From 94c65bf8be49aa1070870c6e9297d8c792657db2 Mon Sep 17 00:00:00 2001
From: Nico Burniske <nicoburniske@gmail.com>
Date: Wed, 27 Mar 2024 15:18:37 -0400
Subject: [PATCH] remove namespace first part

---
 golem-service-base/src/model.rs               |  28 +
 golem-worker-service-base/src/api/common.rs   |   7 -
 golem-worker-service-base/src/auth.rs         |  47 +-
 .../src/service/api_definition.rs             | 208 ++++----
 golem-worker-service-base/src/service/mod.rs  |  20 +
 .../src/service/template/default.rs           |  96 ++--
 .../src/service/worker/default.rs             | 492 +++++++-----------
 golem-worker-service/src/api/mod.rs           |   1 -
 .../src/api/register_api_definition_api.rs    |  60 +--
 golem-worker-service/src/api/worker.rs        |  32 +-
 .../src/api/worker_connect.rs                 |   6 +-
 golem-worker-service/src/grpcapi/worker.rs    |  39 +-
 golem-worker-service/src/lib.rs               |  11 +
 golem-worker-service/src/service/mod.rs       |  34 +-
 golem-worker-service/src/service/template.rs  |  38 +-
 golem-worker-service/src/service/worker.rs    |   9 +-
 .../src/worker_request_to_http_response.rs    |  17 +-
 17 files changed, 481 insertions(+), 664 deletions(-)

diff --git a/golem-service-base/src/model.rs b/golem-service-base/src/model.rs
index 19ee0e128..292470e4b 100644
--- a/golem-service-base/src/model.rs
+++ b/golem-service-base/src/model.rs
@@ -3116,3 +3116,31 @@ impl From<GrpcRoutingTableEntry> for RoutingTableEntry {
         }
     }
 }
+
+#[derive(
+    Debug, Clone, PartialEq, Eq, Hash, Ord, PartialOrd, serde::Serialize, serde::Deserialize, Object,
+)]
+#[serde(rename_all = "camelCase")]
+#[oai(rename_all = "camelCase")]
+pub struct ResourceLimits {
+    pub available_fuel: i64,
+    pub max_memory_per_worker: i64,
+}
+
+impl From<ResourceLimits> for golem_api_grpc::proto::golem::common::ResourceLimits {
+    fn from(value: ResourceLimits) -> Self {
+        Self {
+            available_fuel: value.available_fuel,
+            max_memory_per_worker: value.max_memory_per_worker,
+        }
+    }
+}
+
+impl From<golem_api_grpc::proto::golem::common::ResourceLimits> for ResourceLimits {
+    fn from(value: golem_api_grpc::proto::golem::common::ResourceLimits) -> Self {
+        Self {
+            available_fuel: value.available_fuel,
+            max_memory_per_worker: value.max_memory_per_worker,
+        }
+    }
+}
diff --git a/golem-worker-service-base/src/api/common.rs b/golem-worker-service-base/src/api/common.rs
index 76c9ffd26..2faa20e61 100644
--- a/golem-worker-service-base/src/api/common.rs
+++ b/golem-worker-service-base/src/api/common.rs
@@ -99,7 +99,6 @@ impl ApiEndpointError {
 }
 
 mod conversion {
-    use golem_service_base::service::auth::AuthError;
     use poem_openapi::payload::Json;
 
     use super::{
@@ -112,12 +111,6 @@ mod conversion {
     impl From<ApiRegistrationError> for ApiEndpointError {
         fn from(error: ApiRegistrationError) -> Self {
             match error {
-                ApiRegistrationError::AuthenticationError(auth) => match auth {
-                    AuthError::Forbidden(_) => ApiEndpointError::forbidden(auth),
-                    AuthError::Unauthorized(_) => ApiEndpointError::unauthorized(auth),
-                    AuthError::Internal(_) => ApiEndpointError::internal(auth),
-                    AuthError::NotFound(_) => ApiEndpointError::not_found(auth),
-                },
                 ApiRegistrationError::RepoError(error) => match error {
                     ApiRegistrationRepoError::AlreadyExists(_) => {
                         ApiEndpointError::already_exists(error)
diff --git a/golem-worker-service-base/src/auth.rs b/golem-worker-service-base/src/auth.rs
index b6c2086ea..dd23023a3 100644
--- a/golem-worker-service-base/src/auth.rs
+++ b/golem-worker-service-base/src/auth.rs
@@ -1,12 +1,7 @@
 use std::fmt::{Display, Formatter};
 
-use async_trait::async_trait;
-use golem_api_grpc::proto::golem::common::ResourceLimits;
-use golem_common::model::AccountId;
-use golem_service_base::service::auth::{AuthError, AuthService, Permission};
 use serde::Deserialize;
 
-pub struct AuthServiceNoop {}
 #[derive(Debug, Clone, PartialEq, Eq, Hash)]
 pub struct EmptyAuthCtx {}
 
@@ -16,6 +11,15 @@ impl Display for EmptyAuthCtx {
     }
 }
 
+impl IntoIterator for EmptyAuthCtx {
+    type Item = (String, String);
+    type IntoIter = std::iter::Empty<Self::Item>;
+
+    fn into_iter(self) -> Self::IntoIter {
+        std::iter::empty()
+    }
+}
+
 #[derive(Debug, Clone, PartialEq, Eq, Hash, bincode::Encode, bincode::Decode, Deserialize)]
 pub struct CommonNamespace(String);
 
@@ -30,36 +34,3 @@ impl Display for CommonNamespace {
         write!(f, "{}", self.0)
     }
 }
-
-#[async_trait]
-impl<AuthCtx, Namespace: Default> AuthService<AuthCtx, Namespace> for AuthServiceNoop {
-    async fn is_authorized(
-        &self,
-        _permission: Permission,
-        _ctx: &AuthCtx,
-    ) -> Result<Namespace, AuthError> {
-        Ok(Namespace::default())
-    }
-}
-
-// TODO: Replace with metadata map
-pub trait HasMetadata {
-    fn get_metadata(&self) -> WorkerMetadata;
-}
-
-#[derive(Clone, Debug)]
-pub struct WorkerMetadata {
-    pub account_id: Option<AccountId>,
-    pub limits: Option<ResourceLimits>,
-}
-
-impl HasMetadata for CommonNamespace {
-    fn get_metadata(&self) -> WorkerMetadata {
-        WorkerMetadata {
-            account_id: Some(golem_common::model::AccountId {
-                value: "-1".to_string(),
-            }),
-            limits: None,
-        }
-    }
-}
diff --git a/golem-worker-service-base/src/service/api_definition.rs b/golem-worker-service-base/src/service/api_definition.rs
index 3fd6b5eba..f8c88c7c1 100644
--- a/golem-worker-service-base/src/service/api_definition.rs
+++ b/golem-worker-service-base/src/service/api_definition.rs
@@ -5,15 +5,13 @@ use std::sync::Arc;
 
 use crate::api_definition::{ApiDefinition, ApiDefinitionId, Version};
 use crate::api_definition_repo::{ApiDefinitionRepo, ApiRegistrationRepoError};
-use crate::auth::{CommonNamespace, EmptyAuthCtx};
 use async_trait::async_trait;
 use golem_service_base::model::Template;
-use golem_service_base::service::auth::{AuthError, AuthService, Permission, WithNamespace};
 
 use super::api_definition_validator::{ApiDefinitionValidatorService, ValidationError};
 use super::template::TemplateService;
 
-pub type ApiResult<T, Namespace> = Result<WithNamespace<T, Namespace>, ApiRegistrationError>;
+pub type ApiResult<T> = Result<T, ApiRegistrationError>;
 
 // A namespace here can be example: (account, project) etc.
 // Ideally a repo service and its implementation with a different service impl that takes care of
@@ -23,30 +21,38 @@ pub trait ApiDefinitionService<AuthCtx, Namespace> {
     async fn register(
         &self,
         definition: &ApiDefinition,
-        auth_ctx: AuthCtx,
-    ) -> ApiResult<ApiDefinitionId, Namespace>;
+        namespace: Namespace,
+        auth_ctx: &AuthCtx,
+    ) -> ApiResult<ApiDefinitionId>;
 
     async fn get(
         &self,
         api_definition_id: &ApiDefinitionId,
         version: &Version,
-        auth_ctx: AuthCtx,
-    ) -> ApiResult<Option<ApiDefinition>, Namespace>;
+        namespace: Namespace,
+        auth_ctx: &AuthCtx,
+    ) -> ApiResult<Option<ApiDefinition>>;
 
     async fn delete(
         &self,
         api_definition_id: &ApiDefinitionId,
         version: &Version,
-        auth_ctx: AuthCtx,
-    ) -> ApiResult<Option<ApiDefinitionId>, Namespace>;
+        namespace: Namespace,
+        auth_ctx: &AuthCtx,
+    ) -> ApiResult<Option<ApiDefinitionId>>;
 
-    async fn get_all(&self, auth_ctx: AuthCtx) -> ApiResult<Vec<ApiDefinition>, Namespace>;
+    async fn get_all(
+        &self,
+        namespace: Namespace,
+        auth_ctx: &AuthCtx,
+    ) -> ApiResult<Vec<ApiDefinition>>;
 
     async fn get_all_versions(
         &self,
         api_id: &ApiDefinitionId,
-        auth_ctx: AuthCtx,
-    ) -> ApiResult<Vec<ApiDefinition>, Namespace>;
+        namespace: Namespace,
+        auth_ctx: &AuthCtx,
+    ) -> ApiResult<Vec<ApiDefinition>>;
 }
 
 pub trait ApiNamespace:
@@ -104,53 +110,34 @@ impl<Namespace: Display> ApiDefinitionKey<Namespace> {
 
 #[derive(Debug, Clone, thiserror::Error)]
 pub enum ApiRegistrationError {
-    #[error(transparent)]
-    AuthenticationError(#[from] AuthError),
     #[error(transparent)]
     RepoError(#[from] ApiRegistrationRepoError),
     #[error(transparent)]
     ValidationError(#[from] ValidationError),
 }
 
-pub struct RegisterApiDefinitionDefault<AuthCtx, ApiDefNamespace, TemplateNamespace> {
-    pub template_service: Arc<dyn TemplateService<AuthCtx, TemplateNamespace> + Send + Sync>,
-    pub auth_service: Arc<dyn AuthService<AuthCtx, ApiDefNamespace> + Sync + Send>,
-    pub register_repo: Arc<dyn ApiDefinitionRepo<ApiDefNamespace> + Sync + Send>,
+pub struct RegisterApiDefinitionDefault<AuthCtx, Namespace> {
+    pub template_service: Arc<dyn TemplateService<AuthCtx> + Send + Sync>,
+    pub register_repo: Arc<dyn ApiDefinitionRepo<Namespace> + Sync + Send>,
     pub api_definition_validator: Arc<dyn ApiDefinitionValidatorService + Sync + Send>,
 }
 
-impl<AuthCtx, ApiDefNamespace, TemplateNamespace>
-    RegisterApiDefinitionDefault<AuthCtx, ApiDefNamespace, TemplateNamespace>
+impl<AuthCtx, Namespace> RegisterApiDefinitionDefault<AuthCtx, Namespace>
 where
-    AuthCtx: Send + Sync,
-    ApiDefNamespace: ApiNamespace,
-    TemplateNamespace: std::fmt::Debug + Send + Sync,
+    Namespace: ApiNamespace + Send + Sync,
 {
     pub fn new(
-        template_service: Arc<dyn TemplateService<AuthCtx, TemplateNamespace> + Send + Sync>,
-        auth_service: Arc<dyn AuthService<AuthCtx, ApiDefNamespace> + Sync + Send>,
-        register_repo: Arc<dyn ApiDefinitionRepo<ApiDefNamespace> + Sync + Send>,
+        template_service: Arc<dyn TemplateService<AuthCtx> + Send + Sync>,
+        register_repo: Arc<dyn ApiDefinitionRepo<Namespace> + Sync + Send>,
         api_definition_validator: Arc<dyn ApiDefinitionValidatorService + Sync + Send>,
     ) -> Self {
         Self {
             template_service,
-            auth_service,
             register_repo,
             api_definition_validator,
         }
     }
 
-    pub async fn is_authorized(
-        &self,
-        permission: Permission,
-        auth_ctx: &AuthCtx,
-    ) -> Result<ApiDefNamespace, ApiRegistrationError> {
-        Ok(self
-            .auth_service
-            .is_authorized(permission, auth_ctx)
-            .await?)
-    }
-
     async fn get_all_templates(
         &self,
         definition: &ApiDefinition,
@@ -163,19 +150,18 @@ where
             .map(|route| (route.binding.template.clone(), route))
             .collect::<HashMap<_, _>>()
             .into_values()
-            .map(|route| async move {
-                let id = &route.binding.template;
-                self.template_service
-                    .get_latest(id, auth_ctx)
-                    .await
-                    .map_err(|e| {
-                        tracing::error!("Error getting latest template: {:?}", e);
-                        // TODO: Better error message.
-                        crate::service::api_definition_validator::RouteValidationError::from_route(
-                            route,
-                            "Error getting latest template".into(),
-                        )
-                    })
+            .map(|route| {
+                async move {
+                    let id = &route.binding.template;
+                    self.template_service.get_latest(id, auth_ctx).await.map_err(|e| {
+                    tracing::error!("Error getting latest template: {:?}", e);
+                    // TODO: Better error message.
+                    crate::service::api_definition_validator::RouteValidationError::from_route(
+                        route,
+                        "Error getting latest template".into(),
+                    )
+                })
+                }
             })
             .collect::<Vec<_>>();
 
@@ -191,11 +177,7 @@ where
                 return Err(ValidationError { errors }.into());
             }
 
-            successes
-                .into_iter()
-                .map(|r| r.unwrap())
-                .map(|t| t.value)
-                .collect()
+            successes.into_iter().map(|r| r.unwrap()).collect()
         };
 
         Ok(templates)
@@ -203,21 +185,19 @@ where
 }
 
 #[async_trait]
-impl<AuthCtx, ApiDefNamespace, TemplateNamespace> ApiDefinitionService<AuthCtx, ApiDefNamespace>
-    for RegisterApiDefinitionDefault<AuthCtx, ApiDefNamespace, TemplateNamespace>
+impl<AuthCtx, Namespace> ApiDefinitionService<AuthCtx, Namespace>
+    for RegisterApiDefinitionDefault<AuthCtx, Namespace>
 where
     AuthCtx: Send + Sync,
-    ApiDefNamespace: ApiNamespace,
-    TemplateNamespace: std::fmt::Debug + Send + Sync,
+    Namespace: ApiNamespace + Send + Sync,
 {
     async fn register(
         &self,
         definition: &ApiDefinition,
-        auth_ctx: AuthCtx,
-    ) -> ApiResult<ApiDefinitionId, ApiDefNamespace> {
-        let namespace = self.is_authorized(Permission::Create, &auth_ctx).await?;
-
-        let templates = self.get_all_templates(definition, &auth_ctx).await?;
+        namespace: Namespace,
+        auth_ctx: &AuthCtx,
+    ) -> ApiResult<ApiDefinitionId> {
+        let templates = self.get_all_templates(definition, auth_ctx).await?;
 
         self.api_definition_validator
             .validate(definition, templates.as_slice())?;
@@ -230,20 +210,16 @@ where
 
         self.register_repo.register(definition, &key).await?;
 
-        Ok(WithNamespace {
-            value: key.id,
-            namespace,
-        })
+        Ok(key.id)
     }
 
     async fn get(
         &self,
         api_definition_id: &ApiDefinitionId,
         version: &Version,
-        auth_ctx: AuthCtx,
-    ) -> ApiResult<Option<ApiDefinition>, ApiDefNamespace> {
-        let namespace = self.is_authorized(Permission::View, &auth_ctx).await?;
-
+        namespace: Namespace,
+        _auth_ctx: &AuthCtx,
+    ) -> ApiResult<Option<ApiDefinition>> {
         let key = ApiDefinitionKey {
             namespace: namespace.clone(),
             id: api_definition_id.clone(),
@@ -252,17 +228,16 @@ where
 
         let value = self.register_repo.get(&key).await?;
 
-        Ok(WithNamespace { value, namespace })
+        Ok(value)
     }
 
     async fn delete(
         &self,
         api_definition_id: &ApiDefinitionId,
         version: &Version,
-        auth_ctx: AuthCtx,
-    ) -> ApiResult<Option<ApiDefinitionId>, ApiDefNamespace> {
-        let namespace = self.is_authorized(Permission::Delete, &auth_ctx).await?;
-
+        namespace: Namespace,
+        _auth_ctx: &AuthCtx,
+    ) -> ApiResult<Option<ApiDefinitionId>> {
         let key = ApiDefinitionKey {
             namespace: namespace.clone(),
             id: api_definition_id.clone(),
@@ -273,88 +248,83 @@ where
 
         let value = if deleted { Some(key.id) } else { None };
 
-        Ok(WithNamespace { value, namespace })
+        Ok(value)
     }
 
-    async fn get_all(&self, auth_ctx: AuthCtx) -> ApiResult<Vec<ApiDefinition>, ApiDefNamespace> {
-        let namespace = self.is_authorized(Permission::View, &auth_ctx).await?;
+    async fn get_all(
+        &self,
+        namespace: Namespace,
+        _auth_ctx: &AuthCtx,
+    ) -> ApiResult<Vec<ApiDefinition>> {
         let value = self.register_repo.get_all(&namespace).await?;
-        Ok(WithNamespace { value, namespace })
+        Ok(value)
     }
 
     async fn get_all_versions(
         &self,
         api_id: &ApiDefinitionId,
-        auth_ctx: AuthCtx,
-    ) -> ApiResult<Vec<ApiDefinition>, ApiDefNamespace> {
-        let namespace = self.is_authorized(Permission::View, &auth_ctx).await?;
-
+        namespace: Namespace,
+        _auth_ctx: &AuthCtx,
+    ) -> ApiResult<Vec<ApiDefinition>> {
         let value = self
             .register_repo
             .get_all_versions(api_id, &namespace)
             .await?;
 
-        Ok(WithNamespace { value, namespace })
+        Ok(value)
     }
 }
 
 pub struct RegisterApiDefinitionNoop {}
 
 #[async_trait]
-impl ApiDefinitionService<EmptyAuthCtx, CommonNamespace> for RegisterApiDefinitionNoop {
+impl<AuthCtx, Namespace> ApiDefinitionService<AuthCtx, Namespace> for RegisterApiDefinitionNoop
+where
+    Namespace: Default + Send + Sync + 'static,
+{
     async fn register(
         &self,
-        api_definition: &ApiDefinition,
-        _auth_ctx: EmptyAuthCtx,
-    ) -> ApiResult<ApiDefinitionId, CommonNamespace> {
-        Ok(WithNamespace {
-            value: api_definition.id.clone(),
-            namespace: Default::default(),
-        })
+        _definition: &ApiDefinition,
+        _namespace: Namespace,
+        _auth_ctx: &AuthCtx,
+    ) -> ApiResult<ApiDefinitionId> {
+        Ok(ApiDefinitionId("noop".to_string()))
     }
 
     async fn get(
         &self,
         _api_definition_id: &ApiDefinitionId,
         _version: &Version,
-        _auth_ctx: EmptyAuthCtx,
-    ) -> ApiResult<Option<ApiDefinition>, CommonNamespace> {
-        Ok(WithNamespace {
-            value: None,
-            namespace: Default::default(),
-        })
+        _namespace: Namespace,
+        _auth_ctx: &AuthCtx,
+    ) -> ApiResult<Option<ApiDefinition>> {
+        Ok(None)
     }
 
     async fn delete(
         &self,
         _api_definition_id: &ApiDefinitionId,
         _version: &Version,
-        _auth_ctx: EmptyAuthCtx,
-    ) -> ApiResult<Option<ApiDefinitionId>, CommonNamespace> {
-        Ok(WithNamespace {
-            value: None,
-            namespace: Default::default(),
-        })
+        _namespace: Namespace,
+        _auth_ctx: &AuthCtx,
+    ) -> ApiResult<Option<ApiDefinitionId>> {
+        Ok(None)
     }
 
     async fn get_all(
         &self,
-        _auth_ctx: EmptyAuthCtx,
-    ) -> ApiResult<Vec<ApiDefinition>, CommonNamespace> {
-        Ok(WithNamespace {
-            value: vec![],
-            namespace: Default::default(),
-        })
+        _namespace: Namespace,
+        _auth_ctx: &AuthCtx,
+    ) -> ApiResult<Vec<ApiDefinition>> {
+        Ok(vec![])
     }
 
     async fn get_all_versions(
         &self,
         _api_id: &ApiDefinitionId,
-        _auth_ctx: EmptyAuthCtx,
-    ) -> ApiResult<Vec<ApiDefinition>, CommonNamespace> {
-        Ok(WithNamespace {
-            value: vec![],
-            namespace: Default::default(),
-        })
+        _namespace: Namespace,
+        _auth_ctx: &AuthCtx,
+    ) -> ApiResult<Vec<ApiDefinition>> {
+        Ok(vec![])
     }
 }
diff --git a/golem-worker-service-base/src/service/mod.rs b/golem-worker-service-base/src/service/mod.rs
index 7cb60bf97..641a7e1cd 100644
--- a/golem-worker-service-base/src/service/mod.rs
+++ b/golem-worker-service-base/src/service/mod.rs
@@ -3,3 +3,23 @@ pub mod api_definition_validator;
 pub mod http_request_definition_lookup;
 pub mod template;
 pub mod worker;
+
+pub fn with_metadata<T, I, K, V>(request: T, metadata: I) -> tonic::Request<T>
+where
+    I: IntoIterator<Item = (K, V)>,
+    K: AsRef<str>,
+    V: AsRef<str>,
+{
+    let mut req = tonic::Request::new(request);
+    let req_metadata = req.metadata_mut();
+
+    for (key, value) in metadata {
+        let key = tonic::metadata::MetadataKey::from_bytes(key.as_ref().as_bytes());
+        let value = value.as_ref().parse();
+        if let (Ok(key), Ok(value)) = (key, value) {
+            req_metadata.insert(key, value);
+        }
+    }
+
+    req
+}
diff --git a/golem-worker-service-base/src/service/template/default.rs b/golem-worker-service-base/src/service/template/default.rs
index 5686241c2..147cc278b 100644
--- a/golem-worker-service-base/src/service/template/default.rs
+++ b/golem-worker-service-base/src/service/template/default.rs
@@ -1,4 +1,5 @@
 use crate::service::template::TemplateServiceError;
+use crate::service::with_metadata;
 use crate::UriBackConversion;
 
 use async_trait::async_trait;
@@ -10,86 +11,65 @@ use golem_common::config::RetryConfig;
 use golem_common::model::TemplateId;
 use golem_common::retries::with_retries;
 use golem_service_base::model::Template;
-use golem_service_base::service::auth::{AuthService, Permission, WithAuth, WithNamespace};
 use http::Uri;
-use std::sync::Arc;
 use tracing::info;
 
-pub type TemplateResult<T, Namespace> = Result<WithNamespace<T, Namespace>, TemplateServiceError>;
+pub type TemplateResult<T> = Result<T, TemplateServiceError>;
 
 #[async_trait]
-pub trait TemplateService<AuthCtx, Namespace> {
+pub trait TemplateService<AuthCtx> {
     async fn get_by_version(
         &self,
         template_id: &TemplateId,
         version: i32,
         auth_ctx: &AuthCtx,
-    ) -> TemplateResult<Template, Namespace>;
+    ) -> TemplateResult<Template>;
 
     async fn get_latest(
         &self,
         template_id: &TemplateId,
         auth_ctx: &AuthCtx,
-    ) -> TemplateResult<Template, Namespace>;
+    ) -> TemplateResult<Template>;
 }
 
 #[derive(Clone)]
-pub struct TemplateServiceDefault<AuthCtx, Namespace> {
+pub struct RemoteTemplateService {
     uri: Uri,
     retry_config: RetryConfig,
-    auth_service: InnerAuthService<AuthCtx, Namespace>,
 }
 
-type InnerAuthService<AuthCtx, Namespace> =
-    Arc<dyn AuthService<WithAuth<TemplateId, AuthCtx>, Namespace> + Send + Sync>;
-
-impl<AuthCtx, Namespace> TemplateServiceDefault<AuthCtx, Namespace> {
-    pub fn new(
-        uri: Uri,
-        retry_config: RetryConfig,
-        auth_service: InnerAuthService<AuthCtx, Namespace>,
-    ) -> Self {
-        Self {
-            uri,
-            retry_config,
-            auth_service,
-        }
+impl RemoteTemplateService {
+    pub fn new(uri: Uri, retry_config: RetryConfig) -> Self {
+        Self { uri, retry_config }
     }
 }
 
 #[async_trait]
-impl<AuthCtx, Namespace> TemplateService<AuthCtx, Namespace>
-    for TemplateServiceDefault<AuthCtx, Namespace>
+impl<AuthCtx> TemplateService<AuthCtx> for RemoteTemplateService
 where
-    Namespace: Send + Sync,
-    AuthCtx: Clone + Send + Sync,
+    AuthCtx: IntoIterator<Item = (String, String)> + Clone + Send + Sync,
 {
     async fn get_latest(
         &self,
         template_id: &TemplateId,
-        auth_ctx: &AuthCtx,
-    ) -> TemplateResult<Template, Namespace> {
+        metadata: &AuthCtx,
+    ) -> TemplateResult<Template> {
         let desc = format!("Getting latest version of template: {}", template_id);
         info!("{}", &desc);
-        let auth_ctx = WithAuth::new(template_id.clone(), auth_ctx.clone());
-
-        let namespace = self
-            .auth_service
-            .is_authorized(Permission::View, &auth_ctx)
-            .await?;
 
         let value = with_retries(
             &desc,
             "template",
             "get_latest",
             &self.retry_config,
-            &(self.uri.clone(), template_id.clone()),
-            |(uri, id)| {
+            &(self.uri.clone(), template_id.clone(), metadata.clone()),
+            |(uri, id, metadata)| {
                 Box::pin(async move {
                     let mut client = TemplateServiceClient::connect(uri.as_http_02()).await?;
                     let request = GetLatestTemplateRequest {
                         template_id: Some(id.clone().into()),
                     };
+                    let request = with_metadata(request, metadata.clone());
 
                     let response = client
                         .get_latest_template_metadata(request)
@@ -128,32 +108,25 @@ where
         )
         .await?;
 
-        Ok(WithNamespace { namespace, value })
+        Ok(value)
     }
 
     async fn get_by_version(
         &self,
         template_id: &TemplateId,
         version: i32,
-        auth_ctx: &AuthCtx,
-    ) -> TemplateResult<Template, Namespace> {
+        metadata: &AuthCtx,
+    ) -> TemplateResult<Template> {
         let desc = format!("Getting template: {}", template_id);
         info!("{}", &desc);
 
-        let auth_ctx = WithAuth::new(template_id.clone(), auth_ctx.clone());
-
-        let namespace = self
-            .auth_service
-            .is_authorized(Permission::View, &auth_ctx)
-            .await?;
-
         let value = with_retries(
             &desc,
             "template",
             "get_template",
             &self.retry_config,
-            &(self.uri.clone(), template_id.clone()),
-            |(uri, id)| {
+            &(self.uri.clone(), template_id.clone(), metadata.clone()),
+            |(uri, id, metadata)| {
                 Box::pin(async move {
                     let mut client = TemplateServiceClient::connect(uri.as_http_02()).await?;
                     let request = GetVersionedTemplateRequest {
@@ -161,6 +134,8 @@ where
                         version,
                     };
 
+                    let request = with_metadata(request, metadata.clone());
+
                     let response = client.get_template_metadata(request).await?.into_inner();
 
                     match response.result {
@@ -196,7 +171,7 @@ where
         )
         .await?;
 
-        Ok(WithNamespace { value, namespace })
+        Ok(value)
     }
 }
 
@@ -206,3 +181,26 @@ fn is_retriable(error: &TemplateServiceError) -> bool {
         _ => false,
     }
 }
+
+#[derive(Clone, Debug)]
+pub struct TemplateServiceNoop {}
+
+#[async_trait]
+impl<AuthCtx> TemplateService<AuthCtx> for TemplateServiceNoop {
+    async fn get_by_version(
+        &self,
+        _template_id: &TemplateId,
+        _version: i32,
+        _auth_ctx: &AuthCtx,
+    ) -> TemplateResult<Template> {
+        Err(TemplateServiceError::internal("Not implemented"))
+    }
+
+    async fn get_latest(
+        &self,
+        _template_id: &TemplateId,
+        _auth_ctx: &AuthCtx,
+    ) -> TemplateResult<Template> {
+        Err(TemplateServiceError::internal("Not implemented"))
+    }
+}
diff --git a/golem-worker-service-base/src/service/worker/default.rs b/golem-worker-service-base/src/service/worker/default.rs
index 289eec47b..11f37032a 100644
--- a/golem-worker-service-base/src/service/worker/default.rs
+++ b/golem-worker-service-base/src/service/worker/default.rs
@@ -2,7 +2,6 @@ use std::future::Future;
 use std::pin::Pin;
 use std::{collections::HashMap, sync::Arc, time::Duration};
 
-use crate::auth::{EmptyAuthCtx, HasMetadata};
 use crate::service::template::TemplateService;
 use golem_api_grpc::proto::golem::workerexecutor::worker_executor_client::WorkerExecutorClient;
 use golem_api_grpc::proto::golem::workerexecutor::{
@@ -13,16 +12,14 @@ use golem_api_grpc::proto::golem::workerexecutor::{
 
 use async_trait::async_trait;
 use golem_api_grpc::proto::golem::worker::InvokeResult as ProtoInvokeResult;
-use golem_common::model::{CallingConvention, InvocationKey, TemplateId};
+use golem_common::model::{AccountId, CallingConvention, InvocationKey, TemplateId};
 use golem_service_base::model::{
-    GolemErrorUnknown, PromiseId, VersionedWorkerId, WorkerId, WorkerMetadata,
+    GolemErrorUnknown, PromiseId, ResourceLimits, VersionedWorkerId, WorkerId, WorkerMetadata,
 };
-use golem_service_base::service::auth::{WithAuth, WithNamespace};
 use golem_service_base::typechecker::{TypeCheckIn, TypeCheckOut};
 use golem_service_base::{
     model::{GolemError, GolemErrorInvalidShardId, GolemErrorRuntimeError, Template},
     routing_table::{RoutingTableError, RoutingTableService},
-    service::auth::{AuthService, Permission},
     worker_executor_clients::WorkerExecutorClients,
 };
 use golem_wasm_ast::analysis::AnalysedFunctionResult;
@@ -34,15 +31,15 @@ use tracing::{debug, info};
 
 use super::{ConnectWorkerStream, WorkerServiceError};
 
-pub type WorkerResult<T, Namespace> = Result<WithNamespace<T, Namespace>, WorkerServiceError>;
+pub type WorkerResult<T> = Result<T, WorkerServiceError>;
 
 #[async_trait]
-pub trait WorkerService<AuthCtx, Namespace> {
+pub trait WorkerService<AuthCtx> {
     async fn get_by_id(
         &self,
         worker_id: &WorkerId,
         auth_ctx: &AuthCtx,
-    ) -> WorkerResult<VersionedWorkerId, Namespace>;
+    ) -> WorkerResult<VersionedWorkerId>;
 
     async fn create(
         &self,
@@ -50,23 +47,24 @@ pub trait WorkerService<AuthCtx, Namespace> {
         template_version: i32,
         arguments: Vec<String>,
         environment_variables: HashMap<String, String>,
+        metadata: WorkerRequestMetadata,
         auth_ctx: &AuthCtx,
-    ) -> WorkerResult<VersionedWorkerId, Namespace>;
+    ) -> WorkerResult<VersionedWorkerId>;
 
     async fn connect(
         &self,
         worker_id: &WorkerId,
+        metadata: WorkerRequestMetadata,
         auth_ctx: &AuthCtx,
-    ) -> WorkerResult<ConnectWorkerStream, Namespace>;
+    ) -> WorkerResult<ConnectWorkerStream>;
 
-    async fn delete(&self, worker_id: &WorkerId, auth_ctx: &AuthCtx)
-        -> WorkerResult<(), Namespace>;
+    async fn delete(&self, worker_id: &WorkerId, auth_ctx: &AuthCtx) -> WorkerResult<()>;
 
     async fn get_invocation_key(
         &self,
         worker_id: &WorkerId,
         auth_ctx: &AuthCtx,
-    ) -> WorkerResult<InvocationKey, Namespace>;
+    ) -> WorkerResult<InvocationKey>;
 
     async fn invoke_and_await_function(
         &self,
@@ -75,8 +73,9 @@ pub trait WorkerService<AuthCtx, Namespace> {
         invocation_key: &InvocationKey,
         params: Value,
         calling_convention: &CallingConvention,
+        metadata: WorkerRequestMetadata,
         auth_ctx: &AuthCtx,
-    ) -> WorkerResult<Value, Namespace>;
+    ) -> WorkerResult<Value>;
 
     async fn invoke_and_await_function_proto(
         &self,
@@ -85,24 +84,27 @@ pub trait WorkerService<AuthCtx, Namespace> {
         invocation_key: &InvocationKey,
         params: Vec<ProtoVal>,
         calling_convention: &CallingConvention,
+        metadata: WorkerRequestMetadata,
         auth_ctx: &AuthCtx,
-    ) -> WorkerResult<ProtoInvokeResult, Namespace>;
+    ) -> WorkerResult<ProtoInvokeResult>;
 
     async fn invoke_function(
         &self,
         worker_id: &WorkerId,
         function_name: String,
         params: Value,
+        metadata: WorkerRequestMetadata,
         auth_ctx: &AuthCtx,
-    ) -> WorkerResult<(), Namespace>;
+    ) -> WorkerResult<()>;
 
     async fn invoke_fn_proto(
         &self,
         worker_id: &WorkerId,
         function_name: String,
         params: Vec<ProtoVal>,
+        metadata: WorkerRequestMetadata,
         auth_ctx: &AuthCtx,
-    ) -> WorkerResult<(), Namespace>;
+    ) -> WorkerResult<()>;
 
     async fn complete_promise(
         &self,
@@ -110,50 +112,44 @@ pub trait WorkerService<AuthCtx, Namespace> {
         oplog_id: u64,
         data: Vec<u8>,
         auth_ctx: &AuthCtx,
-    ) -> WorkerResult<bool, Namespace>;
+    ) -> WorkerResult<bool>;
 
     async fn interrupt(
         &self,
         worker_id: &WorkerId,
         recover_immediately: bool,
         auth_ctx: &AuthCtx,
-    ) -> WorkerResult<(), Namespace>;
+    ) -> WorkerResult<()>;
 
     async fn get_metadata(
         &self,
         worker_id: &WorkerId,
         auth_ctx: &AuthCtx,
-    ) -> WorkerResult<WorkerMetadata, Namespace>;
+    ) -> WorkerResult<WorkerMetadata>;
 
-    async fn resume(&self, worker_id: &WorkerId, auth_ctx: &AuthCtx)
-        -> WorkerResult<(), Namespace>;
+    async fn resume(&self, worker_id: &WorkerId, auth_ctx: &AuthCtx) -> WorkerResult<()>;
+}
+
+#[derive(Clone, Debug)]
+pub struct WorkerRequestMetadata {
+    pub account_id: Option<AccountId>,
+    pub limits: Option<ResourceLimits>,
 }
 
 #[derive(Clone)]
-pub struct WorkerServiceDefault<AuthCtx, WorkerNamespace, TemplateNamespace> {
-    auth_service: InnerAuthService<AuthCtx, WorkerNamespace>,
+pub struct WorkerServiceDefault<AuthCtx> {
     worker_executor_clients: Arc<dyn WorkerExecutorClients + Send + Sync>,
-    template_service: Arc<dyn TemplateService<AuthCtx, TemplateNamespace> + Send + Sync>,
+    template_service: Arc<dyn TemplateService<AuthCtx> + Send + Sync>,
     routing_table_service: Arc<dyn RoutingTableService + Send + Sync>,
 }
 
-type InnerAuthService<AuthCtx, Namespace> =
-    Arc<dyn AuthService<WithAuth<TemplateId, AuthCtx>, Namespace> + Send + Sync>;
-
-impl<AuthCtx, WorkerNamespace, TemplateNamespace>
-    WorkerServiceDefault<AuthCtx, WorkerNamespace, TemplateNamespace>
-where
-    AuthCtx: Send + Sync,
-    WorkerNamespace: HasMetadata + Send + Sync,
-{
+impl<AuthCtx> WorkerServiceDefault<AuthCtx> {
     pub fn new(
-        auth_service: InnerAuthService<AuthCtx, WorkerNamespace>,
         worker_executor_clients: Arc<dyn WorkerExecutorClients + Send + Sync>,
-        template_service: Arc<dyn TemplateService<AuthCtx, TemplateNamespace> + Send + Sync>,
+        template_service: Arc<dyn TemplateService<AuthCtx> + Send + Sync>,
         routing_table_service: Arc<dyn RoutingTableService + Send + Sync>,
     ) -> Self {
         Self {
-            auth_service,
             worker_executor_clients,
             template_service,
             routing_table_service,
@@ -162,31 +158,19 @@ where
 }
 
 #[async_trait]
-impl<AuthCtx, WorkerNamespace, TemplateNamespace> WorkerService<AuthCtx, WorkerNamespace>
-    for WorkerServiceDefault<AuthCtx, WorkerNamespace, TemplateNamespace>
+impl<AuthCtx> WorkerService<AuthCtx> for WorkerServiceDefault<AuthCtx>
 where
-    AuthCtx: Clone + Send + Sync,
-    WorkerNamespace: HasMetadata + Send + Sync,
+    AuthCtx: Send + Sync,
 {
     async fn get_by_id(
         &self,
         worker_id: &WorkerId,
-        auth_ctx: &AuthCtx,
-    ) -> WorkerResult<VersionedWorkerId, WorkerNamespace> {
-        let auth_ctx = WithAuth::new(worker_id.template_id.clone(), auth_ctx.clone());
-
-        let namespace = self
-            .auth_service
-            .is_authorized(Permission::View, &auth_ctx)
-            .await?;
-
-        Ok(WithNamespace::new(
-            VersionedWorkerId {
-                worker_id: worker_id.clone(),
-                template_version_used: 0,
-            },
-            namespace,
-        ))
+        _auth_ctx: &AuthCtx,
+    ) -> WorkerResult<VersionedWorkerId> {
+        Ok(VersionedWorkerId {
+            worker_id: worker_id.clone(),
+            template_version_used: 0,
+        })
     }
 
     async fn create(
@@ -195,16 +179,9 @@ where
         template_version: i32,
         arguments: Vec<String>,
         environment_variables: HashMap<String, String>,
-        auth_ctx: &AuthCtx,
-    ) -> WorkerResult<VersionedWorkerId, WorkerNamespace> {
-        let auth_ctx = WithAuth::new(worker_id.template_id.clone(), auth_ctx.clone());
-        let namespace = self
-            .auth_service
-            .is_authorized(Permission::Create, &auth_ctx)
-            .await?;
-
-        let metadata = namespace.get_metadata();
-
+        metadata: WorkerRequestMetadata,
+        _auth_ctx: &AuthCtx,
+    ) -> WorkerResult<VersionedWorkerId> {
         self.retry_on_invalid_shard_id(
             &worker_id.clone(),
             &(worker_id.clone(), template_version, arguments, environment_variables, metadata),
@@ -218,7 +195,7 @@ where
                                 args: args.clone(),
                                 env: env.clone(),
                                 account_id: metadata.account_id.clone().map(|id| id.into()),
-                                account_limits: metadata.limits.clone(),
+                                account_limits: metadata.limits.clone().map(|id| id.into()),
                             }
                         )
                         .await
@@ -249,21 +226,15 @@ where
             template_version_used: template_version,
         };
 
-        Ok(WithNamespace::new(worker_id, namespace))
+        Ok(worker_id)
     }
 
     async fn connect(
         &self,
         worker_id: &WorkerId,
-        auth_ctx: &AuthCtx,
-    ) -> WorkerResult<ConnectWorkerStream, WorkerNamespace> {
-        let auth_ctx = WithAuth::new(worker_id.template_id.clone(), auth_ctx.clone());
-        let namespace = self
-            .auth_service
-            .is_authorized(Permission::View, &auth_ctx)
-            .await?;
-
-        let metadata = namespace.get_metadata();
+        metadata: WorkerRequestMetadata,
+        _auth_ctx: &AuthCtx,
+    ) -> WorkerResult<ConnectWorkerStream> {
         let stream = self
             .retry_on_invalid_shard_id(
                 worker_id,
@@ -274,7 +245,7 @@ where
                             .connect_worker(ConnectWorkerRequest {
                                 worker_id: Some(worker_id.clone().into()),
                                 account_id: metadata.account_id.clone().map(|id| id.into()),
-                                account_limits: metadata.limits.clone(),
+                                account_limits: metadata.limits.clone().map(|id| id.into()),
                             })
                             .await
                         {
@@ -300,20 +271,10 @@ where
             )
             .await?;
 
-        Ok(WithNamespace::new(stream, namespace))
+        Ok(stream)
     }
 
-    async fn delete(
-        &self,
-        worker_id: &WorkerId,
-        auth_ctx: &AuthCtx,
-    ) -> WorkerResult<(), WorkerNamespace> {
-        let auth_ctx = WithAuth::new(worker_id.template_id.clone(), auth_ctx.clone());
-        let namespace = self
-            .auth_service
-            .is_authorized(Permission::Delete, &auth_ctx)
-            .await?;
-
+    async fn delete(&self, worker_id: &WorkerId, _auth_ctx: &AuthCtx) -> WorkerResult<()> {
         self.retry_on_invalid_shard_id(
                 worker_id,
                 worker_id,
@@ -347,20 +308,14 @@ where
             )
             .await?;
 
-        Ok(WithNamespace::new((), namespace))
+        Ok(())
     }
 
     async fn get_invocation_key(
         &self,
         worker_id: &WorkerId,
-        auth_ctx: &AuthCtx,
-    ) -> WorkerResult<InvocationKey, WorkerNamespace> {
-        let auth_ctx = WithAuth::new(worker_id.template_id.clone(), auth_ctx.clone());
-        let namespace = self
-            .auth_service
-            .is_authorized(Permission::Create, &auth_ctx)
-            .await?;
-
+        _auth_ctx: &AuthCtx,
+    ) -> WorkerResult<InvocationKey> {
         let invocation_key = self
                 .retry_on_invalid_shard_id(worker_id, worker_id, |worker_executor_client, worker_id| {
                     Box::pin(async move {
@@ -396,7 +351,8 @@ where
                     })
                 })
                 .await?;
-        Ok(WithNamespace::new(invocation_key, namespace))
+
+        Ok(invocation_key)
     }
 
     async fn invoke_and_await_function(
@@ -406,8 +362,9 @@ where
         invocation_key: &InvocationKey,
         params: Value,
         calling_convention: &CallingConvention,
+        metadata: WorkerRequestMetadata,
         auth_ctx: &AuthCtx,
-    ) -> WorkerResult<Value, WorkerNamespace> {
+    ) -> WorkerResult<Value> {
         let template_details = self
             .try_get_template_for_worker(worker_id, auth_ctx)
             .await?;
@@ -428,16 +385,14 @@ where
                 calling_convention.clone(),
             )
             .map_err(|err| WorkerServiceError::TypeChecker(err.join(", ")))?;
-        let WithNamespace {
-            value: results_val,
-            namespace,
-        } = self
+        let results_val = self
             .invoke_and_await_function_proto(
                 worker_id,
                 function_name,
                 invocation_key,
                 params_val,
                 calling_convention,
+                metadata,
                 auth_ctx,
             )
             .await?;
@@ -453,7 +408,7 @@ where
             .validate_function_result(function_results, calling_convention.clone())
             .map_err(|err| WorkerServiceError::TypeChecker(err.join(", ")))?;
 
-        Ok(WithNamespace::new(invoke_response_json, namespace))
+        Ok(invoke_response_json)
     }
 
     async fn invoke_and_await_function_proto(
@@ -463,17 +418,9 @@ where
         invocation_key: &InvocationKey,
         params: Vec<ProtoVal>,
         calling_convention: &CallingConvention,
+        metadata: WorkerRequestMetadata,
         auth_ctx: &AuthCtx,
-    ) -> WorkerResult<ProtoInvokeResult, WorkerNamespace> {
-        let namespace = self
-            .auth_service
-            .is_authorized(
-                Permission::Create,
-                &WithAuth::new(worker_id.template_id.clone(), auth_ctx.clone()),
-            )
-            .await?;
-
-        let metadata = namespace.get_metadata();
+    ) -> WorkerResult<ProtoInvokeResult> {
         let template_details = self
             .try_get_template_for_worker(worker_id, auth_ctx)
             .await?;
@@ -507,7 +454,7 @@ where
                             invocation_key: Some(invocation_key.clone().into()),
                             calling_convention: calling_convention.clone().into(),
                             account_id: metadata.account_id.clone().map(|id| id.into()),
-                            account_limits: metadata.limits.clone(),
+                            account_limits: metadata.limits.clone().map(|id| id.into()),
                         }
                     ).await.map_err(|err| {
                         GolemError::RuntimeError(GolemErrorRuntimeError {
@@ -536,7 +483,8 @@ where
                 })
             },
         ).await?;
-        Ok(WithNamespace::new(invoke_response, namespace))
+
+        Ok(invoke_response)
     }
 
     async fn invoke_function(
@@ -544,17 +492,9 @@ where
         worker_id: &WorkerId,
         function_name: String,
         params: Value,
+        metadata: WorkerRequestMetadata,
         auth_ctx: &AuthCtx,
-    ) -> WorkerResult<(), WorkerNamespace> {
-        let namespace = self
-            .auth_service
-            .is_authorized(
-                Permission::Create,
-                &WithAuth::new(worker_id.template_id.clone(), auth_ctx.clone()),
-            )
-            .await?;
-        let _ = namespace.get_metadata();
-
+    ) -> WorkerResult<()> {
         let template_details = self
             .try_get_template_for_worker(worker_id, auth_ctx)
             .await?;
@@ -574,10 +514,16 @@ where
                 CallingConvention::Component,
             )
             .map_err(|err| WorkerServiceError::TypeChecker(err.join(", ")))?;
-        self.invoke_fn_proto(worker_id, function_name.clone(), params_val, auth_ctx)
-            .await?;
+        self.invoke_fn_proto(
+            worker_id,
+            function_name.clone(),
+            params_val,
+            metadata,
+            auth_ctx,
+        )
+        .await?;
 
-        Ok(WithNamespace::new((), namespace))
+        Ok(())
     }
 
     async fn invoke_fn_proto(
@@ -585,17 +531,9 @@ where
         worker_id: &WorkerId,
         function_name: String,
         params: Vec<ProtoVal>,
+        metadata: WorkerRequestMetadata,
         auth_ctx: &AuthCtx,
-    ) -> WorkerResult<(), WorkerNamespace> {
-        let namespace = self
-            .auth_service
-            .is_authorized(
-                Permission::Create,
-                &WithAuth::new(worker_id.template_id.clone(), auth_ctx.clone()),
-            )
-            .await?;
-        let _ = namespace.get_metadata();
-
+    ) -> WorkerResult<()> {
         let template_details = self
             .try_get_template_for_worker(worker_id, auth_ctx)
             .await?;
@@ -616,8 +554,6 @@ where
             )
             .map_err(|err| WorkerServiceError::TypeChecker(err.join(", ")))?;
 
-        let metadata = namespace.get_metadata();
-
         self.retry_on_invalid_shard_id(
             worker_id,
             &(
@@ -635,7 +571,7 @@ where
                             name: function_name.clone(),
                             input: params_val.clone(),
                             account_id: metadata.account_id.clone().map(|id| id.into()),
-                            account_limits: metadata.limits.clone(),
+                            account_limits: metadata.limits.clone().map(|id| id.into()),
                         })
                         .await
                         .map_err(|err| {
@@ -660,7 +596,7 @@ where
             },
         )
             .await?;
-        Ok(WithNamespace::new((), namespace))
+        Ok(())
     }
 
     async fn complete_promise(
@@ -668,17 +604,8 @@ where
         worker_id: &WorkerId,
         oplog_id: u64,
         data: Vec<u8>,
-        auth_ctx: &AuthCtx,
-    ) -> WorkerResult<bool, WorkerNamespace> {
-        let namespace = self
-            .auth_service
-            .is_authorized(
-                Permission::Create,
-                &WithAuth::new(worker_id.template_id.clone(), auth_ctx.clone()),
-            )
-            .await?;
-        let _ = namespace.get_metadata();
-
+        _auth_ctx: &AuthCtx,
+    ) -> WorkerResult<bool> {
         let promise_id = PromiseId {
             worker_id: worker_id.clone(),
             oplog_idx: oplog_id,
@@ -724,23 +651,15 @@ where
                 },
             )
             .await?;
-        Ok(WithNamespace::new(result, namespace))
+        Ok(result)
     }
 
     async fn interrupt(
         &self,
         worker_id: &WorkerId,
         recover_immediately: bool,
-        auth_ctx: &AuthCtx,
-    ) -> WorkerResult<(), WorkerNamespace> {
-        let namespace = self
-            .auth_service
-            .is_authorized(
-                Permission::Update,
-                &WithAuth::new(worker_id.template_id.clone(), auth_ctx.clone()),
-            )
-            .await?;
-
+        _auth_ctx: &AuthCtx,
+    ) -> WorkerResult<()> {
         self.retry_on_invalid_shard_id(
             worker_id,
             worker_id,
@@ -774,22 +693,14 @@ where
             },
         ).await?;
 
-        Ok(WithNamespace::new((), namespace))
+        Ok(())
     }
 
     async fn get_metadata(
         &self,
         worker_id: &WorkerId,
-        auth_ctx: &AuthCtx,
-    ) -> WorkerResult<WorkerMetadata, WorkerNamespace> {
-        let namespace = self
-            .auth_service
-            .is_authorized(
-                Permission::View,
-                &WithAuth::new(worker_id.template_id.clone(), auth_ctx.clone()),
-            )
-            .await?;
-
+        _auth_ctx: &AuthCtx,
+    ) -> WorkerResult<WorkerMetadata> {
         let metadata = self.retry_on_invalid_shard_id(
             worker_id,
             worker_id,
@@ -821,22 +732,10 @@ where
             },
         ).await?;
 
-        Ok(WithNamespace::new(metadata, namespace))
+        Ok(metadata)
     }
 
-    async fn resume(
-        &self,
-        worker_id: &WorkerId,
-        auth_ctx: &AuthCtx,
-    ) -> WorkerResult<(), WorkerNamespace> {
-        let namespace = self
-            .auth_service
-            .is_authorized(
-                Permission::Update,
-                &WithAuth::new(worker_id.template_id.clone(), auth_ctx.clone()),
-            )
-            .await?;
-
+    async fn resume(&self, worker_id: &WorkerId, _auth_ctx: &AuthCtx) -> WorkerResult<()> {
         self.retry_on_invalid_shard_id(
             worker_id,
             worker_id,
@@ -869,15 +768,13 @@ where
             },
         )
         .await?;
-        Ok(WithNamespace::new((), namespace))
+        Ok(())
     }
 }
 
-impl<AuthCtx, WorkerNamespace, TemplateNamespace>
-    WorkerServiceDefault<AuthCtx, WorkerNamespace, TemplateNamespace>
+impl<AuthCtx> WorkerServiceDefault<AuthCtx>
 where
-    AuthCtx: Clone + Send + Sync,
-    WorkerNamespace: HasMetadata + Send + Sync,
+    AuthCtx: Send + Sync,
 {
     async fn try_get_template_for_worker(
         &self,
@@ -885,27 +782,23 @@ where
         auth_ctx: &AuthCtx,
     ) -> Result<Template, WorkerServiceError> {
         match self.get_metadata(worker_id, auth_ctx).await {
-            Ok(result) => {
-                let metadata = result.value;
+            Ok(metadata) => {
                 let template_version = metadata.template_version;
                 let template_details = self
                     .template_service
                     .get_by_version(&worker_id.template_id, template_version, auth_ctx)
-                    .await?
-                    .value;
+                    .await?;
 
                 Ok(template_details)
             }
             Err(WorkerServiceError::WorkerNotFound(_)) => Ok(self
                 .template_service
                 .get_latest(&worker_id.template_id, auth_ctx)
-                .await?
-                .value),
+                .await?),
             Err(WorkerServiceError::Golem(GolemError::WorkerNotFound(_))) => Ok(self
                 .template_service
                 .get_latest(&worker_id.template_id, auth_ctx)
-                .await?
-                .value),
+                .await?),
             Err(other) => Err(other),
         }
     }
@@ -1019,159 +912,148 @@ enum GetWorkerExecutorClientError {
     FailedToConnectToPod(String),
 }
 
-#[derive(Default)]
-pub struct WorkerServiceNoOp<Namespace> {
-    pub namespace: Namespace,
+#[derive(Clone, Debug)]
+pub struct WorkerServiceNoOp {
+    pub metadata: WorkerRequestMetadata,
 }
 
 #[async_trait]
-impl<Namespace> WorkerService<EmptyAuthCtx, Namespace> for WorkerServiceNoOp<Namespace>
+impl<AuthCtx> WorkerService<AuthCtx> for WorkerServiceNoOp
 where
-    Namespace: Clone + Send + Sync,
+    AuthCtx: Send + Sync,
 {
     async fn get_by_id(
         &self,
-        worker_id: &WorkerId,
-        _: &EmptyAuthCtx,
-    ) -> WorkerResult<VersionedWorkerId, Namespace> {
-        Ok(WithNamespace::new(
-            VersionedWorkerId {
-                worker_id: worker_id.clone(),
-                template_version_used: 0,
-            },
-            self.namespace.clone(),
-        ))
+        _worker_id: &WorkerId,
+        _auth_ctx: &AuthCtx,
+    ) -> WorkerResult<VersionedWorkerId> {
+        Ok(VersionedWorkerId {
+            worker_id: WorkerId::new(TemplateId::new_v4(), "no-op".to_string()).unwrap(),
+            template_version_used: 0,
+        })
     }
 
     async fn create(
         &self,
-        worker_id: &WorkerId,
-        _: i32,
-        _: Vec<String>,
-        _: HashMap<String, String>,
-        _: &EmptyAuthCtx,
-    ) -> WorkerResult<VersionedWorkerId, Namespace> {
-        Ok(WithNamespace::new(
-            VersionedWorkerId {
-                worker_id: worker_id.clone(),
-                template_version_used: 0,
-            },
-            self.namespace.clone(),
-        ))
+        _worker_id: &WorkerId,
+        _template_version: i32,
+        _arguments: Vec<String>,
+        _environment_variables: HashMap<String, String>,
+        _metadata: WorkerRequestMetadata,
+        _auth_ctx: &AuthCtx,
+    ) -> WorkerResult<VersionedWorkerId> {
+        Ok(VersionedWorkerId {
+            worker_id: WorkerId::new(TemplateId::new_v4(), "no-op".to_string()).unwrap(),
+            template_version_used: 0,
+        })
     }
 
     async fn connect(
         &self,
-        _: &WorkerId,
-        _: &EmptyAuthCtx,
-    ) -> WorkerResult<ConnectWorkerStream, Namespace> {
+        _worker_id: &WorkerId,
+        _metadata: WorkerRequestMetadata,
+        _auth_ctx: &AuthCtx,
+    ) -> WorkerResult<ConnectWorkerStream> {
         Err(WorkerServiceError::Internal(anyhow::Error::msg(
             "Not supported",
         )))
     }
 
-    async fn delete(&self, _: &WorkerId, _: &EmptyAuthCtx) -> WorkerResult<(), Namespace> {
-        Ok(WithNamespace::new((), self.namespace.clone()))
+    async fn delete(&self, _worker_id: &WorkerId, _auth_ctx: &AuthCtx) -> WorkerResult<()> {
+        Ok(())
     }
 
     async fn get_invocation_key(
         &self,
-        _: &WorkerId,
-        _: &EmptyAuthCtx,
-    ) -> WorkerResult<InvocationKey, Namespace> {
-        Ok(WithNamespace::new(
-            InvocationKey {
-                value: "".to_string(),
-            },
-            self.namespace.clone(),
-        ))
+        _worker_id: &WorkerId,
+        _auth_ctx: &AuthCtx,
+    ) -> WorkerResult<InvocationKey> {
+        Ok(InvocationKey::new("no-op".to_string()))
     }
 
     async fn invoke_and_await_function(
         &self,
-        _: &WorkerId,
-        _: String,
-        _: &InvocationKey,
-        _: Value,
-        _: &CallingConvention,
-        _: &EmptyAuthCtx,
-    ) -> WorkerResult<Value, Namespace> {
-        Ok(WithNamespace::new(Value::Null, self.namespace.clone()))
+        _worker_id: &WorkerId,
+        _function_name: String,
+        _invocation_key: &InvocationKey,
+        _params: Value,
+        _calling_convention: &CallingConvention,
+        _metadata: WorkerRequestMetadata,
+        _auth_ctx: &AuthCtx,
+    ) -> WorkerResult<Value> {
+        Ok(Value::default())
     }
 
     async fn invoke_and_await_function_proto(
         &self,
-        _: &WorkerId,
-        _: String,
-        _: &InvocationKey,
-        _: Vec<ProtoVal>,
-        _: &CallingConvention,
-        _: &EmptyAuthCtx,
-    ) -> WorkerResult<ProtoInvokeResult, Namespace> {
-        Ok(WithNamespace::new(
-            ProtoInvokeResult { result: vec![] },
-            self.namespace.clone(),
-        ))
+        _worker_id: &WorkerId,
+        _function_name: String,
+        _invocation_key: &InvocationKey,
+        _params: Vec<ProtoVal>,
+        _calling_convention: &CallingConvention,
+        _metadata: WorkerRequestMetadata,
+        _auth_ctx: &AuthCtx,
+    ) -> WorkerResult<ProtoInvokeResult> {
+        Ok(ProtoInvokeResult::default())
     }
 
     async fn invoke_function(
         &self,
-        _: &WorkerId,
-        _: String,
-        _: Value,
-        _: &EmptyAuthCtx,
-    ) -> WorkerResult<(), Namespace> {
-        Ok(WithNamespace::new((), self.namespace.clone()))
+        _worker_id: &WorkerId,
+        _function_name: String,
+        _params: Value,
+        _metadata: WorkerRequestMetadata,
+        _auth_ctx: &AuthCtx,
+    ) -> WorkerResult<()> {
+        Ok(())
     }
 
     async fn invoke_fn_proto(
         &self,
-        _: &WorkerId,
-        _: String,
-        _: Vec<ProtoVal>,
-        _: &EmptyAuthCtx,
-    ) -> WorkerResult<(), Namespace> {
-        Ok(WithNamespace::new((), self.namespace.clone()))
+        _worker_id: &WorkerId,
+        _function_name: String,
+        _params: Vec<ProtoVal>,
+        _metadata: WorkerRequestMetadata,
+        _auth_ctx: &AuthCtx,
+    ) -> WorkerResult<()> {
+        Ok(())
     }
 
     async fn complete_promise(
         &self,
-        _: &WorkerId,
-        _: u64,
-        _: Vec<u8>,
-        _: &EmptyAuthCtx,
-    ) -> WorkerResult<bool, Namespace> {
-        Ok(WithNamespace::new(true, self.namespace.clone()))
+        _worker_id: &WorkerId,
+        _oplog_id: u64,
+        _data: Vec<u8>,
+        _auth_ctx: &AuthCtx,
+    ) -> WorkerResult<bool> {
+        Ok(true)
     }
 
     async fn interrupt(
         &self,
-        _: &WorkerId,
-        _: bool,
-        _: &EmptyAuthCtx,
-    ) -> WorkerResult<(), Namespace> {
-        Ok(WithNamespace::new((), self.namespace.clone()))
+        _worker_id: &WorkerId,
+        _recover_immediately: bool,
+        _auth_ctx: &AuthCtx,
+    ) -> WorkerResult<()> {
+        Ok(())
     }
 
     async fn get_metadata(
         &self,
         worker_id: &WorkerId,
-        _: &EmptyAuthCtx,
-    ) -> WorkerResult<WorkerMetadata, Namespace> {
-        Ok(WithNamespace::new(
-            WorkerMetadata {
-                worker_id: worker_id.clone(),
-                args: vec![],
-                env: Default::default(),
-                status: golem_common::model::WorkerStatus::Running,
-                template_version: 0,
-                retry_count: 0,
-            },
-            self.namespace.clone(),
-        ))
+        _auth_ctx: &AuthCtx,
+    ) -> WorkerResult<WorkerMetadata> {
+        Ok(WorkerMetadata {
+            worker_id: worker_id.clone(),
+            args: vec![],
+            env: Default::default(),
+            status: golem_common::model::WorkerStatus::Running,
+            template_version: 0,
+            retry_count: 0,
+        })
     }
 
-    async fn resume(&self, _: &WorkerId, _: &EmptyAuthCtx) -> WorkerResult<(), Namespace> {
-        Ok(WithNamespace::new((), self.namespace.clone()))
+    async fn resume(&self, _worker_id: &WorkerId, _auth_ctx: &AuthCtx) -> WorkerResult<()> {
+        Ok(())
     }
 }
diff --git a/golem-worker-service/src/api/mod.rs b/golem-worker-service/src/api/mod.rs
index 859655d2c..bdd4a7e59 100644
--- a/golem-worker-service/src/api/mod.rs
+++ b/golem-worker-service/src/api/mod.rs
@@ -58,7 +58,6 @@ pub fn make_open_api_service(services: &Services) -> OpenApiService<ApiServices,
             },
             register_api_definition_api::RegisterApiDefinitionApi::new(
                 services.definition_service.clone(),
-                services.auth_service.clone(),
             ),
             healthcheck::HealthcheckApi,
         ),
diff --git a/golem-worker-service/src/api/register_api_definition_api.rs b/golem-worker-service/src/api/register_api_definition_api.rs
index 0743a99ad..e06dc4aed 100644
--- a/golem-worker-service/src/api/register_api_definition_api.rs
+++ b/golem-worker-service/src/api/register_api_definition_api.rs
@@ -1,7 +1,6 @@
 use std::result::Result;
 use std::sync::Arc;
 
-use golem_service_base::service::auth::AuthService;
 use poem_openapi::param::Query;
 use poem_openapi::payload::Json;
 use poem_openapi::*;
@@ -17,23 +16,15 @@ use golem_worker_service_base::oas_worker_bridge::*;
 use golem_worker_service_base::service::api_definition::ApiDefinitionService;
 
 pub struct RegisterApiDefinitionApi {
-    pub definition_service:
-        Arc<dyn ApiDefinitionService<EmptyAuthCtx, CommonNamespace> + Sync + Send>,
-    pub auth_service: Arc<dyn AuthService<EmptyAuthCtx, CommonNamespace> + Sync + Send>,
+    pub definition_service: DefinitionService,
 }
 
+type DefinitionService = Arc<dyn ApiDefinitionService<EmptyAuthCtx, CommonNamespace> + Sync + Send>;
+
 #[OpenApi(prefix_path = "/v1/api/definitions", tag = ApiTags::ApiDefinition)]
 impl RegisterApiDefinitionApi {
-    pub fn new(
-        definition_service: Arc<
-            dyn ApiDefinitionService<EmptyAuthCtx, CommonNamespace> + Sync + Send,
-        >,
-        auth_service: Arc<dyn AuthService<EmptyAuthCtx, CommonNamespace> + Sync + Send>,
-    ) -> Self {
-        Self {
-            definition_service,
-            auth_service,
-        }
+    pub fn new(definition_service: DefinitionService) -> Self {
+        Self { definition_service }
     }
 
     #[oai(path = "/oas", method = "put")]
@@ -91,9 +82,13 @@ impl RegisterApiDefinitionApi {
 
         let data = self
             .definition_service
-            .get(&api_definition_id, &api_version, EmptyAuthCtx {})
-            .await?
-            .value;
+            .get(
+                &api_definition_id,
+                &api_version,
+                CommonNamespace::default(),
+                &EmptyAuthCtx {},
+            )
+            .await?;
 
         let values: Vec<ApiDefinition> = match data {
             Some(d) => {
@@ -119,9 +114,13 @@ impl RegisterApiDefinitionApi {
 
         let deleted = self
             .definition_service
-            .delete(&api_definition_id, &api_definition_version, EmptyAuthCtx {})
-            .await?
-            .value;
+            .delete(
+                &api_definition_id,
+                &api_definition_version,
+                CommonNamespace::default(),
+                &EmptyAuthCtx {},
+            )
+            .await?;
 
         if deleted.is_some() {
             Ok(Json("API definition deleted".to_string()))
@@ -134,9 +133,8 @@ impl RegisterApiDefinitionApi {
     async fn get_all(&self) -> Result<Json<Vec<ApiDefinition>>, ApiEndpointError> {
         let data = self
             .definition_service
-            .get_all(EmptyAuthCtx {})
-            .await?
-            .value;
+            .get_all(CommonNamespace::default(), &EmptyAuthCtx {})
+            .await?;
 
         let values = data
             .into_iter()
@@ -154,7 +152,7 @@ impl RegisterApiDefinitionApi {
         definition: &api_definition::ApiDefinition,
     ) -> Result<(), ApiEndpointError> {
         self.definition_service
-            .register(definition, EmptyAuthCtx {})
+            .register(definition, CommonNamespace::default(), &EmptyAuthCtx {})
             .await
             .map_err(|e| {
                 error!("API definition id: {} - register error: {e}", definition.id,);
@@ -167,32 +165,26 @@ impl RegisterApiDefinitionApi {
 
 #[cfg(test)]
 mod test {
-    use golem_worker_service_base::auth::AuthServiceNoop;
     use golem_worker_service_base::service::api_definition_validator::ApiDefinitionValidatorNoop;
-    use golem_worker_service_base::service::template::TemplateService;
+    use golem_worker_service_base::service::template::TemplateServiceNoop;
     use poem::test::TestClient;
 
     use golem_worker_service_base::api_definition_repo::InMemoryRegistry;
     use golem_worker_service_base::service::api_definition::RegisterApiDefinitionDefault;
 
-    use crate::service::template::TemplateServiceNoop;
+    use crate::service::template::TemplateService;
 
     use super::*;
 
     fn make_route() -> poem::Route {
-        let template_service: Arc<dyn TemplateService<EmptyAuthCtx, ()> + Send + Sync> =
-            Arc::new(TemplateServiceNoop {});
+        let template_service: TemplateService = Arc::new(TemplateServiceNoop {});
         let definition_service = RegisterApiDefinitionDefault::new(
             template_service,
-            Arc::new(AuthServiceNoop {}),
             Arc::new(InMemoryRegistry::default()),
             Arc::new(ApiDefinitionValidatorNoop {}),
         );
 
-        let endpoint = RegisterApiDefinitionApi::new(
-            Arc::new(definition_service),
-            Arc::new(AuthServiceNoop {}),
-        );
+        let endpoint = RegisterApiDefinitionApi::new(Arc::new(definition_service));
 
         poem::Route::new().nest("", OpenApiService::new(endpoint, "test", "1.0"))
     }
diff --git a/golem-worker-service/src/api/worker.rs b/golem-worker-service/src/api/worker.rs
index 3d12af53d..0793da5a3 100644
--- a/golem-worker-service/src/api/worker.rs
+++ b/golem-worker-service/src/api/worker.rs
@@ -11,6 +11,7 @@ use tap::TapFallible;
 use golem_service_base::model::*;
 use golem_worker_service_base::api::error::WorkerApiBaseError;
 
+use crate::empty_worker_metadata;
 use crate::service::{template::TemplateService, worker::WorkerService};
 
 pub struct WorkerApi {
@@ -32,8 +33,7 @@ impl WorkerApi {
         let worker = self
             .worker_service
             .get_by_id(&worker_id, &EmptyAuthCtx {})
-            .await?
-            .value;
+            .await?;
 
         Ok(Json(worker))
     }
@@ -61,8 +61,7 @@ impl WorkerApi {
                         &template_id, error
                     ),
                 }))
-            })?
-            .value;
+            })?;
 
         let WorkerCreationRequest { name, args, env } = request.0;
 
@@ -74,10 +73,10 @@ impl WorkerApi {
                 latest_template.versioned_template_id.version,
                 args,
                 env,
+                empty_worker_metadata(),
                 &EmptyAuthCtx {},
             )
-            .await?
-            .value;
+            .await?;
 
         Ok(Json(worker))
     }
@@ -116,8 +115,7 @@ impl WorkerApi {
         let invocation_key = self
             .worker_service
             .get_invocation_key(&worker_id, &EmptyAuthCtx {})
-            .await?
-            .value;
+            .await?;
 
         Ok(Json(invocation_key))
     }
@@ -150,10 +148,10 @@ impl WorkerApi {
                 },
                 params.0.params,
                 &calling_convention,
+                empty_worker_metadata(),
                 &EmptyAuthCtx {},
             )
-            .await?
-            .value;
+            .await?;
 
         Ok(Json(InvokeResult { result }))
     }
@@ -173,7 +171,13 @@ impl WorkerApi {
         let worker_id = make_worker_id(template_id.0, worker_name.0)?;
 
         self.worker_service
-            .invoke_function(&worker_id, function.0, params.0.params, &EmptyAuthCtx {})
+            .invoke_function(
+                &worker_id,
+                function.0,
+                params.0.params,
+                empty_worker_metadata(),
+                &EmptyAuthCtx {},
+            )
             .await?;
 
         Ok(Json(InvokeResponse {}))
@@ -196,8 +200,7 @@ impl WorkerApi {
         let result = self
             .worker_service
             .complete_promise(&worker_id, oplog_idx, data, &EmptyAuthCtx {})
-            .await?
-            .value;
+            .await?;
 
         Ok(Json(result))
     }
@@ -240,8 +243,7 @@ impl WorkerApi {
         let result = self
             .worker_service
             .get_metadata(&worker_id, &EmptyAuthCtx {})
-            .await?
-            .value;
+            .await?;
 
         Ok(Json(result))
     }
diff --git a/golem-worker-service/src/api/worker_connect.rs b/golem-worker-service/src/api/worker_connect.rs
index 48ba91a9b..6d9b5a0ce 100644
--- a/golem-worker-service/src/api/worker_connect.rs
+++ b/golem-worker-service/src/api/worker_connect.rs
@@ -23,6 +23,7 @@ use poem::web::websocket::WebSocket;
 use poem::web::Data;
 use poem::*;
 
+use crate::empty_worker_metadata;
 use crate::service::worker::WorkerService;
 
 #[derive(Clone)]
@@ -81,10 +82,9 @@ async fn get_worker_stream(
 
     let worker_stream = service
         .worker_service
-        .connect(&worker_id, &EmptyAuthCtx {})
+        .connect(&worker_id, empty_worker_metadata(), &EmptyAuthCtx {})
         .await
-        .map_err(|e| (http::StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?
-        .value;
+        .map_err(|e| (http::StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
 
     Ok((worker_id, worker_stream))
 }
diff --git a/golem-worker-service/src/grpcapi/worker.rs b/golem-worker-service/src/grpcapi/worker.rs
index f08c81169..43f0352d7 100644
--- a/golem-worker-service/src/grpcapi/worker.rs
+++ b/golem-worker-service/src/grpcapi/worker.rs
@@ -35,6 +35,7 @@ use golem_worker_service_base::service::worker::ConnectWorkerStream;
 use tap::TapFallible;
 use tonic::{Request, Response, Status};
 
+use crate::empty_worker_metadata;
 use crate::service::template::TemplateService;
 use crate::service::worker::WorkerService;
 
@@ -264,8 +265,7 @@ impl WorkerGrpcApi {
                 error: Some(worker_error::Error::NotFound(ErrorBody {
                     error: format!("Template not found: {}", &template_id),
                 })),
-            })?
-            .value;
+            })?;
 
         let worker_id = make_worker_id(template_id, request.name)?;
 
@@ -276,10 +276,10 @@ impl WorkerGrpcApi {
                 latest_template_version.versioned_template_id.version,
                 request.args,
                 request.env,
+                empty_worker_metadata(),
                 &EmptyAuthCtx {},
             )
-            .await?
-            .value;
+            .await?;
 
         Ok(worker.into())
     }
@@ -312,8 +312,7 @@ impl WorkerGrpcApi {
                 parameters.data,
                 &EmptyAuthCtx {},
             )
-            .await?
-            .value;
+            .await?;
 
         Ok(result)
     }
@@ -327,8 +326,7 @@ impl WorkerGrpcApi {
         let metadata = self
             .worker_service
             .get_metadata(&worker_id, &EmptyAuthCtx {})
-            .await?
-            .value;
+            .await?;
 
         Ok(metadata.into())
     }
@@ -355,8 +353,7 @@ impl WorkerGrpcApi {
         let invocation_key = self
             .worker_service
             .get_invocation_key(&worker_id, &EmptyAuthCtx {})
-            .await?
-            .value;
+            .await?;
 
         Ok(invocation_key.into())
     }
@@ -373,6 +370,7 @@ impl WorkerGrpcApi {
                 &worker_id,
                 request.function,
                 params.params,
+                empty_worker_metadata(),
                 &EmptyAuthCtx {},
             )
             .await?;
@@ -407,10 +405,10 @@ impl WorkerGrpcApi {
                 &invocation_key.into(),
                 params.params,
                 &calling_convention,
+                empty_worker_metadata(),
                 &EmptyAuthCtx {},
             )
-            .await?
-            .value;
+            .await?;
 
         Ok(result)
     }
@@ -433,7 +431,13 @@ impl WorkerGrpcApi {
                 .map_err(|e| bad_request_error(format!("Error parsing invoke parameters: {e}")))?;
 
         self.worker_service
-            .invoke_function(&worker_id, request.function, params, &EmptyAuthCtx {})
+            .invoke_function(
+                &worker_id,
+                request.function,
+                params,
+                empty_worker_metadata(),
+                &EmptyAuthCtx {},
+            )
             .await?;
 
         Ok(())
@@ -466,10 +470,10 @@ impl WorkerGrpcApi {
                 &invocation_key.into(),
                 params,
                 &calling_convention,
+                empty_worker_metadata(),
                 &EmptyAuthCtx {},
             )
-            .await?
-            .value;
+            .await?;
 
         Ok(result)
     }
@@ -481,9 +485,8 @@ impl WorkerGrpcApi {
         let worker_id = make_crate_worker_id(request.worker_id)?;
         let stream = self
             .worker_service
-            .connect(&worker_id, &EmptyAuthCtx {})
-            .await?
-            .value;
+            .connect(&worker_id, empty_worker_metadata(), &EmptyAuthCtx {})
+            .await?;
 
         Ok(stream)
     }
diff --git a/golem-worker-service/src/lib.rs b/golem-worker-service/src/lib.rs
index 13e6f01e5..e19d156a0 100644
--- a/golem-worker-service/src/lib.rs
+++ b/golem-worker-service/src/lib.rs
@@ -1,5 +1,16 @@
+use golem_worker_service_base::service::worker::WorkerRequestMetadata;
+
 pub mod api;
 pub mod config;
 pub mod grpcapi;
 pub mod service;
 pub mod worker_request_to_http_response;
+
+fn empty_worker_metadata() -> WorkerRequestMetadata {
+    WorkerRequestMetadata {
+        account_id: Some(golem_common::model::AccountId {
+            value: "-1".to_string(),
+        }),
+        limits: None,
+    }
+}
diff --git a/golem-worker-service/src/service/mod.rs b/golem-worker-service/src/service/mod.rs
index 503a80214..e20a8ece6 100644
--- a/golem-worker-service/src/service/mod.rs
+++ b/golem-worker-service/src/service/mod.rs
@@ -3,7 +3,6 @@ pub mod worker;
 
 use crate::worker_request_to_http_response::WorkerRequestToHttpResponse;
 use async_trait::async_trait;
-use golem_service_base::service::auth::AuthService;
 use golem_worker_service_base::api_definition::{
     ApiDefinition, ApiDefinitionId, ResponseMapping, Version,
 };
@@ -11,7 +10,7 @@ use golem_worker_service_base::api_definition_repo::{
     ApiDefinitionRepo, InMemoryRegistry, RedisApiRegistry,
 };
 use golem_worker_service_base::app_config::WorkerServiceBaseConfig;
-use golem_worker_service_base::auth::{AuthServiceNoop, CommonNamespace, EmptyAuthCtx};
+use golem_worker_service_base::auth::{CommonNamespace, EmptyAuthCtx};
 use golem_worker_service_base::http_request::InputHttpRequest;
 use golem_worker_service_base::oas_worker_bridge::{
     GOLEM_API_DEFINITION_ID_EXTENSION, GOLEM_API_DEFINITION_VERSION,
@@ -25,16 +24,16 @@ use golem_worker_service_base::service::api_definition_validator::{
 use golem_worker_service_base::service::http_request_definition_lookup::{
     ApiDefinitionLookupError, HttpRequestDefinitionLookup,
 };
-use golem_worker_service_base::service::template::TemplateServiceDefault;
-use golem_worker_service_base::service::worker::{WorkerServiceDefault, WorkerServiceNoOp};
+use golem_worker_service_base::service::template::{RemoteTemplateService, TemplateServiceNoop};
+use golem_worker_service_base::service::worker::{
+    WorkerRequestMetadata, WorkerServiceDefault, WorkerServiceNoOp,
+};
 use golem_worker_service_base::worker_request_to_response::WorkerRequestToResponse;
 use http::HeaderMap;
 use poem::Response;
 use std::sync::Arc;
 use tracing::error;
 
-use self::template::TemplateServiceNoop;
-
 #[derive(Clone)]
 pub struct Services {
     pub worker_service: worker::WorkerService,
@@ -44,15 +43,11 @@ pub struct Services {
     pub definition_lookup_service: Arc<dyn HttpRequestDefinitionLookup + Sync + Send>,
     pub worker_to_http_service:
         Arc<dyn WorkerRequestToResponse<ResponseMapping, Response> + Sync + Send>,
-    pub auth_service: Arc<dyn AuthService<EmptyAuthCtx, CommonNamespace> + Sync + Send>,
     pub api_definition_validator_service: Arc<dyn ApiDefinitionValidatorService + Sync + Send>,
 }
 
 impl Services {
     pub async fn new(config: &WorkerServiceBaseConfig) -> Result<Services, String> {
-        let auth_service: Arc<dyn AuthService<EmptyAuthCtx, CommonNamespace> + Sync + Send> =
-            Arc::new(AuthServiceNoop {});
-
         let routing_table_service: Arc<
             dyn golem_service_base::routing_table::RoutingTableService + Send + Sync,
         > = Arc::new(
@@ -75,15 +70,10 @@ impl Services {
             let uri = config.uri();
             let retry_config = config.retries.clone();
 
-            Arc::new(TemplateServiceDefault::new(
-                uri,
-                retry_config,
-                Arc::new(AuthServiceNoop {}),
-            ))
+            Arc::new(RemoteTemplateService::new(uri, retry_config))
         };
 
         let worker_service: worker::WorkerService = Arc::new(WorkerServiceDefault::new(
-            Arc::new(AuthServiceNoop {}),
             worker_executor_grpc_clients.clone(),
             template_service.clone(),
             routing_table_service.clone(),
@@ -110,7 +100,6 @@ impl Services {
             dyn ApiDefinitionService<EmptyAuthCtx, CommonNamespace> + Sync + Send,
         > = Arc::new(RegisterApiDefinitionDefault::new(
             template_service.clone(),
-            auth_service.clone(),
             definition_repo.clone(),
             api_definition_validator_service.clone(),
         ));
@@ -121,7 +110,6 @@ impl Services {
             definition_lookup_service,
             worker_to_http_service,
             template_service,
-            auth_service,
             api_definition_validator_service,
         })
     }
@@ -130,12 +118,12 @@ impl Services {
         let template_service: template::TemplateService = Arc::new(TemplateServiceNoop {});
 
         let worker_service: worker::WorkerService = Arc::new(WorkerServiceNoOp {
-            namespace: CommonNamespace::default(),
+            metadata: WorkerRequestMetadata {
+                account_id: None,
+                limits: None,
+            },
         });
 
-        let auth_service: Arc<dyn AuthService<EmptyAuthCtx, CommonNamespace> + Sync + Send> =
-            Arc::new(AuthServiceNoop {});
-
         let definition_repo: Arc<dyn ApiDefinitionRepo<CommonNamespace> + Sync + Send> =
             Arc::new(InMemoryRegistry::default());
 
@@ -149,7 +137,6 @@ impl Services {
 
         let definition_service = Arc::new(RegisterApiDefinitionDefault::new(
             template_service.clone(),
-            auth_service.clone(),
             Arc::new(InMemoryRegistry::default()),
             api_definition_validator_service.clone(),
         ));
@@ -164,7 +151,6 @@ impl Services {
             definition_lookup_service,
             worker_to_http_service,
             template_service,
-            auth_service,
             api_definition_validator_service,
         }
     }
diff --git a/golem-worker-service/src/service/template.rs b/golem-worker-service/src/service/template.rs
index 96aa85c66..556a3fe3a 100644
--- a/golem-worker-service/src/service/template.rs
+++ b/golem-worker-service/src/service/template.rs
@@ -1,40 +1,6 @@
-use async_trait::async_trait;
+use golem_worker_service_base::auth::EmptyAuthCtx;
 use std::sync::Arc;
 
-use golem_common::model::TemplateId;
-use golem_service_base::model::Template;
-use golem_worker_service_base::{
-    auth::{CommonNamespace, EmptyAuthCtx},
-    service::template::{TemplateResult, TemplateServiceError},
-};
-
 pub type TemplateService = Arc<
-    dyn golem_worker_service_base::service::template::TemplateService<EmptyAuthCtx, CommonNamespace>
-        + Sync
-        + Send,
+    dyn golem_worker_service_base::service::template::TemplateService<EmptyAuthCtx> + Sync + Send,
 >;
-
-pub struct TemplateServiceNoop;
-
-#[async_trait]
-impl<AuthCtx, Namespace>
-    golem_worker_service_base::service::template::TemplateService<AuthCtx, Namespace>
-    for TemplateServiceNoop
-{
-    async fn get_by_version(
-        &self,
-        _template_id: &TemplateId,
-        _version: i32,
-        _auth: &AuthCtx,
-    ) -> TemplateResult<Template, Namespace> {
-        Err(TemplateServiceError::internal("Not implemented"))
-    }
-
-    async fn get_latest(
-        &self,
-        _template_id: &TemplateId,
-        _auth: &AuthCtx,
-    ) -> TemplateResult<Template, Namespace> {
-        Err(TemplateServiceError::internal("Not implemented"))
-    }
-}
diff --git a/golem-worker-service/src/service/worker.rs b/golem-worker-service/src/service/worker.rs
index 02d7a1907..e7e0fd9ff 100644
--- a/golem-worker-service/src/service/worker.rs
+++ b/golem-worker-service/src/service/worker.rs
@@ -1,9 +1,6 @@
 use std::sync::Arc;
 
-use golem_worker_service_base::auth::{CommonNamespace, EmptyAuthCtx};
+use golem_worker_service_base::auth::EmptyAuthCtx;
 
-pub type WorkerService = Arc<
-    dyn golem_worker_service_base::service::worker::WorkerService<EmptyAuthCtx, CommonNamespace>
-        + Sync
-        + Send,
->;
+pub type WorkerService =
+    Arc<dyn golem_worker_service_base::service::worker::WorkerService<EmptyAuthCtx> + Sync + Send>;
diff --git a/golem-worker-service/src/worker_request_to_http_response.rs b/golem-worker-service/src/worker_request_to_http_response.rs
index a9f9de7d0..e6aac0375 100644
--- a/golem-worker-service/src/worker_request_to_http_response.rs
+++ b/golem-worker-service/src/worker_request_to_http_response.rs
@@ -5,7 +5,7 @@ use async_trait::async_trait;
 use golem_common::model::CallingConvention;
 use golem_service_base::model::WorkerId;
 use golem_worker_service_base::api_definition::ResponseMapping;
-use golem_worker_service_base::auth::{CommonNamespace, EmptyAuthCtx};
+use golem_worker_service_base::auth::EmptyAuthCtx;
 use golem_worker_service_base::resolved_variables::ResolvedVariables;
 use golem_worker_service_base::service::worker::WorkerService;
 use golem_worker_service_base::worker_request::WorkerRequest;
@@ -15,14 +15,14 @@ use http::StatusCode;
 use poem::Body;
 use tracing::info;
 
+use crate::empty_worker_metadata;
+
 pub struct WorkerRequestToHttpResponse {
-    pub worker_service: Arc<dyn WorkerService<EmptyAuthCtx, CommonNamespace> + Sync + Send>,
+    pub worker_service: Arc<dyn WorkerService<EmptyAuthCtx> + Sync + Send>,
 }
 
 impl WorkerRequestToHttpResponse {
-    pub fn new(
-        worker_service: Arc<dyn WorkerService<EmptyAuthCtx, CommonNamespace> + Sync + Send>,
-    ) -> Self {
+    pub fn new(worker_service: Arc<dyn WorkerService<EmptyAuthCtx> + Sync + Send>) -> Self {
         Self { worker_service }
     }
 }
@@ -70,8 +70,7 @@ async fn execute(
         .worker_service
         .get_invocation_key(&worker_id, &EmptyAuthCtx {})
         .await
-        .map_err(|e| e.to_string())?
-        .value;
+        .map_err(|e| e.to_string())?;
 
     let invoke_parameters = worker_request_params.function_params;
 
@@ -88,11 +87,11 @@ async fn execute(
             &invocation_key,
             invoke_parameters,
             &CallingConvention::Component,
+            empty_worker_metadata(),
             &EmptyAuthCtx {},
         )
         .await
-        .map_err(|e| e.to_string())?
-        .value;
+        .map_err(|e| e.to_string())?;
 
     Ok(WorkerResponse {
         result: invoke_result,