Don't attempt to update PNI PQ prekeys for disabled devices

Update to the latest version of the spam filter
Remove several unused classes
2025-12-09 01:30:15 +00:00 · 2023-11-01 16:55:55 -07:00 · 2023-11-01 15:53:26 -05:00 · 2023-11-01 15:46:10 -05:00 · 2023-11-01 10:07:42 -05:00 · 2023-10-30 14:02:19 -05:00
851 changed files with 94514 additions and 30032 deletions
--- a/.editorconfig
+++ b/.editorconfig
@@ -158,7 +158,7 @@ ij_java_keep_indents_on_empty_lines = false
 ij_java_keep_line_breaks = true
 ij_java_keep_multiple_expressions_in_one_line = false
 ij_java_keep_simple_blocks_in_one_line = false
-ij_java_keep_simple_classes_in_one_line = false
+ij_java_keep_simple_classes_in_one_line = true
 ij_java_keep_simple_lambdas_in_one_line = false
 ij_java_keep_simple_methods_in_one_line = false
 ij_java_label_indent_absolute = false
@@ -1135,7 +1135,7 @@ ij_kotlin_field_annotation_wrap = split_into_lines
 ij_kotlin_finally_on_new_line = false
 ij_kotlin_if_rparen_on_new_line = false
 ij_kotlin_import_nested_classes = false
-ij_kotlin_imports_layout = *,java.**,javax.**,kotlin.**,^
+ij_kotlin_imports_layout = *
 ij_kotlin_insert_whitespaces_in_simple_one_line_method = true
 ij_kotlin_keep_blank_lines_before_right_brace = 2
 ij_kotlin_keep_blank_lines_in_code = 2
@@ -1151,9 +1151,9 @@ ij_kotlin_method_call_chain_wrap = off
 ij_kotlin_method_parameters_new_line_after_left_paren = false
 ij_kotlin_method_parameters_right_paren_on_new_line = false
 ij_kotlin_method_parameters_wrap = off
-ij_kotlin_name_count_to_use_star_import = 5
-ij_kotlin_name_count_to_use_star_import_for_members = 3
-ij_kotlin_packages_to_use_import_on_demand = java.util.*,kotlinx.android.synthetic.**,io.ktor.**
+ij_kotlin_name_count_to_use_star_import = 999
+ij_kotlin_name_count_to_use_star_import_for_members = 999
+ij_kotlin_packages_to_use_import_on_demand =
 ij_kotlin_parameter_annotation_wrap = off
 ij_kotlin_space_after_comma = true
 ij_kotlin_space_after_extend_colon = true
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -0,0 +1,33 @@
+name: Update Documentation
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  build:
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0
+        with:
+          distribution: 'temurin'
+          java-version: '17'
+          cache: 'maven'
+      - name: Compile and Build OpenAPI file
+        run: ./mvnw compile
+      - name: Update Documentation
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          cp -r api-doc/target/openapi/signal-server-openapi.yaml /tmp/
+          git config user.email "github@signal.org"
+          git config user.name "Documentation Updater"
+          git fetch origin gh-pages
+          git checkout gh-pages
+          cp /tmp/signal-server-openapi.yaml .
+          git diff --quiet || git commit -a -m "Updating documentation"
+          git push origin gh-pages -q
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -0,0 +1,30 @@
+name: Integration Tests
+
+on: [workflow_dispatch]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0
+        with:
+          distribution: 'temurin'
+          java-version: '17'
+          cache: 'maven'
+      - uses: aws-actions/configure-aws-credentials@v2
+        name: Configure AWS credentials from Test account
+        with:
+          role-to-assume: ${{ vars.AWS_ROLE }}
+          aws-region: ${{ vars.AWS_REGION }}
+      - name: Fetch integration utils library
+        run: |
+          mkdir -p integration-tests/.libs
+          mkdir -p integration-tests/src/main/resources
+          wget -O integration-tests/.libs/software.amazon.awssdk-sso.jar https://repo1.maven.org/maven2/software/amazon/awssdk/sso/2.19.8/sso-2.19.8.jar
+          aws s3 cp "s3://${{ vars.INTEGRATION_TESTS_BUCKET }}/config-latest.yml" integration-tests/src/main/resources/config.yml
+      - name: Run and verify integration tests
+        run: ./mvnw clean compile test-compile failsafe:integration-test failsafe:verify
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,18 +1,26 @@
 name: Service CI

-on: [push]
+on:
+  push:
+    branches-ignore:
+      - gh-pages

 jobs:
  build:
    runs-on: ubuntu-latest
+    container: ubuntu:22.04

    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
      - name: Set up JDK 17
-        uses: actions/setup-java@3bc31aaf88e8fc94dc1e632d48af61be5ca8721c
+        uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0
        with:
          distribution: 'temurin'
          java-version: 17
          cache: 'maven'
+        env:
+          # work around an issue with actions/runner setting an incorrect HOME in containers, which breaks maven caching
+          # https://github.com/actions/setup-java/issues/356
+          HOME: /root
      - name: Build with Maven
-        run: mvn -e -B verify
+        run: ./mvnw -e -B verify
--- a/.gitignore
+++ b/.gitignore
@@ -16,6 +16,7 @@ config/deploy.properties
 /service/config/testing.yml
 /service/config/deploy.properties
 /service/dependency-reduced-pom.xml
+.java-version
 .opsmanage
 put.sh
 deployer-staging.properties
@@ -25,4 +26,6 @@ deployer.log
 !/service/src/main/resources/org/signal/badges/Badges_en.properties
 /service/src/main/resources/org/signal/subscriptions/Subscriptions_*.properties
 !/service/src/main/resources/org/signal/subscriptions/Subscriptions_en.properties
-/.tx/config
+.project
+.classpath
+.settings
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,11 +1,11 @@
-# Note that the implementation of the abusive message filter is private; internal
+# Note that the implementation of the spam filter is private; internal
 # developers will need to override this URL with:
 #
 # ```
-# git config submodule.abusive-message-filter.url PRIVATE_URL
+# git config submodule.spam-filter.url PRIVATE_URL
 # ```
 #
 # External developers may safely ignore this submodule.
-[submodule "abusive-message-filter"]
-	path = abusive-message-filter
+[submodule "spam-filter"]
+	path = spam-filter
 	url = REDACTED
--- a/.mvn/extensions.xml
+++ b/.mvn/extensions.xml
@@ -4,6 +4,6 @@
  <extension>
    <groupId>fr.brouillard.oss</groupId>
    <artifactId>jgitver-maven-plugin</artifactId>
-    <version>1.7.1</version>
+    <version>1.9.0</version>
  </extension>
 </extensions>
--- a/.mvn/wrapper/maven-wrapper.jar
+++ b/.mvn/wrapper/maven-wrapper.jar
--- a/.mvn/wrapper/maven-wrapper.properties
+++ b/.mvn/wrapper/maven-wrapper.properties
@@ -5,14 +5,16 @@
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
-# 
+#
 #   https://www.apache.org/licenses/LICENSE-2.0
-# 
+#
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
-distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.8.5/apache-maven-3.8.5-bin.zip
-wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.4/apache-maven-3.9.4-bin.zip
+wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.2.0/maven-wrapper-3.2.0.jar
+distributionSha256Sum=e896b60329a71b719d77bb4388b251a50aebcd73c62f69d510c858ce360afe0f
+wrapperSha256Sum=e63a53cfb9c4d291ebe3c2b0edacb7622bbc480326beaa5a0456e412f52f066a
--- a/2
+++ b/2
@@ -296,7 +296,7 @@ commercial, industrial or non-consumer uses, unless such uses represent
 the only significant mode of use of the product.

  "Installation Information" for a User Product means any methods,
-procedures, authorization keys, or other information required to install
+procedures, authorization keysManager, or other information required to install
 and execute modified versions of a covered work in that User Product from
 a modified version of its Corresponding Source.  The information must
 suffice to ensure that the continued functioning of the modified object
--- a/README.md
+++ b/README.md
@@ -21,6 +21,6 @@ The form and manner of this distribution makes it eligible for export under the
 License
 ---------------------

-Copyright 2013-2022 Signal Messenger, LLC
+Copyright 2013-2023 Signal Messenger, LLC

 Licensed under the AGPLv3: https://www.gnu.org/licenses/agpl-3.0.html
--- a/1
+++ b/1
--- a/api-doc/pom.xml
+++ b/api-doc/pom.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <artifactId>TextSecureServer</artifactId>
+    <groupId>org.whispersystems.textsecure</groupId>
+    <version>JGITVER</version>
+  </parent>
+  <modelVersion>4.0.0</modelVersion>
+  <artifactId>api-doc</artifactId>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.whispersystems.textsecure</groupId>
+      <artifactId>service</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>io.swagger.core.v3</groupId>
+        <artifactId>swagger-maven-plugin</artifactId>
+        <version>${swagger.version}</version>
+        <configuration>
+          <outputFileName>signal-server-openapi</outputFileName>
+          <outputPath>${project.build.directory}/openapi</outputPath>
+          <outputFormat>YAML</outputFormat>
+          <configurationFilePath>${project.basedir}/src/main/resources/openapi/openapi-configuration.yaml
+          </configurationFilePath>
+        </configuration>
+        <executions>
+          <execution>
+            <phase>compile</phase>
+            <goals>
+              <goal>resolve</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <groupId>com.google.cloud.tools</groupId>
+        <artifactId>jib-maven-plugin</artifactId>
+        <configuration>
+          <!-- we don't want jib to execute on this module -->
+          <skip>true</skip>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+</project>
--- a/api-doc/src/main/java/org/signal/openapi/OpenApiExtension.java
+++ b/api-doc/src/main/java/org/signal/openapi/OpenApiExtension.java
@@ -0,0 +1,110 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.openapi;
+
+import com.fasterxml.jackson.annotation.JsonView;
+import com.fasterxml.jackson.databind.JavaType;
+import com.fasterxml.jackson.databind.type.SimpleType;
+import io.dropwizard.auth.Auth;
+import io.swagger.v3.jaxrs2.ResolvedParameter;
+import io.swagger.v3.jaxrs2.ext.AbstractOpenAPIExtension;
+import io.swagger.v3.jaxrs2.ext.OpenAPIExtension;
+import io.swagger.v3.oas.models.Components;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Optional;
+import java.util.ServiceLoader;
+import java.util.Set;
+import javax.ws.rs.Consumes;
+import org.whispersystems.textsecuregcm.auth.AuthenticatedAccount;
+import org.whispersystems.textsecuregcm.auth.DisabledPermittedAuthenticatedAccount;
+
+/**
+ * One of the extension mechanisms of Swagger Core library (OpenAPI processor) is via custom implementations
+ * of the {@link AbstractOpenAPIExtension} class.
+ * <p/>
+ * The purpose of this extension is to customize certain aspects of the OpenAPI model generation on a lower level.
+ * This extension works in coordination with {@link OpenApiReader} that has access to the model on a higher level.
+ * <p/>
+ * The extension is enabled by being listed in {@code META-INF/services/io.swagger.v3.jaxrs2.ext.OpenAPIExtension} file.
+ * @see ServiceLoader
+ * @see OpenApiReader
+ * @see <a href="https://github.com/swagger-api/swagger-core/wiki/Swagger-2.X---Extensions">Swagger 2.X Extensions</a>
+ */
+public class OpenApiExtension extends AbstractOpenAPIExtension {
+
+  public static final ResolvedParameter AUTHENTICATED_ACCOUNT = new ResolvedParameter();
+
+  public static final ResolvedParameter OPTIONAL_AUTHENTICATED_ACCOUNT = new ResolvedParameter();
+
+  public static final ResolvedParameter DISABLED_PERMITTED_AUTHENTICATED_ACCOUNT = new ResolvedParameter();
+
+  public static final ResolvedParameter OPTIONAL_DISABLED_PERMITTED_AUTHENTICATED_ACCOUNT = new ResolvedParameter();
+
+  /**
+   * When parsing endpoint methods, Swagger will treat the first parameter not annotated as header/path/query param
+   * as a request body (and will ignore other not annotated parameters). In our case, this behavior conflicts with
+   * the {@code @Auth}-annotated parameters. Here we're checking if parameters are known to be anything other than
+   * a body and return an appropriate {@link ResolvedParameter} representation.
+   */
+  @Override
+  public ResolvedParameter extractParameters(
+      final List<Annotation> annotations,
+      final Type type,
+      final Set<Type> typesToSkip,
+      final Components components,
+      final Consumes classConsumes,
+      final Consumes methodConsumes,
+      final boolean includeRequestBody,
+      final JsonView jsonViewAnnotation,
+      final Iterator<OpenAPIExtension> chain) {
+
+    if (annotations.stream().anyMatch(a -> a.annotationType().equals(Auth.class))) {
+      // this is the case of authenticated endpoint,
+      if (type instanceof SimpleType simpleType
+          && simpleType.getRawClass().equals(AuthenticatedAccount.class)) {
+        return AUTHENTICATED_ACCOUNT;
+      }
+      if (type instanceof SimpleType simpleType
+          && simpleType.getRawClass().equals(DisabledPermittedAuthenticatedAccount.class)) {
+        return DISABLED_PERMITTED_AUTHENTICATED_ACCOUNT;
+      }
+      if (type instanceof SimpleType simpleType
+          && isOptionalOfType(simpleType, AuthenticatedAccount.class)) {
+        return OPTIONAL_AUTHENTICATED_ACCOUNT;
+      }
+      if (type instanceof SimpleType simpleType
+          && isOptionalOfType(simpleType, DisabledPermittedAuthenticatedAccount.class)) {
+        return OPTIONAL_DISABLED_PERMITTED_AUTHENTICATED_ACCOUNT;
+      }
+    }
+
+    return super.extractParameters(
+        annotations,
+        type,
+        typesToSkip,
+        components,
+        classConsumes,
+        methodConsumes,
+        includeRequestBody,
+        jsonViewAnnotation,
+        chain);
+  }
+
+  private static boolean isOptionalOfType(final SimpleType simpleType, final Class<?> expectedType) {
+    if (!simpleType.getRawClass().equals(Optional.class)) {
+      return false;
+    }
+    final List<JavaType> typeParameters = simpleType.getBindings().getTypeParameters();
+    if (typeParameters.isEmpty()) {
+      return false;
+    }
+    return typeParameters.get(0) instanceof SimpleType optionalParameterType
+        && optionalParameterType.getRawClass().equals(expectedType);
+  }
+}
--- a/api-doc/src/main/java/org/signal/openapi/OpenApiReader.java
+++ b/api-doc/src/main/java/org/signal/openapi/OpenApiReader.java
@@ -0,0 +1,73 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.openapi;
+
+import static com.google.common.base.MoreObjects.firstNonNull;
+import static org.signal.openapi.OpenApiExtension.AUTHENTICATED_ACCOUNT;
+import static org.signal.openapi.OpenApiExtension.DISABLED_PERMITTED_AUTHENTICATED_ACCOUNT;
+import static org.signal.openapi.OpenApiExtension.OPTIONAL_AUTHENTICATED_ACCOUNT;
+import static org.signal.openapi.OpenApiExtension.OPTIONAL_DISABLED_PERMITTED_AUTHENTICATED_ACCOUNT;
+
+import com.fasterxml.jackson.annotation.JsonView;
+import com.google.common.collect.ImmutableList;
+import io.swagger.v3.jaxrs2.Reader;
+import io.swagger.v3.jaxrs2.ResolvedParameter;
+import io.swagger.v3.oas.models.Operation;
+import io.swagger.v3.oas.models.security.SecurityRequirement;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+import java.util.Collections;
+import java.util.List;
+import javax.ws.rs.Consumes;
+
+/**
+ * One of the extension mechanisms of Swagger Core library (OpenAPI processor) is via custom implementations
+ * of the {@link Reader} class.
+ * <p/>
+ * The purpose of this extension is to customize certain aspects of the OpenAPI model generation on a higher level.
+ * This extension works in coordination with {@link OpenApiExtension} that has access to the model on a lower level.
+ * <p/>
+ * The extension is enabled by being listed in {@code resources/openapi/openapi-configuration.yaml} file.
+ * @see OpenApiExtension
+ * @see <a href="https://github.com/swagger-api/swagger-core/wiki/Swagger-2.X---Extensions">Swagger 2.X Extensions</a>
+ */
+public class OpenApiReader extends Reader {
+
+  private static final String AUTHENTICATED_ACCOUNT_AUTH_SCHEMA = "authenticatedAccount";
+
+
+  /**
+   * Overriding this method allows converting a resolved parameter into other operation entities,
+   * in this case, into security requirements.
+   */
+  @Override
+  protected ResolvedParameter getParameters(
+      final Type type,
+      final List<Annotation> annotations,
+      final Operation operation,
+      final Consumes classConsumes,
+      final Consumes methodConsumes,
+      final JsonView jsonViewAnnotation) {
+    final ResolvedParameter resolved = super.getParameters(
+        type, annotations, operation, classConsumes, methodConsumes, jsonViewAnnotation);
+
+    if (resolved == AUTHENTICATED_ACCOUNT || resolved == DISABLED_PERMITTED_AUTHENTICATED_ACCOUNT) {
+      operation.setSecurity(ImmutableList.<SecurityRequirement>builder()
+          .addAll(firstNonNull(operation.getSecurity(), Collections.emptyList()))
+          .add(new SecurityRequirement().addList(AUTHENTICATED_ACCOUNT_AUTH_SCHEMA))
+          .build());
+    }
+    if (resolved == OPTIONAL_AUTHENTICATED_ACCOUNT || resolved == OPTIONAL_DISABLED_PERMITTED_AUTHENTICATED_ACCOUNT) {
+      operation.setSecurity(ImmutableList.<SecurityRequirement>builder()
+          .addAll(firstNonNull(operation.getSecurity(), Collections.emptyList()))
+          .add(new SecurityRequirement().addList(AUTHENTICATED_ACCOUNT_AUTH_SCHEMA))
+          .add(new SecurityRequirement())
+          .build());
+    }
+
+    return resolved;
+  }
+}
--- a/api-doc/src/main/resources/META-INF/services/io.swagger.v3.jaxrs2.ext.OpenAPIExtension
+++ b/api-doc/src/main/resources/META-INF/services/io.swagger.v3.jaxrs2.ext.OpenAPIExtension
@@ -0,0 +1 @@
+org.signal.openapi.OpenApiExtension
--- a/api-doc/src/main/resources/openapi/openapi-configuration.yaml
+++ b/api-doc/src/main/resources/openapi/openapi-configuration.yaml
@@ -0,0 +1,25 @@
+resourcePackages:
+  - org.whispersystems.textsecuregcm
+prettyPrint: true
+cacheTTL: 0
+readerClass: org.signal.openapi.OpenApiReader
+openAPI:
+  info:
+    title: Signal Server API
+    license:
+      name: AGPL-3.0-only
+      url: https://www.gnu.org/licenses/agpl-3.0.txt
+  servers:
+    - url: https://chat.signal.org
+      description: Production service
+    - url: https://chat.staging.signal.org
+      description: Staging service
+  components:
+    securitySchemes:
+      authenticatedAccount:
+        type: http
+        scheme: basic
+        description: |
+          Account authentication is based on Basic authentication schema, 
+          where `username` has a format of `<user_id>[.<device_id>]`. If `device_id` is not specified,
+          user's `main` device is assumed.
--- a/event-logger/pom.xml
+++ b/event-logger/pom.xml
@@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2022 Signal Messenger, LLC
+  ~ SPDX-License-Identifier: AGPL-3.0-only
+  -->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <artifactId>TextSecureServer</artifactId>
+    <groupId>org.whispersystems.textsecure</groupId>
+    <version>JGITVER</version>
+  </parent>
+
+  <modelVersion>4.0.0</modelVersion>
+  <artifactId>event-logger</artifactId>
+
+  <dependencies>
+    <dependency>
+      <groupId>com.google.cloud</groupId>
+      <artifactId>google-cloud-logging</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.jetbrains.kotlin</groupId>
+      <artifactId>kotlin-stdlib</artifactId>
+      <exclusions>
+        <exclusion>
+          <groupId>org.jetbrains</groupId>
+          <!--
+              depends on an outdated version (13.0) for JDK 6 compatibility, but it’s safe to override
+              https://youtrack.jetbrains.com/issue/KT-25047
+          -->
+          <artifactId>annotations</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+    <dependency>
+      <groupId>org.jetbrains.kotlinx</groupId>
+      <artifactId>kotlinx-serialization-json</artifactId>
+      <version>${kotlinx-serialization.version}</version>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <sourceDirectory>${project.basedir}/src/main/kotlin</sourceDirectory>
+    <testSourceDirectory>${project.basedir}/src/test/kotlin</testSourceDirectory>
+
+    <plugins>
+      <plugin>
+        <groupId>org.jetbrains.kotlin</groupId>
+        <artifactId>kotlin-maven-plugin</artifactId>
+        <version>${kotlin.version}</version>
+
+        <executions>
+          <execution>
+            <id>compile</id>
+            <goals>
+              <goal>compile</goal>
+            </goals>
+          </execution>
+
+          <execution>
+            <id>test-compile</id>
+            <goals>
+              <goal>test-compile</goal>
+            </goals>
+          </execution>
+        </executions>
+        <configuration>
+          <compilerPlugins>
+            <plugin>kotlinx-serialization</plugin>
+          </compilerPlugins>
+        </configuration>
+        <dependencies>
+          <dependency>
+            <groupId>org.jetbrains.kotlin</groupId>
+            <artifactId>kotlin-maven-serialization</artifactId>
+            <version>${kotlin.version}</version>
+          </dependency>
+        </dependencies>
+      </plugin>
+      <plugin>
+        <groupId>com.google.cloud.tools</groupId>
+        <artifactId>jib-maven-plugin</artifactId>
+        <configuration>
+          <!-- we don't want jib to execute on this module -->
+          <skip>true</skip>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+
+</project>
--- a/event-logger/src/main/kotlin/events.kt
+++ b/event-logger/src/main/kotlin/events.kt
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2022 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.event
+
+import java.util.Collections
+import kotlinx.serialization.Serializable
+import kotlinx.serialization.json.Json
+import kotlinx.serialization.modules.SerializersModule
+import kotlinx.serialization.modules.polymorphic
+import kotlinx.serialization.modules.subclass
+
+val module = SerializersModule {
+    polymorphic(Event::class) {
+        subclass(RemoteConfigSetEvent::class)
+        subclass(RemoteConfigDeleteEvent::class)
+    }
+}
+val jsonFormat = Json { serializersModule = module }
+
+sealed interface Event
+
+@Serializable
+data class RemoteConfigSetEvent(
+        val identity: String,
+        val name: String,
+        val percentage: Int,
+        val defaultValue: String? = null,
+        val value: String? = null,
+        val hashKey: String? = null,
+        val uuids: Collection<String> = Collections.emptyList(),
+) : Event
+
+@Serializable
+data class RemoteConfigDeleteEvent(
+        val identity: String,
+        val name: String,
+) : Event
--- a/event-logger/src/main/kotlin/loggers.kt
+++ b/event-logger/src/main/kotlin/loggers.kt
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2022 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.event
+
+import com.google.cloud.logging.LogEntry
+import com.google.cloud.logging.Logging
+import com.google.cloud.logging.MonitoredResourceUtil
+import com.google.cloud.logging.Payload.JsonPayload
+import com.google.cloud.logging.Severity
+import com.google.protobuf.Struct
+import com.google.protobuf.util.JsonFormat
+import kotlinx.serialization.encodeToString
+
+interface AdminEventLogger {
+    fun logEvent(event: Event, labels: Map<String, String>?)
+    fun logEvent(event: Event) = logEvent(event, null)
+}
+
+class NoOpAdminEventLogger : AdminEventLogger {
+    override fun logEvent(event: Event, labels: Map<String, String>?) {}
+}
+
+class GoogleCloudAdminEventLogger(private val logging: Logging, private val projectId: String, private val logName: String) : AdminEventLogger {
+    override fun logEvent(event: Event, labels: Map<String, String>?) {
+        val structBuilder = Struct.newBuilder()
+        JsonFormat.parser().merge(jsonFormat.encodeToString(event), structBuilder)
+        val struct = structBuilder.build()
+
+        val logEntryBuilder = LogEntry.newBuilder(JsonPayload.of(struct))
+                .setLogName(logName)
+                .setSeverity(Severity.NOTICE)
+                .setResource(MonitoredResourceUtil.getResource(projectId, "project"));
+        if (labels != null) {
+            logEntryBuilder.setLabels(labels);
+        }
+        logging.write(listOf(logEntryBuilder.build()))
+    }
+}
--- a/event-logger/src/test/kotlin/org/signal/event/GoogleCloudAdminEventLoggerTest.kt
+++ b/event-logger/src/test/kotlin/org/signal/event/GoogleCloudAdminEventLoggerTest.kt
@@ -0,0 +1,35 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.event
+
+import com.google.cloud.logging.Logging
+import com.google.cloud.logging.LoggingOptions
+import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.assertDoesNotThrow
+import org.mockito.Mockito.mock
+
+class GoogleCloudAdminEventLoggerTest {
+
+    @Test
+    fun logEvent() {
+        val logging = mock(Logging::class.java)
+        val logger = GoogleCloudAdminEventLogger(logging, "my-project", "test")
+
+        val event = RemoteConfigDeleteEvent("token", "test")
+        logger.logEvent(event)
+    }
+
+    @Test
+    fun testGetService() {
+        assertDoesNotThrow {
+            // This is a canary for version conflicts between the cloud logging library and protobuf-java
+            LoggingOptions.newBuilder()
+                    .setProjectId("test")
+                    .build()
+                    .getService()
+        }
+    }
+}
--- a/integration-tests/.gitignore
+++ b/integration-tests/.gitignore
@@ -0,0 +1,2 @@
+.libs
+src/main/resources/config.yml
--- a/integration-tests/pom.xml
+++ b/integration-tests/pom.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <artifactId>TextSecureServer</artifactId>
+    <groupId>org.whispersystems.textsecure</groupId>
+    <version>JGITVER</version>
+  </parent>
+  <modelVersion>4.0.0</modelVersion>
+  <artifactId>integration-tests</artifactId>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.whispersystems.textsecure</groupId>
+      <artifactId>service</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+
+    <dependency>
+      <groupId>software.amazon.awssdk</groupId>
+      <artifactId>dynamodb</artifactId>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <version>3.1.2</version>
+        <configuration>
+          <excludes>
+            <exclude>**</exclude>
+          </excludes>
+        </configuration>
+      </plugin>
+
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-failsafe-plugin</artifactId>
+        <version>3.1.2</version>
+        <configuration>
+          <additionalClasspathElements>
+            <additionalClasspathElement>${project.basedir}/.libs/software.amazon.awssdk-sso.jar</additionalClasspathElement>
+          </additionalClasspathElements>
+          <includes>
+            <include>**/*.java</include>
+          </includes>
+        </configuration>
+      </plugin>
+      <plugin>
+        <groupId>com.google.cloud.tools</groupId>
+        <artifactId>jib-maven-plugin</artifactId>
+        <configuration>
+          <!-- we don't want jib to execute on this module -->
+          <skip>true</skip>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+</project>
--- a/integration-tests/src/main/java/org/signal/integration/Codecs.java
+++ b/integration-tests/src/main/java/org/signal/integration/Codecs.java
@@ -0,0 +1,102 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.databind.JsonDeserializer;
+import com.fasterxml.jackson.databind.JsonSerializer;
+import com.fasterxml.jackson.databind.SerializerProvider;
+import java.io.IOException;
+import java.util.Base64;
+import org.signal.libsignal.protocol.IdentityKey;
+import org.signal.libsignal.protocol.ecc.Curve;
+import org.signal.libsignal.protocol.ecc.ECPublicKey;
+
+public final class Codecs {
+
+  private Codecs() {
+    // utility class
+  }
+
+  @FunctionalInterface
+  public interface CheckedFunction<T, R> {
+    R apply(T t) throws Exception;
+  }
+
+  public static class Base64BasedSerializer<T> extends JsonSerializer<T> {
+
+    private final CheckedFunction<T, byte[]> mapper;
+
+    public Base64BasedSerializer(final CheckedFunction<T, byte[]> mapper) {
+      this.mapper = mapper;
+    }
+
+    @Override
+    public void serialize(final T value, final JsonGenerator gen, final SerializerProvider serializers) throws IOException {
+      try {
+        gen.writeString(Base64.getEncoder().withoutPadding().encodeToString(mapper.apply(value)));
+      } catch (Exception e) {
+        throw new RuntimeException(e);
+      }
+    }
+  }
+
+  public static class Base64BasedDeserializer<T> extends JsonDeserializer<T> {
+
+    private final CheckedFunction<byte[], T> mapper;
+
+    public Base64BasedDeserializer(final CheckedFunction<byte[], T> mapper) {
+      this.mapper = mapper;
+    }
+
+    @Override
+    public T deserialize(final JsonParser p, final DeserializationContext ctxt) throws IOException {
+      try {
+        return mapper.apply(Base64.getDecoder().decode(p.getValueAsString()));
+      } catch (Exception e) {
+        throw new RuntimeException(e);
+      }
+    }
+  }
+
+  public static class ByteArraySerializer extends Base64BasedSerializer<byte[]> {
+    public ByteArraySerializer() {
+      super(bytes -> bytes);
+    }
+  }
+
+  public static class ByteArrayDeserializer extends Base64BasedDeserializer<byte[]> {
+    public ByteArrayDeserializer() {
+      super(bytes -> bytes);
+    }
+  }
+
+  public static class ECPublicKeySerializer extends Base64BasedSerializer<ECPublicKey> {
+    public ECPublicKeySerializer() {
+      super(ECPublicKey::serialize);
+    }
+  }
+
+  public static class ECPublicKeyDeserializer extends Base64BasedDeserializer<ECPublicKey> {
+    public ECPublicKeyDeserializer() {
+      super(bytes -> Curve.decodePoint(bytes, 0));
+    }
+  }
+
+  public static class IdentityKeySerializer extends Base64BasedSerializer<IdentityKey> {
+    public IdentityKeySerializer() {
+      super(IdentityKey::serialize);
+    }
+  }
+
+  public static class IdentityKeyDeserializer extends Base64BasedDeserializer<IdentityKey> {
+    public IdentityKeyDeserializer() {
+      super(bytes -> new IdentityKey(bytes, 0));
+    }
+  }
+}
--- a/integration-tests/src/main/java/org/signal/integration/IntegrationTools.java
+++ b/integration-tests/src/main/java/org/signal/integration/IntegrationTools.java
@@ -0,0 +1,69 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import java.time.Clock;
+import java.time.Duration;
+import java.util.Optional;
+import java.util.concurrent.CompletableFuture;
+import org.signal.integration.config.Config;
+import org.whispersystems.textsecuregcm.registration.VerificationSession;
+import org.whispersystems.textsecuregcm.storage.RegistrationRecoveryPasswords;
+import org.whispersystems.textsecuregcm.storage.RegistrationRecoveryPasswordsManager;
+import org.whispersystems.textsecuregcm.storage.VerificationSessionManager;
+import org.whispersystems.textsecuregcm.storage.VerificationSessions;
+import org.whispersystems.textsecuregcm.util.DynamoDbFromConfig;
+import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
+import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
+import software.amazon.awssdk.services.dynamodb.DynamoDbAsyncClient;
+import software.amazon.awssdk.services.dynamodb.DynamoDbClient;
+
+public class IntegrationTools {
+
+  private final RegistrationRecoveryPasswordsManager registrationRecoveryPasswordsManager;
+
+  private final VerificationSessionManager verificationSessionManager;
+
+
+  public static IntegrationTools create(final Config config) {
+    final AwsCredentialsProvider credentialsProvider = DefaultCredentialsProvider.builder().build();
+
+    final DynamoDbAsyncClient dynamoDbAsyncClient = DynamoDbFromConfig.asyncClient(
+        config.dynamoDbClientConfiguration(),
+        credentialsProvider);
+
+    final DynamoDbClient dynamoDbClient = DynamoDbFromConfig.client(
+        config.dynamoDbClientConfiguration(),
+        credentialsProvider);
+
+    final RegistrationRecoveryPasswords registrationRecoveryPasswords = new RegistrationRecoveryPasswords(
+        config.dynamoDbTables().registrationRecovery(), Duration.ofDays(1), dynamoDbClient, dynamoDbAsyncClient);
+
+    final VerificationSessions verificationSessions = new VerificationSessions(
+        dynamoDbAsyncClient, config.dynamoDbTables().verificationSessions(), Clock.systemUTC());
+
+    return new IntegrationTools(
+        new RegistrationRecoveryPasswordsManager(registrationRecoveryPasswords),
+        new VerificationSessionManager(verificationSessions)
+    );
+  }
+
+  private IntegrationTools(
+      final RegistrationRecoveryPasswordsManager registrationRecoveryPasswordsManager,
+      final VerificationSessionManager verificationSessionManager) {
+    this.registrationRecoveryPasswordsManager = registrationRecoveryPasswordsManager;
+    this.verificationSessionManager = verificationSessionManager;
+  }
+
+  public CompletableFuture<Void> populateRecoveryPassword(final String e164, final byte[] password) {
+    return registrationRecoveryPasswordsManager.storeForCurrentNumber(e164, password);
+  }
+
+  public CompletableFuture<Optional<String>> peekVerificationSessionPushChallenge(final String sessionId) {
+    return verificationSessionManager.findForId(sessionId)
+        .thenApply(maybeSession -> maybeSession.map(VerificationSession::pushChallenge));
+  }
+}
--- a/integration-tests/src/main/java/org/signal/integration/Operations.java
+++ b/integration-tests/src/main/java/org/signal/integration/Operations.java
@@ -0,0 +1,344 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import static java.util.Objects.requireNonNull;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.google.common.io.Resources;
+import com.google.common.net.HttpHeaders;
+import java.io.IOException;
+import java.lang.invoke.MethodHandles;
+import java.net.URI;
+import java.net.URL;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.nio.charset.StandardCharsets;
+import java.security.cert.CertificateException;
+import java.util.ArrayList;
+import java.util.Base64;
+import java.util.Collections;
+import java.util.List;
+import java.util.Optional;
+import java.util.concurrent.Executors;
+import org.apache.commons.lang3.RandomUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.Validate;
+import org.apache.commons.lang3.tuple.Pair;
+import org.signal.integration.config.Config;
+import org.signal.libsignal.protocol.IdentityKey;
+import org.signal.libsignal.protocol.ecc.Curve;
+import org.signal.libsignal.protocol.ecc.ECKeyPair;
+import org.signal.libsignal.protocol.ecc.ECPublicKey;
+import org.signal.libsignal.protocol.kem.KEMKeyPair;
+import org.signal.libsignal.protocol.kem.KEMKeyType;
+import org.signal.libsignal.protocol.kem.KEMPublicKey;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.whispersystems.textsecuregcm.configuration.CircuitBreakerConfiguration;
+import org.whispersystems.textsecuregcm.entities.AccountAttributes;
+import org.whispersystems.textsecuregcm.entities.AccountIdentityResponse;
+import org.whispersystems.textsecuregcm.entities.ECSignedPreKey;
+import org.whispersystems.textsecuregcm.entities.KEMSignedPreKey;
+import org.whispersystems.textsecuregcm.entities.RegistrationRequest;
+import org.whispersystems.textsecuregcm.http.FaultTolerantHttpClient;
+import org.whispersystems.textsecuregcm.storage.Device;
+import org.whispersystems.textsecuregcm.util.HeaderUtils;
+import org.whispersystems.textsecuregcm.util.SystemMapper;
+
+public final class Operations {
+
+  private static final Logger logger = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
+
+  private static final Config CONFIG = loadConfigFromClasspath("config.yml");
+
+  private static final IntegrationTools INTEGRATION_TOOLS = IntegrationTools.create(CONFIG);
+
+  private static final String USER_AGENT = "integration-test";
+
+  private static final FaultTolerantHttpClient CLIENT = buildClient();
+
+
+  private Operations() {
+    // utility class
+  }
+
+  public static TestUser newRegisteredUser(final String number) {
+    final byte[] registrationPassword = RandomUtils.nextBytes(32);
+    final String accountPassword = Base64.getEncoder().encodeToString(RandomUtils.nextBytes(32));
+
+    final TestUser user = TestUser.create(number, accountPassword, registrationPassword);
+    final AccountAttributes accountAttributes = user.accountAttributes();
+
+    INTEGRATION_TOOLS.populateRecoveryPassword(number, registrationPassword).join();
+
+    // register account
+    final RegistrationRequest registrationRequest = new RegistrationRequest(
+        null, registrationPassword, accountAttributes, true, false,
+        Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty());
+
+    final AccountIdentityResponse registrationResponse = apiPost("/v1/registration", registrationRequest)
+        .authorized(number, accountPassword)
+        .executeExpectSuccess(AccountIdentityResponse.class);
+
+    user.setAciUuid(registrationResponse.uuid());
+    user.setPniUuid(registrationResponse.pni());
+
+    // upload pre-key
+    final TestUser.PreKeySetPublicView preKeySetPublicView = user.preKeys(Device.PRIMARY_ID, false);
+    apiPut("/v2/keys", preKeySetPublicView)
+        .authorized(user, Device.PRIMARY_ID)
+        .executeExpectSuccess();
+
+    return user;
+  }
+
+  public static TestUser newRegisteredUserAtomic(final String number) {
+    final byte[] registrationPassword = RandomUtils.nextBytes(32);
+    final String accountPassword = Base64.getEncoder().encodeToString(RandomUtils.nextBytes(32));
+
+    final TestUser user = TestUser.create(number, accountPassword, registrationPassword);
+    final AccountAttributes accountAttributes = user.accountAttributes();
+
+    INTEGRATION_TOOLS.populateRecoveryPassword(number, registrationPassword).join();
+
+    final ECKeyPair aciIdentityKeyPair = Curve.generateKeyPair();
+    final ECKeyPair pniIdentityKeyPair = Curve.generateKeyPair();
+
+    // register account
+    final RegistrationRequest registrationRequest = new RegistrationRequest(null,
+        registrationPassword,
+        accountAttributes,
+        true,
+        true,
+        Optional.of(new IdentityKey(aciIdentityKeyPair.getPublicKey())),
+        Optional.of(new IdentityKey(pniIdentityKeyPair.getPublicKey())),
+        Optional.of(generateSignedECPreKey(1, aciIdentityKeyPair)),
+        Optional.of(generateSignedECPreKey(2, pniIdentityKeyPair)),
+        Optional.of(generateSignedKEMPreKey(3, aciIdentityKeyPair)),
+        Optional.of(generateSignedKEMPreKey(4, pniIdentityKeyPair)),
+        Optional.empty(),
+        Optional.empty());
+
+    final AccountIdentityResponse registrationResponse = apiPost("/v1/registration", registrationRequest)
+        .authorized(number, accountPassword)
+        .executeExpectSuccess(AccountIdentityResponse.class);
+
+    user.setAciUuid(registrationResponse.uuid());
+    user.setPniUuid(registrationResponse.pni());
+
+    return user;
+  }
+
+  public static void deleteUser(final TestUser user) {
+    apiDelete("/v1/accounts/me").authorized(user).executeExpectSuccess();
+  }
+
+  public static String peekVerificationSessionPushChallenge(final String sessionId) {
+    return INTEGRATION_TOOLS.peekVerificationSessionPushChallenge(sessionId).join()
+        .orElseThrow(() -> new RuntimeException("push challenge not found for the verification session"));
+  }
+
+  public static <T> T sendEmptyRequestAuthenticated(
+      final String endpoint,
+      final String method,
+      final String username,
+      final String password,
+      final Class<T> outputType) {
+    try {
+      final HttpRequest request = HttpRequest.newBuilder()
+          .uri(serverUri(endpoint, Collections.emptyList()))
+          .method(method, HttpRequest.BodyPublishers.noBody())
+          .header(HttpHeaders.AUTHORIZATION, HeaderUtils.basicAuthHeader(username, password))
+          .header(HttpHeaders.CONTENT_TYPE, "application/json")
+          .build();
+      return CLIENT.sendAsync(request, HttpResponse.BodyHandlers.ofString(StandardCharsets.UTF_8))
+          .whenComplete((response, error) -> {
+            if (error != null) {
+              logger.error("request error", error);
+              error.printStackTrace();
+            } else {
+              logger.info("response: {}", response.statusCode());
+              System.out.println("response: " + response.statusCode() + ", " + response.body());
+            }
+          })
+          .thenApply(response -> {
+            try {
+              return outputType.equals(Void.class)
+                  ? null
+                  : SystemMapper.jsonMapper().readValue(response.body(), outputType);
+            } catch (final IOException e) {
+              throw new RuntimeException(e);
+            }
+          })
+          .get();
+    } catch (final Exception e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  public static RequestBuilder apiGet(final String endpoint) {
+    return new RequestBuilder(HttpRequest.newBuilder().GET(), endpoint);
+  }
+
+  public static RequestBuilder apiDelete(final String endpoint) {
+    return new RequestBuilder(HttpRequest.newBuilder().DELETE(), endpoint);
+  }
+
+  public static <R> RequestBuilder apiPost(final String endpoint, final R input) {
+    return RequestBuilder.withJsonBody(endpoint, "POST", input);
+  }
+
+  public static <R> RequestBuilder apiPut(final String endpoint, final R input) {
+    return RequestBuilder.withJsonBody(endpoint, "PUT", input);
+  }
+
+  public static <R> RequestBuilder apiPatch(final String endpoint, final R input) {
+    return RequestBuilder.withJsonBody(endpoint, "PATCH", input);
+  }
+
+  private static URI serverUri(final String endpoint, final List<String> queryParams) {
+    final String query = queryParams.isEmpty()
+        ? StringUtils.EMPTY
+        : "?" + String.join("&", queryParams);
+    return URI.create("https://" + CONFIG.domain() + endpoint + query);
+  }
+
+  public static class RequestBuilder {
+
+    private final HttpRequest.Builder builder;
+
+    private final String endpoint;
+
+    private final List<String> queryParams = new ArrayList<>();
+
+
+    private RequestBuilder(final HttpRequest.Builder builder, final String endpoint) {
+      this.builder = builder;
+      this.endpoint = endpoint;
+    }
+
+    private static <R> RequestBuilder withJsonBody(final String endpoint, final String method, final R input) {
+      try {
+        final byte[] body = SystemMapper.jsonMapper().writeValueAsBytes(input);
+        return new RequestBuilder(HttpRequest.newBuilder()
+            .header(HttpHeaders.CONTENT_TYPE, "application/json")
+            .method(method, HttpRequest.BodyPublishers.ofByteArray(body)), endpoint);
+      } catch (final JsonProcessingException e) {
+        throw new RuntimeException(e);
+      }
+    }
+
+    public RequestBuilder authorized(final TestUser user) {
+      return authorized(user, Device.PRIMARY_ID);
+    }
+
+    public RequestBuilder authorized(final TestUser user, final long deviceId) {
+      final String username = "%s.%d".formatted(user.aciUuid().toString(), deviceId);
+      return authorized(username, user.accountPassword());
+    }
+
+    public RequestBuilder authorized(final String username, final String password) {
+      builder.header(HttpHeaders.AUTHORIZATION, HeaderUtils.basicAuthHeader(username, password));
+      return this;
+    }
+
+    public RequestBuilder queryParam(final String key, final String value) {
+      queryParams.add("%s=%s".formatted(key, value));
+      return this;
+    }
+
+    public RequestBuilder header(final String name, final String value) {
+      builder.header(name, value);
+      return this;
+    }
+
+    public Pair<Integer, Void> execute() {
+      return execute(Void.class);
+    }
+
+    public Pair<Integer, Void> executeExpectSuccess() {
+      final Pair<Integer, Void> execute = execute();
+      Validate.isTrue(
+          execute.getLeft() >= 200 && execute.getLeft() < 300,
+          "Unexpected response code: %d",
+          execute.getLeft());
+      return execute;
+    }
+
+    public <T> T executeExpectSuccess(final Class<T> expectedType) {
+      final Pair<Integer, T> execute = execute(expectedType);
+      return requireNonNull(execute.getRight());
+    }
+
+    public void executeExpectStatusCode(final int expectedStatusCode) {
+      final Pair<Integer, Void> execute = execute(Void.class);
+      Validate.isTrue(
+          execute.getLeft() == expectedStatusCode,
+          "Unexpected response code: %d",
+          execute.getLeft()
+      );
+    }
+
+    public <T> Pair<Integer, T> execute(final Class<T> expectedType) {
+      builder.uri(serverUri(endpoint, queryParams))
+          .header(HttpHeaders.USER_AGENT, USER_AGENT);
+      return CLIENT.sendAsync(builder.build(), HttpResponse.BodyHandlers.ofString(StandardCharsets.UTF_8))
+          .whenComplete((response, error) -> {
+            if (error != null) {
+              logger.error("request error", error);
+              error.printStackTrace();
+            }
+          })
+          .thenApply(response -> {
+            try {
+              final T result = expectedType.equals(Void.class)
+                  ? null
+                  : SystemMapper.jsonMapper().readValue(response.body(), expectedType);
+              return Pair.of(response.statusCode(), result);
+            } catch (final IOException e) {
+              throw new RuntimeException(e);
+            }
+          })
+          .join();
+    }
+  }
+
+  private static FaultTolerantHttpClient buildClient() {
+    try {
+      return FaultTolerantHttpClient.newBuilder()
+          .withName("integration-test")
+          .withExecutor(Executors.newFixedThreadPool(16))
+          .withRetryExecutor(Executors.newSingleThreadScheduledExecutor())
+          .withCircuitBreaker(new CircuitBreakerConfiguration())
+          .withTrustedServerCertificates(CONFIG.rootCert())
+          .build();
+    } catch (final CertificateException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  private static Config loadConfigFromClasspath(final String filename) {
+    try {
+      final URL configFileUrl = Resources.getResource(filename);
+      return SystemMapper.yamlMapper().readValue(Resources.toByteArray(configFileUrl), Config.class);
+    } catch (final IOException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  private static ECSignedPreKey generateSignedECPreKey(long id, final ECKeyPair identityKeyPair) {
+    final ECPublicKey pubKey = Curve.generateKeyPair().getPublicKey();
+    final byte[] sig = identityKeyPair.getPrivateKey().calculateSignature(pubKey.serialize());
+    return new ECSignedPreKey(id, pubKey, sig);
+  }
+
+  private static KEMSignedPreKey generateSignedKEMPreKey(long id, final ECKeyPair identityKeyPair) {
+    final KEMPublicKey pubKey = KEMKeyPair.generate(KEMKeyType.KYBER_1024).getPublicKey();
+    final byte[] sig = identityKeyPair.getPrivateKey().calculateSignature(pubKey.serialize());
+    return new KEMSignedPreKey(id, pubKey, sig);
+  }
+}
--- a/integration-tests/src/main/java/org/signal/integration/TestDevice.java
+++ b/integration-tests/src/main/java/org/signal/integration/TestDevice.java
@@ -0,0 +1,64 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+import org.apache.commons.lang3.tuple.Pair;
+import org.signal.libsignal.protocol.IdentityKeyPair;
+import org.signal.libsignal.protocol.InvalidKeyException;
+import org.signal.libsignal.protocol.ecc.Curve;
+import org.signal.libsignal.protocol.ecc.ECKeyPair;
+import org.signal.libsignal.protocol.state.SignedPreKeyRecord;
+
+public class TestDevice {
+
+  private final long deviceId;
+
+  private final Map<Integer, Pair<IdentityKeyPair, SignedPreKeyRecord>> signedPreKeys = new ConcurrentHashMap<>();
+
+
+  public static TestDevice create(
+      final long deviceId,
+      final IdentityKeyPair aciIdentityKeyPair,
+      final IdentityKeyPair pniIdentityKeyPair) {
+    final TestDevice device = new TestDevice(deviceId);
+    device.addSignedPreKey(aciIdentityKeyPair);
+    device.addSignedPreKey(pniIdentityKeyPair);
+    return device;
+  }
+
+  public TestDevice(final long deviceId) {
+    this.deviceId = deviceId;
+  }
+
+  public long deviceId() {
+    return deviceId;
+  }
+
+  public SignedPreKeyRecord latestSignedPreKey(final IdentityKeyPair identity) {
+    final int id = signedPreKeys.entrySet()
+        .stream()
+        .filter(p -> p.getValue().getLeft().equals(identity))
+        .mapToInt(Map.Entry::getKey)
+        .max()
+        .orElseThrow();
+    return signedPreKeys.get(id).getRight();
+  }
+
+  public SignedPreKeyRecord addSignedPreKey(final IdentityKeyPair identity) {
+    try {
+      final int nextId = signedPreKeys.keySet().stream().mapToInt(k -> k + 1).max().orElse(0);
+      final ECKeyPair keyPair = Curve.generateKeyPair();
+      final byte[] signature = Curve.calculateSignature(identity.getPrivateKey(), keyPair.getPublicKey().serialize());
+      final SignedPreKeyRecord signedPreKeyRecord = new SignedPreKeyRecord(nextId, System.currentTimeMillis(), keyPair, signature);
+      signedPreKeys.put(nextId, Pair.of(identity, signedPreKeyRecord));
+      return signedPreKeyRecord;
+    } catch (InvalidKeyException e) {
+      throw new RuntimeException(e);
+    }
+  }
+}
--- a/integration-tests/src/main/java/org/signal/integration/TestUser.java
+++ b/integration-tests/src/main/java/org/signal/integration/TestUser.java
@@ -0,0 +1,184 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import static java.util.Objects.requireNonNull;
+
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import java.util.UUID;
+import java.util.concurrent.ConcurrentHashMap;
+import org.apache.commons.lang3.RandomUtils;
+import org.signal.libsignal.protocol.IdentityKey;
+import org.signal.libsignal.protocol.IdentityKeyPair;
+import org.signal.libsignal.protocol.ecc.ECPublicKey;
+import org.signal.libsignal.protocol.state.SignedPreKeyRecord;
+import org.signal.libsignal.protocol.util.KeyHelper;
+import org.whispersystems.textsecuregcm.auth.UnidentifiedAccessUtil;
+import org.whispersystems.textsecuregcm.entities.AccountAttributes;
+import org.whispersystems.textsecuregcm.storage.Device;
+
+public class TestUser {
+
+  private final int registrationId;
+
+  private final IdentityKeyPair aciIdentityKey;
+
+  private final Map<Long, TestDevice> devices = new ConcurrentHashMap<>();
+
+  private final byte[] unidentifiedAccessKey;
+
+  private String phoneNumber;
+
+  private IdentityKeyPair pniIdentityKey;
+
+  private String accountPassword;
+
+  private byte[] registrationPassword;
+
+  private UUID aciUuid;
+
+  private UUID pniUuid;
+
+
+  public static TestUser create(final String phoneNumber, final String accountPassword, final byte[] registrationPassword) {
+    // ACI identity key pair
+    final IdentityKeyPair aciIdentityKey = IdentityKeyPair.generate();
+    // PNI identity key pair
+    final IdentityKeyPair pniIdentityKey = IdentityKeyPair.generate();
+    // registration id
+    final int registrationId = KeyHelper.generateRegistrationId(false);
+    // uak
+    final byte[] unidentifiedAccessKey = RandomUtils.nextBytes(UnidentifiedAccessUtil.UNIDENTIFIED_ACCESS_KEY_LENGTH);
+
+    return new TestUser(
+        registrationId,
+        aciIdentityKey,
+        phoneNumber,
+        pniIdentityKey,
+        unidentifiedAccessKey,
+        accountPassword,
+        registrationPassword);
+  }
+
+  public TestUser(
+      final int registrationId,
+      final IdentityKeyPair aciIdentityKey,
+      final String phoneNumber,
+      final IdentityKeyPair pniIdentityKey,
+      final byte[] unidentifiedAccessKey,
+      final String accountPassword,
+      final byte[] registrationPassword) {
+    this.registrationId = registrationId;
+    this.aciIdentityKey = aciIdentityKey;
+    this.phoneNumber = phoneNumber;
+    this.pniIdentityKey = pniIdentityKey;
+    this.unidentifiedAccessKey = unidentifiedAccessKey;
+    this.accountPassword = accountPassword;
+    this.registrationPassword = registrationPassword;
+    devices.put(Device.PRIMARY_ID, TestDevice.create(Device.PRIMARY_ID, aciIdentityKey, pniIdentityKey));
+  }
+
+  public int registrationId() {
+    return registrationId;
+  }
+
+  public IdentityKeyPair aciIdentityKey() {
+    return aciIdentityKey;
+  }
+
+  public String phoneNumber() {
+    return phoneNumber;
+  }
+
+  public IdentityKeyPair pniIdentityKey() {
+    return pniIdentityKey;
+  }
+
+  public String accountPassword() {
+    return accountPassword;
+  }
+
+  public byte[] registrationPassword() {
+    return registrationPassword;
+  }
+
+  public UUID aciUuid() {
+    return aciUuid;
+  }
+
+  public UUID pniUuid() {
+    return pniUuid;
+  }
+
+  public AccountAttributes accountAttributes() {
+    return new AccountAttributes(true, registrationId, "", "", true, new Device.DeviceCapabilities(false, false, false, false))
+        .withUnidentifiedAccessKey(unidentifiedAccessKey)
+        .withRecoveryPassword(registrationPassword);
+  }
+
+  public void setAciUuid(final UUID aciUuid) {
+    this.aciUuid = aciUuid;
+  }
+
+  public void setPniUuid(final UUID pniUuid) {
+    this.pniUuid = pniUuid;
+  }
+
+  public void setPhoneNumber(final String phoneNumber) {
+    this.phoneNumber = phoneNumber;
+  }
+
+  public void setPniIdentityKey(final IdentityKeyPair pniIdentityKey) {
+    this.pniIdentityKey = pniIdentityKey;
+  }
+
+  public void setAccountPassword(final String accountPassword) {
+    this.accountPassword = accountPassword;
+  }
+
+  public void setRegistrationPassword(final byte[] registrationPassword) {
+    this.registrationPassword = registrationPassword;
+  }
+
+  public PreKeySetPublicView preKeys(final long deviceId, final boolean pni) {
+    final IdentityKeyPair identity = pni
+        ? pniIdentityKey
+        : aciIdentityKey;
+    final TestDevice device = requireNonNull(devices.get(deviceId));
+    final SignedPreKeyRecord signedPreKeyRecord = device.latestSignedPreKey(identity);
+    return new PreKeySetPublicView(
+        Collections.emptyList(),
+        identity.getPublicKey(),
+        new SignedPreKeyPublicView(
+            signedPreKeyRecord.getId(),
+            signedPreKeyRecord.getKeyPair().getPublicKey(),
+            signedPreKeyRecord.getSignature()
+        )
+    );
+  }
+
+  public record SignedPreKeyPublicView(
+      int keyId,
+      @JsonSerialize(using = Codecs.ECPublicKeySerializer.class)
+      @JsonDeserialize(using = Codecs.ECPublicKeyDeserializer.class)
+      ECPublicKey publicKey,
+      @JsonSerialize(using = Codecs.ByteArraySerializer.class)
+      @JsonDeserialize(using = Codecs.ByteArrayDeserializer.class)
+      byte[] signature) {
+  }
+
+  public record PreKeySetPublicView(
+      List<String> preKeys,
+      @JsonSerialize(using = Codecs.IdentityKeySerializer.class)
+      @JsonDeserialize(using = Codecs.IdentityKeyDeserializer.class)
+      IdentityKey identityKey,
+      SignedPreKeyPublicView signedPreKey) {
+  }
+}
--- a/integration-tests/src/main/java/org/signal/integration/config/Config.java
+++ b/integration-tests/src/main/java/org/signal/integration/config/Config.java
@@ -0,0 +1,14 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration.config;
+
+import org.whispersystems.textsecuregcm.configuration.DynamoDbClientConfiguration;
+
+public record Config(String domain,
+                     String rootCert,
+                     DynamoDbClientConfiguration dynamoDbClientConfiguration,
+                     DynamoDbTables dynamoDbTables) {
+}
--- a/integration-tests/src/main/java/org/signal/integration/config/DynamoDbTables.java
+++ b/integration-tests/src/main/java/org/signal/integration/config/DynamoDbTables.java
@@ -0,0 +1,10 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration.config;
+
+public record DynamoDbTables(String registrationRecovery,
+                             String verificationSessions) {
+}
--- a/integration-tests/src/test/java/org/signal/integration/AccountTest.java
+++ b/integration-tests/src/test/java/org/signal/integration/AccountTest.java
@@ -0,0 +1,124 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import java.util.Arrays;
+import java.util.Base64;
+import java.util.List;
+import org.apache.commons.lang3.tuple.Pair;
+import org.apache.http.HttpStatus;
+import org.junit.jupiter.api.Test;
+import org.signal.libsignal.usernames.BaseUsernameException;
+import org.signal.libsignal.usernames.Username;
+import org.whispersystems.textsecuregcm.entities.AccountIdentifierResponse;
+import org.whispersystems.textsecuregcm.entities.AccountIdentityResponse;
+import org.whispersystems.textsecuregcm.entities.ConfirmUsernameHashRequest;
+import org.whispersystems.textsecuregcm.entities.EncryptedUsername;
+import org.whispersystems.textsecuregcm.entities.ReserveUsernameHashRequest;
+import org.whispersystems.textsecuregcm.entities.ReserveUsernameHashResponse;
+import org.whispersystems.textsecuregcm.entities.UsernameHashResponse;
+import org.whispersystems.textsecuregcm.identity.AciServiceIdentifier;
+
+public class AccountTest {
+
+  @Test
+  public void testCreateAccount() throws Exception {
+    final TestUser user = Operations.newRegisteredUser("+19995550101");
+    try {
+      final Pair<Integer, AccountIdentityResponse> execute = Operations.apiGet("/v1/accounts/whoami")
+          .authorized(user)
+          .execute(AccountIdentityResponse.class);
+      assertEquals(HttpStatus.SC_OK, execute.getLeft());
+    } finally {
+      Operations.deleteUser(user);
+    }
+  }
+
+  @Test
+  public void testCreateAccountAtomic() throws Exception {
+    final TestUser user = Operations.newRegisteredUserAtomic("+19995550201");
+    try {
+      final Pair<Integer, AccountIdentityResponse> execute = Operations.apiGet("/v1/accounts/whoami")
+          .authorized(user)
+          .execute(AccountIdentityResponse.class);
+      assertEquals(HttpStatus.SC_OK, execute.getLeft());
+    } finally {
+      Operations.deleteUser(user);
+    }
+  }
+
+  @Test
+  public void testUsernameOperations() throws Exception {
+    final TestUser user = Operations.newRegisteredUser("+19995550102");
+    try {
+      verifyFullUsernameLifecycle(user);
+      // no do it again to check changing usernames
+      verifyFullUsernameLifecycle(user);
+    } finally {
+      Operations.deleteUser(user);
+    }
+  }
+
+  private static void verifyFullUsernameLifecycle(final TestUser user) throws BaseUsernameException {
+    final String preferred = "test";
+    final List<Username> candidates = Username.candidatesFrom(preferred, preferred.length(), preferred.length() + 1);
+
+    // reserve a username
+    final ReserveUsernameHashRequest reserveUsernameHashRequest = new ReserveUsernameHashRequest(
+        candidates.stream().map(Username::getHash).toList());
+    // try unauthorized
+    Operations
+        .apiPut("/v1/accounts/username_hash/reserve", reserveUsernameHashRequest)
+        .executeExpectStatusCode(HttpStatus.SC_UNAUTHORIZED);
+
+    final ReserveUsernameHashResponse reserveUsernameHashResponse = Operations
+        .apiPut("/v1/accounts/username_hash/reserve", reserveUsernameHashRequest)
+        .authorized(user)
+        .executeExpectSuccess(ReserveUsernameHashResponse.class);
+
+    // find which one is the reserved username
+    final byte[] reservedHash = reserveUsernameHashResponse.usernameHash();
+    final Username reservedUsername = candidates.stream()
+        .filter(u -> Arrays.equals(u.getHash(), reservedHash))
+        .findAny()
+        .orElseThrow();
+
+    // confirm a username
+   final ConfirmUsernameHashRequest confirmUsernameHashRequest = new ConfirmUsernameHashRequest(
+        reservedUsername.getHash(),
+        reservedUsername.generateProof(),
+        "cluck cluck i'm a parrot".getBytes()
+    );
+    // try unauthorized
+    Operations
+        .apiPut("/v1/accounts/username_hash/confirm", confirmUsernameHashRequest)
+        .executeExpectStatusCode(HttpStatus.SC_UNAUTHORIZED);
+    Operations
+        .apiPut("/v1/accounts/username_hash/confirm", confirmUsernameHashRequest)
+        .authorized(user)
+        .executeExpectSuccess(UsernameHashResponse.class);
+
+
+    // lookup username
+    final AccountIdentifierResponse accountIdentifierResponse = Operations
+        .apiGet("/v1/accounts/username_hash/" + Base64.getUrlEncoder().encodeToString(reservedHash))
+        .executeExpectSuccess(AccountIdentifierResponse.class);
+    assertEquals(new AciServiceIdentifier(user.aciUuid()), accountIdentifierResponse.uuid());
+    // try authorized
+    Operations
+        .apiGet("/v1/accounts/username_hash/" + Base64.getUrlEncoder().encodeToString(reservedHash))
+        .authorized(user)
+        .executeExpectStatusCode(HttpStatus.SC_BAD_REQUEST);
+
+    // delete username
+    Operations
+        .apiDelete("/v1/accounts/username_hash")
+        .authorized(user)
+        .executeExpectSuccess();
+  }
+}
--- a/integration-tests/src/test/java/org/signal/integration/MessagingTest.java
+++ b/integration-tests/src/test/java/org/signal/integration/MessagingTest.java
@@ -0,0 +1,60 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.List;
+import org.apache.commons.lang3.tuple.Pair;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
+import org.whispersystems.textsecuregcm.entities.IncomingMessage;
+import org.whispersystems.textsecuregcm.entities.IncomingMessageList;
+import org.whispersystems.textsecuregcm.entities.OutgoingMessageEntityList;
+import org.whispersystems.textsecuregcm.entities.SendMessageResponse;
+import org.whispersystems.textsecuregcm.storage.Device;
+
+public class MessagingTest {
+
+  @ParameterizedTest
+  @ValueSource(booleans = {true, false})
+  public void testSendMessageUnsealed(final boolean atomicAccountCreation) throws Exception {
+    final TestUser userA;
+    final TestUser userB;
+
+    if (atomicAccountCreation) {
+      userA = Operations.newRegisteredUserAtomic("+19995550102");
+      userB = Operations.newRegisteredUserAtomic("+19995550103");
+    } else {
+      userA = Operations.newRegisteredUser("+19995550104");
+      userB = Operations.newRegisteredUser("+19995550105");
+    }
+
+    try {
+      final byte[] expectedContent = "Hello, World!".getBytes(StandardCharsets.UTF_8);
+      final String contentBase64 = Base64.getEncoder().encodeToString(expectedContent);
+      final IncomingMessage message = new IncomingMessage(1, Device.PRIMARY_ID, userB.registrationId(), contentBase64);
+      final IncomingMessageList messages = new IncomingMessageList(List.of(message), false, true, System.currentTimeMillis());
+
+      final Pair<Integer, SendMessageResponse> sendMessage = Operations
+          .apiPut("/v1/messages/%s".formatted(userB.aciUuid().toString()), messages)
+          .authorized(userA)
+          .execute(SendMessageResponse.class);
+
+      final Pair<Integer, OutgoingMessageEntityList> receiveMessages = Operations.apiGet("/v1/messages")
+          .authorized(userB)
+          .execute(OutgoingMessageEntityList.class);
+
+      final byte[] actualContent = receiveMessages.getRight().messages().get(0).content();
+      assertArrayEquals(expectedContent, actualContent);
+    } finally {
+      Operations.deleteUser(userA);
+      Operations.deleteUser(userB);
+    }
+  }
+}
--- a/integration-tests/src/test/java/org/signal/integration/RegistrationTest.java
+++ b/integration-tests/src/test/java/org/signal/integration/RegistrationTest.java
@@ -0,0 +1,54 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.signal.integration;
+
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.whispersystems.textsecuregcm.entities.CreateVerificationSessionRequest;
+import org.whispersystems.textsecuregcm.entities.SubmitVerificationCodeRequest;
+import org.whispersystems.textsecuregcm.entities.UpdateVerificationSessionRequest;
+import org.whispersystems.textsecuregcm.entities.VerificationCodeRequest;
+import org.whispersystems.textsecuregcm.entities.VerificationSessionResponse;
+
+public class RegistrationTest {
+
+  @Test
+  public void testRegistration() throws Exception {
+    final UpdateVerificationSessionRequest originalRequest = new UpdateVerificationSessionRequest(
+        "test", UpdateVerificationSessionRequest.PushTokenType.FCM, null, null, null, null);
+    final CreateVerificationSessionRequest input = new CreateVerificationSessionRequest("+19995550102", originalRequest);
+
+    final VerificationSessionResponse verificationSessionResponse = Operations
+        .apiPost("/v1/verification/session", input)
+        .executeExpectSuccess(VerificationSessionResponse.class);
+
+    final String sessionId = verificationSessionResponse.id();
+    final String pushChallenge = Operations.peekVerificationSessionPushChallenge(sessionId);
+
+    // supply push challenge
+    final UpdateVerificationSessionRequest updatedRequest = new UpdateVerificationSessionRequest(
+        "test", UpdateVerificationSessionRequest.PushTokenType.FCM, pushChallenge, null, null, null);
+    final VerificationSessionResponse pushChallengeSupplied = Operations
+        .apiPatch("/v1/verification/session/%s".formatted(sessionId), updatedRequest)
+        .executeExpectSuccess(VerificationSessionResponse.class);
+
+    Assertions.assertTrue(pushChallengeSupplied.allowedToRequestCode());
+
+    // request code
+    final VerificationCodeRequest verificationCodeRequest = new VerificationCodeRequest(
+        VerificationCodeRequest.Transport.SMS, "android-ng");
+
+    final VerificationSessionResponse codeRequested = Operations
+        .apiPost("/v1/verification/session/%s/code".formatted(sessionId), verificationCodeRequest)
+        .executeExpectSuccess(VerificationSessionResponse.class);
+
+    // verify code
+    final SubmitVerificationCodeRequest submitVerificationCodeRequest = new SubmitVerificationCodeRequest("265402");
+    final VerificationSessionResponse codeVerified = Operations
+        .apiPut("/v1/verification/session/%s/code".formatted(sessionId), submitVerificationCodeRequest)
+        .executeExpectSuccess(VerificationSessionResponse.class);
+  }
+}
--- a/218
+++ b/218
@@ -19,7 +19,7 @@
 # ----------------------------------------------------------------------------

 # ----------------------------------------------------------------------------
-# Maven Start Up Batch script
+# Apache Maven Wrapper startup batch script, version 3.2.0
 #
 # Required ENV vars:
 # ------------------
@@ -27,7 +27,6 @@
 #
 # Optional ENV vars
 # -----------------
-#   M2_HOME - location of maven2's installed home dir
 #   MAVEN_OPTS - parameters passed to the Java VM when running Maven
 #     e.g. to debug Maven itself, use
 #       set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
@@ -54,7 +53,7 @@ fi
 cygwin=false;
 darwin=false;
 mingw=false
-case "`uname`" in
+case "$(uname)" in
  CYGWIN*) cygwin=true ;;
  MINGW*) mingw=true;;
  Darwin*) darwin=true
@@ -62,9 +61,9 @@ case "`uname`" in
    # See https://developer.apple.com/library/mac/qa/qa1170/_index.html
    if [ -z "$JAVA_HOME" ]; then
      if [ -x "/usr/libexec/java_home" ]; then
-        export JAVA_HOME="`/usr/libexec/java_home`"
+        JAVA_HOME="$(/usr/libexec/java_home)"; export JAVA_HOME
      else
-        export JAVA_HOME="/Library/Java/Home"
+        JAVA_HOME="/Library/Java/Home"; export JAVA_HOME
      fi
    fi
    ;;
@@ -72,68 +71,38 @@ esac

 if [ -z "$JAVA_HOME" ] ; then
  if [ -r /etc/gentoo-release ] ; then
-    JAVA_HOME=`java-config --jre-home`
+    JAVA_HOME=$(java-config --jre-home)
  fi
 fi

-if [ -z "$M2_HOME" ] ; then
-  ## resolve links - $0 may be a link to maven's home
-  PRG="$0"
-
-  # need this for relative symlinks
-  while [ -h "$PRG" ] ; do
-    ls=`ls -ld "$PRG"`
-    link=`expr "$ls" : '.*-> \(.*\)$'`
-    if expr "$link" : '/.*' > /dev/null; then
-      PRG="$link"
-    else
-      PRG="`dirname "$PRG"`/$link"
-    fi
-  done
-
-  saveddir=`pwd`
-
-  M2_HOME=`dirname "$PRG"`/..
-
-  # make it fully qualified
-  M2_HOME=`cd "$M2_HOME" && pwd`
-
-  cd "$saveddir"
-  # echo Using m2 at $M2_HOME
-fi
-
 # For Cygwin, ensure paths are in UNIX format before anything is touched
 if $cygwin ; then
-  [ -n "$M2_HOME" ] &&
-    M2_HOME=`cygpath --unix "$M2_HOME"`
  [ -n "$JAVA_HOME" ] &&
-    JAVA_HOME=`cygpath --unix "$JAVA_HOME"`
+    JAVA_HOME=$(cygpath --unix "$JAVA_HOME")
  [ -n "$CLASSPATH" ] &&
-    CLASSPATH=`cygpath --path --unix "$CLASSPATH"`
+    CLASSPATH=$(cygpath --path --unix "$CLASSPATH")
 fi

 # For Mingw, ensure paths are in UNIX format before anything is touched
 if $mingw ; then
-  [ -n "$M2_HOME" ] &&
-    M2_HOME="`(cd "$M2_HOME"; pwd)`"
-  [ -n "$JAVA_HOME" ] &&
-    JAVA_HOME="`(cd "$JAVA_HOME"; pwd)`"
+  [ -n "$JAVA_HOME" ] && [ -d "$JAVA_HOME" ] &&
+    JAVA_HOME="$(cd "$JAVA_HOME" || (echo "cannot cd into $JAVA_HOME."; exit 1); pwd)"
 fi

 if [ -z "$JAVA_HOME" ]; then
-  javaExecutable="`which javac`"
-  if [ -n "$javaExecutable" ] && ! [ "`expr \"$javaExecutable\" : '\([^ ]*\)'`" = "no" ]; then
+  javaExecutable="$(which javac)"
+  if [ -n "$javaExecutable" ] && ! [ "$(expr "\"$javaExecutable\"" : '\([^ ]*\)')" = "no" ]; then
    # readlink(1) is not available as standard on Solaris 10.
-    readLink=`which readlink`
-    if [ ! `expr "$readLink" : '\([^ ]*\)'` = "no" ]; then
+    readLink=$(which readlink)
+    if [ ! "$(expr "$readLink" : '\([^ ]*\)')" = "no" ]; then
      if $darwin ; then
-        javaHome="`dirname \"$javaExecutable\"`"
-        javaExecutable="`cd \"$javaHome\" && pwd -P`/javac"
+        javaHome="$(dirname "\"$javaExecutable\"")"
+        javaExecutable="$(cd "\"$javaHome\"" && pwd -P)/javac"
      else
-        javaExecutable="`readlink -f \"$javaExecutable\"`"
+        javaExecutable="$(readlink -f "\"$javaExecutable\"")"
      fi
-      javaHome="`dirname \"$javaExecutable\"`"
-      javaHome=`expr "$javaHome" : '\(.*\)/bin'`
+      javaHome="$(dirname "\"$javaExecutable\"")"
+      javaHome=$(expr "$javaHome" : '\(.*\)/bin')
      JAVA_HOME="$javaHome"
      export JAVA_HOME
    fi
@@ -149,7 +118,7 @@ if [ -z "$JAVACMD" ] ; then
      JAVACMD="$JAVA_HOME/bin/java"
    fi
  else
-    JAVACMD="`\\unset -f command; \\command -v java`"
+    JAVACMD="$(\unset -f command 2>/dev/null; \command -v java)"
  fi
 fi

@@ -163,12 +132,9 @@ if [ -z "$JAVA_HOME" ] ; then
  echo "Warning: JAVA_HOME environment variable is not set."
 fi

-CLASSWORLDS_LAUNCHER=org.codehaus.plexus.classworlds.launcher.Launcher
-
 # traverses directory structure from process work directory to filesystem root
 # first directory with .mvn subdirectory is considered project base directory
 find_maven_basedir() {
-
  if [ -z "$1" ]
  then
    echo "Path not specified to find_maven_basedir"
@@ -184,96 +150,99 @@ find_maven_basedir() {
    fi
    # workaround for JBEAP-8937 (on Solaris 10/Sparc)
    if [ -d "${wdir}" ]; then
-      wdir=`cd "$wdir/.."; pwd`
+      wdir=$(cd "$wdir/.." || exit 1; pwd)
    fi
    # end of workaround
  done
-  echo "${basedir}"
+  printf '%s' "$(cd "$basedir" || exit 1; pwd)"
 }

 # concatenates all lines of a file
 concat_lines() {
  if [ -f "$1" ]; then
-    echo "$(tr -s '\n' ' ' < "$1")"
+    # Remove \r in case we run on Windows within Git Bash
+    # and check out the repository with auto CRLF management
+    # enabled. Otherwise, we may read lines that are delimited with
+    # \r\n and produce $'-Xarg\r' rather than -Xarg due to word
+    # splitting rules.
+    tr -s '\r\n' ' ' < "$1"
  fi
 }

-BASE_DIR=`find_maven_basedir "$(pwd)"`
+log() {
+  if [ "$MVNW_VERBOSE" = true ]; then
+    printf '%s\n' "$1"
+  fi
+}
+
+BASE_DIR=$(find_maven_basedir "$(dirname "$0")")
 if [ -z "$BASE_DIR" ]; then
  exit 1;
 fi

+MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"}; export MAVEN_PROJECTBASEDIR
+log "$MAVEN_PROJECTBASEDIR"
+
 ##########################################################################################
 # Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
 # This allows using the maven wrapper in projects that prohibit checking in binary data.
 ##########################################################################################
-if [ -r "$BASE_DIR/.mvn/wrapper/maven-wrapper.jar" ]; then
-    if [ "$MVNW_VERBOSE" = true ]; then
-      echo "Found .mvn/wrapper/maven-wrapper.jar"
-    fi
+wrapperJarPath="$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar"
+if [ -r "$wrapperJarPath" ]; then
+    log "Found $wrapperJarPath"
 else
-    if [ "$MVNW_VERBOSE" = true ]; then
-      echo "Couldn't find .mvn/wrapper/maven-wrapper.jar, downloading it ..."
-    fi
+    log "Couldn't find $wrapperJarPath, downloading it ..."
+
    if [ -n "$MVNW_REPOURL" ]; then
-      jarUrl="$MVNW_REPOURL/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar"
+      wrapperUrl="$MVNW_REPOURL/org/apache/maven/wrapper/maven-wrapper/3.2.0/maven-wrapper-3.2.0.jar"
    else
-      jarUrl="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar"
+      wrapperUrl="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.2.0/maven-wrapper-3.2.0.jar"
    fi
-    while IFS="=" read key value; do
-      case "$key" in (wrapperUrl) jarUrl="$value"; break ;;
+    while IFS="=" read -r key value; do
+      # Remove '\r' from value to allow usage on windows as IFS does not consider '\r' as a separator ( considers space, tab, new line ('\n'), and custom '=' )
+      safeValue=$(echo "$value" | tr -d '\r')
+      case "$key" in (wrapperUrl) wrapperUrl="$safeValue"; break ;;
      esac
-    done < "$BASE_DIR/.mvn/wrapper/maven-wrapper.properties"
-    if [ "$MVNW_VERBOSE" = true ]; then
-      echo "Downloading from: $jarUrl"
-    fi
-    wrapperJarPath="$BASE_DIR/.mvn/wrapper/maven-wrapper.jar"
+    done < "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.properties"
+    log "Downloading from: $wrapperUrl"
+
    if $cygwin; then
-      wrapperJarPath=`cygpath --path --windows "$wrapperJarPath"`
+      wrapperJarPath=$(cygpath --path --windows "$wrapperJarPath")
    fi

    if command -v wget > /dev/null; then
-        if [ "$MVNW_VERBOSE" = true ]; then
-          echo "Found wget ... using wget"
-        fi
+        log "Found wget ... using wget"
+        [ "$MVNW_VERBOSE" = true ] && QUIET="" || QUIET="--quiet"
        if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
-            wget "$jarUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath"
+            wget $QUIET "$wrapperUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath"
        else
-            wget --http-user=$MVNW_USERNAME --http-password=$MVNW_PASSWORD "$jarUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath"
+            wget $QUIET --http-user="$MVNW_USERNAME" --http-password="$MVNW_PASSWORD" "$wrapperUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath"
        fi
    elif command -v curl > /dev/null; then
-        if [ "$MVNW_VERBOSE" = true ]; then
-          echo "Found curl ... using curl"
-        fi
+        log "Found curl ... using curl"
+        [ "$MVNW_VERBOSE" = true ] && QUIET="" || QUIET="--silent"
        if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
-            curl -o "$wrapperJarPath" "$jarUrl" -f
+            curl $QUIET -o "$wrapperJarPath" "$wrapperUrl" -f -L || rm -f "$wrapperJarPath"
        else
-            curl --user $MVNW_USERNAME:$MVNW_PASSWORD -o "$wrapperJarPath" "$jarUrl" -f
+            curl $QUIET --user "$MVNW_USERNAME:$MVNW_PASSWORD" -o "$wrapperJarPath" "$wrapperUrl" -f -L || rm -f "$wrapperJarPath"
        fi
-
    else
-        if [ "$MVNW_VERBOSE" = true ]; then
-          echo "Falling back to using Java to download"
-        fi
-        javaClass="$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.java"
+        log "Falling back to using Java to download"
+        javaSource="$MAVEN_PROJECTBASEDIR/.mvn/wrapper/MavenWrapperDownloader.java"
+        javaClass="$MAVEN_PROJECTBASEDIR/.mvn/wrapper/MavenWrapperDownloader.class"
        # For Cygwin, switch paths to Windows format before running javac
        if $cygwin; then
-          javaClass=`cygpath --path --windows "$javaClass"`
+          javaSource=$(cygpath --path --windows "$javaSource")
+          javaClass=$(cygpath --path --windows "$javaClass")
        fi
-        if [ -e "$javaClass" ]; then
-            if [ ! -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
-                if [ "$MVNW_VERBOSE" = true ]; then
-                  echo " - Compiling MavenWrapperDownloader.java ..."
-                fi
-                # Compiling the Java class
-                ("$JAVA_HOME/bin/javac" "$javaClass")
+        if [ -e "$javaSource" ]; then
+            if [ ! -e "$javaClass" ]; then
+                log " - Compiling MavenWrapperDownloader.java ..."
+                ("$JAVA_HOME/bin/javac" "$javaSource")
            fi
-            if [ -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
-                # Running the downloader
-                if [ "$MVNW_VERBOSE" = true ]; then
-                  echo " - Running MavenWrapperDownloader.java ..."
-                fi
-                ("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$MAVEN_PROJECTBASEDIR")
+            if [ -e "$javaClass" ]; then
+                log " - Running MavenWrapperDownloader.java ..."
+                ("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$wrapperUrl" "$wrapperJarPath") || rm -f "$wrapperJarPath"
            fi
        fi
    fi
@@ -282,35 +251,58 @@ fi
 # End of extension
 ##########################################################################################

-export MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"}
-if [ "$MVNW_VERBOSE" = true ]; then
-  echo $MAVEN_PROJECTBASEDIR
+# If specified, validate the SHA-256 sum of the Maven wrapper jar file
+wrapperSha256Sum=""
+while IFS="=" read -r key value; do
+  case "$key" in (wrapperSha256Sum) wrapperSha256Sum=$value; break ;;
+  esac
+done < "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.properties"
+if [ -n "$wrapperSha256Sum" ]; then
+  wrapperSha256Result=false
+  if command -v sha256sum > /dev/null; then
+    if echo "$wrapperSha256Sum  $wrapperJarPath" | sha256sum -c > /dev/null 2>&1; then
+      wrapperSha256Result=true
+    fi
+  elif command -v shasum > /dev/null; then
+    if echo "$wrapperSha256Sum  $wrapperJarPath" | shasum -a 256 -c > /dev/null 2>&1; then
+      wrapperSha256Result=true
+    fi
+  else
+    echo "Checksum validation was requested but neither 'sha256sum' or 'shasum' are available."
+    echo "Please install either command, or disable validation by removing 'wrapperSha256Sum' from your maven-wrapper.properties."
+    exit 1
+  fi
+  if [ $wrapperSha256Result = false ]; then
+    echo "Error: Failed to validate Maven wrapper SHA-256, your Maven wrapper might be compromised." >&2
+    echo "Investigate or delete $wrapperJarPath to attempt a clean download." >&2
+    echo "If you updated your Maven version, you need to update the specified wrapperSha256Sum property." >&2
+    exit 1
+  fi
 fi
+
 MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS"

 # For Cygwin, switch paths to Windows format before running java
 if $cygwin; then
-  [ -n "$M2_HOME" ] &&
-    M2_HOME=`cygpath --path --windows "$M2_HOME"`
  [ -n "$JAVA_HOME" ] &&
-    JAVA_HOME=`cygpath --path --windows "$JAVA_HOME"`
+    JAVA_HOME=$(cygpath --path --windows "$JAVA_HOME")
  [ -n "$CLASSPATH" ] &&
-    CLASSPATH=`cygpath --path --windows "$CLASSPATH"`
+    CLASSPATH=$(cygpath --path --windows "$CLASSPATH")
  [ -n "$MAVEN_PROJECTBASEDIR" ] &&
-    MAVEN_PROJECTBASEDIR=`cygpath --path --windows "$MAVEN_PROJECTBASEDIR"`
+    MAVEN_PROJECTBASEDIR=$(cygpath --path --windows "$MAVEN_PROJECTBASEDIR")
 fi

 # Provide a "standardized" way to retrieve the CLI args that will
 # work with both Windows and non-Windows executions.
-MAVEN_CMD_LINE_ARGS="$MAVEN_CONFIG $@"
+MAVEN_CMD_LINE_ARGS="$MAVEN_CONFIG $*"
 export MAVEN_CMD_LINE_ARGS

 WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain

+# shellcheck disable=SC2086 # safe args
 exec "$JAVACMD" \
  $MAVEN_OPTS \
  $MAVEN_DEBUG_OPTS \
  -classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \
-  "-Dmaven.home=${M2_HOME}" \
  "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \
  ${WRAPPER_LAUNCHER} $MAVEN_CONFIG "$@"
--- a/mvnw.cmd
+++ b/mvnw.cmd
@@ -18,13 +18,12 @@
@REM ----------------------------------------------------------------------------

@REM ----------------------------------------------------------------------------
-@REM Maven Start Up Batch script
+@REM Apache Maven Wrapper startup batch script, version 3.2.0
@REM
@REM Required ENV vars:
@REM JAVA_HOME - location of a JDK home dir
@REM
@REM Optional ENV vars
-@REM M2_HOME - location of maven2's installed home dir
@REM MAVEN_BATCH_ECHO - set to 'on' to enable the echoing of the batch commands
@REM MAVEN_BATCH_PAUSE - set to 'on' to wait for a keystroke before ending
@REM MAVEN_OPTS - parameters passed to the Java VM when running Maven
@@ -120,10 +119,10 @@ SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe"
 set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar"
 set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain

-set DOWNLOAD_URL="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar"
+set WRAPPER_URL="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.2.0/maven-wrapper-3.2.0.jar"

 FOR /F "usebackq tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO (
-    IF "%%A"=="wrapperUrl" SET DOWNLOAD_URL=%%B
+    IF "%%A"=="wrapperUrl" SET WRAPPER_URL=%%B
 )

@REM Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
@@ -134,11 +133,11 @@ if exist %WRAPPER_JAR% (
    )
 ) else (
    if not "%MVNW_REPOURL%" == "" (
-        SET DOWNLOAD_URL="%MVNW_REPOURL%/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar"
+        SET WRAPPER_URL="%MVNW_REPOURL%/org/apache/maven/wrapper/maven-wrapper/3.2.0/maven-wrapper-3.2.0.jar"
    )
    if "%MVNW_VERBOSE%" == "true" (
        echo Couldn't find %WRAPPER_JAR%, downloading it ...
-        echo Downloading from: %DOWNLOAD_URL%
+        echo Downloading from: %WRAPPER_URL%
    )

    powershell -Command "&{"^
@@ -146,7 +145,7 @@ if exist %WRAPPER_JAR% (
 		"if (-not ([string]::IsNullOrEmpty('%MVNW_USERNAME%') -and [string]::IsNullOrEmpty('%MVNW_PASSWORD%'))) {"^
 		"$webclient.Credentials = new-object System.Net.NetworkCredential('%MVNW_USERNAME%', '%MVNW_PASSWORD%');"^
 		"}"^
-		"[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $webclient.DownloadFile('%DOWNLOAD_URL%', '%WRAPPER_JAR%')"^
+		"[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $webclient.DownloadFile('%WRAPPER_URL%', '%WRAPPER_JAR%')"^
 		"}"
    if "%MVNW_VERBOSE%" == "true" (
        echo Finished downloading %WRAPPER_JAR%
@@ -154,6 +153,24 @@ if exist %WRAPPER_JAR% (
 )
@REM End of extension

+@REM If specified, validate the SHA-256 sum of the Maven wrapper jar file
+SET WRAPPER_SHA_256_SUM=""
+FOR /F "usebackq tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO (
+    IF "%%A"=="wrapperSha256Sum" SET WRAPPER_SHA_256_SUM=%%B
+)
+IF NOT %WRAPPER_SHA_256_SUM%=="" (
+    powershell -Command "&{"^
+       "$hash = (Get-FileHash \"%WRAPPER_JAR%\" -Algorithm SHA256).Hash.ToLower();"^
+       "If('%WRAPPER_SHA_256_SUM%' -ne $hash){"^
+       "  Write-Output 'Error: Failed to validate Maven wrapper SHA-256, your Maven wrapper might be compromised.';"^
+       "  Write-Output 'Investigate or delete %WRAPPER_JAR% to attempt a clean download.';"^
+       "  Write-Output 'If you updated your Maven version, you need to update the specified wrapperSha256Sum property.';"^
+       "  exit 1;"^
+       "}"^
+       "}"
+    if ERRORLEVEL 1 goto error
+)
+
@REM Provide a "standardized" way to retrieve the CLI args that will
@REM work with both Windows and non-Windows executions.
 set MAVEN_CMD_LINE_ARGS=%*
--- a/pom.xml
+++ b/pom.xml
@@ -14,11 +14,6 @@
        <enabled>false</enabled>
      </snapshots>
    </repository>
-    <repository>
-      <id>dynamodb-local-oregon</id>
-      <name>DynamoDB Local Release Repository</name>
-      <url>https://s3-us-west-2.amazonaws.com/dynamodb-local/release</url>
-    </repository>
  </repositories>

  <pluginRepositories>
@@ -35,39 +30,50 @@
  </pluginRepositories>

  <modules>
-    <module>redis-dispatch</module>
-    <module>websocket-resources</module>
+    <module>api-doc</module>
+    <module>event-logger</module>
+    <module>integration-tests</module>
    <module>service</module>
+    <module>websocket-resources</module>
  </modules>

  <properties>
-    <aws.sdk.version>1.12.154</aws.sdk.version>
-    <aws.sdk2.version>2.17.125</aws.sdk2.version>
-    <commons-codec.version>1.15</commons-codec.version>
-    <commons-csv.version>1.8</commons-csv.version>
-    <commons-io.version>2.9.0</commons-io.version>
-    <dropwizard.version>2.0.28</dropwizard.version>
+    <aws.sdk2.version>2.21.5</aws.sdk2.version>
+    <braintree.version>3.27.0</braintree.version>
+    <commons-csv.version>1.10.0</commons-csv.version>
+    <commons-io.version>2.14.0</commons-io.version>
+    <dropwizard.version>2.1.9</dropwizard.version>
    <dropwizard-metrics-datadog.version>1.1.13</dropwizard-metrics-datadog.version>
-    <gson.version>2.9.0</gson.version>
-    <guava.version>30.1.1-jre</guava.version>
-    <jackson.version>2.13.2.20220328</jackson.version>
+    <google-cloud-libraries.version>26.25.0</google-cloud-libraries.version>
+    <grpc.version>1.58.0</grpc.version> <!-- should be kept in sync with the value from Google libraries-bom -->
+    <gson.version>2.10.1</gson.version>
+    <jackson.version>2.13.5</jackson.version>
    <jaxb.version>2.3.1</jaxb.version>
-    <jedis.version>2.9.0</jedis.version>
-    <lettuce.version>6.1.9.RELEASE</lettuce.version>
-    <libphonenumber.version>8.12.50</libphonenumber.version>
-    <logstash.logback.version>7.0.1</logstash.logback.version>
-    <micrometer.version>1.5.3</micrometer.version>
-    <mockito.version>4.3.1</mockito.version>
-    <netty.version>4.1.65.Final</netty.version>
-    <opentest4j.version>1.2.0</opentest4j.version>
-    <protobuf.version>3.19.4</protobuf.version>
-    <pushy.version>0.15.1</pushy.version>
-    <resilience4j.version>1.5.0</resilience4j.version>
+    <junit-pioneer.version>2.1.0</junit-pioneer.version>
+    <kotlin.version>1.9.10</kotlin.version>
+    <kotlinx-serialization.version>1.5.1</kotlinx-serialization.version>
+    <lettuce.version>6.2.6.RELEASE</lettuce.version>
+    <libphonenumber.version>8.13.23</libphonenumber.version>
+    <logstash.logback.version>7.3</logstash.logback.version>
+    <log4j-bom.version>2.21.0</log4j-bom.version>
+    <luajava.version>3.4.0</luajava.version>
+    <micrometer.version>1.10.10</micrometer.version>
+    <netty.version>4.1.96.Final</netty.version>
+    <opentest4j.version>1.3.0</opentest4j.version>
+    <protobuf.version>3.24.3</protobuf.version> <!-- should be kept in sync with the value from Google libraries-bom -->
+    <pushy.version>0.15.2</pushy.version>
+    <reactive.grpc.version>1.2.4</reactive.grpc.version>
+    <reactor-bom.version>2022.0.12</reactor-bom.version> <!-- 3.5.x, see https://github.com/reactor/reactor#bom-versioning-scheme -->
+    <resilience4j.version>1.7.0</resilience4j.version>
    <semver4j.version>3.1.0</semver4j.version>
-    <slf4j.version>1.7.30</slf4j.version>
-    <stripe.version>20.79.0</stripe.version>
+    <slf4j.version>1.7.36</slf4j.version>
+    <stripe.version>23.10.0</stripe.version>
+    <swagger.version>2.2.17</swagger.version>
    <vavr.version>0.10.4</vavr.version>

+    <!-- 17.0.8_7-jre-jammy -->
+    <docker.image.sha256>b8af44d6a7e0615a7486d7307dd54bba23ff24e3aea14893fd2795e8c436d44e</docker.image.sha256>
+
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
  </properties>

@@ -80,7 +86,7 @@
      <dependency>
        <groupId>com.fasterxml.jackson</groupId>
        <artifactId>jackson-bom</artifactId>
-        <version>2.13.2.20220328</version>
+        <version>${jackson.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
@@ -91,6 +97,13 @@
        <type>pom</type>
        <scope>import</scope>
      </dependency>
+      <!-- Needed for gRPC with Java 9+ -->
+      <dependency>
+        <groupId>org.apache.tomcat</groupId>
+        <artifactId>annotations-api</artifactId>
+        <version>6.0.53</version>
+        <scope>provided</scope>
+      </dependency>
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-bom</artifactId>
@@ -98,13 +111,6 @@
        <type>pom</type>
        <scope>import</scope>
      </dependency>
-      <dependency>
-        <groupId>com.amazonaws</groupId>
-        <artifactId>aws-java-sdk-bom</artifactId>
-        <version>${aws.sdk.version}</version>
-        <type>pom</type>
-        <scope>import</scope>
-      </dependency>
      <dependency>
        <groupId>software.amazon.awssdk</groupId>
        <artifactId>bom</artifactId>
@@ -115,10 +121,15 @@
      <dependency>
        <groupId>com.google.cloud</groupId>
        <artifactId>libraries-bom</artifactId>
-        <version>20.9.0</version>
+        <version>${google-cloud-libraries.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
+      <dependency>
+        <groupId>com.salesforce.servicelibs</groupId>
+        <artifactId>reactor-grpc-stub</artifactId>
+        <version>${reactive.grpc.version}</version>
+      </dependency>
      <dependency>
        <groupId>io.github.resilience4j</groupId>
        <artifactId>resilience4j-bom</artifactId>
@@ -133,7 +144,20 @@
        <type>pom</type>
        <scope>import</scope>
      </dependency>
-
+      <dependency>
+        <groupId>io.projectreactor</groupId>
+        <artifactId>reactor-bom</artifactId>
+        <version>${reactor-bom.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+      <dependency>
+        <groupId>org.jetbrains.kotlin</groupId>
+        <artifactId>kotlin-bom</artifactId>
+        <version>${kotlin.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
      <dependency>
        <groupId>com.eatthepath</groupId>
        <artifactId>pushy</artifactId>
@@ -144,11 +168,6 @@
        <artifactId>pushy-dropwizard-metrics-listener</artifactId>
        <version>${pushy.version}</version>
      </dependency>
-      <dependency>
-        <groupId>com.google.guava</groupId>
-        <artifactId>guava</artifactId>
-        <version>${guava.version}</version>
-      </dependency>
      <dependency>
        <groupId>com.google.protobuf</groupId>
        <artifactId>protobuf-java</artifactId>
@@ -164,11 +183,6 @@
        <artifactId>semver4j</artifactId>
        <version>${semver4j.version}</version>
      </dependency>
-      <dependency>
-        <groupId>commons-codec</groupId>
-        <artifactId>commons-codec</artifactId>
-        <version>${commons-codec.version}</version>
-      </dependency>
      <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
@@ -210,18 +224,6 @@
        <version>${jaxb.version}</version>
        <scope>runtime</scope>
      </dependency>
-      <dependency>
-        <groupId>org.mockito</groupId>
-        <artifactId>mockito-core</artifactId>
-        <version>${mockito.version}</version>
-        <scope>test</scope>
-      </dependency>
-      <dependency>
-        <groupId>org.mockito</groupId>
-        <artifactId>mockito-inline</artifactId>
-        <version>${mockito.version}</version>
-        <scope>test</scope>
-      </dependency>
      <dependency>
        <groupId>org.opentest4j</groupId>
        <artifactId>opentest4j</artifactId>
@@ -239,11 +241,6 @@
        <version>${slf4j.version}</version>
        <scope>test</scope>
      </dependency>
-      <dependency>
-        <groupId>redis.clients</groupId>
-        <artifactId>jedis</artifactId>
-        <version>${jedis.version}</version>
-      </dependency>
      <dependency>
        <groupId>commons-logging</groupId>
        <artifactId>commons-logging</artifactId>
@@ -252,7 +249,7 @@
      <dependency>
        <groupId>org.ow2.asm</groupId>
        <artifactId>asm</artifactId>
-        <version>9.2</version>
+        <version>9.5</version>
        <scope>test</scope>
      </dependency>
      <dependency>
@@ -260,6 +257,11 @@
        <artifactId>stripe-java</artifactId>
        <version>${stripe.version}</version>
      </dependency>
+      <dependency>
+        <groupId>com.braintreepayments.gateway</groupId>
+        <artifactId>braintree-java</artifactId>
+        <version>${braintree.version}</version>
+      </dependency>
      <dependency>
        <groupId>com.google.code.gson</groupId>
        <artifactId>gson</artifactId>
@@ -274,12 +276,12 @@
      <dependency>
        <groupId>org.signal</groupId>
        <artifactId>libsignal-server</artifactId>
-        <version>0.18.0</version>
+        <version>0.33.0</version>
      </dependency>
      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-bom</artifactId>
-        <version>2.17.1</version>
+        <version>${log4j-bom.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
@@ -296,7 +298,7 @@
    <dependency>
      <groupId>com.github.tomakehurst</groupId>
      <artifactId>wiremock-jre8</artifactId>
-      <version>2.32.0</version>
+      <version>2.35.1</version>
      <scope>test</scope>
      <exclusions>
        <exclusion>
@@ -312,7 +314,6 @@
    <dependency>
      <groupId>org.mockito</groupId>
      <artifactId>mockito-core</artifactId>
-      <version>${mockito.version}</version>
      <scope>test</scope>
    </dependency>
    <dependency>
@@ -325,27 +326,33 @@
      <artifactId>junit-jupiter-api</artifactId>
      <scope>test</scope>
    </dependency>
+    <dependency>
+      <groupId>org.junit-pioneer</groupId>
+      <artifactId>junit-pioneer</artifactId>
+      <version>${junit-pioneer.version}</version>
+      <scope>test</scope>
+    </dependency>

  </dependencies>

  <profiles>
    <profile>
-      <id>include-abusive-message-filter</id>
+      <id>include-spam-filter</id>
      <activation>
        <file>
-          <exists>abusive-message-filter/pom.xml</exists>
+          <exists>spam-filter/pom.xml</exists>
        </file>
      </activation>
      <modules>
-        <module>abusive-message-filter</module>
+        <module>spam-filter</module>
      </modules>
    </profile>

    <profile>
-      <id>exclude-abusive-message-filter</id>
+      <id>exclude-spam-filter</id>
      <activation>
        <file>
-          <missing>abusive-message-filter/pom.xml</missing>
+          <missing>spam-filter/pom.xml</missing>
        </file>
      </activation>
    </profile>
@@ -359,6 +366,15 @@
        <version>1.7.0</version>
      </extension>
    </extensions>
+    <pluginManagement>
+      <plugins>
+        <plugin>
+          <groupId>com.google.cloud.tools</groupId>
+          <artifactId>jib-maven-plugin</artifactId>
+          <version>3.4.0</version>
+        </plugin>
+      </plugins>
+    </pluginManagement>
    <plugins>

      <plugin>
@@ -366,14 +382,28 @@
        <artifactId>protobuf-maven-plugin</artifactId>
        <version>0.6.1</version>
        <configuration>
-          <protocArtifact>com.google.protobuf:protoc:3.18.0:exe:${os.detected.classifier}</protocArtifact>
-          <checkStaleness>true</checkStaleness>
+          <checkStaleness>false</checkStaleness>
+          <protocArtifact>com.google.protobuf:protoc:${protobuf.version}:exe:${os.detected.classifier}</protocArtifact>
+          <pluginId>grpc-java</pluginId>
+          <pluginArtifact>io.grpc:protoc-gen-grpc-java:${grpc.version}:exe:${os.detected.classifier}</pluginArtifact>
+
+          <protocPlugins>
+            <protocPlugin>
+              <id>reactor-grpc</id>
+              <groupId>com.salesforce.servicelibs</groupId>
+              <artifactId>reactor-grpc</artifactId>
+              <version>${reactive.grpc.version}</version>
+              <mainClass>com.salesforce.reactorgrpc.ReactorGrpcGenerator</mainClass>
+            </protocPlugin>
+          </protocPlugins>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>compile</goal>
+              <goal>compile-custom</goal>
              <goal>test-compile</goal>
+              <goal>test-compile-custom</goal>
            </goals>
          </execution>
        </executions>
@@ -382,7 +412,7 @@
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-compiler-plugin</artifactId>
-        <version>3.8.1</version>
+        <version>3.11.0</version>
        <configuration>
          <release>17</release>
        </configuration>
@@ -391,7 +421,7 @@
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-jar-plugin</artifactId>
-        <version>3.2.0</version>
+        <version>3.3.0</version>
        <configuration>
          <archive>
            <manifest>
@@ -404,7 +434,7 @@
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-dependency-plugin</artifactId>
-        <version>3.1.2</version>
+        <version>3.3.0</version>
        <executions>
          <execution>
            <id>copy</id>
@@ -424,7 +454,7 @@
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-surefire-plugin</artifactId>
-        <version>3.0.0-M5</version>
+        <version>3.1.2</version>
        <configuration>
          <systemProperties>
            <property>
@@ -438,7 +468,7 @@
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
-        <version>3.0.0-M3</version>
+        <version>3.3.0</version>
        <executions>
          <execution>
            <goals>
@@ -448,7 +478,7 @@
              <rules>
                <dependencyConvergence/>
                <requireMavenVersion>
-                  <version>3.8.3</version>
+                  <version>3.8.6</version>
                </requireMavenVersion>
              </rules>
            </configuration>
@@ -459,7 +489,7 @@
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-install-plugin</artifactId>
-        <version>3.0.0-M1</version>
+        <version>3.1.1</version>
        <configuration>
          <skip>true</skip>
        </configuration>
@@ -468,7 +498,7 @@
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-deploy-plugin</artifactId>
-        <version>3.0.0-M1</version>
+        <version>3.1.1</version>
        <configuration>
          <skip>true</skip>
        </configuration>
--- a/redis-dispatch/pom.xml
+++ b/redis-dispatch/pom.xml
@@ -1,20 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0"
-  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
-  <parent>
-    <artifactId>TextSecureServer</artifactId>
-    <groupId>org.whispersystems.textsecure</groupId>
-    <version>JGITVER</version>
-  </parent>
-  <modelVersion>4.0.0</modelVersion>
-  <artifactId>redis-dispatch</artifactId>
-
-  <dependencies>
-    <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-api</artifactId>
-    </dependency>
-  </dependencies>
-
-</project>
--- a/redis-dispatch/src/main/java/org/whispersystems/dispatch/DispatchChannel.java
+++ b/redis-dispatch/src/main/java/org/whispersystems/dispatch/DispatchChannel.java
@@ -1,11 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch;
-
-public interface DispatchChannel {
-  void onDispatchMessage(String channel, byte[] message);
-  void onDispatchSubscribed(String channel);
-  void onDispatchUnsubscribed(String channel);
-}
--- a/redis-dispatch/src/main/java/org/whispersystems/dispatch/DispatchManager.java
+++ b/redis-dispatch/src/main/java/org/whispersystems/dispatch/DispatchManager.java
@@ -1,157 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.whispersystems.dispatch.io.RedisPubSubConnectionFactory;
-import org.whispersystems.dispatch.redis.PubSubConnection;
-import org.whispersystems.dispatch.redis.PubSubReply;
-
-import java.io.IOException;
-import java.util.Map;
-import java.util.Optional;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.concurrent.Executor;
-import java.util.concurrent.Executors;
-
-@SuppressWarnings("OptionalUsedAsFieldOrParameterType")
-public class DispatchManager extends Thread {
-
-  private final Logger                       logger        = LoggerFactory.getLogger(DispatchManager.class);
-  private final Executor                     executor      = Executors.newCachedThreadPool();
-  private final Map<String, DispatchChannel> subscriptions = new ConcurrentHashMap<>();
-
-  private final Optional<DispatchChannel>    deadLetterChannel;
-  private final RedisPubSubConnectionFactory redisPubSubConnectionFactory;
-
-  private          PubSubConnection pubSubConnection;
-  private volatile boolean          running;
-
-  public DispatchManager(RedisPubSubConnectionFactory redisPubSubConnectionFactory,
-                         Optional<DispatchChannel> deadLetterChannel)
-  {
-    this.redisPubSubConnectionFactory = redisPubSubConnectionFactory;
-    this.deadLetterChannel            = deadLetterChannel;
-  }
-
-  @Override
-  public void start() {
-    this.pubSubConnection = redisPubSubConnectionFactory.connect();
-    this.running          = true;
-    super.start();
-  }
-
-  public void shutdown() {
-    this.running = false;
-    this.pubSubConnection.close();
-  }
-
-  public synchronized void subscribe(String name, DispatchChannel dispatchChannel) {
-    Optional<DispatchChannel> previous = Optional.ofNullable(subscriptions.get(name));
-    subscriptions.put(name, dispatchChannel);
-
-    try {
-      pubSubConnection.subscribe(name);
-    } catch (IOException e) {
-      logger.warn("Subscription error", e);
-    }
-
-    previous.ifPresent(channel -> dispatchUnsubscription(name, channel));
-  }
-
-  public synchronized void unsubscribe(String name, DispatchChannel channel) {
-    Optional<DispatchChannel> subscription = Optional.ofNullable(subscriptions.get(name));
-
-    if (subscription.isPresent() && subscription.get() == channel) {
-      subscriptions.remove(name);
-
-      try {
-        pubSubConnection.unsubscribe(name);
-      } catch (IOException e) {
-        logger.warn("Unsubscribe error", e);
-      }
-
-      dispatchUnsubscription(name, subscription.get());
-    }
-  }
-
-  public boolean hasSubscription(String name) {
-    return subscriptions.containsKey(name);
-  }
-  
-  @Override
-  public void run() {
-    while (running) {
-      try {
-        PubSubReply reply = pubSubConnection.read();
-
-        switch (reply.getType()) {
-          case UNSUBSCRIBE:                             break;
-          case SUBSCRIBE:   dispatchSubscribe(reply);   break;
-          case MESSAGE:     dispatchMessage(reply);     break;
-          default:          throw new AssertionError("Unknown pubsub reply type! " + reply.getType());
-        }
-      } catch (IOException e) {
-        logger.warn("***** PubSub Connection Error *****", e);
-        if (running) {
-          this.pubSubConnection.close();
-          this.pubSubConnection = redisPubSubConnectionFactory.connect();
-          resubscribeAll();
-        }
-      }
-    }
-
-    logger.warn("DispatchManager Shutting Down...");
-  }
-
-  private void dispatchSubscribe(final PubSubReply reply) {
-    Optional<DispatchChannel> subscription = Optional.ofNullable(subscriptions.get(reply.getChannel()));
-
-    if (subscription.isPresent()) {
-      dispatchSubscription(reply.getChannel(), subscription.get());
-    } else {
-      logger.info("Received subscribe event for non-existing channel: " + reply.getChannel());
-    }
-  }
-
-  private void dispatchMessage(PubSubReply reply) {
-    Optional<DispatchChannel> subscription = Optional.ofNullable(subscriptions.get(reply.getChannel()));
-
-    if (subscription.isPresent()) {
-      dispatchMessage(reply.getChannel(), subscription.get(), reply.getContent().get());
-    } else if (deadLetterChannel.isPresent()) {
-      dispatchMessage(reply.getChannel(), deadLetterChannel.get(), reply.getContent().get());
-    } else {
-      logger.warn("Received message for non-existing channel, with no dead letter handler: " + reply.getChannel());
-    }
-  }
-
-  private void resubscribeAll() {
-    new Thread(() -> {
-      synchronized (DispatchManager.this) {
-        try {
-          for (String name : subscriptions.keySet()) {
-            pubSubConnection.subscribe(name);
-          }
-        } catch (IOException e) {
-          logger.warn("***** RESUBSCRIPTION ERROR *****", e);
-        }
-      }
-    }).start();
-  }
-
-  private void dispatchMessage(final String name, final DispatchChannel channel, final byte[] message) {
-    executor.execute(() -> channel.onDispatchMessage(name, message));
-  }
-
-  private void dispatchSubscription(final String name, final DispatchChannel channel) {
-    executor.execute(() -> channel.onDispatchSubscribed(name));
-  }
-
-  private void dispatchUnsubscription(final String name, final DispatchChannel channel) {
-    executor.execute(() -> channel.onDispatchUnsubscribed(name));
-  }
-}
--- a/redis-dispatch/src/main/java/org/whispersystems/dispatch/io/RedisInputStream.java
+++ b/redis-dispatch/src/main/java/org/whispersystems/dispatch/io/RedisInputStream.java
@@ -1,68 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.io;
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-
-public class RedisInputStream {
-
-  private static final byte CR = 0x0D;
-  private static final byte LF = 0x0A;
-
-  private final InputStream inputStream;
-
-  public RedisInputStream(InputStream inputStream) {
-    this.inputStream = inputStream;
-  }
-
-  public String readLine() throws IOException {
-    ByteArrayOutputStream baos = new ByteArrayOutputStream();
-
-    boolean foundCr = false;
-
-    while (true) {
-      int character = inputStream.read();
-
-      if (character == -1) {
-        throw new IOException("Stream closed!");
-      }
-
-      baos.write(character);
-
-      if      (foundCr && character == LF) break;
-      else if (character == CR)            foundCr = true;
-      else if (foundCr)                    foundCr = false;
-    }
-
-    byte[] data = baos.toByteArray();
-    return new String(data, 0, data.length-2);
-  }
-
-  public byte[] readFully(int size) throws IOException {
-    byte[] result    = new byte[size];
-    int    offset    = 0;
-    int    remaining = result.length;
-
-    while (remaining > 0) {
-      int read = inputStream.read(result, offset, remaining);
-
-      if (read < 0) {
-        throw new IOException("Stream closed!");
-      }
-
-      offset    += read;
-      remaining -= read;
-    }
-
-    return result;
-  }
-
-  public void close() throws IOException {
-    inputStream.close();
-  }
-
-}
--- a/redis-dispatch/src/main/java/org/whispersystems/dispatch/io/RedisPubSubConnectionFactory.java
+++ b/redis-dispatch/src/main/java/org/whispersystems/dispatch/io/RedisPubSubConnectionFactory.java
@@ -1,13 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.io;
-
-import org.whispersystems.dispatch.redis.PubSubConnection;
-
-public interface RedisPubSubConnectionFactory {
-
-  PubSubConnection connect();
-
-}
--- a/redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/PubSubConnection.java
+++ b/redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/PubSubConnection.java
@@ -1,123 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.whispersystems.dispatch.io.RedisInputStream;
-import org.whispersystems.dispatch.redis.protocol.ArrayReplyHeader;
-import org.whispersystems.dispatch.redis.protocol.IntReply;
-import org.whispersystems.dispatch.redis.protocol.StringReplyHeader;
-import org.whispersystems.dispatch.util.Util;
-
-import java.io.BufferedInputStream;
-import java.io.IOException;
-import java.io.OutputStream;
-import java.net.Socket;
-import java.util.Arrays;
-import java.util.Optional;
-import java.util.concurrent.atomic.AtomicBoolean;
-
-public class PubSubConnection {
-
-  private final Logger logger = LoggerFactory.getLogger(PubSubConnection.class);
-
-  private static final byte[] UNSUBSCRIBE_TYPE    = {'u', 'n', 's', 'u', 'b', 's', 'c', 'r', 'i', 'b', 'e'     };
-  private static final byte[] SUBSCRIBE_TYPE      = {'s', 'u', 'b', 's', 'c', 'r', 'i', 'b', 'e'               };
-  private static final byte[] MESSAGE_TYPE        = {'m', 'e', 's', 's', 'a', 'g', 'e'                         };
-
-  private static final byte[] SUBSCRIBE_COMMAND   = {'S', 'U', 'B', 'S', 'C', 'R', 'I', 'B', 'E', ' '          };
-  private static final byte[] UNSUBSCRIBE_COMMAND = {'U', 'N', 'S', 'U', 'B', 'S', 'C', 'R', 'I', 'B', 'E', ' '};
-  private static final byte[] CRLF                = {'\r', '\n'                                                };
-
-  private final OutputStream     outputStream;
-  private final RedisInputStream inputStream;
-  private final Socket           socket;
-  private final AtomicBoolean    closed;
-
-  public PubSubConnection(Socket socket) throws IOException {
-    this.socket       = socket;
-    this.outputStream = socket.getOutputStream();
-    this.inputStream  = new RedisInputStream(new BufferedInputStream(socket.getInputStream()));
-    this.closed       = new AtomicBoolean(false);
-  }
-
-  public void subscribe(String channelName) throws IOException {
-    if (closed.get()) throw new IOException("Connection closed!");
-
-    byte[] command = Util.combine(SUBSCRIBE_COMMAND, channelName.getBytes(), CRLF);
-    outputStream.write(command);
-  }
-
-  public void unsubscribe(String channelName) throws IOException {
-    if (closed.get()) throw new IOException("Connection closed!");
-
-    byte[] command = Util.combine(UNSUBSCRIBE_COMMAND, channelName.getBytes(), CRLF);
-    outputStream.write(command);
-  }
-
-  public PubSubReply read() throws IOException {
-    if (closed.get()) throw new IOException("Connection closed!");
-
-    ArrayReplyHeader replyHeader = new ArrayReplyHeader(inputStream.readLine());
-
-    if (replyHeader.getElementCount() != 3) {
-      throw new IOException("Received array reply header with strange count: " + replyHeader.getElementCount());
-    }
-
-    StringReplyHeader replyTypeHeader = new StringReplyHeader(inputStream.readLine());
-    byte[]            replyType       = inputStream.readFully(replyTypeHeader.getStringLength());
-    inputStream.readLine();
-
-    if      (Arrays.equals(SUBSCRIBE_TYPE, replyType))   return readSubscribeReply();
-    else if (Arrays.equals(UNSUBSCRIBE_TYPE, replyType)) return readUnsubscribeReply();
-    else if (Arrays.equals(MESSAGE_TYPE, replyType))     return readMessageReply();
-    else throw new IOException("Unknown reply type: " + new String(replyType));
-  }
-
-  public void close() {
-    try {
-      this.closed.set(true);
-      this.inputStream.close();
-      this.outputStream.close();
-      this.socket.close();
-    } catch (IOException e) {
-      logger.warn("Exception while closing", e);
-    }
-  }
-
-  private PubSubReply readMessageReply() throws IOException {
-    StringReplyHeader channelNameHeader = new StringReplyHeader(inputStream.readLine());
-    byte[]            channelName       = inputStream.readFully(channelNameHeader.getStringLength());
-    inputStream.readLine();
-
-    StringReplyHeader messageHeader = new StringReplyHeader(inputStream.readLine());
-    byte[]            message       = inputStream.readFully(messageHeader.getStringLength());
-    inputStream.readLine();
-
-    return new PubSubReply(PubSubReply.Type.MESSAGE, new String(channelName), Optional.of(message));
-  }
-
-  private PubSubReply readUnsubscribeReply() throws IOException {
-    String channelName = readSubscriptionReply();
-    return new PubSubReply(PubSubReply.Type.UNSUBSCRIBE, channelName, Optional.empty());
-  }
-
-  private PubSubReply readSubscribeReply() throws IOException {
-    String channelName = readSubscriptionReply();
-    return new PubSubReply(PubSubReply.Type.SUBSCRIBE, channelName, Optional.empty());
-  }
-
-  private String readSubscriptionReply() throws IOException {
-    StringReplyHeader channelNameHeader = new StringReplyHeader(inputStream.readLine());
-    byte[]            channelName       = inputStream.readFully(channelNameHeader.getStringLength());
-    inputStream.readLine();
-
-    new IntReply(inputStream.readLine());
-
-    return new String(channelName);
-  }
-
-}
--- a/redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/PubSubReply.java
+++ b/redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/PubSubReply.java
@@ -1,40 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis;
-
-import java.util.Optional;
-
-@SuppressWarnings("OptionalUsedAsFieldOrParameterType")
-public class PubSubReply {
-
-  public enum Type {
-    MESSAGE,
-    SUBSCRIBE,
-    UNSUBSCRIBE
-  }
-
-  private final Type             type;
-  private final String           channel;
-  private final Optional<byte[]> content;
-
-  public PubSubReply(Type type, String channel, Optional<byte[]> content) {
-    this.type    = type;
-    this.channel = channel;
-    this.content = content;
-  }
-
-  public Type getType() {
-    return type;
-  }
-
-  public String getChannel() {
-    return channel;
-  }
-
-  public Optional<byte[]> getContent() {
-    return content;
-  }
-
-}
--- a/redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/protocol/ArrayReplyHeader.java
+++ b/redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/protocol/ArrayReplyHeader.java
@@ -1,28 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis.protocol;
-
-import java.io.IOException;
-
-public class ArrayReplyHeader {
-
-  private final int elementCount;
-
-  public ArrayReplyHeader(String header) throws IOException {
-    if (header == null || header.length() < 2 || header.charAt(0) != '*') {
-      throw new IOException("Invalid array reply header: " + header);
-    }
-
-    try {
-      this.elementCount = Integer.parseInt(header.substring(1));
-    } catch (NumberFormatException e) {
-      throw new IOException(e);
-    }
-  }
-
-  public int getElementCount() {
-    return elementCount;
-  }
-}
--- a/redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/protocol/IntReply.java
+++ b/redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/protocol/IntReply.java
@@ -1,28 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis.protocol;
-
-import java.io.IOException;
-
-public class IntReply {
-
-  private final int value;
-
-  public IntReply(String reply) throws IOException {
-    if (reply == null || reply.length() < 2 || reply.charAt(0) != ':') {
-      throw new IOException("Invalid int reply: " + reply);
-    }
-
-    try {
-      this.value = Integer.parseInt(reply.substring(1));
-    } catch (NumberFormatException e) {
-      throw new IOException(e);
-    }
-  }
-
-  public int getValue() {
-    return value;
-  }
-}
--- a/redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/protocol/StringReplyHeader.java
+++ b/redis-dispatch/src/main/java/org/whispersystems/dispatch/redis/protocol/StringReplyHeader.java
@@ -1,28 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis.protocol;
-
-import java.io.IOException;
-
-public class StringReplyHeader {
-
-  private final int stringLength;
-
-  public StringReplyHeader(String header) throws IOException {
-    if (header == null || header.length() < 2 || header.charAt(0) != '$') {
-      throw new IOException("Invalid string reply header: " + header);
-    }
-
-    try {
-      this.stringLength = Integer.parseInt(header.substring(1));
-    } catch (NumberFormatException e) {
-      throw new IOException(e);
-    }
-  }
-
-  public int getStringLength() {
-    return stringLength;
-  }
-}
--- a/redis-dispatch/src/main/java/org/whispersystems/dispatch/util/Util.java
+++ b/redis-dispatch/src/main/java/org/whispersystems/dispatch/util/Util.java
@@ -1,40 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.util;
-
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-
-public class Util {
-
-  public static byte[] combine(byte[]... elements) {
-    try {
-      int sum = 0;
-
-      for (byte[] element : elements) {
-        sum += element.length;
-      }
-
-      ByteArrayOutputStream baos = new ByteArrayOutputStream(sum);
-
-      for (byte[] element : elements) {
-        baos.write(element);
-      }
-
-      return baos.toByteArray();
-    } catch (IOException e) {
-      throw new AssertionError(e);
-    }
-  }
-
-
-  public static void sleep(long millis) {
-    try {
-      Thread.sleep(millis);
-    } catch (InterruptedException e) {
-      throw new AssertionError(e);
-    }
-  }
-}
--- a/redis-dispatch/src/test/java/org/whispersystems/dispatch/DispatchManagerTest.java
+++ b/redis-dispatch/src/test/java/org/whispersystems/dispatch/DispatchManagerTest.java
@@ -1,123 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch;
-
-import static org.junit.jupiter.api.Assertions.assertArrayEquals;
-import static org.mockito.Mockito.eq;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.timeout;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Optional;
-import org.junit.jupiter.api.AfterEach;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.mockito.ArgumentCaptor;
-import org.mockito.stubbing.Answer;
-import org.whispersystems.dispatch.io.RedisPubSubConnectionFactory;
-import org.whispersystems.dispatch.redis.PubSubConnection;
-import org.whispersystems.dispatch.redis.PubSubReply;
-
-public class DispatchManagerTest {
-
-  private PubSubConnection             pubSubConnection;
-  private RedisPubSubConnectionFactory socketFactory;
-  private DispatchManager              dispatchManager;
-  private PubSubReplyInputStream       pubSubReplyInputStream;
-
-  @BeforeEach
-  void setUp() throws Exception {
-    pubSubConnection       = mock(PubSubConnection.class  );
-    socketFactory          = mock(RedisPubSubConnectionFactory.class);
-    pubSubReplyInputStream = new PubSubReplyInputStream();
-
-    when(socketFactory.connect()).thenReturn(pubSubConnection);
-    when(pubSubConnection.read()).thenAnswer((Answer<PubSubReply>) invocationOnMock -> pubSubReplyInputStream.read());
-
-    dispatchManager = new DispatchManager(socketFactory, Optional.empty());
-    dispatchManager.start();
-  }
-
-  @AfterEach
-  void tearDown() {
-    dispatchManager.shutdown();
-  }
-
-  @Test
-  public void testConnect() {
-    verify(socketFactory).connect();
-  }
-
-  @Test
-  public void testSubscribe() {
-    DispatchChannel dispatchChannel = mock(DispatchChannel.class);
-    dispatchManager.subscribe("foo", dispatchChannel);
-    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.SUBSCRIBE, "foo", Optional.empty()));
-
-    verify(dispatchChannel, timeout(1000)).onDispatchSubscribed(eq("foo"));
-  }
-
-  @Test
-  public void testSubscribeUnsubscribe() {
-    DispatchChannel dispatchChannel = mock(DispatchChannel.class);
-    dispatchManager.subscribe("foo", dispatchChannel);
-    dispatchManager.unsubscribe("foo", dispatchChannel);
-
-    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.SUBSCRIBE, "foo", Optional.empty()));
-    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.UNSUBSCRIBE, "foo", Optional.empty()));
-
-    verify(dispatchChannel, timeout(1000)).onDispatchUnsubscribed(eq("foo"));
-  }
-
-  @Test
-  public void testMessages() {
-    DispatchChannel fooChannel = mock(DispatchChannel.class);
-    DispatchChannel barChannel = mock(DispatchChannel.class);
-
-    dispatchManager.subscribe("foo", fooChannel);
-    dispatchManager.subscribe("bar", barChannel);
-
-    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.SUBSCRIBE, "foo", Optional.empty()));
-    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.SUBSCRIBE, "bar", Optional.empty()));
-
-    verify(fooChannel, timeout(1000)).onDispatchSubscribed(eq("foo"));
-    verify(barChannel, timeout(1000)).onDispatchSubscribed(eq("bar"));
-
-    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.MESSAGE, "foo", Optional.of("hello".getBytes())));
-    pubSubReplyInputStream.write(new PubSubReply(PubSubReply.Type.MESSAGE, "bar", Optional.of("there".getBytes())));
-
-    ArgumentCaptor<byte[]> captor = ArgumentCaptor.forClass(byte[].class);
-    verify(fooChannel, timeout(1000)).onDispatchMessage(eq("foo"), captor.capture());
-
-    assertArrayEquals("hello".getBytes(), captor.getValue());
-
-    verify(barChannel, timeout(1000)).onDispatchMessage(eq("bar"), captor.capture());
-
-    assertArrayEquals("there".getBytes(), captor.getValue());
-  }
-
-  private static class PubSubReplyInputStream {
-
-    private final List<PubSubReply> pubSubReplyList = new LinkedList<>();
-
-    public synchronized PubSubReply read() {
-      try {
-        while (pubSubReplyList.isEmpty()) wait();
-        return pubSubReplyList.remove(0);
-      } catch (InterruptedException e) {
-        throw new AssertionError(e);
-      }
-    }
-
-    public synchronized void write(PubSubReply pubSubReply) {
-      pubSubReplyList.add(pubSubReply);
-      notifyAll();
-    }
-  }
-
-}
--- a/redis-dispatch/src/test/java/org/whispersystems/dispatch/redis/PubSubConnectionTest.java
+++ b/redis-dispatch/src/test/java/org/whispersystems/dispatch/redis/PubSubConnectionTest.java
@@ -1,264 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis;
-
-import static org.junit.jupiter.api.Assertions.assertArrayEquals;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertFalse;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.ArgumentMatchers.anyInt;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.net.Socket;
-import java.security.SecureRandom;
-import org.junit.jupiter.api.Test;
-import org.mockito.ArgumentCaptor;
-import org.mockito.invocation.InvocationOnMock;
-import org.mockito.stubbing.Answer;
-
-class PubSubConnectionTest {
-
-  private static final String REPLY = "*3\r\n" +
-      "$9\r\n" +
-      "subscribe\r\n" +
-      "$5\r\n" +
-      "abcde\r\n" +
-      ":1\r\n" +
-      "*3\r\n" +
-      "$9\r\n" +
-      "subscribe\r\n" +
-      "$5\r\n" +
-      "fghij\r\n" +
-      ":2\r\n" +
-      "*3\r\n" +
-      "$9\r\n" +
-      "subscribe\r\n" +
-      "$5\r\n" +
-      "klmno\r\n" +
-      ":2\r\n" +
-      "*3\r\n" +
-      "$7\r\n" +
-      "message\r\n" +
-      "$5\r\n" +
-      "abcde\r\n" +
-      "$10\r\n" +
-      "1234567890\r\n" +
-      "*3\r\n" +
-      "$7\r\n" +
-      "message\r\n" +
-      "$5\r\n" +
-      "klmno\r\n" +
-      "$10\r\n" +
-      "0987654321\r\n";
-
-
-  @Test
-  void testSubscribe() throws IOException {
-    OutputStream outputStream = mock(OutputStream.class);
-    Socket       socket       = mock(Socket.class      );
-    when(socket.getOutputStream()).thenReturn(outputStream);
-    PubSubConnection connection  = new PubSubConnection(socket);
-
-    connection.subscribe("foobar");
-
-    ArgumentCaptor<byte[]> captor = ArgumentCaptor.forClass(byte[].class);
-    verify(outputStream).write(captor.capture());
-
-    assertArrayEquals(captor.getValue(), "SUBSCRIBE foobar\r\n".getBytes());
-  }
-
-  @Test
-  void testUnsubscribe() throws IOException {
-    OutputStream outputStream = mock(OutputStream.class);
-    Socket       socket       = mock(Socket.class      );
-    when(socket.getOutputStream()).thenReturn(outputStream);
-    PubSubConnection connection  = new PubSubConnection(socket);
-
-    connection.unsubscribe("bazbar");
-
-    ArgumentCaptor<byte[]> captor = ArgumentCaptor.forClass(byte[].class);
-    verify(outputStream).write(captor.capture());
-
-    assertArrayEquals(captor.getValue(), "UNSUBSCRIBE bazbar\r\n".getBytes());
-  }
-
-  @Test
-  void testTricklyResponse() throws Exception {
-    InputStream  inputStream  = mockInputStreamFor(new TrickleInputStream(REPLY.getBytes()));
-    OutputStream outputStream = mock(OutputStream.class);
-    Socket       socket       = mock(Socket.class      );
-    when(socket.getOutputStream()).thenReturn(outputStream);
-    when(socket.getInputStream()).thenReturn(inputStream);
-
-    PubSubConnection pubSubConnection = new PubSubConnection(socket);
-    readResponses(pubSubConnection);
-  }
-
-  @Test
-  void testFullResponse() throws Exception {
-    InputStream  inputStream  = mockInputStreamFor(new FullInputStream(REPLY.getBytes()));
-    OutputStream outputStream = mock(OutputStream.class);
-    Socket       socket       = mock(Socket.class      );
-    when(socket.getOutputStream()).thenReturn(outputStream);
-    when(socket.getInputStream()).thenReturn(inputStream);
-
-    PubSubConnection pubSubConnection = new PubSubConnection(socket);
-    readResponses(pubSubConnection);
-  }
-
-  @Test
-  void testRandomLengthResponse() throws Exception {
-    InputStream  inputStream  = mockInputStreamFor(new RandomInputStream(REPLY.getBytes()));
-    OutputStream outputStream = mock(OutputStream.class);
-    Socket       socket       = mock(Socket.class      );
-    when(socket.getOutputStream()).thenReturn(outputStream);
-    when(socket.getInputStream()).thenReturn(inputStream);
-
-    PubSubConnection pubSubConnection = new PubSubConnection(socket);
-    readResponses(pubSubConnection);
-  }
-
-  private InputStream mockInputStreamFor(final MockInputStream stub) throws IOException {
-    InputStream result = mock(InputStream.class);
-
-    when(result.read()).thenAnswer(new Answer<Integer>() {
-      @Override
-      public Integer answer(InvocationOnMock invocationOnMock) throws Throwable {
-        return stub.read();
-      }
-    });
-
-    when(result.read(any(byte[].class))).thenAnswer(new Answer<Integer>() {
-      @Override
-      public Integer answer(InvocationOnMock invocationOnMock) throws Throwable {
-        byte[] buffer = (byte[])invocationOnMock.getArguments()[0];
-        return stub.read(buffer, 0, buffer.length);
-      }
-    });
-
-    when(result.read(any(byte[].class), anyInt(), anyInt())).thenAnswer(new Answer<Integer>() {
-      @Override
-      public Integer answer(InvocationOnMock invocationOnMock) throws Throwable {
-        byte[] buffer = (byte[]) invocationOnMock.getArguments()[0];
-        int offset = (int) invocationOnMock.getArguments()[1];
-        int length = (int) invocationOnMock.getArguments()[2];
-
-        return stub.read(buffer, offset, length);
-      }
-    });
-
-    return result;
-  }
-
-  private void readResponses(PubSubConnection pubSubConnection) throws Exception {
-    PubSubReply reply = pubSubConnection.read();
-
-    assertEquals(reply.getType(), PubSubReply.Type.SUBSCRIBE);
-    assertEquals(reply.getChannel(), "abcde");
-    assertFalse(reply.getContent().isPresent());
-
-    reply = pubSubConnection.read();
-
-    assertEquals(reply.getType(), PubSubReply.Type.SUBSCRIBE);
-    assertEquals(reply.getChannel(), "fghij");
-    assertFalse(reply.getContent().isPresent());
-
-    reply = pubSubConnection.read();
-
-    assertEquals(reply.getType(), PubSubReply.Type.SUBSCRIBE);
-    assertEquals(reply.getChannel(), "klmno");
-    assertFalse(reply.getContent().isPresent());
-
-    reply = pubSubConnection.read();
-
-    assertEquals(reply.getType(), PubSubReply.Type.MESSAGE);
-    assertEquals(reply.getChannel(), "abcde");
-    assertArrayEquals(reply.getContent().get(), "1234567890".getBytes());
-
-    reply = pubSubConnection.read();
-
-    assertEquals(reply.getType(), PubSubReply.Type.MESSAGE);
-    assertEquals(reply.getChannel(), "klmno");
-    assertArrayEquals(reply.getContent().get(), "0987654321".getBytes());
-  }
-
-  private interface MockInputStream {
-    public int read();
-    public int read(byte[] input, int offset, int length);
-  }
-
-  private static class TrickleInputStream implements MockInputStream {
-
-    private final byte[] data;
-    private int index = 0;
-
-    private TrickleInputStream(byte[] data) {
-      this.data = data;
-    }
-
-    public int read() {
-      return data[index++];
-    }
-
-    public int read(byte[] input, int offset, int length) {
-      input[offset] = data[index++];
-      return 1;
-    }
-
-  }
-
-  private static class FullInputStream implements MockInputStream {
-
-    private final byte[] data;
-    private int index = 0;
-
-    private FullInputStream(byte[] data) {
-      this.data = data;
-    }
-
-    public int read() {
-      return data[index++];
-    }
-
-    public int read(byte[] input, int offset, int length) {
-      int amount = Math.min(data.length - index, length);
-      System.arraycopy(data, index, input, offset, amount);
-      index += length;
-
-      return amount;
-    }
-  }
-
-  private static class RandomInputStream implements MockInputStream {
-    private final byte[] data;
-    private int index = 0;
-
-    private RandomInputStream(byte[] data) {
-      this.data = data;
-    }
-
-    public int read() {
-      return data[index++];
-    }
-
-    public int read(byte[] input, int offset, int length) {
-      int maxCopy    = Math.min(data.length - index, length);
-      int randomCopy = new SecureRandom().nextInt(maxCopy) + 1;
-      int copyAmount = Math.min(maxCopy, randomCopy);
-
-      System.arraycopy(data, index, input, offset, copyAmount);
-      index += copyAmount;
-
-      return copyAmount;
-    }
-
-  }
-
-}
--- a/redis-dispatch/src/test/java/org/whispersystems/dispatch/redis/protocol/ArrayReplyHeaderTest.java
+++ b/redis-dispatch/src/test/java/org/whispersystems/dispatch/redis/protocol/ArrayReplyHeaderTest.java
@@ -1,54 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis.protocol;
-
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-
-import java.io.IOException;
-import org.junit.jupiter.api.Test;
-
-class ArrayReplyHeaderTest {
-
-  @Test
-  void testNull() {
-    assertThrows(IOException.class, () -> new ArrayReplyHeader(null));
-  }
-
-  @Test
-  void testBadPrefix() {
-    assertThrows(IOException.class, () -> new ArrayReplyHeader(":3"));
-  }
-
-  @Test
-  void testEmpty() {
-    assertThrows(IOException.class, () -> new ArrayReplyHeader(""));
-  }
-
-  @Test
-  void testTruncated() {
-    assertThrows(IOException.class, () -> new ArrayReplyHeader("*"));
-  }
-
-  @Test
-  void testBadNumber() {
-    assertThrows(IOException.class, () -> new ArrayReplyHeader("*ABC"));
-  }
-
-  @Test
-  void testValid() throws IOException {
-    assertEquals(4, new ArrayReplyHeader("*4").getElementCount());
-  }
-
-
-
-
-
-
-
-
-
-}
--- a/redis-dispatch/src/test/java/org/whispersystems/dispatch/redis/protocol/IntReplyHeaderTest.java
+++ b/redis-dispatch/src/test/java/org/whispersystems/dispatch/redis/protocol/IntReplyHeaderTest.java
@@ -1,39 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis.protocol;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-
-import java.io.IOException;
-import org.junit.jupiter.api.Test;
-
-class IntReplyHeaderTest {
-
-  @Test
-  void testNull() {
-    assertThrows(IOException.class, () -> new IntReply(null));
-  }
-
-  @Test
-  void testEmpty() {
-    assertThrows(IOException.class, () -> new IntReply(""));
-  }
-
-  @Test
-  void testBadNumber() {
-    assertThrows(IOException.class, () -> new IntReply(":A"));
-  }
-
-  @Test
-  void testBadFormat() {
-    assertThrows(IOException.class, () -> new IntReply("*"));
-  }
-
-  @Test
-  void testValid() throws IOException {
-    assertEquals(23, new IntReply(":23").getValue());
-  }
-}
--- a/redis-dispatch/src/test/java/org/whispersystems/dispatch/redis/protocol/StringReplyHeaderTest.java
+++ b/redis-dispatch/src/test/java/org/whispersystems/dispatch/redis/protocol/StringReplyHeaderTest.java
@@ -1,35 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.dispatch.redis.protocol;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-
-import java.io.IOException;
-import org.junit.jupiter.api.Test;
-
-class StringReplyHeaderTest {
-
-  @Test
-  void testNull() {
-    assertThrows(IOException.class, () -> new StringReplyHeader(null));
-  }
-
-  @Test
-  void testBadNumber() {
-    assertThrows(IOException.class, () -> new StringReplyHeader("$100A"));
-  }
-
-  @Test
-  void testBadPrefix() {
-    assertThrows(IOException.class, () -> new StringReplyHeader("*"));
-  }
-
-  @Test
-  void testValid() throws IOException {
-    assertEquals(1000, new StringReplyHeader("$1000").getStringLength());
-  }
-
-}
--- a/service/config/sample-secrets-bundle.yml
+++ b/service/config/sample-secrets-bundle.yml
@@ -0,0 +1,90 @@
+datadog.apiKey: unset
+
+stripe.apiKey: unset
+stripe.idempotencyKeyGenerator: abcdefg12345678= # base64 for creating request idempotency hash
+
+braintree.privateKey: unset
+
+directoryV2.client.userAuthenticationTokenSharedSecret: abcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with CDS to generate auth tokens for Signal users
+directoryV2.client.userIdTokenSharedSecret: bbcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with CDS to generate auth identity tokens for Signal users
+
+svr2.userAuthenticationTokenSharedSecret: abcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with SVR2 to generate auth tokens for Signal users
+svr2.userIdTokenSharedSecret: bbcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with SVR2 to generate auth identity tokens for Signal users
+
+tus.userAuthenticationTokenSharedSecret: abcdefghijklmnopqrstuvwxyz0123456789ABCDEFG=
+
+awsAttachments.accessKey: test
+awsAttachments.accessSecret: test
+
+gcpAttachments.rsaSigningKey: |
+  -----BEGIN PRIVATE KEY-----
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  AAAAAAAA
+  -----END PRIVATE KEY-----
+
+apn.teamId: team-id
+apn.keyId: key-id
+apn.signingKey: |
+  -----BEGIN PRIVATE KEY-----
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+  AAAAAAAA
+  -----END PRIVATE KEY-----
+
+fcm.credentials: |
+  { "json": true }
+
+cdn.accessKey: test    # AWS Access Key ID
+cdn.accessSecret: test # AWS Access Secret
+
+unidentifiedDelivery.certificate: ABCD1234
+unidentifiedDelivery.privateKey: ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789AAAAAAA
+
+hCaptcha.apiKey: unset
+
+storageService.userAuthenticationTokenSharedSecret: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
+
+zkConfig.serverSecret: ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzAA==
+
+genericZkConfig.serverSecret: ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzAA==
+callingZkConfig.serverSecret: ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzAA==
+backupsZkConfig.serverSecret: ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzAA==
+
+paymentsService.userAuthenticationTokenSharedSecret: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= # base64-encoded 32-byte secret shared with MobileCoin services used to generate auth tokens for Signal users
+paymentsService.fixerApiKey: unset
+paymentsService.coinMarketCapApiKey: unset
+
+artService.userAuthenticationTokenSharedSecret: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= # base64-encoded 32-byte secret not shared with any external service, but used in ArtController
+artService.userAuthenticationTokenUserIdSecret: AAAAAAAAAAA= # base64-encoded secret to obscure user phone numbers from Sticker Creator
+
+currentReportingKey.secret: AAAAAAAAAAA=
+currentReportingKey.salt: AAAAAAAAAAA=
+
+turn.secret: AAAAAAAAAAA=
+
+linkDevice.secret: AAAAAAAAAAA=
--- a/service/config/sample.yml
+++ b/service/config/sample.yml
@@ -3,11 +3,78 @@
 # `unset` values will need to be set to work properly.
 # Most other values are technically valid for a local/demonstration environment, but are probably not production-ready.

+logging:
+  level: INFO
+  appenders:
+    - type: console
+      threshold: ALL
+      timeZone: UTC
+      target: stdout
+    - type: logstashtcpsocket
+      destination: example.com:10516
+      apiKey: secret://datadog.apiKey
+      environment: staging
+
+metrics:
+  reporters:
+    - type: signal-datadog
+      frequency: 10 seconds
+      tags:
+        - "env:staging"
+        - "service:chat"
+      udpTransport:
+        statsdHost: localhost
+        port: 8125
+      excludesAttributes:
+        - m1_rate
+        - m5_rate
+        - m15_rate
+        - mean_rate
+        - stddev
+      useRegexFilters: true
+      excludes:
+        - ^.+\.total$
+        - ^.+\.request\.filtering$
+        - ^.+\.response\.filtering$
+        - ^executor\..+$
+        - ^lettuce\..+$
+  reportOnStop: true
+
+adminEventLoggingConfiguration:
+  credentials: |
+    {
+      "key": "value"
+    }
+  projectId: some-project-id
+  logName: some-log-name
+
+grpcPort: 8080
+
 stripe:
-  apiKey: unset
-  idempotencyKeyGenerator: abcdefg12345678= # base64 for creating request idempotency hash
+  apiKey: secret://stripe.apiKey
+  idempotencyKeyGenerator: secret://stripe.idempotencyKeyGenerator
  boostDescription: >
    Example
+  supportedCurrenciesByPaymentMethod:
+    CARD:
+      - usd
+      - eur
+    SEPA_DEBIT:
+      - eur
+
+
+braintree:
+  merchantId: unset
+  publicKey: unset
+  privateKey: secret://braintree.privateKey
+  environment: unset
+  graphqlUrl: unset
+  merchantAccounts:
+    # ISO 4217 currency code and its corresponding sub-merchant account
+    'xts': unset
+  supportedCurrenciesByPaymentMethod:
+    PAYPAL:
+      - usd

 dynamoDbClientConfiguration:
  region: us-west-2 # AWS Region
@@ -18,25 +85,29 @@ dynamoDbTables:
    phoneNumberTableName: Example_Accounts_PhoneNumbers
    phoneNumberIdentifierTableName: Example_Accounts_PhoneNumberIdentifiers
    usernamesTableName: Example_Accounts_Usernames
-    scanPageSize: 100
+  backups:
+    tableName: Example_Backups
+  clientReleases:
+    tableName: Example_ClientReleases
  deletedAccounts:
    tableName: Example_DeletedAccounts
-    needsReconciliationIndexName: NeedsReconciliation
  deletedAccountsLock:
    tableName: Example_DeletedAccountsLock
  issuedReceipts:
    tableName: Example_IssuedReceipts
    expiration: P30D # Duration of time until rows expire
    generator: abcdefg12345678= # random base64-encoded binary sequence
-  keys:
+  ecKeys:
    tableName: Example_Keys
+  ecSignedPreKeys:
+    tableName: Example_EC_Signed_Pre_Keys
+  pqKeys:
+    tableName: Example_PQ_Keys
+  pqLastResortKeys:
+    tableName: Example_PQ_Last_Resort_Keys
  messages:
    tableName: Example_Messages
    expiration: P30D # Duration of time until rows expire
-  pendingAccounts:
-    tableName: Example_PendingAccounts
-  pendingDevices:
-    tableName: Example_PendingDevices
  phoneNumberIdentifiers:
    tableName: Example_PhoneNumberIdentifiers
  profiles:
@@ -46,37 +117,17 @@ dynamoDbTables:
  redeemedReceipts:
    tableName: Example_RedeemedReceipts
    expiration: P30D # Duration of time until rows expire
+  registrationRecovery:
+    tableName: Example_RegistrationRecovery
+    expiration: P300D # Duration of time until rows expire
  remoteConfig:
    tableName: Example_RemoteConfig
  reportMessage:
    tableName: Example_ReportMessage
-  reservedUsernames:
-    tableName: Example_ReservedUsernames
  subscriptions:
    tableName: Example_Subscriptions
-
-twilio: # Twilio gateway configuration
-  accountId: unset
-  accountToken: unset
-  nanpaMessagingServiceSid: unset # Twilio SID for the messaging service to use for NANPA.
-  messagingServiceSid: unset # Twilio SID for the message service to use for non-NANPA.
-  verifyServiceSid: unset # Twilio SID for a Verify service
-  localDomain: example.com # Domain Twilio can connect back to for calls. Should be domain of your service.
-  defaultClientVerificationTexts:
-    ios: example %1$s # Text to use for the verification message on iOS. Will be passed to String.format with the verification code as argument 1.
-    androidNg: example %1$s # Text to use for the verification message on android-ng client types. Will be passed to String.format with the verification code as argument 1.
-    android202001: example %1$s # Text to use for the verification message on android-2020-01 client types. Will be passed to String.format with the verification code as argument 1.
-    android202103: example %1$s # Text to use for the verification message on android-2021-03 client types. Will be passed to String.format with the verification code as argument 1.
-    generic: example %1$s # Text to use when the client type is unrecognized. Will be passed to String.format with the verification code as argument 1.
-  regionalClientVerificationTexts: # Map of country codes to custom texts
-    999: # example country code
-      ios: example %1$s # all keys from defaultClientVerificationTexts are required
-      androidNg: example %1$s
-      android202001: example %1$s
-      android202103: example %1$s
-      generic: example %1$s
-  androidAppHash: example # Hash appended to Android
-  verifyServiceFriendlyName: example # Service name used in template. Requires Twilio account rep to enable
+  verificationSessions:
+    tableName: Example_VerificationSessions

 cacheCluster: # Redis server configuration for cache cluster
  configurationUri: redis://redis.example.com:6379/
@@ -85,9 +136,7 @@ clientPresenceCluster: # Redis server configuration for client presence cluster
  configurationUri: redis://redis.example.com:6379/

 pubsub: # Redis server configuration for pubsub cluster
-  url: redis://redis.example.com:6379/
-  replicaUrls:
-    - redis://redis.example.com:6379/
+  uri: redis://redis.example.com:6379/

 pushSchedulerCluster: # Redis server configuration for push scheduler cluster
  configurationUri: redis://redis.example.com:6379/
@@ -95,46 +144,39 @@ pushSchedulerCluster: # Redis server configuration for push scheduler cluster
 rateLimitersCluster: # Redis server configuration for rate limiters cluster
  configurationUri: redis://redis.example.com:6379/

-directory:
-  client: # Configuration for interfacing with Contact Discovery Service cluster
-    userAuthenticationTokenSharedSecret: 00000f # hex-encoded secret shared with CDS used to generate auth tokens for Signal users
-    userAuthenticationTokenUserIdSecret: 00000f # hex-encoded secret shared among Signal-Servers to obscure user phone numbers from CDS
-  sqs:
-    accessKey: test     # AWS SQS accessKey
-    accessSecret: test  # AWS SQS accessSecret
-    queueUrls: # AWS SQS queue urls
-      - https://sqs.example.com/directory.fifo
-  server: # One or more CDS servers
-    - replicationName: example           # CDS replication name
-      replicationUrl: cds.example.com    # CDS replication endpoint base url
-      replicationPassword: example       # CDS replication endpoint password
-      replicationCaCertificate: |        # CDS replication endpoint TLS certificate trust root
-        -----BEGIN CERTIFICATE-----
-        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-        ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-        AAAAAAAAAAAAAAAAAAAA
-        -----END CERTIFICATE-----
-
 directoryV2:
  client: # Configuration for interfacing with Contact Discovery Service v2 cluster
-    userAuthenticationTokenSharedSecret: abcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with CDS to generate auth tokens for Signal users
-    userIdTokenSharedSecret: bbcdefghijklmnopqrstuvwxyz0123456789ABCDEFG= # base64-encoded secret shared with CDS to generate auth identity tokens for Signal users
+    userAuthenticationTokenSharedSecret: secret://directoryV2.client.userAuthenticationTokenSharedSecret
+    userIdTokenSharedSecret: secret://directoryV2.client.userIdTokenSharedSecret
+
+svr2:
+  uri: svr2.example.com
+  userAuthenticationTokenSharedSecret: secret://svr2.userAuthenticationTokenSharedSecret
+  userIdTokenSharedSecret: secret://svr2.userIdTokenSharedSecret
+  svrCaCertificates:
+    - |
+      -----BEGIN CERTIFICATE-----
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      AAAAAAAAAAAAAAAAAAAA
+      -----END CERTIFICATE-----
+

 messageCache: # Redis server configuration for message store cache
  persistDelayMinutes: 1
@@ -145,8 +187,8 @@ metricsCluster:
  configurationUri: redis://redis.example.com:6379/

 awsAttachments: # AWS S3 configuration
-  accessKey: test
-  accessSecret: test
+  accessKey: secret://awsAttachments.accessKey
+  accessSecret: secret://awsAttachments.accessSecret
  bucket: aws-attachments
  region: us-west-2

@@ -155,136 +197,82 @@ gcpAttachments: # GCP Storage configuration
  email: user@example.cocm
  maxSizeInBytes: 1024
  pathPrefix:
-  rsaSigningKey: |
-    -----BEGIN PRIVATE KEY-----
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    AAAAAAAA
-    -----END PRIVATE KEY-----
+  rsaSigningKey: secret://gcpAttachments.rsaSigningKey

-accountDatabaseCrawler:
-  chunkSize: 10           # accounts per run
-  chunkIntervalMs: 60000  # time per run
+tus:
+  uploadUri: https://example.org/upload
+  userAuthenticationTokenSharedSecret: secret://tus.userAuthenticationTokenSharedSecret

 apn: # Apple Push Notifications configuration
  sandbox: true
  bundleId: com.example.textsecuregcm
-  keyId: unset
-  teamId: unset
-  signingKey: |
-    -----BEGIN PRIVATE KEY-----
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    AAAAAAAA
-    -----END PRIVATE KEY-----
+  keyId: secret://apn.keyId
+  teamId: secret://apn.teamId
+  signingKey: secret://apn.signingKey

 fcm: # FCM configuration
-  credentials: |
-    { "json": true }
+  credentials: secret://fcm.credentials

 cdn:
-  accessKey: test    # AWS Access Key ID
-  accessSecret: test # AWS Access Secret
+  accessKey: secret://cdn.accessKey
+  accessSecret: secret://cdn.accessSecret
  bucket: cdn        # S3 Bucket name
  region: us-west-2  # AWS region

-datadog:
-  apiKey: unset
+dogstatsd:
  environment: dev

 unidentifiedDelivery:
-  certificate: ABCD1234
-  privateKey: ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789AAAAAAA
+  certificate: secret://unidentifiedDelivery.certificate
+  privateKey: secret://unidentifiedDelivery.privateKey
  expiresDays: 7

-voiceVerification:
-  url: https://cdn-ca.signal.org/verification/
-  locales:
-    - en
-
 recaptcha:
  projectPath: projects/example
  credentialConfigurationJson: "{ }" # service account configuration for backend authentication

+hCaptcha:
+  apiKey: secret://hCaptcha.apiKey
+
+shortCode:
+  baseUrl: https://example.com/shortcodes/
+
 storageService:
  uri: storage.example.com
-  userAuthenticationTokenSharedSecret: 00000f
-  storageCaCertificate: |
-    -----BEGIN CERTIFICATE-----
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    AAAAAAAAAAAAAAAAAAAA
-    -----END CERTIFICATE-----
-
-backupService:
-  uri: backup.example.com
-  userAuthenticationTokenSharedSecret: 00000f
-  backupCaCertificate: |
-    -----BEGIN CERTIFICATE-----
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-    AAAAAAAAAAAAAAAAAAAA
-    -----END CERTIFICATE-----
+  userAuthenticationTokenSharedSecret: secret://storageService.userAuthenticationTokenSharedSecret
+  storageCaCertificates:
+    - |
+      -----BEGIN CERTIFICATE-----
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+      AAAAAAAAAAAAAAAAAAAA
+      -----END CERTIFICATE-----

 zkConfig:
  serverPublic: ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
-  serverSecret: ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyzAA==
+  serverSecret: secret://zkConfig.serverSecret
+
+callingZkConfig:
+  serverSecret: secret://callingZkConfig.serverSecret
+
+backupsZkConfig:
+  serverSecret: secret://backupsZkConfig.serverSecret

 appConfig:
  application: example
@@ -292,28 +280,33 @@ appConfig:
  configuration: example

 remoteConfig:
-  authorizedTokens:
-    - # 1st authorized token
-    - # 2nd authorized token
+  authorizedUsers:
+    - # 1st authorized user
+    - # 2nd authorized user
    - # ...
-    - # Nth authorized token
+    - # Nth authorized user
+  requiredHostedDomain: example.com
+  audiences:
+    - # 1st audience
+    - # 2nd audience
+    - # ...
+    - # Nth audience
  globalConfig: # keys and values that are given to clients on GET /v1/config
    EXAMPLE_KEY: VALUE

 paymentsService:
-  userAuthenticationTokenSharedSecret: 0000000f0000000f0000000f0000000f0000000f0000000f0000000f0000000f # hex-encoded 32-byte secret shared with MobileCoin services used to generate auth tokens for Signal users
-  fixerApiKey: unset
+  userAuthenticationTokenSharedSecret: secret://paymentsService.userAuthenticationTokenSharedSecret
+  fixerApiKey: secret://paymentsService.fixerApiKey
+  coinMarketCapApiKey: secret://paymentsService.coinMarketCapApiKey
+  coinMarketCapCurrencyIds:
+    MOB: 7878
  paymentCurrencies:
    # list of symbols for supported currencies
    - MOB

-donation:
-  uri: donation.example.com # value
-  supportedCurrencies:
-    - # 1st supported currency
-    - # 2nd supported currency
-    - # ...
-    - # Nth supported currency
+artService:
+  userAuthenticationTokenSharedSecret: secret://artService.userAuthenticationTokenSharedSecret
+  userAuthenticationTokenUserIdSecret: secret://artService.userAuthenticationTokenUserIdSecret

 badges:
  badges:
@@ -344,26 +337,69 @@ subscription: # configuration for Stripe subscriptions
        # list of ISO 4217 currency codes and amounts for the given badge level
        xts:
          amount: '10'
-          id: price_example # stripe ID
+          processorIds:
+            STRIPE: price_example   # stripe Price ID
+            BRAINTREE: plan_example # braintree Plan ID

-boost:
-  level: 1
-  expiration: P90D
-  badge: EXAMPLE
+oneTimeDonations:
+  sepaMaxTransactionSizeEuros: '10000'
+  boost:
+    level: 1
+    expiration: P90D
+    badge: EXAMPLE
+  gift:
+    level: 10
+    expiration: P90D
+    badge: EXAMPLE
  currencies:
    # ISO 4217 currency codes and amounts in those currencies
    xts:
-      - '1'
-      - '2'
-      - '4'
-      - '8'
-      - '20'
-      - '40'
+      minimum: '0.5'
+      gift: '2'
+      boosts:
+        - '1'
+        - '2'
+        - '4'
+        - '8'
+        - '20'
+        - '40'

-gift:
-  level: 10
-  expiration: P90D
-  badge: EXAMPLE
-  currencies:
-    # ISO 4217 currency codes and amounts in those currencies
-    xts: '2'
+registrationService:
+  host: registration.example.com
+  port: 443
+  credentialConfigurationJson: |
+    {
+      "example": "example"
+    }
+  identityTokenAudience: https://registration.example.com
+  registrationCaCertificate: | # Registration service TLS certificate trust root
+    -----BEGIN CERTIFICATE-----
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
+    AAAAAAAAAAAAAAAAAAAA
+    -----END CERTIFICATE-----
+
+turn:
+  secret: secret://turn.secret
+
+commandStopListener:
+  path: /example/path
+
+linkDevice:
+  secret: secret://linkDevice.secret
--- a/service/pom.xml
+++ b/service/pom.xml
@@ -10,7 +10,25 @@
  <modelVersion>4.0.0</modelVersion>
  <artifactId>service</artifactId>

+  <properties>
+    <firebase-admin.version>9.2.0</firebase-admin.version>
+    <java-uuid-generator.version>4.3.0</java-uuid-generator.version>
+    <sqlite4java.version>1.0.392</sqlite4java.version>
+  </properties>
+
  <dependencies>
+    <dependency>
+      <groupId>io.swagger.core.v3</groupId>
+      <artifactId>swagger-jaxrs2</artifactId>
+      <version>${swagger.version}</version>
+      <exclusions>
+        <!-- org.yaml:snakeyaml is causing a dependency convergence error -->
+        <exclusion>
+          <groupId>org.yaml</groupId>
+          <artifactId>snakeyaml</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
    <dependency>
      <groupId>jakarta.servlet</groupId>
      <artifactId>jakarta.servlet-api</artifactId>
@@ -26,7 +44,7 @@

    <dependency>
      <groupId>org.whispersystems.textsecure</groupId>
-      <artifactId>redis-dispatch</artifactId>
+      <artifactId>event-logger</artifactId>
      <version>${project.version}</version>
    </dependency>
    <dependency>
@@ -43,10 +61,6 @@
      <groupId>io.dropwizard</groupId>
      <artifactId>dropwizard-core</artifactId>
    </dependency>
-    <dependency>
-      <groupId>io.dropwizard</groupId>
-      <artifactId>dropwizard-jdbi3</artifactId>
-    </dependency>
    <dependency>
      <groupId>io.dropwizard</groupId>
      <artifactId>dropwizard-auth</artifactId>
@@ -118,19 +132,10 @@
      <artifactId>logstash-logback-encoder</artifactId>
    </dependency>

-    <dependency>
-      <groupId>org.jdbi</groupId>
-      <artifactId>jdbi3-core</artifactId>
-    </dependency>
-
    <dependency>
      <groupId>io.dropwizard.metrics</groupId>
      <artifactId>metrics-core</artifactId>
    </dependency>
-    <dependency>
-      <groupId>io.dropwizard.metrics</groupId>
-      <artifactId>metrics-jdbi3</artifactId>
-    </dependency>
    <dependency>
      <groupId>io.dropwizard.metrics</groupId>
      <artifactId>metrics-healthchecks</artifactId>
@@ -168,6 +173,26 @@
      </exclusions>
    </dependency>

+    <dependency>
+      <groupId>party.iroiro.luajava</groupId>
+      <artifactId>luajava</artifactId>
+      <version>${luajava.version}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>party.iroiro.luajava</groupId>
+      <artifactId>lua51</artifactId>
+      <version>${luajava.version}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>party.iroiro.luajava</groupId>
+      <artifactId>lua51-platform</artifactId>
+      <version>${luajava.version}</version>
+      <classifier>natives-desktop</classifier>
+      <scope>runtime</scope>
+    </dependency>
+
    <dependency>
      <groupId>org.eclipse.jetty.websocket</groupId>
      <artifactId>websocket-api</artifactId>
@@ -181,10 +206,6 @@
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
    </dependency>
-    <dependency>
-      <groupId>commons-codec</groupId>
-      <artifactId>commons-codec</artifactId>
-    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-csv</artifactId>
@@ -193,34 +214,7 @@
    <dependency>
      <groupId>com.google.firebase</groupId>
      <artifactId>firebase-admin</artifactId>
-      <version>9.0.0</version>
-
-      <!-- firebase-admin has conflicting versions of these artifacts in its dependency tree; for firebase-admin
-      9.0.0, we'll need to depend directly on com.google.api-client:google-api-client:1.35.1 and
-      com.google.oauth-client:google-oauth-client:1.34.1 -->
-      <exclusions>
-        <exclusion>
-          <groupId>com.google.api-client</groupId>
-          <artifactId>google-api-client</artifactId>
-        </exclusion>
-
-        <exclusion>
-          <groupId>com.google.oauth-client</groupId>
-          <artifactId>google-oauth-client</artifactId>
-        </exclusion>
-      </exclusions>
-    </dependency>
-
-    <dependency>
-      <groupId>com.google.api-client</groupId>
-      <artifactId>google-api-client</artifactId>
-      <version>1.35.1</version>
-    </dependency>
-
-    <dependency>
-      <groupId>com.google.oauth-client</groupId>
-      <artifactId>google-oauth-client</artifactId>
-      <version>1.34.1</version>
+      <version>${firebase-admin.version}</version>
    </dependency>

    <dependency>
@@ -236,6 +230,30 @@
      <groupId>io.github.resilience4j</groupId>
      <artifactId>resilience4j-retry</artifactId>
    </dependency>
+    <dependency>
+      <groupId>io.github.resilience4j</groupId>
+      <artifactId>resilience4j-reactor</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>io.grpc</groupId>
+      <artifactId>grpc-netty-shaded</artifactId>
+      <scope>runtime</scope>
+    </dependency>
+    <dependency>
+      <groupId>io.grpc</groupId>
+      <artifactId>grpc-protobuf</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.grpc</groupId>
+      <artifactId>grpc-stub</artifactId>
+    </dependency>
+    <!-- Needed for gRPC with Java 9+ -->
+    <dependency>
+      <groupId>org.apache.tomcat</groupId>
+      <artifactId>annotations-api</artifactId>
+      <scope>provided</scope>
+    </dependency>

    <dependency>
      <groupId>io.micrometer</groupId>
@@ -243,7 +261,7 @@
    </dependency>
    <dependency>
      <groupId>io.micrometer</groupId>
-      <artifactId>micrometer-registry-datadog</artifactId>
+      <artifactId>micrometer-registry-statsd</artifactId>
    </dependency>
    <dependency>
      <groupId>org.coursera</groupId>
@@ -274,6 +292,11 @@
      <artifactId>jackson-jaxrs-json-provider</artifactId>
    </dependency>

+    <dependency>
+      <groupId>com.salesforce.servicelibs</groupId>
+      <artifactId>reactor-grpc-stub</artifactId>
+    </dependency>
+
    <dependency>
      <groupId>software.amazon.awssdk</groupId>
      <artifactId>sts</artifactId>
@@ -282,10 +305,6 @@
      <groupId>software.amazon.awssdk</groupId>
      <artifactId>s3</artifactId>
    </dependency>
-    <dependency>
-      <groupId>software.amazon.awssdk</groupId>
-      <artifactId>sqs</artifactId>
-    </dependency>
    <dependency>
      <groupId>software.amazon.awssdk</groupId>
      <artifactId>dynamodb</artifactId>
@@ -298,18 +317,10 @@
      <groupId>software.amazon.awssdk</groupId>
      <artifactId>appconfigdata</artifactId>
    </dependency>
-    <dependency>
-      <groupId>com.amazonaws</groupId>
-      <artifactId>aws-java-sdk-core</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>com.amazonaws</groupId>
-      <artifactId>aws-java-sdk-s3</artifactId>
-    </dependency>
    <dependency>
      <groupId>com.amazonaws</groupId>
      <artifactId>dynamodb-lock-client</artifactId>
-      <version>1.1.0</version>
+      <version>1.2.0</version>
      <exclusions>
        <exclusion>
          <groupId>commons-logging</groupId>
@@ -318,11 +329,6 @@
      </exclusions>
    </dependency>

-    <dependency>
-      <groupId>redis.clients</groupId>
-      <artifactId>jedis</artifactId>
-    </dependency>
-
    <dependency>
      <groupId>io.lettuce</groupId>
      <artifactId>lettuce-core</artifactId>
@@ -392,14 +398,17 @@
    <dependency>
      <groupId>com.almworks.sqlite4java</groupId>
      <artifactId>sqlite4java</artifactId>
-      <version>1.0.392</version>
+      <version>${sqlite4java.version}</version>
      <scope>test</scope>
    </dependency>

    <dependency>
      <groupId>io.projectreactor</groupId>
      <artifactId>reactor-core</artifactId>
-      <version>3.3.22.RELEASE</version>
+    </dependency>
+    <dependency>
+      <groupId>io.projectreactor</groupId>
+      <artifactId>reactor-core-micrometer</artifactId>
    </dependency>
    <dependency>
      <groupId>io.vavr</groupId>
@@ -412,6 +421,11 @@
      <scope>test</scope>
    </dependency>

+    <dependency>
+      <groupId>io.projectreactor</groupId>
+      <artifactId>reactor-test</artifactId>
+    </dependency>
+
    <dependency>
      <groupId>org.signal</groupId>
      <artifactId>embedded-redis</artifactId>
@@ -421,21 +435,27 @@
    <dependency>
      <groupId>com.fasterxml.uuid</groupId>
      <artifactId>java-uuid-generator</artifactId>
-      <version>3.2.0</version>
+      <version>${java-uuid-generator.version}</version>
      <scope>test</scope>
    </dependency>

    <dependency>
      <groupId>com.amazonaws</groupId>
      <artifactId>DynamoDBLocal</artifactId>
-      <version>1.16.0</version>
+      <version>1.23.0</version>
      <scope>test</scope>
-      <exclusions>
-        <exclusion>
-          <groupId>org.antlr</groupId>
-          <artifactId>antlr4-runtime</artifactId>
-        </exclusion>
-      </exclusions>
+    </dependency>
+    <dependency>
+      <groupId>io.github.ganadist.sqlite4java</groupId>
+      <artifactId>libsqlite4java-osx-aarch64</artifactId>
+      <version>${sqlite4java.version}</version>
+      <type>dylib</type>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>com.google.auth</groupId>
+      <artifactId>google-auth-library-oauth2-http</artifactId>
    </dependency>

    <dependency>
@@ -447,17 +467,29 @@
      <groupId>com.stripe</groupId>
      <artifactId>stripe-java</artifactId>
    </dependency>
+
+    <dependency>
+      <groupId>com.braintreepayments.gateway</groupId>
+      <artifactId>braintree-java</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>com.apollographql.apollo3</groupId>
+      <artifactId>apollo-api-jvm</artifactId>
+      <version>3.8.2</version>
+    </dependency>
+
  </dependencies>

  <profiles>
    <profile>
-      <id>exclude-abusive-message-filter</id>
+      <id>exclude-spam-filter</id>
      <build>
        <plugins>
          <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-shade-plugin</artifactId>
-            <version>3.2.4</version>
+            <version>3.5.1</version>
            <configuration>
              <createDependencyReducedPom>true</createDependencyReducedPom>
              <filters>
@@ -492,7 +524,7 @@
          <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-assembly-plugin</artifactId>
-            <version>3.3.0</version>
+            <version>3.6.0</version>
            <configuration>
              <descriptors>
                <descriptor>assembly.xml</descriptor>
@@ -512,7 +544,7 @@
          <plugin>
            <groupId>org.codehaus.mojo</groupId>
            <artifactId>properties-maven-plugin</artifactId>
-            <version>1.0.0</version>
+            <version>1.2.0</version>
            <executions>
              <execution>
                <id>read-deploy-configuration</id>
@@ -528,24 +560,64 @@
          </plugin>

          <plugin>
-            <groupId>org.signal</groupId>
-            <artifactId>s3-upload-maven-plugin</artifactId>
-            <version>1.6-SNAPSHOT</version>
-            <configuration>
-              <source>${project.build.directory}/${project.build.finalName}-bin.tar.gz</source>
-              <bucketName>${deploy.bucketName}</bucketName>
-              <region>${deploy.bucketRegion}</region>
-              <destination>${project.build.finalName}-bin.tar.gz</destination>
-            </configuration>
+            <groupId>com.google.cloud.tools</groupId>
+            <artifactId>jib-maven-plugin</artifactId>
            <executions>
              <execution>
-                <id>deploy-to-s3</id>
                <phase>deploy</phase>
                <goals>
-                  <goal>s3-upload</goal>
+                  <goal>build</goal>
                </goals>
              </execution>
            </executions>
+            <configuration>
+              <from>
+                <image>eclipse-temurin@sha256:${docker.image.sha256}</image>
+              </from>
+              <to>
+                <image>${docker.repo}:${project.version}</image>
+              </to>
+              <container>
+                <mainClass>org.whispersystems.textsecuregcm.WhisperServerService</mainClass>
+                <jvmFlags>
+                  <jvmFlag>-server</jvmFlag>
+                  <jvmFlag>-Djava.awt.headless=true</jvmFlag>
+                  <jvmFlag>-Djdk.nio.maxCachedBufferSize=262144</jvmFlag>
+                  <jvmFlag>-Dlog4j2.formatMsgNoLookups=true</jvmFlag>
+                  <jvmFlag>-XX:MaxRAMPercentage=75</jvmFlag>
+                  <jvmFlag>-XX:+HeapDumpOnOutOfMemoryError</jvmFlag>
+                  <jvmFlag>-XX:HeapDumpPath=/tmp/heapdump.bin</jvmFlag>
+                </jvmFlags>
+                <ports>
+                  <port>8080</port>
+                </ports>
+                <creationTime>USE_CURRENT_TIMESTAMP</creationTime>
+              </container>
+              <extraDirectories>
+                <paths>
+                  <path>
+                    <from>${project.basedir}/config</from>
+                    <includes>*.yml</includes>
+                    <into>/usr/share/signal/</into>
+                  </path>
+                </paths>
+              </extraDirectories>
+            </configuration>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
+    <profile>
+      <id>include-spam-filter</id>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>com.google.cloud.tools</groupId>
+            <artifactId>jib-maven-plugin</artifactId>
+            <configuration>
+              <!-- we don't want jib to execute on this module -->
+              <skip>true</skip>
+            </configuration>
          </plugin>
        </plugins>
      </build>
@@ -569,6 +641,16 @@
        </executions>
      </plugin>

+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <version>3.1.2</version>
+        <configuration>
+          <!-- work around PATCH not being a supported method on HttpUrlConnection -->
+          <argLine>--add-opens=java.base/java.net=ALL-UNNAMED</argLine>
+        </configuration>
+      </plugin>
+
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-jar-plugin</artifactId>
@@ -584,7 +666,7 @@
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>exec-maven-plugin</artifactId>
-        <version>3.0.0</version>
+        <version>3.1.0</version>
        <executions>
          <execution>
            <id>check-all-service-config</id>
@@ -602,6 +684,31 @@
          </arguments>
        </configuration>
      </plugin>
+
+      <plugin>
+        <groupId>com.github.aoudiamoncef</groupId>
+        <artifactId>apollo-client-maven-plugin</artifactId>
+        <version>5.0.0</version>
+        <executions>
+          <execution>
+            <goals>
+              <goal>generate</goal>
+            </goals>
+            <configuration>
+              <services>
+                <braintree>
+                  <compilationUnit>
+                    <name>braintree</name>
+                    <compilerParams>
+                      <schemaPackageName>com.braintree.graphql.client</schemaPackageName>
+                    </compilerParams>
+                  </compilationUnit>
+                </braintree>
+              </services>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
    </plugins>
  </build>
 </project>
--- a/service/src/main/graphql/braintree/ChargePayPalOneTimePayment.graphql
+++ b/service/src/main/graphql/braintree/ChargePayPalOneTimePayment.graphql
@@ -0,0 +1,9 @@
+# https://graphql.braintreepayments.com/reference/#Mutation--chargePaymentMethod
+mutation ChargePayPalOneTimePayment($input: ChargePaymentMethodInput!) {
+  chargePaymentMethod(input: $input) {
+    transaction {
+      id,
+      status
+    }
+  }
+}
--- a/service/src/main/graphql/braintree/CreatePayPalBillingAgreement.graphql
+++ b/service/src/main/graphql/braintree/CreatePayPalBillingAgreement.graphql
@@ -0,0 +1,6 @@
+mutation CreatePayPalBillingAgreement($input: CreatePayPalBillingAgreementInput!) {
+  createPayPalBillingAgreement(input: $input) {
+    approvalUrl,
+    billingAgreementToken
+  }
+}
--- a/service/src/main/graphql/braintree/CreatePayPalOneTimePayment.graphql
+++ b/service/src/main/graphql/braintree/CreatePayPalOneTimePayment.graphql
@@ -0,0 +1,7 @@
+# https://graphql.braintreepayments.com/reference/#Mutation--createPayPalOneTimePayment
+mutation CreatePayPalOneTimePayment($input: CreatePayPalOneTimePaymentInput!) {
+  createPayPalOneTimePayment(input: $input) {
+    approvalUrl,
+    paymentId
+  }
+}
--- a/service/src/main/graphql/braintree/TokenizePayPalBillingAgreement.graphql
+++ b/service/src/main/graphql/braintree/TokenizePayPalBillingAgreement.graphql
@@ -0,0 +1,7 @@
+mutation TokenizePayPalBillingAgreement($input: TokenizePayPalBillingAgreementInput!) {
+  tokenizePayPalBillingAgreement(input: $input) {
+    paymentMethod {
+      id
+    }
+  }
+}
--- a/service/src/main/graphql/braintree/TokenizePayPalOneTimePayment.graphql
+++ b/service/src/main/graphql/braintree/TokenizePayPalOneTimePayment.graphql
@@ -0,0 +1,8 @@
+# https://graphql.braintreepayments.com/reference/#Mutation--tokenizePayPalOneTimePayment
+mutation TokenizePayPalOneTimePayment($input: TokenizePayPalOneTimePaymentInput!) {
+  tokenizePayPalOneTimePayment(input: $input) {
+    paymentMethod {
+      id
+    }
+  }
+}
--- a/service/src/main/graphql/braintree/VaultPaymentMethod.graphql
+++ b/service/src/main/graphql/braintree/VaultPaymentMethod.graphql
@@ -0,0 +1,7 @@
+mutation VaultPaymentMethod($input: VaultPaymentMethodInput!) {
+  vaultPaymentMethod(input: $input) {
+    paymentMethod {
+      id
+    }
+  }
+}
--- a/service/src/main/graphql/braintree/schema.json
+++ b/service/src/main/graphql/braintree/schema.json
--- a/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerConfiguration.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerConfiguration.java
@@ -1,62 +1,81 @@
 /*
- * Copyright 2013-2021 Signal Messenger, LLC
+ * Copyright 2013 Signal Messenger, LLC
 * SPDX-License-Identifier: AGPL-3.0-only
 */
 package org.whispersystems.textsecuregcm;

 import com.fasterxml.jackson.annotation.JsonProperty;
 import io.dropwizard.Configuration;
+import java.time.Duration;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import javax.validation.Valid;
 import javax.validation.constraints.NotNull;
-import org.whispersystems.textsecuregcm.configuration.AbusiveMessageFilterConfiguration;
-import org.whispersystems.textsecuregcm.configuration.AccountDatabaseCrawlerConfiguration;
+import org.whispersystems.textsecuregcm.attachments.TusConfiguration;
+import org.whispersystems.textsecuregcm.configuration.AdminEventLoggingConfiguration;
 import org.whispersystems.textsecuregcm.configuration.ApnConfiguration;
 import org.whispersystems.textsecuregcm.configuration.AppConfigConfiguration;
+import org.whispersystems.textsecuregcm.configuration.ArtServiceConfiguration;
 import org.whispersystems.textsecuregcm.configuration.AwsAttachmentsConfiguration;
 import org.whispersystems.textsecuregcm.configuration.BadgesConfiguration;
-import org.whispersystems.textsecuregcm.configuration.BoostConfiguration;
+import org.whispersystems.textsecuregcm.configuration.BraintreeConfiguration;
 import org.whispersystems.textsecuregcm.configuration.CdnConfiguration;
-import org.whispersystems.textsecuregcm.configuration.DatadogConfiguration;
-import org.whispersystems.textsecuregcm.configuration.DirectoryConfiguration;
+import org.whispersystems.textsecuregcm.configuration.ClientReleaseConfiguration;
+import org.whispersystems.textsecuregcm.configuration.CommandStopListenerConfiguration;
+import org.whispersystems.textsecuregcm.configuration.DogstatsdConfiguration;
 import org.whispersystems.textsecuregcm.configuration.DirectoryV2Configuration;
-import org.whispersystems.textsecuregcm.configuration.DonationConfiguration;
 import org.whispersystems.textsecuregcm.configuration.DynamoDbClientConfiguration;
 import org.whispersystems.textsecuregcm.configuration.DynamoDbTables;
 import org.whispersystems.textsecuregcm.configuration.FcmConfiguration;
 import org.whispersystems.textsecuregcm.configuration.GcpAttachmentsConfiguration;
-import org.whispersystems.textsecuregcm.configuration.GiftConfiguration;
+import org.whispersystems.textsecuregcm.configuration.GenericZkConfig;
+import org.whispersystems.textsecuregcm.configuration.HCaptchaConfiguration;
+import org.whispersystems.textsecuregcm.configuration.LinkDeviceSecretConfiguration;
 import org.whispersystems.textsecuregcm.configuration.MaxDeviceConfiguration;
+import org.whispersystems.textsecuregcm.configuration.MessageByteLimitCardinalityEstimatorConfiguration;
 import org.whispersystems.textsecuregcm.configuration.MessageCacheConfiguration;
+import org.whispersystems.textsecuregcm.configuration.OneTimeDonationConfiguration;
 import org.whispersystems.textsecuregcm.configuration.PaymentsServiceConfiguration;
-import org.whispersystems.textsecuregcm.configuration.RateLimitsConfiguration;
 import org.whispersystems.textsecuregcm.configuration.RecaptchaConfiguration;
 import org.whispersystems.textsecuregcm.configuration.RedisClusterConfiguration;
 import org.whispersystems.textsecuregcm.configuration.RedisConfiguration;
+import org.whispersystems.textsecuregcm.configuration.RegistrationServiceConfiguration;
 import org.whispersystems.textsecuregcm.configuration.RemoteConfigConfiguration;
 import org.whispersystems.textsecuregcm.configuration.ReportMessageConfiguration;
-import org.whispersystems.textsecuregcm.configuration.SecureBackupServiceConfiguration;
 import org.whispersystems.textsecuregcm.configuration.SecureStorageServiceConfiguration;
+import org.whispersystems.textsecuregcm.configuration.SecureValueRecovery2Configuration;
+import org.whispersystems.textsecuregcm.configuration.ShortCodeExpanderConfiguration;
+import org.whispersystems.textsecuregcm.configuration.SpamFilterConfiguration;
 import org.whispersystems.textsecuregcm.configuration.StripeConfiguration;
 import org.whispersystems.textsecuregcm.configuration.SubscriptionConfiguration;
-import org.whispersystems.textsecuregcm.configuration.TestDeviceConfiguration;
-import org.whispersystems.textsecuregcm.configuration.TwilioConfiguration;
+import org.whispersystems.textsecuregcm.configuration.TurnSecretConfiguration;
 import org.whispersystems.textsecuregcm.configuration.UnidentifiedDeliveryConfiguration;
-import org.whispersystems.textsecuregcm.configuration.VoiceVerificationConfiguration;
 import org.whispersystems.textsecuregcm.configuration.ZkConfig;
+import org.whispersystems.textsecuregcm.limits.RateLimiterConfig;
 import org.whispersystems.websocket.configuration.WebSocketConfiguration;

 /** @noinspection MismatchedQueryAndUpdateOfCollection, WeakerAccess */
 public class WhisperServerConfiguration extends Configuration {

+  @NotNull
+  @Valid
+  @JsonProperty
+  private AdminEventLoggingConfiguration adminEventLoggingConfiguration;
+
  @NotNull
  @Valid
  @JsonProperty
  private StripeConfiguration stripe;

+  @NotNull
+  @Valid
+  @JsonProperty
+  private BraintreeConfiguration braintree;
+
  @NotNull
  @Valid
  @JsonProperty
@@ -67,11 +86,6 @@ public class WhisperServerConfiguration extends Configuration {
  @JsonProperty
  private DynamoDbTables dynamoDbTables;

-  @NotNull
-  @Valid
-  @JsonProperty
-  private TwilioConfiguration twilio;
-
  @NotNull
  @Valid
  @JsonProperty
@@ -90,7 +104,7 @@ public class WhisperServerConfiguration extends Configuration {
  @NotNull
  @Valid
  @JsonProperty
-  private DatadogConfiguration datadog;
+  private DogstatsdConfiguration dogstatsd = new DogstatsdConfiguration();

  @NotNull
  @Valid
@@ -107,11 +121,6 @@ public class WhisperServerConfiguration extends Configuration {
  @JsonProperty
  private RedisClusterConfiguration metricsCluster;

-  @NotNull
-  @Valid
-  @JsonProperty
-  private DirectoryConfiguration directory;
-
  @NotNull
  @Valid
  @JsonProperty
@@ -120,7 +129,7 @@ public class WhisperServerConfiguration extends Configuration {
  @NotNull
  @Valid
  @JsonProperty
-  private AccountDatabaseCrawlerConfiguration accountDatabaseCrawler;
+  private SecureValueRecovery2Configuration svr2;

  @NotNull
  @Valid
@@ -145,7 +154,7 @@ public class WhisperServerConfiguration extends Configuration {
  @Valid
  @NotNull
  @JsonProperty
-  private List<TestDeviceConfiguration> testDevices = new LinkedList<>();
+  private Set<String> testDevices = new HashSet<>();

  @Valid
  @NotNull
@@ -155,7 +164,7 @@ public class WhisperServerConfiguration extends Configuration {
  @Valid
  @NotNull
  @JsonProperty
-  private RateLimitsConfiguration limits = new RateLimitsConfiguration();
+  private Map<String, RateLimiterConfig> limits = new HashMap<>();

  @Valid
  @NotNull
@@ -180,33 +189,48 @@ public class WhisperServerConfiguration extends Configuration {
  @Valid
  @NotNull
  @JsonProperty
-  private VoiceVerificationConfiguration voiceVerification;
+  private RecaptchaConfiguration recaptcha;

  @Valid
  @NotNull
  @JsonProperty
-  private RecaptchaConfiguration recaptcha;
+  private HCaptchaConfiguration hCaptcha;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private ShortCodeExpanderConfiguration shortCode;

  @Valid
  @NotNull
  @JsonProperty
  private SecureStorageServiceConfiguration storageService;

-  @Valid
-  @NotNull
-  @JsonProperty
-  private SecureBackupServiceConfiguration backupService;
-
  @Valid
  @NotNull
  @JsonProperty
  private PaymentsServiceConfiguration paymentsService;

+  @Valid
+  @NotNull
+  @JsonProperty
+  private ArtServiceConfiguration artService;
+
  @Valid
  @NotNull
  @JsonProperty
  private ZkConfig zkConfig;

+  @Valid
+  @NotNull
+  @JsonProperty
+  private GenericZkConfig callingZkConfig;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private GenericZkConfig backupsZkConfig;
+
  @Valid
  @NotNull
  @JsonProperty
@@ -217,11 +241,6 @@ public class WhisperServerConfiguration extends Configuration {
  @JsonProperty
  private AppConfigConfiguration appConfig;

-  @Valid
-  @NotNull
-  @JsonProperty
-  private DonationConfiguration donation;
-
  @Valid
  @NotNull
  @JsonProperty
@@ -235,12 +254,7 @@ public class WhisperServerConfiguration extends Configuration {
  @Valid
  @JsonProperty
  @NotNull
-  private BoostConfiguration boost;
-
-  @Valid
-  @JsonProperty
-  @NotNull
-  private GiftConfiguration gift;
+  private OneTimeDonationConfiguration oneTimeDonations;

  @Valid
  @NotNull
@@ -249,12 +263,60 @@ public class WhisperServerConfiguration extends Configuration {

  @Valid
  @JsonProperty
-  private AbusiveMessageFilterConfiguration abusiveMessageFilter;
+  private SpamFilterConfiguration spamFilterConfiguration;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private RegistrationServiceConfiguration registrationService;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private TurnSecretConfiguration turn;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private TusConfiguration tus;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private int grpcPort;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private ClientReleaseConfiguration clientRelease = new ClientReleaseConfiguration(Duration.ofHours(4));
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private MessageByteLimitCardinalityEstimatorConfiguration messageByteLimitCardinalityEstimator = new MessageByteLimitCardinalityEstimatorConfiguration(Duration.ofDays(1));
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private CommandStopListenerConfiguration commandStopListener;
+
+  @Valid
+  @NotNull
+  @JsonProperty
+  private LinkDeviceSecretConfiguration linkDevice;
+
+  public AdminEventLoggingConfiguration getAdminEventLoggingConfiguration() {
+    return adminEventLoggingConfiguration;
+  }

  public StripeConfiguration getStripe() {
    return stripe;
  }

+  public BraintreeConfiguration getBraintree() {
+    return braintree;
+  }
+
  public DynamoDbClientConfiguration getDynamoDbClientConfiguration() {
    return dynamoDbClientConfiguration;
  }
@@ -267,18 +329,18 @@ public class WhisperServerConfiguration extends Configuration {
    return recaptcha;
  }

-  public VoiceVerificationConfiguration getVoiceVerificationConfiguration() {
-    return voiceVerification;
+  public HCaptchaConfiguration getHCaptchaConfiguration() {
+    return hCaptcha;
+  }
+
+  public ShortCodeExpanderConfiguration getShortCodeRetrieverConfiguration() {
+    return shortCode;
  }

  public WebSocketConfiguration getWebSocketConfiguration() {
    return webSocket;
  }

-  public TwilioConfiguration getTwilioConfiguration() {
-    return twilio;
-  }
-
  public AwsAttachmentsConfiguration getAwsAttachmentsConfiguration() {
    return awsAttachments;
  }
@@ -299,8 +361,8 @@ public class WhisperServerConfiguration extends Configuration {
    return metricsCluster;
  }

-  public DirectoryConfiguration getDirectoryConfiguration() {
-    return directory;
+  public SecureValueRecovery2Configuration getSvr2Configuration() {
+    return svr2;
  }

  public DirectoryV2Configuration getDirectoryV2Configuration() {
@@ -311,10 +373,6 @@ public class WhisperServerConfiguration extends Configuration {
    return storageService;
  }

-  public AccountDatabaseCrawlerConfiguration getAccountDatabaseCrawlerConfiguration() {
-    return accountDatabaseCrawler;
-  }
-
  public MessageCacheConfiguration getMessageCacheConfiguration() {
    return messageCache;
  }
@@ -331,7 +389,7 @@ public class WhisperServerConfiguration extends Configuration {
    return rateLimitersCluster;
  }

-  public RateLimitsConfiguration getLimitsConfiguration() {
+  public Map<String, RateLimiterConfig> getLimitsConfiguration() {
    return limits;
  }

@@ -347,23 +405,16 @@ public class WhisperServerConfiguration extends Configuration {
    return cdn;
  }

-  public DatadogConfiguration getDatadogConfiguration() {
-    return datadog;
+  public DogstatsdConfiguration getDatadogConfiguration() {
+    return dogstatsd;
  }

  public UnidentifiedDeliveryConfiguration getDeliveryCertificate() {
    return unidentifiedDelivery;
  }

-  public Map<String, Integer> getTestDevices() {
-    Map<String, Integer> results = new HashMap<>();
-
-    for (TestDeviceConfiguration testDeviceConfiguration : testDevices) {
-      results.put(testDeviceConfiguration.getNumber(),
-                  testDeviceConfiguration.getCode());
-    }
-
-    return results;
+  public Set<String> getTestDevices() {
+    return testDevices;
  }

  public Map<String, Integer> getMaxDevices() {
@@ -377,18 +428,26 @@ public class WhisperServerConfiguration extends Configuration {
    return results;
  }

-  public SecureBackupServiceConfiguration getSecureBackupServiceConfiguration() {
-    return backupService;
-  }
-
  public PaymentsServiceConfiguration getPaymentsServiceConfiguration() {
    return paymentsService;
  }

+  public ArtServiceConfiguration getArtServiceConfiguration() {
+    return artService;
+  }
+
  public ZkConfig getZkConfig() {
    return zkConfig;
  }

+  public GenericZkConfig getCallingZkConfig() {
+    return callingZkConfig;
+  }
+
+  public GenericZkConfig getBackupsZkConfig() {
+    return backupsZkConfig;
+  }
+
  public RemoteConfigConfiguration getRemoteConfigConfiguration() {
    return remoteConfig;
  }
@@ -397,10 +456,6 @@ public class WhisperServerConfiguration extends Configuration {
    return appConfig;
  }

-  public DonationConfiguration getDonationConfiguration() {
-    return donation;
-  }
-
  public BadgesConfiguration getBadges() {
    return badges;
  }
@@ -409,19 +464,47 @@ public class WhisperServerConfiguration extends Configuration {
    return subscription;
  }

-  public BoostConfiguration getBoost() {
-    return boost;
-  }
-
-  public GiftConfiguration getGift() {
-    return gift;
+  public OneTimeDonationConfiguration getOneTimeDonations() {
+    return oneTimeDonations;
  }

  public ReportMessageConfiguration getReportMessageConfiguration() {
    return reportMessage;
  }

-  public AbusiveMessageFilterConfiguration getAbusiveMessageFilterConfiguration() {
-    return abusiveMessageFilter;
+  public SpamFilterConfiguration getSpamFilterConfiguration() {
+    return spamFilterConfiguration;
+  }
+
+  public RegistrationServiceConfiguration getRegistrationServiceConfiguration() {
+    return registrationService;
+  }
+
+  public TurnSecretConfiguration getTurnSecretConfiguration() {
+    return turn;
+  }
+
+  public TusConfiguration getTus() {
+    return tus;
+  }
+
+  public int getGrpcPort() {
+    return grpcPort;
+  }
+
+  public ClientReleaseConfiguration getClientReleaseConfiguration() {
+    return clientRelease;
+  }
+
+  public MessageByteLimitCardinalityEstimatorConfiguration getMessageByteLimitCardinalityEstimator() {
+    return messageByteLimitCardinalityEstimator;
+  }
+
+  public CommandStopListenerConfiguration getCommandStopListener() {
+    return commandStopListener;
+  }
+
+  public LinkDeviceSecretConfiguration getLinkDeviceSecretConfiguration() {
+    return linkDevice;
  }
 }
--- a/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java
--- a/service/src/main/java/org/whispersystems/textsecuregcm/abuse/AbusiveMessageFilter.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/abuse/AbusiveMessageFilter.java
@@ -1,33 +0,0 @@
-/*
- * Copyright 2013-2021 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.abuse;
-
-import io.dropwizard.lifecycle.Managed;
-import javax.ws.rs.container.ContainerRequestFilter;
-import java.io.IOException;
-
-/**
- * An abusive message filter is a {@link ContainerRequestFilter} that filters requests to message-sending endpoints to
- * detect and respond to patterns of abusive behavior.
- * <p/>
- * Abusive message filters are managed components that are generally loaded dynamically via a
- * {@link java.util.ServiceLoader}. Their {@link #configure(String)} method will be called prior to be adding to the
- * server's pool of {@link Managed} objects.
- * <p/>
- * Abusive message filters must be annotated with {@link FilterAbusiveMessages}, a name binding annotation that
- * restricts the endpoints to which the filter may apply.
- */
-public interface AbusiveMessageFilter extends ContainerRequestFilter, Managed {
-
-  /**
-   * Configures this abusive message filter. This method will be called before the filter is added to the server's pool
-   * of managed objects and before the server processes any requests.
-   *
-   * @param environmentName the name of the environment in which this filter is running (e.g. "staging" or "production")
-   * @throws IOException if the filter could not read its configuration source for any reason
-   */
-  void configure(String environmentName) throws IOException;
-}
--- a/service/src/main/java/org/whispersystems/textsecuregcm/attachments/AttachmentGenerator.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/attachments/AttachmentGenerator.java
@@ -0,0 +1,15 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.attachments;
+import java.util.Map;
+
+public interface AttachmentGenerator {
+
+  record Descriptor(Map<String, String> headers, String signedUploadLocation) {}
+
+  Descriptor generateAttachment(final String key);
+
+}
--- a/service/src/main/java/org/whispersystems/textsecuregcm/attachments/GcsAttachmentGenerator.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/attachments/GcsAttachmentGenerator.java
@@ -0,0 +1,54 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.attachments;
+
+import org.whispersystems.textsecuregcm.gcp.CanonicalRequest;
+import org.whispersystems.textsecuregcm.gcp.CanonicalRequestGenerator;
+import org.whispersystems.textsecuregcm.gcp.CanonicalRequestSigner;
+import javax.annotation.Nonnull;
+import java.io.IOException;
+import java.security.InvalidKeyException;
+import java.security.spec.InvalidKeySpecException;
+import java.time.ZoneOffset;
+import java.time.ZonedDateTime;
+import java.util.Map;
+
+public class GcsAttachmentGenerator implements AttachmentGenerator {
+  @Nonnull
+  private final CanonicalRequestGenerator canonicalRequestGenerator;
+
+  @Nonnull
+  private final CanonicalRequestSigner canonicalRequestSigner;
+
+  public GcsAttachmentGenerator(@Nonnull String domain, @Nonnull String email,
+      int maxSizeInBytes, @Nonnull String pathPrefix, @Nonnull String rsaSigningKey)
+      throws IOException, InvalidKeyException, InvalidKeySpecException {
+    this.canonicalRequestGenerator = new CanonicalRequestGenerator(domain, email, maxSizeInBytes, pathPrefix);
+    this.canonicalRequestSigner = new CanonicalRequestSigner(rsaSigningKey);
+  }
+
+  @Override
+  public Descriptor generateAttachment(final String key) {
+    final ZonedDateTime now = ZonedDateTime.now(ZoneOffset.UTC);
+    final CanonicalRequest canonicalRequest = canonicalRequestGenerator.createFor(key, now);
+    return new Descriptor(getHeaderMap(canonicalRequest), getSignedUploadLocation(canonicalRequest));
+  }
+
+  private String getSignedUploadLocation(@Nonnull CanonicalRequest canonicalRequest) {
+    return "https://" + canonicalRequest.getDomain() + canonicalRequest.getResourcePath()
+        + '?' + canonicalRequest.getCanonicalQuery()
+        + "&X-Goog-Signature=" + canonicalRequestSigner.sign(canonicalRequest);
+  }
+
+  private static Map<String, String> getHeaderMap(@Nonnull CanonicalRequest canonicalRequest) {
+    return Map.of(
+        "host", canonicalRequest.getDomain(),
+        "x-goog-content-length-range", "1," + canonicalRequest.getMaxSizeInBytes(),
+        "x-goog-resumable", "start");
+  }
+
+
+}
--- a/service/src/main/java/org/whispersystems/textsecuregcm/attachments/TusAttachmentGenerator.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/attachments/TusAttachmentGenerator.java
@@ -0,0 +1,47 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.attachments;
+
+import org.apache.http.HttpHeaders;
+import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentials;
+import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentialsGenerator;
+import org.whispersystems.textsecuregcm.util.HeaderUtils;
+import java.nio.charset.StandardCharsets;
+import java.time.Clock;
+import java.util.Base64;
+import java.util.Map;
+
+public class TusAttachmentGenerator implements AttachmentGenerator {
+
+  private static final String ATTACHMENTS = "attachments";
+
+  final ExternalServiceCredentialsGenerator credentialsGenerator;
+  final String tusUri;
+
+  public TusAttachmentGenerator(final TusConfiguration cfg) {
+    this.tusUri = cfg.uploadUri();
+    this.credentialsGenerator = credentialsGenerator(Clock.systemUTC(), cfg);
+  }
+
+  private static ExternalServiceCredentialsGenerator credentialsGenerator(final Clock clock, final TusConfiguration cfg) {
+    return ExternalServiceCredentialsGenerator
+        .builder(cfg.userAuthenticationTokenSharedSecret())
+        .prependUsername(false)
+        .withClock(clock)
+        .build();
+  }
+
+  @Override
+  public Descriptor generateAttachment(final String key) {
+    final ExternalServiceCredentials credentials = credentialsGenerator.generateFor(ATTACHMENTS + "/" + key);
+    final String b64Key = Base64.getEncoder().encodeToString(key.getBytes(StandardCharsets.UTF_8));
+    final Map<String, String> headers = Map.of(
+        HttpHeaders.AUTHORIZATION, HeaderUtils.basicAuthHeader(credentials),
+        "Upload-Metadata", String.format("filename %s", b64Key)
+    );
+    return new Descriptor(headers, tusUri + "/" +  ATTACHMENTS);
+  }
+}
--- a/service/src/main/java/org/whispersystems/textsecuregcm/attachments/TusConfiguration.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/attachments/TusConfiguration.java
@@ -0,0 +1,15 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.attachments;
+
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretBytes;
+import org.whispersystems.textsecuregcm.util.ExactlySize;
+import javax.validation.constraints.NotEmpty;
+
+public record TusConfiguration(
+  @ExactlySize(32) SecretBytes userAuthenticationTokenSharedSecret,
+  @NotEmpty String uploadUri
+){}
--- a/service/src/main/java/org/whispersystems/textsecuregcm/auth/AccountAuthenticator.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/auth/AccountAuthenticator.java
@@ -7,6 +7,7 @@ package org.whispersystems.textsecuregcm.auth;
 import io.dropwizard.auth.Authenticator;
 import io.dropwizard.auth.basic.BasicCredentials;
 import java.util.Optional;
+import org.whispersystems.textsecuregcm.experiment.ExperimentEnrollmentManager;
 import org.whispersystems.textsecuregcm.storage.AccountsManager;

 public class AccountAuthenticator extends BaseAccountAuthenticator implements
--- a/service/src/main/java/org/whispersystems/textsecuregcm/auth/AuthenticatedBackupUser.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/auth/AuthenticatedBackupUser.java
@@ -0,0 +1,10 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import org.whispersystems.textsecuregcm.backup.BackupTier;
+
+public record AuthenticatedBackupUser(byte[] backupId, BackupTier backupTier) {}
--- a/service/src/main/java/org/whispersystems/textsecuregcm/auth/AuthenticationCredentials.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/auth/AuthenticationCredentials.java
@@ -1,50 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-package org.whispersystems.textsecuregcm.auth;
-
-import org.apache.commons.codec.binary.Hex;
-
-import java.nio.charset.StandardCharsets;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
-
-public class AuthenticationCredentials {
-
-  private final String hashedAuthenticationToken;
-  private final String salt;
-
-  public AuthenticationCredentials(String hashedAuthenticationToken, String salt) {
-    this.hashedAuthenticationToken = hashedAuthenticationToken;
-    this.salt                      = salt;
-  }
-
-  public AuthenticationCredentials(String authenticationToken) {
-    this.salt                      = String.valueOf(Math.abs(new SecureRandom().nextInt()));
-    this.hashedAuthenticationToken = getHashedValue(salt, authenticationToken);
-  }
-
-  public String getHashedAuthenticationToken() {
-    return hashedAuthenticationToken;
-  }
-
-  public String getSalt() {
-    return salt;
-  }
-
-  public boolean verify(String authenticationToken) {
-    String theirValue = getHashedValue(salt, authenticationToken);
-    return MessageDigest.isEqual(theirValue.getBytes(StandardCharsets.UTF_8), this.hashedAuthenticationToken.getBytes(StandardCharsets.UTF_8));
-  }
-
-  private static String getHashedValue(String salt, String token) {
-    try {
-      return new String(Hex.encodeHex(MessageDigest.getInstance("SHA1").digest((salt + token).getBytes(StandardCharsets.UTF_8))));
-    } catch (NoSuchAlgorithmException e) {
-      throw new AssertionError(e);
-    }
-  }
-
-}
--- a/service/src/main/java/org/whispersystems/textsecuregcm/auth/BaseAccountAuthenticator.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/auth/BaseAccountAuthenticator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2013-2021 Signal Messenger, LLC
+ * Copyright 2013 Signal Messenger, LLC
 * SPDX-License-Identifier: AGPL-3.0-only
 */

@@ -27,13 +27,18 @@ import org.whispersystems.textsecuregcm.util.Util;
 public class BaseAccountAuthenticator {

  private static final String AUTHENTICATION_COUNTER_NAME = name(BaseAccountAuthenticator.class, "authentication");
+  private static final String ENABLED_NOT_REQUIRED_AUTHENTICATION_COUNTER_NAME = name(BaseAccountAuthenticator.class,
+      "enabledNotRequiredAuthentication");
  private static final String AUTHENTICATION_SUCCEEDED_TAG_NAME = "succeeded";
  private static final String AUTHENTICATION_FAILURE_REASON_TAG_NAME = "reason";
-  private static final String AUTHENTICATION_ENABLED_REQUIRED_TAG_NAME = "enabledRequired";
+  private static final String ENABLED_TAG_NAME = "enabled";

  private static final String DAYS_SINCE_LAST_SEEN_DISTRIBUTION_NAME = name(BaseAccountAuthenticator.class, "daysSinceLastSeen");
  private static final String IS_PRIMARY_DEVICE_TAG = "isPrimary";

+  @VisibleForTesting
+  static final char DEVICE_ID_SEPARATOR = '.';
+
  private final AccountsManager accountsManager;
  private final Clock           clock;

@@ -43,19 +48,19 @@ public class BaseAccountAuthenticator {

  @VisibleForTesting
  public BaseAccountAuthenticator(AccountsManager accountsManager, Clock clock) {
-    this.accountsManager = accountsManager;
-    this.clock           = clock;
+    this.accountsManager   = accountsManager;
+    this.clock             = clock;
  }

  static Pair<String, Long> getIdentifierAndDeviceId(final String basicUsername) {
    final String identifier;
    final long deviceId;

-    final int deviceIdSeparatorIndex = basicUsername.indexOf('.');
+    final int deviceIdSeparatorIndex = basicUsername.indexOf(DEVICE_ID_SEPARATOR);

    if (deviceIdSeparatorIndex == -1) {
      identifier = basicUsername;
-      deviceId = Device.MASTER_ID;
+      deviceId = Device.PRIMARY_ID;
    } else {
      identifier = basicUsername.substring(0, deviceIdSeparatorIndex);
      deviceId = Long.parseLong(basicUsername.substring(deviceIdSeparatorIndex + 1));
@@ -93,20 +98,35 @@ public class BaseAccountAuthenticator {
      }

      if (enabledRequired) {
-        if (!device.get().isEnabled()) {
+        final boolean deviceDisabled = !device.get().isEnabled();
+        if (deviceDisabled) {
          failureReason = "deviceDisabled";
-          return Optional.empty();
        }

-        if (!account.get().isEnabled()) {
+        final boolean accountDisabled = !account.get().isEnabled();
+        if (accountDisabled) {
          failureReason = "accountDisabled";
+        }
+        if (accountDisabled || deviceDisabled) {
          return Optional.empty();
        }
+      } else {
+        Metrics.counter(ENABLED_NOT_REQUIRED_AUTHENTICATION_COUNTER_NAME,
+                ENABLED_TAG_NAME, String.valueOf(device.get().isEnabled() && account.get().isEnabled()),
+                IS_PRIMARY_DEVICE_TAG, String.valueOf(device.get().isPrimary()))
+            .increment();
      }

-      if (device.get().getAuthenticationCredentials().verify(basicCredentials.getPassword())) {
+      SaltedTokenHash deviceSaltedTokenHash = device.get().getAuthTokenHash();
+      if (deviceSaltedTokenHash.verify(basicCredentials.getPassword())) {
        succeeded = true;
-        final Account authenticatedAccount = updateLastSeen(account.get(), device.get());
+        Account authenticatedAccount = updateLastSeen(account.get(), device.get());
+        if (deviceSaltedTokenHash.getVersion() != SaltedTokenHash.CURRENT_VERSION) {
+          authenticatedAccount = accountsManager.updateDeviceAuthentication(
+              authenticatedAccount,
+              device.get(),
+              SaltedTokenHash.generateFor(basicCredentials.getPassword()));  // new credentials have current version
+        }
        return Optional.of(new AuthenticatedAccount(
            new RefreshingAccountAndDeviceSupplier(authenticatedAccount, device.get().getId(), accountsManager)));
      }
@@ -117,8 +137,7 @@ public class BaseAccountAuthenticator {
      return Optional.empty();
    } finally {
      Tags tags = Tags.of(
-          AUTHENTICATION_SUCCEEDED_TAG_NAME, String.valueOf(succeeded),
-          AUTHENTICATION_ENABLED_REQUIRED_TAG_NAME, String.valueOf(enabledRequired));
+          AUTHENTICATION_SUCCEEDED_TAG_NAME, String.valueOf(succeeded));

      if (StringUtils.isNotBlank(failureReason)) {
        tags = tags.and(AUTHENTICATION_FAILURE_REASON_TAG_NAME, failureReason);
@@ -130,11 +149,20 @@ public class BaseAccountAuthenticator {

  @VisibleForTesting
  public Account updateLastSeen(Account account, Device device) {
-    final long lastSeenOffsetSeconds   = Math.abs(account.getUuid().getLeastSignificantBits()) % ChronoUnit.DAYS.getDuration().toSeconds();
+    // compute a non-negative integer between 0 and 86400.
+    long n = Util.ensureNonNegativeLong(account.getUuid().getLeastSignificantBits());
+    final long lastSeenOffsetSeconds = n % ChronoUnit.DAYS.getDuration().toSeconds();
+
+    // produce a truncated timestamp which is either today at UTC midnight
+    // or yesterday at UTC midnight, based on per-user randomized offset used.
    final long todayInMillisWithOffset = Util.todayInMillisGivenOffsetFromNow(clock, Duration.ofSeconds(lastSeenOffsetSeconds).negated());

+    // only update the device's last seen time when it falls behind the truncated timestamp.
+    // this ensure a few things:
+    //   (1) each account will only update last-seen at most once per day
+    //   (2) these updates will occur throughout the day rather than all occurring at UTC midnight.
    if (device.getLastSeen() < todayInMillisWithOffset) {
-      Metrics.summary(DAYS_SINCE_LAST_SEEN_DISTRIBUTION_NAME, IS_PRIMARY_DEVICE_TAG, String.valueOf(device.isMaster()))
+      Metrics.summary(DAYS_SINCE_LAST_SEEN_DISTRIBUTION_NAME, IS_PRIMARY_DEVICE_TAG, String.valueOf(device.isPrimary()))
          .record(Duration.ofMillis(todayInMillisWithOffset - device.getLastSeen()).toDays());

      return accountsManager.updateDeviceLastSeen(account, device, Util.todayInMillis(clock));
@@ -142,5 +170,4 @@ public class BaseAccountAuthenticator {

    return account;
  }
-
 }
--- a/service/src/main/java/org/whispersystems/textsecuregcm/auth/CertificateGenerator.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/auth/CertificateGenerator.java
@@ -8,12 +8,12 @@ package org.whispersystems.textsecuregcm.auth;
 import com.google.protobuf.ByteString;
 import com.google.protobuf.InvalidProtocolBufferException;
 import java.security.InvalidKeyException;
-import java.util.Base64;
 import java.util.concurrent.TimeUnit;
 import org.signal.libsignal.protocol.ecc.Curve;
 import org.signal.libsignal.protocol.ecc.ECPrivateKey;
 import org.whispersystems.textsecuregcm.entities.MessageProtos.SenderCertificate;
 import org.whispersystems.textsecuregcm.entities.MessageProtos.ServerCertificate;
+import org.whispersystems.textsecuregcm.identity.IdentityType;
 import org.whispersystems.textsecuregcm.storage.Account;
 import org.whispersystems.textsecuregcm.storage.Device;

@@ -33,11 +33,11 @@ public class CertificateGenerator {

  public byte[] createFor(Account account, Device device, boolean includeE164) throws InvalidKeyException {
    SenderCertificate.Certificate.Builder builder = SenderCertificate.Certificate.newBuilder()
-                                                                                 .setSenderDevice(Math.toIntExact(device.getId()))
-                                                                                 .setExpires(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(expiresDays))
-                                                                                 .setIdentityKey(ByteString.copyFrom(Base64.getDecoder().decode(account.getIdentityKey())))
-                                                                                 .setSigner(serverCertificate)
-                                                                                 .setSenderUuid(account.getUuid().toString());
+        .setSenderDevice(Math.toIntExact(device.getId()))
+        .setExpires(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(expiresDays))
+        .setIdentityKey(ByteString.copyFrom(account.getIdentityKey(IdentityType.ACI).serialize()))
+        .setSigner(serverCertificate)
+        .setSenderUuid(account.getUuid().toString());

    if (includeE164) {
      builder.setSender(account.getNumber());
--- a/service/src/main/java/org/whispersystems/textsecuregcm/auth/CombinedUnidentifiedSenderAccessKeys.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/auth/CombinedUnidentifiedSenderAccessKeys.java
@@ -16,7 +16,7 @@ public class CombinedUnidentifiedSenderAccessKeys {
  public CombinedUnidentifiedSenderAccessKeys(String header) {
    try {
      this.combinedUnidentifiedSenderAccessKeys = Base64.getDecoder().decode(header);
-      if (this.combinedUnidentifiedSenderAccessKeys == null || this.combinedUnidentifiedSenderAccessKeys.length != 16) {
+      if (this.combinedUnidentifiedSenderAccessKeys == null || this.combinedUnidentifiedSenderAccessKeys.length != UnidentifiedAccessUtil.UNIDENTIFIED_ACCESS_KEY_LENGTH) {
        throw new WebApplicationException("Invalid combined unidentified sender access keys", Status.UNAUTHORIZED);
      }
    } catch (IllegalArgumentException e) {
--- a/service/src/main/java/org/whispersystems/textsecuregcm/auth/DisabledPermittedAccountAuthenticator.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/auth/DisabledPermittedAccountAuthenticator.java
@@ -8,6 +8,7 @@ package org.whispersystems.textsecuregcm.auth;
 import io.dropwizard.auth.Authenticator;
 import io.dropwizard.auth.basic.BasicCredentials;
 import java.util.Optional;
+import org.whispersystems.textsecuregcm.experiment.ExperimentEnrollmentManager;
 import org.whispersystems.textsecuregcm.storage.AccountsManager;

 public class DisabledPermittedAccountAuthenticator extends BaseAccountAuthenticator implements
--- a/service/src/main/java/org/whispersystems/textsecuregcm/auth/ExternalServiceCredentialGenerator.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/auth/ExternalServiceCredentialGenerator.java
@@ -1,86 +0,0 @@
-/*
- * Copyright 2013-2021 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.auth;
-
-import com.google.common.annotations.VisibleForTesting;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-import java.time.Clock;
-import javax.crypto.Mac;
-import javax.crypto.spec.SecretKeySpec;
-import org.apache.commons.codec.binary.Hex;
-import org.whispersystems.textsecuregcm.util.Util;
-
-public class ExternalServiceCredentialGenerator {
-
-  private final byte[] key;
-  private final byte[] userIdKey;
-  private final boolean usernameDerivation;
-  private final boolean prependUsername;
-  private final Clock clock;
-
-  public ExternalServiceCredentialGenerator(byte[] key, byte[] userIdKey) {
-    this(key, userIdKey, true, true);
-  }
-
-  public ExternalServiceCredentialGenerator(byte[] key, boolean prependUsername) {
-    this(key, new byte[0], false, prependUsername);
-  }
-
-  @VisibleForTesting
-  public ExternalServiceCredentialGenerator(byte[] key, byte[] userIdKey, boolean usernameDerivation) {
-    this(key, userIdKey, usernameDerivation, true);
-  }
-
-  public ExternalServiceCredentialGenerator(byte[] key, byte[] userIdKey, boolean usernameDerivation,
-      boolean prependUsername) {
-    this(key, userIdKey, usernameDerivation, prependUsername, Clock.systemUTC());
-  }
-
-  @VisibleForTesting
-  public ExternalServiceCredentialGenerator(byte[] key, byte[] userIdKey, boolean usernameDerivation,
-      boolean prependUsername, Clock clock) {
-    this.key = key;
-    this.userIdKey = userIdKey;
-    this.usernameDerivation = usernameDerivation;
-    this.prependUsername = prependUsername;
-    this.clock = clock;
-  }
-
-  public ExternalServiceCredentials generateFor(String identity) {
-    Mac mac = getMacInstance();
-    String username = getUserId(identity, mac, usernameDerivation);
-    long currentTimeSeconds = clock.millis() / 1000;
-    String prefix = username + ":" + currentTimeSeconds;
-    String output = Hex.encodeHexString(Util.truncate(getHmac(key, prefix.getBytes(), mac), 10));
-    String token = (prependUsername ? prefix : currentTimeSeconds) + ":" + output;
-
-    return new ExternalServiceCredentials(username, token);
-  }
-
-  private String getUserId(String number, Mac mac, boolean usernameDerivation) {
-    if (usernameDerivation) return Hex.encodeHexString(Util.truncate(getHmac(userIdKey, number.getBytes(), mac), 10));
-    else                    return number;
-  }
-
-  private Mac getMacInstance() {
-    try {
-      return Mac.getInstance("HmacSHA256");
-    } catch (NoSuchAlgorithmException e) {
-      throw new AssertionError(e);
-    }
-  }
-
-  private byte[] getHmac(byte[] key, byte[] input, Mac mac) {
-    try {
-      mac.init(new SecretKeySpec(key, "HmacSHA256"));
-      return mac.doFinal(input);
-    } catch (InvalidKeyException e) {
-      throw new AssertionError(e);
-    }
-  }
-
-}
--- a/service/src/main/java/org/whispersystems/textsecuregcm/auth/ExternalServiceCredentials.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/auth/ExternalServiceCredentials.java
@@ -6,28 +6,6 @@
 package org.whispersystems.textsecuregcm.auth;


-import com.fasterxml.jackson.annotation.JsonProperty;
+public record ExternalServiceCredentials(String username, String password) {

-public class ExternalServiceCredentials {
-
-  @JsonProperty
-  private String username;
-
-  @JsonProperty
-  private String password;
-
-  public ExternalServiceCredentials(String username, String password) {
-    this.username = username;
-    this.password = password;
-  }
-
-  public ExternalServiceCredentials() {}
-
-  public String getUsername() {
-    return username;
-  }
-
-  public String getPassword() {
-    return password;
-  }
 }
--- a/service/src/main/java/org/whispersystems/textsecuregcm/auth/ExternalServiceCredentialsGenerator.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/auth/ExternalServiceCredentialsGenerator.java
@@ -0,0 +1,293 @@
+/*
+ * Copyright 2013 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import static java.util.Objects.requireNonNull;
+import static org.whispersystems.textsecuregcm.util.HmacUtils.hmac256ToHexString;
+import static org.whispersystems.textsecuregcm.util.HmacUtils.hmac256TruncatedToHexString;
+import static org.whispersystems.textsecuregcm.util.HmacUtils.hmacHexStringsEqual;
+
+import com.google.common.annotations.VisibleForTesting;
+import java.time.Clock;
+import java.time.Instant;
+import java.util.Optional;
+import java.util.UUID;
+import java.util.function.Function;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.Validate;
+import org.whispersystems.textsecuregcm.configuration.secrets.SecretBytes;
+
+public class ExternalServiceCredentialsGenerator {
+
+  private static final String DELIMITER = ":";
+
+  private static final int TRUNCATED_SIGNATURE_LENGTH = 10;
+
+  private final byte[] key;
+
+  private final byte[] userDerivationKey;
+
+  private final boolean prependUsername;
+
+  private final boolean truncateSignature;
+
+  private final String usernameTimestampPrefix;
+
+  private final Function<Instant, Instant> usernameTimestampTruncator;
+
+  private final Clock clock;
+
+  private final int derivedUsernameTruncateLength;
+
+
+  public static ExternalServiceCredentialsGenerator.Builder builder(final SecretBytes key) {
+    return builder(key.value());
+  }
+
+  @VisibleForTesting
+  public static ExternalServiceCredentialsGenerator.Builder builder(final byte[] key) {
+    return new Builder(key);
+  }
+
+  private ExternalServiceCredentialsGenerator(
+      final byte[] key,
+      final byte[] userDerivationKey,
+      final boolean prependUsername,
+      final boolean truncateSignature,
+      final int derivedUsernameTruncateLength,
+      final String usernameTimestampPrefix,
+      final Function<Instant, Instant> usernameTimestampTruncator,
+      final Clock clock) {
+    this.key = requireNonNull(key);
+    this.userDerivationKey = requireNonNull(userDerivationKey);
+    this.prependUsername = prependUsername;
+    this.truncateSignature = truncateSignature;
+    this.usernameTimestampPrefix = usernameTimestampPrefix;
+    this.usernameTimestampTruncator = usernameTimestampTruncator;
+    this.clock = requireNonNull(clock);
+    this.derivedUsernameTruncateLength = derivedUsernameTruncateLength;
+
+    if (hasUsernameTimestampPrefix() ^ hasUsernameTimestampTruncator()) {
+      throw new RuntimeException("Configured to have only one of (usernameTimestampPrefix, usernameTimestampTruncator)");
+    }
+  }
+
+  /**
+   * A convenience method for the case of identity in the form of {@link UUID}.
+   * @param uuid identity to generate credentials for
+   * @return an instance of {@link ExternalServiceCredentials}
+   */
+  public ExternalServiceCredentials generateForUuid(final UUID uuid) {
+    return generateFor(uuid.toString());
+  }
+
+  /**
+   * Generates `ExternalServiceCredentials` for the given identity following this generator's configuration.
+   * @param identity identity string to generate credentials for
+   * @return an instance of {@link ExternalServiceCredentials}
+   */
+  public ExternalServiceCredentials generateFor(final String identity) {
+    if (usernameIsTimestamp()) {
+      throw new RuntimeException("Configured to use timestamp as username");
+    }
+
+    return generate(identity);
+  }
+
+  /**
+   * Generates `ExternalServiceCredentials` using a prefix concatenated with a truncated timestamp as the username, following this generator's configuration.
+   * @return an instance of {@link ExternalServiceCredentials}
+   */
+  public ExternalServiceCredentials generateWithTimestampAsUsername() {
+    if (!usernameIsTimestamp()) {
+      throw new RuntimeException("Not configured to use timestamp as username");
+    }
+
+    final String truncatedTimestampSeconds = String.valueOf(usernameTimestampTruncator.apply(clock.instant()).getEpochSecond());
+    return generate(usernameTimestampPrefix + DELIMITER + truncatedTimestampSeconds);
+  }
+
+  private ExternalServiceCredentials generate(final String identity) {
+    final String username = shouldDeriveUsername()
+        ? hmac256TruncatedToHexString(userDerivationKey, identity, derivedUsernameTruncateLength)
+        : identity;
+
+    final long currentTimeSeconds = currentTimeSeconds();
+
+    final String dataToSign = usernameIsTimestamp() ? username : username + DELIMITER + currentTimeSeconds;
+
+    final String signature = truncateSignature
+        ? hmac256TruncatedToHexString(key, dataToSign, TRUNCATED_SIGNATURE_LENGTH)
+        : hmac256ToHexString(key, dataToSign);
+
+    final String token = (prependUsername ? dataToSign : currentTimeSeconds) + DELIMITER + signature;
+
+    return new ExternalServiceCredentials(username, token);
+  }
+
+  /**
+   * In certain cases, identity (as it was passed to `generate` method)
+   * is a part of the signature (`password`, in terms of `ExternalServiceCredentials`) string itself.
+   * For such cases, this method returns the value of the identity string.
+   * @param password `password` part of `ExternalServiceCredentials`
+   * @return non-empty optional with an identity string value, or empty if value can't be extracted.
+   */
+  public Optional<String> identityFromSignature(final String password) {
+    // for some generators, identity in the clear is just not a part of the password
+    if (!prependUsername || shouldDeriveUsername() || StringUtils.isBlank(password)) {
+      return Optional.empty();
+    }
+    // checking for the case of unexpected format
+    if (StringUtils.countMatches(password, DELIMITER) == 2) {
+      if (usernameIsTimestamp()) {
+        final int indexOfSecondDelimiter = password.indexOf(DELIMITER, password.indexOf(DELIMITER) + 1);
+        return Optional.of(password.substring(0, indexOfSecondDelimiter));
+      } else {
+        return Optional.of(password.substring(0, password.indexOf(DELIMITER)));
+      }
+    }
+    return Optional.empty();
+  }
+
+  /**
+   * Given an instance of {@link ExternalServiceCredentials} object, checks that the password
+   * matches the username taking into accound this generator's configuration.
+   * @param credentials an instance of {@link ExternalServiceCredentials}
+   * @return An optional with a timestamp (seconds) of when the credentials were generated,
+   *         or an empty optional if the password doesn't match the username for any reason (including malformed data)
+   */
+  public Optional<Long> validateAndGetTimestamp(final ExternalServiceCredentials credentials) {
+    final String[] parts = requireNonNull(credentials).password().split(DELIMITER);
+    final String timestampSeconds;
+    final String actualSignature;
+
+    // making sure password format matches our expectations based on the generator configuration
+    if (parts.length == 3 && prependUsername) {
+      final String username = usernameIsTimestamp() ? parts[0] + DELIMITER + parts[1] : parts[0];
+      // username has to match the one from `credentials`
+      if (!credentials.username().equals(username)) {
+        return Optional.empty();
+      }
+      timestampSeconds = parts[1];
+      actualSignature = parts[2];
+    } else if (parts.length == 2 && !prependUsername) {
+      timestampSeconds = parts[0];
+      actualSignature = parts[1];
+    } else {
+      // unexpected password format
+      return Optional.empty();
+    }
+
+    final String signedData = usernameIsTimestamp() ? credentials.username() : credentials.username() + DELIMITER + timestampSeconds;
+    final String expectedSignature = truncateSignature
+        ? hmac256TruncatedToHexString(key, signedData, TRUNCATED_SIGNATURE_LENGTH)
+        : hmac256ToHexString(key, signedData);
+
+    // if the signature is valid it's safe to parse the `timestampSeconds` string into Long
+    return hmacHexStringsEqual(expectedSignature, actualSignature)
+        ? Optional.of(Long.valueOf(timestampSeconds))
+        : Optional.empty();
+  }
+
+  /**
+   * Given an instance of {@link ExternalServiceCredentials} object and the max allowed age for those credentials,
+   * checks if credentials are valid and not expired.
+   * @param credentials an instance of {@link ExternalServiceCredentials}
+   * @param maxAgeSeconds age in seconds
+   * @return An optional with a timestamp (seconds) of when the credentials were generated,
+   *         or an empty optional if the password doesn't match the username for any reason (including malformed data)
+   */
+  public Optional<Long> validateAndGetTimestamp(final ExternalServiceCredentials credentials, final long maxAgeSeconds) {
+    return validateAndGetTimestamp(credentials)
+        .filter(ts -> currentTimeSeconds() - ts <= maxAgeSeconds);
+  }
+
+  private boolean shouldDeriveUsername() {
+    return userDerivationKey.length > 0;
+  }
+
+  private boolean hasUsernameTimestampPrefix() {
+    return usernameTimestampPrefix != null;
+  }
+
+  private boolean hasUsernameTimestampTruncator() {
+    return usernameTimestampTruncator != null;
+  }
+
+  private boolean usernameIsTimestamp() {
+    return hasUsernameTimestampPrefix() && hasUsernameTimestampTruncator();
+  }
+
+  private long currentTimeSeconds() {
+    return clock.instant().getEpochSecond();
+  }
+
+  public static class Builder {
+
+    private final byte[] key;
+
+    private byte[] userDerivationKey = new byte[0];
+
+    private boolean prependUsername = true;
+
+    private boolean truncateSignature = true;
+
+    private int derivedUsernameTruncateLength = 10;
+
+    private String usernameTimestampPrefix = null;
+
+    private Function<Instant, Instant> usernameTimestampTruncator = null;
+
+    private Clock clock = Clock.systemUTC();
+
+
+    private Builder(final byte[] key) {
+      this.key = requireNonNull(key);
+    }
+
+    public Builder withUserDerivationKey(final SecretBytes userDerivationKey) {
+      return withUserDerivationKey(userDerivationKey.value());
+    }
+
+    public Builder withUserDerivationKey(final byte[] userDerivationKey) {
+      Validate.isTrue(requireNonNull(userDerivationKey).length > 0, "userDerivationKey must not be empty");
+      this.userDerivationKey = userDerivationKey;
+      return this;
+    }
+
+    public Builder withClock(final Clock clock) {
+      this.clock = requireNonNull(clock);
+      return this;
+    }
+
+    public Builder withDerivedUsernameTruncateLength(int truncateLength) {
+      Validate.inclusiveBetween(10, 32, truncateLength);
+      this.derivedUsernameTruncateLength = truncateLength;
+      return this;
+    }
+
+    public Builder prependUsername(final boolean prependUsername) {
+      this.prependUsername = prependUsername;
+      return this;
+    }
+
+    public Builder truncateSignature(final boolean truncateSignature) {
+      this.truncateSignature = truncateSignature;
+      return this;
+    }
+
+    public Builder withUsernameTimestampTruncatorAndPrefix(final Function<Instant, Instant> truncator, final String prefix) {
+      this.usernameTimestampTruncator = truncator;
+      this.usernameTimestampPrefix = prefix;
+      return this;
+    }
+
+    public ExternalServiceCredentialsGenerator build() {
+      return new ExternalServiceCredentialsGenerator(
+          key, userDerivationKey, prependUsername, truncateSignature, derivedUsernameTruncateLength, usernameTimestampPrefix, usernameTimestampTruncator, clock);
+    }
+  }
+}
--- a/service/src/main/java/org/whispersystems/textsecuregcm/auth/ExternalServiceCredentialsSelector.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/auth/ExternalServiceCredentialsSelector.java
@@ -0,0 +1,84 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+
+public class ExternalServiceCredentialsSelector {
+
+  private ExternalServiceCredentialsSelector() {}
+
+  public record CredentialInfo(String token, boolean valid, ExternalServiceCredentials credentials, long timestamp) {
+    /**
+     * @return a copy of this record with valid=false
+     */
+    private CredentialInfo invalidate() {
+      return new CredentialInfo(token, false, credentials, timestamp);
+    }
+  }
+
+  /**
+   * Validate a list of username:password credentials.
+   * A credential is valid if it passes validation by the provided credentialsGenerator AND it is the most recent
+   * credential in the provided list for a username.
+   *
+   * @param tokens A list of credentials, potentially with different usernames
+   * @param credentialsGenerator To validate these credentials
+   * @param maxAgeSeconds The maximum allowable age of the credential
+   * @return A {@link CredentialInfo} for each provided token
+   */
+  public static List<CredentialInfo> check(
+      final List<String> tokens,
+      final ExternalServiceCredentialsGenerator credentialsGenerator,
+      final long maxAgeSeconds) {
+
+    // the credential for the username with the latest timestamp (so far)
+    final Map<String, CredentialInfo> bestForUsername = new HashMap<>();
+    final List<CredentialInfo> results = new ArrayList<>();
+    for (String token : tokens) {
+      // each token is supposed to be in a "${username}:${password}" form,
+      // (note that password part may also contain ':' characters)
+      final String[] parts = token.split(":", 2);
+      if (parts.length != 2) {
+        results.add(new CredentialInfo(token, false, null, 0L));
+        continue;
+      }
+      final ExternalServiceCredentials credentials = new ExternalServiceCredentials(parts[0], parts[1]);
+      final Optional<Long> maybeTimestamp = credentialsGenerator.validateAndGetTimestamp(credentials, maxAgeSeconds);
+      if (maybeTimestamp.isEmpty()) {
+        results.add(new CredentialInfo(token, false, null, 0L));
+        continue;
+      }
+
+      // now that we validated signature and token age, we will also find the latest of the tokens
+      // for each username
+      final long timestamp = maybeTimestamp.get();
+      final CredentialInfo best = bestForUsername.get(credentials.username());
+      if (best == null) {
+        bestForUsername.put(credentials.username(), new CredentialInfo(token, true, credentials, timestamp));
+        continue;
+      }
+      if (best.timestamp() < timestamp) {
+        // we found a better credential for the username
+        bestForUsername.put(credentials.username(), new CredentialInfo(token, true, credentials, timestamp));
+        // mark the previous best as an invalid credential, since we have a better credential now
+        results.add(best.invalidate());
+      } else {
+        // the credential we already had was more recent, this one can be marked invalid
+        results.add(new CredentialInfo(token, false, null, 0L));
+      }
+    }
+
+    // all invalid tokens should be in results, just add the valid ones
+    results.addAll(bestForUsername.values());
+    return results;
+  }
+
+}
--- a/service/src/main/java/org/whispersystems/textsecuregcm/auth/PhoneVerificationTokenManager.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/auth/PhoneVerificationTokenManager.java
@@ -0,0 +1,113 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import io.grpc.Status;
+import io.grpc.StatusRuntimeException;
+import java.security.MessageDigest;
+import java.time.Duration;
+import java.util.concurrent.CancellationException;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
+import javax.ws.rs.BadRequestException;
+import javax.ws.rs.ForbiddenException;
+import javax.ws.rs.NotAuthorizedException;
+import javax.ws.rs.ServerErrorException;
+import javax.ws.rs.core.Response;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.whispersystems.textsecuregcm.entities.PhoneVerificationRequest;
+import org.whispersystems.textsecuregcm.entities.RegistrationServiceSession;
+import org.whispersystems.textsecuregcm.registration.RegistrationServiceClient;
+import org.whispersystems.textsecuregcm.storage.RegistrationRecoveryPasswordsManager;
+
+public class PhoneVerificationTokenManager {
+
+  private static final Logger logger = LoggerFactory.getLogger(PhoneVerificationTokenManager.class);
+  private static final Duration REGISTRATION_RPC_TIMEOUT = Duration.ofSeconds(15);
+  private static final long VERIFICATION_TIMEOUT_SECONDS = REGISTRATION_RPC_TIMEOUT.plusSeconds(1).getSeconds();
+
+  private final RegistrationServiceClient registrationServiceClient;
+  private final RegistrationRecoveryPasswordsManager registrationRecoveryPasswordsManager;
+
+  public PhoneVerificationTokenManager(final RegistrationServiceClient registrationServiceClient,
+      final RegistrationRecoveryPasswordsManager registrationRecoveryPasswordsManager) {
+    this.registrationServiceClient = registrationServiceClient;
+    this.registrationRecoveryPasswordsManager = registrationRecoveryPasswordsManager;
+  }
+
+  /**
+   * Checks if a {@link PhoneVerificationRequest} has a token that verifies the caller has confirmed access to the e164
+   * number
+   *
+   * @param number  the e164 presented for verification
+   * @param request the request with exactly one verification token (RegistrationService sessionId or registration
+   *                recovery password)
+   * @return if verification was successful, returns the verification type
+   * @throws BadRequestException    if the number does not match the sessionId’s number, or the remote service rejects
+   *                                the session ID as invalid
+   * @throws NotAuthorizedException if the session is not verified
+   * @throws ForbiddenException     if the recovery password is not valid
+   * @throws InterruptedException   if verification did not complete before a timeout
+   */
+  public PhoneVerificationRequest.VerificationType verify(final String number, final PhoneVerificationRequest request)
+      throws InterruptedException {
+
+    final PhoneVerificationRequest.VerificationType verificationType = request.verificationType();
+    switch (verificationType) {
+      case SESSION -> verifyBySessionId(number, request.decodeSessionId());
+      case RECOVERY_PASSWORD -> verifyByRecoveryPassword(number, request.recoveryPassword());
+    }
+
+    return verificationType;
+  }
+
+  private void verifyBySessionId(final String number, final byte[] sessionId) throws InterruptedException {
+    try {
+      final RegistrationServiceSession session = registrationServiceClient
+          .getSession(sessionId, REGISTRATION_RPC_TIMEOUT)
+          .get(VERIFICATION_TIMEOUT_SECONDS, TimeUnit.SECONDS)
+          .orElseThrow(() -> new NotAuthorizedException("session not verified"));
+
+      if (!MessageDigest.isEqual(number.getBytes(), session.number().getBytes())) {
+        throw new BadRequestException("number does not match session");
+      }
+      if (!session.verified()) {
+        throw new NotAuthorizedException("session not verified");
+      }
+    } catch (final ExecutionException e) {
+
+      if (e.getCause() instanceof StatusRuntimeException grpcRuntimeException) {
+        if (grpcRuntimeException.getStatus().getCode() == Status.Code.INVALID_ARGUMENT) {
+          throw new BadRequestException();
+        }
+      }
+
+      logger.error("Registration service failure", e);
+      throw new ServerErrorException(Response.Status.SERVICE_UNAVAILABLE);
+
+    } catch (final CancellationException | TimeoutException e) {
+
+      logger.error("Registration service failure", e);
+      throw new ServerErrorException(Response.Status.SERVICE_UNAVAILABLE);
+    }
+  }
+
+  private void verifyByRecoveryPassword(final String number, final byte[] recoveryPassword)
+      throws InterruptedException {
+    try {
+      final boolean verified = registrationRecoveryPasswordsManager.verify(number, recoveryPassword)
+          .get(VERIFICATION_TIMEOUT_SECONDS, TimeUnit.SECONDS);
+      if (!verified) {
+        throw new ForbiddenException("recoveryPassword couldn't be verified");
+      }
+    } catch (final ExecutionException | TimeoutException e) {
+      throw new ServerErrorException(Response.Status.SERVICE_UNAVAILABLE);
+    }
+  }
+
+}
--- a/service/src/main/java/org/whispersystems/textsecuregcm/auth/RegistrationLockVerificationManager.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/auth/RegistrationLockVerificationManager.java
@@ -0,0 +1,178 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import static org.whispersystems.textsecuregcm.metrics.MetricsUtil.name;
+
+import com.google.common.annotations.VisibleForTesting;
+import io.micrometer.core.instrument.DistributionSummary;
+import io.micrometer.core.instrument.Metrics;
+import io.micrometer.core.instrument.Tag;
+import io.micrometer.core.instrument.Tags;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.List;
+import javax.annotation.Nullable;
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.Response;
+import org.apache.commons.lang3.StringUtils;
+import org.whispersystems.textsecuregcm.controllers.RateLimitExceededException;
+import org.whispersystems.textsecuregcm.entities.PhoneVerificationRequest;
+import org.whispersystems.textsecuregcm.entities.RegistrationLockFailure;
+import org.whispersystems.textsecuregcm.limits.RateLimiters;
+import org.whispersystems.textsecuregcm.metrics.UserAgentTagUtil;
+import org.whispersystems.textsecuregcm.push.ClientPresenceManager;
+import org.whispersystems.textsecuregcm.push.NotPushRegisteredException;
+import org.whispersystems.textsecuregcm.push.PushNotificationManager;
+import org.whispersystems.textsecuregcm.storage.Account;
+import org.whispersystems.textsecuregcm.storage.AccountsManager;
+import org.whispersystems.textsecuregcm.storage.Device;
+import org.whispersystems.textsecuregcm.storage.RegistrationRecoveryPasswordsManager;
+
+public class RegistrationLockVerificationManager {
+  public enum Flow {
+    REGISTRATION,
+    CHANGE_NUMBER
+  }
+
+  @VisibleForTesting
+  public static final int FAILURE_HTTP_STATUS = 423;
+
+  private static final String EXPIRED_REGISTRATION_LOCK_COUNTER_NAME =
+      name(RegistrationLockVerificationManager.class, "expiredRegistrationLock");
+  private static final String REQUIRED_REGISTRATION_LOCK_COUNTER_NAME =
+      name(RegistrationLockVerificationManager.class, "requiredRegistrationLock");
+  private static final String CHALLENGED_DEVICE_NOT_PUSH_REGISTERED_COUNTER_NAME =
+      name(RegistrationLockVerificationManager.class, "challengedDeviceNotPushRegistered");
+  private static final String ALREADY_LOCKED_TAG_NAME = "alreadyLocked";
+  private static final String REGISTRATION_LOCK_VERIFICATION_FLOW_TAG_NAME = "flow";
+  private static final String REGISTRATION_LOCK_MATCHES_TAG_NAME = "registrationLockMatches";
+  private static final String PHONE_VERIFICATION_TYPE_TAG_NAME = "phoneVerificationType";
+
+  private final AccountsManager accounts;
+  private final ClientPresenceManager clientPresenceManager;
+  private final ExternalServiceCredentialsGenerator svr2CredentialGenerator;
+  private final RateLimiters rateLimiters;
+  private final RegistrationRecoveryPasswordsManager registrationRecoveryPasswordsManager;
+  private final PushNotificationManager pushNotificationManager;
+
+  public RegistrationLockVerificationManager(
+      final AccountsManager accounts, final ClientPresenceManager clientPresenceManager,
+      final ExternalServiceCredentialsGenerator svr2CredentialGenerator,
+      final RegistrationRecoveryPasswordsManager registrationRecoveryPasswordsManager,
+      final PushNotificationManager pushNotificationManager,
+      final RateLimiters rateLimiters) {
+    this.accounts = accounts;
+    this.clientPresenceManager = clientPresenceManager;
+    this.svr2CredentialGenerator = svr2CredentialGenerator;
+    this.registrationRecoveryPasswordsManager = registrationRecoveryPasswordsManager;
+    this.pushNotificationManager = pushNotificationManager;
+    this.rateLimiters = rateLimiters;
+  }
+
+  /**
+   * Verifies the given registration lock credentials against the account’s current registration lock, if any
+   *
+   * @param account
+   * @param clientRegistrationLock
+   * @throws RateLimitExceededException
+   * @throws WebApplicationException
+   */
+  public void verifyRegistrationLock(final Account account, @Nullable final String clientRegistrationLock,
+      final String userAgent,
+      final Flow flow,
+      final PhoneVerificationRequest.VerificationType phoneVerificationType
+  ) throws RateLimitExceededException, WebApplicationException {
+
+    final Tags expiredTags = Tags.of(UserAgentTagUtil.getPlatformTag(userAgent),
+        Tag.of(REGISTRATION_LOCK_VERIFICATION_FLOW_TAG_NAME, flow.name()),
+        Tag.of(PHONE_VERIFICATION_TYPE_TAG_NAME, phoneVerificationType.name())
+    );
+
+    final StoredRegistrationLock existingRegistrationLock = account.getRegistrationLock();
+
+    switch (existingRegistrationLock.getStatus()) {
+      case EXPIRED:
+        Metrics.counter(EXPIRED_REGISTRATION_LOCK_COUNTER_NAME, expiredTags).increment();
+        return;
+      case ABSENT:
+        return;
+      case REQUIRED:
+        break;
+      default:
+        throw new RuntimeException("Unexpected status: " + existingRegistrationLock.getStatus());
+    }
+
+    if (StringUtils.isNotEmpty(clientRegistrationLock)) {
+      rateLimiters.getPinLimiter().validate(account.getNumber());
+    }
+
+    final String phoneNumber = account.getNumber();
+    final boolean registrationLockMatches = existingRegistrationLock.verify(clientRegistrationLock);
+    final boolean alreadyLocked = account.hasLockedCredentials();
+
+    final Tags additionalTags = expiredTags.and(
+        REGISTRATION_LOCK_MATCHES_TAG_NAME, Boolean.toString(registrationLockMatches),
+        ALREADY_LOCKED_TAG_NAME, Boolean.toString(alreadyLocked)
+    );
+
+    Metrics.counter(REQUIRED_REGISTRATION_LOCK_COUNTER_NAME, additionalTags).increment();
+
+    final DistributionSummary registrationLockIdleDays = DistributionSummary
+        .builder(name(RegistrationLockVerificationManager.class, "registrationLockIdleDays"))
+        .tags(additionalTags)
+        .publishPercentiles(0.75, 0.95, 0.99, 0.999)
+        .distributionStatisticExpiry(Duration.ofHours(2))
+        .register(Metrics.globalRegistry);
+
+    final Instant accountLastSeen = Instant.ofEpochMilli(account.getLastSeen());
+    final Duration timeSinceLastSeen = Duration.between(accountLastSeen, Instant.now());
+
+    registrationLockIdleDays.record(timeSinceLastSeen.toDays());
+
+    if (!registrationLockMatches) {
+      // At this point, the client verified ownership of the phone number but doesn’t have the reglock PIN.
+      // Freezing the existing account credentials will definitively start the reglock timeout.
+      // Until the timeout, the current reglock can still be supplied,
+      // along with phone number verification, to restore access.
+      final ExternalServiceCredentials existingSvr2Credentials = svr2CredentialGenerator.generateForUuid(account.getUuid());
+
+      final Account updatedAccount;
+      if (!alreadyLocked) {
+        updatedAccount = accounts.update(account, Account::lockAuthTokenHash);
+      } else {
+        updatedAccount = account;
+      }
+
+      // The client often sends an empty registration lock token on the first request
+      // and sends an actual token if the server returns a 423 indicating that one is required.
+      // This logic accounts for that behavior by not deleting the registration recovery password
+      // if the user verified correctly via registration recovery password and sent an empty token.
+      // This allows users to re-register via registration recovery password
+      // instead of always being forced to fall back to SMS verification.
+      if (!phoneVerificationType.equals(PhoneVerificationRequest.VerificationType.RECOVERY_PASSWORD) || clientRegistrationLock != null) {
+        registrationRecoveryPasswordsManager.removeForNumber(updatedAccount.getNumber());
+      }
+
+      final List<Long> deviceIds = updatedAccount.getDevices().stream().map(Device::getId).toList();
+      clientPresenceManager.disconnectAllPresences(updatedAccount.getUuid(), deviceIds);
+
+      try {
+        // Send a push notification that prompts the client to attempt login and fail due to locked credentials
+        pushNotificationManager.sendAttemptLoginNotification(updatedAccount, "failedRegistrationLock");
+      } catch (final NotPushRegisteredException e) {
+        Metrics.counter(CHALLENGED_DEVICE_NOT_PUSH_REGISTERED_COUNTER_NAME).increment();
+      }
+
+      throw new WebApplicationException(Response.status(FAILURE_HTTP_STATUS)
+          .entity(new RegistrationLockFailure(existingRegistrationLock.getTimeRemaining().toMillis(),
+              existingRegistrationLock.needsFailureCredentials() ? existingSvr2Credentials : null))
+          .build());
+    }
+
+    rateLimiters.getPinLimiter().clear(phoneNumber);
+  }
+}
--- a/service/src/main/java/org/whispersystems/textsecuregcm/auth/SaltedTokenHash.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/auth/SaltedTokenHash.java
@@ -0,0 +1,75 @@
+/*
+ * Copyright 2013 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+package org.whispersystems.textsecuregcm.auth;
+
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.util.HexFormat;
+import org.signal.libsignal.protocol.kdf.HKDF;
+
+public record SaltedTokenHash(String hash, String salt) {
+
+  public enum Version {
+    V1,
+    V2,
+  }
+
+  public static final Version CURRENT_VERSION = Version.V2;
+
+  private static final String V2_PREFIX = "2.";
+
+  private static final byte[] AUTH_TOKEN_HKDF_INFO = "authtoken".getBytes(StandardCharsets.UTF_8);
+
+  private static final int SALT_SIZE = 16;
+
+  private static final SecureRandom SECURE_RANDOM = new SecureRandom();
+
+
+  public static SaltedTokenHash generateFor(final String token) {
+    final String salt = generateSalt();
+    final String hash = calculateV2Hash(salt, token);
+    return new SaltedTokenHash(hash, salt);
+  }
+
+  public Version getVersion() {
+    return hash.startsWith(V2_PREFIX) ? Version.V2 : Version.V1;
+  }
+
+  public boolean verify(final String token) {
+    final String theirValue = switch (getVersion()) {
+      case V1 -> calculateV1Hash(salt, token);
+      case V2 -> calculateV2Hash(salt, token);
+    };
+    return MessageDigest.isEqual(
+        theirValue.getBytes(StandardCharsets.UTF_8),
+        hash.getBytes(StandardCharsets.UTF_8));
+  }
+
+  private static String generateSalt() {
+    final byte[] salt = new byte[SALT_SIZE];
+    SECURE_RANDOM.nextBytes(salt);
+    return HexFormat.of().formatHex(salt);
+  }
+
+  private static String calculateV1Hash(final String salt, final String token) {
+    try {
+      return HexFormat.of()
+          .formatHex(MessageDigest.getInstance("SHA1").digest((salt + token).getBytes(StandardCharsets.UTF_8)));
+    } catch (final NoSuchAlgorithmException e) {
+      throw new AssertionError(e);
+    }
+  }
+
+  private static String calculateV2Hash(final String salt, final String token) {
+    final byte[] secret = HKDF.deriveSecrets(
+        token.getBytes(StandardCharsets.UTF_8),  // key
+        salt.getBytes(StandardCharsets.UTF_8),  // salt
+        AUTH_TOKEN_HKDF_INFO,
+        32);
+    return V2_PREFIX + HexFormat.of().formatHex(secret);
+  }
+}
--- a/service/src/main/java/org/whispersystems/textsecuregcm/auth/StoredRegistrationLock.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/auth/StoredRegistrationLock.java
@@ -1,51 +1,81 @@
 /*
- * Copyright 2013-2020 Signal Messenger, LLC
+ * Copyright 2013 Signal Messenger, LLC
 * SPDX-License-Identifier: AGPL-3.0-only
 */

 package org.whispersystems.textsecuregcm.auth;

 import com.google.common.annotations.VisibleForTesting;
-import org.whispersystems.textsecuregcm.util.Util;
-
-import javax.annotation.Nullable;
+import java.time.Duration;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
 import java.util.Optional;
-import java.util.concurrent.TimeUnit;
+import javax.annotation.Nullable;
+import org.apache.commons.lang3.StringUtils;

@SuppressWarnings("OptionalUsedAsFieldOrParameterType")
 public class StoredRegistrationLock {
+  public enum Status {
+    REQUIRED,
+    EXPIRED,
+    ABSENT
+  }
+
+  @VisibleForTesting
+  static final Duration REGISTRATION_LOCK_EXPIRATION_DAYS = Duration.ofDays(7);

  private final Optional<String> registrationLock;

  private final Optional<String> registrationLockSalt;

-  private final long             lastSeen;
+  private final Instant lastSeen;

-  public StoredRegistrationLock(Optional<String> registrationLock, Optional<String> registrationLockSalt, long lastSeen) {
+  /**
+   * @return milliseconds since the last time the account was seen.
+   */
+  private long timeSinceLastSeen() {
+    return System.currentTimeMillis() - lastSeen.toEpochMilli();
+  }
+
+  /**
+   * @return true if the registration lock and salt are both set.
+   */
+  private boolean hasLockAndSalt() {
+    return registrationLock.isPresent() && registrationLockSalt.isPresent();
+  }
+
+  public boolean isPresent() {
+    return hasLockAndSalt();
+  }
+
+  public StoredRegistrationLock(Optional<String> registrationLock, Optional<String> registrationLockSalt, Instant lastSeen) {
    this.registrationLock     = registrationLock;
    this.registrationLockSalt = registrationLockSalt;
    this.lastSeen             = lastSeen;
  }

-  public boolean requiresClientRegistrationLock() {
-    return registrationLock.isPresent() && registrationLockSalt.isPresent() && System.currentTimeMillis() - lastSeen < TimeUnit.DAYS.toMillis(7);
+  public Status getStatus() {
+    if (!isPresent()) {
+      return Status.ABSENT;
+    }
+    if (getTimeRemaining().toMillis() > 0) {
+      return Status.REQUIRED;
+    }
+    return Status.EXPIRED;
  }

  public boolean needsFailureCredentials() {
-    return registrationLock.isPresent() && registrationLockSalt.isPresent();
+    return hasLockAndSalt();
  }

-  public long getTimeRemaining() {
-    return TimeUnit.DAYS.toMillis(7) - (System.currentTimeMillis() - lastSeen);
+  public Duration getTimeRemaining() {
+    return REGISTRATION_LOCK_EXPIRATION_DAYS.minus(timeSinceLastSeen(), ChronoUnit.MILLIS);
  }

  public boolean verify(@Nullable String clientRegistrationLock) {
-    if (Util.isEmpty(clientRegistrationLock)) {
-      return false;
-    }
-
-    if (registrationLock.isPresent() && registrationLockSalt.isPresent() && !Util.isEmpty(clientRegistrationLock)) {
-      return new AuthenticationCredentials(registrationLock.get(), registrationLockSalt.get()).verify(clientRegistrationLock);
+    if (hasLockAndSalt() && StringUtils.isNotEmpty(clientRegistrationLock)) {
+      SaltedTokenHash credentials = new SaltedTokenHash(registrationLock.get(), registrationLockSalt.get());
+      return credentials.verify(clientRegistrationLock);
    } else {
      return false;
    }
@@ -53,6 +83,6 @@ public class StoredRegistrationLock {

  @VisibleForTesting
  public StoredRegistrationLock forTime(long timestamp) {
-    return new StoredRegistrationLock(registrationLock, registrationLockSalt, timestamp);
+    return new StoredRegistrationLock(registrationLock, registrationLockSalt, Instant.ofEpochMilli(timestamp));
  }
 }
--- a/service/src/main/java/org/whispersystems/textsecuregcm/auth/StoredVerificationCode.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/auth/StoredVerificationCode.java
@@ -1,72 +0,0 @@
-/*
- * Copyright 2013-2020 Signal Messenger, LLC
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-package org.whispersystems.textsecuregcm.auth;
-
-import com.fasterxml.jackson.annotation.JsonCreator;
-import com.fasterxml.jackson.annotation.JsonProperty;
-import java.security.MessageDigest;
-import java.time.Duration;
-import java.util.Optional;
-import javax.annotation.Nullable;
-import org.whispersystems.textsecuregcm.util.Util;
-
-public class StoredVerificationCode {
-
-  @JsonProperty
-  private final String code;
-
-  @JsonProperty
-  private final long timestamp;
-
-  @JsonProperty
-  private final String pushCode;
-
-  @JsonProperty
-  @Nullable
-  private final String twilioVerificationSid;
-
-  public static final Duration EXPIRATION = Duration.ofMinutes(10);
-
-  @JsonCreator
-  public StoredVerificationCode(
-      @JsonProperty("code") final String code,
-      @JsonProperty("timestamp") final long timestamp,
-      @JsonProperty("pushCode") final String pushCode,
-      @JsonProperty("twilioVerificationSid") @Nullable final String twilioVerificationSid) {
-
-    this.code = code;
-    this.timestamp = timestamp;
-    this.pushCode = pushCode;
-    this.twilioVerificationSid = twilioVerificationSid;
-  }
-
-  public String getCode() {
-    return code;
-  }
-
-  public long getTimestamp() {
-    return timestamp;
-  }
-
-  public String getPushCode() {
-    return pushCode;
-  }
-
-  public Optional<String> getTwilioVerificationSid() {
-    return Optional.ofNullable(twilioVerificationSid);
-  }
-
-  public boolean isValid(String theirCodeString) {
-    if (Util.isEmpty(code) || Util.isEmpty(theirCodeString)) {
-      return false;
-    }
-
-    byte[] ourCode = code.getBytes();
-    byte[] theirCode = theirCodeString.getBytes();
-
-    return MessageDigest.isEqual(ourCode, theirCode);
-  }
-}
--- a/service/src/main/java/org/whispersystems/textsecuregcm/auth/TurnToken.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/auth/TurnToken.java
@@ -5,30 +5,7 @@

 package org.whispersystems.textsecuregcm.auth;

-import com.fasterxml.jackson.annotation.JsonProperty;
-import com.google.common.annotations.VisibleForTesting;
-
 import java.util.List;

-public class TurnToken {
-
-  @JsonProperty
-  private String username;
-
-  @JsonProperty
-  private String password;
-
-  @JsonProperty
-  private List<String> urls;
-
-  public TurnToken(String username, String password, List<String> urls) {
-    this.username = username;
-    this.password = password;
-    this.urls     = urls;
-  }
-
-  @VisibleForTesting
-  List<String> getUrls() {
-    return urls;
-  }
+public record TurnToken(String username, String password, List<String> urls) {
 }
--- a/service/src/main/java/org/whispersystems/textsecuregcm/auth/TurnTokenGenerator.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/auth/TurnTokenGenerator.java
@@ -10,6 +10,7 @@ import org.whispersystems.textsecuregcm.configuration.dynamic.DynamicConfigurati
 import org.whispersystems.textsecuregcm.configuration.dynamic.DynamicTurnConfiguration;
 import org.whispersystems.textsecuregcm.storage.DynamicConfigurationManager;
 import org.whispersystems.textsecuregcm.util.Pair;
+import org.whispersystems.textsecuregcm.util.Util;
 import org.whispersystems.textsecuregcm.util.WeightedRandomSelect;

 import javax.crypto.Mac;
@@ -17,44 +18,53 @@ import javax.crypto.spec.SecretKeySpec;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
+import java.time.Duration;
+import java.time.Instant;
 import java.util.Base64;
 import java.util.List;
 import java.util.Optional;
-import java.util.concurrent.TimeUnit;
+import java.util.UUID;

 public class TurnTokenGenerator {

-  private final DynamicConfigurationManager<DynamicConfiguration> dynamicConfiguration;
+  private final DynamicConfigurationManager<DynamicConfiguration> dynamicConfigurationManager;

-  public TurnTokenGenerator(final DynamicConfigurationManager<DynamicConfiguration> config) {
-    this.dynamicConfiguration = config;
+  private final byte[] turnSecret;
+
+  private static final String ALGORITHM = "HmacSHA1";
+
+  public TurnTokenGenerator(final DynamicConfigurationManager<DynamicConfiguration> dynamicConfigurationManager,
+      final byte[] turnSecret) {
+
+    this.dynamicConfigurationManager = dynamicConfigurationManager;
+    this.turnSecret = turnSecret;
  }

-  public TurnToken generate(final String e164) {
+  public TurnToken generate(final UUID aci) {
    try {
-      byte[] key                = dynamicConfiguration.getConfiguration().getTurnConfiguration().getSecret().getBytes();
-      List<String> urls         = urls(e164);
-      Mac    mac                = Mac.getInstance("HmacSHA1");
-      long   validUntilSeconds  = (System.currentTimeMillis() + TimeUnit.DAYS.toMillis(1)) / 1000;
-      long   user               = Math.abs(new SecureRandom().nextInt());
-      String userTime           = validUntilSeconds + ":"  + user;
+      final List<String> urls = urls(aci);
+      final Mac mac = Mac.getInstance(ALGORITHM);
+      final long validUntilSeconds = Instant.now().plus(Duration.ofDays(1)).getEpochSecond();
+      final long user = Util.ensureNonNegativeInt(new SecureRandom().nextInt());
+      final String userTime = validUntilSeconds + ":" + user;

-      mac.init(new SecretKeySpec(key, "HmacSHA1"));
-      String password = Base64.getEncoder().encodeToString(mac.doFinal(userTime.getBytes()));
+      mac.init(new SecretKeySpec(turnSecret, ALGORITHM));
+      final String password = Base64.getEncoder().encodeToString(mac.doFinal(userTime.getBytes()));

      return new TurnToken(userTime, password, urls);
-    } catch (NoSuchAlgorithmException | InvalidKeyException e) {
+    } catch (final NoSuchAlgorithmException | InvalidKeyException e) {
      throw new AssertionError(e);
    }
  }

-  private List<String> urls(final String e164) {
-    final DynamicTurnConfiguration turnConfig = dynamicConfiguration.getConfiguration().getTurnConfiguration();
+  private List<String> urls(final UUID aci) {
+    final DynamicTurnConfiguration turnConfig = dynamicConfigurationManager.getConfiguration().getTurnConfiguration();

    // Check if number is enrolled to test out specific turn servers
    final Optional<TurnUriConfiguration> enrolled = turnConfig.getUriConfigs().stream()
-        .filter(config -> config.getEnrolledNumbers().contains(e164))
+        .filter(config -> config.getEnrolledAcis().contains(aci))
        .findFirst();
+
    if (enrolled.isPresent()) {
      return enrolled.get().getUris();
    }
@@ -63,6 +73,6 @@ public class TurnTokenGenerator {
    return WeightedRandomSelect.select(turnConfig
        .getUriConfigs()
        .stream()
-        .map(c -> new Pair<List<String>, Long>(c.getUris(), c.getWeight())).toList());
+        .map(c -> new Pair<>(c.getUris(), c.getWeight())).toList());
  }
 }
--- a/service/src/main/java/org/whispersystems/textsecuregcm/auth/UnidentifiedAccessChecksum.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/auth/UnidentifiedAccessChecksum.java
@@ -9,23 +9,21 @@ import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
-import java.util.Base64;
-import java.util.Optional;

-@SuppressWarnings("OptionalUsedAsFieldOrParameterType")
 public class UnidentifiedAccessChecksum {

-  public static String generateFor(Optional<byte[]> unidentifiedAccessKey) {
+  public static byte[] generateFor(byte[] unidentifiedAccessKey) {
    try {
-      if (!unidentifiedAccessKey.isPresent()|| unidentifiedAccessKey.get().length != 16) return null;
+      if (unidentifiedAccessKey.length != UnidentifiedAccessUtil.UNIDENTIFIED_ACCESS_KEY_LENGTH) {
+        throw new IllegalArgumentException("Invalid UAK length: " + unidentifiedAccessKey.length);
+      }

      Mac mac = Mac.getInstance("HmacSHA256");
-      mac.init(new SecretKeySpec(unidentifiedAccessKey.get(), "HmacSHA256"));
+      mac.init(new SecretKeySpec(unidentifiedAccessKey, "HmacSHA256"));

-      return Base64.getEncoder().encodeToString(mac.doFinal(new byte[32]));
+      return mac.doFinal(new byte[32]);
    } catch (NoSuchAlgorithmException | InvalidKeyException e) {
      throw new AssertionError(e);
    }
  }
-
 }
--- a/service/src/main/java/org/whispersystems/textsecuregcm/auth/UnidentifiedAccessUtil.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/auth/UnidentifiedAccessUtil.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth;
+
+import org.whispersystems.textsecuregcm.storage.Account;
+import java.security.MessageDigest;
+
+public class UnidentifiedAccessUtil {
+
+  public static final int UNIDENTIFIED_ACCESS_KEY_LENGTH = 16;
+
+  private UnidentifiedAccessUtil() {
+  }
+
+  /**
+   * Checks whether an action (e.g. sending a message or retrieving pre-keys) may be taken on the target account by an
+   * actor presenting the given unidentified access key.
+   *
+   * @param targetAccount the account on which an actor wishes to take an action
+   * @param unidentifiedAccessKey the unidentified access key presented by the actor
+   *
+   * @return {@code true} if an actor presenting the given unidentified access key has permission to take an action on
+   * the target account or {@code false} otherwise
+   */
+  public static boolean checkUnidentifiedAccess(final Account targetAccount, final byte[] unidentifiedAccessKey) {
+    return targetAccount.isUnrestrictedUnidentifiedAccess()
+        || targetAccount.getUnidentifiedAccessKey()
+        .map(targetUnidentifiedAccessKey -> MessageDigest.isEqual(targetUnidentifiedAccessKey, unidentifiedAccessKey))
+        .orElse(false);
+  }
+}
--- a/service/src/main/java/org/whispersystems/textsecuregcm/auth/grpc/AuthenticatedDevice.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/auth/grpc/AuthenticatedDevice.java
@@ -0,0 +1,11 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth.grpc;
+
+import java.util.UUID;
+
+public record AuthenticatedDevice(UUID accountIdentifier, long deviceId) {
+}
--- a/service/src/main/java/org/whispersystems/textsecuregcm/auth/grpc/AuthenticationUtil.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/auth/grpc/AuthenticationUtil.java
@@ -0,0 +1,62 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth.grpc;
+
+import io.grpc.Context;
+import io.grpc.Status;
+import java.util.UUID;
+import javax.annotation.Nullable;
+import org.whispersystems.textsecuregcm.storage.Device;
+
+/**
+ * Provides utility methods for working with authentication in the context of gRPC calls.
+ */
+public class AuthenticationUtil {
+
+  static final Context.Key<UUID> CONTEXT_AUTHENTICATED_ACCOUNT_IDENTIFIER_KEY = Context.key("authenticated-aci");
+  static final Context.Key<Long> CONTEXT_AUTHENTICATED_DEVICE_IDENTIFIER_KEY = Context.key("authenticated-device-id");
+
+  /**
+   * Returns the account/device authenticated in the current gRPC context or throws an "unauthenticated" exception if
+   * no authenticated account/device is available.
+   *
+   * @return the account/device identifier authenticated in the current gRPC context
+   *
+   * @throws io.grpc.StatusRuntimeException with a status of {@code UNAUTHENTICATED} if no authenticated account/device
+   * could be retrieved from the current gRPC context
+   */
+  public static AuthenticatedDevice requireAuthenticatedDevice() {
+    @Nullable final UUID accountIdentifier = CONTEXT_AUTHENTICATED_ACCOUNT_IDENTIFIER_KEY.get();
+    @Nullable final Long deviceId = CONTEXT_AUTHENTICATED_DEVICE_IDENTIFIER_KEY.get();
+
+    if (accountIdentifier != null && deviceId != null) {
+      return new AuthenticatedDevice(accountIdentifier, deviceId);
+    }
+
+    throw Status.UNAUTHENTICATED.asRuntimeException();
+  }
+
+  /**
+   * Returns the account/device authenticated in the current gRPC context or throws an "unauthenticated" exception if
+   * no authenticated account/device is available or "permission denied" if the authenticated device is not the primary
+   * device for the account.
+   *
+   * @return the account/device identifier authenticated in the current gRPC context
+   *
+   * @throws io.grpc.StatusRuntimeException with a status of {@code UNAUTHENTICATED} if no authenticated account/device
+   * could be retrieved from the current gRPC context or a status of {@code PERMISSION_DENIED} if the authenticated
+   * device is not the primary device for the authenticated account
+   */
+  public static AuthenticatedDevice requireAuthenticatedPrimaryDevice() {
+    final AuthenticatedDevice authenticatedDevice = requireAuthenticatedDevice();
+
+    if (authenticatedDevice.deviceId() != Device.PRIMARY_ID) {
+      throw Status.PERMISSION_DENIED.asRuntimeException();
+    }
+
+    return authenticatedDevice;
+  }
+}
--- a/service/src/main/java/org/whispersystems/textsecuregcm/auth/grpc/BasicCredentialAuthenticationInterceptor.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/auth/grpc/BasicCredentialAuthenticationInterceptor.java
@@ -0,0 +1,85 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.auth.grpc;
+
+import com.google.common.annotations.VisibleForTesting;
+import io.dropwizard.auth.basic.BasicCredentials;
+import io.grpc.Context;
+import io.grpc.Contexts;
+import io.grpc.Metadata;
+import io.grpc.ServerCall;
+import io.grpc.ServerCallHandler;
+import io.grpc.ServerInterceptor;
+import io.grpc.Status;
+import java.util.Optional;
+import org.apache.commons.lang3.StringUtils;
+import org.whispersystems.textsecuregcm.auth.AuthenticatedAccount;
+import org.whispersystems.textsecuregcm.auth.BaseAccountAuthenticator;
+import org.whispersystems.textsecuregcm.util.HeaderUtils;
+
+/**
+ * A basic credential authentication interceptor enforces the presence of a valid username and password on every call.
+ * Callers supply credentials by providing a username (UUID and optional device ID) and password pair in the
+ * {@code x-signal-basic-auth-credentials} call header.
+ * <p/>
+ * Downstream services can retrieve the identity of the authenticated caller using methods in
+ * {@link AuthenticationUtil}.
+ * <p/>
+ * Note that this authentication, while fully functional, is intended only for development and testing purposes and is
+ * intended to be replaced with a more robust and efficient strategy before widespread client adoption.
+ *
+ * @see AuthenticationUtil
+ * @see BaseAccountAuthenticator
+ */
+public class BasicCredentialAuthenticationInterceptor implements ServerInterceptor {
+
+  private final BaseAccountAuthenticator baseAccountAuthenticator;
+
+  @VisibleForTesting
+  static final Metadata.Key<String> BASIC_CREDENTIALS =
+      Metadata.Key.of("x-signal-auth", Metadata.ASCII_STRING_MARSHALLER);
+
+  private static final Metadata EMPTY_TRAILERS = new Metadata();
+
+  public BasicCredentialAuthenticationInterceptor(final BaseAccountAuthenticator baseAccountAuthenticator) {
+    this.baseAccountAuthenticator = baseAccountAuthenticator;
+  }
+
+  @Override
+  public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
+      final ServerCall<ReqT, RespT> call,
+      final Metadata headers,
+      final ServerCallHandler<ReqT, RespT> next) {
+
+    final String authHeader = headers.get(BASIC_CREDENTIALS);
+
+    if (StringUtils.isNotBlank(authHeader)) {
+      final Optional<BasicCredentials> maybeCredentials = HeaderUtils.basicCredentialsFromAuthHeader(authHeader);
+      if (maybeCredentials.isEmpty()) {
+        call.close(Status.UNAUTHENTICATED.withDescription("Could not parse credentials"), EMPTY_TRAILERS);
+      } else {
+        final Optional<AuthenticatedAccount> maybeAuthenticatedAccount =
+            baseAccountAuthenticator.authenticate(maybeCredentials.get(), false);
+
+        if (maybeAuthenticatedAccount.isPresent()) {
+          final AuthenticatedAccount authenticatedAccount = maybeAuthenticatedAccount.get();
+
+          final Context context = Context.current()
+              .withValue(AuthenticationUtil.CONTEXT_AUTHENTICATED_ACCOUNT_IDENTIFIER_KEY, authenticatedAccount.getAccount().getUuid())
+              .withValue(AuthenticationUtil.CONTEXT_AUTHENTICATED_DEVICE_IDENTIFIER_KEY, authenticatedAccount.getAuthenticatedDevice().getId());
+
+          return Contexts.interceptCall(context, call, headers, next);
+        } else {
+          call.close(Status.UNAUTHENTICATED.withDescription("Credentials not accepted"), EMPTY_TRAILERS);
+        }
+      }
+    } else {
+      call.close(Status.UNAUTHENTICATED.withDescription("No credentials provided"), EMPTY_TRAILERS);
+    }
+
+    return new ServerCall.Listener<>() {};
+  }
+}
--- a/service/src/main/java/org/whispersystems/textsecuregcm/backup/BackupAuthManager.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/backup/BackupAuthManager.java
@@ -0,0 +1,165 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.backup;
+
+import io.grpc.Status;
+import java.security.MessageDigest;
+import java.time.Clock;
+import java.time.Duration;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.List;
+import java.util.Optional;
+import java.util.concurrent.CompletableFuture;
+import java.util.stream.Stream;
+import org.signal.libsignal.zkgroup.GenericServerSecretParams;
+import org.signal.libsignal.zkgroup.InvalidInputException;
+import org.signal.libsignal.zkgroup.backups.BackupAuthCredentialRequest;
+import org.signal.libsignal.zkgroup.backups.BackupAuthCredentialResponse;
+import org.whispersystems.textsecuregcm.configuration.dynamic.DynamicConfiguration;
+import org.whispersystems.textsecuregcm.controllers.RateLimitExceededException;
+import org.whispersystems.textsecuregcm.limits.RateLimiters;
+import org.whispersystems.textsecuregcm.storage.Account;
+import org.whispersystems.textsecuregcm.storage.AccountsManager;
+import org.whispersystems.textsecuregcm.storage.DynamicConfigurationManager;
+import org.whispersystems.textsecuregcm.util.Util;
+
+/**
+ * Issues ZK backup auth credentials for authenticated accounts
+ * <p>
+ * Authenticated callers can create ZK credentials that contain a blinded backup-id, so that they can later use that
+ * backup id without the verifier learning that the id is associated with this account.
+ * <p>
+ * First use {@link #commitBackupId} to provide a blinded backup-id. This is stored in durable storage. Then the caller
+ * can use {@link #getBackupAuthCredentials} to retrieve credentials that can subsequently be used to make anonymously
+ * authenticated requests against their backup-id.
+ */
+public class BackupAuthManager {
+
+  private static final Duration MAX_REDEMPTION_DURATION = Duration.ofDays(7);
+  final static String BACKUP_EXPERIMENT_NAME = "backup";
+  final static String BACKUP_MEDIA_EXPERIMENT_NAME = "backupMedia";
+
+  private final DynamicConfigurationManager<DynamicConfiguration> dynamicConfigurationManager;
+  private final GenericServerSecretParams serverSecretParams;
+  private final Clock clock;
+  private final RateLimiters rateLimiters;
+  private final AccountsManager accountsManager;
+
+  public BackupAuthManager(
+      final DynamicConfigurationManager<DynamicConfiguration> dynamicConfigurationManager,
+      final RateLimiters rateLimiters,
+      final AccountsManager accountsManager,
+      final GenericServerSecretParams serverSecretParams,
+      final Clock clock) {
+    this.dynamicConfigurationManager = dynamicConfigurationManager;
+    this.rateLimiters = rateLimiters;
+    this.accountsManager = accountsManager;
+    this.serverSecretParams = serverSecretParams;
+    this.clock = clock;
+  }
+
+  /**
+   * Store a credential request containing a blinded backup-id for future use.
+   *
+   * @param account                  The account using the backup-id
+   * @param backupAuthCredentialRequest A request containing the blinded backup-id
+   * @return A future that completes when the credentialRequest has been stored
+   * @throws RateLimitExceededException If too many backup-ids have been committed
+   */
+  public CompletableFuture<Void> commitBackupId(final Account account,
+      final BackupAuthCredentialRequest backupAuthCredentialRequest) throws RateLimitExceededException {
+    if (receiptLevel(account).isEmpty()) {
+      throw Status.PERMISSION_DENIED.withDescription("Backups not allowed on account").asRuntimeException();
+    }
+
+    byte[] serializedRequest = backupAuthCredentialRequest.serialize();
+    byte[] existingRequest = account.getBackupCredentialRequest();
+    if (existingRequest != null && MessageDigest.isEqual(serializedRequest, existingRequest)) {
+      // No need to update or enforce rate limits, this is the credential that the user has already
+      // committed to.
+      return CompletableFuture.completedFuture(null);
+    }
+
+    rateLimiters.forDescriptor(RateLimiters.For.SET_BACKUP_ID).validate(account.getUuid());
+
+    return this.accountsManager
+        .updateAsync(account, acc -> acc.setBackupCredentialRequest(serializedRequest))
+        .thenRun(Util.NOOP);
+  }
+
+  public record Credential(BackupAuthCredentialResponse credential, Instant redemptionTime) {}
+
+  /**
+   * Create a credential for every day between redemptionStart and redemptionEnd
+   * <p>
+   * This uses a {@link BackupAuthCredentialRequest} previous stored via {@link this#commitBackupId} to generate the
+   * credentials.
+   *
+   * @param account         The account to create the credentials for
+   * @param redemptionStart The day (must be truncated to a day boundary) the first credential should be valid
+   * @param redemptionEnd   The day (must be truncated to a day boundary) the last credential should be valid
+   * @return Credentials and the day on which they may be redeemed
+   */
+  public CompletableFuture<List<Credential>> getBackupAuthCredentials(
+      final Account account,
+      final Instant redemptionStart,
+      final Instant redemptionEnd) {
+
+    final long receiptLevel = receiptLevel(account).orElseThrow(
+        () -> Status.PERMISSION_DENIED.withDescription("Backups not allowed on account").asRuntimeException());
+
+    final Instant startOfDay = clock.instant().truncatedTo(ChronoUnit.DAYS);
+    if (redemptionStart.isAfter(redemptionEnd) ||
+        redemptionStart.isBefore(startOfDay) ||
+        redemptionEnd.isAfter(startOfDay.plus(MAX_REDEMPTION_DURATION)) ||
+        !redemptionStart.equals(redemptionStart.truncatedTo(ChronoUnit.DAYS)) ||
+        !redemptionEnd.equals(redemptionEnd.truncatedTo(ChronoUnit.DAYS))) {
+
+      throw Status.INVALID_ARGUMENT.withDescription("invalid redemption window").asRuntimeException();
+    }
+
+    // fetch the blinded backup-id the account should have previously committed to
+    final byte[] committedBytes = account.getBackupCredentialRequest();
+    if (committedBytes == null) {
+      throw Status.NOT_FOUND.withDescription("No blinded backup-id has been added to the account").asRuntimeException();
+    }
+
+    try {
+      // create a credential for every day in the requested period
+      final BackupAuthCredentialRequest credentialReq = new BackupAuthCredentialRequest(committedBytes);
+      return CompletableFuture.completedFuture(Stream
+          .iterate(redemptionStart, curr -> curr.plus(Duration.ofDays(1)))
+          .takeWhile(redemptionTime -> !redemptionTime.isAfter(redemptionEnd))
+          .map(redemption -> new Credential(
+              credentialReq.issueCredential(redemption, receiptLevel, serverSecretParams),
+              redemption))
+          .toList());
+    } catch (InvalidInputException e) {
+      throw Status.INTERNAL
+          .withDescription("Could not deserialize stored request credential")
+          .withCause(e)
+          .asRuntimeException();
+    }
+  }
+
+  private Optional<Long> receiptLevel(final Account account) {
+    if (inExperiment(BACKUP_MEDIA_EXPERIMENT_NAME, account)) {
+      return Optional.of(BackupTier.MEDIA.getReceiptLevel());
+    }
+    if (inExperiment(BACKUP_EXPERIMENT_NAME, account)) {
+      return Optional.of(BackupTier.MESSAGES.getReceiptLevel());
+    }
+    return Optional.empty();
+  }
+
+  private boolean inExperiment(final String experimentName, final Account account) {
+    return dynamicConfigurationManager.getConfiguration()
+        .getExperimentEnrollmentConfiguration(experimentName)
+        .map(config -> config.getEnrolledUuids().contains(account.getUuid()))
+        .orElse(false);
+  }
+}
--- a/service/src/main/java/org/whispersystems/textsecuregcm/backup/BackupManager.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/backup/BackupManager.java
@@ -0,0 +1,391 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.backup;
+
+import io.grpc.Status;
+import io.micrometer.core.instrument.Metrics;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.time.Clock;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Base64;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.HexFormat;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.concurrent.CompletableFuture;
+import org.signal.libsignal.protocol.InvalidKeyException;
+import org.signal.libsignal.protocol.ecc.ECPublicKey;
+import org.signal.libsignal.zkgroup.GenericServerSecretParams;
+import org.signal.libsignal.zkgroup.VerificationFailedException;
+import org.signal.libsignal.zkgroup.backups.BackupAuthCredentialPresentation;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.whispersystems.textsecuregcm.auth.AuthenticatedBackupUser;
+import org.whispersystems.textsecuregcm.metrics.MetricsUtil;
+import org.whispersystems.textsecuregcm.util.AttributeValues;
+import org.whispersystems.textsecuregcm.util.ExceptionUtils;
+import org.whispersystems.textsecuregcm.util.Util;
+import software.amazon.awssdk.core.SdkBytes;
+import software.amazon.awssdk.services.dynamodb.DynamoDbAsyncClient;
+import software.amazon.awssdk.services.dynamodb.model.AttributeValue;
+import software.amazon.awssdk.services.dynamodb.model.ConditionalCheckFailedException;
+import software.amazon.awssdk.services.dynamodb.model.GetItemRequest;
+import software.amazon.awssdk.services.dynamodb.model.UpdateItemRequest;
+
+public class BackupManager {
+
+  private static final Logger logger = LoggerFactory.getLogger(BackupManager.class);
+
+  static final String MESSAGE_BACKUP_NAME = "messageBackup";
+  private static final int BACKUP_CDN = 3;
+  private static final String ZK_AUTHN_COUNTER_NAME = MetricsUtil.name(BackupManager.class, "authentication");
+  private static final String ZK_AUTHZ_FAILURE_COUNTER_NAME = MetricsUtil.name(BackupManager.class, "authorizationFailure");
+  private static final String SUCCESS_TAG_NAME = "success";
+  private static final String FAILURE_REASON_TAG_NAME = "reason";
+
+  private final GenericServerSecretParams serverSecretParams;
+  private final TusBackupCredentialGenerator tusBackupCredentialGenerator;
+  private final DynamoDbAsyncClient dynamoClient;
+  private final String backupTableName;
+  private final Clock clock;
+
+  // The backups table
+
+  // B: 16 bytes that identifies the backup
+  public static final String KEY_BACKUP_ID_HASH = "U";
+  // N: Time in seconds since epoch of the last backup refresh. This timestamp must be periodically updated to avoid
+  // garbage collection of archive objects.
+  public static final String ATTR_LAST_REFRESH = "R";
+  // N: Time in seconds since epoch of the last backup media refresh. This timestamp can only be updated if the client
+  // has BackupTier.MEDIA, and must be periodically updated to avoid garbage collection of media objects.
+  public static final String ATTR_LAST_MEDIA_REFRESH = "MR";
+  // B: A 32 byte public key that should be used to sign the presentation used to authenticate requests against the
+  // backup-id
+  public static final String ATTR_PUBLIC_KEY = "P";
+  // N: Bytes consumed by this backup
+  public static final String ATTR_MEDIA_BYTES_USED = "MB";
+  // N: Number of media objects in the backup
+  public static final String ATTR_MEDIA_COUNT = "MC";
+  // N: The cdn number where the message backup is stored
+  public static final String ATTR_CDN = "CDN";
+
+  public BackupManager(
+      final GenericServerSecretParams serverSecretParams,
+      final TusBackupCredentialGenerator tusBackupCredentialGenerator,
+      final DynamoDbAsyncClient dynamoClient,
+      final String backupTableName,
+      final Clock clock) {
+    this.serverSecretParams = serverSecretParams;
+    this.dynamoClient = dynamoClient;
+    this.tusBackupCredentialGenerator = tusBackupCredentialGenerator;
+    this.backupTableName = backupTableName;
+    this.clock = clock;
+  }
+
+  /**
+   * Set the public key for the backup-id.
+   * <p>
+   * Once set, calls {@link BackupManager#authenticateBackupUser} can succeed if the presentation is signed with the
+   * private key corresponding to this public key.
+   *
+   * @param presentation a ZK credential presentation that encodes the backupId
+   * @param signature    the signature of the presentation
+   * @param publicKey    the public key of a key-pair that the presentation must be signed with
+   */
+  public CompletableFuture<Void> setPublicKey(
+      final BackupAuthCredentialPresentation presentation,
+      final byte[] signature,
+      final ECPublicKey publicKey) {
+
+    // Note: this is a special case where we can't validate the presentation signature against the stored public key
+    // because we are currently setting it. We check against the provided public key, but we must also verify that
+    // there isn't an existing, different stored public key for the backup-id (verified with a condition expression)
+    final BackupTier backupTier = verifySignatureAndCheckPresentation(presentation, signature, publicKey);
+    if (backupTier.compareTo(BackupTier.MESSAGES) < 0) {
+      Metrics.counter(ZK_AUTHZ_FAILURE_COUNTER_NAME).increment();
+      throw Status.PERMISSION_DENIED
+          .withDescription("credential does not support setting public key")
+          .asRuntimeException();
+    }
+
+    final byte[] hashedBackupId = hashedBackupId(presentation.getBackupId());
+    return dynamoClient.updateItem(UpdateItemRequest.builder()
+            .tableName(backupTableName)
+            .key(Map.of(KEY_BACKUP_ID_HASH, AttributeValues.b(hashedBackupId)))
+            .updateExpression("SET #publicKey = :publicKey")
+            .expressionAttributeNames(Map.of("#publicKey", ATTR_PUBLIC_KEY))
+            .expressionAttributeValues(Map.of(":publicKey", AttributeValues.b(publicKey.serialize())))
+            .conditionExpression("attribute_not_exists(#publicKey) OR #publicKey = :publicKey")
+            .build())
+        .exceptionally(throwable -> {
+          // There was already a row for this backup-id and it contained a different publicKey
+          if (ExceptionUtils.unwrap(throwable) instanceof ConditionalCheckFailedException) {
+            Metrics.counter(ZK_AUTHN_COUNTER_NAME,
+                    SUCCESS_TAG_NAME, String.valueOf(false),
+                    FAILURE_REASON_TAG_NAME, "public_key_conflict")
+                .increment();
+            throw Status.UNAUTHENTICATED
+                .withDescription("public key does not match existing public key for the backup-id")
+                .asRuntimeException();
+          }
+          throw ExceptionUtils.wrap(throwable);
+        })
+        .thenRun(Util.NOOP);
+  }
+
+
+  /**
+   * Create a form that may be used to upload a backup file for the backupId encoded in the presentation.
+   * <p>
+   * If successful, this also updates the TTL of the backup.
+   *
+   * @param backupUser an already ZK authenticated backup user
+   * @return the upload form
+   */
+  public CompletableFuture<MessageBackupUploadDescriptor> createMessageBackupUploadDescriptor(
+      final AuthenticatedBackupUser backupUser) {
+    final byte[] hashedBackupId = hashedBackupId(backupUser);
+    final String encodedBackupId = encodeForCdn(hashedBackupId);
+
+    final long refreshTimeSecs = clock.instant().getEpochSecond();
+
+    final List<String> updates = new ArrayList<>(List.of("#cdn = :cdn", "#lastRefresh = :expiration"));
+    final Map<String, String> expressionAttributeNames = new HashMap<>(Map.of(
+        "#cdn", ATTR_CDN,
+        "#lastRefresh", ATTR_LAST_REFRESH));
+    if (backupUser.backupTier().compareTo(BackupTier.MEDIA) >= 0) {
+      updates.add("#lastMediaRefresh = :expiration");
+      expressionAttributeNames.put("#lastMediaRefresh", ATTR_LAST_MEDIA_REFRESH);
+    }
+
+    // this could race with concurrent updates, but the only effect would be last-writer-wins on the timestamp
+    return dynamoClient.updateItem(UpdateItemRequest.builder()
+            .tableName(backupTableName)
+            .key(Map.of(KEY_BACKUP_ID_HASH, AttributeValues.b(hashedBackupId)))
+            .updateExpression("SET %s".formatted(String.join(",", updates)))
+            .expressionAttributeNames(expressionAttributeNames)
+            .expressionAttributeValues(Map.of(
+                ":cdn", AttributeValues.n(BACKUP_CDN),
+                ":expiration", AttributeValues.n(refreshTimeSecs)))
+            .build())
+        .thenApply(result -> tusBackupCredentialGenerator.generateUpload(encodedBackupId, MESSAGE_BACKUP_NAME));
+  }
+
+  /**
+   * Update the last update timestamps for the backupId in the presentation
+   *
+   * @param backupUser an already ZK authenticated backup user
+   */
+  public CompletableFuture<Void> ttlRefresh(final AuthenticatedBackupUser backupUser) {
+    if (backupUser.backupTier().compareTo(BackupTier.MESSAGES) < 0) {
+      Metrics.counter(ZK_AUTHZ_FAILURE_COUNTER_NAME).increment();
+      throw Status.PERMISSION_DENIED
+          .withDescription("credential does not support ttl operation")
+          .asRuntimeException();
+    }
+    final long refreshTimeSecs = clock.instant().getEpochSecond();
+    // update message backup TTL
+    final List<String> updates = new ArrayList<>(Collections.singletonList("#lastRefresh = :expiration"));
+    final Map<String, String> expressionAttributeNames = new HashMap<>(Map.of("#lastRefresh", ATTR_LAST_REFRESH));
+    if (backupUser.backupTier().compareTo(BackupTier.MEDIA) >= 0) {
+      // update media TTL
+      expressionAttributeNames.put("#lastMediaRefresh", ATTR_LAST_MEDIA_REFRESH);
+      updates.add("#lastMediaRefresh = :expiration");
+    }
+    return dynamoClient.updateItem(UpdateItemRequest.builder()
+            .tableName(backupTableName)
+            .key(Map.of(KEY_BACKUP_ID_HASH, AttributeValues.b(hashedBackupId(backupUser))))
+            .updateExpression("SET %s".formatted(String.join(",", updates)))
+            .expressionAttributeNames(expressionAttributeNames)
+            .expressionAttributeValues(Map.of(":expiration", AttributeValues.n(refreshTimeSecs)))
+            .build())
+        .thenRun(Util.NOOP);
+  }
+
+  public record BackupInfo(int cdn, String backupSubdir, String messageBackupKey, Optional<Long> mediaUsedSpace) {}
+
+  /**
+   * Retrieve information about the existing backup
+   *
+   * @param backupUser an already ZK authenticated backup user
+   * @return Information about the existing backup
+   */
+  public CompletableFuture<BackupInfo> backupInfo(final AuthenticatedBackupUser backupUser) {
+    if (backupUser.backupTier().compareTo(BackupTier.MESSAGES) < 0) {
+      Metrics.counter(ZK_AUTHZ_FAILURE_COUNTER_NAME).increment();
+      throw Status.PERMISSION_DENIED.withDescription("credential does not support info operation")
+          .asRuntimeException();
+    }
+    return backupInfoHelper(backupUser);
+  }
+
+  private CompletableFuture<BackupInfo> backupInfoHelper(final AuthenticatedBackupUser backupUser) {
+    return dynamoClient.getItem(GetItemRequest.builder()
+            .tableName(backupTableName)
+            .key(Map.of(KEY_BACKUP_ID_HASH, AttributeValues.b(hashedBackupId(backupUser))))
+            .projectionExpression("#cdn,#bytesUsed")
+            .expressionAttributeNames(Map.of("#cdn", ATTR_CDN, "#bytesUsed", ATTR_MEDIA_BYTES_USED))
+            .build())
+        .thenApply(response -> {
+          if (!response.hasItem()) {
+            throw Status.NOT_FOUND.withDescription("Backup not found").asRuntimeException();
+          }
+          final int cdn = AttributeValues.get(response.item(), ATTR_CDN)
+              .map(AttributeValue::n)
+              .map(Integer::parseInt)
+              .orElseThrow(() -> Status.NOT_FOUND.withDescription("Stored backup not found").asRuntimeException());
+
+          final Optional<Long> mediaUsed = AttributeValues.get(response.item(), ATTR_MEDIA_BYTES_USED)
+              .map(AttributeValue::n)
+              .map(Long::parseLong);
+
+          return new BackupInfo(cdn, encodeForCdn(hashedBackupId(backupUser)), MESSAGE_BACKUP_NAME, mediaUsed);
+        });
+  }
+
+  /**
+   * Generate credentials that can be used to read from the backup CDN
+   *
+   * @param backupUser an already ZK authenticated backup user
+   * @return A map of headers to include with CDN requests
+   */
+  public Map<String, String> generateReadAuth(final AuthenticatedBackupUser backupUser) {
+    if (backupUser.backupTier().compareTo(BackupTier.MESSAGES) < 0) {
+      Metrics.counter(ZK_AUTHZ_FAILURE_COUNTER_NAME).increment();
+      throw Status.PERMISSION_DENIED
+          .withDescription("credential does not support read auth operation")
+          .asRuntimeException();
+
+    }
+    final String encodedBackupId = encodeForCdn(hashedBackupId(backupUser));
+    return tusBackupCredentialGenerator.readHeaders(encodedBackupId);
+  }
+
+  /**
+   * Authenticate the ZK anonymous backup credential's presentation
+   * <p>
+   * This validates:
+   * <li> The presentation was for a credential issued by the server </li>
+   * <li> The credential is in its redemption window </li>
+   * <li> The backup-id matches a previously committed blinded backup-id and server issued receipt level </li>
+   * <li> The signature of the credential matches an existing publicKey associated with this backup-id </li>
+   *
+   * @param presentation A {@link BackupAuthCredentialPresentation}
+   * @param signature    An XEd25519 signature of the presentation bytes
+   * @return On authentication success, the authenticated backup-id and backup-tier encoded in the presentation
+   */
+  public CompletableFuture<AuthenticatedBackupUser> authenticateBackupUser(
+      final BackupAuthCredentialPresentation presentation,
+      final byte[] signature) {
+    final byte[] hashedBackupId = hashedBackupId(presentation.getBackupId());
+    return dynamoClient.getItem(GetItemRequest.builder()
+            .tableName(backupTableName)
+            .key(Map.of(KEY_BACKUP_ID_HASH, AttributeValues.b(hashedBackupId)))
+            .projectionExpression("#publicKey")
+            .expressionAttributeNames(Map.of("#publicKey", ATTR_PUBLIC_KEY))
+            .build())
+        .thenApply(response -> {
+          if (!response.hasItem()) {
+            Metrics.counter(ZK_AUTHN_COUNTER_NAME,
+                    SUCCESS_TAG_NAME, String.valueOf(false),
+                    FAILURE_REASON_TAG_NAME, "missing_public_key")
+                .increment();
+            throw Status.NOT_FOUND.withDescription("Backup not found").asRuntimeException();
+          }
+          final byte[] publicKeyBytes = AttributeValues.get(response.item(), ATTR_PUBLIC_KEY)
+              .map(AttributeValue::b)
+              .map(SdkBytes::asByteArray)
+              .orElseThrow(() -> Status.INTERNAL
+                  .withDescription("Stored backup missing public key")
+                  .asRuntimeException());
+          try {
+            final ECPublicKey publicKey = new ECPublicKey(publicKeyBytes);
+            return new AuthenticatedBackupUser(
+                presentation.getBackupId(),
+                verifySignatureAndCheckPresentation(presentation, signature, publicKey));
+          } catch (InvalidKeyException e) {
+            Metrics.counter(ZK_AUTHN_COUNTER_NAME,
+                    SUCCESS_TAG_NAME, String.valueOf(false),
+                    FAILURE_REASON_TAG_NAME, "invalid_public_key")
+                .increment();
+            logger.error("Invalid publicKey for backupId hash {}",
+                HexFormat.of().formatHex(hashedBackupId), e);
+            throw Status.INTERNAL
+                .withCause(e)
+                .withDescription("Could not deserialize stored public key")
+                .asRuntimeException();
+          }
+        })
+        .thenApply(result -> {
+          Metrics.counter(ZK_AUTHN_COUNTER_NAME, SUCCESS_TAG_NAME, String.valueOf(true)).increment();
+          return result;
+        });
+  }
+
+
+  /**
+   * Verify the presentation and return the extracted backup tier
+   *
+   * @param presentation A ZK credential presentation that encodes the backupId and the receipt level of the requester
+   * @return The backup tier this presentation supports
+   */
+  private BackupTier verifySignatureAndCheckPresentation(
+      final BackupAuthCredentialPresentation presentation,
+      final byte[] signature,
+      final ECPublicKey publicKey) {
+    if (!publicKey.verifySignature(presentation.serialize(), signature)) {
+      Metrics.counter(ZK_AUTHN_COUNTER_NAME,
+              SUCCESS_TAG_NAME, String.valueOf(false),
+              FAILURE_REASON_TAG_NAME, "signature_validation")
+          .increment();
+      throw Status.UNAUTHENTICATED
+          .withDescription("backup auth credential presentation signature verification failed")
+          .asRuntimeException();
+    }
+    try {
+      presentation.verify(clock.instant(), serverSecretParams);
+    } catch (VerificationFailedException e) {
+      Metrics.counter(ZK_AUTHN_COUNTER_NAME,
+              SUCCESS_TAG_NAME, String.valueOf(false),
+              FAILURE_REASON_TAG_NAME, "presentation_verification")
+          .increment();
+      throw Status.UNAUTHENTICATED
+          .withDescription("backup auth credential presentation verification failed")
+          .withCause(e)
+          .asRuntimeException();
+    }
+
+    return BackupTier
+        .fromReceiptLevel(presentation.getReceiptLevel())
+        .orElseThrow(() -> {
+          Metrics.counter(ZK_AUTHN_COUNTER_NAME,
+                  SUCCESS_TAG_NAME, String.valueOf(false),
+                  FAILURE_REASON_TAG_NAME, "invalid_receipt_level")
+              .increment();
+          return Status.PERMISSION_DENIED.withDescription("invalid receipt level").asRuntimeException();
+        });
+  }
+
+  private static byte[] hashedBackupId(final AuthenticatedBackupUser backupId) {
+    return hashedBackupId(backupId.backupId());
+  }
+
+  private static byte[] hashedBackupId(final byte[] backupId) {
+    try {
+      return Arrays.copyOf(MessageDigest.getInstance("SHA-256").digest(backupId), 16);
+    } catch (NoSuchAlgorithmException e) {
+      throw new AssertionError(e);
+    }
+  }
+
+  private static String encodeForCdn(final byte[] bytes) {
+    return Base64.getUrlEncoder().encodeToString(bytes);
+  }
+}
--- a/service/src/main/java/org/whispersystems/textsecuregcm/backup/BackupTier.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/backup/BackupTier.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.backup;
+
+import java.util.Arrays;
+import java.util.Map;
+import java.util.Optional;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+
+public enum BackupTier {
+  NONE(0),
+  MESSAGES(10),
+  MEDIA(20);
+
+  private static Map<Long, BackupTier> LOOKUP = Arrays.stream(BackupTier.values())
+      .collect(Collectors.toMap(BackupTier::getReceiptLevel, Function.identity()));
+  private long receiptLevel;
+
+  private BackupTier(long receiptLevel) {
+    this.receiptLevel = receiptLevel;
+  }
+
+  long getReceiptLevel() {
+    return receiptLevel;
+  }
+
+  static Optional<BackupTier> fromReceiptLevel(long receiptLevel) {
+    return Optional.ofNullable(LOOKUP.get(receiptLevel));
+  }
+}
--- a/service/src/main/java/org/whispersystems/textsecuregcm/backup/MessageBackupUploadDescriptor.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/backup/MessageBackupUploadDescriptor.java
@@ -0,0 +1,14 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.backup;
+
+import java.util.Map;
+
+public record MessageBackupUploadDescriptor(
+    int cdn,
+    String key,
+    Map<String, String> headers,
+    String signedUploadLocation) {}
--- a/service/src/main/java/org/whispersystems/textsecuregcm/backup/TusBackupCredentialGenerator.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/backup/TusBackupCredentialGenerator.java
@@ -0,0 +1,79 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.backup;
+
+import org.apache.http.HttpHeaders;
+import org.whispersystems.textsecuregcm.attachments.TusConfiguration;
+import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentials;
+import org.whispersystems.textsecuregcm.auth.ExternalServiceCredentialsGenerator;
+import org.whispersystems.textsecuregcm.util.HeaderUtils;
+
+import java.nio.charset.StandardCharsets;
+import java.time.Clock;
+import java.util.Base64;
+import java.util.Map;
+
+public class TusBackupCredentialGenerator {
+
+  private static final int BACKUP_CDN = 3;
+
+  private static String READ_PERMISSION = "read";
+  private static String WRITE_PERMISSION = "write";
+  private static String CDN_PATH = "backups";
+  private static String PERMISSION_SEPARATOR = "$";
+
+  // Write entities will be of the form 'write$backups/<string>
+  private static final String WRITE_ENTITY_PREFIX = String.format("%s%s%s/", WRITE_PERMISSION, PERMISSION_SEPARATOR,
+      CDN_PATH);
+  // Read entities will be of the form 'read$backups/<string>
+  private static final String READ_ENTITY_PREFIX = String.format("%s%s%s/", READ_PERMISSION, PERMISSION_SEPARATOR,
+      CDN_PATH);
+
+  private final ExternalServiceCredentialsGenerator credentialsGenerator;
+  private final String tusUri;
+
+  public TusBackupCredentialGenerator(final TusConfiguration cfg) {
+    this.tusUri = cfg.uploadUri();
+    this.credentialsGenerator = credentialsGenerator(Clock.systemUTC(), cfg);
+  }
+
+  private static ExternalServiceCredentialsGenerator credentialsGenerator(final Clock clock,
+      final TusConfiguration cfg) {
+    return ExternalServiceCredentialsGenerator
+        .builder(cfg.userAuthenticationTokenSharedSecret())
+        .prependUsername(false)
+        .withClock(clock)
+        .build();
+  }
+
+  public MessageBackupUploadDescriptor generateUpload(final String hashedBackupId, final String objectName) {
+    if (hashedBackupId.isBlank() || objectName.isBlank()) {
+      throw new IllegalArgumentException("Upload descriptors must have non-empty keys");
+    }
+    final String key = "%s/%s".formatted(hashedBackupId, objectName);
+    final String entity = WRITE_ENTITY_PREFIX + key;
+    final ExternalServiceCredentials credentials = credentialsGenerator.generateFor(entity);
+    final String b64Key = Base64.getEncoder().encodeToString(key.getBytes(StandardCharsets.UTF_8));
+    final Map<String, String> headers = Map.of(
+        HttpHeaders.AUTHORIZATION, HeaderUtils.basicAuthHeader(credentials),
+        "Upload-Metadata", String.format("filename %s", b64Key));
+
+    return new MessageBackupUploadDescriptor(
+        BACKUP_CDN,
+        key,
+        headers,
+        tusUri + "/" + CDN_PATH);
+  }
+
+  public Map<String, String> readHeaders(final String hashedBackupId) {
+    if (hashedBackupId.isBlank()) {
+      throw new IllegalArgumentException("Backup subdir name must be non-empty");
+    }
+    final ExternalServiceCredentials credentials = credentialsGenerator.generateFor(
+        READ_ENTITY_PREFIX + hashedBackupId);
+    return Map.of(HttpHeaders.AUTHORIZATION, HeaderUtils.basicAuthHeader(credentials));
+  }
+}
--- a/service/src/main/java/org/whispersystems/textsecuregcm/captcha/Action.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/captcha/Action.java
@@ -0,0 +1,43 @@
+/*
+ * Copyright 2023 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.captcha;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import java.util.Arrays;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Optional;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+
+public enum Action {
+  CHALLENGE("challenge"),
+  REGISTRATION("registration");
+
+  private final String actionName;
+
+  Action(String actionName) {
+    this.actionName = actionName;
+  }
+
+  public String getActionName() {
+    return actionName;
+  }
+
+  private static final Map<String, Action> ENUM_MAP = Arrays
+      .stream(Action.values())
+      .collect(Collectors.toMap(
+          a -> a.actionName,
+          Function.identity()));
+  @JsonCreator
+  public static Action fromString(String key) {
+    return ENUM_MAP.get(key.toLowerCase(Locale.ROOT).strip());
+  }
+
+  static Optional<Action> parse(final String action) {
+    return Optional.ofNullable(fromString(action));
+  }
+}
--- a/service/src/main/java/org/whispersystems/textsecuregcm/captcha/AssessmentResult.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/captcha/AssessmentResult.java
@@ -0,0 +1,115 @@
+/*
+ * Copyright 2022 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.captcha;
+
+import java.util.Objects;
+import java.util.Optional;
+
+public class AssessmentResult {
+
+  private final boolean solved;
+  private final float actualScore;
+  private final float defaultScoreThreshold;
+  private final String scoreString;
+
+  /**
+   * A captcha assessment
+   *
+   * @param solved if false, the captcha was not successfully completed
+   * @param actualScore float representation of the risk level from [0, 1.0], with 1.0 being the least risky
+   * @param defaultScoreThreshold  the score threshold which the score will be evaluated against by default
+   * @param scoreString a quantized string representation of the risk level, suitable for use in metrics
+   */
+  private AssessmentResult(boolean solved, float actualScore, float defaultScoreThreshold, final String scoreString) {
+    this.solved = solved;
+    this.actualScore = actualScore;
+    this.defaultScoreThreshold = defaultScoreThreshold;
+    this.scoreString = scoreString;
+  }
+
+  /**
+   * Construct an {@link AssessmentResult} from a captcha evaluation score
+   *
+   * @param actualScore the score
+   * @param defaultScoreThreshold the threshold to compare the score against by default
+   */
+  public static AssessmentResult fromScore(float actualScore, float defaultScoreThreshold) {
+    if (actualScore < 0 || actualScore > 1.0 || defaultScoreThreshold < 0 || defaultScoreThreshold > 1.0) {
+      throw new IllegalArgumentException("invalid captcha score");
+    }
+    return new AssessmentResult(true, actualScore, defaultScoreThreshold, AssessmentResult.scoreString(actualScore));
+  }
+
+  /**
+   * Construct a captcha assessment that will always be invalid
+   */
+  public static AssessmentResult invalid() {
+    return new AssessmentResult(false, 0.0f, 0.0f, "");
+  }
+
+  /**
+   * Construct a captcha assessment that will always be valid
+   */
+  public static AssessmentResult alwaysValid() {
+    return new AssessmentResult(true, 1.0f, 0.0f, "1.0");
+  }
+
+  /**
+   * Check if the captcha assessment should be accepted using the default score threshold
+   *
+   * @return true if this assessment should be accepted under the default score threshold
+   */
+  public boolean isValid() {
+    return isValid(Optional.empty());
+  }
+
+  /**
+   * Check if the captcha assessment should be accepted
+   *
+   * @param scoreThreshold the minimum score the assessment requires to pass, uses default if empty
+   * @return true if the assessment scored higher than the provided scoreThreshold
+   */
+  public boolean isValid(Optional<Float> scoreThreshold) {
+    if (!solved) {
+      return false;
+    }
+    return this.actualScore >= scoreThreshold.orElse(this.defaultScoreThreshold);
+  }
+
+  public String getScoreString() {
+    return scoreString;
+  }
+
+  public float getScore() {
+    return this.actualScore;
+  }
+
+
+  /**
+   * Map a captcha score in [0.0, 1.0] to a low cardinality discrete space in [0, 100] suitable for use in metrics
+   */
+  private static String scoreString(final float score) {
+    final int x = Math.round(score * 10); // [0, 10]
+    return Integer.toString(x * 10); // [0, 100] in increments of 10
+  }
+
+  @Override
+  public boolean equals(final Object o) {
+    if (this == o)
+      return true;
+    if (o == null || getClass() != o.getClass())
+      return false;
+    AssessmentResult that = (AssessmentResult) o;
+    return solved == that.solved && Float.compare(that.actualScore, actualScore) == 0
+        && Float.compare(that.defaultScoreThreshold, defaultScoreThreshold) == 0 && Objects.equals(scoreString,
+        that.scoreString);
+  }
+
+  @Override
+  public int hashCode() {
+    return Objects.hash(solved, actualScore, defaultScoreThreshold, scoreString);
+  }
+}
--- a/service/src/main/java/org/whispersystems/textsecuregcm/captcha/CaptchaChecker.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/captcha/CaptchaChecker.java
@@ -0,0 +1,113 @@
+/*
+ * Copyright 2022 Signal Messenger, LLC
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+package org.whispersystems.textsecuregcm.captcha;
+
+import static org.whispersystems.textsecuregcm.metrics.MetricsUtil.name;
+
+import com.google.common.annotations.VisibleForTesting;
+import io.micrometer.core.instrument.Metrics;
+import java.io.IOException;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Set;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+import javax.ws.rs.BadRequestException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class CaptchaChecker {
+  private static final Logger logger = LoggerFactory.getLogger(CaptchaChecker.class);
+  private static final String INVALID_SITEKEY_COUNTER_NAME = name(CaptchaChecker.class, "invalidSiteKey");
+  private static final String ASSESSMENTS_COUNTER_NAME = name(RecaptchaClient.class, "assessments");
+  private static final String INVALID_ACTION_COUNTER_NAME = name(CaptchaChecker.class, "invalidActions");
+
+  @VisibleForTesting
+  static final String SEPARATOR = ".";
+
+  private static final String SHORT_SUFFIX = "-short";
+
+  private final ShortCodeExpander shortCodeExpander;
+  private final Map<String, CaptchaClient> captchaClientMap;
+
+  public CaptchaChecker(
+      final ShortCodeExpander shortCodeRetriever,
+      final List<CaptchaClient> captchaClients) {
+    this.shortCodeExpander = shortCodeRetriever;
+    this.captchaClientMap = captchaClients.stream()
+        .collect(Collectors.toMap(CaptchaClient::scheme, Function.identity()));
+  }
+
+
+  /**
+   * Check if a solved captcha should be accepted
+   *
+   * @param expectedAction the {@link Action} for which this captcha solution is intended
+   * @param input          expected to contain a prefix indicating the captcha scheme, sitekey, token, and action. The
+   *                       expected format is {@code version-prefix.sitekey.action.token}
+   * @param ip             IP of the solver
+   * @return An {@link AssessmentResult} indicating whether the solution should be accepted, and a score that can be
+   * used for metrics
+   * @throws IOException         if there is an error validating the captcha with the underlying service
+   * @throws BadRequestException if input is not in the expected format
+   */
+  public AssessmentResult verify(
+      final Action expectedAction,
+      final String input,
+      final String ip) throws IOException {
+    final String[] parts = input.split("\\" + SEPARATOR, 4);
+
+    // we allow missing actions, if we're missing 1 part, assume it's the action
+    if (parts.length < 4) {
+      throw new BadRequestException("too few parts");
+    }
+
+    final String prefix = parts[0];
+    final String siteKey = parts[1].toLowerCase(Locale.ROOT).strip();
+    final String action = parts[2];
+    String token = parts[3];
+
+    String provider = prefix;
+    if (prefix.endsWith(SHORT_SUFFIX)) {
+      // This is a "short" solution that points to the actual solution. We need to fetch the
+      // full solution before proceeding
+      provider = prefix.substring(0, prefix.length() - SHORT_SUFFIX.length());
+      token = shortCodeExpander.retrieve(token).orElseThrow(() -> new BadRequestException("invalid shortcode"));
+    }
+
+    final CaptchaClient client = this.captchaClientMap.get(provider);
+    if (client == null) {
+      throw new BadRequestException("invalid captcha scheme");
+    }
+
+    final Action parsedAction = Action.parse(action)
+        .orElseThrow(() -> {
+          Metrics.counter(INVALID_ACTION_COUNTER_NAME, "action", action).increment();
+          throw new BadRequestException("invalid captcha action");
+        });
+
+    if (!parsedAction.equals(expectedAction)) {
+      Metrics.counter(INVALID_ACTION_COUNTER_NAME, "action", action).increment();
+      throw new BadRequestException("invalid captcha action");
+    }
+
+    final Set<String> allowedSiteKeys = client.validSiteKeys(parsedAction);
+    if (!allowedSiteKeys.contains(siteKey)) {
+      logger.debug("invalid site-key {}, action={}, token={}", siteKey, action, token);
+      Metrics.counter(INVALID_SITEKEY_COUNTER_NAME, "action", action).increment();
+      throw new BadRequestException("invalid captcha site-key");
+    }
+
+    final AssessmentResult result = client.verify(siteKey, parsedAction, token, ip);
+    Metrics.counter(ASSESSMENTS_COUNTER_NAME,
+            "action", action,
+            "score", result.getScoreString(),
+            "provider", provider)
+        .increment();
+    return result;
+  }
+}
--- a/Show More
+++ b/Show More