diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0c40f47b651..e1158be3ca4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,19 @@
 # Cromwell Change Log
 
+## 84 Release Notes
+
+### CromIAM enabled user checks
+
+For Cromwell instances utilizing the optional CromIAM identity and access management component, the following endpoints now verify that the calling user is enabled before forwarding the request.
+* `/api/workflows/v1/backends`
+* `/api/womtool/v1/describe`
+
+This change makes the above endpoints consistent with the existing behavior of all the other endpoints in the `/api/` path of CromIAM. 
+
+## 83 Release Notes
+
+* Changes the type of several primary key columns in call caching tables from int to bigint. The database migration may be lengthy if your database contains a large amount of call caching data.
+
 ## 82 Release Notes
 
  * Restored missing example configuration file
diff --git a/CromIAM/src/main/resources/application.conf b/CromIAM/src/main/resources/application.conf
index c809d0daafb..ff1006ab91b 100644
--- a/CromIAM/src/main/resources/application.conf
+++ b/CromIAM/src/main/resources/application.conf
@@ -24,7 +24,7 @@ swagger_oauth {
 
 akka {
   log-dead-letters = "off"
-  loggers = ["akka.event.slf4j.Slf4jLogger"]
+  loggers = ["cromwell.core.logging.EnhancedSlf4jLogger"]
 
   http {
     server {
diff --git a/CromIAM/src/main/resources/logback.xml b/CromIAM/src/main/resources/logback.xml
index 030868d3259..e9e2b753466 100644
--- a/CromIAM/src/main/resources/logback.xml
+++ b/CromIAM/src/main/resources/logback.xml
@@ -1,5 +1,15 @@
 <configuration>
 
+    <!-- Enhanced thread and date reporting. -->
+    <conversionRule
+            conversionWord="et"
+            converterClass="cromwell.core.logging.EnhancedThreadConverter"
+    />
+    <conversionRule
+            conversionWord="ed"
+            converterClass="cromwell.core.logging.EnhancedDateConverter"
+    />
+
     <!-- default properties for FILEROLLER need to be set upfront -->
 
     <if condition='property("FILEROLLER_DIR").equals("")'>
@@ -18,7 +28,7 @@
         <then>
             <appender name="STANDARD_APPENDER" class="ch.qos.logback.core.ConsoleAppender">
                 <encoder>
-                    <pattern>%date %X{sourceThread} %-5level - %msg%n</pattern>
+                    <pattern>%ed{yyyy-MM-dd HH:mm:ss,SSS} %et %-5level - %msg%n</pattern>
                 </encoder>
             </appender>
         </then>
@@ -68,7 +78,7 @@
 
                 </rollingPolicy>
                 <encoder>
-                    <pattern>%d{yyyy-MM-dd HH:mm:ss,SSS} [%thread] %-5level %logger{35} - %msg%n</pattern>
+                    <pattern>%ed{yyyy-MM-dd HH:mm:ss,SSS} [%et] %-5level %logger{35} - %msg%n</pattern>
                 </encoder>
             </appender>
         </then>
diff --git a/CromIAM/src/main/scala/cromiam/instrumentation/CromIamInstrumentation.scala b/CromIAM/src/main/scala/cromiam/instrumentation/CromIamInstrumentation.scala
index 63f48073146..65b164f00f6 100644
--- a/CromIAM/src/main/scala/cromiam/instrumentation/CromIamInstrumentation.scala
+++ b/CromIAM/src/main/scala/cromiam/instrumentation/CromIamInstrumentation.scala
@@ -20,6 +20,7 @@ trait CromIamInstrumentation extends CromwellInstrumentation {
 
   val samPrefix: NonEmptyList[String] = NonEmptyList.one("sam")
   val getWhitelistPrefix = NonEmptyList.one("get-whitelist")
+  val getUserEnabledPrefix = NonEmptyList.one("get-user-enabled")
   val userCollectionPrefix = NonEmptyList.one("user-collection")
   val authCollectionPrefix = NonEmptyList.one("auth-collection")
   val registerCollectionPrefix = NonEmptyList.one("register-collection")
diff --git a/CromIAM/src/main/scala/cromiam/sam/SamClient.scala b/CromIAM/src/main/scala/cromiam/sam/SamClient.scala
index f289251a2fb..d6a315f8241 100644
--- a/CromIAM/src/main/scala/cromiam/sam/SamClient.scala
+++ b/CromIAM/src/main/scala/cromiam/sam/SamClient.scala
@@ -18,6 +18,7 @@ import cromiam.sam.SamResourceJsonSupport._
 import cromiam.server.status.StatusCheckedSubsystem
 import cromwell.api.model._
 import mouse.boolean._
+import spray.json.RootJsonFormat
 
 import scala.concurrent.ExecutionContextExecutor
 
@@ -73,6 +74,33 @@ class SamClient(scheme: String,
     } yield whitelisted
   }
 
+  def isUserEnabledSam(user: User, cromIamRequest: HttpRequest): FailureResponseOrT[Boolean] = {
+    val request = HttpRequest(
+      method = HttpMethods.GET,
+      uri = samUserStatusUri,
+      headers = List[HttpHeader](user.authorization)
+    )
+
+    for {
+      response <- instrumentRequest(
+        () => Http().singleRequest(request).asFailureResponseOrT,
+        cromIamRequest,
+        instrumentationPrefixForSam(getUserEnabledPrefix)
+      )
+      userEnabled <- response.status match {
+        case StatusCodes.OK =>
+          val unmarshal: IO[UserStatusInfo] = IO.fromFuture(IO(Unmarshal(response.entity).to[UserStatusInfo]))
+          FailureResponseOrT.right[HttpResponse](unmarshal).map { userInfo =>
+            if (!userInfo.enabled) log.info("Access denied for user {}", user.userId)
+            userInfo.enabled
+          }
+        case _ =>
+          log.error("Could not verify access with Sam for user {}, error was {} {}", user.userId, response.status, response.toString().take(100))
+          FailureResponseOrT.pure[IO, HttpResponse](false)
+      }
+    } yield userEnabled
+  }
+
   def collectionsForUser(user: User, cromIamRequest: HttpRequest): FailureResponseOrT[List[Collection]] = {
     val request = HttpRequest(method = HttpMethods.GET, uri = samBaseCollectionUri, headers = List[HttpHeader](user.authorization))
 
@@ -170,6 +198,7 @@ class SamClient(scheme: String,
   private lazy val samBaseResourceUri = s"$samBaseUri/api/resource"
   private lazy val samBaseCollectionUri = s"$samBaseResourceUri/workflow-collection"
   private lazy val samSubmitWhitelistUri = s"$samBaseResourceUri/caas/submit/action/get_whitelist"
+  private lazy val samUserStatusUri = s"$samBaseUri/register/user/v2/self/info"
 
 }
 
@@ -188,4 +217,8 @@ object SamClient {
 
   def SamRegisterCollectionExceptionResp(statusCode: StatusCode) = HttpResponse(status = statusCode, entity = SamRegisterCollectionException(statusCode).getMessage)
 
+  case class UserStatusInfo(adminEnabled: Boolean, enabled: Boolean, userEmail: String, userSubjectId: String)
+
+  implicit val UserStatusInfoFormat: RootJsonFormat[UserStatusInfo] = jsonFormat4(UserStatusInfo)
+
 }
diff --git a/CromIAM/src/main/scala/cromiam/webservice/CromIamApiService.scala b/CromIAM/src/main/scala/cromiam/webservice/CromIamApiService.scala
index 63694599476..7a16e5ea797 100644
--- a/CromIAM/src/main/scala/cromiam/webservice/CromIamApiService.scala
+++ b/CromIAM/src/main/scala/cromiam/webservice/CromIamApiService.scala
@@ -81,7 +81,7 @@ trait CromIamApiService extends RequestSupport
 
   def abortRoute: Route = path("api" / "workflows" / Segment / Segment / Abort) { (_, workflowId) =>
     post {
-      extractUserAndRequest { (user, req) =>
+      extractUserAndStrictRequest { (user, req) =>
         logUserWorkflowAction(user, workflowId, Abort)
         complete {
           authorizeAbortThenForwardToCromwell(user, workflowId, req).asHttpResponse
@@ -93,7 +93,7 @@ trait CromIamApiService extends RequestSupport
   //noinspection MutatorLikeMethodIsParameterless
   def releaseHoldRoute: Route =  path("api" / "workflows" / Segment / Segment / ReleaseHold) { (_, workflowId) =>
     post {
-      extractUserAndRequest { (user, req) =>
+      extractUserAndStrictRequest { (user, req) =>
         logUserWorkflowAction(user, workflowId, ReleaseHold)
         complete {
           authorizeUpdateThenForwardToCromwell(user, workflowId, req).asHttpResponse
@@ -112,7 +112,7 @@ trait CromIamApiService extends RequestSupport
   def labelPatchRoute: Route = {
     path("api" / "workflows" / Segment / Segment / Labels) { (_, workflowId) =>
       patch {
-        extractUserAndRequest { (user, req) =>
+        extractUserAndStrictRequest { (user, req) =>
           entity(as[String]) { labels =>
             logUserWorkflowAction(user, workflowId, Labels)
             validateLabels(Option(labels)) { _ => // Not using the labels, just using this to verify they didn't specify labels we don't want them to
@@ -130,7 +130,7 @@ trait CromIamApiService extends RequestSupport
 
   def callCacheDiffRoute: Route = path("api" / "workflows" / Segment / "callcaching" / "diff") { _ =>
     get {
-      extractUserAndRequest { (user, req) =>
+      extractUserAndStrictRequest { (user, req) =>
         logUserAction(user, "call caching diff")
         parameterSeq { parameters =>
           val paramMap = parameters.toMap
@@ -150,11 +150,9 @@ trait CromIamApiService extends RequestSupport
     */
   private def workflowGetRoute(urlSuffix: String): Route = path("api" / "workflows" / Segment / urlSuffix) { _ =>
     get {
-      extractUserAndRequest { (user, req) =>
+      extractUserAndStrictRequest { (user, req) =>
         logUserAction(user, urlSuffix)
-        complete {
-          cromwellClient.forwardToCromwell(req).asHttpResponse
-        }
+        forwardIfUserEnabled(user, req, cromwellClient, samClient)
       }
     }
   }
@@ -166,7 +164,7 @@ trait CromIamApiService extends RequestSupport
 
   private def workflowRoute(urlSuffix: String, method: Directive0): Route = path("api" / "workflows" / Segment / Segment / urlSuffix) { (_, workflowId) =>
     method {
-      extractUserAndRequest { (user, req) =>
+      extractUserAndStrictRequest { (user, req) =>
         logUserWorkflowAction(user, workflowId, urlSuffix)
         complete {
           authorizeReadThenForwardToCromwell(user, List(workflowId), req).asHttpResponse
diff --git a/CromIAM/src/main/scala/cromiam/webservice/QuerySupport.scala b/CromIAM/src/main/scala/cromiam/webservice/QuerySupport.scala
index cddabe74a57..e9397605c6a 100644
--- a/CromIAM/src/main/scala/cromiam/webservice/QuerySupport.scala
+++ b/CromIAM/src/main/scala/cromiam/webservice/QuerySupport.scala
@@ -55,7 +55,7 @@ trait QuerySupport extends RequestSupport {
     * directive
     */
   private def preprocessQuery: Directive[(User, List[Collection], HttpRequest)] = {
-    extractUserAndRequest tflatMap { case (user, cromIamRequest) =>
+    extractUserAndStrictRequest tflatMap { case (user, cromIamRequest) =>
       log.info("Received query " + cromIamRequest.method.value + " request for user " + user.userId)
 
       onComplete(samClient.collectionsForUser(user, cromIamRequest).value.unsafeToFuture()) flatMap {
diff --git a/CromIAM/src/main/scala/cromiam/webservice/RequestSupport.scala b/CromIAM/src/main/scala/cromiam/webservice/RequestSupport.scala
index 12b231485f7..c9b6a196368 100644
--- a/CromIAM/src/main/scala/cromiam/webservice/RequestSupport.scala
+++ b/CromIAM/src/main/scala/cromiam/webservice/RequestSupport.scala
@@ -6,6 +6,13 @@ import akka.http.scaladsl.server.Directives._
 import akka.http.scaladsl.server._
 import cromiam.auth.User
 import org.broadinstitute.dsde.workbench.model.WorkbenchUserId
+import akka.http.scaladsl.model.HttpResponse
+import akka.http.scaladsl.server.Directives.{authorize, complete, onComplete}
+import akka.http.scaladsl.server.Route
+import cromiam.cromwell.CromwellClient
+import cromiam.sam.SamClient
+
+import scala.util.{Failure, Success}
 
 trait RequestSupport {
   def extractStrictRequest: Directive1[HttpRequest] = {
@@ -26,10 +33,27 @@ trait RequestSupport {
     }
   }
 
-  def extractUserAndRequest: Directive[(User, HttpRequest)] = {
+  def extractUserAndStrictRequest: Directive[(User, HttpRequest)] = {
     for {
       user <- extractUser
       request <- extractStrictRequest
     } yield (user, request)
   }
+
+  def forwardIfUserEnabled(user: User, req: HttpRequest, cromwellClient: CromwellClient, samClient: SamClient): Route = {
+    import cromwell.api.model.EnhancedFailureResponseOrHttpResponseT
+
+    onComplete(samClient.isUserEnabledSam(user, req).value.unsafeToFuture()) {
+      case Success(Left(httpResponse: HttpResponse)) => complete(httpResponse)
+      case Success(Right(isEnabled: Boolean)) =>
+        authorize(isEnabled) {
+          complete {
+            cromwellClient.forwardToCromwell(req).asHttpResponse
+          }
+        }
+      case Failure(e) =>
+        val message = s"Unable to look up enablement status for user ${user.userId}: ${e.getMessage}. Please try again later."
+        throw new RuntimeException(message, e)
+    }
+  }
 }
diff --git a/CromIAM/src/main/scala/cromiam/webservice/SubmissionSupport.scala b/CromIAM/src/main/scala/cromiam/webservice/SubmissionSupport.scala
index c1f5477475b..52a05d1cdc7 100644
--- a/CromIAM/src/main/scala/cromiam/webservice/SubmissionSupport.scala
+++ b/CromIAM/src/main/scala/cromiam/webservice/SubmissionSupport.scala
@@ -31,7 +31,7 @@ trait SubmissionSupport extends RequestSupport {
   // FIXME - getting pathPrefix to shrink this keeps hosing up, there's gotta be some way to do this
   def submitRoute: Route = (path("api" / "workflows" / Segment) | path("api" / "workflows" / Segment / "batch")) { _ =>
     post {
-      extractUserAndRequest { (user, request) =>
+      extractUserAndStrictRequest { (user, request) =>
         log.info("Received submission request from user " + user.userId)
         onComplete(samClient.isSubmitWhitelisted(user, request).value.unsafeToFuture()) {
           case Success(Left(httpResponse)) => complete(httpResponse)
diff --git a/CromIAM/src/main/scala/cromiam/webservice/WomtoolRouteSupport.scala b/CromIAM/src/main/scala/cromiam/webservice/WomtoolRouteSupport.scala
index 671d4a76543..a6098b1fae0 100644
--- a/CromIAM/src/main/scala/cromiam/webservice/WomtoolRouteSupport.scala
+++ b/CromIAM/src/main/scala/cromiam/webservice/WomtoolRouteSupport.scala
@@ -2,20 +2,18 @@ package cromiam.webservice
 
 import akka.http.scaladsl.server.Directives._
 import cromiam.cromwell.CromwellClient
-import cromwell.api.model._
+import cromiam.sam.SamClient
 
 trait WomtoolRouteSupport extends RequestSupport {
   // When this trait is mixed into `CromIamApiService` the value of `cromwellClient` is the reader (non-abort) address
   val cromwellClient: CromwellClient
+  val samClient: SamClient
 
   val womtoolRoutes =
     path("api" / "womtool" / Segment / "describe") { _ =>
       post {
-        extractStrictRequest { req =>
-          complete {
-            // This endpoint requires authn which it gets for free from the proxy, does not care about authz
-            cromwellClient.forwardToCromwell(req).asHttpResponse
-          }
+        extractUserAndStrictRequest { (user, req) =>
+          forwardIfUserEnabled(user, req, cromwellClient, samClient)
         }
       }
     }
diff --git a/CromIAM/src/test/scala/cromiam/webservice/CromIamApiServiceSpec.scala b/CromIAM/src/test/scala/cromiam/webservice/CromIamApiServiceSpec.scala
index 5ad6a976204..89945c5bfcb 100644
--- a/CromIAM/src/test/scala/cromiam/webservice/CromIamApiServiceSpec.scala
+++ b/CromIAM/src/test/scala/cromiam/webservice/CromIamApiServiceSpec.scala
@@ -4,7 +4,8 @@ import akka.event.NoLogging
 import akka.http.scaladsl.model.StatusCodes._
 import akka.http.scaladsl.model.headers.{Authorization, OAuth2BearerToken, RawHeader}
 import akka.http.scaladsl.model.{ContentTypes, HttpEntity, HttpHeader}
-import akka.http.scaladsl.server.MissingHeaderRejection
+import akka.http.scaladsl.server.Route.seal
+import akka.http.scaladsl.server.{AuthorizationFailedRejection, MissingHeaderRejection}
 import akka.http.scaladsl.testkit.ScalatestRouteTest
 import com.typesafe.config.Config
 import common.assertion.CromwellTimeoutSpec
@@ -303,12 +304,45 @@ class CromIamApiServiceSpec extends AnyFlatSpec with CromwellTimeoutSpec with Ma
     }
   }
 
-  it should "reject request if it doesn't contain OIDC_CLAIM_user_id in header" in {
+  it should "reject request if it doesn't contain OIDC_CLAIM_user_id or token" in {
     Get(s"/api/workflows/$version/backends") ~> allRoutes ~> check {
       rejection shouldEqual MissingHeaderRejection("OIDC_CLAIM_user_id")
     }
   }
 
+  it should "return 403 when we request with a disabled user" in {
+    Get(
+      s"/api/workflows/$version/backends"
+    ).withHeaders(
+      List(Authorization(OAuth2BearerToken("my-token")), RawHeader("OIDC_CLAIM_user_id", "disabled@example.com"))
+    ) ~> allRoutes ~> check {
+      rejection shouldEqual AuthorizationFailedRejection
+    }
+  }
+
+  it should "reject request if it contains a token and no OIDC_CLAIM_user_id in header" in {
+    Get(
+      s"/api/workflows/$version/backends"
+    ).withHeaders(
+      List(Authorization(OAuth2BearerToken("my-token")))
+    ) ~> allRoutes ~> check {
+      rejection shouldEqual MissingHeaderRejection("OIDC_CLAIM_user_id")
+    }
+  }
+
+  it should "return 404 when no auth token provided" in {
+    Get(
+      s"/api/workflows/$version/backends"
+    ).withHeaders(
+      List(RawHeader("OIDC_CLAIM_user_id", "enabled@example.com"))
+      // "[An] explicit call on the Route.seal method is needed in test code, but in your application code it is not necessary."
+      // https://doc.akka.io/docs/akka-http/current/routing-dsl/testkit.html#testing-sealed-routes
+      // https://doc.akka.io/docs/akka-http/current/routing-dsl/routes.html#sealing-a-route
+    ) ~> seal(allRoutes) ~> check {
+      responseAs[String] shouldEqual "The requested resource could not be found."
+      status shouldBe NotFound
+    }
+  }
 
   behavior of "ReleaseHold endpoint"
   it should "return 200 for authorized user who has collection associated with root workflow" in {
diff --git a/CromIAM/src/test/scala/cromiam/webservice/MockClients.scala b/CromIAM/src/test/scala/cromiam/webservice/MockClients.scala
index 3fb9689e5cc..59e75347159 100644
--- a/CromIAM/src/test/scala/cromiam/webservice/MockClients.scala
+++ b/CromIAM/src/test/scala/cromiam/webservice/MockClients.scala
@@ -141,6 +141,15 @@ class MockSamClient(checkSubmitWhitelist: Boolean = true)
     FailureResponseOrT.pure(!user.userId.value.equalsIgnoreCase(NotWhitelistedUser))
   }
 
+  override def isUserEnabledSam(user: User, cromIamRequest: HttpRequest): FailureResponseOrT[Boolean] = {
+    if (user.userId.value == "enabled@example.com" || user.userId.value == MockSamClient.AuthorizedUserCollectionStr)
+      FailureResponseOrT.pure(true)
+    else if (user.userId.value == "disabled@example.com")
+      FailureResponseOrT.pure(false)
+    else
+      throw new Exception("Misconfigured test")
+  }
+
   override def requestAuth(authorizationRequest: CollectionAuthorizationRequest,
                            cromIamRequest: HttpRequest): FailureResponseOrT[Unit] = {
     authorizationRequest.user.userId.value match {
diff --git a/CromIAM/src/test/scala/cromiam/webservice/WomtoolRouteSupportSpec.scala b/CromIAM/src/test/scala/cromiam/webservice/WomtoolRouteSupportSpec.scala
index 7ba1c495f23..785c887c374 100644
--- a/CromIAM/src/test/scala/cromiam/webservice/WomtoolRouteSupportSpec.scala
+++ b/CromIAM/src/test/scala/cromiam/webservice/WomtoolRouteSupportSpec.scala
@@ -2,6 +2,9 @@ package cromiam.webservice
 
 import akka.http.scaladsl.model.ContentTypes
 import akka.http.scaladsl.model.StatusCodes._
+import akka.http.scaladsl.model.headers.{Authorization, OAuth2BearerToken, RawHeader}
+import akka.http.scaladsl.server.Route.seal
+import akka.http.scaladsl.server.{AuthorizationFailedRejection, MissingHeaderRejection}
 import akka.http.scaladsl.testkit.ScalatestRouteTest
 import common.assertion.CromwellTimeoutSpec
 import org.scalatest.flatspec.AnyFlatSpec
@@ -11,15 +14,64 @@ import org.scalatest.matchers.should.Matchers
 class WomtoolRouteSupportSpec extends AnyFlatSpec with CromwellTimeoutSpec with Matchers with WomtoolRouteSupport with ScalatestRouteTest {
 
   override lazy val cromwellClient = new MockCromwellClient()
+  override lazy val samClient = new MockSamClient()
 
   behavior of "Womtool endpoint routes"
 
   it should "return 200 when we request to the right path" in {
-    Post(s"/api/womtool/v1/describe") ~> womtoolRoutes ~> check {
+    Post(
+      s"/api/womtool/v1/describe"
+    ).withHeaders(
+      List(Authorization(OAuth2BearerToken("my-token")), RawHeader("OIDC_CLAIM_user_id", "enabled@example.com"))
+    ) ~> womtoolRoutes ~> check {
       status shouldBe OK
       responseAs[String] shouldBe "Hey there, workflow describer"
       contentType should be(ContentTypes.`text/plain(UTF-8)`)
     }
   }
 
+  it should "return 403 when we request with a disabled user" in {
+    Post(
+      s"/api/womtool/v1/describe"
+    ).withHeaders(
+      List(Authorization(OAuth2BearerToken("my-token")), RawHeader("OIDC_CLAIM_user_id", "disabled@example.com"))
+    ) ~> womtoolRoutes ~> check {
+      rejection shouldEqual AuthorizationFailedRejection
+    }
+  }
+
+  it should "bail out with no user ID" in {
+    Post(
+      s"/api/womtool/v1/describe"
+    ).withHeaders(
+      List(Authorization(OAuth2BearerToken("my-token")))
+    ) ~> womtoolRoutes ~> check {
+      rejection shouldEqual MissingHeaderRejection("OIDC_CLAIM_user_id")
+    }
+  }
+
+  it should "return 404 when no auth token provided" in {
+    Post(
+      s"/api/womtool/v1/describe"
+    ).withHeaders(
+      List(RawHeader("OIDC_CLAIM_user_id", "enabled@example.com"))
+      // "[An] explicit call on the Route.seal method is needed in test code, but in your application code it is not necessary."
+      // https://doc.akka.io/docs/akka-http/current/routing-dsl/testkit.html#testing-sealed-routes
+      // https://doc.akka.io/docs/akka-http/current/routing-dsl/routes.html#sealing-a-route
+    ) ~> seal(womtoolRoutes) ~> check {
+      responseAs[String] shouldEqual "The requested resource could not be found."
+      status shouldBe NotFound
+    }
+  }
+
+  it should "bail out with no headers" in {
+    Post(
+      s"/api/womtool/v1/describe"
+    ).withHeaders(
+      List.empty
+    ) ~> womtoolRoutes ~> check {
+      rejection shouldEqual MissingHeaderRejection("OIDC_CLAIM_user_id")
+    }
+  }
+
 }
diff --git a/core/src/main/scala/cromwell/core/logging/EnhancedDateConverter.scala b/core/src/main/scala/cromwell/core/logging/EnhancedDateConverter.scala
new file mode 100644
index 00000000000..dcf62bc0b28
--- /dev/null
+++ b/core/src/main/scala/cromwell/core/logging/EnhancedDateConverter.scala
@@ -0,0 +1,70 @@
+package cromwell.core.logging
+
+import ch.qos.logback.classic.pattern.DateConverter
+import ch.qos.logback.classic.spi.ILoggingEvent
+import ch.qos.logback.core.CoreConstants
+import ch.qos.logback.core.util.CachingDateFormatter
+
+import java.util.TimeZone
+import scala.jdk.CollectionConverters._
+
+/**
+  * Log the Akka akkaTimestamp if found in the MDC, otherwise log the original event timestamp.
+  *
+  *   - https://doc.akka.io/docs/akka/current/logging.html#more-accurate-timestamps-for-log-output-in-mdc
+  *   - https://logback.qos.ch/manual/layouts.html#customConversionSpecifier
+  *
+  * NOTE: For proper configuration both this EnhancedDateConverter should be configured into the logback.xml AND the
+  * configuration file should set akka.loggers = ["cromwell.core.logging.EnhancedSlf4jLogger"].
+  */
+class EnhancedDateConverter extends DateConverter {
+  protected var cachingDateFormatterProtected: CachingDateFormatter = _
+
+  /* Duplicated from ch.qos.logback.classic.pattern.DateConverter as cachingDateFormatter is package private. */
+  override def start(): Unit = {
+    cachingDateFormatterProtected = Option(getFirstOption) match {
+      case Some(CoreConstants.ISO8601_STR) | None => new CachingDateFormatter(CoreConstants.ISO8601_PATTERN)
+      case Some(datePattern) =>
+        try {
+          new CachingDateFormatter(datePattern)
+        } catch {
+          case e: IllegalArgumentException =>
+            addWarn("Could not instantiate SimpleDateFormat with pattern " + datePattern, e)
+            // default to the ISO8601 format
+            new CachingDateFormatter(CoreConstants.ISO8601_PATTERN)
+        }
+    }
+    // if the option list contains a TZ option, then set it.
+    Option(getOptionList)
+      .toList
+      .flatMap(_.asScala)
+      .drop(1)
+      .headOption
+      .map(TimeZone.getTimeZone)
+      .foreach(cachingDateFormatterProtected.setTimeZone)
+
+    // Allow the parent class to start/initialize its private members.
+    super.start()
+  }
+
+  /**
+    * Look for the Akka timestamp and use that to format the date.
+    *
+    * Until this (currently 6+ year) issue is resolved, formatting the date as a Long requires using the
+    * [[EnhancedSlf4jLogger]] versus Akka's basic Slf4jLogger.
+    *
+    *   - https://github.com/akka/akka/issues/18079#issuecomment-125175884
+    */
+  override def convert(event: ILoggingEvent): String = {
+    val mdc = event.getMDCPropertyMap
+    if (mdc.containsKey("akkaTimestamp")) {
+      val timestamp = mdc.get("akkaTimestamp")
+      timestamp.toLongOption match {
+        case Some(value) => cachingDateFormatterProtected.format(value)
+        case None => timestamp // Return the original timestamp string.
+      }
+    } else {
+      super.convert(event)
+    }
+  }
+}
diff --git a/core/src/main/scala/cromwell/core/logging/EnhancedSlf4jLogger.scala b/core/src/main/scala/cromwell/core/logging/EnhancedSlf4jLogger.scala
new file mode 100644
index 00000000000..0999ec18055
--- /dev/null
+++ b/core/src/main/scala/cromwell/core/logging/EnhancedSlf4jLogger.scala
@@ -0,0 +1,16 @@
+package cromwell.core.logging
+
+import akka.event.slf4j.Slf4jLogger
+
+class EnhancedSlf4jLogger extends Slf4jLogger {
+  /**
+    * Format the timestamp as a simple long. Allows the akkaTimestamp to be retrieved later from the MDC by custom
+    * converters.
+    *
+    * NOTE: Should not be necessary once this issue is resolved: 
+    *   - https://github.com/akka/akka/issues/18079#issuecomment-125175884
+    *
+    * @see [[EnhancedDateConverter.convert()]]
+    */
+  override protected def formatTimestamp(timestamp: Long): String = String.valueOf(timestamp)
+}
diff --git a/core/src/main/scala/cromwell/core/logging/EnhancedThreadConverter.scala b/core/src/main/scala/cromwell/core/logging/EnhancedThreadConverter.scala
new file mode 100644
index 00000000000..73f5876597b
--- /dev/null
+++ b/core/src/main/scala/cromwell/core/logging/EnhancedThreadConverter.scala
@@ -0,0 +1,21 @@
+package cromwell.core.logging
+
+import ch.qos.logback.classic.pattern.ThreadConverter
+import ch.qos.logback.classic.spi.ILoggingEvent
+
+/**
+  * Log the Akka sourceThread if found, otherwise log the event thread.
+  * 
+  *   - https://doc.akka.io/docs/akka/current/logging.html#logging-thread-akka-source-and-actor-system-in-mdc
+  *   - https://logback.qos.ch/manual/layouts.html#customConversionSpecifier
+  */
+class EnhancedThreadConverter extends ThreadConverter {
+  override def convert(event: ILoggingEvent): String = {
+    val mdc = event.getMDCPropertyMap
+    if (mdc.containsKey("sourceThread")) {
+      mdc.get("sourceThread")
+    } else {
+      super.convert(event)
+    }
+  }
+}
diff --git a/core/src/main/scala/cromwell/core/logging/JavaLoggingBridge.scala b/core/src/main/scala/cromwell/core/logging/JavaLoggingBridge.scala
new file mode 100644
index 00000000000..1dc10fab46d
--- /dev/null
+++ b/core/src/main/scala/cromwell/core/logging/JavaLoggingBridge.scala
@@ -0,0 +1,39 @@
+package cromwell.core.logging
+
+import ch.qos.logback.classic.LoggerContext
+import ch.qos.logback.classic.jul.LevelChangePropagator
+import org.slf4j.LoggerFactory
+import org.slf4j.bridge.SLF4JBridgeHandler
+
+import scala.jdk.CollectionConverters._
+
+object JavaLoggingBridge {
+  /**
+    * Replace java.util.logging with SLF4J while ensuring Logback is configured with a LevelChangePropogator.
+    *
+    * One likely won't need to do this but just in case: note that any libraries using JUL running BEFORE this
+    * initialization which require increasing or decreasing verbosity must be configured via JUL not Logback.
+    *
+    * See also:
+    *   - https://www.slf4j.org/api/org/slf4j/bridge/SLF4JBridgeHandler.html
+    *   - https://docs.oracle.com/en/java/javase/11/docs/api/java.logging/java/util/logging/LogManager.html
+    */
+  def init(): Unit = {
+    // Retrieve the Logback context, and as a side effect initialize Logback.
+    val ctx = LoggerFactory.getILoggerFactory.asInstanceOf[LoggerContext]
+
+    // Ensure that Logback has a LevelChangePropagator, either here or via a logback.xml.
+    val listeners = ctx.getCopyOfListenerList.asScala
+    if (!listeners.exists(_.isInstanceOf[LevelChangePropagator])) {
+      val propagator = new LevelChangePropagator()
+      propagator.setContext(ctx)
+      propagator.start()
+    }
+
+    // Remove all the JUL logging handlers.
+    SLF4JBridgeHandler.removeHandlersForRootLogger()
+
+    // Send all JUL logging to SLF4J.
+    SLF4JBridgeHandler.install()
+  }
+}
diff --git a/database/migration/src/main/scala/cromwell/database/migration/liquibase/LiquibaseUtils.scala b/database/migration/src/main/scala/cromwell/database/migration/liquibase/LiquibaseUtils.scala
index 20a77f58c02..e4823b8b0ac 100644
--- a/database/migration/src/main/scala/cromwell/database/migration/liquibase/LiquibaseUtils.scala
+++ b/database/migration/src/main/scala/cromwell/database/migration/liquibase/LiquibaseUtils.scala
@@ -1,7 +1,5 @@
 package cromwell.database.migration.liquibase
 
-import java.sql.Connection
-
 import liquibase.changelog.{ChangeLogParameters, ChangeSet, DatabaseChangeLog}
 import liquibase.database.jvm.{HsqlConnection, JdbcConnection}
 import liquibase.database.{Database, DatabaseConnection, DatabaseFactory, ObjectQuotingStrategy}
@@ -10,12 +8,21 @@ import liquibase.diff.{DiffGeneratorFactory, DiffResult}
 import liquibase.parser.ChangeLogParserFactory
 import liquibase.resource.ClassLoaderResourceAccessor
 import liquibase.snapshot.{DatabaseSnapshot, SnapshotControl, SnapshotGeneratorFactory}
-import liquibase.{Contexts, LabelExpression, Liquibase}
+import liquibase.ui.LoggerUIService
+import liquibase.{Contexts, LabelExpression, Liquibase, Scope}
 import org.hsqldb.persist.HsqlDatabaseProperties
 
+import java.sql.Connection
 import scala.jdk.CollectionConverters._
 
 object LiquibaseUtils {
+
+  /*
+  Move liquibase calls to System.out.println to a logger.
+  Workaround for issue: https://github.com/liquibase/liquibase/issues/1741#issuecomment-853742652
+   */
+  Scope.enter(Map(Scope.Attr.ui.name -> new LoggerUIService().asInstanceOf[AnyRef]).asJava)
+
   // Paranoia: Create our own mutex. https://stackoverflow.com/questions/442564/avoid-synchronizedthis-in-java
   private val mutex = new Object
   private val DefaultContexts = new Contexts()
diff --git a/docs/api/RESTAPI.md b/docs/api/RESTAPI.md
index b15072f6407..f1713bc831a 100644
--- a/docs/api/RESTAPI.md
+++ b/docs/api/RESTAPI.md
@@ -1,5 +1,5 @@
 <!--
-This file was generated by `sbt generateRestApiDocs` on Thu, 9 Jun 2022 13:29:46 -0400
+This file was generated by `sbt generateRestApiDocs` on Thu, 4 Aug 2022 13:39:32 -0400
 
 !!! DO NOT CHANGE THIS FILE DIRECTLY !!!
 
@@ -32,6 +32,63 @@ Describes the REST API provided by a Cromwell server
 
 
 
+<a name="runworkflow"></a>
+## Run workflow
+```
+POST /api/ga4gh/wes/v1/runs
+```
+
+
+#### Description
+This endpoint creates a new workflow run and returns a `RunId` to monitor its progress.
+
+The `workflow_attachment` array may be used to upload files that are required to execute the workflow, including the primary workflow, tools imported by the workflow, other files referenced by the workflow, or files which are part of the input.  The implementation should stage these files to a temporary directory and execute the workflow from there. These parts must have a Content-Disposition header with a "filename" provided for each part.  Filenames may include subdirectories, but must not include references to parent directories with '..' -- implementations should guard against maliciously constructed filenames.
+
+The `workflow_url` is either an absolute URL to a workflow file that is accessible by the WES endpoint, or a relative URL corresponding to one of the files attached using `workflow_attachment`.
+
+The `workflow_params` JSON object specifies input parameters, such as input files.  The exact format of the JSON object depends on the conventions of the workflow language being used.  Input files should either be absolute URLs, or relative URLs corresponding to files uploaded using `workflow_attachment`.  The WES endpoint must understand and be able to access URLs supplied in the input.  This is implementation specific.
+
+The `workflow_type` is the type of workflow language and must be "CWL" or "WDL" currently (or another alternative  supported by this WES instance).
+
+The `workflow_type_version` is the version of the workflow language submitted and must be one supported by this WES instance.
+
+See the `RunRequest` documentation for details about other fields.
+
+
+#### Parameters
+
+|Type|Name|Schema|
+|---|---|---|
+|**FormData**|**tags**  <br>*optional*|string|
+|**FormData**|**workflow_attachment**  <br>*optional*|< file (binary) > array|
+|**FormData**|**workflow_engine_parameters**  <br>*optional*|string|
+|**FormData**|**workflow_params**  <br>*optional*|string|
+|**FormData**|**workflow_type**  <br>*optional*|string|
+|**FormData**|**workflow_type_version**  <br>*optional*|string|
+|**FormData**|**workflow_url**  <br>*optional*|string|
+
+
+#### Responses
+
+|HTTP Code|Description|Schema|
+|---|---|---|
+|**201**|Successful Request|[RunId](#runid)|
+|**400**|Malformed Workflow ID|No Content|
+|**401**|Invalid submission request|No Content|
+|**403**|Workflow in terminal status|No Content|
+|**500**|Internal Error|No Content|
+
+
+#### Consumes
+
+* `multipart/form-data`
+
+
+#### Tags
+
+* GA4GH Workflow Execution Service (WES) - Alpha preview
+
+
 <a name="listruns"></a>
 ## List runs
 ```
@@ -1267,7 +1324,8 @@ Result for an individual workflow returned by a workflow query
 |---|---|---|
 |**end**  <br>*optional*|Workflow end datetime|string (date-time)|
 |**id**  <br>*required*|Workflow ID|string|
-|**name**  <br>*required*|Workflow name|string|
+|**metadataArchiveStatus**  <br>*optional*|Status in metadata archives|string|
+|**name**  <br>*optional*|Workflow name|string|
 |**start**  <br>*optional*|Workflow start datetime|string (date-time)|
 |**status**  <br>*required*|Workflow status|string|
 |**submission**  <br>*optional*|Workflow submission datetime|string (date-time)|
diff --git a/engine/src/main/resources/swagger/cromwell.yaml b/engine/src/main/resources/swagger/cromwell.yaml
index 69fe3df4a71..e992f4c5e15 100644
--- a/engine/src/main/resources/swagger/cromwell.yaml
+++ b/engine/src/main/resources/swagger/cromwell.yaml
@@ -753,6 +753,110 @@ paths:
         '500':
           description: An unexpected error occurred.
           $ref: '#/responses/ServerError'
+    post:
+      tags:
+        - GA4GH Workflow Execution Service (WES) - Alpha preview
+      summary: Run workflow
+      description: >-
+        This endpoint creates a new workflow run and returns a `RunId` to
+        monitor its progress.
+        
+        
+        The `workflow_attachment` array may be used to upload files that are
+        required to execute the workflow, including the primary workflow, tools
+        imported by the workflow, other files referenced by the workflow, or
+        files which are part of the input.  The implementation should stage
+        these files to a temporary directory and execute the workflow from
+        there. These parts must have a Content-Disposition header with a
+        "filename" provided for each part.  Filenames may include
+        subdirectories, but must not include references to parent directories
+        with '..' -- implementations should guard against maliciously
+        constructed filenames.
+        
+        
+        The `workflow_url` is either an absolute URL to a workflow file that is
+        accessible by the WES endpoint, or a relative URL corresponding to one
+        of the files attached using `workflow_attachment`.
+        
+        
+        The `workflow_params` JSON object specifies input parameters, such as
+        input files.  The exact format of the JSON object depends on the
+        conventions of the workflow language being used.  Input files should
+        either be absolute URLs, or relative URLs corresponding to files
+        uploaded using `workflow_attachment`.  The WES endpoint must understand
+        and be able to access URLs supplied in the input.  This is
+        implementation specific.
+        
+        
+        The `workflow_type` is the type of workflow language and must be "CWL"
+        or "WDL" currently (or another alternative  supported by this WES
+        instance).
+        
+        
+        The `workflow_type_version` is the version of the workflow language
+        submitted and must be one supported by this WES instance.
+        
+        
+        See the `RunRequest` documentation for details about other fields.
+      operationId: RunWorkflow
+      consumes:
+        - multipart/form-data
+      parameters:
+        - name: workflow_params
+          description: ""
+          required: false
+          type: string
+          in: formData
+        - name: workflow_type
+          description: ""
+          required: false
+          type: string
+          in: formData
+        - name: workflow_type_version
+          description: ""
+          required: false
+          type: string
+          in: formData
+        - name: tags
+          description: ''
+          required: false
+          type: string
+          in: formData
+        - name: workflow_engine_parameters
+          description: ''
+          required: false
+          type: string
+          in: formData
+        - name: workflow_url
+          description: ''
+          required: false
+          type: string
+          in: formData
+        - name: workflow_attachment
+          description: ''
+          required: false
+          type: array
+          items:
+            type: file
+            format: binary
+          in: formData
+      responses:
+        '201':
+          description: Successful Request
+          schema:
+            $ref: '#/definitions/RunId'
+        '400':
+          description: The request is malformed.
+          $ref: '#/responses/BadRequest'
+        '401':
+          description: The request is unauthorized.
+          $ref: '#/responses/InvalidSubmission'
+        '403':
+          description: The requester is not authorized to perform this action.
+          $ref: '#/responses/Forbidden'
+        '500':
+          description: An unexpected error occurred.
+          $ref: '#/responses/ServerError'
   '/api/ga4gh/wes/v1/runs/{run_id}':
     get:
       tags:
@@ -1374,7 +1478,6 @@ definitions:
     description: Result for an individual workflow returned by a workflow query
     required:
       - id
-      - name
       - status
     properties:
       id:
@@ -1390,6 +1493,9 @@ definitions:
         type: string
         format: date-time
         description: Workflow submission datetime
+      metadataArchiveStatus:
+        type: string
+        description: Status in metadata archives
       start:
         type: string
         format: date-time
diff --git a/engine/src/main/scala/cromwell/server/CromwellServer.scala b/engine/src/main/scala/cromwell/server/CromwellServer.scala
index b5705b91dae..76f784875fc 100644
--- a/engine/src/main/scala/cromwell/server/CromwellServer.scala
+++ b/engine/src/main/scala/cromwell/server/CromwellServer.scala
@@ -11,7 +11,6 @@ import cromwell.services.instrumentation.CromwellInstrumentationActor
 import cromwell.webservice.SwaggerService
 import cromwell.webservice.routes.CromwellApiService
 import cromwell.webservice.routes.wes.WesRouteSupport
-import cromwell.webservice.routes.wes.WesRunRoutes
 
 import scala.concurrent.Future
 import scala.util.{Failure, Success}
@@ -37,7 +36,6 @@ class CromwellServerActor(cromwellSystem: CromwellSystem, gracefulShutdown: Bool
     with CromwellApiService
     with CromwellInstrumentationActor
     with WesRouteSupport
-    with WesRunRoutes
     with SwaggerService
     with ActorLogging {
   implicit val actorSystem = context.system
@@ -53,7 +51,7 @@ class CromwellServerActor(cromwellSystem: CromwellSystem, gracefulShutdown: Bool
     * cromwell.yaml is broken unless the swagger index.html is patched. Copy/paste the code from rawls or cromiam if
     * actual cromwell+swagger+oauth+/api support is needed.
     */
-  val apiRoutes: Route = pathPrefix("api")(concat(workflowRoutes, womtoolRoutes, wesRoutes, runRoutes))
+  val apiRoutes: Route = pathPrefix("api")(concat(workflowRoutes, womtoolRoutes, wesRoutes))
   val nonApiRoutes: Route = concat(engineRoutes, swaggerUiResourceRoute)
   val allRoutes: Route = concat(apiRoutes, nonApiRoutes)
 
diff --git a/engine/src/main/scala/cromwell/webservice/routes/CromwellApiService.scala b/engine/src/main/scala/cromwell/webservice/routes/CromwellApiService.scala
index 9b23ec62311..a1c4f023135 100644
--- a/engine/src/main/scala/cromwell/webservice/routes/CromwellApiService.scala
+++ b/engine/src/main/scala/cromwell/webservice/routes/CromwellApiService.scala
@@ -81,81 +81,81 @@ trait CromwellApiService extends HttpInstrumentation with MetadataRouteSupport w
     path("workflows" / Segment / "backends") { _ =>
       get { instrumentRequest { complete(ToResponseMarshallable(backendResponse)) } }
     } ~
-    path("workflows" / Segment / "callcaching" / "diff") { _ =>
-      parameterSeq { parameters =>
-        get {
-          instrumentRequest {
-            CallCacheDiffQueryParameter.fromParameters(parameters) match {
-              case Valid(queryParameter) =>
-                val diffActor = actorRefFactory.actorOf(CallCacheDiffActor.props(serviceRegistryActor), "CallCacheDiffActor-" + UUID.randomUUID())
-                onComplete(diffActor.ask(queryParameter).mapTo[CallCacheDiffActorResponse]) {
-                  case Success(r: SuccessfulCallCacheDiffResponse) => complete(r)
-                  case Success(r: FailedCallCacheDiffResponse) => r.reason.errorRequest(StatusCodes.InternalServerError)
-                  case Failure(_: AskTimeoutException) if CromwellShutdown.shutdownInProgress() => serviceShuttingDownResponse
-                  case Failure(e: CachedCallNotFoundException) => e.errorRequest(StatusCodes.NotFound)
-                  case Failure(e: TimeoutException) => e.failRequest(StatusCodes.ServiceUnavailable)
-                  case Failure(e) => e.errorRequest(StatusCodes.InternalServerError)
-                }
-              case Invalid(errors) =>
-                val e = AggregatedMessageException("Wrong parameters for call cache diff query", errors.toList)
-                e.errorRequest(StatusCodes.BadRequest)
+      path("workflows" / Segment / "callcaching" / "diff") { _ =>
+        parameterSeq { parameters =>
+          get {
+            instrumentRequest {
+              CallCacheDiffQueryParameter.fromParameters(parameters) match {
+                case Valid(queryParameter) =>
+                  val diffActor = actorRefFactory.actorOf(CallCacheDiffActor.props(serviceRegistryActor), "CallCacheDiffActor-" + UUID.randomUUID())
+                  onComplete(diffActor.ask(queryParameter).mapTo[CallCacheDiffActorResponse]) {
+                    case Success(r: SuccessfulCallCacheDiffResponse) => complete(r)
+                    case Success(r: FailedCallCacheDiffResponse) => r.reason.errorRequest(StatusCodes.InternalServerError)
+                    case Failure(_: AskTimeoutException) if CromwellShutdown.shutdownInProgress() => serviceShuttingDownResponse
+                    case Failure(e: CachedCallNotFoundException) => e.errorRequest(StatusCodes.NotFound)
+                    case Failure(e: TimeoutException) => e.failRequest(StatusCodes.ServiceUnavailable)
+                    case Failure(e) => e.errorRequest(StatusCodes.InternalServerError)
+                  }
+                case Invalid(errors) =>
+                  val e = AggregatedMessageException("Wrong parameters for call cache diff query", errors.toList)
+                  e.errorRequest(StatusCodes.BadRequest)
+              }
             }
           }
         }
-      }
-    } ~
-    path("workflows" / Segment / Segment / "timing") { (_, possibleWorkflowId) =>
-      instrumentRequest {
-        onComplete(validateWorkflowIdInMetadata(possibleWorkflowId, serviceRegistryActor)) {
-          case Success(workflowId) => completeTimingRouteResponse(metadataLookupForTimingRoute(workflowId))
-          case Failure(e: UnrecognizedWorkflowException) => e.failRequest(StatusCodes.NotFound)
-          case Failure(e: InvalidWorkflowException) => e.failRequest(StatusCodes.BadRequest)
-          case Failure(e) => e.failRequest(StatusCodes.InternalServerError)
-        }
-      }
-    } ~
-    path("workflows" / Segment / Segment / "abort") { (_, possibleWorkflowId) =>
-      post {
+      } ~
+      path("workflows" / Segment / Segment / "timing") { (_, possibleWorkflowId) =>
         instrumentRequest {
-          abortWorkflow(possibleWorkflowId, workflowStoreActor, workflowManagerActor)
+          onComplete(validateWorkflowIdInMetadata(possibleWorkflowId, serviceRegistryActor)) {
+            case Success(workflowId) => completeTimingRouteResponse(metadataLookupForTimingRoute(workflowId))
+            case Failure(e: UnrecognizedWorkflowException) => e.failRequest(StatusCodes.NotFound)
+            case Failure(e: InvalidWorkflowException) => e.failRequest(StatusCodes.BadRequest)
+            case Failure(e) => e.failRequest(StatusCodes.InternalServerError)
+          }
         }
-      }
-    } ~
-  path("workflows" / Segment) { _ =>
-      post {
-        instrumentRequest {
-          entity(as[Multipart.FormData]) { formData =>
-            submitRequest(formData, isSingleSubmission = true)
+      } ~
+      path("workflows" / Segment / Segment / "abort") { (_, possibleWorkflowId) =>
+        post {
+          instrumentRequest {
+            abortWorkflow(possibleWorkflowId, workflowStoreActor, workflowManagerActor)
           }
         }
-      }
-    } ~
-  path("workflows" / Segment / "batch") { _ =>
-    post {
-      instrumentRequest {
-        entity(as[Multipart.FormData]) { formData =>
-          submitRequest(formData, isSingleSubmission = false)
+      } ~
+      path("workflows" / Segment) { _ =>
+        post {
+          instrumentRequest {
+            entity(as[Multipart.FormData]) { formData =>
+              submitRequest(formData, isSingleSubmission = true)
+            }
+          }
         }
-      }
-    }
-  } ~
-  path("workflows" / Segment / Segment / "releaseHold") { (_, possibleWorkflowId) =>
-    post {
-      instrumentRequest {
-        val response = validateWorkflowIdInMetadata(possibleWorkflowId, serviceRegistryActor) flatMap { workflowId =>
-          workflowStoreActor.ask(WorkflowStoreActor.WorkflowOnHoldToSubmittedCommand(workflowId)).mapTo[WorkflowStoreEngineActor.WorkflowOnHoldToSubmittedResponse]
+      } ~
+      path("workflows" / Segment / "batch") { _ =>
+        post {
+          instrumentRequest {
+            entity(as[Multipart.FormData]) { formData =>
+              submitRequest(formData, isSingleSubmission = false)
+            }
+          }
         }
-        onComplete(response){
-          case Success(WorkflowStoreEngineActor.WorkflowOnHoldToSubmittedFailure(_, e: NotInOnHoldStateException)) => e.errorRequest(StatusCodes.Forbidden)
-          case Success(WorkflowStoreEngineActor.WorkflowOnHoldToSubmittedFailure(_, e)) => e.errorRequest(StatusCodes.InternalServerError)
-          case Success(r: WorkflowStoreEngineActor.WorkflowOnHoldToSubmittedSuccess) => completeResponse(StatusCodes.OK, toResponse(r.workflowId, WorkflowSubmitted), Seq.empty)
-          case Failure(e: UnrecognizedWorkflowException) => e.failRequest(StatusCodes.NotFound)
-          case Failure(e: InvalidWorkflowException) => e.failRequest(StatusCodes.BadRequest)
-          case Failure(e) => e.errorRequest(StatusCodes.InternalServerError)
+      } ~
+      path("workflows" / Segment / Segment / "releaseHold") { (_, possibleWorkflowId) =>
+        post {
+          instrumentRequest {
+            val response = validateWorkflowIdInMetadata(possibleWorkflowId, serviceRegistryActor) flatMap { workflowId =>
+              workflowStoreActor.ask(WorkflowStoreActor.WorkflowOnHoldToSubmittedCommand(workflowId)).mapTo[WorkflowStoreEngineActor.WorkflowOnHoldToSubmittedResponse]
+            }
+            onComplete(response){
+              case Success(WorkflowStoreEngineActor.WorkflowOnHoldToSubmittedFailure(_, e: NotInOnHoldStateException)) => e.errorRequest(StatusCodes.Forbidden)
+              case Success(WorkflowStoreEngineActor.WorkflowOnHoldToSubmittedFailure(_, e)) => e.errorRequest(StatusCodes.InternalServerError)
+              case Success(r: WorkflowStoreEngineActor.WorkflowOnHoldToSubmittedSuccess) => completeResponse(StatusCodes.OK, toResponse(r.workflowId, WorkflowSubmitted), Seq.empty)
+              case Failure(e: UnrecognizedWorkflowException) => e.failRequest(StatusCodes.NotFound)
+              case Failure(e: InvalidWorkflowException) => e.failRequest(StatusCodes.BadRequest)
+              case Failure(e) => e.errorRequest(StatusCodes.InternalServerError)
+            }
+          }
         }
-      }
-    }
-  } ~ metadataRoutes
+      } ~ metadataRoutes
 
 
   private def metadataLookupForTimingRoute(workflowId: WorkflowId): Future[MetadataJsonResponse] = {
diff --git a/engine/src/main/scala/cromwell/webservice/routes/wes/WesRouteSupport.scala b/engine/src/main/scala/cromwell/webservice/routes/wes/WesRouteSupport.scala
index e4969702460..ba6546fb3e3 100644
--- a/engine/src/main/scala/cromwell/webservice/routes/wes/WesRouteSupport.scala
+++ b/engine/src/main/scala/cromwell/webservice/routes/wes/WesRouteSupport.scala
@@ -1,34 +1,47 @@
 package cromwell.webservice.routes.wes
 
 import akka.actor.ActorRef
+import akka.http.scaladsl.model.{Multipart, StatusCode, StatusCodes}
 import akka.http.scaladsl.server.Directives._
-import akka.http.scaladsl.server.Route
+import akka.http.scaladsl.server.directives.RouteDirectives.complete
+import akka.http.scaladsl.server.{Directive1, Route}
 import akka.pattern.{AskTimeoutException, ask}
+import akka.stream.ActorMaterializer
 import akka.util.Timeout
-import cromwell.engine.instrumentation.HttpInstrumentation
-import cromwell.services.metadata.MetadataService.{GetStatus, MetadataServiceResponse, StatusLookupFailed}
-import cromwell.webservice.routes.CromwellApiService.{UnrecognizedWorkflowException, validateWorkflowIdInMetadata}
-import cromwell.webservice.WebServiceUtils.EnhancedThrowable
-
-import scala.concurrent.ExecutionContext
-import scala.util.{Failure, Success}
-import WesResponseJsonSupport._
-import akka.http.scaladsl.model.{StatusCode, StatusCodes}
-import akka.http.scaladsl.server.directives.RouteDirectives.complete
-import WesRouteSupport._
+import cats.data.NonEmptyList
+import com.typesafe.config.ConfigFactory
 import cromwell.core.abort.SuccessfulAbortResponse
+import cromwell.core.{WorkflowId, WorkflowOnHold, WorkflowState, WorkflowSubmitted}
+import cromwell.engine.instrumentation.HttpInstrumentation
 import cromwell.engine.workflow.WorkflowManagerActor.WorkflowNotFoundException
+import cromwell.engine.workflow.workflowstore.{WorkflowStoreActor, WorkflowStoreSubmitActor}
 import cromwell.server.CromwellShutdown
-import cromwell.services.SuccessfulMetadataJsonResponse
+import cromwell.services.metadata.MetadataService.{BuildMetadataJsonAction, GetSingleWorkflowMetadataAction, GetStatus, MetadataServiceResponse, StatusLookupFailed}
+import cromwell.services.{FailedMetadataJsonResponse, SuccessfulMetadataJsonResponse}
+import cromwell.webservice.PartialWorkflowSources
+import cromwell.webservice.WebServiceUtils.{EnhancedThrowable, completeResponse, materializeFormData}
 import cromwell.webservice.routes.CromwellApiService
+import cromwell.webservice.routes.CromwellApiService.{UnrecognizedWorkflowException, validateWorkflowIdInMetadata}
+import cromwell.webservice.routes.MetadataRouteSupport.{metadataBuilderActorRequest, metadataQueryRequest}
+import cromwell.webservice.routes.wes.WesResponseJsonSupport._
+import cromwell.webservice.routes.wes.WesRouteSupport.{respondWithWesError, _}
+import net.ceedubs.ficus.Ficus._
+
+import scala.concurrent.duration.FiniteDuration
+import scala.concurrent.{ExecutionContext, Future, TimeoutException}
+import scala.util.{Failure, Success}
+
+
 
 trait WesRouteSupport extends HttpInstrumentation {
+
   val serviceRegistryActor: ActorRef
   val workflowManagerActor: ActorRef
   val workflowStoreActor: ActorRef
 
   implicit val ec: ExecutionContext
   implicit val timeout: Timeout
+  implicit val materializer: ActorMaterializer
 
   /*
     Defines routes intended to sit alongside the primary Cromwell REST endpoints. For instance, we'll now have:
@@ -49,44 +62,125 @@ trait WesRouteSupport extends HttpInstrumentation {
         pathPrefix("ga4gh" / "wes" / "v1") {
           concat(
             path("service-info") {
-              complete(ServiceInfo.toWesResponse(workflowStoreActor))
+              get {
+                complete(ServiceInfo.toWesResponse(workflowStoreActor))
+              }
             },
-            pathPrefix("runs") {
-              concat(
-                path(Segment / "status") { possibleWorkflowId =>
-                  val response = validateWorkflowIdInMetadata(possibleWorkflowId, serviceRegistryActor).flatMap(w => serviceRegistryActor.ask(GetStatus(w)).mapTo[MetadataServiceResponse])
-                  // WES can also return a 401 or a 403 but that requires user auth knowledge which Cromwell doesn't currently have
-                  onComplete(response) {
-                    case Success(SuccessfulMetadataJsonResponse(_, jsObject)) =>
-                      val wesState = WesState.fromCromwellStatusJson(jsObject)
-                      complete(WesRunStatus(possibleWorkflowId, wesState))
-                    case Success(r: StatusLookupFailed) => r.reason.errorRequest(StatusCodes.InternalServerError)
-                    case Success(m: MetadataServiceResponse) =>
-                      // This should never happen, but ....
-                      val error = new IllegalStateException("Unexpected response from Metadata service: " + m)
-                      error.errorRequest(StatusCodes.InternalServerError)
-                    case Failure(_: UnrecognizedWorkflowException) => complete(NotFoundError)
-                    case Failure(e) => complete(WesErrorResponse(e.getMessage, StatusCodes.InternalServerError.intValue))
-                  }
-                },
-                path(Segment / "cancel") { possibleWorkflowId =>
-                  post {
-                    CromwellApiService.abortWorkflow(possibleWorkflowId,
-                      workflowStoreActor,
-                      workflowManagerActor,
-                      successHandler = WesAbortSuccessHandler,
-                      errorHandler = WesAbortErrorHandler)
+            path("runs") {
+              get {
+                parameters(("page_size".as[Int].?, "page_token".?)) { (pageSize, pageToken) =>
+                  completeCromwellResponse(listRuns(pageSize, pageToken, serviceRegistryActor))
+                }
+              } ~
+                post {
+                  extractSubmission() { submission =>
+                    wesSubmitRequest(submission.entity,
+                      isSingleSubmission = true)
                   }
                 }
-              )
+            },
+            path("runs" / Segment) { workflowId =>
+              get {
+                // this is what it was like in code found in the project… it perhaps isn’t ideal but doesn’t seem to hurt, so leaving it like this for now.
+                completeCromwellResponse(runLog(workflowId, (w: WorkflowId) => GetSingleWorkflowMetadataAction(w, None, None, expandSubWorkflows = false), serviceRegistryActor))
+              }
+            },
+            path("runs" / Segment / "status") { possibleWorkflowId =>
+              val response = validateWorkflowIdInMetadata(possibleWorkflowId, serviceRegistryActor).flatMap(w => serviceRegistryActor.ask(GetStatus(w)).mapTo[MetadataServiceResponse])
+              // WES can also return a 401 or a 403 but that requires user auth knowledge which Cromwell doesn't currently have
+              onComplete(response) {
+                case Success(SuccessfulMetadataJsonResponse(_, jsObject)) =>
+                  val wesState = WesState.fromCromwellStatusJson(jsObject)
+                  complete(WesRunStatus(possibleWorkflowId, wesState))
+                case Success(r: StatusLookupFailed) => r.reason.errorRequest(StatusCodes.InternalServerError)
+                case Success(m: MetadataServiceResponse) =>
+                  // This should never happen, but ....
+                  val error = new IllegalStateException("Unexpected response from Metadata service: " + m)
+                  error.errorRequest(StatusCodes.InternalServerError)
+                case Failure(_: UnrecognizedWorkflowException) => complete(NotFoundError)
+                case Failure(e) => complete(WesErrorResponse(e.getMessage, StatusCodes.InternalServerError.intValue))
+              }
+            },
+            path("runs" / Segment / "cancel") { possibleWorkflowId =>
+              post {
+                CromwellApiService.abortWorkflow(possibleWorkflowId,
+                  workflowStoreActor,
+                  workflowManagerActor,
+                  successHandler = WesAbortSuccessHandler,
+                  errorHandler = WesAbortErrorHandler)
+              }
             }
           )
         }
       )
     }
+
+  def toWesResponse(workflowId: WorkflowId, workflowState: WorkflowState):  WesRunStatus = {
+    WesRunStatus(workflowId.toString, WesState.fromCromwellStatus(workflowState))
+  }
+
+  def toWesResponseId(workflowId: WorkflowId): WesRunId ={
+    WesRunId(workflowId.toString)
+  }
+
+  def wesSubmitRequest(formData: Multipart.FormData, isSingleSubmission: Boolean): Route = {
+    def getWorkflowState(workflowOnHold: Boolean): WorkflowState = {
+      if (workflowOnHold)
+        WorkflowOnHold
+      else WorkflowSubmitted
+    }
+
+    def sendToWorkflowStore(command: WorkflowStoreActor.WorkflowStoreActorSubmitCommand, warnings: Seq[String], workflowState: WorkflowState): Route = {
+      // NOTE: Do not blindly copy the akka-http -to- ask-actor pattern below without knowing the pros and cons.
+      onComplete(workflowStoreActor.ask(command).mapTo[WorkflowStoreSubmitActor.WorkflowStoreSubmitActorResponse]) {
+        case Success(w) =>
+          w match {
+            case WorkflowStoreSubmitActor.WorkflowSubmittedToStore(workflowId, _) =>
+              completeResponse(StatusCodes.Created, toWesResponseId(workflowId), warnings)
+            case WorkflowStoreSubmitActor.WorkflowsBatchSubmittedToStore(workflowIds, _) =>
+              completeResponse(StatusCodes.Created, workflowIds.toList.map(toWesResponse(_, workflowState)), warnings)
+            case WorkflowStoreSubmitActor.WorkflowSubmitFailed(throwable) =>
+              respondWithWesError(throwable.getLocalizedMessage, StatusCodes.BadRequest)
+          }
+        case Failure(_: AskTimeoutException) if CromwellShutdown.shutdownInProgress() => respondWithWesError("Cromwell service is shutting down", StatusCodes.InternalServerError)
+        case Failure(e: TimeoutException) => e.failRequest(StatusCodes.ServiceUnavailable)
+        case Failure(e) => e.failRequest(StatusCodes.InternalServerError, warnings)
+      }
+    }
+
+    onComplete(materializeFormData(formData)) {
+      case Success(data) =>
+        PartialWorkflowSources.fromSubmitRoute(data, allowNoInputs = isSingleSubmission) match {
+          case Success(workflowSourceFiles) if isSingleSubmission && workflowSourceFiles.size == 1 =>
+            val warnings = workflowSourceFiles.flatMap(_.warnings)
+            sendToWorkflowStore(WorkflowStoreActor.SubmitWorkflow(workflowSourceFiles.head), warnings, getWorkflowState(workflowSourceFiles.head.workflowOnHold))
+          // Catches the case where someone has gone through the single submission endpoint w/ more than one workflow
+          case Success(workflowSourceFiles) if isSingleSubmission =>
+            val warnings = workflowSourceFiles.flatMap(_.warnings)
+            val e = new IllegalArgumentException("To submit more than one workflow at a time, use the batch endpoint.")
+            e.failRequest(StatusCodes.BadRequest, warnings)
+          case Success(workflowSourceFiles) =>
+            val warnings = workflowSourceFiles.flatMap(_.warnings)
+            sendToWorkflowStore(
+              WorkflowStoreActor.BatchSubmitWorkflows(NonEmptyList.fromListUnsafe(workflowSourceFiles.toList)),
+              warnings, getWorkflowState(workflowSourceFiles.head.workflowOnHold))
+          case Failure(t) => t.failRequest(StatusCodes.BadRequest)
+        }
+      case Failure(e: TimeoutException) => e.failRequest(StatusCodes.ServiceUnavailable)
+      case Failure(e) => respondWithWesError(e.getLocalizedMessage, StatusCodes.InternalServerError)
+    }
+  }
 }
 
+
+
 object WesRouteSupport {
+  import WesResponseJsonSupport._
+
+  implicit lazy val duration: FiniteDuration = ConfigFactory.load().as[FiniteDuration]("akka.http.server.request-timeout")
+  implicit lazy val timeout: Timeout = duration
+  import scala.concurrent.ExecutionContext.Implicits.global
+
   val NotFoundError = WesErrorResponse("The requested workflow run wasn't found", StatusCodes.NotFound.intValue)
 
   def WesAbortSuccessHandler: PartialFunction[SuccessfulAbortResponse, Route] = {
@@ -104,4 +198,38 @@ object WesRouteSupport {
   private def respondWithWesError(errorMsg: String, status: StatusCode): Route = {
     complete((status, WesErrorResponse(errorMsg, status.intValue)))
   }
-}
+
+  def extractSubmission(): Directive1[WesSubmission] = {
+    formFields((
+      "workflow_params".?,
+      "workflow_type".?,
+      "workflow_type_version".?,
+      "tags".?,
+      "workflow_engine_parameters".?,
+      "workflow_url".?,
+      "workflow_attachment".as[String].*
+    )).as(WesSubmission)
+  }
+
+  def completeCromwellResponse(future: => Future[WesResponse]): Route = {
+    onComplete(future) {
+      case Success(response: WesResponse) => complete(response)
+      case Failure(e) => complete(WesErrorResponse(e.getMessage, StatusCodes.InternalServerError.intValue))
+    }
+  }
+
+  def listRuns(pageSize: Option[Int], pageToken: Option[String], serviceRegistryActor: ActorRef): Future[WesResponse] = {
+    // FIXME: to handle - page_size, page_token
+    // FIXME: How to handle next_page_token in response?
+    metadataQueryRequest(Seq.empty[(String, String)], serviceRegistryActor).map(RunListResponse.fromMetadataQueryResponse)
+  }
+
+  def runLog(workflowId: String, request: WorkflowId => BuildMetadataJsonAction, serviceRegistryActor: ActorRef): Future[WesResponse] = {
+    val metadataJsonResponse = metadataBuilderActorRequest(workflowId, request, serviceRegistryActor)
+
+    metadataJsonResponse.map {
+      case SuccessfulMetadataJsonResponse(_, responseJson) => WesResponseWorkflowMetadata(WesRunLog.fromJson(responseJson.toString()))
+      case FailedMetadataJsonResponse(_, reason) => WesErrorResponse(reason.getMessage, StatusCodes.InternalServerError.intValue)
+    }
+  }
+}
\ No newline at end of file
diff --git a/engine/src/main/scala/cromwell/webservice/routes/wes/WesRunRoutes.scala b/engine/src/main/scala/cromwell/webservice/routes/wes/WesRunRoutes.scala
deleted file mode 100644
index ce4d60fe78e..00000000000
--- a/engine/src/main/scala/cromwell/webservice/routes/wes/WesRunRoutes.scala
+++ /dev/null
@@ -1,74 +0,0 @@
-package cromwell.webservice.routes.wes
-
-import akka.actor.ActorRef
-import akka.http.scaladsl.marshallers.sprayjson.SprayJsonSupport._
-import akka.http.scaladsl.model.StatusCodes
-import akka.http.scaladsl.server.Directives._
-import akka.http.scaladsl.server.Route
-import akka.http.scaladsl.server.directives.RouteDirectives.complete
-import akka.util.Timeout
-import com.typesafe.config.ConfigFactory
-import cromwell.core.WorkflowId
-import cromwell.services.metadata.MetadataService.{BuildMetadataJsonAction, GetSingleWorkflowMetadataAction}
-import cromwell.services.{FailedMetadataJsonResponse, SuccessfulMetadataJsonResponse}
-import cromwell.webservice.routes.MetadataRouteSupport.{metadataBuilderActorRequest, metadataQueryRequest}
-import cromwell.webservice.routes.wes.WesResponseJsonSupport.{WesResponseErrorFormat, WesResponseFormat}
-import cromwell.webservice.routes.wes.WesRunRoutes.{completeCromwellResponse, runLog}
-import net.ceedubs.ficus.Ficus._
-
-import scala.concurrent.ExecutionContext.Implicits.global
-import scala.concurrent.Future
-import scala.concurrent.duration.FiniteDuration
-import scala.util.{Failure, Success}
-
-trait WesRunRoutes {
-
-  val serviceRegistryActor: ActorRef
-
-  lazy val runRoutes: Route =
-    pathPrefix("ga4gh" / "wes" / "v1") {
-      concat(
-        pathPrefix("runs") {
-          get {
-            parameters(("page_size".as[Int].?, "page_token".?)) { (pageSize, pageToken) =>
-              WesRunRoutes.completeCromwellResponse(WesRunRoutes.listRuns(pageSize, pageToken, serviceRegistryActor))
-            }
-          }
-          path(Segment) { workflowId =>
-            get {
-              // this is what it was like in code found in the project… it perhaps isn’t ideal but doesn’t seem to hurt, so leaving it like this for now.
-              completeCromwellResponse(runLog(workflowId, (w: WorkflowId) => GetSingleWorkflowMetadataAction(w, None, None, expandSubWorkflows = false), serviceRegistryActor))
-            }
-          }
-        }
-      )
-    }
-}
-
-object WesRunRoutes {
-
-  implicit lazy val duration: FiniteDuration = ConfigFactory.load().as[FiniteDuration]("akka.http.server.request-timeout")
-  implicit lazy val timeout: Timeout = duration
-
-  def completeCromwellResponse(future: => Future[WesResponse]): Route = {
-    onComplete(future) {
-      case Success(response: WesResponse) => complete(response)
-      case Failure(e) => complete(WesErrorResponse(e.getMessage, StatusCodes.InternalServerError.intValue))
-    }
-  }
-
-  def listRuns(pageSize: Option[Int], pageToken: Option[String], serviceRegistryActor: ActorRef): Future[WesResponse] = {
-    // FIXME: to handle - page_size, page_token
-    // FIXME: How to handle next_page_token in response?
-    metadataQueryRequest(Seq.empty[(String, String)], serviceRegistryActor).map(RunListResponse.fromMetadataQueryResponse)
-  }
-
-  def runLog(workflowId: String, request: WorkflowId => BuildMetadataJsonAction, serviceRegistryActor: ActorRef): Future[WesResponse] = {
-    val metadataJsonResponse = metadataBuilderActorRequest(workflowId, request, serviceRegistryActor)
-
-    metadataJsonResponse.map {
-      case SuccessfulMetadataJsonResponse(_, responseJson) => WesResponseWorkflowMetadata(WesRunLog.fromJson(responseJson.toString()))
-      case FailedMetadataJsonResponse(_, reason) => WesErrorResponse(reason.getMessage, StatusCodes.InternalServerError.intValue)
-    }
-  }
-}
diff --git a/engine/src/main/scala/cromwell/webservice/routes/wes/WesSubmission.scala b/engine/src/main/scala/cromwell/webservice/routes/wes/WesSubmission.scala
new file mode 100644
index 00000000000..1db2cd801b8
--- /dev/null
+++ b/engine/src/main/scala/cromwell/webservice/routes/wes/WesSubmission.scala
@@ -0,0 +1,44 @@
+package cromwell.webservice.routes.wes
+
+import akka.http.scaladsl.model.{HttpEntity, MediaTypes, Multipart}
+import cromwell.webservice.PartialWorkflowSources._
+
+final case class WesSubmission(workflowParams: Option[String],
+                               workflowType: Option[String],
+                               workflowTypeVersion: Option[String],
+                               tags: Option[String],
+                               workflowEngineParameters: Option[String],
+                               workflowUrl: Option[String],
+                               workflowAttachment: Iterable[String]
+                              ) {
+  val entity: Multipart.FormData = {
+    /*
+      FIXME:
+
+      Super oversimplification going on here as Cromwell's API is expected to normalize w/ WES a bit over the course
+      of the quarter and it's not worth doing it here and throwing it out later (there's close to a 0% chance this will
+      be used between now and then)
+
+      At the moment, just taking the head of workflowAttachment (if it exists) and dropping that into the workflow source,
+      and we're ignoring the possible existence of a zip bundle. Eventually the way this will work is that there'll be
+      an Iterable of workflow files and workflowUrl will point to which one is the source and the rest goes into the bundle.
+
+      NB: I think we've already lost too much information for the above to happen as there's an optional use of
+      Content-Disposition headers on each of these files which can be used to describe directory structure and such
+      for relative import resolution
+     */
+    val sourcePart = workflowAttachment.headOption map { a => Multipart.FormData.BodyPart(WorkflowSourceKey, HttpEntity(MediaTypes.`application/json`, a)) }
+
+    val urlPart = workflowUrl map { u => Multipart.FormData.BodyPart(WorkflowUrlKey, HttpEntity(MediaTypes.`application/json`, u)) }
+
+    val typePart = workflowType map { w => Multipart.FormData.BodyPart(WorkflowTypeKey, HttpEntity(MediaTypes.`application/json`, w)) }
+    val typeVersionPart = workflowTypeVersion map { v => Multipart.FormData.BodyPart(WorkflowTypeVersionKey, HttpEntity(MediaTypes.`application/json`, v)) }
+    val inputsPart = workflowParams map { p => Multipart.FormData.BodyPart(WorkflowInputsKey, HttpEntity(MediaTypes.`application/json`, p)) }
+    val optionsPart = workflowEngineParameters map { o => Multipart.FormData.BodyPart(WorkflowOptionsKey, HttpEntity(MediaTypes.`application/json`, o)) }
+    val labelsPart = tags map { t => Multipart.FormData.BodyPart(labelsKey, HttpEntity(MediaTypes.`application/json`, t)) }
+
+    val parts = List(sourcePart, urlPart, typePart, typeVersionPart, inputsPart, optionsPart, labelsPart).flatten
+
+    Multipart.FormData(parts: _*)
+  }
+}
diff --git a/engine/src/test/scala/cromwell/webservice/routes/CromwellApiServiceSpec.scala b/engine/src/test/scala/cromwell/webservice/routes/CromwellApiServiceSpec.scala
index 2a3b11a41c5..c40c84397f7 100644
--- a/engine/src/test/scala/cromwell/webservice/routes/CromwellApiServiceSpec.scala
+++ b/engine/src/test/scala/cromwell/webservice/routes/CromwellApiServiceSpec.scala
@@ -1,7 +1,5 @@
 package cromwell.webservice.routes
 
-import java.time.OffsetDateTime
-
 import akka.actor.{Actor, ActorLogging, ActorSystem, Props}
 import akka.http.scaladsl.marshallers.sprayjson.SprayJsonSupport._
 import akka.http.scaladsl.model.ContentTypes._
@@ -17,13 +15,13 @@ import cromwell.engine.workflow.WorkflowManagerActor.WorkflowNotFoundException
 import cromwell.engine.workflow.workflowstore.WorkflowStoreActor._
 import cromwell.engine.workflow.workflowstore.WorkflowStoreEngineActor.{WorkflowOnHoldToSubmittedFailure, WorkflowOnHoldToSubmittedSuccess}
 import cromwell.engine.workflow.workflowstore.WorkflowStoreSubmitActor.{WorkflowSubmittedToStore, WorkflowsBatchSubmittedToStore}
+import cromwell.services._
 import cromwell.services.healthmonitor.ProtoHealthMonitorServiceActor.{GetCurrentStatus, StatusCheckResponse, SubsystemStatus}
 import cromwell.services.instrumentation.InstrumentationService.InstrumentationServiceMessage
 import cromwell.services.metadata.MetadataArchiveStatus._
 import cromwell.services.metadata.MetadataService._
 import cromwell.services.metadata._
 import cromwell.services.metadata.impl.builder.MetadataBuilderActor
-import cromwell.services._
 import cromwell.services.womtool.WomtoolServiceMessages.{DescribeFailure, DescribeRequest, DescribeSuccess}
 import cromwell.services.womtool.models.WorkflowDescription
 import cromwell.util.SampleWdl.HelloWorld
@@ -34,6 +32,7 @@ import org.scalatest.flatspec.AsyncFlatSpec
 import org.scalatest.matchers.should.Matchers
 import spray.json._
 
+import java.time.OffsetDateTime
 import scala.concurrent.duration._
 
 class CromwellApiServiceSpec extends AsyncFlatSpec with ScalatestRouteTest with Matchers {
@@ -529,6 +528,7 @@ object CromwellApiServiceSpec {
   val WorkflowIdExistingOnlyInSummaryTable = WorkflowId.fromString("f0000000-0000-0000-0000-000000000011")
   val ArchivedWorkflowId = WorkflowId.fromString("c4c6339c-2145-47fb-acc5-b5cb8d2809f5")
   val ArchivedAndDeletedWorkflowId = WorkflowId.fromString("abc1234d-2145-47fb-acc5-b5cb8d2809f5")
+  val wesWorkflowId = WorkflowId.randomId()
   val SummarizedWorkflowIds = Set(
     SummarizedWorkflowId,
     WorkflowIdExistingOnlyInSummaryTable,
@@ -545,7 +545,8 @@ object CromwellApiServiceSpec {
     FailedWorkflowId,
     SummarizedWorkflowId,
     ArchivedWorkflowId,
-    ArchivedAndDeletedWorkflowId
+    ArchivedAndDeletedWorkflowId,
+    wesWorkflowId
   )
 
   class MockApiService()(implicit val system: ActorSystem) extends CromwellApiService {
@@ -564,13 +565,21 @@ object CromwellApiServiceSpec {
       List(
         MetadataEvent(MetadataKey(workflowId, None, "testKey1a"), MetadataValue("myValue1a", MetadataString)),
         MetadataEvent(MetadataKey(workflowId, None, "testKey1b"), MetadataValue("myValue1b", MetadataString)),
-        MetadataEvent(MetadataKey(workflowId, None, "testKey2a"), MetadataValue("myValue2a", MetadataString))
+        MetadataEvent(MetadataKey(workflowId, None, "testKey2a"), MetadataValue("myValue2a", MetadataString)),
+      )
+    }
+    private def wesFullMetadataResponse(workflowId: WorkflowId) = {
+      List(
+        MetadataEvent(MetadataKey(workflowId, None, "status"), MetadataValue("Running", MetadataString)),
+        MetadataEvent(MetadataKey(workflowId, None, "submittedFiles:workflow"), MetadataValue("myValue2a", MetadataString)),
+
       )
     }
 
     def responseMetadataValues(workflowId: WorkflowId, withKeys: List[String], withoutKeys: List[String]): JsObject = {
       def keyFilter(keys: List[String])(m: MetadataEvent) = keys.exists(k => m.key.key.startsWith(k))
-      val events = fullMetadataResponse(workflowId)
+      val metadataEvents = if (workflowId == wesWorkflowId) wesFullMetadataResponse(workflowId) else fullMetadataResponse(workflowId)
+      val events = metadataEvents
         .filter(m => withKeys.isEmpty || keyFilter(withKeys)(m))
         .filter(m => withoutKeys.isEmpty || !keyFilter(withoutKeys)(m))
 
diff --git a/engine/src/test/scala/cromwell/webservice/routes/wes/WesRouteSupportSpec.scala b/engine/src/test/scala/cromwell/webservice/routes/wes/WesRouteSupportSpec.scala
index 0c0fe1c8054..6e9a390ad4a 100644
--- a/engine/src/test/scala/cromwell/webservice/routes/wes/WesRouteSupportSpec.scala
+++ b/engine/src/test/scala/cromwell/webservice/routes/wes/WesRouteSupportSpec.scala
@@ -1,22 +1,27 @@
 package cromwell.webservice.routes.wes
 
 import akka.actor.Props
-import akka.http.scaladsl.model.StatusCodes
 import akka.http.scaladsl.model.HttpMethods.POST
-import akka.http.scaladsl.testkit.ScalatestRouteTest
+import akka.http.scaladsl.model._
+import akka.http.scaladsl.server.MethodRejection
+import akka.http.scaladsl.testkit.{RouteTestTimeout, ScalatestRouteTest}
+import cromwell.util.SampleWdl.HelloWorld
 import cromwell.webservice.routes.CromwellApiServiceSpec
-
-import scala.concurrent.duration._
 import cromwell.webservice.routes.CromwellApiServiceSpec.{MockServiceRegistryActor, MockWorkflowManagerActor, MockWorkflowStoreActor}
+import cromwell.webservice.routes.wes.WesResponseJsonSupport._
 import org.scalatest.flatspec.AsyncFlatSpec
 import org.scalatest.matchers.should.Matchers
-import WesResponseJsonSupport._
-import akka.http.scaladsl.server.MethodRejection
+import spray.json._
+
+import scala.concurrent.duration._
 
 class WesRouteSupportSpec extends AsyncFlatSpec with ScalatestRouteTest with Matchers with WesRouteSupport {
+
   val actorRefFactory = system
   override implicit val ec = system.dispatcher
-  override implicit val timeout = 5.seconds
+  override val timeout = routeTestTimeout.duration
+  implicit def routeTestTimeout = RouteTestTimeout(5.seconds)
+
 
   override val workflowStoreActor = actorRefFactory.actorOf(Props(new MockWorkflowStoreActor()))
   override val serviceRegistryActor = actorRefFactory.actorOf(Props(new MockServiceRegistryActor()))
@@ -149,4 +154,52 @@ class WesRouteSupportSpec extends AsyncFlatSpec with ScalatestRouteTest with Mat
         rejection shouldEqual MethodRejection(POST)
       }
   }
-}
+
+  behavior of "WES API /runs POST endpoint"
+  it should "return 201 for a successful workflow submission" in {
+    val workflowSource = Multipart.FormData.BodyPart("workflow_url", HttpEntity(MediaTypes.`application/json`, "https://raw.githubusercontent.com/broadinstitute/cromwell/develop/womtool/src/test/resources/validate/wdl_draft3/valid/callable_imports/my_workflow.wdl"))
+    val workflowInputs = Multipart.FormData.BodyPart("workflow_params", HttpEntity(MediaTypes.`application/json`, HelloWorld.rawInputs.toJson.toString()))
+    val formData = Multipart.FormData(workflowSource, workflowInputs).toEntity()
+    Post(s"/ga4gh/wes/$version/runs", formData) ~>
+      wesRoutes ~>
+      check {
+        assertResult(
+          s"""{
+             |  "run_id": "${CromwellApiServiceSpec.ExistingWorkflowId.toString}"
+             |}""".stripMargin) {
+          responseAs[String].parseJson.prettyPrint
+        }
+        assertResult(StatusCodes.Created) {
+          status
+        }
+        headers should be(Seq.empty)
+      }
+  }
+
+
+  behavior of "WES API /runs GET endpoint"
+  it should "return results for a good query" in {
+    Get(s"/ga4gh/wes/v1/runs") ~>
+      wesRoutes ~>
+      check {
+        status should be(StatusCodes.OK)
+        contentType should be(ContentTypes.`application/json`)
+        val results = responseAs[JsObject].fields("runs").convertTo[Seq[JsObject]]
+        results.head.fields("run_id") should be(JsString(CromwellApiServiceSpec.ExistingWorkflowId.toString))
+        results.head.fields("state") should be(JsString("COMPLETE"))
+      }
+  }
+
+  behavior of "WES API /runs/{run_id} endpoint"
+  it should "return valid metadata when supplied a run_id" in {
+    Get(s"/ga4gh/wes/v1/runs/${CromwellApiServiceSpec.wesWorkflowId}") ~>
+      wesRoutes ~>
+      check {
+        status should be(StatusCodes.OK)
+        val result = responseAs[JsObject].fields("workflowLog").asJsObject()
+        result.fields.keys should contain allOf("request", "run_id", "state")
+        result.fields("state") should be(JsString("RUNNING"))
+        result.fields("run_id") should be(JsString(CromwellApiServiceSpec.wesWorkflowId.toString))
+      }
+  }
+}
\ No newline at end of file
diff --git a/filesystems/blob/src/main/scala/cromwell/filesystems/blob/BlobPathBuilder.scala b/filesystems/blob/src/main/scala/cromwell/filesystems/blob/BlobPathBuilder.scala
index 038936ec46e..69a21c90eda 100644
--- a/filesystems/blob/src/main/scala/cromwell/filesystems/blob/BlobPathBuilder.scala
+++ b/filesystems/blob/src/main/scala/cromwell/filesystems/blob/BlobPathBuilder.scala
@@ -3,18 +3,14 @@ package cromwell.filesystems.blob
 import com.azure.core.credential.AzureSasCredential
 import com.azure.storage.blob.nio.AzureFileSystem
 import com.google.common.net.UrlEscapers
-import cromwell.core.path.NioPath
-import cromwell.core.path.Path
-import cromwell.core.path.PathBuilder
+import cromwell.core.path.{NioPath, Path, PathBuilder}
 import cromwell.filesystems.blob.BlobPathBuilder._
 
-import java.net.MalformedURLException
-import java.net.URI
-import java.nio.file.FileSystems
+import java.net.{MalformedURLException, URI}
+import java.nio.file.{FileSystem, FileSystemNotFoundException, FileSystems}
 import scala.jdk.CollectionConverters._
 import scala.language.postfixOps
-import scala.util.Failure
-import scala.util.Try
+import scala.util.{Failure, Try}
 
 object BlobPathBuilder {
 
@@ -59,19 +55,27 @@ object BlobPathBuilder {
   }
 }
 
-class BlobPathBuilder(credential: AzureSasCredential, container: String, endpoint: String) extends PathBuilder {
+class BlobPathBuilder(blobTokenGenerator: BlobTokenGenerator, container: String, endpoint: String) extends PathBuilder {
 
+  val credential: AzureSasCredential = new AzureSasCredential(blobTokenGenerator.getAccessToken)
   val fileSystemConfig: Map[String, Object] = Map((AzureFileSystem.AZURE_STORAGE_SAS_TOKEN_CREDENTIAL, credential),
-                                                  (AzureFileSystem.AZURE_STORAGE_FILE_STORES, container))
+                                                  (AzureFileSystem.AZURE_STORAGE_FILE_STORES, container),
+                                                  (AzureFileSystem.AZURE_STORAGE_SKIP_INITIAL_CONTAINER_CHECK, java.lang.Boolean.TRUE))
+
+  def retrieveFilesystem(uri: URI): Try[FileSystem] = {
+    Try(FileSystems.getFileSystem(uri)) recover {
+      // If no filesystem already exists, this will create a new connection, with the provided configs
+      case _: FileSystemNotFoundException => FileSystems.newFileSystem(uri, fileSystemConfig.asJava)
+    }
+  }
 
   def build(string: String): Try[BlobPath] = {
     validateBlobPath(string, container, endpoint) match {
-      case ValidBlobPath(path) =>
-        Try {
-          val fileSystem = FileSystems.newFileSystem(new URI("azb://?endpoint=" + endpoint), fileSystemConfig.asJava)
-          val blobStoragePath = fileSystem.getPath(path)
-          BlobPath(blobStoragePath, endpoint, container)
-        }
+      case ValidBlobPath(path) => for {
+            fileSystem <- retrieveFilesystem(new URI("azb://?endpoint=" + endpoint))
+            nioPath <- Try(fileSystem.getPath(path))
+            blobPath = BlobPath(nioPath, endpoint, container)
+          } yield blobPath
       case UnparsableBlobPath(errorMessage: Throwable) => Failure(errorMessage)
     }
   }
diff --git a/filesystems/blob/src/main/scala/cromwell/filesystems/blob/BlobPathBuilderFactory.scala b/filesystems/blob/src/main/scala/cromwell/filesystems/blob/BlobPathBuilderFactory.scala
index ca5e24fe3d7..b12abf5cc34 100644
--- a/filesystems/blob/src/main/scala/cromwell/filesystems/blob/BlobPathBuilderFactory.scala
+++ b/filesystems/blob/src/main/scala/cromwell/filesystems/blob/BlobPathBuilderFactory.scala
@@ -1,22 +1,114 @@
 package cromwell.filesystems.blob
 
 import akka.actor.ActorSystem
-import com.azure.core.credential.AzureSasCredential
+import com.azure.core.management.AzureEnvironment
+import com.azure.core.management.profile.AzureProfile
+import com.azure.identity.DefaultAzureCredentialBuilder
+import com.azure.resourcemanager.AzureResourceManager
+import com.azure.storage.blob.BlobContainerClientBuilder
+import com.azure.storage.blob.sas.{BlobContainerSasPermission, BlobServiceSasSignatureValues}
+import com.azure.storage.common.StorageSharedKeyCredential
 import com.typesafe.config.Config
 import cromwell.core.WorkflowOptions
 import cromwell.core.path.PathBuilderFactory
-import cromwell.filesystems.blob.BlobPathBuilder
+import net.ceedubs.ficus.Ficus._
 
+import java.time.OffsetDateTime
 import scala.concurrent.ExecutionContext
 import scala.concurrent.Future
+import scala.jdk.CollectionConverters._
+
+final case class BlobFileSystemConfig(config: Config)
+final case class BlobPathBuilderFactory(globalConfig: Config, instanceConfig: Config, singletonConfig: BlobFileSystemConfig) extends PathBuilderFactory {
+  val container: String = instanceConfig.as[String]("store")
+  val endpoint: String = instanceConfig.as[String]("endpoint")
+  val workspaceId: Option[String] = instanceConfig.as[Option[String]]("workspace-id")
+  val workspaceManagerURL: Option[String] = singletonConfig.config.as[Option[String]]("workspace-manager-url")
+
+  val blobTokenGenerator: BlobTokenGenerator = BlobTokenGenerator.createBlobTokenGenerator(
+    container, endpoint, workspaceId, workspaceManagerURL)
 
-final case class BlobPathBuilderFactory(globalConfig: Config, instanceConfig: Config) extends PathBuilderFactory {
   override def withOptions(options: WorkflowOptions)(implicit as: ActorSystem, ec: ExecutionContext): Future[BlobPathBuilder] = {
-    val sasToken: String = instanceConfig.getString("sasToken")
-    val container: String = instanceConfig.getString("store")
-    val endpoint: String = instanceConfig.getString("endpoint")
     Future {
-      new BlobPathBuilder(new AzureSasCredential(sasToken), container, endpoint)
+      new BlobPathBuilder(blobTokenGenerator, container, endpoint)
+    }
+  }
+}
+
+sealed trait BlobTokenGenerator {
+  def getAccessToken: String
+}
+
+object BlobTokenGenerator {
+  def createBlobTokenGenerator(container: String, endpoint: String): BlobTokenGenerator = {
+    createBlobTokenGenerator(container, endpoint, None, None)
+  }
+  def createBlobTokenGenerator(container: String, endpoint: String, workspaceId: Option[String], workspaceManagerURL: Option[String]): BlobTokenGenerator = {
+     (container: String, endpoint: String, workspaceId, workspaceManagerURL) match {
+       case (container, endpoint, None, None) =>
+         NativeBlobTokenGenerator(container, endpoint)
+       case (container, endpoint, Some(workspaceId), Some(workspaceManagerURL)) =>
+         WSMBlobTokenGenerator(container, endpoint, workspaceId, workspaceManagerURL)
+       case _ =>
+         throw new Exception("Arguments provided do not match any available BlobTokenGenerator implementation.")
+     }
+  }
+}
+
+case class WSMBlobTokenGenerator(container: String, endpoint: String, workspaceId: String, workspaceManagerURL: String) extends BlobTokenGenerator {
+  def getAccessToken: String = {
+    throw new NotImplementedError
+  }
+}
+
+case class NativeBlobTokenGenerator(container: String, endpoint: String) extends BlobTokenGenerator {
+  def getAccessToken: String = {
+    val storageAccountName = BlobPathBuilder.parseStorageAccount(BlobPathBuilder.parseURI(endpoint)) match {
+      case Some(storageAccountName) => storageAccountName
+      case _ => throw new Exception("Storage account could not be parsed from endpoint")
+    }
+
+    val profile = new AzureProfile(AzureEnvironment.AZURE)
+    val azureCredential = new DefaultAzureCredentialBuilder()
+      .authorityHost(profile.getEnvironment.getActiveDirectoryEndpoint)
+      .build
+    val azure = AzureResourceManager.authenticate(azureCredential, profile).withDefaultSubscription
+
+    val storageAccounts = azure.storageAccounts()
+    val storageAccount = storageAccounts
+      .list()
+      .asScala
+      .find(_.name == storageAccountName)
+
+    val storageAccountKeys = storageAccount match {
+      case Some(value) => value.getKeys.asScala.map(_.value())
+      case _ => throw new Exception("Storage Account not found")
+    }
+
+    val storageAccountKey = storageAccountKeys.headOption match {
+      case Some(value) => value
+      case _ => throw new Exception("Storage Account has no keys")
     }
+
+    val keyCredential = new StorageSharedKeyCredential(
+      storageAccountName,
+      storageAccountKey
+    )
+    val blobContainerClient = new BlobContainerClientBuilder()
+      .credential(keyCredential)
+      .endpoint(endpoint)
+      .containerName(container)
+      .buildClient()
+
+    val blobContainerSasPermission = new BlobContainerSasPermission()
+      .setReadPermission(true)
+      .setCreatePermission(true)
+      .setListPermission(true)
+    val blobServiceSasSignatureValues = new BlobServiceSasSignatureValues(
+      OffsetDateTime.now.plusDays(1),
+      blobContainerSasPermission
+    )
+
+    blobContainerClient.generateSas(blobServiceSasSignatureValues)
   }
 }
diff --git a/filesystems/blob/src/test/scala/cromwell/filesystems/blob/BlobPathBuilderFactorySpec.scala b/filesystems/blob/src/test/scala/cromwell/filesystems/blob/BlobPathBuilderFactorySpec.scala
new file mode 100644
index 00000000000..08efd534056
--- /dev/null
+++ b/filesystems/blob/src/test/scala/cromwell/filesystems/blob/BlobPathBuilderFactorySpec.scala
@@ -0,0 +1,28 @@
+package cromwell.filesystems.blob
+
+import com.typesafe.config.ConfigFactory
+import org.scalatest.flatspec.AnyFlatSpec
+import org.scalatest.matchers.should.Matchers
+
+class BlobPathBuilderFactorySpec extends AnyFlatSpec with Matchers {
+
+  it should "parse configs for a functioning factory" in {
+    val endpoint = BlobPathBuilderSpec.buildEndpoint("coaexternalstorage")
+    val store = "inputs"
+    val workspaceId = "mockWorkspaceId"
+    val workspaceManagerURL = "https://test.ws.org"
+    val instanceConfig = ConfigFactory.parseString(
+      s"""
+      |store = "$store"
+      |endpoint = "$endpoint"
+      |workspace-id = "$workspaceId"
+      """.stripMargin)
+    val singletonConfig = ConfigFactory.parseString(s"""workspace-manager-url = "$workspaceManagerURL" """)
+    val globalConfig = ConfigFactory.parseString("""""")
+    val factory = BlobPathBuilderFactory(globalConfig, instanceConfig, new BlobFileSystemConfig(singletonConfig))
+    factory.container should equal(store)
+    factory.endpoint should equal(endpoint)
+    factory.workspaceId should equal(Some(workspaceId))
+    factory.workspaceManagerURL should equal(Some(workspaceManagerURL))
+  }
+}
diff --git a/filesystems/blob/src/test/scala/cromwell/filesystems/blob/BlobPathBuilderSpec.scala b/filesystems/blob/src/test/scala/cromwell/filesystems/blob/BlobPathBuilderSpec.scala
index 454b8f5adaf..69cec235aff 100644
--- a/filesystems/blob/src/test/scala/cromwell/filesystems/blob/BlobPathBuilderSpec.scala
+++ b/filesystems/blob/src/test/scala/cromwell/filesystems/blob/BlobPathBuilderSpec.scala
@@ -1,10 +1,6 @@
 package cromwell.filesystems.blob
-
-import com.azure.core.credential.AzureSasCredential
-import cromwell.filesystems.blob.BlobPathBuilder
 import org.scalatest.flatspec.AnyFlatSpec
 import org.scalatest.matchers.should.Matchers
-
 import java.nio.file.Files
 
 object BlobPathBuilderSpec {
@@ -51,15 +47,28 @@ class BlobPathBuilderSpec extends AnyFlatSpec with Matchers{
     val endpointHost = BlobPathBuilder.parseURI(endpoint).getHost
     val store = "inputs"
     val evalPath = "/test/inputFile.txt"
-    val sas = "{SAS TOKEN HERE}"
+    val blobTokenGenerator: BlobTokenGenerator = BlobTokenGenerator.createBlobTokenGenerator(store, endpoint)
     val testString = endpoint + "/" + store + evalPath
-    val blobPath: BlobPath = new BlobPathBuilder(new AzureSasCredential(sas), store, endpoint) build testString getOrElse fail()
+    val blobPath: BlobPath = new BlobPathBuilder(blobTokenGenerator, store, endpoint) build testString getOrElse fail()
+
     blobPath.container should equal(store)
     blobPath.endpoint should equal(endpoint)
     blobPath.pathAsString should equal(testString)
     blobPath.pathWithoutScheme should equal(endpointHost + "/" + store + evalPath)
+
     val is = Files.newInputStream(blobPath.nioPath)
     val fileText = (is.readAllBytes.map(_.toChar)).mkString
     fileText should include ("This is my test file!!!! Did it work?")
   }
+
+  ignore should "build duplicate blob paths in the same filesystem" in {
+    val endpoint = BlobPathBuilderSpec.buildEndpoint("coaexternalstorage")
+    val store = "inputs"
+    val evalPath = "/test/inputFile.txt"
+    val blobTokenGenerator: BlobTokenGenerator = BlobTokenGenerator.createBlobTokenGenerator(store, endpoint)
+    val testString = endpoint + "/" + store + evalPath
+    val blobPath1: BlobPath = new BlobPathBuilder(blobTokenGenerator, store, endpoint) build testString getOrElse fail()
+    val blobPath2: BlobPath = new BlobPathBuilder(blobTokenGenerator, store, endpoint) build testString getOrElse fail()
+    blobPath1 should equal(blobPath2)
+  }
 }
diff --git a/project/Dependencies.scala b/project/Dependencies.scala
index 0988ae8c44f..a6cc50eb351 100644
--- a/project/Dependencies.scala
+++ b/project/Dependencies.scala
@@ -6,7 +6,7 @@ object Dependencies {
   private val akkaV = "2.5.32" // scala-steward:off (CROM-6637)
   private val ammoniteOpsV = "2.4.1"
   private val apacheHttpClientV = "4.5.13"
-  private val awsSdkV = "2.17.152"
+  private val awsSdkV = "2.17.194"
   // We would like to use the BOM to manage Azure SDK versions, but SBT doesn't support it.
   // https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/boms/azure-sdk-bom
   // https://github.com/sbt/sbt/issues/4531
@@ -190,7 +190,9 @@ object Dependencies {
       exclude("jakarta.activation", "jakarta.activation-api"),
     "com.azure" % "azure-security-keyvault-secrets" % azureKeyVaultSdkV
       exclude("jakarta.xml.bind", "jakarta.xml.bind-api")
-      exclude("jakarta.activation", "jakarta.activation-api")
+      exclude("jakarta.activation", "jakarta.activation-api"),
+    "com.azure" % "azure-core-management" % "1.7.0",
+    "com.azure.resourcemanager" % "azure-resourcemanager" % "2.17.0"
   )
 
   val implFtpDependencies = List(
@@ -236,7 +238,13 @@ object Dependencies {
     "org.codehaus.janino" % "janino" % janinoV,
     // Replace all log4j usage with slf4j
     // https://www.slf4j.org/legacy.html#log4j-over-slf4j
-    "org.slf4j" % "log4j-over-slf4j" % slf4jV
+    "org.slf4j" % "log4j-over-slf4j" % slf4jV,
+    // Replace all commons-logging usage with slf4j
+    // https://www.slf4j.org/legacy.html#jcl-over-slf4j
+    "org.slf4j" % "jcl-over-slf4j" % slf4jV,
+    // Enable runtime replacing of java.util.logging usage with slf4j
+    // https://www.slf4j.org/legacy.html#jul-to-slf4j
+    "org.slf4j" % "jul-to-slf4j" % slf4jV,
   ) ++ slf4jFacadeDependencies
 
   private val slickDependencies = List(
@@ -716,4 +724,12 @@ object Dependencies {
       nimbusdsOverrides ++
       bouncyCastleOverrides ++
       protobufJavaOverrides
+
+  /*
+  Libraries that should be globally excluded.
+   */
+  val cromwellExcludeDependencies: List[ExclusionRule] = List(
+    // Replaced with jcl-over-slf4j
+    ExclusionRule("commons-logging", "commons-logging"),
+  )
 }
diff --git a/project/Settings.scala b/project/Settings.scala
index 79242733583..951b1fc8fe6 100644
--- a/project/Settings.scala
+++ b/project/Settings.scala
@@ -86,6 +86,7 @@ object Settings {
       Tags.limit(Tags.Test, 1)
     ),
     dependencyOverrides ++= cromwellDependencyOverrides,
+    excludeDependencies ++= cromwellExcludeDependencies,
     scalacOptions ++= baseSettings ++ warningSettings ++ consoleHostileSettings,
     // http://stackoverflow.com/questions/31488335/scaladoc-2-11-6-fails-on-throws-tag-with-unable-to-find-any-member-to-link#31497874
     Compile / doc / scalacOptions ++= baseSettings ++ List("-no-link-warnings"),
diff --git a/project/Version.scala b/project/Version.scala
index 80f74d66d3f..1d21894dfb0 100644
--- a/project/Version.scala
+++ b/project/Version.scala
@@ -5,7 +5,7 @@ import sbt._
 
 object Version {
   // Upcoming release, or current if we're on a master / hotfix branch
-  val cromwellVersion = "83"
+  val cromwellVersion = "84"
 
   /**
     * Returns true if this project should be considered a snapshot.
diff --git a/server/src/main/resources/application.conf b/server/src/main/resources/application.conf
index e0769277a6b..e80cd716b4e 100644
--- a/server/src/main/resources/application.conf
+++ b/server/src/main/resources/application.conf
@@ -1,6 +1,6 @@
 akka {
   log-dead-letters = "off"
-  loggers = ["akka.event.slf4j.Slf4jLogger"]
+  loggers = ["cromwell.core.logging.EnhancedSlf4jLogger"]
   logging-filter = "cromwell.server.CromwellAkkaLogFilter"
   actor.guardian-supervisor-strategy = "cromwell.core.CromwellUserGuardianStrategy"
 
diff --git a/server/src/main/resources/logback.xml b/server/src/main/resources/logback.xml
index 4868962f994..b4d4ac4a335 100644
--- a/server/src/main/resources/logback.xml
+++ b/server/src/main/resources/logback.xml
@@ -1,5 +1,15 @@
 <configuration>
 
+    <!-- Enhanced thread and date reporting. -->
+    <conversionRule
+            conversionWord="et"
+            converterClass="cromwell.core.logging.EnhancedThreadConverter"
+    />
+    <conversionRule
+            conversionWord="ed"
+            converterClass="cromwell.core.logging.EnhancedDateConverter"
+    />
+
     <!-- default properties for FILEROLLER need to be set upfront -->
 
     <if condition='property("FILEROLLER_DIR").equals("")'>
@@ -18,7 +28,7 @@
         <then>
             <appender name="STANDARD_APPENDER" class="ch.qos.logback.core.ConsoleAppender">
                 <encoder>
-                    <pattern>%date %X{sourceThread} %-5level - %msg%n</pattern>
+                    <pattern>%ed{yyyy-MM-dd HH:mm:ss,SSS} %et %-5level - %msg%n</pattern>
                 </encoder>
             </appender>
         </then>
@@ -68,7 +78,7 @@
 
                 </rollingPolicy>
                 <encoder>
-                    <pattern>%d{yyyy-MM-dd HH:mm:ss,SSS} [%thread] %-5level %logger{35} - %msg%n</pattern>
+                    <pattern>%ed{yyyy-MM-dd HH:mm:ss,SSS} [%et] %-5level %logger{35} - %msg%n</pattern>
                 </encoder>
             </appender>
         </then>
diff --git a/server/src/main/scala/cromwell/CromwellEntryPoint.scala b/server/src/main/scala/cromwell/CromwellEntryPoint.scala
index 5acddd75ce9..a1707db6488 100644
--- a/server/src/main/scala/cromwell/CromwellEntryPoint.scala
+++ b/server/src/main/scala/cromwell/CromwellEntryPoint.scala
@@ -16,6 +16,7 @@ import cromwell.CommandLineArguments.{ValidSubmission, WorkflowSourceOrUrl}
 import cromwell.CromwellApp._
 import cromwell.api.CromwellClient
 import cromwell.api.model.{Label, LabelsJsonFormatter, WorkflowSingleSubmission}
+import cromwell.core.logging.JavaLoggingBridge
 import cromwell.core.path.{DefaultPathBuilder, Path}
 import cromwell.core.{WorkflowSourceFilesCollection, WorkflowSourceFilesWithDependenciesZip, WorkflowSourceFilesWithoutImports}
 import cromwell.engine.workflow.SingleWorkflowRunnerActor
@@ -166,6 +167,13 @@ object CromwellEntryPoint extends GracefulStopSupport {
     Make sure that the next time one uses the ConfigFactory that our updated system properties are loaded.
      */
     ConfigFactory.invalidateCaches()
+
+    /*
+    Replace java.util.logging with SLF4J.
+    https://www.slf4j.org/api/org/slf4j/bridge/SLF4JBridgeHandler.html
+     */
+    JavaLoggingBridge.init()
+
     ()
   }