diff --git a/PROJECT b/PROJECT
index 4776e451..1c1b6fd9 100644
--- a/PROJECT
+++ b/PROJECT
@@ -1,4 +1,4 @@
-domain: authorino.3scale.net
+domain: authorino.kuadrant.io
 layout: go.kubebuilder.io/v2
 projectName: authorino
 repo: github.com/kuadrant/authorino/
diff --git a/api/v1beta1/groupversion_info.go b/api/v1beta1/groupversion_info.go
index 1391ed14..455748f8 100644
--- a/api/v1beta1/groupversion_info.go
+++ b/api/v1beta1/groupversion_info.go
@@ -16,7 +16,7 @@ limitations under the License.
 
 // Package v1beta1 contains API Schema definitions for the config v1beta1 API group
 // +kubebuilder:object:generate=true
-// +groupName=authorino.3scale.net
+// +groupName=authorino.kuadrant.io
 package v1beta1
 
 import (
@@ -26,7 +26,7 @@ import (
 
 var (
 	// GroupVersion is group version used to register these objects
-	GroupVersion = schema.GroupVersion{Group: "authorino.3scale.net", Version: "v1beta1"}
+	GroupVersion = schema.GroupVersion{Group: "authorino.kuadrant.io", Version: "v1beta1"}
 
 	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
 	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
diff --git a/controllers/auth_config_controller.go b/controllers/auth_config_controller.go
index b8867f90..cf5657a5 100644
--- a/controllers/auth_config_controller.go
+++ b/controllers/auth_config_controller.go
@@ -54,7 +54,7 @@ type AuthConfigReconciler struct {
 	LabelSelector labels.Selector
 }
 
-// +kubebuilder:rbac:groups=authorino.3scale.net,resources=authconfigs,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=authorino.kuadrant.io,resources=authconfigs,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=authentication.k8s.io,resources=tokenreviews,verbs=create
 // +kubebuilder:rbac:groups=authorization.k8s.io,resources=subjectaccessreviews,verbs=create
 
diff --git a/controllers/auth_config_controller_test.go b/controllers/auth_config_controller_test.go
index 89c28ddd..9184ebb6 100644
--- a/controllers/auth_config_controller_test.go
+++ b/controllers/auth_config_controller_test.go
@@ -41,7 +41,7 @@ func newTestAuthConfig(authConfigLabels map[string]string) v1beta1.AuthConfig {
 	return v1beta1.AuthConfig{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "AuthConfig",
-			APIVersion: "authorino.3scale.net/v1beta1",
+			APIVersion: "authorino.kuadrant.io/v1beta1",
 		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "auth-config-1",
@@ -211,7 +211,7 @@ func TestMissingWatchedAuthConfigLabels(t *testing.T) {
 	defer mockController.Finish()
 	cacheMock := mock_cache.NewMockCache(mockController)
 
-	authConfig := newTestAuthConfig(map[string]string{"authorino.3scale.net/managed-by": "authorino"})
+	authConfig := newTestAuthConfig(map[string]string{"authorino.kuadrant.io/managed-by": "authorino"})
 	authConfigName := types.NamespacedName{Name: authConfig.Name, Namespace: authConfig.Namespace}
 	secret := newTestOAuthClientSecret()
 	client := newTestK8sClient(&authConfig, &secret)
@@ -232,12 +232,12 @@ func TestMatchingAuthConfigLabels(t *testing.T) {
 	defer mockController.Finish()
 	cacheMock := mock_cache.NewMockCache(mockController)
 
-	authConfig := newTestAuthConfig(map[string]string{"authorino.3scale.net/managed-by": "authorino"})
+	authConfig := newTestAuthConfig(map[string]string{"authorino.kuadrant.io/managed-by": "authorino"})
 	authConfigName := types.NamespacedName{Name: authConfig.Name, Namespace: authConfig.Namespace}
 	secret := newTestOAuthClientSecret()
 	client := newTestK8sClient(&authConfig, &secret)
 	reconciler := newTestAuthConfigReconciler(client, cacheMock)
-	reconciler.LabelSelector = ToLabelSelector("authorino.3scale.net/managed-by=authorino")
+	reconciler.LabelSelector = ToLabelSelector("authorino.kuadrant.io/managed-by=authorino")
 
 	cacheMock.EXPECT().FindKeys(authConfigName.String()).Return([]string{})
 	cacheMock.EXPECT().FindId("echo-api").Return("", false)
@@ -254,12 +254,12 @@ func TestUnmatchingAuthConfigLabels(t *testing.T) {
 	defer mockController.Finish()
 	cacheMock := mock_cache.NewMockCache(mockController)
 
-	authConfig := newTestAuthConfig(map[string]string{"authorino.3scale.net/managed-by": "other"})
+	authConfig := newTestAuthConfig(map[string]string{"authorino.kuadrant.io/managed-by": "other"})
 	authConfigName := types.NamespacedName{Name: authConfig.Name, Namespace: authConfig.Namespace}
 	secret := newTestOAuthClientSecret()
 	client := newTestK8sClient(&authConfig, &secret)
 	reconciler := newTestAuthConfigReconciler(client, cacheMock)
-	reconciler.LabelSelector = ToLabelSelector("authorino.3scale.net/managed-by=authorino")
+	reconciler.LabelSelector = ToLabelSelector("authorino.kuadrant.io/managed-by=authorino")
 
 	cacheMock.EXPECT().FindKeys(authConfigName.String()).Return([]string{})
 	cacheMock.EXPECT().Delete(authConfigName.String())
diff --git a/controllers/auth_config_status_updater.go b/controllers/auth_config_status_updater.go
index 11b95004..0d6445a6 100644
--- a/controllers/auth_config_status_updater.go
+++ b/controllers/auth_config_status_updater.go
@@ -20,7 +20,7 @@ type AuthConfigStatusUpdater struct {
 	LabelSelector labels.Selector
 }
 
-// +kubebuilder:rbac:groups=authorino.3scale.net,resources=authconfigs/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=authorino.kuadrant.io,resources=authconfigs/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;create;update
 
 func (u *AuthConfigStatusUpdater) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
diff --git a/controllers/auth_config_status_updater_test.go b/controllers/auth_config_status_updater_test.go
index bf4062f4..3619fbb1 100644
--- a/controllers/auth_config_status_updater_test.go
+++ b/controllers/auth_config_status_updater_test.go
@@ -19,7 +19,7 @@ func newStatusUpdateAuthConfig(authConfigLabels map[string]string) v1beta1.AuthC
 	return v1beta1.AuthConfig{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "AuthConfig",
-			APIVersion: "authorino.3scale.net/v1beta1",
+			APIVersion: "authorino.kuadrant.io/v1beta1",
 		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "auth-config-1",
@@ -59,7 +59,7 @@ func TestAuthConfigStatusUpdater_Reconcile(t *testing.T) {
 }
 
 func TestAuthConfigStatusUpdater_MissingWatchedAuthConfigLabels(t *testing.T) {
-	authConfig := newTestAuthConfig(map[string]string{"authorino.3scale.net/managed-by": "authorino"})
+	authConfig := newTestAuthConfig(map[string]string{"authorino.kuadrant.io/managed-by": "authorino"})
 	resourceName := types.NamespacedName{Namespace: authConfig.Namespace, Name: authConfig.Name}
 	client := newTestK8sClient(&authConfig)
 	reconciler := newStatusUpdaterReconciler(client)
@@ -75,11 +75,11 @@ func TestAuthConfigStatusUpdater_MissingWatchedAuthConfigLabels(t *testing.T) {
 }
 
 func TestAuthConfigStatusUpdater_MatchingAuthConfigLabels(t *testing.T) {
-	authConfig := newTestAuthConfig(map[string]string{"authorino.3scale.net/managed-by": "authorino"})
+	authConfig := newTestAuthConfig(map[string]string{"authorino.kuadrant.io/managed-by": "authorino"})
 	resourceName := types.NamespacedName{Namespace: authConfig.Namespace, Name: authConfig.Name}
 	client := newTestK8sClient(&authConfig)
 	reconciler := newStatusUpdaterReconciler(client)
-	reconciler.LabelSelector = ToLabelSelector("authorino.3scale.net/managed-by=authorino")
+	reconciler.LabelSelector = ToLabelSelector("authorino.kuadrant.io/managed-by=authorino")
 
 	result, err := reconciler.Reconcile(context.Background(), controllerruntime.Request{NamespacedName: resourceName})
 
@@ -92,11 +92,11 @@ func TestAuthConfigStatusUpdater_MatchingAuthConfigLabels(t *testing.T) {
 }
 
 func TestAuthConfigStatusUpdater_UnmatchingAuthConfigLabels(t *testing.T) {
-	authConfig := newTestAuthConfig(map[string]string{"authorino.3scale.net/managed-by": "other"})
+	authConfig := newTestAuthConfig(map[string]string{"authorino.kuadrant.io/managed-by": "other"})
 	resourceName := types.NamespacedName{Namespace: authConfig.Namespace, Name: authConfig.Name}
 	client := newTestK8sClient(&authConfig)
 	reconciler := newStatusUpdaterReconciler(client)
-	reconciler.LabelSelector = ToLabelSelector("authorino.3scale.net/managed-by=authorino")
+	reconciler.LabelSelector = ToLabelSelector("authorino.kuadrant.io/managed-by=authorino")
 
 	result, err := reconciler.Reconcile(context.Background(), controllerruntime.Request{NamespacedName: resourceName})
 
diff --git a/controllers/label_selector_test.go b/controllers/label_selector_test.go
index 1d853fac..4f61438c 100644
--- a/controllers/label_selector_test.go
+++ b/controllers/label_selector_test.go
@@ -82,36 +82,36 @@ func TestToLabelSelector(t *testing.T) {
 	reqs, _ = selector.Requirements()
 	assert.Equal(t, len(reqs), 0)
 	assert.Check(t, selector.Matches(labels.Set{}))
-	assert.Check(t, selector.Matches(labels.Set{"authorino.3scale.net/managed-by": "authorino"}))
+	assert.Check(t, selector.Matches(labels.Set{"authorino.kuadrant.io/managed-by": "authorino"}))
 
-	selector = ToLabelSelector("authorino.3scale.net/managed-by=authorino")
+	selector = ToLabelSelector("authorino.kuadrant.io/managed-by=authorino")
 	reqs, _ = selector.Requirements()
 	assert.Equal(t, len(reqs), 1)
-	assert.Check(t, selector.Matches(labels.Set{"authorino.3scale.net/managed-by": "authorino"}))
+	assert.Check(t, selector.Matches(labels.Set{"authorino.kuadrant.io/managed-by": "authorino"}))
 
-	selector = ToLabelSelector("authorino.3scale.net/managed-by!=authorino")
+	selector = ToLabelSelector("authorino.kuadrant.io/managed-by!=authorino")
 	reqs, _ = selector.Requirements()
 	assert.Equal(t, len(reqs), 1)
-	assert.Check(t, !selector.Matches(labels.Set{"authorino.3scale.net/managed-by": "authorino"}))
+	assert.Check(t, !selector.Matches(labels.Set{"authorino.kuadrant.io/managed-by": "authorino"}))
 
-	selector = ToLabelSelector("!authorino.3scale.net/managed-by")
+	selector = ToLabelSelector("!authorino.kuadrant.io/managed-by")
 	reqs, _ = selector.Requirements()
 	assert.Equal(t, len(reqs), 1)
-	assert.Check(t, !selector.Matches(labels.Set{"authorino.3scale.net/managed-by": "authorino"}))
+	assert.Check(t, !selector.Matches(labels.Set{"authorino.kuadrant.io/managed-by": "authorino"}))
 
-	selector = ToLabelSelector("authorino.3scale.net/managed-by=authorino,other-label=other-value")
+	selector = ToLabelSelector("authorino.kuadrant.io/managed-by=authorino,other-label=other-value")
 	reqs, _ = selector.Requirements()
 	assert.Equal(t, len(reqs), 2)
 	assert.Check(t, selector.Matches(labels.Set{
-		"authorino.3scale.net/managed-by": "authorino",
-		"other-label":                     "other-value",
+		"authorino.kuadrant.io/managed-by": "authorino",
+		"other-label":                      "other-value",
 	}))
 
-	selector = ToLabelSelector("authorino.3scale.net/managed-by in (authorino,kuadrant)")
+	selector = ToLabelSelector("authorino.kuadrant.io/managed-by in (authorino,kuadrant)")
 	reqs, _ = selector.Requirements()
 	assert.Equal(t, len(reqs), 1)
-	assert.Check(t, selector.Matches(labels.Set{"authorino.3scale.net/managed-by": "authorino"}))
-	assert.Check(t, selector.Matches(labels.Set{"authorino.3scale.net/managed-by": "kuadrant"}))
+	assert.Check(t, selector.Matches(labels.Set{"authorino.kuadrant.io/managed-by": "authorino"}))
+	assert.Check(t, selector.Matches(labels.Set{"authorino.kuadrant.io/managed-by": "kuadrant"}))
 
 	selector = ToLabelSelector("inval*id-lab?el")
 	reqs, _ = selector.Requirements()
diff --git a/controllers/secret_controller_test.go b/controllers/secret_controller_test.go
index fc1f8976..f96e7dd4 100644
--- a/controllers/secret_controller_test.go
+++ b/controllers/secret_controller_test.go
@@ -74,7 +74,7 @@ func newSecretReconcilerTest(secretLabels map[string]string) secretReconcilerTes
 	authConfig := v1beta1.AuthConfig{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "AuthConfig",
-			APIVersion: "authorino.3scale.net/v1beta1",
+			APIVersion: "authorino.kuadrant.io/v1beta1",
 		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "auth-config-1",
@@ -87,8 +87,8 @@ func newSecretReconcilerTest(secretLabels map[string]string) secretReconcilerTes
 					Name: "friends",
 					APIKey: &v1beta1.Identity_APIKey{
 						LabelSelectors: map[string]string{
-							"authorino.3scale.net/managed-by": "authorino",
-							"target":                          "echo-api",
+							"authorino.kuadrant.io/managed-by": "authorino",
+							"target":                           "echo-api",
 						},
 					},
 				},
@@ -115,7 +115,7 @@ func newSecretReconcilerTest(secretLabels map[string]string) secretReconcilerTes
 		Client:               client,
 		Logger:               log.WithName("test").WithName("secretreconciler"),
 		Scheme:               nil,
-		LabelSelector:        ToLabelSelector("authorino.3scale.net/managed-by=authorino"),
+		LabelSelector:        ToLabelSelector("authorino.kuadrant.io/managed-by=authorino"),
 		AuthConfigReconciler: authConfigReconciler,
 	}
 
@@ -140,7 +140,7 @@ func (t *secretReconcilerTest) reconcile() (reconcile.Result, error) {
 
 func TestSetupSecretReconcilerWithManager(t *testing.T) {
 	reconcilerTest := newSecretReconcilerTest(map[string]string{
-		"authorino.3scale.net/managed-by": "authorino",
+		"authorino.kuadrant.io/managed-by": "authorino",
 	})
 	secretReconciler := reconcilerTest.secretReconciler
 
@@ -162,7 +162,7 @@ func TestSetupSecretReconcilerWithManager(t *testing.T) {
 func TestMissingWatchedSecretLabels(t *testing.T) {
 	// secret missing the authorino "managed-by" label
 	reconcilerTest := newSecretReconcilerTest(map[string]string{
-		"authorino.3scale.net/managed-by": "authorino",
+		"authorino.kuadrant.io/managed-by": "authorino",
 	})
 
 	_, err := reconcilerTest.reconcile()
@@ -174,8 +174,8 @@ func TestMissingWatchedSecretLabels(t *testing.T) {
 func TestMatchingSecretLabels(t *testing.T) {
 	// secret with the authorino "managed-by" label and the same labels as specified in the auth config
 	reconcilerTest := newSecretReconcilerTest(map[string]string{
-		"authorino.3scale.net/managed-by": "authorino",
-		"target":                          "echo-api",
+		"authorino.kuadrant.io/managed-by": "authorino",
+		"target":                           "echo-api",
 	})
 
 	_, err := reconcilerTest.reconcile()
@@ -190,7 +190,7 @@ func TestMatchingSecretLabels(t *testing.T) {
 func TestUnmatchingSecretLabels(t *testing.T) {
 	// secret with the authorino "managed-by" label but not the same labels as specified in the auth config
 	reconcilerTest := newSecretReconcilerTest(map[string]string{
-		"authorino.3scale.net/managed-by": "authorino",
+		"authorino.kuadrant.io/managed-by": "authorino",
 	})
 
 	_, err := reconcilerTest.reconcile()
diff --git a/docs/architecture.md b/docs/architecture.md
index c5d331b9..5a942a97 100644
--- a/docs/architecture.md
+++ b/docs/architecture.md
@@ -91,7 +91,7 @@ The desired protection for a service is declaratively stated by applying an `Aut
 An `AuthConfig` resource typically looks like the following:
 
 ```yaml
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   name: my-api-protection
@@ -140,7 +140,7 @@ spec:
     unauthorized: {…}
 ```
 
-Check out the [OAS](/install/crd/authorino.3scale.net_authconfigs.yaml) of the `AuthConfig` CRD for a formal specification of the options for `identity` verification, external `metadata` fetching, `authorization` policies, and dynamic `response`, as well as any other host protection capability implemented by Authorino.
+Check out the [OAS](/install/crd/authorino.kuadrant.io_authconfigs.yaml) of the `AuthConfig` CRD for a formal specification of the options for `identity` verification, external `metadata` fetching, `authorization` policies, and dynamic `response`, as well as any other host protection capability implemented by Authorino.
 
 You can also read the specification from the CLI using the [`kubectl explain`](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#explain) command. The Authorino CRD is required to have been installed in Kubernetes cluster. E.g. `kubectl explain authconfigs.spec.identity.extendedProperties`.
 
@@ -162,7 +162,7 @@ The status of an `AuthConfig` tells whether the resource is "ready" (i.e. cached
 
 Apart from watching events related to `AuthConfig` custom resources, Authorino also watches events related to Kubernetes `Secret`s, as part of Authorino's [API key authentication](./features.md#api-key-identityapikey) feature. `Secret` resources that store API keys are linked-cached to their corresponding `AuthConfig`s. Whenever the Authorino instance detects a change in the set of API key `Secret`s linked to an `AuthConfig`s, the instance reconciles the cache.
 
-Authorino only watches events related to `Secret`s whose `metadata.labels` match the label selector `SECRET_LABEL_SELECTOR` of the Authorino instance. The default values of the label selector for Kubernetes `Secret`s representing Authorino API keys is `authorino.3scale.net/managed-by=authorino`.
+Authorino only watches events related to `Secret`s whose `metadata.labels` match the label selector `SECRET_LABEL_SELECTOR` of the Authorino instance. The default values of the label selector for Kubernetes `Secret`s representing Authorino API keys is `authorino.kuadrant.io/managed-by=authorino`.
 
 ## The "Auth Pipeline" (_aka:_ enforcing protection in request-time)
 
@@ -317,10 +317,10 @@ Authorino's custom controllers filter the `AuthConfig`-related events to be reco
 The following are all valid examples of `AuthConfig` label selector filters:
 
 ```
-AUTH_CONFIG_LABEL_SELECTOR="authorino.3scale.net/managed-by=authorino"
-AUTH_CONFIG_LABEL_SELECTOR="authorino.3scale.net/managed-by=authorino,other-label=other-value"
-AUTH_CONFIG_LABEL_SELECTOR="authorino.3scale.net/managed-by in (authorino,kuadrant)"
-AUTH_CONFIG_LABEL_SELECTOR="authorino.3scale.net/managed-by!=authorino-v0.4"
+AUTH_CONFIG_LABEL_SELECTOR="authorino.kuadrant.io/managed-by=authorino"
+AUTH_CONFIG_LABEL_SELECTOR="authorino.kuadrant.io/managed-by=authorino,other-label=other-value"
+AUTH_CONFIG_LABEL_SELECTOR="authorino.kuadrant.io/managed-by in (authorino,kuadrant)"
+AUTH_CONFIG_LABEL_SELECTOR="authorino.kuadrant.io/managed-by!=authorino-v0.4"
 AUTH_CONFIG_LABEL_SELECTOR="!disabled"
 ```
 
diff --git a/docs/features.md b/docs/features.md
index 34aa03fe..1130dc0c 100644
--- a/docs/features.md
+++ b/docs/features.md
@@ -42,7 +42,7 @@ Most features of Authorino relate to the different phases of the [Auth Pipeline]
 
 At a deeper level, a _feature_ can also be an additional funcionality within a bigger feature, usually applicable to the whole class the bigger feature belongs to. For instance, the configuration of the location and key selector of [auth credentials](#extra-auth-credentials-credentials), available for all identity verification-related features. Other examples would be [_Identity extension_](#extra-identity-extension-extendedproperties) and [_Response wrappers_](#extra-response-wrappers-wrapper-and-wrapperkey).
 
-A full specification of all features of Authorino that can be configured in an `AuthConfig` can be found in the official [spec](../install/crd/authorino.3scale.net_authconfigs.yaml) of the custom resource definition.
+A full specification of all features of Authorino that can be configured in an `AuthConfig` can be found in the official [spec](../install/crd/authorino.kuadrant.io_authconfigs.yaml) of the custom resource definition.
 
 You can also learn about Authorino features by using the [`kubectl explain`](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#explain) command in a Kubernetes cluster where the Authorino CRD has been installed. E.g. `kubectl explain authconfigs.spec.identity.extendedProperties`.
 
@@ -107,14 +107,14 @@ _JSON paths_ can be interpolated into strings to build template-like dynamic val
 
 Authorino relies on Kubernetes `Secret` resources to represent API keys. To define an API key, create a `Secret` in the cluster containing an `api_key` entry that holds the value of the API key.
 
-The resource must include a label that matches Authorino's bootstrap configuration `SECRET_LABEL_SELECTOR` (default: `authorino.3scale.net/managed-by=authorino`), otherwise changes related to the resource will be ignored by the reconciler.
+The resource must include a label that matches Authorino's bootstrap configuration `SECRET_LABEL_SELECTOR` (default: `authorino.kuadrant.io/managed-by=authorino`), otherwise changes related to the resource will be ignored by the reconciler.
 
 The resource must be labeled with the same labels specified in `spec.identity.apiKey.labelSelectors` in the `AuthConfig` custom resource. For example:
 
 For the following `AuthConfig` CR:
 
 ```yaml
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   name: my-api-protection
@@ -136,7 +136,7 @@ kind: Secret
 metadata:
   name: user-1-api-key-1
   labels:
-    authorino.3scale.net/managed-by: authorino # required, so the Authorino controller reconciles events related to this secret
+    authorino.kuadrant.io/managed-by: authorino # required, so the Authorino controller reconciles events related to this secret
     group: friends
 stringData:
   api_key: <some-randomly-generated-api-key-value>
@@ -156,7 +156,7 @@ The list of `audiences` of the token must include the requested host and port of
 For the following `AuthConfig` CR, the Kubernetes token must include the audience `my-api.io`:
 
 ```yaml
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   name: my-api-protection
@@ -171,7 +171,7 @@ spec:
 Whereas for the following `AuthConfig` CR, the Kubernetes token audiences must include **foo** and **bar**:
 
 ```yaml
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   name: my-api-protection
@@ -397,7 +397,7 @@ User-defined dynamic JSON objects generated by Authorino in the response phase,
 The following Authorino `AuthConfig` custom resource is an example that defines 3 dynamic JSON response items, where two items are returned to the client, stringified, in added HTTP headers, and the third is wrapped as Envoy Dynamic Metadata("emitted", in Envoy terminology). Envoy proxy can be configured to "pipe" dynamic metadata emitted by one filter into another filter – for example, from external authorization to rate limit.
 
 ```yaml
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   namespace: my-namespace
@@ -409,7 +409,7 @@ spec:
     - name: edge
       apiKey:
         labelSelectors:
-          authorino.3scale.net/managed-by: authorino
+          authorino.kuadrant.io/managed-by: authorino
       credentials:
         in: authorization_header
         keySelector: APIKEY
@@ -452,7 +452,7 @@ Festival Wristbands are signed OpenID Connect JSON Web Tokens (JWTs) issued by A
 The Authorino `AuthConfig` custom resource below sets an API protection that issues a wristband after a successful authentication via API key. Apart from standard JWT claims, the wristband contains 2 custom claims: a static value `aud=internal` and a dynamic value `born` that fetches from the authorization JSON the date/time of creation of the secret that represents the API key used to authenticate.
 
 ```yaml
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   namespace: my-namespace
@@ -464,7 +464,7 @@ spec:
     - name: edge
       apiKey:
         labelSelectors:
-          authorino.3scale.net/managed-by: authorino
+          authorino.kuadrant.io/managed-by: authorino
       credentials:
         in: authorization_header
         keySelector: APIKEY
@@ -552,7 +552,7 @@ Priorities can be set using the `priority` property available in all evaluator c
 Consider the following example to understand how priorities work:
 
 ```yaml
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   name: talker-api-protection
diff --git a/docs/getting-started.md b/docs/getting-started.md
index 91f0b865..799f27ef 100644
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -323,7 +323,7 @@ For a OpenID Connect/JWT verification authentication and one JWT claim authoriza
 
 ```yaml
 kubectl -n myapp apply -f -<<EOF
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   name: my-api-protection
diff --git a/docs/user-guides/api-key-authentication.md b/docs/user-guides/api-key-authentication.md
index 5e3d713a..5025809b 100644
--- a/docs/user-guides/api-key-authentication.md
+++ b/docs/user-guides/api-key-authentication.md
@@ -89,7 +89,7 @@ kubectl -n authorino port-forward deployment/envoy 8000:8000 &
 
 ```sh
 kubectl -n authorino apply -f -<<EOF
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   name: talker-api-protection
@@ -116,7 +116,7 @@ kind: Secret
 metadata:
   name: api-key-1
   labels:
-    authorino.3scale.net/managed-by: authorino
+    authorino.kuadrant.io/managed-by: authorino
     group: friends
 stringData:
   api_key: ndyBzreUzF4zqDQsqSPMHkRhriEOtcRx
diff --git a/docs/user-guides/authenticated-rate-limiting-envoy-dynamic-metadata.md b/docs/user-guides/authenticated-rate-limiting-envoy-dynamic-metadata.md
index a84b5b2c..0d935a8c 100644
--- a/docs/user-guides/authenticated-rate-limiting-envoy-dynamic-metadata.md
+++ b/docs/user-guides/authenticated-rate-limiting-envoy-dynamic-metadata.md
@@ -101,7 +101,7 @@ kubectl -n authorino port-forward deployment/envoy 8000:8000 &
 
 ```sh
 kubectl -n authorino apply -f -<<EOF
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   name: talker-api-protection
@@ -143,7 +143,7 @@ kind: Secret
 metadata:
   name: api-key-1
   labels:
-    authorino.3scale.net/managed-by: authorino
+    authorino.kuadrant.io/managed-by: authorino
     group: friends
   annotations:
     auth-data/username: john
@@ -162,7 +162,7 @@ kind: Secret
 metadata:
   name: api-key-2
   labels:
-    authorino.3scale.net/managed-by: authorino
+    authorino.kuadrant.io/managed-by: authorino
     group: friends
   annotations:
     auth-data/username: jane
diff --git a/docs/user-guides/deny-with-redirect-to-login.md b/docs/user-guides/deny-with-redirect-to-login.md
index 2016bf8b..df6c0021 100644
--- a/docs/user-guides/deny-with-redirect-to-login.md
+++ b/docs/user-guides/deny-with-redirect-to-login.md
@@ -91,7 +91,7 @@ kubectl -n authorino port-forward deployment/envoy 8000:8000 &
 
 ```sh
 kubectl -n authorino apply -f -<<EOF
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   name: matrix-quotes-protection
@@ -134,7 +134,7 @@ kind: Secret
 metadata:
   name: user-credential-1
   labels:
-    authorino.3scale.net/managed-by: authorino
+    authorino.kuadrant.io/managed-by: authorino
     group: users
 stringData:
   api_key: am9objpw # john:p
@@ -202,7 +202,7 @@ kubectl -n authorino set env deployment/matrix-quotes KEYCLOAK_REALM=http://keyc
 
 ```sh
 kubectl -n authorino apply -f -<<EOF
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   name: matrix-quotes-protection
diff --git a/docs/user-guides/edge-authentication-architecture-festival-wristbands.md b/docs/user-guides/edge-authentication-architecture-festival-wristbands.md
index 80d2423d..44c82437 100644
--- a/docs/user-guides/edge-authentication-architecture-festival-wristbands.md
+++ b/docs/user-guides/edge-authentication-architecture-festival-wristbands.md
@@ -136,7 +136,7 @@ Create the config:
 
 ```sh
 kubectl -n edge apply -f -<<EOF
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   name: edge-auth
@@ -147,14 +147,14 @@ spec:
   - name: api-clients
     apiKey:
       labelSelectors:
-        authorino.3scale.net/managed-by: authorino
+        authorino.kuadrant.io/managed-by: authorino
     credentials:
       in: authorization_header
       keySelector: APIKEY
     extendedProperties:
     - name: username
       valueFrom:
-        authJSON: auth.identity.metadata.annotations.authorino\.3scale\.net/username
+        authJSON: auth.identity.metadata.annotations.authorino\.kuadrant\.io/username
   - name: idp-users
     oidc:
       endpoint: http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/kuadrant
@@ -208,7 +208,7 @@ kubectl -n internal port-forward deployment/envoy 8000:8000 &
 
 ```sh
 kubectl -n internal apply -f -<<EOF
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   name: talker-api-protection
@@ -231,10 +231,10 @@ kind: Secret
 metadata:
   name: api-key-1
   labels:
-    authorino.3scale.net/managed-by: authorino
+    authorino.kuadrant.io/managed-by: authorino
   annotations:
-    authorino.3scale.net/username: alice
-    authorino.3scale.net/email: alice@host
+    authorino.kuadrant.io/username: alice
+    authorino.kuadrant.io/email: alice@host
 stringData:
   api_key: ndyBzreUzF4zqDQsqSPMHkRhriEOtcRx
 type: Opaque
diff --git a/docs/user-guides/external-metadata.md b/docs/user-guides/external-metadata.md
index 9a7634b3..be2701b6 100644
--- a/docs/user-guides/external-metadata.md
+++ b/docs/user-guides/external-metadata.md
@@ -97,7 +97,7 @@ The implementation relies on the [`X-Forwarded-For`](https://datatracker.ietf.or
 
 ```sh
 kubectl -n authorino apply -f -<<EOF
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   name: talker-api-protection
@@ -145,7 +145,7 @@ kind: Secret
 metadata:
   name: api-key-1
   labels:
-    authorino.3scale.net/managed-by: authorino
+    authorino.kuadrant.io/managed-by: authorino
     group: friends
 stringData:
   api_key: ndyBzreUzF4zqDQsqSPMHkRhriEOtcRx
diff --git a/docs/user-guides/hello-world.md b/docs/user-guides/hello-world.md
index 45aac52b..7f9ec0ee 100644
--- a/docs/user-guides/hello-world.md
+++ b/docs/user-guides/hello-world.md
@@ -82,7 +82,7 @@ Authorino does not know about the `talker-api-authorino.127.0.0.1.nip.io` host,
 
 ```sh
 kubectl -n hello-world apply -f https://raw.githubusercontent.com/kuadrant/authorino-examples/main/hello-world/authconfig.yaml
-# authconfig.authorino.3scale.net/talker-api-protection created
+# authconfig.authorino.kuadrant.io/talker-api-protection created
 ```
 
 ## 8. Consume the API without credentials
diff --git a/docs/user-guides/http-basic-authentication.md b/docs/user-guides/http-basic-authentication.md
index e8cfd1ed..40d7401b 100644
--- a/docs/user-guides/http-basic-authentication.md
+++ b/docs/user-guides/http-basic-authentication.md
@@ -92,7 +92,7 @@ kubectl -n authorino port-forward deployment/envoy 8000:8000 &
 
 ```sh
 kubectl -n authorino apply -f -<<EOF
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   name: talker-api-protection
@@ -143,7 +143,7 @@ kind: Secret
 metadata:
   name: basic-auth-1
   labels:
-    authorino.3scale.net/managed-by: authorino
+    authorino.kuadrant.io/managed-by: authorino
     group: users
 stringData:
   api_key: am9objpuZHlCenJlVXpGNHpxRFFzcVNQTUhrUmhyaUVPdGNSeA== # john:ndyBzreUzF4zqDQsqSPMHkRhriEOtcRx
@@ -160,7 +160,7 @@ kind: Secret
 metadata:
   name: basic-auth-2
   labels:
-    authorino.3scale.net/managed-by: authorino
+    authorino.kuadrant.io/managed-by: authorino
     group: users
 stringData:
   api_key: amFuZTpkTnNScnNhcHkwbk5Dd210NTM3ZkhGcHl4MGNCc0xFcA== # jane:dNsRrsapy0nNCwmt537fHFpyx0cBsLEp
diff --git a/docs/user-guides/injecting-data.md b/docs/user-guides/injecting-data.md
index 1083ae93..6ba3bb64 100644
--- a/docs/user-guides/injecting-data.md
+++ b/docs/user-guides/injecting-data.md
@@ -95,7 +95,7 @@ The following defines a JSON object to be injected as an added HTTP header into
 
 ```sh
 kubectl -n authorino apply -f -<<EOF
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   name: talker-api-protection
@@ -136,7 +136,7 @@ kind: Secret
 metadata:
   name: api-key-1
   labels:
-    authorino.3scale.net/managed-by: authorino
+    authorino.kuadrant.io/managed-by: authorino
     group: friends
   annotations:
     auth-data/name: Rita
diff --git a/docs/user-guides/json-pattern-matching-authorization.md b/docs/user-guides/json-pattern-matching-authorization.md
index 28a1da0d..b200ffb8 100644
--- a/docs/user-guides/json-pattern-matching-authorization.md
+++ b/docs/user-guides/json-pattern-matching-authorization.md
@@ -111,7 +111,7 @@ The implementation relies on the [`X-Forwarded-For`](https://datatracker.ietf.or
 
 ```sh
 kubectl -n authorino apply -f -<<EOF
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   name: talker-api-protection
diff --git a/docs/user-guides/kubernetes-subjectaccessreview.md b/docs/user-guides/kubernetes-subjectaccessreview.md
index 4ea6f447..752ef895 100644
--- a/docs/user-guides/kubernetes-subjectaccessreview.md
+++ b/docs/user-guides/kubernetes-subjectaccessreview.md
@@ -103,7 +103,7 @@ The `AuthConfig` below defines:
 
 ```sh
 kubectl -n authorino apply -f -<<EOF
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   name: talker-api-protection
@@ -153,7 +153,7 @@ spec:
         namespace:
           value: authorino
         group:
-          value: talker-api.authorino.3scale.net
+          value: talker-api.authorino.kuadrant.io
         resource:
           value: resources
         name:
@@ -208,7 +208,7 @@ kind: Role
 metadata:
   name: talker-api-resource-reader
 rules:
-- apiGroups: ["talker-api.authorino.3scale.net"]
+- apiGroups: ["talker-api.authorino.kuadrant.io"]
   resources: ["resources"]
   verbs: ["get"]
 EOF
@@ -246,7 +246,7 @@ kind: Secret
 metadata:
   name: api-key-1
   labels:
-    authorino.3scale.net/managed-by: authorino
+    authorino.kuadrant.io/managed-by: authorino
     audiences: talker-api
   annotations:
     username: john
@@ -265,7 +265,7 @@ kind: Secret
 metadata:
   name: api-key-2
   labels:
-    authorino.3scale.net/managed-by: authorino
+    authorino.kuadrant.io/managed-by: authorino
     audiences: talker-api
   annotations:
     username: jane
diff --git a/docs/user-guides/kubernetes-tokenreview.md b/docs/user-guides/kubernetes-tokenreview.md
index d28ae331..c2ecf323 100644
--- a/docs/user-guides/kubernetes-tokenreview.md
+++ b/docs/user-guides/kubernetes-tokenreview.md
@@ -94,7 +94,7 @@ kubectl -n authorino port-forward deployment/envoy 8000:8000 &
 
 ```sh
 kubectl -n authorino apply -f -<<EOF
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   name: talker-api-protection
diff --git a/docs/user-guides/logging.md b/docs/user-guides/logging.md
index 87de1252..9f95c972 100644
--- a/docs/user-guides/logging.md
+++ b/docs/user-guides/logging.md
@@ -57,8 +57,8 @@ Some typical log messages output by the Authorino service are listed in the tabl
 | -------|-------|---------|--------|
 | `authorino` | `info` | "setting instance base logger" | `min level=info\|debug`, `mode=production\|development` |
 | `authorino` | `debug` | "setting up with options" | `WATCH_NAMESPACE`, `AUTH_CONFIG_LABEL_SELECTOR`, `SECRET_LABEL_SELECTOR`, `LOG_LEVEL`, `LOG_MODE`, `EXT_AUTH_GRPC_PORT`, `TLS_CERT`, `TLS_CERT_KEY`, `OIDC_HTTP_PORT`, `OIDC_TLS_CERT`, `OIDC_TLS_CERT_KEY`, `metrics-addr`, `enable-leader-election` |
-| `authorino` | `info` | "attempting to acquire leader lease authorino/cb88a58a.authorino.3scale.net...\n" | |
-| `authorino` | `info` | "successfully acquired lease authorino/cb88a58a.authorino.3scale.net\n" | |
+| `authorino` | `info` | "attempting to acquire leader lease authorino/cb88a58a.authorino.kuadrant.io...\n" | |
+| `authorino` | `info` | "successfully acquired lease authorino/cb88a58a.authorino.kuadrant.io\n" | |
 | `authorino` | `info` | "starting grpc service" | `port`, `tls` |
 | `authorino` | `error` | "failed to obtain port for grpc auth service" | |
 | `authorino` | `error` | "failed to load tls cert" | |
@@ -125,26 +125,26 @@ The examples below are all with `LOG_LEVEL=debug` and `LOG_MODE=production`.
 
 ```jsonc
 {"level":"info","ts":1634674939.7563884,"logger":"authorino","msg":"setting instance base logger","min level":"debug","mode":"production"}
-{"level":"debug","ts":1634674939.7567484,"logger":"authorino","msg":"setting up with options","WATCH_NAMESPACE":"","AUTH_CONFIG_LABEL_SELECTOR":"","SECRET_LABEL_SELECTOR":"authorino.3scale.net/managed-by=authorino","LOG_LEVEL":"debug","LOG_MODE":"production","EXT_AUTH_GRPC_PORT":"50051","TLS_CERT":"/etc/ssl/certs/tls.crt","TLS_CERT_KEY":"/etc/ssl/private/tls.key","OIDC_HTTP_PORT":"8083","OIDC_TLS_CERT":"/etc/ssl/certs/oidc.crt","OIDC_TLS_CERT_KEY":"/etc/ssl/private/oidc.key","metrics-addr":"127.0.0.1:8080","enable-leader-election":true}
+{"level":"debug","ts":1634674939.7567484,"logger":"authorino","msg":"setting up with options","WATCH_NAMESPACE":"","AUTH_CONFIG_LABEL_SELECTOR":"","SECRET_LABEL_SELECTOR":"authorino.kuadrant.io/managed-by=authorino","LOG_LEVEL":"debug","LOG_MODE":"production","EXT_AUTH_GRPC_PORT":"50051","TLS_CERT":"/etc/ssl/certs/tls.crt","TLS_CERT_KEY":"/etc/ssl/private/tls.key","OIDC_HTTP_PORT":"8083","OIDC_TLS_CERT":"/etc/ssl/certs/oidc.crt","OIDC_TLS_CERT_KEY":"/etc/ssl/private/oidc.key","metrics-addr":"127.0.0.1:8080","enable-leader-election":true}
 {"level":"info","ts":1634674941.0670755,"logger":"authorino.controller-runtime.metrics","msg":"metrics server is starting to listen","addr":"127.0.0.1:8080"}
 {"level":"info","ts":1634674941.0946925,"logger":"authorino","msg":"starting grpc service","port":"50051","tls":true}
 {"level":"info","ts":1634674941.103486,"logger":"authorino","msg":"starting oidc service","port":"8083","tls":true}
 {"level":"info","ts":1634674941.1678321,"logger":"authorino","msg":"starting manager"}
-{"level":"info","ts":1634674941.1765432,"logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"Starting EventSource","reconciler group":"authorino.3scale.net","reconciler kind":"AuthConfig","source":"kind source: /, Kind="}
-{"level":"info","ts":1634674941.182127,"logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"Starting Controller","reconciler group":"authorino.3scale.net","reconciler kind":"AuthConfig"}
+{"level":"info","ts":1634674941.1765432,"logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"Starting EventSource","reconciler group":"authorino.kuadrant.io","reconciler kind":"AuthConfig","source":"kind source: /, Kind="}
+{"level":"info","ts":1634674941.182127,"logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"Starting Controller","reconciler group":"authorino.kuadrant.io","reconciler kind":"AuthConfig"}
 {"level":"info","ts":1634674941.1928735,"logger":"authorino.controller-runtime.manager.controller.secret","msg":"Starting EventSource","reconciler group":"","reconciler kind":"Secret","source":"kind source: /, Kind="}
 {"level":"info","ts":1634674941.1951146,"logger":"authorino.controller-runtime.manager.controller.secret","msg":"Starting Controller","reconciler group":"","reconciler kind":"Secret"}
 {"level":"info","ts":1634674941.203209,"logger":"authorino.controller-runtime.manager","msg":"starting metrics server","path":"/metrics"}
 {"level":"info","ts":1634674942.256725,"logger":"authorino.controller-runtime.manager.controller.secret","msg":"Starting workers","reconciler group":"","reconciler kind":"Secret","worker count":1}
-{"level":"info","ts":1634674942.2595103,"logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"Starting workers","reconciler group":"authorino.3scale.net","reconciler kind":"AuthConfig","worker count":1}
+{"level":"info","ts":1634674942.2595103,"logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"Starting workers","reconciler group":"authorino.kuadrant.io","reconciler kind":"AuthConfig","worker count":1}
 {"level":"info","ts":1634674942.5573237,"logger":"authorino","msg":"starting status update manager"}
-{"level":"info","ts":1634674942.5718815,"logger":"authorino","msg":"attempting to acquire leader lease authorino/cb88a58a.authorino.3scale.net...\n"}
-{"level":"info","ts":1634674959.4286165,"logger":"authorino","msg":"successfully acquired lease authorino/cb88a58a.authorino.3scale.net\n"}
-{"level":"info","ts":1634674959.4316218,"logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"Starting EventSource","reconciler group":"authorino.3scale.net","reconciler kind":"AuthConfig","source":"kind source: /, Kind="}
-{"level":"info","ts":1634674959.4348314,"logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"Starting Controller","reconciler group":"authorino.3scale.net","reconciler kind":"AuthConfig"}
-{"level":"debug","ts":1634674959.4354987,"logger":"authorino.controller-runtime.manager.events","msg":"Normal","object":{"kind":"ConfigMap","namespace":"authorino","name":"cb88a58a.authorino.3scale.net","uid":"fcefe0d5-87f6-4a01-8e80-7cf290bc269b","apiVersion":"v1","resourceVersion":"55791"},"reason":"LeaderElection","message":"authorino-controller-manager-5d86dbb56f-th8mf_c416d2c6-fe44-421b-a025-344a60b70614 became leader"}
-{"level":"debug","ts":1634674959.5168512,"logger":"authorino.controller-runtime.manager.events","msg":"Normal","object":{"kind":"Lease","namespace":"authorino","name":"cb88a58a.authorino.3scale.net","uid":"2753012c-4a06-4cb3-93c9-857d092bf289","apiVersion":"coordination.k8s.io/v1","resourceVersion":"55792"},"reason":"LeaderElection","message":"authorino-controller-manager-5d86dbb56f-th8mf_c416d2c6-fe44-421b-a025-344a60b70614 became leader"}
-{"level":"info","ts":1634674959.5356445,"logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"Starting workers","reconciler group":"authorino.3scale.net","reconciler kind":"AuthConfig","worker count":1}
+{"level":"info","ts":1634674942.5718815,"logger":"authorino","msg":"attempting to acquire leader lease authorino/cb88a58a.authorino.kuadrant.io...\n"}
+{"level":"info","ts":1634674959.4286165,"logger":"authorino","msg":"successfully acquired lease authorino/cb88a58a.authorino.kuadrant.io\n"}
+{"level":"info","ts":1634674959.4316218,"logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"Starting EventSource","reconciler group":"authorino.kuadrant.io","reconciler kind":"AuthConfig","source":"kind source: /, Kind="}
+{"level":"info","ts":1634674959.4348314,"logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"Starting Controller","reconciler group":"authorino.kuadrant.io","reconciler kind":"AuthConfig"}
+{"level":"debug","ts":1634674959.4354987,"logger":"authorino.controller-runtime.manager.events","msg":"Normal","object":{"kind":"ConfigMap","namespace":"authorino","name":"cb88a58a.authorino.kuadrant.io","uid":"fcefe0d5-87f6-4a01-8e80-7cf290bc269b","apiVersion":"v1","resourceVersion":"55791"},"reason":"LeaderElection","message":"authorino-controller-manager-5d86dbb56f-th8mf_c416d2c6-fe44-421b-a025-344a60b70614 became leader"}
+{"level":"debug","ts":1634674959.5168512,"logger":"authorino.controller-runtime.manager.events","msg":"Normal","object":{"kind":"Lease","namespace":"authorino","name":"cb88a58a.authorino.kuadrant.io","uid":"2753012c-4a06-4cb3-93c9-857d092bf289","apiVersion":"coordination.k8s.io/v1","resourceVersion":"55792"},"reason":"LeaderElection","message":"authorino-controller-manager-5d86dbb56f-th8mf_c416d2c6-fe44-421b-a025-344a60b70614 became leader"}
+{"level":"info","ts":1634674959.5356445,"logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"Starting workers","reconciler group":"authorino.kuadrant.io","reconciler kind":"AuthConfig","worker count":1}
 ```
 
 #### Reconciling an `AuthConfig` and 2 related API key `Secret`s:
@@ -175,7 +175,7 @@ The examples below are all with `LOG_LEVEL=debug` and `LOG_MODE=production`.
 {"level":"info","ts":1634830460.1486168,"logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8157480586935853928","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"127.0.0.1","PortSpecifier":{"PortValue":53144}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"127.0.0.1","PortSpecifier":{"PortValue":8000}}}}},"request":{"http":{"id":"8157480586935853928","method":"GET","path":"/hello","host":"talker-api","scheme":"http"}}}}
 {"level":"debug","ts":1634830460.1491194,"logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8157480586935853928","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"127.0.0.1","PortSpecifier":{"PortValue":53144}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"127.0.0.1","PortSpecifier":{"PortValue":8000}}}}},"request":{"time":{"seconds":1634830460,"nanos":147259000},"http":{"id":"8157480586935853928","method":"GET","headers":{":authority":"talker-api",":method":"GET",":path":"/hello",":scheme":"http","accept":"*/*","authorization":"Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IkRsVWJZMENyVy1sZ0tFMVRMd19pcTFUWGtTYUl6T0hyWks0VHhKYnpEZUUifQ.eyJhdWQiOlsidGFsa2VyLWFwaSJdLCJleHAiOjE2MzQ4MzEwNTEsImlhdCI6MTYzNDgzMDQ1MSwiaXNzIjoiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiLCJrdWJlcm5ldGVzLmlvIjp7Im5hbWVzcGFjZSI6ImF1dGhvcmlubyIsInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJhcGktY29uc3VtZXItMSIsInVpZCI6ImI0MGY1MzFjLWVjYWItNGYzMS1hNDk2LTJlYmM3MmFkZDEyMSJ9fSwibmJmIjoxNjM0ODMwNDUxLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6YXV0aG9yaW5vOmFwaS1jb25zdW1lci0xIn0.PaP0vqdl5DPfErr84KfVhPdlsGAPgsw0NkDaA9rne1zXjzcO7KPPbXhFwZC-oIjSGG1HfRMSoQeCXbQz24PSATmX8l1T52a9IFeXgP7sQmXZIDbiPfTm3X09kIIlfPKHhK_f-jQwRIpMRqNgLntlZ-xXX3P1fOBBUYR8obTPAQ6NDDaLHxw2SAmHFTQWjM_DInPDemXX0mEm7nCPKifsNxHaQH4wx4CD3LCLGbCI9FHNf2Crid8mmGJXf4wzcH1VuKkpUlsmnlUgTG2bfT2lbhSF2lBmrrhTJyYk6_aA09DwL4Bf4kvG-JtCq0Bkd_XynViIsOtOnAhgmdSPkfr-oA","user-agent":"curl/7.65.3","x-envoy-internal":"true","x-forwarded-for":"10.244.0.11","x-forwarded-proto":"http","x-request-id":"4c5d5c97-e15b-46a3-877a-d8188e09e08f"},"path":"/hello","host":"talker-api","scheme":"http","protocol":"HTTP/1.1"}},"context_extensions":{"virtual_host":"local_service"},"metadata_context":{}}}
 {"level":"debug","ts":1634830460.150506,"logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"8157480586935853928","tokenreview":{"metadata":{"creationTimestamp":null},"spec":{"token":"eyJhbGciOiJSUzI1NiIsImtpZCI6IkRsVWJZMENyVy1sZ0tFMVRMd19pcTFUWGtTYUl6T0hyWks0VHhKYnpEZUUifQ.eyJhdWQiOlsidGFsa2VyLWFwaSJdLCJleHAiOjE2MzQ4MzEwNTEsImlhdCI6MTYzNDgzMDQ1MSwiaXNzIjoiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiLCJrdWJlcm5ldGVzLmlvIjp7Im5hbWVzcGFjZSI6ImF1dGhvcmlubyIsInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJhcGktY29uc3VtZXItMSIsInVpZCI6ImI0MGY1MzFjLWVjYWItNGYzMS1hNDk2LTJlYmM3MmFkZDEyMSJ9fSwibmJmIjoxNjM0ODMwNDUxLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6YXV0aG9yaW5vOmFwaS1jb25zdW1lci0xIn0.PaP0vqdl5DPfErr84KfVhPdlsGAPgsw0NkDaA9rne1zXjzcO7KPPbXhFwZC-oIjSGG1HfRMSoQeCXbQz24PSATmX8l1T52a9IFeXgP7sQmXZIDbiPfTm3X09kIIlfPKHhK_f-jQwRIpMRqNgLntlZ-xXX3P1fOBBUYR8obTPAQ6NDDaLHxw2SAmHFTQWjM_DInPDemXX0mEm7nCPKifsNxHaQH4wx4CD3LCLGbCI9FHNf2Crid8mmGJXf4wzcH1VuKkpUlsmnlUgTG2bfT2lbhSF2lBmrrhTJyYk6_aA09DwL4Bf4kvG-JtCq0Bkd_XynViIsOtOnAhgmdSPkfr-oA","audiences":["talker-api"]},"status":{"user":{}}}}
-{"level":"debug","ts":1634830460.1509938,"logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"8157480586935853928","config":{"Name":"api-keys","ExtendedProperties":[{"Name":"sub","Value":{"Static":null,"Pattern":"auth.identity.metadata.annotations.userid"}}],"OAuth2":null,"OIDC":null,"MTLS":null,"HMAC":null,"APIKey":{"AuthCredentials":{"KeySelector":"APIKEY","In":"authorization_header"},"Name":"api-keys","LabelSelectors":{"audience":"talker-api","authorino.3scale.net/managed-by":"authorino"}},"KubernetesAuth":null},"reason":"credential not found"}
+{"level":"debug","ts":1634830460.1509938,"logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"8157480586935853928","config":{"Name":"api-keys","ExtendedProperties":[{"Name":"sub","Value":{"Static":null,"Pattern":"auth.identity.metadata.annotations.userid"}}],"OAuth2":null,"OIDC":null,"MTLS":null,"HMAC":null,"APIKey":{"AuthCredentials":{"KeySelector":"APIKEY","In":"authorization_header"},"Name":"api-keys","LabelSelectors":{"audience":"talker-api","authorino.kuadrant.io/managed-by":"authorino"}},"KubernetesAuth":null},"reason":"credential not found"}
 {"level":"debug","ts":1634830460.1517606,"logger":"authorino.service.auth.authpipeline.identity.oauth2","msg":"sending token introspection request","request id":"8157480586935853928","url":"http://talker-api:523b92b6-625d-4e1e-a313-77e7a8ae4e88@keycloak:8080/auth/realms/kuadrant/protocol/openid-connect/token/introspect","data":"token=eyJhbGciOiJSUzI1NiIsImtpZCI6IkRsVWJZMENyVy1sZ0tFMVRMd19pcTFUWGtTYUl6T0hyWks0VHhKYnpEZUUifQ.eyJhdWQiOlsidGFsa2VyLWFwaSJdLCJleHAiOjE2MzQ4MzEwNTEsImlhdCI6MTYzNDgzMDQ1MSwiaXNzIjoiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiLCJrdWJlcm5ldGVzLmlvIjp7Im5hbWVzcGFjZSI6ImF1dGhvcmlubyIsInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJhcGktY29uc3VtZXItMSIsInVpZCI6ImI0MGY1MzFjLWVjYWItNGYzMS1hNDk2LTJlYmM3MmFkZDEyMSJ9fSwibmJmIjoxNjM0ODMwNDUxLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6YXV0aG9yaW5vOmFwaS1jb25zdW1lci0xIn0.PaP0vqdl5DPfErr84KfVhPdlsGAPgsw0NkDaA9rne1zXjzcO7KPPbXhFwZC-oIjSGG1HfRMSoQeCXbQz24PSATmX8l1T52a9IFeXgP7sQmXZIDbiPfTm3X09kIIlfPKHhK_f-jQwRIpMRqNgLntlZ-xXX3P1fOBBUYR8obTPAQ6NDDaLHxw2SAmHFTQWjM_DInPDemXX0mEm7nCPKifsNxHaQH4wx4CD3LCLGbCI9FHNf2Crid8mmGJXf4wzcH1VuKkpUlsmnlUgTG2bfT2lbhSF2lBmrrhTJyYk6_aA09DwL4Bf4kvG-JtCq0Bkd_XynViIsOtOnAhgmdSPkfr-oA&token_type_hint=requesting_party_token"}
 {"level":"debug","ts":1634830460.1620777,"logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"8157480586935853928","config":{"Name":"k8s-service-accounts","ExtendedProperties":[],"OAuth2":null,"OIDC":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}}},"object":{"aud":["talker-api"],"exp":1634831051,"iat":1634830451,"iss":"https://kubernetes.default.svc.cluster.local","kubernetes.io":{"namespace":"authorino","serviceaccount":{"name":"api-consumer-1","uid":"b40f531c-ecab-4f31-a496-2ebc72add121"}},"nbf":1634830451,"sub":"system:serviceaccount:authorino:api-consumer-1"}}
 {"level":"debug","ts":1634830460.1622565,"logger":"authorino.service.auth.authpipeline.metadata.uma","msg":"requesting pat","request id":"8157480586935853928","url":"http://talker-api:523b92b6-625d-4e1e-a313-77e7a8ae4e88@keycloak:8080/auth/realms/kuadrant/protocol/openid-connect/token","data":"grant_type=client_credentials","headers":{"Content-Type":["application/x-www-form-urlencoded"]}}
@@ -210,7 +210,7 @@ The examples below are all with `LOG_LEVEL=debug` and `LOG_MODE=production`.
 {"level":"debug","ts":1634830413.2426975,"logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7199257136822741594","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"127.0.0.1","PortSpecifier":{"PortValue":52702}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"127.0.0.1","PortSpecifier":{"PortValue":8000}}}}},"request":{"time":{"seconds":1634830413,"nanos":240094000},"http":{"id":"7199257136822741594","method":"GET","headers":{":authority":"talker-api",":method":"GET",":path":"/hello",":scheme":"http","accept":"*/*","authorization":"APIKEY ndyBzreUzF4zqDQsqSPMHkRhriEOtcRx","user-agent":"curl/7.65.3","x-envoy-internal":"true","x-forwarded-for":"10.244.0.11","x-forwarded-proto":"http","x-request-id":"d38f5e66-bd72-4733-95d1-3179315cdd60"},"path":"/hello","host":"talker-api","scheme":"http","protocol":"HTTP/1.1"}},"context_extensions":{"virtual_host":"local_service"},"metadata_context":{}}}
 {"level":"debug","ts":1634830413.2428744,"logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"7199257136822741594","config":{"Name":"k8s-service-accounts","ExtendedProperties":[],"OAuth2":null,"OIDC":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}}},"reason":"credential not found"}
 {"level":"debug","ts":1634830413.2434332,"logger":"authorino.service.auth.authpipeline","msg":"skipping config","request id":"7199257136822741594","config":{"Name":"keycloak-jwts","ExtendedProperties":[],"OAuth2":null,"OIDC":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"},"Endpoint":"http://keycloak:8080/auth/realms/kuadrant"},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null},"reason":"context canceled"}
-{"level":"debug","ts":1634830413.2479305,"logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"7199257136822741594","config":{"Name":"api-keys","ExtendedProperties":[{"Name":"sub","Value":{"Static":null,"Pattern":"auth.identity.metadata.annotations.userid"}}],"OAuth2":null,"OIDC":null,"MTLS":null,"HMAC":null,"APIKey":{"AuthCredentials":{"KeySelector":"APIKEY","In":"authorization_header"},"Name":"api-keys","LabelSelectors":{"audience":"talker-api","authorino.3scale.net/managed-by":"authorino"}},"KubernetesAuth":null},"object":{"apiVersion":"v1","data":{"api_key":"bmR5QnpyZVV6RjR6cURRc3FTUE1Ia1JocmlFT3RjUng="},"kind":"Secret","metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Secret\",\"metadata\":{\"annotations\":{\"userid\":\"john\"},\"labels\":{\"audience\":\"talker-api\",\"authorino.3scale.net/managed-by\":\"authorino\"},\"name\":\"api-key-1\",\"namespace\":\"authorino\"},\"stringData\":{\"api_key\":\"ndyBzreUzF4zqDQsqSPMHkRhriEOtcRx\"},\"type\":\"Opaque\"}\n","userid":"john"},"creationTimestamp":"2021-10-21T14:45:54Z","labels":{"audience":"talker-api","authorino.3scale.net/managed-by":"authorino"},"managedFields":[{"apiVersion":"v1","fieldsType":"FieldsV1","fieldsV1":{"f:data":{".":{},"f:api_key":{}},"f:metadata":{"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{},"f:userid":{}},"f:labels":{".":{},"f:audience":{},"f:authorino.3scale.net/managed-by":{}}},"f:type":{}},"manager":"kubectl-client-side-apply","operation":"Update","time":"2021-10-21T14:45:54Z"}],"name":"api-key-1","namespace":"authorino","resourceVersion":"8979","uid":"c369852a-7e1a-43bd-94ca-e2b3f617052e"},"sub":"john","type":"Opaque"}}
+{"level":"debug","ts":1634830413.2479305,"logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"7199257136822741594","config":{"Name":"api-keys","ExtendedProperties":[{"Name":"sub","Value":{"Static":null,"Pattern":"auth.identity.metadata.annotations.userid"}}],"OAuth2":null,"OIDC":null,"MTLS":null,"HMAC":null,"APIKey":{"AuthCredentials":{"KeySelector":"APIKEY","In":"authorization_header"},"Name":"api-keys","LabelSelectors":{"audience":"talker-api","authorino.kuadrant.io/managed-by":"authorino"}},"KubernetesAuth":null},"object":{"apiVersion":"v1","data":{"api_key":"bmR5QnpyZVV6RjR6cURRc3FTUE1Ia1JocmlFT3RjUng="},"kind":"Secret","metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Secret\",\"metadata\":{\"annotations\":{\"userid\":\"john\"},\"labels\":{\"audience\":\"talker-api\",\"authorino.kuadrant.io/managed-by\":\"authorino\"},\"name\":\"api-key-1\",\"namespace\":\"authorino\"},\"stringData\":{\"api_key\":\"ndyBzreUzF4zqDQsqSPMHkRhriEOtcRx\"},\"type\":\"Opaque\"}\n","userid":"john"},"creationTimestamp":"2021-10-21T14:45:54Z","labels":{"audience":"talker-api","authorino.kuadrant.io/managed-by":"authorino"},"managedFields":[{"apiVersion":"v1","fieldsType":"FieldsV1","fieldsV1":{"f:data":{".":{},"f:api_key":{}},"f:metadata":{"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{},"f:userid":{}},"f:labels":{".":{},"f:audience":{},"f:authorino.kuadrant.io/managed-by":{}}},"f:type":{}},"manager":"kubectl-client-side-apply","operation":"Update","time":"2021-10-21T14:45:54Z"}],"name":"api-key-1","namespace":"authorino","resourceVersion":"8979","uid":"c369852a-7e1a-43bd-94ca-e2b3f617052e"},"sub":"john","type":"Opaque"}}
 {"level":"debug","ts":1634830413.248768,"logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"7199257136822741594","method":"GET","url":"http://talker-api.authorino.svc.cluster.local:3000/metadata?encoding=text/plain&original_path=/hello","headers":{"Content-Type":["text/plain"]}}
 {"level":"debug","ts":1634830413.2496722,"logger":"authorino.service.auth.authpipeline.metadata","msg":"cannot fetch metadata","request id":"7199257136822741594","config":{"Name":"oidc-userinfo","UserInfo":{"OIDC":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"},"Endpoint":"http://keycloak:8080/auth/realms/kuadrant"}},"UMA":null,"GenericHTTP":null},"reason":"Missing identity for OIDC issuer http://keycloak:8080/auth/realms/kuadrant. Skipping related UserInfo metadata."}
 {"level":"debug","ts":1634830413.2497928,"logger":"authorino.service.auth.authpipeline.metadata.uma","msg":"requesting pat","request id":"7199257136822741594","url":"http://talker-api:523b92b6-625d-4e1e-a313-77e7a8ae4e88@keycloak:8080/auth/realms/kuadrant/protocol/openid-connect/token","data":"grant_type=client_credentials","headers":{"Content-Type":["application/x-www-form-urlencoded"]}}
@@ -218,7 +218,7 @@ The examples below are all with `LOG_LEVEL=debug` and `LOG_MODE=production`.
 {"level":"debug","ts":1634830413.2945344,"logger":"authorino.service.auth.authpipeline.metadata.uma","msg":"querying resources by uri","request id":"7199257136822741594","url":"http://keycloak:8080/auth/realms/kuadrant/authz/protection/resource_set?uri=/hello"}
 {"level":"debug","ts":1634830413.3123596,"logger":"authorino.service.auth.authpipeline.metadata.uma","msg":"getting resource data","request id":"7199257136822741594","url":"http://keycloak:8080/auth/realms/kuadrant/authz/protection/resource_set/e20d194c-274c-4845-8c02-0ca413c9bf18"}
 {"level":"debug","ts":1634830413.3340268,"logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"7199257136822741594","config":{"Name":"uma-resource-registry","UserInfo":null,"UMA":{"Endpoint":"http://keycloak:8080/auth/realms/kuadrant","ClientID":"talker-api","ClientSecret":"523b92b6-625d-4e1e-a313-77e7a8ae4e88"},"GenericHTTP":null},"object":[{"_id":"e20d194c-274c-4845-8c02-0ca413c9bf18","attributes":{},"displayName":"hello","name":"hello","owner":{"id":"57a645a5-fb67-438b-8be5-dfb971666dbc"},"ownerManagedAccess":false,"resource_scopes":[],"uris":["/hi","/hello"]}]}
-{"level":"debug","ts":1634830413.3367748,"logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"7199257136822741594","input":{"context":{"source":{"address":{"Address":{"SocketAddress":{"address":"127.0.0.1","PortSpecifier":{"PortValue":52702}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"127.0.0.1","PortSpecifier":{"PortValue":8000}}}}},"request":{"time":{"seconds":1634830413,"nanos":240094000},"http":{"id":"7199257136822741594","method":"GET","headers":{":authority":"talker-api",":method":"GET",":path":"/hello",":scheme":"http","accept":"*/*","authorization":"APIKEY ndyBzreUzF4zqDQsqSPMHkRhriEOtcRx","user-agent":"curl/7.65.3","x-envoy-internal":"true","x-forwarded-for":"10.244.0.11","x-forwarded-proto":"http","x-request-id":"d38f5e66-bd72-4733-95d1-3179315cdd60"},"path":"/hello","host":"talker-api","scheme":"http","protocol":"HTTP/1.1"}},"context_extensions":{"virtual_host":"local_service"},"metadata_context":{}},"auth":{"identity":{"apiVersion":"v1","data":{"api_key":"bmR5QnpyZVV6RjR6cURRc3FTUE1Ia1JocmlFT3RjUng="},"kind":"Secret","metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Secret\",\"metadata\":{\"annotations\":{\"userid\":\"john\"},\"labels\":{\"audience\":\"talker-api\",\"authorino.3scale.net/managed-by\":\"authorino\"},\"name\":\"api-key-1\",\"namespace\":\"authorino\"},\"stringData\":{\"api_key\":\"ndyBzreUzF4zqDQsqSPMHkRhriEOtcRx\"},\"type\":\"Opaque\"}\n","userid":"john"},"creationTimestamp":"2021-10-21T14:45:54Z","labels":{"audience":"talker-api","authorino.3scale.net/managed-by":"authorino"},"managedFields":[{"apiVersion":"v1","fieldsType":"FieldsV1","fieldsV1":{"f:data":{".":{},"f:api_key":{}},"f:metadata":{"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{},"f:userid":{}},"f:labels":{".":{},"f:audience":{},"f:authorino.3scale.net/managed-by":{}}},"f:type":{}},"manager":"kubectl-client-side-apply","operation":"Update","time":"2021-10-21T14:45:54Z"}],"name":"api-key-1","namespace":"authorino","resourceVersion":"8979","uid":"c369852a-7e1a-43bd-94ca-e2b3f617052e"},"sub":"john","type":"Opaque"},"metadata":{"http-metadata":{"body":"","headers":{"Accept-Encoding":"gzip","Content-Type":"text/plain","Host":"talker-api.authorino.svc.cluster.local:3000","User-Agent":"Go-http-client/1.1","Version":"HTTP/1.1"},"method":"GET","path":"/metadata","query_string":"encoding=text/plain&original_path=/hello","uuid":"97529f8c-587b-4121-a4db-cd90c63871fd"},"uma-resource-registry":[{"_id":"e20d194c-274c-4845-8c02-0ca413c9bf18","attributes":{},"displayName":"hello","name":"hello","owner":{"id":"57a645a5-fb67-438b-8be5-dfb971666dbc"},"ownerManagedAccess":false,"resource_scopes":[],"uris":["/hi","/hello"]}]}}}}
+{"level":"debug","ts":1634830413.3367748,"logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"7199257136822741594","input":{"context":{"source":{"address":{"Address":{"SocketAddress":{"address":"127.0.0.1","PortSpecifier":{"PortValue":52702}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"127.0.0.1","PortSpecifier":{"PortValue":8000}}}}},"request":{"time":{"seconds":1634830413,"nanos":240094000},"http":{"id":"7199257136822741594","method":"GET","headers":{":authority":"talker-api",":method":"GET",":path":"/hello",":scheme":"http","accept":"*/*","authorization":"APIKEY ndyBzreUzF4zqDQsqSPMHkRhriEOtcRx","user-agent":"curl/7.65.3","x-envoy-internal":"true","x-forwarded-for":"10.244.0.11","x-forwarded-proto":"http","x-request-id":"d38f5e66-bd72-4733-95d1-3179315cdd60"},"path":"/hello","host":"talker-api","scheme":"http","protocol":"HTTP/1.1"}},"context_extensions":{"virtual_host":"local_service"},"metadata_context":{}},"auth":{"identity":{"apiVersion":"v1","data":{"api_key":"bmR5QnpyZVV6RjR6cURRc3FTUE1Ia1JocmlFT3RjUng="},"kind":"Secret","metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Secret\",\"metadata\":{\"annotations\":{\"userid\":\"john\"},\"labels\":{\"audience\":\"talker-api\",\"authorino.kuadrant.io/managed-by\":\"authorino\"},\"name\":\"api-key-1\",\"namespace\":\"authorino\"},\"stringData\":{\"api_key\":\"ndyBzreUzF4zqDQsqSPMHkRhriEOtcRx\"},\"type\":\"Opaque\"}\n","userid":"john"},"creationTimestamp":"2021-10-21T14:45:54Z","labels":{"audience":"talker-api","authorino.kuadrant.io/managed-by":"authorino"},"managedFields":[{"apiVersion":"v1","fieldsType":"FieldsV1","fieldsV1":{"f:data":{".":{},"f:api_key":{}},"f:metadata":{"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{},"f:userid":{}},"f:labels":{".":{},"f:audience":{},"f:authorino.kuadrant.io/managed-by":{}}},"f:type":{}},"manager":"kubectl-client-side-apply","operation":"Update","time":"2021-10-21T14:45:54Z"}],"name":"api-key-1","namespace":"authorino","resourceVersion":"8979","uid":"c369852a-7e1a-43bd-94ca-e2b3f617052e"},"sub":"john","type":"Opaque"},"metadata":{"http-metadata":{"body":"","headers":{"Accept-Encoding":"gzip","Content-Type":"text/plain","Host":"talker-api.authorino.svc.cluster.local:3000","User-Agent":"Go-http-client/1.1","Version":"HTTP/1.1"},"method":"GET","path":"/metadata","query_string":"encoding=text/plain&original_path=/hello","uuid":"97529f8c-587b-4121-a4db-cd90c63871fd"},"uma-resource-registry":[{"_id":"e20d194c-274c-4845-8c02-0ca413c9bf18","attributes":{},"displayName":"hello","name":"hello","owner":{"id":"57a645a5-fb67-438b-8be5-dfb971666dbc"},"ownerManagedAccess":false,"resource_scopes":[],"uris":["/hi","/hello"]}]}}}}
 {"level":"debug","ts":1634830413.339894,"logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7199257136822741594","config":{"Name":"my-policy","OPA":{"Rego":"fail := input.context.request.http.headers[\"x-ext-auth-mock\"] == \"FAIL\"\nallow { not fail }\n","OPAExternalSource":{"Endpoint":"","SharedSecret":"","AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}}},"JSON":null,"KubernetesAuthz":null},"object":true}
 {"level":"debug","ts":1634830413.3444238,"logger":"authorino.service.auth.authpipeline.authorization.kubernetesauthz","msg":"calling kubernetes subject access review api","request id":"7199257136822741594","subjectaccessreview":{"metadata":{"creationTimestamp":null},"spec":{"nonResourceAttributes":{"path":"/hello","verb":"get"},"user":"john"},"status":{"allowed":false}}}
 {"level":"debug","ts":1634830413.3547812,"logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7199257136822741594","config":{"Name":"kubernetes-rbac","OPA":null,"JSON":null,"KubernetesAuthz":{"Conditions":[],"User":{"Static":"","Pattern":"auth.identity.sub"},"Groups":null,"ResourceAttributes":null}},"object":true}
@@ -242,7 +242,7 @@ The examples below are all with `LOG_LEVEL=debug` and `LOG_MODE=production`.
 {"level":"info","ts":1634830373.2066543,"logger":"authorino.service.auth","msg":"incoming authorization request","request id":"12947265773116138711","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"127.0.0.1","PortSpecifier":{"PortValue":52288}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"127.0.0.1","PortSpecifier":{"PortValue":8000}}}}},"request":{"http":{"id":"12947265773116138711","method":"GET","path":"/hello","host":"talker-api","scheme":"http"}}}}
 {"level":"debug","ts":1634830373.2068064,"logger":"authorino.service.auth","msg":"incoming authorization request","request id":"12947265773116138711","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"127.0.0.1","PortSpecifier":{"PortValue":52288}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"127.0.0.1","PortSpecifier":{"PortValue":8000}}}}},"request":{"time":{"seconds":1634830373,"nanos":198329000},"http":{"id":"12947265773116138711","method":"GET","headers":{":authority":"talker-api",":method":"GET",":path":"/hello",":scheme":"http","accept":"*/*","authorization":"APIKEY invalid","user-agent":"curl/7.65.3","x-envoy-internal":"true","x-forwarded-for":"10.244.0.11","x-forwarded-proto":"http","x-request-id":"9e391846-afe4-489a-8716-23a2e1c1aa77"},"path":"/hello","host":"talker-api","scheme":"http","protocol":"HTTP/1.1"}},"context_extensions":{"virtual_host":"local_service"},"metadata_context":{}}}
 {"level":"debug","ts":1634830373.2070816,"logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"12947265773116138711","config":{"Name":"keycloak-opaque","ExtendedProperties":[],"OAuth2":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"},"TokenIntrospectionUrl":"http://keycloak:8080/auth/realms/kuadrant/protocol/openid-connect/token/introspect","TokenTypeHint":"requesting_party_token","ClientID":"talker-api","ClientSecret":"523b92b6-625d-4e1e-a313-77e7a8ae4e88"},"OIDC":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null},"reason":"credential not found"}
-{"level":"debug","ts":1634830373.207225,"logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"12947265773116138711","config":{"Name":"api-keys","ExtendedProperties":[{"Name":"sub","Value":{"Static":null,"Pattern":"auth.identity.metadata.annotations.userid"}}],"OAuth2":null,"OIDC":null,"MTLS":null,"HMAC":null,"APIKey":{"AuthCredentials":{"KeySelector":"APIKEY","In":"authorization_header"},"Name":"api-keys","LabelSelectors":{"audience":"talker-api","authorino.3scale.net/managed-by":"authorino"}},"KubernetesAuth":null},"reason":"the API Key provided is invalid"}
+{"level":"debug","ts":1634830373.207225,"logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"12947265773116138711","config":{"Name":"api-keys","ExtendedProperties":[{"Name":"sub","Value":{"Static":null,"Pattern":"auth.identity.metadata.annotations.userid"}}],"OAuth2":null,"OIDC":null,"MTLS":null,"HMAC":null,"APIKey":{"AuthCredentials":{"KeySelector":"APIKEY","In":"authorization_header"},"Name":"api-keys","LabelSelectors":{"audience":"talker-api","authorino.kuadrant.io/managed-by":"authorino"}},"KubernetesAuth":null},"reason":"the API Key provided is invalid"}
 {"level":"debug","ts":1634830373.2072473,"logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"12947265773116138711","config":{"Name":"k8s-service-accounts","ExtendedProperties":[],"OAuth2":null,"OIDC":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}}},"reason":"credential not found"}
 {"level":"debug","ts":1634830373.2072592,"logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"12947265773116138711","config":{"Name":"keycloak-jwts","ExtendedProperties":[],"OAuth2":null,"OIDC":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"},"Endpoint":"http://keycloak:8080/auth/realms/kuadrant"},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null},"reason":"credential not found"}
 {"level":"info","ts":1634830373.2073083,"logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"12947265773116138711","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":302,"message":"Redirecting to login"}}
@@ -260,10 +260,10 @@ The examples below are all with `LOG_LEVEL=debug` and `LOG_MODE=production`.
 #### Shutting down the service:
 
 ```jsonc
-{"level":"info","ts":1634675390.0908618,"logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"Shutdown signal received, waiting for all workers to finish","reconciler group":"authorino.3scale.net","reconciler kind":"AuthConfig"}
+{"level":"info","ts":1634675390.0908618,"logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"Shutdown signal received, waiting for all workers to finish","reconciler group":"authorino.kuadrant.io","reconciler kind":"AuthConfig"}
 {"level":"info","ts":1634675390.0909622,"logger":"authorino.controller-runtime.manager.controller.secret","msg":"Shutdown signal received, waiting for all workers to finish","reconciler group":"","reconciler kind":"Secret"}
-{"level":"info","ts":1634675390.0968425,"logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"Shutdown signal received, waiting for all workers to finish","reconciler group":"authorino.3scale.net","reconciler kind":"AuthConfig"}
+{"level":"info","ts":1634675390.0968425,"logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"Shutdown signal received, waiting for all workers to finish","reconciler group":"authorino.kuadrant.io","reconciler kind":"AuthConfig"}
 {"level":"info","ts":1634675390.101609,"logger":"authorino.controller-runtime.manager.controller.secret","msg":"All workers finished","reconciler group":"","reconciler kind":"Secret"}
-{"level":"info","ts":1634675390.10166,"logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"All workers finished","reconciler group":"authorino.3scale.net","reconciler kind":"AuthConfig"}
-{"level":"info","ts":1634675390.1017516,"logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"All workers finished","reconciler group":"authorino.3scale.net","reconciler kind":"AuthConfig"}
+{"level":"info","ts":1634675390.10166,"logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"All workers finished","reconciler group":"authorino.kuadrant.io","reconciler kind":"AuthConfig"}
+{"level":"info","ts":1634675390.1017516,"logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"All workers finished","reconciler group":"authorino.kuadrant.io","reconciler kind":"AuthConfig"}
 ```
diff --git a/docs/user-guides/oauth2-token-introspection.md b/docs/user-guides/oauth2-token-introspection.md
index 9cbd5b67..4215f820 100644
--- a/docs/user-guides/oauth2-token-introspection.md
+++ b/docs/user-guides/oauth2-token-introspection.md
@@ -150,7 +150,7 @@ Create the config:
 
 ```sh
 kubectl -n authorino apply -f -<<EOF
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   name: talker-api-protection
diff --git a/docs/user-guides/oidc-jwt-authentication.md b/docs/user-guides/oidc-jwt-authentication.md
index 644ab83b..f3bb7fdc 100644
--- a/docs/user-guides/oidc-jwt-authentication.md
+++ b/docs/user-guides/oidc-jwt-authentication.md
@@ -104,7 +104,7 @@ kubectl -n authorino port-forward deployment/envoy 8000:8000 &
 
 ```sh
 kubectl -n authorino apply -f -<<EOF
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   name: talker-api-protection
diff --git a/docs/user-guides/oidc-user-info.md b/docs/user-guides/oidc-user-info.md
index 7c7835bb..51c76529 100644
--- a/docs/user-guides/oidc-user-info.md
+++ b/docs/user-guides/oidc-user-info.md
@@ -106,7 +106,7 @@ kubectl -n authorino port-forward deployment/envoy 8000:8000 &
 
 ```sh
 kubectl -n authorino apply -f -<<EOF
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   name: talker-api-protection
diff --git a/docs/user-guides/opa-authorization.md b/docs/user-guides/opa-authorization.md
index 6037d17f..2da4f644 100644
--- a/docs/user-guides/opa-authorization.md
+++ b/docs/user-guides/opa-authorization.md
@@ -98,7 +98,7 @@ _Optional._ Set [`use_remote_address: true`](https://www.envoyproxy.io/docs/envo
 
 ```sh
 kubectl -n authorino apply -f -<<EOF
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   name: talker-api-protection
@@ -134,7 +134,7 @@ kind: Secret
 metadata:
   name: api-key-1
   labels:
-    authorino.3scale.net/managed-by: authorino
+    authorino.kuadrant.io/managed-by: authorino
     group: friends
 stringData:
   api_key: ndyBzreUzF4zqDQsqSPMHkRhriEOtcRx
diff --git a/docs/user-guides/passing-credentials.md b/docs/user-guides/passing-credentials.md
index 2d5b7399..5297f205 100644
--- a/docs/user-guides/passing-credentials.md
+++ b/docs/user-guides/passing-credentials.md
@@ -98,7 +98,7 @@ In this example, `member` users can authenticate supplying the API key in any of
 
 ```sh
 kubectl -n authorino apply -f -<<EOF
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   name: talker-api-protection
@@ -152,7 +152,7 @@ kind: Secret
 metadata:
   name: api-key-1
   labels:
-    authorino.3scale.net/managed-by: authorino
+    authorino.kuadrant.io/managed-by: authorino
     group: members
 stringData:
   api_key: ndyBzreUzF4zqDQsqSPMHkRhriEOtcRx
@@ -169,7 +169,7 @@ kind: Secret
 metadata:
   name: api-key-2
   labels:
-    authorino.3scale.net/managed-by: authorino
+    authorino.kuadrant.io/managed-by: authorino
     group: admins
 stringData:
   api_key: 7BNaTmYGItSzXiwQLNHu82+x52p1XHgY
diff --git a/docs/user-guides/resource-level-authorization-uma.md b/docs/user-guides/resource-level-authorization-uma.md
index 602f992d..5d5c3a78 100644
--- a/docs/user-guides/resource-level-authorization-uma.md
+++ b/docs/user-guides/resource-level-authorization-uma.md
@@ -125,14 +125,14 @@ Create the config:
 
 ```sh
 kubectl -n authorino apply -f -<<EOF
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   name: talker-api-protection
 spec:
   hosts:
   - talker-api-authorino.127.0.0.1.nip.io
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   name: talker-api-protection
diff --git a/docs/user-guides/sharding.md b/docs/user-guides/sharding.md
index 77a361c3..f2c712bb 100644
--- a/docs/user-guides/sharding.md
+++ b/docs/user-guides/sharding.md
@@ -104,7 +104,7 @@ Create an `AuthConfig`:
 
 ```sh
 kubectl -n myapp apply -f -<<EOF
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   name: auth-config-1
@@ -154,7 +154,7 @@ Create an `AuthConfig`:
 
 ```sh
 kubectl -n myapp apply -f -<<EOF
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   name: auth-config-2
@@ -202,7 +202,7 @@ kubectl -n authorino logs $(kubectl -n authorino get pods -l authorino-resource=
 
 ```sh
 kubectl -n myapp label authconfig/auth-config-2 disabled=true
-# authconfig.authorino.3scale.net/auth-config-2 labeled
+# authconfig.authorino.kuadrant.io/auth-config-2 labeled
 ```
 
 Verify in the logs that only the `authorino-production` instance adds the resources to the cache:
diff --git a/docs/user-guides/token-normalization.md b/docs/user-guides/token-normalization.md
index 02102cd1..fa5c5416 100644
--- a/docs/user-guides/token-normalization.md
+++ b/docs/user-guides/token-normalization.md
@@ -111,7 +111,7 @@ Without normalizing identity claims from these two different sources, the policy
 
 ```sh
 kubectl -n authorino apply -f -<<EOF
-apiVersion: authorino.3scale.net/v1beta1
+apiVersion: authorino.kuadrant.io/v1beta1
 kind: AuthConfig
 metadata:
   name: talker-api-protection
@@ -159,7 +159,7 @@ kind: Secret
 metadata:
   name: api-key-1
   labels:
-    authorino.3scale.net/managed-by: authorino
+    authorino.kuadrant.io/managed-by: authorino
     group: friends
 stringData:
   api_key: ndyBzreUzF4zqDQsqSPMHkRhriEOtcRx
diff --git a/install/crd/authorino.3scale.net_authconfigs.yaml b/install/crd/authorino.3scale.net_authconfigs.yaml
index db5ab32e..4a40de37 100644
--- a/install/crd/authorino.3scale.net_authconfigs.yaml
+++ b/install/crd/authorino.3scale.net_authconfigs.yaml
@@ -6,9 +6,9 @@ metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.6.1
   creationTimestamp: null
-  name: authconfigs.authorino.3scale.net
+  name: authconfigs.authorino.kuadrant.io
 spec:
-  group: authorino.3scale.net
+  group: authorino.kuadrant.io
   names:
     kind: AuthConfig
     listKind: AuthConfigList
diff --git a/install/crd/authorino.kuadrant.io_authconfigs.yaml b/install/crd/authorino.kuadrant.io_authconfigs.yaml
new file mode 100644
index 00000000..4a40de37
--- /dev/null
+++ b/install/crd/authorino.kuadrant.io_authconfigs.yaml
@@ -0,0 +1,1100 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.6.1
+  creationTimestamp: null
+  name: authconfigs.authorino.kuadrant.io
+spec:
+  group: authorino.kuadrant.io
+  names:
+    kind: AuthConfig
+    listKind: AuthConfigList
+    plural: authconfigs
+    singular: authconfig
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Ready?
+      jsonPath: .status.ready
+      name: Ready
+      type: boolean
+    - description: Number of trusted identity sources
+      jsonPath: .status.numIdentitySources
+      name: Id sources
+      priority: 2
+      type: integer
+    - description: Number of external metadata sources
+      jsonPath: .status.numMetadataSources
+      name: Metadata sources
+      priority: 2
+      type: integer
+    - description: Number of authorization policies
+      jsonPath: .status.numAuthorizationPolicies
+      name: Authz policies
+      priority: 2
+      type: integer
+    - description: Number of items added to the client response
+      jsonPath: .status.numResponseItems
+      name: Response items
+      priority: 2
+      type: integer
+    - description: Whether issuing Festival Wristbands
+      jsonPath: .status.festivalWristbandEnabled
+      name: Wristband
+      priority: 2
+      type: boolean
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: AuthConfig is the schema for Authorino's AuthConfig API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Specifies the desired state of the AuthConfig resource, i.e.
+              the authencation/authorization scheme to be applied to protect the matching
+              service hosts.
+            properties:
+              authorization:
+                description: Authorization is the list of authorization policies.
+                  All policies in this list MUST evaluate to "true" for a request
+                  be successful in the authorization phase.
+                items:
+                  description: 'Authorization policy to be enforced. Apart from "name",
+                    one of the following parameters is required and only one of the
+                    following parameters is allowed: "opa", "json" or "kubernetes".'
+                  properties:
+                    json:
+                      description: JSON pattern matching authorization policy.
+                      properties:
+                        conditions:
+                          description: Conditions that must match for Authorino to
+                            enforce this policy; otherwise, the policy will be skipped.
+                          items:
+                            properties:
+                              operator:
+                                description: 'The binary operator to be applied to
+                                  the content fetched from the authorization JSON,
+                                  for comparison with "value". Possible values are:
+                                  "eq" (equal to), "neq" (not equal to), "incl" (includes;
+                                  for arrays), "excl" (excludes; for arrays), "matches"
+                                  (regex)'
+                                enum:
+                                - eq
+                                - neq
+                                - incl
+                                - excl
+                                - matches
+                                type: string
+                              selector:
+                                description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson.
+                                  The value is used to fetch content from the input
+                                  authorization JSON built by Authorino along the
+                                  identity and metadata phases.
+                                type: string
+                              value:
+                                description: The value of reference for the comparison
+                                  with the content fetched from the authorization
+                                  policy. If used with the "matches" operator, the
+                                  value must compile to a valid Golang regex.
+                                type: string
+                            required:
+                            - operator
+                            - selector
+                            - value
+                            type: object
+                          type: array
+                        rules:
+                          description: The rules that must all evaluate to "true"
+                            for the request to be authorized.
+                          items:
+                            properties:
+                              operator:
+                                description: 'The binary operator to be applied to
+                                  the content fetched from the authorization JSON,
+                                  for comparison with "value". Possible values are:
+                                  "eq" (equal to), "neq" (not equal to), "incl" (includes;
+                                  for arrays), "excl" (excludes; for arrays), "matches"
+                                  (regex)'
+                                enum:
+                                - eq
+                                - neq
+                                - incl
+                                - excl
+                                - matches
+                                type: string
+                              selector:
+                                description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson.
+                                  The value is used to fetch content from the input
+                                  authorization JSON built by Authorino along the
+                                  identity and metadata phases.
+                                type: string
+                              value:
+                                description: The value of reference for the comparison
+                                  with the content fetched from the authorization
+                                  policy. If used with the "matches" operator, the
+                                  value must compile to a valid Golang regex.
+                                type: string
+                            required:
+                            - operator
+                            - selector
+                            - value
+                            type: object
+                          type: array
+                      type: object
+                    kubernetes:
+                      description: Kubernetes authorization policy based on `SubjectAccessReview`
+                        Path and Verb are inferred from the request.
+                      properties:
+                        conditions:
+                          description: Conditions that must match for Authorino to
+                            enforce this policy; otherwise, the policy will be skipped.
+                          items:
+                            properties:
+                              operator:
+                                description: 'The binary operator to be applied to
+                                  the content fetched from the authorization JSON,
+                                  for comparison with "value". Possible values are:
+                                  "eq" (equal to), "neq" (not equal to), "incl" (includes;
+                                  for arrays), "excl" (excludes; for arrays), "matches"
+                                  (regex)'
+                                enum:
+                                - eq
+                                - neq
+                                - incl
+                                - excl
+                                - matches
+                                type: string
+                              selector:
+                                description: Any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson.
+                                  The value is used to fetch content from the input
+                                  authorization JSON built by Authorino along the
+                                  identity and metadata phases.
+                                type: string
+                              value:
+                                description: The value of reference for the comparison
+                                  with the content fetched from the authorization
+                                  policy. If used with the "matches" operator, the
+                                  value must compile to a valid Golang regex.
+                                type: string
+                            required:
+                            - operator
+                            - selector
+                            - value
+                            type: object
+                          type: array
+                        groups:
+                          description: Groups to test for.
+                          items:
+                            type: string
+                          type: array
+                        resourceAttributes:
+                          description: Use ResourceAttributes for checking permissions
+                            on Kubernetes resources If omitted, it performs a non-resource
+                            `SubjectAccessReview`, with verb and path inferred from
+                            the request.
+                          properties:
+                            group:
+                              properties:
+                                value:
+                                  type: string
+                                valueFrom:
+                                  properties:
+                                    authJSON:
+                                      description: 'Selector to fill the value from
+                                        the authorization JSON. Any patterns supported
+                                        by https://pkg.go.dev/github.com/tidwall/gjson
+                                        can be used. The value can be just the pattern
+                                        with the path to fetch from the authorization
+                                        JSON (e.g. ''context.request.http.host'')
+                                        or a string template with variable placeholders
+                                        that resolve to patterns (e.g. "Hello, {auth.identity.name}!")
+                                        The following string modifiers are available:
+                                        @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
+                                        @case:upper|lower, and @base64:encode|decode.'
+                                      type: string
+                                  type: object
+                              type: object
+                            name:
+                              properties:
+                                value:
+                                  type: string
+                                valueFrom:
+                                  properties:
+                                    authJSON:
+                                      description: 'Selector to fill the value from
+                                        the authorization JSON. Any patterns supported
+                                        by https://pkg.go.dev/github.com/tidwall/gjson
+                                        can be used. The value can be just the pattern
+                                        with the path to fetch from the authorization
+                                        JSON (e.g. ''context.request.http.host'')
+                                        or a string template with variable placeholders
+                                        that resolve to patterns (e.g. "Hello, {auth.identity.name}!")
+                                        The following string modifiers are available:
+                                        @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
+                                        @case:upper|lower, and @base64:encode|decode.'
+                                      type: string
+                                  type: object
+                              type: object
+                            namespace:
+                              properties:
+                                value:
+                                  type: string
+                                valueFrom:
+                                  properties:
+                                    authJSON:
+                                      description: 'Selector to fill the value from
+                                        the authorization JSON. Any patterns supported
+                                        by https://pkg.go.dev/github.com/tidwall/gjson
+                                        can be used. The value can be just the pattern
+                                        with the path to fetch from the authorization
+                                        JSON (e.g. ''context.request.http.host'')
+                                        or a string template with variable placeholders
+                                        that resolve to patterns (e.g. "Hello, {auth.identity.name}!")
+                                        The following string modifiers are available:
+                                        @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
+                                        @case:upper|lower, and @base64:encode|decode.'
+                                      type: string
+                                  type: object
+                              type: object
+                            resource:
+                              properties:
+                                value:
+                                  type: string
+                                valueFrom:
+                                  properties:
+                                    authJSON:
+                                      description: 'Selector to fill the value from
+                                        the authorization JSON. Any patterns supported
+                                        by https://pkg.go.dev/github.com/tidwall/gjson
+                                        can be used. The value can be just the pattern
+                                        with the path to fetch from the authorization
+                                        JSON (e.g. ''context.request.http.host'')
+                                        or a string template with variable placeholders
+                                        that resolve to patterns (e.g. "Hello, {auth.identity.name}!")
+                                        The following string modifiers are available:
+                                        @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
+                                        @case:upper|lower, and @base64:encode|decode.'
+                                      type: string
+                                  type: object
+                              type: object
+                            subresource:
+                              properties:
+                                value:
+                                  type: string
+                                valueFrom:
+                                  properties:
+                                    authJSON:
+                                      description: 'Selector to fill the value from
+                                        the authorization JSON. Any patterns supported
+                                        by https://pkg.go.dev/github.com/tidwall/gjson
+                                        can be used. The value can be just the pattern
+                                        with the path to fetch from the authorization
+                                        JSON (e.g. ''context.request.http.host'')
+                                        or a string template with variable placeholders
+                                        that resolve to patterns (e.g. "Hello, {auth.identity.name}!")
+                                        The following string modifiers are available:
+                                        @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
+                                        @case:upper|lower, and @base64:encode|decode.'
+                                      type: string
+                                  type: object
+                              type: object
+                            verb:
+                              properties:
+                                value:
+                                  type: string
+                                valueFrom:
+                                  properties:
+                                    authJSON:
+                                      description: 'Selector to fill the value from
+                                        the authorization JSON. Any patterns supported
+                                        by https://pkg.go.dev/github.com/tidwall/gjson
+                                        can be used. The value can be just the pattern
+                                        with the path to fetch from the authorization
+                                        JSON (e.g. ''context.request.http.host'')
+                                        or a string template with variable placeholders
+                                        that resolve to patterns (e.g. "Hello, {auth.identity.name}!")
+                                        The following string modifiers are available:
+                                        @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
+                                        @case:upper|lower, and @base64:encode|decode.'
+                                      type: string
+                                  type: object
+                              type: object
+                          type: object
+                        user:
+                          description: User to test for. If without "Groups", then
+                            is it interpreted as "What if User were not a member of
+                            any groups"
+                          properties:
+                            value:
+                              type: string
+                            valueFrom:
+                              properties:
+                                authJSON:
+                                  description: 'Selector to fill the value from the
+                                    authorization JSON. Any patterns supported by
+                                    https://pkg.go.dev/github.com/tidwall/gjson can
+                                    be used. The value can be just the pattern with
+                                    the path to fetch from the authorization JSON
+                                    (e.g. ''context.request.http.host'') or a string
+                                    template with variable placeholders that resolve
+                                    to patterns (e.g. "Hello, {auth.identity.name}!")
+                                    The following string modifiers are available:
+                                    @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
+                                    @case:upper|lower, and @base64:encode|decode.'
+                                  type: string
+                              type: object
+                          type: object
+                      required:
+                      - user
+                      type: object
+                    name:
+                      description: Name of the authorization policy. It can be used
+                        to refer to the resolved authorization object in other configs.
+                      type: string
+                    opa:
+                      description: Open Policy Agent (OPA) authorization policy.
+                      properties:
+                        externalRegistry:
+                          description: External registry of OPA policies.
+                          properties:
+                            credentials:
+                              description: Defines where client credentials will be
+                                passed in the request to the service. If omitted,
+                                it defaults to client credentials passed in the HTTP
+                                Authorization header and the "Bearer" prefix expected
+                                prepended to the secret value.
+                              properties:
+                                in:
+                                  default: authorization_header
+                                  description: The location in the request where client
+                                    credentials shall be passed on requests authenticating
+                                    with this identity source/authentication mode.
+                                  enum:
+                                  - authorization_header
+                                  - custom_header
+                                  - query
+                                  - cookie
+                                  type: string
+                                keySelector:
+                                  description: Used in conjunction with the `in` parameter.
+                                    When used with `authorization_header`, the value
+                                    is the prefix of the client credentials string,
+                                    separated by a white-space, in the HTTP Authorization
+                                    header (e.g. "Bearer", "Basic"). When used with
+                                    `custom_header`, `query` or `cookie`, the value
+                                    is the name of the HTTP header, query string parameter
+                                    or cookie key, respectively.
+                                  type: string
+                              required:
+                              - keySelector
+                              type: object
+                            endpoint:
+                              description: Endpoint of the HTTP external registry.
+                                The endpoint must respond with either plain/text or
+                                application/json content-type. In the latter case,
+                                the JSON returned in the body must include a path
+                                `result.raw`, where the raw Rego policy will be extracted
+                                from. This complies with the specification of the
+                                OPA REST API (https://www.openpolicyagent.org/docs/latest/rest-api/#get-a-policy).
+                              type: string
+                            sharedSecretRef:
+                              description: Reference to a Secret key whose value will
+                                be passed by Authorino in the request. The HTTP service
+                                can use the shared secret to authenticate the origin
+                                of the request.
+                              properties:
+                                key:
+                                  description: The key of the secret to select from.  Must
+                                    be a valid secret key.
+                                  type: string
+                                name:
+                                  description: The name of the secret in the Authorino's
+                                    namespace to select from.
+                                  type: string
+                              required:
+                              - key
+                              - name
+                              type: object
+                          type: object
+                        inlineRego:
+                          description: Authorization policy as a Rego language document.
+                            The Rego document must include the "allow" condition,
+                            set by Authorino to "false" by default (i.e. requests
+                            are unauthorized unless changed). The Rego document must
+                            NOT include the "package" declaration in line 1.
+                          type: string
+                      type: object
+                    priority:
+                      default: 0
+                      description: Priority group of the config. All configs in the
+                        same priority group are evaluated concurrently; consecutive
+                        priority groups are evaluated sequentially.
+                      type: integer
+                  required:
+                  - name
+                  type: object
+                type: array
+              denyWith:
+                description: Custom denial response codes, statuses and headers to
+                  override default 40x's.
+                properties:
+                  unauthenticated:
+                    description: Denial status customization when the request is unauthenticated.
+                    properties:
+                      code:
+                        description: HTTP status code to override the default denial
+                          status code.
+                        format: int64
+                        maximum: 599
+                        minimum: 300
+                        type: integer
+                      headers:
+                        description: HTTP response headers to override the default
+                          denial headers.
+                        items:
+                          properties:
+                            name:
+                              description: The name of the claim
+                              type: string
+                            value:
+                              description: Static value of the claim
+                              x-kubernetes-preserve-unknown-fields: true
+                            valueFrom:
+                              description: Dynamic value of the claim
+                              properties:
+                                authJSON:
+                                  description: 'Selector to fill the value from the
+                                    authorization JSON. Any patterns supported by
+                                    https://pkg.go.dev/github.com/tidwall/gjson can
+                                    be used. The value can be just the pattern with
+                                    the path to fetch from the authorization JSON
+                                    (e.g. ''context.request.http.host'') or a string
+                                    template with variable placeholders that resolve
+                                    to patterns (e.g. "Hello, {auth.identity.name}!")
+                                    The following string modifiers are available:
+                                    @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
+                                    @case:upper|lower, and @base64:encode|decode.'
+                                  type: string
+                              type: object
+                          required:
+                          - name
+                          type: object
+                        type: array
+                      message:
+                        description: HTTP message to override the default denial message.
+                        type: string
+                    type: object
+                  unauthorized:
+                    description: Denial status customization when the request is unauthorized.
+                    properties:
+                      code:
+                        description: HTTP status code to override the default denial
+                          status code.
+                        format: int64
+                        maximum: 599
+                        minimum: 300
+                        type: integer
+                      headers:
+                        description: HTTP response headers to override the default
+                          denial headers.
+                        items:
+                          properties:
+                            name:
+                              description: The name of the claim
+                              type: string
+                            value:
+                              description: Static value of the claim
+                              x-kubernetes-preserve-unknown-fields: true
+                            valueFrom:
+                              description: Dynamic value of the claim
+                              properties:
+                                authJSON:
+                                  description: 'Selector to fill the value from the
+                                    authorization JSON. Any patterns supported by
+                                    https://pkg.go.dev/github.com/tidwall/gjson can
+                                    be used. The value can be just the pattern with
+                                    the path to fetch from the authorization JSON
+                                    (e.g. ''context.request.http.host'') or a string
+                                    template with variable placeholders that resolve
+                                    to patterns (e.g. "Hello, {auth.identity.name}!")
+                                    The following string modifiers are available:
+                                    @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
+                                    @case:upper|lower, and @base64:encode|decode.'
+                                  type: string
+                              type: object
+                          required:
+                          - name
+                          type: object
+                        type: array
+                      message:
+                        description: HTTP message to override the default denial message.
+                        type: string
+                    type: object
+                type: object
+              hosts:
+                description: The list of public host names of the services protected
+                  by this authentication/authorization scheme. Authorino uses the
+                  requested host to lookup for the corresponding authentication/authorization
+                  configs to enforce.
+                items:
+                  type: string
+                type: array
+              identity:
+                description: List of identity sources/authentication modes. At least
+                  one config of this list MUST evaluate to a valid identity for a
+                  request to be successful in the identity verification phase.
+                items:
+                  description: 'The identity source/authentication mode config. Apart
+                    from "name", one of the following parameters is required and only
+                    one of the following parameters is allowed: "oicd", "apiKey" or
+                    "kubernetes".'
+                  properties:
+                    apiKey:
+                      properties:
+                        labelSelectors:
+                          additionalProperties:
+                            type: string
+                          description: The map of label selectors used by Authorino
+                            to match secrets from the cluster storing valid credentials
+                            to authenticate to this service
+                          type: object
+                      required:
+                      - labelSelectors
+                      type: object
+                    credentials:
+                      description: Defines where client credentials are required to
+                        be passed in the request for this identity source/authentication
+                        mode. If omitted, it defaults to client credentials passed
+                        in the HTTP Authorization header and the "Bearer" prefix expected
+                        prepended to the credentials value (token, API key, etc).
+                      properties:
+                        in:
+                          default: authorization_header
+                          description: The location in the request where client credentials
+                            shall be passed on requests authenticating with this identity
+                            source/authentication mode.
+                          enum:
+                          - authorization_header
+                          - custom_header
+                          - query
+                          - cookie
+                          type: string
+                        keySelector:
+                          description: Used in conjunction with the `in` parameter.
+                            When used with `authorization_header`, the value is the
+                            prefix of the client credentials string, separated by
+                            a white-space, in the HTTP Authorization header (e.g.
+                            "Bearer", "Basic"). When used with `custom_header`, `query`
+                            or `cookie`, the value is the name of the HTTP header,
+                            query string parameter or cookie key, respectively.
+                          type: string
+                      required:
+                      - keySelector
+                      type: object
+                    extendedProperties:
+                      description: Extends the resolved identity object with additional
+                        custom properties before appending to the authorization JSON.
+                        It requires the resolved identity object to always be of the
+                        JSON type 'object'. Other JSON types (array, string, etc)
+                        will break.
+                      items:
+                        properties:
+                          name:
+                            description: The name of the claim
+                            type: string
+                          value:
+                            description: Static value of the claim
+                            x-kubernetes-preserve-unknown-fields: true
+                          valueFrom:
+                            description: Dynamic value of the claim
+                            properties:
+                              authJSON:
+                                description: 'Selector to fill the value from the
+                                  authorization JSON. Any patterns supported by https://pkg.go.dev/github.com/tidwall/gjson
+                                  can be used. The value can be just the pattern with
+                                  the path to fetch from the authorization JSON (e.g.
+                                  ''context.request.http.host'') or a string template
+                                  with variable placeholders that resolve to patterns
+                                  (e.g. "Hello, {auth.identity.name}!") The following
+                                  string modifiers are available: @extract:{sep:"
+                                  ",pos:0}, @replace{old:"",new:""}, @case:upper|lower,
+                                  and @base64:encode|decode.'
+                                type: string
+                            type: object
+                        required:
+                        - name
+                        type: object
+                      type: array
+                    kubernetes:
+                      properties:
+                        audiences:
+                          description: The list of audiences (scopes) that must be
+                            claimed in a Kubernetes authentication token supplied
+                            in the request, and reviewed by Authorino. If omitted,
+                            Authorino will review tokens expecting the host name of
+                            the requested protected service amongst the audiences.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    name:
+                      description: The name of this identity source/authentication
+                        mode. It usually identifies a source of identities or group
+                        of users/clients of the protected service. It can be used
+                        to refer to the resolved identity object in other configs.
+                      type: string
+                    oauth2:
+                      properties:
+                        credentialsRef:
+                          description: Reference to a Kubernetes secret in the same
+                            namespace, that stores client credentials to the OAuth2
+                            server.
+                          properties:
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                          type: object
+                        tokenIntrospectionUrl:
+                          description: The full URL of the token introspection endpoint.
+                          type: string
+                        tokenTypeHint:
+                          description: The token type hint for the token introspection.
+                            If omitted, it defaults to "access_token".
+                          type: string
+                      required:
+                      - credentialsRef
+                      - tokenIntrospectionUrl
+                      type: object
+                    oidc:
+                      properties:
+                        endpoint:
+                          description: Endpoint of the OIDC issuer. Authorino will
+                            append to this value the well-known path to the OpenID
+                            Connect discovery endpoint (i.e. "/.well-known/openid-configuration"),
+                            used to automatically discover the OpenID Connect configuration,
+                            whose set of claims is expected to include (among others)
+                            the "jkws_uri" claim. The value must coincide with the
+                            value of  the "iss" (issuer) claim of the discovered OpenID
+                            Connect configuration.
+                          type: string
+                        ttl:
+                          description: Decides how long to wait before refreshing
+                            the OIDC configuration (in seconds).
+                          type: integer
+                      required:
+                      - endpoint
+                      type: object
+                    priority:
+                      default: 0
+                      description: Priority group of the config. All configs in the
+                        same priority group are evaluated concurrently; consecutive
+                        priority groups are evaluated sequentially.
+                      type: integer
+                  required:
+                  - name
+                  type: object
+                type: array
+              metadata:
+                description: List of metadata source configs. Authorino fetches JSON
+                  content from sources on this list on every request.
+                items:
+                  description: 'The metadata config. Apart from "name", one of the
+                    following parameters is required and only one of the following
+                    parameters is allowed: "userInfo" or "uma".'
+                  properties:
+                    http:
+                      description: Generic HTTP interface to obtain authorization
+                        metadata from a HTTP service.
+                      properties:
+                        bodyParameters:
+                          description: Custom parameters to encode in the body of
+                            the HTTP request. Use it with method=POST; for GET requests,
+                            specify parameters using placeholders in the endpoint.
+                          items:
+                            properties:
+                              name:
+                                description: The name of the claim
+                                type: string
+                              value:
+                                description: Static value of the claim
+                                x-kubernetes-preserve-unknown-fields: true
+                              valueFrom:
+                                description: Dynamic value of the claim
+                                properties:
+                                  authJSON:
+                                    description: 'Selector to fill the value from
+                                      the authorization JSON. Any patterns supported
+                                      by https://pkg.go.dev/github.com/tidwall/gjson
+                                      can be used. The value can be just the pattern
+                                      with the path to fetch from the authorization
+                                      JSON (e.g. ''context.request.http.host'') or
+                                      a string template with variable placeholders
+                                      that resolve to patterns (e.g. "Hello, {auth.identity.name}!")
+                                      The following string modifiers are available:
+                                      @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
+                                      @case:upper|lower, and @base64:encode|decode.'
+                                    type: string
+                                type: object
+                            required:
+                            - name
+                            type: object
+                          type: array
+                        contentType:
+                          default: application/x-www-form-urlencoded
+                          description: Content-Type of the request body.
+                          enum:
+                          - application/x-www-form-urlencoded
+                          - application/json
+                          type: string
+                        credentials:
+                          description: Defines where client credentials will be passed
+                            in the request to the service. If omitted, it defaults
+                            to client credentials passed in the HTTP Authorization
+                            header and the "Bearer" prefix expected prepended to the
+                            secret value.
+                          properties:
+                            in:
+                              default: authorization_header
+                              description: The location in the request where client
+                                credentials shall be passed on requests authenticating
+                                with this identity source/authentication mode.
+                              enum:
+                              - authorization_header
+                              - custom_header
+                              - query
+                              - cookie
+                              type: string
+                            keySelector:
+                              description: Used in conjunction with the `in` parameter.
+                                When used with `authorization_header`, the value is
+                                the prefix of the client credentials string, separated
+                                by a white-space, in the HTTP Authorization header
+                                (e.g. "Bearer", "Basic"). When used with `custom_header`,
+                                `query` or `cookie`, the value is the name of the
+                                HTTP header, query string parameter or cookie key,
+                                respectively.
+                              type: string
+                          required:
+                          - keySelector
+                          type: object
+                        endpoint:
+                          description: Endpoint of the HTTP service. The endpoint
+                            accepts variable placeholders in the format "{selector}",
+                            where "selector" is any pattern supported by https://pkg.go.dev/github.com/tidwall/gjson
+                            and selects value from the authorization JSON. E.g. https://ext-auth-server.io/metadata?p={context.request.http.path}
+                          type: string
+                        headers:
+                          description: Custom headers in the HTTP request.
+                          items:
+                            properties:
+                              name:
+                                description: The name of the claim
+                                type: string
+                              value:
+                                description: Static value of the claim
+                                x-kubernetes-preserve-unknown-fields: true
+                              valueFrom:
+                                description: Dynamic value of the claim
+                                properties:
+                                  authJSON:
+                                    description: 'Selector to fill the value from
+                                      the authorization JSON. Any patterns supported
+                                      by https://pkg.go.dev/github.com/tidwall/gjson
+                                      can be used. The value can be just the pattern
+                                      with the path to fetch from the authorization
+                                      JSON (e.g. ''context.request.http.host'') or
+                                      a string template with variable placeholders
+                                      that resolve to patterns (e.g. "Hello, {auth.identity.name}!")
+                                      The following string modifiers are available:
+                                      @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
+                                      @case:upper|lower, and @base64:encode|decode.'
+                                    type: string
+                                type: object
+                            required:
+                            - name
+                            type: object
+                          type: array
+                        method:
+                          description: 'HTTP verb used in the request to the service.
+                            Accepted values: GET (default), POST. When the request
+                            method is POST, the authorization JSON is passed in the
+                            body of the request.'
+                          enum:
+                          - GET
+                          - POST
+                          type: string
+                        sharedSecretRef:
+                          description: Reference to a Secret key whose value will
+                            be passed by Authorino in the request. The HTTP service
+                            can use the shared secret to authenticate the origin of
+                            the request.
+                          properties:
+                            key:
+                              description: The key of the secret to select from.  Must
+                                be a valid secret key.
+                              type: string
+                            name:
+                              description: The name of the secret in the Authorino's
+                                namespace to select from.
+                              type: string
+                          required:
+                          - key
+                          - name
+                          type: object
+                      required:
+                      - endpoint
+                      type: object
+                    name:
+                      description: The name of the metadata source. It can be used
+                        to refer to the resolved metadata object in other configs.
+                      type: string
+                    priority:
+                      default: 0
+                      description: Priority group of the config. All configs in the
+                        same priority group are evaluated concurrently; consecutive
+                        priority groups are evaluated sequentially.
+                      type: integer
+                    uma:
+                      description: User-Managed Access (UMA) source of resource data.
+                      properties:
+                        credentialsRef:
+                          description: Reference to a Kubernetes secret in the same
+                            namespace, that stores client credentials to the resource
+                            registration API of the UMA server.
+                          properties:
+                            name:
+                              description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                TODO: Add other useful fields. apiVersion, kind, uid?'
+                              type: string
+                          type: object
+                        endpoint:
+                          description: The endpoint of the UMA server. The value must
+                            coincide with the "issuer" claim of the UMA config discovered
+                            from the well-known uma configuration endpoint.
+                          type: string
+                      required:
+                      - credentialsRef
+                      - endpoint
+                      type: object
+                    userInfo:
+                      description: OpendID Connect UserInfo linked to an OIDC identity
+                        config of this same spec.
+                      properties:
+                        identitySource:
+                          description: The name of an OIDC identity source included
+                            in the "identity" section and whose OpenID Connect configuration
+                            discovered includes the OIDC "userinfo_endpoint" claim.
+                          type: string
+                      required:
+                      - identitySource
+                      type: object
+                  required:
+                  - name
+                  type: object
+                type: array
+              response:
+                description: List of response configs. Authorino gathers data from
+                  the auth pipeline to build custom responses for the client.
+                items:
+                  description: 'Dynamic response to return to the client. Apart from
+                    "name", one of the following parameters is required and only one
+                    of the following parameters is allowed: "wristband" or "json".'
+                  properties:
+                    json:
+                      properties:
+                        properties:
+                          description: List of JSON property-value pairs to be added
+                            to the dynamic response.
+                          items:
+                            properties:
+                              name:
+                                description: The name of the claim
+                                type: string
+                              value:
+                                description: Static value of the claim
+                                x-kubernetes-preserve-unknown-fields: true
+                              valueFrom:
+                                description: Dynamic value of the claim
+                                properties:
+                                  authJSON:
+                                    description: 'Selector to fill the value from
+                                      the authorization JSON. Any patterns supported
+                                      by https://pkg.go.dev/github.com/tidwall/gjson
+                                      can be used. The value can be just the pattern
+                                      with the path to fetch from the authorization
+                                      JSON (e.g. ''context.request.http.host'') or
+                                      a string template with variable placeholders
+                                      that resolve to patterns (e.g. "Hello, {auth.identity.name}!")
+                                      The following string modifiers are available:
+                                      @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
+                                      @case:upper|lower, and @base64:encode|decode.'
+                                    type: string
+                                type: object
+                            required:
+                            - name
+                            type: object
+                          type: array
+                      required:
+                      - properties
+                      type: object
+                    name:
+                      description: Name of the custom response. It can be used to
+                        refer to the resolved response object in other configs.
+                      type: string
+                    priority:
+                      default: 0
+                      description: Priority group of the config. All configs in the
+                        same priority group are evaluated concurrently; consecutive
+                        priority groups are evaluated sequentially.
+                      type: integer
+                    wrapper:
+                      default: httpHeader
+                      description: How Authorino wraps the response. Use "httpHeader"
+                        (default) to wrap the response in an HTTP header; or "envoyDynamicMetadata"
+                        to wrap the response as Envoy Dynamic Metadata
+                      enum:
+                      - httpHeader
+                      - envoyDynamicMetadata
+                      type: string
+                    wrapperKey:
+                      description: The name of key used in the wrapped response (name
+                        of the HTTP header or property of the Envoy Dynamic Metadata
+                        JSON). If omitted, it will be set to the name of the configuration.
+                      type: string
+                    wristband:
+                      properties:
+                        customClaims:
+                          description: Any claims to be added to the wristband token
+                            apart from the standard JWT claims (iss, iat, exp) added
+                            by default.
+                          items:
+                            properties:
+                              name:
+                                description: The name of the claim
+                                type: string
+                              value:
+                                description: Static value of the claim
+                                x-kubernetes-preserve-unknown-fields: true
+                              valueFrom:
+                                description: Dynamic value of the claim
+                                properties:
+                                  authJSON:
+                                    description: 'Selector to fill the value from
+                                      the authorization JSON. Any patterns supported
+                                      by https://pkg.go.dev/github.com/tidwall/gjson
+                                      can be used. The value can be just the pattern
+                                      with the path to fetch from the authorization
+                                      JSON (e.g. ''context.request.http.host'') or
+                                      a string template with variable placeholders
+                                      that resolve to patterns (e.g. "Hello, {auth.identity.name}!")
+                                      The following string modifiers are available:
+                                      @extract:{sep:" ",pos:0}, @replace{old:"",new:""},
+                                      @case:upper|lower, and @base64:encode|decode.'
+                                    type: string
+                                type: object
+                            required:
+                            - name
+                            type: object
+                          type: array
+                        issuer:
+                          description: 'The endpoint to the Authorino service that
+                            issues the wristband (format: <scheme>://<host>:<port>/<realm>,
+                            where <realm> = <namespace>/<authorino-auth-config-resource-name/wristband-config-name)'
+                          type: string
+                        signingKeyRefs:
+                          description: Reference by name to Kubernetes secrets and
+                            corresponding signing algorithms. The secrets must contain
+                            a `key.pem` entry whose value is the signing key formatted
+                            as PEM.
+                          items:
+                            properties:
+                              algorithm:
+                                description: Algorithm to sign the wristband token
+                                  using the signing key provided
+                                enum:
+                                - ES256
+                                - ES384
+                                - ES512
+                                - RS256
+                                - RS384
+                                - RS512
+                                type: string
+                              name:
+                                description: Name of the signing key. The value is
+                                  used to reference the Kubernetes secret that stores
+                                  the key and in the `kid` claim of the wristband
+                                  token header.
+                                type: string
+                            required:
+                            - algorithm
+                            - name
+                            type: object
+                          type: array
+                        tokenDuration:
+                          description: Time span of the wristband token, in seconds.
+                          format: int64
+                          type: integer
+                      required:
+                      - issuer
+                      - signingKeyRefs
+                      type: object
+                  required:
+                  - name
+                  type: object
+                type: array
+            required:
+            - hosts
+            type: object
+          status:
+            description: AuthConfigStatus defines the observed state of AuthConfig
+            properties:
+              festivalWristbandEnabled:
+                type: boolean
+              numAuthorizationPolicies:
+                format: int64
+                type: integer
+              numIdentitySources:
+                format: int64
+                type: integer
+              numMetadataSources:
+                format: int64
+                type: integer
+              numResponseItems:
+                format: int64
+                type: integer
+              ready:
+                type: boolean
+            required:
+            - festivalWristbandEnabled
+            - numAuthorizationPolicies
+            - numIdentitySources
+            - numMetadataSources
+            - numResponseItems
+            - ready
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
diff --git a/install/crd/kustomization.yaml b/install/crd/kustomization.yaml
index a1378d8c..b5b8dc3c 100644
--- a/install/crd/kustomization.yaml
+++ b/install/crd/kustomization.yaml
@@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-- authorino.3scale.net_authconfigs.yaml
+- authorino.kuadrant.io_authconfigs.yaml
 # +kubebuilder:scaffold:crdkustomizeresource
 
 # patchesStrategicMerge:
@@ -18,7 +18,7 @@ patchesJson6902:
     group: apiextensions.k8s.io
     version: v1
     kind: CustomResourceDefinition
-    name: authconfigs.authorino.3scale.net
+    name: authconfigs.authorino.kuadrant.io
 
 configurations:
 - kustomizeconfig.yaml
diff --git a/install/crd/patches/cainjection_in_authconfigs.yaml b/install/crd/patches/cainjection_in_authconfigs.yaml
index 8f25865b..60bd77d0 100644
--- a/install/crd/patches/cainjection_in_authconfigs.yaml
+++ b/install/crd/patches/cainjection_in_authconfigs.yaml
@@ -5,4 +5,4 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
-  name: authconfigs.authorino.3scale.net
+  name: authconfigs.authorino.kuadrant.io
diff --git a/install/crd/patches/webhook_in_authconfigs.yaml b/install/crd/patches/webhook_in_authconfigs.yaml
index 8aef6880..bcb9cb1c 100644
--- a/install/crd/patches/webhook_in_authconfigs.yaml
+++ b/install/crd/patches/webhook_in_authconfigs.yaml
@@ -3,7 +3,7 @@
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
-  name: authconfigs.authorino.3scale.net
+  name: authconfigs.authorino.kuadrant.io
 spec:
   conversion:
     strategy: Webhook
diff --git a/install/manifests.yaml b/install/manifests.yaml
index 2bff7eed..5e9a825b 100644
--- a/install/manifests.yaml
+++ b/install/manifests.yaml
@@ -4,9 +4,9 @@ metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.6.1
   creationTimestamp: null
-  name: authconfigs.authorino.3scale.net
+  name: authconfigs.authorino.kuadrant.io
 spec:
-  group: authorino.3scale.net
+  group: authorino.kuadrant.io
   names:
     kind: AuthConfig
     listKind: AuthConfigList
@@ -1170,7 +1170,7 @@ metadata:
   name: authorino-authconfig-editor-role
 rules:
 - apiGroups:
-  - authorino.3scale.net
+  - authorino.kuadrant.io
   resources:
   - authconfigs
   verbs:
@@ -1181,7 +1181,7 @@ rules:
   - patch
   - update
 - apiGroups:
-  - authorino.3scale.net
+  - authorino.kuadrant.io
   resources:
   - authconfigs/status
   verbs:
@@ -1193,7 +1193,7 @@ metadata:
   name: authorino-authconfig-viewer-role
 rules:
 - apiGroups:
-  - authorino.3scale.net
+  - authorino.kuadrant.io
   resources:
   - authconfigs
   verbs:
@@ -1201,7 +1201,7 @@ rules:
   - list
   - watch
 - apiGroups:
-  - authorino.3scale.net
+  - authorino.kuadrant.io
   resources:
   - authconfigs/status
   verbs:
@@ -1220,7 +1220,7 @@ rules:
   verbs:
   - create
 - apiGroups:
-  - authorino.3scale.net
+  - authorino.kuadrant.io
   resources:
   - authconfigs
   verbs:
@@ -1232,7 +1232,7 @@ rules:
   - update
   - watch
 - apiGroups:
-  - authorino.3scale.net
+  - authorino.kuadrant.io
   resources:
   - authconfigs/status
   verbs:
diff --git a/install/rbac/auth_config_editor_role.yaml b/install/rbac/auth_config_editor_role.yaml
index b95f7bb3..65245875 100644
--- a/install/rbac/auth_config_editor_role.yaml
+++ b/install/rbac/auth_config_editor_role.yaml
@@ -5,7 +5,7 @@ metadata:
   name: authconfig-editor-role
 rules:
 - apiGroups:
-  - authorino.3scale.net
+  - authorino.kuadrant.io
   resources:
   - authconfigs
   verbs:
@@ -16,7 +16,7 @@ rules:
   - patch
   - update
 - apiGroups:
-  - authorino.3scale.net
+  - authorino.kuadrant.io
   resources:
   - authconfigs/status
   verbs:
diff --git a/install/rbac/auth_config_viewer_role.yaml b/install/rbac/auth_config_viewer_role.yaml
index a17e8f3e..44d5f7cb 100644
--- a/install/rbac/auth_config_viewer_role.yaml
+++ b/install/rbac/auth_config_viewer_role.yaml
@@ -5,7 +5,7 @@ metadata:
   name: authconfig-viewer-role
 rules:
 - apiGroups:
-  - authorino.3scale.net
+  - authorino.kuadrant.io
   resources:
   - authconfigs
   verbs:
@@ -13,7 +13,7 @@ rules:
   - list
   - watch
 - apiGroups:
-  - authorino.3scale.net
+  - authorino.kuadrant.io
   resources:
   - authconfigs/status
   verbs:
diff --git a/install/rbac/role.yaml b/install/rbac/role.yaml
index b9f31058..b914eba0 100644
--- a/install/rbac/role.yaml
+++ b/install/rbac/role.yaml
@@ -13,7 +13,7 @@ rules:
   verbs:
   - create
 - apiGroups:
-  - authorino.3scale.net
+  - authorino.kuadrant.io
   resources:
   - authconfigs
   verbs:
@@ -25,7 +25,7 @@ rules:
   - update
   - watch
 - apiGroups:
-  - authorino.3scale.net
+  - authorino.kuadrant.io
   resources:
   - authconfigs/status
   verbs:
diff --git a/main.go b/main.go
index 6c01c62f..54ab1ce4 100644
--- a/main.go
+++ b/main.go
@@ -63,7 +63,7 @@ const (
 
 	defaultWatchNamespace                 = ""
 	defaultWatchedAuthConfigLabelSelector = ""
-	defaultWatchedSecretLabelSelector     = "authorino.3scale.net/managed-by=authorino"
+	defaultWatchedSecretLabelSelector     = "authorino.kuadrant.io/managed-by=authorino"
 	defaultLogLevel                       = "info"
 	defaultLogMode                        = "production"
 	defaultExtAuthGRPCPort                = "50051"
@@ -76,7 +76,7 @@ const (
 	defaultEnableLeaderElection           = false
 
 	gRPCMaxConcurrentStreams = 10000
-	leaderElectionIDSuffix   = "authorino.3scale.net"
+	leaderElectionIDSuffix   = "authorino.kuadrant.io"
 )
 
 var (
diff --git a/pkg/common/json_test.go b/pkg/common/json_test.go
index dafd2c62..62736813 100644
--- a/pkg/common/json_test.go
+++ b/pkg/common/json_test.go
@@ -87,10 +87,10 @@ func TestIsTemplate(t *testing.T) {
 	assert.Check(t, value.IsTemplate())
 
 	// json path
-	value = &JSONValue{Pattern: `auth.identity.metadata.annotations.authorino\.3scale\.net/username`}
+	value = &JSONValue{Pattern: `auth.identity.metadata.annotations.authorino\.kuadrant\.io/username`}
 	assert.Check(t, !value.IsTemplate())
 
-	value = &JSONValue{Pattern: `auth.identity.metadata.annotations.authorino\.3scale\.net/username|@case:lower`}
+	value = &JSONValue{Pattern: `auth.identity.metadata.annotations.authorino\.kuadrant\.io/username|@case:lower`}
 	assert.Check(t, !value.IsTemplate())
 
 	value = &JSONValue{Pattern: `auth.identity.metadata.creationTimestamp`}
@@ -105,10 +105,10 @@ func TestIsTemplate(t *testing.T) {
 	assert.Check(t, value.IsTemplate())
 
 	// template with modifier
-	value = &JSONValue{Pattern: `Hello, {auth.identity.metadata.annotations.authorino\.3scale\.net/name|@extract:{"pos":1}}!`}
+	value = &JSONValue{Pattern: `Hello, {auth.identity.metadata.annotations.authorino\.kuadrant\.io/name|@extract:{"pos":1}}!`}
 	assert.Check(t, value.IsTemplate())
 
-	value = &JSONValue{Pattern: `Hello, \{auth.identity.metadata.annotations.authorino\.3scale\.net/name|@extract:\{"pos":1}}!`}
+	value = &JSONValue{Pattern: `Hello, \{auth.identity.metadata.annotations.authorino\.kuadrant\.io/name|@extract:\{"pos":1}}!`}
 	assert.Check(t, value.IsTemplate())
 
 	value = &JSONValue{Pattern: `Email domain: {auth.identity.email.@extract:{"sep":"@","pos":1}}`}
@@ -121,7 +121,7 @@ func TestIsTemplate(t *testing.T) {
 	value = &JSONValue{Pattern: `The JSON path is \{auth.identity.metadata.annotations.name.@replace:\{"old":"john","new":"John"\}\}!`}
 	assert.Check(t, value.IsTemplate())
 
-	value = &JSONValue{Pattern: `Hello, {auth.identity.metadata.annotations.authorino\.3scale\.net/name}!`}
+	value = &JSONValue{Pattern: `Hello, {auth.identity.metadata.annotations.authorino\.kuadrant\.io/name}!`}
 	assert.Check(t, value.IsTemplate())
 
 	// template with more than one variable placeholder