Import Data
Import data on an instance level to ZITADEL. The data can either be included directly in the request, or you can point to a file in S3 storage from which it should be loaded.
Request Body required
IDP_OWNER_TYPE_SYSTEM: system is managed by the ZITADEL administrators
IDP_OWNER_TYPE_ORG: org is managed by the organization administrators
dataOrgs object
orgs object[]
org object
Possible values: non-empty
and <= 200 characters
domainPolicy object
Possible values: non-empty
and <= 200 characters
the username has to end with the domain of its organization
defines whether organization domains have to be validated or count as validated automatically
defines if the SMTP sender address domain should match an existing domain on the instance
labelPolicy object
Possible values: <= 50 characters
Represents a color scheme
hides the org suffix on the login form if the scope "urn:zitadel:iam:org:domain:primary:{domainname}" is set
Possible values: <= 50 characters
hex value for warn color
Possible values: <= 50 characters
hex value for background color
Possible values: <= 50 characters
hex value for font color
Possible values: <= 50 characters
hex value for the primary color dark theme
Possible values: <= 50 characters
hex value for background color dark theme
Possible values: <= 50 characters
hex value for warning color dark theme
Possible values: <= 50 characters
hex value for font color dark theme
Possible values: [THEME_MODE_UNSPECIFIED
, THEME_MODE_AUTO
, THEME_MODE_DARK
, THEME_MODE_LIGHT
]
Default value: THEME_MODE_UNSPECIFIED
defines whether the available themes should be restricted
lockoutPolicy object
When the user has reached the maximum number of password attempts, the account will be locked. If this is set to 0, the lockout will not trigger.
Maximum failed attempts for a single OTP type (TOTP, SMS, Email) before the account gets locked. Attempts are reset as soon as the OTP is entered correctly. If set to 0 the account will never be locked.
loginPolicy object
Possible values: [PASSWORDLESS_TYPE_NOT_ALLOWED
, PASSWORDLESS_TYPE_ALLOWED
]
Default value: PASSWORDLESS_TYPE_NOT_ALLOWED
defines whether an unknown username on the login screen directly returns an error or the password screen is always displayed
defines where the user will be redirected to if the login is started without app context (e.g. from mail)
Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED
, SECOND_FACTOR_TYPE_OTP
, SECOND_FACTOR_TYPE_U2F
, SECOND_FACTOR_TYPE_OTP_EMAIL
, SECOND_FACTOR_TYPE_OTP_SMS
]
Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED
, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION
]
idps object[]
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED
, IDP_OWNER_TYPE_SYSTEM
, IDP_OWNER_TYPE_ORG
]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.
If set to true, the suffix (@domain.com) of an unknown username input on the login screen will be matched against the org domains and will redirect to the registration of that organization on success.
defines if the user can additionally (to the login name) be identified by their verified email address
defines if the user can additionally (to the login name) be identified by their verified phone number
if activated, only locally authenticated users are forced to use MFA. Authentication through IDPs won't prompt an MFA step in the login.
passwordComplexityPolicy object
Defines if the password MUST contain an upper case letter
Defines if the password MUST contain a lowercase letter
Defines if the password MUST contain a number
Defines if the password MUST contain a symbol. E.g. "$"
privacyPolicy object
If registration is enabled, the user has to accept the TOS. Variable {{.Lang}} can be set to have different links based on the language.
If registration is enabled, the user has to accept the privacy terms. Variable {{.Lang}} can be set to have different links based on the language.
Variable {{.Lang}} can be set to have different links based on the language.
help / support email address.
Link to documentation to be shown in the console.
Link to an external resource that will be available to users in the console.
The button text shown in the console that points to the custom link.
projects object[]
project object
Possible values: non-empty
and <= 200 characters
Enable this setting to have role information included in the user info endpoint. It is also dependent on your application settings to include it in tokens and other types.
When enabled, ZITADEL will check if the user has a role of this project assigned when logging into an application of this project.
When enabled, ZITADEL will check if the organization of the user who is trying to log in has a grant to this project.
Possible values: [PRIVATE_LABELING_SETTING_UNSPECIFIED
, PRIVATE_LABELING_SETTING_ENFORCE_PROJECT_RESOURCE_OWNER_POLICY
, PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY
]
Default value: PRIVATE_LABELING_SETTING_UNSPECIFIED
Define which private labeling/branding should trigger when getting to a login of this project.
projectRoles object[]
Possible values: non-empty
and <= 200 characters
The key is the only relevant attribute for ZITADEL regarding the authorization checks.
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
The group is only used for display purposes, so that you have easier handling, for example giving all the roles of a group to a user.
apiApps object[]
app object
Possible values: non-empty
and <= 200 characters
Possible values: [API_AUTH_METHOD_TYPE_BASIC
, API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]
Default value: API_AUTH_METHOD_TYPE_BASIC
oidcApps object[]
app object
Possible values: non-empty
and <= 200 characters
Callback URI of the authorization request where the code or tokens will be sent to
Possible values: [OIDC_RESPONSE_TYPE_CODE
, OIDC_RESPONSE_TYPE_ID_TOKEN
, OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN
]
Determines whether a code, id_token token or just id_token will be returned
Possible values: [OIDC_GRANT_TYPE_AUTHORIZATION_CODE
, OIDC_GRANT_TYPE_IMPLICIT
, OIDC_GRANT_TYPE_REFRESH_TOKEN
, OIDC_GRANT_TYPE_DEVICE_CODE
, OIDC_GRANT_TYPE_TOKEN_EXCHANGE
]
The flow type the application uses to gain access
Possible values: [OIDC_APP_TYPE_WEB
, OIDC_APP_TYPE_USER_AGENT
, OIDC_APP_TYPE_NATIVE
]
Default value: OIDC_APP_TYPE_WEB
Determines the paradigm of the application
Possible values: [OIDC_AUTH_METHOD_TYPE_BASIC
, OIDC_AUTH_METHOD_TYPE_POST
, OIDC_AUTH_METHOD_TYPE_NONE
, OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]
Default value: OIDC_AUTH_METHOD_TYPE_BASIC
Defines how the application passes login credentials
ZITADEL will redirect to this link after a successful logout
Possible values: [OIDC_VERSION_1_0
]
Default value: OIDC_VERSION_1_0
Used for development; some checks of the OIDC specification will be skipped.
Possible values: [OIDC_TOKEN_TYPE_BEARER
, OIDC_TOKEN_TYPE_JWT
]
Default value: OIDC_TOKEN_TYPE_BEARER
Type of the access token returned from ZITADEL
Adds roles to the claims of the access token (only if type == JWT) even if they are not requested by scopes
Adds roles to the claims of the id token even if they are not requested by scopes
Claims of the profile, email, address and phone scopes are added to the id token even if an access token is issued. Attention: this violates the OIDC specification.
Used to compensate for clock differences between servers. Duration added to the "exp" claim and subtracted from the "iat", "auth_time" and "nbf" claims
Additional origins (other than the redirect_uris) from where the API can be used; the provided string has to be an origin (scheme://hostname[:port]) without path, query or fragment
Skip the successful login page on native apps and directly redirect the user to the callback.
humanUsers object[]
user object
profile object required
Profile includes the basic information of a user, like first name, last name, etc.
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
Possible values: <= 200 characters
Possible values: <= 10 characters
Possible values: [GENDER_UNSPECIFIED
, GENDER_FEMALE
, GENDER_MALE
, GENDER_DIVERSE
]
Default value: GENDER_UNSPECIFIED
email object required
Object that contains the email address and a verified flag.
If email verified is set to true, the email will be added as verified and the user doesn't have to verify.
phone object
Object that contains the number and a verified flag
Possible values: non-empty
and <= 50 characters
mobile phone number of the user (use the global pattern of RFC 3966: https://tools.ietf.org/html/rfc3966)
hashedPassword object
Use this to import hashed passwords from another system.
Encoded hash of a password in Modular Crypt Format: https://zitadel.com/docs/concepts/architecture/secrets#hashed-secrets
If this is set to true, the user has to change the password on the next login.
If this is set to true, you will get a link for the passwordless/passkey registration in the response.
idps object[]
To link your user directly with an external identity provider (Identity brokering)
Possible values: non-empty
and <= 200 characters
The internal ID of the identity provider configured in ZITADEL.
Possible values: non-empty
and <= 200 characters
The id of the user in the external identity provider
Possible values: <= 200 characters
A display name ZITADEL can show on the linked provider.
machineUsers object[]
user object
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: <= 500 characters
Possible values: [ACCESS_TOKEN_TYPE_BEARER
, ACCESS_TOKEN_TYPE_JWT
]
Default value: ACCESS_TOKEN_TYPE_BEARER
triggerActions object[]
actions object[]
action object
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 10000 characters
JavaScript code that should be executed
after which time the action will be terminated if not finished
when true, the next action will be called even if this action fails
projectGrants object[]
projectGrant object
userGrants object[]
Possible values: non-empty
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
Make sure to fill in the project grant id if the user grant is for a granted project and the organization is not the owner of the project.
orgMembers object[]
If no roles are provided the user won't have any rights
projectMembers object[]
If no roles are provided the user won't have any rights
projectGrantMembers object[]
Possible values: non-empty
and <= 200 characters
If no roles are provided the user won't have any rights
userMetadata object[]
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 500000 characters
The value has to be base64 encoded.
loginTexts object[]
selectAccountText object
loginText object
passwordText object
usernameChangeText object
usernameChangeDoneText object
initPasswordText object
initPasswordDoneText object
emailVerificationText object
emailVerificationDoneText object
initializeUserText object
initializeDoneText object
initMfaPromptText object
initMfaOtpText object
initMfaU2fText object
initMfaDoneText object
mfaProvidersText object
verifyMfaOtpText object
verifyMfaU2fText object
passwordlessText object
passwordChangeText object
passwordChangeDoneText object
passwordResetDoneText object
registrationOptionText object
registrationUserText object
registrationOrgText object
linkingUserDoneText object
externalUserNotFoundText object
successLoginText object
logoutText object
footerText object
passwordlessPromptText object
passwordlessRegistrationText object
passwordlessRegistrationDoneText object
externalRegistrationUserOverviewText object
linkingUserPromptText object
initMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
passwordResetMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
verifyEmailMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
verifyPhoneMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 800 characters
Possible values: <= 1000 characters
domainClaimedMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
passwordlessRegistrationMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 500 characters
oidcIdps object[]
idp object
Possible values: non-empty
and <= 200 characters
Possible values: [STYLING_TYPE_UNSPECIFIED
, STYLING_TYPE_GOOGLE
]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button that leads to their login
Possible values: non-empty
and <= 200 characters
client id generated by the identity provider
Possible values: non-empty
and <= 200 characters
client secret generated by the identity provider
the OIDC issuer of the identity provider
the scopes requested by ZITADEL during the request on the identity provider
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED
, OIDC_MAPPING_FIELD_PREFERRED_USERNAME
, OIDC_MAPPING_FIELD_EMAIL
]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
defines which field is mapped to the display name of the user
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED
, OIDC_MAPPING_FIELD_PREFERRED_USERNAME
, OIDC_MAPPING_FIELD_EMAIL
]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
defines which field is mapped to the email of the user
jwtIdps object[]
idp object
Possible values: non-empty
and <= 200 characters
Possible values: [STYLING_TYPE_UNSPECIFIED
, STYLING_TYPE_GOOGLE
]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button that leads to their login
Possible values: non-empty
and <= 200 characters
the endpoint where the JWT can be extracted
Possible values: non-empty
and <= 200 characters
the issuer of the JWT (for validation)
Possible values: non-empty
and <= 200 characters
the endpoint of the key (JWK) the JWT is signed with
Possible values: non-empty
and <= 200 characters
the name of the header the JWT is sent in; default is authorization
userLinks object[]
the id of the user
the id of the identity provider
the name of the identity provider
the id of the user provided by the identity provider
the id of the identity provider
Possible values: [IDP_TYPE_UNSPECIFIED
, IDP_TYPE_OIDC
, IDP_TYPE_JWT
]
Default value: IDP_TYPE_UNSPECIFIED
the authorization framework of the identity provider
domains object[]
details object
on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the first event of the object
on create: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the last event reduced by the projection
on manipulation: the
defines if the domain is verified
defines if the domain is the primary domain
Possible values: [DOMAIN_VALIDATION_TYPE_UNSPECIFIED
, DOMAIN_VALIDATION_TYPE_HTTP
, DOMAIN_VALIDATION_TYPE_DNS
]
Default value: DOMAIN_VALIDATION_TYPE_UNSPECIFIED
defines the protocol the domain was validated with
appKeys object[]
Possible values: [KEY_TYPE_UNSPECIFIED
, KEY_TYPE_JSON
]
Default value: KEY_TYPE_UNSPECIFIED
machineKeys object[]
Possible values: [KEY_TYPE_UNSPECIFIED
, KEY_TYPE_JSON
]
Default value: KEY_TYPE_UNSPECIFIED
verifySmsOtpMessages object[]
Possible values: <= 800 characters
verifyEmailOtpMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
dataOrgsv1 object
orgs object[]
org object
Possible values: non-empty
and <= 200 characters
iamPolicy object
Possible values: non-empty
and <= 200 characters
the username has to end with the domain of its organization
labelPolicy object
Possible values: <= 50 characters
Represents a color scheme
hides the org suffix on the login form if the scope "urn:zitadel:iam:org:domain:primary:{domainname}" is set
Possible values: <= 50 characters
hex value for warn color
Possible values: <= 50 characters
hex value for background color
Possible values: <= 50 characters
hex value for font color
Possible values: <= 50 characters
hex value for the primary color dark theme
Possible values: <= 50 characters
hex value for background color dark theme
Possible values: <= 50 characters
hex value for warning color dark theme
Possible values: <= 50 characters
hex value for font color dark theme
Possible values: [THEME_MODE_UNSPECIFIED
, THEME_MODE_AUTO
, THEME_MODE_DARK
, THEME_MODE_LIGHT
]
Default value: THEME_MODE_UNSPECIFIED
defines whether the available themes should be restricted
lockoutPolicy object
When the user has reached the maximum number of password attempts, the account will be locked. If this is set to 0, the lockout will not trigger.
Maximum failed attempts for a single OTP type (TOTP, SMS, Email) before the account gets locked. Attempts are reset as soon as the OTP is entered correctly. If set to 0 the account will never be locked.
loginPolicy object
Possible values: [PASSWORDLESS_TYPE_NOT_ALLOWED
, PASSWORDLESS_TYPE_ALLOWED
]
Default value: PASSWORDLESS_TYPE_NOT_ALLOWED
defines whether an unknown username on the login screen directly returns an error or the password screen is always displayed
defines where the user will be redirected to if the login is started without app context (e.g. from mail)
Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED
, SECOND_FACTOR_TYPE_OTP
, SECOND_FACTOR_TYPE_U2F
, SECOND_FACTOR_TYPE_OTP_EMAIL
, SECOND_FACTOR_TYPE_OTP_SMS
]
Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED
, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION
]
idps object[]
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED
, IDP_OWNER_TYPE_SYSTEM
, IDP_OWNER_TYPE_ORG
]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.
If set to true, the suffix (@domain.com) of an unknown username input on the login screen will be matched against the org domains and will redirect to the registration of that organization on success.
defines if the user can additionally (to the login name) be identified by their verified email address
defines if the user can additionally (to the login name) be identified by their verified phone number
if activated, only locally authenticated users are forced to use MFA. Authentication through IDPs won't prompt an MFA step in the login.
passwordComplexityPolicy object
Defines if the password MUST contain an upper case letter
Defines if the password MUST contain a lowercase letter
Defines if the password MUST contain a number
Defines if the password MUST contain a symbol. E.g. "$"
privacyPolicy object
If registration is enabled, the user has to accept the TOS. Variable {{.Lang}} can be set to have different links based on the language.
If registration is enabled, the user has to accept the privacy terms. Variable {{.Lang}} can be set to have different links based on the language.
Variable {{.Lang}} can be set to have different links based on the language.
help / support email address.
Link to documentation to be shown in the console.
Link to an external resource that will be available to users in the console.
The button text shown in the console that points to the custom link.
projects object[]
project object
Possible values: non-empty
and <= 200 characters
Enable this setting to have role information included in the user info endpoint. It is also dependent on your application settings to include it in tokens and other types.
When enabled, ZITADEL will check if the user has a role of this project assigned when logging into an application of this project.
When enabled, ZITADEL will check if the organization of the user who is trying to log in has a grant to this project.
Possible values: [PRIVATE_LABELING_SETTING_UNSPECIFIED
, PRIVATE_LABELING_SETTING_ENFORCE_PROJECT_RESOURCE_OWNER_POLICY
, PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY
]
Default value: PRIVATE_LABELING_SETTING_UNSPECIFIED
Define which private labeling/branding should trigger when getting to a login of this project.
projectRoles object[]
Possible values: non-empty
and <= 200 characters
The key is the only relevant attribute for ZITADEL regarding the authorization checks.
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
The group is only used for display purposes, so that you have easier handling, for example giving all the roles of a group to a user.
apiApps object[]
app object
Possible values: non-empty
and <= 200 characters
Possible values: [API_AUTH_METHOD_TYPE_BASIC
, API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]
Default value: API_AUTH_METHOD_TYPE_BASIC
oidcApps object[]
app object
Possible values: non-empty
and <= 200 characters
Callback URI of the authorization request where the code or tokens will be sent to
Possible values: [OIDC_RESPONSE_TYPE_CODE
, OIDC_RESPONSE_TYPE_ID_TOKEN
, OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN
]
Determines whether a code, id_token token or just id_token will be returned
Possible values: [OIDC_GRANT_TYPE_AUTHORIZATION_CODE
, OIDC_GRANT_TYPE_IMPLICIT
, OIDC_GRANT_TYPE_REFRESH_TOKEN
, OIDC_GRANT_TYPE_DEVICE_CODE
, OIDC_GRANT_TYPE_TOKEN_EXCHANGE
]
The flow type the application uses to gain access
Possible values: [OIDC_APP_TYPE_WEB
, OIDC_APP_TYPE_USER_AGENT
, OIDC_APP_TYPE_NATIVE
]
Default value: OIDC_APP_TYPE_WEB
Determines the paradigm of the application
Possible values: [OIDC_AUTH_METHOD_TYPE_BASIC
, OIDC_AUTH_METHOD_TYPE_POST
, OIDC_AUTH_METHOD_TYPE_NONE
, OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]
Default value: OIDC_AUTH_METHOD_TYPE_BASIC
Defines how the application passes login credentials
ZITADEL will redirect to this link after a successful logout
Possible values: [OIDC_VERSION_1_0
]
Default value: OIDC_VERSION_1_0
Used for development; some checks of the OIDC specification will be skipped.
Possible values: [OIDC_TOKEN_TYPE_BEARER
, OIDC_TOKEN_TYPE_JWT
]
Default value: OIDC_TOKEN_TYPE_BEARER
Type of the access token returned from ZITADEL
Adds roles to the claims of the access token (only if type == JWT) even if they are not requested by scopes
Adds roles to the claims of the id token even if they are not requested by scopes
Claims of the profile, email, address and phone scopes are added to the id token even if an access token is issued. Attention: this violates the OIDC specification.
Used to compensate for clock differences between servers. Duration added to the "exp" claim and subtracted from the "iat", "auth_time" and "nbf" claims
Additional origins (other than the redirect_uris) from where the API can be used; the provided string has to be an origin (scheme://hostname[:port]) without path, query or fragment
Skip the successful login page on native apps and directly redirect the user to the callback.
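The origin format and the settings this app description itself flags as risky (devMode skipping OIDC checks, the implicit grant, idTokenUserinfoAssertion violating the specification) can be checked before the payload is sent; the same oidcApps fields appear in the dataOrgs section above, so one check serves both. The Python below is an added example, not ZITADEL's code: the dict keys (name, appType, authMethodType, grantTypes, redirectUris, additionalOrigins, devMode, idTokenUserinfoAssertion) are its own assumption about how an exported app definition is shaped, the enum strings are the ones listed on this page, the sample apps are constructed, and the final check (a public client configured with a secret-based auth method) goes beyond the page's text.

```python
from urllib.parse import urlsplit

# Constructed sample app definitions (not from any real export). The keys are this
# example's assumption; the enum strings are those from the ImportData reference.
SAMPLE_APPS = [
    {
        "name": "portal-web",
        "appType": "OIDC_APP_TYPE_WEB",
        "authMethodType": "OIDC_AUTH_METHOD_TYPE_BASIC",
        "grantTypes": ["OIDC_GRANT_TYPE_AUTHORIZATION_CODE", "OIDC_GRANT_TYPE_REFRESH_TOKEN"],
        "redirectUris": ["https://portal.example/auth/callback"],
        "additionalOrigins": ["https://api.example:8443"],
        "devMode": False,
        "idTokenUserinfoAssertion": False,
    },
    {
        "name": "legacy-spa",
        "appType": "OIDC_APP_TYPE_USER_AGENT",
        "authMethodType": "OIDC_AUTH_METHOD_TYPE_BASIC",
        "grantTypes": ["OIDC_GRANT_TYPE_IMPLICIT"],
        "redirectUris": ["https://spa.example/cb"],
        "additionalOrigins": ["https://spa.example/app", "https://user@spa.example", "spa.example"],
        "devMode": True,
        "idTokenUserinfoAssertion": True,
    },
]


def is_origin(value: str) -> bool:
    """True only for scheme://hostname[:port] with no path, query, fragment or userinfo."""
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    # urlsplit("https://a.example") yields path "" while "https://a.example/" yields "/",
    # so a trailing slash is rejected too, matching the "without path" wording.
    if parts.path or parts.query or parts.fragment or parts.username or parts.password:
        return False
    try:
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return False
    return True


def lint_oidc_app(app: dict) -> list[str]:
    """Return human-readable findings for one app; an empty list means it passed."""
    name = app.get("name", "<unnamed>")
    findings = []
    for origin in app.get("additionalOrigins", []):
        if not is_origin(origin):
            findings.append(f"{name}: additional origin {origin!r} is not a bare origin (scheme://hostname[:port])")
    if app.get("devMode"):
        findings.append(f"{name}: devMode is enabled, so some OIDC specification checks are skipped")
    if "OIDC_GRANT_TYPE_IMPLICIT" in app.get("grantTypes", []):
        findings.append(f"{name}: implicit grant is enabled; tokens would be returned in the redirect")
    if app.get("idTokenUserinfoAssertion"):
        findings.append(f"{name}: idTokenUserinfoAssertion copies profile claims into the id token "
                        "even when an access token is issued (violates the OIDC specification)")
    # Beyond the reference text: user-agent and native apps are public clients and
    # cannot keep a client secret, so a secret-based auth method is a mismatch.
    if app.get("appType") in ("OIDC_APP_TYPE_USER_AGENT", "OIDC_APP_TYPE_NATIVE") \
            and app.get("authMethodType") != "OIDC_AUTH_METHOD_TYPE_NONE":
        findings.append(f"{name}: public app type {app['appType']} uses {app.get('authMethodType')}; "
                        "public clients cannot protect a secret")
    return findings


def lint_all(apps: list[dict]) -> dict[str, list[str]]:
    """Map each app name to its findings, keeping only apps with at least one."""
    result = {}
    for app in apps:
        findings = lint_oidc_app(app)
        if findings:
            result[app.get("name", "<unnamed>")] = findings
    return result


if __name__ == "__main__":
    for app_name, app_findings in lint_all(SAMPLE_APPS).items():
        print(app_name)
        for finding in app_findings:
            print("  -", finding)
```

Run it over the exported app list before building the import request; every finding is something to fix in the source system rather than carry over, and an empty result for an app means its origins are well-formed and none of the flagged settings are on.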
humanUsers object[]
user object
profile object required
Profile includes the basic information of a user, like first name, last name, etc.
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
Possible values: <= 200 characters
Possible values: <= 10 characters
Possible values: [GENDER_UNSPECIFIED
, GENDER_FEMALE
, GENDER_MALE
, GENDER_DIVERSE
]
Default value: GENDER_UNSPECIFIED
email object required
Object that contains the email address and a verified flag.
If email verified is set to true, the email will be added as verified and the user doesn't have to verify.
phone object
Object that contains the number and a verified flag
Possible values: non-empty
and <= 50 characters
mobile phone number of the user (use the global pattern of RFC 3966: https://tools.ietf.org/html/rfc3966)
hashedPassword object
Use this to import hashed passwords from another system.
Encoded hash of a password in Modular Crypt Format: https://zitadel.com/docs/concepts/architecture/secrets#hashed-secrets
If this is set to true, the user has to change the password on the next login.
If this is set to true, you will get a link for the passwordless/passkey registration in the response.
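A pre-flight pass over the hashedPassword values (the same field exists in the humanUsers section of dataOrgs above) catches two classic migration mistakes before the import runs: plaintext values placed in the hash field, and hashes in a scheme the target cannot verify. The Python below is an added example, not ZITADEL's code; its ALLOWED_IDENTIFIERS set and the bcrypt cost threshold are assumptions to be aligned with the hashed-secrets page linked above, and the sample values are constructed strings shaped like hashes, not hashes of anything.

```python
import re
from typing import Optional

# MCF identifiers this pre-flight accepts. The allowlist is this example's own
# assumption; align it with the hashed-secrets page before relying on it.
ALLOWED_IDENTIFIERS = {"2a", "2b", "2y", "argon2i", "argon2id", "scrypt", "pbkdf2-sha256", "5", "6"}
MIN_BCRYPT_COST = 10  # example threshold, not a ZITADEL setting

# bcrypt: $2x$NN$ followed by 22 salt + 31 hash characters (53 total)
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
# argon2: $argon2id$v=19$m=...,t=...,p=...$<salt>$<hash>, both unpadded base64
ARGON2_RE = re.compile(r"^\$argon2(?:id|i|d)\$v=\d+\$m=\d+,t=\d+,p=\d+\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+$")


def mcf_identifier(value: str) -> Optional[str]:
    """Return the identifier between the first two '$' (e.g. '2b', 'argon2id'), or None."""
    if not value.startswith("$"):
        return None
    fields = value.split("$")  # "$2b$12$..." -> ["", "2b", "12", "..."]
    if len(fields) < 3 or not fields[1]:
        return None
    return fields[1]


def check_hash(value: str) -> tuple[str, str]:
    """Classify one value as ('ok' | 'warn' | 'reject', detail)."""
    ident = mcf_identifier(value)
    if ident is None:
        return "reject", "not Modular Crypt Format; looks like plaintext or an unsupported encoding"
    if ident not in ALLOWED_IDENTIFIERS:
        return "reject", f"identifier ${ident}$ is not on the allowlist"
    if ident in ("2a", "2b", "2y"):
        m = BCRYPT_RE.match(value)
        if not m:
            return "reject", "malformed bcrypt string"
        if int(m.group(1)) < MIN_BCRYPT_COST:
            return "warn", f"bcrypt cost {m.group(1)} is below {MIN_BCRYPT_COST}; plan a re-hash after first login"
    elif ident.startswith("argon2") and not ARGON2_RE.match(value):
        return "reject", "malformed argon2 string"
    return "ok", ident


def triage(hashes: dict[str, str]) -> dict[str, list[str]]:
    """Group user ids by verdict so the batch can be cleaned before import."""
    buckets: dict[str, list[str]] = {"ok": [], "warn": [], "reject": []}
    for user_id, value in hashes.items():
        verdict, _ = check_hash(value)
        buckets[verdict].append(user_id)
    return buckets


# Constructed sample values keyed by a made-up user id; none is a real hash.
SAMPLE_HASHES = {
    "u1": "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "u2": "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHRzYWx0$aGFzaGhhc2hoYXNoaGFzaA",
    "u3": "$2a$04$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "u4": "Summer2024!",
    "u5": "$unknown$saltsalt$abcdefghijklmnopqrstuv",
}

if __name__ == "__main__":
    for uid, hashed in SAMPLE_HASHES.items():
        print(uid, *check_hash(hashed))
    print(triage(SAMPLE_HASHES))
```

Users in the reject bucket should not be imported with that value; for a plaintext leak the right move is to drop the value and let the user set a new password through the reset flow, and for an unsupported scheme to re-hash at the source or do the same. The warn bucket is importable, since ZITADEL verifies the hash as given, but is worth tracking so those accounts get a stronger hash on their next login.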
idps object[]
To link your user directly with an external identity provider (Identity brokering)
Possible values: non-empty
and <= 200 characters
The internal ID of the identity provider configured in ZITADEL.
Possible values: non-empty
and <= 200 characters
The id of the user in the external identity provider
Possible values: <= 200 characters
A display name ZITADEL can show on the linked provider.
machineUsers object[]
user object
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: <= 500 characters
Possible values: [ACCESS_TOKEN_TYPE_BEARER
, ACCESS_TOKEN_TYPE_JWT
]
Default value: ACCESS_TOKEN_TYPE_BEARER
triggerActions object[]
Possible values: [FLOW_TYPE_UNSPECIFIED
, FLOW_TYPE_EXTERNAL_AUTHENTICATION
]
Default value: FLOW_TYPE_UNSPECIFIED
Possible values: [TRIGGER_TYPE_UNSPECIFIED
, TRIGGER_TYPE_POST_AUTHENTICATION
, TRIGGER_TYPE_PRE_CREATION
, TRIGGER_TYPE_POST_CREATION
]
Default value: TRIGGER_TYPE_UNSPECIFIED
actions object[]
action object
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 10000 characters
JavaScript code that should be executed
after which time the action will be terminated if not finished
when true, the next action will be called even if this action fails
projectGrants object[]
projectGrant object
userGrants object[]
Possible values: non-empty
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
Make sure to fill in the project grant id if the user grant is for a granted project and the organization is not the owner of the project.
orgMembers object[]
If no roles are provided the user won't have any rights
projectMembers object[]
If no roles are provided the user won't have any rights
projectGrantMembers object[]
Possible values: non-empty
and <= 200 characters
If no roles are provided the user won't have any rights
userMetadata object[]
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 500000 characters
The value has to be base64 encoded.
loginTexts object[]
selectAccountText object
loginText object
passwordText object
usernameChangeText object
usernameChangeDoneText object
initPasswordText object
initPasswordDoneText object
emailVerificationText object
emailVerificationDoneText object
initializeUserText object
initializeDoneText object
initMfaPromptText object
initMfaOtpText object
initMfaU2fText object
initMfaDoneText object
mfaProvidersText object
verifyMfaOtpText object
verifyMfaU2fText object
passwordlessText object
passwordChangeText object
passwordChangeDoneText object
passwordResetDoneText object
registrationOptionText object
registrationUserText object
registrationOrgText object
linkingUserDoneText object
externalUserNotFoundText object
successLoginText object
logoutText object
footerText object
passwordlessPromptText object
passwordlessRegistrationText object
passwordlessRegistrationDoneText object
externalRegistrationUserOverviewText object
linkingUserPromptText object
initMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
passwordResetMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
verifyEmailMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
verifyPhoneMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 800 characters
Possible values: <= 1000 characters
domainClaimedMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
passwordlessRegistrationMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 500 characters
oidcIdps object[]
idp object
Possible values: non-empty
and <= 200 characters
Possible values: [STYLING_TYPE_UNSPECIFIED
, STYLING_TYPE_GOOGLE
]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button that leads to their login
Possible values: non-empty
and <= 200 characters
client id generated by the identity provider
Possible values: non-empty
and <= 200 characters
client secret generated by the identity provider
the OIDC issuer of the identity provider
the scopes requested by ZITADEL during the request on the identity provider
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED
, OIDC_MAPPING_FIELD_PREFERRED_USERNAME
, OIDC_MAPPING_FIELD_EMAIL
]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
defines which field is mapped to the display name of the user
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED
, OIDC_MAPPING_FIELD_PREFERRED_USERNAME
, OIDC_MAPPING_FIELD_EMAIL
]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
defines which field is mapped to the email of the user
jwtIdps object[]
idp object
Possible values: non-empty
and <= 200 characters
Possible values: [STYLING_TYPE_UNSPECIFIED
, STYLING_TYPE_GOOGLE
]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button that leads to their login
Possible values: non-empty
and <= 200 characters
the endpoint where the JWT can be extracted
Possible values: non-empty
and <= 200 characters
the issuer of the JWT (for validation)
Possible values: non-empty
and <= 200 characters
the endpoint of the key (JWK) used to sign the JWT
Possible values: non-empty
and <= 200 characters
the name of the header in which the JWT is sent; the default is authorization
secondFactors object[]
Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED
, SECOND_FACTOR_TYPE_OTP
, SECOND_FACTOR_TYPE_U2F
, SECOND_FACTOR_TYPE_OTP_EMAIL
, SECOND_FACTOR_TYPE_OTP_SMS
]
Default value: SECOND_FACTOR_TYPE_UNSPECIFIED
multiFactors object[]
Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED
, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION
]
Default value: MULTI_FACTOR_TYPE_UNSPECIFIED
idps object[]
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED
, IDP_OWNER_TYPE_SYSTEM
, IDP_OWNER_TYPE_ORG
]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.
userLinks object[]
the id of the user
the id of the identity provider
the name of the identity provider
the id of the user provided by the identity provider
the id of the identity provider
Possible values: [IDP_TYPE_UNSPECIFIED
, IDP_TYPE_OIDC
, IDP_TYPE_JWT
]
Default value: IDP_TYPE_UNSPECIFIED
the authorization framework of the identity provider
domains object[]
details object
on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the first event of the object
on create: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the last event reduced by the projection
on manipulation: the
defines if the domain is verified
defines if the domain is the primary domain
Possible values: [DOMAIN_VALIDATION_TYPE_UNSPECIFIED
, DOMAIN_VALIDATION_TYPE_HTTP
, DOMAIN_VALIDATION_TYPE_DNS
]
Default value: DOMAIN_VALIDATION_TYPE_UNSPECIFIED
defines the protocol the domain was validated with
appKeys object[]
Possible values: [KEY_TYPE_UNSPECIFIED
, KEY_TYPE_JSON
]
Default value: KEY_TYPE_UNSPECIFIED
machineKeys object[]
Possible values: [KEY_TYPE_UNSPECIFIED
, KEY_TYPE_JSON
]
Default value: KEY_TYPE_UNSPECIFIED
dataOrgsLocal object
dataOrgsv1Local object
dataOrgsS3 object
dataOrgsv1S3 object
dataOrgsGcs object
dataOrgsv1Gcs object
dataOrgs object
orgs object[]
org object
Possible values: non-empty
and <= 200 characters
domainPolicy object
Possible values: non-empty
and <= 200 characters
the username has to end with the domain of its organization
defines if organization domains should be validated or count as validated automatically
defines if the SMTP sender address domain should match an existing domain on the instance
labelPolicy object
Possible values: <= 50 characters
Represents a color scheme
hides the org suffix on the login form if the scope "urn:zitadel:iam:org:domain:primary:{domainname}" is set
Possible values: <= 50 characters
hex value for warn color
Possible values: <= 50 characters
hex value for background color
Possible values: <= 50 characters
hex value for font color
Possible values: <= 50 characters
hex value for the primary color dark theme
Possible values: <= 50 characters
hex value for background color dark theme
Possible values: <= 50 characters
hex value for warning color dark theme
Possible values: <= 50 characters
hex value for font color dark theme
Possible values: [THEME_MODE_UNSPECIFIED
, THEME_MODE_AUTO
, THEME_MODE_DARK
, THEME_MODE_LIGHT
]
Default value: THEME_MODE_UNSPECIFIED
setting if there should be a restriction on which themes are available
lockoutPolicy object
When the user has reached the maximum number of password attempts, the account will be locked. If this is set to 0, the lockout will not trigger.
Maximum failed attempts for a single OTP type (TOTP, SMS, Email) before the account gets locked. Attempts are reset as soon as the OTP is entered correctly. If set to 0 the account will never be locked.
loginPolicy object
Possible values: [PASSWORDLESS_TYPE_NOT_ALLOWED
, PASSWORDLESS_TYPE_ALLOWED
]
Default value: PASSWORDLESS_TYPE_NOT_ALLOWED
defines if an unknown username on the login screen directly returns an error or always displays the password screen
defines where the user will be redirected to if the login is started without app context (e.g. from mail)
Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED
, SECOND_FACTOR_TYPE_OTP
, SECOND_FACTOR_TYPE_U2F
, SECOND_FACTOR_TYPE_OTP_EMAIL
, SECOND_FACTOR_TYPE_OTP_SMS
]
Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED
, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION
]
idps object[]
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED
, IDP_OWNER_TYPE_SYSTEM
, IDP_OWNER_TYPE_ORG
]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.
If set to true, the suffix (@domain.com) of an unknown username input on the login screen will be matched against the org domains and will redirect to the registration of that organization on success.
defines if the user can additionally (to the login name) be identified by their verified email address
defines if the user can additionally (to the login name) be identified by their verified phone number
if activated, only locally authenticated users are forced to use MFA. Authentication through IDPs won't prompt an MFA step in the login.
passwordComplexityPolicy object
Defines if the password MUST contain an upper case letter
Defines if the password MUST contain a lowercase letter
Defines if the password MUST contain a number
Defines if the password MUST contain a symbol. E.g. "$"
privacyPolicy object
If registration is enabled, the user has to accept the TOS. Variable {{.Lang}} can be set to have different links based on the language.
If registration is enabled, the user has to accept the privacy terms. Variable {{.Lang}} can be set to have different links based on the language.
Variable {{.Lang}} can be set to have different links based on the language.
help / support email address.
Link to documentation to be shown in the console.
Link to an external resource that will be available to users in the console.
The button text shown in the console pointing to the custom link.
projects object[]
project object
Possible values: non-empty
and <= 200 characters
Enable this setting to have role information included in the user info endpoint. It is also dependent on your application settings to include it in tokens and other types.
When enabled, ZITADEL will check if a user has a role of this project assigned when logging into an application of this project.
When enabled, ZITADEL will check if the organization of the user who is trying to log in has a grant to this project.
Possible values: [PRIVATE_LABELING_SETTING_UNSPECIFIED
, PRIVATE_LABELING_SETTING_ENFORCE_PROJECT_RESOURCE_OWNER_POLICY
, PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY
]
Default value: PRIVATE_LABELING_SETTING_UNSPECIFIED
Define which private labeling/branding should trigger when getting to a login of this project.
projectRoles object[]
Possible values: non-empty
and <= 200 characters
The key is the only relevant attribute for ZITADEL regarding the authorization checks.
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
The group is only used for display purposes, so that you have better handling, like giving all the roles from a group to a user.
apiApps object[]
app object
Possible values: non-empty
and <= 200 characters
Possible values: [API_AUTH_METHOD_TYPE_BASIC
, API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]
Default value: API_AUTH_METHOD_TYPE_BASIC
oidcApps object[]
app object
Possible values: non-empty
and <= 200 characters
Callback URI of the authorization request where the code or tokens will be sent to
Possible values: [OIDC_RESPONSE_TYPE_CODE
, OIDC_RESPONSE_TYPE_ID_TOKEN
, OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN
]
Determines whether a code, id_token token or just id_token will be returned
Possible values: [OIDC_GRANT_TYPE_AUTHORIZATION_CODE
, OIDC_GRANT_TYPE_IMPLICIT
, OIDC_GRANT_TYPE_REFRESH_TOKEN
, OIDC_GRANT_TYPE_DEVICE_CODE
, OIDC_GRANT_TYPE_TOKEN_EXCHANGE
]
The flow type the application uses to gain access
Possible values: [OIDC_APP_TYPE_WEB
, OIDC_APP_TYPE_USER_AGENT
, OIDC_APP_TYPE_NATIVE
]
Default value: OIDC_APP_TYPE_WEB
Determines the paradigm of the application
Possible values: [OIDC_AUTH_METHOD_TYPE_BASIC
, OIDC_AUTH_METHOD_TYPE_POST
, OIDC_AUTH_METHOD_TYPE_NONE
, OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]
Default value: OIDC_AUTH_METHOD_TYPE_BASIC
Defines how the application passes login credentials
ZITADEL will redirect to this link after a successful logout
Possible values: [OIDC_VERSION_1_0
]
Default value: OIDC_VERSION_1_0
Used for development; some checks of the OIDC specification will be skipped.
Possible values: [OIDC_TOKEN_TYPE_BEARER
, OIDC_TOKEN_TYPE_JWT
]
Default value: OIDC_TOKEN_TYPE_BEARER
Type of the access token returned from ZITADEL
Adds roles to the claims of the access token (only if type == JWT) even if they are not requested by scopes
Adds roles to the claims of the id token even if they are not requested by scopes
Claims of the profile, email, address and phone scopes are added to the id token even if an access token is issued. Attention: this violates the OIDC specification.
Used to compensate for time differences between servers. The duration is added to the "exp" claim and subtracted from the "iat", "auth_time" and "nbf" claims.
Additional origins (other than the redirect_uris) from where the API can be used; the provided string has to be an origin (scheme://hostname[:port]) without path, query or fragment.
Skip the successful login page on native apps and directly redirect the user to the callback.
humanUsers object[]
user object
profile object required
Profile includes the basic information of a user, like first name, last name, etc.
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
Possible values: <= 200 characters
Possible values: <= 10 characters
Possible values: [GENDER_UNSPECIFIED
, GENDER_FEMALE
, GENDER_MALE
, GENDER_DIVERSE
]
Default value: GENDER_UNSPECIFIED
email object required
Object that contains the email address and a verified flag.
If email verified is set to true, the email will be added as verified and the user doesn't have to verify it.
phone object
Object that contains the number and a verified flag
Possible values: non-empty
and <= 50 characters
mobile phone number of the user (use the global pattern of the spec https://tools.ietf.org/html/rfc3966)
hashedPassword object
Use this to import hashed passwords from another system.
Encoded hash of a password in Modular Crypt Format: https://zitadel.com/docs/concepts/architecture/secrets#hashed-secrets
If this is set to true, the user has to change the password on the next login.
If this is set to true, you will get a link for the passwordless/passkey registration in the response.
idps object[]
To link your user directly with an external identity provider (Identity brokering)
Possible values: non-empty
and <= 200 characters
The internal ID of the identity provider configured in ZITADEL.
Possible values: non-empty
and <= 200 characters
The id of the user in the external identity provider
Possible values: <= 200 characters
A display name ZITADEL can show on the linked provider.
machineUsers object[]
user object
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: <= 500 characters
Possible values: [ACCESS_TOKEN_TYPE_BEARER
, ACCESS_TOKEN_TYPE_JWT
]
Default value: ACCESS_TOKEN_TYPE_BEARER
triggerActions object[]
actions object[]
action object
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 10000 characters
JavaScript code that should be executed
time after which the action will be terminated if it has not finished
when true, the next action will be called even if this action fails
projectGrants object[]
projectGrant object
userGrants object[]
Possible values: non-empty
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
Make sure to fill in the project grant id if the user grant is for a granted project and the organization is not the owner of the project.
orgMembers object[]
If no roles are provided the user won't have any rights
projectMembers object[]
If no roles are provided the user won't have any rights
projectGrantMembers object[]
Possible values: non-empty
and <= 200 characters
If no roles are provided the user won't have any rights
userMetadata object[]
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 500000 characters
The value has to be base64 encoded.
loginTexts object[]
selectAccountText object
loginText object
passwordText object
usernameChangeText object
usernameChangeDoneText object
initPasswordText object
initPasswordDoneText object
emailVerificationText object
emailVerificationDoneText object
initializeUserText object
initializeDoneText object
initMfaPromptText object
initMfaOtpText object
initMfaU2fText object
initMfaDoneText object
mfaProvidersText object
verifyMfaOtpText object
verifyMfaU2fText object
passwordlessText object
passwordChangeText object
passwordChangeDoneText object
passwordResetDoneText object
registrationOptionText object
registrationUserText object
registrationOrgText object
linkingUserDoneText object
externalUserNotFoundText object
successLoginText object
logoutText object
footerText object
passwordlessPromptText object
passwordlessRegistrationText object
passwordlessRegistrationDoneText object
externalRegistrationUserOverviewText object
linkingUserPromptText object
initMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
passwordResetMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
verifyEmailMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
verifyPhoneMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 800 characters
Possible values: <= 1000 characters
domainClaimedMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
passwordlessRegistrationMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 500 characters
oidcIdps object[]
idp object
Possible values: non-empty
and <= 200 characters
Possible values: [STYLING_TYPE_UNSPECIFIED
, STYLING_TYPE_GOOGLE
]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button that leads to their login
Possible values: non-empty
and <= 200 characters
client id generated by the identity provider
Possible values: non-empty
and <= 200 characters
client secret generated by the identity provider
the OIDC issuer of the identity provider
the scopes requested by ZITADEL in the request to the identity provider
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED
, OIDC_MAPPING_FIELD_PREFERRED_USERNAME
, OIDC_MAPPING_FIELD_EMAIL
]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
defines which field is mapped to the display name of the user
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED
, OIDC_MAPPING_FIELD_PREFERRED_USERNAME
, OIDC_MAPPING_FIELD_EMAIL
]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
defines which field is mapped to the email of the user
jwtIdps object[]
idp object
Possible values: non-empty
and <= 200 characters
Possible values: [STYLING_TYPE_UNSPECIFIED
, STYLING_TYPE_GOOGLE
]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button that leads to their login
Possible values: non-empty
and <= 200 characters
the endpoint from which the JWT can be extracted
Possible values: non-empty
and <= 200 characters
the issuer of the JWT (for validation)
Possible values: non-empty
and <= 200 characters
the endpoint of the key (JWK) used to sign the JWT
Possible values: non-empty
and <= 200 characters
the name of the header in which the JWT is sent; the default is authorization
userLinks object[]
the id of the user
the id of the identity provider
the name of the identity provider
the id of the user provided by the identity provider
the id of the identity provider
Possible values: [IDP_TYPE_UNSPECIFIED
, IDP_TYPE_OIDC
, IDP_TYPE_JWT
]
Default value: IDP_TYPE_UNSPECIFIED
the authorization framework of the identity provider
domains object[]
details object
on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the first event of the object
on create: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the last event reduced by the projection
on manipulation: the
defines if the domain is verified
defines if the domain is the primary domain
Possible values: [DOMAIN_VALIDATION_TYPE_UNSPECIFIED
, DOMAIN_VALIDATION_TYPE_HTTP
, DOMAIN_VALIDATION_TYPE_DNS
]
Default value: DOMAIN_VALIDATION_TYPE_UNSPECIFIED
defines the protocol the domain was validated with
appKeys object[]
Possible values: [KEY_TYPE_UNSPECIFIED
, KEY_TYPE_JSON
]
Default value: KEY_TYPE_UNSPECIFIED
machineKeys object[]
Possible values: [KEY_TYPE_UNSPECIFIED
, KEY_TYPE_JSON
]
Default value: KEY_TYPE_UNSPECIFIED
verifySmsOtpMessages object[]
Possible values: <= 800 characters
verifyEmailOtpMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
dataOrgsv1 object
orgs object[]
org object
Possible values: non-empty
and <= 200 characters
iamPolicy object
Possible values: non-empty
and <= 200 characters
the username has to end with the domain of its organization
labelPolicy object
Possible values: <= 50 characters
Represents a color scheme
hides the org suffix on the login form if the scope "urn:zitadel:iam:org:domain:primary:{domainname}" is set
Possible values: <= 50 characters
hex value for warn color
Possible values: <= 50 characters
hex value for background color
Possible values: <= 50 characters
hex value for font color
Possible values: <= 50 characters
hex value for the primary color dark theme
Possible values: <= 50 characters
hex value for background color dark theme
Possible values: <= 50 characters
hex value for warning color dark theme
Possible values: <= 50 characters
hex value for font color dark theme
Possible values: [THEME_MODE_UNSPECIFIED
, THEME_MODE_AUTO
, THEME_MODE_DARK
, THEME_MODE_LIGHT
]
Default value: THEME_MODE_UNSPECIFIED
setting if there should be a restriction on which themes are available
lockoutPolicy object
When the user has reached the maximum number of password attempts, the account will be locked. If this is set to 0, the lockout will not trigger.
Maximum failed attempts for a single OTP type (TOTP, SMS, Email) before the account gets locked. Attempts are reset as soon as the OTP is entered correctly. If set to 0 the account will never be locked.
loginPolicy object
Possible values: [PASSWORDLESS_TYPE_NOT_ALLOWED
, PASSWORDLESS_TYPE_ALLOWED
]
Default value: PASSWORDLESS_TYPE_NOT_ALLOWED
defines if an unknown username on the login screen directly returns an error or always displays the password screen
defines where the user will be redirected to if the login is started without app context (e.g. from mail)
Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED
, SECOND_FACTOR_TYPE_OTP
, SECOND_FACTOR_TYPE_U2F
, SECOND_FACTOR_TYPE_OTP_EMAIL
, SECOND_FACTOR_TYPE_OTP_SMS
]
Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED
, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION
]
idps object[]
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED
, IDP_OWNER_TYPE_SYSTEM
, IDP_OWNER_TYPE_ORG
]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.
If set to true, the suffix (@domain.com) of an unknown username input on the login screen will be matched against the org domains and will redirect to the registration of that organization on success.
defines if the user can additionally (to the login name) be identified by their verified email address
defines if the user can additionally (to the login name) be identified by their verified phone number
if activated, only locally authenticated users are forced to use MFA. Authentication through IDPs won't prompt an MFA step in the login.
passwordComplexityPolicy object
Defines if the password MUST contain an upper case letter
Defines if the password MUST contain a lowercase letter
Defines if the password MUST contain a number
Defines if the password MUST contain a symbol. E.g. "$"
privacyPolicy object
If registration is enabled, the user has to accept the TOS. Variable {{.Lang}} can be set to have different links based on the language.
If registration is enabled, the user has to accept the privacy terms. Variable {{.Lang}} can be set to have different links based on the language.
Variable {{.Lang}} can be set to have different links based on the language.
help / support email address.
Link to documentation to be shown in the console.
Link to an external resource that will be available to users in the console.
The button text shown in the console pointing to the custom link.
projects object[]
project object
Possible values: non-empty
and <= 200 characters
Enable this setting to have role information included in the user info endpoint. It is also dependent on your application settings to include it in tokens and other types.
When enabled, ZITADEL will check if a user has a role of this project assigned when logging into an application of this project.
When enabled, ZITADEL will check if the organization of the user who is trying to log in has a grant to this project.
Possible values: [PRIVATE_LABELING_SETTING_UNSPECIFIED
, PRIVATE_LABELING_SETTING_ENFORCE_PROJECT_RESOURCE_OWNER_POLICY
, PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY
]
Default value: PRIVATE_LABELING_SETTING_UNSPECIFIED
Define which private labeling/branding should trigger when getting to a login of this project.
projectRoles object[]
Possible values: non-empty
and <= 200 characters
The key is the only relevant attribute for ZITADEL regarding the authorization checks.
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
The group is only used for display purposes, so that you have better handling, like giving all the roles from a group to a user.
apiApps object[]
app object
Possible values: non-empty
and <= 200 characters
Possible values: [API_AUTH_METHOD_TYPE_BASIC
, API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]
Default value: API_AUTH_METHOD_TYPE_BASIC
oidcApps object[]
app object
Possible values: non-empty
and <= 200 characters
Callback URI of the authorization request where the code or tokens will be sent to
Possible values: [OIDC_RESPONSE_TYPE_CODE
, OIDC_RESPONSE_TYPE_ID_TOKEN
, OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN
]
Determines whether a code, id_token token or just id_token will be returned
Possible values: [OIDC_GRANT_TYPE_AUTHORIZATION_CODE
, OIDC_GRANT_TYPE_IMPLICIT
, OIDC_GRANT_TYPE_REFRESH_TOKEN
, OIDC_GRANT_TYPE_DEVICE_CODE
, OIDC_GRANT_TYPE_TOKEN_EXCHANGE
]
The flow type the application uses to gain access
Possible values: [OIDC_APP_TYPE_WEB
, OIDC_APP_TYPE_USER_AGENT
, OIDC_APP_TYPE_NATIVE
]
Default value: OIDC_APP_TYPE_WEB
Determines the paradigm of the application
Possible values: [OIDC_AUTH_METHOD_TYPE_BASIC
, OIDC_AUTH_METHOD_TYPE_POST
, OIDC_AUTH_METHOD_TYPE_NONE
, OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]
Default value: OIDC_AUTH_METHOD_TYPE_BASIC
Defines how the application passes login credentials
ZITADEL will redirect to this link after a successful logout
Possible values: [OIDC_VERSION_1_0
]
Default value: OIDC_VERSION_1_0
Used for development; some checks of the OIDC specification will be skipped.
Possible values: [OIDC_TOKEN_TYPE_BEARER
, OIDC_TOKEN_TYPE_JWT
]
Default value: OIDC_TOKEN_TYPE_BEARER
Type of the access token returned from ZITADEL
Adds roles to the claims of the access token (only if type == JWT) even if they are not requested by scopes
Adds roles to the claims of the id token even if they are not requested by scopes
Claims of the profile, email, address and phone scopes are added to the id token even if an access token is issued. Attention: this violates the OIDC specification.
Used to compensate for time differences between servers. The duration is added to the "exp" claim and subtracted from the "iat", "auth_time" and "nbf" claims.
Additional origins (other than the redirect_uris) from where the API can be used; the provided string has to be an origin (scheme://hostname[:port]) without path, query or fragment.
Skip the successful login page on native apps and directly redirect the user to the callback.
humanUsers object[]
user object
profile object required
Profile includes the basic information of a user, like first name, last name, etc.
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
Possible values: <= 200 characters
Possible values: <= 10 characters
Possible values: [GENDER_UNSPECIFIED
, GENDER_FEMALE
, GENDER_MALE
, GENDER_DIVERSE
]
Default value: GENDER_UNSPECIFIED
email object required
Object that contains the email address and a verified flag.
If email verified is set to true, the email will be added as verified and the user doesn't have to verify it.
phone object
Object that contains the number and a verified flag
Possible values: non-empty
and <= 50 characters
mobile phone number of the user (use the global pattern of the spec https://tools.ietf.org/html/rfc3966)
hashedPassword object
Use this to import hashed passwords from another system.
Encoded hash of a password in Modular Crypt Format: https://zitadel.com/docs/concepts/architecture/secrets#hashed-secrets
If this is set to true, the user has to change the password on the next login.
If this is set to true, you will get a link for the passwordless/passkey registration in the response.
idps object[]
To link your user directly with an external identity provider (Identity brokering)
Possible values: non-empty
and <= 200 characters
The internal ID of the identity provider configured in ZITADEL.
Possible values: non-empty
and <= 200 characters
The id of the user in the external identity provider
Possible values: <= 200 characters
A display name ZITADEL can show on the linked provider.
machineUsers object[]
user object
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: <= 500 characters
Possible values: [ACCESS_TOKEN_TYPE_BEARER
, ACCESS_TOKEN_TYPE_JWT
]
Default value: ACCESS_TOKEN_TYPE_BEARER
triggerActions object[]
Possible values: [FLOW_TYPE_UNSPECIFIED
, FLOW_TYPE_EXTERNAL_AUTHENTICATION
]
Default value: FLOW_TYPE_UNSPECIFIED
Possible values: [TRIGGER_TYPE_UNSPECIFIED
, TRIGGER_TYPE_POST_AUTHENTICATION
, TRIGGER_TYPE_PRE_CREATION
, TRIGGER_TYPE_POST_CREATION
]
Default value: TRIGGER_TYPE_UNSPECIFIED
actions object[]
action object
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 10000 characters
JavaScript code that should be executed
time after which the action will be terminated if it has not finished
when true, the next action will be called even if this action fails
projectGrants object[]
projectGrant object
userGrants object[]
Possible values: non-empty
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
Make sure to fill in the project grant id if the user grant is for a granted project and the organization is not the owner of the project.
orgMembers object[]
If no roles are provided the user won't have any rights
projectMembers object[]
If no roles are provided the user won't have any rights
projectGrantMembers object[]
Possible values: non-empty
and <= 200 characters
If no roles are provided the user won't have any rights
userMetadata object[]
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 500000 characters
The value has to be base64 encoded.
loginTexts object[]
selectAccountText object
loginText object
passwordText object
usernameChangeText object
usernameChangeDoneText object
initPasswordText object
initPasswordDoneText object
emailVerificationText object
emailVerificationDoneText object
initializeUserText object
initializeDoneText object
initMfaPromptText object
initMfaOtpText object
initMfaU2fText object
initMfaDoneText object
mfaProvidersText object
verifyMfaOtpText object
verifyMfaU2fText object
passwordlessText object
passwordChangeText object
passwordChangeDoneText object
passwordResetDoneText object
registrationOptionText object
registrationUserText object
registrationOrgText object
linkingUserDoneText object
externalUserNotFoundText object
successLoginText object
logoutText object
footerText object
passwordlessPromptText object
passwordlessRegistrationText object
passwordlessRegistrationDoneText object
externalRegistrationUserOverviewText object
linkingUserPromptText object
initMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
passwordResetMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
verifyEmailMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
verifyPhoneMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 800 characters
Possible values: <= 1000 characters
domainClaimedMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
passwordlessRegistrationMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 500 characters
oidcIdps object[]
idp object
Possible values: non-empty
and <= 200 characters
Possible values: [STYLING_TYPE_UNSPECIFIED
, STYLING_TYPE_GOOGLE
]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers prescribe the styling of the button that leads to their login
Possible values: non-empty
and <= 200 characters
client id generated by the identity provider
Possible values: non-empty
and <= 200 characters
client secret generated by the identity provider
the OIDC issuer of the identity provider
the scopes requested by ZITADEL during the request on the identity provider
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED
, OIDC_MAPPING_FIELD_PREFERRED_USERNAME
, OIDC_MAPPING_FIELD_EMAIL
]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the display name of the user
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED
, OIDC_MAPPING_FIELD_PREFERRED_USERNAME
, OIDC_MAPPING_FIELD_EMAIL
]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the email of the user
jwtIdps object[]
idp object
Possible values: non-empty
and <= 200 characters
Possible values: [STYLING_TYPE_UNSPECIFIED
, STYLING_TYPE_GOOGLE
]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
Possible values: non-empty
and <= 200 characters
the endpoint where the JWT can be extracted
Possible values: non-empty
and <= 200 characters
the issuer of the JWT (for validation)
Possible values: non-empty
and <= 200 characters
the endpoint serving the key (JWK) the JWT is signed with; ZITADEL uses it to verify the signature
Possible values: non-empty
and <= 200 characters
the name of the header the JWT is sent in; the default is authorization
secondFactors object[]
Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED
, SECOND_FACTOR_TYPE_OTP
, SECOND_FACTOR_TYPE_U2F
, SECOND_FACTOR_TYPE_OTP_EMAIL
, SECOND_FACTOR_TYPE_OTP_SMS
]
Default value: SECOND_FACTOR_TYPE_UNSPECIFIED
multiFactors object[]
Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED
, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION
]
Default value: MULTI_FACTOR_TYPE_UNSPECIFIED
idps object[]
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED
, IDP_OWNER_TYPE_SYSTEM
, IDP_OWNER_TYPE_ORG
]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.
userLinks object[]
the id of the user
the id of the identity provider
the name of the identity provider
the id of the user provided by the identity provider
the id of the identity provider
Possible values: [IDP_TYPE_UNSPECIFIED
, IDP_TYPE_OIDC
, IDP_TYPE_JWT
]
Default value: IDP_TYPE_UNSPECIFIED
the authorization framework of the identity provider
domains object[]
details object
on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the first event of the object
on create: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
defines if the domain is verified
defines if the domain is the primary domain
Possible values: [DOMAIN_VALIDATION_TYPE_UNSPECIFIED
, DOMAIN_VALIDATION_TYPE_HTTP
, DOMAIN_VALIDATION_TYPE_DNS
]
Default value: DOMAIN_VALIDATION_TYPE_UNSPECIFIED
defines the protocol the domain was validated with
appKeys object[]
Possible values: [KEY_TYPE_UNSPECIFIED
, KEY_TYPE_JSON
]
Default value: KEY_TYPE_UNSPECIFIED
machineKeys object[]
Possible values: [KEY_TYPE_UNSPECIFIED
, KEY_TYPE_JSON
]
Default value: KEY_TYPE_UNSPECIFIED
dataOrgsLocal object
dataOrgsv1Local object
dataOrgsS3 object
dataOrgsv1S3 object
dataOrgsGcs object
dataOrgsv1Gcs object
Request Body required
dataOrgs object
orgs object[]
org object
Possible values: non-empty
and <= 200 characters
domainPolicy object
Possible values: non-empty
and <= 200 characters
the username has to end with the domain of its organization
defines if organization domains have to be validated; if not set, organization domains count as validated automatically
defines if the SMTP sender address domain should match an existing domain on the instance
labelPolicy object
Possible values: <= 50 characters
Represents a color scheme
hides the org suffix on the login form if the scope "urn:zitadel:iam:org:domain:primary:{domainname}" is set
Possible values: <= 50 characters
hex value for warn color
Possible values: <= 50 characters
hex value for background color
Possible values: <= 50 characters
hex value for font color
Possible values: <= 50 characters
hex value for the primary color dark theme
Possible values: <= 50 characters
hex value for background color dark theme
Possible values: <= 50 characters
hex value for warning color dark theme
Possible values: <= 50 characters
hex value for font color dark theme
Possible values: [THEME_MODE_UNSPECIFIED
, THEME_MODE_AUTO
, THEME_MODE_DARK
, THEME_MODE_LIGHT
]
Default value: THEME_MODE_UNSPECIFIED
defines whether the selectable themes are restricted (auto allows both, dark or light restricts to one)
lockoutPolicy object
When the user has reached the maximum number of failed password attempts, the account is locked. If this is set to 0, the lockout never triggers.
Maximum failed attempts for a single OTP type (TOTP, SMS, Email) before the account gets locked. Attempts are reset as soon as the OTP is entered correctly. If set to 0 the account will never be locked.
loginPolicy object
Possible values: [PASSWORDLESS_TYPE_NOT_ALLOWED
, PASSWORDLESS_TYPE_ALLOWED
]
Default value: PASSWORDLESS_TYPE_NOT_ALLOWED
defines if unknown username on login screen directly returns an error or always displays the password screen
defines where the user will be redirected to if the login is started without app context (e.g. from mail)
Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED
, SECOND_FACTOR_TYPE_OTP
, SECOND_FACTOR_TYPE_U2F
, SECOND_FACTOR_TYPE_OTP_EMAIL
, SECOND_FACTOR_TYPE_OTP_SMS
]
Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED
, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION
]
idps object[]
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED
, IDP_OWNER_TYPE_SYSTEM
, IDP_OWNER_TYPE_ORG
]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.
If set to true, the suffix (@domain.com) of an unknown username input on the login screen will be matched against the org domains and will redirect to the registration of that organization on success.
defines if the user can additionally (to the login name) be identified by their verified email address
defines if the user can additionally (to the login name) be identified by their verified phone number
if activated, only locally authenticated users are forced to use MFA. Authentication through IDPs won't prompt an MFA step in the login.
passwordComplexityPolicy object
Defines if the password MUST contain an upper case letter
Defines if the password MUST contain a lowercase letter
Defines if the password MUST contain a number
Defines if the password MUST contain a symbol. E.g. "$"
privacyPolicy object
If registration is enabled, the user has to accept the TOS. Variable {{.Lang}} can be set to have different links based on the language.
If registration is enabled, the user has to accept the privacy terms. Variable {{.Lang}} can be set to have different links based on the language.
Variable {{.Lang}} can be set to have different links based on the language.
help / support email address.
Link to documentation to be shown in the console.
Link to an external resource that will be available to users in the console.
The button text that would be shown in console pointing to custom link.
projects object[]
project object
Possible values: non-empty
and <= 200 characters
Enable this setting to have role information included in the userinfo endpoint response. Whether roles also appear in tokens and other places depends on your application settings.
When enabled, ZITADEL checks that the user has a role of this project assigned when logging in to an application of this project.
When enabled, ZITADEL checks that the organization of the user who is trying to log in has a grant to this project.
Possible values: [PRIVATE_LABELING_SETTING_UNSPECIFIED
, PRIVATE_LABELING_SETTING_ENFORCE_PROJECT_RESOURCE_OWNER_POLICY
, PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY
]
Default value: PRIVATE_LABELING_SETTING_UNSPECIFIED
Define which private labeling/branding should trigger when getting to a login of this project.
projectRoles object[]
Possible values: non-empty
and <= 200 characters
The key is the only relevant attribute for ZITADEL regarding the authorization checks.
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
The group is used only for display purposes, so that roles can be handled together, e.g. assigning all roles of a group to a user.
apiApps object[]
app object
Possible values: non-empty
and <= 200 characters
Possible values: [API_AUTH_METHOD_TYPE_BASIC
, API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]
Default value: API_AUTH_METHOD_TYPE_BASIC
oidcApps object[]
app object
Possible values: non-empty
and <= 200 characters
Callback URI of the authorization request where the code or tokens will be sent to
Possible values: [OIDC_RESPONSE_TYPE_CODE
, OIDC_RESPONSE_TYPE_ID_TOKEN
, OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN
]
Determines whether a code, id_token token or just id_token will be returned
Possible values: [OIDC_GRANT_TYPE_AUTHORIZATION_CODE
, OIDC_GRANT_TYPE_IMPLICIT
, OIDC_GRANT_TYPE_REFRESH_TOKEN
, OIDC_GRANT_TYPE_DEVICE_CODE
, OIDC_GRANT_TYPE_TOKEN_EXCHANGE
]
The flow type the application uses to gain access
Possible values: [OIDC_APP_TYPE_WEB
, OIDC_APP_TYPE_USER_AGENT
, OIDC_APP_TYPE_NATIVE
]
Default value: OIDC_APP_TYPE_WEB
Determines the paradigm of the application
Possible values: [OIDC_AUTH_METHOD_TYPE_BASIC
, OIDC_AUTH_METHOD_TYPE_POST
, OIDC_AUTH_METHOD_TYPE_NONE
, OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]
Default value: OIDC_AUTH_METHOD_TYPE_BASIC
Defines how the application passes login credentials
ZITADEL will redirect to this link after a successful logout
Possible values: [OIDC_VERSION_1_0
]
Default value: OIDC_VERSION_1_0
Used for development only: some checks required by the OIDC specification are not performed.
Possible values: [OIDC_TOKEN_TYPE_BEARER
, OIDC_TOKEN_TYPE_JWT
]
Default value: OIDC_TOKEN_TYPE_BEARER
Type of the access token returned from ZITADEL
Adds roles to the claims of the access token (only if type == JWT) even if they are not requested by scopes
Adds roles to the claims of the id token even if they are not requested by scopes
Claims of the profile, email, address and phone scopes are added to the id token even if an access token is issued. Attention: this violates the OIDC specification.
Used to compensate for clock differences between servers. Duration added to the "exp" claim and subtracted from the "iat", "auth_time" and "nbf" claims
Additional origins (other than the redirect_uris) from where the API can be used, provided string has to be an origin (scheme://hostname[:port]) without path, query or fragment
Skip the successful login page on native apps and directly redirect the user to the callback.
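The oidcApps settings above combine into secure or insecure client configurations (implicit grant, id_token token, devMode, idTokenUserinfoAssertion, a public client with a client secret, plain-http redirect URIs). The following linter is an added example, not ZITADEL's own code: it walks the oidcApps entries of an import body and reports those combinations before the file is applied. The JSON field names (app.appType, app.authMethodType, app.responseTypes, app.grantTypes, app.redirectUris, app.devMode, app.idTokenUserinfoAssertion, app.additionalOrigins) are assumed from the ZITADEL admin API, since the page lists only the descriptions; the two sample apps are constructed.

```python
"""Lint the oidcApps entries of a ZITADEL ImportData body before applying it.

Added example, not part of ZITADEL.  It flags settings from the list above
that weaken the OAuth/OIDC security model.  JSON field names (app.appType,
app.authMethodType, app.responseTypes, app.grantTypes, app.redirectUris,
app.devMode, app.idTokenUserinfoAssertion, app.additionalOrigins) are assumed
from the ZITADEL admin API; the page shows only their descriptions.
"""
from urllib.parse import urlsplit

# User-agent (SPA) and native apps cannot keep a client secret.
PUBLIC_CLIENT_TYPES = {"OIDC_APP_TYPE_USER_AGENT", "OIDC_APP_TYPE_NATIVE"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def lint_oidc_app(entry):
    """Return a list of findings (strings) for one oidcApps element."""
    app = entry.get("app", {})
    name = app.get("name") or entry.get("appId", "<unnamed>")
    findings = []

    if "OIDC_GRANT_TYPE_IMPLICIT" in app.get("grantTypes", []):
        findings.append(f"{name}: implicit grant enabled; use the authorization code grant")
    if "OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN" in app.get("responseTypes", []):
        findings.append(f"{name}: response type 'id_token token' delivers an access token via the front channel")
    if app.get("devMode"):
        findings.append(f"{name}: devMode disables OIDC spec checks; keep it off outside development")
    if app.get("idTokenUserinfoAssertion"):
        findings.append(f"{name}: idTokenUserinfoAssertion copies userinfo claims into the id token, which violates the OIDC spec")
    if app.get("appType") in PUBLIC_CLIENT_TYPES and app.get("authMethodType") != "OIDC_AUTH_METHOD_TYPE_NONE":
        findings.append(f"{name}: public client {app['appType']} cannot protect a secret; use OIDC_AUTH_METHOD_TYPE_NONE with PKCE")
    for uri in app.get("redirectUris", []):
        parts = urlsplit(uri)
        if parts.scheme == "http" and (parts.hostname or "") not in LOOPBACK_HOSTS:
            findings.append(f"{name}: redirect URI {uri} is plain http on a non-loopback host")
        if "*" in uri:
            findings.append(f"{name}: redirect URI {uri} contains a wildcard")
    for origin in app.get("additionalOrigins", []):
        parts = urlsplit(origin)
        if parts.path or parts.query or parts.fragment:
            findings.append(f"{name}: additional origin {origin} must be scheme://host[:port] without path, query or fragment")
    return findings


def lint_import(payload):
    """Collect findings across dataOrgs.orgs[].oidcApps[]."""
    findings = []
    for org in payload.get("dataOrgs", {}).get("orgs", []):
        for entry in org.get("oidcApps", []):
            findings.extend(lint_oidc_app(entry))
    return findings


# Constructed samples: the same SPA once with weak settings, once hardened.
WEAK_SPA = {"appId": "app-1", "app": {
    "name": "dashboard-legacy",
    "appType": "OIDC_APP_TYPE_USER_AGENT",
    "authMethodType": "OIDC_AUTH_METHOD_TYPE_BASIC",
    "responseTypes": ["OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN"],
    "grantTypes": ["OIDC_GRANT_TYPE_IMPLICIT"],
    "redirectUris": ["http://dashboard.example.com/callback"],
    "devMode": True,
    "idTokenUserinfoAssertion": True,
    "additionalOrigins": ["https://dashboard.example.com/app"],
}}
HARDENED_SPA = {"appId": "app-2", "app": {
    "name": "dashboard",
    "appType": "OIDC_APP_TYPE_USER_AGENT",
    "authMethodType": "OIDC_AUTH_METHOD_TYPE_NONE",      # public client, PKCE
    "responseTypes": ["OIDC_RESPONSE_TYPE_CODE"],
    "grantTypes": ["OIDC_GRANT_TYPE_AUTHORIZATION_CODE", "OIDC_GRANT_TYPE_REFRESH_TOKEN"],
    "redirectUris": ["https://dashboard.example.com/callback",
                     "http://localhost:3000/callback"],   # loopback http is acceptable for local dev
    "devMode": False,
    "additionalOrigins": ["https://dashboard.example.com"],
}}

if __name__ == "__main__":
    for finding in lint_import({"dataOrgs": {"orgs": [{"oidcApps": [WEAK_SPA, HARDENED_SPA]}]}}):
        print(finding)
```

Run it over the real import file before calling the endpoint; the hardened sample produces no findings, the weak one produces seven. The loopback exception for plain http mirrors the usual allowance for native and local development callbacks, and is this example's policy, not a ZITADEL rule.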
humanUsers object[]
user object
profile object required
Profile includes the basic information of a user, like first name, last name, etc.
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
Possible values: <= 200 characters
Possible values: <= 10 characters
Possible values: [GENDER_UNSPECIFIED
, GENDER_FEMALE
, GENDER_MALE
, GENDER_DIVERSE
]
Default value: GENDER_UNSPECIFIED
email object required
Object that contains the email address and a verified flag.
If email verified is set to true, the email will be added as verified and the user doesn't have to verify.
phone object
Object that contains the number and a verified flag
Possible values: non-empty
and <= 50 characters
mobile phone number of the user. (use global pattern of spec https://tools.ietf.org/html/rfc3966)
hashedPassword object
Use this to import hashed passwords from another system.
Encoded hash of a password in Modular Crypt Format: https://zitadel.com/docs/concepts/architecture/secrets#hashed-secrets
If this is set to true, the user has to change the password on the next login.
If this is set to true, you will get a link for the passwordless/passkey registration in the response.
idps object[]
To link your user directly with an external identity provider (Identity brokering)
Possible values: non-empty
and <= 200 characters
The internal ID of the identity provider configured in ZITADEL.
Possible values: non-empty
and <= 200 characters
The id of the user in the external identity provider
Possible values: <= 200 characters
A display name ZITADEL can show on the linked provider.
machineUsers object[]
user object
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: <= 500 characters
Possible values: [ACCESS_TOKEN_TYPE_BEARER
, ACCESS_TOKEN_TYPE_JWT
]
Default value: ACCESS_TOKEN_TYPE_BEARER
triggerActions object[]
actions object[]
action object
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 10000 characters
JavaScript code that should be executed
timeout after which the action is terminated if it has not finished
when true, the next action will be called even if this action fails
projectGrants object[]
projectGrant object
userGrants object[]
Possible values: non-empty
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
Make sure to fill in the project grant id if the user grant is for a granted project and the organization is not the owner of the project.
orgMembers object[]
If no roles are provided the user won't have any rights
projectMembers object[]
If no roles are provided the user won't have any rights
projectGrantMembers object[]
Possible values: non-empty
and <= 200 characters
If no roles are provided the user won't have any rights
userMetadata object[]
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 500000 characters
The value has to be base64 encoded.
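The hashedPassword object (import of Modular Crypt Format hashes, optional forced change on next login) and the userMetadata entries (base64 values, 200/500000 character limits) are the parts of an import most likely to go wrong during a migration. The script below is an added example, not ZITADEL tooling: it turns a constructed legacy export into the dataOrgs request body, keeps hashes under a modern algorithm as they are, imports still-valid but weak MCF hashes with changeRequired set, and drops bare digests rather than ever sending a plaintext password. The same two field groups recur under the dataOrgsv1 variant. JSON field names (dataOrgs, orgs[].orgId/org.name, humanUsers[].userId/user, hashedPassword.value/changeRequired, userMetadata[].id/key/value) are assumed from the ZITADEL admin API because the page shows only descriptions; the legacy rows and hash bodies are constructed placeholders.

```python
"""Build the dataOrgs part of a ZITADEL ImportData request from a legacy
user export that carries password hashes.

Added example, not ZITADEL tooling.  The page lists field descriptions only,
so the JSON field names used here (dataOrgs, orgs[].org.name, humanUsers[].user,
hashedPassword.value / changeRequired, userMetadata[].id/key/value) are
assumed from the ZITADEL admin API and should be checked against the proto.
"""
import base64
import json
import re

# Modular Crypt Format / PHC strings start with "$<algorithm-id>$".
_MCF_RE = re.compile(r"^\$([a-z0-9-]+)\$.+")

# Policy of this example (not ZITADEL's): hashes under these identifiers are
# kept as the user's password; anything else that is still valid MCF (e.g.
# md5-crypt "$1$", sha-crypt "$5$"/"$6$") is imported but rotated on first login.
_MODERN_ALGS = {"argon2id", "argon2i", "argon2d", "2a", "2b", "2y",
                "scrypt", "pbkdf2-sha256", "pbkdf2-sha512"}


def classify_hash(value):
    """Return (is_mcf, algorithm_id) for a stored hash string."""
    m = _MCF_RE.match(value or "")
    return (True, m.group(1)) if m else (False, None)


def human_user_entry(legacy):
    """Translate one legacy row into a humanUsers element."""
    entry = {
        "userId": legacy["id"],
        "user": {
            "userName": legacy["username"],
            "profile": {"firstName": legacy["first_name"],
                        "lastName": legacy["last_name"]},
            "email": {
                "email": legacy["email"],
                # Only carry the verified flag over if the old system really
                # verified the address; otherwise ZITADEL asks the user to verify.
                "isEmailVerified": bool(legacy.get("email_verified")),
            },
        },
    }
    is_mcf, alg = classify_hash(legacy.get("password_hash"))
    if is_mcf:
        entry["user"]["hashedPassword"] = {
            "value": legacy["password_hash"],
            "changeRequired": alg not in _MODERN_ALGS,
        }
    # A bare digest or empty value is not importable as a hash.  The account is
    # created without a password and the user must go through password reset;
    # never fall back to sending a plaintext password in the import.
    return entry


def metadata_entries(legacy):
    """userMetadata values must be base64; keys <= 200 and values <= 500000 chars."""
    out = []
    for key, val in legacy.get("attributes", {}).items():
        raw = val.encode() if isinstance(val, str) else json.dumps(val).encode()
        encoded = base64.b64encode(raw).decode()
        if len(key) > 200 or len(encoded) > 500_000:
            raise ValueError(f"metadata {key!r} exceeds the documented limits")
        out.append({"id": legacy["id"], "key": key, "value": encoded})
    return out


def build_import_payload(org_id, org_name, legacy_users):
    """Assemble the request body for one organization."""
    return {"dataOrgs": {"orgs": [{
        "orgId": org_id,
        "org": {"name": org_name},
        "humanUsers": [human_user_entry(u) for u in legacy_users],
        "userMetadata": [m for u in legacy_users for m in metadata_entries(u)],
    }]}}


# Constructed sample export; the hash bodies are placeholders, not real hashes.
LEGACY_EXPORT = [
    {"id": "u-1001", "username": "alice", "first_name": "Alice", "last_name": "Doe",
     "email": "alice@example.com", "email_verified": True,
     "password_hash": "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$" + "A" * 43,
     "attributes": {"department": "security"}},
    {"id": "u-1002", "username": "bob", "first_name": "Bob", "last_name": "Roe",
     "email": "bob@example.com", "email_verified": False,
     "password_hash": "$1$abcdefgh$" + "B" * 22},          # md5-crypt: rotate
    {"id": "u-1003", "username": "carol", "first_name": "Carol", "last_name": "Poe",
     "email": "carol@example.com",
     "password_hash": "5f4dcc3b5aa765d61d8327deb882cf99"},  # bare MD5 hex: not MCF
]

if __name__ == "__main__":
    print(json.dumps(build_import_payload("org-1", "Acme", LEGACY_EXPORT), indent=2))
```

The algorithm allow-list is the migration policy of this example; which MCF identifiers ZITADEL can actually verify is documented on the hashed-secrets page linked above and should be checked before the import, since a hash ZITADEL cannot verify locks the user out until they reset.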
loginTexts object[]
selectAccountText object
loginText object
passwordText object
usernameChangeText object
usernameChangeDoneText object
initPasswordText object
initPasswordDoneText object
emailVerificationText object
emailVerificationDoneText object
initializeUserText object
initializeDoneText object
initMfaPromptText object
initMfaOtpText object
initMfaU2fText object
initMfaDoneText object
mfaProvidersText object
verifyMfaOtpText object
verifyMfaU2fText object
passwordlessText object
passwordChangeText object
passwordChangeDoneText object
passwordResetDoneText object
registrationOptionText object
registrationUserText object
registrationOrgText object
linkingUserDoneText object
externalUserNotFoundText object
successLoginText object
logoutText object
footerText object
passwordlessPromptText object
passwordlessRegistrationText object
passwordlessRegistrationDoneText object
externalRegistrationUserOverviewText object
linkingUserPromptText object
initMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
passwordResetMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
verifyEmailMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
verifyPhoneMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 800 characters
Possible values: <= 1000 characters
domainClaimedMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
passwordlessRegistrationMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 500 characters
oidcIdps object[]
idp object
Possible values: non-empty
and <= 200 characters
Possible values: [STYLING_TYPE_UNSPECIFIED
, STYLING_TYPE_GOOGLE
]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers prescribe the styling of the button that leads to their login
Possible values: non-empty
and <= 200 characters
client id generated by the identity provider
Possible values: non-empty
and <= 200 characters
client secret generated by the identity provider
the OIDC issuer of the identity provider
the scopes requested by ZITADEL during the request on the identity provider
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED
, OIDC_MAPPING_FIELD_PREFERRED_USERNAME
, OIDC_MAPPING_FIELD_EMAIL
]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the display name of the user
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED
, OIDC_MAPPING_FIELD_PREFERRED_USERNAME
, OIDC_MAPPING_FIELD_EMAIL
]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
definition which field is mapped to the email of the user
jwtIdps object[]
idp object
Possible values: non-empty
and <= 200 characters
Possible values: [STYLING_TYPE_UNSPECIFIED
, STYLING_TYPE_GOOGLE
]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button to their login
Possible values: non-empty
and <= 200 characters
the endpoint where the JWT can be extracted
Possible values: non-empty
and <= 200 characters
the issuer of the JWT (for validation)
Possible values: non-empty
and <= 200 characters
the endpoint serving the key (JWK) the JWT is signed with; ZITADEL uses it to verify the signature
Possible values: non-empty
and <= 200 characters
the name of the header the JWT is sent in; the default is authorization
userLinks object[]
the id of the user
the id of the identity provider
the name of the identity provider
the id of the user provided by the identity provider
the id of the identity provider
Possible values: [IDP_TYPE_UNSPECIFIED
, IDP_TYPE_OIDC
, IDP_TYPE_JWT
]
Default value: IDP_TYPE_UNSPECIFIED
the authorization framework of the identity provider
domains object[]
details object
on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the first event of the object
on create: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
defines if the domain is verified
defines if the domain is the primary domain
Possible values: [DOMAIN_VALIDATION_TYPE_UNSPECIFIED
, DOMAIN_VALIDATION_TYPE_HTTP
, DOMAIN_VALIDATION_TYPE_DNS
]
Default value: DOMAIN_VALIDATION_TYPE_UNSPECIFIED
defines the protocol the domain was validated with
appKeys object[]
Possible values: [KEY_TYPE_UNSPECIFIED
, KEY_TYPE_JSON
]
Default value: KEY_TYPE_UNSPECIFIED
machineKeys object[]
Possible values: [KEY_TYPE_UNSPECIFIED
, KEY_TYPE_JSON
]
Default value: KEY_TYPE_UNSPECIFIED
verifySmsOtpMessages object[]
Possible values: <= 800 characters
verifyEmailOtpMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
dataOrgsv1 object
orgs object[]
org object
Possible values: non-empty
and <= 200 characters
iamPolicy object
Possible values: non-empty
and <= 200 characters
the username has to end with the domain of its organization
labelPolicy object
Possible values: <= 50 characters
Represents a color scheme
hides the org suffix on the login form if the scope "urn:zitadel:iam:org:domain:primary:{domainname}" is set
Possible values: <= 50 characters
hex value for warn color
Possible values: <= 50 characters
hex value for background color
Possible values: <= 50 characters
hex value for font color
Possible values: <= 50 characters
hex value for the primary color dark theme
Possible values: <= 50 characters
hex value for background color dark theme
Possible values: <= 50 characters
hex value for warning color dark theme
Possible values: <= 50 characters
hex value for font color dark theme
Possible values: [THEME_MODE_UNSPECIFIED
, THEME_MODE_AUTO
, THEME_MODE_DARK
, THEME_MODE_LIGHT
]
Default value: THEME_MODE_UNSPECIFIED
defines whether the selectable themes are restricted (auto allows both, dark or light restricts to one)
lockoutPolicy object
When the user has reached the maximum number of failed password attempts, the account is locked. If this is set to 0, the lockout never triggers.
Maximum failed attempts for a single OTP type (TOTP, SMS, Email) before the account gets locked. Attempts are reset as soon as the OTP is entered correctly. If set to 0 the account will never be locked.
loginPolicy object
Possible values: [PASSWORDLESS_TYPE_NOT_ALLOWED
, PASSWORDLESS_TYPE_ALLOWED
]
Default value: PASSWORDLESS_TYPE_NOT_ALLOWED
defines if unknown username on login screen directly returns an error or always displays the password screen
defines where the user will be redirected to if the login is started without app context (e.g. from mail)
Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED
, SECOND_FACTOR_TYPE_OTP
, SECOND_FACTOR_TYPE_U2F
, SECOND_FACTOR_TYPE_OTP_EMAIL
, SECOND_FACTOR_TYPE_OTP_SMS
]
Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED
, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION
]
idps object[]
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED
, IDP_OWNER_TYPE_SYSTEM
, IDP_OWNER_TYPE_ORG
]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.
If set to true, the suffix (@domain.com) of an unknown username input on the login screen will be matched against the org domains and will redirect to the registration of that organization on success.
defines if the user can additionally (to the login name) be identified by their verified email address
defines if the user can additionally (to the login name) be identified by their verified phone number
if activated, only locally authenticated users are forced to use MFA. Authentication through IDPs won't prompt an MFA step in the login.
passwordComplexityPolicy object
Defines if the password MUST contain an upper case letter
Defines if the password MUST contain a lowercase letter
Defines if the password MUST contain a number
Defines if the password MUST contain a symbol. E.g. "$"
privacyPolicy object
If registration is enabled, the user has to accept the TOS. Variable {{.Lang}} can be set to have different links based on the language.
If registration is enabled, the user has to accept the privacy terms. Variable {{.Lang}} can be set to have different links based on the language.
Variable {{.Lang}} can be set to have different links based on the language.
help / support email address.
Link to documentation to be shown in the console.
Link to an external resource that will be available to users in the console.
The button text that would be shown in console pointing to custom link.
projects object[]
project object
Possible values: non-empty
and <= 200 characters
Enable this setting to have role information included in the userinfo endpoint response. Whether roles also appear in tokens and other places depends on your application settings.
When enabled, ZITADEL checks that the user has a role of this project assigned when logging in to an application of this project.
When enabled, ZITADEL checks that the organization of the user who is trying to log in has a grant to this project.
Possible values: [PRIVATE_LABELING_SETTING_UNSPECIFIED
, PRIVATE_LABELING_SETTING_ENFORCE_PROJECT_RESOURCE_OWNER_POLICY
, PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY
]
Default value: PRIVATE_LABELING_SETTING_UNSPECIFIED
Define which private labeling/branding should trigger when getting to a login of this project.
projectRoles object[]
Possible values: non-empty
and <= 200 characters
The key is the only relevant attribute for ZITADEL regarding the authorization checks.
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
The group is used only for display purposes, so that roles can be handled together, e.g. assigning all roles of a group to a user.
apiApps object[]
app object
Possible values: non-empty
and <= 200 characters
Possible values: [API_AUTH_METHOD_TYPE_BASIC
, API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]
Default value: API_AUTH_METHOD_TYPE_BASIC
oidcApps object[]
app object
Possible values: non-empty
and <= 200 characters
Callback URI of the authorization request where the code or tokens will be sent to
Possible values: [OIDC_RESPONSE_TYPE_CODE
, OIDC_RESPONSE_TYPE_ID_TOKEN
, OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN
]
Determines whether a code, id_token token or just id_token will be returned
Possible values: [OIDC_GRANT_TYPE_AUTHORIZATION_CODE
, OIDC_GRANT_TYPE_IMPLICIT
, OIDC_GRANT_TYPE_REFRESH_TOKEN
, OIDC_GRANT_TYPE_DEVICE_CODE
, OIDC_GRANT_TYPE_TOKEN_EXCHANGE
]
The flow type the application uses to gain access
Possible values: [OIDC_APP_TYPE_WEB
, OIDC_APP_TYPE_USER_AGENT
, OIDC_APP_TYPE_NATIVE
]
Default value: OIDC_APP_TYPE_WEB
Determines the paradigm of the application
Possible values: [OIDC_AUTH_METHOD_TYPE_BASIC
, OIDC_AUTH_METHOD_TYPE_POST
, OIDC_AUTH_METHOD_TYPE_NONE
, OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
]
Default value: OIDC_AUTH_METHOD_TYPE_BASIC
Defines how the application passes login credentials
ZITADEL will redirect to this link after a successful logout
Possible values: [OIDC_VERSION_1_0
]
Default value: OIDC_VERSION_1_0
Used for development only: some checks required by the OIDC specification are not performed.
Possible values: [OIDC_TOKEN_TYPE_BEARER
, OIDC_TOKEN_TYPE_JWT
]
Default value: OIDC_TOKEN_TYPE_BEARER
Type of the access token returned from ZITADEL
Adds roles to the claims of the access token (only if type == JWT) even if they are not requested by scopes
Adds roles to the claims of the id token even if they are not requested by scopes
Claims of the profile, email, address and phone scopes are added to the id token even if an access token is issued. Attention: this violates the OIDC specification.
Used to compensate for clock differences between servers. Duration added to the "exp" claim and subtracted from the "iat", "auth_time" and "nbf" claims
Additional origins (other than the redirect_uris) from where the API can be used, provided string has to be an origin (scheme://hostname[:port]) without path, query or fragment
Skip the successful login page on native apps and directly redirect the user to the callback.
humanUsers object[]
user object
profile object required
Profile includes the basic information of a user, like first name, last name, etc.
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
Possible values: <= 200 characters
Possible values: <= 10 characters
Possible values: [GENDER_UNSPECIFIED
, GENDER_FEMALE
, GENDER_MALE
, GENDER_DIVERSE
]
Default value: GENDER_UNSPECIFIED
email object required
Object that contains the email address and a verified flag.
If email verified is set to true, the email will be added as verified and the user doesn't have to verify.
phone object
Object that contains the number and a verified flag
Possible values: non-empty
and <= 50 characters
mobile phone number of the user. (use global pattern of spec https://tools.ietf.org/html/rfc3966)
hashedPassword object
Use this to import hashed passwords from another system.
Encoded hash of a password in Modular Crypt Format: https://zitadel.com/docs/concepts/architecture/secrets#hashed-secrets
If this is set to true, the user has to change the password on the next login.
If this is set to true, you will get a link for the passwordless/passkey registration in the response.
idps object[]
To link your user directly with an external identity provider (Identity brokering)
Possible values: non-empty
and <= 200 characters
The internal ID of the identity provider configured in ZITADEL.
Possible values: non-empty
and <= 200 characters
The id of the user in the external identity provider
Possible values: <= 200 characters
A display name ZITADEL can show on the linked provider.
machineUsers object[]
user object
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: <= 500 characters
Possible values: [ACCESS_TOKEN_TYPE_BEARER
, ACCESS_TOKEN_TYPE_JWT
]
Default value: ACCESS_TOKEN_TYPE_BEARER
triggerActions object[]
Possible values: [FLOW_TYPE_UNSPECIFIED
, FLOW_TYPE_EXTERNAL_AUTHENTICATION
]
Default value: FLOW_TYPE_UNSPECIFIED
Possible values: [TRIGGER_TYPE_UNSPECIFIED
, TRIGGER_TYPE_POST_AUTHENTICATION
, TRIGGER_TYPE_PRE_CREATION
, TRIGGER_TYPE_POST_CREATION
]
Default value: TRIGGER_TYPE_UNSPECIFIED
actions object[]
action object
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 10000 characters
JavaScript code that should be executed
timeout after which the action is terminated if it has not finished
when true, the next action will be called even if this action fails
projectGrants object[]
projectGrant object
userGrants object[]
Possible values: non-empty
Possible values: non-empty
and <= 200 characters
Possible values: <= 200 characters
Make sure to fill in the project grant id if the user grant is for a granted project and the organization is not the owner of the project.
orgMembers object[]
If no roles are provided the user won't have any rights
projectMembers object[]
If no roles are provided the user won't have any rights
projectGrantMembers object[]
Possible values: non-empty
and <= 200 characters
If no roles are provided the user won't have any rights
userMetadata object[]
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 500000 characters
The value has to be base64 encoded.
loginTexts object[]
selectAccountText object
loginText object
passwordText object
usernameChangeText object
usernameChangeDoneText object
initPasswordText object
initPasswordDoneText object
emailVerificationText object
emailVerificationDoneText object
initializeUserText object
initializeDoneText object
initMfaPromptText object
initMfaOtpText object
initMfaU2fText object
initMfaDoneText object
mfaProvidersText object
verifyMfaOtpText object
verifyMfaU2fText object
passwordlessText object
passwordChangeText object
passwordChangeDoneText object
passwordResetDoneText object
registrationOptionText object
registrationUserText object
registrationOrgText object
linkingUserDoneText object
externalUserNotFoundText object
successLoginText object
logoutText object
footerText object
passwordlessPromptText object
passwordlessRegistrationText object
passwordlessRegistrationDoneText object
externalRegistrationUserOverviewText object
linkingUserPromptText object
initMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
passwordResetMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
verifyEmailMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
verifyPhoneMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 800 characters
Possible values: <= 1000 characters
domainClaimedMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 1000 characters
passwordlessRegistrationMessages object[]
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 500 characters
Possible values: <= 1000 characters
Possible values: <= 10000 characters
Possible values: <= 500 characters
oidcIdps object[]
idp object
Possible values: non-empty
and <= 200 characters
Possible values: [STYLING_TYPE_UNSPECIFIED
, STYLING_TYPE_GOOGLE
]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button that leads to their login
Possible values: non-empty
and <= 200 characters
client id generated by the identity provider
Possible values: non-empty
and <= 200 characters
client secret generated by the identity provider
the OIDC issuer of the identity provider
the scopes ZITADEL requests from the identity provider during the authentication request
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED
, OIDC_MAPPING_FIELD_PREFERRED_USERNAME
, OIDC_MAPPING_FIELD_EMAIL
]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
defines which field is mapped to the display name of the user
Possible values: [OIDC_MAPPING_FIELD_UNSPECIFIED
, OIDC_MAPPING_FIELD_PREFERRED_USERNAME
, OIDC_MAPPING_FIELD_EMAIL
]
Default value: OIDC_MAPPING_FIELD_UNSPECIFIED
defines which field is mapped to the email of the user
jwtIdps object[]
idp object
Possible values: non-empty
and <= 200 characters
Possible values: [STYLING_TYPE_UNSPECIFIED
, STYLING_TYPE_GOOGLE
]
Default value: STYLING_TYPE_UNSPECIFIED
some identity providers specify the styling of the button that leads to their login
Possible values: non-empty
and <= 200 characters
the endpoint where the JWT can be extracted
Possible values: non-empty
and <= 200 characters
the issuer of the JWT (for validation)
Possible values: non-empty
and <= 200 characters
the endpoint serving the key (JWK) used to verify the signature of the JWT
Possible values: non-empty
and <= 200 characters
the name of the header the JWT is sent in; the default is authorization
secondFactors object[]
Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED
, SECOND_FACTOR_TYPE_OTP
, SECOND_FACTOR_TYPE_U2F
, SECOND_FACTOR_TYPE_OTP_EMAIL
, SECOND_FACTOR_TYPE_OTP_SMS
]
Default value: SECOND_FACTOR_TYPE_UNSPECIFIED
multiFactors object[]
Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED
, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION
]
Default value: MULTI_FACTOR_TYPE_UNSPECIFIED
idps object[]
Possible values: [IDP_OWNER_TYPE_UNSPECIFIED
, IDP_OWNER_TYPE_SYSTEM
, IDP_OWNER_TYPE_ORG
]
Default value: IDP_OWNER_TYPE_UNSPECIFIED
the owner of the identity provider.
userLinks object[]
the id of the user
the id of the identity provider
the name of the identity provider
the id of the user provided by the identity provider
the id of the identity provider
Possible values: [IDP_TYPE_UNSPECIFIED
, IDP_TYPE_OIDC
, IDP_TYPE_JWT
]
Default value: IDP_TYPE_UNSPECIFIED
the authorization framework of the identity provider
domains object[]
details object
on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the first event of the object
on create: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the last event reduced by the projection
on manipulation: the
defines if the domain is verified
defines if the domain is the primary domain
Possible values: [DOMAIN_VALIDATION_TYPE_UNSPECIFIED
, DOMAIN_VALIDATION_TYPE_HTTP
, DOMAIN_VALIDATION_TYPE_DNS
]
Default value: DOMAIN_VALIDATION_TYPE_UNSPECIFIED
defines the protocol the domain was validated with
appKeys object[]
Possible values: [KEY_TYPE_UNSPECIFIED
, KEY_TYPE_JSON
]
Default value: KEY_TYPE_UNSPECIFIED
machineKeys object[]
Possible values: [KEY_TYPE_UNSPECIFIED
, KEY_TYPE_JSON
]
Default value: KEY_TYPE_UNSPECIFIED
dataOrgsLocal object
dataOrgsv1Local object
dataOrgsS3 object
dataOrgsv1S3 object
dataOrgsGcs object
dataOrgsv1Gcs object
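The request body above is documented only through its constraints. As an added example (not ZITADEL's code and not part of this page), the Python below assembles a minimal `dataOrgs` body, checks the limits listed on this page before the body is sent (the 200-character id and name caps, the 10000-character action script cap, the base64 requirement on metadata values, and the rule that a user grant on a project the organization does not own must carry a `projectGrantId`), and produces a redacted copy for logging, since the `oidcIdps` entries carry the client secret in clear text. The field names (`orgId`, `userName`, `accessTokenType`, `script`, `allowedToFail`, `roleKeys`, `projectGrantId`, `clientSecret`, and the others in the builder) are assumptions taken from the admin v1 import schema as I recall it and should be verified against the live schema; the endpoint path and the authorization header are outside this page and are not shown.

```python
"""Build and sanity-check a ZITADEL ImportData request body (added example)."""
import base64
import copy
from typing import Any

MAX_ID = 200         # page: ids and names "non-empty and <= 200 characters"
MAX_SCRIPT = 10_000  # page: action script <= 10000 characters
MAX_META = 500_000   # page: metadata value <= 500000 characters, base64 encoded
SECRET_KEYS = {"clientSecret"}  # assumed field name for the OIDC IdP secret

def _check_len(path: str, value: str, limit: int) -> list[str]:
    if not value:
        return [f"{path}: must be non-empty"]
    if len(value) > limit:
        return [f"{path}: {len(value)} chars exceeds limit of {limit}"]
    return []

def encode_metadata_value(raw: bytes) -> str:
    """Metadata values are sent base64 encoded."""
    return base64.b64encode(raw).decode("ascii")

def decode_metadata_value(encoded: str) -> bytes:
    """Strict decode: raises ValueError on characters outside the base64 alphabet."""
    return base64.b64decode(encoded, validate=True)

def build_import_payload() -> dict[str, Any]:
    """Constructed sample body. Field names are assumptions drawn from the
    admin v1 import schema; the action script is a placeholder."""
    org_id, project_id, user_id = "org-1", "proj-1", "svc-1"
    return {"timeout": "60s", "dataOrgs": {"orgs": [{
        "orgId": org_id,
        "org": {"name": "Example Org"},
        "projects": [{"projectId": project_id, "project": {"name": "API"}}],
        "machineUsers": [{"userId": user_id, "user": {
            "userName": "ci-bot", "name": "CI bot",
            "accessTokenType": "ACCESS_TOKEN_TYPE_JWT"}}],
        "actions": [{"actionId": "act-1", "action": {
            "name": "post-auth-hook",
            "script": "function postAuth(ctx, api) { /* placeholder */ }",
            "timeout": "10s", "allowedToFail": False}}],
        "triggerActions": [{"flowType": "FLOW_TYPE_EXTERNAL_AUTHENTICATION",
                            "triggerType": "TRIGGER_TYPE_POST_AUTHENTICATION",
                            "actionIds": ["act-1"]}],
        "userGrants": [{"projectId": project_id, "userId": user_id,
                        "roleKeys": ["reader"]}],
        "userMetadata": [{"id": user_id, "key": "team",
                          "value": encode_metadata_value(b"platform")}],
        "oidcIdps": [{"idpId": "idp-1", "idp": {
            "name": "corp-idp", "clientId": "client-abc", "clientSecret": "s3cr3t",
            "issuer": "https://idp.example.com", "scopes": ["openid", "email"]}}],
    }]}}

def validate_import_payload(payload: dict[str, Any]) -> list[str]:
    """Apply the limits this page documents before the body leaves the host."""
    errs: list[str] = []
    for org in payload.get("dataOrgs", {}).get("orgs", []):
        oid = org.get("orgId", "")
        errs += _check_len(f"org {oid!r}.orgId", oid, MAX_ID)
        errs += _check_len(f"org {oid!r}.name", org.get("org", {}).get("name", ""), MAX_ID)
        owned = {p.get("projectId") for p in org.get("projects", [])}
        for act in org.get("actions", []):
            errs += _check_len(f"action {act.get('actionId')!r}.script",
                               act.get("action", {}).get("script", ""), MAX_SCRIPT)
        for grant in org.get("userGrants", []):
            # page: a grant on a project this org does not own needs projectGrantId
            if grant.get("projectId") not in owned and not grant.get("projectGrantId"):
                errs.append(f"userGrant for {grant.get('userId')!r}: project "
                            f"{grant.get('projectId')!r} is not owned by org {oid!r}; "
                            "projectGrantId is required")
        for meta in org.get("userMetadata", []):
            path = f"metadata {meta.get('id')!r}/{meta.get('key')!r}"
            errs += _check_len(path + ".key", meta.get("key", ""), MAX_ID)
            errs += _check_len(path + ".value", meta.get("value", ""), MAX_META)
            try:
                decode_metadata_value(meta.get("value", ""))
            except ValueError:
                errs.append(f"{path}.value: not valid base64")
    return errs

def redact(payload: dict[str, Any]) -> dict[str, Any]:
    """Deep copy with IdP client secrets masked, safe to write to logs or tickets."""
    out = copy.deepcopy(payload)

    def walk(node: Any) -> None:
        if isinstance(node, dict):
            for key, val in node.items():
                if key in SECRET_KEYS and isinstance(val, str):
                    node[key] = "***"
                else:
                    walk(val)
        elif isinstance(node, list):
            for val in node:
                walk(val)

    walk(out)
    return out
```

Run `validate_import_payload()` on the body and abort on any returned message; anything that goes to a log, a ticket or a chat channel should be `redact(payload)`, never the raw body.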
Responses: 200, 403, 404, default

200: A successful response.
Schema
errors object[]
success object
orgs object[]
triggerActions object[]
projectGrants object[]
userGrants object[]
projectMembers object[]
projectGrantMembers object[]
userLinks object[]
userMetadata object[]
{
"errors": [
{
"type": "string",
"id": "string",
"message": "string"
}
],
"success": {
"orgs": [
{
"orgId": "string",
"projectIds": [
"string"
],
"projectRoles": [
"string"
],
"oidcAppIds": [
"string"
],
"apiAppIds": [
"string"
],
"humanUserIds": [
"string"
],
"machineUserIds": [
"string"
],
"actionIds": [
"string"
],
"triggerActions": [
{
"flowType": "1",
"triggerType": "1",
"actionIds": [
"string"
]
}
],
"projectGrants": [
{
"grantId": "string",
"projectId": "string",
"orgId": "string"
}
],
"userGrants": [
{
"projectId": "string",
"userId": "string"
}
],
"orgMembers": [
"string"
],
"projectMembers": [
{
"projectId": "string",
"userId": "string"
}
],
"projectGrantMembers": [
{
"projectId": "string",
"grantId": "string",
"userId": "string"
}
],
"oidcIpds": [
"string"
],
"jwtIdps": [
"string"
],
"idpLinks": [
"string"
],
"userLinks": [
{
"userId": "string",
"externalUserId": "string",
"displayName": "string",
"idpId": "string"
}
],
"userMetadata": [
{
"userId": "string",
"key": "string"
}
],
"domains": [
"string"
],
"appKeys": [
"string"
],
"machineKeys": [
"string"
]
}
]
}
}
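The 200 response carries both an `errors` list and a `success` summary, so an import can partially fail while the HTTP status still reports success. As an added example (not ZITADEL's code and not part of this page), the Python below reads a response in that shape and reports whether the import was complete, which item ids failed grouped by type, how many objects of each kind were written, and which of a set of expected ids did not make it in. The sample response and its error `type` strings are constructed for illustration.

```python
"""Read an ImportData response and detect a partial import (added example)."""
from collections import Counter
from typing import Any

# Constructed sample in the shape documented above; the error `type`
# strings are made up for illustration, not values taken from ZITADEL.
SAMPLE_RESPONSE: dict[str, Any] = {
    "errors": [
        {"type": "user_grant", "id": "svc-1", "message": "project grant not found"},
        {"type": "machine_key", "id": "key-9", "message": "invalid public key"},
    ],
    "success": {"orgs": [{
        "orgId": "org-1",
        "projectIds": ["proj-1"],
        "projectRoles": ["proj-1/reader"],
        "humanUserIds": [],
        "machineUserIds": ["svc-1"],
        "actionIds": ["act-1"],
        "triggerActions": [{"flowType": "1", "triggerType": "1", "actionIds": ["act-1"]}],
        "userGrants": [],
        "userMetadata": [{"userId": "svc-1", "key": "team"}],
        "machineKeys": [],
    }]},
}

def summarize_import_response(resp: dict[str, Any]) -> dict[str, Any]:
    """Completeness flag, failed ids grouped by error type, per-kind write counts.

    A 200 with a non-empty `errors` list is a partial import: some objects
    (here a user grant and a machine key) were skipped while the rest were
    written, so the caller must reconcile instead of assuming success."""
    failed: dict[str, list[str]] = {}
    for err in resp.get("errors", []):
        failed.setdefault(err.get("type", "unknown"), []).append(err.get("id", ""))
    written: Counter = Counter()
    for org in resp.get("success", {}).get("orgs", []):
        for key, value in org.items():
            if isinstance(value, list):
                written[key] += len(value)
    return {"complete": not failed, "failed": failed, "written": dict(written)}

def ids_not_written(resp: dict[str, Any], kind: str, expected: list[str]) -> list[str]:
    """Expected ids missing from a string-list field of the success summary
    (projectIds, machineUserIds, actionIds, domains, machineKeys, ...)."""
    present: set[str] = set()
    for org in resp.get("success", {}).get("orgs", []):
        present.update(v for v in org.get(kind, []) if isinstance(v, str))
    return [i for i in expected if i not in present]
```

Treat `complete == False` as a failed run for automation purposes; the ids in `failed` and the output of `ids_not_written()` are what a second, corrected import has to cover.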
403: Returned when the user does not have permission to access the resource.
Schema
details object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
404: Returned when the resource does not exist.
Schema
details object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
default: An unexpected error response.
Schema
details object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}