+  selector:
+      matchLabels:
+        app: tbot
+  template:
+    metadata:
+      labels:
+        app: tbot
+    spec:
+      securityContext:
+        runAsUser: 0
+        runAsGroup: 0
+      hostPID: true
+      containers:
+        - name: tbot
+          image: public.ecr.aws/gravitational/tbot-distroless:(=teleport.version=)
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            privileged: true
+          args:
+            - start
+            - -c
+            - /config/tbot.yaml
+            - --log-format
+            - json
+          volumeMounts:
+            - mountPath: /config
+              name: config
+            - mountPath: /var/run/secrets/tokens
+              name: join-sa-token
+            - name: tbot-sockets
+              mountPath: /run/tbot/sockets
+              readOnly: false
+          env:
+            - name: TELEPORT_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: KUBERNETES_TOKEN_PATH
+              value: /var/run/secrets/tokens/join-sa-token
+      serviceAccountName: tbot
+      volumes:
+        - name: tbot-sockets
+          hostPath:
+            path: /run/tbot/sockets
+            type: DirectoryOrCreate
+        - name: config
+          configMap:
+            name: tbot-config
+        - name: join-sa-token
+          projected:
+            sources:
+              - serviceAccountToken:
+                  path: join-sa-token
+                  # 600 seconds is the minimum that Kubernetes supports. We
+                  # recommend this value is used.
+                  expirationSeconds: 600
+                  # `example.teleport.sh` must be replaced with the name of
+                  # your Teleport cluster.
+                  audience: example.teleport.sh
+```
+
+## Envoy SDS
+
+The `workload-identity-api` service endpoint also implements the Envoy SDS API.
+This allows it to act as a source of certificates and certificate authorities
+for the Envoy proxy.
+
+As a forward proxy, Envoy can be used to attach an X.509 SVID to an outgoing
+connection from a workload that is not SPIFFE-enabled.
+
+As a reverse proxy, Envoy can be used to terminate mTLS connections from
+SPIFFE-enabled clients. Envoy can validate that the client has presented a valid
+X.509 SVID and perform enforcement of authorization policies based on the SPIFFE
+ID contained within the SVID.
+
+When acting as a reverse proxy for certain protocols, Envoy can be configured
+to attach a header indicating the identity of the client to a request before
+forwarding it to the service. This can then be used by the service to make
+authorization decisions based on the client's identity.
+
+When configuring Envoy to use the SDS API exposed by the `workload-identity-api`
+service, three additional special names can be used to aid configuration:
+
+- `default`: `tbot` will return the default SVID for the workload.
+- `ROOTCA`: `tbot` will return the trust bundle for the trust domain that the
+workload is a member of.
+- `ALL`: `tbot` will return the trust bundle for the trust domain that the
+workload is a member of, as well as the trust bundles of any trust domain
+that the trust domain is federated with.
+
+The following is an example Envoy configuration that sources a certificate
+and trust bundle from the `workload-identity-api` service listening on
+`unix:///opt/machine-id/workload.sock`. It requires that a connecting client
+presents a valid SPIFFE SVID and forwards this information to the backend
+service in the `x-forwarded-client-cert` header.
+
+```yaml
+node:
+  id: "my-envoy-proxy"
+  cluster: "my-cluster"
+static_resources:
+  listeners:
+    - name: test_listener
+      enable_reuse_port: false
+      address:
+        socket_address:
+          address: 0.0.0.0
+          port_value: 8080
+      filter_chains:
+        - filters:
+            - name: envoy.filters.network.http_connection_manager
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                common_http_protocol_options:
+                  idle_timeout: 1s
+                forward_client_cert_details: sanitize_set
+                set_current_client_cert_details:
+                  uri: true
+                stat_prefix: ingress_http
+                route_config:
+                  name: local_route
+                  virtual_hosts:
+                    - name: my_service
+                      domains: ["*"]
+                      routes:
+                        - match:
+                            prefix: "/"
+                          route:
+                            cluster: my_service
+                http_filters:
+                  - name: envoy.filters.http.router
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+          transport_socket:
+            name: envoy.transport_sockets.tls
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
+              common_tls_context:
+                # configure the certificate that the reverse proxy should present.
+                tls_certificate_sds_secret_configs:
+                  # `name` can be replaced with the desired SPIFFE ID if  multiple
+                  # SVIDs are available.
+                  - name: "default"
+                    sds_config:
+                      resource_api_version: V3
+                      api_config_source:
+                        api_type: GRPC
+                        transport_api_version: V3
+                        grpc_services:
+                          envoy_grpc:
+                            cluster_name: tbot_agent
+                # combined validation context "melds" two validation contexts
+                # together. This is handy for extending the validation context
+                # from the SDS source.
+                combined_validation_context:
+                  default_validation_context:
+                    # You can use match_typed_subject_alt_names to configure
+                    # rules that only allow connections from specific SPIFFE IDs.
+                    match_typed_subject_alt_names: []
+                  validation_context_sds_secret_config:
+                    name: "ALL" # This can also be replaced with the trust domain name
+                    sds_config:
+                      resource_api_version: V3
+                      api_config_source:
+                        api_type: GRPC
+                        transport_api_version: V3
+                        grpc_services:
+                          envoy_grpc:
+                            cluster_name: tbot_agent
+  clusters:
+    # my_service is the example service that Envoy will forward traffic to.
+    - name: my_service
+      type: strict_dns
+      load_assignment:
+        cluster_name: my_service
+        endpoints:
+          - lb_endpoints:
+              - endpoint:
+                  address:
+                    socket_address:
+                      address: 127.0.0.1
+                      port_value: 8090
+    - name: tbot_agent
+      http2_protocol_options: {}
+      load_assignment:
+        cluster_name: tbot_agent
+        endpoints:
+          - lb_endpoints:
+              - endpoint:
+                  address:
+                    pipe:
+                      # Configure the path to the socket that `tbot` is
+                      # listening on.
+                      path: /opt/machine-id/workload.sock
+```
\ No newline at end of file
diff --git a/docs/pages/reference/workload-identity/workload-identity-resource.mdx b/docs/pages/reference/workload-identity/workload-identity-resource.mdx
new file mode 100644
index 0000000000000..b47662a92ccac
--- /dev/null
+++ b/docs/pages/reference/workload-identity/workload-identity-resource.mdx
@@ -0,0 +1,276 @@
+---
+title: WorkloadIdentity Resource
+description: Information about the WorkloadIdentity resource
+---
+
+The WorkloadIdentity resource is used to define the structure of an identity
+credentials that can be issued to workloads and the rules around what workloads
+it can be issued to.
+
+It supports templating using attributes of the workload, such as the name of the
+Kubernetes namespace or service account, which allows the WorkloadIdentity
+resource to be used in a generic way for multiple distinct workloads.
+
+## Configuration
+
+```yaml
+kind: workload_identity
+version: v1
+metadata:
+  # The name of the WorkloadIdentity resource. This can be used to directly
+  # request the issuance of a credential for this identity.
+  name: my-workload
+  # Key-value labels that can be used to group and filter WorkloadIdentity
+  # resources when requesting issuance.
+  labels:
+    example: foo
+spec:
+  # Configuration relevant to issuing SPIFFE-compatible workload identity
+  # credentials.
+  spiffe:
+    # The path element of the SPIFFE ID that will be included in credentials
+    # issued for this identity.
+    #
+    # This must be prefixed with a forward-slash (`/`).
+    #
+    # Required. Supports templating.
+    id: /foo/bar/{{ join.kubernetes.pod.name }}/{{ join.kubernetes.service_account.name }}
+    # The hint field allows a string to be passed to workloads along with a
+    # credential issued for this identity. This can be used to help workloads
+    # differentiate between multiple identities that they may have
+    # (e.g `internal` vs `external`).
+    #
+    # Optional. Supports templating.
+    hint: An example hint
+    # Grouped configuration for X.509 credentials.
+    x509:
+      # The DNS Subject Alternative Names (SANs) that should be included in any
+      # X509-SVID issued using this WorkloadIdentity.
+      #
+      # Each individual element of this list supports templating and after
+      # templating must be a valid DNS name.
+      #
+      # Optional, if not provided then no DNS SANs will be included in the X.509
+      # credential.
+      dns_sans:
+      - example.com
+      # Controls the subject distinguished name of an X509 workload identity
+      # credential issued using this identity. If unspecified, a blank subject
+      # will be used.
+      #
+      # In most circumstances, it is recommended to prefer relying on the
+      # SPIFFE ID encoded in the URI SAN. However, the Subject DN may be needed
+      # to support legacy systems designed for X.509 and not SPIFFE/WIMSE.
+      subject_template:
+        # The common name (CN - 2.5.4.3) of the subject distinguished name.
+        # Supports templating. If not provided, the common name will be omitted.
+        common_name: my-common-name
+        # The organization (O - 2.5.4.10) of the subject distinguished name.
+        # Supports templating. If not provided, the organization will be omitted.
+        organization: my-organization
+        # The organizational unit (OU - 2.5.4.11) of the subject distinguished
+        # name. Supports templating. If not provided, the organizational unit
+        # will be omitted.
+        organizational_unit: my-organizational-unit
+  # The rules control when this WorkloadIdentity can be used to issue a
+  # credential.
+  rules:
+    # When allow rules are specified, at least one must pass in order for the
+    # WorkloadIdentity to be used to issue a credential. This effectively
+    # creates an OR relationship between the rules.
+    #
+    # If no allow rules are specified, then the WorkloadIdentity can be issued
+    # to any workload with the correct workload_identity_labels within their
+    # role set.
+    allow:
+    # Each rule consists of a set of conditions. All conditions must pass in
+    # order for the rule to be considered a match. This effectively creates an
+    # AND relationship between the conditions.
+    #
+    # A more detailed explanation of the available operators can be found under
+    # the "Rules" section of this page.
+    - conditions:
+      - attribute: join.kubernetes.pod.name
+        eq:
+          value: my-pod
+      - attribute: join.kubernetes.namespace
+        not_eq:
+          value: kube-system
+```
+
+## Templating
+
+The WorkloadIdentity resource supports templating in certain fields, this allows
+you to customize elements of the workload identity credential issued to
+workloads with attested attributes.
+
+For example, you can use templating to insert the name of the Kubernetes
+namespace and service account into the SPIFFE ID of the workload identity
+credential:
+
+```yaml
+kind: workload_identity
+version: v1
+metadata:
+  name: my-kubernetes-workload
+spec:
+  spiffe:
+    id: /k8s/{{ workload.kubernetes.namespace }}/{{ workload.kubernetes.service_account }}
+```
+
+Would result in a SPIFFE ID of `spiffe://example.teleport.sh/k8s/default/foo`
+for a workload running in the `default` namespace with the service account `foo`.
+
+When an attribute is specified in a template, this value must be present in the
+attributes of the workload in order for the workload identity credential to be
+issued. For example, if `workload.kubernetes.namespace` is used in a template,
+then a workload that is not running in Kubernetes would not be issued a
+credential.
+
+The following fields within the WorkloadIdentity resource support templating:
+
+- `spec.spiffe.id`
+- `spec.spiffe.hint`
+- `spec.spiffe.x509.dns_sans`
+- `spec.spiffe.x509.subject_template.common_name`
+- `spec.spiffe.x509.subject_template.organization`
+- `spec.spiffe.x509.subject_template.organizational_unit`
+
+You can find a full list of the supported attributes on the
+[Attributes reference](./attributes.mdx) page.
+
+## Rules
+
+By default, a WorkloadIdentity resource can be used to issue a credential by any
+User or Bot that holds a role that with `workload_identity_labels` that match
+the labels on the WorkloadIdentity resource.
+
+However, you can further restrict the issuance of credentials based on the
+attributes of the workload using the rules mechanism.
+
+Each rule consists of a set of conditions, and all conditions within that rule
+must pass in order for the rule to be considered a pass. If you specify
+multiple rules, then at least one rule must pass in order for the
+WorkloadIdentity to be allowed to be issued.
+
+For example, to restrict the issuance of a credential to only workloads running
+in the `default` namespace with the service account `foo`:
+
+```yaml
+kind: workload_identity
+version: v1
+metadata:
+  name: rules-example
+spec:
+  spiffe:
+    id: /my-awesome-workload
+  rules:
+    allow:
+    - conditions:
+      - attribute: workload.kubernetes.namespace
+        eq:
+          value: default
+      - attribute: workload.kubernetes.service_account
+        eq:
+          value: foo
+```
+
+### Operators
+
+#### `eq`
+
+`eq` (equals) checks that the specified attribute equals the specified value:
+
+```yaml
+kind: workload_identity
+version: v1
+metadata:
+  name: rules-example
+spec:
+  spiffe:
+    id: /my-awesome-workload
+  rules:
+    allow:
+    - conditions:
+      - attribute: workload.kubernetes.namespace
+        eq:
+          value: default
+```
+
+#### `not_eq`
+
+`not_eq` (not equals) checks that the specified attribute does not equal the
+specified value:
+
+```yaml
+kind: workload_identity
+version: v1
+metadata:
+  name: rules-example
+spec:
+  spiffe:
+    id: /my-awesome-workload
+  rules:
+    allow:
+    - conditions:
+      - attribute: workload.kubernetes.namespace
+        not_eq:
+          value: default
+```
+
+#### `in`
+
+`in` (includes) checks that the specified attribute equals one of the specified
+values:
+
+```yaml
+kind: workload_identity
+version: v1
+metadata:
+  name: rules-example
+spec:
+  spiffe:
+    id: /my-awesome-workload
+  rules:
+    allow:
+    - conditions:
+      - attribute: workload.kubernetes.namespace
+        in:
+          values: [default, kube-system]
+```
+
+#### `not_in`
+
+`not_in` (not includes) checks that the specified attribute does not equal any
+of the specified values:
+
+```yaml
+kind: workload_identity
+version: v1
+metadata:
+  name: rules-example
+spec:
+  spiffe:
+    id: /my-awesome-workload
+  rules:
+    allow:
+    - conditions:
+      - attribute: workload.kubernetes.namespace
+        not_in:
+          values: [foo, bar]
+```
+
+### Casting
+
+When comparing attributes which are not a string (e.g a boolean or number),
+the value in the attribute will be transferred to a string representation.
+
+## Infrastructure as Code
+
+In addition to the YAML representation which can be managed with `tctl`, the
+WorkloadIdentity resource can also be managed using Infrastructure as Code
+tools.
+
+For further information see:
+
+- [Terraform provider reference: teleport_workload_identity](../terraform-provider/resources/workload_identity.mdx)
diff --git a/docs/pages/reference/workload-identity/workload-identity.mdx b/docs/pages/reference/workload-identity/workload-identity.mdx
new file mode 100644
index 0000000000000..8c758da15bd17
--- /dev/null
+++ b/docs/pages/reference/workload-identity/workload-identity.mdx
@@ -0,0 +1,6 @@
+---
+title: Workload Identity References
+description: Configuration and CLI reference for Teleport Workload Identity
+---
+
+(!toc!)
diff --git a/e b/e
index 052b9c2436c85..c5e5b12cbb737 160000
--- a/e
+++ b/e
@@ -1 +1 @@
-Subproject commit 052b9c2436c8509628889751d88fc5410763cca2
+Subproject commit c5e5b12cbb73703c7f0bab68f45a901c2ebf2b04
diff --git a/gen/proto/go/accessgraph/v1alpha/access_graph_service.pb.go b/gen/proto/go/accessgraph/v1alpha/access_graph_service.pb.go
index 2714a5c1546cc..c367ffb180509 100644
--- a/gen/proto/go/accessgraph/v1alpha/access_graph_service.pb.go
+++ b/gen/proto/go/accessgraph/v1alpha/access_graph_service.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: accessgraph/v1alpha/access_graph_service.proto
 
@@ -28,6 +28,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -1733,7 +1734,7 @@ func (*NetIQEventsStreamResponse) Descriptor() ([]byte, []int) {
 
 var File_accessgraph_v1alpha_access_graph_service_proto protoreflect.FileDescriptor
 
-var file_accessgraph_v1alpha_access_graph_service_proto_rawDesc = []byte{
+var file_accessgraph_v1alpha_access_graph_service_proto_rawDesc = string([]byte{
 	0x0a, 0x2e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31,
 	0x61, 0x6c, 0x70, 0x68, 0x61, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x67, 0x72, 0x61,
 	0x70, 0x68, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
@@ -2018,16 +2019,16 @@ var file_accessgraph_v1alpha_access_graph_service_proto_rawDesc = []byte{
 	0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x3b, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67,
 	0x72, 0x61, 0x70, 0x68, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x62, 0x06, 0x70, 0x72, 0x6f,
 	0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_accessgraph_v1alpha_access_graph_service_proto_rawDescOnce sync.Once
-	file_accessgraph_v1alpha_access_graph_service_proto_rawDescData = file_accessgraph_v1alpha_access_graph_service_proto_rawDesc
+	file_accessgraph_v1alpha_access_graph_service_proto_rawDescData []byte
 )
 
 func file_accessgraph_v1alpha_access_graph_service_proto_rawDescGZIP() []byte {
 	file_accessgraph_v1alpha_access_graph_service_proto_rawDescOnce.Do(func() {
-		file_accessgraph_v1alpha_access_graph_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_accessgraph_v1alpha_access_graph_service_proto_rawDescData)
+		file_accessgraph_v1alpha_access_graph_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_accessgraph_v1alpha_access_graph_service_proto_rawDesc), len(file_accessgraph_v1alpha_access_graph_service_proto_rawDesc)))
 	})
 	return file_accessgraph_v1alpha_access_graph_service_proto_rawDescData
 }
@@ -2197,7 +2198,7 @@ func file_accessgraph_v1alpha_access_graph_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_accessgraph_v1alpha_access_graph_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_accessgraph_v1alpha_access_graph_service_proto_rawDesc), len(file_accessgraph_v1alpha_access_graph_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   27,
 			NumExtensions: 0,
@@ -2208,7 +2209,6 @@ func file_accessgraph_v1alpha_access_graph_service_proto_init() {
 		MessageInfos:      file_accessgraph_v1alpha_access_graph_service_proto_msgTypes,
 	}.Build()
 	File_accessgraph_v1alpha_access_graph_service_proto = out.File
-	file_accessgraph_v1alpha_access_graph_service_proto_rawDesc = nil
 	file_accessgraph_v1alpha_access_graph_service_proto_goTypes = nil
 	file_accessgraph_v1alpha_access_graph_service_proto_depIdxs = nil
 }
diff --git a/gen/proto/go/accessgraph/v1alpha/aws.pb.go b/gen/proto/go/accessgraph/v1alpha/aws.pb.go
index 6a2504b5bf2ef..0c8a2345d489f 100644
--- a/gen/proto/go/accessgraph/v1alpha/aws.pb.go
+++ b/gen/proto/go/accessgraph/v1alpha/aws.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: accessgraph/v1alpha/aws.proto
 
@@ -31,6 +31,7 @@ import (
 	wrapperspb "google.golang.org/protobuf/types/known/wrapperspb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -3244,7 +3245,7 @@ func (x *AWSOIDCProviderV1) GetLastSyncTime() *timestamppb.Timestamp {
 
 var File_accessgraph_v1alpha_aws_proto protoreflect.FileDescriptor
 
-var file_accessgraph_v1alpha_aws_proto_rawDesc = []byte{
+var file_accessgraph_v1alpha_aws_proto_rawDesc = string([]byte{
 	0x0a, 0x1d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31,
 	0x61, 0x6c, 0x70, 0x68, 0x61, 0x2f, 0x61, 0x77, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12,
 	0x13, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2e, 0x76, 0x31, 0x61,
@@ -3917,16 +3918,16 @@ var file_accessgraph_v1alpha_aws_proto_rawDesc = []byte{
 	0x70, 0x68, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x3b, 0x61, 0x63, 0x63, 0x65, 0x73,
 	0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x62, 0x06, 0x70,
 	0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_accessgraph_v1alpha_aws_proto_rawDescOnce sync.Once
-	file_accessgraph_v1alpha_aws_proto_rawDescData = file_accessgraph_v1alpha_aws_proto_rawDesc
+	file_accessgraph_v1alpha_aws_proto_rawDescData []byte
 )
 
 func file_accessgraph_v1alpha_aws_proto_rawDescGZIP() []byte {
 	file_accessgraph_v1alpha_aws_proto_rawDescOnce.Do(func() {
-		file_accessgraph_v1alpha_aws_proto_rawDescData = protoimpl.X.CompressGZIP(file_accessgraph_v1alpha_aws_proto_rawDescData)
+		file_accessgraph_v1alpha_aws_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_accessgraph_v1alpha_aws_proto_rawDesc), len(file_accessgraph_v1alpha_aws_proto_rawDesc)))
 	})
 	return file_accessgraph_v1alpha_aws_proto_rawDescData
 }
@@ -4107,7 +4108,7 @@ func file_accessgraph_v1alpha_aws_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_accessgraph_v1alpha_aws_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_accessgraph_v1alpha_aws_proto_rawDesc), len(file_accessgraph_v1alpha_aws_proto_rawDesc)),
 			NumEnums:      2,
 			NumMessages:   31,
 			NumExtensions: 0,
@@ -4119,7 +4120,6 @@ func file_accessgraph_v1alpha_aws_proto_init() {
 		MessageInfos:      file_accessgraph_v1alpha_aws_proto_msgTypes,
 	}.Build()
 	File_accessgraph_v1alpha_aws_proto = out.File
-	file_accessgraph_v1alpha_aws_proto_rawDesc = nil
 	file_accessgraph_v1alpha_aws_proto_goTypes = nil
 	file_accessgraph_v1alpha_aws_proto_depIdxs = nil
 }
diff --git a/gen/proto/go/accessgraph/v1alpha/azure.pb.go b/gen/proto/go/accessgraph/v1alpha/azure.pb.go
index 966e889065d0f..2cce85678e0d6 100644
--- a/gen/proto/go/accessgraph/v1alpha/azure.pb.go
+++ b/gen/proto/go/accessgraph/v1alpha/azure.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: accessgraph/v1alpha/azure.proto
 
@@ -29,6 +29,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -759,7 +760,7 @@ func (x *AzureRBACPermission) GetNotDataActions() []string {
 
 var File_accessgraph_v1alpha_azure_proto protoreflect.FileDescriptor
 
-var file_accessgraph_v1alpha_azure_proto_rawDesc = []byte{
+var file_accessgraph_v1alpha_azure_proto_rawDesc = string([]byte{
 	0x0a, 0x1f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31,
 	0x61, 0x6c, 0x70, 0x68, 0x61, 0x2f, 0x61, 0x7a, 0x75, 0x72, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
 	0x6f, 0x12, 0x13, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2e, 0x76,
@@ -900,16 +901,16 @@ var file_accessgraph_v1alpha_azure_proto_rawDesc = []byte{
 	0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x3b, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67,
 	0x72, 0x61, 0x70, 0x68, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x62, 0x06, 0x70, 0x72, 0x6f,
 	0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_accessgraph_v1alpha_azure_proto_rawDescOnce sync.Once
-	file_accessgraph_v1alpha_azure_proto_rawDescData = file_accessgraph_v1alpha_azure_proto_rawDesc
+	file_accessgraph_v1alpha_azure_proto_rawDescData []byte
 )
 
 func file_accessgraph_v1alpha_azure_proto_rawDescGZIP() []byte {
 	file_accessgraph_v1alpha_azure_proto_rawDescOnce.Do(func() {
-		file_accessgraph_v1alpha_azure_proto_rawDescData = protoimpl.X.CompressGZIP(file_accessgraph_v1alpha_azure_proto_rawDescData)
+		file_accessgraph_v1alpha_azure_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_accessgraph_v1alpha_azure_proto_rawDesc), len(file_accessgraph_v1alpha_azure_proto_rawDesc)))
 	})
 	return file_accessgraph_v1alpha_azure_proto_rawDescData
 }
@@ -962,7 +963,7 @@ func file_accessgraph_v1alpha_azure_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_accessgraph_v1alpha_azure_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_accessgraph_v1alpha_azure_proto_rawDesc), len(file_accessgraph_v1alpha_azure_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   9,
 			NumExtensions: 0,
@@ -973,7 +974,6 @@ func file_accessgraph_v1alpha_azure_proto_init() {
 		MessageInfos:      file_accessgraph_v1alpha_azure_proto_msgTypes,
 	}.Build()
 	File_accessgraph_v1alpha_azure_proto = out.File
-	file_accessgraph_v1alpha_azure_proto_rawDesc = nil
 	file_accessgraph_v1alpha_azure_proto_goTypes = nil
 	file_accessgraph_v1alpha_azure_proto_depIdxs = nil
 }
diff --git a/gen/proto/go/accessgraph/v1alpha/entra.pb.go b/gen/proto/go/accessgraph/v1alpha/entra.pb.go
index 5d5d330114a44..370873e2747ab 100644
--- a/gen/proto/go/accessgraph/v1alpha/entra.pb.go
+++ b/gen/proto/go/accessgraph/v1alpha/entra.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: accessgraph/v1alpha/entra.proto
 
@@ -28,6 +28,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -282,7 +283,7 @@ func (x *EntraApplication) GetFederatedSsoV2() string {
 
 var File_accessgraph_v1alpha_entra_proto protoreflect.FileDescriptor
 
-var file_accessgraph_v1alpha_entra_proto_rawDesc = []byte{
+var file_accessgraph_v1alpha_entra_proto_rawDesc = string([]byte{
 	0x0a, 0x1f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31,
 	0x61, 0x6c, 0x70, 0x68, 0x61, 0x2f, 0x65, 0x6e, 0x74, 0x72, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74,
 	0x6f, 0x12, 0x13, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2e, 0x76,
@@ -320,16 +321,16 @@ var file_accessgraph_v1alpha_entra_proto_rawDesc = []byte{
 	0x70, 0x68, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x3b, 0x61, 0x63, 0x63, 0x65, 0x73,
 	0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x62, 0x06, 0x70,
 	0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_accessgraph_v1alpha_entra_proto_rawDescOnce sync.Once
-	file_accessgraph_v1alpha_entra_proto_rawDescData = file_accessgraph_v1alpha_entra_proto_rawDesc
+	file_accessgraph_v1alpha_entra_proto_rawDescData []byte
 )
 
 func file_accessgraph_v1alpha_entra_proto_rawDescGZIP() []byte {
 	file_accessgraph_v1alpha_entra_proto_rawDescOnce.Do(func() {
-		file_accessgraph_v1alpha_entra_proto_rawDescData = protoimpl.X.CompressGZIP(file_accessgraph_v1alpha_entra_proto_rawDescData)
+		file_accessgraph_v1alpha_entra_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_accessgraph_v1alpha_entra_proto_rawDesc), len(file_accessgraph_v1alpha_entra_proto_rawDesc)))
 	})
 	return file_accessgraph_v1alpha_entra_proto_rawDescData
 }
@@ -363,7 +364,7 @@ func file_accessgraph_v1alpha_entra_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_accessgraph_v1alpha_entra_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_accessgraph_v1alpha_entra_proto_rawDesc), len(file_accessgraph_v1alpha_entra_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   4,
 			NumExtensions: 0,
@@ -374,7 +375,6 @@ func file_accessgraph_v1alpha_entra_proto_init() {
 		MessageInfos:      file_accessgraph_v1alpha_entra_proto_msgTypes,
 	}.Build()
 	File_accessgraph_v1alpha_entra_proto = out.File
-	file_accessgraph_v1alpha_entra_proto_rawDesc = nil
 	file_accessgraph_v1alpha_entra_proto_goTypes = nil
 	file_accessgraph_v1alpha_entra_proto_depIdxs = nil
 }
diff --git a/gen/proto/go/accessgraph/v1alpha/events.pb.go b/gen/proto/go/accessgraph/v1alpha/events.pb.go
index f6130d50a6dd6..b62b4947b9bbc 100644
--- a/gen/proto/go/accessgraph/v1alpha/events.pb.go
+++ b/gen/proto/go/accessgraph/v1alpha/events.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: accessgraph/v1alpha/events.proto
 
@@ -29,6 +29,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -122,7 +123,7 @@ func (x *AccessPathChanged) GetAffectedResourceKind() string {
 
 var File_accessgraph_v1alpha_events_proto protoreflect.FileDescriptor
 
-var file_accessgraph_v1alpha_events_proto_rawDesc = []byte{
+var file_accessgraph_v1alpha_events_proto_rawDesc = string([]byte{
 	0x0a, 0x20, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31,
 	0x61, 0x6c, 0x70, 0x68, 0x61, 0x2f, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x70, 0x72, 0x6f,
 	0x74, 0x6f, 0x12, 0x13, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2e,
@@ -152,16 +153,16 @@ var file_accessgraph_v1alpha_events_proto_rawDesc = []byte{
 	0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31, 0x61, 0x6c,
 	0x70, 0x68, 0x61, 0x3b, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x76,
 	0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_accessgraph_v1alpha_events_proto_rawDescOnce sync.Once
-	file_accessgraph_v1alpha_events_proto_rawDescData = file_accessgraph_v1alpha_events_proto_rawDesc
+	file_accessgraph_v1alpha_events_proto_rawDescData []byte
 )
 
 func file_accessgraph_v1alpha_events_proto_rawDescGZIP() []byte {
 	file_accessgraph_v1alpha_events_proto_rawDescOnce.Do(func() {
-		file_accessgraph_v1alpha_events_proto_rawDescData = protoimpl.X.CompressGZIP(file_accessgraph_v1alpha_events_proto_rawDescData)
+		file_accessgraph_v1alpha_events_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_accessgraph_v1alpha_events_proto_rawDesc), len(file_accessgraph_v1alpha_events_proto_rawDesc)))
 	})
 	return file_accessgraph_v1alpha_events_proto_rawDescData
 }
@@ -189,7 +190,7 @@ func file_accessgraph_v1alpha_events_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_accessgraph_v1alpha_events_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_accessgraph_v1alpha_events_proto_rawDesc), len(file_accessgraph_v1alpha_events_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   1,
 			NumExtensions: 0,
@@ -200,7 +201,6 @@ func file_accessgraph_v1alpha_events_proto_init() {
 		MessageInfos:      file_accessgraph_v1alpha_events_proto_msgTypes,
 	}.Build()
 	File_accessgraph_v1alpha_events_proto = out.File
-	file_accessgraph_v1alpha_events_proto_rawDesc = nil
 	file_accessgraph_v1alpha_events_proto_goTypes = nil
 	file_accessgraph_v1alpha_events_proto_depIdxs = nil
 }
diff --git a/gen/proto/go/accessgraph/v1alpha/gitlab.pb.go b/gen/proto/go/accessgraph/v1alpha/gitlab.pb.go
index 1f92d62070b27..dd077dc36dd4f 100644
--- a/gen/proto/go/accessgraph/v1alpha/gitlab.pb.go
+++ b/gen/proto/go/accessgraph/v1alpha/gitlab.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: accessgraph/v1alpha/gitlab.proto
 
@@ -29,6 +29,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -780,7 +781,7 @@ func (x *GitlabUserIdentity) GetExternUid() string {
 
 var File_accessgraph_v1alpha_gitlab_proto protoreflect.FileDescriptor
 
-var file_accessgraph_v1alpha_gitlab_proto_rawDesc = []byte{
+var file_accessgraph_v1alpha_gitlab_proto_rawDesc = string([]byte{
 	0x0a, 0x20, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31,
 	0x61, 0x6c, 0x70, 0x68, 0x61, 0x2f, 0x67, 0x69, 0x74, 0x6c, 0x61, 0x62, 0x2e, 0x70, 0x72, 0x6f,
 	0x74, 0x6f, 0x12, 0x13, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2e,
@@ -908,16 +909,16 @@ var file_accessgraph_v1alpha_gitlab_proto_rawDesc = []byte{
 	0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x3b, 0x61, 0x63,
 	0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61,
 	0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_accessgraph_v1alpha_gitlab_proto_rawDescOnce sync.Once
-	file_accessgraph_v1alpha_gitlab_proto_rawDescData = file_accessgraph_v1alpha_gitlab_proto_rawDesc
+	file_accessgraph_v1alpha_gitlab_proto_rawDescData []byte
 )
 
 func file_accessgraph_v1alpha_gitlab_proto_rawDescGZIP() []byte {
 	file_accessgraph_v1alpha_gitlab_proto_rawDescOnce.Do(func() {
-		file_accessgraph_v1alpha_gitlab_proto_rawDescData = protoimpl.X.CompressGZIP(file_accessgraph_v1alpha_gitlab_proto_rawDescData)
+		file_accessgraph_v1alpha_gitlab_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_accessgraph_v1alpha_gitlab_proto_rawDesc), len(file_accessgraph_v1alpha_gitlab_proto_rawDesc)))
 	})
 	return file_accessgraph_v1alpha_gitlab_proto_rawDescData
 }
@@ -973,7 +974,7 @@ func file_accessgraph_v1alpha_gitlab_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_accessgraph_v1alpha_gitlab_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_accessgraph_v1alpha_gitlab_proto_rawDesc), len(file_accessgraph_v1alpha_gitlab_proto_rawDesc)),
 			NumEnums:      1,
 			NumMessages:   9,
 			NumExtensions: 0,
@@ -985,7 +986,6 @@ func file_accessgraph_v1alpha_gitlab_proto_init() {
 		MessageInfos:      file_accessgraph_v1alpha_gitlab_proto_msgTypes,
 	}.Build()
 	File_accessgraph_v1alpha_gitlab_proto = out.File
-	file_accessgraph_v1alpha_gitlab_proto_rawDesc = nil
 	file_accessgraph_v1alpha_gitlab_proto_goTypes = nil
 	file_accessgraph_v1alpha_gitlab_proto_depIdxs = nil
 }
diff --git a/gen/proto/go/accessgraph/v1alpha/graph.pb.go b/gen/proto/go/accessgraph/v1alpha/graph.pb.go
index 34e11fbe1d772..d66d85bd51b6f 100644
--- a/gen/proto/go/accessgraph/v1alpha/graph.pb.go
+++ b/gen/proto/go/accessgraph/v1alpha/graph.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: accessgraph/v1alpha/graph.proto
 
@@ -28,6 +28,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -212,7 +213,7 @@ func (x *Edge) GetProperties() map[string]string {
 
 var File_accessgraph_v1alpha_graph_proto protoreflect.FileDescriptor
 
-var file_accessgraph_v1alpha_graph_proto_rawDesc = []byte{
+var file_accessgraph_v1alpha_graph_proto_rawDesc = string([]byte{
 	0x0a, 0x1f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31,
 	0x61, 0x6c, 0x70, 0x68, 0x61, 0x2f, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2e, 0x70, 0x72, 0x6f, 0x74,
 	0x6f, 0x12, 0x13, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2e, 0x76,
@@ -260,16 +261,16 @@ var file_accessgraph_v1alpha_graph_proto_rawDesc = []byte{
 	0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x3b, 0x61, 0x63, 0x63,
 	0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x62,
 	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_accessgraph_v1alpha_graph_proto_rawDescOnce sync.Once
-	file_accessgraph_v1alpha_graph_proto_rawDescData = file_accessgraph_v1alpha_graph_proto_rawDesc
+	file_accessgraph_v1alpha_graph_proto_rawDescData []byte
 )
 
 func file_accessgraph_v1alpha_graph_proto_rawDescGZIP() []byte {
 	file_accessgraph_v1alpha_graph_proto_rawDescOnce.Do(func() {
-		file_accessgraph_v1alpha_graph_proto_rawDescData = protoimpl.X.CompressGZIP(file_accessgraph_v1alpha_graph_proto_rawDescData)
+		file_accessgraph_v1alpha_graph_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_accessgraph_v1alpha_graph_proto_rawDesc), len(file_accessgraph_v1alpha_graph_proto_rawDesc)))
 	})
 	return file_accessgraph_v1alpha_graph_proto_rawDescData
 }
@@ -302,7 +303,7 @@ func file_accessgraph_v1alpha_graph_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_accessgraph_v1alpha_graph_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_accessgraph_v1alpha_graph_proto_rawDesc), len(file_accessgraph_v1alpha_graph_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   5,
 			NumExtensions: 0,
@@ -313,7 +314,6 @@ func file_accessgraph_v1alpha_graph_proto_init() {
 		MessageInfos:      file_accessgraph_v1alpha_graph_proto_msgTypes,
 	}.Build()
 	File_accessgraph_v1alpha_graph_proto = out.File
-	file_accessgraph_v1alpha_graph_proto_rawDesc = nil
 	file_accessgraph_v1alpha_graph_proto_goTypes = nil
 	file_accessgraph_v1alpha_graph_proto_depIdxs = nil
 }
diff --git a/gen/proto/go/accessgraph/v1alpha/netiq.pb.go b/gen/proto/go/accessgraph/v1alpha/netiq.pb.go
index ace9eee590ad9..d900cc8bc9912 100644
--- a/gen/proto/go/accessgraph/v1alpha/netiq.pb.go
+++ b/gen/proto/go/accessgraph/v1alpha/netiq.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: accessgraph/v1alpha/netiq.proto
 
@@ -29,6 +29,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -1073,7 +1074,7 @@ func (x *NetIQRole_RoleLevel) GetCn() string {
 
 var File_accessgraph_v1alpha_netiq_proto protoreflect.FileDescriptor
 
-var file_accessgraph_v1alpha_netiq_proto_rawDesc = []byte{
+var file_accessgraph_v1alpha_netiq_proto_rawDesc = string([]byte{
 	0x0a, 0x1f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31,
 	0x61, 0x6c, 0x70, 0x68, 0x61, 0x2f, 0x6e, 0x65, 0x74, 0x69, 0x71, 0x2e, 0x70, 0x72, 0x6f, 0x74,
 	0x6f, 0x12, 0x13, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2e, 0x76,
@@ -1236,16 +1237,16 @@ var file_accessgraph_v1alpha_netiq_proto_rawDesc = []byte{
 	0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68,
 	0x61, 0x3b, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x76, 0x31, 0x61,
 	0x6c, 0x70, 0x68, 0x61, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_accessgraph_v1alpha_netiq_proto_rawDescOnce sync.Once
-	file_accessgraph_v1alpha_netiq_proto_rawDescData = file_accessgraph_v1alpha_netiq_proto_rawDesc
+	file_accessgraph_v1alpha_netiq_proto_rawDescData []byte
 )
 
 func file_accessgraph_v1alpha_netiq_proto_rawDescGZIP() []byte {
 	file_accessgraph_v1alpha_netiq_proto_rawDescOnce.Do(func() {
-		file_accessgraph_v1alpha_netiq_proto_rawDescData = protoimpl.X.CompressGZIP(file_accessgraph_v1alpha_netiq_proto_rawDescData)
+		file_accessgraph_v1alpha_netiq_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_accessgraph_v1alpha_netiq_proto_rawDesc), len(file_accessgraph_v1alpha_netiq_proto_rawDesc)))
 	})
 	return file_accessgraph_v1alpha_netiq_proto_rawDescData
 }
@@ -1310,7 +1311,7 @@ func file_accessgraph_v1alpha_netiq_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_accessgraph_v1alpha_netiq_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_accessgraph_v1alpha_netiq_proto_rawDesc), len(file_accessgraph_v1alpha_netiq_proto_rawDesc)),
 			NumEnums:      1,
 			NumMessages:   12,
 			NumExtensions: 0,
@@ -1322,7 +1323,6 @@ func file_accessgraph_v1alpha_netiq_proto_init() {
 		MessageInfos:      file_accessgraph_v1alpha_netiq_proto_msgTypes,
 	}.Build()
 	File_accessgraph_v1alpha_netiq_proto = out.File
-	file_accessgraph_v1alpha_netiq_proto_rawDesc = nil
 	file_accessgraph_v1alpha_netiq_proto_goTypes = nil
 	file_accessgraph_v1alpha_netiq_proto_depIdxs = nil
 }
diff --git a/gen/proto/go/accessgraph/v1alpha/resources.pb.go b/gen/proto/go/accessgraph/v1alpha/resources.pb.go
index 49e50e50f31a6..6d14b66542a3a 100644
--- a/gen/proto/go/accessgraph/v1alpha/resources.pb.go
+++ b/gen/proto/go/accessgraph/v1alpha/resources.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: accessgraph/v1alpha/resources.proto
 
@@ -34,6 +34,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -568,7 +569,7 @@ func (*ResourceEntry_AuthorizedKey) isResourceEntry_Resource() {}
 
 var File_accessgraph_v1alpha_resources_proto protoreflect.FileDescriptor
 
-var file_accessgraph_v1alpha_resources_proto_rawDesc = []byte{
+var file_accessgraph_v1alpha_resources_proto_rawDesc = string([]byte{
 	0x0a, 0x23, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31,
 	0x61, 0x6c, 0x70, 0x68, 0x61, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x2e,
 	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x13, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61,
@@ -680,16 +681,16 @@ var file_accessgraph_v1alpha_resources_proto_rawDesc = []byte{
 	0x6f, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70, 0x68, 0x2f, 0x76, 0x31,
 	0x61, 0x6c, 0x70, 0x68, 0x61, 0x3b, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x67, 0x72, 0x61, 0x70,
 	0x68, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_accessgraph_v1alpha_resources_proto_rawDescOnce sync.Once
-	file_accessgraph_v1alpha_resources_proto_rawDescData = file_accessgraph_v1alpha_resources_proto_rawDesc
+	file_accessgraph_v1alpha_resources_proto_rawDescData []byte
 )
 
 func file_accessgraph_v1alpha_resources_proto_rawDescGZIP() []byte {
 	file_accessgraph_v1alpha_resources_proto_rawDescOnce.Do(func() {
-		file_accessgraph_v1alpha_resources_proto_rawDescData = protoimpl.X.CompressGZIP(file_accessgraph_v1alpha_resources_proto_rawDescData)
+		file_accessgraph_v1alpha_resources_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_accessgraph_v1alpha_resources_proto_rawDesc), len(file_accessgraph_v1alpha_resources_proto_rawDesc)))
 	})
 	return file_accessgraph_v1alpha_resources_proto_rawDescData
 }
@@ -770,7 +771,7 @@ func file_accessgraph_v1alpha_resources_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_accessgraph_v1alpha_resources_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_accessgraph_v1alpha_resources_proto_rawDesc), len(file_accessgraph_v1alpha_resources_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   6,
 			NumExtensions: 0,
@@ -781,7 +782,6 @@ func file_accessgraph_v1alpha_resources_proto_init() {
 		MessageInfos:      file_accessgraph_v1alpha_resources_proto_msgTypes,
 	}.Build()
 	File_accessgraph_v1alpha_resources_proto = out.File
-	file_accessgraph_v1alpha_resources_proto_rawDesc = nil
 	file_accessgraph_v1alpha_resources_proto_goTypes = nil
 	file_accessgraph_v1alpha_resources_proto_depIdxs = nil
 }
diff --git a/gen/proto/go/prehog/v1/teleport.pb.go b/gen/proto/go/prehog/v1/teleport.pb.go
index dcb750fafd45f..2c69caaa5da06 100644
--- a/gen/proto/go/prehog/v1/teleport.pb.go
+++ b/gen/proto/go/prehog/v1/teleport.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: prehog/v1/teleport.proto
 
@@ -29,6 +29,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -720,7 +721,7 @@ func (x *SubmitUsageReportsResponse) GetBatchUuid() []byte {
 
 var File_prehog_v1_teleport_proto protoreflect.FileDescriptor
 
-var file_prehog_v1_teleport_proto_rawDesc = []byte{
+var file_prehog_v1_teleport_proto_rawDesc = string([]byte{
 	0x0a, 0x18, 0x70, 0x72, 0x65, 0x68, 0x6f, 0x67, 0x2f, 0x76, 0x31, 0x2f, 0x74, 0x65, 0x6c, 0x65,
 	0x70, 0x6f, 0x72, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x09, 0x70, 0x72, 0x65, 0x68,
 	0x6f, 0x67, 0x2e, 0x76, 0x31, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72,
@@ -866,16 +867,16 @@ var file_prehog_v1_teleport_proto_rawDesc = []byte{
 	0x68, 0x6f, 0x67, 0x5c, 0x56, 0x31, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61,
 	0x74, 0x61, 0xea, 0x02, 0x0a, 0x50, 0x72, 0x65, 0x68, 0x6f, 0x67, 0x3a, 0x3a, 0x56, 0x31, 0x62,
 	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_prehog_v1_teleport_proto_rawDescOnce sync.Once
-	file_prehog_v1_teleport_proto_rawDescData = file_prehog_v1_teleport_proto_rawDesc
+	file_prehog_v1_teleport_proto_rawDescData []byte
 )
 
 func file_prehog_v1_teleport_proto_rawDescGZIP() []byte {
 	file_prehog_v1_teleport_proto_rawDescOnce.Do(func() {
-		file_prehog_v1_teleport_proto_rawDescData = protoimpl.X.CompressGZIP(file_prehog_v1_teleport_proto_rawDescData)
+		file_prehog_v1_teleport_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_prehog_v1_teleport_proto_rawDesc), len(file_prehog_v1_teleport_proto_rawDesc)))
 	})
 	return file_prehog_v1_teleport_proto_rawDescData
 }
@@ -920,7 +921,7 @@ func file_prehog_v1_teleport_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_prehog_v1_teleport_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_prehog_v1_teleport_proto_rawDesc), len(file_prehog_v1_teleport_proto_rawDesc)),
 			NumEnums:      2,
 			NumMessages:   6,
 			NumExtensions: 0,
@@ -932,7 +933,6 @@ func file_prehog_v1_teleport_proto_init() {
 		MessageInfos:      file_prehog_v1_teleport_proto_msgTypes,
 	}.Build()
 	File_prehog_v1_teleport_proto = out.File
-	file_prehog_v1_teleport_proto_rawDesc = nil
 	file_prehog_v1_teleport_proto_goTypes = nil
 	file_prehog_v1_teleport_proto_depIdxs = nil
 }
diff --git a/gen/proto/go/prehog/v1alpha/connect.pb.go b/gen/proto/go/prehog/v1alpha/connect.pb.go
index 212649b63f16b..7d9250774a999 100644
--- a/gen/proto/go/prehog/v1alpha/connect.pb.go
+++ b/gen/proto/go/prehog/v1alpha/connect.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: prehog/v1alpha/connect.proto
 
@@ -29,6 +29,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -871,7 +872,7 @@ func (*SubmitConnectEventResponse) Descriptor() ([]byte, []int) {
 
 var File_prehog_v1alpha_connect_proto protoreflect.FileDescriptor
 
-var file_prehog_v1alpha_connect_proto_rawDesc = []byte{
+var file_prehog_v1alpha_connect_proto_rawDesc = string([]byte{
 	0x0a, 0x1c, 0x70, 0x72, 0x65, 0x68, 0x6f, 0x67, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61,
 	0x2f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0e,
 	0x70, 0x72, 0x65, 0x68, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x1a, 0x1f,
@@ -1039,16 +1040,16 @@ var file_prehog_v1alpha_connect_proto_rawDesc = []byte{
 	0x5c, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61,
 	0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x0f, 0x50, 0x72, 0x65, 0x68, 0x6f, 0x67, 0x3a, 0x3a, 0x56,
 	0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_prehog_v1alpha_connect_proto_rawDescOnce sync.Once
-	file_prehog_v1alpha_connect_proto_rawDescData = file_prehog_v1alpha_connect_proto_rawDesc
+	file_prehog_v1alpha_connect_proto_rawDescData []byte
 )
 
 func file_prehog_v1alpha_connect_proto_rawDescGZIP() []byte {
 	file_prehog_v1alpha_connect_proto_rawDescOnce.Do(func() {
-		file_prehog_v1alpha_connect_proto_rawDescData = protoimpl.X.CompressGZIP(file_prehog_v1alpha_connect_proto_rawDescData)
+		file_prehog_v1alpha_connect_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_prehog_v1alpha_connect_proto_rawDesc), len(file_prehog_v1alpha_connect_proto_rawDesc)))
 	})
 	return file_prehog_v1alpha_connect_proto_rawDescData
 }
@@ -1108,7 +1109,7 @@ func file_prehog_v1alpha_connect_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_prehog_v1alpha_connect_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_prehog_v1alpha_connect_proto_rawDesc), len(file_prehog_v1alpha_connect_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   11,
 			NumExtensions: 0,
@@ -1119,7 +1120,6 @@ func file_prehog_v1alpha_connect_proto_init() {
 		MessageInfos:      file_prehog_v1alpha_connect_proto_msgTypes,
 	}.Build()
 	File_prehog_v1alpha_connect_proto = out.File
-	file_prehog_v1alpha_connect_proto_rawDesc = nil
 	file_prehog_v1alpha_connect_proto_goTypes = nil
 	file_prehog_v1alpha_connect_proto_depIdxs = nil
 }
diff --git a/gen/proto/go/prehog/v1alpha/tbot.pb.go b/gen/proto/go/prehog/v1alpha/tbot.pb.go
index 00c7ed0dc3c41..d237ed8a5b33e 100644
--- a/gen/proto/go/prehog/v1alpha/tbot.pb.go
+++ b/gen/proto/go/prehog/v1alpha/tbot.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: prehog/v1alpha/tbot.proto
 
@@ -29,6 +29,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -323,7 +324,7 @@ func (*SubmitTbotEventResponse) Descriptor() ([]byte, []int) {
 
 var File_prehog_v1alpha_tbot_proto protoreflect.FileDescriptor
 
-var file_prehog_v1alpha_tbot_proto_rawDesc = []byte{
+var file_prehog_v1alpha_tbot_proto_rawDesc = string([]byte{
 	0x0a, 0x19, 0x70, 0x72, 0x65, 0x68, 0x6f, 0x67, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61,
 	0x2f, 0x74, 0x62, 0x6f, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0e, 0x70, 0x72, 0x65,
 	0x68, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x1a, 0x1f, 0x67, 0x6f, 0x6f,
@@ -395,16 +396,16 @@ var file_prehog_v1alpha_tbot_proto_rawDesc = []byte{
 	0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x0f, 0x50, 0x72, 0x65, 0x68, 0x6f, 0x67,
 	0x3a, 0x3a, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
 	0x33,
-}
+})
 
 var (
 	file_prehog_v1alpha_tbot_proto_rawDescOnce sync.Once
-	file_prehog_v1alpha_tbot_proto_rawDescData = file_prehog_v1alpha_tbot_proto_rawDesc
+	file_prehog_v1alpha_tbot_proto_rawDescData []byte
 )
 
 func file_prehog_v1alpha_tbot_proto_rawDescGZIP() []byte {
 	file_prehog_v1alpha_tbot_proto_rawDescOnce.Do(func() {
-		file_prehog_v1alpha_tbot_proto_rawDescData = protoimpl.X.CompressGZIP(file_prehog_v1alpha_tbot_proto_rawDescData)
+		file_prehog_v1alpha_tbot_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_prehog_v1alpha_tbot_proto_rawDesc), len(file_prehog_v1alpha_tbot_proto_rawDesc)))
 	})
 	return file_prehog_v1alpha_tbot_proto_rawDescData
 }
@@ -443,7 +444,7 @@ func file_prehog_v1alpha_tbot_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_prehog_v1alpha_tbot_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_prehog_v1alpha_tbot_proto_rawDesc), len(file_prehog_v1alpha_tbot_proto_rawDesc)),
 			NumEnums:      1,
 			NumMessages:   3,
 			NumExtensions: 0,
@@ -455,7 +456,6 @@ func file_prehog_v1alpha_tbot_proto_init() {
 		MessageInfos:      file_prehog_v1alpha_tbot_proto_msgTypes,
 	}.Build()
 	File_prehog_v1alpha_tbot_proto = out.File
-	file_prehog_v1alpha_tbot_proto_rawDesc = nil
 	file_prehog_v1alpha_tbot_proto_goTypes = nil
 	file_prehog_v1alpha_tbot_proto_depIdxs = nil
 }
diff --git a/gen/proto/go/prehog/v1alpha/teleport.pb.go b/gen/proto/go/prehog/v1alpha/teleport.pb.go
index 439f24547f3a2..7f094aa311403 100644
--- a/gen/proto/go/prehog/v1alpha/teleport.pb.go
+++ b/gen/proto/go/prehog/v1alpha/teleport.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: prehog/v1alpha/teleport.proto
 
@@ -30,6 +30,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -9500,7 +9501,7 @@ func (*HelloTeleportResponse) Descriptor() ([]byte, []int) {
 
 var File_prehog_v1alpha_teleport_proto protoreflect.FileDescriptor
 
-var file_prehog_v1alpha_teleport_proto_rawDesc = []byte{
+var file_prehog_v1alpha_teleport_proto_rawDesc = string([]byte{
 	0x0a, 0x1d, 0x70, 0x72, 0x65, 0x68, 0x6f, 0x67, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61,
 	0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12,
 	0x0e, 0x70, 0x72, 0x65, 0x68, 0x6f, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x1a,
@@ -11576,16 +11577,16 @@ var file_prehog_v1alpha_teleport_proto_rawDesc = []byte{
 	0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x0f, 0x50,
 	0x72, 0x65, 0x68, 0x6f, 0x67, 0x3a, 0x3a, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x62, 0x06,
 	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_prehog_v1alpha_teleport_proto_rawDescOnce sync.Once
-	file_prehog_v1alpha_teleport_proto_rawDescData = file_prehog_v1alpha_teleport_proto_rawDesc
+	file_prehog_v1alpha_teleport_proto_rawDescData []byte
 )
 
 func file_prehog_v1alpha_teleport_proto_rawDescGZIP() []byte {
 	file_prehog_v1alpha_teleport_proto_rawDescOnce.Do(func() {
-		file_prehog_v1alpha_teleport_proto_rawDescData = protoimpl.X.CompressGZIP(file_prehog_v1alpha_teleport_proto_rawDescData)
+		file_prehog_v1alpha_teleport_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_prehog_v1alpha_teleport_proto_rawDesc), len(file_prehog_v1alpha_teleport_proto_rawDesc)))
 	})
 	return file_prehog_v1alpha_teleport_proto_rawDescData
 }
@@ -12025,7 +12026,7 @@ func file_prehog_v1alpha_teleport_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_prehog_v1alpha_teleport_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_prehog_v1alpha_teleport_proto_rawDesc), len(file_prehog_v1alpha_teleport_proto_rawDesc)),
 			NumEnums:      15,
 			NumMessages:   107,
 			NumExtensions: 0,
@@ -12037,7 +12038,6 @@ func file_prehog_v1alpha_teleport_proto_init() {
 		MessageInfos:      file_prehog_v1alpha_teleport_proto_msgTypes,
 	}.Build()
 	File_prehog_v1alpha_teleport_proto = out.File
-	file_prehog_v1alpha_teleport_proto_rawDesc = nil
 	file_prehog_v1alpha_teleport_proto_goTypes = nil
 	file_prehog_v1alpha_teleport_proto_depIdxs = nil
 }
diff --git a/gen/proto/go/teleport/lib/teleterm/v1/access_request.pb.go b/gen/proto/go/teleport/lib/teleterm/v1/access_request.pb.go
index 55c9bb6dd51e5..0ffc2e8702d33 100644
--- a/gen/proto/go/teleport/lib/teleterm/v1/access_request.pb.go
+++ b/gen/proto/go/teleport/lib/teleterm/v1/access_request.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/lib/teleterm/v1/access_request.proto
 
@@ -29,6 +29,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -505,7 +506,7 @@ func (x *Resource) GetDetails() *ResourceDetails {
 
 var File_teleport_lib_teleterm_v1_access_request_proto protoreflect.FileDescriptor
 
-var file_teleport_lib_teleterm_v1_access_request_proto_rawDesc = []byte{
+var file_teleport_lib_teleterm_v1_access_request_proto_rawDesc = string([]byte{
 	0x0a, 0x2d, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x69, 0x62, 0x2f, 0x74,
 	0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x63, 0x63, 0x65, 0x73,
 	0x73, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12,
@@ -617,16 +618,16 @@ var file_teleport_lib_teleterm_v1_access_request_proto_rawDesc = []byte{
 	0x69, 0x62, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x2f, 0x76, 0x31, 0x3b, 0x74,
 	0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
 	0x33,
-}
+})
 
 var (
 	file_teleport_lib_teleterm_v1_access_request_proto_rawDescOnce sync.Once
-	file_teleport_lib_teleterm_v1_access_request_proto_rawDescData = file_teleport_lib_teleterm_v1_access_request_proto_rawDesc
+	file_teleport_lib_teleterm_v1_access_request_proto_rawDescData []byte
 )
 
 func file_teleport_lib_teleterm_v1_access_request_proto_rawDescGZIP() []byte {
 	file_teleport_lib_teleterm_v1_access_request_proto_rawDescOnce.Do(func() {
-		file_teleport_lib_teleterm_v1_access_request_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_lib_teleterm_v1_access_request_proto_rawDescData)
+		file_teleport_lib_teleterm_v1_access_request_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_lib_teleterm_v1_access_request_proto_rawDesc), len(file_teleport_lib_teleterm_v1_access_request_proto_rawDesc)))
 	})
 	return file_teleport_lib_teleterm_v1_access_request_proto_rawDescData
 }
@@ -670,7 +671,7 @@ func file_teleport_lib_teleterm_v1_access_request_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_lib_teleterm_v1_access_request_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_lib_teleterm_v1_access_request_proto_rawDesc), len(file_teleport_lib_teleterm_v1_access_request_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   5,
 			NumExtensions: 0,
@@ -681,7 +682,6 @@ func file_teleport_lib_teleterm_v1_access_request_proto_init() {
 		MessageInfos:      file_teleport_lib_teleterm_v1_access_request_proto_msgTypes,
 	}.Build()
 	File_teleport_lib_teleterm_v1_access_request_proto = out.File
-	file_teleport_lib_teleterm_v1_access_request_proto_rawDesc = nil
 	file_teleport_lib_teleterm_v1_access_request_proto_goTypes = nil
 	file_teleport_lib_teleterm_v1_access_request_proto_depIdxs = nil
 }
diff --git a/gen/proto/go/teleport/lib/teleterm/v1/app.pb.go b/gen/proto/go/teleport/lib/teleterm/v1/app.pb.go
index f342c307cecc3..305505aca3589 100644
--- a/gen/proto/go/teleport/lib/teleterm/v1/app.pb.go
+++ b/gen/proto/go/teleport/lib/teleterm/v1/app.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/lib/teleterm/v1/app.proto
 
@@ -28,6 +28,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -440,7 +441,7 @@ func (x *RouteToApp) GetTargetPort() uint32 {
 
 var File_teleport_lib_teleterm_v1_app_proto protoreflect.FileDescriptor
 
-var file_teleport_lib_teleterm_v1_app_proto_rawDesc = []byte{
+var file_teleport_lib_teleterm_v1_app_proto_rawDesc = string([]byte{
 	0x0a, 0x22, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x69, 0x62, 0x2f, 0x74,
 	0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70, 0x70, 0x2e, 0x70,
 	0x72, 0x6f, 0x74, 0x6f, 0x12, 0x18, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6c,
@@ -501,16 +502,16 @@ var file_teleport_lib_teleterm_v1_app_proto_rawDesc = []byte{
 	0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x69, 0x62, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x74, 0x65,
 	0x72, 0x6d, 0x2f, 0x76, 0x31, 0x3b, 0x74, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x76, 0x31,
 	0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_lib_teleterm_v1_app_proto_rawDescOnce sync.Once
-	file_teleport_lib_teleterm_v1_app_proto_rawDescData = file_teleport_lib_teleterm_v1_app_proto_rawDesc
+	file_teleport_lib_teleterm_v1_app_proto_rawDescData []byte
 )
 
 func file_teleport_lib_teleterm_v1_app_proto_rawDescGZIP() []byte {
 	file_teleport_lib_teleterm_v1_app_proto_rawDescOnce.Do(func() {
-		file_teleport_lib_teleterm_v1_app_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_lib_teleterm_v1_app_proto_rawDescData)
+		file_teleport_lib_teleterm_v1_app_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_lib_teleterm_v1_app_proto_rawDesc), len(file_teleport_lib_teleterm_v1_app_proto_rawDesc)))
 	})
 	return file_teleport_lib_teleterm_v1_app_proto_rawDescData
 }
@@ -544,7 +545,7 @@ func file_teleport_lib_teleterm_v1_app_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_lib_teleterm_v1_app_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_lib_teleterm_v1_app_proto_rawDesc), len(file_teleport_lib_teleterm_v1_app_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   4,
 			NumExtensions: 0,
@@ -555,7 +556,6 @@ func file_teleport_lib_teleterm_v1_app_proto_init() {
 		MessageInfos:      file_teleport_lib_teleterm_v1_app_proto_msgTypes,
 	}.Build()
 	File_teleport_lib_teleterm_v1_app_proto = out.File
-	file_teleport_lib_teleterm_v1_app_proto_rawDesc = nil
 	file_teleport_lib_teleterm_v1_app_proto_goTypes = nil
 	file_teleport_lib_teleterm_v1_app_proto_depIdxs = nil
 }
diff --git a/gen/proto/go/teleport/lib/teleterm/v1/auth_settings.pb.go b/gen/proto/go/teleport/lib/teleterm/v1/auth_settings.pb.go
index a00e271c6e666..301b2063aed9b 100644
--- a/gen/proto/go/teleport/lib/teleterm/v1/auth_settings.pb.go
+++ b/gen/proto/go/teleport/lib/teleterm/v1/auth_settings.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/lib/teleterm/v1/auth_settings.proto
 
@@ -28,6 +28,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -197,7 +198,7 @@ func (x *AuthProvider) GetDisplayName() string {
 
 var File_teleport_lib_teleterm_v1_auth_settings_proto protoreflect.FileDescriptor
 
-var file_teleport_lib_teleterm_v1_auth_settings_proto_rawDesc = []byte{
+var file_teleport_lib_teleterm_v1_auth_settings_proto_rawDesc = string([]byte{
 	0x0a, 0x2c, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x69, 0x62, 0x2f, 0x74,
 	0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x5f,
 	0x73, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x18,
@@ -237,16 +238,16 @@ var file_teleport_lib_teleterm_v1_auth_settings_proto_rawDesc = []byte{
 	0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x69, 0x62, 0x2f, 0x74, 0x65, 0x6c,
 	0x65, 0x74, 0x65, 0x72, 0x6d, 0x2f, 0x76, 0x31, 0x3b, 0x74, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x72,
 	0x6d, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_lib_teleterm_v1_auth_settings_proto_rawDescOnce sync.Once
-	file_teleport_lib_teleterm_v1_auth_settings_proto_rawDescData = file_teleport_lib_teleterm_v1_auth_settings_proto_rawDesc
+	file_teleport_lib_teleterm_v1_auth_settings_proto_rawDescData []byte
 )
 
 func file_teleport_lib_teleterm_v1_auth_settings_proto_rawDescGZIP() []byte {
 	file_teleport_lib_teleterm_v1_auth_settings_proto_rawDescOnce.Do(func() {
-		file_teleport_lib_teleterm_v1_auth_settings_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_lib_teleterm_v1_auth_settings_proto_rawDescData)
+		file_teleport_lib_teleterm_v1_auth_settings_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_lib_teleterm_v1_auth_settings_proto_rawDesc), len(file_teleport_lib_teleterm_v1_auth_settings_proto_rawDesc)))
 	})
 	return file_teleport_lib_teleterm_v1_auth_settings_proto_rawDescData
 }
@@ -274,7 +275,7 @@ func file_teleport_lib_teleterm_v1_auth_settings_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_lib_teleterm_v1_auth_settings_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_lib_teleterm_v1_auth_settings_proto_rawDesc), len(file_teleport_lib_teleterm_v1_auth_settings_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   2,
 			NumExtensions: 0,
@@ -285,7 +286,6 @@ func file_teleport_lib_teleterm_v1_auth_settings_proto_init() {
 		MessageInfos:      file_teleport_lib_teleterm_v1_auth_settings_proto_msgTypes,
 	}.Build()
 	File_teleport_lib_teleterm_v1_auth_settings_proto = out.File
-	file_teleport_lib_teleterm_v1_auth_settings_proto_rawDesc = nil
 	file_teleport_lib_teleterm_v1_auth_settings_proto_goTypes = nil
 	file_teleport_lib_teleterm_v1_auth_settings_proto_depIdxs = nil
 }
diff --git a/gen/proto/go/teleport/lib/teleterm/v1/cluster.pb.go b/gen/proto/go/teleport/lib/teleterm/v1/cluster.pb.go
index 415728c7084c2..cdcc2fc0f20e5 100644
--- a/gen/proto/go/teleport/lib/teleterm/v1/cluster.pb.go
+++ b/gen/proto/go/teleport/lib/teleterm/v1/cluster.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/lib/teleterm/v1/cluster.proto
 
@@ -29,6 +29,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -742,7 +743,7 @@ func (x *Features) GetIsUsageBasedBilling() bool {
 
 var File_teleport_lib_teleterm_v1_cluster_proto protoreflect.FileDescriptor
 
-var file_teleport_lib_teleterm_v1_cluster_proto_rawDesc = []byte{
+var file_teleport_lib_teleterm_v1_cluster_proto_rawDesc = string([]byte{
 	0x0a, 0x26, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x69, 0x62, 0x2f, 0x74,
 	0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x2f, 0x76, 0x31, 0x2f, 0x63, 0x6c, 0x75, 0x73, 0x74,
 	0x65, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x18, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f,
@@ -912,16 +913,16 @@ var file_teleport_lib_teleterm_v1_cluster_proto_rawDesc = []byte{
 	0x74, 0x2f, 0x6c, 0x69, 0x62, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x2f, 0x76,
 	0x31, 0x3b, 0x74, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72,
 	0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_lib_teleterm_v1_cluster_proto_rawDescOnce sync.Once
-	file_teleport_lib_teleterm_v1_cluster_proto_rawDescData = file_teleport_lib_teleterm_v1_cluster_proto_rawDesc
+	file_teleport_lib_teleterm_v1_cluster_proto_rawDescData []byte
 )
 
 func file_teleport_lib_teleterm_v1_cluster_proto_rawDescGZIP() []byte {
 	file_teleport_lib_teleterm_v1_cluster_proto_rawDescOnce.Do(func() {
-		file_teleport_lib_teleterm_v1_cluster_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_lib_teleterm_v1_cluster_proto_rawDescData)
+		file_teleport_lib_teleterm_v1_cluster_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_lib_teleterm_v1_cluster_proto_rawDesc), len(file_teleport_lib_teleterm_v1_cluster_proto_rawDesc)))
 	})
 	return file_teleport_lib_teleterm_v1_cluster_proto_rawDescData
 }
@@ -974,7 +975,7 @@ func file_teleport_lib_teleterm_v1_cluster_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_lib_teleterm_v1_cluster_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_lib_teleterm_v1_cluster_proto_rawDesc), len(file_teleport_lib_teleterm_v1_cluster_proto_rawDesc)),
 			NumEnums:      2,
 			NumMessages:   5,
 			NumExtensions: 0,
@@ -986,7 +987,6 @@ func file_teleport_lib_teleterm_v1_cluster_proto_init() {
 		MessageInfos:      file_teleport_lib_teleterm_v1_cluster_proto_msgTypes,
 	}.Build()
 	File_teleport_lib_teleterm_v1_cluster_proto = out.File
-	file_teleport_lib_teleterm_v1_cluster_proto_rawDesc = nil
 	file_teleport_lib_teleterm_v1_cluster_proto_goTypes = nil
 	file_teleport_lib_teleterm_v1_cluster_proto_depIdxs = nil
 }
diff --git a/gen/proto/go/teleport/lib/teleterm/v1/database.pb.go b/gen/proto/go/teleport/lib/teleterm/v1/database.pb.go
index 5a976087b9da3..d104f4230e1b9 100644
--- a/gen/proto/go/teleport/lib/teleterm/v1/database.pb.go
+++ b/gen/proto/go/teleport/lib/teleterm/v1/database.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/lib/teleterm/v1/database.proto
 
@@ -28,6 +28,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -148,7 +149,7 @@ func (x *Database) GetLabels() []*Label {
 
 var File_teleport_lib_teleterm_v1_database_proto protoreflect.FileDescriptor
 
-var file_teleport_lib_teleterm_v1_database_proto_rawDesc = []byte{
+var file_teleport_lib_teleterm_v1_database_proto_rawDesc = string([]byte{
 	0x0a, 0x27, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x69, 0x62, 0x2f, 0x74,
 	0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x2f, 0x76, 0x31, 0x2f, 0x64, 0x61, 0x74, 0x61, 0x62,
 	0x61, 0x73, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x18, 0x74, 0x65, 0x6c, 0x65, 0x70,
@@ -176,16 +177,16 @@ var file_teleport_lib_teleterm_v1_database_proto_rawDesc = []byte{
 	0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x69, 0x62, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x72,
 	0x6d, 0x2f, 0x76, 0x31, 0x3b, 0x74, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x76, 0x31, 0x62,
 	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_lib_teleterm_v1_database_proto_rawDescOnce sync.Once
-	file_teleport_lib_teleterm_v1_database_proto_rawDescData = file_teleport_lib_teleterm_v1_database_proto_rawDesc
+	file_teleport_lib_teleterm_v1_database_proto_rawDescData []byte
 )
 
 func file_teleport_lib_teleterm_v1_database_proto_rawDescGZIP() []byte {
 	file_teleport_lib_teleterm_v1_database_proto_rawDescOnce.Do(func() {
-		file_teleport_lib_teleterm_v1_database_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_lib_teleterm_v1_database_proto_rawDescData)
+		file_teleport_lib_teleterm_v1_database_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_lib_teleterm_v1_database_proto_rawDesc), len(file_teleport_lib_teleterm_v1_database_proto_rawDesc)))
 	})
 	return file_teleport_lib_teleterm_v1_database_proto_rawDescData
 }
@@ -214,7 +215,7 @@ func file_teleport_lib_teleterm_v1_database_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_lib_teleterm_v1_database_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_lib_teleterm_v1_database_proto_rawDesc), len(file_teleport_lib_teleterm_v1_database_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   1,
 			NumExtensions: 0,
@@ -225,7 +226,6 @@ func file_teleport_lib_teleterm_v1_database_proto_init() {
 		MessageInfos:      file_teleport_lib_teleterm_v1_database_proto_msgTypes,
 	}.Build()
 	File_teleport_lib_teleterm_v1_database_proto = out.File
-	file_teleport_lib_teleterm_v1_database_proto_rawDesc = nil
 	file_teleport_lib_teleterm_v1_database_proto_goTypes = nil
 	file_teleport_lib_teleterm_v1_database_proto_depIdxs = nil
 }
diff --git a/gen/proto/go/teleport/lib/teleterm/v1/gateway.pb.go b/gen/proto/go/teleport/lib/teleterm/v1/gateway.pb.go
index 1a13471104805..9043b155d7f9c 100644
--- a/gen/proto/go/teleport/lib/teleterm/v1/gateway.pb.go
+++ b/gen/proto/go/teleport/lib/teleterm/v1/gateway.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/lib/teleterm/v1/gateway.proto
 
@@ -28,6 +28,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -259,7 +260,7 @@ func (x *GatewayCLICommand) GetPreview() string {
 
 var File_teleport_lib_teleterm_v1_gateway_proto protoreflect.FileDescriptor
 
-var file_teleport_lib_teleterm_v1_gateway_proto_rawDesc = []byte{
+var file_teleport_lib_teleterm_v1_gateway_proto_rawDesc = string([]byte{
 	0x0a, 0x26, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x69, 0x62, 0x2f, 0x74,
 	0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x2f, 0x76, 0x31, 0x2f, 0x67, 0x61, 0x74, 0x65, 0x77,
 	0x61, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x18, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f,
@@ -301,16 +302,16 @@ var file_teleport_lib_teleterm_v1_gateway_proto_rawDesc = []byte{
 	0x6f, 0x2f, 0x67, 0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x69,
 	0x62, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x2f, 0x76, 0x31, 0x3b, 0x74, 0x65,
 	0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_lib_teleterm_v1_gateway_proto_rawDescOnce sync.Once
-	file_teleport_lib_teleterm_v1_gateway_proto_rawDescData = file_teleport_lib_teleterm_v1_gateway_proto_rawDesc
+	file_teleport_lib_teleterm_v1_gateway_proto_rawDescData []byte
 )
 
 func file_teleport_lib_teleterm_v1_gateway_proto_rawDescGZIP() []byte {
 	file_teleport_lib_teleterm_v1_gateway_proto_rawDescOnce.Do(func() {
-		file_teleport_lib_teleterm_v1_gateway_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_lib_teleterm_v1_gateway_proto_rawDescData)
+		file_teleport_lib_teleterm_v1_gateway_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_lib_teleterm_v1_gateway_proto_rawDesc), len(file_teleport_lib_teleterm_v1_gateway_proto_rawDesc)))
 	})
 	return file_teleport_lib_teleterm_v1_gateway_proto_rawDescData
 }
@@ -338,7 +339,7 @@ func file_teleport_lib_teleterm_v1_gateway_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_lib_teleterm_v1_gateway_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_lib_teleterm_v1_gateway_proto_rawDesc), len(file_teleport_lib_teleterm_v1_gateway_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   2,
 			NumExtensions: 0,
@@ -349,7 +350,6 @@ func file_teleport_lib_teleterm_v1_gateway_proto_init() {
 		MessageInfos:      file_teleport_lib_teleterm_v1_gateway_proto_msgTypes,
 	}.Build()
 	File_teleport_lib_teleterm_v1_gateway_proto = out.File
-	file_teleport_lib_teleterm_v1_gateway_proto_rawDesc = nil
 	file_teleport_lib_teleterm_v1_gateway_proto_goTypes = nil
 	file_teleport_lib_teleterm_v1_gateway_proto_depIdxs = nil
 }
diff --git a/gen/proto/go/teleport/lib/teleterm/v1/kube.pb.go b/gen/proto/go/teleport/lib/teleterm/v1/kube.pb.go
index 99e80cd54abba..55bc838678c56 100644
--- a/gen/proto/go/teleport/lib/teleterm/v1/kube.pb.go
+++ b/gen/proto/go/teleport/lib/teleterm/v1/kube.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/lib/teleterm/v1/kube.proto
 
@@ -28,6 +28,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -197,7 +198,7 @@ func (x *KubeResource) GetNamespace() string {
 
 var File_teleport_lib_teleterm_v1_kube_proto protoreflect.FileDescriptor
 
-var file_teleport_lib_teleterm_v1_kube_proto_rawDesc = []byte{
+var file_teleport_lib_teleterm_v1_kube_proto_rawDesc = string([]byte{
 	0x0a, 0x23, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x69, 0x62, 0x2f, 0x74,
 	0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x2f, 0x76, 0x31, 0x2f, 0x6b, 0x75, 0x62, 0x65, 0x2e,
 	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x18, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e,
@@ -229,16 +230,16 @@ var file_teleport_lib_teleterm_v1_kube_proto_rawDesc = []byte{
 	0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x69, 0x62, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d,
 	0x2f, 0x76, 0x31, 0x3b, 0x74, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x76, 0x31, 0x62, 0x06,
 	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_lib_teleterm_v1_kube_proto_rawDescOnce sync.Once
-	file_teleport_lib_teleterm_v1_kube_proto_rawDescData = file_teleport_lib_teleterm_v1_kube_proto_rawDesc
+	file_teleport_lib_teleterm_v1_kube_proto_rawDescData []byte
 )
 
 func file_teleport_lib_teleterm_v1_kube_proto_rawDescGZIP() []byte {
 	file_teleport_lib_teleterm_v1_kube_proto_rawDescOnce.Do(func() {
-		file_teleport_lib_teleterm_v1_kube_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_lib_teleterm_v1_kube_proto_rawDescData)
+		file_teleport_lib_teleterm_v1_kube_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_lib_teleterm_v1_kube_proto_rawDesc), len(file_teleport_lib_teleterm_v1_kube_proto_rawDesc)))
 	})
 	return file_teleport_lib_teleterm_v1_kube_proto_rawDescData
 }
@@ -269,7 +270,7 @@ func file_teleport_lib_teleterm_v1_kube_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_lib_teleterm_v1_kube_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_lib_teleterm_v1_kube_proto_rawDesc), len(file_teleport_lib_teleterm_v1_kube_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   2,
 			NumExtensions: 0,
@@ -280,7 +281,6 @@ func file_teleport_lib_teleterm_v1_kube_proto_init() {
 		MessageInfos:      file_teleport_lib_teleterm_v1_kube_proto_msgTypes,
 	}.Build()
 	File_teleport_lib_teleterm_v1_kube_proto = out.File
-	file_teleport_lib_teleterm_v1_kube_proto_rawDesc = nil
 	file_teleport_lib_teleterm_v1_kube_proto_goTypes = nil
 	file_teleport_lib_teleterm_v1_kube_proto_depIdxs = nil
 }
diff --git a/gen/proto/go/teleport/lib/teleterm/v1/label.pb.go b/gen/proto/go/teleport/lib/teleterm/v1/label.pb.go
index ad7e0d7a433fa..85b7eb463e865 100644
--- a/gen/proto/go/teleport/lib/teleterm/v1/label.pb.go
+++ b/gen/proto/go/teleport/lib/teleterm/v1/label.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/lib/teleterm/v1/label.proto
 
@@ -28,6 +28,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -94,7 +95,7 @@ func (x *Label) GetValue() string {
 
 var File_teleport_lib_teleterm_v1_label_proto protoreflect.FileDescriptor
 
-var file_teleport_lib_teleterm_v1_label_proto_rawDesc = []byte{
+var file_teleport_lib_teleterm_v1_label_proto_rawDesc = string([]byte{
 	0x0a, 0x24, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x69, 0x62, 0x2f, 0x74,
 	0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x2f, 0x76, 0x31, 0x2f, 0x6c, 0x61, 0x62, 0x65, 0x6c,
 	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x18, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74,
@@ -109,16 +110,16 @@ var file_teleport_lib_teleterm_v1_label_proto_rawDesc = []byte{
 	0x69, 0x62, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x2f, 0x76, 0x31, 0x3b, 0x74,
 	0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
 	0x33,
-}
+})
 
 var (
 	file_teleport_lib_teleterm_v1_label_proto_rawDescOnce sync.Once
-	file_teleport_lib_teleterm_v1_label_proto_rawDescData = file_teleport_lib_teleterm_v1_label_proto_rawDesc
+	file_teleport_lib_teleterm_v1_label_proto_rawDescData []byte
 )
 
 func file_teleport_lib_teleterm_v1_label_proto_rawDescGZIP() []byte {
 	file_teleport_lib_teleterm_v1_label_proto_rawDescOnce.Do(func() {
-		file_teleport_lib_teleterm_v1_label_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_lib_teleterm_v1_label_proto_rawDescData)
+		file_teleport_lib_teleterm_v1_label_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_lib_teleterm_v1_label_proto_rawDesc), len(file_teleport_lib_teleterm_v1_label_proto_rawDesc)))
 	})
 	return file_teleport_lib_teleterm_v1_label_proto_rawDescData
 }
@@ -144,7 +145,7 @@ func file_teleport_lib_teleterm_v1_label_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_lib_teleterm_v1_label_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_lib_teleterm_v1_label_proto_rawDesc), len(file_teleport_lib_teleterm_v1_label_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   1,
 			NumExtensions: 0,
@@ -155,7 +156,6 @@ func file_teleport_lib_teleterm_v1_label_proto_init() {
 		MessageInfos:      file_teleport_lib_teleterm_v1_label_proto_msgTypes,
 	}.Build()
 	File_teleport_lib_teleterm_v1_label_proto = out.File
-	file_teleport_lib_teleterm_v1_label_proto_rawDesc = nil
 	file_teleport_lib_teleterm_v1_label_proto_goTypes = nil
 	file_teleport_lib_teleterm_v1_label_proto_depIdxs = nil
 }
diff --git a/gen/proto/go/teleport/lib/teleterm/v1/server.pb.go b/gen/proto/go/teleport/lib/teleterm/v1/server.pb.go
index 1179e38491cfd..82adc4328c81a 100644
--- a/gen/proto/go/teleport/lib/teleterm/v1/server.pb.go
+++ b/gen/proto/go/teleport/lib/teleterm/v1/server.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/lib/teleterm/v1/server.proto
 
@@ -28,6 +28,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -139,7 +140,7 @@ func (x *Server) GetSubKind() string {
 
 var File_teleport_lib_teleterm_v1_server_proto protoreflect.FileDescriptor
 
-var file_teleport_lib_teleterm_v1_server_proto_rawDesc = []byte{
+var file_teleport_lib_teleterm_v1_server_proto_rawDesc = string([]byte{
 	0x0a, 0x25, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x69, 0x62, 0x2f, 0x74,
 	0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x2f, 0x76, 0x31, 0x2f, 0x73, 0x65, 0x72, 0x76, 0x65,
 	0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x18, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72,
@@ -166,16 +167,16 @@ var file_teleport_lib_teleterm_v1_server_proto_rawDesc = []byte{
 	0x6c, 0x69, 0x62, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x2f, 0x76, 0x31, 0x3b,
 	0x74, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
 	0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_lib_teleterm_v1_server_proto_rawDescOnce sync.Once
-	file_teleport_lib_teleterm_v1_server_proto_rawDescData = file_teleport_lib_teleterm_v1_server_proto_rawDesc
+	file_teleport_lib_teleterm_v1_server_proto_rawDescData []byte
 )
 
 func file_teleport_lib_teleterm_v1_server_proto_rawDescGZIP() []byte {
 	file_teleport_lib_teleterm_v1_server_proto_rawDescOnce.Do(func() {
-		file_teleport_lib_teleterm_v1_server_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_lib_teleterm_v1_server_proto_rawDescData)
+		file_teleport_lib_teleterm_v1_server_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_lib_teleterm_v1_server_proto_rawDesc), len(file_teleport_lib_teleterm_v1_server_proto_rawDesc)))
 	})
 	return file_teleport_lib_teleterm_v1_server_proto_rawDescData
 }
@@ -204,7 +205,7 @@ func file_teleport_lib_teleterm_v1_server_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_lib_teleterm_v1_server_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_lib_teleterm_v1_server_proto_rawDesc), len(file_teleport_lib_teleterm_v1_server_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   1,
 			NumExtensions: 0,
@@ -215,7 +216,6 @@ func file_teleport_lib_teleterm_v1_server_proto_init() {
 		MessageInfos:      file_teleport_lib_teleterm_v1_server_proto_msgTypes,
 	}.Build()
 	File_teleport_lib_teleterm_v1_server_proto = out.File
-	file_teleport_lib_teleterm_v1_server_proto_rawDesc = nil
 	file_teleport_lib_teleterm_v1_server_proto_goTypes = nil
 	file_teleport_lib_teleterm_v1_server_proto_depIdxs = nil
 }
diff --git a/gen/proto/go/teleport/lib/teleterm/v1/service.pb.go b/gen/proto/go/teleport/lib/teleterm/v1/service.pb.go
index 8f2fe1ff558ba..166d6213a9f15 100644
--- a/gen/proto/go/teleport/lib/teleterm/v1/service.pb.go
+++ b/gen/proto/go/teleport/lib/teleterm/v1/service.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/lib/teleterm/v1/service.proto
 
@@ -32,6 +32,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -4339,7 +4340,7 @@ func (x *LoginRequest_SsoParams) GetProviderName() string {
 
 var File_teleport_lib_teleterm_v1_service_proto protoreflect.FileDescriptor
 
-var file_teleport_lib_teleterm_v1_service_proto_rawDesc = []byte{
+var file_teleport_lib_teleterm_v1_service_proto_rawDesc = string([]byte{
 	0x0a, 0x26, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x69, 0x62, 0x2f, 0x74,
 	0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x2f, 0x76, 0x31, 0x2f, 0x73, 0x65, 0x72, 0x76, 0x69,
 	0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x18, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f,
@@ -5306,16 +5307,16 @@ var file_teleport_lib_teleterm_v1_service_proto_rawDesc = []byte{
 	0x6f, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x69, 0x62, 0x2f, 0x74,
 	0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x2f, 0x76, 0x31, 0x3b, 0x74, 0x65, 0x6c, 0x65, 0x74,
 	0x65, 0x72, 0x6d, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_lib_teleterm_v1_service_proto_rawDescOnce sync.Once
-	file_teleport_lib_teleterm_v1_service_proto_rawDescData = file_teleport_lib_teleterm_v1_service_proto_rawDesc
+	file_teleport_lib_teleterm_v1_service_proto_rawDescData []byte
 )
 
 func file_teleport_lib_teleterm_v1_service_proto_rawDescGZIP() []byte {
 	file_teleport_lib_teleterm_v1_service_proto_rawDescOnce.Do(func() {
-		file_teleport_lib_teleterm_v1_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_lib_teleterm_v1_service_proto_rawDescData)
+		file_teleport_lib_teleterm_v1_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_lib_teleterm_v1_service_proto_rawDesc), len(file_teleport_lib_teleterm_v1_service_proto_rawDesc)))
 	})
 	return file_teleport_lib_teleterm_v1_service_proto_rawDescData
 }
@@ -5584,7 +5585,7 @@ func file_teleport_lib_teleterm_v1_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_lib_teleterm_v1_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_lib_teleterm_v1_service_proto_rawDesc), len(file_teleport_lib_teleterm_v1_service_proto_rawDesc)),
 			NumEnums:      3,
 			NumMessages:   77,
 			NumExtensions: 0,
@@ -5596,7 +5597,6 @@ func file_teleport_lib_teleterm_v1_service_proto_init() {
 		MessageInfos:      file_teleport_lib_teleterm_v1_service_proto_msgTypes,
 	}.Build()
 	File_teleport_lib_teleterm_v1_service_proto = out.File
-	file_teleport_lib_teleterm_v1_service_proto_rawDesc = nil
 	file_teleport_lib_teleterm_v1_service_proto_goTypes = nil
 	file_teleport_lib_teleterm_v1_service_proto_depIdxs = nil
 }
diff --git a/gen/proto/go/teleport/lib/teleterm/v1/tshd_events_service.pb.go b/gen/proto/go/teleport/lib/teleterm/v1/tshd_events_service.pb.go
index 9a6601c35ed2c..6e9c15860814f 100644
--- a/gen/proto/go/teleport/lib/teleterm/v1/tshd_events_service.pb.go
+++ b/gen/proto/go/teleport/lib/teleterm/v1/tshd_events_service.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/lib/teleterm/v1/tshd_events_service.proto
 
@@ -28,6 +28,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -1556,7 +1557,7 @@ func (*ReportUnexpectedVnetShutdownResponse) Descriptor() ([]byte, []int) {
 
 var File_teleport_lib_teleterm_v1_tshd_events_service_proto protoreflect.FileDescriptor
 
-var file_teleport_lib_teleterm_v1_tshd_events_service_proto_rawDesc = []byte{
+var file_teleport_lib_teleterm_v1_tshd_events_service_proto_rawDesc = string([]byte{
 	0x0a, 0x32, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x69, 0x62, 0x2f, 0x74,
 	0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x2f, 0x76, 0x31, 0x2f, 0x74, 0x73, 0x68, 0x64, 0x5f,
 	0x65, 0x76, 0x65, 0x6e, 0x74, 0x73, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70,
@@ -1853,16 +1854,16 @@ var file_teleport_lib_teleterm_v1_tshd_events_service_proto_rawDesc = []byte{
 	0x2f, 0x6c, 0x69, 0x62, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x2f, 0x76, 0x31,
 	0x3b, 0x74, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f,
 	0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_lib_teleterm_v1_tshd_events_service_proto_rawDescOnce sync.Once
-	file_teleport_lib_teleterm_v1_tshd_events_service_proto_rawDescData = file_teleport_lib_teleterm_v1_tshd_events_service_proto_rawDesc
+	file_teleport_lib_teleterm_v1_tshd_events_service_proto_rawDescData []byte
 )
 
 func file_teleport_lib_teleterm_v1_tshd_events_service_proto_rawDescGZIP() []byte {
 	file_teleport_lib_teleterm_v1_tshd_events_service_proto_rawDescOnce.Do(func() {
-		file_teleport_lib_teleterm_v1_tshd_events_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_lib_teleterm_v1_tshd_events_service_proto_rawDescData)
+		file_teleport_lib_teleterm_v1_tshd_events_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_lib_teleterm_v1_tshd_events_service_proto_rawDesc), len(file_teleport_lib_teleterm_v1_tshd_events_service_proto_rawDesc)))
 	})
 	return file_teleport_lib_teleterm_v1_tshd_events_service_proto_rawDescData
 }
@@ -1961,7 +1962,7 @@ func file_teleport_lib_teleterm_v1_tshd_events_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_lib_teleterm_v1_tshd_events_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_lib_teleterm_v1_tshd_events_service_proto_rawDesc), len(file_teleport_lib_teleterm_v1_tshd_events_service_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   28,
 			NumExtensions: 0,
@@ -1972,7 +1973,6 @@ func file_teleport_lib_teleterm_v1_tshd_events_service_proto_init() {
 		MessageInfos:      file_teleport_lib_teleterm_v1_tshd_events_service_proto_msgTypes,
 	}.Build()
 	File_teleport_lib_teleterm_v1_tshd_events_service_proto = out.File
-	file_teleport_lib_teleterm_v1_tshd_events_service_proto_rawDesc = nil
 	file_teleport_lib_teleterm_v1_tshd_events_service_proto_goTypes = nil
 	file_teleport_lib_teleterm_v1_tshd_events_service_proto_depIdxs = nil
 }
diff --git a/gen/proto/go/teleport/lib/teleterm/v1/usage_events.pb.go b/gen/proto/go/teleport/lib/teleterm/v1/usage_events.pb.go
index c9efc48b1b3cb..f728f133fdd26 100644
--- a/gen/proto/go/teleport/lib/teleterm/v1/usage_events.pb.go
+++ b/gen/proto/go/teleport/lib/teleterm/v1/usage_events.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/lib/teleterm/v1/usage_events.proto
 
@@ -29,6 +29,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -92,7 +93,7 @@ func (x *ReportUsageEventRequest) GetPrehogReq() *v1alpha.SubmitConnectEventRequ
 
 var File_teleport_lib_teleterm_v1_usage_events_proto protoreflect.FileDescriptor
 
-var file_teleport_lib_teleterm_v1_usage_events_proto_rawDesc = []byte{
+var file_teleport_lib_teleterm_v1_usage_events_proto_rawDesc = string([]byte{
 	0x0a, 0x2b, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x69, 0x62, 0x2f, 0x74,
 	0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x2f, 0x76, 0x31, 0x2f, 0x75, 0x73, 0x61, 0x67, 0x65,
 	0x5f, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x18, 0x74,
@@ -115,16 +116,16 @@ var file_teleport_lib_teleterm_v1_usage_events_proto_rawDesc = []byte{
 	0x69, 0x62, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x2f, 0x76, 0x31, 0x3b, 0x74,
 	0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
 	0x33,
-}
+})
 
 var (
 	file_teleport_lib_teleterm_v1_usage_events_proto_rawDescOnce sync.Once
-	file_teleport_lib_teleterm_v1_usage_events_proto_rawDescData = file_teleport_lib_teleterm_v1_usage_events_proto_rawDesc
+	file_teleport_lib_teleterm_v1_usage_events_proto_rawDescData []byte
 )
 
 func file_teleport_lib_teleterm_v1_usage_events_proto_rawDescGZIP() []byte {
 	file_teleport_lib_teleterm_v1_usage_events_proto_rawDescOnce.Do(func() {
-		file_teleport_lib_teleterm_v1_usage_events_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_lib_teleterm_v1_usage_events_proto_rawDescData)
+		file_teleport_lib_teleterm_v1_usage_events_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_lib_teleterm_v1_usage_events_proto_rawDesc), len(file_teleport_lib_teleterm_v1_usage_events_proto_rawDesc)))
 	})
 	return file_teleport_lib_teleterm_v1_usage_events_proto_rawDescData
 }
@@ -152,7 +153,7 @@ func file_teleport_lib_teleterm_v1_usage_events_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_lib_teleterm_v1_usage_events_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_lib_teleterm_v1_usage_events_proto_rawDesc), len(file_teleport_lib_teleterm_v1_usage_events_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   1,
 			NumExtensions: 0,
@@ -163,7 +164,6 @@ func file_teleport_lib_teleterm_v1_usage_events_proto_init() {
 		MessageInfos:      file_teleport_lib_teleterm_v1_usage_events_proto_msgTypes,
 	}.Build()
 	File_teleport_lib_teleterm_v1_usage_events_proto = out.File
-	file_teleport_lib_teleterm_v1_usage_events_proto_rawDesc = nil
 	file_teleport_lib_teleterm_v1_usage_events_proto_goTypes = nil
 	file_teleport_lib_teleterm_v1_usage_events_proto_depIdxs = nil
 }
diff --git a/gen/proto/go/teleport/lib/teleterm/vnet/v1/vnet_service.pb.go b/gen/proto/go/teleport/lib/teleterm/vnet/v1/vnet_service.pb.go
index 3ac070e4d0ed2..838cc420578e6 100644
--- a/gen/proto/go/teleport/lib/teleterm/vnet/v1/vnet_service.pb.go
+++ b/gen/proto/go/teleport/lib/teleterm/vnet/v1/vnet_service.pb.go
@@ -16,7 +16,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/lib/teleterm/vnet/v1/vnet_service.proto
 
@@ -27,6 +27,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -413,7 +414,7 @@ func (x *GetBackgroundItemStatusResponse) GetStatus() BackgroundItemStatus {
 
 var File_teleport_lib_teleterm_vnet_v1_vnet_service_proto protoreflect.FileDescriptor
 
-var file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDesc = []byte{
+var file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDesc = string([]byte{
 	0x0a, 0x30, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x69, 0x62, 0x2f, 0x74,
 	0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x2f, 0x76, 0x6e, 0x65, 0x74, 0x2f, 0x76, 0x31, 0x2f,
 	0x76, 0x6e, 0x65, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f,
@@ -491,16 +492,16 @@ var file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDesc = []byte{
 	0x74, 0x2f, 0x6c, 0x69, 0x62, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x72, 0x6d, 0x2f, 0x76,
 	0x6e, 0x65, 0x74, 0x2f, 0x76, 0x31, 0x3b, 0x76, 0x6e, 0x65, 0x74, 0x76, 0x31, 0x62, 0x06, 0x70,
 	0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDescOnce sync.Once
-	file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDescData = file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDesc
+	file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDescData []byte
 )
 
 func file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDescGZIP() []byte {
 	file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDescOnce.Do(func() {
-		file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDescData)
+		file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDesc), len(file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDesc)))
 	})
 	return file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDescData
 }
@@ -544,7 +545,7 @@ func file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDesc), len(file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDesc)),
 			NumEnums:      1,
 			NumMessages:   8,
 			NumExtensions: 0,
@@ -556,7 +557,6 @@ func file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_init() {
 		MessageInfos:      file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_msgTypes,
 	}.Build()
 	File_teleport_lib_teleterm_vnet_v1_vnet_service_proto = out.File
-	file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_rawDesc = nil
 	file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_goTypes = nil
 	file_teleport_lib_teleterm_vnet_v1_vnet_service_proto_depIdxs = nil
 }
diff --git a/gen/proto/go/teleport/lib/vnet/v1/client_application_service.pb.go b/gen/proto/go/teleport/lib/vnet/v1/client_application_service.pb.go
new file mode 100644
index 0000000000000..42077cf457934
--- /dev/null
+++ b/gen/proto/go/teleport/lib/vnet/v1/client_application_service.pb.go
@@ -0,0 +1,1257 @@
+// Teleport
+// Copyright (C) 2025 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.36.4
+// 	protoc        (unknown)
+// source: teleport/lib/vnet/v1/client_application_service.proto
+
+package vnetv1
+
+import (
+	types "github.com/gravitational/teleport/api/types"
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+	unsafe "unsafe"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+// Hash specifies a cryptographic hash function.
+type Hash int32
+
+const (
+	Hash_HASH_UNSPECIFIED Hash = 0
+	// HASH_NONE is used for Ed25519 signatures, which do no pre-hash.
+	// Currently app access always uses ECDSA or RSA signatures, except for some
+	// tests that use Ed25519. This is unlikely to be used in product code unless
+	// and until that changes.
+	Hash_HASH_NONE Hash = 1
+	// HASH_SHA256 is used with ECDSA P-256 and RSA 2048 signatures.
+	Hash_HASH_SHA256 Hash = 2
+)
+
+// Enum value maps for Hash.
+var (
+	Hash_name = map[int32]string{
+		0: "HASH_UNSPECIFIED",
+		1: "HASH_NONE",
+		2: "HASH_SHA256",
+	}
+	Hash_value = map[string]int32{
+		"HASH_UNSPECIFIED": 0,
+		"HASH_NONE":        1,
+		"HASH_SHA256":      2,
+	}
+)
+
+func (x Hash) Enum() *Hash {
+	p := new(Hash)
+	*p = x
+	return p
+}
+
+func (x Hash) String() string {
+	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (Hash) Descriptor() protoreflect.EnumDescriptor {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_enumTypes[0].Descriptor()
+}
+
+func (Hash) Type() protoreflect.EnumType {
+	return &file_teleport_lib_vnet_v1_client_application_service_proto_enumTypes[0]
+}
+
+func (x Hash) Number() protoreflect.EnumNumber {
+	return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use Hash.Descriptor instead.
+func (Hash) EnumDescriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{0}
+}
+
+// AuthenticateProcessRequest is a request for AuthenticateProcess.
+type AuthenticateProcessRequest struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// version is the admin process version.
+	Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"`
+	// pipe_path is the path to a named pipe used for process authentication.
+	PipePath      string `protobuf:"bytes,2,opt,name=pipe_path,json=pipePath,proto3" json:"pipe_path,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *AuthenticateProcessRequest) Reset() {
+	*x = AuthenticateProcessRequest{}
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *AuthenticateProcessRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*AuthenticateProcessRequest) ProtoMessage() {}
+
+func (x *AuthenticateProcessRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[0]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use AuthenticateProcessRequest.ProtoReflect.Descriptor instead.
+func (*AuthenticateProcessRequest) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *AuthenticateProcessRequest) GetVersion() string {
+	if x != nil {
+		return x.Version
+	}
+	return ""
+}
+
+func (x *AuthenticateProcessRequest) GetPipePath() string {
+	if x != nil {
+		return x.PipePath
+	}
+	return ""
+}
+
+// AuthenticateProcessResponse is a response for AuthenticateProcess.
+type AuthenticateProcessResponse struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// version is the client application version.
+	Version       string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *AuthenticateProcessResponse) Reset() {
+	*x = AuthenticateProcessResponse{}
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *AuthenticateProcessResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*AuthenticateProcessResponse) ProtoMessage() {}
+
+func (x *AuthenticateProcessResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[1]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use AuthenticateProcessResponse.ProtoReflect.Descriptor instead.
+func (*AuthenticateProcessResponse) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *AuthenticateProcessResponse) GetVersion() string {
+	if x != nil {
+		return x.Version
+	}
+	return ""
+}
+
+// PingRequest is a request for the Ping rpc.
+type PingRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *PingRequest) Reset() {
+	*x = PingRequest{}
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *PingRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*PingRequest) ProtoMessage() {}
+
+func (x *PingRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[2]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use PingRequest.ProtoReflect.Descriptor instead.
+func (*PingRequest) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{2}
+}
+
+// PingResponse is a response for the Ping rpc.
+type PingResponse struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *PingResponse) Reset() {
+	*x = PingResponse{}
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *PingResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*PingResponse) ProtoMessage() {}
+
+func (x *PingResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[3]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use PingResponse.ProtoReflect.Descriptor instead.
+func (*PingResponse) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{3}
+}
+
+// ResolveAppInfoRequest is a request for ResolveAppInfo.
+type ResolveAppInfoRequest struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// fqdn is the fully-qualified domain name of the app.
+	Fqdn          string `protobuf:"bytes,1,opt,name=fqdn,proto3" json:"fqdn,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ResolveAppInfoRequest) Reset() {
+	*x = ResolveAppInfoRequest{}
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ResolveAppInfoRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ResolveAppInfoRequest) ProtoMessage() {}
+
+func (x *ResolveAppInfoRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[4]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ResolveAppInfoRequest.ProtoReflect.Descriptor instead.
+func (*ResolveAppInfoRequest) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{4}
+}
+
+func (x *ResolveAppInfoRequest) GetFqdn() string {
+	if x != nil {
+		return x.Fqdn
+	}
+	return ""
+}
+
+// ResolveAppInfoResponse is a response for ResolveAppInfo.
+type ResolveAppInfoResponse struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// app_info holds all necessary info for making connections to the resolved app.
+	AppInfo       *AppInfo `protobuf:"bytes,1,opt,name=app_info,json=appInfo,proto3" json:"app_info,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ResolveAppInfoResponse) Reset() {
+	*x = ResolveAppInfoResponse{}
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ResolveAppInfoResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ResolveAppInfoResponse) ProtoMessage() {}
+
+func (x *ResolveAppInfoResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[5]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ResolveAppInfoResponse.ProtoReflect.Descriptor instead.
+func (*ResolveAppInfoResponse) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{5}
+}
+
+func (x *ResolveAppInfoResponse) GetAppInfo() *AppInfo {
+	if x != nil {
+		return x.AppInfo
+	}
+	return nil
+}
+
+// AppInfo holds all necessary info for making connections to VNet TCP apps.
+type AppInfo struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// app_key uniquely identifies a TCP app (and optionally a port for multi-port
+	// TCP apps).
+	AppKey *AppKey `protobuf:"bytes,1,opt,name=app_key,json=appKey,proto3" json:"app_key,omitempty"`
+	// cluster is the name of the cluster in which the app is found.
+	// Iff the app is in a leaf cluster, this will match app_key.leaf_cluster.
+	Cluster string `protobuf:"bytes,2,opt,name=cluster,proto3" json:"cluster,omitempty"`
+	// app is the app spec.
+	App *types.AppV3 `protobuf:"bytes,3,opt,name=app,proto3" json:"app,omitempty"`
+	// ipv4_cidr_range is the CIDR range from which an IPv4 address should be
+	// assigned to the app.
+	Ipv4CidrRange string `protobuf:"bytes,4,opt,name=ipv4_cidr_range,json=ipv4CidrRange,proto3" json:"ipv4_cidr_range,omitempty"`
+	// dial_options holds options that should be used when dialing the root cluster
+	// of the app.
+	DialOptions   *DialOptions `protobuf:"bytes,5,opt,name=dial_options,json=dialOptions,proto3" json:"dial_options,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *AppInfo) Reset() {
+	*x = AppInfo{}
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[6]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *AppInfo) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*AppInfo) ProtoMessage() {}
+
+func (x *AppInfo) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[6]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use AppInfo.ProtoReflect.Descriptor instead.
+func (*AppInfo) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{6}
+}
+
+func (x *AppInfo) GetAppKey() *AppKey {
+	if x != nil {
+		return x.AppKey
+	}
+	return nil
+}
+
+func (x *AppInfo) GetCluster() string {
+	if x != nil {
+		return x.Cluster
+	}
+	return ""
+}
+
+func (x *AppInfo) GetApp() *types.AppV3 {
+	if x != nil {
+		return x.App
+	}
+	return nil
+}
+
+func (x *AppInfo) GetIpv4CidrRange() string {
+	if x != nil {
+		return x.Ipv4CidrRange
+	}
+	return ""
+}
+
+func (x *AppInfo) GetDialOptions() *DialOptions {
+	if x != nil {
+		return x.DialOptions
+	}
+	return nil
+}
+
+// AppKey uniquely identifies a TCP app in a specific profile and cluster.
+type AppKey struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// profile is the profile in which the app is found.
+	Profile string `protobuf:"bytes,1,opt,name=profile,proto3" json:"profile,omitempty"`
+	// leaf_cluster is the leaf cluster in which the app is found. If empty, the
+	// app is in the root cluster for the profile.
+	LeafCluster string `protobuf:"bytes,2,opt,name=leaf_cluster,json=leafCluster,proto3" json:"leaf_cluster,omitempty"`
+	// name is the name of the app.
+	Name          string `protobuf:"bytes,3,opt,name=name,proto3" json:"name,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *AppKey) Reset() {
+	*x = AppKey{}
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[7]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *AppKey) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*AppKey) ProtoMessage() {}
+
+func (x *AppKey) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[7]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use AppKey.ProtoReflect.Descriptor instead.
+func (*AppKey) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{7}
+}
+
+func (x *AppKey) GetProfile() string {
+	if x != nil {
+		return x.Profile
+	}
+	return ""
+}
+
+func (x *AppKey) GetLeafCluster() string {
+	if x != nil {
+		return x.LeafCluster
+	}
+	return ""
+}
+
+func (x *AppKey) GetName() string {
+	if x != nil {
+		return x.Name
+	}
+	return ""
+}
+
+// DialOptions holds ALPN dial options for dialing apps.
+type DialOptions struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// web_proxy_addr is the address to dial.
+	WebProxyAddr string `protobuf:"bytes,1,opt,name=web_proxy_addr,json=webProxyAddr,proto3" json:"web_proxy_addr,omitempty"`
+	// alpn_conn_upgrade_required specifies if ALPN connection upgrade is required.
+	AlpnConnUpgradeRequired bool `protobuf:"varint,2,opt,name=alpn_conn_upgrade_required,json=alpnConnUpgradeRequired,proto3" json:"alpn_conn_upgrade_required,omitempty"`
+	// sni is a ServerName value set for upstream TLS connection.
+	Sni string `protobuf:"bytes,3,opt,name=sni,proto3" json:"sni,omitempty"`
+	// insecure_skip_verify turns off verification for x509 upstream ALPN proxy service certificate.
+	InsecureSkipVerify bool `protobuf:"varint,4,opt,name=insecure_skip_verify,json=insecureSkipVerify,proto3" json:"insecure_skip_verify,omitempty"`
+	// root_cluster_ca_cert_pool overrides the x509 certificate pool used to verify the server.
+	RootClusterCaCertPool []byte `protobuf:"bytes,5,opt,name=root_cluster_ca_cert_pool,json=rootClusterCaCertPool,proto3" json:"root_cluster_ca_cert_pool,omitempty"`
+	unknownFields         protoimpl.UnknownFields
+	sizeCache             protoimpl.SizeCache
+}
+
+func (x *DialOptions) Reset() {
+	*x = DialOptions{}
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[8]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *DialOptions) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*DialOptions) ProtoMessage() {}
+
+func (x *DialOptions) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[8]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use DialOptions.ProtoReflect.Descriptor instead.
+func (*DialOptions) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{8}
+}
+
+func (x *DialOptions) GetWebProxyAddr() string {
+	if x != nil {
+		return x.WebProxyAddr
+	}
+	return ""
+}
+
+func (x *DialOptions) GetAlpnConnUpgradeRequired() bool {
+	if x != nil {
+		return x.AlpnConnUpgradeRequired
+	}
+	return false
+}
+
+func (x *DialOptions) GetSni() string {
+	if x != nil {
+		return x.Sni
+	}
+	return ""
+}
+
+func (x *DialOptions) GetInsecureSkipVerify() bool {
+	if x != nil {
+		return x.InsecureSkipVerify
+	}
+	return false
+}
+
+func (x *DialOptions) GetRootClusterCaCertPool() []byte {
+	if x != nil {
+		return x.RootClusterCaCertPool
+	}
+	return nil
+}
+
+// ReissueAppCertRequest is a request for ReissueAppCert.
+type ReissueAppCertRequest struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// app_info contains info about the app, every ReissueAppCertRequest must
+	// include an app_info as returned from ResolveAppInfo.
+	AppInfo *AppInfo `protobuf:"bytes,1,opt,name=app_info,json=appInfo,proto3" json:"app_info,omitempty"`
+	// target_port is the TCP port to issue the cert for.
+	TargetPort    uint32 `protobuf:"varint,2,opt,name=target_port,json=targetPort,proto3" json:"target_port,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ReissueAppCertRequest) Reset() {
+	*x = ReissueAppCertRequest{}
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[9]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ReissueAppCertRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ReissueAppCertRequest) ProtoMessage() {}
+
+func (x *ReissueAppCertRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[9]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ReissueAppCertRequest.ProtoReflect.Descriptor instead.
+func (*ReissueAppCertRequest) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{9}
+}
+
+func (x *ReissueAppCertRequest) GetAppInfo() *AppInfo {
+	if x != nil {
+		return x.AppInfo
+	}
+	return nil
+}
+
+func (x *ReissueAppCertRequest) GetTargetPort() uint32 {
+	if x != nil {
+		return x.TargetPort
+	}
+	return 0
+}
+
+// ReissueAppCertResponse is a response for ReissueAppCert.
+type ReissueAppCertResponse struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// cert is the issued app certificate in x509 DER format.
+	Cert          []byte `protobuf:"bytes,1,opt,name=cert,proto3" json:"cert,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ReissueAppCertResponse) Reset() {
+	*x = ReissueAppCertResponse{}
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[10]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ReissueAppCertResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ReissueAppCertResponse) ProtoMessage() {}
+
+func (x *ReissueAppCertResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[10]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ReissueAppCertResponse.ProtoReflect.Descriptor instead.
+func (*ReissueAppCertResponse) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{10}
+}
+
+func (x *ReissueAppCertResponse) GetCert() []byte {
+	if x != nil {
+		return x.Cert
+	}
+	return nil
+}
+
+// SignForAppRequest is a request to sign data with a private key that the
+// server has cached for the (app_key, target_port) pair. The (app_key,
+// target_port) pair here must match a previous successful call to
+// ReissueAppCert. The private key used for the signature will match the subject
+// public key of the issued x509 certificate.
+type SignForAppRequest struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// app_key uniquely identifies a TCP app, it must match the key of an app from
+	// a previous successful call to ReissueAppCert.
+	AppKey *AppKey `protobuf:"bytes,1,opt,name=app_key,json=appKey,proto3" json:"app_key,omitempty"`
+	// target_port identifies the TCP port of the app, it must match the
+	// target_port of a previous successful call to ReissueAppCert for an app
+	// matching AppKey.
+	TargetPort uint32 `protobuf:"varint,2,opt,name=target_port,json=targetPort,proto3" json:"target_port,omitempty"`
+	// digest is the bytes to sign.
+	Digest []byte `protobuf:"bytes,3,opt,name=digest,proto3" json:"digest,omitempty"`
+	// hash is the hash function used to compute digest.
+	Hash          Hash `protobuf:"varint,4,opt,name=hash,proto3,enum=teleport.lib.vnet.v1.Hash" json:"hash,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *SignForAppRequest) Reset() {
+	*x = SignForAppRequest{}
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[11]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *SignForAppRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SignForAppRequest) ProtoMessage() {}
+
+func (x *SignForAppRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[11]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SignForAppRequest.ProtoReflect.Descriptor instead.
+func (*SignForAppRequest) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{11}
+}
+
+func (x *SignForAppRequest) GetAppKey() *AppKey {
+	if x != nil {
+		return x.AppKey
+	}
+	return nil
+}
+
+func (x *SignForAppRequest) GetTargetPort() uint32 {
+	if x != nil {
+		return x.TargetPort
+	}
+	return 0
+}
+
+func (x *SignForAppRequest) GetDigest() []byte {
+	if x != nil {
+		return x.Digest
+	}
+	return nil
+}
+
+func (x *SignForAppRequest) GetHash() Hash {
+	if x != nil {
+		return x.Hash
+	}
+	return Hash_HASH_UNSPECIFIED
+}
+
+// SignForAppResponse is a response for SignForApp.
+type SignForAppResponse struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// signature is the signature.
+	Signature     []byte `protobuf:"bytes,1,opt,name=signature,proto3" json:"signature,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *SignForAppResponse) Reset() {
+	*x = SignForAppResponse{}
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[12]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *SignForAppResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SignForAppResponse) ProtoMessage() {}
+
+func (x *SignForAppResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[12]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SignForAppResponse.ProtoReflect.Descriptor instead.
+func (*SignForAppResponse) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{12}
+}
+
+func (x *SignForAppResponse) GetSignature() []byte {
+	if x != nil {
+		return x.Signature
+	}
+	return nil
+}
+
+// OnNewConnectionRequest is a request for OnNewConnection.
+type OnNewConnectionRequest struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// app_key identifies the app the connection is being made for.
+	AppKey        *AppKey `protobuf:"bytes,1,opt,name=app_key,json=appKey,proto3" json:"app_key,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *OnNewConnectionRequest) Reset() {
+	*x = OnNewConnectionRequest{}
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[13]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *OnNewConnectionRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*OnNewConnectionRequest) ProtoMessage() {}
+
+func (x *OnNewConnectionRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[13]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use OnNewConnectionRequest.ProtoReflect.Descriptor instead.
+func (*OnNewConnectionRequest) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{13}
+}
+
+func (x *OnNewConnectionRequest) GetAppKey() *AppKey {
+	if x != nil {
+		return x.AppKey
+	}
+	return nil
+}
+
+// OnNewConnectionRequest is a response for OnNewConnection.
+type OnNewConnectionResponse struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *OnNewConnectionResponse) Reset() {
+	*x = OnNewConnectionResponse{}
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[14]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *OnNewConnectionResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*OnNewConnectionResponse) ProtoMessage() {}
+
+func (x *OnNewConnectionResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[14]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use OnNewConnectionResponse.ProtoReflect.Descriptor instead.
+func (*OnNewConnectionResponse) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{14}
+}
+
+// OnInvalidLocalPortRequest is a request for OnInvalidLocalPort.
+type OnInvalidLocalPortRequest struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// app_info identifies the app the request was made for. AppInfo is used
+	// instaed of AppKey so that the application spec is included, which includes
+	// the TCP port ranges allowed for the app, which are ultimately included in
+	// the user error message.
+	AppInfo *AppInfo `protobuf:"bytes,1,opt,name=app_info,json=appInfo,proto3" json:"app_info,omitempty"`
+	// target_port is the invalid port the request was made for.
+	TargetPort    uint32 `protobuf:"varint,2,opt,name=target_port,json=targetPort,proto3" json:"target_port,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *OnInvalidLocalPortRequest) Reset() {
+	*x = OnInvalidLocalPortRequest{}
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[15]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *OnInvalidLocalPortRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*OnInvalidLocalPortRequest) ProtoMessage() {}
+
+func (x *OnInvalidLocalPortRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[15]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use OnInvalidLocalPortRequest.ProtoReflect.Descriptor instead.
+func (*OnInvalidLocalPortRequest) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{15}
+}
+
+func (x *OnInvalidLocalPortRequest) GetAppInfo() *AppInfo {
+	if x != nil {
+		return x.AppInfo
+	}
+	return nil
+}
+
+func (x *OnInvalidLocalPortRequest) GetTargetPort() uint32 {
+	if x != nil {
+		return x.TargetPort
+	}
+	return 0
+}
+
+// OnInvalidLocalPortResponse is a response for OnInvalidLocalPort.
+type OnInvalidLocalPortResponse struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *OnInvalidLocalPortResponse) Reset() {
+	*x = OnInvalidLocalPortResponse{}
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[16]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *OnInvalidLocalPortResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*OnInvalidLocalPortResponse) ProtoMessage() {}
+
+func (x *OnInvalidLocalPortResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes[16]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use OnInvalidLocalPortResponse.ProtoReflect.Descriptor instead.
+func (*OnInvalidLocalPortResponse) Descriptor() ([]byte, []int) {
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP(), []int{16}
+}
+
+var File_teleport_lib_vnet_v1_client_application_service_proto protoreflect.FileDescriptor
+
+var file_teleport_lib_vnet_v1_client_application_service_proto_rawDesc = string([]byte{
+	0x0a, 0x35, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x69, 0x62, 0x2f, 0x76,
+	0x6e, 0x65, 0x74, 0x2f, 0x76, 0x31, 0x2f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x61, 0x70,
+	0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63,
+	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x14, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72,
+	0x74, 0x2e, 0x6c, 0x69, 0x62, 0x2e, 0x76, 0x6e, 0x65, 0x74, 0x2e, 0x76, 0x31, 0x1a, 0x21, 0x74,
+	0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x65, 0x67, 0x61, 0x63, 0x79, 0x2f, 0x74,
+	0x79, 0x70, 0x65, 0x73, 0x2f, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x22, 0x53, 0x0a, 0x1a, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65,
+	0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18,
+	0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x1b, 0x0a, 0x09, 0x70, 0x69, 0x70, 0x65,
+	0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x69, 0x70,
+	0x65, 0x50, 0x61, 0x74, 0x68, 0x22, 0x37, 0x0a, 0x1b, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74,
+	0x69, 0x63, 0x61, 0x74, 0x65, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x52, 0x65, 0x73, 0x70,
+	0x6f, 0x6e, 0x73, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x0d,
+	0x0a, 0x0b, 0x50, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x0e, 0x0a,
+	0x0c, 0x50, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x2b, 0x0a,
+	0x15, 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x41, 0x70, 0x70, 0x49, 0x6e, 0x66, 0x6f, 0x52,
+	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x66, 0x71, 0x64, 0x6e, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x66, 0x71, 0x64, 0x6e, 0x22, 0x52, 0x0a, 0x16, 0x52, 0x65,
+	0x73, 0x6f, 0x6c, 0x76, 0x65, 0x41, 0x70, 0x70, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x65, 0x73, 0x70,
+	0x6f, 0x6e, 0x73, 0x65, 0x12, 0x38, 0x0a, 0x08, 0x61, 0x70, 0x70, 0x5f, 0x69, 0x6e, 0x66, 0x6f,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72,
+	0x74, 0x2e, 0x6c, 0x69, 0x62, 0x2e, 0x76, 0x6e, 0x65, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x70,
+	0x70, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x07, 0x61, 0x70, 0x70, 0x49, 0x6e, 0x66, 0x6f, 0x22, 0xe8,
+	0x01, 0x0a, 0x07, 0x41, 0x70, 0x70, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x35, 0x0a, 0x07, 0x61, 0x70,
+	0x70, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x74, 0x65,
+	0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6c, 0x69, 0x62, 0x2e, 0x76, 0x6e, 0x65, 0x74, 0x2e,
+	0x76, 0x31, 0x2e, 0x41, 0x70, 0x70, 0x4b, 0x65, 0x79, 0x52, 0x06, 0x61, 0x70, 0x70, 0x4b, 0x65,
+	0x79, 0x12, 0x18, 0x0a, 0x07, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x07, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x12, 0x1e, 0x0a, 0x03, 0x61,
+	0x70, 0x70, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0c, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73,
+	0x2e, 0x41, 0x70, 0x70, 0x56, 0x33, 0x52, 0x03, 0x61, 0x70, 0x70, 0x12, 0x26, 0x0a, 0x0f, 0x69,
+	0x70, 0x76, 0x34, 0x5f, 0x63, 0x69, 0x64, 0x72, 0x5f, 0x72, 0x61, 0x6e, 0x67, 0x65, 0x18, 0x04,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x69, 0x70, 0x76, 0x34, 0x43, 0x69, 0x64, 0x72, 0x52, 0x61,
+	0x6e, 0x67, 0x65, 0x12, 0x44, 0x0a, 0x0c, 0x64, 0x69, 0x61, 0x6c, 0x5f, 0x6f, 0x70, 0x74, 0x69,
+	0x6f, 0x6e, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x74, 0x65, 0x6c, 0x65,
+	0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6c, 0x69, 0x62, 0x2e, 0x76, 0x6e, 0x65, 0x74, 0x2e, 0x76, 0x31,
+	0x2e, 0x44, 0x69, 0x61, 0x6c, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x0b, 0x64, 0x69,
+	0x61, 0x6c, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x22, 0x59, 0x0a, 0x06, 0x41, 0x70, 0x70,
+	0x4b, 0x65, 0x79, 0x12, 0x18, 0x0a, 0x07, 0x70, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x70, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x12, 0x21, 0x0a,
+	0x0c, 0x6c, 0x65, 0x61, 0x66, 0x5f, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x18, 0x02, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x0b, 0x6c, 0x65, 0x61, 0x66, 0x43, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72,
+	0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04,
+	0x6e, 0x61, 0x6d, 0x65, 0x22, 0xee, 0x01, 0x0a, 0x0b, 0x44, 0x69, 0x61, 0x6c, 0x4f, 0x70, 0x74,
+	0x69, 0x6f, 0x6e, 0x73, 0x12, 0x24, 0x0a, 0x0e, 0x77, 0x65, 0x62, 0x5f, 0x70, 0x72, 0x6f, 0x78,
+	0x79, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x77, 0x65,
+	0x62, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x41, 0x64, 0x64, 0x72, 0x12, 0x3b, 0x0a, 0x1a, 0x61, 0x6c,
+	0x70, 0x6e, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x5f, 0x75, 0x70, 0x67, 0x72, 0x61, 0x64, 0x65, 0x5f,
+	0x72, 0x65, 0x71, 0x75, 0x69, 0x72, 0x65, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x17,
+	0x61, 0x6c, 0x70, 0x6e, 0x43, 0x6f, 0x6e, 0x6e, 0x55, 0x70, 0x67, 0x72, 0x61, 0x64, 0x65, 0x52,
+	0x65, 0x71, 0x75, 0x69, 0x72, 0x65, 0x64, 0x12, 0x10, 0x0a, 0x03, 0x73, 0x6e, 0x69, 0x18, 0x03,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x73, 0x6e, 0x69, 0x12, 0x30, 0x0a, 0x14, 0x69, 0x6e, 0x73,
+	0x65, 0x63, 0x75, 0x72, 0x65, 0x5f, 0x73, 0x6b, 0x69, 0x70, 0x5f, 0x76, 0x65, 0x72, 0x69, 0x66,
+	0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x12, 0x69, 0x6e, 0x73, 0x65, 0x63, 0x75, 0x72,
+	0x65, 0x53, 0x6b, 0x69, 0x70, 0x56, 0x65, 0x72, 0x69, 0x66, 0x79, 0x12, 0x38, 0x0a, 0x19, 0x72,
+	0x6f, 0x6f, 0x74, 0x5f, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x63, 0x61, 0x5f, 0x63,
+	0x65, 0x72, 0x74, 0x5f, 0x70, 0x6f, 0x6f, 0x6c, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x15,
+	0x72, 0x6f, 0x6f, 0x74, 0x43, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x43, 0x61, 0x43, 0x65, 0x72,
+	0x74, 0x50, 0x6f, 0x6f, 0x6c, 0x22, 0x72, 0x0a, 0x15, 0x52, 0x65, 0x69, 0x73, 0x73, 0x75, 0x65,
+	0x41, 0x70, 0x70, 0x43, 0x65, 0x72, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x38,
+	0x0a, 0x08, 0x61, 0x70, 0x70, 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b,
+	0x32, 0x1d, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6c, 0x69, 0x62, 0x2e,
+	0x76, 0x6e, 0x65, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x70, 0x70, 0x49, 0x6e, 0x66, 0x6f, 0x52,
+	0x07, 0x61, 0x70, 0x70, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x1f, 0x0a, 0x0b, 0x74, 0x61, 0x72, 0x67,
+	0x65, 0x74, 0x5f, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0a, 0x74,
+	0x61, 0x72, 0x67, 0x65, 0x74, 0x50, 0x6f, 0x72, 0x74, 0x22, 0x2c, 0x0a, 0x16, 0x52, 0x65, 0x69,
+	0x73, 0x73, 0x75, 0x65, 0x41, 0x70, 0x70, 0x43, 0x65, 0x72, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f,
+	0x6e, 0x73, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x63, 0x65, 0x72, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28,
+	0x0c, 0x52, 0x04, 0x63, 0x65, 0x72, 0x74, 0x22, 0xb3, 0x01, 0x0a, 0x11, 0x53, 0x69, 0x67, 0x6e,
+	0x46, 0x6f, 0x72, 0x41, 0x70, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x35, 0x0a,
+	0x07, 0x61, 0x70, 0x70, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c,
+	0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6c, 0x69, 0x62, 0x2e, 0x76, 0x6e,
+	0x65, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x70, 0x70, 0x4b, 0x65, 0x79, 0x52, 0x06, 0x61, 0x70,
+	0x70, 0x4b, 0x65, 0x79, 0x12, 0x1f, 0x0a, 0x0b, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x5f, 0x70,
+	0x6f, 0x72, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0a, 0x74, 0x61, 0x72, 0x67, 0x65,
+	0x74, 0x50, 0x6f, 0x72, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x69, 0x67, 0x65, 0x73, 0x74, 0x18,
+	0x03, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x06, 0x64, 0x69, 0x67, 0x65, 0x73, 0x74, 0x12, 0x2e, 0x0a,
+	0x04, 0x68, 0x61, 0x73, 0x68, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1a, 0x2e, 0x74, 0x65,
+	0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6c, 0x69, 0x62, 0x2e, 0x76, 0x6e, 0x65, 0x74, 0x2e,
+	0x76, 0x31, 0x2e, 0x48, 0x61, 0x73, 0x68, 0x52, 0x04, 0x68, 0x61, 0x73, 0x68, 0x22, 0x32, 0x0a,
+	0x12, 0x53, 0x69, 0x67, 0x6e, 0x46, 0x6f, 0x72, 0x41, 0x70, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f,
+	0x6e, 0x73, 0x65, 0x12, 0x1c, 0x0a, 0x09, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72,
+	0x65, 0x22, 0x4f, 0x0a, 0x16, 0x4f, 0x6e, 0x4e, 0x65, 0x77, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63,
+	0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x35, 0x0a, 0x07, 0x61,
+	0x70, 0x70, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x74,
+	0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6c, 0x69, 0x62, 0x2e, 0x76, 0x6e, 0x65, 0x74,
+	0x2e, 0x76, 0x31, 0x2e, 0x41, 0x70, 0x70, 0x4b, 0x65, 0x79, 0x52, 0x06, 0x61, 0x70, 0x70, 0x4b,
+	0x65, 0x79, 0x22, 0x19, 0x0a, 0x17, 0x4f, 0x6e, 0x4e, 0x65, 0x77, 0x43, 0x6f, 0x6e, 0x6e, 0x65,
+	0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x76, 0x0a,
+	0x19, 0x4f, 0x6e, 0x49, 0x6e, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x50,
+	0x6f, 0x72, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x38, 0x0a, 0x08, 0x61, 0x70,
+	0x70, 0x5f, 0x69, 0x6e, 0x66, 0x6f, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e, 0x74,
+	0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6c, 0x69, 0x62, 0x2e, 0x76, 0x6e, 0x65, 0x74,
+	0x2e, 0x76, 0x31, 0x2e, 0x41, 0x70, 0x70, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x07, 0x61, 0x70, 0x70,
+	0x49, 0x6e, 0x66, 0x6f, 0x12, 0x1f, 0x0a, 0x0b, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x5f, 0x70,
+	0x6f, 0x72, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0a, 0x74, 0x61, 0x72, 0x67, 0x65,
+	0x74, 0x50, 0x6f, 0x72, 0x74, 0x22, 0x1c, 0x0a, 0x1a, 0x4f, 0x6e, 0x49, 0x6e, 0x76, 0x61, 0x6c,
+	0x69, 0x64, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x50, 0x6f, 0x72, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f,
+	0x6e, 0x73, 0x65, 0x2a, 0x3c, 0x0a, 0x04, 0x48, 0x61, 0x73, 0x68, 0x12, 0x14, 0x0a, 0x10, 0x48,
+	0x41, 0x53, 0x48, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10,
+	0x00, 0x12, 0x0d, 0x0a, 0x09, 0x48, 0x41, 0x53, 0x48, 0x5f, 0x4e, 0x4f, 0x4e, 0x45, 0x10, 0x01,
+	0x12, 0x0f, 0x0a, 0x0b, 0x48, 0x41, 0x53, 0x48, 0x5f, 0x53, 0x48, 0x41, 0x32, 0x35, 0x36, 0x10,
+	0x02, 0x32, 0x89, 0x06, 0x0a, 0x18, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x41, 0x70, 0x70, 0x6c,
+	0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x7a,
+	0x0a, 0x13, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x50, 0x72,
+	0x6f, 0x63, 0x65, 0x73, 0x73, 0x12, 0x30, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74,
+	0x2e, 0x6c, 0x69, 0x62, 0x2e, 0x76, 0x6e, 0x65, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x75, 0x74,
+	0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73,
+	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x31, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f,
+	0x72, 0x74, 0x2e, 0x6c, 0x69, 0x62, 0x2e, 0x76, 0x6e, 0x65, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x41,
+	0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x50, 0x72, 0x6f, 0x63, 0x65,
+	0x73, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x4d, 0x0a, 0x04, 0x50, 0x69,
+	0x6e, 0x67, 0x12, 0x21, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6c, 0x69,
+	0x62, 0x2e, 0x76, 0x6e, 0x65, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x69, 0x6e, 0x67, 0x52, 0x65,
+	0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74,
+	0x2e, 0x6c, 0x69, 0x62, 0x2e, 0x76, 0x6e, 0x65, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x69, 0x6e,
+	0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x6b, 0x0a, 0x0e, 0x52, 0x65, 0x73,
+	0x6f, 0x6c, 0x76, 0x65, 0x41, 0x70, 0x70, 0x49, 0x6e, 0x66, 0x6f, 0x12, 0x2b, 0x2e, 0x74, 0x65,
+	0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6c, 0x69, 0x62, 0x2e, 0x76, 0x6e, 0x65, 0x74, 0x2e,
+	0x76, 0x31, 0x2e, 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x41, 0x70, 0x70, 0x49, 0x6e, 0x66,
+	0x6f, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2c, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70,
+	0x6f, 0x72, 0x74, 0x2e, 0x6c, 0x69, 0x62, 0x2e, 0x76, 0x6e, 0x65, 0x74, 0x2e, 0x76, 0x31, 0x2e,
+	0x52, 0x65, 0x73, 0x6f, 0x6c, 0x76, 0x65, 0x41, 0x70, 0x70, 0x49, 0x6e, 0x66, 0x6f, 0x52, 0x65,
+	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x6b, 0x0a, 0x0e, 0x52, 0x65, 0x69, 0x73, 0x73, 0x75,
+	0x65, 0x41, 0x70, 0x70, 0x43, 0x65, 0x72, 0x74, 0x12, 0x2b, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70,
+	0x6f, 0x72, 0x74, 0x2e, 0x6c, 0x69, 0x62, 0x2e, 0x76, 0x6e, 0x65, 0x74, 0x2e, 0x76, 0x31, 0x2e,
+	0x52, 0x65, 0x69, 0x73, 0x73, 0x75, 0x65, 0x41, 0x70, 0x70, 0x43, 0x65, 0x72, 0x74, 0x52, 0x65,
+	0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2c, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74,
+	0x2e, 0x6c, 0x69, 0x62, 0x2e, 0x76, 0x6e, 0x65, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x69,
+	0x73, 0x73, 0x75, 0x65, 0x41, 0x70, 0x70, 0x43, 0x65, 0x72, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f,
+	0x6e, 0x73, 0x65, 0x12, 0x5f, 0x0a, 0x0a, 0x53, 0x69, 0x67, 0x6e, 0x46, 0x6f, 0x72, 0x41, 0x70,
+	0x70, 0x12, 0x27, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6c, 0x69, 0x62,
+	0x2e, 0x76, 0x6e, 0x65, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x46, 0x6f, 0x72,
+	0x41, 0x70, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x28, 0x2e, 0x74, 0x65, 0x6c,
+	0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6c, 0x69, 0x62, 0x2e, 0x76, 0x6e, 0x65, 0x74, 0x2e, 0x76,
+	0x31, 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x46, 0x6f, 0x72, 0x41, 0x70, 0x70, 0x52, 0x65, 0x73, 0x70,
+	0x6f, 0x6e, 0x73, 0x65, 0x12, 0x6e, 0x0a, 0x0f, 0x4f, 0x6e, 0x4e, 0x65, 0x77, 0x43, 0x6f, 0x6e,
+	0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x2c, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f,
+	0x72, 0x74, 0x2e, 0x6c, 0x69, 0x62, 0x2e, 0x76, 0x6e, 0x65, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x4f,
+	0x6e, 0x4e, 0x65, 0x77, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65,
+	0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2d, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74,
+	0x2e, 0x6c, 0x69, 0x62, 0x2e, 0x76, 0x6e, 0x65, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x4f, 0x6e, 0x4e,
+	0x65, 0x77, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70,
+	0x6f, 0x6e, 0x73, 0x65, 0x12, 0x77, 0x0a, 0x12, 0x4f, 0x6e, 0x49, 0x6e, 0x76, 0x61, 0x6c, 0x69,
+	0x64, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x50, 0x6f, 0x72, 0x74, 0x12, 0x2f, 0x2e, 0x74, 0x65, 0x6c,
+	0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6c, 0x69, 0x62, 0x2e, 0x76, 0x6e, 0x65, 0x74, 0x2e, 0x76,
+	0x31, 0x2e, 0x4f, 0x6e, 0x49, 0x6e, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x4c, 0x6f, 0x63, 0x61, 0x6c,
+	0x50, 0x6f, 0x72, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x30, 0x2e, 0x74, 0x65,
+	0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x6c, 0x69, 0x62, 0x2e, 0x76, 0x6e, 0x65, 0x74, 0x2e,
+	0x76, 0x31, 0x2e, 0x4f, 0x6e, 0x49, 0x6e, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x4c, 0x6f, 0x63, 0x61,
+	0x6c, 0x50, 0x6f, 0x72, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x4c, 0x5a,
+	0x4a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x72, 0x61, 0x76,
+	0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f,
+	0x72, 0x74, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x67, 0x6f, 0x2f,
+	0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x69, 0x62, 0x2f, 0x76, 0x6e, 0x65,
+	0x74, 0x2f, 0x76, 0x31, 0x3b, 0x76, 0x6e, 0x65, 0x74, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f,
+	0x74, 0x6f, 0x33,
+})
+
+var (
+	file_teleport_lib_vnet_v1_client_application_service_proto_rawDescOnce sync.Once
+	file_teleport_lib_vnet_v1_client_application_service_proto_rawDescData []byte
+)
+
+func file_teleport_lib_vnet_v1_client_application_service_proto_rawDescGZIP() []byte {
+	file_teleport_lib_vnet_v1_client_application_service_proto_rawDescOnce.Do(func() {
+		file_teleport_lib_vnet_v1_client_application_service_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_lib_vnet_v1_client_application_service_proto_rawDesc), len(file_teleport_lib_vnet_v1_client_application_service_proto_rawDesc)))
+	})
+	return file_teleport_lib_vnet_v1_client_application_service_proto_rawDescData
+}
+
+var file_teleport_lib_vnet_v1_client_application_service_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
+var file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes = make([]protoimpl.MessageInfo, 17)
+var file_teleport_lib_vnet_v1_client_application_service_proto_goTypes = []any{
+	(Hash)(0),                           // 0: teleport.lib.vnet.v1.Hash
+	(*AuthenticateProcessRequest)(nil),  // 1: teleport.lib.vnet.v1.AuthenticateProcessRequest
+	(*AuthenticateProcessResponse)(nil), // 2: teleport.lib.vnet.v1.AuthenticateProcessResponse
+	(*PingRequest)(nil),                 // 3: teleport.lib.vnet.v1.PingRequest
+	(*PingResponse)(nil),                // 4: teleport.lib.vnet.v1.PingResponse
+	(*ResolveAppInfoRequest)(nil),       // 5: teleport.lib.vnet.v1.ResolveAppInfoRequest
+	(*ResolveAppInfoResponse)(nil),      // 6: teleport.lib.vnet.v1.ResolveAppInfoResponse
+	(*AppInfo)(nil),                     // 7: teleport.lib.vnet.v1.AppInfo
+	(*AppKey)(nil),                      // 8: teleport.lib.vnet.v1.AppKey
+	(*DialOptions)(nil),                 // 9: teleport.lib.vnet.v1.DialOptions
+	(*ReissueAppCertRequest)(nil),       // 10: teleport.lib.vnet.v1.ReissueAppCertRequest
+	(*ReissueAppCertResponse)(nil),      // 11: teleport.lib.vnet.v1.ReissueAppCertResponse
+	(*SignForAppRequest)(nil),           // 12: teleport.lib.vnet.v1.SignForAppRequest
+	(*SignForAppResponse)(nil),          // 13: teleport.lib.vnet.v1.SignForAppResponse
+	(*OnNewConnectionRequest)(nil),      // 14: teleport.lib.vnet.v1.OnNewConnectionRequest
+	(*OnNewConnectionResponse)(nil),     // 15: teleport.lib.vnet.v1.OnNewConnectionResponse
+	(*OnInvalidLocalPortRequest)(nil),   // 16: teleport.lib.vnet.v1.OnInvalidLocalPortRequest
+	(*OnInvalidLocalPortResponse)(nil),  // 17: teleport.lib.vnet.v1.OnInvalidLocalPortResponse
+	(*types.AppV3)(nil),                 // 18: types.AppV3
+}
+var file_teleport_lib_vnet_v1_client_application_service_proto_depIdxs = []int32{
+	7,  // 0: teleport.lib.vnet.v1.ResolveAppInfoResponse.app_info:type_name -> teleport.lib.vnet.v1.AppInfo
+	8,  // 1: teleport.lib.vnet.v1.AppInfo.app_key:type_name -> teleport.lib.vnet.v1.AppKey
+	18, // 2: teleport.lib.vnet.v1.AppInfo.app:type_name -> types.AppV3
+	9,  // 3: teleport.lib.vnet.v1.AppInfo.dial_options:type_name -> teleport.lib.vnet.v1.DialOptions
+	7,  // 4: teleport.lib.vnet.v1.ReissueAppCertRequest.app_info:type_name -> teleport.lib.vnet.v1.AppInfo
+	8,  // 5: teleport.lib.vnet.v1.SignForAppRequest.app_key:type_name -> teleport.lib.vnet.v1.AppKey
+	0,  // 6: teleport.lib.vnet.v1.SignForAppRequest.hash:type_name -> teleport.lib.vnet.v1.Hash
+	8,  // 7: teleport.lib.vnet.v1.OnNewConnectionRequest.app_key:type_name -> teleport.lib.vnet.v1.AppKey
+	7,  // 8: teleport.lib.vnet.v1.OnInvalidLocalPortRequest.app_info:type_name -> teleport.lib.vnet.v1.AppInfo
+	1,  // 9: teleport.lib.vnet.v1.ClientApplicationService.AuthenticateProcess:input_type -> teleport.lib.vnet.v1.AuthenticateProcessRequest
+	3,  // 10: teleport.lib.vnet.v1.ClientApplicationService.Ping:input_type -> teleport.lib.vnet.v1.PingRequest
+	5,  // 11: teleport.lib.vnet.v1.ClientApplicationService.ResolveAppInfo:input_type -> teleport.lib.vnet.v1.ResolveAppInfoRequest
+	10, // 12: teleport.lib.vnet.v1.ClientApplicationService.ReissueAppCert:input_type -> teleport.lib.vnet.v1.ReissueAppCertRequest
+	12, // 13: teleport.lib.vnet.v1.ClientApplicationService.SignForApp:input_type -> teleport.lib.vnet.v1.SignForAppRequest
+	14, // 14: teleport.lib.vnet.v1.ClientApplicationService.OnNewConnection:input_type -> teleport.lib.vnet.v1.OnNewConnectionRequest
+	16, // 15: teleport.lib.vnet.v1.ClientApplicationService.OnInvalidLocalPort:input_type -> teleport.lib.vnet.v1.OnInvalidLocalPortRequest
+	2,  // 16: teleport.lib.vnet.v1.ClientApplicationService.AuthenticateProcess:output_type -> teleport.lib.vnet.v1.AuthenticateProcessResponse
+	4,  // 17: teleport.lib.vnet.v1.ClientApplicationService.Ping:output_type -> teleport.lib.vnet.v1.PingResponse
+	6,  // 18: teleport.lib.vnet.v1.ClientApplicationService.ResolveAppInfo:output_type -> teleport.lib.vnet.v1.ResolveAppInfoResponse
+	11, // 19: teleport.lib.vnet.v1.ClientApplicationService.ReissueAppCert:output_type -> teleport.lib.vnet.v1.ReissueAppCertResponse
+	13, // 20: teleport.lib.vnet.v1.ClientApplicationService.SignForApp:output_type -> teleport.lib.vnet.v1.SignForAppResponse
+	15, // 21: teleport.lib.vnet.v1.ClientApplicationService.OnNewConnection:output_type -> teleport.lib.vnet.v1.OnNewConnectionResponse
+	17, // 22: teleport.lib.vnet.v1.ClientApplicationService.OnInvalidLocalPort:output_type -> teleport.lib.vnet.v1.OnInvalidLocalPortResponse
+	16, // [16:23] is the sub-list for method output_type
+	9,  // [9:16] is the sub-list for method input_type
+	9,  // [9:9] is the sub-list for extension type_name
+	9,  // [9:9] is the sub-list for extension extendee
+	0,  // [0:9] is the sub-list for field type_name
+}
+
+func init() { file_teleport_lib_vnet_v1_client_application_service_proto_init() }
+func file_teleport_lib_vnet_v1_client_application_service_proto_init() {
+	if File_teleport_lib_vnet_v1_client_application_service_proto != nil {
+		return
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_lib_vnet_v1_client_application_service_proto_rawDesc), len(file_teleport_lib_vnet_v1_client_application_service_proto_rawDesc)),
+			NumEnums:      1,
+			NumMessages:   17,
+			NumExtensions: 0,
+			NumServices:   1,
+		},
+		GoTypes:           file_teleport_lib_vnet_v1_client_application_service_proto_goTypes,
+		DependencyIndexes: file_teleport_lib_vnet_v1_client_application_service_proto_depIdxs,
+		EnumInfos:         file_teleport_lib_vnet_v1_client_application_service_proto_enumTypes,
+		MessageInfos:      file_teleport_lib_vnet_v1_client_application_service_proto_msgTypes,
+	}.Build()
+	File_teleport_lib_vnet_v1_client_application_service_proto = out.File
+	file_teleport_lib_vnet_v1_client_application_service_proto_goTypes = nil
+	file_teleport_lib_vnet_v1_client_application_service_proto_depIdxs = nil
+}
diff --git a/gen/proto/go/teleport/lib/vnet/v1/client_application_service_grpc.pb.go b/gen/proto/go/teleport/lib/vnet/v1/client_application_service_grpc.pb.go
new file mode 100644
index 0000000000000..dd6d82728531e
--- /dev/null
+++ b/gen/proto/go/teleport/lib/vnet/v1/client_application_service_grpc.pb.go
@@ -0,0 +1,402 @@
+// Teleport
+// Copyright (C) 2025 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.5.1
+// - protoc             (unknown)
+// source: teleport/lib/vnet/v1/client_application_service.proto
+
+package vnetv1
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.64.0 or later.
+const _ = grpc.SupportPackageIsVersion9
+
+const (
+	ClientApplicationService_AuthenticateProcess_FullMethodName = "/teleport.lib.vnet.v1.ClientApplicationService/AuthenticateProcess"
+	ClientApplicationService_Ping_FullMethodName                = "/teleport.lib.vnet.v1.ClientApplicationService/Ping"
+	ClientApplicationService_ResolveAppInfo_FullMethodName      = "/teleport.lib.vnet.v1.ClientApplicationService/ResolveAppInfo"
+	ClientApplicationService_ReissueAppCert_FullMethodName      = "/teleport.lib.vnet.v1.ClientApplicationService/ReissueAppCert"
+	ClientApplicationService_SignForApp_FullMethodName          = "/teleport.lib.vnet.v1.ClientApplicationService/SignForApp"
+	ClientApplicationService_OnNewConnection_FullMethodName     = "/teleport.lib.vnet.v1.ClientApplicationService/OnNewConnection"
+	ClientApplicationService_OnInvalidLocalPort_FullMethodName  = "/teleport.lib.vnet.v1.ClientApplicationService/OnInvalidLocalPort"
+)
+
+// ClientApplicationServiceClient is the client API for ClientApplicationService service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+//
+// ClientApplicationService is a service the VNet client applications provide to
+// the VNet admin process to facilate app queries, certificate issuance,
+// metrics, error reporting, and signatures.
+type ClientApplicationServiceClient interface {
+	// AuthenticateProcess mutually authenticates client applicates to the admin
+	// service.
+	AuthenticateProcess(ctx context.Context, in *AuthenticateProcessRequest, opts ...grpc.CallOption) (*AuthenticateProcessResponse, error)
+	// Ping is used by the admin process to regularly poll that the client
+	// application is still running.
+	Ping(ctx context.Context, in *PingRequest, opts ...grpc.CallOption) (*PingResponse, error)
+	// ResolveAppInfo returns info for the given app fqdn, or an error if the app
+	// is not present in any logged-in cluster.
+	ResolveAppInfo(ctx context.Context, in *ResolveAppInfoRequest, opts ...grpc.CallOption) (*ResolveAppInfoResponse, error)
+	// ReissueAppCert issues a new app cert.
+	ReissueAppCert(ctx context.Context, in *ReissueAppCertRequest, opts ...grpc.CallOption) (*ReissueAppCertResponse, error)
+	// SignForApp issues a signature with the private key associated with an x509
+	// certificate previously issued for a requested app.
+	SignForApp(ctx context.Context, in *SignForAppRequest, opts ...grpc.CallOption) (*SignForAppResponse, error)
+	// OnNewConnection gets called whenever a new connection is about to be
+	// established through VNet for observability.
+	OnNewConnection(ctx context.Context, in *OnNewConnectionRequest, opts ...grpc.CallOption) (*OnNewConnectionResponse, error)
+	// OnInvalidLocalPort gets called before VNet refuses to handle a connection
+	// to a multi-port TCP app because the provided port does not match any of the
+	// TCP ports in the app spec.
+	OnInvalidLocalPort(ctx context.Context, in *OnInvalidLocalPortRequest, opts ...grpc.CallOption) (*OnInvalidLocalPortResponse, error)
+}
+
+type clientApplicationServiceClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewClientApplicationServiceClient(cc grpc.ClientConnInterface) ClientApplicationServiceClient {
+	return &clientApplicationServiceClient{cc}
+}
+
+func (c *clientApplicationServiceClient) AuthenticateProcess(ctx context.Context, in *AuthenticateProcessRequest, opts ...grpc.CallOption) (*AuthenticateProcessResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(AuthenticateProcessResponse)
+	err := c.cc.Invoke(ctx, ClientApplicationService_AuthenticateProcess_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *clientApplicationServiceClient) Ping(ctx context.Context, in *PingRequest, opts ...grpc.CallOption) (*PingResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(PingResponse)
+	err := c.cc.Invoke(ctx, ClientApplicationService_Ping_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *clientApplicationServiceClient) ResolveAppInfo(ctx context.Context, in *ResolveAppInfoRequest, opts ...grpc.CallOption) (*ResolveAppInfoResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(ResolveAppInfoResponse)
+	err := c.cc.Invoke(ctx, ClientApplicationService_ResolveAppInfo_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *clientApplicationServiceClient) ReissueAppCert(ctx context.Context, in *ReissueAppCertRequest, opts ...grpc.CallOption) (*ReissueAppCertResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(ReissueAppCertResponse)
+	err := c.cc.Invoke(ctx, ClientApplicationService_ReissueAppCert_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *clientApplicationServiceClient) SignForApp(ctx context.Context, in *SignForAppRequest, opts ...grpc.CallOption) (*SignForAppResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(SignForAppResponse)
+	err := c.cc.Invoke(ctx, ClientApplicationService_SignForApp_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *clientApplicationServiceClient) OnNewConnection(ctx context.Context, in *OnNewConnectionRequest, opts ...grpc.CallOption) (*OnNewConnectionResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(OnNewConnectionResponse)
+	err := c.cc.Invoke(ctx, ClientApplicationService_OnNewConnection_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *clientApplicationServiceClient) OnInvalidLocalPort(ctx context.Context, in *OnInvalidLocalPortRequest, opts ...grpc.CallOption) (*OnInvalidLocalPortResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(OnInvalidLocalPortResponse)
+	err := c.cc.Invoke(ctx, ClientApplicationService_OnInvalidLocalPort_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// ClientApplicationServiceServer is the server API for ClientApplicationService service.
+// All implementations must embed UnimplementedClientApplicationServiceServer
+// for forward compatibility.
+//
+// ClientApplicationService is a service the VNet client applications provide to
+// the VNet admin process to facilate app queries, certificate issuance,
+// metrics, error reporting, and signatures.
+type ClientApplicationServiceServer interface {
+	// AuthenticateProcess mutually authenticates client applicates to the admin
+	// service.
+	AuthenticateProcess(context.Context, *AuthenticateProcessRequest) (*AuthenticateProcessResponse, error)
+	// Ping is used by the admin process to regularly poll that the client
+	// application is still running.
+	Ping(context.Context, *PingRequest) (*PingResponse, error)
+	// ResolveAppInfo returns info for the given app fqdn, or an error if the app
+	// is not present in any logged-in cluster.
+	ResolveAppInfo(context.Context, *ResolveAppInfoRequest) (*ResolveAppInfoResponse, error)
+	// ReissueAppCert issues a new app cert.
+	ReissueAppCert(context.Context, *ReissueAppCertRequest) (*ReissueAppCertResponse, error)
+	// SignForApp issues a signature with the private key associated with an x509
+	// certificate previously issued for a requested app.
+	SignForApp(context.Context, *SignForAppRequest) (*SignForAppResponse, error)
+	// OnNewConnection gets called whenever a new connection is about to be
+	// established through VNet for observability.
+	OnNewConnection(context.Context, *OnNewConnectionRequest) (*OnNewConnectionResponse, error)
+	// OnInvalidLocalPort gets called before VNet refuses to handle a connection
+	// to a multi-port TCP app because the provided port does not match any of the
+	// TCP ports in the app spec.
+	OnInvalidLocalPort(context.Context, *OnInvalidLocalPortRequest) (*OnInvalidLocalPortResponse, error)
+	mustEmbedUnimplementedClientApplicationServiceServer()
+}
+
+// UnimplementedClientApplicationServiceServer must be embedded to have
+// forward compatible implementations.
+//
+// NOTE: this should be embedded by value instead of pointer to avoid a nil
+// pointer dereference when methods are called.
+type UnimplementedClientApplicationServiceServer struct{}
+
+func (UnimplementedClientApplicationServiceServer) AuthenticateProcess(context.Context, *AuthenticateProcessRequest) (*AuthenticateProcessResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method AuthenticateProcess not implemented")
+}
+func (UnimplementedClientApplicationServiceServer) Ping(context.Context, *PingRequest) (*PingResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Ping not implemented")
+}
+func (UnimplementedClientApplicationServiceServer) ResolveAppInfo(context.Context, *ResolveAppInfoRequest) (*ResolveAppInfoResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ResolveAppInfo not implemented")
+}
+func (UnimplementedClientApplicationServiceServer) ReissueAppCert(context.Context, *ReissueAppCertRequest) (*ReissueAppCertResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ReissueAppCert not implemented")
+}
+func (UnimplementedClientApplicationServiceServer) SignForApp(context.Context, *SignForAppRequest) (*SignForAppResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method SignForApp not implemented")
+}
+func (UnimplementedClientApplicationServiceServer) OnNewConnection(context.Context, *OnNewConnectionRequest) (*OnNewConnectionResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method OnNewConnection not implemented")
+}
+func (UnimplementedClientApplicationServiceServer) OnInvalidLocalPort(context.Context, *OnInvalidLocalPortRequest) (*OnInvalidLocalPortResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method OnInvalidLocalPort not implemented")
+}
+func (UnimplementedClientApplicationServiceServer) mustEmbedUnimplementedClientApplicationServiceServer() {
+}
+func (UnimplementedClientApplicationServiceServer) testEmbeddedByValue() {}
+
+// UnsafeClientApplicationServiceServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to ClientApplicationServiceServer will
+// result in compilation errors.
+type UnsafeClientApplicationServiceServer interface {
+	mustEmbedUnimplementedClientApplicationServiceServer()
+}
+
+func RegisterClientApplicationServiceServer(s grpc.ServiceRegistrar, srv ClientApplicationServiceServer) {
+	// If the following call pancis, it indicates UnimplementedClientApplicationServiceServer was
+	// embedded by pointer and is nil.  This will cause panics if an
+	// unimplemented method is ever invoked, so we test this at initialization
+	// time to prevent it from happening at runtime later due to I/O.
+	if t, ok := srv.(interface{ testEmbeddedByValue() }); ok {
+		t.testEmbeddedByValue()
+	}
+	s.RegisterService(&ClientApplicationService_ServiceDesc, srv)
+}
+
+func _ClientApplicationService_AuthenticateProcess_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(AuthenticateProcessRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ClientApplicationServiceServer).AuthenticateProcess(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: ClientApplicationService_AuthenticateProcess_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ClientApplicationServiceServer).AuthenticateProcess(ctx, req.(*AuthenticateProcessRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _ClientApplicationService_Ping_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(PingRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ClientApplicationServiceServer).Ping(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: ClientApplicationService_Ping_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ClientApplicationServiceServer).Ping(ctx, req.(*PingRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _ClientApplicationService_ResolveAppInfo_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ResolveAppInfoRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ClientApplicationServiceServer).ResolveAppInfo(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: ClientApplicationService_ResolveAppInfo_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ClientApplicationServiceServer).ResolveAppInfo(ctx, req.(*ResolveAppInfoRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _ClientApplicationService_ReissueAppCert_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ReissueAppCertRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ClientApplicationServiceServer).ReissueAppCert(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: ClientApplicationService_ReissueAppCert_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ClientApplicationServiceServer).ReissueAppCert(ctx, req.(*ReissueAppCertRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _ClientApplicationService_SignForApp_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SignForAppRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ClientApplicationServiceServer).SignForApp(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: ClientApplicationService_SignForApp_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ClientApplicationServiceServer).SignForApp(ctx, req.(*SignForAppRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _ClientApplicationService_OnNewConnection_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(OnNewConnectionRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ClientApplicationServiceServer).OnNewConnection(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: ClientApplicationService_OnNewConnection_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ClientApplicationServiceServer).OnNewConnection(ctx, req.(*OnNewConnectionRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _ClientApplicationService_OnInvalidLocalPort_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(OnInvalidLocalPortRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(ClientApplicationServiceServer).OnInvalidLocalPort(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: ClientApplicationService_OnInvalidLocalPort_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(ClientApplicationServiceServer).OnInvalidLocalPort(ctx, req.(*OnInvalidLocalPortRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// ClientApplicationService_ServiceDesc is the grpc.ServiceDesc for ClientApplicationService service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var ClientApplicationService_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "teleport.lib.vnet.v1.ClientApplicationService",
+	HandlerType: (*ClientApplicationServiceServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "AuthenticateProcess",
+			Handler:    _ClientApplicationService_AuthenticateProcess_Handler,
+		},
+		{
+			MethodName: "Ping",
+			Handler:    _ClientApplicationService_Ping_Handler,
+		},
+		{
+			MethodName: "ResolveAppInfo",
+			Handler:    _ClientApplicationService_ResolveAppInfo_Handler,
+		},
+		{
+			MethodName: "ReissueAppCert",
+			Handler:    _ClientApplicationService_ReissueAppCert_Handler,
+		},
+		{
+			MethodName: "SignForApp",
+			Handler:    _ClientApplicationService_SignForApp_Handler,
+		},
+		{
+			MethodName: "OnNewConnection",
+			Handler:    _ClientApplicationService_OnNewConnection_Handler,
+		},
+		{
+			MethodName: "OnInvalidLocalPort",
+			Handler:    _ClientApplicationService_OnInvalidLocalPort_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "teleport/lib/vnet/v1/client_application_service.proto",
+}
diff --git a/gen/proto/go/teleport/quicpeering/v1alpha/dial.pb.go b/gen/proto/go/teleport/quicpeering/v1alpha/dial.pb.go
index 08ad750cda16c..431f746d1e1e1 100644
--- a/gen/proto/go/teleport/quicpeering/v1alpha/dial.pb.go
+++ b/gen/proto/go/teleport/quicpeering/v1alpha/dial.pb.go
@@ -16,7 +16,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/quicpeering/v1alpha/dial.proto
 
@@ -29,6 +29,7 @@ import (
 	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -255,7 +256,7 @@ func (x *DialResponse) GetStatus() *status.Status {
 
 var File_teleport_quicpeering_v1alpha_dial_proto protoreflect.FileDescriptor
 
-var file_teleport_quicpeering_v1alpha_dial_proto_rawDesc = []byte{
+var file_teleport_quicpeering_v1alpha_dial_proto_rawDesc = string([]byte{
 	0x0a, 0x27, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x71, 0x75, 0x69, 0x63, 0x70,
 	0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x2f, 0x64,
 	0x69, 0x61, 0x6c, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1c, 0x74, 0x65, 0x6c, 0x65, 0x70,
@@ -299,16 +300,16 @@ var file_teleport_quicpeering_v1alpha_dial_proto_rawDesc = []byte{
 	0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x3b, 0x71, 0x75, 0x69, 0x63, 0x70, 0x65, 0x65, 0x72,
 	0x69, 0x6e, 0x67, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
 	0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_quicpeering_v1alpha_dial_proto_rawDescOnce sync.Once
-	file_teleport_quicpeering_v1alpha_dial_proto_rawDescData = file_teleport_quicpeering_v1alpha_dial_proto_rawDesc
+	file_teleport_quicpeering_v1alpha_dial_proto_rawDescData []byte
 )
 
 func file_teleport_quicpeering_v1alpha_dial_proto_rawDescGZIP() []byte {
 	file_teleport_quicpeering_v1alpha_dial_proto_rawDescOnce.Do(func() {
-		file_teleport_quicpeering_v1alpha_dial_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_quicpeering_v1alpha_dial_proto_rawDescData)
+		file_teleport_quicpeering_v1alpha_dial_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_quicpeering_v1alpha_dial_proto_rawDesc), len(file_teleport_quicpeering_v1alpha_dial_proto_rawDesc)))
 	})
 	return file_teleport_quicpeering_v1alpha_dial_proto_rawDescData
 }
@@ -342,7 +343,7 @@ func file_teleport_quicpeering_v1alpha_dial_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_quicpeering_v1alpha_dial_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_quicpeering_v1alpha_dial_proto_rawDesc), len(file_teleport_quicpeering_v1alpha_dial_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   3,
 			NumExtensions: 0,
@@ -353,7 +354,6 @@ func file_teleport_quicpeering_v1alpha_dial_proto_init() {
 		MessageInfos:      file_teleport_quicpeering_v1alpha_dial_proto_msgTypes,
 	}.Build()
 	File_teleport_quicpeering_v1alpha_dial_proto = out.File
-	file_teleport_quicpeering_v1alpha_dial_proto_rawDesc = nil
 	file_teleport_quicpeering_v1alpha_dial_proto_goTypes = nil
 	file_teleport_quicpeering_v1alpha_dial_proto_depIdxs = nil
 }
diff --git a/go.mod b/go.mod
index 2269979efef2e..a61b0a745d379 100644
--- a/go.mod
+++ b/go.mod
@@ -132,6 +132,7 @@ require (
 	github.com/google/uuid v1.6.0
 	github.com/googleapis/gax-go/v2 v2.14.1
 	github.com/gorilla/websocket v1.5.3
+	github.com/grafana/pyroscope-go v1.2.0
 	github.com/gravitational/license v0.0.0-20240313232707-8312e719d624
 	github.com/gravitational/roundtrip v1.0.2
 	github.com/gravitational/teleport/api v0.0.0
@@ -149,7 +150,7 @@ require (
 	github.com/jackc/pgx/v5 v5.7.2
 	github.com/jcmturner/gokrb5/v8 v8.4.4
 	github.com/johannesboyne/gofakes3 v0.0.0-20240217095638-c55a48f17be6
-	github.com/jonboulle/clockwork v0.4.0
+	github.com/jonboulle/clockwork v0.5.0
 	github.com/joshlf/go-acl v0.0.0-20200411065538-eae00ae38531
 	github.com/json-iterator/go v1.1.12
 	github.com/julienschmidt/httprouter v1.3.0 // replaced
@@ -220,7 +221,7 @@ require (
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250102185135-69823020774d
 	google.golang.org/grpc v1.69.2
 	google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1
-	google.golang.org/protobuf v1.36.3
+	google.golang.org/protobuf v1.36.4
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
 	gopkg.in/dnaeon/go-vcr.v3 v3.2.0
 	gopkg.in/ini.v1 v1.67.0
@@ -388,6 +389,7 @@ require (
 	github.com/gorilla/handlers v1.5.2 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/gosuri/uitable v0.0.4 // indirect
+	github.com/grafana/pyroscope-go/godeltaprof v0.1.8 // indirect
 	github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.25.1 // indirect
 	github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c // indirect
diff --git a/go.sum b/go.sum
index c07e0dd98273c..4e6e6d6e2c137 100644
--- a/go.sum
+++ b/go.sum
@@ -1551,6 +1551,10 @@ github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aN
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY=
 github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo=
+github.com/grafana/pyroscope-go v1.2.0 h1:aILLKjTj8CS8f/24OPMGPewQSYlhmdQMBmol1d3KGj8=
+github.com/grafana/pyroscope-go v1.2.0/go.mod h1:2GHr28Nr05bg2pElS+dDsc98f3JTUh2f6Fz1hWXrqwk=
+github.com/grafana/pyroscope-go/godeltaprof v0.1.8 h1:iwOtYXeeVSAeYefJNaxDytgjKtUuKQbJqgAIjlnicKg=
+github.com/grafana/pyroscope-go/godeltaprof v0.1.8/go.mod h1:2+l7K7twW49Ct4wFluZD3tZ6e0SjanjcUUBPVD/UuGU=
 github.com/gravitational/go-cassandra-native-protocol v0.0.0-teleport.1 h1:zGsdDzqXSuXI+1t+2TRRzdYiv+B3M4IgOPA8W/raFOA=
 github.com/gravitational/go-cassandra-native-protocol v0.0.0-teleport.1/go.mod h1:6FzirJfdffakAVqmHjwVfFkpru/gNbIazUOK5rIhndc=
 github.com/gravitational/go-libfido2 v1.5.3-teleport.1 h1:nPfxiTH2Sr3J6zan280fbHOkWE7gRF/lMqvhcXKh2ek=
@@ -1739,8 +1743,8 @@ github.com/johannesboyne/gofakes3 v0.0.0-20240217095638-c55a48f17be6 h1:W8heH5NR
 github.com/johannesboyne/gofakes3 v0.0.0-20240217095638-c55a48f17be6/go.mod h1:AxgWC4DDX54O2WDoQO1Ceabtn6IbktjU/7bigor+66g=
 github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
 github.com/jonboulle/clockwork v0.3.0/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
-github.com/jonboulle/clockwork v0.4.0 h1:p4Cf1aMWXnXAUh8lVfewRBx1zaTSYKrKMF2g3ST4RZ4=
-github.com/jonboulle/clockwork v0.4.0/go.mod h1:xgRqUGwRcjKCO1vbZUEtSLrqKoPSsUpK7fnezOII0kc=
+github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I=
+github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
@@ -3140,8 +3144,8 @@ google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqw
 google.golang.org/protobuf v1.29.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
-google.golang.org/protobuf v1.36.3 h1:82DV7MYdb8anAVi3qge1wSnMDrnKK7ebr+I0hHRN1BU=
-google.golang.org/protobuf v1.36.3/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.4 h1:6A3ZDJHn/eNqc1i+IdefRzy/9PokBTPvcqMySR7NNIM=
+google.golang.org/protobuf v1.36.4/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc h1:2gGKlE2+asNV9m7xrywl36YYNnBG5ZQ0r/BOOxqPpmk=
 gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc/go.mod h1:m7x9LTH6d71AHyAX77c9yqWCCa3UKHcVEj9y7hAtKDk=
diff --git a/integration/appaccess/fixtures.go b/integration/appaccess/fixtures.go
index e6876e7cbdaec..3bd9ee5475d6c 100644
--- a/integration/appaccess/fixtures.go
+++ b/integration/appaccess/fixtures.go
@@ -48,7 +48,7 @@ type AppTestOptions struct {
 	ExtraLeafApps        []servicecfg.App
 	RootClusterListeners helpers.InstanceListenerSetupFunc
 	LeafClusterListeners helpers.InstanceListenerSetupFunc
-	Clock                clockwork.FakeClock
+	Clock                clockwork.Clock
 	MonitorCloseChannel  chan struct{}
 
 	RootConfig func(config *servicecfg.Config)
diff --git a/integration/autoupdate/tools/main_test.go b/integration/autoupdate/tools/main_test.go
index 71173892ca2f1..50aeea81fea30 100644
--- a/integration/autoupdate/tools/main_test.go
+++ b/integration/autoupdate/tools/main_test.go
@@ -83,7 +83,7 @@ func TestMain(m *testing.M) {
 	}))
 	baseURL = server.URL
 	for _, version := range testVersions {
-		if err := buildAndArchiveApps(ctx, tmp, toolsDir, version, server.URL); err != nil {
+		if err := buildAndArchiveApps(ctx, tmp, version, server.URL); err != nil {
 			log.Fatalf("failed to build testing app binary archive: %v", err)
 		}
 	}
@@ -131,7 +131,7 @@ func serve256File(w http.ResponseWriter, _ *http.Request, filePath string) {
 }
 
 // buildAndArchiveApps compiles the updater integration and pack it depends on platform is used.
-func buildAndArchiveApps(ctx context.Context, path string, toolsDir string, version string, baseURL string) error {
+func buildAndArchiveApps(ctx context.Context, path string, version string, baseURL string) error {
 	versionPath := filepath.Join(path, version)
 	for _, app := range []string{"tsh", "tctl"} {
 		output := filepath.Join(versionPath, app)
@@ -141,7 +141,7 @@ func buildAndArchiveApps(ctx context.Context, path string, toolsDir string, vers
 		case constants.DarwinOS:
 			output = filepath.Join(versionPath, app+".app", "Contents", "MacOS", app)
 		}
-		if err := buildBinary(output, toolsDir, version, baseURL, app); err != nil {
+		if err := buildBinary(output, version, baseURL, app); err != nil {
 			return trace.Wrap(err)
 		}
 	}
@@ -159,7 +159,7 @@ func buildAndArchiveApps(ctx context.Context, path string, toolsDir string, vers
 }
 
 // buildBinary executes command to build client tool binary with updater logic for testing.
-func buildBinary(output string, toolsDir string, version string, baseURL string, app string) error {
+func buildBinary(output string, version string, baseURL string, app string) error {
 	cmd := exec.Command(
 		"go", "build", "-o", output,
 		"-ldflags", strings.Join([]string{
diff --git a/integration/helpers/instance.go b/integration/helpers/instance.go
index 7e7deb03567a8..7e21a3f2dd42b 100644
--- a/integration/helpers/instance.go
+++ b/integration/helpers/instance.go
@@ -66,6 +66,7 @@ import (
 	"github.com/gravitational/teleport/lib/service"
 	"github.com/gravitational/teleport/lib/service/servicecfg"
 	"github.com/gravitational/teleport/lib/services"
+	"github.com/gravitational/teleport/lib/sshca"
 	"github.com/gravitational/teleport/lib/sshutils"
 	"github.com/gravitational/teleport/lib/tlsca"
 	"github.com/gravitational/teleport/lib/utils"
@@ -373,14 +374,16 @@ func NewInstance(t *testing.T, cfg InstanceConfig) *TeleInstance {
 	fatalIf(err)
 
 	keygen := keygen.New(context.TODO())
-	cert, err := keygen.GenerateHostCert(services.HostCertParams{
+	cert, err := keygen.GenerateHostCert(sshca.HostCertificateRequest{
 		CASigner:      sshSigner,
 		PublicHostKey: cfg.Pub,
 		HostID:        cfg.HostID,
 		NodeName:      cfg.NodeName,
-		ClusterName:   cfg.ClusterName,
-		Role:          types.RoleAdmin,
 		TTL:           24 * time.Hour,
+		Identity: sshca.Identity{
+			ClusterName: cfg.ClusterName,
+			SystemRole:  types.RoleAdmin,
+		},
 	})
 	fatalIf(err)
 	tlsCA, err := tlsca.FromKeys(tlsCACert, cfg.Priv)
diff --git a/integration/kube_integration_test.go b/integration/kube_integration_test.go
index 51568d0e6bc7e..5c1f32ef4f056 100644
--- a/integration/kube_integration_test.go
+++ b/integration/kube_integration_test.go
@@ -1140,6 +1140,7 @@ func testKubeDisconnect(t *testing.T, suite *KubeSuite) {
 				ClientIdleTimeout: types.NewDuration(500 * time.Millisecond),
 			},
 			disconnectTimeout: 2 * time.Second,
+			verifyError:       errorContains("Client exceeded idle timeout of"),
 		},
 		{
 			name: "expired cert",
@@ -1148,6 +1149,7 @@ func testKubeDisconnect(t *testing.T, suite *KubeSuite) {
 				MaxSessionTTL:         types.NewDuration(3 * time.Second),
 			},
 			disconnectTimeout: 6 * time.Second,
+			verifyError:       errorContains("client certificate expire"),
 		},
 	}
 
@@ -1242,9 +1244,15 @@ func runKubeDisconnectTest(t *testing.T, suite *KubeSuite, tc disconnectTestCase
 			tty:          true,
 			stdin:        term,
 		})
-		require.NoError(t, err)
+		require.NoError(t, tc.verifyError(err))
 	}()
 
+	require.Eventually(t, func() bool {
+		// wait for the shell prompt
+		return strings.Contains(term.AllOutput(), "#")
+	}, 5*time.Second, 10*time.Millisecond, "Failed to get shell prompt. "+
+		"If this fails, the exec command is likely hanging and never reaching the kind cluster")
+
 	// lets type something followed by "enter" and then hang the session
 	require.NoError(t, enterInput(sessionCtx, term, "echo boring platypus\r\n", ".*boring platypus.*"))
 	time.Sleep(tc.disconnectTimeout)
diff --git a/integration/utmp_integration_test.go b/integration/utmp_integration_test.go
index 12cabe63a279e..1e711ddd8c4ff 100644
--- a/integration/utmp_integration_test.go
+++ b/integration/utmp_integration_test.go
@@ -66,7 +66,7 @@ type SrvCtx struct {
 	srv        *regular.Server
 	signer     ssh.Signer
 	server     *auth.TestServer
-	clock      clockwork.FakeClock
+	clock      *clockwork.FakeClock
 	nodeClient *authclient.Client
 	nodeID     string
 	utmpPath   string
diff --git a/integrations/access/accesslist/app_test.go b/integrations/access/accesslist/app_test.go
index 0a6443b3b2383..6e803ccb7ccef 100644
--- a/integrations/access/accesslist/app_test.go
+++ b/integrations/access/accesslist/app_test.go
@@ -357,7 +357,7 @@ func TestAccessListReminders_BadClient(t *testing.T) {
 func advanceAndLookForRecipients(t *testing.T,
 	bot *mockMessagingBot,
 	alSvc services.AccessLists,
-	clock clockwork.FakeClock,
+	clock *clockwork.FakeClock,
 	advance time.Duration,
 	accessLists []*accesslist.AccessList,
 	recipients ...string) {
diff --git a/integrations/event-handler/go.mod b/integrations/event-handler/go.mod
index b71747cb88e60..c64febd0c77af 100644
--- a/integrations/event-handler/go.mod
+++ b/integrations/event-handler/go.mod
@@ -8,7 +8,7 @@ require (
 	github.com/gravitational/teleport v0.0.0-00010101000000-000000000000
 	github.com/gravitational/teleport/api v0.0.0
 	github.com/gravitational/trace v1.5.0
-	github.com/jonboulle/clockwork v0.4.0
+	github.com/jonboulle/clockwork v0.5.0
 	github.com/json-iterator/go v1.1.12
 	github.com/manifoldco/promptui v0.9.0
 	github.com/pelletier/go-toml v1.9.5
@@ -17,7 +17,7 @@ require (
 	github.com/stretchr/testify v1.10.0
 	golang.org/x/net v0.34.0
 	golang.org/x/time v0.9.0
-	google.golang.org/protobuf v1.36.3
+	google.golang.org/protobuf v1.36.4
 )
 
 require (
diff --git a/integrations/event-handler/go.sum b/integrations/event-handler/go.sum
index 03084225633f1..71a7a5b2e26a6 100644
--- a/integrations/event-handler/go.sum
+++ b/integrations/event-handler/go.sum
@@ -556,8 +556,8 @@ github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o=
 github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY=
 github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
 github.com/jonboulle/clockwork v0.3.0/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
-github.com/jonboulle/clockwork v0.4.0 h1:p4Cf1aMWXnXAUh8lVfewRBx1zaTSYKrKMF2g3ST4RZ4=
-github.com/jonboulle/clockwork v0.4.0/go.mod h1:xgRqUGwRcjKCO1vbZUEtSLrqKoPSsUpK7fnezOII0kc=
+github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I=
+github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
@@ -1043,8 +1043,8 @@ google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQ
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
-google.golang.org/protobuf v1.36.3 h1:82DV7MYdb8anAVi3qge1wSnMDrnKK7ebr+I0hHRN1BU=
-google.golang.org/protobuf v1.36.3/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.4 h1:6A3ZDJHn/eNqc1i+IdefRzy/9PokBTPvcqMySR7NNIM=
+google.golang.org/protobuf v1.36.4/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
diff --git a/integrations/lib/backoff/backoff_test.go b/integrations/lib/backoff/backoff_test.go
index 0fd9f92e2c023..91c1f7424414d 100644
--- a/integrations/lib/backoff/backoff_test.go
+++ b/integrations/lib/backoff/backoff_test.go
@@ -56,7 +56,7 @@ func TestDecorr(t *testing.T) {
 	}
 }
 
-func measure(ctx context.Context, clock clockwork.FakeClock, fn func() error) (time.Duration, error) {
+func measure(ctx context.Context, clock *clockwork.FakeClock, fn func() error) (time.Duration, error) {
 	done := make(chan struct{})
 	var dur time.Duration
 	var err error
diff --git a/integrations/terraform/go.mod b/integrations/terraform/go.mod
index 1704d19731754..45829e1ddfd32 100644
--- a/integrations/terraform/go.mod
+++ b/integrations/terraform/go.mod
@@ -20,10 +20,10 @@ require (
 	github.com/hashicorp/terraform-plugin-go v0.18.0
 	github.com/hashicorp/terraform-plugin-log v0.9.0
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.10.1
-	github.com/jonboulle/clockwork v0.4.0
+	github.com/jonboulle/clockwork v0.5.0
 	github.com/stretchr/testify v1.10.0
 	google.golang.org/grpc v1.69.2
-	google.golang.org/protobuf v1.36.3
+	google.golang.org/protobuf v1.36.4
 )
 
 require (
diff --git a/integrations/terraform/go.sum b/integrations/terraform/go.sum
index 8d00f1446e2ef..c239f5f0a4e9f 100644
--- a/integrations/terraform/go.sum
+++ b/integrations/terraform/go.sum
@@ -672,6 +672,10 @@ github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aN
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY=
 github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo=
+github.com/grafana/pyroscope-go v1.2.0 h1:aILLKjTj8CS8f/24OPMGPewQSYlhmdQMBmol1d3KGj8=
+github.com/grafana/pyroscope-go v1.2.0/go.mod h1:2GHr28Nr05bg2pElS+dDsc98f3JTUh2f6Fz1hWXrqwk=
+github.com/grafana/pyroscope-go/godeltaprof v0.1.8 h1:iwOtYXeeVSAeYefJNaxDytgjKtUuKQbJqgAIjlnicKg=
+github.com/grafana/pyroscope-go/godeltaprof v0.1.8/go.mod h1:2+l7K7twW49Ct4wFluZD3tZ6e0SjanjcUUBPVD/UuGU=
 github.com/gravitational/go-cassandra-native-protocol v0.0.0-teleport.1 h1:zGsdDzqXSuXI+1t+2TRRzdYiv+B3M4IgOPA8W/raFOA=
 github.com/gravitational/go-cassandra-native-protocol v0.0.0-teleport.1/go.mod h1:6FzirJfdffakAVqmHjwVfFkpru/gNbIazUOK5rIhndc=
 github.com/gravitational/go-libfido2 v1.5.3-teleport.1 h1:nPfxiTH2Sr3J6zan280fbHOkWE7gRF/lMqvhcXKh2ek=
@@ -849,8 +853,8 @@ github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o=
 github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY=
 github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
 github.com/jonboulle/clockwork v0.3.0/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
-github.com/jonboulle/clockwork v0.4.0 h1:p4Cf1aMWXnXAUh8lVfewRBx1zaTSYKrKMF2g3ST4RZ4=
-github.com/jonboulle/clockwork v0.4.0/go.mod h1:xgRqUGwRcjKCO1vbZUEtSLrqKoPSsUpK7fnezOII0kc=
+github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I=
+github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
@@ -1659,8 +1663,8 @@ google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQ
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
-google.golang.org/protobuf v1.36.3 h1:82DV7MYdb8anAVi3qge1wSnMDrnKK7ebr+I0hHRN1BU=
-google.golang.org/protobuf v1.36.3/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.4 h1:6A3ZDJHn/eNqc1i+IdefRzy/9PokBTPvcqMySR7NNIM=
+google.golang.org/protobuf v1.36.4/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
diff --git a/lib/auth/accountrecovery_test.go b/lib/auth/accountrecovery_test.go
index 1b53462c410cd..0ab77ddb4faee 100644
--- a/lib/auth/accountrecovery_test.go
+++ b/lib/auth/accountrecovery_test.go
@@ -137,7 +137,7 @@ func TestRecoveryCodeEventsEmitted(t *testing.T) {
 func TestStartAccountRecovery(t *testing.T) {
 	srv := newTestTLSServer(t)
 	ctx := context.Background()
-	fakeClock := srv.Clock().(clockwork.FakeClock)
+	fakeClock := srv.Clock().(*clockwork.FakeClock)
 	mockEmitter := &eventstest.MockRecorderEmitter{}
 	srv.Auth().emitter = mockEmitter
 
@@ -292,7 +292,7 @@ func TestStartAccountRecovery_UserErrors(t *testing.T) {
 func TestVerifyAccountRecovery_WithAuthnErrors(t *testing.T) {
 	srv := newTestTLSServer(t)
 	ctx := context.Background()
-	fakeClock := srv.Clock().(clockwork.FakeClock)
+	fakeClock := srv.Clock().(*clockwork.FakeClock)
 	mockEmitter := &eventstest.MockRecorderEmitter{}
 	srv.Auth().emitter = mockEmitter
 
diff --git a/lib/auth/apiserver.go b/lib/auth/apiserver.go
index 0e220f0b8c8fa..26ce0acf94be5 100644
--- a/lib/auth/apiserver.go
+++ b/lib/auth/apiserver.go
@@ -31,6 +31,7 @@ import (
 	"github.com/jonboulle/clockwork"
 	"github.com/julienschmidt/httprouter"
 
+	"github.com/gravitational/teleport/api/defaults"
 	apidefaults "github.com/gravitational/teleport/api/defaults"
 	"github.com/gravitational/teleport/api/types"
 	apievents "github.com/gravitational/teleport/api/types/events"
@@ -144,6 +145,13 @@ func NewAPIServer(config *APIConfig) (http.Handler, error) {
 	// TODO(strideynet): REMOVE IN 18.0.0 - this method is now gRPC
 	srv.POST("/:version/tokens/register", srv.WithAuth(srv.registerUsingToken))
 
+	// these endpoints are still in use by v17 agents since they cache
+	// KindNamespace
+	//
+	// TODO(espadolini): REMOVE IN v19
+	srv.GET("/:version/namespaces", srv.WithAuth(srv.getNamespaces))
+	srv.GET("/:version/namespaces/:namespace", srv.WithAuth(srv.getNamespace))
+
 	// cluster configuration
 	srv.GET("/:version/configuration/name", srv.WithAuth(srv.getClusterName))
 	srv.POST("/:version/configuration/name", srv.WithAuth(srv.setClusterName))
@@ -663,6 +671,36 @@ func (s *APIServer) searchSessionEvents(auth *ServerWithRoles, w http.ResponseWr
 	return eventsList, nil
 }
 
+func (*APIServer) getNamespaces(*ServerWithRoles, http.ResponseWriter, *http.Request, httprouter.Params, string) (any, error) {
+	return []types.Namespace{{
+		Kind:    types.KindNamespace,
+		Version: types.V2,
+		Metadata: types.Metadata{
+			Name:      defaults.Namespace,
+			Namespace: defaults.Namespace,
+		},
+	}}, nil
+}
+
+func (*APIServer) getNamespace(_ *ServerWithRoles, _ http.ResponseWriter, _ *http.Request, p httprouter.Params, _ string) (any, error) {
+	name := p.ByName("namespace")
+	if !types.IsValidNamespace(name) {
+		return nil, trace.BadParameter("invalid namespace %q", name)
+	}
+	if name != defaults.Namespace {
+		return nil, trace.NotFound("namespace %q is not found", name)
+	}
+
+	return &types.Namespace{
+		Kind:    types.KindNamespace,
+		Version: types.V2,
+		Metadata: types.Metadata{
+			Name:      defaults.Namespace,
+			Namespace: defaults.Namespace,
+		},
+	}, nil
+}
+
 func (s *APIServer) getClusterName(auth *ServerWithRoles, w http.ResponseWriter, r *http.Request, p httprouter.Params, version string) (interface{}, error) {
 	cn, err := auth.GetClusterName()
 	if err != nil {
diff --git a/lib/auth/auth.go b/lib/auth/auth.go
index 0a5fb9ec98a23..1306b346bb4dc 100644
--- a/lib/auth/auth.go
+++ b/lib/auth/auth.go
@@ -757,6 +757,11 @@ func (r *Services) GenerateAWSOIDCToken(ctx context.Context, integration string)
 	return r.IntegrationsTokenGenerator.GenerateAWSOIDCToken(ctx, integration)
 }
 
+// GenerateAzureOIDCToken generates a token to be used to execute an Azure OIDC Integration action.
+func (r *Services) GenerateAzureOIDCToken(ctx context.Context, integration string) (string, error) {
+	return r.IntegrationsTokenGenerator.GenerateAzureOIDCToken(ctx, integration)
+}
+
 var (
 	generateRequestsCount = prometheus.NewCounter(
 		prometheus.CounterOpts{
@@ -2133,20 +2138,22 @@ func (a *Server) GenerateHostCert(ctx context.Context, hostPublicKey []byte, hos
 	}
 
 	// create and sign!
-	return a.generateHostCert(ctx, services.HostCertParams{
+	return a.generateHostCert(ctx, sshca.HostCertificateRequest{
 		CASigner:      caSigner,
 		PublicHostKey: hostPublicKey,
 		HostID:        hostID,
 		NodeName:      nodeName,
-		Principals:    principals,
-		ClusterName:   clusterName,
-		Role:          role,
 		TTL:           ttl,
+		Identity: sshca.Identity{
+			Principals:  principals,
+			ClusterName: clusterName,
+			SystemRole:  role,
+		},
 	})
 }
 
 func (a *Server) generateHostCert(
-	ctx context.Context, p services.HostCertParams,
+	ctx context.Context, req sshca.HostCertificateRequest,
 ) ([]byte, error) {
 	readOnlyAuthPref, err := a.GetReadOnlyAuthPreference(ctx)
 	if err != nil {
@@ -2154,7 +2161,7 @@ func (a *Server) generateHostCert(
 	}
 
 	var locks []types.LockTarget
-	switch p.Role {
+	switch req.Identity.SystemRole {
 	case types.RoleNode:
 		// Node role is a special case because it was previously suported as a
 		// lock target that only locked the `ssh_service`. If the same Teleport server
@@ -2167,9 +2174,9 @@ func (a *Server) generateHostCert(
 		// and `Node` fields if the role is `Node` so that the previous behavior
 		// is preserved.
 		// This is a legacy behavior that we need to support for backwards compatibility.
-		locks = []types.LockTarget{{ServerID: p.HostID, Node: p.HostID}, {ServerID: HostFQDN(p.HostID, p.ClusterName), Node: HostFQDN(p.HostID, p.ClusterName)}}
+		locks = []types.LockTarget{{ServerID: req.HostID, Node: req.HostID}, {ServerID: HostFQDN(req.HostID, req.Identity.ClusterName), Node: HostFQDN(req.HostID, req.Identity.ClusterName)}}
 	default:
-		locks = []types.LockTarget{{ServerID: p.HostID}, {ServerID: HostFQDN(p.HostID, p.ClusterName)}}
+		locks = []types.LockTarget{{ServerID: req.HostID}, {ServerID: HostFQDN(req.HostID, req.Identity.ClusterName)}}
 	}
 	if lockErr := a.checkLockInForce(readOnlyAuthPref.GetLockingMode(),
 		locks,
@@ -2177,7 +2184,7 @@ func (a *Server) generateHostCert(
 		return nil, trace.Wrap(lockErr)
 	}
 
-	return a.Authority.GenerateHostCert(p)
+	return a.Authority.GenerateHostCert(req)
 }
 
 // GetKeyStore returns the KeyStore used by the auth server
@@ -2229,7 +2236,7 @@ type certRequest struct {
 	traits wrappers.Traits
 	// activeRequests tracks privilege escalation requests applied
 	// during the construction of the certificate.
-	activeRequests services.RequestIDs
+	activeRequests []string
 	// appSessionID is the session ID of the application session.
 	appSessionID string
 	// appPublicAddr is the public address of the application.
@@ -3084,7 +3091,7 @@ func generateCert(ctx context.Context, a *Server, req certRequest, caType types.
 		defaultMode:          readOnlyAuthPref.GetLockingMode(),
 		username:             req.user.GetName(),
 		mfaVerified:          req.mfaVerified,
-		activeAccessRequests: req.activeRequests.AccessRequests,
+		activeAccessRequests: req.activeRequests,
 		deviceID:             req.deviceExtensions.DeviceID,
 	}); err != nil {
 		return nil, trace.Wrap(err)
@@ -3213,11 +3220,6 @@ func generateCert(ctx context.Context, a *Server, req certRequest, caType types.
 	// All users have access to this and join RBAC rules are checked after the connection is established.
 	allowedLogins = append(allowedLogins, teleport.SSHSessionJoinPrincipal)
 
-	requestedResourcesStr, err := types.ResourceIDsToString(req.checker.GetAllowedResourceIDs())
-	if err != nil {
-		return nil, trace.Wrap(err)
-	}
-
 	pinnedIP := ""
 	if caType == types.UserCA && (req.checker.PinSourceIP() || req.pinIP) {
 		if req.loginIP == "" {
@@ -3257,7 +3259,7 @@ func generateCert(ctx context.Context, a *Server, req certRequest, caType types.
 			Identity: sshca.Identity{
 				Username:                req.user.GetName(),
 				Impersonator:            req.impersonator,
-				AllowedLogins:           allowedLogins,
+				Principals:              allowedLogins,
 				Roles:                   req.checker.RoleNames(),
 				PermitPortForwarding:    req.checker.CanPortForward(),
 				PermitAgentForwarding:   req.checker.CanForwardAgents(),
@@ -3275,7 +3277,7 @@ func generateCert(ctx context.Context, a *Server, req certRequest, caType types.
 				BotName:                 req.botName,
 				BotInstanceID:           req.botInstanceID,
 				CertificateExtensions:   req.checker.CertificateExtensions(),
-				AllowedResourceIDs:      requestedResourcesStr,
+				AllowedResourceIDs:      req.checker.GetAllowedResourceIDs(),
 				ConnectionDiagnosticID:  req.connectionDiagnosticID,
 				PrivateKeyPolicy:        attestedKeyPolicy,
 				DeviceID:                req.deviceExtensions.DeviceID,
@@ -3370,7 +3372,7 @@ func generateCert(ctx context.Context, a *Server, req certRequest, caType types.
 		AWSRoleARNs:             roleARNs,
 		AzureIdentities:         azureIdentities,
 		GCPServiceAccounts:      gcpAccounts,
-		ActiveRequests:          req.activeRequests.AccessRequests,
+		ActiveRequests:          req.activeRequests,
 		DisallowReissue:         req.disallowReissue,
 		Renewable:               req.renewable,
 		Generation:              req.generation,
@@ -4737,14 +4739,16 @@ func (a *Server) GenerateHostCerts(ctx context.Context, req *proto.HostCertsRequ
 		return nil, trace.Wrap(err)
 	}
 	// generate host SSH certificate
-	hostSSHCert, err := a.generateHostCert(ctx, services.HostCertParams{
+	hostSSHCert, err := a.generateHostCert(ctx, sshca.HostCertificateRequest{
 		CASigner:      caSigner,
 		PublicHostKey: req.PublicSSHKey,
 		HostID:        req.HostID,
 		NodeName:      req.NodeName,
-		ClusterName:   clusterName.GetClusterName(),
-		Role:          req.Role,
-		Principals:    req.AdditionalPrincipals,
+		Identity: sshca.Identity{
+			ClusterName: clusterName.GetClusterName(),
+			SystemRole:  req.Role,
+			Principals:  req.AdditionalPrincipals,
+		},
 	})
 	if err != nil {
 		return nil, trace.Wrap(err)
diff --git a/lib/auth/auth_test.go b/lib/auth/auth_test.go
index 807f90cd6adad..3ee7308e34a5d 100644
--- a/lib/auth/auth_test.go
+++ b/lib/auth/auth_test.go
@@ -1539,7 +1539,7 @@ func TestServer_AugmentContextUserCertificates(t *testing.T) {
 	const devCred = "devicecred1"
 
 	advanceClock := func(d time.Duration) {
-		if fc, ok := testServer.Clock().(clockwork.FakeClock); ok {
+		if fc, ok := testServer.Clock().(*clockwork.FakeClock); ok {
 			fc.Advance(d)
 		}
 	}
@@ -2642,7 +2642,7 @@ func TestGenerateUserCertWithLocks(t *testing.T) {
 		mfaVerified:    mfaID,
 		sshPublicKey:   sshPubKey,
 		tlsPublicKey:   tlsPubKey,
-		activeRequests: services.RequestIDs{AccessRequests: []string{requestID}},
+		activeRequests: []string{requestID},
 		deviceExtensions: DeviceExtensions{
 			DeviceID:     deviceID,
 			AssetTag:     "assettag1",
diff --git a/lib/auth/auth_with_roles.go b/lib/auth/auth_with_roles.go
index 4e3d63dd68978..379467800318d 100644
--- a/lib/auth/auth_with_roles.go
+++ b/lib/auth/auth_with_roles.go
@@ -3440,11 +3440,9 @@ func (a *ServerWithRoles) generateUserCerts(ctx context.Context, req proto.UserC
 		checker:                          checker,
 		// Copy IP from current identity to the generated certificate, if present,
 		// to avoid generateUserCerts() being used to drop IP pinning in the new certificates.
-		loginIP: a.context.Identity.GetIdentity().LoginIP,
-		traits:  accessInfo.Traits,
-		activeRequests: services.RequestIDs{
-			AccessRequests: req.AccessRequests,
-		},
+		loginIP:                a.context.Identity.GetIdentity().LoginIP,
+		traits:                 accessInfo.Traits,
+		activeRequests:         req.AccessRequests,
 		connectionDiagnosticID: req.ConnectionDiagnosticID,
 		botName:                getBotName(user),
 
diff --git a/lib/auth/authclient/api.go b/lib/auth/authclient/api.go
index 1776165eaea85..e0fb827b5aa3f 100644
--- a/lib/auth/authclient/api.go
+++ b/lib/auth/authclient/api.go
@@ -760,6 +760,9 @@ type DiscoveryAccessPoint interface {
 	// GenerateAWSOIDCToken generates a token to be used to execute an AWS OIDC Integration action.
 	GenerateAWSOIDCToken(ctx context.Context, integration string) (string, error)
 
+	// GenerateAzureOIDCToken generates a token to be used to execute an Azure OIDC Integration action.
+	GenerateAzureOIDCToken(ctx context.Context, integration string) (string, error)
+
 	// EnrollEKSClusters enrolls EKS clusters into Teleport by installing teleport-kube-agent chart on the clusters.
 	EnrollEKSClusters(context.Context, *integrationpb.EnrollEKSClustersRequest, ...grpc.CallOption) (*integrationpb.EnrollEKSClustersResponse, error)
 
@@ -1437,6 +1440,11 @@ func (w *DiscoveryWrapper) GenerateAWSOIDCToken(ctx context.Context, integration
 	return w.NoCache.GenerateAWSOIDCToken(ctx, integration)
 }
 
+// GenerateAzureOIDCToken generates a token to be used to execute an Azure OIDC Integration action.
+func (w *DiscoveryWrapper) GenerateAzureOIDCToken(ctx context.Context, integration string) (string, error) {
+	return w.NoCache.GenerateAzureOIDCToken(ctx, integration)
+}
+
 // EnrollEKSClusters enrolls EKS clusters into Teleport by installing teleport-kube-agent chart on the clusters.
 func (w *DiscoveryWrapper) EnrollEKSClusters(ctx context.Context, req *integrationpb.EnrollEKSClustersRequest, _ ...grpc.CallOption) (*integrationpb.EnrollEKSClustersResponse, error) {
 	return w.NoCache.EnrollEKSClusters(ctx, req)
diff --git a/lib/auth/authclient/clt.go b/lib/auth/authclient/clt.go
index 4f17263feaab7..d0a0bded016a9 100644
--- a/lib/auth/authclient/clt.go
+++ b/lib/auth/authclient/clt.go
@@ -825,6 +825,26 @@ func (c *Client) ListNotificationStatesForAllUsers(ctx context.Context, pageSize
 	return nil, "", trace.NotImplemented(notImplementedMessage)
 }
 
+// CreateUniqueNotificationIdentifier not implemented: can only be called locally.
+func (c *Client) CreateUniqueNotificationIdentifier(ctx context.Context, prefix string, identifier string) (*notificationsv1.UniqueNotificationIdentifier, error) {
+	return nil, trace.NotImplemented(notImplementedMessage)
+}
+
+// GetUniqueNotificationIdentifier not implemented: can only be called locally.
+func (c *Client) GetUniqueNotificationIdentifier(ctx context.Context, prefix string, identifier string) (*notificationsv1.UniqueNotificationIdentifier, error) {
+	return nil, trace.NotImplemented(notImplementedMessage)
+}
+
+// DeleteUniqueNotificationIdentifier not implemented: can only be called locally.
+func (c *Client) DeleteUniqueNotificationIdentifier(ctx context.Context, prefix string, identifier string) error {
+	return trace.NotImplemented(notImplementedMessage)
+}
+
+// ListUniqueNotificationIdentifiersForPrefix not implemented: can only be called locally.
+func (c *Client) ListUniqueNotificationIdentifiersForPrefix(ctx context.Context, prefix string, pageSize int, startKey string) ([]*notificationsv1.UniqueNotificationIdentifier, string, error) {
+	return nil, "", trace.NotImplemented(notImplementedMessage)
+}
+
 // GetAccessGraphSettings gets the access graph settings from the backend.
 func (c *Client) GetAccessGraphSettings(context.Context) (*clusterconfigpb.AccessGraphSettings, error) {
 	return nil, trace.NotImplemented(notImplementedMessage)
@@ -1703,6 +1723,9 @@ type ClientI interface {
 	// GenerateAWSOIDCToken generates a token to be used to execute an AWS OIDC Integration action.
 	GenerateAWSOIDCToken(ctx context.Context, integration string) (string, error)
 
+	// GenerateAzureOIDCToken generates a token to be used to execute an Azure OIDC Integration action.
+	GenerateAzureOIDCToken(ctx context.Context, integration string) (string, error)
+
 	// ResetAuthPreference resets cluster auth preference to defaults.
 	ResetAuthPreference(ctx context.Context) error
 
diff --git a/lib/auth/bot_test.go b/lib/auth/bot_test.go
index 85e192222c815..3b09c041721a6 100644
--- a/lib/auth/bot_test.go
+++ b/lib/auth/bot_test.go
@@ -80,7 +80,7 @@ func renewBotCerts(
 	botUser string,
 	key crypto.Signer,
 ) (*authclient.Client, *proto.Certs, error) {
-	fakeClock := srv.Clock().(clockwork.FakeClock)
+	fakeClock := srv.Clock().(*clockwork.FakeClock)
 
 	privateKeyPEM, err := keys.MarshalPrivateKey(key)
 	if err != nil {
@@ -120,7 +120,7 @@ func TestRegisterBotCertificateGenerationCheck(t *testing.T) {
 
 	srv := newTestTLSServer(t)
 	ctx := context.Background()
-	fakeClock := srv.Clock().(clockwork.FakeClock)
+	fakeClock := srv.Clock().(*clockwork.FakeClock)
 
 	_, err := CreateRole(ctx, srv.Auth(), "example", types.RoleSpecV6{})
 	require.NoError(t, err)
diff --git a/lib/auth/github_test.go b/lib/auth/github_test.go
index 862f3ce2d03c0..abeba08850046 100644
--- a/lib/auth/github_test.go
+++ b/lib/auth/github_test.go
@@ -55,7 +55,7 @@ type githubContext struct {
 	a           *Server
 	mockEmitter *eventstest.MockRecorderEmitter
 	b           backend.Backend
-	c           clockwork.FakeClock
+	c           *clockwork.FakeClock
 }
 
 func setupGithubContext(ctx context.Context, t *testing.T) *githubContext {
diff --git a/lib/auth/grpcserver.go b/lib/auth/grpcserver.go
index d3484efa9de6b..bd97faa5738e9 100644
--- a/lib/auth/grpcserver.go
+++ b/lib/auth/grpcserver.go
@@ -526,6 +526,24 @@ func WatchEvents(watch *authpb.Watch, stream WatchEvent, componentName string, a
 		AllowPartialSuccess: watch.AllowPartialSuccess,
 	}
 
+	// KindNamespace is being removed but v17 agents will still try to include
+	// it in their cache and they will occasionally do a GetNamespace, so we
+	// pretend to support it as a resource kind here; it's sound to do so
+	// because there will never be any events coming, and the GetNamespace and
+	// GetNamespaces APIs return static data
+	//
+	// TODO(espadolini): remove in v19
+	var removedNamespaceWatch bool
+	filteredKinds := watch.Kinds[:0]
+	for _, k := range watch.Kinds {
+		if k.Kind == types.KindNamespace {
+			removedNamespaceWatch = true
+			continue
+		}
+		filteredKinds = append(filteredKinds, k)
+	}
+	watch.Kinds = filteredKinds
+
 	events, err := auth.NewStream(stream.Context(), servicesWatch)
 	if err != nil {
 		return trace.Wrap(err)
@@ -540,6 +558,16 @@ func WatchEvents(watch *authpb.Watch, stream WatchEvent, componentName string, a
 
 	for events.Next() {
 		event := events.Item()
+		// TODO(espadolini): remove in v19
+		if removedNamespaceWatch {
+			if status, ok := event.Resource.(*types.WatchStatusV1); ok {
+				status.Spec.Kinds = append(status.Spec.Kinds, types.WatchKind{Kind: types.KindNamespace})
+			}
+			// there's only exactly one event of type OpInit and WatchStatus
+			// meta-resource (at the beginning of the stream), so we don't need
+			// to keep checking
+			removedNamespaceWatch = false
+		}
 		if role, ok := event.Resource.(*types.RoleV6); ok {
 			downgraded, err := maybeDowngradeRole(stream.Context(), role)
 			if err != nil {
diff --git a/lib/auth/grpcserver_test.go b/lib/auth/grpcserver_test.go
index f688432716339..a651958a15fd1 100644
--- a/lib/auth/grpcserver_test.go
+++ b/lib/auth/grpcserver_test.go
@@ -84,7 +84,7 @@ import (
 func TestMFADeviceManagement(t *testing.T) {
 	testServer := newTestTLSServer(t)
 	authServer := testServer.Auth()
-	clock := testServer.Clock().(clockwork.FakeClock)
+	clock := testServer.Clock().(*clockwork.FakeClock)
 	ctx := context.Background()
 
 	// Enable MFA support.
@@ -564,7 +564,7 @@ func TestMFADeviceManagement_SSO(t *testing.T) {
 func TestDeletingLastPasswordlessDevice(t *testing.T) {
 	testServer := newTestTLSServer(t)
 	authServer := testServer.Auth()
-	clock := testServer.Clock().(clockwork.FakeClock)
+	clock := testServer.Clock().(*clockwork.FakeClock)
 	ctx := context.Background()
 
 	tests := []struct {
@@ -752,7 +752,7 @@ type mfaDevices struct {
 func (d *mfaDevices) totpAuthHandler(t *testing.T, challenge *proto.MFAAuthenticateChallenge) *proto.MFAAuthenticateResponse {
 	require.NotNil(t, challenge.TOTP, "nil TOTP challenge")
 
-	if c, ok := d.clock.(clockwork.FakeClock); ok {
+	if c, ok := d.clock.(*clockwork.FakeClock); ok {
 		c.Advance(30 * time.Second)
 	}
 
@@ -1515,7 +1515,7 @@ func TestGenerateUserCerts_singleUseCerts(t *testing.T) {
 	// Register MFA devices for the fake user.
 	registered := addOneOfEachMFADevice(t, cl, clock, webOrigin)
 	// Adding MFA devices advances fake clock by 1 minute, here we return it back.
-	fakeClock, ok := clock.(clockwork.FakeClock)
+	fakeClock, ok := clock.(*clockwork.FakeClock)
 	require.True(t, ok)
 	fakeClock.Advance(-60 * time.Second)
 
diff --git a/lib/auth/helpers_mfa.go b/lib/auth/helpers_mfa.go
index eca034791db4c..3eddd890b3d4e 100644
--- a/lib/auth/helpers_mfa.go
+++ b/lib/auth/helpers_mfa.go
@@ -33,6 +33,7 @@ import (
 	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/lib/auth/mocku2f"
 	wantypes "github.com/gravitational/teleport/lib/auth/webauthntypes"
+	"github.com/gravitational/teleport/lib/utils/clocki"
 )
 
 // TestDevice is a test MFA device.
@@ -190,9 +191,8 @@ func (d *TestDevice) solveAuthnTOTP(c *proto.MFAAuthenticateChallenge) (*proto.M
 	if d.clock == nil {
 		return nil, trace.BadParameter("clock not set")
 	}
-	if c, ok := d.clock.(clockwork.FakeClock); ok {
-		c.Advance(30 * time.Second)
-	}
+	clocki.Advance(d.clock, 30*time.Second)
+
 	code, err := totp.GenerateCode(d.TOTPSecret, d.clock.Now())
 	if err != nil {
 		return nil, trace.Wrap(err)
@@ -244,9 +244,7 @@ func (d *TestDevice) solveRegisterTOTP(c *proto.MFARegisterChallenge) (*proto.MF
 	if d.clock == nil {
 		return nil, trace.BadParameter("clock not set")
 	}
-	if c, ok := d.clock.(clockwork.FakeClock); ok {
-		c.Advance(30 * time.Second)
-	}
+	clocki.Advance(d.clock, 30*time.Second)
 
 	if c.GetTOTP().Algorithm != otp.AlgorithmSHA1.String() {
 		return nil, trace.BadParameter("unexpected TOTP challenge algorithm: %s", c.GetTOTP().Algorithm)
diff --git a/lib/auth/init_test.go b/lib/auth/init_test.go
index 291458bd196e8..f4218479f302b 100644
--- a/lib/auth/init_test.go
+++ b/lib/auth/init_test.go
@@ -62,6 +62,7 @@ import (
 	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/services/suite"
 	"github.com/gravitational/teleport/lib/srv/db/common/databaseobjectimportrule"
+	"github.com/gravitational/teleport/lib/sshca"
 	"github.com/gravitational/teleport/lib/sshutils"
 	"github.com/gravitational/teleport/lib/utils"
 	"github.com/gravitational/teleport/lib/utils/proxy"
@@ -77,14 +78,16 @@ func TestReadIdentity(t *testing.T) {
 	caSigner, err := ssh.ParsePrivateKey(priv)
 	require.NoError(t, err)
 
-	cert, err := a.GenerateHostCert(services.HostCertParams{
+	cert, err := a.GenerateHostCert(sshca.HostCertificateRequest{
 		CASigner:      caSigner,
 		PublicHostKey: pub,
 		HostID:        "id1",
 		NodeName:      "node-name",
-		ClusterName:   "example.com",
-		Role:          types.RoleNode,
 		TTL:           0,
+		Identity: sshca.Identity{
+			ClusterName: "example.com",
+			SystemRole:  types.RoleNode,
+		},
 	})
 	require.NoError(t, err)
 
@@ -98,14 +101,16 @@ func TestReadIdentity(t *testing.T) {
 	// test TTL by converting the generated cert to text -> back and making sure ExpireAfter is valid
 	ttl := 10 * time.Second
 	expiryDate := clock.Now().Add(ttl)
-	bytes, err := a.GenerateHostCert(services.HostCertParams{
+	bytes, err := a.GenerateHostCert(sshca.HostCertificateRequest{
 		CASigner:      caSigner,
 		PublicHostKey: pub,
 		HostID:        "id1",
 		NodeName:      "node-name",
-		ClusterName:   "example.com",
-		Role:          types.RoleNode,
 		TTL:           ttl,
+		Identity: sshca.Identity{
+			ClusterName: "example.com",
+			SystemRole:  types.RoleNode,
+		},
 	})
 	require.NoError(t, err)
 	copy, err := apisshutils.ParseCertificate(bytes)
@@ -125,14 +130,16 @@ func TestBadIdentity(t *testing.T) {
 	require.IsType(t, trace.BadParameter(""), err)
 
 	// missing authority domain
-	cert, err := a.GenerateHostCert(services.HostCertParams{
+	cert, err := a.GenerateHostCert(sshca.HostCertificateRequest{
 		CASigner:      caSigner,
 		PublicHostKey: pub,
 		HostID:        "id2",
 		NodeName:      "",
-		ClusterName:   "",
-		Role:          types.RoleNode,
 		TTL:           0,
+		Identity: sshca.Identity{
+			ClusterName: "",
+			SystemRole:  types.RoleNode,
+		},
 	})
 	require.NoError(t, err)
 
@@ -140,14 +147,16 @@ func TestBadIdentity(t *testing.T) {
 	require.IsType(t, trace.BadParameter(""), err)
 
 	// missing host uuid
-	cert, err = a.GenerateHostCert(services.HostCertParams{
+	cert, err = a.GenerateHostCert(sshca.HostCertificateRequest{
 		CASigner:      caSigner,
 		PublicHostKey: pub,
 		HostID:        "example.com",
 		NodeName:      "",
-		ClusterName:   "",
-		Role:          types.RoleNode,
 		TTL:           0,
+		Identity: sshca.Identity{
+			ClusterName: "",
+			SystemRole:  types.RoleNode,
+		},
 	})
 	require.NoError(t, err)
 
@@ -155,14 +164,16 @@ func TestBadIdentity(t *testing.T) {
 	require.IsType(t, trace.BadParameter(""), err)
 
 	// unrecognized role
-	cert, err = a.GenerateHostCert(services.HostCertParams{
+	cert, err = a.GenerateHostCert(sshca.HostCertificateRequest{
 		CASigner:      caSigner,
 		PublicHostKey: pub,
 		HostID:        "example.com",
 		NodeName:      "",
-		ClusterName:   "id1",
-		Role:          "bad role",
 		TTL:           0,
+		Identity: sshca.Identity{
+			ClusterName: "id1",
+			SystemRole:  "bad role",
+		},
 	})
 	require.NoError(t, err)
 
diff --git a/lib/auth/integration/integrationv1/azureoidc.go b/lib/auth/integration/integrationv1/azureoidc.go
new file mode 100644
index 0000000000000..0db1fd50e59d6
--- /dev/null
+++ b/lib/auth/integration/integrationv1/azureoidc.go
@@ -0,0 +1,52 @@
+/*
+ * Teleport
+ * Copyright (C) 2025  Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package integrationv1
+
+import (
+	"context"
+
+	"github.com/gravitational/trace"
+
+	integrationpb "github.com/gravitational/teleport/api/gen/proto/go/teleport/integration/v1"
+	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/lib/authz"
+	"github.com/gravitational/teleport/lib/integrations/azureoidc"
+)
+
+// GenerateAzureOIDCToken generates a token to be used to execute an Azure OIDC Integration action.
+func (s *Service) GenerateAzureOIDCToken(ctx context.Context, req *integrationpb.GenerateAzureOIDCTokenRequest) (*integrationpb.GenerateAzureOIDCTokenResponse, error) {
+	authCtx, err := s.authorizer.Authorize(ctx)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	_, err = s.cache.GetIntegration(ctx, req.Integration)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	for _, allowedRole := range []types.SystemRole{types.RoleDiscovery, types.RoleAuth, types.RoleProxy} {
+		if authz.HasBuiltinRole(*authCtx, string(allowedRole)) {
+			token, err := azureoidc.GenerateEntraOIDCToken(ctx, s.cache, s.keyStoreManager, s.clock)
+			if err != nil {
+				return nil, trace.Wrap(err)
+			}
+			return &integrationpb.GenerateAzureOIDCTokenResponse{Token: token}, nil
+		}
+	}
+	return nil, trace.AccessDenied("token generation is only available to auth, proxy or discovery services")
+}
diff --git a/lib/auth/integration/integrationv1/azureoidc_test.go b/lib/auth/integration/integrationv1/azureoidc_test.go
new file mode 100644
index 0000000000000..f235d51538d71
--- /dev/null
+++ b/lib/auth/integration/integrationv1/azureoidc_test.go
@@ -0,0 +1,113 @@
+/*
+ * Teleport
+ * Copyright (C) 2025  Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package integrationv1
+
+import (
+	"testing"
+
+	"github.com/gravitational/trace"
+	"github.com/stretchr/testify/require"
+
+	integrationv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/integration/v1"
+	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/api/utils/keys"
+	"github.com/gravitational/teleport/lib/authz"
+	"github.com/gravitational/teleport/lib/jwt"
+	"github.com/gravitational/teleport/lib/tlsca"
+)
+
+func TestGenerateAzureOIDCToken(t *testing.T) {
+	t.Parallel()
+	clusterName := "test-cluster"
+	integrationName := "my-integration"
+
+	publicURL := "https://example.com"
+
+	ca := newCertAuthority(t, types.HostCA, clusterName)
+	ctx, localClient, resourceSvc := initSvc(t, ca, clusterName, publicURL)
+
+	// Create integration
+	ig, err := types.NewIntegrationAzureOIDC(
+		types.Metadata{Name: integrationName},
+		&types.AzureOIDCIntegrationSpecV1{
+			TenantID: "foo",
+			ClientID: "bar",
+		},
+	)
+	require.NoError(t, err)
+	_, err = localClient.CreateIntegration(ctx, ig)
+	require.NoError(t, err)
+
+	t.Run("only Auth, Discovery, and Proxy roles should be able to generate Azure tokens", func(t *testing.T) {
+		// A dummy user should not be able to generate Azure OIDC tokens
+		ctx = authorizerForDummyUser(t, ctx, types.RoleSpecV6{
+			Allow: types.RoleConditions{Rules: []types.Rule{
+				{Resources: []string{types.KindIntegration}, Verbs: []string{types.VerbUse}},
+			}},
+		}, localClient)
+		_, err = resourceSvc.GenerateAzureOIDCToken(ctx, &integrationv1.GenerateAzureOIDCTokenRequest{Integration: integrationName})
+		require.True(t, trace.IsAccessDenied(err), "expected AccessDenied error, got %T", err)
+
+		// Auth, Discovery, and Proxy roles should be able to generate Azure OIDC tokens
+		for _, allowedRole := range []types.SystemRole{types.RoleAuth, types.RoleDiscovery, types.RoleProxy} {
+			ctx = authz.ContextWithUser(ctx, authz.BuiltinRole{
+				Role:                  types.RoleInstance,
+				AdditionalSystemRoles: []types.SystemRole{allowedRole},
+				Username:              string(allowedRole),
+				Identity: tlsca.Identity{
+					Username: string(allowedRole),
+				},
+			})
+
+			_, err := resourceSvc.GenerateAzureOIDCToken(ctx, &integrationv1.GenerateAzureOIDCTokenRequest{Integration: integrationName})
+			require.NoError(t, err)
+		}
+	})
+
+	t.Run("validate the Azure token", func(t *testing.T) {
+		ctx = authz.ContextWithUser(ctx, authz.BuiltinRole{
+			Role:                  types.RoleInstance,
+			AdditionalSystemRoles: []types.SystemRole{types.RoleDiscovery},
+			Username:              string(types.RoleDiscovery),
+			Identity: tlsca.Identity{
+				Username: string(types.RoleDiscovery),
+			},
+		})
+		resp, err := resourceSvc.GenerateAzureOIDCToken(ctx, &integrationv1.GenerateAzureOIDCTokenRequest{
+			Integration: integrationName,
+		})
+		require.NoError(t, err)
+
+		// Validate JWT against public key
+		require.NotEmpty(t, ca.GetActiveKeys().JWT)
+		jwtPubKey := ca.GetActiveKeys().JWT[0].PublicKey
+		publicKey, err := keys.ParsePublicKey(jwtPubKey)
+		require.NoError(t, err)
+		key, err := jwt.New(&jwt.Config{
+			ClusterName: clusterName,
+			Clock:       resourceSvc.clock,
+			PublicKey:   publicKey,
+		})
+		require.NoError(t, err)
+
+		// Verify the Azure token using the JWT
+		_, err = key.VerifyAzureToken(resp.Token)
+		require.NoError(t, err)
+	})
+}
diff --git a/lib/auth/keygen/keygen.go b/lib/auth/keygen/keygen.go
index 5f47b3a90ac16..6133a90c907c7 100644
--- a/lib/auth/keygen/keygen.go
+++ b/lib/auth/keygen/keygen.go
@@ -33,9 +33,7 @@ import (
 	"github.com/gravitational/teleport/api/types"
 	apiutils "github.com/gravitational/teleport/api/utils"
 	"github.com/gravitational/teleport/lib/modules"
-	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/sshca"
-	"github.com/gravitational/teleport/lib/utils"
 )
 
 // Keygen is a key generator that precomputes keys to provide quick access to
@@ -69,58 +67,64 @@ func New(_ context.Context, opts ...Option) *Keygen {
 
 // GenerateHostCert generates a host certificate with the passed in parameters.
 // The private key of the CA to sign the certificate must be provided.
-func (k *Keygen) GenerateHostCert(c services.HostCertParams) ([]byte, error) {
-	if err := c.Check(); err != nil {
+func (k *Keygen) GenerateHostCert(req sshca.HostCertificateRequest) ([]byte, error) {
+	if err := req.Check(); err != nil {
 		return nil, trace.Wrap(err)
 	}
 
-	return k.GenerateHostCertWithoutValidation(c)
+	return k.GenerateHostCertWithoutValidation(req)
 }
 
 // GenerateHostCertWithoutValidation generates a host certificate with the
 // passed in parameters without validating them. For use in tests only.
-func (k *Keygen) GenerateHostCertWithoutValidation(c services.HostCertParams) ([]byte, error) {
-	pubKey, _, _, _, err := ssh.ParseAuthorizedKey(c.PublicHostKey)
+func (k *Keygen) GenerateHostCertWithoutValidation(req sshca.HostCertificateRequest) ([]byte, error) {
+	pubKey, _, _, _, err := ssh.ParseAuthorizedKey(req.PublicHostKey)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
 
+	// create shallow copy of identity since we want to make some local changes
+	ident := req.Identity
+
+	ident.CertType = ssh.HostCert
+
 	// Build a valid list of principals from the HostID and NodeName and then
 	// add in any additional principals passed in.
-	principals := BuildPrincipals(c.HostID, c.NodeName, c.ClusterName, types.SystemRoles{c.Role})
-	principals = append(principals, c.Principals...)
+	principals := BuildPrincipals(req.HostID, req.NodeName, ident.ClusterName, types.SystemRoles{ident.SystemRole})
+	principals = append(principals, ident.Principals...)
 	if len(principals) == 0 {
-		return nil, trace.BadParameter("no principals provided: %v, %v, %v",
-			c.HostID, c.NodeName, c.Principals)
+		return nil, trace.BadParameter("cannot generate host certificate without principals")
 	}
 	principals = apiutils.Deduplicate(principals)
+	ident.Principals = principals
 
-	// create certificate
-	validBefore := uint64(ssh.CertTimeInfinity)
-	if c.TTL != 0 {
-		b := k.clock.Now().UTC().Add(c.TTL)
-		validBefore = uint64(b.Unix())
+	// calculate ValidBefore based on the outer request TTL
+	ident.ValidBefore = uint64(ssh.CertTimeInfinity)
+	if req.TTL != 0 {
+		b := k.clock.Now().UTC().Add(req.TTL)
+		ident.ValidBefore = uint64(b.Unix())
 	}
-	cert := &ssh.Certificate{
-		ValidPrincipals: principals,
-		Key:             pubKey,
-		ValidAfter:      uint64(k.clock.Now().UTC().Add(-1 * time.Minute).Unix()),
-		ValidBefore:     validBefore,
-		CertType:        ssh.HostCert,
+
+	ident.ValidAfter = uint64(k.clock.Now().UTC().Add(-1 * time.Minute).Unix())
+
+	// encode the identity into a certificate
+	cert, err := ident.Encode("")
+	if err != nil {
+		return nil, trace.Wrap(err)
 	}
-	cert.Permissions.Extensions = make(map[string]string)
-	cert.Permissions.Extensions[utils.CertExtensionRole] = c.Role.String()
-	cert.Permissions.Extensions[utils.CertExtensionAuthority] = c.ClusterName
+
+	// set the public key of the certificate
+	cert.Key = pubKey
 
 	// sign host certificate with private signing key of certificate authority
-	if err := cert.SignCert(rand.Reader, c.CASigner); err != nil {
+	if err := cert.SignCert(rand.Reader, req.CASigner); err != nil {
 		return nil, trace.Wrap(err)
 	}
 
 	slog.DebugContext(
 		context.TODO(),
 		"Generated SSH host certificate.",
-		"role", c.Role, "principals", principals,
+		"role", ident.SystemRole, "principals", ident.Principals,
 	)
 	return ssh.MarshalAuthorizedKey(cert), nil
 }
@@ -145,14 +149,7 @@ func (k *Keygen) GenerateUserCertWithoutValidation(req sshca.UserCertificateRequ
 	// create shallow copy of identity since we want to make some local changes
 	ident := req.Identity
 
-	// since this method ignores the supplied values for ValidBefore/ValidAfter, avoid confusing by
-	// rejecting identities where they are set.
-	if ident.ValidBefore != 0 {
-		return nil, trace.BadParameter("ValidBefore should not be set in calls to GenerateUserCert")
-	}
-	if ident.ValidAfter != 0 {
-		return nil, trace.BadParameter("ValidAfter should not be set in calls to GenerateUserCert")
-	}
+	ident.CertType = ssh.UserCert
 
 	// calculate ValidBefore based on the outer request TTL
 	ident.ValidBefore = uint64(ssh.CertTimeInfinity)
@@ -162,7 +159,7 @@ func (k *Keygen) GenerateUserCertWithoutValidation(req sshca.UserCertificateRequ
 		slog.DebugContext(
 			context.TODO(),
 			"Generated user key with expiry.",
-			"allowed_logins", ident.AllowedLogins,
+			"allowed_logins", ident.Principals,
 			"valid_before_unix_ts", ident.ValidBefore,
 			"valid_before", b,
 		)
diff --git a/lib/auth/keygen/keygen_test.go b/lib/auth/keygen/keygen_test.go
index d6c243b3ee986..e82933b944885 100644
--- a/lib/auth/keygen/keygen_test.go
+++ b/lib/auth/keygen/keygen_test.go
@@ -37,7 +37,6 @@ import (
 	"github.com/gravitational/teleport/api/utils/sshutils"
 	"github.com/gravitational/teleport/lib/auth/test"
 	"github.com/gravitational/teleport/lib/cryptosuites"
-	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/sshca"
 )
 
@@ -176,16 +175,17 @@ func TestBuildPrincipals(t *testing.T) {
 	// run tests
 	for _, tc := range tests {
 		t.Logf("Running test case: %q", tc.desc)
-		hostCertificateBytes, err := tt.suite.A.GenerateHostCert(
-			services.HostCertParams{
-				CASigner:      caSigner,
-				PublicHostKey: hostPublicKey,
-				HostID:        tc.inHostID,
-				NodeName:      tc.inNodeName,
-				ClusterName:   tc.inClusterName,
-				Role:          tc.inRole,
-				TTL:           time.Hour,
-			})
+		hostCertificateBytes, err := tt.suite.A.GenerateHostCert(sshca.HostCertificateRequest{
+			CASigner:      caSigner,
+			PublicHostKey: hostPublicKey,
+			HostID:        tc.inHostID,
+			NodeName:      tc.inNodeName,
+			TTL:           time.Hour,
+			Identity: sshca.Identity{
+				ClusterName: tc.inClusterName,
+				SystemRole:  tc.inRole,
+			},
+		})
 		require.NoError(t, err)
 
 		hostCertificate, err := sshutils.ParseCertificate(hostCertificateBytes)
@@ -233,9 +233,9 @@ func TestUserCertCompatibility(t *testing.T) {
 			TTL:               time.Hour,
 			CertificateFormat: tc.inCompatibility,
 			Identity: sshca.Identity{
-				Username:      "user",
-				AllowedLogins: []string{"centos", "root"},
-				Roles:         []string{"foo"},
+				Username:   "user",
+				Principals: []string{"centos", "root"},
+				Roles:      []string{"foo"},
 				CertificateExtensions: []*types.CertExtension{{
 					Type:  types.CertExtensionType_SSH,
 					Mode:  types.CertExtensionMode_EXTENSION,
diff --git a/lib/auth/keystore/keystore_test.go b/lib/auth/keystore/keystore_test.go
index 13e05a5e5070b..be799e0683b86 100644
--- a/lib/auth/keystore/keystore_test.go
+++ b/lib/auth/keystore/keystore_test.go
@@ -508,7 +508,7 @@ func assertKeyAlgorithm(t *testing.T, expectedAlgorithm cryptosuites.Algorithm,
 
 type testPack struct {
 	backends []*backendDesc
-	clock    clockwork.FakeClock
+	clock    *clockwork.FakeClock
 }
 
 type backendDesc struct {
diff --git a/lib/auth/server_info_test.go b/lib/auth/server_info_test.go
index b87433c7986f8..97b33983d1f08 100644
--- a/lib/auth/server_info_test.go
+++ b/lib/auth/server_info_test.go
@@ -34,7 +34,7 @@ import (
 )
 
 type mockServerInfoAccessPoint struct {
-	clock         clockwork.FakeClock
+	clock         *clockwork.FakeClock
 	nodes         []types.Server
 	nodesErr      error
 	serverInfos   map[string]types.ServerInfo
diff --git a/lib/auth/sessions.go b/lib/auth/sessions.go
index 7f202bd9110b3..caf98e262b0f8 100644
--- a/lib/auth/sessions.go
+++ b/lib/auth/sessions.go
@@ -290,7 +290,7 @@ func (a *Server) newWebSession(
 		tlsPublicKey:   tlsPublicKeyPEM,
 		checker:        checker,
 		traits:         req.Traits,
-		activeRequests: services.RequestIDs{AccessRequests: req.AccessRequests},
+		activeRequests: req.AccessRequests,
 	}
 	var hasDeviceExtensions bool
 	if opts != nil && opts.deviceExtensions != nil {
@@ -557,7 +557,7 @@ func (a *Server) CreateAppSessionFromReq(ctx context.Context, req NewAppSessionR
 		checker:        checker,
 		ttl:            req.SessionTTL,
 		traits:         req.Traits,
-		activeRequests: services.RequestIDs{AccessRequests: req.AccessRequests},
+		activeRequests: req.AccessRequests,
 		// Set the app session ID in the certificate - used in auditing from the App Service.
 		appSessionID: sessionID,
 		// Only allow this certificate to be used for applications.
diff --git a/lib/auth/storage/storage.go b/lib/auth/storage/storage.go
index 76db71182e982..625cc393f8698 100644
--- a/lib/auth/storage/storage.go
+++ b/lib/auth/storage/storage.go
@@ -27,7 +27,9 @@ package storage
 import (
 	"context"
 	"encoding/json"
+	"strconv"
 	"strings"
+	"time"
 
 	"github.com/coreos/go-semver/semver"
 	"github.com/gravitational/trace"
@@ -233,6 +235,42 @@ func (p *ProcessStorage) WriteTeleportVersion(ctx context.Context, version *semv
 	return nil
 }
 
+func rdpLicenseKey(key *types.RDPLicenseKey) backend.Key {
+	return backend.NewKey("rdplicense", key.Issuer, strconv.Itoa(int(key.Version)), key.Company, key.ProductID)
+}
+
+type rdpLicense struct {
+	Data []byte `json:"data"`
+}
+
+// WriteRDPLicense writes an RDP license to local storage.
+func (p *ProcessStorage) WriteRDPLicense(ctx context.Context, key *types.RDPLicenseKey, license []byte) error {
+	value, err := json.Marshal(rdpLicense{Data: license})
+	if err != nil {
+		return trace.Wrap(err)
+	}
+	item := backend.Item{
+		Key:     rdpLicenseKey(key),
+		Value:   value,
+		Expires: p.BackendStorage.Clock().Now().Add(28 * 24 * time.Hour),
+	}
+	_, err = p.stateStorage.Put(ctx, item)
+	return trace.Wrap(err)
+}
+
+// ReadRDPLicense reads a previously obtained license from storage.
+func (p *ProcessStorage) ReadRDPLicense(ctx context.Context, key *types.RDPLicenseKey) ([]byte, error) {
+	item, err := p.stateStorage.Get(ctx, rdpLicenseKey(key))
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	license := rdpLicense{}
+	if err := json.Unmarshal(item.Value, &license); err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return license.Data, nil
+}
+
 // ReadLocalIdentity reads, parses and returns the given pub/pri key + cert from the
 // key storage (dataDir).
 func ReadLocalIdentity(dataDir string, id state.IdentityID) (*state.Identity, error) {
diff --git a/lib/auth/storage/storage_test.go b/lib/auth/storage/storage_test.go
new file mode 100644
index 0000000000000..42302101c7036
--- /dev/null
+++ b/lib/auth/storage/storage_test.go
@@ -0,0 +1,72 @@
+// Teleport
+// Copyright (C) 2025 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package storage
+
+import (
+	"context"
+	"testing"
+
+	"github.com/gravitational/trace"
+	"github.com/stretchr/testify/require"
+
+	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/lib/backend/memory"
+)
+
+func TestRDPLicense(t *testing.T) {
+	ctx := context.Background()
+	mem, err := memory.New(memory.Config{})
+	require.NoError(t, err)
+	storage := ProcessStorage{
+		BackendStorage: mem,
+		stateStorage:   mem,
+	}
+
+	_, err = storage.ReadRDPLicense(ctx, &types.RDPLicenseKey{
+		Version:   1,
+		Issuer:    "issuer",
+		Company:   "company",
+		ProductID: "productID",
+	})
+	require.True(t, trace.IsNotFound(err))
+
+	licenseData := []byte{1, 2, 3}
+	err = storage.WriteRDPLicense(ctx, &types.RDPLicenseKey{
+		Version:   1,
+		Issuer:    "issuer",
+		Company:   "company",
+		ProductID: "productID",
+	}, licenseData)
+	require.NoError(t, err)
+
+	_, err = storage.ReadRDPLicense(ctx, &types.RDPLicenseKey{
+		Version:   2,
+		Issuer:    "issuer",
+		Company:   "company",
+		ProductID: "productID",
+	})
+	require.True(t, trace.IsNotFound(err))
+
+	license, err := storage.ReadRDPLicense(ctx, &types.RDPLicenseKey{
+		Version:   1,
+		Issuer:    "issuer",
+		Company:   "company",
+		ProductID: "productID",
+	})
+	require.NoError(t, err)
+	require.Equal(t, licenseData, license)
+}
diff --git a/lib/auth/test/suite.go b/lib/auth/test/suite.go
index 14d22f8265647..ac1a9ee4cd2d1 100644
--- a/lib/auth/test/suite.go
+++ b/lib/auth/test/suite.go
@@ -64,16 +64,17 @@ func (s *AuthSuite) GenerateHostCert(t *testing.T) {
 	caSigner, err := ssh.ParsePrivateKey(priv)
 	require.NoError(t, err)
 
-	cert, err := s.A.GenerateHostCert(
-		services.HostCertParams{
-			CASigner:      caSigner,
-			PublicHostKey: pub,
-			HostID:        "00000000-0000-0000-0000-000000000000",
-			NodeName:      "auth.example.com",
-			ClusterName:   "example.com",
-			Role:          types.RoleAdmin,
-			TTL:           time.Hour,
-		})
+	cert, err := s.A.GenerateHostCert(sshca.HostCertificateRequest{
+		CASigner:      caSigner,
+		PublicHostKey: pub,
+		HostID:        "00000000-0000-0000-0000-000000000000",
+		NodeName:      "auth.example.com",
+		TTL:           time.Hour,
+		Identity: sshca.Identity{
+			ClusterName: "example.com",
+			SystemRole:  types.RoleAdmin,
+		},
+	})
 	require.NoError(t, err)
 
 	certificate, err := sshutils.ParseCertificate(cert)
@@ -102,7 +103,7 @@ func (s *AuthSuite) GenerateUserCert(t *testing.T) {
 		CertificateFormat: constants.CertificateFormatStandard,
 		Identity: sshca.Identity{
 			Username:              "user",
-			AllowedLogins:         []string{"centos", "root"},
+			Principals:            []string{"centos", "root"},
 			PermitAgentForwarding: true,
 			PermitPortForwarding:  true,
 		},
@@ -121,7 +122,7 @@ func (s *AuthSuite) GenerateUserCert(t *testing.T) {
 		CertificateFormat: constants.CertificateFormatStandard,
 		Identity: sshca.Identity{
 			Username:              "user",
-			AllowedLogins:         []string{"root"},
+			Principals:            []string{"root"},
 			PermitAgentForwarding: true,
 			PermitPortForwarding:  true,
 		},
@@ -137,7 +138,7 @@ func (s *AuthSuite) GenerateUserCert(t *testing.T) {
 		CertificateFormat: constants.CertificateFormatStandard,
 		Identity: sshca.Identity{
 			Username:              "user",
-			AllowedLogins:         []string{"root"},
+			Principals:            []string{"root"},
 			PermitAgentForwarding: true,
 			PermitPortForwarding:  true,
 		},
@@ -153,7 +154,7 @@ func (s *AuthSuite) GenerateUserCert(t *testing.T) {
 		CertificateFormat: constants.CertificateFormatStandard,
 		Identity: sshca.Identity{
 			Username:              "user",
-			AllowedLogins:         []string{"root"},
+			Principals:            []string{"root"},
 			PermitAgentForwarding: true,
 			PermitPortForwarding:  true,
 		},
@@ -170,7 +171,7 @@ func (s *AuthSuite) GenerateUserCert(t *testing.T) {
 		Identity: sshca.Identity{
 			Username:              "user",
 			Impersonator:          impersonator,
-			AllowedLogins:         []string{"root"},
+			Principals:            []string{"root"},
 			PermitAgentForwarding: true,
 			PermitPortForwarding:  true,
 			Roles:                 inRoles,
@@ -195,7 +196,7 @@ func (s *AuthSuite) GenerateUserCert(t *testing.T) {
 		CertificateFormat: constants.CertificateFormatStandard,
 		Identity: sshca.Identity{
 			Username:                "user",
-			AllowedLogins:           []string{"root"},
+			Principals:              []string{"root"},
 			MFAVerified:             "mfa-device-id",
 			PreviousIdentityExpires: clock.Now().Add(time.Hour),
 		},
@@ -219,7 +220,7 @@ func (s *AuthSuite) GenerateUserCert(t *testing.T) {
 			PublicUserKey: pub,      // Required.
 			Identity: sshca.Identity{
 				Username:           "llama",           // Required.
-				AllowedLogins:      []string{"llama"}, // Required.
+				Principals:         []string{"llama"}, // Required.
 				DeviceID:           devID,
 				DeviceAssetTag:     devTag,
 				DeviceCredentialID: devCred,
@@ -242,7 +243,7 @@ func (s *AuthSuite) GenerateUserCert(t *testing.T) {
 			PublicUserKey: pub,      // Required.
 			Identity: sshca.Identity{
 				Username:       "llama",           // Required.
-				AllowedLogins:  []string{"llama"}, // Required.
+				Principals:     []string{"llama"}, // Required.
 				GitHubUserID:   githubUserID,
 				GitHubUsername: githubUsername,
 			},
diff --git a/lib/auth/testauthority/testauthority.go b/lib/auth/testauthority/testauthority.go
index b58f9ac27493d..dbb14c56c20cb 100644
--- a/lib/auth/testauthority/testauthority.go
+++ b/lib/auth/testauthority/testauthority.go
@@ -28,7 +28,6 @@ import (
 
 	"github.com/gravitational/teleport/lib/auth/keygen"
 	"github.com/gravitational/teleport/lib/cryptosuites"
-	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/sshca"
 )
 
@@ -57,8 +56,8 @@ func (n *Keygen) GenerateKeyPair() (priv []byte, pub []byte, err error) {
 	return privateKey.PrivateKeyPEM(), privateKey.MarshalSSHPublicKey(), nil
 }
 
-func (n *Keygen) GenerateHostCert(c services.HostCertParams) ([]byte, error) {
-	return n.GenerateHostCertWithoutValidation(c)
+func (n *Keygen) GenerateHostCert(req sshca.HostCertificateRequest) ([]byte, error) {
+	return n.GenerateHostCertWithoutValidation(req)
 }
 
 func (n *Keygen) GenerateUserCert(c sshca.UserCertificateRequest) ([]byte, error) {
diff --git a/lib/auth/trust/trustv1/service_test.go b/lib/auth/trust/trustv1/service_test.go
index 23ae66a5149b5..6991ba21be1dd 100644
--- a/lib/auth/trust/trustv1/service_test.go
+++ b/lib/auth/trust/trustv1/service_test.go
@@ -41,7 +41,7 @@ import (
 )
 
 type testPack struct {
-	clock clockwork.FakeClock
+	clock *clockwork.FakeClock
 	mem   *memory.Memory
 }
 
diff --git a/lib/auth/usage_test.go b/lib/auth/usage_test.go
index 4cc3e36ac9e8c..04c07c49816eb 100644
--- a/lib/auth/usage_test.go
+++ b/lib/auth/usage_test.go
@@ -93,7 +93,7 @@ func TestAccessRequest_WithAndWithoutLimit(t *testing.T) {
 type setupAccessRequestLimist struct {
 	monthlyLimit int
 	testpack     testPack
-	clock        clockwork.FakeClock
+	clock        *clockwork.FakeClock
 	features     modules.Features
 }
 
diff --git a/lib/auth/usertoken_test.go b/lib/auth/usertoken_test.go
index 4592f95955d41..ad3b622cc0f00 100644
--- a/lib/auth/usertoken_test.go
+++ b/lib/auth/usertoken_test.go
@@ -284,7 +284,7 @@ func TestUserTokenCreationSettings(t *testing.T) {
 func TestCreatePrivilegeToken(t *testing.T) {
 	t.Parallel()
 	srv := newTestTLSServer(t)
-	fakeClock := srv.Clock().(clockwork.FakeClock)
+	fakeClock := srv.Clock().(*clockwork.FakeClock)
 	mockEmitter := &eventstest.MockRecorderEmitter{}
 	srv.Auth().emitter = mockEmitter
 	ctx := context.Background()
diff --git a/lib/autoupdate/agent/process.go b/lib/autoupdate/agent/process.go
index a24b4605e1924..75aa7cdbb9da0 100644
--- a/lib/autoupdate/agent/process.go
+++ b/lib/autoupdate/agent/process.go
@@ -330,12 +330,28 @@ func (s SystemdService) IsPresent(ctx context.Context) (bool, error) {
 
 // checkSystem returns an error if the system is not compatible with this process manager.
 func (s SystemdService) checkSystem(ctx context.Context) error {
-	_, err := os.Stat("/run/systemd/system")
-	if errors.Is(err, os.ErrNotExist) {
+	present, err := hasSystemD()
+	if err != nil {
+		return trace.Wrap(err)
+	}
+	if !present {
 		s.Log.ErrorContext(ctx, "This system does not support systemd, which is required by the updater.")
 		return trace.Wrap(ErrNotSupported)
 	}
-	return trace.Wrap(err)
+	return nil
+
+}
+
+// hasSystemD returns true if the system uses the SystemD process manager.
+func hasSystemD() (bool, error) {
+	_, err := os.Stat("/run/systemd/system")
+	if errors.Is(err, os.ErrNotExist) {
+		return false, nil
+	}
+	if err != nil {
+		return false, trace.Wrap(err)
+	}
+	return true, nil
 }
 
 // systemctl returns a systemctl subcommand, converting the output to logs.
diff --git a/lib/autoupdate/agent/telemetry.go b/lib/autoupdate/agent/telemetry.go
index a1abeb1b3d768..442d21c4f2be6 100644
--- a/lib/autoupdate/agent/telemetry.go
+++ b/lib/autoupdate/agent/telemetry.go
@@ -31,6 +31,13 @@ import (
 // The binary is considered managed if it lives under /opt/teleport, but not within the package
 // path at /opt/teleport/system.
 func IsManagedByUpdater() (bool, error) {
+	systemd, err := hasSystemD()
+	if err != nil {
+		return false, trace.Wrap(err)
+	}
+	if !systemd {
+		return false, nil
+	}
 	teleportPath, err := os.Readlink("/proc/self/exe")
 	if err != nil {
 		return false, trace.Wrap(err, "cannot find Teleport binary")
@@ -52,6 +59,13 @@ func IsManagedByUpdater() (bool, error) {
 // and the default installation (with teleport.service as the unit file name).
 // The binary is considered managed and default if it lives within /opt/teleport/default.
 func IsManagedAndDefault() (bool, error) {
+	systemd, err := hasSystemD()
+	if err != nil {
+		return false, trace.Wrap(err)
+	}
+	if !systemd {
+		return false, nil
+	}
 	teleportPath, err := os.Readlink("/proc/self/exe")
 	if err != nil {
 		return false, trace.Wrap(err, "cannot find Teleport binary")
diff --git a/lib/autoupdate/package_url.go b/lib/autoupdate/package_url.go
new file mode 100644
index 0000000000000..9b283c3da59c2
--- /dev/null
+++ b/lib/autoupdate/package_url.go
@@ -0,0 +1,82 @@
+/*
+ * Teleport
+ * Copyright (C) 2025  Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package autoupdate
+
+import (
+	"bytes"
+	"runtime"
+	"text/template"
+
+	"github.com/gravitational/trace"
+)
+
+// InstallFlags sets flags for the Teleport installation.
+type InstallFlags int
+
+const (
+	// FlagEnterprise installs enterprise Teleport.
+	FlagEnterprise InstallFlags = 1 << iota
+	// FlagFIPS installs FIPS Teleport
+	FlagFIPS
+)
+
+const (
+	// DefaultBaseURL is CDN URL for downloading official Teleport packages.
+	DefaultBaseURL = "https://cdn.teleport.dev"
+	// DefaultPackage is the name of Teleport package.
+	DefaultPackage = "teleport"
+	// DefaultCDNURITemplate is the default template for the Teleport CDN download URL.
+	DefaultCDNURITemplate = `{{ .BaseURL }}/
+	{{- if eq .OS "darwin" }}
+	{{- .Package }}{{ if and .Enterprise (eq .Package "teleport") }}-ent{{ end }}-{{ .Version }}.pkg
+	{{- else if eq .OS "windows" }}
+	{{- .Package }}-v{{ .Version }}-{{ .OS }}-amd64-bin.zip
+	{{- else }}
+	{{- .Package }}{{ if .Enterprise }}-ent{{ end }}-v{{ .Version }}-{{ .OS }}-{{ .Arch }}{{ if .FIPS }}-fips{{ end }}-bin.tar.gz
+	{{- end }}`
+	// BaseURLEnvVar allows to override base URL for the Teleport package URL via env var.
+	BaseURLEnvVar = "TELEPORT_CDN_BASE_URL"
+)
+
+// MakeURL constructs the package download URL from template, base URL and revision.
+func MakeURL(uriTmpl string, baseURL string, pkg string, version string, flags InstallFlags) (string, error) {
+	tmpl, err := template.New("uri").Parse(uriTmpl)
+	if err != nil {
+		return "", trace.Wrap(err)
+	}
+	var uriBuf bytes.Buffer
+	params := struct {
+		BaseURL, OS, Version, Arch, Package string
+		FIPS, Enterprise                    bool
+	}{
+		BaseURL:    baseURL,
+		OS:         runtime.GOOS,
+		Version:    version,
+		Arch:       runtime.GOARCH,
+		FIPS:       flags&FlagFIPS != 0,
+		Enterprise: flags&(FlagEnterprise|FlagFIPS) != 0,
+		Package:    pkg,
+	}
+	err = tmpl.Execute(&uriBuf, params)
+	if err != nil {
+		return "", trace.Wrap(err)
+	}
+
+	return uriBuf.String(), nil
+}
diff --git a/lib/autoupdate/tools/helper.go b/lib/autoupdate/tools/helper.go
index a3322f88d767b..f7d3e691b2ef4 100644
--- a/lib/autoupdate/tools/helper.go
+++ b/lib/autoupdate/tools/helper.go
@@ -27,6 +27,7 @@ import (
 	"github.com/gravitational/trace"
 
 	"github.com/gravitational/teleport"
+	"github.com/gravitational/teleport/lib/autoupdate"
 	stacksignal "github.com/gravitational/teleport/lib/utils/signal"
 )
 
@@ -35,7 +36,7 @@ var (
 	// version is the current version of the Teleport.
 	version = teleport.Version
 	// baseURL is CDN URL for downloading official Teleport packages.
-	baseURL = defaultBaseURL
+	baseURL = autoupdate.DefaultBaseURL
 )
 
 // CheckAndUpdateLocal verifies if the TELEPORT_TOOLS_VERSION environment variable
@@ -52,6 +53,11 @@ func CheckAndUpdateLocal(ctx context.Context, reExecArgs []string) error {
 		return nil
 	}
 
+	// Overrides default base URL for custom CDN for downloading updates.
+	if envBaseURL := os.Getenv(autoupdate.BaseURLEnvVar); envBaseURL != "" {
+		baseURL = envBaseURL
+	}
+
 	updater := NewUpdater(toolsDir, version, WithBaseURL(baseURL))
 	// At process startup, check if a version has already been downloaded to
 	// $TELEPORT_HOME/bin or if the user has set the TELEPORT_TOOLS_VERSION
@@ -80,12 +86,12 @@ func CheckAndUpdateRemote(ctx context.Context, proxy string, insecure bool, reEx
 		slog.WarnContext(ctx, "Client tools update is disabled", "error", err)
 		return nil
 	}
+	// Overrides default base URL for custom CDN for downloading updates.
+	if envBaseURL := os.Getenv(autoupdate.BaseURLEnvVar); envBaseURL != "" {
+		baseURL = envBaseURL
+	}
+
 	updater := NewUpdater(toolsDir, version, WithBaseURL(baseURL))
-	// The user has typed a command like `tsh ssh ...` without being logged in,
-	// if the running binary needs to be updated, update and re-exec.
-	//
-	// If needed, download the new version of client tools and re-exec. Make
-	// sure to exit this process with the same exit code as the child process.
 	toolsVersion, reExec, err := updater.CheckRemote(ctx, proxy, insecure)
 	if err != nil {
 		return trace.Wrap(err)
diff --git a/lib/autoupdate/tools/updater.go b/lib/autoupdate/tools/updater.go
index 2845864f9c5ef..b148be735aedb 100644
--- a/lib/autoupdate/tools/updater.go
+++ b/lib/autoupdate/tools/updater.go
@@ -42,6 +42,7 @@ import (
 
 	"github.com/gravitational/teleport/api/client/webclient"
 	"github.com/gravitational/teleport/api/constants"
+	"github.com/gravitational/teleport/lib/autoupdate"
 	"github.com/gravitational/teleport/lib/utils"
 	"github.com/gravitational/teleport/lib/utils/packaging"
 )
@@ -49,8 +50,6 @@ import (
 const (
 	// teleportToolsVersionEnv is environment name for requesting specific version for update.
 	teleportToolsVersionEnv = "TELEPORT_TOOLS_VERSION"
-	// defaultBaseURL is CDN URL for downloading official Teleport packages.
-	defaultBaseURL = "https://cdn.teleport.dev"
 	// reservedFreeDisk is the predefined amount of free disk space (in bytes) required
 	// to remain available after downloading archives.
 	reservedFreeDisk = 10 * 1024 * 1024 // 10 Mb
@@ -75,6 +74,13 @@ func WithBaseURL(baseURL string) Option {
 	}
 }
 
+// WithURITemplate defines custom URI template for the updater.
+func WithURITemplate(uriTemplate string) Option {
+	return func(u *Updater) {
+		u.uriTemplate = uriTemplate
+	}
+}
+
 // WithClient defines custom http client for the Updater.
 func WithClient(client *http.Client) Option {
 	return func(u *Updater) {
@@ -94,9 +100,10 @@ type Updater struct {
 	toolsDir     string
 	localVersion string
 	tools        []string
+	uriTemplate  string
+	baseURL      string
 
-	baseURL string
-	client  *http.Client
+	client *http.Client
 }
 
 // NewUpdater initializes the updater for client tools auto updates. We need to specify the tools directory
@@ -109,7 +116,8 @@ func NewUpdater(toolsDir, localVersion string, options ...Option) *Updater {
 		tools:        DefaultClientTools(),
 		toolsDir:     toolsDir,
 		localVersion: localVersion,
-		baseURL:      defaultBaseURL,
+		uriTemplate:  autoupdate.DefaultCDNURITemplate,
+		baseURL:      autoupdate.DefaultBaseURL,
 		client:       http.DefaultClient,
 	}
 	for _, option := range options {
@@ -255,7 +263,7 @@ func (u *Updater) UpdateWithLock(ctx context.Context, updateToolsVersion string)
 // with defined updater directory suffix.
 func (u *Updater) Update(ctx context.Context, toolsVersion string) error {
 	// Get platform specific download URLs.
-	packages, err := teleportPackageURLs(u.baseURL, toolsVersion)
+	packages, err := teleportPackageURLs(u.uriTemplate, u.baseURL, toolsVersion)
 	if err != nil {
 		return trace.Wrap(err)
 	}
diff --git a/lib/autoupdate/tools/utils.go b/lib/autoupdate/tools/utils.go
index f937d228b5cd4..eb9e5f7ad8a9f 100644
--- a/lib/autoupdate/tools/utils.go
+++ b/lib/autoupdate/tools/utils.go
@@ -35,6 +35,7 @@ import (
 
 	"github.com/gravitational/teleport/api/constants"
 	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/lib/autoupdate"
 	"github.com/gravitational/teleport/lib/modules"
 	"github.com/gravitational/teleport/lib/utils"
 )
@@ -125,41 +126,36 @@ type packageURL struct {
 	Optional bool
 }
 
-// teleportPackageURLs returns the URL for the Teleport archive to download. The format is:
-// https://cdn.teleport.dev/teleport-{, ent-}v15.3.0-{linux, darwin, windows}-{amd64,arm64,arm,386}-{fips-}bin.tar.gz
-func teleportPackageURLs(baseURL, toolsVersion string) ([]packageURL, error) {
-	switch runtime.GOOS {
-	case "darwin":
-		tsh := baseURL + "/tsh-" + toolsVersion + ".pkg"
-		teleport := baseURL + "/teleport-" + toolsVersion + ".pkg"
-		return []packageURL{
-			{Archive: teleport, Hash: teleport + ".sha256"},
-			{Archive: tsh, Hash: tsh + ".sha256", Optional: true},
-		}, nil
-	case "windows":
-		archive := baseURL + "/teleport-v" + toolsVersion + "-windows-amd64-bin.zip"
-		return []packageURL{
-			{Archive: archive, Hash: archive + ".sha256"},
-		}, nil
-	case "linux":
-		m := modules.GetModules()
-		var b strings.Builder
-		b.WriteString(baseURL + "/teleport-")
-		if m.IsEnterpriseBuild() || m.IsBoringBinary() {
-			b.WriteString("ent-")
-		}
-		b.WriteString("v" + toolsVersion + "-" + runtime.GOOS + "-" + runtime.GOARCH + "-")
-		if m.IsBoringBinary() {
-			b.WriteString("fips-")
+// teleportPackageURLs returns the URL for the Teleport archive to download.
+func teleportPackageURLs(uriTmpl string, baseURL, version string) ([]packageURL, error) {
+	var flags autoupdate.InstallFlags
+	m := modules.GetModules()
+	if m.IsBoringBinary() {
+		flags |= autoupdate.FlagFIPS
+	}
+	if m.IsEnterpriseBuild() || m.IsBoringBinary() {
+		flags |= autoupdate.FlagEnterprise
+	}
+
+	teleportURL, err := autoupdate.MakeURL(uriTmpl, baseURL, autoupdate.DefaultPackage, version, flags)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	if runtime.GOOS == constants.DarwinOS {
+		tshURL, err := autoupdate.MakeURL(uriTmpl, baseURL, "tsh", version, flags)
+		if err != nil {
+			return nil, trace.Wrap(err)
 		}
-		b.WriteString("bin.tar.gz")
-		archive := b.String()
+
 		return []packageURL{
-			{Archive: archive, Hash: archive + ".sha256"},
+			{Archive: teleportURL, Hash: teleportURL + ".sha256"},
+			{Archive: tshURL, Hash: tshURL + ".sha256", Optional: true},
 		}, nil
-	default:
-		return nil, trace.BadParameter("unsupported runtime: %v", runtime.GOOS)
 	}
+
+	return []packageURL{
+		{Archive: teleportURL, Hash: teleportURL + ".sha256"},
+	}, nil
 }
 
 // toolName returns the path to {tsh, tctl} for the executable that started
diff --git a/lib/backend/dynamo/atomicwrite_test.go b/lib/backend/dynamo/atomicwrite_test.go
index d17255105b558..99ce7b8f652ea 100644
--- a/lib/backend/dynamo/atomicwrite_test.go
+++ b/lib/backend/dynamo/atomicwrite_test.go
@@ -28,9 +28,10 @@ import (
 
 	"github.com/gravitational/teleport/lib/backend"
 	"github.com/gravitational/teleport/lib/backend/test"
+	"github.com/gravitational/teleport/lib/utils/clocki"
 )
 
-func newAtomicWriteBackend(options ...test.ConstructionOption) (backend.Backend, clockwork.FakeClock, error) {
+func newAtomicWriteBackend(options ...test.ConstructionOption) (backend.Backend, clocki.FakeClock, error) {
 	dynamoCfg := map[string]interface{}{
 		"table_name":         dynamoDBTestTable(),
 		"poll_stream_period": 300 * time.Millisecond,
diff --git a/lib/backend/dynamo/dynamodbbk_test.go b/lib/backend/dynamo/dynamodbbk_test.go
index 4c6739d702c54..803310c86fd55 100644
--- a/lib/backend/dynamo/dynamodbbk_test.go
+++ b/lib/backend/dynamo/dynamodbbk_test.go
@@ -43,6 +43,7 @@ import (
 	"github.com/gravitational/teleport/lib/backend"
 	"github.com/gravitational/teleport/lib/backend/test"
 	"github.com/gravitational/teleport/lib/utils"
+	"github.com/gravitational/teleport/lib/utils/clocki"
 )
 
 func TestMain(m *testing.M) {
@@ -74,7 +75,7 @@ func TestDynamoDB(t *testing.T) {
 		"poll_stream_period": 300 * time.Millisecond,
 	}
 
-	newBackend := func(options ...test.ConstructionOption) (backend.Backend, clockwork.FakeClock, error) {
+	newBackend := func(options ...test.ConstructionOption) (backend.Backend, clocki.FakeClock, error) {
 		testCfg, err := test.ApplyOptions(options)
 		if err != nil {
 			return nil, nil, trace.Wrap(err)
diff --git a/lib/backend/etcdbk/atomicwrite_test.go b/lib/backend/etcdbk/atomicwrite_test.go
index 25369f05f4703..ac64bd3ae007b 100644
--- a/lib/backend/etcdbk/atomicwrite_test.go
+++ b/lib/backend/etcdbk/atomicwrite_test.go
@@ -23,15 +23,15 @@ import (
 	"testing"
 
 	"github.com/gravitational/trace"
-	"github.com/jonboulle/clockwork"
 
 	"github.com/gravitational/teleport/lib/backend"
 	"github.com/gravitational/teleport/lib/backend/test"
+	"github.com/gravitational/teleport/lib/utils/clocki"
 )
 
 // newAtomicWriteTestBackend builds a backend suitable for the atomic write test suite. Once all backends implement AtomicWrite,
 // it will be integrated into the main backend interface and we can get rid of this separate helper.
-func newAtomicWriteTestBackend(options ...test.ConstructionOption) (backend.Backend, clockwork.FakeClock, error) {
+func newAtomicWriteTestBackend(options ...test.ConstructionOption) (backend.Backend, clocki.FakeClock, error) {
 	opts, err := test.ApplyOptions(options)
 	if err != nil {
 		return nil, nil, trace.Wrap(err)
diff --git a/lib/backend/etcdbk/etcd_test.go b/lib/backend/etcdbk/etcd_test.go
index 7adc7cebb91f4..ac6780ed1ef9d 100644
--- a/lib/backend/etcdbk/etcd_test.go
+++ b/lib/backend/etcdbk/etcd_test.go
@@ -28,13 +28,13 @@ import (
 	"time"
 
 	"github.com/gravitational/trace"
-	"github.com/jonboulle/clockwork"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
 	"github.com/gravitational/teleport/lib/backend"
 	"github.com/gravitational/teleport/lib/backend/test"
 	"github.com/gravitational/teleport/lib/utils"
+	"github.com/gravitational/teleport/lib/utils/clocki"
 )
 
 const (
@@ -65,7 +65,7 @@ func TestEtcd(t *testing.T) {
 		t.Skip("This test requires etcd, run `make run-etcd` and set TELEPORT_ETCD_TEST=yes in your environment")
 	}
 
-	newBackend := func(options ...test.ConstructionOption) (backend.Backend, clockwork.FakeClock, error) {
+	newBackend := func(options ...test.ConstructionOption) (backend.Backend, clocki.FakeClock, error) {
 		opts, err := test.ApplyOptions(options)
 		if err != nil {
 			return nil, nil, trace.Wrap(err)
diff --git a/lib/backend/firestore/atomicwrite_test.go b/lib/backend/firestore/atomicwrite_test.go
index 1f20b1fa244cf..b1290f85af623 100644
--- a/lib/backend/firestore/atomicwrite_test.go
+++ b/lib/backend/firestore/atomicwrite_test.go
@@ -27,9 +27,10 @@ import (
 
 	"github.com/gravitational/teleport/lib/backend"
 	"github.com/gravitational/teleport/lib/backend/test"
+	"github.com/gravitational/teleport/lib/utils/clocki"
 )
 
-func newAtomicWriteTestBackend(options ...test.ConstructionOption) (backend.Backend, clockwork.FakeClock, error) {
+func newAtomicWriteTestBackend(options ...test.ConstructionOption) (backend.Backend, clocki.FakeClock, error) {
 	cfg := firestoreParams()
 
 	testCfg, err := test.ApplyOptions(options)
diff --git a/lib/backend/firestore/firestorebk_test.go b/lib/backend/firestore/firestorebk_test.go
index baf93c6184fac..26bd799f8a5de 100644
--- a/lib/backend/firestore/firestorebk_test.go
+++ b/lib/backend/firestore/firestorebk_test.go
@@ -53,6 +53,7 @@ import (
 	"github.com/gravitational/teleport/lib/backend"
 	"github.com/gravitational/teleport/lib/backend/test"
 	"github.com/gravitational/teleport/lib/utils"
+	"github.com/gravitational/teleport/lib/utils/clocki"
 )
 
 func TestMain(m *testing.M) {
@@ -126,7 +127,7 @@ func TestFirestoreDB(t *testing.T) {
 	ensureTestsEnabled(t)
 	ensureEmulatorRunning(t, cfg)
 
-	newBackend := func(options ...test.ConstructionOption) (backend.Backend, clockwork.FakeClock, error) {
+	newBackend := func(options ...test.ConstructionOption) (backend.Backend, clocki.FakeClock, error) {
 		testCfg, err := test.ApplyOptions(options)
 		if err != nil {
 			return nil, nil, trace.Wrap(err)
diff --git a/lib/backend/lite/atomicwrite_test.go b/lib/backend/lite/atomicwrite_test.go
index 543a0431586e7..db5562dc4bb42 100644
--- a/lib/backend/lite/atomicwrite_test.go
+++ b/lib/backend/lite/atomicwrite_test.go
@@ -28,12 +28,13 @@ import (
 
 	"github.com/gravitational/teleport/lib/backend"
 	"github.com/gravitational/teleport/lib/backend/test"
+	"github.com/gravitational/teleport/lib/utils/clocki"
 )
 
 // newAtomicWriteTestBackendBuilder builds a backend suitable for the atomic write test suite. Once all backends implement AtomicWrite,
 // it will be integrated into the main backend interface and we can get rid of this separate helper.
-func newAtomicWriteTestBackendBuilder(t *testing.T) func(options ...test.ConstructionOption) (backend.Backend, clockwork.FakeClock, error) {
-	return func(options ...test.ConstructionOption) (backend.Backend, clockwork.FakeClock, error) {
+func newAtomicWriteTestBackendBuilder(t *testing.T) test.Constructor {
+	return func(options ...test.ConstructionOption) (backend.Backend, clocki.FakeClock, error) {
 		clock := clockwork.NewFakeClock()
 
 		cfg, err := test.ApplyOptions(options)
diff --git a/lib/backend/lite/lite_test.go b/lib/backend/lite/lite_test.go
index b401b595ebbcd..e3383b3082802 100644
--- a/lib/backend/lite/lite_test.go
+++ b/lib/backend/lite/lite_test.go
@@ -31,6 +31,7 @@ import (
 	"github.com/gravitational/teleport/lib/backend"
 	"github.com/gravitational/teleport/lib/backend/test"
 	"github.com/gravitational/teleport/lib/utils"
+	"github.com/gravitational/teleport/lib/utils/clocki"
 )
 
 func TestMain(m *testing.M) {
@@ -39,7 +40,7 @@ func TestMain(m *testing.M) {
 }
 
 func TestLite(t *testing.T) {
-	newBackend := func(options ...test.ConstructionOption) (backend.Backend, clockwork.FakeClock, error) {
+	newBackend := func(options ...test.ConstructionOption) (backend.Backend, clocki.FakeClock, error) {
 		clock := clockwork.NewFakeClock()
 
 		cfg, err := test.ApplyOptions(options)
diff --git a/lib/backend/memory/atomicwrite_test.go b/lib/backend/memory/atomicwrite_test.go
index 95314c7776e64..a3bf7747855d4 100644
--- a/lib/backend/memory/atomicwrite_test.go
+++ b/lib/backend/memory/atomicwrite_test.go
@@ -26,11 +26,12 @@ import (
 
 	"github.com/gravitational/teleport/lib/backend"
 	"github.com/gravitational/teleport/lib/backend/test"
+	"github.com/gravitational/teleport/lib/utils/clocki"
 )
 
 // newAtomicWriteTestBackend builds a backend suitable for the atomic write test suite. Once all backends implement AtomicWrite,
 // it will be integrated into the main backend interface and we can get rid of this separate helper.
-func newAtomicWriteTestBackend(options ...test.ConstructionOption) (backend.Backend, clockwork.FakeClock, error) {
+func newAtomicWriteTestBackend(options ...test.ConstructionOption) (backend.Backend, clocki.FakeClock, error) {
 	cfg, err := test.ApplyOptions(options)
 
 	if err != nil {
diff --git a/lib/backend/memory/memory_test.go b/lib/backend/memory/memory_test.go
index 46e8b7532fdfa..442b97343a0ee 100644
--- a/lib/backend/memory/memory_test.go
+++ b/lib/backend/memory/memory_test.go
@@ -32,6 +32,7 @@ import (
 	"github.com/gravitational/teleport/lib/backend"
 	"github.com/gravitational/teleport/lib/backend/test"
 	"github.com/gravitational/teleport/lib/utils"
+	"github.com/gravitational/teleport/lib/utils/clocki"
 )
 
 func TestMain(m *testing.M) {
@@ -40,7 +41,7 @@ func TestMain(m *testing.M) {
 }
 
 func TestMemory(t *testing.T) {
-	newBackend := func(options ...test.ConstructionOption) (backend.Backend, clockwork.FakeClock, error) {
+	newBackend := func(options ...test.ConstructionOption) (backend.Backend, clocki.FakeClock, error) {
 		cfg, err := test.ApplyOptions(options)
 
 		if err != nil {
diff --git a/lib/backend/pgbk/atomicwrite_test.go b/lib/backend/pgbk/atomicwrite_test.go
index d694b1de968fe..5f0379eb33a41 100644
--- a/lib/backend/pgbk/atomicwrite_test.go
+++ b/lib/backend/pgbk/atomicwrite_test.go
@@ -29,6 +29,7 @@ import (
 
 	"github.com/gravitational/teleport/lib/backend"
 	"github.com/gravitational/teleport/lib/backend/test"
+	"github.com/gravitational/teleport/lib/utils/clocki"
 )
 
 // Testing requires a local psql backend to be set up, and for params to be passed via env. Ex:
@@ -37,7 +38,7 @@ import (
 
 // newAtomicWriteTestBackend builds a backend suitable for the atomic write test suite. Once all backends implement AtomicWrite,
 // it will be integrated into the main backend interface and we can get rid of this separate helper.
-func newAtomicWriteTestBackend(options ...test.ConstructionOption) (backend.Backend, clockwork.FakeClock, error) {
+func newAtomicWriteTestBackend(options ...test.ConstructionOption) (backend.Backend, clocki.FakeClock, error) {
 	testCfg, err := test.ApplyOptions(options)
 	if err != nil {
 		return nil, nil, trace.Wrap(err)
diff --git a/lib/backend/pgbk/pgbk_test.go b/lib/backend/pgbk/pgbk_test.go
index 11471ebe638ee..fe4e66d439144 100644
--- a/lib/backend/pgbk/pgbk_test.go
+++ b/lib/backend/pgbk/pgbk_test.go
@@ -31,6 +31,7 @@ import (
 	"github.com/gravitational/teleport/lib/backend"
 	"github.com/gravitational/teleport/lib/backend/test"
 	"github.com/gravitational/teleport/lib/utils"
+	"github.com/gravitational/teleport/lib/utils/clocki"
 )
 
 func TestMain(m *testing.M) {
@@ -47,7 +48,7 @@ func TestPostgresBackend(t *testing.T) {
 		t.Skip("Postgres backend tests are disabled. Enable them by setting the TELEPORT_PGBK_TEST_PARAMS_JSON variable.")
 	}
 
-	newBackend := func(options ...test.ConstructionOption) (backend.Backend, clockwork.FakeClock, error) {
+	newBackend := func(options ...test.ConstructionOption) (backend.Backend, clocki.FakeClock, error) {
 		testCfg, err := test.ApplyOptions(options)
 		if err != nil {
 			return nil, nil, trace.Wrap(err)
diff --git a/lib/backend/test/atomicwrite_shim.go b/lib/backend/test/atomicwrite_shim.go
index d2df92aa07224..9e93cbb07ad3f 100644
--- a/lib/backend/test/atomicwrite_shim.go
+++ b/lib/backend/test/atomicwrite_shim.go
@@ -26,9 +26,9 @@ import (
 
 	"github.com/google/uuid"
 	"github.com/gravitational/trace"
-	"github.com/jonboulle/clockwork"
 
 	"github.com/gravitational/teleport/lib/backend"
+	"github.com/gravitational/teleport/lib/utils/clocki"
 )
 
 // RunBackendComplianceSuiteWithAtomicWriteShim runs the old backend compliance suite against the provided backend
@@ -36,7 +36,7 @@ import (
 // AtomicWrite. This is done to ensure that the relationship between the conditional actions of AtomicWrite and the
 // single-write methods is well defined, and to improve overall coverage of AtomicWrite implementations via reuse.
 func RunBackendComplianceSuiteWithAtomicWriteShim(t *testing.T, newBackend Constructor) {
-	RunBackendComplianceSuite(t, func(options ...ConstructionOption) (backend.Backend, clockwork.FakeClock, error) {
+	RunBackendComplianceSuite(t, func(options ...ConstructionOption) (backend.Backend, clocki.FakeClock, error) {
 		bk, clock, err := newBackend(options...)
 		if err != nil {
 			return nil, nil, trace.Wrap(err)
diff --git a/lib/backend/test/suite.go b/lib/backend/test/suite.go
index ec00969240a6b..a35d081ceed61 100644
--- a/lib/backend/test/suite.go
+++ b/lib/backend/test/suite.go
@@ -40,6 +40,7 @@ import (
 
 	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/lib/backend"
+	"github.com/gravitational/teleport/lib/utils/clocki"
 )
 
 var (
@@ -123,7 +124,7 @@ func (r BlockingFakeClock) BlockUntil(int) {
 // Constructor describes a function for constructing new instances of a
 // backend, with various options as required by a given test. Note that
 // it's the caller's responsibility to close it when the test is finished.
-type Constructor func(options ...ConstructionOption) (backend.Backend, clockwork.FakeClock, error)
+type Constructor func(options ...ConstructionOption) (backend.Backend, clocki.FakeClock, error)
 
 // RunBackendComplianceSuite runs the entire backend compliance suite,
 // creating a collection of named subtests under the context provided
diff --git a/lib/client/api.go b/lib/client/api.go
index 8a23d776693cc..da7a44c0f072f 100644
--- a/lib/client/api.go
+++ b/lib/client/api.go
@@ -5292,6 +5292,29 @@ func (tc *TeleportClient) RootClusterCACertPool(ctx context.Context) (*x509.Cert
 	return pool, trace.Wrap(err)
 }
 
+// RootClusterCACertPoolPEM returns a PEM-encoded cert pool with the root cluster CA.
+func (tc *TeleportClient) RootClusterCACertPoolPEM(ctx context.Context) ([]byte, error) {
+	_, span := tc.Tracer.Start(
+		ctx,
+		"teleportClient/RootClusterCACertPoolPEM",
+		oteltrace.WithSpanKind(oteltrace.SpanKindClient),
+	)
+	defer span.End()
+
+	keyRing, err := tc.localAgent.GetCoreKeyRing()
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	rootClusterName, err := keyRing.RootClusterName()
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	pool, err := keyRing.clientCertPoolPEM(rootClusterName)
+	return pool, trace.Wrap(err)
+}
+
 // HeadlessApprove handles approval of a headless authentication request.
 func (tc *TeleportClient) HeadlessApprove(ctx context.Context, headlessAuthenticationID string, confirm bool) error {
 	ctx, span := tc.Tracer.Start(
diff --git a/lib/client/ca_export.go b/lib/client/ca_export.go
index 011be4c4682d9..ad5de7e995e34 100644
--- a/lib/client/ca_export.go
+++ b/lib/client/ca_export.go
@@ -23,7 +23,6 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
-	"log/slog"
 	"strings"
 	"time"
 
@@ -52,23 +51,6 @@ type ExportAuthoritiesRequest struct {
 	AuthType                   string
 	ExportAuthorityFingerprint string
 	UseCompatVersion           bool
-	Integration                string
-}
-
-func (r *ExportAuthoritiesRequest) shouldExportIntegration(ctx context.Context) (bool, error) {
-	switch r.AuthType {
-	case "github":
-		if r.Integration == "" {
-			return false, trace.BadParameter("integration name must be provided for %q CAs", r.AuthType)
-		}
-		return true, nil
-	default:
-		if r.Integration != "" {
-			r.Integration = ""
-			slog.DebugContext(ctx, "Integration name is ignored for non-integration CAs")
-		}
-		return false, nil
-	}
 }
 
 // ExportedAuthority represents an exported authority certificate, as returned
@@ -130,22 +112,9 @@ func exportAllAuthorities(
 	req ExportAuthoritiesRequest,
 	exportSecrets bool,
 ) ([]*ExportedAuthority, error) {
-	var authorities []*ExportedAuthority
-	switch isIntegration, err := req.shouldExportIntegration(ctx); {
-	case err != nil:
+	authorities, err := exportAuth(ctx, client, req, exportSecrets)
+	if err != nil {
 		return nil, trace.Wrap(err)
-	case isIntegration && exportSecrets:
-		return nil, trace.NotImplemented("export with secrets is not supported for %q CAs", req.AuthType)
-	case isIntegration:
-		authorities, err = exportAuthForIntegration(ctx, client, req)
-		if err != nil {
-			return nil, trace.Wrap(err)
-		}
-	default:
-		authorities, err = exportAuth(ctx, client, req, exportSecrets)
-		if err != nil {
-			return nil, trace.Wrap(err)
-		}
 	}
 
 	// Sanity check that we have at least one authority.
@@ -423,9 +392,52 @@ func hostCAFormat(ca types.CertAuthority, keyBytes []byte, client authclient.Cli
 	})
 }
 
-func exportAuthForIntegration(ctx context.Context, client authclient.ClientI, req ExportAuthoritiesRequest) ([]*ExportedAuthority, error) {
+// IsIntegrationAuthorityType returns true if provided type is an integration CA
+// type.
+func IsIntegrationAuthorityType(authType string) bool {
+	return authType == types.IntegrationSubKindGitHub
+}
+
+// ExportIntegrationAuthoritiesRequest has the required fields to create an
+// export authorities request for integrations.
+type ExportIntegrationAuthoritiesRequest struct {
+	// AuthType is the type of CA to be exported. See
+	// ExportIntegrationAuthorities for details.
+	AuthType string
+	// MatchFingerprint filters authorities using provided fingerprint if
+	// specified. Fingerprint must be the SHA256 of the Authority's public key.
+	MatchFingerprint string
+	// Integration is the name of the integration resource.
+	Integration string
+}
+
+// ExportIntegrationAuthorities exports the public keys of all authorities
+// associated with an integration.
+//
+// Integrations that require certificate authorities have their CAs saved as
+// plugin credentials per integration. This ensures compatibility with services
+// like GitHub which mandate the use of unique CAs cross all integrations.
+// In addition, unlike cluster-level CAs, integration CAs are not used between
+// Teleport clients/agents/clusters. Integration CAs should only be used by an
+// agent to authenticate the service associated with the integration.
+//
+// Exporting integration CAs requires READ access to the integration. Currently,
+// "github" is the only supported AuthType.
+//
+// "github" AuthType returns the public key of each SSH certificate authority in
+// a single line. Each line starts with key type like "ssh-rsa AA..." and can be
+// copied to the text box when configuring new CA for a GitHub organization.
+// Once a CA is added to the GitHub organization, GitHub only displays the
+// SHA256 fingerprint of the key and the date it was added. The MatchFingerprint
+// option can be used to verify whether a fingerprint corresponds to that
+// particular integration.
+func ExportIntegrationAuthorities(ctx context.Context, client authclient.ClientI, req ExportIntegrationAuthoritiesRequest) ([]*ExportedAuthority, error) {
+	if req.Integration == "" {
+		return nil, trace.BadParameter("integration name is required when exporting integration authorities")
+	}
+
 	switch req.AuthType {
-	case "github":
+	case types.IntegrationSubKindGitHub:
 		keySet, err := fetchIntegrationCAKeySet(ctx, client, req.Integration)
 		if err != nil {
 			return nil, trace.Wrap(err)
@@ -453,13 +465,13 @@ func fetchIntegrationCAKeySet(ctx context.Context, client authclient.ClientI, in
 	return resp.CertAuthorities, nil
 }
 
-func exportGitHubCAs(keySet *types.CAKeySet, req ExportAuthoritiesRequest) (string, error) {
+func exportGitHubCAs(keySet *types.CAKeySet, req ExportIntegrationAuthoritiesRequest) (string, error) {
 	ret := strings.Builder{}
 	for _, key := range keySet.SSH {
-		if req.ExportAuthorityFingerprint != "" {
+		if req.MatchFingerprint != "" {
 			if fingerprint, err := sshutils.AuthorizedKeyFingerprint(key.PublicKey); err != nil {
 				return "", trace.Wrap(err)
-			} else if !sshutils.EqualFingerprints(req.ExportAuthorityFingerprint, fingerprint) {
+			} else if !sshutils.EqualFingerprints(req.MatchFingerprint, fingerprint) {
 				continue
 			}
 		}
@@ -468,5 +480,8 @@ func exportGitHubCAs(keySet *types.CAKeySet, req ExportAuthoritiesRequest) (stri
 		// cert-authority for easier copy-and-paste.
 		ret.WriteString(fmt.Sprintf("%s integration=%s\n", strings.TrimSpace(string(key.PublicKey)), req.Integration))
 	}
+	if req.MatchFingerprint != "" && ret.Len() == 0 {
+		return "", trace.NotFound("no authorities found matching the provided fingerprint")
+	}
 	return ret.String(), nil
 }
diff --git a/lib/client/ca_export_test.go b/lib/client/ca_export_test.go
index 2bec5410e195c..e42f0ef0da708 100644
--- a/lib/client/ca_export_test.go
+++ b/lib/client/ca_export_test.go
@@ -41,6 +41,7 @@ import (
 	"github.com/gravitational/teleport/lib/auth/authclient"
 	"github.com/gravitational/teleport/lib/cryptosuites"
 	"github.com/gravitational/teleport/lib/fixtures"
+	"github.com/gravitational/teleport/lib/sshutils"
 )
 
 type mockAuthClient struct {
@@ -126,19 +127,8 @@ func TestExportAuthorities(t *testing.T) {
 		require.NotNil(t, privKey, "x509.ParsePKCS8PrivateKey returned a nil key")
 	}
 
-	validateGitHubCAFunc := func(t *testing.T, s string) {
-		require.Contains(t, s, fixtures.SSHCAPublicKey)
-	}
-
 	mockedAuthClient := &mockAuthClient{
 		server: testAuth.AuthServer,
-		integrationsClient: mockIntegrationsClient{
-			caKeySet: &types.CAKeySet{
-				SSH: []*types.SSHKeyPair{{
-					PublicKey: []byte(fixtures.SSHCAPublicKey),
-				}},
-			},
-		},
 	}
 
 	for _, tt := range []struct {
@@ -288,23 +278,6 @@ func TestExportAuthorities(t *testing.T) {
 			assertNoSecrets: validateTLSCertificateDERFunc,
 			assertSecrets:   validateRSAPrivateKeyDERFunc,
 		},
-		{
-			name: "github missing integration",
-			req: ExportAuthoritiesRequest{
-				AuthType: "github",
-			},
-			errorCheck: require.Error,
-		},
-		{
-			name: "github",
-			req: ExportAuthoritiesRequest{
-				AuthType:    "github",
-				Integration: "my-github",
-			},
-			errorCheck:      require.NoError,
-			assertNoSecrets: validateGitHubCAFunc,
-			skipSecrets:     true, // not supported for GitHub
-		},
 	} {
 		runTest := func(
 			t *testing.T,
@@ -528,3 +501,93 @@ func (m *multiCAAuthClient) PerformMFACeremony(
 	// Skip MFA ceremonies.
 	return nil, &mfa.ErrMFANotRequired
 }
+
+func TestExportIntegrationAuthorities(t *testing.T) {
+	t.Parallel()
+
+	ctx := context.Background()
+	testAuth, err := auth.NewTestAuthServer(auth.TestAuthServerConfig{
+		ClusterName: "localcluster",
+		Dir:         t.TempDir(),
+	})
+	require.NoError(t, err)
+
+	fingerprint, err := sshutils.AuthorizedKeyFingerprint([]byte(fixtures.SSHCAPublicKey))
+	require.NoError(t, err)
+
+	mockedAuthClient := &mockAuthClient{
+		server: testAuth.AuthServer,
+		integrationsClient: mockIntegrationsClient{
+			caKeySet: &types.CAKeySet{
+				SSH: []*types.SSHKeyPair{{
+					PublicKey: []byte(fixtures.SSHCAPublicKey),
+				}},
+			},
+		},
+	}
+
+	for _, tc := range []struct {
+		name        string
+		req         ExportIntegrationAuthoritiesRequest
+		checkError  require.ErrorAssertionFunc
+		checkOutput func(*testing.T, []*ExportedAuthority)
+	}{
+		{
+			name: "missing integration",
+			req: ExportIntegrationAuthoritiesRequest{
+				AuthType: "github",
+			},
+			checkError: require.Error,
+		},
+		{
+			name: "unknown type",
+			req: ExportIntegrationAuthoritiesRequest{
+				AuthType:    "unknown",
+				Integration: "integration",
+			},
+			checkError: require.Error,
+		},
+		{
+			name: "github",
+			req: ExportIntegrationAuthoritiesRequest{
+				AuthType:    "github",
+				Integration: "integration",
+			},
+			checkError: require.NoError,
+			checkOutput: func(t *testing.T, authorities []*ExportedAuthority) {
+				require.Len(t, authorities, 1)
+				require.Contains(t, string(authorities[0].Data), fixtures.SSHCAPublicKey)
+			},
+		},
+		{
+			name: "matching fingerprint",
+			req: ExportIntegrationAuthoritiesRequest{
+				AuthType:         "github",
+				Integration:      "integration",
+				MatchFingerprint: fingerprint,
+			},
+			checkError: require.NoError,
+			checkOutput: func(t *testing.T, authorities []*ExportedAuthority) {
+				require.Len(t, authorities, 1)
+				require.Contains(t, string(authorities[0].Data), fixtures.SSHCAPublicKey)
+			},
+		},
+		{
+			name: "no matching fingerprint",
+			req: ExportIntegrationAuthoritiesRequest{
+				AuthType:         "github",
+				Integration:      "integration",
+				MatchFingerprint: "something-does-not-match",
+			},
+			checkError: require.Error,
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			authorities, err := ExportIntegrationAuthorities(ctx, mockedAuthClient, tc.req)
+			tc.checkError(t, err)
+			if tc.checkOutput != nil {
+				tc.checkOutput(t, authorities)
+			}
+		})
+	}
+}
diff --git a/lib/client/client_store_test.go b/lib/client/client_store_test.go
index 71239884aaaba..f62aaefeacf00 100644
--- a/lib/client/client_store_test.go
+++ b/lib/client/client_store_test.go
@@ -44,7 +44,6 @@ import (
 	"github.com/gravitational/teleport/lib/auth/testauthority"
 	"github.com/gravitational/teleport/lib/cryptosuites"
 	"github.com/gravitational/teleport/lib/defaults"
-	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/sshca"
 	"github.com/gravitational/teleport/lib/sshutils"
 	"github.com/gravitational/teleport/lib/tlsca"
@@ -111,7 +110,7 @@ func (s *testAuthority) makeSignedKeyRing(t *testing.T, idx KeyRingIndex, makeEx
 		TTL:           ttl,
 		Identity: sshca.Identity{
 			Username:              idx.Username,
-			AllowedLogins:         allowedLogins,
+			Principals:            allowedLogins,
 			PermitAgentForwarding: false,
 			PermitPortForwarding:  true,
 			GitHubUserID:          "1234567",
@@ -311,13 +310,15 @@ func TestProxySSHConfig(t *testing.T) {
 		caSigner, err := ssh.ParsePrivateKey(CAPriv)
 		require.NoError(t, err)
 
-		hostCert, err := auth.keygen.GenerateHostCert(services.HostCertParams{
+		hostCert, err := auth.keygen.GenerateHostCert(sshca.HostCertificateRequest{
 			CASigner:      caSigner,
 			PublicHostKey: hostPub,
 			HostID:        "127.0.0.1",
 			NodeName:      "127.0.0.1",
-			ClusterName:   "host-cluster-name",
-			Role:          types.RoleNode,
+			Identity: sshca.Identity{
+				ClusterName: "host-cluster-name",
+				SystemRole:  types.RoleNode,
+			},
 		})
 		require.NoError(t, err)
 
diff --git a/lib/client/identityfile/identity_test.go b/lib/client/identityfile/identity_test.go
index 9d8eeb62a894d..fe1d9df9a9857 100644
--- a/lib/client/identityfile/identity_test.go
+++ b/lib/client/identityfile/identity_test.go
@@ -112,8 +112,8 @@ func newClientKeyRing(t *testing.T, modifiers ...func(*tlsca.Identity)) *client.
 		CASigner:      caSigner,
 		PublicUserKey: ssh.MarshalAuthorizedKey(privateKey.SSHPublicKey()),
 		Identity: sshca.Identity{
-			Username:      "testuser",
-			AllowedLogins: []string{"testuser"},
+			Username:   "testuser",
+			Principals: []string{"testuser"},
 		},
 	})
 	require.NoError(t, err)
diff --git a/lib/client/interfaces.go b/lib/client/interfaces.go
index b755a98de5970..95ea6319d845a 100644
--- a/lib/client/interfaces.go
+++ b/lib/client/interfaces.go
@@ -29,6 +29,7 @@ import (
 	"crypto/x509"
 	"fmt"
 	"log/slog"
+	"slices"
 	"strings"
 	"time"
 
@@ -303,21 +304,39 @@ func (k *KeyRing) clientTLSConfig(cipherSuites []uint16, cred TLSCredential, clu
 
 // ClientCertPool returns x509.CertPool containing trusted CA.
 func (k *KeyRing) clientCertPool(clusters ...string) (*x509.CertPool, error) {
+	certPoolPEM, err := k.clientCertPoolPEM(clusters...)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
 	pool := x509.NewCertPool()
+	if len(certPoolPEM) == 0 {
+		// It's valid to have no matching CAs and therefore an empty cert pool.
+		return pool, nil
+	}
+	if !pool.AppendCertsFromPEM(certPoolPEM) {
+		return nil, trace.BadParameter("failed to parse TLS CA certificate")
+	}
+	return pool, nil
+}
+
+func (k *KeyRing) clientCertPoolPEM(clusters ...string) ([]byte, error) {
+	var certPoolPEM bytes.Buffer
 	for _, caPEM := range k.TLSCAs() {
 		cert, err := tlsca.ParseCertificatePEM(caPEM)
 		if err != nil {
-			return nil, trace.Wrap(err)
+			return nil, trace.Wrap(err, "parsing TLS CA certificate")
 		}
-		for _, k := range clusters {
-			if cert.Subject.CommonName == k {
-				if !pool.AppendCertsFromPEM(caPEM) {
-					return nil, trace.BadParameter("failed to parse TLS CA certificate")
-				}
-			}
+		if !slices.Contains(clusters, cert.Subject.CommonName) {
+			continue
+		}
+		certPoolPEM.Write(caPEM)
+		// PEM files should end with a trailing newline, just double check
+		// before potentially concatenating multiple together.
+		if caPEM[len(caPEM)-1] != '\n' {
+			certPoolPEM.WriteByte('\n')
 		}
 	}
-	return pool, nil
+	return certPoolPEM.Bytes(), nil
 }
 
 // ProxyClientSSHConfig returns an ssh.ClientConfig with SSH credentials from this
diff --git a/lib/client/keyagent_test.go b/lib/client/keyagent_test.go
index a8dfdae28da95..b937812f49ddb 100644
--- a/lib/client/keyagent_test.go
+++ b/lib/client/keyagent_test.go
@@ -49,7 +49,6 @@ import (
 	"github.com/gravitational/teleport/lib/auth/testauthority"
 	"github.com/gravitational/teleport/lib/cryptosuites"
 	"github.com/gravitational/teleport/lib/fixtures"
-	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/sshca"
 	"github.com/gravitational/teleport/lib/tlsca"
 	"github.com/gravitational/teleport/lib/utils"
@@ -366,17 +365,19 @@ func TestHostCertVerification(t *testing.T) {
 	// Generate a host certificate for node with role "node".
 	_, rootHostPub, err := keygen.GenerateKeyPair()
 	require.NoError(t, err)
-	rootHostCertBytes, err := keygen.GenerateHostCert(services.HostCertParams{
+	rootHostCertBytes, err := keygen.GenerateHostCert(sshca.HostCertificateRequest{
 		CASigner:      root.signer,
 		PublicHostKey: rootHostPub,
 		HostID:        "5ff40d80-9007-4f28-8f49-7d4fda2f574d",
 		NodeName:      "server01",
-		Principals: []string{
-			"127.0.0.1",
+		TTL:           1 * time.Hour,
+		Identity: sshca.Identity{
+			Principals: []string{
+				"127.0.0.1",
+			},
+			ClusterName: "example.com",
+			SystemRole:  types.RoleNode,
 		},
-		ClusterName: "example.com",
-		Role:        types.RoleNode,
-		TTL:         1 * time.Hour,
 	})
 	require.NoError(t, err)
 	rootHostPublicKey, _, _, _, err := ssh.ParseAuthorizedKey(rootHostCertBytes)
@@ -384,14 +385,16 @@ func TestHostCertVerification(t *testing.T) {
 
 	_, leafHostPub, err := keygen.GenerateKeyPair()
 	require.NoError(t, err)
-	leafHostCertBytes, err := keygen.GenerateHostCert(services.HostCertParams{
+	leafHostCertBytes, err := keygen.GenerateHostCert(sshca.HostCertificateRequest{
 		CASigner:      leaf.signer,
 		PublicHostKey: leafHostPub,
 		HostID:        "620bb71c-c9eb-4f6d-9823-f7d9125ebb1d",
 		NodeName:      "server02",
-		ClusterName:   "leaf.example.com",
-		Role:          types.RoleNode,
 		TTL:           1 * time.Hour,
+		Identity: sshca.Identity{
+			ClusterName: "leaf.example.com",
+			SystemRole:  types.RoleNode,
+		},
 	})
 	require.NoError(t, err)
 	leafHostPublicKey, _, _, _, err := ssh.ParseAuthorizedKey(leafHostCertBytes)
@@ -620,14 +623,16 @@ func TestHostCertVerificationLoadAllCasProxyAddrEqClusterName(t *testing.T) {
 func mustGenerateHostPublicCert(t *testing.T, keygen *testauthority.Keygen, signer ssh.Signer, nodeName, clusterName string) ssh.PublicKey {
 	_, leafHostPub, err := keygen.GenerateKeyPair()
 	require.NoError(t, err)
-	leafHostCertBytes, err := keygen.GenerateHostCert(services.HostCertParams{
+	leafHostCertBytes, err := keygen.GenerateHostCert(sshca.HostCertificateRequest{
 		CASigner:      signer,
 		PublicHostKey: leafHostPub,
 		HostID:        uuid.NewString(),
 		NodeName:      nodeName,
-		ClusterName:   clusterName,
-		Role:          types.RoleNode,
 		TTL:           1 * time.Hour,
+		Identity: sshca.Identity{
+			ClusterName: clusterName,
+			SystemRole:  types.RoleNode,
+		},
 	})
 	require.NoError(t, err)
 	leafCerts, err := sshutils.ParseAuthorizedKeys([][]byte{leafHostCertBytes})
@@ -759,7 +764,7 @@ func (s *KeyAgentTestSuite) makeKeyRing(t *testing.T, username, proxyHost string
 		TTL:               ttl,
 		Identity: sshca.Identity{
 			Username:              username,
-			AllowedLogins:         []string{username},
+			Principals:            []string{username},
 			PermitAgentForwarding: true,
 			PermitPortForwarding:  true,
 			RouteToCluster:        s.clusterName,
diff --git a/lib/client/known_hosts_migrate_test.go b/lib/client/known_hosts_migrate_test.go
index 612e7d3082f06..cba71bda212d6 100644
--- a/lib/client/known_hosts_migrate_test.go
+++ b/lib/client/known_hosts_migrate_test.go
@@ -28,7 +28,7 @@ import (
 	"golang.org/x/crypto/ssh"
 
 	"github.com/gravitational/teleport/lib/auth/testauthority"
-	"github.com/gravitational/teleport/lib/services"
+	"github.com/gravitational/teleport/lib/sshca"
 )
 
 type knownHostsMigrateTest struct {
@@ -48,12 +48,14 @@ func generateHostCert(t *testing.T, s *knownHostsMigrateTest, clusterName string
 	caSigner, err := ssh.ParsePrivateKey(CAPriv)
 	require.NoError(t, err)
 
-	cert, err := s.keygen.GenerateHostCert(services.HostCertParams{
+	cert, err := s.keygen.GenerateHostCert(sshca.HostCertificateRequest{
 		CASigner:      caSigner,
 		HostID:        "127.0.0.1",
 		NodeName:      "127.0.0.1",
-		ClusterName:   clusterName,
 		PublicHostKey: hostPub,
+		Identity: sshca.Identity{
+			ClusterName: clusterName,
+		},
 	})
 	require.NoError(t, err)
 
diff --git a/lib/cloud/gcp/vm.go b/lib/cloud/gcp/vm.go
index eb1d1a8820249..0d0e9458713ad 100644
--- a/lib/cloud/gcp/vm.go
+++ b/lib/cloud/gcp/vm.go
@@ -574,26 +574,35 @@ https://cloud.google.com/solutions/connecting-securely#storing_host_keys_by_enab
 		HostKeyCallback: callback,
 	}
 
+	loggerWithVMMetadata := slog.With(
+		"project_id", req.ProjectID,
+		"zone", req.Zone,
+		"vm_name", req.Name,
+		"ips", ipAddrs,
+	)
+
 	var errs []error
 	for _, ip := range ipAddrs {
 		addr := net.JoinHostPort(ip, req.SSHPort)
 		stdout, stderr, err := sshutils.RunSSH(ctx, addr, req.Script, config, sshutils.WithDialer(req.dialContext))
-		slog.DebugContext(ctx, "Command completed",
-			"stdoout", string(stdout),
-			"stderr", string(stderr),
-		)
 		if err == nil {
 			return nil
 		}
 
 		// An exit error means the connection was successful, so don't try another address.
 		if errors.Is(err, &ssh.ExitError{}) {
+			loggerWithVMMetadata.ErrorContext(ctx, "Installing teleport in GCP VM failed after connecting",
+				"ip", ip,
+				"error", err,
+				"stdout", string(stdout),
+				"stderr", string(stderr),
+			)
 			return trace.Wrap(err)
 		}
 		errs = append(errs, err)
 	}
 
 	err = trace.NewAggregate(errs...)
-	slog.DebugContext(ctx, "Command exited with error", "error", err)
+	loggerWithVMMetadata.ErrorContext(ctx, "Installing teleport in GCP VM failed", "error", err)
 	return err
 }
diff --git a/lib/decision/ssh_identity.go b/lib/decision/ssh_identity.go
new file mode 100644
index 0000000000000..0bf120d5307a2
--- /dev/null
+++ b/lib/decision/ssh_identity.go
@@ -0,0 +1,143 @@
+// Teleport
+// Copyright (C) 2025 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package decision
+
+import (
+	decisionpb "github.com/gravitational/teleport/api/gen/proto/go/teleport/decision/v1alpha1"
+	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/api/utils/keys"
+	"github.com/gravitational/teleport/lib/sshca"
+)
+
+// SSHIdentityToSSHCA transforms a [decisionpb.SSHIdentity] into its
+// equivalent [sshca.Identity].
+// Note that certain types, like slices, are not deep-copied.
+func SSHIdentityToSSHCA(id *decisionpb.SSHIdentity) *sshca.Identity {
+	if id == nil {
+		return nil
+	}
+
+	return &sshca.Identity{
+		ValidAfter:              id.ValidAfter,
+		ValidBefore:             id.ValidBefore,
+		CertType:                id.CertType,
+		ClusterName:             id.ClusterName,
+		SystemRole:              types.SystemRole(id.SystemRole),
+		Username:                id.Username,
+		Impersonator:            id.Impersonator,
+		Principals:              id.Principals,
+		PermitX11Forwarding:     id.PermitX11Forwarding,
+		PermitAgentForwarding:   id.PermitAgentForwarding,
+		PermitPortForwarding:    id.PermitPortForwarding,
+		Roles:                   id.Roles,
+		RouteToCluster:          id.RouteToCluster,
+		Traits:                  traitToWrappers(id.Traits),
+		ActiveRequests:          id.ActiveRequests,
+		MFAVerified:             id.MfaVerified,
+		PreviousIdentityExpires: timestampToGoTime(id.PreviousIdentityExpires),
+		LoginIP:                 id.LoginIp,
+		PinnedIP:                id.PinnedIp,
+		DisallowReissue:         id.DisallowReissue,
+		CertificateExtensions:   certExtensionsFromProto(id.CertificateExtensions),
+		Renewable:               id.Renewable,
+		Generation:              id.Generation,
+		BotName:                 id.BotName,
+		BotInstanceID:           id.BotInstanceId,
+		AllowedResourceIDs:      resourceIDsToTypes(id.AllowedResourceIds),
+		ConnectionDiagnosticID:  id.ConnectionDiagnosticId,
+		PrivateKeyPolicy:        keys.PrivateKeyPolicy(id.PrivateKeyPolicy),
+		DeviceID:                id.DeviceId,
+		DeviceAssetTag:          id.DeviceAssetTag,
+		DeviceCredentialID:      id.DeviceCredentialId,
+		GitHubUserID:            id.GithubUserId,
+		GitHubUsername:          id.GithubUsername,
+	}
+}
+
+func SSHIdentityFromSSHCA(id *sshca.Identity) *decisionpb.SSHIdentity {
+	if id == nil {
+		return nil
+	}
+
+	return &decisionpb.SSHIdentity{
+		ValidAfter:              id.ValidAfter,
+		ValidBefore:             id.ValidBefore,
+		CertType:                id.CertType,
+		ClusterName:             id.ClusterName,
+		SystemRole:              string(id.SystemRole),
+		Username:                id.Username,
+		Impersonator:            id.Impersonator,
+		Principals:              id.Principals,
+		PermitX11Forwarding:     id.PermitX11Forwarding,
+		PermitAgentForwarding:   id.PermitAgentForwarding,
+		PermitPortForwarding:    id.PermitPortForwarding,
+		Roles:                   id.Roles,
+		RouteToCluster:          id.RouteToCluster,
+		Traits:                  traitFromWrappers(id.Traits),
+		ActiveRequests:          id.ActiveRequests,
+		MfaVerified:             id.MFAVerified,
+		PreviousIdentityExpires: timestampFromGoTime(id.PreviousIdentityExpires),
+		LoginIp:                 id.LoginIP,
+		PinnedIp:                id.PinnedIP,
+		DisallowReissue:         id.DisallowReissue,
+		CertificateExtensions:   certExtensionsToProto(id.CertificateExtensions),
+		Renewable:               id.Renewable,
+		Generation:              id.Generation,
+		BotName:                 id.BotName,
+		BotInstanceId:           id.BotInstanceID,
+		AllowedResourceIds:      resourceIDsFromTypes(id.AllowedResourceIDs),
+		ConnectionDiagnosticId:  id.ConnectionDiagnosticID,
+		PrivateKeyPolicy:        string(id.PrivateKeyPolicy),
+		DeviceId:                id.DeviceID,
+		DeviceAssetTag:          id.DeviceAssetTag,
+		DeviceCredentialId:      id.DeviceCredentialID,
+		GithubUserId:            id.GitHubUserID,
+		GithubUsername:          id.GitHubUsername,
+	}
+}
+
+func certExtensionsFromProto(extensions []*decisionpb.CertExtension) []*types.CertExtension {
+	if len(extensions) == 0 {
+		return nil
+	}
+	out := make([]*types.CertExtension, 0, len(extensions))
+	for _, extension := range extensions {
+		out = append(out, &types.CertExtension{
+			Mode:  types.CertExtensionMode(int32(extension.Mode) - 1), // enum is equivalent but off by 1
+			Type:  types.CertExtensionType(int32(extension.Type) - 1), // enum is equivalent but off by 1
+			Name:  extension.Name,
+			Value: extension.Value,
+		})
+	}
+	return out
+}
+
+func certExtensionsToProto(extensions []*types.CertExtension) []*decisionpb.CertExtension {
+	if len(extensions) == 0 {
+		return nil
+	}
+	out := make([]*decisionpb.CertExtension, 0, len(extensions))
+	for _, extension := range extensions {
+		out = append(out, &decisionpb.CertExtension{
+			Mode:  decisionpb.CertExtensionMode(int32(extension.Mode) + 1), // enum is equivalent but off by 1
+			Type:  decisionpb.CertExtensionType(int32(extension.Type) + 1), // enum is equivalent but off by 1
+			Name:  extension.Name,
+			Value: extension.Value,
+		})
+	}
+	return out
+}
diff --git a/lib/decision/ssh_identity_test.go b/lib/decision/ssh_identity_test.go
new file mode 100644
index 0000000000000..9bd1412143010
--- /dev/null
+++ b/lib/decision/ssh_identity_test.go
@@ -0,0 +1,101 @@
+// Teleport
+// Copyright (C) 2025 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package decision
+
+import (
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/crypto/ssh"
+
+	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/api/types/wrappers"
+	"github.com/gravitational/teleport/api/utils/keys"
+	"github.com/gravitational/teleport/lib/sshca"
+	"github.com/gravitational/teleport/lib/utils/testutils"
+)
+
+func TestSSHIdentityConversion(t *testing.T) {
+	ident := &sshca.Identity{
+		ValidAfter:              1,
+		ValidBefore:             2,
+		CertType:                ssh.UserCert,
+		ClusterName:             "some-cluster",
+		SystemRole:              types.RoleNode,
+		Username:                "user",
+		Impersonator:            "impersonator",
+		Principals:              []string{"login1", "login2"},
+		PermitX11Forwarding:     true,
+		PermitAgentForwarding:   true,
+		PermitPortForwarding:    true,
+		Roles:                   []string{"role1", "role2"},
+		RouteToCluster:          "cluster",
+		Traits:                  wrappers.Traits{"trait1": []string{"value1"}, "trait2": []string{"value2"}},
+		ActiveRequests:          []string{uuid.NewString()},
+		MFAVerified:             "mfa",
+		PreviousIdentityExpires: time.Unix(12345, 0),
+		LoginIP:                 "127.0.0.1",
+		PinnedIP:                "127.0.0.1",
+		DisallowReissue:         true,
+		CertificateExtensions: []*types.CertExtension{&types.CertExtension{
+			Name:  "extname",
+			Value: "extvalue",
+			Type:  types.CertExtensionType_SSH,
+			Mode:  types.CertExtensionMode_EXTENSION,
+		}},
+		Renewable:     true,
+		Generation:    3,
+		BotName:       "bot",
+		BotInstanceID: "instance",
+		AllowedResourceIDs: []types.ResourceID{{
+			ClusterName:     "cluster",
+			Kind:            types.KindKubePod, // must use a kube resource kind for parsing of sub-resource to work correctly
+			Name:            "name",
+			SubResourceName: "sub/sub",
+		}},
+		ConnectionDiagnosticID: "diag",
+		PrivateKeyPolicy:       keys.PrivateKeyPolicy("policy"),
+		DeviceID:               "device",
+		DeviceAssetTag:         "asset",
+		DeviceCredentialID:     "cred",
+		GitHubUserID:           "github",
+		GitHubUsername:         "ghuser",
+	}
+
+	ignores := []string{
+		"CertExtension.Type", // only currently defined enum variant is a zero value
+		"CertExtension.Mode", // only currently defined enum variant is a zero value
+		// TODO(fspmarshall): figure out a mechanism for making ignore of grpc fields more convenient
+		"CertExtension.XXX_NoUnkeyedLiteral",
+		"CertExtension.XXX_unrecognized",
+		"CertExtension.XXX_sizecache",
+		"ResourceID.XXX_NoUnkeyedLiteral",
+		"ResourceID.XXX_unrecognized",
+		"ResourceID.XXX_sizecache",
+	}
+
+	require.True(t, testutils.ExhaustiveNonEmpty(ident, ignores...), "empty=%+v", testutils.FindAllEmpty(ident, ignores...))
+
+	proto := SSHIdentityFromSSHCA(ident)
+
+	ident2 := SSHIdentityToSSHCA(proto)
+
+	require.Empty(t, cmp.Diff(ident, ident2))
+}
diff --git a/lib/events/filesessions/fileasync_test.go b/lib/events/filesessions/fileasync_test.go
index 7e34693ac0ea9..a015bde8ec15c 100644
--- a/lib/events/filesessions/fileasync_test.go
+++ b/lib/events/filesessions/fileasync_test.go
@@ -492,7 +492,7 @@ func TestUploadBadSession(t *testing.T) {
 type uploaderPack struct {
 	scanPeriod       time.Duration
 	initialScanDelay time.Duration
-	clock            clockwork.FakeClock
+	clock            *clockwork.FakeClock
 	eventsC          chan events.UploadEvent
 	memEventsC       chan events.UploadEvent
 	memUploader      *eventstest.MemoryUploader
diff --git a/lib/kube/proxy/cluster_details_test.go b/lib/kube/proxy/cluster_details_test.go
index 9b52a695752da..987275702198f 100644
--- a/lib/kube/proxy/cluster_details_test.go
+++ b/lib/kube/proxy/cluster_details_test.go
@@ -40,7 +40,7 @@ func TestNewClusterDetails(t *testing.T) {
 	t.Parallel()
 	ctx := context.Background()
 
-	getClusterDetailsConfig := func(c clockwork.FakeClock) (clusterDetailsConfig, *clusterDetailsClientSet) {
+	getClusterDetailsConfig := func(c *clockwork.FakeClock) (clusterDetailsConfig, *clusterDetailsClientSet) {
 		client := &clusterDetailsClientSet{}
 		return clusterDetailsConfig{
 			kubeCreds: &staticKubeCreds{
diff --git a/lib/kube/proxy/forwarder.go b/lib/kube/proxy/forwarder.go
index aeed6d7c631ac..f9f5a5d004f3f 100644
--- a/lib/kube/proxy/forwarder.go
+++ b/lib/kube/proxy/forwarder.go
@@ -429,6 +429,9 @@ type authContext struct {
 	recordingConfig   types.SessionRecordingConfig
 	// clientIdleTimeout sets information on client idle timeout
 	clientIdleTimeout time.Duration
+	// clientIdleTimeoutMessage is the message to be displayed to the user
+	// when the client idle timeout is reached
+	clientIdleTimeoutMessage string
 	// disconnectExpiredCert if set, controls the time when the connection
 	// should be disconnected because the client cert expires
 	disconnectExpiredCert time.Time
@@ -819,13 +822,14 @@ func (f *Forwarder) setupContext(
 	}
 
 	return &authContext{
-		clientIdleTimeout:     roles.AdjustClientIdleTimeout(netConfig.GetClientIdleTimeout()),
-		sessionTTL:            sessionTTL,
-		Context:               authCtx,
-		recordingConfig:       recordingConfig,
-		kubeClusterName:       kubeCluster,
-		certExpires:           identity.Expires,
-		disconnectExpiredCert: authCtx.GetDisconnectCertExpiry(authPref),
+		clientIdleTimeout:        roles.AdjustClientIdleTimeout(netConfig.GetClientIdleTimeout()),
+		clientIdleTimeoutMessage: netConfig.GetClientIdleTimeoutMessage(),
+		sessionTTL:               sessionTTL,
+		Context:                  authCtx,
+		recordingConfig:          recordingConfig,
+		kubeClusterName:          kubeCluster,
+		certExpires:              identity.Expires,
+		disconnectExpiredCert:    authCtx.GetDisconnectCertExpiry(authPref),
 		teleportCluster: teleportClusterClient{
 			name:       teleportClusterName,
 			remoteAddr: utils.NetAddr{AddrNetwork: "tcp", Addr: req.RemoteAddr},
@@ -1690,6 +1694,8 @@ func (f *Forwarder) exec(authCtx *authContext, w http.ResponseWriter, req *http.
 
 	return upgradeRequestToRemoteCommandProxy(request,
 		func(proxy *remoteCommandProxy) error {
+			sess.sendErrStatus = proxy.writeStatus
+
 			if !sess.isLocalKubernetesCluster {
 				// We're forwarding this to another kubernetes_service instance or Teleport proxy, let it handle session recording.
 				return f.remoteExec(req, sess, proxy)
@@ -2362,6 +2368,8 @@ type clusterSession struct {
 	connCtx context.Context
 	// connMonitorCancel is the conn monitor connMonitorCancel function.
 	connMonitorCancel context.CancelCauseFunc
+	// sendErrStatus is a function that sends an error status to the client.
+	sendErrStatus func(status *kubeerrors.StatusError) error
 }
 
 // close cancels the connection monitor context if available.
@@ -2400,6 +2408,7 @@ func (s *clusterSession) monitorConn(conn net.Conn, err error, hostID string) (n
 		LockTargets:           lockTargets,
 		DisconnectExpiredCert: s.disconnectExpiredCert,
 		ClientIdleTimeout:     s.clientIdleTimeout,
+		IdleTimeoutMessage:    s.clientIdleTimeoutMessage,
 		Clock:                 s.parent.cfg.Clock,
 		Tracker:               tc,
 		Conn:                  tc,
@@ -2409,6 +2418,7 @@ func (s *clusterSession) monitorConn(conn net.Conn, err error, hostID string) (n
 		Logger:                s.parent.log,
 		Emitter:               s.parent.cfg.AuthClient,
 		EmitterContext:        s.parent.ctx,
+		MessageWriter:         formatForwardResponseError(s.sendErrStatus),
 	})
 	if err != nil {
 		tc.CloseWithCause(err)
@@ -2770,3 +2780,27 @@ func errorToKubeStatusReason(err error, code int) metav1.StatusReason {
 		return metav1.StatusReasonUnknown
 	}
 }
+
+// formatForwardResponseError formats the error response from the connection
+// monitor to a Kubernetes API error response.
+type formatForwardResponseError func(status *kubeerrors.StatusError) error
+
+func (f formatForwardResponseError) WriteString(s string) (int, error) {
+	if f == nil {
+		return len(s), nil
+	}
+	err := f(
+		&kubeerrors.StatusError{
+			ErrStatus: metav1.Status{
+				Status:  metav1.StatusFailure,
+				Code:    http.StatusInternalServerError,
+				Reason:  metav1.StatusReasonInternalError,
+				Message: s,
+			},
+		},
+	)
+	if err != nil {
+		return 0, trace.Wrap(err)
+	}
+	return len(s), nil
+}
diff --git a/lib/kube/proxy/portforward_spdy.go b/lib/kube/proxy/portforward_spdy.go
index 1745536fc44f1..ad0b5e391a6e0 100644
--- a/lib/kube/proxy/portforward_spdy.go
+++ b/lib/kube/proxy/portforward_spdy.go
@@ -105,7 +105,7 @@ func runPortForwardingHTTPStreams(req portForwardRequest) error {
 	defer h.Close()
 
 	h.logger.DebugContext(req.context, "Setting port forwarding streaming connection idle timeout", "idle_timeout", req.idleTimeout)
-	conn.SetIdleTimeout(req.idleTimeout)
+	conn.SetIdleTimeout(adjustIdleTimeoutForConn(req.idleTimeout))
 
 	h.run()
 	return nil
diff --git a/lib/kube/proxy/portforward_websocket.go b/lib/kube/proxy/portforward_websocket.go
index c2cb4cb6c97a9..4ca01ea473062 100644
--- a/lib/kube/proxy/portforward_websocket.go
+++ b/lib/kube/proxy/portforward_websocket.go
@@ -93,7 +93,7 @@ func runPortForwardingWebSocket(req portForwardRequest) error {
 		},
 	})
 
-	conn.SetIdleTimeout(req.idleTimeout)
+	conn.SetIdleTimeout(adjustIdleTimeoutForConn(req.idleTimeout))
 
 	// Upgrade the request and create the virtual streams.
 	_, streams, err := conn.Open(
@@ -357,7 +357,7 @@ func runPortForwardingTunneledHTTPStreams(req portForwardRequest) error {
 	defer h.Close()
 
 	h.logger.DebugContext(context.Background(), "Setting port forwarding streaming connection idle timeout to", "idle_timeout", req.idleTimeout)
-	spdyConn.SetIdleTimeout(req.idleTimeout)
+	spdyConn.SetIdleTimeout(adjustIdleTimeoutForConn(req.idleTimeout))
 
 	h.run()
 	return nil
diff --git a/lib/kube/proxy/remotecommand.go b/lib/kube/proxy/remotecommand.go
index 2cd03c870d70b..ef06dfb7d3b0c 100644
--- a/lib/kube/proxy/remotecommand.go
+++ b/lib/kube/proxy/remotecommand.go
@@ -25,6 +25,7 @@ import (
 	"log/slog"
 	"net/http"
 	"strings"
+	"sync"
 	"time"
 
 	"github.com/gravitational/trace"
@@ -157,7 +158,7 @@ func createSPDYStreams(req remoteCommandRequest) (*remoteCommandProxy, error) {
 		return nil, trace.ConnectionProblem(trace.BadParameter("missing connection"), "missing connection")
 	}
 
-	conn.SetIdleTimeout(req.idleTimeout)
+	conn.SetIdleTimeout(adjustIdleTimeoutForConn(req.idleTimeout))
 
 	var handler protocolHandler
 	switch protocol {
@@ -445,7 +446,7 @@ func waitStreamReply(ctx context.Context, replySent <-chan struct{}, notify chan
 // v4WriteStatusFunc returns a WriteStatusFunc that marshals a given api Status
 // as json in the error channel.
 func v4WriteStatusFunc(stream io.Writer) func(status *apierrors.StatusError) error {
-	return func(status *apierrors.StatusError) error {
+	return writeStatusOnceFunc(func(status *apierrors.StatusError) error {
 		st := status.Status()
 		data, err := runtime.Encode(globalKubeCodecs.LegacyCodec(), &st)
 		if err != nil {
@@ -453,15 +454,27 @@ func v4WriteStatusFunc(stream io.Writer) func(status *apierrors.StatusError) err
 		}
 		_, err = stream.Write(data)
 		return err
-	}
+	})
 }
 
 func v1WriteStatusFunc(stream io.Writer) func(status *apierrors.StatusError) error {
-	return func(status *apierrors.StatusError) error {
+	return writeStatusOnceFunc(func(status *apierrors.StatusError) error {
 		if status.Status().Status == metav1.StatusSuccess {
 			return nil // send error messages
 		}
 		_, err := stream.Write([]byte(status.Error()))
 		return err
+	})
+}
+
+// writeStatusOnceFunc returns a function that only calls f once, and returns the result of the first call.
+func writeStatusOnceFunc(f func(status *apierrors.StatusError) error) func(status *apierrors.StatusError) error {
+	var once sync.Once
+	var err error
+	return func(status *apierrors.StatusError) error {
+		once.Do(func() {
+			err = f(status)
+		})
+		return trace.Wrap(err)
 	}
 }
diff --git a/lib/kube/proxy/remotecommand_websocket.go b/lib/kube/proxy/remotecommand_websocket.go
index abc5d3f446fdf..cb2c50e9efcb0 100644
--- a/lib/kube/proxy/remotecommand_websocket.go
+++ b/lib/kube/proxy/remotecommand_websocket.go
@@ -19,6 +19,8 @@ limitations under the License.
 package proxy
 
 import (
+	"time"
+
 	"github.com/go-logr/logr"
 	"github.com/gravitational/trace"
 	"k8s.io/apimachinery/pkg/util/httpstream/wsstream"
@@ -110,7 +112,7 @@ func createWebSocketStreams(req remoteCommandRequest) (*remoteCommandProxy, erro
 		},
 	})
 
-	conn.SetIdleTimeout(req.idleTimeout)
+	conn.SetIdleTimeout(adjustIdleTimeoutForConn(req.idleTimeout))
 
 	negotiatedProtocol, streams, err := conn.Open(
 		responsewriter.GetOriginal(req.httpResponseWriter),
@@ -163,3 +165,19 @@ func createWebSocketStreams(req remoteCommandRequest) (*remoteCommandProxy, erro
 
 	return proxy, nil
 }
+
+// adjustIdleTimeoutForConn adjusts the idle timeout for the connection
+// to be 5 seconds longer than the requested idle timeout.
+// This is done to prevent the connection from being closed by the server
+// before the connection monitor has a chance to close it and write the
+// status code.
+// If the idle timeout is 0, this function returns 0 because it means the
+// connection will never be closed by the server due to idleness.
+func adjustIdleTimeoutForConn(idleTimeout time.Duration) time.Duration {
+	// If the idle timeout is 0, we don't need to adjust it because it
+	// means the connection will never be closed by the server due to idleness.
+	if idleTimeout != 0 {
+		idleTimeout += 5 * time.Second
+	}
+	return idleTimeout
+}
diff --git a/lib/multiplexer/test/ping.pb.go b/lib/multiplexer/test/ping.pb.go
index a7448bb296f65..821369a27bdcd 100644
--- a/lib/multiplexer/test/ping.pb.go
+++ b/lib/multiplexer/test/ping.pb.go
@@ -17,7 +17,7 @@
 
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.36.3
+// 	protoc-gen-go v1.36.4
 // 	protoc        (unknown)
 // source: teleport/lib/multiplexer/test/ping.proto
 
@@ -28,6 +28,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )
 
 const (
@@ -127,7 +128,7 @@ func (x *Response) GetPayload() string {
 
 var File_teleport_lib_multiplexer_test_ping_proto protoreflect.FileDescriptor
 
-var file_teleport_lib_multiplexer_test_ping_proto_rawDesc = []byte{
+var file_teleport_lib_multiplexer_test_ping_proto_rawDesc = string([]byte{
 	0x0a, 0x28, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x69, 0x62, 0x2f, 0x6d,
 	0x75, 0x6c, 0x74, 0x69, 0x70, 0x6c, 0x65, 0x78, 0x65, 0x72, 0x2f, 0x74, 0x65, 0x73, 0x74, 0x2f,
 	0x70, 0x69, 0x6e, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1d, 0x74, 0x65, 0x6c, 0x65,
@@ -148,16 +149,16 @@ var file_teleport_lib_multiplexer_test_ping_proto_rawDesc = []byte{
 	0x6e, 0x61, 0x6c, 0x2f, 0x74, 0x65, 0x6c, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x6c, 0x69, 0x62,
 	0x2f, 0x6d, 0x75, 0x6c, 0x74, 0x69, 0x70, 0x6c, 0x65, 0x78, 0x65, 0x72, 0x2f, 0x74, 0x65, 0x73,
 	0x74, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+})
 
 var (
 	file_teleport_lib_multiplexer_test_ping_proto_rawDescOnce sync.Once
-	file_teleport_lib_multiplexer_test_ping_proto_rawDescData = file_teleport_lib_multiplexer_test_ping_proto_rawDesc
+	file_teleport_lib_multiplexer_test_ping_proto_rawDescData []byte
 )
 
 func file_teleport_lib_multiplexer_test_ping_proto_rawDescGZIP() []byte {
 	file_teleport_lib_multiplexer_test_ping_proto_rawDescOnce.Do(func() {
-		file_teleport_lib_multiplexer_test_ping_proto_rawDescData = protoimpl.X.CompressGZIP(file_teleport_lib_multiplexer_test_ping_proto_rawDescData)
+		file_teleport_lib_multiplexer_test_ping_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_teleport_lib_multiplexer_test_ping_proto_rawDesc), len(file_teleport_lib_multiplexer_test_ping_proto_rawDesc)))
 	})
 	return file_teleport_lib_multiplexer_test_ping_proto_rawDescData
 }
@@ -186,7 +187,7 @@ func file_teleport_lib_multiplexer_test_ping_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_teleport_lib_multiplexer_test_ping_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_teleport_lib_multiplexer_test_ping_proto_rawDesc), len(file_teleport_lib_multiplexer_test_ping_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   2,
 			NumExtensions: 0,
@@ -197,7 +198,6 @@ func file_teleport_lib_multiplexer_test_ping_proto_init() {
 		MessageInfos:      file_teleport_lib_multiplexer_test_ping_proto_msgTypes,
 	}.Build()
 	File_teleport_lib_multiplexer_test_ping_proto = out.File
-	file_teleport_lib_multiplexer_test_ping_proto_rawDesc = nil
 	file_teleport_lib_multiplexer_test_ping_proto_goTypes = nil
 	file_teleport_lib_multiplexer_test_ping_proto_depIdxs = nil
 }
diff --git a/lib/proxy/peer/client.go b/lib/proxy/peer/client.go
index b3a935ff75010..6190b17e45e89 100644
--- a/lib/proxy/peer/client.go
+++ b/lib/proxy/peer/client.go
@@ -781,7 +781,7 @@ func (c *Client) connect(params connectParams) (internal.ClientConn, error) {
 			Timeout:             peerTimeout,
 			PermitWithoutStream: true,
 		}),
-		grpc.WithDefaultServiceConfig(`{"loadBalancingPolicy":"round_robin"}`),
+		grpc.WithDefaultServiceConfig(`{"loadBalancingConfig": [{"round_robin": {}}]}`),
 	)
 	if err != nil {
 		return nil, trace.Wrap(err, "Error dialing proxy %q", params.peerID)
diff --git a/lib/reversetunnel/srv_test.go b/lib/reversetunnel/srv_test.go
index 8794a8323f0f1..678cb46a7aa72 100644
--- a/lib/reversetunnel/srv_test.go
+++ b/lib/reversetunnel/srv_test.go
@@ -38,7 +38,6 @@ import (
 	"github.com/gravitational/teleport/api/utils/sshutils"
 	"github.com/gravitational/teleport/lib/auth/authclient"
 	"github.com/gravitational/teleport/lib/auth/testauthority"
-	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/sshca"
 	"github.com/gravitational/teleport/lib/utils"
 )
@@ -80,13 +79,15 @@ func TestServerKeyAuth(t *testing.T) {
 		{
 			desc: "host cert",
 			key: func() ssh.PublicKey {
-				rawCert, err := ta.GenerateHostCert(services.HostCertParams{
+				rawCert, err := ta.GenerateHostCert(sshca.HostCertificateRequest{
 					CASigner:      caSigner,
 					PublicHostKey: pub,
 					HostID:        "host-id",
 					NodeName:      con.User(),
-					ClusterName:   "host-cluster-name",
-					Role:          types.RoleNode,
+					Identity: sshca.Identity{
+						ClusterName: "host-cluster-name",
+						SystemRole:  types.RoleNode,
+					},
 				})
 				require.NoError(t, err)
 				key, _, _, _, err := ssh.ParseAuthorizedKey(rawCert)
@@ -111,7 +112,7 @@ func TestServerKeyAuth(t *testing.T) {
 					TTL:               time.Minute,
 					Identity: sshca.Identity{
 						Username:       con.User(),
-						AllowedLogins:  []string{con.User()},
+						Principals:     []string{con.User()},
 						Roles:          []string{"dev", "admin"},
 						RouteToCluster: "user-cluster-name",
 					},
diff --git a/lib/service/desktop.go b/lib/service/desktop.go
index 421ffa8924246..e6eee026ff765 100644
--- a/lib/service/desktop.go
+++ b/lib/service/desktop.go
@@ -210,6 +210,7 @@ func (process *TeleportProcess) initWindowsDesktopServiceRegistered(logger *slog
 
 	srv, err := desktop.NewWindowsService(desktop.WindowsServiceConfig{
 		DataDir:      process.Config.DataDir,
+		LicenseStore: process.storage,
 		Logger:       process.logger.With(teleport.ComponentKey, teleport.Component(teleport.ComponentWindowsDesktop, process.id)),
 		Clock:        process.Clock,
 		Authorizer:   authorizer,
diff --git a/lib/service/pyroscope.go b/lib/service/pyroscope.go
new file mode 100644
index 0000000000000..34b289004a081
--- /dev/null
+++ b/lib/service/pyroscope.go
@@ -0,0 +1,131 @@
+// Teleport
+// Copyright (C) 2025 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package service
+
+import (
+	"fmt"
+	"log/slog"
+	"os"
+	"time"
+
+	"github.com/grafana/pyroscope-go"
+
+	"github.com/gravitational/teleport"
+)
+
+// TODO: Replace logger when pyroscope uses slog
+type pyroscopeLogger struct {
+	l *slog.Logger
+}
+
+func (l pyroscopeLogger) Infof(format string, args ...interface{}) {
+	//nolint:sloglint // msg cannot be constant
+	l.l.Info(fmt.Sprintf(format, args...))
+}
+
+func (l pyroscopeLogger) Debugf(format string, args ...interface{}) {
+	//nolint:sloglint // msg cannot be constant
+	l.l.Debug(fmt.Sprintf(format, args...))
+}
+
+func (l pyroscopeLogger) Errorf(format string, args ...interface{}) {
+	//nolint:sloglint // msg cannot be constant
+	l.l.Error(fmt.Sprintf(format, args...))
+}
+
+// initPyroscope instruments Teleport to run with continuous profiling for Pyroscope
+func (process *TeleportProcess) initPyroscope(address string) {
+	if address == "" {
+		return
+	}
+
+	hostname, err := os.Hostname()
+	if err != nil {
+		hostname = "unknown"
+	}
+
+	// Build pyroscope config
+	config := pyroscope.Config{
+		ApplicationName: teleport.ComponentTeleport,
+		ServerAddress:   address,
+		Logger:          pyroscope.Logger(pyroscopeLogger{l: slog.Default()}),
+		Tags: map[string]string{
+			"host":    hostname,
+			"version": teleport.Version,
+			"git_ref": teleport.Gitref,
+		},
+	}
+
+	// Evaluate if profile configuration is customized
+	if p := getPyroscopeProfileTypesFromEnv(); len(p) == 0 {
+		slog.InfoContext(process.ExitContext(), "No profile types enabled, using default")
+	} else {
+		config.ProfileTypes = p
+	}
+
+	var uploadRate *time.Duration
+	if rate := os.Getenv("TELEPORT_PYROSCOPE_UPLOAD_RATE"); rate != "" {
+		parsedRate, err := time.ParseDuration(rate)
+		if err != nil {
+			slog.InfoContext(process.ExitContext(), "invalid TELEPORT_PYROSCOPE_UPLOAD_RATE, ignoring value", "provided_value", rate, "error", err)
+		} else {
+			uploadRate = &parsedRate
+		}
+	} else {
+		slog.InfoContext(process.ExitContext(), "TELEPORT_PYROSCOPE_UPLOAD_RATE not specified, using default")
+	}
+
+	// Set UploadRate or fall back to defaults
+	if uploadRate != nil {
+		config.UploadRate = *uploadRate
+	}
+
+	profiler, err := pyroscope.Start(config)
+	if err != nil {
+		slog.ErrorContext(process.ExitContext(), "error starting pyroscope profiler", "error", err)
+	} else {
+		process.OnExit("pyroscope.profiler", func(payload any) {
+			profiler.Flush(payload == nil)
+			_ = profiler.Stop()
+		})
+	}
+	slog.InfoContext(process.ExitContext(), "Pyroscope has successfully started")
+}
+
+// getPyroscopeProfileTypesFromEnv sets the profile types based on environment variables.
+func getPyroscopeProfileTypesFromEnv() []pyroscope.ProfileType {
+	var profileTypes []pyroscope.ProfileType
+
+	if os.Getenv("TELEPORT_PYROSCOPE_PROFILE_MEMORY_ENABLED") == "true" {
+		profileTypes = append(profileTypes,
+			pyroscope.ProfileAllocObjects,
+			pyroscope.ProfileAllocSpace,
+			pyroscope.ProfileInuseObjects,
+			pyroscope.ProfileInuseSpace,
+		)
+	}
+
+	if os.Getenv("TELEPORT_PYROSCOPE_PROFILE_CPU_ENABLED") == "true" {
+		profileTypes = append(profileTypes, pyroscope.ProfileCPU)
+	}
+
+	if os.Getenv("TELEPORT_PYROSCOPE_PROFILE_GOROUTINES_ENABLED") == "true" {
+		profileTypes = append(profileTypes, pyroscope.ProfileGoroutines)
+	}
+
+	return profileTypes
+}
diff --git a/lib/service/service.go b/lib/service/service.go
index 5dd8231d99c81..0e8c5e35148e5 100644
--- a/lib/service/service.go
+++ b/lib/service/service.go
@@ -1344,6 +1344,10 @@ func NewTeleport(cfg *servicecfg.Config) (*TeleportProcess, error) {
 		}
 	}
 
+	if address := os.Getenv("TELEPORT_PYROSCOPE_SERVER_ADDRESS"); address != "" {
+		process.initPyroscope(address)
+	}
+
 	if cfg.DebugService.Enabled {
 		if err := process.initDebugService(); err != nil {
 			return nil, trace.Wrap(err)
diff --git a/lib/services/authority.go b/lib/services/authority.go
index 2345342b1195b..bd04c8c7c284a 100644
--- a/lib/services/authority.go
+++ b/lib/services/authority.go
@@ -23,14 +23,12 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/json"
-	"time"
 
 	"github.com/gogo/protobuf/proto"
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/gravitational/trace"
 	"github.com/jonboulle/clockwork"
-	"golang.org/x/crypto/ssh"
 
 	"github.com/gravitational/teleport/api/types"
 	apiutils "github.com/gravitational/teleport/api/utils"
@@ -279,46 +277,6 @@ func GetSSHCheckingKeys(ca types.CertAuthority) [][]byte {
 	return out
 }
 
-// HostCertParams defines all parameters needed to generate a host certificate
-type HostCertParams struct {
-	// CASigner is the signer that will sign the public key of the host with the CA private key.
-	CASigner ssh.Signer
-	// PublicHostKey is the public key of the host
-	PublicHostKey []byte
-	// HostID is used by Teleport to uniquely identify a node within a cluster
-	HostID string
-	// Principals is a list of additional principals to add to the certificate.
-	Principals []string
-	// NodeName is the DNS name of the node
-	NodeName string
-	// ClusterName is the name of the cluster within which a node lives
-	ClusterName string
-	// Role identifies the role of a Teleport instance
-	Role types.SystemRole
-	// TTL defines how long a certificate is valid for
-	TTL time.Duration
-}
-
-// Check checks parameters for errors
-func (c HostCertParams) Check() error {
-	if c.CASigner == nil {
-		return trace.BadParameter("CASigner is required")
-	}
-	if c.HostID == "" && len(c.Principals) == 0 {
-		return trace.BadParameter("HostID [%q] or Principals [%q] are required",
-			c.HostID, c.Principals)
-	}
-	if c.ClusterName == "" {
-		return trace.BadParameter("ClusterName [%q] is required", c.ClusterName)
-	}
-
-	if err := c.Role.Check(); err != nil {
-		return trace.Wrap(err)
-	}
-
-	return nil
-}
-
 // CertPoolFromCertAuthorities returns a certificate pool from the TLS certificates
 // set up in the certificate authorities list, as well as the number of certificates
 // that were added to the pool.
diff --git a/lib/services/integration.go b/lib/services/integration.go
index be495d385b4ab..bfe000113ee5c 100644
--- a/lib/services/integration.go
+++ b/lib/services/integration.go
@@ -52,6 +52,8 @@ type IntegrationsGetter interface {
 type IntegrationsTokenGenerator interface {
 	// GenerateAWSOIDCToken generates a token to be used to execute an AWS OIDC Integration action.
 	GenerateAWSOIDCToken(ctx context.Context, integration string) (string, error)
+	// GenerateAzureOIDCToken generates a token to be used to execute an Azure OIDC Integration action.
+	GenerateAzureOIDCToken(ctx context.Context, integration string) (string, error)
 }
 
 // MarshalIntegration marshals the Integration resource to JSON.
diff --git a/lib/services/local/notifications.go b/lib/services/local/notifications.go
index 3d087db81faed..da6badc8453c0 100644
--- a/lib/services/local/notifications.go
+++ b/lib/services/local/notifications.go
@@ -38,11 +38,12 @@ import (
 
 // NotificationsService manages notification resources in the backend.
 type NotificationsService struct {
-	clock                           clockwork.Clock
-	userNotificationService         *generic.ServiceWrapper[*notificationsv1.Notification]
-	globalNotificationService       *generic.ServiceWrapper[*notificationsv1.GlobalNotification]
-	userNotificationStateService    *generic.ServiceWrapper[*notificationsv1.UserNotificationState]
-	userLastSeenNotificationService *generic.ServiceWrapper[*notificationsv1.UserLastSeenNotification]
+	clock                               clockwork.Clock
+	userNotificationService             *generic.ServiceWrapper[*notificationsv1.Notification]
+	globalNotificationService           *generic.ServiceWrapper[*notificationsv1.GlobalNotification]
+	userNotificationStateService        *generic.ServiceWrapper[*notificationsv1.UserNotificationState]
+	userLastSeenNotificationService     *generic.ServiceWrapper[*notificationsv1.UserLastSeenNotification]
+	uniqueNotificationIdentifierService *generic.ServiceWrapper[*notificationsv1.UniqueNotificationIdentifier]
 }
 
 // NewNotificationsService returns a new instance of the NotificationService.
@@ -96,12 +97,26 @@ func NewNotificationsService(backend backend.Backend, clock clockwork.Clock) (*N
 		return nil, trace.Wrap(err)
 	}
 
+	uniqueNotificationIdentifierService, err := generic.NewServiceWrapper[*notificationsv1.UniqueNotificationIdentifier](
+		generic.ServiceWrapperConfig[*notificationsv1.UniqueNotificationIdentifier]{
+			Backend:       backend,
+			ResourceKind:  types.KindUniqueNotificationIdentifier,
+			BackendPrefix: notificationUniqueIdentifierPrefix,
+			MarshalFunc:   services.MarshalUniqueNotificationIdentifier,
+			UnmarshalFunc: services.UnmarshalUniqueNotificationIdentifier,
+			ValidateFunc:  services.ValidateUniqueNotificationIdentifier,
+		})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
 	return &NotificationsService{
-		clock:                           clock,
-		userNotificationService:         userNotificationService,
-		globalNotificationService:       globalNotificationService,
-		userNotificationStateService:    userNotificationStateService,
-		userLastSeenNotificationService: userLastSeenNotificationService,
+		clock:                               clock,
+		userNotificationService:             userNotificationService,
+		globalNotificationService:           globalNotificationService,
+		userNotificationStateService:        userNotificationStateService,
+		userLastSeenNotificationService:     userLastSeenNotificationService,
+		uniqueNotificationIdentifierService: uniqueNotificationIdentifierService,
 	}, nil
 }
 
@@ -171,7 +186,7 @@ func (s *NotificationsService) CreateUserNotification(ctx context.Context, notif
 	}
 	notification.Metadata.Name = uuid.String()
 
-	if err := CheckAndSetExpiry(notification, s.clock); err != nil {
+	if err := CheckAndSetExpiry(notification.Metadata, s.clock); err != nil {
 		return nil, trace.Wrap(err)
 	}
 
@@ -259,7 +274,7 @@ func (s *NotificationsService) CreateGlobalNotification(ctx context.Context, glo
 		return nil, trace.Wrap(err)
 	}
 
-	if err := CheckAndSetExpiry(globalNotification.Spec.Notification, s.clock); err != nil {
+	if err := CheckAndSetExpiry(globalNotification.Spec.Notification.Metadata, s.clock); err != nil {
 		return nil, trace.Wrap(err)
 	}
 
@@ -411,13 +426,85 @@ func (s *NotificationsService) DeleteUserLastSeenNotification(ctx context.Contex
 	return trace.Wrap(err)
 }
 
+// ListUniqueNotificationIdentifiersForPrefix returns unique notification identifiers with a given prefix
+func (s *NotificationsService) ListUniqueNotificationIdentifiersForPrefix(ctx context.Context, prefix string, pageSize int, startKey string) ([]*notificationsv1.UniqueNotificationIdentifier, string, error) {
+	if prefix == "" {
+		return nil, "", trace.BadParameter("prefix is missing")
+	}
+
+	serviceWithPrefix := s.uniqueNotificationIdentifierService.WithPrefix(prefix)
+
+	identifiers, nextKey, err := serviceWithPrefix.ListResources(ctx, pageSize, startKey)
+	return identifiers, nextKey, trace.Wrap(err)
+}
+
+// CreateUniqueNotificationIdentifier creates a unique notification identifier resource.
+func (s *NotificationsService) CreateUniqueNotificationIdentifier(ctx context.Context, prefix string, identifier string) (*notificationsv1.UniqueNotificationIdentifier, error) {
+	if prefix == "" {
+		return nil, trace.BadParameter("prefix is missing")
+	}
+	if identifier == "" {
+		return nil, trace.BadParameter("identifier is missing")
+	}
+
+	uniqueNotificationIdentifier := &notificationsv1.UniqueNotificationIdentifier{
+		Spec: &notificationsv1.UniqueNotificationIdentifierSpec{
+			UniqueIdentifier:       identifier,
+			UniqueIdentifierPrefix: prefix,
+		},
+		Metadata: &headerv1.Metadata{
+			// the service adapter uses `getName()` to determine the backend key
+			Name: identifier,
+		},
+		Kind:    types.KindUniqueNotificationIdentifier,
+		Version: types.V1,
+	}
+
+	if err := CheckAndSetExpiry(uniqueNotificationIdentifier.Metadata, s.clock); err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	serviceWithPrefix := s.uniqueNotificationIdentifierService.WithPrefix(prefix)
+
+	created, err := serviceWithPrefix.CreateResource(ctx, uniqueNotificationIdentifier)
+	return created, trace.Wrap(err)
+}
+
+// GetUniqueNotificationIdentifier returns a unique notification identifier resource.
+func (s *NotificationsService) GetUniqueNotificationIdentifier(ctx context.Context, prefix string, identifier string) (*notificationsv1.UniqueNotificationIdentifier, error) {
+	if prefix == "" {
+		return nil, trace.BadParameter("prefix is missing")
+	}
+	if identifier == "" {
+		return nil, trace.BadParameter("identifier is missing")
+	}
+
+	serviceWithPrefix := s.uniqueNotificationIdentifierService.WithPrefix(prefix)
+
+	return serviceWithPrefix.GetResource(ctx, identifier)
+}
+
+// DeleteUniqueNotificationIdentifier deletes a unique notification identifier resource.
+func (s *NotificationsService) DeleteUniqueNotificationIdentifier(ctx context.Context, prefix string, identifier string) error {
+	if prefix == "" {
+		return trace.BadParameter("prefix is missing")
+	}
+	if identifier == "" {
+		return trace.BadParameter("identifier is missing")
+	}
+
+	serviceWithPrefix := s.uniqueNotificationIdentifierService.WithPrefix(prefix)
+
+	return serviceWithPrefix.DeleteResource(ctx, identifier)
+}
+
 // CheckAndSetExpiry checks and sets the default expiry for a notification.
-func CheckAndSetExpiry(notification *notificationsv1.Notification, clock clockwork.Clock) error {
+func CheckAndSetExpiry(metadata *headerv1.Metadata, clock clockwork.Clock) error {
 	// If the expiry hasn't been provided, set the default to 30 days from now.
-	if notification.Metadata.Expires == nil {
+	if metadata.Expires == nil {
 		now := clock.Now()
 		futureTime := now.Add(defaultExpiry)
-		notification.Metadata.Expires = timestamppb.New(futureTime)
+		metadata.Expires = timestamppb.New(futureTime)
 		return nil
 	}
 
@@ -426,7 +513,7 @@ func CheckAndSetExpiry(notification *notificationsv1.Notification, clock clockwo
 	now := clock.Now()
 	timeOfMaxExpiry := now.Add(maxExpiry)
 
-	if (*notification.Metadata.Expires).AsTime().After(timeOfMaxExpiry) {
+	if metadata.Expires.AsTime().After(timeOfMaxExpiry) {
 		return trace.BadParameter("notification expiry cannot be more than %d days from its creation", int(maxExpiry.Hours()/24))
 	}
 
@@ -434,10 +521,11 @@ func CheckAndSetExpiry(notification *notificationsv1.Notification, clock clockwo
 }
 
 var (
-	notificationsGlobalPrefix       = backend.NewKey("notifications", "global")    // notifications/global/<notification id>
-	notificationsUserSpecificPrefix = backend.NewKey("notifications", "user")      // notifications/user/<username>/<notification id>
-	notificationsStatePrefix        = backend.NewKey("notifications", "states")    // notifications/states/<username>/<notification id>
-	notificationsUserLastSeenPrefix = backend.NewKey("notifications", "last_seen") // notifications/last_seen/<username>
+	notificationsGlobalPrefix          = backend.NewKey("notifications", "global")        // notifications/global/<notification id>
+	notificationsUserSpecificPrefix    = backend.NewKey("notifications", "user")          // notifications/user/<username>/<notification id>
+	notificationsStatePrefix           = backend.NewKey("notifications", "states")        // notifications/states/<username>/<notification id>
+	notificationsUserLastSeenPrefix    = backend.NewKey("notifications", "last_seen")     // notifications/last_seen/<username>
+	notificationUniqueIdentifierPrefix = backend.NewKey("notification_unique_identifier") // notification_unique_identifier/<key>
 )
 
 const (
diff --git a/lib/services/local/notifications_test.go b/lib/services/local/notifications_test.go
index 65c1a70316774..2ebc7e68f2438 100644
--- a/lib/services/local/notifications_test.go
+++ b/lib/services/local/notifications_test.go
@@ -403,6 +403,88 @@ func TestUserLastSeenNotificationCRUD(t *testing.T) {
 	require.True(t, trace.IsNotFound(err), "got error %T, expected a not found error due to user_last_seen_notification for test-username not existing", err)
 }
 
+// TestUniqueNotificationIdentifierCRUD tests backend operations for unique notification identifier resources.
+func TestUniqueNotificationIdentifierCRUD(t *testing.T) {
+	ctx := context.Background()
+	clock := clockwork.NewFakeClock()
+
+	mem, err := memory.New(memory.Config{
+		Context: ctx,
+		Clock:   clock,
+	})
+	require.NoError(t, err)
+
+	service, err := NewNotificationsService(backend.NewSanitizer(mem), clock)
+	require.NoError(t, err)
+
+	testPrefix1 := "test-prefix-1"
+	testPrefix2 := "test-prefix-2"
+
+	// Initially we expect there not to be any existing unique notification identifiers for either identifier prefix.
+	out, nextToken, err := service.ListUniqueNotificationIdentifiersForPrefix(ctx, testPrefix1, 5, "")
+	require.NoError(t, err)
+	require.Empty(t, out)
+	require.Empty(t, nextToken)
+
+	out, nextToken, err = service.ListUniqueNotificationIdentifiersForPrefix(ctx, testPrefix2, 5, "")
+	require.NoError(t, err)
+	require.Empty(t, out)
+	require.Empty(t, nextToken)
+
+	// Create unique notification identifiers with the testPrefix1 prefix.
+	identifier, err := service.CreateUniqueNotificationIdentifier(ctx, testPrefix1, "1")
+	require.NoError(t, err)
+	require.Equal(t, "1", identifier.Spec.UniqueIdentifier)
+	require.Equal(t, testPrefix1, identifier.Spec.UniqueIdentifierPrefix)
+
+	identifier, err = service.CreateUniqueNotificationIdentifier(ctx, testPrefix1, "2")
+	require.NoError(t, err)
+	require.Equal(t, "2", identifier.Spec.UniqueIdentifier)
+	require.Equal(t, testPrefix1, identifier.Spec.UniqueIdentifierPrefix)
+
+	// Create a unique notification identifier with the testPrefix2 prefix.
+	identifier, err = service.CreateUniqueNotificationIdentifier(ctx, testPrefix2, "1")
+	require.NoError(t, err)
+	require.Equal(t, "1", identifier.Spec.UniqueIdentifier)
+	require.Equal(t, testPrefix2, identifier.Spec.UniqueIdentifierPrefix)
+
+	// List identifiers with the testPrefix1 prefix.
+	out, _, err = service.ListUniqueNotificationIdentifiersForPrefix(ctx, testPrefix1, 5, "")
+	require.NoError(t, err)
+	// Verify that only the identifiers with testPrefix1 as prefix are returned.
+	require.Len(t, out, 2)
+	require.Equal(t, "1", out[0].Spec.UniqueIdentifier)
+	require.Equal(t, "2", out[1].Spec.UniqueIdentifier)
+
+	// List identifiers with the testPrefix2 prefix.
+	out, _, err = service.ListUniqueNotificationIdentifiersForPrefix(ctx, testPrefix2, 5, "")
+	require.NoError(t, err)
+	// Verify that only the identifier with testPrefix2 as prefix is returned.
+	require.Len(t, out, 1)
+	require.Equal(t, "1", out[0].Spec.UniqueIdentifier)
+
+	// Test that getting a unique notification identifier works.
+	uni, err := service.GetUniqueNotificationIdentifier(ctx, testPrefix1, "1")
+	require.NoError(t, err)
+	require.Equal(t, "1", uni.Spec.UniqueIdentifier)
+	require.Equal(t, testPrefix1, uni.Spec.UniqueIdentifierPrefix)
+
+	// Delete one of the identifiers with testPrefix1 prefix.
+	err = service.DeleteUniqueNotificationIdentifier(ctx, testPrefix1, "1")
+	require.NoError(t, err)
+
+	// Verify that it no longer exists and that only "2" is returned when listing for identifiers with testPrefix1.
+	out, _, err = service.ListUniqueNotificationIdentifiersForPrefix(ctx, testPrefix1, 5, "")
+	require.NoError(t, err)
+	require.Len(t, out, 1)
+	require.Equal(t, "2", out[0].Spec.UniqueIdentifier)
+	require.Equal(t, testPrefix1, out[0].Spec.UniqueIdentifierPrefix)
+
+	// Try to create an identifier with an empty prefix and identifier and verify that there is an error.
+	_, err = service.CreateUniqueNotificationIdentifier(ctx, "", "")
+	require.True(t, trace.IsBadParameter(err), "got error %T, expected a bad parameter error due to no identifier or prefix being provided", err)
+}
+
 func newUserNotification(t *testing.T, username string, title string) *notificationsv1.Notification {
 	t.Helper()
 
diff --git a/lib/services/local/resource_test.go b/lib/services/local/resource_test.go
index 97e866c022253..65c17006951b2 100644
--- a/lib/services/local/resource_test.go
+++ b/lib/services/local/resource_test.go
@@ -134,7 +134,7 @@ func runUserResourceTest(
 	}
 
 	// Advance the clock to let the users to expire.
-	tt.bk.Clock().(clockwork.FakeClock).Advance(2 * time.Minute)
+	tt.bk.Clock().(*clockwork.FakeClock).Advance(2 * time.Minute)
 	allUsers, err = s.GetUsers(ctx, withSecrets)
 	require.NoError(t, err)
 	require.Empty(t, allUsers, "expected all users to expire")
diff --git a/lib/services/notifications.go b/lib/services/notifications.go
index 47b16bbf35126..6dd0ee09dfab7 100644
--- a/lib/services/notifications.go
+++ b/lib/services/notifications.go
@@ -48,6 +48,13 @@ type Notifications interface {
 	UpsertUserLastSeenNotification(ctx context.Context, username string, ulsn *notificationsv1.UserLastSeenNotification) (*notificationsv1.UserLastSeenNotification, error)
 	GetUserLastSeenNotification(ctx context.Context, username string) (*notificationsv1.UserLastSeenNotification, error)
 	DeleteUserLastSeenNotification(ctx context.Context, username string) error
+
+	// UniqueNotificationIdentifier methods should not be exposed to the client since they should only ever be used internally.
+
+	CreateUniqueNotificationIdentifier(ctx context.Context, prefix string, identifier string) (*notificationsv1.UniqueNotificationIdentifier, error)
+	ListUniqueNotificationIdentifiersForPrefix(ctx context.Context, prefix string, pageSize int, startKey string) ([]*notificationsv1.UniqueNotificationIdentifier, string, error)
+	GetUniqueNotificationIdentifier(ctx context.Context, prefix string, identifier string) (*notificationsv1.UniqueNotificationIdentifier, error)
+	DeleteUniqueNotificationIdentifier(ctx context.Context, prefix string, identifier string) error
 }
 
 // ValidateNotification verifies that the necessary fields are configured for a notification object.
@@ -169,3 +176,26 @@ func MarshalUserLastSeenNotification(userLastSeenNotification *notificationsv1.U
 func UnmarshalUserLastSeenNotification(data []byte, opts ...MarshalOption) (*notificationsv1.UserLastSeenNotification, error) {
 	return FastUnmarshalProtoResourceDeprecated[*notificationsv1.UserLastSeenNotification](data, opts...)
 }
+
+// ValidateUniqueNotificationIdentifier verifies that the necessary fields are configured for a unique notification identifier object.
+func ValidateUniqueNotificationIdentifier(uni *notificationsv1.UniqueNotificationIdentifier) error {
+	if uni.Spec.UniqueIdentifier == "" {
+		return trace.BadParameter("unique notification identifier key is missing")
+	}
+
+	return nil
+}
+
+// MarshalUniqueNotificationIdentifier marshals a UniqueNotificationIdentifier resource to JSON.
+func MarshalUniqueNotificationIdentifier(uni *notificationsv1.UniqueNotificationIdentifier, opts ...MarshalOption) ([]byte, error) {
+	if err := ValidateUniqueNotificationIdentifier(uni); err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	return FastMarshalProtoResourceDeprecated(uni, opts...)
+}
+
+// UnmarshalUniqueNotificationIdentifier unmarshals a UniqueNotificationIdentifier resource from JSON.
+func UnmarshalUniqueNotificationIdentifier(data []byte, opts ...MarshalOption) (*notificationsv1.UniqueNotificationIdentifier, error) {
+	return FastUnmarshalProtoResourceDeprecated[*notificationsv1.UniqueNotificationIdentifier](data, opts...)
+}
diff --git a/lib/services/suite/suite.go b/lib/services/suite/suite.go
index b94881b59420a..f3818f7a921ee 100644
--- a/lib/services/suite/suite.go
+++ b/lib/services/suite/suite.go
@@ -202,7 +202,7 @@ type ServicesTestSuite struct {
 	UsersS        services.UsersService
 	RestrictionsS services.Restrictions
 	ChangesC      chan interface{}
-	Clock         clockwork.FakeClock
+	Clock         *clockwork.FakeClock
 }
 
 func (s *ServicesTestSuite) Users() services.UsersService {
diff --git a/lib/srv/app/azure/handler_test.go b/lib/srv/app/azure/handler_test.go
index 9cb7610af9bcd..cead5740df5f5 100644
--- a/lib/srv/app/azure/handler_test.go
+++ b/lib/srv/app/azure/handler_test.go
@@ -76,10 +76,10 @@ func TestForwarder_getToken(t *testing.T) {
 				Clock: clockwork.NewFakeClock(),
 				getAccessToken: func(ctx context.Context, managedIdentity string, scope string) (*azcore.AccessToken, error) {
 					// find the fake clock from above
-					var clock clockwork.FakeClock
+					var clock *clockwork.FakeClock
 					for _, test := range tests {
 						if test.name == "timeout" {
-							clock = test.config.Clock.(clockwork.FakeClock)
+							clock = test.config.Clock.(*clockwork.FakeClock)
 						}
 					}
 
diff --git a/lib/srv/app/gcp/handler_test.go b/lib/srv/app/gcp/handler_test.go
index 6f38dfa5a2961..7bebc9a88f830 100644
--- a/lib/srv/app/gcp/handler_test.go
+++ b/lib/srv/app/gcp/handler_test.go
@@ -90,10 +90,10 @@ func TestHandler_getToken(t *testing.T) {
 			},
 			config: func(state any) HandlerConfig {
 				return HandlerConfig{
-					Clock: state.(clockwork.FakeClock).(clockwork.Clock),
+					Clock: state.(clockwork.Clock),
 					cloudClientGCP: makeTestCloudClient(&testIAMCredentialsClient{
 						generateAccessToken: func(ctx context.Context, req *credentialspb.GenerateAccessTokenRequest, opts ...gax.CallOption) (*credentialspb.GenerateAccessTokenResponse, error) {
-							clock := state.(clockwork.FakeClock)
+							clock := state.(*clockwork.FakeClock)
 
 							// advance time by getTokenTimeout
 							clock.Advance(getTokenTimeout)
diff --git a/lib/srv/app/server_test.go b/lib/srv/app/server_test.go
index ee9c01accf1fb..1c0c8b4f322b3 100644
--- a/lib/srv/app/server_test.go
+++ b/lib/srv/app/server_test.go
@@ -78,7 +78,7 @@ func TestMain(m *testing.M) {
 }
 
 type Suite struct {
-	clock        clockwork.FakeClock
+	clock        *clockwork.FakeClock
 	dataDir      string
 	authServer   *auth.TestAuthServer
 	tlsServer    *auth.TestTLSServer
diff --git a/lib/srv/authhandlers_test.go b/lib/srv/authhandlers_test.go
index 8e009819e2108..9c5ce5b43b1d7 100644
--- a/lib/srv/authhandlers_test.go
+++ b/lib/srv/authhandlers_test.go
@@ -220,8 +220,8 @@ func TestRBAC(t *testing.T) {
 				CASigner:      caSigner,
 				PublicUserKey: ssh.MarshalAuthorizedKey(privateKey.SSHPublicKey()),
 				Identity: sshca.Identity{
-					Username:      "testuser",
-					AllowedLogins: []string{"testuser"},
+					Username:   "testuser",
+					Principals: []string{"testuser"},
 				},
 			})
 			require.NoError(t, err)
@@ -395,8 +395,8 @@ func TestRBACJoinMFA(t *testing.T) {
 				PublicUserKey:     privateKey.MarshalSSHPublicKey(),
 				CertificateFormat: constants.CertificateFormatStandard,
 				Identity: sshca.Identity{
-					Username:      username,
-					AllowedLogins: []string{username},
+					Username:   username,
+					Principals: []string{username},
 					Traits: wrappers.Traits{
 						teleport.TraitInternalPrefix: []string{""},
 					},
diff --git a/lib/srv/db/access_test.go b/lib/srv/db/access_test.go
index 87a41580549b4..cf85bd913be74 100644
--- a/lib/srv/db/access_test.go
+++ b/lib/srv/db/access_test.go
@@ -1508,7 +1508,7 @@ type testContext struct {
 	spanner map[string]testSpannerDB
 
 	// clock to override clock in tests.
-	clock clockwork.FakeClock
+	clock *clockwork.FakeClock
 }
 
 // testPostgres represents a single proxied Postgres database.
diff --git a/lib/srv/db/server_test.go b/lib/srv/db/server_test.go
index 8d3e81d8541b3..d0bdbbc4f9ead 100644
--- a/lib/srv/db/server_test.go
+++ b/lib/srv/db/server_test.go
@@ -256,7 +256,7 @@ func TestDatabaseServerAutoDisconnect(t *testing.T) {
 // Most testing code should NOT need to use this function.
 //
 // In technical terms, it divides the clock advancement into 100 smaller steps, with a short sleep after each one.
-func advanceInSteps(clock clockwork.FakeClock, total time.Duration) {
+func advanceInSteps(clock *clockwork.FakeClock, total time.Duration) {
 	step := total / 100
 	if step <= 0 {
 		step = 1
diff --git a/lib/srv/desktop/audit_test.go b/lib/srv/desktop/audit_test.go
index 2efc12ee5fc41..bae777676ed1c 100644
--- a/lib/srv/desktop/audit_test.go
+++ b/lib/srv/desktop/audit_test.go
@@ -172,7 +172,7 @@ func TestSessionEndEvent(t *testing.T) {
 
 	id, audit := setup(testDesktop)
 
-	audit.clock.(clockwork.FakeClock).Advance(30 * time.Second)
+	audit.clock.(*clockwork.FakeClock).Advance(30 * time.Second)
 
 	endEvent := audit.makeSessionEnd(true)
 
diff --git a/lib/srv/desktop/rdp/rdpclient/client.go b/lib/srv/desktop/rdp/rdpclient/client.go
index 534644e6be1df..64c43d2faf8ee 100644
--- a/lib/srv/desktop/rdp/rdpclient/client.go
+++ b/lib/srv/desktop/rdp/rdpclient/client.go
@@ -72,7 +72,9 @@ import "C"
 
 import (
 	"context"
+	"encoding/binary"
 	"fmt"
+	"github.com/google/uuid"
 	"log/slog"
 	"os"
 	"runtime/cgo"
@@ -330,6 +332,19 @@ func (c *Client) startRustRDP(ctx context.Context) error {
 		return trace.BadParameter("user key was nil")
 	}
 
+	hostID, err := uuid.Parse(c.cfg.HostID)
+	if err != nil {
+		return trace.Wrap(err)
+	}
+
+	nextHostID := hostID[:]
+	cHostID := [4]C.uint32_t{}
+	for i := 0; i < len(cHostID); i++ {
+		const uint32Len = 4
+		cHostID[i] = (C.uint32_t)(binary.LittleEndian.Uint32(nextHostID[:uint32Len]))
+		nextHostID = nextHostID[uint32Len:]
+	}
+
 	res := C.client_run(
 		C.uintptr_t(c.handle),
 		C.CGOConnectParams{
@@ -350,6 +365,7 @@ func (c *Client) startRustRDP(ctx context.Context) error {
 			allow_clipboard:         C.bool(c.cfg.AllowClipboard),
 			allow_directory_sharing: C.bool(c.cfg.AllowDirectorySharing),
 			show_desktop_wallpaper:  C.bool(c.cfg.ShowDesktopWallpaper),
+			client_id:               cHostID,
 		},
 	)
 
@@ -751,6 +767,106 @@ func toClient(handle C.uintptr_t) (value *Client, err error) {
 	return cgo.Handle(handle).Value().(*Client), nil
 }
 
+//export cgo_read_rdp_license
+func cgo_read_rdp_license(handle C.uintptr_t, req *C.CGOLicenseRequest, data_out **C.uint8_t, len_out *C.size_t) C.CGOErrCode {
+	*data_out = nil
+	*len_out = 0
+
+	client, err := toClient(handle)
+	if err != nil {
+		return C.ErrCodeFailure
+	}
+
+	issuer := C.GoString(req.issuer)
+	company := C.GoString(req.company)
+	productID := C.GoString(req.product_id)
+
+	license, err := client.readRDPLicense(context.Background(), types.RDPLicenseKey{
+		Version:   uint32(req.version),
+		Issuer:    issuer,
+		Company:   company,
+		ProductID: productID,
+	})
+	if trace.IsNotFound(err) {
+		return C.ErrCodeNotFound
+	} else if err != nil {
+		return C.ErrCodeFailure
+	}
+
+	// in this case, we expect the caller to use cgo_free_rdp_license
+	// when the data is no longer needed
+	*data_out = (*C.uint8_t)(C.CBytes(license))
+	*len_out = C.size_t(len(license))
+	return C.ErrCodeSuccess
+}
+
+//export cgo_free_rdp_license
+func cgo_free_rdp_license(p *C.uint8_t) {
+	C.free(unsafe.Pointer(p))
+}
+
+//export cgo_write_rdp_license
+func cgo_write_rdp_license(handle C.uintptr_t, req *C.CGOLicenseRequest, data *C.uint8_t, length C.size_t) C.CGOErrCode {
+	client, err := toClient(handle)
+	if err != nil {
+		return C.ErrCodeFailure
+	}
+
+	issuer := C.GoString(req.issuer)
+	company := C.GoString(req.company)
+	productID := C.GoString(req.product_id)
+
+	licenseData := C.GoBytes(unsafe.Pointer(data), C.int(length))
+
+	err = client.writeRDPLicense(context.Background(), types.RDPLicenseKey{
+		Version:   uint32(req.version),
+		Issuer:    issuer,
+		Company:   company,
+		ProductID: productID,
+	}, licenseData)
+	if err != nil {
+		return C.ErrCodeFailure
+	}
+
+	return C.ErrCodeSuccess
+}
+
+func (c *Client) readRDPLicense(ctx context.Context, key types.RDPLicenseKey) ([]byte, error) {
+	log := c.cfg.Logger.With(
+		"issuer", key.Issuer,
+		"company", key.Company,
+		"version", key.Version,
+		"product", key.ProductID,
+	)
+
+	license, err := c.cfg.LicenseStore.ReadRDPLicense(ctx, &key)
+	switch {
+	case trace.IsNotFound(err):
+		log.InfoContext(ctx, "existing RDP license not found")
+	case err != nil:
+		log.ErrorContext(ctx, "could not look up existing RDP license", "error", err)
+	case len(license) > 0:
+		log.InfoContext(ctx, "found existing RDP license")
+	}
+
+	return license, trace.Wrap(err)
+}
+
+func (c *Client) writeRDPLicense(ctx context.Context, key types.RDPLicenseKey, license []byte) error {
+	log := c.cfg.Logger.With(
+		"issuer", key.Issuer,
+		"company", key.Company,
+		"version", key.Version,
+		"product", key.ProductID,
+	)
+	log.InfoContext(ctx, "writing RDP license to storage")
+	err := c.cfg.LicenseStore.WriteRDPLicense(ctx, &key, license)
+	if err != nil {
+		log.ErrorContext(ctx, "could not write RDP license", "error", err)
+	}
+	return trace.Wrap(err)
+}
+
 //export cgo_handle_fastpath_pdu
 func cgo_handle_fastpath_pdu(handle C.uintptr_t, data *C.uint8_t, length C.uint32_t) C.CGOErrCode {
 	goData := asRustBackedSlice(data, int(length))
diff --git a/lib/srv/desktop/rdp/rdpclient/client_common.go b/lib/srv/desktop/rdp/rdpclient/client_common.go
index 80e192e37427c..51a54308685c5 100644
--- a/lib/srv/desktop/rdp/rdpclient/client_common.go
+++ b/lib/srv/desktop/rdp/rdpclient/client_common.go
@@ -27,14 +27,25 @@ import (
 
 	"github.com/gravitational/trace"
 
+	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/lib/srv/desktop/tdp"
 )
 
+// LicenseStore implements client-side license storage for Microsoft
+// Remote Desktop Services (RDS) licenses.
+type LicenseStore interface {
+	WriteRDPLicense(ctx context.Context, key *types.RDPLicenseKey, license []byte) error
+	ReadRDPLicense(ctx context.Context, key *types.RDPLicenseKey) ([]byte, error)
+}
+
 // Config for creating a new Client.
 type Config struct {
 	// Addr is the network address of the RDP server, in the form host:port.
 	Addr string
 
+	LicenseStore LicenseStore
+	HostID       string
+
 	// UserCertGenerator generates user certificates for RDP authentication.
 	GenerateUserCert GenerateUserCertFn
 	CertTTL          time.Duration
diff --git a/lib/srv/desktop/rdp/rdpclient/src/client.rs b/lib/srv/desktop/rdp/rdpclient/src/client.rs
index 3dae0fc453b59..3f6d6423dfa59 100644
--- a/lib/srv/desktop/rdp/rdpclient/src/client.rs
+++ b/lib/srv/desktop/rdp/rdpclient/src/client.rs
@@ -74,6 +74,7 @@ use tokio::sync::mpsc::{channel, error::SendError, Receiver, Sender};
 use tokio::task::JoinError;
 // Export this for crate level use.
 use crate::cliprdr::{ClipboardFn, TeleportCliprdrBackend};
+use crate::license::GoLicenseCache;
 use crate::rdpdr::scard::SCARD_DEVICE_ID;
 use crate::rdpdr::TeleportRdpdrBackend;
 use crate::ssl::TlsStream;
@@ -150,7 +151,7 @@ impl Client {
         let mut rng = rand_chacha::ChaCha20Rng::from_entropy();
         let pin = format!("{:08}", rng.gen_range(0i32..=99999999i32));
 
-        let connector_config = create_config(&params, pin.clone());
+        let connector_config = create_config(&params, pin.clone(), cgo_handle);
 
         // Create a channel for sending/receiving function calls to/from the Client.
         let (client_handle, function_receiver) = ClientHandle::new(100);
@@ -1401,7 +1402,7 @@ impl FunctionReceiver {
 type RdpReadStream = Framed<TokioStream<ReadHalf<TlsStream<TokioTcpStream>>>>;
 type RdpWriteStream = Framed<TokioStream<WriteHalf<TlsStream<TokioTcpStream>>>>;
 
-fn create_config(params: &ConnectParams, pin: String) -> Config {
+fn create_config(params: &ConnectParams, pin: String, cgo_handle: CgoHandle) -> Config {
     Config {
         desktop_size: DesktopSize {
             width: params.screen_width,
@@ -1456,6 +1457,8 @@ fn create_config(params: &ConnectParams, pin: String) -> Config {
             PerformanceFlags::empty()
         },
         desktop_scale_factor: 0,
+        license_cache: Some(Arc::new(GoLicenseCache { cgo_handle })),
+        hardware_id: Some(params.client_id),
     }
 }
 
@@ -1474,6 +1477,7 @@ pub struct ConnectParams {
     pub show_desktop_wallpaper: bool,
     pub ad: bool,
     pub nla: bool,
+    pub client_id: [u32; 4],
 }
 
 #[derive(Debug)]
diff --git a/lib/srv/desktop/rdp/rdpclient/src/lib.rs b/lib/srv/desktop/rdp/rdpclient/src/lib.rs
index c82663f704c73..55ac5f72a77d9 100644
--- a/lib/srv/desktop/rdp/rdpclient/src/lib.rs
+++ b/lib/srv/desktop/rdp/rdpclient/src/lib.rs
@@ -45,6 +45,7 @@ use std::ptr;
 use util::{from_c_string, from_go_array};
 pub mod client;
 mod cliprdr;
+mod license;
 mod network_client;
 mod piv;
 mod rdpdr;
@@ -124,6 +125,7 @@ pub unsafe extern "C" fn client_run(cgo_handle: CgoHandle, params: CGOConnectPar
             allow_clipboard: params.allow_clipboard,
             allow_directory_sharing: params.allow_directory_sharing,
             show_desktop_wallpaper: params.show_desktop_wallpaper,
+            client_id: params.client_id,
         },
     ) {
         Ok(res) => CGOResult {
@@ -509,6 +511,7 @@ pub struct CGOConnectParams {
     allow_clipboard: bool,
     allow_directory_sharing: bool,
     show_desktop_wallpaper: bool,
+    client_id: [u32; 4],
 }
 
 /// CGOKeyboardEvent is a CGO-compatible version of KeyboardEvent that we pass back to Go.
@@ -579,6 +582,7 @@ pub enum CGOErrCode {
     ErrCodeSuccess = 0,
     ErrCodeFailure = 1,
     ErrCodeClientPtr = 2,
+    ErrCodeNotFound = 3,
 }
 
 #[repr(C)]
@@ -733,6 +737,19 @@ pub type CGOSharedDirectoryTruncateResponse = SharedDirectoryTruncateResponse;
 // These functions are defined on the Go side.
 // Look for functions with '//export funcname' comments.
 extern "C" {
+    fn cgo_free_rdp_license(data: *mut u8);
+    fn cgo_read_rdp_license(
+        cgo_handle: CgoHandle,
+        req: *mut CGOLicenseRequest,
+        data_out: *mut *mut u8,
+        len_out: *mut usize,
+    ) -> CGOErrCode;
+    fn cgo_write_rdp_license(
+        cgo_handle: CgoHandle,
+        req: *mut CGOLicenseRequest,
+        data: *mut u8,
+        length: usize,
+    ) -> CGOErrCode;
     fn cgo_handle_remote_copy(cgo_handle: CgoHandle, data: *mut u8, len: u32) -> CGOErrCode;
     fn cgo_handle_fastpath_pdu(cgo_handle: CgoHandle, data: *mut u8, len: u32) -> CGOErrCode;
     fn cgo_handle_rdp_connection_activated(
@@ -784,3 +801,11 @@ extern "C" {
 ///
 /// [cgo.Handle]: https://pkg.go.dev/runtime/cgo#Handle
 type CgoHandle = usize;
+
+#[repr(C)]
+pub struct CGOLicenseRequest {
+    version: u32,
+    issuer: *const c_char,
+    company: *const c_char,
+    product_id: *const c_char,
+}
diff --git a/lib/srv/desktop/rdp/rdpclient/src/license.rs b/lib/srv/desktop/rdp/rdpclient/src/license.rs
new file mode 100644
index 0000000000000..3636d2d4c6eb3
--- /dev/null
+++ b/lib/srv/desktop/rdp/rdpclient/src/license.rs
@@ -0,0 +1,85 @@
+// Teleport
+// Copyright (C) 2025 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+use crate::{
+    cgo_free_rdp_license, cgo_read_rdp_license, cgo_write_rdp_license, CGOErrCode,
+    CGOLicenseRequest, CgoHandle,
+};
+use ironrdp_connector::{custom_err, general_err, ConnectorError, ConnectorResult, LicenseCache};
+use ironrdp_pdu::rdp::server_license::LicenseInformation;
+use picky_krb::negoex::NegoexDataType;
+use std::ffi::{CString, NulError};
+use std::{ptr, slice};
+
+#[derive(Debug)]
+pub(crate) struct GoLicenseCache {
+    pub(crate) cgo_handle: CgoHandle,
+}
+
+fn conversion_error(e: NulError) -> ConnectorError {
+    custom_err!("conversion error", e)
+}
+
+impl LicenseCache for GoLicenseCache {
+    fn get_license(&self, license_info: LicenseInformation) -> ConnectorResult<Option<Vec<u8>>> {
+        let issuer = CString::new(license_info.scope).map_err(conversion_error)?;
+        let company = CString::new(license_info.company_name).map_err(conversion_error)?;
+        let product_id = CString::new(license_info.product_id).map_err(conversion_error)?;
+        let mut req = CGOLicenseRequest {
+            version: license_info.version,
+            issuer: issuer.as_ptr(),
+            company: company.as_ptr(),
+            product_id: product_id.as_ptr(),
+        };
+        let mut data: *mut u8 = ptr::null_mut();
+        let mut size = 0usize;
+        unsafe {
+            match cgo_read_rdp_license(self.cgo_handle, &mut req, &mut data, &mut size) {
+                CGOErrCode::ErrCodeSuccess => {
+                    let license = slice::from_raw_parts_mut(data, size).to_vec();
+                    cgo_free_rdp_license(data);
+                    Ok(Some(license))
+                }
+                CGOErrCode::ErrCodeFailure => Err(general_err!("error retrieving license")),
+                CGOErrCode::ErrCodeClientPtr => Err(general_err!("invalid client pointer")),
+                CGOErrCode::ErrCodeNotFound => Ok(None),
+            }
+        }
+    }
+
+    fn store_license(&self, mut license_info: LicenseInformation) -> ConnectorResult<()> {
+        let issuer = CString::new(license_info.scope).map_err(conversion_error)?;
+        let company = CString::new(license_info.company_name).map_err(conversion_error)?;
+        let product_id = CString::new(license_info.product_id).map_err(conversion_error)?;
+        let mut req = CGOLicenseRequest {
+            version: license_info.version,
+            issuer: issuer.as_ptr(),
+            company: company.as_ptr(),
+            product_id: product_id.as_ptr(),
+        };
+        unsafe {
+            match cgo_write_rdp_license(
+                self.cgo_handle,
+                &mut req,
+                license_info.license_info.as_mut_ptr(),
+                license_info.license_info.size(),
+            ) {
+                CGOErrCode::ErrCodeSuccess => Ok(()),
+                _ => Err(general_err!("error storing license")),
+            }
+        }
+    }
+}
diff --git a/lib/srv/desktop/windows_server.go b/lib/srv/desktop/windows_server.go
index 8dbbad96b3fb6..659838868ee90 100644
--- a/lib/srv/desktop/windows_server.go
+++ b/lib/srv/desktop/windows_server.go
@@ -159,8 +159,9 @@ type WindowsServiceConfig struct {
 	// Logger is the logger for the service.
 	Logger *slog.Logger
 	// Clock provides current time.
-	Clock   clockwork.Clock
-	DataDir string
+	Clock        clockwork.Clock
+	DataDir      string
+	LicenseStore rdpclient.LicenseStore
 	// Authorizer is used to authorize requests.
 	Authorizer authz.Authorizer
 	// LockWatcher is used to monitor for new locks.
@@ -957,7 +958,9 @@ func (s *WindowsService) connectRDP(ctx context.Context, log *slog.Logger, tdpCo
 
 	//nolint:staticcheck // SA4023. False positive, depends on build tags.
 	rdpc, err := rdpclient.New(rdpclient.Config{
-		Logger: log,
+		LicenseStore: s.cfg.LicenseStore,
+		HostID:       s.cfg.Heartbeat.HostUUID,
+		Logger:       log,
 		GenerateUserCert: func(ctx context.Context, username string, ttl time.Duration) (certDER, keyDER []byte, err error) {
 			return s.generateUserCert(ctx, username, ttl, desktop, createUsers, groups)
 		},
diff --git a/lib/srv/discovery/access_graph_aws.go b/lib/srv/discovery/access_graph_aws.go
index fa662da21dada..185dd3f908a68 100644
--- a/lib/srv/discovery/access_graph_aws.go
+++ b/lib/srv/discovery/access_graph_aws.go
@@ -54,7 +54,7 @@ const (
 	// automatically reconnect if the connection is lost without
 	// relying on new events from the auth server to trigger a reconnect.
 	serviceConfig = `{
-		 "loadBalancingPolicy": "round_robin",
+		 "loadBalancingConfig": [{"round_robin": {}}],
 		 "healthCheckConfig": {
 			 "serviceName": ""
 		 }
@@ -82,8 +82,10 @@ func (s *Server) reconcileAccessGraph(ctx context.Context, currentTAGResources *
 		return trace.Wrap(errNoAccessGraphFetchers)
 	}
 
-	s.awsSyncStatus.iterationStarted(allFetchers, s.clock.Now())
-	for _, discoveryConfigName := range s.awsSyncStatus.discoveryConfigs() {
+	for _, fetcher := range allFetchers {
+		s.tagSyncStatus.syncStarted(fetcher, s.clock.Now())
+	}
+	for _, discoveryConfigName := range s.tagSyncStatus.discoveryConfigs() {
 		s.updateDiscoveryConfigStatus(discoveryConfigName)
 	}
 
@@ -92,7 +94,6 @@ func (s *Server) reconcileAccessGraph(ctx context.Context, currentTAGResources *
 	tokens := make(chan struct{}, 3)
 	accountIds := map[string]struct{}{}
 	for _, fetcher := range allFetchers {
-		fetcher := fetcher
 		accountIds[fetcher.GetAccountID()] = struct{}{}
 		tokens <- struct{}{}
 		go func() {
@@ -127,8 +128,10 @@ func (s *Server) reconcileAccessGraph(ctx context.Context, currentTAGResources *
 	upsert, toDel := aws_sync.ReconcileResults(currentTAGResources, result)
 	pushErr := push(stream, upsert, toDel)
 
-	s.awsSyncStatus.iterationFinished(allFetchers, pushErr, s.clock.Now())
-	for _, discoveryConfigName := range s.awsSyncStatus.discoveryConfigs() {
+	for _, fetcher := range allFetchers {
+		s.tagSyncStatus.syncFinished(fetcher, pushErr, s.clock.Now())
+	}
+	for _, discoveryConfigName := range s.tagSyncStatus.discoveryConfigs() {
 		s.updateDiscoveryConfigStatus(discoveryConfigName)
 	}
 
@@ -153,8 +156,8 @@ func (s *Server) reconcileAccessGraph(ctx context.Context, currentTAGResources *
 }
 
 // getAllAWSSyncFetchers returns all AWS sync fetchers.
-func (s *Server) getAllAWSSyncFetchers() []aws_sync.AWSSync {
-	allFetchers := make([]aws_sync.AWSSync, 0, len(s.dynamicTAGAWSFetchers))
+func (s *Server) getAllAWSSyncFetchers() []*aws_sync.Fetcher {
+	allFetchers := make([]*aws_sync.Fetcher, 0, len(s.dynamicTAGAWSFetchers))
 
 	s.muDynamicTAGAWSFetchers.RLock()
 	for _, fetcherSet := range s.dynamicTAGAWSFetchers {
@@ -483,8 +486,8 @@ func (s *Server) initTAGAWSWatchers(ctx context.Context, cfg *Config) error {
 }
 
 // accessGraphAWSFetchersFromMatchers converts Matchers into a set of AWS Sync Fetchers.
-func (s *Server) accessGraphAWSFetchersFromMatchers(ctx context.Context, matchers Matchers, discoveryConfigName string) ([]aws_sync.AWSSync, error) {
-	var fetchers []aws_sync.AWSSync
+func (s *Server) accessGraphAWSFetchersFromMatchers(ctx context.Context, matchers Matchers, discoveryConfigName string) ([]*aws_sync.Fetcher, error) {
+	var fetchers []*aws_sync.Fetcher
 	var errs []error
 	if matchers.AccessGraph == nil {
 		return fetchers, nil
@@ -498,7 +501,7 @@ func (s *Server) accessGraphAWSFetchersFromMatchers(ctx context.Context, matcher
 				ExternalID: awsFetcher.AssumeRole.ExternalID,
 			}
 		}
-		fetcher, err := aws_sync.NewAWSFetcher(
+		fetcher, err := aws_sync.NewFetcher(
 			ctx,
 			aws_sync.Config{
 				AWSConfigProvider:   s.AWSConfigProvider,
diff --git a/lib/srv/discovery/access_graph_azure.go b/lib/srv/discovery/access_graph_azure.go
index d7f911bb2a449..166c126103284 100644
--- a/lib/srv/discovery/access_graph_azure.go
+++ b/lib/srv/discovery/access_graph_azure.go
@@ -64,6 +64,13 @@ func (s *Server) reconcileAccessGraphAzure(
 		return trace.Wrap(errNoAccessGraphFetchers)
 	}
 
+	for _, fetcher := range allFetchers {
+		s.tagSyncStatus.syncStarted(fetcher, s.clock.Now())
+	}
+	for _, discoveryConfigName := range s.tagSyncStatus.discoveryConfigs() {
+		s.updateDiscoveryConfigStatus(discoveryConfigName)
+	}
+
 	// Fetch results concurrently
 	resultsC := make(chan fetcherResult, len(allFetchers))
 	// Restricts concurrently running fetchers to 3
@@ -107,6 +114,13 @@ func (s *Server) reconcileAccessGraphAzure(
 	upsert, toDel := azuresync.ReconcileResults(currentTAGResources, result)
 	pushErr := azurePush(stream, upsert, toDel)
 
+	for _, fetcher := range allFetchers {
+		s.tagSyncStatus.syncFinished(fetcher, pushErr, s.clock.Now())
+	}
+	for _, discoveryConfigName := range s.tagSyncStatus.discoveryConfigs() {
+		s.updateDiscoveryConfigStatus(discoveryConfigName)
+	}
+
 	if pushErr != nil {
 		s.Log.ErrorContext(ctx, "Error pushing TAGs", "error", pushErr)
 		return nil
@@ -392,6 +406,7 @@ func (s *Server) accessGraphAzureFetchersFromMatchers(
 			SubscriptionID:      matcher.SubscriptionID,
 			Integration:         matcher.Integration,
 			DiscoveryConfigName: discoveryConfigName,
+			OIDCCredentials:     s.AccessPoint,
 		}
 		fetcher, err := azuresync.NewFetcher(fetcherCfg, s.ctx)
 		if err != nil {
diff --git a/lib/srv/discovery/access_graph_test.go b/lib/srv/discovery/access_graph_test.go
index b02c32348c6af..c6efe1064cbfc 100644
--- a/lib/srv/discovery/access_graph_test.go
+++ b/lib/srv/discovery/access_graph_test.go
@@ -36,7 +36,7 @@ func TestServer_updateDiscoveryConfigStatus(t *testing.T) {
 	testErr := "test error"
 	clock := clockwork.NewFakeClock()
 	type args struct {
-		fetchers []aws_sync.AWSSync
+		fetchers []*fakeFetcher
 		pushErr  error
 		preRun   bool
 	}
@@ -48,8 +48,8 @@ func TestServer_updateDiscoveryConfigStatus(t *testing.T) {
 		{
 			name: "test updateDiscoveryConfigStatus",
 			args: args{
-				fetchers: []aws_sync.AWSSync{
-					&fakeFetcher{
+				fetchers: []*fakeFetcher{
+					{
 						count:               1,
 						discoveryConfigName: "test",
 					},
@@ -71,8 +71,8 @@ func TestServer_updateDiscoveryConfigStatus(t *testing.T) {
 		{
 			name: "test updateDiscoveryConfigStatus with pushError",
 			args: args{
-				fetchers: []aws_sync.AWSSync{
-					&fakeFetcher{
+				fetchers: []*fakeFetcher{
+					{
 						count:               1,
 						discoveryConfigName: "test",
 					},
@@ -94,8 +94,8 @@ func TestServer_updateDiscoveryConfigStatus(t *testing.T) {
 		{
 			name: "test updateDiscoveryConfigStatus with error",
 			args: args{
-				fetchers: []aws_sync.AWSSync{
-					&fakeFetcher{
+				fetchers: []*fakeFetcher{
+					{
 						count:               1,
 						discoveryConfigName: "test",
 						err:                 errors.New(testErr),
@@ -117,8 +117,8 @@ func TestServer_updateDiscoveryConfigStatus(t *testing.T) {
 		{
 			name: "discar reports for non-discovery config results",
 			args: args{
-				fetchers: []aws_sync.AWSSync{
-					&fakeFetcher{
+				fetchers: []*fakeFetcher{
+					{
 						count: 1,
 					},
 				},
@@ -128,8 +128,8 @@ func TestServer_updateDiscoveryConfigStatus(t *testing.T) {
 		{
 			name: "test updateDiscoveryConfigStatus pre-run",
 			args: args{
-				fetchers: []aws_sync.AWSSync{
-					&fakeFetcher{
+				fetchers: []*fakeFetcher{
+					{
 						discoveryConfigName: "test",
 					},
 				},
@@ -150,16 +150,16 @@ func TestServer_updateDiscoveryConfigStatus(t *testing.T) {
 		{
 			name: "test multiple aws sync fetchers",
 			args: args{
-				fetchers: []aws_sync.AWSSync{
-					&fakeFetcher{
+				fetchers: []*fakeFetcher{
+					{
 						discoveryConfigName: "test1",
 						count:               1,
 					},
-					&fakeFetcher{
+					{
 						discoveryConfigName: "test1",
 						count:               1,
 					},
-					&fakeFetcher{
+					{
 						discoveryConfigName: "test2",
 						count:               1,
 					},
@@ -189,7 +189,7 @@ func TestServer_updateDiscoveryConfigStatus(t *testing.T) {
 		{
 			name: "merge two errors",
 			args: args{
-				fetchers: []aws_sync.AWSSync{
+				fetchers: []*fakeFetcher{
 					&fakeFetcher{
 						discoveryConfigName: "test1",
 						err:                 fmt.Errorf("error in fetcher 1"),
@@ -214,12 +214,12 @@ func TestServer_updateDiscoveryConfigStatus(t *testing.T) {
 		{
 			name: "reports error if at least one fetcher fails",
 			args: args{
-				fetchers: []aws_sync.AWSSync{
-					&fakeFetcher{
+				fetchers: []*fakeFetcher{
+					{
 						discoveryConfigName: "test1",
 						err:                 fmt.Errorf("error in fetcher 1"),
 					},
-					&fakeFetcher{
+					{
 						discoveryConfigName: "test1",
 						count:               2,
 					},
@@ -247,16 +247,20 @@ func TestServer_updateDiscoveryConfigStatus(t *testing.T) {
 					AccessPoint: accessPoint,
 					clock:       clock,
 				},
-				awsSyncStatus: awsSyncStatus{},
+				tagSyncStatus: newTagSyncStatus(),
 			}
 
 			if tt.args.preRun {
-				s.awsSyncStatus.iterationStarted(tt.args.fetchers, s.clock.Now())
+				for _, fetcher := range tt.args.fetchers {
+					s.tagSyncStatus.syncStarted(fetcher, s.clock.Now())
+				}
 			} else {
-				s.awsSyncStatus.iterationFinished(tt.args.fetchers, tt.args.pushErr, s.clock.Now())
+				for _, fetcher := range tt.args.fetchers {
+					s.tagSyncStatus.syncFinished(fetcher, tt.args.pushErr, s.clock.Now())
+				}
 			}
 
-			for _, discoveryConfigName := range s.awsSyncStatus.discoveryConfigs() {
+			for _, discoveryConfigName := range s.tagSyncStatus.discoveryConfigs() {
 				s.updateDiscoveryConfigStatus(discoveryConfigName)
 			}
 
@@ -270,7 +274,7 @@ func stringPointer(s string) *string {
 }
 
 type fakeFetcher struct {
-	aws_sync.AWSSync
+	aws_sync.Fetcher
 	err                 error
 	count               uint64
 	discoveryConfigName string
diff --git a/lib/srv/discovery/discovery.go b/lib/srv/discovery/discovery.go
index 4dd5eb77f59a3..0f2617fb3f140 100644
--- a/lib/srv/discovery/discovery.go
+++ b/lib/srv/discovery/discovery.go
@@ -422,9 +422,9 @@ type Server struct {
 
 	// dynamicTAGAWSFetchers holds the current TAG Fetchers for the Dynamic Matchers (those coming from DiscoveryConfig resource).
 	// The key is the DiscoveryConfig name.
-	dynamicTAGAWSFetchers   map[string][]aws_sync.AWSSync
+	dynamicTAGAWSFetchers   map[string][]*aws_sync.Fetcher
 	muDynamicTAGAWSFetchers sync.RWMutex
-	staticTAGAWSFetchers    []aws_sync.AWSSync
+	staticTAGAWSFetchers    []*aws_sync.Fetcher
 
 	// dynamicTAGAzureFetchers holds the current TAG Fetchers for the Dynamic Matchers (those coming from DiscoveryConfig resource).
 	// The key is the DiscoveryConfig name.
@@ -440,7 +440,7 @@ type Server struct {
 
 	dynamicDiscoveryConfig map[string]*discoveryconfig.DiscoveryConfig
 
-	awsSyncStatus         awsSyncStatus
+	tagSyncStatus         *tagSyncStatus
 	awsEC2ResourcesStatus awsResourcesStatus
 	awsRDSResourcesStatus awsResourcesStatus
 	awsEKSResourcesStatus awsResourcesStatus
@@ -477,10 +477,10 @@ func New(ctx context.Context, cfg *Config) (*Server, error) {
 		dynamicServerAWSFetchers:   make(map[string][]server.Fetcher),
 		dynamicServerAzureFetchers: make(map[string][]server.Fetcher),
 		dynamicServerGCPFetchers:   make(map[string][]server.Fetcher),
-		dynamicTAGAWSFetchers:      make(map[string][]aws_sync.AWSSync),
+		dynamicTAGAWSFetchers:      make(map[string][]*aws_sync.Fetcher),
 		dynamicTAGAzureFetchers:    make(map[string][]*azure_sync.Fetcher),
 		dynamicDiscoveryConfig:     make(map[string]*discoveryconfig.DiscoveryConfig),
-		awsSyncStatus:              awsSyncStatus{},
+		tagSyncStatus:              newTagSyncStatus(),
 		awsEC2ResourcesStatus:      newAWSResourceStatusCollector(types.AWSMatcherEC2),
 		awsRDSResourcesStatus:      newAWSResourceStatusCollector(types.AWSMatcherRDS),
 		awsEKSResourcesStatus:      newAWSResourceStatusCollector(types.AWSMatcherEKS),
diff --git a/lib/srv/discovery/fetchers/aws-sync/aws-sync.go b/lib/srv/discovery/fetchers/aws-sync/aws-sync.go
index f3f1056352ae1..eecc06b0ef218 100644
--- a/lib/srv/discovery/fetchers/aws-sync/aws-sync.go
+++ b/lib/srv/discovery/fetchers/aws-sync/aws-sync.go
@@ -138,28 +138,14 @@ type AssumeRole struct {
 	ExternalID string
 }
 
-// awsFetcher is a fetcher that fetches AWS resources.
-type awsFetcher struct {
+// Fetcher is a fetcher that fetches AWS resources.
+type Fetcher struct {
 	Config
 	lastError               error
 	lastDiscoveredResources uint64
 	lastResult              *Resources
 }
 
-// AWSSync is the interface for fetching AWS resources.
-type AWSSync interface {
-	// Poll polls all AWS resources and returns the result.
-	Poll(context.Context, Features) (*Resources, error)
-	// Status reports the last known status of the fetcher.
-	Status() (uint64, error)
-	// DiscoveryConfigName returns the name of the Discovery Config.
-	DiscoveryConfigName() string
-	// IsFromDiscoveryConfig returns true if the fetcher is associated with a Discovery Config.
-	IsFromDiscoveryConfig() bool
-	// GetAccountID returns the AWS account ID.
-	GetAccountID() string
-}
-
 // Resources is a collection of polled AWS resources.
 type Resources struct {
 	// Users is the list of AWS users.
@@ -249,12 +235,12 @@ func (r *Resources) UsageReport(numberAccounts int) *usageeventsv1.AccessGraphAW
 	}
 }
 
-// NewAWSFetcher creates a new AWS fetcher.
-func NewAWSFetcher(ctx context.Context, cfg Config) (AWSSync, error) {
+// NewFetcher creates a new AWS fetcher.
+func NewFetcher(ctx context.Context, cfg Config) (*Fetcher, error) {
 	if err := cfg.CheckAndSetDefaults(); err != nil {
 		return nil, trace.Wrap(err)
 	}
-	a := &awsFetcher{
+	a := &Fetcher{
 		Config:     cfg,
 		lastResult: &Resources{},
 	}
@@ -270,14 +256,14 @@ func NewAWSFetcher(ctx context.Context, cfg Config) (AWSSync, error) {
 // Poll is a blocking call and will return when all resources have been fetched.
 // It's possible that the call returns Resources and an error at the same time
 // if some resources were fetched successfully and some were not.
-func (a *awsFetcher) Poll(ctx context.Context, features Features) (*Resources, error) {
+func (a *Fetcher) Poll(ctx context.Context, features Features) (*Resources, error) {
 	result, err := a.poll(ctx, features)
 	deduplicateResources(result)
 	a.storeReport(result, err)
 	return result, trace.Wrap(err)
 }
 
-func (a *awsFetcher) storeReport(rec *Resources, err error) {
+func (a *Fetcher) storeReport(rec *Resources, err error) {
 	a.lastError = err
 	if rec == nil {
 		return
@@ -286,11 +272,11 @@ func (a *awsFetcher) storeReport(rec *Resources, err error) {
 	a.lastDiscoveredResources = uint64(rec.count())
 }
 
-func (a *awsFetcher) GetAccountID() string {
+func (a *Fetcher) GetAccountID() string {
 	return a.AccountID
 }
 
-func (a *awsFetcher) poll(ctx context.Context, features Features) (*Resources, error) {
+func (a *Fetcher) poll(ctx context.Context, features Features) (*Resources, error) {
 	eGroup, ctx := errgroup.WithContext(ctx)
 	// Set the limit for the number of concurrent pollers running in parallel.
 	// This is to prevent the number of concurrent pollers from growing too large
@@ -371,7 +357,7 @@ func (a *awsFetcher) poll(ctx context.Context, features Features) (*Resources, e
 
 // getAWSOptions returns a list of AWSAssumeRoleOptionFn to be used when
 // creating AWS clients.
-func (a *awsFetcher) getAWSOptions() []cloud.AWSOptionsFn {
+func (a *Fetcher) getAWSOptions() []cloud.AWSOptionsFn {
 	opts := []cloud.AWSOptionsFn{
 		cloud.WithCredentialsMaybeIntegration(a.Config.Integration),
 	}
@@ -398,7 +384,7 @@ func (a *awsFetcher) getAWSOptions() []cloud.AWSOptionsFn {
 
 // getAWSV2Options returns a list of options to be used when
 // creating AWS clients with the v2 sdk.
-func (a *awsFetcher) getAWSV2Options() []awsconfig.OptionsFn {
+func (a *Fetcher) getAWSV2Options() []awsconfig.OptionsFn {
 	opts := []awsconfig.OptionsFn{
 		awsconfig.WithCredentialsMaybeIntegration(a.Config.Integration),
 	}
@@ -417,7 +403,7 @@ func (a *awsFetcher) getAWSV2Options() []awsconfig.OptionsFn {
 	return opts
 }
 
-func (a *awsFetcher) getAccountId(ctx context.Context) (string, error) {
+func (a *Fetcher) getAccountId(ctx context.Context) (string, error) {
 	stsClient, err := a.CloudClients.GetAWSSTSClient(
 		ctx,
 		"", /* region is empty because groups are global */
@@ -436,14 +422,14 @@ func (a *awsFetcher) getAccountId(ctx context.Context) (string, error) {
 	return aws.ToString(req.Account), nil
 }
 
-func (a *awsFetcher) DiscoveryConfigName() string {
+func (a *Fetcher) DiscoveryConfigName() string {
 	return a.Config.DiscoveryConfigName
 }
 
-func (a *awsFetcher) IsFromDiscoveryConfig() bool {
+func (a *Fetcher) IsFromDiscoveryConfig() bool {
 	return a.Config.DiscoveryConfigName != ""
 }
 
-func (a *awsFetcher) Status() (uint64, error) {
+func (a *Fetcher) Status() (uint64, error) {
 	return a.lastDiscoveredResources, a.lastError
 }
diff --git a/lib/srv/discovery/fetchers/aws-sync/ec2.go b/lib/srv/discovery/fetchers/aws-sync/ec2.go
index ec24aca8184e1..1ae520e743c38 100644
--- a/lib/srv/discovery/fetchers/aws-sync/ec2.go
+++ b/lib/srv/discovery/fetchers/aws-sync/ec2.go
@@ -39,7 +39,7 @@ import (
 
 // pollAWSEC2Instances is a function that returns a function that fetches
 // ec2 instances and instance profiles and returns an error if any.
-func (a *awsFetcher) pollAWSEC2Instances(ctx context.Context, result *Resources, collectErr func(error)) func() error {
+func (a *Fetcher) pollAWSEC2Instances(ctx context.Context, result *Resources, collectErr func(error)) func() error {
 	return func() error {
 		var err error
 
@@ -59,7 +59,7 @@ func (a *awsFetcher) pollAWSEC2Instances(ctx context.Context, result *Resources,
 // as a slice of accessgraphv1alpha.AWSInstanceV1.
 // It uses ec2.DescribeInstancesPagesWithContext to iterate over all instances
 // in all regions.
-func (a *awsFetcher) fetchAWSEC2Instances(ctx context.Context) ([]*accessgraphv1alpha.AWSInstanceV1, error) {
+func (a *Fetcher) fetchAWSEC2Instances(ctx context.Context) ([]*accessgraphv1alpha.AWSInstanceV1, error) {
 	var (
 		hosts    []*accessgraphv1alpha.AWSInstanceV1
 		hostsMu  sync.Mutex
@@ -150,7 +150,7 @@ func awsInstanceToProtoInstance(instance ec2types.Instance, region string, accou
 
 // fetchInstanceProfiles fetches instance profiles from all regions and returns them
 // as a slice of accessgraphv1alpha.AWSInstanceProfileV1.
-func (a *awsFetcher) fetchInstanceProfiles(ctx context.Context) ([]*accessgraphv1alpha.AWSInstanceProfileV1, error) {
+func (a *Fetcher) fetchInstanceProfiles(ctx context.Context) ([]*accessgraphv1alpha.AWSInstanceProfileV1, error) {
 	existing := a.lastResult.InstanceProfiles
 	awsCfg, err := a.AWSConfigProvider.GetConfig(
 		ctx,
diff --git a/lib/srv/discovery/fetchers/aws-sync/eks.go b/lib/srv/discovery/fetchers/aws-sync/eks.go
index fc1791b4cb13a..beba3a5a9a3b3 100644
--- a/lib/srv/discovery/fetchers/aws-sync/eks.go
+++ b/lib/srv/discovery/fetchers/aws-sync/eks.go
@@ -50,7 +50,7 @@ type EKSClient interface {
 
 // pollAWSEKSClusters is a function that returns a function that fetches
 // eks clusters and their access scope levels.
-func (a *awsFetcher) pollAWSEKSClusters(ctx context.Context, result *Resources, collectErr func(error)) func() error {
+func (a *Fetcher) pollAWSEKSClusters(ctx context.Context, result *Resources, collectErr func(error)) func() error {
 	return func() error {
 		output, err := a.fetchAWSSEKSClusters(ctx)
 		if err != nil {
@@ -71,7 +71,7 @@ type fetchAWSEKSClustersOutput struct {
 }
 
 // fetchAWSSEKSClusters fetches eks instances from all regions.
-func (a *awsFetcher) fetchAWSSEKSClusters(ctx context.Context) (fetchAWSEKSClustersOutput, error) {
+func (a *Fetcher) fetchAWSSEKSClusters(ctx context.Context) (fetchAWSEKSClustersOutput, error) {
 	var (
 		output   fetchAWSEKSClustersOutput
 		hostsMu  sync.Mutex
@@ -213,7 +213,7 @@ func awsEKSClusterToProtoCluster(cluster *ekstypes.Cluster, region, accountID st
 }
 
 // fetchAccessEntries fetches the access entries for the given cluster.
-func (a *awsFetcher) fetchAccessEntries(ctx context.Context, eksClient EKSClient, cluster *accessgraphv1alpha.AWSEKSClusterV1) ([]*accessgraphv1alpha.AWSEKSClusterAccessEntryV1, error) {
+func (a *Fetcher) fetchAccessEntries(ctx context.Context, eksClient EKSClient, cluster *accessgraphv1alpha.AWSEKSClusterV1) ([]*accessgraphv1alpha.AWSEKSClusterAccessEntryV1, error) {
 	var accessEntries []string
 
 	for p := eks.NewListAccessEntriesPaginator(eksClient,
@@ -277,7 +277,7 @@ func awsAccessEntryToProtoAccessEntry(accessEntry *ekstypes.AccessEntry, cluster
 }
 
 // fetchAccessEntries fetches the access entries for the given cluster.
-func (a *awsFetcher) fetchAssociatedPolicies(ctx context.Context, eksClient EKSClient, cluster *accessgraphv1alpha.AWSEKSClusterV1, arns []string) ([]*accessgraphv1alpha.AWSEKSAssociatedAccessPolicyV1, error) {
+func (a *Fetcher) fetchAssociatedPolicies(ctx context.Context, eksClient EKSClient, cluster *accessgraphv1alpha.AWSEKSClusterV1, arns []string) ([]*accessgraphv1alpha.AWSEKSAssociatedAccessPolicyV1, error) {
 	var associatedPolicies []*accessgraphv1alpha.AWSEKSAssociatedAccessPolicyV1
 	var errs []error
 
diff --git a/lib/srv/discovery/fetchers/aws-sync/eks_test.go b/lib/srv/discovery/fetchers/aws-sync/eks_test.go
index b38f1ff851a92..e8cd55b767767 100644
--- a/lib/srv/discovery/fetchers/aws-sync/eks_test.go
+++ b/lib/srv/discovery/fetchers/aws-sync/eks_test.go
@@ -196,7 +196,7 @@ func TestPollAWSEKSClusters(t *testing.T) {
 				defer mu.Unlock()
 				errs = append(errs, err)
 			}
-			a := &awsFetcher{
+			a := &Fetcher{
 				Config: Config{
 					AccountID:    accountID,
 					Regions:      regions,
diff --git a/lib/srv/discovery/fetchers/aws-sync/groups.go b/lib/srv/discovery/fetchers/aws-sync/groups.go
index b4c9ac1dc8a62..b212ee1629b5e 100644
--- a/lib/srv/discovery/fetchers/aws-sync/groups.go
+++ b/lib/srv/discovery/fetchers/aws-sync/groups.go
@@ -34,7 +34,7 @@ import (
 
 // pollAWSGroups is a function that returns a function that fetches
 // AWS groups and their inline and attached policies.
-func (a *awsFetcher) pollAWSGroups(ctx context.Context, result *Resources, collectErr func(error)) func() error {
+func (a *Fetcher) pollAWSGroups(ctx context.Context, result *Resources, collectErr func(error)) func() error {
 	return func() error {
 		var err error
 
@@ -90,7 +90,7 @@ func (a *awsFetcher) pollAWSGroups(ctx context.Context, result *Resources, colle
 
 // fetchGroups fetches AWS groups and returns them as a slice of accessgraphv1alpha.AWSGroupV1.
 // It uses ListGroupsPagesWithContext to iterate over all groups.
-func (a *awsFetcher) fetchGroups(ctx context.Context) ([]*accessgraphv1alpha.AWSGroupV1, error) {
+func (a *Fetcher) fetchGroups(ctx context.Context) ([]*accessgraphv1alpha.AWSGroupV1, error) {
 	awsCfg, err := a.AWSConfigProvider.GetConfig(
 		ctx,
 		"", /* region is empty because groups are global */
@@ -140,7 +140,7 @@ func awsGroupToProtoGroup(group iamtypes.Group, accountID string) *accessgraphv1
 // as a slice of accessgraphv1alpha.AWSGroupInlinePolicyV1.
 // It uses ListGroupPoliciesPagesWithContext to iterate over all inline policies
 // associated with the group.
-func (a *awsFetcher) fetchGroupInlinePolicies(ctx context.Context, group *accessgraphv1alpha.AWSGroupV1) ([]*accessgraphv1alpha.AWSGroupInlinePolicyV1, error) {
+func (a *Fetcher) fetchGroupInlinePolicies(ctx context.Context, group *accessgraphv1alpha.AWSGroupV1) ([]*accessgraphv1alpha.AWSGroupInlinePolicyV1, error) {
 	awsCfg, err := a.AWSConfigProvider.GetConfig(
 		ctx,
 		"", /* region is empty because users and groups are global */
@@ -197,7 +197,7 @@ func awsGroupPolicyToProtoGroupPolicy(policy *iam.GetGroupPolicyOutput, accountI
 }
 
 // fetchGroupAttachedPolicies fetches attached policies for a group.
-func (a *awsFetcher) fetchGroupAttachedPolicies(ctx context.Context, group *accessgraphv1alpha.AWSGroupV1) (*accessgraphv1alpha.AWSGroupAttachedPolicies, error) {
+func (a *Fetcher) fetchGroupAttachedPolicies(ctx context.Context, group *accessgraphv1alpha.AWSGroupV1) (*accessgraphv1alpha.AWSGroupAttachedPolicies, error) {
 	awsCfg, err := a.AWSConfigProvider.GetConfig(
 		ctx,
 		"", /* region is empty because users and groups are global */
diff --git a/lib/srv/discovery/fetchers/aws-sync/iam_test.go b/lib/srv/discovery/fetchers/aws-sync/iam_test.go
index d428aa4ed3a42..9e84d892a224f 100644
--- a/lib/srv/discovery/fetchers/aws-sync/iam_test.go
+++ b/lib/srv/discovery/fetchers/aws-sync/iam_test.go
@@ -65,7 +65,7 @@ func TestAWSIAMPollSAMLProviders(t *testing.T) {
 		},
 	)
 	require.NoError(t, err)
-	a := &awsFetcher{
+	a := &Fetcher{
 		Config: Config{
 			AccountID: accountID,
 			AWSConfigProvider: &mocks.AWSConfigProvider{
@@ -203,7 +203,7 @@ func TestAWSIAMPollOIDCProviders(t *testing.T) {
 		defer mu.Unlock()
 		errs = append(errs, err)
 	}
-	a := &awsFetcher{
+	a := &Fetcher{
 		Config: Config{
 			AccountID: accountID,
 			AWSConfigProvider: &mocks.AWSConfigProvider{
diff --git a/lib/srv/discovery/fetchers/aws-sync/idp.go b/lib/srv/discovery/fetchers/aws-sync/idp.go
index 98f7c61536c6d..a564c5f02ebf8 100644
--- a/lib/srv/discovery/fetchers/aws-sync/idp.go
+++ b/lib/srv/discovery/fetchers/aws-sync/idp.go
@@ -31,7 +31,7 @@ import (
 	accessgraphv1alpha "github.com/gravitational/teleport/gen/proto/go/accessgraph/v1alpha"
 )
 
-func (a *awsFetcher) pollAWSSAMLProviders(ctx context.Context, result *Resources, collectErr func(error)) func() error {
+func (a *Fetcher) pollAWSSAMLProviders(ctx context.Context, result *Resources, collectErr func(error)) func() error {
 	return func() error {
 		existing := a.lastResult
 		awsCfg, err := a.AWSConfigProvider.GetConfig(
@@ -74,7 +74,7 @@ func (a *awsFetcher) pollAWSSAMLProviders(ctx context.Context, result *Resources
 }
 
 // fetchAWSSAMLProvider fetches data about a single SAML identity provider.
-func (a *awsFetcher) fetchAWSSAMLProvider(ctx context.Context, client iamClient, arn string) (*accessgraphv1alpha.AWSSAMLProviderV1, error) {
+func (a *Fetcher) fetchAWSSAMLProvider(ctx context.Context, client iamClient, arn string) (*accessgraphv1alpha.AWSSAMLProviderV1, error) {
 	providerResp, err := client.GetSAMLProvider(ctx, &iam.GetSAMLProviderInput{
 		SAMLProviderArn: aws.String(arn),
 	})
@@ -132,7 +132,7 @@ func awsSAMLProviderOutputToProto(arn string, accountID string, provider *iam.Ge
 	}, nil
 }
 
-func (a *awsFetcher) pollAWSOIDCProviders(ctx context.Context, result *Resources, collectErr func(error)) func() error {
+func (a *Fetcher) pollAWSOIDCProviders(ctx context.Context, result *Resources, collectErr func(error)) func() error {
 	return func() error {
 		existing := a.lastResult
 		awsCfg, err := a.AWSConfigProvider.GetConfig(
@@ -175,7 +175,7 @@ func (a *awsFetcher) pollAWSOIDCProviders(ctx context.Context, result *Resources
 }
 
 // fetchAWSOIDCProvider fetches data about a single OIDC identity provider.
-func (a *awsFetcher) fetchAWSOIDCProvider(ctx context.Context, client iamClient, arn string) (*accessgraphv1alpha.AWSOIDCProviderV1, error) {
+func (a *Fetcher) fetchAWSOIDCProvider(ctx context.Context, client iamClient, arn string) (*accessgraphv1alpha.AWSOIDCProviderV1, error) {
 	providerResp, err := client.GetOpenIDConnectProvider(ctx, &iam.GetOpenIDConnectProviderInput{
 		OpenIDConnectProviderArn: aws.String(arn),
 	})
diff --git a/lib/srv/discovery/fetchers/aws-sync/policies.go b/lib/srv/discovery/fetchers/aws-sync/policies.go
index 2b3171d3045df..511245a4b732c 100644
--- a/lib/srv/discovery/fetchers/aws-sync/policies.go
+++ b/lib/srv/discovery/fetchers/aws-sync/policies.go
@@ -34,7 +34,7 @@ import (
 
 // pollAWSPolicies is a function that returns a function that fetches
 // AWS policies and returns an error if any.
-func (a *awsFetcher) pollAWSPolicies(ctx context.Context, result *Resources, collectErr func(error)) func() error {
+func (a *Fetcher) pollAWSPolicies(ctx context.Context, result *Resources, collectErr func(error)) func() error {
 	return func() error {
 		var err error
 		result.Policies, err = a.fetchPolicies(ctx)
@@ -49,7 +49,7 @@ func (a *awsFetcher) pollAWSPolicies(ctx context.Context, result *Resources, col
 // accessgraphv1alpha.AWSPolicyV1.
 // It uses iam.ListPoliciesPagesWithContext to iterate over all policies
 // and iam.GetPolicyVersionWithContext to fetch policy documents.
-func (a *awsFetcher) fetchPolicies(ctx context.Context) ([]*accessgraphv1alpha.AWSPolicyV1, error) {
+func (a *Fetcher) fetchPolicies(ctx context.Context) ([]*accessgraphv1alpha.AWSPolicyV1, error) {
 	awsCfg, err := a.AWSConfigProvider.GetConfig(
 		ctx,
 		"", /* region is empty because users and groups are global */
diff --git a/lib/srv/discovery/fetchers/aws-sync/rds.go b/lib/srv/discovery/fetchers/aws-sync/rds.go
index f163c49f6b6d3..3d7117425d6ab 100644
--- a/lib/srv/discovery/fetchers/aws-sync/rds.go
+++ b/lib/srv/discovery/fetchers/aws-sync/rds.go
@@ -40,7 +40,7 @@ type rdsClient interface {
 
 // pollAWSRDSDatabases is a function that returns a function that fetches
 // RDS instances and clusters.
-func (a *awsFetcher) pollAWSRDSDatabases(ctx context.Context, result *Resources, collectErr func(error)) func() error {
+func (a *Fetcher) pollAWSRDSDatabases(ctx context.Context, result *Resources, collectErr func(error)) func() error {
 	return func() error {
 		var err error
 		result.RDSDatabases, err = a.fetchAWSRDSDatabases(ctx)
@@ -52,7 +52,7 @@ func (a *awsFetcher) pollAWSRDSDatabases(ctx context.Context, result *Resources,
 }
 
 // fetchAWSRDSDatabases fetches RDS databases from all regions.
-func (a *awsFetcher) fetchAWSRDSDatabases(ctx context.Context) (
+func (a *Fetcher) fetchAWSRDSDatabases(ctx context.Context) (
 	[]*accessgraphv1alpha.AWSRDSDatabaseV1,
 	error,
 ) {
@@ -155,7 +155,7 @@ func awsRDSClusterToRDS(instance *rdstypes.DBCluster, region, accountID string)
 	}
 }
 
-func (a *awsFetcher) collectDBInstances(ctx context.Context,
+func (a *Fetcher) collectDBInstances(ctx context.Context,
 	clt rdsClient,
 	region string,
 	collectDBs func([]*accessgraphv1alpha.AWSRDSDatabaseV1, error),
@@ -189,7 +189,7 @@ func (a *awsFetcher) collectDBInstances(ctx context.Context,
 	collectDBs(instances, nil)
 }
 
-func (a *awsFetcher) collectDBClusters(
+func (a *Fetcher) collectDBClusters(
 	ctx context.Context,
 	clt rdsClient,
 	region string,
diff --git a/lib/srv/discovery/fetchers/aws-sync/rds_test.go b/lib/srv/discovery/fetchers/aws-sync/rds_test.go
index f888294c3ddcf..27940a1d4215f 100644
--- a/lib/srv/discovery/fetchers/aws-sync/rds_test.go
+++ b/lib/srv/discovery/fetchers/aws-sync/rds_test.go
@@ -101,14 +101,14 @@ func TestPollAWSRDS(t *testing.T) {
 
 	tests := []struct {
 		name             string
-		fetcherConfigOpt func(*awsFetcher)
+		fetcherConfigOpt func(*Fetcher)
 		want             *Resources
 		checkError       func(*testing.T, error)
 	}{
 		{
 			name: "poll rds databases",
 			want: &resourcesFixture,
-			fetcherConfigOpt: func(a *awsFetcher) {
+			fetcherConfigOpt: func(a *Fetcher) {
 				a.awsClients = fakeAWSClients{
 					rdsClient: &mocks.RDSClient{
 						DBInstances: dbInstances(),
@@ -123,7 +123,7 @@ func TestPollAWSRDS(t *testing.T) {
 		{
 			name: "reuse last synced databases on failure",
 			want: &resourcesFixture,
-			fetcherConfigOpt: func(a *awsFetcher) {
+			fetcherConfigOpt: func(a *Fetcher) {
 				a.awsClients = fakeAWSClients{
 					rdsClient: &mocks.RDSClient{Unauth: true},
 				}
@@ -137,7 +137,7 @@ func TestPollAWSRDS(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			a := &awsFetcher{
+			a := &Fetcher{
 				Config: Config{
 					AccountID: accountID,
 					AWSConfigProvider: &mocks.AWSConfigProvider{
diff --git a/lib/srv/discovery/fetchers/aws-sync/roles.go b/lib/srv/discovery/fetchers/aws-sync/roles.go
index a56678b609a44..5f076f4b525c0 100644
--- a/lib/srv/discovery/fetchers/aws-sync/roles.go
+++ b/lib/srv/discovery/fetchers/aws-sync/roles.go
@@ -36,7 +36,7 @@ import (
 
 // pollAWSRoles is a function that returns a function that fetches
 // AWS roles and their inline and attached policies.
-func (a *awsFetcher) pollAWSRoles(ctx context.Context, result *Resources, collectErr func(error)) func() error {
+func (a *Fetcher) pollAWSRoles(ctx context.Context, result *Resources, collectErr func(error)) func() error {
 	return func() error {
 		var err error
 		existing := a.lastResult
@@ -85,7 +85,7 @@ func (a *awsFetcher) pollAWSRoles(ctx context.Context, result *Resources, collec
 }
 
 // fetchRoles fetches AWS roles and returns them as a slice of accessgraphv1alpha.AWSRoleV1.
-func (a *awsFetcher) fetchRoles(ctx context.Context) ([]*accessgraphv1alpha.AWSRoleV1, error) {
+func (a *Fetcher) fetchRoles(ctx context.Context) ([]*accessgraphv1alpha.AWSRoleV1, error) {
 	awsCfg, err := a.AWSConfigProvider.GetConfig(
 		ctx,
 		"", /* region is empty because roles are global */
@@ -122,7 +122,7 @@ func (a *awsFetcher) fetchRoles(ctx context.Context) ([]*accessgraphv1alpha.AWSR
 // them as a slice of accessgraphv1alpha.AWSRoleInlinePolicyV1.
 // It uses iam.ListRolePoliciesPagesWithContext to iterate over all inline policies
 // and iam.GetRolePolicyWithContext to fetch policy documents.
-func (a *awsFetcher) fetchRoleInlinePolicies(ctx context.Context, role *accessgraphv1alpha.AWSRoleV1) ([]*accessgraphv1alpha.AWSRoleInlinePolicyV1, error) {
+func (a *Fetcher) fetchRoleInlinePolicies(ctx context.Context, role *accessgraphv1alpha.AWSRoleV1) ([]*accessgraphv1alpha.AWSRoleInlinePolicyV1, error) {
 	awsCfg, err := a.AWSConfigProvider.GetConfig(
 		ctx,
 		"", /* region is empty because users and groups are global */
@@ -171,7 +171,7 @@ func (a *awsFetcher) fetchRoleInlinePolicies(ctx context.Context, role *accessgr
 }
 
 // fetchRoleAttachedPolicies fetches attached policies for an AWS role.
-func (a *awsFetcher) fetchRoleAttachedPolicies(ctx context.Context, role *accessgraphv1alpha.AWSRoleV1) (*accessgraphv1alpha.AWSRoleAttachedPolicies, error) {
+func (a *Fetcher) fetchRoleAttachedPolicies(ctx context.Context, role *accessgraphv1alpha.AWSRoleV1) (*accessgraphv1alpha.AWSRoleAttachedPolicies, error) {
 	awsCfg, err := a.AWSConfigProvider.GetConfig(
 		ctx,
 		"", /* region is empty because users and groups are global */
diff --git a/lib/srv/discovery/fetchers/aws-sync/s3.go b/lib/srv/discovery/fetchers/aws-sync/s3.go
index b340d6d8d50d4..20f749f6fd952 100644
--- a/lib/srv/discovery/fetchers/aws-sync/s3.go
+++ b/lib/srv/discovery/fetchers/aws-sync/s3.go
@@ -49,7 +49,7 @@ type s3Client interface {
 
 // pollAWSS3Buckets is a function that returns a function that fetches
 // AWS s3 buckets and their inline and attached policies.
-func (a *awsFetcher) pollAWSS3Buckets(ctx context.Context, result *Resources, collectErr func(error)) func() error {
+func (a *Fetcher) pollAWSS3Buckets(ctx context.Context, result *Resources, collectErr func(error)) func() error {
 	return func() error {
 		var err error
 		result.S3Buckets, err = a.fetchS3Buckets(ctx)
@@ -62,7 +62,7 @@ func (a *awsFetcher) pollAWSS3Buckets(ctx context.Context, result *Resources, co
 
 // fetchS3Buckets fetches AWS s3 buckets and returns them as a slice of
 // accessgraphv1alpha.AWSS3BucketV1.
-func (a *awsFetcher) fetchS3Buckets(ctx context.Context) ([]*accessgraphv1alpha.AWSS3BucketV1, error) {
+func (a *Fetcher) fetchS3Buckets(ctx context.Context) ([]*accessgraphv1alpha.AWSS3BucketV1, error) {
 	var s3s []*accessgraphv1alpha.AWSS3BucketV1
 	var errs []error
 	var mu sync.Mutex
@@ -213,7 +213,7 @@ type s3Details struct {
 	tags         *s3.GetBucketTaggingOutput
 }
 
-func (a *awsFetcher) getS3BucketDetails(ctx context.Context, bucket s3types.Bucket, bucketRegion string) (s3Details, failedRequests, []error) {
+func (a *Fetcher) getS3BucketDetails(ctx context.Context, bucket s3types.Bucket, bucketRegion string) (s3Details, failedRequests, []error) {
 	var failedReqs failedRequests
 	var errs []error
 	var details s3Details
@@ -293,7 +293,7 @@ func isS3BucketNoTagSet(err error) bool {
 	return isAPIErrorCode(err, "NoSuchTagSet")
 }
 
-func (a *awsFetcher) listS3Buckets(ctx context.Context) ([]s3types.Bucket, func(*string) (string, error), error) {
+func (a *Fetcher) listS3Buckets(ctx context.Context) ([]s3types.Bucket, func(*string) (string, error), error) {
 	region := awsutil.GetKnownRegions()[0]
 	if len(a.Regions) > 0 {
 		region = a.Regions[0]
diff --git a/lib/srv/discovery/fetchers/aws-sync/s3_test.go b/lib/srv/discovery/fetchers/aws-sync/s3_test.go
index c6dc57d9b6266..ade779690b490 100644
--- a/lib/srv/discovery/fetchers/aws-sync/s3_test.go
+++ b/lib/srv/discovery/fetchers/aws-sync/s3_test.go
@@ -174,7 +174,7 @@ func TestPollAWSS3(t *testing.T) {
 				defer mu.Unlock()
 				errs = append(errs, err)
 			}
-			a := &awsFetcher{
+			a := &Fetcher{
 				Config: Config{
 					AWSConfigProvider: &mocks.AWSConfigProvider{
 						OIDCIntegrationClient: &mocks.FakeOIDCIntegrationClient{
diff --git a/lib/srv/discovery/fetchers/aws-sync/users.go b/lib/srv/discovery/fetchers/aws-sync/users.go
index 3284dfb518466..94f28cc9a3928 100644
--- a/lib/srv/discovery/fetchers/aws-sync/users.go
+++ b/lib/srv/discovery/fetchers/aws-sync/users.go
@@ -34,7 +34,7 @@ import (
 
 // pollAWSUsers is a function that returns a function that fetches
 // AWS users and their inline and attached policies, and groups.
-func (a *awsFetcher) pollAWSUsers(ctx context.Context, result, existing *Resources, collectErr func(error)) func() error {
+func (a *Fetcher) pollAWSUsers(ctx context.Context, result, existing *Resources, collectErr func(error)) func() error {
 	return func() error {
 		var err error
 
@@ -104,7 +104,7 @@ func (a *awsFetcher) pollAWSUsers(ctx context.Context, result, existing *Resourc
 
 // fetchUsers fetches AWS users and returns them as a slice of accessgraphv1alpha.AWSUserV1.
 // It uses iam.ListUsersPagesWithContext to iterate over all users.
-func (a *awsFetcher) fetchUsers(ctx context.Context) ([]*accessgraphv1alpha.AWSUserV1, error) {
+func (a *Fetcher) fetchUsers(ctx context.Context) ([]*accessgraphv1alpha.AWSUserV1, error) {
 	awsCfg, err := a.AWSConfigProvider.GetConfig(
 		ctx,
 		"", /* region is empty because users are global */
@@ -170,7 +170,7 @@ func awsUserToProtoUser(user iamtypes.User, accountID string) *accessgraphv1alph
 	}
 }
 
-func (a *awsFetcher) fetchUserInlinePolicies(ctx context.Context, user *accessgraphv1alpha.AWSUserV1) ([]*accessgraphv1alpha.AWSUserInlinePolicyV1, error) {
+func (a *Fetcher) fetchUserInlinePolicies(ctx context.Context, user *accessgraphv1alpha.AWSUserV1) ([]*accessgraphv1alpha.AWSUserInlinePolicyV1, error) {
 	awsCfg, err := a.AWSConfigProvider.GetConfig(
 		ctx,
 		"", /* region is empty because users and groups are global */
@@ -227,7 +227,7 @@ func awsUserPolicyToProtoUserPolicy(policy *iam.GetUserPolicyOutput, user *acces
 	}
 }
 
-func (a *awsFetcher) fetchUserAttachedPolicies(ctx context.Context, user *accessgraphv1alpha.AWSUserV1) (*accessgraphv1alpha.AWSUserAttachedPolicies, error) {
+func (a *Fetcher) fetchUserAttachedPolicies(ctx context.Context, user *accessgraphv1alpha.AWSUserV1) (*accessgraphv1alpha.AWSUserAttachedPolicies, error) {
 	awsCfg, err := a.AWSConfigProvider.GetConfig(
 		ctx,
 		"", /* region is empty because users and groups are global */
@@ -271,7 +271,7 @@ func (a *awsFetcher) fetchUserAttachedPolicies(ctx context.Context, user *access
 	return rsp, trace.Wrap(err)
 }
 
-func (a *awsFetcher) fetchGroupsForUser(ctx context.Context, user *accessgraphv1alpha.AWSUserV1) (*accessgraphv1alpha.AWSUserGroupsV1, error) {
+func (a *Fetcher) fetchGroupsForUser(ctx context.Context, user *accessgraphv1alpha.AWSUserV1) (*accessgraphv1alpha.AWSUserGroupsV1, error) {
 	userGroups := &accessgraphv1alpha.AWSUserGroupsV1{
 		User:         user,
 		LastSyncTime: timestamppb.Now(),
diff --git a/lib/srv/discovery/fetchers/azuresync/azure-sync.go b/lib/srv/discovery/fetchers/azuresync/azure-sync.go
index 53d4d4144c5cf..3f00071c9e679 100644
--- a/lib/srv/discovery/fetchers/azuresync/azure-sync.go
+++ b/lib/srv/discovery/fetchers/azuresync/azure-sync.go
@@ -25,6 +25,7 @@ import (
 	"github.com/gravitational/trace"
 	"golang.org/x/sync/errgroup"
 
+	"github.com/gravitational/teleport/api/types"
 	accessgraphv1alpha "github.com/gravitational/teleport/gen/proto/go/accessgraph/v1alpha"
 	"github.com/gravitational/teleport/lib/cloud/azure"
 	"github.com/gravitational/teleport/lib/msgraph"
@@ -35,6 +36,11 @@ import (
 // the number of resource types, we may increase this value or use some other approach to fetching concurrency.
 const fetcherConcurrency = 4
 
+type AzureOIDCCredentials interface {
+	GenerateAzureOIDCToken(ctx context.Context, integration string) (string, error)
+	GetIntegration(ctx context.Context, name string) (types.Integration, error)
+}
+
 // Config defines parameters required for fetching resources from Azure
 type Config struct {
 	// SubscriptionID is the Azure subscriptipn ID
@@ -43,6 +49,8 @@ type Config struct {
 	Integration string
 	// DiscoveryConfigName is the name of this Discovery configuration
 	DiscoveryConfigName string
+	// OIDCCredentials provides methods for fetching OIDC credentials
+	OIDCCredentials AzureOIDCCredentials
 }
 
 // Resources represents the set of resources fetched from Azure
@@ -80,10 +88,27 @@ type Fetcher struct {
 
 // NewFetcher returns a new fetcher based on configuration parameters
 func NewFetcher(cfg Config, ctx context.Context) (*Fetcher, error) {
-	// Establish the credential from the managed identity
-	cred, err := azidentity.NewDefaultAzureCredential(nil)
-	if err != nil {
-		return nil, trace.Wrap(err)
+	var cred msgraph.AzureTokenProvider
+	var err error
+	if cfg.Integration == "" {
+		// Establish the credential from the managed identity
+		cred, err = azidentity.NewDefaultAzureCredential(nil)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+	} else {
+		// Establish the credential from OIDC credential assertion
+		integration, err := cfg.OIDCCredentials.GetIntegration(ctx, cfg.Integration)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+		azureIntegration := integration.GetAzureOIDCIntegrationSpec()
+		cred, err = azidentity.NewClientAssertionCredential(azureIntegration.TenantID, azureIntegration.ClientID, func(ctx context.Context) (string, error) {
+			return cfg.OIDCCredentials.GenerateAzureOIDCToken(ctx, cfg.Integration)
+		}, nil)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
 	}
 
 	// Create the clients for the fetcher
diff --git a/lib/srv/discovery/kube_integration_watcher_test.go b/lib/srv/discovery/kube_integration_watcher_test.go
index 3c7cbd57731fd..717e31b0d595e 100644
--- a/lib/srv/discovery/kube_integration_watcher_test.go
+++ b/lib/srv/discovery/kube_integration_watcher_test.go
@@ -525,6 +525,11 @@ func (m *mockIntegrationsTokenGenerator) GenerateAWSOIDCToken(ctx context.Contex
 	return uuid.NewString(), nil
 }
 
+// GenerateAzureOIDCToken generates a token to be used to execute an Azure OIDC Integration action.
+func (m *mockIntegrationsTokenGenerator) GenerateAzureOIDCToken(ctx context.Context, integration string) (string, error) {
+	return uuid.NewString(), nil
+}
+
 type mockEnrollEKSClusterClient struct {
 	createAccessEntry           func(context.Context, *eks.CreateAccessEntryInput, ...func(*eks.Options)) (*eks.CreateAccessEntryOutput, error)
 	associateAccessPolicy       func(context.Context, *eks.AssociateAccessPolicyInput, ...func(*eks.Options)) (*eks.AssociateAccessPolicyOutput, error)
diff --git a/lib/srv/discovery/status.go b/lib/srv/discovery/status.go
index ab7a23e040039..4b25bff187540 100644
--- a/lib/srv/discovery/status.go
+++ b/lib/srv/discovery/status.go
@@ -35,10 +35,19 @@ import (
 	"github.com/gravitational/teleport/api/utils/retryutils"
 	libevents "github.com/gravitational/teleport/lib/events"
 	"github.com/gravitational/teleport/lib/services"
-	aws_sync "github.com/gravitational/teleport/lib/srv/discovery/fetchers/aws-sync"
 	"github.com/gravitational/teleport/lib/srv/server"
 )
 
+// FetcherStatus defines an interface for fetchers to report status
+type FetcherStatus interface {
+	// Status reports the last known status of the fetcher.
+	Status() (uint64, error)
+	// DiscoveryConfigName returns the name of the Discovery Config.
+	DiscoveryConfigName() string
+	// IsFromDiscoveryConfig returns true if the fetcher is associated with a Discovery Config.
+	IsFromDiscoveryConfig() bool
+}
+
 // updateDiscoveryConfigStatus updates the DiscoveryConfig Status field with the current in-memory status.
 // The status will be updated with the following matchers:
 // - AWS Sync (TAG) status
@@ -59,8 +68,8 @@ func (s *Server) updateDiscoveryConfigStatus(discoveryConfigNames ...string) {
 			IntegrationDiscoveredResources: make(map[string]*discoveryconfigv1.IntegrationDiscoveredSummary),
 		}
 
-		// Merge AWS Sync (TAG) status
-		discoveryConfigStatus = s.awsSyncStatus.mergeIntoGlobalStatus(discoveryConfigName, discoveryConfigStatus)
+		// Merge AWS or Azure Sync (TAG) status
+		discoveryConfigStatus = s.tagSyncStatus.mergeIntoGlobalStatus(discoveryConfigName, discoveryConfigStatus)
 
 		// Merge AWS EC2 Instances (auto discovery) status
 		discoveryConfigStatus = s.awsEC2ResourcesStatus.mergeIntoGlobalStatus(discoveryConfigName, discoveryConfigStatus)
@@ -84,16 +93,23 @@ func (s *Server) updateDiscoveryConfigStatus(discoveryConfigNames ...string) {
 	}
 }
 
-// awsSyncStatus contains all the status for aws_sync Fetchers grouped by DiscoveryConfig.
-type awsSyncStatus struct {
+// tagSyncStatus contains all the status for both AWS and Azure fetchers grouped by DiscoveryConfig.
+type tagSyncStatus struct {
 	mu sync.RWMutex
-	// awsSyncResults maps the DiscoveryConfig name to a aws_sync result.
-	// Each DiscoveryConfig might have multiple `aws_sync` matchers.
-	awsSyncResults map[string][]awsSyncResult
+	// syncResults maps the DiscoveryConfig name to a AWS or Azure fetcher result.
+	// Each DiscoveryConfig might have multiple AWS or Azure matchers.
+	syncResults map[string][]tagSyncResult
+}
+
+// newTagSyncStatus creates a new sync status object for storing results from the last fetch
+func newTagSyncStatus() *tagSyncStatus {
+	return &tagSyncStatus{
+		syncResults: make(map[string][]tagSyncResult),
+	}
 }
 
-// awsSyncResult stores the result of the aws_sync Matchers for a given DiscoveryConfig.
-type awsSyncResult struct {
+// tagSyncResult stores the result of the aws_sync Matchers for a given DiscoveryConfig.
+type tagSyncResult struct {
 	// state is the State for the DiscoveryConfigStatus.
 	// Allowed values are:
 	// - DISCOVERY_CONFIG_STATE_SYNCING
@@ -105,72 +121,65 @@ type awsSyncResult struct {
 	discoveredResources uint64
 }
 
-func (d *awsSyncStatus) iterationFinished(fetchers []aws_sync.AWSSync, pushErr error, lastUpdate time.Time) {
+func (d *tagSyncStatus) syncFinished(fetcher FetcherStatus, pushErr error, lastUpdate time.Time) {
 	d.mu.Lock()
 	defer d.mu.Unlock()
 
-	d.awsSyncResults = make(map[string][]awsSyncResult)
-	for _, fetcher := range fetchers {
-		// Only update the status for fetchers that are from the discovery config.
-		if !fetcher.IsFromDiscoveryConfig() {
-			continue
-		}
-
-		count, statusErr := fetcher.Status()
-		statusAndPushErr := trace.NewAggregate(statusErr, pushErr)
+	// Only update the status for fetchers that are from the discovery config.
+	if !fetcher.IsFromDiscoveryConfig() {
+		return
+	}
 
-		fetcherResult := awsSyncResult{
-			state:               discoveryconfigv1.DiscoveryConfigState_DISCOVERY_CONFIG_STATE_RUNNING.String(),
-			lastSyncTime:        lastUpdate,
-			discoveredResources: count,
-		}
+	count, statusErr := fetcher.Status()
+	statusAndPushErr := trace.NewAggregate(statusErr, pushErr)
 
-		if statusAndPushErr != nil {
-			errorMessage := statusAndPushErr.Error()
-			fetcherResult.errorMessage = &errorMessage
-			fetcherResult.state = discoveryconfigv1.DiscoveryConfigState_DISCOVERY_CONFIG_STATE_ERROR.String()
-		}
+	fetcherResult := tagSyncResult{
+		state:               discoveryconfigv1.DiscoveryConfigState_DISCOVERY_CONFIG_STATE_RUNNING.String(),
+		lastSyncTime:        lastUpdate,
+		discoveredResources: count,
+	}
 
-		d.awsSyncResults[fetcher.DiscoveryConfigName()] = append(d.awsSyncResults[fetcher.DiscoveryConfigName()], fetcherResult)
+	if statusAndPushErr != nil {
+		errorMessage := statusAndPushErr.Error()
+		fetcherResult.errorMessage = &errorMessage
+		fetcherResult.state = discoveryconfigv1.DiscoveryConfigState_DISCOVERY_CONFIG_STATE_ERROR.String()
 	}
+
+	d.syncResults[fetcher.DiscoveryConfigName()] = append(d.syncResults[fetcher.DiscoveryConfigName()], fetcherResult)
 }
 
-func (d *awsSyncStatus) discoveryConfigs() []string {
+func (d *tagSyncStatus) discoveryConfigs() []string {
 	d.mu.RLock()
 	defer d.mu.RUnlock()
 
-	ret := make([]string, 0, len(d.awsSyncResults))
-	for k := range d.awsSyncResults {
+	ret := make([]string, 0, len(d.syncResults))
+	for k := range d.syncResults {
 		ret = append(ret, k)
 	}
 	return ret
 }
 
-func (d *awsSyncStatus) iterationStarted(fetchers []aws_sync.AWSSync, lastUpdate time.Time) {
+func (d *tagSyncStatus) syncStarted(fetcher FetcherStatus, lastUpdate time.Time) {
 	d.mu.Lock()
 	defer d.mu.Unlock()
+	// Only update the status for fetchers that are from the discovery config.
+	if !fetcher.IsFromDiscoveryConfig() {
+		return
+	}
 
-	d.awsSyncResults = make(map[string][]awsSyncResult)
-	for _, fetcher := range fetchers {
-		// Only update the status for fetchers that are from the discovery config.
-		if !fetcher.IsFromDiscoveryConfig() {
-			continue
-		}
-
-		fetcherResult := awsSyncResult{
-			state:        discoveryconfigv1.DiscoveryConfigState_DISCOVERY_CONFIG_STATE_SYNCING.String(),
-			lastSyncTime: lastUpdate,
-		}
-
-		d.awsSyncResults[fetcher.DiscoveryConfigName()] = append(d.awsSyncResults[fetcher.DiscoveryConfigName()], fetcherResult)
+	fetcherResult := tagSyncResult{
+		state:        discoveryconfigv1.DiscoveryConfigState_DISCOVERY_CONFIG_STATE_SYNCING.String(),
+		lastSyncTime: lastUpdate,
 	}
+
+	d.syncResults[fetcher.DiscoveryConfigName()] = append(d.syncResults[fetcher.DiscoveryConfigName()], fetcherResult)
 }
 
-func (d *awsSyncStatus) mergeIntoGlobalStatus(discoveryConfigName string, existingStatus discoveryconfig.Status) discoveryconfig.Status {
+func (d *tagSyncStatus) mergeIntoGlobalStatus(discoveryConfigName string, existingStatus discoveryconfig.Status) discoveryconfig.Status {
 	d.mu.RLock()
 	defer d.mu.RUnlock()
 
-	awsStatusFetchers, found := d.awsSyncResults[discoveryConfigName]
+	awsStatusFetchers, found := d.syncResults[discoveryConfigName]
 	if !found {
 		return existingStatus
 	}
diff --git a/lib/srv/git/forward_test.go b/lib/srv/git/forward_test.go
index 3b4438cfa3a99..4ea3566bd9744 100644
--- a/lib/srv/git/forward_test.go
+++ b/lib/srv/git/forward_test.go
@@ -282,11 +282,11 @@ func makeUserCert(t *testing.T, caSigner ssh.Signer) ssh.Signer {
 		PublicUserKey:     clientPrivateKey.MarshalSSHPublicKey(),
 		CertificateFormat: constants.CertificateFormatStandard,
 		Identity: sshca.Identity{
-			Username:      "alice",
-			AllowedLogins: []string{"does-not-matter"},
-			GitHubUserID:  "1234567",
-			Traits:        wrappers.Traits{},
-			Roles:         []string{"editor"},
+			Username:     "alice",
+			Principals:   []string{"does-not-matter"},
+			GitHubUserID: "1234567",
+			Traits:       wrappers.Traits{},
+			Roles:        []string{"editor"},
 		},
 	})
 	require.NoError(t, err)
diff --git a/lib/srv/mock.go b/lib/srv/mock.go
index 548019d2928d6..cda6f938a9dc5 100644
--- a/lib/srv/mock.go
+++ b/lib/srv/mock.go
@@ -47,6 +47,7 @@ import (
 	rsession "github.com/gravitational/teleport/lib/session"
 	"github.com/gravitational/teleport/lib/sshutils"
 	"github.com/gravitational/teleport/lib/utils"
+	"github.com/gravitational/teleport/lib/utils/clocki"
 )
 
 func newTestServerContext(t *testing.T, srv Server, roleSet services.RoleSet) *ServerContext {
@@ -159,7 +160,7 @@ type mockServer struct {
 	datadir   string
 	auth      *auth.Server
 	component string
-	clock     clockwork.FakeClock
+	clock     clocki.FakeClock
 	bpf       bpf.BPF
 }
 
diff --git a/lib/srv/monitor.go b/lib/srv/monitor.go
index 8381c6e8bde4a..9eecd497b60dc 100644
--- a/lib/srv/monitor.go
+++ b/lib/srv/monitor.go
@@ -238,6 +238,8 @@ type MonitorConfig struct {
 	Logger *slog.Logger
 	// IdleTimeoutMessage is sent to the client when the idle timeout expires.
 	IdleTimeoutMessage string
+	// CertificateExpiredMessage is sent to the client when the certificate expires.
+	CertificateExpiredMessage string
 	// MessageWriter wraps a channel to send text messages to the client. Use
 	// for disconnection messages, etc.
 	MessageWriter io.StringWriter
@@ -417,6 +419,15 @@ func (w *Monitor) start(lockWatch types.Watcher) {
 
 func (w *Monitor) disconnectClientOnExpiredCert() {
 	reason := fmt.Sprintf("client certificate expired at %v", w.Clock.Now().UTC())
+	if w.MessageWriter != nil {
+		msg := w.CertificateExpiredMessage
+		if msg == "" {
+			msg = reason
+		}
+		if _, err := w.MessageWriter.WriteString(msg); err != nil {
+			w.Logger.WarnContext(w.Context, "Failed to send certificate expiration message", "error", err)
+		}
+	}
 	w.disconnectClient(reason)
 }
 
diff --git a/lib/srv/regular/sshserver_test.go b/lib/srv/regular/sshserver_test.go
index 2ae622fbfff40..b79149f4ebeb7 100644
--- a/lib/srv/regular/sshserver_test.go
+++ b/lib/srv/regular/sshserver_test.go
@@ -114,7 +114,7 @@ type sshTestFixture struct {
 	up      *upack
 	signer  ssh.Signer
 	user    string
-	clock   clockwork.FakeClock
+	clock   *clockwork.FakeClock
 	testSrv *auth.TestServer
 }
 
diff --git a/lib/srv/statichostuser_test.go b/lib/srv/statichostuser_test.go
index 9db961118a4a4..4958f27cd52a3 100644
--- a/lib/srv/statichostuser_test.go
+++ b/lib/srv/statichostuser_test.go
@@ -126,13 +126,13 @@ func (m *mockHostSudoers) WriteSudoers(name string, sudoers []string) error {
 	return nil
 }
 
-type eventSender func(ctx context.Context, events *mockEvents, clock clockwork.FakeClock) error
+type eventSender func(ctx context.Context, events *mockEvents, clock *clockwork.FakeClock) error
 
 func TestStaticHostUserHandler(t *testing.T) {
 	t.Parallel()
 
 	sendEvents := func(eventList []types.Event) eventSender {
-		return func(ctx context.Context, events *mockEvents, clock clockwork.FakeClock) error {
+		return func(ctx context.Context, events *mockEvents, clock *clockwork.FakeClock) error {
 			for _, event := range eventList {
 				select {
 				case events.events <- event:
@@ -291,7 +291,7 @@ func TestStaticHostUserHandler(t *testing.T) {
 		},
 		{
 			name: "restart on watcher init failure",
-			sendEvents: func(ctx context.Context, events *mockEvents, clock clockwork.FakeClock) error {
+			sendEvents: func(ctx context.Context, events *mockEvents, clock *clockwork.FakeClock) error {
 				// Wait until the handler is waiting for an init event.
 				clock.BlockUntil(1)
 				// Send a wrong event type first, which will cause the handler to fail and restart.
@@ -342,7 +342,7 @@ func TestStaticHostUserHandler(t *testing.T) {
 		},
 		{
 			name: "restart on watcher timeout failure",
-			sendEvents: func(ctx context.Context, events *mockEvents, clock clockwork.FakeClock) error {
+			sendEvents: func(ctx context.Context, events *mockEvents, clock *clockwork.FakeClock) error {
 				// Force a timeout on waiting for the init event.
 				clock.BlockUntil(1)
 				clock.Advance(staticHostUserWatcherTimeout)
diff --git a/lib/sshca/identity.go b/lib/sshca/identity.go
index 19f40bfdf336d..32e1ad5f8ffb8 100644
--- a/lib/sshca/identity.go
+++ b/lib/sshca/identity.go
@@ -35,22 +35,39 @@ import (
 	"github.com/gravitational/teleport/api/types/wrappers"
 	"github.com/gravitational/teleport/api/utils/keys"
 	"github.com/gravitational/teleport/lib/services"
+	"github.com/gravitational/teleport/lib/utils"
 )
 
 // Identity is a user identity. All identity fields map directly to an ssh certificate field.
 type Identity struct {
+
+	// --- common identity fields ---
+
 	// ValidAfter is the unix timestamp that marks the start time for when the certificate should
 	// be considered valid.
 	ValidAfter uint64
 	// ValidBefore is the unix timestamp that marks the end time for when the certificate should
 	// be considered valid.
 	ValidBefore uint64
+	// CertType indicates what type of cert this is (user or host).
+	CertType uint32
+	// Principals is the list of SSH principals associated with the certificate (this means the
+	// list of allowed unix logins in the case of user certs).
+	Principals []string
+
+	// --- host identity fields ---
+
+	// ClusterName is the name of the cluster within which a node lives
+	ClusterName string
+	// SystemRole identifies the system role of a Teleport instance
+	SystemRole types.SystemRole
+
+	// -- user identity fields ---
+
 	// Username is teleport username
 	Username string
 	// Impersonator is set when a user requests certificate for another user
 	Impersonator string
-	// AllowedLogins is a list of SSH principals
-	AllowedLogins []string
 	// PermitX11Forwarding permits X11 forwarding for this cert
 	PermitX11Forwarding bool
 	// PermitAgentForwarding permits agent forwarding for this cert
@@ -67,7 +84,7 @@ type Identity struct {
 	Traits wrappers.Traits
 	// ActiveRequests tracks privilege escalation requests applied during
 	// certificate construction.
-	ActiveRequests services.RequestIDs
+	ActiveRequests []string
 	// MFAVerified is the UUID of an MFA device when this Identity was
 	// confirmed immediately after an MFA check.
 	MFAVerified string
@@ -100,7 +117,7 @@ type Identity struct {
 	// Machine ID bot. It is empty for human users.
 	BotInstanceID string
 	// AllowedResourceIDs lists the resources the user should be able to access.
-	AllowedResourceIDs string
+	AllowedResourceIDs []types.ResourceID
 	// ConnectionDiagnosticID references the ConnectionDiagnostic that we should use to append traces when testing a Connection.
 	ConnectionDiagnosticID string
 	// PrivateKeyPolicy is the private key policy supported by this certificate.
@@ -120,15 +137,6 @@ type Identity struct {
 	GitHubUsername string
 }
 
-// Check performs validation of certain fields in the identity.
-func (i *Identity) Check() error {
-	if len(i.AllowedLogins) == 0 {
-		return trace.BadParameter("ssh user identity missing allowed logins")
-	}
-
-	return nil
-}
-
 // Encode encodes the identity into an ssh certificate. Note that the returned certificate is incomplete
 // and must be have its public key set before signing.
 func (i *Identity) Encode(certFormat string) (*ssh.Certificate, error) {
@@ -140,18 +148,38 @@ func (i *Identity) Encode(certFormat string) (*ssh.Certificate, error) {
 	if validAfter == 0 {
 		validAfter = uint64(time.Now().UTC().Add(-1 * time.Minute).Unix())
 	}
+
+	if i.CertType == 0 {
+		return nil, trace.BadParameter("cannot encode ssh identity missing required field CertType")
+	}
+
 	cert := &ssh.Certificate{
 		// we have to use key id to identify teleport user
 		KeyId:           i.Username,
-		ValidPrincipals: i.AllowedLogins,
+		ValidPrincipals: i.Principals,
 		ValidAfter:      validAfter,
 		ValidBefore:     validBefore,
-		CertType:        ssh.UserCert,
+		CertType:        i.CertType,
+	}
+
+	cert.Permissions.Extensions = make(map[string]string)
+
+	if i.CertType == ssh.UserCert {
+		cert.Permissions.Extensions[teleport.CertExtensionPermitPTY] = ""
+	}
+
+	// --- host extensions ---
+
+	if sr := i.SystemRole.String(); sr != "" {
+		cert.Permissions.Extensions[utils.CertExtensionRole] = sr
 	}
-	cert.Permissions.Extensions = map[string]string{
-		teleport.CertExtensionPermitPTY: "",
+
+	if i.ClusterName != "" {
+		cert.Permissions.Extensions[utils.CertExtensionAuthority] = i.ClusterName
 	}
 
+	// --- user extensions ---
+
 	if i.PermitX11Forwarding {
 		cert.Permissions.Extensions[teleport.CertExtensionPermitX11Forwarding] = ""
 	}
@@ -188,8 +216,12 @@ func (i *Identity) Encode(certFormat string) (*ssh.Certificate, error) {
 	if i.BotInstanceID != "" {
 		cert.Permissions.Extensions[teleport.CertExtensionBotInstanceID] = i.BotInstanceID
 	}
-	if i.AllowedResourceIDs != "" {
-		cert.Permissions.Extensions[teleport.CertExtensionAllowedResources] = i.AllowedResourceIDs
+	if len(i.AllowedResourceIDs) != 0 {
+		requestedResourcesStr, err := types.ResourceIDsToString(i.AllowedResourceIDs)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+		cert.Permissions.Extensions[teleport.CertExtensionAllowedResources] = requestedResourcesStr
 	}
 	if i.ConnectionDiagnosticID != "" {
 		cert.Permissions.Extensions[teleport.CertExtensionConnectionDiagnosticID] = i.ConnectionDiagnosticID
@@ -257,8 +289,11 @@ func (i *Identity) Encode(certFormat string) (*ssh.Certificate, error) {
 		if i.RouteToCluster != "" {
 			cert.Permissions.Extensions[teleport.CertExtensionTeleportRouteToCluster] = i.RouteToCluster
 		}
-		if !i.ActiveRequests.IsEmpty() {
-			requests, err := i.ActiveRequests.Marshal()
+		if len(i.ActiveRequests) != 0 {
+			reqs := services.RequestIDs{
+				AccessRequests: i.ActiveRequests,
+			}
+			requests, err := reqs.Marshal()
 			if err != nil {
 				return nil, trace.Wrap(err)
 			}
@@ -271,14 +306,12 @@ func (i *Identity) Encode(certFormat string) (*ssh.Certificate, error) {
 
 // DecodeIdentity decodes an ssh certificate into an identity.
 func DecodeIdentity(cert *ssh.Certificate) (*Identity, error) {
-	if cert.CertType != ssh.UserCert {
-		return nil, trace.BadParameter("DecodeIdentity intended for use with user certs, got %v", cert.CertType)
-	}
 	ident := &Identity{
-		Username:      cert.KeyId,
-		AllowedLogins: cert.ValidPrincipals,
-		ValidAfter:    cert.ValidAfter,
-		ValidBefore:   cert.ValidBefore,
+		Username:    cert.KeyId,
+		Principals:  cert.ValidPrincipals,
+		ValidAfter:  cert.ValidAfter,
+		ValidBefore: cert.ValidBefore,
+		CertType:    cert.CertType,
 	}
 
 	// clone the extension map and remove entries from the clone as they are processed so
@@ -304,9 +337,19 @@ func DecodeIdentity(cert *ssh.Certificate) (*Identity, error) {
 		return ok
 	}
 
-	// ignore the permit pty extension, it's always set
+	// ignore the permit pty extension, teleport considers this permission implied for all users
 	_, _ = takeExtension(teleport.CertExtensionPermitPTY)
 
+	// --- host extensions ---
+
+	if v, ok := takeExtension(utils.CertExtensionRole); ok {
+		ident.SystemRole = types.SystemRole(v)
+	}
+
+	ident.ClusterName = takeValue(utils.CertExtensionAuthority)
+
+	// --- user extensions ---
+
 	ident.PermitX11Forwarding = takeBool(teleport.CertExtensionPermitX11Forwarding)
 	ident.PermitAgentForwarding = takeBool(teleport.CertExtensionPermitAgentForwarding)
 	ident.PermitPortForwarding = takeBool(teleport.CertExtensionPermitPortForwarding)
@@ -335,7 +378,15 @@ func DecodeIdentity(cert *ssh.Certificate) (*Identity, error) {
 
 	ident.BotName = takeValue(teleport.CertExtensionBotName)
 	ident.BotInstanceID = takeValue(teleport.CertExtensionBotInstanceID)
-	ident.AllowedResourceIDs = takeValue(teleport.CertExtensionAllowedResources)
+
+	if v, ok := takeExtension(teleport.CertExtensionAllowedResources); ok {
+		resourceIDs, err := types.ResourceIDsFromString(v)
+		if err != nil {
+			return nil, trace.BadParameter("failed to parse value %q for extension %q as resource IDs: %v", v, teleport.CertExtensionAllowedResources, err)
+		}
+		ident.AllowedResourceIDs = resourceIDs
+	}
+
 	ident.ConnectionDiagnosticID = takeValue(teleport.CertExtensionConnectionDiagnosticID)
 	ident.PrivateKeyPolicy = keys.PrivateKeyPolicy(takeValue(teleport.CertExtensionPrivateKeyPolicy))
 	ident.DeviceID = takeValue(teleport.CertExtensionDeviceID)
@@ -371,11 +422,11 @@ func DecodeIdentity(cert *ssh.Certificate) (*Identity, error) {
 	ident.RouteToCluster = takeValue(teleport.CertExtensionTeleportRouteToCluster)
 
 	if v, ok := takeExtension(teleport.CertExtensionTeleportActiveRequests); ok {
-		var requests services.RequestIDs
-		if err := requests.Unmarshal([]byte(v)); err != nil {
+		var reqs services.RequestIDs
+		if err := reqs.Unmarshal([]byte(v)); err != nil {
 			return nil, trace.BadParameter("failed to unmarshal value %q for extension %q as active requests: %v", v, teleport.CertExtensionTeleportActiveRequests, err)
 		}
-		ident.ActiveRequests = requests
+		ident.ActiveRequests = reqs.AccessRequests
 	}
 
 	// aggregate all remaining extensions into the CertificateExtensions field
diff --git a/lib/sshca/identity_test.go b/lib/sshca/identity_test.go
index 5c7c6db75b3e8..ef5b721f993a4 100644
--- a/lib/sshca/identity_test.go
+++ b/lib/sshca/identity_test.go
@@ -26,31 +26,32 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/require"
+	"golang.org/x/crypto/ssh"
 
 	"github.com/gravitational/teleport/api/constants"
 	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/api/types/wrappers"
 	"github.com/gravitational/teleport/api/utils/keys"
-	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/utils/testutils"
 )
 
 func TestIdentityConversion(t *testing.T) {
 	ident := &Identity{
-		ValidAfter:            1,
-		ValidBefore:           2,
-		Username:              "user",
-		Impersonator:          "impersonator",
-		AllowedLogins:         []string{"login1", "login2"},
-		PermitX11Forwarding:   true,
-		PermitAgentForwarding: true,
-		PermitPortForwarding:  true,
-		Roles:                 []string{"role1", "role2"},
-		RouteToCluster:        "cluster",
-		Traits:                wrappers.Traits{"trait1": []string{"value1"}, "trait2": []string{"value2"}},
-		ActiveRequests: services.RequestIDs{
-			AccessRequests: []string{uuid.NewString()},
-		},
+		ValidAfter:              1,
+		ValidBefore:             2,
+		CertType:                ssh.UserCert,
+		ClusterName:             "some-cluster",
+		SystemRole:              types.RoleNode,
+		Username:                "user",
+		Impersonator:            "impersonator",
+		Principals:              []string{"login1", "login2"},
+		PermitX11Forwarding:     true,
+		PermitAgentForwarding:   true,
+		PermitPortForwarding:    true,
+		Roles:                   []string{"role1", "role2"},
+		RouteToCluster:          "cluster",
+		Traits:                  wrappers.Traits{"trait1": []string{"value1"}, "trait2": []string{"value2"}},
+		ActiveRequests:          []string{uuid.NewString()},
 		MFAVerified:             "mfa",
 		PreviousIdentityExpires: time.Unix(12345, 0),
 		LoginIP:                 "127.0.0.1",
@@ -62,11 +63,16 @@ func TestIdentityConversion(t *testing.T) {
 			Type:  types.CertExtensionType_SSH,
 			Mode:  types.CertExtensionMode_EXTENSION,
 		}},
-		Renewable:              true,
-		Generation:             3,
-		BotName:                "bot",
-		BotInstanceID:          "instance",
-		AllowedResourceIDs:     "resource",
+		Renewable:     true,
+		Generation:    3,
+		BotName:       "bot",
+		BotInstanceID: "instance",
+		AllowedResourceIDs: []types.ResourceID{{
+			ClusterName:     "cluster",
+			Kind:            types.KindKubePod, // must use a kube resource kind for parsing of sub-resource to work correctly
+			Name:            "name",
+			SubResourceName: "sub/sub",
+		}},
 		ConnectionDiagnosticID: "diag",
 		PrivateKeyPolicy:       keys.PrivateKeyPolicy("policy"),
 		DeviceID:               "device",
@@ -83,6 +89,9 @@ func TestIdentityConversion(t *testing.T) {
 		"CertExtension.XXX_NoUnkeyedLiteral",
 		"CertExtension.XXX_unrecognized",
 		"CertExtension.XXX_sizecache",
+		"ResourceID.XXX_NoUnkeyedLiteral",
+		"ResourceID.XXX_unrecognized",
+		"ResourceID.XXX_sizecache",
 	}
 
 	require.True(t, testutils.ExhaustiveNonEmpty(ident, ignores...), "empty=%+v", testutils.FindAllEmpty(ident, ignores...))
diff --git a/lib/sshca/sshca.go b/lib/sshca/sshca.go
index 15f5dcf6c1aeb..95f3c1fb7a17e 100644
--- a/lib/sshca/sshca.go
+++ b/lib/sshca/sshca.go
@@ -26,7 +26,6 @@ import (
 	"golang.org/x/crypto/ssh"
 
 	apidefaults "github.com/gravitational/teleport/api/defaults"
-	"github.com/gravitational/teleport/lib/services"
 )
 
 // Authority implements minimal key-management facility for generating OpenSSH
@@ -35,13 +34,54 @@ type Authority interface {
 	// GenerateHostCert takes the private key of the CA, public key of the new host,
 	// along with metadata (host ID, node name, cluster name, roles, and ttl) and generates
 	// a host certificate.
-	GenerateHostCert(certParams services.HostCertParams) ([]byte, error)
+	GenerateHostCert(HostCertificateRequest) ([]byte, error)
 
 	// GenerateUserCert generates user ssh certificate, it takes pkey as a signing
 	// private key (user certificate authority)
 	GenerateUserCert(UserCertificateRequest) ([]byte, error)
 }
 
+// HostCertificateRequest is a request to generate a new ssh host certificate.
+type HostCertificateRequest struct {
+	// CASigner is the signer that will sign the public key of the host with the CA private key
+	CASigner ssh.Signer
+	// PublicHostKey is the public key of the host
+	PublicHostKey []byte
+	// HostID is used by Teleport to uniquely identify a node within a cluster (this is used to help infill
+	// Identity.Princiapals and is not a standalone cert field).
+	HostID string
+	// NodeName is the DNS name of the node (this is used to help infill Identity.Princiapals and is not a
+	// standalone cert field).
+	NodeName string
+	// TTL defines how long a certificate is valid for
+	TTL time.Duration
+	// Identity is the host identity to be encoded in the certificate.
+	Identity Identity
+}
+
+func (r *HostCertificateRequest) Check() error {
+	if r.CASigner == nil {
+		return trace.BadParameter("ssh host certificate request missing ca signer")
+	}
+	if r.HostID == "" && len(r.Identity.Principals) == 0 {
+		return trace.BadParameter("ssh host certificate request missing host ID and principals")
+	}
+	if r.Identity.ClusterName == "" {
+		return trace.BadParameter("ssh host certificate request missing cluster name")
+	}
+	if r.Identity.ValidBefore != 0 {
+		return trace.BadParameter("ValidBefore should not be set in host cert requests (derived from TTL)")
+	}
+	if r.Identity.ValidAfter != 0 {
+		return trace.BadParameter("ValidAfter should not be set in host cert requests (derived from TTL)")
+	}
+	if err := r.Identity.SystemRole.Check(); err != nil {
+		return trace.Wrap(err)
+	}
+
+	return nil
+}
+
 // UserCertificateRequest is a request to generate a new ssh user certificate.
 type UserCertificateRequest struct {
 	// CASigner is the signer that will sign the public key of the user with the CA private key
@@ -64,8 +104,14 @@ func (r *UserCertificateRequest) CheckAndSetDefaults() error {
 	if r.TTL < apidefaults.MinCertDuration {
 		r.TTL = apidefaults.MinCertDuration
 	}
-	if err := r.Identity.Check(); err != nil {
-		return trace.Wrap(err)
+	if len(r.Identity.Principals) == 0 {
+		return trace.BadParameter("ssh user identity missing allowed logins")
+	}
+	if r.Identity.ValidBefore != 0 {
+		return trace.BadParameter("ValidBefore should not be set in user cert requests (derived from TTL)")
+	}
+	if r.Identity.ValidAfter != 0 {
+		return trace.BadParameter("ValidAfter should not be set in user cert requests (derived from TTL)")
 	}
 
 	return nil
diff --git a/lib/teleterm/vnet/service.go b/lib/teleterm/vnet/service.go
index 391f69a4fb48e..4eb8a9ecbb17b 100644
--- a/lib/teleterm/vnet/service.go
+++ b/lib/teleterm/vnet/service.go
@@ -29,12 +29,11 @@ import (
 	"google.golang.org/protobuf/types/known/timestamppb"
 
 	"github.com/gravitational/teleport"
-	"github.com/gravitational/teleport/api/client/proto"
-	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/api/utils"
 	prehogv1alpha "github.com/gravitational/teleport/gen/proto/go/prehog/v1alpha"
 	apiteleterm "github.com/gravitational/teleport/gen/proto/go/teleport/lib/teleterm/v1"
 	api "github.com/gravitational/teleport/gen/proto/go/teleport/lib/teleterm/vnet/v1"
+	vnetv1 "github.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/v1"
 	"github.com/gravitational/teleport/lib/client"
 	"github.com/gravitational/teleport/lib/teleterm/api/uri"
 	"github.com/gravitational/teleport/lib/teleterm/clusteridcache"
@@ -73,7 +72,8 @@ func New(cfg Config) (*Service, error) {
 	}
 
 	return &Service{
-		cfg: cfg,
+		cfg:                cfg,
+		clusterConfigCache: vnet.NewClusterConfigCache(cfg.Clock),
 	}, nil
 }
 
@@ -125,7 +125,7 @@ func (s *Service) Start(ctx context.Context, req *api.StartRequest) (*api.StartR
 		return nil, trace.AlreadyExists("VNet is already running")
 	}
 
-	appProvider := &appProvider{
+	clientApplication := &clientApplication{
 		daemonService:      s.cfg.DaemonService,
 		insecureSkipVerify: s.cfg.InsecureSkipVerify,
 		usageReporter:      &disabledTelemetryUsageReporter{},
@@ -156,13 +156,11 @@ func (s *Service) Start(ctx context.Context, req *api.StartRequest) (*api.StartR
 				usageReporter.Stop()
 			}
 		}()
-		appProvider.usageReporter = usageReporter
+		clientApplication.usageReporter = usageReporter
 	}
 
-	s.clusterConfigCache = vnet.NewClusterConfigCache(s.cfg.Clock)
 	processManager, err := vnet.RunUserProcess(ctx, &vnet.UserProcessConfig{
-		AppProvider:        appProvider,
-		ClusterConfigCache: s.clusterConfigCache,
+		ClientApplication: clientApplication,
 	})
 	if err != nil {
 		return nil, trace.Wrap(err)
@@ -196,7 +194,7 @@ func (s *Service) Start(ctx context.Context, req *api.StartRequest) (*api.StartR
 	}()
 
 	s.processManager = processManager
-	s.usageReporter = appProvider.usageReporter
+	s.usageReporter = clientApplication.usageReporter
 	s.status = statusRunning
 	return &api.StartResponse{}, nil
 }
@@ -355,31 +353,33 @@ func (s *Service) reportUnexpectedShutdown(ctx context.Context, shutdownErr erro
 	return trace.Wrap(err, "sending shutdown report")
 }
 
-type appProvider struct {
+type clientApplication struct {
 	daemonService      *daemon.Service
 	usageReporter      usageReporter
 	insecureSkipVerify bool
 }
 
-func (p *appProvider) ListProfiles() ([]string, error) {
+func (p *clientApplication) ListProfiles() ([]string, error) {
 	profiles, err := p.daemonService.ListProfileNames()
 	return profiles, trace.Wrap(err)
 }
 
-func (p *appProvider) GetCachedClient(ctx context.Context, profileName, leafClusterName string) (vnet.ClusterClient, error) {
+func (p *clientApplication) GetCachedClient(ctx context.Context, profileName, leafClusterName string) (vnet.ClusterClient, error) {
 	return p.getCachedClient(ctx, profileName, leafClusterName)
 }
 
-func (p *appProvider) getCachedClient(ctx context.Context, profileName, leafClusterName string) (*client.ClusterClient, error) {
+func (p *clientApplication) getCachedClient(ctx context.Context, profileName, leafClusterName string) (*client.ClusterClient, error) {
 	uri := uri.NewClusterURI(profileName).AppendLeafCluster(leafClusterName)
 	client, err := p.daemonService.GetCachedClient(ctx, uri)
 	return client, trace.Wrap(err)
 }
 
-func (p *appProvider) ReissueAppCert(ctx context.Context, profileName, leafClusterName string, routeToApp proto.RouteToApp) (tls.Certificate, error) {
-	clusterURI := uri.NewClusterURI(profileName).AppendLeafCluster(leafClusterName)
-	appURI := clusterURI.AppendApp(routeToApp.Name)
+func (p *clientApplication) ReissueAppCert(ctx context.Context, appInfo *vnetv1.AppInfo, targetPort uint16) (tls.Certificate, error) {
+	appKey := appInfo.GetAppKey()
+	clusterURI := uri.NewClusterURI(appKey.GetProfile()).AppendLeafCluster(appKey.GetLeafCluster())
+	appURI := clusterURI.AppendApp(appKey.GetName())
 
+	routeToApp := vnet.RouteToApp(appInfo, targetPort)
 	apiteletermRouteToApp := apiteleterm.RouteToApp{
 		Name:        routeToApp.Name,
 		PublicAddr:  routeToApp.PublicAddr,
@@ -411,7 +411,7 @@ func (p *appProvider) ReissueAppCert(ctx context.Context, profileName, leafClust
 			return trace.Wrap(err)
 		}
 
-		cert, err = cluster.ReissueAppCert(ctx, client, routeToApp)
+		cert, err = cluster.ReissueAppCert(ctx, client, *routeToApp)
 		return trace.Wrap(err)
 	}
 
@@ -441,19 +441,19 @@ func (p *appProvider) ReissueAppCert(ctx context.Context, profileName, leafClust
 }
 
 // GetDialOptions returns ALPN dial options for the profile.
-func (p *appProvider) GetDialOptions(ctx context.Context, profileName string) (*vnet.DialOptions, error) {
+func (p *clientApplication) GetDialOptions(ctx context.Context, profileName string) (*vnetv1.DialOptions, error) {
 	cluster, tc, err := p.daemonService.ResolveClusterURI(uri.NewClusterURI(profileName))
 	if err != nil {
 		return nil, trace.Wrap(err, "resolving cluster by URI")
 	}
 
-	dialOpts := &vnet.DialOptions{
+	dialOpts := &vnetv1.DialOptions{
 		WebProxyAddr:            cluster.GetProxyHost(),
-		ALPNConnUpgradeRequired: tc.TLSRoutingConnUpgradeRequired,
+		AlpnConnUpgradeRequired: tc.TLSRoutingConnUpgradeRequired,
 		InsecureSkipVerify:      p.insecureSkipVerify,
 	}
-	if dialOpts.ALPNConnUpgradeRequired {
-		dialOpts.RootClusterCACertPool, err = tc.RootClusterCACertPool(ctx)
+	if dialOpts.AlpnConnUpgradeRequired {
+		dialOpts.RootClusterCaCertPool, err = tc.RootClusterCACertPoolPEM(ctx)
 		if err != nil {
 			return nil, trace.Wrap(err, "loading root cluster CA cert pool")
 		}
@@ -461,15 +461,15 @@ func (p *appProvider) GetDialOptions(ctx context.Context, profileName string) (*
 	return dialOpts, nil
 }
 
-// OnNewConnection submits a usage event once per appProvider lifetime.
+// OnNewConnection submits a usage event once per clientApplication lifetime.
 // That is, if a user makes multiple connections to a single app, OnNewConnection submits a single
 // event. This is to mimic how Connect submits events for its app gateways. This lets us compare
 // popularity of VNet and app gateways.
-func (p *appProvider) OnNewConnection(ctx context.Context, profileName, leafClusterName string, routeToApp proto.RouteToApp) error {
+func (p *clientApplication) OnNewConnection(ctx context.Context, appKey *vnetv1.AppKey) error {
 	// Enqueue the event from a separate goroutine since we don't care about errors anyway and we also
 	// don't want to slow down VNet connections.
 	go func() {
-		uri := uri.NewClusterURI(profileName).AppendLeafCluster(leafClusterName).AppendApp(routeToApp.Name)
+		uri := uri.NewClusterURI(appKey.GetProfile()).AppendLeafCluster(appKey.GetLeafCluster()).AppendApp(appKey.GetName())
 
 		// Not passing ctx to ReportApp since ctx is tied to the lifetime of the connection.
 		// If it's a short-lived connection, inheriting its context would interrupt reporting.
@@ -484,13 +484,17 @@ func (p *appProvider) OnNewConnection(ctx context.Context, profileName, leafClus
 
 // OnInvalidLocalPort gets called before VNet refuses to handle a connection to a multi-port TCP app
 // because the provided port does not match any of the TCP ports in the app spec.
-func (p *appProvider) OnInvalidLocalPort(ctx context.Context, profileName, leafClusterName string, routeToApp proto.RouteToApp, tcpPorts types.PortRanges) {
+func (p *clientApplication) OnInvalidLocalPort(ctx context.Context, appInfo *vnetv1.AppInfo, targetPort uint16) {
 	// If something is wrong with the Electron app to the point that it stopped accepting RPCs, return
 	// quickly rather than being blocked on sending a notification.
 	ctx, cancel := context.WithTimeout(ctx, 2*time.Second)
 	defer cancel()
 
-	appURI := uri.NewClusterURI(profileName).AppendLeafCluster(leafClusterName).AppendApp(routeToApp.Name)
+	appKey := appInfo.GetAppKey()
+	appURI := uri.NewClusterURI(appKey.GetProfile()).
+		AppendLeafCluster(appKey.GetLeafCluster()).
+		AppendApp(appKey.GetName())
+	routeToApp := vnet.RouteToApp(appInfo, targetPort)
 	apiteletermRouteToApp := apiteleterm.RouteToApp{
 		Name:        routeToApp.Name,
 		PublicAddr:  routeToApp.PublicAddr,
@@ -502,6 +506,7 @@ func (p *appProvider) OnInvalidLocalPort(ctx context.Context, profileName, leafC
 	invalidLocalPort := &apiteleterm.InvalidLocalPort{}
 	// Send ports only if there's less than 10 ranges. A bigger number would be difficult to show in
 	// the UI.
+	tcpPorts := appInfo.GetApp().GetTCPPorts()
 	if len(tcpPorts) <= 10 {
 		apiTCPPorts := make([]*apiteleterm.PortRange, 0, len(tcpPorts))
 		for _, portRange := range tcpPorts {
@@ -523,7 +528,10 @@ func (p *appProvider) OnInvalidLocalPort(ctx context.Context, profileName, leafC
 	})
 	if err != nil {
 		log.ErrorContext(ctx, "Could not notify the Electron app about invalid local port",
-			"notify_error", err, "profile_name", profileName, "leaf_cluster_name", leafClusterName, "route_to_app", routeToApp)
+			"notify_error", err,
+			"profile_name", appKey.GetProfile(),
+			"leaf_cluster_name", appKey.GetLeafCluster(),
+			"route_to_app", routeToApp)
 	}
 }
 
diff --git a/lib/usagereporter/usagereporter_test.go b/lib/usagereporter/usagereporter_test.go
index cbb6c667b794b..deeb36c404cb2 100644
--- a/lib/usagereporter/usagereporter_test.go
+++ b/lib/usagereporter/usagereporter_test.go
@@ -66,7 +66,7 @@ func newFailingSubmitter(size int) (SubmitFunc[TestEvent], chan []*SubmittedEven
 // newTestingUsageReporter creates a new usage reporter that can be used in
 // tests.
 func newTestingUsageReporter(
-	clock clockwork.FakeClock, submitClock clockwork.FakeClock,
+	clock *clockwork.FakeClock, submitClock *clockwork.FakeClock,
 	submitter SubmitFunc[TestEvent],
 ) (*UsageReporter[TestEvent], context.CancelFunc, chan struct{}) {
 	ctx, cancel := context.WithCancel(context.Background())
@@ -122,7 +122,7 @@ func compareUsageEvents(t *testing.T, reporter *UsageReporter[TestEvent], inputs
 }
 
 // advanceClocks advances all the given clocks by the same duration
-func advanceClocks(dur time.Duration, clocks ...clockwork.FakeClock) {
+func advanceClocks(dur time.Duration, clocks ...*clockwork.FakeClock) {
 	for _, c := range clocks {
 		c.Advance(dur)
 	}
diff --git a/lib/utils/cli.go b/lib/utils/cli.go
index b79c90873db27..1c2e0c68928a7 100644
--- a/lib/utils/cli.go
+++ b/lib/utils/cli.go
@@ -117,8 +117,10 @@ var initTestLoggerOnce = sync.Once{}
 // InitLoggerForTests initializes the standard logger for tests.
 func InitLoggerForTests() {
 	initTestLoggerOnce.Do(func() {
-		// Parse flags to check testing.Verbose().
-		flag.Parse()
+		if !flag.Parsed() {
+			// Parse flags to check testing.Verbose().
+			flag.Parse()
+		}
 
 		if !testing.Verbose() {
 			slog.SetDefault(slog.New(logutils.DiscardHandler{}))
diff --git a/lib/utils/clocki/advance.go b/lib/utils/clocki/advance.go
new file mode 100644
index 0000000000000..12cb83baba172
--- /dev/null
+++ b/lib/utils/clocki/advance.go
@@ -0,0 +1,31 @@
+// Teleport
+// Copyright (C) 2025 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package clocki
+
+import (
+	"time"
+
+	"github.com/jonboulle/clockwork"
+)
+
+// Advance attempts to advance an underlying fake clock.
+// It's a noop on real clocks.
+func Advance(clock clockwork.Clock, d time.Duration) {
+	if c, ok := clock.(interface{ Advance(time.Duration) }); ok {
+		c.Advance(d)
+	}
+}
diff --git a/lib/utils/clocki/doc.go b/lib/utils/clocki/doc.go
new file mode 100644
index 0000000000000..1d100b81bc4a0
--- /dev/null
+++ b/lib/utils/clocki/doc.go
@@ -0,0 +1,19 @@
+// Teleport
+// Copyright (C) 2025 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+// Package clocki holds interfaces and utilities to deal with clockwork that
+// are resilient to its breaking changes.
+package clocki
diff --git a/lib/utils/clocki/fake_clock.go b/lib/utils/clocki/fake_clock.go
new file mode 100644
index 0000000000000..f0be42cb32dfa
--- /dev/null
+++ b/lib/utils/clocki/fake_clock.go
@@ -0,0 +1,35 @@
+// Teleport
+// Copyright (C) 2025 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package clocki
+
+import (
+	"time"
+
+	"github.com/jonboulle/clockwork"
+)
+
+// FakeClock duplicates its namesake interface as defined by clockwork versions
+// prior to v0.5.0.
+type FakeClock interface {
+	clockwork.Clock
+
+	// Advance advances the FakeClock to a new point in time, ensuring any existing
+	// waiters are notified appropriately before returning.
+	Advance(d time.Duration)
+	// BlockUntil blocks until the FakeClock has the given number of waiters.
+	BlockUntil(waiters int)
+}
diff --git a/lib/utils/diagnostics/latency/monitor_test.go b/lib/utils/diagnostics/latency/monitor_test.go
index 48da369d7472b..4e2afcbde4464 100644
--- a/lib/utils/diagnostics/latency/monitor_test.go
+++ b/lib/utils/diagnostics/latency/monitor_test.go
@@ -38,7 +38,7 @@ func TestMain(m *testing.M) {
 }
 
 type fakePinger struct {
-	clock   clockwork.FakeClock
+	clock   *clockwork.FakeClock
 	latency time.Duration
 	pingC   chan struct{}
 }
diff --git a/lib/vnet/app_resolver.go b/lib/vnet/app_resolver.go
index bf2485cd60dbb..ca74f2f90fda2 100644
--- a/lib/vnet/app_resolver.go
+++ b/lib/vnet/app_resolver.go
@@ -17,12 +17,9 @@
 package vnet
 
 import (
-	"cmp"
 	"context"
 	"crypto/tls"
 	"crypto/x509"
-	"errors"
-	"fmt"
 	"log/slog"
 	"net"
 	"strings"
@@ -33,298 +30,90 @@ import (
 	"golang.org/x/sync/singleflight"
 
 	"github.com/gravitational/teleport"
-	apiclient "github.com/gravitational/teleport/api/client"
 	"github.com/gravitational/teleport/api/client/proto"
-	"github.com/gravitational/teleport/api/types"
-	"github.com/gravitational/teleport/lib/auth/authclient"
+	vnetv1 "github.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/v1"
 	"github.com/gravitational/teleport/lib/client"
 	"github.com/gravitational/teleport/lib/srv/alpnproxy"
 	alpncommon "github.com/gravitational/teleport/lib/srv/alpnproxy/common"
 )
 
-// AppProvider is an interface providing the necessary methods to log in to apps and get clients able to list
-// apps in all clusters in all current profiles. This should be the minimum necessary interface that needs to
-// be implemented differently for Connect and `tsh vnet`.
-type AppProvider interface {
-	// ListProfiles lists the names of all profiles saved for the user.
-	ListProfiles() ([]string, error)
-
-	// GetCachedClient returns a [*client.ClusterClient] for the given profile and leaf cluster.
-	// [leafClusterName] may be empty when requesting a client for the root cluster. Returned clients are
-	// expected to be cached, as this may be called frequently.
-	GetCachedClient(ctx context.Context, profileName, leafClusterName string) (ClusterClient, error)
-
-	// ReissueAppCert returns a new app certificate for the given app in the named profile and leaf cluster.
-	// Implementations may trigger a re-login to the cluster, but if they do, they MUST clear all cached
-	// clients for that cluster so that new working clients will be returned from [GetCachedClient].
-	ReissueAppCert(ctx context.Context, profileName, leafClusterName string, routeToApp proto.RouteToApp) (tls.Certificate, error)
-
-	// GetDialOptions returns ALPN dial options for the profile.
-	GetDialOptions(ctx context.Context, profileName string) (*DialOptions, error)
-
+// appProvider is an interface for querying app info from an app fqdn, getting
+// certs issued for apps, and reporting connections and errors.
+type appProvider interface {
+	// ResolveAppInfo returns an *AppInfo for the given app fqdn, or an error if
+	// the app is not present in any logged-in cluster.
+	ResolveAppInfo(ctx context.Context, fqdn string) (*vnetv1.AppInfo, error)
+	// ReissueAppCert issues a new cert for the target app.
+	ReissueAppCert(ctx context.Context, appInfo *vnetv1.AppInfo, targetPort uint16) (tls.Certificate, error)
 	// OnNewConnection gets called whenever a new connection is about to be established through VNet.
 	// By the time OnNewConnection, VNet has already verified that the user holds a valid cert for the
 	// app.
 	//
 	// The connection won't be established until OnNewConnection returns. Returning an error prevents
 	// the connection from being made.
-	OnNewConnection(ctx context.Context, profileName, leafClusterName string, routeToApp proto.RouteToApp) error
-
+	OnNewConnection(ctx context.Context, appKey *vnetv1.AppKey) error
 	// OnInvalidLocalPort gets called before VNet refuses to handle a connection to a multi-port TCP app
 	// because the provided port does not match any of the TCP ports in the app spec.
-	OnInvalidLocalPort(ctx context.Context, profileName, leafClusterName string, routeToApp proto.RouteToApp, tcpPorts types.PortRanges)
+	OnInvalidLocalPort(ctx context.Context, appInfo *vnetv1.AppInfo, targetPort uint16)
 }
 
-// ClusterClient is an interface defining the subset of [client.ClusterClient] methods used by [AppProvider].
-type ClusterClient interface {
-	CurrentCluster() authclient.ClientI
-	ClusterName() string
-	RootClusterName() string
-}
-
-// DialOptions holds ALPN dial options for dialing apps.
-type DialOptions struct {
-	// WebProxyAddr is the address to dial.
-	WebProxyAddr string
-	// ALPNConnUpgradeRequired specifies if ALPN connection upgrade is required.
-	ALPNConnUpgradeRequired bool
-	// SNI is a ServerName value set for upstream TLS connection.
-	SNI string
-	// RootClusterCACertPool overrides the x509 certificate pool used to verify the server.
-	RootClusterCACertPool *x509.CertPool
-	// InsecureSkipTLSVerify turns off verification for x509 upstream ALPN proxy service certificate.
-	InsecureSkipVerify bool
-}
-
-// tcpAppResolver implements [tcpHandlerResolver] for Teleport TCP apps.
+// tcpAppResolver implements tcpHandlerResolver for Teleport TCP apps.
 type tcpAppResolver struct {
-	appProvider        AppProvider
-	clusterConfigCache *ClusterConfigCache
-	log                *slog.Logger
-	clock              clockwork.Clock
+	appProvider appProvider
+	log         *slog.Logger
+	clock       clockwork.Clock
 }
 
-// newTCPAppResolver returns a new [*tcpAppResolver] which will resolve full-qualified domain names to
-// [tcpHandler]s that will proxy TCP connection to Teleport TCP apps.
-//
-// It uses [appProvider] to list and retrieve cluster clients which are expected to be cached to avoid
-// repeated/unnecessary dials to the cluster. These clients are then used to list TCP apps that should be
-// handled.
-//
-// [appProvider] is also used to get app certificates used to dial the apps.
-func newTCPAppResolver(appProvider AppProvider, opts ...tcpAppResolverOption) (*tcpAppResolver, error) {
-	r := &tcpAppResolver{
+func newTCPAppResolver(appProvider appProvider, clock clockwork.Clock) *tcpAppResolver {
+	return &tcpAppResolver{
 		appProvider: appProvider,
 		log:         log.With(teleport.ComponentKey, "VNet.AppResolver"),
+		clock:       clock,
 	}
-	for _, opt := range opts {
-		opt(r)
-	}
-	r.clock = cmp.Or(r.clock, clockwork.NewRealClock())
-	r.clusterConfigCache = cmp.Or(r.clusterConfigCache, NewClusterConfigCache(r.clock))
-	return r, nil
 }
 
-type tcpAppResolverOption func(*tcpAppResolver)
-
-// withClock is a functional option to override the default clock (for tests).
-func withClock(clock clockwork.Clock) tcpAppResolverOption {
-	return func(r *tcpAppResolver) {
-		r.clock = clock
-	}
-}
-
-// WithClusterConfigCache is a functional option to override the cluster config cache.
-func WithClusterConfigCache(clusterConfigCache *ClusterConfigCache) tcpAppResolverOption {
-	return func(r *tcpAppResolver) {
-		r.clusterConfigCache = clusterConfigCache
-	}
-}
-
-// resolveTCPHandler resolves a fully-qualified domain name to a [tcpHandlerSpec] for a Teleport TCP app that should
-// be used to handle all future TCP connections to [fqdn].
-// Avoid using [trace.Wrap] on [errNoTCPHandler] to prevent collecting a full stack trace on every unhandled
-// query.
+// resolveTCPHandler resolves a fully-qualified domain name to a tcpHandlerSpec
+// for a Teleport TCP app that should be used to handle all future TCP
+// connections to fqdn.
+//
+// Avoid using [trace.Wrap] on errNoTCPHandler to prevent collecting a full
+// stack trace on every unhandled query.
 func (r *tcpAppResolver) resolveTCPHandler(ctx context.Context, fqdn string) (*tcpHandlerSpec, error) {
-	profileNames, err := r.appProvider.ListProfiles()
-	if err != nil {
-		return nil, trace.Wrap(err, "listing profiles")
-	}
-	for _, profileName := range profileNames {
-		if fqdn == fullyQualify(profileName) {
-			// This is a query for the proxy address, which we'll never want to handle.
-			return nil, errNoTCPHandler
-		}
-
-		clusterClient, err := r.clusterClientForAppFQDN(ctx, profileName, fqdn)
-		if err != nil {
-			if errors.Is(err, errNoMatch) {
-				continue
-			}
-			// The user might be logged out from this one cluster (and retryWithRelogin isn't working). Log
-			// the error but don't return it so that DNS resolution will be forwarded upstream instead of
-			// failing, to avoid breaking e.g. web app access (we don't know if this is a web or TCP app yet
-			// because we can't log in).
-			r.log.ErrorContext(ctx, "Failed to get teleport client.", "error", err)
-			continue
-		}
-
-		leafClusterName := ""
-		clusterName := clusterClient.ClusterName()
-		if clusterName != "" && clusterName != clusterClient.RootClusterName() {
-			leafClusterName = clusterName
-		}
-
-		return r.resolveTCPHandlerForCluster(ctx, clusterClient, profileName, leafClusterName, fqdn)
-	}
-	// fqdn did not match any profile, forward the request upstream.
-	return nil, errNoTCPHandler
-}
-
-var errNoMatch = errors.New("cluster does not match queried FQDN")
-
-func (r *tcpAppResolver) clusterClientForAppFQDN(ctx context.Context, profileName, fqdn string) (ClusterClient, error) {
-	rootClient, err := r.appProvider.GetCachedClient(ctx, profileName, "")
-	if err != nil {
-		r.log.ErrorContext(ctx, "Failed to get root cluster client, apps in this cluster will not be resolved.", "profile", profileName, "error", err)
-		return nil, errNoMatch
-	}
-
-	if isDescendantSubdomain(fqdn, profileName) {
-		// The queried app fqdn is a subdomain of this cluster proxy address.
-		return rootClient, nil
-	}
-
-	leafClusters, err := getLeafClusters(ctx, rootClient)
-	if err != nil {
-		// Good chance we're here because the user is not logged in to the profile.
-		r.log.ErrorContext(ctx, "Failed to list leaf clusters, apps in this cluster will not be resolved.", "profile", profileName, "error", err)
-		return nil, errNoMatch
-	}
-
-	// Prefix with an empty string to represent the root cluster.
-	allClusters := append([]string{""}, leafClusters...)
-	for _, leafClusterName := range allClusters {
-		clusterClient, err := r.appProvider.GetCachedClient(ctx, profileName, leafClusterName)
-		if err != nil {
-			r.log.ErrorContext(ctx, "Failed to get cluster client, apps in this cluster will not be resolved.", "profile", profileName, "leaf_cluster", leafClusterName, "error", err)
-			continue
-		}
-
-		clusterConfig, err := r.clusterConfigCache.GetClusterConfig(ctx, clusterClient)
-		if err != nil {
-			r.log.ErrorContext(ctx, "Failed to get VnetConfig, apps in the cluster will not be resolved.", "profile", profileName, "leaf_cluster", leafClusterName, "error", err)
-			continue
-		}
-		for _, zone := range clusterConfig.DNSZones {
-			if isDescendantSubdomain(fqdn, zone) {
-				return clusterClient, nil
-			}
-		}
-	}
-	return nil, errNoMatch
-}
-
-func getLeafClusters(ctx context.Context, rootClient ClusterClient) ([]string, error) {
-	var leafClusters []string
-	nextPage := ""
-	for {
-		remoteClusters, nextPage, err := rootClient.CurrentCluster().ListRemoteClusters(ctx, 0, nextPage)
-		if err != nil {
-			return nil, trace.Wrap(err)
-		}
-		for _, rc := range remoteClusters {
-			leafClusters = append(leafClusters, rc.GetName())
-		}
-		if nextPage == "" {
-			return leafClusters, nil
-		}
-	}
-}
-
-// resolveTCPHandlerForCluster takes a cluster client and resolves [fqdn] to a [tcpHandlerSpec] if a matching
-// app is found in that cluster.
-// Avoid using [trace.Wrap] on [errNoTCPHandler] to prevent collecting a full stack trace on every unhandled
-// query.
-func (r *tcpAppResolver) resolveTCPHandlerForCluster(
-	ctx context.Context,
-	clusterClient ClusterClient,
-	profileName, leafClusterName, fqdn string,
-) (*tcpHandlerSpec, error) {
-	log := r.log.With("profile", profileName, "leaf_cluster", leafClusterName, "fqdn", fqdn)
-	// An app public_addr could technically be full-qualified or not, match either way.
-	expr := fmt.Sprintf(`(resource.spec.public_addr == "%s" || resource.spec.public_addr == "%s") && hasPrefix(resource.spec.uri, "tcp://")`,
-		strings.TrimSuffix(fqdn, "."), fqdn)
-	resp, err := apiclient.GetResourcePage[types.AppServer](ctx, clusterClient.CurrentCluster(), &proto.ListResourcesRequest{
-		ResourceType:        types.KindAppServer,
-		PredicateExpression: expr,
-		Limit:               1,
-	})
-	if err != nil {
-		// Don't return an unexpected error so we can try to find the app in different clusters or forward the
-		// request upstream.
-		log.InfoContext(ctx, "Failed to list application servers.", "error", err)
-		return nil, errNoTCPHandler
-	}
-	if len(resp.Resources) == 0 {
-		// Didn't find any matching app, forward the request upstream.
-		return nil, errNoTCPHandler
-	}
-	app := resp.Resources[0].GetApp()
-	appHandler, err := r.newTCPAppHandler(ctx, profileName, leafClusterName, app)
+	appInfo, err := r.appProvider.ResolveAppInfo(ctx, fqdn)
 	if err != nil {
-		return nil, trace.Wrap(err)
+		// Intentionally don't wrap the error, collecting a trace is expensive
+		// and should only be done for unexpected errors
+		return nil, err
 	}
-
-	clusterConfig, err := r.clusterConfigCache.GetClusterConfig(ctx, clusterClient)
+	appHandler, err := r.newTCPAppHandler(ctx, appInfo)
 	if err != nil {
-		return nil, trace.Wrap(err)
+		return nil, err
 	}
-
 	return &tcpHandlerSpec{
-		ipv4CIDRRange: clusterConfig.IPv4CIDRRange,
+		ipv4CIDRRange: appInfo.GetIpv4CidrRange(),
 		tcpHandler:    appHandler,
 	}, nil
 }
 
 type tcpAppHandler struct {
+	appInfo     *vnetv1.AppInfo
+	appProvider appProvider
 	log         *slog.Logger
-	appProvider AppProvider
 	clock       clockwork.Clock
-	profileName string
-	// clusterName is the name of the cluster that the app belongs to. For root cluster, it is not
-	// necessarily the equivalent of profileName. RouteToApp passed to a local proxy needs to include
-	// the actual root cluster name, not just an empty string (unlike what's often the case with
-	// siteName in lib/client).
-	clusterName      string
-	leafClusterName  string
-	app              types.Application
-	portToLocalProxy map[uint16]*alpnproxy.LocalProxy
+
 	// mu guards access to portToLocalProxy.
-	mu sync.Mutex
+	mu               sync.Mutex
+	portToLocalProxy map[uint16]*alpnproxy.LocalProxy
 }
 
-func (r *tcpAppResolver) newTCPAppHandler(
-	ctx context.Context,
-	profileName string,
-	leafClusterName string,
-	app types.Application,
-) (*tcpAppHandler, error) {
-	clusterClient, err := r.appProvider.GetCachedClient(ctx, profileName, leafClusterName)
-	if err != nil {
-		return nil, trace.Wrap(err)
-	}
-
+func (r *tcpAppResolver) newTCPAppHandler(ctx context.Context, appInfo *vnetv1.AppInfo) (*tcpAppHandler, error) {
 	return &tcpAppHandler{
-		appProvider:      r.appProvider,
+		appInfo:     appInfo,
+		appProvider: r.appProvider,
+		log: r.log.With(teleport.ComponentKey, "VNet.tcpAppResolver",
+			"profile", appInfo.GetAppKey().GetProfile(), "leaf_cluster", appInfo.GetAppKey().GetLeafCluster(), "fqdn", appInfo.GetApp().GetPublicAddr()),
 		clock:            r.clock,
-		profileName:      profileName,
-		clusterName:      clusterClient.ClusterName(),
-		leafClusterName:  leafClusterName,
-		app:              app,
 		portToLocalProxy: make(map[uint16]*alpnproxy.LocalProxy),
-		log: r.log.With(teleport.ComponentKey, "VNet.AppHandler",
-			"profile", profileName, "leaf_cluster", leafClusterName, "fqdn", app.GetPublicAddr()),
 	}, nil
 }
 
@@ -333,72 +122,64 @@ func (r *tcpAppResolver) newTCPAppHandler(
 func (h *tcpAppHandler) getOrInitializeLocalProxy(ctx context.Context, localPort uint16) (*alpnproxy.LocalProxy, error) {
 	h.mu.Lock()
 	defer h.mu.Unlock()
-
 	// Connections to single-port apps need to go through a local proxy that has a cert with TargetPort
 	// set to 0. This ensures that the old behavior is kept for such apps, where the client can dial
 	// the public address of an app on any port and be routed to the port from the URI.
 	//
 	// https://github.com/gravitational/teleport/blob/master/rfd/0182-multi-port-tcp-app-access.md#vnet-with-single-port-apps
-	if len(h.app.GetTCPPorts()) == 0 {
+	if len(h.appInfo.GetApp().GetTCPPorts()) == 0 {
 		localPort = 0
 	}
-
 	lp, ok := h.portToLocalProxy[localPort]
 	if ok {
 		return lp, nil
 	}
-
-	routeToApp := h.routeToApp(localPort)
-	dialOpts, err := h.appProvider.GetDialOptions(ctx, h.profileName)
-	if err != nil {
-		return nil, trace.Wrap(err, "getting dial options for profile %q", h.profileName)
-	}
-
 	appCertIssuer := &appCertIssuer{
-		appProvider:     h.appProvider,
-		profileName:     h.profileName,
-		leafClusterName: h.leafClusterName,
-		routeToApp:      routeToApp,
+		appProvider: h.appProvider,
+		appInfo:     h.appInfo,
+		targetPort:  localPort,
 	}
 	certChecker := client.NewCertChecker(appCertIssuer, h.clock)
 	middleware := &localProxyMiddleware{
-		certChecker:     certChecker,
-		appProvider:     h.appProvider,
-		routeToApp:      routeToApp,
-		profileName:     h.profileName,
-		leafClusterName: h.leafClusterName,
+		certChecker: certChecker,
+		appProvider: h.appProvider,
+		appKey:      h.appInfo.GetAppKey(),
 	}
-
+	dialOptions := h.appInfo.GetDialOptions()
 	localProxyConfig := alpnproxy.LocalProxyConfig{
-		RemoteProxyAddr:         dialOpts.WebProxyAddr,
+		RemoteProxyAddr:         dialOptions.GetWebProxyAddr(),
 		Protocols:               []alpncommon.Protocol{alpncommon.ProtocolTCP},
 		ParentContext:           ctx,
-		SNI:                     dialOpts.SNI,
-		RootCAs:                 dialOpts.RootClusterCACertPool,
-		ALPNConnUpgradeRequired: dialOpts.ALPNConnUpgradeRequired,
+		SNI:                     dialOptions.GetSni(),
+		ALPNConnUpgradeRequired: dialOptions.GetAlpnConnUpgradeRequired(),
 		Middleware:              middleware,
-		InsecureSkipVerify:      dialOpts.InsecureSkipVerify,
+		InsecureSkipVerify:      dialOptions.GetInsecureSkipVerify(),
 		Clock:                   h.clock,
 	}
-
+	if certPoolPEM := dialOptions.GetRootClusterCaCertPool(); len(certPoolPEM) > 0 {
+		caPool := x509.NewCertPool()
+		if !caPool.AppendCertsFromPEM(dialOptions.GetRootClusterCaCertPool()) {
+			return nil, trace.Errorf("failed to parse root cluster CA certs")
+		}
+		localProxyConfig.RootCAs = caPool
+	}
 	h.log.DebugContext(ctx, "Creating local proxy", "target_port", localPort)
 	newLP, err := alpnproxy.NewLocalProxy(localProxyConfig)
 	if err != nil {
 		return nil, trace.Wrap(err, "creating local proxy")
 	}
-
 	h.portToLocalProxy[localPort] = newLP
-
 	return newLP, nil
 }
 
 // handleTCPConnector handles an incoming TCP connection from VNet by passing it to the local alpn proxy,
 // which is set up with middleware to automatically handler certificate renewal and re-logins.
 func (h *tcpAppHandler) handleTCPConnector(ctx context.Context, localPort uint16, connector func() (net.Conn, error)) error {
-	if len(h.app.GetTCPPorts()) > 0 {
-		if !h.app.GetTCPPorts().Contains(int(localPort)) {
-			h.appProvider.OnInvalidLocalPort(ctx, h.profileName, h.leafClusterName, h.routeToApp(localPort), h.app.GetTCPPorts())
-			return trace.BadParameter("local port %d is not in TCP ports of app %q", localPort, h.app.GetName())
+	app := h.appInfo.GetApp()
+	if len(app.GetTCPPorts()) > 0 {
+		if !app.GetTCPPorts().Contains(int(localPort)) {
+			h.appProvider.OnInvalidLocalPort(ctx, h.appInfo, localPort)
+			return trace.BadParameter("local port %d is not in TCP ports of app %q", localPort, app.GetName())
 		}
 	}
 
@@ -409,26 +190,12 @@ func (h *tcpAppHandler) handleTCPConnector(ctx context.Context, localPort uint16
 	return trace.Wrap(lp.HandleTCPConnector(ctx, connector), "handling TCP connector")
 }
 
-func (h *tcpAppHandler) routeToApp(localPort uint16) proto.RouteToApp {
-	return proto.RouteToApp{
-		Name:       h.app.GetName(),
-		PublicAddr: h.app.GetPublicAddr(),
-		// ClusterName must _not_ be set to "" when targeting an app from a root cluster. Otherwise the
-		// connection routed through a local proxy will just get lost somewhere in the cluster (with no
-		// clear error being reported) and hang forever.
-		ClusterName: h.clusterName,
-		URI:         h.app.GetURI(),
-		TargetPort:  uint32(localPort),
-	}
-}
-
 // appCertIssuer implements [client.CertIssuer].
 type appCertIssuer struct {
-	appProvider     AppProvider
-	profileName     string
-	leafClusterName string
-	routeToApp      proto.RouteToApp
-	group           singleflight.Group
+	appProvider appProvider
+	appInfo     *vnetv1.AppInfo
+	targetPort  uint16
+	group       singleflight.Group
 }
 
 func (i *appCertIssuer) CheckCert(cert *x509.Certificate) error {
@@ -438,7 +205,7 @@ func (i *appCertIssuer) CheckCert(cert *x509.Certificate) error {
 
 func (i *appCertIssuer) IssueCert(ctx context.Context) (tls.Certificate, error) {
 	cert, err, _ := i.group.Do("", func() (any, error) {
-		return i.appProvider.ReissueAppCert(ctx, i.profileName, i.leafClusterName, i.routeToApp)
+		return i.appProvider.ReissueAppCert(ctx, i.appInfo, i.targetPort)
 	})
 	return cert.(tls.Certificate), trace.Wrap(err)
 }
@@ -460,13 +227,11 @@ func fullyQualify(domain string) string {
 }
 
 // localProxyMiddleware wraps around [client.CertChecker] and additionally makes it so that its
-// OnNewConnection method calls the same method of [AppProvider].
+// OnNewConnection method calls the same method of [appProvider].
 type localProxyMiddleware struct {
-	routeToApp      proto.RouteToApp
-	profileName     string
-	leafClusterName string
-	certChecker     *client.CertChecker
-	appProvider     AppProvider
+	appKey      *vnetv1.AppKey
+	certChecker *client.CertChecker
+	appProvider appProvider
 }
 
 func (m *localProxyMiddleware) OnNewConnection(ctx context.Context, lp *alpnproxy.LocalProxy) error {
@@ -474,10 +239,21 @@ func (m *localProxyMiddleware) OnNewConnection(ctx context.Context, lp *alpnprox
 	if err != nil {
 		return trace.Wrap(err)
 	}
-
-	return trace.Wrap(m.appProvider.OnNewConnection(ctx, m.profileName, m.leafClusterName, m.routeToApp))
+	return trace.Wrap(m.appProvider.OnNewConnection(ctx, m.appKey))
 }
 
 func (m *localProxyMiddleware) OnStart(ctx context.Context, lp *alpnproxy.LocalProxy) error {
 	return trace.Wrap(m.certChecker.OnStart(ctx, lp))
 }
+
+// RouteToApp returns a *proto.RouteToApp populated from appInfo and targetPort.
+func RouteToApp(appInfo *vnetv1.AppInfo, targetPort uint16) *proto.RouteToApp {
+	app := appInfo.GetApp()
+	return &proto.RouteToApp{
+		Name:        app.GetName(),
+		PublicAddr:  app.GetPublicAddr(),
+		ClusterName: appInfo.GetCluster(),
+		URI:         app.GetURI(),
+		TargetPort:  uint32(targetPort),
+	}
+}
diff --git a/lib/vnet/ipbits.go b/lib/vnet/ipbits.go
index d76a636a0df54..1ffb43952db46 100644
--- a/lib/vnet/ipbits.go
+++ b/lib/vnet/ipbits.go
@@ -41,7 +41,7 @@ func NewIPv6Prefix() (tcpip.Address, error) {
 	var bytes [16]byte
 	bytes[0] = 0xfd
 	if _, err := rand.Read(bytes[1:6]); err != nil {
-		return tcpip.Address{}, trace.Wrap(err)
+		return tcpip.Address{}, trace.Wrap(err, "reading random bytes")
 	}
 	return tcpip.AddrFrom16(bytes), nil
 }
diff --git a/lib/vnet/local_app_provider.go b/lib/vnet/local_app_provider.go
new file mode 100644
index 0000000000000..935eab0906e43
--- /dev/null
+++ b/lib/vnet/local_app_provider.go
@@ -0,0 +1,245 @@
+// Teleport
+// Copyright (C) 2025 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package vnet
+
+import (
+	"context"
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/gravitational/trace"
+	"github.com/jonboulle/clockwork"
+
+	apiclient "github.com/gravitational/teleport/api/client"
+	"github.com/gravitational/teleport/api/client/proto"
+	"github.com/gravitational/teleport/api/types"
+	vnetv1 "github.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/v1"
+	"github.com/gravitational/teleport/lib/auth/authclient"
+)
+
+// ClientApplication is the common interface implemented by each VNet client
+// application: Connect and tsh. It provides methods to list user profiles, get
+// cluster clients, issue app certificates, and report metrics and errors -
+// anything that uses the user's credentials or a Teleport client.
+// The name "client application" refers to a user-facing client application, in
+// constrast to the MacOS daemon or Windows service.
+type ClientApplication interface {
+	// ListProfiles lists the names of all profiles saved for the user.
+	ListProfiles() ([]string, error)
+
+	// GetCachedClient returns a [*client.ClusterClient] for the given profile and leaf cluster.
+	// [leafClusterName] may be empty when requesting a client for the root cluster. Returned clients are
+	// expected to be cached, as this may be called frequently.
+	GetCachedClient(ctx context.Context, profileName, leafClusterName string) (ClusterClient, error)
+
+	// ReissueAppCert issues a new cert for the target app.
+	ReissueAppCert(ctx context.Context, appInfo *vnetv1.AppInfo, targetPort uint16) (tls.Certificate, error)
+
+	// GetDialOptions returns ALPN dial options for the profile.
+	GetDialOptions(ctx context.Context, profileName string) (*vnetv1.DialOptions, error)
+
+	// OnNewConnection gets called whenever a new connection is about to be established through VNet.
+	// By the time OnNewConnection, VNet has already verified that the user holds a valid cert for the
+	// app.
+	//
+	// The connection won't be established until OnNewConnection returns. Returning an error prevents
+	// the connection from being made.
+	OnNewConnection(ctx context.Context, appKey *vnetv1.AppKey) error
+
+	// OnInvalidLocalPort gets called before VNet refuses to handle a connection to a multi-port TCP app
+	// because the provided port does not match any of the TCP ports in the app spec.
+	OnInvalidLocalPort(ctx context.Context, appInfo *vnetv1.AppInfo, targetPort uint16)
+}
+
+// ClusterClient is an interface defining the subset of [client.ClusterClient]
+// methods used by via [ClientApplication].
+type ClusterClient interface {
+	CurrentCluster() authclient.ClientI
+	ClusterName() string
+	RootClusterName() string
+}
+
+// localAppProvider implements wraps a [ClientApplication] to implement
+// appProvider.
+type localAppProvider struct {
+	ClientApplication
+	clusterConfigCache *ClusterConfigCache
+}
+
+func newLocalAppProvider(clientApp ClientApplication, clock clockwork.Clock) *localAppProvider {
+	return &localAppProvider{
+		ClientApplication:  clientApp,
+		clusterConfigCache: NewClusterConfigCache(clock),
+	}
+}
+
+// ResolveAppInfo implements [appProvider.ResolveAppInfo].
+func (p *localAppProvider) ResolveAppInfo(ctx context.Context, fqdn string) (*vnetv1.AppInfo, error) {
+	profileNames, err := p.ClientApplication.ListProfiles()
+	if err != nil {
+		return nil, trace.Wrap(err, "listing profiles")
+	}
+	for _, profileName := range profileNames {
+		if fqdn == fullyQualify(profileName) {
+			// This is a query for the proxy address, which we'll never want to handle.
+			// The DNS request must be forwarded upstream so that the VNet
+			// process can always dial the proxy address without recursively
+			// querying the VNet DNS nameserver.
+			return nil, errNoTCPHandler
+		}
+
+		clusterClient, err := p.clusterClientForAppFQDN(ctx, profileName, fqdn)
+		if err != nil {
+			if errors.Is(err, errNoMatch) {
+				continue
+			}
+			// The user might be logged out from this one cluster (and retryWithRelogin isn't working). Log
+			// the error but don't return it so that DNS resolution will be forwarded upstream instead of
+			// failing, to avoid breaking e.g. web app access (we don't know if this is a web or TCP app yet
+			// because we can't log in).
+			log.ErrorContext(ctx, "Failed to get teleport client.", "error", err)
+			continue
+		}
+
+		leafClusterName := ""
+		clusterName := clusterClient.ClusterName()
+		if clusterName != "" && clusterName != clusterClient.RootClusterName() {
+			leafClusterName = clusterName
+		}
+
+		return p.resolveAppInfoForCluster(ctx, clusterClient, profileName, leafClusterName, fqdn)
+	}
+	// fqdn did not match any profile, forward the request upstream.
+	return nil, errNoTCPHandler
+}
+
+func (p *localAppProvider) clusterClientForAppFQDN(ctx context.Context, profileName, fqdn string) (ClusterClient, error) {
+	rootClient, err := p.ClientApplication.GetCachedClient(ctx, profileName, "")
+	if err != nil {
+		log.ErrorContext(ctx, "Failed to get root cluster client, apps in this cluster will not be resolved.", "profile", profileName, "error", err)
+		return nil, errNoMatch
+	}
+
+	if isDescendantSubdomain(fqdn, profileName) {
+		// The queried app fqdn is a subdomain of this cluster proxy address.
+		return rootClient, nil
+	}
+
+	leafClusters, err := getLeafClusters(ctx, rootClient)
+	if err != nil {
+		// Good chance we're here because the user is not logged in to the profile.
+		log.ErrorContext(ctx, "Failed to list leaf clusters, apps in this cluster will not be resolved.", "profile", profileName, "error", err)
+		return nil, errNoMatch
+	}
+
+	// Prefix with an empty string to represent the root cluster.
+	allClusters := append([]string{""}, leafClusters...)
+	for _, leafClusterName := range allClusters {
+		clusterClient, err := p.ClientApplication.GetCachedClient(ctx, profileName, leafClusterName)
+		if err != nil {
+			log.ErrorContext(ctx, "Failed to get cluster client, apps in this cluster will not be resolved.", "profile", profileName, "leaf_cluster", leafClusterName, "error", err)
+			continue
+		}
+
+		clusterConfig, err := p.clusterConfigCache.GetClusterConfig(ctx, clusterClient)
+		if err != nil {
+			log.ErrorContext(ctx, "Failed to get VNet config, apps in the cluster will not be resolved.", "profile", profileName, "leaf_cluster", leafClusterName, "error", err)
+			continue
+		}
+		for _, zone := range clusterConfig.DNSZones {
+			if isDescendantSubdomain(fqdn, zone) {
+				return clusterClient, nil
+			}
+		}
+	}
+	return nil, errNoMatch
+}
+
+var errNoMatch = errors.New("cluster does not match queried FQDN")
+
+func getLeafClusters(ctx context.Context, rootClient ClusterClient) ([]string, error) {
+	var leafClusters []string
+	nextPage := ""
+	for {
+		remoteClusters, nextPage, err := rootClient.CurrentCluster().ListRemoteClusters(ctx, 0, nextPage)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+		for _, rc := range remoteClusters {
+			leafClusters = append(leafClusters, rc.GetName())
+		}
+		if nextPage == "" {
+			return leafClusters, nil
+		}
+	}
+}
+
+func (p *localAppProvider) resolveAppInfoForCluster(
+	ctx context.Context,
+	clusterClient ClusterClient,
+	profileName, leafClusterName, fqdn string,
+) (*vnetv1.AppInfo, error) {
+	log := log.With("profile", profileName, "leaf_cluster", leafClusterName, "fqdn", fqdn)
+	// An app public_addr could technically be full-qualified or not, match either way.
+	expr := fmt.Sprintf(`(resource.spec.public_addr == "%s" || resource.spec.public_addr == "%s") && hasPrefix(resource.spec.uri, "tcp://")`,
+		strings.TrimSuffix(fqdn, "."), fqdn)
+	resp, err := apiclient.GetResourcePage[types.AppServer](ctx, clusterClient.CurrentCluster(), &proto.ListResourcesRequest{
+		ResourceType:        types.KindAppServer,
+		PredicateExpression: expr,
+		Limit:               1,
+	})
+	if err != nil {
+		// Don't return an unexpected error so we can try to find the app in different clusters or forward the
+		// request upstream.
+		log.InfoContext(ctx, "Failed to list application servers", "error", err)
+		return nil, errNoTCPHandler
+	}
+	if len(resp.Resources) == 0 {
+		// Didn't find any matching app, forward the request upstream.
+		return nil, errNoTCPHandler
+	}
+	// At this point we have found a matching app in the cluster, any error is
+	// unexpected and is preventing access to the app and should be returned to
+	// the user.
+	app, ok := resp.Resources[0].GetApp().(*types.AppV3)
+	if !ok {
+		return nil, trace.BadParameter("expected *types.AppV3, got %T", resp.Resources[0].GetApp())
+	}
+	clusterConfig, err := p.clusterConfigCache.GetClusterConfig(ctx, clusterClient)
+	if err != nil {
+		log.ErrorContext(ctx, "Failed to get cluster VNet config for matching app", "error", err)
+		return nil, trace.Wrap(err, "getting cached cluster VNet config for matching app")
+	}
+	dialOpts, err := p.ClientApplication.GetDialOptions(ctx, profileName)
+	if err != nil {
+		log.ErrorContext(ctx, "Failed to get cluster dial options", "error", err)
+		return nil, trace.Wrap(err, "getting dial options for matching app")
+	}
+	appInfo := &vnetv1.AppInfo{
+		AppKey: &vnetv1.AppKey{
+			Profile:     profileName,
+			LeafCluster: leafClusterName,
+		},
+		Cluster:       clusterClient.ClusterName(),
+		App:           app,
+		Ipv4CidrRange: clusterConfig.IPv4CIDRRange,
+		DialOptions:   dialOpts,
+	}
+	return appInfo, nil
+}
diff --git a/lib/vnet/network_stack.go b/lib/vnet/network_stack.go
index 6c7dbfa2f8563..e275fcab48e0a 100644
--- a/lib/vnet/network_stack.go
+++ b/lib/vnet/network_stack.go
@@ -87,25 +87,29 @@ func (c *networkStackConfig) checkAndSetDefaults() error {
 }
 
 // tcpHandlerResolver describes a type that can resolve a fully-qualified domain
-// name to a [tcpHandlerSpec] that defines the CIDR range to assign an IP to
+// name to a tcpHandlerSpec that defines the CIDR range to assign an IP to
 // that handler from, and a handler for all future connections to that IP
 // address.
 //
 // Implementations beware - an FQDN always ends with a '.'.
 type tcpHandlerResolver interface {
-	// resolveTCPHandler decides if [fqdn] should match a TCP handler.
+	// resolveTCPHandler decides if fqdn should match a TCP handler.
 	//
-	// If [fqdn] matches a Teleport-managed TCP app it must return a
-	// [tcpHandlerSpec] defining the range to
-	// assign an IP from, and a handler for future connections to any assigned IPs.
+	// If fqdn matches a Teleport-managed TCP app it must return a
+	// tcpHandlerSpec defining the CIDR range to assign an IP from, and a
+	// handler for future connections to any assigned IPs.
 	//
-	// If [fqdn] does not match it must return ErrNoTCPHandler.
+	// If fqdn does not match it must return errNoTCPHandler. Avoid using
+	// [trace.Wrap] on errNoTCPHandler to prevent collecting a full stack trace
+	// on every unhandled query.
 	resolveTCPHandler(ctx context.Context, fqdn string) (*tcpHandlerSpec, error)
 }
 
-// errNoTCPHandler should be returned by [tcpHandlerResolver]s when no handler matches the FQDN.
-// Avoid using [trace.Wrap] on errNoTCPHandler where possible, this isn't an unexpected error that we would
-// expect to need to debug and [trace.Wrap] incurs overhead to collect a full stack trace.
+// errNoTCPHandler should be returned by tcpHandlerResolvers when no handler
+// matches the FQDN.
+//
+// Avoid using [trace.Wrap] on errNoTCPHandler where possible, this isn't an
+// unexpected error that should require the overhead of collecting a stack trace.
 var errNoTCPHandler = errors.New("no handler for address")
 
 // tcpHandlerSpec specifies a VNet TCP handler.
diff --git a/lib/vnet/user_process.go b/lib/vnet/user_process.go
index 820c70504a753..76ce1e9fd0742 100644
--- a/lib/vnet/user_process.go
+++ b/lib/vnet/user_process.go
@@ -28,19 +28,17 @@ import (
 
 // UserProcessConfig provides the necessary configuration to run VNet.
 type UserProcessConfig struct {
-	// AppProvider is a required field providing an interface implementation for [AppProvider].
-	AppProvider AppProvider
-	// ClusterConfigCache is an optional field providing [ClusterConfigCache]. If empty, a new cache
-	// will be created.
-	ClusterConfigCache *ClusterConfigCache
+	// ClientApplication is a required field providing an interface implementation for
+	// [ClientApplication].
+	ClientApplication ClientApplication
 	// HomePath is the tsh home used for Teleport clients created by VNet. Resolved using the same
 	// rules as HomeDir in tsh.
 	HomePath string
 }
 
 func (c *UserProcessConfig) checkAndSetDefaults() error {
-	if c.AppProvider == nil {
-		return trace.BadParameter("missing AppProvider")
+	if c.ClientApplication == nil {
+		return trace.BadParameter("missing ClientApplication")
 	}
 	if c.HomePath == "" {
 		c.HomePath = profile.FullProfilePath(os.Getenv(types.HomeEnvVar))
diff --git a/lib/vnet/user_process_darwin.go b/lib/vnet/user_process_darwin.go
index a1b07da1b38ff..7fdde42c19f9d 100644
--- a/lib/vnet/user_process_darwin.go
+++ b/lib/vnet/user_process_darwin.go
@@ -22,6 +22,7 @@ import (
 	"time"
 
 	"github.com/gravitational/trace"
+	"github.com/jonboulle/clockwork"
 	"golang.zx2c4.com/wireguard/tun"
 
 	"github.com/gravitational/teleport/lib/vnet/daemon"
@@ -31,7 +32,7 @@ import (
 // background. To do this, it also needs to launch an admin process in the
 // background. It returns a [ProcessManager] which controls the lifecycle of
 // both background tasks.
-func runPlatformUserProcess(ctx context.Context, config *UserProcessConfig) (pm *ProcessManager, err error) {
+func runPlatformUserProcess(ctx context.Context, cfg *UserProcessConfig) (pm *ProcessManager, err error) {
 	// Make sure to close the process manager if returning a non-nil error.
 	defer func() {
 		if pm != nil && err != nil {
@@ -65,7 +66,7 @@ func runPlatformUserProcess(ctx context.Context, config *UserProcessConfig) (pm
 			SocketPath: socketPath,
 			IPv6Prefix: ipv6Prefix.String(),
 			DNSAddr:    dnsIPv6.String(),
-			HomePath:   config.HomePath,
+			HomePath:   cfg.HomePath,
 		}
 		return trace.Wrap(execAdminProcess(processCtx, daemonConfig))
 	})
@@ -106,12 +107,9 @@ func runPlatformUserProcess(ctx context.Context, config *UserProcessConfig) (pm
 		}
 	}
 
-	appResolver, err := newTCPAppResolver(config.AppProvider,
-		WithClusterConfigCache(config.ClusterConfigCache))
-	if err != nil {
-		return nil, trace.Wrap(err)
-	}
-
+	clock := clockwork.NewRealClock()
+	appProvider := newLocalAppProvider(cfg.ClientApplication, clock)
+	appResolver := newTCPAppResolver(appProvider, clock)
 	ns, err := newNetworkStack(&networkStackConfig{
 		tunDevice:          tun,
 		ipv6Prefix:         ipv6Prefix,
diff --git a/lib/vnet/vnet_test.go b/lib/vnet/vnet_test.go
index a2e73ee25f5fd..a3c59c6371bec 100644
--- a/lib/vnet/vnet_test.go
+++ b/lib/vnet/vnet_test.go
@@ -20,7 +20,6 @@ import (
 	"bytes"
 	"cmp"
 	"context"
-	"crypto/ed25519"
 	"crypto/rand"
 	"crypto/tls"
 	"crypto/x509"
@@ -54,8 +53,10 @@ import (
 	headerv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/header/v1"
 	"github.com/gravitational/teleport/api/gen/proto/go/teleport/vnet/v1"
 	"github.com/gravitational/teleport/api/types"
-	apiutils "github.com/gravitational/teleport/api/utils"
+	vnetv1 "github.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/v1"
 	"github.com/gravitational/teleport/lib/auth/authclient"
+	"github.com/gravitational/teleport/lib/cryptosuites"
+	"github.com/gravitational/teleport/lib/tlsca"
 	"github.com/gravitational/teleport/lib/utils"
 )
 
@@ -75,8 +76,8 @@ type testPack struct {
 }
 
 type testPackConfig struct {
-	clock       clockwork.FakeClock
-	appProvider AppProvider
+	clock       *clockwork.FakeClock
+	appProvider appProvider
 }
 
 func newTestPack(t *testing.T, ctx context.Context, cfg testPackConfig) *testPack {
@@ -129,8 +130,7 @@ func newTestPack(t *testing.T, ctx context.Context, cfg testPackConfig) *testPac
 
 	dnsIPv6 := ipv6WithSuffix(vnetIPv6Prefix, []byte{2})
 
-	tcpHandlerResolver, err := newTCPAppResolver(cfg.appProvider, withClock(cfg.clock))
-	require.NoError(t, err)
+	tcpHandlerResolver := newTCPAppResolver(cfg.appProvider, cfg.clock)
 
 	// Create the VNet and connect it to the other side of the TUN.
 	ns, err := newNetworkStack(&networkStackConfig{
@@ -251,36 +251,44 @@ type testClusterSpec struct {
 	leafClusters   map[string]testClusterSpec
 }
 
-type echoAppProvider struct {
+type fakeClientApp struct {
 	clusters                    map[string]testClusterSpec
-	dialOpts                    DialOptions
+	dialOpts                    *vnetv1.DialOptions
 	reissueAppCert              func() tls.Certificate
 	onNewConnectionCallCount    atomic.Uint32
 	onInvalidLocalPortCallCount atomic.Uint32
 	// requestedRouteToApps indexed by public address.
-	requestedRouteToApps   map[string][]proto.RouteToApp
+	requestedRouteToApps   map[string][]*proto.RouteToApp
 	requestedRouteToAppsMu sync.RWMutex
+	clusterConfigCache     *ClusterConfigCache
 }
 
-// newEchoAppProvider returns an app provider with the list of named apps in each profile and leaf cluster.
-func newEchoAppProvider(clusterSpecs map[string]testClusterSpec, dialOpts DialOptions, reissueAppCert func() tls.Certificate) *echoAppProvider {
-	return &echoAppProvider{
+// newFakeClientApp returns an app provider with the list of named apps
+// in each profile and leaf cluster.
+func newFakeClientApp(
+	clusterSpecs map[string]testClusterSpec,
+	dialOpts *vnetv1.DialOptions,
+	reissueAppCert func() tls.Certificate,
+	clock clockwork.Clock,
+) *fakeClientApp {
+	return &fakeClientApp{
 		clusters:             clusterSpecs,
 		dialOpts:             dialOpts,
 		reissueAppCert:       reissueAppCert,
-		requestedRouteToApps: make(map[string][]proto.RouteToApp),
+		requestedRouteToApps: make(map[string][]*proto.RouteToApp),
+		clusterConfigCache:   NewClusterConfigCache(clock),
 	}
 }
 
 // ListProfiles lists the names of all profiles saved for the user.
-func (p *echoAppProvider) ListProfiles() ([]string, error) {
+func (p *fakeClientApp) ListProfiles() ([]string, error) {
 	return maps.Keys(p.clusters), nil
 }
 
 // GetCachedClient returns a [*client.ClusterClient] for the given profile and leaf cluster.
 // [leafClusterName] may be empty when requesting a client for the root cluster. Returned clients are
 // expected to be cached, as this may be called frequently.
-func (p *echoAppProvider) GetCachedClient(ctx context.Context, profileName, leafClusterName string) (ClusterClient, error) {
+func (p *fakeClientApp) GetCachedClient(ctx context.Context, profileName, leafClusterName string) (ClusterClient, error) {
 	rootCluster, ok := p.clusters[profileName]
 	if !ok {
 		return nil, trace.NotFound("no cluster for %s", profileName)
@@ -307,31 +315,36 @@ func (p *echoAppProvider) GetCachedClient(ctx context.Context, profileName, leaf
 	}, nil
 }
 
-func (p *echoAppProvider) ReissueAppCert(ctx context.Context, profileName, leafClusterName string, routeToApp proto.RouteToApp) (tls.Certificate, error) {
+func (p *fakeClientApp) GetCachedClusterConfig(ctx context.Context, clt ClusterClient) (*ClusterConfig, error) {
+	return p.clusterConfigCache.GetClusterConfig(ctx, clt)
+}
+
+func (p *fakeClientApp) ReissueAppCert(ctx context.Context, appInfo *vnetv1.AppInfo, targetPort uint16) (tls.Certificate, error) {
 	p.requestedRouteToAppsMu.Lock()
 	defer p.requestedRouteToAppsMu.Unlock()
 
+	routeToApp := RouteToApp(appInfo, targetPort)
 	p.requestedRouteToApps[routeToApp.PublicAddr] = append(p.requestedRouteToApps[routeToApp.PublicAddr], routeToApp)
 
 	return p.reissueAppCert(), nil
 }
 
-func (p *echoAppProvider) RequestedRouteToApps(publicAddr string) []proto.RouteToApp {
+func (p *fakeClientApp) RequestedRouteToApps(publicAddr string) []*proto.RouteToApp {
 	p.requestedRouteToAppsMu.RLock()
 	defer p.requestedRouteToAppsMu.RUnlock()
 
 	requestedRoutes := p.requestedRouteToApps[publicAddr]
-	returnedRoutes := make([]proto.RouteToApp, len(requestedRoutes))
+	returnedRoutes := make([]*proto.RouteToApp, len(requestedRoutes))
 	copy(returnedRoutes, requestedRoutes)
 
 	return returnedRoutes
 }
 
-func (p *echoAppProvider) GetDialOptions(ctx context.Context, profileName string) (*DialOptions, error) {
-	return &p.dialOpts, nil
+func (p *fakeClientApp) GetDialOptions(ctx context.Context, profileName string) (*vnetv1.DialOptions, error) {
+	return p.dialOpts, nil
 }
 
-func (p *echoAppProvider) GetVnetConfig(ctx context.Context, profileName, leafClusterName string) (*vnet.VnetConfig, error) {
+func (p *fakeClientApp) GetVnetConfig(ctx context.Context, profileName, leafClusterName string) (*vnet.VnetConfig, error) {
 	rootCluster, ok := p.clusters[profileName]
 	if !ok {
 		return nil, trace.Errorf("no cluster for %s", profileName)
@@ -382,12 +395,12 @@ func (p *echoAppProvider) GetVnetConfig(ctx context.Context, profileName, leafCl
 	return cfg, nil
 }
 
-func (p *echoAppProvider) OnNewConnection(ctx context.Context, profileName, leafClusterName string, routeToApp proto.RouteToApp) error {
+func (p *fakeClientApp) OnNewConnection(_ context.Context, _ *vnetv1.AppKey) error {
 	p.onNewConnectionCallCount.Add(1)
 	return nil
 }
 
-func (p *echoAppProvider) OnInvalidLocalPort(ctx context.Context, profileName, leafClusterName string, routeToApp proto.RouteToApp, tcpPorts types.PortRanges) {
+func (p *fakeClientApp) OnInvalidLocalPort(_ context.Context, _ *vnetv1.AppInfo, _ uint16) {
 	p.onInvalidLocalPortCallCount.Add(1)
 }
 
@@ -501,7 +514,7 @@ func TestDialFakeApp(t *testing.T) {
 		return newClientCert(t, ca, "testclient", clock.Now().Add(appCertLifetime))
 	}
 
-	appProvider := newEchoAppProvider(map[string]testClusterSpec{
+	clientApp := newFakeClientApp(map[string]testClusterSpec{
 		"root1.example.com": {
 			apps: []appSpec{
 				appSpec{publicAddr: "echo1.root1.example.com"},
@@ -562,63 +575,121 @@ func TestDialFakeApp(t *testing.T) {
 				},
 			},
 		},
-	}, dialOpts, reissueClientCert)
+	}, dialOpts, reissueClientCert, clock)
 
 	p := newTestPack(t, ctx, testPackConfig{
 		clock:       clock,
-		appProvider: appProvider,
+		appProvider: newLocalAppProvider(clientApp, clock),
 	})
 
 	validTestCases := []struct {
-		app        string
-		port       int
-		expectCIDR string
+		app              string
+		port             int
+		expectCIDR       string
+		expectRouteToApp proto.RouteToApp
 	}{
 		{
 			app:        "echo1.root1.example.com",
 			expectCIDR: "192.168.2.0/24",
+			expectRouteToApp: proto.RouteToApp{
+				Name:        "echo1.root1.example.com",
+				PublicAddr:  "echo1.root1.example.com",
+				ClusterName: "root1.example.com",
+			},
 		},
 		{
 			app:        "echo2.root1.example.com",
 			expectCIDR: "192.168.2.0/24",
+			expectRouteToApp: proto.RouteToApp{
+				Name:        "echo2.root1.example.com",
+				PublicAddr:  "echo2.root1.example.com",
+				ClusterName: "root1.example.com",
+			},
 		},
 		{
 			app:        "echo.myzone.example.com",
 			expectCIDR: "192.168.2.0/24",
+			expectRouteToApp: proto.RouteToApp{
+				Name:        "echo.myzone.example.com",
+				PublicAddr:  "echo.myzone.example.com",
+				ClusterName: "root1.example.com",
+			},
 		},
 		{
 			app:        "echo.nested.myzone.example.com",
 			expectCIDR: "192.168.2.0/24",
+			expectRouteToApp: proto.RouteToApp{
+				Name:        "echo.nested.myzone.example.com",
+				PublicAddr:  "echo.nested.myzone.example.com",
+				ClusterName: "root1.example.com",
+			},
 		},
 		{
 			app:        "echo1.leaf1.example.com",
 			expectCIDR: defaultIPv4CIDRRange,
+			expectRouteToApp: proto.RouteToApp{
+				Name:        "echo1.leaf1.example.com",
+				PublicAddr:  "echo1.leaf1.example.com",
+				ClusterName: "leaf1.example.com",
+			},
 		},
 		{
 			app:        "echo1.leaf2.example.com",
 			expectCIDR: defaultIPv4CIDRRange,
+			expectRouteToApp: proto.RouteToApp{
+				Name:        "echo1.leaf2.example.com",
+				PublicAddr:  "echo1.leaf2.example.com",
+				ClusterName: "leaf2.example.com",
+			},
 		},
 		{
 			app:        "echo1.root2.example.com",
 			expectCIDR: defaultIPv4CIDRRange,
+			expectRouteToApp: proto.RouteToApp{
+				Name:        "echo1.root2.example.com",
+				PublicAddr:  "echo1.root2.example.com",
+				ClusterName: "root2.example.com",
+			},
 		},
 		{
 			app:        "echo2.root2.example.com",
 			expectCIDR: defaultIPv4CIDRRange,
+			expectRouteToApp: proto.RouteToApp{
+				Name:        "echo2.root2.example.com",
+				PublicAddr:  "echo2.root2.example.com",
+				ClusterName: "root2.example.com",
+			},
 		},
 		{
 			app:        "echo1.leaf3.example.com",
 			expectCIDR: defaultIPv4CIDRRange,
+			expectRouteToApp: proto.RouteToApp{
+				Name:        "echo1.leaf3.example.com",
+				PublicAddr:  "echo1.leaf3.example.com",
+				ClusterName: "leaf3.example.com",
+			},
 		},
 		{
 			app:        "multi-port.root1.example.com",
 			port:       1337,
 			expectCIDR: "192.168.2.0/24",
+			expectRouteToApp: proto.RouteToApp{
+				Name:        "multi-port.root1.example.com",
+				PublicAddr:  "multi-port.root1.example.com",
+				ClusterName: "root1.example.com",
+				TargetPort:  1337,
+			},
 		},
 		{
 			app:        "multi-port.leaf1.example.com",
 			port:       1337,
 			expectCIDR: defaultIPv4CIDRRange,
+			expectRouteToApp: proto.RouteToApp{
+				Name:        "multi-port.leaf1.example.com",
+				PublicAddr:  "multi-port.leaf1.example.com",
+				ClusterName: "leaf1.example.com",
+				TargetPort:  1337,
+			},
 		},
 	}
 
@@ -632,7 +703,6 @@ func TestDialFakeApp(t *testing.T) {
 		for i := 0; i < 3; i++ {
 			t.Run(fmt.Sprint(i), func(t *testing.T) {
 				for _, tc := range validTestCases {
-					tc := tc
 					t.Run(tc.app, func(t *testing.T) {
 						t.Parallel()
 
@@ -652,19 +722,14 @@ func TestDialFakeApp(t *testing.T) {
 						// The app name may have resolved to a v4 or v6 address, either way the 4-byte suffix should be a
 						// valid IPv4 address in the expected CIDR range.
 						remoteIPSuffix := remoteIP[len(remoteIP)-4:]
-						require.True(t, expectNet.Contains(remoteIPSuffix), "expected CIDR range %s does not include remote IP %s", expectNet, remoteIPSuffix)
+						assert.True(t, expectNet.Contains(remoteIPSuffix), "expected CIDR range %s does not include remote IP %s", expectNet, remoteIPSuffix)
 
 						testEchoConnection(t, conn)
 
-						requestedRoutes := appProvider.RequestedRouteToApps(tc.app)
-						// For multi-port apps, certs should have RouteToApp.TargetPort set to the specified
-						// cert.
-						//
-						// Single-port apps are going to be dialed on defaultPort in tests, but certs for them
-						// need to have RouteToApp.TargetPort set to 0.
-						require.True(t, apiutils.All(requestedRoutes, func(route proto.RouteToApp) bool {
-							return int(route.TargetPort) == tc.port
-						}), "not all requested certs had RouteToApp.TargetPort set to %d", tc.port)
+						for _, requestedRouteToApp := range clientApp.RequestedRouteToApps(tc.app) {
+							assert.Equal(t, &tc.expectRouteToApp, requestedRouteToApp,
+								"requested cert RouteToApp did not match expected for app")
+						}
 					})
 				}
 			})
@@ -699,15 +764,16 @@ func TestDialFakeApp(t *testing.T) {
 		// immediately close it.
 		require.ErrorContains(t, err, "connection was refused")
 
-		requestedRoutes := appProvider.RequestedRouteToApps(app)
-		require.False(t, slices.ContainsFunc(requestedRoutes, func(route proto.RouteToApp) bool {
+		requestedRoutes := clientApp.RequestedRouteToApps(app)
+		require.False(t, slices.ContainsFunc(requestedRoutes, func(route *proto.RouteToApp) bool {
 			return int(route.TargetPort) == port
 		}), "no certs are supposed to be requested for target port %d in app %s", port, app)
-		require.Equal(t, uint32(1), appProvider.onInvalidLocalPortCallCount.Load(), "unexpected number of calls to OnInvalidLocalPort")
+		require.Equal(t, uint32(1), clientApp.onInvalidLocalPortCallCount.Load(), "unexpected number of calls to OnInvalidLocalPort")
 	})
 }
 
 func testEchoConnection(t *testing.T, conn net.Conn) {
+	t.Helper()
 	const testString = "1........."
 	writeBuf := bytes.Repeat([]byte(testString), 200)
 	readBuf := make([]byte, len(writeBuf))
@@ -742,7 +808,7 @@ func TestOnNewConnection(t *testing.T) {
 		return newClientCert(t, ca, "testclient", clock.Now().Add(appCertLifetime))
 	}
 
-	appProvider := newEchoAppProvider(map[string]testClusterSpec{
+	clientApp := newFakeClientApp(map[string]testClusterSpec{
 		"root1.example.com": {
 			apps: []appSpec{
 				appSpec{publicAddr: "echo1"},
@@ -750,14 +816,14 @@ func TestOnNewConnection(t *testing.T) {
 			cidrRange:    "192.168.2.0/24",
 			leafClusters: map[string]testClusterSpec{},
 		},
-	}, dialOpts, reissueClientCert)
+	}, dialOpts, reissueClientCert, clock)
 
 	validAppName := "echo1.root1.example.com"
 	invalidAppName := "not.an.app.example.com."
 
 	p := newTestPack(t, ctx, testPackConfig{
 		clock:       clock,
-		appProvider: appProvider,
+		appProvider: newLocalAppProvider(clientApp, clock),
 	})
 
 	// Attempt to establish a connection to an invalid app and verify that OnNewConnection was not
@@ -766,13 +832,13 @@ func TestOnNewConnection(t *testing.T) {
 	defer lookupCtxCancel()
 	_, err := p.lookupHost(lookupCtx, invalidAppName)
 	require.Error(t, err, "Expected lookup of an invalid app to fail")
-	require.Equal(t, uint32(0), appProvider.onNewConnectionCallCount.Load())
+	require.Equal(t, uint32(0), clientApp.onNewConnectionCallCount.Load())
 
 	// Establish a connection to a valid app and verify that OnNewConnection was called.
 	conn, err := p.dialHost(ctx, validAppName, 80 /* bogus port */)
 	require.NoError(t, err)
 	t.Cleanup(func() { require.NoError(t, conn.Close()) })
-	require.Equal(t, uint32(1), appProvider.onNewConnectionCallCount.Load())
+	require.Equal(t, uint32(1), clientApp.onNewConnectionCallCount.Load())
 }
 
 func randomULAAddress() (tcpip.Address, error) {
@@ -862,7 +928,7 @@ func (f *fakeTUN) Close() error {
 }
 
 func newSelfSignedCA(t *testing.T) tls.Certificate {
-	pub, priv, err := ed25519.GenerateKey(rand.Reader)
+	signer, err := cryptosuites.GenerateKeyWithAlgorithm(cryptosuites.ECDSAP256)
 	require.NoError(t, err)
 
 	template := x509.Certificate{
@@ -877,12 +943,12 @@ func newSelfSignedCA(t *testing.T) tls.Certificate {
 		IsCA:                  true,
 		MaxPathLenZero:        true,
 	}
-	certBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, pub, priv)
+	certBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, signer.Public(), signer)
 	require.NoError(t, err)
 
 	return tls.Certificate{
 		Certificate: [][]byte{certBytes},
-		PrivateKey:  priv,
+		PrivateKey:  signer,
 	}
 }
 
@@ -895,7 +961,7 @@ func newClientCert(t *testing.T, ca tls.Certificate, cn string, expires time.Tim
 }
 
 func newLeafCert(t *testing.T, ca tls.Certificate, cn string, expires time.Time, keyUsage x509.ExtKeyUsage) tls.Certificate {
-	pub, priv, err := ed25519.GenerateKey(rand.Reader)
+	signer, err := cryptosuites.GenerateKeyWithAlgorithm(cryptosuites.ECDSAP256)
 	require.NoError(t, err)
 
 	caCert, err := x509.ParseCertificate(ca.Certificate[0])
@@ -912,16 +978,16 @@ func newLeafCert(t *testing.T, ca tls.Certificate, cn string, expires time.Time,
 		ExtKeyUsage: []x509.ExtKeyUsage{keyUsage},
 		DNSNames:    []string{cn},
 	}
-	certBytes, err := x509.CreateCertificate(rand.Reader, &template, caCert, pub, ca.PrivateKey)
+	certBytes, err := x509.CreateCertificate(rand.Reader, &template, caCert, signer.Public(), ca.PrivateKey)
 	require.NoError(t, err)
 
 	return tls.Certificate{
 		Certificate: [][]byte{certBytes},
-		PrivateKey:  priv,
+		PrivateKey:  signer,
 	}
 }
 
-func mustStartFakeWebProxy(ctx context.Context, t *testing.T, ca tls.Certificate, clock clockwork.FakeClock) DialOptions {
+func mustStartFakeWebProxy(ctx context.Context, t *testing.T, ca tls.Certificate, clock *clockwork.FakeClock) *vnetv1.DialOptions {
 	t.Helper()
 
 	roots := x509.NewCertPool()
@@ -997,11 +1063,12 @@ func mustStartFakeWebProxy(ctx context.Context, t *testing.T, ca tls.Certificate
 		},
 	})
 
-	dialOpts := DialOptions{
+	caPEM, err := tlsca.MarshalCertificatePEM(caX509)
+	require.NoError(t, err)
+	dialOpts := &vnetv1.DialOptions{
 		WebProxyAddr:          listener.Addr().String(),
-		RootClusterCACertPool: roots,
-		SNI:                   proxyCN,
+		RootClusterCaCertPool: caPEM,
+		Sni:                   proxyCN,
 	}
-
 	return dialOpts
 }
diff --git a/lib/web/apiserver_test.go b/lib/web/apiserver_test.go
index 245e498b9afdb..3da076476e5e1 100644
--- a/lib/web/apiserver_test.go
+++ b/lib/web/apiserver_test.go
@@ -166,7 +166,7 @@ type WebSuite struct {
 	mockU2F     *mocku2f.Key
 	server      *auth.TestServer
 	proxyClient *authclient.Client
-	clock       clockwork.FakeClock
+	clock       *clockwork.FakeClock
 }
 
 // TestMain will re-execute Teleport to run a command if "exec" is passed to
@@ -210,7 +210,7 @@ type webSuiteConfig struct {
 	presenceChecker PresenceChecker
 
 	// clock to use for all server components
-	clock clockwork.FakeClock
+	clock *clockwork.FakeClock
 
 	// databaseREPLGetter allows setting custom database REPLs.
 	databaseREPLGetter dbrepl.REPLRegistry
@@ -8166,7 +8166,7 @@ func withDevicesClientOverride(c devicepb.DeviceTrustServiceClient) proxyOption
 }
 
 func createProxy(ctx context.Context, t *testing.T, proxyID string, node *regular.Server, authServer *auth.TestTLSServer,
-	hostSigners []ssh.Signer, clock clockwork.FakeClock, opts ...proxyOption,
+	hostSigners []ssh.Signer, clock *clockwork.FakeClock, opts ...proxyOption,
 ) *testProxy {
 	cfg := proxyConfig{}
 	for _, opt := range opts {
@@ -8497,11 +8497,11 @@ type webPack struct {
 	proxies []*testProxy
 	server  *auth.TestServer
 	node    *regular.Server
-	clock   clockwork.FakeClock
+	clock   *clockwork.FakeClock
 }
 
 type testProxy struct {
-	clock   clockwork.FakeClock
+	clock   *clockwork.FakeClock
 	client  authclient.ClientI
 	auth    *auth.TestTLSServer
 	revTun  reversetunnelclient.Server
diff --git a/lib/web/app/handler_test.go b/lib/web/app/handler_test.go
index d7cc3a6e03fde..9effc56630e5f 100644
--- a/lib/web/app/handler_test.go
+++ b/lib/web/app/handler_test.go
@@ -479,7 +479,7 @@ type testServer struct {
 	serverURL *url.URL
 }
 
-func setup(t *testing.T, clock clockwork.FakeClock, authClient authclient.ClientI, proxyClient reversetunnelclient.Tunnel) *testServer {
+func setup(t *testing.T, clock *clockwork.FakeClock, authClient authclient.ClientI, proxyClient reversetunnelclient.Tunnel) *testServer {
 	appHandler, err := NewHandler(context.Background(), &HandlerConfig{
 		Clock:                 clock,
 		AuthClient:            authClient,
@@ -636,7 +636,7 @@ func (r *fakeRemoteListener) Addr() net.Addr {
 }
 
 // createAppSession generates a WebSession for an application.
-func createAppSession(t *testing.T, clock clockwork.FakeClock, caKey, caCert []byte, clusterName, publicAddr string) types.WebSession {
+func createAppSession(t *testing.T, clock *clockwork.FakeClock, caKey, caCert []byte, clusterName, publicAddr string) types.WebSession {
 	key, cert := createAppKeyCertPair(t, clock, caKey, caCert, clusterName, publicAddr)
 	keyPEM, err := keys.MarshalPrivateKey(key)
 	require.NoError(t, err)
@@ -653,7 +653,7 @@ func createAppSession(t *testing.T, clock clockwork.FakeClock, caKey, caCert []b
 }
 
 // createAppKeyCertPair creates and a client key and signed app cert for the client key
-func createAppKeyCertPair(t *testing.T, clock clockwork.FakeClock, caKey, caCert []byte, clusterName, publicAddr string) (crypto.Signer, []byte) {
+func createAppKeyCertPair(t *testing.T, clock *clockwork.FakeClock, caKey, caCert []byte, clusterName, publicAddr string) (crypto.Signer, []byte) {
 	tlsCA, err := tlsca.FromKeys(caCert, caKey)
 	require.NoError(t, err)
 
diff --git a/lib/web/features_test.go b/lib/web/features_test.go
index 52fcbddc91d0a..d6d1fd6d5caa0 100644
--- a/lib/web/features_test.go
+++ b/lib/web/features_test.go
@@ -150,7 +150,7 @@ func TestFeaturesWatcher(t *testing.T) {
 // requireFeatures is a helper function that advances the clock, then
 // calls `getFeatures` every 100ms for up to 1 second, until it
 // returns the expected result (`want`).
-func requireFeatures(t *testing.T, fakeClock clockwork.FakeClock, want proto.Features, getFeatures func() proto.Features) {
+func requireFeatures(t *testing.T, fakeClock *clockwork.FakeClock, want proto.Features, getFeatures func() proto.Features) {
 	t.Helper()
 
 	// Advance the clock so the service fetch and stores features
@@ -165,7 +165,7 @@ func requireFeatures(t *testing.T, fakeClock clockwork.FakeClock, want proto.Fea
 // neverFeatures is a helper function that advances the clock, then
 // calls `getFeatures` every 100ms for up to 1 second. If at some point `getFeatures`
 // returns `doNotWant`, the test fails.
-func neverFeatures(t *testing.T, fakeClock clockwork.FakeClock, doNotWant proto.Features, getFeatures func() proto.Features) {
+func neverFeatures(t *testing.T, fakeClock *clockwork.FakeClock, doNotWant proto.Features, getFeatures func() proto.Features) {
 	t.Helper()
 
 	fakeClock.Advance(1 * time.Second)
diff --git a/lib/web/scripts/node-join/install.sh b/lib/web/scripts/node-join/install.sh
index 3559f688cbaa3..ef33cf8d10007 100755
--- a/lib/web/scripts/node-join/install.sh
+++ b/lib/web/scripts/node-join/install.sh
@@ -18,6 +18,7 @@ TARGET_PORT_DEFAULT=443
 TELEPORT_ARCHIVE_PATH='{{.packageName}}'
 TELEPORT_BINARY_DIR="/usr/local/bin"
 TELEPORT_BINARY_LIST="teleport tctl tsh teleport-update"
+TELEPORT_BINARY_LIST_darwin="teleport" # only install server binaries for macOS
 TELEPORT_CONFIG_PATH="/etc/teleport.yaml"
 TELEPORT_DATA_DIR="/var/lib/teleport"
 TELEPORT_DOCS_URL="https://goteleport.com/docs/"
@@ -747,6 +748,7 @@ if [[ "${OSTYPE}" == "linux"* ]]; then
 elif [[ "${OSTYPE}" == "darwin"* ]]; then
     # macOS host, now detect arch
     TELEPORT_BINARY_TYPE="darwin"
+    TELEPORT_BINARY_LIST="${TELEPORT_BINARY_LIST_darwin}"
     ARCH=$(uname -m)
     log "Detected host: ${OSTYPE}, using Teleport binary type ${TELEPORT_BINARY_TYPE}"
     if [[ ${ARCH} == "arm64" ]]; then
diff --git a/proto/teleport/lib/vnet/v1/client_application_service.proto b/proto/teleport/lib/vnet/v1/client_application_service.proto
new file mode 100644
index 0000000000000..177668a4920dc
--- /dev/null
+++ b/proto/teleport/lib/vnet/v1/client_application_service.proto
@@ -0,0 +1,200 @@
+// Teleport
+// Copyright (C) 2025 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+syntax = "proto3";
+
+package teleport.lib.vnet.v1;
+
+import "teleport/legacy/types/types.proto";
+
+option go_package = "github.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/v1;vnetv1";
+
+// ClientApplicationService is a service the VNet client applications provide to
+// the VNet admin process to facilate app queries, certificate issuance,
+// metrics, error reporting, and signatures.
+service ClientApplicationService {
+  // AuthenticateProcess mutually authenticates client applicates to the admin
+  // service.
+  rpc AuthenticateProcess(AuthenticateProcessRequest) returns (AuthenticateProcessResponse);
+  // Ping is used by the admin process to regularly poll that the client
+  // application is still running.
+  rpc Ping(PingRequest) returns (PingResponse);
+  // ResolveAppInfo returns info for the given app fqdn, or an error if the app
+  // is not present in any logged-in cluster.
+  rpc ResolveAppInfo(ResolveAppInfoRequest) returns (ResolveAppInfoResponse);
+  // ReissueAppCert issues a new app cert.
+  rpc ReissueAppCert(ReissueAppCertRequest) returns (ReissueAppCertResponse);
+  // SignForApp issues a signature with the private key associated with an x509
+  // certificate previously issued for a requested app.
+  rpc SignForApp(SignForAppRequest) returns (SignForAppResponse);
+  // OnNewConnection gets called whenever a new connection is about to be
+  // established through VNet for observability.
+  rpc OnNewConnection(OnNewConnectionRequest) returns (OnNewConnectionResponse);
+  // OnInvalidLocalPort gets called before VNet refuses to handle a connection
+  // to a multi-port TCP app because the provided port does not match any of the
+  // TCP ports in the app spec.
+  rpc OnInvalidLocalPort(OnInvalidLocalPortRequest) returns (OnInvalidLocalPortResponse);
+}
+
+// AuthenticateProcessRequest is a request for AuthenticateProcess.
+message AuthenticateProcessRequest {
+  // version is the admin process version.
+  string version = 1;
+  // pipe_path is the path to a named pipe used for process authentication.
+  string pipe_path = 2;
+}
+
+// AuthenticateProcessResponse is a response for AuthenticateProcess.
+message AuthenticateProcessResponse {
+  // version is the client application version.
+  string version = 1;
+}
+
+// PingRequest is a request for the Ping rpc.
+message PingRequest {}
+
+// PingResponse is a response for the Ping rpc.
+message PingResponse {}
+
+// ResolveAppInfoRequest is a request for ResolveAppInfo.
+message ResolveAppInfoRequest {
+  // fqdn is the fully-qualified domain name of the app.
+  string fqdn = 1;
+}
+
+// ResolveAppInfoResponse is a response for ResolveAppInfo.
+message ResolveAppInfoResponse {
+  // app_info holds all necessary info for making connections to the resolved app.
+  AppInfo app_info = 1;
+}
+
+// AppInfo holds all necessary info for making connections to VNet TCP apps.
+message AppInfo {
+  // app_key uniquely identifies a TCP app (and optionally a port for multi-port
+  // TCP apps).
+  AppKey app_key = 1;
+  // cluster is the name of the cluster in which the app is found.
+  // Iff the app is in a leaf cluster, this will match app_key.leaf_cluster.
+  string cluster = 2;
+  // app is the app spec.
+  types.AppV3 app = 3;
+  // ipv4_cidr_range is the CIDR range from which an IPv4 address should be
+  // assigned to the app.
+  string ipv4_cidr_range = 4;
+  // dial_options holds options that should be used when dialing the root cluster
+  // of the app.
+  DialOptions dial_options = 5;
+}
+
+// AppKey uniquely identifies a TCP app in a specific profile and cluster.
+message AppKey {
+  // profile is the profile in which the app is found.
+  string profile = 1;
+  // leaf_cluster is the leaf cluster in which the app is found. If empty, the
+  // app is in the root cluster for the profile.
+  string leaf_cluster = 2;
+  // name is the name of the app.
+  string name = 3;
+}
+
+// DialOptions holds ALPN dial options for dialing apps.
+message DialOptions {
+  // web_proxy_addr is the address to dial.
+  string web_proxy_addr = 1;
+  // alpn_conn_upgrade_required specifies if ALPN connection upgrade is required.
+  bool alpn_conn_upgrade_required = 2;
+  // sni is a ServerName value set for upstream TLS connection.
+  string sni = 3;
+  // insecure_skip_verify turns off verification for x509 upstream ALPN proxy service certificate.
+  bool insecure_skip_verify = 4;
+  // root_cluster_ca_cert_pool overrides the x509 certificate pool used to verify the server.
+  bytes root_cluster_ca_cert_pool = 5;
+}
+
+// ReissueAppCertRequest is a request for ReissueAppCert.
+message ReissueAppCertRequest {
+  // app_info contains info about the app, every ReissueAppCertRequest must
+  // include an app_info as returned from ResolveAppInfo.
+  AppInfo app_info = 1;
+  // target_port is the TCP port to issue the cert for.
+  uint32 target_port = 2;
+}
+
+// ReissueAppCertResponse is a response for ReissueAppCert.
+message ReissueAppCertResponse {
+  // cert is the issued app certificate in x509 DER format.
+  bytes cert = 1;
+}
+
+// SignForAppRequest is a request to sign data with a private key that the
+// server has cached for the (app_key, target_port) pair. The (app_key,
+// target_port) pair here must match a previous successful call to
+// ReissueAppCert. The private key used for the signature will match the subject
+// public key of the issued x509 certificate.
+message SignForAppRequest {
+  // app_key uniquely identifies a TCP app, it must match the key of an app from
+  // a previous successful call to ReissueAppCert.
+  AppKey app_key = 1;
+  // target_port identifies the TCP port of the app, it must match the
+  // target_port of a previous successful call to ReissueAppCert for an app
+  // matching AppKey.
+  uint32 target_port = 2;
+  // digest is the bytes to sign.
+  bytes digest = 3;
+  // hash is the hash function used to compute digest.
+  Hash hash = 4;
+}
+
+// Hash specifies a cryptographic hash function.
+enum Hash {
+  HASH_UNSPECIFIED = 0;
+  // HASH_NONE is used for Ed25519 signatures, which do no pre-hash.
+  // Currently app access always uses ECDSA or RSA signatures, except for some
+  // tests that use Ed25519. This is unlikely to be used in product code unless
+  // and until that changes.
+  HASH_NONE = 1;
+  // HASH_SHA256 is used with ECDSA P-256 and RSA 2048 signatures.
+  HASH_SHA256 = 2;
+}
+
+// SignForAppResponse is a response for SignForApp.
+message SignForAppResponse {
+  // signature is the signature.
+  bytes signature = 1;
+}
+
+// OnNewConnectionRequest is a request for OnNewConnection.
+message OnNewConnectionRequest {
+  // app_key identifies the app the connection is being made for.
+  AppKey app_key = 1;
+}
+
+// OnNewConnectionRequest is a response for OnNewConnection.
+message OnNewConnectionResponse {}
+
+// OnInvalidLocalPortRequest is a request for OnInvalidLocalPort.
+message OnInvalidLocalPortRequest {
+  // app_info identifies the app the request was made for. AppInfo is used
+  // instaed of AppKey so that the application spec is included, which includes
+  // the TCP port ranges allowed for the app, which are ultimately included in
+  // the user error message.
+  AppInfo app_info = 1;
+  // target_port is the invalid port the request was made for.
+  uint32 target_port = 2;
+}
+
+// OnInvalidLocalPortResponse is a response for OnInvalidLocalPort.
+message OnInvalidLocalPortResponse {}
diff --git a/tool/tctl/common/auth_command.go b/tool/tctl/common/auth_command.go
index 300b0d61be55b..36ba3048471f0 100644
--- a/tool/tctl/common/auth_command.go
+++ b/tool/tctl/common/auth_command.go
@@ -232,25 +232,38 @@ var allowedCRLCertificateTypes = []string{
 	string(types.UserCA),
 }
 
+func (a *AuthCommand) exportAuthorities(ctx context.Context, clt authCommandClient) ([]*client.ExportedAuthority, error) {
+	switch {
+	case client.IsIntegrationAuthorityType(a.authType):
+		if a.exportPrivateKeys {
+			return nil, trace.BadParameter("exporting private keys is not supported for integration authorities")
+		}
+		return client.ExportIntegrationAuthorities(ctx, clt, client.ExportIntegrationAuthoritiesRequest{
+			AuthType:         a.authType,
+			MatchFingerprint: a.exportAuthorityFingerprint,
+			Integration:      a.integration,
+		})
+
+	case a.exportPrivateKeys:
+		return client.ExportAllAuthoritiesSecrets(ctx, clt, client.ExportAuthoritiesRequest{
+			AuthType:                   a.authType,
+			ExportAuthorityFingerprint: a.exportAuthorityFingerprint,
+			UseCompatVersion:           a.compatVersion == "1.0",
+		})
+	default:
+		return client.ExportAllAuthorities(ctx, clt, client.ExportAuthoritiesRequest{
+			AuthType:                   a.authType,
+			ExportAuthorityFingerprint: a.exportAuthorityFingerprint,
+			UseCompatVersion:           a.compatVersion == "1.0",
+		})
+	}
+}
+
 // ExportAuthorities outputs the list of authorities in OpenSSH compatible formats
 // If --type flag is given, only prints keys for CAs of this type, otherwise
 // prints all keys
 func (a *AuthCommand) ExportAuthorities(ctx context.Context, clt authCommandClient) error {
-	exportFunc := client.ExportAllAuthorities
-	if a.exportPrivateKeys {
-		exportFunc = client.ExportAllAuthoritiesSecrets
-	}
-
-	authorities, err := exportFunc(
-		ctx,
-		clt,
-		client.ExportAuthoritiesRequest{
-			AuthType:                   a.authType,
-			ExportAuthorityFingerprint: a.exportAuthorityFingerprint,
-			UseCompatVersion:           a.compatVersion == "1.0",
-			Integration:                a.integration,
-		},
-	)
+	authorities, err := a.exportAuthorities(ctx, clt)
 	if err != nil {
 		return trace.Wrap(err)
 	}
diff --git a/tool/tctl/common/helpers_test.go b/tool/tctl/common/helpers_test.go
index b235a40e8b5e2..c99fc932b26d2 100644
--- a/tool/tctl/common/helpers_test.go
+++ b/tool/tctl/common/helpers_test.go
@@ -216,7 +216,7 @@ func mustWriteIdentityFile(t *testing.T, client *authclient.Client, username str
 type testServerOptions struct {
 	fileConfig      *config.FileConfig
 	fileDescriptors []*servicecfg.FileDescriptor
-	fakeClock       clockwork.FakeClock
+	fakeClock       *clockwork.FakeClock
 }
 
 type testServerOptionFunc func(options *testServerOptions)
@@ -233,7 +233,7 @@ func withFileDescriptors(fds []*servicecfg.FileDescriptor) testServerOptionFunc
 	}
 }
 
-func withFakeClock(fakeClock clockwork.FakeClock) testServerOptionFunc {
+func withFakeClock(fakeClock *clockwork.FakeClock) testServerOptionFunc {
 	return func(options *testServerOptions) {
 		options.fakeClock = fakeClock
 	}
diff --git a/tool/tsh/common/app.go b/tool/tsh/common/app.go
index e01935cb05212..4d270c8fa2166 100644
--- a/tool/tsh/common/app.go
+++ b/tool/tsh/common/app.go
@@ -99,7 +99,7 @@ func onAppLogin(cf *CLIConf) error {
 		AccessRequests: appInfo.profile.ActiveRequests.AccessRequests,
 	}
 
-	key, err := appLogin(cf.Context, tc, clusterClient, rootClient, appCertParams)
+	key, err := appLogin(cf.Context, clusterClient, rootClient, appCertParams)
 	if err != nil {
 		return trace.Wrap(err)
 	}
@@ -117,7 +117,6 @@ func onAppLogin(cf *CLIConf) error {
 
 func appLogin(
 	ctx context.Context,
-	tc *client.TeleportClient,
 	clusterClient *client.ClusterClient,
 	rootClient authclient.ClientI,
 	appCertParams client.ReissueParams,
diff --git a/tool/tsh/common/vnet.go b/tool/tsh/common/vnet.go
index d85f3536f94e5..9bd0c3e3ba287 100644
--- a/tool/tsh/common/vnet.go
+++ b/tool/tsh/common/vnet.go
@@ -47,11 +47,13 @@ func newVnetCommand(app *kingpin.Application) *vnetCommand {
 }
 
 func (c *vnetCommand) run(cf *CLIConf) error {
-	appProvider, err := newVnetAppProvider(cf)
+	clientApp, err := newVnetClientApplication(cf)
 	if err != nil {
 		return trace.Wrap(err)
 	}
-	processManager, err := vnet.RunUserProcess(cf.Context, &vnet.UserProcessConfig{AppProvider: appProvider})
+	processManager, err := vnet.RunUserProcess(cf.Context, &vnet.UserProcessConfig{
+		ClientApplication: clientApp,
+	})
 	if err != nil {
 		return trace.Wrap(err)
 	}
diff --git a/tool/tsh/common/vnet_app_provider.go b/tool/tsh/common/vnet_client_application.go
similarity index 73%
rename from tool/tsh/common/vnet_app_provider.go
rename to tool/tsh/common/vnet_client_application.go
index 86b5fee21d9e9..5ad03083749a2 100644
--- a/tool/tsh/common/vnet_app_provider.go
+++ b/tool/tsh/common/vnet_client_application.go
@@ -19,7 +19,6 @@ package common
 import (
 	"context"
 	"crypto/tls"
-	"crypto/x509"
 	"fmt"
 	"log/slog"
 	"net"
@@ -29,27 +28,26 @@ import (
 	"github.com/gravitational/trace"
 
 	"github.com/gravitational/teleport/api/client/proto"
-	"github.com/gravitational/teleport/api/types"
+	vnetv1 "github.com/gravitational/teleport/gen/proto/go/teleport/lib/vnet/v1"
 	"github.com/gravitational/teleport/lib/client"
 	"github.com/gravitational/teleport/lib/client/clientcache"
 	"github.com/gravitational/teleport/lib/utils"
 	"github.com/gravitational/teleport/lib/vnet"
 )
 
-// vnetAppProvider implements [vnet.AppProvider] in order to provide the
-// necessary methods to log in to apps and get clients able to list apps in all
-// clusters in all current profiles.
-type vnetAppProvider struct {
+// vnetClientApplication implements [vnet.ClientApplication] in order to provide
+// the necessary methods to list and log in to apps.
+type vnetClientApplication struct {
 	cf          *CLIConf
 	clientStore *client.Store
 	clientCache *clientcache.Cache
 	loginMu     sync.Mutex
 }
 
-func newVnetAppProvider(cf *CLIConf) (*vnetAppProvider, error) {
+func newVnetClientApplication(cf *CLIConf) (*vnetClientApplication, error) {
 	clientStore := client.NewFSClientStore(cf.HomePath)
 
-	p := &vnetAppProvider{
+	p := &vnetClientApplication{
 		cf:          cf,
 		clientStore: clientStore,
 	}
@@ -68,13 +66,13 @@ func newVnetAppProvider(cf *CLIConf) (*vnetAppProvider, error) {
 }
 
 // ListProfiles lists the names of all profiles saved for the user.
-func (p *vnetAppProvider) ListProfiles() ([]string, error) {
+func (p *vnetClientApplication) ListProfiles() ([]string, error) {
 	return p.clientStore.ListProfiles()
 }
 
 // GetCachedClient returns a cached [*client.ClusterClient] for the given profile and leaf cluster.
 // [leafClusterName] may be empty when requesting a client for the root cluster.
-func (p *vnetAppProvider) GetCachedClient(ctx context.Context, profileName, leafClusterName string) (vnet.ClusterClient, error) {
+func (p *vnetClientApplication) GetCachedClient(ctx context.Context, profileName, leafClusterName string) (vnet.ClusterClient, error) {
 	return p.clientCache.Get(ctx, profileName, leafClusterName)
 }
 
@@ -83,34 +81,36 @@ func (p *vnetAppProvider) GetCachedClient(ctx context.Context, profileName, leaf
 // was shorter than the cluster cert lifetime, or if the user has already re-logged in to the cluster.
 // If a cluster relogin is completed, the cluster client cache will be cleared for the root cluster and all
 // leaf clusters of that root.
-func (p *vnetAppProvider) ReissueAppCert(ctx context.Context, profileName, leafClusterName string, routeToApp proto.RouteToApp) (tls.Certificate, error) {
-	tc, err := p.newTeleportClient(ctx, profileName, leafClusterName)
+func (p *vnetClientApplication) ReissueAppCert(ctx context.Context, appInfo *vnetv1.AppInfo, targetPort uint16) (tls.Certificate, error) {
+	appKey := appInfo.GetAppKey()
+	tc, err := p.newTeleportClient(ctx, appKey.GetProfile(), appKey.GetLeafCluster())
 	if err != nil {
 		return tls.Certificate{}, trace.Wrap(err)
 	}
+	routeToApp := vnet.RouteToApp(appInfo, targetPort)
 
 	var cert tls.Certificate
 	err = p.retryWithRelogin(ctx, tc, func() error {
 		var err error
-		cert, err = p.reissueAppCert(ctx, tc, profileName, leafClusterName, routeToApp)
+		cert, err = p.reissueAppCert(ctx, tc, appKey.GetProfile(), appKey.GetLeafCluster(), routeToApp)
 		return trace.Wrap(err, "reissuing app cert")
 	})
 	return cert, trace.Wrap(err)
 }
 
 // GetDialOptions returns ALPN dial options for the profile.
-func (p *vnetAppProvider) GetDialOptions(ctx context.Context, profileName string) (*vnet.DialOptions, error) {
+func (p *vnetClientApplication) GetDialOptions(ctx context.Context, profileName string) (*vnetv1.DialOptions, error) {
 	profile, err := p.clientStore.GetProfile(profileName)
 	if err != nil {
 		return nil, trace.Wrap(err, "loading user profile")
 	}
-	dialOpts := &vnet.DialOptions{
+	dialOpts := &vnetv1.DialOptions{
 		WebProxyAddr:            profile.WebProxyAddr,
-		ALPNConnUpgradeRequired: profile.TLSRoutingConnUpgradeRequired,
+		AlpnConnUpgradeRequired: profile.TLSRoutingConnUpgradeRequired,
 		InsecureSkipVerify:      p.cf.InsecureSkipVerify,
 	}
-	if dialOpts.ALPNConnUpgradeRequired {
-		dialOpts.RootClusterCACertPool, err = p.getRootClusterCACertPool(ctx, profileName)
+	if dialOpts.AlpnConnUpgradeRequired {
+		dialOpts.RootClusterCaCertPool, err = p.getRootClusterCACertPoolPEM(ctx, profileName)
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}
@@ -120,16 +120,17 @@ func (p *vnetAppProvider) GetDialOptions(ctx context.Context, profileName string
 
 // OnNewConnection gets called before each VNet connection. It's a noop as tsh doesn't need to do
 // anything extra here.
-func (p *vnetAppProvider) OnNewConnection(ctx context.Context, profileName, leafClusterName string, routeToApp proto.RouteToApp) error {
+func (p *vnetClientApplication) OnNewConnection(_ context.Context, _ *vnetv1.AppKey) error {
 	return nil
 }
 
 // OnInvalidLocalPort gets called before VNet refuses to handle a connection to a multi-port TCP app
 // because the provided port does not match any of the TCP ports in the app spec.
-func (p *vnetAppProvider) OnInvalidLocalPort(ctx context.Context, profileName, leafClusterName string, routeToApp proto.RouteToApp, tcpPorts types.PortRanges) {
+func (p *vnetClientApplication) OnInvalidLocalPort(ctx context.Context, appInfo *vnetv1.AppInfo, targetPort uint16) {
 	msg := fmt.Sprintf("%s: Connection refused, port not included in target ports of app %q.",
-		net.JoinHostPort(routeToApp.PublicAddr, strconv.Itoa(int(routeToApp.TargetPort))), routeToApp.Name)
+		net.JoinHostPort(appInfo.GetApp().GetPublicAddr(), strconv.Itoa(int(targetPort))), appInfo.GetAppKey().GetName())
 
+	tcpPorts := appInfo.GetApp().GetTCPPorts()
 	if len(tcpPorts) <= 10 {
 		msg = fmt.Sprintf("%s Valid ports: %s.", msg, tcpPorts)
 	}
@@ -138,19 +139,19 @@ func (p *vnetAppProvider) OnInvalidLocalPort(ctx context.Context, profileName, l
 }
 
 // getRootClusterCACertPool returns a certificate pool for the root cluster of the given profile.
-func (p *vnetAppProvider) getRootClusterCACertPool(ctx context.Context, profileName string) (*x509.CertPool, error) {
+func (p *vnetClientApplication) getRootClusterCACertPoolPEM(ctx context.Context, profileName string) ([]byte, error) {
 	tc, err := p.newTeleportClient(ctx, profileName, "")
 	if err != nil {
 		return nil, trace.Wrap(err, "creating new client")
 	}
-	certPool, err := tc.RootClusterCACertPool(ctx)
+	certPool, err := tc.RootClusterCACertPoolPEM(ctx)
 	if err != nil {
 		return nil, trace.Wrap(err, "loading root cluster CA cert pool")
 	}
 	return certPool, nil
 }
 
-func (p *vnetAppProvider) retryWithRelogin(ctx context.Context, tc *client.TeleportClient, fn func() error, opts ...client.RetryWithReloginOption) error {
+func (p *vnetClientApplication) retryWithRelogin(ctx context.Context, tc *client.TeleportClient, fn func() error, opts ...client.RetryWithReloginOption) error {
 	profileName, err := utils.Host(tc.WebProxyAddr)
 	if err != nil {
 		return trace.Wrap(err)
@@ -186,7 +187,7 @@ func (p *vnetAppProvider) retryWithRelogin(ctx context.Context, tc *client.Telep
 	return client.RetryWithRelogin(ctx, tc, fn, opts...)
 }
 
-func (p *vnetAppProvider) reissueAppCert(ctx context.Context, tc *client.TeleportClient, profileName, leafClusterName string, routeToApp proto.RouteToApp) (tls.Certificate, error) {
+func (p *vnetClientApplication) reissueAppCert(ctx context.Context, tc *client.TeleportClient, profileName, leafClusterName string, routeToApp *proto.RouteToApp) (tls.Certificate, error) {
 	slog.InfoContext(ctx, "Reissuing cert for app.", "app_name", routeToApp.Name, "profile", profileName, "leaf_cluster", leafClusterName)
 
 	profile, err := tc.ProfileStatus()
@@ -195,11 +196,10 @@ func (p *vnetAppProvider) reissueAppCert(ctx context.Context, tc *client.Telepor
 	}
 
 	appCertParams := client.ReissueParams{
-		RouteToCluster: tc.SiteName,
-		RouteToApp:     routeToApp,
+		RouteToCluster: leafClusterName,
+		RouteToApp:     *routeToApp,
 		AccessRequests: profile.ActiveRequests.AccessRequests,
 		RequesterName:  proto.UserCertsRequest_TSH_APP_LOCAL_PROXY,
-		TTL:            tc.KeyTTL,
 	}
 
 	// leafClusterName cannot be replaced with routeToApp.ClusterName here. That's because when
@@ -214,7 +214,7 @@ func (p *vnetAppProvider) reissueAppCert(ctx context.Context, tc *client.Telepor
 		return tls.Certificate{}, trace.Wrap(err, "getting cached root client")
 	}
 
-	keyRing, err := appLogin(ctx, tc, clusterClient, rootClient.AuthClient, appCertParams)
+	keyRing, err := appLogin(ctx, clusterClient, rootClient.AuthClient, appCertParams)
 	if err != nil {
 		return tls.Certificate{}, trace.Wrap(err, "logging in to app")
 	}
@@ -227,7 +227,7 @@ func (p *vnetAppProvider) reissueAppCert(ctx context.Context, tc *client.Telepor
 	return cert, nil
 }
 
-func (p *vnetAppProvider) newTeleportClient(ctx context.Context, profileName, leafClusterName string) (*client.TeleportClient, error) {
+func (p *vnetClientApplication) newTeleportClient(ctx context.Context, profileName, leafClusterName string) (*client.TeleportClient, error) {
 	cfg := &client.Config{
 		ClientStore: p.clientStore,
 	}
diff --git a/tool/tsh/common/vnet_other.go b/tool/tsh/common/vnet_other.go
index d6ed0d03280c7..5ce492f4f14b6 100644
--- a/tool/tsh/common/vnet_other.go
+++ b/tool/tsh/common/vnet_other.go
@@ -24,7 +24,7 @@ import (
 )
 
 // Satisfy unused linter.
-var _ = newVnetAppProvider
+var _ = newVnetClientApplication
 
 func newPlatformVnetAdminSetupCommand(app *kingpin.Application) vnetCLICommand {
 	return vnetCommandNotSupported{}
diff --git a/web/packages/shared/components/FieldInput/FieldInput.tsx b/web/packages/shared/components/FieldInput/FieldInput.tsx
index 2f3a3eb012550..146db2849cdce 100644
--- a/web/packages/shared/components/FieldInput/FieldInput.tsx
+++ b/web/packages/shared/components/FieldInput/FieldInput.tsx
@@ -57,6 +57,7 @@ const FieldInput = forwardRef<HTMLInputElement, FieldInputProps>(
       spellCheck,
       readonly = false,
       toolTipContent = null,
+      tooltipSticky = false,
       disabled = false,
       markAsError = false,
       required = false,
@@ -114,7 +115,10 @@ const FieldInput = forwardRef<HTMLInputElement, FieldInputProps>(
                   >
                     {label}
                   </span>
-                  <IconTooltip children={toolTipContent} />
+                  <IconTooltip
+                    sticky={tooltipSticky}
+                    children={toolTipContent}
+                  />
                 </>
               ) : (
                 <>{label}</>
@@ -242,6 +246,7 @@ export type FieldInputProps = BoxProps & {
   min?: number;
   max?: number;
   toolTipContent?: React.ReactNode;
+  tooltipSticky?: boolean;
   disabled?: boolean;
   // markAsError is a flag to highlight an
   // input box as error color before validator
diff --git a/web/packages/teleport/src/Account/ChangePasswordWizard/ChangePasswordWizard.tsx b/web/packages/teleport/src/Account/ChangePasswordWizard/ChangePasswordWizard.tsx
index 738b88890b2dd..ce1bfdfb4b5f9 100644
--- a/web/packages/teleport/src/Account/ChangePasswordWizard/ChangePasswordWizard.tsx
+++ b/web/packages/teleport/src/Account/ChangePasswordWizard/ChangePasswordWizard.tsx
@@ -64,7 +64,7 @@ export function ChangePasswordWizard({
   const reauthState = useReAuthenticate({
     challengeScope: MfaChallengeScope.CHANGE_PASSWORD,
     onMfaResponse: async mfaResponse =>
-      setWebauthnResponse(mfaResponse?.webauthn_response),
+      setWebauthnResponse(mfaResponse.webauthn_response),
   });
 
   const [reauthMethod, setReauthMethod] = useState<ReauthenticationMethod>();
diff --git a/web/packages/teleport/src/components/LabelsInput/LabelsInput.story.tsx b/web/packages/teleport/src/components/LabelsInput/LabelsInput.story.tsx
index 0fdbbfcb3cd05..d1cfa0853d8dd 100644
--- a/web/packages/teleport/src/components/LabelsInput/LabelsInput.story.tsx
+++ b/web/packages/teleport/src/components/LabelsInput/LabelsInput.story.tsx
@@ -60,6 +60,8 @@ export const Custom = () => {
       <LabelsInput
         labels={labels}
         setLabels={setLables}
+        legend="List of Labels"
+        tooltipContent="List of labels, 'nuff said"
         labelKey={{
           fieldName: 'Custom Key Name',
           placeholder: 'custom key placeholder',
diff --git a/web/packages/teleport/src/components/LabelsInput/LabelsInput.tsx b/web/packages/teleport/src/components/LabelsInput/LabelsInput.tsx
index 6c58424c0d905..9991a7d374100 100644
--- a/web/packages/teleport/src/components/LabelsInput/LabelsInput.tsx
+++ b/web/packages/teleport/src/components/LabelsInput/LabelsInput.tsx
@@ -18,9 +18,10 @@
 
 import styled from 'styled-components';
 
-import { Box, ButtonIcon, ButtonSecondary, Flex } from 'design';
+import { Box, ButtonIcon, ButtonSecondary, Flex, Text } from 'design';
 import * as Icons from 'design/Icon';
 import { inputGeometry } from 'design/Input/Input';
+import { IconTooltip } from 'design/Tooltip';
 import FieldInput from 'shared/components/FieldInput';
 import {
   useRule,
@@ -63,6 +64,8 @@ type LabelValidationResult = {
 export type LabelsRule = Rule<Label[], LabelListValidationResult>;
 
 export function LabelsInput({
+  legend,
+  tooltipContent,
   labels = [],
   setLabels,
   disableBtns = false,
@@ -74,6 +77,8 @@ export function LabelsInput({
   inputWidth = 200,
   rule = defaultRule,
 }: {
+  legend?: string;
+  tooltipContent?: string;
   labels: Label[];
   setLabels(l: Label[]): void;
   disableBtns?: boolean;
@@ -141,23 +146,46 @@ export function LabelsInput({
   const width = `${inputWidth}px`;
   const inputSize = 'medium';
   return (
-    <>
-      {labels.length > 0 && (
-        <Flex mt={2}>
-          <Box width={width} mr="3">
-            {labelKey.fieldName} <SmallText>(required field)</SmallText>
-          </Box>
-          <Box>
-            {labelVal.fieldName} <SmallText>(required field)</SmallText>
-          </Box>
-        </Flex>
-      )}
-      <Box>
+    <Fieldset gap={labels.length > 0 ? 2 : 1}>
+      <Stack gap={1}>
+        {legend && (
+          <Legend>
+            {tooltipContent ? (
+              <>
+                <span
+                  css={{
+                    marginRight: '4px',
+                    verticalAlign: 'middle',
+                  }}
+                >
+                  {legend}
+                </span>
+                <IconTooltip children={tooltipContent} />
+              </>
+            ) : (
+              legend
+            )}
+          </Legend>
+        )}
+        {labels.length > 0 && (
+          <Flex>
+            <Box width={width} mr="3">
+              <Text typography="body3">
+                {labelKey.fieldName} (required field)
+              </Text>
+            </Box>
+            <Text typography="body3">
+              {labelVal.fieldName} (required field)
+            </Text>
+          </Flex>
+        )}
+      </Stack>
+      <Stack gap={2}>
         {labels.map((label, index) => {
           const validationItem: LabelValidationResult | undefined =
             validationResult.results?.[index];
           return (
-            <Box mb={2} key={index}>
+            <Box key={index}>
               <Flex alignItems="start">
                 <FieldInput
                   size={inputSize}
@@ -217,7 +245,7 @@ export function LabelsInput({
             </Box>
           );
         })}
-      </Box>
+      </Stack>
       <ButtonSecondary
         onClick={e => {
           e.preventDefault();
@@ -229,17 +257,12 @@ export function LabelsInput({
         <Icons.Add className="icon-add" disabled={disableBtns} size="small" />
         {labels.length > 0 ? `Add another ${adjective}` : `Add a ${adjective}`}
       </ButtonSecondary>
-    </>
+    </Fieldset>
   );
 }
 
 const defaultRule = () => () => ({ valid: true });
 
-const SmallText = styled.span`
-  font-size: ${p => p.theme.fontSizes[1]}px;
-  font-weight: lighter;
-`;
-
 export const nonEmptyLabels: LabelsRule = labels => () => {
   const results = labels.map(label => ({
     name: requiredField('required')(label.name)(),
@@ -250,3 +273,22 @@ export const nonEmptyLabels: LabelsRule = labels => () => {
     results: results,
   };
 };
+
+const Stack = styled(Flex).attrs({
+  flexDirection: 'column',
+  alignItems: 'start',
+})``;
+
+const Fieldset = styled(Stack).attrs({
+  as: 'fieldset',
+})`
+  border: none;
+  margin: 0;
+  padding: 0;
+`;
+
+const Legend = styled.legend`
+  margin: 0;
+  padding: 0;
+  ${props => props.theme.typography.body3}
+`;
diff --git a/web/packages/teleport/src/lib/term/tty.ts b/web/packages/teleport/src/lib/term/tty.ts
index de5f79a4da624..55aa52823411e 100644
--- a/web/packages/teleport/src/lib/term/tty.ts
+++ b/web/packages/teleport/src/lib/term/tty.ts
@@ -80,7 +80,7 @@ class Tty extends EventEmitterMfaSender {
     this.socket.send(bytearray.buffer);
   }
 
-  sendChallengeResponse(resp: MfaChallengeResponse) {
+  sendChallengeResponse(data: MfaChallengeResponse) {
     // we want to have the backend listen on a single message type
     // for any responses. so our data will look like data.webauthn, data.sso, etc
     // but to be backward compatible, we need to still spread the existing webauthn only fields
@@ -88,8 +88,8 @@ class Tty extends EventEmitterMfaSender {
     // in 19, we can just pass "data" without this extra step
     // TODO (avatus): DELETE IN 19.0.0
     const backwardCompatibleData = {
-      ...resp?.webauthn_response,
-      ...resp,
+      ...data.webauthn_response,
+      ...data,
     };
     const encoded = this._proto.encodeChallengeResponse(
       JSON.stringify(backwardCompatibleData)
diff --git a/web/packages/teleport/src/services/api/api.test.ts b/web/packages/teleport/src/services/api/api.test.ts
index 2cf717cfda8f4..5616df264c662 100644
--- a/web/packages/teleport/src/services/api/api.test.ts
+++ b/web/packages/teleport/src/services/api/api.test.ts
@@ -16,6 +16,7 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+import { MfaChallengeResponse } from '../mfa';
 import api, {
   defaultRequestOptions,
   getAuthHeaders,
@@ -24,9 +25,18 @@ import api, {
 } from './api';
 
 describe('api.fetch', () => {
-  const mockedFetch = jest.spyOn(global, 'fetch').mockResolvedValue({} as any); // we don't care about response
+  let mockedFetch: jest.SpiedFunction<typeof fetch>;
+  beforeEach(() => {
+    mockedFetch = jest
+      .spyOn(global, 'fetch')
+      .mockResolvedValue({ json: async () => ({}), ok: true } as Response); // we don't care about response
+  });
+
+  afterEach(() => {
+    jest.resetAllMocks();
+  });
 
-  const mfaResp = {
+  const mfaResp: MfaChallengeResponse = {
     webauthn_response: {
       id: 'some-id',
       type: 'some-type',
@@ -43,7 +53,7 @@ describe('api.fetch', () => {
     },
   };
 
-  const customOpts = {
+  const customOpts: RequestInit = {
     method: 'POST',
     // Override the default header from `defaultRequestOptions`.
     headers: {
@@ -51,10 +61,6 @@ describe('api.fetch', () => {
     },
   };
 
-  afterEach(() => {
-    jest.resetAllMocks();
-  });
-
   test('default (no optional params provided)', async () => {
     await api.fetch('/something');
     expect(mockedFetch).toHaveBeenCalledTimes(1);
@@ -156,7 +162,7 @@ describe('api.fetch', () => {
   });
 });
 
-// The code below should guard us from changes to api.fetchJson which would cause it to lose type
+// The code below should guard us from changes to api.fetchJsonWithMfaAuthnRetry which would cause it to lose type
 // information, for example by returning `any`.
 
 const fooService = {
@@ -171,13 +177,13 @@ const makeFoo = (): { foo: string } => {
 
 // This is a bogus test to satisfy Jest. We don't even need to execute the code that's in the async
 // function, we're interested only in the type system checking the code.
-test('fetchJson does not return any', () => {
+test('fetchJsonWithMfaAuthnRetry does not return any', () => {
   const bogusFunction = async () => {
     const result = await fooService.doSomething();
     // Reading foo is correct. We add a bogus expect to satisfy Jest.
     JSON.stringify(result.foo);
 
-    // @ts-expect-error If there's no error here, it means that api.fetchJson returns any, which it
+    // @ts-expect-error If there's no error here, it means that api.fetchJsonWithMfaAuthnRetry returns any, which it
     // shouldn't.
     JSON.stringify(result.bar);
   };
diff --git a/web/packages/teleport/src/services/api/api.ts b/web/packages/teleport/src/services/api/api.ts
index f253c43635186..ac386c641f6a4 100644
--- a/web/packages/teleport/src/services/api/api.ts
+++ b/web/packages/teleport/src/services/api/api.ts
@@ -150,66 +150,31 @@ const api = {
     customOptions: RequestInit,
     mfaResponse?: MfaChallengeResponse
   ): Promise<any> {
-    const response = await api.fetch(url, customOptions, mfaResponse);
-
-    let json;
     try {
-      json = await response.json();
+      return await api.fetch(url, customOptions, mfaResponse);
     } catch (err) {
-      // error reading JSON
-      const message = response.ok
-        ? err.message
-        : `${response.status} - ${response.url}`;
-      throw new ApiError({ message, response, opts: { cause: err } });
-    }
-
-    if (response.ok) {
-      return json;
-    }
-
-    /** This error can occur in the edge case where a role in the user's certificate was deleted during their session. */
-    const isRoleNotFoundErr = isRoleNotFoundError(parseError(json));
-    if (isRoleNotFoundErr) {
-      websession.logoutWithoutSlo({
-        /* Don't remember location after login, since they may no longer have access to the page they were on. */
-        rememberLocation: false,
-        /* Show "access changed" notice on login page. */
-        withAccessChangedMessage: true,
-      });
-      return;
+      // Retry with MFA if we get an admin action MFA error.
+      if (!mfaResponse && isAdminActionRequiresMfaError(err)) {
+        mfaResponse = await api.getAdminActionMfaResponse();
+        return api.fetch(url, customOptions, mfaResponse);
+      } else {
+        throw err;
+      }
     }
+  },
 
-    // Retry with MFA if we get an admin action missing MFA error.
-    const isAdminActionMfaError = isAdminActionRequiresMfaError(
-      parseError(json)
-    );
-    const shouldRetry = isAdminActionMfaError && !mfaResponse;
-    if (!shouldRetry) {
-      throw new ApiError({
-        message: parseError(json),
-        response,
-        proxyVersion: parseProxyVersion(json),
-        messages: json.messages,
-      });
-    }
+  async getAdminActionMfaResponse() {
+    const challenge = await auth.getMfaChallenge({
+      scope: MfaChallengeScope.ADMIN_ACTION,
+    });
 
-    let mfaResponseForRetry;
-    try {
-      const challenge = await auth.getMfaChallenge({
-        scope: MfaChallengeScope.ADMIN_ACTION,
-      });
-      mfaResponseForRetry = await auth.getMfaChallengeResponse(challenge);
-    } catch {
+    if (!challenge) {
       throw new Error(
-        'Failed to fetch MFA challenge. Please connect a registered hardware key and try again. If you do not have a hardware key registered, you can add one from your account settings page.'
+        'This is an admin-level API request and requires MFA verification. Please try again with a registered MFA device. If you do not have an MFA device registered, you can add one in the account settings page.'
       );
     }
 
-    return api.fetchJsonWithMfaAuthnRetry(
-      url,
-      customOptions,
-      mfaResponseForRetry
-    );
+    return auth.getMfaChallengeResponse(challenge);
   },
 
   /**
@@ -254,7 +219,7 @@ const api = {
    * @param mfaResponse if defined (eg: `fetchJsonWithMfaAuthnRetry`)
    * will add a custom MFA header field that will hold the mfaResponse.
    */
-  fetch(
+  async fetch(
     url: string,
     customOptions: RequestInit = {},
     mfaResponse?: MfaChallengeResponse
@@ -280,7 +245,41 @@ const api = {
     }
 
     // native call
-    return fetch(url, options);
+    const response = await fetch(url, options);
+
+    let json;
+    try {
+      json = await response.json();
+    } catch (err) {
+      // error reading JSON
+      const message = response.ok
+        ? err.message
+        : `${response.status} - ${response.url}`;
+      throw new ApiError({ message, response, opts: { cause: err } });
+    }
+
+    if (response.ok) {
+      return json;
+    }
+
+    /** This error can occur in the edge case where a role in the user's certificate was deleted during their session. */
+    const isRoleNotFoundErr = isRoleNotFoundError(parseError(json));
+    if (isRoleNotFoundErr) {
+      websession.logoutWithoutSlo({
+        /* Don't remember location after login, since they may no longer have access to the page they were on. */
+        rememberLocation: false,
+        /* Show "access changed" notice on login page. */
+        withAccessChangedMessage: true,
+      });
+      return;
+    }
+
+    throw new ApiError({
+      message: parseError(json),
+      response,
+      proxyVersion: parseProxyVersion(json),
+      messages: json.messages,
+    });
   },
 };
 
@@ -326,8 +325,8 @@ export function getHostName() {
   return location.hostname + (location.port ? ':' + location.port : '');
 }
 
-function isAdminActionRequiresMfaError(errMessage) {
-  return errMessage.includes(
+function isAdminActionRequiresMfaError(err: Error) {
+  return err.message.includes(
     'admin-level API request requires MFA verification'
   );
 }
diff --git a/web/packages/teleport/src/services/auth/auth.ts b/web/packages/teleport/src/services/auth/auth.ts
index 100259d6dfc20..3e58e9f5f5f4b 100644
--- a/web/packages/teleport/src/services/auth/auth.ts
+++ b/web/packages/teleport/src/services/auth/auth.ts
@@ -238,7 +238,7 @@ const auth = {
       .then(res => {
         const request = {
           action: 'accept',
-          webauthnAssertionResponse: res?.webauthn_response,
+          webauthnAssertionResponse: res.webauthn_response,
         };
 
         return api.put(cfg.getHeadlessSsoPath(transactionId), request);
@@ -254,11 +254,11 @@ const auth = {
   },
 
   // getChallenge gets an MFA challenge for the provided parameters. If is_mfa_required_req
-  // is provided and it is found that MFA is not required, returns null instead.
+  // is provided and it is found that MFA is not required, returns undefined instead.
   async getMfaChallenge(
     req: CreateAuthenticateChallengeRequest,
     abortSignal?: AbortSignal
-  ) {
+  ): Promise<MfaAuthenticateChallenge | undefined> {
     return api
       .post(
         cfg.api.mfaAuthnChallengePath,
@@ -274,13 +274,14 @@ const auth = {
   },
 
   // getChallengeResponse gets an MFA challenge response for the provided parameters.
-  // If is_mfa_required_req is provided and it is found that MFA is not required, returns null instead.
+  // If challenge is undefined or has no viable challenge options, returns empty response.
   async getMfaChallengeResponse(
     challenge: MfaAuthenticateChallenge,
     mfaType?: DeviceType,
     totpCode?: string
-  ): Promise<MfaChallengeResponse | undefined> {
-    if (!challenge) return;
+  ): Promise<MfaChallengeResponse> {
+    // No challenge, return empty response.
+    if (!challenge) return {};
 
     // TODO(Joerger): If mfaType is not provided by a parent component, use some global context
     // to display a component, similar to the one used in useMfa. For now we just default to
@@ -310,7 +311,7 @@ const auth = {
     }
 
     // No viable challenge, return empty response.
-    return;
+    return {};
   },
 
   async getWebAuthnChallengeResponse(
@@ -439,7 +440,7 @@ const auth = {
     return auth
       .getMfaChallenge({ scope, allowReuse, isMfaRequiredRequest }, abortSignal)
       .then(challenge => auth.getMfaChallengeResponse(challenge, 'webauthn'))
-      .then(res => res?.webauthn_response);
+      .then(res => res.webauthn_response);
   },
 
   getMfaChallengeResponseForAdminAction(allowReuse?: boolean) {
diff --git a/web/packages/teleterm/build_resources/entitlements.mac.plist b/web/packages/teleterm/build_resources/entitlements.mac.plist
new file mode 100644
index 0000000000000..4928fa4048d55
--- /dev/null
+++ b/web/packages/teleterm/build_resources/entitlements.mac.plist
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <!-- https://github.com/electron/electron-notarize#prerequisites -->
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+  </dict>
+</plist>