From 60e7adbd2bf511f39c64f66c31a2b5a06feb9d8c Mon Sep 17 00:00:00 2001
From: Smart Mekiliuwa <st.nonso@gmail.com>
Date: Sat, 28 Feb 2026 01:26:50 +0100
Subject: [PATCH 1/4] fix(ui): use instance-level license features on
 login/signup

- Add setLicenses(instanceLevelOnly) and getLicenses(orgId?, instanceLevelOnly)
- Login and signup call setLicenses(true) so /license/features is called without orgID
- Stops wrong org-scoped request on public pages (e.g. stale CONVOY_ORG)
---
 .../src/app/public/login/login.component.ts      |  2 +-
 .../src/app/public/signup/signup.component.ts    |  2 +-
 .../app/services/licenses/licenses.service.ts    | 16 +++++++++-------
 3 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/web/ui/dashboard/src/app/public/login/login.component.ts b/web/ui/dashboard/src/app/public/login/login.component.ts
index 6e0a8affaa..914f52dad4 100644
--- a/web/ui/dashboard/src/app/public/login/login.component.ts
+++ b/web/ui/dashboard/src/app/public/login/login.component.ts
@@ -56,7 +56,7 @@ export class LoginComponent implements OnInit, AfterViewInit {
 	) {}
 
 	ngOnInit() {
-		this.licenseService.setLicenses();
+		this.licenseService.setLicenses(true);
 	}
 
 	async ngAfterViewInit() {
diff --git a/web/ui/dashboard/src/app/public/signup/signup.component.ts b/web/ui/dashboard/src/app/public/signup/signup.component.ts
index 97abf1a6b6..3bedf2efe8 100644
--- a/web/ui/dashboard/src/app/public/signup/signup.component.ts
+++ b/web/ui/dashboard/src/app/public/signup/signup.component.ts
@@ -45,7 +45,7 @@ export class SignupComponent implements OnInit {
 	) {}
 
 	ngOnInit(): void {
-		this.licenseService.setLicenses();
+		this.licenseService.setLicenses(true);
 		this.checkGoogleOAuthConfig();
 
 		if (!this.licenseService.hasLicense('user_limit')) this.router.navigateByUrl('/login');
diff --git a/web/ui/dashboard/src/app/services/licenses/licenses.service.ts b/web/ui/dashboard/src/app/services/licenses/licenses.service.ts
index 91a2860b03..7bd2447e75 100644
--- a/web/ui/dashboard/src/app/services/licenses/licenses.service.ts
+++ b/web/ui/dashboard/src/app/services/licenses/licenses.service.ts
@@ -8,12 +8,14 @@ import {HTTP_RESPONSE} from 'src/app/models/global.model';
 export class LicensesService {
 	constructor(private http: HttpService) {}
 
-	getLicenses(orgId?: string): Promise<HTTP_RESPONSE> {
+	getLicenses(orgId?: string, instanceLevelOnly = false): Promise<HTTP_RESPONSE> {
 		return new Promise(async (resolve, reject) => {
-			const fromStorage = this.http.getOrganisation();
-			const org = orgId ?? fromStorage?.uid;
 			const query: Record<string, string> = {};
-			if (org) query['orgID'] = org;
+			if (!instanceLevelOnly) {
+				const fromStorage = this.http.getOrganisation();
+				const org = orgId ?? fromStorage?.uid;
+				if (org) query['orgID'] = org;
+			}
 			const queryUndefined = Object.keys(query).length === 0 ? undefined : query;
 			try {
 				const response = await this.http.request({
@@ -28,10 +30,10 @@ export class LicensesService {
 		});
 	}
 
-
-	async setLicenses() {
+	/** Call from login/signup (public pages) so the request uses instance-level only (no orgID). */
+	async setLicenses(instanceLevelOnly = false) {
 		try {
-			const response = await this.getLicenses();
+			const response = await this.getLicenses(undefined, instanceLevelOnly);
 			localStorage.setItem('licenses', JSON.stringify(response.data));
 		} catch {}
 	}

From ab2be7af6950616d9d12e0f44c1f079a8723d2cc Mon Sep 17 00:00:00 2001
From: Smart Mekiliuwa <st.nonso@gmail.com>
Date: Sat, 28 Feb 2026 08:06:48 +0100
Subject: [PATCH 2/4] fix: guard subscription source_metadata.verifier in
 template

---
 .../project/subscriptions/subscriptions.component.html      | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/web/ui/dashboard/src/app/private/pages/project/subscriptions/subscriptions.component.html b/web/ui/dashboard/src/app/private/pages/project/subscriptions/subscriptions.component.html
index cf1a2d41d3..3164410c1d 100644
--- a/web/ui/dashboard/src/app/private/pages/project/subscriptions/subscriptions.component.html
+++ b/web/ui/dashboard/src/app/private/pages/project/subscriptions/subscriptions.component.html
@@ -86,9 +86,9 @@ <h1 class="text-18 font-bold text-neutral-12 mb-24px">Subscriptions</h1>
 					<div class="w-280px truncate pl-16px" *ngIf="privateService.getProjectDetails?.type === 'outgoing'">{{ subscription.name }}</div>
 					<div class="flex items-center pl-16px min-w-[370px]" *ngIf="privateService.getProjectDetails?.type === 'incoming'">
 						<div class="flex items-center">
-							<span class="max-w-[150px] truncate">{{ subscription.source_metadata.name }}</span>
-							<div convoy-tag *ngIf="subscription.source_metadata.verifier.type !== 'noop'" class="flex items-center ml-8px bg-neutral-4 !py-2px !px-8px text-10">
-								{{ subscription.source_metadata.provider || (subscription.source_metadata.verifier.type | sourceValue : 'verifier') }}
+							<span class="max-w-[150px] truncate">{{ subscription.source_metadata?.name }}</span>
+							<div convoy-tag *ngIf="subscription.source_metadata?.verifier?.type !== 'noop'" class="flex items-center ml-8px bg-neutral-4 !py-2px !px-8px text-10">
+								{{ subscription.source_metadata?.provider || ((subscription.source_metadata?.verifier?.type ?? '') | sourceValue : 'verifier') }}
 							</div>
 						</div>
 

From 511c9480c01b1aacb3bc9859d87e68e9f9e37ce2 Mon Sep 17 00:00:00 2001
From: Smart Mekiliuwa <st.nonso@gmail.com>
Date: Sat, 28 Feb 2026 10:39:36 +0100
Subject: [PATCH 3/4] feat: workspace slug SSO flow, auth config
 slug/billing_enabled, billing GetWorkspaceConfigBySlug

- Add services/workspace_slug.go: resolve by slug via billing workspace_config
- InitSSO: use slug to get license_key + external_id, local orgRepo/orgMemberRepo, clear errors
- GetAuthConfiguration: expose billing_enabled and slug for dashboard
- Billing client: GetWorkspaceConfigBySlug, WorkspaceConfigData; mock implements it for tests
- Login UI: slug input, Continue flow, validation, API error message, button styling
- config.service: optional slug param; source.go: guard subscription source_metadata
---
 api/handlers/auth.go                          | 44 ++++++++-
 api/handlers/configuration.go                 | 28 +++++-
 api/handlers/source.go                        |  3 +
 internal/pkg/billing/client.go                | 10 ++
 internal/pkg/billing/mock.go                  | 11 +++
 internal/pkg/billing/models.go                |  7 ++
 services/workspace_slug.go                    | 95 +++++++++++++++++++
 .../src/app/public/login/login.component.html | 16 +++-
 .../src/app/public/login/login.component.ts   | 35 +++++--
 .../src/app/public/login/login.service.ts     |  6 +-
 .../src/app/services/config/config.service.ts | 32 ++++---
 11 files changed, 260 insertions(+), 27 deletions(-)
 create mode 100644 services/workspace_slug.go

diff --git a/api/handlers/auth.go b/api/handlers/auth.go
index af2ddd2db5..cd427b19dd 100644
--- a/api/handlers/auth.go
+++ b/api/handlers/auth.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"net/http"
 	"strings"
 	"time"
@@ -25,24 +26,65 @@ import (
 
 func (h *Handler) InitSSO(w http.ResponseWriter, r *http.Request) {
 	configuration := h.A.Cfg
+	billingEnabled := configuration.Billing.Enabled && h.A.BillingClient != nil
+	slug := strings.TrimSpace(r.URL.Query().Get("slug"))
+
+	fmt.Printf("[InitSSO] billingEnabled=%v slug=%q\n", billingEnabled, slug)
+
+	licenseKey := configuration.LicenseKey
+	if billingEnabled && slug != "" {
+		fmt.Printf("[InitSSO] resolving workspace by slug\n")
+		orgRepo := organisations.New(h.A.Logger, h.A.DB)
+		orgMemberRepo := organisation_members.New(h.A.Logger, h.A.DB)
+		result, err := services.ResolveWorkspaceBySlug(r.Context(), slug, services.ResolveWorkspaceBySlugDeps{
+			BillingClient: h.A.BillingClient,
+			OrgRepo:       orgRepo,
+			Logger:        h.A.Logger,
+			Cfg:           configuration,
+			RefreshDeps: services.RefreshLicenseDataDeps{
+				OrgMemberRepo: orgMemberRepo,
+				OrgRepo:       orgRepo,
+				BillingClient: h.A.BillingClient,
+				Logger:        h.A.Logger,
+				Cfg:           configuration,
+			},
+		})
+		if err != nil {
+			fmt.Printf("[InitSSO] workspace resolve failed: %v\n", err)
+			h.A.Logger.WithError(err).WithField("slug", slug).Debug("InitSSO: workspace resolve failed")
+			_ = render.Render(w, r, util.NewErrorResponse("Workspace not found", http.StatusBadRequest))
+			return
+		}
+		fmt.Printf("[InitSSO] resolved externalID=%s SSOAvailable=%v\n", result.ExternalID, result.SSOAvailable)
+		if !result.SSOAvailable {
+			fmt.Printf("[InitSSO] SSO not available for workspace\n")
+			_ = render.Render(w, r, util.NewErrorResponse("SSO is not available for this workspace", http.StatusBadRequest))
+			return
+		}
+		licenseKey = result.LicenseKey
+	}
+
+	fmt.Printf("[InitSSO] running LoginUserSSOService\n")
 	lu := services.LoginUserSSOService{
 		UserRepo:      users.New(h.A.Logger, h.A.DB),
 		OrgRepo:       organisations.New(h.A.Logger, h.A.DB),
 		OrgMemberRepo: organisation_members.New(h.A.Logger, h.A.DB),
 		JWT:           jwt.NewJwt(&configuration.Auth.Jwt, h.A.Cache),
 		ConfigRepo:    h.A.ConfigRepo,
-		LicenseKey:    configuration.LicenseKey,
+		LicenseKey:    licenseKey,
 		Host:          configuration.Host,
 		Licenser:      h.A.Licenser,
 	}
 
 	resp, err := lu.Run()
 	if err != nil {
+		fmt.Printf("[InitSSO] LoginUserSSOService.Run failed: %v\n", err)
 		h.A.Logger.WithError(err).Errorf("SSO initialization failed: %v", err)
 		_ = render.Render(w, r, util.NewErrorResponse("Authentication failed", http.StatusForbidden))
 		return
 	}
 
+	fmt.Printf("[InitSSO] success redirect\n")
 	_ = render.Render(w, r, util.NewServerResponse("Get Redirect successful", resp, http.StatusOK))
 }
 
diff --git a/api/handlers/configuration.go b/api/handlers/configuration.go
index 5fbfe2cf4d..64b1c3a797 100644
--- a/api/handlers/configuration.go
+++ b/api/handlers/configuration.go
@@ -3,6 +3,7 @@ package handlers
 import (
 	"errors"
 	"net/http"
+	"strings"
 
 	"github.com/go-chi/render"
 
@@ -116,7 +117,32 @@ func (h *Handler) GetAuthConfiguration(w http.ResponseWriter, r *http.Request) {
 		_ = render.Render(w, r, util.NewErrorResponse("failed to load configuration", http.StatusBadRequest))
 		return
 	}
+	billingEnabled := cfg.Billing.Enabled && h.A.BillingClient != nil
+	slug := strings.TrimSpace(r.URL.Query().Get("slug"))
+
+	ssoEnabled := h.A.Licenser.EnterpriseSSO()
+	if billingEnabled && slug != "" {
+		result, err := services.ResolveWorkspaceBySlug(r.Context(), slug, services.ResolveWorkspaceBySlugDeps{
+			BillingClient: h.A.BillingClient,
+			OrgRepo:       h.A.OrgRepo,
+			Logger:        h.A.Logger,
+			Cfg:           cfg,
+			RefreshDeps: services.RefreshLicenseDataDeps{
+				OrgMemberRepo: h.A.OrgMemberRepo,
+				OrgRepo:       h.A.OrgRepo,
+				BillingClient: h.A.BillingClient,
+				Logger:        h.A.Logger,
+				Cfg:           cfg,
+			},
+		})
+		if err == nil {
+			ssoEnabled = result.SSOAvailable
+		}
+		// On error (workspace not found, etc.), keep ssoEnabled as instance default or false
+	}
+
 	authConfig := map[string]interface{}{
+		"billing_enabled":   billingEnabled,
 		"is_signup_enabled": cfg.Auth.IsSignupEnabled,
 		"google_oauth": map[string]interface{}{
 			"enabled":      cfg.Auth.GoogleOAuth.Enabled && h.A.Licenser.GoogleOAuth(),
@@ -124,7 +150,7 @@ func (h *Handler) GetAuthConfiguration(w http.ResponseWriter, r *http.Request) {
 			"redirect_url": cfg.Auth.GoogleOAuth.RedirectURL,
 		},
 		"sso": map[string]interface{}{
-			"enabled":      h.A.Licenser.EnterpriseSSO(),
+			"enabled":      ssoEnabled,
 			"redirect_url": cfg.Auth.SSO.RedirectURL,
 		},
 	}
diff --git a/api/handlers/source.go b/api/handlers/source.go
index 6dc495989b..430165178a 100644
--- a/api/handlers/source.go
+++ b/api/handlers/source.go
@@ -317,6 +317,9 @@ func (h *Handler) LoadSourcesPaged(w http.ResponseWriter, r *http.Request) {
 }
 
 func fillSourceURL(s *datastore.Source, baseUrl, customDomain string) {
+	if s == nil {
+		return
+	}
 	url := baseUrl
 	if len(customDomain) > 0 {
 		url = customDomain
diff --git a/internal/pkg/billing/client.go b/internal/pkg/billing/client.go
index 0368a69ca3..5438bff327 100644
--- a/internal/pkg/billing/client.go
+++ b/internal/pkg/billing/client.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/url"
 	"strings"
 	"time"
 
@@ -24,6 +25,7 @@ type Client interface {
 	CreateOrganisation(ctx context.Context, orgData BillingOrganisation) (*Response[BillingOrganisation], error)
 	GetOrganisationLicense(ctx context.Context, orgID string) (*Response[OrganisationLicense], error)
 	GetOrganisation(ctx context.Context, orgID string) (*Response[BillingOrganisation], error)
+	GetWorkspaceConfigBySlug(ctx context.Context, slug string) (*Response[WorkspaceConfigData], error)
 	UpdateOrganisation(ctx context.Context, orgID string, orgData BillingOrganisation) (*Response[BillingOrganisation], error)
 	UpdateOrganisationTaxID(ctx context.Context, orgID string, taxData UpdateOrganisationTaxIDRequest) (*Response[BillingOrganisation], error)
 	UpdateOrganisationAddress(ctx context.Context, orgID string, addressData UpdateOrganisationAddressRequest) (*Response[BillingOrganisation], error)
@@ -157,6 +159,14 @@ func (c *HTTPClient) GetOrganisation(ctx context.Context, orgID string) (*Respon
 	return makeRequest[BillingOrganisation](ctx, c.httpClient, c.config, "GET", fmt.Sprintf("/organisations/%s", orgID), nil)
 }
 
+func (c *HTTPClient) GetWorkspaceConfigBySlug(ctx context.Context, slug string) (*Response[WorkspaceConfigData], error) {
+	if slug == "" {
+		return nil, fmt.Errorf("slug is required")
+	}
+	path := fmt.Sprintf("/api/v1/workspace_config?slug=%s", strings.ReplaceAll(url.QueryEscape(slug), "+", "%20"))
+	return makeRequest[WorkspaceConfigData](ctx, c.httpClient, c.config, "GET", path, nil)
+}
+
 func (c *HTTPClient) UpdateOrganisation(ctx context.Context, orgID string, orgData BillingOrganisation) (*Response[BillingOrganisation], error) {
 	return makeRequest[BillingOrganisation](ctx, c.httpClient, c.config, "PUT", fmt.Sprintf("/organisations/%s", orgID), orgData)
 }
diff --git a/internal/pkg/billing/mock.go b/internal/pkg/billing/mock.go
index f5928de284..2ded1677aa 100644
--- a/internal/pkg/billing/mock.go
+++ b/internal/pkg/billing/mock.go
@@ -155,6 +155,17 @@ func (m *MockBillingClient) GetOrganisationLicense(ctx context.Context, orgID st
 	}, nil
 }
 
+func (m *MockBillingClient) GetWorkspaceConfigBySlug(ctx context.Context, slug string) (*Response[WorkspaceConfigData], error) {
+	if slug == "" {
+		return nil, &Error{Message: "slug is required"}
+	}
+	return &Response[WorkspaceConfigData]{
+		Status:  true,
+		Message: "OK",
+		Data:    WorkspaceConfigData{ExternalID: slug, SSOAvailable: false},
+	}, nil
+}
+
 func (m *MockBillingClient) UpdateOrganisation(ctx context.Context, orgID string, orgData BillingOrganisation) (*Response[BillingOrganisation], error) {
 	if orgID == "" || orgData.Name == "" {
 		return nil, &Error{Message: "invalid organisation update"}
diff --git a/internal/pkg/billing/models.go b/internal/pkg/billing/models.go
index c47dce2123..764dd1c7f5 100644
--- a/internal/pkg/billing/models.go
+++ b/internal/pkg/billing/models.go
@@ -1,5 +1,12 @@
 package billing
 
+// WorkspaceConfigData is the response from Overwatch GET /api/v1/workspace_config?slug=...
+type WorkspaceConfigData struct {
+	ExternalID   string `json:"external_id"`
+	LicenseKey   string `json:"license_key"`
+	SSOAvailable bool   `json:"sso_available"`
+}
+
 type BillingOrganisation struct {
 	ID             string `json:"id,omitempty"`
 	Name           string `json:"name,omitempty"`
diff --git a/services/workspace_slug.go b/services/workspace_slug.go
new file mode 100644
index 0000000000..c9faaa6367
--- /dev/null
+++ b/services/workspace_slug.go
@@ -0,0 +1,95 @@
+package services
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/frain-dev/convoy/config"
+	"github.com/frain-dev/convoy/datastore"
+	"github.com/frain-dev/convoy/internal/pkg/billing"
+	licensesvc "github.com/frain-dev/convoy/internal/pkg/license/service"
+	"github.com/frain-dev/convoy/pkg/log"
+)
+
+// ResolveWorkspaceBySlugDeps holds dependencies for resolving workspace by slug and syncing Convoy org.
+type ResolveWorkspaceBySlugDeps struct {
+	BillingClient billing.Client
+	OrgRepo       datastore.OrganisationRepository
+	Logger        log.StdLogger
+	Cfg           config.Configuration
+	// RefreshDeps is used to call RefreshLicenseDataForOrg; can reuse same deps as auth handlers.
+	RefreshDeps RefreshLicenseDataDeps
+}
+
+// ResolveWorkspaceBySlugResult is the result of resolving a workspace by slug from Overwatch and syncing Convoy.
+type ResolveWorkspaceBySlugResult struct {
+	ExternalID   string
+	LicenseKey   string
+	SSOAvailable bool
+	Org          *datastore.Organisation
+}
+
+// ResolveWorkspaceBySlug calls Overwatch workspace_config by slug, then loads Convoy org by external_id (UID),
+// refreshes license_data for that org, and returns the OW payload plus the reloaded org.
+// Returns error if slug is empty, OW returns error/404, or Convoy org not found.
+func ResolveWorkspaceBySlug(ctx context.Context, slug string, deps ResolveWorkspaceBySlugDeps) (*ResolveWorkspaceBySlugResult, error) {
+	if slug == "" {
+		return nil, errors.New("slug is required")
+	}
+	if deps.BillingClient == nil {
+		return nil, errors.New("billing client is required")
+	}
+	if deps.OrgRepo == nil {
+		return nil, errors.New("org repo is required")
+	}
+
+	reqCtx, cancel := context.WithTimeout(ctx, 15*time.Second)
+	defer cancel()
+
+	resp, err := deps.BillingClient.GetWorkspaceConfigBySlug(reqCtx, slug)
+	if err != nil {
+		if deps.Logger != nil {
+			deps.Logger.WithError(err).WithField("slug", slug).Debug("workspace_config by slug failed")
+		}
+		return nil, fmt.Errorf("workspace not found: %w", err)
+	}
+	if !resp.Status {
+		return nil, errors.New("workspace not found")
+	}
+	if resp.Data.ExternalID == "" {
+		return nil, errors.New("workspace config missing external_id: ensure the organisation in Overwatch has external_id set to the Convoy organisation UID")
+	}
+
+	org, err := deps.OrgRepo.FetchOrganisationByID(ctx, resp.Data.ExternalID)
+	if err != nil {
+		return nil, fmt.Errorf("organisation not found for workspace: %w", err)
+	}
+
+	// Refresh Convoy org license_data so local state stays in sync.
+	defaultKey := deps.Cfg.LicenseKey
+	billingEnabled := deps.Cfg.Billing.Enabled && deps.RefreshDeps.BillingClient != nil
+	licClient := licensesvc.NewClient(licensesvc.Config{
+		Host:         deps.Cfg.LicenseService.Host,
+		ValidatePath: deps.Cfg.LicenseService.ValidatePath,
+		Timeout:      deps.Cfg.LicenseService.Timeout,
+		RetryCount:   deps.Cfg.LicenseService.RetryCount,
+		Logger:       deps.Logger,
+	})
+	RefreshLicenseDataForOrg(ctx, *org, defaultKey, billingEnabled, deps.RefreshDeps, licClient)
+
+	// Re-load org after refresh.
+	org, err = deps.OrgRepo.FetchOrganisationByID(ctx, resp.Data.ExternalID)
+	if err != nil {
+		// Return the result we have; refresh may have updated anyway.
+		org = nil
+	}
+
+	return &ResolveWorkspaceBySlugResult{
+		ExternalID:   resp.Data.ExternalID,
+		LicenseKey:   resp.Data.LicenseKey,
+		SSOAvailable: resp.Data.SSOAvailable,
+		Org:          org,
+	}, nil
+}
diff --git a/web/ui/dashboard/src/app/public/login/login.component.html b/web/ui/dashboard/src/app/public/login/login.component.html
index 344a286ef9..cbd7bb6d69 100644
--- a/web/ui/dashboard/src/app/public/login/login.component.html
+++ b/web/ui/dashboard/src/app/public/login/login.component.html
@@ -29,7 +29,21 @@
 				<img *ngIf="disableLoginBtn" src="assets/img/button-loader.gif" alt="loader" class="h-18px" />
 			</button>
 
-			<button *ngIf="isSSOEnabled" convoy-button size="sm" type="button" fill="text" class="w-full" (click)="loginWithSSO()">Login with SSO</button>
+			<ng-container *ngIf="billingEnabled && !showSlugInput">
+				<button convoy-button size="sm" type="button" fill="text" class="w-full mt-12px" (click)="showSlugInput = true">Login with SSO</button>
+			</ng-container>
+			<ng-container *ngIf="billingEnabled && showSlugInput">
+				<div convoy-input-field class="mt-12px">
+					<label for="workspace-slug" convoy-label>Workspace slug</label>
+					<input type="text" id="workspace-slug" convoy-input autocomplete="off" [(ngModel)]="workspaceSlug" (ngModelChange)="showSlugError = false" placeholder="e.g. my-team" [ngModelOptions]="{standalone: true}" />
+					<convoy-input-error *ngIf="showSlugError && !workspaceSlug?.trim()">Please enter your workspace slug</convoy-input-error>
+				</div>
+				<button convoy-button size="sm" type="button" fill="text" class="w-full mt-12px disabled:!opacity-100" (click)="loginWithSSO()" [disabled]="isSubmittingSSO">
+					<ng-container *ngIf="!isSubmittingSSO">Continue with SAML SSO</ng-container>
+					<ng-container *ngIf="isSubmittingSSO">Redirecting…</ng-container>
+				</button>
+			</ng-container>
+			<button *ngIf="!billingEnabled && isSSOEnabled" convoy-button size="sm" type="button" fill="text" class="w-full mt-12px" (click)="loginWithSSO()">Login with SSO</button>
 
 			<button *ngIf="isGoogleOAuthEnabled" convoy-button size="sm" type="button" fill="text" class="w-full mt-12px" (click)="loginWithGoogle()" [disabled]="isGoogleSigningIn">
 				<img *ngIf="!isGoogleSigningIn" src="/assets/img/svg/google.svg" alt="Google icon" class="w-16px h-16px inline mr-8px" />
diff --git a/web/ui/dashboard/src/app/public/login/login.component.ts b/web/ui/dashboard/src/app/public/login/login.component.ts
index 914f52dad4..c39eac109c 100644
--- a/web/ui/dashboard/src/app/public/login/login.component.ts
+++ b/web/ui/dashboard/src/app/public/login/login.component.ts
@@ -1,6 +1,6 @@
 import {CommonModule} from '@angular/common';
 import {AfterViewInit, Component, OnInit} from '@angular/core';
-import {FormBuilder, FormGroup, ReactiveFormsModule, Validators} from '@angular/forms';
+import {FormBuilder, FormGroup, FormsModule, ReactiveFormsModule, Validators} from '@angular/forms';
 import {Router} from '@angular/router';
 import {ButtonComponent} from 'src/app/components/button/button.component';
 import {
@@ -23,7 +23,7 @@ import {GeneralService} from 'src/app/services/general/general.service';
 @Component({
 	selector: 'app-login',
 	standalone: true,
-	imports: [CommonModule, ReactiveFormsModule, ButtonComponent, InputFieldDirective, InputDirective, LabelComponent, InputErrorComponent, PasswordInputFieldComponent, LoaderModule],
+	imports: [CommonModule, FormsModule, ReactiveFormsModule, ButtonComponent, InputFieldDirective, InputDirective, LabelComponent, InputErrorComponent, PasswordInputFieldComponent, LoaderModule],
 	templateUrl: './login.component.html',
 	styleUrls: ['./login.component.scss']
 })
@@ -42,6 +42,11 @@ export class LoginComponent implements OnInit, AfterViewInit {
 	isSSOEnabled = false;
 	googleClientId = '';
 	organisations?: ORGANIZATION_DATA[];
+	billingEnabled = false;
+	showSlugInput = false;
+	workspaceSlug = '';
+	isSubmittingSSO = false;
+	showSlugError = false;
 
 	constructor(
 		private formBuilder: FormBuilder,
@@ -63,13 +68,14 @@ export class LoginComponent implements OnInit, AfterViewInit {
 
 		try {
 			const config = await this.configService.getConfig();
+			this.billingEnabled = config.billing_enabled ?? false;
 			this.isGoogleOAuthEnabled = config.auth?.google_oauth?.enabled || false;
 			this.isSSOEnabled = config.auth?.sso?.enabled || false;
 			this.googleClientId = config.auth?.google_oauth?.client_id || '';
 			this.isSignupEnabled = config.auth?.is_signup_enabled || false;
-
 		} catch (error) {
 			console.error('Failed to get config:', error);
+			this.billingEnabled = false;
 			this.isGoogleOAuthEnabled = false;
 			this.isSSOEnabled = false;
 			this.googleClientId = '';
@@ -180,26 +186,35 @@ export class LoginComponent implements OnInit, AfterViewInit {
 
 	async loginWithSSO() {
 		localStorage.setItem('AUTH_TYPE', 'login');
+		const slug = this.billingEnabled ? this.workspaceSlug?.trim() : undefined;
 
+		if (this.billingEnabled && !slug) {
+			this.showSlugError = true;
+			setTimeout(() => document.getElementById('workspace-slug')?.focus(), 0);
+			return;
+		}
+		this.showSlugError = false;
+
+		this.isSubmittingSSO = true;
 		try {
-			const res = await this.loginService.loginWithSaml();
+			const res = await this.loginService.loginWithSaml(slug);
 
 			const { redirectUrl } = res.data;
 			window.open(redirectUrl);
 		} catch (error: any) {
 			console.error('SAML login failed:', error);
 
-			let errorMessage = 'SAML login failed';
-			if (error?.message) {
-				errorMessage = error.message;
-			} else if (error?.error?.message) {
-				errorMessage = error.error.message;
-			}
+			const errorMessage =
+				typeof error === 'string'
+					? error
+					: error?.message ?? error?.error?.message ?? 'SAML login failed';
 
 			this.generalService.showNotification({
 				message: errorMessage,
 				style: 'error'
 			});
+		} finally {
+			this.isSubmittingSSO = false;
 		}
 	}
 
diff --git a/web/ui/dashboard/src/app/public/login/login.service.ts b/web/ui/dashboard/src/app/public/login/login.service.ts
index 44ad5d4c7c..229ac4e154 100644
--- a/web/ui/dashboard/src/app/public/login/login.service.ts
+++ b/web/ui/dashboard/src/app/public/login/login.service.ts
@@ -23,12 +23,14 @@ export class LoginService {
 		});
 	}
 
-	loginWithSaml(): Promise<HTTP_RESPONSE> {
+	loginWithSaml(slug?: string): Promise<HTTP_RESPONSE> {
 		return new Promise(async (resolve, reject) => {
 			try {
+				const query = slug?.trim() ? { slug: slug.trim() } : {};
 				const response = await this.http.request({
 					url: '/auth/sso',
-					method: 'get'
+					method: 'get',
+					query
 				});
 				return resolve(response);
 			} catch (error) {
diff --git a/web/ui/dashboard/src/app/services/config/config.service.ts b/web/ui/dashboard/src/app/services/config/config.service.ts
index 73d2f65642..0b2d18d84f 100644
--- a/web/ui/dashboard/src/app/services/config/config.service.ts
+++ b/web/ui/dashboard/src/app/services/config/config.service.ts
@@ -14,6 +14,7 @@ export interface AppConfig {
     is_signup_enabled?: boolean;
     [key: string]: any;
   };
+  billing_enabled?: boolean;
   [key: string]: any;
 }
 
@@ -25,20 +26,27 @@ export class ConfigService {
 
   constructor(private http: HttpService) {}
 
-  async getConfig(): Promise<AppConfig> {
-    if (this.config) {
-      return this.config;
+  /**
+   * Fetches auth configuration. When slug is provided (cloud billing), requests config for that workspace
+   * and returns sso.enabled for that org; does not use cache so each slug lookup is fresh.
+   */
+  async getConfig(slug?: string): Promise<AppConfig> {
+    const useCache = !slug && this.config;
+    if (useCache) {
+      return this.config as AppConfig;
     }
 
     try {
-
+      const query = slug ? { slug: slug.trim() } : {};
       const response = await this.http.request({
         url: '/configuration/auth',
-        method: 'get'
+        method: 'get',
+        query
       });
 
       if (response.data) {
-        this.config = {
+        const config = {
+          billing_enabled: response.data.billing_enabled,
           auth: {
             google_oauth: {
               enabled: response.data.google_oauth?.enabled || false,
@@ -52,16 +60,16 @@ export class ConfigService {
             is_signup_enabled: response.data.is_signup_enabled || false
           }
         } as AppConfig;
+        if (!slug) {
+          this.config = config;
+        }
+        return config;
       } else {
-
-        this.config = this.getDefaultConfig();
+        throw new Error('No config data in response');
       }
-      return this.config;
     } catch (error) {
       console.error('Failed to fetch config:', error);
-
-      this.config = this.getDefaultConfig();
-      return this.config;
+      throw error;
     }
   }
 

From 677bc2575bcee8e24b1e6496c4c75206dbadf8d8 Mon Sep 17 00:00:00 2001
From: Smart Mekiliuwa <st.nonso@gmail.com>
Date: Sat, 28 Feb 2026 10:47:49 +0100
Subject: [PATCH 4/4] chore: remove InitSSO debug logs and trim verbose
 comments

- Remove fmt.Printf debug logs from InitSSO (auth.go)
- Remove or shorten comments in configuration.go, workspace_slug.go, billing models
---
 api/handlers/auth.go           | 10 ----------
 api/handlers/configuration.go  |  1 -
 internal/pkg/billing/models.go |  2 +-
 services/workspace_slug.go     | 16 +++++-----------
 4 files changed, 6 insertions(+), 23 deletions(-)

diff --git a/api/handlers/auth.go b/api/handlers/auth.go
index cd427b19dd..ba86142f3a 100644
--- a/api/handlers/auth.go
+++ b/api/handlers/auth.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
-	"fmt"
 	"net/http"
 	"strings"
 	"time"
@@ -29,11 +28,8 @@ func (h *Handler) InitSSO(w http.ResponseWriter, r *http.Request) {
 	billingEnabled := configuration.Billing.Enabled && h.A.BillingClient != nil
 	slug := strings.TrimSpace(r.URL.Query().Get("slug"))
 
-	fmt.Printf("[InitSSO] billingEnabled=%v slug=%q\n", billingEnabled, slug)
-
 	licenseKey := configuration.LicenseKey
 	if billingEnabled && slug != "" {
-		fmt.Printf("[InitSSO] resolving workspace by slug\n")
 		orgRepo := organisations.New(h.A.Logger, h.A.DB)
 		orgMemberRepo := organisation_members.New(h.A.Logger, h.A.DB)
 		result, err := services.ResolveWorkspaceBySlug(r.Context(), slug, services.ResolveWorkspaceBySlugDeps{
@@ -50,21 +46,17 @@ func (h *Handler) InitSSO(w http.ResponseWriter, r *http.Request) {
 			},
 		})
 		if err != nil {
-			fmt.Printf("[InitSSO] workspace resolve failed: %v\n", err)
 			h.A.Logger.WithError(err).WithField("slug", slug).Debug("InitSSO: workspace resolve failed")
 			_ = render.Render(w, r, util.NewErrorResponse("Workspace not found", http.StatusBadRequest))
 			return
 		}
-		fmt.Printf("[InitSSO] resolved externalID=%s SSOAvailable=%v\n", result.ExternalID, result.SSOAvailable)
 		if !result.SSOAvailable {
-			fmt.Printf("[InitSSO] SSO not available for workspace\n")
 			_ = render.Render(w, r, util.NewErrorResponse("SSO is not available for this workspace", http.StatusBadRequest))
 			return
 		}
 		licenseKey = result.LicenseKey
 	}
 
-	fmt.Printf("[InitSSO] running LoginUserSSOService\n")
 	lu := services.LoginUserSSOService{
 		UserRepo:      users.New(h.A.Logger, h.A.DB),
 		OrgRepo:       organisations.New(h.A.Logger, h.A.DB),
@@ -78,13 +70,11 @@ func (h *Handler) InitSSO(w http.ResponseWriter, r *http.Request) {
 
 	resp, err := lu.Run()
 	if err != nil {
-		fmt.Printf("[InitSSO] LoginUserSSOService.Run failed: %v\n", err)
 		h.A.Logger.WithError(err).Errorf("SSO initialization failed: %v", err)
 		_ = render.Render(w, r, util.NewErrorResponse("Authentication failed", http.StatusForbidden))
 		return
 	}
 
-	fmt.Printf("[InitSSO] success redirect\n")
 	_ = render.Render(w, r, util.NewServerResponse("Get Redirect successful", resp, http.StatusOK))
 }
 
diff --git a/api/handlers/configuration.go b/api/handlers/configuration.go
index 64b1c3a797..22357e3d45 100644
--- a/api/handlers/configuration.go
+++ b/api/handlers/configuration.go
@@ -138,7 +138,6 @@ func (h *Handler) GetAuthConfiguration(w http.ResponseWriter, r *http.Request) {
 		if err == nil {
 			ssoEnabled = result.SSOAvailable
 		}
-		// On error (workspace not found, etc.), keep ssoEnabled as instance default or false
 	}
 
 	authConfig := map[string]interface{}{
diff --git a/internal/pkg/billing/models.go b/internal/pkg/billing/models.go
index 764dd1c7f5..700bf33e38 100644
--- a/internal/pkg/billing/models.go
+++ b/internal/pkg/billing/models.go
@@ -1,6 +1,6 @@
 package billing
 
-// WorkspaceConfigData is the response from Overwatch GET /api/v1/workspace_config?slug=...
+// WorkspaceConfigData is the workspace_config API response.
 type WorkspaceConfigData struct {
 	ExternalID   string `json:"external_id"`
 	LicenseKey   string `json:"license_key"`
diff --git a/services/workspace_slug.go b/services/workspace_slug.go
index c9faaa6367..345a0809f2 100644
--- a/services/workspace_slug.go
+++ b/services/workspace_slug.go
@@ -13,17 +13,16 @@ import (
 	"github.com/frain-dev/convoy/pkg/log"
 )
 
-// ResolveWorkspaceBySlugDeps holds dependencies for resolving workspace by slug and syncing Convoy org.
+// ResolveWorkspaceBySlugDeps holds dependencies for ResolveWorkspaceBySlug.
 type ResolveWorkspaceBySlugDeps struct {
 	BillingClient billing.Client
 	OrgRepo       datastore.OrganisationRepository
 	Logger        log.StdLogger
 	Cfg           config.Configuration
-	// RefreshDeps is used to call RefreshLicenseDataForOrg; can reuse same deps as auth handlers.
-	RefreshDeps RefreshLicenseDataDeps
+	RefreshDeps   RefreshLicenseDataDeps
 }
 
-// ResolveWorkspaceBySlugResult is the result of resolving a workspace by slug from Overwatch and syncing Convoy.
+// ResolveWorkspaceBySlugResult is the result of ResolveWorkspaceBySlug.
 type ResolveWorkspaceBySlugResult struct {
 	ExternalID   string
 	LicenseKey   string
@@ -31,9 +30,7 @@ type ResolveWorkspaceBySlugResult struct {
 	Org          *datastore.Organisation
 }
 
-// ResolveWorkspaceBySlug calls Overwatch workspace_config by slug, then loads Convoy org by external_id (UID),
-// refreshes license_data for that org, and returns the OW payload plus the reloaded org.
-// Returns error if slug is empty, OW returns error/404, or Convoy org not found.
+// ResolveWorkspaceBySlug resolves workspace by slug via billing and syncs license data for the org.
 func ResolveWorkspaceBySlug(ctx context.Context, slug string, deps ResolveWorkspaceBySlugDeps) (*ResolveWorkspaceBySlugResult, error) {
 	if slug == "" {
 		return nil, errors.New("slug is required")
@@ -59,7 +56,7 @@ func ResolveWorkspaceBySlug(ctx context.Context, slug string, deps ResolveWorksp
 		return nil, errors.New("workspace not found")
 	}
 	if resp.Data.ExternalID == "" {
-		return nil, errors.New("workspace config missing external_id: ensure the organisation in Overwatch has external_id set to the Convoy organisation UID")
+		return nil, errors.New("workspace config missing external_id")
 	}
 
 	org, err := deps.OrgRepo.FetchOrganisationByID(ctx, resp.Data.ExternalID)
@@ -67,7 +64,6 @@ func ResolveWorkspaceBySlug(ctx context.Context, slug string, deps ResolveWorksp
 		return nil, fmt.Errorf("organisation not found for workspace: %w", err)
 	}
 
-	// Refresh Convoy org license_data so local state stays in sync.
 	defaultKey := deps.Cfg.LicenseKey
 	billingEnabled := deps.Cfg.Billing.Enabled && deps.RefreshDeps.BillingClient != nil
 	licClient := licensesvc.NewClient(licensesvc.Config{
@@ -79,10 +75,8 @@ func ResolveWorkspaceBySlug(ctx context.Context, slug string, deps ResolveWorksp
 	})
 	RefreshLicenseDataForOrg(ctx, *org, defaultKey, billingEnabled, deps.RefreshDeps, licClient)
 
-	// Re-load org after refresh.
 	org, err = deps.OrgRepo.FetchOrganisationByID(ctx, resp.Data.ExternalID)
 	if err != nil {
-		// Return the result we have; refresh may have updated anyway.
 		org = nil
 	}