diff --git a/docs/_static/env-vars/activitylog.yaml b/docs/_static/env-vars/activitylog.yaml
index 4227cda1..62c1ba3c 100644
--- a/docs/_static/env-vars/activitylog.yaml
+++ b/docs/_static/env-vars/activitylog.yaml
@@ -20,10 +20,12 @@ store:
   nodes:
   - 127.0.0.1:9233
   database: activitylog
-  table: ""
   ttl: 0s
   username: ""
   password: ""
+  enable_tls: false
+  tls_insecure: false
+  tls_root_ca_certificate: ""
 reva_gateway: eu.opencloud.api.gateway
 grpc_client_tls: null
 http:
diff --git a/docs/_static/env-vars/activitylog_configvars.md b/docs/_static/env-vars/activitylog_configvars.md
index efc1a7d2..22d45b0b 100644
--- a/docs/_static/env-vars/activitylog_configvars.md
+++ b/docs/_static/env-vars/activitylog_configvars.md
@@ -17,10 +17,12 @@
 |`OC_PERSISTENT_STORE`<br/>`ACTIVITYLOG_STORE`| 1.0.0 |string|`The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details.`|`nats-js-kv`|
 |`OC_PERSISTENT_STORE_NODES`<br/>`ACTIVITYLOG_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`|
 |`ACTIVITYLOG_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`activitylog`|
-|`ACTIVITYLOG_STORE_TABLE`| 1.0.0 |string|`The database table the store should use.`|``|
 |`OC_PERSISTENT_STORE_TTL`<br/>`ACTIVITYLOG_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. See the Environment Variable Types description for more details.`|`0s`|
 |`OC_PERSISTENT_STORE_AUTH_USERNAME`<br/>`ACTIVITYLOG_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
 |`OC_PERSISTENT_STORE_AUTH_PASSWORD`<br/>`ACTIVITYLOG_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_PERSISTENT_STORE_ENABLE_TLS`<br/>`ACTIVITYLOG_STORE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured.`|`false`|
+|`OC_INSECURE`<br/>`OC_PERSISTENT_STORE_TLS_INSECURE`<br/>`ACTIVITYLOG_STORE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE`<br/>`ACTIVITYLOG_STORE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided ACTIVITYLOG_STORE_TLS_INSECURE will be seen as false.`|``|
 |`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata`|`eu.opencloud.api.gateway`|
 |`ACTIVITYLOG_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9195`|
 |`ACTIVITYLOG_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`|
diff --git a/docs/_static/env-vars/collaboration.yaml b/docs/_static/env-vars/collaboration.yaml
index bb26ea05..138e4658 100644
--- a/docs/_static/env-vars/collaboration.yaml
+++ b/docs/_static/env-vars/collaboration.yaml
@@ -24,6 +24,9 @@ store:
   ttl: 30m0s
   username: ""
   password: ""
+  enable_tls: false
+  tls_insecure: false
+  tls_root_ca_certificate: ""
 events:
   endpoint: 127.0.0.1:9233
   cluster: opencloud-cluster
diff --git a/docs/_static/env-vars/collaboration_configvars.md b/docs/_static/env-vars/collaboration_configvars.md
index 2dccd371..f8adb0c2 100644
--- a/docs/_static/env-vars/collaboration_configvars.md
+++ b/docs/_static/env-vars/collaboration_configvars.md
@@ -21,6 +21,9 @@
 |`OC_PERSISTENT_STORE_TTL`<br/>`COLLABORATION_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. Defaults to '30m' (30 minutes). See the Environment Variable Types description for more details.`|`30m0s`|
 |`OC_PERSISTENT_STORE_AUTH_USERNAME`<br/>`COLLABORATION_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
 |`OC_PERSISTENT_STORE_AUTH_PASSWORD`<br/>`COLLABORATION_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_PERSISTENT_STORE_ENABLE_TLS`<br/>`COLLABORATION_STORE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured.`|`false`|
+|`OC_INSECURE`<br/>`OC_PERSISTENT_STORE_TLS_INSECURE`<br/>`COLLABORATION_STORE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE`<br/>`COLLABORATION_STORE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided COLLABORATION_STORE_TLS_INSECURE will be seen as false.`|``|
 |`OC_EVENTS_ENDPOINT`<br/>`COLLABORATION_EVENTS_ENDPOINT`| next |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`|
 |`OC_EVENTS_CLUSTER`<br/>`COLLABORATION_EVENTS_CLUSTER`| next |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`|
 |`OC_INSECURE`<br/>`OC_EVENTS_TLS_INSECURE`<br/>`COLLABORATION_EVENTS_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
diff --git a/docs/_static/env-vars/eventhistory.yaml b/docs/_static/env-vars/eventhistory.yaml
index aa3896ea..32797e2f 100644
--- a/docs/_static/env-vars/eventhistory.yaml
+++ b/docs/_static/env-vars/eventhistory.yaml
@@ -28,3 +28,6 @@ store:
   ttl: 0s
   username: ""
   password: ""
+  enable_tls: false
+  tls_insecure: false
+  tls_root_ca_certificate: ""
diff --git a/docs/_static/env-vars/eventhistory_configvars.md b/docs/_static/env-vars/eventhistory_configvars.md
index 0361ed0d..c34fc641 100644
--- a/docs/_static/env-vars/eventhistory_configvars.md
+++ b/docs/_static/env-vars/eventhistory_configvars.md
@@ -22,3 +22,6 @@
 |`OC_PERSISTENT_STORE_TTL`<br/>`EVENTHISTORY_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details.`|`0s`|
 |`OC_PERSISTENT_STORE_AUTH_USERNAME`<br/>`EVENTHISTORY_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
 |`OC_PERSISTENT_STORE_AUTH_PASSWORD`<br/>`EVENTHISTORY_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_PERSISTENT_STORE_ENABLE_TLS`<br/>`EVENTHISTORY_STORE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured.`|`false`|
+|`OC_INSECURE`<br/>`OC_PERSISTENT_STORE_TLS_INSECURE`<br/>`EVENTHISTORY_STORE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE`<br/>`EVENTHISTORY_STORE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided EVENTHISTORY_STORE_TLS_INSECURE will be seen as false.`|``|
diff --git a/docs/_static/env-vars/frontend.yaml b/docs/_static/env-vars/frontend.yaml
index ff3e3cdd..a2e0f001 100644
--- a/docs/_static/env-vars/frontend.yaml
+++ b/docs/_static/env-vars/frontend.yaml
@@ -99,6 +99,9 @@ ocs:
   stat_cache_disable_persistence: false
   stat_cache_auth_username: ""
   stat_cache_auth_password: ""
+  stat_cache_enable_tls: false
+  stat_cache_tls_insecure: false
+  stat_cache_tls_root_ca_certificate: ""
   enable_denials: false
   list_ocm_shares: true
   include_ocm_sharees: false
diff --git a/docs/_static/env-vars/frontend_configvars.md b/docs/_static/env-vars/frontend_configvars.md
index d2726c66..65d310b6 100644
--- a/docs/_static/env-vars/frontend_configvars.md
+++ b/docs/_static/env-vars/frontend_configvars.md
@@ -1,5 +1,5 @@
 
-2026-06-15-00-10-35
+2026-06-17-00-11-00
 
 ## Deprecation Notice
 
@@ -75,6 +75,9 @@
 |`OC_CACHE_DISABLE_PERSISTENCE`<br/>`FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disable persistence of the cache. Only applies when using the 'nats-js-kv' store type. Defaults to false.`|`false`|
 |`OC_CACHE_AUTH_USERNAME`<br/>`FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to use for authentication. Only applies when using the 'nats-js-kv' store type.`|``|
 |`OC_CACHE_AUTH_PASSWORD`<br/>`FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to use for authentication. Only applies when using the 'nats-js-kv' store type.`|``|
+|`OC_CACHE_ENABLE_TLS`<br/>`FRONTEND_OCS_STAT_CACHE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`|
+|`OC_INSECURE`<br/>`OC_CACHE_TLS_INSECURE`<br/>`FRONTEND_OCS_STAT_CACHE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`<br/>`FRONTEND_OCS_STAT_CACHE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided FRONTEND_OCS_STAT_CACHE_TLS_INSECURE will be seen as false.`|``|
 |`FRONTEND_OCS_ENABLE_DENIALS`| 1.0.0 |bool|`EXPERIMENTAL: enable the feature to deny access on folders.`|`false`|
 |`OC_ENABLE_OCM`<br/>`FRONTEND_OCS_LIST_OCM_SHARES`| 1.0.0 |bool|`Include OCM shares when listing shares. See the OCM service documentation for more details.`|`true`|
 |`OC_ENABLE_OCM`<br/>`FRONTEND_OCS_INCLUDE_OCM_SHAREES`| 1.0.0 |bool|`Include OCM sharees when listing sharees.`|`false`|
@@ -93,7 +96,8 @@
 |`OCDAV_GATEWAY_REQUEST_TIME`<br/>`FRONTENT_OUTOCDAV_GATEWAY_REQUEST_TIMEOUT`| 1.0.0 |int64|`Request timeout in seconds for requests from the oCDAV service to the GATEWAY service.`|`84300`|
 |`OC_MACHINE_AUTH_API_KEY`<br/>`OCDAV_MACHINE_AUTH_API_KEY`<br/>`FRONTENT_OCDAV_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`Machine auth API key used to validate internal requests necessary for the access to resources from other services.`|``|
 |`OCDAV_ALLOW_PROPFIND_DEPTH_INFINITY`<br/>`FRONTENT_OCDAV_ALLOW_PROPFIND_DEPTH_INFINITY`| 1.0.0 |bool|`Allow the use of depth infinity in PROPFINDS. When enabled, a propfind will traverse through all subfolders. If many subfolders are expected, depth infinity can cause heavy server load and/or delayed response times.`|`false`|
-|`OCDAV_NAME_VALIDATION_INVALID_CHARS`<br/>`FRONTENT_OCDAV_NAME_VALIDATION_INVALID_CHARS`| 6.0.0 |[]string|`List of characters that are not allowed in file or folder names.`|``|
+|`OCDAV_NAME_VALIDATION_INVALID_CHARS`<br/>`FRONTENT_OCDAV_NAME_VALIDATION_INVALID_CHARS`| 6.0.0 |[]string|`List of characters that are not allowed in file or folder names.`|`[ 
 
+ \]`|
 |`OCDAV_NAME_VALIDATION_MAX_LENGTH`<br/>`FRONTENT_OCDAV_NAME_VALIDATION_MAX_LENGTH`| 6.0.0 |int|`Max length of file or folder names.`|`255`|
 |`FRONTEND_CHECKSUMS_SUPPORTED_TYPES`| 1.0.0 |[]string|`A list of checksum types that indicate to clients which hashes the server can use to verify upload integrity. Supported types are 'sha1', 'md5' and 'adler32'. See the Environment Variable Types description for more details.`|`[sha1 md5 adler32]`|
 |`FRONTEND_CHECKSUMS_PREFERRED_UPLOAD_TYPE`| 1.0.0 |string|`The supported checksum type for uploads that indicates to clients supporting multiple hash algorithms which one is preferred by the server. Must be one out of the defined list of SUPPORTED_TYPES.`|`sha1`|
diff --git a/docs/_static/env-vars/gateway.yaml b/docs/_static/env-vars/gateway.yaml
index 410ed3ea..3a84ad19 100644
--- a/docs/_static/env-vars/gateway.yaml
+++ b/docs/_static/env-vars/gateway.yaml
@@ -33,6 +33,9 @@ cache:
   provider_cache_disable_persistence: false
   provider_cache_auth_username: ""
   provider_cache_auth_password: ""
+  provider_cache_enable_tls: false
+  provider_cache_tls_insecure: false
+  provider_cache_tls_root_ca_certificate: ""
   create_home_cache_store: memory
   create_home_cache_nodes:
   - 127.0.0.1:9233
@@ -41,6 +44,9 @@ cache:
   create_home_cache_disable_persistence: false
   create_home_cache_auth_username: ""
   create_home_cache_auth_password: ""
+  create_home_cache_enable_tls: false
+  create_home_cache_tls_insecure: false
+  create_home_cache_tls_root_ca_certificate: ""
 frontend_public_url: https://localhost:9200
 users_endpoint: eu.opencloud.api.users
 groups_endpoint: eu.opencloud.api.groups
diff --git a/docs/_static/env-vars/gateway_configvars.md b/docs/_static/env-vars/gateway_configvars.md
index 345bb713..1f2ba988 100644
--- a/docs/_static/env-vars/gateway_configvars.md
+++ b/docs/_static/env-vars/gateway_configvars.md
@@ -26,6 +26,9 @@
 |`OC_CACHE_DISABLE_PERSISTENCE`<br/>`GATEWAY_PROVIDER_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the provider cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`|
 |`OC_CACHE_AUTH_USERNAME`<br/>`GATEWAY_PROVIDER_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to use for authentication. Only applies when store type 'nats-js-kv' is configured.`|``|
 |`OC_CACHE_AUTH_PASSWORD`<br/>`GATEWAY_PROVIDER_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to use for authentication. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_CACHE_ENABLE_TLS`<br/>`GATEWAY_PROVIDER_CACHE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`|
+|`OC_INSECURE`<br/>`OC_CACHE_TLS_INSECURE`<br/>`GATEWAY_PROVIDER_CACHE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`<br/>`GATEWAY_PROVIDER_CACHE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided GATEWAY_PROVIDER_CACHE_TLS_INSECURE will be seen as false.`|``|
 |`OC_CACHE_STORE`<br/>`GATEWAY_CREATE_HOME_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`memory`|
 |`OC_CACHE_STORE_NODES`<br/>`GATEWAY_CREATE_HOME_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`|
 |`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`cache-createhome`|
@@ -33,6 +36,9 @@
 |`OC_CACHE_DISABLE_PERSISTENCE`<br/>`GATEWAY_CREATE_HOME_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the create home cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`|
 |`OC_CACHE_AUTH_USERNAME`<br/>`GATEWAY_CREATE_HOME_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to use for authentication. Only applies when store type 'nats-js-kv' is configured.`|``|
 |`OC_CACHE_AUTH_PASSWORD`<br/>`GATEWAY_CREATE_HOME_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to use for authentication. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_CACHE_ENABLE_TLS`<br/>`GATEWAY_CREATE_HOME_CACHE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`|
+|`OC_INSECURE`<br/>`OC_CACHE_TLS_INSECURE`<br/>`GATEWAY_CREATE_HOME_CACHE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`<br/>`GATEWAY_CREATE_HOME_CACHE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided GATEWAY_CREATE_HOME_CACHE_TLS_INSECURE will be seen as false.`|``|
 |`OC_URL`<br/>`GATEWAY_FRONTEND_PUBLIC_URL`| 1.0.0 |string|`The public facing URL of the OpenCloud frontend.`|`https://localhost:9200`|
 |`GATEWAY_USERS_ENDPOINT`| 1.0.0 |string|`The endpoint of the users service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.users`|
 |`GATEWAY_GROUPS_ENDPOINT`| 1.0.0 |string|`The endpoint of the groups service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.groups`|
diff --git a/docs/_static/env-vars/global_configvars.md b/docs/_static/env-vars/global_configvars.md
index 460cf7c4..43df0976 100644
--- a/docs/_static/env-vars/global_configvars.md
+++ b/docs/_static/env-vars/global_configvars.md
@@ -5,28 +5,31 @@
 | `IDM_CREATE_DEMO_USERS` | 1.0.0 | bool | The default role assignments the demo users should be setup. | false |
 | `OC_ADMIN_USER_ID` | 1.0.0 | string | ID of the user that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand. |  |
 | `OC_ASYNC_UPLOADS` | 1.0.0 | bool | Enable asynchronous file uploads. | true |
-| `OC_CACHE_AUTH_PASSWORD` | 1.0.0 | string | The password to use for authentication. Only applies when using the 'nats-js-kv' store type. |  |
-| `OC_CACHE_AUTH_USERNAME` | 1.0.0 | string | The username to use for authentication. Only applies when using the 'nats-js-kv' store type. |  |
+| `OC_CACHE_AUTH_PASSWORD` | 1.0.0 | string | The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured. |  |
+| `OC_CACHE_AUTH_USERNAME` | 1.0.0 | string | The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured. |  |
 | `OC_CACHE_DATABASE` | 1.0.0 | string | The database name the configured store should use. | cache-stat |
-| `OC_CACHE_DISABLE_PERSISTENCE` | 1.0.0 | bool | Disable persistence of the cache. Only applies when using the 'nats-js-kv' store type. Defaults to false. | false |
+| `OC_CACHE_DISABLE_PERSISTENCE` | 1.0.0 | bool | Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false. | false |
+| `OC_CACHE_ENABLE_TLS` | next | bool | Enable TLS for the connection to file metadata cache. | false |
 | `OC_CACHE_STORE` | 1.0.0 | string | The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details. | memory |
-| `OC_CACHE_STORE_NODES` | 1.0.0 | []string | A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details. | [127.0.0.1:9233] |
-| `OC_CACHE_TTL` | 1.0.0 | Duration | Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details. | 5m0s |
-| `OC_CORS_ALLOW_CREDENTIALS` | 1.0.0 | bool | Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials. | false |
-| `OC_CORS_ALLOW_HEADERS` | 1.0.0 | []string | A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details. | [Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires Upload-Checksum Upload-Offset X-HTTP-Method-Override Cache-Control] |
-| `OC_CORS_ALLOW_METHODS` | 1.0.0 | []string | A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details. | [OPTIONS HEAD GET PUT POST PATCH DELETE MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH] |
-| `OC_CORS_ALLOW_ORIGINS` | 1.0.0 | []string | A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details. | [https://localhost:9200] |
+| `OC_CACHE_STORE_NODES` | 1.0.0 | []string | A list of nodes to access the configured store. This has no effect when 'memory' store are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details. | [127.0.0.1:9233] |
+| `OC_CACHE_TLS_INSECURE` | next | bool | Whether to verify the server TLS certificates. | false |
+| `OC_CACHE_TLS_ROOT_CA_CERTIFICATE` | next | string | The root CA certificate used to validate the server's TLS certificate. If provided GRAPH_CACHE_TLS_INSECURE will be seen as false. |  |
+| `OC_CACHE_TTL` | 1.0.0 | Duration | Time to live for cache records in the graph. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details. | 24h0m0s |
+| `OC_CORS_ALLOW_CREDENTIALS` | 1.0.0 | bool | Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials. | true |
+| `OC_CORS_ALLOW_HEADERS` | 1.0.0 | []string | A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details. | [Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Purge Restore] |
+| `OC_CORS_ALLOW_METHODS` | 1.0.0 | []string | A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details. | [GET POST PUT PATCH DELETE OPTIONS] |
+| `OC_CORS_ALLOW_ORIGINS` | 1.0.0 | []string | A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details. | [*] |
 | `OC_DECOMPOSEDFS_PROPAGATOR` | 1.0.0 | string | The propagator used for decomposedfs. At the moment, only 'sync' is fully supported, 'async' is available as an experimental option. | sync |
 | `OC_DEFAULT_LANGUAGE` | 1.0.0 | string | The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details. |  |
 | `OC_DISABLE_VERSIONING` | 1.0.0 | bool | Disables versioning of files. When set to true, new uploads with the same filename will overwrite existing files instead of creating a new version. | false |
-| `OC_ENABLE_OCM` | 1.0.0 | bool | Changing this value is NOT supported. Enables support for incoming federated sharing for clients. The backend behaviour is not changed. | false |
+| `OC_ENABLE_OCM` | 1.0.0 | bool | Include OCM sharees when listing users. | false |
 | `OC_EVENTS_AUTH_PASSWORD` | 1.0.0 | string | The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services. |  |
 | `OC_EVENTS_AUTH_USERNAME` | 1.0.0 | string | The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services. |  |
-| `OC_EVENTS_CLUSTER` | 1.0.0 | string | The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system. | opencloud-cluster |
+| `OC_EVENTS_CLUSTER` | 1.0.0 | string | The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. | opencloud-cluster |
 | `OC_EVENTS_ENABLE_TLS` | 1.0.0 | bool | Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services. | false |
-| `OC_EVENTS_ENDPOINT` | 1.0.0 | string | The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. | 127.0.0.1:9233 |
+| `OC_EVENTS_ENDPOINT` | 1.0.0 | string | The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Set to a empty string to disable emitting events. | 127.0.0.1:9233 |
 | `OC_EVENTS_TLS_INSECURE` | 1.0.0 | bool | Whether to verify the server TLS certificates. | false |
-| `OC_EVENTS_TLS_ROOT_CA_CERTIFICATE` | 1.0.0 | string | The root CA certificate used to validate the server's TLS certificate. Will be seen as empty if NOTIFICATIONS_EVENTS_TLS_INSECURE is provided. |  |
+| `OC_EVENTS_TLS_ROOT_CA_CERTIFICATE` | 1.0.0 | string | The root CA certificate used to validate the server's TLS certificate. If provided GRAPH_EVENTS_TLS_INSECURE will be seen as false. |  |
 | `OC_GATEWAY_GRPC_ADDR` | 1.0.0 | string | The bind address of the GRPC service. | 127.0.0.1:9142 |
 | `OC_GRPC_CLIENT_TLS_CACERT` | 1.0.0 | string | Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services. |  |
 | `OC_GRPC_CLIENT_TLS_MODE` | 1.0.0 | string | TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification. |  |
@@ -34,7 +37,7 @@
 | `OC_HTTP_TLS_CERTIFICATE` | 1.0.0 | string | Path/File name of the TLS server certificate (in PEM format) for the http services. |  |
 | `OC_HTTP_TLS_ENABLED` | 1.0.0 | bool | Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true. | false |
 | `OC_HTTP_TLS_KEY` | 1.0.0 | string | Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services. |  |
-| `OC_INSECURE` | 1.0.0 | bool | Whether to verify the server TLS certificates. | false |
+| `OC_INSECURE` | 1.0.0 | bool | Allow insecure connections to the OIDC issuer. | false |
 | `OC_JWT_SECRET` | 1.0.0 | string | The secret to mint and validate jwt tokens. |  |
 | `OC_KEYCLOAK_BASE_PATH` | 1.0.0 | string | The URL to access keycloak. |  |
 | `OC_KEYCLOAK_CLIENT_ID` | 1.0.0 | string | The client id to authenticate with keycloak. |  |
@@ -42,39 +45,39 @@
 | `OC_KEYCLOAK_CLIENT_SECRET` | 1.0.0 | string | The client secret to use in authentication. |  |
 | `OC_KEYCLOAK_INSECURE_SKIP_VERIFY` | 1.0.0 | bool | Disable TLS certificate validation for Keycloak connections. Do not set this in production environments. | false |
 | `OC_KEYCLOAK_USER_REALM` | 1.0.0 | string | The realm users are defined. |  |
-| `OC_LDAP_BIND_DN` | 1.0.0 | string | LDAP DN to use for simple bind authentication with the target LDAP server. | uid=reva,ou=sysusers,o=libregraph-idm |
+| `OC_LDAP_BIND_DN` | 1.0.0 | string | LDAP DN to use for simple bind authentication with the target LDAP server. | uid=libregraph,ou=sysusers,o=libregraph-idm |
 | `OC_LDAP_BIND_PASSWORD` | 1.0.0 | string | Password to use for authenticating the 'bind_dn'. |  |
 | `OC_LDAP_CACERT` | 1.0.0 | string | Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm. |  |
 | `OC_LDAP_DISABLED_USERS_GROUP_DN` | 1.0.0 | string | The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'. | cn=DisabledUsersGroup,ou=groups,o=libregraph-idm |
-| `OC_LDAP_DISABLE_USER_MECHANISM` | 1.0.0 | string | An option to control the behavior for disabling users. Valid options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. | attribute |
+| `OC_LDAP_DISABLE_USER_MECHANISM` | 1.0.0 | string | An option to control the behavior for disabling users. Supported options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. Default is 'attribute'. | attribute |
 | `OC_LDAP_GROUP_BASE_DN` | 1.0.0 | string | Search base DN for looking up LDAP groups. | ou=groups,o=libregraph-idm |
 | `OC_LDAP_GROUP_FILTER` | 1.0.0 | string | LDAP filter to add to the default filters for group searches. |  |
 | `OC_LDAP_GROUP_OBJECTCLASS` | 1.0.0 | string | The object class to use for groups in the default group search filter ('groupOfNames'). | groupOfNames |
 | `OC_LDAP_GROUP_SCHEMA_DISPLAYNAME` | 1.0.0 | string | LDAP Attribute to use for the displayname of groups (often the same as groupname attribute). | cn |
 | `OC_LDAP_GROUP_SCHEMA_GROUPNAME` | 1.0.0 | string | LDAP Attribute to use for the name of groups. | cn |
-| `OC_LDAP_GROUP_SCHEMA_ID` | 1.0.0 | string | LDAP Attribute to use as the unique id for groups. This should be a stable globally unique id (e.g. a UUID). | openCloudUUID |
-| `OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING` | 1.0.0 | bool | Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group IDs. | false |
+| `OC_LDAP_GROUP_SCHEMA_ID` | 1.0.0 | string | LDAP Attribute to use as the unique id for groups. This should be a stable globally unique ID like a UUID. | openCloudUUID |
+| `OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING` | 1.0.0 | bool | Set this to true if the defined 'ID' attribute for groups is of the 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of Active Directory for the group ID's. | false |
 | `OC_LDAP_GROUP_SCHEMA_MAIL` | 1.0.0 | string | LDAP Attribute to use for the email address of groups (can be empty). | mail |
 | `OC_LDAP_GROUP_SCHEMA_MEMBER` | 1.0.0 | string | LDAP Attribute that is used for group members. | member |
-| `OC_LDAP_GROUP_SCOPE` | 1.0.0 | string | LDAP search scope to use when looking up groups. Supported values are 'base', 'one' and 'sub'. | sub |
+| `OC_LDAP_GROUP_SCOPE` | 1.0.0 | string | LDAP search scope to use when looking up groups. Supported scopes are 'base', 'one' and 'sub'. | sub |
 | `OC_LDAP_INSECURE` | 1.0.0 | bool | Disable TLS certificate validation for the LDAP connections. Do not set this in production environments. | false |
 | `OC_LDAP_SERVER_WRITE_ENABLED` | 1.0.0 | bool | Allow creating, modifying and deleting LDAP users via the GRAPH API. This can only be set to 'true' when keeping default settings for the LDAP user and group attribute types (the 'OC_LDAP_USER_SCHEMA_* and 'OC_LDAP_GROUP_SCHEMA_* variables). | true |
 | `OC_LDAP_URI` | 1.0.0 | string | URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://' | ldap://localhost:9236 |
 | `OC_LDAP_USER_BASE_DN` | 1.0.0 | string | Search base DN for looking up LDAP users. | ou=users,o=libregraph-idm |
-| `OC_LDAP_USER_ENABLED_ATTRIBUTE` | 1.0.0 | string | LDAP attribute to use as a flag telling if the user is enabled or disabled. | openCloudUserEnabled |
+| `OC_LDAP_USER_ENABLED_ATTRIBUTE` | 1.0.0 | string | LDAP Attribute to use as a flag telling if the user is enabled or disabled. | openCloudUserEnabled |
 | `OC_LDAP_USER_FILTER` | 1.0.0 | string | LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'. |  |
 | `OC_LDAP_USER_OBJECTCLASS` | 1.0.0 | string | The object class to use for users in the default user search filter ('inetOrgPerson'). | inetOrgPerson |
-| `OC_LDAP_USER_SCHEMA_DISPLAYNAME` | 1.0.0 | string | LDAP Attribute to use for the displayname of users. | displayname |
+| `OC_LDAP_USER_SCHEMA_DISPLAYNAME` | 1.0.0 | string | LDAP Attribute to use for the display name of users. | displayName |
 | `OC_LDAP_USER_SCHEMA_ID` | 1.0.0 | string | LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID. | openCloudUUID |
-| `OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING` | 1.0.0 | bool | Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user IDs. | false |
+| `OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING` | 1.0.0 | bool | Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of Active Directory for the user ID's. | false |
 | `OC_LDAP_USER_SCHEMA_MAIL` | 1.0.0 | string | LDAP Attribute to use for the email address of users. | mail |
 | `OC_LDAP_USER_SCHEMA_TENANT_ID` | 4.0.0 | string | LDAP Attribute to use for the tenant ID of users. This is used to identify the tenant of a user in a multi-tenant environment. |  |
 | `OC_LDAP_USER_SCHEMA_USERNAME` | 1.0.0 | string | LDAP Attribute to use for username of users. | uid |
 | `OC_LDAP_USER_SCHEMA_USER_TYPE` | 1.0.0 | string | LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'openCloudUserType'. | openCloudUserType |
-| `OC_LDAP_USER_SCOPE` | 1.0.0 | string | LDAP search scope to use when looking up users. Supported values are 'base', 'one' and 'sub'. | sub |
+| `OC_LDAP_USER_SCOPE` | 1.0.0 | string | LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'. | sub |
 | `OC_LOG_LEVEL` | 1.0.0 | string | The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'. | error |
 | `OC_MACHINE_AUTH_API_KEY` | 1.0.0 | string | The machine auth API key used to validate internal requests necessary to access resources from other services. |  |
-| `OC_MAX_CONCURRENCY` | 1.0.0 | int | Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used. | 1 |
+| `OC_MAX_CONCURRENCY` | 1.0.0 | int | The maximum number of concurrent requests the service will handle. | 20 |
 | `OC_OIDC_CLIENT_ID` | 1.0.0 | string | The OIDC client ID which OpenCloud Web uses. This client needs to be set up in your IDP. Note that this setting has no effect when using the builtin IDP. | web |
 | `OC_OIDC_CLIENT_SCOPES` | 6.0.0 | []string | The OIDC client scopes the Android app should request. | [openid profile email offline_access] |
 | `OC_OIDC_ISSUER` | 1.0.0 | string | URL of the OIDC issuer. It defaults to URL of the builtin IDP. | https://localhost:9200 |
@@ -85,11 +88,14 @@
 | `OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS` | 1.0.0 | int | Define the minimum number of uppercase letters. Defaults to 1 if not set. | 1 |
 | `OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS` | 1.0.0 | int | Define the minimum number of characters from the special characters list to be present. Defaults to 1 if not set. | 1 |
 | `OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS` | 1.0.0 | int | Define the minimum number of lowercase letters. Defaults to 1 if not set. | 1 |
-| `OC_PERSISTENT_STORE` | 1.0.0 | string | The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details. | nats-js-kv |
+| `OC_PERSISTENT_STORE` | 1.0.0 | string | The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details. | memory |
 | `OC_PERSISTENT_STORE_AUTH_PASSWORD` | 1.0.0 | string | The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. |  |
 | `OC_PERSISTENT_STORE_AUTH_USERNAME` | 1.0.0 | string | The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. |  |
+| `OC_PERSISTENT_STORE_ENABLE_TLS` | next | bool | Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured. | false |
 | `OC_PERSISTENT_STORE_NODES` | 1.0.0 | []string | A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details. | [127.0.0.1:9233] |
-| `OC_PERSISTENT_STORE_TTL` | 1.0.0 | Duration | Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details. | 0s |
+| `OC_PERSISTENT_STORE_TLS_INSECURE` | next | bool | Whether to verify the server TLS certificates. | false |
+| `OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE` | next | string | The root CA certificate used to validate the server's TLS certificate. If provided GRAPH_STORE_TLS_INSECURE will be seen as false. |  |
+| `OC_PERSISTENT_STORE_TTL` | 1.0.0 | Duration | Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details. | 336h0m0s |
 | `OC_REVA_GATEWAY` | 1.0.0 | string | The CS3 gateway endpoint. | eu.opencloud.api.gateway |
 | `OC_SERVICE_ACCOUNT_ID` | 1.0.0 | string | The ID of the service account the service should use. See the 'auth-service' service description for more details. |  |
 | `OC_SERVICE_ACCOUNT_SECRET` | 1.0.0 | string | The service account secret. |  |
@@ -97,12 +103,12 @@
 | `OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD` | 1.0.0 | bool | Set this to true if you want to enforce passwords for writable shares. Only effective if the setting for 'passwords on all public shares' is set to false. | false |
 | `OC_SHOW_USER_EMAIL_IN_RESULTS` | 1.0.0 | bool | Include user email addresses in responses. If absent or set to false emails will be omitted from results. Please note that admin users can always see all email addresses. | false |
 | `OC_SPACES_MAX_QUOTA` | 1.0.0 | uint64 | Set the global max quota value in bytes. A value of 0 equals unlimited. The value is provided via capabilities. | 0 |
-| `OC_SYSTEM_USER_API_KEY` | 1.0.0 | string | API key for the STORAGE-SYSTEM system user. |  |
-| `OC_SYSTEM_USER_ID` | 1.0.0 | string | ID of the OpenCloud storage-system system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format. |  |
+| `OC_SYSTEM_USER_API_KEY` | 4.0.0 | string | API key for the STORAGE-SYSTEM system user. |  |
+| `OC_SYSTEM_USER_ID` | 4.0.0 | string | ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format. |  |
 | `OC_SYSTEM_USER_IDP` | 4.0.0 | string | IDP of the OpenCloud STORAGE-SYSTEM system user. | internal |
 | `OC_TRANSFER_SECRET` | 1.0.0 | string | Transfer secret for signing file up- and download requests. |  |
 | `OC_TRANSLATION_PATH` | 1.0.0 | string | (optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details. |  |
-| `OC_URL` | 1.0.0 | string | The public facing URL of the OpenCloud frontend. | https://localhost:9200 |
+| `OC_URL` | 1.0.0 | string | URL of the OIDC issuer. It defaults to URL of the builtin IDP. | https://localhost:9200 |
 | `OC_WOPI_DISABLE_CHAT` | 1.0.0 | bool | Disable chat in the office web frontend. This feature applies to OnlyOffice and Microsoft. | false |
 | `SEARCH_EVENTS_ACK_WAIT` | 4.0.0 | Duration | The time to wait for an ack before the message is redelivered. This is used to ensure that messages are not lost if the consumer crashes. | 1m0s |
 | `SEARCH_EVENTS_MAX_ACK_PENDING` | 4.0.0 | int | The maximum number of unacknowledged messages. This is used to limit the number of messages that can be in flight at the same time. | 1000 |
diff --git a/docs/_static/env-vars/graph.yaml b/docs/_static/env-vars/graph.yaml
index 163c4735..84569124 100644
--- a/docs/_static/env-vars/graph.yaml
+++ b/docs/_static/env-vars/graph.yaml
@@ -12,6 +12,9 @@ cache:
   disable_persistence: false
   username: ""
   password: ""
+  enable_tls: false
+  tls_insecure: false
+  tls_root_ca_certificate: ""
 debug:
   addr: 127.0.0.1:9124
   token: ""
@@ -158,3 +161,6 @@ store:
   database: graph
   username: ""
   password: ""
+  enable_tls: false
+  tls_insecure: false
+  tls_root_ca_certificate: ""
diff --git a/docs/_static/env-vars/graph_configvars.md b/docs/_static/env-vars/graph_configvars.md
index bc1daaf9..b3228de0 100644
--- a/docs/_static/env-vars/graph_configvars.md
+++ b/docs/_static/env-vars/graph_configvars.md
@@ -11,6 +11,9 @@
 |`OC_CACHE_DISABLE_PERSISTENCE`<br/>`GRAPH_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`|
 |`OC_CACHE_AUTH_USERNAME`<br/>`GRAPH_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``|
 |`OC_CACHE_AUTH_PASSWORD`<br/>`GRAPH_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_CACHE_ENABLE_TLS`<br/>`GRAPH_CACHE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`|
+|`OC_INSECURE`<br/>`OC_CACHE_TLS_INSECURE`<br/>`GRAPH_CACHE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`<br/>`GRAPH_CACHE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided GRAPH_CACHE_TLS_INSECURE will be seen as false.`|``|
 |`GRAPH_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9124`|
 |`GRAPH_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``|
 |`GRAPH_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`|
@@ -114,3 +117,6 @@
 |`GRAPH_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`graph`|
 |`OC_PERSISTENT_STORE_AUTH_USERNAME`<br/>`GRAPH_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
 |`OC_PERSISTENT_STORE_AUTH_PASSWORD`<br/>`GRAPH_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_PERSISTENT_STORE_ENABLE_TLS`<br/>`GRAPH_STORE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured.`|`false`|
+|`OC_INSECURE`<br/>`OC_PERSISTENT_STORE_TLS_INSECURE`<br/>`GRAPH_STORE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE`<br/>`GRAPH_STORE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided GRAPH_STORE_TLS_INSECURE will be seen as false.`|``|
diff --git a/docs/_static/env-vars/notifications.yaml b/docs/_static/env-vars/notifications.yaml
index cc6a0c10..0c49b9ae 100644
--- a/docs/_static/env-vars/notifications.yaml
+++ b/docs/_static/env-vars/notifications.yaml
@@ -46,3 +46,6 @@ store:
   ttl: 336h0m0s
   username: ""
   password: ""
+  enable_tls: false
+  tls_insecure: false
+  tls_root_ca_certificate: ""
diff --git a/docs/_static/env-vars/notifications_configvars.md b/docs/_static/env-vars/notifications_configvars.md
index ba8e6f06..3e8a1c13 100644
--- a/docs/_static/env-vars/notifications_configvars.md
+++ b/docs/_static/env-vars/notifications_configvars.md
@@ -38,3 +38,6 @@
 |`OC_PERSISTENT_STORE_TTL`<br/>`NOTIFICATIONS_STORE_TTL`| 1.0.0 |Duration|`Time to live for notifications in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details.`|`336h0m0s`|
 |`OC_PERSISTENT_STORE_AUTH_USERNAME`<br/>`NOTIFICATIONS_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
 |`OC_PERSISTENT_STORE_AUTH_PASSWORD`<br/>`NOTIFICATIONS_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_PERSISTENT_STORE_ENABLE_TLS`<br/>`NOTIFICATIONS_STORE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured.`|`false`|
+|`OC_INSECURE`<br/>`OC_PERSISTENT_STORE_TLS_INSECURE`<br/>`NOTIFICATIONS_STORE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE`<br/>`NOTIFICATIONS_STORE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_STORE_TLS_INSECURE will be seen as false.`|``|
diff --git a/docs/_static/env-vars/ocs.yaml b/docs/_static/env-vars/ocs.yaml
index ef58a4b5..7bcc8690 100644
--- a/docs/_static/env-vars/ocs.yaml
+++ b/docs/_static/env-vars/ocs.yaml
@@ -41,5 +41,8 @@ signing_keys:
   ttl: 24h0m0s
   username: ""
   password: ""
+  enable_tls: false
+  tls_insecure: false
+  tls_root_ca_certificate: ""
 token_manager:
   jwt_secret: ""
diff --git a/docs/_static/env-vars/ocs_configvars.md b/docs/_static/env-vars/ocs_configvars.md
index 2dc39ab4..b7f82885 100644
--- a/docs/_static/env-vars/ocs_configvars.md
+++ b/docs/_static/env-vars/ocs_configvars.md
@@ -21,4 +21,7 @@
 |`OC_CACHE_TTL`<br/>`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL`| 1.0.0 |Duration|`Default time to live for signing keys. See the Environment Variable Types description for more details.`|`24h0m0s`|
 |`OC_CACHE_AUTH_USERNAME`<br/>`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
 |`OC_CACHE_AUTH_PASSWORD`<br/>`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_CACHE_ENABLE_TLS`<br/>`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`|
+|`OC_INSECURE`<br/>`OC_CACHE_TLS_INSECURE`<br/>`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`<br/>`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE will be seen as false.`|``|
 |`OC_JWT_SECRET`<br/>`OCS_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``|
diff --git a/docs/_static/env-vars/postprocessing.yaml b/docs/_static/env-vars/postprocessing.yaml
index 83de9136..74de6abe 100644
--- a/docs/_static/env-vars/postprocessing.yaml
+++ b/docs/_static/env-vars/postprocessing.yaml
@@ -16,6 +16,9 @@ store:
   ttl: 168h0m0s
   username: ""
   password: ""
+  enable_tls: false
+  tls_insecure: false
+  tls_root_ca_certificate: ""
 postprocessing:
   events:
     endpoint: 127.0.0.1:9233
diff --git a/docs/_static/env-vars/postprocessing_configvars.md b/docs/_static/env-vars/postprocessing_configvars.md
index 5e4ec8de..0a30165f 100644
--- a/docs/_static/env-vars/postprocessing_configvars.md
+++ b/docs/_static/env-vars/postprocessing_configvars.md
@@ -14,6 +14,9 @@
 |`OC_PERSISTENT_STORE_TTL`<br/>`POSTPROCESSING_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. See the Environment Variable Types description for more details.`|`168h0m0s`|
 |`OC_PERSISTENT_STORE_AUTH_USERNAME`<br/>`POSTPROCESSING_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
 |`OC_PERSISTENT_STORE_AUTH_PASSWORD`<br/>`POSTPROCESSING_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_PERSISTENT_STORE_ENABLE_TLS`<br/>`POSTPROCESSING_STORE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured.`|`false`|
+|`OC_INSECURE`<br/>`OC_PERSISTENT_STORE_TLS_INSECURE`<br/>`POSTPROCESSING_STORE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE`<br/>`POSTPROCESSING_STORE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided POSTPROCESSING_STORE_TLS_INSECURE will be seen as false.`|``|
 |`OC_EVENTS_ENDPOINT`<br/>`POSTPROCESSING_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`|
 |`OC_EVENTS_CLUSTER`<br/>`POSTPROCESSING_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`|
 |`OC_INSECURE`<br/>`OC_EVENTS_TLS_INSECURE`<br/>`POSTPROCESSING_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether the OpenCloud server should skip the client certificate verification during the TLS handshake.`|`false`|
diff --git a/docs/_static/env-vars/proxy.yaml b/docs/_static/env-vars/proxy.yaml
index f809ec5b..afcf227b 100644
--- a/docs/_static/env-vars/proxy.yaml
+++ b/docs/_static/env-vars/proxy.yaml
@@ -181,6 +181,9 @@ oidc:
     disable_persistence: false
     username: ""
     password: ""
+    enable_tls: false
+    tls_insecure: false
+    tls_root_ca_certificate: ""
   jwks:
     refresh_interval: 60
     refresh_timeout: 10
@@ -220,6 +223,9 @@ pre_signed_url:
     disable_persistence: true
     username: ""
     password: ""
+    enable_tls: false
+    tls_insecure: false
+    tls_root_ca_certificate: ""
 account_backend: cs3
 user_oidc_claim: preferred_username
 user_cs3_claim: username
diff --git a/docs/_static/env-vars/proxy_configvars.md b/docs/_static/env-vars/proxy_configvars.md
index aac765c9..91ab670d 100644
--- a/docs/_static/env-vars/proxy_configvars.md
+++ b/docs/_static/env-vars/proxy_configvars.md
@@ -23,10 +23,13 @@
 |`OC_CACHE_STORE_NODES`<br/>`PROXY_OIDC_USERINFO_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`|
 |`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`cache-userinfo`|
 |`PROXY_OIDC_USERINFO_CACHE_TABLE`| 1.0.0 |string|`The database table the store should use.`|``|
-|`OC_CACHE_TTL`<br/>`PROXY_OIDC_USERINFO_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the user info cache. This value is only applied when the token expiration cannot be extracted from the access tokens (e.g. when non-JWT access tokes are used). See the Environment Variable Types description for more details.`|`10s`|
+|`OC_CACHE_TTL`<br/>`PROXY_OIDC_USERINFO_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|`10s`|
 |`OC_CACHE_DISABLE_PERSISTENCE`<br/>`PROXY_OIDC_USERINFO_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`|
 |`OC_CACHE_AUTH_USERNAME`<br/>`PROXY_OIDC_USERINFO_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``|
 |`OC_CACHE_AUTH_PASSWORD`<br/>`PROXY_OIDC_USERINFO_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_CACHE_ENABLE_TLS`<br/>`PROXY_OIDC_USERINFO_CACHE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`|
+|`OC_INSECURE`<br/>`OC_CACHE_TLS_INSECURE`<br/>`PROXY_OIDC_USERINFO_CACHE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`<br/>`PROXY_OIDC_USERINFO_CACHE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided PROXY_OIDC_USERINFO_CACHE_TLS_INSECURE will be seen as false.`|``|
 |`PROXY_OIDC_JWKS_REFRESH_INTERVAL`| 1.0.0 |uint64|`The interval for refreshing the JWKS (JSON Web Key Set) in minutes in the background via a new HTTP request to the IDP.`|`60`|
 |`PROXY_OIDC_JWKS_REFRESH_TIMEOUT`| 1.0.0 |uint64|`The timeout in seconds for an outgoing JWKS request.`|`10`|
 |`PROXY_OIDC_JWKS_REFRESH_RATE_LIMIT`| 1.0.0 |uint64|`Limits the rate in seconds at which refresh requests are performed for unknown keys. This is used to prevent malicious clients from imposing high network load on the IDP via OpenCloud.`|`60`|
@@ -43,6 +46,9 @@
 |`OC_CACHE_DISABLE_PERSISTENCE`<br/>`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the store. Only applies when store type 'nats-js-kv' is configured. Defaults to true.`|`true`|
 |`OC_CACHE_AUTH_USERNAME`<br/>`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
 |`OC_CACHE_AUTH_PASSWORD`<br/>`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_CACHE_ENABLE_TLS`<br/>`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`|
+|`OC_INSECURE`<br/>`OC_CACHE_TLS_INSECURE`<br/>`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`<br/>`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE will be seen as false.`|``|
 |`PROXY_ACCOUNT_BACKEND_TYPE`| 1.0.0 |string|`Account backend the PROXY service should use. Currently only 'cs3' is possible here.`|`cs3`|
 |`PROXY_USER_OIDC_CLAIM`| 1.0.0 |string|`The name of an OpenID Connect claim that is used for resolving users with the account backend. The value of the claim must hold a per user unique, stable and non re-assignable identifier. The availability of claims depends on your Identity Provider. There are common claims available for most Identity providers like 'email' or 'preferred_username' but you can also add your own claim.`|`preferred_username`|
 |`PROXY_USER_CS3_CLAIM`| 1.0.0 |string|`The name of a CS3 user attribute (claim) that should be mapped to the 'user_oidc_claim'. Supported values are 'username', 'mail' and 'userid'.`|`username`|
diff --git a/docs/_static/env-vars/settings.yaml b/docs/_static/env-vars/settings.yaml
index 8eed1467..e53233d2 100644
--- a/docs/_static/env-vars/settings.yaml
+++ b/docs/_static/env-vars/settings.yaml
@@ -53,6 +53,9 @@ metadata_config:
     disable_persistence: false
     username: ""
     password: ""
+    enable_tls: false
+    tls_insecure: false
+    tls_root_ca_certificate: ""
 bundles_path: ""
 admin_user_id: ""
 token_manager:
diff --git a/docs/_static/env-vars/settings_configvars.md b/docs/_static/env-vars/settings_configvars.md
index d082fadc..b252dcb3 100644
--- a/docs/_static/env-vars/settings_configvars.md
+++ b/docs/_static/env-vars/settings_configvars.md
@@ -31,6 +31,9 @@
 |`OC_CACHE_DISABLE_PERSISTENCE`<br/>`SETTINGS_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`|
 |`OC_CACHE_AUTH_USERNAME`<br/>`SETTINGS_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``|
 |`OC_CACHE_AUTH_PASSWORD`<br/>`SETTINGS_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_CACHE_ENABLE_TLS`<br/>`SETTINGS_CACHE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`|
+|`OC_INSECURE`<br/>`OC_CACHE_TLS_INSECURE`<br/>`SETTINGS_CACHE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`<br/>`SETTINGS_CACHE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided SETTINGS_CACHE_TLS_INSECURE will be seen as false.`|``|
 |`SETTINGS_BUNDLES_PATH`| 1.0.0 |string|`The path to a JSON file with a list of bundles. If not defined, the default bundles will be loaded.`|``|
 |`OC_ADMIN_USER_ID`<br/>`SETTINGS_ADMIN_USER_ID`| 1.0.0 |string|`ID of the user that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand.`|``|
 |`OC_JWT_SECRET`<br/>`SETTINGS_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``|
diff --git a/docs/_static/env-vars/storage-system.yaml b/docs/_static/env-vars/storage-system.yaml
index e37b5e95..85052491 100644
--- a/docs/_static/env-vars/storage-system.yaml
+++ b/docs/_static/env-vars/storage-system.yaml
@@ -33,6 +33,9 @@ cache:
   disable_persistence: false
   auth_username: ""
   auth_password: ""
+  enable_tls: false
+  tls_insecure: false
+  tls_root_ca_certificate: ""
 driver: decomposed
 drivers:
   decomposed:
diff --git a/docs/_static/env-vars/storage-system_configvars.md b/docs/_static/env-vars/storage-system_configvars.md
index 7e24afc4..8ad08ebb 100644
--- a/docs/_static/env-vars/storage-system_configvars.md
+++ b/docs/_static/env-vars/storage-system_configvars.md
@@ -25,6 +25,9 @@
 |`OC_CACHE_DISABLE_PERSISTENCE`<br/>`STORAGE_SYSTEM_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`|
 |`OC_CACHE_AUTH_USERNAME`<br/>`STORAGE_SYSTEM_CACHE_AUTH_USERNAME`| 1.0.0 |string|`Username for the configured store. Only applies when store type 'nats-js-kv' is configured.`|``|
 |`OC_CACHE_AUTH_PASSWORD`<br/>`STORAGE_SYSTEM_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`Password for the configured store. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_CACHE_ENABLE_TLS`<br/>`STORAGE_SYSTEM_CACHE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`|
+|`OC_INSECURE`<br/>`OC_CACHE_TLS_INSECURE`<br/>`STORAGE_SYSTEM_CACHE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`<br/>`STORAGE_SYSTEM_CACHE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_SYSTEM_CACHE_TLS_INSECURE will be seen as false.`|``|
 |`STORAGE_SYSTEM_DRIVER`| 1.0.0 |string|`The driver which should be used by the service. The only supported driver is 'decomposed'. For backwards compatibility reasons it's also possible to use the 'ocis' driver and configure it using the 'decomposed' options. `|`decomposed`|
 |`STORAGE_SYSTEM_OC_ROOT`| 1.0.0 |string|`Path for the directory where the STORAGE-SYSTEM service stores it's persistent data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage.`|`/var/lib/opencloud/storage/metadata`|
 |`STORAGE_SYSTEM_OC_MAX_ACQUIRE_LOCK_CYCLES`| 1.0.0 |int|`When trying to lock files, OpenCloud will try this amount of times to acquire the lock before failing. After each try it will wait for an increasing amount of time. Values of 0 or below will be ignored and the default value of 20 will be used.`|`20`|
diff --git a/docs/_static/env-vars/storage-users.yaml b/docs/_static/env-vars/storage-users.yaml
index 9fafb297..b17172a6 100644
--- a/docs/_static/env-vars/storage-users.yaml
+++ b/docs/_static/env-vars/storage-users.yaml
@@ -170,14 +170,21 @@ filemetadata_cache:
   disable_persistence: false
   username: ""
   password: ""
+  enable_tls: false
+  tls_insecure: false
+  tls_root_ca_certificate: ""
 id_cache:
   store: nats-js-kv
   nodes:
   - 127.0.0.1:9233
   database: ids-storage-users
+  ttl: 0s
   disable_persistence: false
   username: ""
   password: ""
+  enable_tls: false
+  tls_insecure: false
+  tls_root_ca_certificate: ""
 mount_id: ""
 expose_data_server: false
 readonly: false
diff --git a/docs/_static/env-vars/storage-users_configvars.md b/docs/_static/env-vars/storage-users_configvars.md
index d22339bd..8b6aa0d9 100644
--- a/docs/_static/env-vars/storage-users_configvars.md
+++ b/docs/_static/env-vars/storage-users_configvars.md
@@ -1,5 +1,5 @@
 
-2026-06-15-00-10-35
+2026-06-17-00-11-00
 
 ## Deprecation Notice
 
@@ -123,17 +123,24 @@
 |`OC_EVENTS_AUTH_PASSWORD`<br/>`STORAGE_USERS_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``|
 |`OC_CACHE_STORE`<br/>`STORAGE_USERS_FILEMETADATA_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`memory`|
 |`OC_CACHE_STORE_NODES`<br/>`STORAGE_USERS_FILEMETADATA_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`|
-|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`storage-users`|
+|`OC_CACHE_DATABASE`<br/>`STORAGE_USERS_FILEMETADATA_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`storage-users`|
 |`OC_CACHE_TTL`<br/>`STORAGE_USERS_FILEMETADATA_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|`24h0m0s`|
 |`OC_CACHE_DISABLE_PERSISTENCE`<br/>`STORAGE_USERS_FILEMETADATA_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`|
 |`OC_CACHE_AUTH_USERNAME`<br/>`STORAGE_USERS_FILEMETADATA_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.`|``|
 |`OC_CACHE_AUTH_PASSWORD`<br/>`STORAGE_USERS_FILEMETADATA_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_CACHE_ENABLE_TLS`<br/>`STORAGE_USERS_FILEMETADATA_CACHE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`|
+|`OC_INSECURE`<br/>`OC_CACHE_TLS_INSECURE`<br/>`STORAGE_USERS_FILEMETADATA_CACHE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`<br/>`STORAGE_USERS_FILEMETADATA_CACHE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_USERS_FILEMETADATA_CACHE_TLS_INSECURE will be seen as false.`|``|
 |`OC_CACHE_STORE`<br/>`STORAGE_USERS_ID_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`nats-js-kv`|
 |`OC_CACHE_STORE_NODES`<br/>`STORAGE_USERS_ID_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`|
 |`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`ids-storage-users`|
+|`OC_CACHE_TTL`<br/>`STORAGE_USERS_ID_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the user info cache. Only applied when access tokens have no expiration. Defaults to 300s which is derived from the underlaying package though not explicitly set as default. See the Environment Variable Types description for more details.`|`0s`|
 |`OC_CACHE_DISABLE_PERSISTENCE`<br/>`STORAGE_USERS_ID_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`|
 |`OC_CACHE_AUTH_USERNAME`<br/>`STORAGE_USERS_ID_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.`|``|
 |`OC_CACHE_AUTH_PASSWORD`<br/>`STORAGE_USERS_ID_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_CACHE_ENABLE_TLS`<br/>`STORAGE_USERS_ID_CACHE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`|
+|`OC_INSECURE`<br/>`OC_CACHE_TLS_INSECURE`<br/>`STORAGE_USERS_ID_CACHE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`<br/>`STORAGE_USERS_ID_CACHE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_USERS_ID_CACHE_TLS_INSECURE will be seen as false.`|``|
 |`STORAGE_USERS_MOUNT_ID`| 1.0.0 |string|`Mount ID of this storage.`|``|
 |`STORAGE_USERS_EXPOSE_DATA_SERVER`| 1.0.0 |bool|`Exposes the data server directly to users and bypasses the data gateway. Ensure that the data server address is reachable by users.`|`false`|
 |`STORAGE_USERS_READ_ONLY`| 1.0.0 |bool|`Set this storage to be read-only.`|`false`|
diff --git a/docs/_static/env-vars/userlog.yaml b/docs/_static/env-vars/userlog.yaml
index 8c6d40e2..756fa70d 100644
--- a/docs/_static/env-vars/userlog.yaml
+++ b/docs/_static/env-vars/userlog.yaml
@@ -51,6 +51,9 @@ persistence:
   ttl: 336h0m0s
   username: ""
   password: ""
+  enable_tls: false
+  tls_insecure: false
+  tls_root_ca_certificate: ""
 disable_sse: false
 global_notifications_secret: ""
 service_account:
diff --git a/docs/_static/env-vars/userlog_configvars.md b/docs/_static/env-vars/userlog_configvars.md
index 61fb334a..34ae372c 100644
--- a/docs/_static/env-vars/userlog_configvars.md
+++ b/docs/_static/env-vars/userlog_configvars.md
@@ -35,6 +35,9 @@
 |`OC_PERSISTENT_STORE_TTL`<br/>`USERLOG_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details.`|`336h0m0s`|
 |`OC_PERSISTENT_STORE_AUTH_USERNAME`<br/>`USERLOG_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
 |`OC_PERSISTENT_STORE_AUTH_PASSWORD`<br/>`USERLOG_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``|
+|`OC_PERSISTENT_STORE_ENABLE_TLS`<br/>`USERLOG_STORE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured.`|`false`|
+|`OC_INSECURE`<br/>`OC_PERSISTENT_STORE_TLS_INSECURE`<br/>`USERLOG_STORE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE`<br/>`USERLOG_STORE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided USERLOG_STORE_TLS_INSECURE will be seen as false.`|``|
 |`OC_DISABLE_SSE,USERLOG_DISABLE_SSE`| 1.0.0 |bool|`Disables server-sent events (sse). When disabled, clients will no longer receive sse notifications.`|`false`|
 |`USERLOG_GLOBAL_NOTIFICATIONS_SECRET`| 1.0.0 |string|`The secret to secure the global notifications endpoint. Only system admins and users knowing that secret can call the global notifications POST/DELETE endpoints.`|``|
 |`OC_SERVICE_ACCOUNT_ID`<br/>`USERLOG_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``|
diff --git a/docs/_static/env-vars/web_configvars.md b/docs/_static/env-vars/web_configvars.md
index aa2af893..0f1cb990 100644
--- a/docs/_static/env-vars/web_configvars.md
+++ b/docs/_static/env-vars/web_configvars.md
@@ -1,5 +1,5 @@
 
-2026-06-15-00-10-35
+2026-06-17-00-11-00
 
 ## Deprecation Notice