Merge branch 'main' into notification-links

2025-08-11 20:57:31 +00:00 · 2023-09-25 11:29:18 +02:00
parent c4197fef87 2823678eb6
commit 0b5cfbb653
244 changed files with 3748 additions and 1628 deletions
--- a/cmd/defaults.yaml
+++ b/cmd/defaults.yaml
@@ -595,7 +595,7 @@ DefaultInstance:
    MaxAgeDays: 0 # ZITADEL_DEFAULTINSTANCE_PASSWORDAGEPOLICY_MAXAGEDAYS
  DomainPolicy:
    UserLoginMustBeDomain: false # ZITADEL_DEFAULTINSTANCE_DOMAINPOLICY_USERLOGINMUSTBEDOMAIN
-    ValidateOrgDomains: true # ZITADEL_DEFAULTINSTANCE_DOMAINPOLICY_VALIDATEORGDOMAINS
+    ValidateOrgDomains: false # ZITADEL_DEFAULTINSTANCE_DOMAINPOLICY_VALIDATEORGDOMAINS
    SMTPSenderAddressMatchesInstanceDomain: false # ZITADEL_DEFAULTINSTANCE_DOMAINPOLICY_SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN
  LoginPolicy:
    AllowUsernamePassword: true # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_ALLOWUSERNAMEPASSWORD
@@ -604,7 +604,7 @@ DefaultInstance:
    ForceMFA: false # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_FORCEMFA
    HidePasswordReset: false # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_HIDEPASSWORDRESET
    IgnoreUnknownUsernames: false # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_IGNOREUNKNOWNUSERNAMES
-    AllowDomainDiscovery: false # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_ALLOWDOMAINDISCOVERY
+    AllowDomainDiscovery: true # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_ALLOWDOMAINDISCOVERY
    # 1 is allowed, 0 is not allowed
    PasswordlessType: 1 # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_PASSWORDLESSTYPE
    # DefaultRedirectURL is empty by default because we use the Console UI
--- a/cmd/setup/13.go
+++ b/cmd/setup/13.go
@@ -0,0 +1,26 @@
 package setup
 import (
 	"context"
 	_ "embed"
 	"github.com/zitadel/zitadel/internal/database"
 )
 var (
 	//go:embed 13/13_fix_quota_constraints.sql
 	fixQuotaConstraints string
 )
 type FixQuotaConstraints struct {
 	dbClient *database.DB
 }
 func (mig *FixQuotaConstraints) Execute(ctx context.Context) error {
 	_, err := mig.dbClient.ExecContext(ctx, fixQuotaConstraints)
 	return err
 }
 func (mig *FixQuotaConstraints) String() string {
 	return "13_fix_quota_constraints"
 }
--- a/cmd/setup/13/13_fix_quota_constraints.sql
+++ b/cmd/setup/13/13_fix_quota_constraints.sql
@@ -0,0 +1,4 @@
 ALTER TABLE IF EXISTS projections.quotas ALTER COLUMN from_anchor DROP NOT NULL;
 ALTER TABLE IF EXISTS projections.quotas ALTER COLUMN amount DROP NOT NULL;
 ALTER TABLE IF EXISTS projections.quotas ALTER COLUMN interval DROP NOT NULL;
 ALTER TABLE IF EXISTS projections.quotas ALTER COLUMN limit_usage DROP NOT NULL;
--- a/cmd/setup/config.go
+++ b/cmd/setup/config.go
@@ -56,18 +56,19 @@ func MustNewConfig(v *viper.Viper) *Config {
 }
 type Steps struct {
-	s1ProjectionTable    *ProjectionTable
+	s1ProjectionTable     *ProjectionTable
-	s2AssetsTable        *AssetTable
+	s2AssetsTable         *AssetTable
-	FirstInstance        *FirstInstance
+	FirstInstance         *FirstInstance
-	s4EventstoreIndexes  *EventstoreIndexesNew
+	s4EventstoreIndexes   *EventstoreIndexesNew
-	s5LastFailed         *LastFailed
+	s5LastFailed          *LastFailed
-	s6OwnerRemoveColumns *OwnerRemoveColumns
+	s6OwnerRemoveColumns  *OwnerRemoveColumns
-	s7LogstoreTables     *LogstoreTables
+	s7LogstoreTables      *LogstoreTables
-	s8AuthTokens         *AuthTokenIndexes
+	s8AuthTokens          *AuthTokenIndexes
-	s9EventstoreIndexes2 *EventstoreIndexesNew
+	s9EventstoreIndexes2  *EventstoreIndexesNew
-	CorrectCreationDate  *CorrectCreationDate
+	CorrectCreationDate   *CorrectCreationDate
-	AddEventCreatedAt    *AddEventCreatedAt
+	AddEventCreatedAt     *AddEventCreatedAt
-	s12AddOTPColumns     *AddOTPColumns
+	s12AddOTPColumns      *AddOTPColumns
 	s13FixQuotaProjection *FixQuotaConstraints
 }
 type encryptionKeyConfig struct {
--- a/cmd/setup/setup.go
+++ b/cmd/setup/setup.go
@@ -95,6 +95,7 @@ func Setup(config *Config, steps *Steps, masterKey string) {
 	steps.AddEventCreatedAt.dbClient = dbClient
 	steps.AddEventCreatedAt.step10 = steps.CorrectCreationDate
 	steps.s12AddOTPColumns = &AddOTPColumns{dbClient: dbClient}
 	steps.s13FixQuotaProjection = &FixQuotaConstraints{dbClient: dbClient}
 	err = projection.Create(ctx, dbClient, eventstoreClient, config.Projections, nil, nil)
 	logging.OnError(err).Fatal("unable to start projections")
@@ -137,6 +138,8 @@ func Setup(config *Config, steps *Steps, masterKey string) {
 	logging.OnError(err).Fatal("unable to migrate step 11")
 	err = migration.Migrate(ctx, eventstoreClient, steps.s12AddOTPColumns)
 	logging.OnError(err).Fatal("unable to migrate step 12")
 	err = migration.Migrate(ctx, eventstoreClient, steps.s13FixQuotaProjection)
 	logging.OnError(err).Fatal("unable to migrate step 13")
 	for _, repeatableStep := range repeatableSteps {
 		err = migration.Migrate(ctx, eventstoreClient, repeatableStep)
--- a/console/src/app/modules/header/header.component.html
+++ b/console/src/app/modules/header/header.component.html
@@ -195,7 +195,7 @@
      </a>
    </div>
-    <ng-container *ngIf="user">
+    <ng-container *ngIf="user && user.id">
      <div class="account-card-wrapper">
        <button
          cdkOverlayOrigin
--- a/console/src/app/modules/settings-list/settings-list.component.html
+++ b/console/src/app/modules/settings-list/settings-list.component.html
@@ -18,7 +18,7 @@
  <ng-container *ngIf="currentSetting === 'login'">
    <cnsl-login-policy [serviceType]="serviceType"></cnsl-login-policy>
  </ng-container>
-  <ng-container *ngIf="currentSetting === 'domain'">
+  <ng-container *ngIf="currentSetting === 'domain' && (['iam.policy.write'] | hasRole | async) === true">
    <cnsl-domain-policy [serviceType]="serviceType"></cnsl-domain-policy>
  </ng-container>
  <ng-container *ngIf="currentSetting === 'idp'">
--- a/console/src/app/modules/settings-list/settings.ts
+++ b/console/src/app/modules/settings-list/settings.ts
@@ -48,8 +48,8 @@ export const DOMAIN: SidenavSetting = {
  i18nKey: 'SETTINGS.LIST.DOMAIN',
  groupI18nKey: 'SETTINGS.GROUPS.DOMAIN',
  requiredRoles: {
-    [PolicyComponentServiceType.MGMT]: ['policy.read'],
+    [PolicyComponentServiceType.MGMT]: ['iam.policy.write'],
-    [PolicyComponentServiceType.ADMIN]: ['iam.policy.read'],
+    [PolicyComponentServiceType.ADMIN]: ['iam.policy.write'],
  },
 };
--- a/console/src/app/modules/sidenav/sidenav.component.html
+++ b/console/src/app/modules/sidenav/sidenav.component.html
@@ -28,11 +28,6 @@
          <button
            (click)="value = setting.id"
            *ngIf="
              !setting.requiredRoles ||
              (setting.requiredRoles.mgmt && (setting.requiredRoles.mgmt | hasRole | async)) ||
              (setting.requiredRoles.admin && (setting.requiredRoles.admin | hasRole | async))
            "
            class="sidenav-setting-list-element hide-on-mobile"
            [ngClass]="{ active: currentSetting === setting.id, show: currentSetting === undefined }"
            [attr.data-e2e]="'sidenav-element-' + setting.id"
--- a/console/src/app/pages/domains/domains.component.html
+++ b/console/src/app/pages/domains/domains.component.html
@@ -48,7 +48,7 @@
        <button
          mat-icon-button
          [disabled]="(canwrite$ | async) === false || domain.isVerified"
-          *ngIf="canwrite$ | async"
+          *ngIf="(canwrite$ | async) && verifyOrgDomains"
          (click)="verifyDomain(domain)"
        >
          <i class="las la-pen"></i>
--- a/console/src/app/pages/domains/domains.component.ts
+++ b/console/src/app/pages/domains/domains.component.ts
@@ -19,6 +19,7 @@ export class DomainsComponent implements OnInit {
  public domains: Domain.AsObject[] = [];
  public primaryDomain: string = '';
  public InfoSectionType: any = InfoSectionType;
  public verifyOrgDomains: boolean | undefined;
  constructor(
    private mgmtService: ManagementService,
@@ -38,6 +39,10 @@ export class DomainsComponent implements OnInit {
  }
  public loadDomains(): void {
    this.mgmtService.getDomainPolicy().then((result) => {
      this.verifyOrgDomains = result.policy?.validateOrgDomains;
    });
    this.mgmtService.listOrgDomains().then((result) => {
      this.domains = result.resultList;
      this.primaryDomain = this.domains.find((domain) => domain.isPrimary)?.domainName ?? '';
@@ -68,13 +73,14 @@ export class DomainsComponent implements OnInit {
          .addOrgDomain(domainName)
          .then(() => {
            this.toast.showInfo('ORG.TOAST.DOMAINADDED', true);
-            this.verifyDomain({
+            if (this.verifyOrgDomains) {
-              domainName: domainName,
+              this.verifyDomain({
-              validationType: DomainValidationType.DOMAIN_VALIDATION_TYPE_UNSPECIFIED,
+                domainName: domainName,
-            });
+                validationType: DomainValidationType.DOMAIN_VALIDATION_TYPE_UNSPECIFIED,
-            setTimeout(() => {
+              });
            } else {
              this.loadDomains();
-            }, 1000);
+            }
          })
          .catch((error) => {
            this.toast.showError(error);
@@ -120,10 +126,8 @@ export class DomainsComponent implements OnInit {
      width: '500px',
    });
-    dialogRef.afterClosed().subscribe((reload: boolean) => {
+    dialogRef.afterClosed().subscribe(() => {
-      if (reload) {
+      this.loadDomains();
        this.loadDomains();
      }
    });
  }
 }
--- a/console/src/app/pages/instance-settings/instance-settings.component.ts
+++ b/console/src/app/pages/instance-settings/instance-settings.component.ts
@@ -1,10 +1,11 @@
-import { Component, OnDestroy } from '@angular/core';
+import { Component, OnDestroy, OnInit } from '@angular/core';
 import { ActivatedRoute, Params } from '@angular/router';
 import { Subject, takeUntil } from 'rxjs';
 import { PolicyComponentServiceType } from 'src/app/modules/policies/policy-component-types.enum';
 import { SidenavSetting } from 'src/app/modules/sidenav/sidenav.component';
 import { Breadcrumb, BreadcrumbService, BreadcrumbType } from 'src/app/services/breadcrumb.service';
 import { GrpcAuthService } from 'src/app/services/grpc-auth.service';
 import {
  BRANDING,
  COMPLEXITY,
@@ -21,16 +22,17 @@ import {
  SECRETS,
  SECURITY,
 } from '../../modules/settings-list/settings';
 import { checkSettingsPermissions } from '../org-settings/org-settings.component';
@Component({
  selector: 'cnsl-instance-settings',
  templateUrl: './instance-settings.component.html',
  styleUrls: ['./instance-settings.component.scss'],
 })
-export class InstanceSettingsComponent implements OnDestroy {
+export class InstanceSettingsComponent implements OnInit, OnDestroy {
  public id: string = '';
  public PolicyComponentServiceType: any = PolicyComponentServiceType;
-  public settingsList: SidenavSetting[] = [
+  public defaultSettingsList: SidenavSetting[] = [
    GENERAL,
    // notifications
    // { showWarn: true, ...NOTIFICATIONS },
@@ -53,8 +55,10 @@ export class InstanceSettingsComponent implements OnDestroy {
    SECURITY,
  ];
  public settingsList: SidenavSetting[] = [];
  private destroy$: Subject<void> = new Subject();
-  constructor(breadcrumbService: BreadcrumbService, activatedRoute: ActivatedRoute) {
+  constructor(breadcrumbService: BreadcrumbService, activatedRoute: ActivatedRoute, public authService: GrpcAuthService) {
    const breadcrumbs = [
      new Breadcrumb({
        type: BreadcrumbType.INSTANCE,
@@ -72,6 +76,16 @@ export class InstanceSettingsComponent implements OnDestroy {
    });
  }
  ngOnInit(): void {
    checkSettingsPermissions(this.defaultSettingsList, PolicyComponentServiceType.ADMIN, this.authService).subscribe(
      (allowed) => {
        this.settingsList = this.defaultSettingsList.filter((setting, index) => {
          return allowed[index];
        });
      },
    );
  }
  ngOnDestroy(): void {
    this.destroy$.next();
    this.destroy$.complete();
--- a/console/src/app/pages/org-settings/org-settings.component.ts
+++ b/console/src/app/pages/org-settings/org-settings.component.ts
@@ -1,10 +1,11 @@
-import { Component } from '@angular/core';
+import { Component, OnInit } from '@angular/core';
 import { ActivatedRoute, Params } from '@angular/router';
-import { take } from 'rxjs';
+import { forkJoin, of, take } from 'rxjs';
 import { PolicyComponentServiceType } from 'src/app/modules/policies/policy-component-types.enum';
 import { SidenavSetting } from 'src/app/modules/sidenav/sidenav.component';
 import { Breadcrumb, BreadcrumbService, BreadcrumbType } from 'src/app/services/breadcrumb.service';
 import { GrpcAuthService } from 'src/app/services/grpc-auth.service';
 import {
  BRANDING,
  COMPLEXITY,
@@ -23,10 +24,11 @@ import {
  templateUrl: './org-settings.component.html',
  styleUrls: ['./org-settings.component.scss'],
 })
-export class OrgSettingsComponent {
+export class OrgSettingsComponent implements OnInit {
  public id: string = '';
  public PolicyComponentServiceType: any = PolicyComponentServiceType;
-  public settingsList: SidenavSetting[] = [
+
  private defaultSettingsList: SidenavSetting[] = [
    LOGIN,
    IDP,
    COMPLEXITY,
@@ -39,7 +41,9 @@ export class OrgSettingsComponent {
    PRIVACYPOLICY,
  ];
-  constructor(breadcrumbService: BreadcrumbService, activatedRoute: ActivatedRoute) {
+  public settingsList: SidenavSetting[] = [];
  constructor(breadcrumbService: BreadcrumbService, activatedRoute: ActivatedRoute, public authService: GrpcAuthService) {
    const breadcrumbs = [
      new Breadcrumb({
        type: BreadcrumbType.ORG,
@@ -55,4 +59,42 @@ export class OrgSettingsComponent {
      }
    });
  }
  ngOnInit(): void {
    checkSettingsPermissions(this.defaultSettingsList, PolicyComponentServiceType.MGMT, this.authService).subscribe(
      (allowed) => {
        this.settingsList = this.defaultSettingsList.filter((setting, index) => {
          return allowed[index];
        });
      },
    );
  }
 }
 // Return a Observables<boolean>[] that will wait till all service calls are finished to then check if user is allowed to see a setting
 export function checkSettingsPermissions(settings: SidenavSetting[], serviceType: string, authService: GrpcAuthService) {
  return forkJoin(
    settings
      .filter((setting) => {
        if (serviceType === PolicyComponentServiceType.ADMIN) {
          return setting.requiredRoles && setting.requiredRoles.admin;
        } else {
          return setting.requiredRoles && setting.requiredRoles.mgmt;
        }
      })
      .map((setting) => {
        if (!setting.requiredRoles) {
          return of(true);
        }
        if (!setting.requiredRoles.mgmt) {
          return of(true);
        }
        if (setting.requiredRoles.mgmt) {
          return authService.isAllowed(setting.requiredRoles.mgmt).pipe(take(1));
        }
        return of(false);
      }),
  );
 }
--- a/console/src/app/pages/users/user-detail/user-detail/user-detail.component.html
+++ b/console/src/app/pages/users/user-detail/user-detail/user-detail.component.html
@@ -78,7 +78,7 @@
        <ng-container *ngIf="currentSetting === 'general'">
          <ng-template cnslHasRole [hasRole]="['user.read$', 'user.read:' + user.id]">
-            <cnsl-card *ngIf="user.human" title="{{ 'USER.PROFILE.TITLE' | translate }}">
+            <cnsl-card *ngIf="user.human" title="{{ user.preferredLoginName }} - {{ 'USER.PROFILE.TITLE' | translate }}">
              <cnsl-detail-form
                [preferredLoginName]="user.preferredLoginName"
                [disabled]="(canWrite$ | async) === false"
--- a/console/src/app/pages/users/user-list/user-table/user-table.component.html
+++ b/console/src/app/pages/users/user-list/user-table/user-table.component.html
@@ -124,6 +124,20 @@
        </td>
      </ng-container>
      <ng-container matColumnDef="preferredLoginName">
        <th
          mat-header-cell
          *matHeaderCellDef
          mat-sort-header
          [ngClass]="{ 'search-active': this.userSearchKey === UserListSearchKey.DISPLAY_NAME }"
        >
          {{ 'USER.PROFILE.PREFERREDLOGINNAME' | translate }}
        </th>
        <td mat-cell *matCellDef="let user" [routerLink]="user.id ? ['/users', user.id] : null">
          <span *ngIf="user.human">{{ user.preferredLoginName }}</span>
        </td>
      </ng-container>
      <ng-container matColumnDef="username">
        <th
          mat-header-cell
--- a/console/src/app/pages/users/user-list/user-table/user-table.component.ts
+++ b/console/src/app/pages/users/user-list/user-table/user-table.component.ts
@@ -51,7 +51,7 @@ export class UserTableComponent implements OnInit {
  @Input() public displayedColumnsHuman: string[] = [
    'select',
    'displayName',
-    'username',
+    'preferredLoginName',
    'email',
    'state',
    'creationDate',
@@ -194,6 +194,10 @@ export class UserTableComponent implements OnInit {
        case 'username':
          sortingField = UserFieldName.USER_FIELD_NAME_USER_NAME;
          break;
        case 'preferredLoginName':
          // TODO: replace with preferred username sorting once implemented
          sortingField = UserFieldName.USER_FIELD_NAME_USER_NAME;
          break;
        case 'email':
          sortingField = UserFieldName.USER_FIELD_NAME_EMAIL;
          break;
--- a/console/src/assets/i18n/bg.json
+++ b/console/src/assets/i18n/bg.json
@@ -489,6 +489,7 @@
      "LASTNAME": "Фамилия",
      "NICKNAME": "Псевдоним",
      "DISPLAYNAME": "Екранно име",
      "PREFERREDLOGINNAME": "Предпочитано име за вход",
      "PREFERRED_LANGUAGE": "език",
      "GENDER": "Пол",
      "PASSWORD": "Парола",
@@ -789,7 +790,7 @@
    },
    "PAGES": {
      "STATE": "Статус",
-      "DOMAINLIST": "Домейни"
+      "DOMAINLIST": "Лични домейни"
    },
    "STATE": {
      "0": "Неуточнено",
@@ -1344,7 +1345,7 @@
      "MAXAGEDAYS": "Максимална възраст в дни",
      "USERLOGINMUSTBEDOMAIN": "Добавяне на домейн на организация като суфикс към имената за вход",
      "USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Ако активирате тази настройка, всички имена за вход ще имат суфикс с домейна на организацията. ",
-      "VALIDATEORGDOMAINS": "Валидиране на организационни домейни",
+      "VALIDATEORGDOMAINS": "Верификация на домейна на организацията е необходима (DNS или HTTP предизвикателство)",
      "SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "SMTP адресът на изпращача съвпада с домейна на екземпляра",
      "ALLOWUSERNAMEPASSWORD": "Потребителско име Паролата е разрешена",
      "ALLOWEXTERNALIDP": "Допуска се външен IDP",
--- a/console/src/assets/i18n/de.json
+++ b/console/src/assets/i18n/de.json
@@ -495,6 +495,7 @@
      "LASTNAME": "Nachname",
      "NICKNAME": "Spitzname",
      "DISPLAYNAME": "Anzeigename",
      "PREFERREDLOGINNAME": "Bevorzugter Anmeldename",
      "PREFERRED_LANGUAGE": "Sprache",
      "GENDER": "Geschlecht",
      "PASSWORD": "Passwort",
@@ -795,7 +796,7 @@
    },
    "PAGES": {
      "STATE": "Status",
-      "DOMAINLIST": "Domains"
+      "DOMAINLIST": "Custom Domains"
    },
    "STATE": {
      "0": "Unspezifisch",
@@ -953,15 +954,15 @@
    "DOMAINS": {
      "NEW": "Domain hinzufügen",
      "TITLE": "Domänen",
-      "DESCRIPTION": "Konfiguriere die Domains, mit denen sich Deine Benutzer anmelden können.",
+      "DESCRIPTION": "Konfiguriere die Domains, die für Domain discovery und als Suffix für die Benutzer verwendet werden können.",
      "SETPRIMARY": "Primäre Domain setzen",
      "DELETE": {
        "TITLE": "Domain löschen?",
-        "DESCRIPTION": "Du bist im Begriff, eine Domain aus Deiner Organisation zu löschen. Deine Benutzer können diese nach dem Löschen nicht mehr für den Login nutzen."
+        "DESCRIPTION": "Du bist im Begriff, eine Domain aus deiner Organisation zu löschen."
      },
      "ADD": {
        "TITLE": "Domain hinzufügen",
-        "DESCRIPTION": "Du bist im Begriff, Deiner Organisation eine Domain hinzuzufügen. Deine Benutzer können diese nach der erfolgreichen Ausführung für den Login nutzen."
+        "DESCRIPTION": "Du bist im Begriff, Deiner Organisation eine Domain hinzuzufügen. Die Domain kann für Domain discovery genutzt werden und als Suffix für deine Benutzernamen."
      }
    },
    "STATE": {
@@ -1350,7 +1351,7 @@
      "MAXAGEDAYS": "Maximale Gültigkeit in Tagen",
      "USERLOGINMUSTBEDOMAIN": "Organisationsdomain dem Loginname hinzufügen",
      "USERLOGINMUSTBEDOMAIN_DESCRIPTION": "If you enable this setting, all loginnames will be suffixed with the organization domain. If this settings is disabled, you have to ensure that usernames are unique over all organizations.",
-      "VALIDATEORGDOMAINS": "Org Domains validieren",
+      "VALIDATEORGDOMAINS": "Verifizierung des Organisations Domain erforderlich (DNS- oder HTTP-Herausforderung)",
      "SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "SMTP Sender Adresse entspricht Instanzdomain",
      "ALLOWUSERNAMEPASSWORD": "Benutzername Passwort erlaubt",
      "ALLOWEXTERNALIDP": "Externer IDP erlaubt",
--- a/console/src/assets/i18n/en.json
+++ b/console/src/assets/i18n/en.json
@@ -496,6 +496,7 @@
      "LASTNAME": "Family Name",
      "NICKNAME": "Nickname",
      "DISPLAYNAME": "Display Name",
      "PREFERREDLOGINNAME": "Preferred login name",
      "PREFERRED_LANGUAGE": "Language",
      "GENDER": "Gender",
      "PASSWORD": "Password",
@@ -796,7 +797,7 @@
    },
    "PAGES": {
      "STATE": "Status",
-      "DOMAINLIST": "Domains"
+      "DOMAINLIST": "Custom Domains"
    },
    "STATE": {
      "0": "Unspecified",
@@ -954,15 +955,15 @@
    "DOMAINS": {
      "NEW": "Add Domain",
      "TITLE": "Domains",
-      "DESCRIPTION": "Configure your domains. This domain can be used to log in with your users.",
+      "DESCRIPTION": "Configure your organization domains. This domain can be used for domain discovery and username suffixing.",
      "SETPRIMARY": "Set as Primary",
      "DELETE": {
        "TITLE": "Delete Domain",
-        "DESCRIPTION": "You are about to delete one of your domains. Note that your users can no longer use this domain for their login."
+        "DESCRIPTION": "You are about to delete one of your domains."
      },
      "ADD": {
        "TITLE": "Add Domain",
-        "DESCRIPTION": "You are about to add a domain for your organization. After successful process, you users will be able to use the domain for their login."
+        "DESCRIPTION": "You are about to add a domain for your organization. After successful process, the domain can be used for domain discovery and as suffix for your users."
      }
    },
    "STATE": {
@@ -1351,7 +1352,7 @@
      "MAXAGEDAYS": "Max Age in days",
      "USERLOGINMUSTBEDOMAIN": "Add organization domain as suffix to loginnames",
      "USERLOGINMUSTBEDOMAIN_DESCRIPTION": "If you enable this setting, all loginnames will be suffixed with the organization domain. If this settings is disabled, you have to ensure that usernames are unique over all organizations.",
-      "VALIDATEORGDOMAINS": "Validate Org domains",
+      "VALIDATEORGDOMAINS": "Organization domain verification required (DNS or HTTP challenge)",
      "SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "SMTP Sender Address matches Instance Domain",
      "ALLOWUSERNAMEPASSWORD": "Username Password allowed",
      "ALLOWEXTERNALIDP": "External IDP allowed",
--- a/console/src/assets/i18n/es.json
+++ b/console/src/assets/i18n/es.json
@@ -496,6 +496,7 @@
      "LASTNAME": "Apellidos",
      "NICKNAME": "Apodo",
      "DISPLAYNAME": "Nombre mostrado",
      "PREFERREDLOGINNAME": "Nombre de inicio de sesión preferido",
      "PREFERRED_LANGUAGE": "Idioma",
      "GENDER": "Género",
      "PASSWORD": "Contraseña",
@@ -796,7 +797,7 @@
    },
    "PAGES": {
      "STATE": "Estado",
-      "DOMAINLIST": "Dominios"
+      "DOMAINLIST": "Dominios personalizados"
    },
    "STATE": {
      "0": "No especificado",
@@ -1351,7 +1352,7 @@
      "MAXAGEDAYS": "Antigüedad máxima en días",
      "USERLOGINMUSTBEDOMAIN": "Añadir el dominio de la organización como sufijo de los nombres de inicio de sesión",
      "USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Si activas esta opción, todos los nombres de inicio de sesión tendrán como sufijo el dominio de esta organización. Si esta opción está desactivada, tendrás que asegurarte de que los nombres de usuario son únicos para todas las organizaciones.",
-      "VALIDATEORGDOMAINS": "Validar los dominios de la organización",
+      "VALIDATEORGDOMAINS": "Verificación de dominio de la organización requerida (desafío DNS o HTTP)",
      "SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "La dirección del remitente SMTP coincide con el dominio de la instancia",
      "ALLOWUSERNAMEPASSWORD": "Nombre de usuario y contraseña permitido",
      "ALLOWEXTERNALIDP": "Permitido IDP externo",
--- a/console/src/assets/i18n/fr.json
+++ b/console/src/assets/i18n/fr.json
@@ -495,6 +495,7 @@
      "LASTNAME": "Nom de famille",
      "NICKNAME": "Surnom",
      "DISPLAYNAME": "Nom d'affichage",
      "PREFERREDLOGINNAME": "Nom de connexion préféré",
      "PREFERRED_LANGUAGE": "Langue",
      "GENDER": "Sexe",
      "PASSWORD": "Mot de passe",
@@ -795,7 +796,7 @@
    },
    "PAGES": {
      "STATE": "Statut",
-      "DOMAINLIST": "Domaines"
+      "DOMAINLIST": "Domaines personnalisés"
    },
    "STATE": {
      "0": "Inconnu",
@@ -1350,7 +1351,7 @@
      "MAXAGEDAYS": "Âge maximum en jours",
      "USERLOGINMUSTBEDOMAIN": "Le nom de connexion de l'utilisateur doit contenir le nom de domaine de l'organisation",
      "USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Si vous activez ce paramètre, tous les noms de connexion seront suffixés avec le domaine de l'organisation. Si ce paramètre est désactivé, vous devez vous assurer que les noms d'utilisateur sont uniques pour toutes les organisations.",
-      "VALIDATEORGDOMAINS": "Valider les domaines d'Org",
+      "VALIDATEORGDOMAINS": "Vérification du domaine de l'organisation requise (challenge DNS ou HTTP)",
      "SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "L'adresse de l'expéditeur SMTP correspond au domaine de l'instance",
      "ALLOWUSERNAMEPASSWORD": "Nom d'utilisateur Mot de passe autorisé",
      "ALLOWEXTERNALIDP": "IDP externe autorisé",
--- a/console/src/assets/i18n/it.json
+++ b/console/src/assets/i18n/it.json
@@ -494,6 +494,7 @@
      "LASTNAME": "Cognome",
      "NICKNAME": "Soprannome",
      "DISPLAYNAME": "DisplayName",
      "PREFERREDLOGINNAME": "Nome di accesso preferito",
      "PREFERRED_LANGUAGE": "Lingua",
      "GENDER": "Genere",
      "PASSWORD": "Password",
@@ -794,7 +795,7 @@
    },
    "PAGES": {
      "STATE": "Stato",
-      "DOMAINLIST": "Domini"
+      "DOMAINLIST": "Domini personalizzati"
    },
    "STATE": {
      "0": "Non specifico",
@@ -1350,7 +1351,7 @@
      "MAXAGEDAYS": "Lunghezza massima in giorni",
      "USERLOGINMUSTBEDOMAIN": "Nome utente deve contenere il dominio dell' organizzazione",
      "USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Se abiliti questa impostazione, a tutti i nomi di accesso verrà aggiunto il suffisso del dominio dell'organizzazione. Se questa impostazione è disabilitata, devi assicurarti che i nomi utente siano univoci per tutte le organizzazioni.",
-      "VALIDATEORGDOMAINS": "Verifica domini dell' organizzazione",
+      "VALIDATEORGDOMAINS": "Verifica del dominio dell'organizzazione richiesta (challenge DNS o HTTP)",
      "SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "L'indirizzo mittente SMTP corrisponde al dominio dell'istanza",
      "ALLOWUSERNAMEPASSWORD": "Autenticazione classica con password consentita",
      "ALLOWEXTERNALIDP": "IDP esterno consentito",
--- a/console/src/assets/i18n/ja.json
+++ b/console/src/assets/i18n/ja.json
@@ -496,6 +496,7 @@
      "LASTNAME": "姓",
      "NICKNAME": "ニックネーム",
      "DISPLAYNAME": "表示名",
      "PREFERREDLOGINNAME": "優先ログイン名",
      "PREFERRED_LANGUAGE": "言語",
      "GENDER": "性別",
      "PASSWORD": "パスワード",
@@ -796,7 +797,7 @@
    },
    "PAGES": {
      "STATE": "ステータス",
-      "DOMAINLIST": "ドメイン"
+      "DOMAINLIST": "カスタムドメイン"
    },
    "STATE": {
      "0": "未定義",
@@ -1346,7 +1347,7 @@
      "MAXAGEDAYS": "最大有効期限",
      "USERLOGINMUSTBEDOMAIN": "ログイン名の接尾辞として組織ドメインを追加する",
      "USERLOGINMUSTBEDOMAIN_DESCRIPTION": "この設定を有効にすると、すべてのログイン名が組織ドメインで接尾辞が付けられます。この設定が無効になっている場合、ユーザー名がすべての組織で一意であることを確認する必要があります。",
-      "VALIDATEORGDOMAINS": "組織ドメインを認証する",
+      "VALIDATEORGDOMAINS": "組織のドメイン検証が必要です (DNSまたはHTTPチャレンジ)",
      "SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "SMTP送信者アドレスはインスタンスドメインに一致しています",
      "ALLOWUSERNAMEPASSWORD": "ユーザー名とパスワードを許可",
      "ALLOWEXTERNALIDP": "外部IDPを許可",
--- a/console/src/assets/i18n/mk.json
+++ b/console/src/assets/i18n/mk.json
@@ -496,6 +496,7 @@
      "LASTNAME": "Презиме",
      "NICKNAME": "Прекар",
      "DISPLAYNAME": "Име за приказ",
      "PREFERREDLOGINNAME": "Претпочитано име за најава",
      "PREFERRED_LANGUAGE": "Јазик",
      "GENDER": "Пол",
      "PASSWORD": "Лозинка",
@@ -796,7 +797,7 @@
    },
    "PAGES": {
      "STATE": "Статус",
-      "DOMAINLIST": "Домени"
+      "DOMAINLIST": "Прилагодени домени"
    },
    "STATE": {
      "0": "Ненаведено",
@@ -1352,7 +1353,7 @@
      "MAXAGEDAYS": "Максимална возраст во денови",
      "USERLOGINMUSTBEDOMAIN": "Додади организациски домен како суфикс на корисничките имиња",
      "USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Ако го овозможите ова подесување, сите кориснички имиња ќе имаат суфикс на организацискиот домен. Доколку ова подесување е оневозможено, морате да се осигурате дека корисничките имиња се уникатни низ сите организации.",
-      "VALIDATEORGDOMAINS": "Валидирај организациски домени",
+      "VALIDATEORGDOMAINS": "Потврда на доменот на организацијата е неопходна (DNS или HTTP предизвик)",
      "SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "SMTP адресата на испраќачот се поклопува со доменот на инстанцата",
      "ALLOWUSERNAMEPASSWORD": "Дозволено корисничко име и лозинка",
      "ALLOWEXTERNALIDP": "Дозволен надворешен IDP",
--- a/console/src/assets/i18n/pl.json
+++ b/console/src/assets/i18n/pl.json
@@ -495,6 +495,7 @@
      "LASTNAME": "Nazwisko",
      "NICKNAME": "Przezwisko",
      "DISPLAYNAME": "Nazwa wyświetlana",
      "PREFERREDLOGINNAME": "Preferowana nazwa logowania",
      "PREFERRED_LANGUAGE": "Język",
      "GENDER": "Płeć",
      "PASSWORD": "Hasło",
@@ -795,7 +796,7 @@
    },
    "PAGES": {
      "STATE": "Status",
-      "DOMAINLIST": "Domeny"
+      "DOMAINLIST": "Własne domeny"
    },
    "STATE": {
      "0": "Nieokreślony",
@@ -1350,7 +1351,7 @@
      "MAXAGEDAYS": "Maksymalny wiek w dniach",
      "USERLOGINMUSTBEDOMAIN": "Dodaj domenę organizacji jako przyrostek do nazw logowania",
      "USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Jeśli włączysz to ustawienie, wszystkie nazwy logowania będą miały przyrostek z domeną organizacji. Jeśli to ustawienie jest wyłączone, musisz zapewnić unikalność nazw użytkowników we wszystkich organizacjach.",
-      "VALIDATEORGDOMAINS": "Sprawdzanie ważności domen organizacji",
+      "VALIDATEORGDOMAINS": "Weryfikacja domeny organizacji jest wymagana (wyzwanie DNS lub HTTP)",
      "SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "Adres nadawcy SMTP pasuje do domeny instancji",
      "ALLOWUSERNAMEPASSWORD": "Zezwól na użycie nazwy użytkownika i hasła",
      "ALLOWEXTERNALIDP": "Zezwól na zewnętrznego dostawcę tożsamości",
--- a/console/src/assets/i18n/pt.json
+++ b/console/src/assets/i18n/pt.json
@@ -496,6 +496,7 @@
      "LASTNAME": "Sobrenome",
      "NICKNAME": "Apelido",
      "DISPLAYNAME": "Nome de Exibição",
      "PREFERREDLOGINNAME": "Nome de login preferido",
      "PREFERRED_LANGUAGE": "Idioma",
      "GENDER": "Gênero",
      "SENHA": "Senha",
@@ -796,7 +797,7 @@
    },
    "PAGES": {
      "STATE": "Status",
-      "DOMAINLIST": "Domínios"
+      "DOMAINLIST": "Domínios personalizados"
    },
    "STATE": {
      "0": "Não especificado",
@@ -1352,7 +1353,7 @@
      "MAXAGEDAYS": "Idade máxima em dias",
      "USERLOGINMUSTBEDOMAIN": "Adicionar domínio da organização como sufixo aos nomes de login",
      "USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Se você habilitar essa configuração, todos os nomes de login serão sufixados com o domínio da organização. Se essa configuração estiver desabilitada, você deve garantir que os nomes de usuário sejam exclusivos em todas as organizações.",
-      "VALIDATEORGDOMAINS": "Validar domínios da organização",
+      "VALIDATEORGDOMAINS": "Verificação de domínio da organização necessária (desafio DNS ou HTTP)",
      "SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "O endereço do remetente do SMTP corresponde ao domínio da Instância",
      "ALLOWUSERNAMEPASSWORD": "Permitir usuário e senha",
      "ALLOWEXTERNALIDP": "Permitir provedor de ID externo",
--- a/console/src/assets/i18n/zh.json
+++ b/console/src/assets/i18n/zh.json
@@ -495,6 +495,7 @@
      "LASTNAME": "姓",
      "NICKNAME": "昵称",
      "DISPLAYNAME": "展示名称",
      "PREFERREDLOGINNAME": "首选登录名",
      "PREFERRED_LANGUAGE": "语言",
      "GENDER": "性别",
      "PASSWORD": "密码",
@@ -795,7 +796,7 @@
    },
    "PAGES": {
      "STATE": "状态",
-      "DOMAINLIST": "域名"
+      "DOMAINLIST": "自定义域名"
    },
    "STATE": {
      "0": "未指定",
@@ -1349,7 +1350,7 @@
      "MAXAGEDAYS": "Max Age in days",
      "USERLOGINMUSTBEDOMAIN": "用户名必须包含组织域名",
      "USERLOGINMUSTBEDOMAIN_DESCRIPTION": "如果启用此设置，所有登录名都将以组织域为后缀。如果禁用此设置，您必须确保用户名在所有组织中都是唯一的。",
-      "VALIDATEORGDOMAINS": "验证组织域名",
+      "VALIDATEORGDOMAINS": "组织域名验证需要 (DNS 或 HTTP 挑战)",
      "SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "SMTP 发件人地址与实例域名匹配",
      "ALLOWUSERNAMEPASSWORD": "允许用户名密码",
      "ALLOWEXTERNALIDP": "允许外部身份提供者",
--- a/docs/docs/apis/introduction.mdx
+++ b/docs/docs/apis/introduction.mdx
@@ -1,5 +1,5 @@
 ---
-title: API Reference Overview
+title: ZITADEL API Reference Overview
 sidebar_label: Overview
 ---
--- a/docs/docs/apis/observability/health.md
+++ b/docs/docs/apis/observability/health.md
@@ -1,5 +1,6 @@
 ---
-title: Ready / Healthy
+title: ZITADEL Ready and Health Enpoints
 sidebar_label: Ready and Health Enpoints
 ---
 ZITADEL exposes a `Ready`- and `Healthy` endpoint to allow external systems like load balancers, orchestration systems, uptime probes and others to check the status.
--- a/docs/docs/apis/observability/metrics.md
+++ b/docs/docs/apis/observability/metrics.md
@@ -1,5 +1,6 @@
 ---
-title: Metrics
+title: ZITADEL Metrics
 sidebar_label: Metrics
 ---
 ZITADEL provides a `metrics` endpoint with the help of the [opentelemetry-go](https://github.com/open-telemetry/opentelemetry-go) package.
--- a/docs/docs/apis/openidoauth/authn-methods.md
+++ b/docs/docs/apis/openidoauth/authn-methods.md
@@ -1,5 +1,6 @@
 ---
-title: Authentication Methods
+title: Authentication Methods in ZITADEL
 sidebar_label: Authentication Methods
 ---
 ## Client Secret Basic
@@ -45,7 +46,7 @@ JWT
 | Claim | Example                    | Description                                                                                                     |
 |:------|:---------------------------|:----------------------------------------------------------------------------------------------------------------|
-| aud   | `"https://{your_domain}"`  | String or Array of intended audiences MUST include ZITADEL's issuing domain                                     |
+| aud   | `"https://$CUSTOM-DOMAIN"`  | String or Array of intended audiences MUST include ZITADEL's issuing domain                                     |
 | exp   | `1605183582`               | Unix timestamp of the expiry                                                                                    |
 | iat   | `1605179982`               | Unix timestamp of the creation singing time of the JWT, MUST NOT be older than 1h                               |
 | iss   | `"78366401571920522@acme"` | String which represents the requesting party (owner of the key), normally the `clientID` from the json key file |
@@ -55,7 +56,7 @@ JWT
 {
 	"iss": "78366401571920522@acme",
 	"sub": "78366401571920522@acme",
-	"aud": "https://{your_domain}",
+	"aud": "https://$CUSTOM-DOMAIN",
 	"exp": 1605183582,
 	"iat": 1605179982
 }
--- a/docs/docs/apis/openidoauth/authrequest.mdx
+++ b/docs/docs/apis/openidoauth/authrequest.mdx
@@ -1,5 +1,5 @@
 ---
-title: OIDC Authentication Request Playground
+title: ZITADEL OIDC Authentication Request Playground
 sidebar_label: OIDC Playground
 ---
--- a/docs/docs/apis/openidoauth/claims.md
+++ b/docs/docs/apis/openidoauth/claims.md
@@ -1,5 +1,6 @@
 ---
-title: Claims
+title: Claims in ZITADEL
 sidebar_label: Claims
 ---
 ZITADEL asserts claims on different places according to the corresponding specifications or project and clients settings.
@@ -42,7 +43,7 @@ Please check below the matrix for an overview where which scope is asserted.
 | Claims             | Example                                  | Description                                                                                                                                            |
 |:-------------------|:-----------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------|
 | acr                | TBA                                      | TBA                                                                                                                                                    |
-| address            | `Lerchenfeldstrasse 3, 9014 St. Gallen`   | TBA                                                                                                                                                    |
+| address            | `Lerchenfeldstrasse 3, 9014 St. Gallen`  | TBA                                                                                                                                                    |
 | amr                | `pwd mfa`                                | Authentication Method References as defined in [RFC8176](https://tools.ietf.org/html/rfc8176) <br/> `password` value is deprecated, please check `pwd` |
 | aud                | `69234237810729019`                      | The audience of the token, by default all client id's and the project id are included                                                                  |
 | auth_time          | `1311280969`                             | Unix time of the authentication                                                                                                                        |
@@ -54,7 +55,7 @@ Please check below the matrix for an overview where which scope is asserted.
 | gender             | `other`                                  | Gender of the subject                                                                                                                                  |
 | given_name         | `Road`                                   | Given name of the subject                                                                                                                              |
 | iat                | `1311280970`                             | Time of the token was issued at (as unix time)                                                                                                         |
-| iss                | `{your_domain}`                          | Issuing domain of a token                                                                                                                              |
+| iss                | `$CUSTOM-DOMAIN`                                      | Issuing domain of a token                                                                                                                              |
 | jti                | `69234237813329048`                      | Unique id of the token                                                                                                                                 |
 | locale             | `en`                                     | Language from the subject                                                                                                                              |
 | name               | `Road Runner`                            | The subjects full name                                                                                                                                 |
--- a/docs/docs/apis/openidoauth/endpoints.mdx
+++ b/docs/docs/apis/openidoauth/endpoints.mdx
@@ -1,5 +1,6 @@
 ---
-title: OpenID Connect Endpoints
+title: OpenID Connect Endpoints in ZITADEL
 sidebar_label: OpenID Connect Endpoints
 ---
 import Tabs from "@theme/Tabs";
--- a/docs/docs/apis/openidoauth/grant-types.md
+++ b/docs/docs/apis/openidoauth/grant-types.md
@@ -1,5 +1,6 @@
 ---
-title: Grant Types
+title: Grant Types in ZITADEL
 sidebar_label: Grant Types
 ---
 For a list of supported or unsupported `Grant Types` please have a look at the table below.
@@ -75,19 +76,19 @@ Key JSON
 JWT
-| Claim | Example                   | Description                                                                                                   |
+| Claim | Example                  | Description                                                                                                   |
-|:------|:--------------------------|:--------------------------------------------------------------------------------------------------------------|
+|:------|:-------------------------|:--------------------------------------------------------------------------------------------------------------|
-| aud   | `"https://{your_domain}"` | String or Array of intended audiences MUST include ZITADEL's issuing domain                                   |
+| aud   | `"https://$CUSTOM-DOMAIN"`            | String or Array of intended audiences MUST include ZITADEL's issuing domain                                   |
-| exp   | `1605183582`              | Unix timestamp of the expiry                                                                                  |
+| exp   | `1605183582`             | Unix timestamp of the expiry                                                                                  |
-| iat   | `1605179982`              | Unix timestamp of the creation singing time of the JWT, MUST NOT be older than 1h                             |
+| iat   | `1605179982`             | Unix timestamp of the creation singing time of the JWT, MUST NOT be older than 1h                             |
-| iss   | `"77479219772321307"`     | String which represents the requesting party (owner of the key), normally the `userId` from the json key file |
+| iss   | `"77479219772321307"`    | String which represents the requesting party (owner of the key), normally the `userId` from the json key file |
-| sub   | `"77479219772321307"`     | The subject ID of the service user, normally the `userId` from the json key file                              |
+| sub   | `"77479219772321307"`    | The subject ID of the service user, normally the `userId` from the json key file                              |
 ```JSON
 {
 	"iss": "77479219772321307",
 	"sub": "77479219772321307",
-	"aud": "https://{your_domain}",
+	"aud": "https://$CUSTOM-DOMAIN",
 	"exp": 1605183582,
 	"iat": 1605179982
 }
--- a/docs/docs/apis/openidoauth/scopes.md
+++ b/docs/docs/apis/openidoauth/scopes.md
@@ -1,5 +1,6 @@
 ---
-title: Scopes
+title: Scopes in ZITADEL
 sidebar_label: Scopes
 ---
 ZITADEL supports the usage of scopes as way of requesting information from the IAM and also instruct ZITADEL to do certain operations.
--- a/docs/docs/apis/saml/endpoints.md
+++ b/docs/docs/apis/saml/endpoints.md
@@ -1,10 +1,10 @@
 ---
-title: SAML endpoints
+title: SAML Endpoints in ZITADEL
 ---
 ## SAML 2.0 metadata
-The SAML Metadata is located within the issuer domain. This would give us {your_domain}/saml/v2/metadata.
+The SAML Metadata is located within the issuer domain. This would give us $CUSTOM-DOMAIN/saml/v2/metadata.
 This metadata contains all the information defined in the spec.
@@ -13,14 +13,14 @@ spec.** [Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0
 ## Certificate endpoint
-{your_domain}/saml/v2/certificate
+$CUSTOM-DOMAIN/saml/v2/certificate
 The certificate endpoint provides the certificate which is used to sign the responses for download, for easier use with
 different service providers which want the certificate separately instead of inside the metadata.
 ## SSO endpoint
-{your_domain}/saml/v2/SSO
+$CUSTOM-DOMAIN/saml/v2/SSO
 The SSO endpoint is the starting point for all initial user authentications. The user agent (browser) will be redirected
 to this endpoint to authenticate the user.
--- a/docs/docs/apis/statuscodes.mdx
+++ b/docs/docs/apis/statuscodes.mdx
@@ -1,5 +1,6 @@
 ---
-title: GRPC Status Codes
+title: GRPC Status Codes in ZITADEL
 sidebar_label: GRPC Status Codes
 ---
 | GRPC Number    | GRPC Code                 | HTTP Status Code | HTTP Status Text             |Description                                                                                                                           |
--- a/docs/docs/concepts/architecture/secrets.md
+++ b/docs/docs/concepts/architecture/secrets.md
@@ -1,5 +1,6 @@
 ---
-title: Secrets
+title: How ZITADEL Processes and Stores Secrets
 sidebar_label: Secrets
 ---
 In this chapter you can find information of how ZITADEL processes and stores secrets and credentials in a secure fashion. 
--- a/docs/docs/concepts/architecture/software.md
+++ b/docs/docs/concepts/architecture/software.md
@@ -1,5 +1,6 @@
 ---
-title: Software
+title: ZITADEL's Software Architecture
 sidebar_label: Software Architecture
 ---
 ZITADEL is built with two essential patterns. Event Sourcing (ES) and Command and Query Responsibility Segregation (CQRS). 
@@ -14,7 +15,7 @@ Each ZITADEL binary contains all components necessary to serve traffic
 From serving the API, rendering GUI's, background processing of events and task.
 This All in One (AiO) approach makes operating ZITADEL simple. 
-## Software Structure
+## The Architecture
 ZITADELs software architecture is built around multiple components at different levels.
 This chapter should give you an idea of the components as well as the different layers.
--- a/docs/docs/concepts/architecture/solution.md
+++ b/docs/docs/concepts/architecture/solution.md
@@ -1,5 +1,6 @@
 ---
-title: Deployment
+title: ZITADEL's Deployment Architecture
 sidebar_label: Deployment Architecture
 ---
 ## High Availability
--- a/docs/docs/concepts/eventstore/implementation.md
+++ b/docs/docs/concepts/eventstore/implementation.md
@@ -1,5 +1,6 @@
 ---
-title: Implementation
+title: ZITADEL Database Structure
 sidebar_label: Database Structure
 ---
 This documentation gives you an insight into the structure of the ZITADEL database.
--- a/docs/docs/concepts/eventstore/overview.md
+++ b/docs/docs/concepts/eventstore/overview.md
@@ -1,5 +1,5 @@
 ---
-title: Eventstore
+title: ZITADEL Event Store
 sidebar_label: Overview
 ---
--- a/docs/docs/concepts/features/actions.md
+++ b/docs/docs/concepts/features/actions.md
@@ -1,5 +1,6 @@
 ---
-title: Actions
+title: ZITADEL Actions
 sidebar_label: Actions
 ---
 By using ZITADEL actions, you can manipulate ZITADELs behavior on specific Events.
--- a/docs/docs/concepts/features/audit-trail.md
+++ b/docs/docs/concepts/features/audit-trail.md
@@ -1,5 +1,6 @@
 ---
-title: Audit Trail
+title: ZITADEL's In-built Audit Trail
 sidebar_label: Audit Trail
 ---
 ZITADEL provides you with an built-in audit trail to track all changes and events over an unlimited period of time.
@@ -26,7 +27,7 @@ The same view is available on several other objects such as organization or proj
 ### Event View
 Administrators can see all events across an instance and filter them directly in [Console](/docs/guides/manage/console/overview).
-Go to your instance settings and then click on the Tab **Events** to open the Event Viewer or browse to $YOUR_DOMAIN/ui/console/events  
+Go to your instance settings and then click on the Tab **Events** to open the Event Viewer or browse to $CUSTOM-DOMAIN/ui/console/events  
 ![Event viewer](/img/concepts/audit-trail/event-viewer.png)
--- a/docs/docs/concepts/features/identity-brokering.md
+++ b/docs/docs/concepts/features/identity-brokering.md
@@ -1,5 +1,6 @@
 ---
-title: Identity Brokering
+title: Identity Brokering in ZITADEL
 sidebar_label: Identity Brokering
 ---
 ## What are Identity Brokering and Federated Identities?
--- a/docs/docs/concepts/features/selfservice.md
+++ b/docs/docs/concepts/features/selfservice.md
@@ -1,5 +1,6 @@
 ---
-title: Self-Service
+title: Self Service in ZITADEL
 sidebar_label: Self Service
 ---
 ZITADEL allows users to perform many tasks themselves.
@@ -138,7 +139,7 @@ A client can also implement this, by calling the [specific endpoint](/apis/openi
 ## Profile
 These actions are available for authenticated users only.
-ZITADEL provides a self-service UI for the user profile out-of-the box under the path _{your_domain}/ui/console/users/me_.
+ZITADEL provides a self-service UI for the user profile out-of-the box under the path _$CUSTOM-DOMAIN/ui/console/users/me_.
 You can also implement your own version in your application by using our APIs.
 ### Change password
--- a/docs/docs/concepts/structure/applications.md
+++ b/docs/docs/concepts/structure/applications.md
@@ -1,5 +1,6 @@
 ---
-title: Applications
+title: ZITADEL Applications
 sidebar_label: Applications
 ---
 # Applications
--- a/docs/docs/concepts/structure/granted_projects.md
+++ b/docs/docs/concepts/structure/granted_projects.md
@@ -1,5 +1,6 @@
 ---
-title: Granted Projects
+title: ZITADEL's Granted Projects
 sidebar_label: Granted Projects
 ---
 # Granted Project
--- a/docs/docs/concepts/structure/instance.mdx
+++ b/docs/docs/concepts/structure/instance.mdx
@@ -1,5 +1,6 @@
 ---
-title: Instance
+title: ZITADEL Instances
 sidebar_label: Instances
 ---
 ## Instance Structure
--- a/docs/docs/concepts/structure/managers.mdx
+++ b/docs/docs/concepts/structure/managers.mdx
@@ -1,5 +1,6 @@
 ---
-title: Managers
+title: ZITADEL Managers
 sidebar_label: Managers
 ---
 import ManagerDescription from "./_manager_description.mdx";
--- a/docs/docs/concepts/structure/organizations.md
+++ b/docs/docs/concepts/structure/organizations.md
@@ -1,5 +1,6 @@
 ---
-title: Organizations
+title: ZITADEL Organizations
 sidebar_label: Organizations
 ---
 import OrgDescription from './_org_description.mdx';
--- a/docs/docs/concepts/structure/policies.md
+++ b/docs/docs/concepts/structure/policies.md
@@ -1,8 +1,9 @@
 ---
-title: Settings/Policies
+title: ZITADEL Settings and Policies
 sidebar_label: Setting and Policies
 ---
-Settings and policies are configurations of all the different parts of the Instance or an organization. For all parts we have a suitable default in the Instance.
+Settings and policies are configurations of all the different parts of the instance or an organization. For all parts we have a suitable default in the instance.
 The default configuration can be overridden for each organization, some policies are currently only available on the instance level. Learn more about our different policies [here](/guides/manage/console/instance-settings.mdx).
 API wise, settings are often called policies. You can read the proto and swagger definitions [here](../../apis/introduction.mdx).
--- a/docs/docs/concepts/structure/projects.md
+++ b/docs/docs/concepts/structure/projects.md
@@ -1,5 +1,6 @@
 ---
-title: Projects
+title: ZITADEL Projects
 sidebar_label: Projects
 ---
 # Project
--- a/docs/docs/concepts/structure/users.md
+++ b/docs/docs/concepts/structure/users.md
@@ -1,5 +1,6 @@
 ---
-title: Users
+title: ZITADEL Users
 sidebar_label: Users
 ---
 ## Types of users
--- a/docs/docs/examples/call-zitadel-api/dot-net.md
+++ b/docs/docs/examples/call-zitadel-api/dot-net.md
@@ -1,5 +1,6 @@
 ---
-title: .NET
+title: Integrate ZITADEL into a .NET Application
 sidebar_label: .NET
 ---
 This integration guide shows you how to integrate **ZITADEL** into your .NET application.
--- a/docs/docs/examples/call-zitadel-api/go.md
+++ b/docs/docs/examples/call-zitadel-api/go.md
@@ -1,5 +1,6 @@
 ---
-title: Go
+title: Integrate ZITADEL into a Go Application
 sidebar_label: Go
 ---
 This integration guide shows you how to integrate **ZITADEL** into your Go application.
--- a/docs/docs/examples/identity-proxy/oauth2-proxy.md
+++ b/docs/docs/examples/identity-proxy/oauth2-proxy.md
@@ -43,7 +43,7 @@ provider = "oidc"
 user_id_claim = "sub" #uses the subject as ID instead of the email
 provider_display_name = "ZITADEL"
 redirect_url = "http://127.0.0.1:4180/oauth2/callback"
-oidc_issuer_url = "https://{your_domain}.zitadel.cloud"
+oidc_issuer_url = "https://$CUSTOM-DOMAIN"
 upstreams = [
    "https://example.corp.com"
 ]
--- a/docs/docs/examples/introduction.mdx
+++ b/docs/docs/examples/introduction.mdx
@@ -1,5 +1,5 @@
 ---
-title: Overview of examples, quickstarts, and SDKs
+title: Overview of ZITADEL Examples, Quickstarts, and SDKs
 sidebar_label: Overview
 ---
--- a/docs/docs/examples/login/angular.md
+++ b/docs/docs/examples/login/angular.md
@@ -1,5 +1,6 @@
 ---
-title: Angular
+title: ZITADEL with Angular
 sidebar_label: Angular
 ---
 This integration guide demonstrates the recommended way to incorporate ZITADEL into your Angular application. 
--- a/docs/docs/examples/login/flutter.md
+++ b/docs/docs/examples/login/flutter.md
@@ -1,5 +1,7 @@
 ---
-title: Flutter
+title: ZITADEL with Flutter
 sidebar_label: Flutter
 ---
 This guide demonstrates how you integrate **ZITADEL** into a Flutter app. It refers to our example on [GitHub](https://github.com/zitadel/zitadel_flutter)
--- a/docs/docs/examples/login/nextjs-b2b.md
+++ b/docs/docs/examples/login/nextjs-b2b.md
@@ -1,8 +1,9 @@
 ---
-title: Next.js B2B Scenario
+title: ZITADEL with Next.js - A B2B Scenario
 sidebar_label: Next.js - B2B
 ---
-This is our Zitadel [Next.js](https://nextjs.org/) B2B template. It shows how to authenticate as a user with multiple organizations. The application shows your users roles on the selected organizations, other projects your organization is allowed to use and other users having a grant to use the application.
+This is our ZITADEL [Next.js](https://nextjs.org/) B2B template. It shows how to authenticate as a user with multiple organizations. The application shows your users roles on the selected organizations, other projects your organization is allowed to use and other users having a grant to use the application.
 If you need more info on B2B use cases consider reading our guide for the [B2B solution scenario](/guides/solution-scenarios/b2b.mdx).
--- a/docs/docs/examples/login/nextjs.md
+++ b/docs/docs/examples/login/nextjs.md
@@ -1,5 +1,6 @@
 ---
-title: Next.js
+title: ZITADEL with Next.js
 sidebar_label: Next.js
 ---
 This is our Zitadel [Next.js](https://nextjs.org/) template. It shows how to authenticate as a user and retrieve user information from the OIDC endpoint.
--- a/docs/docs/examples/login/react.mdx
+++ b/docs/docs/examples/login/react.mdx
@@ -1,5 +1,6 @@
 ---
-title: React
+title: ZITADEL with React
 sidebar_label: React
 ---
 This Integration guide shows you the recommended way to integrate **ZITADEL** into your React Application.
--- a/docs/docs/examples/sdks.md
+++ b/docs/docs/examples/sdks.md
@@ -1,5 +1,6 @@
 ---
-title: SDKs
+title: ZITADEL SDKs
 sidebar_label: SDKs
 ---
 On this page you find our official SDKs, links to supporting frameworks and providers, and resources to help with SDKs.
--- a/docs/docs/examples/secure-api/dot-net.md
+++ b/docs/docs/examples/secure-api/dot-net.md
@@ -1,4 +1,5 @@
 ---
-title: .NET
+title: ZITADEL with .NET
 sidebar_label: .NET
 ---
 Coming soon
--- a/docs/docs/examples/secure-api/go.md
+++ b/docs/docs/examples/secure-api/go.md
@@ -1,5 +1,6 @@
 ---
-title: Go
+title: ZITADEL with Go
 sidebar_label: Go
 ---
 This integration guide shows you how to integrate **ZITADEL** into your Go API. It demonstrates how to secure your API using
--- a/docs/docs/examples/secure-api/python-flask.mdx
+++ b/docs/docs/examples/secure-api/python-flask.mdx
@@ -1,5 +1,6 @@
 ---
-title: Python 
+title: ZITADEL with Python 
 sidebar_label: Python
 ---
 This example shows you how to secure a Python3 Flask API with both authentication and authorization using ZITADEL.
--- a/docs/docs/guides/integrate/access-zitadel-apis.md
+++ b/docs/docs/guides/integrate/access-zitadel-apis.md
@@ -44,7 +44,7 @@ Use the scope `urn:zitadel:iam:org:project:id:zitadel:aud` to include the ZITADE
 ```bash
 curl --request POST \
-  --url {your_domain}/oauth/v2/token \
+  --url $CUSTOM-DOMAIN/oauth/v2/token \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer \
  --data scope='openid profile email urn:zitadel:iam:org:project:id:zitadel:aud' \
--- a/docs/docs/guides/integrate/access-zitadel-system-api.md
+++ b/docs/docs/guides/integrate/access-zitadel-system-api.md
@@ -59,7 +59,7 @@ The JWT payload will need to contain the following claims:
 {
  "iss": "<userid>",
  "sub": "<userid>",
-  "aud": "<https://your_domain>",
+  "aud": "<https://$CUSTOM-DOMAIN>",
  "exp": <now+1h>,
  "iat": <now>
 }
@@ -95,7 +95,7 @@ Now that you configured ZITADEL and created a JWT, you can call the System API a
 ```bash
 curl --request POST \
-  --url {your_domain}/system/v1/instances/_search \
+  --url $CUSTOM-DOMAIN/system/v1/instances/_search \
  --header 'Authorization: Bearer {token}' \
  --header 'Content-Type: application/json'
 ```
--- a/docs/docs/guides/integrate/authenticated-mongodb-charts.md
+++ b/docs/docs/guides/integrate/authenticated-mongodb-charts.md
@@ -1,5 +1,6 @@
 ---
-title: Authenticated MongoDB Charts
+title: Embed Authenticated MongoDB Charts Using ZITADEL
 sidebar_label: Authenticated MongoDB Charts
 ---
 This integration guide shows how you can embed authenticated MongoDB Charts in your web application using ZITADEL as authentication provider.
@@ -28,7 +29,7 @@ Configure ZITADEL as your _Custom JWT Provider_ following the [MongoDB docs](htt
 Configure the following values:
 - Signing Algorithm: RS256
 - Signing Key: JWK or JWKS URL
- JWKS: https://{your_domain}.zitadel.cloud/oauth/v2/keys
+- JWKS: https://$CUSTOM-DOMAIN/oauth/v2/keys
 - Audience: Your app's client ID which you copied when you created the ZITADEL app
 Your configuration should look similar to this:
--- a/docs/docs/guides/integrate/client-credentials.md
+++ b/docs/docs/guides/integrate/client-credentials.md
@@ -41,7 +41,7 @@ You will need to craft a POST request to ZITADEL's token endpoint:
 ```bash
 curl --request POST \
-  --url https://{your_domain}.zitadel.cloud/oauth/v2/token \
+  --url https://$CUSTOM-DOMAIN/oauth/v2/token \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'Authorization: Basic ${BASIC_AUTH}' \
  --data grant_type=client_credentials \
@@ -72,7 +72,7 @@ In this example we read the organization of the service user.
 ```bash
 curl --request GET \
-  --url {your-domain}/management/v1/orgs/me \
+  --url $CUSTOM-DOMAIN/management/v1/orgs/me \
  --header 'Authorization: Bearer ${TOKEN}' 
 ```
--- a/docs/docs/guides/integrate/event-api.md
+++ b/docs/docs/guides/integrate/event-api.md
@@ -1,5 +1,6 @@
 ---
-title: Get events from ZITADEL
+title: Get Events from ZITADEL
 sidebar_label: Events
 ---
 ZITADEL leverages the power of eventsourcing, meaning every action and change within the system generates a corresponding event that is stored in the database. 
@@ -23,7 +24,7 @@ To further restrict your result you can add the following filters:
 ```bash
 curl --request POST \
-  --url $YOUR-DOMAIN/admin/v1/events/_search \
+  --url $CUSTOM-DOMAIN/admin/v1/events/_search \
  --header "Authorization: Bearer $TOKEN"
 ```
@@ -33,7 +34,7 @@ To be able to filter for the different event types ZITADEL knows, you can reques
 ```bash
 curl --request POST \
--url $YOUR-DOMAIN/admin/v1/events/types/_search \
+--url $CUSTOM-DOMAIN/admin/v1/events/types/_search \
 --header "Authorization: Bearer $TOKEN" \
 --header 'Content-Type: application/json' \
 '
@@ -69,7 +70,7 @@ To be able to filter for the different aggregate types (resources) ZITADEL knows
 ```bash
 curl --request POST \
-  --url $YOUR-DOMAIN/admin/v1/aggregates/types/_search \
+  --url $CUSTOM-DOMAIN/admin/v1/aggregates/types/_search \
  --header "Authorization: Bearer $TOKEN" \
  --header 'Content-Type: application/json'
 ```
@@ -100,7 +101,7 @@ This example shows you how to get all events from users, filtered with the creat
 ```bash
 curl --request POST \
-  --url $YOUR-DOMAIN/admin/v1/events/_search \
+  --url $CUSTOM-DOMAIN/admin/v1/events/_search \
  --header "Authorization: Bearer $TOKEN" \
  --header 'Content-Type: application/json' \
  --data '{
@@ -120,7 +121,7 @@ Also we include the refresh tokens in this example to know when the user has bec
 ```bash
 curl --request POST \
-  --url $YOUR-DOMAIN/admin/v1/events/_search \
+  --url $CUSTOM-DOMAIN/admin/v1/events/_search \
  --header "Authorization: Bearer $TOKEN" \
  --header 'Content-Type: application/json' \
  --data '{
@@ -146,7 +147,7 @@ In this case this are the following events:
 ```bash
 curl --request POST \
-  --url $YOUR-DOMAIN/admin/v1/events/_search \
+  --url $CUSTOM-DOMAIN/admin/v1/events/_search \
  --header "Authorization: Bearer $TOKEN" \
  --header 'Content-Type: application/json' \
  --data '{
--- a/docs/docs/guides/integrate/identity-providers/apple.mdx
+++ b/docs/docs/guides/integrate/identity-providers/apple.mdx
@@ -1,5 +1,5 @@
 ---
-title: Configure Apple as Identity Provider
+title: Configure Apple as an Identity Provider in ZITADEL
 sidebar_label: Apple
 ---
--- a/docs/docs/guides/integrate/identity-providers/azure-ad.mdx
+++ b/docs/docs/guides/integrate/identity-providers/azure-ad.mdx
@@ -1,5 +1,5 @@
 ---
-title: Configure Azure AD as Identity Provider
+title: Configure Azure AD as an Identity Provider in ZITADEL
 sidebar_label: Azure AD
 ---
--- a/docs/docs/guides/integrate/identity-providers/github.mdx
+++ b/docs/docs/guides/integrate/identity-providers/github.mdx
@@ -1,5 +1,5 @@
 ---
-title: Configure GitHub as Identity Provider
+title: Configure GitHub as an Identity Provider in ZITADEL
 sidebar_label: GitHub
 ---
--- a/docs/docs/guides/integrate/identity-providers/gitlab.mdx
+++ b/docs/docs/guides/integrate/identity-providers/gitlab.mdx
@@ -1,5 +1,5 @@
 ---
-title: Configure GitLab as Identity Provider
+title: Configure GitLab as an Identity Provider in ZITADEL
 sidebar_label: GitLab
 ---
--- a/docs/docs/guides/integrate/identity-providers/google.mdx
+++ b/docs/docs/guides/integrate/identity-providers/google.mdx
@@ -1,5 +1,5 @@
 ---
-title: Configure Google as Identity Provider
+title: Configure Google as an Identity Provider in ZITADEL
 sidebar_label: Google
 ---
--- a/docs/docs/guides/integrate/identity-providers/ldap.mdx
+++ b/docs/docs/guides/integrate/identity-providers/ldap.mdx
@@ -1,5 +1,5 @@
 ---
-title: Configure LDAP as Identity Provider
+title: Configure LDAP as an Identity Provider in ZITADEL
 sidebar_label: LDAP
 ---
--- a/docs/docs/guides/integrate/identity-providers/okta.mdx
+++ b/docs/docs/guides/integrate/identity-providers/okta.mdx
@@ -1,5 +1,5 @@
 ---
-title: Configure OKTA as Identity Provider
+title: Configure OKTA as an Identity Provider in ZITADEL
 sidebar_label: OKTA generic OIDC
 id: okta
 ---
--- a/docs/docs/guides/integrate/identity-providers/openldap.mdx
+++ b/docs/docs/guides/integrate/identity-providers/openldap.mdx
@@ -1,5 +1,5 @@
 ---
-title: Configure local OpenLDAP as Identity Provider
+title: Configure Local OpenLDAP as an Identity Provider in ZITADEL
 sidebar_label: Local OpenLDAP
 ---
--- a/docs/docs/guides/integrate/login-ui/external-login.mdx
+++ b/docs/docs/guides/integrate/login-ui/external-login.mdx
@@ -1,5 +1,5 @@
 ---
-title: Handle External Login
+title: Handle External Logins in ZITADEL
 sidebar_label: External Identity Provider
 ---
--- a/docs/docs/guides/integrate/login-ui/logout.mdx
+++ b/docs/docs/guides/integrate/login-ui/logout.mdx
@@ -1,5 +1,6 @@
 ---
-title: Logout
+title: Logging Out via ZITADEL
 sidebar_label: Logout
 ---
 import Logout from './_logout.mdx';
--- a/docs/docs/guides/integrate/login-ui/mfa.mdx
+++ b/docs/docs/guides/integrate/login-ui/mfa.mdx
@@ -1,6 +1,6 @@
 ---
-title: Multi-Factor (MFA)
+title: Multi-Factor Authentication(MFA) in ZITADEL
-sidebar_label: Multi-Factor (MFA)
+sidebar_label: Multi-Factor Authentication(MFA)
 ---
 import MfaOptions from './_list-mfa-options.mdx';
--- a/docs/docs/guides/integrate/login-ui/oidc-standard.mdx
+++ b/docs/docs/guides/integrate/login-ui/oidc-standard.mdx
@@ -1,5 +1,6 @@
 ---
-title: OIDC Standard
+title: Support for the OpenID Connect(OIDC) Standard in ZITADEL
 sidebar_label: OIDC Standard
 ---
 To build your own login ui for your own application it is not necessary to have the OIDC standard included or any additional work that has to be done.
--- a/docs/docs/guides/integrate/login-ui/passkey.mdx
+++ b/docs/docs/guides/integrate/login-ui/passkey.mdx
@@ -1,5 +1,5 @@
 ---
-title: Passkeys
+title: Passkeys in ZITADEL
 sidebar_label: Passkeys
 ---
--- a/docs/docs/guides/integrate/login-ui/password-reset.mdx
+++ b/docs/docs/guides/integrate/login-ui/password-reset.mdx
@@ -1,5 +1,6 @@
 ---
-title: Password Reset/Change
+title: Password Reset/Change in ZITADEL
 sidebar_label: Password Reset/Change 
 ---
 When your user is on the password screen and has forgotten his password you will probably want him to be able to reset by himself.
--- a/docs/docs/guides/integrate/login-ui/username-password.mdx
+++ b/docs/docs/guides/integrate/login-ui/username-password.mdx
@@ -1,5 +1,5 @@
 ---
-title: Register and Login User with Password
+title: Register and Login User with Password in ZITADEL
 sidebar_label: Username and Password
 ---
--- a/docs/docs/guides/integrate/login-users.mdx
+++ b/docs/docs/guides/integrate/login-users.mdx
@@ -1,5 +1,6 @@
 ---
-title: Login Users into your Application
+title: Login Users into your Application with ZITADEL
 sidebar_label: Login
 ---
 import Tabs from "@theme/Tabs";
--- a/docs/docs/guides/integrate/logout.md
+++ b/docs/docs/guides/integrate/logout.md
@@ -1,5 +1,6 @@
 ---
-title: Logout
+title: Log Out Users from an Application with ZITADEL
 sidebar_label: Logout
 ---
 This guide shows you the different concepts and use cases of the logout process and how to use it in ZITADEL.
@@ -36,7 +37,7 @@ If you have specified some post_logout_redirect_uris on your client you have to
 So ZITADEL is able to read the configured redirect uris.
 ```
-GET {your_domain}/oidc/v1/end_session
+GET $CUSTOM-DOMAIN/oidc/v1/end_session
    ?id_token_hint={id_token}
    &post_logout_redirect_uri=https://rp.example.com/logged_out
    &state=random_string
--- a/docs/docs/guides/integrate/oauth-recommended-flows.md
+++ b/docs/docs/guides/integrate/oauth-recommended-flows.md
@@ -1,5 +1,5 @@
 ---
-title: Recommended authorization flows
+title: Recommended Authorization Flows
 ---
 <table className="table-wrapper">
--- a/docs/docs/guides/integrate/pat.md
+++ b/docs/docs/guides/integrate/pat.md
@@ -1,5 +1,6 @@
 ---
-title: PAT (Personal Access Token)
+title: ZITADEL's Personal Access Tokens(PATs)
 sidebar_label: Personal Access Tokens(PATs)
 ---
@@ -40,6 +41,6 @@ In this example we read the organization of the service user.
 ```bash
 curl --request GET \
-  --url {your-domain}/management/v1/orgs/me \
+  --url $CUSTOM-DOMAIN/management/v1/orgs/me \
  --header 'Authorization: Bearer {PAT}' 
 ```
--- a/docs/docs/guides/integrate/private-key-jwt.md
+++ b/docs/docs/guides/integrate/private-key-jwt.md
@@ -1,5 +1,6 @@
 ---
-title: Private Key JWT
+title: Service Users in ZITADEL
 sidebar_label: Service Users
 ---
 This is a guide on how to create service users in ZITADEL. You can read more about users [here](/concepts/structure/users.md).
@@ -67,7 +68,7 @@ Payload
 {
    "iss": "100507859606888466",
    "sub": "100507859606888466",
-    "aud": "https://{your_domain}.zitadel.cloud",
+    "aud": "https://$CUSTOM-DOMAIN",
    "iat": [Current UTC timestamp, e.g. 1605179982, max. 1 hour ago],
    "exp": [UTC timestamp, e.g. 1605183582]
 }
@@ -89,7 +90,7 @@ With the encoded JWT from the prior step, you will need to craft a POST request
 ```bash
 curl --request POST \
-  --url https://{your_domain}.zitadel.cloud/oauth/v2/token \
+  --url https:/$CUSTOM-DOMAIN/oauth/v2/token \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer \
  --data scope='openid profile email' \
@@ -121,7 +122,7 @@ For this example let's call the userinfo endpoint to verify that our access toke
 ```bash
 curl --request POST \
-  --url https://{your_domain}.zitadel.cloud/oidc/v1/userinfo \
+  --url $CUSTOM-DOMAIN/oidc/v1/userinfo \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'Authorization: Bearer MtjHodGy4zxKylDOhg6kW90WeEQs2q...'
 ```
@@ -134,7 +135,7 @@ Content-Type: application/json
 {
  "name": "MyServiceUser",
-  "preferred_username": "service_user@{your_domain}.zitadel.cloud",
+  "preferred_username": "service_user@$CUSTOM-DOMAIN",
  "updated_at": 1616417938
 }
 ```
--- a/docs/docs/guides/integrate/retrieve-user-roles.md
+++ b/docs/docs/guides/integrate/retrieve-user-roles.md
@@ -1,5 +1,6 @@
 ---
-title: Retrieve user roles
+title: Retrieve User Roles in ZITADEL
 sidebar_label: Retrieve User Roles
 ---
 This guide explains all the possible ways of retrieving user roles across different organizations and projects using ZITADEL's APIs. 
@@ -82,7 +83,7 @@ Alternatively, you can include the claims `urn:iam:org:project:roles` or/and `ur
 ### Retrieve roles from the userinfo endpoint
-The user info endpoint is  **ZITADEL_DOMAIN/oidc/v1/userinfo**.
+The user info endpoint is  **$CUSTOM-DOMAIN/oidc/v1/userinfo**.
 This endpoint will return information about the authenticated user.
 Send the access token of the user as `Bearer Token` in the `Authorization` header:
@@ -90,7 +91,7 @@ Send the access token of the user as `Bearer Token` in the `Authorization` heade
 **cURL Request:**
 ```bash
 curl --request GET \
- --url $ZITADEL_DOMAIN/oidc/v1/userinfo
+ --url $CUSTOM-DOMAIN/oidc/v1/userinfo
 --header 'Authorization: Bearer <TOKEN>'
 ```
@@ -205,11 +206,11 @@ Let’s start with a user who has multiple roles in different organizations in a
 Returns a list of roles for the authenticated user and for the requesting project (based on the token).
-**URL: https://$ZITADEL_DOMAIN/auth/v1/permissions/me/_search**
+**URL: https://$CUSTOM-DOMAIN/auth/v1/permissions/me/_search**
 **cURL request:** 
 ```bash
-curl -L -X POST 'https://$ZITADEL_DOMAIN/auth/v1/permissions/me/_search' \
+curl -L -X POST 'https://$CUSTOM-DOMAIN/auth/v1/permissions/me/_search' \
 -H 'Accept: application/json' \
 -H 'Authorization: Bearer <TOKEN>'
 ```
@@ -230,12 +231,12 @@ Returns a list of permissions the authenticated user has in ZITADEL based on the
 This request can be used if you are building a management UI. For instance, if the UI is managing users, you can show the management functionality based on the permissions the user has. Here’s an example: if the user has `user.read` and `user.write` permission you can show the edit buttons, if the user only has `user.read` permission, you can hide the edit buttons.
-**URL: https://ZITADEL_DOMAIN/auth/v1/permissions/zitadel/me/_search**
+**URL: https://$CUSTOM-DOMAIN/auth/v1/permissions/zitadel/me/_search**
 **cURL Request:** 
 ```bash
-curl -L -X POST 'https://$ZITADEL_DOMAIN/auth/v1/permissions/zitadel/me/_search' \
+curl -L -X POST 'https://$CUSTOM-DOMAIN/auth/v1/permissions/zitadel/me/_search' \
 -H 'Accept: application/json' \
 -H 'Authorization: Bearer <TOKEN>'
 ```
@@ -276,12 +277,12 @@ curl -L -X POST 'https://$ZITADEL_DOMAIN/auth/v1/permissions/zitadel/me/_search'
 Returns a list of user grants the authenticated user has. User grants consist of an organization, a project and roles.
-**URL: https://$ZITADEL_DOMAIN/auth/v1/usergrants/me/_search**
+**URL: https://$CUSTOM-DOMAIN/auth/v1/usergrants/me/_search**
 **cURL request:**
 ```bash
-curl -L -X POST 'https://$ZITADEL_DOMAIN/auth/v1/usergrants/me/_search' \
+curl -L -X POST 'https://$CUSTOM-DOMAIN/auth/v1/usergrants/me/_search' \
 -H 'Content-Type: application/json' \
 -H 'Accept: application/json' \
 -H 'Authorization: Bearer <TOKEN>' \
@@ -378,7 +379,7 @@ curl -L -X POST 'https://$ZITADEL_DOMAIN/auth/v1/usergrants/me/_search' \
 ### Retrieve roles using the management API
 Now we will use the management API to retrieve user roles under an admin user. 
-The base URL is: **https://$ZITADEL_DOMAIN/management/v1**
+The base URL is: **https://$CUSTOM-DOMAIN/management/v1**
 In [APIs listed under user grants in the management API](/docs/category/apis/resources/mgmt/user-grants), you will see that you can use the management API to retrieve and modify user grants. The two API paths that we are interested in to fetch user roles are given below.
@@ -388,12 +389,12 @@ In [APIs listed under user grants in the management API](/docs/category/apis/res
 Returns a list of user roles that match the search queries. A user with manager permissions will call this API and will also have to reside in the same organization as the user. 
-**URL: https://$ZITADEL_DOMAIN/management/v1/users/grants/_search**
+**URL: https://$CUSTOM-DOMAIN/management/v1/users/grants/_search**
 **cURL request:** 
 ```bash
-curl -L -X POST 'https://$ZITADEL_DOMAIN/management/v1/users/grants/_search' \
+curl -L -X POST 'https://$CUSTOM-DOMAIN/management/v1/users/grants/_search' \
 -H 'Content-Type: application/json' \
 -H 'Accept: application/json' \
 -H 'Authorization: Bearer <TOKEN>' \
--- a/docs/docs/guides/integrate/services/atlassian-saml.md
+++ b/docs/docs/guides/integrate/services/atlassian-saml.md
@@ -1,5 +1,5 @@
 ---
-title: Connect with Atlassian through SAML 2.0
+title: Log in with ZITADEL on Atlassian through SAML 2.0
 sidebar_label: Atlassian
 ---
--- a/docs/docs/guides/integrate/services/auth0-oidc.mdx
+++ b/docs/docs/guides/integrate/services/auth0-oidc.mdx
@@ -1,5 +1,5 @@
 ---
-title: Connect with Auth0 through OIDC
+title: Log in with ZITADEL on Auth0 through OIDC
 sidebar_label: Auth0 (OIDC)
 ---
--- a/docs/docs/guides/integrate/services/auth0-saml.md
+++ b/docs/docs/guides/integrate/services/auth0-saml.md
@@ -1,5 +1,5 @@
 ---
-title: Connect with Auth0 through SAML 2.0
+title: Log in with ZITADEL on Auth0 through SAML 2.0
 sidebar_label: Auth0 (SAML)
 ---
--- a/docs/docs/guides/integrate/services/aws-saml.md
+++ b/docs/docs/guides/integrate/services/aws-saml.md
@@ -1,5 +1,5 @@
 ---
-title: Connect with AWS through SAML 2.0
+title: Log in with ZITADEL on AWS through SAML 2.0
 sidebar_label: Amazon Web Services
 ---
--- a/docs/docs/guides/integrate/services/cloudflare-oidc.mdx
+++ b/docs/docs/guides/integrate/services/cloudflare-oidc.mdx
@@ -1,5 +1,5 @@
 ---
-title: Configure as OIDC Identity Provider for Cloudflare Zero Trust
+title: Configure ZITADEL as an OIDC Identity Provider on Cloudflare Zero Trust
 sidebar_label: Cloudflare Zero Trust
 ---
--- a/docs/docs/guides/integrate/services/gitlab-saml.md
+++ b/docs/docs/guides/integrate/services/gitlab-saml.md
@@ -1,5 +1,5 @@
 ---
-title: Connect with Gitlab through SAML 2.0 
+title: Log in with ZITADEL on Gitlab through SAML 2.0 
 sidebar_label: Gitlab
 ---
@@ -51,7 +51,7 @@ Check your application, if everything is correct, press "Create".
 Complete the configuration as follows:
- `Identity provider single sign-on URL`: {your_instance_domain}/saml/v2/SSO
+- `Identity provider single sign-on URL`: $CUSTOM-DOMAIN/saml/v2/SSO
 - `Certificate fingerprint`: You need to download the certificate from {your_instance_domain}/saml/v2/certificate and create a SHA1 fingerprint
 Save the changes.
--- a/Show More
+++ b/Show More