Import Data

Import data on an instance level to ZITADEL. It can be either directly in the request or you can point to a file on an S3 storage, from which the data should be loaded.

application/json
application/grpc
application/grpc-web+proto

Request Body required

dataOrgs object
orgs object[]
Array [
orgId string
org object
name string required
Possible values: non-empty and <= 200 characters
domainPolicy object
orgId string required
Possible values: non-empty and <= 200 characters
userLoginMustBeDomain the username has to end with the domain of its organization (uniqueness is organization based)
the username has to end with the domain of its organization
validateOrgDomains boolean
defines if organization domains should be validated org count as validated automatically
smtpSenderAddressMatchesInstanceDomain boolean
defines if the SMTP sender address domain should match an existing domain on the instance
labelPolicy object
primaryColor string
Possible values: <= 50 characters
Represents a color scheme
hideLoginNameSuffix hides the org suffix on the login form if the scope \"urn:zitadel:iam:org:domain:primary:{domainname}\" is set
hides the org suffix on the login form if the scope "urn:zitadel:iam:org:domain:primary:{domainname}" is set
warnColor string
Possible values: <= 50 characters
hex value for warn color
backgroundColor string
Possible values: <= 50 characters
hex value for background color
fontColor string
Possible values: <= 50 characters
hex value for font color
primaryColorDark string
Possible values: <= 50 characters
hex value for the primary color dark theme
backgroundColorDark string
Possible values: <= 50 characters
hex value for background color dark theme
warnColorDark string
Possible values: <= 50 characters
hex value for warning color dark theme
fontColorDark string
Possible values: <= 50 characters
hex value for font color dark theme
disableWatermark boolean
lockoutPolicy object
maxPasswordAttempts int64
When the user has reached the maximum password attempts the account will be locked, If this is set to 0 the lockout will not trigger.
loginPolicy object
allowUsernamePassword boolean
allowRegister boolean
allowExternalIdp boolean
forceMfa boolean
passwordlessType - PASSWORDLESS_TYPE_ALLOWED: PLANNED: PASSWORDLESS_TYPE_WITH_CERT
Possible values: [PASSWORDLESS_TYPE_NOT_ALLOWED, PASSWORDLESS_TYPE_ALLOWED]
Default value: PASSWORDLESS_TYPE_NOT_ALLOWED
hidePasswordReset boolean
ignoreUnknownUsernames boolean
defines if unknown username on login screen directly returns an error or always displays the password screen
defaultRedirectUri string
defines where the user will be redirected to if the login is started without app context (e.g. from mail)
passwordCheckLifetime string
externalLoginCheckLifetime string
mfaInitSkipLifetime string
secondFactorCheckLifetime string
multiFactorCheckLifetime string
secondFactors string[]
Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED, SECOND_FACTOR_TYPE_OTP, SECOND_FACTOR_TYPE_U2F]
multiFactors string[]
Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION]
idps object[]
Array [
idpId string
ownerType string
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED, IDP_OWNER_TYPE_SYSTEM, IDP_OWNER_TYPE_ORG]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.

IDP_OWNER_TYPE_SYSTEM: system is managed by the ZITADEL administrators

IDP_OWNER_TYPE_ORG: org is managed by de organization administrators

]
allowDomainDiscovery boolean
If set to true, the suffix (@domain.com) of an unknown username input on the login screen will be matched against the org domains and will redirect to the registration of that organization on success.
disableLoginWithEmail boolean
defines if the user can additionally (to the login name) be identified by their verified email address
disableLoginWithPhone boolean
defines if the user can additionally (to the login name) be identified by their verified phone number
passwordComplexityPolicy object
minLength uint64
hasUppercase boolean
Defines if the password MUST contain an upper case letter
hasLowercase boolean
Defines if the password MUST contain a lowercase letter
hasNumber boolean
Defines if the password MUST contain a number
hasSymbol boolean
Defines if the password MUST contain a symbol. E.g. "$"
privacyPolicy object
tosLink string
If registration is enabled, the user has to accept the TOS. Variable {{.Lang}} can be set to have different links based on the language.
privacyLink string
If registration is enabled, the user has to accept the privacy terms. Variable {{.Lang}} can be set to have different links based on the language.
helpLink string
Variable {{.Lang}} can be set to have different links based on the language.
supportEmail string
help / support email address.
projects object[]
Array [
projectId string
project object
name string required
Possible values: non-empty and <= 200 characters
projectRoleAssertion boolean
Enable this setting to have role information included in the user info endpoint. It is also dependent on your application settings to include it in tokens and other types.
projectRoleCheck boolean
When enabled ZITADEL will check if a user has a role of this project assigned when login into an application of this project.
hasProjectCheck boolean
When enabled ZITADEL will check if the organization of the user, that is trying to log in, has a grant to this project.
privateLabelingSetting string
Possible values: [PRIVATE_LABELING_SETTING_UNSPECIFIED, PRIVATE_LABELING_SETTING_ENFORCE_PROJECT_RESOURCE_OWNER_POLICY, PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY]
Default value: PRIVATE_LABELING_SETTING_UNSPECIFIED
Define which private labeling/branding should trigger when getting to a login of this project.
]
projectRoles object[]
Array [
projectId string
roleKey string required
Possible values: non-empty and <= 200 characters
The key is the only relevant attribute for ZITADEL regarding the authorization checks.
displayName string required
Possible values: non-empty and <= 200 characters
group string
Possible values: <= 200 characters
The group is only used for display purposes. That you have better handling, like giving all the roles from a group to a user.
]
apiApps object[]
Array [
appId string
app object
projectId string
name string required
Possible values: non-empty and <= 200 characters
authMethodType string
Possible values: [API_AUTH_METHOD_TYPE_BASIC, API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT]
Default value: API_AUTH_METHOD_TYPE_BASIC
]
oidcApps object[]
Array [
appId string
app object
projectId string
name string required
Possible values: non-empty and <= 200 characters
redirectUris string[]
Callback URI of the authorization request where the code or tokens will be sent to
responseTypes string[]
Possible values: [OIDC_RESPONSE_TYPE_CODE, OIDC_RESPONSE_TYPE_ID_TOKEN, OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN]
Determines whether a code, id_token token or just id_token will be returned
grantTypes string[]
Possible values: [OIDC_GRANT_TYPE_AUTHORIZATION_CODE, OIDC_GRANT_TYPE_IMPLICIT, OIDC_GRANT_TYPE_REFRESH_TOKEN, OIDC_GRANT_TYPE_DEVICE_CODE]
The flow type the application uses to gain access
appType string
Possible values: [OIDC_APP_TYPE_WEB, OIDC_APP_TYPE_USER_AGENT, OIDC_APP_TYPE_NATIVE]
Default value: OIDC_APP_TYPE_WEB
Determines the paradigm of the application
authMethodType string
Possible values: [OIDC_AUTH_METHOD_TYPE_BASIC, OIDC_AUTH_METHOD_TYPE_POST, OIDC_AUTH_METHOD_TYPE_NONE, OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT]
Default value: OIDC_AUTH_METHOD_TYPE_BASIC
Defines how the application passes login credentials
postLogoutRedirectUris string[]
ZITADEL will redirect to this link after a successful logout
version string
Possible values: [OIDC_VERSION_1_0]
Default value: OIDC_VERSION_1_0
devMode boolean
Used for development, some checks of the OIDC specification will not be checked.
accessTokenType string
Possible values: [OIDC_TOKEN_TYPE_BEARER, OIDC_TOKEN_TYPE_JWT]
Default value: OIDC_TOKEN_TYPE_BEARER
Type of the access token returned from ZITADEL
accessTokenRoleAssertion boolean
Adds roles to the claims of the access token (only if type == JWT) even if they are not requested by scopes
idTokenRoleAssertion boolean
Adds roles to the claims of the id token even if they are not requested by scopes
idTokenUserinfoAssertion boolean
Claims of profile, email, address and phone scopes are added to the id token even if an access token is issued. Attention this violates the OIDC specification
clockSkew string
Used to compensate time difference of servers. Duration added to the "exp" claim and subtracted from "iat", "auth_time" and "nbf" claims
additionalOrigins string[]
Additional origins (other than the redirect_uris) from where the API can be used
skipNativeAppSuccessPage boolean
Skip the successful login page on native apps and directly redirect the user to the callback.
]
humanUsers object[]
Array [
userId string
user object
userName string required
profile object required
Profile includes the basic information of a user, like first name, last name, etc.
firstName string required
Possible values: non-empty and <= 200 characters
lastName string required
Possible values: non-empty and <= 200 characters
nickName string
Possible values: <= 200 characters
displayName string
Possible values: <= 200 characters
preferredLanguage string
Possible values: <= 10 characters
gender string
Possible values: [GENDER_UNSPECIFIED, GENDER_FEMALE, GENDER_MALE, GENDER_DIVERSE]
Default value: GENDER_UNSPECIFIED
email object required
email string required
Object that contains the email address and a verified flag.
isEmailVerified boolean
If email verified is set to true, the email will be added as verified and the user doesn't have to verify.
phone object
Object that contains the number and a verified flag
phone string
Possible values: non-empty and <= 50 characters
mobile phone number of the user. (use global pattern of spec https://tools.ietf.org/html/rfc3966)
isPhoneVerified boolean
password string
hashedPassword object
Use this to import hashed passwords from another system.
value string
algorithm string
passwordChangeRequired boolean
If this is set to true, the user has to change the password on the next login.
requestPasswordlessRegistration boolean
If this is set to true, you will get a link for the passwordless/passkey registration in the response.
otpCode string
idps object[]
To link your user directly with an external identity provider (Identity brokering)
Array [
configId string
Possible values: non-empty and <= 200 characters
The internal ID of the identity provider configured in ZITADEL.
externalUserId string
Possible values: non-empty and <= 200 characters
The id of the user in the external identity provider
displayName string
Possible values: <= 200 characters
A display name ZITADEL can show on the linked provider.
]
]
machineUsers object[]
Array [
userId string
user object
userName string required
Possible values: non-empty and <= 200 characters
name string required
Possible values: non-empty and <= 200 characters
description string
Possible values: <= 500 characters
accessTokenType string
Possible values: [ACCESS_TOKEN_TYPE_BEARER, ACCESS_TOKEN_TYPE_JWT]
Default value: ACCESS_TOKEN_TYPE_BEARER
]
triggerActions object[]
Array [
flowType id of the flow type
At the moment you have to send the ID of the Flow Type: ExternalAuthentication=1, CustomiseToken=2, InternalAuthentication=3, PreUserinfoCreation=3
triggerType id of the trigger type
At the moment you have to send the ID of the Trigger Type: PostAuthentication=1, PreCreation=2, PostCreation=3, PreUserinfoCreation=4, PreAccessTokenCreation=5
actionIds string[]
]
actions object[]
Array [
actionId string
action object
name string required
Possible values: non-empty and <= 200 characters
script string required
Possible values: non-empty and <= 2000 characters
Javascript code that should be executed
timeout string
after which time the action will be terminated if not finished
allowedToFail boolean
when true, the next action will be called even if this action fails
]
projectGrants object[]
Array [
grantId string
projectGrant object
projectId string
grantedOrgId string
roleKeys string[]
]
userGrants object[]
Array [
userId string required
Possible values: non-empty
projectId string required
Possible values: non-empty and <= 200 characters
projectGrantId string
Possible values: <= 200 characters
Make sure to fill in the project grant id if the user grant is for a granted project and the organization is not the owner of the project.
roleKeys string[]
]
orgMembers object[]
Array [
userId string
roles string[]
If no roles are provided the user won't have any rights
]
projectMembers object[]
Array [
projectId string
userId string
roles string[]
If no roles are provided the user won't have any rights
]
projectGrantMembers object[]
Array [
projectId string
grantId string
userId string required
Possible values: non-empty and <= 200 characters
roles string[]
If no roles are provided the user won't have any rights
]
userMetadata object[]
Array [
id string
Possible values: non-empty and <= 200 characters
key string
Possible values: non-empty and <= 200 characters
value byte
Possible values: non-empty and <= 500000 characters
The value has to be base64 encoded.
]
loginTexts object[]
Array [
language string
selectAccountText object
title string
description string
titleLinkingProcess string
descriptionLinkingProcess string
otherUser string
sessionStateActive string
sessionStateInactive string
userMustBeMemberOfOrg string
loginText object
title string
description string
titleLinkingProcess string
descriptionLinkingProcess string
userMustBeMemberOfOrg string
loginNameLabel string
registerButtonText string
nextButtonText string
externalUserDescription string
userNamePlaceholder string
loginNamePlaceholder string
passwordText object
title string
description string
passwordLabel string
resetLinkText string
backButtonText string
nextButtonText string
minLength string
hasUppercase string
hasLowercase string
hasNumber string
hasSymbol string
confirmation string
usernameChangeText object
title string
description string
usernameLabel string
cancelButtonText string
nextButtonText string
usernameChangeDoneText object
title string
description string
nextButtonText string
initPasswordText object
title string
description string
codeLabel string
newPasswordLabel string
newPasswordConfirmLabel string
nextButtonText string
resendButtonText string
initPasswordDoneText object
title string
description string
nextButtonText string
cancelButtonText string
emailVerificationText object
title string
description string
codeLabel string
nextButtonText string
resendButtonText string
emailVerificationDoneText object
title string
description string
nextButtonText string
cancelButtonText string
loginButtonText string
initializeUserText object
title string
description string
codeLabel string
newPasswordLabel string
newPasswordConfirmLabel string
resendButtonText string
nextButtonText string
initializeDoneText object
title string
description string
cancelButtonText string
nextButtonText string
initMfaPromptText object
title string
description string
otpOption string
u2fOption string
skipButtonText string
nextButtonText string
initMfaOtpText object
title string
description string
descriptionOtp string
secretLabel string
codeLabel string
nextButtonText string
cancelButtonText string
initMfaU2fText object
title string
description string
tokenNameLabel string
notSupported string
registerTokenButtonText string
errorRetry string
initMfaDoneText object
title string
description string
cancelButtonText string
nextButtonText string
mfaProvidersText object
chooseOther string
otp string
u2f string
verifyMfaOtpText object
title string
description string
codeLabel string
nextButtonText string
verifyMfaU2fText object
title string
description string
validateTokenText string
notSupported string
errorRetry string
passwordlessText object
title string
description string
loginWithPwButtonText string
validateTokenButtonText string
notSupported string
errorRetry string
passwordChangeText object
title string
description string
oldPasswordLabel string
newPasswordLabel string
newPasswordConfirmLabel string
cancelButtonText string
nextButtonText string
passwordChangeDoneText object
title string
description string
nextButtonText string
passwordResetDoneText object
title string
description string
nextButtonText string
registrationOptionText object
title string
description string
userNameButtonText string
externalLoginDescription string
loginButtonText string
registrationUserText object
title string
description string
descriptionOrgRegister string
firstnameLabel string
lastnameLabel string
emailLabel string
usernameLabel string
languageLabel string
genderLabel string
passwordLabel string
passwordConfirmLabel string
tosAndPrivacyLabel string
tosConfirm string
tosLinkText string
privacyConfirm string
privacyLinkText string
nextButtonText string
backButtonText string
registrationOrgText object
title string
description string
orgnameLabel string
firstnameLabel string
lastnameLabel string
usernameLabel string
emailLabel string
passwordLabel string
passwordConfirmLabel string
tosAndPrivacyLabel string
tosConfirm string
tosLinkText string
privacyConfirm string
privacyLinkText string
saveButtonText string
linkingUserDoneText object
title string
description string
cancelButtonText string
nextButtonText string
externalUserNotFoundText object
title string
description string
linkButtonText string
autoRegisterButtonText string
tosAndPrivacyLabel string
tosConfirm string
tosLinkText string
privacyLinkText string
privacyConfirm string
successLoginText object
title string
autoRedirectDescription Text to describe that auto-redirect should happen after successful login
redirectedDescription Text to describe that the window can be closed after redirect
nextButtonText string
logoutText object
title string
description string
loginButtonText string
footerText object
tos string
privacyPolicy string
help string
supportEmail string
passwordlessPromptText object
title string
description string
descriptionInit string
passwordlessButtonText string
nextButtonText string
skipButtonText string
passwordlessRegistrationText object
title string
description string
tokenNameLabel string
notSupported string
registerTokenButtonText string
errorRetry string
passwordlessRegistrationDoneText object
title string
description string
nextButtonText string
cancelButtonText string
descriptionClose string
externalRegistrationUserOverviewText object
title string
description string
emailLabel string
usernameLabel string
firstnameLabel string
lastnameLabel string
nicknameLabel string
languageLabel string
phoneLabel string
tosAndPrivacyLabel string
tosConfirm string
tosLinkText string
privacyLinkText string
backButtonText string
nextButtonText string
privacyConfirm string
]
initMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
passwordResetMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
verifyEmailMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
verifyPhoneMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
domainClaimedMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
passwordlessRegistrationMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
oidcIdps object[]
Array [
idpId string
idp object
name string required
Possible values: non-empty and <= 200 characters
stylingType string
Possible values: [STYLING_TYPE_UNSPECIFIED, STYLING_TYPE_GOOGLE]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
clientId string required
Possible values: non-empty and <= 200 characters
client id generated by the identity provider
clientSecret string required
Possible values: non-empty and <= 200 characters
client secret generated by the identity provider
issuer string required
the OIDC issuer of the identity provider
scopes string[]
the scopes requested by ZITADEL during the request on the identity provider
displayNameMapping string
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED, OIDC_MAPPING_FIELD_PREFERRED_USERNAME, OIDC_MAPPING_FIELD_EMAIL]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the display name of the user
usernameMapping string
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED, OIDC_MAPPING_FIELD_PREFERRED_USERNAME, OIDC_MAPPING_FIELD_EMAIL]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the email of the user
autoRegister boolean
]
jwtIdps object[]
Array [
idpId string
idp object
name string required
Possible values: non-empty and <= 200 characters
stylingType string
Possible values: [STYLING_TYPE_UNSPECIFIED, STYLING_TYPE_GOOGLE]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
jwtEndpoint string required
Possible values: non-empty and <= 200 characters
the endpoint where the JWT can be extracted
issuer string required
Possible values: non-empty and <= 200 characters
the issuer of the JWT (for validation)
keysEndpoint string required
Possible values: non-empty and <= 200 characters
the endpoint to the key (JWK) which is used to sign the JWT with
headerName string required
Possible values: non-empty and <= 200 characters
the name of the header where the JWT is sent in, default is authorization
autoRegister boolean
]
userLinks object[]
Array [
userId string
the id of the user
idpId string
the id of the identity provider
idpName string
the name of the identity provider
providedUserId string
the id of the user provided by the identity provider
providedUserName string
the id of the identity provider
idpType authorization framework of the identity provider
Possible values: [IDP_TYPE_UNSPECIFIED, IDP_TYPE_OIDC, IDP_TYPE_JWT]
Default value: IDP_TYPE_UNSPECIFIED
the authorization framework of the identity provider
]
domains object[]
Array [
orgId string
details object
sequence uint64
on read: the sequence of the last event reduced by the projection

on manipulation: the timestamp of the event(s) added by the manipulation
creationDate date-time
on read: the timestamp of the first event of the object

on create: the timestamp of the event(s) added by the manipulation
changeDate date-time
on read: the timestamp of the last event reduced by the projection

on manipulation: the
resourceOwner resource_owner is the organization an object belongs to
domainName string
isVerified boolean
defines if the domain is verified
isPrimary boolean
defines if the domain is the primary domain
validationType string
Possible values: [DOMAIN_VALIDATION_TYPE_UNSPECIFIED, DOMAIN_VALIDATION_TYPE_HTTP, DOMAIN_VALIDATION_TYPE_DNS]
Default value: DOMAIN_VALIDATION_TYPE_UNSPECIFIED
defines the protocol the domain was validated with
]
appKeys object[]
Array [
id string
projectId string
appId string
clientId string
type string
Possible values: [KEY_TYPE_UNSPECIFIED, KEY_TYPE_JSON]
Default value: KEY_TYPE_UNSPECIFIED
expirationDate date-time
publicKey byte
]
machineKeys object[]
Array [
keyId string
userId string
type string
Possible values: [KEY_TYPE_UNSPECIFIED, KEY_TYPE_JSON]
Default value: KEY_TYPE_UNSPECIFIED
expirationDate date-time
publicKey byte
]
]
dataOrgsv1 object
orgs object[]
Array [
orgId string
org object
name string required
Possible values: non-empty and <= 200 characters
iamPolicy object
orgId string required
Possible values: non-empty and <= 200 characters
userLoginMustBeDomain the username has to end with the domain of its organization (uniqueness is organization based)
the username has to end with the domain of its organization
labelPolicy object
primaryColor string
Possible values: <= 50 characters
Represents a color scheme
hideLoginNameSuffix hides the org suffix on the login form if the scope \"urn:zitadel:iam:org:domain:primary:{domainname}\" is set
hides the org suffix on the login form if the scope "urn:zitadel:iam:org:domain:primary:{domainname}" is set
warnColor string
Possible values: <= 50 characters
hex value for warn color
backgroundColor string
Possible values: <= 50 characters
hex value for background color
fontColor string
Possible values: <= 50 characters
hex value for font color
primaryColorDark string
Possible values: <= 50 characters
hex value for the primary color dark theme
backgroundColorDark string
Possible values: <= 50 characters
hex value for background color dark theme
warnColorDark string
Possible values: <= 50 characters
hex value for warning color dark theme
fontColorDark string
Possible values: <= 50 characters
hex value for font color dark theme
disableWatermark boolean
lockoutPolicy object
maxPasswordAttempts int64
When the user has reached the maximum password attempts the account will be locked, If this is set to 0 the lockout will not trigger.
loginPolicy object
allowUsernamePassword boolean
allowRegister boolean
allowExternalIdp boolean
forceMfa boolean
passwordlessType - PASSWORDLESS_TYPE_ALLOWED: PLANNED: PASSWORDLESS_TYPE_WITH_CERT
Possible values: [PASSWORDLESS_TYPE_NOT_ALLOWED, PASSWORDLESS_TYPE_ALLOWED]
Default value: PASSWORDLESS_TYPE_NOT_ALLOWED
hidePasswordReset boolean
ignoreUnknownUsernames boolean
defines if unknown username on login screen directly returns an error or always displays the password screen
defaultRedirectUri string
defines where the user will be redirected to if the login is started without app context (e.g. from mail)
passwordCheckLifetime string
externalLoginCheckLifetime string
mfaInitSkipLifetime string
secondFactorCheckLifetime string
multiFactorCheckLifetime string
secondFactors string[]
Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED, SECOND_FACTOR_TYPE_OTP, SECOND_FACTOR_TYPE_U2F]
multiFactors string[]
Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION]
idps object[]
Array [
idpId string
ownerType string
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED, IDP_OWNER_TYPE_SYSTEM, IDP_OWNER_TYPE_ORG]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.

IDP_OWNER_TYPE_SYSTEM: system is managed by the ZITADEL administrators

IDP_OWNER_TYPE_ORG: org is managed by de organization administrators

]
allowDomainDiscovery boolean
If set to true, the suffix (@domain.com) of an unknown username input on the login screen will be matched against the org domains and will redirect to the registration of that organization on success.
disableLoginWithEmail boolean
defines if the user can additionally (to the login name) be identified by their verified email address
disableLoginWithPhone boolean
defines if the user can additionally (to the login name) be identified by their verified phone number
passwordComplexityPolicy object
minLength uint64
hasUppercase boolean
Defines if the password MUST contain an upper case letter
hasLowercase boolean
Defines if the password MUST contain a lowercase letter
hasNumber boolean
Defines if the password MUST contain a number
hasSymbol boolean
Defines if the password MUST contain a symbol. E.g. "$"
privacyPolicy object
tosLink string
If registration is enabled, the user has to accept the TOS. Variable {{.Lang}} can be set to have different links based on the language.
privacyLink string
If registration is enabled, the user has to accept the privacy terms. Variable {{.Lang}} can be set to have different links based on the language.
helpLink string
Variable {{.Lang}} can be set to have different links based on the language.
supportEmail string
help / support email address.
projects object[]
Array [
projectId string
project object
name string required
Possible values: non-empty and <= 200 characters
projectRoleAssertion boolean
Enable this setting to have role information included in the user info endpoint. It is also dependent on your application settings to include it in tokens and other types.
projectRoleCheck boolean
When enabled ZITADEL will check if a user has a role of this project assigned when login into an application of this project.
hasProjectCheck boolean
When enabled ZITADEL will check if the organization of the user, that is trying to log in, has a grant to this project.
privateLabelingSetting string
Possible values: [PRIVATE_LABELING_SETTING_UNSPECIFIED, PRIVATE_LABELING_SETTING_ENFORCE_PROJECT_RESOURCE_OWNER_POLICY, PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY]
Default value: PRIVATE_LABELING_SETTING_UNSPECIFIED
Define which private labeling/branding should trigger when getting to a login of this project.
]
projectRoles object[]
Array [
projectId string
roleKey string required
Possible values: non-empty and <= 200 characters
The key is the only relevant attribute for ZITADEL regarding the authorization checks.
displayName string required
Possible values: non-empty and <= 200 characters
group string
Possible values: <= 200 characters
The group is only used for display purposes. That you have better handling, like giving all the roles from a group to a user.
]
apiApps object[]
Array [
appId string
app object
projectId string
name string required
Possible values: non-empty and <= 200 characters
authMethodType string
Possible values: [API_AUTH_METHOD_TYPE_BASIC, API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT]
Default value: API_AUTH_METHOD_TYPE_BASIC
]
oidcApps object[]
Array [
appId string
app object
projectId string
name string required
Possible values: non-empty and <= 200 characters
redirectUris string[]
Callback URI of the authorization request where the code or tokens will be sent to
responseTypes string[]
Possible values: [OIDC_RESPONSE_TYPE_CODE, OIDC_RESPONSE_TYPE_ID_TOKEN, OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN]
Determines whether a code, id_token token or just id_token will be returned
grantTypes string[]
Possible values: [OIDC_GRANT_TYPE_AUTHORIZATION_CODE, OIDC_GRANT_TYPE_IMPLICIT, OIDC_GRANT_TYPE_REFRESH_TOKEN, OIDC_GRANT_TYPE_DEVICE_CODE]
The flow type the application uses to gain access
appType string
Possible values: [OIDC_APP_TYPE_WEB, OIDC_APP_TYPE_USER_AGENT, OIDC_APP_TYPE_NATIVE]
Default value: OIDC_APP_TYPE_WEB
Determines the paradigm of the application
authMethodType string
Possible values: [OIDC_AUTH_METHOD_TYPE_BASIC, OIDC_AUTH_METHOD_TYPE_POST, OIDC_AUTH_METHOD_TYPE_NONE, OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT]
Default value: OIDC_AUTH_METHOD_TYPE_BASIC
Defines how the application passes login credentials
postLogoutRedirectUris string[]
ZITADEL will redirect to this link after a successful logout
version string
Possible values: [OIDC_VERSION_1_0]
Default value: OIDC_VERSION_1_0
devMode boolean
Used for development, some checks of the OIDC specification will not be checked.
accessTokenType string
Possible values: [OIDC_TOKEN_TYPE_BEARER, OIDC_TOKEN_TYPE_JWT]
Default value: OIDC_TOKEN_TYPE_BEARER
Type of the access token returned from ZITADEL
accessTokenRoleAssertion boolean
Adds roles to the claims of the access token (only if type == JWT) even if they are not requested by scopes
idTokenRoleAssertion boolean
Adds roles to the claims of the id token even if they are not requested by scopes
idTokenUserinfoAssertion boolean
Claims of profile, email, address and phone scopes are added to the id token even if an access token is issued. Attention this violates the OIDC specification
clockSkew string
Used to compensate time difference of servers. Duration added to the "exp" claim and subtracted from "iat", "auth_time" and "nbf" claims
additionalOrigins string[]
Additional origins (other than the redirect_uris) from where the API can be used
skipNativeAppSuccessPage boolean
Skip the successful login page on native apps and directly redirect the user to the callback.
]
humanUsers object[]
Array [
userId string
user object
userName string required
profile object required
Profile includes the basic information of a user, like first name, last name, etc.
firstName string required
Possible values: non-empty and <= 200 characters
lastName string required
Possible values: non-empty and <= 200 characters
nickName string
Possible values: <= 200 characters
displayName string
Possible values: <= 200 characters
preferredLanguage string
Possible values: <= 10 characters
gender string
Possible values: [GENDER_UNSPECIFIED, GENDER_FEMALE, GENDER_MALE, GENDER_DIVERSE]
Default value: GENDER_UNSPECIFIED
email object required
email string required
Object that contains the email address and a verified flag.
isEmailVerified boolean
If email verified is set to true, the email will be added as verified and the user doesn't have to verify.
phone object
Object that contains the number and a verified flag
phone string
Possible values: non-empty and <= 50 characters
mobile phone number of the user. (use global pattern of spec https://tools.ietf.org/html/rfc3966)
isPhoneVerified boolean
password string
hashedPassword object
Use this to import hashed passwords from another system.
value string
algorithm string
passwordChangeRequired boolean
If this is set to true, the user has to change the password on the next login.
requestPasswordlessRegistration boolean
If this is set to true, you will get a link for the passwordless/passkey registration in the response.
otpCode string
idps object[]
To link your user directly with an external identity provider (Identity brokering)
Array [
configId string
Possible values: non-empty and <= 200 characters
The internal ID of the identity provider configured in ZITADEL.
externalUserId string
Possible values: non-empty and <= 200 characters
The id of the user in the external identity provider
displayName string
Possible values: <= 200 characters
A display name ZITADEL can show on the linked provider.
]
]
machineUsers object[]
Array [
userId string
user object
userName string required
Possible values: non-empty and <= 200 characters
name string required
Possible values: non-empty and <= 200 characters
description string
Possible values: <= 500 characters
accessTokenType string
Possible values: [ACCESS_TOKEN_TYPE_BEARER, ACCESS_TOKEN_TYPE_JWT]
Default value: ACCESS_TOKEN_TYPE_BEARER
]
triggerActions object[]
Array [
flowType string
Possible values: [FLOW_TYPE_UNSPECIFIED, FLOW_TYPE_EXTERNAL_AUTHENTICATION]
Default value: FLOW_TYPE_UNSPECIFIED
triggerType string
Possible values: [TRIGGER_TYPE_UNSPECIFIED, TRIGGER_TYPE_POST_AUTHENTICATION, TRIGGER_TYPE_PRE_CREATION, TRIGGER_TYPE_POST_CREATION]
Default value: TRIGGER_TYPE_UNSPECIFIED
actionIds string[]
]
actions object[]
Array [
actionId string
action object
name string required
Possible values: non-empty and <= 200 characters
script string required
Possible values: non-empty and <= 2000 characters
Javascript code that should be executed
timeout string
after which time the action will be terminated if not finished
allowedToFail boolean
when true, the next action will be called even if this action fails
]
projectGrants object[]
Array [
grantId string
projectGrant object
projectId string
grantedOrgId string
roleKeys string[]
]
userGrants object[]
Array [
userId string required
Possible values: non-empty
projectId string required
Possible values: non-empty and <= 200 characters
projectGrantId string
Possible values: <= 200 characters
Make sure to fill in the project grant id if the user grant is for a granted project and the organization is not the owner of the project.
roleKeys string[]
]
orgMembers object[]
Array [
userId string
roles string[]
If no roles are provided the user won't have any rights
]
projectMembers object[]
Array [
projectId string
userId string
roles string[]
If no roles are provided the user won't have any rights
]
projectGrantMembers object[]
Array [
projectId string
grantId string
userId string required
Possible values: non-empty and <= 200 characters
roles string[]
If no roles are provided the user won't have any rights
]
userMetadata object[]
Array [
id string
Possible values: non-empty and <= 200 characters
key string
Possible values: non-empty and <= 200 characters
value byte
Possible values: non-empty and <= 500000 characters
The value has to be base64 encoded.
]
loginTexts object[]
Array [
language string
selectAccountText object
title string
description string
titleLinkingProcess string
descriptionLinkingProcess string
otherUser string
sessionStateActive string
sessionStateInactive string
userMustBeMemberOfOrg string
loginText object
title string
description string
titleLinkingProcess string
descriptionLinkingProcess string
userMustBeMemberOfOrg string
loginNameLabel string
registerButtonText string
nextButtonText string
externalUserDescription string
userNamePlaceholder string
loginNamePlaceholder string
passwordText object
title string
description string
passwordLabel string
resetLinkText string
backButtonText string
nextButtonText string
minLength string
hasUppercase string
hasLowercase string
hasNumber string
hasSymbol string
confirmation string
usernameChangeText object
title string
description string
usernameLabel string
cancelButtonText string
nextButtonText string
usernameChangeDoneText object
title string
description string
nextButtonText string
initPasswordText object
title string
description string
codeLabel string
newPasswordLabel string
newPasswordConfirmLabel string
nextButtonText string
resendButtonText string
initPasswordDoneText object
title string
description string
nextButtonText string
cancelButtonText string
emailVerificationText object
title string
description string
codeLabel string
nextButtonText string
resendButtonText string
emailVerificationDoneText object
title string
description string
nextButtonText string
cancelButtonText string
loginButtonText string
initializeUserText object
title string
description string
codeLabel string
newPasswordLabel string
newPasswordConfirmLabel string
resendButtonText string
nextButtonText string
initializeDoneText object
title string
description string
cancelButtonText string
nextButtonText string
initMfaPromptText object
title string
description string
otpOption string
u2fOption string
skipButtonText string
nextButtonText string
initMfaOtpText object
title string
description string
descriptionOtp string
secretLabel string
codeLabel string
nextButtonText string
cancelButtonText string
initMfaU2fText object
title string
description string
tokenNameLabel string
notSupported string
registerTokenButtonText string
errorRetry string
initMfaDoneText object
title string
description string
cancelButtonText string
nextButtonText string
mfaProvidersText object
chooseOther string
otp string
u2f string
verifyMfaOtpText object
title string
description string
codeLabel string
nextButtonText string
verifyMfaU2fText object
title string
description string
validateTokenText string
notSupported string
errorRetry string
passwordlessText object
title string
description string
loginWithPwButtonText string
validateTokenButtonText string
notSupported string
errorRetry string
passwordChangeText object
title string
description string
oldPasswordLabel string
newPasswordLabel string
newPasswordConfirmLabel string
cancelButtonText string
nextButtonText string
passwordChangeDoneText object
title string
description string
nextButtonText string
passwordResetDoneText object
title string
description string
nextButtonText string
registrationOptionText object
title string
description string
userNameButtonText string
externalLoginDescription string
loginButtonText string
registrationUserText object
title string
description string
descriptionOrgRegister string
firstnameLabel string
lastnameLabel string
emailLabel string
usernameLabel string
languageLabel string
genderLabel string
passwordLabel string
passwordConfirmLabel string
tosAndPrivacyLabel string
tosConfirm string
tosLinkText string
privacyConfirm string
privacyLinkText string
nextButtonText string
backButtonText string
registrationOrgText object
title string
description string
orgnameLabel string
firstnameLabel string
lastnameLabel string
usernameLabel string
emailLabel string
passwordLabel string
passwordConfirmLabel string
tosAndPrivacyLabel string
tosConfirm string
tosLinkText string
privacyConfirm string
privacyLinkText string
saveButtonText string
linkingUserDoneText object
title string
description string
cancelButtonText string
nextButtonText string
externalUserNotFoundText object
title string
description string
linkButtonText string
autoRegisterButtonText string
tosAndPrivacyLabel string
tosConfirm string
tosLinkText string
privacyLinkText string
privacyConfirm string
successLoginText object
title string
autoRedirectDescription Text to describe that auto-redirect should happen after successful login
redirectedDescription Text to describe that the window can be closed after redirect
nextButtonText string
logoutText object
title string
description string
loginButtonText string
footerText object
tos string
privacyPolicy string
help string
supportEmail string
passwordlessPromptText object
title string
description string
descriptionInit string
passwordlessButtonText string
nextButtonText string
skipButtonText string
passwordlessRegistrationText object
title string
description string
tokenNameLabel string
notSupported string
registerTokenButtonText string
errorRetry string
passwordlessRegistrationDoneText object
title string
description string
nextButtonText string
cancelButtonText string
descriptionClose string
externalRegistrationUserOverviewText object
title string
description string
emailLabel string
usernameLabel string
firstnameLabel string
lastnameLabel string
nicknameLabel string
languageLabel string
phoneLabel string
tosAndPrivacyLabel string
tosConfirm string
tosLinkText string
privacyLinkText string
backButtonText string
nextButtonText string
privacyConfirm string
]
initMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
passwordResetMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
verifyEmailMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
verifyPhoneMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
domainClaimedMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
passwordlessRegistrationMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
oidcIdps object[]
Array [
idpId string
idp object
name string required
Possible values: non-empty and <= 200 characters
stylingType string
Possible values: [STYLING_TYPE_UNSPECIFIED, STYLING_TYPE_GOOGLE]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
clientId string required
Possible values: non-empty and <= 200 characters
client id generated by the identity provider
clientSecret string required
Possible values: non-empty and <= 200 characters
client secret generated by the identity provider
issuer string required
the OIDC issuer of the identity provider
scopes string[]
the scopes requested by ZITADEL during the request on the identity provider
displayNameMapping string
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED, OIDC_MAPPING_FIELD_PREFERRED_USERNAME, OIDC_MAPPING_FIELD_EMAIL]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the display name of the user
usernameMapping string
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED, OIDC_MAPPING_FIELD_PREFERRED_USERNAME, OIDC_MAPPING_FIELD_EMAIL]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the email of the user
autoRegister boolean
]
jwtIdps object[]
Array [
idpId string
idp object
name string required
Possible values: non-empty and <= 200 characters
stylingType string
Possible values: [STYLING_TYPE_UNSPECIFIED, STYLING_TYPE_GOOGLE]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
jwtEndpoint string required
Possible values: non-empty and <= 200 characters
the endpoint where the JWT can be extracted
issuer string required
Possible values: non-empty and <= 200 characters
the issuer of the JWT (for validation)
keysEndpoint string required
Possible values: non-empty and <= 200 characters
the endpoint to the key (JWK) which is used to sign the JWT with
headerName string required
Possible values: non-empty and <= 200 characters
the name of the header where the JWT is sent in, default is authorization
autoRegister boolean
]
secondFactors object[]
Array [
type string
Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED, SECOND_FACTOR_TYPE_OTP, SECOND_FACTOR_TYPE_U2F]
Default value: SECOND_FACTOR_TYPE_UNSPECIFIED
]
multiFactors object[]
Array [
type string
Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION]
Default value: MULTI_FACTOR_TYPE_UNSPECIFIED
]
idps object[]
Array [
idpId string
ownerType string
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED, IDP_OWNER_TYPE_SYSTEM, IDP_OWNER_TYPE_ORG]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.

IDP_OWNER_TYPE_SYSTEM: system is managed by the ZITADEL administrators

IDP_OWNER_TYPE_ORG: org is managed by de organization administrators

]
userLinks object[]
Array [
userId string
the id of the user
idpId string
the id of the identity provider
idpName string
the name of the identity provider
providedUserId string
the id of the user provided by the identity provider
providedUserName string
the id of the identity provider
idpType authorization framework of the identity provider
Possible values: [IDP_TYPE_UNSPECIFIED, IDP_TYPE_OIDC, IDP_TYPE_JWT]
Default value: IDP_TYPE_UNSPECIFIED
the authorization framework of the identity provider
]
domains object[]
Array [
orgId string
details object
sequence uint64
on read: the sequence of the last event reduced by the projection

on manipulation: the timestamp of the event(s) added by the manipulation
creationDate date-time
on read: the timestamp of the first event of the object

on create: the timestamp of the event(s) added by the manipulation
changeDate date-time
on read: the timestamp of the last event reduced by the projection

on manipulation: the
resourceOwner resource_owner is the organization an object belongs to
domainName string
isVerified boolean
defines if the domain is verified
isPrimary boolean
defines if the domain is the primary domain
validationType string
Possible values: [DOMAIN_VALIDATION_TYPE_UNSPECIFIED, DOMAIN_VALIDATION_TYPE_HTTP, DOMAIN_VALIDATION_TYPE_DNS]
Default value: DOMAIN_VALIDATION_TYPE_UNSPECIFIED
defines the protocol the domain was validated with
]
appKeys object[]
Array [
id string
projectId string
appId string
clientId string
type string
Possible values: [KEY_TYPE_UNSPECIFIED, KEY_TYPE_JSON]
Default value: KEY_TYPE_UNSPECIFIED
expirationDate date-time
publicKey byte
]
machineKeys object[]
Array [
keyId string
userId string
type string
Possible values: [KEY_TYPE_UNSPECIFIED, KEY_TYPE_JSON]
Default value: KEY_TYPE_UNSPECIFIED
expirationDate date-time
publicKey byte
]
]
dataOrgsLocal object
path string
dataOrgsv1Local object
path string
dataOrgsS3 object
path string
endpoint string
accessKeyId string
secretAccessKey string
ssl boolean
bucket string
dataOrgsv1S3 object
path string
endpoint string
accessKeyId string
secretAccessKey string
ssl boolean
bucket string
dataOrgsGcs object
bucket string
serviceaccountJson string
path string
dataOrgsv1Gcs object
bucket string
serviceaccountJson string
path string
timeout string

Request Body required

dataOrgs object
orgs object[]
Array [
orgId string
org object
name string required
Possible values: non-empty and <= 200 characters
domainPolicy object
orgId string required
Possible values: non-empty and <= 200 characters
userLoginMustBeDomain the username has to end with the domain of its organization (uniqueness is organization based)
the username has to end with the domain of its organization
validateOrgDomains boolean
defines if organization domains should be validated org count as validated automatically
smtpSenderAddressMatchesInstanceDomain boolean
defines if the SMTP sender address domain should match an existing domain on the instance
labelPolicy object
primaryColor string
Possible values: <= 50 characters
Represents a color scheme
hideLoginNameSuffix hides the org suffix on the login form if the scope \"urn:zitadel:iam:org:domain:primary:{domainname}\" is set
hides the org suffix on the login form if the scope "urn:zitadel:iam:org:domain:primary:{domainname}" is set
warnColor string
Possible values: <= 50 characters
hex value for warn color
backgroundColor string
Possible values: <= 50 characters
hex value for background color
fontColor string
Possible values: <= 50 characters
hex value for font color
primaryColorDark string
Possible values: <= 50 characters
hex value for the primary color dark theme
backgroundColorDark string
Possible values: <= 50 characters
hex value for background color dark theme
warnColorDark string
Possible values: <= 50 characters
hex value for warning color dark theme
fontColorDark string
Possible values: <= 50 characters
hex value for font color dark theme
disableWatermark boolean
lockoutPolicy object
maxPasswordAttempts int64
When the user has reached the maximum password attempts the account will be locked, If this is set to 0 the lockout will not trigger.
loginPolicy object
allowUsernamePassword boolean
allowRegister boolean
allowExternalIdp boolean
forceMfa boolean
passwordlessType - PASSWORDLESS_TYPE_ALLOWED: PLANNED: PASSWORDLESS_TYPE_WITH_CERT
Possible values: [PASSWORDLESS_TYPE_NOT_ALLOWED, PASSWORDLESS_TYPE_ALLOWED]
Default value: PASSWORDLESS_TYPE_NOT_ALLOWED
hidePasswordReset boolean
ignoreUnknownUsernames boolean
defines if unknown username on login screen directly returns an error or always displays the password screen
defaultRedirectUri string
defines where the user will be redirected to if the login is started without app context (e.g. from mail)
passwordCheckLifetime string
externalLoginCheckLifetime string
mfaInitSkipLifetime string
secondFactorCheckLifetime string
multiFactorCheckLifetime string
secondFactors string[]
Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED, SECOND_FACTOR_TYPE_OTP, SECOND_FACTOR_TYPE_U2F]
multiFactors string[]
Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION]
idps object[]
Array [
idpId string
ownerType string
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED, IDP_OWNER_TYPE_SYSTEM, IDP_OWNER_TYPE_ORG]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.

IDP_OWNER_TYPE_SYSTEM: system is managed by the ZITADEL administrators

IDP_OWNER_TYPE_ORG: org is managed by de organization administrators

]
allowDomainDiscovery boolean
If set to true, the suffix (@domain.com) of an unknown username input on the login screen will be matched against the org domains and will redirect to the registration of that organization on success.
disableLoginWithEmail boolean
defines if the user can additionally (to the login name) be identified by their verified email address
disableLoginWithPhone boolean
defines if the user can additionally (to the login name) be identified by their verified phone number
passwordComplexityPolicy object
minLength uint64
hasUppercase boolean
Defines if the password MUST contain an upper case letter
hasLowercase boolean
Defines if the password MUST contain a lowercase letter
hasNumber boolean
Defines if the password MUST contain a number
hasSymbol boolean
Defines if the password MUST contain a symbol. E.g. "$"
privacyPolicy object
tosLink string
If registration is enabled, the user has to accept the TOS. Variable {{.Lang}} can be set to have different links based on the language.
privacyLink string
If registration is enabled, the user has to accept the privacy terms. Variable {{.Lang}} can be set to have different links based on the language.
helpLink string
Variable {{.Lang}} can be set to have different links based on the language.
supportEmail string
help / support email address.
projects object[]
Array [
projectId string
project object
name string required
Possible values: non-empty and <= 200 characters
projectRoleAssertion boolean
Enable this setting to have role information included in the user info endpoint. It is also dependent on your application settings to include it in tokens and other types.
projectRoleCheck boolean
When enabled ZITADEL will check if a user has a role of this project assigned when login into an application of this project.
hasProjectCheck boolean
When enabled ZITADEL will check if the organization of the user, that is trying to log in, has a grant to this project.
privateLabelingSetting string
Possible values: [PRIVATE_LABELING_SETTING_UNSPECIFIED, PRIVATE_LABELING_SETTING_ENFORCE_PROJECT_RESOURCE_OWNER_POLICY, PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY]
Default value: PRIVATE_LABELING_SETTING_UNSPECIFIED
Define which private labeling/branding should trigger when getting to a login of this project.
]
projectRoles object[]
Array [
projectId string
roleKey string required
Possible values: non-empty and <= 200 characters
The key is the only relevant attribute for ZITADEL regarding the authorization checks.
displayName string required
Possible values: non-empty and <= 200 characters
group string
Possible values: <= 200 characters
The group is only used for display purposes. That you have better handling, like giving all the roles from a group to a user.
]
apiApps object[]
Array [
appId string
app object
projectId string
name string required
Possible values: non-empty and <= 200 characters
authMethodType string
Possible values: [API_AUTH_METHOD_TYPE_BASIC, API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT]
Default value: API_AUTH_METHOD_TYPE_BASIC
]
oidcApps object[]
Array [
appId string
app object
projectId string
name string required
Possible values: non-empty and <= 200 characters
redirectUris string[]
Callback URI of the authorization request where the code or tokens will be sent to
responseTypes string[]
Possible values: [OIDC_RESPONSE_TYPE_CODE, OIDC_RESPONSE_TYPE_ID_TOKEN, OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN]
Determines whether a code, id_token token or just id_token will be returned
grantTypes string[]
Possible values: [OIDC_GRANT_TYPE_AUTHORIZATION_CODE, OIDC_GRANT_TYPE_IMPLICIT, OIDC_GRANT_TYPE_REFRESH_TOKEN, OIDC_GRANT_TYPE_DEVICE_CODE]
The flow type the application uses to gain access
appType string
Possible values: [OIDC_APP_TYPE_WEB, OIDC_APP_TYPE_USER_AGENT, OIDC_APP_TYPE_NATIVE]
Default value: OIDC_APP_TYPE_WEB
Determines the paradigm of the application
authMethodType string
Possible values: [OIDC_AUTH_METHOD_TYPE_BASIC, OIDC_AUTH_METHOD_TYPE_POST, OIDC_AUTH_METHOD_TYPE_NONE, OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT]
Default value: OIDC_AUTH_METHOD_TYPE_BASIC
Defines how the application passes login credentials
postLogoutRedirectUris string[]
ZITADEL will redirect to this link after a successful logout
version string
Possible values: [OIDC_VERSION_1_0]
Default value: OIDC_VERSION_1_0
devMode boolean
Used for development, some checks of the OIDC specification will not be checked.
accessTokenType string
Possible values: [OIDC_TOKEN_TYPE_BEARER, OIDC_TOKEN_TYPE_JWT]
Default value: OIDC_TOKEN_TYPE_BEARER
Type of the access token returned from ZITADEL
accessTokenRoleAssertion boolean
Adds roles to the claims of the access token (only if type == JWT) even if they are not requested by scopes
idTokenRoleAssertion boolean
Adds roles to the claims of the id token even if they are not requested by scopes
idTokenUserinfoAssertion boolean
Claims of profile, email, address and phone scopes are added to the id token even if an access token is issued. Attention this violates the OIDC specification
clockSkew string
Used to compensate time difference of servers. Duration added to the "exp" claim and subtracted from "iat", "auth_time" and "nbf" claims
additionalOrigins string[]
Additional origins (other than the redirect_uris) from where the API can be used
skipNativeAppSuccessPage boolean
Skip the successful login page on native apps and directly redirect the user to the callback.
]
humanUsers object[]
Array [
userId string
user object
userName string required
profile object required
Profile includes the basic information of a user, like first name, last name, etc.
firstName string required
Possible values: non-empty and <= 200 characters
lastName string required
Possible values: non-empty and <= 200 characters
nickName string
Possible values: <= 200 characters
displayName string
Possible values: <= 200 characters
preferredLanguage string
Possible values: <= 10 characters
gender string
Possible values: [GENDER_UNSPECIFIED, GENDER_FEMALE, GENDER_MALE, GENDER_DIVERSE]
Default value: GENDER_UNSPECIFIED
email object required
email string required
Object that contains the email address and a verified flag.
isEmailVerified boolean
If email verified is set to true, the email will be added as verified and the user doesn't have to verify.
phone object
Object that contains the number and a verified flag
phone string
Possible values: non-empty and <= 50 characters
mobile phone number of the user. (use global pattern of spec https://tools.ietf.org/html/rfc3966)
isPhoneVerified boolean
password string
hashedPassword object
Use this to import hashed passwords from another system.
value string
algorithm string
passwordChangeRequired boolean
If this is set to true, the user has to change the password on the next login.
requestPasswordlessRegistration boolean
If this is set to true, you will get a link for the passwordless/passkey registration in the response.
otpCode string
idps object[]
To link your user directly with an external identity provider (Identity brokering)
Array [
configId string
Possible values: non-empty and <= 200 characters
The internal ID of the identity provider configured in ZITADEL.
externalUserId string
Possible values: non-empty and <= 200 characters
The id of the user in the external identity provider
displayName string
Possible values: <= 200 characters
A display name ZITADEL can show on the linked provider.
]
]
machineUsers object[]
Array [
userId string
user object
userName string required
Possible values: non-empty and <= 200 characters
name string required
Possible values: non-empty and <= 200 characters
description string
Possible values: <= 500 characters
accessTokenType string
Possible values: [ACCESS_TOKEN_TYPE_BEARER, ACCESS_TOKEN_TYPE_JWT]
Default value: ACCESS_TOKEN_TYPE_BEARER
]
triggerActions object[]
Array [
flowType id of the flow type
At the moment you have to send the ID of the Flow Type: ExternalAuthentication=1, CustomiseToken=2, InternalAuthentication=3, PreUserinfoCreation=3
triggerType id of the trigger type
At the moment you have to send the ID of the Trigger Type: PostAuthentication=1, PreCreation=2, PostCreation=3, PreUserinfoCreation=4, PreAccessTokenCreation=5
actionIds string[]
]
actions object[]
Array [
actionId string
action object
name string required
Possible values: non-empty and <= 200 characters
script string required
Possible values: non-empty and <= 2000 characters
Javascript code that should be executed
timeout string
after which time the action will be terminated if not finished
allowedToFail boolean
when true, the next action will be called even if this action fails
]
projectGrants object[]
Array [
grantId string
projectGrant object
projectId string
grantedOrgId string
roleKeys string[]
]
userGrants object[]
Array [
userId string required
Possible values: non-empty
projectId string required
Possible values: non-empty and <= 200 characters
projectGrantId string
Possible values: <= 200 characters
Make sure to fill in the project grant id if the user grant is for a granted project and the organization is not the owner of the project.
roleKeys string[]
]
orgMembers object[]
Array [
userId string
roles string[]
If no roles are provided the user won't have any rights
]
projectMembers object[]
Array [
projectId string
userId string
roles string[]
If no roles are provided the user won't have any rights
]
projectGrantMembers object[]
Array [
projectId string
grantId string
userId string required
Possible values: non-empty and <= 200 characters
roles string[]
If no roles are provided the user won't have any rights
]
userMetadata object[]
Array [
id string
Possible values: non-empty and <= 200 characters
key string
Possible values: non-empty and <= 200 characters
value byte
Possible values: non-empty and <= 500000 characters
The value has to be base64 encoded.
]
loginTexts object[]
Array [
language string
selectAccountText object
title string
description string
titleLinkingProcess string
descriptionLinkingProcess string
otherUser string
sessionStateActive string
sessionStateInactive string
userMustBeMemberOfOrg string
loginText object
title string
description string
titleLinkingProcess string
descriptionLinkingProcess string
userMustBeMemberOfOrg string
loginNameLabel string
registerButtonText string
nextButtonText string
externalUserDescription string
userNamePlaceholder string
loginNamePlaceholder string
passwordText object
title string
description string
passwordLabel string
resetLinkText string
backButtonText string
nextButtonText string
minLength string
hasUppercase string
hasLowercase string
hasNumber string
hasSymbol string
confirmation string
usernameChangeText object
title string
description string
usernameLabel string
cancelButtonText string
nextButtonText string
usernameChangeDoneText object
title string
description string
nextButtonText string
initPasswordText object
title string
description string
codeLabel string
newPasswordLabel string
newPasswordConfirmLabel string
nextButtonText string
resendButtonText string
initPasswordDoneText object
title string
description string
nextButtonText string
cancelButtonText string
emailVerificationText object
title string
description string
codeLabel string
nextButtonText string
resendButtonText string
emailVerificationDoneText object
title string
description string
nextButtonText string
cancelButtonText string
loginButtonText string
initializeUserText object
title string
description string
codeLabel string
newPasswordLabel string
newPasswordConfirmLabel string
resendButtonText string
nextButtonText string
initializeDoneText object
title string
description string
cancelButtonText string
nextButtonText string
initMfaPromptText object
title string
description string
otpOption string
u2fOption string
skipButtonText string
nextButtonText string
initMfaOtpText object
title string
description string
descriptionOtp string
secretLabel string
codeLabel string
nextButtonText string
cancelButtonText string
initMfaU2fText object
title string
description string
tokenNameLabel string
notSupported string
registerTokenButtonText string
errorRetry string
initMfaDoneText object
title string
description string
cancelButtonText string
nextButtonText string
mfaProvidersText object
chooseOther string
otp string
u2f string
verifyMfaOtpText object
title string
description string
codeLabel string
nextButtonText string
verifyMfaU2fText object
title string
description string
validateTokenText string
notSupported string
errorRetry string
passwordlessText object
title string
description string
loginWithPwButtonText string
validateTokenButtonText string
notSupported string
errorRetry string
passwordChangeText object
title string
description string
oldPasswordLabel string
newPasswordLabel string
newPasswordConfirmLabel string
cancelButtonText string
nextButtonText string
passwordChangeDoneText object
title string
description string
nextButtonText string
passwordResetDoneText object
title string
description string
nextButtonText string
registrationOptionText object
title string
description string
userNameButtonText string
externalLoginDescription string
loginButtonText string
registrationUserText object
title string
description string
descriptionOrgRegister string
firstnameLabel string
lastnameLabel string
emailLabel string
usernameLabel string
languageLabel string
genderLabel string
passwordLabel string
passwordConfirmLabel string
tosAndPrivacyLabel string
tosConfirm string
tosLinkText string
privacyConfirm string
privacyLinkText string
nextButtonText string
backButtonText string
registrationOrgText object
title string
description string
orgnameLabel string
firstnameLabel string
lastnameLabel string
usernameLabel string
emailLabel string
passwordLabel string
passwordConfirmLabel string
tosAndPrivacyLabel string
tosConfirm string
tosLinkText string
privacyConfirm string
privacyLinkText string
saveButtonText string
linkingUserDoneText object
title string
description string
cancelButtonText string
nextButtonText string
externalUserNotFoundText object
title string
description string
linkButtonText string
autoRegisterButtonText string
tosAndPrivacyLabel string
tosConfirm string
tosLinkText string
privacyLinkText string
privacyConfirm string
successLoginText object
title string
autoRedirectDescription Text to describe that auto-redirect should happen after successful login
redirectedDescription Text to describe that the window can be closed after redirect
nextButtonText string
logoutText object
title string
description string
loginButtonText string
footerText object
tos string
privacyPolicy string
help string
supportEmail string
passwordlessPromptText object
title string
description string
descriptionInit string
passwordlessButtonText string
nextButtonText string
skipButtonText string
passwordlessRegistrationText object
title string
description string
tokenNameLabel string
notSupported string
registerTokenButtonText string
errorRetry string
passwordlessRegistrationDoneText object
title string
description string
nextButtonText string
cancelButtonText string
descriptionClose string
externalRegistrationUserOverviewText object
title string
description string
emailLabel string
usernameLabel string
firstnameLabel string
lastnameLabel string
nicknameLabel string
languageLabel string
phoneLabel string
tosAndPrivacyLabel string
tosConfirm string
tosLinkText string
privacyLinkText string
backButtonText string
nextButtonText string
privacyConfirm string
]
initMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
passwordResetMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
verifyEmailMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
verifyPhoneMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
domainClaimedMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
passwordlessRegistrationMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
oidcIdps object[]
Array [
idpId string
idp object
name string required
Possible values: non-empty and <= 200 characters
stylingType string
Possible values: [STYLING_TYPE_UNSPECIFIED, STYLING_TYPE_GOOGLE]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
clientId string required
Possible values: non-empty and <= 200 characters
client id generated by the identity provider
clientSecret string required
Possible values: non-empty and <= 200 characters
client secret generated by the identity provider
issuer string required
the OIDC issuer of the identity provider
scopes string[]
the scopes requested by ZITADEL during the request on the identity provider
displayNameMapping string
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED, OIDC_MAPPING_FIELD_PREFERRED_USERNAME, OIDC_MAPPING_FIELD_EMAIL]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the display name of the user
usernameMapping string
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED, OIDC_MAPPING_FIELD_PREFERRED_USERNAME, OIDC_MAPPING_FIELD_EMAIL]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the email of the user
autoRegister boolean
]
jwtIdps object[]
Array [
idpId string
idp object
name string required
Possible values: non-empty and <= 200 characters
stylingType string
Possible values: [STYLING_TYPE_UNSPECIFIED, STYLING_TYPE_GOOGLE]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
jwtEndpoint string required
Possible values: non-empty and <= 200 characters
the endpoint where the JWT can be extracted
issuer string required
Possible values: non-empty and <= 200 characters
the issuer of the JWT (for validation)
keysEndpoint string required
Possible values: non-empty and <= 200 characters
the endpoint to the key (JWK) which is used to sign the JWT with
headerName string required
Possible values: non-empty and <= 200 characters
the name of the header where the JWT is sent in, default is authorization
autoRegister boolean
]
userLinks object[]
Array [
userId string
the id of the user
idpId string
the id of the identity provider
idpName string
the name of the identity provider
providedUserId string
the id of the user provided by the identity provider
providedUserName string
the id of the identity provider
idpType authorization framework of the identity provider
Possible values: [IDP_TYPE_UNSPECIFIED, IDP_TYPE_OIDC, IDP_TYPE_JWT]
Default value: IDP_TYPE_UNSPECIFIED
the authorization framework of the identity provider
]
domains object[]
Array [
orgId string
details object
sequence uint64
on read: the sequence of the last event reduced by the projection

on manipulation: the timestamp of the event(s) added by the manipulation
creationDate date-time
on read: the timestamp of the first event of the object

on create: the timestamp of the event(s) added by the manipulation
changeDate date-time
on read: the timestamp of the last event reduced by the projection

on manipulation: the
resourceOwner resource_owner is the organization an object belongs to
domainName string
isVerified boolean
defines if the domain is verified
isPrimary boolean
defines if the domain is the primary domain
validationType string
Possible values: [DOMAIN_VALIDATION_TYPE_UNSPECIFIED, DOMAIN_VALIDATION_TYPE_HTTP, DOMAIN_VALIDATION_TYPE_DNS]
Default value: DOMAIN_VALIDATION_TYPE_UNSPECIFIED
defines the protocol the domain was validated with
]
appKeys object[]
Array [
id string
projectId string
appId string
clientId string
type string
Possible values: [KEY_TYPE_UNSPECIFIED, KEY_TYPE_JSON]
Default value: KEY_TYPE_UNSPECIFIED
expirationDate date-time
publicKey byte
]
machineKeys object[]
Array [
keyId string
userId string
type string
Possible values: [KEY_TYPE_UNSPECIFIED, KEY_TYPE_JSON]
Default value: KEY_TYPE_UNSPECIFIED
expirationDate date-time
publicKey byte
]
]
dataOrgsv1 object
orgs object[]
Array [
orgId string
org object
name string required
Possible values: non-empty and <= 200 characters
iamPolicy object
orgId string required
Possible values: non-empty and <= 200 characters
userLoginMustBeDomain the username has to end with the domain of its organization (uniqueness is organization based)
the username has to end with the domain of its organization
labelPolicy object
primaryColor string
Possible values: <= 50 characters
Represents a color scheme
hideLoginNameSuffix hides the org suffix on the login form if the scope \"urn:zitadel:iam:org:domain:primary:{domainname}\" is set
hides the org suffix on the login form if the scope "urn:zitadel:iam:org:domain:primary:{domainname}" is set
warnColor string
Possible values: <= 50 characters
hex value for warn color
backgroundColor string
Possible values: <= 50 characters
hex value for background color
fontColor string
Possible values: <= 50 characters
hex value for font color
primaryColorDark string
Possible values: <= 50 characters
hex value for the primary color dark theme
backgroundColorDark string
Possible values: <= 50 characters
hex value for background color dark theme
warnColorDark string
Possible values: <= 50 characters
hex value for warning color dark theme
fontColorDark string
Possible values: <= 50 characters
hex value for font color dark theme
disableWatermark boolean
lockoutPolicy object
maxPasswordAttempts int64
When the user has reached the maximum password attempts the account will be locked, If this is set to 0 the lockout will not trigger.
loginPolicy object
allowUsernamePassword boolean
allowRegister boolean
allowExternalIdp boolean
forceMfa boolean
passwordlessType - PASSWORDLESS_TYPE_ALLOWED: PLANNED: PASSWORDLESS_TYPE_WITH_CERT
Possible values: [PASSWORDLESS_TYPE_NOT_ALLOWED, PASSWORDLESS_TYPE_ALLOWED]
Default value: PASSWORDLESS_TYPE_NOT_ALLOWED
hidePasswordReset boolean
ignoreUnknownUsernames boolean
defines if unknown username on login screen directly returns an error or always displays the password screen
defaultRedirectUri string
defines where the user will be redirected to if the login is started without app context (e.g. from mail)
passwordCheckLifetime string
externalLoginCheckLifetime string
mfaInitSkipLifetime string
secondFactorCheckLifetime string
multiFactorCheckLifetime string
secondFactors string[]
Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED, SECOND_FACTOR_TYPE_OTP, SECOND_FACTOR_TYPE_U2F]
multiFactors string[]
Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION]
idps object[]
Array [
idpId string
ownerType string
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED, IDP_OWNER_TYPE_SYSTEM, IDP_OWNER_TYPE_ORG]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.

IDP_OWNER_TYPE_SYSTEM: system is managed by the ZITADEL administrators

IDP_OWNER_TYPE_ORG: org is managed by de organization administrators

]
allowDomainDiscovery boolean
If set to true, the suffix (@domain.com) of an unknown username input on the login screen will be matched against the org domains and will redirect to the registration of that organization on success.
disableLoginWithEmail boolean
defines if the user can additionally (to the login name) be identified by their verified email address
disableLoginWithPhone boolean
defines if the user can additionally (to the login name) be identified by their verified phone number
passwordComplexityPolicy object
minLength uint64
hasUppercase boolean
Defines if the password MUST contain an upper case letter
hasLowercase boolean
Defines if the password MUST contain a lowercase letter
hasNumber boolean
Defines if the password MUST contain a number
hasSymbol boolean
Defines if the password MUST contain a symbol. E.g. "$"
privacyPolicy object
tosLink string
If registration is enabled, the user has to accept the TOS. Variable {{.Lang}} can be set to have different links based on the language.
privacyLink string
If registration is enabled, the user has to accept the privacy terms. Variable {{.Lang}} can be set to have different links based on the language.
helpLink string
Variable {{.Lang}} can be set to have different links based on the language.
supportEmail string
help / support email address.
projects object[]
Array [
projectId string
project object
name string required
Possible values: non-empty and <= 200 characters
projectRoleAssertion boolean
Enable this setting to have role information included in the user info endpoint. It is also dependent on your application settings to include it in tokens and other types.
projectRoleCheck boolean
When enabled ZITADEL will check if a user has a role of this project assigned when login into an application of this project.
hasProjectCheck boolean
When enabled ZITADEL will check if the organization of the user, that is trying to log in, has a grant to this project.
privateLabelingSetting string
Possible values: [PRIVATE_LABELING_SETTING_UNSPECIFIED, PRIVATE_LABELING_SETTING_ENFORCE_PROJECT_RESOURCE_OWNER_POLICY, PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY]
Default value: PRIVATE_LABELING_SETTING_UNSPECIFIED
Define which private labeling/branding should trigger when getting to a login of this project.
]
projectRoles object[]
Array [
projectId string
roleKey string required
Possible values: non-empty and <= 200 characters
The key is the only relevant attribute for ZITADEL regarding the authorization checks.
displayName string required
Possible values: non-empty and <= 200 characters
group string
Possible values: <= 200 characters
The group is only used for display purposes. That you have better handling, like giving all the roles from a group to a user.
]
apiApps object[]
Array [
appId string
app object
projectId string
name string required
Possible values: non-empty and <= 200 characters
authMethodType string
Possible values: [API_AUTH_METHOD_TYPE_BASIC, API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT]
Default value: API_AUTH_METHOD_TYPE_BASIC
]
oidcApps object[]
Array [
appId string
app object
projectId string
name string required
Possible values: non-empty and <= 200 characters
redirectUris string[]
Callback URI of the authorization request where the code or tokens will be sent to
responseTypes string[]
Possible values: [OIDC_RESPONSE_TYPE_CODE, OIDC_RESPONSE_TYPE_ID_TOKEN, OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN]
Determines whether a code, id_token token or just id_token will be returned
grantTypes string[]
Possible values: [OIDC_GRANT_TYPE_AUTHORIZATION_CODE, OIDC_GRANT_TYPE_IMPLICIT, OIDC_GRANT_TYPE_REFRESH_TOKEN, OIDC_GRANT_TYPE_DEVICE_CODE]
The flow type the application uses to gain access
appType string
Possible values: [OIDC_APP_TYPE_WEB, OIDC_APP_TYPE_USER_AGENT, OIDC_APP_TYPE_NATIVE]
Default value: OIDC_APP_TYPE_WEB
Determines the paradigm of the application
authMethodType string
Possible values: [OIDC_AUTH_METHOD_TYPE_BASIC, OIDC_AUTH_METHOD_TYPE_POST, OIDC_AUTH_METHOD_TYPE_NONE, OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT]
Default value: OIDC_AUTH_METHOD_TYPE_BASIC
Defines how the application passes login credentials
postLogoutRedirectUris string[]
ZITADEL will redirect to this link after a successful logout
version string
Possible values: [OIDC_VERSION_1_0]
Default value: OIDC_VERSION_1_0
devMode boolean
Used for development, some checks of the OIDC specification will not be checked.
accessTokenType string
Possible values: [OIDC_TOKEN_TYPE_BEARER, OIDC_TOKEN_TYPE_JWT]
Default value: OIDC_TOKEN_TYPE_BEARER
Type of the access token returned from ZITADEL
accessTokenRoleAssertion boolean
Adds roles to the claims of the access token (only if type == JWT) even if they are not requested by scopes
idTokenRoleAssertion boolean
Adds roles to the claims of the id token even if they are not requested by scopes
idTokenUserinfoAssertion boolean
Claims of profile, email, address and phone scopes are added to the id token even if an access token is issued. Attention this violates the OIDC specification
clockSkew string
Used to compensate time difference of servers. Duration added to the "exp" claim and subtracted from "iat", "auth_time" and "nbf" claims
additionalOrigins string[]
Additional origins (other than the redirect_uris) from where the API can be used
skipNativeAppSuccessPage boolean
Skip the successful login page on native apps and directly redirect the user to the callback.
]
humanUsers object[]
Array [
userId string
user object
userName string required
profile object required
Profile includes the basic information of a user, like first name, last name, etc.
firstName string required
Possible values: non-empty and <= 200 characters
lastName string required
Possible values: non-empty and <= 200 characters
nickName string
Possible values: <= 200 characters
displayName string
Possible values: <= 200 characters
preferredLanguage string
Possible values: <= 10 characters
gender string
Possible values: [GENDER_UNSPECIFIED, GENDER_FEMALE, GENDER_MALE, GENDER_DIVERSE]
Default value: GENDER_UNSPECIFIED
email object required
email string required
Object that contains the email address and a verified flag.
isEmailVerified boolean
If email verified is set to true, the email will be added as verified and the user doesn't have to verify.
phone object
Object that contains the number and a verified flag
phone string
Possible values: non-empty and <= 50 characters
mobile phone number of the user. (use global pattern of spec https://tools.ietf.org/html/rfc3966)
isPhoneVerified boolean
password string
hashedPassword object
Use this to import hashed passwords from another system.
value string
algorithm string
passwordChangeRequired boolean
If this is set to true, the user has to change the password on the next login.
requestPasswordlessRegistration boolean
If this is set to true, you will get a link for the passwordless/passkey registration in the response.
otpCode string
idps object[]
To link your user directly with an external identity provider (Identity brokering)
Array [
configId string
Possible values: non-empty and <= 200 characters
The internal ID of the identity provider configured in ZITADEL.
externalUserId string
Possible values: non-empty and <= 200 characters
The id of the user in the external identity provider
displayName string
Possible values: <= 200 characters
A display name ZITADEL can show on the linked provider.
]
]
machineUsers object[]
Array [
userId string
user object
userName string required
Possible values: non-empty and <= 200 characters
name string required
Possible values: non-empty and <= 200 characters
description string
Possible values: <= 500 characters
accessTokenType string
Possible values: [ACCESS_TOKEN_TYPE_BEARER, ACCESS_TOKEN_TYPE_JWT]
Default value: ACCESS_TOKEN_TYPE_BEARER
]
triggerActions object[]
Array [
flowType string
Possible values: [FLOW_TYPE_UNSPECIFIED, FLOW_TYPE_EXTERNAL_AUTHENTICATION]
Default value: FLOW_TYPE_UNSPECIFIED
triggerType string
Possible values: [TRIGGER_TYPE_UNSPECIFIED, TRIGGER_TYPE_POST_AUTHENTICATION, TRIGGER_TYPE_PRE_CREATION, TRIGGER_TYPE_POST_CREATION]
Default value: TRIGGER_TYPE_UNSPECIFIED
actionIds string[]
]
actions object[]
Array [
actionId string
action object
name string required
Possible values: non-empty and <= 200 characters
script string required
Possible values: non-empty and <= 2000 characters
Javascript code that should be executed
timeout string
after which time the action will be terminated if not finished
allowedToFail boolean
when true, the next action will be called even if this action fails
]
projectGrants object[]
Array [
grantId string
projectGrant object
projectId string
grantedOrgId string
roleKeys string[]
]
userGrants object[]
Array [
userId string required
Possible values: non-empty
projectId string required
Possible values: non-empty and <= 200 characters
projectGrantId string
Possible values: <= 200 characters
Make sure to fill in the project grant id if the user grant is for a granted project and the organization is not the owner of the project.
roleKeys string[]
]
orgMembers object[]
Array [
userId string
roles string[]
If no roles are provided the user won't have any rights
]
projectMembers object[]
Array [
projectId string
userId string
roles string[]
If no roles are provided the user won't have any rights
]
projectGrantMembers object[]
Array [
projectId string
grantId string
userId string required
Possible values: non-empty and <= 200 characters
roles string[]
If no roles are provided the user won't have any rights
]
userMetadata object[]
Array [
id string
Possible values: non-empty and <= 200 characters
key string
Possible values: non-empty and <= 200 characters
value byte
Possible values: non-empty and <= 500000 characters
The value has to be base64 encoded.
]
loginTexts object[]
Array [
language string
selectAccountText object
title string
description string
titleLinkingProcess string
descriptionLinkingProcess string
otherUser string
sessionStateActive string
sessionStateInactive string
userMustBeMemberOfOrg string
loginText object
title string
description string
titleLinkingProcess string
descriptionLinkingProcess string
userMustBeMemberOfOrg string
loginNameLabel string
registerButtonText string
nextButtonText string
externalUserDescription string
userNamePlaceholder string
loginNamePlaceholder string
passwordText object
title string
description string
passwordLabel string
resetLinkText string
backButtonText string
nextButtonText string
minLength string
hasUppercase string
hasLowercase string
hasNumber string
hasSymbol string
confirmation string
usernameChangeText object
title string
description string
usernameLabel string
cancelButtonText string
nextButtonText string
usernameChangeDoneText object
title string
description string
nextButtonText string
initPasswordText object
title string
description string
codeLabel string
newPasswordLabel string
newPasswordConfirmLabel string
nextButtonText string
resendButtonText string
initPasswordDoneText object
title string
description string
nextButtonText string
cancelButtonText string
emailVerificationText object
title string
description string
codeLabel string
nextButtonText string
resendButtonText string
emailVerificationDoneText object
title string
description string
nextButtonText string
cancelButtonText string
loginButtonText string
initializeUserText object
title string
description string
codeLabel string
newPasswordLabel string
newPasswordConfirmLabel string
resendButtonText string
nextButtonText string
initializeDoneText object
title string
description string
cancelButtonText string
nextButtonText string
initMfaPromptText object
title string
description string
otpOption string
u2fOption string
skipButtonText string
nextButtonText string
initMfaOtpText object
title string
description string
descriptionOtp string
secretLabel string
codeLabel string
nextButtonText string
cancelButtonText string
initMfaU2fText object
title string
description string
tokenNameLabel string
notSupported string
registerTokenButtonText string
errorRetry string
initMfaDoneText object
title string
description string
cancelButtonText string
nextButtonText string
mfaProvidersText object
chooseOther string
otp string
u2f string
verifyMfaOtpText object
title string
description string
codeLabel string
nextButtonText string
verifyMfaU2fText object
title string
description string
validateTokenText string
notSupported string
errorRetry string
passwordlessText object
title string
description string
loginWithPwButtonText string
validateTokenButtonText string
notSupported string
errorRetry string
passwordChangeText object
title string
description string
oldPasswordLabel string
newPasswordLabel string
newPasswordConfirmLabel string
cancelButtonText string
nextButtonText string
passwordChangeDoneText object
title string
description string
nextButtonText string
passwordResetDoneText object
title string
description string
nextButtonText string
registrationOptionText object
title string
description string
userNameButtonText string
externalLoginDescription string
loginButtonText string
registrationUserText object
title string
description string
descriptionOrgRegister string
firstnameLabel string
lastnameLabel string
emailLabel string
usernameLabel string
languageLabel string
genderLabel string
passwordLabel string
passwordConfirmLabel string
tosAndPrivacyLabel string
tosConfirm string
tosLinkText string
privacyConfirm string
privacyLinkText string
nextButtonText string
backButtonText string
registrationOrgText object
title string
description string
orgnameLabel string
firstnameLabel string
lastnameLabel string
usernameLabel string
emailLabel string
passwordLabel string
passwordConfirmLabel string
tosAndPrivacyLabel string
tosConfirm string
tosLinkText string
privacyConfirm string
privacyLinkText string
saveButtonText string
linkingUserDoneText object
title string
description string
cancelButtonText string
nextButtonText string
externalUserNotFoundText object
title string
description string
linkButtonText string
autoRegisterButtonText string
tosAndPrivacyLabel string
tosConfirm string
tosLinkText string
privacyLinkText string
privacyConfirm string
successLoginText object
title string
autoRedirectDescription Text to describe that auto-redirect should happen after successful login
redirectedDescription Text to describe that the window can be closed after redirect
nextButtonText string
logoutText object
title string
description string
loginButtonText string
footerText object
tos string
privacyPolicy string
help string
supportEmail string
passwordlessPromptText object
title string
description string
descriptionInit string
passwordlessButtonText string
nextButtonText string
skipButtonText string
passwordlessRegistrationText object
title string
description string
tokenNameLabel string
notSupported string
registerTokenButtonText string
errorRetry string
passwordlessRegistrationDoneText object
title string
description string
nextButtonText string
cancelButtonText string
descriptionClose string
externalRegistrationUserOverviewText object
title string
description string
emailLabel string
usernameLabel string
firstnameLabel string
lastnameLabel string
nicknameLabel string
languageLabel string
phoneLabel string
tosAndPrivacyLabel string
tosConfirm string
tosLinkText string
privacyLinkText string
backButtonText string
nextButtonText string
privacyConfirm string
]
initMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
passwordResetMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
verifyEmailMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
verifyPhoneMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
domainClaimedMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
passwordlessRegistrationMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
oidcIdps object[]
Array [
idpId string
idp object
name string required
Possible values: non-empty and <= 200 characters
stylingType string
Possible values: [STYLING_TYPE_UNSPECIFIED, STYLING_TYPE_GOOGLE]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
clientId string required
Possible values: non-empty and <= 200 characters
client id generated by the identity provider
clientSecret string required
Possible values: non-empty and <= 200 characters
client secret generated by the identity provider
issuer string required
the OIDC issuer of the identity provider
scopes string[]
the scopes requested by ZITADEL during the request on the identity provider
displayNameMapping string
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED, OIDC_MAPPING_FIELD_PREFERRED_USERNAME, OIDC_MAPPING_FIELD_EMAIL]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the display name of the user
usernameMapping string
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED, OIDC_MAPPING_FIELD_PREFERRED_USERNAME, OIDC_MAPPING_FIELD_EMAIL]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the email of the user
autoRegister boolean
]
jwtIdps object[]
Array [
idpId string
idp object
name string required
Possible values: non-empty and <= 200 characters
stylingType string
Possible values: [STYLING_TYPE_UNSPECIFIED, STYLING_TYPE_GOOGLE]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
jwtEndpoint string required
Possible values: non-empty and <= 200 characters
the endpoint where the JWT can be extracted
issuer string required
Possible values: non-empty and <= 200 characters
the issuer of the JWT (for validation)
keysEndpoint string required
Possible values: non-empty and <= 200 characters
the endpoint to the key (JWK) which is used to sign the JWT with
headerName string required
Possible values: non-empty and <= 200 characters
the name of the header where the JWT is sent in, default is authorization
autoRegister boolean
]
secondFactors object[]
Array [
type string
Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED, SECOND_FACTOR_TYPE_OTP, SECOND_FACTOR_TYPE_U2F]
Default value: SECOND_FACTOR_TYPE_UNSPECIFIED
]
multiFactors object[]
Array [
type string
Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION]
Default value: MULTI_FACTOR_TYPE_UNSPECIFIED
]
idps object[]
Array [
idpId string
ownerType string
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED, IDP_OWNER_TYPE_SYSTEM, IDP_OWNER_TYPE_ORG]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.

IDP_OWNER_TYPE_SYSTEM: system is managed by the ZITADEL administrators

IDP_OWNER_TYPE_ORG: org is managed by de organization administrators

]
userLinks object[]
Array [
userId string
the id of the user
idpId string
the id of the identity provider
idpName string
the name of the identity provider
providedUserId string
the id of the user provided by the identity provider
providedUserName string
the id of the identity provider
idpType authorization framework of the identity provider
Possible values: [IDP_TYPE_UNSPECIFIED, IDP_TYPE_OIDC, IDP_TYPE_JWT]
Default value: IDP_TYPE_UNSPECIFIED
the authorization framework of the identity provider
]
domains object[]
Array [
orgId string
details object
sequence uint64
on read: the sequence of the last event reduced by the projection

on manipulation: the timestamp of the event(s) added by the manipulation
creationDate date-time
on read: the timestamp of the first event of the object

on create: the timestamp of the event(s) added by the manipulation
changeDate date-time
on read: the timestamp of the last event reduced by the projection

on manipulation: the
resourceOwner resource_owner is the organization an object belongs to
domainName string
isVerified boolean
defines if the domain is verified
isPrimary boolean
defines if the domain is the primary domain
validationType string
Possible values: [DOMAIN_VALIDATION_TYPE_UNSPECIFIED, DOMAIN_VALIDATION_TYPE_HTTP, DOMAIN_VALIDATION_TYPE_DNS]
Default value: DOMAIN_VALIDATION_TYPE_UNSPECIFIED
defines the protocol the domain was validated with
]
appKeys object[]
Array [
id string
projectId string
appId string
clientId string
type string
Possible values: [KEY_TYPE_UNSPECIFIED, KEY_TYPE_JSON]
Default value: KEY_TYPE_UNSPECIFIED
expirationDate date-time
publicKey byte
]
machineKeys object[]
Array [
keyId string
userId string
type string
Possible values: [KEY_TYPE_UNSPECIFIED, KEY_TYPE_JSON]
Default value: KEY_TYPE_UNSPECIFIED
expirationDate date-time
publicKey byte
]
]
dataOrgsLocal object
path string
dataOrgsv1Local object
path string
dataOrgsS3 object
path string
endpoint string
accessKeyId string
secretAccessKey string
ssl boolean
bucket string
dataOrgsv1S3 object
path string
endpoint string
accessKeyId string
secretAccessKey string
ssl boolean
bucket string
dataOrgsGcs object
bucket string
serviceaccountJson string
path string
dataOrgsv1Gcs object
bucket string
serviceaccountJson string
path string
timeout string

Request Body required

dataOrgs object
orgs object[]
Array [
orgId string
org object
name string required
Possible values: non-empty and <= 200 characters
domainPolicy object
orgId string required
Possible values: non-empty and <= 200 characters
userLoginMustBeDomain the username has to end with the domain of its organization (uniqueness is organization based)
the username has to end with the domain of its organization
validateOrgDomains boolean
defines if organization domains should be validated org count as validated automatically
smtpSenderAddressMatchesInstanceDomain boolean
defines if the SMTP sender address domain should match an existing domain on the instance
labelPolicy object
primaryColor string
Possible values: <= 50 characters
Represents a color scheme
hideLoginNameSuffix hides the org suffix on the login form if the scope \"urn:zitadel:iam:org:domain:primary:{domainname}\" is set
hides the org suffix on the login form if the scope "urn:zitadel:iam:org:domain:primary:{domainname}" is set
warnColor string
Possible values: <= 50 characters
hex value for warn color
backgroundColor string
Possible values: <= 50 characters
hex value for background color
fontColor string
Possible values: <= 50 characters
hex value for font color
primaryColorDark string
Possible values: <= 50 characters
hex value for the primary color dark theme
backgroundColorDark string
Possible values: <= 50 characters
hex value for background color dark theme
warnColorDark string
Possible values: <= 50 characters
hex value for warning color dark theme
fontColorDark string
Possible values: <= 50 characters
hex value for font color dark theme
disableWatermark boolean
lockoutPolicy object
maxPasswordAttempts int64
When the user has reached the maximum password attempts the account will be locked, If this is set to 0 the lockout will not trigger.
loginPolicy object
allowUsernamePassword boolean
allowRegister boolean
allowExternalIdp boolean
forceMfa boolean
passwordlessType - PASSWORDLESS_TYPE_ALLOWED: PLANNED: PASSWORDLESS_TYPE_WITH_CERT
Possible values: [PASSWORDLESS_TYPE_NOT_ALLOWED, PASSWORDLESS_TYPE_ALLOWED]
Default value: PASSWORDLESS_TYPE_NOT_ALLOWED
hidePasswordReset boolean
ignoreUnknownUsernames boolean
defines if unknown username on login screen directly returns an error or always displays the password screen
defaultRedirectUri string
defines where the user will be redirected to if the login is started without app context (e.g. from mail)
passwordCheckLifetime string
externalLoginCheckLifetime string
mfaInitSkipLifetime string
secondFactorCheckLifetime string
multiFactorCheckLifetime string
secondFactors string[]
Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED, SECOND_FACTOR_TYPE_OTP, SECOND_FACTOR_TYPE_U2F]
multiFactors string[]
Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION]
idps object[]
Array [
idpId string
ownerType string
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED, IDP_OWNER_TYPE_SYSTEM, IDP_OWNER_TYPE_ORG]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.

IDP_OWNER_TYPE_SYSTEM: system is managed by the ZITADEL administrators

IDP_OWNER_TYPE_ORG: org is managed by de organization administrators

]
allowDomainDiscovery boolean
If set to true, the suffix (@domain.com) of an unknown username input on the login screen will be matched against the org domains and will redirect to the registration of that organization on success.
disableLoginWithEmail boolean
defines if the user can additionally (to the login name) be identified by their verified email address
disableLoginWithPhone boolean
defines if the user can additionally (to the login name) be identified by their verified phone number
passwordComplexityPolicy object
minLength uint64
hasUppercase boolean
Defines if the password MUST contain an upper case letter
hasLowercase boolean
Defines if the password MUST contain a lowercase letter
hasNumber boolean
Defines if the password MUST contain a number
hasSymbol boolean
Defines if the password MUST contain a symbol. E.g. "$"
privacyPolicy object
tosLink string
If registration is enabled, the user has to accept the TOS. Variable {{.Lang}} can be set to have different links based on the language.
privacyLink string
If registration is enabled, the user has to accept the privacy terms. Variable {{.Lang}} can be set to have different links based on the language.
helpLink string
Variable {{.Lang}} can be set to have different links based on the language.
supportEmail string
help / support email address.
projects object[]
Array [
projectId string
project object
name string required
Possible values: non-empty and <= 200 characters
projectRoleAssertion boolean
Enable this setting to have role information included in the user info endpoint. It is also dependent on your application settings to include it in tokens and other types.
projectRoleCheck boolean
When enabled ZITADEL will check if a user has a role of this project assigned when login into an application of this project.
hasProjectCheck boolean
When enabled ZITADEL will check if the organization of the user, that is trying to log in, has a grant to this project.
privateLabelingSetting string
Possible values: [PRIVATE_LABELING_SETTING_UNSPECIFIED, PRIVATE_LABELING_SETTING_ENFORCE_PROJECT_RESOURCE_OWNER_POLICY, PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY]
Default value: PRIVATE_LABELING_SETTING_UNSPECIFIED
Define which private labeling/branding should trigger when getting to a login of this project.
]
projectRoles object[]
Array [
projectId string
roleKey string required
Possible values: non-empty and <= 200 characters
The key is the only relevant attribute for ZITADEL regarding the authorization checks.
displayName string required
Possible values: non-empty and <= 200 characters
group string
Possible values: <= 200 characters
The group is only used for display purposes. That you have better handling, like giving all the roles from a group to a user.
]
apiApps object[]
Array [
appId string
app object
projectId string
name string required
Possible values: non-empty and <= 200 characters
authMethodType string
Possible values: [API_AUTH_METHOD_TYPE_BASIC, API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT]
Default value: API_AUTH_METHOD_TYPE_BASIC
]
oidcApps object[]
Array [
appId string
app object
projectId string
name string required
Possible values: non-empty and <= 200 characters
redirectUris string[]
Callback URI of the authorization request where the code or tokens will be sent to
responseTypes string[]
Possible values: [OIDC_RESPONSE_TYPE_CODE, OIDC_RESPONSE_TYPE_ID_TOKEN, OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN]
Determines whether a code, id_token token or just id_token will be returned
grantTypes string[]
Possible values: [OIDC_GRANT_TYPE_AUTHORIZATION_CODE, OIDC_GRANT_TYPE_IMPLICIT, OIDC_GRANT_TYPE_REFRESH_TOKEN, OIDC_GRANT_TYPE_DEVICE_CODE]
The flow type the application uses to gain access
appType string
Possible values: [OIDC_APP_TYPE_WEB, OIDC_APP_TYPE_USER_AGENT, OIDC_APP_TYPE_NATIVE]
Default value: OIDC_APP_TYPE_WEB
Determines the paradigm of the application
authMethodType string
Possible values: [OIDC_AUTH_METHOD_TYPE_BASIC, OIDC_AUTH_METHOD_TYPE_POST, OIDC_AUTH_METHOD_TYPE_NONE, OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT]
Default value: OIDC_AUTH_METHOD_TYPE_BASIC
Defines how the application passes login credentials
postLogoutRedirectUris string[]
ZITADEL will redirect to this link after a successful logout
version string
Possible values: [OIDC_VERSION_1_0]
Default value: OIDC_VERSION_1_0
devMode boolean
Used for development, some checks of the OIDC specification will not be checked.
accessTokenType string
Possible values: [OIDC_TOKEN_TYPE_BEARER, OIDC_TOKEN_TYPE_JWT]
Default value: OIDC_TOKEN_TYPE_BEARER
Type of the access token returned from ZITADEL
accessTokenRoleAssertion boolean
Adds roles to the claims of the access token (only if type == JWT) even if they are not requested by scopes
idTokenRoleAssertion boolean
Adds roles to the claims of the id token even if they are not requested by scopes
idTokenUserinfoAssertion boolean
Claims of profile, email, address and phone scopes are added to the id token even if an access token is issued. Attention this violates the OIDC specification
clockSkew string
Used to compensate time difference of servers. Duration added to the "exp" claim and subtracted from "iat", "auth_time" and "nbf" claims
additionalOrigins string[]
Additional origins (other than the redirect_uris) from where the API can be used
skipNativeAppSuccessPage boolean
Skip the successful login page on native apps and directly redirect the user to the callback.
]
humanUsers object[]
Array [
userId string
user object
userName string required
profile object required
Profile includes the basic information of a user, like first name, last name, etc.
firstName string required
Possible values: non-empty and <= 200 characters
lastName string required
Possible values: non-empty and <= 200 characters
nickName string
Possible values: <= 200 characters
displayName string
Possible values: <= 200 characters
preferredLanguage string
Possible values: <= 10 characters
gender string
Possible values: [GENDER_UNSPECIFIED, GENDER_FEMALE, GENDER_MALE, GENDER_DIVERSE]
Default value: GENDER_UNSPECIFIED
email object required
email string required
Object that contains the email address and a verified flag.
isEmailVerified boolean
If email verified is set to true, the email will be added as verified and the user doesn't have to verify.
phone object
Object that contains the number and a verified flag
phone string
Possible values: non-empty and <= 50 characters
mobile phone number of the user. (use global pattern of spec https://tools.ietf.org/html/rfc3966)
isPhoneVerified boolean
password string
hashedPassword object
Use this to import hashed passwords from another system.
value string
algorithm string
passwordChangeRequired boolean
If this is set to true, the user has to change the password on the next login.
requestPasswordlessRegistration boolean
If this is set to true, you will get a link for the passwordless/passkey registration in the response.
otpCode string
idps object[]
To link your user directly with an external identity provider (Identity brokering)
Array [
configId string
Possible values: non-empty and <= 200 characters
The internal ID of the identity provider configured in ZITADEL.
externalUserId string
Possible values: non-empty and <= 200 characters
The id of the user in the external identity provider
displayName string
Possible values: <= 200 characters
A display name ZITADEL can show on the linked provider.
]
]
machineUsers object[]
Array [
userId string
user object
userName string required
Possible values: non-empty and <= 200 characters
name string required
Possible values: non-empty and <= 200 characters
description string
Possible values: <= 500 characters
accessTokenType string
Possible values: [ACCESS_TOKEN_TYPE_BEARER, ACCESS_TOKEN_TYPE_JWT]
Default value: ACCESS_TOKEN_TYPE_BEARER
]
triggerActions object[]
Array [
flowType id of the flow type
At the moment you have to send the ID of the Flow Type: ExternalAuthentication=1, CustomiseToken=2, InternalAuthentication=3, PreUserinfoCreation=3
triggerType id of the trigger type
At the moment you have to send the ID of the Trigger Type: PostAuthentication=1, PreCreation=2, PostCreation=3, PreUserinfoCreation=4, PreAccessTokenCreation=5
actionIds string[]
]
actions object[]
Array [
actionId string
action object
name string required
Possible values: non-empty and <= 200 characters
script string required
Possible values: non-empty and <= 2000 characters
Javascript code that should be executed
timeout string
after which time the action will be terminated if not finished
allowedToFail boolean
when true, the next action will be called even if this action fails
]
projectGrants object[]
Array [
grantId string
projectGrant object
projectId string
grantedOrgId string
roleKeys string[]
]
userGrants object[]
Array [
userId string required
Possible values: non-empty
projectId string required
Possible values: non-empty and <= 200 characters
projectGrantId string
Possible values: <= 200 characters
Make sure to fill in the project grant id if the user grant is for a granted project and the organization is not the owner of the project.
roleKeys string[]
]
orgMembers object[]
Array [
userId string
roles string[]
If no roles are provided the user won't have any rights
]
projectMembers object[]
Array [
projectId string
userId string
roles string[]
If no roles are provided the user won't have any rights
]
projectGrantMembers object[]
Array [
projectId string
grantId string
userId string required
Possible values: non-empty and <= 200 characters
roles string[]
If no roles are provided the user won't have any rights
]
userMetadata object[]
Array [
id string
Possible values: non-empty and <= 200 characters
key string
Possible values: non-empty and <= 200 characters
value byte
Possible values: non-empty and <= 500000 characters
The value has to be base64 encoded.
]
loginTexts object[]
Array [
language string
selectAccountText object
title string
description string
titleLinkingProcess string
descriptionLinkingProcess string
otherUser string
sessionStateActive string
sessionStateInactive string
userMustBeMemberOfOrg string
loginText object
title string
description string
titleLinkingProcess string
descriptionLinkingProcess string
userMustBeMemberOfOrg string
loginNameLabel string
registerButtonText string
nextButtonText string
externalUserDescription string
userNamePlaceholder string
loginNamePlaceholder string
passwordText object
title string
description string
passwordLabel string
resetLinkText string
backButtonText string
nextButtonText string
minLength string
hasUppercase string
hasLowercase string
hasNumber string
hasSymbol string
confirmation string
usernameChangeText object
title string
description string
usernameLabel string
cancelButtonText string
nextButtonText string
usernameChangeDoneText object
title string
description string
nextButtonText string
initPasswordText object
title string
description string
codeLabel string
newPasswordLabel string
newPasswordConfirmLabel string
nextButtonText string
resendButtonText string
initPasswordDoneText object
title string
description string
nextButtonText string
cancelButtonText string
emailVerificationText object
title string
description string
codeLabel string
nextButtonText string
resendButtonText string
emailVerificationDoneText object
title string
description string
nextButtonText string
cancelButtonText string
loginButtonText string
initializeUserText object
title string
description string
codeLabel string
newPasswordLabel string
newPasswordConfirmLabel string
resendButtonText string
nextButtonText string
initializeDoneText object
title string
description string
cancelButtonText string
nextButtonText string
initMfaPromptText object
title string
description string
otpOption string
u2fOption string
skipButtonText string
nextButtonText string
initMfaOtpText object
title string
description string
descriptionOtp string
secretLabel string
codeLabel string
nextButtonText string
cancelButtonText string
initMfaU2fText object
title string
description string
tokenNameLabel string
notSupported string
registerTokenButtonText string
errorRetry string
initMfaDoneText object
title string
description string
cancelButtonText string
nextButtonText string
mfaProvidersText object
chooseOther string
otp string
u2f string
verifyMfaOtpText object
title string
description string
codeLabel string
nextButtonText string
verifyMfaU2fText object
title string
description string
validateTokenText string
notSupported string
errorRetry string
passwordlessText object
title string
description string
loginWithPwButtonText string
validateTokenButtonText string
notSupported string
errorRetry string
passwordChangeText object
title string
description string
oldPasswordLabel string
newPasswordLabel string
newPasswordConfirmLabel string
cancelButtonText string
nextButtonText string
passwordChangeDoneText object
title string
description string
nextButtonText string
passwordResetDoneText object
title string
description string
nextButtonText string
registrationOptionText object
title string
description string
userNameButtonText string
externalLoginDescription string
loginButtonText string
registrationUserText object
title string
description string
descriptionOrgRegister string
firstnameLabel string
lastnameLabel string
emailLabel string
usernameLabel string
languageLabel string
genderLabel string
passwordLabel string
passwordConfirmLabel string
tosAndPrivacyLabel string
tosConfirm string
tosLinkText string
privacyConfirm string
privacyLinkText string
nextButtonText string
backButtonText string
registrationOrgText object
title string
description string
orgnameLabel string
firstnameLabel string
lastnameLabel string
usernameLabel string
emailLabel string
passwordLabel string
passwordConfirmLabel string
tosAndPrivacyLabel string
tosConfirm string
tosLinkText string
privacyConfirm string
privacyLinkText string
saveButtonText string
linkingUserDoneText object
title string
description string
cancelButtonText string
nextButtonText string
externalUserNotFoundText object
title string
description string
linkButtonText string
autoRegisterButtonText string
tosAndPrivacyLabel string
tosConfirm string
tosLinkText string
privacyLinkText string
privacyConfirm string
successLoginText object
title string
autoRedirectDescription Text to describe that auto-redirect should happen after successful login
redirectedDescription Text to describe that the window can be closed after redirect
nextButtonText string
logoutText object
title string
description string
loginButtonText string
footerText object
tos string
privacyPolicy string
help string
supportEmail string
passwordlessPromptText object
title string
description string
descriptionInit string
passwordlessButtonText string
nextButtonText string
skipButtonText string
passwordlessRegistrationText object
title string
description string
tokenNameLabel string
notSupported string
registerTokenButtonText string
errorRetry string
passwordlessRegistrationDoneText object
title string
description string
nextButtonText string
cancelButtonText string
descriptionClose string
externalRegistrationUserOverviewText object
title string
description string
emailLabel string
usernameLabel string
firstnameLabel string
lastnameLabel string
nicknameLabel string
languageLabel string
phoneLabel string
tosAndPrivacyLabel string
tosConfirm string
tosLinkText string
privacyLinkText string
backButtonText string
nextButtonText string
privacyConfirm string
]
initMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
passwordResetMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
verifyEmailMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
verifyPhoneMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
domainClaimedMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
passwordlessRegistrationMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
oidcIdps object[]
Array [
idpId string
idp object
name string required
Possible values: non-empty and <= 200 characters
stylingType string
Possible values: [STYLING_TYPE_UNSPECIFIED, STYLING_TYPE_GOOGLE]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
clientId string required
Possible values: non-empty and <= 200 characters
client id generated by the identity provider
clientSecret string required
Possible values: non-empty and <= 200 characters
client secret generated by the identity provider
issuer string required
the OIDC issuer of the identity provider
scopes string[]
the scopes requested by ZITADEL during the request on the identity provider
displayNameMapping string
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED, OIDC_MAPPING_FIELD_PREFERRED_USERNAME, OIDC_MAPPING_FIELD_EMAIL]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the display name of the user
usernameMapping string
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED, OIDC_MAPPING_FIELD_PREFERRED_USERNAME, OIDC_MAPPING_FIELD_EMAIL]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the email of the user
autoRegister boolean
]
jwtIdps object[]
Array [
idpId string
idp object
name string required
Possible values: non-empty and <= 200 characters
stylingType string
Possible values: [STYLING_TYPE_UNSPECIFIED, STYLING_TYPE_GOOGLE]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
jwtEndpoint string required
Possible values: non-empty and <= 200 characters
the endpoint where the JWT can be extracted
issuer string required
Possible values: non-empty and <= 200 characters
the issuer of the JWT (for validation)
keysEndpoint string required
Possible values: non-empty and <= 200 characters
the endpoint to the key (JWK) which is used to sign the JWT with
headerName string required
Possible values: non-empty and <= 200 characters
the name of the header where the JWT is sent in, default is authorization
autoRegister boolean
]
userLinks object[]
Array [
userId string
the id of the user
idpId string
the id of the identity provider
idpName string
the name of the identity provider
providedUserId string
the id of the user provided by the identity provider
providedUserName string
the id of the identity provider
idpType authorization framework of the identity provider
Possible values: [IDP_TYPE_UNSPECIFIED, IDP_TYPE_OIDC, IDP_TYPE_JWT]
Default value: IDP_TYPE_UNSPECIFIED
the authorization framework of the identity provider
]
domains object[]
Array [
orgId string
details object
sequence uint64
on read: the sequence of the last event reduced by the projection

on manipulation: the timestamp of the event(s) added by the manipulation
creationDate date-time
on read: the timestamp of the first event of the object

on create: the timestamp of the event(s) added by the manipulation
changeDate date-time
on read: the timestamp of the last event reduced by the projection

on manipulation: the
resourceOwner resource_owner is the organization an object belongs to
domainName string
isVerified boolean
defines if the domain is verified
isPrimary boolean
defines if the domain is the primary domain
validationType string
Possible values: [DOMAIN_VALIDATION_TYPE_UNSPECIFIED, DOMAIN_VALIDATION_TYPE_HTTP, DOMAIN_VALIDATION_TYPE_DNS]
Default value: DOMAIN_VALIDATION_TYPE_UNSPECIFIED
defines the protocol the domain was validated with
]
appKeys object[]
Array [
id string
projectId string
appId string
clientId string
type string
Possible values: [KEY_TYPE_UNSPECIFIED, KEY_TYPE_JSON]
Default value: KEY_TYPE_UNSPECIFIED
expirationDate date-time
publicKey byte
]
machineKeys object[]
Array [
keyId string
userId string
type string
Possible values: [KEY_TYPE_UNSPECIFIED, KEY_TYPE_JSON]
Default value: KEY_TYPE_UNSPECIFIED
expirationDate date-time
publicKey byte
]
]
dataOrgsv1 object
orgs object[]
Array [
orgId string
org object
name string required
Possible values: non-empty and <= 200 characters
iamPolicy object
orgId string required
Possible values: non-empty and <= 200 characters
userLoginMustBeDomain the username has to end with the domain of its organization (uniqueness is organization based)
the username has to end with the domain of its organization
labelPolicy object
primaryColor string
Possible values: <= 50 characters
Represents a color scheme
hideLoginNameSuffix hides the org suffix on the login form if the scope \"urn:zitadel:iam:org:domain:primary:{domainname}\" is set
hides the org suffix on the login form if the scope "urn:zitadel:iam:org:domain:primary:{domainname}" is set
warnColor string
Possible values: <= 50 characters
hex value for warn color
backgroundColor string
Possible values: <= 50 characters
hex value for background color
fontColor string
Possible values: <= 50 characters
hex value for font color
primaryColorDark string
Possible values: <= 50 characters
hex value for the primary color dark theme
backgroundColorDark string
Possible values: <= 50 characters
hex value for background color dark theme
warnColorDark string
Possible values: <= 50 characters
hex value for warning color dark theme
fontColorDark string
Possible values: <= 50 characters
hex value for font color dark theme
disableWatermark boolean
lockoutPolicy object
maxPasswordAttempts int64
When the user has reached the maximum password attempts the account will be locked, If this is set to 0 the lockout will not trigger.
loginPolicy object
allowUsernamePassword boolean
allowRegister boolean
allowExternalIdp boolean
forceMfa boolean
passwordlessType - PASSWORDLESS_TYPE_ALLOWED: PLANNED: PASSWORDLESS_TYPE_WITH_CERT
Possible values: [PASSWORDLESS_TYPE_NOT_ALLOWED, PASSWORDLESS_TYPE_ALLOWED]
Default value: PASSWORDLESS_TYPE_NOT_ALLOWED
hidePasswordReset boolean
ignoreUnknownUsernames boolean
defines if unknown username on login screen directly returns an error or always displays the password screen
defaultRedirectUri string
defines where the user will be redirected to if the login is started without app context (e.g. from mail)
passwordCheckLifetime string
externalLoginCheckLifetime string
mfaInitSkipLifetime string
secondFactorCheckLifetime string
multiFactorCheckLifetime string
secondFactors string[]
Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED, SECOND_FACTOR_TYPE_OTP, SECOND_FACTOR_TYPE_U2F]
multiFactors string[]
Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION]
idps object[]
Array [
idpId string
ownerType string
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED, IDP_OWNER_TYPE_SYSTEM, IDP_OWNER_TYPE_ORG]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.

IDP_OWNER_TYPE_SYSTEM: system is managed by the ZITADEL administrators

IDP_OWNER_TYPE_ORG: org is managed by de organization administrators

]
allowDomainDiscovery boolean
If set to true, the suffix (@domain.com) of an unknown username input on the login screen will be matched against the org domains and will redirect to the registration of that organization on success.
disableLoginWithEmail boolean
defines if the user can additionally (to the login name) be identified by their verified email address
disableLoginWithPhone boolean
defines if the user can additionally (to the login name) be identified by their verified phone number
passwordComplexityPolicy object
minLength uint64
hasUppercase boolean
Defines if the password MUST contain an upper case letter
hasLowercase boolean
Defines if the password MUST contain a lowercase letter
hasNumber boolean
Defines if the password MUST contain a number
hasSymbol boolean
Defines if the password MUST contain a symbol. E.g. "$"
privacyPolicy object
tosLink string
If registration is enabled, the user has to accept the TOS. Variable {{.Lang}} can be set to have different links based on the language.
privacyLink string
If registration is enabled, the user has to accept the privacy terms. Variable {{.Lang}} can be set to have different links based on the language.
helpLink string
Variable {{.Lang}} can be set to have different links based on the language.
supportEmail string
help / support email address.
projects object[]
Array [
projectId string
project object
name string required
Possible values: non-empty and <= 200 characters
projectRoleAssertion boolean
Enable this setting to have role information included in the user info endpoint. It is also dependent on your application settings to include it in tokens and other types.
projectRoleCheck boolean
When enabled ZITADEL will check if a user has a role of this project assigned when login into an application of this project.
hasProjectCheck boolean
When enabled ZITADEL will check if the organization of the user, that is trying to log in, has a grant to this project.
privateLabelingSetting string
Possible values: [PRIVATE_LABELING_SETTING_UNSPECIFIED, PRIVATE_LABELING_SETTING_ENFORCE_PROJECT_RESOURCE_OWNER_POLICY, PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY]
Default value: PRIVATE_LABELING_SETTING_UNSPECIFIED
Define which private labeling/branding should trigger when getting to a login of this project.
]
projectRoles object[]
Array [
projectId string
roleKey string required
Possible values: non-empty and <= 200 characters
The key is the only relevant attribute for ZITADEL regarding the authorization checks.
displayName string required
Possible values: non-empty and <= 200 characters
group string
Possible values: <= 200 characters
The group is only used for display purposes. That you have better handling, like giving all the roles from a group to a user.
]
apiApps object[]
Array [
appId string
app object
projectId string
name string required
Possible values: non-empty and <= 200 characters
authMethodType string
Possible values: [API_AUTH_METHOD_TYPE_BASIC, API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT]
Default value: API_AUTH_METHOD_TYPE_BASIC
]
oidcApps object[]
Array [
appId string
app object
projectId string
name string required
Possible values: non-empty and <= 200 characters
redirectUris string[]
Callback URI of the authorization request where the code or tokens will be sent to
responseTypes string[]
Possible values: [OIDC_RESPONSE_TYPE_CODE, OIDC_RESPONSE_TYPE_ID_TOKEN, OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN]
Determines whether a code, id_token token or just id_token will be returned
grantTypes string[]
Possible values: [OIDC_GRANT_TYPE_AUTHORIZATION_CODE, OIDC_GRANT_TYPE_IMPLICIT, OIDC_GRANT_TYPE_REFRESH_TOKEN, OIDC_GRANT_TYPE_DEVICE_CODE]
The flow type the application uses to gain access
appType string
Possible values: [OIDC_APP_TYPE_WEB, OIDC_APP_TYPE_USER_AGENT, OIDC_APP_TYPE_NATIVE]
Default value: OIDC_APP_TYPE_WEB
Determines the paradigm of the application
authMethodType string
Possible values: [OIDC_AUTH_METHOD_TYPE_BASIC, OIDC_AUTH_METHOD_TYPE_POST, OIDC_AUTH_METHOD_TYPE_NONE, OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT]
Default value: OIDC_AUTH_METHOD_TYPE_BASIC
Defines how the application passes login credentials
postLogoutRedirectUris string[]
ZITADEL will redirect to this link after a successful logout
version string
Possible values: [OIDC_VERSION_1_0]
Default value: OIDC_VERSION_1_0
devMode boolean
Used for development, some checks of the OIDC specification will not be checked.
accessTokenType string
Possible values: [OIDC_TOKEN_TYPE_BEARER, OIDC_TOKEN_TYPE_JWT]
Default value: OIDC_TOKEN_TYPE_BEARER
Type of the access token returned from ZITADEL
accessTokenRoleAssertion boolean
Adds roles to the claims of the access token (only if type == JWT) even if they are not requested by scopes
idTokenRoleAssertion boolean
Adds roles to the claims of the id token even if they are not requested by scopes
idTokenUserinfoAssertion boolean
Claims of profile, email, address and phone scopes are added to the id token even if an access token is issued. Attention this violates the OIDC specification
clockSkew string
Used to compensate time difference of servers. Duration added to the "exp" claim and subtracted from "iat", "auth_time" and "nbf" claims
additionalOrigins string[]
Additional origins (other than the redirect_uris) from where the API can be used
skipNativeAppSuccessPage boolean
Skip the successful login page on native apps and directly redirect the user to the callback.
]
humanUsers object[]
Array [
userId string
user object
userName string required
profile object required
Profile includes the basic information of a user, like first name, last name, etc.
firstName string required
Possible values: non-empty and <= 200 characters
lastName string required
Possible values: non-empty and <= 200 characters
nickName string
Possible values: <= 200 characters
displayName string
Possible values: <= 200 characters
preferredLanguage string
Possible values: <= 10 characters
gender string
Possible values: [GENDER_UNSPECIFIED, GENDER_FEMALE, GENDER_MALE, GENDER_DIVERSE]
Default value: GENDER_UNSPECIFIED
email object required
email string required
Object that contains the email address and a verified flag.
isEmailVerified boolean
If email verified is set to true, the email will be added as verified and the user doesn't have to verify.
phone object
Object that contains the number and a verified flag
phone string
Possible values: non-empty and <= 50 characters
mobile phone number of the user. (use global pattern of spec https://tools.ietf.org/html/rfc3966)
isPhoneVerified boolean
password string
hashedPassword object
Use this to import hashed passwords from another system.
value string
algorithm string
passwordChangeRequired boolean
If this is set to true, the user has to change the password on the next login.
requestPasswordlessRegistration boolean
If this is set to true, you will get a link for the passwordless/passkey registration in the response.
otpCode string
idps object[]
To link your user directly with an external identity provider (Identity brokering)
Array [
configId string
Possible values: non-empty and <= 200 characters
The internal ID of the identity provider configured in ZITADEL.
externalUserId string
Possible values: non-empty and <= 200 characters
The id of the user in the external identity provider
displayName string
Possible values: <= 200 characters
A display name ZITADEL can show on the linked provider.
]
]
machineUsers object[]
Array [
userId string
user object
userName string required
Possible values: non-empty and <= 200 characters
name string required
Possible values: non-empty and <= 200 characters
description string
Possible values: <= 500 characters
accessTokenType string
Possible values: [ACCESS_TOKEN_TYPE_BEARER, ACCESS_TOKEN_TYPE_JWT]
Default value: ACCESS_TOKEN_TYPE_BEARER
]
triggerActions object[]
Array [
flowType string
Possible values: [FLOW_TYPE_UNSPECIFIED, FLOW_TYPE_EXTERNAL_AUTHENTICATION]
Default value: FLOW_TYPE_UNSPECIFIED
triggerType string
Possible values: [TRIGGER_TYPE_UNSPECIFIED, TRIGGER_TYPE_POST_AUTHENTICATION, TRIGGER_TYPE_PRE_CREATION, TRIGGER_TYPE_POST_CREATION]
Default value: TRIGGER_TYPE_UNSPECIFIED
actionIds string[]
]
actions object[]
Array [
actionId string
action object
name string required
Possible values: non-empty and <= 200 characters
script string required
Possible values: non-empty and <= 2000 characters
Javascript code that should be executed
timeout string
after which time the action will be terminated if not finished
allowedToFail boolean
when true, the next action will be called even if this action fails
]
projectGrants object[]
Array [
grantId string
projectGrant object
projectId string
grantedOrgId string
roleKeys string[]
]
userGrants object[]
Array [
userId string required
Possible values: non-empty
projectId string required
Possible values: non-empty and <= 200 characters
projectGrantId string
Possible values: <= 200 characters
Make sure to fill in the project grant id if the user grant is for a granted project and the organization is not the owner of the project.
roleKeys string[]
]
orgMembers object[]
Array [
userId string
roles string[]
If no roles are provided the user won't have any rights
]
projectMembers object[]
Array [
projectId string
userId string
roles string[]
If no roles are provided the user won't have any rights
]
projectGrantMembers object[]
Array [
projectId string
grantId string
userId string required
Possible values: non-empty and <= 200 characters
roles string[]
If no roles are provided the user won't have any rights
]
userMetadata object[]
Array [
id string
Possible values: non-empty and <= 200 characters
key string
Possible values: non-empty and <= 200 characters
value byte
Possible values: non-empty and <= 500000 characters
The value has to be base64 encoded.
]
loginTexts object[]
Array [
language string
selectAccountText object
title string
description string
titleLinkingProcess string
descriptionLinkingProcess string
otherUser string
sessionStateActive string
sessionStateInactive string
userMustBeMemberOfOrg string
loginText object
title string
description string
titleLinkingProcess string
descriptionLinkingProcess string
userMustBeMemberOfOrg string
loginNameLabel string
registerButtonText string
nextButtonText string
externalUserDescription string
userNamePlaceholder string
loginNamePlaceholder string
passwordText object
title string
description string
passwordLabel string
resetLinkText string
backButtonText string
nextButtonText string
minLength string
hasUppercase string
hasLowercase string
hasNumber string
hasSymbol string
confirmation string
usernameChangeText object
title string
description string
usernameLabel string
cancelButtonText string
nextButtonText string
usernameChangeDoneText object
title string
description string
nextButtonText string
initPasswordText object
title string
description string
codeLabel string
newPasswordLabel string
newPasswordConfirmLabel string
nextButtonText string
resendButtonText string
initPasswordDoneText object
title string
description string
nextButtonText string
cancelButtonText string
emailVerificationText object
title string
description string
codeLabel string
nextButtonText string
resendButtonText string
emailVerificationDoneText object
title string
description string
nextButtonText string
cancelButtonText string
loginButtonText string
initializeUserText object
title string
description string
codeLabel string
newPasswordLabel string
newPasswordConfirmLabel string
resendButtonText string
nextButtonText string
initializeDoneText object
title string
description string
cancelButtonText string
nextButtonText string
initMfaPromptText object
title string
description string
otpOption string
u2fOption string
skipButtonText string
nextButtonText string
initMfaOtpText object
title string
description string
descriptionOtp string
secretLabel string
codeLabel string
nextButtonText string
cancelButtonText string
initMfaU2fText object
title string
description string
tokenNameLabel string
notSupported string
registerTokenButtonText string
errorRetry string
initMfaDoneText object
title string
description string
cancelButtonText string
nextButtonText string
mfaProvidersText object
chooseOther string
otp string
u2f string
verifyMfaOtpText object
title string
description string
codeLabel string
nextButtonText string
verifyMfaU2fText object
title string
description string
validateTokenText string
notSupported string
errorRetry string
passwordlessText object
title string
description string
loginWithPwButtonText string
validateTokenButtonText string
notSupported string
errorRetry string
passwordChangeText object
title string
description string
oldPasswordLabel string
newPasswordLabel string
newPasswordConfirmLabel string
cancelButtonText string
nextButtonText string
passwordChangeDoneText object
title string
description string
nextButtonText string
passwordResetDoneText object
title string
description string
nextButtonText string
registrationOptionText object
title string
description string
userNameButtonText string
externalLoginDescription string
loginButtonText string
registrationUserText object
title string
description string
descriptionOrgRegister string
firstnameLabel string
lastnameLabel string
emailLabel string
usernameLabel string
languageLabel string
genderLabel string
passwordLabel string
passwordConfirmLabel string
tosAndPrivacyLabel string
tosConfirm string
tosLinkText string
privacyConfirm string
privacyLinkText string
nextButtonText string
backButtonText string
registrationOrgText object
title string
description string
orgnameLabel string
firstnameLabel string
lastnameLabel string
usernameLabel string
emailLabel string
passwordLabel string
passwordConfirmLabel string
tosAndPrivacyLabel string
tosConfirm string
tosLinkText string
privacyConfirm string
privacyLinkText string
saveButtonText string
linkingUserDoneText object
title string
description string
cancelButtonText string
nextButtonText string
externalUserNotFoundText object
title string
description string
linkButtonText string
autoRegisterButtonText string
tosAndPrivacyLabel string
tosConfirm string
tosLinkText string
privacyLinkText string
privacyConfirm string
successLoginText object
title string
autoRedirectDescription Text to describe that auto-redirect should happen after successful login
redirectedDescription Text to describe that the window can be closed after redirect
nextButtonText string
logoutText object
title string
description string
loginButtonText string
footerText object
tos string
privacyPolicy string
help string
supportEmail string
passwordlessPromptText object
title string
description string
descriptionInit string
passwordlessButtonText string
nextButtonText string
skipButtonText string
passwordlessRegistrationText object
title string
description string
tokenNameLabel string
notSupported string
registerTokenButtonText string
errorRetry string
passwordlessRegistrationDoneText object
title string
description string
nextButtonText string
cancelButtonText string
descriptionClose string
externalRegistrationUserOverviewText object
title string
description string
emailLabel string
usernameLabel string
firstnameLabel string
lastnameLabel string
nicknameLabel string
languageLabel string
phoneLabel string
tosAndPrivacyLabel string
tosConfirm string
tosLinkText string
privacyLinkText string
backButtonText string
nextButtonText string
privacyConfirm string
]
initMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
passwordResetMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
verifyEmailMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
verifyPhoneMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
domainClaimedMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
passwordlessRegistrationMessages object[]
Array [
language string
title string
Possible values: <= 200 characters
preHeader string
Possible values: <= 200 characters
subject string
Possible values: <= 200 characters
greeting string
Possible values: <= 200 characters
text string
Possible values: <= 800 characters
buttonText string
Possible values: <= 200 characters
footerText string
]
oidcIdps object[]
Array [
idpId string
idp object
name string required
Possible values: non-empty and <= 200 characters
stylingType string
Possible values: [STYLING_TYPE_UNSPECIFIED, STYLING_TYPE_GOOGLE]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
clientId string required
Possible values: non-empty and <= 200 characters
client id generated by the identity provider
clientSecret string required
Possible values: non-empty and <= 200 characters
client secret generated by the identity provider
issuer string required
the OIDC issuer of the identity provider
scopes string[]
the scopes requested by ZITADEL during the request on the identity provider
displayNameMapping string
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED, OIDC_MAPPING_FIELD_PREFERRED_USERNAME, OIDC_MAPPING_FIELD_EMAIL]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the display name of the user
usernameMapping string
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED, OIDC_MAPPING_FIELD_PREFERRED_USERNAME, OIDC_MAPPING_FIELD_EMAIL]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the email of the user
autoRegister boolean
]
jwtIdps object[]
Array [
idpId string
idp object
name string required
Possible values: non-empty and <= 200 characters
stylingType string
Possible values: [STYLING_TYPE_UNSPECIFIED, STYLING_TYPE_GOOGLE]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
jwtEndpoint string required
Possible values: non-empty and <= 200 characters
the endpoint where the JWT can be extracted
issuer string required
Possible values: non-empty and <= 200 characters
the issuer of the JWT (for validation)
keysEndpoint string required
Possible values: non-empty and <= 200 characters
the endpoint to the key (JWK) which is used to sign the JWT with
headerName string required
Possible values: non-empty and <= 200 characters
the name of the header where the JWT is sent in, default is authorization
autoRegister boolean
]
secondFactors object[]
Array [
type string
Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED, SECOND_FACTOR_TYPE_OTP, SECOND_FACTOR_TYPE_U2F]
Default value: SECOND_FACTOR_TYPE_UNSPECIFIED
]
multiFactors object[]
Array [
type string
Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION]
Default value: MULTI_FACTOR_TYPE_UNSPECIFIED
]
idps object[]
Array [
idpId string
ownerType string
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED, IDP_OWNER_TYPE_SYSTEM, IDP_OWNER_TYPE_ORG]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.

IDP_OWNER_TYPE_SYSTEM: system is managed by the ZITADEL administrators

IDP_OWNER_TYPE_ORG: org is managed by de organization administrators

]
userLinks object[]
Array [
userId string
the id of the user
idpId string
the id of the identity provider
idpName string
the name of the identity provider
providedUserId string
the id of the user provided by the identity provider
providedUserName string
the id of the identity provider
idpType authorization framework of the identity provider
Possible values: [IDP_TYPE_UNSPECIFIED, IDP_TYPE_OIDC, IDP_TYPE_JWT]
Default value: IDP_TYPE_UNSPECIFIED
the authorization framework of the identity provider
]
domains object[]
Array [
orgId string
details object
sequence uint64
on read: the sequence of the last event reduced by the projection

on manipulation: the timestamp of the event(s) added by the manipulation
creationDate date-time
on read: the timestamp of the first event of the object

on create: the timestamp of the event(s) added by the manipulation
changeDate date-time
on read: the timestamp of the last event reduced by the projection

on manipulation: the
resourceOwner resource_owner is the organization an object belongs to
domainName string
isVerified boolean
defines if the domain is verified
isPrimary boolean
defines if the domain is the primary domain
validationType string
Possible values: [DOMAIN_VALIDATION_TYPE_UNSPECIFIED, DOMAIN_VALIDATION_TYPE_HTTP, DOMAIN_VALIDATION_TYPE_DNS]
Default value: DOMAIN_VALIDATION_TYPE_UNSPECIFIED
defines the protocol the domain was validated with
]
appKeys object[]
Array [
id string
projectId string
appId string
clientId string
type string
Possible values: [KEY_TYPE_UNSPECIFIED, KEY_TYPE_JSON]
Default value: KEY_TYPE_UNSPECIFIED
expirationDate date-time
publicKey byte
]
machineKeys object[]
Array [
keyId string
userId string
type string
Possible values: [KEY_TYPE_UNSPECIFIED, KEY_TYPE_JSON]
Default value: KEY_TYPE_UNSPECIFIED
expirationDate date-time
publicKey byte
]
]
dataOrgsLocal object
path string
dataOrgsv1Local object
path string
dataOrgsS3 object
path string
endpoint string
accessKeyId string
secretAccessKey string
ssl boolean
bucket string
dataOrgsv1S3 object
path string
endpoint string
accessKeyId string
secretAccessKey string
ssl boolean
bucket string
dataOrgsGcs object
bucket string
serviceaccountJson string
path string
dataOrgsv1Gcs object
bucket string
serviceaccountJson string
path string
timeout string

Responses

200
403
404
default

A successful response.

application/json
application/grpc
application/grpc-web+proto

Schema
Example (from schema)

Schema

errors object[]
Array [
type string
id string
message string
]
success object
orgs object[]
Array [
orgId string
projectIds string[]
projectRoles string[]
oidcAppIds string[]
apiAppIds string[]
humanUserIds string[]
machineUserIds string[]
actionIds string[]
triggerActions object[]
Array [
flowType id of the flow type
At the moment you have to send the ID of the Flow Type: ExternalAuthentication=1, CustomiseToken=2, InternalAuthentication=3, PreUserinfoCreation=3
triggerType id of the trigger type
At the moment you have to send the ID of the Trigger Type: PostAuthentication=1, PreCreation=2, PostCreation=3, PreUserinfoCreation=4, PreAccessTokenCreation=5
actionIds string[]
]
projectGrants object[]
Array [
grantId string
projectId string
orgId string
]
userGrants object[]
Array [
projectId string
userId string
]
orgMembers string[]
projectMembers object[]
Array [
projectId string
userId string
]
projectGrantMembers object[]
Array [
projectId string
grantId string
userId string
]
oidcIpds string[]
jwtIdps string[]
idpLinks string[]
userLinks object[]
Array [
userId string
externalUserId string
displayName string
idpId string
]
userMetadata object[]
Array [
userId string
key string
]
domains string[]
appKeys string[]
machineKeys string[]
]

{
  "errors": [
    {
      "type": "string",
      "id": "string",
      "message": "string"
    }
  ],
  "success": {
    "orgs": [
      {
        "orgId": "string",
        "projectIds": [
          "string"
        ],
        "projectRoles": [
          "string"
        ],
        "oidcAppIds": [
          "string"
        ],
        "apiAppIds": [
          "string"
        ],
        "humanUserIds": [
          "string"
        ],
        "machineUserIds": [
          "string"
        ],
        "actionIds": [
          "string"
        ],
        "triggerActions": [
          {
            "flowType": "1",
            "triggerType": "1",
            "actionIds": [
              "string"
            ]
          }
        ],
        "projectGrants": [
          {
            "grantId": "string",
            "projectId": "string",
            "orgId": "string"
          }
        ],
        "userGrants": [
          {
            "projectId": "string",
            "userId": "string"
          }
        ],
        "orgMembers": [
          "string"
        ],
        "projectMembers": [
          {
            "projectId": "string",
            "userId": "string"
          }
        ],
        "projectGrantMembers": [
          {
            "projectId": "string",
            "grantId": "string",
            "userId": "string"
          }
        ],
        "oidcIpds": [
          "string"
        ],
        "jwtIdps": [
          "string"
        ],
        "idpLinks": [
          "string"
        ],
        "userLinks": [
          {
            "userId": "string",
            "externalUserId": "string",
            "displayName": "string",
            "idpId": "string"
          }
        ],
        "userMetadata": [
          {
            "userId": "string",
            "key": "string"
          }
        ],
        "domains": [
          "string"
        ],
        "appKeys": [
          "string"
        ],
        "machineKeys": [
          "string"
        ]
      }
    ]
  }
}

Schema
Example (from schema)

Schema

errors object[]
Array [
type string
id string
message string
]
success object
orgs object[]
Array [
orgId string
projectIds string[]
projectRoles string[]
oidcAppIds string[]
apiAppIds string[]
humanUserIds string[]
machineUserIds string[]
actionIds string[]
triggerActions object[]
Array [
flowType id of the flow type
At the moment you have to send the ID of the Flow Type: ExternalAuthentication=1, CustomiseToken=2, InternalAuthentication=3, PreUserinfoCreation=3
triggerType id of the trigger type
At the moment you have to send the ID of the Trigger Type: PostAuthentication=1, PreCreation=2, PostCreation=3, PreUserinfoCreation=4, PreAccessTokenCreation=5
actionIds string[]
]
projectGrants object[]
Array [
grantId string
projectId string
orgId string
]
userGrants object[]
Array [
projectId string
userId string
]
orgMembers string[]
projectMembers object[]
Array [
projectId string
userId string
]
projectGrantMembers object[]
Array [
projectId string
grantId string
userId string
]
oidcIpds string[]
jwtIdps string[]
idpLinks string[]
userLinks object[]
Array [
userId string
externalUserId string
displayName string
idpId string
]
userMetadata object[]
Array [
userId string
key string
]
domains string[]
appKeys string[]
machineKeys string[]
]

{
  "errors": [
    {
      "type": "string",
      "id": "string",
      "message": "string"
    }
  ],
  "success": {
    "orgs": [
      {
        "orgId": "string",
        "projectIds": [
          "string"
        ],
        "projectRoles": [
          "string"
        ],
        "oidcAppIds": [
          "string"
        ],
        "apiAppIds": [
          "string"
        ],
        "humanUserIds": [
          "string"
        ],
        "machineUserIds": [
          "string"
        ],
        "actionIds": [
          "string"
        ],
        "triggerActions": [
          {
            "flowType": "1",
            "triggerType": "1",
            "actionIds": [
              "string"
            ]
          }
        ],
        "projectGrants": [
          {
            "grantId": "string",
            "projectId": "string",
            "orgId": "string"
          }
        ],
        "userGrants": [
          {
            "projectId": "string",
            "userId": "string"
          }
        ],
        "orgMembers": [
          "string"
        ],
        "projectMembers": [
          {
            "projectId": "string",
            "userId": "string"
          }
        ],
        "projectGrantMembers": [
          {
            "projectId": "string",
            "grantId": "string",
            "userId": "string"
          }
        ],
        "oidcIpds": [
          "string"
        ],
        "jwtIdps": [
          "string"
        ],
        "idpLinks": [
          "string"
        ],
        "userLinks": [
          {
            "userId": "string",
            "externalUserId": "string",
            "displayName": "string",
            "idpId": "string"
          }
        ],
        "userMetadata": [
          {
            "userId": "string",
            "key": "string"
          }
        ],
        "domains": [
          "string"
        ],
        "appKeys": [
          "string"
        ],
        "machineKeys": [
          "string"
        ]
      }
    ]
  }
}

Schema
Example (from schema)

Schema

errors object[]
Array [
type string
id string
message string
]
success object
orgs object[]
Array [
orgId string
projectIds string[]
projectRoles string[]
oidcAppIds string[]
apiAppIds string[]
humanUserIds string[]
machineUserIds string[]
actionIds string[]
triggerActions object[]
Array [
flowType id of the flow type
At the moment you have to send the ID of the Flow Type: ExternalAuthentication=1, CustomiseToken=2, InternalAuthentication=3, PreUserinfoCreation=3
triggerType id of the trigger type
At the moment you have to send the ID of the Trigger Type: PostAuthentication=1, PreCreation=2, PostCreation=3, PreUserinfoCreation=4, PreAccessTokenCreation=5
actionIds string[]
]
projectGrants object[]
Array [
grantId string
projectId string
orgId string
]
userGrants object[]
Array [
projectId string
userId string
]
orgMembers string[]
projectMembers object[]
Array [
projectId string
userId string
]
projectGrantMembers object[]
Array [
projectId string
grantId string
userId string
]
oidcIpds string[]
jwtIdps string[]
idpLinks string[]
userLinks object[]
Array [
userId string
externalUserId string
displayName string
idpId string
]
userMetadata object[]
Array [
userId string
key string
]
domains string[]
appKeys string[]
machineKeys string[]
]

{
  "errors": [
    {
      "type": "string",
      "id": "string",
      "message": "string"
    }
  ],
  "success": {
    "orgs": [
      {
        "orgId": "string",
        "projectIds": [
          "string"
        ],
        "projectRoles": [
          "string"
        ],
        "oidcAppIds": [
          "string"
        ],
        "apiAppIds": [
          "string"
        ],
        "humanUserIds": [
          "string"
        ],
        "machineUserIds": [
          "string"
        ],
        "actionIds": [
          "string"
        ],
        "triggerActions": [
          {
            "flowType": "1",
            "triggerType": "1",
            "actionIds": [
              "string"
            ]
          }
        ],
        "projectGrants": [
          {
            "grantId": "string",
            "projectId": "string",
            "orgId": "string"
          }
        ],
        "userGrants": [
          {
            "projectId": "string",
            "userId": "string"
          }
        ],
        "orgMembers": [
          "string"
        ],
        "projectMembers": [
          {
            "projectId": "string",
            "userId": "string"
          }
        ],
        "projectGrantMembers": [
          {
            "projectId": "string",
            "grantId": "string",
            "userId": "string"
          }
        ],
        "oidcIpds": [
          "string"
        ],
        "jwtIdps": [
          "string"
        ],
        "idpLinks": [
          "string"
        ],
        "userLinks": [
          {
            "userId": "string",
            "externalUserId": "string",
            "displayName": "string",
            "idpId": "string"
          }
        ],
        "userMetadata": [
          {
            "userId": "string",
            "key": "string"
          }
        ],
        "domains": [
          "string"
        ],
        "appKeys": [
          "string"
        ],
        "machineKeys": [
          "string"
        ]
      }
    ]
  }
}

Returned when the user does not have permission to access the resource.

application/json
application/grpc
application/grpc-web+proto

Schema
Example (from schema)

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema
Example (from schema)

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema
Example (from schema)

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Returned when the resource does not exist.

application/json
application/grpc
application/grpc-web+proto

Schema
Example (from schema)

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema
Example (from schema)

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema
Example (from schema)

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

An unexpected error response.

application/json
application/grpc
application/grpc-web+proto

Schema
Example (from schema)

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema
Example (from schema)

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema
Example (from schema)

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Import Data​

Import Data