diff --git a/core/build.gradle b/core/build.gradle
index dfa49c614..c29a9232e 100644
--- a/core/build.gradle
+++ b/core/build.gradle
@@ -153,7 +153,6 @@ dependencies {
   implementation deps['com.google.apis:google-api-services-monitoring']
   implementation deps['com.google.apis:google-api-services-sheets']
   implementation deps['com.google.apis:google-api-services-storage']
-  testImplementation deps['com.google.appengine:appengine-api-stubs']
   implementation deps['com.google.auth:google-auth-library-credentials']
   implementation deps['com.google.auth:google-auth-library-oauth2-http']
   implementation deps['com.google.cloud.bigdataoss:util']
@@ -250,10 +249,6 @@ dependencies {
   implementation deps['us.fatehi:schemacrawler-tools']
   implementation deps['xerces:xmlParserAPIs']
   implementation deps['org.ogce:xpp3']
-  // This dependency must come after javax.mail:mail as it would otherwise
-  // shadow classes in package javax.mail with its own implementation.
-  implementation deps['com.google.appengine:appengine-api-1.0-sdk']
-
   // Known issue: nebula-lint misses inherited dependency.
   implementation project(':common')
   testImplementation project(path: ':common', configuration: 'testing')
@@ -271,7 +266,6 @@ dependencies {
   testAnnotationProcessor project(':processor')
 
   testImplementation deps['com.google.cloud:google-cloud-nio']
-  testImplementation deps['com.google.appengine:appengine-testing']
   testImplementation deps['com.google.guava:guava-testlib']
   testImplementation deps['com.google.monitoring-client:contrib']
   testImplementation deps['com.google.protobuf:protobuf-java-util']
diff --git a/core/gradle.lockfile b/core/gradle.lockfile
index edd4f25af..32e668067 100644
--- a/core/gradle.lockfile
+++ b/core/gradle.lockfile
@@ -105,11 +105,6 @@ com.google.apis:google-api-services-sheets:v4-rev20240423-2.0.0=compileClasspath
 com.google.apis:google-api-services-sqladmin:v1beta4-rev20240324-2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-storage:v1-rev20240311-2.0.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath
 com.google.apis:google-api-services-storage:v1-rev20240319-2.0.0=testCompileClasspath,testRuntimeClasspath
-com.google.appengine:appengine-api-1.0-sdk:2.0.27=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.appengine:appengine-api-stubs:2.0.27=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.appengine:appengine-remote-api:2.0.27=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.appengine:appengine-testing:2.0.27=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.appengine:appengine-tools-sdk:2.0.27=deploy_jar,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auth:google-auth-library-credentials:1.23.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auth:google-auth-library-oauth2-http:1.23.0=compileClasspath,deploy_jar,nonprodCompileClasspath,nonprodRuntimeClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auto.service:auto-service-annotations:1.0.1=errorprone,nonprodAnnotationProcessor,testAnnotationProcessor
diff --git a/core/src/main/java/google/registry/batch/CannedScriptExecutionAction.java b/core/src/main/java/google/registry/batch/CannedScriptExecutionAction.java
index 9745ae6e3..44e2bdf90 100644
--- a/core/src/main/java/google/registry/batch/CannedScriptExecutionAction.java
+++ b/core/src/main/java/google/registry/batch/CannedScriptExecutionAction.java
@@ -46,7 +46,7 @@ import javax.net.ssl.HttpsURLConnection;
     path = "/_dr/task/executeCannedScript",
     method = {POST, GET},
     automaticallyPrintOk = true,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public class CannedScriptExecutionAction implements Runnable {
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
 
diff --git a/core/src/main/java/google/registry/batch/CheckBulkComplianceAction.java b/core/src/main/java/google/registry/batch/CheckBulkComplianceAction.java
index 19686ca25..7d6575338 100644
--- a/core/src/main/java/google/registry/batch/CheckBulkComplianceAction.java
+++ b/core/src/main/java/google/registry/batch/CheckBulkComplianceAction.java
@@ -38,10 +38,7 @@ import org.joda.time.Days;
  * An action that checks all {@link BulkPricingPackage} objects for compliance with their max create
  * limit.
  */
-@Action(
-    service = Service.BACKEND,
-    path = CheckBulkComplianceAction.PATH,
-    auth = Auth.AUTH_API_ADMIN)
+@Action(service = Service.BACKEND, path = CheckBulkComplianceAction.PATH, auth = Auth.AUTH_ADMIN)
 public class CheckBulkComplianceAction implements Runnable {
 
   public static final String PATH = "/_dr/task/checkBulkCompliance";
diff --git a/core/src/main/java/google/registry/batch/DeleteExpiredDomainsAction.java b/core/src/main/java/google/registry/batch/DeleteExpiredDomainsAction.java
index b94348e34..8bb14055a 100644
--- a/core/src/main/java/google/registry/batch/DeleteExpiredDomainsAction.java
+++ b/core/src/main/java/google/registry/batch/DeleteExpiredDomainsAction.java
@@ -69,7 +69,7 @@ import org.joda.time.Duration;
 @Action(
     service = Action.Service.BACKEND,
     path = DeleteExpiredDomainsAction.PATH,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public class DeleteExpiredDomainsAction implements Runnable {
 
   public static final String PATH = "/_dr/task/deleteExpiredDomains";
diff --git a/core/src/main/java/google/registry/batch/DeleteLoadTestDataAction.java b/core/src/main/java/google/registry/batch/DeleteLoadTestDataAction.java
index 7fed9c1a2..c817e61ad 100644
--- a/core/src/main/java/google/registry/batch/DeleteLoadTestDataAction.java
+++ b/core/src/main/java/google/registry/batch/DeleteLoadTestDataAction.java
@@ -56,7 +56,7 @@ import javax.inject.Inject;
     service = Action.Service.BACKEND,
     path = "/_dr/task/deleteLoadTestData",
     method = POST,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public class DeleteLoadTestDataAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/batch/DeleteProberDataAction.java b/core/src/main/java/google/registry/batch/DeleteProberDataAction.java
index 0d2ecd470..f39aa3075 100644
--- a/core/src/main/java/google/registry/batch/DeleteProberDataAction.java
+++ b/core/src/main/java/google/registry/batch/DeleteProberDataAction.java
@@ -61,7 +61,7 @@ import org.joda.time.Duration;
     service = Action.Service.BACKEND,
     path = "/_dr/task/deleteProberData",
     method = POST,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public class DeleteProberDataAction implements Runnable {
 
   // TODO(b/323026070): Add email alert on failure of this action
diff --git a/core/src/main/java/google/registry/batch/ExpandBillingRecurrencesAction.java b/core/src/main/java/google/registry/batch/ExpandBillingRecurrencesAction.java
index e7389823a..ce4ff474d 100644
--- a/core/src/main/java/google/registry/batch/ExpandBillingRecurrencesAction.java
+++ b/core/src/main/java/google/registry/batch/ExpandBillingRecurrencesAction.java
@@ -52,7 +52,7 @@ import org.joda.time.DateTime;
 @Action(
     service = Action.Service.BACKEND,
     path = "/_dr/task/expandBillingRecurrences",
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public class ExpandBillingRecurrencesAction implements Runnable {
 
   public static final String PARAM_START_TIME = "startTime";
diff --git a/core/src/main/java/google/registry/batch/RelockDomainAction.java b/core/src/main/java/google/registry/batch/RelockDomainAction.java
index 6410e092b..e81fe0387 100644
--- a/core/src/main/java/google/registry/batch/RelockDomainAction.java
+++ b/core/src/main/java/google/registry/batch/RelockDomainAction.java
@@ -53,7 +53,7 @@ import org.joda.time.Duration;
     path = RelockDomainAction.PATH,
     method = POST,
     automaticallyPrintOk = true,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public class RelockDomainAction implements Runnable {
 
   public static final String PATH = "/_dr/task/relockDomain";
diff --git a/core/src/main/java/google/registry/batch/ResaveAllEppResourcesPipelineAction.java b/core/src/main/java/google/registry/batch/ResaveAllEppResourcesPipelineAction.java
index 80e9aeec4..76e94fd7a 100644
--- a/core/src/main/java/google/registry/batch/ResaveAllEppResourcesPipelineAction.java
+++ b/core/src/main/java/google/registry/batch/ResaveAllEppResourcesPipelineAction.java
@@ -55,7 +55,7 @@ import javax.inject.Inject;
 @Action(
     service = Action.Service.BACKEND,
     path = ResaveAllEppResourcesPipelineAction.PATH,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public class ResaveAllEppResourcesPipelineAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/batch/ResaveEntityAction.java b/core/src/main/java/google/registry/batch/ResaveEntityAction.java
index 7fcb4505d..f27307800 100644
--- a/core/src/main/java/google/registry/batch/ResaveEntityAction.java
+++ b/core/src/main/java/google/registry/batch/ResaveEntityAction.java
@@ -40,7 +40,7 @@ import org.joda.time.DateTime;
 @Action(
     service = Action.Service.BACKEND,
     path = ResaveEntityAction.PATH,
-    auth = Auth.AUTH_API_ADMIN,
+    auth = Auth.AUTH_ADMIN,
     method = Method.POST)
 public class ResaveEntityAction implements Runnable {
 
diff --git a/core/src/main/java/google/registry/batch/SendExpiringCertificateNotificationEmailAction.java b/core/src/main/java/google/registry/batch/SendExpiringCertificateNotificationEmailAction.java
index 8582732b7..be46a49b7 100644
--- a/core/src/main/java/google/registry/batch/SendExpiringCertificateNotificationEmailAction.java
+++ b/core/src/main/java/google/registry/batch/SendExpiringCertificateNotificationEmailAction.java
@@ -51,7 +51,7 @@ import org.joda.time.format.DateTimeFormatter;
 @Action(
     service = Action.Service.BACKEND,
     path = SendExpiringCertificateNotificationEmailAction.PATH,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public class SendExpiringCertificateNotificationEmailAction implements Runnable {
 
   public static final String PATH = "/_dr/task/sendExpiringCertificateNotificationEmail";
diff --git a/core/src/main/java/google/registry/batch/WipeOutContactHistoryPiiAction.java b/core/src/main/java/google/registry/batch/WipeOutContactHistoryPiiAction.java
index 3ecffb341..564e8f914 100644
--- a/core/src/main/java/google/registry/batch/WipeOutContactHistoryPiiAction.java
+++ b/core/src/main/java/google/registry/batch/WipeOutContactHistoryPiiAction.java
@@ -51,7 +51,7 @@ import org.joda.time.DateTime;
 @Action(
     service = Service.BACKEND,
     path = WipeOutContactHistoryPiiAction.PATH,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public class WipeOutContactHistoryPiiAction implements Runnable {
 
   public static final String PATH = "/_dr/task/wipeOutContactHistoryPii";
diff --git a/core/src/main/java/google/registry/bsa/BsaDownloadAction.java b/core/src/main/java/google/registry/bsa/BsaDownloadAction.java
index 4e25e894f..f2dba1458 100644
--- a/core/src/main/java/google/registry/bsa/BsaDownloadAction.java
+++ b/core/src/main/java/google/registry/bsa/BsaDownloadAction.java
@@ -53,7 +53,7 @@ import javax.inject.Inject;
     service = Action.Service.BSA,
     path = BsaDownloadAction.PATH,
     method = {GET, POST},
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public class BsaDownloadAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/bsa/BsaRefreshAction.java b/core/src/main/java/google/registry/bsa/BsaRefreshAction.java
index d79e7eb74..6bc20e519 100644
--- a/core/src/main/java/google/registry/bsa/BsaRefreshAction.java
+++ b/core/src/main/java/google/registry/bsa/BsaRefreshAction.java
@@ -44,7 +44,7 @@ import org.joda.time.Duration;
     service = Action.Service.BSA,
     path = BsaRefreshAction.PATH,
     method = {GET, POST},
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public class BsaRefreshAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/bsa/BsaValidateAction.java b/core/src/main/java/google/registry/bsa/BsaValidateAction.java
index ff1785035..5cbcd1d6d 100644
--- a/core/src/main/java/google/registry/bsa/BsaValidateAction.java
+++ b/core/src/main/java/google/registry/bsa/BsaValidateAction.java
@@ -70,7 +70,7 @@ import org.joda.time.Duration;
     service = Action.Service.BSA,
     path = BsaValidateAction.PATH,
     method = {GET, POST},
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public class BsaValidateAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/bsa/UploadBsaUnavailableDomainsAction.java b/core/src/main/java/google/registry/bsa/UploadBsaUnavailableDomainsAction.java
index a9b0fe8bf..5e59c0718 100644
--- a/core/src/main/java/google/registry/bsa/UploadBsaUnavailableDomainsAction.java
+++ b/core/src/main/java/google/registry/bsa/UploadBsaUnavailableDomainsAction.java
@@ -75,7 +75,7 @@ import org.joda.time.DateTime;
     service = Service.BSA,
     path = "/_dr/task/uploadBsaUnavailableNames",
     method = {GET, POST},
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public class UploadBsaUnavailableDomainsAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/cron/TldFanoutAction.java b/core/src/main/java/google/registry/cron/TldFanoutAction.java
index 1e76c565c..3c82f3b56 100644
--- a/core/src/main/java/google/registry/cron/TldFanoutAction.java
+++ b/core/src/main/java/google/registry/cron/TldFanoutAction.java
@@ -81,7 +81,7 @@ import javax.inject.Inject;
     service = Action.Service.BACKEND,
     path = "/_dr/cron/fanout",
     automaticallyPrintOk = true,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public final class TldFanoutAction implements Runnable {
 
   /** A set of control params to TldFanoutAction that aren't passed down to the executing action. */
diff --git a/core/src/main/java/google/registry/dns/PublishDnsUpdatesAction.java b/core/src/main/java/google/registry/dns/PublishDnsUpdatesAction.java
index 49e11aff9..10a4d0cbe 100644
--- a/core/src/main/java/google/registry/dns/PublishDnsUpdatesAction.java
+++ b/core/src/main/java/google/registry/dns/PublishDnsUpdatesAction.java
@@ -77,7 +77,7 @@ import org.joda.time.Duration;
     path = PublishDnsUpdatesAction.PATH,
     method = POST,
     automaticallyPrintOk = true,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public final class PublishDnsUpdatesAction implements Runnable, Callable<Void> {
 
   public static final String PATH = "/_dr/task/publishDnsUpdates";
diff --git a/core/src/main/java/google/registry/dns/ReadDnsRefreshRequestsAction.java b/core/src/main/java/google/registry/dns/ReadDnsRefreshRequestsAction.java
index 257cd4bc1..cdaa8a0aa 100644
--- a/core/src/main/java/google/registry/dns/ReadDnsRefreshRequestsAction.java
+++ b/core/src/main/java/google/registry/dns/ReadDnsRefreshRequestsAction.java
@@ -64,7 +64,7 @@ import org.joda.time.Duration;
     path = "/_dr/task/readDnsRefreshRequests",
     automaticallyPrintOk = true,
     method = POST,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public final class ReadDnsRefreshRequestsAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/dns/RefreshDnsAction.java b/core/src/main/java/google/registry/dns/RefreshDnsAction.java
index d543f7396..ac09fd764 100644
--- a/core/src/main/java/google/registry/dns/RefreshDnsAction.java
+++ b/core/src/main/java/google/registry/dns/RefreshDnsAction.java
@@ -38,7 +38,7 @@ import javax.inject.Inject;
     service = Action.Service.BACKEND,
     path = "/_dr/dnsRefresh",
     automaticallyPrintOk = true,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public final class RefreshDnsAction implements Runnable {
 
   private final Clock clock;
diff --git a/core/src/main/java/google/registry/dns/RefreshDnsOnHostRenameAction.java b/core/src/main/java/google/registry/dns/RefreshDnsOnHostRenameAction.java
index 2dc26c1cd..72c020fc1 100644
--- a/core/src/main/java/google/registry/dns/RefreshDnsOnHostRenameAction.java
+++ b/core/src/main/java/google/registry/dns/RefreshDnsOnHostRenameAction.java
@@ -33,11 +33,7 @@ import google.registry.request.auth.Auth;
 import javax.inject.Inject;
 import org.joda.time.DateTime;
 
-@Action(
-    service = Service.BACKEND,
-    path = PATH,
-    method = Action.Method.POST,
-    auth = Auth.AUTH_API_ADMIN)
+@Action(service = Service.BACKEND, path = PATH, method = Action.Method.POST, auth = Auth.AUTH_ADMIN)
 public class RefreshDnsOnHostRenameAction implements Runnable {
 
   public static final String QUEUE_HOST_RENAME = "async-host-rename";
diff --git a/core/src/main/java/google/registry/export/ExportDomainListsAction.java b/core/src/main/java/google/registry/export/ExportDomainListsAction.java
index 7cb2fc224..e722d337c 100644
--- a/core/src/main/java/google/registry/export/ExportDomainListsAction.java
+++ b/core/src/main/java/google/registry/export/ExportDomainListsAction.java
@@ -49,7 +49,7 @@ import javax.inject.Inject;
     service = Action.Service.BACKEND,
     path = "/_dr/task/exportDomainLists",
     method = POST,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public class ExportDomainListsAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/export/ExportPremiumTermsAction.java b/core/src/main/java/google/registry/export/ExportPremiumTermsAction.java
index 62b865624..a3f61b5d2 100644
--- a/core/src/main/java/google/registry/export/ExportPremiumTermsAction.java
+++ b/core/src/main/java/google/registry/export/ExportPremiumTermsAction.java
@@ -48,7 +48,7 @@ import javax.inject.Inject;
     service = Action.Service.BACKEND,
     path = "/_dr/task/exportPremiumTerms",
     method = POST,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public class ExportPremiumTermsAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/export/ExportReservedTermsAction.java b/core/src/main/java/google/registry/export/ExportReservedTermsAction.java
index 8cdb565cc..2ac192c54 100644
--- a/core/src/main/java/google/registry/export/ExportReservedTermsAction.java
+++ b/core/src/main/java/google/registry/export/ExportReservedTermsAction.java
@@ -37,7 +37,7 @@ import javax.inject.Inject;
     service = Action.Service.BACKEND,
     path = "/_dr/task/exportReservedTerms",
     method = POST,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public class ExportReservedTermsAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/export/SyncGroupMembersAction.java b/core/src/main/java/google/registry/export/SyncGroupMembersAction.java
index 326d88775..8f1cebf72 100644
--- a/core/src/main/java/google/registry/export/SyncGroupMembersAction.java
+++ b/core/src/main/java/google/registry/export/SyncGroupMembersAction.java
@@ -56,7 +56,7 @@ import javax.inject.Inject;
     service = Action.Service.BACKEND,
     path = "/_dr/task/syncGroupMembers",
     method = POST,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public final class SyncGroupMembersAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/export/sheet/SyncRegistrarsSheetAction.java b/core/src/main/java/google/registry/export/sheet/SyncRegistrarsSheetAction.java
index 443068fea..d19d43481 100644
--- a/core/src/main/java/google/registry/export/sheet/SyncRegistrarsSheetAction.java
+++ b/core/src/main/java/google/registry/export/sheet/SyncRegistrarsSheetAction.java
@@ -57,7 +57,7 @@ import org.joda.time.Duration;
     service = Action.Service.BACKEND,
     path = SyncRegistrarsSheetAction.PATH,
     method = POST,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public class SyncRegistrarsSheetAction implements Runnable {
 
   private enum Result {
diff --git a/core/src/main/java/google/registry/flows/EppTlsAction.java b/core/src/main/java/google/registry/flows/EppTlsAction.java
index 07cf78c73..908bbd1a8 100644
--- a/core/src/main/java/google/registry/flows/EppTlsAction.java
+++ b/core/src/main/java/google/registry/flows/EppTlsAction.java
@@ -29,7 +29,7 @@ import javax.inject.Inject;
     service = Action.Service.DEFAULT,
     path = "/_dr/epp",
     method = Method.POST,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public class EppTlsAction implements Runnable {
 
   @Inject @Payload byte[] inputXmlBytes;
diff --git a/core/src/main/java/google/registry/flows/EppToolAction.java b/core/src/main/java/google/registry/flows/EppToolAction.java
index b5624637c..0e1312cef 100644
--- a/core/src/main/java/google/registry/flows/EppToolAction.java
+++ b/core/src/main/java/google/registry/flows/EppToolAction.java
@@ -33,7 +33,7 @@ import javax.inject.Inject;
     service = Action.Service.TOOLS,
     path = EppToolAction.PATH,
     method = Method.POST,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public class EppToolAction implements Runnable {
 
   public static final String PATH = "/_dr/epptool";
diff --git a/core/src/main/java/google/registry/loadtest/LoadTestAction.java b/core/src/main/java/google/registry/loadtest/LoadTestAction.java
index 354140ed6..d37830bc1 100644
--- a/core/src/main/java/google/registry/loadtest/LoadTestAction.java
+++ b/core/src/main/java/google/registry/loadtest/LoadTestAction.java
@@ -58,7 +58,7 @@ import org.joda.time.DateTime;
     path = LoadTestAction.PATH,
     method = Action.Method.POST,
     automaticallyPrintOk = true,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public class LoadTestAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
@@ -350,9 +350,8 @@ public class LoadTestAction implements Runnable {
                       .toBuilder()
                       .getAppEngineHttpRequest()
                       .toBuilder()
-                      // instead of adding the X_CSRF_TOKEN to params, this remains as part of
-                      // headers because of the existing setup for authentication in {@link
-                      // google.registry.request.auth.LegacyAuthenticationMechanism}
+                      // TODO: investigate if the following is necessary now that
+                      // LegacyAuthenticationMechanism is gone.
                       .putHeaders(X_CSRF_TOKEN, xsrfToken)
                       .build())
               .setScheduleTime(
diff --git a/core/src/main/java/google/registry/model/annotations/DeleteAfterMigration.java b/core/src/main/java/google/registry/model/annotations/DeleteAfterMigration.java
deleted file mode 100644
index 320c8b8f6..000000000
--- a/core/src/main/java/google/registry/model/annotations/DeleteAfterMigration.java
+++ /dev/null
@@ -1,20 +0,0 @@
-// Copyright 2021 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.model.annotations;
-
-/**
- * Annotation to indicate a class that should be deleted after the database migration is complete.
- */
-public @interface DeleteAfterMigration {}
diff --git a/core/src/main/java/google/registry/module/RegistryComponent.java b/core/src/main/java/google/registry/module/RegistryComponent.java
index 6d400950a..f131ba878 100644
--- a/core/src/main/java/google/registry/module/RegistryComponent.java
+++ b/core/src/main/java/google/registry/module/RegistryComponent.java
@@ -47,7 +47,6 @@ import google.registry.rde.JSchModule;
 import google.registry.request.Modules.GsonModule;
 import google.registry.request.Modules.NetHttpTransportModule;
 import google.registry.request.Modules.UrlConnectionServiceModule;
-import google.registry.request.Modules.UserServiceModule;
 import google.registry.request.RequestHandler;
 import google.registry.request.auth.AuthModule;
 import google.registry.request.auth.RequestAuthenticator;
@@ -88,7 +87,6 @@ import javax.inject.Singleton;
       SheetsServiceModule.class,
       StackdriverModule.class,
       UrlConnectionServiceModule.class,
-      UserServiceModule.class,
       UtilsModule.class,
       VoidDnsWriterModule.class,
     })
diff --git a/core/src/main/java/google/registry/module/backend/BackendComponent.java b/core/src/main/java/google/registry/module/backend/BackendComponent.java
index a8415c79d..493ba5d7a 100644
--- a/core/src/main/java/google/registry/module/backend/BackendComponent.java
+++ b/core/src/main/java/google/registry/module/backend/BackendComponent.java
@@ -43,7 +43,6 @@ import google.registry.rde.JSchModule;
 import google.registry.request.Modules.GsonModule;
 import google.registry.request.Modules.NetHttpTransportModule;
 import google.registry.request.Modules.UrlConnectionServiceModule;
-import google.registry.request.Modules.UserServiceModule;
 import google.registry.request.auth.AuthModule;
 import google.registry.util.UtilsModule;
 import javax.inject.Singleton;
@@ -78,7 +77,6 @@ import javax.inject.Singleton;
       SheetsServiceModule.class,
       StackdriverModule.class,
       UrlConnectionServiceModule.class,
-      UserServiceModule.class,
       VoidDnsWriterModule.class,
       UtilsModule.class
     })
diff --git a/core/src/main/java/google/registry/module/bsa/BsaComponent.java b/core/src/main/java/google/registry/module/bsa/BsaComponent.java
index af091ebac..1f5389eb0 100644
--- a/core/src/main/java/google/registry/module/bsa/BsaComponent.java
+++ b/core/src/main/java/google/registry/module/bsa/BsaComponent.java
@@ -28,7 +28,6 @@ import google.registry.persistence.PersistenceModule;
 import google.registry.privileges.secretmanager.SecretManagerModule;
 import google.registry.request.Modules.GsonModule;
 import google.registry.request.Modules.UrlConnectionServiceModule;
-import google.registry.request.Modules.UserServiceModule;
 import google.registry.request.auth.AuthModule;
 import google.registry.util.UtilsModule;
 import javax.inject.Singleton;
@@ -48,7 +47,6 @@ import javax.inject.Singleton;
       SecretManagerModule.class,
       StackdriverModule.class,
       UrlConnectionServiceModule.class,
-      UserServiceModule.class,
       UtilsModule.class
     })
 interface BsaComponent {
diff --git a/core/src/main/java/google/registry/module/frontend/FrontendComponent.java b/core/src/main/java/google/registry/module/frontend/FrontendComponent.java
index dcbd7d28a..3c6dbadf9 100644
--- a/core/src/main/java/google/registry/module/frontend/FrontendComponent.java
+++ b/core/src/main/java/google/registry/module/frontend/FrontendComponent.java
@@ -35,7 +35,6 @@ import google.registry.monitoring.whitebox.StackdriverModule;
 import google.registry.privileges.secretmanager.SecretManagerModule;
 import google.registry.request.Modules.GsonModule;
 import google.registry.request.Modules.NetHttpTransportModule;
-import google.registry.request.Modules.UserServiceModule;
 import google.registry.request.auth.AuthModule;
 import google.registry.ui.ConsoleDebug.ConsoleConfigModule;
 import google.registry.util.UtilsModule;
@@ -66,7 +65,6 @@ import javax.inject.Singleton;
       SecretManagerModule.class,
       ServerTridProviderModule.class,
       StackdriverModule.class,
-      UserServiceModule.class,
       UtilsModule.class
     })
 interface FrontendComponent {
diff --git a/core/src/main/java/google/registry/module/pubapi/PubApiComponent.java b/core/src/main/java/google/registry/module/pubapi/PubApiComponent.java
index 7ace50b01..42df55c07 100644
--- a/core/src/main/java/google/registry/module/pubapi/PubApiComponent.java
+++ b/core/src/main/java/google/registry/module/pubapi/PubApiComponent.java
@@ -34,7 +34,6 @@ import google.registry.persistence.PersistenceModule;
 import google.registry.privileges.secretmanager.SecretManagerModule;
 import google.registry.request.Modules.GsonModule;
 import google.registry.request.Modules.NetHttpTransportModule;
-import google.registry.request.Modules.UserServiceModule;
 import google.registry.request.auth.AuthModule;
 import google.registry.util.UtilsModule;
 import javax.inject.Singleton;
@@ -61,7 +60,6 @@ import javax.inject.Singleton;
       SecretManagerModule.class,
       ServerTridProviderModule.class,
       StackdriverModule.class,
-      UserServiceModule.class,
       UtilsModule.class
     })
 interface PubApiComponent {
diff --git a/core/src/main/java/google/registry/module/tools/ToolsComponent.java b/core/src/main/java/google/registry/module/tools/ToolsComponent.java
index 4e0d26814..be38f4390 100644
--- a/core/src/main/java/google/registry/module/tools/ToolsComponent.java
+++ b/core/src/main/java/google/registry/module/tools/ToolsComponent.java
@@ -35,7 +35,6 @@ import google.registry.monitoring.whitebox.StackdriverModule;
 import google.registry.privileges.secretmanager.SecretManagerModule;
 import google.registry.request.Modules.GsonModule;
 import google.registry.request.Modules.NetHttpTransportModule;
-import google.registry.request.Modules.UserServiceModule;
 import google.registry.request.auth.AuthModule;
 import google.registry.util.UtilsModule;
 import javax.inject.Singleton;
@@ -63,7 +62,6 @@ import javax.inject.Singleton;
       ServerTridProviderModule.class,
       StackdriverModule.class,
       ToolsRequestComponentModule.class,
-      UserServiceModule.class,
       UtilsModule.class
     })
 interface ToolsComponent {
diff --git a/core/src/main/java/google/registry/rdap/RdapModule.java b/core/src/main/java/google/registry/rdap/RdapModule.java
index f013ee2d5..97ec0cd74 100644
--- a/core/src/main/java/google/registry/rdap/RdapModule.java
+++ b/core/src/main/java/google/registry/rdap/RdapModule.java
@@ -18,11 +18,11 @@ import com.google.common.collect.ImmutableSet;
 import com.google.common.flogger.FluentLogger;
 import dagger.Module;
 import dagger.Provides;
+import google.registry.model.console.User;
 import google.registry.request.Parameter;
 import google.registry.request.RequestParameters;
 import google.registry.request.auth.AuthResult;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor;
-import google.registry.request.auth.UserAuthInfo;
 import jakarta.servlet.http.HttpServletRequest;
 import java.util.Optional;
 
@@ -101,11 +101,11 @@ public final class RdapModule {
   @Provides
   static RdapAuthorization provideRdapAuthorization(
       AuthResult authResult, AuthenticatedRegistrarAccessor registrarAccessor) {
-    if (authResult.userAuthInfo().isEmpty()) {
+    if (authResult.user().isEmpty()) {
       return RdapAuthorization.PUBLIC_AUTHORIZATION;
     }
-    UserAuthInfo userAuthInfo = authResult.userAuthInfo().get();
-    if (userAuthInfo.isUserAdmin()) {
+    User user = authResult.user().get();
+    if (user.getUserRoles().isAdmin()) {
       return RdapAuthorization.ADMINISTRATOR_AUTHORIZATION;
     }
     ImmutableSet<String> clientIds = registrarAccessor.getAllRegistrarIdsWithRoles().keySet();
diff --git a/core/src/main/java/google/registry/rdap/UpdateRegistrarRdapBaseUrlsAction.java b/core/src/main/java/google/registry/rdap/UpdateRegistrarRdapBaseUrlsAction.java
index 64965d3b7..583115d3b 100644
--- a/core/src/main/java/google/registry/rdap/UpdateRegistrarRdapBaseUrlsAction.java
+++ b/core/src/main/java/google/registry/rdap/UpdateRegistrarRdapBaseUrlsAction.java
@@ -55,7 +55,7 @@ import org.apache.commons.csv.CSVRecord;
     service = Action.Service.BACKEND,
     path = "/_dr/task/updateRegistrarRdapBaseUrls",
     automaticallyPrintOk = true,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public final class UpdateRegistrarRdapBaseUrlsAction implements Runnable {
 
   private static final String RDAP_IDS_URL =
diff --git a/core/src/main/java/google/registry/rde/BrdaCopyAction.java b/core/src/main/java/google/registry/rde/BrdaCopyAction.java
index 25c653b8e..f59546bfe 100644
--- a/core/src/main/java/google/registry/rde/BrdaCopyAction.java
+++ b/core/src/main/java/google/registry/rde/BrdaCopyAction.java
@@ -66,7 +66,7 @@ import org.joda.time.DateTime;
     path = BrdaCopyAction.PATH,
     method = POST,
     automaticallyPrintOk = true,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public final class BrdaCopyAction implements Runnable {
 
   public static final String PATH = "/_dr/task/brdaCopy";
diff --git a/core/src/main/java/google/registry/rde/RdeReportAction.java b/core/src/main/java/google/registry/rde/RdeReportAction.java
index 555a52b04..9717bfa1f 100644
--- a/core/src/main/java/google/registry/rde/RdeReportAction.java
+++ b/core/src/main/java/google/registry/rde/RdeReportAction.java
@@ -56,7 +56,7 @@ import org.joda.time.Duration;
     service = Action.Service.BACKEND,
     path = RdeReportAction.PATH,
     method = POST,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public final class RdeReportAction implements Runnable, EscrowTask {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/rde/RdeStagingAction.java b/core/src/main/java/google/registry/rde/RdeStagingAction.java
index a56a32065..2cd97a560 100644
--- a/core/src/main/java/google/registry/rde/RdeStagingAction.java
+++ b/core/src/main/java/google/registry/rde/RdeStagingAction.java
@@ -207,7 +207,7 @@ import org.joda.time.Duration;
     service = Action.Service.BACKEND,
     path = RdeStagingAction.PATH,
     method = {GET, POST},
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public final class RdeStagingAction implements Runnable {
 
   public static final String PATH = "/_dr/task/rdeStaging";
diff --git a/core/src/main/java/google/registry/rde/RdeUploadAction.java b/core/src/main/java/google/registry/rde/RdeUploadAction.java
index 2ff4906a8..a3f80eb1e 100644
--- a/core/src/main/java/google/registry/rde/RdeUploadAction.java
+++ b/core/src/main/java/google/registry/rde/RdeUploadAction.java
@@ -87,7 +87,7 @@ import org.joda.time.Duration;
     service = Action.Service.BACKEND,
     path = RdeUploadAction.PATH,
     method = POST,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public final class RdeUploadAction implements Runnable, EscrowTask {
 
   public static final String PATH = "/_dr/task/rdeUpload";
diff --git a/core/src/main/java/google/registry/reporting/billing/CopyDetailReportsAction.java b/core/src/main/java/google/registry/reporting/billing/CopyDetailReportsAction.java
index a7070654e..12856410e 100644
--- a/core/src/main/java/google/registry/reporting/billing/CopyDetailReportsAction.java
+++ b/core/src/main/java/google/registry/reporting/billing/CopyDetailReportsAction.java
@@ -47,7 +47,7 @@ import javax.inject.Inject;
     service = Action.Service.BACKEND,
     path = CopyDetailReportsAction.PATH,
     method = POST,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public final class CopyDetailReportsAction implements Runnable {
 
   public static final String PATH = "/_dr/task/copyDetailReports";
diff --git a/core/src/main/java/google/registry/reporting/billing/GenerateInvoicesAction.java b/core/src/main/java/google/registry/reporting/billing/GenerateInvoicesAction.java
index 4ec5b7902..bc81da2b5 100644
--- a/core/src/main/java/google/registry/reporting/billing/GenerateInvoicesAction.java
+++ b/core/src/main/java/google/registry/reporting/billing/GenerateInvoicesAction.java
@@ -54,7 +54,7 @@ import org.joda.time.YearMonth;
     service = Action.Service.BACKEND,
     path = GenerateInvoicesAction.PATH,
     method = POST,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public class GenerateInvoicesAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/reporting/billing/PublishInvoicesAction.java b/core/src/main/java/google/registry/reporting/billing/PublishInvoicesAction.java
index a5875fcb0..8ac43e2ad 100644
--- a/core/src/main/java/google/registry/reporting/billing/PublishInvoicesAction.java
+++ b/core/src/main/java/google/registry/reporting/billing/PublishInvoicesAction.java
@@ -52,7 +52,7 @@ import org.joda.time.YearMonth;
     service = Action.Service.BACKEND,
     path = PublishInvoicesAction.PATH,
     method = POST,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public class PublishInvoicesAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/reporting/icann/IcannReportingStagingAction.java b/core/src/main/java/google/registry/reporting/icann/IcannReportingStagingAction.java
index f323441a8..eb8d7f278 100644
--- a/core/src/main/java/google/registry/reporting/icann/IcannReportingStagingAction.java
+++ b/core/src/main/java/google/registry/reporting/icann/IcannReportingStagingAction.java
@@ -67,7 +67,7 @@ import org.joda.time.format.DateTimeFormat;
     service = Action.Service.BACKEND,
     path = IcannReportingStagingAction.PATH,
     method = POST,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public final class IcannReportingStagingAction implements Runnable {
 
   static final String PATH = "/_dr/task/icannReportingStaging";
diff --git a/core/src/main/java/google/registry/reporting/icann/IcannReportingUploadAction.java b/core/src/main/java/google/registry/reporting/icann/IcannReportingUploadAction.java
index d35b58d06..6cce2cb28 100644
--- a/core/src/main/java/google/registry/reporting/icann/IcannReportingUploadAction.java
+++ b/core/src/main/java/google/registry/reporting/icann/IcannReportingUploadAction.java
@@ -70,7 +70,7 @@ import org.joda.time.Duration;
     service = Action.Service.BACKEND,
     path = IcannReportingUploadAction.PATH,
     method = POST,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public final class IcannReportingUploadAction implements Runnable {
 
   static final String PATH = "/_dr/task/icannReportingUpload";
diff --git a/core/src/main/java/google/registry/reporting/spec11/GenerateSpec11ReportAction.java b/core/src/main/java/google/registry/reporting/spec11/GenerateSpec11ReportAction.java
index 3b147cfb5..b95d8f347 100644
--- a/core/src/main/java/google/registry/reporting/spec11/GenerateSpec11ReportAction.java
+++ b/core/src/main/java/google/registry/reporting/spec11/GenerateSpec11ReportAction.java
@@ -53,7 +53,7 @@ import org.joda.time.LocalDate;
     service = Action.Service.BACKEND,
     path = GenerateSpec11ReportAction.PATH,
     method = POST,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public class GenerateSpec11ReportAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/reporting/spec11/PublishSpec11ReportAction.java b/core/src/main/java/google/registry/reporting/spec11/PublishSpec11ReportAction.java
index b9657efa8..43c16db57 100644
--- a/core/src/main/java/google/registry/reporting/spec11/PublishSpec11ReportAction.java
+++ b/core/src/main/java/google/registry/reporting/spec11/PublishSpec11ReportAction.java
@@ -59,7 +59,7 @@ import org.json.JSONException;
     service = Action.Service.BACKEND,
     path = PublishSpec11ReportAction.PATH,
     method = POST,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public class PublishSpec11ReportAction implements Runnable {
 
   static final String PATH = "/_dr/task/publishSpec11";
diff --git a/core/src/main/java/google/registry/request/Modules.java b/core/src/main/java/google/registry/request/Modules.java
index 2a0fe638e..5dabb8600 100644
--- a/core/src/main/java/google/registry/request/Modules.java
+++ b/core/src/main/java/google/registry/request/Modules.java
@@ -18,8 +18,6 @@ import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
 import com.google.api.client.http.javanet.NetHttpTransport;
 import com.google.api.client.json.JsonFactory;
 import com.google.api.client.json.gson.GsonFactory;
-import com.google.appengine.api.users.UserService;
-import com.google.appengine.api.users.UserServiceFactory;
 import dagger.Module;
 import dagger.Provides;
 import java.net.HttpURLConnection;
@@ -47,17 +45,6 @@ public final class Modules {
     }
   }
 
-  /** Dagger module for {@link UserService}. */
-  @Module
-  public static final class UserServiceModule {
-    private static final UserService userService = UserServiceFactory.getUserService();
-
-    @Provides
-    static UserService provideUserService() {
-      return userService;
-    }
-  }
-
   /** Dagger module that causes the Google GSON parser to be used for Google APIs requests. */
   @Module
   public static final class GsonModule {
@@ -67,10 +54,7 @@ public final class Modules {
     }
   }
 
-  /**
-   * Dagger module that provides standard {@link NetHttpTransport}. Used in non App Engine
-   * environment.
-   */
+  /** Dagger module that provides standard {@link NetHttpTransport}. */
   @Module
   public static final class NetHttpTransportModule {
 
diff --git a/core/src/main/java/google/registry/request/RouterDisplayHelper.java b/core/src/main/java/google/registry/request/RouterDisplayHelper.java
index c03d8d140..53091ae42 100644
--- a/core/src/main/java/google/registry/request/RouterDisplayHelper.java
+++ b/core/src/main/java/google/registry/request/RouterDisplayHelper.java
@@ -27,7 +27,7 @@ import java.util.Map;
  * Utility class to help in dumping routing maps.
  *
  * <p>Each of the App Engine services (frontend, backend, and tools) has a Dagger component used for
- * routing requests (e.g. FrontendRequestComponent). This class produces a text file representation
+ * routing requests (e.g., FrontendRequestComponent). This class produces a text file representation
  * of the routing configuration, showing what paths map to what action classes, as well as the
  * properties of the action classes' annotations (which cover things like allowable HTTP methods,
  * authentication settings, etc.). The text file can be useful for documentation, and is also used
@@ -37,13 +37,12 @@ import java.util.Map;
  * the content to be displayed. The columns are:
  *
  * <ol>
- * <li>the URL path which maps to this action (with a "(*)" after it if the prefix flag is set)
- * <li>the simple name of the action class
- * <li>the allowable HTTP methods
- * <li>whether to automatically print "ok" in the response
- * <li>the allowable authentication methods
- * <li>the minimum authentication level
- * <li>the user policy
+ *   <li>the URL path which maps to this action (with a "(*)" after it if the prefix flag is set)
+ *   <li>the simple name of the action class
+ *   <li>the allowable HTTP methods
+ *   <li>whether to automatically print "ok" in the response
+ *   <li>the minimum authentication level
+ *   <li>the user policy
  * </ol>
  *
  * <p>See the Auth class for more information about authentication settings.
@@ -53,11 +52,9 @@ public class RouterDisplayHelper {
   private static final String PATH = "path";
   private static final String CLASS = "class";
   private static final String METHODS = "methods";
-  private static final String AUTH_METHODS = "authMethods";
   private static final String MINIMUM_LEVEL = "minLevel";
 
-  private static final String FORMAT =
-      "%%-%ds %%-%ds %%-%ds %%-2s %%-%ds %%-%ds %%s";
+  private static final String FORMAT = "%%-%ds %%-%ds %%-%ds %%-2s %%-%ds %%s";
 
   /** Returns a string representation of the routing map in the specified component. */
   public static String extractHumanReadableRoutesFromComponent(Class<?> componentClass) {
@@ -82,7 +79,6 @@ public class RouterDisplayHelper {
         columnWidths.get(PATH),
         columnWidths.get(CLASS),
         columnWidths.get(METHODS),
-        columnWidths.get(AUTH_METHODS),
         columnWidths.get(MINIMUM_LEVEL));
   }
 
@@ -93,7 +89,6 @@ public class RouterDisplayHelper {
         "CLASS",
         "METHODS",
         "OK",
-        "AUTH_METHODS",
         "MIN",
         "USER_POLICY");
   }
@@ -105,7 +100,6 @@ public class RouterDisplayHelper {
         route.actionClass().getSimpleName(),
         Joiner.on(",").join(route.action().method()),
         route.action().automaticallyPrintOk() ? "y" : "n",
-        Joiner.on(",").join(route.action().auth().authSettings().methods()),
         route.action().auth().authSettings().minimumLevel(),
         route.action().auth().authSettings().userPolicy());
   }
@@ -116,7 +110,6 @@ public class RouterDisplayHelper {
     int pathWidth = 4;
     int classWidth = 5;
     int methodsWidth = 7;
-    int authMethodsWidth = 12;
     int minLevelWidth = 3;
     for (Route route : routes) {
       int len =
@@ -134,10 +127,6 @@ public class RouterDisplayHelper {
       if (len > methodsWidth) {
         methodsWidth = len;
       }
-      len = Joiner.on(",").join(route.action().auth().authSettings().methods()).length();
-      if (len > authMethodsWidth) {
-        authMethodsWidth = len;
-      }
       len = route.action().auth().authSettings().minimumLevel().toString().length();
       if (len > minLevelWidth) {
         minLevelWidth = len;
@@ -149,7 +138,6 @@ public class RouterDisplayHelper {
                 .put(PATH, pathWidth)
                 .put(CLASS, classWidth)
                 .put(METHODS, methodsWidth)
-                .put(AUTH_METHODS, authMethodsWidth)
                 .put(MINIMUM_LEVEL, minLevelWidth)
                 .build());
     return headerToString(formatString)
diff --git a/core/src/main/java/google/registry/request/auth/Auth.java b/core/src/main/java/google/registry/request/auth/Auth.java
index 901107310..8909e1b01 100644
--- a/core/src/main/java/google/registry/request/auth/Auth.java
+++ b/core/src/main/java/google/registry/request/auth/Auth.java
@@ -14,12 +14,8 @@
 
 package google.registry.request.auth;
 
-import com.google.common.collect.ImmutableList;
 import google.registry.request.auth.AuthSettings.AuthLevel;
-import google.registry.request.auth.AuthSettings.AuthMethod;
 import google.registry.request.auth.AuthSettings.UserPolicy;
-import google.registry.ui.server.registrar.HtmlAction;
-import google.registry.ui.server.registrar.JsonGetAction;
 
 /** Enum used to configure authentication settings for Actions. */
 public enum Auth {
@@ -27,35 +23,17 @@ public enum Auth {
   /**
    * Allows anyone to access.
    *
-   * <p>If a user is logged in, will authenticate (and return) them. Otherwise, access is still
-   * granted, but NOT_AUTHENTICATED is returned.
-   *
-   * <p>User-facing legacy console endpoints (those that extend {@link HtmlAction}) use it. They
-   * need to allow requests from signed-out users so that they can redirect users to the login page.
-   * After a user is logged in, they check if the user actually has access to the specific console
-   * using {@link AuthenticatedRegistrarAccessor}.
-   *
-   * @see HtmlAction
+   * <p>This is used for public HTML endpoints like RDAP, the check API, and web WHOIS.
    */
-  AUTH_PUBLIC_LEGACY(
-      ImmutableList.of(AuthMethod.API, AuthMethod.LEGACY), AuthLevel.NONE, UserPolicy.PUBLIC),
+  AUTH_PUBLIC(AuthLevel.NONE, UserPolicy.PUBLIC),
 
   /**
    * Allows anyone to access, as long as they are logged in.
    *
-   * <p>This is used by legacy registrar console programmatic endpoints (those that extend {@link
-   * JsonGetAction}), which are accessed via XHR requests sent from a logged-in user when performing
-   * actions on the console.
+   * <p>Note that the action might use {@link AuthenticatedRegistrarAccessor} to impose a more
+   * fine-grained access control pattern than merely whether the user is logged in/out.
    */
-  AUTH_PUBLIC_LOGGED_IN(
-      ImmutableList.of(AuthMethod.API, AuthMethod.LEGACY), AuthLevel.USER, UserPolicy.PUBLIC),
-
-  /**
-   * Allows anyone to access.
-   *
-   * <p>This is used for public HTML endpoints like RDAP, the check API, and web WHOIS.
-   */
-  AUTH_PUBLIC(ImmutableList.of(AuthMethod.API), AuthLevel.NONE, UserPolicy.PUBLIC),
+  AUTH_PUBLIC_LOGGED_IN(AuthLevel.USER, UserPolicy.PUBLIC),
 
   /**
    * Allows only the app itself (via service accounts) or admins to access.
@@ -64,12 +42,12 @@ public enum Auth {
    * associated service account needs to be allowlisted in the {@code
    * auth.allowedServiceAccountEmails} field in the config YAML file.
    */
-  AUTH_API_ADMIN(ImmutableList.of(AuthMethod.API), AuthLevel.APP, UserPolicy.ADMIN);
+  AUTH_ADMIN(AuthLevel.APP, UserPolicy.ADMIN);
 
   private final AuthSettings authSettings;
 
-  Auth(ImmutableList<AuthMethod> methods, AuthLevel minimumLevel, UserPolicy userPolicy) {
-    authSettings = AuthSettings.create(methods, minimumLevel, userPolicy);
+  Auth(AuthLevel minimumLevel, UserPolicy userPolicy) {
+    authSettings = new AuthSettings(minimumLevel, userPolicy);
   }
 
   public AuthSettings authSettings() {
diff --git a/core/src/main/java/google/registry/request/auth/AuthResult.java b/core/src/main/java/google/registry/request/auth/AuthResult.java
index 48eb26ad1..20aad0b25 100644
--- a/core/src/main/java/google/registry/request/auth/AuthResult.java
+++ b/core/src/main/java/google/registry/request/auth/AuthResult.java
@@ -18,6 +18,7 @@ import static com.google.common.base.Preconditions.checkArgument;
 import static google.registry.request.auth.AuthSettings.AuthLevel.APP;
 import static google.registry.request.auth.AuthSettings.AuthLevel.USER;
 
+import google.registry.model.console.User;
 import google.registry.request.auth.AuthSettings.AuthLevel;
 import java.util.Optional;
 import javax.annotation.Nullable;
@@ -26,24 +27,23 @@ import javax.annotation.Nullable;
  * Results of authentication for a given HTTP request, as emitted by an {@link
  * AuthenticationMechanism}.
  *
- * @param userAuthInfo Information about the authenticated user, if there is one.
- * @param appServiceAccount Service account email of the authenticated app, if there is one. This
- *     will be logged upon successful login.
+ * @param authLevel the level of authentication obtained
+ * @param user information about the authenticated user, if there is one
+ * @param serviceAccountEmail service account email of the authenticated app, if there is one
  */
 public record AuthResult(
-    AuthLevel authLevel, Optional<UserAuthInfo> userAuthInfo, Optional<String> appServiceAccount) {
+    AuthLevel authLevel, Optional<User> user, Optional<String> serviceAccountEmail) {
 
   public boolean isAuthenticated() {
     return authLevel() != AuthLevel.NONE;
   }
 
   public String userIdForLogging() {
-    return userAuthInfo()
-        .map(
-            userAuthInfo ->
+    return user.map(
+            user ->
                 String.format(
                     "%s %s",
-                    userAuthInfo.isUserAdmin() ? "admin" : "user", userAuthInfo.getEmailAddress()))
+                    user.getUserRoles().isAdmin() ? "admin" : "user", user.getEmailAddress()))
         .orElse("<logged-out user>");
   }
 
@@ -51,22 +51,21 @@ public record AuthResult(
     return create(APP, null, email);
   }
 
-  public static AuthResult createUser(UserAuthInfo userAuthInfo) {
-    return create(USER, userAuthInfo, null);
+  public static AuthResult createUser(User user) {
+    return create(USER, user, null);
   }
 
   private static AuthResult create(
-      AuthLevel authLevel, @Nullable UserAuthInfo userAuthInfo, @Nullable String email) {
+      AuthLevel authLevel, @Nullable User user, @Nullable String serviceAccountEmail) {
     checkArgument(
-        userAuthInfo == null || email == null,
-        "User auth info and service account email cannot be specificed at the same time");
+        user == null || serviceAccountEmail == null,
+        "User and service account email cannot be specified at the same time");
+    checkArgument(authLevel != USER || user != null, "User must be specified for auth level USER");
     checkArgument(
-        authLevel != USER || userAuthInfo != null,
-        "User auth info must be specified for auth level USER");
-    checkArgument(
-        authLevel != APP || email != null,
+        authLevel != APP || serviceAccountEmail != null,
         "Service account email must be specified for auth level APP");
-    return new AuthResult(authLevel, Optional.ofNullable(userAuthInfo), Optional.ofNullable(email));
+    return new AuthResult(
+        authLevel, Optional.ofNullable(user), Optional.ofNullable(serviceAccountEmail));
   }
 
   /**
diff --git a/core/src/main/java/google/registry/request/auth/AuthSettings.java b/core/src/main/java/google/registry/request/auth/AuthSettings.java
index 8fe2575c4..6a5638d43 100644
--- a/core/src/main/java/google/registry/request/auth/AuthSettings.java
+++ b/core/src/main/java/google/registry/request/auth/AuthSettings.java
@@ -14,7 +14,6 @@
 
 package google.registry.request.auth;
 
-import com.google.common.collect.ImmutableList;
 import com.google.errorprone.annotations.Immutable;
 import google.registry.model.console.UserRoles;
 
@@ -25,26 +24,7 @@ import google.registry.model.console.UserRoles;
  * values.
  */
 @Immutable
-public record AuthSettings(
-    ImmutableList<AuthMethod> methods, AuthLevel minimumLevel, UserPolicy userPolicy) {
-
-  static AuthSettings create(
-      ImmutableList<AuthMethod> methods, AuthLevel minimumLevel, UserPolicy userPolicy) {
-    return new AuthSettings(methods, minimumLevel, userPolicy);
-  }
-
-  /** Available methods for authentication. */
-  public enum AuthMethod {
-
-    /**
-     * Authentication methods suitable for API-style access, such as {@link
-     * OidcTokenAuthenticationMechanism}.
-     */
-    API,
-
-    /** Legacy authentication using cookie-based App Engine Users API. Must come last if present. */
-    LEGACY
-  }
+public record AuthSettings(AuthLevel minimumLevel, UserPolicy userPolicy) {
 
   /**
    * Authentication level.
@@ -90,16 +70,7 @@ public record AuthSettings(
     /** No user policy is enforced; anyone can access this action. */
     PUBLIC,
 
-    /**
-     * If there is a user, it must be an admin, as determined by {@link UserAuthInfo#isUserAdmin()}.
-     *
-     * <p>Note that, if the user returned is an App Engine {@link
-     * com.google.appengine.api.users.User} , anybody with access to the app in the GCP Console,
-     * including editors and viewers, is an admin.
-     *
-     * <p>On the other hand, if the user is a {@link google.registry.model.console.User}, the admin
-     * role is explicitly defined in that object via the {@link UserRoles#isAdmin()} method.
-     */
+    /** If there is a user, it must be an admin, as determined by {@link UserRoles#isAdmin()}. */
     ADMIN
   }
 }
diff --git a/core/src/main/java/google/registry/request/auth/AuthenticatedRegistrarAccessor.java b/core/src/main/java/google/registry/request/auth/AuthenticatedRegistrarAccessor.java
index 9d6aa143b..d228fae98 100644
--- a/core/src/main/java/google/registry/request/auth/AuthenticatedRegistrarAccessor.java
+++ b/core/src/main/java/google/registry/request/auth/AuthenticatedRegistrarAccessor.java
@@ -18,18 +18,16 @@ import static com.google.common.base.MoreObjects.toStringHelper;
 import static com.google.common.base.Preconditions.checkNotNull;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 
-import com.google.appengine.api.users.User;
 import com.google.common.annotations.VisibleForTesting;
-import com.google.common.base.Ascii;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.ImmutableSetMultimap;
 import com.google.common.flogger.FluentLogger;
 import dagger.Lazy;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.groups.GroupsConnection;
+import google.registry.model.console.User;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarBase.State;
-import google.registry.model.registrar.RegistrarPoc;
 import java.util.Optional;
 import javax.annotation.concurrent.Immutable;
 import javax.inject.Inject;
@@ -37,24 +35,23 @@ import javax.inject.Inject;
 /**
  * Allows access only to {@link Registrar}s the current user has access to.
  *
- * <p>A user has OWNER role on a Registrar if there exists a {@link RegistrarPoc} with that user's
- * gaeId and the registrar as a parent.
+ * <p>A user has OWNER role on a Registrar if there exists a mapping to the registrar in its {@link
+ * google.registry.model.console.UserRoles} map, regardless of the role.
  *
- * <p>An "admin" has in addition OWNER role on {@code #registryAdminRegistrarId} and to all
+ * <p>An "admin" has, in addition, OWNER role on {@code #registryAdminRegistrarId} and to all
  * non-{@code REAL} registrars (see {@link Registrar#getType}).
  *
  * <p>An "admin" also has ADMIN role on ALL registrars.
  *
- * <p>A user is an "admin" if they are a GAE-admin, or if their email is in the "Support" G Suite
- * group.
+ * <p>A user is an "admin" if it has global admin permission, or if their email is in the "Support"
+ * G Suite group.
  *
  * <p>NOTE: to check whether the user is in the "Support" G Suite group, we need a connection to G
- * Suite. This in turn requires we have valid JsonCredentials, which not all environments have set
- * up. This connection will be created lazily (only if needed).
+ * Suite. This, in turn, requires us to have valid JsonCredentials, which not all environments have
+ * set up. This connection will be created lazily (only if needed).
  *
  * <p>Specifically, we don't instantiate the connection if: (a) gSuiteSupportGroupEmailAddress isn't
- * defined, or (b) the user is logged out, or (c) the user is a GAE-admin, or (d) bypassAdminCheck
- * is true.
+ * defined, or (b) the user is logged out, or (c) the user is an admin.
  */
 @Immutable
 public class AuthenticatedRegistrarAccessor {
@@ -70,8 +67,8 @@ public class AuthenticatedRegistrarAccessor {
   private final String userIdForLogging;
 
   /**
-   * Whether this user is an Admin, meaning either a GAE-admin or a member of the Support G Suite
-   * group.
+   * Whether this user is an admin, meaning either they have global admin permission or a member of
+   * the Support G Suite group.
    */
   private final boolean isAdmin;
 
@@ -84,26 +81,6 @@ public class AuthenticatedRegistrarAccessor {
    */
   private final ImmutableSetMultimap<String, Role> roleMap;
 
-  /**
-   * Bypass the "isAdmin" check making all users NOT admins.
-   *
-   * <p>Currently our test server doesn't let you change the user after the test server was created.
-   * This means we'd need multiple test files to test the same actions as both a "regular" user and
-   * an admin.
-   *
-   * <p>To overcome this - we add a flag that lets you dynamically choose whether a user is an admin
-   * or not by creating a fake "GAE-admin" user and then bypassing the admin check if they want to
-   * fake a "regular" user.
-   *
-   * <p>The reason we don't do it the other way around (have a flag that makes anyone an admin) is
-   * that such a flag would be a security risk, especially since VisibleForTesting is unenforced
-   * (and you could set it with reflection anyway).
-   *
-   * <p>Instead of having a test flag that elevates permissions (which has security concerns) we add
-   * this flag that reduces permissions.
-   */
-  @VisibleForTesting public static boolean bypassAdminCheck = false;
-
   @Inject
   public AuthenticatedRegistrarAccessor(
       AuthResult authResult,
@@ -140,9 +117,7 @@ public class AuthenticatedRegistrarAccessor {
     return new AuthenticatedRegistrarAccessor("TestUserId", isAdmin, roleMap);
   }
 
-  /**
-   * Returns whether this user is allowed to create new Registrars and TLDs.
-   */
+  /** Returns whether this user is allowed to create new Registrars and TLDs. */
   public boolean isAdmin() {
     return isAdmin;
   }
@@ -282,53 +257,39 @@ public class AuthenticatedRegistrarAccessor {
       AuthResult authResult,
       Optional<String> gSuiteSupportGroupEmailAddress,
       Lazy<GroupsConnection> lazyGroupsConnection) {
-    if (authResult.userAuthInfo().isEmpty()) {
+    if (authResult.user().isEmpty()) {
       return false;
     }
 
-    UserAuthInfo userAuthInfo = authResult.userAuthInfo().get();
-    // both GAE project admin and members of the gSuiteSupportGroupEmailAddress are considered
-    // admins for the RegistrarConsole.
-    return !bypassAdminCheck
-        && (userAuthInfo.isUserAdmin()
-            || checkIsSupport(
-                lazyGroupsConnection,
-                userAuthInfo.getEmailAddress(),
-                gSuiteSupportGroupEmailAddress));
+    User user = authResult.user().get();
+    // both user object with admin permission and members of the gSuiteSupportGroupEmailAddress are
+    // considered admins for the RegistrarConsole.
+    return user.getUserRoles().isAdmin()
+        || checkIsSupport(
+            lazyGroupsConnection, user.getEmailAddress(), gSuiteSupportGroupEmailAddress);
   }
 
   /** Returns a map of registrar IDs to roles for all registrars that the user has access to. */
   private static ImmutableSetMultimap<String, Role> createRoleMap(
       AuthResult authResult, boolean isAdmin, String registryAdminRegistrarId) {
-    if (authResult.userAuthInfo().isEmpty()) {
+    if (authResult.user().isEmpty()) {
       return ImmutableSetMultimap.of();
     }
     ImmutableSetMultimap.Builder<String, Role> builder = new ImmutableSetMultimap.Builder<>();
-    UserAuthInfo userAuthInfo = authResult.userAuthInfo().get();
-    if (userAuthInfo.appEngineUser().isPresent()) {
-      User user = userAuthInfo.appEngineUser().get();
-      logger.atInfo().log("Checking registrar contacts for user ID %s.", user.getEmail());
-
-      // Find all registrars that have a registrar contact with this user's ID.
-      tm().transact(
-              () ->
-                  tm().query(
-                          "SELECT r FROM Registrar r INNER JOIN RegistrarPoc rp ON r.registrarId ="
-                              + " rp.registrarId WHERE lower(rp.loginEmailAddress) = :email AND"
-                              + " r.state != :state",
-                          Registrar.class)
-                      .setParameter("email", Ascii.toLowerCase(user.getEmail()))
-                      .setParameter("state", State.DISABLED)
-                      .getResultStream()
-                      .forEach(registrar -> builder.put(registrar.getRegistrarId(), Role.OWNER)));
-    } else {
-      userAuthInfo
-          .consoleUser()
-          .get()
-          .getUserRoles()
-          .getRegistrarRoles()
-          .forEach((k, v) -> builder.put(k, Role.OWNER));
-    }
+    authResult
+        .user()
+        .get()
+        .getUserRoles()
+        .getRegistrarRoles()
+        .forEach(
+            (k, v) ->
+                Registrar.loadByRegistrarId(k)
+                    .ifPresent(
+                        registrar -> {
+                          if (registrar.getState() != State.DISABLED) {
+                            builder.put(k, Role.OWNER);
+                          }
+                        }));
 
     // Admins have ADMIN access to all registrars, and also OWNER access to the registry registrar
     // and all non-REAL or non-live registrars.
diff --git a/core/src/main/java/google/registry/request/auth/LegacyAuthenticationMechanism.java b/core/src/main/java/google/registry/request/auth/LegacyAuthenticationMechanism.java
deleted file mode 100644
index 1c826a09a..000000000
--- a/core/src/main/java/google/registry/request/auth/LegacyAuthenticationMechanism.java
+++ /dev/null
@@ -1,84 +0,0 @@
-// Copyright 2017 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.request.auth;
-
-import static com.google.common.base.Strings.emptyToNull;
-import static com.google.common.base.Strings.nullToEmpty;
-import static google.registry.request.auth.AuthResult.NOT_AUTHENTICATED;
-import static google.registry.security.XsrfTokenManager.P_CSRF_TOKEN;
-import static google.registry.security.XsrfTokenManager.X_CSRF_TOKEN;
-
-import com.google.appengine.api.users.UserService;
-import com.google.common.collect.ImmutableSet;
-import google.registry.security.XsrfTokenManager;
-import jakarta.servlet.http.HttpServletRequest;
-import javax.inject.Inject;
-
-/**
- * Authentication mechanism for legacy cookie-based App Engine authentication.
- *
- * <p>Just use the values returned by UserService.
- */
-public class LegacyAuthenticationMechanism implements AuthenticationMechanism {
-
-  private final UserService userService;
-  private final XsrfTokenManager xsrfTokenManager;
-
-  /** HTTP methods which are considered safe, and do not require XSRF protection. */
-  private static final ImmutableSet<String> SAFE_METHODS = ImmutableSet.of("GET", "HEAD");
-
-  @Inject
-  public LegacyAuthenticationMechanism(UserService userService, XsrfTokenManager xsrfTokenManager) {
-    this.userService = userService;
-    this.xsrfTokenManager = xsrfTokenManager;
-  }
-
-  @Override
-  public AuthResult authenticate(HttpServletRequest request) {
-    if (!userService.isUserLoggedIn()) {
-      return NOT_AUTHENTICATED;
-    }
-
-    if (!SAFE_METHODS.contains(request.getMethod()) && !validateXsrf(request)) {
-      return NOT_AUTHENTICATED;
-    }
-
-    return AuthResult.createUser(
-        UserAuthInfo.create(userService.getCurrentUser(), userService.isUserAdmin()));
-  }
-
-  private boolean validateXsrf(HttpServletRequest request) {
-    String headerToken = emptyToNull(request.getHeader(X_CSRF_TOKEN));
-    if (headerToken != null) {
-      return xsrfTokenManager.validateToken(headerToken);
-    }
-    // If we got here - the header didn't have the token.
-    // It might be in the POST data - however even checking whether the POST data has this entry
-    // could break the Action!
-    //
-    // Reason: if we do request.getParameter, any Action that injects @Payload or @JsonPayload
-    // would break since it uses request.getReader - and it's an error to call both getReader and
-    // getParameter!
-    //
-    // However, in this case it's acceptable since if we got here - the POST request didn't even
-    // have the XSRF header meaning if it doesn't have POST data - it's not from a valid source at
-    // all (a valid but outdated source would have a bad header value, but getting here means we had
-    // no value at all)
-    //
-    // TODO(b/120201577): Once we know from the @Action whether we can use getParameter or not -
-    // only check getParameter if that's how this @Action uses getParameters.
-    return xsrfTokenManager.validateToken(nullToEmpty(request.getParameter(P_CSRF_TOKEN)));
-  }
-}
diff --git a/core/src/main/java/google/registry/request/auth/OidcTokenAuthenticationMechanism.java b/core/src/main/java/google/registry/request/auth/OidcTokenAuthenticationMechanism.java
index 286cc7ec2..5f04a5fba 100644
--- a/core/src/main/java/google/registry/request/auth/OidcTokenAuthenticationMechanism.java
+++ b/core/src/main/java/google/registry/request/auth/OidcTokenAuthenticationMechanism.java
@@ -14,6 +14,8 @@
 
 package google.registry.request.auth;
 
+import static com.google.common.base.Preconditions.checkState;
+
 import com.google.api.client.json.webtoken.JsonWebSignature;
 import com.google.auth.oauth2.TokenVerifier;
 import com.google.common.annotations.VisibleForTesting;
@@ -117,7 +119,7 @@ public abstract class OidcTokenAuthenticationMechanism implements Authentication
     }
     Optional<User> maybeUser = UserDao.loadUser(email);
     if (maybeUser.isPresent()) {
-      return AuthResult.createUser(UserAuthInfo.create(maybeUser.get()));
+      return AuthResult.createUser(maybeUser.get());
     }
     logger.atInfo().log("No end user found for email address %s", email);
     if (serviceAccountEmails.stream().anyMatch(e -> e.equals(email))) {
@@ -131,11 +133,17 @@ public abstract class OidcTokenAuthenticationMechanism implements Authentication
 
   @VisibleForTesting
   public static void setAuthResultForTesting(@Nullable AuthResult authResult) {
+    checkState(
+        RegistryEnvironment.get() == RegistryEnvironment.UNITTEST,
+        "Explicitly setting auth result is only supported in tests");
     authResultForTesting = authResult;
   }
 
   @VisibleForTesting
   public static void unsetAuthResultForTesting() {
+    checkState(
+        RegistryEnvironment.get() == RegistryEnvironment.UNITTEST,
+        "Explicitly unsetting auth result is only supported in tests");
     authResultForTesting = null;
   }
 
diff --git a/core/src/main/java/google/registry/request/auth/RequestAuthenticator.java b/core/src/main/java/google/registry/request/auth/RequestAuthenticator.java
index b1a62c0c6..d2879d34d 100644
--- a/core/src/main/java/google/registry/request/auth/RequestAuthenticator.java
+++ b/core/src/main/java/google/registry/request/auth/RequestAuthenticator.java
@@ -21,9 +21,7 @@ import static google.registry.request.auth.AuthSettings.AuthLevel.USER;
 import static google.registry.request.auth.AuthSettings.UserPolicy.ADMIN;
 
 import com.google.common.collect.ImmutableList;
-import com.google.common.collect.Ordering;
 import com.google.common.flogger.FluentLogger;
-import google.registry.request.auth.AuthSettings.AuthMethod;
 import jakarta.servlet.http.HttpServletRequest;
 import java.util.Optional;
 import javax.inject.Inject;
@@ -32,16 +30,12 @@ import javax.inject.Inject;
 public class RequestAuthenticator {
 
   private final ImmutableList<AuthenticationMechanism> apiAuthenticationMechanisms;
-  private final LegacyAuthenticationMechanism legacyAuthenticationMechanism;
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
 
   @Inject
-  public RequestAuthenticator(
-      ImmutableList<AuthenticationMechanism> apiAuthenticationMechanisms,
-      LegacyAuthenticationMechanism legacyAuthenticationMechanism) {
+  public RequestAuthenticator(ImmutableList<AuthenticationMechanism> apiAuthenticationMechanisms) {
     this.apiAuthenticationMechanisms = apiAuthenticationMechanisms;
-    this.legacyAuthenticationMechanism = legacyAuthenticationMechanism;
   }
 
   /**
@@ -66,8 +60,8 @@ public class RequestAuthenticator {
       return Optional.empty();
     }
     if (auth.userPolicy() == ADMIN
-        && authResult.userAuthInfo().isPresent()
-        && !authResult.userAuthInfo().get().isUserAdmin()) {
+        && authResult.user().isPresent()
+        && !authResult.user().get().getUserRoles().isAdmin()) {
       logger.atWarning().log(
           "Not authorized; user policy is ADMIN, but the user was not an admin.");
       return Optional.empty();
@@ -84,28 +78,13 @@ public class RequestAuthenticator {
    */
   AuthResult authenticate(AuthSettings auth, HttpServletRequest req) {
     checkAuthConfig(auth);
-    for (AuthMethod authMethod : auth.methods()) {
-      AuthResult authResult;
-      switch (authMethod) {
-          // API-based user authentication mechanisms, such as OIDC.
-        case API -> {
-          for (AuthenticationMechanism authMechanism : apiAuthenticationMechanisms) {
-            authResult = authMechanism.authenticate(req);
-            if (authResult.isAuthenticated()) {
-              logger.atInfo().log(
-                  "Authenticated via %s: %s", authMechanism.getClass().getSimpleName(), authResult);
-              return authResult;
-            }
-          }
-        }
-          // Legacy authentication via UserService
-        case LEGACY -> {
-          authResult = legacyAuthenticationMechanism.authenticate(req);
-          if (authResult.isAuthenticated()) {
-            logger.atInfo().log("Authenticated via legacy auth: %s", authResult);
-            return authResult;
-          }
-        }
+    AuthResult authResult;
+    for (AuthenticationMechanism authMechanism : apiAuthenticationMechanisms) {
+      authResult = authMechanism.authenticate(req);
+      if (authResult.isAuthenticated()) {
+        logger.atInfo().log(
+            "Authenticated via %s: %s", authMechanism.getClass().getSimpleName(), authResult);
+        return authResult;
       }
     }
     logger.atInfo().log("No authentication found.");
@@ -114,10 +93,6 @@ public class RequestAuthenticator {
 
   /** Validates an AuthSettings object, checking for invalid setting combinations. */
   static void checkAuthConfig(AuthSettings auth) {
-    checkArgument(!auth.methods().isEmpty(), "Must specify at least one auth method");
-    checkArgument(
-        Ordering.explicit(AuthMethod.API, AuthMethod.LEGACY).isStrictlyOrdered(auth.methods()),
-        "Auth methods must be unique and strictly in order - API, LEGACY");
     checkArgument(
         (auth.minimumLevel() != NONE) || (auth.userPolicy() != ADMIN),
         "Actions with minimal auth level at NONE should not specify ADMIN user policy");
diff --git a/core/src/main/java/google/registry/request/auth/UserAuthInfo.java b/core/src/main/java/google/registry/request/auth/UserAuthInfo.java
deleted file mode 100644
index 6d1ec0206..000000000
--- a/core/src/main/java/google/registry/request/auth/UserAuthInfo.java
+++ /dev/null
@@ -1,53 +0,0 @@
-// Copyright 2017 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.request.auth;
-
-import com.google.appengine.api.users.User;
-import java.util.Optional;
-
-/**
- * Extra information provided by the authentication mechanism about the user.
- *
- * @param appEngineUser User object from the AppEngine Users API.
- * @param isUserAdmin Whether the user is an admin.
- *     <p>Note that, in App Engine parlance, an admin is any user who is a project owner, editor, OR
- *     viewer (as well as the specific role App Engine Admin). So even users with read-only access
- *     to the App Engine product qualify as an "admin".
- */
-public record UserAuthInfo(
-    Optional<google.registry.model.console.User> consoleUser,
-    Optional<User> appEngineUser,
-    boolean isUserAdmin) {
-
-  public String getEmailAddress() {
-    return appEngineUser()
-        .map(User::getEmail)
-        .orElseGet(() -> consoleUser().get().getEmailAddress());
-  }
-
-  public String getUsername() {
-    return appEngineUser()
-        .map(User::getNickname)
-        .orElseGet(() -> consoleUser().get().getEmailAddress());
-  }
-
-  public static UserAuthInfo create(User user, boolean isUserAdmin) {
-    return new UserAuthInfo(Optional.empty(), Optional.of(user), isUserAdmin);
-  }
-
-  public static UserAuthInfo create(google.registry.model.console.User user) {
-    return new UserAuthInfo(Optional.of(user), Optional.empty(), user.getUserRoles().isAdmin());
-  }
-}
diff --git a/core/src/main/java/google/registry/security/XsrfTokenManager.java b/core/src/main/java/google/registry/security/XsrfTokenManager.java
index 40ddab314..af446b8f6 100644
--- a/core/src/main/java/google/registry/security/XsrfTokenManager.java
+++ b/core/src/main/java/google/registry/security/XsrfTokenManager.java
@@ -19,7 +19,6 @@ import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
 import static java.nio.charset.StandardCharsets.UTF_8;
 import static org.joda.time.DateTimeZone.UTC;
 
-import com.google.appengine.api.users.UserService;
 import com.google.common.base.Joiner;
 import com.google.common.base.Splitter;
 import com.google.common.flogger.FluentLogger;
@@ -49,12 +48,10 @@ public final class XsrfTokenManager {
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
 
   private final Clock clock;
-  private final UserService userService;
 
   @Inject
-  public XsrfTokenManager(Clock clock, UserService userService) {
+  public XsrfTokenManager(Clock clock) {
     this.clock = clock;
-    this.userService = userService;
   }
 
   /** Generates an XSRF token for a given user based on email address. */
@@ -81,7 +78,7 @@ public final class XsrfTokenManager {
   }
 
   /** Validates an XSRF token against the current logged-in user. */
-  public boolean validateToken(String token) {
+  public boolean validateToken(String email, String token) {
     checkArgumentNotNull(token);
     List<String> tokenParts = Splitter.on(':').splitToList(token);
     if (tokenParts.size() != 3) {
@@ -104,12 +101,8 @@ public final class XsrfTokenManager {
       logger.atInfo().log("Expired timestamp in XSRF token: %s", token);
       return false;
     }
-    String currentUserEmail =
-        userService.isUserLoggedIn() ? userService.getCurrentUser().getEmail() : "";
-
     // Reconstruct the token to verify validity.
-    String reconstructedToken =
-        encodeToken(ServerSecret.get().asBytes(), currentUserEmail, timestampMillis);
+    String reconstructedToken = encodeToken(ServerSecret.get().asBytes(), email, timestampMillis);
     if (!token.equals(reconstructedToken)) {
       logger.atWarning().log(
           "Reconstructed XSRF mismatch (got != expected): %s != %s", token, reconstructedToken);
diff --git a/core/src/main/java/google/registry/tmch/NordnUploadAction.java b/core/src/main/java/google/registry/tmch/NordnUploadAction.java
index 3d3a72e9c..371b98ef2 100644
--- a/core/src/main/java/google/registry/tmch/NordnUploadAction.java
+++ b/core/src/main/java/google/registry/tmch/NordnUploadAction.java
@@ -70,7 +70,7 @@ import org.joda.time.Duration;
     path = NordnUploadAction.PATH,
     method = Action.Method.POST,
     automaticallyPrintOk = true,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public final class NordnUploadAction implements Runnable {
 
   static final String PATH = "/_dr/task/nordnUpload";
diff --git a/core/src/main/java/google/registry/tmch/NordnVerifyAction.java b/core/src/main/java/google/registry/tmch/NordnVerifyAction.java
index ee4b065ec..6233fb0cb 100644
--- a/core/src/main/java/google/registry/tmch/NordnVerifyAction.java
+++ b/core/src/main/java/google/registry/tmch/NordnVerifyAction.java
@@ -54,7 +54,7 @@ import javax.inject.Inject;
     path = NordnVerifyAction.PATH,
     method = Action.Method.POST,
     automaticallyPrintOk = true,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public final class NordnVerifyAction implements Runnable {
 
   static final String PATH = "/_dr/task/nordnVerify";
diff --git a/core/src/main/java/google/registry/tmch/TmchCrlAction.java b/core/src/main/java/google/registry/tmch/TmchCrlAction.java
index 666a97d45..13b1b00ae 100644
--- a/core/src/main/java/google/registry/tmch/TmchCrlAction.java
+++ b/core/src/main/java/google/registry/tmch/TmchCrlAction.java
@@ -32,7 +32,7 @@ import javax.inject.Inject;
     path = "/_dr/task/tmchCrl",
     method = POST,
     automaticallyPrintOk = true,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public final class TmchCrlAction implements Runnable {
 
   @Inject Marksdb marksdb;
diff --git a/core/src/main/java/google/registry/tmch/TmchDnlAction.java b/core/src/main/java/google/registry/tmch/TmchDnlAction.java
index ae0353008..03e77acae 100644
--- a/core/src/main/java/google/registry/tmch/TmchDnlAction.java
+++ b/core/src/main/java/google/registry/tmch/TmchDnlAction.java
@@ -35,7 +35,7 @@ import org.bouncycastle.openpgp.PGPException;
     path = "/_dr/task/tmchDnl",
     method = POST,
     automaticallyPrintOk = true,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public final class TmchDnlAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/tmch/TmchSmdrlAction.java b/core/src/main/java/google/registry/tmch/TmchSmdrlAction.java
index 7644e3736..a478832d9 100644
--- a/core/src/main/java/google/registry/tmch/TmchSmdrlAction.java
+++ b/core/src/main/java/google/registry/tmch/TmchSmdrlAction.java
@@ -34,7 +34,7 @@ import org.bouncycastle.openpgp.PGPException;
     path = "/_dr/task/tmchSmdrl",
     method = POST,
     automaticallyPrintOk = true,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public final class TmchSmdrlAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/tools/RegistryToolComponent.java b/core/src/main/java/google/registry/tools/RegistryToolComponent.java
index 4be0ce512..83aaadda1 100644
--- a/core/src/main/java/google/registry/tools/RegistryToolComponent.java
+++ b/core/src/main/java/google/registry/tools/RegistryToolComponent.java
@@ -39,7 +39,6 @@ import google.registry.privileges.secretmanager.SecretManagerModule;
 import google.registry.rde.RdeModule;
 import google.registry.request.Modules.GsonModule;
 import google.registry.request.Modules.UrlConnectionServiceModule;
-import google.registry.request.Modules.UserServiceModule;
 import google.registry.tools.AuthModule.LocalCredentialModule;
 import google.registry.util.UtilsModule;
 import google.registry.whois.NonCachingWhoisModule;
@@ -75,7 +74,6 @@ import javax.inject.Singleton;
       SecretManagerKeyringModule.class,
       SecretManagerModule.class,
       UrlConnectionServiceModule.class,
-      UserServiceModule.class,
       UtilsModule.class,
       VoidDnsWriterModule.class,
       NonCachingWhoisModule.class
diff --git a/core/src/main/java/google/registry/tools/server/CreateGroupsAction.java b/core/src/main/java/google/registry/tools/server/CreateGroupsAction.java
index 30b160393..2f1d6ca54 100644
--- a/core/src/main/java/google/registry/tools/server/CreateGroupsAction.java
+++ b/core/src/main/java/google/registry/tools/server/CreateGroupsAction.java
@@ -43,7 +43,7 @@ import javax.inject.Inject;
     service = Action.Service.TOOLS,
     path = CreateGroupsAction.PATH,
     method = POST,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public class CreateGroupsAction implements Runnable {
 
   public static final String PATH = "/_dr/admin/createGroups";
diff --git a/core/src/main/java/google/registry/tools/server/GenerateZoneFilesAction.java b/core/src/main/java/google/registry/tools/server/GenerateZoneFilesAction.java
index 071ce620b..a40acf000 100644
--- a/core/src/main/java/google/registry/tools/server/GenerateZoneFilesAction.java
+++ b/core/src/main/java/google/registry/tools/server/GenerateZoneFilesAction.java
@@ -65,7 +65,7 @@ import org.joda.time.Duration;
     service = Action.Service.TOOLS,
     path = GenerateZoneFilesAction.PATH,
     method = POST,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public class GenerateZoneFilesAction implements Runnable, JsonActionRunner.JsonAction {
 
   private static final FluentLogger log = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/tools/server/ListDomainsAction.java b/core/src/main/java/google/registry/tools/server/ListDomainsAction.java
index 51994b8bf..dc1e742c3 100644
--- a/core/src/main/java/google/registry/tools/server/ListDomainsAction.java
+++ b/core/src/main/java/google/registry/tools/server/ListDomainsAction.java
@@ -39,7 +39,7 @@ import javax.inject.Inject;
     service = Action.Service.TOOLS,
     path = ListDomainsAction.PATH,
     method = {GET, POST},
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public final class ListDomainsAction extends ListObjectsAction<Domain> {
 
   /** An App Engine limitation on how many subqueries can be used in a single query. */
diff --git a/core/src/main/java/google/registry/tools/server/ListHostsAction.java b/core/src/main/java/google/registry/tools/server/ListHostsAction.java
index 64d046672..0ae68c8a2 100644
--- a/core/src/main/java/google/registry/tools/server/ListHostsAction.java
+++ b/core/src/main/java/google/registry/tools/server/ListHostsAction.java
@@ -34,7 +34,7 @@ import org.joda.time.DateTime;
     service = Action.Service.TOOLS,
     path = ListHostsAction.PATH,
     method = {GET, POST},
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public final class ListHostsAction extends ListObjectsAction<Host> {
 
   public static final String PATH = "/_dr/admin/list/hosts";
diff --git a/core/src/main/java/google/registry/tools/server/ListPremiumListsAction.java b/core/src/main/java/google/registry/tools/server/ListPremiumListsAction.java
index f2fa31c2c..e8e16ad8e 100644
--- a/core/src/main/java/google/registry/tools/server/ListPremiumListsAction.java
+++ b/core/src/main/java/google/registry/tools/server/ListPremiumListsAction.java
@@ -35,7 +35,7 @@ import javax.inject.Inject;
     service = Action.Service.TOOLS,
     path = ListPremiumListsAction.PATH,
     method = {GET, POST},
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public final class ListPremiumListsAction extends ListObjectsAction<PremiumList> {
 
   public static final String PATH = "/_dr/admin/list/premiumLists";
diff --git a/core/src/main/java/google/registry/tools/server/ListRegistrarsAction.java b/core/src/main/java/google/registry/tools/server/ListRegistrarsAction.java
index ca43d6685..1fc2d4046 100644
--- a/core/src/main/java/google/registry/tools/server/ListRegistrarsAction.java
+++ b/core/src/main/java/google/registry/tools/server/ListRegistrarsAction.java
@@ -30,7 +30,7 @@ import javax.inject.Inject;
     service = Action.Service.TOOLS,
     path = ListRegistrarsAction.PATH,
     method = {GET, POST},
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public final class ListRegistrarsAction extends ListObjectsAction<Registrar> {
 
   public static final String PATH = "/_dr/admin/list/registrars";
diff --git a/core/src/main/java/google/registry/tools/server/ListReservedListsAction.java b/core/src/main/java/google/registry/tools/server/ListReservedListsAction.java
index 0c6846e7a..7fd2d239d 100644
--- a/core/src/main/java/google/registry/tools/server/ListReservedListsAction.java
+++ b/core/src/main/java/google/registry/tools/server/ListReservedListsAction.java
@@ -33,7 +33,7 @@ import javax.inject.Inject;
     service = Action.Service.TOOLS,
     path = ListReservedListsAction.PATH,
     method = {GET, POST},
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public final class ListReservedListsAction extends ListObjectsAction<ReservedList> {
 
   public static final String PATH = "/_dr/admin/list/reservedLists";
diff --git a/core/src/main/java/google/registry/tools/server/ListTldsAction.java b/core/src/main/java/google/registry/tools/server/ListTldsAction.java
index ce8d5fe78..351a20659 100644
--- a/core/src/main/java/google/registry/tools/server/ListTldsAction.java
+++ b/core/src/main/java/google/registry/tools/server/ListTldsAction.java
@@ -34,7 +34,7 @@ import org.joda.time.DateTime;
     service = Action.Service.TOOLS,
     path = ListTldsAction.PATH,
     method = {GET, POST},
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public final class ListTldsAction extends ListObjectsAction<Tld> {
 
   public static final String PATH = "/_dr/admin/list/tlds";
diff --git a/core/src/main/java/google/registry/tools/server/RefreshDnsForAllDomainsAction.java b/core/src/main/java/google/registry/tools/server/RefreshDnsForAllDomainsAction.java
index 2fcfc00f7..5bc2f5936 100644
--- a/core/src/main/java/google/registry/tools/server/RefreshDnsForAllDomainsAction.java
+++ b/core/src/main/java/google/registry/tools/server/RefreshDnsForAllDomainsAction.java
@@ -54,7 +54,7 @@ import org.joda.time.Duration;
 @Action(
     service = Action.Service.TOOLS,
     path = "/_dr/task/refreshDnsForAllDomains",
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public class RefreshDnsForAllDomainsAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/tools/server/UpdateUserGroupAction.java b/core/src/main/java/google/registry/tools/server/UpdateUserGroupAction.java
index 834ddc49c..38ffb6df2 100644
--- a/core/src/main/java/google/registry/tools/server/UpdateUserGroupAction.java
+++ b/core/src/main/java/google/registry/tools/server/UpdateUserGroupAction.java
@@ -30,7 +30,7 @@ import javax.inject.Inject;
     service = Action.Service.TOOLS,
     path = UpdateUserGroupAction.PATH,
     method = POST,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public class UpdateUserGroupAction implements Runnable {
 
   public static final String PATH = "/_dr/admin/updateUserGroup";
diff --git a/core/src/main/java/google/registry/tools/server/VerifyOteAction.java b/core/src/main/java/google/registry/tools/server/VerifyOteAction.java
index 6aafde4de..61cbac4ce 100644
--- a/core/src/main/java/google/registry/tools/server/VerifyOteAction.java
+++ b/core/src/main/java/google/registry/tools/server/VerifyOteAction.java
@@ -37,7 +37,7 @@ import javax.inject.Inject;
     service = Action.Service.TOOLS,
     path = VerifyOteAction.PATH,
     method = Action.Method.POST,
-    auth = Auth.AUTH_API_ADMIN)
+    auth = Auth.AUTH_ADMIN)
 public class VerifyOteAction implements Runnable, JsonAction {
 
   public static final String PATH = "/_dr/admin/verifyOte";
diff --git a/core/src/main/java/google/registry/ui/server/console/ConsoleApiAction.java b/core/src/main/java/google/registry/ui/server/console/ConsoleApiAction.java
index 1007b164e..54e0a4bc5 100644
--- a/core/src/main/java/google/registry/ui/server/console/ConsoleApiAction.java
+++ b/core/src/main/java/google/registry/ui/server/console/ConsoleApiAction.java
@@ -26,7 +26,6 @@ import google.registry.model.console.ConsolePermission;
 import google.registry.model.console.GlobalRole;
 import google.registry.model.console.User;
 import google.registry.request.HttpException;
-import google.registry.request.auth.AuthResult;
 import google.registry.security.XsrfTokenManager;
 import google.registry.ui.server.registrar.ConsoleApiParams;
 import google.registry.ui.server.registrar.ConsoleUiAction;
@@ -50,13 +49,11 @@ public abstract class ConsoleApiAction implements Runnable {
   @Override
   public final void run() {
     // Shouldn't be even possible because of Auth annotations on the various implementing classes
-    AuthResult authResult = consoleApiParams.authResult();
-    if (authResult.userAuthInfo().isEmpty()
-        || authResult.userAuthInfo().get().consoleUser().isEmpty()) {
+    if (consoleApiParams.authResult().user().isEmpty()) {
       consoleApiParams.response().setStatus(SC_UNAUTHORIZED);
       return;
     }
-    User user = consoleApiParams.authResult().userAuthInfo().get().consoleUser().get();
+    User user = consoleApiParams.authResult().user().get();
 
     // This allows us to enable console to a selected cohort of users with release
     // We can ignore it in tests
@@ -74,7 +71,7 @@ public abstract class ConsoleApiAction implements Runnable {
       if (consoleApiParams.request().getMethod().equals(GET.toString())) {
         getHandler(user);
       } else {
-        if (verifyXSRF()) {
+        if (verifyXSRF(user)) {
           postHandler(user);
         }
       }
@@ -112,13 +109,15 @@ public abstract class ConsoleApiAction implements Runnable {
     consoleApiParams.response().setPayload(message);
   }
 
-  private boolean verifyXSRF() {
+  private boolean verifyXSRF(User user) {
     Optional<Cookie> maybeCookie =
         Arrays.stream(consoleApiParams.request().getCookies())
             .filter(c -> XsrfTokenManager.X_CSRF_TOKEN.equals(c.getName()))
             .findFirst();
     if (maybeCookie.isEmpty()
-        || !consoleApiParams.xsrfTokenManager().validateToken(maybeCookie.get().getValue())) {
+        || !consoleApiParams
+            .xsrfTokenManager()
+            .validateToken(user.getEmailAddress(), maybeCookie.get().getValue())) {
       consoleApiParams.response().setStatus(SC_UNAUTHORIZED);
       return false;
     }
diff --git a/core/src/main/java/google/registry/ui/server/console/ConsoleUserDataAction.java b/core/src/main/java/google/registry/ui/server/console/ConsoleUserDataAction.java
index 712fa355d..f2cfe77ad 100644
--- a/core/src/main/java/google/registry/ui/server/console/ConsoleUserDataAction.java
+++ b/core/src/main/java/google/registry/ui/server/console/ConsoleUserDataAction.java
@@ -58,7 +58,7 @@ public class ConsoleUserDataAction extends ConsoleApiAction {
 
   @Override
   protected void getHandler(User user) {
-    // As this is a first GET request we use it as an opportunity to set a XSRF cookie
+    // As this is the first GET request, we use it as an opportunity to set a XSRF cookie
     // for angular to read - https://angular.io/guide/http-security-xsrf-protection
     Cookie xsrfCookie =
         new Cookie(
diff --git a/core/src/main/java/google/registry/ui/server/registrar/ConsoleOteSetupAction.java b/core/src/main/java/google/registry/ui/server/registrar/ConsoleOteSetupAction.java
index 10cdac2af..af36acae5 100644
--- a/core/src/main/java/google/registry/ui/server/registrar/ConsoleOteSetupAction.java
+++ b/core/src/main/java/google/registry/ui/server/registrar/ConsoleOteSetupAction.java
@@ -54,7 +54,7 @@ import javax.inject.Named;
     service = Action.Service.DEFAULT,
     path = ConsoleOteSetupAction.PATH,
     method = {Method.POST, Method.GET},
-    auth = Auth.AUTH_PUBLIC_LEGACY)
+    auth = Auth.AUTH_PUBLIC_LOGGED_IN)
 public final class ConsoleOteSetupAction extends HtmlAction {
 
   public static final String PATH = "/registrar-ote-setup";
diff --git a/core/src/main/java/google/registry/ui/server/registrar/ConsoleRegistrarCreatorAction.java b/core/src/main/java/google/registry/ui/server/registrar/ConsoleRegistrarCreatorAction.java
index e0097488e..7122b94c9 100644
--- a/core/src/main/java/google/registry/ui/server/registrar/ConsoleRegistrarCreatorAction.java
+++ b/core/src/main/java/google/registry/ui/server/registrar/ConsoleRegistrarCreatorAction.java
@@ -64,7 +64,7 @@ import org.joda.money.CurrencyUnit;
     service = Service.DEFAULT,
     path = ConsoleRegistrarCreatorAction.PATH,
     method = {Method.POST, Method.GET},
-    auth = Auth.AUTH_PUBLIC_LEGACY)
+    auth = Auth.AUTH_PUBLIC_LOGGED_IN)
 public final class ConsoleRegistrarCreatorAction extends HtmlAction {
 
   private static final int PASSWORD_LENGTH = 16;
diff --git a/core/src/main/java/google/registry/ui/server/registrar/ConsoleUiAction.java b/core/src/main/java/google/registry/ui/server/registrar/ConsoleUiAction.java
index 9ee4fda19..6543fa020 100644
--- a/core/src/main/java/google/registry/ui/server/registrar/ConsoleUiAction.java
+++ b/core/src/main/java/google/registry/ui/server/registrar/ConsoleUiAction.java
@@ -43,7 +43,7 @@ import javax.inject.Inject;
 @Action(
     service = Action.Service.DEFAULT,
     path = ConsoleUiAction.PATH,
-    auth = Auth.AUTH_PUBLIC_LEGACY)
+    auth = Auth.AUTH_PUBLIC_LOGGED_IN)
 public final class ConsoleUiAction extends HtmlAction {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/main/java/google/registry/ui/server/registrar/HtmlAction.java b/core/src/main/java/google/registry/ui/server/registrar/HtmlAction.java
index b14efa327..c5867f9a8 100644
--- a/core/src/main/java/google/registry/ui/server/registrar/HtmlAction.java
+++ b/core/src/main/java/google/registry/ui/server/registrar/HtmlAction.java
@@ -14,19 +14,17 @@
 
 package google.registry.ui.server.registrar;
 
-import static com.google.common.net.HttpHeaders.LOCATION;
 import static com.google.common.net.HttpHeaders.X_FRAME_OPTIONS;
-import static jakarta.servlet.http.HttpServletResponse.SC_MOVED_TEMPORARILY;
+import static jakarta.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
 
-import com.google.appengine.api.users.UserService;
 import com.google.common.flogger.FluentLogger;
 import com.google.common.net.MediaType;
 import google.registry.config.RegistryConfig.Config;
+import google.registry.model.console.User;
 import google.registry.request.Action;
 import google.registry.request.RequestMethod;
 import google.registry.request.Response;
 import google.registry.request.auth.AuthResult;
-import google.registry.request.auth.UserAuthInfo;
 import google.registry.security.XsrfTokenManager;
 import jakarta.servlet.http.HttpServletRequest;
 import java.util.HashMap;
@@ -45,7 +43,6 @@ public abstract class HtmlAction implements Runnable {
 
   @Inject HttpServletRequest req;
   @Inject Response response;
-  @Inject UserService userService;
   @Inject XsrfTokenManager xsrfTokenManager;
   @Inject AuthResult authResult;
   @Inject @RequestMethod Action.Method method;
@@ -67,34 +64,21 @@ public abstract class HtmlAction implements Runnable {
     response.setHeader(X_FRAME_OPTIONS, "SAMEORIGIN"); // Disallow iframing.
     response.setHeader("X-Ui-Compatible", "IE=edge"); // Ask IE not to be silly.
 
-    if (authResult.userAuthInfo().isEmpty()) {
-      response.setStatus(SC_MOVED_TEMPORARILY);
-      String location;
-      try {
-        location = userService.createLoginURL(req.getRequestURI());
-      } catch (IllegalArgumentException e) {
-        // UserServiceImpl.createLoginURL() throws IllegalArgumentException if underlying API call
-        // returns an error code of NOT_ALLOWED. createLoginURL() assumes that the error is caused
-        // by an invalid URL. But in fact, the error can also occur if UserService doesn't have any
-        // user information, which happens when the request has been authenticated as internal. In
-        // this case, we want to avoid dying before we can send the redirect, so just redirect to
-        // the root path.
-        location = "/";
-      }
-      response.setHeader(LOCATION, location);
+    if (authResult.user().isEmpty()) {
+      response.setStatus(SC_UNAUTHORIZED);
       return;
     }
     response.setContentType(MediaType.HTML_UTF_8);
 
-    UserAuthInfo authInfo = authResult.userAuthInfo().get();
+    User user = authResult.user().get();
     // Using HashMap to allow null values
     HashMap<String, Object> data = new HashMap<>();
     data.put("logoFilename", logoFilename);
     data.put("productName", productName);
-    data.put("username", authInfo.getUsername());
-    data.put("logoutUrl", userService.createLogoutURL(getPath()));
+    data.put("username", user.getEmailAddress());
+    data.put("logoutUrl", "/registrar?gcp-iap-mode=CLEAR_LOGIN_COOKIE");
     data.put("analyticsConfig", analyticsConfig);
-    data.put("xsrfToken", xsrfTokenManager.generateToken(authInfo.getEmailAddress()));
+    data.put("xsrfToken", xsrfTokenManager.generateToken(user.getEmailAddress()));
 
     logger.atInfo().log(
         "User %s is accessing %s with method %s.",
diff --git a/core/src/main/java/google/registry/ui/server/registrar/RegistryLockGetAction.java b/core/src/main/java/google/registry/ui/server/registrar/RegistryLockGetAction.java
index a110d6e8f..900802910 100644
--- a/core/src/main/java/google/registry/ui/server/registrar/RegistryLockGetAction.java
+++ b/core/src/main/java/google/registry/ui/server/registrar/RegistryLockGetAction.java
@@ -22,18 +22,16 @@ import static google.registry.ui.server.registrar.RegistrarConsoleModule.PARAM_C
 import static jakarta.servlet.http.HttpServletResponse.SC_FORBIDDEN;
 import static jakarta.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
 
-import com.google.appengine.api.users.User;
 import com.google.common.annotations.VisibleForTesting;
-import com.google.common.base.Ascii;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.flogger.FluentLogger;
 import com.google.common.net.MediaType;
 import com.google.gson.Gson;
 import google.registry.model.console.ConsolePermission;
+import google.registry.model.console.User;
 import google.registry.model.domain.RegistryLock;
 import google.registry.model.registrar.Registrar;
-import google.registry.model.registrar.RegistrarPoc;
 import google.registry.model.tld.RegistryLockDao;
 import google.registry.request.Action;
 import google.registry.request.Action.Method;
@@ -44,9 +42,7 @@ import google.registry.request.auth.Auth;
 import google.registry.request.auth.AuthResult;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor.RegistrarAccessDeniedException;
-import google.registry.request.auth.UserAuthInfo;
 import google.registry.security.JsonResponseHelper;
-import java.util.Objects;
 import java.util.Optional;
 import javax.inject.Inject;
 import org.joda.time.DateTime;
@@ -101,7 +97,7 @@ public final class RegistryLockGetAction implements JsonGetAction {
   @Override
   public void run() {
     checkArgument(Method.GET.equals(method), "Only GET requests allowed");
-    checkArgument(authResult.userAuthInfo().isPresent(), "User auth info must be present");
+    checkArgument(authResult.user().isPresent(), "User must be present");
     checkArgument(paramClientId.isPresent(), "clientId must be present");
     response.setContentType(MediaType.JSON_UTF_8);
 
@@ -121,29 +117,7 @@ public final class RegistryLockGetAction implements JsonGetAction {
     }
   }
 
-  static Optional<RegistrarPoc> getContactMatchingLogin(User user, Registrar registrar) {
-    ImmutableList<RegistrarPoc> matchingContacts =
-        registrar.getContacts().stream()
-            .filter(contact -> contact.getLoginEmailAddress() != null)
-            .filter(
-                contact ->
-                    Objects.equals(
-                        Ascii.toLowerCase(contact.getLoginEmailAddress()),
-                        Ascii.toLowerCase(user.getEmail())))
-            .collect(toImmutableList());
-    if (matchingContacts.size() > 1) {
-      ImmutableList<String> matchingEmails =
-          matchingContacts.stream().map(RegistrarPoc::getEmailAddress).collect(toImmutableList());
-      throw new IllegalArgumentException(
-          String.format(
-              "User with login email %s had multiple matching contacts with contact email addresses"
-                  + " %s",
-              user.getEmail(), matchingEmails));
-    }
-    return matchingContacts.stream().findFirst();
-  }
-
-  static Registrar getRegistrarAndVerifyLockAccess(
+  static void verifyLockAccess(
       AuthenticatedRegistrarAccessor registrarAccessor, String clientId, boolean isAdmin)
       throws RegistrarAccessDeniedException {
     Registrar registrar = registrarAccessor.getRegistrar(clientId);
@@ -151,37 +125,22 @@ public final class RegistryLockGetAction implements JsonGetAction {
         isAdmin || registrar.isRegistryLockAllowed(),
         "Registry lock not allowed for registrar %s",
         clientId);
-    return registrar;
   }
 
   private ImmutableMap<String, ?> getLockedDomainsMap(String registrarId)
       throws RegistrarAccessDeniedException {
     // Note: admins always have access to the locks page
-    checkArgument(authResult.userAuthInfo().isPresent(), "User auth info must be present");
+    checkArgument(authResult.user().isPresent(), "User must be present");
 
     boolean isAdmin = registrarAccessor.isAdmin();
-    Registrar registrar = getRegistrarAndVerifyLockAccess(registrarAccessor, registrarId, isAdmin);
+    verifyLockAccess(registrarAccessor, registrarId, isAdmin);
 
-    UserAuthInfo userAuthInfo = authResult.userAuthInfo().get();
+    User user = authResult.user().get();
     // Split logic depending on whether we are using the old auth system or the new one
     boolean isRegistryLockAllowed;
-    String relevantEmail;
-    if (userAuthInfo.appEngineUser().isPresent()) {
-      User user = userAuthInfo.appEngineUser().get();
-      Optional<RegistrarPoc> contactOptional = getContactMatchingLogin(user, registrar);
-      isRegistryLockAllowed =
-          isAdmin || contactOptional.map(RegistrarPoc::isRegistryLockAllowed).orElse(false);
-      relevantEmail =
-          isAdmin
-              ? user.getEmail()
-              // if the contact isn't present, we shouldn't display the email anyway
-              : contactOptional.flatMap(RegistrarPoc::getRegistryLockEmailAddress).orElse("");
-    } else {
-      google.registry.model.console.User user = userAuthInfo.consoleUser().get();
-      isRegistryLockAllowed =
-          user.getUserRoles().hasPermission(registrarId, ConsolePermission.REGISTRY_LOCK);
-      relevantEmail = user.getEmailAddress();
-    }
+    isRegistryLockAllowed =
+        user.getUserRoles().hasPermission(registrarId, ConsolePermission.REGISTRY_LOCK);
+    String relevantEmail = user.getRegistryLockEmailAddress().orElse(user.getEmailAddress());
     // Use the contact's registry lock email if it's present, else use the login email (for admins)
     return ImmutableMap.of(
         LOCK_ENABLED_FOR_CONTACT_PARAM,
diff --git a/core/src/main/java/google/registry/ui/server/registrar/RegistryLockPostAction.java b/core/src/main/java/google/registry/ui/server/registrar/RegistryLockPostAction.java
index f984cfe1e..ab39c8a40 100644
--- a/core/src/main/java/google/registry/ui/server/registrar/RegistryLockPostAction.java
+++ b/core/src/main/java/google/registry/ui/server/registrar/RegistryLockPostAction.java
@@ -19,11 +19,9 @@ import static com.google.common.base.Preconditions.checkNotNull;
 import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
 import static google.registry.security.JsonResponseHelper.Status.ERROR;
 import static google.registry.security.JsonResponseHelper.Status.SUCCESS;
-import static google.registry.ui.server.registrar.RegistryLockGetAction.getContactMatchingLogin;
-import static google.registry.ui.server.registrar.RegistryLockGetAction.getRegistrarAndVerifyLockAccess;
+import static google.registry.ui.server.registrar.RegistryLockGetAction.verifyLockAccess;
 import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
 
-import com.google.appengine.api.users.User;
 import com.google.common.base.Strings;
 import com.google.common.base.Throwables;
 import com.google.common.collect.ImmutableList;
@@ -31,9 +29,8 @@ import com.google.common.flogger.FluentLogger;
 import com.google.gson.Gson;
 import google.registry.flows.domain.DomainFlowUtils;
 import google.registry.groups.GmailClient;
+import google.registry.model.console.User;
 import google.registry.model.domain.RegistryLock;
-import google.registry.model.registrar.Registrar;
-import google.registry.model.registrar.RegistrarPoc;
 import google.registry.request.Action;
 import google.registry.request.Action.Method;
 import google.registry.request.HttpException.ForbiddenException;
@@ -42,7 +39,6 @@ import google.registry.request.auth.Auth;
 import google.registry.request.auth.AuthResult;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor.RegistrarAccessDeniedException;
-import google.registry.request.auth.UserAuthInfo;
 import google.registry.security.JsonResponseHelper;
 import google.registry.tools.DomainLockUtils;
 import google.registry.util.EmailMessage;
@@ -119,13 +115,11 @@ public class RegistryLockPostAction implements Runnable, JsonActionRunner.JsonAc
       checkArgument(!Strings.isNullOrEmpty(postInput.domainName), "Missing key for domainName");
       DomainFlowUtils.validateDomainName(postInput.domainName);
       checkNotNull(postInput.isLock, "Missing key for isLock");
-      UserAuthInfo userAuthInfo =
-          authResult
-              .userAuthInfo()
-              .orElseThrow(() -> new ForbiddenException("User is not logged in"));
+      User user =
+          authResult.user().orElseThrow(() -> new ForbiddenException("User is not logged in"));
 
       // TODO: Move this line to the transaction below during nested transaction refactoring.
-      String userEmail = verifyPasswordAndGetEmail(userAuthInfo, postInput);
+      String userEmail = verifyPasswordAndGetEmail(user, postInput);
       tm().transact(
               () -> {
                 RegistryLock registryLock =
@@ -177,24 +171,13 @@ public class RegistryLockPostAction implements Runnable, JsonActionRunner.JsonAc
     }
   }
 
-  private String verifyPasswordAndGetEmail(
-      UserAuthInfo userAuthInfo, RegistryLockPostInput postInput)
+  private String verifyPasswordAndGetEmail(User user, RegistryLockPostInput postInput)
       throws RegistrarAccessDeniedException {
     if (registrarAccessor.isAdmin()) {
-      return userAuthInfo.getEmailAddress();
+      return user.getEmailAddress();
     }
-    if (userAuthInfo.appEngineUser().isPresent()) {
-      return verifyPasswordAndGetEmailLegacyUser(userAuthInfo.appEngineUser().get(), postInput);
-    } else {
-      return verifyPasswordAndGetEmailConsoleUser(userAuthInfo.consoleUser().get(), postInput);
-    }
-  }
-
-  private String verifyPasswordAndGetEmailConsoleUser(
-      google.registry.model.console.User user, RegistryLockPostInput postInput)
-      throws RegistrarAccessDeniedException {
     // Verify that the registrar has locking enabled
-    getRegistrarAndVerifyLockAccess(registrarAccessor, postInput.registrarId, false);
+    verifyLockAccess(registrarAccessor, postInput.registrarId, false);
     checkArgument(
         user.verifyRegistryLockPassword(postInput.password),
         "Incorrect registry lock password for user");
@@ -202,33 +185,6 @@ public class RegistryLockPostAction implements Runnable, JsonActionRunner.JsonAc
         .orElseThrow(() -> new IllegalArgumentException("User has no registry lock email address"));
   }
 
-  private String verifyPasswordAndGetEmailLegacyUser(User user, RegistryLockPostInput postInput)
-      throws RegistrarAccessDeniedException {
-    // Verify that the user can access the registrar, that the user has
-    // registry lock enabled, and that the user provided a correct password
-
-    Registrar registrar =
-        getRegistrarAndVerifyLockAccess(registrarAccessor, postInput.registrarId, false);
-    RegistrarPoc registrarPoc =
-        getContactMatchingLogin(user, registrar)
-            .orElseThrow(
-                () ->
-                    new IllegalArgumentException(
-                        String.format(
-                            "Cannot match user %s to registrar contact", user.getUserId())));
-    checkArgument(
-        registrarPoc.verifyRegistryLockPassword(postInput.password),
-        "Incorrect registry lock password for contact");
-    return registrarPoc
-        .getRegistryLockEmailAddress()
-        .orElseThrow(
-            () ->
-                new IllegalStateException(
-                    String.format(
-                        "Contact %s had no registry lock email address",
-                        registrarPoc.getEmailAddress())));
-  }
-
   /** Value class that represents the expected input body from the UI request. */
   private static class RegistryLockPostInput {
     private String registrarId;
diff --git a/core/src/main/java/google/registry/ui/server/registrar/RegistryLockVerifyAction.java b/core/src/main/java/google/registry/ui/server/registrar/RegistryLockVerifyAction.java
index 496d98c7c..866cc8cfb 100644
--- a/core/src/main/java/google/registry/ui/server/registrar/RegistryLockVerifyAction.java
+++ b/core/src/main/java/google/registry/ui/server/registrar/RegistryLockVerifyAction.java
@@ -34,7 +34,7 @@ import javax.inject.Inject;
 @Action(
     service = Action.Service.DEFAULT,
     path = RegistryLockVerifyAction.PATH,
-    auth = Auth.AUTH_PUBLIC_LEGACY)
+    auth = Auth.AUTH_PUBLIC_LOGGED_IN)
 public final class RegistryLockVerifyAction extends HtmlAction {
 
   public static final String PATH = "/registry-lock-verify";
@@ -62,7 +62,7 @@ public final class RegistryLockVerifyAction extends HtmlAction {
   @Override
   public void runAfterLogin(Map<String, Object> data) {
     try {
-      boolean isAdmin = authResult.userAuthInfo().get().isUserAdmin();
+      boolean isAdmin = authResult.user().get().getUserRoles().isAdmin();
       RegistryLock resultLock =
           domainLockUtils.verifyVerificationCode(lockVerificationCode, isAdmin);
       data.put("isLock", resultLock.getUnlockCompletionTime().isEmpty());
diff --git a/core/src/main/java/google/registry/whois/WhoisAction.java b/core/src/main/java/google/registry/whois/WhoisAction.java
index 114d7459d..b5ba2b3ef 100644
--- a/core/src/main/java/google/registry/whois/WhoisAction.java
+++ b/core/src/main/java/google/registry/whois/WhoisAction.java
@@ -47,11 +47,7 @@ import org.joda.time.DateTime;
  * @see WhoisHttpAction
  * @see <a href="http://www.ietf.org/rfc/rfc3912.txt">RFC 3912: WHOIS Protocol Specification</a>
  */
-@Action(
-    service = Action.Service.PUBAPI,
-    path = "/_dr/whois",
-    method = POST,
-    auth = Auth.AUTH_API_ADMIN)
+@Action(service = Action.Service.PUBAPI, path = "/_dr/whois", method = POST, auth = Auth.AUTH_ADMIN)
 public class WhoisAction implements Runnable {
 
   private static final FluentLogger logger = FluentLogger.forEnclosingClass();
diff --git a/core/src/test/java/google/registry/module/RequestComponentTest.java b/core/src/test/java/google/registry/module/RequestComponentTest.java
index 99ab6e735..f2b8b7fb3 100644
--- a/core/src/test/java/google/registry/module/RequestComponentTest.java
+++ b/core/src/test/java/google/registry/module/RequestComponentTest.java
@@ -67,26 +67,14 @@ public class RequestComponentTest {
   }
 
   private record Route(
-      String path,
-      String clazz,
-      String methods,
-      String ok,
-      String authMethods,
-      String min,
-      String userPolicy) {
+      String path, String clazz, String methods, String ok, String min, String userPolicy) {
     private static final Splitter splitter = Splitter.on(' ').omitEmptyStrings().trimResults();
 
     static Route create(String line) {
       ImmutableList<String> parts = ImmutableList.copyOf(splitter.split(line));
-      assertThat(parts.size()).isEqualTo(7);
+      assertThat(parts.size()).isEqualTo(6);
       return new Route(
-          parts.get(0),
-          parts.get(1),
-          parts.get(2),
-          parts.get(3),
-          parts.get(4),
-          parts.get(5),
-          parts.get(6));
+          parts.get(0), parts.get(1), parts.get(2), parts.get(3), parts.get(4), parts.get(5));
     }
   }
 }
diff --git a/core/src/test/java/google/registry/rdap/RdapActionBaseTestCase.java b/core/src/test/java/google/registry/rdap/RdapActionBaseTestCase.java
index 245e1c095..72d896ba6 100644
--- a/core/src/test/java/google/registry/rdap/RdapActionBaseTestCase.java
+++ b/core/src/test/java/google/registry/rdap/RdapActionBaseTestCase.java
@@ -22,13 +22,13 @@ import static google.registry.request.Action.Method.GET;
 import static google.registry.request.Action.Method.HEAD;
 import static org.mockito.Mockito.mock;
 
-import com.google.appengine.api.users.User;
 import com.google.gson.JsonObject;
+import google.registry.model.console.User;
+import google.registry.model.console.UserRoles;
 import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationTestExtension;
 import google.registry.request.Actions;
 import google.registry.request.auth.AuthResult;
-import google.registry.request.auth.UserAuthInfo;
 import google.registry.testing.FakeClock;
 import google.registry.testing.FakeResponse;
 import google.registry.util.Idn;
@@ -48,11 +48,17 @@ abstract class RdapActionBaseTestCase<A extends RdapActionBase> {
 
   protected static final AuthResult AUTH_RESULT =
       AuthResult.createUser(
-          UserAuthInfo.create(new User("rdap.user@user.com", "gmail.com", "12345"), false));
+          new User.Builder()
+              .setEmailAddress("rdap.user@user.com")
+              .setUserRoles(new UserRoles.Builder().setIsAdmin(false).build())
+              .build());
 
   protected static final AuthResult AUTH_RESULT_ADMIN =
       AuthResult.createUser(
-          UserAuthInfo.create(new User("rdap.admin@google.com", "gmail.com", "12345"), true));
+          new User.Builder()
+              .setEmailAddress("rdap.admin@google.com")
+              .setUserRoles(new UserRoles.Builder().setIsAdmin(true).build())
+              .build());
 
   protected FakeResponse response = new FakeResponse();
   protected final FakeClock clock = new FakeClock(DateTime.parse("2000-01-01TZ"));
diff --git a/core/src/test/java/google/registry/request/RequestHandlerTest.java b/core/src/test/java/google/registry/request/RequestHandlerTest.java
index 46fb584ac..188804a00 100644
--- a/core/src/test/java/google/registry/request/RequestHandlerTest.java
+++ b/core/src/test/java/google/registry/request/RequestHandlerTest.java
@@ -17,7 +17,7 @@ package google.registry.request;
 import static com.google.common.truth.Truth.assertThat;
 import static google.registry.request.Action.Method.GET;
 import static google.registry.request.Action.Method.POST;
-import static google.registry.request.auth.Auth.AUTH_API_ADMIN;
+import static google.registry.request.auth.Auth.AUTH_ADMIN;
 import static google.registry.request.auth.Auth.AUTH_PUBLIC;
 import static google.registry.request.auth.AuthResult.NOT_AUTHENTICATED;
 import static org.mockito.ArgumentMatchers.any;
@@ -28,13 +28,13 @@ import static org.mockito.Mockito.verifyNoInteractions;
 import static org.mockito.Mockito.verifyNoMoreInteractions;
 import static org.mockito.Mockito.when;
 
-import com.google.appengine.api.users.User;
 import com.google.common.testing.NullPointerTester;
+import google.registry.model.console.User;
+import google.registry.model.console.UserRoles;
 import google.registry.request.HttpException.ServiceUnavailableException;
 import google.registry.request.auth.AuthResult;
 import google.registry.request.auth.AuthSettings.AuthLevel;
 import google.registry.request.auth.RequestAuthenticator;
-import google.registry.request.auth.UserAuthInfo;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import java.io.PrintWriter;
@@ -122,7 +122,7 @@ public final class RequestHandlerTest {
   @Action(
       service = Action.Service.DEFAULT,
       path = "/auth/adminUser",
-      auth = AUTH_API_ADMIN,
+      auth = AUTH_ADMIN,
       method = GET)
   public class AuthAdminUserAction extends AuthBase {
     AuthAdminUserAction(AuthResult authResult) {
@@ -192,7 +192,11 @@ public final class RequestHandlerTest {
   private final StringWriter httpOutput = new StringWriter();
   private RequestHandler<Component> handler;
   private AuthResult providedAuthResult = null;
-  private final User testUser = new User("test@example.com", "test@example.com");
+  private final User testUser =
+      new User.Builder()
+          .setEmailAddress("test@example.com")
+          .setUserRoles(new UserRoles.Builder().setIsAdmin(true).build())
+          .build();
 
   @BeforeEach
   void beforeEach() throws Exception {
@@ -418,7 +422,7 @@ public final class RequestHandlerTest {
 
     assertThat(providedAuthResult).isNotNull();
     assertThat(providedAuthResult.authLevel()).isEqualTo(AuthLevel.NONE);
-    assertThat(providedAuthResult.userAuthInfo()).isEmpty();
+    assertThat(providedAuthResult.user()).isEmpty();
     assertMetric("/auth/none", GET, AuthLevel.NONE, true);
   }
 
@@ -426,7 +430,7 @@ public final class RequestHandlerTest {
   void testAuthNeeded_failure() throws Exception {
     when(req.getMethod()).thenReturn("GET");
     when(req.getRequestURI()).thenReturn("/auth/adminUser");
-    when(requestAuthenticator.authorize(AUTH_API_ADMIN.authSettings(), req))
+    when(requestAuthenticator.authorize(AUTH_ADMIN.authSettings(), req))
         .thenReturn(Optional.empty());
 
     handler.handleRequest(req, rsp);
@@ -439,15 +443,15 @@ public final class RequestHandlerTest {
   void testAuthNeeded_success() throws Exception {
     when(req.getMethod()).thenReturn("GET");
     when(req.getRequestURI()).thenReturn("/auth/adminUser");
-    when(requestAuthenticator.authorize(AUTH_API_ADMIN.authSettings(), req))
-        .thenReturn(Optional.of(AuthResult.createUser(UserAuthInfo.create(testUser, true))));
+    when(requestAuthenticator.authorize(AUTH_ADMIN.authSettings(), req))
+        .thenReturn(Optional.of(AuthResult.createUser(testUser)));
 
     handler.handleRequest(req, rsp);
 
     assertThat(providedAuthResult).isNotNull();
     assertThat(providedAuthResult.authLevel()).isEqualTo(AuthLevel.USER);
-    assertThat(providedAuthResult.userAuthInfo()).isPresent();
-    assertThat(providedAuthResult.userAuthInfo().get().appEngineUser()).hasValue(testUser);
+    assertThat(providedAuthResult.user()).isPresent();
+    assertThat(providedAuthResult.user()).hasValue(testUser);
     assertMetric("/auth/adminUser", GET, AuthLevel.USER, true);
   }
 }
diff --git a/core/src/test/java/google/registry/request/RouterTest.java b/core/src/test/java/google/registry/request/RouterTest.java
index 400fac6eb..6aa1ea205 100644
--- a/core/src/test/java/google/registry/request/RouterTest.java
+++ b/core/src/test/java/google/registry/request/RouterTest.java
@@ -15,7 +15,7 @@
 package google.registry.request;
 
 import static com.google.common.truth.Truth.assertThat;
-import static google.registry.request.auth.Auth.AUTH_API_ADMIN;
+import static google.registry.request.auth.Auth.AUTH_ADMIN;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import java.util.Optional;
@@ -41,7 +41,7 @@ public final class RouterTest {
 
   ////////////////////////////////////////////////////////////////////////////////////////////////
 
-  @Action(service = Action.Service.DEFAULT, path = "/sloth", auth = AUTH_API_ADMIN)
+  @Action(service = Action.Service.DEFAULT, path = "/sloth", auth = AUTH_ADMIN)
   public static final class SlothTask implements Runnable {
     @Override
     public void run() {}
@@ -71,11 +71,7 @@ public final class RouterTest {
 
   ////////////////////////////////////////////////////////////////////////////////////////////////
 
-  @Action(
-      service = Action.Service.DEFAULT,
-      path = "/prefix",
-      isPrefix = true,
-      auth = AUTH_API_ADMIN)
+  @Action(service = Action.Service.DEFAULT, path = "/prefix", isPrefix = true, auth = AUTH_ADMIN)
   public static final class PrefixTask implements Runnable {
     @Override
     public void run() {}
@@ -105,7 +101,7 @@ public final class RouterTest {
       service = Action.Service.DEFAULT,
       path = "/prefix/long",
       isPrefix = true,
-      auth = AUTH_API_ADMIN)
+      auth = AUTH_ADMIN)
   public static final class LongTask implements Runnable {
     @Override
     public void run() {}
@@ -157,13 +153,13 @@ public final class RouterTest {
 
   ////////////////////////////////////////////////////////////////////////////////////////////////
 
-  @Action(service = Action.Service.DEFAULT, path = "/samePathAsOtherTask", auth = AUTH_API_ADMIN)
+  @Action(service = Action.Service.DEFAULT, path = "/samePathAsOtherTask", auth = AUTH_ADMIN)
   public static final class DuplicateTask1 implements Runnable {
     @Override
     public void run() {}
   }
 
-  @Action(service = Action.Service.DEFAULT, path = "/samePathAsOtherTask", auth = AUTH_API_ADMIN)
+  @Action(service = Action.Service.DEFAULT, path = "/samePathAsOtherTask", auth = AUTH_ADMIN)
   public static final class DuplicateTask2 implements Runnable {
     @Override
     public void run() {}
diff --git a/core/src/test/java/google/registry/request/auth/AuthenticatedRegistrarAccessorTest.java b/core/src/test/java/google/registry/request/auth/AuthenticatedRegistrarAccessorTest.java
index e3e2491f0..153533def 100644
--- a/core/src/test/java/google/registry/request/auth/AuthenticatedRegistrarAccessorTest.java
+++ b/core/src/test/java/google/registry/request/auth/AuthenticatedRegistrarAccessorTest.java
@@ -15,6 +15,7 @@
 package google.registry.request.auth;
 
 import static com.google.common.truth.Truth.assertThat;
+import static google.registry.model.console.RegistrarRole.ACCOUNT_MANAGER;
 import static google.registry.request.auth.AuthResult.NOT_AUTHENTICATED;
 import static google.registry.request.auth.AuthenticatedRegistrarAccessor.Role.ADMIN;
 import static google.registry.request.auth.AuthenticatedRegistrarAccessor.Role.OWNER;
@@ -27,7 +28,6 @@ import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoInteractions;
 import static org.mockito.Mockito.when;
 
-import com.google.appengine.api.users.User;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSetMultimap;
 import com.google.common.testing.NullPointerTester;
@@ -35,7 +35,7 @@ import com.google.common.testing.TestLogHandler;
 import dagger.Lazy;
 import google.registry.groups.GroupsConnection;
 import google.registry.model.console.GlobalRole;
-import google.registry.model.console.RegistrarRole;
+import google.registry.model.console.User;
 import google.registry.model.console.UserRoles;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarBase.State;
@@ -74,28 +74,37 @@ class AuthenticatedRegistrarAccessorTest {
   private final TestLogHandler testLogHandler = new TestLogHandler();
 
   private static final AuthResult USER = createAuthResult(false);
-  private static final AuthResult GAE_ADMIN = createAuthResult(true);
+  private static final AuthResult ADMIN_USER = createAuthResult(true);
   private static final AuthResult NO_USER = NOT_AUTHENTICATED;
   private static final Optional<String> SUPPORT_GROUP = Optional.of("support@registry.example");
-  /** Registrar ID of a REAL registrar with a RegistrarContact for USER and GAE_ADMIN. */
-  private static final String REGISTRAR_ID_WITH_CONTACT = "TheRegistrar";
-  /** Registrar ID of a REAL registrar without a RegistrarContact. */
-  private static final String REAL_REGISTRAR_ID_WITHOUT_CONTACT = "NewRegistrar";
+
+  /** Registrar ID of a REAL registrar which the {@link USER} has access to. */
+  private static final String REGISTRAR_ID_WITH_ACCESS = "TheRegistrar";
+
+  /** Registrar ID of a REAL registrar which the {@link USER} has no access to. */
+  private static final String REAL_REGISTRAR_ID_WITHOUT_ACCESS = "NewRegistrar";
+
   /** Registrar ID of an OTE registrar without a RegistrarContact. */
   private static final String OTE_REGISTRAR_ID_WITHOUT_CONTACT = "OteRegistrar";
+
   /** Registrar ID of the Admin registrar without a RegistrarContact. */
   private static final String ADMIN_REGISTRAR_ID = "AdminRegistrar";
 
   /**
    * Creates an AuthResult for a fake user.
    *
-   * <p>The user will be a RegistrarContact for "TheRegistrar", but not for "NewRegistrar".
-   *
-   * @param isAdmin if true, the user is an administrator for the app-engine project.
+   * <p>The user will have access to TheRegistrar", but not "NewRegistrar".
    */
   private static AuthResult createAuthResult(boolean isAdmin) {
     return AuthResult.createUser(
-        UserAuthInfo.create(new User("johndoe@theregistrar.com", "theregistrar.com"), isAdmin));
+        new User.Builder()
+            .setEmailAddress("johndoe@theregistrar.com")
+            .setUserRoles(
+                new UserRoles.Builder()
+                    .setIsAdmin(isAdmin)
+                    .setRegistrarRoles(ImmutableMap.of(REGISTRAR_ID_WITH_ACCESS, ACCOUNT_MANAGER))
+                    .build())
+            .build());
   }
 
   @BeforeEach
@@ -103,14 +112,14 @@ class AuthenticatedRegistrarAccessorTest {
     when(lazyGroupsConnection.get()).thenReturn(groupsConnection);
     JdkLoggerConfig.getConfig(AuthenticatedRegistrarAccessor.class).addHandler(testLogHandler);
     persistResource(
-        loadRegistrar(REAL_REGISTRAR_ID_WITHOUT_CONTACT)
+        loadRegistrar(REAL_REGISTRAR_ID_WITHOUT_ACCESS)
             .asBuilder()
             .setRegistrarId(OTE_REGISTRAR_ID_WITHOUT_CONTACT)
             .setType(Registrar.Type.OTE)
             .setIanaIdentifier(null)
             .build());
     persistResource(
-        loadRegistrar(REAL_REGISTRAR_ID_WITHOUT_CONTACT)
+        loadRegistrar(REAL_REGISTRAR_ID_WITHOUT_ACCESS)
             .asBuilder()
             .setRegistrarId(ADMIN_REGISTRAR_ID)
             .setType(Registrar.Type.OTE)
@@ -132,7 +141,7 @@ class AuthenticatedRegistrarAccessorTest {
             USER, ADMIN_REGISTRAR_ID, SUPPORT_GROUP, lazyGroupsConnection);
 
     assertThat(registrarAccessor.getAllRegistrarIdsWithRoles())
-        .containsExactly(REGISTRAR_ID_WITH_CONTACT, OWNER);
+        .containsExactly(REGISTRAR_ID_WITH_ACCESS, OWNER);
     verify(lazyGroupsConnection).get();
   }
 
@@ -147,35 +156,6 @@ class AuthenticatedRegistrarAccessorTest {
     verifyNoInteractions(lazyGroupsConnection);
   }
 
-  /**
-   * GAE admins have admin access to everything.
-   *
-   * <p>They also have OWNER access if they are in the RegistrarContacts.
-   *
-   * <p>They also have OWNER access to the Admin Registrar.
-   *
-   * <p>They also have OWNER access to non-REAL Registrars.
-   *
-   * <p>(in other words - they don't have OWNER access only to REAL registrars owned by others)
-   */
-  @Test
-  void getAllRegistrarIdWithAccess_gaeAdmin() {
-    AuthenticatedRegistrarAccessor registrarAccessor =
-        new AuthenticatedRegistrarAccessor(
-            GAE_ADMIN, ADMIN_REGISTRAR_ID, SUPPORT_GROUP, lazyGroupsConnection);
-
-    assertThat(registrarAccessor.getAllRegistrarIdsWithRoles())
-        .containsExactly(
-            REGISTRAR_ID_WITH_CONTACT, ADMIN,
-            REGISTRAR_ID_WITH_CONTACT, OWNER,
-            REAL_REGISTRAR_ID_WITHOUT_CONTACT, ADMIN,
-            OTE_REGISTRAR_ID_WITHOUT_CONTACT, ADMIN,
-            OTE_REGISTRAR_ID_WITHOUT_CONTACT, OWNER,
-            ADMIN_REGISTRAR_ID, ADMIN,
-            ADMIN_REGISTRAR_ID, OWNER);
-    verifyNoInteractions(lazyGroupsConnection);
-  }
-
   /**
    * Users in support group have admin access to everything.
    *
@@ -197,9 +177,9 @@ class AuthenticatedRegistrarAccessorTest {
 
     assertThat(registrarAccessor.getAllRegistrarIdsWithRoles())
         .containsExactly(
-            REGISTRAR_ID_WITH_CONTACT, ADMIN,
-            REGISTRAR_ID_WITH_CONTACT, OWNER,
-            REAL_REGISTRAR_ID_WITHOUT_CONTACT, ADMIN,
+            REGISTRAR_ID_WITH_ACCESS, ADMIN,
+            REGISTRAR_ID_WITH_ACCESS, OWNER,
+            REAL_REGISTRAR_ID_WITHOUT_ACCESS, ADMIN,
             OTE_REGISTRAR_ID_WITHOUT_CONTACT, ADMIN,
             OTE_REGISTRAR_ID_WITHOUT_CONTACT, OWNER,
             ADMIN_REGISTRAR_ID, ADMIN,
@@ -215,7 +195,7 @@ class AuthenticatedRegistrarAccessorTest {
             USER, ADMIN_REGISTRAR_ID, Optional.empty(), lazyGroupsConnection);
 
     assertThat(registrarAccessor.getAllRegistrarIdsWithRoles())
-        .containsExactly(REGISTRAR_ID_WITH_CONTACT, OWNER);
+        .containsExactly(REGISTRAR_ID_WITH_ACCESS, OWNER);
     // Make sure we didn't instantiate the lazyGroupsConnection
     verifyNoInteractions(lazyGroupsConnection);
   }
@@ -230,7 +210,7 @@ class AuthenticatedRegistrarAccessorTest {
 
     verify(groupsConnection).isMemberOfGroup("johndoe@theregistrar.com", SUPPORT_GROUP.get());
     assertThat(registrarAccessor.getAllRegistrarIdsWithRoles())
-        .containsExactly(REGISTRAR_ID_WITH_CONTACT, OWNER);
+        .containsExactly(REGISTRAR_ID_WITH_ACCESS, OWNER);
     verify(lazyGroupsConnection).get();
   }
 
@@ -238,7 +218,7 @@ class AuthenticatedRegistrarAccessorTest {
   @Test
   void testGetRegistrarForUser_noAccess_isNotAdmin() {
     expectGetRegistrarFailure(
-        REAL_REGISTRAR_ID_WITHOUT_CONTACT,
+        REAL_REGISTRAR_ID_WITHOUT_ACCESS,
         USER,
         "user johndoe@theregistrar.com doesn't have access to registrar NewRegistrar");
     verify(lazyGroupsConnection).get();
@@ -247,13 +227,13 @@ class AuthenticatedRegistrarAccessorTest {
   @Test
   void testGetRegistrarForUser_registrarIsDisabled_isNotAdmin() {
     persistResource(
-        Registrar.loadByRegistrarId("TheRegistrar")
+        Registrar.loadByRegistrarId(REGISTRAR_ID_WITH_ACCESS)
             .get()
             .asBuilder()
             .setState(State.DISABLED)
             .build());
     expectGetRegistrarFailure(
-        REGISTRAR_ID_WITH_CONTACT,
+        REGISTRAR_ID_WITH_ACCESS,
         USER,
         "user johndoe@theregistrar.com doesn't have access to registrar TheRegistrar");
     verify(lazyGroupsConnection).get();
@@ -273,7 +253,7 @@ class AuthenticatedRegistrarAccessorTest {
   @Test
   void testGetRegistrarForUser_noUser() {
     expectGetRegistrarFailure(
-        REGISTRAR_ID_WITH_CONTACT,
+        REGISTRAR_ID_WITH_ACCESS,
         NO_USER,
         "<logged-out user> doesn't have access to registrar TheRegistrar");
     verifyNoInteractions(lazyGroupsConnection);
@@ -283,29 +263,18 @@ class AuthenticatedRegistrarAccessorTest {
   @Test
   void testGetRegistrarForUser_inContacts_isNotAdmin() throws Exception {
     expectGetRegistrarSuccess(
-        REGISTRAR_ID_WITH_CONTACT,
+        REGISTRAR_ID_WITH_ACCESS,
         USER,
         "user johndoe@theregistrar.com has [OWNER] access to registrar TheRegistrar");
     verify(lazyGroupsConnection).get();
   }
 
-  /** Succeed loading registrar if user has access to it. Email address is case-insensitive */
-  @Test
-  void testGetRegistrarForUser_inContacts_isNotAdmin_caseInsensitive() throws Exception {
-    expectGetRegistrarSuccess(
-        REGISTRAR_ID_WITH_CONTACT,
-        AuthResult.createUser(
-            UserAuthInfo.create(new User("JohnDoe@theregistrar.com", "theregistrar.com"), false)),
-        "user JohnDoe@theregistrar.com has [OWNER] access to registrar TheRegistrar");
-    verify(lazyGroupsConnection).get();
-  }
-
   /** Succeed loading registrar if admin with access. */
   @Test
   void testGetRegistrarForUser_inContacts_isAdmin() throws Exception {
     expectGetRegistrarSuccess(
-        REGISTRAR_ID_WITH_CONTACT,
-        GAE_ADMIN,
+        REGISTRAR_ID_WITH_ACCESS,
+        ADMIN_USER,
         "admin johndoe@theregistrar.com has [OWNER, ADMIN] access to registrar TheRegistrar");
     verifyNoInteractions(lazyGroupsConnection);
   }
@@ -314,8 +283,8 @@ class AuthenticatedRegistrarAccessorTest {
   @Test
   void testGetRegistrarForUser_notInContacts_isAdmin() throws Exception {
     expectGetRegistrarSuccess(
-        REAL_REGISTRAR_ID_WITHOUT_CONTACT,
-        GAE_ADMIN,
+        REAL_REGISTRAR_ID_WITHOUT_ACCESS,
+        ADMIN_USER,
         "admin johndoe@theregistrar.com has [ADMIN] access to registrar NewRegistrar.");
     verifyNoInteractions(lazyGroupsConnection);
   }
@@ -329,8 +298,8 @@ class AuthenticatedRegistrarAccessorTest {
             .setState(State.DISABLED)
             .build());
     expectGetRegistrarSuccess(
-        REAL_REGISTRAR_ID_WITHOUT_CONTACT,
-        GAE_ADMIN,
+        REAL_REGISTRAR_ID_WITHOUT_ACCESS,
+        ADMIN_USER,
         "admin johndoe@theregistrar.com has [OWNER, ADMIN] access to registrar NewRegistrar.");
     verifyNoInteractions(lazyGroupsConnection);
   }
@@ -340,7 +309,7 @@ class AuthenticatedRegistrarAccessorTest {
   void testGetRegistrarForUser_notInContacts_isAdmin_notReal() throws Exception {
     expectGetRegistrarSuccess(
         OTE_REGISTRAR_ID_WITHOUT_CONTACT,
-        GAE_ADMIN,
+        ADMIN_USER,
         "admin johndoe@theregistrar.com has [OWNER, ADMIN] access to registrar OteRegistrar.");
     verifyNoInteractions(lazyGroupsConnection);
   }
@@ -349,7 +318,7 @@ class AuthenticatedRegistrarAccessorTest {
   @Test
   void testGetRegistrarForUser_doesntExist_isAdmin() {
     expectGetRegistrarFailure(
-        "BadRegistrarId", GAE_ADMIN, "Registrar BadRegistrarId does not exist");
+        "BadRegistrarId", ADMIN_USER, "Registrar BadRegistrarId does not exist");
     verifyNoInteractions(lazyGroupsConnection);
   }
 
@@ -419,7 +388,7 @@ class AuthenticatedRegistrarAccessorTest {
             .setUserRoles(
                 new UserRoles.Builder().setIsAdmin(true).setGlobalRole(GlobalRole.FTE).build())
             .build();
-    AuthResult authResult = AuthResult.createUser(UserAuthInfo.create(consoleUser));
+    AuthResult authResult = AuthResult.createUser(consoleUser);
     AuthenticatedRegistrarAccessor registrarAccessor =
         new AuthenticatedRegistrarAccessor(
             authResult, ADMIN_REGISTRAR_ID, SUPPORT_GROUP, lazyGroupsConnection);
@@ -427,8 +396,8 @@ class AuthenticatedRegistrarAccessorTest {
     // Admin access to all, and owner access to the non-real registrar and the admin registrar
     assertThat(registrarAccessor.getAllRegistrarIdsWithRoles())
         .containsExactly(
-            REGISTRAR_ID_WITH_CONTACT, ADMIN,
-            REAL_REGISTRAR_ID_WITHOUT_CONTACT, ADMIN,
+            REGISTRAR_ID_WITH_ACCESS, ADMIN,
+            REAL_REGISTRAR_ID_WITHOUT_ACCESS, ADMIN,
             OTE_REGISTRAR_ID_WITHOUT_CONTACT, ADMIN,
             OTE_REGISTRAR_ID_WITHOUT_CONTACT, OWNER,
             ADMIN_REGISTRAR_ID, ADMIN,
@@ -444,7 +413,7 @@ class AuthenticatedRegistrarAccessorTest {
             .setEmailAddress("email@email.com")
             .setUserRoles(new UserRoles.Builder().setGlobalRole(GlobalRole.SUPPORT_AGENT).build())
             .build();
-    AuthResult authResult = AuthResult.createUser(UserAuthInfo.create(consoleUser));
+    AuthResult authResult = AuthResult.createUser(consoleUser);
     AuthenticatedRegistrarAccessor registrarAccessor =
         new AuthenticatedRegistrarAccessor(
             authResult, ADMIN_REGISTRAR_ID, SUPPORT_GROUP, lazyGroupsConnection);
@@ -463,19 +432,19 @@ class AuthenticatedRegistrarAccessorTest {
                 new UserRoles.Builder()
                     .setRegistrarRoles(
                         ImmutableMap.of(
-                            REGISTRAR_ID_WITH_CONTACT,
-                            RegistrarRole.ACCOUNT_MANAGER,
-                            REAL_REGISTRAR_ID_WITHOUT_CONTACT,
-                            RegistrarRole.ACCOUNT_MANAGER))
+                            REGISTRAR_ID_WITH_ACCESS,
+                            ACCOUNT_MANAGER,
+                            REAL_REGISTRAR_ID_WITHOUT_ACCESS,
+                            ACCOUNT_MANAGER))
                     .build())
             .build();
-    AuthResult authResult = AuthResult.createUser(UserAuthInfo.create(consoleUser));
+    AuthResult authResult = AuthResult.createUser(consoleUser);
     AuthenticatedRegistrarAccessor registrarAccessor =
         new AuthenticatedRegistrarAccessor(
             authResult, ADMIN_REGISTRAR_ID, SUPPORT_GROUP, lazyGroupsConnection);
     assertThat(registrarAccessor.getAllRegistrarIdsWithRoles())
         .containsExactly(
-            REGISTRAR_ID_WITH_CONTACT, OWNER,
-            REAL_REGISTRAR_ID_WITHOUT_CONTACT, OWNER);
+            REGISTRAR_ID_WITH_ACCESS, OWNER,
+            REAL_REGISTRAR_ID_WITHOUT_ACCESS, OWNER);
   }
 }
diff --git a/core/src/test/java/google/registry/request/auth/LegacyAuthenticationMechanismTest.java b/core/src/test/java/google/registry/request/auth/LegacyAuthenticationMechanismTest.java
deleted file mode 100644
index a08dce4a1..000000000
--- a/core/src/test/java/google/registry/request/auth/LegacyAuthenticationMechanismTest.java
+++ /dev/null
@@ -1,177 +0,0 @@
-// Copyright 2018 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.request.auth;
-
-import static com.google.common.truth.Truth.assertThat;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.atLeast;
-import static org.mockito.Mockito.times;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.verifyNoMoreInteractions;
-import static org.mockito.Mockito.when;
-
-import com.google.appengine.api.users.User;
-import com.google.appengine.api.users.UserService;
-import google.registry.persistence.transaction.JpaTestExtensions;
-import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationTestExtension;
-import google.registry.request.auth.AuthSettings.AuthLevel;
-import google.registry.security.XsrfTokenManager;
-import google.registry.testing.FakeClock;
-import jakarta.servlet.http.HttpServletRequest;
-import org.junit.jupiter.api.AfterEach;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.junit.jupiter.api.extension.RegisterExtension;
-import org.mockito.Mock;
-import org.mockito.junit.jupiter.MockitoExtension;
-import org.mockito.junit.jupiter.MockitoSettings;
-import org.mockito.quality.Strictness;
-
-/** Unit tests for {@link LegacyAuthenticationMechanism}. */
-@ExtendWith(MockitoExtension.class)
-final class LegacyAuthenticationMechanismTest {
-
-  @RegisterExtension
-  final JpaIntegrationTestExtension jpa =
-      new JpaTestExtensions.Builder().buildIntegrationTestExtension();
-
-  @Mock private UserService userService;
-  @Mock private HttpServletRequest req;
-
-  private final FakeClock clock = new FakeClock();
-  private XsrfTokenManager xsrfTokenManager;
-  private LegacyAuthenticationMechanism legacyAuthenticationMechanism;
-  private String goodToken;
-
-  @BeforeEach
-  void beforeEach() {
-    xsrfTokenManager = new XsrfTokenManager(clock, userService);
-    legacyAuthenticationMechanism =
-        new LegacyAuthenticationMechanism(userService, xsrfTokenManager);
-    when(userService.getCurrentUser()).thenReturn(new User("email@example.com", "example.com"));
-    when(userService.isUserAdmin()).thenReturn(false);
-    goodToken = xsrfTokenManager.generateToken("email@example.com");
-  }
-
-  @AfterEach
-  void afterEach() {
-    // Make sure we didn't use getParameter or getInputStream or any of the other "with side
-    // effects" getters unexpectedly. But allow "no side effect" getters.
-    //
-    // Unfortunately HttpServletRequest doesn't document well which getters "have side effects". It
-    // does explicitly state getReader and getInputStream, and that getParameter can also interfere
-    // with them, but it doesn't say anything about getParameterNames, getParameterValues,
-    // getParameterMap - even though I'm pretty sure they are similar to getParameter in that
-    // effect.
-    //
-    // Feel free to add other "no side effect" functions with atLeast(0) to exempt them from the
-    // verifyNoMoreInteractions
-    verify(req, atLeast(0)).getMethod();
-    verify(req, atLeast(0)).getHeader(any());
-    verifyNoMoreInteractions(req);
-  }
-
-  @Test
-  @MockitoSettings(strictness = Strictness.LENIENT)
-  void testAuthenticate_notLoggedIn() {
-    when(userService.isUserLoggedIn()).thenReturn(false);
-    assertThat(legacyAuthenticationMechanism.authenticate(req).authLevel())
-        .isEqualTo(AuthLevel.NONE);
-  }
-
-  @Test
-  void testAuthenticate_loggedInSafeMethod_get() {
-    when(userService.isUserLoggedIn()).thenReturn(true);
-    when(req.getMethod()).thenReturn("GET");
-    assertThat(legacyAuthenticationMechanism.authenticate(req).authLevel())
-        .isEqualTo(AuthLevel.USER);
-  }
-
-  @Test
-  void testAuthenticate_loggedInSafeMethod_head() {
-    when(userService.isUserLoggedIn()).thenReturn(true);
-    when(req.getMethod()).thenReturn("HEAD");
-    assertThat(legacyAuthenticationMechanism.authenticate(req).authLevel())
-        .isEqualTo(AuthLevel.USER);
-  }
-
-  @Test
-  @MockitoSettings(strictness = Strictness.LENIENT)
-  void testAuthenticate_loggedInUnsafeMethod_post_noXsrfToken() {
-    when(userService.isUserLoggedIn()).thenReturn(true);
-    when(req.getMethod()).thenReturn("POST");
-    assertThat(legacyAuthenticationMechanism.authenticate(req).authLevel())
-        .isEqualTo(AuthLevel.NONE);
-
-    // Make sure we looked for the token in all relevant places before giving up
-    verify(req).getHeader("X-CSRF-Token");
-    verify(req).getParameter("xsrfToken");
-  }
-
-  @Test
-  void testAuthenticate_loggedInUnsafeMethod_post_goodTokenInHeader() {
-    when(userService.isUserLoggedIn()).thenReturn(true);
-    when(req.getMethod()).thenReturn("POST");
-    when(req.getHeader("X-CSRF-Token")).thenReturn(goodToken);
-    assertThat(legacyAuthenticationMechanism.authenticate(req).authLevel())
-        .isEqualTo(AuthLevel.USER);
-
-    // Make sure we didn't call getParameter (we already verify it in the @After, but we're doing it
-    // here explicitly as well for clarity, since this is important in this test)
-    verify(req, times(0)).getParameter(any());
-  }
-
-  @Test
-  @MockitoSettings(strictness = Strictness.LENIENT)
-  void testAuthenticate_loggedInUnsafeMethod_post_badTokenInHeader() {
-    when(userService.isUserLoggedIn()).thenReturn(true);
-    when(req.getMethod()).thenReturn("POST");
-    when(req.getHeader("X-CSRF-Token")).thenReturn("bad");
-    assertThat(legacyAuthenticationMechanism.authenticate(req).authLevel())
-        .isEqualTo(AuthLevel.NONE);
-
-    // Make sure we didn't call getParameter (we already verify it in the @After, but we're doing it
-    // here explicitly as well for clarity, since this is important in this test)
-    verify(req, times(0)).getParameter(any());
-  }
-
-  @Test
-  void testAuthenticate_loggedInUnsafeMethod_post_goodTokenInParam() {
-    when(userService.isUserLoggedIn()).thenReturn(true);
-    when(req.getMethod()).thenReturn("POST");
-    when(req.getParameter("xsrfToken")).thenReturn(goodToken);
-    assertThat(legacyAuthenticationMechanism.authenticate(req).authLevel())
-        .isEqualTo(AuthLevel.USER);
-
-    // we allow getParameter to be called in this case (we verify it so it's not caught in the
-    // @After's verifyNoMoreInteractions)
-    verify(req).getParameter("xsrfToken");
-  }
-
-  @Test
-  @MockitoSettings(strictness = Strictness.LENIENT)
-  void testAuthenticate_loggedInUnsafeMethod_post_badTokenInParam() {
-    when(userService.isUserLoggedIn()).thenReturn(true);
-    when(req.getMethod()).thenReturn("POST");
-    when(req.getParameter("xsrfToken")).thenReturn("bad");
-    assertThat(legacyAuthenticationMechanism.authenticate(req).authLevel())
-        .isEqualTo(AuthLevel.NONE);
-
-    // we allow getParameter to be called in this case (we verify it so it's not caught in the
-    // @After's verifyNoMoreInteractions)
-    verify(req).getParameter("xsrfToken");
-  }
-}
diff --git a/core/src/test/java/google/registry/request/auth/OidcTokenAuthenticationMechanismTest.java b/core/src/test/java/google/registry/request/auth/OidcTokenAuthenticationMechanismTest.java
index 6104e5902..2b61c4c20 100644
--- a/core/src/test/java/google/registry/request/auth/OidcTokenAuthenticationMechanismTest.java
+++ b/core/src/test/java/google/registry/request/auth/OidcTokenAuthenticationMechanismTest.java
@@ -129,7 +129,7 @@ public class OidcTokenAuthenticationMechanismTest {
     authResult = authenticationMechanism.authenticate(request);
     assertThat(authResult.isAuthenticated()).isTrue();
     assertThat(authResult.authLevel()).isEqualTo(AuthLevel.USER);
-    assertThat(authResult.userAuthInfo().get().consoleUser().get()).isEqualTo(user);
+    assertThat(authResult.user().get()).isEqualTo(user);
   }
 
   @Test
@@ -153,7 +153,7 @@ public class OidcTokenAuthenticationMechanismTest {
     authResult = authenticationMechanism.authenticate(request);
     assertThat(authResult.isAuthenticated()).isTrue();
     assertThat(authResult.authLevel()).isEqualTo(AuthLevel.USER);
-    assertThat(authResult.userAuthInfo().get().consoleUser().get()).isEqualTo(serviceUser);
+    assertThat(authResult.user().get()).isEqualTo(serviceUser);
   }
 
   @Test
diff --git a/core/src/test/java/google/registry/request/auth/RequestAuthenticatorTest.java b/core/src/test/java/google/registry/request/auth/RequestAuthenticatorTest.java
index f89247292..3fec1bde2 100644
--- a/core/src/test/java/google/registry/request/auth/RequestAuthenticatorTest.java
+++ b/core/src/test/java/google/registry/request/auth/RequestAuthenticatorTest.java
@@ -19,8 +19,6 @@ import static google.registry.request.auth.AuthResult.NOT_AUTHENTICATED;
 import static google.registry.request.auth.AuthSettings.AuthLevel.APP;
 import static google.registry.request.auth.AuthSettings.AuthLevel.NONE;
 import static google.registry.request.auth.AuthSettings.AuthLevel.USER;
-import static google.registry.request.auth.AuthSettings.AuthMethod.API;
-import static google.registry.request.auth.AuthSettings.AuthMethod.LEGACY;
 import static google.registry.request.auth.AuthSettings.UserPolicy.ADMIN;
 import static google.registry.request.auth.AuthSettings.UserPolicy.PUBLIC;
 import static org.junit.jupiter.api.Assertions.assertThrows;
@@ -34,7 +32,6 @@ import google.registry.model.console.GlobalRole;
 import google.registry.model.console.User;
 import google.registry.model.console.UserRoles;
 import google.registry.request.auth.AuthSettings.AuthLevel;
-import google.registry.request.auth.AuthSettings.AuthMethod;
 import google.registry.request.auth.AuthSettings.UserPolicy;
 import jakarta.servlet.http.HttpServletRequest;
 import java.util.Optional;
@@ -48,27 +45,18 @@ class RequestAuthenticatorTest {
 
   private static final AuthResult USER_PUBLIC_AUTH =
       AuthResult.createUser(
-          UserAuthInfo.create(
-              new User.Builder()
-                  .setEmailAddress("user@registry.example")
-                  .setUserRoles(
-                      new UserRoles.Builder()
-                          .setIsAdmin(false)
-                          .setGlobalRole(GlobalRole.NONE)
-                          .build())
-                  .build()));
+          new User.Builder()
+              .setEmailAddress("user@registry.example")
+              .setUserRoles(new UserRoles.Builder().setGlobalRole(GlobalRole.NONE).build())
+              .build());
 
   private static final AuthResult USER_ADMIN_AUTH =
       AuthResult.createUser(
-          UserAuthInfo.create(
-              new User.Builder()
-                  .setEmailAddress("admin@registry.example")
-                  .setUserRoles(
-                      new UserRoles.Builder()
-                          .setIsAdmin(true)
-                          .setGlobalRole(GlobalRole.FTE)
-                          .build())
-                  .build()));
+          new User.Builder()
+              .setEmailAddress("admin@registry.example")
+              .setUserRoles(
+                  new UserRoles.Builder().setIsAdmin(true).setGlobalRole(GlobalRole.FTE).build())
+              .build());
 
   private final HttpServletRequest req = mock(HttpServletRequest.class);
 
@@ -76,28 +64,23 @@ class RequestAuthenticatorTest {
       mock(AuthenticationMechanism.class);
   private final AuthenticationMechanism apiAuthenticationMechanism2 =
       mock(AuthenticationMechanism.class);
-  private final LegacyAuthenticationMechanism legacyAuthenticationMechanism =
-      mock(LegacyAuthenticationMechanism.class);
 
   private Optional<AuthResult> authorize(AuthLevel authLevel, UserPolicy userPolicy) {
     return new RequestAuthenticator(
-            ImmutableList.of(apiAuthenticationMechanism1, apiAuthenticationMechanism2),
-            legacyAuthenticationMechanism)
-        .authorize(AuthSettings.create(ImmutableList.of(API, LEGACY), authLevel, userPolicy), req);
+            ImmutableList.of(apiAuthenticationMechanism1, apiAuthenticationMechanism2))
+        .authorize(new AuthSettings(authLevel, userPolicy), req);
   }
 
-  private AuthResult authenticate(AuthMethod... methods) {
+  private AuthResult authenticate() {
     return new RequestAuthenticator(
-            ImmutableList.of(apiAuthenticationMechanism1, apiAuthenticationMechanism2),
-            legacyAuthenticationMechanism)
-        .authenticate(AuthSettings.create(ImmutableList.copyOf(methods), NONE, PUBLIC), req);
+            ImmutableList.of(apiAuthenticationMechanism1, apiAuthenticationMechanism2))
+        .authenticate(new AuthSettings(NONE, PUBLIC), req);
   }
 
   @BeforeEach
   void beforeEach() {
     when(apiAuthenticationMechanism1.authenticate(req)).thenReturn(NOT_AUTHENTICATED);
     when(apiAuthenticationMechanism2.authenticate(req)).thenReturn(NOT_AUTHENTICATED);
-    when(legacyAuthenticationMechanism.authenticate(req)).thenReturn(NOT_AUTHENTICATED);
   }
 
   @Test
@@ -160,117 +143,29 @@ class RequestAuthenticatorTest {
   @Test
   void testAuthenticate_apiFirst() {
     when(apiAuthenticationMechanism1.authenticate(req)).thenReturn(APP_AUTH);
-    assertThat(authenticate(API, LEGACY)).isEqualTo(APP_AUTH);
+    assertThat(authenticate()).isEqualTo(APP_AUTH);
     verify(apiAuthenticationMechanism1).authenticate(req);
     verifyNoMoreInteractions(apiAuthenticationMechanism1);
     verifyNoMoreInteractions(apiAuthenticationMechanism2);
-    verifyNoMoreInteractions(legacyAuthenticationMechanism);
   }
 
   @Test
   void testAuthenticate_apiSecond() {
     when(apiAuthenticationMechanism2.authenticate(req)).thenReturn(APP_AUTH);
-    assertThat(authenticate(API, LEGACY)).isEqualTo(APP_AUTH);
+    assertThat(authenticate()).isEqualTo(APP_AUTH);
     verify(apiAuthenticationMechanism1).authenticate(req);
     verify(apiAuthenticationMechanism2).authenticate(req);
     verifyNoMoreInteractions(apiAuthenticationMechanism1);
     verifyNoMoreInteractions(apiAuthenticationMechanism2);
-    verifyNoMoreInteractions(legacyAuthenticationMechanism);
-  }
-
-  @Test
-  void testAuthenticate_legacy() {
-    when(legacyAuthenticationMechanism.authenticate(req)).thenReturn(APP_AUTH);
-    assertThat(authenticate(API, LEGACY)).isEqualTo(APP_AUTH);
-    verify(apiAuthenticationMechanism1).authenticate(req);
-    verify(apiAuthenticationMechanism2).authenticate(req);
-    verify(legacyAuthenticationMechanism).authenticate(req);
-    verifyNoMoreInteractions(apiAuthenticationMechanism1);
-    verifyNoMoreInteractions(apiAuthenticationMechanism2);
-    verifyNoMoreInteractions(legacyAuthenticationMechanism);
-  }
-
-  @Test
-  void testAuthenticate_returnFirstResult() {
-    // API auth 2 returns an authenticted auth result, so we don't bother trying the next auth
-    // (legacy auth).
-    when(apiAuthenticationMechanism2.authenticate(req)).thenReturn(APP_AUTH);
-    when(legacyAuthenticationMechanism.authenticate(req)).thenReturn(USER_PUBLIC_AUTH);
-    assertThat(authenticate(API, LEGACY)).isEqualTo(APP_AUTH);
-    verify(apiAuthenticationMechanism1).authenticate(req);
-    verify(apiAuthenticationMechanism2).authenticate(req);
-    verifyNoMoreInteractions(apiAuthenticationMechanism1);
-    verifyNoMoreInteractions(apiAuthenticationMechanism2);
-    verifyNoMoreInteractions(legacyAuthenticationMechanism);
   }
 
   @Test
   void testAuthenticate_notAuthenticated() {
-    assertThat(authenticate(API, LEGACY)).isEqualTo(NOT_AUTHENTICATED);
-    verify(apiAuthenticationMechanism1).authenticate(req);
-    verify(apiAuthenticationMechanism2).authenticate(req);
-    verify(legacyAuthenticationMechanism).authenticate(req);
-    verifyNoMoreInteractions(apiAuthenticationMechanism1);
-    verifyNoMoreInteractions(apiAuthenticationMechanism2);
-    verifyNoMoreInteractions(legacyAuthenticationMechanism);
-  }
-
-  @Test
-  void testAuthenticate_apiOnly() {
-    when(legacyAuthenticationMechanism.authenticate(req)).thenReturn(USER_PUBLIC_AUTH);
-    assertThat(authenticate(API)).isEqualTo(NOT_AUTHENTICATED);
+    assertThat(authenticate()).isEqualTo(NOT_AUTHENTICATED);
     verify(apiAuthenticationMechanism1).authenticate(req);
     verify(apiAuthenticationMechanism2).authenticate(req);
     verifyNoMoreInteractions(apiAuthenticationMechanism1);
     verifyNoMoreInteractions(apiAuthenticationMechanism2);
-    verifyNoMoreInteractions(legacyAuthenticationMechanism);
-  }
-
-  @Test
-  void testAuthenticate_legacyOnly() {
-    when(apiAuthenticationMechanism1.authenticate(req)).thenReturn(USER_PUBLIC_AUTH);
-    assertThat(authenticate(LEGACY)).isEqualTo(NOT_AUTHENTICATED);
-    verify(legacyAuthenticationMechanism).authenticate(req);
-    verifyNoMoreInteractions(apiAuthenticationMechanism1);
-    verifyNoMoreInteractions(apiAuthenticationMechanism2);
-    verifyNoMoreInteractions(legacyAuthenticationMechanism);
-  }
-
-  @Test
-  void testFailure_checkAuthConfig_noMethods() {
-    IllegalArgumentException thrown =
-        assertThrows(
-            IllegalArgumentException.class,
-            () ->
-                RequestAuthenticator.checkAuthConfig(
-                    AuthSettings.create(ImmutableList.of(), NONE, PUBLIC)));
-    assertThat(thrown).hasMessageThat().contains("Must specify at least one auth method");
-  }
-
-  @Test
-  void testFailure_checkAuthConfig_wrongMethodOrder() {
-    IllegalArgumentException thrown =
-        assertThrows(
-            IllegalArgumentException.class,
-            () ->
-                RequestAuthenticator.checkAuthConfig(
-                    AuthSettings.create(ImmutableList.of(LEGACY, API), NONE, PUBLIC)));
-    assertThat(thrown)
-        .hasMessageThat()
-        .contains("Auth methods must be unique and strictly in order - API, LEGACY");
-  }
-
-  @Test
-  void testFailure_CheckAuthConfig_duplicateMethods() {
-    IllegalArgumentException thrown =
-        assertThrows(
-            IllegalArgumentException.class,
-            () ->
-                RequestAuthenticator.checkAuthConfig(
-                    AuthSettings.create(ImmutableList.of(API, API), NONE, PUBLIC)));
-    assertThat(thrown)
-        .hasMessageThat()
-        .contains("Auth methods must be unique and strictly in order - API, LEGACY");
   }
 
   @Test
@@ -278,9 +173,7 @@ class RequestAuthenticatorTest {
     IllegalArgumentException thrown =
         assertThrows(
             IllegalArgumentException.class,
-            () ->
-                RequestAuthenticator.checkAuthConfig(
-                    AuthSettings.create(ImmutableList.of(API, LEGACY), NONE, ADMIN)));
+            () -> RequestAuthenticator.checkAuthConfig(new AuthSettings(NONE, ADMIN)));
     assertThat(thrown)
         .hasMessageThat()
         .contains("Actions with minimal auth level at NONE should not specify ADMIN user policy");
diff --git a/core/src/test/java/google/registry/request/lock/LockHandlerImplTest.java b/core/src/test/java/google/registry/request/lock/LockHandlerImplTest.java
index 2712d7b29..ee4f58012 100644
--- a/core/src/test/java/google/registry/request/lock/LockHandlerImplTest.java
+++ b/core/src/test/java/google/registry/request/lock/LockHandlerImplTest.java
@@ -22,7 +22,6 @@ import static org.mockito.Mockito.verify;
 
 import google.registry.model.server.Lock;
 import google.registry.testing.FakeClock;
-import google.registry.testing.UserServiceExtension;
 import java.util.Optional;
 import java.util.concurrent.Callable;
 import java.util.concurrent.TimeoutException;
@@ -30,7 +29,6 @@ import javax.annotation.Nullable;
 import org.joda.time.DateTime;
 import org.joda.time.Duration;
 import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.RegisterExtension;
 
 /** Unit tests for {@link LockHandler}. */
 final class LockHandlerImplTest {
@@ -39,10 +37,6 @@ final class LockHandlerImplTest {
 
   private final FakeClock clock = new FakeClock(DateTime.parse("2001-08-29T12:20:00Z"));
 
-  // We do not actually need to set up user service, rather, we just need this extension to set up
-  // App Engine environment so the status checker can make an App Engine API call.
-  @RegisterExtension UserServiceExtension userService = new UserServiceExtension("");
-
   private static class CountingCallable implements Callable<Void> {
     int numCalled;
 
diff --git a/core/src/test/java/google/registry/security/XsrfTokenManagerTest.java b/core/src/test/java/google/registry/security/XsrfTokenManagerTest.java
index 363293db7..1576202de 100644
--- a/core/src/test/java/google/registry/security/XsrfTokenManagerTest.java
+++ b/core/src/test/java/google/registry/security/XsrfTokenManagerTest.java
@@ -16,11 +16,7 @@ package google.registry.security;
 
 import static com.google.common.truth.Truth.assertThat;
 import static google.registry.util.DateTimeUtils.START_OF_TIME;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
 
-import com.google.appengine.api.users.User;
-import com.google.appengine.api.users.UserService;
 import com.google.common.base.Splitter;
 import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationTestExtension;
@@ -37,59 +33,56 @@ class XsrfTokenManagerTest {
   final JpaIntegrationTestExtension jpa =
       new JpaTestExtensions.Builder().buildIntegrationTestExtension();
 
-  private final User testUser = new User("test@example.com", "test@example.com");
+  private final String email = "test@example.com";
   private final FakeClock clock = new FakeClock(START_OF_TIME);
-  private final UserService userService = mock(UserService.class);
-  private final XsrfTokenManager xsrfTokenManager = new XsrfTokenManager(clock, userService);
+  private final XsrfTokenManager xsrfTokenManager = new XsrfTokenManager(clock);
 
   private String token;
 
   @BeforeEach
   void beforeEach() {
-    when(userService.isUserLoggedIn()).thenReturn(true);
-    when(userService.getCurrentUser()).thenReturn(testUser);
-    when(userService.isUserAdmin()).thenReturn(false);
-    token = xsrfTokenManager.generateToken(testUser.getEmail());
+    token = xsrfTokenManager.generateToken(email);
   }
 
   @Test
   void testValidate_validToken() {
-    assertThat(xsrfTokenManager.validateToken(token)).isTrue();
+    assertThat(xsrfTokenManager.validateToken(email, token)).isTrue();
   }
 
   @Test
   void testValidate_tokenWithMissingParts() {
-    assertThat(xsrfTokenManager.validateToken("1:123")).isFalse();
+    assertThat(xsrfTokenManager.validateToken(email, "1:123")).isFalse();
   }
 
   @Test
   void testValidate_tokenWithBadVersion() {
-    assertThat(xsrfTokenManager.validateToken("2:123:base64")).isFalse();
+    assertThat(xsrfTokenManager.validateToken(email, "2:123:base64")).isFalse();
   }
 
   @Test
   void testValidate_tokenWithBadNumberTimestamp() {
-    assertThat(xsrfTokenManager.validateToken("1:notanumber:base64")).isFalse();
+    assertThat(xsrfTokenManager.validateToken(email, "1:notanumber:base64")).isFalse();
   }
 
   @Test
   void testValidate_tokenExpiresAfterOneDay() {
     clock.advanceBy(Duration.standardDays(1));
-    assertThat(xsrfTokenManager.validateToken(token)).isTrue();
+    assertThat(xsrfTokenManager.validateToken(email, token)).isTrue();
     clock.advanceOneMilli();
-    assertThat(xsrfTokenManager.validateToken(token)).isFalse();
+    assertThat(xsrfTokenManager.validateToken(email, token)).isFalse();
   }
 
   @Test
   void testValidate_tokenTimestampTamperedWith() {
     String encodedPart = Splitter.on(':').splitToList(token).get(2);
     long fakeTimestamp = clock.nowUtc().plusMillis(1).getMillis();
-    assertThat(xsrfTokenManager.validateToken("1:" + fakeTimestamp + ':' + encodedPart)).isFalse();
+    assertThat(xsrfTokenManager.validateToken(email, "1:" + fakeTimestamp + ':' + encodedPart))
+        .isFalse();
   }
 
   @Test
   void testValidate_tokenForDifferentUser() {
     String otherToken = xsrfTokenManager.generateToken("eve@example.com");
-    assertThat(xsrfTokenManager.validateToken(otherToken)).isFalse();
+    assertThat(xsrfTokenManager.validateToken(email, otherToken)).isFalse();
   }
 }
diff --git a/core/src/test/java/google/registry/server/RegistryTestServerMain.java b/core/src/test/java/google/registry/server/RegistryTestServerMain.java
index c9549ab0e..4c862d39b 100644
--- a/core/src/test/java/google/registry/server/RegistryTestServerMain.java
+++ b/core/src/test/java/google/registry/server/RegistryTestServerMain.java
@@ -26,9 +26,6 @@ import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.persistence.transaction.JpaTransactionManagerExtension;
 import google.registry.request.auth.AuthResult;
 import google.registry.request.auth.OidcTokenAuthenticationMechanism;
-import google.registry.request.auth.UserAuthInfo;
-import google.registry.testing.UserInfo;
-import google.registry.testing.UserServiceExtension;
 import google.registry.tools.params.HostAndPortParameter;
 import google.registry.ui.ConsoleDebug;
 import java.util.List;
@@ -139,9 +136,6 @@ public final class RegistryTestServerMain {
     final RegistryTestServer server = new RegistryTestServer(address);
 
     System.out.printf("%sLoading SQL fixtures and User service...%s\n", BLUE, RESET);
-    new UserServiceExtension(
-            loginIsAdmin ? UserInfo.createAdmin(loginEmail) : UserInfo.create(loginEmail))
-        .beforeEach(null);
     UserRoles userRoles =
         new UserRoles.Builder().setIsAdmin(loginIsAdmin).setGlobalRole(GlobalRole.FTE).build();
     User user =
@@ -150,8 +144,7 @@ public final class RegistryTestServerMain {
             .setUserRoles(userRoles)
             .setRegistryLockPassword("registryLockPassword")
             .build();
-    OidcTokenAuthenticationMechanism.setAuthResultForTesting(
-        AuthResult.createUser(UserAuthInfo.create(user)));
+    OidcTokenAuthenticationMechanism.setAuthResultForTesting(AuthResult.createUser(user));
     new JpaTestExtensions.Builder().buildIntegrationTestExtension().beforeEach(null);
     JpaTransactionManagerExtension.loadInitialData();
     System.out.printf("%sLoading fixtures...%s\n", BLUE, RESET);
diff --git a/core/src/test/java/google/registry/testing/FakeConsoleApiParams.java b/core/src/test/java/google/registry/testing/ConsoleApiParamsUtils.java
similarity index 62%
rename from core/src/test/java/google/registry/testing/FakeConsoleApiParams.java
rename to core/src/test/java/google/registry/testing/ConsoleApiParamsUtils.java
index d8cf867c8..0ecf6c8cc 100644
--- a/core/src/test/java/google/registry/testing/FakeConsoleApiParams.java
+++ b/core/src/test/java/google/registry/testing/ConsoleApiParamsUtils.java
@@ -17,35 +17,27 @@ package google.registry.testing;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
-import com.google.appengine.api.users.UserService;
+import google.registry.model.console.User;
 import google.registry.request.auth.AuthResult;
-import google.registry.request.auth.UserAuthInfo;
 import google.registry.security.XsrfTokenManager;
 import google.registry.ui.server.registrar.ConsoleApiParams;
 import jakarta.servlet.http.Cookie;
 import jakarta.servlet.http.HttpServletRequest;
-import java.util.Optional;
 import org.joda.time.DateTime;
 
-public final class FakeConsoleApiParams {
+public final class ConsoleApiParamsUtils {
 
-  public static ConsoleApiParams get(Optional<AuthResult> maybeAuthResult) {
-    AuthResult authResult =
-        maybeAuthResult.orElseGet(
-            () ->
-                AuthResult.createUser(
-                    UserAuthInfo.create(
-                        new com.google.appengine.api.users.User(
-                            "JohnDoe@theregistrar.com", "theregistrar.com"),
-                        false)));
+  public static ConsoleApiParams createFake(AuthResult authResult) {
     HttpServletRequest request = mock(HttpServletRequest.class);
     XsrfTokenManager xsrfTokenManager =
-        new XsrfTokenManager(
-            new FakeClock(DateTime.parse("2020-02-02T01:23:45Z")), mock(UserService.class));
+        new XsrfTokenManager(new FakeClock(DateTime.parse("2020-02-02T01:23:45Z")));
     when(request.getCookies())
         .thenReturn(
             new Cookie[] {
-              new Cookie(XsrfTokenManager.X_CSRF_TOKEN, xsrfTokenManager.generateToken(""))
+              new Cookie(
+                  XsrfTokenManager.X_CSRF_TOKEN,
+                  xsrfTokenManager.generateToken(
+                      authResult.user().map(User::getEmailAddress).orElse("")))
             });
     return ConsoleApiParams.create(request, new FakeResponse(), authResult, xsrfTokenManager);
   }
diff --git a/core/src/test/java/google/registry/testing/UserInfo.java b/core/src/test/java/google/registry/testing/UserInfo.java
deleted file mode 100644
index 29ef3dae8..000000000
--- a/core/src/test/java/google/registry/testing/UserInfo.java
+++ /dev/null
@@ -1,38 +0,0 @@
-// Copyright 2017 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.testing;
-
-/**
- * Container for values passed to {@link UserServiceExtension} to set the logged-in user for tests.
- */
-public record UserInfo(String email, String authDomain, boolean isAdmin, boolean isLoggedIn) {
-
-  /** Creates a new logged-in non-admin user instance. */
-  public static UserInfo create(String email) {
-    String authDomain = email.substring(email.indexOf('@') + 1);
-    return new UserInfo(email, authDomain, false, true);
-  }
-
-  /** Creates a new logged-in admin user instance. */
-  public static UserInfo createAdmin(String email) {
-    String authDomain = email.substring(email.indexOf('@') + 1);
-    return new UserInfo(email, authDomain, true, true);
-  }
-
-  /** Returns a logged-out user instance. */
-  public static UserInfo loggedOut() {
-    return new UserInfo("", "", false, false);
-  }
-}
diff --git a/core/src/test/java/google/registry/testing/UserServiceExtension.java b/core/src/test/java/google/registry/testing/UserServiceExtension.java
deleted file mode 100644
index be1ece14d..000000000
--- a/core/src/test/java/google/registry/testing/UserServiceExtension.java
+++ /dev/null
@@ -1,57 +0,0 @@
-// Copyright 2023 The Nomulus Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package google.registry.testing;
-
-import com.google.appengine.tools.development.testing.LocalServiceTestHelper;
-import com.google.appengine.tools.development.testing.LocalUserServiceTestConfig;
-import com.google.apphosting.api.ApiProxy;
-import google.registry.model.annotations.DeleteAfterMigration;
-import org.junit.jupiter.api.extension.AfterEachCallback;
-import org.junit.jupiter.api.extension.BeforeEachCallback;
-import org.junit.jupiter.api.extension.ExtensionContext;
-
-/** JUnit extension that sets up App Engine User service environment. */
-@DeleteAfterMigration
-public final class UserServiceExtension implements BeforeEachCallback, AfterEachCallback {
-
-  private final LocalServiceTestHelper helper =
-      new LocalServiceTestHelper(new LocalUserServiceTestConfig());
-  private final UserInfo userInfo;
-
-  public UserServiceExtension(String email) {
-    this.userInfo = UserInfo.create(email);
-  }
-
-  public UserServiceExtension(UserInfo userInfo) {
-    this.userInfo = userInfo;
-  }
-
-  @Override
-  public void beforeEach(ExtensionContext context) throws Exception {
-    // Set top-level properties on LocalServiceTestConfig for user login.
-    helper
-        .setEnvIsLoggedIn(userInfo.isLoggedIn())
-        .setEnvAuthDomain(userInfo.authDomain())
-        .setEnvEmail(userInfo.email())
-        .setEnvIsAdmin(userInfo.isAdmin());
-    helper.setUp();
-  }
-
-  @Override
-  public void afterEach(ExtensionContext context) throws Exception {
-    helper.tearDown();
-    ApiProxy.setEnvironmentForCurrentThread(null);
-  }
-}
diff --git a/core/src/test/java/google/registry/ui/server/console/ConsoleDomainGetActionTest.java b/core/src/test/java/google/registry/ui/server/console/ConsoleDomainGetActionTest.java
index dd3353425..97d85c2d8 100644
--- a/core/src/test/java/google/registry/ui/server/console/ConsoleDomainGetActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/console/ConsoleDomainGetActionTest.java
@@ -19,7 +19,6 @@ import static google.registry.testing.DatabaseHelper.createTld;
 import static jakarta.servlet.http.HttpServletResponse.SC_NOT_FOUND;
 import static jakarta.servlet.http.HttpServletResponse.SC_OK;
 import static jakarta.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
-import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
 import com.google.common.collect.ImmutableMap;
@@ -31,12 +30,10 @@ import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.request.Action;
 import google.registry.request.RequestModule;
 import google.registry.request.auth.AuthResult;
-import google.registry.request.auth.UserAuthInfo;
+import google.registry.testing.ConsoleApiParamsUtils;
 import google.registry.testing.DatabaseHelper;
-import google.registry.testing.FakeConsoleApiParams;
 import google.registry.testing.FakeResponse;
 import google.registry.ui.server.registrar.ConsoleApiParams;
-import java.util.Optional;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.RegisterExtension;
@@ -62,12 +59,11 @@ public class ConsoleDomainGetActionTest {
     ConsoleDomainGetAction action =
         createAction(
             AuthResult.createUser(
-                UserAuthInfo.create(
-                    createUser(
-                        new UserRoles.Builder()
-                            .setRegistrarRoles(
-                                ImmutableMap.of("TheRegistrar", RegistrarRole.ACCOUNT_MANAGER))
-                            .build()))),
+                createUser(
+                    new UserRoles.Builder()
+                        .setRegistrarRoles(
+                            ImmutableMap.of("TheRegistrar", RegistrarRole.ACCOUNT_MANAGER))
+                        .build())),
             "exists.tld");
     action.run();
     assertThat(((FakeResponse) consoleApiParams.response()).getStatus()).isEqualTo(SC_OK);
@@ -100,23 +96,11 @@ public class ConsoleDomainGetActionTest {
     assertThat(((FakeResponse) consoleApiParams.response()).getStatus()).isEqualTo(SC_UNAUTHORIZED);
   }
 
-  @Test
-  void testFailure_wrongTypeOfUser() {
-    ConsoleDomainGetAction action =
-        createAction(
-            AuthResult.createUser(
-                UserAuthInfo.create(mock(com.google.appengine.api.users.User.class), false)),
-            "exists.tld");
-    action.run();
-    assertThat(((FakeResponse) consoleApiParams.response()).getStatus()).isEqualTo(SC_UNAUTHORIZED);
-  }
-
   @Test
   void testFailure_noAccessToRegistrar() {
     ConsoleDomainGetAction action =
         createAction(
-            AuthResult.createUser(UserAuthInfo.create(createUser(new UserRoles.Builder().build()))),
-            "exists.tld");
+            AuthResult.createUser(createUser(new UserRoles.Builder().build())), "exists.tld");
     action.run();
     assertThat(((FakeResponse) consoleApiParams.response()).getStatus()).isEqualTo(SC_NOT_FOUND);
   }
@@ -125,8 +109,7 @@ public class ConsoleDomainGetActionTest {
   void testFailure_nonexistentDomain() {
     ConsoleDomainGetAction action =
         createAction(
-            AuthResult.createUser(
-                UserAuthInfo.create(createUser(new UserRoles.Builder().setIsAdmin(true).build()))),
+            AuthResult.createUser(createUser(new UserRoles.Builder().setIsAdmin(true).build())),
             "nonexistent.tld");
     action.run();
     assertThat(((FakeResponse) consoleApiParams.response()).getStatus()).isEqualTo(SC_NOT_FOUND);
@@ -140,7 +123,7 @@ public class ConsoleDomainGetActionTest {
   }
 
   private ConsoleDomainGetAction createAction(AuthResult authResult, String domain) {
-    consoleApiParams = FakeConsoleApiParams.get(Optional.of(authResult));
+    consoleApiParams = ConsoleApiParamsUtils.createFake(authResult);
     when(consoleApiParams.request().getMethod()).thenReturn(Action.Method.GET.toString());
     return new ConsoleDomainGetAction(consoleApiParams, GSON, domain);
   }
diff --git a/core/src/test/java/google/registry/ui/server/console/ConsoleDomainListActionTest.java b/core/src/test/java/google/registry/ui/server/console/ConsoleDomainListActionTest.java
index c03e97aa0..12013aa65 100644
--- a/core/src/test/java/google/registry/ui/server/console/ConsoleDomainListActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/console/ConsoleDomainListActionTest.java
@@ -30,10 +30,9 @@ import google.registry.model.domain.Domain;
 import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.request.Action;
 import google.registry.request.auth.AuthResult;
-import google.registry.request.auth.UserAuthInfo;
+import google.registry.testing.ConsoleApiParamsUtils;
 import google.registry.testing.DatabaseHelper;
 import google.registry.testing.FakeClock;
-import google.registry.testing.FakeConsoleApiParams;
 import google.registry.testing.FakeResponse;
 import google.registry.tools.GsonUtils;
 import google.registry.ui.server.console.ConsoleDomainListAction.DomainListResult;
@@ -261,9 +260,8 @@ public class ConsoleDomainListActionTest {
       @Nullable Integer resultsPerPage,
       @Nullable Long totalResults,
       @Nullable String searchTerm) {
-    AuthResult authResult =
-        AuthResult.createUser(UserAuthInfo.create(createAdminUser("email@email.example")));
-    consoleApiParams = FakeConsoleApiParams.get(Optional.of(authResult));
+    AuthResult authResult = AuthResult.createUser(createAdminUser("email@email.example"));
+    consoleApiParams = ConsoleApiParamsUtils.createFake(authResult);
     when(consoleApiParams.request().getMethod()).thenReturn(Action.Method.GET.toString());
     return new ConsoleDomainListAction(
         consoleApiParams,
diff --git a/core/src/test/java/google/registry/ui/server/console/ConsoleDumDownloadActionTest.java b/core/src/test/java/google/registry/ui/server/console/ConsoleDumDownloadActionTest.java
index 4bdf206ee..924b29de5 100644
--- a/core/src/test/java/google/registry/ui/server/console/ConsoleDumDownloadActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/console/ConsoleDumDownloadActionTest.java
@@ -28,15 +28,13 @@ import google.registry.model.console.UserRoles;
 import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.request.Action;
 import google.registry.request.auth.AuthResult;
-import google.registry.request.auth.UserAuthInfo;
+import google.registry.testing.ConsoleApiParamsUtils;
 import google.registry.testing.DatabaseHelper;
 import google.registry.testing.FakeClock;
-import google.registry.testing.FakeConsoleApiParams;
 import google.registry.testing.FakeResponse;
 import google.registry.tools.GsonUtils;
 import google.registry.ui.server.registrar.ConsoleApiParams;
 import java.io.IOException;
-import java.util.Optional;
 import org.joda.time.DateTime;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -73,8 +71,8 @@ class ConsoleDumDownloadActionTest {
             .setUserRoles(new UserRoles.Builder().setGlobalRole(GlobalRole.FTE).build())
             .build();
 
-    AuthResult authResult = AuthResult.createUser(UserAuthInfo.create(user));
-    ConsoleDumDownloadAction action = createAction(Optional.of(authResult));
+    AuthResult authResult = AuthResult.createUser(user);
+    ConsoleDumDownloadAction action = createAction(authResult);
     action.run();
     ImmutableList<String> expected =
         ImmutableList.of(
@@ -97,14 +95,14 @@ class ConsoleDumDownloadActionTest {
     User user =
         new User.Builder().setEmailAddress("email@email.com").setUserRoles(userRoles).build();
 
-    AuthResult authResult = AuthResult.createUser(UserAuthInfo.create(user));
-    ConsoleDumDownloadAction action = createAction(Optional.of(authResult));
+    AuthResult authResult = AuthResult.createUser(user);
+    ConsoleDumDownloadAction action = createAction(authResult);
     action.run();
     assertThat(((FakeResponse) consoleApiParams.response()).getStatus()).isEqualTo(SC_FORBIDDEN);
   }
 
-  private ConsoleDumDownloadAction createAction(Optional<AuthResult> maybeAuthResult) {
-    consoleApiParams = FakeConsoleApiParams.get(maybeAuthResult);
+  private ConsoleDumDownloadAction createAction(AuthResult authResult) {
+    consoleApiParams = ConsoleApiParamsUtils.createFake(authResult);
     when(consoleApiParams.request().getMethod()).thenReturn(Action.Method.GET.toString());
     return new ConsoleDumDownloadAction(clock, consoleApiParams, "TheRegistrar", "test_name");
   }
diff --git a/core/src/test/java/google/registry/ui/server/console/ConsoleEppPasswordActionTest.java b/core/src/test/java/google/registry/ui/server/console/ConsoleEppPasswordActionTest.java
index 7f459fda9..b1f1e394d 100644
--- a/core/src/test/java/google/registry/ui/server/console/ConsoleEppPasswordActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/console/ConsoleEppPasswordActionTest.java
@@ -42,8 +42,7 @@ import google.registry.request.Action;
 import google.registry.request.RequestModule;
 import google.registry.request.auth.AuthResult;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor;
-import google.registry.request.auth.UserAuthInfo;
-import google.registry.testing.FakeConsoleApiParams;
+import google.registry.testing.ConsoleApiParamsUtils;
 import google.registry.testing.FakeResponse;
 import google.registry.tools.GsonUtils;
 import google.registry.ui.server.console.ConsoleEppPasswordAction.EppPasswordData;
@@ -154,8 +153,8 @@ class ConsoleEppPasswordActionTest {
             .setUserRoles(new UserRoles.Builder().setGlobalRole(GlobalRole.FTE).build())
             .build();
 
-    AuthResult authResult = AuthResult.createUser(UserAuthInfo.create(user));
-    consoleApiParams = FakeConsoleApiParams.get(Optional.of(authResult));
+    AuthResult authResult = AuthResult.createUser(user);
+    consoleApiParams = ConsoleApiParamsUtils.createFake(authResult);
     AuthenticatedRegistrarAccessor authenticatedRegistrarAccessor =
         AuthenticatedRegistrarAccessor.createForTesting(
             ImmutableSetMultimap.of("registrarId", OWNER));
diff --git a/core/src/test/java/google/registry/ui/server/console/ConsoleRegistryLockActionTest.java b/core/src/test/java/google/registry/ui/server/console/ConsoleRegistryLockActionTest.java
index ec062600c..fd7e1108f 100644
--- a/core/src/test/java/google/registry/ui/server/console/ConsoleRegistryLockActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/console/ConsoleRegistryLockActionTest.java
@@ -45,11 +45,10 @@ import google.registry.model.eppcommon.StatusValue;
 import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.request.RequestModule;
 import google.registry.request.auth.AuthResult;
-import google.registry.request.auth.UserAuthInfo;
 import google.registry.testing.CloudTasksHelper;
+import google.registry.testing.ConsoleApiParamsUtils;
 import google.registry.testing.DeterministicStringGenerator;
 import google.registry.testing.FakeClock;
-import google.registry.testing.FakeConsoleApiParams;
 import google.registry.testing.FakeResponse;
 import google.registry.tools.DomainLockUtils;
 import google.registry.ui.server.registrar.ConsoleApiParams;
@@ -529,8 +528,8 @@ public class ConsoleRegistryLockActionTest {
   }
 
   private ConsoleApiParams createParams() {
-    AuthResult authResult = AuthResult.createUser(UserAuthInfo.create(user));
-    return FakeConsoleApiParams.get(Optional.of(authResult));
+    AuthResult authResult = AuthResult.createUser(user);
+    return ConsoleApiParamsUtils.createFake(authResult);
   }
 
   private RegistryLock.Builder createDefaultLockBuilder() {
diff --git a/core/src/test/java/google/registry/ui/server/console/ConsoleUpdateRegistrarActionTest.java b/core/src/test/java/google/registry/ui/server/console/ConsoleUpdateRegistrarActionTest.java
index 73b93dbc8..c3662e7c4 100644
--- a/core/src/test/java/google/registry/ui/server/console/ConsoleUpdateRegistrarActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/console/ConsoleUpdateRegistrarActionTest.java
@@ -40,8 +40,7 @@ import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.request.Action;
 import google.registry.request.RequestModule;
 import google.registry.request.auth.AuthResult;
-import google.registry.request.auth.UserAuthInfo;
-import google.registry.testing.FakeConsoleApiParams;
+import google.registry.testing.ConsoleApiParamsUtils;
 import google.registry.testing.FakeResponse;
 import google.registry.testing.SystemPropertyExtension;
 import google.registry.tools.GsonUtils;
@@ -161,8 +160,8 @@ class ConsoleUpdateRegistrarActionTest {
   }
 
   private ConsoleApiParams createParams() {
-    AuthResult authResult = AuthResult.createUser(UserAuthInfo.create(user));
-    return FakeConsoleApiParams.get(Optional.of(authResult));
+    AuthResult authResult = AuthResult.createUser(user);
+    return ConsoleApiParamsUtils.createFake(authResult);
   }
 
   ConsoleUpdateRegistrarAction createAction(String requestData) throws IOException {
diff --git a/core/src/test/java/google/registry/ui/server/console/ConsoleUserDataActionTest.java b/core/src/test/java/google/registry/ui/server/console/ConsoleUserDataActionTest.java
index 34949214d..8ded41e8c 100644
--- a/core/src/test/java/google/registry/ui/server/console/ConsoleUserDataActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/console/ConsoleUserDataActionTest.java
@@ -25,9 +25,8 @@ import google.registry.model.console.User;
 import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.request.RequestModule;
 import google.registry.request.auth.AuthResult;
-import google.registry.request.auth.UserAuthInfo;
+import google.registry.testing.ConsoleApiParamsUtils;
 import google.registry.testing.DatabaseHelper;
-import google.registry.testing.FakeConsoleApiParams;
 import google.registry.testing.FakeResponse;
 import google.registry.ui.server.registrar.ConsoleApiParams;
 import jakarta.servlet.http.Cookie;
@@ -52,9 +51,9 @@ class ConsoleUserDataActionTest {
   @Test
   void testSuccess_hasXSRFCookie() throws IOException {
     User user = DatabaseHelper.createAdminUser("email@email.com");
-    AuthResult authResult = AuthResult.createUser(UserAuthInfo.create(user));
+    AuthResult authResult = AuthResult.createUser(user);
     ConsoleUserDataAction action =
-        createAction(Optional.of(FakeConsoleApiParams.get(Optional.of(authResult))));
+        createAction(Optional.of(ConsoleApiParamsUtils.createFake(authResult)));
     action.run();
     List<Cookie> cookies = ((FakeResponse) consoleApiParams.response()).getCookies();
     assertThat(cookies.stream().map(cookie -> cookie.getName()).collect(toImmutableList()))
@@ -64,9 +63,9 @@ class ConsoleUserDataActionTest {
   @Test
   void testSuccess_getContactInfo() throws IOException {
     User user = DatabaseHelper.createAdminUser("email@email.com");
-    AuthResult authResult = AuthResult.createUser(UserAuthInfo.create(user));
+    AuthResult authResult = AuthResult.createUser(user);
     ConsoleUserDataAction action =
-        createAction(Optional.of(FakeConsoleApiParams.get(Optional.of(authResult))));
+        createAction(Optional.of(ConsoleApiParamsUtils.createFake(authResult)));
     action.run();
     assertThat(((FakeResponse) consoleApiParams.response()).getStatus()).isEqualTo(SC_OK);
     Map jsonObject =
@@ -88,7 +87,7 @@ class ConsoleUserDataActionTest {
   }
 
   @Test
-  void testFailure_notAConsoleUser() throws IOException {
+  void testFailure_notAuthenticated() throws IOException {
     ConsoleUserDataAction action = createAction(Optional.empty());
     action.run();
     assertThat(((FakeResponse) consoleApiParams.response()).getStatus()).isEqualTo(SC_UNAUTHORIZED);
@@ -97,7 +96,8 @@ class ConsoleUserDataActionTest {
   private ConsoleUserDataAction createAction(Optional<ConsoleApiParams> maybeConsoleApiParams)
       throws IOException {
     consoleApiParams =
-        maybeConsoleApiParams.orElseGet(() -> FakeConsoleApiParams.get(Optional.empty()));
+        maybeConsoleApiParams.orElseGet(
+            () -> ConsoleApiParamsUtils.createFake(AuthResult.NOT_AUTHENTICATED));
     when(consoleApiParams.request().getMethod()).thenReturn("GET");
     return new ConsoleUserDataAction(
         consoleApiParams, "Nomulus", "support@example.com", "+1 (212) 867 5309", "test");
diff --git a/core/src/test/java/google/registry/ui/server/console/RegistrarsActionTest.java b/core/src/test/java/google/registry/ui/server/console/RegistrarsActionTest.java
index f4bc039dd..430f2f906 100644
--- a/core/src/test/java/google/registry/ui/server/console/RegistrarsActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/console/RegistrarsActionTest.java
@@ -39,9 +39,8 @@ import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.request.Action;
 import google.registry.request.RequestModule;
 import google.registry.request.auth.AuthResult;
-import google.registry.request.auth.UserAuthInfo;
+import google.registry.testing.ConsoleApiParamsUtils;
 import google.registry.testing.DeterministicStringGenerator;
-import google.registry.testing.FakeConsoleApiParams;
 import google.registry.testing.FakeResponse;
 import google.registry.ui.server.registrar.ConsoleApiParams;
 import google.registry.ui.server.registrar.RegistrarConsoleModule;
@@ -114,9 +113,8 @@ class RegistrarsActionTest {
         createAction(
             Action.Method.GET,
             AuthResult.createUser(
-                UserAuthInfo.create(
-                    createUser(
-                        new UserRoles.Builder().setGlobalRole(GlobalRole.SUPPORT_LEAD).build()))));
+                createUser(
+                    new UserRoles.Builder().setGlobalRole(GlobalRole.SUPPORT_LEAD).build())));
     action.run();
     assertThat(((FakeResponse) consoleApiParams.response()).getStatus()).isEqualTo(SC_OK);
     String payload = ((FakeResponse) consoleApiParams.response()).getPayload();
@@ -136,8 +134,7 @@ class RegistrarsActionTest {
         createAction(
             Action.Method.GET,
             AuthResult.createUser(
-                UserAuthInfo.create(
-                    createUser(new UserRoles.Builder().setGlobalRole(GlobalRole.FTE).build()))));
+                createUser(new UserRoles.Builder().setGlobalRole(GlobalRole.FTE).build())));
     action.run();
     assertThat(((FakeResponse) consoleApiParams.response()).getStatus()).isEqualTo(SC_OK);
     String payload = ((FakeResponse) consoleApiParams.response()).getPayload();
@@ -156,8 +153,7 @@ class RegistrarsActionTest {
     RegistrarsAction action =
         createAction(
             Action.Method.POST,
-            AuthResult.createUser(
-                UserAuthInfo.create(createUser(new UserRoles.Builder().setIsAdmin(true).build()))));
+            AuthResult.createUser(createUser(new UserRoles.Builder().setIsAdmin(true).build())));
     action.run();
     assertThat(((FakeResponse) consoleApiParams.response()).getStatus()).isEqualTo(SC_OK);
     Registrar r = loadRegistrar("regIdTest");
@@ -185,8 +181,7 @@ class RegistrarsActionTest {
                   createAction(
                       Action.Method.POST,
                       AuthResult.createUser(
-                          UserAuthInfo.create(
-                              createUser(new UserRoles.Builder().setIsAdmin(true).build()))));
+                          createUser(new UserRoles.Builder().setIsAdmin(true).build())));
               action.run();
               assertThat(((FakeResponse) consoleApiParams.response()).getStatus())
                   .isEqualTo(SC_BAD_REQUEST);
@@ -203,8 +198,7 @@ class RegistrarsActionTest {
     RegistrarsAction action =
         createAction(
             Action.Method.POST,
-            AuthResult.createUser(
-                UserAuthInfo.create(createUser(new UserRoles.Builder().setIsAdmin(true).build()))));
+            AuthResult.createUser(createUser(new UserRoles.Builder().setIsAdmin(true).build())));
     action.run();
     assertThat(((FakeResponse) consoleApiParams.response()).getStatus()).isEqualTo(SC_BAD_REQUEST);
     assertThat(((FakeResponse) consoleApiParams.response()).getPayload())
@@ -218,14 +212,12 @@ class RegistrarsActionTest {
         createAction(
             Action.Method.GET,
             AuthResult.createUser(
-                UserAuthInfo.create(
-                    createUser(
-                        new UserRoles.Builder()
-                            .setRegistrarRoles(
-                                ImmutableMap.of(
-                                    "registrarId",
-                                    RegistrarRole.ACCOUNT_MANAGER_WITH_REGISTRY_LOCK))
-                            .build()))));
+                createUser(
+                    new UserRoles.Builder()
+                        .setRegistrarRoles(
+                            ImmutableMap.of(
+                                "registrarId", RegistrarRole.ACCOUNT_MANAGER_WITH_REGISTRY_LOCK))
+                        .build())));
     action.run();
     assertThat(((FakeResponse) consoleApiParams.response()).getStatus()).isEqualTo(SC_FORBIDDEN);
   }
@@ -238,7 +230,7 @@ class RegistrarsActionTest {
   }
 
   private RegistrarsAction createAction(Action.Method method, AuthResult authResult) {
-    consoleApiParams = FakeConsoleApiParams.get(Optional.of(authResult));
+    consoleApiParams = ConsoleApiParamsUtils.createFake(authResult);
     when(consoleApiParams.request().getMethod()).thenReturn(method.toString());
     if (method.equals(Action.Method.GET)) {
       return new RegistrarsAction(
diff --git a/core/src/test/java/google/registry/ui/server/console/settings/ContactActionTest.java b/core/src/test/java/google/registry/ui/server/console/settings/ContactActionTest.java
index 58adbe0a8..67bf53955 100644
--- a/core/src/test/java/google/registry/ui/server/console/settings/ContactActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/console/settings/ContactActionTest.java
@@ -38,8 +38,7 @@ import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.request.Action;
 import google.registry.request.RequestModule;
 import google.registry.request.auth.AuthResult;
-import google.registry.request.auth.UserAuthInfo;
-import google.registry.testing.FakeConsoleApiParams;
+import google.registry.testing.ConsoleApiParamsUtils;
 import google.registry.testing.FakeResponse;
 import google.registry.ui.server.registrar.ConsoleApiParams;
 import google.registry.ui.server.registrar.RegistrarConsoleModule;
@@ -102,7 +101,7 @@ class ContactActionTest {
     ContactAction action =
         createAction(
             Action.Method.GET,
-            AuthResult.createUser(UserAuthInfo.create(createAdminUser("email@email.com"))),
+            AuthResult.createUser(createAdminUser("email@email.com")),
             testRegistrar.getRegistrarId(),
             null);
     action.run();
@@ -118,7 +117,7 @@ class ContactActionTest {
     ContactAction action =
         createAction(
             Action.Method.GET,
-            AuthResult.createUser(UserAuthInfo.create(createAdminUser("email@email.com"))),
+            AuthResult.createUser(createAdminUser("email@email.com")),
             testRegistrar.getRegistrarId(),
             null);
     action.run();
@@ -131,7 +130,7 @@ class ContactActionTest {
     ContactAction action =
         createAction(
             Action.Method.POST,
-            AuthResult.createUser(UserAuthInfo.create(createAdminUser("email@email.com"))),
+            AuthResult.createUser(createAdminUser("email@email.com")),
             testRegistrar.getRegistrarId(),
             "[" + jsonRegistrar1 + "," + jsonRegistrar2 + "]");
     action.run();
@@ -151,7 +150,7 @@ class ContactActionTest {
     ContactAction action =
         createAction(
             Action.Method.POST,
-            AuthResult.createUser(UserAuthInfo.create(createAdminUser("email@email.com"))),
+            AuthResult.createUser(createAdminUser("email@email.com")),
             testRegistrar.getRegistrarId(),
             "[" + jsonRegistrar1 + "," + jsonRegistrar2 + "]");
     action.run();
@@ -174,7 +173,7 @@ class ContactActionTest {
     ContactAction action =
         createAction(
             Action.Method.POST,
-            AuthResult.createUser(UserAuthInfo.create(createAdminUser("email@email.com"))),
+            AuthResult.createUser(createAdminUser("email@email.com")),
             testRegistrar.getRegistrarId(),
             "[" + jsonRegistrar2 + "]");
     action.run();
@@ -194,17 +193,15 @@ class ContactActionTest {
         createAction(
             Action.Method.POST,
             AuthResult.createUser(
-                UserAuthInfo.create(
-                    new User.Builder()
-                        .setEmailAddress("email@email.com")
-                        .setUserRoles(
-                            new UserRoles.Builder()
-                                .setRegistrarRoles(
-                                    ImmutableMap.of(
-                                        testRegistrar.getRegistrarId(),
-                                        RegistrarRole.ACCOUNT_MANAGER))
-                                .build())
-                        .build())),
+                new User.Builder()
+                    .setEmailAddress("email@email.com")
+                    .setUserRoles(
+                        new UserRoles.Builder()
+                            .setRegistrarRoles(
+                                ImmutableMap.of(
+                                    testRegistrar.getRegistrarId(), RegistrarRole.ACCOUNT_MANAGER))
+                            .build())
+                    .build()),
             testRegistrar.getRegistrarId(),
             "[" + jsonRegistrar2 + "]");
     action.run();
@@ -214,7 +211,7 @@ class ContactActionTest {
   private ContactAction createAction(
       Action.Method method, AuthResult authResult, String registrarId, String contacts)
       throws IOException {
-    consoleApiParams = FakeConsoleApiParams.get(Optional.of(authResult));
+    consoleApiParams = ConsoleApiParamsUtils.createFake(authResult);
     when(consoleApiParams.request().getMethod()).thenReturn(method.toString());
     if (method.equals(Action.Method.GET)) {
       return new ContactAction(consoleApiParams, GSON, registrarId, Optional.empty());
diff --git a/core/src/test/java/google/registry/ui/server/console/settings/SecurityActionTest.java b/core/src/test/java/google/registry/ui/server/console/settings/SecurityActionTest.java
index 7c753e7bb..99b22b886 100644
--- a/core/src/test/java/google/registry/ui/server/console/settings/SecurityActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/console/settings/SecurityActionTest.java
@@ -34,10 +34,9 @@ import google.registry.request.Action;
 import google.registry.request.RequestModule;
 import google.registry.request.auth.AuthResult;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor;
-import google.registry.request.auth.UserAuthInfo;
+import google.registry.testing.ConsoleApiParamsUtils;
 import google.registry.testing.DatabaseHelper;
 import google.registry.testing.FakeClock;
-import google.registry.testing.FakeConsoleApiParams;
 import google.registry.testing.FakeResponse;
 import google.registry.ui.server.registrar.ConsoleApiParams;
 import google.registry.ui.server.registrar.RegistrarConsoleModule;
@@ -90,8 +89,7 @@ class SecurityActionTest {
     clock.setTo(DateTime.parse("2020-11-01T00:00:00Z"));
     SecurityAction action =
         createAction(
-            AuthResult.createUser(
-                UserAuthInfo.create(DatabaseHelper.createAdminUser("email@email.com"))),
+            AuthResult.createUser(DatabaseHelper.createAdminUser("email@email.com")),
             testRegistrar.getRegistrarId());
     action.run();
     assertThat(((FakeResponse) consoleApiParams.response()).getStatus()).isEqualTo(SC_OK);
@@ -104,7 +102,7 @@ class SecurityActionTest {
 
   private SecurityAction createAction(AuthResult authResult, String registrarId)
       throws IOException {
-    consoleApiParams = FakeConsoleApiParams.get(Optional.of(authResult));
+    consoleApiParams = ConsoleApiParamsUtils.createFake(authResult);
     when(consoleApiParams.request().getMethod()).thenReturn(Action.Method.POST.toString());
     doReturn(new BufferedReader(new StringReader(jsonRegistrar1)))
         .when(consoleApiParams.request())
diff --git a/core/src/test/java/google/registry/ui/server/console/settings/WhoisRegistrarFieldsActionTest.java b/core/src/test/java/google/registry/ui/server/console/settings/WhoisRegistrarFieldsActionTest.java
index b4ba43a0b..a21072a9a 100644
--- a/core/src/test/java/google/registry/ui/server/console/settings/WhoisRegistrarFieldsActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/console/settings/WhoisRegistrarFieldsActionTest.java
@@ -36,10 +36,9 @@ import google.registry.request.RequestModule;
 import google.registry.request.auth.AuthResult;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor.Role;
-import google.registry.request.auth.UserAuthInfo;
+import google.registry.testing.ConsoleApiParamsUtils;
 import google.registry.testing.DatabaseHelper;
 import google.registry.testing.FakeClock;
-import google.registry.testing.FakeConsoleApiParams;
 import google.registry.testing.FakeResponse;
 import google.registry.ui.server.registrar.ConsoleApiParams;
 import google.registry.ui.server.registrar.RegistrarConsoleModule;
@@ -47,7 +46,6 @@ import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.StringReader;
 import java.util.HashMap;
-import java.util.Optional;
 import org.joda.time.DateTime;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.RegisterExtension;
@@ -136,15 +134,14 @@ public class WhoisRegistrarFieldsActionTest {
     Registrar newRegistrar = Registrar.loadByRegistrarIdCached("NewRegistrar").get();
     AuthResult onlyTheRegistrar =
         AuthResult.createUser(
-            UserAuthInfo.create(
-                new User.Builder()
-                    .setEmailAddress("email@email.example")
-                    .setUserRoles(
-                        new UserRoles.Builder()
-                            .setRegistrarRoles(
-                                ImmutableMap.of("TheRegistrar", RegistrarRole.PRIMARY_CONTACT))
-                            .build())
-                    .build()));
+            new User.Builder()
+                .setEmailAddress("email@email.example")
+                .setUserRoles(
+                    new UserRoles.Builder()
+                        .setRegistrarRoles(
+                            ImmutableMap.of("TheRegistrar", RegistrarRole.PRIMARY_CONTACT))
+                        .build())
+                .build());
     uiRegistrarMap.put("registrarId", "NewRegistrar");
     WhoisRegistrarFieldsAction action = createAction(onlyTheRegistrar);
     action.run();
@@ -154,8 +151,7 @@ public class WhoisRegistrarFieldsActionTest {
   }
 
   private AuthResult defaultUserAuth() {
-    return AuthResult.createUser(
-        UserAuthInfo.create(DatabaseHelper.createAdminUser("email@email.example")));
+    return AuthResult.createUser(DatabaseHelper.createAdminUser("email@email.example"));
   }
 
   private WhoisRegistrarFieldsAction createAction() throws IOException {
@@ -163,7 +159,7 @@ public class WhoisRegistrarFieldsActionTest {
   }
 
   private WhoisRegistrarFieldsAction createAction(AuthResult authResult) throws IOException {
-    consoleApiParams = FakeConsoleApiParams.get(Optional.of(authResult));
+    consoleApiParams = ConsoleApiParamsUtils.createFake(authResult);
     when(consoleApiParams.request().getMethod()).thenReturn(Action.Method.POST.toString());
     doReturn(new BufferedReader(new StringReader(uiRegistrarMap.toString())))
         .when(consoleApiParams.request())
diff --git a/core/src/test/java/google/registry/ui/server/registrar/ConsoleOteSetupActionTest.java b/core/src/test/java/google/registry/ui/server/registrar/ConsoleOteSetupActionTest.java
index 838c42b83..ff4a28dac 100644
--- a/core/src/test/java/google/registry/ui/server/registrar/ConsoleOteSetupActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/registrar/ConsoleOteSetupActionTest.java
@@ -14,35 +14,31 @@
 
 package google.registry.ui.server.registrar;
 
-import static com.google.common.net.HttpHeaders.LOCATION;
 import static com.google.common.truth.Truth.assertThat;
 import static google.registry.model.registrar.Registrar.loadByRegistrarId;
 import static google.registry.testing.DatabaseHelper.persistPremiumList;
-import static jakarta.servlet.http.HttpServletResponse.SC_MOVED_TEMPORARILY;
+import static jakarta.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
 import static org.joda.money.CurrencyUnit.USD;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
 
-import com.google.appengine.api.users.User;
-import com.google.appengine.api.users.UserServiceFactory;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSetMultimap;
 import google.registry.groups.GmailClient;
+import google.registry.model.console.User;
+import google.registry.model.console.UserRoles;
 import google.registry.model.tld.Tld;
 import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationTestExtension;
 import google.registry.request.Action.Method;
 import google.registry.request.auth.AuthResult;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor;
-import google.registry.request.auth.UserAuthInfo;
 import google.registry.security.XsrfTokenManager;
 import google.registry.testing.DeterministicStringGenerator;
 import google.registry.testing.FakeClock;
 import google.registry.testing.FakeResponse;
 import google.registry.testing.SystemPropertyExtension;
-import google.registry.testing.UserServiceExtension;
 import google.registry.ui.server.SendEmailUtils;
 import google.registry.util.EmailMessage;
 import google.registry.util.RegistryEnvironment;
@@ -65,15 +61,17 @@ public final class ConsoleOteSetupActionTest {
   final JpaIntegrationTestExtension jpa =
       new JpaTestExtensions.Builder().buildIntegrationTestExtension();
 
-  @RegisterExtension final UserServiceExtension userService = new UserServiceExtension("");
-
   @RegisterExtension
   @Order(value = Integer.MAX_VALUE)
   final SystemPropertyExtension systemPropertyExtension = new SystemPropertyExtension();
 
   private final FakeResponse response = new FakeResponse();
   private final ConsoleOteSetupAction action = new ConsoleOteSetupAction();
-  private final User user = new User("marla.singer@example.com", "gmail.com", "12345");
+  private final User user =
+      new User.Builder()
+          .setEmailAddress("marla.singer@example.com")
+          .setUserRoles(new UserRoles())
+          .build();
 
   @Mock HttpServletRequest request;
   @Mock GmailClient gmailClient;
@@ -88,9 +86,8 @@ public final class ConsoleOteSetupActionTest {
     action.registrarAccessor =
         AuthenticatedRegistrarAccessor.createForTesting(
             ImmutableSetMultimap.of("unused", AuthenticatedRegistrarAccessor.Role.ADMIN));
-    action.userService = UserServiceFactory.getUserService();
-    action.xsrfTokenManager = new XsrfTokenManager(new FakeClock(), action.userService);
-    action.authResult = AuthResult.createUser(UserAuthInfo.create(user, false));
+    action.xsrfTokenManager = new XsrfTokenManager(new FakeClock());
+    action.authResult = AuthResult.createUser(user);
     action.sendEmailUtils =
         new SendEmailUtils(
             ImmutableList.of("notification@test.example", "notification2@test.example"),
@@ -107,11 +104,9 @@ public final class ConsoleOteSetupActionTest {
 
   @Test
   void testNoUser_redirect() {
-    when(request.getRequestURI()).thenReturn("/test");
     action.authResult = AuthResult.NOT_AUTHENTICATED;
     action.run();
-    assertThat(response.getStatus()).isEqualTo(SC_MOVED_TEMPORARILY);
-    assertThat(response.getHeaders().get(LOCATION)).isEqualTo("/_ah/login?continue=%2Ftest");
+    assertThat(response.getStatus()).isEqualTo(SC_UNAUTHORIZED);
   }
 
   @Test
diff --git a/core/src/test/java/google/registry/ui/server/registrar/ConsoleRegistrarCreatorActionTest.java b/core/src/test/java/google/registry/ui/server/registrar/ConsoleRegistrarCreatorActionTest.java
index fa083ddf1..3709c093b 100644
--- a/core/src/test/java/google/registry/ui/server/registrar/ConsoleRegistrarCreatorActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/registrar/ConsoleRegistrarCreatorActionTest.java
@@ -14,21 +14,19 @@
 
 package google.registry.ui.server.registrar;
 
-import static com.google.common.net.HttpHeaders.LOCATION;
 import static com.google.common.truth.Truth.assertThat;
 import static google.registry.model.registrar.Registrar.loadByRegistrarId;
 import static google.registry.testing.DatabaseHelper.persistPremiumList;
-import static jakarta.servlet.http.HttpServletResponse.SC_MOVED_TEMPORARILY;
+import static jakarta.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
 import static org.joda.money.CurrencyUnit.USD;
 import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
 
-import com.google.appengine.api.users.User;
-import com.google.appengine.api.users.UserServiceFactory;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSetMultimap;
 import google.registry.groups.GmailClient;
+import google.registry.model.console.User;
+import google.registry.model.console.UserRoles;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarAddress;
 import google.registry.model.registrar.RegistrarPoc;
@@ -37,13 +35,11 @@ import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationT
 import google.registry.request.Action.Method;
 import google.registry.request.auth.AuthResult;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor;
-import google.registry.request.auth.UserAuthInfo;
 import google.registry.security.XsrfTokenManager;
 import google.registry.testing.DeterministicStringGenerator;
 import google.registry.testing.FakeClock;
 import google.registry.testing.FakeResponse;
 import google.registry.testing.SystemPropertyExtension;
-import google.registry.testing.UserServiceExtension;
 import google.registry.ui.server.SendEmailUtils;
 import google.registry.util.EmailMessage;
 import google.registry.util.RegistryEnvironment;
@@ -66,15 +62,17 @@ final class ConsoleRegistrarCreatorActionTest {
   final JpaIntegrationTestExtension jpa =
       new JpaTestExtensions.Builder().buildIntegrationTestExtension();
 
-  @RegisterExtension final UserServiceExtension userService = new UserServiceExtension("");
-
   @RegisterExtension
   @Order(Integer.MAX_VALUE)
   final SystemPropertyExtension systemPropertyExtension = new SystemPropertyExtension();
 
   private final FakeResponse response = new FakeResponse();
   private final ConsoleRegistrarCreatorAction action = new ConsoleRegistrarCreatorAction();
-  private final User user = new User("marla.singer@example.com", "gmail.com", "12345");
+  private final User user =
+      new User.Builder()
+          .setEmailAddress("marla.singer@example.com")
+          .setUserRoles(new UserRoles())
+          .build();
 
   @Mock HttpServletRequest request;
   @Mock GmailClient gmailClient;
@@ -89,9 +87,8 @@ final class ConsoleRegistrarCreatorActionTest {
     action.registrarAccessor =
         AuthenticatedRegistrarAccessor.createForTesting(
             ImmutableSetMultimap.of("unused", AuthenticatedRegistrarAccessor.Role.ADMIN));
-    action.userService = UserServiceFactory.getUserService();
-    action.xsrfTokenManager = new XsrfTokenManager(new FakeClock(), action.userService);
-    action.authResult = AuthResult.createUser(UserAuthInfo.create(user, false));
+    action.xsrfTokenManager = new XsrfTokenManager(new FakeClock());
+    action.authResult = AuthResult.createUser(user);
     action.sendEmailUtils =
         new SendEmailUtils(
             ImmutableList.of("notification@test.example", "notification2@test.example"),
@@ -125,12 +122,10 @@ final class ConsoleRegistrarCreatorActionTest {
   }
 
   @Test
-  void testNoUser_redirect() {
-    when(request.getRequestURI()).thenReturn("/test");
+  void testNoUser_unauthroized() {
     action.authResult = AuthResult.NOT_AUTHENTICATED;
     action.run();
-    assertThat(response.getStatus()).isEqualTo(SC_MOVED_TEMPORARILY);
-    assertThat(response.getHeaders().get(LOCATION)).isEqualTo("/_ah/login?continue=%2Ftest");
+    assertThat(response.getStatus()).isEqualTo(SC_UNAUTHORIZED);
   }
 
   @Test
diff --git a/core/src/test/java/google/registry/ui/server/registrar/ConsoleUiActionTest.java b/core/src/test/java/google/registry/ui/server/registrar/ConsoleUiActionTest.java
index 53f251234..9646456d3 100644
--- a/core/src/test/java/google/registry/ui/server/registrar/ConsoleUiActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/registrar/ConsoleUiActionTest.java
@@ -14,30 +14,26 @@
 
 package google.registry.ui.server.registrar;
 
-import static com.google.common.net.HttpHeaders.LOCATION;
 import static com.google.common.truth.Truth.assertThat;
 import static com.google.monitoring.metrics.contrib.LongMetricSubject.assertThat;
 import static google.registry.request.auth.AuthenticatedRegistrarAccessor.Role.ADMIN;
 import static google.registry.request.auth.AuthenticatedRegistrarAccessor.Role.OWNER;
-import static jakarta.servlet.http.HttpServletResponse.SC_MOVED_TEMPORARILY;
+import static jakarta.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
 import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
 
-import com.google.appengine.api.users.User;
-import com.google.appengine.api.users.UserServiceFactory;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSetMultimap;
 import com.google.common.net.MediaType;
+import google.registry.model.console.User;
+import google.registry.model.console.UserRoles;
 import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationTestExtension;
 import google.registry.request.Action.Method;
 import google.registry.request.auth.AuthResult;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor;
-import google.registry.request.auth.UserAuthInfo;
 import google.registry.security.XsrfTokenManager;
 import google.registry.testing.FakeClock;
 import google.registry.testing.FakeResponse;
-import google.registry.testing.UserServiceExtension;
 import jakarta.servlet.http.HttpServletRequest;
 import java.util.Optional;
 import org.junit.jupiter.api.AfterEach;
@@ -52,13 +48,14 @@ class ConsoleUiActionTest {
   final JpaIntegrationTestExtension jpa =
       new JpaTestExtensions.Builder().buildIntegrationTestExtension();
 
-  @RegisterExtension
-  final UserServiceExtension userService = new UserServiceExtension("marla.singer@example.com");
-
   private final HttpServletRequest request = mock(HttpServletRequest.class);
   private final FakeResponse response = new FakeResponse();
   private final ConsoleUiAction action = new ConsoleUiAction();
-  private final User user = new User("marla.singer@example.com", "gmail.com", "12345");
+  private final User user =
+      new User.Builder()
+          .setEmailAddress("marla.singer@example.com")
+          .setUserRoles(new UserRoles())
+          .build();
 
   @BeforeEach
   void beforeEach() {
@@ -73,11 +70,10 @@ class ConsoleUiActionTest {
     action.req = request;
     action.response = response;
     action.registrarConsoleMetrics = new RegistrarConsoleMetrics();
-    action.userService = UserServiceFactory.getUserService();
-    action.xsrfTokenManager = new XsrfTokenManager(new FakeClock(), action.userService);
+    action.xsrfTokenManager = new XsrfTokenManager(new FakeClock());
     action.method = Method.GET;
     action.paramClientId = Optional.empty();
-    action.authResult = AuthResult.createUser(UserAuthInfo.create(user, false));
+    action.authResult = AuthResult.createUser(user);
     action.analyticsConfig = ImmutableMap.of("googleAnalyticsId", "sampleId");
 
     action.registrarAccessor =
@@ -158,21 +154,10 @@ class ConsoleUiActionTest {
   }
 
   @Test
-  void testNoUser_redirect() {
-    when(request.getRequestURI()).thenReturn("/test");
+  void testNoUser_not_logged_in() {
     action.authResult = AuthResult.NOT_AUTHENTICATED;
     action.run();
-    assertThat(response.getStatus()).isEqualTo(SC_MOVED_TEMPORARILY);
-    assertThat(response.getHeaders().get(LOCATION)).isEqualTo("/_ah/login?continue=%2Ftest");
-  }
-
-  @Test
-  void testNoUserInformationAtAll_redirectToRoot() {
-    when(request.getRequestURI()).thenThrow(new IllegalArgumentException());
-    action.authResult = AuthResult.NOT_AUTHENTICATED;
-    action.run();
-    assertThat(response.getStatus()).isEqualTo(SC_MOVED_TEMPORARILY);
-    assertThat(response.getHeaders().get(LOCATION)).isEqualTo("/");
+    assertThat(response.getStatus()).isEqualTo(SC_UNAUTHORIZED);
   }
 
   @Test
diff --git a/core/src/test/java/google/registry/ui/server/registrar/RegistrarSettingsActionTestCase.java b/core/src/test/java/google/registry/ui/server/registrar/RegistrarSettingsActionTestCase.java
index 96112a39e..c63be7aa5 100644
--- a/core/src/test/java/google/registry/ui/server/registrar/RegistrarSettingsActionTestCase.java
+++ b/core/src/test/java/google/registry/ui/server/registrar/RegistrarSettingsActionTestCase.java
@@ -27,7 +27,6 @@ import static google.registry.util.DateTimeUtils.START_OF_TIME;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
-import com.google.appengine.api.users.User;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
@@ -35,6 +34,8 @@ import com.google.common.collect.ImmutableSetMultimap;
 import com.google.common.collect.ImmutableSortedMap;
 import google.registry.flows.certs.CertificateChecker;
 import google.registry.groups.GmailClient;
+import google.registry.model.console.User;
+import google.registry.model.console.UserRoles;
 import google.registry.model.registrar.RegistrarPoc;
 import google.registry.model.registrar.RegistrarPocBase;
 import google.registry.persistence.transaction.JpaTestExtensions;
@@ -44,7 +45,6 @@ import google.registry.request.JsonResponse;
 import google.registry.request.ResponseImpl;
 import google.registry.request.auth.AuthResult;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor;
-import google.registry.request.auth.UserAuthInfo;
 import google.registry.testing.CloudTasksHelper;
 import google.registry.testing.FakeClock;
 import google.registry.ui.server.SendEmailUtils;
@@ -110,7 +110,10 @@ public abstract class RegistrarSettingsActionTestCase {
     action.registrarConsoleMetrics = new RegistrarConsoleMetrics();
     action.authResult =
         AuthResult.createUser(
-            UserAuthInfo.create(new User("user@email.com", "email.com", "12345"), false));
+            new User.Builder()
+                .setEmailAddress("user@email.com")
+                .setUserRoles(new UserRoles())
+                .build());
     action.certificateChecker =
         new CertificateChecker(
             ImmutableSortedMap.of(START_OF_TIME, 825, DateTime.parse("2020-09-01T00:00:00Z"), 398),
diff --git a/core/src/test/java/google/registry/ui/server/registrar/RegistryLockGetActionTest.java b/core/src/test/java/google/registry/ui/server/registrar/RegistryLockGetActionTest.java
index 8e34c9a88..755c48a72 100644
--- a/core/src/test/java/google/registry/ui/server/registrar/RegistryLockGetActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/registrar/RegistryLockGetActionTest.java
@@ -15,33 +15,27 @@
 package google.registry.ui.server.registrar;
 
 import static com.google.common.truth.Truth.assertThat;
-import static google.registry.persistence.transaction.JpaTransactionManagerExtension.makeRegistrar2;
-import static google.registry.persistence.transaction.JpaTransactionManagerExtension.makeRegistrarContact2;
-import static google.registry.persistence.transaction.JpaTransactionManagerExtension.makeRegistrarContact3;
 import static google.registry.request.auth.AuthenticatedRegistrarAccessor.Role.ADMIN;
 import static google.registry.request.auth.AuthenticatedRegistrarAccessor.Role.OWNER;
-import static google.registry.testing.DatabaseHelper.persistResource;
 import static google.registry.testing.SqlHelper.saveRegistryLock;
 import static jakarta.servlet.http.HttpServletResponse.SC_FORBIDDEN;
 import static jakarta.servlet.http.HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
 import static jakarta.servlet.http.HttpServletResponse.SC_OK;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
-import com.google.appengine.api.users.User;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSetMultimap;
 import com.google.gson.Gson;
 import google.registry.model.console.RegistrarRole;
+import google.registry.model.console.User;
 import google.registry.model.console.UserRoles;
 import google.registry.model.domain.RegistryLock;
-import google.registry.model.registrar.RegistrarPoc;
 import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationTestExtension;
 import google.registry.request.Action.Method;
 import google.registry.request.auth.AuthResult;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor;
-import google.registry.request.auth.UserAuthInfo;
 import google.registry.testing.FakeClock;
 import google.registry.testing.FakeResponse;
 import java.util.Map;
@@ -72,17 +66,29 @@ final class RegistryLockGetActionTest {
 
   @BeforeEach
   void beforeEach() {
-    user = userFromRegistrarPoc(makeRegistrarContact3());
+    user =
+        new User.Builder()
+            .setEmailAddress("Marla.Singer@crr.com")
+            .setUserRoles(
+                new UserRoles.Builder()
+                    .setRegistrarRoles(
+                        ImmutableMap.of(
+                            "TheRegistrar", RegistrarRole.ACCOUNT_MANAGER_WITH_REGISTRY_LOCK))
+                    .build())
+            .build();
+    action = createAction(user);
+  }
+
+  private RegistryLockGetAction createAction(User user) {
     fakeClock.setTo(DateTime.parse("2000-06-08T22:00:00.0Z"));
-    authResult = AuthResult.createUser(UserAuthInfo.create(user, false));
+    authResult = AuthResult.createUser(user);
     accessor =
         AuthenticatedRegistrarAccessor.createForTesting(
             ImmutableSetMultimap.of(
                 "TheRegistrar", OWNER,
                 "NewRegistrar", OWNER));
-    action =
-        new RegistryLockGetAction(
-            Method.GET, response, accessor, authResult, Optional.of("TheRegistrar"));
+    return new RegistryLockGetAction(
+        Method.GET, response, accessor, authResult, Optional.of("TheRegistrar"));
   }
 
   @Test
@@ -108,7 +114,7 @@ final class RegistryLockGetActionTest {
                     .build())
             .build();
 
-    action.authResult = AuthResult.createUser(UserAuthInfo.create(consoleUser));
+    action.authResult = AuthResult.createUser(consoleUser);
     action.run();
     assertThat(response.getStatus()).isEqualTo(SC_OK);
     assertThat(GSON.fromJson(response.getPayload(), Map.class))
@@ -231,7 +237,7 @@ final class RegistryLockGetActionTest {
                         "lockEnabledForContact",
                         true,
                         "email",
-                        "Marla.Singer.RegistryLock@crr.com",
+                        "Marla.Singer@crr.com",
                         "clientId",
                         "TheRegistrar",
                         "locks",
@@ -286,10 +292,10 @@ final class RegistryLockGetActionTest {
   }
 
   @Test
-  void testFailure_noAuthInfo() {
+  void testFailure_noUser() {
     action.authResult = AuthResult.NOT_AUTHENTICATED;
     IllegalArgumentException thrown = assertThrows(IllegalArgumentException.class, action::run);
-    assertThat(thrown).hasMessageThat().isEqualTo("User auth info must be present");
+    assertThat(thrown).hasMessageThat().isEqualTo("User must be present");
   }
 
   @Test
@@ -312,8 +318,16 @@ final class RegistryLockGetActionTest {
   @Test
   void testSuccess_readOnlyAccessForOtherUsers() {
     // If lock is not enabled for a user, this should be read-only
-    persistResource(
-        makeRegistrarContact3().asBuilder().setAllowedToSetRegistryLockPassword(true).build());
+    action =
+        createAction(
+            user.asBuilder()
+                .setUserRoles(
+                    user.getUserRoles()
+                        .asBuilder()
+                        .setRegistrarRoles(
+                            ImmutableMap.of("TheRegistrar", RegistrarRole.ACCOUNT_MANAGER))
+                        .build())
+                .build());
     action.run();
     assertThat(GSON.fromJson(response.getPayload(), Map.class).get("results"))
         .isEqualTo(
@@ -322,7 +336,7 @@ final class RegistryLockGetActionTest {
                     "lockEnabledForContact",
                     false,
                     "email",
-                    "Marla.Singer.RegistryLock@crr.com",
+                    "Marla.Singer@crr.com",
                     "clientId",
                     "TheRegistrar",
                     "locks",
@@ -332,10 +346,11 @@ final class RegistryLockGetActionTest {
   @Test
   void testSuccess_lockAllowedForAdmin() {
     // Locks are allowed for admins even when they're not enabled for the registrar
-    persistResource(makeRegistrar2().asBuilder().setRegistryLockAllowed(false).build());
-    // disallow the other user
-    persistResource(makeRegistrarContact2().asBuilder().setLoginEmailAddress(null).build());
-    authResult = AuthResult.createUser(UserAuthInfo.create(user, true));
+    authResult =
+        AuthResult.createUser(
+            user.asBuilder()
+                .setUserRoles(user.getUserRoles().asBuilder().setIsAdmin(true).build())
+                .build());
     accessor =
         AuthenticatedRegistrarAccessor.createForTesting(
             ImmutableSetMultimap.of(
@@ -359,29 +374,6 @@ final class RegistryLockGetActionTest {
                     ImmutableList.of())));
   }
 
-  @Test
-  void testSuccess_linkedToLoginContactEmail() {
-    // Note that the email address is case-insensitive.
-    user = new User("marla.singer@crr.com", "crr.com", user.getUserId());
-    authResult = AuthResult.createUser(UserAuthInfo.create(user, false));
-    action =
-        new RegistryLockGetAction(
-            Method.GET, response, accessor, authResult, Optional.of("TheRegistrar"));
-    action.run();
-    assertThat(GSON.fromJson(response.getPayload(), Map.class).get("results"))
-        .isEqualTo(
-            ImmutableList.of(
-                ImmutableMap.of(
-                    "lockEnabledForContact",
-                    true,
-                    "email",
-                    "Marla.Singer.RegistryLock@crr.com",
-                    "clientId",
-                    "TheRegistrar",
-                    "locks",
-                    ImmutableList.of())));
-  }
-
   @Test
   void testFailure_lockNotAllowedForRegistrar() {
     // The UI shouldn't be making requests where lock isn't enabled for this registrar
@@ -410,8 +402,4 @@ final class RegistryLockGetActionTest {
     action.run();
     assertThat(response.getStatus()).isEqualTo(SC_FORBIDDEN);
   }
-
-  static User userFromRegistrarPoc(RegistrarPoc registrarPoc) {
-    return new User(registrarPoc.getLoginEmailAddress(), "gmail.com");
-  }
 }
diff --git a/core/src/test/java/google/registry/ui/server/registrar/RegistryLockPostActionTest.java b/core/src/test/java/google/registry/ui/server/registrar/RegistryLockPostActionTest.java
index 85f408493..94755ae1e 100644
--- a/core/src/test/java/google/registry/ui/server/registrar/RegistryLockPostActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/registrar/RegistryLockPostActionTest.java
@@ -24,30 +24,27 @@ import static google.registry.testing.SqlHelper.getMostRecentRegistryLockByRepoI
 import static google.registry.testing.SqlHelper.getRegistryLockByVerificationCode;
 import static google.registry.testing.SqlHelper.saveRegistryLock;
 import static google.registry.tools.LockOrUnlockDomainCommand.REGISTRY_LOCK_STATUSES;
-import static google.registry.ui.server.registrar.RegistryLockGetActionTest.userFromRegistrarPoc;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoMoreInteractions;
 import static org.mockito.Mockito.when;
 
-import com.google.appengine.api.users.User;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import google.registry.groups.GmailClient;
 import google.registry.model.console.RegistrarRole;
+import google.registry.model.console.User;
 import google.registry.model.console.UserRoles;
 import google.registry.model.domain.Domain;
 import google.registry.model.domain.RegistryLock;
 import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationTestExtension;
-import google.registry.persistence.transaction.JpaTransactionManagerExtension;
 import google.registry.request.JsonActionRunner;
 import google.registry.request.JsonResponse;
 import google.registry.request.ResponseImpl;
 import google.registry.request.auth.AuthResult;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor;
 import google.registry.request.auth.AuthenticatedRegistrarAccessor.Role;
-import google.registry.request.auth.UserAuthInfo;
 import google.registry.testing.CloudTasksHelper;
 import google.registry.testing.DatabaseHelper;
 import google.registry.testing.DeterministicStringGenerator;
@@ -103,16 +100,28 @@ final class RegistryLockPostActionTest {
   @BeforeEach
   void beforeEach() throws Exception {
     userWithLockPermission =
-        userFromRegistrarPoc(JpaTransactionManagerExtension.makeRegistrarContact3());
+        new User.Builder()
+            .setEmailAddress("Marla.Singer@crr.com")
+            .setUserRoles(
+                new UserRoles.Builder()
+                    .setRegistrarRoles(
+                        ImmutableMap.of(
+                            "TheRegistrar", RegistrarRole.ACCOUNT_MANAGER_WITH_REGISTRY_LOCK))
+                    .build())
+            .setRegistryLockPassword("hi")
+            .setRegistryLockEmailAddress("Marla.Singer.RegistryLock@crr.com")
+            .build();
     userWithoutPermission =
-        userFromRegistrarPoc(JpaTransactionManagerExtension.makeRegistrarContact2());
+        new User.Builder()
+            .setEmailAddress("johndoe@theregistrar.com")
+            .setUserRoles(new UserRoles())
+            .build();
     createTld("tld");
     domain = persistResource(DatabaseHelper.newDomain("example.tld"));
 
     when(mockRequest.getServerName()).thenReturn("registrarconsole.tld");
 
-    action =
-        createAction(AuthResult.createUser(UserAuthInfo.create(userWithLockPermission, false)));
+    action = createAction(AuthResult.createUser(userWithLockPermission));
   }
 
   @Test
@@ -150,21 +159,19 @@ final class RegistryLockPostActionTest {
     saveRegistryLock(
         createLock().asBuilder().isSuperuser(true).setLockCompletionTime(clock.nowUtc()).build());
     persistResource(domain.asBuilder().setStatusValues(REGISTRY_LOCK_STATUSES).build());
-    action = createAction(AuthResult.createUser(UserAuthInfo.create(userWithoutPermission, true)));
+    action =
+        createAction(
+            AuthResult.createUser(
+                userWithoutPermission
+                    .asBuilder()
+                    .setUserRoles(
+                        userWithoutPermission.getUserRoles().asBuilder().setIsAdmin(true).build())
+                    .build()));
     Map<String, ?> response = action.handleJsonRequest(unlockRequest());
     // we should still email the admin user's email address
     assertSuccess(response, "unlock", "johndoe@theregistrar.com");
   }
 
-  @Test
-  void testSuccess_linkedToLoginEmail() throws Exception {
-    userWithLockPermission = new User("Marla.Singer@crr.com", "crr.com");
-    action =
-        createAction(AuthResult.createUser(UserAuthInfo.create(userWithLockPermission, false)));
-    Map<String, ?> response = action.handleJsonRequest(lockRequest());
-    assertSuccess(response, "lock", "Marla.Singer.RegistryLock@crr.com");
-  }
-
   @Test
   void testFailure_unlock_noLock() {
     persistResource(domain.asBuilder().setStatusValues(REGISTRY_LOCK_STATUSES).build());
@@ -198,14 +205,28 @@ final class RegistryLockPostActionTest {
   @Test
   void testSuccess_adminUser() throws Exception {
     // Admin user should be able to lock/unlock regardless -- and we use the admin user's email
-    action = createAction(AuthResult.createUser(UserAuthInfo.create(userWithoutPermission, true)));
+    action =
+        createAction(
+            AuthResult.createUser(
+                userWithoutPermission
+                    .asBuilder()
+                    .setUserRoles(
+                        userWithoutPermission.getUserRoles().asBuilder().setIsAdmin(true).build())
+                    .build()));
     Map<String, ?> response = action.handleJsonRequest(lockRequest());
     assertSuccess(response, "lock", "johndoe@theregistrar.com");
   }
 
   @Test
   void testSuccess_adminUser_doesNotRequirePassword() throws Exception {
-    action = createAction(AuthResult.createUser(UserAuthInfo.create(userWithoutPermission, true)));
+    action =
+        createAction(
+            AuthResult.createUser(
+                userWithoutPermission
+                    .asBuilder()
+                    .setUserRoles(
+                        userWithoutPermission.getUserRoles().asBuilder().setIsAdmin(true).build())
+                    .build()));
     Map<String, ?> response =
         action.handleJsonRequest(
             ImmutableMap.of(
@@ -229,7 +250,7 @@ final class RegistryLockPostActionTest {
                     .build())
             .setRegistryLockPassword("hi")
             .build();
-    AuthResult consoleAuthResult = AuthResult.createUser(UserAuthInfo.create(consoleUser));
+    AuthResult consoleAuthResult = AuthResult.createUser(consoleUser);
     action = createAction(consoleAuthResult);
     Map<String, ?> response = action.handleJsonRequest(lockRequest());
     assertSuccess(response, "lock", "johndoe.registrylock@theregistrar.com");
@@ -242,7 +263,7 @@ final class RegistryLockPostActionTest {
             .setEmailAddress("johndoe@theregistrar.com")
             .setUserRoles(new UserRoles.Builder().setIsAdmin(true).build())
             .build();
-    AuthResult consoleAuthResult = AuthResult.createUser(UserAuthInfo.create(consoleUser));
+    AuthResult consoleAuthResult = AuthResult.createUser(consoleUser);
     action = createAction(consoleAuthResult);
     Map<String, Object> requestMapWithoutPassword =
         ImmutableMap.of(
@@ -273,8 +294,7 @@ final class RegistryLockPostActionTest {
 
   @Test
   void testFailure_unauthorizedRegistrarId() {
-    AuthResult authResult =
-        AuthResult.createUser(UserAuthInfo.create(userWithLockPermission, false));
+    AuthResult authResult = AuthResult.createUser(userWithLockPermission);
     action = createAction(authResult, ImmutableSet.of("TheRegistrar"));
     Map<String, ?> response =
         action.handleJsonRequest(
@@ -341,12 +361,12 @@ final class RegistryLockPostActionTest {
                 "registrarId", "TheRegistrar",
                 "domainName", "example.tld",
                 "isLock", true));
-    assertFailureWithMessage(response, "Incorrect registry lock password for contact");
+    assertFailureWithMessage(response, "Incorrect registry lock password for user");
   }
 
   @Test
   void testFailure_notEnabledForRegistrarPoc() {
-    action = createAction(AuthResult.createUser(UserAuthInfo.create(userWithoutPermission, false)));
+    action = createAction(AuthResult.createUser(userWithoutPermission));
     Map<String, ?> response =
         action.handleJsonRequest(
             ImmutableMap.of(
@@ -354,7 +374,7 @@ final class RegistryLockPostActionTest {
                 "domainName", "example.tld",
                 "isLock", true,
                 "password", "hi"));
-    assertFailureWithMessage(response, "Incorrect registry lock password for contact");
+    assertFailureWithMessage(response, "Incorrect registry lock password for user");
   }
 
   @Test
@@ -366,7 +386,7 @@ final class RegistryLockPostActionTest {
                 "domainName", "example.tld",
                 "isLock", true,
                 "password", "badPassword"));
-    assertFailureWithMessage(response, "Incorrect registry lock password for contact");
+    assertFailureWithMessage(response, "Incorrect registry lock password for user");
   }
 
   @Test
@@ -439,7 +459,7 @@ final class RegistryLockPostActionTest {
                     .build())
             .setRegistryLockPassword("hi")
             .build();
-    AuthResult consoleAuthResult = AuthResult.createUser(UserAuthInfo.create(consoleUser));
+    AuthResult consoleAuthResult = AuthResult.createUser(consoleUser);
     action = createAction(consoleAuthResult);
     Map<String, ?> response =
         action.handleJsonRequest(
@@ -510,7 +530,7 @@ final class RegistryLockPostActionTest {
 
   private RegistryLockPostAction createAction(
       AuthResult authResult, ImmutableSet<String> accessibleRegistrars) {
-    Role role = authResult.userAuthInfo().get().isUserAdmin() ? Role.ADMIN : Role.OWNER;
+    Role role = authResult.user().get().getUserRoles().isAdmin() ? Role.ADMIN : Role.OWNER;
     AuthenticatedRegistrarAccessor registrarAccessor =
         AuthenticatedRegistrarAccessor.createForTesting(
             accessibleRegistrars.stream().collect(toImmutableSetMultimap(r -> r, r -> role)));
diff --git a/core/src/test/java/google/registry/ui/server/registrar/RegistryLockVerifyActionTest.java b/core/src/test/java/google/registry/ui/server/registrar/RegistryLockVerifyActionTest.java
index f6931ce45..378e8e6e6 100644
--- a/core/src/test/java/google/registry/ui/server/registrar/RegistryLockVerifyActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/registrar/RegistryLockVerifyActionTest.java
@@ -23,17 +23,16 @@ import static google.registry.testing.DatabaseHelper.persistResource;
 import static google.registry.testing.SqlHelper.getRegistryLockByVerificationCode;
 import static google.registry.testing.SqlHelper.saveRegistryLock;
 import static google.registry.tools.LockOrUnlockDomainCommand.REGISTRY_LOCK_STATUSES;
-import static jakarta.servlet.http.HttpServletResponse.SC_MOVED_TEMPORARILY;
 import static jakarta.servlet.http.HttpServletResponse.SC_OK;
+import static jakarta.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
-import com.google.appengine.api.users.User;
-import com.google.appengine.api.users.UserService;
-import com.google.appengine.api.users.UserServiceFactory;
 import com.google.common.collect.ImmutableMap;
 import google.registry.model.billing.BillingBase.Reason;
 import google.registry.model.billing.BillingEvent;
+import google.registry.model.console.User;
+import google.registry.model.console.UserRoles;
 import google.registry.model.domain.Domain;
 import google.registry.model.domain.DomainHistory;
 import google.registry.model.domain.RegistryLock;
@@ -43,14 +42,12 @@ import google.registry.model.tld.Tld;
 import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationTestExtension;
 import google.registry.request.auth.AuthResult;
-import google.registry.request.auth.UserAuthInfo;
 import google.registry.security.XsrfTokenManager;
 import google.registry.testing.CloudTasksHelper;
 import google.registry.testing.DatabaseHelper;
 import google.registry.testing.DeterministicStringGenerator;
 import google.registry.testing.FakeClock;
 import google.registry.testing.FakeResponse;
-import google.registry.testing.UserServiceExtension;
 import google.registry.tools.DomainLockUtils;
 import google.registry.util.StringGenerator;
 import google.registry.util.StringGenerator.Alphabets;
@@ -69,13 +66,12 @@ final class RegistryLockVerifyActionTest {
   final JpaIntegrationTestExtension jpa =
       new JpaTestExtensions.Builder().withClock(fakeClock).buildIntegrationTestExtension();
 
-  @RegisterExtension
-  final UserServiceExtension userServiceExtension =
-      new UserServiceExtension("marla.singer@example.com");
-
   private final HttpServletRequest request = mock(HttpServletRequest.class);
-  private final UserService userService = UserServiceFactory.getUserService();
-  private final User user = new User("marla.singer@example.com", "gmail.com", "12345");
+  private final User user =
+      new User.Builder()
+          .setEmailAddress("marla.singer@example.com")
+          .setUserRoles(new UserRoles())
+          .build();
   private final String lockId = "123456789ABCDEFGHJKLMNPQRSTUVWXY";
   private final StringGenerator stringGenerator =
       new DeterministicStringGenerator(Alphabets.BASE_58);
@@ -136,7 +132,11 @@ final class RegistryLockVerifyActionTest {
 
   @Test
   void testSuccess_adminLock_createsOnlyHistoryEntry() {
-    action.authResult = AuthResult.createUser(UserAuthInfo.create(user, true));
+    action.authResult =
+        AuthResult.createUser(
+            user.asBuilder()
+                .setUserRoles(user.getUserRoles().asBuilder().setIsAdmin(true).build())
+                .build());
     saveRegistryLock(createLock().asBuilder().isSuperuser(true).build());
 
     action.run();
@@ -211,8 +211,7 @@ final class RegistryLockVerifyActionTest {
   void testFailure_notLoggedIn() {
     action.authResult = AuthResult.NOT_AUTHENTICATED;
     action.run();
-    assertThat(response.getStatus()).isEqualTo(SC_MOVED_TEMPORARILY);
-    assertThat(response.getHeaders()).containsKey("Location");
+    assertThat(response.getStatus()).isEqualTo(SC_UNAUTHORIZED);
     assertNoDomainChanges();
   }
 
@@ -324,15 +323,14 @@ final class RegistryLockVerifyActionTest {
             new DomainLockUtils(
                 stringGenerator, "adminreg", cloudTasksHelper.getTestCloudTasksUtils()),
             lockVerificationCode);
-    authResult = AuthResult.createUser(UserAuthInfo.create(user, false));
+    authResult = AuthResult.createUser(user);
     action.req = request;
     action.response = response;
     action.authResult = authResult;
-    action.userService = userService;
     action.logoFilename = "logo.png";
     action.productName = "Nomulus";
     action.analyticsConfig = ImmutableMap.of("googleAnalyticsId", "sampleId");
-    action.xsrfTokenManager = new XsrfTokenManager(new FakeClock(), action.userService);
+    action.xsrfTokenManager = new XsrfTokenManager(new FakeClock());
     return action;
   }
 }
diff --git a/core/src/test/java/google/registry/webdriver/OteSetupConsoleScreenshotTest.java b/core/src/test/java/google/registry/webdriver/OteSetupConsoleScreenshotTest.java
index 2b703e271..d1a298ec0 100644
--- a/core/src/test/java/google/registry/webdriver/OteSetupConsoleScreenshotTest.java
+++ b/core/src/test/java/google/registry/webdriver/OteSetupConsoleScreenshotTest.java
@@ -14,11 +14,14 @@
 
 package google.registry.webdriver;
 
+import static google.registry.model.console.RegistrarRole.ACCOUNT_MANAGER;
 import static google.registry.server.Fixture.BASIC;
 import static google.registry.server.Route.route;
 
+import com.google.common.collect.ImmutableMap;
 import google.registry.module.frontend.FrontendServlet;
 import google.registry.server.RegistryTestServer;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.extension.RegisterExtension;
 import org.junitpioneer.jupiter.RetryingTest;
 import org.openqa.selenium.By;
@@ -33,8 +36,14 @@ public class OteSetupConsoleScreenshotTest extends WebDriverTestCase {
           .setRoutes(route("/registrar-ote-setup", FrontendServlet.class))
           .setFixtures(BASIC)
           .setEmail("Marla.Singer@google.com")
+          .setRegistryLockEmail("Marla.Singer.RegistryLock@google.com")
           .build();
 
+  @BeforeEach
+  void beforeEach() {
+    server.setRegistrarRoles(ImmutableMap.of("TheRegistrar", ACCOUNT_MANAGER));
+  }
+
   @RetryingTest(3)
   void get_owner_fails() throws Throwable {
     driver.get(server.getUrl("/registrar-ote-setup"));
diff --git a/core/src/test/java/google/registry/webdriver/RegistrarConsoleScreenshotTest.java b/core/src/test/java/google/registry/webdriver/RegistrarConsoleScreenshotTest.java
index cc64b1a34..440626ef6 100644
--- a/core/src/test/java/google/registry/webdriver/RegistrarConsoleScreenshotTest.java
+++ b/core/src/test/java/google/registry/webdriver/RegistrarConsoleScreenshotTest.java
@@ -29,6 +29,7 @@ import static google.registry.tools.LockOrUnlockDomainCommand.REGISTRY_LOCK_STAT
 import static google.registry.util.DateTimeUtils.START_OF_TIME;
 
 import com.google.common.collect.ImmutableMap;
+import google.registry.model.console.RegistrarRole;
 import google.registry.model.domain.Domain;
 import google.registry.model.domain.RegistryLock;
 import google.registry.model.registrar.RegistrarBase.State;
@@ -39,6 +40,7 @@ import google.registry.testing.CertificateSamples;
 import google.registry.testing.DatabaseHelper;
 import java.util.Optional;
 import java.util.UUID;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.extension.RegisterExtension;
 import org.junitpioneer.jupiter.RetryingTest;
 import org.openqa.selenium.By;
@@ -59,8 +61,14 @@ class RegistrarConsoleScreenshotTest extends WebDriverTestCase {
               route("/registry-lock-verify", FrontendServlet.class))
           .setFixtures(BASIC)
           .setEmail("Marla.Singer@crr.com") // from makeRegistrarContact3
+          .setRegistryLockEmail("Marla.Singer.RegistryLock@crr.com")
           .build();
 
+  @BeforeEach
+  void beforeEach() {
+    server.setRegistrarRoles(ImmutableMap.of("TheRegistrar", RegistrarRole.ACCOUNT_MANAGER));
+  }
+
   @RetryingTest(3)
   void index_owner() throws Throwable {
     driver.get(server.getUrl("/registrar"));
@@ -140,13 +148,13 @@ class RegistrarConsoleScreenshotTest extends WebDriverTestCase {
 
   @RetryingTest(3)
   void settingsContactEdit_setRegistryLockPassword() throws Throwable {
-          persistResource(makeRegistrar2().asBuilder().setRegistryLockAllowed(true).build());
-          persistResource(
-              makeRegistrarContact2()
-                  .asBuilder()
-                  .setRegistryLockEmailAddress("johndoe.registrylock@example.com")
-                  .setAllowedToSetRegistryLockPassword(true)
-                  .build());
+    persistResource(makeRegistrar2().asBuilder().setRegistryLockAllowed(true).build());
+    persistResource(
+        makeRegistrarContact2()
+            .asBuilder()
+            .setRegistryLockEmailAddress("johndoe.registrylock@example.com")
+            .setAllowedToSetRegistryLockPassword(true)
+            .build());
     driver.manage().window().setSize(new Dimension(1050, 2000));
     driver.get(server.getUrl("/registrar#contact-settings/johndoe@theregistrar.com"));
     driver.waitForDisplayedElement(By.tagName("h1"));
@@ -176,20 +184,19 @@ class RegistrarConsoleScreenshotTest extends WebDriverTestCase {
             .filter(c -> "johndoe@theregistrar.com".equals(c.getEmailAddress()))
             .findFirst()
             .get();
-          assertThat(contact.verifyRegistryLockPassword("password")).isTrue();
-          assertThat(contact.getRegistryLockEmailAddress())
-              .isEqualTo(Optional.of("johndoe.registrylock@example.com"));
+    assertThat(contact.verifyRegistryLockPassword("password")).isTrue();
+    assertThat(contact.getRegistryLockEmailAddress())
+        .isEqualTo(Optional.of("johndoe.registrylock@example.com"));
   }
 
   @RetryingTest(3)
   void settingsContactEdit_setRegistryLockPassword_alreadySet() throws Throwable {
-          persistResource(
-              makeRegistrarContact2()
-                  .asBuilder()
-                  .setAllowedToSetRegistryLockPassword(true)
-                  .setRegistryLockPassword("hi")
-                  .build());
-          persistResource(makeRegistrar2().asBuilder().setRegistryLockAllowed(true).build());
+    persistResource(
+        makeRegistrarContact2()
+            .asBuilder()
+            .setAllowedToSetRegistryLockPassword(true)
+            .setRegistryLockPassword("hi")
+            .build());
     driver.manage().window().setSize(new Dimension(1050, 2000));
     driver.get(server.getUrl("/registrar#contact-settings/johndoe@theregistrar.com"));
     driver.waitForDisplayedElement(By.tagName("h1"));
@@ -306,12 +313,12 @@ class RegistrarConsoleScreenshotTest extends WebDriverTestCase {
 
   @RetryingTest(3)
   void settingsSecurityWithCerts() throws Throwable {
-          persistResource(
-              loadRegistrar("TheRegistrar")
-                  .asBuilder()
-                  .setClientCertificate(CertificateSamples.SAMPLE_CERT, START_OF_TIME)
-                  .setFailoverClientCertificate(CertificateSamples.SAMPLE_CERT2, START_OF_TIME)
-                  .build());
+    persistResource(
+        loadRegistrar("TheRegistrar")
+            .asBuilder()
+            .setClientCertificate(CertificateSamples.SAMPLE_CERT, START_OF_TIME)
+            .setFailoverClientCertificate(CertificateSamples.SAMPLE_CERT2, START_OF_TIME)
+            .build());
     driver.manage().window().setSize(new Dimension(1050, 2000));
     driver.get(server.getUrl("/registrar#security-settings"));
     driver.waitForDisplayedElement(By.tagName("h1"));
@@ -371,17 +378,17 @@ class RegistrarConsoleScreenshotTest extends WebDriverTestCase {
   @RetryingTest(3)
   void registryLockVerify_success() throws Throwable {
     String lockVerificationCode = "f1be78a2-2d61-458c-80f0-9dd8f2f8625f";
-          createTld("tld");
-          persistResource(DatabaseHelper.newDomain("example-lock.tld"));
-          saveRegistryLock(
-              new RegistryLock.Builder()
-                  .setRegistrarPocId("johndoe@theregistrar.com")
-                  .setRepoId("repoId")
-                  .setRegistrarId("TheRegistrar")
-                  .setVerificationCode("f1be78a2-2d61-458c-80f0-9dd8f2f8625f")
-                  .isSuperuser(false)
-                  .setDomainName("example-lock.tld")
-                  .build());
+    createTld("tld");
+    persistResource(DatabaseHelper.newDomain("example-lock.tld"));
+    saveRegistryLock(
+        new RegistryLock.Builder()
+            .setRegistrarPocId("johndoe@theregistrar.com")
+            .setRepoId("repoId")
+            .setRegistrarId("TheRegistrar")
+            .setVerificationCode("f1be78a2-2d61-458c-80f0-9dd8f2f8625f")
+            .isSuperuser(false)
+            .setDomainName("example-lock.tld")
+            .build());
     driver.get(
         server.getUrl(
             "/registry-lock-verify?isLock=true&lockVerificationCode=" + lockVerificationCode));
@@ -398,6 +405,8 @@ class RegistrarConsoleScreenshotTest extends WebDriverTestCase {
 
   @RetryingTest(3)
   void registryLock_empty() throws Throwable {
+    server.setRegistrarRoles(
+        ImmutableMap.of("TheRegistrar", RegistrarRole.ACCOUNT_MANAGER_WITH_REGISTRY_LOCK));
     driver.get(server.getUrl("/registrar?clientId=TheRegistrar#registry-lock"));
     driver.waitForDisplayedElement(By.tagName("h2"));
     driver.diffPage("page");
@@ -405,7 +414,7 @@ class RegistrarConsoleScreenshotTest extends WebDriverTestCase {
 
   @RetryingTest(3)
   void registryLock_notAllowed() throws Throwable {
-          persistResource(makeRegistrar2().asBuilder().setRegistryLockAllowed(false).build());
+    persistResource(makeRegistrar2().asBuilder().setRegistryLockAllowed(false).build());
     driver.get(server.getUrl("/registrar?clientId=TheRegistrar#registry-lock"));
     driver.waitForDisplayedElement(By.tagName("h2"));
     driver.diffPage("page");
@@ -413,7 +422,9 @@ class RegistrarConsoleScreenshotTest extends WebDriverTestCase {
 
   @RetryingTest(3)
   void registryLock_nonEmpty() throws Throwable {
-          createDomainAndSaveLock();
+    createDomainAndSaveLock();
+    server.setRegistrarRoles(
+        ImmutableMap.of("TheRegistrar", RegistrarRole.ACCOUNT_MANAGER_WITH_REGISTRY_LOCK));
     driver.get(server.getUrl("/registrar#registry-lock"));
     driver.waitForDisplayedElement(By.tagName("h2"));
     driver.diffPage("page");
@@ -421,48 +432,50 @@ class RegistrarConsoleScreenshotTest extends WebDriverTestCase {
 
   @RetryingTest(3)
   void registryLock_nonEmpty_admin() throws Throwable {
-          createTld("tld");
-          // expired unlock request
-          Domain expiredUnlockRequestDomain = persistActiveDomain("expiredunlock.tld");
-          saveRegistryLock(
-              createRegistryLock(expiredUnlockRequestDomain)
-                  .asBuilder()
-                  .setLockCompletionTime(START_OF_TIME.minusDays(1))
-                  .setUnlockRequestTime(START_OF_TIME.minusDays(1))
-                  .build());
-          Domain domain = persistActiveDomain("example.tld");
-          saveRegistryLock(createRegistryLock(domain).asBuilder().isSuperuser(true).build());
-          Domain otherDomain = persistActiveDomain("otherexample.tld");
-          saveRegistryLock(createRegistryLock(otherDomain));
-          // include one pending-lock domain
-          Domain pendingDomain = persistActiveDomain("pending.tld");
-          saveRegistryLock(
-              new RegistryLock.Builder()
-                  .setVerificationCode(UUID.randomUUID().toString())
-                  .isSuperuser(false)
-                  .setRegistrarId("TheRegistrar")
-                  .setRegistrarPocId("Marla.Singer@crr.com")
-                  .setDomainName("pending.tld")
-                  .setRepoId(pendingDomain.getRepoId())
-                  .build());
-          // and one pending-unlock domain
-          Domain pendingUnlockDomain =
-              persistResource(
-                  DatabaseHelper.newDomain("pendingunlock.tld")
-                      .asBuilder()
-                      .setStatusValues(REGISTRY_LOCK_STATUSES)
-                      .build());
-          saveRegistryLock(
-              new RegistryLock.Builder()
-                  .setVerificationCode(UUID.randomUUID().toString())
-                  .isSuperuser(false)
-                  .setRegistrarId("TheRegistrar")
-                  .setRegistrarPocId("Marla.Singer@crr.com")
-                  .setDomainName(pendingUnlockDomain.getDomainName())
-                  .setRepoId(pendingUnlockDomain.getRepoId())
-                  .setLockCompletionTime(START_OF_TIME)
-                  .setUnlockRequestTime(START_OF_TIME)
-                  .build());
+    createTld("tld");
+    // expired unlock request
+    Domain expiredUnlockRequestDomain = persistActiveDomain("expiredunlock.tld");
+    saveRegistryLock(
+        createRegistryLock(expiredUnlockRequestDomain)
+            .asBuilder()
+            .setLockCompletionTime(START_OF_TIME.minusDays(1))
+            .setUnlockRequestTime(START_OF_TIME.minusDays(1))
+            .build());
+    server.setRegistrarRoles(
+        ImmutableMap.of("TheRegistrar", RegistrarRole.ACCOUNT_MANAGER_WITH_REGISTRY_LOCK));
+    Domain domain = persistActiveDomain("example.tld");
+    saveRegistryLock(createRegistryLock(domain).asBuilder().isSuperuser(true).build());
+    Domain otherDomain = persistActiveDomain("otherexample.tld");
+    saveRegistryLock(createRegistryLock(otherDomain));
+    // include one pending-lock domain
+    Domain pendingDomain = persistActiveDomain("pending.tld");
+    saveRegistryLock(
+        new RegistryLock.Builder()
+            .setVerificationCode(UUID.randomUUID().toString())
+            .isSuperuser(false)
+            .setRegistrarId("TheRegistrar")
+            .setRegistrarPocId("Marla.Singer@crr.com")
+            .setDomainName("pending.tld")
+            .setRepoId(pendingDomain.getRepoId())
+            .build());
+    // and one pending-unlock domain
+    Domain pendingUnlockDomain =
+        persistResource(
+            DatabaseHelper.newDomain("pendingunlock.tld")
+                .asBuilder()
+                .setStatusValues(REGISTRY_LOCK_STATUSES)
+                .build());
+    saveRegistryLock(
+        new RegistryLock.Builder()
+            .setVerificationCode(UUID.randomUUID().toString())
+            .isSuperuser(false)
+            .setRegistrarId("TheRegistrar")
+            .setRegistrarPocId("Marla.Singer@crr.com")
+            .setDomainName(pendingUnlockDomain.getDomainName())
+            .setRepoId(pendingUnlockDomain.getRepoId())
+            .setLockCompletionTime(START_OF_TIME)
+            .setUnlockRequestTime(START_OF_TIME)
+            .build());
     driver.get(server.getUrl("/registrar#registry-lock"));
     driver.waitForDisplayedElement(By.tagName("h2"));
     driver.diffPage("page");
@@ -470,7 +483,9 @@ class RegistrarConsoleScreenshotTest extends WebDriverTestCase {
 
   @RetryingTest(3)
   void registryLock_unlockModal() throws Throwable {
-          createDomainAndSaveLock();
+    createDomainAndSaveLock();
+    server.setRegistrarRoles(
+        ImmutableMap.of("TheRegistrar", RegistrarRole.ACCOUNT_MANAGER_WITH_REGISTRY_LOCK));
     driver.get(server.getUrl("/registrar#registry-lock"));
     driver.waitForDisplayedElement(By.tagName("h2"));
     driver.findElement(By.id("button-unlock-example.tld")).click();
@@ -482,8 +497,10 @@ class RegistrarConsoleScreenshotTest extends WebDriverTestCase {
   @RetryingTest(3)
   void registryLock_lockModal() throws Throwable {
     server.setIsAdmin(true);
-          createTld("tld");
-          persistActiveDomain("example.tld");
+    createTld("tld");
+    persistActiveDomain("example.tld");
+    server.setRegistrarRoles(
+        ImmutableMap.of("TheRegistrar", RegistrarRole.ACCOUNT_MANAGER_WITH_REGISTRY_LOCK));
     driver.get(server.getUrl("/registrar#registry-lock"));
     driver.waitForDisplayedElement(By.tagName("h2"));
     driver.findElement(By.id("button-lock-domain")).click();
diff --git a/core/src/test/java/google/registry/webdriver/RegistrarConsoleWebTest.java b/core/src/test/java/google/registry/webdriver/RegistrarConsoleWebTest.java
index d0db419a2..cbd4caf32 100644
--- a/core/src/test/java/google/registry/webdriver/RegistrarConsoleWebTest.java
+++ b/core/src/test/java/google/registry/webdriver/RegistrarConsoleWebTest.java
@@ -21,11 +21,13 @@ import static google.registry.testing.DatabaseHelper.loadRegistrar;
 
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
+import google.registry.model.console.RegistrarRole;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarAddress;
 import google.registry.model.registrar.RegistrarPoc;
 import google.registry.module.frontend.FrontendServlet;
 import google.registry.server.RegistryTestServer;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.extension.RegisterExtension;
 import org.junitpioneer.jupiter.RetryingTest;
 import org.openqa.selenium.By;
@@ -43,8 +45,14 @@ public class RegistrarConsoleWebTest extends WebDriverTestCase {
               route("/registrar-settings", FrontendServlet.class))
           .setFixtures(BASIC)
           .setEmail("Marla.Singer@crr.com")
+          .setRegistryLockEmail("Marla.Singer.RegistryLock@crr.com")
           .build();
 
+  @BeforeEach
+  void beforeEach() {
+    server.setRegistrarRoles(ImmutableMap.of("TheRegistrar", RegistrarRole.ACCOUNT_MANAGER));
+  }
+
   /** Checks the identified element has the given text content. */
   void assertEltText(String eltId, String eltValue) {
     assertThat(driver.findElement(By.id(eltId)).getText()).isEqualTo(eltValue);
@@ -112,8 +120,8 @@ public class RegistrarConsoleWebTest extends WebDriverTestCase {
   @RetryingTest(3)
   void testEditButtonsVisibility_adminOnly() throws Throwable {
     server.setIsAdmin(true);
-    // To make sure we're only ADMIN (and not also "OWNER"), we switch to the NewRegistrar we
-    // aren't in the contacts of
+    // To make sure we're only ADMIN (and not also "OWNER"), we switch to the NewRegistrar for
+    // which we don't have a role.
     driver.get(server.getUrl("/registrar?clientId=NewRegistrar#whois-settings"));
     assertEltInvisible("reg-app-btns-edit");
     assertEltInvisible("reg-app-btn-add");
diff --git a/core/src/test/java/google/registry/webdriver/RegistrarCreateConsoleScreenshotTest.java b/core/src/test/java/google/registry/webdriver/RegistrarCreateConsoleScreenshotTest.java
index 9b5e29d80..5e80f36fe 100644
--- a/core/src/test/java/google/registry/webdriver/RegistrarCreateConsoleScreenshotTest.java
+++ b/core/src/test/java/google/registry/webdriver/RegistrarCreateConsoleScreenshotTest.java
@@ -14,11 +14,14 @@
 
 package google.registry.webdriver;
 
+import static google.registry.model.console.RegistrarRole.ACCOUNT_MANAGER;
 import static google.registry.server.Fixture.BASIC;
 import static google.registry.server.Route.route;
 
+import com.google.common.collect.ImmutableMap;
 import google.registry.module.frontend.FrontendServlet;
 import google.registry.server.RegistryTestServer;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.extension.RegisterExtension;
 import org.junitpioneer.jupiter.RetryingTest;
 import org.openqa.selenium.By;
@@ -33,8 +36,14 @@ class RegistrarCreateConsoleScreenshotTest extends WebDriverTestCase {
           .setRoutes(route("/registrar-create", FrontendServlet.class))
           .setFixtures(BASIC)
           .setEmail("Marla.Singer@google.com")
+          .setRegistryLockEmail("Marla.Singer.RegistryLock@google.com")
           .build();
 
+  @BeforeEach
+  void beforeEach() {
+    server.setRegistrarRoles(ImmutableMap.of("TheRegistrar", ACCOUNT_MANAGER));
+  }
+
   @RetryingTest(3)
   void get_owner_fails() throws Throwable {
     driver.get(server.getUrl("/registrar-create"));
diff --git a/core/src/test/java/google/registry/webdriver/TestServerExtension.java b/core/src/test/java/google/registry/webdriver/TestServerExtension.java
index 503bf0a93..4272f8074 100644
--- a/core/src/test/java/google/registry/webdriver/TestServerExtension.java
+++ b/core/src/test/java/google/registry/webdriver/TestServerExtension.java
@@ -22,21 +22,25 @@ import static google.registry.util.NetworkUtils.pickUnusedPort;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.net.HostAndPort;
+import google.registry.model.console.RegistrarRole;
+import google.registry.model.console.User;
+import google.registry.model.console.UserRoles;
 import google.registry.persistence.transaction.JpaTestExtensions;
 import google.registry.persistence.transaction.JpaTestExtensions.JpaIntegrationTestExtension;
-import google.registry.request.auth.AuthenticatedRegistrarAccessor;
+import google.registry.request.auth.AuthResult;
+import google.registry.request.auth.OidcTokenAuthenticationMechanism;
 import google.registry.server.Fixture;
 import google.registry.server.Route;
 import google.registry.server.TestServer;
-import google.registry.testing.UserInfo;
-import google.registry.testing.UserServiceExtension;
 import java.net.URL;
 import java.net.UnknownHostException;
 import java.nio.file.Path;
 import java.time.Duration;
+import java.util.Map;
 import java.util.concurrent.BlockingQueue;
 import java.util.concurrent.FutureTask;
 import java.util.concurrent.LinkedBlockingDeque;
+import javax.annotation.Nullable;
 import org.junit.jupiter.api.extension.AfterEachCallback;
 import org.junit.jupiter.api.extension.BeforeEachCallback;
 import org.junit.jupiter.api.extension.ExtensionContext;
@@ -49,10 +53,10 @@ public final class TestServerExtension implements BeforeEachCallback, AfterEachC
   private final ImmutableList<Fixture> fixtures;
   private final JpaIntegrationTestExtension jpa =
       new JpaTestExtensions.Builder().buildIntegrationTestExtension();
-  private final UserServiceExtension userService;
   private final BlockingQueue<FutureTask<?>> jobs = new LinkedBlockingDeque<>();
   private final ImmutableMap<String, Path> runfiles;
   private final ImmutableList<Route> routes;
+  private User user;
 
   private TestServer testServer;
   private Thread serverThread;
@@ -61,13 +65,18 @@ public final class TestServerExtension implements BeforeEachCallback, AfterEachC
       ImmutableMap<String, Path> runfiles,
       ImmutableList<Route> routes,
       ImmutableList<Fixture> fixtures,
-      String email) {
+      String email,
+      @Nullable String registryLockEmail) {
     this.runfiles = runfiles;
     this.routes = routes;
     this.fixtures = fixtures;
-    // We create an GAE-Admin user, and then use AuthenticatedRegistrarAccessor.bypassAdminCheck to
-    // choose whether the user is an admin or not.
-    this.userService = new UserServiceExtension(UserInfo.createAdmin(email));
+    // We create a user, and then use setIsAdmin to override this setting if necessary
+    this.user =
+        new User.Builder()
+            .setEmailAddress(email)
+            .setRegistryLockEmailAddress(registryLockEmail)
+            .setUserRoles(new UserRoles.Builder().build())
+            .build();
   }
 
   @Override
@@ -84,7 +93,6 @@ public final class TestServerExtension implements BeforeEachCallback, AfterEachC
     } catch (UnknownHostException e) {
       throw new IllegalStateException(e);
     }
-    setIsAdmin(false);
     Server server = new Server(context);
     serverThread = new Thread(server);
     synchronized (this) {
@@ -100,10 +108,8 @@ public final class TestServerExtension implements BeforeEachCallback, AfterEachC
 
   @Override
   public void afterEach(ExtensionContext context) {
-    // Reset the global state AuthenticatedRegistrarAccessor.bypassAdminCheck
-    // to the default value, so it doesn't interfere with other tests
-    AuthenticatedRegistrarAccessor.bypassAdminCheck = false;
     serverThread.interrupt();
+    OidcTokenAuthenticationMechanism.unsetAuthResultForTesting();
     try {
       serverThread.join();
     } catch (InterruptedException e) {
@@ -115,22 +121,27 @@ public final class TestServerExtension implements BeforeEachCallback, AfterEachC
     }
   }
 
-  /**
-   * Set the current user's Admin status.
-   *
-   * <p>This is sort of a hack because we can't actually change the user itself, nor that user's GAE
-   * roles. Instead, we created a GAE-admin user in the constructor and we "bypass the admin check"
-   * if we want that user to not be an admin.
-   *
-   * <p>A better implementation would be to replace the AuthenticatedRegistrarAccessor - that way we
-   * can fully control the Roles the user has without relying on the implementation. But right now
-   * we don't have the ability to change injected values like that :/
-   */
+  /** Set the current user's admin status. */
   public void setIsAdmin(boolean isAdmin) {
-    AuthenticatedRegistrarAccessor.bypassAdminCheck = !isAdmin;
+    user =
+        user.asBuilder()
+            .setUserRoles(user.getUserRoles().asBuilder().setIsAdmin(isAdmin).build())
+            .build();
+    OidcTokenAuthenticationMechanism.setAuthResultForTesting(AuthResult.createUser(user));
   }
 
-  /** @see TestServer#getUrl(String) */
+  /** Set the current user's registrar role map. */
+  public void setRegistrarRoles(Map<String, RegistrarRole> registrarRoles) {
+    user =
+        user.asBuilder()
+            .setUserRoles(user.getUserRoles().asBuilder().setRegistrarRoles(registrarRoles).build())
+            .build();
+    OidcTokenAuthenticationMechanism.setAuthResultForTesting(AuthResult.createUser(user));
+  }
+
+  /**
+   * @see TestServer#getUrl(String)
+   */
   public URL getUrl(String path) {
     return testServer.getUrl(path);
   }
@@ -156,12 +167,10 @@ public final class TestServerExtension implements BeforeEachCallback, AfterEachC
       try {
         try {
           jpa.beforeEach(context);
-          userService.beforeEach(context);
           this.runInner();
         } catch (InterruptedException e) {
           // This is what we expect to happen.
         } finally {
-          userService.afterEach(context);
           jpa.afterEach(context);
         }
       } catch (Throwable e) {
@@ -214,6 +223,7 @@ public final class TestServerExtension implements BeforeEachCallback, AfterEachC
     private ImmutableList<Route> routes;
     private ImmutableList<Fixture> fixtures = ImmutableList.of();
     private String email;
+    @Nullable private String registryLockEmail;
 
     /** Sets the directories containing the static files for {@link TestServer}. */
     Builder setRunfiles(ImmutableMap<String, Path> runfiles) {
@@ -234,23 +244,26 @@ public final class TestServerExtension implements BeforeEachCallback, AfterEachC
       return this;
     }
 
-    /**
-     * Sets information about the logged-in user.
-     *
-     * <p>This unfortunately cannot be changed by test methods.
-     */
+    /** Sets the login email of the user. */
     public Builder setEmail(String email) {
       this.email = email;
       return this;
     }
 
+    /** Set the registry lock email of the user, if any. */
+    public Builder setRegistryLockEmail(@Nullable String email) {
+      this.registryLockEmail = email;
+      return this;
+    }
+
     /** Returns a new {@link TestServerExtension} instance. */
     public TestServerExtension build() {
       return new TestServerExtension(
           checkNotNull(this.runfiles),
           checkNotNull(this.routes),
           checkNotNull(this.fixtures),
-          checkNotNull(this.email));
+          checkNotNull(this.email),
+          this.registryLockEmail);
     }
   }
 }
diff --git a/core/src/test/resources/google/registry/module/backend/backend_routing.txt b/core/src/test/resources/google/registry/module/backend/backend_routing.txt
index 6c0344bfc..a34df814d 100644
--- a/core/src/test/resources/google/registry/module/backend/backend_routing.txt
+++ b/core/src/test/resources/google/registry/module/backend/backend_routing.txt
@@ -1,38 +1,38 @@
-PATH                                               CLASS                                          METHODS  OK AUTH_METHODS MIN USER_POLICY
-/_dr/cron/fanout                                   TldFanoutAction                                GET      y  API          APP ADMIN
-/_dr/dnsRefresh                                    RefreshDnsAction                               GET      y  API          APP ADMIN
-/_dr/task/brdaCopy                                 BrdaCopyAction                                 POST     y  API          APP ADMIN
-/_dr/task/copyDetailReports                        CopyDetailReportsAction                        POST     n  API          APP ADMIN
-/_dr/task/deleteExpiredDomains                     DeleteExpiredDomainsAction                     GET      n  API          APP ADMIN
-/_dr/task/deleteLoadTestData                       DeleteLoadTestDataAction                       POST     n  API          APP ADMIN
-/_dr/task/deleteProberData                         DeleteProberDataAction                         POST     n  API          APP ADMIN
-/_dr/task/executeCannedScript                      CannedScriptExecutionAction                    POST,GET y  API          APP ADMIN
-/_dr/task/expandBillingRecurrences                 ExpandBillingRecurrencesAction                 GET      n  API          APP ADMIN
-/_dr/task/exportDomainLists                        ExportDomainListsAction                        POST     n  API          APP ADMIN
-/_dr/task/exportPremiumTerms                       ExportPremiumTermsAction                       POST     n  API          APP ADMIN
-/_dr/task/exportReservedTerms                      ExportReservedTermsAction                      POST     n  API          APP ADMIN
-/_dr/task/generateInvoices                         GenerateInvoicesAction                         POST     n  API          APP ADMIN
-/_dr/task/generateSpec11                           GenerateSpec11ReportAction                     POST     n  API          APP ADMIN
-/_dr/task/icannReportingStaging                    IcannReportingStagingAction                    POST     n  API          APP ADMIN
-/_dr/task/icannReportingUpload                     IcannReportingUploadAction                     POST     n  API          APP ADMIN
-/_dr/task/nordnUpload                              NordnUploadAction                              POST     y  API          APP ADMIN
-/_dr/task/nordnVerify                              NordnVerifyAction                              POST     y  API          APP ADMIN
-/_dr/task/publishDnsUpdates                        PublishDnsUpdatesAction                        POST     y  API          APP ADMIN
-/_dr/task/publishInvoices                          PublishInvoicesAction                          POST     n  API          APP ADMIN
-/_dr/task/publishSpec11                            PublishSpec11ReportAction                      POST     n  API          APP ADMIN
-/_dr/task/rdeReport                                RdeReportAction                                POST     n  API          APP ADMIN
-/_dr/task/rdeStaging                               RdeStagingAction                               GET,POST n  API          APP ADMIN
-/_dr/task/rdeUpload                                RdeUploadAction                                POST     n  API          APP ADMIN
-/_dr/task/readDnsRefreshRequests                   ReadDnsRefreshRequestsAction                   POST     y  API          APP ADMIN
-/_dr/task/refreshDnsOnHostRename                   RefreshDnsOnHostRenameAction                   POST     n  API          APP ADMIN
-/_dr/task/relockDomain                             RelockDomainAction                             POST     y  API          APP ADMIN
-/_dr/task/resaveAllEppResourcesPipeline            ResaveAllEppResourcesPipelineAction            GET      n  API          APP ADMIN
-/_dr/task/resaveEntity                             ResaveEntityAction                             POST     n  API          APP ADMIN
-/_dr/task/sendExpiringCertificateNotificationEmail SendExpiringCertificateNotificationEmailAction GET      n  API          APP ADMIN
-/_dr/task/syncGroupMembers                         SyncGroupMembersAction                         POST     n  API          APP ADMIN
-/_dr/task/syncRegistrarsSheet                      SyncRegistrarsSheetAction                      POST     n  API          APP ADMIN
-/_dr/task/tmchCrl                                  TmchCrlAction                                  POST     y  API          APP ADMIN
-/_dr/task/tmchDnl                                  TmchDnlAction                                  POST     y  API          APP ADMIN
-/_dr/task/tmchSmdrl                                TmchSmdrlAction                                POST     y  API          APP ADMIN
-/_dr/task/updateRegistrarRdapBaseUrls              UpdateRegistrarRdapBaseUrlsAction              GET      y  API          APP ADMIN
-/_dr/task/wipeOutContactHistoryPii                 WipeOutContactHistoryPiiAction                 GET      n  API          APP ADMIN
+PATH                                               CLASS                                          METHODS  OK MIN USER_POLICY
+/_dr/cron/fanout                                   TldFanoutAction                                GET      y  APP ADMIN
+/_dr/dnsRefresh                                    RefreshDnsAction                               GET      y  APP ADMIN
+/_dr/task/brdaCopy                                 BrdaCopyAction                                 POST     y  APP ADMIN
+/_dr/task/copyDetailReports                        CopyDetailReportsAction                        POST     n  APP ADMIN
+/_dr/task/deleteExpiredDomains                     DeleteExpiredDomainsAction                     GET      n  APP ADMIN
+/_dr/task/deleteLoadTestData                       DeleteLoadTestDataAction                       POST     n  APP ADMIN
+/_dr/task/deleteProberData                         DeleteProberDataAction                         POST     n  APP ADMIN
+/_dr/task/executeCannedScript                      CannedScriptExecutionAction                    POST,GET y  APP ADMIN
+/_dr/task/expandBillingRecurrences                 ExpandBillingRecurrencesAction                 GET      n  APP ADMIN
+/_dr/task/exportDomainLists                        ExportDomainListsAction                        POST     n  APP ADMIN
+/_dr/task/exportPremiumTerms                       ExportPremiumTermsAction                       POST     n  APP ADMIN
+/_dr/task/exportReservedTerms                      ExportReservedTermsAction                      POST     n  APP ADMIN
+/_dr/task/generateInvoices                         GenerateInvoicesAction                         POST     n  APP ADMIN
+/_dr/task/generateSpec11                           GenerateSpec11ReportAction                     POST     n  APP ADMIN
+/_dr/task/icannReportingStaging                    IcannReportingStagingAction                    POST     n  APP ADMIN
+/_dr/task/icannReportingUpload                     IcannReportingUploadAction                     POST     n  APP ADMIN
+/_dr/task/nordnUpload                              NordnUploadAction                              POST     y  APP ADMIN
+/_dr/task/nordnVerify                              NordnVerifyAction                              POST     y  APP ADMIN
+/_dr/task/publishDnsUpdates                        PublishDnsUpdatesAction                        POST     y  APP ADMIN
+/_dr/task/publishInvoices                          PublishInvoicesAction                          POST     n  APP ADMIN
+/_dr/task/publishSpec11                            PublishSpec11ReportAction                      POST     n  APP ADMIN
+/_dr/task/rdeReport                                RdeReportAction                                POST     n  APP ADMIN
+/_dr/task/rdeStaging                               RdeStagingAction                               GET,POST n  APP ADMIN
+/_dr/task/rdeUpload                                RdeUploadAction                                POST     n  APP ADMIN
+/_dr/task/readDnsRefreshRequests                   ReadDnsRefreshRequestsAction                   POST     y  APP ADMIN
+/_dr/task/refreshDnsOnHostRename                   RefreshDnsOnHostRenameAction                   POST     n  APP ADMIN
+/_dr/task/relockDomain                             RelockDomainAction                             POST     y  APP ADMIN
+/_dr/task/resaveAllEppResourcesPipeline            ResaveAllEppResourcesPipelineAction            GET      n  APP ADMIN
+/_dr/task/resaveEntity                             ResaveEntityAction                             POST     n  APP ADMIN
+/_dr/task/sendExpiringCertificateNotificationEmail SendExpiringCertificateNotificationEmailAction GET      n  APP ADMIN
+/_dr/task/syncGroupMembers                         SyncGroupMembersAction                         POST     n  APP ADMIN
+/_dr/task/syncRegistrarsSheet                      SyncRegistrarsSheetAction                      POST     n  APP ADMIN
+/_dr/task/tmchCrl                                  TmchCrlAction                                  POST     y  APP ADMIN
+/_dr/task/tmchDnl                                  TmchDnlAction                                  POST     y  APP ADMIN
+/_dr/task/tmchSmdrl                                TmchSmdrlAction                                POST     y  APP ADMIN
+/_dr/task/updateRegistrarRdapBaseUrls              UpdateRegistrarRdapBaseUrlsAction              GET      y  APP ADMIN
+/_dr/task/wipeOutContactHistoryPii                 WipeOutContactHistoryPiiAction                 GET      n  APP ADMIN
diff --git a/core/src/test/resources/google/registry/module/bsa/bsa_routing.txt b/core/src/test/resources/google/registry/module/bsa/bsa_routing.txt
index dc52e63e9..e0242e4be 100644
--- a/core/src/test/resources/google/registry/module/bsa/bsa_routing.txt
+++ b/core/src/test/resources/google/registry/module/bsa/bsa_routing.txt
@@ -1,5 +1,5 @@
-PATH                                CLASS                             METHODS  OK AUTH_METHODS MIN USER_POLICY
-/_dr/task/bsaDownload               BsaDownloadAction                 GET,POST n  API          APP ADMIN
-/_dr/task/bsaRefresh                BsaRefreshAction                  GET,POST n  API          APP ADMIN
-/_dr/task/bsaValidate               BsaValidateAction                 GET,POST n  API          APP ADMIN
-/_dr/task/uploadBsaUnavailableNames UploadBsaUnavailableDomainsAction GET,POST n  API          APP ADMIN
+PATH                                CLASS                             METHODS  OK MIN USER_POLICY
+/_dr/task/bsaDownload               BsaDownloadAction                 GET,POST n  APP ADMIN
+/_dr/task/bsaRefresh                BsaRefreshAction                  GET,POST n  APP ADMIN
+/_dr/task/bsaValidate               BsaValidateAction                 GET,POST n  APP ADMIN
+/_dr/task/uploadBsaUnavailableNames UploadBsaUnavailableDomainsAction GET,POST n  APP ADMIN
diff --git a/core/src/test/resources/google/registry/module/frontend/frontend_routing.txt b/core/src/test/resources/google/registry/module/frontend/frontend_routing.txt
index 911d56fcf..0033f8154 100644
--- a/core/src/test/resources/google/registry/module/frontend/frontend_routing.txt
+++ b/core/src/test/resources/google/registry/module/frontend/frontend_routing.txt
@@ -1,20 +1,20 @@
-PATH                               CLASS                         METHODS  OK AUTH_METHODS MIN  USER_POLICY
-/_dr/epp                           EppTlsAction                  POST     n  API          APP  ADMIN
-/console-api/domain                ConsoleDomainGetAction        GET      n  API,LEGACY   USER PUBLIC
-/console-api/domain-list           ConsoleDomainListAction       GET      n  API,LEGACY   USER PUBLIC
-/console-api/dum-download          ConsoleDumDownloadAction      GET      n  API,LEGACY   USER PUBLIC
-/console-api/eppPassword           ConsoleEppPasswordAction      POST     n  API,LEGACY   USER PUBLIC
-/console-api/registrars            RegistrarsAction              GET,POST n  API,LEGACY   USER PUBLIC
-/console-api/registry-lock         ConsoleRegistryLockAction     GET,POST n  API,LEGACY   USER PUBLIC
-/console-api/settings/contacts     ContactAction                 GET,POST n  API,LEGACY   USER PUBLIC
-/console-api/settings/security     SecurityAction                POST     n  API,LEGACY   USER PUBLIC
-/console-api/settings/whois-fields WhoisRegistrarFieldsAction    POST     n  API,LEGACY   USER PUBLIC
-/console-api/userdata              ConsoleUserDataAction         GET      n  API,LEGACY   USER PUBLIC
-/registrar                         ConsoleUiAction               GET      n  API,LEGACY   NONE PUBLIC
-/registrar-create                  ConsoleRegistrarCreatorAction POST,GET n  API,LEGACY   NONE PUBLIC
-/registrar-ote-setup               ConsoleOteSetupAction         POST,GET n  API,LEGACY   NONE PUBLIC
-/registrar-ote-status              OteStatusAction               POST     n  API,LEGACY   USER PUBLIC
-/registrar-settings                RegistrarSettingsAction       POST     n  API,LEGACY   USER PUBLIC
-/registry-lock-get                 RegistryLockGetAction         GET      n  API,LEGACY   USER PUBLIC
-/registry-lock-post                RegistryLockPostAction        POST     n  API,LEGACY   USER PUBLIC
-/registry-lock-verify              RegistryLockVerifyAction      GET      n  API,LEGACY   NONE PUBLIC
+PATH                               CLASS                         METHODS  OK MIN  USER_POLICY
+/_dr/epp                           EppTlsAction                  POST     n  APP  ADMIN
+/console-api/domain                ConsoleDomainGetAction        GET      n  USER PUBLIC
+/console-api/domain-list           ConsoleDomainListAction       GET      n  USER PUBLIC
+/console-api/dum-download          ConsoleDumDownloadAction      GET      n  USER PUBLIC
+/console-api/eppPassword           ConsoleEppPasswordAction      POST     n  USER PUBLIC
+/console-api/registrars            RegistrarsAction              GET,POST n  USER PUBLIC
+/console-api/registry-lock         ConsoleRegistryLockAction     GET,POST n  USER PUBLIC
+/console-api/settings/contacts     ContactAction                 GET,POST n  USER PUBLIC
+/console-api/settings/security     SecurityAction                POST     n  USER PUBLIC
+/console-api/settings/whois-fields WhoisRegistrarFieldsAction    POST     n  USER PUBLIC
+/console-api/userdata              ConsoleUserDataAction         GET      n  USER PUBLIC
+/registrar                         ConsoleUiAction               GET      n  USER PUBLIC
+/registrar-create                  ConsoleRegistrarCreatorAction POST,GET n  USER PUBLIC
+/registrar-ote-setup               ConsoleOteSetupAction         POST,GET n  USER PUBLIC
+/registrar-ote-status              OteStatusAction               POST     n  USER PUBLIC
+/registrar-settings                RegistrarSettingsAction       POST     n  USER PUBLIC
+/registry-lock-get                 RegistryLockGetAction         GET      n  USER PUBLIC
+/registry-lock-post                RegistryLockPostAction        POST     n  USER PUBLIC
+/registry-lock-verify              RegistryLockVerifyAction      GET      n  USER PUBLIC
diff --git a/core/src/test/resources/google/registry/module/pubapi/pubapi_routing.txt b/core/src/test/resources/google/registry/module/pubapi/pubapi_routing.txt
index b5a3a704d..27ed23c5e 100644
--- a/core/src/test/resources/google/registry/module/pubapi/pubapi_routing.txt
+++ b/core/src/test/resources/google/registry/module/pubapi/pubapi_routing.txt
@@ -1,13 +1,13 @@
-PATH                 CLASS                      METHODS  OK AUTH_METHODS MIN  USER_POLICY
-/_dr/whois           WhoisAction                POST     n  API          APP  ADMIN
-/check               CheckApiAction             GET      n  API          NONE PUBLIC
-/rdap/autnum/(*)     RdapAutnumAction           GET,HEAD n  API          NONE PUBLIC
-/rdap/domain/(*)     RdapDomainAction           GET,HEAD n  API          NONE PUBLIC
-/rdap/domains        RdapDomainSearchAction     GET,HEAD n  API          NONE PUBLIC
-/rdap/entities       RdapEntitySearchAction     GET,HEAD n  API          NONE PUBLIC
-/rdap/entity/(*)     RdapEntityAction           GET,HEAD n  API          NONE PUBLIC
-/rdap/help(*)        RdapHelpAction             GET,HEAD n  API          NONE PUBLIC
-/rdap/ip/(*)         RdapIpAction               GET,HEAD n  API          NONE PUBLIC
-/rdap/nameserver/(*) RdapNameserverAction       GET,HEAD n  API          NONE PUBLIC
-/rdap/nameservers    RdapNameserverSearchAction GET,HEAD n  API          NONE PUBLIC
-/whois/(*)           WhoisHttpAction            GET      n  API          NONE PUBLIC
+PATH                 CLASS                      METHODS  OK MIN  USER_POLICY
+/_dr/whois           WhoisAction                POST     n  APP  ADMIN
+/check               CheckApiAction             GET      n  NONE PUBLIC
+/rdap/autnum/(*)     RdapAutnumAction           GET,HEAD n  NONE PUBLIC
+/rdap/domain/(*)     RdapDomainAction           GET,HEAD n  NONE PUBLIC
+/rdap/domains        RdapDomainSearchAction     GET,HEAD n  NONE PUBLIC
+/rdap/entities       RdapEntitySearchAction     GET,HEAD n  NONE PUBLIC
+/rdap/entity/(*)     RdapEntityAction           GET,HEAD n  NONE PUBLIC
+/rdap/help(*)        RdapHelpAction             GET,HEAD n  NONE PUBLIC
+/rdap/ip/(*)         RdapIpAction               GET,HEAD n  NONE PUBLIC
+/rdap/nameserver/(*) RdapNameserverAction       GET,HEAD n  NONE PUBLIC
+/rdap/nameservers    RdapNameserverSearchAction GET,HEAD n  NONE PUBLIC
+/whois/(*)           WhoisHttpAction            GET      n  NONE PUBLIC
diff --git a/core/src/test/resources/google/registry/module/routing.txt b/core/src/test/resources/google/registry/module/routing.txt
index f75109abd..6f08df2b3 100644
--- a/core/src/test/resources/google/registry/module/routing.txt
+++ b/core/src/test/resources/google/registry/module/routing.txt
@@ -1,86 +1,86 @@
-PATH                                               CLASS                                          METHODS  OK AUTH_METHODS MIN  USER_POLICY
-/_dr/admin/createGroups                            CreateGroupsAction                             POST     n  API          APP  ADMIN
-/_dr/admin/list/domains                            ListDomainsAction                              GET,POST n  API          APP  ADMIN
-/_dr/admin/list/hosts                              ListHostsAction                                GET,POST n  API          APP  ADMIN
-/_dr/admin/list/premiumLists                       ListPremiumListsAction                         GET,POST n  API          APP  ADMIN
-/_dr/admin/list/registrars                         ListRegistrarsAction                           GET,POST n  API          APP  ADMIN
-/_dr/admin/list/reservedLists                      ListReservedListsAction                        GET,POST n  API          APP  ADMIN
-/_dr/admin/list/tlds                               ListTldsAction                                 GET,POST n  API          APP  ADMIN
-/_dr/admin/updateUserGroup                         UpdateUserGroupAction                          POST     n  API          APP  ADMIN
-/_dr/admin/verifyOte                               VerifyOteAction                                POST     n  API          APP  ADMIN
-/_dr/cron/fanout                                   TldFanoutAction                                GET      y  API          APP  ADMIN
-/_dr/dnsRefresh                                    RefreshDnsAction                               GET      y  API          APP  ADMIN
-/_dr/epp                                           EppTlsAction                                   POST     n  API          APP  ADMIN
-/_dr/epptool                                       EppToolAction                                  POST     n  API          APP  ADMIN
-/_dr/loadtest                                      LoadTestAction                                 POST     y  API          APP  ADMIN
-/_dr/task/brdaCopy                                 BrdaCopyAction                                 POST     y  API          APP  ADMIN
-/_dr/task/bsaDownload                              BsaDownloadAction                              GET,POST n  API          APP  ADMIN
-/_dr/task/bsaRefresh                               BsaRefreshAction                               GET,POST n  API          APP  ADMIN
-/_dr/task/bsaValidate                              BsaValidateAction                              GET,POST n  API          APP  ADMIN
-/_dr/task/copyDetailReports                        CopyDetailReportsAction                        POST     n  API          APP  ADMIN
-/_dr/task/deleteExpiredDomains                     DeleteExpiredDomainsAction                     GET      n  API          APP  ADMIN
-/_dr/task/deleteLoadTestData                       DeleteLoadTestDataAction                       POST     n  API          APP  ADMIN
-/_dr/task/deleteProberData                         DeleteProberDataAction                         POST     n  API          APP  ADMIN
-/_dr/task/executeCannedScript                      CannedScriptExecutionAction                    POST,GET y  API          APP  ADMIN
-/_dr/task/expandBillingRecurrences                 ExpandBillingRecurrencesAction                 GET      n  API          APP  ADMIN
-/_dr/task/exportDomainLists                        ExportDomainListsAction                        POST     n  API          APP  ADMIN
-/_dr/task/exportPremiumTerms                       ExportPremiumTermsAction                       POST     n  API          APP  ADMIN
-/_dr/task/exportReservedTerms                      ExportReservedTermsAction                      POST     n  API          APP  ADMIN
-/_dr/task/generateInvoices                         GenerateInvoicesAction                         POST     n  API          APP  ADMIN
-/_dr/task/generateSpec11                           GenerateSpec11ReportAction                     POST     n  API          APP  ADMIN
-/_dr/task/generateZoneFiles                        GenerateZoneFilesAction                        POST     n  API          APP  ADMIN
-/_dr/task/icannReportingStaging                    IcannReportingStagingAction                    POST     n  API          APP  ADMIN
-/_dr/task/icannReportingUpload                     IcannReportingUploadAction                     POST     n  API          APP  ADMIN
-/_dr/task/nordnUpload                              NordnUploadAction                              POST     y  API          APP  ADMIN
-/_dr/task/nordnVerify                              NordnVerifyAction                              POST     y  API          APP  ADMIN
-/_dr/task/publishDnsUpdates                        PublishDnsUpdatesAction                        POST     y  API          APP  ADMIN
-/_dr/task/publishInvoices                          PublishInvoicesAction                          POST     n  API          APP  ADMIN
-/_dr/task/publishSpec11                            PublishSpec11ReportAction                      POST     n  API          APP  ADMIN
-/_dr/task/rdeReport                                RdeReportAction                                POST     n  API          APP  ADMIN
-/_dr/task/rdeStaging                               RdeStagingAction                               GET,POST n  API          APP  ADMIN
-/_dr/task/rdeUpload                                RdeUploadAction                                POST     n  API          APP  ADMIN
-/_dr/task/readDnsRefreshRequests                   ReadDnsRefreshRequestsAction                   POST     y  API          APP  ADMIN
-/_dr/task/refreshDnsForAllDomains                  RefreshDnsForAllDomainsAction                  GET      n  API          APP  ADMIN
-/_dr/task/refreshDnsOnHostRename                   RefreshDnsOnHostRenameAction                   POST     n  API          APP  ADMIN
-/_dr/task/relockDomain                             RelockDomainAction                             POST     y  API          APP  ADMIN
-/_dr/task/resaveAllEppResourcesPipeline            ResaveAllEppResourcesPipelineAction            GET      n  API          APP  ADMIN
-/_dr/task/resaveEntity                             ResaveEntityAction                             POST     n  API          APP  ADMIN
-/_dr/task/sendExpiringCertificateNotificationEmail SendExpiringCertificateNotificationEmailAction GET      n  API          APP  ADMIN
-/_dr/task/syncGroupMembers                         SyncGroupMembersAction                         POST     n  API          APP  ADMIN
-/_dr/task/syncRegistrarsSheet                      SyncRegistrarsSheetAction                      POST     n  API          APP  ADMIN
-/_dr/task/tmchCrl                                  TmchCrlAction                                  POST     y  API          APP  ADMIN
-/_dr/task/tmchDnl                                  TmchDnlAction                                  POST     y  API          APP  ADMIN
-/_dr/task/tmchSmdrl                                TmchSmdrlAction                                POST     y  API          APP  ADMIN
-/_dr/task/updateRegistrarRdapBaseUrls              UpdateRegistrarRdapBaseUrlsAction              GET      y  API          APP  ADMIN
-/_dr/task/uploadBsaUnavailableNames                UploadBsaUnavailableDomainsAction              GET,POST n  API          APP  ADMIN
-/_dr/task/wipeOutContactHistoryPii                 WipeOutContactHistoryPiiAction                 GET      n  API          APP  ADMIN
-/_dr/whois                                         WhoisAction                                    POST     n  API          APP  ADMIN
-/check                                             CheckApiAction                                 GET      n  API          NONE PUBLIC
-/console-api/domain                                ConsoleDomainGetAction                         GET      n  API,LEGACY   USER PUBLIC
-/console-api/domain-list                           ConsoleDomainListAction                        GET      n  API,LEGACY   USER PUBLIC
-/console-api/dum-download                          ConsoleDumDownloadAction                       GET      n  API,LEGACY   USER PUBLIC
-/console-api/eppPassword                           ConsoleEppPasswordAction                       POST     n  API,LEGACY   USER PUBLIC
-/console-api/registrars                            RegistrarsAction                               GET,POST n  API,LEGACY   USER PUBLIC
-/console-api/registry-lock                         ConsoleRegistryLockAction                      GET,POST n  API,LEGACY   USER PUBLIC
-/console-api/settings/contacts                     ContactAction                                  GET,POST n  API,LEGACY   USER PUBLIC
-/console-api/settings/security                     SecurityAction                                 POST     n  API,LEGACY   USER PUBLIC
-/console-api/settings/whois-fields                 WhoisRegistrarFieldsAction                     POST     n  API,LEGACY   USER PUBLIC
-/console-api/userdata                              ConsoleUserDataAction                          GET      n  API,LEGACY   USER PUBLIC
-/rdap/autnum/(*)                                   RdapAutnumAction                               GET,HEAD n  API          NONE PUBLIC
-/rdap/domain/(*)                                   RdapDomainAction                               GET,HEAD n  API          NONE PUBLIC
-/rdap/domains                                      RdapDomainSearchAction                         GET,HEAD n  API          NONE PUBLIC
-/rdap/entities                                     RdapEntitySearchAction                         GET,HEAD n  API          NONE PUBLIC
-/rdap/entity/(*)                                   RdapEntityAction                               GET,HEAD n  API          NONE PUBLIC
-/rdap/help(*)                                      RdapHelpAction                                 GET,HEAD n  API          NONE PUBLIC
-/rdap/ip/(*)                                       RdapIpAction                                   GET,HEAD n  API          NONE PUBLIC
-/rdap/nameserver/(*)                               RdapNameserverAction                           GET,HEAD n  API          NONE PUBLIC
-/rdap/nameservers                                  RdapNameserverSearchAction                     GET,HEAD n  API          NONE PUBLIC
-/registrar                                         ConsoleUiAction                                GET      n  API,LEGACY   NONE PUBLIC
-/registrar-create                                  ConsoleRegistrarCreatorAction                  POST,GET n  API,LEGACY   NONE PUBLIC
-/registrar-ote-setup                               ConsoleOteSetupAction                          POST,GET n  API,LEGACY   NONE PUBLIC
-/registrar-ote-status                              OteStatusAction                                POST     n  API,LEGACY   USER PUBLIC
-/registrar-settings                                RegistrarSettingsAction                        POST     n  API,LEGACY   USER PUBLIC
-/registry-lock-get                                 RegistryLockGetAction                          GET      n  API,LEGACY   USER PUBLIC
-/registry-lock-post                                RegistryLockPostAction                         POST     n  API,LEGACY   USER PUBLIC
-/registry-lock-verify                              RegistryLockVerifyAction                       GET      n  API,LEGACY   NONE PUBLIC
-/whois/(*)                                         WhoisHttpAction                                GET      n  API          NONE PUBLIC
+PATH                                               CLASS                                          METHODS  OK MIN  USER_POLICY
+/_dr/admin/createGroups                            CreateGroupsAction                             POST     n  APP  ADMIN
+/_dr/admin/list/domains                            ListDomainsAction                              GET,POST n  APP  ADMIN
+/_dr/admin/list/hosts                              ListHostsAction                                GET,POST n  APP  ADMIN
+/_dr/admin/list/premiumLists                       ListPremiumListsAction                         GET,POST n  APP  ADMIN
+/_dr/admin/list/registrars                         ListRegistrarsAction                           GET,POST n  APP  ADMIN
+/_dr/admin/list/reservedLists                      ListReservedListsAction                        GET,POST n  APP  ADMIN
+/_dr/admin/list/tlds                               ListTldsAction                                 GET,POST n  APP  ADMIN
+/_dr/admin/updateUserGroup                         UpdateUserGroupAction                          POST     n  APP  ADMIN
+/_dr/admin/verifyOte                               VerifyOteAction                                POST     n  APP  ADMIN
+/_dr/cron/fanout                                   TldFanoutAction                                GET      y  APP  ADMIN
+/_dr/dnsRefresh                                    RefreshDnsAction                               GET      y  APP  ADMIN
+/_dr/epp                                           EppTlsAction                                   POST     n  APP  ADMIN
+/_dr/epptool                                       EppToolAction                                  POST     n  APP  ADMIN
+/_dr/loadtest                                      LoadTestAction                                 POST     y  APP  ADMIN
+/_dr/task/brdaCopy                                 BrdaCopyAction                                 POST     y  APP  ADMIN
+/_dr/task/bsaDownload                              BsaDownloadAction                              GET,POST n  APP  ADMIN
+/_dr/task/bsaRefresh                               BsaRefreshAction                               GET,POST n  APP  ADMIN
+/_dr/task/bsaValidate                              BsaValidateAction                              GET,POST n  APP  ADMIN
+/_dr/task/copyDetailReports                        CopyDetailReportsAction                        POST     n  APP  ADMIN
+/_dr/task/deleteExpiredDomains                     DeleteExpiredDomainsAction                     GET      n  APP  ADMIN
+/_dr/task/deleteLoadTestData                       DeleteLoadTestDataAction                       POST     n  APP  ADMIN
+/_dr/task/deleteProberData                         DeleteProberDataAction                         POST     n  APP  ADMIN
+/_dr/task/executeCannedScript                      CannedScriptExecutionAction                    POST,GET y  APP  ADMIN
+/_dr/task/expandBillingRecurrences                 ExpandBillingRecurrencesAction                 GET      n  APP  ADMIN
+/_dr/task/exportDomainLists                        ExportDomainListsAction                        POST     n  APP  ADMIN
+/_dr/task/exportPremiumTerms                       ExportPremiumTermsAction                       POST     n  APP  ADMIN
+/_dr/task/exportReservedTerms                      ExportReservedTermsAction                      POST     n  APP  ADMIN
+/_dr/task/generateInvoices                         GenerateInvoicesAction                         POST     n  APP  ADMIN
+/_dr/task/generateSpec11                           GenerateSpec11ReportAction                     POST     n  APP  ADMIN
+/_dr/task/generateZoneFiles                        GenerateZoneFilesAction                        POST     n  APP  ADMIN
+/_dr/task/icannReportingStaging                    IcannReportingStagingAction                    POST     n  APP  ADMIN
+/_dr/task/icannReportingUpload                     IcannReportingUploadAction                     POST     n  APP  ADMIN
+/_dr/task/nordnUpload                              NordnUploadAction                              POST     y  APP  ADMIN
+/_dr/task/nordnVerify                              NordnVerifyAction                              POST     y  APP  ADMIN
+/_dr/task/publishDnsUpdates                        PublishDnsUpdatesAction                        POST     y  APP  ADMIN
+/_dr/task/publishInvoices                          PublishInvoicesAction                          POST     n  APP  ADMIN
+/_dr/task/publishSpec11                            PublishSpec11ReportAction                      POST     n  APP  ADMIN
+/_dr/task/rdeReport                                RdeReportAction                                POST     n  APP  ADMIN
+/_dr/task/rdeStaging                               RdeStagingAction                               GET,POST n  APP  ADMIN
+/_dr/task/rdeUpload                                RdeUploadAction                                POST     n  APP  ADMIN
+/_dr/task/readDnsRefreshRequests                   ReadDnsRefreshRequestsAction                   POST     y  APP  ADMIN
+/_dr/task/refreshDnsForAllDomains                  RefreshDnsForAllDomainsAction                  GET      n  APP  ADMIN
+/_dr/task/refreshDnsOnHostRename                   RefreshDnsOnHostRenameAction                   POST     n  APP  ADMIN
+/_dr/task/relockDomain                             RelockDomainAction                             POST     y  APP  ADMIN
+/_dr/task/resaveAllEppResourcesPipeline            ResaveAllEppResourcesPipelineAction            GET      n  APP  ADMIN
+/_dr/task/resaveEntity                             ResaveEntityAction                             POST     n  APP  ADMIN
+/_dr/task/sendExpiringCertificateNotificationEmail SendExpiringCertificateNotificationEmailAction GET      n  APP  ADMIN
+/_dr/task/syncGroupMembers                         SyncGroupMembersAction                         POST     n  APP  ADMIN
+/_dr/task/syncRegistrarsSheet                      SyncRegistrarsSheetAction                      POST     n  APP  ADMIN
+/_dr/task/tmchCrl                                  TmchCrlAction                                  POST     y  APP  ADMIN
+/_dr/task/tmchDnl                                  TmchDnlAction                                  POST     y  APP  ADMIN
+/_dr/task/tmchSmdrl                                TmchSmdrlAction                                POST     y  APP  ADMIN
+/_dr/task/updateRegistrarRdapBaseUrls              UpdateRegistrarRdapBaseUrlsAction              GET      y  APP  ADMIN
+/_dr/task/uploadBsaUnavailableNames                UploadBsaUnavailableDomainsAction              GET,POST n  APP  ADMIN
+/_dr/task/wipeOutContactHistoryPii                 WipeOutContactHistoryPiiAction                 GET      n  APP  ADMIN
+/_dr/whois                                         WhoisAction                                    POST     n  APP  ADMIN
+/check                                             CheckApiAction                                 GET      n  NONE PUBLIC
+/console-api/domain                                ConsoleDomainGetAction                         GET      n  USER PUBLIC
+/console-api/domain-list                           ConsoleDomainListAction                        GET      n  USER PUBLIC
+/console-api/dum-download                          ConsoleDumDownloadAction                       GET      n  USER PUBLIC
+/console-api/eppPassword                           ConsoleEppPasswordAction                       POST     n  USER PUBLIC
+/console-api/registrars                            RegistrarsAction                               GET,POST n  USER PUBLIC
+/console-api/registry-lock                         ConsoleRegistryLockAction                      GET,POST n  USER PUBLIC
+/console-api/settings/contacts                     ContactAction                                  GET,POST n  USER PUBLIC
+/console-api/settings/security                     SecurityAction                                 POST     n  USER PUBLIC
+/console-api/settings/whois-fields                 WhoisRegistrarFieldsAction                     POST     n  USER PUBLIC
+/console-api/userdata                              ConsoleUserDataAction                          GET      n  USER PUBLIC
+/rdap/autnum/(*)                                   RdapAutnumAction                               GET,HEAD n  NONE PUBLIC
+/rdap/domain/(*)                                   RdapDomainAction                               GET,HEAD n  NONE PUBLIC
+/rdap/domains                                      RdapDomainSearchAction                         GET,HEAD n  NONE PUBLIC
+/rdap/entities                                     RdapEntitySearchAction                         GET,HEAD n  NONE PUBLIC
+/rdap/entity/(*)                                   RdapEntityAction                               GET,HEAD n  NONE PUBLIC
+/rdap/help(*)                                      RdapHelpAction                                 GET,HEAD n  NONE PUBLIC
+/rdap/ip/(*)                                       RdapIpAction                                   GET,HEAD n  NONE PUBLIC
+/rdap/nameserver/(*)                               RdapNameserverAction                           GET,HEAD n  NONE PUBLIC
+/rdap/nameservers                                  RdapNameserverSearchAction                     GET,HEAD n  NONE PUBLIC
+/registrar                                         ConsoleUiAction                                GET      n  USER PUBLIC
+/registrar-create                                  ConsoleRegistrarCreatorAction                  POST,GET n  USER PUBLIC
+/registrar-ote-setup                               ConsoleOteSetupAction                          POST,GET n  USER PUBLIC
+/registrar-ote-status                              OteStatusAction                                POST     n  USER PUBLIC
+/registrar-settings                                RegistrarSettingsAction                        POST     n  USER PUBLIC
+/registry-lock-get                                 RegistryLockGetAction                          GET      n  USER PUBLIC
+/registry-lock-post                                RegistryLockPostAction                         POST     n  USER PUBLIC
+/registry-lock-verify                              RegistryLockVerifyAction                       GET      n  USER PUBLIC
+/whois/(*)                                         WhoisHttpAction                                GET      n  NONE PUBLIC
diff --git a/core/src/test/resources/google/registry/module/tools/tools_routing.txt b/core/src/test/resources/google/registry/module/tools/tools_routing.txt
index 5933ca190..43dde5fab 100644
--- a/core/src/test/resources/google/registry/module/tools/tools_routing.txt
+++ b/core/src/test/resources/google/registry/module/tools/tools_routing.txt
@@ -1,14 +1,14 @@
-PATH                              CLASS                         METHODS  OK AUTH_METHODS MIN USER_POLICY
-/_dr/admin/createGroups           CreateGroupsAction            POST     n  API          APP ADMIN
-/_dr/admin/list/domains           ListDomainsAction             GET,POST n  API          APP ADMIN
-/_dr/admin/list/hosts             ListHostsAction               GET,POST n  API          APP ADMIN
-/_dr/admin/list/premiumLists      ListPremiumListsAction        GET,POST n  API          APP ADMIN
-/_dr/admin/list/registrars        ListRegistrarsAction          GET,POST n  API          APP ADMIN
-/_dr/admin/list/reservedLists     ListReservedListsAction       GET,POST n  API          APP ADMIN
-/_dr/admin/list/tlds              ListTldsAction                GET,POST n  API          APP ADMIN
-/_dr/admin/updateUserGroup        UpdateUserGroupAction         POST     n  API          APP ADMIN
-/_dr/admin/verifyOte              VerifyOteAction               POST     n  API          APP ADMIN
-/_dr/epptool                      EppToolAction                 POST     n  API          APP ADMIN
-/_dr/loadtest                     LoadTestAction                POST     y  API          APP ADMIN
-/_dr/task/generateZoneFiles       GenerateZoneFilesAction       POST     n  API          APP ADMIN
-/_dr/task/refreshDnsForAllDomains RefreshDnsForAllDomainsAction GET      n  API          APP ADMIN
+PATH                              CLASS                         METHODS  OK MIN USER_POLICY
+/_dr/admin/createGroups           CreateGroupsAction            POST     n  APP ADMIN
+/_dr/admin/list/domains           ListDomainsAction             GET,POST n  APP ADMIN
+/_dr/admin/list/hosts             ListHostsAction               GET,POST n  APP ADMIN
+/_dr/admin/list/premiumLists      ListPremiumListsAction        GET,POST n  APP ADMIN
+/_dr/admin/list/registrars        ListRegistrarsAction          GET,POST n  APP ADMIN
+/_dr/admin/list/reservedLists     ListReservedListsAction       GET,POST n  APP ADMIN
+/_dr/admin/list/tlds              ListTldsAction                GET,POST n  APP ADMIN
+/_dr/admin/updateUserGroup        UpdateUserGroupAction         POST     n  APP ADMIN
+/_dr/admin/verifyOte              VerifyOteAction               POST     n  APP ADMIN
+/_dr/epptool                      EppToolAction                 POST     n  APP ADMIN
+/_dr/loadtest                     LoadTestAction                POST     y  APP ADMIN
+/_dr/task/generateZoneFiles       GenerateZoneFilesAction       POST     n  APP ADMIN
+/_dr/task/refreshDnsForAllDomains RefreshDnsForAllDomainsAction GET      n  APP ADMIN
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/OteSetupConsoleScreenshotTest_get_admin_succeeds_formEmpty.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/OteSetupConsoleScreenshotTest_get_admin_succeeds_formEmpty.png
index 15a2393a9..1d660f780 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/OteSetupConsoleScreenshotTest_get_admin_succeeds_formEmpty.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/OteSetupConsoleScreenshotTest_get_admin_succeeds_formEmpty.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/OteSetupConsoleScreenshotTest_get_admin_succeeds_formFilled.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/OteSetupConsoleScreenshotTest_get_admin_succeeds_formFilled.png
index 853b355f4..f3074f7b4 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/OteSetupConsoleScreenshotTest_get_admin_succeeds_formFilled.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/OteSetupConsoleScreenshotTest_get_admin_succeeds_formFilled.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/OteSetupConsoleScreenshotTest_get_admin_succeeds_oteResult.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/OteSetupConsoleScreenshotTest_get_admin_succeeds_oteResult.png
index bcd1c4e15..c44133322 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/OteSetupConsoleScreenshotTest_get_admin_succeeds_oteResult.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/OteSetupConsoleScreenshotTest_get_admin_succeeds_oteResult.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/OteSetupConsoleScreenshotTest_get_owner_fails_unauthorized.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/OteSetupConsoleScreenshotTest_get_owner_fails_unauthorized.png
index 60d6cfdac..c8ced9e4f 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/OteSetupConsoleScreenshotTest_get_owner_fails_unauthorized.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/OteSetupConsoleScreenshotTest_get_owner_fails_unauthorized.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_contactUs_page.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_contactUs_page.png
index 2ee6641d6..0e00629e6 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_contactUs_page.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_contactUs_page.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_getOteStatus_completed_before_click.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_getOteStatus_completed_before_click.png
index 9ef513d1e..de076d521 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_getOteStatus_completed_before_click.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_getOteStatus_completed_before_click.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_getOteStatus_completed_result.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_getOteStatus_completed_result.png
index 0c3999662..30def1a12 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_getOteStatus_completed_result.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_getOteStatus_completed_result.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_getOteStatus_noButtonWhenReal_result.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_getOteStatus_noButtonWhenReal_result.png
index 958f8792a..c599c859d 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_getOteStatus_noButtonWhenReal_result.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_getOteStatus_noButtonWhenReal_result.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_getOteStatus_notCompleted_result.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_getOteStatus_notCompleted_result.png
index c65f46b1f..ebec7a68f 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_getOteStatus_notCompleted_result.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_getOteStatus_notCompleted_result.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_indexPage_smallScrolledDown_page.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_indexPage_smallScrolledDown_page.png
index cb0449ec2..674857a59 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_indexPage_smallScrolledDown_page.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_indexPage_smallScrolledDown_page.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_index_adminAndOwner_page.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_index_adminAndOwner_page.png
index 23f8c5d79..890ec9aba 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_index_adminAndOwner_page.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_index_adminAndOwner_page.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_index_admin_page.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_index_admin_page.png
index dfbf1f419..512b5d322 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_index_admin_page.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_index_admin_page.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_index_owner_page.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_index_owner_page.png
index 6cf14c990..d6a295267 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_index_owner_page.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_index_owner_page.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_index_registrarDisabled_view.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_index_registrarDisabled_view.png
index 1daacf015..b35f89143 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_index_registrarDisabled_view.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_index_registrarDisabled_view.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLockVerify_success_page.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLockVerify_success_page.png
index 00fef9e05..b38e2b136 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLockVerify_success_page.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLockVerify_success_page.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLockVerify_unknownLock_page.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLockVerify_unknownLock_page.png
index 5b658d44a..765127351 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLockVerify_unknownLock_page.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLockVerify_unknownLock_page.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLock_empty_page.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLock_empty_page.png
index 274bcfdb3..7edb58989 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLock_empty_page.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLock_empty_page.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLock_lockModal_page.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLock_lockModal_page.png
index 4796377b4..10f0da56e 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLock_lockModal_page.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLock_lockModal_page.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLock_nonEmpty_admin_page.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLock_nonEmpty_admin_page.png
index adc80f8f5..ee40ed47b 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLock_nonEmpty_admin_page.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLock_nonEmpty_admin_page.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLock_nonEmpty_page.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLock_nonEmpty_page.png
index c5c95ffdd..2fe2f344f 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLock_nonEmpty_page.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLock_nonEmpty_page.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLock_notAllowedForUser_page.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLock_notAllowedForUser_page.png
index cb7c23669..442bfa533 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLock_notAllowedForUser_page.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLock_notAllowedForUser_page.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLock_notAllowed_page.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLock_notAllowed_page.png
index 570b4842b..e485b6a6e 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLock_notAllowed_page.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLock_notAllowed_page.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLock_unlockModal_page.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLock_unlockModal_page.png
index 3f72e1a6b..31a4b2a23 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLock_unlockModal_page.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_registryLock_unlockModal_page.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsAdmin_whenAdmin_edit.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsAdmin_whenAdmin_edit.png
index 00314a5cc..a2972d1cb 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsAdmin_whenAdmin_edit.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsAdmin_whenAdmin_edit.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsAdmin_whenAdmin_view.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsAdmin_whenAdmin_view.png
index 41ae9cc5b..7b1e1fb52 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsAdmin_whenAdmin_view.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsAdmin_whenAdmin_view.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsAdmin_whenNotAdmin_showsHome_view.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsAdmin_whenNotAdmin_showsHome_view.png
index bcff7101e..ee1f41370 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsAdmin_whenNotAdmin_showsHome_view.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsAdmin_whenNotAdmin_showsHome_view.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactAdd_page.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactAdd_page.png
index 1ce179560..81c2d4eee 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactAdd_page.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactAdd_page.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactEdit_page.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactEdit_page.png
index e86b559e7..4951fe2e4 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactEdit_page.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactEdit_page.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactEdit_setRegistryLockPassword_alreadySet_page.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactEdit_setRegistryLockPassword_alreadySet_page.png
index ecec9296c..4f626cbb9 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactEdit_setRegistryLockPassword_alreadySet_page.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactEdit_setRegistryLockPassword_alreadySet_page.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactEdit_setRegistryLockPassword_contact_view.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactEdit_setRegistryLockPassword_contact_view.png
index 01ff97062..8f26a2e40 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactEdit_setRegistryLockPassword_contact_view.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactEdit_setRegistryLockPassword_contact_view.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactEdit_setRegistryLockPassword_notAllowedForContact_page.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactEdit_setRegistryLockPassword_notAllowedForContact_page.png
index e86b559e7..4951fe2e4 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactEdit_setRegistryLockPassword_notAllowedForContact_page.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactEdit_setRegistryLockPassword_notAllowedForContact_page.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactEdit_setRegistryLockPassword_page_with_password.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactEdit_setRegistryLockPassword_page_with_password.png
index b67543c8e..0bcd1ea7b 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactEdit_setRegistryLockPassword_page_with_password.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactEdit_setRegistryLockPassword_page_with_password.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactEdit_setRegistryLockPassword_page_with_password_after_hide.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactEdit_setRegistryLockPassword_page_with_password_after_hide.png
index 3ca719603..50e03a81a 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactEdit_setRegistryLockPassword_page_with_password_after_hide.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactEdit_setRegistryLockPassword_page_with_password_after_hide.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactEdit_setRegistryLockPassword_page_with_shown_password.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactEdit_setRegistryLockPassword_page_with_shown_password.png
index 2bb8cea9f..ecac5841c 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactEdit_setRegistryLockPassword_page_with_shown_password.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactEdit_setRegistryLockPassword_page_with_shown_password.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactItem_asAdmin_page.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactItem_asAdmin_page.png
index 161473e84..f49aa2f29 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactItem_asAdmin_page.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactItem_asAdmin_page.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactItem_page.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactItem_page.png
index 1cbfd12ae..285460122 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactItem_page.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContactItem_page.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContact_asAdmin_page.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContact_asAdmin_page.png
index ae4e0cff2..a15b0d7ff 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContact_asAdmin_page.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContact_asAdmin_page.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContact_page.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContact_page.png
index 9f1d2fa18..192d05236 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContact_page.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsContact_page.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsSecurityWithCerts_edit.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsSecurityWithCerts_edit.png
index 2e7661955..24addcf01 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsSecurityWithCerts_edit.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsSecurityWithCerts_edit.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsSecurityWithCerts_view.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsSecurityWithCerts_view.png
index d569427f7..72d8fc6f4 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsSecurityWithCerts_view.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsSecurityWithCerts_view.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsSecurity_asAdmin_view.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsSecurity_asAdmin_view.png
index f265f1579..2d985851d 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsSecurity_asAdmin_view.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsSecurity_asAdmin_view.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsSecurity_edit.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsSecurity_edit.png
index 022916b29..df3264004 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsSecurity_edit.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsSecurity_edit.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsSecurity_view.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsSecurity_view.png
index 8d29aa222..6fc75d52e 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsSecurity_view.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsSecurity_view.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsWhoisEditError_page.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsWhoisEditError_page.png
index 1cbc68eb5..7623ed305 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsWhoisEditError_page.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsWhoisEditError_page.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsWhoisEdit_page.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsWhoisEdit_page.png
index 6d6348efc..61c12b1f8 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsWhoisEdit_page.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsWhoisEdit_page.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsWhois_page.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsWhois_page.png
index e76f03b54..3c72e70e9 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsWhois_page.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarConsoleScreenshotTest_settingsWhois_page.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarCreateConsoleScreenshotTest_get_admin_succeeds_createResult.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarCreateConsoleScreenshotTest_get_admin_succeeds_createResult.png
index 6e5059d39..7ca2fb3d1 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarCreateConsoleScreenshotTest_get_admin_succeeds_createResult.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarCreateConsoleScreenshotTest_get_admin_succeeds_createResult.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarCreateConsoleScreenshotTest_get_admin_succeeds_formEmpty.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarCreateConsoleScreenshotTest_get_admin_succeeds_formEmpty.png
index 5d25cde36..0319908a2 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarCreateConsoleScreenshotTest_get_admin_succeeds_formEmpty.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarCreateConsoleScreenshotTest_get_admin_succeeds_formEmpty.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarCreateConsoleScreenshotTest_get_admin_succeeds_formFilled.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarCreateConsoleScreenshotTest_get_admin_succeeds_formFilled.png
index 63c94d607..f78f8f11c 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarCreateConsoleScreenshotTest_get_admin_succeeds_formFilled.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarCreateConsoleScreenshotTest_get_admin_succeeds_formFilled.png differ
diff --git a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarCreateConsoleScreenshotTest_get_owner_fails_unauthorized.png b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarCreateConsoleScreenshotTest_get_owner_fails_unauthorized.png
index 60d6cfdac..c8ced9e4f 100644
Binary files a/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarCreateConsoleScreenshotTest_get_owner_fails_unauthorized.png and b/core/src/test/resources/google/registry/webdriver/goldens/chrome-linux/RegistrarCreateConsoleScreenshotTest_get_owner_fails_unauthorized.png differ
diff --git a/dependencies.gradle b/dependencies.gradle
index a7e22b381..f5fa95d4f 100644
--- a/dependencies.gradle
+++ b/dependencies.gradle
@@ -125,9 +125,6 @@ ext {
       'com.google.apis:google-api-services-monitoring:[v3-rev540-1.25.0,)',
       'com.google.apis:google-api-services-sheets:[v4-rev612-1.25.0,)',
       'com.google.apis:google-api-services-storage:[v1-rev20210127-1.31.0,)',
-      'com.google.appengine:appengine-api-1.0-sdk:[1.9.86,)',
-      'com.google.appengine:appengine-api-stubs:[1.9.86,)',
-      'com.google.appengine:appengine-testing:[1.9.86,)',
       'com.google.auth:google-auth-library-credentials:[0.24.1,)',
       'com.google.auth:google-auth-library-oauth2-http:[0.24.1,)',
       'com.google.auto.service:auto-service-annotations:[1.0-rc7,)',
diff --git a/jetty/gradle.lockfile b/jetty/gradle.lockfile
index 4bfd6c889..e3699e6c9 100644
--- a/jetty/gradle.lockfile
+++ b/jetty/gradle.lockfile
@@ -89,11 +89,6 @@ com.google.apis:google-api-services-pubsub:v1-rev20220904-2.0.0=deploy_jar,runti
 com.google.apis:google-api-services-sheets:v4-rev20240423-2.0.0=deploy_jar,runtimeClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-sqladmin:v1beta4-rev20240324-2.0.0=deploy_jar,runtimeClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-storage:v1-rev20240311-2.0.0=deploy_jar,runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-api-1.0-sdk:2.0.27=deploy_jar,runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-api-stubs:2.0.27=deploy_jar,runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-remote-api:2.0.27=deploy_jar,runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-testing:2.0.27=deploy_jar,runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-tools-sdk:2.0.27=deploy_jar,runtimeClasspath,testRuntimeClasspath
 com.google.auth:google-auth-library-credentials:1.23.0=deploy_jar,runtimeClasspath,testRuntimeClasspath
 com.google.auth:google-auth-library-oauth2-http:1.23.0=deploy_jar,runtimeClasspath,testRuntimeClasspath
 com.google.auto.service:auto-service-annotations:1.0.1=annotationProcessor,errorprone,testAnnotationProcessor
diff --git a/networking/gradle.lockfile b/networking/gradle.lockfile
index a33340fdd..ac504f789 100644
--- a/networking/gradle.lockfile
+++ b/networking/gradle.lockfile
@@ -20,11 +20,6 @@ com.google.api:api-common:2.31.0=deploy_jar,runtimeClasspath,testRuntimeClasspat
 com.google.api:gax-grpc:2.48.0=deploy_jar,runtimeClasspath,testRuntimeClasspath
 com.google.api:gax-httpjson:2.48.0=deploy_jar,runtimeClasspath,testRuntimeClasspath
 com.google.api:gax:2.48.0=deploy_jar,runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-api-1.0-sdk:2.0.27=deploy_jar,runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-api-stubs:2.0.27=deploy_jar,runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-remote-api:2.0.27=deploy_jar,runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-testing:2.0.27=deploy_jar,runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-tools-sdk:2.0.27=deploy_jar,runtimeClasspath,testRuntimeClasspath
 com.google.auth:google-auth-library-credentials:1.23.0=deploy_jar,runtimeClasspath,testRuntimeClasspath
 com.google.auth:google-auth-library-oauth2-http:1.23.0=deploy_jar,runtimeClasspath,testRuntimeClasspath
 com.google.auto.service:auto-service-annotations:1.0.1=annotationProcessor,errorprone,testAnnotationProcessor
diff --git a/prober/gradle.lockfile b/prober/gradle.lockfile
index 0aeefdeb6..6a440a6a7 100644
--- a/prober/gradle.lockfile
+++ b/prober/gradle.lockfile
@@ -20,11 +20,6 @@ com.google.api:api-common:2.31.0=deploy_jar,runtimeClasspath,testRuntimeClasspat
 com.google.api:gax-grpc:2.48.0=deploy_jar,runtimeClasspath,testRuntimeClasspath
 com.google.api:gax-httpjson:2.48.0=deploy_jar,runtimeClasspath,testRuntimeClasspath
 com.google.api:gax:2.48.0=deploy_jar,runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-api-1.0-sdk:2.0.27=deploy_jar,runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-api-stubs:2.0.27=deploy_jar,runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-remote-api:2.0.27=deploy_jar,runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-testing:2.0.27=deploy_jar,runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-tools-sdk:2.0.27=deploy_jar,runtimeClasspath,testRuntimeClasspath
 com.google.auth:google-auth-library-credentials:1.23.0=deploy_jar,runtimeClasspath,testRuntimeClasspath
 com.google.auth:google-auth-library-oauth2-http:1.23.0=deploy_jar,runtimeClasspath,testRuntimeClasspath
 com.google.auto.service:auto-service-annotations:1.0.1=annotationProcessor,errorprone,testAnnotationProcessor
diff --git a/proxy/gradle.lockfile b/proxy/gradle.lockfile
index c56f42b2c..a15fdf669 100644
--- a/proxy/gradle.lockfile
+++ b/proxy/gradle.lockfile
@@ -28,11 +28,6 @@ com.google.api:gax:2.48.0=compileClasspath,deploy_jar,runtimeClasspath,testCompi
 com.google.apis:google-api-services-cloudkms:v1-rev20240502-2.0.0=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-monitoring:v3-rev20240427-2.0.0=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-storage:v1-rev20240319-2.0.0=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.appengine:appengine-api-1.0-sdk:2.0.27=deploy_jar,runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-api-stubs:2.0.27=deploy_jar,runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-remote-api:2.0.27=deploy_jar,runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-testing:2.0.27=deploy_jar,runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-tools-sdk:2.0.27=deploy_jar,runtimeClasspath,testRuntimeClasspath
 com.google.auth:google-auth-library-credentials:1.23.0=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auth:google-auth-library-oauth2-http:1.23.0=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auto.service:auto-service-annotations:1.0.1=annotationProcessor,errorprone,testAnnotationProcessor
diff --git a/services/backend/gradle.lockfile b/services/backend/gradle.lockfile
index 349143b7d..6cdecb101 100644
--- a/services/backend/gradle.lockfile
+++ b/services/backend/gradle.lockfile
@@ -88,11 +88,6 @@ com.google.apis:google-api-services-pubsub:v1-rev20220904-2.0.0=compileClasspath
 com.google.apis:google-api-services-sheets:v4-rev20240423-2.0.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-sqladmin:v1beta4-rev20240324-2.0.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-storage:v1-rev20240311-2.0.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.appengine:appengine-api-1.0-sdk:2.0.27=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.appengine:appengine-api-stubs:2.0.27=runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-remote-api:2.0.27=runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-testing:2.0.27=runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-tools-sdk:2.0.27=runtimeClasspath,testRuntimeClasspath
 com.google.auth:google-auth-library-credentials:1.23.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auth:google-auth-library-oauth2-http:1.23.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auto.service:auto-service-annotations:1.1.1=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
diff --git a/services/bsa/gradle.lockfile b/services/bsa/gradle.lockfile
index 349143b7d..6cdecb101 100644
--- a/services/bsa/gradle.lockfile
+++ b/services/bsa/gradle.lockfile
@@ -88,11 +88,6 @@ com.google.apis:google-api-services-pubsub:v1-rev20220904-2.0.0=compileClasspath
 com.google.apis:google-api-services-sheets:v4-rev20240423-2.0.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-sqladmin:v1beta4-rev20240324-2.0.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-storage:v1-rev20240311-2.0.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.appengine:appengine-api-1.0-sdk:2.0.27=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.appengine:appengine-api-stubs:2.0.27=runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-remote-api:2.0.27=runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-testing:2.0.27=runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-tools-sdk:2.0.27=runtimeClasspath,testRuntimeClasspath
 com.google.auth:google-auth-library-credentials:1.23.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auth:google-auth-library-oauth2-http:1.23.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auto.service:auto-service-annotations:1.1.1=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
diff --git a/services/default/gradle.lockfile b/services/default/gradle.lockfile
index 349143b7d..6cdecb101 100644
--- a/services/default/gradle.lockfile
+++ b/services/default/gradle.lockfile
@@ -88,11 +88,6 @@ com.google.apis:google-api-services-pubsub:v1-rev20220904-2.0.0=compileClasspath
 com.google.apis:google-api-services-sheets:v4-rev20240423-2.0.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-sqladmin:v1beta4-rev20240324-2.0.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-storage:v1-rev20240311-2.0.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.appengine:appengine-api-1.0-sdk:2.0.27=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.appengine:appengine-api-stubs:2.0.27=runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-remote-api:2.0.27=runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-testing:2.0.27=runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-tools-sdk:2.0.27=runtimeClasspath,testRuntimeClasspath
 com.google.auth:google-auth-library-credentials:1.23.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auth:google-auth-library-oauth2-http:1.23.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auto.service:auto-service-annotations:1.1.1=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
diff --git a/services/pubapi/gradle.lockfile b/services/pubapi/gradle.lockfile
index 349143b7d..6cdecb101 100644
--- a/services/pubapi/gradle.lockfile
+++ b/services/pubapi/gradle.lockfile
@@ -88,11 +88,6 @@ com.google.apis:google-api-services-pubsub:v1-rev20220904-2.0.0=compileClasspath
 com.google.apis:google-api-services-sheets:v4-rev20240423-2.0.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-sqladmin:v1beta4-rev20240324-2.0.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-storage:v1-rev20240311-2.0.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.appengine:appengine-api-1.0-sdk:2.0.27=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.appengine:appengine-api-stubs:2.0.27=runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-remote-api:2.0.27=runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-testing:2.0.27=runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-tools-sdk:2.0.27=runtimeClasspath,testRuntimeClasspath
 com.google.auth:google-auth-library-credentials:1.23.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auth:google-auth-library-oauth2-http:1.23.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auto.service:auto-service-annotations:1.1.1=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
diff --git a/services/tools/gradle.lockfile b/services/tools/gradle.lockfile
index 349143b7d..6cdecb101 100644
--- a/services/tools/gradle.lockfile
+++ b/services/tools/gradle.lockfile
@@ -88,11 +88,6 @@ com.google.apis:google-api-services-pubsub:v1-rev20220904-2.0.0=compileClasspath
 com.google.apis:google-api-services-sheets:v4-rev20240423-2.0.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-sqladmin:v1beta4-rev20240324-2.0.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.apis:google-api-services-storage:v1-rev20240311-2.0.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.appengine:appengine-api-1.0-sdk:2.0.27=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.appengine:appengine-api-stubs:2.0.27=runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-remote-api:2.0.27=runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-testing:2.0.27=runtimeClasspath,testRuntimeClasspath
-com.google.appengine:appengine-tools-sdk:2.0.27=runtimeClasspath,testRuntimeClasspath
 com.google.auth:google-auth-library-credentials:1.23.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auth:google-auth-library-oauth2-http:1.23.0=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auto.service:auto-service-annotations:1.1.1=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
diff --git a/util/build.gradle b/util/build.gradle
index c0b64555e..f057c98de 100644
--- a/util/build.gradle
+++ b/util/build.gradle
@@ -17,8 +17,6 @@ dependencies {
   implementation deps['com.google.api-client:google-api-client']
   implementation deps['com.google.api.grpc:proto-google-cloud-tasks-v2']
   implementation deps['com.google.api:gax']
-  implementation deps['com.google.appengine:appengine-api-1.0-sdk']
-  implementation deps['com.google.appengine:appengine-testing']
   implementation deps['com.google.auth:google-auth-library-credentials']
   implementation deps['com.google.auth:google-auth-library-oauth2-http']
   implementation deps['com.google.auto.value:auto-value-annotations']
@@ -44,7 +42,6 @@ dependencies {
   implementation deps['org.yaml:snakeyaml']
   implementation project(':common')
   runtimeOnly deps['com.google.auto.value:auto-value']
-  testImplementation deps['com.google.appengine:appengine-api-stubs']
   testImplementation deps['com.google.guava:guava-testlib']
   testImplementation deps['com.google.truth:truth']
   testImplementation deps['junit:junit']
diff --git a/util/gradle.lockfile b/util/gradle.lockfile
index 8a3a29f49..ab3c3fd09 100644
--- a/util/gradle.lockfile
+++ b/util/gradle.lockfile
@@ -20,11 +20,6 @@ com.google.api:api-common:2.31.0=compileClasspath,deploy_jar,runtimeClasspath,te
 com.google.api:gax-grpc:2.48.0=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.api:gax-httpjson:2.48.0=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.api:gax:2.48.0=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.appengine:appengine-api-1.0-sdk:2.0.27=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.appengine:appengine-api-stubs:2.0.27=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.appengine:appengine-remote-api:2.0.27=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.appengine:appengine-testing:2.0.27=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
-com.google.appengine:appengine-tools-sdk:2.0.27=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auth:google-auth-library-credentials:1.23.0=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auth:google-auth-library-oauth2-http:1.23.0=compileClasspath,deploy_jar,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
 com.google.auto.service:auto-service-annotations:1.0.1=annotationProcessor,errorprone,testAnnotationProcessor