Import Data​

Imports data into ZITADEL at the instance level. The data can either be sent directly in the request body, or the request can point to a file on S3 storage from which the data is loaded.

Request Body required
    dataOrgs object
    orgs object[]
  • Array [
  • orgId string
    org object
    name string required

    Possible values: non-empty and <= 200 characters

    domainPolicy object
    orgId string required

    Possible values: non-empty and <= 200 characters

    userLoginMustBeDomain boolean

    the username has to end with the domain of its organization (uniqueness is organization based)

    validateOrgDomains boolean

    defines if organization domains have to be validated (via DNS or HTTP challenge) before they count as verified; if false, every domain added to an org counts as validated automatically

    smtpSenderAddressMatchesInstanceDomain boolean

    defines if the SMTP sender address domain should match an existing domain on the instance

    labelPolicy object
    primaryColor string

    Possible values: <= 50 characters

    Represents a color scheme

    hideLoginNameSuffix boolean

    hides the org suffix on the login form if the scope "urn:zitadel:iam:org:domain:primary:{domainname}" is set

    warnColor string

    Possible values: <= 50 characters

    hex value for warn color

    backgroundColor string

    Possible values: <= 50 characters

    hex value for background color

    fontColor string

    Possible values: <= 50 characters

    hex value for font color

    primaryColorDark string

    Possible values: <= 50 characters

    hex value for the primary color dark theme

    backgroundColorDark string

    Possible values: <= 50 characters

    hex value for background color dark theme

    warnColorDark string

    Possible values: <= 50 characters

    hex value for warning color dark theme

    fontColorDark string

    Possible values: <= 50 characters

    hex value for font color dark theme

    disableWatermark boolean
    themeMode string

    Possible values: [THEME_MODE_UNSPECIFIED, THEME_MODE_AUTO, THEME_MODE_DARK, THEME_MODE_LIGHT]

    Default value: THEME_MODE_UNSPECIFIED

    setting if there should be a restriction on which themes are available

    lockoutPolicy object
    maxPasswordAttempts int64

    When the user has reached the maximum number of failed password attempts the account is locked. If this is set to 0, the lockout never triggers.

    maxOtpAttempts int64

    Maximum failed attempts for a single OTP type (TOTP, SMS, Email) before the account gets locked. Attempts are reset as soon as the OTP is entered correctly. If set to 0 the account will never be locked.

    loginPolicy object
    allowUsernamePassword boolean
    allowRegister boolean
    allowExternalIdp boolean
    forceMfa boolean
    passwordlessType string

    PASSWORDLESS_TYPE_ALLOWED (PASSWORDLESS_TYPE_WITH_CERT is planned)

    Possible values: [PASSWORDLESS_TYPE_NOT_ALLOWED, PASSWORDLESS_TYPE_ALLOWED]

    Default value: PASSWORDLESS_TYPE_NOT_ALLOWED

    hidePasswordReset boolean
    ignoreUnknownUsernames boolean

    defines if an unknown username on the login screen directly returns an error or always displays the password screen. Returning an error immediately reveals which usernames exist, so set this to true where username enumeration is a concern.

    defaultRedirectUri string

    defines where the user will be redirected to if the login is started without app context (e.g. from mail)

    passwordCheckLifetime string
    externalLoginCheckLifetime string
    mfaInitSkipLifetime string
    secondFactorCheckLifetime string
    multiFactorCheckLifetime string
    secondFactors string[]

    SECOND_FACTOR_TYPE_OTP is the type for TOTP

    Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED, SECOND_FACTOR_TYPE_OTP, SECOND_FACTOR_TYPE_U2F, SECOND_FACTOR_TYPE_OTP_EMAIL, SECOND_FACTOR_TYPE_OTP_SMS]

    multiFactors string[]

    Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION]

    idps object[]
  • Array [
  • idpId string
    ownerType string

    Possible values: [IDP_OWNER_TYPE_UNSPECIFIED, IDP_OWNER_TYPE_SYSTEM, IDP_OWNER_TYPE_ORG]

    Default value: IDP_OWNER_TYPE_UNSPECIFIED

    the owner of the identity provider.

    • IDP_OWNER_TYPE_SYSTEM: system is managed by the ZITADEL administrators
    • IDP_OWNER_TYPE_ORG: org is managed by the organization administrators
  • ]
  • allowDomainDiscovery boolean

    If set to true, the suffix (@domain.com) of an unknown username input on the login screen will be matched against the org domains and will redirect to the registration of that organization on success.

    disableLoginWithEmail boolean

    defines if the user can additionally (to the login name) be identified by their verified email address

    disableLoginWithPhone boolean

    defines if the user can additionally (to the login name) be identified by their verified phone number

    forceMfaLocalOnly boolean

    if activated, only locally authenticated users are forced to use MFA. Authentication through IDPs won't prompt an MFA step in the login.

    passwordComplexityPolicy object
    minLength uint64
    hasUppercase boolean

    Defines if the password MUST contain an upper case letter

    hasLowercase boolean

    Defines if the password MUST contain a lowercase letter

    hasNumber boolean

    Defines if the password MUST contain a number

    hasSymbol boolean

    Defines if the password MUST contain a symbol. E.g. "$"

    privacyPolicy object
    tosLink string

    If registration is enabled, the user has to accept the TOS. Variable {{.Lang}} can be set to have different links based on the language.

    privacyLink string

    If registration is enabled, the user has to accept the privacy terms. Variable {{.Lang}} can be set to have different links based on the language.

    helpLink string

    Variable {{.Lang}} can be set to have different links based on the language.

    supportEmail string

    help / support email address.

    projects object[]
  • Array [
  • projectId string
    project object
    name string required

    Possible values: non-empty and <= 200 characters

    projectRoleAssertion boolean

    Enable this setting to include role information in the userinfo endpoint response. Whether roles are also included in tokens depends on the application settings.

    projectRoleCheck boolean

    When enabled ZITADEL will check if a user has a role of this project assigned when logging in to an application of this project.

    hasProjectCheck boolean

    When enabled ZITADEL will check if the organization of the user, that is trying to log in, has a grant to this project.

    privateLabelingSetting string

    Possible values: [PRIVATE_LABELING_SETTING_UNSPECIFIED, PRIVATE_LABELING_SETTING_ENFORCE_PROJECT_RESOURCE_OWNER_POLICY, PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY]

    Default value: PRIVATE_LABELING_SETTING_UNSPECIFIED

    Defines which private labeling/branding is applied when a user reaches the login of this project.

  • ]
  • projectRoles object[]
  • Array [
  • projectId string
    roleKey string required

    Possible values: non-empty and <= 200 characters

    The key is the only relevant attribute for ZITADEL regarding the authorization checks.

    displayName string required

    Possible values: non-empty and <= 200 characters

    group string

    Possible values: <= 200 characters

    The group is only used for display purposes, so that roles are easier to handle, e.g. granting all roles of a group to a user.

  • ]
  • apiApps object[]
  • Array [
  • appId string
    app object
    projectId string
    name string required

    Possible values: non-empty and <= 200 characters

    authMethodType string

    Possible values: [API_AUTH_METHOD_TYPE_BASIC, API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT]

    Default value: API_AUTH_METHOD_TYPE_BASIC

  • ]
  • oidcApps object[]
  • Array [
  • appId string
    app object
    projectId string
    name string required

    Possible values: non-empty and <= 200 characters

    redirectUris string[]

    Callback URI of the authorization request where the code or tokens will be sent to

    responseTypes string[]

    Possible values: [OIDC_RESPONSE_TYPE_CODE, OIDC_RESPONSE_TYPE_ID_TOKEN, OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN]

    Determines whether a code, id_token token or just id_token will be returned

    grantTypes string[]

    Possible values: [OIDC_GRANT_TYPE_AUTHORIZATION_CODE, OIDC_GRANT_TYPE_IMPLICIT, OIDC_GRANT_TYPE_REFRESH_TOKEN, OIDC_GRANT_TYPE_DEVICE_CODE, OIDC_GRANT_TYPE_TOKEN_EXCHANGE]

    The flow type the application uses to gain access

    appType string

    Possible values: [OIDC_APP_TYPE_WEB, OIDC_APP_TYPE_USER_AGENT, OIDC_APP_TYPE_NATIVE]

    Default value: OIDC_APP_TYPE_WEB

    Determines the paradigm of the application

    authMethodType string

    Possible values: [OIDC_AUTH_METHOD_TYPE_BASIC, OIDC_AUTH_METHOD_TYPE_POST, OIDC_AUTH_METHOD_TYPE_NONE, OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT]

    Default value: OIDC_AUTH_METHOD_TYPE_BASIC

    Defines how the application passes login credentials

    postLogoutRedirectUris string[]

    ZITADEL will redirect to this link after a successful logout

    version string

    Possible values: [OIDC_VERSION_1_0]

    Default value: OIDC_VERSION_1_0

    devMode boolean

    Used for development only: some checks required by the OIDC specification are skipped. Do not enable it in production.

    accessTokenType string

    Possible values: [OIDC_TOKEN_TYPE_BEARER, OIDC_TOKEN_TYPE_JWT]

    Default value: OIDC_TOKEN_TYPE_BEARER

    Type of the access token returned from ZITADEL

    accessTokenRoleAssertion boolean

    Adds roles to the claims of the access token (only if type == JWT) even if they are not requested by scopes

    idTokenRoleAssertion boolean

    Adds roles to the claims of the id token even if they are not requested by scopes

    idTokenUserinfoAssertion boolean

    Claims of the profile, email, address and phone scopes are added to the id token even if an access token is issued. Attention: this violates the OIDC specification.

    clockSkew string

    Used to compensate time difference of servers. Duration added to the "exp" claim and subtracted from "iat", "auth_time" and "nbf" claims

    additionalOrigins string[]

    Additional origins (other than the redirect_uris) from where the API can be used, provided string has to be an origin (scheme://hostname[:port]) without path, query or fragment

    skipNativeAppSuccessPage boolean

    Skip the successful login page on native apps and directly redirect the user to the callback.

  • ]
  • humanUsers object[]
  • Array [
  • userId string
    user object
    userName string required
    profile object required

    Profile includes the basic information of a user, like first name, last name, etc.

    firstName string required

    Possible values: non-empty and <= 200 characters

    lastName string required

    Possible values: non-empty and <= 200 characters

    nickName string

    Possible values: <= 200 characters

    displayName string

    Possible values: <= 200 characters

    preferredLanguage string

    Possible values: <= 10 characters

    gender string

    Possible values: [GENDER_UNSPECIFIED, GENDER_FEMALE, GENDER_MALE, GENDER_DIVERSE]

    Default value: GENDER_UNSPECIFIED

    email object required
    email string required

    Object that contains the email address and a verified flag.

    isEmailVerified boolean

    If set to true, the email is imported as verified and the user does not have to verify it.

    phone object

    Object that contains the number and a verified flag

    phone string

    Possible values: non-empty and <= 50 characters

    mobile phone number of the user. (use global pattern of spec https://tools.ietf.org/html/rfc3966)

    isPhoneVerified boolean
    password string
    hashedPassword object

    Use this to import hashed passwords from another system.

    value string

    Encoded hash of a password in Modular Crypt Format: https://zitadel.com/docs/concepts/architecture/secrets#hashed-secrets

    passwordChangeRequired boolean

    If this is set to true, the user has to change the password on the next login.

    requestPasswordlessRegistration boolean

    If this is set to true, you will get a link for the passwordless/passkey registration in the response.

    otpCode string
    idps object[]

    To link your user directly with an external identity provider (Identity brokering)

  • Array [
  • configId string

    Possible values: non-empty and <= 200 characters

    The internal ID of the identity provider configured in ZITADEL.

    externalUserId string

    Possible values: non-empty and <= 200 characters

    The id of the user in the external identity provider

    displayName string

    Possible values: <= 200 characters

    A display name ZITADEL can show on the linked provider.

  • ]
  • ]
  • machineUsers object[]
  • Array [
  • userId string
    user object
    userName string required

    Possible values: non-empty and <= 200 characters

    name string required

    Possible values: non-empty and <= 200 characters

    description string

    Possible values: <= 500 characters

    accessTokenType string

    Possible values: [ACCESS_TOKEN_TYPE_BEARER, ACCESS_TOKEN_TYPE_JWT]

    Default value: ACCESS_TOKEN_TYPE_BEARER

  • ]
  • triggerActions object[]
  • Array [
  • flowType

    id of the flow type. The following flows are currently allowed:

    • External Authentication: FLOW_TYPE_EXTERNAL_AUTHENTICATION or 1
    • Internal Authentication: 3
    • Complement Token: 2
    • Complement SAML Response: 4

    triggerType

    id of the trigger type. The following triggers are currently allowed:

    • External Authentication: Post Authentication: TRIGGER_TYPE_POST_AUTHENTICATION or 1; Pre Creation: TRIGGER_TYPE_PRE_CREATION or 2; Post Creation: TRIGGER_TYPE_POST_CREATION or 3
    • Internal Authentication: Post Authentication: TRIGGER_TYPE_POST_AUTHENTICATION or 1; Pre Creation: TRIGGER_TYPE_PRE_CREATION or 2; Post Creation: TRIGGER_TYPE_POST_CREATION or 3
    • Complement Token: Pre Userinfo Creation: 4; Pre Access Token Creation: 5
    • Complement SAML Response: Pre SAML Response Creation: 6

    actionIds string[]
  • ]
  • actions object[]
  • Array [
  • actionId string
    action object
    name string required

    Possible values: non-empty and <= 200 characters

    script string required

    Possible values: non-empty and <= 10000 characters

    JavaScript code that should be executed

    timeout string

    the duration after which the action is terminated if it has not finished

    allowedToFail boolean

    when true, the next action will be called even if this action fails

  • ]
  • projectGrants object[]
  • Array [
  • grantId string
    projectGrant object
    projectId string
    grantedOrgId string
    roleKeys string[]
  • ]
  • userGrants object[]
  • Array [
  • userId string required

    Possible values: non-empty

    projectId string required

    Possible values: non-empty and <= 200 characters

    projectGrantId string

    Possible values: <= 200 characters

    Make sure to fill in the project grant id if the user grant is for a granted project and the organization is not the owner of the project.

    roleKeys string[]
  • ]
  • orgMembers object[]
  • Array [
  • userId string
    roles string[]

    If no roles are provided the user won't have any rights

  • ]
  • projectMembers object[]
  • Array [
  • projectId string
    userId string
    roles string[]

    If no roles are provided the user won't have any rights

  • ]
  • projectGrantMembers object[]
  • Array [
  • projectId string
    grantId string
    userId string required

    Possible values: non-empty and <= 200 characters

    roles string[]

    If no roles are provided the user won't have any rights

  • ]
  • userMetadata object[]
  • Array [
  • id string

    Possible values: non-empty and <= 200 characters

    key string

    Possible values: non-empty and <= 200 characters

    value byte

    Possible values: non-empty and <= 500000 characters

    The value has to be base64 encoded.

  • ]
  • loginTexts object[]
  • Array [
  • language string
    selectAccountText object
    title string
    description string
    titleLinkingProcess string
    descriptionLinkingProcess string
    otherUser string
    sessionStateActive string
    sessionStateInactive string
    userMustBeMemberOfOrg string
    loginText object
    title string
    description string
    titleLinkingProcess string
    descriptionLinkingProcess string
    userMustBeMemberOfOrg string
    loginNameLabel string
    registerButtonText string
    nextButtonText string
    externalUserDescription string
    userNamePlaceholder string
    loginNamePlaceholder string
    passwordText object
    title string
    description string
    passwordLabel string
    resetLinkText string
    backButtonText string
    nextButtonText string
    minLength string
    hasUppercase string
    hasLowercase string
    hasNumber string
    hasSymbol string
    confirmation string
    usernameChangeText object
    title string
    description string
    usernameLabel string
    cancelButtonText string
    nextButtonText string
    usernameChangeDoneText object
    title string
    description string
    nextButtonText string
    initPasswordText object
    title string
    description string
    codeLabel string
    newPasswordLabel string
    newPasswordConfirmLabel string
    nextButtonText string
    resendButtonText string
    initPasswordDoneText object
    title string
    description string
    nextButtonText string
    cancelButtonText string
    emailVerificationText object
    title string
    description string
    codeLabel string
    nextButtonText string
    resendButtonText string
    emailVerificationDoneText object
    title string
    description string
    nextButtonText string
    cancelButtonText string
    loginButtonText string
    initializeUserText object
    title string
    description string
    codeLabel string
    newPasswordLabel string
    newPasswordConfirmLabel string
    resendButtonText string
    nextButtonText string
    initializeDoneText object
    title string
    description string
    cancelButtonText string
    nextButtonText string
    initMfaPromptText object
    title string
    description string
    otpOption string
    u2fOption string
    skipButtonText string
    nextButtonText string
    initMfaOtpText object
    title string
    description string
    descriptionOtp string
    secretLabel string
    codeLabel string
    nextButtonText string
    cancelButtonText string
    initMfaU2fText object
    title string
    description string
    tokenNameLabel string
    notSupported string
    registerTokenButtonText string
    errorRetry string
    initMfaDoneText object
    title string
    description string
    cancelButtonText string
    nextButtonText string
    mfaProvidersText object
    chooseOther string
    otp string
    u2f string
    verifyMfaOtpText object
    title string
    description string
    codeLabel string
    nextButtonText string
    verifyMfaU2fText object
    title string
    description string
    validateTokenText string
    notSupported string
    errorRetry string
    passwordlessText object
    title string
    description string
    loginWithPwButtonText string
    validateTokenButtonText string
    notSupported string
    errorRetry string
    passwordChangeText object
    title string
    description string
    oldPasswordLabel string
    newPasswordLabel string
    newPasswordConfirmLabel string
    cancelButtonText string
    nextButtonText string
    passwordChangeDoneText object
    title string
    description string
    nextButtonText string
    passwordResetDoneText object
    title string
    description string
    nextButtonText string
    registrationOptionText object
    title string
    description string
    userNameButtonText string
    externalLoginDescription string
    loginButtonText string
    registrationUserText object
    title string
    description string
    descriptionOrgRegister string
    firstnameLabel string
    lastnameLabel string
    emailLabel string
    usernameLabel string
    languageLabel string
    genderLabel string
    passwordLabel string
    passwordConfirmLabel string
    tosAndPrivacyLabel string
    tosConfirm string
    tosLinkText string
    privacyConfirm string
    privacyLinkText string
    nextButtonText string
    backButtonText string
    registrationOrgText object
    title string
    description string
    orgnameLabel string
    firstnameLabel string
    lastnameLabel string
    usernameLabel string
    emailLabel string
    passwordLabel string
    passwordConfirmLabel string
    tosAndPrivacyLabel string
    tosConfirm string
    tosLinkText string
    privacyConfirm string
    privacyLinkText string
    saveButtonText string
    linkingUserDoneText object
    title string
    description string
    cancelButtonText string
    nextButtonText string
    externalUserNotFoundText object
    title string
    description string
    linkButtonText string
    autoRegisterButtonText string
    tosAndPrivacyLabel string
    tosConfirm string
    tosLinkText string
    privacyLinkText string
    privacyConfirm string
    successLoginText object
    title string
    autoRedirectDescription string

    Text to describe that auto-redirect should happen after successful login

    redirectedDescription string

    Text to describe that the window can be closed after redirect

    nextButtonText string
    logoutText object
    title string
    description string
    loginButtonText string
    footerText object
    tos string
    privacyPolicy string
    help string
    supportEmail string
    passwordlessPromptText object
    title string
    description string
    descriptionInit string
    passwordlessButtonText string
    nextButtonText string
    skipButtonText string
    passwordlessRegistrationText object
    title string
    description string
    tokenNameLabel string
    notSupported string
    registerTokenButtonText string
    errorRetry string
    passwordlessRegistrationDoneText object
    title string
    description string
    nextButtonText string
    cancelButtonText string
    descriptionClose string
    externalRegistrationUserOverviewText object
    title string
    description string
    emailLabel string
    usernameLabel string
    firstnameLabel string
    lastnameLabel string
    nicknameLabel string
    languageLabel string
    phoneLabel string
    tosAndPrivacyLabel string
    tosConfirm string
    tosLinkText string
    privacyLinkText string
    backButtonText string
    nextButtonText string
    privacyConfirm string
    linkingUserPromptText object
    title string
    description string
    linkButtonText string
    otherButtonText string
  • ]
  • initMessages object[]
  • Array [
  • language string
    title string

    Possible values: <= 500 characters

    preHeader string

    Possible values: <= 500 characters

    subject string

    Possible values: <= 500 characters

    greeting string

    Possible values: <= 1000 characters

    text string

    Possible values: <= 10000 characters

    buttonText string

    Possible values: <= 1000 characters

    footerText string
  • ]
  • passwordResetMessages object[]
  • Array [
  • language string
    title string

    Possible values: <= 500 characters

    preHeader string

    Possible values: <= 500 characters

    subject string

    Possible values: <= 500 characters

    greeting string

    Possible values: <= 1000 characters

    text string

    Possible values: <= 10000 characters

    buttonText string

    Possible values: <= 1000 characters

    footerText string
  • ]
  • verifyEmailMessages object[]
  • Array [
  • language string
    title string

    Possible values: <= 500 characters

    preHeader string

    Possible values: <= 500 characters

    subject string

    Possible values: <= 500 characters

    greeting string

    Possible values: <= 1000 characters

    text string

    Possible values: <= 10000 characters

    buttonText string

    Possible values: <= 1000 characters

    footerText string
  • ]
  • verifyPhoneMessages object[]
  • Array [
  • language string
    title string

    Possible values: <= 500 characters

    preHeader string

    Possible values: <= 500 characters

    subject string

    Possible values: <= 500 characters

    greeting string

    Possible values: <= 1000 characters

    text string

    Possible values: <= 800 characters

    buttonText string

    Possible values: <= 1000 characters

    footerText string
  • ]
  • domainClaimedMessages object[]
  • Array [
  • language string
    title string

    Possible values: <= 500 characters

    preHeader string

    Possible values: <= 500 characters

    subject string

    Possible values: <= 500 characters

    greeting string

    Possible values: <= 1000 characters

    text string

    Possible values: <= 10000 characters

    buttonText string

    Possible values: <= 1000 characters

    footerText string
  • ]
  • passwordlessRegistrationMessages object[]
  • Array [
  • language string
    title string

    Possible values: <= 500 characters

    preHeader string

    Possible values: <= 500 characters

    subject string

    Possible values: <= 500 characters

    greeting string

    Possible values: <= 1000 characters

    text string

    Possible values: <= 10000 characters

    buttonText string

    Possible values: <= 500 characters

    footerText string
  • ]
  • oidcIdps object[]
  • Array [
  • idpId string
    idp object
    name string required

    Possible values: non-empty and <= 200 characters

    stylingType string

    Possible values: [STYLING_TYPE_UNSPECIFIED, STYLING_TYPE_GOOGLE]

    Default value: STYLING_TYPE_UNSPECIFIED

    some identity providers prescribe the styling of the button that leads to their login

    clientId string required

    Possible values: non-empty and <= 200 characters

    client id generated by the identity provider

    clientSecret string required

    Possible values: non-empty and <= 200 characters

    client secret generated by the identity provider

    issuer string required

    the OIDC issuer of the identity provider

    scopes string[]

    the scopes requested by ZITADEL during the request on the identity provider

    displayNameMapping string

    Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED, OIDC_MAPPING_FIELD_PREFERRED_USERNAME, OIDC_MAPPING_FIELD_EMAIL]

    Default value: OIDC_MAPPING_FIELD_UNSPECIFIED

    defines which field is mapped to the display name of the user

    usernameMapping string

    Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED, OIDC_MAPPING_FIELD_PREFERRED_USERNAME, OIDC_MAPPING_FIELD_EMAIL]

    Default value: OIDC_MAPPING_FIELD_UNSPECIFIED

    defines which field is mapped to the username of the user

    autoRegister boolean
  • ]
  • jwtIdps object[]
  • Array [
  • idpId string
    idp object
    name string required

    Possible values: non-empty and <= 200 characters

    stylingType string

    Possible values: [STYLING_TYPE_UNSPECIFIED, STYLING_TYPE_GOOGLE]

    Default value: STYLING_TYPE_UNSPECIFIED

    some identity providers prescribe the styling of the button that leads to their login

    jwtEndpoint string required

    Possible values: non-empty and <= 200 characters

    the endpoint where the JWT can be extracted

    issuer string required

    Possible values: non-empty and <= 200 characters

    the issuer of the JWT (for validation)

    keysEndpoint string required

    Possible values: non-empty and <= 200 characters

    the endpoint serving the key (JWK) used to verify the signature of the JWT

    headerName string required

    Possible values: non-empty and <= 200 characters

    the name of the header where the JWT is sent in, default is authorization

    autoRegister boolean
  • ]
  • userLinks object[]
  • Array [
  • userId string

    the id of the user

    idpId string

    the id of the identity provider

    idpName string

    the name of the identity provider

    providedUserId string

    the id of the user provided by the identity provider

    providedUserName string

    the username of the user provided by the identity provider

    idpType string

    Possible values: [IDP_TYPE_UNSPECIFIED, IDP_TYPE_OIDC, IDP_TYPE_JWT]

    Default value: IDP_TYPE_UNSPECIFIED

    the authorization framework of the identity provider

  • ]
  • domains object[]
  • Array [
  • orgId string
    details object
    sequence uint64

    on read: the sequence of the last event reduced by the projection

    on manipulation: the timestamp of the event(s) added by the manipulation

    creationDate date-time

    on read: the timestamp of the first event of the object

    on create: the timestamp of the event(s) added by the manipulation

    changeDate date-time

    on read: the timestamp of the last event reduced by the projection

    on manipulation: the

    resourceOwner string

    the organization an object belongs to

    domainName string
    isVerified boolean

    defines if the domain is verified

    isPrimary boolean

    defines if the domain is the primary domain

    validationType string

    Possible values: [DOMAIN_VALIDATION_TYPE_UNSPECIFIED, DOMAIN_VALIDATION_TYPE_HTTP, DOMAIN_VALIDATION_TYPE_DNS]

    Default value: DOMAIN_VALIDATION_TYPE_UNSPECIFIED

    defines the protocol the domain was validated with

  • ]
  • appKeys object[]
  • Array [
  • id string
    projectId string
    appId string
    clientId string
    type string

    Possible values: [KEY_TYPE_UNSPECIFIED, KEY_TYPE_JSON]

    Default value: KEY_TYPE_UNSPECIFIED

    expirationDate date-time
    publicKey byte
  • ]
  • machineKeys object[]
  • Array [
  • keyId string
    userId string
    type string

    Possible values: [KEY_TYPE_UNSPECIFIED, KEY_TYPE_JSON]

    Default value: KEY_TYPE_UNSPECIFIED

    expirationDate date-time
    publicKey byte
  • ]
  • verifySmsOtpMessages object[]
  • Array [
  • language string
    text string

    Possible values: <= 800 characters

  • ]
  • verifyEmailOtpMessages object[]
  • Array [
  • language string
    title string

    Possible values: <= 500 characters

    preHeader string

    Possible values: <= 500 characters

    subject string

    Possible values: <= 500 characters

    greeting string

    Possible values: <= 1000 characters

    text string

    Possible values: <= 10000 characters

    buttonText string

    Possible values: <= 1000 characters

    footerText string
  • ]
  • ]
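The request body above has a number of constraints that the server only reports after the upload, and several settings whose security impact is easy to miss in a large payload. The following pre-flight checker is an added example, not ZITADEL code: it walks a `dataOrgs` payload and enforces the constraints this reference lists (length limits, base64 metadata values, Modular Crypt Format password hashes, bare origins in `additionalOrigins`, `projectGrantId` on user grants for granted projects) and flags settings with security impact (lockout disabled with 0, `devMode`, `idTokenUserinfoAssertion`, the implicit grant, plaintext passwords imported without `passwordChangeRequired`). Field names follow the reference; the sample payload, its IDs, names and hash values are constructed for the example, and the MCF check only validates the `$id$...` structure, not that the algorithm is one ZITADEL accepts (see the linked hashed-secrets page for that).

```python
"""Pre-flight checks for a ZITADEL ImportData 'dataOrgs' payload (added example)."""
import base64
import binascii
import re
from urllib.parse import urlsplit

MAX_NAME = 200        # "non-empty and <= 200 characters"
MAX_META = 500_000    # userMetadata.value limit
# Modular Crypt Format: "$<algorithm id>$<parameters/salt/hash ...>"
MCF_RE = re.compile(r"^\$[A-Za-z0-9_-]+\$.+$")


def is_origin(value):
    """True for scheme://host[:port] with no path, query or fragment."""
    u = urlsplit(value)
    return bool(u.scheme and u.netloc) and u.path == "" and not u.query and not u.fragment


def is_mcf(value):
    """True if value has the structure of a Modular Crypt Format hash."""
    return bool(MCF_RE.match(value or ""))


def check_org(org):
    """Return a list of problems for one entry of dataOrgs.orgs ([] if clean)."""
    problems = []
    oid = org.get("orgId", "?")
    name = org.get("org", {}).get("name", "")
    if not 0 < len(name) <= MAX_NAME:
        problems.append(f"org {oid}: org.name must be non-empty and <= {MAX_NAME} chars")

    # lockoutPolicy: a value of 0 means the lockout never triggers
    lockout = org.get("lockoutPolicy")
    if lockout is not None:
        for key in ("maxPasswordAttempts", "maxOtpAttempts"):
            if lockout.get(key, 0) == 0:
                problems.append(f"org {oid}: lockoutPolicy.{key} is 0, guessing is never locked out")

    for app in org.get("oidcApps", []):
        aid, a = app.get("appId", "?"), app.get("app", {})
        if a.get("devMode"):
            problems.append(f"app {aid}: devMode skips OIDC checks, disable it in production")
        if a.get("idTokenUserinfoAssertion"):
            problems.append(f"app {aid}: idTokenUserinfoAssertion violates the OIDC spec")
        if "OIDC_GRANT_TYPE_IMPLICIT" in a.get("grantTypes", []):
            problems.append(f"app {aid}: implicit grant returns tokens in the URL fragment")
        for origin in a.get("additionalOrigins", []):
            if not is_origin(origin):
                problems.append(f"app {aid}: additionalOrigins entry {origin!r} is not a bare origin")

    for user in org.get("humanUsers", []):
        uid, u = user.get("userId", "?"), user.get("user", {})
        hashed = u.get("hashedPassword")
        if hashed is not None and not is_mcf(hashed.get("value")):
            problems.append(f"user {uid}: hashedPassword.value is not in Modular Crypt Format")
        if u.get("password") and not u.get("passwordChangeRequired"):
            problems.append(f"user {uid}: plaintext password imported without passwordChangeRequired")

    for meta in org.get("userMetadata", []):
        value = meta.get("value", "")
        try:
            base64.b64decode(value, validate=True)
            valid = 0 < len(value) <= MAX_META
        except (binascii.Error, ValueError):
            valid = False
        if not valid:
            problems.append(f"metadata {meta.get('key')}: value must be non-empty base64 <= {MAX_META} chars")

    # user grants on a project this org does not own need the projectGrantId
    owned = {p.get("projectId") for p in org.get("projects", [])}
    for grant in org.get("userGrants", []):
        if grant.get("projectId") not in owned and not grant.get("projectGrantId"):
            problems.append(f"userGrant {grant.get('userId')}: {grant.get('projectId')} is a granted project, projectGrantId is required")
    return problems


def check_payload(payload):
    """Run check_org over every org in payload['dataOrgs']['orgs']."""
    problems = []
    for org in payload.get("dataOrgs", {}).get("orgs", []):
        problems.extend(check_org(org))
    return problems


# Constructed sample payload; IDs, names and hash values are made up for the example.
SAMPLE = {"dataOrgs": {"orgs": [{
    "orgId": "org-1",
    "org": {"name": "Acme"},
    "lockoutPolicy": {"maxPasswordAttempts": 5, "maxOtpAttempts": 0},
    "projects": [{"projectId": "proj-1", "project": {"name": "Portal"}}],
    "oidcApps": [{"appId": "app-1", "app": {
        "projectId": "proj-1", "name": "Web", "devMode": True,
        "grantTypes": ["OIDC_GRANT_TYPE_AUTHORIZATION_CODE"],
        "additionalOrigins": ["https://portal.example.com", "https://portal.example.com/callback"]}}],
    "humanUsers": [
        {"userId": "u-1", "user": {"userName": "alice", "hashedPassword": {
            "value": "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$aGFzaGhhc2hoYXNo"}}},
        {"userId": "u-2", "user": {"userName": "bob", "hashedPassword": {
            "value": "5f4dcc3b5aa765d61d8327deb882cf99"}}}],   # bare MD5 hex, not MCF
    "userMetadata": [{"id": "u-1", "key": "tier", "value": base64.b64encode(b"gold").decode()}],
    "userGrants": [
        {"userId": "u-1", "projectId": "proj-1", "roleKeys": ["admin"]},
        {"userId": "u-2", "projectId": "proj-other", "roleKeys": ["viewer"]}],
}]}}

if __name__ == "__main__":
    for problem in check_payload(SAMPLE):
        print(problem)
```

Run against the sample it reports five problems: the OTP lockout disabled with 0, `devMode` on the app, the origin carrying a `/callback` path, bob's hash not being in Modular Crypt Format, and the user grant on `proj-other` without a `projectGrantId`. Run it over the real payload before calling the endpoint; an import that succeeds with `maxPasswordAttempts: 0` or `devMode: true` is valid as far as the API is concerned, and nothing downstream will tell you.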
  • dataOrgsv1 object
    orgs object[]
  • Array [
  • orgId string
    org object
    name string required

    Possible values: non-empty and <= 200 characters

    iamPolicy object
    orgId string required

    Possible values: non-empty and <= 200 characters

    userLoginMustBeDomain boolean

    the username has to end with the domain of its organization (uniqueness is organization based)

    labelPolicy object
    primaryColor string

    Possible values: <= 50 characters

    Represents a color scheme

    hideLoginNameSuffix boolean

    hides the org suffix on the login form if the scope "urn:zitadel:iam:org:domain:primary:{domainname}" is set

    warnColor string

    Possible values: <= 50 characters

    hex value for warn color

    backgroundColor string

    Possible values: <= 50 characters

    hex value for background color

    fontColor string

    Possible values: <= 50 characters

    hex value for font color

    primaryColorDark string

    Possible values: <= 50 characters

    hex value for the primary color dark theme

    backgroundColorDark string

    Possible values: <= 50 characters

    hex value for background color dark theme

    warnColorDark string

    Possible values: <= 50 characters

    hex value for warning color dark theme

    fontColorDark string

    Possible values: <= 50 characters

    hex value for font color dark theme

    disableWatermark boolean
    themeMode string

    Possible values: [THEME_MODE_UNSPECIFIED, THEME_MODE_AUTO, THEME_MODE_DARK, THEME_MODE_LIGHT]

    Default value: THEME_MODE_UNSPECIFIED

    defines whether the available themes are restricted (for example to light only or dark only); unspecified means no restriction

    lockoutPolicy object
    maxPasswordAttempts int64

    Once the user reaches this number of failed password attempts the account is locked. If set to 0, the lockout never triggers.

    maxOtpAttempts int64

    Maximum failed attempts for a single OTP type (TOTP, SMS, Email) before the account gets locked. Attempts are reset as soon as the OTP is entered correctly. If set to 0 the account will never be locked.

    loginPolicy object
    allowUsernamePassword boolean
    allowRegister boolean
    allowExternalIdp boolean
    forceMfa boolean
    passwordlessType string

    Possible values: [PASSWORDLESS_TYPE_NOT_ALLOWED, PASSWORDLESS_TYPE_ALLOWED]

    Default value: PASSWORDLESS_TYPE_NOT_ALLOWED

    PASSWORDLESS_TYPE_WITH_CERT is planned but not yet available.

    hidePasswordReset boolean
    ignoreUnknownUsernames boolean

    if true, an unknown username on the login screen does not return an error; the password screen is shown regardless, so usernames cannot be enumerated from the login form. If false, an unknown username returns an error directly.

    defaultRedirectUri string

    defines where the user will be redirected to if the login is started without app context (e.g. from mail)

    passwordCheckLifetime string
    externalLoginCheckLifetime string
    mfaInitSkipLifetime string
    secondFactorCheckLifetime string
    multiFactorCheckLifetime string
    secondFactors string[]

    Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED, SECOND_FACTOR_TYPE_OTP, SECOND_FACTOR_TYPE_U2F, SECOND_FACTOR_TYPE_OTP_EMAIL, SECOND_FACTOR_TYPE_OTP_SMS]

    SECOND_FACTOR_TYPE_OTP is the type for TOTP

    multiFactors string[]

    Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION]

    idps object[]
  • Array [
  • idpId string
    ownerType string

    Possible values: [IDP_OWNER_TYPE_UNSPECIFIED, IDP_OWNER_TYPE_SYSTEM, IDP_OWNER_TYPE_ORG]

    Default value: IDP_OWNER_TYPE_UNSPECIFIED

    the owner of the identity provider.

    • IDP_OWNER_TYPE_SYSTEM: the identity provider is managed by the ZITADEL administrators
    • IDP_OWNER_TYPE_ORG: the identity provider is managed by the organization administrators
  • ]
  • allowDomainDiscovery boolean

    If set to true, the suffix (@domain.com) of an unknown username input on the login screen will be matched against the org domains and will redirect to the registration of that organization on success.

    disableLoginWithEmail boolean

    if true, the user can no longer be identified by their verified email address in addition to the login name

    disableLoginWithPhone boolean

    if true, the user can no longer be identified by their verified phone number in addition to the login name

    forceMfaLocalOnly boolean

    if activated, only locally authenticated users are forced to use MFA. Authentication through IdPs will not prompt for an MFA step in the login.

    passwordComplexityPolicy object
    minLength uint64
    hasUppercase boolean

    Defines if the password MUST contain an upper case letter

    hasLowercase boolean

    Defines if the password MUST contain a lowercase letter

    hasNumber boolean

    Defines if the password MUST contain a number

    hasSymbol boolean

    Defines if the password MUST contain a symbol. E.g. "$"

    privacyPolicy object
    tosLink string

    If registration is enabled, the user has to accept the TOS. Variable {{.Lang}} can be set to have different links based on the language.

    privacyLink string

    If registration is enabled, the user has to accept the privacy terms. Variable {{.Lang}} can be set to have different links based on the language.

    helpLink string

    Variable {{.Lang}} can be set to have different links based on the language.

    supportEmail string

    help / support email address.

    projects object[]
  • Array [
  • projectId string
    project object
    name string required

    Possible values: non-empty and <= 200 characters

    projectRoleAssertion boolean

    Enable this setting to have role information included in the userinfo endpoint response. Whether roles are also included in tokens depends on the application settings (accessTokenRoleAssertion, idTokenRoleAssertion).

    projectRoleCheck boolean

    When enabled, ZITADEL checks that the user has a role of this project assigned when logging in to an application of this project.

    hasProjectCheck boolean

    When enabled ZITADEL will check if the organization of the user, that is trying to log in, has a grant to this project.

    privateLabelingSetting string

    Possible values: [PRIVATE_LABELING_SETTING_UNSPECIFIED, PRIVATE_LABELING_SETTING_ENFORCE_PROJECT_RESOURCE_OWNER_POLICY, PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY]

    Default value: PRIVATE_LABELING_SETTING_UNSPECIFIED

    Define which private labeling/branding should trigger when getting to a login of this project.

  • ]
  • projectRoles object[]
  • Array [
  • projectId string
    roleKey string required

    Possible values: non-empty and <= 200 characters

    The key is the only relevant attribute for ZITADEL regarding the authorization checks.

    displayName string required

    Possible values: non-empty and <= 200 characters

    group string

    Possible values: <= 200 characters

    The group is only used for display purposes, so that roles are easier to handle, for example assigning all roles of a group to a user.

  • ]
  • apiApps object[]
  • Array [
  • appId string
    app object
    projectId string
    name string required

    Possible values: non-empty and <= 200 characters

    authMethodType string

    Possible values: [API_AUTH_METHOD_TYPE_BASIC, API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT]

    Default value: API_AUTH_METHOD_TYPE_BASIC

  • ]
  • oidcApps object[]
  • Array [
  • appId string
    app object
    projectId string
    name string required

    Possible values: non-empty and <= 200 characters

    redirectUris string[]

    Callback URI of the authorization request where the code or tokens will be sent to

    responseTypes string[]

    Possible values: [OIDC_RESPONSE_TYPE_CODE, OIDC_RESPONSE_TYPE_ID_TOKEN, OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN]

    Determines whether a code, id_token token or just id_token will be returned

    grantTypes string[]

    Possible values: [OIDC_GRANT_TYPE_AUTHORIZATION_CODE, OIDC_GRANT_TYPE_IMPLICIT, OIDC_GRANT_TYPE_REFRESH_TOKEN, OIDC_GRANT_TYPE_DEVICE_CODE, OIDC_GRANT_TYPE_TOKEN_EXCHANGE]

    The flow type the application uses to gain access

    appType string

    Possible values: [OIDC_APP_TYPE_WEB, OIDC_APP_TYPE_USER_AGENT, OIDC_APP_TYPE_NATIVE]

    Default value: OIDC_APP_TYPE_WEB

    Determines the paradigm of the application

    authMethodType string

    Possible values: [OIDC_AUTH_METHOD_TYPE_BASIC, OIDC_AUTH_METHOD_TYPE_POST, OIDC_AUTH_METHOD_TYPE_NONE, OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT]

    Default value: OIDC_AUTH_METHOD_TYPE_BASIC

    Defines how the application passes login credentials

    postLogoutRedirectUris string[]

    ZITADEL will redirect to this link after a successful logout

    version string

    Possible values: [OIDC_VERSION_1_0]

    Default value: OIDC_VERSION_1_0

    devMode boolean

    Used for development: some checks required by the OIDC specification are skipped (for example, redirect URIs are not required to use https). Do not enable this for production applications.

    accessTokenType string

    Possible values: [OIDC_TOKEN_TYPE_BEARER, OIDC_TOKEN_TYPE_JWT]

    Default value: OIDC_TOKEN_TYPE_BEARER

    Type of the access token returned from ZITADEL

    accessTokenRoleAssertion boolean

    Adds roles to the claims of the access token (only if type == JWT) even if they are not requested by scopes

    idTokenRoleAssertion boolean

    Adds roles to the claims of the id token even if they are not requested by scopes

    idTokenUserinfoAssertion boolean

    Claims of the profile, email, address and phone scopes are added to the id token even if an access token is issued. Note that this violates the OIDC specification.

    clockSkew string

    Used to compensate time difference of servers. Duration added to the "exp" claim and subtracted from "iat", "auth_time" and "nbf" claims

    additionalOrigins string[]

    Additional origins (other than those of the redirect_uris) from which the API can be called; each entry has to be an origin (scheme://hostname[:port]) without path, query or fragment

    skipNativeAppSuccessPage boolean

    Skip the successful login page on native apps and directly redirect the user to the callback.

  • ]
  • humanUsers object[]
  • Array [
  • userId string
    user object
    userName string required
    profile object required

    Profile includes the basic information of a user, like first name, last name, etc.

    firstName string required

    Possible values: non-empty and <= 200 characters

    lastName string required

    Possible values: non-empty and <= 200 characters

    nickName string

    Possible values: <= 200 characters

    displayName string

    Possible values: <= 200 characters

    preferredLanguage string

    Possible values: <= 10 characters

    gender string

    Possible values: [GENDER_UNSPECIFIED, GENDER_FEMALE, GENDER_MALE, GENDER_DIVERSE]

    Default value: GENDER_UNSPECIFIED

    email object required
    email string required

    Object that contains the email address and a verified flag.

    isEmailVerified boolean

    If email verified is set to true, the email will be added as verified and the user doesn't have to verify.

    phone object

    Object that contains the number and a verified flag

    phone string

    Possible values: non-empty and <= 50 characters

    mobile phone number of the user. (use global pattern of spec https://tools.ietf.org/html/rfc3966)

    isPhoneVerified boolean
    password string
    hashedPassword object

    Use this to import hashed passwords from another system.

    value string

    Encoded hash of a password in Modular Crypt Format; see https://zitadel.com/docs/concepts/architecture/secrets#hashed-secrets for the formats ZITADEL accepts

    passwordChangeRequired boolean

    If this is set to true, the user has to change the password on the next login.

    requestPasswordlessRegistration boolean

    If this is set to true, you will get a link for the passwordless/passkey registration in the response.

    otpCode string
    idps object[]

    To link your user directly with an external identity provider (Identity brokering)

  • Array [
  • configId string

    Possible values: non-empty and <= 200 characters

    The internal ID of the identity provider configured in ZITADEL.

    externalUserId string

    Possible values: non-empty and <= 200 characters

    The id of the user in the external identity provider

    displayName string

    Possible values: <= 200 characters

    A display name ZITADEL can show on the linked provider.

  • ]
  • ]
  • machineUsers object[]
  • Array [
  • userId string
    user object
    userName string required

    Possible values: non-empty and <= 200 characters

    name string required

    Possible values: non-empty and <= 200 characters

    description string

    Possible values: <= 500 characters

    accessTokenType string

    Possible values: [ACCESS_TOKEN_TYPE_BEARER, ACCESS_TOKEN_TYPE_JWT]

    Default value: ACCESS_TOKEN_TYPE_BEARER

  • ]
  • triggerActions object[]
  • Array [
  • flowType string

    Possible values: [FLOW_TYPE_UNSPECIFIED, FLOW_TYPE_EXTERNAL_AUTHENTICATION]

    Default value: FLOW_TYPE_UNSPECIFIED

    triggerType string

    Possible values: [TRIGGER_TYPE_UNSPECIFIED, TRIGGER_TYPE_POST_AUTHENTICATION, TRIGGER_TYPE_PRE_CREATION, TRIGGER_TYPE_POST_CREATION]

    Default value: TRIGGER_TYPE_UNSPECIFIED

    actionIds string[]
  • ]
  • actions object[]
  • Array [
  • actionId string
    action object
    name string required

    Possible values: non-empty and <= 200 characters

    script string required

    Possible values: non-empty and <= 10000 characters

    JavaScript code that should be executed

    timeout string

    duration after which the action is terminated if it has not finished

    allowedToFail boolean

    when true, the next action is called even if this action fails

  • ]
  • projectGrants object[]
  • Array [
  • grantId string
    projectGrant object
    projectId string
    grantedOrgId string
    roleKeys string[]
  • ]
  • userGrants object[]
  • Array [
  • userId string required

    Possible values: non-empty

    projectId string required

    Possible values: non-empty and <= 200 characters

    projectGrantId string

    Possible values: <= 200 characters

    Make sure to fill in the project grant id if the user grant is for a granted project and the organization is not the owner of the project.

    roleKeys string[]
  • ]
  • orgMembers object[]
  • Array [
  • userId string
    roles string[]

    If no roles are provided the user won't have any rights

  • ]
  • projectMembers object[]
  • Array [
  • projectId string
    userId string
    roles string[]

    If no roles are provided the user won't have any rights

  • ]
  • projectGrantMembers object[]
  • Array [
  • projectId string
    grantId string
    userId string required

    Possible values: non-empty and <= 200 characters

    roles string[]

    If no roles are provided the user won't have any rights

  • ]
  • userMetadata object[]
  • Array [
  • id string

    Possible values: non-empty and <= 200 characters

    key string

    Possible values: non-empty and <= 200 characters

    value byte

    Possible values: non-empty and <= 500000 characters

    The value has to be base64 encoded.

  • ]
  • loginTexts object[]
  • Array [
  • language string
    selectAccountText object
    title string
    description string
    titleLinkingProcess string
    descriptionLinkingProcess string
    otherUser string
    sessionStateActive string
    sessionStateInactive string
    userMustBeMemberOfOrg string
    loginText object
    title string
    description string
    titleLinkingProcess string
    descriptionLinkingProcess string
    userMustBeMemberOfOrg string
    loginNameLabel string
    registerButtonText string
    nextButtonText string
    externalUserDescription string
    userNamePlaceholder string
    loginNamePlaceholder string
    passwordText object
    title string
    description string
    passwordLabel string
    resetLinkText string
    backButtonText string
    nextButtonText string
    minLength string
    hasUppercase string
    hasLowercase string
    hasNumber string
    hasSymbol string
    confirmation string
    usernameChangeText object
    title string
    description string
    usernameLabel string
    cancelButtonText string
    nextButtonText string
    usernameChangeDoneText object
    title string
    description string
    nextButtonText string
    initPasswordText object
    title string
    description string
    codeLabel string
    newPasswordLabel string
    newPasswordConfirmLabel string
    nextButtonText string
    resendButtonText string
    initPasswordDoneText object
    title string
    description string
    nextButtonText string
    cancelButtonText string
    emailVerificationText object
    title string
    description string
    codeLabel string
    nextButtonText string
    resendButtonText string
    emailVerificationDoneText object
    title string
    description string
    nextButtonText string
    cancelButtonText string
    loginButtonText string
    initializeUserText object
    title string
    description string
    codeLabel string
    newPasswordLabel string
    newPasswordConfirmLabel string
    resendButtonText string
    nextButtonText string
    initializeDoneText object
    title string
    description string
    cancelButtonText string
    nextButtonText string
    initMfaPromptText object
    title string
    description string
    otpOption string
    u2fOption string
    skipButtonText string
    nextButtonText string
    initMfaOtpText object
    title string
    description string
    descriptionOtp string
    secretLabel string
    codeLabel string
    nextButtonText string
    cancelButtonText string
    initMfaU2fText object
    title string
    description string
    tokenNameLabel string
    notSupported string
    registerTokenButtonText string
    errorRetry string
    initMfaDoneText object
    title string
    description string
    cancelButtonText string
    nextButtonText string
    mfaProvidersText object
    chooseOther string
    otp string
    u2f string
    verifyMfaOtpText object
    title string
    description string
    codeLabel string
    nextButtonText string
    verifyMfaU2fText object
    title string
    description string
    validateTokenText string
    notSupported string
    errorRetry string
    passwordlessText object
    title string
    description string
    loginWithPwButtonText string
    validateTokenButtonText string
    notSupported string
    errorRetry string
    passwordChangeText object
    title string
    description string
    oldPasswordLabel string
    newPasswordLabel string
    newPasswordConfirmLabel string
    cancelButtonText string
    nextButtonText string
    passwordChangeDoneText object
    title string
    description string
    nextButtonText string
    passwordResetDoneText object
    title string
    description string
    nextButtonText string
    registrationOptionText object
    title string
    description string
    userNameButtonText string
    externalLoginDescription string
    loginButtonText string
    registrationUserText object
    title string
    description string
    descriptionOrgRegister string
    firstnameLabel string
    lastnameLabel string
    emailLabel string
    usernameLabel string
    languageLabel string
    genderLabel string
    passwordLabel string
    passwordConfirmLabel string
    tosAndPrivacyLabel string
    tosConfirm string
    tosLinkText string
    privacyConfirm string
    privacyLinkText string
    nextButtonText string
    backButtonText string
    registrationOrgText object
    title string
    description string
    orgnameLabel string
    firstnameLabel string
    lastnameLabel string
    usernameLabel string
    emailLabel string
    passwordLabel string
    passwordConfirmLabel string
    tosAndPrivacyLabel string
    tosConfirm string
    tosLinkText string
    privacyConfirm string
    privacyLinkText string
    saveButtonText string
    linkingUserDoneText object
    title string
    description string
    cancelButtonText string
    nextButtonText string
    externalUserNotFoundText object
    title string
    description string
    linkButtonText string
    autoRegisterButtonText string
    tosAndPrivacyLabel string
    tosConfirm string
    tosLinkText string
    privacyLinkText string
    privacyConfirm string
    successLoginText object
    title string
    autoRedirectDescription string

    Text to describe that auto-redirect should happen after successful login

    redirectedDescription string

    Text to describe that the window can be closed after redirect

    nextButtonText string
    logoutText object
    title string
    description string
    loginButtonText string
    footerText object
    tos string
    privacyPolicy string
    help string
    supportEmail string
    passwordlessPromptText object
    title string
    description string
    descriptionInit string
    passwordlessButtonText string
    nextButtonText string
    skipButtonText string
    passwordlessRegistrationText object
    title string
    description string
    tokenNameLabel string
    notSupported string
    registerTokenButtonText string
    errorRetry string
    passwordlessRegistrationDoneText object
    title string
    description string
    nextButtonText string
    cancelButtonText string
    descriptionClose string
    externalRegistrationUserOverviewText object
    title string
    description string
    emailLabel string
    usernameLabel string
    firstnameLabel string
    lastnameLabel string
    nicknameLabel string
    languageLabel string
    phoneLabel string
    tosAndPrivacyLabel string
    tosConfirm string
    tosLinkText string
    privacyLinkText string
    backButtonText string
    nextButtonText string
    privacyConfirm string
    linkingUserPromptText object
    title string
    description string
    linkButtonText string
    otherButtonText string
  • ]
  • initMessages object[]
  • Array [
  • language string
    title string

    Possible values: <= 500 characters

    preHeader string

    Possible values: <= 500 characters

    subject string

    Possible values: <= 500 characters

    greeting string

    Possible values: <= 1000 characters

    text string

    Possible values: <= 10000 characters

    buttonText string

    Possible values: <= 1000 characters

    footerText string
  • ]
  • passwordResetMessages object[]
  • Array [
  • language string
    title string

    Possible values: <= 500 characters

    preHeader string

    Possible values: <= 500 characters

    subject string

    Possible values: <= 500 characters

    greeting string

    Possible values: <= 1000 characters

    text string

    Possible values: <= 10000 characters

    buttonText string

    Possible values: <= 1000 characters

    footerText string
  • ]
  • verifyEmailMessages object[]
  • Array [
  • language string
    title string

    Possible values: <= 500 characters

    preHeader string

    Possible values: <= 500 characters

    subject string

    Possible values: <= 500 characters

    greeting string

    Possible values: <= 1000 characters

    text string

    Possible values: <= 10000 characters

    buttonText string

    Possible values: <= 1000 characters

    footerText string
  • ]
  • verifyPhoneMessages object[]
  • Array [
  • language string
    title string

    Possible values: <= 500 characters

    preHeader string

    Possible values: <= 500 characters

    subject string

    Possible values: <= 500 characters

    greeting string

    Possible values: <= 1000 characters

    text string

    Possible values: <= 800 characters

    buttonText string

    Possible values: <= 1000 characters

    footerText string
  • ]
  • domainClaimedMessages object[]
  • Array [
  • language string
    title string

    Possible values: <= 500 characters

    preHeader string

    Possible values: <= 500 characters

    subject string

    Possible values: <= 500 characters

    greeting string

    Possible values: <= 1000 characters

    text string

    Possible values: <= 10000 characters

    buttonText string

    Possible values: <= 1000 characters

    footerText string
  • ]
  • passwordlessRegistrationMessages object[]
  • Array [
  • language string
    title string

    Possible values: <= 500 characters

    preHeader string

    Possible values: <= 500 characters

    subject string

    Possible values: <= 500 characters

    greeting string

    Possible values: <= 1000 characters

    text string

    Possible values: <= 10000 characters

    buttonText string

    Possible values: <= 500 characters

    footerText string
  • ]
  • oidcIdps object[]
  • Array [
  • idpId string
    idp object
    name string required

    Possible values: non-empty and <= 200 characters

    stylingType string

    Possible values: [STYLING_TYPE_UNSPECIFIED, STYLING_TYPE_GOOGLE]

    Default value: STYLING_TYPE_UNSPECIFIED

    some identity providers prescribe the styling of the button that starts their login

    clientId string required

    Possible values: non-empty and <= 200 characters

    client id generated by the identity provider

    clientSecret string required

    Possible values: non-empty and <= 200 characters

    client secret generated by the identity provider

    issuer string required

    the OIDC issuer of the identity provider

    scopes string[]

    the scopes requested by ZITADEL during the request on the identity provider

    displayNameMapping string

    Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED, OIDC_MAPPING_FIELD_PREFERRED_USERNAME, OIDC_MAPPING_FIELD_EMAIL]

    Default value: OIDC_MAPPING_FIELD_UNSPECIFIED

    definition which field is mapped to the display name of the user

    usernameMapping string

    Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED, OIDC_MAPPING_FIELD_PREFERRED_USERNAME, OIDC_MAPPING_FIELD_EMAIL]

    Default value: OIDC_MAPPING_FIELD_UNSPECIFIED

    definition which field is mapped to the username of the user

    autoRegister boolean
  • ]
  • jwtIdps object[]
  • Array [
  • idpId string
    idp object
    name string required

    Possible values: non-empty and <= 200 characters

    stylingType string

    Possible values: [STYLING_TYPE_UNSPECIFIED, STYLING_TYPE_GOOGLE]

    Default value: STYLING_TYPE_UNSPECIFIED

    some identity providers prescribe the styling of the button that starts their login

    jwtEndpoint string required

    Possible values: non-empty and <= 200 characters

    the endpoint where the JWT can be extracted

    issuer string required

    Possible values: non-empty and <= 200 characters

    the issuer of the JWT (for validation)

    keysEndpoint string required

    Possible values: non-empty and <= 200 characters

    the endpoint (JWKS) serving the public key(s) used to verify the signature of the JWT

    headerName string required

    Possible values: non-empty and <= 200 characters

    the name of the HTTP header in which the JWT is sent; the default is authorization

    autoRegister boolean
  • ]
  • secondFactors object[]
  • Array [
  • type string

    Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED, SECOND_FACTOR_TYPE_OTP, SECOND_FACTOR_TYPE_U2F, SECOND_FACTOR_TYPE_OTP_EMAIL, SECOND_FACTOR_TYPE_OTP_SMS]

    Default value: SECOND_FACTOR_TYPE_UNSPECIFIED

    SECOND_FACTOR_TYPE_OTP is the type for TOTP

  • ]
  • multiFactors object[]
  • Array [
  • type string

    Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION]

    Default value: MULTI_FACTOR_TYPE_UNSPECIFIED

  • ]
  • idps object[]
  • Array [
  • idpId string
    ownerType string

    Possible values: [IDP_OWNER_TYPE_UNSPECIFIED, IDP_OWNER_TYPE_SYSTEM, IDP_OWNER_TYPE_ORG]

    Default value: IDP_OWNER_TYPE_UNSPECIFIED

    the owner of the identity provider.

    • IDP_OWNER_TYPE_SYSTEM: the identity provider is managed by the ZITADEL administrators
    • IDP_OWNER_TYPE_ORG: the identity provider is managed by the organization administrators
  • ]
  • userLinks object[]
  • Array [
  • userId string

    the id of the user

    idpId string

    the id of the identity provider

    idpName string

    the name of the identity provider

    providedUserId string

    the id of the user provided by the identity provider

    providedUserName string

    the username of the user as provided by the identity provider

    idpType string

    Possible values: [IDP_TYPE_UNSPECIFIED, IDP_TYPE_OIDC, IDP_TYPE_JWT]

    Default value: IDP_TYPE_UNSPECIFIED

    the authorization framework of the identity provider

  • ]
  • domains object[]
  • Array [
  • orgId string
    details object
    sequence uint64

    on read: the sequence of the last event reduced by the projection

    on manipulation: the timestamp of the event(s) added by the manipulation

    creationDate date-time

    on read: the timestamp of the first event of the object

    on create: the timestamp of the event(s) added by the manipulation

    changeDate date-time

    on read: the timestamp of the last event reduced by the projection

    on manipulation: the

    resourceOwner string

    resource_owner is the organization an object belongs to

    domainName string
    isVerified boolean

    defines if the domain is verified

    isPrimary boolean

    defines if the domain is the primary domain

    validationType string

    Possible values: [DOMAIN_VALIDATION_TYPE_UNSPECIFIED, DOMAIN_VALIDATION_TYPE_HTTP, DOMAIN_VALIDATION_TYPE_DNS]

    Default value: DOMAIN_VALIDATION_TYPE_UNSPECIFIED

    defines the protocol the domain was validated with

  • ]
  • appKeys object[]
  • Array [
  • id string
    projectId string
    appId string
    clientId string
    type string

    Possible values: [KEY_TYPE_UNSPECIFIED, KEY_TYPE_JSON]

    Default value: KEY_TYPE_UNSPECIFIED

    expirationDate date-time
    publicKey byte
  • ]
  • machineKeys object[]
  • Array [
  • keyId string
    userId string
    type string

    Possible values: [KEY_TYPE_UNSPECIFIED, KEY_TYPE_JSON]

    Default value: KEY_TYPE_UNSPECIFIED

    expirationDate date-time
    publicKey byte
  • ]
  • ]
  • dataOrgsLocal object
    path string
    dataOrgsv1Local object
    path string
    dataOrgsS3 object
    path string
    endpoint string
    accessKeyId string
    secretAccessKey string
    ssl boolean
    bucket string
    dataOrgsv1S3 object
    path string
    endpoint string
    accessKeyId string
    secretAccessKey string
    ssl boolean
    bucket string
    dataOrgsGcs object
    bucket string
    serviceaccountJson string
    path string
    dataOrgsv1Gcs object
    bucket string
    serviceaccountJson string
    path string
    timeout string
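Several of the request fields above decide how safe the imported tenant is once the call succeeds: a lockoutPolicy whose maxPasswordAttempts is 0 never locks an account, an oidcApps entry with devMode, the implicit grant or a non-https redirect URI weakens the client, and a humanUsers entry whose hashedPassword.value is not in Modular Crypt Format, uses a low bcrypt cost, or carries a plaintext password without passwordChangeRequired is a credential problem shipped straight into the new instance. The pre-import check below is an added example written for this page, not ZITADEL's own tooling: the payload is constructed in the shape of the dataOrgsv1 body, the cost thresholds are this example's assumptions, and only the listed fields are inspected.

```python
import re
from typing import Any
from urllib.parse import urlparse

# Constructed sample in the shape of the dataOrgsv1 request body on this page.
# IDs, names and values are made up for the example.
SAMPLE_PAYLOAD: dict[str, Any] = {
    "dataOrgsv1": {"orgs": [{
        "orgId": "org-1",
        "org": {"name": "Example Org"},
        "lockoutPolicy": {"maxPasswordAttempts": 0, "maxOtpAttempts": 5},
        "oidcApps": [{"appId": "app-1", "app": {
            "projectId": "proj-1", "name": "Web",
            "redirectUris": ["http://app.example.com/callback", "http://localhost:8080/cb"],
            "grantTypes": ["OIDC_GRANT_TYPE_AUTHORIZATION_CODE", "OIDC_GRANT_TYPE_IMPLICIT"],
            "devMode": True,
        }}],
        "humanUsers": [
            {"userId": "u-1", "user": {"userName": "alice",
             "hashedPassword": {"value": "$2a$04$" + "a" * 53}}},          # bcrypt, cost 4
            {"userId": "u-2", "user": {"userName": "bob", "password": "Secret123!"}},
            {"userId": "u-3", "user": {"userName": "carol",
             "hashedPassword": {"value": "5f4dcc3b5aa765d61d8327deb882cf99"}}},  # bare MD5 hex
        ],
    }]}
}

# Thresholds are assumptions made for this example, not ZITADEL requirements.
MIN_BCRYPT_COST = 10
MIN_ARGON2_MEMORY_KIB = 19 * 1024

MCF_RE = re.compile(r"^\$[A-Za-z0-9-]+\$.+$")                       # "$<id>$..." framing
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")  # $2a$10$<22 salt><31 hash>
ARGON2_RE = re.compile(r"^\$argon2(?:i|d|id)\$v=\d+\$m=(\d+),t=(\d+),p=(\d+)\$[^$]+\$[^$]+$")


def check_hashed_password(value: str) -> list[str]:
    """Sanity-check a hashedPassword.value: must be MCF; known schemes get a cost check."""
    if not MCF_RE.match(value):
        return ["hashedPassword.value is not in Modular Crypt Format"]
    if m := BCRYPT_RE.match(value):
        cost = int(m.group(1))
        return [f"bcrypt cost {cost} is below {MIN_BCRYPT_COST}"] if cost < MIN_BCRYPT_COST else []
    if m := ARGON2_RE.match(value):
        mem = int(m.group(1))
        return [f"argon2 memory {mem} KiB is below {MIN_ARGON2_MEMORY_KIB}"] if mem < MIN_ARGON2_MEMORY_KIB else []
    return []  # other MCF identifiers: left for ZITADEL to accept or reject on import


def lint_human_user(entry: dict[str, Any]) -> list[str]:
    user = entry.get("user", {})
    name = user.get("userName", entry.get("userId", "?"))
    hashed = user.get("hashedPassword", {}).get("value")
    if hashed is not None:
        return [f"user {name}: {f}" for f in check_hashed_password(hashed)]
    if "password" in user and not user.get("passwordChangeRequired"):
        return [f"user {name}: plaintext password imported without passwordChangeRequired"]
    return []


def lint_oidc_app(entry: dict[str, Any]) -> list[str]:
    app = entry.get("app", {})
    name = app.get("name", entry.get("appId", "?"))
    findings = []
    if app.get("devMode"):
        findings.append(f"app {name}: devMode is true, OIDC checks are relaxed")
    if "OIDC_GRANT_TYPE_IMPLICIT" in app.get("grantTypes", []):
        findings.append(f"app {name}: implicit grant enabled")
    for uri in app.get("redirectUris", []):
        u = urlparse(uri)
        if u.scheme != "https" and u.hostname not in ("localhost", "127.0.0.1", "::1"):
            findings.append(f"app {name}: non-https redirect URI {uri}")
    return findings


def lint_payload(payload: dict[str, Any]) -> list[str]:
    """Return every finding for the orgs in a dataOrgsv1 body; empty list means clean."""
    findings: list[str] = []
    for org in payload.get("dataOrgsv1", {}).get("orgs", []):
        org_name = org.get("org", {}).get("name", org.get("orgId", "?"))
        lockout = org.get("lockoutPolicy")
        if lockout is not None and lockout.get("maxPasswordAttempts", 0) == 0:
            findings.append(f"org {org_name}: lockoutPolicy.maxPasswordAttempts is 0, lockout never triggers")
        for app in org.get("oidcApps", []):
            findings += [f"org {org_name}: {f}" for f in lint_oidc_app(app)]
        for user in org.get("humanUsers", []):
            findings += [f"org {org_name}: {f}" for f in lint_human_user(user)]
    return findings


if __name__ == "__main__":
    for line in lint_payload(SAMPLE_PAYLOAD):
        print(line)
```

Run it against the real payload before it is posted (or uploaded to the S3/GCS bucket referenced by dataOrgsS3 or dataOrgsGcs); a non-empty result is a reason to fix the export, not to lower the thresholds. Hashes in other MCF schemes pass the framing check only, so whether ZITADEL accepts them is decided at import time.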
Responses

A successful response.


Schema
    errors object[]
  • Array [
  • type string
    id string
    message string
  • ]
  • success object
    orgs object[]
  • Array [
  • orgId string
    projectIds string[]
    projectRoles string[]
    oidcAppIds string[]
    apiAppIds string[]
    humanUserIds string[]
    machineUserIds string[]
    actionIds string[]
    triggerActions object[]
  • Array [
  • flowType string

    id of the flow type. The following flows are currently allowed:

    • External Authentication: FLOW_TYPE_EXTERNAL_AUTHENTICATION or 1
    • Internal Authentication: 3
    • Complement Token: 2
    • Complement SAML Response: 4

    triggerType string

    id of the trigger type. The following triggers are currently allowed:

    • External Authentication: Post Authentication: TRIGGER_TYPE_POST_AUTHENTICATION or 1; Pre Creation: TRIGGER_TYPE_PRE_CREATION or 2; Post Creation: TRIGGER_TYPE_POST_CREATION or 3
    • Internal Authentication: Post Authentication: TRIGGER_TYPE_POST_AUTHENTICATION or 1; Pre Creation: TRIGGER_TYPE_PRE_CREATION or 2; Post Creation: TRIGGER_TYPE_POST_CREATION or 3
    • Complement Token: Pre Userinfo Creation: 4; Pre Access Token Creation: 5
    • Complement SAML Response: Pre SAML Response Creation: 6
    actionIds string[]
  • ]
  • projectGrants object[]
  • Array [
  • grantId string
    projectId string
    orgId string
  • ]
  • userGrants object[]
  • Array [
  • projectId string
    userId string
  • ]
  • orgMembers string[]
    projectMembers object[]
  • Array [
  • projectId string
    userId string
  • ]
  • projectGrantMembers object[]
  • Array [
  • projectId string
    grantId string
    userId string
  • ]
  • oidcIpds string[]
    jwtIdps string[]
    idpLinks string[]
    userLinks object[]
  • Array [
  • userId string
    externalUserId string
    displayName string
    idpId string
  • ]
  • userMetadata object[]
  • Array [
  • userId string
    key string
  • ]
  • domains string[]
    appKeys string[]
    machineKeys string[]
  • ]
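The import can partially succeed: the call still returns "A successful response", per-object failures show up only in errors[] (type, id, message), and success.orgs[] lists the IDs that were actually created. A client therefore has to read the body rather than the status, as in this added example (not part of the page or of ZITADEL's tooling): the response, the error type and message strings, and the set of requested user IDs are constructed for illustration.

```python
from typing import Any

# Constructed response in the shape of the schema above; the error "type" and
# "message" values are made up for the example.
SAMPLE_RESPONSE: dict[str, Any] = {
    "errors": [
        {"type": "human_user", "id": "u-3", "message": "invalid password hash"},
    ],
    "success": {"orgs": [{
        "orgId": "org-1",
        "projectIds": ["proj-1"],
        "oidcAppIds": ["app-1"],
        "humanUserIds": ["u-1", "u-2"],
        "orgMembers": ["u-1"],
        "userGrants": [{"projectId": "proj-1", "userId": "u-1"}],
    }]},
}

# Human user IDs that were in the request, keyed by org; constructed to match SAMPLE_RESPONSE.
REQUESTED_HUMAN_USERS: dict[str, list[str]] = {"org-1": ["u-1", "u-2", "u-3"]}


def import_succeeded(response: dict[str, Any]) -> bool:
    """True only when the errors array is absent or empty; the HTTP status alone does not say."""
    return not response.get("errors")


def errors_by_type(response: dict[str, Any]) -> dict[str, int]:
    """Count failed objects per error type so a partial import can be triaged."""
    counts: dict[str, int] = {}
    for err in response.get("errors", []):
        kind = err.get("type", "unknown")
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def imported_ids(response: dict[str, Any], org_id: str, field: str) -> set[str]:
    """IDs reported under success.orgs[].<field> for one org, e.g. humanUserIds."""
    for org in response.get("success", {}).get("orgs", []):
        if org.get("orgId") == org_id:
            return set(org.get(field, []))
    return set()


def missing_human_users(requested: dict[str, list[str]], response: dict[str, Any]) -> dict[str, list[str]]:
    """Requested user IDs that never made it into the success list, per org."""
    missing: dict[str, list[str]] = {}
    for org_id, ids in requested.items():
        gone = sorted(set(ids) - imported_ids(response, org_id, "humanUserIds"))
        if gone:
            missing[org_id] = gone
    return missing


if __name__ == "__main__":
    if import_succeeded(SAMPLE_RESPONSE):
        print("import complete")
    else:
        print("import incomplete:", errors_by_type(SAMPLE_RESPONSE))
        print("users not imported:", missing_human_users(REQUESTED_HUMAN_USERS, SAMPLE_RESPONSE))
```

Diffing the request against success.orgs[] is the reliable way to find what is missing, because an object that was silently skipped appears in neither list; the same comparison applies to projectIds, oidcAppIds, machineUserIds and the other ID arrays of the success object.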