diff --git a/cmd/influxd/launcher/launcher.go b/cmd/influxd/launcher/launcher.go
index b582eb0b19..6164027cf4 100644
--- a/cmd/influxd/launcher/launcher.go
+++ b/cmd/influxd/launcher/launcher.go
@@ -46,6 +46,7 @@ import (
 	"github.com/influxdata/influxdb/v2/query/control"
 	"github.com/influxdata/influxdb/v2/query/fluxlang"
 	"github.com/influxdata/influxdb/v2/query/stdlib/influxdata/influxdb"
+	"github.com/influxdata/influxdb/v2/secret"
 	"github.com/influxdata/influxdb/v2/session"
 	"github.com/influxdata/influxdb/v2/snowflake"
 	"github.com/influxdata/influxdb/v2/source"
@@ -594,7 +595,6 @@ func (m *Launcher) run(ctx context.Context) (err error) {
 		orgLogSvc                 platform.OrganizationOperationLogService = m.kvService
 		scraperTargetSvc          platform.ScraperTargetStoreService       = m.kvService
 		telegrafSvc               platform.TelegrafConfigStore             = m.kvService
-		secretSvc                 platform.SecretService                   = m.kvService
 		lookupSvc                 platform.LookupService                   = m.kvService
 		notificationEndpointStore platform.NotificationEndpointService     = m.kvService
 	)
@@ -614,6 +614,14 @@ func (m *Launcher) run(ctx context.Context) (err error) {
 		passwdsSvc      platform.PasswordsService           = tenant.NewPasswordLogger(m.log.With(zap.String("store", "new")), tenant.NewPasswordMetrics(m.reg, ts, metric.WithSuffix("new")))
 	)
 
+	secretStore, err := secret.NewStore(m.kvStore)
+	if err != nil {
+		m.log.Error("Failed creating new meta store", zap.Error(err))
+		return err
+	}
+
+	var secretSvc platform.SecretService = secret.NewMetricService(m.reg, secret.NewLogger(m.log.With(zap.String("service", "secret")), secret.NewService(secretStore)))
+
 	switch m.secretStore {
 	case "bolt":
 		// If it is bolt, then we already set it above.
@@ -983,18 +991,17 @@ func (m *Launcher) run(ctx context.Context) (err error) {
 	}
 
 	// feature flagging for new labels service
-	var labelsHTTPServer *kithttp.FeatureHandler
+	var oldLabelHandler nethttp.Handler
+	var labelHandler *label.LabelHandler
 	{
 		b := m.apibackend
 		labelSvcWithOrg := authorizer.NewLabelServiceWithOrg(labelSvc, b.OrgLookupService)
-		oldHandler := http.NewLabelHandler(m.log.With(zap.String("handler", "labels")), labelSvcWithOrg, kithttp.ErrorHandler(0))
+		oldLabelHandler = http.NewLabelHandler(m.log.With(zap.String("handler", "labels")), labelSvcWithOrg, kithttp.ErrorHandler(0))
 
 		labelSvc = label.NewAuthedLabelService(labelSvc, b.OrgLookupService)
 		labelSvc = label.NewLabelLogger(m.log.With(zap.String("handler", "labels")), labelSvc)
 		labelSvc = label.NewLabelMetrics(m.reg, labelSvc)
-		newHandler := label.NewHTTPLabelHandler(m.log, labelSvc)
-
-		labelsHTTPServer = kithttp.NewFeatureHandler(feature.NewLabelPackage(), m.flagger, oldHandler, newHandler, newHandler.Prefix())
+		labelHandler = label.NewHTTPLabelHandler(m.log, labelSvc)
 	}
 
 	// feature flagging for new authorization service
@@ -1028,16 +1035,24 @@ func (m *Launcher) run(ctx context.Context) (err error) {
 		sessionHTTPServer = session.NewSessionHandler(m.log.With(zap.String("handler", "session")), sessionSvc, userSvc, passwdsSvc)
 	}
 
+	var orgHTTPServer *tenant.OrgHandler
+	{
+		secretHandler := secret.NewHandler(m.log, "id", secret.NewAuthedService(secretSvc))
+		urmHandler := tenant.NewURMHandler(m.log.With(zap.String("handler", "urm")), platform.OrgsResourceType, "id", userSvc, tenant.NewAuthedURMService(orgSvc, userResourceSvc))
+		orgHTTPServer = tenant.NewHTTPOrgHandler(m.log.With(zap.String("handler", "org")), orgSvc, urmHandler, labelHandler, secretHandler)
+	}
+
 	{
 		platformHandler := http.NewPlatformHandler(m.apibackend,
 			http.WithResourceHandler(pkgHTTPServer),
 			http.WithResourceHandler(onboardHTTPServer),
 			http.WithResourceHandler(authHTTPServer),
-			http.WithResourceHandler(labelsHTTPServer),
+			http.WithResourceHandler(kithttp.NewFeatureHandler(feature.NewLabelPackage(), m.flagger, oldLabelHandler, labelHandler, labelHandler.Prefix())),
 			http.WithResourceHandler(kithttp.NewFeatureHandler(feature.SessionService(), m.flagger, oldSessionHandler, sessionHTTPServer.SignInResourceHandler(), sessionHTTPServer.SignInResourceHandler().Prefix())),
 			http.WithResourceHandler(kithttp.NewFeatureHandler(feature.SessionService(), m.flagger, oldSessionHandler, sessionHTTPServer.SignOutResourceHandler(), sessionHTTPServer.SignOutResourceHandler().Prefix())),
 			http.WithResourceHandler(userHTTPServer.MeResourceHandler()),
 			http.WithResourceHandler(userHTTPServer.UserResourceHandler()),
+			http.WithResourceHandler(orgHTTPServer),
 		)
 
 		httpLogger := m.log.With(zap.String("service", "http"))
diff --git a/http/api_handler.go b/http/api_handler.go
index 32aea46077..f3d4f98105 100644
--- a/http/api_handler.go
+++ b/http/api_handler.go
@@ -164,11 +164,6 @@ func NewAPIHandler(b *APIBackend, opts ...APIHandlerOptFn) *APIHandler {
 		b.UserResourceMappingService, b.OrganizationService)
 	h.Mount(prefixNotificationRules, NewNotificationRuleHandler(b.Logger, notificationRuleBackend))
 
-	orgBackend := NewOrgBackend(b.Logger.With(zap.String("handler", "org")), b)
-	orgBackend.OrganizationService = authorizer.NewOrgService(b.OrganizationService)
-	orgBackend.SecretService = authorizer.NewSecretService(b.SecretService)
-	h.Mount(prefixOrganizations, NewOrgHandler(b.Logger, orgBackend))
-
 	scraperBackend := NewScraperBackend(b.Logger.With(zap.String("handler", "scraper")), b)
 	scraperBackend.ScraperStorageService = authorizer.NewScraperTargetStoreService(b.ScraperTargetStoreService,
 		b.UserResourceMappingService,
diff --git a/tenant/http_server_org.go b/tenant/http_server_org.go
index f33618766a..4ab6612232 100644
--- a/tenant/http_server_org.go
+++ b/tenant/http_server_org.go
@@ -60,7 +60,6 @@ func NewHTTPOrgHandler(log *zap.Logger, orgService influxdb.OrganizationService,
 			mountableRouter.Mount("/secrets", secretHandler)
 		})
 	})
-
 	svr.Router = r
 	return svr
 }
@@ -72,6 +71,17 @@ type orgResponse struct {
 
 func newOrgResponse(o influxdb.Organization) orgResponse {
 	return orgResponse{
+		Links: map[string]string{
+			"self":       fmt.Sprintf("/api/v2/orgs/%s", o.ID),
+			"logs":       fmt.Sprintf("/api/v2/orgs/%s/logs", o.ID),
+			"members":    fmt.Sprintf("/api/v2/orgs/%s/members", o.ID),
+			"owners":     fmt.Sprintf("/api/v2/orgs/%s/owners", o.ID),
+			"secrets":    fmt.Sprintf("/api/v2/orgs/%s/secrets", o.ID),
+			"labels":     fmt.Sprintf("/api/v2/orgs/%s/labels", o.ID),
+			"buckets":    fmt.Sprintf("/api/v2/buckets?org=%s", o.Name),
+			"tasks":      fmt.Sprintf("/api/v2/tasks?org=%s", o.Name),
+			"dashboards": fmt.Sprintf("/api/v2/dashboards?org=%s", o.Name),
+		},
 		Organization: o,
 	}
 }
@@ -83,6 +93,9 @@ type orgsResponse struct {
 
 func newOrgsResponse(orgs []*influxdb.Organization) *orgsResponse {
 	res := orgsResponse{
+		Links: map[string]string{
+			"self": "/api/v2/orgs",
+		},
 		Organizations: []orgResponse{},
 	}
 	for _, org := range orgs {