diff --git a/apps/backend/prisma/migrations/20250903080405_workflows/migration.sql b/apps/backend/prisma/migrations/20250903080405_workflows/migration.sql
new file mode 100644
index 0000000000..add84a7b9c
--- /dev/null
+++ b/apps/backend/prisma/migrations/20250903080405_workflows/migration.sql
@@ -0,0 +1,81 @@
+-- CreateTable
+CREATE TABLE "WorkflowTriggerToken" (
+    "tenancyId" UUID NOT NULL,
+    "id" UUID NOT NULL,
+    "tokenHash" TEXT NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+    "expiresAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "WorkflowTriggerToken_pkey" PRIMARY KEY ("tenancyId","id")
+);
+
+-- CreateTable
+CREATE TABLE "WorkflowTrigger" (
+    "tenancyId" UUID NOT NULL,
+    "id" UUID NOT NULL,
+    "executionId" UUID NOT NULL,
+    "triggerData" JSONB NOT NULL,
+    "scheduledAt" TIMESTAMP(3),
+    "output" JSONB,
+    "error" JSONB,
+    "compiledWorkflowId" UUID,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "WorkflowTrigger_pkey" PRIMARY KEY ("tenancyId","id")
+);
+
+-- CreateTable
+CREATE TABLE "WorkflowExecution" (
+    "tenancyId" UUID NOT NULL,
+    "id" UUID NOT NULL,
+    "workflowId" TEXT NOT NULL,
+    "triggerIds" TEXT[],
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "WorkflowExecution_pkey" PRIMARY KEY ("tenancyId","id")
+);
+
+-- CreateTable
+CREATE TABLE "CurrentlyCompilingWorkflow" (
+    "tenancyId" UUID NOT NULL,
+    "workflowId" TEXT NOT NULL,
+    "compilationVersion" INTEGER NOT NULL,
+    "sourceHash" TEXT NOT NULL,
+    "startedCompilingAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "CurrentlyCompilingWorkflow_pkey" PRIMARY KEY ("tenancyId","workflowId","compilationVersion","sourceHash")
+);
+
+-- CreateTable
+CREATE TABLE "CompiledWorkflow" (
+    "tenancyId" UUID NOT NULL,
+    "id" UUID NOT NULL,
+    "workflowId" TEXT NOT NULL,
+    "compilationVersion" INTEGER NOT NULL,
+    "sourceHash" TEXT NOT NULL,
+    "compiledCode" TEXT,
+    "compileError" TEXT,
+    "compiledAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "registeredTriggers" TEXT[],
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "CompiledWorkflow_pkey" PRIMARY KEY ("tenancyId","id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "WorkflowTriggerToken_tenancyId_tokenHash_key" ON "WorkflowTriggerToken"("tenancyId", "tokenHash");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "CompiledWorkflow_tenancyId_workflowId_compilationVersion_so_key" ON "CompiledWorkflow"("tenancyId", "workflowId", "compilationVersion", "sourceHash");
+
+-- AddForeignKey
+ALTER TABLE "WorkflowTrigger" ADD CONSTRAINT "WorkflowTrigger_tenancyId_compiledWorkflowId_fkey" FOREIGN KEY ("tenancyId", "compiledWorkflowId") REFERENCES "CompiledWorkflow"("tenancyId", "id") ON DELETE RESTRICT ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "WorkflowTrigger" ADD CONSTRAINT "WorkflowTrigger_tenancyId_executionId_fkey" FOREIGN KEY ("tenancyId", "executionId") REFERENCES "WorkflowExecution"("tenancyId", "id") ON DELETE RESTRICT ON UPDATE CASCADE;
diff --git a/apps/backend/prisma/schema.prisma b/apps/backend/prisma/schema.prisma
index b07257fcad..374da8a1cf 100644
--- a/apps/backend/prisma/schema.prisma
+++ b/apps/backend/prisma/schema.prisma
@@ -24,7 +24,7 @@ model Project {
   fullLogoUrl      String?
 
   projectConfigOverride Json?
-  stripeAccountId             String?
+  stripeAccountId       String?
 
   apiKeySets                 ApiKeySet[]
   projectUsers               ProjectUser[]
@@ -773,15 +773,109 @@ model ItemQuantityChange {
 }
 
 model DataVaultEntry {
-  id         String   @default(uuid()) @db.Uuid
-  tenancyId  String   @db.Uuid
-  storeId    String
-  hashedKey  String
-  encrypted  Json     // Contains { edkBase64, ciphertextBase64 } from encryptWithKms()
-  createdAt  DateTime @default(now())
-  updatedAt  DateTime @updatedAt
+  id        String   @default(uuid()) @db.Uuid
+  tenancyId String   @db.Uuid
+  storeId   String
+  hashedKey String
+  encrypted Json // Contains { edkBase64, ciphertextBase64 } from encryptWithKms()
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
 
   @@id([tenancyId, id])
   @@unique([tenancyId, storeId, hashedKey])
   @@index([tenancyId, storeId])
 }
+
+model WorkflowTriggerToken {
+  tenancyId String @db.Uuid
+  id        String @default(uuid()) @db.Uuid
+
+  tokenHash String
+
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  expiresAt DateTime
+
+  @@id([tenancyId, id])
+  @@unique([tenancyId, tokenHash])
+}
+
+model WorkflowTrigger {
+  tenancyId   String @db.Uuid
+  id          String @default(uuid()) @db.Uuid
+  executionId String @db.Uuid
+
+  triggerData Json
+
+  // the following fields determine the state of the trigger:
+  // - scheduledAt && !compiledWorkflowId && !output && !error: the trigger is scheduled to be executed
+  // - !scheduledAt && compiledWorkflowId && !output && !error: the trigger is currently executing
+  // - !scheduledAt && compiledWorkflowId && output && !error: the trigger has successfully completed execution
+  // - !scheduledAt && compiledWorkflowId && !output && error: the trigger has failed execution
+  // All other combinations are invalid.
+  scheduledAt        DateTime?
+  output             Json?
+  error              Json?
+  compiledWorkflowId String?           @db.Uuid
+  compiledWorkflow   CompiledWorkflow? @relation(fields: [tenancyId, compiledWorkflowId], references: [tenancyId, id])
+
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  execution WorkflowExecution @relation(fields: [tenancyId, executionId], references: [tenancyId, id])
+
+  @@id([tenancyId, id])
+}
+
+model WorkflowExecution {
+  tenancyId String @db.Uuid
+  id        String @default(uuid()) @db.Uuid
+
+  workflowId String
+
+  triggerIds String[]
+  triggers   WorkflowTrigger[]
+
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  @@id([tenancyId, id])
+}
+
+model CurrentlyCompilingWorkflow {
+  tenancyId          String @db.Uuid
+  workflowId         String
+  compilationVersion Int
+  sourceHash         String
+
+  startedCompilingAt DateTime @default(now())
+
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  @@id([tenancyId, workflowId, compilationVersion, sourceHash])
+}
+
+model CompiledWorkflow {
+  tenancyId          String @db.Uuid
+  id                 String @default(uuid()) @db.Uuid
+  workflowId         String // note: The workflow with this ID may have been edited or deleted in the meantime, so there may be multiple CompiledWorkflows with the same workflowId
+  compilationVersion Int
+  sourceHash         String
+
+  // exactly one of [compiledCode, compileError] must be set
+  compiledCode String?
+  compileError String?
+
+  compiledAt         DateTime @default(now())
+  registeredTriggers String[]
+
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  workflowTriggers WorkflowTrigger[]
+
+  @@id([tenancyId, id])
+  @@unique([tenancyId, workflowId, compilationVersion, sourceHash])
+}
diff --git a/apps/backend/src/app/api/latest/users/crud.tsx b/apps/backend/src/app/api/latest/users/crud.tsx
index 9a26dbb085..d7ebfeebf4 100644
--- a/apps/backend/src/app/api/latest/users/crud.tsx
+++ b/apps/backend/src/app/api/latest/users/crud.tsx
@@ -5,6 +5,7 @@ import { ensureTeamMembershipExists, ensureUserExists } from "@/lib/request-chec
 import { Tenancy, getSoleTenancyFromProjectBranch, getTenancy } from "@/lib/tenancies";
 import { PrismaTransaction } from "@/lib/types";
 import { sendTeamMembershipDeletedWebhook, sendUserCreatedWebhook, sendUserDeletedWebhook, sendUserUpdatedWebhook } from "@/lib/webhooks";
+import { triggerWorkflows } from "@/lib/workflows";
 import { RawQuery, getPrismaClientForSourceOfTruth, getPrismaClientForTenancy, getPrismaSchemaForSourceOfTruth, getPrismaSchemaForTenancy, globalPrismaClient, rawQuery, retryTransaction, sqlQuoteIdent } from "@/prisma-client";
 import { createCrudHandlers } from "@/route-handlers/crud-handler";
 import { uploadAndGetUrl } from "@/s3";
@@ -648,6 +649,14 @@ export const usersCrudHandlers = createLazyProxy(() => createCrudHandlers(usersC
 
     await createPersonalTeamIfEnabled(prisma, auth.tenancy, result);
 
+    // if the user is not an anonymous user, trigger onSignUp workflows
+    if (!result.is_anonymous) {
+      await triggerWorkflows(auth.tenancy, {
+        type: "sign-up",
+        userId: result.id,
+      });
+    }
+
     runAsynchronouslyAndWaitUntil(sendUserCreatedWebhook({
       projectId: auth.project.id,
       data: result,
@@ -948,8 +957,15 @@ export const usersCrudHandlers = createLazyProxy(() => createCrudHandlers(usersC
         }
       }
 
-      // if we went from anonymous to non-anonymous, rename the personal team
+      // if we went from anonymous to non-anonymous:
       if (oldUser.isAnonymous && data.is_anonymous === false) {
+        // trigger onSignUp workflows
+        await triggerWorkflows(auth.tenancy, {
+          type: "sign-up",
+          userId: params.user_id,
+        });
+
+        // rename the personal team
         await tx.team.updateMany({
           where: {
             tenancyId: auth.tenancy.id,
diff --git a/apps/backend/src/lib/email-rendering.tsx b/apps/backend/src/lib/email-rendering.tsx
index b58622e0c1..9a49ec960a 100644
--- a/apps/backend/src/lib/email-rendering.tsx
+++ b/apps/backend/src/lib/email-rendering.tsx
@@ -1,6 +1,5 @@
 import { Freestyle } from '@/lib/freestyle';
 import { emptyEmailTheme } from '@stackframe/stack-shared/dist/helpers/emails';
-import { getEnvVariable, getNodeEnvironment } from '@stackframe/stack-shared/dist/utils/env';
 import { StackAssertionError } from '@stackframe/stack-shared/dist/utils/errors';
 import { bundleJavaScript } from '@stackframe/stack-shared/dist/utils/esbuild';
 import { get, has } from '@stackframe/stack-shared/dist/utils/objects';
@@ -53,7 +52,6 @@ export async function renderEmailWithTemplate(
     previewMode?: boolean,
   },
 ): Promise<Result<{ html: string, text: string, subject?: string, notificationCategory?: string }, string>> {
-  const apiKey = getEnvVariable("STACK_FREESTYLE_API_KEY");
   const variables = options.variables ?? {};
   const previewMode = options.previewMode ?? false;
   const user = (previewMode && !options.user) ? { displayName: "John Doe" } : options.user;
@@ -114,17 +112,17 @@ export async function renderEmailWithTemplate(
     return Result.error(result.error);
   }
 
-  const freestyle = new Freestyle({ apiKey });
+  const freestyle = new Freestyle();
   const nodeModules = {
     "react": "19.1.1",
     "@react-email/components": "0.1.1",
     "arktype": "2.1.20",
   };
   const output = await freestyle.executeScript(result.data, { nodeModules });
-  if ("error" in output) {
-    return Result.error(output.error as string);
+  if (output.status === "error") {
+    return Result.error(`${output.error}`);
   }
-  return Result.ok(output.result as { html: string, text: string, subject: string, notificationCategory: string });
+  return Result.ok(output.data.result as { html: string, text: string, subject: string, notificationCategory: string });
 }
 
 
diff --git a/apps/backend/src/lib/freestyle.tsx b/apps/backend/src/lib/freestyle.tsx
index b6b0ea6ceb..d038973c8f 100644
--- a/apps/backend/src/lib/freestyle.tsx
+++ b/apps/backend/src/lib/freestyle.tsx
@@ -1,18 +1,24 @@
 import { traceSpan } from '@/utils/telemetry';
-import { getNodeEnvironment } from '@stackframe/stack-shared/dist/utils/env';
-import { StackAssertionError, captureError, errorToNiceString } from '@stackframe/stack-shared/dist/utils/errors';
+import { getEnvVariable, getNodeEnvironment } from '@stackframe/stack-shared/dist/utils/env';
+import { StackAssertionError } from '@stackframe/stack-shared/dist/utils/errors';
+import { parseJson } from '@stackframe/stack-shared/dist/utils/json';
+import { Result } from '@stackframe/stack-shared/dist/utils/results';
 import { FreestyleSandboxes } from 'freestyle-sandboxes';
 
 export class Freestyle {
   private freestyle: FreestyleSandboxes;
 
-  constructor(options: { apiKey: string }) {
+  constructor(options: { apiKey?: string } = {}) {
+    const apiKey = options.apiKey || getEnvVariable("STACK_FREESTYLE_API_KEY");
     let baseUrl = undefined;
-    if (["development", "test"].includes(getNodeEnvironment()) && options.apiKey === "mock_stack_freestyle_key") {
+    if (apiKey === "mock_stack_freestyle_key") {
+      if (!["development", "test"].includes(getNodeEnvironment())) {
+        throw new StackAssertionError("Mock Freestyle key used in production; please set the STACK_FREESTYLE_API_KEY environment variable.");
+      }
       baseUrl = "http://localhost:8122";
     }
     this.freestyle = new FreestyleSandboxes({
-      apiKey: options.apiKey,
+      apiKey,
       baseUrl,
     });
   }
@@ -27,10 +33,15 @@ export class Freestyle {
       }
     }, async () => {
       try {
-        return await this.freestyle.executeScript(script, options);
-      } catch (error) {
-        captureError("freestyle.executeScript", error);
-        throw new StackAssertionError("Error executing script with Freestyle! " + errorToNiceString(error), { cause: error });
+        const res = await this.freestyle.executeScript(script, options);
+        return Result.ok(res);
+      } catch (e: unknown) {
+        // for whatever reason, Freestyle's errors are sometimes returned in JSON.parse(e.error.error).error (lol)
+        const wrap1 = e && typeof e === "object" && "error" in e ? e.error : e;
+        const wrap2 = wrap1 && typeof wrap1 === "object" && "error" in wrap1 ? wrap1.error : wrap1;
+        const wrap3 = wrap2 && typeof wrap2 === "string" ? Result.or(parseJson(wrap2), wrap2) : wrap2;
+        const wrap4 = wrap3 && typeof wrap3 === "object" && "error" in wrap3 ? wrap3.error : wrap3;
+        return Result.error(`${wrap4}`);
       }
     });
   }
diff --git a/apps/backend/src/lib/workflows.tsx b/apps/backend/src/lib/workflows.tsx
new file mode 100644
index 0000000000..de084ef89e
--- /dev/null
+++ b/apps/backend/src/lib/workflows.tsx
@@ -0,0 +1,515 @@
+import { getPrismaClientForTenancy, globalPrismaClient, retryTransaction } from "@/prisma-client";
+import { traceSpan } from "@/utils/telemetry";
+import { allPromisesAndWaitUntilEach, runAsynchronouslyAndWaitUntil } from "@/utils/vercel";
+import { CompiledWorkflow, Prisma } from "@prisma/client";
+import { isStringArray } from "@stackframe/stack-shared/dist/utils/arrays";
+import { encodeBase64 } from "@stackframe/stack-shared/dist/utils/bytes";
+import { generateSecureRandomString, hash } from "@stackframe/stack-shared/dist/utils/crypto";
+import { getEnvVariable } from "@stackframe/stack-shared/dist/utils/env";
+import { StackAssertionError, captureError, errorToNiceString, throwErr } from "@stackframe/stack-shared/dist/utils/errors";
+import { bundleJavaScript } from "@stackframe/stack-shared/dist/utils/esbuild";
+import { runAsynchronously, timeout, wait } from "@stackframe/stack-shared/dist/utils/promises";
+import { Result } from "@stackframe/stack-shared/dist/utils/results";
+import { generateUuid } from "@stackframe/stack-shared/dist/utils/uuids";
+import { Freestyle } from "./freestyle";
+import { Tenancy } from "./tenancies";
+
+const externalPackages = {
+  '@stackframe/stack': 'latest',
+};
+
+type WorkflowRegisteredTriggerType = "sign-up";
+
+type WorkflowTrigger =
+  | {
+    type: "sign-up",
+    userId: string,
+  }
+  | {
+    type: "compile",
+  }
+  | {
+    type: "callback",
+    callbackId: string,
+    scheduledAtMillis: number,
+    data: unknown,
+    callerTriggerId: string,
+    executionId: string,
+  };
+
+async function hashWorkflowSource(source: string) {
+  return encodeBase64(await hash({
+    purpose: "stack-auth-workflow-source",
+    value: JSON.stringify(source),
+  }));
+}
+
+export async function hashWorkflowTriggerToken(token: string) {
+  return encodeBase64(await hash({
+    purpose: "stack-auth-workflow-trigger-token",
+    value: token,
+  }));
+}
+
+export async function compileWorkflowSource(source: string): Promise<Result<string, string>> {
+  const bundleResult = await bundleJavaScript({
+    "/source.tsx": source,
+    "/entry.js": `
+      import { StackServerApp } from '@stackframe/stack';
+
+      export default async () => {
+        globalThis.stackApp = new StackServerApp({
+          tokenStore: null,
+          extraRequestHeaders: {
+            "x-stack-workflow-token": process.env.STACK_WORKFLOW_TOKEN_SECRET,
+          }
+        });
+
+        const registeredTriggers = new Map();
+        globalThis._registerTrigger = (triggerType, func) => {
+          registeredTriggers.set(triggerType, func);
+        };
+        _registerTrigger("compile", () => ({
+          registeredTriggers: [...registeredTriggers.keys()],
+        }));
+
+        const registeredCallbacks = new Map();
+        globalThis.registerCallback = (callbackId, func) => {
+          registeredCallbacks.set(callbackId, func);
+        };
+        _registerTrigger("callback", ({ callbackId, data }) => {
+          const callbackFunc = registeredCallbacks.get(callbackId);
+          if (!callbackFunc) {
+            throw new Error(\`Callback \${callbackId} not found. Was it maybe deleted from the workflow?\`);
+          }
+          return callbackFunc(JSON.parse(data.dataJson));
+        });
+        let scheduledCallback = undefined;
+        globalThis.scheduleCallback = ({ callbackId, data, scheduleAt }) => {
+          if (scheduledCallback) {
+            throw new Error("Only one callback can be scheduled at a time!");
+          }
+          scheduledCallback = { callbackId, data, scheduleAtMillis: scheduleAt.getTime() };
+          return scheduledCallback;
+        };
+
+        function makeTriggerRegisterer(str, typeCb, argsCb) {
+          globalThis[str] = (...args) => _registerTrigger(typeCb(...args.slice(0, -1)), async (data) => args[args.length - 1](...await argsCb(data))); 
+        }
+
+        makeTriggerRegisterer("onSignUp", () => "sign-up", async (data) => [await stackApp.getUser(data.userId, { or: "throw" })]);
+
+        await import("./source.tsx");
+
+        const triggerData = JSON.parse(process.env.STACK_WORKFLOW_TRIGGER_DATA);
+        const trigger = registeredTriggers.get(triggerData.type);
+        if (!trigger) {
+          throw new Error(\`Workflow trigger \${triggerData.type} invoked but not found. Please report this to the developers.\`);
+        }
+        const triggerOutput = await trigger(triggerData);
+        if (scheduledCallback !== undefined) {
+          if (triggerOutput !== scheduledCallback) {
+            throw new Error("When calling scheduleCallback, you must return its return value in the event handler!");
+          }
+          return {
+            scheduledCallback: triggerOutput,
+          };
+        } else {
+          return {
+            triggerOutput,
+          };
+        }
+      }
+    `,
+  }, {
+    format: 'esm',
+    keepAsImports: Object.keys(externalPackages),
+  });
+  if (bundleResult.status === "error") {
+    return Result.error(bundleResult.error);
+  }
+  return Result.ok(bundleResult.data);
+}
+
+async function compileWorkflow(tenancy: Tenancy, workflowId: string): Promise<Result<{ compiledCode: string, registeredTriggers: string[] }, { compileError?: string }>> {
+  return await traceSpan(`compileWorkflow ${workflowId}`, async () => {
+    if (!(workflowId in tenancy.config.workflows.availableWorkflows)) {
+      throw new StackAssertionError(`Workflow ${workflowId} not found`);
+    }
+    const workflow = tenancy.config.workflows.availableWorkflows[workflowId];
+    const res = await timeout(async () => {
+      const compiledCodeResult = await compileWorkflowSource(workflow.tsSource);
+      if (compiledCodeResult.status === "error") {
+        return Result.error({ compileError: `Failed to compile workflow: ${compiledCodeResult.error}` });
+      }
+
+      const compileTriggerResult = await triggerWorkflowRaw(tenancy, compiledCodeResult.data, {
+        type: "compile",
+      });
+      if (compileTriggerResult.status === "error") {
+        return Result.error({ compileError: `Failed to initialize workflow: ${compileTriggerResult.error}` });
+      }
+      const compileTriggerOutputResult = compileTriggerResult.data;
+      if (typeof compileTriggerOutputResult !== "object" || !compileTriggerOutputResult || !("triggerOutput" in compileTriggerOutputResult)) {
+        captureError("workflows-compile-trigger-output", new StackAssertionError(`Failed to parse compile trigger output`, { compileTriggerOutputResult }));
+        return Result.error({ compileError: `Failed to parse compile trigger output` });
+      }
+      const registeredTriggers = (compileTriggerOutputResult.triggerOutput as any)?.registeredTriggers;
+      if (!isStringArray(registeredTriggers)) {
+        captureError("workflows-compile-trigger-output", new StackAssertionError(`Failed to parse compile trigger output, should be array of strings`, { compileTriggerOutputResult }));
+        return Result.error({ compileError: `Failed to parse compile trigger output, should be array of strings` });
+      }
+
+      return Result.ok({
+        compiledCode: compiledCodeResult.data,
+        registeredTriggers: registeredTriggers,
+      });
+    }, 10_000);
+
+    if (res.status === "error") {
+      return Result.error({ compileError: `Timed out compiling workflow ${workflowId} after ${res.error.ms}ms` });
+    }
+    return res.data;
+  });
+}
+
+import.meta.vitest?.test("compileWorkflow", async ({ expect }) => {
+  const compileAndGetResult = async (tsSource: string) => {
+    const tenancy = {
+      id: "01234567-89ab-cdef-0123-456789abcdef",
+      project: {
+        id: "test-project",
+      },
+      config: {
+        workflows: {
+          availableWorkflows: {
+            "test-workflow": {
+              enabled: true,
+              tsSource,
+            },
+          },
+        },
+      },
+    };
+
+    return await compileWorkflow(tenancy as any, "test-workflow");
+  };
+  const compileAndGetRegisteredTriggers = async (tsSource: string) => {
+    const res = await compileAndGetResult(tsSource);
+    if (res.status === "error") throw new StackAssertionError(`Failed to compile workflow: ${errorToNiceString(res.error)}`, { cause: res.error });
+    return res.data.registeredTriggers;
+  };
+
+  expect(await compileAndGetRegisteredTriggers("console.log('hello, world!');")).toEqual([
+    "compile",
+    "callback",
+  ]);
+  expect(await compileAndGetRegisteredTriggers("onSignUp(() => {}); registerCallback('test', () => {});")).toEqual([
+    "compile",
+    "callback",
+    "sign-up",
+  ]);
+  expect(await compileAndGetResult("return return return return;")).toMatchInlineSnapshot(`
+    {
+      "error": {
+        "compileError": "Failed to compile workflow: Build failed with 1 error:
+    virtual:/source.tsx:1:7: ERROR: Unexpected "return"",
+      },
+      "status": "error",
+    }
+  `);
+  expect(await compileAndGetResult("console.log('hello, world!'); throw new Error('test');")).toMatchInlineSnapshot(`
+    {
+      "error": {
+        "compileError": "Failed to initialize workflow: test",
+      },
+      "status": "error",
+    }
+  `);
+});
+
+async function compileAndGetEnabledWorkflows(tenancy: Tenancy): Promise<Map<string, CompiledWorkflow>> {
+  const compilationVersion = 1;
+  const enabledWorkflows = new Map(await Promise.all(Object.entries(tenancy.config.workflows.availableWorkflows)
+    .filter(([_, workflow]) => workflow.enabled)
+    .map(async ([workflowId, workflow]) => [workflowId, {
+      id: workflowId,
+      workflow,
+      sourceHash: await hashWorkflowSource(workflow.tsSource),
+    }] as const)));
+
+  const getWorkflowsToCompile = async (tx: Prisma.TransactionClient) => {
+    const compiledWorkflows = await tx.compiledWorkflow.findMany({
+      where: {
+        tenancyId: tenancy.id,
+        workflowId: { in: [...enabledWorkflows.keys()] },
+        compilationVersion,
+        sourceHash: { in: [...enabledWorkflows.values()].map(({ sourceHash }) => sourceHash) },
+      },
+    });
+
+    const found = new Map<string, CompiledWorkflow>();
+    const missing = new Set(enabledWorkflows.keys());
+    for (const compiledWorkflow of compiledWorkflows) {
+      const enabledWorkflow = enabledWorkflows.get(compiledWorkflow.workflowId) ?? throwErr(`Compiled workflow ${compiledWorkflow.workflowId} not found in enabled workflows — this should not happen due to our Prisma filter!`);
+      if (enabledWorkflow.sourceHash === compiledWorkflow.sourceHash) {
+        found.set(compiledWorkflow.workflowId, compiledWorkflow);
+        missing.delete(compiledWorkflow.workflowId);
+      }
+    }
+
+    const toCompile: string[] = [];
+    const waiting: string[] = [];
+    for (const workflowId of missing) {
+      const enabledWorkflow = enabledWorkflows.get(workflowId) ?? throwErr(`Enabled workflow ${workflowId} not found in enabled workflows — this should not happen due to our Prisma filter!`);
+      const currentlyCompiling = await tx.currentlyCompilingWorkflow.findUnique({
+        where: {
+          tenancyId_workflowId_compilationVersion_sourceHash: {
+            tenancyId: tenancy.id,
+            workflowId,
+            compilationVersion,
+            sourceHash: enabledWorkflow.sourceHash,
+          },
+        },
+      });
+      if (currentlyCompiling) {
+        waiting.push(workflowId);
+      } else {
+        toCompile.push(workflowId);
+      }
+    }
+
+    if (toCompile.length > 0) {
+      await tx.currentlyCompilingWorkflow.createMany({
+        data: toCompile.map((workflowId) => ({
+          tenancyId: tenancy.id,
+          compilationVersion,
+          workflowId,
+          sourceHash: enabledWorkflows.get(workflowId)?.sourceHash ?? throwErr(`Enabled workflow ${workflowId} not found in enabled workflows — this should not happen due to our Prisma filter!`),
+        })),
+      });
+    }
+
+    return {
+      toCompile,
+      waiting,
+      workflows: found,
+    };
+  };
+
+  let retryInfo = [];
+  const prisma = await getPrismaClientForTenancy(tenancy);
+  for (let retries = 0; retries < 10; retries++) {
+    const todo = await retryTransaction(prisma, async (tx) => {
+      return await getWorkflowsToCompile(tx);
+    }, { level: "serializable" });
+
+    retryInfo.push({
+      toCompile: todo.toCompile,
+      waiting: todo.waiting,
+      done: [...todo.workflows.entries()].map(([workflowId, workflow]) => workflowId),
+    });
+
+    if (todo.toCompile.length === 0 && todo.waiting.length === 0) {
+      return todo.workflows;
+    }
+
+    await allPromisesAndWaitUntilEach(todo.toCompile.map(async (workflowId) => {
+      const enabledWorkflow = enabledWorkflows.get(workflowId) ?? throwErr(`Enabled workflow ${workflowId} not found in enabled workflows — this should not happen due to our Prisma filter!`);
+      try {
+        const compiledWorkflow = await compileWorkflow(tenancy, workflowId);
+        await prisma.compiledWorkflow.create({
+          data: {
+            tenancyId: tenancy.id,
+            compilationVersion,
+            workflowId,
+            sourceHash: enabledWorkflow.sourceHash,
+            ...compiledWorkflow.status === "ok" ? {
+              compiledCode: compiledWorkflow.data.compiledCode,
+              registeredTriggers: compiledWorkflow.data.registeredTriggers,
+            } : {
+              compileError: compiledWorkflow.error.compileError,
+              registeredTriggers: [],
+            },
+          },
+        });
+        console.log(`Compiled workflow ${workflowId}`);
+      } finally {
+        await prisma.currentlyCompilingWorkflow.delete({
+          where: {
+            tenancyId_workflowId_compilationVersion_sourceHash: {
+              tenancyId: tenancy.id,
+              compilationVersion,
+              workflowId,
+              sourceHash: enabledWorkflow.sourceHash,
+            },
+          },
+        });
+      }
+    }));
+
+    const { count } = await prisma.currentlyCompilingWorkflow.deleteMany({
+      where: {
+        tenancyId: tenancy.id,
+        startedCompilingAt: { lt: new Date(Date.now() - 20_000) },
+      },
+    });
+    if (count > 0) {
+      captureError("workflows-compile-timeout", new StackAssertionError(`Deleted ${count} currently compiling workflows that were compiling for more than 20 seconds; this probably indicates a bug in the workflow compilation code`));
+    }
+
+    await wait(1000);
+  }
+
+  throw new StackAssertionError(`Timed out compiling workflows after retries`, { retryInfo });
+}
+
+async function triggerWorkflowRaw(tenancy: Tenancy, compiledWorkflowCode: string, trigger: WorkflowTrigger): Promise<Result<unknown, string>> {
+  const workflowToken = generateSecureRandomString();
+  const workflowTriggerToken = await globalPrismaClient.workflowTriggerToken.create({
+    data: {
+      expiresAt: new Date(Date.now() + 1000 * 35),
+      tenancyId: tenancy.id,
+      tokenHash: await hashWorkflowTriggerToken(workflowToken),
+    },
+  });
+
+  const tokenRefreshInterval = setInterval(() => {
+    runAsynchronously(async () => {
+      await globalPrismaClient.workflowTriggerToken.update({
+        where: {
+          tenancyId_id: {
+            tenancyId: tenancy.id,
+            id: workflowTriggerToken.id,
+          },
+        },
+        data: { expiresAt: new Date(Date.now() + 1000 * 35) },
+      });
+    });
+  }, 10_000);
+
+  try {
+    const freestyle = new Freestyle();
+    const freestyleRes = await freestyle.executeScript(compiledWorkflowCode, {
+      envVars: {
+        STACK_WORKFLOW_TRIGGER_DATA: JSON.stringify(trigger),
+        NEXT_PUBLIC_STACK_PROJECT_ID: tenancy.project.id,
+        NEXT_PUBLIC_STACK_API_URL: getEnvVariable("NEXT_PUBLIC_STACK_API_URL").replace("http://localhost", "http://host.docker.internal"),  // the replace is a hardcoded hack for the Freestyle mock server
+        NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY: "<placeholder publishable client key; the actual auth happens with the workflow token>",
+        STACK_SECRET_SERVER_KEY: "<placeholder secret server key; the actual auth happens with the workflow token>",
+        STACK_WORKFLOW_TOKEN_SECRET: workflowToken,
+      },
+      nodeModules: Object.fromEntries(Object.entries(externalPackages).map(([packageName, version]) => [packageName, version])),
+    });
+    return Result.map(freestyleRes, (data) => data.result);
+  } finally {
+    clearInterval(tokenRefreshInterval);
+  }
+}
+
+async function createScheduledTrigger(tenancy: Tenancy, workflowId: string, trigger: WorkflowTrigger, scheduledAt: Date) {
+  const executionId = trigger.type === "callback" ? trigger.executionId : generateUuid();
+
+  const prisma = await getPrismaClientForTenancy(tenancy);
+  const dbTrigger = await prisma.workflowTrigger.create({
+    data: {
+      triggerData: trigger as any,
+      scheduledAt,
+      execution: {
+        connectOrCreate: {
+          where: {
+            tenancyId_id: {
+              tenancyId: tenancy.id,
+              id: executionId,
+            },
+          },
+          create: {
+            tenancyId: tenancy.id,
+            workflowId,
+          },
+        },
+      },
+    },
+  });
+  return dbTrigger;
+}
+
+async function triggerWorkflow(tenancy: Tenancy, compiledWorkflow: CompiledWorkflow, triggerId: string): Promise<Result<void, string>> {
+  if (compiledWorkflow.compiledCode === null) {
+    return Result.error(`Workflow ${compiledWorkflow.id} failed to compile: ${compiledWorkflow.compileError}`);
+  }
+
+  const prisma = await getPrismaClientForTenancy(tenancy);
+  const trigger = await prisma.workflowTrigger.update({
+    where: {
+      tenancyId_id: {
+        tenancyId: tenancy.id,
+        id: triggerId,
+      },
+    },
+    data: {
+      compiledWorkflowId: compiledWorkflow.id,
+      scheduledAt: null,
+      output: Prisma.DbNull,
+      error: Prisma.DbNull,
+    },
+  });
+
+  const res = await triggerWorkflowRaw(tenancy, compiledWorkflow.compiledCode, trigger.triggerData as WorkflowTrigger);
+  if (res.status === "error") {
+    console.log(`Compiled workflow failed to process trigger: ${res.error}`, { trigger, compiledWorkflowId: compiledWorkflow.id, res });
+  } else {
+    if (res.data && typeof res.data === "object" && "scheduledCallback" in res.data && res.data.scheduledCallback && typeof res.data.scheduledCallback === "object") {
+      const scheduledCallback: any = res.data.scheduledCallback;
+      const callbackId = `${scheduledCallback.callbackId}`;
+      const scheduleAt = new Date(scheduledCallback.scheduleAtMillis);
+      const callbackData = scheduledCallback.data;
+      await createScheduledTrigger(
+        tenancy,
+        compiledWorkflow.id,
+        {
+          type: "callback",
+          callbackId,
+          data: callbackData,
+          scheduledAtMillis: scheduleAt.getTime(),
+          callerTriggerId: triggerId,
+          executionId: trigger.executionId,
+        },
+        scheduleAt
+      );
+    }
+  }
+  await prisma.workflowTrigger.update({
+    where: {
+      tenancyId_id: {
+        tenancyId: tenancy.id,
+        id: triggerId,
+      },
+    },
+    data: {
+      ...res.status === "ok" ? {
+        output: res.data as any,
+      } : {
+        error: res.error,
+      },
+    },
+  });
+  return Result.ok(undefined);
+}
+
+export async function triggerScheduledCallbacks(tenancy: Tenancy) {
+
+}
+
+export async function triggerWorkflows(tenancy: Tenancy, trigger: WorkflowTrigger & { type: WorkflowRegisteredTriggerType }) {
+  runAsynchronouslyAndWaitUntil(async () => {
+    const compiledWorkflows = await compileAndGetEnabledWorkflows(tenancy);
+    const promises = [...compiledWorkflows]
+      .filter(([_, compiledWorkflow]) => compiledWorkflow.registeredTriggers.includes(trigger.type))
+      .map(async ([workflowId, compiledWorkflow]) => {
+        const dbTrigger = await createScheduledTrigger(tenancy, workflowId, trigger, new Date());
+        await triggerWorkflow(tenancy, compiledWorkflow, dbTrigger.id);
+      });
+    await Promise.all(promises);
+  });
+}
diff --git a/apps/backend/src/middleware.tsx b/apps/backend/src/middleware.tsx
index b7b5aa792a..1dd940a2f1 100644
--- a/apps/backend/src/middleware.tsx
+++ b/apps/backend/src/middleware.tsx
@@ -26,6 +26,7 @@ const corsAllowedRequestHeaders = [
   'x-stack-secret-server-key',
   'x-stack-super-secret-admin-key',
   'x-stack-admin-access-token',
+  'x-stack-workflow-token',
 
   // User auth
   'x-stack-refresh-token',
diff --git a/apps/backend/src/prisma-client.tsx b/apps/backend/src/prisma-client.tsx
index e651de3ee6..7b138ae380 100644
--- a/apps/backend/src/prisma-client.tsx
+++ b/apps/backend/src/prisma-client.tsx
@@ -121,9 +121,9 @@ class TransactionErrorThatShouldNotBeRetried extends Error {
   }
 }
 
-export async function retryTransaction<T>(client: PrismaClient, fn: (tx: PrismaClientTransaction) => Promise<T>): Promise<T> {
-  // disable serializable transactions for now, later we may re-add them
-  const enableSerializable = false as boolean;
+export async function retryTransaction<T>(client: PrismaClient, fn: (tx: PrismaClientTransaction) => Promise<T>, options: { level?: "default" | "serializable" } = {}): Promise<T> {
+  // serializable transactions are currently off by default, later we may turn them on
+  const enableSerializable = options.level === "serializable";
 
   return await traceSpan('Prisma transaction', async (span) => {
     const res = await Result.retry(async (attemptIndex) => {
@@ -154,7 +154,7 @@ export async function retryTransaction<T>(client: PrismaClient, fn: (tx: PrismaC
               }
               return res;
             }, {
-              isolationLevel: enableSerializable && attemptIndex < 4 ? Prisma.TransactionIsolationLevel.Serializable : undefined,
+              isolationLevel: enableSerializable ? Prisma.TransactionIsolationLevel.Serializable : undefined,
             }));
           } catch (e) {
             // we don't want to retry too aggressively here, because the error may have been thrown after the transaction was already committed
diff --git a/apps/backend/src/route-handlers/smart-request.tsx b/apps/backend/src/route-handlers/smart-request.tsx
index aca6985c48..e6035124eb 100644
--- a/apps/backend/src/route-handlers/smart-request.tsx
+++ b/apps/backend/src/route-handlers/smart-request.tsx
@@ -6,6 +6,7 @@ import { checkApiKeySet, checkApiKeySetQuery } from "@/lib/internal-api-keys";
 import { getProjectQuery, listManagedProjectIds } from "@/lib/projects";
 import { DEFAULT_BRANCH_ID, Tenancy, getSoleTenancyFromProjectBranch } from "@/lib/tenancies";
 import { decodeAccessToken } from "@/lib/tokens";
+import { hashWorkflowTriggerToken } from "@/lib/workflows";
 import { globalPrismaClient, rawQueryAll } from "@/prisma-client";
 import { KnownErrors } from "@stackframe/stack-shared";
 import { ProjectsCrud } from "@stackframe/stack-shared/dist/interface/crud/projects";
@@ -167,6 +168,7 @@ const parseAuth = withTraceSpan('smart request parseAuth', async (req: NextReque
   const secretServerKey = req.headers.get("x-stack-secret-server-key");
   const superSecretAdminKey = req.headers.get("x-stack-super-secret-admin-key");
   const adminAccessToken = req.headers.get("x-stack-admin-access-token");
+  const workflowToken = req.headers.get("x-stack-workflow-token");
   const accessToken = req.headers.get("x-stack-access-token");
   const developmentKeyOverride = req.headers.get("x-stack-development-override-key");  // in development, the internal project's API key can optionally be used to access any project
   const allowAnonymousUser = req.headers.get("x-stack-allow-anonymous-user") === "true";
@@ -273,8 +275,27 @@ const parseAuth = withTraceSpan('smart request parseAuth', async (req: NextReque
     const result = await checkApiKeySet("internal", { superSecretAdminKey: developmentKeyOverride });
     if (!result) throw new StatusError(401, "Invalid development key override");
   } else if (adminAccessToken) {
-    // TODO put the assertion below into the bundled queries above (not so important because this path is quite rare)
+    // TODO put this into the bundled queries above (not so important because this path is quite rare)
     await extractUserFromAdminAccessToken({ token: adminAccessToken, projectId });  // assert that the admin token is valid
+  } else if (workflowToken) {
+    // TODO put this into the bundled queries above (not so important because this path is quite rare)
+    if (requestType === "admin") {
+      throw new KnownErrors.AdminAuthenticationRequired();
+    }
+    if (!["client", "server"].includes(requestType)) {
+      throw new StackAssertionError(`Unexpected request type in workflow token auth: ${requestType}. This should never happen because we should've filtered this earlier`);
+    }
+    const workflowTokenHash = await hashWorkflowTriggerToken(workflowToken);
+    const workflowTriggerToken = tenancy ? await globalPrismaClient.workflowTriggerToken.findUnique({
+      where: {
+        tenancyId_tokenHash: {
+          tenancyId: tenancy.id,
+          tokenHash: workflowTokenHash,
+        },
+      },
+    }) : undefined;
+    if (!workflowTriggerToken) throw new KnownErrors.WorkflowTokenDoesNotExist();
+    if (workflowTriggerToken.expiresAt < new Date()) throw new KnownErrors.WorkflowTokenExpired();
   } else {
     switch (requestType) {
       case "client": {
@@ -288,7 +309,7 @@ const parseAuth = withTraceSpan('smart request parseAuth', async (req: NextReque
         break;
       }
       case "admin": {
-        if (!superSecretAdminKey) throw new KnownErrors.AdminAuthenticationRequired;
+        if (!superSecretAdminKey) throw new KnownErrors.AdminAuthenticationRequired();
         if (!queriesResults.isAdminKeyValid) throw new KnownErrors.InvalidSuperSecretAdminKey(projectId);
         break;
       }
@@ -297,6 +318,7 @@ const parseAuth = withTraceSpan('smart request parseAuth', async (req: NextReque
       }
     }
   }
+
   if (!tenancy) {
     throw new KnownErrors.BranchDoesNotExist(branchId);
   }
diff --git a/apps/backend/src/utils/vercel.tsx b/apps/backend/src/utils/vercel.tsx
index 0dc1de32af..1ca40dfa9d 100644
--- a/apps/backend/src/utils/vercel.tsx
+++ b/apps/backend/src/utils/vercel.tsx
@@ -2,7 +2,15 @@ import { runAsynchronously } from "@stackframe/stack-shared/dist/utils/promises"
 // eslint-disable-next-line no-restricted-imports
 import { waitUntil as waitUntilVercel } from "@vercel/functions";
 
-export function runAsynchronouslyAndWaitUntil(promise: Promise<unknown>) {
+export function runAsynchronouslyAndWaitUntil<T>(promiseOrFunction: Promise<T> | (() => Promise<T>)) {
+  const promise = typeof promiseOrFunction === "function" ? promiseOrFunction() : promiseOrFunction;
   runAsynchronously(promise);
   waitUntilVercel(promise);
 }
+
+export async function allPromisesAndWaitUntilEach(promises: Promise<unknown>[]): Promise<unknown[]> {
+  for (const promise of promises) {
+    waitUntilVercel(promise);
+  }
+  return await Promise.all(promises);
+}
diff --git a/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/auth-methods/providers.tsx b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/auth-methods/providers.tsx
index 958ad7abe7..600a28a41a 100644
--- a/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/auth-methods/providers.tsx
+++ b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/auth-methods/providers.tsx
@@ -125,6 +125,10 @@ export function ProviderSettingDialog(props: Props & { open: boolean, onClose: (
               </Typography>
             </div>}
 
+          <Typography variant="secondary" type="footnote">
+            Existing user accounts will be transferred over automatically when you change the OAuth keys.
+          </Typography>
+
           {!form.watch("shared") && (
             <>
               <InputField
diff --git a/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/data-vault/page.tsx b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/data-vault/page.tsx
new file mode 100644
index 0000000000..6d4c3aaaa5
--- /dev/null
+++ b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/data-vault/page.tsx
@@ -0,0 +1,5 @@
+import { redirect } from "next/navigation";
+
+export default function Page() {
+  redirect("stores");
+}
diff --git a/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/payments/page-client.tsx b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/payments/page-client.tsx
index a21d580d2b..20949e6f9b 100644
--- a/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/payments/page-client.tsx
+++ b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/payments/page-client.tsx
@@ -773,7 +773,7 @@ export default function PageClient() {
     innerContent = <WelcomeScreen onCreateOffer={handleCreateOffer} />;
   } else {
     innerContent = (
-      <PageLayout title="Payments" actions={process.env.NODE_ENV === "development" && (
+      <PageLayout title="Offers & Items" actions={process.env.NODE_ENV === "development" && (
         <div className="flex items-center gap-2">
           <Checkbox
             checked={shouldUseDummyData}
diff --git a/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/workflows/[workflowId]/page.tsx b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/workflows/[workflowId]/page.tsx
new file mode 100644
index 0000000000..885058b240
--- /dev/null
+++ b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/workflows/[workflowId]/page.tsx
@@ -0,0 +1,104 @@
+"use client";
+
+import { useRouter } from "@/components/router";
+import { Button, Card, CardContent, CardHeader, CardTitle, toast } from "@stackframe/stack-ui";
+import { ArrowLeft, Save } from "lucide-react";
+import { useParams } from "next/navigation";
+import { useEffect, useState } from "react";
+import { PageLayout } from "../../page-layout";
+import { useAdminApp } from "../../use-admin-app";
+
+export default function WorkflowDetailPage() {
+  const params = useParams();
+  const router = useRouter();
+  const workflowId = params.workflowId as string;
+  const projectId = params.projectId as string;
+
+  const stackAdminApp = useAdminApp();
+  const project = stackAdminApp.useProject();
+  const config = project.useConfig();
+
+  const availableWorkflows = config.workflows.availableWorkflows;
+  const workflow = workflowId in availableWorkflows ? availableWorkflows[workflowId] : undefined;
+  const [workflowContent, setWorkflowContent] = useState("");
+  const [isLoading, setIsLoading] = useState(false);
+
+  useEffect(() => {
+    if (workflow && workflow.tsSource) {
+      setWorkflowContent(workflow.tsSource);
+    }
+  }, [workflow]);
+
+  const handleSave = async () => {
+    setIsLoading(true);
+    try {
+      await project.updateConfig({
+        [`workflows.availableWorkflows.${workflowId}.tsSource`]: workflowContent
+      });
+      toast({ title: "Workflow saved successfully" });
+    } catch (error) {
+      toast({ title: "Failed to save workflow", variant: "destructive" });
+    } finally {
+      setIsLoading(false);
+    }
+  };
+
+  const handleBack = () => {
+    router.push(`/projects/${projectId}/workflows`);
+  };
+
+  if (workflow === undefined) {
+    return (
+      <PageLayout title="Workflow Not Found">
+        <div className="flex flex-col items-center justify-center h-full">
+          <p className="text-muted-foreground mb-4">The workflow {JSON.stringify(workflowId)} was not found.</p>
+          <Button onClick={handleBack} variant="outline">
+            <ArrowLeft className="h-4 w-4 mr-2" />
+            Back to Workflows
+          </Button>
+        </div>
+      </PageLayout>
+    );
+  }
+
+  return (
+    <PageLayout
+      title={workflow.displayName || workflowId}
+      actions={
+        <div className="flex gap-2">
+          <Button onClick={handleBack} variant="outline" size="sm">
+            <ArrowLeft className="h-4 w-4 mr-2" />
+            Back
+          </Button>
+          <Button onClick={handleSave} size="sm" disabled={isLoading}>
+            <Save className="h-4 w-4 mr-2" />
+            {isLoading ? "Saving..." : "Save"}
+          </Button>
+        </div>
+      }
+    >
+      <div className="flex gap-6 flex-1" style={{ flexBasis: "0px", overflow: "scroll" }}>
+        <Card className="w-full">
+          <CardHeader>
+            <CardTitle className="text-base">Workflow Definition</CardTitle>
+            <p className="text-sm text-muted-foreground">
+              {workflow.enabled ? "This workflow is enabled" : "This workflow is disabled"}
+            </p>
+          </CardHeader>
+          <CardContent>
+            <div className="relative">
+              <textarea
+                value={workflowContent}
+                onChange={(e) => setWorkflowContent(e.target.value)}
+                className="w-full min-h-[600px] p-4 font-mono text-sm bg-muted/50 border rounded-md resize-none focus:outline-none focus:ring-2 focus:ring-primary"
+                spellCheck={false}
+                placeholder="Enter your workflow code here..."
+                disabled={isLoading}
+              />
+            </div>
+          </CardContent>
+        </Card>
+      </div>
+    </PageLayout>
+  );
+}
diff --git a/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/workflows/page.tsx b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/workflows/page.tsx
new file mode 100644
index 0000000000..754576ebd2
--- /dev/null
+++ b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/workflows/page.tsx
@@ -0,0 +1,362 @@
+"use client";
+
+import { deindent } from "@stackframe/stack-shared/dist/utils/strings";
+import { generateUuid } from "@stackframe/stack-shared/dist/utils/uuids";
+import { Button, Card, CardContent, Dialog, DialogContent, DialogFooter, DialogHeader, DialogTitle, Input, Label, Textarea, toast } from "@stackframe/stack-ui";
+import { Plus } from "lucide-react";
+import { useState } from "react";
+import { IllustratedInfo } from "../../../../../../components/illustrated-info";
+import { PageLayout } from "../page-layout";
+import { useAdminApp } from "../use-admin-app";
+import { WorkflowList } from "./workflow-list";
+
+function EmptyState({ onCreateWorkflow }: { onCreateWorkflow: () => void }) {
+  return (
+    <div className="flex flex-col items-center justify-center h-full px-4 py-12 max-w-3xl mx-auto">
+      <IllustratedInfo
+        illustration={
+          <div className="grid grid-cols-2 gap-3">
+            <div className="bg-background rounded p-3 shadow-sm border">
+              <div className="h-2 bg-muted rounded mb-2"></div>
+              <div className="space-y-2">
+                <div className="flex gap-2">
+                  <div className="h-6 w-6 bg-primary/20 rounded"></div>
+                  <div className="h-6 flex-1 bg-muted rounded"></div>
+                </div>
+                <div className="flex gap-2 ml-6">
+                  <div className="h-6 w-6 bg-primary/20 rounded"></div>
+                  <div className="h-6 flex-1 bg-muted rounded"></div>
+                </div>
+                <div className="flex gap-2 ml-12">
+                  <div className="h-6 w-6 bg-primary/20 rounded"></div>
+                  <div className="h-6 flex-1 bg-muted rounded"></div>
+                </div>
+              </div>
+            </div>
+            <div className="bg-background rounded p-3 shadow-sm border">
+              <div className="h-2 bg-muted rounded mb-2"></div>
+              <div className="space-y-2">
+                <div className="flex gap-2">
+                  <div className="h-6 w-6 bg-primary/20 rounded"></div>
+                  <div className="h-6 flex-1 bg-muted rounded"></div>
+                </div>
+                <div className="flex gap-2 ml-6">
+                  <div className="h-6 w-6 bg-primary/20 rounded"></div>
+                  <div className="h-6 flex-1 bg-muted rounded"></div>
+                </div>
+              </div>
+            </div>
+          </div>
+        }
+        title="Welcome to Workflows!"
+        description={[
+          <>Workflows help you automate complex business processes.</>,
+          <>Create your first workflow to get started with automation.</>,
+        ]}
+      />
+      <Button onClick={onCreateWorkflow}>
+        <Plus className="h-4 w-4 mr-2" />
+        Create Your First Workflow
+      </Button>
+    </div>
+  );
+}
+
+function CreateWorkflowDialog({
+  open,
+  onOpenChange,
+  onSave
+}: {
+  open: boolean,
+  onOpenChange: (open: boolean) => void,
+  onSave: (id: string, displayName: string, tsSource: string) => Promise<void>,
+}) {
+  const [displayName, setDisplayName] = useState("");
+  const [isSubmitting, setIsSubmitting] = useState(false);
+
+  const handleSubmit = async () => {
+    if (!displayName) {
+      alert("Please fill in all required fields");
+      return;
+    }
+
+    setIsSubmitting(true);
+    try {
+      await onSave(generateUuid(), displayName, deindent`
+        onSignUp(async (user) => {
+          await stackApp.sendEmail({ userIds: [user.id], subject: "Welcome to the app!", html: "<p>Example email</p>" });
+          return scheduleCallback({
+            scheduleAt: new Date(Date.now() + 1000 * 60 * 60 * 24 * 7),
+            data: { "userId": user.id },
+            callbackId: "in-7-days",
+          });
+        });
+
+        registerCallback("in-7-days", async (data) => {
+          await stackApp.sendEmail({ userIds: [data.userId], subject: "Welcome to the app!", html: "<p>Example email</p>" });
+        });
+      `);
+      onOpenChange(false);
+      setDisplayName("");
+    } finally {
+      setIsSubmitting(false);
+    }
+  };
+
+  return (
+    <Dialog open={open} onOpenChange={onOpenChange}>
+      <DialogContent className="max-w-2xl">
+        <DialogHeader>
+          <DialogTitle>Create New Workflow</DialogTitle>
+        </DialogHeader>
+        <div className="space-y-4 mb-4 mt-4">
+          <div>
+            <Label htmlFor="workflow-name">Display Name</Label>
+            <Input
+              id="workflow-name"
+              placeholder="e.g., User Onboarding"
+              value={displayName}
+              onChange={(e) => setDisplayName(e.target.value)}
+              width="200px"
+            />
+          </div>
+        </div>
+        <DialogFooter>
+          <Button variant="outline" onClick={() => onOpenChange(false)} disabled={isSubmitting}>
+            Cancel
+          </Button>
+          <Button onClick={handleSubmit} disabled={isSubmitting}>
+            {isSubmitting ? "Creating..." : "Create Workflow"}
+          </Button>
+        </DialogFooter>
+      </DialogContent>
+    </Dialog>
+  );
+}
+
+export default function WorkflowsPage() {
+  const stackAdminApp = useAdminApp();
+  const project = stackAdminApp.useProject();
+  const config = project.useConfig();
+  const [showCreateDialog, setShowCreateDialog] = useState(false);
+  const [showEditDialog, setShowEditDialog] = useState(false);
+  const [editingWorkflow, setEditingWorkflow] = useState<any>(null);
+
+  const workflows = Object.entries(config.workflows.availableWorkflows).map(([id, workflow]) => ({
+    id,
+    ...workflow
+  }));
+
+  const handleCreateWorkflow = () => {
+    setShowCreateDialog(true);
+  };
+
+  const handleSaveWorkflow = async (id: string, displayName: string, tsSource: string) => {
+    await project.updateConfig({
+      [`workflows.availableWorkflows.${id}`]: {
+        displayName,
+        tsSource,
+        enabled: true
+      }
+    });
+    toast({ title: "Workflow created successfully" });
+  };
+
+  const handleEditWorkflow = (workflow: any) => {
+    setEditingWorkflow(workflow);
+    setShowEditDialog(true);
+  };
+
+  const handleUpdateWorkflow = async (id: string, displayName: string, tsSource: string) => {
+    await project.updateConfig({
+      [`workflows.availableWorkflows.${id}`]: {
+        displayName,
+        tsSource,
+        enabled: editingWorkflow?.enabled ?? true
+      }
+    });
+    toast({ title: "Workflow updated successfully" });
+    setShowEditDialog(false);
+    setEditingWorkflow(null);
+  };
+
+  const handleDeleteWorkflow = async (workflowId: string) => {
+    if (confirm(`Are you sure you want to delete the workflow "${workflowId}"?`)) {
+      await project.updateConfig({
+        [`workflows.availableWorkflows.${workflowId}`]: null
+      });
+      toast({ title: "Workflow deleted" });
+    }
+  };
+
+  const handleDuplicateWorkflow = async (workflow: any) => {
+    const newId = `${workflow.id}_copy`;
+    let finalId = newId;
+    let counter = 1;
+
+    // Find unique ID
+    const availableWorkflows = config.workflows.availableWorkflows;
+    while (finalId in availableWorkflows) {
+      finalId = `${newId}_${counter}`;
+      counter++;
+    }
+
+    await project.updateConfig({
+      [`workflows.availableWorkflows.${finalId}`]: {
+        displayName: `${workflow.displayName} (Copy)`,
+        tsSource: workflow.tsSource,
+        enabled: false
+      }
+    });
+    toast({ title: "Workflow duplicated successfully" });
+  };
+
+  const handleToggleEnabled = async (workflow: any) => {
+    await project.updateConfig({
+      [`workflows.availableWorkflows.${workflow.id}.enabled`]: !workflow.enabled
+    });
+    toast({
+      title: workflow.enabled ? "Workflow disabled" : "Workflow enabled"
+    });
+  };
+
+  if (workflows.length === 0) {
+    return (
+      <>
+        <EmptyState onCreateWorkflow={handleCreateWorkflow} />
+        <CreateWorkflowDialog
+          open={showCreateDialog}
+          onOpenChange={setShowCreateDialog}
+          onSave={handleSaveWorkflow}
+        />
+      </>
+    );
+  }
+
+  return (
+    <>
+      <PageLayout title="Workflows">
+        <div className="flex gap-6 flex-1" style={{ flexBasis: "0px", overflow: "scroll" }}>
+          <Card className="flex w-full">
+            <CardContent className="flex w-full p-0">
+              <div className="flex-1">
+                <WorkflowList
+                  workflows={workflows}
+                  projectId={project.id}
+                  onAddClick={handleCreateWorkflow}
+                  onEdit={handleEditWorkflow}
+                  onDelete={(id) => {
+                    handleDeleteWorkflow(id).catch(() => {
+                      toast({ title: "Failed to delete workflow", variant: "destructive" });
+                    });
+                  }}
+                  onDuplicate={(workflow) => {
+                    handleDuplicateWorkflow(workflow).catch(() => {
+                      toast({ title: "Failed to duplicate workflow", variant: "destructive" });
+                    });
+                  }}
+                  onToggleEnabled={(workflow) => {
+                    handleToggleEnabled(workflow).catch(() => {
+                      toast({ title: "Failed to toggle workflow", variant: "destructive" });
+                    });
+                  }}
+                />
+              </div>
+            </CardContent>
+          </Card>
+        </div>
+      </PageLayout>
+      <CreateWorkflowDialog
+        open={showCreateDialog}
+        onOpenChange={setShowCreateDialog}
+        onSave={handleSaveWorkflow}
+      />
+      {editingWorkflow && (
+        <Dialog open={showEditDialog} onOpenChange={setShowEditDialog}>
+          <DialogContent className="max-w-2xl">
+            <DialogHeader>
+              <DialogTitle>Edit Workflow</DialogTitle>
+            </DialogHeader>
+            <EditWorkflowForm
+              workflow={editingWorkflow}
+              onSave={handleUpdateWorkflow}
+              onCancel={() => {
+                setShowEditDialog(false);
+                setEditingWorkflow(null);
+              }}
+            />
+          </DialogContent>
+        </Dialog>
+      )}
+    </>
+  );
+}
+
+function EditWorkflowForm({
+  workflow,
+  onSave,
+  onCancel
+}: {
+  workflow: any,
+  onSave: (id: string, displayName: string, tsSource: string) => Promise<void>,
+  onCancel: () => void,
+}) {
+  const [displayName, setDisplayName] = useState(workflow.displayName);
+  const [tsSource, setTsSource] = useState(workflow.tsSource);
+  const [isSubmitting, setIsSubmitting] = useState(false);
+
+  const handleSubmit = async () => {
+    if (!displayName) {
+      toast({ title: "Please fill in all required fields", variant: "destructive" });
+      return;
+    }
+
+    setIsSubmitting(true);
+    try {
+      await onSave(workflow.id, displayName, tsSource);
+    } finally {
+      setIsSubmitting(false);
+    }
+  };
+
+  return (
+    <>
+      <div className="space-y-4">
+        <div>
+          <Label htmlFor="edit-workflow-id">Workflow ID</Label>
+          <Input
+            id="edit-workflow-id"
+            value={workflow.id}
+            disabled
+            className="bg-muted"
+          />
+        </div>
+        <div>
+          <Label htmlFor="edit-workflow-name">Display Name</Label>
+          <Input
+            id="edit-workflow-name"
+            value={displayName}
+            onChange={(e) => setDisplayName(e.target.value)}
+          />
+        </div>
+        <div>
+          <Label htmlFor="edit-workflow-source">TypeScript Source</Label>
+          <Textarea
+            id="edit-workflow-source"
+            className="font-mono text-sm min-h-[200px]"
+            value={tsSource}
+            onChange={(e) => setTsSource(e.target.value)}
+          />
+        </div>
+      </div>
+      <DialogFooter>
+        <Button variant="outline" onClick={onCancel} disabled={isSubmitting}>
+          Cancel
+        </Button>
+        <Button onClick={handleSubmit} disabled={isSubmitting}>
+          {isSubmitting ? "Saving..." : "Save Changes"}
+        </Button>
+      </DialogFooter>
+    </>
+  );
+}
diff --git a/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/workflows/workflow-list.tsx b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/workflows/workflow-list.tsx
new file mode 100644
index 0000000000..8519280294
--- /dev/null
+++ b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/workflows/workflow-list.tsx
@@ -0,0 +1,160 @@
+import { useRouter } from "@/components/router";
+import { cn } from "@/lib/utils";
+import { Button, DropdownMenu, DropdownMenuContent, DropdownMenuItem, DropdownMenuSeparator, DropdownMenuTrigger, toast } from "@stackframe/stack-ui";
+import { MoreVertical } from "lucide-react";
+import { useState } from "react";
+import { ListSection } from "../payments/list-section";
+import { useAdminApp } from "../use-admin-app";
+
+type Workflow = {
+  id: string,
+  displayName: string,
+  tsSource: string,
+  enabled: boolean,
+};
+
+type WorkflowListItemProps = {
+  workflow: Workflow,
+  projectId: string,
+  onEdit?: () => void,
+  onDelete?: () => void,
+  onDuplicate?: () => void,
+  onToggleEnabled?: () => void,
+};
+
+function WorkflowListItem({
+  workflow,
+  projectId,
+  onEdit,
+  onDelete,
+  onDuplicate,
+  onToggleEnabled,
+}: WorkflowListItemProps) {
+  const router = useRouter();
+  const [isMenuOpen, setIsMenuOpen] = useState(false);
+
+  const handleClick = () => {
+    router.push(`/projects/${projectId}/workflows/${workflow.id}`);
+  };
+
+  return (
+    <div
+      className={cn(
+        "px-3 py-3 cursor-pointer relative duration-200 hover:duration-0 hover:bg-primary/10 transition-colors flex items-center justify-between group"
+      )}
+      onClick={handleClick}
+    >
+      <div className="flex-1">
+        <div className="flex items-center gap-2 mb-1">
+          <span className="font-medium text-sm">{workflow.displayName}</span>
+          <span
+            className={cn(
+              "px-2 py-0.5 text-xs rounded-full border",
+              workflow.enabled
+                ? "bg-green-500/10 text-green-600 border-green-500/20"
+                : "bg-gray-500/10 text-gray-600 border-gray-500/20"
+            )}
+          >
+            {workflow.enabled ? "Enabled" : "Disabled"}
+          </span>
+        </div>
+        <div className="text-xs text-muted-foreground font-mono mb-1">
+          {workflow.id}
+        </div>
+        <div className="text-xs text-muted-foreground">
+          {workflow.tsSource ? `${workflow.tsSource.split('\n').length} lines of code` : "No source code"}
+        </div>
+      </div>
+      <div
+        onClick={(e) => e.stopPropagation()}
+        onMouseEnter={() => setIsMenuOpen(true)}
+        onMouseLeave={() => setIsMenuOpen(false)}
+      >
+        <DropdownMenu open={isMenuOpen} onOpenChange={setIsMenuOpen}>
+          <DropdownMenuTrigger asChild>
+            <Button
+              variant="ghost"
+              className={cn(
+                "h-8 w-8 p-0 relative",
+                "hover:bg-secondary/80",
+                isMenuOpen && "bg-secondary/80"
+              )}
+            >
+              <MoreVertical className="h-4 w-4" />
+              <span className="sr-only">Open menu</span>
+            </Button>
+          </DropdownMenuTrigger>
+          <DropdownMenuContent align="end" className="min-w-[150px]">
+            <DropdownMenuItem onClick={onToggleEnabled}>
+              {workflow.enabled ? "Disable" : "Enable"}
+            </DropdownMenuItem>
+            <DropdownMenuItem onClick={onEdit}>Edit</DropdownMenuItem>
+            <DropdownMenuItem onClick={onDuplicate}>Duplicate</DropdownMenuItem>
+            <DropdownMenuSeparator />
+            <DropdownMenuItem
+              onClick={onDelete}
+              className="text-destructive focus:text-destructive"
+            >
+              Delete
+            </DropdownMenuItem>
+          </DropdownMenuContent>
+        </DropdownMenu>
+      </div>
+    </div>
+  );
+}
+
+
+export function WorkflowList({
+  workflows,
+  projectId,
+  onAddClick,
+  onEdit,
+  onDelete,
+  onDuplicate,
+  onToggleEnabled
+}: {
+  workflows: Workflow[],
+  projectId: string,
+  onAddClick?: () => void,
+  onEdit?: (workflow: Workflow) => void,
+  onDelete?: (workflowId: string) => void,
+  onDuplicate?: (workflow: Workflow) => void,
+  onToggleEnabled?: (workflow: Workflow) => void,
+}) {
+  const [searchQuery, setSearchQuery] = useState("");
+
+  const filteredWorkflows = workflows.filter((workflow) => {
+    const query = searchQuery.toLowerCase();
+    return (
+      workflow.id.toLowerCase().includes(query) ||
+      workflow.displayName.toLowerCase().includes(query) ||
+      (workflow.tsSource && workflow.tsSource.toLowerCase().includes(query))
+    );
+  });
+
+  return (
+    <ListSection
+      title="Workflows"
+      titleTooltip="Workflows automate complex business processes and integrations"
+      onAddClick={onAddClick}
+      searchValue={searchQuery}
+      onSearchChange={setSearchQuery}
+      searchPlaceholder="Search workflows..."
+    >
+      <div>
+        {filteredWorkflows.map((workflow) => (
+          <WorkflowListItem
+            key={workflow.id}
+            workflow={workflow}
+            projectId={projectId}
+            onEdit={() => onEdit?.(workflow)}
+            onDelete={() => onDelete?.(workflow.id)}
+            onDuplicate={() => onDuplicate?.(workflow)}
+            onToggleEnabled={() => onToggleEnabled?.(workflow)}
+          />
+        ))}
+      </div>
+    </ListSection>
+  );
+}
diff --git a/apps/e2e/tests/backend/workflows.test.ts b/apps/e2e/tests/backend/workflows.test.ts
new file mode 100644
index 0000000000..186abe5bca
--- /dev/null
+++ b/apps/e2e/tests/backend/workflows.test.ts
@@ -0,0 +1,289 @@
+import { wait } from "@stackframe/stack-shared/dist/utils/promises";
+import { Mailbox, test } from "../helpers";
+import { Auth, InternalApiKey, Project, bumpEmailAddress, createMailbox, niceBackendFetch } from "./backend-helpers";
+
+async function configureEmailAndWorkflow(workflowId: string, tsSource: string, enabled = true) {
+  await Project.updateConfig({
+    emails: {
+      server: {
+        isShared: false,
+        host: "localhost",
+        port: 2500,
+        username: "test",
+        password: "test",
+        senderEmail: "test@example.com",
+        senderName: "Test Project",
+      },
+    },
+    workflows: {
+      availableWorkflows: {
+        [workflowId]: {
+          displayName: workflowId,
+          tsSource,
+          enabled,
+        },
+      },
+    },
+  });
+}
+
+async function waitForMailboxSubject(mailbox: Mailbox, subject: string) {
+  for (let i = 0; i < 10; i++) {
+    const messages = await mailbox.fetchMessages();
+    const message = messages.find((m) => m.subject === subject);
+    if (message) return;
+    await wait(1_000);
+  }
+  throw new Error(`Message with subject ${subject} not found after 10 tries`);
+}
+
+test("onSignUp workflow sends email for client sign-up", async ({ expect }) => {
+  await Project.createAndSwitch();
+  const mailbox = await bumpEmailAddress({ unindexed: true });
+  const subject = `WF client signup ${crypto.randomUUID()}`;
+
+  await configureEmailAndWorkflow("wf-email", `
+    onSignUp(async (user) => {
+      await stackApp.sendEmail({ userIds: [user.id], subject: ${JSON.stringify(subject)}, html: "<p>hi</p>" });
+      return scheduleCallback({
+        scheduleAt: new Date(Date.now() + 120_000),
+        data: { "example": "data" },
+        callbackId: "my-callback",
+      });
+    });
+
+    registerCallback("my-callback", async (data) => {
+      console.log("my-callback", data);
+    });
+  `);
+
+  await Auth.Password.signUpWithEmail({ password: "password" });
+
+  await waitForMailboxSubject(mailbox, subject);
+
+  expect(await mailbox.fetchMessages()).toMatchInlineSnapshot(`
+    [
+      MailboxMessage {
+        "attachments": [],
+        "body": {
+          "html": "http://localhost:12345/some-callback-url?code=%3Cstripped+query+param%3E",
+          "text": "http://localhost:12345/some-callback-url?code=%3Cstripped+query+param%3E",
+        },
+        "from": "Test Project <test@example.com>",
+        "subject": "Verify your email at New Project",
+        "to": ["<unindexed-mailbox--<stripped UUID>@stack-generated.example.com>"],
+        <some fields may have been hidden>,
+      },
+      MailboxMessage {
+        "attachments": [],
+        "body": {
+          "html": "<!DOCTYPE html PUBLIC \\"-//W3C//DTD XHTML 1.0 Transitional//EN\\" \\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\\"><html dir=\\"ltr\\" lang=\\"en\\"><head><meta content=\\"text/html; charset=UTF-8\\" http-equiv=\\"Content-Type\\"/><meta name=\\"x-apple-disable-message-reformatting\\"/></head><body style=\\"background-color:rgb(250,251,251);font-family:ui-sans-serif, system-ui, sans-serif, &quot;Apple Color Emoji&quot;, &quot;Segoe UI Emoji&quot;, &quot;Segoe UI Symbol&quot;, &quot;Noto Color Emoji&quot;;font-size:1rem;line-height:1.5rem\\"><!--$--><table align=\\"center\\" width=\\"100%\\" border=\\"0\\" cellPadding=\\"0\\" cellSpacing=\\"0\\" role=\\"presentation\\" style=\\"background-color:rgb(255,255,255);padding:45px;border-radius:0.5rem;max-width:37.5em\\"><tbody><tr style=\\"width:100%\\"><td><div><p>hi</p></div></td></tr></tbody></table><!--7--><!--/$--></body></html>",
+          "text": "hi",
+        },
+        "from": "Test Project <test@example.com>",
+        "subject": "WF client signup <stripped UUID>",
+        "to": ["<unindexed-mailbox--<stripped UUID>@stack-generated.example.com>"],
+        <some fields may have been hidden>,
+      },
+    ]
+  `);
+});
+
+test("onSignUp workflow sends email for server-created user", async ({ expect }) => {
+  await Project.createAndSwitch();
+  await InternalApiKey.createAndSetProjectKeys();
+
+  const mailbox = createMailbox(`wf-server-${crypto.randomUUID()}@stack-generated.example.com`);
+  const subject = `WF server create ${crypto.randomUUID()}`;
+
+  await configureEmailAndWorkflow("wf-email-server", `
+    onSignUp(async (user) => {
+      await stackApp.sendEmail({ userIds: [user.id], subject: ${JSON.stringify(subject)}, html: "<p>server</p>" });
+    });
+  `);
+
+  const createUserRes = await niceBackendFetch("/api/v1/users", {
+    method: "POST",
+    accessType: "server",
+    body: {
+      primary_email: mailbox.emailAddress,
+      primary_email_verified: true,
+    },
+  });
+  expect(createUserRes.status).toBe(201);
+
+  await waitForMailboxSubject(mailbox, subject);
+  expect(await mailbox.fetchMessages()).toMatchInlineSnapshot(`
+    [
+      MailboxMessage {
+        "attachments": [],
+        "body": {
+          "html": "<!DOCTYPE html PUBLIC \\"-//W3C//DTD XHTML 1.0 Transitional//EN\\" \\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\\"><html dir=\\"ltr\\" lang=\\"en\\"><head><meta content=\\"text/html; charset=UTF-8\\" http-equiv=\\"Content-Type\\"/><meta name=\\"x-apple-disable-message-reformatting\\"/></head><body style=\\"background-color:rgb(250,251,251);font-family:ui-sans-serif, system-ui, sans-serif, &quot;Apple Color Emoji&quot;, &quot;Segoe UI Emoji&quot;, &quot;Segoe UI Symbol&quot;, &quot;Noto Color Emoji&quot;;font-size:1rem;line-height:1.5rem\\"><!--$--><table align=\\"center\\" width=\\"100%\\" border=\\"0\\" cellPadding=\\"0\\" cellSpacing=\\"0\\" role=\\"presentation\\" style=\\"background-color:rgb(255,255,255);padding:45px;border-radius:0.5rem;max-width:37.5em\\"><tbody><tr style=\\"width:100%\\"><td><div><p>server</p></div></td></tr></tbody></table><!--7--><!--/$--></body></html>",
+          "text": "server",
+        },
+        "from": "Test Project <test@example.com>",
+        "subject": "WF server create <stripped UUID>",
+        "to": ["<wf-server-<stripped UUID>@stack-generated.example.com>"],
+        <some fields may have been hidden>,
+      },
+    ]
+  `);
+});
+
+test("disabled workflows do not trigger", async ({ expect }) => {
+  await Project.createAndSwitch();
+  const mailbox = await bumpEmailAddress({ unindexed: true });
+  const subject = `WF disabled ${crypto.randomUUID()}`;
+
+  await configureEmailAndWorkflow("wf-disabled", `
+    onSignUp(async (user) => {
+      await stackApp.sendEmail({ userIds: [user.id], subject: ${JSON.stringify(subject)}, html: "<p>nope</p>" });
+    });
+  `, /* enabled */ false);
+
+  await Auth.Password.signUpWithEmail({ password: "password" });
+
+  await wait(12_000);
+
+  expect(await mailbox.fetchMessages()).toMatchInlineSnapshot(`
+    [
+      MailboxMessage {
+        "attachments": [],
+        "body": {
+          "html": "http://localhost:12345/some-callback-url?code=%3Cstripped+query+param%3E",
+          "text": "http://localhost:12345/some-callback-url?code=%3Cstripped+query+param%3E",
+        },
+        "from": "Test Project <test@example.com>",
+        "subject": "Verify your email at New Project",
+        "to": ["<unindexed-mailbox--<stripped UUID>@stack-generated.example.com>"],
+        <some fields may have been hidden>,
+      },
+    ]
+  `);
+});
+
+test("compile/runtime errors in one workflow don't block others", async ({ expect }) => {
+  await Project.createAndSwitch();
+  const mailbox = await bumpEmailAddress({ unindexed: true });
+  const subject = `WF ok ${crypto.randomUUID()}`;
+
+  // bad compile
+  await configureEmailAndWorkflow("wf-bad-compile", `return return`);
+  // bad runtime
+  await configureEmailAndWorkflow("wf-bad-runtime", `onSignUp(() => { throw new Error('boom') });`);
+  // good one
+  await configureEmailAndWorkflow("wf-good", `
+    onSignUp(async (user) => {
+      await stackApp.sendEmail({ userIds: [user.id], subject: ${JSON.stringify(subject)}, html: "<p>ok</p>" });
+    });
+  `);
+
+  await Auth.Password.signUpWithEmail({ password: "password" });
+
+  await waitForMailboxSubject(mailbox, subject);
+  expect(await mailbox.fetchMessages()).toMatchInlineSnapshot(`
+    [
+      MailboxMessage {
+        "attachments": [],
+        "body": {
+          "html": "http://localhost:12345/some-callback-url?code=%3Cstripped+query+param%3E",
+          "text": "http://localhost:12345/some-callback-url?code=%3Cstripped+query+param%3E",
+        },
+        "from": "Test Project <test@example.com>",
+        "subject": "Verify your email at New Project",
+        "to": ["<unindexed-mailbox--<stripped UUID>@stack-generated.example.com>"],
+        <some fields may have been hidden>,
+      },
+      MailboxMessage {
+        "attachments": [],
+        "body": {
+          "html": "<!DOCTYPE html PUBLIC \\"-//W3C//DTD XHTML 1.0 Transitional//EN\\" \\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\\"><html dir=\\"ltr\\" lang=\\"en\\"><head><meta content=\\"text/html; charset=UTF-8\\" http-equiv=\\"Content-Type\\"/><meta name=\\"x-apple-disable-message-reformatting\\"/></head><body style=\\"background-color:rgb(250,251,251);font-family:ui-sans-serif, system-ui, sans-serif, &quot;Apple Color Emoji&quot;, &quot;Segoe UI Emoji&quot;, &quot;Segoe UI Symbol&quot;, &quot;Noto Color Emoji&quot;;font-size:1rem;line-height:1.5rem\\"><!--$--><table align=\\"center\\" width=\\"100%\\" border=\\"0\\" cellPadding=\\"0\\" cellSpacing=\\"0\\" role=\\"presentation\\" style=\\"background-color:rgb(255,255,255);padding:45px;border-radius:0.5rem;max-width:37.5em\\"><tbody><tr style=\\"width:100%\\"><td><div><p>ok</p></div></td></tr></tbody></table><!--7--><!--/$--></body></html>",
+          "text": "ok",
+        },
+        "from": "Test Project <test@example.com>",
+        "subject": "WF ok <stripped UUID>",
+        "to": ["<unindexed-mailbox--<stripped UUID>@stack-generated.example.com>"],
+        <some fields may have been hidden>,
+      },
+    ]
+  `);
+});
+
+test("anonymous sign-up does not trigger; upgrade triggers workflow", async ({ expect }) => {
+  await Project.createAndSwitch();
+  const markerKey = `wfMarker-${crypto.randomUUID()}`;
+
+  await Project.updateConfig({
+    workflows: {
+      availableWorkflows: {
+        "wf-anon-upgrade": {
+          displayName: "wf-anon-upgrade",
+          enabled: true,
+          tsSource: `onSignUp(async (user) => { await user.update({ serverMetadata: { ${JSON.stringify(markerKey)}: user.primaryEmail } }); });`,
+        },
+      },
+    },
+  });
+
+  // create anonymous session/user
+  const { userId: anonUserId } = await Auth.Anonymous.signUp();
+
+  // ensure marker not present yet
+  await wait(12_000);
+  const me1 = await niceBackendFetch("/api/v1/users/me", { accessType: "client" });
+  expect(me1.body.server_metadata?.[markerKey]).toBeUndefined();
+
+  // upgrade via password sign-up
+  const { userId } = await Auth.Password.signUpWithEmail({ password: "password" });
+  expect(userId).toEqual(anonUserId);
+
+  await wait(12_000);
+  const me2 = await niceBackendFetch("/api/v1/users/me", { accessType: "server" });
+  expect(me2.body.is_anonymous).toBe(false);
+  expect(me2.body.server_metadata?.[markerKey]).toBe(me2.body.primary_email);
+}, {
+  timeout: 40_000,
+});
+
+test("workflow source changes take effect for subsequent sign-ups", async ({ expect }) => {
+  await Project.createAndSwitch();
+  const markerKey = `versionMarker-${crypto.randomUUID()}`;
+
+  // v1
+  await Project.updateConfig({
+    workflows: {
+      availableWorkflows: {
+        "wf-versioned": {
+          displayName: "wf-versioned",
+          enabled: true,
+          tsSource: `onSignUp(async (user) => { await user.update({ serverMetadata: { ${JSON.stringify(markerKey)}: "v1" } }); });`,
+        },
+      },
+    },
+  });
+  await bumpEmailAddress({ unindexed: true });
+  await Auth.Password.signUpWithEmail({ password: "password" });
+  await wait(12_000);
+  const me1 = await niceBackendFetch("/api/v1/users/me", { accessType: "server" });
+  expect(me1.body.server_metadata?.[markerKey]).toBe("v1");
+
+  // v2
+  await Project.updateConfig({
+    workflows: {
+      availableWorkflows: {
+        "wf-versioned": {
+          displayName: "wf-versioned",
+          enabled: true,
+          tsSource: `onSignUp(async (user) => { await user.update({ serverMetadata: { ${JSON.stringify(markerKey)}: "v2" } }); });`,
+        },
+      },
+    },
+  });
+  await bumpEmailAddress({ unindexed: true });
+  await Auth.Password.signUpWithEmail({ password: "password" });
+  await wait(12_000);
+  const me2 = await niceBackendFetch("/api/v1/users/me", { accessType: "server" });
+  expect(me2.body.server_metadata?.[markerKey]).toBe("v2");
+}, {
+  timeout: 40_000,
+});
diff --git a/apps/e2e/tests/js/email.test.ts b/apps/e2e/tests/js/email.test.ts
index 62957e9374..c7e1b046c7 100644
--- a/apps/e2e/tests/js/email.test.ts
+++ b/apps/e2e/tests/js/email.test.ts
@@ -1,7 +1,7 @@
 import { KnownErrors } from "@stackframe/stack-shared";
+import { DEFAULT_EMAIL_THEME_ID, DEFAULT_TEMPLATE_IDS } from "@stackframe/stack-shared/dist/helpers/emails";
 import { it } from "../helpers";
 import { createApp } from "./js-helpers";
-import { DEFAULT_TEMPLATE_IDS, DEFAULT_EMAIL_THEME_ID } from "@stackframe/stack-shared/dist/helpers/emails";
 
 async function setupEmailServer(adminApp: any) {
   const project = await adminApp.getProject();
@@ -29,13 +29,11 @@ it("should successfully send email with HTML content", async ({ expect }) => {
     primaryEmailVerified: true,
   });
 
-  const result = await serverApp.sendEmail({
+  await expect(serverApp.sendEmail({
     userIds: [user.id],
     html: "<h1>Test Email</h1><p>This is a test email with HTML content.</p>",
     subject: "Test Subject",
-  });
-
-  expect(result.status).toBe("ok");
+  })).resolves.not.toThrow();
 });
 
 it("should successfully send email with template", async ({ expect }) => {
@@ -47,7 +45,7 @@ it("should successfully send email with template", async ({ expect }) => {
     primaryEmailVerified: true,
   });
 
-  const result = await serverApp.sendEmail({
+  await expect(serverApp.sendEmail({
     userIds: [user.id],
     templateId: DEFAULT_TEMPLATE_IDS.sign_in_invitation,
     variables: {
@@ -55,9 +53,7 @@ it("should successfully send email with template", async ({ expect }) => {
       signInInvitationLink: "https://example.com",
     },
     subject: "Welcome!",
-  });
-
-  expect(result.status).toBe("ok");
+  })).resolves.not.toThrow();
 });
 
 it("should successfully send email to multiple users", async ({ expect }) => {
@@ -74,13 +70,11 @@ it("should successfully send email to multiple users", async ({ expect }) => {
     primaryEmailVerified: true,
   });
 
-  const result = await serverApp.sendEmail({
+  await expect(serverApp.sendEmail({
     userIds: [user1.id, user2.id],
     html: "<p>Bulk email test</p>",
     subject: "Bulk Email Test",
-  });
-
-  expect(result.status).toBe("ok");
+  })).resolves.not.toThrow();
 });
 
 it("should send email with theme customization", async ({ expect }) => {
@@ -92,14 +86,12 @@ it("should send email with theme customization", async ({ expect }) => {
     primaryEmailVerified: true,
   });
 
-  const result = await serverApp.sendEmail({
+  await expect(serverApp.sendEmail({
     userIds: [user.id],
     html: "<p>Themed email test</p>",
     subject: "Themed Email",
     themeId: DEFAULT_EMAIL_THEME_ID,
-  });
-
-  expect(result.status).toBe("ok");
+  })).resolves.not.toThrow();
 });
 
 it("should send email with notification category", async ({ expect }) => {
@@ -111,17 +103,15 @@ it("should send email with notification category", async ({ expect }) => {
     primaryEmailVerified: true,
   });
 
-  const result = await serverApp.sendEmail({
+  await expect(serverApp.sendEmail({
     userIds: [user.id],
     html: "<p>Notification email test</p>",
     subject: "Notification Email",
     notificationCategoryName: "Transactional",
-  });
-
-  expect(result.status).toBe("ok");
+  })).resolves.not.toThrow();
 });
 
-it("should return RequiresCustomEmailServer error when email server is not configured", async ({ expect }) => {
+it("should throw RequiresCustomEmailServer error when email server is not configured", async ({ expect }) => {
   const { serverApp } = await createApp();
 
   const user = await serverApp.createUser({
@@ -129,35 +119,23 @@ it("should return RequiresCustomEmailServer error when email server is not confi
     primaryEmailVerified: true,
   });
 
-  const result = await serverApp.sendEmail({
+  await expect(serverApp.sendEmail({
     userIds: [user.id],
     html: "<p>This should fail</p>",
     subject: "Test Email",
-  });
-
-  expect(result.status).toBe("error");
-  if (result.status === "error") {
-    expect(KnownErrors.RequiresCustomEmailServer.isInstance(result.error)).toBe(true);
-  }
+  })).rejects.toThrow(KnownErrors.RequiresCustomEmailServer);
 });
 
-
 it("should handle non-existent user IDs", async ({ expect }) => {
   const { adminApp, serverApp } = await createApp();
   await setupEmailServer(adminApp);
 
   // Use a properly formatted UUID that doesn't exist
-  const result = await serverApp.sendEmail({
+  await expect(serverApp.sendEmail({
     userIds: ["123e4567-e89b-12d3-a456-426614174000"],
     html: "<p>Non-existent user test</p>",
     subject: "Test Email",
-  });
-
-  expect(result.status).toBe("error");
-  if (result.status === "error") {
-    expect(KnownErrors.UserIdDoesNotExist.isInstance(result.error)).toBe(true);
-    expect(result.error.message).toMatchInlineSnapshot(`"The given user with the ID <stripped UUID> does not exist."`);
-  }
+  })).rejects.toThrow(KnownErrors.UserIdDoesNotExist);
 });
 
 it("should handle missing required email content", async ({ expect }) => {
@@ -169,16 +147,10 @@ it("should handle missing required email content", async ({ expect }) => {
     primaryEmailVerified: true,
   });
 
-  const result = await serverApp.sendEmail({
+  await expect(serverApp.sendEmail({
     userIds: [user.id],
     subject: "Test Email",
-  } as any);
-
-  expect(result.status).toBe("error");
-  if (result.status === "error") {
-    expect(KnownErrors.SchemaError.isInstance(result.error)).toBe(true);
-    expect(result.error.message).toMatchInlineSnapshot(`"Either html or template_id must be provided"`);
-  }
+  } as any)).rejects.toThrow(KnownErrors.SchemaError);
 });
 
 it("should handle html and templateId at the same time", async ({ expect }) => {
@@ -190,16 +162,10 @@ it("should handle html and templateId at the same time", async ({ expect }) => {
     primaryEmailVerified: true,
   });
 
-  const result = await serverApp.sendEmail({
+  await expect(serverApp.sendEmail({
     userIds: [user.id],
     html: "<p>Test Email</p>",
     templateId: DEFAULT_TEMPLATE_IDS.sign_in_invitation,
     subject: "Test Email",
-  });
-
-  expect(result.status).toBe("error");
-  if (result.status === "error") {
-    expect(KnownErrors.SchemaError.isInstance(result.error)).toBe(true);
-    expect(result.error.message).toMatchInlineSnapshot(`"If html is provided, cannot provide template_id or variables"`);
-  }
+  })).rejects.toThrow(KnownErrors.SchemaError);
 });
diff --git a/docker/dependencies/docker.compose.yaml b/docker/dependencies/docker.compose.yaml
index f50a99f11b..a66276bae0 100644
--- a/docker/dependencies/docker.compose.yaml
+++ b/docker/dependencies/docker.compose.yaml
@@ -176,8 +176,11 @@ services:
     container_name: freestyle-mock
     ports:
       - "8122:8080"       # POST http://localhost:8119/execute/v1/script
+    extra_hosts:
+      - "host.docker.internal:host-gateway"  # noop on Docker Desktop/Orbstack enables host.docker.internal on Linux
     environment:
       DENO_DIR: /deno-cache
+      HOST_ON_HOST: host.docker.internal
     volumes:
       - deno-cache:/deno-cache
 
diff --git a/packages/stack-shared/src/config/schema.ts b/packages/stack-shared/src/config/schema.ts
index 50ef6db64f..bee1837aca 100644
--- a/packages/stack-shared/src/config/schema.ts
+++ b/packages/stack-shared/src/config/schema.ts
@@ -42,7 +42,7 @@ export const projectConfigSchema = yupObject({
     yupObject({
       type: yupString().oneOf(['neon']).defined(),
       connectionStrings: yupRecord(
-        yupString().defined(),
+        userSpecifiedIdSchema("connectionStringId").defined(),
         yupString().defined(),
       ).defined(),
     }),
@@ -140,6 +140,17 @@ const branchDomain = yupObject({
   allowLocalhost: yupBoolean(),
 });
 
+const branchWorkflowsSchema = yupObject({
+  availableWorkflows: yupRecord(
+    userSpecifiedIdSchema("workflowId"),
+    yupObject({
+      displayName: yupString(),
+      tsSource: yupString(),
+      enabled: yupBoolean(),
+    }),
+  ),
+});
+
 export const branchConfigSchema = canNoLongerBeOverridden(projectConfigSchema, ["sourceOfTruth"]).concat(yupObject({
   rbac: branchRbacSchema,
 
@@ -168,12 +179,14 @@ export const branchConfigSchema = canNoLongerBeOverridden(projectConfigSchema, [
 
   dataVault: yupObject({
     stores: yupRecord(
-      yupString(),
+      userSpecifiedIdSchema("storeId"),
       yupObject({
         displayName: yupString(),
       }),
     ),
   }),
+
+  workflows: branchWorkflowsSchema,
 }));
 
 
@@ -491,6 +504,14 @@ const organizationConfigDefaults = {
       displayName: "Unnamed Vault",
     }),
   },
+
+  workflows: {
+    availableWorkflows: (key: string) => ({
+      displayName: "Unnamed Workflow",
+      tsSource: "Error: Workflow config is missing TypeScript source code.",
+      enabled: false,
+    }),
+  },
 } as const satisfies DefaultsType<OrganizationRenderedConfigBeforeDefaults, [typeof environmentConfigDefaults, typeof branchConfigDefaults, typeof projectConfigDefaults]>;
 
 type _DeepOmitDefaultsImpl<T, U> = T extends object ? (
@@ -855,7 +876,7 @@ export async function getConfigOverrideErrors<T extends yup.AnySchema>(schema: T
 }
 export async function assertNoConfigOverrideErrors<T extends yup.AnySchema>(schema: T, config: unknown, options: { allowPropertiesThatCanNoLongerBeOverridden?: boolean, extraInfo?: any } = {}): Promise<void> {
   const res = await getConfigOverrideErrors(schema, config, options);
-  if (res.status === "error") throw new StackAssertionError(`Config override is invalid — at a place where it should have already been validated! ${res.error}`, { options, config, schema });
+  if (res.status === "error") throw new StackAssertionError(`Config override is invalid — at a place where it should have already been validated! ${res.error}`, { options, config });
 }
 type _ValidatedToHaveNoConfigOverrideErrorsImpl<T> =
   IsUnion<T & object> extends true ? _ValidatedToHaveNoConfigOverrideErrorsImpl<CollapseObjectUnion<T & object> | Exclude<T, object>>
diff --git a/packages/stack-shared/src/interface/server-interface.ts b/packages/stack-shared/src/interface/server-interface.ts
index 4f70954867..01a3e68c45 100644
--- a/packages/stack-shared/src/interface/server-interface.ts
+++ b/packages/stack-shared/src/interface/server-interface.ts
@@ -811,7 +811,7 @@ export class StackServerInterface extends StackClientInterface {
     templateId?: string,
     variables?: Record<string, any>,
   }): Promise<Result<void, KnownErrors["RequiresCustomEmailServer"] | KnownErrors["SchemaError"] | KnownErrors["UserIdDoesNotExist"]>> {
-    const res = await this.sendServerRequestAndCatchKnownError(
+    const res = await this.sendServerRequest(
       "/emails/send-email",
       {
         method: "POST",
@@ -829,11 +829,7 @@ export class StackServerInterface extends StackClientInterface {
         }),
       },
       null,
-      [KnownErrors.RequiresCustomEmailServer, KnownErrors.SchemaError, KnownErrors.UserIdDoesNotExist]
     );
-    if (res.status === "error") {
-      return Result.error(res.error);
-    }
     return Result.ok(undefined);
   }
 
diff --git a/packages/stack-shared/src/known-errors.tsx b/packages/stack-shared/src/known-errors.tsx
index 33ee05d529..89a93bd22f 100644
--- a/packages/stack-shared/src/known-errors.tsx
+++ b/packages/stack-shared/src/known-errors.tsx
@@ -1547,6 +1547,25 @@ const StripeAccountInfoNotFound = createKnownErrorConstructor(
   () => [] as const,
 );
 
+const WorkflowTokenDoesNotExist = createKnownErrorConstructor(
+  KnownError,
+  "WORKFLOW_TOKEN_DOES_NOT_EXIST",
+  () => [
+    400,
+    "The workflow token you specified does not exist. Make sure the value in x-stack-workflow-token is correct.",
+  ] as const,
+  () => [] as const,
+);
+
+const WorkflowTokenExpired = createKnownErrorConstructor(
+  KnownError,
+  "WORKFLOW_TOKEN_EXPIRED",
+  () => [
+    400,
+    "The workflow token you specified has expired. Make sure the value in x-stack-workflow-token is correct.",
+  ] as const,
+  () => [] as const,
+);
 
 export type KnownErrors = {
   [K in keyof typeof KnownErrors]: InstanceType<typeof KnownErrors[K]>;
@@ -1672,6 +1691,8 @@ export const KnownErrors = {
   StripeAccountInfoNotFound,
   DataVaultStoreDoesNotExist,
   DataVaultStoreHashedKeyDoesNotExist,
+  WorkflowTokenDoesNotExist,
+  WorkflowTokenExpired,
 } satisfies Record<string, KnownErrorConstructor<any, any>>;
 
 
diff --git a/packages/stack-shared/src/utils/arrays.tsx b/packages/stack-shared/src/utils/arrays.tsx
index 04a2cc09ec..4760b188de 100644
--- a/packages/stack-shared/src/utils/arrays.tsx
+++ b/packages/stack-shared/src/utils/arrays.tsx
@@ -201,3 +201,28 @@ import.meta.vitest?.test("unique", ({ expect }) => {
   // Test with different types
   expect(unique([1, "1", true, 1, "1", true])).toEqual([1, "1", true]);
 });
+
+export function isStringArray(arr: unknown): arr is string[] {
+  return Array.isArray(arr) && arr.every((item) => typeof item === "string");
+}
+export function isNumberArray(arr: unknown): arr is number[] {
+  return Array.isArray(arr) && arr.every((item) => typeof item === "number");
+}
+export function isBooleanArray(arr: unknown): arr is boolean[] {
+  return Array.isArray(arr) && arr.every((item) => typeof item === "boolean");
+}
+export function isObjectArray(arr: unknown): arr is object[] {
+  return Array.isArray(arr) && arr.every((item) => typeof item === "object" && item !== null);
+}
+import.meta.vitest?.test("is<Type>Array", ({ expect }) => {
+  expect(isStringArray([])).toBe(true);
+  expect(isNumberArray([1, 2, 3])).toBe(true);
+  expect(isBooleanArray([true, false, true])).toBe(true);
+  expect(isObjectArray([{ a: 1 }, { b: 2 }, { c: 3 }])).toBe(true);
+  expect(isStringArray([1, 2, 3])).toBe(false);
+  expect(isNumberArray(["a", "b", "c"])).toBe(false);
+  expect(isBooleanArray([1, 2, 3])).toBe(false);
+  expect(isObjectArray([1, 2, 3])).toBe(false);
+  expect(isObjectArray([{ a: 1 }, null, { b: 2 }])).toBe(false);
+  expect(isObjectArray([{ a: 1 }, undefined, { b: 2 }])).toBe(false);
+});
diff --git a/packages/stack-shared/src/utils/numbers.tsx b/packages/stack-shared/src/utils/numbers.tsx
index fc9733ea8b..8c97f8969a 100644
--- a/packages/stack-shared/src/utils/numbers.tsx
+++ b/packages/stack-shared/src/utils/numbers.tsx
@@ -1,9 +1,9 @@
 const magnitudes = [
-  [1_000_000_000_000_000, "trln"],
-  [1_000_000_000_000, "bln"],
-  [1_000_000_000, "bn"],
-  [1_000_000, "M"],
   [1_000, "k"],
+  [1_000, "M"],
+  [1_000, "bn"],
+  [1_000, "bln"],
+  [1_000, "trln"],
 ] as const;
 
 export function prettyPrintWithMagnitudes(num: number): string {
@@ -12,18 +12,27 @@ export function prettyPrintWithMagnitudes(num: number): string {
   if (num < 0) return "-" + prettyPrintWithMagnitudes(-num);
   if (!Number.isFinite(num)) return "∞";
 
-  for (const [magnitude, suffix] of magnitudes) {
-    if (num >= magnitude) {
-      return toFixedMax(num / magnitude, 1) + suffix;
+  let current = toFixedMax(num, 1);
+  let lastSuffix = "";
+  for (const [difference, suffix] of magnitudes) {
+    if (+current >= difference) {
+      current = toFixedMax(+current / difference, 1);
+      lastSuffix = suffix;
+    } else {
+      break;
     }
   }
-  return toFixedMax(num, 1); // Handle numbers less than 1,000 without suffix.
+  return current + lastSuffix;
 }
 import.meta.vitest?.test("prettyPrintWithMagnitudes", ({ expect }) => {
   // Test different magnitudes
   expect(prettyPrintWithMagnitudes(999)).toBe("999");
   expect(prettyPrintWithMagnitudes(1000)).toBe("1k");
   expect(prettyPrintWithMagnitudes(1500)).toBe("1.5k");
+  expect(prettyPrintWithMagnitudes(999499)).toBe("999.5k");
+  expect(prettyPrintWithMagnitudes(999500)).toBe("999.5k");
+  expect(prettyPrintWithMagnitudes(999949)).toBe("999.9k");
+  expect(prettyPrintWithMagnitudes(999950)).toBe("1M");
   expect(prettyPrintWithMagnitudes(1000000)).toBe("1M");
   expect(prettyPrintWithMagnitudes(1500000)).toBe("1.5M");
   expect(prettyPrintWithMagnitudes(1000000000)).toBe("1bn");
diff --git a/packages/stack-shared/src/utils/promises.tsx b/packages/stack-shared/src/utils/promises.tsx
index 7ef0835c57..6c71ac100d 100644
--- a/packages/stack-shared/src/utils/promises.tsx
+++ b/packages/stack-shared/src/utils/promises.tsx
@@ -387,7 +387,8 @@ class TimeoutError extends Error {
   }
 }
 
-export async function timeout<T>(promise: Promise<T>, ms: number): Promise<Result<T, TimeoutError>> {
+export async function timeout<T>(promiseOrFunc: Promise<T> | (() => Promise<T>), ms: number): Promise<Result<T, TimeoutError>> {
+  const promise = typeof promiseOrFunc === "function" ? promiseOrFunc() : promiseOrFunc;
   return await Promise.race([
     promise.then(value => Result.ok(value)),
     wait(ms).then(() => Result.error(new TimeoutError(ms))),
diff --git a/packages/template/src/lib/stack-app/apps/implementations/admin-app-impl.ts b/packages/template/src/lib/stack-app/apps/implementations/admin-app-impl.ts
index 8c89eca8af..ccba766bda 100644
--- a/packages/template/src/lib/stack-app/apps/implementations/admin-app-impl.ts
+++ b/packages/template/src/lib/stack-app/apps/implementations/admin-app-impl.ts
@@ -15,7 +15,7 @@ import { InternalApiKey, InternalApiKeyBase, InternalApiKeyBaseCrudRead, Interna
 import { AdminProjectPermission, AdminProjectPermissionDefinition, AdminProjectPermissionDefinitionCreateOptions, AdminProjectPermissionDefinitionUpdateOptions, AdminTeamPermission, AdminTeamPermissionDefinition, AdminTeamPermissionDefinitionCreateOptions, AdminTeamPermissionDefinitionUpdateOptions, adminProjectPermissionDefinitionCreateOptionsToCrud, adminProjectPermissionDefinitionUpdateOptionsToCrud, adminTeamPermissionDefinitionCreateOptionsToCrud, adminTeamPermissionDefinitionUpdateOptionsToCrud } from "../../permissions";
 import { AdminOwnedProject, AdminProject, AdminProjectUpdateOptions, adminProjectUpdateOptionsToCrud } from "../../projects";
 import { StackAdminApp, StackAdminAppConstructorOptions } from "../interfaces/admin-app";
-import { clientVersion, createCache, getBaseUrl, getDefaultProjectId, getDefaultPublishableClientKey, getDefaultSecretServerKey, getDefaultSuperSecretAdminKey } from "./common";
+import { clientVersion, createCache, getBaseUrl, getDefaultExtraRequestHeaders, getDefaultProjectId, getDefaultPublishableClientKey, getDefaultSecretServerKey, getDefaultSuperSecretAdminKey } from "./common";
 import { _StackServerAppImplIncomplete } from "./server-app-impl";
 
 import { CompleteConfig, EnvironmentConfigOverrideOverride } from "@stackframe/stack-shared/dist/config/schema";
@@ -76,7 +76,7 @@ export class _StackAdminAppImplIncomplete<HasTokenStore extends boolean, Project
       interface: new StackAdminInterface({
         getBaseUrl: () => getBaseUrl(options.baseUrl),
         projectId: options.projectId ?? getDefaultProjectId(),
-        extraRequestHeaders: options.extraRequestHeaders ?? {},
+        extraRequestHeaders: options.extraRequestHeaders ?? getDefaultExtraRequestHeaders(),
         clientVersion,
         ..."projectOwnerSession" in options ? {
           projectOwnerSession: options.projectOwnerSession,
diff --git a/packages/template/src/lib/stack-app/apps/implementations/common.ts b/packages/template/src/lib/stack-app/apps/implementations/common.ts
index 0a2826b529..4d3233afeb 100644
--- a/packages/template/src/lib/stack-app/apps/implementations/common.ts
+++ b/packages/template/src/lib/stack-app/apps/implementations/common.ts
@@ -65,11 +65,11 @@ export function getUrls(partial: Partial<HandlerUrls>): HandlerUrls {
 }
 
 export function getDefaultProjectId() {
-  return process.env.NEXT_PUBLIC_STACK_PROJECT_ID || throwErr(new Error("Welcome to Stack Auth! It seems that you haven't provided a project ID. Please create a project on the Stack dashboard at https://app.stack-auth.com and put it in the NEXT_PUBLIC_STACK_PROJECT_ID environment variable."));
+  return process.env.NEXT_PUBLIC_STACK_PROJECT_ID || process.env.STACK_PROJECT_ID || throwErr(new Error("Welcome to Stack Auth! It seems that you haven't provided a project ID. Please create a project on the Stack dashboard at https://app.stack-auth.com and put it in the NEXT_PUBLIC_STACK_PROJECT_ID environment variable."));
 }
 
 export function getDefaultPublishableClientKey() {
-  return process.env.NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY || throwErr(new Error("Welcome to Stack Auth! It seems that you haven't provided a publishable client key. Please create an API key for your project on the Stack dashboard at https://app.stack-auth.com and copy your publishable client key into the NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY environment variable."));
+  return process.env.NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY || process.env.STACK_PUBLISHABLE_CLIENT_KEY || throwErr(new Error("Welcome to Stack Auth! It seems that you haven't provided a publishable client key. Please create an API key for your project on the Stack dashboard at https://app.stack-auth.com and copy your publishable client key into the NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY environment variable."));
 }
 
 export function getDefaultSecretServerKey() {
@@ -81,7 +81,7 @@ export function getDefaultSuperSecretAdminKey() {
 }
 
 export function getDefaultExtraRequestHeaders() {
-  return JSON.parse(process.env.NEXT_PUBLIC_STACK_EXTRA_REQUEST_HEADERS || '{}');
+  return JSON.parse(process.env.NEXT_PUBLIC_STACK_EXTRA_REQUEST_HEADERS || process.env.STACK_EXTRA_REQUEST_HEADERS || '{}');
 }
 
 /**
@@ -115,12 +115,13 @@ export function getBaseUrl(userSpecifiedBaseUrl: string | { browser: string, ser
       }
     }
   } else {
+    // note: NEXT_PUBLIC_BROWSER_STACK_API_URL was renamed to NEXT_PUBLIC_STACK_API_URL_BROWSER, and NEXT_PUBLIC_STACK_URL to NEXT_PUBLIC_STACK_API_URL
     if (isBrowserLike()) {
-      url = process.env.NEXT_PUBLIC_BROWSER_STACK_API_URL;
+      url = process.env.NEXT_PUBLIC_BROWSER_STACK_API_URL || process.env.NEXT_PUBLIC_STACK_API_URL_BROWSER || process.env.STACK_API_URL_BROWSER;
     } else {
-      url = process.env.NEXT_PUBLIC_SERVER_STACK_API_URL;
+      url = process.env.NEXT_PUBLIC_SERVER_STACK_API_URL || process.env.NEXT_PUBLIC_STACK_API_URL_SERVER || process.env.STACK_API_URL_SERVER;
     }
-    url = url || process.env.NEXT_PUBLIC_STACK_API_URL || process.env.NEXT_PUBLIC_STACK_URL || defaultBaseUrl;
+    url = url || process.env.NEXT_PUBLIC_STACK_API_URL || process.env.STACK_API_URL || process.env.NEXT_PUBLIC_STACK_URL || defaultBaseUrl;
   }
 
   return url.endsWith('/') ? url.slice(0, -1) : url;
diff --git a/packages/template/src/lib/stack-app/apps/implementations/server-app-impl.ts b/packages/template/src/lib/stack-app/apps/implementations/server-app-impl.ts
index a33bfe72e1..9009e73a59 100644
--- a/packages/template/src/lib/stack-app/apps/implementations/server-app-impl.ts
+++ b/packages/template/src/lib/stack-app/apps/implementations/server-app-impl.ts
@@ -32,7 +32,7 @@ import { EditableTeamMemberProfile, ServerListUsersOptions, ServerTeam, ServerTe
 import { ProjectCurrentServerUser, ServerUser, ServerUserCreateOptions, ServerUserUpdateOptions, serverUserCreateOptionsToCrud, serverUserUpdateOptionsToCrud } from "../../users";
 import { StackServerAppConstructorOptions } from "../interfaces/server-app";
 import { _StackClientAppImplIncomplete } from "./client-app-impl";
-import { clientVersion, createCache, createCacheBySession, getBaseUrl, getDefaultProjectId, getDefaultPublishableClientKey, getDefaultSecretServerKey } from "./common";
+import { clientVersion, createCache, createCacheBySession, getBaseUrl, getDefaultExtraRequestHeaders, getDefaultProjectId, getDefaultPublishableClientKey, getDefaultSecretServerKey } from "./common";
 
 import { useAsyncCache } from "./common"; // THIS_LINE_PLATFORM react-like
 
@@ -266,7 +266,7 @@ export class _StackServerAppImplIncomplete<HasTokenStore extends boolean, Projec
       interface: new StackServerInterface({
         getBaseUrl: () => getBaseUrl(options.baseUrl),
         projectId: options.projectId ?? getDefaultProjectId(),
-        extraRequestHeaders: options.extraRequestHeaders ?? {},
+        extraRequestHeaders: options.extraRequestHeaders ?? getDefaultExtraRequestHeaders(),
         clientVersion,
         publishableClientKey: options.publishableClientKey ?? getDefaultPublishableClientKey(),
         secretServerKey: options.secretServerKey ?? getDefaultSecretServerKey(),
@@ -1116,8 +1116,8 @@ export class _StackServerAppImplIncomplete<HasTokenStore extends boolean, Projec
   }
   // END_PLATFORM
 
-  async sendEmail(options: SendEmailOptions): Promise<Result<void, KnownErrors["RequiresCustomEmailServer"] | KnownErrors["SchemaError"] | KnownErrors["UserIdDoesNotExist"]>> {
-    return await this._interface.sendEmail(options);
+  async sendEmail(options: SendEmailOptions): Promise<void> {
+    await this._interface.sendEmail(options);
   }
 
   protected override async _refreshSession(session: InternalSession) {
diff --git a/packages/template/src/lib/stack-app/apps/interfaces/server-app.ts b/packages/template/src/lib/stack-app/apps/interfaces/server-app.ts
index ce9be05741..3b753e04b9 100644
--- a/packages/template/src/lib/stack-app/apps/interfaces/server-app.ts
+++ b/packages/template/src/lib/stack-app/apps/interfaces/server-app.ts
@@ -1,5 +1,3 @@
-import { KnownErrors } from "@stackframe/stack-shared";
-import { Result } from "@stackframe/stack-shared/dist/utils/results";
 import { AsyncStoreProperty, GetUserOptions } from "../../common";
 import { ServerItem } from "../../customers";
 import { DataVaultStore } from "../../data-vault";
@@ -51,7 +49,7 @@ export type StackServerApp<HasTokenStore extends boolean = boolean, ProjectId ex
 
     useUsers(options?: ServerListUsersOptions): ServerUser[] & { nextCursor: string | null }, // THIS_LINE_PLATFORM react-like
     listUsers(options?: ServerListUsersOptions): Promise<ServerUser[] & { nextCursor: string | null }>,
-    sendEmail(options: SendEmailOptions): Promise<Result<void, KnownErrors["RequiresCustomEmailServer"] | KnownErrors["SchemaError"] | KnownErrors["UserIdDoesNotExist"]>>,
+    sendEmail(options: SendEmailOptions): Promise<void>,
   }
   & AsyncStoreProperty<"user", [id: string], ServerUser | null, false>
   & Omit<AsyncStoreProperty<"users", [], ServerUser[], true>, "listUsers" | "useUsers">