Export Data
Export data on an instance level to ZITADEL. It can be either directly exported in the response or you can point to a file on an S3 storage, where the data should be written.
- application/json
- application/grpc
- application/grpc-web+proto
Request Body required
- orgIds string[]
- excludedOrgIds string[]
- withPasswords boolean
- withOtp boolean
- responseOutput boolean
localOutput object
path strings3Output object
path stringendpoint stringaccessKeyId stringsecretAccessKey stringssl booleanbucket stringgcsOutput object
bucket stringserviceaccountJson stringpath string- timeout string
Request Body required
- orgIds string[]
- excludedOrgIds string[]
- withPasswords boolean
- withOtp boolean
- responseOutput boolean
localOutput object
path strings3Output object
path stringendpoint stringaccessKeyId stringsecretAccessKey stringssl booleanbucket stringgcsOutput object
bucket stringserviceaccountJson stringpath string- timeout string
Request Body required
- orgIds string[]
- excludedOrgIds string[]
- withPasswords boolean
- withOtp boolean
- responseOutput boolean
localOutput object
path strings3Output object
path stringendpoint stringaccessKeyId stringsecretAccessKey stringssl booleanbucket stringgcsOutput object
bucket stringserviceaccountJson stringpath string- timeout string
- 200
- 403
- 404
- default
A successful response.
- application/json
- application/grpc
- application/grpc-web+proto
- Schema
- Example (from schema)
Schema
orgs object[]
Array [orgId stringorg object
name stringPossible values:
non-empty
and<= 200 characters
domainPolicy object
orgId stringPossible values:
non-empty
and<= 200 characters
userLoginMustBeDomain the username has to end with the domain of its organization (uniqueness is organization based)the username has to end with the domain of its organization
validateOrgDomains booleandefines if organization domains should be validated org count as validated automatically
smtpSenderAddressMatchesInstanceDomain booleandefines if the SMTP sender address domain should match an existing domain on the instance
labelPolicy object
primaryColor stringPossible values:
<= 50 characters
Represents a color scheme
hideLoginNameSuffix hides the org suffix on the login form if the scope \"urn:zitadel:iam:org:domain:primary:{domainname}\" is sethides the org suffix on the login form if the scope "urn:zitadel:iam:org:domain:primary:{domainname}" is set
warnColor stringPossible values:
<= 50 characters
hex value for warn color
backgroundColor stringPossible values:
<= 50 characters
hex value for background color
fontColor stringPossible values:
<= 50 characters
hex value for font color
primaryColorDark stringPossible values:
<= 50 characters
hex value for the primary color dark theme
backgroundColorDark stringPossible values:
<= 50 characters
hex value for background color dark theme
warnColorDark stringPossible values:
<= 50 characters
hex value for warning color dark theme
fontColorDark stringPossible values:
<= 50 characters
hex value for font color dark theme
disableWatermark booleanlockoutPolicy object
maxPasswordAttempts int64When the user has reached the maximum password attempts the account will be locked, If this is set to 0 the lockout will not trigger.
loginPolicy object
allowUsernamePassword booleanallowRegister booleanallowExternalIdp booleanforceMfa booleanpasswordlessType - PASSWORDLESS_TYPE_ALLOWED: PLANNED: PASSWORDLESS_TYPE_WITH_CERTPossible values: [
PASSWORDLESS_TYPE_NOT_ALLOWED
,PASSWORDLESS_TYPE_ALLOWED
]Default value:
PASSWORDLESS_TYPE_NOT_ALLOWED
hidePasswordReset booleanignoreUnknownUsernames booleandefines if unknown username on login screen directly returns an error or always displays the password screen
defaultRedirectUri stringdefines where the user will be redirected to if the login is started without app context (e.g. from mail)
passwordCheckLifetime stringexternalLoginCheckLifetime stringmfaInitSkipLifetime stringsecondFactorCheckLifetime stringmultiFactorCheckLifetime stringsecondFactors string[]Possible values: [
SECOND_FACTOR_TYPE_UNSPECIFIED
,SECOND_FACTOR_TYPE_OTP
,SECOND_FACTOR_TYPE_U2F
]multiFactors string[]Possible values: [
MULTI_FACTOR_TYPE_UNSPECIFIED
,MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION
]idps object[]
Array [idpId stringownerType stringPossible values: [
IDP_OWNER_TYPE_UNSPECIFIED
,IDP_OWNER_TYPE_SYSTEM
,IDP_OWNER_TYPE_ORG
]Default value:
IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.
- IDP_OWNER_TYPE_SYSTEM: system is managed by the ZITADEL administrators
- IDP_OWNER_TYPE_ORG: org is managed by de organization administrators
]allowDomainDiscovery booleanIf set to true, the suffix (@domain.com) of an unknown username input on the login screen will be matched against the org domains and will redirect to the registration of that organization on success.
disableLoginWithEmail booleandefines if the user can additionally (to the login name) be identified by their verified email address
disableLoginWithPhone booleandefines if the user can additionally (to the login name) be identified by their verified phone number
passwordComplexityPolicy object
minLength uint64hasUppercase booleanDefines if the password MUST contain an upper case letter
hasLowercase booleanDefines if the password MUST contain a lowercase letter
hasNumber booleanDefines if the password MUST contain a number
hasSymbol booleanDefines if the password MUST contain a symbol. E.g. "$"
privacyPolicy object
tosLink stringIf registration is enabled, the user has to accept the TOS. Variable {{.Lang}} can be set to have different links based on the language.
privacyLink stringIf registration is enabled, the user has to accept the privacy terms. Variable {{.Lang}} can be set to have different links based on the language.
helpLink stringVariable {{.Lang}} can be set to have different links based on the language.
supportEmail stringhelp / support email address.
projects object[]
Array [projectId stringproject object
name stringPossible values:
non-empty
and<= 200 characters
projectRoleAssertion booleanEnable this setting to have role information included in the user info endpoint. It is also dependent on your application settings to include it in tokens and other types.
projectRoleCheck booleanWhen enabled ZITADEL will check if a user has a role of this project assigned when login into an application of this project.
hasProjectCheck booleanWhen enabled ZITADEL will check if the organization of the user, that is trying to log in, has a grant to this project.
privateLabelingSetting stringPossible values: [
PRIVATE_LABELING_SETTING_UNSPECIFIED
,PRIVATE_LABELING_SETTING_ENFORCE_PROJECT_RESOURCE_OWNER_POLICY
,PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY
]Default value:
PRIVATE_LABELING_SETTING_UNSPECIFIED
Define which private labeling/branding should trigger when getting to a login of this project.
]projectRoles object[]
Array [projectId stringroleKey stringPossible values:
non-empty
and<= 200 characters
The key is the only relevant attribute for ZITADEL regarding the authorization checks.
displayName stringPossible values:
non-empty
and<= 200 characters
group stringPossible values:
<= 200 characters
The group is only used for display purposes. That you have better handling, like giving all the roles from a group to a user.
]apiApps object[]
Array [appId stringapp object
projectId stringname stringPossible values:
non-empty
and<= 200 characters
authMethodType stringPossible values: [
API_AUTH_METHOD_TYPE_BASIC
,API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]Default value:
API_AUTH_METHOD_TYPE_BASIC
]oidcApps object[]
Array [appId stringapp object
projectId stringname stringPossible values:
non-empty
and<= 200 characters
redirectUris string[]Callback URI of the authorization request where the code or tokens will be sent to
responseTypes string[]Possible values: [
OIDC_RESPONSE_TYPE_CODE
,OIDC_RESPONSE_TYPE_ID_TOKEN
,OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN
]Determines whether a code, id_token token or just id_token will be returned
grantTypes string[]Possible values: [
OIDC_GRANT_TYPE_AUTHORIZATION_CODE
,OIDC_GRANT_TYPE_IMPLICIT
,OIDC_GRANT_TYPE_REFRESH_TOKEN
,OIDC_GRANT_TYPE_DEVICE_CODE
]The flow type the application uses to gain access
appType stringPossible values: [
OIDC_APP_TYPE_WEB
,OIDC_APP_TYPE_USER_AGENT
,OIDC_APP_TYPE_NATIVE
]Default value:
OIDC_APP_TYPE_WEB
Determines the paradigm of the application
authMethodType stringPossible values: [
OIDC_AUTH_METHOD_TYPE_BASIC
,OIDC_AUTH_METHOD_TYPE_POST
,OIDC_AUTH_METHOD_TYPE_NONE
,OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]Default value:
OIDC_AUTH_METHOD_TYPE_BASIC
Defines how the application passes login credentials
postLogoutRedirectUris string[]ZITADEL will redirect to this link after a successful logout
version stringPossible values: [
OIDC_VERSION_1_0
]Default value:
OIDC_VERSION_1_0
devMode booleanUsed for development, some checks of the OIDC specification will not be checked.
accessTokenType stringPossible values: [
OIDC_TOKEN_TYPE_BEARER
,OIDC_TOKEN_TYPE_JWT
]Default value:
OIDC_TOKEN_TYPE_BEARER
Type of the access token returned from ZITADEL
accessTokenRoleAssertion booleanAdds roles to the claims of the access token (only if type == JWT) even if they are not requested by scopes
idTokenRoleAssertion booleanAdds roles to the claims of the id token even if they are not requested by scopes
idTokenUserinfoAssertion booleanClaims of profile, email, address and phone scopes are added to the id token even if an access token is issued. Attention this violates the OIDC specification
clockSkew stringUsed to compensate time difference of servers. Duration added to the "exp" claim and subtracted from "iat", "auth_time" and "nbf" claims
additionalOrigins string[]Additional origins (other than the redirect_uris) from where the API can be used
skipNativeAppSuccessPage booleanSkip the successful login page on native apps and directly redirect the user to the callback.
]humanUsers object[]
Array [userId stringuser object
userName stringprofile object
Profile includes the basic information of a user, like first name, last name, etc.
firstName stringPossible values:
non-empty
and<= 200 characters
lastName stringPossible values:
non-empty
and<= 200 characters
nickName stringPossible values:
<= 200 characters
displayName stringPossible values:
<= 200 characters
preferredLanguage stringPossible values:
<= 10 characters
gender stringPossible values: [
GENDER_UNSPECIFIED
,GENDER_FEMALE
,GENDER_MALE
,GENDER_DIVERSE
]Default value:
GENDER_UNSPECIFIED
email object
email stringObject that contains the email address and a verified flag.
isEmailVerified booleanIf email verified is set to true, the email will be added as verified and the user doesn't have to verify.
phone object
Object that contains the number and a verified flag
phone stringPossible values:
non-empty
and<= 50 characters
mobile phone number of the user. (use global pattern of spec https://tools.ietf.org/html/rfc3966)
isPhoneVerified booleanpassword stringhashedPassword object
Use this to import hashed passwords from another system.
value stringalgorithm stringpasswordChangeRequired booleanIf this is set to true, the user has to change the password on the next login.
requestPasswordlessRegistration booleanIf this is set to true, you will get a link for the passwordless/passkey registration in the response.
otpCode stringidps object[]
To link your user directly with an external identity provider (Identity brokering)
Array [configId stringPossible values:
non-empty
and<= 200 characters
The internal ID of the identity provider configured in ZITADEL.
externalUserId stringPossible values:
non-empty
and<= 200 characters
The id of the user in the external identity provider
displayName stringPossible values:
<= 200 characters
A display name ZITADEL can show on the linked provider.
]]machineUsers object[]
Array [userId stringuser object
userName stringPossible values:
non-empty
and<= 200 characters
name stringPossible values:
non-empty
and<= 200 characters
description stringPossible values:
<= 500 characters
accessTokenType stringPossible values: [
ACCESS_TOKEN_TYPE_BEARER
,ACCESS_TOKEN_TYPE_JWT
]Default value:
ACCESS_TOKEN_TYPE_BEARER
]triggerActions object[]
Array [flowType id of the flow typeAt the moment you have to send the ID of the Flow Type: ExternalAuthentication=1, CustomiseToken=2, InternalAuthentication=3, PreUserinfoCreation=3
triggerType id of the trigger typeAt the moment you have to send the ID of the Trigger Type: PostAuthentication=1, PreCreation=2, PostCreation=3, PreUserinfoCreation=4, PreAccessTokenCreation=5
actionIds string[]]actions object[]
Array [actionId stringaction object
name stringPossible values:
non-empty
and<= 200 characters
script stringPossible values:
non-empty
and<= 2000 characters
Javascript code that should be executed
timeout stringafter which time the action will be terminated if not finished
allowedToFail booleanwhen true, the next action will be called even if this action fails
]projectGrants object[]
Array [grantId stringprojectGrant object
projectId stringgrantedOrgId stringroleKeys string[]]userGrants object[]
Array [userId stringPossible values:
non-empty
projectId stringPossible values:
non-empty
and<= 200 characters
projectGrantId stringPossible values:
<= 200 characters
Make sure to fill in the project grant id if the user grant is for a granted project and the organization is not the owner of the project.
roleKeys string[]]orgMembers object[]
Array [userId stringroles string[]If no roles are provided the user won't have any rights
]projectMembers object[]
Array [projectId stringuserId stringroles string[]If no roles are provided the user won't have any rights
]projectGrantMembers object[]
Array [projectId stringgrantId stringuserId stringPossible values:
non-empty
and<= 200 characters
roles string[]If no roles are provided the user won't have any rights
]userMetadata object[]
Array [id stringPossible values:
non-empty
and<= 200 characters
key stringPossible values:
non-empty
and<= 200 characters
value bytePossible values:
non-empty
and<= 500000 characters
The value has to be base64 encoded.
]loginTexts object[]
Array [language stringselectAccountText object
title stringdescription stringtitleLinkingProcess stringdescriptionLinkingProcess stringotherUser stringsessionStateActive stringsessionStateInactive stringuserMustBeMemberOfOrg stringloginText object
title stringdescription stringtitleLinkingProcess stringdescriptionLinkingProcess stringuserMustBeMemberOfOrg stringloginNameLabel stringregisterButtonText stringnextButtonText stringexternalUserDescription stringuserNamePlaceholder stringloginNamePlaceholder stringpasswordText object
title stringdescription stringpasswordLabel stringresetLinkText stringbackButtonText stringnextButtonText stringminLength stringhasUppercase stringhasLowercase stringhasNumber stringhasSymbol stringconfirmation stringusernameChangeText object
title stringdescription stringusernameLabel stringcancelButtonText stringnextButtonText stringusernameChangeDoneText object
title stringdescription stringnextButtonText stringinitPasswordText object
title stringdescription stringcodeLabel stringnewPasswordLabel stringnewPasswordConfirmLabel stringnextButtonText stringresendButtonText stringinitPasswordDoneText object
title stringdescription stringnextButtonText stringcancelButtonText stringemailVerificationText object
title stringdescription stringcodeLabel stringnextButtonText stringresendButtonText stringemailVerificationDoneText object
title stringdescription stringnextButtonText stringcancelButtonText stringloginButtonText stringinitializeUserText object
title stringdescription stringcodeLabel stringnewPasswordLabel stringnewPasswordConfirmLabel stringresendButtonText stringnextButtonText stringinitializeDoneText object
title stringdescription stringcancelButtonText stringnextButtonText stringinitMfaPromptText object
title stringdescription stringotpOption stringu2fOption stringskipButtonText stringnextButtonText stringinitMfaOtpText object
title stringdescription stringdescriptionOtp stringsecretLabel stringcodeLabel stringnextButtonText stringcancelButtonText stringinitMfaU2fText object
title stringdescription stringtokenNameLabel stringnotSupported stringregisterTokenButtonText stringerrorRetry stringinitMfaDoneText object
title stringdescription stringcancelButtonText stringnextButtonText stringmfaProvidersText object
chooseOther stringotp stringu2f stringverifyMfaOtpText object
title stringdescription stringcodeLabel stringnextButtonText stringverifyMfaU2fText object
title stringdescription stringvalidateTokenText stringnotSupported stringerrorRetry stringpasswordlessText object
title stringdescription stringloginWithPwButtonText stringvalidateTokenButtonText stringnotSupported stringerrorRetry stringpasswordChangeText object
title stringdescription stringoldPasswordLabel stringnewPasswordLabel stringnewPasswordConfirmLabel stringcancelButtonText stringnextButtonText stringpasswordChangeDoneText object
title stringdescription stringnextButtonText stringpasswordResetDoneText object
title stringdescription stringnextButtonText stringregistrationOptionText object
title stringdescription stringuserNameButtonText stringexternalLoginDescription stringloginButtonText stringregistrationUserText object
title stringdescription stringdescriptionOrgRegister stringfirstnameLabel stringlastnameLabel stringemailLabel stringusernameLabel stringlanguageLabel stringgenderLabel stringpasswordLabel stringpasswordConfirmLabel stringtosAndPrivacyLabel stringtosConfirm stringtosLinkText stringprivacyConfirm stringprivacyLinkText stringnextButtonText stringbackButtonText stringregistrationOrgText object
title stringdescription stringorgnameLabel stringfirstnameLabel stringlastnameLabel stringusernameLabel stringemailLabel stringpasswordLabel stringpasswordConfirmLabel stringtosAndPrivacyLabel stringtosConfirm stringtosLinkText stringprivacyConfirm stringprivacyLinkText stringsaveButtonText stringlinkingUserDoneText object
title stringdescription stringcancelButtonText stringnextButtonText stringexternalUserNotFoundText object
title stringdescription stringlinkButtonText stringautoRegisterButtonText stringtosAndPrivacyLabel stringtosConfirm stringtosLinkText stringprivacyLinkText stringprivacyConfirm stringsuccessLoginText object
title stringautoRedirectDescription Text to describe that auto-redirect should happen after successful loginredirectedDescription Text to describe that the window can be closed after redirectnextButtonText stringlogoutText object
title stringdescription stringloginButtonText stringfooterText object
tos stringprivacyPolicy stringhelp stringsupportEmail stringpasswordlessPromptText object
title stringdescription stringdescriptionInit stringpasswordlessButtonText stringnextButtonText stringskipButtonText stringpasswordlessRegistrationText object
title stringdescription stringtokenNameLabel stringnotSupported stringregisterTokenButtonText stringerrorRetry stringpasswordlessRegistrationDoneText object
title stringdescription stringnextButtonText stringcancelButtonText stringdescriptionClose stringexternalRegistrationUserOverviewText object
title stringdescription stringemailLabel stringusernameLabel stringfirstnameLabel stringlastnameLabel stringnicknameLabel stringlanguageLabel stringphoneLabel stringtosAndPrivacyLabel stringtosConfirm stringtosLinkText stringprivacyLinkText stringbackButtonText stringnextButtonText stringprivacyConfirm string]initMessages object[]
Array [language stringtitle stringPossible values:
<= 200 characters
preHeader stringPossible values:
<= 200 characters
subject stringPossible values:
<= 200 characters
greeting stringPossible values:
<= 200 characters
text stringPossible values:
<= 800 characters
buttonText stringPossible values:
<= 200 characters
footerText string]passwordResetMessages object[]
Array [language stringtitle stringPossible values:
<= 200 characters
preHeader stringPossible values:
<= 200 characters
subject stringPossible values:
<= 200 characters
greeting stringPossible values:
<= 200 characters
text stringPossible values:
<= 800 characters
buttonText stringPossible values:
<= 200 characters
footerText string]verifyEmailMessages object[]
Array [language stringtitle stringPossible values:
<= 200 characters
preHeader stringPossible values:
<= 200 characters
subject stringPossible values:
<= 200 characters
greeting stringPossible values:
<= 200 characters
text stringPossible values:
<= 800 characters
buttonText stringPossible values:
<= 200 characters
footerText string]verifyPhoneMessages object[]
Array [language stringtitle stringPossible values:
<= 200 characters
preHeader stringPossible values:
<= 200 characters
subject stringPossible values:
<= 200 characters
greeting stringPossible values:
<= 200 characters
text stringPossible values:
<= 800 characters
buttonText stringPossible values:
<= 200 characters
footerText string]domainClaimedMessages object[]
Array [language stringtitle stringPossible values:
<= 200 characters
preHeader stringPossible values:
<= 200 characters
subject stringPossible values:
<= 200 characters
greeting stringPossible values:
<= 200 characters
text stringPossible values:
<= 800 characters
buttonText stringPossible values:
<= 200 characters
footerText string]passwordlessRegistrationMessages object[]
Array [language stringtitle stringPossible values:
<= 200 characters
preHeader stringPossible values:
<= 200 characters
subject stringPossible values:
<= 200 characters
greeting stringPossible values:
<= 200 characters
text stringPossible values:
<= 800 characters
buttonText stringPossible values:
<= 200 characters
footerText string]oidcIdps object[]
Array [idpId stringidp object
name stringPossible values:
non-empty
and<= 200 characters
stylingType stringPossible values: [
STYLING_TYPE_UNSPECIFIED
,STYLING_TYPE_GOOGLE
]Default value:
STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
clientId stringPossible values:
non-empty
and<= 200 characters
client id generated by the identity provider
clientSecret stringPossible values:
non-empty
and<= 200 characters
client secret generated by the identity provider
issuer stringthe OIDC issuer of the identity provider
scopes string[]the scopes requested by ZITADEL during the request on the identity provider
displayNameMapping stringPossible values: [
OIDC_MAPPING_FIELD_UNSPECIFIED
,OIDC_MAPPING_FIELD_PREFERRED_USERNAME
,OIDC_MAPPING_FIELD_EMAIL
]Default value:
OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the display name of the user
usernameMapping stringPossible values: [
OIDC_MAPPING_FIELD_UNSPECIFIED
,OIDC_MAPPING_FIELD_PREFERRED_USERNAME
,OIDC_MAPPING_FIELD_EMAIL
]Default value:
OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the email of the user
autoRegister boolean]jwtIdps object[]
Array [idpId stringidp object
name stringPossible values:
non-empty
and<= 200 characters
stylingType stringPossible values: [
STYLING_TYPE_UNSPECIFIED
,STYLING_TYPE_GOOGLE
]Default value:
STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
jwtEndpoint stringPossible values:
non-empty
and<= 200 characters
the endpoint where the JWT can be extracted
issuer stringPossible values:
non-empty
and<= 200 characters
the issuer of the JWT (for validation)
keysEndpoint stringPossible values:
non-empty
and<= 200 characters
the endpoint to the key (JWK) which is used to sign the JWT with
headerName stringPossible values:
non-empty
and<= 200 characters
the name of the header where the JWT is sent in, default is authorization
autoRegister boolean]userLinks object[]
Array [userId stringthe id of the user
idpId stringthe id of the identity provider
idpName stringthe name of the identity provider
providedUserId stringthe id of the user provided by the identity provider
providedUserName stringthe id of the identity provider
idpType authorization framework of the identity providerPossible values: [
IDP_TYPE_UNSPECIFIED
,IDP_TYPE_OIDC
,IDP_TYPE_JWT
]Default value:
IDP_TYPE_UNSPECIFIED
the authorization framework of the identity provider
]domains object[]
Array [orgId stringdetails object
sequence uint64on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
creationDate date-timeon read: the timestamp of the first event of the object
on create: the timestamp of the event(s) added by the manipulation
changeDate date-timeon read: the timestamp of the last event reduced by the projection
on manipulation: the
resourceOwner resource_owner is the organization an object belongs todomainName stringisVerified booleandefines if the domain is verified
isPrimary booleandefines if the domain is the primary domain
validationType stringPossible values: [
DOMAIN_VALIDATION_TYPE_UNSPECIFIED
,DOMAIN_VALIDATION_TYPE_HTTP
,DOMAIN_VALIDATION_TYPE_DNS
]Default value:
DOMAIN_VALIDATION_TYPE_UNSPECIFIED
defines the protocol the domain was validated with
]appKeys object[]
Array [id stringprojectId stringappId stringclientId stringtype stringPossible values: [
KEY_TYPE_UNSPECIFIED
,KEY_TYPE_JSON
]Default value:
KEY_TYPE_UNSPECIFIED
expirationDate date-timepublicKey byte]machineKeys object[]
Array [keyId stringuserId stringtype stringPossible values: [
KEY_TYPE_UNSPECIFIED
,KEY_TYPE_JSON
]Default value:
KEY_TYPE_UNSPECIFIED
expirationDate date-timepublicKey byte]]
{
"orgs": [
{
"orgId": "string",
"org": {
"name": "Customer A"
},
"domainPolicy": {
"orgId": "#69629023906488334",
"userLoginMustBeDomain": true,
"validateOrgDomains": true,
"smtpSenderAddressMatchesInstanceDomain": true
},
"labelPolicy": {
"primaryColor": "#353535",
"hideLoginNameSuffix": true,
"warnColor": "#CD3D56",
"backgroundColor": "#FAFAFA",
"fontColor": "#000000",
"primaryColorDark": "#BBBAFA",
"backgroundColorDark": "#111827",
"warnColorDark": "#FF3B5B",
"fontColorDark": "#FFFFFF",
"disableWatermark": true
},
"lockoutPolicy": {
"maxPasswordAttempts": 0
},
"loginPolicy": {
"allowUsernamePassword": true,
"allowRegister": true,
"allowExternalIdp": true,
"forceMfa": true,
"passwordlessType": "PASSWORDLESS_TYPE_NOT_ALLOWED",
"hidePasswordReset": true,
"ignoreUnknownUsernames": true,
"defaultRedirectUri": "string",
"passwordCheckLifetime": "string",
"externalLoginCheckLifetime": "string",
"mfaInitSkipLifetime": "string",
"secondFactorCheckLifetime": "string",
"multiFactorCheckLifetime": "string",
"secondFactors": [
"SECOND_FACTOR_TYPE_UNSPECIFIED"
],
"multiFactors": [
"MULTI_FACTOR_TYPE_UNSPECIFIED"
],
"idps": [
{
"idpId": "string",
"ownerType": "IDP_OWNER_TYPE_UNSPECIFIED"
}
],
"allowDomainDiscovery": true,
"disableLoginWithEmail": true,
"disableLoginWithPhone": true
},
"passwordComplexityPolicy": {
"minLength": "8",
"hasUppercase": true,
"hasLowercase": true,
"hasNumber": true,
"hasSymbol": true
},
"privacyPolicy": {
"tosLink": "https://zitadel.com/docs/legal/terms-of-service",
"privacyLink": "https://zitadel.com/docs/legal/privacy-policy",
"helpLink": "https://zitadel.com/docs/manuals/introduction",
"supportEmail": "support-email@test.com"
},
"projects": [
{
"projectId": "string",
"project": {
"name": "MyProject",
"projectRoleAssertion": true,
"projectRoleCheck": true,
"hasProjectCheck": true,
"privateLabelingSetting": "PRIVATE_LABELING_SETTING_UNSPECIFIED"
}
}
],
"projectRoles": [
{
"projectId": "string",
"roleKey": "ADMIN",
"displayName": "Administrator",
"group": "Admins"
}
],
"apiApps": [
{
"appId": "string",
"app": {
"projectId": "string",
"name": "MyAPIApp",
"authMethodType": "API_AUTH_METHOD_TYPE_BASIC"
}
}
],
"oidcApps": [
{
"appId": "string",
"app": {
"projectId": "string",
"name": "MyOIDCApp",
"redirectUris": [
"http://localhost:4200/auth/callback"
],
"responseTypes": [
"OIDC_RESPONSE_TYPE_CODE"
],
"grantTypes": [
"OIDC_GRANT_TYPE_AUTHORIZATION_CODE"
],
"appType": "OIDC_APP_TYPE_WEB",
"authMethodType": "OIDC_AUTH_METHOD_TYPE_BASIC",
"postLogoutRedirectUris": [
"http://localhost:4200/signedout"
],
"version": "OIDC_VERSION_1_0",
"devMode": true,
"accessTokenType": "OIDC_TOKEN_TYPE_BEARER",
"accessTokenRoleAssertion": true,
"idTokenRoleAssertion": true,
"idTokenUserinfoAssertion": true,
"clockSkew": "1s",
"additionalOrigins": [
"https://console.zitadel.ch/auth/callback"
],
"skipNativeAppSuccessPage": true
}
}
],
"humanUsers": [
{
"userId": "string",
"user": {
"userName": "minnie-mouse",
"profile": {
"firstName": "Minnie",
"lastName": "Mouse",
"nickName": "Mini",
"displayName": "Minnie Mouse",
"preferredLanguage": "en",
"gender": "GENDER_FEMALE"
},
"email": {
"email": "minnie@mouse.com",
"isEmailVerified": true
},
"phone": {
"phone": "+41 71 000 00 00",
"isPhoneVerified": true
},
"password": "string",
"hashedPassword": {
"value": "string",
"algorithm": "string"
},
"passwordChangeRequired": true,
"requestPasswordlessRegistration": true,
"otpCode": "string",
"idps": [
{
"configId": "idp-config-id",
"externalUserId": "idp-config-id",
"displayName": "minnie.mouse@gmail.com"
}
]
}
}
],
"machineUsers": [
{
"userId": "string",
"user": {
"userName": "robot",
"name": "My Machine Account",
"description": "First machine account used for API XY.",
"accessTokenType": "ACCESS_TOKEN_TYPE_BEARER"
}
}
],
"triggerActions": [
{
"flowType": "1",
"triggerType": "1",
"actionIds": [
"string"
]
}
],
"actions": [
{
"actionId": "string",
"action": {
"name": "log context",
"script": "function log(context, calls){console.log(context)}",
"timeout": "string",
"allowedToFail": true
}
}
],
"projectGrants": [
{
"grantId": "string",
"projectGrant": {
"projectId": "string",
"grantedOrgId": "28746028909593987",
"roleKeys": [
"RoleKey1",
"RoleKey2"
]
}
}
],
"userGrants": [
{
"userId": "69629026806489455",
"projectId": "58949026806489455",
"projectGrantId": "9847026806489455",
"roleKeys": [
"RoleKey1",
"RoleKey2"
]
}
],
"orgMembers": [
{
"userId": "string",
"roles": [
"IAM_OWNER"
]
}
],
"projectMembers": [
{
"projectId": "string",
"userId": "string",
"roles": [
"PROJECT_OWNER"
]
}
],
"projectGrantMembers": [
{
"projectId": "string",
"grantId": "string",
"userId": "69629012906488334",
"roles": [
"PROJECT_GRANT_OWNER"
]
}
],
"userMetadata": [
{
"id": "my-user-id",
"key": "my-key",
"value": "VGhpcyBpcyBteSB0ZXN0IHZhbHVl"
}
],
"loginTexts": [
{
"language": "de",
"selectAccountText": {
"title": "string",
"description": "string",
"titleLinkingProcess": "string",
"descriptionLinkingProcess": "string",
"otherUser": "string",
"sessionStateActive": "string",
"sessionStateInactive": "string",
"userMustBeMemberOfOrg": "string"
},
"loginText": {
"title": "string",
"description": "string",
"titleLinkingProcess": "string",
"descriptionLinkingProcess": "string",
"userMustBeMemberOfOrg": "string",
"loginNameLabel": "string",
"registerButtonText": "string",
"nextButtonText": "string",
"externalUserDescription": "string",
"userNamePlaceholder": "string",
"loginNamePlaceholder": "string"
},
"passwordText": {
"title": "string",
"description": "string",
"passwordLabel": "string",
"resetLinkText": "string",
"backButtonText": "string",
"nextButtonText": "string",
"minLength": "string",
"hasUppercase": "string",
"hasLowercase": "string",
"hasNumber": "string",
"hasSymbol": "string",
"confirmation": "string"
},
"usernameChangeText": {
"title": "string",
"description": "string",
"usernameLabel": "string",
"cancelButtonText": "string",
"nextButtonText": "string"
},
"usernameChangeDoneText": {
"title": "string",
"description": "string",
"nextButtonText": "string"
},
"initPasswordText": {
"title": "string",
"description": "string",
"codeLabel": "string",
"newPasswordLabel": "string",
"newPasswordConfirmLabel": "string",
"nextButtonText": "string",
"resendButtonText": "string"
},
"initPasswordDoneText": {
"title": "string",
"description": "string",
"nextButtonText": "string",
"cancelButtonText": "string"
},
"emailVerificationText": {
"title": "string",
"description": "string",
"codeLabel": "string",
"nextButtonText": "string",
"resendButtonText": "string"
},
"emailVerificationDoneText": {
"title": "string",
"description": "string",
"nextButtonText": "string",
"cancelButtonText": "string",
"loginButtonText": "string"
},
"initializeUserText": {
"title": "string",
"description": "string",
"codeLabel": "string",
"newPasswordLabel": "string",
"newPasswordConfirmLabel": "string",
"resendButtonText": "string",
"nextButtonText": "string"
},
"initializeDoneText": {
"title": "string",
"description": "string",
"cancelButtonText": "string",
"nextButtonText": "string"
},
"initMfaPromptText": {
"title": "string",
"description": "string",
"otpOption": "string",
"u2fOption": "string",
"skipButtonText": "string",
"nextButtonText": "string"
},
"initMfaOtpText": {
"title": "string",
"description": "string",
"descriptionOtp": "string",
"secretLabel": "string",
"codeLabel": "string",
"nextButtonText": "string",
"cancelButtonText": "string"
},
"initMfaU2fText": {
"title": "string",
"description": "string",
"tokenNameLabel": "string",
"notSupported": "string",
"registerTokenButtonText": "string",
"errorRetry": "string"
},
"initMfaDoneText": {
"title": "string",
"description": "string",
"cancelButtonText": "string",
"nextButtonText": "string"
},
"mfaProvidersText": {
"chooseOther": "string",
"otp": "string",
"u2f": "string"
},
"verifyMfaOtpText": {
"title": "string",
"description": "string",
"codeLabel": "string",
"nextButtonText": "string"
},
"verifyMfaU2fText": {
"title": "string",
"description": "string",
"validateTokenText": "string",
"notSupported": "string",
"errorRetry": "string"
},
"passwordlessText": {
"title": "string",
"description": "string",
"loginWithPwButtonText": "string",
"validateTokenButtonText": "string",
"notSupported": "string",
"errorRetry": "string"
},
"passwordChangeText": {
"title": "string",
"description": "string",
"oldPasswordLabel": "string",
"newPasswordLabel": "string",
"newPasswordConfirmLabel": "string",
"cancelButtonText": "string",
"nextButtonText": "string"
},
"passwordChangeDoneText": {
"title": "string",
"description": "string",
"nextButtonText": "string"
},
"passwordResetDoneText": {
"title": "string",
"description": "string",
"nextButtonText": "string"
},
"registrationOptionText": {
"title": "string",
"description": "string",
"userNameButtonText": "string",
"externalLoginDescription": "string",
"loginButtonText": "string"
},
"registrationUserText": {
"title": "string",
"description": "string",
"descriptionOrgRegister": "string",
"firstnameLabel": "string",
"lastnameLabel": "string",
"emailLabel": "string",
"usernameLabel": "string",
"languageLabel": "string",
"genderLabel": "string",
"passwordLabel": "string",
"passwordConfirmLabel": "string",
"tosAndPrivacyLabel": "string",
"tosConfirm": "string",
"tosLinkText": "string",
"privacyConfirm": "string",
"privacyLinkText": "string",
"nextButtonText": "string",
"backButtonText": "string"
},
"registrationOrgText": {
"title": "string",
"description": "string",
"orgnameLabel": "string",
"firstnameLabel": "string",
"lastnameLabel": "string",
"usernameLabel": "string",
"emailLabel": "string",
"passwordLabel": "string",
"passwordConfirmLabel": "string",
"tosAndPrivacyLabel": "string",
"tosConfirm": "string",
"tosLinkText": "string",
"privacyConfirm": "string",
"privacyLinkText": "string",
"saveButtonText": "string"
},
"linkingUserDoneText": {
"title": "string",
"description": "string",
"cancelButtonText": "string",
"nextButtonText": "string"
},
"externalUserNotFoundText": {
"title": "string",
"description": "string",
"linkButtonText": "string",
"autoRegisterButtonText": "string",
"tosAndPrivacyLabel": "string",
"tosConfirm": "string",
"tosLinkText": "string",
"privacyLinkText": "string",
"privacyConfirm": "string"
},
"successLoginText": {
"title": "string",
"autoRedirectDescription": "string",
"redirectedDescription": "string",
"nextButtonText": "string"
},
"logoutText": {
"title": "string",
"description": "string",
"loginButtonText": "string"
},
"footerText": {
"tos": "string",
"privacyPolicy": "string",
"help": "string",
"supportEmail": "string"
},
"passwordlessPromptText": {
"title": "string",
"description": "string",
"descriptionInit": "string",
"passwordlessButtonText": "string",
"nextButtonText": "string",
"skipButtonText": "string"
},
"passwordlessRegistrationText": {
"title": "string",
"description": "string",
"tokenNameLabel": "string",
"notSupported": "string",
"registerTokenButtonText": "string",
"errorRetry": "string"
},
"passwordlessRegistrationDoneText": {
"title": "string",
"description": "string",
"nextButtonText": "string",
"cancelButtonText": "string",
"descriptionClose": "string"
},
"externalRegistrationUserOverviewText": {
"title": "string",
"description": "string",
"emailLabel": "string",
"usernameLabel": "string",
"firstnameLabel": "string",
"lastnameLabel": "string",
"nicknameLabel": "string",
"languageLabel": "string",
"phoneLabel": "string",
"tosAndPrivacyLabel": "string",
"tosConfirm": "string",
"tosLinkText": "string",
"privacyLinkText": "string",
"backButtonText": "string",
"nextButtonText": "string",
"privacyConfirm": "string"
}
}
],
"initMessages": [
{
"language": "de",
"title": "ZITADEL - Initialize User",
"preHeader": "Initialize User",
"subject": "Initialize User",
"greeting": "Hello {{.FirstName}} {{.LastName}},",
"text": "This user was created in Zitadel. Use the username {{.PreferredLoginName}} to log in. Please click the button below to finish the initialization process. (Code {{.Code}}) If you didn't ask for this mail, please ignore it.",
"buttonText": "Finish initialization",
"footerText": "string"
}
],
"passwordResetMessages": [
{
"language": "de",
"title": "ZITADEL - Reset Password",
"preHeader": "Reset Password",
"subject": "Reset Password",
"greeting": "Hello {{.FirstName}} {{.LastName}},",
"text": "We received a password reset request. Please use the button below to reset your password. (Code {{.Code}}) If you didn't ask for this mail, please ignore it.",
"buttonText": "Reset Password",
"footerText": "string"
}
],
"verifyEmailMessages": [
{
"language": "de",
"title": "ZITADEL - Verify Email",
"preHeader": "Verify Email",
"subject": "Verify Email",
"greeting": "Hello {{.FirstName}} {{.LastName}},",
"text": "A new email has been added. Please use the button below to verify your mail. (Code {{.Code}}) If you didn't add a new email, please ignore this email.",
"buttonText": "Verify Email",
"footerText": "string"
}
],
"verifyPhoneMessages": [
{
"language": "de",
"title": "ZITADEL - Verify Phone",
"preHeader": "Verify Phone",
"subject": "Verify Phone",
"greeting": "Hello {{.FirstName}} {{.LastName}},",
"text": "A new phone number has been added. Please use the following code to verify it {{.Code}}.",
"buttonText": "Verify Phone",
"footerText": "string"
}
],
"domainClaimedMessages": [
{
"language": "de",
"title": "ZITADEL - Domain has been claimed",
"preHeader": "Change email / username",
"subject": "Domain has been claimed",
"greeting": "Hello {{.FirstName}} {{.LastName}},",
"text": "The domain {{.Domain}} has been claimed by an organization. Your current user {{.UserName}} is not part of this organization. Therefore you'll have to change your email when you log in. We have created a temporary username ({{.TempUsername}}) for this login.",
"buttonText": "Login",
"footerText": "string"
}
],
"passwordlessRegistrationMessages": [
{
"language": "de",
"title": "ZITADEL - Password of the user has changed",
"preHeader": "Password Changed",
"subject": "Password of user has changed",
"greeting": "Hello {{.FirstName}} {{.LastName}},",
"text": "The password of your user has changed, if this change was not done by you, please be advised to immediately reset your password.",
"buttonText": "Login",
"footerText": "string"
}
],
"oidcIdps": [
{
"idpId": "string",
"idp": {
"name": "google",
"stylingType": "STYLING_TYPE_UNSPECIFIED",
"clientId": "string",
"clientSecret": "string",
"issuer": "https://accounts.google.com",
"scopes": [
"openid",
"profile",
"email"
],
"displayNameMapping": "OIDC_MAPPING_FIELD_UNSPECIFIED",
"usernameMapping": "OIDC_MAPPING_FIELD_UNSPECIFIED",
"autoRegister": true
}
}
],
"jwtIdps": [
{
"idpId": "string",
"idp": {
"name": "google",
"stylingType": "STYLING_TYPE_UNSPECIFIED",
"jwtEndpoint": "https://accounts.google.com",
"issuer": "https://accounts.google.com",
"keysEndpoint": "https://accounts.google.com/keys",
"headerName": "x-auth-token",
"autoRegister": true
}
}
],
"userLinks": [
{
"userId": "69629023906488334",
"idpId": "69629023906488334",
"idpName": "google",
"providedUserId": "as-12-df-89",
"providedUserName": "gigi.long-neck@gmail.com",
"idpType": "IDP_TYPE_UNSPECIFIED"
}
],
"domains": [
{
"orgId": "69629023906488334",
"details": {
"sequence": "2",
"creationDate": "2023-05-02",
"changeDate": "2023-05-02",
"resourceOwner": "69629023906488334"
},
"domainName": "zitadel.com",
"isVerified": true,
"isPrimary": true,
"validationType": "DOMAIN_VALIDATION_TYPE_UNSPECIFIED"
}
],
"appKeys": [
{
"id": "string",
"projectId": "string",
"appId": "string",
"clientId": "string",
"type": "KEY_TYPE_UNSPECIFIED",
"expirationDate": "2023-05-02",
"publicKey": "string"
}
],
"machineKeys": [
{
"keyId": "string",
"userId": "string",
"type": "KEY_TYPE_UNSPECIFIED",
"expirationDate": "2023-05-02",
"publicKey": "string"
}
]
}
]
}
- Schema
- Example (from schema)
Schema
orgs object[]
Array [orgId stringorg object
name stringPossible values:
non-empty
and<= 200 characters
domainPolicy object
orgId stringPossible values:
non-empty
and<= 200 characters
userLoginMustBeDomain the username has to end with the domain of its organization (uniqueness is organization based)the username has to end with the domain of its organization
validateOrgDomains booleandefines if organization domains should be validated org count as validated automatically
smtpSenderAddressMatchesInstanceDomain booleandefines if the SMTP sender address domain should match an existing domain on the instance
labelPolicy object
primaryColor stringPossible values:
<= 50 characters
Represents a color scheme
hideLoginNameSuffix hides the org suffix on the login form if the scope \"urn:zitadel:iam:org:domain:primary:{domainname}\" is sethides the org suffix on the login form if the scope "urn:zitadel:iam:org:domain:primary:{domainname}" is set
warnColor stringPossible values:
<= 50 characters
hex value for warn color
backgroundColor stringPossible values:
<= 50 characters
hex value for background color
fontColor stringPossible values:
<= 50 characters
hex value for font color
primaryColorDark stringPossible values:
<= 50 characters
hex value for the primary color dark theme
backgroundColorDark stringPossible values:
<= 50 characters
hex value for background color dark theme
warnColorDark stringPossible values:
<= 50 characters
hex value for warning color dark theme
fontColorDark stringPossible values:
<= 50 characters
hex value for font color dark theme
disableWatermark booleanlockoutPolicy object
maxPasswordAttempts int64When the user has reached the maximum password attempts the account will be locked, If this is set to 0 the lockout will not trigger.
loginPolicy object
allowUsernamePassword booleanallowRegister booleanallowExternalIdp booleanforceMfa booleanpasswordlessType - PASSWORDLESS_TYPE_ALLOWED: PLANNED: PASSWORDLESS_TYPE_WITH_CERTPossible values: [
PASSWORDLESS_TYPE_NOT_ALLOWED
,PASSWORDLESS_TYPE_ALLOWED
]Default value:
PASSWORDLESS_TYPE_NOT_ALLOWED
hidePasswordReset booleanignoreUnknownUsernames booleandefines if unknown username on login screen directly returns an error or always displays the password screen
defaultRedirectUri stringdefines where the user will be redirected to if the login is started without app context (e.g. from mail)
passwordCheckLifetime stringexternalLoginCheckLifetime stringmfaInitSkipLifetime stringsecondFactorCheckLifetime stringmultiFactorCheckLifetime stringsecondFactors string[]Possible values: [
SECOND_FACTOR_TYPE_UNSPECIFIED
,SECOND_FACTOR_TYPE_OTP
,SECOND_FACTOR_TYPE_U2F
]multiFactors string[]Possible values: [
MULTI_FACTOR_TYPE_UNSPECIFIED
,MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION
]idps object[]
Array [idpId stringownerType stringPossible values: [
IDP_OWNER_TYPE_UNSPECIFIED
,IDP_OWNER_TYPE_SYSTEM
,IDP_OWNER_TYPE_ORG
]Default value:
IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.
- IDP_OWNER_TYPE_SYSTEM: system is managed by the ZITADEL administrators
- IDP_OWNER_TYPE_ORG: org is managed by de organization administrators
]allowDomainDiscovery booleanIf set to true, the suffix (@domain.com) of an unknown username input on the login screen will be matched against the org domains and will redirect to the registration of that organization on success.
disableLoginWithEmail booleandefines if the user can additionally (to the login name) be identified by their verified email address
disableLoginWithPhone booleandefines if the user can additionally (to the login name) be identified by their verified phone number
passwordComplexityPolicy object
minLength uint64hasUppercase booleanDefines if the password MUST contain an upper case letter
hasLowercase booleanDefines if the password MUST contain a lowercase letter
hasNumber booleanDefines if the password MUST contain a number
hasSymbol booleanDefines if the password MUST contain a symbol. E.g. "$"
privacyPolicy object
tosLink stringIf registration is enabled, the user has to accept the TOS. Variable {{.Lang}} can be set to have different links based on the language.
privacyLink stringIf registration is enabled, the user has to accept the privacy terms. Variable {{.Lang}} can be set to have different links based on the language.
helpLink stringVariable {{.Lang}} can be set to have different links based on the language.
supportEmail stringhelp / support email address.
projects object[]
Array [projectId stringproject object
name stringPossible values:
non-empty
and<= 200 characters
projectRoleAssertion booleanEnable this setting to have role information included in the user info endpoint. It is also dependent on your application settings to include it in tokens and other types.
projectRoleCheck booleanWhen enabled ZITADEL will check if a user has a role of this project assigned when login into an application of this project.
hasProjectCheck booleanWhen enabled ZITADEL will check if the organization of the user, that is trying to log in, has a grant to this project.
privateLabelingSetting stringPossible values: [
PRIVATE_LABELING_SETTING_UNSPECIFIED
,PRIVATE_LABELING_SETTING_ENFORCE_PROJECT_RESOURCE_OWNER_POLICY
,PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY
]Default value:
PRIVATE_LABELING_SETTING_UNSPECIFIED
Define which private labeling/branding should trigger when getting to a login of this project.
]projectRoles object[]
Array [projectId stringroleKey stringPossible values:
non-empty
and<= 200 characters
The key is the only relevant attribute for ZITADEL regarding the authorization checks.
displayName stringPossible values:
non-empty
and<= 200 characters
group stringPossible values:
<= 200 characters
The group is only used for display purposes. That you have better handling, like giving all the roles from a group to a user.
]apiApps object[]
Array [appId stringapp object
projectId stringname stringPossible values:
non-empty
and<= 200 characters
authMethodType stringPossible values: [
API_AUTH_METHOD_TYPE_BASIC
,API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]Default value:
API_AUTH_METHOD_TYPE_BASIC
]oidcApps object[]
Array [appId stringapp object
projectId stringname stringPossible values:
non-empty
and<= 200 characters
redirectUris string[]Callback URI of the authorization request where the code or tokens will be sent to
responseTypes string[]Possible values: [
OIDC_RESPONSE_TYPE_CODE
,OIDC_RESPONSE_TYPE_ID_TOKEN
,OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN
]Determines whether a code, id_token token or just id_token will be returned
grantTypes string[]Possible values: [
OIDC_GRANT_TYPE_AUTHORIZATION_CODE
,OIDC_GRANT_TYPE_IMPLICIT
,OIDC_GRANT_TYPE_REFRESH_TOKEN
,OIDC_GRANT_TYPE_DEVICE_CODE
]The flow type the application uses to gain access
appType stringPossible values: [
OIDC_APP_TYPE_WEB
,OIDC_APP_TYPE_USER_AGENT
,OIDC_APP_TYPE_NATIVE
]Default value:
OIDC_APP_TYPE_WEB
Determines the paradigm of the application
authMethodType stringPossible values: [
OIDC_AUTH_METHOD_TYPE_BASIC
,OIDC_AUTH_METHOD_TYPE_POST
,OIDC_AUTH_METHOD_TYPE_NONE
,OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]Default value:
OIDC_AUTH_METHOD_TYPE_BASIC
Defines how the application passes login credentials
postLogoutRedirectUris string[]ZITADEL will redirect to this link after a successful logout
version stringPossible values: [
OIDC_VERSION_1_0
]Default value:
OIDC_VERSION_1_0
devMode booleanUsed for development, some checks of the OIDC specification will not be checked.
accessTokenType stringPossible values: [
OIDC_TOKEN_TYPE_BEARER
,OIDC_TOKEN_TYPE_JWT
]Default value:
OIDC_TOKEN_TYPE_BEARER
Type of the access token returned from ZITADEL
accessTokenRoleAssertion booleanAdds roles to the claims of the access token (only if type == JWT) even if they are not requested by scopes
idTokenRoleAssertion booleanAdds roles to the claims of the id token even if they are not requested by scopes
idTokenUserinfoAssertion booleanClaims of profile, email, address and phone scopes are added to the id token even if an access token is issued. Attention this violates the OIDC specification
clockSkew stringUsed to compensate time difference of servers. Duration added to the "exp" claim and subtracted from "iat", "auth_time" and "nbf" claims
additionalOrigins string[]Additional origins (other than the redirect_uris) from where the API can be used
skipNativeAppSuccessPage booleanSkip the successful login page on native apps and directly redirect the user to the callback.
]humanUsers object[]
Array [userId stringuser object
userName stringprofile object
Profile includes the basic information of a user, like first name, last name, etc.
firstName stringPossible values:
non-empty
and<= 200 characters
lastName stringPossible values:
non-empty
and<= 200 characters
nickName stringPossible values:
<= 200 characters
displayName stringPossible values:
<= 200 characters
preferredLanguage stringPossible values:
<= 10 characters
gender stringPossible values: [
GENDER_UNSPECIFIED
,GENDER_FEMALE
,GENDER_MALE
,GENDER_DIVERSE
]Default value:
GENDER_UNSPECIFIED
email object
email stringObject that contains the email address and a verified flag.
isEmailVerified booleanIf email verified is set to true, the email will be added as verified and the user doesn't have to verify.
phone object
Object that contains the number and a verified flag
phone stringPossible values:
non-empty
and<= 50 characters
mobile phone number of the user. (use global pattern of spec https://tools.ietf.org/html/rfc3966)
isPhoneVerified booleanpassword stringhashedPassword object
Use this to import hashed passwords from another system.
value stringalgorithm stringpasswordChangeRequired booleanIf this is set to true, the user has to change the password on the next login.
requestPasswordlessRegistration booleanIf this is set to true, you will get a link for the passwordless/passkey registration in the response.
otpCode stringidps object[]
To link your user directly with an external identity provider (Identity brokering)
Array [configId stringPossible values:
non-empty
and<= 200 characters
The internal ID of the identity provider configured in ZITADEL.
externalUserId stringPossible values:
non-empty
and<= 200 characters
The id of the user in the external identity provider
displayName stringPossible values:
<= 200 characters
A display name ZITADEL can show on the linked provider.
]]machineUsers object[]
Array [userId stringuser object
userName stringPossible values:
non-empty
and<= 200 characters
name stringPossible values:
non-empty
and<= 200 characters
description stringPossible values:
<= 500 characters
accessTokenType stringPossible values: [
ACCESS_TOKEN_TYPE_BEARER
,ACCESS_TOKEN_TYPE_JWT
]Default value:
ACCESS_TOKEN_TYPE_BEARER
]triggerActions object[]
Array [flowType id of the flow typeAt the moment you have to send the ID of the Flow Type: ExternalAuthentication=1, CustomiseToken=2, InternalAuthentication=3, PreUserinfoCreation=3
triggerType id of the trigger typeAt the moment you have to send the ID of the Trigger Type: PostAuthentication=1, PreCreation=2, PostCreation=3, PreUserinfoCreation=4, PreAccessTokenCreation=5
actionIds string[]]actions object[]
Array [actionId stringaction object
name stringPossible values:
non-empty
and<= 200 characters
script stringPossible values:
non-empty
and<= 2000 characters
Javascript code that should be executed
timeout stringafter which time the action will be terminated if not finished
allowedToFail booleanwhen true, the next action will be called even if this action fails
]projectGrants object[]
Array [grantId stringprojectGrant object
projectId stringgrantedOrgId stringroleKeys string[]]userGrants object[]
Array [userId stringPossible values:
non-empty
projectId stringPossible values:
non-empty
and<= 200 characters
projectGrantId stringPossible values:
<= 200 characters
Make sure to fill in the project grant id if the user grant is for a granted project and the organization is not the owner of the project.
roleKeys string[]]orgMembers object[]
Array [userId stringroles string[]If no roles are provided the user won't have any rights
]projectMembers object[]
Array [projectId stringuserId stringroles string[]If no roles are provided the user won't have any rights
]projectGrantMembers object[]
Array [projectId stringgrantId stringuserId stringPossible values:
non-empty
and<= 200 characters
roles string[]If no roles are provided the user won't have any rights
]userMetadata object[]
Array [id stringPossible values:
non-empty
and<= 200 characters
key stringPossible values:
non-empty
and<= 200 characters
value bytePossible values:
non-empty
and<= 500000 characters
The value has to be base64 encoded.
]loginTexts object[]
Array [language stringselectAccountText object
title stringdescription stringtitleLinkingProcess stringdescriptionLinkingProcess stringotherUser stringsessionStateActive stringsessionStateInactive stringuserMustBeMemberOfOrg stringloginText object
title stringdescription stringtitleLinkingProcess stringdescriptionLinkingProcess stringuserMustBeMemberOfOrg stringloginNameLabel stringregisterButtonText stringnextButtonText stringexternalUserDescription stringuserNamePlaceholder stringloginNamePlaceholder stringpasswordText object
title stringdescription stringpasswordLabel stringresetLinkText stringbackButtonText stringnextButtonText stringminLength stringhasUppercase stringhasLowercase stringhasNumber stringhasSymbol stringconfirmation stringusernameChangeText object
title stringdescription stringusernameLabel stringcancelButtonText stringnextButtonText stringusernameChangeDoneText object
title stringdescription stringnextButtonText stringinitPasswordText object
title stringdescription stringcodeLabel stringnewPasswordLabel stringnewPasswordConfirmLabel stringnextButtonText stringresendButtonText stringinitPasswordDoneText object
title stringdescription stringnextButtonText stringcancelButtonText stringemailVerificationText object
title stringdescription stringcodeLabel stringnextButtonText stringresendButtonText stringemailVerificationDoneText object
title stringdescription stringnextButtonText stringcancelButtonText stringloginButtonText stringinitializeUserText object
title stringdescription stringcodeLabel stringnewPasswordLabel stringnewPasswordConfirmLabel stringresendButtonText stringnextButtonText stringinitializeDoneText object
title stringdescription stringcancelButtonText stringnextButtonText stringinitMfaPromptText object
title stringdescription stringotpOption stringu2fOption stringskipButtonText stringnextButtonText stringinitMfaOtpText object
title stringdescription stringdescriptionOtp stringsecretLabel stringcodeLabel stringnextButtonText stringcancelButtonText stringinitMfaU2fText object
title stringdescription stringtokenNameLabel stringnotSupported stringregisterTokenButtonText stringerrorRetry stringinitMfaDoneText object
title stringdescription stringcancelButtonText stringnextButtonText stringmfaProvidersText object
chooseOther stringotp stringu2f stringverifyMfaOtpText object
title stringdescription stringcodeLabel stringnextButtonText stringverifyMfaU2fText object
title stringdescription stringvalidateTokenText stringnotSupported stringerrorRetry stringpasswordlessText object
title stringdescription stringloginWithPwButtonText stringvalidateTokenButtonText stringnotSupported stringerrorRetry stringpasswordChangeText object
title stringdescription stringoldPasswordLabel stringnewPasswordLabel stringnewPasswordConfirmLabel stringcancelButtonText stringnextButtonText stringpasswordChangeDoneText object
title stringdescription stringnextButtonText stringpasswordResetDoneText object
title stringdescription stringnextButtonText stringregistrationOptionText object
title stringdescription stringuserNameButtonText stringexternalLoginDescription stringloginButtonText stringregistrationUserText object
title stringdescription stringdescriptionOrgRegister stringfirstnameLabel stringlastnameLabel stringemailLabel stringusernameLabel stringlanguageLabel stringgenderLabel stringpasswordLabel stringpasswordConfirmLabel stringtosAndPrivacyLabel stringtosConfirm stringtosLinkText stringprivacyConfirm stringprivacyLinkText stringnextButtonText stringbackButtonText stringregistrationOrgText object
title stringdescription stringorgnameLabel stringfirstnameLabel stringlastnameLabel stringusernameLabel stringemailLabel stringpasswordLabel stringpasswordConfirmLabel stringtosAndPrivacyLabel stringtosConfirm stringtosLinkText stringprivacyConfirm stringprivacyLinkText stringsaveButtonText stringlinkingUserDoneText object
title stringdescription stringcancelButtonText stringnextButtonText stringexternalUserNotFoundText object
title stringdescription stringlinkButtonText stringautoRegisterButtonText stringtosAndPrivacyLabel stringtosConfirm stringtosLinkText stringprivacyLinkText stringprivacyConfirm stringsuccessLoginText object
title stringautoRedirectDescription Text to describe that auto-redirect should happen after successful loginredirectedDescription Text to describe that the window can be closed after redirectnextButtonText stringlogoutText object
title stringdescription stringloginButtonText stringfooterText object
tos stringprivacyPolicy stringhelp stringsupportEmail stringpasswordlessPromptText object
title stringdescription stringdescriptionInit stringpasswordlessButtonText stringnextButtonText stringskipButtonText stringpasswordlessRegistrationText object
title stringdescription stringtokenNameLabel stringnotSupported stringregisterTokenButtonText stringerrorRetry stringpasswordlessRegistrationDoneText object
title stringdescription stringnextButtonText stringcancelButtonText stringdescriptionClose stringexternalRegistrationUserOverviewText object
title stringdescription stringemailLabel stringusernameLabel stringfirstnameLabel stringlastnameLabel stringnicknameLabel stringlanguageLabel stringphoneLabel stringtosAndPrivacyLabel stringtosConfirm stringtosLinkText stringprivacyLinkText stringbackButtonText stringnextButtonText stringprivacyConfirm string]initMessages object[]
Array [language stringtitle stringPossible values:
<= 200 characters
preHeader stringPossible values:
<= 200 characters
subject stringPossible values:
<= 200 characters
greeting stringPossible values:
<= 200 characters
text stringPossible values:
<= 800 characters
buttonText stringPossible values:
<= 200 characters
footerText string]passwordResetMessages object[]
Array [language stringtitle stringPossible values:
<= 200 characters
preHeader stringPossible values:
<= 200 characters
subject stringPossible values:
<= 200 characters
greeting stringPossible values:
<= 200 characters
text stringPossible values:
<= 800 characters
buttonText stringPossible values:
<= 200 characters
footerText string]verifyEmailMessages object[]
Array [language stringtitle stringPossible values:
<= 200 characters
preHeader stringPossible values:
<= 200 characters
subject stringPossible values:
<= 200 characters
greeting stringPossible values:
<= 200 characters
text stringPossible values:
<= 800 characters
buttonText stringPossible values:
<= 200 characters
footerText string]verifyPhoneMessages object[]
Array [language stringtitle stringPossible values:
<= 200 characters
preHeader stringPossible values:
<= 200 characters
subject stringPossible values:
<= 200 characters
greeting stringPossible values:
<= 200 characters
text stringPossible values:
<= 800 characters
buttonText stringPossible values:
<= 200 characters
footerText string]domainClaimedMessages object[]
Array [language stringtitle stringPossible values:
<= 200 characters
preHeader stringPossible values:
<= 200 characters
subject stringPossible values:
<= 200 characters
greeting stringPossible values:
<= 200 characters
text stringPossible values:
<= 800 characters
buttonText stringPossible values:
<= 200 characters
footerText string]passwordlessRegistrationMessages object[]
Array [language stringtitle stringPossible values:
<= 200 characters
preHeader stringPossible values:
<= 200 characters
subject stringPossible values:
<= 200 characters
greeting stringPossible values:
<= 200 characters
text stringPossible values:
<= 800 characters
buttonText stringPossible values:
<= 200 characters
footerText string]oidcIdps object[]
Array [idpId stringidp object
name stringPossible values:
non-empty
and<= 200 characters
stylingType stringPossible values: [
STYLING_TYPE_UNSPECIFIED
,STYLING_TYPE_GOOGLE
]Default value:
STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
clientId stringPossible values:
non-empty
and<= 200 characters
client id generated by the identity provider
clientSecret stringPossible values:
non-empty
and<= 200 characters
client secret generated by the identity provider
issuer stringthe OIDC issuer of the identity provider
scopes string[]the scopes requested by ZITADEL during the request on the identity provider
displayNameMapping stringPossible values: [
OIDC_MAPPING_FIELD_UNSPECIFIED
,OIDC_MAPPING_FIELD_PREFERRED_USERNAME
,OIDC_MAPPING_FIELD_EMAIL
]Default value:
OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the display name of the user
usernameMapping stringPossible values: [
OIDC_MAPPING_FIELD_UNSPECIFIED
,OIDC_MAPPING_FIELD_PREFERRED_USERNAME
,OIDC_MAPPING_FIELD_EMAIL
]Default value:
OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the email of the user
autoRegister boolean]jwtIdps object[]
Array [idpId stringidp object
name stringPossible values:
non-empty
and<= 200 characters
stylingType stringPossible values: [
STYLING_TYPE_UNSPECIFIED
,STYLING_TYPE_GOOGLE
]Default value:
STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
jwtEndpoint stringPossible values:
non-empty
and<= 200 characters
the endpoint where the JWT can be extracted
issuer stringPossible values:
non-empty
and<= 200 characters
the issuer of the JWT (for validation)
keysEndpoint stringPossible values:
non-empty
and<= 200 characters
the endpoint to the key (JWK) which is used to sign the JWT with
headerName stringPossible values:
non-empty
and<= 200 characters
the name of the header where the JWT is sent in, default is authorization
autoRegister boolean]userLinks object[]
Array [userId stringthe id of the user
idpId stringthe id of the identity provider
idpName stringthe name of the identity provider
providedUserId stringthe id of the user provided by the identity provider
providedUserName stringthe id of the identity provider
idpType authorization framework of the identity providerPossible values: [
IDP_TYPE_UNSPECIFIED
,IDP_TYPE_OIDC
,IDP_TYPE_JWT
]Default value:
IDP_TYPE_UNSPECIFIED
the authorization framework of the identity provider
]domains object[]
Array [orgId stringdetails object
sequence uint64on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
creationDate date-timeon read: the timestamp of the first event of the object
on create: the timestamp of the event(s) added by the manipulation
changeDate date-timeon read: the timestamp of the last event reduced by the projection
on manipulation: the
resourceOwner resource_owner is the organization an object belongs todomainName stringisVerified booleandefines if the domain is verified
isPrimary booleandefines if the domain is the primary domain
validationType stringPossible values: [
DOMAIN_VALIDATION_TYPE_UNSPECIFIED
,DOMAIN_VALIDATION_TYPE_HTTP
,DOMAIN_VALIDATION_TYPE_DNS
]Default value:
DOMAIN_VALIDATION_TYPE_UNSPECIFIED
defines the protocol the domain was validated with
]appKeys object[]
Array [id stringprojectId stringappId stringclientId stringtype stringPossible values: [
KEY_TYPE_UNSPECIFIED
,KEY_TYPE_JSON
]Default value:
KEY_TYPE_UNSPECIFIED
expirationDate date-timepublicKey byte]machineKeys object[]
Array [keyId stringuserId stringtype stringPossible values: [
KEY_TYPE_UNSPECIFIED
,KEY_TYPE_JSON
]Default value:
KEY_TYPE_UNSPECIFIED
expirationDate date-timepublicKey byte]]
{
"orgs": [
{
"orgId": "string",
"org": {
"name": "Customer A"
},
"domainPolicy": {
"orgId": "#69629023906488334",
"userLoginMustBeDomain": true,
"validateOrgDomains": true,
"smtpSenderAddressMatchesInstanceDomain": true
},
"labelPolicy": {
"primaryColor": "#353535",
"hideLoginNameSuffix": true,
"warnColor": "#CD3D56",
"backgroundColor": "#FAFAFA",
"fontColor": "#000000",
"primaryColorDark": "#BBBAFA",
"backgroundColorDark": "#111827",
"warnColorDark": "#FF3B5B",
"fontColorDark": "#FFFFFF",
"disableWatermark": true
},
"lockoutPolicy": {
"maxPasswordAttempts": 0
},
"loginPolicy": {
"allowUsernamePassword": true,
"allowRegister": true,
"allowExternalIdp": true,
"forceMfa": true,
"passwordlessType": "PASSWORDLESS_TYPE_NOT_ALLOWED",
"hidePasswordReset": true,
"ignoreUnknownUsernames": true,
"defaultRedirectUri": "string",
"passwordCheckLifetime": "string",
"externalLoginCheckLifetime": "string",
"mfaInitSkipLifetime": "string",
"secondFactorCheckLifetime": "string",
"multiFactorCheckLifetime": "string",
"secondFactors": [
"SECOND_FACTOR_TYPE_UNSPECIFIED"
],
"multiFactors": [
"MULTI_FACTOR_TYPE_UNSPECIFIED"
],
"idps": [
{
"idpId": "string",
"ownerType": "IDP_OWNER_TYPE_UNSPECIFIED"
}
],
"allowDomainDiscovery": true,
"disableLoginWithEmail": true,
"disableLoginWithPhone": true
},
"passwordComplexityPolicy": {
"minLength": "8",
"hasUppercase": true,
"hasLowercase": true,
"hasNumber": true,
"hasSymbol": true
},
"privacyPolicy": {
"tosLink": "https://zitadel.com/docs/legal/terms-of-service",
"privacyLink": "https://zitadel.com/docs/legal/privacy-policy",
"helpLink": "https://zitadel.com/docs/manuals/introduction",
"supportEmail": "support-email@test.com"
},
"projects": [
{
"projectId": "string",
"project": {
"name": "MyProject",
"projectRoleAssertion": true,
"projectRoleCheck": true,
"hasProjectCheck": true,
"privateLabelingSetting": "PRIVATE_LABELING_SETTING_UNSPECIFIED"
}
}
],
"projectRoles": [
{
"projectId": "string",
"roleKey": "ADMIN",
"displayName": "Administrator",
"group": "Admins"
}
],
"apiApps": [
{
"appId": "string",
"app": {
"projectId": "string",
"name": "MyAPIApp",
"authMethodType": "API_AUTH_METHOD_TYPE_BASIC"
}
}
],
"oidcApps": [
{
"appId": "string",
"app": {
"projectId": "string",
"name": "MyOIDCApp",
"redirectUris": [
"http://localhost:4200/auth/callback"
],
"responseTypes": [
"OIDC_RESPONSE_TYPE_CODE"
],
"grantTypes": [
"OIDC_GRANT_TYPE_AUTHORIZATION_CODE"
],
"appType": "OIDC_APP_TYPE_WEB",
"authMethodType": "OIDC_AUTH_METHOD_TYPE_BASIC",
"postLogoutRedirectUris": [
"http://localhost:4200/signedout"
],
"version": "OIDC_VERSION_1_0",
"devMode": true,
"accessTokenType": "OIDC_TOKEN_TYPE_BEARER",
"accessTokenRoleAssertion": true,
"idTokenRoleAssertion": true,
"idTokenUserinfoAssertion": true,
"clockSkew": "1s",
"additionalOrigins": [
"https://console.zitadel.ch/auth/callback"
],
"skipNativeAppSuccessPage": true
}
}
],
"humanUsers": [
{
"userId": "string",
"user": {
"userName": "minnie-mouse",
"profile": {
"firstName": "Minnie",
"lastName": "Mouse",
"nickName": "Mini",
"displayName": "Minnie Mouse",
"preferredLanguage": "en",
"gender": "GENDER_FEMALE"
},
"email": {
"email": "minnie@mouse.com",
"isEmailVerified": true
},
"phone": {
"phone": "+41 71 000 00 00",
"isPhoneVerified": true
},
"password": "string",
"hashedPassword": {
"value": "string",
"algorithm": "string"
},
"passwordChangeRequired": true,
"requestPasswordlessRegistration": true,
"otpCode": "string",
"idps": [
{
"configId": "idp-config-id",
"externalUserId": "idp-config-id",
"displayName": "minnie.mouse@gmail.com"
}
]
}
}
],
"machineUsers": [
{
"userId": "string",
"user": {
"userName": "robot",
"name": "My Machine Account",
"description": "First machine account used for API XY.",
"accessTokenType": "ACCESS_TOKEN_TYPE_BEARER"
}
}
],
"triggerActions": [
{
"flowType": "1",
"triggerType": "1",
"actionIds": [
"string"
]
}
],
"actions": [
{
"actionId": "string",
"action": {
"name": "log context",
"script": "function log(context, calls){console.log(context)}",
"timeout": "string",
"allowedToFail": true
}
}
],
"projectGrants": [
{
"grantId": "string",
"projectGrant": {
"projectId": "string",
"grantedOrgId": "28746028909593987",
"roleKeys": [
"RoleKey1",
"RoleKey2"
]
}
}
],
"userGrants": [
{
"userId": "69629026806489455",
"projectId": "58949026806489455",
"projectGrantId": "9847026806489455",
"roleKeys": [
"RoleKey1",
"RoleKey2"
]
}
],
"orgMembers": [
{
"userId": "string",
"roles": [
"IAM_OWNER"
]
}
],
"projectMembers": [
{
"projectId": "string",
"userId": "string",
"roles": [
"PROJECT_OWNER"
]
}
],
"projectGrantMembers": [
{
"projectId": "string",
"grantId": "string",
"userId": "69629012906488334",
"roles": [
"PROJECT_GRANT_OWNER"
]
}
],
"userMetadata": [
{
"id": "my-user-id",
"key": "my-key",
"value": "VGhpcyBpcyBteSB0ZXN0IHZhbHVl"
}
],
"loginTexts": [
{
"language": "de",
"selectAccountText": {
"title": "string",
"description": "string",
"titleLinkingProcess": "string",
"descriptionLinkingProcess": "string",
"otherUser": "string",
"sessionStateActive": "string",
"sessionStateInactive": "string",
"userMustBeMemberOfOrg": "string"
},
"loginText": {
"title": "string",
"description": "string",
"titleLinkingProcess": "string",
"descriptionLinkingProcess": "string",
"userMustBeMemberOfOrg": "string",
"loginNameLabel": "string",
"registerButtonText": "string",
"nextButtonText": "string",
"externalUserDescription": "string",
"userNamePlaceholder": "string",
"loginNamePlaceholder": "string"
},
"passwordText": {
"title": "string",
"description": "string",
"passwordLabel": "string",
"resetLinkText": "string",
"backButtonText": "string",
"nextButtonText": "string",
"minLength": "string",
"hasUppercase": "string",
"hasLowercase": "string",
"hasNumber": "string",
"hasSymbol": "string",
"confirmation": "string"
},
"usernameChangeText": {
"title": "string",
"description": "string",
"usernameLabel": "string",
"cancelButtonText": "string",
"nextButtonText": "string"
},
"usernameChangeDoneText": {
"title": "string",
"description": "string",
"nextButtonText": "string"
},
"initPasswordText": {
"title": "string",
"description": "string",
"codeLabel": "string",
"newPasswordLabel": "string",
"newPasswordConfirmLabel": "string",
"nextButtonText": "string",
"resendButtonText": "string"
},
"initPasswordDoneText": {
"title": "string",
"description": "string",
"nextButtonText": "string",
"cancelButtonText": "string"
},
"emailVerificationText": {
"title": "string",
"description": "string",
"codeLabel": "string",
"nextButtonText": "string",
"resendButtonText": "string"
},
"emailVerificationDoneText": {
"title": "string",
"description": "string",
"nextButtonText": "string",
"cancelButtonText": "string",
"loginButtonText": "string"
},
"initializeUserText": {
"title": "string",
"description": "string",
"codeLabel": "string",
"newPasswordLabel": "string",
"newPasswordConfirmLabel": "string",
"resendButtonText": "string",
"nextButtonText": "string"
},
"initializeDoneText": {
"title": "string",
"description": "string",
"cancelButtonText": "string",
"nextButtonText": "string"
},
"initMfaPromptText": {
"title": "string",
"description": "string",
"otpOption": "string",
"u2fOption": "string",
"skipButtonText": "string",
"nextButtonText": "string"
},
"initMfaOtpText": {
"title": "string",
"description": "string",
"descriptionOtp": "string",
"secretLabel": "string",
"codeLabel": "string",
"nextButtonText": "string",
"cancelButtonText": "string"
},
"initMfaU2fText": {
"title": "string",
"description": "string",
"tokenNameLabel": "string",
"notSupported": "string",
"registerTokenButtonText": "string",
"errorRetry": "string"
},
"initMfaDoneText": {
"title": "string",
"description": "string",
"cancelButtonText": "string",
"nextButtonText": "string"
},
"mfaProvidersText": {
"chooseOther": "string",
"otp": "string",
"u2f": "string"
},
"verifyMfaOtpText": {
"title": "string",
"description": "string",
"codeLabel": "string",
"nextButtonText": "string"
},
"verifyMfaU2fText": {
"title": "string",
"description": "string",
"validateTokenText": "string",
"notSupported": "string",
"errorRetry": "string"
},
"passwordlessText": {
"title": "string",
"description": "string",
"loginWithPwButtonText": "string",
"validateTokenButtonText": "string",
"notSupported": "string",
"errorRetry": "string"
},
"passwordChangeText": {
"title": "string",
"description": "string",
"oldPasswordLabel": "string",
"newPasswordLabel": "string",
"newPasswordConfirmLabel": "string",
"cancelButtonText": "string",
"nextButtonText": "string"
},
"passwordChangeDoneText": {
"title": "string",
"description": "string",
"nextButtonText": "string"
},
"passwordResetDoneText": {
"title": "string",
"description": "string",
"nextButtonText": "string"
},
"registrationOptionText": {
"title": "string",
"description": "string",
"userNameButtonText": "string",
"externalLoginDescription": "string",
"loginButtonText": "string"
},
"registrationUserText": {
"title": "string",
"description": "string",
"descriptionOrgRegister": "string",
"firstnameLabel": "string",
"lastnameLabel": "string",
"emailLabel": "string",
"usernameLabel": "string",
"languageLabel": "string",
"genderLabel": "string",
"passwordLabel": "string",
"passwordConfirmLabel": "string",
"tosAndPrivacyLabel": "string",
"tosConfirm": "string",
"tosLinkText": "string",
"privacyConfirm": "string",
"privacyLinkText": "string",
"nextButtonText": "string",
"backButtonText": "string"
},
"registrationOrgText": {
"title": "string",
"description": "string",
"orgnameLabel": "string",
"firstnameLabel": "string",
"lastnameLabel": "string",
"usernameLabel": "string",
"emailLabel": "string",
"passwordLabel": "string",
"passwordConfirmLabel": "string",
"tosAndPrivacyLabel": "string",
"tosConfirm": "string",
"tosLinkText": "string",
"privacyConfirm": "string",
"privacyLinkText": "string",
"saveButtonText": "string"
},
"linkingUserDoneText": {
"title": "string",
"description": "string",
"cancelButtonText": "string",
"nextButtonText": "string"
},
"externalUserNotFoundText": {
"title": "string",
"description": "string",
"linkButtonText": "string",
"autoRegisterButtonText": "string",
"tosAndPrivacyLabel": "string",
"tosConfirm": "string",
"tosLinkText": "string",
"privacyLinkText": "string",
"privacyConfirm": "string"
},
"successLoginText": {
"title": "string",
"autoRedirectDescription": "string",
"redirectedDescription": "string",
"nextButtonText": "string"
},
"logoutText": {
"title": "string",
"description": "string",
"loginButtonText": "string"
},
"footerText": {
"tos": "string",
"privacyPolicy": "string",
"help": "string",
"supportEmail": "string"
},
"passwordlessPromptText": {
"title": "string",
"description": "string",
"descriptionInit": "string",
"passwordlessButtonText": "string",
"nextButtonText": "string",
"skipButtonText": "string"
},
"passwordlessRegistrationText": {
"title": "string",
"description": "string",
"tokenNameLabel": "string",
"notSupported": "string",
"registerTokenButtonText": "string",
"errorRetry": "string"
},
"passwordlessRegistrationDoneText": {
"title": "string",
"description": "string",
"nextButtonText": "string",
"cancelButtonText": "string",
"descriptionClose": "string"
},
"externalRegistrationUserOverviewText": {
"title": "string",
"description": "string",
"emailLabel": "string",
"usernameLabel": "string",
"firstnameLabel": "string",
"lastnameLabel": "string",
"nicknameLabel": "string",
"languageLabel": "string",
"phoneLabel": "string",
"tosAndPrivacyLabel": "string",
"tosConfirm": "string",
"tosLinkText": "string",
"privacyLinkText": "string",
"backButtonText": "string",
"nextButtonText": "string",
"privacyConfirm": "string"
}
}
],
"initMessages": [
{
"language": "de",
"title": "ZITADEL - Initialize User",
"preHeader": "Initialize User",
"subject": "Initialize User",
"greeting": "Hello {{.FirstName}} {{.LastName}},",
"text": "This user was created in Zitadel. Use the username {{.PreferredLoginName}} to log in. Please click the button below to finish the initialization process. (Code {{.Code}}) If you didn't ask for this mail, please ignore it.",
"buttonText": "Finish initialization",
"footerText": "string"
}
],
"passwordResetMessages": [
{
"language": "de",
"title": "ZITADEL - Reset Password",
"preHeader": "Reset Password",
"subject": "Reset Password",
"greeting": "Hello {{.FirstName}} {{.LastName}},",
"text": "We received a password reset request. Please use the button below to reset your password. (Code {{.Code}}) If you didn't ask for this mail, please ignore it.",
"buttonText": "Reset Password",
"footerText": "string"
}
],
"verifyEmailMessages": [
{
"language": "de",
"title": "ZITADEL - Verify Email",
"preHeader": "Verify Email",
"subject": "Verify Email",
"greeting": "Hello {{.FirstName}} {{.LastName}},",
"text": "A new email has been added. Please use the button below to verify your mail. (Code {{.Code}}) If you didn't add a new email, please ignore this email.",
"buttonText": "Verify Email",
"footerText": "string"
}
],
"verifyPhoneMessages": [
{
"language": "de",
"title": "ZITADEL - Verify Phone",
"preHeader": "Verify Phone",
"subject": "Verify Phone",
"greeting": "Hello {{.FirstName}} {{.LastName}},",
"text": "A new phone number has been added. Please use the following code to verify it {{.Code}}.",
"buttonText": "Verify Phone",
"footerText": "string"
}
],
"domainClaimedMessages": [
{
"language": "de",
"title": "ZITADEL - Domain has been claimed",
"preHeader": "Change email / username",
"subject": "Domain has been claimed",
"greeting": "Hello {{.FirstName}} {{.LastName}},",
"text": "The domain {{.Domain}} has been claimed by an organization. Your current user {{.UserName}} is not part of this organization. Therefore you'll have to change your email when you log in. We have created a temporary username ({{.TempUsername}}) for this login.",
"buttonText": "Login",
"footerText": "string"
}
],
"passwordlessRegistrationMessages": [
{
"language": "de",
"title": "ZITADEL - Password of the user has changed",
"preHeader": "Password Changed",
"subject": "Password of user has changed",
"greeting": "Hello {{.FirstName}} {{.LastName}},",
"text": "The password of your user has changed, if this change was not done by you, please be advised to immediately reset your password.",
"buttonText": "Login",
"footerText": "string"
}
],
"oidcIdps": [
{
"idpId": "string",
"idp": {
"name": "google",
"stylingType": "STYLING_TYPE_UNSPECIFIED",
"clientId": "string",
"clientSecret": "string",
"issuer": "https://accounts.google.com",
"scopes": [
"openid",
"profile",
"email"
],
"displayNameMapping": "OIDC_MAPPING_FIELD_UNSPECIFIED",
"usernameMapping": "OIDC_MAPPING_FIELD_UNSPECIFIED",
"autoRegister": true
}
}
],
"jwtIdps": [
{
"idpId": "string",
"idp": {
"name": "google",
"stylingType": "STYLING_TYPE_UNSPECIFIED",
"jwtEndpoint": "https://accounts.google.com",
"issuer": "https://accounts.google.com",
"keysEndpoint": "https://accounts.google.com/keys",
"headerName": "x-auth-token",
"autoRegister": true
}
}
],
"userLinks": [
{
"userId": "69629023906488334",
"idpId": "69629023906488334",
"idpName": "google",
"providedUserId": "as-12-df-89",
"providedUserName": "gigi.long-neck@gmail.com",
"idpType": "IDP_TYPE_UNSPECIFIED"
}
],
"domains": [
{
"orgId": "69629023906488334",
"details": {
"sequence": "2",
"creationDate": "2023-05-02",
"changeDate": "2023-05-02",
"resourceOwner": "69629023906488334"
},
"domainName": "zitadel.com",
"isVerified": true,
"isPrimary": true,
"validationType": "DOMAIN_VALIDATION_TYPE_UNSPECIFIED"
}
],
"appKeys": [
{
"id": "string",
"projectId": "string",
"appId": "string",
"clientId": "string",
"type": "KEY_TYPE_UNSPECIFIED",
"expirationDate": "2023-05-02",
"publicKey": "string"
}
],
"machineKeys": [
{
"keyId": "string",
"userId": "string",
"type": "KEY_TYPE_UNSPECIFIED",
"expirationDate": "2023-05-02",
"publicKey": "string"
}
]
}
]
}
- Schema
- Example (from schema)
Schema
orgs object[]
Array [orgId stringorg object
name stringPossible values:
non-empty
and<= 200 characters
domainPolicy object
orgId stringPossible values:
non-empty
and<= 200 characters
userLoginMustBeDomain the username has to end with the domain of its organization (uniqueness is organization based)the username has to end with the domain of its organization
validateOrgDomains booleandefines if organization domains should be validated org count as validated automatically
smtpSenderAddressMatchesInstanceDomain booleandefines if the SMTP sender address domain should match an existing domain on the instance
labelPolicy object
primaryColor stringPossible values:
<= 50 characters
Represents a color scheme
hideLoginNameSuffix hides the org suffix on the login form if the scope \"urn:zitadel:iam:org:domain:primary:{domainname}\" is sethides the org suffix on the login form if the scope "urn:zitadel:iam:org:domain:primary:{domainname}" is set
warnColor stringPossible values:
<= 50 characters
hex value for warn color
backgroundColor stringPossible values:
<= 50 characters
hex value for background color
fontColor stringPossible values:
<= 50 characters
hex value for font color
primaryColorDark stringPossible values:
<= 50 characters
hex value for the primary color dark theme
backgroundColorDark stringPossible values:
<= 50 characters
hex value for background color dark theme
warnColorDark stringPossible values:
<= 50 characters
hex value for warning color dark theme
fontColorDark stringPossible values:
<= 50 characters
hex value for font color dark theme
disableWatermark booleanlockoutPolicy object
maxPasswordAttempts int64When the user has reached the maximum password attempts the account will be locked, If this is set to 0 the lockout will not trigger.
loginPolicy object
allowUsernamePassword booleanallowRegister booleanallowExternalIdp booleanforceMfa booleanpasswordlessType - PASSWORDLESS_TYPE_ALLOWED: PLANNED: PASSWORDLESS_TYPE_WITH_CERTPossible values: [
PASSWORDLESS_TYPE_NOT_ALLOWED
,PASSWORDLESS_TYPE_ALLOWED
]Default value:
PASSWORDLESS_TYPE_NOT_ALLOWED
hidePasswordReset booleanignoreUnknownUsernames booleandefines if unknown username on login screen directly returns an error or always displays the password screen
defaultRedirectUri stringdefines where the user will be redirected to if the login is started without app context (e.g. from mail)
passwordCheckLifetime stringexternalLoginCheckLifetime stringmfaInitSkipLifetime stringsecondFactorCheckLifetime stringmultiFactorCheckLifetime stringsecondFactors string[]Possible values: [
SECOND_FACTOR_TYPE_UNSPECIFIED
,SECOND_FACTOR_TYPE_OTP
,SECOND_FACTOR_TYPE_U2F
]multiFactors string[]Possible values: [
MULTI_FACTOR_TYPE_UNSPECIFIED
,MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION
]idps object[]
Array [idpId stringownerType stringPossible values: [
IDP_OWNER_TYPE_UNSPECIFIED
,IDP_OWNER_TYPE_SYSTEM
,IDP_OWNER_TYPE_ORG
]Default value:
IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.
- IDP_OWNER_TYPE_SYSTEM: system is managed by the ZITADEL administrators
- IDP_OWNER_TYPE_ORG: org is managed by de organization administrators
]allowDomainDiscovery booleanIf set to true, the suffix (@domain.com) of an unknown username input on the login screen will be matched against the org domains and will redirect to the registration of that organization on success.
disableLoginWithEmail booleandefines if the user can additionally (to the login name) be identified by their verified email address
disableLoginWithPhone booleandefines if the user can additionally (to the login name) be identified by their verified phone number
passwordComplexityPolicy object
minLength uint64hasUppercase booleanDefines if the password MUST contain an upper case letter
hasLowercase booleanDefines if the password MUST contain a lowercase letter
hasNumber booleanDefines if the password MUST contain a number
hasSymbol booleanDefines if the password MUST contain a symbol. E.g. "$"
privacyPolicy object
tosLink stringIf registration is enabled, the user has to accept the TOS. Variable {{.Lang}} can be set to have different links based on the language.
privacyLink stringIf registration is enabled, the user has to accept the privacy terms. Variable {{.Lang}} can be set to have different links based on the language.
helpLink stringVariable {{.Lang}} can be set to have different links based on the language.
supportEmail stringhelp / support email address.
projects object[]
Array [projectId stringproject object
name stringPossible values:
non-empty
and<= 200 characters
projectRoleAssertion booleanEnable this setting to have role information included in the user info endpoint. It is also dependent on your application settings to include it in tokens and other types.
projectRoleCheck booleanWhen enabled ZITADEL will check if a user has a role of this project assigned when login into an application of this project.
hasProjectCheck booleanWhen enabled ZITADEL will check if the organization of the user, that is trying to log in, has a grant to this project.
privateLabelingSetting stringPossible values: [
PRIVATE_LABELING_SETTING_UNSPECIFIED
,PRIVATE_LABELING_SETTING_ENFORCE_PROJECT_RESOURCE_OWNER_POLICY
,PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY
]Default value:
PRIVATE_LABELING_SETTING_UNSPECIFIED
Define which private labeling/branding should trigger when getting to a login of this project.
]projectRoles object[]
Array [projectId stringroleKey stringPossible values:
non-empty
and<= 200 characters
The key is the only relevant attribute for ZITADEL regarding the authorization checks.
displayName stringPossible values:
non-empty
and<= 200 characters
group stringPossible values:
<= 200 characters
The group is only used for display purposes. That you have better handling, like giving all the roles from a group to a user.
]apiApps object[]
Array [appId stringapp object
projectId stringname stringPossible values:
non-empty
and<= 200 characters
authMethodType stringPossible values: [
API_AUTH_METHOD_TYPE_BASIC
,API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]Default value:
API_AUTH_METHOD_TYPE_BASIC
]oidcApps object[]
Array [appId stringapp object
projectId stringname stringPossible values:
non-empty
and<= 200 characters
redirectUris string[]Callback URI of the authorization request where the code or tokens will be sent to
responseTypes string[]Possible values: [
OIDC_RESPONSE_TYPE_CODE
,OIDC_RESPONSE_TYPE_ID_TOKEN
,OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN
]Determines whether a code, id_token token or just id_token will be returned
grantTypes string[]Possible values: [
OIDC_GRANT_TYPE_AUTHORIZATION_CODE
,OIDC_GRANT_TYPE_IMPLICIT
,OIDC_GRANT_TYPE_REFRESH_TOKEN
,OIDC_GRANT_TYPE_DEVICE_CODE
]The flow type the application uses to gain access
appType stringPossible values: [
OIDC_APP_TYPE_WEB
,OIDC_APP_TYPE_USER_AGENT
,OIDC_APP_TYPE_NATIVE
]Default value:
OIDC_APP_TYPE_WEB
Determines the paradigm of the application
authMethodType stringPossible values: [
OIDC_AUTH_METHOD_TYPE_BASIC
,OIDC_AUTH_METHOD_TYPE_POST
,OIDC_AUTH_METHOD_TYPE_NONE
,OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]Default value:
OIDC_AUTH_METHOD_TYPE_BASIC
Defines how the application passes login credentials
postLogoutRedirectUris string[]ZITADEL will redirect to this link after a successful logout
version stringPossible values: [
OIDC_VERSION_1_0
]Default value:
OIDC_VERSION_1_0
devMode booleanUsed for development, some checks of the OIDC specification will not be checked.
accessTokenType stringPossible values: [
OIDC_TOKEN_TYPE_BEARER
,OIDC_TOKEN_TYPE_JWT
]Default value:
OIDC_TOKEN_TYPE_BEARER
Type of the access token returned from ZITADEL
accessTokenRoleAssertion booleanAdds roles to the claims of the access token (only if type == JWT) even if they are not requested by scopes
idTokenRoleAssertion booleanAdds roles to the claims of the id token even if they are not requested by scopes
idTokenUserinfoAssertion booleanClaims of profile, email, address and phone scopes are added to the id token even if an access token is issued. Attention this violates the OIDC specification
clockSkew stringUsed to compensate time difference of servers. Duration added to the "exp" claim and subtracted from "iat", "auth_time" and "nbf" claims
additionalOrigins string[]Additional origins (other than the redirect_uris) from where the API can be used
skipNativeAppSuccessPage booleanSkip the successful login page on native apps and directly redirect the user to the callback.
]humanUsers object[]
Array [userId stringuser object
userName stringprofile object
Profile includes the basic information of a user, like first name, last name, etc.
firstName stringPossible values:
non-empty
and<= 200 characters
lastName stringPossible values:
non-empty
and<= 200 characters
nickName stringPossible values:
<= 200 characters
displayName stringPossible values:
<= 200 characters
preferredLanguage stringPossible values:
<= 10 characters
gender stringPossible values: [
GENDER_UNSPECIFIED
,GENDER_FEMALE
,GENDER_MALE
,GENDER_DIVERSE
]Default value:
GENDER_UNSPECIFIED
email object
email stringObject that contains the email address and a verified flag.
isEmailVerified booleanIf email verified is set to true, the email will be added as verified and the user doesn't have to verify.
phone object
Object that contains the number and a verified flag
phone stringPossible values:
non-empty
and<= 50 characters
mobile phone number of the user. (use global pattern of spec https://tools.ietf.org/html/rfc3966)
isPhoneVerified booleanpassword stringhashedPassword object
Use this to import hashed passwords from another system.
value stringalgorithm stringpasswordChangeRequired booleanIf this is set to true, the user has to change the password on the next login.
requestPasswordlessRegistration booleanIf this is set to true, you will get a link for the passwordless/passkey registration in the response.
otpCode stringidps object[]
To link your user directly with an external identity provider (Identity brokering)
Array [configId stringPossible values:
non-empty
and<= 200 characters
The internal ID of the identity provider configured in ZITADEL.
externalUserId stringPossible values:
non-empty
and<= 200 characters
The id of the user in the external identity provider
displayName stringPossible values:
<= 200 characters
A display name ZITADEL can show on the linked provider.
]]machineUsers object[]
Array [userId stringuser object
userName stringPossible values:
non-empty
and<= 200 characters
name stringPossible values:
non-empty
and<= 200 characters
description stringPossible values:
<= 500 characters
accessTokenType stringPossible values: [
ACCESS_TOKEN_TYPE_BEARER
,ACCESS_TOKEN_TYPE_JWT
]Default value:
ACCESS_TOKEN_TYPE_BEARER
]triggerActions object[]
Array [flowType id of the flow typeAt the moment you have to send the ID of the Flow Type: ExternalAuthentication=1, CustomiseToken=2, InternalAuthentication=3, PreUserinfoCreation=3
triggerType id of the trigger typeAt the moment you have to send the ID of the Trigger Type: PostAuthentication=1, PreCreation=2, PostCreation=3, PreUserinfoCreation=4, PreAccessTokenCreation=5
actionIds string[]]actions object[]
Array [actionId stringaction object
name stringPossible values:
non-empty
and<= 200 characters
script stringPossible values:
non-empty
and<= 2000 characters
Javascript code that should be executed
timeout stringafter which time the action will be terminated if not finished
allowedToFail booleanwhen true, the next action will be called even if this action fails
]projectGrants object[]
Array [grantId stringprojectGrant object
projectId stringgrantedOrgId stringroleKeys string[]]userGrants object[]
Array [userId stringPossible values:
non-empty
projectId stringPossible values:
non-empty
and<= 200 characters
projectGrantId stringPossible values:
<= 200 characters
Make sure to fill in the project grant id if the user grant is for a granted project and the organization is not the owner of the project.
roleKeys string[]]orgMembers object[]
Array [userId stringroles string[]If no roles are provided the user won't have any rights
]projectMembers object[]
Array [projectId stringuserId stringroles string[]If no roles are provided the user won't have any rights
]projectGrantMembers object[]
Array [projectId stringgrantId stringuserId stringPossible values:
non-empty
and<= 200 characters
roles string[]If no roles are provided the user won't have any rights
]userMetadata object[]
Array [id stringPossible values:
non-empty
and<= 200 characters
key stringPossible values:
non-empty
and<= 200 characters
value bytePossible values:
non-empty
and<= 500000 characters
The value has to be base64 encoded.
]loginTexts object[]
Array [language stringselectAccountText object
title stringdescription stringtitleLinkingProcess stringdescriptionLinkingProcess stringotherUser stringsessionStateActive stringsessionStateInactive stringuserMustBeMemberOfOrg stringloginText object
title stringdescription stringtitleLinkingProcess stringdescriptionLinkingProcess stringuserMustBeMemberOfOrg stringloginNameLabel stringregisterButtonText stringnextButtonText stringexternalUserDescription stringuserNamePlaceholder stringloginNamePlaceholder stringpasswordText object
title stringdescription stringpasswordLabel stringresetLinkText stringbackButtonText stringnextButtonText stringminLength stringhasUppercase stringhasLowercase stringhasNumber stringhasSymbol stringconfirmation stringusernameChangeText object
title stringdescription stringusernameLabel stringcancelButtonText stringnextButtonText stringusernameChangeDoneText object
title stringdescription stringnextButtonText stringinitPasswordText object
title stringdescription stringcodeLabel stringnewPasswordLabel stringnewPasswordConfirmLabel stringnextButtonText stringresendButtonText stringinitPasswordDoneText object
title stringdescription stringnextButtonText stringcancelButtonText stringemailVerificationText object
title stringdescription stringcodeLabel stringnextButtonText stringresendButtonText stringemailVerificationDoneText object
title stringdescription stringnextButtonText stringcancelButtonText stringloginButtonText stringinitializeUserText object
title stringdescription stringcodeLabel stringnewPasswordLabel stringnewPasswordConfirmLabel stringresendButtonText stringnextButtonText stringinitializeDoneText object
title stringdescription stringcancelButtonText stringnextButtonText stringinitMfaPromptText object
title stringdescription stringotpOption stringu2fOption stringskipButtonText stringnextButtonText stringinitMfaOtpText object
title stringdescription stringdescriptionOtp stringsecretLabel stringcodeLabel stringnextButtonText stringcancelButtonText stringinitMfaU2fText object
title stringdescription stringtokenNameLabel stringnotSupported stringregisterTokenButtonText stringerrorRetry stringinitMfaDoneText object
title stringdescription stringcancelButtonText stringnextButtonText stringmfaProvidersText object
chooseOther stringotp stringu2f stringverifyMfaOtpText object
title stringdescription stringcodeLabel stringnextButtonText stringverifyMfaU2fText object
title stringdescription stringvalidateTokenText stringnotSupported stringerrorRetry stringpasswordlessText object
title stringdescription stringloginWithPwButtonText stringvalidateTokenButtonText stringnotSupported stringerrorRetry stringpasswordChangeText object
title stringdescription stringoldPasswordLabel stringnewPasswordLabel stringnewPasswordConfirmLabel stringcancelButtonText stringnextButtonText stringpasswordChangeDoneText object
title stringdescription stringnextButtonText stringpasswordResetDoneText object
title stringdescription stringnextButtonText stringregistrationOptionText object
title stringdescription stringuserNameButtonText stringexternalLoginDescription stringloginButtonText stringregistrationUserText object
title stringdescription stringdescriptionOrgRegister stringfirstnameLabel stringlastnameLabel stringemailLabel stringusernameLabel stringlanguageLabel stringgenderLabel stringpasswordLabel stringpasswordConfirmLabel stringtosAndPrivacyLabel stringtosConfirm stringtosLinkText stringprivacyConfirm stringprivacyLinkText stringnextButtonText stringbackButtonText stringregistrationOrgText object
title stringdescription stringorgnameLabel stringfirstnameLabel stringlastnameLabel stringusernameLabel stringemailLabel stringpasswordLabel stringpasswordConfirmLabel stringtosAndPrivacyLabel stringtosConfirm stringtosLinkText stringprivacyConfirm stringprivacyLinkText stringsaveButtonText stringlinkingUserDoneText object
title stringdescription stringcancelButtonText stringnextButtonText stringexternalUserNotFoundText object
title stringdescription stringlinkButtonText stringautoRegisterButtonText stringtosAndPrivacyLabel stringtosConfirm stringtosLinkText stringprivacyLinkText stringprivacyConfirm stringsuccessLoginText object
title stringautoRedirectDescription Text to describe that auto-redirect should happen after successful loginredirectedDescription Text to describe that the window can be closed after redirectnextButtonText stringlogoutText object
title stringdescription stringloginButtonText stringfooterText object
tos stringprivacyPolicy stringhelp stringsupportEmail stringpasswordlessPromptText object
title stringdescription stringdescriptionInit stringpasswordlessButtonText stringnextButtonText stringskipButtonText stringpasswordlessRegistrationText object
title stringdescription stringtokenNameLabel stringnotSupported stringregisterTokenButtonText stringerrorRetry stringpasswordlessRegistrationDoneText object
title stringdescription stringnextButtonText stringcancelButtonText stringdescriptionClose stringexternalRegistrationUserOverviewText object
title stringdescription stringemailLabel stringusernameLabel stringfirstnameLabel stringlastnameLabel stringnicknameLabel stringlanguageLabel stringphoneLabel stringtosAndPrivacyLabel stringtosConfirm stringtosLinkText stringprivacyLinkText stringbackButtonText stringnextButtonText stringprivacyConfirm string]initMessages object[]
Array [language stringtitle stringPossible values:
<= 200 characters
preHeader stringPossible values:
<= 200 characters
subject stringPossible values:
<= 200 characters
greeting stringPossible values:
<= 200 characters
text stringPossible values:
<= 800 characters
buttonText stringPossible values:
<= 200 characters
footerText string]passwordResetMessages object[]
Array [language stringtitle stringPossible values:
<= 200 characters
preHeader stringPossible values:
<= 200 characters
subject stringPossible values:
<= 200 characters
greeting stringPossible values:
<= 200 characters
text stringPossible values:
<= 800 characters
buttonText stringPossible values:
<= 200 characters
footerText string]verifyEmailMessages object[]
Array [language stringtitle stringPossible values:
<= 200 characters
preHeader stringPossible values:
<= 200 characters
subject stringPossible values:
<= 200 characters
greeting stringPossible values:
<= 200 characters
text stringPossible values:
<= 800 characters
buttonText stringPossible values:
<= 200 characters
footerText string]verifyPhoneMessages object[]
Array [language stringtitle stringPossible values:
<= 200 characters
preHeader stringPossible values:
<= 200 characters
subject stringPossible values:
<= 200 characters
greeting stringPossible values:
<= 200 characters
text stringPossible values:
<= 800 characters
buttonText stringPossible values:
<= 200 characters
footerText string]domainClaimedMessages object[]
Array [language stringtitle stringPossible values:
<= 200 characters
preHeader stringPossible values:
<= 200 characters
subject stringPossible values:
<= 200 characters
greeting stringPossible values:
<= 200 characters
text stringPossible values:
<= 800 characters
buttonText stringPossible values:
<= 200 characters
footerText string]passwordlessRegistrationMessages object[]
Array [language stringtitle stringPossible values:
<= 200 characters
preHeader stringPossible values:
<= 200 characters
subject stringPossible values:
<= 200 characters
greeting stringPossible values:
<= 200 characters
text stringPossible values:
<= 800 characters
buttonText stringPossible values:
<= 200 characters
footerText string]oidcIdps object[]
Array [idpId stringidp object
name stringPossible values:
non-empty
and<= 200 characters
stylingType stringPossible values: [
STYLING_TYPE_UNSPECIFIED
,STYLING_TYPE_GOOGLE
]Default value:
STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
clientId stringPossible values:
non-empty
and<= 200 characters
client id generated by the identity provider
clientSecret stringPossible values:
non-empty
and<= 200 characters
client secret generated by the identity provider
issuer stringthe OIDC issuer of the identity provider
scopes string[]the scopes requested by ZITADEL during the request on the identity provider
displayNameMapping stringPossible values: [
OIDC_MAPPING_FIELD_UNSPECIFIED
,OIDC_MAPPING_FIELD_PREFERRED_USERNAME
,OIDC_MAPPING_FIELD_EMAIL
]Default value:
OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the display name of the user
usernameMapping stringPossible values: [
OIDC_MAPPING_FIELD_UNSPECIFIED
,OIDC_MAPPING_FIELD_PREFERRED_USERNAME
,OIDC_MAPPING_FIELD_EMAIL
]Default value:
OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the email of the user
autoRegister boolean]jwtIdps object[]
Array [idpId stringidp object
name stringPossible values:
non-empty
and<= 200 characters
stylingType stringPossible values: [
STYLING_TYPE_UNSPECIFIED
,STYLING_TYPE_GOOGLE
]Default value:
STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
jwtEndpoint stringPossible values:
non-empty
and<= 200 characters
the endpoint where the JWT can be extracted
issuer stringPossible values:
non-empty
and<= 200 characters
the issuer of the JWT (for validation)
keysEndpoint stringPossible values:
non-empty
and<= 200 characters
the endpoint to the key (JWK) which is used to sign the JWT with
headerName stringPossible values:
non-empty
and<= 200 characters
the name of the header where the JWT is sent in, default is authorization
autoRegister boolean]userLinks object[]
Array [userId stringthe id of the user
idpId stringthe id of the identity provider
idpName stringthe name of the identity provider
providedUserId stringthe id of the user provided by the identity provider
providedUserName stringthe id of the identity provider
idpType authorization framework of the identity providerPossible values: [
IDP_TYPE_UNSPECIFIED
,IDP_TYPE_OIDC
,IDP_TYPE_JWT
]Default value:
IDP_TYPE_UNSPECIFIED
the authorization framework of the identity provider
]domains object[]
Array [orgId stringdetails object
sequence uint64on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
creationDate date-timeon read: the timestamp of the first event of the object
on create: the timestamp of the event(s) added by the manipulation
changeDate date-timeon read: the timestamp of the last event reduced by the projection
on manipulation: the
resourceOwner resource_owner is the organization an object belongs todomainName stringisVerified booleandefines if the domain is verified
isPrimary booleandefines if the domain is the primary domain
validationType stringPossible values: [
DOMAIN_VALIDATION_TYPE_UNSPECIFIED
,DOMAIN_VALIDATION_TYPE_HTTP
,DOMAIN_VALIDATION_TYPE_DNS
]Default value:
DOMAIN_VALIDATION_TYPE_UNSPECIFIED
defines the protocol the domain was validated with
]appKeys object[]
Array [id stringprojectId stringappId stringclientId stringtype stringPossible values: [
KEY_TYPE_UNSPECIFIED
,KEY_TYPE_JSON
]Default value:
KEY_TYPE_UNSPECIFIED
expirationDate date-timepublicKey byte]machineKeys object[]
Array [keyId stringuserId stringtype stringPossible values: [
KEY_TYPE_UNSPECIFIED
,KEY_TYPE_JSON
]Default value:
KEY_TYPE_UNSPECIFIED
expirationDate date-timepublicKey byte]]
{
"orgs": [
{
"orgId": "string",
"org": {
"name": "Customer A"
},
"domainPolicy": {
"orgId": "#69629023906488334",
"userLoginMustBeDomain": true,
"validateOrgDomains": true,
"smtpSenderAddressMatchesInstanceDomain": true
},
"labelPolicy": {
"primaryColor": "#353535",
"hideLoginNameSuffix": true,
"warnColor": "#CD3D56",
"backgroundColor": "#FAFAFA",
"fontColor": "#000000",
"primaryColorDark": "#BBBAFA",
"backgroundColorDark": "#111827",
"warnColorDark": "#FF3B5B",
"fontColorDark": "#FFFFFF",
"disableWatermark": true
},
"lockoutPolicy": {
"maxPasswordAttempts": 0
},
"loginPolicy": {
"allowUsernamePassword": true,
"allowRegister": true,
"allowExternalIdp": true,
"forceMfa": true,
"passwordlessType": "PASSWORDLESS_TYPE_NOT_ALLOWED",
"hidePasswordReset": true,
"ignoreUnknownUsernames": true,
"defaultRedirectUri": "string",
"passwordCheckLifetime": "string",
"externalLoginCheckLifetime": "string",
"mfaInitSkipLifetime": "string",
"secondFactorCheckLifetime": "string",
"multiFactorCheckLifetime": "string",
"secondFactors": [
"SECOND_FACTOR_TYPE_UNSPECIFIED"
],
"multiFactors": [
"MULTI_FACTOR_TYPE_UNSPECIFIED"
],
"idps": [
{
"idpId": "string",
"ownerType": "IDP_OWNER_TYPE_UNSPECIFIED"
}
],
"allowDomainDiscovery": true,
"disableLoginWithEmail": true,
"disableLoginWithPhone": true
},
"passwordComplexityPolicy": {
"minLength": "8",
"hasUppercase": true,
"hasLowercase": true,
"hasNumber": true,
"hasSymbol": true
},
"privacyPolicy": {
"tosLink": "https://zitadel.com/docs/legal/terms-of-service",
"privacyLink": "https://zitadel.com/docs/legal/privacy-policy",
"helpLink": "https://zitadel.com/docs/manuals/introduction",
"supportEmail": "support-email@test.com"
},
"projects": [
{
"projectId": "string",
"project": {
"name": "MyProject",
"projectRoleAssertion": true,
"projectRoleCheck": true,
"hasProjectCheck": true,
"privateLabelingSetting": "PRIVATE_LABELING_SETTING_UNSPECIFIED"
}
}
],
"projectRoles": [
{
"projectId": "string",
"roleKey": "ADMIN",
"displayName": "Administrator",
"group": "Admins"
}
],
"apiApps": [
{
"appId": "string",
"app": {
"projectId": "string",
"name": "MyAPIApp",
"authMethodType": "API_AUTH_METHOD_TYPE_BASIC"
}
}
],
"oidcApps": [
{
"appId": "string",
"app": {
"projectId": "string",
"name": "MyOIDCApp",
"redirectUris": [
"http://localhost:4200/auth/callback"
],
"responseTypes": [
"OIDC_RESPONSE_TYPE_CODE"
],
"grantTypes": [
"OIDC_GRANT_TYPE_AUTHORIZATION_CODE"
],
"appType": "OIDC_APP_TYPE_WEB",
"authMethodType": "OIDC_AUTH_METHOD_TYPE_BASIC",
"postLogoutRedirectUris": [
"http://localhost:4200/signedout"
],
"version": "OIDC_VERSION_1_0",
"devMode": true,
"accessTokenType": "OIDC_TOKEN_TYPE_BEARER",
"accessTokenRoleAssertion": true,
"idTokenRoleAssertion": true,
"idTokenUserinfoAssertion": true,
"clockSkew": "1s",
"additionalOrigins": [
"https://console.zitadel.ch/auth/callback"
],
"skipNativeAppSuccessPage": true
}
}
],
"humanUsers": [
{
"userId": "string",
"user": {
"userName": "minnie-mouse",
"profile": {
"firstName": "Minnie",
"lastName": "Mouse",
"nickName": "Mini",
"displayName": "Minnie Mouse",
"preferredLanguage": "en",
"gender": "GENDER_FEMALE"
},
"email": {
"email": "minnie@mouse.com",
"isEmailVerified": true
},
"phone": {
"phone": "+41 71 000 00 00",
"isPhoneVerified": true
},
"password": "string",
"hashedPassword": {
"value": "string",
"algorithm": "string"
},
"passwordChangeRequired": true,
"requestPasswordlessRegistration": true,
"otpCode": "string",
"idps": [
{
"configId": "idp-config-id",
"externalUserId": "idp-config-id",
"displayName": "minnie.mouse@gmail.com"
}
]
}
}
],
"machineUsers": [
{
"userId": "string",
"user": {
"userName": "robot",
"name": "My Machine Account",
"description": "First machine account used for API XY.",
"accessTokenType": "ACCESS_TOKEN_TYPE_BEARER"
}
}
],
"triggerActions": [
{
"flowType": "1",
"triggerType": "1",
"actionIds": [
"string"
]
}
],
"actions": [
{
"actionId": "string",
"action": {
"name": "log context",
"script": "function log(context, calls){console.log(context)}",
"timeout": "string",
"allowedToFail": true
}
}
],
"projectGrants": [
{
"grantId": "string",
"projectGrant": {
"projectId": "string",
"grantedOrgId": "28746028909593987",
"roleKeys": [
"RoleKey1",
"RoleKey2"
]
}
}
],
"userGrants": [
{
"userId": "69629026806489455",
"projectId": "58949026806489455",
"projectGrantId": "9847026806489455",
"roleKeys": [
"RoleKey1",
"RoleKey2"
]
}
],
"orgMembers": [
{
"userId": "string",
"roles": [
"IAM_OWNER"
]
}
],
"projectMembers": [
{
"projectId": "string",
"userId": "string",
"roles": [
"PROJECT_OWNER"
]
}
],
"projectGrantMembers": [
{
"projectId": "string",
"grantId": "string",
"userId": "69629012906488334",
"roles": [
"PROJECT_GRANT_OWNER"
]
}
],
"userMetadata": [
{
"id": "my-user-id",
"key": "my-key",
"value": "VGhpcyBpcyBteSB0ZXN0IHZhbHVl"
}
],
"loginTexts": [
{
"language": "de",
"selectAccountText": {
"title": "string",
"description": "string",
"titleLinkingProcess": "string",
"descriptionLinkingProcess": "string",
"otherUser": "string",
"sessionStateActive": "string",
"sessionStateInactive": "string",
"userMustBeMemberOfOrg": "string"
},
"loginText": {
"title": "string",
"description": "string",
"titleLinkingProcess": "string",
"descriptionLinkingProcess": "string",
"userMustBeMemberOfOrg": "string",
"loginNameLabel": "string",
"registerButtonText": "string",
"nextButtonText": "string",
"externalUserDescription": "string",
"userNamePlaceholder": "string",
"loginNamePlaceholder": "string"
},
"passwordText": {
"title": "string",
"description": "string",
"passwordLabel": "string",
"resetLinkText": "string",
"backButtonText": "string",
"nextButtonText": "string",
"minLength": "string",
"hasUppercase": "string",
"hasLowercase": "string",
"hasNumber": "string",
"hasSymbol": "string",
"confirmation": "string"
},
"usernameChangeText": {
"title": "string",
"description": "string",
"usernameLabel": "string",
"cancelButtonText": "string",
"nextButtonText": "string"
},
"usernameChangeDoneText": {
"title": "string",
"description": "string",
"nextButtonText": "string"
},
"initPasswordText": {
"title": "string",
"description": "string",
"codeLabel": "string",
"newPasswordLabel": "string",
"newPasswordConfirmLabel": "string",
"nextButtonText": "string",
"resendButtonText": "string"
},
"initPasswordDoneText": {
"title": "string",
"description": "string",
"nextButtonText": "string",
"cancelButtonText": "string"
},
"emailVerificationText": {
"title": "string",
"description": "string",
"codeLabel": "string",
"nextButtonText": "string",
"resendButtonText": "string"
},
"emailVerificationDoneText": {
"title": "string",
"description": "string",
"nextButtonText": "string",
"cancelButtonText": "string",
"loginButtonText": "string"
},
"initializeUserText": {
"title": "string",
"description": "string",
"codeLabel": "string",
"newPasswordLabel": "string",
"newPasswordConfirmLabel": "string",
"resendButtonText": "string",
"nextButtonText": "string"
},
"initializeDoneText": {
"title": "string",
"description": "string",
"cancelButtonText": "string",
"nextButtonText": "string"
},
"initMfaPromptText": {
"title": "string",
"description": "string",
"otpOption": "string",
"u2fOption": "string",
"skipButtonText": "string",
"nextButtonText": "string"
},
"initMfaOtpText": {
"title": "string",
"description": "string",
"descriptionOtp": "string",
"secretLabel": "string",
"codeLabel": "string",
"nextButtonText": "string",
"cancelButtonText": "string"
},
"initMfaU2fText": {
"title": "string",
"description": "string",
"tokenNameLabel": "string",
"notSupported": "string",
"registerTokenButtonText": "string",
"errorRetry": "string"
},
"initMfaDoneText": {
"title": "string",
"description": "string",
"cancelButtonText": "string",
"nextButtonText": "string"
},
"mfaProvidersText": {
"chooseOther": "string",
"otp": "string",
"u2f": "string"
},
"verifyMfaOtpText": {
"title": "string",
"description": "string",
"codeLabel": "string",
"nextButtonText": "string"
},
"verifyMfaU2fText": {
"title": "string",
"description": "string",
"validateTokenText": "string",
"notSupported": "string",
"errorRetry": "string"
},
"passwordlessText": {
"title": "string",
"description": "string",
"loginWithPwButtonText": "string",
"validateTokenButtonText": "string",
"notSupported": "string",
"errorRetry": "string"
},
"passwordChangeText": {
"title": "string",
"description": "string",
"oldPasswordLabel": "string",
"newPasswordLabel": "string",
"newPasswordConfirmLabel": "string",
"cancelButtonText": "string",
"nextButtonText": "string"
},
"passwordChangeDoneText": {
"title": "string",
"description": "string",
"nextButtonText": "string"
},
"passwordResetDoneText": {
"title": "string",
"description": "string",
"nextButtonText": "string"
},
"registrationOptionText": {
"title": "string",
"description": "string",
"userNameButtonText": "string",
"externalLoginDescription": "string",
"loginButtonText": "string"
},
"registrationUserText": {
"title": "string",
"description": "string",
"descriptionOrgRegister": "string",
"firstnameLabel": "string",
"lastnameLabel": "string",
"emailLabel": "string",
"usernameLabel": "string",
"languageLabel": "string",
"genderLabel": "string",
"passwordLabel": "string",
"passwordConfirmLabel": "string",
"tosAndPrivacyLabel": "string",
"tosConfirm": "string",
"tosLinkText": "string",
"privacyConfirm": "string",
"privacyLinkText": "string",
"nextButtonText": "string",
"backButtonText": "string"
},
"registrationOrgText": {
"title": "string",
"description": "string",
"orgnameLabel": "string",
"firstnameLabel": "string",
"lastnameLabel": "string",
"usernameLabel": "string",
"emailLabel": "string",
"passwordLabel": "string",
"passwordConfirmLabel": "string",
"tosAndPrivacyLabel": "string",
"tosConfirm": "string",
"tosLinkText": "string",
"privacyConfirm": "string",
"privacyLinkText": "string",
"saveButtonText": "string"
},
"linkingUserDoneText": {
"title": "string",
"description": "string",
"cancelButtonText": "string",
"nextButtonText": "string"
},
"externalUserNotFoundText": {
"title": "string",
"description": "string",
"linkButtonText": "string",
"autoRegisterButtonText": "string",
"tosAndPrivacyLabel": "string",
"tosConfirm": "string",
"tosLinkText": "string",
"privacyLinkText": "string",
"privacyConfirm": "string"
},
"successLoginText": {
"title": "string",
"autoRedirectDescription": "string",
"redirectedDescription": "string",
"nextButtonText": "string"
},
"logoutText": {
"title": "string",
"description": "string",
"loginButtonText": "string"
},
"footerText": {
"tos": "string",
"privacyPolicy": "string",
"help": "string",
"supportEmail": "string"
},
"passwordlessPromptText": {
"title": "string",
"description": "string",
"descriptionInit": "string",
"passwordlessButtonText": "string",
"nextButtonText": "string",
"skipButtonText": "string"
},
"passwordlessRegistrationText": {
"title": "string",
"description": "string",
"tokenNameLabel": "string",
"notSupported": "string",
"registerTokenButtonText": "string",
"errorRetry": "string"
},
"passwordlessRegistrationDoneText": {
"title": "string",
"description": "string",
"nextButtonText": "string",
"cancelButtonText": "string",
"descriptionClose": "string"
},
"externalRegistrationUserOverviewText": {
"title": "string",
"description": "string",
"emailLabel": "string",
"usernameLabel": "string",
"firstnameLabel": "string",
"lastnameLabel": "string",
"nicknameLabel": "string",
"languageLabel": "string",
"phoneLabel": "string",
"tosAndPrivacyLabel": "string",
"tosConfirm": "string",
"tosLinkText": "string",
"privacyLinkText": "string",
"backButtonText": "string",
"nextButtonText": "string",
"privacyConfirm": "string"
}
}
],
"initMessages": [
{
"language": "de",
"title": "ZITADEL - Initialize User",
"preHeader": "Initialize User",
"subject": "Initialize User",
"greeting": "Hello {{.FirstName}} {{.LastName}},",
"text": "This user was created in Zitadel. Use the username {{.PreferredLoginName}} to log in. Please click the button below to finish the initialization process. (Code {{.Code}}) If you didn't ask for this mail, please ignore it.",
"buttonText": "Finish initialization",
"footerText": "string"
}
],
"passwordResetMessages": [
{
"language": "de",
"title": "ZITADEL - Reset Password",
"preHeader": "Reset Password",
"subject": "Reset Password",
"greeting": "Hello {{.FirstName}} {{.LastName}},",
"text": "We received a password reset request. Please use the button below to reset your password. (Code {{.Code}}) If you didn't ask for this mail, please ignore it.",
"buttonText": "Reset Password",
"footerText": "string"
}
],
"verifyEmailMessages": [
{
"language": "de",
"title": "ZITADEL - Verify Email",
"preHeader": "Verify Email",
"subject": "Verify Email",
"greeting": "Hello {{.FirstName}} {{.LastName}},",
"text": "A new email has been added. Please use the button below to verify your mail. (Code {{.Code}}) If you didn't add a new email, please ignore this email.",
"buttonText": "Verify Email",
"footerText": "string"
}
],
"verifyPhoneMessages": [
{
"language": "de",
"title": "ZITADEL - Verify Phone",
"preHeader": "Verify Phone",
"subject": "Verify Phone",
"greeting": "Hello {{.FirstName}} {{.LastName}},",
"text": "A new phone number has been added. Please use the following code to verify it {{.Code}}.",
"buttonText": "Verify Phone",
"footerText": "string"
}
],
"domainClaimedMessages": [
{
"language": "de",
"title": "ZITADEL - Domain has been claimed",
"preHeader": "Change email / username",
"subject": "Domain has been claimed",
"greeting": "Hello {{.FirstName}} {{.LastName}},",
"text": "The domain {{.Domain}} has been claimed by an organization. Your current user {{.UserName}} is not part of this organization. Therefore you'll have to change your email when you log in. We have created a temporary username ({{.TempUsername}}) for this login.",
"buttonText": "Login",
"footerText": "string"
}
],
"passwordlessRegistrationMessages": [
{
"language": "de",
"title": "ZITADEL - Password of the user has changed",
"preHeader": "Password Changed",
"subject": "Password of user has changed",
"greeting": "Hello {{.FirstName}} {{.LastName}},",
"text": "The password of your user has changed, if this change was not done by you, please be advised to immediately reset your password.",
"buttonText": "Login",
"footerText": "string"
}
],
"oidcIdps": [
{
"idpId": "string",
"idp": {
"name": "google",
"stylingType": "STYLING_TYPE_UNSPECIFIED",
"clientId": "string",
"clientSecret": "string",
"issuer": "https://accounts.google.com",
"scopes": [
"openid",
"profile",
"email"
],
"displayNameMapping": "OIDC_MAPPING_FIELD_UNSPECIFIED",
"usernameMapping": "OIDC_MAPPING_FIELD_UNSPECIFIED",
"autoRegister": true
}
}
],
"jwtIdps": [
{
"idpId": "string",
"idp": {
"name": "google",
"stylingType": "STYLING_TYPE_UNSPECIFIED",
"jwtEndpoint": "https://accounts.google.com",
"issuer": "https://accounts.google.com",
"keysEndpoint": "https://accounts.google.com/keys",
"headerName": "x-auth-token",
"autoRegister": true
}
}
],
"userLinks": [
{
"userId": "69629023906488334",
"idpId": "69629023906488334",
"idpName": "google",
"providedUserId": "as-12-df-89",
"providedUserName": "gigi.long-neck@gmail.com",
"idpType": "IDP_TYPE_UNSPECIFIED"
}
],
"domains": [
{
"orgId": "69629023906488334",
"details": {
"sequence": "2",
"creationDate": "2023-05-02",
"changeDate": "2023-05-02",
"resourceOwner": "69629023906488334"
},
"domainName": "zitadel.com",
"isVerified": true,
"isPrimary": true,
"validationType": "DOMAIN_VALIDATION_TYPE_UNSPECIFIED"
}
],
"appKeys": [
{
"id": "string",
"projectId": "string",
"appId": "string",
"clientId": "string",
"type": "KEY_TYPE_UNSPECIFIED",
"expirationDate": "2023-05-02",
"publicKey": "string"
}
],
"machineKeys": [
{
"keyId": "string",
"userId": "string",
"type": "KEY_TYPE_UNSPECIFIED",
"expirationDate": "2023-05-02",
"publicKey": "string"
}
]
}
]
}
Returned when the user does not have permission to access the resource.
- application/json
- application/grpc
- application/grpc-web+proto
- Schema
- Example (from schema)
Schema
- code int32
- message string
details object[]
Array [@type string]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
- Schema
- Example (from schema)
Schema
- code int32
- message string
details object[]
Array [@type string]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
- Schema
- Example (from schema)
Schema
- code int32
- message string
details object[]
Array [@type string]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
Returned when the resource does not exist.
- application/json
- application/grpc
- application/grpc-web+proto
- Schema
- Example (from schema)
Schema
- code int32
- message string
details object[]
Array [@type string]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
- Schema
- Example (from schema)
Schema
- code int32
- message string
details object[]
Array [@type string]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
- Schema
- Example (from schema)
Schema
- code int32
- message string
details object[]
Array [@type string]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
An unexpected error response.
- application/json
- application/grpc
- application/grpc-web+proto
- Schema
- Example (from schema)
Schema
- code int32
- message string
details object[]
Array [@type string]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
- Schema
- Example (from schema)
Schema
- code int32
- message string
details object[]
Array [@type string]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
- Schema
- Example (from schema)
Schema
- code int32
- message string
details object[]
Array [@type string]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}