diff --git a/.github/workflows/backend_tests.yml b/.github/workflows/backend_tests.yml index f1d9a1c71..cc11adb63 100644 --- a/.github/workflows/backend_tests.yml +++ b/.github/workflows/backend_tests.yml @@ -78,12 +78,12 @@ jobs: - { python: "3.11", os: "ubuntu-latest", session: "docs-build" } env: - NOXSESSION: ${{ matrix.session }} - SPIFF_DATABASE_TYPE: ${{ matrix.database }} - FORCE_COLOR: "1" - PRE_COMMIT_COLOR: "always" - DB_PASSWORD: password FLASK_SESSION_SECRET_KEY: super_secret_key + FORCE_COLOR: "1" + NOXSESSION: ${{ matrix.session }} + PRE_COMMIT_COLOR: "always" + SPIFFWORKFLOW_BACKEND_DATABASE_PASSWORD: password + SPIFFWORKFLOW_BACKEND_DATABASE_TYPE: ${{ matrix.database }} steps: - name: Check out the repository diff --git a/.github/workflows/frontend_tests.yml b/.github/workflows/frontend_tests.yml index f4ec6360f..405b359c2 100644 --- a/.github/workflows/frontend_tests.yml +++ b/.github/workflows/frontend_tests.yml @@ -56,7 +56,7 @@ jobs: path: pr/ cypress-run: - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v3 @@ -88,7 +88,7 @@ jobs: working-directory: ./spiffworkflow-backend run: ./keycloak/bin/wait_for_keycloak 5 - name: Cypress run - uses: cypress-io/github-action@v4 + uses: cypress-io/github-action@v5 with: working-directory: ./spiffworkflow-frontend browser: chrome @@ -101,6 +101,7 @@ jobs: CYPRESS_RECORD_KEY: ${{ secrets.CYPRESS_RECORD_KEY }} # pass GitHub token to allow accurately detecting a build vs a re-run build GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + CYPRESS_SPIFFWORKFLOW_FRONTEND_AUTH_WITH_KEYCLOAK: "true" - name: get_backend_logs_from_docker_compose if: failure() working-directory: ./spiffworkflow-backend diff --git a/.github/workflows/release_builds.yml b/.github/workflows/release_builds.yml index ef1c3b992..d2154ddb4 100644 --- a/.github/workflows/release_builds.yml +++ b/.github/workflows/release_builds.yml 
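Review bot: `uses: cypress-io/github-action@v5` in the `cypress-run` job of frontend_tests.yml (the -88 hunk) references the action by a movable tag, and the env block in the following hunk hands that step `CYPRESS_RECORD_KEY` and `GITHUB_TOKEN`. Whoever can move the tag decides what code sees those secrets, so pin the action to a reviewed commit and keep the version as a comment: `uses: cypress-io/github-action@<FULL_COMMIT_SHA> # v5`. The same applies to the `actions/checkout@v3` and `cypress-io/github-action@v5` steps of the new `quickstart-guide-test` job in release_builds.yml. The move to `runs-on: ubuntu-latest` in the -56 hunk likewise swaps a fixed runner image for a floating one, which is acceptable for tests but should be a deliberate choice.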
@@ -115,3 +115,32 @@ jobs: push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + + quickstart-guide-test: + runs-on: ubuntu-latest + needs: [create_frontend_docker_container, create_backend_docker_container, create_demo-proxy] + steps: + - name: Checkout + uses: actions/checkout@v3 + - name: Setup Apps + run: ./bin/run_arena_with_docker_compose + - name: wait_for_backend + working-directory: ./spiffworkflow-backend + run: ./bin/wait_for_server_to_be_up 5 8000 + - name: wait_for_frontend + working-directory: ./spiffworkflow-frontend + run: ./bin/wait_for_frontend_to_be_up 5 8001 + - name: Cypress run + uses: cypress-io/github-action@v5 + with: + working-directory: ./spiffworkflow-frontend + browser: chrome + # just run one test to make sure we didn't completely break it + spec: cypress/e2e/process_groups.cy.js + env: + # pass GitHub token to allow accurately detecting a build vs a re-run build + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + CYPRESS_SPIFFWORKFLOW_FRONTEND_AUTH_WITH_KEYCLOAK: "false" + CYPRESS_SPIFFWORKFLOW_FRONTEND_USERNAME: "admin" + CYPRESS_SPIFFWORKFLOW_FRONTEND_PASSWORD: "admin" + SPIFFWORKFLOW_FRONTEND_PORT: 8001 diff --git a/bin/run_arena_with_docker_compose b/bin/run_arena_with_docker_compose new file mode 100755 index 000000000..8a479a3ac --- /dev/null +++ b/bin/run_arena_with_docker_compose @@ -0,0 +1,14 @@ +#!/usr/bin/env bash + +function error_handler() { + >&2 echo "Exited with BAD EXIT CODE '${2}' in ${0} script at line: ${1}." + exit "$2" +} +trap 'error_handler ${LINENO} $?' ERR +set -o errtrace -o errexit -o nounset -o pipefail + +mkdir -p spiffworkflow +cd spiffworkflow +wget https://raw.githubusercontent.com/sartography/spiff-arena/main/docker-compose.yml +docker compose pull +docker compose up -d diff --git a/docker-compose.yml b/docker-compose.yml index 31e348b51..95b87b393 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
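Review bot: The new `quickstart-guide-test` job passes `GITHUB_TOKEN` to a third-party action but declares no `permissions:`, so the token carries whatever scopes the workflow or repository default grants. The context above shows this workflow pushing images (`push: true`), which suggests write scopes, though the workflow-level settings are outside this hunk. The job only checks out code and runs one Cypress spec, so add `permissions:` with `contents: read` under `runs-on`. The `admin`/`admin` Cypress credentials are fine for a throwaway compose stack, but a comment marking them as quickstart defaults would keep them from being copied elsewhere.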
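Review bot: `wget https://raw.githubusercontent.com/sartography/spiff-arena/main/docker-compose.yml` fetches the compose file from the tip of `main` with no integrity check, and `docker compose pull` / `docker compose up -d` then run whatever images that file names. In the release workflow this means the job exercises `main` rather than the commit being released, even though the checkout step has already put that commit's docker-compose.yml on disk. Consider using the checked-out file when it exists, or pinning the URL to a tag or commit (`.../spiff-arena/<TAG_OR_COMMIT>/docker-compose.yml`). Also add `-O docker-compose.yml`: on a second run in the same directory wget saves `docker-compose.yml.1` and compose keeps using the stale copy.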
@@ -7,9 +7,9 @@ services: condition: service_healthy environment: APPLICATION_ROOT: "/" - PORT0: "${SPIFF_FRONTEND_PORT:-8001}" + PORT0: "${SPIFFWORKFLOW_FRONTEND_PORT:-8001}" ports: - - "${SPIFF_FRONTEND_PORT:-8001}:${SPIFF_FRONTEND_PORT:-8001}/tcp" + - "${SPIFFWORKFLOW_FRONTEND_PORT:-8001}:${SPIFFWORKFLOW_FRONTEND_PORT:-8001}/tcp" spiffworkflow-backend: container_name: spiffworkflow-backend 
@@ -18,24 +18,25 @@ services: spiffworkflow-db: condition: service_healthy environment: - APPLICATION_ROOT: "/" + SPIFFWORKFLOW_BACKEND_APPLICATION_ROOT: "/" SPIFFWORKFLOW_BACKEND_ENV: "local_development" FLASK_DEBUG: "0" FLASK_SESSION_SECRET_KEY: "${FLASK_SESSION_SECRET_KEY:-super_secret_key}" - OPEN_ID_SERVER_URL: "http://localhost:${SPIFF_BACKEND_PORT:-8000}/openid" - SPIFFWORKFLOW_FRONTEND_URL: "http://localhost:${SPIFF_FRONTEND_PORT:-8001}" # WARNING: Frontend is a static site which assumes frontend port - 1 on localhost. SPIFFWORKFLOW_BACKEND_URL: "http://localhost:${SPIFF_BACKEND_PORT:-8000}" - SPIFFWORKFLOW_BACKEND_PORT: "${SPIFF_BACKEND_PORT:-8000}" - SPIFFWORKFLOW_BACKEND_UPGRADE_DB: "true" + + SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR: "/app/process_models" + SPIFFWORKFLOW_BACKEND_CONNECTOR_PROXY_URL: "http://spiffworkflow-connector:8004" SPIFFWORKFLOW_BACKEND_DATABASE_URI: "mysql+mysqlconnector://root:${SPIFF_MYSQL_PASS:-my-secret-pw}@spiffworkflow-db:${SPIFF_MYSQL_PORT:-8003}/spiffworkflow_backend_development" - BPMN_SPEC_ABSOLUTE_DIR: "/app/process_models" SPIFFWORKFLOW_BACKEND_LOAD_FIXTURE_DATA: "false" + SPIFFWORKFLOW_BACKEND_OPEN_ID_CLIENT_ID: "spiffworkflow-backend" + SPIFFWORKFLOW_BACKEND_OPEN_ID_CLIENT_SECRET_KEY: "my_open_id_secret_key" + SPIFFWORKFLOW_BACKEND_OPEN_ID_SERVER_URL: "http://localhost:${SPIFF_BACKEND_PORT:-8000}/openid" SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME: "example.yml" - RUN_BACKGROUND_SCHEDULER: "true" - OPEN_ID_CLIENT_ID: "spiffworkflow-backend" - OPEN_ID_CLIENT_SECRET_KEY: "my_open_id_secret_key" - CONNECTOR_PROXY_URL: "http://spiffworkflow-connector:8004" + SPIFFWORKFLOW_BACKEND_PORT: "${SPIFF_BACKEND_PORT:-8000}" + SPIFFWORKFLOW_BACKEND_RUN_BACKGROUND_SCHEDULER: "true" + SPIFFWORKFLOW_BACKEND_UPGRADE_DB: "true" + SPIFFWORKFLOW_BACKEND_URL_FOR_FRONTEND: "http://localhost:${SPIFFWORKFLOW_FRONTEND_PORT:-8001}" ports: - "${SPIFF_BACKEND_PORT:-8000}:${SPIFF_BACKEND_PORT:-8000}/tcp" volumes: 
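Review bot: `SPIFFWORKFLOW_BACKEND_OPEN_ID_CLIENT_SECRET_KEY: "my_open_id_secret_key"` is a fixed literal in the compose file that bin/run_arena_with_docker_compose downloads for quickstart users, so every such install shares one client secret and cannot override it from the environment. The neighbouring `FLASK_SESSION_SECRET_KEY` and database password at least accept an override; this line should follow the same pattern: `SPIFFWORKFLOW_BACKEND_OPEN_ID_CLIENT_SECRET_KEY: "${SPIFFWORKFLOW_BACKEND_OPEN_ID_CLIENT_SECRET_KEY:-my_open_id_secret_key}"`. Because the `ports:` entries publish without a host address, a comment above `environment:` stating that these defaults are for local evaluation only would help. As a style point, the hunk renames `SPIFF_FRONTEND_PORT` but leaves `SPIFF_BACKEND_PORT`, `SPIFF_MYSQL_PASS` and `SPIFF_MYSQL_PORT` on the old prefix.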
diff --git a/spiffworkflow-backend/bin/boot_server_in_docker b/spiffworkflow-backend/bin/boot_server_in_docker index c0b233a8f..2976e27d8 100755 --- a/spiffworkflow-backend/bin/boot_server_in_docker +++ b/spiffworkflow-backend/bin/boot_server_in_docker @@ -10,12 +10,12 @@ set -o errtrace -o errexit -o nounset -o pipefail # run migrations export FLASK_APP=/app/src/spiffworkflow_backend -if [[ "${WAIT_FOR_DB_TO_BE_READY:-}" == "true" ]]; then +if [[ "${SPIFFWORKFLOW_BACKEND_WAIT_FOR_DB_TO_BE_READY:-}" == "true" ]]; then echo 'Waiting for db to be ready...' poetry run python ./bin/wait_for_db_to_be_ready.py fi -if [[ "${DOWNGRADE_DB:-}" == "true" ]]; then +if [[ "${SPIFFWORKFLOW_BACKEND_DOWNGRADE_DB:-}" == "true" ]]; then echo 'Downgrading database...' poetry run flask db downgrade fi @@ -40,8 +40,8 @@ fi additional_args="" -if [[ "${APPLICATION_ROOT:-}" != "/" ]]; then - additional_args="${additional_args} -e SCRIPT_NAME=${APPLICATION_ROOT}" +if [[ "${SPIFFWORKFLOW_BACKEND_APPLICATION_ROOT:-}" != "/" ]]; then + additional_args="${additional_args} -e SCRIPT_NAME=${SPIFFWORKFLOW_BACKEND_APPLICATION_ROOT}" fi # HACK: if loading fixtures for acceptance tests when we do not need multiple workers @@ -56,8 +56,8 @@ if [[ "${SPIFFWORKFLOW_BACKEND_RUN_DATA_SETUP:-}" != "false" ]]; then fi # Assure that the the Process Models Directory is initialized as a git repo -git init "${BPMN_SPEC_ABSOLUTE_DIR}" -git config --global --add safe.directory "${BPMN_SPEC_ABSOLUTE_DIR}" +git init "${SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR}" +git config --global --add safe.directory "${SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR}" export IS_GUNICORN="true" # THIS MUST BE THE LAST COMMAND! diff --git a/spiffworkflow-backend/bin/build_and_run_with_docker_compose b/spiffworkflow-backend/bin/build_and_run_with_docker_compose index c986e3941..58fd61f04 100755 --- a/spiffworkflow-backend/bin/build_and_run_with_docker_compose +++ b/spiffworkflow-backend/bin/build_and_run_with_docker_compose 
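Review bot: With `set -o nounset` active, the -40 hunk aborts when `SPIFFWORKFLOW_BACKEND_APPLICATION_ROOT` is unset: the test `"${...:-}" != "/"` is true for an empty value, and the unguarded `${SPIFFWORKFLOW_BACKEND_APPLICATION_ROOT}` on the next line then trips nounset. After this rename that is exactly the state of any deployment that still exports only `APPLICATION_ROOT`. Guard on non-empty first: `if [[ -n "${SPIFFWORKFLOW_BACKEND_APPLICATION_ROOT:-}" && "${SPIFFWORKFLOW_BACKEND_APPLICATION_ROOT}" != "/" ]]; then`. The `git init "${SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR}"` line in the -56 hunk has the same unset-variable failure; putting `: "${SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR:?must be set}"` before it would give a clear message instead.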
@@ -7,8 +7,8 @@ function error_handler() { trap 'error_handler ${LINENO} $?' ERR set -o errtrace -o errexit -o nounset -o pipefail -BPMN_SPEC_ABSOLUTE_DIR=$(./bin/find_sample_process_models) -export BPMN_SPEC_ABSOLUTE_DIR +SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR=$(./bin/find_sample_process_models) +export SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR if [[ -z "${SPIFFWORKFLOW_BACKEND_DOCKER_COMPOSE_PROFILE:-}" ]]; then export SPIFFWORKFLOW_BACKEND_DOCKER_COMPOSE_PROFILE=run diff --git a/spiffworkflow-backend/bin/deploy b/spiffworkflow-backend/bin/deploy index 466bb6d14..ebfd9a553 100755 --- a/spiffworkflow-backend/bin/deploy +++ b/spiffworkflow-backend/bin/deploy @@ -31,16 +31,16 @@ if [[ -z "${SPIFFWORKFLOW_BACKEND_DOCKER_COMPOSE_PROFILE:-}" ]]; then export SPIFFWORKFLOW_BACKEND_DOCKER_COMPOSE_PROFILE=run fi -if [[ -z "${SPIFFWORKFLOW_FRONTEND_URL:-}" ]]; then - export SPIFFWORKFLOW_FRONTEND_URL='http://167.172.242.138:7001' +if [[ -z "${SPIFFWORKFLOW_BACKEND_URL_FOR_FRONTEND:-}" ]]; then + export SPIFFWORKFLOW_BACKEND_URL_FOR_FRONTEND='http://167.172.242.138:7001' fi if [[ -z "${SPIFFWORKFLOW_BACKEND_URL:-}" ]]; then export SPIFFWORKFLOW_BACKEND_URL='http://167.172.242.138:7000' fi -if [[ -z "${OPEN_ID_SERVER_URL:-}" ]]; then - export OPEN_ID_SERVER_URL='http://167.172.242.138:7002' +if [[ -z "${SPIFFWORKFLOW_BACKEND_OPEN_ID_SERVER_URL:-}" ]]; then + export SPIFFWORKFLOW_BACKEND_OPEN_ID_SERVER_URL='http://167.172.242.138:7002' fi git pull diff --git a/spiffworkflow-backend/bin/find_sample_process_models b/spiffworkflow-backend/bin/find_sample_process_models index 525996399..ead42ca0b 100755 --- a/spiffworkflow-backend/bin/find_sample_process_models +++ b/spiffworkflow-backend/bin/find_sample_process_models 
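Review bot: The fallbacks in the bin/deploy hunk (-31) point `SPIFFWORKFLOW_BACKEND_OPEN_ID_SERVER_URL`, `SPIFFWORKFLOW_BACKEND_URL_FOR_FRONTEND` and `SPIFFWORKFLOW_BACKEND_URL` at a hard-coded address over plain `http://`, so a deploy that forgets to set them sends OpenID traffic unencrypted to a host baked into the script. For a deploy script it is safer to fail than to default: replace each `if [[ -z ... ]]` block with a required-variable check such as `: "${SPIFFWORKFLOW_BACKEND_OPEN_ID_SERVER_URL:?set to the https URL of the identity provider}"`. If the address is a known staging host, say so in a comment and move it to an environment-specific file.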
@@ -7,19 +7,19 @@ function error_handler() { trap 'error_handler ${LINENO} $?' ERR set -o errtrace -o errexit -o nounset -o pipefail -if [[ -z "${BPMN_SPEC_ABSOLUTE_DIR:-}" ]]; then +if [[ -z "${SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR:-}" ]]; then script_dir="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )" - BPMN_SPEC_ABSOLUTE_DIR="${script_dir}/../../../sample-process-models" - if [[ ! -d "$BPMN_SPEC_ABSOLUTE_DIR" ]]; then - BPMN_SPEC_ABSOLUTE_DIR="${script_dir}/../../sample-process-models" - if [[ ! -d "$BPMN_SPEC_ABSOLUTE_DIR" ]]; then - >&2 echo "ERROR: Could not find a location for the sample processes. Last tried: $BPMN_SPEC_ABSOLUTE_DIR" + SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR="${script_dir}/../../../sample-process-models" + if [[ ! -d "$SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR" ]]; then + SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR="${script_dir}/../../sample-process-models" + if [[ ! -d "$SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR" ]]; then + >&2 echo "ERROR: Could not find a location for the sample processes. Last tried: $SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR" exit 1 fi fi - pushd "$BPMN_SPEC_ABSOLUTE_DIR" >/dev/null 2>&1 + pushd "$SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR" >/dev/null 2>&1 if [[ "$(git rev-parse --abbrev-ref HEAD)" == "main" ]]; then >&2 echo "ERROR: please do not use the main branch of sample-process-models. use dev" exit 1 @@ -27,4 +27,4 @@ if [[ -z "${BPMN_SPEC_ABSOLUTE_DIR:-}" ]]; then popd >/dev/null 2>&1 fi -realpath "$BPMN_SPEC_ABSOLUTE_DIR" +realpath "$SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR" diff --git a/spiffworkflow-backend/bin/get_bpmn_json_for_process_instance b/spiffworkflow-backend/bin/get_bpmn_json_for_process_instance index 3cfedccc1..d4e3d8ed0 100644 --- a/spiffworkflow-backend/bin/get_bpmn_json_for_process_instance +++ b/spiffworkflow-backend/bin/get_bpmn_json_for_process_instance 
@@ -9,8 +9,8 @@ from spiffworkflow_backend.models.process_instance import ProcessInstanceModel def main(process_instance_id: str): """Main.""" os.environ["SPIFFWORKFLOW_BACKEND_ENV"] = "local_development" - if os.environ.get("BPMN_SPEC_ABSOLUTE_DIR") is None: - os.environ["BPMN_SPEC_ABSOLUTE_DIR"] = "hey" + if os.environ.get("SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR") is None: + os.environ["SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR"] = "hey" flask_env_key = "FLASK_SESSION_SECRET_KEY" os.environ[flask_env_key] = "whatevs" app = create_app() diff --git a/spiffworkflow-backend/bin/git_commit_bpmn_models_repo b/spiffworkflow-backend/bin/git_commit_bpmn_models_repo index 3a2e01504..b475427a7 100755 --- a/spiffworkflow-backend/bin/git_commit_bpmn_models_repo +++ b/spiffworkflow-backend/bin/git_commit_bpmn_models_repo @@ -21,8 +21,8 @@ if [[ -z "${5:-}" ]]; then exit 1 fi -if [[ -z "$git_commit_password" && -z "${GIT_SSH_PRIVATE_KEY:-}" ]]; then - >&2 echo "ERROR: A git password or GIT_SSH_PRIVATE_KEY must be provided" +if [[ -z "$git_commit_password" && -z "${SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY:-}" ]]; then + >&2 echo "ERROR: A git password or SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY must be provided" exit 1 fi @@ -43,10 +43,10 @@ function run() { git config --local user.name "$git_commit_username" git config --local user.email "$git_commit_email" - if [[ -n "${GIT_SSH_PRIVATE_KEY:-}" ]]; then + if [[ -n "${SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY:-}" ]]; then tmpfile=$(mktemp /tmp/tmp_git.XXXXXX) chmod 600 "$tmpfile" - echo "$GIT_SSH_PRIVATE_KEY" >"$tmpfile" + echo "$SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY" >"$tmpfile" export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i ${tmpfile} -F /dev/null" else PAT="${git_commit_username}:${git_commit_password}" 
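Review bot: The `GIT_SSH_COMMAND` built in the -43 hunk of git_commit_bpmn_models_repo sets `-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no`, so the push authenticates with `SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY` to whatever host answers, with no host-key verification. Ship a known_hosts file holding the git server's key and use `-o UserKnownHostsFile=<PINNED_KNOWN_HOSTS_PATH> -o StrictHostKeyChecking=yes` instead. The key written to `$tmpfile` is also not removed in the lines visible here or in the -57 hunk; a `trap 'rm -f "$tmpfile"' EXIT` right after `mktemp` would cover every exit path, though `run()` continues outside these hunks. Writing the key with `printf '%s\n' "$SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY" >"$tmpfile"` avoids `echo` interpreting a leading `-`.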
@@ -57,7 +57,7 @@ function run() { git commit -m "$git_commit_message" git push --set-upstream origin "$git_branch" - if [[ -z "${GIT_SSH_PRIVATE_KEY:-}" ]]; then + if [[ -z "${SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY:-}" ]]; then git config --unset --local http.extraHeader fi fi diff --git a/spiffworkflow-backend/bin/recreate_db b/spiffworkflow-backend/bin/recreate_db index 8a4e4b5a9..8a78a9b8c 100755 --- a/spiffworkflow-backend/bin/recreate_db +++ b/spiffworkflow-backend/bin/recreate_db @@ -9,18 +9,18 @@ set -o errtrace -o errexit -o nounset -o pipefail export FLASK_SESSION_SECRET_KEY="this_is_recreate_db_secret_key" -if [[ -z "${BPMN_SPEC_ABSOLUTE_DIR:-}" ]]; then +if [[ -z "${SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR:-}" ]]; then script_dir="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )" - BPMN_SPEC_ABSOLUTE_DIR="${script_dir}/../../../sample-process-models" - if [[ ! -d "$BPMN_SPEC_ABSOLUTE_DIR" ]]; then - BPMN_SPEC_ABSOLUTE_DIR="${script_dir}/../../sample-process-models" - if [[ ! -d "$BPMN_SPEC_ABSOLUTE_DIR" ]]; then - >&2 echo "ERROR: Could not find a location for the sample processes. Last tried: $BPMN_SPEC_ABSOLUTE_DIR" + SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR="${script_dir}/../../../sample-process-models" + if [[ ! -d "$SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR" ]]; then + SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR="${script_dir}/../../sample-process-models" + if [[ ! -d "$SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR" ]]; then + >&2 echo "ERROR: Could not find a location for the sample processes. Last tried: $SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR" exit 1 fi fi - export BPMN_SPEC_ABSOLUTE_DIR + export SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR fi tasks="" 
@@ -40,7 +40,7 @@ if [[ "${1:-}" == "clean" ]]; then # TODO: check to see if the db already exists and we can connect to it. also actually clean it up. # start postgres in background with one db - if [[ "${SPIFF_DATABASE_TYPE:-}" == "postgres" ]]; then + if [[ "${SPIFFWORKFLOW_BACKEND_DATABASE_TYPE:-}" == "postgres" ]]; then if ! docker exec -it postgres-spiff psql -U spiffworkflow_backend spiffworkflow_backend_testing -c "select 1"; then docker run --name postgres-spiff -p 5432:5432 -e POSTGRES_PASSWORD=spiffworkflow_backend -e POSTGRES_USER=spiffworkflow_backend -e POSTGRES_DB=spiffworkflow_backend_testing -d postgres sleep 4 # classy diff --git a/spiffworkflow-backend/bin/run_server_locally b/spiffworkflow-backend/bin/run_server_locally index 213a4f396..d27ddf3b0 100755 --- a/spiffworkflow-backend/bin/run_server_locally +++ b/spiffworkflow-backend/bin/run_server_locally @@ -17,11 +17,11 @@ if [[ -z "${SPIFFWORKFLOW_BACKEND_ENV:-}" ]]; then export SPIFFWORKFLOW_BACKEND_ENV=local_development fi -BPMN_SPEC_ABSOLUTE_DIR=$(./bin/find_sample_process_models) -export BPMN_SPEC_ABSOLUTE_DIR +SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR=$(./bin/find_sample_process_models) +export SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR export FLASK_SESSION_SECRET_KEY=super_secret_key -export APPLICATION_ROOT="/" +export SPIFFWORKFLOW_BACKEND_APPLICATION_ROOT="/" if [[ -n "${SPIFFWORKFLOW_BACKEND_LOAD_FIXTURE_DATA:-}" ]]; then ./bin/boot_server_in_docker 
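Review bot: The `docker run ... -p 5432:5432` line in the recreate_db hunk (-40) publishes the test Postgres on every host interface with a password equal to the user name. Binding to loopback keeps it reachable for the tests only: `-p 127.0.0.1:5432:5432`. `docker exec -it` also requires a TTY, so in CI the probe presumably always fails and falls through to `docker run`; dropping `-it` would make the existence check meaningful there.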
@@ -29,13 +29,13 @@ else export FLASK_DEBUG=1 if [[ "${SPIFFWORKFLOW_BACKEND_RUN_DATA_SETUP:-}" != "false" ]]; then - RUN_BACKGROUND_SCHEDULER=false SPIFFWORKFLOW_BACKEND_FAIL_ON_INVALID_PROCESS_MODELS=false poetry run python bin/save_all_bpmn.py + SPIFFWORKFLOW_BACKEND_RUN_BACKGROUND_SCHEDULER=false SPIFFWORKFLOW_BACKEND_FAIL_ON_INVALID_PROCESS_MODELS=false poetry run python bin/save_all_bpmn.py fi - if [[ -z "${RUN_BACKGROUND_SCHEDULER:-}" ]]; then - RUN_BACKGROUND_SCHEDULER=true + if [[ -z "${SPIFFWORKFLOW_BACKEND_RUN_BACKGROUND_SCHEDULER:-}" ]]; then + SPIFFWORKFLOW_BACKEND_RUN_BACKGROUND_SCHEDULER=true fi # this line blocks - RUN_BACKGROUND_SCHEDULER="${RUN_BACKGROUND_SCHEDULER}" FLASK_APP=src/spiffworkflow_backend poetry run flask run -p 7000 + SPIFFWORKFLOW_BACKEND_RUN_BACKGROUND_SCHEDULER="${SPIFFWORKFLOW_BACKEND_RUN_BACKGROUND_SCHEDULER}" FLASK_APP=src/spiffworkflow_backend poetry run flask run -p 7000 fi diff --git a/spiffworkflow-backend/bin/save_to_secrets_from_file b/spiffworkflow-backend/bin/save_to_secrets_from_file index 5a28c66aa..5fa1b0bd2 100644 --- a/spiffworkflow-backend/bin/save_to_secrets_from_file +++ b/spiffworkflow-backend/bin/save_to_secrets_from_file @@ -11,8 +11,8 @@ from spiffworkflow_backend.services.secret_service import SecretService def main(env_file: str): """Main.""" os.environ["SPIFFWORKFLOW_BACKEND_ENV"] = "local_development" - if os.environ.get("BPMN_SPEC_ABSOLUTE_DIR") is None: - os.environ["BPMN_SPEC_ABSOLUTE_DIR"] = "hey" + if os.environ.get("SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR") is None: + os.environ["SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR"] = "hey" flask_env_key = "FLASK_SESSION_SECRET_KEY" os.environ[flask_env_key] = "whatevs" app = create_app() diff --git a/spiffworkflow-backend/bin/wait_for_server_to_be_up b/spiffworkflow-backend/bin/wait_for_server_to_be_up index 4c845613f..04cff3aa5 100755 --- a/spiffworkflow-backend/bin/wait_for_server_to_be_up +++ b/spiffworkflow-backend/bin/wait_for_server_to_be_up 
@@ -7,14 +7,12 @@ function error_handler() { trap 'error_handler ${LINENO} $?' ERR set -o errtrace -o errexit -o nounset -o pipefail -max_attempts="${1:-}" -if [[ -z "$max_attempts" ]]; then - max_attempts=100 -fi +max_attempts="${1:-100}" +port="${2:-7000}" echo "waiting for backend to come up..." attempts=0 -while [[ "$(curl -s -o /dev/null -w '%{http_code}' http://localhost:7000/v1.0/status)" != "200" ]]; do +while [[ "$(curl -s -o /dev/null -w '%{http_code}' "http://localhost:${port}/v1.0/status")" != "200" ]]; do if [[ "$attempts" -gt "$max_attempts" ]]; then >&2 echo "ERROR: Server not up after $max_attempts attempts. There is probably a problem" exit 1 @@ -22,3 +20,4 @@ while [[ "$(curl -s -o /dev/null -w '%{http_code}' http://localhost:7000/v1.0/st attempts=$(( attempts + 1 )) sleep 1 done +echo "backend up" diff --git a/spiffworkflow-backend/docker-compose.yml b/spiffworkflow-backend/docker-compose.yml index 4ec1028f9..8fe552812 100644 --- a/spiffworkflow-backend/docker-compose.yml +++ b/spiffworkflow-backend/docker-compose.yml 
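Review bot: The `curl` probe in the wait loop has no timeout, so `max_attempts` bounds the number of tries but not the wall-clock time, and a connection that is accepted but never answered stalls the job until the runner's own limit. Add a per-request limit: `curl --max-time 5 -s -o /dev/null -w '%{http_code}' "http://localhost:${port}/v1.0/status"`. The new `port` argument is interpolated into the URL unchecked; a guard such as `[[ "$port" =~ ^[0-9]+$ ]] || { >&2 echo "ERROR: port must be numeric"; exit 1; }` keeps a typo from producing a confusing failure. Both remarks apply equally to keycloak/bin/wait_for_keycloak, which receives the same change.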
@@ -50,25 +50,25 @@ services: build: context: . environment: - - APPLICATION_ROOT=/ - - SPIFFWORKFLOW_BACKEND_ENV=${SPIFFWORKFLOW_BACKEND_ENV:-local_development} - FLASK_DEBUG=0 - FLASK_SESSION_SECRET_KEY=${FLASK_SESSION_SECRET_KEY:-super_secret_key} - - OPEN_ID_SERVER_URL=${OPEN_ID_SERVER_URL:-http://localhost:7002/realms/spiffworkflow} - - SPIFFWORKFLOW_FRONTEND_URL=${SPIFFWORKFLOW_FRONTEND_URL:-http://localhost:7001} - - SPIFFWORKFLOW_BACKEND_URL=${SPIFFWORKFLOW_BACKEND_URL:-http://localhost:7000} - - SPIFFWORKFLOW_BACKEND_PORT=7000 - - SPIFFWORKFLOW_BACKEND_UPGRADE_DB=true + - SPIFFWORKFLOW_BACKEND_APPLICATION_ROOT=/ + - SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR=/app/process_models - SPIFFWORKFLOW_BACKEND_DATABASE_URI=mysql+mysqlconnector://root:${SPIFFWORKFLOW_BACKEND_MYSQL_ROOT_DATABASE:-my-secret-pw}@localhost:7003/${SPIFFWORKFLOW_BACKEND_DATABASE_NAME:-spiffworkflow_backend_development} - - BPMN_SPEC_ABSOLUTE_DIR=/app/process_models + - SPIFFWORKFLOW_BACKEND_ENV=${SPIFFWORKFLOW_BACKEND_ENV:-local_development} - SPIFFWORKFLOW_BACKEND_LOAD_FIXTURE_DATA=${SPIFFWORKFLOW_BACKEND_LOAD_FIXTURE_DATA:-false} + - SPIFFWORKFLOW_BACKEND_OPEN_ID_SERVER_URL=${SPIFFWORKFLOW_BACKEND_OPEN_ID_SERVER_URL:-http://localhost:7002/realms/spiffworkflow} - SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME=${SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME:-acceptance_tests.yml} - - RUN_BACKGROUND_SCHEDULER=true + - SPIFFWORKFLOW_BACKEND_PORT=7000 + - SPIFFWORKFLOW_BACKEND_RUN_BACKGROUND_SCHEDULER=true + - SPIFFWORKFLOW_BACKEND_URL_FOR_FRONTEND=${SPIFFWORKFLOW_BACKEND_URL_FOR_FRONTEND:-http://localhost:7001} + - SPIFFWORKFLOW_BACKEND_UPGRADE_DB=true + - SPIFFWORKFLOW_BACKEND_URL=${SPIFFWORKFLOW_BACKEND_URL:-http://localhost:7000} ports: - "7000:7000" network_mode: host volumes: - - ${BPMN_SPEC_ABSOLUTE_DIR:-../../sample-process-models}:/app/process_models + - ${SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR:-../../sample-process-models}:/app/process_models - ./log:/app/log healthcheck: test: 
curl localhost:7000/v1.0/status --fail @@ -82,7 +82,7 @@ services: profiles: - debug volumes: - - ${BPMN_SPEC_ABSOLUTE_DIR:-../../sample-process-models}:/app/process_models + - ${SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR:-../../sample-process-models}:/app/process_models - ./:/app command: /app/bin/boot_in_docker_debug_mode diff --git a/spiffworkflow-backend/keycloak/bin/wait_for_keycloak b/spiffworkflow-backend/keycloak/bin/wait_for_keycloak index d70184650..1002fb676 100755 --- a/spiffworkflow-backend/keycloak/bin/wait_for_keycloak +++ b/spiffworkflow-backend/keycloak/bin/wait_for_keycloak @@ -7,14 +7,12 @@ function error_handler() { trap 'error_handler ${LINENO} $?' ERR set -o errtrace -o errexit -o nounset -o pipefail -max_attempts="${1:-}" -if [[ -z "$max_attempts" ]]; then - max_attempts=100 -fi +max_attempts="${1:-100}" +port="${2:-7002}" -echo "waiting for backend to come up..." +echo "waiting for keycloak to come up..." attempts=0 -while [[ "$(curl -s -o /dev/null -w '%{http_code}' http://localhost:7002/realms/master/.well-known/openid-configuration)" != "200" ]]; do +while [[ "$(curl -s -o /dev/null -w '%{http_code}' "http://localhost:${port}/realms/master/.well-known/openid-configuration")" != "200" ]]; do if [[ "$attempts" -gt "$max_attempts" ]]; then >&2 echo "ERROR: Server not up after $max_attempts attempts. There is probably a problem" exit 1 @@ -22,3 +20,4 @@ while [[ "$(curl -s -o /dev/null -w '%{http_code}' http://localhost:7002/realms/ attempts=$(( attempts + 1 )) sleep 1 done +echo "keycloak up" diff --git a/spiffworkflow-backend/keycloak/realm_exports/spiffworkflow-realm.json b/spiffworkflow-backend/keycloak/realm_exports/spiffworkflow-realm.json index 4e3a82b78..78652bcf4 100644 --- a/spiffworkflow-backend/keycloak/realm_exports/spiffworkflow-realm.json +++ b/spiffworkflow-backend/keycloak/realm_exports/spiffworkflow-realm.json 
@@ -396,7 +396,7 @@ "otpPolicyLookAheadWindow" : 1, "otpPolicyPeriod" : 30, "otpPolicyCodeReusable" : false, - "otpSupportedApplications" : [ "totpAppFreeOTPName", "totpAppGoogleName" ], + "otpSupportedApplications" : [ "totpAppGoogleName", "totpAppFreeOTPName" ], "webAuthnPolicyRpEntityName" : "keycloak", "webAuthnPolicySignatureAlgorithms" : [ "ES256" ], "webAuthnPolicyRpId" : "", @@ -970,6 +970,29 @@ "realmRoles" : [ "default-roles-spiffworkflow" ], "notBefore" : 0, "groups" : [ ] + }, { + "id" : "6c8829ab-d37c-4638-99b0-c83e732dc02f", + "createdTimestamp" : 1676566095383, + "username" : "infra3.sme", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "email" : "infra3.sme@status.im", + "attributes" : { + "spiffworkflow-employeeid" : [ "167" ] + }, + "credentials" : [ { + "id" : "06476e91-a1db-4f9c-848b-f9ba120a200e", + "type" : "password", + "createdDate" : 1676566095417, + "secretData" : "{\"value\":\"00UdICckafKEytSulbqdURfya9ZO4UlmAlQQ6R/he44Jv0wkYGIk/vadNE5ACgmIBunoj6jANVbu87ZWNxp1Dw==\",\"salt\":\"etUtwyB9nvChOvyw1P0xkA==\",\"additionalParameters\":{}}", + "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" + } ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "realmRoles" : [ "default-roles-spiffworkflow" ], + "notBefore" : 0, + "groups" : [ ] }, { "id" : "b8d0d90e-9a7e-446c-9984-082cb315af8f", "createdTimestamp" : 1675718484095, 
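Review bot: The users added in the -970 hunk and in the -1202, -1357, -1519 and -1633 hunks are committed as `"enabled" : true` with a stored password credential and an empty `requiredActions`, so any environment that imports this realm export gets live accounts whose password hashes are readable by everyone with access to the repository. `hashIterations` of 27500 for `pbkdf2-sha256` is well below current guidance, which makes weak fixture passwords easier to guess offline from those hashes. If the export is only ever loaded into local or CI Keycloak instances, state that next to the import step. If it can reach a shared deployment, ship the users without credentials or with `"requiredActions" : [ "UPDATE_PASSWORD" ]`.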
@@ -1202,6 +1225,52 @@ "realmRoles" : [ "default-roles-spiffworkflow" ], "notBefore" : 0, "groups" : [ ] + }, { + "id" : "8763cdfb-46d4-4585-a17f-57acc1e44646", + "createdTimestamp" : 1676566095195, + "username" : "legal2.sme", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "email" : "legal2.sme@status.im", + "attributes" : { + "spiffworkflow-employeeid" : [ "165" ] + }, + "credentials" : [ { + "id" : "9322a6c5-0c19-48ee-aa92-c28eae605e95", + "type" : "password", + "createdDate" : 1676566095260, + "secretData" : "{\"value\":\"yfqeGYoyN5ZZM7SoAbVvDCM/J3fwhS17A1/L1GkLZoB3+844lK5g7iWJjrnrmBpzNAPjKKDx0aTGdEWetxt9Qg==\",\"salt\":\"zvh/FXb9F/wdWUupHwNFjw==\",\"additionalParameters\":{}}", + "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" + } ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "realmRoles" : [ "default-roles-spiffworkflow" ], + "notBefore" : 0, + "groups" : [ ] + }, { + "id" : "adba601b-d3c0-43fc-ae7e-cb6120ab342d", + "createdTimestamp" : 1676566095313, + "username" : "legal3.sme", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "email" : "legal3.sme@status.im", + "attributes" : { + "spiffworkflow-employeeid" : [ "166" ] + }, + "credentials" : [ { + "id" : "d1bb52f8-92b1-4873-a356-e9dc9739e1e6", + "type" : "password", + "createdDate" : 1676566095348, + "secretData" : "{\"value\":\"END4w4oxI1H5C5l4dqeYqrClb0y+vx3tuI484ELpqouEIol5P/piTiv8Q5/ECbb3jj8opjUFZZfvc12VIukCWw==\",\"salt\":\"e0EvbNYHC9jdqPkX3AneYw==\",\"additionalParameters\":{}}", + "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" + } ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "realmRoles" : [ "default-roles-spiffworkflow" ], + "notBefore" : 0, + "groups" : [ ] }, { "id" : "588e69b9-7534-4073-861d-500475b12b24", "createdTimestamp" : 1675718484566, 
@@ -1357,6 +1426,52 @@ "realmRoles" : [ "default-roles-spiffworkflow" ], "notBefore" : 0, "groups" : [ ] + }, { + "id" : "2a5d7caa-2c3e-4404-a133-ec220c0307db", + "createdTimestamp" : 1676566095780, + "username" : "peopleops.partner2.sme", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "email" : "peopleops.partner2.sme@status.im", + "attributes" : { + "spiffworkflow-employeeid" : [ "173" ] + }, + "credentials" : [ { + "id" : "64fc835c-b693-4fed-ab9f-952cbaadbbfd", + "type" : "password", + "createdDate" : 1676566095815, + "secretData" : "{\"value\":\"w5nUlwlH1Z46WGhfejPIiRW6OkE9bcjHNCVySUDzMIpkbCm3f78XfuvdGSDeCpJ/FQCJuFo5ciDJ7ExXLyLfnQ==\",\"salt\":\"nz1xSxci+NFsyPZPhFDtZQ==\",\"additionalParameters\":{}}", + "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" + } ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "realmRoles" : [ "default-roles-spiffworkflow" ], + "notBefore" : 0, + "groups" : [ ] + }, { + "id" : "2df3aa5e-5e5b-4c4a-b9bc-3a916c651632", + "createdTimestamp" : 1676566095846, + "username" : "peopleops.partner3.sme", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "email" : "peopleops.partner3.sme@status.im", + "attributes" : { + "spiffworkflow-employeeid" : [ "174" ] + }, + "credentials" : [ { + "id" : "efaaec98-45c7-45cc-b4a4-32708882b72f", + "type" : "password", + "createdDate" : 1676566095880, + "secretData" : "{\"value\":\"B9M+AGxXUX4/+ce0y6AgFBm4F7phl5+6zToumcfheXglqcag2jr7iqLTtvwVkz3w8x7rmxUrzs7rkJPhK+/Jpg==\",\"salt\":\"rLFkhDJLxRuCNw7PNswlSQ==\",\"additionalParameters\":{}}", + "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" + } ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "realmRoles" : [ "default-roles-spiffworkflow" ], + "notBefore" : 0, + "groups" : [ ] }, { "id" : "dbf941e7-0b45-4bc6-ae9e-d7153d32ce47", "createdTimestamp" : 1676302143401, 
@@ -1519,21 +1634,67 @@ "notBefore" : 0, "groups" : [ ] }, { - "id" : "d0355a9b-43d2-4111-b294-07c4dfa261b1", - "createdTimestamp" : 1676302144418, - "username" : "ppg.ba.sme1", + "id" : "2cc27223-369b-4abb-b7b3-7c3668bb4695", + "createdTimestamp" : 1676566095589, + "username" : "ppg.ba1.sme", "enabled" : true, "totp" : false, "emailVerified" : false, - "email" : "ppg.ba.sme1@status.im", + "email" : "ppg.ba1.sme@status.im", "attributes" : { - "spiffworkflow-employeeid" : [ "139" ] + "spiffworkflow-employeeid" : [ "170" ] }, "credentials" : [ { - "id" : "cca986d0-d323-4c62-8752-989f4fc7551e", + "id" : "80015df9-1c37-4c2c-9862-e4c5bf3c7fe1", "type" : "password", - "createdDate" : 1676302144451, - "secretData" : "{\"value\":\"WcgfAuHzOZIaE5n1+cNRqkHfur2P9HQg5sn+xoucHSGyu0ibXd19LK+x6ITyoG153VEhws6PvPIB195MlSxOsw==\",\"salt\":\"lChW81Tfy5VZruOu/x0RZA==\",\"additionalParameters\":{}}", + "createdDate" : 1676566095623, + "secretData" : "{\"value\":\"aHhv9WD2OpLT99Pt8adXov9qlO+mHdZc/YnLcwmg/FN1GZ5s1ExKD+PgiJnbUMyiIrEoTaMImRlG0+CaXNB8pA==\",\"salt\":\"WG3QARMAE6XD4CYMq/vVog==\",\"additionalParameters\":{}}", + "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" + } ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "realmRoles" : [ "default-roles-spiffworkflow" ], + "notBefore" : 0, + "groups" : [ ] + }, { + "id" : "ccdd9a3c-2df1-4b01-8cd0-f983e2975044", + "createdTimestamp" : 1676566095652, + "username" : "ppg.ba2.sme", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "email" : "ppg.ba2.sme@status.im", + "attributes" : { + "spiffworkflow-employeeid" : [ "171" ] + }, + "credentials" : [ { + "id" : "1a1b635b-78a0-4e1b-be27-54fa8e5bf46e", + "type" : "password", + "createdDate" : 1676566095686, + "secretData" : "{\"value\":\"lvIpCEkCU7VjWkc5HVjIpbEX3m2y0qRAm6vpUOF6jsC3kPOU32kGTpXtoAXRMQYqzwwrZPezkWiBWSc9tZQZmw==\",\"salt\":\"4vtZJjWkwRZZpQHL0y2cFQ==\",\"additionalParameters\":{}}", + 
"credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" + } ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "realmRoles" : [ "default-roles-spiffworkflow" ], + "notBefore" : 0, + "groups" : [ ] + }, { + "id" : "6d570a0f-66dc-4059-a9b5-17bcfaf92c25", + "createdTimestamp" : 1676566095715, + "username" : "ppg.ba3.sme", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "email" : "ppg.ba3.sme@status.im", + "attributes" : { + "spiffworkflow-employeeid" : [ "172" ] + }, + "credentials" : [ { + "id" : "81737a3e-74be-48e7-8540-47df7189f6b8", + "type" : "password", + "createdDate" : 1676566095750, + "secretData" : "{\"value\":\"92827vUG05pG+5KqIU0x3YP8KzAygyflfN7ClS+87JOuSvQjElY8yaLtUNftZn2nr2EK/ud1HHfVPdjNHqv3lQ==\",\"salt\":\"ggPrdGdcE+U8spc6rzMAow==\",\"additionalParameters\":{}}", "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" } ], "disableableCredentialTypes" : [ ], 
@@ -1633,6 +1794,52 @@ "realmRoles" : [ "default-roles-spiffworkflow" ], "notBefore" : 0, "groups" : [ ] + }, { + "id" : "7cf99174-49f1-4036-9eff-f7ba111a691f", + "createdTimestamp" : 1676566095455, + "username" : "security2.sme", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "email" : "security2.sme@status.im", + "attributes" : { + "spiffworkflow-employeeid" : [ "168" ] + }, + "credentials" : [ { + "id" : "2402ab6b-c06f-4db6-a2ab-e2a0d63c7082", + "type" : "password", + "createdDate" : 1676566095491, + "secretData" : "{\"value\":\"SKxvUtsnbbqUMfcNnIU9YnrsrfCE7MH801Mf50pL9rj5/k+ZIrB2nDowGVjip0wdIgiYZbdT7mwHjmc2KBrmoQ==\",\"salt\":\"Ww6KCOsMjQmMkEAP0Pabfg==\",\"additionalParameters\":{}}", + "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" + } ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "realmRoles" : [ "default-roles-spiffworkflow" ], + "notBefore" : 0, + "groups" : [ ] + }, { + "id" : "01daff17-0ead-4ca1-ae90-9da59ac2878d", + "createdTimestamp" : 1676566095522, + "username" : "security3.sme", + "enabled" : true, + "totp" : false, + "emailVerified" : false, + "email" : "security3.sme@status.im", + "attributes" : { + "spiffworkflow-employeeid" : [ "169" ] + }, + "credentials" : [ { + "id" : "99ccf7fb-a8a5-44c1-82a8-074af6f1a21d", + "type" : "password", + "createdDate" : 1676566095557, + "secretData" : "{\"value\":\"LBBgnnqfxU+NqlT33rPCk2IyDrQQs9wdTG0syZ2GyovKe3iwBmarBio+0kSKiWWZQmF085ZO3jeR82hc1TDv3A==\",\"salt\":\"T6qwoJLQaXdaPBZZvhVCvw==\",\"additionalParameters\":{}}", + "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" + } ], + "disableableCredentialTypes" : [ ], + "requiredActions" : [ ], + "realmRoles" : [ "default-roles-spiffworkflow" ], + "notBefore" : 0, + "groups" : [ ] }, { "id" : "b768e3ef-f905-4493-976c-bc3408c04bec", "createdTimestamp" : 1675447832524, 
@@ -2968,7 +3175,7 @@ "subType" : "authenticated", "subComponents" : { }, "config" : { - "allowed-protocol-mapper-types" : [ "oidc-usermodel-attribute-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-property-mapper", "saml-user-property-mapper", "saml-user-attribute-mapper", "oidc-address-mapper", "oidc-full-name-mapper", "saml-role-list-mapper" ] + "allowed-protocol-mapper-types" : [ "oidc-usermodel-attribute-mapper", "oidc-address-mapper", "oidc-full-name-mapper", "saml-user-property-mapper", "saml-user-attribute-mapper", "oidc-usermodel-property-mapper", "saml-role-list-mapper", "oidc-sha256-pairwise-sub-mapper" ] } }, { "id" : "d68e938d-dde6-47d9-bdc8-8e8523eb08cd", @@ -2986,7 +3193,7 @@ "subType" : "anonymous", "subComponents" : { }, "config" : { - "allowed-protocol-mapper-types" : [ "saml-role-list-mapper", "oidc-usermodel-attribute-mapper", "saml-user-attribute-mapper", "saml-user-property-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-usermodel-property-mapper", "oidc-full-name-mapper", "oidc-address-mapper" ] + "allowed-protocol-mapper-types" : [ "oidc-usermodel-attribute-mapper", "saml-user-attribute-mapper", "oidc-address-mapper", "saml-user-property-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-role-list-mapper", "oidc-usermodel-property-mapper", "oidc-full-name-mapper" ] } }, { "id" : "3854361d-3fe5-47fb-9417-a99592e3dc5c", @@ -3076,7 +3283,7 @@ "internationalizationEnabled" : false, "supportedLocales" : [ ], "authenticationFlows" : [ { - "id" : "b575ba3a-ceeb-4fcc-8921-906f534107e1", + "id" : "01b4b17c-bb82-41c3-b5b5-b9aadd21cb23", "alias" : "Account verification options", "description" : "Method with which to verity the existing account", "providerId" : "basic-flow", @@ -3098,7 +3305,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "2c8efabb-b397-4bb5-9c62-c7528d755e29", + "id" : "57574e2d-3c3d-4286-9fd1-d7f4ab86c6c1", "alias" : "Authentication Options", "description" : "Authentication options.", "providerId" : "basic-flow", 
@@ -3127,7 +3334,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "7838ba09-a8a1-4478-bacb-c20abaff7d05", + "id" : "1eb0e67c-2856-475e-8563-5eca431fd9d0", "alias" : "Browser - Conditional OTP", "description" : "Flow to determine if the OTP is required for the authentication", "providerId" : "basic-flow", @@ -3149,7 +3356,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "be4254ab-bdb7-4cca-8fa4-14956f460620", + "id" : "ff023867-aad5-4d19-a7da-60904727cd77", "alias" : "Direct Grant - Conditional OTP", "description" : "Flow to determine if the OTP is required for the authentication", "providerId" : "basic-flow", @@ -3171,7 +3378,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "3dc1581f-38dc-48d1-9e73-7aa45b38eae8", + "id" : "c4f2f1e4-a32c-4559-9fe3-f88cc6cb63da", "alias" : "First broker login - Conditional OTP", "description" : "Flow to determine if the OTP is required for the authentication", "providerId" : "basic-flow", @@ -3193,7 +3400,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "8b280bec-2423-4590-bc28-8873e4f9c2e8", + "id" : "bfb28a5f-98d9-4ce0-ae8d-75a7ba1ad331", "alias" : "Handle Existing Account", "description" : "Handle what to do if there is existing account with same email/username like authenticated identity provider", "providerId" : "basic-flow", @@ -3215,7 +3422,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "8bc16848-7275-42a7-aaa4-30693d379600", + "id" : "8b2075bd-9ad7-44c3-9a06-bc60a13beb7a", "alias" : "Reset - Conditional OTP", "description" : "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", "providerId" : "basic-flow", @@ -3237,7 +3444,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "727a7c7e-aceb-420a-be17-7e1aa1a19ef0", + "id" : "1fdcbed7-e44b-4473-ab7b-25037309660b", "alias" : "User creation or linking", "description" : "Flow for the existing/non-existing user alternatives", "providerId" : "basic-flow", 
@@ -3260,7 +3467,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "db654134-730a-4e50-841e-5ff9e206625f", + "id" : "2f6e9208-b0e6-4941-9bd5-8f83ebc25b6c", "alias" : "Verify Existing Account by Re-authentication", "description" : "Reauthentication of existing account", "providerId" : "basic-flow", @@ -3282,7 +3489,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "06ced0a0-aec5-43dd-8b39-7d7ea7a5faf8", + "id" : "f059067e-d626-4be3-868f-4c8780318497", "alias" : "browser", "description" : "browser based authentication", "providerId" : "basic-flow", @@ -3318,7 +3525,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "0f8f80e3-56eb-49a1-8b7d-e22242699b78", + "id" : "c35098b5-3785-4f52-90e3-39b8f3841f0c", "alias" : "clients", "description" : "Base authentication for clients", "providerId" : "client-flow", @@ -3354,7 +3561,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "a67ef3ee-332a-4f40-b2dc-69a3d7967808", + "id" : "c78934b6-5386-49e7-89e8-9efe1088f5b2", "alias" : "direct grant", "description" : "OpenID Connect Resource Owner Grant", "providerId" : "basic-flow", @@ -3383,7 +3590,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "e2e2fffa-81d3-4a4d-adb2-a0154e2f86cd", + "id" : "7a08791f-0c8b-4e11-a588-f5856b75337b", "alias" : "docker auth", "description" : "Used by Docker clients to authenticate against the IDP", "providerId" : "basic-flow", @@ -3398,7 +3605,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "fc418578-3c89-4f68-ad8f-825929669979", + "id" : "11e93dce-9673-4c99-ae7a-0edaf1c9b7e4", "alias" : "first broker login", "description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", "providerId" : "basic-flow", @@ -3421,7 +3628,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "31a9e34e-c499-4842-a085-a7ea0a4cab78", + "id" : "dbb50df7-ec6e-4a34-97f5-b484f1d8a76c", "alias" : "forms", "description" : "Username, password, otp and other auth forms.", "providerId" : "basic-flow", 
@@ -3443,7 +3650,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "ec66a031-7712-438a-91e7-564736cb3f75", + "id" : "d7a3dff9-249b-4811-9f36-b78119a4ce3f", "alias" : "http challenge", "description" : "An authentication flow based on challenge-response HTTP Authentication Schemes", "providerId" : "basic-flow", @@ -3465,7 +3672,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "013a75a6-ae0d-459e-80eb-1681957b769b", + "id" : "ed4891ad-657c-45ac-9388-6c50d191124d", "alias" : "registration", "description" : "registration flow", "providerId" : "basic-flow", @@ -3481,7 +3688,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "e011c6be-e1d0-4f94-80b1-2e2b2eb61832", + "id" : "f7c308b0-58de-4ed2-bf69-394144698e5a", "alias" : "registration form", "description" : "registration form", "providerId" : "form-flow", @@ -3517,7 +3724,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "4f7c3405-ce05-4799-a001-cb6404c72625", + "id" : "3fb75774-a3a5-4e01-bc4a-4e564451601d", "alias" : "reset credentials", "description" : "Reset credentials for a user if they forgot their password or something", "providerId" : "basic-flow", @@ -3553,7 +3760,7 @@ "userSetupAllowed" : false } ] }, { - "id" : "7bde2ab3-96b9-4323-be48-dfae94c84df1", + "id" : "822d5c02-9ab3-4a9b-8fa4-1f020c5ffe08", "alias" : "saml ecp", "description" : "SAML ECP Profile Authentication Flow", "providerId" : "basic-flow", @@ -3569,13 +3776,13 @@ } ] } ], "authenticatorConfig" : [ { - "id" : "82c6898c-ff7c-442a-9ae1-8e1972634e01", + "id" : "0e613377-2aaa-4fed-bb7d-4dea69d5c340", "alias" : "create unique user config", "config" : { "require.password.update.after.registration" : "false" } }, { - "id" : "5cfbdf35-1766-4eb3-a404-3560ae3f4cac", + "id" : "ac6b9188-f0ec-48ec-852a-8e3b331b33a6", "alias" : "review profile config", "config" : { "update.profile.on.first.login" : "missing" 
diff --git a/spiffworkflow-backend/keycloak/test_user_lists/status b/spiffworkflow-backend/keycloak/test_user_lists/status index 4da1297f4..d370b96a7 100644 --- a/spiffworkflow-backend/keycloak/test_user_lists/status +++ b/spiffworkflow-backend/keycloak/test_user_lists/status @@ -2,12 +2,12 @@ email,spiffworkflow-employeeid # admin@spiffworkflow.org amir@status.im app.program.lead@status.im,121 -core@status.im,113 core1.contributor@status.im,155 core2.contributor@status.im,156 core3.contributor@status.im,157 core4.contributor@status.im,158 core5.contributor@status.im,159 +core@status.im,113 dao.project.lead@status.im desktop.program.lead@status.im desktop.project.lead@status.im @@ -19,26 +19,35 @@ infra.project-lead@status.im,130 infra.sme@status.im,119 infra1.sme@status.im,131 infra2.sme@status.im,132 +infra3.sme@status.im,167 jakub@status.im jarrad@status.im lead@status.im,114 legal.project-lead@status.im,133 legal.sme@status.im,125 legal1.sme@status.im,134 +legal2.sme@status.im,165 +legal3.sme@status.im,166 manuchehr@status.im,110 -peopleops.project-lead@status.im,147 peopleops.partner.sme@status.im,148 peopleops.partner1.sme@status.im,149 +peopleops.partner2.sme@status.im,173 +peopleops.partner3.sme@status.im,174 peopleops.partner@status.im,150 +peopleops.project-lead@status.im,147 peopleops.talent.sme@status.im,143 peopleops.talent1.sme@status.im,142 peopleops.talent@status.im,141 ppg.ba.project-lead@status.im,137 -ppg.ba.sme1@status.im,139 ppg.ba.sme@status.im,138 +ppg.ba1.sme@status.im,170 +ppg.ba2.sme@status.im,171 +ppg.ba3.sme@status.im,172 ppg.ba@status.im,127 sasha@status.im,112 security.project-lead@status.im,151 security.sme@status.im,123 security1.sme@status.im,135 +security2.sme@status.im,168 +security3.sme@status.im,169 services.lead@status.im,122 diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py b/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py index eb759d460..92c11037a 100644 
--- a/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py +++ b/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py @@ -115,7 +115,7 @@ def create_app() -> flask.app.Flask: # need to continually keep asking for the same path. origins_re = [ r"^https?:\/\/%s(.*)" % o.replace(".", r"\.") - for o in app.config["CORS_ALLOW_ORIGINS"] + for o in app.config["SPIFFWORKFLOW_BACKEND_CORS_ALLOW_ORIGINS"] ] CORS(app, origins=origins_re, max_age=3600, supports_credentials=True) @@ -128,7 +128,7 @@ def create_app() -> flask.app.Flask: # do not start the scheduler twice in flask debug mode if ( - app.config["RUN_BACKGROUND_SCHEDULER"] + app.config["SPIFFWORKFLOW_BACKEND_RUN_BACKGROUND_SCHEDULER"] and os.environ.get("WERKZEUG_RUN_MAIN") != "true" ): start_scheduler(app) @@ -147,13 +147,15 @@ def get_hacked_up_app_for_script() -> flask.app.Flask: os.environ["SPIFFWORKFLOW_BACKEND_ENV"] = "local_development" flask_env_key = "FLASK_SESSION_SECRET_KEY" os.environ[flask_env_key] = "whatevs" - if "BPMN_SPEC_ABSOLUTE_DIR" not in os.environ: + if "SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR" not in os.environ: home = os.environ["HOME"] full_process_model_path = ( f"{home}/projects/github/sartography/sample-process-models" ) if os.path.isdir(full_process_model_path): - os.environ["BPMN_SPEC_ABSOLUTE_DIR"] = full_process_model_path + os.environ["SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR"] = ( + full_process_model_path + ) else: raise Exception(f"Could not find {full_process_model_path}") app = create_app() 
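Review bot: The origin patterns built in `create_app` end in `(.*)` and are handed to `CORS(..., supports_credentials=True)`, so an allowed origin such as `example.com` (constructed sample) also matches `https://example.com.other.tld`, and credentialed cross-origin requests from that host would be accepted. Only `.` is escaped, so any other regex metacharacter in a configured origin alters the pattern as well. Anchoring the end closes this, e.g. `r"^https?://%s(:\d+)?$" % re.escape(o)`, assuming `re` is imported in this module, which the hunk does not show. The `*` default from `config/default.py` would then need its own branch, because it only works today by accident: `\/*(.*)` matches every http(s) origin. The rest of `create_app` lies outside the hunk.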
@@ -198,20 +200,28 @@ def configure_sentry(app: flask.app.Flask) -> None: return None return event - sentry_errors_sample_rate = app.config.get("SENTRY_ERRORS_SAMPLE_RATE") + sentry_errors_sample_rate = app.config.get( + "SPIFFWORKFLOW_BACKEND_SENTRY_ERRORS_SAMPLE_RATE" + ) if sentry_errors_sample_rate is None: - raise Exception("SENTRY_ERRORS_SAMPLE_RATE is not set somehow") + raise Exception( + "SPIFFWORKFLOW_BACKEND_SENTRY_ERRORS_SAMPLE_RATE is not set somehow" + ) - sentry_traces_sample_rate = app.config.get("SENTRY_TRACES_SAMPLE_RATE") + sentry_traces_sample_rate = app.config.get( + "SPIFFWORKFLOW_BACKEND_SENTRY_TRACES_SAMPLE_RATE" + ) if sentry_traces_sample_rate is None: - raise Exception("SENTRY_TRACES_SAMPLE_RATE is not set somehow") + raise Exception( + "SPIFFWORKFLOW_BACKEND_SENTRY_TRACES_SAMPLE_RATE is not set somehow" + ) # profiling doesn't work on windows, because of an issue like https://github.com/nvdv/vprof/issues/62 # but also we commented out profiling because it was causing segfaults (i guess it is marked experimental) # profiles_sample_rate = 0 if sys.platform.startswith("win") else 1 sentry_sdk.init( - dsn=app.config.get("SENTRY_DSN"), + dsn=app.config.get("SPIFFWORKFLOW_BACKEND_SENTRY_DSN"), integrations=[ FlaskIntegration(), ], diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py index e0c18ee55..ad5dcb0f5 100644 --- a/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py +++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py 
@@ -17,17 +17,17 @@ def setup_database_uri(app: Flask) -> None: """Setup_database_uri.""" if app.config.get("SPIFFWORKFLOW_BACKEND_DATABASE_URI") is None: database_name = f"spiffworkflow_backend_{app.config['ENV_IDENTIFIER']}" - if app.config.get("SPIFF_DATABASE_TYPE") == "sqlite": + if app.config.get("SPIFFWORKFLOW_BACKEND_DATABASE_TYPE") == "sqlite": app.config["SQLALCHEMY_DATABASE_URI"] = ( f"sqlite:///{app.instance_path}/db_{app.config['ENV_IDENTIFIER']}.sqlite3" ) - elif app.config.get("SPIFF_DATABASE_TYPE") == "postgres": + elif app.config.get("SPIFFWORKFLOW_BACKEND_DATABASE_TYPE") == "postgres": app.config["SQLALCHEMY_DATABASE_URI"] = ( f"postgresql://spiffworkflow_backend:spiffworkflow_backend@localhost:5432/{database_name}" ) else: # use pswd to trick flake8 with hardcoded passwords - db_pswd = os.environ.get("DB_PASSWORD") + db_pswd = app.config.get("SPIFFWORKFLOW_BACKEND_DATABASE_PASSWORD") if db_pswd is None: db_pswd = "" app.config["SQLALCHEMY_DATABASE_URI"] = ( 
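Review bot: In `setup_database_uri` the password now comes from `app.config.get("SPIFFWORKFLOW_BACKEND_DATABASE_PASSWORD")` and a missing value still falls through to `db_pswd = ""`, so a deployment that keeps exporting the old `DB_PASSWORD` silently connects with an empty password. A guard before the fallback would make the rename visible: `if db_pswd is None and os.environ.get("DB_PASSWORD"): raise ConfigurationError("DB_PASSWORD was renamed to SPIFFWORKFLOW_BACKEND_DATABASE_PASSWORD")`. The `postgres` branch also embeds a fixed user and password in the URI; a comment such as `# local/CI only: set SPIFFWORKFLOW_BACKEND_DATABASE_URI for real deployments` would say so. The function body continues past the end of the hunk, so how `db_pswd` is placed into the URI is not visible here.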
@@ -45,22 +45,30 @@ def load_config_file(app: Flask, env_config_module: str) -> None: app.config.from_object(env_config_module) print(f"loaded config: {env_config_module}") except ImportStringError as exception: - if os.environ.get("TERRAFORM_DEPLOYED_ENVIRONMENT") != "true": + if ( + os.environ.get("SPIFFWORKFLOW_BACKEND_TERRAFORM_DEPLOYED_ENVIRONMENT") + != "true" + ): raise ModuleNotFoundError( f"Cannot find config module: {env_config_module}" ) from exception def _set_up_tenant_specific_fields_as_list_of_strings(app: Flask) -> None: - tenant_specific_fields = app.config.get("OPEN_ID_TENANT_SPECIFIC_FIELDS") + tenant_specific_fields = app.config.get( + "SPIFFWORKFLOW_BACKEND_OPEN_ID_TENANT_SPECIFIC_FIELDS" + ) if tenant_specific_fields is None or tenant_specific_fields == "": - app.config["OPEN_ID_TENANT_SPECIFIC_FIELDS"] = [] + app.config["SPIFFWORKFLOW_BACKEND_OPEN_ID_TENANT_SPECIFIC_FIELDS"] = [] else: - app.config["OPEN_ID_TENANT_SPECIFIC_FIELDS"] = tenant_specific_fields.split(",") - if len(app.config["OPEN_ID_TENANT_SPECIFIC_FIELDS"]) > 3: + app.config["SPIFFWORKFLOW_BACKEND_OPEN_ID_TENANT_SPECIFIC_FIELDS"] = ( + tenant_specific_fields.split(",") + ) + if len(app.config["SPIFFWORKFLOW_BACKEND_OPEN_ID_TENANT_SPECIFIC_FIELDS"]) > 3: raise ConfigurationError( - "OPEN_ID_TENANT_SPECIFIC_FIELDS can have a maximum of 3 fields" + "SPIFFWORKFLOW_BACKEND_OPEN_ID_TENANT_SPECIFIC_FIELDS can have a" + " maximum of 3 fields" ) @@ -80,7 +88,7 @@ def setup_config(app: Flask) -> None: env_config_prefix = "spiffworkflow_backend.config." if ( - os.environ.get("TERRAFORM_DEPLOYED_ENVIRONMENT") == "true" + os.environ.get("SPIFFWORKFLOW_BACKEND_TERRAFORM_DEPLOYED_ENVIRONMENT") == "true" and os.environ.get("SPIFFWORKFLOW_BACKEND_ENV") is not None ): load_config_file(app, f"{env_config_prefix}terraform_deployed_environment") 
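Review bot: `_set_up_tenant_specific_fields_as_list_of_strings` splits with `tenant_specific_fields.split(",")`, so a value written as `a, b` produces a field name with a leading space, whereas `config/default.py` parses the CORS list with `re.split(r",\s*", ...)`. Stripping each item keeps the two lists consistent: `[f.strip() for f in tenant_specific_fields.split(",") if f.strip()]`. The maximum-of-3 check would then count only non-empty names. A one-line docstring stating that the config value is rewritten in place from a comma-separated string to a list would also help, since the function has none.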
@@ -116,8 +124,10 @@ def setup_config(app: Flask) -> None: # src/spiffworkflow_backend/config/secrets.py app.config.from_pyfile(os.path.join("config", "secrets.py"), silent=True) - if app.config["BPMN_SPEC_ABSOLUTE_DIR"] is None: - raise ConfigurationError("BPMN_SPEC_ABSOLUTE_DIR config must be set") + if app.config["SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR"] is None: + raise ConfigurationError( + "SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR config must be set" + ) app.config["PROCESS_UUID"] = uuid.uuid4() diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py index 8002a9982..c6994a7cf 100644 --- a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py +++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py 
@@ -2,44 +2,52 @@ import re from os import environ -BPMN_SPEC_ABSOLUTE_DIR = environ.get("BPMN_SPEC_ABSOLUTE_DIR") +SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR = environ.get( + "SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR" +) cors_allow_all = "*" -CORS_ALLOW_ORIGINS = re.split( - r",\s*", environ.get("CORS_ALLOW_ORIGINS", default=cors_allow_all) +SPIFFWORKFLOW_BACKEND_CORS_ALLOW_ORIGINS = re.split( + r",\s*", + environ.get("SPIFFWORKFLOW_BACKEND_CORS_ALLOW_ORIGINS", default=cors_allow_all), ) -RUN_BACKGROUND_SCHEDULER = ( - environ.get("RUN_BACKGROUND_SCHEDULER", default="false") == "true" +SPIFFWORKFLOW_BACKEND_RUN_BACKGROUND_SCHEDULER = ( + environ.get("SPIFFWORKFLOW_BACKEND_RUN_BACKGROUND_SCHEDULER", default="false") + == "true" ) -SPIFFWORKFLOW_FRONTEND_URL = environ.get( - "SPIFFWORKFLOW_FRONTEND_URL", default="http://localhost:7001" +SPIFFWORKFLOW_BACKEND_URL_FOR_FRONTEND = environ.get( + "SPIFFWORKFLOW_BACKEND_URL_FOR_FRONTEND", default="http://localhost:7001" ) SPIFFWORKFLOW_BACKEND_URL = environ.get( "SPIFFWORKFLOW_BACKEND_URL", default="http://localhost:7000" ) # service task connector proxy -CONNECTOR_PROXY_URL = environ.get( - "CONNECTOR_PROXY_URL", default="http://localhost:7004" +SPIFFWORKFLOW_BACKEND_CONNECTOR_PROXY_URL = environ.get( + "SPIFFWORKFLOW_BACKEND_CONNECTOR_PROXY_URL", default="http://localhost:7004" ) # Open ID server -OPEN_ID_SERVER_URL = environ.get( - "OPEN_ID_SERVER_URL", - default="http://localhost:7002/realms/spiffworkflow" - # "OPEN_ID_SERVER_URL", default="http://localhost:7000/openid" +# use "http://localhost:7000/openid" for running with simple openid +# server hosted by spiffworkflow-backend +SPIFFWORKFLOW_BACKEND_OPEN_ID_SERVER_URL = environ.get( + "SPIFFWORKFLOW_BACKEND_OPEN_ID_SERVER_URL", + default="http://localhost:7002/realms/spiffworkflow", ) -# Replace above line with this to use the built-in Open ID Server. 
-# OPEN_ID_SERVER_URL = environ.get("OPEN_ID_SERVER_URL", default="http://localhost:7000/openid") -OPEN_ID_CLIENT_ID = environ.get("OPEN_ID_CLIENT_ID", default="spiffworkflow-backend") -OPEN_ID_CLIENT_SECRET_KEY = environ.get( - "OPEN_ID_CLIENT_SECRET_KEY", default="JXeQExm0JhQPLumgHtIIqf52bDalHz0q" +SPIFFWORKFLOW_BACKEND_OPEN_ID_CLIENT_ID = environ.get( + "SPIFFWORKFLOW_BACKEND_OPEN_ID_CLIENT_ID", default="spiffworkflow-backend" +) +SPIFFWORKFLOW_BACKEND_OPEN_ID_CLIENT_SECRET_KEY = environ.get( + "SPIFFWORKFLOW_BACKEND_OPEN_ID_CLIENT_SECRET_KEY", + default="JXeQExm0JhQPLumgHtIIqf52bDalHz0q", ) # noqa: S105 # Tenant specific fields is a comma separated list of field names that we will convert to list of strings # and store in the user table's tenant_specific_field_n columns. You can have up to three items in this # comma-separated list. -OPEN_ID_TENANT_SPECIFIC_FIELDS = environ.get("OPEN_ID_TENANT_SPECIFIC_FIELDS") +SPIFFWORKFLOW_BACKEND_OPEN_ID_TENANT_SPECIFIC_FIELDS = environ.get( + "SPIFFWORKFLOW_BACKEND_OPEN_ID_TENANT_SPECIFIC_FIELDS" +) SPIFFWORKFLOW_BACKEND_LOG_TO_FILE = ( environ.get("SPIFFWORKFLOW_BACKEND_LOG_TO_FILE", default="false") == "true" 
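Review bot: `SPIFFWORKFLOW_BACKEND_OPEN_ID_CLIENT_SECRET_KEY` keeps a literal client secret as its `default=` and silences the linter with `# noqa: S105`, so any environment that does not set the variable runs with a value that is readable in the repository. The same hunk defaults `SPIFFWORKFLOW_BACKEND_CORS_ALLOW_ORIGINS` to `*`. Defaulting the secret to `None` here, supplying the development value from `local_development.py`, and raising `ConfigurationError` in `setup_config` when it is unset elsewhere would make a missing secret fail at start-up instead of falling back silently. If the literal has to stay, a comment such as `# development-only default; must be overridden outside local_development` should sit directly above it.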
@@ -50,13 +58,21 @@ SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME = environ.get( ) # Sentry Configuration -SENTRY_DSN = environ.get("SENTRY_DSN", default="") -SENTRY_ERRORS_SAMPLE_RATE = environ.get( - "SENTRY_ERRORS_SAMPLE_RATE", default="1" +SPIFFWORKFLOW_BACKEND_SENTRY_DSN = environ.get( + "SPIFFWORKFLOW_BACKEND_SENTRY_DSN", default="" +) +SPIFFWORKFLOW_BACKEND_SENTRY_ERRORS_SAMPLE_RATE = environ.get( + "SPIFFWORKFLOW_BACKEND_SENTRY_ERRORS_SAMPLE_RATE", default="1" ) # send all errors -SENTRY_TRACES_SAMPLE_RATE = environ.get( - "SENTRY_TRACES_SAMPLE_RATE", default="0.01" +SPIFFWORKFLOW_BACKEND_SENTRY_TRACES_SAMPLE_RATE = environ.get( + "SPIFFWORKFLOW_BACKEND_SENTRY_TRACES_SAMPLE_RATE", default="0.01" ) # send 1% of traces +SPIFFWORKFLOW_BACKEND_SENTRY_ORGANIZATION_SLUG = environ.get( + "SPIFFWORKFLOW_BACKEND_SENTRY_ORGANIZATION_SLUG", default=None +) +SPIFFWORKFLOW_BACKEND_SENTRY_PROJECT_SLUG = environ.get( + "SPIFFWORKFLOW_BACKEND_SENTRY_PROJECT_SLUG", default=None +) SPIFFWORKFLOW_BACKEND_LOG_LEVEL = environ.get( "SPIFFWORKFLOW_BACKEND_LOG_LEVEL", default="info" 
@@ -64,31 +80,63 @@ SPIFFWORKFLOW_BACKEND_LOG_LEVEL = environ.get( # When a user clicks on the `Publish` button, this is the default branch this server merges into. # I.e., dev server could have `staging` here. Staging server might have `production` here. -GIT_BRANCH_TO_PUBLISH_TO = environ.get("GIT_BRANCH_TO_PUBLISH_TO") -GIT_BRANCH = environ.get("GIT_BRANCH") -GIT_CLONE_URL_FOR_PUBLISHING = environ.get("GIT_CLONE_URL") -GIT_COMMIT_ON_SAVE = environ.get("GIT_COMMIT_ON_SAVE", default="false") == "true" -GIT_SSH_PRIVATE_KEY = environ.get("GIT_SSH_PRIVATE_KEY") -GIT_USERNAME = environ.get("GIT_USERNAME") -GIT_USER_EMAIL = environ.get("GIT_USER_EMAIL") +SPIFFWORKFLOW_BACKEND_GIT_PUBLISH_TARGET_BRANCH = environ.get( + "SPIFFWORKFLOW_BACKEND_GIT_PUBLISH_TARGET_BRANCH" +) +# This is the branch that the app automatically commits to every time the user clicks the save button +# or otherwise changes a process model. +# If publishing is enabled, the contents of this "staging area" / "scratch pad" / WIP spot will be used +# as the relevant contents for process model that the user wants to publish. 
+SPIFFWORKFLOW_BACKEND_GIT_SOURCE_BRANCH = environ.get( + "SPIFFWORKFLOW_BACKEND_GIT_SOURCE_BRANCH" +) +SPIFFWORKFLOW_BACKEND_GIT_PUBLISH_CLONE_URL = environ.get( + "SPIFFWORKFLOW_BACKEND_GIT_PUBLISH_CLONE_URL" +) +SPIFFWORKFLOW_BACKEND_GIT_COMMIT_ON_SAVE = ( + environ.get("SPIFFWORKFLOW_BACKEND_GIT_COMMIT_ON_SAVE", default="false") == "true" +) +SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY = environ.get( + "SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY" +) +SPIFFWORKFLOW_BACKEND_GIT_USERNAME = environ.get("SPIFFWORKFLOW_BACKEND_GIT_USERNAME") +SPIFFWORKFLOW_BACKEND_GIT_USER_EMAIL = environ.get( + "SPIFFWORKFLOW_BACKEND_GIT_USER_EMAIL" +) +SPIFFWORKFLOW_BACKEND_GITHUB_WEBHOOK_SECRET = environ.get( + "SPIFFWORKFLOW_BACKEND_GITHUB_WEBHOOK_SECRET", default=None +) +SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY = environ.get( + "SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY", default=None +) +SPIFFWORKFLOW_BACKEND_GIT_USER_PASSWORD = environ.get( + "SPIFFWORKFLOW_BACKEND_GIT_USER_PASSWORD", default=None +) # Database Configuration -SPIFF_DATABASE_TYPE = environ.get( - "SPIFF_DATABASE_TYPE", default="mysql" +SPIFFWORKFLOW_BACKEND_DATABASE_TYPE = environ.get( + "SPIFFWORKFLOW_BACKEND_DATABASE_TYPE", default="mysql" ) # can also be sqlite, postgres # Overide above with specific sqlalchymy connection string. 
SPIFFWORKFLOW_BACKEND_DATABASE_URI = environ.get( "SPIFFWORKFLOW_BACKEND_DATABASE_URI", default=None ) -SYSTEM_NOTIFICATION_PROCESS_MODEL_MESSAGE_ID = environ.get( - "SYSTEM_NOTIFICATION_PROCESS_MODEL_MESSAGE_ID", +SPIFFWORKFLOW_BACKEND_SYSTEM_NOTIFICATION_PROCESS_MODEL_MESSAGE_ID = environ.get( + "SPIFFWORKFLOW_BACKEND_SYSTEM_NOTIFICATION_PROCESS_MODEL_MESSAGE_ID", default="Message_SystemMessageNotification", ) -ALLOW_CONFISCATING_LOCK_AFTER_SECONDS = int( - environ.get("ALLOW_CONFISCATING_LOCK_AFTER_SECONDS", default="600") +SPIFFWORKFLOW_BACKEND_ALLOW_CONFISCATING_LOCK_AFTER_SECONDS = int( + environ.get( + "SPIFFWORKFLOW_BACKEND_ALLOW_CONFISCATING_LOCK_AFTER_SECONDS", default="600" + ) ) SPIFFWORKFLOW_BACKEND_DEFAULT_USER_GROUP = environ.get( "SPIFFWORKFLOW_BACKEND_DEFAULT_USER_GROUP", default="everybody" ) + +# this is only used in CI. use SPIFFWORKFLOW_BACKEND_DATABASE_URI instead for real configuration +SPIFFWORKFLOW_BACKEND_DATABASE_PASSWORD = environ.get( + "SPIFFWORKFLOW_BACKEND_DATABASE_PASSWORD", default=None +) diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/demo.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/demo.py index 06e9184d7..aec6a03bb 100644 --- a/spiffworkflow-backend/src/spiffworkflow_backend/config/demo.py +++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/demo.py 
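Review bot: `SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY` is assigned twice in this hunk, first with `environ.get("SPIFFWORKFLOW_BACKEND_GIT_SSH_PRIVATE_KEY")` and again a few lines later with `default=None`; both yield the same value, so the second assignment can be dropped. The block also places the SSH private key, `SPIFFWORKFLOW_BACKEND_GIT_USER_PASSWORD` and `SPIFFWORKFLOW_BACKEND_GITHUB_WEBHOOK_SECRET` in module-level config next to ordinary settings. A comment above them such as `# secrets: never log or return app.config wholesale` would warn anyone who later adds a config dump or debug endpoint.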
@@ -1,14 +1,15 @@ """Demo environment.""" from os import environ -GIT_COMMIT_ON_SAVE = True -GIT_USERNAME = "demo" -GIT_USER_EMAIL = "demo@example.com" +SPIFFWORKFLOW_BACKEND_GIT_COMMIT_ON_SAVE = True +SPIFFWORKFLOW_BACKEND_GIT_USERNAME = "demo" +SPIFFWORKFLOW_BACKEND_GIT_USER_EMAIL = "demo@example.com" SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME = environ.get( "SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME", default="terraform_deployed_environment.yml", ) -RUN_BACKGROUND_SCHEDULER = ( - environ.get("RUN_BACKGROUND_SCHEDULER", default="false") == "true" +SPIFFWORKFLOW_BACKEND_RUN_BACKGROUND_SCHEDULER = ( + environ.get("SPIFFWORKFLOW_BACKEND_RUN_BACKGROUND_SCHEDULER", default="false") + == "true" ) diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/dev.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/dev.py index cbbc269a8..ef0250604 100644 --- a/spiffworkflow-backend/src/spiffworkflow_backend/config/dev.py +++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/dev.py @@ -1,9 +1,14 @@ """Dev.""" from os import environ -GIT_BRANCH_TO_PUBLISH_TO = environ.get("GIT_BRANCH_TO_PUBLISH_TO", default="staging") -GIT_USERNAME = environ.get("GIT_USERNAME", default="sartography-automated-committer") -GIT_USER_EMAIL = environ.get( - "GIT_USER_EMAIL", default="sartography-automated-committer@users.noreply.github.com" +SPIFFWORKFLOW_BACKEND_GIT_PUBLISH_TARGET_BRANCH = environ.get( + "SPIFFWORKFLOW_BACKEND_GIT_PUBLISH_TARGET_BRANCH", default="staging" +) +SPIFFWORKFLOW_BACKEND_GIT_USERNAME = environ.get( + "SPIFFWORKFLOW_BACKEND_GIT_USERNAME", default="sartography-automated-committer" +) +SPIFFWORKFLOW_BACKEND_GIT_USER_EMAIL = environ.get( + "SPIFFWORKFLOW_BACKEND_GIT_USER_EMAIL", + default="sartography-automated-committer@users.noreply.github.com", ) SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME = "dev.yml" 
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/local_development.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/local_development.py index a1129c67e..197637b4e 100644 --- a/spiffworkflow-backend/src/spiffworkflow_backend/config/local_development.py +++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/local_development.py @@ -9,11 +9,15 @@ SPIFFWORKFLOW_BACKEND_LOG_LEVEL = environ.get( "SPIFFWORKFLOW_BACKEND_LOG_LEVEL", default="debug" ) -RUN_BACKGROUND_SCHEDULER = ( - environ.get("RUN_BACKGROUND_SCHEDULER", default="false") == "true" +SPIFFWORKFLOW_BACKEND_RUN_BACKGROUND_SCHEDULER = ( + environ.get("SPIFFWORKFLOW_BACKEND_RUN_BACKGROUND_SCHEDULER", default="false") + == "true" ) -GIT_CLONE_URL_FOR_PUBLISHING = environ.get( - "GIT_CLONE_URL", default="https://github.com/sartography/sample-process-models.git" +SPIFFWORKFLOW_BACKEND_GIT_PUBLISH_CLONE_URL = environ.get( + "SPIFFWORKFLOW_BACKEND_GIT_PUBLISH_CLONE_URL", + default="https://github.com/sartography/sample-process-models.git", +) +SPIFFWORKFLOW_BACKEND_GIT_USERNAME = "sartography-automated-committer" +SPIFFWORKFLOW_BACKEND_GIT_USER_EMAIL = ( + f"{SPIFFWORKFLOW_BACKEND_GIT_USERNAME}@users.noreply.github.com" ) -GIT_USERNAME = "sartography-automated-committer" -GIT_USER_EMAIL = f"{GIT_USERNAME}@users.noreply.github.com" diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/qa1.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/qa1.py index 8e8f4379c..ac56d84f1 100644 --- a/spiffworkflow-backend/src/spiffworkflow_backend/config/qa1.py +++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/qa1.py 
@@ -1,10 +1,15 @@ """Qa1.""" from os import environ -GIT_BRANCH_TO_PUBLISH_TO = environ.get("GIT_BRANCH_TO_PUBLISH_TO", default="qa2") -GIT_USERNAME = environ.get("GIT_USERNAME", default="sartography-automated-committer") -GIT_USER_EMAIL = environ.get( - "GIT_USER_EMAIL", default=f"{GIT_USERNAME}@users.noreply.github.com" +SPIFFWORKFLOW_BACKEND_GIT_PUBLISH_TARGET_BRANCH = environ.get( + "SPIFFWORKFLOW_BACKEND_GIT_PUBLISH_TARGET_BRANCH", default="qa2" +) +SPIFFWORKFLOW_BACKEND_GIT_USERNAME = environ.get( + "SPIFFWORKFLOW_BACKEND_GIT_USERNAME", default="sartography-automated-committer" +) +SPIFFWORKFLOW_BACKEND_GIT_USER_EMAIL = environ.get( + "SPIFFWORKFLOW_BACKEND_GIT_USER_EMAIL", + default=f"{SPIFFWORKFLOW_BACKEND_GIT_USERNAME}@users.noreply.github.com", ) SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME = environ.get( "SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME", default="qa1.yml" diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/qa2.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/qa2.py index 561954f64..f81d88645 100644 --- a/spiffworkflow-backend/src/spiffworkflow_backend/config/qa2.py +++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/qa2.py @@ -4,7 +4,11 @@ from os import environ SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME = environ.get( "SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME", default="qa1.yml" ) -SPIFFWORKFLOW_FRONTEND_URL = "https://qa2.spiffworkflow.org" -OPEN_ID_SERVER_URL = "https://qa2.spiffworkflow.org/keycloak/realms/spiffworkflow" +SPIFFWORKFLOW_BACKEND_URL_FOR_FRONTEND = "https://qa2.spiffworkflow.org" +SPIFFWORKFLOW_BACKEND_OPEN_ID_SERVER_URL = ( + "https://qa2.spiffworkflow.org/keycloak/realms/spiffworkflow" +) SPIFFWORKFLOW_BACKEND_URL = "https://qa2.spiffworkflow.org/api" -CONNECTOR_PROXY_URL = "https://qa2.spiffworkflow.org/connector-proxy" +SPIFFWORKFLOW_BACKEND_CONNECTOR_PROXY_URL = ( + "https://qa2.spiffworkflow.org/connector-proxy" +) 
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/sartography.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/sartography.py index 016076b93..083684742 100644 --- a/spiffworkflow-backend/src/spiffworkflow_backend/config/sartography.py +++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/sartography.py @@ -2,9 +2,14 @@ from os import environ environment_identifier_for_this_config_file_only = environ["SPIFFWORKFLOW_BACKEND_ENV"] -OPEN_ID_SERVER_URL = f"https://keycloak.{environment_identifier_for_this_config_file_only}.spiffworkflow.org/realms/sartography" -GIT_BRANCH = environ.get("GIT_BRANCH", default="main") -GIT_CLONE_URL_FOR_PUBLISHING = environ.get( - "GIT_CLONE_URL", +SPIFFWORKFLOW_BACKEND_OPEN_ID_SERVER_URL = ( + f"https://keycloak.{environment_identifier_for_this_config_file_only}" + ".spiffworkflow.org/realms/sartography" +) +SPIFFWORKFLOW_BACKEND_GIT_SOURCE_BRANCH = environ.get( + "SPIFFWORKFLOW_BACKEND_GIT_SOURCE_BRANCH", default="main" +) +SPIFFWORKFLOW_BACKEND_GIT_PUBLISH_CLONE_URL = environ.get( + "SPIFFWORKFLOW_BACKEND_GIT_PUBLISH_CLONE_URL", default="https://github.com/sartography/sartography-process-models.git", ) diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/staging.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/staging.py index 807163315..edfe36d79 100644 --- a/spiffworkflow-backend/src/spiffworkflow_backend/config/staging.py +++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/staging.py 
@@ -1,7 +1,11 @@ """Staging.""" from os import environ -GIT_BRANCH = environ.get("GIT_BRANCH", default="staging") -GIT_BRANCH_TO_PUBLISH_TO = environ.get("GIT_BRANCH_TO_PUBLISH_TO", default="main") -GIT_COMMIT_ON_SAVE = False +SPIFFWORKFLOW_BACKEND_GIT_SOURCE_BRANCH = environ.get( + "SPIFFWORKFLOW_BACKEND_GIT_SOURCE_BRANCH", default="staging" +) +SPIFFWORKFLOW_BACKEND_GIT_PUBLISH_TARGET_BRANCH = environ.get( + "SPIFFWORKFLOW_BACKEND_GIT_PUBLISH_TARGET_BRANCH", default="main" +) +SPIFFWORKFLOW_BACKEND_GIT_COMMIT_ON_SAVE = False SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME = "staging.yml" diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/terraform_deployed_environment.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/terraform_deployed_environment.py index efd451834..b3e5a1130 100644 --- a/spiffworkflow-backend/src/spiffworkflow_backend/config/terraform_deployed_environment.py +++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/terraform_deployed_environment.py 
@@ -4,26 +4,36 @@ from os import environ # default.py already ensured that this key existed as was not None environment_identifier_for_this_config_file_only = environ["SPIFFWORKFLOW_BACKEND_ENV"] -GIT_COMMIT_ON_SAVE = True -GIT_USERNAME = "sartography-automated-committer" -GIT_USER_EMAIL = f"{GIT_USERNAME}@users.noreply.github.com" +SPIFFWORKFLOW_BACKEND_GIT_COMMIT_ON_SAVE = True +SPIFFWORKFLOW_BACKEND_GIT_USERNAME = "sartography-automated-committer" +SPIFFWORKFLOW_BACKEND_GIT_USER_EMAIL = ( + f"{SPIFFWORKFLOW_BACKEND_GIT_USERNAME}@users.noreply.github.com" +) SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME = environ.get( "SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME", default="terraform_deployed_environment.yml", ) -RUN_BACKGROUND_SCHEDULER = ( - environ.get("RUN_BACKGROUND_SCHEDULER", default="false") == "true" +SPIFFWORKFLOW_BACKEND_RUN_BACKGROUND_SCHEDULER = ( + environ.get("SPIFFWORKFLOW_BACKEND_RUN_BACKGROUND_SCHEDULER", default="false") + == "true" ) -OPEN_ID_SERVER_URL = f"https://keycloak.{environment_identifier_for_this_config_file_only}.spiffworkflow.org/realms/spiffworkflow" -SPIFFWORKFLOW_FRONTEND_URL = ( +SPIFFWORKFLOW_BACKEND_OPEN_ID_SERVER_URL = ( + f"https://keycloak.{environment_identifier_for_this_config_file_only}" + ".spiffworkflow.org/realms/spiffworkflow" +) +SPIFFWORKFLOW_BACKEND_URL_FOR_FRONTEND = ( f"https://{environment_identifier_for_this_config_file_only}.spiffworkflow.org" ) SPIFFWORKFLOW_BACKEND_URL = ( f"https://api.{environment_identifier_for_this_config_file_only}.spiffworkflow.org" ) -CONNECTOR_PROXY_URL = f"https://connector-proxy.{environment_identifier_for_this_config_file_only}.spiffworkflow.org" -GIT_CLONE_URL_FOR_PUBLISHING = environ.get( - "GIT_CLONE_URL", default="https://github.com/sartography/sample-process-models.git" +SPIFFWORKFLOW_BACKEND_CONNECTOR_PROXY_URL = ( + f"https://connector-proxy.{environment_identifier_for_this_config_file_only}" + ".spiffworkflow.org" +) +SPIFFWORKFLOW_BACKEND_GIT_PUBLISH_CLONE_URL = 
environ.get( + "SPIFFWORKFLOW_BACKEND_GIT_PUBLISH_CLONE_URL", + default="https://github.com/sartography/sample-process-models.git", ) diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/unit_testing.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/unit_testing.py index 77f123e98..e486fe769 100644 --- a/spiffworkflow-backend/src/spiffworkflow_backend/config/unit_testing.py +++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/unit_testing.py @@ -15,11 +15,11 @@ SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME = environ.get( SPIFFWORKFLOW_BACKEND_LOG_LEVEL = environ.get( "SPIFFWORKFLOW_BACKEND_LOG_LEVEL", default="debug" ) -GIT_COMMIT_ON_SAVE = False +SPIFFWORKFLOW_BACKEND_GIT_COMMIT_ON_SAVE = False # NOTE: set this here since nox shoves tests and src code to # different places and this allows us to know exactly where we are at the start -BPMN_SPEC_ABSOLUTE_DIR = os.path.join( +SPIFFWORKFLOW_BACKEND_BPMN_SPEC_ABSOLUTE_DIR = os.path.join( os.path.dirname(__file__), "..", "..", diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/exceptions/api_error.py b/spiffworkflow-backend/src/spiffworkflow_backend/exceptions/api_error.py index bb6d84f4f..5fff05c2d 100644 --- a/spiffworkflow-backend/src/spiffworkflow_backend/exceptions/api_error.py +++ b/spiffworkflow-backend/src/spiffworkflow_backend/exceptions/api_error.py @@ -206,8 +206,12 @@ def handle_exception(exception: Exception) -> flask.wrappers.Response: f" {exception.error_code}" ) - organization_slug = current_app.config.get("SENTRY_ORGANIZATION_SLUG") - project_slug = current_app.config.get("SENTRY_PROJECT_SLUG") + organization_slug = current_app.config.get( + "SPIFFWORKFLOW_BACKEND_SENTRY_ORGANIZATION_SLUG" + ) + project_slug = current_app.config.get( + "SPIFFWORKFLOW_BACKEND_SENTRY_PROJECT_SLUG" + ) if organization_slug and project_slug: sentry_link = ( f"https://sentry.io/{organization_slug}/{project_slug}/events/{id}" 
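Review bot: `SPIFFWORKFLOW_BACKEND_RUN_BACKGROUND_SCHEDULER` in the terraform_deployed_environment.py hunk is true only for the exact string `true`, so `True`, `TRUE` or `1` leave the scheduler off without any error. Either normalise the value with `environ.get("SPIFFWORKFLOW_BACKEND_RUN_BACKGROUND_SCHEDULER", default="false").lower() == "true"`, or state the contract above the assignment with `# only the exact lowercase string "true" enables the scheduler`.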
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/templates/login.html b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/templates/login.html index a64322a4d..858355c36 100644 --- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/templates/login.html +++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/templates/login.html @@ -15,16 +15,16 @@

Important: This login form is for demonstration purposes only. In production systems you should be using a real Open ID System.

- +

- +

- +