diff --git a/Dockerfile b/Dockerfile
index af9338dff..070be277b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,8 +10,5 @@ RUN unzip /tmp/sonar-scanner-cli-5.0.1.3006-linux.zip -d /tmp
 RUN python -m venv /tmp/venv
 RUN . /tmp/venv/bin/activate
 ENV PATH="/tmp/sonar-scanner-5.0.1.3006-linux/bin:/tmp/venv/bin:${PATH}"
-RUN pip install --upgrade pip
-RUN pip install --upgrade pip-tools
-RUN pip install --upgrade setuptools
-RUN pip install --upgrade coverage
-RUN pip install -r requirements/requirements.dev.txt --no-index --find-links ./vendor/
\ No newline at end of file
+RUN pip install --upgrade pip pip-tools setuptools coverage
+RUN pip install -r requirements/requirements.dev.txt --no-index --find-links ./vendor/
diff --git a/Dockerfile.selenium b/Dockerfile.selenium
index 0acfde1e8..c2757e9de 100755
--- a/Dockerfile.selenium
+++ b/Dockerfile.selenium
@@ -1,16 +1,18 @@
-FROM seleniarm/standalone-chromium
+FROM selenium/standalone-chromium
 
-ENV PYTHONUNBUFFERED 1
 USER root
-#RUN apt-get update ; apt-get install -yq git curl libpq-dev libffi-dev
+
 RUN apt-get update ; apt-get install -yq python3 python3-venv
 RUN ln -s /usr/bin/python3 /usr/local/bin/python
-RUN useradd -m -s /bin/bash DEV
-USER DEV
+
+# switch to existing seluser from selenium docker
+USER seluser
+
 ADD . /code
 WORKDIR /code
 RUN python -m venv /tmp/venv
 RUN . /tmp/venv/bin/activate
 ENV PATH="/tmp/venv/bin:${PATH}"
+
 RUN pip3 install --upgrade pip
 RUN pip3 install selenium pytest debugpy jsonschema python-dateutil
diff --git a/Dockerfiles/Dockerfile.selenium-jenkins b/Dockerfiles/Dockerfile.selenium-jenkins
deleted file mode 100755
index 7280a63af..000000000
--- a/Dockerfiles/Dockerfile.selenium-jenkins
+++ /dev/null
@@ -1,22 +0,0 @@
-FROM python:3.7.10
-# For build CBC Jenkins job ECR image
-ENV PYTHONUNBUFFERED 1
-# ENV PYTHONDEVMODE 1
-
-RUN mkdir /code
-ADD . /code/
-WORKDIR /code
-
-RUN pip install --upgrade pip
-
-RUN apt-get update && apt-get install -yq git unzip curl
-
-# Install Chrome for Selenium
-RUN curl https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb -o /chrome.deb \
-    && dpkg -i /chrome.deb || apt-get install -yf \
-    && rm /chrome.deb
-
-# Install chromedriver for Selenium
-RUN wget -O /tmp/chromedriver.zip http://chromedriver.storage.googleapis.com/`curl -sS chromedriver.storage.googleapis.com/LATEST_RELEASE`/chromedriver_linux64.zip \
-    && unzip /tmp/chromedriver.zip chromedriver -d /usr/local/bin/ \
-    && chmod +x /usr/local/bin/chromedriver
diff --git a/Dockerfiles/Dockerfile.selenium-jenkins-python311 b/Dockerfiles/Dockerfile.selenium-jenkins-python311
deleted file mode 100755
index 9f31ac753..000000000
--- a/Dockerfiles/Dockerfile.selenium-jenkins-python311
+++ /dev/null
@@ -1,18 +0,0 @@
-FROM --platform=linux/amd64 python:3.11
-# For build CBC Jenkins job ECR image
-ENV PYTHONUNBUFFERED 1
-
-RUN mkdir /code
-ADD . /code/
-WORKDIR /code
-
-RUN pip install --upgrade pip
-RUN apt-get update && apt-get install -yq git unzip curl
-# Install Chrome for Selenium
-RUN curl https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb -o /chrome.deb \
-    && dpkg -i /chrome.deb || apt-get install -yf \
-    && rm /chrome.deb
-# Install chromedriver for Selenium
-RUN wget -O /tmp/chromedriver.zip http://chromedriver.storage.googleapis.com/`curl -sS chromedriver.storage.googleapis.com/LATEST_RELEASE`/chromedriver_linux64.zip \
-    && unzip /tmp/chromedriver.zip chromedriver -d /usr/local/bin/ \
-    && chmod +x /usr/local/bin/chromedriver
diff --git a/Dockerfiles/Dockerfile.selenium-jenkins-python311-plus-chromedriver b/Dockerfiles/Dockerfile.selenium-jenkins-python311-plus-chromedriver
new file mode 100644
index 000000000..4edc89e03
--- /dev/null
+++ b/Dockerfiles/Dockerfile.selenium-jenkins-python311-plus-chromedriver
@@ -0,0 +1,27 @@
+FROM --platform=linux/amd64 python:3.11
+# For build CBC Jenkins job ECR image
+ENV PYTHONUNBUFFERED 1
+
+RUN mkdir /code
+ADD . /code/
+WORKDIR /code
+
+RUN pip install --upgrade pip
+RUN apt-get update && apt-get install -yq git unzip curl
+
+# Install Chrome for Selenium
+RUN curl https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb -o /chrome.deb \
+    && dpkg -i /chrome.deb || apt-get install -yf \
+    && rm /chrome.deb
+
+# Install chromedriver for Selenium: keep the previous chrome driver install code for reference
+# RUN wget -O /tmp/chromedriver.zip http://chromedriver.storage.googleapis.com/`curl -sS chromedriver.storage.googleapis.com/LATEST_RELEASE`/chromedriver_linux64.zip \
+#     && unzip /tmp/chromedriver.zip chromedriver -d /usr/local/bin/ \
+#     && chmod +x /usr/local/bin/chromedriver
+
+# hard code the zip URL here since `curl -sS chromedriver.storage.googleapis.com/LATEST_RELEASE` still points to 114 which is out of date
+# this is the current way google publish the chrome drivers, going forward, need to make changes to keep up with the way google publish the
+# drivers.
+RUN wget -O /tmp/chromedriver.zip https://storage.googleapis.com/chrome-for-testing-public/131.0.6778.108/linux64/chromedriver-linux64.zip \
+    && unzip -p /tmp/chromedriver.zip chromedriver-linux64/chromedriver > /usr/local/bin/chromedriver \
+    && chmod +x /usr/local/bin/chromedriver
diff --git a/Dockerfiles/Dockerfile.selenium-jenkins-python38 b/Dockerfiles/Dockerfile.selenium-jenkins-python38
deleted file mode 100644
index e0c8dafd5..000000000
--- a/Dockerfiles/Dockerfile.selenium-jenkins-python38
+++ /dev/null
@@ -1,18 +0,0 @@
-FROM python:3.8
-# For build CBC Jenkins job ECR image
-ENV PYTHONUNBUFFERED 1
-
-RUN mkdir /code
-ADD . /code/
-WORKDIR /code
-
-RUN pip install --upgrade pip
-RUN apt-get update && apt-get install -yq git unzip curl
-# Install Chrome for Selenium
-RUN curl https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb -o /chrome.deb \
-    && dpkg -i /chrome.deb || apt-get install -yf \
-    && rm /chrome.deb
-# Install chromedriver for Selenium
-RUN wget -O /tmp/chromedriver.zip http://chromedriver.storage.googleapis.com/`curl -sS chromedriver.storage.googleapis.com/LATEST_RELEASE`/chromedriver_linux64.zip \
-    && unzip /tmp/chromedriver.zip chromedriver -d /usr/local/bin/ \
-    && chmod +x /usr/local/bin/chromedriver
diff --git a/Dockerfiles/readme.md b/Dockerfiles/readme.md
index 9dd2bf502..5d9395243 100755
--- a/Dockerfiles/readme.md
+++ b/Dockerfiles/readme.md
@@ -1,13 +1,11 @@
-# Build, Tag, and Publish integration and selenium tests ECR iamge
+# Build, Tag, and Publish integration and selenium tests ECR image - used by github CI check
 
 Go to BB2 local repo base directory and do the followings (assume aws cli installed and configured properly):
 
 ```
-
 aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/f5g8o1y9
 cd <bb2-local-repo-base-dir>/Dockerfiles
-docker build -f Dockerfile.selenium-jenkins -t bb2-cbc-build-selenium .
-docker tag bb2-cbc-build-selenium:latest public.ecr.aws/f5g8o1y9/bb2-cbc-build-selenium:latest
-docker push public.ecr.aws/f5g8o1y9/bb2-cbc-build-selenium:latest
-
-```
\ No newline at end of file
+docker build -f Dockerfile.selenium-jenkins-python311-plus-chromedriver -t bb2-cbc-build-selenium-python311-chromium .
+docker tag bb2-cbc-build-selenium-python311-chromium:latest public.ecr.aws/f5g8o1y9/bb2-cbc-build-selenium-python311-chromium:latest
+docker push public.ecr.aws/f5g8o1y9/bb2-cbc-build-selenium-python311-chromium:latest
+```
diff --git a/Jenkinsfiles/Jenkinsfile.cbc-run-multi-pr-checks-w-selenium b/Jenkinsfiles/Jenkinsfile.cbc-run-multi-pr-checks-w-selenium
index 959d3db68..19697aa11 100755
--- a/Jenkinsfiles/Jenkinsfile.cbc-run-multi-pr-checks-w-selenium
+++ b/Jenkinsfiles/Jenkinsfile.cbc-run-multi-pr-checks-w-selenium
@@ -56,7 +56,6 @@ pipeline {
           python -m venv venv
           . venv/bin/activate
           python -m pip install --upgrade pip setuptools wheel cryptography
-          make reqs-download
           make reqs-install-dev
           pip install --upgrade coverage
         """
@@ -101,7 +100,7 @@ pipeline {
        steps{
         sh """
           . venv/bin/activate
-          pytest ./apps/integration_tests/logging_tests.py::TestLoggings::test_auth_fhir_flows_logging
+          USE_NEW_PERM_SCREEN=true pytest ./apps/integration_tests/logging_tests.py::TestLoggings::test_auth_fhir_flows_logging
         """
        }
     }
@@ -136,7 +135,7 @@ pipeline {
         sh 'echo "RUN selenium tests - testclient based authorization flow tests and data flow tests"'
         sh """
           . venv/bin/activate
-          pytest ./apps/integration_tests/selenium_tests.py
+          USE_NEW_PERM_SCREEN=true pytest ./apps/integration_tests/selenium_tests.py
         """
        }
     }
diff --git a/Jenkinsfiles/Jenkinsfile.cbc-run-multi-pr-checks-w-selenium-chromium b/Jenkinsfiles/Jenkinsfile.cbc-run-multi-pr-checks-w-selenium-chromium
new file mode 100644
index 000000000..0a7ce0d1b
--- /dev/null
+++ b/Jenkinsfiles/Jenkinsfile.cbc-run-multi-pr-checks-w-selenium-chromium
@@ -0,0 +1,151 @@
+pipeline {
+  agent {
+    kubernetes {
+      defaultContainer "bb2-cbc-build-selenium-python311-chromium"
+      yamlFile "Jenkinsfiles/cbc-pod-deployment-config-w-selenium-p311-chromium.yaml"
+    }
+  }
+
+  environment {
+    DJANGO_LOG_JSON_FORMAT_PRETTY = true
+    DJANGO_SETTINGS_MODULE = "hhs_oauth_server.settings.logging_it"
+    OAUTHLIB_INSECURE_TRANSPORT = true
+    DJANGO_SECURE_SESSION = false
+    DJANGO_FHIR_CERTSTORE = "./certstore"
+    // use mock login - safer, faster
+    USE_MSLSX = true
+    DJANGO_MEDICARE_SLSX_REDIRECT_URI = "http://localhost:8000/mymedicare/sls-callback"
+    DJANGO_MEDICARE_SLSX_LOGIN_URI = "http://localhost:8080/sso/authorize?client_id=bb2api"
+    DJANGO_SLSX_HEALTH_CHECK_ENDPOINT = "http://localhost:8080/health"
+    DJANGO_SLSX_TOKEN_ENDPOINT = "http://localhost:8080/sso/session"
+    DJANGO_SLSX_SIGNOUT_ENDPOINT = "http://localhost:8080/sso/signout"
+    DJANGO_SLSX_USERINFO_ENDPOINT="http://localhost:8080/v1/users"
+    DJANGO_SLSX_CLIENT_ID = credentials("bb2-selenium-tests-slsx-client-id")
+    DJANGO_SLSX_CLIENT_SECRET = credentials("bb2-selenium-tests-slsx-client-secret")
+    DJANGO_USER_ID_ITERATIONS = credentials("bb2-integration-tests-bfd-iterations")
+    DJANGO_USER_ID_SALT = credentials("bb2-integration-tests-bfd-salt")
+    FHIR_CERT = credentials("bb2-integration-tests-bfd-cert")
+    FHIR_KEY = credentials("bb2-integration-tests-bfd-key")
+    FHIR_URL = "${params.FHIR_URL}"
+    HOSTNAME_URL = "http://localhost:8000"
+  }
+
+  parameters {
+    string(
+      name: 'FHIR_URL',
+      defaultValue: "https://prod-sbx.bfd.cms.gov",
+      description: 'The default FHIR URL for the back end BFD service.'
+    )
+    booleanParam(
+        name: 'RUN_SELENIUM_TESTS', 
+        defaultValue: false, 
+        description: 'Set to true, selenium tests will be run as part of integration tests'
+    )
+  }
+
+  stages {
+    stage("SETUP FHIR cert and key") {
+      steps {
+        writeFile(file: "${env.DJANGO_FHIR_CERTSTORE}/certstore/ca.cert.pem", text: readFile(env.FHIR_CERT))
+        writeFile(file: "${env.DJANGO_FHIR_CERTSTORE}/certstore/ca.key.nocrypt.pem", text: readFile(env.FHIR_KEY))
+      }
+    }
+
+    stage("INSTALL Python Packages") {
+      steps {
+        sh """
+          pip3 install --upgrade pip setuptools wheel
+          pip3 install -r requirements/requirements.dev.txt --no-index --find-links ./vendor/
+        """
+      }
+    }
+
+    stage("CHECK Flake8 Python Lint/Style") {
+      steps{
+        sh """
+          flake8
+        """
+      }
+    }
+
+    stage("START BB2 server in background") {
+       when {
+        expression { params.RUN_SELENIUM_TESTS == true }
+       }
+       steps{
+        sh """
+          mkdir ./docker-compose/tmp/
+          (python3 ./dev-local/app.py&) && 
+          python3 manage.py migrate &&
+          python3 manage.py create_admin_groups &&
+          python3 manage.py loaddata scopes.json &&
+          python3 manage.py create_blue_button_scopes &&
+          python3 manage.py create_test_user_and_application &&
+          python3 manage.py create_user_identification_label_selection &&
+          python3 manage.py create_test_feature_switches &&
+          (if [ ! -d 'bluebutton-css' ] ; then git clone https://github.com/CMSgov/bluebutton-css.git ; else echo 'CSS already installed.' ; fi) &&
+          echo 'starting bb2...' &&
+          (export DJANGO_SETTINGS_MODULE=hhs_oauth_server.settings.logging_it && python3 manage.py runserver 0.0.0.0:8000 > ./docker-compose/tmp/bb2_email_to_stdout.log 2>&1 &)
+        """
+       }
+    }
+
+    stage("RUN logging integration tests") {
+       when {
+        expression { params.RUN_SELENIUM_TESTS == true }
+       }
+       steps{
+        catchError(buildResult: 'FAILURE', stageResult: 'FAILURE') {
+          sh """
+            USE_NEW_PERM_SCREEN=true ON_REMOTE_CI=true pytest -s ./apps/integration_tests/logging_tests.py::TestLoggings::test_auth_fhir_flows_logging
+          """
+        }
+        sh """
+          echo '======================'
+          cat ./docker-compose/tmp/bb2_email_to_stdout.log
+          echo '======================'
+        """
+       }
+    }
+
+    stage("RUN selenium user and apps management tests") {
+       when {
+        expression { params.RUN_SELENIUM_TESTS == true }
+       }
+       steps{
+        sh 'echo "RUN selenium tests - user account and app management tests"'
+        sh """
+          USE_NEW_PERM_SCREEN=true ON_REMOTE_CI=true pytest -s ./apps/integration_tests/selenium_accounts_tests.py::TestUserAndAppMgmt::testAccountAndAppMgmt
+        """
+       }
+    }
+
+    stage("RUN integration tests") {
+      steps{
+        sh """
+          python3 runtests.py --integration apps.integration_tests.integration_test_fhir_resources.IntegrationTestFhirApiResources
+        """
+      }
+    }
+
+    stage("RUN Django Unit Tests") {
+      steps{
+        sh """
+          python3 runtests.py
+        """
+      }
+    }
+
+    stage("RUN selenium tests") {
+       when {
+        expression { params.RUN_SELENIUM_TESTS == true }
+       }
+       steps{
+        sh 'echo "RUN selenium tests - testclient based authorization flow tests and data flow tests"'
+        sh """
+          USE_NEW_PERM_SCREEN=true ON_REMOTE_CI=true pytest -s ./apps/integration_tests/selenium_tests.py
+        """
+       }
+    }
+  }
+}
diff --git a/Jenkinsfiles/cbc-pod-deployment-config-w-selenium-p311-chromium.yaml b/Jenkinsfiles/cbc-pod-deployment-config-w-selenium-p311-chromium.yaml
new file mode 100644
index 000000000..016438567
--- /dev/null
+++ b/Jenkinsfiles/cbc-pod-deployment-config-w-selenium-p311-chromium.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+spec:
+  containers:
+    - name: bb2-cbc-build-selenium-python311-chromium
+      image: "public.ecr.aws/f5g8o1y9/bb2-cbc-build-selenium-python311-chromium:latest"
+      tty: true
+      command: ["tail", "-f"]
+      imagePullPolicy: Always
+  nodeSelector:
+      Agents: true
diff --git a/README.md b/README.md
index 903baa2b2..e8285f23b 100644
--- a/README.md
+++ b/README.md
@@ -167,4 +167,4 @@ by their respective authors.
 License
 -------
 
-This project is free and open source software under the Apache 2 license. See LICENSE for more information.
\ No newline at end of file
+This project is free and open source software under the Apache 2 license. See LICENSE for more information.
diff --git a/apps/authorization/models.py b/apps/authorization/models.py
index 91720a387..f3761d176 100644
--- a/apps/authorization/models.py
+++ b/apps/authorization/models.py
@@ -8,7 +8,6 @@
 from django.utils import timezone
 from oauth2_provider.settings import oauth2_settings
 from oauth2_provider.models import get_access_token_model
-from waffle import get_waffle_flag_model
 
 
 class DataAccessGrant(models.Model):
@@ -41,22 +40,17 @@ def user(self):
 
     def update_expiration_date(self):
         # For THIRTEEN_MONTH type update expiration_date
-        if self.application:
-            flag = get_waffle_flag_model().get("limit_data_access")
-            if flag.rollout or (flag.id is not None and flag.is_active_for_user(self.application.user)):
-                if self.application.data_access_type == "THIRTEEN_MONTH":
-                    self.expiration_date = datetime.now().replace(
-                        tzinfo=pytz.UTC
-                    ) + relativedelta(months=+13)
-                    self.save()
+        if self.application and self.application.data_access_type == "THIRTEEN_MONTH":
+            self.expiration_date = datetime.now().replace(
+                tzinfo=pytz.UTC
+            ) + relativedelta(months=+13)
+            self.save()
 
     def has_expired(self):
-        flag = get_waffle_flag_model().get("limit_data_access")
-        if flag.rollout or (flag.id is not None and flag.is_active_for_user(self.application.user)):
-            if self.application.data_access_type == "THIRTEEN_MONTH":
-                if self.expiration_date:
-                    if self.expiration_date < datetime.now().replace(tzinfo=pytz.UTC):
-                        return True
+        if self.application.data_access_type == "THIRTEEN_MONTH":
+            if self.expiration_date:
+                if self.expiration_date < datetime.now().replace(tzinfo=pytz.UTC):
+                    return True
 
         return False
 
diff --git a/apps/authorization/tests/test_data_access_grant.py b/apps/authorization/tests/test_data_access_grant.py
index b7a83bc1b..6f0a82df2 100644
--- a/apps/authorization/tests/test_data_access_grant.py
+++ b/apps/authorization/tests/test_data_access_grant.py
@@ -18,15 +18,14 @@
     get_access_token_model,
 )
 
-from apps.test import BaseApiTest, flag_is_active
+from apps.test import BaseApiTest
 from apps.authorization.models import (
     DataAccessGrant,
     ArchivedDataAccessGrant,
     check_grants,
     update_grants,
 )
-from waffle import get_waffle_flag_model
-from waffle.testutils import override_flag, override_switch
+from waffle.testutils import override_switch
 
 Application = get_application_model()
 AccessToken = get_access_token_model()
@@ -95,56 +94,7 @@ def test_create_update_delete(self):
         #    Verify expiration_date copied OK.
         self.assertEqual("2030-01-15 00:00:00+00:00", str(arch_dag.expiration_date))
 
-    @override_flag("limit_data_access", active=False)
-    def test_thirteen_month_app_type_without_switch_limit_data_access(self):
-        assert not flag_is_active("limit_data_access")
-
-        # 1. Create bene and app for tests
-        dev_user = self._create_user("developer_test", "123456")
-        bene_user = self._create_user("test_beneficiary", "123456")
-        test_app = self._create_application(
-            "test_app", user=dev_user, data_access_type="THIRTEEN_MONTH"
-        )
-
-        flag = get_waffle_flag_model().get("limit_data_access")
-        assert flag.id is None or flag.is_active_for_user(dev_user) is False
-
-        # 2. Create grant with expiration date in future.
-        dag = DataAccessGrant.objects.create(
-            application=test_app, beneficiary=bene_user
-        )
-
-        # 3. Test expiration_date not set
-        self.assertEqual(dag.expiration_date, None)
-        #    Test has_expired() with None is false
-        self.assertEqual(dag.has_expired(), False)
-
-        # 4. Test has_expired() true for -1 hour ago is false w/o switch enabled
-        dag.expiration_date = datetime.now().replace(tzinfo=pytz.UTC) + relativedelta(
-            hours=-1
-        )
-        self.assertEqual(dag.has_expired(), False)
-
-        # 5. Test has_expired() false for +1 hour in future.
-        dag.expiration_date = datetime.now().replace(tzinfo=pytz.UTC) + relativedelta(
-            hours=+1
-        )
-        self.assertEqual(dag.has_expired(), False)
-
-        # 6. Test has_expired() false for ONE_TIME type
-        test_app.data_access_type = "ONE_TIME"
-        test_app.save()
-        self.assertEqual(dag.has_expired(), False)
-
-        # 7. Test has_expired() false for RESEARCH_STUDY type
-        test_app.data_access_type = "RESEARCH_STUDY"
-        test_app.save()
-        self.assertEqual(dag.has_expired(), False)
-
-    @override_flag("limit_data_access", active=True)
     def test_thirteen_month_app_type_with_switch_limit_data_access(self):
-        assert flag_is_active("limit_data_access")
-
         # 1. Create bene and app for tests
         dev_user = self._create_user("developer_test", "123456")
         bene_user = self._create_user("test_beneficiary", "123456")
@@ -152,9 +102,6 @@ def test_thirteen_month_app_type_with_switch_limit_data_access(self):
             "test_app", user=dev_user, data_access_type="THIRTEEN_MONTH"
         )
 
-        flag = get_waffle_flag_model().get("limit_data_access")
-        assert flag.id is not None and flag.is_active_for_user(dev_user)
-
         # 2. Create grant with expiration date in future.
         dag = DataAccessGrant.objects.create(
             application=test_app, beneficiary=bene_user
@@ -463,40 +410,3 @@ def test_permission_deny_on_app_or_org_disabled(self):
         # set back app and user to active - not to affect other tests
         application.active = True
         application.save()
-
-    def test_thirteen_month_app_needs_limit_data_access_set(self):
-
-        # 1. Create benes
-        dev_user = self._create_user("developer_test", "123456")
-        bene_user = self._create_user("test_beneficiary", "123456")
-        flag_bene_user = self._create_user("flag_beneficiary", "123456")
-        test_app = self._create_application(
-            "test_app", user=dev_user, data_access_type="THIRTEEN_MONTH"
-        )
-
-        # 2. Create flag and show is not set for dev_user
-        flag = get_waffle_flag_model().objects.create(name="limit_data_access")
-        assert flag.id is not None
-        assert not flag.is_active_for_user(dev_user)
-
-        # 3. Create grant and expire expiration to show it doesn't matter
-        dag = DataAccessGrant.objects.create(
-            application=test_app, beneficiary=bene_user
-        )
-        # 4. Test has_expired() true for -1 hour ago
-        dag.expiration_date = datetime.now().replace(tzinfo=pytz.UTC) + relativedelta(
-            hours=-1
-        )
-        self.assertEqual(dag.has_expired(), False)
-
-        # 4. Add dev_user to flag
-        flag.users.add(dev_user)
-
-        # 5. Create new grant and show expiration is working
-        flag_dag = DataAccessGrant.objects.create(
-            application=test_app, beneficiary=flag_bene_user
-        )
-        flag_dag.expiration_date = datetime.now().replace(
-            tzinfo=pytz.UTC
-        ) + relativedelta(hours=-1)
-        self.assertEqual(dag.has_expired(), True)
diff --git a/apps/authorization/tests/test_data_access_grant_permissions.py b/apps/authorization/tests/test_data_access_grant_permissions.py
index 657cb959e..d2c326e1f 100644
--- a/apps/authorization/tests/test_data_access_grant_permissions.py
+++ b/apps/authorization/tests/test_data_access_grant_permissions.py
@@ -7,9 +7,8 @@
 from httmock import HTTMock, urlmatch
 from oauth2_provider.models import get_access_token_model, get_refresh_token_model
 from unittest import mock
-from waffle.testutils import override_flag
 
-from apps.test import BaseApiTest, flag_is_active
+from apps.test import BaseApiTest
 from apps.authorization.models import (
     DataAccessGrant,
 )
@@ -257,18 +256,12 @@ def _assert_call_token_refresh_endpoint(
             )
         return content
 
-    @override_flag("limit_data_access", active=False)
-    def test_revoked_data_access_grant_without_flag_limit_data_access(self):
+    def test_revoked_data_access_grant(self):
         """
         Test data access grant deleted / revoked
 
-        Test data access for FHIR and profile end points
-        with limit_data_access flag False.
-
-        This will be the flag setting in Sandbox.
+        Test data access for FHIR and profile end points.
         """
-        assert not flag_is_active("limit_data_access")
-
         # 1. Use helper method to create app, user, authorized grant & access token.
         user, app, ac = self._create_user_app_token_grant(
             first_name="first",
@@ -277,10 +270,11 @@ def test_revoked_data_access_grant_without_flag_limit_data_access(self):
             app_name="test_app1",
             app_username="devuser1",
             app_user_organization="org1",
+            app_data_access_type="RESEARCH_STUDY",
         )
 
         # 2. Test application data access type
-        self.assertEqual(app.data_access_type, "THIRTEEN_MONTH")
+        self.assertEqual(app.data_access_type, "RESEARCH_STUDY")
 
         # 3. Test grant obj created OK.
         dag = DataAccessGrant.objects.get(beneficiary=user, application=app)
@@ -329,116 +323,12 @@ def test_revoked_data_access_grant_without_flag_limit_data_access(self):
             expected_response_detail_mesg="Authentication credentials were not provided.",
         )
 
-    @override_flag("limit_data_access", active=False)
-    def test_research_study_app_type_without_flag_limit_data_access(self):
+    def test_research_study_app_type(self):
         """
         Test Application.data_access_type="RESEARCH_STUDY".
 
         Test data access for FHIR and profile end points
-        with limit_data_access flag False.
-
-        This will be the flag setting in Sandbox.
         """
-        assert not flag_is_active("limit_data_access")
-
-        # 1. Use helper method to create app, user, authorized grant & access token.
-        user, app, ac = self._create_user_app_token_grant(
-            first_name="first",
-            last_name="last1",
-            fhir_id="-20140000008325",
-            app_name="test_app1",
-            app_username="devuser1",
-            app_user_organization="org1",
-            app_data_access_type="RESEARCH_STUDY",
-        )
-        self.assertEqual(app.data_access_type, "RESEARCH_STUDY")
-
-        #     Test grant exists.
-        self.assertTrue(
-            DataAccessGrant.objects.filter(
-                beneficiary=user,
-                application=app,
-            ).exists()
-        )
-
-        # 2. Test that all calls are successful (response_code=200)
-        self._assert_call_all_fhir_endpoints(
-            access_token=ac["access_token"], expected_response_code=200
-        )
-
-        # 3. Test token refresh is successful (response_code=200)
-        ac = self._assert_call_token_refresh_endpoint(
-            application=app,
-            refresh_token=ac["refresh_token"],
-            expected_response_code=200,
-        )
-
-        # 4. Set application to in-active/disabled
-        app.active = False
-        app.save()
-
-        # 5. Test FHIR end point while app in-active/disabled (response_code=401)
-        self._assert_call_all_fhir_endpoints(
-            access_token=ac["access_token"],
-            expected_response_code=401,
-            expected_response_detail_mesg=settings.APPLICATION_TEMPORARILY_INACTIVE.format(
-                app.name
-            ),
-        )
-
-        # 6. Test token refresh after applciation in-active/disabled (response_code=401)
-        self._assert_call_token_refresh_endpoint(
-            application=app,
-            refresh_token=ac["refresh_token"],
-            expected_response_code=401,
-            expected_response_error_mesg="invalid_client",
-            expected_response_error_description_mesg=settings.APPLICATION_TEMPORARILY_INACTIVE.format(
-                app.name
-            ),
-        )
-
-        # 7. Set application to active/endabled
-        app.active = True
-        app.save()
-
-        self._assert_call_all_fhir_endpoints(
-            access_token=ac["access_token"], expected_response_code=200
-        )
-
-        # 9. Test app not expired token refresh (response_code=200)
-        ac = self._assert_call_token_refresh_endpoint(
-            application=app,
-            refresh_token=ac["refresh_token"],
-            expected_response_code=200,
-        )
-
-        # 10. Test with RESEARCH_STUDY application end_date IS expired w/o feature flag (response_code=200)
-        app.data_access_type = "RESEARCH_STUDY"
-        app.save()
-
-        self._assert_call_all_fhir_endpoints(
-            access_token=ac["access_token"], expected_response_code=200
-        )
-
-        # 11. Test app expired token refresh (response_code=200)
-        ac = self._assert_call_token_refresh_endpoint(
-            application=app,
-            refresh_token=ac["refresh_token"],
-            expected_response_code=200,
-        )
-
-    @override_flag("limit_data_access", active=True)
-    def test_research_study_app_type_with_flag_limit_data_access(self):
-        """
-        Test Application.data_access_type="RESEARCH_STUDY".
-
-        Test data access for FHIR and profile end points
-        with limit_data_access flag True.
-
-        This will be the flag setting in PROD.
-        """
-        assert flag_is_active("limit_data_access")
-
         # 1. Use helper method to create app, user, authorized grant & access token.
         user, app, ac = self._create_user_app_token_grant(
             first_name="first",
@@ -514,66 +404,12 @@ def test_research_study_app_type_with_flag_limit_data_access(self):
             expected_response_code=200,
         )
 
-    @override_flag("limit_data_access", active=False)
-    def test_one_time_app_type_without_flag_limit_data_access(self):
+    def test_one_time_app_type(self):
         """
         Test Application.data_access_type="ONE_TIME"
-        with limit_data_access flag False.
-
-        This will be the flag setting in Sandbox.
 
         NOTE: This type of application does not allow token refreshes
-              when the feature flag is enabled.
         """
-        assert not flag_is_active("limit_data_access")
-
-        # 1. Use helper method to create app, user, authorized grant & access token.
-        user, app, ac = self._create_user_app_token_grant(
-            first_name="first",
-            last_name="last1",
-            fhir_id="-20140000008325",
-            app_name="test_app1",
-            app_username="devuser1",
-            app_user_organization="org1",
-            app_data_access_type="ONE_TIME",
-        )
-
-        #     Test application default data access type
-        self.assertEqual(app.data_access_type, "ONE_TIME")
-
-        #     Test grant exists.
-        self.assertTrue(
-            DataAccessGrant.objects.filter(
-                beneficiary=user,
-                application=app,
-            ).exists()
-        )
-
-        # 2. Test token refresh is working OK (response_code=200)
-        ac = self._assert_call_token_refresh_endpoint(
-            application=app,
-            refresh_token=ac["refresh_token"],
-            expected_response_code=200,
-        )
-
-        # 3. Test that all calls are successful (response_code=200)
-        self._assert_call_all_fhir_endpoints(
-            access_token=ac["access_token"], expected_response_code=200
-        )
-
-    @override_flag("limit_data_access", active=True)
-    def test_one_time_app_type_with_flag_limit_data_access(self):
-        """
-        Test Application.data_access_type="ONE_TIME"
-        with limit_data_access flag True
-
-        This will be the flag setting in PROD.
-
-        NOTE: This type of application does not allow token refreshes
-              when the feature flag is enabled.
-        """
-        assert flag_is_active("limit_data_access")
-
         # 1. Use helper method to create app, user, authorized grant & access token.
         user, app, ac = self._create_user_app_token_grant(
             first_name="first",
@@ -610,62 +446,11 @@ def test_one_time_app_type_with_flag_limit_data_access(self):
             access_token=ac["access_token"], expected_response_code=200
         )
 
-    @override_flag("limit_data_access", active=False)
     @mock.patch("apps.authorization.models.datetime", StubDate)
-    def test_thirteen_month_app_type_without_flag_limit_data_access(self):
+    def test_thirteen_month_app_type(self):
         """
         Test Application.data_access_type="THIRTEEN_MONTH"
-        with limit_data_access flag False
-
-        This will be the flag setting in Sandbox.
         """
-        assert not flag_is_active("limit_data_access")
-
-        # 1. Use helper method to create app, user, authorized grant & access token.
-        user, app, ac = self._create_user_app_token_grant(
-            first_name="first",
-            last_name="last1",
-            fhir_id="-20140000008325",
-            app_name="test_app1",
-            app_username="devuser1",
-            app_user_organization="org1",
-            app_data_access_type="THIRTEEN_MONTH",
-        )
-
-        # 2. Test application data access type
-        self.assertEqual(app.data_access_type, "THIRTEEN_MONTH")
-
-        # 3. Test grant obj created OK.
-        dag = DataAccessGrant.objects.get(beneficiary=user, application=app)
-        #     Assert is not None
-        self.assertNotEqual(dag, None)
-
-        #     Assert expiration date has NOT been set
-        self.assertEqual(dag.expiration_date, None)
-
-        # 4. Test token refresh is enabled for app (response_code=200)
-        ac = self._assert_call_token_refresh_endpoint(
-            application=app,
-            refresh_token=ac["refresh_token"],
-            expected_response_code=200,
-        )
-
-        # 5. Test that all calls are successful (response_code=200)
-        self._assert_call_all_fhir_endpoints(
-            access_token=ac["access_token"], expected_response_code=200
-        )
-
-    @override_flag("limit_data_access", active=True)
-    @mock.patch("apps.authorization.models.datetime", StubDate)
-    def test_thirteen_month_app_type_with_flag_limit_data_access(self):
-        """
-        Test Application.data_access_type="THIRTEEN_MONTH"
-        with limit_data_access flag True
-
-        This will be the flag setting in SBX.
-        """
-        assert flag_is_active("limit_data_access")
-
         # 1. Use helper method to create app, user, authorized grant & access token.
         user, app, ac = self._create_user_app_token_grant(
             first_name="first",
@@ -780,7 +565,6 @@ def test_thirteen_month_app_type_with_flag_limit_data_access(self):
             access_token=ac["access_token"], expected_response_code=200
         )
 
-    @override_flag("limit_data_access", active=False)
     def test_data_access_grant_permissions_has_permission(self):
         """
         Test edge case bug fix for BB2-2130
@@ -791,7 +575,6 @@ def test_data_access_grant_permissions_has_permission(self):
         DataAccessGrant.DoesNotExist: DataAccessGrant matching query
           does not exist.
         """
-
         # 1. Use helper method to create app, user, authorized grant & access token.
         user, app, ac = self._create_user_app_token_grant(
             first_name="first",
diff --git a/apps/capabilities/permissions.py b/apps/capabilities/permissions.py
index a7bc3b726..ece09f048 100644
--- a/apps/capabilities/permissions.py
+++ b/apps/capabilities/permissions.py
@@ -37,20 +37,15 @@ def has_permission(self, request, view):
                 slug__in=token_scopes
             ).values_list('protected_resources', flat=True).all())
 
-            # this is a shorterm fix to reject all tokens that do not have either
-            # patient/coverage.read or patient/ExplanationOfBenefit.read
-            if ("patient/Coverage.read" in token_scopes) or ("patient/ExplanationOfBenefit.read" in token_scopes):
-                for scope in scopes:
-                    for method, path in json.loads(scope):
-                        if method != request.method:
-                            continue
-                        if path == request.path:
-                            return True
-                        if re.fullmatch(path, request.path) is not None:
-                            return True
-                return False
-            else:
-                return False
+            for scope in scopes:
+                for method, path in json.loads(scope):
+                    if method != request.method:
+                        continue
+                    if path == request.path:
+                        return True
+                    if re.fullmatch(path, request.path) is not None:
+                        return True
+            return False
         else:
             # BB2-237: Replaces ASSERT with exception. We should never reach here.
             mesg = ("TokenHasScope requires the `oauth2_provider.rest_framework.OAuth2Authentication`"
diff --git a/apps/capabilities/tests.py b/apps/capabilities/tests.py
index b320398f5..396faf9d2 100644
--- a/apps/capabilities/tests.py
+++ b/apps/capabilities/tests.py
@@ -1,5 +1,4 @@
 import json
-import unittest
 
 from django.contrib.auth.models import Group
 from django.test import TestCase
@@ -41,7 +40,6 @@ def setUp(self):
             protected_resources=json.dumps([["POST", "/path"]]),
         )
 
-    @unittest.skip("Broke with quick fix")
     def test_request_is_protected(self):
         request = SimpleRequest("scope")
         request.method = "GET"
diff --git a/apps/core/management/commands/create_test_feature_switches.py b/apps/core/management/commands/create_test_feature_switches.py
index 65b45c85b..690ad192a 100644
--- a/apps/core/management/commands/create_test_feature_switches.py
+++ b/apps/core/management/commands/create_test_feature_switches.py
@@ -17,7 +17,6 @@
 )
 
 WAFFLE_FEATURE_FLAGS = (
-    ("limit_data_access", ['fred']),
 )
 
 
diff --git a/apps/docs/templates/oauth2-redirect.html b/apps/docs/templates/oauth2-redirect.html
index 879e177b0..214f39351 100644
--- a/apps/docs/templates/oauth2-redirect.html
+++ b/apps/docs/templates/oauth2-redirect.html
@@ -8,6 +8,7 @@
 <body>
     <script>
         'use strict';
+        const defaultPage = '/docs/openapi';
         function run () {
             function deserializeObject(serialized) {
                 const parsedObj = JSON.parse(serialized);
@@ -23,6 +24,7 @@
             const code = urlParams.get('code');
             if (!code) {
                 console.error('Authorization code not found in URL');
+                window.location.href = defaultPage;
                 return;
             }
 
@@ -32,6 +34,7 @@
             let clientId = oauth2.auth.clientId
             let clientSecret = oauth2.auth.clientSecret;
             let redirectUri = oauth2.redirectUrl
+            let codeVerifier = oauth2.auth.codeVerifier
 
               // Convert client credentials to Base64
             const credentials = btoa(`${clientId}:${clientSecret}`);
@@ -44,13 +47,15 @@
                 },
                 body: new URLSearchParams({
                     code: code,
+                    code_verifier: codeVerifier,
                     grant_type: 'authorization_code',
                     redirect_uri: redirectUri
                 })
             })
             .then(response => {
                 if (!response.ok) {
-                    throw new Error('Token request failed with status ' + response.status);
+                    console.log('Token request failed with status ' + response.status);
+                    window.location.href = defaultPage;
                 }
                 return response.json();
             })
@@ -58,7 +63,7 @@
                 const accessToken = data.access_token;
                 if (accessToken) {
                   localStorage.setItem('access_token', accessToken);
-                  window.location.href = '/docs/openapi';
+                  window.location.href = defaultPage;
                 }
             })
             .catch(error => {
diff --git a/apps/docs/templates/openapi.html b/apps/docs/templates/openapi.html
index 66adb7436..a8e6a4fe0 100755
--- a/apps/docs/templates/openapi.html
+++ b/apps/docs/templates/openapi.html
@@ -141,7 +141,8 @@
               clientId: clientId,
               clientSecret: clientSecret,
               scopeSeparator: " ",
-              scopes: scopes
+              scopes: scopes,
+              usePkceWithAuthorizationCodeGrant: true
           })
       }
 
diff --git a/apps/dot_ext/forms.py b/apps/dot_ext/forms.py
index 6d4345a9e..dee95f8c7 100644
--- a/apps/dot_ext/forms.py
+++ b/apps/dot_ext/forms.py
@@ -335,7 +335,7 @@ def clean(self):
             scope = ""
 
         # Remove demographic information scopes, if beneficiary is not sharing
-        if cleaned_data.get("share_demographic_scopes") == "False":
+        if cleaned_data.get("share_demographic_scopes") != "True":
             cleaned_data["scope"] = " ".join(
                 [
                     s
diff --git a/apps/dot_ext/models.py b/apps/dot_ext/models.py
index e8ffbaa10..ea167ede5 100644
--- a/apps/dot_ext/models.py
+++ b/apps/dot_ext/models.py
@@ -28,7 +28,6 @@
 )
 from oauth2_provider.settings import oauth2_settings
 from urllib.parse import urlparse
-from waffle import get_waffle_flag_model
 
 from apps.capabilities.models import ProtectedCapability
 
@@ -228,11 +227,7 @@ def store_media_file(self, file, filename):
 
     # Has one time only type data access?
     def has_one_time_only_data_access(self):
-        if self.data_access_type == "ONE_TIME":
-            flag = get_waffle_flag_model().get("limit_data_access")
-            if flag.rollout or (flag.id is not None and flag.is_active_for_user(self.user)):
-                return True
-        return False
+        return self.data_access_type == "ONE_TIME"
 
     # Save override to restrict invalid field combos.
     def save(self, *args, **kwargs):
diff --git a/apps/dot_ext/tests/demographic_scopes_test_cases.py b/apps/dot_ext/tests/demographic_scopes_test_cases.py
index 03dd25bf4..23fae8102 100644
--- a/apps/dot_ext/tests/demographic_scopes_test_cases.py
+++ b/apps/dot_ext/tests/demographic_scopes_test_cases.py
@@ -47,7 +47,7 @@
     --------------------------------------------------
     USED in the following test:
       apps.dot_ext.tests.test_form_oauth2
-                        .TestSimpleAllowFormForm.test_form()
+                        .TestSimpleAllowForm.test_form()
     Test case dictionary key and value meanings:
     REQUEST PARAMETERS:
       These are used to setup the authorization request.
@@ -68,7 +68,7 @@
         "request_scopes": APPLICATION_SCOPES_FULL,
         # Result:
         "result_form_is_valid": True,
-        "result_token_scopes_granted": APPLICATION_SCOPES_FULL,
+        "result_token_scopes_granted": APPLICATION_SCOPES_NON_DEMOGRAPHIC,
     },
     "test 2: share_demographic_scopes = False": {
         # Request:
@@ -181,7 +181,7 @@
         "request_scopes": APPLICATION_SCOPES_FULL,
         # Result:
         "result_has_error": False,
-        "result_token_scopes_granted": APPLICATION_SCOPES_FULL,
+        "result_token_scopes_granted": APPLICATION_SCOPES_NON_DEMOGRAPHIC,
         "result_access_token_count": 1,
         "result_refresh_token_count": 1,
         "result_archived_token_count": 0,
@@ -221,7 +221,7 @@
         "request_scopes": APPLICATION_SCOPES_FULL,
         # Result:
         "result_has_error": False,
-        "result_token_scopes_granted": APPLICATION_SCOPES_FULL,
+        "result_token_scopes_granted": APPLICATION_SCOPES_NON_DEMOGRAPHIC,
         "result_access_token_count": 3,
         "result_refresh_token_count": 3,
         "result_archived_token_count": 1,
@@ -314,7 +314,7 @@
         "request_scopes": SCOPES_JUST_PATIENT_AND_A,
         # Result:
         "result_has_error": False,
-        "result_token_scopes_granted": SCOPES_JUST_PATIENT_AND_A,
+        "result_token_scopes_granted": SCOPES_JUST_A,
         "result_access_token_count": 3,
         "result_refresh_token_count": 3,
         "result_archived_token_count": 8,
diff --git a/apps/dot_ext/tests/test_authorization.py b/apps/dot_ext/tests/test_authorization.py
index 3cc3ee263..2937c3bb1 100644
--- a/apps/dot_ext/tests/test_authorization.py
+++ b/apps/dot_ext/tests/test_authorization.py
@@ -12,9 +12,7 @@
 from django.urls import reverse
 from django.test import Client
 
-from waffle.testutils import override_flag
-
-from apps.test import BaseApiTest, flag_is_active
+from apps.test import BaseApiTest
 from ..models import Application, ArchivedToken
 from apps.authorization.models import DataAccessGrant, ArchivedDataAccessGrant
 
@@ -338,7 +336,6 @@ def test_refresh_with_expired_token(self):
         response = self.client.post(reverse('oauth2_provider:token'), data=refresh_request_data)
         self.assertEqual(response.status_code, 400)
 
-    @override_flag('limit_data_access', active=True)
     def test_refresh_13_month_with_expired_grant(self):
         redirect_uri = 'http://localhost'
         # create a user
@@ -403,9 +400,7 @@ def test_refresh_13_month_with_expired_grant(self):
         response = self.client.post(reverse('oauth2_provider:token'), data=refresh_request_data)
         self.assertEqual(response.status_code, 400)
 
-    @override_flag('limit_data_access', active=True)
     def test_refresh_with_one_time_access_retrieve_app_using_refresh_token(self):
-        assert flag_is_active('limit_data_access')
         redirect_uri = 'http://localhost'
         # create a user
         self._create_user('anna', '123456')
@@ -460,9 +455,7 @@ def test_refresh_with_one_time_access_retrieve_app_using_refresh_token(self):
         response = self.client.post(reverse('oauth2_provider:token'), data=refresh_request_data)
         self.assertEqual(response.status_code, 401)
 
-    @override_flag('limit_data_access', active=True)
     def test_refresh_with_one_time_access_retrieve_app_from_auth_header(self):
-        assert flag_is_active('limit_data_access')
         redirect_uri = 'http://localhost'
         # create a user
         self._create_user('anna', '123456')
@@ -522,9 +515,7 @@ def test_refresh_with_one_time_access_retrieve_app_from_auth_header(self):
         )
         self.assertEqual(response.status_code, 400)
 
-    @override_flag('limit_data_access', active=True)
     def test_dag_expiration_exists(self):
-        assert flag_is_active('limit_data_access')
         redirect_uri = 'http://localhost'
 
         # create a user
@@ -575,9 +566,64 @@ def test_dag_expiration_exists(self):
         c = Client()
         response = c.post('/v1/o/token/', data=token_request_data)
         tkn = response.json()
-        expiration_date_string = strftime('%Y-%m-%d %H:%M:%SZ', expiration_date.timetuple())
+        expiration_date_string = strftime('%Y-%m-%dT%H:%M:%SZ', expiration_date.timetuple())
         self.assertEqual(tkn["access_grant_expiration"][:-4], expiration_date_string[:-4])
 
+    def test_revoke_endpoint(self):
+        redirect_uri = 'http://localhost'
+        # create a user
+        self._create_user('anna', '123456')
+        capability_a = self._create_capability('Capability A', [])
+        capability_b = self._create_capability('Capability B', [])
+        # create an application and add capabilities
+        application = self._create_application(
+            'an app',
+            grant_type=Application.GRANT_AUTHORIZATION_CODE,
+            client_type=Application.CLIENT_CONFIDENTIAL,
+            redirect_uris=redirect_uri)
+        application.scope.add(capability_a, capability_b)
+        # user logs in
+        request = HttpRequest()
+        self.client.login(request=request, username='anna', password='123456')
+        # post the authorization form with only one scope selected
+        payload = {
+            'client_id': application.client_id,
+            'response_type': 'code',
+            'redirect_uri': redirect_uri,
+            'scope': ['capability-a'],
+            'expires_in': 86400,
+            'allow': True,
+        }
+        response = self.client.post(reverse('oauth2_provider:authorize'), data=payload)
+        self.client.logout()
+        self.assertEqual(response.status_code, 302)
+        # now extract the authorization code and use it to request an access_token
+        query_dict = parse_qs(urlparse(response['Location']).query)
+        authorization_code = query_dict.pop('code')
+        token_request_data = {
+            'grant_type': 'authorization_code',
+            'code': authorization_code,
+            'redirect_uri': redirect_uri,
+            'client_id': application.client_id,
+            'client_secret': application.client_secret_plain,
+        }
+        c = Client()
+        response = c.post('/v1/o/token/', data=token_request_data)
+        self.assertEqual(response.status_code, 200)
+        # extract token and use it to make a revoke request
+        tkn = response.json()['access_token']
+        revoke_request_data = f"token={tkn}&client_id={application.client_id}&client_secret={application.client_secret_plain}"
+        content_type = "application/x-www-form-urlencoded"
+        c = Client()
+        rev_response = c.post('/v1/o/revoke/', data=revoke_request_data, content_type=content_type)
+        self.assertEqual(rev_response.status_code, 200)
+        # check DAG deletion
+        dags_count = DataAccessGrant.objects.count()
+        self.assertEqual(dags_count, 0)
+        # check token deletion
+        tkn_count = AccessToken.objects.filter(token=tkn).count()
+        self.assertEqual(tkn_count, 0)
+
     def test_refresh_with_revoked_token(self):
         redirect_uri = 'http://localhost'
         # create a user
diff --git a/apps/dot_ext/tests/test_form_oauth2.py b/apps/dot_ext/tests/test_form_oauth2.py
index abd5c77f3..5b7fe760e 100644
--- a/apps/dot_ext/tests/test_form_oauth2.py
+++ b/apps/dot_ext/tests/test_form_oauth2.py
@@ -4,7 +4,7 @@
 from .demographic_scopes_test_cases import FORM_OAUTH2_SCOPES_TEST_CASES
 
 
-class TestSimpleAllowFormForm(BaseApiTest):
+class TestSimpleAllowForm(BaseApiTest):
     fixtures = ['scopes.json']
 
     def test_form(self):
diff --git a/apps/dot_ext/tests/test_models.py b/apps/dot_ext/tests/test_models.py
index 04bbda443..c6d70ce7f 100644
--- a/apps/dot_ext/tests/test_models.py
+++ b/apps/dot_ext/tests/test_models.py
@@ -4,7 +4,6 @@
 
 from django.contrib.auth.models import User
 from oauth2_provider.models import get_application_model
-from waffle.testutils import override_flag
 
 from apps.authorization.models import DataAccessGrant, ArchivedDataAccessGrant
 from apps.dot_ext.models import (
@@ -12,7 +11,7 @@
     get_application_require_demographic_scopes_count,
 )
 from apps.logging.utils import redirect_loggers, cleanup_logger, get_log_content
-from apps.test import BaseApiTest, flag_is_active
+from apps.test import BaseApiTest
 
 
 class TestDotExtModels(BaseApiTest):
@@ -22,14 +21,11 @@ def setUp(self):
     def tearDown(self):
         cleanup_logger(self.logger_registry)
 
-    @override_flag('limit_data_access', active=True)
     def test_application_data_access_fields(self):
         """
         Test the CRUD operations & validation
         on new data access fields from apps.dot_ext.models
         """
-        assert flag_is_active('limit_data_access')
-
         # Create dev user for tests.
         dev_user = self._create_user("john", "123456")
 
@@ -69,13 +65,10 @@ def test_application_data_access_fields(self):
             test_app.data_access_type = "BAD_DATA_ACCESS_TYPE"
             test_app.save()
 
-    @override_flag('limit_data_access', active=True)
     def test_application_data_access_type_change(self):
         """
         Test the application.data_access_type change, make sure the change is logged
         """
-        assert flag_is_active('limit_data_access')
-
         # Create dev user for tests.
         dev_user = self._create_user("john", "123456")
 
@@ -113,13 +106,10 @@ def test_application_data_access_type_change(self):
         self.assertEqual(log_entry_json['data_access_type_old'], "THIRTEEN_MONTH")
         self.assertEqual(log_entry_json['data_access_type_new'], "RESEARCH_STUDY")
 
-    @override_flag('limit_data_access', active=False)
     def test_application_data_access_type_change_switch_off(self):
         """
         Test the application.data_access_type change, access grants will not be affected
         """
-        assert (not flag_is_active('limit_data_access'))
-
         # Create dev user for tests.
         dev_user = self._create_user("john", "123456")
 
diff --git a/apps/dot_ext/tests/test_verify_bfd_headers.py b/apps/dot_ext/tests/test_verify_bfd_headers.py
index 84da3c887..a52af5abc 100644
--- a/apps/dot_ext/tests/test_verify_bfd_headers.py
+++ b/apps/dot_ext/tests/test_verify_bfd_headers.py
@@ -63,6 +63,7 @@ def _create_test_token(self, user, application):
             "scope": application.scopes().split(" "),
             "expires_in": 86400,
             "allow": True,
+            "share_demographic_scopes": True
         }
         if application.authorization_grant_type == Application.GRANT_IMPLICIT:
             payload["response_type"] = "token"
diff --git a/apps/dot_ext/tests/test_views.py b/apps/dot_ext/tests/test_views.py
index 4018606bd..b5250877c 100644
--- a/apps/dot_ext/tests/test_views.py
+++ b/apps/dot_ext/tests/test_views.py
@@ -1,6 +1,5 @@
 import json
 import base64
-import unittest
 from datetime import date, timedelta
 
 from django.conf import settings
@@ -163,20 +162,8 @@ def test_post_with_restricted_scopes_issues_token_with_same_scopes(self):
         # and here we test that only the capability-a scope has been issued
         self.assertEqual(content["scope"], "capability-a")
 
-    @unittest.skip("Broke with quick fix")
-    def test_post_with_share_demographic_scopes(self):
-        # Test with-out new_auth switch
-        self.testing_post_with_share_demographic_scopes()
-
-    @unittest.skip("Broke with quick fix")
-    @override_switch("new_auth", active=True)
-    def test_post_with_share_demographic_scopes_new_auth_switch(self):
-        # Test with new_auth switch.
-        self.testing_post_with_share_demographic_scopes()
-
-    @unittest.skip("Broke with quick fix")
     @override_switch("require-scopes", active=True)
-    def testing_post_with_share_demographic_scopes(self):
+    def test_post_with_share_demographic_scopes(self):
         """
         Test authorization related to different, beneficiary "share_demographic_scopes",
         application.require_demographic_scopes, and requested scopes values.
diff --git a/apps/dot_ext/urls.py b/apps/dot_ext/urls.py
index 16a7ba683..99fbed41d 100644
--- a/apps/dot_ext/urls.py
+++ b/apps/dot_ext/urls.py
@@ -15,6 +15,7 @@
     ),
     path("token/", views.TokenView.as_view(), name="token"),
     path("revoke_token/", views.RevokeTokenView.as_view(), name="revoke-token"),
+    path("revoke/", views.RevokeView.as_view(), name="revoke"),
     path("introspect/", views.IntrospectTokenView.as_view(), name="introspect"),
 ]
 
diff --git a/apps/dot_ext/v2/urls.py b/apps/dot_ext/v2/urls.py
index b02112ba3..91ba471b3 100755
--- a/apps/dot_ext/v2/urls.py
+++ b/apps/dot_ext/v2/urls.py
@@ -15,6 +15,7 @@
     ),
     path("token/", views.TokenView.as_view(), name="token-v2"),
     path("revoke_token/", views.RevokeTokenView.as_view(), name="revoke-token-v2"),
+    path("revoke/", views.RevokeView.as_view(), name="revoke-v2"),
     path("introspect/", views.IntrospectTokenView.as_view(), name="introspect-v2"),
 ]
 
diff --git a/apps/dot_ext/views/__init__.py b/apps/dot_ext/views/__init__.py
index bce5a9c09..da038284b 100644
--- a/apps/dot_ext/views/__init__.py
+++ b/apps/dot_ext/views/__init__.py
@@ -1,2 +1,2 @@
 from .application import ApplicationRegistration, ApplicationUpdate, ApplicationDelete  # NOQA
-from .authorization import AuthorizationView, ApprovalView, TokenView, RevokeTokenView, IntrospectTokenView  # NOQA
+from .authorization import AuthorizationView, ApprovalView, TokenView, RevokeTokenView, RevokeView, IntrospectTokenView  # NOQA
diff --git a/apps/dot_ext/views/authorization.py b/apps/dot_ext/views/authorization.py
index 770fa395e..0e09478cf 100644
--- a/apps/dot_ext/views/authorization.py
+++ b/apps/dot_ext/views/authorization.py
@@ -3,9 +3,6 @@
 from datetime import datetime, timedelta
 from time import strftime
 
-import waffle
-from waffle import get_waffle_flag_model
-
 from django.http.response import HttpResponse, HttpResponseBadRequest
 from django.template.response import TemplateResponse
 from django.utils.decorators import method_decorator
@@ -20,9 +17,10 @@
     IntrospectTokenView as DotIntrospectTokenView,
 )
 from oauth2_provider.models import get_application_model
+from oauthlib.oauth2 import AccessDeniedError
 from oauthlib.oauth2.rfc6749.errors import InvalidClientError, InvalidGrantError
 from urllib.parse import urlparse, parse_qs
-
+import html
 from apps.dot_ext.scopes import CapabilitiesScopes
 import apps.logging.request_logger as bb2logging
 
@@ -116,19 +114,8 @@ def sensitive_info_check(self, request):
                 break
         return result
 
-    # TODO: Clean up use of the require-scopes feature flag  and multiple templates, when no longer required.
     def get_template_names(self):
-        flag = get_waffle_flag_model().get("limit_data_access")
-        if waffle.switch_is_active('require-scopes'):
-            if flag.rollout or (flag.id is not None and flag.is_active_for_user(self.application.user)):
-                return ["design_system/new_authorize_v2.html"]
-            else:
-                return ["design_system/authorize_v2.html"]
-        else:
-            if flag.rollout or (flag.id is not None and flag.is_active_for_user(self.user)):
-                return ["design_system/new_authorize_v2.html"]
-            else:
-                return ["design_system/authorize.html"]
+        return ["design_system/new_authorize_v2.html"]
 
     def get_initial(self):
         initial_data = super().get_initial()
@@ -179,13 +166,19 @@ def form_valid(self, form):
         refresh_token_delete_cnt = 0
 
         try:
+            if not scopes:
+                # Since the create_authorization_response will re-inject scopes even when none are
+                # valid, we want to pre-emptively treat this as an error case
+                raise OAuthToolkitError(
+                    error=AccessDeniedError(state=credentials.get("state", None)), redirect_uri=credentials["redirect_uri"]
+                )
             uri, headers, body, status = self.create_authorization_response(
                 request=self.request, scopes=scopes, credentials=credentials, allow=allow
             )
         except OAuthToolkitError as error:
             response = self.error_response(error, application)
 
-            if allow is False:
+            if allow is False or not scopes:
                 (data_access_grant_delete_cnt,
                  access_token_delete_cnt,
                  refresh_token_delete_cnt) = remove_application_user_pair_tokens_data_access(application, self.request.user)
@@ -322,13 +315,12 @@ def post(self, request, *args, **kwargs):
                             application=app
                         )
                         if dag.expiration_date is not None:
-                            dag_expiry = strftime('%Y-%m-%d %H:%M:%SZ', dag.expiration_date.timetuple())
+                            dag_expiry = strftime('%Y-%m-%dT%H:%M:%SZ', dag.expiration_date.timetuple())
                     except DataAccessGrant.DoesNotExist:
                         dag_expiry = ""
-
                 elif app.data_access_type == "ONE_TIME":
                     expires_at = datetime.utcnow() + timedelta(seconds=body['expires_in'])
-                    dag_expiry = expires_at.strftime('%Y-%m-%d %H:%M:%SZ')
+                    dag_expiry = expires_at.strftime('%Y-%m-%dT%H:%M:%SZ')
                 elif app.data_access_type == "RESEARCH_STUDY":
                     dag_expiry = ""
 
@@ -354,6 +346,40 @@ def post(self, request, *args, **kwargs):
         return super().post(request, args, kwargs)
 
 
+@method_decorator(csrf_exempt, name="dispatch")
+class RevokeView(DotRevokeTokenView):
+
+    @method_decorator(sensitive_post_parameters("password"))
+    def post(self, request, *args, **kwargs):
+        at_model = get_access_token_model()
+        try:
+            app = validate_app_is_active(request)
+        except (InvalidClientError, InvalidGrantError) as error:
+            return json_response_from_oauth2_error(error)
+
+        tkn = request.POST.get('token')
+        if tkn is not None:
+            escaped_tkn = html.escape(tkn)
+        else:
+            escaped_tkn = ""
+
+        try:
+            token = at_model.objects.get(token=tkn)
+        except at_model.DoesNotExist:
+            log.debug(f"Token {escaped_tkn} was not found.")
+
+        try:
+            dag = DataAccessGrant.objects.get(
+                beneficiary=token.user,
+                application=app
+            )
+            dag.delete()
+        except Exception:
+            log.debug(f"DAG lookup failed for token {escaped_tkn}.")
+
+        return super().post(request, args, kwargs)
+
+
 @method_decorator(csrf_exempt, name="dispatch")
 class IntrospectTokenView(DotIntrospectTokenView):
 
diff --git a/apps/fhir/bluebutton/tests/test_utils.py b/apps/fhir/bluebutton/tests/test_utils.py
index e21a6af56..7da820379 100644
--- a/apps/fhir/bluebutton/tests/test_utils.py
+++ b/apps/fhir/bluebutton/tests/test_utils.py
@@ -309,7 +309,7 @@ def test_oauth_resource_xml(self):
         """
         request = self.factory.get('/cmsblue/fhir/v1/metadata')
 
-        result = build_oauth_resource(request, False, "xml")
+        result = build_oauth_resource(request, "xml")
 
         expected = "<cors>true</cors>"
 
diff --git a/apps/fhir/bluebutton/utils.py b/apps/fhir/bluebutton/utils.py
index d5fcbb438..00bc2648b 100644
--- a/apps/fhir/bluebutton/utils.py
+++ b/apps/fhir/bluebutton/utils.py
@@ -599,14 +599,14 @@ def get_response_text(fhir_response=None):
         return text_in
 
 
-def build_oauth_resource(request, v2=False, format_type="json"):
+def build_oauth_resource(request, format_type="json"):
     """
     Create a resource entry for oauth endpoint(s) for insertion
     into the conformance/capabilityStatement
 
     :return: security
     """
-    endpoints = build_endpoint_info(OrderedDict(), v2, issuer=base_issuer(request))
+    endpoints = build_endpoint_info(OrderedDict(), issuer=base_issuer(request))
 
     if format_type.lower() == "xml":
 
@@ -636,12 +636,16 @@ def build_oauth_resource(request, v2=False, format_type="json"):
         <extension url="authorize">
             <valueUri>%s</valueUri>
         </extension>
+        <extension url="revoke">
+            <valueUri>%s</valueUri>
+        </extension>
     </extension>
 
 </security>
         """ % (
             endpoints["token_endpoint"],
             endpoints["authorization_endpoint"],
+            endpoints["revocation_endpoint"],
         )
 
     else:  # json
@@ -680,6 +684,7 @@ def build_oauth_resource(request, v2=False, format_type="json"):
                         "url": "authorize",
                         "valueUri": endpoints["authorization_endpoint"],
                     },
+                    {"url": "revoke", "valueUri": endpoints["revocation_endpoint"]},
                 ],
             }
         ]
diff --git a/apps/fhir/bluebutton/views/home.py b/apps/fhir/bluebutton/views/home.py
index 02015a273..553d3ea89 100644
--- a/apps/fhir/bluebutton/views/home.py
+++ b/apps/fhir/bluebutton/views/home.py
@@ -66,7 +66,7 @@ def fhir_conformance(request, via_oauth=False, v2=False, *args):
     od = conformance_filter(text_out)
 
     # Append Security to ConformanceStatement
-    security_endpoint = build_oauth_resource(request, v2, format_type="json")
+    security_endpoint = build_oauth_resource(request, format_type="json")
     od['rest'][0]['security'] = security_endpoint
     # Fix format values
     od['format'] = ['application/json', 'application/fhir+json']
diff --git a/apps/integration_tests/log_event_schemas.py b/apps/integration_tests/log_event_schemas.py
index a68535afe..dd2b840af 100755
--- a/apps/integration_tests/log_event_schemas.py
+++ b/apps/integration_tests/log_event_schemas.py
@@ -46,7 +46,7 @@
         "auth_client_id": {"type": "string"},
         "auth_app_id": {"type": "string"},
         "auth_app_name": {"pattern": "TestApp"},
-        "auth_app_data_access_type": {"pattern": "RESEARCH_STUDY"},
+        "auth_app_data_access_type": {"pattern": "THIRTEEN_MONTH"},
         "auth_share_demographic_scopes": {"pattern": "^True$"},
         "auth_require_demographic_scopes": {"pattern": "^True$"},
     },
@@ -94,7 +94,7 @@
         "auth_client_id": {"type": "string"},
         "auth_app_id": {"type": "string"},
         "auth_app_name": {"pattern": "TestApp"},
-        "auth_app_data_access_type": {"pattern": "RESEARCH_STUDY"},
+        "auth_app_data_access_type": {"pattern": "THIRTEEN_MONTH"},
         "auth_require_demographic_scopes": {"pattern": "^True$"},
         "req_qparam_client_id": {"type": "string"},
         "req_qparam_lang": {"type": "string"},
@@ -129,7 +129,7 @@
         "auth_client_id": {"type": "string"},
         "auth_app_id": {"type": "string"},
         "auth_app_name": {"pattern": "TestApp"},
-        "auth_app_data_access_type": {"pattern": "RESEARCH_STUDY"},
+        "auth_app_data_access_type": {"pattern": "THIRTEEN_MONTH"},
         "auth_require_demographic_scopes": {"pattern": "^True$"},
         "path": {"pattern": "/mymedicare/login"},
         "request_method": {"pattern": "GET"},
@@ -158,7 +158,7 @@
         "auth_client_id": {"type": "string"},
         "auth_app_id": {"type": "string"},
         "auth_app_name": {"pattern": "TestApp"},
-        "auth_app_data_access_type": {"pattern": "RESEARCH_STUDY"},
+        "auth_app_data_access_type": {"pattern": "THIRTEEN_MONTH"},
         "auth_crosswalk_action": {"enum": ["R", "C"]},
         "auth_require_demographic_scopes": {"pattern": "^True$"},
         "req_user_id": {"type": "number"},
@@ -195,7 +195,7 @@
         "auth_client_id": {"type": "string"},
         "auth_app_id": {"type": "string"},
         "auth_app_name": {"pattern": "TestApp"},
-        "auth_app_data_access_type": {"pattern": "RESEARCH_STUDY"},
+        "auth_app_data_access_type": {"pattern": "THIRTEEN_MONTH"},
         "auth_crosswalk_action": {"enum": ["R", "C"]},
         "auth_require_demographic_scopes": {"pattern": "^True$"},
         "req_qparam_client_id": {"type": "string"},
@@ -235,13 +235,13 @@
         "auth_client_id": {"type": "string"},
         "auth_app_id": {"type": "string"},
         "auth_app_name": {"pattern": "TestApp"},
-        "auth_app_data_access_type": {"pattern": "RESEARCH_STUDY"},
+        "auth_app_data_access_type": {"pattern": "THIRTEEN_MONTH"},
         "auth_crosswalk_action": {"enum": ["R", "C"]},
         "auth_require_demographic_scopes": {"pattern": "^True$"},
         "req_redirect_uri": {"type": "string"},
         "req_scope": {"type": "string"},
         "req_share_demographic_scopes": {"pattern": "^True$"},
-        "req_allow": {"pattern": "Allow"},
+        "req_allow": {"pattern": "Connect"},
         "req_user_id": {"type": "integer"},
         "req_user_username": {"type": "string"},
         "req_fhir_id": {"type": "string"},
diff --git a/apps/integration_tests/selenium_cases.py b/apps/integration_tests/selenium_cases.py
index fc04aea93..e5cd24525 100755
--- a/apps/integration_tests/selenium_cases.py
+++ b/apps/integration_tests/selenium_cases.py
@@ -576,16 +576,17 @@ class Action(Enum):
             "params": [20, By.ID, AUTH_SCREEN_ID_LANG, AUTH_SCREEN_EN_TXT]
         },
         # now check the expiration info section
-        {
-            "display": "Check for authorization screen expire info in English",
-            "action": Action.CONTAIN_TEXT,
-            "params": [20, By.ID, AUTH_SCREEN_ID_EXPIRE_INFO, AUTH_SCREEN_EN_EXPIRE_INFO_TXT]
-        },
-        {
-            "display": "Check en_US date format and validate",
-            "action": Action.CHECK_DATE_FORMAT,
-            "params": [20, By.ID, AUTH_SCREEN_ID_END_DATE, AUTH_SCREEN_EN_DATE_FORMAT, EN_US]
-        },
+        # comment out due to PROD TestApp now is RESEARCH_STUDY which does not have expire info
+        # {
+        #     "display": "Check for authorization screen expire info in English",
+        #     "action": Action.CONTAIN_TEXT,
+        #     "params": [20, By.ID, AUTH_SCREEN_ID_EXPIRE_INFO, AUTH_SCREEN_EN_EXPIRE_INFO_TXT]
+        # },
+        # {
+        #     "display": "Check en_US date format and validate",
+        #     "action": Action.CHECK_DATE_FORMAT,
+        #     "params": [20, By.ID, AUTH_SCREEN_ID_END_DATE, AUTH_SCREEN_EN_DATE_FORMAT, EN_US]
+        # },
         # the 'approve' and 'deny' button click not using locale based text
         # so it is lang agnostic
         CLICK_AGREE_ACCESS
@@ -644,16 +645,17 @@ class Action(Enum):
             "params": [20, By.ID, AUTH_SCREEN_ID_LANG, AUTH_SCREEN_ES_TXT]
         },
         # now check the expiration info section
-        {
-            "display": "Check for authorization screen expire info in Spanish",
-            "action": Action.CONTAIN_TEXT,
-            "params": [20, By.ID, AUTH_SCREEN_ID_EXPIRE_INFO, AUTH_SCREEN_ES_EXPIRE_INFO_TXT]
-        },
-        {
-            "display": "Check Spanish date format and validate",
-            "action": Action.CHECK_DATE_FORMAT,
-            "params": [20, By.ID, AUTH_SCREEN_ID_END_DATE, AUTH_SCREEN_ES_DATE_FORMAT, ES_ES]
-        },
+        # comment out due to on PROD TestApp is RESEARCH_STUDY which does not have expire info
+        # {
+        #     "display": "Check for authorization screen expire info in Spanish",
+        #     "action": Action.CONTAIN_TEXT,
+        #     "params": [20, By.ID, AUTH_SCREEN_ID_EXPIRE_INFO, AUTH_SCREEN_ES_EXPIRE_INFO_TXT]
+        # },
+        # {
+        #     "display": "Check Spanish date format and validate",
+        #     "action": Action.CHECK_DATE_FORMAT,
+        #     "params": [20, By.ID, AUTH_SCREEN_ID_END_DATE, AUTH_SCREEN_ES_DATE_FORMAT, ES_ES]
+        # },
         # the 'approve' and 'deny' button click not using locale based text
         # so it is lang agnostic
         CLICK_AGREE_ACCESS
@@ -672,16 +674,16 @@ class Action(Enum):
             "params": [20, By.ID, AUTH_SCREEN_ID_LANG, AUTH_SCREEN_ES_TXT]
         },
         # now check the expiration info section
-        {
-            "display": "Check for authorization screen expire info in Spanish",
-            "action": Action.CONTAIN_TEXT,
-            "params": [20, By.ID, AUTH_SCREEN_ID_EXPIRE_INFO, AUTH_SCREEN_ES_EXPIRE_INFO_TXT]
-        },
-        {
-            "display": "Check Spanish date format and validate",
-            "action": Action.CHECK_DATE_FORMAT,
-            "params": [20, By.ID, AUTH_SCREEN_ID_END_DATE, AUTH_SCREEN_ES_DATE_FORMAT, ES_ES]
-        },
+        # {
+        #     "display": "Check for authorization screen expire info in Spanish",
+        #     "action": Action.CONTAIN_TEXT,
+        #     "params": [20, By.ID, AUTH_SCREEN_ID_EXPIRE_INFO, AUTH_SCREEN_ES_EXPIRE_INFO_TXT]
+        # },
+        # {
+        #     "display": "Check Spanish date format and validate",
+        #     "action": Action.CHECK_DATE_FORMAT,
+        #     "params": [20, By.ID, AUTH_SCREEN_ID_END_DATE, AUTH_SCREEN_ES_DATE_FORMAT, ES_ES]
+        # },
         # the 'approve' and 'deny' button click not using locale based text
         # so it is lang agnostic
         CLICK_AGREE_ACCESS
diff --git a/apps/integration_tests/selenium_generic.py b/apps/integration_tests/selenium_generic.py
index f10c105cd..4ca02e488 100644
--- a/apps/integration_tests/selenium_generic.py
+++ b/apps/integration_tests/selenium_generic.py
@@ -9,6 +9,7 @@
 from selenium.webdriver.support import expected_conditions as EC
 from selenium.webdriver.support.wait import WebDriverWait
 from selenium.webdriver.common.keys import Keys
+from selenium.webdriver.chrome.service import Service
 from .common_utils import extract_href_from_html, extract_last_part_of_url
 
 from .selenium_cases import (
@@ -50,10 +51,15 @@ def setup_method(self, method):
         else:
             print("driver_ready={}".format(SeleniumGenericTests.driver_ready))
 
+        self.on_remote_ci = os.getenv('ON_REMOTE_CI', 'false')
+        self.selenium_grid_host = os.getenv('SELENIUM_GRID_HOST', "chrome")
+        self.selenium_grid = os.getenv('SELENIUM_GRID', "false")
         self.hostname_url = os.environ['HOSTNAME_URL']
         self.use_mslsx = os.environ['USE_MSLSX']
         self.login_seq = SEQ_LOGIN_MSLSX if self.use_mslsx == 'true' else SEQ_LOGIN_SLSX
-        print("use_mslsx={},  hostname_url={}".format(self.use_mslsx, self.hostname_url))
+        msg_fmt = "use_mslsx={}, hostname_url={}, selenium_grid={}"
+        msg = msg_fmt.format(self.use_mslsx, self.hostname_url, self.selenium_grid)
+        print(msg)
 
         opt = webdriver.ChromeOptions()
         opt.add_argument("--disable-dev-shm-usage")
@@ -67,8 +73,20 @@ def setup_method(self, method):
         opt.add_argument('--allow-insecure-localhost')
         opt.add_argument("--whitelisted-ips=''")
 
-        self.driver = webdriver.Remote(
-            command_executor='http://chrome:4444/wd/hub', options=opt)
+        if self.selenium_grid.lower() == 'true':
+            # selenium hub
+            hub_url = "http://{}:4444/wd/hub".format(self.selenium_grid_host)
+            print("RemoteDriver: grid hub url={}".format(hub_url))
+            opt.binary_location = "/usr/bin/chromium"
+            self.driver = webdriver.Remote(
+                command_executor=hub_url, options=opt)
+        else:
+            driver_exec = '/usr/local/bin/chromedriver' if self.on_remote_ci.lower() == 'true' else '/usr/bin/chromedriver'
+            print("Chrome Driver, location={}".format(driver_exec))
+            opt.add_argument("--window-size=1920,980")
+            opt.add_argument("--headless")
+            ser = Service(driver_exec)
+            self.driver = webdriver.Chrome(service=ser, options=opt)
 
         self.actions = {
             Action.LOAD_PAGE: self._load_page,
diff --git a/apps/logging/loggers.py b/apps/logging/loggers.py
index f94054f0d..15446198f 100644
--- a/apps/logging/loggers.py
+++ b/apps/logging/loggers.py
@@ -20,7 +20,6 @@
 from apps.accounts.models import get_developer_counts
 
 from apps.logging.utils import format_timestamp
-from waffle import get_waffle_flag_model
 
 """
   Logger functions for logging module
@@ -340,9 +339,6 @@ def log_global_state_metrics(group_timestamp=None, report_flag=True):
 
         grant_counts = get_grant_bene_counts(application=app)
 
-        flag = get_waffle_flag_model().get("limit_data_access")
-        user_limit_data_access = flag.rollout or (flag.is_active_for_user(app.user) if flag.id is not None else None)
-
         log_dict = {
             "type": "global_state_metrics_per_app",
             "group_timestamp": group_timestamp,
@@ -390,7 +386,7 @@ def log_global_state_metrics(group_timestamp=None, report_flag=True):
             "user_date_joined": format_timestamp(app.user.date_joined),
             "user_last_login": format_timestamp(app.user.last_login),
             "user_organization": getattr(user_profile, "organization_name", None),
-            "user_limit_data_access": user_limit_data_access
+            "user_limit_data_access": True
         }
 
         logger.info(log_dict, cls=DjangoJSONEncoder)
diff --git a/apps/logging/management/commands/log_global_state_metrics.py b/apps/logging/management/commands/log_global_state_metrics.py
index a4c08d0ce..7f3f306c6 100644
--- a/apps/logging/management/commands/log_global_state_metrics.py
+++ b/apps/logging/management/commands/log_global_state_metrics.py
@@ -7,7 +7,7 @@
 
 class Command(BaseCommand):
     help = (
-        "Managment command to log global state type metrics when called on a schedule."
+        "Management command to log global state type metrics when called on a schedule."
     )
 
     def add_arguments(self, parser):
diff --git a/apps/logging/sensitive_logging_filters.py b/apps/logging/sensitive_logging_filters.py
new file mode 100644
index 000000000..7c7926143
--- /dev/null
+++ b/apps/logging/sensitive_logging_filters.py
@@ -0,0 +1,51 @@
+import re
+import logging
+import logging.config
+
+MBI_WITH_HYPHEN_PATTERN = r"""\b
+    [1-9](?![SLOIBZsloibz])[A-Za-z](?![SLOIBZsloibz)])[A-Za-z\d]\d
+    -(?![SLOIBZsloibz])[A-Za-z](?![SLOIBZsloibz])[A-Za-z\d]\d
+    -((?![SLOIBZsloibz])[A-Za-z]){2}\d{2}
+    \b
+    """
+
+MBI_WITHOUT_HYPHEN_PATTERN = r"""\b
+    [1-9](?![SLOIBZsloibz])[A-Za-z](?![SLOIBZsloibz)])[A-Za-z\d]\d
+    (?![SLOIBZsloibz])[A-Za-z](?![SLOIBZsloibz])[A-Za-z\d]\d
+    ((?![SLOIBZsloibzd])[A-Za-z]){2}\d{2}
+    \b"""
+
+MBI_PATTERN = f'({MBI_WITH_HYPHEN_PATTERN}|{MBI_WITHOUT_HYPHEN_PATTERN})'
+SENSITIVE_DATA_FILTER = "sensitive_data_filter"
+
+
+def mask_if_has_mbi(text):
+    return re.sub(MBI_PATTERN, '***MBI***', str(text), flags=re.VERBOSE)
+
+
+def mask_mbi(value_to_mask):
+    if isinstance(value_to_mask, str):
+        return mask_if_has_mbi(value_to_mask)
+
+    if isinstance(value_to_mask, tuple):
+        return tuple([mask_if_has_mbi(arg) for arg in value_to_mask])
+
+    if isinstance(value_to_mask, list):
+        return [mask_if_has_mbi(arg) for arg in value_to_mask]
+
+    if isinstance(value_to_mask, dict):
+        for key, value in value_to_mask.items():
+            value_to_mask[key] = mask_mbi(value)
+
+    return value_to_mask
+
+
+class SensitiveDataFilter(logging.Filter):
+
+    def filter(self, record):
+        try:
+            record.args = mask_mbi(record.args)
+            record.msg = mask_mbi(record.msg)
+            return True
+        except Exception:
+            pass
diff --git a/apps/logging/tests/test_loggers_management_command.py b/apps/logging/tests/test_loggers_management_command.py
index e7458914d..4d95ee70b 100644
--- a/apps/logging/tests/test_loggers_management_command.py
+++ b/apps/logging/tests/test_loggers_management_command.py
@@ -16,9 +16,7 @@
 from apps.fhir.bluebutton.models import Crosswalk, ArchivedCrosswalk
 import apps.logging.request_logger as logging
 from apps.logging.utils import redirect_loggers, cleanup_logger, get_log_content
-from apps.test import BaseApiTest, flag_is_active
-# waffle override_flag decorator make flag true or false for everyone
-from waffle.testutils import override_flag
+from apps.test import BaseApiTest
 
 from .audit_logger_schemas import (
     GLOBAL_STATE_METRICS_LOG_SCHEMA,
@@ -316,10 +314,7 @@ def _validate_global_state_per_app_metrics_log(self, validate_apps_dict):
                 )
             )
 
-    @override_flag('limit_data_access', active=True)
     def test_management_command_logging(self):
-        assert flag_is_active('limit_data_access')
-
         """
         Setup variety of real/synth users, apps and grants for testing global state metrics logging.
         """
diff --git a/apps/wellknown/tests.py b/apps/wellknown/tests.py
index 059d3ada0..9cc0fc648 100644
--- a/apps/wellknown/tests.py
+++ b/apps/wellknown/tests.py
@@ -21,8 +21,8 @@ def test_valid_response(self):
         response = self.client.get(self.url)
         self.assertEqual(response.status_code, 200)
         self.assertContains(
-            response, reverse('oauth2_provider:token'))
-        self.assertContains(response, reverse('openid_connect_userinfo'))
+            response, reverse('oauth2_provider_v2:token-v2'))
+        self.assertContains(response, reverse('openid_connect_userinfo_v2'))
         self.assertContains(response, "response_types_supported")
         self.assertContains(response, getattr(settings, 'HOSTNAME_URL'))
         response_content = response.content
diff --git a/apps/wellknown/views/__init__.py b/apps/wellknown/views/__init__.py
index ad4db96d2..329343281 100644
--- a/apps/wellknown/views/__init__.py
+++ b/apps/wellknown/views/__init__.py
@@ -1,3 +1,3 @@
-from .openid import openid_configuration, base_issuer, build_endpoint_info  # NOQA
+from .openid import openid_configuration, smart_configuration, base_issuer, build_endpoint_info  # NOQA
 from .application import ApplicationListView, ApplicationLabelView  # NOQA
 from .public_applications import ApplicationListView as PublicApplicationListView  # NOQA
diff --git a/apps/wellknown/views/openid.py b/apps/wellknown/views/openid.py
index ef54710ad..f40f6231b 100644
--- a/apps/wellknown/views/openid.py
+++ b/apps/wellknown/views/openid.py
@@ -9,6 +9,16 @@
 import apps.logging.request_logger as bb2logging
 
 logger = logging.getLogger(bb2logging.HHS_SERVER_LOGNAME_FMT.format(__name__))
+SCOPES_SUPPORTED = ["profile", "patient/Patient.read", "patient/ExplanationOfBenefit.read", "patient/Coverage.read"]
+CODE_CHALLENGE_METHODS_SUPPORTED = ["S256"]
+CAPABILITIES = [
+    "client-confidential-symmetric",
+    "launch-standalone",
+    "permission-offline",
+    "permission-patient",
+    "permission-v1",
+    "authorize-post"
+]
 
 
 @require_GET
@@ -18,8 +28,18 @@ def openid_configuration(request):
     """
     data = OrderedDict()
     issuer = base_issuer(request)
-    v2 = request.path.endswith('openid-configuration-v2') or request.path.endswith('openidConfigV2')
-    data = build_endpoint_info(data, issuer=issuer, v2=v2)
+    data = build_endpoint_info(data, issuer=issuer)
+    return JsonResponse(data)
+
+
+@require_GET
+def smart_configuration(request):
+    """
+    Views that returns smart_configuration.
+    """
+    data = OrderedDict()
+    issuer = base_issuer(request)
+    data = build_smart_config_endpoint(data, issuer=issuer)
     return JsonResponse(data)
 
 
@@ -50,7 +70,7 @@ def base_issuer(request):
     return issuer
 
 
-def build_endpoint_info(data=OrderedDict(), v2=False, issuer=""):
+def build_endpoint_info(data=OrderedDict(), issuer=""):
     """
     construct the data package
     issuer should be http: or https:// prefixed url.
@@ -60,11 +80,12 @@ def build_endpoint_info(data=OrderedDict(), v2=False, issuer=""):
     """
     data["issuer"] = issuer
     data["authorization_endpoint"] = issuer + \
-        reverse('oauth2_provider:authorize' if not v2 else 'oauth2_provider_v2:authorize-v2')
+        reverse('oauth2_provider_v2:authorize-v2')
+    data["revocation_endpoint"] = issuer + reverse('oauth2_provider_v2:revoke-token-v2')
     data["token_endpoint"] = issuer + \
-        reverse('oauth2_provider:token' if not v2 else 'oauth2_provider_v2:token-v2')
+        reverse('oauth2_provider_v2:token-v2')
     data["userinfo_endpoint"] = issuer + \
-        reverse('openid_connect_userinfo' if not v2 else 'openid_connect_userinfo_v2')
+        reverse('openid_connect_userinfo_v2')
     data["ui_locales_supported"] = ["en-US", ]
     data["service_documentation"] = getattr(settings,
                                             'DEVELOPER_DOCS_URI',
@@ -81,5 +102,29 @@ def build_endpoint_info(data=OrderedDict(), v2=False, issuer=""):
 
     data["response_types_supported"] = ["code", "token"]
     data["fhir_metadata_uri"] = issuer + \
-        reverse('fhir_conformance_metadata' if not v2 else 'fhir_conformance_metadata_v2')
+        reverse('fhir_conformance_metadata_v2')
+    return data
+
+
+def build_smart_config_endpoint(data=OrderedDict(), issuer=""):
+    """
+    construct the smart config endpoint response. Takes in output of build_endpoint_info since they share many fields
+    issuer should be http: or https:// prefixed url.
+
+    :param data:
+    :return:
+    """
+
+    data = build_endpoint_info(data, issuer=issuer)
+    del (data["issuer"])
+    del (data["userinfo_endpoint"])
+    del (data["ui_locales_supported"])
+    del (data["service_documentation"])
+    del (data["op_tos_uri"])
+    del (data["fhir_metadata_uri"])
+    data["grant_types_supported"].remove("refresh_token")
+    data["scopes_supported"] = SCOPES_SUPPORTED
+    data["code_challenge_methods_supported"] = CODE_CHALLENGE_METHODS_SUPPORTED
+    data["capabilities"] = CAPABILITIES
+
     return data
diff --git a/docker-compose.selenium.remote.yml b/docker-compose.selenium.remote.yml
index 683729f6d..59e8108fd 100644
--- a/docker-compose.selenium.remote.yml
+++ b/docker-compose.selenium.remote.yml
@@ -12,7 +12,7 @@ services:
       - chrome
 
   chrome:
-    image: seleniarm/standalone-chromium
+    image: selenium/standalone-chromium
     hostname: chrome
     ports:
       - "4444:4444"
diff --git a/docker-compose.selenium.yml b/docker-compose.selenium.yml
index a2b156421..f05b58072 100755
--- a/docker-compose.selenium.yml
+++ b/docker-compose.selenium.yml
@@ -17,7 +17,7 @@ services:
         condition: service_started
 
   chrome:
-    image: seleniarm/standalone-chromium
+    image: selenium/standalone-chromium
     hostname: chrome
     ports:
       - "4444:4444"
@@ -50,6 +50,8 @@ services:
   bb2slsx:
     build: .
     command: ./docker-compose/bluebutton_server_start.sh
+    environment:
+      - DJANGO_SETTINGS_MODULE=${DJANGO_SETTINGS_MODULE}
     env_file:
       # local devel specific variables go here!
       - .env
diff --git a/docker-compose/run_selenium_tests_local.sh b/docker-compose/run_selenium_tests_local.sh
index a1fa8522f..5f38c026c 100755
--- a/docker-compose/run_selenium_tests_local.sh
+++ b/docker-compose/run_selenium_tests_local.sh
@@ -40,6 +40,8 @@ display_usage() {
     echo
     echo "-h     Print this Help."
     echo "-p     Use new permissions screen (defaults to old style screen)."
+    echo "-g     Selenium grid used - hub on port 4444."
+    echo "-t     Show test case actions on std out."
     echo
 }
 
@@ -77,17 +79,26 @@ export SERVICE_NAME="selenium-tests"
 export TESTS_LIST="./apps/integration_tests/selenium_tests.py ./apps/integration_tests/selenium_spanish_tests.py"
 export DJANGO_SETTINGS_MODULE="hhs_oauth_server.settings.dev"
 export BB2_SERVER_STD2FILE=""
+# selenium grid
+export SELENIUM_GRID=false
+# Show test actions on std out : pytest -s
+PYTEST_SHOW_TRACE_OPT=''
 
-set_slsx
+# this seems been overridden by set_msls below - comment out for removal
+# set_slsx
 
 # Parse command line option
-while getopts "hp" option; do
+while getopts "hpgt" option; do
    case $option in
       h)
          display_usage
          exit;;
       p)
          export USE_NEW_PERM_SCREEN=true;;
+      g)
+        export SELENIUM_GRID=true;;
+      t)
+        export PYTEST_SHOW_TRACE_OPT='-s';;
      \?)
          display_usage
          exit;;
@@ -96,6 +107,7 @@ done
 
 eval last_arg=\$$#
 
+# the default is to use mock login - e.g. for account mgmt tests and logging integration tests
 set_msls
 
 # Parse command line option
@@ -139,6 +151,7 @@ fi
 
 echo "DJANGO_SETTINGS_MODULE: " ${DJANGO_SETTINGS_MODULE}
 echo "HOSTNAME_URL: " ${HOSTNAME_URL}
+echo "Selenium grid=" ${SELENIUM_GRID}
 
 # Set SYSTEM
 SYSTEM=$(uname -s)
@@ -214,7 +227,7 @@ echo "MSLSX=" ${USE_MSLSX}
 echo "SERVICE NAME=" ${SERVICE_NAME}
 echo "USE_NEW_PERM_SCREEN=" ${USE_NEW_PERM_SCREEN}
 
-docker-compose -f docker-compose.selenium.yml run --service-ports ${SERVICE_NAME} bash -c "pytest ${TESTS_LIST}"
+docker-compose -f docker-compose.selenium.yml run --service-ports ${SERVICE_NAME} bash -c "DJANGO_SETTINGS_MODULE=${DJANGO_SETTINGS_MODULE} SELENIUM_GRID=${SELENIUM_GRID} pytest ${PYTEST_SHOW_TRACE_OPT} ${TESTS_LIST}"
 
 #Stop containers after use
 echo_msg
diff --git a/docker-compose/run_selenium_tests_remote.sh b/docker-compose/run_selenium_tests_remote.sh
index 5c36badf3..4380fb64e 100755
--- a/docker-compose/run_selenium_tests_remote.sh
+++ b/docker-compose/run_selenium_tests_remote.sh
@@ -26,6 +26,8 @@ display_usage() {
     echo
     echo "-h     Print this Help."
     echo "-p     Test for newer permissions screen. Defaults to older screen."
+    echo "-g     Selenium grid used."
+    echo "-t     Show test case actions on std out."
     echo
     echo "Examples:"
     echo
@@ -54,15 +56,22 @@ export SERVICE_NAME="selenium-tests-remote"
 export TESTS_LIST="./apps/integration_tests/selenium_tests.py ./apps/integration_tests/selenium_spanish_tests.py"
 # BB2 service end point default (SBX)
 export HOSTNAME_URL="https://sandbox.bluebutton.cms.gov/"
+# selenium grid
+export SELENIUM_GRID=false
+# Show test actions on std out : pytest -s
+PYTEST_SHOW_TRACE_OPT=''
 
-
-while getopts "hp" option; do
+while getopts "hpgt" option; do
    case $option in
       h)
         display_usage;
         exit;;
       p)
         export USE_NEW_PERM_SCREEN=true;;
+      g)
+        export SELENIUM_GRID=true;;
+      t)
+        export PYTEST_SHOW_TRACE_OPT='-s';;
      \?)
         display_usage;
         exit;;
@@ -103,13 +112,14 @@ SYSTEM=$(uname -s)
 
 echo "USE_NEW_PERM_SCREEN=" ${USE_NEW_PERM_SCREEN}
 echo "BB2 Server URL=" ${HOSTNAME_URL}
+echo "Selenium grid=" ${SELENIUM_GRID}
 
 ## export USE_NEW_PERM_SCREEN
 export USE_MSLSX=false
 
 # stop all before run selenium remote tests
 docker-compose -f docker-compose.selenium.remote.yml down --remove-orphans
-docker-compose -f docker-compose.selenium.remote.yml run selenium-remote-tests bash -c "pytest ${TESTS_LIST}"
+docker-compose -f docker-compose.selenium.remote.yml run selenium-remote-tests bash -c "SELENIUM_GRID=${SELENIUM_GRID} pytest ${PYTEST_SHOW_TRACE_OPT} ${TESTS_LIST}"
 
 # Stop containers after use
 echo_msg
diff --git a/hhs_oauth_server/settings/base.py b/hhs_oauth_server/settings/base.py
index 533d903ac..9c17aee88 100644
--- a/hhs_oauth_server/settings/base.py
+++ b/hhs_oauth_server/settings/base.py
@@ -1,4 +1,5 @@
 import os
+from apps.logging.sensitive_logging_filters import SENSITIVE_DATA_FILTER, SensitiveDataFilter
 import dj_database_url
 import socket
 import datetime
@@ -377,6 +378,12 @@
             "console": {
                 "class": "logging.StreamHandler",
                 "formatter": "verbose",
+                "filters": [SENSITIVE_DATA_FILTER],
+            }
+        },
+        "filters": {
+            "sensitive_data_filter": {
+                "()": SensitiveDataFilter,
             }
         },
         "loggers": {
@@ -421,6 +428,10 @@
                 "handlers": ["console"],
                 "level": "INFO",
             },
+            'django': {
+                'handlers': ['console'],
+                'level': 'INFO',
+            },
         },
     },
 )
diff --git a/hhs_oauth_server/settings/logging_it.py b/hhs_oauth_server/settings/logging_it.py
index 8d68dee6e..ac3f511ff 100755
--- a/hhs_oauth_server/settings/logging_it.py
+++ b/hhs_oauth_server/settings/logging_it.py
@@ -15,13 +15,14 @@
 try:
     os.mkdir(logdir_path)
 except FileExistsError as err:
-    print("Error os.mkdir: {}".format(err))
+    print("Warning os.mkdir: {}".format(err))
 
 if logging_handlers is None:
     raise ValueError("Bad settings, expecting handlers defined in settings.LOGGING")
 
 logging_handlers['file'] = {'class': 'logging.FileHandler',
-                            'filename': logfile_path, }
+                            'filename': logfile_path,
+                            "filters": [SENSITIVE_DATA_FILTER]}
 
 loggers = LOGGING.get('loggers')
 
diff --git a/hhs_oauth_server/tests.py b/hhs_oauth_server/tests.py
index 36abf5342..9f93a6999 100644
--- a/hhs_oauth_server/tests.py
+++ b/hhs_oauth_server/tests.py
@@ -7,6 +7,10 @@
 """
 
 from django.test import TestCase
+
+from apps.logging.sensitive_logging_filters import mask_mbi
+
+
 from .utils import bool_env, TRUE_LIST, FALSE_LIST, int_env
 
 
@@ -45,3 +49,268 @@ def test_int_values(self):
         for x, y in int_list:
             result = int_env(x)
             self.assertEqual(result, y)
+
+
+class MBI_tests(TestCase):
+
+    def test_mbi_match_dict(self):
+        valid_mbi = "1EG4-TE5-MK74"
+
+        my_dict = {
+            'key1': valid_mbi,
+            'key2': {
+                'key4': valid_mbi
+            },
+            'key3': (valid_mbi, valid_mbi),
+            'key5': [valid_mbi, valid_mbi]
+        }
+
+        masked_mbi_dict = mask_mbi(my_dict)
+        masked_mbi_string = str(masked_mbi_dict)
+        self.assertIn('***MBI***', masked_mbi_string)
+        self.assertNotIn(valid_mbi, masked_mbi_string)
+
+        mbi_list = [valid_mbi, valid_mbi]
+        masked_mbi_list = mask_mbi(mbi_list)
+        self.assertIn('***MBI***', masked_mbi_list)
+        self.assertNotIn(valid_mbi, masked_mbi_list)
+
+        mbi_tuple = (valid_mbi, valid_mbi)
+        masked_mbi_tuple = mask_mbi(mbi_tuple)
+        self.assertIn('***MBI***', masked_mbi_tuple)
+        self.assertNotIn(valid_mbi, masked_mbi_tuple)
+
+    def test_mbi_match(self):
+
+        mbi_test_list = [
+            # Valid MBI
+            ("1EG4-TE5-MK74", True),
+
+            # Valid MBI Position 3 as 0
+            # Position 3 – alpha-numeric values 0 thru 9and A thru Z (minus S, L, O, I, B, Z)
+            ("1E04-TE5-MK74", True),
+
+            # Valid MBI Position 4 as 0
+            # Position 4 – numeric values 0 thru 9
+            ("1EG0-TE5-MK74", True),
+
+            # Valid MBI Position 6 as 0
+            # Position 6 – alpha-numeric values 0 thru 9and A thru Z (minus S, L, O, I, B, Z)
+            ("1EG4-T05-MK74", True),
+
+            # Valid MBI Position 7 as 0
+            # Position 7 – numeric values 0 thru 9
+            ("1EG4-TE0-MK74", True),
+
+            # Valid MBI Position 10 as 0
+            # Position 10 – numeric values 0 thru 9
+            ("1EG4-TE5-MK04", True),
+
+            # Valid MBI Position 11 as 0
+            # Position 11 – numeric values 0 thru 9
+            ("1EG4-TE5-MK70", True),
+
+
+            # Position 1 is invalid
+            # Position 1 – numeric values 1 thru 9
+            ("AEG4-TE5-MK74", False),
+
+            # Position 2 is invalid
+            # P osition 2 – alphabetic values A thru Z (minus S, L, O, I, B, Z)
+            ("1SG4-TE5-MK74", False),
+            ("1LG4-TE5-MK74", False),
+            ("1OG4-TE5-MK74", False),
+            ("1IG4-TE5-MK74", False),
+            ("1BG4-TE5-MK74", False),
+            ("1ZG4-TE5-MK74", False),
+            ("11G4-TE5-MK74", False),
+
+            # Position 3 is invalid
+            # Position 3 – alpha-numeric values 0 thru 9and A thru Z (minus S, L, O, I, B, Z)
+            ("1ES4-TE5-MK74", False),
+            ("1EL4-TE5-MK74", False),
+            ("1EO4-TE5-MK74", False),
+            ("1EI4-TE5-MK74", False),
+            ("1EB4-TE5-MK74", False),
+            ("1EZ4-TE5-MK74", False),
+
+            # Position 4 is invalid
+            # Position 4 – numeric values 0 thru 9
+            ("1EGA-TE5-MK74", False),
+
+            # Position 5 is invalid
+            # Position 5 – alphabetic values A thru Z (minus S, L, O, I, B, Z)
+            ("1EG4-1E5-MK74", False),
+            ("1EG4-SE5-MK74", False),
+            ("1EG4-LE5-MK74", False),
+            ("1EG4-OE5-MK74", False),
+            ("1EG4-IE5-MK74", False),
+            ("1EG4-BE5-MK74", False),
+            ("1EG4-ZE5-MK74", False),
+
+            # Position 6 is invalid
+            # Position 6 – alpha-numeric values 0 thru 9and A thru Z (minus S, L, O, I, B, Z)
+            ("1EG4-TS5-MK74", False),
+            ("1EG4-TL5-MK74", False),
+            ("1EG4-TO5-MK74", False),
+            ("1EG4-TI5-MK74", False),
+            ("1EG4-TB5-MK74", False),
+            ("1EG4-TZ5-MK74", False),
+
+            # Position 7 is invalid
+            # Position 7 – numeric values 0 thru 9
+            ("1EG4-TEA-MK74", False),
+
+            # Position 8 is invalid
+            # Position 8 – alphabetic values A thru Z (minus S, L, O, I, B, Z)
+            ("1EG4-TE5-1K74", False),
+            ("1EG4-TE5-SK74", False),
+            ("1EG4-TE5-LK74", False),
+            ("1EG4-TE5-OK74", False),
+            ("1EG4-TE5-IK74", False),
+            ("1EG4-TE5-BK74", False),
+            ("1EG4-TE5-ZK74", False),
+
+            # Position 9 is invalid
+            # Position 9 – alphabetic values A thru Z (minus S, L, O, I, B, Z)
+            ("1EG4-TE5-M174", False),
+            ("1EG4-TE5-MS74", False),
+            ("1EG4-TE5-ML74", False),
+            ("1EG4-TE5-MO74", False),
+            ("1EG4-TE5-MOI74", False),
+            ("1EG4-TE5-MKB4", False),
+            ("1EG4-TE5-MKZ4", False),
+
+            # Position 10 is invalid
+            # Position 10 – numeric values 0 thru 9
+            ("1EG4-TE5-MKA4", False),
+
+            # Position 11 is invalid
+            # Position 11 – numeric values 0 thru 9
+            ("1EG4-TE5-MK7A", False),
+
+            # WITHOUT HYPHEN MBI TEST CASES BELOW
+            # Valid MBI
+            ("1EG4TE5MK74", True),
+
+            # Valid MBI Position 3 as 0
+            # Position 3 – alphanumeric values 0 thru 9and A thru Z (minus S, L, O, I, B, Z)
+            ("1E04TE5MK74", True),
+
+            # Valid MBI Position 4 as 0
+            # Position 4 – numeric values 0 thru 9
+            ("1EG0TE5MK74", True),
+
+            # Valid MBI Position 6 as 0
+            # Position 6 – alphanumeric values 0 thru 9and A thru Z (minus S, L, O, I, B, Z)
+            ("1EG4T05MK74", True),
+
+            # Valid MBI Position 7 as 0
+            # Position 7 – numeric values 0 thru 9
+            ("1EG4TE0MK74", True),
+
+            # Valid MBI Position 10 as 0
+            # Position 10 – numeric values 0 thru 9
+            ("1EG4TE5MK04", True),
+
+            # Valid MBI Position 11 as 0
+            # Position 11 – numeric values 0 thru 9
+            ("1EG4TE5MK70", True),
+
+
+            # Position 1 is invalid
+            # Position 1 – numeric values 1 thru 9
+            ("AEG4TE5MK74", False),
+
+            # Position 2 is invalid
+            # P osition 2 – alphabetic values A thru Z (minus S, L, O, I, B, Z)
+            ("1SG4TE5MK74", False),
+            ("1LG4TE5MK74", False),
+            ("1OG4TE5MK74", False),
+            ("1IG4TE5MK74", False),
+            ("1BG4TE5MK74", False),
+            ("1ZG4TE5MK74", False),
+            ("11G4TE5MK74", False),
+
+            # Position 3 is invalid
+            # Position 3 – alphanumeric values 0 thru 9and A thru Z (minus S, L, O, I, B, Z)
+            ("1ES4TE5MK74", False),
+            ("1EL4TE5MK74", False),
+            ("1EO4TE5MK74", False),
+            ("1EI4TE5MK74", False),
+            ("1EB4TE5MK74", False),
+            ("1EZ4TE5MK74", False),
+
+            # Position 4 is invalid
+            # Position 4 – numeric values 0 thru 9
+            ("1EGATE5MK74", False),
+
+            # Position 5 is invalid
+            # Position 5 – alphabetic values A thru Z (minus S, L, O, I, B, Z)
+            ("1EG41E5MK74", False),
+            ("1EG4SE5MK74", False),
+            ("1EG4LE5MK74", False),
+            ("1EG4OE5MK74", False),
+            ("1EG4IE5MK74", False),
+            ("1EG4BE5MK74", False),
+            ("1EG4ZE5MK74", False),
+
+            # Position 6 is invalid
+            # Position 6 – alphanumeric values 0 thru 9and A thru Z (minus S, L, O, I, B, Z)
+            ("1EG4TS5MK74", False),
+            ("1EG4TL5MK74", False),
+            ("1EG4TO5MK74", False),
+            ("1EG4TI5MK74", False),
+            ("1EG4TB5MK74", False),
+            ("1EG4TZ5MK74", False),
+
+            # Position 7 is invalid
+            # Position 7 – numeric values 0 thru 9
+            ("1EG4TEAMK74", False),
+
+            # Position 8 is invalid
+            # Position 8 – alphabetic values A thru Z (minus S, L, O, I, B, Z)
+            ("1EG4TE51K74", False),
+            ("1EG4TE5SK74", False),
+            ("1EG4TE5LK74", False),
+            ("1EG4TE5OK74", False),
+            ("1EG4TE5IK74", False),
+            ("1EG4TE5BK74", False),
+            ("1EG4TE5ZK74", False),
+
+            # Position 9 is invalid
+            # Position 9 – alphabetic values A thru Z (minus S, L, O, I, B, Z)
+            ("1EG4TE5M174", False),
+            ("1EG4TE5MS74", False),
+            ("1EG4TE5ML74", False),
+            ("1EG4TE5MO74", False),
+            ("1EG4TE5MOI74", False),
+            ("1EG4TE5MKB4", False),
+            ("1EG4TE5MKZ4", False),
+
+            # Position 10 is invalid
+            # Position 10 – numeric values 0 thru 9
+            ("1EG4TE5MKA4", False),
+
+            # Position 11 is invalid
+            # Position 11 – numeric values 0 thru 9
+            ("1EG4TE5MK7A", False),
+        ]
+
+        for mbi_value, expected in mbi_test_list:
+            # Create a text that contains the MBI
+            uppercase_mbi_text = f"This is a test string with MBI: {mbi_value}, expected: {expected}."
+            masked_uppercase_text = mask_mbi(uppercase_mbi_text)
+            lowercase_mbi_text = uppercase_mbi_text.lower()
+            masked_mbi_lowercase_text = mask_mbi(lowercase_mbi_text)
+            # Check if the MBI was masked
+            if expected:
+                self.assertIn('***MBI***', masked_uppercase_text)
+                self.assertIn('***MBI***', masked_mbi_lowercase_text)
+                self.assertNotIn(mbi_value, masked_uppercase_text)
+                self.assertNotIn(mbi_value.lower(), masked_mbi_lowercase_text)
+            else:
+                self.assertNotIn('***MBI***', masked_uppercase_text)
+                self.assertNotIn('***MBI***', masked_mbi_lowercase_text)
+                self.assertIn(mbi_value, masked_uppercase_text)
+                self.assertIn(mbi_value.lower(), masked_mbi_lowercase_text)
diff --git a/hhs_oauth_server/urls.py b/hhs_oauth_server/urls.py
index 6e9812530..5c05de7ab 100644
--- a/hhs_oauth_server/urls.py
+++ b/hhs_oauth_server/urls.py
@@ -6,6 +6,7 @@
 from django.contrib import admin
 from apps.accounts.views.oauth2_profile import openidconnect_userinfo
 from apps.fhir.bluebutton.views.home import fhir_conformance, fhir_conformance_v2
+from apps.wellknown.views.openid import smart_configuration
 from hhs_oauth_server.hhs_oauth_server_context import IsAppInstalled
 
 admin.autodiscover()
@@ -17,6 +18,7 @@
 urlpatterns = [
     path("health", include("apps.health.urls")),
     re_path(r"^.well-known/", include("apps.wellknown.urls")),
+    path("v1/fhir/.well-known/smart-configuration", smart_configuration, name="smart_configuration"),
     path("forms/", include("apps.forms.urls")),
     path("v1/accounts/", include("apps.accounts.urls")),
     re_path(
@@ -32,6 +34,7 @@
         openidconnect_userinfo,
         name="openid_connect_userinfo_v2",
     ),
+    path("v2/fhir/.well-known/smart-configuration", smart_configuration, name="smart_configuration"),
     path("v2/fhir/metadata", fhir_conformance_v2, name="fhir_conformance_metadata_v2"),
     path("v2/fhir/", include("apps.fhir.bluebutton.v2.urls")),
     path("v2/o/", include("apps.dot_ext.v2.urls")),
diff --git a/requirements/requirements.dev.in b/requirements/requirements.dev.in
index c3b3cf97c..89104a52b 100644
--- a/requirements/requirements.dev.in
+++ b/requirements/requirements.dev.in
@@ -10,4 +10,5 @@ selenium
 pytest 
 Flask 
 Flask-WTF
-
+setuptools_scm<7,>=3.2
+setuptools>=40.8.0
diff --git a/requirements/requirements.dev.txt b/requirements/requirements.dev.txt
index be57b6eb7..a4ab3e329 100644
--- a/requirements/requirements.dev.txt
+++ b/requirements/requirements.dev.txt
@@ -1,5 +1,5 @@
 #
-# This file is autogenerated by pip-compile with Python 3.12
+# This file is autogenerated by pip-compile with Python 3.11
 # by the following command:
 #
 #    pip-compile --generate-hashes --output-file=requirements/requirements.dev.txt requirements/requirements.dev.in
@@ -196,39 +196,36 @@ configparser==5.3.0 \
     --hash=sha256:8be267824b541c09b08db124917f48ab525a6c3e837011f3130781a224c57090 \
     --hash=sha256:b065779fd93c6bf4cee42202fa4351b4bb842e96a3fb469440e484517a49b9fa
     # via -r requirements/requirements.in
-cryptography==42.0.8 \
-    --hash=sha256:013629ae70b40af70c9a7a5db40abe5d9054e6f4380e50ce769947b73bf3caad \
-    --hash=sha256:2346b911eb349ab547076f47f2e035fc8ff2c02380a7cbbf8d87114fa0f1c583 \
-    --hash=sha256:2f66d9cd9147ee495a8374a45ca445819f8929a3efcd2e3df6428e46c3cbb10b \
-    --hash=sha256:2f88d197e66c65be5e42cd72e5c18afbfae3f741742070e3019ac8f4ac57262c \
-    --hash=sha256:31f721658a29331f895a5a54e7e82075554ccfb8b163a18719d342f5ffe5ecb1 \
-    --hash=sha256:343728aac38decfdeecf55ecab3264b015be68fc2816ca800db649607aeee648 \
-    --hash=sha256:5226d5d21ab681f432a9c1cf8b658c0cb02533eece706b155e5fbd8a0cdd3949 \
-    --hash=sha256:57080dee41209e556a9a4ce60d229244f7a66ef52750f813bfbe18959770cfba \
-    --hash=sha256:5a94eccb2a81a309806027e1670a358b99b8fe8bfe9f8d329f27d72c094dde8c \
-    --hash=sha256:6b7c4f03ce01afd3b76cf69a5455caa9cfa3de8c8f493e0d3ab7d20611c8dae9 \
-    --hash=sha256:7016f837e15b0a1c119d27ecd89b3515f01f90a8615ed5e9427e30d9cdbfed3d \
-    --hash=sha256:81884c4d096c272f00aeb1f11cf62ccd39763581645b0812e99a91505fa48e0c \
-    --hash=sha256:81d8a521705787afe7a18d5bfb47ea9d9cc068206270aad0b96a725022e18d2e \
-    --hash=sha256:8d09d05439ce7baa8e9e95b07ec5b6c886f548deb7e0f69ef25f64b3bce842f2 \
-    --hash=sha256:961e61cefdcb06e0c6d7e3a1b22ebe8b996eb2bf50614e89384be54c48c6b63d \
-    --hash=sha256:9c0c1716c8447ee7dbf08d6db2e5c41c688544c61074b54fc4564196f55c25a7 \
-    --hash=sha256:a0608251135d0e03111152e41f0cc2392d1e74e35703960d4190b2e0f4ca9c70 \
-    --hash=sha256:a0c5b2b0585b6af82d7e385f55a8bc568abff8923af147ee3c07bd8b42cda8b2 \
-    --hash=sha256:ad803773e9df0b92e0a817d22fd8a3675493f690b96130a5e24f1b8fabbea9c7 \
-    --hash=sha256:b297f90c5723d04bcc8265fc2a0f86d4ea2e0f7ab4b6994459548d3a6b992a14 \
-    --hash=sha256:ba4f0a211697362e89ad822e667d8d340b4d8d55fae72cdd619389fb5912eefe \
-    --hash=sha256:c4783183f7cb757b73b2ae9aed6599b96338eb957233c58ca8f49a49cc32fd5e \
-    --hash=sha256:c9bb2ae11bfbab395bdd072985abde58ea9860ed84e59dbc0463a5d0159f5b71 \
-    --hash=sha256:cafb92b2bc622cd1aa6a1dce4b93307792633f4c5fe1f46c6b97cf67073ec961 \
-    --hash=sha256:d45b940883a03e19e944456a558b67a41160e367a719833c53de6911cabba2b7 \
-    --hash=sha256:dc0fdf6787f37b1c6b08e6dfc892d9d068b5bdb671198c72072828b80bd5fe4c \
-    --hash=sha256:dea567d1b0e8bc5764b9443858b673b734100c2871dc93163f58c46a97a83d28 \
-    --hash=sha256:dec9b018df185f08483f294cae6ccac29e7a6e0678996587363dc352dc65c842 \
-    --hash=sha256:e3ec3672626e1b9e55afd0df6d774ff0e953452886e06e0f1eb7eb0c832e8902 \
-    --hash=sha256:e599b53fd95357d92304510fb7bda8523ed1f79ca98dce2f43c115950aa78801 \
-    --hash=sha256:fa76fbb7596cc5839320000cdd5d0955313696d9511debab7ee7278fc8b5c84a \
-    --hash=sha256:fff12c88a672ab9c9c1cf7b0c80e3ad9e2ebd9d828d955c126be4fd3e5578c9e
+cryptography==44.0.0 \
+    --hash=sha256:1923cb251c04be85eec9fda837661c67c1049063305d6be5721643c22dd4e2b7 \
+    --hash=sha256:37d76e6863da3774cd9db5b409a9ecfd2c71c981c38788d3fcfaf177f447b731 \
+    --hash=sha256:3c672a53c0fb4725a29c303be906d3c1fa99c32f58abe008a82705f9ee96f40b \
+    --hash=sha256:404fdc66ee5f83a1388be54300ae978b2efd538018de18556dde92575e05defc \
+    --hash=sha256:4ac4c9f37eba52cb6fbeaf5b59c152ea976726b865bd4cf87883a7e7006cc543 \
+    --hash=sha256:60eb32934076fa07e4316b7b2742fa52cbb190b42c2df2863dbc4230a0a9b385 \
+    --hash=sha256:62901fb618f74d7d81bf408c8719e9ec14d863086efe4185afd07c352aee1d2c \
+    --hash=sha256:660cb7312a08bc38be15b696462fa7cc7cd85c3ed9c576e81f4dc4d8b2b31591 \
+    --hash=sha256:708ee5f1bafe76d041b53a4f95eb28cdeb8d18da17e597d46d7833ee59b97ede \
+    --hash=sha256:761817a3377ef15ac23cd7834715081791d4ec77f9297ee694ca1ee9c2c7e5eb \
+    --hash=sha256:831c3c4d0774e488fdc83a1923b49b9957d33287de923d58ebd3cec47a0ae43f \
+    --hash=sha256:84111ad4ff3f6253820e6d3e58be2cc2a00adb29335d4cacb5ab4d4d34f2a123 \
+    --hash=sha256:8b3e6eae66cf54701ee7d9c83c30ac0a1e3fa17be486033000f2a73a12ab507c \
+    --hash=sha256:9abcc2e083cbe8dde89124a47e5e53ec38751f0d7dfd36801008f316a127d7ba \
+    --hash=sha256:9e6fc8a08e116fb7c7dd1f040074c9d7b51d74a8ea40d4df2fc7aa08b76b9e6c \
+    --hash=sha256:a01956ddfa0a6790d594f5b34fc1bfa6098aca434696a03cfdbe469b8ed79285 \
+    --hash=sha256:abc998e0c0eee3c8a1904221d3f67dcfa76422b23620173e28c11d3e626c21bd \
+    --hash=sha256:b15492a11f9e1b62ba9d73c210e2416724633167de94607ec6069ef724fad092 \
+    --hash=sha256:be4ce505894d15d5c5037167ffb7f0ae90b7be6f2a98f9a5c3442395501c32fa \
+    --hash=sha256:c5eb858beed7835e5ad1faba59e865109f3e52b3783b9ac21e7e47dc5554e289 \
+    --hash=sha256:cd4e834f340b4293430701e772ec543b0fbe6c2dea510a5286fe0acabe153a02 \
+    --hash=sha256:d2436114e46b36d00f8b72ff57e598978b37399d2786fd39793c36c6d5cb1c64 \
+    --hash=sha256:eb33480f1bad5b78233b0ad3e1b0be21e8ef1da745d8d2aecbb20671658b9053 \
+    --hash=sha256:eca27345e1214d1b9f9490d200f9db5a874479be914199194e746c893788d417 \
+    --hash=sha256:ed3534eb1090483c96178fcb0f8893719d96d5274dfde98aa6add34614e97c8e \
+    --hash=sha256:f3f6fdfa89ee2d9d496e2c087cebef9d4fcbb0ad63c40e821b39f74bf48d9c5e \
+    --hash=sha256:f53c2c87e0fb4b0c00fa9571082a057e37690a8f12233306161c8f4b819960b7 \
+    --hash=sha256:f5e7cb1e5e56ca0933b4873c0220a78b773b24d40d186b6738080b73d3d0a756 \
+    --hash=sha256:f677e1268c4e23420c3acade68fac427fffcb8d19d7df95ed7ad17cdef8404f4
     # via
     #   -r requirements/requirements.in
     #   jwcrypto
@@ -256,9 +253,9 @@ dj-database-url==2.0.0 \
     --hash=sha256:9c9e5f7224f62635a787e9cc3c6762c9be2b19541a21e3c08fa573bd01609b4b \
     --hash=sha256:a35a9f0f43775ca6f90d819dc456233ef7bcc76b47377d5d908b75c7eb320624
     # via -r requirements/requirements.in
-django==4.2.14 \
-    --hash=sha256:3ec32bc2c616ab02834b9cac93143a7dc1cdcd5b822d78ac95fc20a38c534240 \
-    --hash=sha256:fc6919875a6226c7ffcae1a7d51e0f2ceaf6f160393180818f6c95f51b1e7b96
+django==4.2.17 \
+    --hash=sha256:3a93350214ba25f178d4045c0786c61573e7dbfa3c509b3551374f1e11ba8de0 \
+    --hash=sha256:6b56d834cc94c8b21a8f4e775064896be3b4a4ca387f2612d4406a5927cd2fdc
     # via
     #   -r requirements/requirements.in
     #   dj-database-url
@@ -499,7 +496,9 @@ outcome==1.3.0.post0 \
 packaging==24.0 \
     --hash=sha256:2ddfb553fdf02fb784c234c7ba6ccc288296ceabec964ad2eae3777778130bc5 \
     --hash=sha256:eb82c5e3e56209074766e6885bb04b8c38a0c015d0a30036ebe7ece34c9989e9
-    # via pytest
+    # via
+    #   pytest
+    #   setuptools-scm
 pillow==10.3.0 \
     --hash=sha256:048ad577748b9fa4a99a0548c64f2cb8d672d5bf2e643a739ac8faff1164238c \
     --hash=sha256:048eeade4c33fdf7e08da40ef402e748df113fd0b4584e32c4af74fe78baaeb2 \
@@ -794,6 +793,10 @@ selenium==4.16.0 \
     --hash=sha256:aec71f4e6ed6cb3ec25c9c1b5ed56ae31b6da0a7f17474c7566d303f84e6219f \
     --hash=sha256:b2e987a445306151f7be0e6dfe2aa72a479c2ac6a91b9d5ef2d6dd4e49ad0435
     # via -r requirements/requirements.dev.in
+setuptools-scm==6.4.2 \
+    --hash=sha256:6833ac65c6ed9711a4d5d2266f8024cfa07c533a0e55f4c12f6eff280a5a9e30 \
+    --hash=sha256:acea13255093849de7ccb11af9e1fb8bde7067783450cee9ef7a93139bddf6d4
+    # via -r requirements/requirements.dev.in
 six==1.16.0 \
     --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \
     --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254
@@ -821,6 +824,40 @@ sqlparse==0.5.0 \
     #   -r requirements/requirements.in
     #   django
     #   django-debug-toolbar
+tomli==2.2.1 \
+    --hash=sha256:023aa114dd824ade0100497eb2318602af309e5a55595f76b626d6d9f3b7b0a6 \
+    --hash=sha256:02abe224de6ae62c19f090f68da4e27b10af2b93213d36cf44e6e1c5abd19fdd \
+    --hash=sha256:286f0ca2ffeeb5b9bd4fcc8d6c330534323ec51b2f52da063b11c502da16f30c \
+    --hash=sha256:2d0f2fdd22b02c6d81637a3c95f8cd77f995846af7414c5c4b8d0545afa1bc4b \
+    --hash=sha256:33580bccab0338d00994d7f16f4c4ec25b776af3ffaac1ed74e0b3fc95e885a8 \
+    --hash=sha256:400e720fe168c0f8521520190686ef8ef033fb19fc493da09779e592861b78c6 \
+    --hash=sha256:40741994320b232529c802f8bc86da4e1aa9f413db394617b9a256ae0f9a7f77 \
+    --hash=sha256:465af0e0875402f1d226519c9904f37254b3045fc5084697cefb9bdde1ff99ff \
+    --hash=sha256:4a8f6e44de52d5e6c657c9fe83b562f5f4256d8ebbfe4ff922c495620a7f6cea \
+    --hash=sha256:4e340144ad7ae1533cb897d406382b4b6fede8890a03738ff1683af800d54192 \
+    --hash=sha256:678e4fa69e4575eb77d103de3df8a895e1591b48e740211bd1067378c69e8249 \
+    --hash=sha256:6972ca9c9cc9f0acaa56a8ca1ff51e7af152a9f87fb64623e31d5c83700080ee \
+    --hash=sha256:7fc04e92e1d624a4a63c76474610238576942d6b8950a2d7f908a340494e67e4 \
+    --hash=sha256:889f80ef92701b9dbb224e49ec87c645ce5df3fa2cc548664eb8a25e03127a98 \
+    --hash=sha256:8d57ca8095a641b8237d5b079147646153d22552f1c637fd3ba7f4b0b29167a8 \
+    --hash=sha256:8dd28b3e155b80f4d54beb40a441d366adcfe740969820caf156c019fb5c7ec4 \
+    --hash=sha256:9316dc65bed1684c9a98ee68759ceaed29d229e985297003e494aa825ebb0281 \
+    --hash=sha256:a198f10c4d1b1375d7687bc25294306e551bf1abfa4eace6650070a5c1ae2744 \
+    --hash=sha256:a38aa0308e754b0e3c67e344754dff64999ff9b513e691d0e786265c93583c69 \
+    --hash=sha256:a92ef1a44547e894e2a17d24e7557a5e85a9e1d0048b0b5e7541f76c5032cb13 \
+    --hash=sha256:ac065718db92ca818f8d6141b5f66369833d4a80a9d74435a268c52bdfa73140 \
+    --hash=sha256:b82ebccc8c8a36f2094e969560a1b836758481f3dc360ce9a3277c65f374285e \
+    --hash=sha256:c954d2250168d28797dd4e3ac5cf812a406cd5a92674ee4c8f123c889786aa8e \
+    --hash=sha256:cb55c73c5f4408779d0cf3eef9f762b9c9f147a77de7b258bef0a5628adc85cc \
+    --hash=sha256:cd45e1dc79c835ce60f7404ec8119f2eb06d38b1deba146f07ced3bbc44505ff \
+    --hash=sha256:d3f5614314d758649ab2ab3a62d4f2004c825922f9e370b29416484086b264ec \
+    --hash=sha256:d920f33822747519673ee656a4b6ac33e382eca9d331c87770faa3eef562aeb2 \
+    --hash=sha256:db2b95f9de79181805df90bedc5a5ab4c165e6ec3fe99f970d0e302f384ad222 \
+    --hash=sha256:e59e304978767a54663af13c07b3d1af22ddee3bb2fb0618ca1593e4f593a106 \
+    --hash=sha256:e85e99945e688e32d5a35c1ff38ed0b3f41f43fad8df0bdf79f72b2ba7bc5272 \
+    --hash=sha256:ece47d672db52ac607a3d9599a9d48dcb2f2f735c6c2d1f34130085bb12b112a \
+    --hash=sha256:f4039b9cbc3048b2416cc57ab3bda989a6fcf9b36cf8937f01a6e731b64f80d7
+    # via setuptools-scm
 trio==0.24.0 \
     --hash=sha256:c3bd3a4e3e3025cd9a2241eae75637c43fe0b9e88b4c97b9161a55b9e54cd72c \
     --hash=sha256:ffa09a74a6bf81b84f8613909fb0beaee84757450183a7a2e0b47b455c0cac5d
@@ -853,9 +890,9 @@ voluptuous==0.13.1 \
     --hash=sha256:4b838b185f5951f2d6e8752b68fcf18bd7a9c26ded8f143f92d6d28f3921a3e6 \
     --hash=sha256:e8d31c20601d6773cb14d4c0f42aee29c6821bbd1018039aac7ac5605b489723
     # via -r requirements/requirements.in
-werkzeug==3.0.3 \
-    --hash=sha256:097e5bfda9f0aba8da6b8545146def481d06aa7d3266e7448e2cccf67dd8bd18 \
-    --hash=sha256:fc9645dc43e03e4d630d23143a04a7f947a9a3b5727cd535fdfe155a17cc48c8
+werkzeug==3.0.6 \
+    --hash=sha256:1bc0c2310d2fbb07b1dd1105eba2f7af72f322e1e455f2f93c993bee8c8a5f17 \
+    --hash=sha256:a8dd59d4de28ca70471a34cba79bed5f7ef2e036a76b3ab0835474246eb41f8d
     # via flask
 wsproto==1.2.0 \
     --hash=sha256:ad565f26ecb92588a3e43bc3d96164de84cd9902482b130d0ddbaa9664a85065 \
diff --git a/requirements/requirements.in b/requirements/requirements.in
index 68a139114..dc931c9b4 100644
--- a/requirements/requirements.in
+++ b/requirements/requirements.in
@@ -1,5 +1,5 @@
 # base packages
-django == 4.2.14
+django == 4.2.17
 django-bootstrap-v5
 django-cors-headers
 django-localflavor
@@ -49,5 +49,5 @@ django-ses
 oauthlib
 ## python-openid
 django-oauth-toolkit
-cryptography >= 42.0.8
+cryptography >= 43.0.1
 jwcrypto
diff --git a/requirements/requirements.txt b/requirements/requirements.txt
index a7692c63a..470bff62c 100644
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@@ -1,5 +1,5 @@
 #
-# This file is autogenerated by pip-compile with Python 3.12
+# This file is autogenerated by pip-compile with Python 3.11
 # by the following command:
 #
 #    pip-compile --generate-hashes --output-file=requirements/requirements.txt requirements/requirements.in
@@ -185,39 +185,36 @@ configparser==5.3.0 \
     --hash=sha256:8be267824b541c09b08db124917f48ab525a6c3e837011f3130781a224c57090 \
     --hash=sha256:b065779fd93c6bf4cee42202fa4351b4bb842e96a3fb469440e484517a49b9fa
     # via -r requirements/requirements.in
-cryptography==42.0.8 \
-    --hash=sha256:013629ae70b40af70c9a7a5db40abe5d9054e6f4380e50ce769947b73bf3caad \
-    --hash=sha256:2346b911eb349ab547076f47f2e035fc8ff2c02380a7cbbf8d87114fa0f1c583 \
-    --hash=sha256:2f66d9cd9147ee495a8374a45ca445819f8929a3efcd2e3df6428e46c3cbb10b \
-    --hash=sha256:2f88d197e66c65be5e42cd72e5c18afbfae3f741742070e3019ac8f4ac57262c \
-    --hash=sha256:31f721658a29331f895a5a54e7e82075554ccfb8b163a18719d342f5ffe5ecb1 \
-    --hash=sha256:343728aac38decfdeecf55ecab3264b015be68fc2816ca800db649607aeee648 \
-    --hash=sha256:5226d5d21ab681f432a9c1cf8b658c0cb02533eece706b155e5fbd8a0cdd3949 \
-    --hash=sha256:57080dee41209e556a9a4ce60d229244f7a66ef52750f813bfbe18959770cfba \
-    --hash=sha256:5a94eccb2a81a309806027e1670a358b99b8fe8bfe9f8d329f27d72c094dde8c \
-    --hash=sha256:6b7c4f03ce01afd3b76cf69a5455caa9cfa3de8c8f493e0d3ab7d20611c8dae9 \
-    --hash=sha256:7016f837e15b0a1c119d27ecd89b3515f01f90a8615ed5e9427e30d9cdbfed3d \
-    --hash=sha256:81884c4d096c272f00aeb1f11cf62ccd39763581645b0812e99a91505fa48e0c \
-    --hash=sha256:81d8a521705787afe7a18d5bfb47ea9d9cc068206270aad0b96a725022e18d2e \
-    --hash=sha256:8d09d05439ce7baa8e9e95b07ec5b6c886f548deb7e0f69ef25f64b3bce842f2 \
-    --hash=sha256:961e61cefdcb06e0c6d7e3a1b22ebe8b996eb2bf50614e89384be54c48c6b63d \
-    --hash=sha256:9c0c1716c8447ee7dbf08d6db2e5c41c688544c61074b54fc4564196f55c25a7 \
-    --hash=sha256:a0608251135d0e03111152e41f0cc2392d1e74e35703960d4190b2e0f4ca9c70 \
-    --hash=sha256:a0c5b2b0585b6af82d7e385f55a8bc568abff8923af147ee3c07bd8b42cda8b2 \
-    --hash=sha256:ad803773e9df0b92e0a817d22fd8a3675493f690b96130a5e24f1b8fabbea9c7 \
-    --hash=sha256:b297f90c5723d04bcc8265fc2a0f86d4ea2e0f7ab4b6994459548d3a6b992a14 \
-    --hash=sha256:ba4f0a211697362e89ad822e667d8d340b4d8d55fae72cdd619389fb5912eefe \
-    --hash=sha256:c4783183f7cb757b73b2ae9aed6599b96338eb957233c58ca8f49a49cc32fd5e \
-    --hash=sha256:c9bb2ae11bfbab395bdd072985abde58ea9860ed84e59dbc0463a5d0159f5b71 \
-    --hash=sha256:cafb92b2bc622cd1aa6a1dce4b93307792633f4c5fe1f46c6b97cf67073ec961 \
-    --hash=sha256:d45b940883a03e19e944456a558b67a41160e367a719833c53de6911cabba2b7 \
-    --hash=sha256:dc0fdf6787f37b1c6b08e6dfc892d9d068b5bdb671198c72072828b80bd5fe4c \
-    --hash=sha256:dea567d1b0e8bc5764b9443858b673b734100c2871dc93163f58c46a97a83d28 \
-    --hash=sha256:dec9b018df185f08483f294cae6ccac29e7a6e0678996587363dc352dc65c842 \
-    --hash=sha256:e3ec3672626e1b9e55afd0df6d774ff0e953452886e06e0f1eb7eb0c832e8902 \
-    --hash=sha256:e599b53fd95357d92304510fb7bda8523ed1f79ca98dce2f43c115950aa78801 \
-    --hash=sha256:fa76fbb7596cc5839320000cdd5d0955313696d9511debab7ee7278fc8b5c84a \
-    --hash=sha256:fff12c88a672ab9c9c1cf7b0c80e3ad9e2ebd9d828d955c126be4fd3e5578c9e
+cryptography==44.0.0 \
+    --hash=sha256:1923cb251c04be85eec9fda837661c67c1049063305d6be5721643c22dd4e2b7 \
+    --hash=sha256:37d76e6863da3774cd9db5b409a9ecfd2c71c981c38788d3fcfaf177f447b731 \
+    --hash=sha256:3c672a53c0fb4725a29c303be906d3c1fa99c32f58abe008a82705f9ee96f40b \
+    --hash=sha256:404fdc66ee5f83a1388be54300ae978b2efd538018de18556dde92575e05defc \
+    --hash=sha256:4ac4c9f37eba52cb6fbeaf5b59c152ea976726b865bd4cf87883a7e7006cc543 \
+    --hash=sha256:60eb32934076fa07e4316b7b2742fa52cbb190b42c2df2863dbc4230a0a9b385 \
+    --hash=sha256:62901fb618f74d7d81bf408c8719e9ec14d863086efe4185afd07c352aee1d2c \
+    --hash=sha256:660cb7312a08bc38be15b696462fa7cc7cd85c3ed9c576e81f4dc4d8b2b31591 \
+    --hash=sha256:708ee5f1bafe76d041b53a4f95eb28cdeb8d18da17e597d46d7833ee59b97ede \
+    --hash=sha256:761817a3377ef15ac23cd7834715081791d4ec77f9297ee694ca1ee9c2c7e5eb \
+    --hash=sha256:831c3c4d0774e488fdc83a1923b49b9957d33287de923d58ebd3cec47a0ae43f \
+    --hash=sha256:84111ad4ff3f6253820e6d3e58be2cc2a00adb29335d4cacb5ab4d4d34f2a123 \
+    --hash=sha256:8b3e6eae66cf54701ee7d9c83c30ac0a1e3fa17be486033000f2a73a12ab507c \
+    --hash=sha256:9abcc2e083cbe8dde89124a47e5e53ec38751f0d7dfd36801008f316a127d7ba \
+    --hash=sha256:9e6fc8a08e116fb7c7dd1f040074c9d7b51d74a8ea40d4df2fc7aa08b76b9e6c \
+    --hash=sha256:a01956ddfa0a6790d594f5b34fc1bfa6098aca434696a03cfdbe469b8ed79285 \
+    --hash=sha256:abc998e0c0eee3c8a1904221d3f67dcfa76422b23620173e28c11d3e626c21bd \
+    --hash=sha256:b15492a11f9e1b62ba9d73c210e2416724633167de94607ec6069ef724fad092 \
+    --hash=sha256:be4ce505894d15d5c5037167ffb7f0ae90b7be6f2a98f9a5c3442395501c32fa \
+    --hash=sha256:c5eb858beed7835e5ad1faba59e865109f3e52b3783b9ac21e7e47dc5554e289 \
+    --hash=sha256:cd4e834f340b4293430701e772ec543b0fbe6c2dea510a5286fe0acabe153a02 \
+    --hash=sha256:d2436114e46b36d00f8b72ff57e598978b37399d2786fd39793c36c6d5cb1c64 \
+    --hash=sha256:eb33480f1bad5b78233b0ad3e1b0be21e8ef1da745d8d2aecbb20671658b9053 \
+    --hash=sha256:eca27345e1214d1b9f9490d200f9db5a874479be914199194e746c893788d417 \
+    --hash=sha256:ed3534eb1090483c96178fcb0f8893719d96d5274dfde98aa6add34614e97c8e \
+    --hash=sha256:f3f6fdfa89ee2d9d496e2c087cebef9d4fcbb0ad63c40e821b39f74bf48d9c5e \
+    --hash=sha256:f53c2c87e0fb4b0c00fa9571082a057e37690a8f12233306161c8f4b819960b7 \
+    --hash=sha256:f5e7cb1e5e56ca0933b4873c0220a78b773b24d40d186b6738080b73d3d0a756 \
+    --hash=sha256:f677e1268c4e23420c3acade68fac427fffcb8d19d7df95ed7ad17cdef8404f4
     # via
     #   -r requirements/requirements.in
     #   jwcrypto
@@ -225,9 +222,9 @@ dj-database-url==2.0.0 \
     --hash=sha256:9c9e5f7224f62635a787e9cc3c6762c9be2b19541a21e3c08fa573bd01609b4b \
     --hash=sha256:a35a9f0f43775ca6f90d819dc456233ef7bcc76b47377d5d908b75c7eb320624
     # via -r requirements/requirements.in
-django==4.2.14 \
-    --hash=sha256:3ec32bc2c616ab02834b9cac93143a7dc1cdcd5b822d78ac95fc20a38c534240 \
-    --hash=sha256:fc6919875a6226c7ffcae1a7d51e0f2ceaf6f160393180818f6c95f51b1e7b96
+django==4.2.17 \
+    --hash=sha256:3a93350214ba25f178d4045c0786c61573e7dbfa3c509b3551374f1e11ba8de0 \
+    --hash=sha256:6b56d834cc94c8b21a8f4e775064896be3b4a4ca387f2612d4406a5927cd2fdc
     # via
     #   -r requirements/requirements.in
     #   dj-database-url
diff --git a/static/openapi.yaml b/static/openapi.yaml
index 21e36a4fa..4751eecdf 100755
--- a/static/openapi.yaml
+++ b/static/openapi.yaml
@@ -17,8 +17,8 @@ info:
 paths:
   /.well-known/openid-configuration:
     get:
-      operationId: openIdConfig
-      description: "Returns OpenID Connect protocol (OIDC) Discovery: listing of the OpenID/OAuth endpoints, supported scopes and claims (public access, no token needed)"
+      operationId: openIdConfig_v2
+      description: "Returns OIDC (OpenID Connect protocol) Discovery: listing of the OpenID/OAuth endpoints, supported scopes and claims (public access, no token needed)"
       summary: "OpenID Connect protocol (OIDC) Discovery information"
       security: []
       responses:
@@ -26,29 +26,25 @@ paths:
           content:
             application/json:
               schema:
-                $ref: '#/components/schemas/V1OpenIdConfiguration'
+                $ref: '#/components/schemas/V2OpenIdConfiguration'
               examples:
-                V1OpenIdConfigurationExample:
-                  $ref: '#/components/examples/V1OpenIdConfigurationExample'
+                V2OpenIdConfigurationExample:
+                  $ref: '#/components/examples/V2OpenIdConfigurationExample'
             application/fhir+json:
               schema:
-                $ref: '#/components/schemas/V1OpenIdConfiguration'
+                $ref: '#/components/schemas/V2OpenIdConfiguration'
               examples:
-                V1OpenIdConfigurationExample:
-                  $ref: '#/components/examples/V1OpenIdConfigurationExample'
+                V2OpenIdConfigurationExample:
+                  $ref: '#/components/examples/V2OpenIdConfigurationExample'
           description: "OIDC Discovery: listing of the OpenID/OAuth endpoints, supported scopes and claims"
       tags:
-        - v1
-  /v1/fhir/metadata:
-    get: 
-      operationId: fhirMetaData
+        - v2
+  /v2/fhir/metadata:
+    get:
+      operationId: fhirMetaData_v2
       description: "Returns FHIR CapabilityStatement resource (public access, no token needed)"
       summary: "FHIR CapabilityStatement resource"
-      security: 
-        - oAuth2Security: 
-          - patient/Patient.read
-          - patient/Coverage.read
-          - patient/ExplanationOfBenefit.read
+      security: []
       responses:
         '200':
           content:
@@ -56,49 +52,41 @@ paths:
               schema:
                 $ref: '#/components/schemas/FHIR-JSON-RESOURCE'
               examples:
-                V1FhirMetadataExample:
-                  $ref: '#/components/examples/V1FhirMetadataExample'
+                V2FhirMetadataExample:
+                  $ref: '#/components/examples/V2FhirMetadataExample'
           description: "FHIR CapabilityStatement resource"
         '502':
 
-          description: "Error: Bad Gateway, e.g. An error occurred contacting the FHIR server"
+          description: "Error: Bad Gateway, e.g. An error occurred contacting the FHIR server."
       tags:
-        - v1
-  /v1/connect/userinfo:
-    get: 
-      operationId: listopenidconnect_userinfos
+        - v2
+  /v2/connect/userinfo:
+    get:
+      operationId: listopenidconnect_userinfos_v2
       description: "Returns OpenID Connect protocol (OIDC) userinfo"
       summary: "OpenID Connect protocol (OIDC) userinfo"
-      security: 
-        - oAuth2Security: 
-          - patient/Patient.read
-          - patient/Coverage.read
-          - patient/ExplanationOfBenefit.read
       parameters: []
       responses:
         '200':
           content:
             application/json:
               schema:
-                $ref: '#/components/schemas/V1UserInfo'
+                $ref: '#/components/schemas/V2UserInfo'
               examples:
-                V1UserInfoExample:
-                  $ref: '#/components/examples/V1UserInfoExample'
-          description: "OIDC userinfo"
+                V2UserInfoExample:
+                  $ref: '#/components/examples/V2UserInfoExample'
+          description:  "OIDC userinfo"
         '401':
-
           description: "Error: Unauthorized, e.g. Authentication credentials were not provided."
         '403':
-
           description: "Error: Forbidden, e.g. beneficiary does not grant access to PII."
         '502':
-
           description: "Error: Bad Gateway, e.g. An error occurred contacting the FHIR server."
       tags:
-        - v1
-  '/v1/fhir/Patient/{resource_id}':
-    get: 
-      operationId: listReadViewPatients
+        - v2
+  /v2/fhir/Patient/{resource_id}:
+    get:
+      operationId: listReadViewPatients_v2
       description: "Returns Patient FHIR resource identified by resource_id"
       summary: "Patient FHIR resource identified by resource_id"
       parameters:
@@ -115,33 +103,24 @@ paths:
               schema:
                 $ref: '#/components/schemas/FHIR-JSON-RESOURCE'
               examples:
-                V1FhirPatientByIdExample:
-                  $ref: '#/components/examples/V1FhirPatientByIdExample'
-          description:  "Patient FHIR resource"
+                V2FhirPatientByIdExample:
+                  $ref: '#/components/examples/V2FhirPatientByIdExample'
+          description: "Patient FHIR resource"
         '401':
-
           description: "Error: Unauthorized, e.g. Authentication credentials were not provided."
         '403':
-
           description: "Error: Forbidden, e.g. beneficiary does not grant access to PII."
         '404':
-
           description: "Error: Not Found, e.g. The requested resource does not exist."
         '502':
-
           description: "Error: Bad Gateway, e.g. An error occurred contacting the FHIR server."
       tags:
-        - v1
-  /v1/fhir/Patient/:
-    get:
-      operationId: listSearchViewPatients
+        - v2
+  /v2/fhir/Patient/:
+    get: 
+      operationId: listSearchViewPatients_v2
       description: "Returns Patient FHIR resources matching search criteria as a FHIR Bundle"
       summary: "Patient FHIR resources matching search criteria as a FHIR Bundle"
-      security: 
-        - oAuth2Security: 
-          - patient/Patient.read
-          - patient/Coverage.read
-          - patient/ExplanationOfBenefit.read
       parameters:
         - in: query
           name: identifier
@@ -154,7 +133,22 @@ paths:
           schema:
             type: string
           required: false
-          description: "Include resources last updated in the given range"
+          description: |-
+            Only satisfy the Search if the Beneficiary's _last_updated_ Date falls within a specified _DateRange_.
+
+            A _DateRange_ can be defined by providing _lt_ (less than), _le_
+            (less than or equal to), _gt_ (greater than), and/or _ge_ (greater
+            than or equal to) values.
+
+            This parameter can be included in a request one or more times.
+
+            Inexact timestamps are accepted, but not recommended, since the input will implicitly
+            be converted to use the server's timezone.
+
+            Examples:
+              - __lastUpdated=gt2023-01-02T00:00+00:00&\_lastUpdated=lt2023-05-01T00:00+00:00_ defines a range between two provided dates
+              - __lastUpdated=gt2023-01-02T00:00+00:00_ defines a range between the provided date and today
+              - __lastUpdated=lt2023-05-01T00:00+00:00_ defines a range from the earliest available records until the provided date
         - in: query
           name: startIndex
           schema:
@@ -186,8 +180,8 @@ paths:
               schema:
                 $ref: '#/components/schemas/FHIR-JSON-RESOURCE'
               examples:
-                V1FhirPatientExample:
-                  $ref: '#/components/examples/V1FhirPatientExample'
+                V2FhirPatientExample:
+                  $ref: '#/components/examples/V2FhirPatientExample'
           description: "Patient FHIR resources bundle"
         '400':
           description: "Error: Bad Request, e.g. the _lastUpdated operator is not valid."
@@ -198,10 +192,10 @@ paths:
         '502':
           description: "Error: Bad Gateway, e.g. An error occurred contacting the FHIR server."
       tags:
-        - v1
-  '/v1/fhir/Coverage/{resource_id}':
+        - v2
+  /v2/fhir/Coverage/{resource_id}:
     get:
-      operationId: listReadViewCoverages
+      operationId: listReadViewCoverages_v2
       description: "Returns Coverage FHIR resource identified by resource_id"
       summary: "Coverage FHIR resource identified by resource_id"
       parameters:
@@ -218,11 +212,11 @@ paths:
               schema:
                 $ref: '#/components/schemas/FHIR-JSON-RESOURCE'
               examples:
-                V1FhirCoverageByIdExample:
-                  $ref: '#/components/examples/V1FhirCoverageByIdExample'
+                V2FhirCoverageByIdExample:
+                  $ref: '#/components/examples/V2FhirCoverageByIdExample'
           description: "Coverage FHIR resource"
         '400':
-          description: "Error: Bad Request, e.g. Unsupported ID pattern: partd-889999ddddddddddddddddddddd."
+          description: "Error: Bad Request, e.g. Unsupported ID pattern: partparta_20140000000001."
         '401':
           description: "Error: Unauthorized, e.g. Authentication credentials were not provided."
         '404':
@@ -230,10 +224,10 @@ paths:
         '502':
           description: "Error: Bad Gateway, e.g. An error occurred contacting the FHIR server."
       tags:
-        - v1
-  /v1/fhir/Coverage/:
+        - v2
+  /v2/fhir/Coverage/:
     get:
-      operationId: listSearchViewCoverages
+      operationId: listSearchViewCoverages_v2
       description: "Returns Coverage FHIR resources matching the search criteria as a FHIR Bundle"
       summary: "Coverage FHIR resources matching the search criteria as a FHIR Bundle"
       parameters:
@@ -248,7 +242,22 @@ paths:
           schema:
             type: string
           required: false
-          description: "Include resources last updated in the given range"
+          description: |-
+            Only satisfy the Search if the Beneficiary's _last_updated_ Date falls within a specified _DateRange_.
+            
+            A _DateRange_ can be defined by providing _lt_ (less than), _le_
+            (less than or equal to), _gt_ (greater than), and/or _ge_ (greater
+            than or equal to) values.
+
+            This parameter can be included in a request one or more times.
+
+            Inexact timestamps are accepted, but not recommended, since the input will implicitly
+            be converted to use the server's timezone.
+
+            Examples:
+              - __lastUpdated=gt2023-01-02T00:00+00:00&\_lastUpdated=lt2023-05-01T00:00+00:00_ defines a range between two provided dates
+              - __lastUpdated=gt2023-01-02T00:00+00:00_ defines a range between the provided date and today
+              - __lastUpdated=lt2023-05-01T00:00+00:00_ defines a range from the earliest available records until the provided date
         - in: query
           name: startIndex
           schema:
@@ -262,9 +271,9 @@ paths:
               schema:
                 $ref: '#/components/schemas/FHIR-JSON-RESOURCE'
               examples:
-                V1FhirCoverageExample:
-                  $ref: '#/components/examples/V1FhirCoverageExample'
-          description:  "Coverage FHIR resources bundle"
+                V2FhirCoverageExample:
+                  $ref: '#/components/examples/V2FhirCoverageExample'
+          description: "Coverage FHIR resources bundle"
         '400':
           description: "Error: Bad Request, e.g. the _lastUpdated operator is not valid."
         '401':
@@ -272,10 +281,10 @@ paths:
         '502':
           description: "Error: Bad Gateway, e.g. An error occurred contacting the FHIR server."
       tags:
-        - v1
-  /v1/fhir/ExplanationOfBenefit/{resource_id}:
+        - v2
+  /v2/fhir/ExplanationOfBenefit/{resource_id}:
     get:
-      operationId: listReadViewExplanationOfBenefits
+      operationId: listReadViewExplanationOfBenefits_v2
       description: "Returns ExplanationOfBenefit FHIR resource identified by resource_id"
       summary: "ExplanationOfBenefit FHIR resource identified by resource_id"
       parameters:
@@ -292,11 +301,9 @@ paths:
               schema:
                 $ref: '#/components/schemas/FHIR-JSON-RESOURCE'
               examples:
-                V1FhirExplanationOfBenefitByIdExample:
-                  $ref: '#/components/examples/V1FhirExplanationOfBenefitByIdExample'
+                V2FhirExplanationOfBenefitByIdExample:
+                  $ref: '#/components/examples/V2FhirExplanationOfBenefitByIdExample'
           description: "ExplanationOfBenefit FHIR resource"
-        '400':
-          description: "Error: Bad Request, e.g. Unsupported ID pattern: partd238900099."
         '401':
           description: "Error: Unauthorized, e.g. Authentication credentials were not provided."
         '404':
@@ -304,10 +311,10 @@ paths:
         '502':
           description: "Error: Bad Gateway, e.g. An error occurred contacting the FHIR server."
       tags:
-        - v1
-  /v1/fhir/ExplanationOfBenefit/:
+        - v2
+  /v2/fhir/ExplanationOfBenefit/:
     get:
-      operationId: listSearchViewExplanationOfBenefits
+      operationId: listSearchViewExplanationOfBenefits_v2
       description: "Returns ExplanationOfBenefit FHIR resources matching search criteria as a FHIR Bundle"
       summary: "ExplanationOfBenefit FHIR resources matching search criteria as a FHIR Bundle"
       parameters:
@@ -322,7 +329,22 @@ paths:
           schema:
             type: string
           required: false
-          description: "Include resources last updated in the given range"
+          description: |-
+            Only satisfy the Search if the Beneficiary's _last_updated_ Date falls within a specified _DateRange_.
+            
+            A _DateRange_ can be defined by providing _lt_ (less than), _le_
+            (less than or equal to), _gt_ (greater than), and/or _ge_ (greater
+            than or equal to) values.
+
+            This parameter can be included in a request one or more times.
+
+            Inexact timestamps are accepted, but not recommended, since the input will implicitly
+            be converted to use the server's timezone.
+
+            Examples:
+              - __lastUpdated=gt2023-01-02T00:00+00:00&\_lastUpdated=lt2023-05-01T00:00+00:00_ defines a range between two provided dates
+              - __lastUpdated=gt2023-01-02T00:00+00:00_ defines a range between the provided date and today
+              - __lastUpdated=lt2023-05-01T00:00+00:00_ defines a range from the earliest available records until the provided date
         - in: query
           name: excludeSAMHSA
           schema:
@@ -334,7 +356,24 @@ paths:
           schema:
             type: string
           required: false
-          description: "Include resources that completed in the given range"
+          description: |-
+            Only satisfy the Search request if a claim's _billable period_
+            falls within a specified _DateRange_.
+
+            A _DateRange_ can be defined by providing _lt_ (less than), _le_
+            (less than or equal to), _gt_ (greater than), and/or _ge_ (greater
+            than or equal to) values.
+
+            This parameter can be included in a request one or more times.
+
+            Inexact timestamps are accepted, but not recommended, since the input will implicitly
+            be converted to use the server's timezone.
+
+
+            Examples:
+              - _service-date=gt2023-01-02T00:00+00:00&service-date=lt2023-05-01T00:00+00:00_ defines a range between two provided dates
+              - _service-date=gt2023-01-02T00:00+00:00_ defines a range between the provided date and today
+              - _service-date=lt2023-05-01T00:00+00:00_ defines a range from the earliest available records until the provided date
         - in: query
           name: startIndex
           schema:
@@ -354,8 +393,8 @@ paths:
               schema:
                 $ref: '#/components/schemas/FHIR-JSON-RESOURCE'
               examples:
-                V1FhirExplanationOfBenefitExample:
-                  $ref: '#/components/examples/V1FhirExplanationOfBenefitExample'
+                V2FhirExplanationOfBenefitExample:
+                  $ref: '#/components/examples/V2FhirExplanationOfBenefitExample'
           description: "ExplanationOfBenefit FHIR resources bundle"
         '400':
           description: "Error: Bad Request, e.g. the _lastUpdated operator is not valid."
@@ -363,38 +402,19 @@ paths:
           description: "Error: Unauthorized, e.g. Authentication credentials were not provided."
         '502':
           description: "Error: Bad Gateway, e.g. An error occurred contacting the FHIR server."
-      tags:
-        - v1
-  /.well-known/openid-configuration-v2:
-    get:
-      operationId: openIdConfig_v2
-      description: "Returns OIDC (OpenID Connect protocol) Discovery: listing of the OpenID/OAuth endpoints, supported scopes and claims (public access, no token needed)"
-      summary: "OpenID Connect protocol (OIDC) Discovery information"
-      security: []
-      responses:
-        '200':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/V2OpenIdConfiguration'
-              examples:
-                V2OpenIdConfigurationExample:
-                  $ref: '#/components/examples/V2OpenIdConfigurationExample'
-            application/fhir+json:
-              schema:
-                $ref: '#/components/schemas/V2OpenIdConfiguration'
-              examples:
-                V2OpenIdConfigurationExample:
-                  $ref: '#/components/examples/V2OpenIdConfigurationExample'
-          description: "OIDC Discovery: listing of the OpenID/OAuth endpoints, supported scopes and claims"
       tags:
         - v2
-  /v2/fhir/metadata:
-    get:
-      operationId: fhirMetaData_v2
+
+  /v1/fhir/metadata:
+    get: 
+      operationId: fhirMetaData
       description: "Returns FHIR CapabilityStatement resource (public access, no token needed)"
       summary: "FHIR CapabilityStatement resource"
-      security: []
+      security: 
+        - oAuth2Security: 
+          - patient/Patient.read
+          - patient/Coverage.read
+          - patient/ExplanationOfBenefit.read
       responses:
         '200':
           content:
@@ -402,41 +422,49 @@ paths:
               schema:
                 $ref: '#/components/schemas/FHIR-JSON-RESOURCE'
               examples:
-                V2FhirMetadataExample:
-                  $ref: '#/components/examples/V2FhirMetadataExample'
+                V1FhirMetadataExample:
+                  $ref: '#/components/examples/V1FhirMetadataExample'
           description: "FHIR CapabilityStatement resource"
         '502':
 
-          description: "Error: Bad Gateway, e.g. An error occurred contacting the FHIR server."
+          description: "Error: Bad Gateway, e.g. An error occurred contacting the FHIR server"
       tags:
-        - v2
-  /v2/connect/userinfo:
-    get:
-      operationId: listopenidconnect_userinfos_v2
+        - v1
+  /v1/connect/userinfo:
+    get: 
+      operationId: listopenidconnect_userinfos
       description: "Returns OpenID Connect protocol (OIDC) userinfo"
       summary: "OpenID Connect protocol (OIDC) userinfo"
+      security: 
+        - oAuth2Security: 
+          - patient/Patient.read
+          - patient/Coverage.read
+          - patient/ExplanationOfBenefit.read
       parameters: []
       responses:
         '200':
           content:
             application/json:
               schema:
-                $ref: '#/components/schemas/V2UserInfo'
+                $ref: '#/components/schemas/V1UserInfo'
               examples:
-                V2UserInfoExample:
-                  $ref: '#/components/examples/V2UserInfoExample'
-          description:  "OIDC userinfo"
+                V1UserInfoExample:
+                  $ref: '#/components/examples/V1UserInfoExample'
+          description: "OIDC userinfo"
         '401':
+
           description: "Error: Unauthorized, e.g. Authentication credentials were not provided."
         '403':
+
           description: "Error: Forbidden, e.g. beneficiary does not grant access to PII."
         '502':
+
           description: "Error: Bad Gateway, e.g. An error occurred contacting the FHIR server."
       tags:
-        - v2
-  /v2/fhir/Patient/{resource_id}:
-    get:
-      operationId: listReadViewPatients_v2
+        - v1
+  '/v1/fhir/Patient/{resource_id}':
+    get: 
+      operationId: listReadViewPatients
       description: "Returns Patient FHIR resource identified by resource_id"
       summary: "Patient FHIR resource identified by resource_id"
       parameters:
@@ -453,24 +481,33 @@ paths:
               schema:
                 $ref: '#/components/schemas/FHIR-JSON-RESOURCE'
               examples:
-                V2FhirPatientByIdExample:
-                  $ref: '#/components/examples/V2FhirPatientByIdExample'
-          description: "Patient FHIR resource"
+                V1FhirPatientByIdExample:
+                  $ref: '#/components/examples/V1FhirPatientByIdExample'
+          description:  "Patient FHIR resource"
         '401':
+
           description: "Error: Unauthorized, e.g. Authentication credentials were not provided."
         '403':
+
           description: "Error: Forbidden, e.g. beneficiary does not grant access to PII."
         '404':
+
           description: "Error: Not Found, e.g. The requested resource does not exist."
         '502':
+
           description: "Error: Bad Gateway, e.g. An error occurred contacting the FHIR server."
       tags:
-        - v2
-  /v2/fhir/Patient/:
-    get: 
-      operationId: listSearchViewPatients_v2
+        - v1
+  /v1/fhir/Patient/:
+    get:
+      operationId: listSearchViewPatients
       description: "Returns Patient FHIR resources matching search criteria as a FHIR Bundle"
       summary: "Patient FHIR resources matching search criteria as a FHIR Bundle"
+      security: 
+        - oAuth2Security: 
+          - patient/Patient.read
+          - patient/Coverage.read
+          - patient/ExplanationOfBenefit.read
       parameters:
         - in: query
           name: identifier
@@ -483,7 +520,22 @@ paths:
           schema:
             type: string
           required: false
-          description: "Include resources last updated in the given range"
+          description: |-
+            Only satisfy the Search if the Beneficiary's _last_updated_ Date falls within a specified _DateRange_.
+            
+            A _DateRange_ can be defined by providing _lt_ (less than), _le_
+            (less than or equal to), _gt_ (greater than), and/or _ge_ (greater
+            than or equal to) values.
+
+            This parameter can be included in a request one or more times.
+
+            Inexact timestamps are accepted, but not recommended, since the input will implicitly
+            be converted to use the server's timezone.
+
+            Examples:
+              - __lastUpdated=gt2023-01-02T00:00+00:00&\_lastUpdated=lt2023-05-01T00:00+00:00_ defines a range between two provided dates
+              - __lastUpdated=gt2023-01-02T00:00+00:00_ defines a range between the provided date and today
+              - __lastUpdated=lt2023-05-01T00:00+00:00_ defines a range from the earliest available records until the provided date
         - in: query
           name: startIndex
           schema:
@@ -515,8 +567,8 @@ paths:
               schema:
                 $ref: '#/components/schemas/FHIR-JSON-RESOURCE'
               examples:
-                V2FhirPatientExample:
-                  $ref: '#/components/examples/V2FhirPatientExample'
+                V1FhirPatientExample:
+                  $ref: '#/components/examples/V1FhirPatientExample'
           description: "Patient FHIR resources bundle"
         '400':
           description: "Error: Bad Request, e.g. the _lastUpdated operator is not valid."
@@ -527,10 +579,10 @@ paths:
         '502':
           description: "Error: Bad Gateway, e.g. An error occurred contacting the FHIR server."
       tags:
-        - v2
-  /v2/fhir/Coverage/{resource_id}:
+        - v1
+  '/v1/fhir/Coverage/{resource_id}':
     get:
-      operationId: listReadViewCoverages_v2
+      operationId: listReadViewCoverages
       description: "Returns Coverage FHIR resource identified by resource_id"
       summary: "Coverage FHIR resource identified by resource_id"
       parameters:
@@ -547,11 +599,11 @@ paths:
               schema:
                 $ref: '#/components/schemas/FHIR-JSON-RESOURCE'
               examples:
-                V2FhirCoverageByIdExample:
-                  $ref: '#/components/examples/V2FhirCoverageByIdExample'
+                V1FhirCoverageByIdExample:
+                  $ref: '#/components/examples/V1FhirCoverageByIdExample'
           description: "Coverage FHIR resource"
         '400':
-          description: "Error: Bad Request, e.g. Unsupported ID pattern: partparta_20140000000001."
+          description: "Error: Bad Request, e.g. Unsupported ID pattern: partd-889999ddddddddddddddddddddd."
         '401':
           description: "Error: Unauthorized, e.g. Authentication credentials were not provided."
         '404':
@@ -559,10 +611,10 @@ paths:
         '502':
           description: "Error: Bad Gateway, e.g. An error occurred contacting the FHIR server."
       tags:
-        - v2
-  /v2/fhir/Coverage/:
+        - v1
+  /v1/fhir/Coverage/:
     get:
-      operationId: listSearchViewCoverages_v2
+      operationId: listSearchViewCoverages
       description: "Returns Coverage FHIR resources matching the search criteria as a FHIR Bundle"
       summary: "Coverage FHIR resources matching the search criteria as a FHIR Bundle"
       parameters:
@@ -577,7 +629,22 @@ paths:
           schema:
             type: string
           required: false
-          description: "Include resources last updated in the given range"
+          description: |-
+            Only satisfy the Search if the Beneficiary's _last_updated_ Date falls within a specified _DateRange_.
+            
+            A _DateRange_ can be defined by providing _lt_ (less than), _le_
+            (less than or equal to), _gt_ (greater than), and/or _ge_ (greater
+            than or equal to) values.
+
+            This parameter can be included in a request one or more times.
+
+            Inexact timestamps are accepted, but not recommended, since the input will implicitly
+            be converted to use the server's timezone.
+
+            Examples:
+              - __lastUpdated=gt2023-01-02T00:00+00:00&\_lastUpdated=lt2023-05-01T00:00+00:00_ defines a range between two provided dates
+              - __lastUpdated=gt2023-01-02T00:00+00:00_ defines a range between the provided date and today
+              - __lastUpdated=lt2023-05-01T00:00+00:00_ defines a range from the earliest available records until the provided date
         - in: query
           name: startIndex
           schema:
@@ -591,9 +658,9 @@ paths:
               schema:
                 $ref: '#/components/schemas/FHIR-JSON-RESOURCE'
               examples:
-                V2FhirCoverageExample:
-                  $ref: '#/components/examples/V2FhirCoverageExample'
-          description: "Coverage FHIR resources bundle"
+                V1FhirCoverageExample:
+                  $ref: '#/components/examples/V1FhirCoverageExample'
+          description:  "Coverage FHIR resources bundle"
         '400':
           description: "Error: Bad Request, e.g. the _lastUpdated operator is not valid."
         '401':
@@ -601,10 +668,10 @@ paths:
         '502':
           description: "Error: Bad Gateway, e.g. An error occurred contacting the FHIR server."
       tags:
-        - v2
-  /v2/fhir/ExplanationOfBenefit/{resource_id}:
+        - v1
+  /v1/fhir/ExplanationOfBenefit/{resource_id}:
     get:
-      operationId: listReadViewExplanationOfBenefits_v2
+      operationId: listReadViewExplanationOfBenefits
       description: "Returns ExplanationOfBenefit FHIR resource identified by resource_id"
       summary: "ExplanationOfBenefit FHIR resource identified by resource_id"
       parameters:
@@ -621,9 +688,11 @@ paths:
               schema:
                 $ref: '#/components/schemas/FHIR-JSON-RESOURCE'
               examples:
-                V2FhirExplanationOfBenefitByIdExample:
-                  $ref: '#/components/examples/V2FhirExplanationOfBenefitByIdExample'
+                V1FhirExplanationOfBenefitByIdExample:
+                  $ref: '#/components/examples/V1FhirExplanationOfBenefitByIdExample'
           description: "ExplanationOfBenefit FHIR resource"
+        '400':
+          description: "Error: Bad Request, e.g. Unsupported ID pattern: partd238900099."
         '401':
           description: "Error: Unauthorized, e.g. Authentication credentials were not provided."
         '404':
@@ -631,10 +700,10 @@ paths:
         '502':
           description: "Error: Bad Gateway, e.g. An error occurred contacting the FHIR server."
       tags:
-        - v2
-  /v2/fhir/ExplanationOfBenefit/:
+        - v1
+  /v1/fhir/ExplanationOfBenefit/:
     get:
-      operationId: listSearchViewExplanationOfBenefits_v2
+      operationId: listSearchViewExplanationOfBenefits
       description: "Returns ExplanationOfBenefit FHIR resources matching search criteria as a FHIR Bundle"
       summary: "ExplanationOfBenefit FHIR resources matching search criteria as a FHIR Bundle"
       parameters:
@@ -649,7 +718,22 @@ paths:
           schema:
             type: string
           required: false
-          description: "Include resources last updated in the given range"
+          description: |-
+            Only satisfy the Search if the Beneficiary's _last_updated_ Date falls within a specified _DateRange_.
+            
+            A _DateRange_ can be defined by providing _lt_ (less than), _le_
+            (less than or equal to), _gt_ (greater than), and/or _ge_ (greater
+            than or equal to) values.
+
+            This parameter can be included in a request one or more times.
+
+            Inexact timestamps are accepted, but not recommended, since the input will implicitly
+            be converted to use the server's timezone.
+
+            Examples:
+              - __lastUpdated=gt2023-01-02T00:00+00:00&\_lastUpdated=lt2023-05-01T00:00+00:00_ defines a range between two provided dates
+              - __lastUpdated=gt2023-01-02T00:00+00:00_ defines a range between the provided date and today
+              - __lastUpdated=lt2023-05-01T00:00+00:00_ defines a range from the earliest available records until the provided date
         - in: query
           name: excludeSAMHSA
           schema:
@@ -661,7 +745,24 @@ paths:
           schema:
             type: string
           required: false
-          description: "Include resources that completed in the given range"
+          description: |-
+            Only satisfy the Search request if a claim's _billable period_
+            falls within a specified _DateRange_.
+
+            A _DateRange_ can be defined by providing _lt_ (less than), _le_
+            (less than or equal to), _gt_ (greater than), and/or _ge_ (greater
+            than or equal to) values.
+
+            This parameter can be included in a request one or more times.
+
+            Inexact timestamps are accepted, but not recommended, since the input will implicitly
+            be converted to use the server's timezone.
+
+
+            Examples:
+              - _service-date=gt2023-01-02T00:00+00:00&service-date=lt2023-05-01T00:00+00:00_ defines a range between two provided dates
+              - _service-date=gt2023-01-02T00:00+00:00_ defines a range between the provided date and today
+              - _service-date=lt2023-05-01T00:00+00:00_ defines a range from the earliest available records until the provided date
         - in: query
           name: startIndex
           schema:
@@ -681,8 +782,8 @@ paths:
               schema:
                 $ref: '#/components/schemas/FHIR-JSON-RESOURCE'
               examples:
-                V2FhirExplanationOfBenefitExample:
-                  $ref: '#/components/examples/V2FhirExplanationOfBenefitExample'
+                V1FhirExplanationOfBenefitExample:
+                  $ref: '#/components/examples/V1FhirExplanationOfBenefitExample'
           description: "ExplanationOfBenefit FHIR resources bundle"
         '400':
           description: "Error: Bad Request, e.g. the _lastUpdated operator is not valid."
@@ -691,7 +792,7 @@ paths:
         '502':
           description: "Error: Bad Gateway, e.g. An error occurred contacting the FHIR server."
       tags:
-        - v2
+        - v1
 
 components:
   securitySchemes:
@@ -717,6 +818,8 @@ components:
           type: string
         authorization_endpoint: 
           type: string
+        revocation_endpoint:
+          type: string
         token_endpoint: 
           type: string
         userinfo_endpoint: 
@@ -746,6 +849,8 @@ components:
           type: string
         authorization_endpoint: 
           type: string
+        revocation_endpoint:
+          type: string
         token_endpoint: 
           type: string
         userinfo_endpoint: 
@@ -812,6 +917,7 @@ components:
       value:
         issuer: 'https://sandbox.bluebutton.cms.gov'
         authorization_endpoint: 'https://sandbox.bluebutton.cms.gov/v1/o/authorize/'
+        revocation_endpoint: 'https://sandbox.bluebutton.cms.gov/v1/o/revoke/'
         token_endpoint: 'https://sandbox.bluebutton.cms.gov/v1/o/token/'
         userinfo_endpoint: 'https://sandbox.bluebutton.cms.gov/v1/connect/userinfo'
         ui_locales_supported:
@@ -830,6 +936,7 @@ components:
       value:
         issuer: 'https://sandbox.bluebutton.cms.gov'
         authorization_endpoint: 'https://sandbox.bluebutton.cms.gov/v2/o/authorize/'
+        revocation_endpoint: 'https://sandbox.bluebutton.cms.gov/v2/o/revoke/'
         token_endpoint: 'https://sandbox.bluebutton.cms.gov/v2/o/token/'
         userinfo_endpoint: 'https://sandbox.bluebutton.cms.gov/v2/connect/userinfo'
         ui_locales_supported:
@@ -1230,6 +1337,8 @@ components:
                       valueUri: 'https://sandbox.bluebutton.cms.gov/v1/o/token/'
                     - url: authorize
                       valueUri: 'https://sandbox.bluebutton.cms.gov/v1/o/authorize/'
+                    - url: revoke
+                      valueUri: 'https://sandbox.bluebutton.cms.gov/v1/o/revoke/'
 
     V2FhirMetadataExample:
       value:
@@ -1665,6 +1774,8 @@ components:
                       valueUri: 'https://sandbox.bluebutton.cms.gov/v2/o/token/'
                     - url: authorize
                       valueUri: 'https://sandbox.bluebutton.cms.gov/v2/o/authorize/'
+                    - url: revoke
+                      valueUri: 'https://sandbox.bluebutton.cms.gov/v2/o/revoke/'
     
     V1UserInfoExample:
       value:
diff --git a/vendor/Django-4.2.11-py3-none-any.whl b/vendor/Django-4.2.11-py3-none-any.whl
deleted file mode 100644
index bdca09a03..000000000
Binary files a/vendor/Django-4.2.11-py3-none-any.whl and /dev/null differ
diff --git a/vendor/Django-4.2.14-py3-none-any.whl b/vendor/Django-4.2.17-py3-none-any.whl
similarity index 91%
rename from vendor/Django-4.2.14-py3-none-any.whl
rename to vendor/Django-4.2.17-py3-none-any.whl
index 7b4591369..aaeb0b5b8 100644
Binary files a/vendor/Django-4.2.14-py3-none-any.whl and b/vendor/Django-4.2.17-py3-none-any.whl differ
diff --git a/vendor/backports.zoneinfo-0.2.1.tar.gz b/vendor/backports.zoneinfo-0.2.1.tar.gz
deleted file mode 100644
index 6a1d3b38d..000000000
Binary files a/vendor/backports.zoneinfo-0.2.1.tar.gz and /dev/null differ
diff --git a/vendor/certifi-2023.7.22-py3-none-any.whl b/vendor/certifi-2023.7.22-py3-none-any.whl
deleted file mode 100644
index 78dfe2713..000000000
Binary files a/vendor/certifi-2023.7.22-py3-none-any.whl and /dev/null differ
diff --git a/vendor/cryptography-42.0.6-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/vendor/cryptography-42.0.6-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
deleted file mode 100644
index eaf639866..000000000
Binary files a/vendor/cryptography-42.0.6-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ
diff --git a/vendor/cryptography-42.0.7-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/vendor/cryptography-42.0.7-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
deleted file mode 100644
index 6cd6b4548..000000000
Binary files a/vendor/cryptography-42.0.7-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ
diff --git a/vendor/cryptography-42.0.7-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/vendor/cryptography-42.0.7-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
deleted file mode 100644
index 96aef59be..000000000
Binary files a/vendor/cryptography-42.0.7-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ
diff --git a/vendor/cryptography-42.0.8-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/vendor/cryptography-42.0.8-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
deleted file mode 100644
index fd6520a11..000000000
Binary files a/vendor/cryptography-42.0.8-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ
diff --git a/vendor/cryptography-44.0.0-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/vendor/cryptography-44.0.0-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
new file mode 100644
index 000000000..01478de34
Binary files /dev/null and b/vendor/cryptography-44.0.0-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl differ
diff --git a/vendor/djangorestframework-3.14.0-py3-none-any.whl b/vendor/djangorestframework-3.14.0-py3-none-any.whl
deleted file mode 100644
index 56c7c1c4d..000000000
Binary files a/vendor/djangorestframework-3.14.0-py3-none-any.whl and /dev/null differ
diff --git a/vendor/exceptiongroup-1.2.1-py3-none-any.whl b/vendor/exceptiongroup-1.2.1-py3-none-any.whl
deleted file mode 100644
index 494f2626e..000000000
Binary files a/vendor/exceptiongroup-1.2.1-py3-none-any.whl and /dev/null differ
diff --git a/vendor/requests-2.30.0-py3-none-any.whl b/vendor/requests-2.30.0-py3-none-any.whl
deleted file mode 100644
index 5141cbd01..000000000
Binary files a/vendor/requests-2.30.0-py3-none-any.whl and /dev/null differ
diff --git a/vendor/setuptools-75.6.0-py3-none-any.whl b/vendor/setuptools-75.6.0-py3-none-any.whl
new file mode 100644
index 000000000..d43cfdb98
Binary files /dev/null and b/vendor/setuptools-75.6.0-py3-none-any.whl differ
diff --git a/vendor/setuptools_scm-6.4.2-py3-none-any.whl b/vendor/setuptools_scm-6.4.2-py3-none-any.whl
new file mode 100644
index 000000000..7f6eb84e4
Binary files /dev/null and b/vendor/setuptools_scm-6.4.2-py3-none-any.whl differ
diff --git a/vendor/tomli-2.0.1-py3-none-any.whl b/vendor/tomli-2.0.1-py3-none-any.whl
deleted file mode 100644
index 29670b98d..000000000
Binary files a/vendor/tomli-2.0.1-py3-none-any.whl and /dev/null differ
diff --git a/vendor/tomli-2.2.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/vendor/tomli-2.2.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
new file mode 100644
index 000000000..047d8ec70
Binary files /dev/null and b/vendor/tomli-2.2.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl differ
diff --git a/vendor/urllib3-1.26.18-py2.py3-none-any.whl b/vendor/urllib3-1.26.18-py2.py3-none-any.whl
deleted file mode 100644
index c7337c761..000000000
Binary files a/vendor/urllib3-1.26.18-py2.py3-none-any.whl and /dev/null differ
diff --git a/vendor/werkzeug-3.0.3-py3-none-any.whl b/vendor/werkzeug-3.0.6-py3-none-any.whl
similarity index 63%
rename from vendor/werkzeug-3.0.3-py3-none-any.whl
rename to vendor/werkzeug-3.0.6-py3-none-any.whl
index f0683a10d..15b739b1e 100644
Binary files a/vendor/werkzeug-3.0.3-py3-none-any.whl and b/vendor/werkzeug-3.0.6-py3-none-any.whl differ
diff --git a/vendor/zipp-3.15.0-py3-none-any.whl b/vendor/zipp-3.15.0-py3-none-any.whl
deleted file mode 100644
index f5bfb6438..000000000
Binary files a/vendor/zipp-3.15.0-py3-none-any.whl and /dev/null differ
diff --git a/vendor/zipp-3.19.1-py3-none-any.whl b/vendor/zipp-3.19.1-py3-none-any.whl
deleted file mode 100644
index b29ccd313..000000000
Binary files a/vendor/zipp-3.19.1-py3-none-any.whl and /dev/null differ