Merge branch 'main' into next-rc

# Conflicts:
#	cmd/defaults.yaml
#	cmd/setup/config.go
#	cmd/setup/setup.go
#	cmd/start/start.go
#	docs/yarn.lock
#	go.mod
#	go.sum
#	internal/api/grpc/action/v2beta/execution.go
#	internal/api/grpc/action/v2beta/query.go
#	internal/api/grpc/action/v2beta/server.go
#	internal/api/grpc/action/v2beta/target.go
#	internal/api/grpc/feature/v2/converter.go
#	internal/api/grpc/feature/v2/converter_test.go
#	internal/api/grpc/feature/v2/integration_test/feature_test.go
#	internal/api/grpc/feature/v2beta/converter.go
#	internal/api/grpc/feature/v2beta/converter_test.go
#	internal/api/grpc/feature/v2beta/integration_test/feature_test.go
#	internal/api/oidc/key.go
#	internal/api/oidc/op.go
#	internal/command/idp_intent_test.go
#	internal/command/instance_features.go
#	internal/command/instance_features_test.go
#	internal/command/system_features.go
#	internal/command/system_features_test.go
#	internal/feature/feature.go
#	internal/feature/key_enumer.go
#	internal/integration/client.go
#	internal/query/instance_features.go
#	internal/query/system_features.go
#	internal/repository/feature/feature_v2/feature.go
#	proto/zitadel/feature/v2/instance.proto
#	proto/zitadel/feature/v2/system.proto
#	proto/zitadel/feature/v2beta/instance.proto
#	proto/zitadel/feature/v2beta/system.proto

internal/api/grpc/user/v2/integration_test/email_test.go

@@ -10,13 +10,13 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/protobuf/types/known/timestamppb"
-
+ 
 	"github.com/zitadel/zitadel/internal/integration"
 	"github.com/zitadel/zitadel/pkg/grpc/object/v2"
 	"github.com/zitadel/zitadel/pkg/grpc/user/v2"
 )
 
-func TestServer_SetEmail(t *testing.T) {
+func TestServer_Deprecated_SetEmail(t *testing.T) {
 	userID := Instance.CreateHumanUser(CTX).GetUserId()
 
 	tests := []struct {

internal/api/grpc/user/v2/integration_test/key_test.go

@@ -0,0 +1,659 @@
+//go:build integration
+
+package user_test
+
+import (
+	"context"
+	"fmt"
+	"slices"
+	"testing"
+	"time"
+
+	"github.com/brianvoe/gofakeit/v6"
+	"github.com/google/go-cmp/cmp"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/testing/protocmp"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/zitadel/zitadel/internal/integration"
+	"github.com/zitadel/zitadel/pkg/grpc/filter/v2"
+	"github.com/zitadel/zitadel/pkg/grpc/user/v2"
+)
+
+func TestServer_AddKey(t *testing.T) {
+	resp := Instance.CreateUserTypeMachine(IamCTX)
+	userId := resp.GetId()
+	expirationDate := timestamppb.New(time.Now().Add(time.Hour * 24))
+	type args struct {
+		req     *user.AddKeyRequest
+		prepare func(request *user.AddKeyRequest) error
+	}
+	tests := []struct {
+		name         string
+		args         args
+		wantErr      bool
+		wantEmtpyKey bool
+	}{
+		{
+			name: "add key, user not existing",
+			args: args{
+				&user.AddKeyRequest{
+					UserId:         "notexisting",
+					ExpirationDate: expirationDate,
+				},
+				func(request *user.AddKeyRequest) error { return nil },
+			},
+			wantErr: true,
+		},
+		{
+			name: "generate key pair, ok",
+			args: args{
+				&user.AddKeyRequest{
+					ExpirationDate: expirationDate,
+				},
+				func(request *user.AddKeyRequest) error {
+					request.UserId = userId
+					return nil
+				},
+			},
+		},
+		{
+			name: "add valid public key, ok",
+			args: args{
+				&user.AddKeyRequest{
+					ExpirationDate: expirationDate,
+					// This is the public key of the tester system user. This must be valid.
+					PublicKey: []byte(`
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzi+FFSJL7f5yw4KTwzgM
+P34ePGycm/M+kT0M7V4Cgx5V3EaDIvTQKTLfBaEB45zb9LtjIXzDw0rXRoS2hO6t
+h+CYQCz3KCvh09C0IzxZiB2IS3H/aT+5Bx9EFY+vnAkZjccbyG5YNRvmtOlnvIeI
+H7qZ0tEwkPfF5GEZNPJPtmy3UGV7iofdVQS1xRj73+aMw5rvH4D8IdyiAC3VekIb
+pt0Vj0SUX3DwKtog337BzTiPk3aXRF0sbFhQoqdJRI8NqgZjCwjq9yfI5tyxYswn
++JGzHGdHvW3idODlmwEt5K2pasiRIWK2OGfq+w0EcltQHabuqEPgZlmhCkRdNfix
+BwIDAQAB
+-----END PUBLIC KEY-----
+`),
+				},
+				func(request *user.AddKeyRequest) error {
+					request.UserId = userId
+					return nil
+				},
+			},
+			wantEmtpyKey: true,
+		},
+		{
+			name: "add invalid public key, error",
+			args: args{
+				&user.AddKeyRequest{
+					ExpirationDate: expirationDate,
+					PublicKey: []byte(`
+-----BEGIN PUBLIC KEY-----
+abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
+-----END PUBLIC KEY-----
+`),
+				},
+				func(request *user.AddKeyRequest) error {
+					request.UserId = userId
+					return nil
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "add key human, error",
+			args: args{
+				&user.AddKeyRequest{
+					ExpirationDate: expirationDate,
+				},
+				func(request *user.AddKeyRequest) error {
+					resp := Instance.CreateUserTypeHuman(IamCTX)
+					request.UserId = resp.Id
+					return nil
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "add another key, ok",
+			args: args{
+				&user.AddKeyRequest{
+					ExpirationDate: expirationDate,
+				},
+				func(request *user.AddKeyRequest) error {
+					request.UserId = userId
+					_, err := Client.AddKey(IamCTX, &user.AddKeyRequest{
+						ExpirationDate: expirationDate,
+						UserId:         userId,
+					})
+					return err
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			now := time.Now()
+			err := tt.args.prepare(tt.args.req)
+			require.NoError(t, err)
+			got, err := Client.AddKey(CTX, tt.args.req)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			assert.NotEmpty(t, got.KeyId, "key id is empty")
+			if tt.wantEmtpyKey {
+				assert.Empty(t, got.KeyContent, "key content is not empty")
+			} else {
+				assert.NotEmpty(t, got.KeyContent, "key content is empty")
+			}
+			creationDate := got.CreationDate.AsTime()
+			assert.Greater(t, creationDate, now, "creation date is before the test started")
+			assert.Less(t, creationDate, time.Now(), "creation date is in the future")
+		})
+	}
+}
+
+func TestServer_AddKey_Permission(t *testing.T) {
+	OrgCTX := CTX
+	otherOrg := Instance.CreateOrganization(IamCTX, fmt.Sprintf("AddKey-%s", gofakeit.AppName()), gofakeit.Email())
+	otherOrgUser, err := Client.CreateUser(IamCTX, &user.CreateUserRequest{
+		OrganizationId: otherOrg.OrganizationId,
+		UserType: &user.CreateUserRequest_Machine_{
+			Machine: &user.CreateUserRequest_Machine{
+				Name: gofakeit.Name(),
+			},
+		},
+	})
+	require.NoError(t, err)
+	request := &user.AddKeyRequest{
+		ExpirationDate: timestamppb.New(time.Now().Add(time.Hour * 24)),
+		UserId:         otherOrgUser.GetId(),
+	}
+	type args struct {
+		ctx context.Context
+		req *user.AddKeyRequest
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			name: "system, ok",
+			args: args{SystemCTX, request},
+		},
+		{
+			name: "instance, ok",
+			args: args{IamCTX, request},
+		},
+		{
+			name:    "org, error",
+			args:    args{OrgCTX, request},
+			wantErr: true,
+		},
+		{
+			name:    "user, error",
+			args:    args{UserCTX, request},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			now := time.Now()
+			require.NoError(t, err)
+			got, err := Client.AddKey(tt.args.ctx, tt.args.req)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			assert.NotEmpty(t, got.KeyId, "key id is empty")
+			assert.NotEmpty(t, got.KeyContent, "key content is empty")
+			creationDate := got.CreationDate.AsTime()
+			assert.Greater(t, creationDate, now, "creation date is before the test started")
+			assert.Less(t, creationDate, time.Now(), "creation date is in the future")
+		})
+	}
+}
+
+func TestServer_RemoveKey(t *testing.T) {
+	resp := Instance.CreateUserTypeMachine(IamCTX)
+	userId := resp.GetId()
+	expirationDate := timestamppb.New(time.Now().Add(time.Hour * 24))
+	type args struct {
+		req     *user.RemoveKeyRequest
+		prepare func(request *user.RemoveKeyRequest) error
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			name: "remove key, user not existing",
+			args: args{
+				&user.RemoveKeyRequest{
+					UserId: "notexisting",
+				},
+				func(request *user.RemoveKeyRequest) error {
+					key, err := Client.AddKey(IamCTX, &user.AddKeyRequest{
+						ExpirationDate: expirationDate,
+						UserId:         userId,
+					})
+					request.KeyId = key.GetKeyId()
+					return err
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "remove key, not existing",
+			args: args{
+				&user.RemoveKeyRequest{
+					KeyId: "notexisting",
+				},
+				func(request *user.RemoveKeyRequest) error {
+					request.UserId = userId
+					return nil
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "remove key, ok",
+			args: args{
+				&user.RemoveKeyRequest{},
+				func(request *user.RemoveKeyRequest) error {
+					key, err := Client.AddKey(IamCTX, &user.AddKeyRequest{
+						ExpirationDate: expirationDate,
+						UserId:         userId,
+					})
+					request.KeyId = key.GetKeyId()
+					request.UserId = userId
+					return err
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			now := time.Now()
+			err := tt.args.prepare(tt.args.req)
+			require.NoError(t, err)
+			got, err := Client.RemoveKey(CTX, tt.args.req)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			deletionDate := got.DeletionDate.AsTime()
+			assert.Greater(t, deletionDate, now, "creation date is before the test started")
+			assert.Less(t, deletionDate, time.Now(), "creation date is in the future")
+		})
+	}
+}
+
+func TestServer_RemoveKey_Permission(t *testing.T) {
+	OrgCTX := CTX
+	otherOrg := Instance.CreateOrganization(IamCTX, fmt.Sprintf("RemoveKey-%s", gofakeit.AppName()), gofakeit.Email())
+	otherOrgUser, err := Client.CreateUser(IamCTX, &user.CreateUserRequest{
+		OrganizationId: otherOrg.OrganizationId,
+		UserType: &user.CreateUserRequest_Machine_{
+			Machine: &user.CreateUserRequest_Machine{
+				Name: gofakeit.Name(),
+			},
+		},
+	})
+	request := &user.RemoveKeyRequest{
+		UserId: otherOrgUser.GetId(),
+	}
+	prepare := func(request *user.RemoveKeyRequest) error {
+		key, err := Client.AddKey(IamCTX, &user.AddKeyRequest{
+			ExpirationDate: timestamppb.New(time.Now().Add(time.Hour * 24)),
+			UserId:         otherOrgUser.GetId(),
+		})
+		request.KeyId = key.GetKeyId()
+		return err
+	}
+	require.NoError(t, err)
+	type args struct {
+		ctx     context.Context
+		req     *user.RemoveKeyRequest
+		prepare func(request *user.RemoveKeyRequest) error
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			name: "system, ok",
+			args: args{SystemCTX, request, prepare},
+		},
+		{
+			name: "instance, ok",
+			args: args{IamCTX, request, prepare},
+		},
+		{
+			name:    "org, error",
+			args:    args{OrgCTX, request, prepare},
+			wantErr: true,
+		},
+		{
+			name:    "user, error",
+			args:    args{UserCTX, request, prepare},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			now := time.Now()
+			require.NoError(t, tt.args.prepare(tt.args.req))
+			got, err := Client.RemoveKey(tt.args.ctx, tt.args.req)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			assert.NotEmpty(t, got.DeletionDate, "client key is empty")
+			creationDate := got.DeletionDate.AsTime()
+			assert.Greater(t, creationDate, now, "creation date is before the test started")
+			assert.Less(t, creationDate, time.Now(), "creation date is in the future")
+		})
+	}
+}
+
+func TestServer_ListKeys(t *testing.T) {
+	type args struct {
+		ctx context.Context
+		req *user.ListKeysRequest
+	}
+	type testCase struct {
+		name string
+		args args
+		want *user.ListKeysResponse
+	}
+	OrgCTX := CTX
+	otherOrg := Instance.CreateOrganization(SystemCTX, fmt.Sprintf("ListKeys-%s", gofakeit.AppName()), gofakeit.Email())
+	otherOrgUser, err := Client.CreateUser(SystemCTX, &user.CreateUserRequest{
+		OrganizationId: otherOrg.OrganizationId,
+		UserType: &user.CreateUserRequest_Machine_{
+			Machine: &user.CreateUserRequest_Machine{
+				Name: gofakeit.Name(),
+			},
+		},
+	})
+	require.NoError(t, err)
+	otherOrgUserId := otherOrgUser.GetId()
+	otherUserId := Instance.CreateUserTypeMachine(SystemCTX).GetId()
+	onlySinceTestStartFilter := &user.KeysSearchFilter{Filter: &user.KeysSearchFilter_CreatedDateFilter{CreatedDateFilter: &filter.TimestampFilter{
+		Timestamp: timestamppb.Now(),
+		Method:    filter.TimestampFilterMethod_TIMESTAMP_FILTER_METHOD_AFTER_OR_EQUALS,
+	}}}
+	myOrgId := Instance.DefaultOrg.GetId()
+	myUserId := Instance.Users.Get(integration.UserTypeNoPermission).ID
+	expiresInADay := time.Now().Truncate(time.Hour).Add(time.Hour * 24)
+	myDataPoint := setupKeyDataPoint(t, myUserId, myOrgId, expiresInADay)
+	otherUserDataPoint := setupKeyDataPoint(t, otherUserId, myOrgId, expiresInADay)
+	otherOrgDataPointExpiringSoon := setupKeyDataPoint(t, otherOrgUserId, otherOrg.OrganizationId, time.Now().Truncate(time.Hour).Add(time.Hour))
+	otherOrgDataPointExpiringLate := setupKeyDataPoint(t, otherOrgUserId, otherOrg.OrganizationId, expiresInADay.Add(time.Hour*24*30))
+	sortingColumnExpirationDate := user.KeyFieldName_KEY_FIELD_NAME_KEY_EXPIRATION_DATE
+	awaitKeys(t, onlySinceTestStartFilter,
+		otherOrgDataPointExpiringSoon.GetId(),
+		otherOrgDataPointExpiringLate.GetId(),
+		otherUserDataPoint.GetId(),
+		myDataPoint.GetId(),
+	)
+	tests := []testCase{
+		{
+			name: "list all, instance",
+			args: args{
+				IamCTX,
+				&user.ListKeysRequest{Filters: []*user.KeysSearchFilter{onlySinceTestStartFilter}},
+			},
+			want: &user.ListKeysResponse{
+				Result: []*user.Key{
+					otherOrgDataPointExpiringLate,
+					otherOrgDataPointExpiringSoon,
+					otherUserDataPoint,
+					myDataPoint,
+				},
+				Pagination: &filter.PaginationResponse{
+					TotalResult:  4,
+					AppliedLimit: 100,
+				},
+			},
+		},
+		{
+			name: "list all, org",
+			args: args{
+				OrgCTX,
+				&user.ListKeysRequest{Filters: []*user.KeysSearchFilter{onlySinceTestStartFilter}},
+			},
+			want: &user.ListKeysResponse{
+				Result: []*user.Key{
+					otherUserDataPoint,
+					myDataPoint,
+				},
+				Pagination: &filter.PaginationResponse{
+					TotalResult:  2,
+					AppliedLimit: 100,
+				},
+			},
+		},
+		{
+			name: "list all, user",
+			args: args{
+				UserCTX,
+				&user.ListKeysRequest{Filters: []*user.KeysSearchFilter{onlySinceTestStartFilter}},
+			},
+			want: &user.ListKeysResponse{
+				Result: []*user.Key{
+					myDataPoint,
+				},
+				Pagination: &filter.PaginationResponse{
+					TotalResult:  1,
+					AppliedLimit: 100,
+				},
+			},
+		},
+		{
+			name: "list by id",
+			args: args{
+				IamCTX,
+				&user.ListKeysRequest{
+					Filters: []*user.KeysSearchFilter{
+						onlySinceTestStartFilter,
+						{
+							Filter: &user.KeysSearchFilter_KeyIdFilter{
+								KeyIdFilter: &filter.IDFilter{Id: otherOrgDataPointExpiringSoon.Id},
+							},
+						},
+					},
+				},
+			},
+			want: &user.ListKeysResponse{
+				Result: []*user.Key{
+					otherOrgDataPointExpiringSoon,
+				},
+				Pagination: &filter.PaginationResponse{
+					TotalResult:  1,
+					AppliedLimit: 100,
+				},
+			},
+		},
+		{
+			name: "list all from other org",
+			args: args{
+				IamCTX,
+				&user.ListKeysRequest{
+					Filters: []*user.KeysSearchFilter{
+						onlySinceTestStartFilter,
+						{
+							Filter: &user.KeysSearchFilter_OrganizationIdFilter{
+								OrganizationIdFilter: &filter.IDFilter{Id: otherOrg.OrganizationId},
+							},
+						},
+					},
+				},
+			},
+			want: &user.ListKeysResponse{
+				Result: []*user.Key{
+					otherOrgDataPointExpiringLate,
+					otherOrgDataPointExpiringSoon,
+				},
+				Pagination: &filter.PaginationResponse{
+					TotalResult:  2,
+					AppliedLimit: 100,
+				},
+			},
+		},
+		{
+			name: "sort by next expiration dates",
+			args: args{
+				IamCTX,
+				&user.ListKeysRequest{
+					Pagination: &filter.PaginationRequest{
+						Asc: true,
+					},
+					SortingColumn: &sortingColumnExpirationDate,
+					Filters: []*user.KeysSearchFilter{
+						onlySinceTestStartFilter,
+						{Filter: &user.KeysSearchFilter_OrganizationIdFilter{OrganizationIdFilter: &filter.IDFilter{Id: otherOrg.OrganizationId}}},
+					},
+				},
+			},
+			want: &user.ListKeysResponse{
+				Result: []*user.Key{
+					otherOrgDataPointExpiringSoon,
+					otherOrgDataPointExpiringLate,
+				},
+				Pagination: &filter.PaginationResponse{
+					TotalResult:  2,
+					AppliedLimit: 100,
+				},
+			},
+		},
+		{
+			name: "get page",
+			args: args{
+				IamCTX,
+				&user.ListKeysRequest{
+					Pagination: &filter.PaginationRequest{
+						Offset: 2,
+						Limit:  2,
+						Asc:    true,
+					},
+					Filters: []*user.KeysSearchFilter{
+						onlySinceTestStartFilter,
+					},
+				},
+			},
+			want: &user.ListKeysResponse{
+				Result: []*user.Key{
+					otherOrgDataPointExpiringSoon,
+					otherOrgDataPointExpiringLate,
+				},
+				Pagination: &filter.PaginationResponse{
+					TotalResult:  4,
+					AppliedLimit: 2,
+				},
+			},
+		},
+		{
+			name: "empty list",
+			args: args{
+				UserCTX,
+				&user.ListKeysRequest{
+					Filters: []*user.KeysSearchFilter{
+						{
+							Filter: &user.KeysSearchFilter_KeyIdFilter{
+								KeyIdFilter: &filter.IDFilter{Id: otherUserDataPoint.Id},
+							},
+						},
+					},
+				},
+			},
+			want: &user.ListKeysResponse{
+				Result: []*user.Key{},
+				Pagination: &filter.PaginationResponse{
+					TotalResult:  0,
+					AppliedLimit: 100,
+				},
+			},
+		},
+	}
+	t.Run("with permission flag v2", func(t *testing.T) {
+		setPermissionCheckV2Flag(t, true)
+		defer setPermissionCheckV2Flag(t, false)
+		for _, tt := range tests {
+			t.Run(tt.name, func(t *testing.T) {
+				got, err := Client.ListKeys(tt.args.ctx, tt.args.req)
+				require.NoError(t, err)
+				assert.Len(t, got.Result, len(tt.want.Result))
+				if diff := cmp.Diff(tt.want, got, protocmp.Transform()); diff != "" {
+					t.Errorf("ListKeys() mismatch (-want +got):\n%s", diff)
+				}
+			})
+		}
+	})
+	t.Run("without permission flag v2", func(t *testing.T) {
+		for _, tt := range tests {
+			t.Run(tt.name, func(t *testing.T) {
+				got, err := Client.ListKeys(tt.args.ctx, tt.args.req)
+				require.NoError(t, err)
+				assert.Len(t, got.Result, len(tt.want.Result))
+				// ignore the total result, as this is a known bug with the in-memory permission checks.
+				// The command can't know how many keys exist in the system if the SQL statement has a limit.
+				// This is fixed, once the in-memory permission checks are removed with https://github.com/zitadel/zitadel/issues/9188
+				tt.want.Pagination.TotalResult = got.Pagination.TotalResult
+				if diff := cmp.Diff(tt.want, got, protocmp.Transform()); diff != "" {
+					t.Errorf("ListKeys() mismatch (-want +got):\n%s", diff)
+				}
+			})
+		}
+	})
+}
+
+func setupKeyDataPoint(t *testing.T, userId, orgId string, expirationDate time.Time) *user.Key {
+	expirationDatePb := timestamppb.New(expirationDate)
+	newKey, err := Client.AddKey(SystemCTX, &user.AddKeyRequest{
+		UserId:         userId,
+		ExpirationDate: expirationDatePb,
+		PublicKey:      nil,
+	})
+	require.NoError(t, err)
+	return &user.Key{
+		CreationDate:   newKey.CreationDate,
+		ChangeDate:     newKey.CreationDate,
+		Id:             newKey.GetKeyId(),
+		UserId:         userId,
+		OrganizationId: orgId,
+		ExpirationDate: expirationDatePb,
+	}
+}
+
+func awaitKeys(t *testing.T, sinceTestStartFilter *user.KeysSearchFilter, keyIds ...string) {
+	sortingColumn := user.KeyFieldName_KEY_FIELD_NAME_ID
+	slices.Sort(keyIds)
+	require.EventuallyWithT(t, func(collect *assert.CollectT) {
+		result, err := Client.ListKeys(SystemCTX, &user.ListKeysRequest{
+			Filters:       []*user.KeysSearchFilter{sinceTestStartFilter},
+			SortingColumn: &sortingColumn,
+			Pagination: &filter.PaginationRequest{
+				Asc: true,
+			},
+		})
+		require.NoError(t, err)
+		if !assert.Len(collect, result.Result, len(keyIds)) {
+			return
+		}
+		for i := range keyIds {
+			keyId := keyIds[i]
+			require.Equal(collect, keyId, result.Result[i].GetId())
+		}
+	}, 5*time.Second, time.Second, "key not created in time")
+}

internal/api/grpc/user/v2/integration_test/password_test.go

@@ -104,7 +104,7 @@ func TestServer_RequestPasswordReset(t *testing.T) {
 	}
 }
 
-func TestServer_SetPassword(t *testing.T) {
+func TestServer_Deprecated_SetPassword(t *testing.T) {
 	type args struct {
 		ctx context.Context
 		req *user.SetPasswordRequest

internal/api/grpc/user/v2/integration_test/pat_test.go

@@ -0,0 +1,615 @@
+//go:build integration
+
+package user_test
+
+import (
+	"context"
+	"fmt"
+	"slices"
+	"testing"
+	"time"
+
+	"github.com/brianvoe/gofakeit/v6"
+	"github.com/google/go-cmp/cmp"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/testing/protocmp"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/zitadel/zitadel/internal/integration"
+	"github.com/zitadel/zitadel/pkg/grpc/filter/v2"
+	"github.com/zitadel/zitadel/pkg/grpc/user/v2"
+)
+
+func TestServer_AddPersonalAccessToken(t *testing.T) {
+	resp := Instance.CreateUserTypeMachine(IamCTX)
+	userId := resp.GetId()
+	expirationDate := timestamppb.New(time.Now().Add(time.Hour * 24))
+	type args struct {
+		req     *user.AddPersonalAccessTokenRequest
+		prepare func(request *user.AddPersonalAccessTokenRequest) error
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			name: "add pat, user not existing",
+			args: args{
+				&user.AddPersonalAccessTokenRequest{
+					UserId:         "notexisting",
+					ExpirationDate: expirationDate,
+				},
+				func(request *user.AddPersonalAccessTokenRequest) error { return nil },
+			},
+			wantErr: true,
+		},
+		{
+			name: "add pat, ok",
+			args: args{
+				&user.AddPersonalAccessTokenRequest{
+					ExpirationDate: expirationDate,
+				},
+				func(request *user.AddPersonalAccessTokenRequest) error {
+					request.UserId = userId
+					return nil
+				},
+			},
+		},
+		{
+			name: "add pat human, not ok",
+			args: args{
+				&user.AddPersonalAccessTokenRequest{
+					ExpirationDate: expirationDate,
+				},
+				func(request *user.AddPersonalAccessTokenRequest) error {
+					resp := Instance.CreateUserTypeHuman(IamCTX)
+					request.UserId = resp.Id
+					return nil
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "add another pat, ok",
+			args: args{
+				&user.AddPersonalAccessTokenRequest{
+					ExpirationDate: expirationDate,
+				},
+				func(request *user.AddPersonalAccessTokenRequest) error {
+					request.UserId = userId
+					_, err := Client.AddPersonalAccessToken(IamCTX, &user.AddPersonalAccessTokenRequest{
+						ExpirationDate: expirationDate,
+						UserId:         userId,
+					})
+					return err
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			now := time.Now()
+			err := tt.args.prepare(tt.args.req)
+			require.NoError(t, err)
+			got, err := Client.AddPersonalAccessToken(CTX, tt.args.req)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			assert.NotEmpty(t, got.TokenId, "id is empty")
+			assert.NotEmpty(t, got.Token, "token is empty")
+			creationDate := got.CreationDate.AsTime()
+			assert.Greater(t, creationDate, now, "creation date is before the test started")
+			assert.Less(t, creationDate, time.Now(), "creation date is in the future")
+		})
+	}
+}
+
+func TestServer_AddPersonalAccessToken_Permission(t *testing.T) {
+	OrgCTX := CTX
+	otherOrg := Instance.CreateOrganization(IamCTX, fmt.Sprintf("AddPersonalAccessToken-%s", gofakeit.AppName()), gofakeit.Email())
+	otherOrgUser, err := Client.CreateUser(IamCTX, &user.CreateUserRequest{
+		OrganizationId: otherOrg.OrganizationId,
+		UserType: &user.CreateUserRequest_Machine_{
+			Machine: &user.CreateUserRequest_Machine{
+				Name: gofakeit.Name(),
+			},
+		},
+	})
+	require.NoError(t, err)
+	request := &user.AddPersonalAccessTokenRequest{
+		ExpirationDate: timestamppb.New(time.Now().Add(time.Hour * 24)),
+		UserId:         otherOrgUser.GetId(),
+	}
+	type args struct {
+		ctx context.Context
+		req *user.AddPersonalAccessTokenRequest
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			name: "system, ok",
+			args: args{SystemCTX, request},
+		},
+		{
+			name: "instance, ok",
+			args: args{IamCTX, request},
+		},
+		{
+			name:    "org, error",
+			args:    args{OrgCTX, request},
+			wantErr: true,
+		},
+		{
+			name:    "user, error",
+			args:    args{UserCTX, request},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			now := time.Now()
+			require.NoError(t, err)
+			got, err := Client.AddPersonalAccessToken(tt.args.ctx, tt.args.req)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			assert.NotEmpty(t, got.TokenId, "id is empty")
+			assert.NotEmpty(t, got.Token, "token is empty")
+			creationDate := got.CreationDate.AsTime()
+			assert.Greater(t, creationDate, now, "creation date is before the test started")
+			assert.Less(t, creationDate, time.Now(), "creation date is in the future")
+		})
+	}
+}
+
+func TestServer_RemovePersonalAccessToken(t *testing.T) {
+	resp := Instance.CreateUserTypeMachine(IamCTX)
+	userId := resp.GetId()
+	expirationDate := timestamppb.New(time.Now().Add(time.Hour * 24))
+	type args struct {
+		req     *user.RemovePersonalAccessTokenRequest
+		prepare func(request *user.RemovePersonalAccessTokenRequest) error
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			name: "remove pat, user not existing",
+			args: args{
+				&user.RemovePersonalAccessTokenRequest{
+					UserId: "notexisting",
+				},
+				func(request *user.RemovePersonalAccessTokenRequest) error {
+					pat, err := Client.AddPersonalAccessToken(CTX, &user.AddPersonalAccessTokenRequest{
+						ExpirationDate: expirationDate,
+						UserId:         userId,
+					})
+					request.TokenId = pat.GetTokenId()
+					return err
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "remove pat, not existing",
+			args: args{
+				&user.RemovePersonalAccessTokenRequest{
+					TokenId: "notexisting",
+				},
+				func(request *user.RemovePersonalAccessTokenRequest) error {
+					request.UserId = userId
+					return nil
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "remove pat, ok",
+			args: args{
+				&user.RemovePersonalAccessTokenRequest{},
+				func(request *user.RemovePersonalAccessTokenRequest) error {
+					pat, err := Client.AddPersonalAccessToken(CTX, &user.AddPersonalAccessTokenRequest{
+						ExpirationDate: expirationDate,
+						UserId:         userId,
+					})
+					request.TokenId = pat.GetTokenId()
+					request.UserId = userId
+					return err
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			now := time.Now()
+			err := tt.args.prepare(tt.args.req)
+			require.NoError(t, err)
+			got, err := Client.RemovePersonalAccessToken(CTX, tt.args.req)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			deletionDate := got.DeletionDate.AsTime()
+			assert.Greater(t, deletionDate, now, "creation date is before the test started")
+			assert.Less(t, deletionDate, time.Now(), "creation date is in the future")
+		})
+	}
+}
+
+func TestServer_RemovePersonalAccessToken_Permission(t *testing.T) {
+	otherOrg := Instance.CreateOrganization(IamCTX, fmt.Sprintf("RemovePersonalAccessToken-%s", gofakeit.AppName()), gofakeit.Email())
+	otherOrgUser, err := Client.CreateUser(IamCTX, &user.CreateUserRequest{
+		OrganizationId: otherOrg.OrganizationId,
+		UserType: &user.CreateUserRequest_Machine_{
+			Machine: &user.CreateUserRequest_Machine{
+				Name: gofakeit.Name(),
+			},
+		},
+	})
+	request := &user.RemovePersonalAccessTokenRequest{
+		UserId: otherOrgUser.GetId(),
+	}
+	prepare := func(request *user.RemovePersonalAccessTokenRequest) error {
+		pat, err := Client.AddPersonalAccessToken(IamCTX, &user.AddPersonalAccessTokenRequest{
+			ExpirationDate: timestamppb.New(time.Now().Add(time.Hour * 24)),
+			UserId:         otherOrgUser.GetId(),
+		})
+		request.TokenId = pat.GetTokenId()
+		return err
+	}
+	require.NoError(t, err)
+	type args struct {
+		ctx     context.Context
+		req     *user.RemovePersonalAccessTokenRequest
+		prepare func(request *user.RemovePersonalAccessTokenRequest) error
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			name: "system, ok",
+			args: args{SystemCTX, request, prepare},
+		},
+		{
+			name: "instance, ok",
+			args: args{IamCTX, request, prepare},
+		},
+		{
+			name:    "org, error",
+			args:    args{CTX, request, prepare},
+			wantErr: true,
+		},
+		{
+			name:    "user, error",
+			args:    args{UserCTX, request, prepare},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			now := time.Now()
+			require.NoError(t, tt.args.prepare(tt.args.req))
+			got, err := Client.RemovePersonalAccessToken(tt.args.ctx, tt.args.req)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			assert.NotEmpty(t, got.DeletionDate, "client pat is empty")
+			creationDate := got.DeletionDate.AsTime()
+			assert.Greater(t, creationDate, now, "creation date is before the test started")
+			assert.Less(t, creationDate, time.Now(), "creation date is in the future")
+		})
+	}
+}
+
+func TestServer_ListPersonalAccessTokens(t *testing.T) {
+	type args struct {
+		ctx context.Context
+		req *user.ListPersonalAccessTokensRequest
+	}
+	type testCase struct {
+		name string
+		args args
+		want *user.ListPersonalAccessTokensResponse
+	}
+	OrgCTX := CTX
+	otherOrg := Instance.CreateOrganization(SystemCTX, fmt.Sprintf("ListPersonalAccessTokens-%s", gofakeit.AppName()), gofakeit.Email())
+	otherOrgUser, err := Client.CreateUser(SystemCTX, &user.CreateUserRequest{
+		OrganizationId: otherOrg.OrganizationId,
+		UserType: &user.CreateUserRequest_Machine_{
+			Machine: &user.CreateUserRequest_Machine{
+				Name: gofakeit.Name(),
+			},
+		},
+	})
+	require.NoError(t, err)
+	otherOrgUserId := otherOrgUser.GetId()
+	otherUserId := Instance.CreateUserTypeMachine(SystemCTX).GetId()
+	onlySinceTestStartFilter := &user.PersonalAccessTokensSearchFilter{Filter: &user.PersonalAccessTokensSearchFilter_CreatedDateFilter{CreatedDateFilter: &filter.TimestampFilter{
+		Timestamp: timestamppb.Now(),
+		Method:    filter.TimestampFilterMethod_TIMESTAMP_FILTER_METHOD_AFTER_OR_EQUALS,
+	}}}
+	myOrgId := Instance.DefaultOrg.GetId()
+	myUserId := Instance.Users.Get(integration.UserTypeNoPermission).ID
+	expiresInADay := time.Now().Truncate(time.Hour).Add(time.Hour * 24)
+	myDataPoint := setupPATDataPoint(t, myUserId, myOrgId, expiresInADay)
+	otherUserDataPoint := setupPATDataPoint(t, otherUserId, myOrgId, expiresInADay)
+	otherOrgDataPointExpiringSoon := setupPATDataPoint(t, otherOrgUserId, otherOrg.OrganizationId, time.Now().Truncate(time.Hour).Add(time.Hour))
+	otherOrgDataPointExpiringLate := setupPATDataPoint(t, otherOrgUserId, otherOrg.OrganizationId, expiresInADay.Add(time.Hour*24*30))
+	sortingColumnExpirationDate := user.PersonalAccessTokenFieldName_PERSONAL_ACCESS_TOKEN_FIELD_NAME_EXPIRATION_DATE
+	awaitPersonalAccessTokens(t,
+		onlySinceTestStartFilter,
+		otherOrgDataPointExpiringSoon.GetId(),
+		otherOrgDataPointExpiringLate.GetId(),
+		otherUserDataPoint.GetId(),
+		myDataPoint.GetId(),
+	)
+	tests := []testCase{
+		{
+			name: "list all, instance",
+			args: args{
+				IamCTX,
+				&user.ListPersonalAccessTokensRequest{
+					Filters: []*user.PersonalAccessTokensSearchFilter{onlySinceTestStartFilter},
+				},
+			},
+			want: &user.ListPersonalAccessTokensResponse{
+				Result: []*user.PersonalAccessToken{
+					otherOrgDataPointExpiringLate,
+					otherOrgDataPointExpiringSoon,
+					otherUserDataPoint,
+					myDataPoint,
+				},
+				Pagination: &filter.PaginationResponse{
+					TotalResult:  4,
+					AppliedLimit: 100,
+				},
+			},
+		},
+		{
+			name: "list all, org",
+			args: args{
+				OrgCTX,
+				&user.ListPersonalAccessTokensRequest{
+					Filters: []*user.PersonalAccessTokensSearchFilter{onlySinceTestStartFilter},
+				},
+			},
+			want: &user.ListPersonalAccessTokensResponse{
+				Result: []*user.PersonalAccessToken{
+					otherUserDataPoint,
+					myDataPoint,
+				},
+				Pagination: &filter.PaginationResponse{
+					TotalResult:  2,
+					AppliedLimit: 100,
+				},
+			},
+		},
+		{
+			name: "list all, user",
+			args: args{
+				UserCTX,
+				&user.ListPersonalAccessTokensRequest{
+					Filters: []*user.PersonalAccessTokensSearchFilter{onlySinceTestStartFilter},
+				},
+			},
+			want: &user.ListPersonalAccessTokensResponse{
+				Result: []*user.PersonalAccessToken{
+					myDataPoint,
+				},
+				Pagination: &filter.PaginationResponse{
+					TotalResult:  1,
+					AppliedLimit: 100,
+				},
+			},
+		},
+		{
+			name: "list by id",
+			args: args{
+				IamCTX,
+				&user.ListPersonalAccessTokensRequest{
+					Filters: []*user.PersonalAccessTokensSearchFilter{
+						onlySinceTestStartFilter,
+						{
+							Filter: &user.PersonalAccessTokensSearchFilter_TokenIdFilter{
+								TokenIdFilter: &filter.IDFilter{Id: otherOrgDataPointExpiringSoon.Id},
+							},
+						},
+					},
+				},
+			},
+			want: &user.ListPersonalAccessTokensResponse{
+				Result: []*user.PersonalAccessToken{
+					otherOrgDataPointExpiringSoon,
+				},
+				Pagination: &filter.PaginationResponse{
+					TotalResult:  1,
+					AppliedLimit: 100,
+				},
+			},
+		},
+		{
+			name: "list all from other org",
+			args: args{
+				IamCTX,
+				&user.ListPersonalAccessTokensRequest{
+					Filters: []*user.PersonalAccessTokensSearchFilter{
+						onlySinceTestStartFilter,
+						{
+							Filter: &user.PersonalAccessTokensSearchFilter_OrganizationIdFilter{
+								OrganizationIdFilter: &filter.IDFilter{Id: otherOrg.OrganizationId},
+							},
+						}},
+				},
+			},
+			want: &user.ListPersonalAccessTokensResponse{
+				Result: []*user.PersonalAccessToken{
+					otherOrgDataPointExpiringLate,
+					otherOrgDataPointExpiringSoon,
+				},
+				Pagination: &filter.PaginationResponse{
+					TotalResult:  2,
+					AppliedLimit: 100,
+				},
+			},
+		},
+		{
+			name: "sort by next expiration dates",
+			args: args{
+				IamCTX,
+				&user.ListPersonalAccessTokensRequest{
+					Pagination: &filter.PaginationRequest{
+						Asc: true,
+					},
+					SortingColumn: &sortingColumnExpirationDate,
+					Filters: []*user.PersonalAccessTokensSearchFilter{
+						onlySinceTestStartFilter,
+						{Filter: &user.PersonalAccessTokensSearchFilter_OrganizationIdFilter{OrganizationIdFilter: &filter.IDFilter{Id: otherOrg.OrganizationId}}},
+					},
+				},
+			},
+			want: &user.ListPersonalAccessTokensResponse{
+				Result: []*user.PersonalAccessToken{
+					otherOrgDataPointExpiringSoon,
+					otherOrgDataPointExpiringLate,
+				},
+				Pagination: &filter.PaginationResponse{
+					TotalResult:  2,
+					AppliedLimit: 100,
+				},
+			},
+		},
+		{
+			name: "get page",
+			args: args{
+				IamCTX,
+				&user.ListPersonalAccessTokensRequest{
+					Pagination: &filter.PaginationRequest{
+						Offset: 2,
+						Limit:  2,
+						Asc:    true,
+					},
+					Filters: []*user.PersonalAccessTokensSearchFilter{
+						onlySinceTestStartFilter,
+					},
+				},
+			},
+			want: &user.ListPersonalAccessTokensResponse{
+				Result: []*user.PersonalAccessToken{
+					otherOrgDataPointExpiringSoon,
+					otherOrgDataPointExpiringLate,
+				},
+				Pagination: &filter.PaginationResponse{
+					TotalResult:  4,
+					AppliedLimit: 2,
+				},
+			},
+		},
+		{
+			name: "empty list",
+			args: args{
+				UserCTX,
+				&user.ListPersonalAccessTokensRequest{
+					Filters: []*user.PersonalAccessTokensSearchFilter{
+						{
+							Filter: &user.PersonalAccessTokensSearchFilter_TokenIdFilter{
+								TokenIdFilter: &filter.IDFilter{Id: otherUserDataPoint.Id},
+							},
+						},
+					},
+				},
+			},
+			want: &user.ListPersonalAccessTokensResponse{
+				Result: []*user.PersonalAccessToken{},
+				Pagination: &filter.PaginationResponse{
+					TotalResult:  0,
+					AppliedLimit: 100,
+				},
+			},
+		},
+	}
+	t.Run("with permission flag v2", func(t *testing.T) {
+		setPermissionCheckV2Flag(t, true)
+		defer setPermissionCheckV2Flag(t, false)
+		for _, tt := range tests {
+			t.Run(tt.name, func(t *testing.T) {
+				got, err := Client.ListPersonalAccessTokens(tt.args.ctx, tt.args.req)
+				require.NoError(t, err)
+				assert.Len(t, got.Result, len(tt.want.Result))
+				if diff := cmp.Diff(tt.want, got, protocmp.Transform()); diff != "" {
+					t.Errorf("ListPersonalAccessTokens() mismatch (-want +got):\n%s", diff)
+				}
+			})
+		}
+	})
+	t.Run("without permission flag v2", func(t *testing.T) {
+		for _, tt := range tests {
+			t.Run(tt.name, func(t *testing.T) {
+				got, err := Client.ListPersonalAccessTokens(tt.args.ctx, tt.args.req)
+				require.NoError(t, err)
+				assert.Len(t, got.Result, len(tt.want.Result))
+				// ignore the total result, as this is a known bug with the in-memory permission checks.
+				// The command can't know how many keys exist in the system if the SQL statement has a limit.
+				// This is fixed, once the in-memory permission checks are removed with https://github.com/zitadel/zitadel/issues/9188
+				tt.want.Pagination.TotalResult = got.Pagination.TotalResult
+				if diff := cmp.Diff(tt.want, got, protocmp.Transform()); diff != "" {
+					t.Errorf("ListPersonalAccessTokens() mismatch (-want +got):\n%s", diff)
+				}
+			})
+		}
+	})
+}
+
+func setupPATDataPoint(t *testing.T, userId, orgId string, expirationDate time.Time) *user.PersonalAccessToken {
+	expirationDatePb := timestamppb.New(expirationDate)
+	newPersonalAccessToken, err := Client.AddPersonalAccessToken(SystemCTX, &user.AddPersonalAccessTokenRequest{
+		UserId:         userId,
+		ExpirationDate: expirationDatePb,
+	})
+	require.NoError(t, err)
+	return &user.PersonalAccessToken{
+		CreationDate:   newPersonalAccessToken.CreationDate,
+		ChangeDate:     newPersonalAccessToken.CreationDate,
+		Id:             newPersonalAccessToken.GetTokenId(),
+		UserId:         userId,
+		OrganizationId: orgId,
+		ExpirationDate: expirationDatePb,
+	}
+}
+
+func awaitPersonalAccessTokens(t *testing.T, sinceTestStartFilter *user.PersonalAccessTokensSearchFilter, patIds ...string) {
+	sortingColumn := user.PersonalAccessTokenFieldName_PERSONAL_ACCESS_TOKEN_FIELD_NAME_ID
+	slices.Sort(patIds)
+	require.EventuallyWithT(t, func(collect *assert.CollectT) {
+		result, err := Client.ListPersonalAccessTokens(SystemCTX, &user.ListPersonalAccessTokensRequest{
+			Filters:       []*user.PersonalAccessTokensSearchFilter{sinceTestStartFilter},
+			SortingColumn: &sortingColumn,
+			Pagination: &filter.PaginationRequest{
+				Asc: true,
+			},
+		})
+		require.NoError(t, err)
+		if !assert.Len(collect, result.Result, len(patIds)) {
+			return
+		}
+		for i := range patIds {
+			patId := patIds[i]
+			require.Equal(collect, patId, result.Result[i].GetId())
+		}
+	}, 5*time.Second, time.Second, "pat not created in time")
+}

internal/api/grpc/user/v2/integration_test/phone_test.go

@@ -17,7 +17,7 @@ import (
 	"github.com/zitadel/zitadel/pkg/grpc/user/v2"
 )
 
-func TestServer_SetPhone(t *testing.T) {
+func TestServer_Deprecated_SetPhone(t *testing.T) {
 	userID := Instance.CreateHumanUser(CTX).GetUserId()
 
 	tests := []struct {
@@ -249,7 +249,7 @@ func TestServer_VerifyPhone(t *testing.T) {
 	}
 }
 
-func TestServer_RemovePhone(t *testing.T) {
+func TestServer_Deprecated_RemovePhone(t *testing.T) {
 	userResp := Instance.CreateHumanUser(CTX)
 	failResp := Instance.CreateHumanUserNoPhone(CTX)
 	otherUser := Instance.CreateHumanUser(CTX).GetUserId()

internal/api/grpc/user/v2/integration_test/secret_test.go

@@ -0,0 +1,347 @@
+//go:build integration
+
+package user_test
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/brianvoe/gofakeit/v6"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/zitadel/zitadel/pkg/grpc/user/v2"
+)
+
+func TestServer_AddSecret(t *testing.T) {
+	type args struct {
+		ctx     context.Context
+		req     *user.AddSecretRequest
+		prepare func(request *user.AddSecretRequest) error
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			name: "add secret, user not existing",
+			args: args{
+				CTX,
+				&user.AddSecretRequest{
+					UserId: "notexisting",
+				},
+				func(request *user.AddSecretRequest) error { return nil },
+			},
+			wantErr: true,
+		},
+		{
+			name: "add secret, ok",
+			args: args{
+				CTX,
+				&user.AddSecretRequest{},
+				func(request *user.AddSecretRequest) error {
+					resp := Instance.CreateUserTypeMachine(CTX)
+					request.UserId = resp.GetId()
+					return nil
+				},
+			},
+		},
+		{
+			name: "add secret human, not ok",
+			args: args{
+				CTX,
+				&user.AddSecretRequest{},
+				func(request *user.AddSecretRequest) error {
+					resp := Instance.CreateUserTypeMachine(CTX)
+					request.UserId = resp.GetId()
+					return nil
+				},
+			},
+		},
+		{
+			name: "overwrite secret, ok",
+			args: args{
+				CTX,
+				&user.AddSecretRequest{},
+				func(request *user.AddSecretRequest) error {
+					resp := Instance.CreateUserTypeMachine(CTX)
+					request.UserId = resp.GetId()
+					_, err := Client.AddSecret(CTX, &user.AddSecretRequest{
+						UserId: resp.GetId(),
+					})
+					return err
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			now := time.Now()
+			err := tt.args.prepare(tt.args.req)
+			require.NoError(t, err)
+			got, err := Client.AddSecret(tt.args.ctx, tt.args.req)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			assert.NotEmpty(t, got.ClientSecret, "client secret is empty")
+			creationDate := got.CreationDate.AsTime()
+			assert.Greater(t, creationDate, now, "creation date is before the test started")
+			assert.Less(t, creationDate, time.Now(), "creation date is in the future")
+		})
+	}
+}
+
+func TestServer_AddSecret_Permission(t *testing.T) {
+	otherOrg := Instance.CreateOrganization(IamCTX, fmt.Sprintf("AddSecret-%s", gofakeit.AppName()), gofakeit.Email())
+	otherOrgUser, err := Instance.Client.UserV2.CreateUser(IamCTX, &user.CreateUserRequest{
+		OrganizationId: otherOrg.OrganizationId,
+		UserType: &user.CreateUserRequest_Machine_{
+			Machine: &user.CreateUserRequest_Machine{
+				Name: gofakeit.Name(),
+			},
+		},
+	})
+	require.NoError(t, err)
+
+	type args struct {
+		ctx context.Context
+		req *user.AddSecretRequest
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			name: "system, ok",
+			args: args{
+				SystemCTX,
+				&user.AddSecretRequest{
+					UserId: otherOrgUser.GetId(),
+				},
+			},
+		},
+		{
+			name: "instance, ok",
+			args: args{
+				IamCTX,
+				&user.AddSecretRequest{
+					UserId: otherOrgUser.GetId(),
+				},
+			},
+		},
+		{
+			name: "org, error",
+			args: args{
+				CTX,
+				&user.AddSecretRequest{
+					UserId: otherOrgUser.GetId(),
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "user, error",
+			args: args{
+				UserCTX,
+				&user.AddSecretRequest{
+					UserId: otherOrgUser.GetId(),
+				},
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			now := time.Now()
+			require.NoError(t, err)
+			got, err := Client.AddSecret(tt.args.ctx, tt.args.req)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			assert.NotEmpty(t, got.ClientSecret, "client secret is empty")
+			creationDate := got.CreationDate.AsTime()
+			assert.Greater(t, creationDate, now, "creation date is before the test started")
+			assert.Less(t, creationDate, time.Now(), "creation date is in the future")
+		})
+	}
+}
+
+func TestServer_RemoveSecret(t *testing.T) {
+	type args struct {
+		ctx     context.Context
+		req     *user.RemoveSecretRequest
+		prepare func(request *user.RemoveSecretRequest) error
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			name: "remove secret, user not existing",
+			args: args{
+				CTX,
+				&user.RemoveSecretRequest{
+					UserId: "notexisting",
+				},
+				func(request *user.RemoveSecretRequest) error { return nil },
+			},
+			wantErr: true,
+		},
+		{
+			name: "remove secret, not existing",
+			args: args{
+				CTX,
+				&user.RemoveSecretRequest{},
+				func(request *user.RemoveSecretRequest) error {
+					resp := Instance.CreateUserTypeMachine(CTX)
+					request.UserId = resp.GetId()
+					return nil
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "remove secret, ok",
+			args: args{
+				CTX,
+				&user.RemoveSecretRequest{},
+				func(request *user.RemoveSecretRequest) error {
+					resp := Instance.CreateUserTypeMachine(CTX)
+					request.UserId = resp.GetId()
+					_, err := Instance.Client.UserV2.AddSecret(CTX, &user.AddSecretRequest{
+						UserId: resp.GetId(),
+					})
+					return err
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			now := time.Now()
+			err := tt.args.prepare(tt.args.req)
+			require.NoError(t, err)
+			got, err := Client.RemoveSecret(tt.args.ctx, tt.args.req)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			deletionDate := got.DeletionDate.AsTime()
+			assert.Greater(t, deletionDate, now, "creation date is before the test started")
+			assert.Less(t, deletionDate, time.Now(), "creation date is in the future")
+		})
+	}
+}
+
+func TestServer_RemoveSecret_Permission(t *testing.T) {
+	otherOrg := Instance.CreateOrganization(IamCTX, fmt.Sprintf("RemoveSecret-%s", gofakeit.AppName()), gofakeit.Email())
+	otherOrgUser, err := Instance.Client.UserV2.CreateUser(IamCTX, &user.CreateUserRequest{
+		OrganizationId: otherOrg.OrganizationId,
+		UserType: &user.CreateUserRequest_Machine_{
+			Machine: &user.CreateUserRequest_Machine{
+				Name: gofakeit.Name(),
+			},
+		},
+	})
+	require.NoError(t, err)
+
+	type args struct {
+		ctx     context.Context
+		req     *user.RemoveSecretRequest
+		prepare func(request *user.RemoveSecretRequest) error
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			name: "system, ok",
+			args: args{
+				SystemCTX,
+				&user.RemoveSecretRequest{
+					UserId: otherOrgUser.GetId(),
+				},
+				func(request *user.RemoveSecretRequest) error {
+					_, err := Instance.Client.UserV2.AddSecret(IamCTX, &user.AddSecretRequest{
+						UserId: otherOrgUser.GetId(),
+					})
+					return err
+				},
+			},
+		},
+		{
+			name: "instance, ok",
+			args: args{
+				IamCTX,
+				&user.RemoveSecretRequest{
+					UserId: otherOrgUser.GetId(),
+				},
+				func(request *user.RemoveSecretRequest) error {
+					_, err := Instance.Client.UserV2.AddSecret(IamCTX, &user.AddSecretRequest{
+						UserId: otherOrgUser.GetId(),
+					})
+					return err
+				},
+			},
+		},
+		{
+			name: "org, error",
+			args: args{
+				CTX,
+				&user.RemoveSecretRequest{
+					UserId: otherOrgUser.GetId(),
+				},
+				func(request *user.RemoveSecretRequest) error {
+					_, err := Instance.Client.UserV2.AddSecret(IamCTX, &user.AddSecretRequest{
+						UserId: otherOrgUser.GetId(),
+					})
+					return err
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "user, error",
+			args: args{
+				UserCTX,
+				&user.RemoveSecretRequest{
+					UserId: otherOrgUser.GetId(),
+				},
+				func(request *user.RemoveSecretRequest) error {
+					_, err := Instance.Client.UserV2.AddSecret(IamCTX, &user.AddSecretRequest{
+						UserId: otherOrgUser.GetId(),
+					})
+					return err
+				},
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			now := time.Now()
+			require.NoError(t, tt.args.prepare(tt.args.req))
+			got, err := Client.RemoveSecret(tt.args.ctx, tt.args.req)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			assert.NotEmpty(t, got.DeletionDate, "client secret is empty")
+			creationDate := got.DeletionDate.AsTime()
+			assert.Greater(t, creationDate, now, "creation date is before the test started")
+			assert.Less(t, creationDate, time.Now(), "creation date is in the future")
+		})
+	}
+}