Import Data
POST/import
Import data on an instance level to ZITADEL. It can be either directly in the request or you can point to a file on an S3 storage, from which the data should be loaded.
Request​
- application/json
- application/grpc
- application/grpc-web+proto
Body
required
Array [
Array [
- IDP_OWNER_TYPE_SYSTEM: system is managed by the ZITADEL administrators
- IDP_OWNER_TYPE_ORG: org is managed by de organization administrators
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
Array [
]
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
]
Array [
Array [
- IDP_OWNER_TYPE_SYSTEM: system is managed by the ZITADEL administrators
- IDP_OWNER_TYPE_ORG: org is managed by de organization administrators
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
Array [
]
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
- IDP_OWNER_TYPE_SYSTEM: system is managed by the ZITADEL administrators
- IDP_OWNER_TYPE_ORG: org is managed by de organization administrators
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
]
dataOrgs
object
orgs
object[]
org
object
Possible values: non-empty
and <= 200 characters
domainPolicy
object
Possible values: non-empty
and <= 200 characters
the username has to end with the domain of its organization
defines if organization domains should be validated org count as validated automatically
defines if the SMTP sender address domain should match an existing domain on the instance
labelPolicy
object
Possible values: <= 50 characters
Represents a color scheme
hides the org suffix on the login form if the scope "urn:zitadel:iam:org:domain:primary:{domainname}" is set
Possible values: <= 50 characters
hex value for warn color
Possible values: <= 50 characters
hex value for background color
Possible values: <= 50 characters
hex value for font color
Possible values: <= 50 characters
hex value for the primary color dark theme
Possible values: <= 50 characters
hex value for background color dark theme
Possible values: <= 50 characters
hex value for warning color dark theme
Possible values: <= 50 characters
hex value for font color dark theme
Possible values: [THEME_MODE_UNSPECIFIED
, THEME_MODE_AUTO
, THEME_MODE_DARK
, THEME_MODE_LIGHT
]
Default value: THEME_MODE_UNSPECIFIED
setting if there should be a restriction on which themes are available
lockoutPolicy
object
When the user has reached the maximum password attempts the account will be locked, If this is set to 0 the lockout will not trigger.
Maximum failed attempts for a single OTP type (TOTP, SMS, Email) before the account gets locked. Attempts are reset as soon as the OTP is entered correctly. If set to 0 the account will never be locked.
loginPolicy
object
Possible values: [PASSWORDLESS_TYPE_NOT_ALLOWED
, PASSWORDLESS_TYPE_ALLOWED
]
Default value: PASSWORDLESS_TYPE_NOT_ALLOWED
defines if unknown username on login screen directly returns an error or always displays the password screen
defines where the user will be redirected to if the login is started without app context (e.g. from mail)
Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED
, SECOND_FACTOR_TYPE_OTP
, SECOND_FACTOR_TYPE_U2F
, SECOND_FACTOR_TYPE_OTP_EMAIL
, SECOND_FACTOR_TYPE_OTP_SMS
]
Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED
, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION
]
idps
object[]
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED
, IDP_OWNER_TYPE_SYSTEM
, IDP_OWNER_TYPE_ORG
]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.
If set to true, the suffix (@domain.com) of an unknown username input on the login screen will be matched against the org domains and will redirect to the registration of that organization on success.
defines if the user can additionally (to the login name) be identified by their verified email address
defines if the user can additionally (to the login name) be identified by their verified phone number
if activated, only local authenticated users are forced to use MFA. Authentication through IDPs won't prompt a MFA step in the login.
passwordComplexityPolicy
object
Defines if the password MUST contain an upper case letter
Defines if the password MUST contain a lowercase letter
Defines if the password MUST contain a number
Defines if the password MUST contain a symbol. E.g. "$"
privacyPolicy
object
If registration is enabled, the user has to accept the TOS. Variable {{.Lang}} can be set to have different links based on the language.
If registration is enabled, the user has to accept the privacy terms. Variable {{.Lang}} can be set to have different links based on the language.
Variable {{.Lang}} can be set to have different links based on the language.
help / support email address.
Link to documentation to be shown in the console.
Link to an external resource that will be available to users in the console.
The button text that would be shown in console pointing to custom link.
projects
object[]
project
object
Possible values: non-empty
and <= 200 characters
Enable this setting to have role information included in the user info endpoint. It is also dependent on your application settings to include it in tokens and other types.
When enabled ZITADEL will check if a user has a role of this project assigned when login into an application of this project.
When enabled ZITADEL will check if the organization of the user, that is trying to log in, has a grant to this project.
Possible values: [PRIVATE_LABELING_SETTING_UNSPECIFIED
, PRIVATE_LABELING_SETTING_ENFORCE_PROJECT_RESOURCE_OWNER_POLICY
, PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY
]
Default value: PRIVATE_LABELING_SETTING_UNSPECIFIED
Define which private labeling/branding should trigger when getting to a login of this project.
projectRoles
object[]
Possible values: non-empty
and <= 200 characters
The key is the only relevant attribute for ZITADEL regarding the authorization checks.
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
The group is only used for display purposes. That you have better handling, like giving all the roles from a group to a user.
apiApps
object[]
app
object
Possible values: non-empty
and <= 200 characters
Possible values: [API_AUTH_METHOD_TYPE_BASIC
, API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]
Default value: API_AUTH_METHOD_TYPE_BASIC
oidcApps
object[]
app
object
Possible values: non-empty
and <= 200 characters
Callback URI of the authorization request where the code or tokens will be sent to
Possible values: [OIDC_RESPONSE_TYPE_CODE
, OIDC_RESPONSE_TYPE_ID_TOKEN
, OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN
]
Determines whether a code, id_token token or just id_token will be returned
Possible values: [OIDC_GRANT_TYPE_AUTHORIZATION_CODE
, OIDC_GRANT_TYPE_IMPLICIT
, OIDC_GRANT_TYPE_REFRESH_TOKEN
, OIDC_GRANT_TYPE_DEVICE_CODE
, OIDC_GRANT_TYPE_TOKEN_EXCHANGE
]
The flow type the application uses to gain access
Possible values: [OIDC_APP_TYPE_WEB
, OIDC_APP_TYPE_USER_AGENT
, OIDC_APP_TYPE_NATIVE
]
Default value: OIDC_APP_TYPE_WEB
Determines the paradigm of the application
Possible values: [OIDC_AUTH_METHOD_TYPE_BASIC
, OIDC_AUTH_METHOD_TYPE_POST
, OIDC_AUTH_METHOD_TYPE_NONE
, OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]
Default value: OIDC_AUTH_METHOD_TYPE_BASIC
Defines how the application passes login credentials
ZITADEL will redirect to this link after a successful logout
Possible values: [OIDC_VERSION_1_0
]
Default value: OIDC_VERSION_1_0
Used for development, some checks of the OIDC specification will not be checked.
Possible values: [OIDC_TOKEN_TYPE_BEARER
, OIDC_TOKEN_TYPE_JWT
]
Default value: OIDC_TOKEN_TYPE_BEARER
Type of the access token returned from ZITADEL
Adds roles to the claims of the access token (only if type == JWT) even if they are not requested by scopes
Adds roles to the claims of the id token even if they are not requested by scopes
Claims of profile, email, address and phone scopes are added to the id token even if an access token is issued. Attention this violates the OIDC specification
Used to compensate time difference of servers. Duration added to the "exp" claim and subtracted from "iat", "auth_time" and "nbf" claims
Additional origins (other than the redirect_uris) from where the API can be used, provided string has to be an origin (scheme://hostname[:port]) without path, query or fragment
Skip the successful login page on native apps and directly redirect the user to the callback.
ZITADEL will use this URI to notify the application about terminated session according to the OIDC Back-Channel Logout (https://openid.net/specs/openid-connect-backchannel-1_0.html)
humanUsers
object[]
user
object
profile
object
required
Profile includes the basic information of a user, like first name, last name, etc.
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
Possible values: <= 200 characters
Possible values: <= 10 characters
Possible values: [GENDER_UNSPECIFIED
, GENDER_FEMALE
, GENDER_MALE
, GENDER_DIVERSE
]
Default value: GENDER_UNSPECIFIED
email
object
required
Object that contains the email address and a verified flag.
If email verified is set to true, the email will be added as verified and the user doesn't have to verify.
phone
object
Object that contains the number and a verified flag
Possible values: non-empty
and <= 50 characters
mobile phone number of the user. (use global pattern of spec https://tools.ietf.org/html/rfc3966)
hashedPassword
object
Use this to import hashed passwords from another system.
Encoded hash of a password in Modular Crypt Format: https://zitadel.com/docs/concepts/architecture/secrets#hashed-secrets
If this is set to true, the user has to change the password on the next login.
If this is set to true, you will get a link for the passwordless/passkey registration in the response.
idps
object[]
To link your user directly with an external identity provider (Identity brokering)
Possible values: non-empty
and <= 200 characters
The internal ID of the identity provider configured in ZITADEL.
Possible values: non-empty
and <= 200 characters
The id of the user in the external identity provider
Possible values: <= 200 characters
A display name ZITADEL can show on the linked provider.
machineUsers
object[]
user
object
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: <= 500 characters
Possible values: [ACCESS_TOKEN_TYPE_BEARER
, ACCESS_TOKEN_TYPE_JWT
]
Default value: ACCESS_TOKEN_TYPE_BEARER
Possible values: <= 200 characters
optionally set your own id unique for the user.
triggerActions
object[]
actions
object[]
action
object
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 10000 characters
Javascript code that should be executed
after which time the action will be terminated if not finished
when true, the next action will be called even if this action fails
projectGrants
object[]
projectGrant
object
userGrants
object[]
Possible values: non-empty
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
Make sure to fill in the project grant id if the user grant is for a granted project and the organization is not the owner of the project.
orgMembers
object[]
If no roles are provided the user won't have any rights
projectMembers
object[]
If no roles are provided the user won't have any rights
projectGrantMembers
object[]
Possible values: non-empty
and <= 200 characters
If no roles are provided the user won't have any rights
userMetadata
object[]
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 500000 characters
The value has to be base64 encoded.
loginTexts
object[]
selectAccountText
object
loginText
object
passwordText
object
usernameChangeText
object
usernameChangeDoneText
object
initPasswordText
object
initPasswordDoneText
object
emailVerificationText
object
emailVerificationDoneText
object
initializeUserText
object
initializeDoneText
object
initMfaPromptText
object
initMfaOtpText
object
initMfaU2fText
object
initMfaDoneText
object
mfaProvidersText
object
verifyMfaOtpText
object
verifyMfaU2fText
object
passwordlessText
object
passwordChangeText
object
passwordChangeDoneText
object
passwordResetDoneText
object
registrationOptionText
object
registrationUserText
object
registrationOrgText
object
linkingUserDoneText
object
externalUserNotFoundText
object
successLoginText
object
logoutText
object
footerText
object
passwordlessPromptText
object
passwordlessRegistrationText
object
passwordlessRegistrationDoneText
object
externalRegistrationUserOverviewText
object
linkingUserPromptText
object
initMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
passwordResetMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
verifyEmailMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
verifyPhoneMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 800 characters
Possible values: <= 1000 characters
domainClaimedMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
passwordlessRegistrationMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 500 characters
oidcIdps
object[]
idp
object
Possible values: non-empty
and <= 200 characters
Possible values: [STYLING_TYPE_UNSPECIFIED
, STYLING_TYPE_GOOGLE
]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
Possible values: non-empty
and <= 200 characters
client id generated by the identity provider
Possible values: non-empty
and <= 200 characters
client secret generated by the identity provider
the OIDC issuer of the identity provider
the scopes requested by ZITADEL during the request on the identity provider
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED
, OIDC_MAPPING_FIELD_PREFERRED_USERNAME
, OIDC_MAPPING_FIELD_EMAIL
]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the display name of the user
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED
, OIDC_MAPPING_FIELD_PREFERRED_USERNAME
, OIDC_MAPPING_FIELD_EMAIL
]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the email of the user
jwtIdps
object[]
idp
object
Possible values: non-empty
and <= 200 characters
Possible values: [STYLING_TYPE_UNSPECIFIED
, STYLING_TYPE_GOOGLE
]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
Possible values: non-empty
and <= 200 characters
the endpoint where the JWT can be extracted
Possible values: non-empty
and <= 200 characters
the issuer of the JWT (for validation)
Possible values: non-empty
and <= 200 characters
the endpoint to the key (JWK) which is used to sign the JWT with
Possible values: non-empty
and <= 200 characters
the name of the header where the JWT is sent in, default is authorization
userLinks
object[]
the id of the user
the id of the identity provider
the name of the identity provider
the id of the user provided by the identity provider
the id of the identity provider
Possible values: [IDP_TYPE_UNSPECIFIED
, IDP_TYPE_OIDC
, IDP_TYPE_JWT
]
Default value: IDP_TYPE_UNSPECIFIED
the authorization framework of the identity provider
domains
object[]
details
object
on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the first event of the object
on create: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the last event reduced by the projection
on manipulation: the
defines if the domain is verified
defines if the domain is the primary domain
Possible values: [DOMAIN_VALIDATION_TYPE_UNSPECIFIED
, DOMAIN_VALIDATION_TYPE_HTTP
, DOMAIN_VALIDATION_TYPE_DNS
]
Default value: DOMAIN_VALIDATION_TYPE_UNSPECIFIED
defines the protocol the domain was validated with
appKeys
object[]
Possible values: [KEY_TYPE_UNSPECIFIED
, KEY_TYPE_JSON
]
Default value: KEY_TYPE_UNSPECIFIED
machineKeys
object[]
Possible values: [KEY_TYPE_UNSPECIFIED
, KEY_TYPE_JSON
]
Default value: KEY_TYPE_UNSPECIFIED
verifySmsOtpMessages
object[]
Possible values: <= 800 characters
verifyEmailOtpMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
inviteUserMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 500 characters
dataOrgsv1
object
orgs
object[]
org
object
Possible values: non-empty
and <= 200 characters
iamPolicy
object
Possible values: non-empty
and <= 200 characters
the username has to end with the domain of its organization
labelPolicy
object
Possible values: <= 50 characters
Represents a color scheme
hides the org suffix on the login form if the scope "urn:zitadel:iam:org:domain:primary:{domainname}" is set
Possible values: <= 50 characters
hex value for warn color
Possible values: <= 50 characters
hex value for background color
Possible values: <= 50 characters
hex value for font color
Possible values: <= 50 characters
hex value for the primary color dark theme
Possible values: <= 50 characters
hex value for background color dark theme
Possible values: <= 50 characters
hex value for warning color dark theme
Possible values: <= 50 characters
hex value for font color dark theme
Possible values: [THEME_MODE_UNSPECIFIED
, THEME_MODE_AUTO
, THEME_MODE_DARK
, THEME_MODE_LIGHT
]
Default value: THEME_MODE_UNSPECIFIED
setting if there should be a restriction on which themes are available
lockoutPolicy
object
When the user has reached the maximum password attempts the account will be locked, If this is set to 0 the lockout will not trigger.
Maximum failed attempts for a single OTP type (TOTP, SMS, Email) before the account gets locked. Attempts are reset as soon as the OTP is entered correctly. If set to 0 the account will never be locked.
loginPolicy
object
Possible values: [PASSWORDLESS_TYPE_NOT_ALLOWED
, PASSWORDLESS_TYPE_ALLOWED
]
Default value: PASSWORDLESS_TYPE_NOT_ALLOWED
defines if unknown username on login screen directly returns an error or always displays the password screen
defines where the user will be redirected to if the login is started without app context (e.g. from mail)
Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED
, SECOND_FACTOR_TYPE_OTP
, SECOND_FACTOR_TYPE_U2F
, SECOND_FACTOR_TYPE_OTP_EMAIL
, SECOND_FACTOR_TYPE_OTP_SMS
]
Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED
, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION
]
idps
object[]
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED
, IDP_OWNER_TYPE_SYSTEM
, IDP_OWNER_TYPE_ORG
]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.
If set to true, the suffix (@domain.com) of an unknown username input on the login screen will be matched against the org domains and will redirect to the registration of that organization on success.
defines if the user can additionally (to the login name) be identified by their verified email address
defines if the user can additionally (to the login name) be identified by their verified phone number
if activated, only local authenticated users are forced to use MFA. Authentication through IDPs won't prompt a MFA step in the login.
passwordComplexityPolicy
object
Defines if the password MUST contain an upper case letter
Defines if the password MUST contain a lowercase letter
Defines if the password MUST contain a number
Defines if the password MUST contain a symbol. E.g. "$"
privacyPolicy
object
If registration is enabled, the user has to accept the TOS. Variable {{.Lang}} can be set to have different links based on the language.
If registration is enabled, the user has to accept the privacy terms. Variable {{.Lang}} can be set to have different links based on the language.
Variable {{.Lang}} can be set to have different links based on the language.
help / support email address.
Link to documentation to be shown in the console.
Link to an external resource that will be available to users in the console.
The button text that would be shown in console pointing to custom link.
projects
object[]
project
object
Possible values: non-empty
and <= 200 characters
Enable this setting to have role information included in the user info endpoint. It is also dependent on your application settings to include it in tokens and other types.
When enabled ZITADEL will check if a user has a role of this project assigned when login into an application of this project.
When enabled ZITADEL will check if the organization of the user, that is trying to log in, has a grant to this project.
Possible values: [PRIVATE_LABELING_SETTING_UNSPECIFIED
, PRIVATE_LABELING_SETTING_ENFORCE_PROJECT_RESOURCE_OWNER_POLICY
, PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY
]
Default value: PRIVATE_LABELING_SETTING_UNSPECIFIED
Define which private labeling/branding should trigger when getting to a login of this project.
projectRoles
object[]
Possible values: non-empty
and <= 200 characters
The key is the only relevant attribute for ZITADEL regarding the authorization checks.
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
The group is only used for display purposes. That you have better handling, like giving all the roles from a group to a user.
apiApps
object[]
app
object
Possible values: non-empty
and <= 200 characters
Possible values: [API_AUTH_METHOD_TYPE_BASIC
, API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]
Default value: API_AUTH_METHOD_TYPE_BASIC
oidcApps
object[]
app
object
Possible values: non-empty
and <= 200 characters
Callback URI of the authorization request where the code or tokens will be sent to
Possible values: [OIDC_RESPONSE_TYPE_CODE
, OIDC_RESPONSE_TYPE_ID_TOKEN
, OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN
]
Determines whether a code, id_token token or just id_token will be returned
Possible values: [OIDC_GRANT_TYPE_AUTHORIZATION_CODE
, OIDC_GRANT_TYPE_IMPLICIT
, OIDC_GRANT_TYPE_REFRESH_TOKEN
, OIDC_GRANT_TYPE_DEVICE_CODE
, OIDC_GRANT_TYPE_TOKEN_EXCHANGE
]
The flow type the application uses to gain access
Possible values: [OIDC_APP_TYPE_WEB
, OIDC_APP_TYPE_USER_AGENT
, OIDC_APP_TYPE_NATIVE
]
Default value: OIDC_APP_TYPE_WEB
Determines the paradigm of the application
Possible values: [OIDC_AUTH_METHOD_TYPE_BASIC
, OIDC_AUTH_METHOD_TYPE_POST
, OIDC_AUTH_METHOD_TYPE_NONE
, OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]
Default value: OIDC_AUTH_METHOD_TYPE_BASIC
Defines how the application passes login credentials
ZITADEL will redirect to this link after a successful logout
Possible values: [OIDC_VERSION_1_0
]
Default value: OIDC_VERSION_1_0
Used for development, some checks of the OIDC specification will not be checked.
Possible values: [OIDC_TOKEN_TYPE_BEARER
, OIDC_TOKEN_TYPE_JWT
]
Default value: OIDC_TOKEN_TYPE_BEARER
Type of the access token returned from ZITADEL
Adds roles to the claims of the access token (only if type == JWT) even if they are not requested by scopes
Adds roles to the claims of the id token even if they are not requested by scopes
Claims of profile, email, address and phone scopes are added to the id token even if an access token is issued. Attention this violates the OIDC specification
Used to compensate time difference of servers. Duration added to the "exp" claim and subtracted from "iat", "auth_time" and "nbf" claims
Additional origins (other than the redirect_uris) from where the API can be used, provided string has to be an origin (scheme://hostname[:port]) without path, query or fragment
Skip the successful login page on native apps and directly redirect the user to the callback.
ZITADEL will use this URI to notify the application about terminated session according to the OIDC Back-Channel Logout (https://openid.net/specs/openid-connect-backchannel-1_0.html)
humanUsers
object[]
user
object
profile
object
required
Profile includes the basic information of a user, like first name, last name, etc.
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
Possible values: <= 200 characters
Possible values: <= 10 characters
Possible values: [GENDER_UNSPECIFIED
, GENDER_FEMALE
, GENDER_MALE
, GENDER_DIVERSE
]
Default value: GENDER_UNSPECIFIED
email
object
required
Object that contains the email address and a verified flag.
If email verified is set to true, the email will be added as verified and the user doesn't have to verify.
phone
object
Object that contains the number and a verified flag
Possible values: non-empty
and <= 50 characters
mobile phone number of the user. (use global pattern of spec https://tools.ietf.org/html/rfc3966)
hashedPassword
object
Use this to import hashed passwords from another system.
Encoded hash of a password in Modular Crypt Format: https://zitadel.com/docs/concepts/architecture/secrets#hashed-secrets
If this is set to true, the user has to change the password on the next login.
If this is set to true, you will get a link for the passwordless/passkey registration in the response.
idps
object[]
To link your user directly with an external identity provider (Identity brokering)
Possible values: non-empty
and <= 200 characters
The internal ID of the identity provider configured in ZITADEL.
Possible values: non-empty
and <= 200 characters
The id of the user in the external identity provider
Possible values: <= 200 characters
A display name ZITADEL can show on the linked provider.
machineUsers
object[]
user
object
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: <= 500 characters
Possible values: [ACCESS_TOKEN_TYPE_BEARER
, ACCESS_TOKEN_TYPE_JWT
]
Default value: ACCESS_TOKEN_TYPE_BEARER
Possible values: <= 200 characters
optionally set your own id unique for the user.
triggerActions
object[]
Possible values: [FLOW_TYPE_UNSPECIFIED
, FLOW_TYPE_EXTERNAL_AUTHENTICATION
]
Default value: FLOW_TYPE_UNSPECIFIED
Possible values: [TRIGGER_TYPE_UNSPECIFIED
, TRIGGER_TYPE_POST_AUTHENTICATION
, TRIGGER_TYPE_PRE_CREATION
, TRIGGER_TYPE_POST_CREATION
]
Default value: TRIGGER_TYPE_UNSPECIFIED
actions
object[]
action
object
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 10000 characters
Javascript code that should be executed
after which time the action will be terminated if not finished
when true, the next action will be called even if this action fails
projectGrants
object[]
projectGrant
object
userGrants
object[]
Possible values: non-empty
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
Make sure to fill in the project grant id if the user grant is for a granted project and the organization is not the owner of the project.
orgMembers
object[]
If no roles are provided the user won't have any rights
projectMembers
object[]
If no roles are provided the user won't have any rights
projectGrantMembers
object[]
Possible values: non-empty
and <= 200 characters
If no roles are provided the user won't have any rights
userMetadata
object[]
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 500000 characters
The value has to be base64 encoded.
loginTexts
object[]
selectAccountText
object
loginText
object
passwordText
object
usernameChangeText
object
usernameChangeDoneText
object
initPasswordText
object
initPasswordDoneText
object
emailVerificationText
object
emailVerificationDoneText
object
initializeUserText
object
initializeDoneText
object
initMfaPromptText
object
initMfaOtpText
object
initMfaU2fText
object
initMfaDoneText
object
mfaProvidersText
object
verifyMfaOtpText
object
verifyMfaU2fText
object
passwordlessText
object
passwordChangeText
object
passwordChangeDoneText
object
passwordResetDoneText
object
registrationOptionText
object
registrationUserText
object
registrationOrgText
object
linkingUserDoneText
object
externalUserNotFoundText
object
successLoginText
object
logoutText
object
footerText
object
passwordlessPromptText
object
passwordlessRegistrationText
object
passwordlessRegistrationDoneText
object
externalRegistrationUserOverviewText
object
linkingUserPromptText
object
initMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
passwordResetMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
verifyEmailMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
verifyPhoneMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 800 characters
Possible values: <= 1000 characters
domainClaimedMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
passwordlessRegistrationMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 500 characters
oidcIdps
object[]
idp
object
Possible values: non-empty
and <= 200 characters
Possible values: [STYLING_TYPE_UNSPECIFIED
, STYLING_TYPE_GOOGLE
]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
Possible values: non-empty
and <= 200 characters
client id generated by the identity provider
Possible values: non-empty
and <= 200 characters
client secret generated by the identity provider
the OIDC issuer of the identity provider
the scopes requested by ZITADEL during the request on the identity provider
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED
, OIDC_MAPPING_FIELD_PREFERRED_USERNAME
, OIDC_MAPPING_FIELD_EMAIL
]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the display name of the user
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED
, OIDC_MAPPING_FIELD_PREFERRED_USERNAME
, OIDC_MAPPING_FIELD_EMAIL
]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the email of the user
jwtIdps
object[]
idp
object
Possible values: non-empty
and <= 200 characters
Possible values: [STYLING_TYPE_UNSPECIFIED
, STYLING_TYPE_GOOGLE
]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
Possible values: non-empty
and <= 200 characters
the endpoint where the JWT can be extracted
Possible values: non-empty
and <= 200 characters
the issuer of the JWT (for validation)
Possible values: non-empty
and <= 200 characters
the endpoint to the key (JWK) which is used to sign the JWT with
Possible values: non-empty
and <= 200 characters
the name of the header where the JWT is sent in, default is authorization
secondFactors
object[]
Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED
, SECOND_FACTOR_TYPE_OTP
, SECOND_FACTOR_TYPE_U2F
, SECOND_FACTOR_TYPE_OTP_EMAIL
, SECOND_FACTOR_TYPE_OTP_SMS
]
Default value: SECOND_FACTOR_TYPE_UNSPECIFIED
multiFactors
object[]
Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED
, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION
]
Default value: MULTI_FACTOR_TYPE_UNSPECIFIED
idps
object[]
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED
, IDP_OWNER_TYPE_SYSTEM
, IDP_OWNER_TYPE_ORG
]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.
userLinks
object[]
the id of the user
the id of the identity provider
the name of the identity provider
the id of the user provided by the identity provider
the id of the identity provider
Possible values: [IDP_TYPE_UNSPECIFIED
, IDP_TYPE_OIDC
, IDP_TYPE_JWT
]
Default value: IDP_TYPE_UNSPECIFIED
the authorization framework of the identity provider
domains
object[]
details
object
on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the first event of the object
on create: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the last event reduced by the projection
on manipulation: the
defines if the domain is verified
defines if the domain is the primary domain
Possible values: [DOMAIN_VALIDATION_TYPE_UNSPECIFIED
, DOMAIN_VALIDATION_TYPE_HTTP
, DOMAIN_VALIDATION_TYPE_DNS
]
Default value: DOMAIN_VALIDATION_TYPE_UNSPECIFIED
defines the protocol the domain was validated with
appKeys
object[]
Possible values: [KEY_TYPE_UNSPECIFIED
, KEY_TYPE_JSON
]
Default value: KEY_TYPE_UNSPECIFIED
machineKeys
object[]
Possible values: [KEY_TYPE_UNSPECIFIED
, KEY_TYPE_JSON
]
Default value: KEY_TYPE_UNSPECIFIED
inviteUserMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 500 characters
dataOrgsLocal
object
dataOrgsv1Local
object
dataOrgsS3
object
dataOrgsv1S3
object
dataOrgsGcs
object
dataOrgsv1Gcs
object
Body
required
Array [
Array [
- IDP_OWNER_TYPE_SYSTEM: system is managed by the ZITADEL administrators
- IDP_OWNER_TYPE_ORG: org is managed by de organization administrators
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
Array [
]
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
]
Array [
Array [
- IDP_OWNER_TYPE_SYSTEM: system is managed by the ZITADEL administrators
- IDP_OWNER_TYPE_ORG: org is managed by de organization administrators
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
Array [
]
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
- IDP_OWNER_TYPE_SYSTEM: system is managed by the ZITADEL administrators
- IDP_OWNER_TYPE_ORG: org is managed by de organization administrators
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
]
dataOrgs
object
orgs
object[]
org
object
Possible values: non-empty
and <= 200 characters
domainPolicy
object
Possible values: non-empty
and <= 200 characters
the username has to end with the domain of its organization
defines if organization domains should be validated org count as validated automatically
defines if the SMTP sender address domain should match an existing domain on the instance
labelPolicy
object
Possible values: <= 50 characters
Represents a color scheme
hides the org suffix on the login form if the scope "urn:zitadel:iam:org:domain:primary:{domainname}" is set
Possible values: <= 50 characters
hex value for warn color
Possible values: <= 50 characters
hex value for background color
Possible values: <= 50 characters
hex value for font color
Possible values: <= 50 characters
hex value for the primary color dark theme
Possible values: <= 50 characters
hex value for background color dark theme
Possible values: <= 50 characters
hex value for warning color dark theme
Possible values: <= 50 characters
hex value for font color dark theme
Possible values: [THEME_MODE_UNSPECIFIED
, THEME_MODE_AUTO
, THEME_MODE_DARK
, THEME_MODE_LIGHT
]
Default value: THEME_MODE_UNSPECIFIED
setting if there should be a restriction on which themes are available
lockoutPolicy
object
When the user has reached the maximum password attempts the account will be locked, If this is set to 0 the lockout will not trigger.
Maximum failed attempts for a single OTP type (TOTP, SMS, Email) before the account gets locked. Attempts are reset as soon as the OTP is entered correctly. If set to 0 the account will never be locked.
loginPolicy
object
Possible values: [PASSWORDLESS_TYPE_NOT_ALLOWED
, PASSWORDLESS_TYPE_ALLOWED
]
Default value: PASSWORDLESS_TYPE_NOT_ALLOWED
defines if unknown username on login screen directly returns an error or always displays the password screen
defines where the user will be redirected to if the login is started without app context (e.g. from mail)
Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED
, SECOND_FACTOR_TYPE_OTP
, SECOND_FACTOR_TYPE_U2F
, SECOND_FACTOR_TYPE_OTP_EMAIL
, SECOND_FACTOR_TYPE_OTP_SMS
]
Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED
, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION
]
idps
object[]
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED
, IDP_OWNER_TYPE_SYSTEM
, IDP_OWNER_TYPE_ORG
]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.
If set to true, the suffix (@domain.com) of an unknown username input on the login screen will be matched against the org domains and will redirect to the registration of that organization on success.
defines if the user can additionally (to the login name) be identified by their verified email address
defines if the user can additionally (to the login name) be identified by their verified phone number
if activated, only local authenticated users are forced to use MFA. Authentication through IDPs won't prompt a MFA step in the login.
passwordComplexityPolicy
object
Defines if the password MUST contain an upper case letter
Defines if the password MUST contain a lowercase letter
Defines if the password MUST contain a number
Defines if the password MUST contain a symbol. E.g. "$"
privacyPolicy
object
If registration is enabled, the user has to accept the TOS. Variable {{.Lang}} can be set to have different links based on the language.
If registration is enabled, the user has to accept the privacy terms. Variable {{.Lang}} can be set to have different links based on the language.
Variable {{.Lang}} can be set to have different links based on the language.
help / support email address.
Link to documentation to be shown in the console.
Link to an external resource that will be available to users in the console.
The button text that would be shown in console pointing to custom link.
projects
object[]
project
object
Possible values: non-empty
and <= 200 characters
Enable this setting to have role information included in the user info endpoint. It is also dependent on your application settings to include it in tokens and other types.
When enabled ZITADEL will check if a user has a role of this project assigned when login into an application of this project.
When enabled ZITADEL will check if the organization of the user, that is trying to log in, has a grant to this project.
Possible values: [PRIVATE_LABELING_SETTING_UNSPECIFIED
, PRIVATE_LABELING_SETTING_ENFORCE_PROJECT_RESOURCE_OWNER_POLICY
, PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY
]
Default value: PRIVATE_LABELING_SETTING_UNSPECIFIED
Define which private labeling/branding should trigger when getting to a login of this project.
projectRoles
object[]
Possible values: non-empty
and <= 200 characters
The key is the only relevant attribute for ZITADEL regarding the authorization checks.
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
The group is only used for display purposes. That you have better handling, like giving all the roles from a group to a user.
apiApps
object[]
app
object
Possible values: non-empty
and <= 200 characters
Possible values: [API_AUTH_METHOD_TYPE_BASIC
, API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]
Default value: API_AUTH_METHOD_TYPE_BASIC
oidcApps
object[]
app
object
Possible values: non-empty
and <= 200 characters
Callback URI of the authorization request where the code or tokens will be sent to
Possible values: [OIDC_RESPONSE_TYPE_CODE
, OIDC_RESPONSE_TYPE_ID_TOKEN
, OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN
]
Determines whether a code, id_token token or just id_token will be returned
Possible values: [OIDC_GRANT_TYPE_AUTHORIZATION_CODE
, OIDC_GRANT_TYPE_IMPLICIT
, OIDC_GRANT_TYPE_REFRESH_TOKEN
, OIDC_GRANT_TYPE_DEVICE_CODE
, OIDC_GRANT_TYPE_TOKEN_EXCHANGE
]
The flow type the application uses to gain access
Possible values: [OIDC_APP_TYPE_WEB
, OIDC_APP_TYPE_USER_AGENT
, OIDC_APP_TYPE_NATIVE
]
Default value: OIDC_APP_TYPE_WEB
Determines the paradigm of the application
Possible values: [OIDC_AUTH_METHOD_TYPE_BASIC
, OIDC_AUTH_METHOD_TYPE_POST
, OIDC_AUTH_METHOD_TYPE_NONE
, OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]
Default value: OIDC_AUTH_METHOD_TYPE_BASIC
Defines how the application passes login credentials
ZITADEL will redirect to this link after a successful logout
Possible values: [OIDC_VERSION_1_0
]
Default value: OIDC_VERSION_1_0
Used for development, some checks of the OIDC specification will not be checked.
Possible values: [OIDC_TOKEN_TYPE_BEARER
, OIDC_TOKEN_TYPE_JWT
]
Default value: OIDC_TOKEN_TYPE_BEARER
Type of the access token returned from ZITADEL
Adds roles to the claims of the access token (only if type == JWT) even if they are not requested by scopes
Adds roles to the claims of the id token even if they are not requested by scopes
Claims of profile, email, address and phone scopes are added to the id token even if an access token is issued. Attention this violates the OIDC specification
Used to compensate time difference of servers. Duration added to the "exp" claim and subtracted from "iat", "auth_time" and "nbf" claims
Additional origins (other than the redirect_uris) from where the API can be used, provided string has to be an origin (scheme://hostname[:port]) without path, query or fragment
Skip the successful login page on native apps and directly redirect the user to the callback.
ZITADEL will use this URI to notify the application about terminated session according to the OIDC Back-Channel Logout (https://openid.net/specs/openid-connect-backchannel-1_0.html)
humanUsers
object[]
user
object
profile
object
required
Profile includes the basic information of a user, like first name, last name, etc.
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
Possible values: <= 200 characters
Possible values: <= 10 characters
Possible values: [GENDER_UNSPECIFIED
, GENDER_FEMALE
, GENDER_MALE
, GENDER_DIVERSE
]
Default value: GENDER_UNSPECIFIED
email
object
required
Object that contains the email address and a verified flag.
If email verified is set to true, the email will be added as verified and the user doesn't have to verify.
phone
object
Object that contains the number and a verified flag
Possible values: non-empty
and <= 50 characters
mobile phone number of the user. (use global pattern of spec https://tools.ietf.org/html/rfc3966)
hashedPassword
object
Use this to import hashed passwords from another system.
Encoded hash of a password in Modular Crypt Format: https://zitadel.com/docs/concepts/architecture/secrets#hashed-secrets
If this is set to true, the user has to change the password on the next login.
If this is set to true, you will get a link for the passwordless/passkey registration in the response.
idps
object[]
To link your user directly with an external identity provider (Identity brokering)
Possible values: non-empty
and <= 200 characters
The internal ID of the identity provider configured in ZITADEL.
Possible values: non-empty
and <= 200 characters
The id of the user in the external identity provider
Possible values: <= 200 characters
A display name ZITADEL can show on the linked provider.
machineUsers
object[]
user
object
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: <= 500 characters
Possible values: [ACCESS_TOKEN_TYPE_BEARER
, ACCESS_TOKEN_TYPE_JWT
]
Default value: ACCESS_TOKEN_TYPE_BEARER
Possible values: <= 200 characters
optionally set your own id unique for the user.
triggerActions
object[]
actions
object[]
action
object
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 10000 characters
Javascript code that should be executed
after which time the action will be terminated if not finished
when true, the next action will be called even if this action fails
projectGrants
object[]
projectGrant
object
userGrants
object[]
Possible values: non-empty
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
Make sure to fill in the project grant id if the user grant is for a granted project and the organization is not the owner of the project.
orgMembers
object[]
If no roles are provided the user won't have any rights
projectMembers
object[]
If no roles are provided the user won't have any rights
projectGrantMembers
object[]
Possible values: non-empty
and <= 200 characters
If no roles are provided the user won't have any rights
userMetadata
object[]
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 500000 characters
The value has to be base64 encoded.
loginTexts
object[]
selectAccountText
object
loginText
object
passwordText
object
usernameChangeText
object
usernameChangeDoneText
object
initPasswordText
object
initPasswordDoneText
object
emailVerificationText
object
emailVerificationDoneText
object
initializeUserText
object
initializeDoneText
object
initMfaPromptText
object
initMfaOtpText
object
initMfaU2fText
object
initMfaDoneText
object
mfaProvidersText
object
verifyMfaOtpText
object
verifyMfaU2fText
object
passwordlessText
object
passwordChangeText
object
passwordChangeDoneText
object
passwordResetDoneText
object
registrationOptionText
object
registrationUserText
object
registrationOrgText
object
linkingUserDoneText
object
externalUserNotFoundText
object
successLoginText
object
logoutText
object
footerText
object
passwordlessPromptText
object
passwordlessRegistrationText
object
passwordlessRegistrationDoneText
object
externalRegistrationUserOverviewText
object
linkingUserPromptText
object
initMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
passwordResetMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
verifyEmailMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
verifyPhoneMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 800 characters
Possible values: <= 1000 characters
domainClaimedMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
passwordlessRegistrationMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 500 characters
oidcIdps
object[]
idp
object
Possible values: non-empty
and <= 200 characters
Possible values: [STYLING_TYPE_UNSPECIFIED
, STYLING_TYPE_GOOGLE
]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
Possible values: non-empty
and <= 200 characters
client id generated by the identity provider
Possible values: non-empty
and <= 200 characters
client secret generated by the identity provider
the OIDC issuer of the identity provider
the scopes requested by ZITADEL during the request on the identity provider
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED
, OIDC_MAPPING_FIELD_PREFERRED_USERNAME
, OIDC_MAPPING_FIELD_EMAIL
]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the display name of the user
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED
, OIDC_MAPPING_FIELD_PREFERRED_USERNAME
, OIDC_MAPPING_FIELD_EMAIL
]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the email of the user
jwtIdps
object[]
idp
object
Possible values: non-empty
and <= 200 characters
Possible values: [STYLING_TYPE_UNSPECIFIED
, STYLING_TYPE_GOOGLE
]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
Possible values: non-empty
and <= 200 characters
the endpoint where the JWT can be extracted
Possible values: non-empty
and <= 200 characters
the issuer of the JWT (for validation)
Possible values: non-empty
and <= 200 characters
the endpoint to the key (JWK) which is used to sign the JWT with
Possible values: non-empty
and <= 200 characters
the name of the header where the JWT is sent in, default is authorization
userLinks
object[]
the id of the user
the id of the identity provider
the name of the identity provider
the id of the user provided by the identity provider
the id of the identity provider
Possible values: [IDP_TYPE_UNSPECIFIED
, IDP_TYPE_OIDC
, IDP_TYPE_JWT
]
Default value: IDP_TYPE_UNSPECIFIED
the authorization framework of the identity provider
domains
object[]
details
object
on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the first event of the object
on create: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the last event reduced by the projection
on manipulation: the
defines if the domain is verified
defines if the domain is the primary domain
Possible values: [DOMAIN_VALIDATION_TYPE_UNSPECIFIED
, DOMAIN_VALIDATION_TYPE_HTTP
, DOMAIN_VALIDATION_TYPE_DNS
]
Default value: DOMAIN_VALIDATION_TYPE_UNSPECIFIED
defines the protocol the domain was validated with
appKeys
object[]
Possible values: [KEY_TYPE_UNSPECIFIED
, KEY_TYPE_JSON
]
Default value: KEY_TYPE_UNSPECIFIED
machineKeys
object[]
Possible values: [KEY_TYPE_UNSPECIFIED
, KEY_TYPE_JSON
]
Default value: KEY_TYPE_UNSPECIFIED
verifySmsOtpMessages
object[]
Possible values: <= 800 characters
verifyEmailOtpMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
inviteUserMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 500 characters
dataOrgsv1
object
orgs
object[]
org
object
Possible values: non-empty
and <= 200 characters
iamPolicy
object
Possible values: non-empty
and <= 200 characters
the username has to end with the domain of its organization
labelPolicy
object
Possible values: <= 50 characters
Represents a color scheme
hides the org suffix on the login form if the scope "urn:zitadel:iam:org:domain:primary:{domainname}" is set
Possible values: <= 50 characters
hex value for warn color
Possible values: <= 50 characters
hex value for background color
Possible values: <= 50 characters
hex value for font color
Possible values: <= 50 characters
hex value for the primary color dark theme
Possible values: <= 50 characters
hex value for background color dark theme
Possible values: <= 50 characters
hex value for warning color dark theme
Possible values: <= 50 characters
hex value for font color dark theme
Possible values: [THEME_MODE_UNSPECIFIED
, THEME_MODE_AUTO
, THEME_MODE_DARK
, THEME_MODE_LIGHT
]
Default value: THEME_MODE_UNSPECIFIED
setting if there should be a restriction on which themes are available
lockoutPolicy
object
When the user has reached the maximum password attempts the account will be locked, If this is set to 0 the lockout will not trigger.
Maximum failed attempts for a single OTP type (TOTP, SMS, Email) before the account gets locked. Attempts are reset as soon as the OTP is entered correctly. If set to 0 the account will never be locked.
loginPolicy
object
Possible values: [PASSWORDLESS_TYPE_NOT_ALLOWED
, PASSWORDLESS_TYPE_ALLOWED
]
Default value: PASSWORDLESS_TYPE_NOT_ALLOWED
defines if unknown username on login screen directly returns an error or always displays the password screen
defines where the user will be redirected to if the login is started without app context (e.g. from mail)
Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED
, SECOND_FACTOR_TYPE_OTP
, SECOND_FACTOR_TYPE_U2F
, SECOND_FACTOR_TYPE_OTP_EMAIL
, SECOND_FACTOR_TYPE_OTP_SMS
]
Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED
, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION
]
idps
object[]
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED
, IDP_OWNER_TYPE_SYSTEM
, IDP_OWNER_TYPE_ORG
]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.
If set to true, the suffix (@domain.com) of an unknown username input on the login screen will be matched against the org domains and will redirect to the registration of that organization on success.
defines if the user can additionally (to the login name) be identified by their verified email address
defines if the user can additionally (to the login name) be identified by their verified phone number
if activated, only local authenticated users are forced to use MFA. Authentication through IDPs won't prompt a MFA step in the login.
passwordComplexityPolicy
object
Defines if the password MUST contain an upper case letter
Defines if the password MUST contain a lowercase letter
Defines if the password MUST contain a number
Defines if the password MUST contain a symbol. E.g. "$"
privacyPolicy
object
If registration is enabled, the user has to accept the TOS. Variable {{.Lang}} can be set to have different links based on the language.
If registration is enabled, the user has to accept the privacy terms. Variable {{.Lang}} can be set to have different links based on the language.
Variable {{.Lang}} can be set to have different links based on the language.
help / support email address.
Link to documentation to be shown in the console.
Link to an external resource that will be available to users in the console.
The button text that would be shown in console pointing to custom link.
projects
object[]
project
object
Possible values: non-empty
and <= 200 characters
Enable this setting to have role information included in the user info endpoint. It is also dependent on your application settings to include it in tokens and other types.
When enabled ZITADEL will check if a user has a role of this project assigned when login into an application of this project.
When enabled ZITADEL will check if the organization of the user, that is trying to log in, has a grant to this project.
Possible values: [PRIVATE_LABELING_SETTING_UNSPECIFIED
, PRIVATE_LABELING_SETTING_ENFORCE_PROJECT_RESOURCE_OWNER_POLICY
, PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY
]
Default value: PRIVATE_LABELING_SETTING_UNSPECIFIED
Define which private labeling/branding should trigger when getting to a login of this project.
projectRoles
object[]
Possible values: non-empty
and <= 200 characters
The key is the only relevant attribute for ZITADEL regarding the authorization checks.
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
The group is only used for display purposes. That you have better handling, like giving all the roles from a group to a user.
apiApps
object[]
app
object
Possible values: non-empty
and <= 200 characters
Possible values: [API_AUTH_METHOD_TYPE_BASIC
, API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]
Default value: API_AUTH_METHOD_TYPE_BASIC
oidcApps
object[]
app
object
Possible values: non-empty
and <= 200 characters
Callback URI of the authorization request where the code or tokens will be sent to
Possible values: [OIDC_RESPONSE_TYPE_CODE
, OIDC_RESPONSE_TYPE_ID_TOKEN
, OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN
]
Determines whether a code, id_token token or just id_token will be returned
Possible values: [OIDC_GRANT_TYPE_AUTHORIZATION_CODE
, OIDC_GRANT_TYPE_IMPLICIT
, OIDC_GRANT_TYPE_REFRESH_TOKEN
, OIDC_GRANT_TYPE_DEVICE_CODE
, OIDC_GRANT_TYPE_TOKEN_EXCHANGE
]
The flow type the application uses to gain access
Possible values: [OIDC_APP_TYPE_WEB
, OIDC_APP_TYPE_USER_AGENT
, OIDC_APP_TYPE_NATIVE
]
Default value: OIDC_APP_TYPE_WEB
Determines the paradigm of the application
Possible values: [OIDC_AUTH_METHOD_TYPE_BASIC
, OIDC_AUTH_METHOD_TYPE_POST
, OIDC_AUTH_METHOD_TYPE_NONE
, OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]
Default value: OIDC_AUTH_METHOD_TYPE_BASIC
Defines how the application passes login credentials
ZITADEL will redirect to this link after a successful logout
Possible values: [OIDC_VERSION_1_0
]
Default value: OIDC_VERSION_1_0
Used for development, some checks of the OIDC specification will not be checked.
Possible values: [OIDC_TOKEN_TYPE_BEARER
, OIDC_TOKEN_TYPE_JWT
]
Default value: OIDC_TOKEN_TYPE_BEARER
Type of the access token returned from ZITADEL
Adds roles to the claims of the access token (only if type == JWT) even if they are not requested by scopes
Adds roles to the claims of the id token even if they are not requested by scopes
Claims of profile, email, address and phone scopes are added to the id token even if an access token is issued. Attention this violates the OIDC specification
Used to compensate time difference of servers. Duration added to the "exp" claim and subtracted from "iat", "auth_time" and "nbf" claims
Additional origins (other than the redirect_uris) from where the API can be used, provided string has to be an origin (scheme://hostname[:port]) without path, query or fragment
Skip the successful login page on native apps and directly redirect the user to the callback.
ZITADEL will use this URI to notify the application about terminated session according to the OIDC Back-Channel Logout (https://openid.net/specs/openid-connect-backchannel-1_0.html)
humanUsers
object[]
user
object
profile
object
required
Profile includes the basic information of a user, like first name, last name, etc.
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
Possible values: <= 200 characters
Possible values: <= 10 characters
Possible values: [GENDER_UNSPECIFIED
, GENDER_FEMALE
, GENDER_MALE
, GENDER_DIVERSE
]
Default value: GENDER_UNSPECIFIED
email
object
required
Object that contains the email address and a verified flag.
If email verified is set to true, the email will be added as verified and the user doesn't have to verify.
phone
object
Object that contains the number and a verified flag
Possible values: non-empty
and <= 50 characters
mobile phone number of the user. (use global pattern of spec https://tools.ietf.org/html/rfc3966)
hashedPassword
object
Use this to import hashed passwords from another system.
Encoded hash of a password in Modular Crypt Format: https://zitadel.com/docs/concepts/architecture/secrets#hashed-secrets
If this is set to true, the user has to change the password on the next login.
If this is set to true, you will get a link for the passwordless/passkey registration in the response.
idps
object[]
To link your user directly with an external identity provider (Identity brokering)
Possible values: non-empty
and <= 200 characters
The internal ID of the identity provider configured in ZITADEL.
Possible values: non-empty
and <= 200 characters
The id of the user in the external identity provider
Possible values: <= 200 characters
A display name ZITADEL can show on the linked provider.
machineUsers
object[]
user
object
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: <= 500 characters
Possible values: [ACCESS_TOKEN_TYPE_BEARER
, ACCESS_TOKEN_TYPE_JWT
]
Default value: ACCESS_TOKEN_TYPE_BEARER
Possible values: <= 200 characters
optionally set your own id unique for the user.
triggerActions
object[]
Possible values: [FLOW_TYPE_UNSPECIFIED
, FLOW_TYPE_EXTERNAL_AUTHENTICATION
]
Default value: FLOW_TYPE_UNSPECIFIED
Possible values: [TRIGGER_TYPE_UNSPECIFIED
, TRIGGER_TYPE_POST_AUTHENTICATION
, TRIGGER_TYPE_PRE_CREATION
, TRIGGER_TYPE_POST_CREATION
]
Default value: TRIGGER_TYPE_UNSPECIFIED
actions
object[]
action
object
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 10000 characters
Javascript code that should be executed
after which time the action will be terminated if not finished
when true, the next action will be called even if this action fails
projectGrants
object[]
projectGrant
object
userGrants
object[]
Possible values: non-empty
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
Make sure to fill in the project grant id if the user grant is for a granted project and the organization is not the owner of the project.
orgMembers
object[]
If no roles are provided the user won't have any rights
projectMembers
object[]
If no roles are provided the user won't have any rights
projectGrantMembers
object[]
Possible values: non-empty
and <= 200 characters
If no roles are provided the user won't have any rights
userMetadata
object[]
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 500000 characters
The value has to be base64 encoded.
loginTexts
object[]
selectAccountText
object
loginText
object
passwordText
object
usernameChangeText
object
usernameChangeDoneText
object
initPasswordText
object
initPasswordDoneText
object
emailVerificationText
object
emailVerificationDoneText
object
initializeUserText
object
initializeDoneText
object
initMfaPromptText
object
initMfaOtpText
object
initMfaU2fText
object
initMfaDoneText
object
mfaProvidersText
object
verifyMfaOtpText
object
verifyMfaU2fText
object
passwordlessText
object
passwordChangeText
object
passwordChangeDoneText
object
passwordResetDoneText
object
registrationOptionText
object
registrationUserText
object
registrationOrgText
object
linkingUserDoneText
object
externalUserNotFoundText
object
successLoginText
object
logoutText
object
footerText
object
passwordlessPromptText
object
passwordlessRegistrationText
object
passwordlessRegistrationDoneText
object
externalRegistrationUserOverviewText
object
linkingUserPromptText
object
initMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
passwordResetMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
verifyEmailMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
verifyPhoneMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 800 characters
Possible values: <= 1000 characters
domainClaimedMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
passwordlessRegistrationMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 500 characters
oidcIdps
object[]
idp
object
Possible values: non-empty
and <= 200 characters
Possible values: [STYLING_TYPE_UNSPECIFIED
, STYLING_TYPE_GOOGLE
]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
Possible values: non-empty
and <= 200 characters
client id generated by the identity provider
Possible values: non-empty
and <= 200 characters
client secret generated by the identity provider
the OIDC issuer of the identity provider
the scopes requested by ZITADEL during the request on the identity provider
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED
, OIDC_MAPPING_FIELD_PREFERRED_USERNAME
, OIDC_MAPPING_FIELD_EMAIL
]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the display name of the user
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED
, OIDC_MAPPING_FIELD_PREFERRED_USERNAME
, OIDC_MAPPING_FIELD_EMAIL
]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the email of the user
jwtIdps
object[]
idp
object
Possible values: non-empty
and <= 200 characters
Possible values: [STYLING_TYPE_UNSPECIFIED
, STYLING_TYPE_GOOGLE
]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
Possible values: non-empty
and <= 200 characters
the endpoint where the JWT can be extracted
Possible values: non-empty
and <= 200 characters
the issuer of the JWT (for validation)
Possible values: non-empty
and <= 200 characters
the endpoint to the key (JWK) which is used to sign the JWT with
Possible values: non-empty
and <= 200 characters
the name of the header where the JWT is sent in, default is authorization
secondFactors
object[]
Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED
, SECOND_FACTOR_TYPE_OTP
, SECOND_FACTOR_TYPE_U2F
, SECOND_FACTOR_TYPE_OTP_EMAIL
, SECOND_FACTOR_TYPE_OTP_SMS
]
Default value: SECOND_FACTOR_TYPE_UNSPECIFIED
multiFactors
object[]
Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED
, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION
]
Default value: MULTI_FACTOR_TYPE_UNSPECIFIED
idps
object[]
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED
, IDP_OWNER_TYPE_SYSTEM
, IDP_OWNER_TYPE_ORG
]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.
userLinks
object[]
the id of the user
the id of the identity provider
the name of the identity provider
the id of the user provided by the identity provider
the id of the identity provider
Possible values: [IDP_TYPE_UNSPECIFIED
, IDP_TYPE_OIDC
, IDP_TYPE_JWT
]
Default value: IDP_TYPE_UNSPECIFIED
the authorization framework of the identity provider
domains
object[]
details
object
on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the first event of the object
on create: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the last event reduced by the projection
on manipulation: the
defines if the domain is verified
defines if the domain is the primary domain
Possible values: [DOMAIN_VALIDATION_TYPE_UNSPECIFIED
, DOMAIN_VALIDATION_TYPE_HTTP
, DOMAIN_VALIDATION_TYPE_DNS
]
Default value: DOMAIN_VALIDATION_TYPE_UNSPECIFIED
defines the protocol the domain was validated with
appKeys
object[]
Possible values: [KEY_TYPE_UNSPECIFIED
, KEY_TYPE_JSON
]
Default value: KEY_TYPE_UNSPECIFIED
machineKeys
object[]
Possible values: [KEY_TYPE_UNSPECIFIED
, KEY_TYPE_JSON
]
Default value: KEY_TYPE_UNSPECIFIED
inviteUserMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 500 characters
dataOrgsLocal
object
dataOrgsv1Local
object
dataOrgsS3
object
dataOrgsv1S3
object
dataOrgsGcs
object
dataOrgsv1Gcs
object
Body
required
Array [
Array [
- IDP_OWNER_TYPE_SYSTEM: system is managed by the ZITADEL administrators
- IDP_OWNER_TYPE_ORG: org is managed by de organization administrators
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
Array [
]
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
]
Array [
Array [
- IDP_OWNER_TYPE_SYSTEM: system is managed by the ZITADEL administrators
- IDP_OWNER_TYPE_ORG: org is managed by de organization administrators
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
Array [
]
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
- IDP_OWNER_TYPE_SYSTEM: system is managed by the ZITADEL administrators
- IDP_OWNER_TYPE_ORG: org is managed by de organization administrators
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
]
dataOrgs
object
orgs
object[]
org
object
Possible values: non-empty
and <= 200 characters
domainPolicy
object
Possible values: non-empty
and <= 200 characters
the username has to end with the domain of its organization
defines if organization domains should be validated org count as validated automatically
defines if the SMTP sender address domain should match an existing domain on the instance
labelPolicy
object
Possible values: <= 50 characters
Represents a color scheme
hides the org suffix on the login form if the scope "urn:zitadel:iam:org:domain:primary:{domainname}" is set
Possible values: <= 50 characters
hex value for warn color
Possible values: <= 50 characters
hex value for background color
Possible values: <= 50 characters
hex value for font color
Possible values: <= 50 characters
hex value for the primary color dark theme
Possible values: <= 50 characters
hex value for background color dark theme
Possible values: <= 50 characters
hex value for warning color dark theme
Possible values: <= 50 characters
hex value for font color dark theme
Possible values: [THEME_MODE_UNSPECIFIED
, THEME_MODE_AUTO
, THEME_MODE_DARK
, THEME_MODE_LIGHT
]
Default value: THEME_MODE_UNSPECIFIED
setting if there should be a restriction on which themes are available
lockoutPolicy
object
When the user has reached the maximum password attempts the account will be locked, If this is set to 0 the lockout will not trigger.
Maximum failed attempts for a single OTP type (TOTP, SMS, Email) before the account gets locked. Attempts are reset as soon as the OTP is entered correctly. If set to 0 the account will never be locked.
loginPolicy
object
Possible values: [PASSWORDLESS_TYPE_NOT_ALLOWED
, PASSWORDLESS_TYPE_ALLOWED
]
Default value: PASSWORDLESS_TYPE_NOT_ALLOWED
defines if unknown username on login screen directly returns an error or always displays the password screen
defines where the user will be redirected to if the login is started without app context (e.g. from mail)
Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED
, SECOND_FACTOR_TYPE_OTP
, SECOND_FACTOR_TYPE_U2F
, SECOND_FACTOR_TYPE_OTP_EMAIL
, SECOND_FACTOR_TYPE_OTP_SMS
]
Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED
, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION
]
idps
object[]
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED
, IDP_OWNER_TYPE_SYSTEM
, IDP_OWNER_TYPE_ORG
]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.
If set to true, the suffix (@domain.com) of an unknown username input on the login screen will be matched against the org domains and will redirect to the registration of that organization on success.
defines if the user can additionally (to the login name) be identified by their verified email address
defines if the user can additionally (to the login name) be identified by their verified phone number
if activated, only local authenticated users are forced to use MFA. Authentication through IDPs won't prompt a MFA step in the login.
passwordComplexityPolicy
object
Defines if the password MUST contain an upper case letter
Defines if the password MUST contain a lowercase letter
Defines if the password MUST contain a number
Defines if the password MUST contain a symbol. E.g. "$"
privacyPolicy
object
If registration is enabled, the user has to accept the TOS. Variable {{.Lang}} can be set to have different links based on the language.
If registration is enabled, the user has to accept the privacy terms. Variable {{.Lang}} can be set to have different links based on the language.
Variable {{.Lang}} can be set to have different links based on the language.
help / support email address.
Link to documentation to be shown in the console.
Link to an external resource that will be available to users in the console.
The button text that would be shown in console pointing to custom link.
projects
object[]
project
object
Possible values: non-empty
and <= 200 characters
Enable this setting to have role information included in the user info endpoint. It is also dependent on your application settings to include it in tokens and other types.
When enabled ZITADEL will check if a user has a role of this project assigned when login into an application of this project.
When enabled ZITADEL will check if the organization of the user, that is trying to log in, has a grant to this project.
Possible values: [PRIVATE_LABELING_SETTING_UNSPECIFIED
, PRIVATE_LABELING_SETTING_ENFORCE_PROJECT_RESOURCE_OWNER_POLICY
, PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY
]
Default value: PRIVATE_LABELING_SETTING_UNSPECIFIED
Define which private labeling/branding should trigger when getting to a login of this project.
projectRoles
object[]
Possible values: non-empty
and <= 200 characters
The key is the only relevant attribute for ZITADEL regarding the authorization checks.
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
The group is only used for display purposes. That you have better handling, like giving all the roles from a group to a user.
apiApps
object[]
app
object
Possible values: non-empty
and <= 200 characters
Possible values: [API_AUTH_METHOD_TYPE_BASIC
, API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]
Default value: API_AUTH_METHOD_TYPE_BASIC
oidcApps
object[]
app
object
Possible values: non-empty
and <= 200 characters
Callback URI of the authorization request where the code or tokens will be sent to
Possible values: [OIDC_RESPONSE_TYPE_CODE
, OIDC_RESPONSE_TYPE_ID_TOKEN
, OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN
]
Determines whether a code, id_token token or just id_token will be returned
Possible values: [OIDC_GRANT_TYPE_AUTHORIZATION_CODE
, OIDC_GRANT_TYPE_IMPLICIT
, OIDC_GRANT_TYPE_REFRESH_TOKEN
, OIDC_GRANT_TYPE_DEVICE_CODE
, OIDC_GRANT_TYPE_TOKEN_EXCHANGE
]
The flow type the application uses to gain access
Possible values: [OIDC_APP_TYPE_WEB
, OIDC_APP_TYPE_USER_AGENT
, OIDC_APP_TYPE_NATIVE
]
Default value: OIDC_APP_TYPE_WEB
Determines the paradigm of the application
Possible values: [OIDC_AUTH_METHOD_TYPE_BASIC
, OIDC_AUTH_METHOD_TYPE_POST
, OIDC_AUTH_METHOD_TYPE_NONE
, OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]
Default value: OIDC_AUTH_METHOD_TYPE_BASIC
Defines how the application passes login credentials
ZITADEL will redirect to this link after a successful logout
Possible values: [OIDC_VERSION_1_0
]
Default value: OIDC_VERSION_1_0
Used for development, some checks of the OIDC specification will not be checked.
Possible values: [OIDC_TOKEN_TYPE_BEARER
, OIDC_TOKEN_TYPE_JWT
]
Default value: OIDC_TOKEN_TYPE_BEARER
Type of the access token returned from ZITADEL
Adds roles to the claims of the access token (only if type == JWT) even if they are not requested by scopes
Adds roles to the claims of the id token even if they are not requested by scopes
Claims of profile, email, address and phone scopes are added to the id token even if an access token is issued. Attention this violates the OIDC specification
Used to compensate time difference of servers. Duration added to the "exp" claim and subtracted from "iat", "auth_time" and "nbf" claims
Additional origins (other than the redirect_uris) from where the API can be used, provided string has to be an origin (scheme://hostname[:port]) without path, query or fragment
Skip the successful login page on native apps and directly redirect the user to the callback.
ZITADEL will use this URI to notify the application about terminated session according to the OIDC Back-Channel Logout (https://openid.net/specs/openid-connect-backchannel-1_0.html)
humanUsers
object[]
user
object
profile
object
required
Profile includes the basic information of a user, like first name, last name, etc.
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
Possible values: <= 200 characters
Possible values: <= 10 characters
Possible values: [GENDER_UNSPECIFIED
, GENDER_FEMALE
, GENDER_MALE
, GENDER_DIVERSE
]
Default value: GENDER_UNSPECIFIED
email
object
required
Object that contains the email address and a verified flag.
If email verified is set to true, the email will be added as verified and the user doesn't have to verify.
phone
object
Object that contains the number and a verified flag
Possible values: non-empty
and <= 50 characters
mobile phone number of the user. (use global pattern of spec https://tools.ietf.org/html/rfc3966)
hashedPassword
object
Use this to import hashed passwords from another system.
Encoded hash of a password in Modular Crypt Format: https://zitadel.com/docs/concepts/architecture/secrets#hashed-secrets
If this is set to true, the user has to change the password on the next login.
If this is set to true, you will get a link for the passwordless/passkey registration in the response.
idps
object[]
To link your user directly with an external identity provider (Identity brokering)
Possible values: non-empty
and <= 200 characters
The internal ID of the identity provider configured in ZITADEL.
Possible values: non-empty
and <= 200 characters
The id of the user in the external identity provider
Possible values: <= 200 characters
A display name ZITADEL can show on the linked provider.
machineUsers
object[]
user
object
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: <= 500 characters
Possible values: [ACCESS_TOKEN_TYPE_BEARER
, ACCESS_TOKEN_TYPE_JWT
]
Default value: ACCESS_TOKEN_TYPE_BEARER
Possible values: <= 200 characters
optionally set your own id unique for the user.
triggerActions
object[]
actions
object[]
action
object
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 10000 characters
Javascript code that should be executed
after which time the action will be terminated if not finished
when true, the next action will be called even if this action fails
projectGrants
object[]
projectGrant
object
userGrants
object[]
Possible values: non-empty
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
Make sure to fill in the project grant id if the user grant is for a granted project and the organization is not the owner of the project.
orgMembers
object[]
If no roles are provided the user won't have any rights
projectMembers
object[]
If no roles are provided the user won't have any rights
projectGrantMembers
object[]
Possible values: non-empty
and <= 200 characters
If no roles are provided the user won't have any rights
userMetadata
object[]
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 500000 characters
The value has to be base64 encoded.
loginTexts
object[]
selectAccountText
object
loginText
object
passwordText
object
usernameChangeText
object
usernameChangeDoneText
object
initPasswordText
object
initPasswordDoneText
object
emailVerificationText
object
emailVerificationDoneText
object
initializeUserText
object
initializeDoneText
object
initMfaPromptText
object
initMfaOtpText
object
initMfaU2fText
object
initMfaDoneText
object
mfaProvidersText
object
verifyMfaOtpText
object
verifyMfaU2fText
object
passwordlessText
object
passwordChangeText
object
passwordChangeDoneText
object
passwordResetDoneText
object
registrationOptionText
object
registrationUserText
object
registrationOrgText
object
linkingUserDoneText
object
externalUserNotFoundText
object
successLoginText
object
logoutText
object
footerText
object
passwordlessPromptText
object
passwordlessRegistrationText
object
passwordlessRegistrationDoneText
object
externalRegistrationUserOverviewText
object
linkingUserPromptText
object
initMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
passwordResetMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
verifyEmailMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
verifyPhoneMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 800 characters
Possible values: <= 1000 characters
domainClaimedMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
passwordlessRegistrationMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 500 characters
oidcIdps
object[]
idp
object
Possible values: non-empty
and <= 200 characters
Possible values: [STYLING_TYPE_UNSPECIFIED
, STYLING_TYPE_GOOGLE
]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
Possible values: non-empty
and <= 200 characters
client id generated by the identity provider
Possible values: non-empty
and <= 200 characters
client secret generated by the identity provider
the OIDC issuer of the identity provider
the scopes requested by ZITADEL during the request on the identity provider
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED
, OIDC_MAPPING_FIELD_PREFERRED_USERNAME
, OIDC_MAPPING_FIELD_EMAIL
]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the display name of the user
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED
, OIDC_MAPPING_FIELD_PREFERRED_USERNAME
, OIDC_MAPPING_FIELD_EMAIL
]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the email of the user
jwtIdps
object[]
idp
object
Possible values: non-empty
and <= 200 characters
Possible values: [STYLING_TYPE_UNSPECIFIED
, STYLING_TYPE_GOOGLE
]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
Possible values: non-empty
and <= 200 characters
the endpoint where the JWT can be extracted
Possible values: non-empty
and <= 200 characters
the issuer of the JWT (for validation)
Possible values: non-empty
and <= 200 characters
the endpoint to the key (JWK) which is used to sign the JWT with
Possible values: non-empty
and <= 200 characters
the name of the header where the JWT is sent in, default is authorization
userLinks
object[]
the id of the user
the id of the identity provider
the name of the identity provider
the id of the user provided by the identity provider
the id of the identity provider
Possible values: [IDP_TYPE_UNSPECIFIED
, IDP_TYPE_OIDC
, IDP_TYPE_JWT
]
Default value: IDP_TYPE_UNSPECIFIED
the authorization framework of the identity provider
domains
object[]
details
object
on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the first event of the object
on create: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the last event reduced by the projection
on manipulation: the
defines if the domain is verified
defines if the domain is the primary domain
Possible values: [DOMAIN_VALIDATION_TYPE_UNSPECIFIED
, DOMAIN_VALIDATION_TYPE_HTTP
, DOMAIN_VALIDATION_TYPE_DNS
]
Default value: DOMAIN_VALIDATION_TYPE_UNSPECIFIED
defines the protocol the domain was validated with
appKeys
object[]
Possible values: [KEY_TYPE_UNSPECIFIED
, KEY_TYPE_JSON
]
Default value: KEY_TYPE_UNSPECIFIED
machineKeys
object[]
Possible values: [KEY_TYPE_UNSPECIFIED
, KEY_TYPE_JSON
]
Default value: KEY_TYPE_UNSPECIFIED
verifySmsOtpMessages
object[]
Possible values: <= 800 characters
verifyEmailOtpMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
inviteUserMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 500 characters
dataOrgsv1
object
orgs
object[]
org
object
Possible values: non-empty
and <= 200 characters
iamPolicy
object
Possible values: non-empty
and <= 200 characters
the username has to end with the domain of its organization
labelPolicy
object
Possible values: <= 50 characters
Represents a color scheme
hides the org suffix on the login form if the scope "urn:zitadel:iam:org:domain:primary:{domainname}" is set
Possible values: <= 50 characters
hex value for warn color
Possible values: <= 50 characters
hex value for background color
Possible values: <= 50 characters
hex value for font color
Possible values: <= 50 characters
hex value for the primary color dark theme
Possible values: <= 50 characters
hex value for background color dark theme
Possible values: <= 50 characters
hex value for warning color dark theme
Possible values: <= 50 characters
hex value for font color dark theme
Possible values: [THEME_MODE_UNSPECIFIED
, THEME_MODE_AUTO
, THEME_MODE_DARK
, THEME_MODE_LIGHT
]
Default value: THEME_MODE_UNSPECIFIED
setting if there should be a restriction on which themes are available
lockoutPolicy
object
When the user has reached the maximum password attempts the account will be locked, If this is set to 0 the lockout will not trigger.
Maximum failed attempts for a single OTP type (TOTP, SMS, Email) before the account gets locked. Attempts are reset as soon as the OTP is entered correctly. If set to 0 the account will never be locked.
loginPolicy
object
Possible values: [PASSWORDLESS_TYPE_NOT_ALLOWED
, PASSWORDLESS_TYPE_ALLOWED
]
Default value: PASSWORDLESS_TYPE_NOT_ALLOWED
defines if unknown username on login screen directly returns an error or always displays the password screen
defines where the user will be redirected to if the login is started without app context (e.g. from mail)
Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED
, SECOND_FACTOR_TYPE_OTP
, SECOND_FACTOR_TYPE_U2F
, SECOND_FACTOR_TYPE_OTP_EMAIL
, SECOND_FACTOR_TYPE_OTP_SMS
]
Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED
, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION
]
idps
object[]
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED
, IDP_OWNER_TYPE_SYSTEM
, IDP_OWNER_TYPE_ORG
]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.
If set to true, the suffix (@domain.com) of an unknown username input on the login screen will be matched against the org domains and will redirect to the registration of that organization on success.
defines if the user can additionally (to the login name) be identified by their verified email address
defines if the user can additionally (to the login name) be identified by their verified phone number
if activated, only local authenticated users are forced to use MFA. Authentication through IDPs won't prompt a MFA step in the login.
passwordComplexityPolicy
object
Defines if the password MUST contain an upper case letter
Defines if the password MUST contain a lowercase letter
Defines if the password MUST contain a number
Defines if the password MUST contain a symbol. E.g. "$"
privacyPolicy
object
If registration is enabled, the user has to accept the TOS. Variable {{.Lang}} can be set to have different links based on the language.
If registration is enabled, the user has to accept the privacy terms. Variable {{.Lang}} can be set to have different links based on the language.
Variable {{.Lang}} can be set to have different links based on the language.
help / support email address.
Link to documentation to be shown in the console.
Link to an external resource that will be available to users in the console.
The button text that would be shown in console pointing to custom link.
projects
object[]
project
object
Possible values: non-empty
and <= 200 characters
Enable this setting to have role information included in the user info endpoint. It is also dependent on your application settings to include it in tokens and other types.
When enabled ZITADEL will check if a user has a role of this project assigned when login into an application of this project.
When enabled ZITADEL will check if the organization of the user, that is trying to log in, has a grant to this project.
Possible values: [PRIVATE_LABELING_SETTING_UNSPECIFIED
, PRIVATE_LABELING_SETTING_ENFORCE_PROJECT_RESOURCE_OWNER_POLICY
, PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY
]
Default value: PRIVATE_LABELING_SETTING_UNSPECIFIED
Define which private labeling/branding should trigger when getting to a login of this project.
projectRoles
object[]
Possible values: non-empty
and <= 200 characters
The key is the only relevant attribute for ZITADEL regarding the authorization checks.
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
The group is only used for display purposes. That you have better handling, like giving all the roles from a group to a user.
apiApps
object[]
app
object
Possible values: non-empty
and <= 200 characters
Possible values: [API_AUTH_METHOD_TYPE_BASIC
, API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]
Default value: API_AUTH_METHOD_TYPE_BASIC
oidcApps
object[]
app
object
Possible values: non-empty
and <= 200 characters
Callback URI of the authorization request where the code or tokens will be sent to
Possible values: [OIDC_RESPONSE_TYPE_CODE
, OIDC_RESPONSE_TYPE_ID_TOKEN
, OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN
]
Determines whether a code, id_token token or just id_token will be returned
Possible values: [OIDC_GRANT_TYPE_AUTHORIZATION_CODE
, OIDC_GRANT_TYPE_IMPLICIT
, OIDC_GRANT_TYPE_REFRESH_TOKEN
, OIDC_GRANT_TYPE_DEVICE_CODE
, OIDC_GRANT_TYPE_TOKEN_EXCHANGE
]
The flow type the application uses to gain access
Possible values: [OIDC_APP_TYPE_WEB
, OIDC_APP_TYPE_USER_AGENT
, OIDC_APP_TYPE_NATIVE
]
Default value: OIDC_APP_TYPE_WEB
Determines the paradigm of the application
Possible values: [OIDC_AUTH_METHOD_TYPE_BASIC
, OIDC_AUTH_METHOD_TYPE_POST
, OIDC_AUTH_METHOD_TYPE_NONE
, OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]
Default value: OIDC_AUTH_METHOD_TYPE_BASIC
Defines how the application passes login credentials
ZITADEL will redirect to this link after a successful logout
Possible values: [OIDC_VERSION_1_0
]
Default value: OIDC_VERSION_1_0
Used for development, some checks of the OIDC specification will not be checked.
Possible values: [OIDC_TOKEN_TYPE_BEARER
, OIDC_TOKEN_TYPE_JWT
]
Default value: OIDC_TOKEN_TYPE_BEARER
Type of the access token returned from ZITADEL
Adds roles to the claims of the access token (only if type == JWT) even if they are not requested by scopes
Adds roles to the claims of the id token even if they are not requested by scopes
Claims of profile, email, address and phone scopes are added to the id token even if an access token is issued. Attention this violates the OIDC specification
Used to compensate time difference of servers. Duration added to the "exp" claim and subtracted from "iat", "auth_time" and "nbf" claims
Additional origins (other than the redirect_uris) from where the API can be used, provided string has to be an origin (scheme://hostname[:port]) without path, query or fragment
Skip the successful login page on native apps and directly redirect the user to the callback.
ZITADEL will use this URI to notify the application about terminated session according to the OIDC Back-Channel Logout (https://openid.net/specs/openid-connect-backchannel-1_0.html)
humanUsers
object[]
user
object
profile
object
required
Profile includes the basic information of a user, like first name, last name, etc.
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
Possible values: <= 200 characters
Possible values: <= 10 characters
Possible values: [GENDER_UNSPECIFIED
, GENDER_FEMALE
, GENDER_MALE
, GENDER_DIVERSE
]
Default value: GENDER_UNSPECIFIED
email
object
required
Object that contains the email address and a verified flag.
If email verified is set to true, the email will be added as verified and the user doesn't have to verify.
phone
object
Object that contains the number and a verified flag
Possible values: non-empty
and <= 50 characters
mobile phone number of the user. (use global pattern of spec https://tools.ietf.org/html/rfc3966)
hashedPassword
object
Use this to import hashed passwords from another system.
Encoded hash of a password in Modular Crypt Format: https://zitadel.com/docs/concepts/architecture/secrets#hashed-secrets
If this is set to true, the user has to change the password on the next login.
If this is set to true, you will get a link for the passwordless/passkey registration in the response.
idps
object[]
To link your user directly with an external identity provider (Identity brokering)
Possible values: non-empty
and <= 200 characters
The internal ID of the identity provider configured in ZITADEL.
Possible values: non-empty
and <= 200 characters
The id of the user in the external identity provider
Possible values: <= 200 characters
A display name ZITADEL can show on the linked provider.
machineUsers
object[]
user
object
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: <= 500 characters
Possible values: [ACCESS_TOKEN_TYPE_BEARER
, ACCESS_TOKEN_TYPE_JWT
]
Default value: ACCESS_TOKEN_TYPE_BEARER
Possible values: <= 200 characters
optionally set your own id unique for the user.
triggerActions
object[]
Possible values: [FLOW_TYPE_UNSPECIFIED
, FLOW_TYPE_EXTERNAL_AUTHENTICATION
]
Default value: FLOW_TYPE_UNSPECIFIED
Possible values: [TRIGGER_TYPE_UNSPECIFIED
, TRIGGER_TYPE_POST_AUTHENTICATION
, TRIGGER_TYPE_PRE_CREATION
, TRIGGER_TYPE_POST_CREATION
]
Default value: TRIGGER_TYPE_UNSPECIFIED
actions
object[]
action
object
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 10000 characters
Javascript code that should be executed
after which time the action will be terminated if not finished
when true, the next action will be called even if this action fails
projectGrants
object[]
projectGrant
object
userGrants
object[]
Possible values: non-empty
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
Make sure to fill in the project grant id if the user grant is for a granted project and the organization is not the owner of the project.
orgMembers
object[]
If no roles are provided the user won't have any rights
projectMembers
object[]
If no roles are provided the user won't have any rights
projectGrantMembers
object[]
Possible values: non-empty
and <= 200 characters
If no roles are provided the user won't have any rights
userMetadata
object[]
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 500000 characters
The value has to be base64 encoded.
loginTexts
object[]
selectAccountText
object
loginText
object
passwordText
object
usernameChangeText
object
usernameChangeDoneText
object
initPasswordText
object
initPasswordDoneText
object
emailVerificationText
object
emailVerificationDoneText
object
initializeUserText
object
initializeDoneText
object
initMfaPromptText
object
initMfaOtpText
object
initMfaU2fText
object
initMfaDoneText
object
mfaProvidersText
object
verifyMfaOtpText
object
verifyMfaU2fText
object
passwordlessText
object
passwordChangeText
object
passwordChangeDoneText
object
passwordResetDoneText
object
registrationOptionText
object
registrationUserText
object
registrationOrgText
object
linkingUserDoneText
object
externalUserNotFoundText
object
successLoginText
object
logoutText
object
footerText
object
passwordlessPromptText
object
passwordlessRegistrationText
object
passwordlessRegistrationDoneText
object
externalRegistrationUserOverviewText
object
linkingUserPromptText
object
initMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
passwordResetMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
verifyEmailMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
verifyPhoneMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 800 characters
Possible values: <= 1000 characters
domainClaimedMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
passwordlessRegistrationMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 500 characters
oidcIdps
object[]
idp
object
Possible values: non-empty
and <= 200 characters
Possible values: [STYLING_TYPE_UNSPECIFIED
, STYLING_TYPE_GOOGLE
]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
Possible values: non-empty
and <= 200 characters
client id generated by the identity provider
Possible values: non-empty
and <= 200 characters
client secret generated by the identity provider
the OIDC issuer of the identity provider
the scopes requested by ZITADEL during the request on the identity provider
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED
, OIDC_MAPPING_FIELD_PREFERRED_USERNAME
, OIDC_MAPPING_FIELD_EMAIL
]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the display name of the user
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED
, OIDC_MAPPING_FIELD_PREFERRED_USERNAME
, OIDC_MAPPING_FIELD_EMAIL
]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the email of the user
jwtIdps
object[]
idp
object
Possible values: non-empty
and <= 200 characters
Possible values: [STYLING_TYPE_UNSPECIFIED
, STYLING_TYPE_GOOGLE
]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
Possible values: non-empty
and <= 200 characters
the endpoint where the JWT can be extracted
Possible values: non-empty
and <= 200 characters
the issuer of the JWT (for validation)
Possible values: non-empty
and <= 200 characters
the endpoint to the key (JWK) which is used to sign the JWT with
Possible values: non-empty
and <= 200 characters
the name of the header where the JWT is sent in, default is authorization
secondFactors
object[]
Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED
, SECOND_FACTOR_TYPE_OTP
, SECOND_FACTOR_TYPE_U2F
, SECOND_FACTOR_TYPE_OTP_EMAIL
, SECOND_FACTOR_TYPE_OTP_SMS
]
Default value: SECOND_FACTOR_TYPE_UNSPECIFIED
multiFactors
object[]
Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED
, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION
]
Default value: MULTI_FACTOR_TYPE_UNSPECIFIED
idps
object[]
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED
, IDP_OWNER_TYPE_SYSTEM
, IDP_OWNER_TYPE_ORG
]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.
userLinks
object[]
the id of the user
the id of the identity provider
the name of the identity provider
the id of the user provided by the identity provider
the id of the identity provider
Possible values: [IDP_TYPE_UNSPECIFIED
, IDP_TYPE_OIDC
, IDP_TYPE_JWT
]
Default value: IDP_TYPE_UNSPECIFIED
the authorization framework of the identity provider
domains
object[]
details
object
on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the first event of the object
on create: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the last event reduced by the projection
on manipulation: the
defines if the domain is verified
defines if the domain is the primary domain
Possible values: [DOMAIN_VALIDATION_TYPE_UNSPECIFIED
, DOMAIN_VALIDATION_TYPE_HTTP
, DOMAIN_VALIDATION_TYPE_DNS
]
Default value: DOMAIN_VALIDATION_TYPE_UNSPECIFIED
defines the protocol the domain was validated with
appKeys
object[]
Possible values: [KEY_TYPE_UNSPECIFIED
, KEY_TYPE_JSON
]
Default value: KEY_TYPE_UNSPECIFIED
machineKeys
object[]
Possible values: [KEY_TYPE_UNSPECIFIED
, KEY_TYPE_JSON
]
Default value: KEY_TYPE_UNSPECIFIED
inviteUserMessages
object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 500 characters
dataOrgsLocal
object
dataOrgsv1Local
object
dataOrgsS3
object
dataOrgsv1S3
object
dataOrgsGcs
object
dataOrgsv1Gcs
object
Responses​
- 200
- 403
- 404
- default
A successful response.
- application/json
- application/grpc
- application/grpc-web+proto
- Schema
- Example (from schema)
Schema
Array [
]
Array [
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
]
errors
object[]
success
object
orgs
object[]
triggerActions
object[]
projectGrants
object[]
userGrants
object[]
projectMembers
object[]
projectGrantMembers
object[]
userLinks
object[]
userMetadata
object[]
{
"errors": [
{
"type": "string",
"id": "string",
"message": "string"
}
],
"success": {
"orgs": [
{
"orgId": "string",
"projectIds": [
"string"
],
"projectRoles": [
"string"
],
"oidcAppIds": [
"string"
],
"apiAppIds": [
"string"
],
"humanUserIds": [
"string"
],
"machineUserIds": [
"string"
],
"actionIds": [
"string"
],
"triggerActions": [
{
"flowType": "1",
"triggerType": "1",
"actionIds": [
"string"
]
}
],
"projectGrants": [
{
"grantId": "string",
"projectId": "string",
"orgId": "string"
}
],
"userGrants": [
{
"projectId": "string",
"userId": "string"
}
],
"orgMembers": [
"string"
],
"projectMembers": [
{
"projectId": "string",
"userId": "string"
}
],
"projectGrantMembers": [
{
"projectId": "string",
"grantId": "string",
"userId": "string"
}
],
"oidcIpds": [
"string"
],
"jwtIdps": [
"string"
],
"idpLinks": [
"string"
],
"userLinks": [
{
"userId": "string",
"externalUserId": "string",
"displayName": "string",
"idpId": "string"
}
],
"userMetadata": [
{
"userId": "string",
"key": "string"
}
],
"domains": [
"string"
],
"appKeys": [
"string"
],
"machineKeys": [
"string"
]
}
]
}
}
- Schema
- Example (from schema)
Schema
Array [
]
Array [
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
]
errors
object[]
success
object
orgs
object[]
triggerActions
object[]
projectGrants
object[]
userGrants
object[]
projectMembers
object[]
projectGrantMembers
object[]
userLinks
object[]
userMetadata
object[]
{
"errors": [
{
"type": "string",
"id": "string",
"message": "string"
}
],
"success": {
"orgs": [
{
"orgId": "string",
"projectIds": [
"string"
],
"projectRoles": [
"string"
],
"oidcAppIds": [
"string"
],
"apiAppIds": [
"string"
],
"humanUserIds": [
"string"
],
"machineUserIds": [
"string"
],
"actionIds": [
"string"
],
"triggerActions": [
{
"flowType": "1",
"triggerType": "1",
"actionIds": [
"string"
]
}
],
"projectGrants": [
{
"grantId": "string",
"projectId": "string",
"orgId": "string"
}
],
"userGrants": [
{
"projectId": "string",
"userId": "string"
}
],
"orgMembers": [
"string"
],
"projectMembers": [
{
"projectId": "string",
"userId": "string"
}
],
"projectGrantMembers": [
{
"projectId": "string",
"grantId": "string",
"userId": "string"
}
],
"oidcIpds": [
"string"
],
"jwtIdps": [
"string"
],
"idpLinks": [
"string"
],
"userLinks": [
{
"userId": "string",
"externalUserId": "string",
"displayName": "string",
"idpId": "string"
}
],
"userMetadata": [
{
"userId": "string",
"key": "string"
}
],
"domains": [
"string"
],
"appKeys": [
"string"
],
"machineKeys": [
"string"
]
}
]
}
}
- Schema
- Example (from schema)
Schema
Array [
]
Array [
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
Array [
]
]
errors
object[]
success
object
orgs
object[]
triggerActions
object[]
projectGrants
object[]
userGrants
object[]
projectMembers
object[]
projectGrantMembers
object[]
userLinks
object[]
userMetadata
object[]
{
"errors": [
{
"type": "string",
"id": "string",
"message": "string"
}
],
"success": {
"orgs": [
{
"orgId": "string",
"projectIds": [
"string"
],
"projectRoles": [
"string"
],
"oidcAppIds": [
"string"
],
"apiAppIds": [
"string"
],
"humanUserIds": [
"string"
],
"machineUserIds": [
"string"
],
"actionIds": [
"string"
],
"triggerActions": [
{
"flowType": "1",
"triggerType": "1",
"actionIds": [
"string"
]
}
],
"projectGrants": [
{
"grantId": "string",
"projectId": "string",
"orgId": "string"
}
],
"userGrants": [
{
"projectId": "string",
"userId": "string"
}
],
"orgMembers": [
"string"
],
"projectMembers": [
{
"projectId": "string",
"userId": "string"
}
],
"projectGrantMembers": [
{
"projectId": "string",
"grantId": "string",
"userId": "string"
}
],
"oidcIpds": [
"string"
],
"jwtIdps": [
"string"
],
"idpLinks": [
"string"
],
"userLinks": [
{
"userId": "string",
"externalUserId": "string",
"displayName": "string",
"idpId": "string"
}
],
"userMetadata": [
{
"userId": "string",
"key": "string"
}
],
"domains": [
"string"
],
"appKeys": [
"string"
],
"machineKeys": [
"string"
]
}
]
}
}
Returned when the user does not have permission to access the resource.
- application/json
- application/grpc
- application/grpc-web+proto
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
Returned when the resource does not exist.
- application/json
- application/grpc
- application/grpc-web+proto
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
An unexpected error response.
- application/json
- application/grpc
- application/grpc-web+proto
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}