zitadel/pkg/grpc/management/proto/management.proto

syntax = "proto3";

import "google/api/annotations.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/timestamp.proto";
import "protoc-gen-swagger/options/annotations.proto";
import "validate/validate.proto";
import "authoption/options.proto";
import "proto/message.proto";

package caos.zitadel.management.api.v1;

option go_package = "github.com/caos/zitadel/pkg/grpc/management";

option (grpc.gateway.protoc_gen_swagger.options.openapiv2_swagger) = {
  info: {
    title: "Management API";
    version: "0.1";
    contact:{
      url: "https://github.com/caos/zitadel/pkg/management"
    };
  };

  schemes: HTTPS;

  consumes: "application/json";
  consumes: "application/grpc";

  produces: "application/json";
  produces: "application/grpc";
};

// All requests are based on your context if nothing other is specified
// Requests which have /me in the url get the parameter from the context
service ManagementService {

  //READINESS
  rpc Healthz(google.protobuf.Empty) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      get: "/healthz"
    };
  }

  rpc Ready(google.protobuf.Empty) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      get: "/ready"
    };
  }

  rpc Validate(google.protobuf.Empty) returns (google.protobuf.Struct) {
    option (google.api.http) = {
      get: "/validate"
    };
  }

  rpc GetZitadelDocs(google.protobuf.Empty) returns (ZitadelDocs) {
    option (google.api.http) = {
      get: "/zitadel/docs"
    };
  }

  // GetIam returns some needed settings of the iam (Global Organisation ID, Zitadel Project ID)
  rpc GetIam(google.protobuf.Empty) returns (Iam) {
    option (google.api.http) = {
      get: "/iam"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "authenticated"
    };
  }

  rpc IsUserUnique(UniqueUserRequest) returns (UniqueUserResponse) {
    option (google.api.http) = {
      get: "/users/_isunique"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.read"
    };
  }

rpc GetUserByID(UserID) returns (UserView) {
    option (google.api.http) = {
      get: "/users/{id}"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.read"
    };
  }

  // GetUserByLoginNameGlobal returns User, global search is overall organisations
  rpc GetUserByLoginNameGlobal(LoginName) returns (UserView) {
    option (google.api.http) = {
      get: "/global/users/_byloginname"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.global.read"
    };
  }

  // Limit should always be set, there is a default limit set by the service
  rpc SearchUsers(UserSearchRequest) returns (UserSearchResponse) {
    option (google.api.http) = {
      post: "/users/_search"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.read"
    };
  }

  rpc CreateUser(CreateUserRequest) returns (UserResponse) {
    option (google.api.http) = {
      post: "/users"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.write"
    };
  }

  rpc DeactivateUser(UserID) returns (UserResponse) {
    option (google.api.http) = {
      put: "/users/{id}/_deactivate"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.write"
    };
  }

  rpc ReactivateUser(UserID) returns (UserResponse) {
    option (google.api.http) = {
      put: "/users/{id}/_reactivate"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.write"
    };
  }

  rpc LockUser(UserID) returns (UserResponse) {
    option (google.api.http) = {
      put: "/users/{id}/_lock"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.write"
    };
  }

  rpc UnlockUser(UserID) returns (UserResponse) {
    option (google.api.http) = {
      put: "/users/{id}/_unlock"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.write"
    };
  }

  rpc DeleteUser(UserID) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/users/{id}"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.delete"
    };
  }

  // UserChanges returns the event stream of the user object
  rpc UserChanges(ChangeRequest) returns (Changes) {
    option (google.api.http) = {
      get: "/users/{id}/changes"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.read"
    };
  }

  rpc AddMachineKey(AddMachineKeyRequest) returns (AddMachineKeyResponse) {
    option (google.api.http) = {
      post: "/users/{user_id}/keys"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.write"
    };
  }

  rpc DeleteMachineKey(MachineKeyIDRequest) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/users/{user_id}/keys/{key_id}"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.write"
    };
  }

  rpc SearchMachineKeys(MachineKeySearchRequest) returns (MachineKeySearchResponse) {
    option (google.api.http) = {
      post: "/users/{user_id}/keys/_search"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.read"
    };
  }

  rpc GetMachineKey(MachineKeyIDRequest) returns (MachineKeyView) {
    option (google.api.http) = {
      get: "/users/{user_id}/keys/{key_id}"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.read"
    };
  }

  rpc GetUserProfile(UserID) returns (UserProfileView) {
    option (google.api.http) = {
      get: "/users/{id}/profile"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.read"
    };
  }

  rpc UpdateUserProfile(UpdateUserProfileRequest) returns (UserProfile) {
    option (google.api.http) = {
      put: "/users/{id}/profile"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.write"
    };
  }

  rpc GetUserEmail(UserID) returns (UserEmailView) {
    option (google.api.http) = {
      get: "/users/{id}/email"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.read"
    };
  }

  rpc ChangeUserUserName(UpdateUserUserNameRequest) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      get: "/users/{id}/username"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.write"
    };
  }

  rpc ChangeUserEmail(UpdateUserEmailRequest) returns (UserEmail) {
    option (google.api.http) = {
      put: "/users/{id}/email"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.write"
    };
  }

  rpc ResendEmailVerificationMail(UserID) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      post: "/users/{id}/email/_resendverification"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.write"
    };
  }

  rpc GetUserPhone(UserID) returns (UserPhoneView) {
    option (google.api.http) = {
      get: "/users/{id}/phone"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.read"
    };
  }

  rpc ChangeUserPhone(UpdateUserPhoneRequest) returns (UserPhone) {
    option (google.api.http) = {
      put: "/users/{id}/phone"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.write"
    };
  }

  rpc RemoveUserPhone(UserID) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/users/{id}/phone"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.write"
    };
  }

  rpc ResendPhoneVerificationCode(UserID) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      post: "/users/{id}/phone/_resendverification"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.write"
    };
  }

  rpc GetUserAddress(UserID) returns (UserAddressView) {
    option (google.api.http) = {
      get: "/users/{id}/address"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.read"
    };
  }

  rpc UpdateUserAddress(UpdateUserAddressRequest) returns (UserAddress) {
    option (google.api.http) = {
      put: "/users/{id}/address"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.write"
    };
  }

  rpc UpdateUserMachine(UpdateMachineRequest) returns (MachineResponse) {
    option (google.api.http) = {
      put: "/users/{id}/machine"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.write"
    };
  }

  rpc SearchUserExternalIDPs(ExternalIDPSearchRequest) returns (ExternalIDPSearchResponse) {
    option (google.api.http) = {
      post: "/users/{user_id}/externalidps/_search"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.read"
    };
  }

  rpc RemoveExternalIDP(ExternalIDPRemoveRequest) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/users/{user_id}/externalidps/{idp_config_id}/{external_user_id}"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.write"
    };
  }

  rpc GetUserMfas(UserID) returns (MultiFactors) {
    option (google.api.http) = {
      get: "/users/{id}/mfas"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.read"
    };
  }

  // Sends an Notification (Email/SMS) with a password reset Link
  rpc SendSetPasswordNotification(SetPasswordNotificationRequest) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      post: "/users/{id}/password/_sendsetnotification"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.write"
    };
  }

  // A Manager is only allowed to set an initial password, on the next login the user has to change his password
  rpc SetInitialPassword(PasswordRequest) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      post: "/users/{id}/password/_initialize"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.write"
    };
  }

  rpc SearchUserMemberships(UserMembershipSearchRequest) returns (UserMembershipSearchResponse) {
    option (google.api.http) = {
      post: "/users/{user_id}/memberships/_search"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.membership.read"
    };
  }

  rpc CreateOrg(OrgCreateRequest) returns (Org) {
    option (google.api.http) = {
      post: "/orgs"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "org.create"
    };
  }

  // OrgChanges returns the event stream of the org object
  rpc OrgChanges(ChangeRequest) returns (Changes) {
    option (google.api.http) = {
      get: "/orgs/{id}/changes"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "org.read"
    };
  }

  rpc GetMyOrg(google.protobuf.Empty) returns (OrgView) {
    option (google.api.http) = {
      get: "/orgs/me"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "org.read"
    };
  }

  // search a organisation by its domain overall organisations
  rpc GetOrgByDomainGlobal(Domain) returns (OrgView) {
    option (google.api.http) = {
      get: "/global/orgs/_bydomain"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "org.global.read"
    };
  }

  rpc DeactivateMyOrg(google.protobuf.Empty) returns (Org) {
    option (google.api.http) = {
      put: "/orgs/me/_deactivate"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "org.write"
    };
  }

  rpc ReactivateMyOrg(google.protobuf.Empty) returns (Org) {
    option (google.api.http) = {
      put: "/orgs/me/_reactivate"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "org.write"
    };
  }

  rpc SearchMyOrgDomains(OrgDomainSearchRequest) returns (OrgDomainSearchResponse) {
    option (google.api.http) = {
      post: "/orgs/me/domains/_search"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "org.read"
    };
  }

  rpc AddMyOrgDomain(AddOrgDomainRequest) returns (OrgDomain) {
    option (google.api.http) = {
      post: "/orgs/me/domains"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "org.write"
    };
  }

  rpc GenerateMyOrgDomainValidation(OrgDomainValidationRequest) returns (OrgDomainValidationResponse) {
    option (google.api.http) = {
      post: "/orgs/me/domains/{domain}/validation/create"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "org.write"
    };
  }

  rpc ValidateMyOrgDomain(ValidateOrgDomainRequest) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      post: "/orgs/me/domains/{domain}/validation/check"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "org.write"
    };
  }

  rpc SetMyPrimaryOrgDomain(PrimaryOrgDomainRequest) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      post: "/orgs/me/domains/{domain}/_primary"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "org.write"
    };
  }

  rpc RemoveMyOrgDomain(RemoveOrgDomainRequest) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/orgs/me/domains/{domain}"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "org.write"
    };
  }

  rpc GetMyOrgIamPolicy(google.protobuf.Empty) returns (OrgIamPolicyView) {
    option (google.api.http) = {
      get: "/orgs/me/iampolicy"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "authenticated"
    };
  }

  rpc GetOrgMemberRoles(google.protobuf.Empty) returns (OrgMemberRoles) {
    option (google.api.http) = {
      get: "/orgs/members/roles"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "org.member.read"
    };
  }

  rpc AddMyOrgMember(AddOrgMemberRequest) returns (OrgMember) {
    option (google.api.http) = {
      post: "/orgs/me/members"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "org.member.write"
    };
  }

  rpc ChangeMyOrgMember(ChangeOrgMemberRequest) returns (OrgMember) {
    option (google.api.http) = {
      put: "/orgs/me/members/{user_id}"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "org.member.write"
    };
  }

  rpc RemoveMyOrgMember(RemoveOrgMemberRequest) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/orgs/me/members/{user_id}"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "org.member.delete"
    };
  }

  rpc SearchMyOrgMembers(OrgMemberSearchRequest) returns (OrgMemberSearchResponse) {
    option (google.api.http) = {
      post: "/orgs/me/members/_search"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "org.member.read"
    };
  }

  // ProjectChanges returns the event stream of the project object
  rpc ProjectChanges(ChangeRequest) returns (Changes) {
    option (google.api.http) = {
      get: "/projects/{id}/changes"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.read"
    };
  }

  rpc SearchProjects(ProjectSearchRequest) returns (ProjectSearchResponse) {
    option (google.api.http) = {
      post: "/projects/_search"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.read"
    };
  }

  rpc ProjectByID(ProjectID) returns (ProjectView) {
    option (google.api.http) = {
      get: "/projects/{id}"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.read"
      check_field_name: "Id"
    };
  }

  rpc CreateProject(ProjectCreateRequest) returns (Project) {
    option (google.api.http) = {
      post: "/projects"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.create"
    };
  }

  rpc UpdateProject(ProjectUpdateRequest) returns (Project) {
    option (google.api.http) = {
      put: "/projects/{id}"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.write"
      check_field_name: "Id"
    };
  }

  rpc DeactivateProject(ProjectID) returns (Project) {
    option (google.api.http) = {
      put: "/projects/{id}/_deactivate"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.write"
      check_field_name: "Id"
    };
  }

  rpc ReactivateProject(ProjectID) returns (Project) {
    option (google.api.http) = {
      put: "/projects/{id}/_reactivate"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.write"
      check_field_name: "Id"
    };
  }

  rpc RemoveProject(ProjectID) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/projects/{id}"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.delete"
      check_field_name: "Id"
    };
  }

  // returns all projects my organisation got granted from another organisation
  rpc SearchGrantedProjects(GrantedProjectSearchRequest) returns (ProjectGrantSearchResponse) {
    option (google.api.http) = {
      post: "/grantedprojects/_search"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.read"
    };
  }

  // returns a project my organisation got granted from another organisation
  rpc GetGrantedProjectByID(ProjectGrantID) returns (ProjectGrantView) {
    option (google.api.http) = {
      get: "/grantedprojects/{project_id}/grants/{id}"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.read"
    };
  }

  rpc GetProjectMemberRoles(google.protobuf.Empty) returns (ProjectMemberRoles) {
    option (google.api.http) = {
      get: "/projects/members/roles"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.member.read"
    };
  }

  rpc SearchProjectMembers(ProjectMemberSearchRequest) returns (ProjectMemberSearchResponse) {
    option (google.api.http) = {
      post: "/projects/{project_id}/members/_search"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.member.read"
      check_field_name: "ProjectId"
    };
  }

  rpc AddProjectMember(ProjectMemberAdd) returns (ProjectMember) {
    option (google.api.http) = {
      post: "/projects/{id}/members"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.member.write"
      check_field_name: "Id"
    };
  }

  rpc ChangeProjectMember(ProjectMemberChange) returns (ProjectMember) {
    option (google.api.http) = {
      put: "/projects/{id}/members/{user_id}"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.member.write"
      check_field_name: "Id"
    };
  }

  rpc RemoveProjectMember(ProjectMemberRemove) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/projects/{id}/members/{user_id}"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.member.delete"
      check_field_name: "Id"
    };
  }

  rpc SearchProjectRoles(ProjectRoleSearchRequest) returns (ProjectRoleSearchResponse) {
    option (google.api.http) = {
      post: "/projects/{project_id}/roles/_search"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.role.read"
      check_field_name: "ProjectId"
    };
  }

  rpc AddProjectRole(ProjectRoleAdd) returns (ProjectRole) {
    option (google.api.http) = {
      post: "/projects/{id}/roles"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.role.write"
      check_field_name: "Id"
    };
  }

  // add a list of project roles in one request
  rpc BulkAddProjectRole(ProjectRoleAddBulk) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      post: "/projects/{id}/roles/_bulk"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.role.write"
      check_field_name: "Id"
    };
  }

  rpc ChangeProjectRole(ProjectRoleChange) returns (ProjectRole) {
    option (google.api.http) = {
      put: "/projects/{id}/roles/{key}"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.role.write"
      check_field_name: "Id"
    };
  }

  // RemoveProjectRole removes role from UserGrants, ProjectGrants and from Project
  rpc RemoveProjectRole(ProjectRoleRemove) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/projects/{id}/roles/{key}"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.role.delete"
      check_field_name: "Id"
    };
  }

  rpc SearchApplications(ApplicationSearchRequest) returns (ApplicationSearchResponse) {
    option (google.api.http) = {
      post: "/projects/{project_id}/applications/_search"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.app.read"
      check_field_name: "ProjectId"
    };
  }

  rpc ApplicationByID(ApplicationID) returns (ApplicationView) {
    option (google.api.http) = {
      get: "/projects/{project_id}/applications/{id}"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.app.read"
      check_field_name: "ProjectId"
    };
  }

  // ApplicationChanges returns the event stream of the application object
  rpc ApplicationChanges(ChangeRequest) returns (Changes) {
    option (google.api.http) = {
      get: "/projects/{id}/applications/{sec_id}/changes"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.app.read"
    };
  }

  rpc CreateOIDCApplication(OIDCApplicationCreate) returns (Application) {
    option (google.api.http) = {
      post: "/projects/{project_id}/applications/oidc"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.app.write"
      check_field_name: "ProjectId"
    };
  }

  rpc UpdateApplication(ApplicationUpdate) returns (Application) {
    option (google.api.http) = {
      put: "/projects/{project_id}/applications/{id}"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.app.write"
      check_field_name: "ProjectId"
    };
  }

  rpc DeactivateApplication(ApplicationID) returns (Application) {
    option (google.api.http) = {
      put: "/projects/{project_id}/applications/{id}/_deactivate"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.app.write"
      check_field_name: "ProjectId"
    };
  }

  rpc ReactivateApplication(ApplicationID) returns (Application) {
    option (google.api.http) = {
      put: "/projects/{project_id}/applications/{id}/_reactivate"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.app.write"
      check_field_name: "ProjectId"
    };
  }

  rpc RemoveApplication(ApplicationID) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/projects/{project_id}/applications/{id}"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.app.delete"
      check_field_name: "ProjectId"
    };
  }

  rpc UpdateApplicationOIDCConfig(OIDCConfigUpdate) returns (OIDCConfig) {
    option (google.api.http) = {
      put: "/projects/{project_id}/applications/{application_id}/oidcconfig"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.app.write"
      check_field_name: "ProjectId"
    };
  }

  rpc RegenerateOIDCClientSecret(ApplicationID) returns (ClientSecret) {
    option (google.api.http) = {
      put: "/projects/{project_id}/applications/{id}/oidcconfig/_changeclientsecret"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.app.write"
      check_field_name: "ProjectId"
    };
  }

  rpc SearchProjectGrants(ProjectGrantSearchRequest) returns (ProjectGrantSearchResponse) {
    option (google.api.http) = {
      post: "/projects/{project_id}/grants/_search"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.grant.read"
      check_field_name: "ProjectId"
    };
  }

  rpc ProjectGrantByID(ProjectGrantID) returns (ProjectGrantView) {
    option (google.api.http) = {
      get: "/projects/{project_id}/grants/{id}"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.grant.read"
    };
  }

  rpc CreateProjectGrant(ProjectGrantCreate) returns (ProjectGrant) {
    option (google.api.http) = {
      post: "/projects/{project_id}/grants"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.grant.write"
    };
  }

  rpc UpdateProjectGrant(ProjectGrantUpdate) returns (ProjectGrant) {
    option (google.api.http) = {
      put: "/projects/{project_id}/grants/{id}"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.grant.write"
    };
  }

  rpc DeactivateProjectGrant(ProjectGrantID) returns (ProjectGrant) {
    option (google.api.http) = {
      put: "/projects/{project_id}/grants/{id}/_deactivate"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.grant.write"
    };
  }

  rpc ReactivateProjectGrant(ProjectGrantID) returns (ProjectGrant) {
    option (google.api.http) = {
      put: "/projects/{project_id}/grants/{id}/_reactivate"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.grant.write"
    };
  }

  // RemoveProjectGrant removes project grant and all user grants for this project grant
  rpc RemoveProjectGrant(ProjectGrantID) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/projects/{project_id}/grants/{id}"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.grant.delete"
    };
  }

  rpc GetProjectGrantMemberRoles(google.protobuf.Empty) returns (ProjectGrantMemberRoles) {
    option (google.api.http) = {
      get: "/projects/grants/members/roles"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.grant.member.read"
    };
  }

  rpc SearchProjectGrantMembers(ProjectGrantMemberSearchRequest) returns (ProjectGrantMemberSearchResponse) {
    option (google.api.http) = {
      post: "/projects/{project_id}/grants/{grant_id}/members/_search"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.grant.member.read"
    };
  }

  rpc AddProjectGrantMember(ProjectGrantMemberAdd) returns (ProjectGrantMember) {
    option (google.api.http) = {
      post: "/projects/{project_id}/grants/{grant_id}/members"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.grant.member.write"
    };
  }

  rpc ChangeProjectGrantMember(ProjectGrantMemberChange) returns (ProjectGrantMember) {
    option (google.api.http) = {
      put: "/projects/{project_id}/grants/{grant_id}/members/{user_id}"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.grant.member.write"
    };
  }

  rpc RemoveProjectGrantMember(ProjectGrantMemberRemove) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/projects/{project_id}/grants/{grant_id}/members/{user_id}"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "project.grant.member.delete"
    };
  }

  rpc SearchUserGrants(UserGrantSearchRequest) returns (UserGrantSearchResponse) {
    option (google.api.http) = {
      post: "/users/grants/_search"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.grant.read"
    };
  }

  rpc UserGrantByID(UserGrantID) returns (UserGrantView) {
    option (google.api.http) = {
      get: "/users/{user_id}/grants/{id}"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.grant.read"
    };
  }

  rpc CreateUserGrant(UserGrantCreate) returns (UserGrant) {
    option (google.api.http) = {
      post: "/users/{user_id}/grants"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.grant.write"
    };
  }

  rpc UpdateUserGrant(UserGrantUpdate) returns (UserGrant) {
    option (google.api.http) = {
      put: "/users/{user_id}/grants/{id}"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.grant.write"
    };
  }

  rpc DeactivateUserGrant(UserGrantID) returns (UserGrant) {
    option (google.api.http) = {
      put: "/users/{user_id}/grants/{id}/_deactivate"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.grant.write"
    };
  }

  rpc ReactivateUserGrant(UserGrantID) returns (UserGrant) {
    option (google.api.http) = {
      put: "/users/{user_id}/grants/{id}/_reactivate"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.grant.write"
    };
  }

  rpc RemoveUserGrant(UserGrantID) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/users/{user_id}/grants/{id}"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "user.grant.delete"
    };
  }

  // remove a list of user grants in one request
  rpc BulkRemoveUserGrant(UserGrantRemoveBulk) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/usersgrants/_bulk"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
        permission: "user.grant.delete"
    };
  }

  rpc IdpByID(IdpID) returns (IdpView) {
    option (google.api.http) = {
        get: "/orgs/me/idps/{id}"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
        permission: "org.idp.read"
    };
  }

  rpc CreateOidcIdp(OidcIdpConfigCreate) returns (Idp) {
    option (google.api.http) = {
        post: "/orgs/me/idps/oidc"
        body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
        permission: "org.idp.write"
    };
  }

  rpc UpdateIdpConfig(IdpUpdate) returns (Idp) {
    option (google.api.http) = {
        put: "/orgs/me/idps/{id}"
        body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
        permission: "org.idp.write"
    };
  }

  rpc DeactivateIdpConfig(IdpID) returns (Idp) {
    option (google.api.http) = {
        put: "/orgs/me/idps/{id}/_deactivate"
        body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
        permission: "org.idp.write"
    };
  }

  rpc ReactivateIdpConfig(IdpID) returns (Idp) {
    option (google.api.http) = {
        put: "/orgs/me/idps/{id}/_reactivate"
        body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
        permission: "org.idp.write"
    };
  }

  rpc RemoveIdpConfig(IdpID) returns (google.protobuf.Empty) {
    option (google.api.http) = {
        delete: "/orgs/me/idps/{id}"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
        permission: "org.idp.write"
    };
  }

  rpc UpdateOidcIdpConfig(OidcIdpConfigUpdate) returns (OidcIdpConfig) {
    option (google.api.http) = {
        put: "/orgs/me/idps/{idp_id}/oidcconfig"
        body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
        permission: "org.idp.write"
    };
  }

  rpc SearchIdps(IdpSearchRequest) returns (IdpSearchResponse) {
    option (google.api.http) = {
        post: "/orgs/me/idps/_search"
        body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
        permission: "org.idp.read"
    };
  }

  rpc GetLoginPolicy(google.protobuf.Empty) returns (LoginPolicyView) {
    option (google.api.http) = {
      get: "/orgs/me/policies/login"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "policy.read"
    };
  }

  rpc GetDefaultLoginPolicy(google.protobuf.Empty) returns (LoginPolicyView) {
    option (google.api.http) = {
      get: "/orgs/default/policies/login"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "policy.read"
    };
  }

  rpc CreateLoginPolicy(LoginPolicyRequest) returns (LoginPolicy) {
    option (google.api.http) = {
      post: "/orgs/me/policies/login"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "policy.write"
    };
  }

  rpc UpdateLoginPolicy(LoginPolicyRequest) returns (LoginPolicy) {
    option (google.api.http) = {
      put: "/orgs/me/policies/login"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "policy.write"
    };
  }

  rpc RemoveLoginPolicy(google.protobuf.Empty) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/orgs/me/policies/login"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "policy.delete"
    };
  }

  rpc GetLoginPolicyIdpProviders(IdpProviderSearchRequest) returns (IdpProviderSearchResponse) {
    option (google.api.http) = {
      post: "/orgs/me/policies/login/idpproviders/_search"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "policy.read"
    };
  }

  rpc AddIdpProviderToLoginPolicy(IdpProviderAdd) returns (IdpProvider) {
    option (google.api.http) = {
      post: "/orgs/me/policies/login/idpproviders"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "policy.write"
    };
  }

  rpc RemoveIdpProviderFromLoginPolicy(IdpProviderID) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/orgs/me/policies/login/idpproviders/{idp_config_id}"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "policy.write"
    };
  }

  rpc GetPasswordComplexityPolicy(google.protobuf.Empty) returns (PasswordComplexityPolicyView) {
    option (google.api.http) = {
      get: "/orgs/me/policies/password/complexity"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "policy.read"
    };
  }

  rpc GetDefaultPasswordComplexityPolicy(google.protobuf.Empty) returns (PasswordComplexityPolicyView) {
    option (google.api.http) = {
      get: "/orgs/default/policies/password/complexity"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "policy.read"
    };
  }

  rpc CreatePasswordComplexityPolicy(PasswordComplexityPolicyRequest) returns (PasswordComplexityPolicy) {
    option (google.api.http) = {
      post: "/orgs/me/policies/password/complexity"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "policy.write"
    };
  }

  rpc UpdatePasswordComplexityPolicy(PasswordComplexityPolicyRequest) returns (PasswordComplexityPolicy) {
    option (google.api.http) = {
      put: "/orgs/me/policies/password/complexity"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "policy.write"
    };
  }

  rpc RemovePasswordComplexityPolicy(google.protobuf.Empty) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/orgs/me/policies/password/complexity"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "policy.delete"
    };
  }

  rpc GetPasswordAgePolicy(google.protobuf.Empty) returns (PasswordAgePolicyView) {
    option (google.api.http) = {
      get: "/orgs/me/policies/password/age"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "policy.read"
    };
  }

  rpc GetDefaultPasswordAgePolicy(google.protobuf.Empty) returns (PasswordAgePolicyView) {
    option (google.api.http) = {
      get: "/orgs/default/policies/password/age"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "policy.read"
    };
  }

  rpc CreatePasswordAgePolicy(PasswordAgePolicyRequest) returns (PasswordAgePolicy) {
    option (google.api.http) = {
      post: "/orgs/me/policies/password/age"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "policy.write"
    };
  }

  rpc UpdatePasswordAgePolicy(PasswordAgePolicyRequest) returns (PasswordAgePolicy) {
    option (google.api.http) = {
      put: "/orgs/me/policies/password/age"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "policy.write"
    };
  }

  rpc RemovePasswordAgePolicy(google.protobuf.Empty) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/orgs/me/policies/password/age"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "policy.delete"
    };
  }

  rpc GetPasswordLockoutPolicy(google.protobuf.Empty) returns (PasswordLockoutPolicyView) {
    option (google.api.http) = {
      get: "/orgs/me/policies/password/lockout"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "policy.read"
    };
  }

  rpc GetDefaultPasswordLockoutPolicy(google.protobuf.Empty) returns (PasswordLockoutPolicyView) {
    option (google.api.http) = {
      get: "/orgs/default/policies/password/lockout"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "policy.read"
    };
  }

  rpc CreatePasswordLockoutPolicy(PasswordLockoutPolicyRequest) returns (PasswordLockoutPolicy) {
    option (google.api.http) = {
      post: "/orgs/me/policies/password/lockout"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "policy.write"
    };
  }

  rpc UpdatePasswordLockoutPolicy(PasswordLockoutPolicyRequest) returns (PasswordLockoutPolicy) {
    option (google.api.http) = {
      put: "/orgs/me/policies/password/lockout"
      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "policy.write"
    };
  }

  rpc RemovePasswordLockoutPolicy(google.protobuf.Empty) returns (google.protobuf.Empty) {
    option (google.api.http) = {
      delete: "/orgs/me/policies/password/lockout"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
      permission: "policy.delete"
    };
  }
}

message ZitadelDocs {
  string issuer = 1;
  string discovery_endpoint = 2;
}

message Iam {
  string global_org_id = 1;
  string iam_project_id = 2;
  IamSetupStep set_up_done = 3;
  IamSetupStep set_up_started = 4;
}

enum IamSetupStep {
  iam_setup_step_UNDEFINED = 0;
  iam_setup_step_1 = 1;
  iam_setup_step_2 = 2;
}

message ChangeRequest {
  string id = 1;
  string sec_id = 2;
  uint64 limit = 3;
  uint64 sequence_offset = 4;
  bool asc = 5;
}

message Changes {
  repeated Change changes = 1;
  uint64 offset = 2;
  uint64 limit = 3;
}

message Change {
  google.protobuf.Timestamp change_date = 1;
  caos.zitadel.api.v1.LocalizedMessage event_type = 2;
  uint64 sequence = 3;
  string editor_id = 4;
  string editor = 5;
  google.protobuf.Struct data = 6;
}

message ApplicationID {
  string id = 1 [(validate.rules).string.min_len = 1];
  string project_id = 2 [(validate.rules).string.min_len = 1];
}

message ProjectID {
  string id = 1 [(validate.rules).string.min_len = 1];
}

message UserID {
  string id = 1 [(validate.rules).string.min_len = 1];
}

message LoginName {
  string login_name = 1 [(validate.rules).string.min_len = 1];
}

message UniqueUserRequest {
  string user_name = 1 [(validate.rules).string.pattern = "^[^[:space:]]{1,200}$"];
  string email = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
}

message UniqueUserResponse {
  bool is_unique = 1;
}

message CreateUserRequest {
  string user_name = 1 [(validate.rules).string.pattern = "^[^[:space:]]{1,200}$"];

  oneof user {
    option (validate.required) = true;

    CreateHumanRequest human = 2;
    CreateMachineRequest machine = 3;
  }
}

message CreateHumanRequest {
  string first_name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
  string last_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
  string nick_name = 3 [(validate.rules).string = {max_len: 200}];
  string preferred_language = 4 [(validate.rules).string = {max_len: 200}];
  Gender gender = 5;
  string email = 6 [(validate.rules).string = {min_len: 1, max_len: 200, email: true}];
  bool is_email_verified = 7;
  string phone = 8 [(validate.rules).string = {max_len: 20}];
  bool is_phone_verified = 9;
  string country = 10 [(validate.rules).string = {max_len: 200}];
  string locality = 11 [(validate.rules).string = {max_len: 200}];
  string postal_code = 12 [(validate.rules).string = {max_len: 200}];
  string region = 13 [(validate.rules).string = {max_len: 200}];
  string street_address = 14 [(validate.rules).string = {max_len: 200}];
  string password = 15 [(validate.rules).string = {max_len: 72}];
}

message CreateMachineRequest {
  string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
  string description = 2 [(validate.rules).string.max_len = 500];
}

message UserResponse {
  string id = 1;
  UserState state = 2;
  google.protobuf.Timestamp creation_date = 3;
  google.protobuf.Timestamp change_date = 4;
  uint64 sequence = 5;
  string user_name = 6;

  oneof user {
    option (validate.required) = true;

    HumanResponse human = 7;
    MachineResponse machine = 8;
  }
}

enum UserState {
  USERSTATE_UNSPECIFIED = 0;
  USERSTATE_ACTIVE = 1;
  USERSTATE_INACTIVE = 2;
  USERSTATE_DELETED = 3;
  USERSTATE_LOCKED = 4;
  USERSTATE_SUSPEND = 5;
  USERSTATE_INITIAL = 6;
}

enum Gender {
  GENDER_UNSPECIFIED = 0;
  GENDER_FEMALE = 1;
  GENDER_MALE = 2;
  GENDER_DIVERSE = 3;
}

message UserView {
  string id = 1;
  UserState state = 2;
  google.protobuf.Timestamp creation_date = 3;
  google.protobuf.Timestamp change_date = 4;
  uint64 sequence = 5;
  repeated string login_names = 6;
  string preferred_login_name = 7;
  google.protobuf.Timestamp last_login = 8;
  string resource_owner = 9;
  string user_name = 10;

  oneof user {
    option (validate.required) = true;

    HumanView human = 11;
    MachineView machine = 12;
  }
}

message HumanResponse {
  string first_name = 1;
  string last_name = 2;
  string display_name = 3;
  string nick_name = 4;
  string preferred_language = 5;
  Gender gender = 6;
  string email = 7;
  bool is_email_verified = 8;
  string phone = 9;
  bool is_phone_verified = 10;
  string country = 11;
  string locality = 12;
  string postal_code = 13;
  string region = 14;
  string street_address = 15;
}

message HumanView {
  google.protobuf.Timestamp password_changed = 1;
  string first_name = 2;
  string last_name = 3;
  string display_name = 4;
  string nick_name = 5;
  string preferred_language = 6;
  Gender gender = 7;
  string email = 8;
  bool is_email_verified = 9;
  string phone = 10;
  bool is_phone_verified = 11;
  string country = 12;
  string locality = 13;
  string postal_code = 14;
  string region = 15;
  string street_address = 16;
}

message MachineResponse {
  string name = 1;
  string description = 2;
}

message MachineView {
  google.protobuf.Timestamp last_key_added = 1;
  string name = 2;
  string description = 3;
}

message UpdateMachineRequest {
  string id = 1 [(validate.rules).string.min_len = 1];
  string description = 2 [(validate.rules).string.max_len = 500];
}

message AddMachineKeyRequest {
  string user_id = 1 [(validate.rules).string.min_len = 1];
  MachineKeyType type = 2 [(validate.rules).enum = {not_in: [0]}];
  google.protobuf.Timestamp expiration_date = 3;
}

message AddMachineKeyResponse {
  string id = 1;
  google.protobuf.Timestamp creation_date = 2;
  uint64 sequence = 3;

  MachineKeyType type = 4;
  google.protobuf.Timestamp expiration_date = 5;
  bytes key_details = 6;
}

message MachineKeyIDRequest {
  string user_id = 1 [(validate.rules).string.min_len = 1];
  string key_id = 2 [(validate.rules).string.min_len = 1];
}

message MachineKeyView {
  string id = 1;
  MachineKeyType type = 2;
  uint64 sequence = 3;

  google.protobuf.Timestamp creation_date = 4;
  google.protobuf.Timestamp expiration_date = 5;
}

enum MachineKeyType {
  MACHINEKEY_UNSPECIFIED = 0;
  MACHINEKEY_JSON = 1;
}

message MachineKeySearchRequest {
  uint64 offset = 1;
  uint64 limit = 2;
  bool asc = 3;
  string user_id = 4 [(validate.rules).string.min_len = 1];
}

message MachineKeySearchResponse {
  uint64 offset = 1;
  uint64 limit = 2;
  uint64 total_result = 3;
  repeated MachineKeyView result = 4;
  uint64 processed_sequence = 5;
  google.protobuf.Timestamp view_timestamp = 6;
}

message UserSearchRequest {
  uint64 offset = 1;
  uint64 limit = 2;
  UserSearchKey sorting_column = 3;
  bool asc = 4;
  repeated UserSearchQuery queries = 5;
}

message UserSearchQuery {
  UserSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];
  SearchMethod method = 2;
  string value = 3;
}

enum UserSearchKey {
  USERSEARCHKEY_UNSPECIFIED = 0;
  USERSEARCHKEY_USER_NAME = 1;
  USERSEARCHKEY_FIRST_NAME = 2;
  USERSEARCHKEY_LAST_NAME = 3;
  USERSEARCHKEY_NICK_NAME = 4;
  USERSEARCHKEY_DISPLAY_NAME = 5;
  USERSEARCHKEY_EMAIL = 6;
  USERSEARCHKEY_STATE = 7;
  USERSEARCHKEY_TYPE = 8;
}

message UserSearchResponse {
  uint64 offset = 1;
  uint64 limit = 2;
  uint64 total_result = 3;
  repeated UserView result = 4;
  uint64 processed_sequence = 5;
  google.protobuf.Timestamp view_timestamp = 6;
}

enum SearchMethod {
  SEARCHMETHOD_EQUALS = 0;
  SEARCHMETHOD_STARTS_WITH = 1;
  SEARCHMETHOD_CONTAINS = 2;
  SEARCHMETHOD_EQUALS_IGNORE_CASE = 3;
  SEARCHMETHOD_STARTS_WITH_IGNORE_CASE = 4;
  SEARCHMETHOD_CONTAINS_IGNORE_CASE = 5;
  SEARCHMETHOD_NOT_EQUALS = 6;
  SEARCHMETHOD_GREATER_THAN = 7;
  SEARCHMETHOD_LESS_THAN = 8;
  SEARCHMETHOD_IS_ONE_OF = 9;
  SEARCHMETHOD_LIST_CONTAINS = 10;
}

message UserProfile {
  string id = 1;
  string first_name = 2;
  string last_name = 3;
  string nick_name = 4;
  string display_name = 5;
  string preferred_language = 6;
  Gender gender = 7;
  uint64 sequence = 8;
  google.protobuf.Timestamp creation_date = 9;
  google.protobuf.Timestamp change_date = 10;
}

message UserProfileView {
  string id = 1;
  string first_name = 2;
  string last_name = 3;
  string nick_name = 4;
  string display_name = 5;
  string preferred_language = 6;
  Gender gender = 7;
  uint64 sequence = 8;
  google.protobuf.Timestamp creation_date = 9;
  google.protobuf.Timestamp change_date = 10;
  repeated string login_names = 11;
  string preferred_login_name = 12;
}

message UpdateUserProfileRequest {
  string id = 1;
  string first_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
  string last_name = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
  string nick_name = 4 [(validate.rules).string = {max_len: 200}];
  string preferred_language = 5 [(validate.rules).string = {max_len: 200}];
  Gender gender = 6;
}

message UpdateUserUserNameRequest {
  string id = 1;
  string user_name = 2 [(validate.rules).string.pattern = "^[^[:space:]]{1,200}$"];
}

message UserEmail {
  string id = 1;
  string email = 2;
  bool is_email_verified = 3;
  uint64 sequence = 4;
  google.protobuf.Timestamp creation_date = 5;
  google.protobuf.Timestamp change_date = 6;
}

message UserEmailView {
  string id = 1;
  string email = 2;
  bool is_email_verified = 3;
  uint64 sequence = 4;
  google.protobuf.Timestamp creation_date = 5;
  google.protobuf.Timestamp change_date = 6;
}

message UpdateUserEmailRequest {
  string id = 1;
  string email = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
  bool is_email_verified = 3;
}

message UserPhone {
  string id = 1;
  string phone = 2;
  bool is_phone_verified = 3;
  uint64 sequence = 5;
  google.protobuf.Timestamp creation_date = 6;
  google.protobuf.Timestamp change_date = 7;
}

message UserPhoneView {
  string id = 1;
  string phone = 2;
  bool is_phone_verified = 3;
  uint64 sequence = 5;
  google.protobuf.Timestamp creation_date = 6;
  google.protobuf.Timestamp change_date = 7;
}

message UpdateUserPhoneRequest {
  string id = 1 [(validate.rules).string.min_len = 1];
  string phone = 2 [(validate.rules).string = {min_len: 1, max_len: 20}];
  bool is_phone_verified = 3;
}

message UserAddress {
  string id = 1;
  string country = 2;
  string locality = 3;
  string postal_code = 4;
  string region = 5;
  string street_address = 6;
  uint64 sequence = 7;
  google.protobuf.Timestamp creation_date = 8;
  google.protobuf.Timestamp change_date = 9;
}

message UserAddressView { 
  string id = 1;
  string country = 2;
  string locality = 3;
  string postal_code = 4;
  string region = 5;
  string street_address = 6;
  uint64 sequence = 7;
  google.protobuf.Timestamp creation_date = 8;
  google.protobuf.Timestamp change_date = 9;
}

message UpdateUserAddressRequest {
  string id = 1 [(validate.rules).string.min_len = 1];
  string country = 2 [(validate.rules).string = {max_len: 200}];
  string locality = 3 [(validate.rules).string = {max_len: 200}];
  string postal_code = 4 [(validate.rules).string = {max_len: 200}];
  string region = 5 [(validate.rules).string = {max_len: 200}];
  string street_address = 6 [(validate.rules).string = {max_len: 200}];
}

message MultiFactors {
  repeated MultiFactor mfas = 1;
}

message MultiFactor {
  MfaType type = 1;
  MFAState state = 2;
}

enum MfaType {
  MFATYPE_UNSPECIFIED = 0;
  MFATYPE_SMS = 1;
  MFATYPE_OTP = 2;
}

enum MFAState {
  MFASTATE_UNSPECIFIED = 0;
  MFASTATE_NOT_READY = 1;
  MFASTATE_READY = 2;
  MFASTATE_REMOVED = 3;
}

message PasswordRequest {
  string id = 1 [(validate.rules).string.min_len = 1];
  string password = 2 [(validate.rules).string = {min_len: 1, max_len: 72}];
}

message SetPasswordNotificationRequest {
  string id = 1 [(validate.rules).string.min_len = 1];
  NotificationType type = 2;
}

enum NotificationType {
  NOTIFICATIONTYPE_EMAIL = 0;
  NOTIFICATIONTYPE_SMS = 1;
}

enum PolicyState {
  POLICYSTATE_UNSPECIFIED = 0;
  POLICYSTATE_ACTIVE = 1;
  POLICYSTATE_INACTIVE = 2;
  POLICYSTATE_DELETED = 3;
}

message OrgIamPolicyView {
  bool user_login_must_be_domain = 1;
  bool default = 2;
}

message OrgCreateRequest {
  string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
}

message Org {
  string id = 1;
  OrgState state = 2;
  google.protobuf.Timestamp creation_date = 3;
  google.protobuf.Timestamp change_date = 4;
  string name = 5;
  uint64 sequence = 6;
}

message OrgView {
  string id = 1;
  OrgState state = 2;
  google.protobuf.Timestamp creation_date = 3;
  google.protobuf.Timestamp change_date = 4;
  string name = 5;
  uint64 sequence = 6;
}

enum OrgState {
  ORGSTATE_UNSPECIFIED = 0;
  ORGSTATE_ACTIVE = 1;
  ORGSTATE_INACTIVE = 2;
}

message Domain {
  string domain = 1 [(validate.rules).string = {min_len: 1}];
}

message OrgDomain {
  string org_id = 1;
  google.protobuf.Timestamp creation_date = 2;
  google.protobuf.Timestamp change_date = 3;
  string domain = 4;
  bool verified = 5;
  bool primary = 6;
  uint64 sequence = 7;
}

message OrgDomainView {
  string org_id = 1;
  google.protobuf.Timestamp creation_date = 2;
  google.protobuf.Timestamp change_date = 3;
  string domain = 4;
  bool verified = 5;
  bool primary = 6;
  uint64 sequence = 7;
  OrgDomainValidationType validation_type = 8;
}

message AddOrgDomainRequest {
  string domain = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
}

message OrgDomainValidationRequest {
  string domain = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
  OrgDomainValidationType type = 2 [(validate.rules).enum = {not_in: [0]}];
}

enum OrgDomainValidationType {
  ORGDOMAINVALIDATIONTYPE_UNSPECIFIED = 0;
  ORGDOMAINVALIDATIONTYPE_HTTP = 1;
  ORGDOMAINVALIDATIONTYPE_DNS = 2;
}

message OrgDomainValidationResponse {
  string token = 1;
  string url = 2;
}

message ValidateOrgDomainRequest {
  string domain = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
}

message PrimaryOrgDomainRequest {
  string domain = 1 [(validate.rules).string = {min_len: 1}];
}

message RemoveOrgDomainRequest {
  string domain = 1 [(validate.rules).string = {min_len: 1}];
}

message OrgDomainSearchResponse {
  uint64 offset = 1;
  uint64 limit = 2;
  uint64 total_result = 3;
  repeated OrgDomainView result = 4;
  uint64 processed_sequence = 5;
  google.protobuf.Timestamp view_timestamp = 6;
}

message OrgDomainSearchRequest {
  uint64 offset = 1;
  uint64 limit = 2;
  repeated OrgDomainSearchQuery queries = 3;
}

message OrgDomainSearchQuery {
  OrgDomainSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];
  SearchMethod method = 2;
  string value = 3;
}

enum OrgDomainSearchKey {
  ORGDOMAINSEARCHKEY_UNSPECIFIED = 0;
  ORGDOMAINSEARCHKEY_DOMAIN = 1;
}

message OrgMemberRoles {
  repeated string roles = 1;
}

message OrgMember {
  string user_id = 1;
  repeated string roles = 2;
  google.protobuf.Timestamp change_date = 3;
  google.protobuf.Timestamp creation_date = 4;
  uint64 sequence = 5;
}

message AddOrgMemberRequest {
  string user_id = 1 [(validate.rules).string = {min_len: 1}];
  repeated string roles = 2;
}

message ChangeOrgMemberRequest {
  string user_id = 1 [(validate.rules).string = {min_len: 1}];
  repeated string roles = 2;
}

message RemoveOrgMemberRequest {
  string user_id = 1 [(validate.rules).string = {min_len: 1}];
}

message OrgMemberSearchResponse {
  uint64 offset = 1;
  uint64 limit = 2;
  uint64 total_result = 3;
  repeated OrgMemberView result = 4;
  uint64 processed_sequence = 5;
  google.protobuf.Timestamp view_timestamp = 6;
}

message OrgMemberView {
  string user_id = 1;
  repeated string roles = 2;
  google.protobuf.Timestamp change_date = 3;
  google.protobuf.Timestamp creation_date = 4;
  uint64 sequence = 5;
  string user_name = 6;
  string email = 7;
  string first_name = 8;
  string last_name = 9;
  string display_name = 10;
}

message OrgMemberSearchRequest {
  uint64 offset = 1;
  uint64 limit = 2;
  repeated OrgMemberSearchQuery queries = 3;
}

message OrgMemberSearchQuery {
  OrgMemberSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];
  SearchMethod method = 2;
  string value = 3;
}

enum OrgMemberSearchKey {
  ORGMEMBERSEARCHKEY_UNSPECIFIED = 0;
  ORGMEMBERSEARCHKEY_FIRST_NAME = 1;
  ORGMEMBERSEARCHKEY_LAST_NAME = 2;
  ORGMEMBERSEARCHKEY_EMAIL = 3;
  ORGMEMBERSEARCHKEY_USER_ID = 4;
}

message ProjectCreateRequest {
  string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
}

message ProjectUpdateRequest {
  string id = 1 [(validate.rules).string = {min_len: 1}];
  string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
}

message ProjectSearchResponse {
  uint64 offset = 1;
  uint64 limit = 2;
  uint64 total_result = 3;
  repeated ProjectView result = 4;
  uint64 processed_sequence = 5;
  google.protobuf.Timestamp view_timestamp = 6;
}

message ProjectView {
  string project_id = 1;
  string name = 2;
  ProjectState state = 3;
  google.protobuf.Timestamp change_date = 4;
  google.protobuf.Timestamp creation_date = 5;
  string resource_owner = 6;
  uint64 sequence = 7;
}

message ProjectSearchRequest {
  uint64 offset = 1;
  uint64 limit = 2;
  repeated ProjectSearchQuery queries = 3;
}

message ProjectSearchQuery {
  ProjectSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];
  SearchMethod method = 2;
  string value = 3;
}

enum ProjectSearchKey {
  PROJECTSEARCHKEY_UNSPECIFIED = 0;
  PROJECTSEARCHKEY_PROJECT_NAME = 1;
}

message Projects {
  repeated Project projects = 1;
}

message Project {
  string id = 1;
  string name = 2;
  ProjectState state = 3;
  google.protobuf.Timestamp change_date = 4;
  google.protobuf.Timestamp creation_date = 5;
  uint64 sequence = 6;
}

enum ProjectState {
  PROJECTSTATE_UNSPECIFIED = 0;
  PROJECTSTATE_ACTIVE = 1;
  PROJECTSTATE_INACTIVE = 2;
}

message ProjectMemberRoles {
  repeated string roles = 1;
}

message ProjectMember {
  string user_id = 1;
  repeated string roles = 2;
  google.protobuf.Timestamp change_date = 3;
  google.protobuf.Timestamp creation_date = 4;
  uint64 sequence = 5;
}

message ProjectMemberAdd {
  string id = 1 [(validate.rules).string = {min_len: 1}];
  string user_id = 2 [(validate.rules).string = {min_len: 1}];
  repeated string roles = 3;
}

message ProjectMemberChange {
  string id = 1 [(validate.rules).string = {min_len: 1}];
  string user_id = 2 [(validate.rules).string = {min_len: 1}];
  repeated string roles = 3;
}

message ProjectMemberRemove {
  string id = 1 [(validate.rules).string = {min_len: 1}];
  string user_id = 2 [(validate.rules).string = {min_len: 1}];
}

message ProjectRoleAdd {
  string id = 1 [(validate.rules).string = {min_len: 1}];
  string key = 2;
  string display_name = 3;
  string group = 4;
}

message ProjectRoleAddBulk {
  string id = 1 [(validate.rules).string = {min_len: 1}];
  repeated ProjectRoleAdd project_roles = 2;
}

message ProjectRoleChange {
  string id = 1 [(validate.rules).string = {min_len: 1}];
  string key = 2 [(validate.rules).string = {min_len: 1}];
  string display_name = 3;
  string group = 4;
}

message ProjectRole {
  string project_id = 1;
  string key = 2;
  string display_name = 3;
  google.protobuf.Timestamp creation_date = 4;
  google.protobuf.Timestamp change_date = 5;
  string group = 6;
  uint64 sequence = 7;
}

message ProjectRoleView {
  string project_id = 1;
  string key = 2;
  string display_name = 3;
  google.protobuf.Timestamp creation_date = 4;
  string group = 6;
  uint64 sequence = 7;
}

message ProjectRoleRemove {
  string id = 1 [(validate.rules).string = {min_len: 1}];
  string key = 2 [(validate.rules).string = {min_len: 1}];
}

message ProjectRoleSearchResponse {
  uint64 offset = 1;
  uint64 limit = 2;
  uint64 total_result = 3;
  repeated ProjectRoleView result = 4;
  uint64 processed_sequence = 5;
  google.protobuf.Timestamp view_timestamp = 6;
}

message ProjectRoleSearchRequest {
  string project_id = 1 [(validate.rules).string = {min_len: 1}];
  uint64 offset = 2;
  uint64 limit = 3;
  repeated ProjectRoleSearchQuery queries = 4;
}

message ProjectRoleSearchQuery {
  ProjectRoleSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];
  SearchMethod method = 2;
  string value = 3;
}

enum ProjectRoleSearchKey {
  PROJECTROLESEARCHKEY_UNSPECIFIED = 0;
  PROJECTROLESEARCHKEY_KEY = 1;
  PROJECTROLESEARCHKEY_DISPLAY_NAME = 2;
}

message ProjectMemberView {
  string user_id = 1;
  string user_name = 2;
  string email = 3;
  string first_name = 4;
  string last_name = 5;
  repeated string roles = 6;
  google.protobuf.Timestamp change_date = 7;
  google.protobuf.Timestamp creation_date = 8;
  uint64 sequence = 10;
  string display_name = 11;
}

message ProjectMemberSearchResponse {
  uint64 offset = 1;
  uint64 limit = 2;
  uint64 total_result = 3;
  repeated ProjectMemberView result = 4;
  uint64 processed_sequence = 5;
  google.protobuf.Timestamp view_timestamp = 6;
}

message ProjectMemberSearchRequest {
  string project_id = 1 [(validate.rules).string = {min_len: 1}];
  uint64 offset = 2;
  uint64 limit = 3;
  repeated ProjectMemberSearchQuery queries = 4;
}

message ProjectMemberSearchQuery {
  ProjectMemberSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];
  SearchMethod method = 2;
  string value = 3;
}

enum ProjectMemberSearchKey {
  PROJECTMEMBERSEARCHKEY_UNSPECIFIED = 0;
  PROJECTMEMBERSEARCHKEY_FIRST_NAME = 1;
  PROJECTMEMBERSEARCHKEY_LAST_NAME = 2;
  PROJECTMEMBERSEARCHKEY_EMAIL = 3;
  PROJECTMEMBERSEARCHKEY_USER_ID = 4;
  PROJECTMEMBERSEARCHKEY_USER_NAME = 5;
}

enum AppState {
  APPSTATE_UNSPECIFIED = 0;
  APPSTATE_ACTIVE = 1;
  APPSTATE_INACTIVE = 2;
}

message Application {
  string id = 1;
  AppState state = 2;
  google.protobuf.Timestamp creation_date = 3;
  google.protobuf.Timestamp change_date = 4;
  string name = 5;
  oneof app_config {
    OIDCConfig oidc_config = 8;
  }
  uint64 sequence = 9;
}

message ApplicationUpdate {
  string project_id = 1 [(validate.rules).string = {min_len: 1}];
  string id = 2 [(validate.rules).string = {min_len: 1}];
  string name = 5 [(validate.rules).string = {min_len: 1, max_len: 200}];
}

message OIDCConfig {
  repeated string redirect_uris = 1;
  repeated OIDCResponseType response_types = 2;
  repeated OIDCGrantType grant_types = 3;
  OIDCApplicationType application_type = 4;
  string client_id = 5;
  string client_secret = 6;
  OIDCAuthMethodType auth_method_type = 7;
  repeated string post_logout_redirect_uris = 8;
  OIDCVersion version = 9;
  bool none_compliant = 10;
  repeated caos.zitadel.api.v1.LocalizedMessage compliance_problems = 11;
  bool dev_mode = 12;
}

message OIDCApplicationCreate {
  string project_id = 1 [(validate.rules).string = {min_len: 1}];
  string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
  repeated string redirect_uris = 3;
  repeated OIDCResponseType response_types = 4;
  repeated OIDCGrantType grant_types = 5;
  OIDCApplicationType application_type = 6;
  OIDCAuthMethodType auth_method_type = 7;
  repeated string post_logout_redirect_uris = 8;
  OIDCVersion version = 9;
  bool dev_mode = 10;
}

enum OIDCVersion {
  OIDCV1_0 = 0;
}

message OIDCConfigUpdate {
  string project_id = 1 [(validate.rules).string = {min_len: 1}];
  string application_id = 2 [(validate.rules).string = {min_len: 1}];
  repeated string redirect_uris = 3;
  repeated OIDCResponseType response_types = 4;
  repeated OIDCGrantType grant_types = 5;
  OIDCApplicationType application_type = 6;
  OIDCAuthMethodType auth_method_type = 7;
  repeated string post_logout_redirect_uris = 8;
  bool dev_mode = 9;
}

enum OIDCResponseType {
  OIDCRESPONSETYPE_CODE = 0;
  OIDCRESPONSETYPE_ID_TOKEN = 1;
  OIDCRESPONSETYPE_ID_TOKEN_TOKEN = 2;
}

enum OIDCGrantType {
  OIDCGRANTTYPE_AUTHORIZATION_CODE = 0;
  OIDCGRANTTYPE_IMPLICIT = 1;
  OIDCGRANTTYPE_REFRESH_TOKEN = 2;
}

enum OIDCApplicationType {
  OIDCAPPLICATIONTYPE_WEB = 0;
  OIDCAPPLICATIONTYPE_USER_AGENT = 1;
  OIDCAPPLICATIONTYPE_NATIVE = 2;
}

enum OIDCAuthMethodType {
  OIDCAUTHMETHODTYPE_BASIC = 0;
  OIDCAUTHMETHODTYPE_POST = 1;
  OIDCAUTHMETHODTYPE_NONE = 2;
}

message ClientSecret {
  string client_secret = 1;
}

message ApplicationView {
  string id = 1;
  AppState state = 2;
  google.protobuf.Timestamp creation_date = 3;
  google.protobuf.Timestamp change_date = 4;
  string name = 5;
  oneof app_config {
    OIDCConfig oidc_config = 8;
  }

  uint64 sequence = 9;
}

message ApplicationSearchResponse {
  uint64 offset = 1;
  uint64 limit = 2;
  uint64 total_result = 3;
  repeated ApplicationView result = 4;
  uint64 processed_sequence = 5;
  google.protobuf.Timestamp view_timestamp = 6;
}

message ApplicationSearchRequest {
  string project_id = 1 [(validate.rules).string = {min_len: 1}];
  uint64 offset = 2;
  uint64 limit = 3;
  repeated ApplicationSearchQuery queries = 4;
}

message ApplicationSearchQuery {
  ApplicationSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];
  SearchMethod method = 2;
  string value = 3;
}

enum ApplicationSearchKey {
  APPLICATIONSERACHKEY_UNSPECIFIED = 0;
  APPLICATIONSEARCHKEY_APP_NAME = 1;
}

message ProjectGrant {
  string id = 1;
  string project_id = 2;
  string granted_org_id = 3;
  repeated string role_keys = 4;
  ProjectGrantState state = 5;
  google.protobuf.Timestamp creation_date = 6;
  google.protobuf.Timestamp change_date = 7;
  uint64 sequence = 9;
}

message ProjectGrantCreate {
  string project_id = 1 [(validate.rules).string = {min_len: 1}];
  string granted_org_id = 2 [(validate.rules).string = {min_len: 1}];
  repeated string role_keys = 3;
}

message ProjectGrantUpdate {
  string project_id = 1 [(validate.rules).string = {min_len: 1}];
  string id = 2 [(validate.rules).string = {min_len: 1}];
  repeated string role_keys = 3;
}

message ProjectGrantID {
  string project_id = 1 [(validate.rules).string = {min_len: 1}];
  string id = 2 [(validate.rules).string = {min_len: 1}];
}

enum ProjectGrantState {
  PROJECTGRANTSTATE_UNSPECIFIED = 0;
  PROJECTGRANTSTATE_ACTIVE = 1;
  PROJECTGRANTSTATE_INACTIVE = 2;
}

message ProjectGrantView {
  string id = 1;
  string project_id = 2;
  string granted_org_id = 3;
  string granted_org_name = 4;
  repeated string role_keys = 5;
  ProjectGrantState state = 6;
  google.protobuf.Timestamp creation_date = 7;
  google.protobuf.Timestamp change_date = 8;
  string project_name = 9;
  uint64 sequence = 10;
  string resource_owner = 11;
  string resource_owner_name = 12;
}

message ProjectGrantSearchResponse {
  uint64 offset = 1;
  uint64 limit = 2;
  uint64 total_result = 3;
  repeated ProjectGrantView result = 4;
  uint64 processed_sequence = 5;
  google.protobuf.Timestamp view_timestamp = 6;
}

message GrantedProjectSearchRequest {
  uint64 offset = 1;
  uint64 limit = 2;
  repeated ProjectSearchQuery queries = 3;
}

message ProjectGrantSearchRequest {
  string project_id = 1 [(validate.rules).string = {min_len: 1}];
  uint64 offset = 2;
  uint64 limit = 3;
  repeated ProjectGrantSearchQuery queries = 4;
}

message ProjectGrantSearchQuery {
  ProjectGrantSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];
  SearchMethod method = 2;
  string value = 3;
}

enum ProjectGrantSearchKey {
  PROJECTGRANTSEARCHKEY_UNSPECIFIED = 0;
  PROJECTGRANTSEARCHKEY_PROJECT_NAME = 1;
  PROJECTGRANTSEARCHKEY_ROLE_KEY = 2;
}

message ProjectGrantMemberRoles {
  repeated string roles = 1;
}

message ProjectGrantMember {
  string user_id = 1;
  repeated string roles = 2;
  google.protobuf.Timestamp change_date = 3;
  google.protobuf.Timestamp creation_date = 4;
  uint64 sequence = 5;
}

message ProjectGrantMemberAdd {
  string project_id = 1 [(validate.rules).string = {min_len: 1}];
  string grant_id = 2 [(validate.rules).string = {min_len: 1}];
  string user_id = 3 [(validate.rules).string = {min_len: 1}];
  repeated string roles = 4;
}

message ProjectGrantMemberChange {
  string project_id = 1 [(validate.rules).string = {min_len: 1}];
  string grant_id = 2 [(validate.rules).string = {min_len: 1}];
  string user_id = 3 [(validate.rules).string = {min_len: 1}];
  repeated string roles = 4;
}

message ProjectGrantMemberRemove {
  string project_id = 1 [(validate.rules).string = {min_len: 1}];
  string grant_id = 2 [(validate.rules).string = {min_len: 1}];
  string user_id = 3 [(validate.rules).string = {min_len: 1}];
}

message ProjectGrantMemberView {
  string user_id = 1;
  string user_name = 2;
  string email = 3;
  string first_name = 4;
  string last_name = 5;
  repeated string roles = 6;
  google.protobuf.Timestamp change_date = 7;
  google.protobuf.Timestamp creation_date = 8;
  uint64 sequence = 9;
  string display_name = 10;
}

message ProjectGrantMemberSearchResponse {
  uint64 offset = 1;
  uint64 limit = 2;
  uint64 total_result = 3;
  repeated ProjectGrantMemberView result = 4;
  uint64 processed_sequence = 5;
  google.protobuf.Timestamp view_timestamp = 6;
}

message ProjectGrantMemberSearchRequest {
  string project_id = 1 [(validate.rules).string = {min_len: 1}];
  string grant_id = 2 [(validate.rules).string = {min_len: 1}];
  uint64 offset = 3;
  uint64 limit = 4;
  repeated ProjectGrantMemberSearchQuery queries = 5;
}

message ProjectGrantMemberSearchQuery {
  ProjectGrantMemberSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];
  SearchMethod method = 2;
  string value = 3;
}

enum ProjectGrantMemberSearchKey {
  PROJECTGRANTMEMBERSEARCHKEY_UNSPECIFIED = 0;
  PROJECTGRANTMEMBERSEARCHKEY_FIRST_NAME = 1;
  PROJECTGRANTMEMBERSEARCHKEY_LAST_NAME = 2;
  PROJECTGRANTMEMBERSEARCHKEY_EMAIL = 3;
  PROJECTGRANTMEMBERSEARCHKEY_USER_ID = 4;
  PROJECTGRANTMEMBERSEARCHKEY_USER_NAME = 5;
}

message UserGrant {
  string id = 1;
  string user_id = 2;
  string org_id = 3;
  string project_id = 4;
  repeated string role_keys = 5;
  UserGrantState state = 6;
  google.protobuf.Timestamp creation_date = 7;
  google.protobuf.Timestamp change_date = 8;
  uint64 sequence = 9;
  string grant_id = 10;
}

message UserGrantCreate {
  string user_id = 1 [(validate.rules).string = {min_len: 1}];
  string project_id = 2 [(validate.rules).string = {min_len: 1}];
  repeated string role_keys = 3;
  string grant_id = 4;
}

message UserGrantUpdate {
  string user_id = 1 [(validate.rules).string = {min_len: 1}];
  string id = 2 [(validate.rules).string = {min_len: 1}];
  repeated string role_keys = 3;
}

message UserGrantRemoveBulk {
  repeated string ids = 1 [(validate.rules).repeated.min_items = 1];
}

message UserGrantID {
  string user_id = 1 [(validate.rules).string = {min_len: 1}];
  string id = 2 [(validate.rules).string = {min_len: 1}];
}

enum UserGrantState {
  USERGRANTSTATE_UNSPECIFIED = 0;
  USERGRANTSTATE_ACTIVE = 1;
  USERGRANTSTATE_INACTIVE = 2;
}

message UserGrantView {
  string id = 1;
  string user_id = 2;
  string org_id = 3;
  string project_id = 4;
  repeated string role_keys = 5;
  UserGrantState state = 6;
  google.protobuf.Timestamp creation_date = 7;
  google.protobuf.Timestamp change_date = 8;
  string user_name = 9;
  string first_name = 10;
  string last_name = 11;
  string email = 12;
  string org_name = 13;
  string org_domain = 14;
  string project_name = 15;
  uint64 sequence = 16;
  string resource_owner = 17;
  string display_name = 18;
  string grant_id = 19;
}


message UserGrantSearchResponse {
  uint64 offset = 1;
  uint64 limit = 2;
  uint64 total_result = 3;
  repeated UserGrantView result = 4;
  uint64 processed_sequence = 5;
  google.protobuf.Timestamp view_timestamp = 6;
}

message UserGrantSearchRequest {
  uint64 offset = 1;
  uint64 limit = 2;
  repeated UserGrantSearchQuery queries = 3;
}

message UserGrantSearchQuery {
  UserGrantSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];
  SearchMethod method = 2 [(validate.rules).enum = {in: [0]}];
  string value = 3;
}

enum UserGrantSearchKey {
  USERGRANTSEARCHKEY_UNSPECIFIED = 0;
  USERGRANTSEARCHKEY_PROJECT_ID = 1;
  USERGRANTSEARCHKEY_USER_ID = 2;
  USERGRANTSEARCHKEY_ORG_ID = 3;
  USERGRANTSEARCHKEY_ROLE_KEY = 4;
  USERGRANTSEARCHKEY_GRANT_ID = 5;
}

message UserMembershipSearchResponse {
  uint64 offset = 1;
  uint64 limit = 2;
  uint64 total_result = 3;
  repeated UserMembershipView result = 4;
  uint64 processed_sequence = 5;
  google.protobuf.Timestamp view_timestamp = 6;
}

message UserMembershipSearchRequest {
  string user_id = 1 [(validate.rules).string = {min_len: 1}];
  uint64 offset = 2;
  uint64 limit = 3;
  repeated UserMembershipSearchQuery queries = 4;
}

message UserMembershipSearchQuery {
  UserMembershipSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];
  SearchMethod method = 2 [(validate.rules).enum = {in: [0]}];
  string value = 3;
}

enum UserMembershipSearchKey {
  USERMEMBERSHIPSEARCHKEY_UNSPECIFIED = 0;
  USERMEMBERSHIPSEARCHKEY_TYPE = 1;
  USERMEMBERSHIPSEARCHKEY_OBJECT_ID = 2;
}

message UserMembershipView {
  string user_id = 1;
  MemberType member_type = 2;
  string aggregate_id = 3;
  string object_id = 4;
  repeated string roles = 5;
  string display_name = 6;
  google.protobuf.Timestamp creation_date = 7;
  google.protobuf.Timestamp change_date = 8;
  uint64 sequence = 9;
  string resource_owner = 10;
}

enum MemberType {
  MEMBERTYPE_UNSPECIFIED = 0;
  MEMBERTYPE_ORGANISATION = 1;
  MEMBERTYPE_PROJECT = 2;
  MEMBERTYPE_PROJECT_GRANT = 3;
}

message IdpID {
    string id = 1 [(validate.rules).string = {min_len: 1}];
}

message Idp {
    string id = 1;
    IdpState state = 2;
    google.protobuf.Timestamp creation_date = 3;
    google.protobuf.Timestamp change_date = 4;
    string name = 5;
    bytes logo_src = 6;
    oneof idp_config {
        OidcIdpConfig oidc_config = 7;
    }
    uint64 sequence = 8;
}

message IdpUpdate {
    string id = 1 [(validate.rules).string = {min_len: 1}];
    string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
    bytes logo_src = 3;
}

message OidcIdpConfig {
    string client_id = 1;
    string client_secret = 2;
    string issuer = 3;
    repeated string scopes = 4;
    OIDCMappingField idp_display_name_mapping = 5;
    OIDCMappingField username_mapping = 6;
}

enum IdpState {
    IDPCONFIGSTATE_UNSPECIFIED = 0;
    IDPCONFIGSTATE_ACTIVE = 1;
    IDPCONFIGSTATE_INACTIVE = 2;
}

enum OIDCMappingField {
  OIDCMAPPINGFIELD_UNSPECIFIED = 0;
  OIDCMAPPINGFIELD_PREFERRED_USERNAME = 1;
  OIDCMAPPINGFIELD_EMAIL = 2;
}

message OidcIdpConfigCreate {
    string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
    bytes logo_src = 2;
    string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
    string client_secret = 4 [(validate.rules).string = {min_len: 1, max_len: 200}];
    string issuer = 5 [(validate.rules).string = {min_len: 1, max_len: 200}];
    repeated string scopes = 6;
    OIDCMappingField idp_display_name_mapping = 7;
    OIDCMappingField username_mapping = 8;
}

message OidcIdpConfigUpdate {
    string idp_id = 1 [(validate.rules).string = {min_len: 1}];
    string client_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
    string client_secret = 3;
    string issuer = 4 [(validate.rules).string = {min_len: 1, max_len: 200}];
    repeated string scopes = 5;
    OIDCMappingField idp_display_name_mapping = 6;
    OIDCMappingField username_mapping = 7;
}

message IdpSearchResponse {
    uint64 offset = 1;
    uint64 limit = 2;
    uint64 total_result = 3;
    repeated IdpView result = 4;
    uint64 processed_sequence = 5;
    google.protobuf.Timestamp view_timestamp = 6;
}

message IdpView {
    string id = 1;
    IdpState state = 2;
    google.protobuf.Timestamp creation_date = 3;
    google.protobuf.Timestamp change_date = 4;
    string name = 5;
    bytes logo_src = 6;
    IdpProviderType provider_type = 7;
    oneof idp_config_view {
        OidcIdpConfigView oidc_config = 8;
    }
    uint64 sequence = 9;
}

message OidcIdpConfigView {
    string client_id = 1;
    string issuer = 2;
    repeated string scopes = 3;
    OIDCMappingField idp_display_name_mapping = 4;
    OIDCMappingField username_mapping = 5;
}

message IdpSearchRequest {
    uint64 offset = 1;
    uint64 limit = 2;
    repeated IdpSearchQuery queries = 3;
}

message IdpSearchQuery {
    IdpSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];
    SearchMethod method = 2;
    string value = 3;
}

enum IdpSearchKey {
    IDPSEARCHKEY_UNSPECIFIED = 0;
    IDPSEARCHKEY_IDP_CONFIG_ID = 1;
    IDPSEARCHKEY_NAME = 2;
    IDPSEARCHKEY_PROVIDER_TYPE = 3;
}

message LoginPolicy {
    bool allow_username_password = 1;
    bool allow_register = 2;
    bool allow_external_idp = 3;
    google.protobuf.Timestamp creation_date = 4;
    google.protobuf.Timestamp change_date = 5;
}

message LoginPolicyRequest {
  bool allow_username_password = 1;
  bool allow_register = 2;
  bool allow_external_idp = 3;
}

message IdpProviderID {
    string idp_config_id = 1 [(validate.rules).string = {min_len: 1}];
}

message IdpProviderAdd {
  string idp_config_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
  IdpProviderType idp_provider_type = 2 [(validate.rules).enum = {not_in: [0]}];
}

message IdpProvider {
  string idp_config_id = 1;
  IdpProviderType idp_provider_Type = 2;
}

message LoginPolicyView {
    bool default = 1;
    bool allow_username_password = 2;
    bool allow_register = 3;
    bool allow_external_idp = 4;
    google.protobuf.Timestamp creation_date = 5;
    google.protobuf.Timestamp change_date = 6;
}

message IdpProviderView {
    string idp_config_id = 1;
    string name = 2;
    IdpType type = 3;
}

enum IdpType {
    IDPTYPE_UNSPECIFIED = 0;
    IDPTYPE_OIDC = 1;
    IDPTYPE_SAML = 2;
}

enum IdpProviderType {
  IDPPROVIDERTYPE_UNSPECIFIED = 0;
  IDPPROVIDERTYPE_SYSTEM = 1;
  IDPPROVIDERTYPE_ORG = 2;
}

message IdpProviderSearchResponse {
    uint64 offset = 1;
    uint64 limit = 2;
    uint64 total_result = 3;
    repeated IdpProviderView result = 4;
    uint64 processed_sequence = 5;
    google.protobuf.Timestamp view_timestamp = 6;
}

message IdpProviderSearchRequest {
    uint64 offset = 1;
    uint64 limit = 2;
}

//ProjectType is deprecated, remove as soon as console is ready 
enum ProjectType {
  PROJECTTYPE_UNSPECIFIED = 0;
  PROJECTTYPE_OWNED = 1;
  PROJECTTYPE_GRANTED = 2;
}

message ExternalIDPSearchRequest {
  uint64 offset = 1;
  uint64 limit = 2;
  string user_id = 3;
}

message ExternalIDPSearchResponse {
  uint64 offset = 1;
  uint64 limit = 2;
  uint64 total_result = 3;
  repeated ExternalIDPView result = 4;
  uint64 processed_sequence = 5;
  google.protobuf.Timestamp view_timestamp = 6;
}

message ExternalIDPView {
  string user_id = 1;
  string idp_config_id = 2;
  string external_user_id = 3;
  string idp_name = 4;
  string external_user_display_name = 5;
  google.protobuf.Timestamp creation_date = 6;
  google.protobuf.Timestamp change_date = 7;
}

message ExternalIDPRemoveRequest {
  string user_id = 1;
  string idp_config_id = 2;
  string external_user_id = 3;
}

message PasswordComplexityPolicy {
  uint64 min_length = 1;
  bool has_lowercase = 2;
  bool has_uppercase = 3;
  bool has_number = 4;
  bool has_symbol = 5;
  uint64 sequence = 6;
  google.protobuf.Timestamp creation_date = 7;
  google.protobuf.Timestamp change_date = 8;
}

message PasswordComplexityPolicyRequest {
  uint64 min_length = 1;
  bool has_lowercase = 2;
  bool has_uppercase = 3;
  bool has_number = 4;
  bool has_symbol = 5;
}

message PasswordComplexityPolicyView {
  bool default = 1;
  uint64 min_length = 2;
  bool has_lowercase = 3;
  bool has_uppercase = 4;
  bool has_number = 5;
  bool has_symbol = 6;
  uint64 sequence = 7;
  google.protobuf.Timestamp creation_date = 8;
  google.protobuf.Timestamp change_date = 9;
}

message PasswordAgePolicy {
  uint64 max_age_days = 1;
  uint64 expire_warn_days = 2;
  uint64 sequence = 3;
  google.protobuf.Timestamp creation_date = 4;
  google.protobuf.Timestamp change_date = 5;
}

message PasswordAgePolicyRequest {
  uint64 max_age_days = 1;
  uint64 expire_warn_days = 2;
}

message PasswordAgePolicyView {
  bool default = 1;
  uint64 max_age_days = 2;
  uint64 expire_warn_days = 3;
  uint64 sequence = 4;
  google.protobuf.Timestamp creation_date = 5;
  google.protobuf.Timestamp change_date = 6;
}

message PasswordLockoutPolicy {
  uint64 max_attempts = 1;
  bool show_lockout_failure = 2;
  uint64 sequence = 3;
  google.protobuf.Timestamp creation_date = 4;
  google.protobuf.Timestamp change_date = 5;
}

message PasswordLockoutPolicyRequest {
  uint64 max_attempts = 1;
  bool show_lockout_failure = 2;
}

message PasswordLockoutPolicyView {
  bool default = 1;
  uint64 max_attempts = 2;
  bool show_lockout_failure = 3;
  uint64 sequence = 4;
  google.protobuf.Timestamp creation_date = 5;
  google.protobuf.Timestamp change_date = 6;
}