From 5fdad7b8f4218d925cf4d8c799c94d5697d216d5 Mon Sep 17 00:00:00 2001
From: Stefan Benz <46600784+stebenz@users.noreply.github.com>
Date: Tue, 17 Sep 2024 10:27:48 +0200
Subject: [PATCH 01/19] feat: user v3 api update  (#8582)

# Which Problems Are Solved

Users are not yet able to update their information an status in user API
v3.

# How the Problems Are Solved

Add endpoints and functionality to update users and their status in user
API v3.

# Additional Changes

Aggregate_type and event_types are updated with "userschema" to avoid
conflicts with old events.

# Additional Context

closes #7898
---
 .../integration_test/execution_target_test.go |   26 +-
 .../resources/object/v3alpha/converter.go     |   15 +
 .../v3alpha/integration_test/server_test.go   |   25 +-
 .../v3alpha/integration_test/user_test.go     | 1344 ++++++++++-
 .../api/grpc/resources/user/v3alpha/user.go   |  146 +-
 .../v3alpha/integration_test/query_test.go    |   42 +-
 .../v3alpha/integration_test/server_test.go   |   24 +-
 .../integration_test/userschema_test.go       |  151 +-
 internal/command/user_schema.go               |    2 +-
 internal/command/user_schema_model.go         |   15 +-
 internal/command/user_v3.go                   |  264 ++-
 internal/command/user_v3_model.go             |   66 +-
 internal/command/user_v3_test.go              | 2029 ++++++++++++++++-
 internal/integration/client.go                |   54 +-
 .../repository/user/schemauser/aggregate.go   |    4 +-
 internal/repository/user/schemauser/email.go  |   87 +-
 .../repository/user/schemauser/eventstore.go  |   14 +
 internal/repository/user/schemauser/phone.go  |   91 +-
 internal/repository/user/schemauser/user.go   |  136 +-
 .../resources/user/v3alpha/user_service.proto |  142 +-
 20 files changed, 4265 insertions(+), 412 deletions(-)

diff --git a/internal/api/grpc/resources/action/v3alpha/integration_test/execution_target_test.go b/internal/api/grpc/resources/action/v3alpha/integration_test/execution_target_test.go
index 2bdbdee066..169ee0e5d2 100644
--- a/internal/api/grpc/resources/action/v3alpha/integration_test/execution_target_test.go
+++ b/internal/api/grpc/resources/action/v3alpha/integration_test/execution_target_test.go
@@ -250,16 +250,26 @@ func TestServer_ExecutionTarget(t *testing.T) {
 				require.NoError(t, err)
 				defer close()
 			}
-
-			got, err := instance.Client.ActionV3Alpha.GetTarget(tt.ctx, tt.req)
-			if tt.wantErr {
-				require.Error(t, err)
-				return
+			retryDuration := 5 * time.Second
+			if ctxDeadline, ok := isolatedIAMOwnerCTX.Deadline(); ok {
+				retryDuration = time.Until(ctxDeadline)
 			}
-			require.NoError(t, err)
 
-			integration.AssertResourceDetails(t, tt.want.GetTarget().GetDetails(), got.GetTarget().GetDetails())
-			assert.Equal(t, tt.want.GetTarget().GetConfig(), got.GetTarget().GetConfig())
+			require.EventuallyWithT(t, func(ttt *assert.CollectT) {
+				got, err := instance.Client.ActionV3Alpha.GetTarget(tt.ctx, tt.req)
+				if tt.wantErr {
+					assert.Error(ttt, err, "Error: "+err.Error())
+				} else {
+					assert.NoError(ttt, err)
+				}
+				if err != nil {
+					return
+				}
+
+				integration.AssertResourceDetails(t, tt.want.GetTarget().GetDetails(), got.GetTarget().GetDetails())
+				assert.Equal(t, tt.want.GetTarget().GetConfig(), got.GetTarget().GetConfig())
+			}, retryDuration, time.Millisecond*100, "timeout waiting for expected execution result")
+
 			if tt.clean != nil {
 				tt.clean(tt.ctx)
 			}
diff --git a/internal/api/grpc/resources/object/v3alpha/converter.go b/internal/api/grpc/resources/object/v3alpha/converter.go
index c2dc7bcc6d..869311b921 100644
--- a/internal/api/grpc/resources/object/v3alpha/converter.go
+++ b/internal/api/grpc/resources/object/v3alpha/converter.go
@@ -75,3 +75,18 @@ func SearchQueryPbToQuery(defaults systemdefaults.SystemDefaults, query *resourc
 	}
 	return offset, limit, asc, nil
 }
+
+func ResourceOwnerFromOrganization(organization *object.Organization) string {
+	if organization == nil {
+		return ""
+	}
+
+	if organization.GetOrgId() != "" {
+		return organization.GetOrgId()
+	}
+	if organization.GetOrgDomain() != "" {
+		// TODO get org from domain
+		return ""
+	}
+	return ""
+}
diff --git a/internal/api/grpc/resources/user/v3alpha/integration_test/server_test.go b/internal/api/grpc/resources/user/v3alpha/integration_test/server_test.go
index fa82005eb9..b2b11fd510 100644
--- a/internal/api/grpc/resources/user/v3alpha/integration_test/server_test.go
+++ b/internal/api/grpc/resources/user/v3alpha/integration_test/server_test.go
@@ -14,50 +14,41 @@ import (
 
 	"github.com/zitadel/zitadel/internal/integration"
 	"github.com/zitadel/zitadel/pkg/grpc/feature/v2"
-	user "github.com/zitadel/zitadel/pkg/grpc/resources/user/v3alpha"
 )
 
 var (
-	IAMOwnerCTX, SystemCTX context.Context
-	UserCTX                context.Context
-	Instance               *integration.Instance
-	Client                 user.ZITADELUsersClient
+	CTX context.Context
 )
 
 func TestMain(m *testing.M) {
 	os.Exit(func() int {
 		ctx, cancel := context.WithTimeout(context.Background(), 15*time.Minute)
 		defer cancel()
-
-		Instance = integration.NewInstance(ctx)
-
-		IAMOwnerCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner)
-		SystemCTX = integration.WithSystemAuthorization(ctx)
-		UserCTX = Instance.WithAuthorization(ctx, integration.UserTypeLogin)
-		Client = Instance.Client.UserV3Alpha
+		CTX = ctx
 		return m.Run()
 	}())
 }
 
-func ensureFeatureEnabled(t *testing.T, iamOwnerCTX context.Context) {
-	f, err := Instance.Client.FeatureV2.GetInstanceFeatures(iamOwnerCTX, &feature.GetInstanceFeaturesRequest{
+func ensureFeatureEnabled(t *testing.T, instance *integration.Instance) {
+	ctx := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
+	f, err := instance.Client.FeatureV2.GetInstanceFeatures(ctx, &feature.GetInstanceFeaturesRequest{
 		Inheritance: true,
 	})
 	require.NoError(t, err)
 	if f.UserSchema.GetEnabled() {
 		return
 	}
-	_, err = Instance.Client.FeatureV2.SetInstanceFeatures(iamOwnerCTX, &feature.SetInstanceFeaturesRequest{
+	_, err = instance.Client.FeatureV2.SetInstanceFeatures(ctx, &feature.SetInstanceFeaturesRequest{
 		UserSchema: gu.Ptr(true),
 	})
 	require.NoError(t, err)
 	retryDuration := time.Minute
-	if ctxDeadline, ok := iamOwnerCTX.Deadline(); ok {
+	if ctxDeadline, ok := ctx.Deadline(); ok {
 		retryDuration = time.Until(ctxDeadline)
 	}
 	require.EventuallyWithT(t,
 		func(ttt *assert.CollectT) {
-			f, err := Instance.Client.FeatureV2.GetInstanceFeatures(iamOwnerCTX, &feature.GetInstanceFeaturesRequest{
+			f, err := instance.Client.FeatureV2.GetInstanceFeatures(ctx, &feature.GetInstanceFeaturesRequest{
 				Inheritance: true,
 			})
 			require.NoError(ttt, err)
diff --git a/internal/api/grpc/resources/user/v3alpha/integration_test/user_test.go b/internal/api/grpc/resources/user/v3alpha/integration_test/user_test.go
index 7f15a2c562..c8db0f7f6a 100644
--- a/internal/api/grpc/resources/user/v3alpha/integration_test/user_test.go
+++ b/internal/api/grpc/resources/user/v3alpha/integration_test/user_test.go
@@ -7,6 +7,7 @@ import (
 	"testing"
 
 	"github.com/brianvoe/gofakeit/v6"
+	"github.com/muhlemmer/gu"
 	"github.com/stretchr/testify/require"
 	"github.com/zitadel/logging"
 	"google.golang.org/protobuf/types/known/structpb"
@@ -19,7 +20,11 @@ import (
 )
 
 func TestServer_CreateUser(t *testing.T) {
-	ensureFeatureEnabled(t, IAMOwnerCTX)
+	t.Parallel()
+	instance := integration.NewInstance(CTX)
+	ensureFeatureEnabled(t, instance)
+	isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
+
 	schema := []byte(`{
 		"$schema": "urn:zitadel:schema:v1",
 			"type": "object",
@@ -29,7 +34,7 @@ func TestServer_CreateUser(t *testing.T) {
 			}
 		}
 	}`)
-	schemaResp := Instance.CreateUserSchema(IAMOwnerCTX, schema)
+	schemaResp := instance.CreateUserSchema(isolatedIAMOwnerCTX, schema)
 	permissionSchema := []byte(`{
 		"$schema": "urn:zitadel:schema:v1",
 			"type": "object",
@@ -43,8 +48,8 @@ func TestServer_CreateUser(t *testing.T) {
 			}
 		}
 	}`)
-	permissionSchemaResp := Instance.CreateUserSchema(IAMOwnerCTX, permissionSchema)
-	orgResp := Instance.CreateOrganization(IAMOwnerCTX, gofakeit.Name(), gofakeit.Email())
+	permissionSchemaResp := instance.CreateUserSchema(isolatedIAMOwnerCTX, permissionSchema)
+	orgResp := instance.CreateOrganization(isolatedIAMOwnerCTX, gofakeit.Name(), gofakeit.Email())
 
 	type res struct {
 		want            *resource_object.Details
@@ -60,7 +65,7 @@ func TestServer_CreateUser(t *testing.T) {
 	}{
 		{
 			name: "user create, no schemaID",
-			ctx:  IAMOwnerCTX,
+			ctx:  isolatedIAMOwnerCTX,
 			req: &user.CreateUserRequest{
 				Organization: &object.Organization{
 					Property: &object.Organization_OrgId{
@@ -89,7 +94,7 @@ func TestServer_CreateUser(t *testing.T) {
 		},
 		{
 			name: "user create, no permission",
-			ctx:  UserCTX,
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
 			req: &user.CreateUserRequest{
 				Organization: &object.Organization{
 					Property: &object.Organization_OrgId{
@@ -105,7 +110,7 @@ func TestServer_CreateUser(t *testing.T) {
 		},
 		{
 			name: "user create, invalid schema permission, owner",
-			ctx:  IAMOwnerCTX,
+			ctx:  isolatedIAMOwnerCTX,
 			req: &user.CreateUserRequest{
 				Organization: &object.Organization{
 					Property: &object.Organization_OrgId{
@@ -121,7 +126,7 @@ func TestServer_CreateUser(t *testing.T) {
 		},
 		{
 			name: "user create, no user data",
-			ctx:  IAMOwnerCTX,
+			ctx:  isolatedIAMOwnerCTX,
 			req: &user.CreateUserRequest{
 				Organization: &object.Organization{
 					Property: &object.Organization_OrgId{
@@ -144,7 +149,7 @@ func TestServer_CreateUser(t *testing.T) {
 		},
 		{
 			name: "user create, ok",
-			ctx:  IAMOwnerCTX,
+			ctx:  isolatedIAMOwnerCTX,
 			req: &user.CreateUserRequest{
 				Organization: &object.Organization{
 					Property: &object.Organization_OrgId{
@@ -165,9 +170,10 @@ func TestServer_CreateUser(t *testing.T) {
 					},
 				},
 			},
-		}, {
+		},
+		{
 			name: "user create, full contact, ok",
-			ctx:  IAMOwnerCTX,
+			ctx:  isolatedIAMOwnerCTX,
 			req: &user.CreateUserRequest{
 				Organization: &object.Organization{
 					Property: &object.Organization_OrgId{
@@ -204,7 +210,423 @@ func TestServer_CreateUser(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := Instance.Client.UserV3Alpha.CreateUser(tt.ctx, tt.req)
+			got, err := instance.Client.UserV3Alpha.CreateUser(tt.ctx, tt.req)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			integration.AssertResourceDetails(t, tt.res.want, got.Details)
+			if tt.res.returnCodeEmail {
+				require.NotNil(t, got.EmailCode)
+			}
+			if tt.res.returnCodePhone {
+				require.NotNil(t, got.PhoneCode)
+			}
+		})
+	}
+}
+
+func TestServer_PatchUser(t *testing.T) {
+	t.Parallel()
+	instance := integration.NewInstance(CTX)
+	ensureFeatureEnabled(t, instance)
+	isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
+
+	schema := []byte(`{
+		"$schema": "urn:zitadel:schema:v1",
+			"type": "object",
+			"properties": {
+			"name": {
+				"type": "string"
+			}
+		}
+	}`)
+	schemaResp := instance.CreateUserSchema(isolatedIAMOwnerCTX, schema)
+	permissionSchema := []byte(`{
+		"$schema": "urn:zitadel:schema:v1",
+			"type": "object",
+			"properties": {
+			"name": {
+				"urn:zitadel:schema:permission": {
+					"owner": "r",
+					"self": "r"
+				},
+				"type": "string"
+			}
+		}
+	}`)
+	permissionSchemaResp := instance.CreateUserSchema(isolatedIAMOwnerCTX, permissionSchema)
+	orgResp := instance.CreateOrganization(isolatedIAMOwnerCTX, gofakeit.Name(), gofakeit.Email())
+
+	type res struct {
+		want            *resource_object.Details
+		returnCodeEmail bool
+		returnCodePhone bool
+	}
+	tests := []struct {
+		name    string
+		ctx     context.Context
+		dep     func(req *user.PatchUserRequest) error
+		req     *user.PatchUserRequest
+		res     res
+		wantErr bool
+	}{
+		{
+			name: "user patch, no context",
+			ctx:  context.Background(),
+			dep: func(req *user.PatchUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.PatchUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				User: &user.PatchUser{
+					Data: unmarshalJSON("{\"name\": \"user\"}"),
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "user patch, no permission",
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			dep: func(req *user.PatchUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.PatchUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				User: &user.PatchUser{
+					Data: unmarshalJSON("{\"name\": \"user\"}"),
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "user patch, invalid schema permission, owner",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.PatchUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.PatchUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				User: &user.PatchUser{
+					SchemaId: gu.Ptr(permissionSchemaResp.GetDetails().GetId()),
+					Data:     unmarshalJSON("{\"name\": \"user\"}"),
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "user patch, not found",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.PatchUserRequest) error {
+				return nil
+			},
+			req: &user.PatchUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Id: "notexisting",
+				User: &user.PatchUser{
+					Data: unmarshalJSON("{\"name\": \"user\"}"),
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "user patch, not found, org",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.PatchUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.PatchUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: "not existing",
+					},
+				},
+				User: &user.PatchUser{
+					Data: unmarshalJSON("{\"name\": \"user\"}"),
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "user patch, no change",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.PatchUserRequest) error {
+				data := "{\"name\": \"user\"}"
+				schemaID := schemaResp.GetDetails().GetId()
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaID, []byte(data))
+				req.Id = userResp.GetDetails().GetId()
+				req.User.Data = unmarshalJSON(data)
+				req.User.SchemaId = gu.Ptr(schemaID)
+				return nil
+			},
+			req: &user.PatchUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				User: &user.PatchUser{},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+		{
+			name: "user patch, schema, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.PatchUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				changedSchemaResp := instance.CreateUserSchema(isolatedIAMOwnerCTX, schema)
+				req.User.SchemaId = gu.Ptr(changedSchemaResp.Details.Id)
+				return nil
+			},
+			req: &user.PatchUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				User: &user.PatchUser{},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+		{
+			name: "user patch, schema and data, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.PatchUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				changedSchemaResp := instance.CreateUserSchema(isolatedIAMOwnerCTX, schema)
+				req.User.SchemaId = gu.Ptr(changedSchemaResp.Details.Id)
+				return nil
+			},
+			req: &user.PatchUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				User: &user.PatchUser{
+					Data: unmarshalJSON("{\"name\": \"changed\"}"),
+				},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+		{
+			name: "user patch, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.PatchUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.PatchUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				User: &user.PatchUser{
+					Data: unmarshalJSON("{\"name\": \"changed\"}"),
+				},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+		{
+			name: "user patch, no org, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.PatchUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.PatchUserRequest{
+				User: &user.PatchUser{
+					Data: unmarshalJSON("{\"name\": \"changed\"}"),
+				},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+		{
+			name: "user patch, contact email, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.PatchUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.PatchUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				User: &user.PatchUser{
+					Contact: &user.SetContact{
+						Email: &user.SetEmail{
+							Address:      gofakeit.Email(),
+							Verification: &user.SetEmail_ReturnCode{ReturnCode: &user.ReturnEmailVerificationCode{}},
+						},
+					},
+				},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+				returnCodeEmail: true,
+			},
+		},
+		{
+			name: "user patch, contact phone, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.PatchUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.PatchUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				User: &user.PatchUser{
+					Contact: &user.SetContact{
+						Phone: &user.SetPhone{
+							Number:       gofakeit.Phone(),
+							Verification: &user.SetPhone_ReturnCode{ReturnCode: &user.ReturnPhoneVerificationCode{}},
+						},
+					},
+				},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+				returnCodePhone: true,
+			},
+		},
+		{
+			name: "user patch, full contact, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.PatchUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.PatchUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				User: &user.PatchUser{
+					Data: unmarshalJSON("{\"name\": \"changed\"}"),
+					Contact: &user.SetContact{
+						Email: &user.SetEmail{
+							Address:      gofakeit.Email(),
+							Verification: &user.SetEmail_ReturnCode{ReturnCode: &user.ReturnEmailVerificationCode{}},
+						},
+						Phone: &user.SetPhone{
+							Number:       gofakeit.Phone(),
+							Verification: &user.SetPhone_ReturnCode{ReturnCode: &user.ReturnPhoneVerificationCode{}},
+						},
+					},
+				},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+				returnCodePhone: true,
+				returnCodeEmail: true,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.dep != nil {
+				err := tt.dep(tt.req)
+				require.NoError(t, err)
+			}
+			got, err := instance.Client.UserV3Alpha.PatchUser(tt.ctx, tt.req)
 			if tt.wantErr {
 				require.Error(t, err)
 				return
@@ -222,7 +644,11 @@ func TestServer_CreateUser(t *testing.T) {
 }
 
 func TestServer_DeleteUser(t *testing.T) {
-	ensureFeatureEnabled(t, IAMOwnerCTX)
+	t.Parallel()
+	instance := integration.NewInstance(CTX)
+	ensureFeatureEnabled(t, instance)
+	isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
+
 	schema := []byte(`{
 		"$schema": "urn:zitadel:schema:v1",
 			"type": "object",
@@ -232,49 +658,66 @@ func TestServer_DeleteUser(t *testing.T) {
 			}
 		}
 	}`)
-	schemaResp := Instance.CreateUserSchema(IAMOwnerCTX, schema)
-	orgResp := Instance.CreateOrganization(IAMOwnerCTX, gofakeit.Name(), gofakeit.Email())
+	schemaResp := instance.CreateUserSchema(isolatedIAMOwnerCTX, schema)
+	orgResp := instance.CreateOrganization(isolatedIAMOwnerCTX, gofakeit.Name(), gofakeit.Email())
 
 	tests := []struct {
 		name    string
 		ctx     context.Context
-		dep     func(ctx context.Context, req *user.DeleteUserRequest) error
+		dep     func(req *user.DeleteUserRequest) error
 		req     *user.DeleteUserRequest
 		want    *resource_object.Details
 		wantErr bool
 	}{
 		{
 			name: "user delete, no userID",
-			ctx:  IAMOwnerCTX,
+			ctx:  isolatedIAMOwnerCTX,
 			req: &user.DeleteUserRequest{
 				Organization: &object.Organization{
 					Property: &object.Organization_OrgId{
 						OrgId: orgResp.GetOrganizationId(),
 					},
 				},
-				UserId: "",
+				Id: "",
 			},
 			wantErr: true,
 		},
 		{
 			name: "user delete, not existing",
-			ctx:  IAMOwnerCTX,
+			ctx:  isolatedIAMOwnerCTX,
 			req: &user.DeleteUserRequest{
 				Organization: &object.Organization{
 					Property: &object.Organization_OrgId{
 						OrgId: orgResp.GetOrganizationId(),
 					},
 				},
-				UserId: "notexisting",
+				Id: "notexisting",
+			},
+			wantErr: true,
+		},
+		{
+			name: "user delete, not existing, org",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.DeleteUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.DeleteUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: "notexisting",
+					},
+				},
 			},
 			wantErr: true,
 		},
 		{
 			name: "user delete, no context",
 			ctx:  context.Background(),
-			dep: func(ctx context.Context, req *user.DeleteUserRequest) error {
-				userResp := Instance.CreateSchemaUser(IAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
-				req.UserId = userResp.GetDetails().GetId()
+			dep: func(req *user.DeleteUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
 				return nil
 			},
 			req: &user.DeleteUserRequest{
@@ -288,10 +731,10 @@ func TestServer_DeleteUser(t *testing.T) {
 		},
 		{
 			name: "user delete, no permission",
-			ctx:  UserCTX,
-			dep: func(ctx context.Context, req *user.DeleteUserRequest) error {
-				userResp := Instance.CreateSchemaUser(IAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
-				req.UserId = userResp.GetDetails().GetId()
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			dep: func(req *user.DeleteUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
 				return nil
 			},
 			req: &user.DeleteUserRequest{
@@ -305,10 +748,75 @@ func TestServer_DeleteUser(t *testing.T) {
 		},
 		{
 			name: "user delete, ok",
-			ctx:  IAMOwnerCTX,
-			dep: func(ctx context.Context, req *user.DeleteUserRequest) error {
-				userResp := Instance.CreateSchemaUser(ctx, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
-				req.UserId = userResp.GetDetails().GetId()
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.DeleteUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.DeleteUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			want: &resource_object.Details{
+				Changed: timestamppb.Now(),
+				Owner: &object.Owner{
+					Type: object.OwnerType_OWNER_TYPE_ORG,
+					Id:   orgResp.GetOrganizationId(),
+				},
+			},
+		},
+		{
+			name: "user delete, no org, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.DeleteUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.DeleteUserRequest{},
+			want: &resource_object.Details{
+				Changed: timestamppb.Now(),
+				Owner: &object.Owner{
+					Type: object.OwnerType_OWNER_TYPE_ORG,
+					Id:   orgResp.GetOrganizationId(),
+				},
+			},
+		},
+		{
+			name: "user delete, locked, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.DeleteUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				instance.LockSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id)
+				return nil
+			},
+			req: &user.DeleteUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			want: &resource_object.Details{
+				Changed: timestamppb.Now(),
+				Owner: &object.Owner{
+					Type: object.OwnerType_OWNER_TYPE_ORG,
+					Id:   orgResp.GetOrganizationId(),
+				},
+			},
+		},
+		{
+			name: "user delete, deactivated, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.DeleteUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				instance.DeactivateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id)
 				return nil
 			},
 			req: &user.DeleteUserRequest{
@@ -330,10 +838,10 @@ func TestServer_DeleteUser(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			if tt.dep != nil {
-				err := tt.dep(tt.ctx, tt.req)
+				err := tt.dep(tt.req)
 				require.NoError(t, err)
 			}
-			got, err := Instance.Client.UserV3Alpha.DeleteUser(tt.ctx, tt.req)
+			got, err := instance.Client.UserV3Alpha.DeleteUser(tt.ctx, tt.req)
 			if tt.wantErr {
 				require.Error(t, err)
 				return
@@ -352,3 +860,773 @@ func unmarshalJSON(data string) *structpb.Struct {
 	}
 	return user
 }
+
+func TestServer_LockUser(t *testing.T) {
+	t.Parallel()
+	instance := integration.NewInstance(CTX)
+	ensureFeatureEnabled(t, instance)
+	isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
+	schema := []byte(`{
+		"$schema": "urn:zitadel:schema:v1",
+			"type": "object",
+			"properties": {
+			"name": {
+				"type": "string"
+			}
+		}
+	}`)
+	schemaResp := instance.CreateUserSchema(isolatedIAMOwnerCTX, schema)
+	orgResp := instance.CreateOrganization(isolatedIAMOwnerCTX, gofakeit.Name(), gofakeit.Email())
+
+	tests := []struct {
+		name    string
+		ctx     context.Context
+		dep     func(req *user.LockUserRequest) error
+		req     *user.LockUserRequest
+		want    *resource_object.Details
+		wantErr bool
+	}{
+		{
+			name: "user lock, no userID",
+			ctx:  isolatedIAMOwnerCTX,
+			req: &user.LockUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Id: "",
+			},
+			wantErr: true,
+		},
+		{
+			name: "user lock, not existing",
+			ctx:  isolatedIAMOwnerCTX,
+			req: &user.LockUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Id: "notexisting",
+			},
+			wantErr: true,
+		},
+		{
+			name: "user lock, not existing in org",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.LockUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.LockUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: "notexisting",
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "user lock, no context",
+			ctx:  context.Background(),
+			dep: func(req *user.LockUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.LockUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "user lock, no permission",
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			dep: func(req *user.LockUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.LockUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "user lock, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.LockUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.LockUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			want: &resource_object.Details{
+				Changed: timestamppb.Now(),
+				Owner: &object.Owner{
+					Type: object.OwnerType_OWNER_TYPE_ORG,
+					Id:   orgResp.GetOrganizationId(),
+				},
+			},
+		},
+		{
+			name: "user lock, no org, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.LockUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.LockUserRequest{},
+			want: &resource_object.Details{
+				Changed: timestamppb.Now(),
+				Owner: &object.Owner{
+					Type: object.OwnerType_OWNER_TYPE_ORG,
+					Id:   orgResp.GetOrganizationId(),
+				},
+			},
+		},
+		{
+			name: "user lock, already locked",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.LockUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				instance.LockSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id)
+				return nil
+			},
+			req: &user.LockUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "user lock, deactivated",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.LockUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				instance.DeactivateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id)
+				return nil
+			},
+			req: &user.LockUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			want: &resource_object.Details{
+				Changed: timestamppb.Now(),
+				Owner: &object.Owner{
+					Type: object.OwnerType_OWNER_TYPE_ORG,
+					Id:   orgResp.GetOrganizationId(),
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.dep != nil {
+				err := tt.dep(tt.req)
+				require.NoError(t, err)
+			}
+			got, err := instance.Client.UserV3Alpha.LockUser(tt.ctx, tt.req)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			integration.AssertResourceDetails(t, tt.want, got.Details)
+		})
+	}
+}
+
+func TestServer_UnlockUser(t *testing.T) {
+	t.Parallel()
+	instance := integration.NewInstance(CTX)
+	ensureFeatureEnabled(t, instance)
+	isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
+	schema := []byte(`{
+		"$schema": "urn:zitadel:schema:v1",
+			"type": "object",
+			"properties": {
+			"name": {
+				"type": "string"
+			}
+		}
+	}`)
+	schemaResp := instance.CreateUserSchema(isolatedIAMOwnerCTX, schema)
+	orgResp := instance.CreateOrganization(isolatedIAMOwnerCTX, gofakeit.Name(), gofakeit.Email())
+
+	tests := []struct {
+		name    string
+		ctx     context.Context
+		dep     func(req *user.UnlockUserRequest) error
+		req     *user.UnlockUserRequest
+		want    *resource_object.Details
+		wantErr bool
+	}{
+		{
+			name: "user unlock, no userID",
+			ctx:  isolatedIAMOwnerCTX,
+			req: &user.UnlockUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Id: "",
+			},
+			wantErr: true,
+		},
+		{
+			name: "user unlock, not existing",
+			ctx:  isolatedIAMOwnerCTX,
+			req: &user.UnlockUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Id: "notexisting",
+			},
+			wantErr: true,
+		},
+		{
+			name: "user unlock, not existing in org",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.UnlockUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.UnlockUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: "notexisting",
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "user unlock, no context",
+			ctx:  context.Background(),
+			dep: func(req *user.UnlockUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				instance.LockSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id)
+				return nil
+			},
+			req: &user.UnlockUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "user unlock, no permission",
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			dep: func(req *user.UnlockUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				instance.LockSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id)
+				return nil
+			},
+			req: &user.UnlockUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "user unlock, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.UnlockUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				instance.LockSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id)
+				return nil
+			},
+			req: &user.UnlockUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			want: &resource_object.Details{
+				Changed: timestamppb.Now(),
+				Owner: &object.Owner{
+					Type: object.OwnerType_OWNER_TYPE_ORG,
+					Id:   orgResp.GetOrganizationId(),
+				},
+			},
+		},
+		{
+			name: "user unlock,no org, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.UnlockUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				instance.LockSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id)
+				return nil
+			},
+			req: &user.UnlockUserRequest{},
+			want: &resource_object.Details{
+				Changed: timestamppb.Now(),
+				Owner: &object.Owner{
+					Type: object.OwnerType_OWNER_TYPE_ORG,
+					Id:   orgResp.GetOrganizationId(),
+				},
+			},
+		},
+		{
+			name: "user unlock, already unlocked",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.UnlockUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				instance.LockSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id)
+				instance.UnlockSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id)
+				return nil
+			},
+			req: &user.UnlockUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.dep != nil {
+				err := tt.dep(tt.req)
+				require.NoError(t, err)
+			}
+			got, err := instance.Client.UserV3Alpha.UnlockUser(tt.ctx, tt.req)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			integration.AssertResourceDetails(t, tt.want, got.Details)
+		})
+	}
+}
+
+func TestServer_DeactivateUser(t *testing.T) {
+	t.Parallel()
+	instance := integration.NewInstance(CTX)
+	ensureFeatureEnabled(t, instance)
+	isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
+	schema := []byte(`{
+		"$schema": "urn:zitadel:schema:v1",
+			"type": "object",
+			"properties": {
+			"name": {
+				"type": "string"
+			}
+		}
+	}`)
+	schemaResp := instance.CreateUserSchema(isolatedIAMOwnerCTX, schema)
+	orgResp := instance.CreateOrganization(isolatedIAMOwnerCTX, gofakeit.Name(), gofakeit.Email())
+
+	tests := []struct {
+		name    string
+		ctx     context.Context
+		dep     func(req *user.DeactivateUserRequest) error
+		req     *user.DeactivateUserRequest
+		want    *resource_object.Details
+		wantErr bool
+	}{
+		{
+			name: "user deactivate, no userID",
+			ctx:  isolatedIAMOwnerCTX,
+			req: &user.DeactivateUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Id: "",
+			},
+			wantErr: true,
+		},
+		{
+			name: "user deactivate, not existing",
+			ctx:  isolatedIAMOwnerCTX,
+			req: &user.DeactivateUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Id: "notexisting",
+			},
+			wantErr: true,
+		},
+		{
+			name: "user deactivate, not existing in org",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.DeactivateUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.DeactivateUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: "notexisting",
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "user deactivate, no context",
+			ctx:  context.Background(),
+			dep: func(req *user.DeactivateUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.DeactivateUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "user deactivate, no permission",
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			dep: func(req *user.DeactivateUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.DeactivateUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "user deactivate, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.DeactivateUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.DeactivateUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			want: &resource_object.Details{
+				Changed: timestamppb.Now(),
+				Owner: &object.Owner{
+					Type: object.OwnerType_OWNER_TYPE_ORG,
+					Id:   orgResp.GetOrganizationId(),
+				},
+			},
+		},
+		{
+			name: "user deactivate, no org, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.DeactivateUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.DeactivateUserRequest{},
+			want: &resource_object.Details{
+				Changed: timestamppb.Now(),
+				Owner: &object.Owner{
+					Type: object.OwnerType_OWNER_TYPE_ORG,
+					Id:   orgResp.GetOrganizationId(),
+				},
+			},
+		},
+		{
+			name: "user deactivate, already deactivated",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.DeactivateUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				instance.DeactivateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id)
+				return nil
+			},
+			req: &user.DeactivateUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "user deactivate, locked",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.DeactivateUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				instance.LockSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id)
+				return nil
+			},
+			req: &user.DeactivateUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			want: &resource_object.Details{
+				Changed: timestamppb.Now(),
+				Owner: &object.Owner{
+					Type: object.OwnerType_OWNER_TYPE_ORG,
+					Id:   orgResp.GetOrganizationId(),
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.dep != nil {
+				err := tt.dep(tt.req)
+				require.NoError(t, err)
+			}
+			got, err := instance.Client.UserV3Alpha.DeactivateUser(tt.ctx, tt.req)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			integration.AssertResourceDetails(t, tt.want, got.Details)
+		})
+	}
+}
+
+func TestServer_ActivateUser(t *testing.T) {
+	t.Parallel()
+	instance := integration.NewInstance(CTX)
+	ensureFeatureEnabled(t, instance)
+	isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
+	schema := []byte(`{
+		"$schema": "urn:zitadel:schema:v1",
+			"type": "object",
+			"properties": {
+			"name": {
+				"type": "string"
+			}
+		}
+	}`)
+	schemaResp := instance.CreateUserSchema(isolatedIAMOwnerCTX, schema)
+	orgResp := instance.CreateOrganization(isolatedIAMOwnerCTX, gofakeit.Name(), gofakeit.Email())
+
+	tests := []struct {
+		name    string
+		ctx     context.Context
+		dep     func(req *user.ActivateUserRequest) error
+		req     *user.ActivateUserRequest
+		want    *resource_object.Details
+		wantErr bool
+	}{
+		{
+			name: "user activate, no userID",
+			ctx:  isolatedIAMOwnerCTX,
+			req: &user.ActivateUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Id: "",
+			},
+			wantErr: true,
+		},
+		{
+			name: "user activate, not existing",
+			ctx:  isolatedIAMOwnerCTX,
+			req: &user.ActivateUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Id: "notexisting",
+			},
+			wantErr: true,
+		},
+		{
+			name: "user activate, not existing in org",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.ActivateUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.ActivateUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: "notexisting",
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "user activate, no context",
+			ctx:  context.Background(),
+			dep: func(req *user.ActivateUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				instance.DeactivateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id)
+				return nil
+			},
+			req: &user.ActivateUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "user activate, no permission",
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			dep: func(req *user.ActivateUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				instance.DeactivateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id)
+				return nil
+			},
+			req: &user.ActivateUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "user activate, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.ActivateUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				instance.DeactivateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id)
+				return nil
+			},
+			req: &user.ActivateUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			want: &resource_object.Details{
+				Changed: timestamppb.Now(),
+				Owner: &object.Owner{
+					Type: object.OwnerType_OWNER_TYPE_ORG,
+					Id:   orgResp.GetOrganizationId(),
+				},
+			},
+		},
+		{
+			name: "user activate, no org, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.ActivateUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				instance.DeactivateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id)
+				return nil
+			},
+			req: &user.ActivateUserRequest{},
+			want: &resource_object.Details{
+				Changed: timestamppb.Now(),
+				Owner: &object.Owner{
+					Type: object.OwnerType_OWNER_TYPE_ORG,
+					Id:   orgResp.GetOrganizationId(),
+				},
+			},
+		},
+		{
+			name: "user activate, already activated",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.ActivateUserRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				instance.DeactivateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id)
+				instance.ActivateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id)
+				return nil
+			},
+			req: &user.ActivateUserRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.dep != nil {
+				err := tt.dep(tt.req)
+				require.NoError(t, err)
+			}
+			got, err := instance.Client.UserV3Alpha.ActivateUser(tt.ctx, tt.req)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			integration.AssertResourceDetails(t, tt.want, got.Details)
+		})
+	}
+}
diff --git a/internal/api/grpc/resources/user/v3alpha/user.go b/internal/api/grpc/resources/user/v3alpha/user.go
index ede2f122aa..7c3f2a750e 100644
--- a/internal/api/grpc/resources/user/v3alpha/user.go
+++ b/internal/api/grpc/resources/user/v3alpha/user.go
@@ -8,6 +8,7 @@ import (
 	"github.com/zitadel/zitadel/internal/api/authz"
 	resource_object "github.com/zitadel/zitadel/internal/api/grpc/resources/object/v3alpha"
 	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/zerrors"
 	object "github.com/zitadel/zitadel/pkg/grpc/object/v3alpha"
 	"github.com/zitadel/zitadel/pkg/grpc/resources/user/v3alpha"
@@ -26,7 +27,7 @@ func (s *Server) CreateUser(ctx context.Context, req *user.CreateUserRequest) (_
 		return nil, err
 	}
 	return &user.CreateUserResponse{
-		Details:   resource_object.DomainToDetailsPb(schemauser.Details, object.OwnerType_OWNER_TYPE_ORG, schemauser.ResourceOwner),
+		Details:   resource_object.DomainToDetailsPb(schemauser.Details, object.OwnerType_OWNER_TYPE_ORG, schemauser.Details.ResourceOwner),
 		EmailCode: gu.Ptr(schemauser.ReturnCodeEmail),
 		PhoneCode: gu.Ptr(schemauser.ReturnCodePhone),
 	}, nil
@@ -37,19 +38,35 @@ func createUserRequestToCreateSchemaUser(ctx context.Context, req *user.CreateUs
 	if err != nil {
 		return nil, err
 	}
+
 	return &command.CreateSchemaUser{
-		ResourceOwner: authz.GetCtxData(ctx).OrgID,
+		ResourceOwner: organizationToCreateResourceOwner(ctx, req.Organization),
 		SchemaID:      req.GetUser().GetSchemaId(),
 		ID:            req.GetUser().GetUserId(),
 		Data:          data,
 	}, nil
 }
 
+func organizationToCreateResourceOwner(ctx context.Context, org *object.Organization) string {
+	resourceOwner := authz.GetCtxData(ctx).OrgID
+	if resourceOwnerReq := resource_object.ResourceOwnerFromOrganization(org); resourceOwnerReq != "" {
+		return resourceOwnerReq
+	}
+	return resourceOwner
+}
+
+func organizationToUpdateResourceOwner(org *object.Organization) string {
+	if resourceOwnerReq := resource_object.ResourceOwnerFromOrganization(org); resourceOwnerReq != "" {
+		return resourceOwnerReq
+	}
+	return ""
+}
+
 func (s *Server) DeleteUser(ctx context.Context, req *user.DeleteUserRequest) (_ *user.DeleteUserResponse, err error) {
 	if err := checkUserSchemaEnabled(ctx); err != nil {
 		return nil, err
 	}
-	details, err := s.command.DeleteSchemaUser(ctx, req.GetUserId())
+	details, err := s.command.DeleteSchemaUser(ctx, organizationToUpdateResourceOwner(req.Organization), req.GetId())
 	if err != nil {
 		return nil, err
 	}
@@ -64,3 +81,126 @@ func checkUserSchemaEnabled(ctx context.Context) error {
 	}
 	return zerrors.ThrowPreconditionFailed(nil, "TODO", "Errors.UserSchema.NotEnabled")
 }
+
+func (s *Server) PatchUser(ctx context.Context, req *user.PatchUserRequest) (_ *user.PatchUserResponse, err error) {
+	if err := checkUserSchemaEnabled(ctx); err != nil {
+		return nil, err
+	}
+	schemauser, err := patchUserRequestToChangeSchemaUser(req)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := s.command.ChangeSchemaUser(ctx, schemauser, s.userCodeAlg); err != nil {
+		return nil, err
+	}
+	return &user.PatchUserResponse{
+		Details:   resource_object.DomainToDetailsPb(schemauser.Details, object.OwnerType_OWNER_TYPE_ORG, schemauser.Details.ResourceOwner),
+		EmailCode: gu.Ptr(schemauser.ReturnCodeEmail),
+		PhoneCode: gu.Ptr(schemauser.ReturnCodePhone),
+	}, nil
+}
+
+func patchUserRequestToChangeSchemaUser(req *user.PatchUserRequest) (_ *command.ChangeSchemaUser, err error) {
+	var data []byte
+	if req.GetUser().Data != nil {
+		data, err = req.GetUser().GetData().MarshalJSON()
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	var email *command.Email
+	var phone *command.Phone
+	if req.GetUser().GetContact() != nil {
+		if req.GetUser().GetContact().GetEmail() != nil {
+			email = &command.Email{
+				Address: domain.EmailAddress(req.GetUser().GetContact().Email.Address),
+			}
+			if req.GetUser().GetContact().Email.GetIsVerified() {
+				email.Verified = true
+			}
+			if req.GetUser().GetContact().Email.GetReturnCode() != nil {
+				email.ReturnCode = true
+			}
+			if req.GetUser().GetContact().Email.GetSendCode() != nil {
+				email.URLTemplate = req.GetUser().GetContact().Email.GetSendCode().GetUrlTemplate()
+			}
+		}
+		if req.GetUser().GetContact().Phone != nil {
+			phone = &command.Phone{
+				Number: domain.PhoneNumber(req.GetUser().GetContact().Phone.Number),
+			}
+			if req.GetUser().GetContact().Phone.GetIsVerified() {
+				phone.Verified = true
+			}
+			if req.GetUser().GetContact().Phone.GetReturnCode() != nil {
+				phone.ReturnCode = true
+			}
+		}
+	}
+	return &command.ChangeSchemaUser{
+		ResourceOwner: organizationToUpdateResourceOwner(req.Organization),
+		ID:            req.GetId(),
+		SchemaID:      req.GetUser().SchemaId,
+		Data:          data,
+		Email:         email,
+		Phone:         phone,
+	}, nil
+}
+
+func (s *Server) DeactivateUser(ctx context.Context, req *user.DeactivateUserRequest) (_ *user.DeactivateUserResponse, err error) {
+	if err := checkUserSchemaEnabled(ctx); err != nil {
+		return nil, err
+	}
+
+	details, err := s.command.DeactivateSchemaUser(ctx, organizationToUpdateResourceOwner(req.Organization), req.GetId())
+	if err != nil {
+		return nil, err
+	}
+	return &user.DeactivateUserResponse{
+		Details: resource_object.DomainToDetailsPb(details, object.OwnerType_OWNER_TYPE_ORG, details.ResourceOwner),
+	}, nil
+}
+
+func (s *Server) ActivateUser(ctx context.Context, req *user.ActivateUserRequest) (_ *user.ActivateUserResponse, err error) {
+	if err := checkUserSchemaEnabled(ctx); err != nil {
+		return nil, err
+	}
+
+	details, err := s.command.ActivateSchemaUser(ctx, organizationToUpdateResourceOwner(req.Organization), req.GetId())
+	if err != nil {
+		return nil, err
+	}
+	return &user.ActivateUserResponse{
+		Details: resource_object.DomainToDetailsPb(details, object.OwnerType_OWNER_TYPE_ORG, details.ResourceOwner),
+	}, nil
+}
+
+func (s *Server) LockUser(ctx context.Context, req *user.LockUserRequest) (_ *user.LockUserResponse, err error) {
+	if err := checkUserSchemaEnabled(ctx); err != nil {
+		return nil, err
+	}
+
+	details, err := s.command.LockSchemaUser(ctx, organizationToUpdateResourceOwner(req.Organization), req.GetId())
+	if err != nil {
+		return nil, err
+	}
+	return &user.LockUserResponse{
+		Details: resource_object.DomainToDetailsPb(details, object.OwnerType_OWNER_TYPE_ORG, details.ResourceOwner),
+	}, nil
+}
+
+func (s *Server) UnlockUser(ctx context.Context, req *user.UnlockUserRequest) (_ *user.UnlockUserResponse, err error) {
+	if err := checkUserSchemaEnabled(ctx); err != nil {
+		return nil, err
+	}
+
+	details, err := s.command.UnlockSchemaUser(ctx, organizationToUpdateResourceOwner(req.Organization), req.GetId())
+	if err != nil {
+		return nil, err
+	}
+	return &user.UnlockUserResponse{
+		Details: resource_object.DomainToDetailsPb(details, object.OwnerType_OWNER_TYPE_ORG, details.ResourceOwner),
+	}, nil
+}
diff --git a/internal/api/grpc/resources/userschema/v3alpha/integration_test/query_test.go b/internal/api/grpc/resources/userschema/v3alpha/integration_test/query_test.go
index e7aaf081ed..36cf032660 100644
--- a/internal/api/grpc/resources/userschema/v3alpha/integration_test/query_test.go
+++ b/internal/api/grpc/resources/userschema/v3alpha/integration_test/query_test.go
@@ -20,7 +20,10 @@ import (
 )
 
 func TestServer_ListUserSchemas(t *testing.T) {
-	ensureFeatureEnabled(t, IAMOwnerCTX)
+	t.Parallel()
+	instance := integration.NewInstance(CTX)
+	ensureFeatureEnabled(t, instance)
+	isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
 
 	userSchema := new(structpb.Struct)
 	err := userSchema.UnmarshalJSON([]byte(`{
@@ -43,7 +46,7 @@ func TestServer_ListUserSchemas(t *testing.T) {
 		{
 			name: "missing permission",
 			args: args{
-				ctx: Instance.WithAuthorization(context.Background(), integration.UserTypeOrgOwner),
+				ctx: instance.WithAuthorization(context.Background(), integration.UserTypeOrgOwner),
 				req: &schema.SearchUserSchemasRequest{},
 			},
 			wantErr: true,
@@ -51,7 +54,7 @@ func TestServer_ListUserSchemas(t *testing.T) {
 		{
 			name: "not found, error",
 			args: args{
-				ctx: IAMOwnerCTX,
+				ctx: isolatedIAMOwnerCTX,
 				req: &schema.SearchUserSchemasRequest{
 					Filters: []*schema.SearchFilter{
 						{
@@ -75,11 +78,11 @@ func TestServer_ListUserSchemas(t *testing.T) {
 		{
 			name: "single (id), ok",
 			args: args{
-				ctx: IAMOwnerCTX,
+				ctx: isolatedIAMOwnerCTX,
 				req: &schema.SearchUserSchemasRequest{},
 				prepare: func(request *schema.SearchUserSchemasRequest, resp *schema.SearchUserSchemasResponse) error {
 					schemaType := gofakeit.Name()
-					createResp := Instance.CreateUserSchemaEmptyWithType(IAMOwnerCTX, schemaType)
+					createResp := instance.CreateUserSchemaEmptyWithType(isolatedIAMOwnerCTX, schemaType)
 					request.Filters = []*schema.SearchFilter{
 						{
 							Filter: &schema.SearchFilter_IdFilter{
@@ -121,14 +124,14 @@ func TestServer_ListUserSchemas(t *testing.T) {
 		{
 			name: "multiple (type), ok",
 			args: args{
-				ctx: IAMOwnerCTX,
+				ctx: isolatedIAMOwnerCTX,
 				req: &schema.SearchUserSchemasRequest{},
 				prepare: func(request *schema.SearchUserSchemasRequest, resp *schema.SearchUserSchemasResponse) error {
 					schemaType := gofakeit.Name()
 					schemaType1 := schemaType + "_1"
 					schemaType2 := schemaType + "_2"
-					createResp := Instance.CreateUserSchemaEmptyWithType(IAMOwnerCTX, schemaType1)
-					createResp2 := Instance.CreateUserSchemaEmptyWithType(IAMOwnerCTX, schemaType2)
+					createResp := instance.CreateUserSchemaEmptyWithType(isolatedIAMOwnerCTX, schemaType1)
+					createResp2 := instance.CreateUserSchemaEmptyWithType(isolatedIAMOwnerCTX, schemaType2)
 
 					request.SortingColumn = gu.Ptr(schema.FieldName_FIELD_NAME_TYPE)
 					request.Query = &object.SearchQuery{Desc: false}
@@ -186,12 +189,12 @@ func TestServer_ListUserSchemas(t *testing.T) {
 			}
 
 			retryDuration := 20 * time.Second
-			if ctxDeadline, ok := IAMOwnerCTX.Deadline(); ok {
+			if ctxDeadline, ok := isolatedIAMOwnerCTX.Deadline(); ok {
 				retryDuration = time.Until(ctxDeadline)
 			}
 
 			require.EventuallyWithT(t, func(ttt *assert.CollectT) {
-				got, err := Client.SearchUserSchemas(tt.args.ctx, tt.args.req)
+				got, err := instance.Client.UserSchemaV3.SearchUserSchemas(tt.args.ctx, tt.args.req)
 				if tt.wantErr {
 					require.Error(ttt, err)
 					return
@@ -215,7 +218,10 @@ func TestServer_ListUserSchemas(t *testing.T) {
 }
 
 func TestServer_GetUserSchema(t *testing.T) {
-	ensureFeatureEnabled(t, IAMOwnerCTX)
+	t.Parallel()
+	instance := integration.NewInstance(CTX)
+	ensureFeatureEnabled(t, instance)
+	isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
 
 	userSchema := new(structpb.Struct)
 	err := userSchema.UnmarshalJSON([]byte(`{
@@ -238,11 +244,11 @@ func TestServer_GetUserSchema(t *testing.T) {
 		{
 			name: "missing permission",
 			args: args{
-				ctx: Instance.WithAuthorization(context.Background(), integration.UserTypeOrgOwner),
+				ctx: instance.WithAuthorization(context.Background(), integration.UserTypeOrgOwner),
 				req: &schema.GetUserSchemaRequest{},
 				prepare: func(request *schema.GetUserSchemaRequest, resp *schema.GetUserSchemaResponse) error {
 					schemaType := gofakeit.Name()
-					createResp := Instance.CreateUserSchemaEmptyWithType(IAMOwnerCTX, schemaType)
+					createResp := instance.CreateUserSchemaEmptyWithType(isolatedIAMOwnerCTX, schemaType)
 					request.Id = createResp.GetDetails().GetId()
 					return nil
 				},
@@ -252,7 +258,7 @@ func TestServer_GetUserSchema(t *testing.T) {
 		{
 			name: "not existing, error",
 			args: args{
-				ctx: IAMOwnerCTX,
+				ctx: isolatedIAMOwnerCTX,
 				req: &schema.GetUserSchemaRequest{
 					Id: "notexisting",
 				},
@@ -262,11 +268,11 @@ func TestServer_GetUserSchema(t *testing.T) {
 		{
 			name: "get, ok",
 			args: args{
-				ctx: IAMOwnerCTX,
+				ctx: isolatedIAMOwnerCTX,
 				req: &schema.GetUserSchemaRequest{},
 				prepare: func(request *schema.GetUserSchemaRequest, resp *schema.GetUserSchemaResponse) error {
 					schemaType := gofakeit.Name()
-					createResp := Instance.CreateUserSchemaEmptyWithType(IAMOwnerCTX, schemaType)
+					createResp := instance.CreateUserSchemaEmptyWithType(isolatedIAMOwnerCTX, schemaType)
 					request.Id = createResp.GetDetails().GetId()
 
 					resp.UserSchema.Config.Type = schemaType
@@ -295,12 +301,12 @@ func TestServer_GetUserSchema(t *testing.T) {
 			}
 
 			retryDuration := 5 * time.Second
-			if ctxDeadline, ok := IAMOwnerCTX.Deadline(); ok {
+			if ctxDeadline, ok := isolatedIAMOwnerCTX.Deadline(); ok {
 				retryDuration = time.Until(ctxDeadline)
 			}
 
 			require.EventuallyWithT(t, func(ttt *assert.CollectT) {
-				got, err := Client.GetUserSchema(tt.args.ctx, tt.args.req)
+				got, err := instance.Client.UserSchemaV3.GetUserSchema(tt.args.ctx, tt.args.req)
 				if tt.wantErr {
 					assert.Error(t, err, "Error: "+err.Error())
 				} else {
diff --git a/internal/api/grpc/resources/userschema/v3alpha/integration_test/server_test.go b/internal/api/grpc/resources/userschema/v3alpha/integration_test/server_test.go
index fbdef9bee8..f779a98d87 100644
--- a/internal/api/grpc/resources/userschema/v3alpha/integration_test/server_test.go
+++ b/internal/api/grpc/resources/userschema/v3alpha/integration_test/server_test.go
@@ -14,49 +14,41 @@ import (
 
 	"github.com/zitadel/zitadel/internal/integration"
 	"github.com/zitadel/zitadel/pkg/grpc/feature/v2"
-	schema "github.com/zitadel/zitadel/pkg/grpc/resources/userschema/v3alpha"
 )
 
 var (
-	IAMOwnerCTX, SystemCTX context.Context
-	Instance               *integration.Instance
-	Client                 schema.ZITADELUserSchemasClient
+	CTX context.Context
 )
 
 func TestMain(m *testing.M) {
 	os.Exit(func() int {
 		ctx, cancel := context.WithTimeout(context.Background(), 15*time.Minute)
 		defer cancel()
-
-		Instance = integration.NewInstance(ctx)
-
-		IAMOwnerCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner)
-		SystemCTX = integration.WithSystemAuthorization(ctx)
-		Client = Instance.Client.UserSchemaV3
-
+		CTX = ctx
 		return m.Run()
 	}())
 }
 
-func ensureFeatureEnabled(t *testing.T, iamOwnerCTX context.Context) {
-	f, err := Instance.Client.FeatureV2.GetInstanceFeatures(iamOwnerCTX, &feature.GetInstanceFeaturesRequest{
+func ensureFeatureEnabled(t *testing.T, instance *integration.Instance) {
+	ctx := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
+	f, err := instance.Client.FeatureV2.GetInstanceFeatures(ctx, &feature.GetInstanceFeaturesRequest{
 		Inheritance: true,
 	})
 	require.NoError(t, err)
 	if f.UserSchema.GetEnabled() {
 		return
 	}
-	_, err = Instance.Client.FeatureV2.SetInstanceFeatures(iamOwnerCTX, &feature.SetInstanceFeaturesRequest{
+	_, err = instance.Client.FeatureV2.SetInstanceFeatures(ctx, &feature.SetInstanceFeaturesRequest{
 		UserSchema: gu.Ptr(true),
 	})
 	require.NoError(t, err)
 	retryDuration := time.Minute
-	if ctxDeadline, ok := iamOwnerCTX.Deadline(); ok {
+	if ctxDeadline, ok := ctx.Deadline(); ok {
 		retryDuration = time.Until(ctxDeadline)
 	}
 	require.EventuallyWithT(t,
 		func(ttt *assert.CollectT) {
-			f, err := Instance.Client.FeatureV2.GetInstanceFeatures(iamOwnerCTX, &feature.GetInstanceFeaturesRequest{
+			f, err := instance.Client.FeatureV2.GetInstanceFeatures(ctx, &feature.GetInstanceFeaturesRequest{
 				Inheritance: true,
 			})
 			require.NoError(ttt, err)
diff --git a/internal/api/grpc/resources/userschema/v3alpha/integration_test/userschema_test.go b/internal/api/grpc/resources/userschema/v3alpha/integration_test/userschema_test.go
index f7216f8426..a264b163eb 100644
--- a/internal/api/grpc/resources/userschema/v3alpha/integration_test/userschema_test.go
+++ b/internal/api/grpc/resources/userschema/v3alpha/integration_test/userschema_test.go
@@ -19,7 +19,10 @@ import (
 )
 
 func TestServer_CreateUserSchema(t *testing.T) {
-	ensureFeatureEnabled(t, IAMOwnerCTX)
+	t.Parallel()
+	instance := integration.NewInstance(CTX)
+	ensureFeatureEnabled(t, instance)
+	isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
 
 	tests := []struct {
 		name    string
@@ -30,7 +33,7 @@ func TestServer_CreateUserSchema(t *testing.T) {
 	}{
 		{
 			name: "missing permission, error",
-			ctx:  Instance.WithAuthorization(context.Background(), integration.UserTypeOrgOwner),
+			ctx:  instance.WithAuthorization(context.Background(), integration.UserTypeOrgOwner),
 			req: &schema.CreateUserSchemaRequest{
 				UserSchema: &schema.UserSchema{
 					Type: gofakeit.Name(),
@@ -40,7 +43,7 @@ func TestServer_CreateUserSchema(t *testing.T) {
 		},
 		{
 			name: "empty type",
-			ctx:  IAMOwnerCTX,
+			ctx:  isolatedIAMOwnerCTX,
 			req: &schema.CreateUserSchemaRequest{
 				UserSchema: &schema.UserSchema{
 					Type: "",
@@ -50,7 +53,7 @@ func TestServer_CreateUserSchema(t *testing.T) {
 		},
 		{
 			name: "empty schema, error",
-			ctx:  IAMOwnerCTX,
+			ctx:  isolatedIAMOwnerCTX,
 			req: &schema.CreateUserSchemaRequest{
 				UserSchema: &schema.UserSchema{
 					Type: gofakeit.Name(),
@@ -60,7 +63,7 @@ func TestServer_CreateUserSchema(t *testing.T) {
 		},
 		{
 			name: "invalid schema, error",
-			ctx:  IAMOwnerCTX,
+			ctx:  isolatedIAMOwnerCTX,
 			req: &schema.CreateUserSchemaRequest{
 				UserSchema: &schema.UserSchema{
 					Type: gofakeit.Name(),
@@ -91,7 +94,7 @@ func TestServer_CreateUserSchema(t *testing.T) {
 		},
 		{
 			name: "no authenticators, ok",
-			ctx:  IAMOwnerCTX,
+			ctx:  isolatedIAMOwnerCTX,
 			req: &schema.CreateUserSchemaRequest{
 				UserSchema: &schema.UserSchema{
 					Type: gofakeit.Name(),
@@ -123,14 +126,14 @@ func TestServer_CreateUserSchema(t *testing.T) {
 					Changed: timestamppb.Now(),
 					Owner: &object.Owner{
 						Type: object.OwnerType_OWNER_TYPE_INSTANCE,
-						Id:   Instance.ID(),
+						Id:   instance.ID(),
 					},
 				},
 			},
 		},
 		{
 			name: "invalid authenticator, error",
-			ctx:  IAMOwnerCTX,
+			ctx:  isolatedIAMOwnerCTX,
 			req: &schema.CreateUserSchemaRequest{
 				UserSchema: &schema.UserSchema{
 					Type: gofakeit.Name(),
@@ -164,7 +167,7 @@ func TestServer_CreateUserSchema(t *testing.T) {
 		},
 		{
 			name: "with authenticator, ok",
-			ctx:  IAMOwnerCTX,
+			ctx:  isolatedIAMOwnerCTX,
 			req: &schema.CreateUserSchemaRequest{
 				UserSchema: &schema.UserSchema{
 					Type: gofakeit.Name(),
@@ -199,14 +202,14 @@ func TestServer_CreateUserSchema(t *testing.T) {
 					Changed: timestamppb.Now(),
 					Owner: &object.Owner{
 						Type: object.OwnerType_OWNER_TYPE_INSTANCE,
-						Id:   Instance.ID(),
+						Id:   instance.ID(),
 					},
 				},
 			},
 		},
 		{
 			name: "with invalid permission, error",
-			ctx:  IAMOwnerCTX,
+			ctx:  isolatedIAMOwnerCTX,
 			req: &schema.CreateUserSchemaRequest{
 				UserSchema: &schema.UserSchema{
 					Type: gofakeit.Name(),
@@ -241,7 +244,7 @@ func TestServer_CreateUserSchema(t *testing.T) {
 		},
 		{
 			name: "with valid permission, ok",
-			ctx:  IAMOwnerCTX,
+			ctx:  isolatedIAMOwnerCTX,
 			req: &schema.CreateUserSchemaRequest{
 				UserSchema: &schema.UserSchema{
 					Type: gofakeit.Name(),
@@ -280,7 +283,7 @@ func TestServer_CreateUserSchema(t *testing.T) {
 					Changed: timestamppb.Now(),
 					Owner: &object.Owner{
 						Type: object.OwnerType_OWNER_TYPE_INSTANCE,
-						Id:   Instance.ID(),
+						Id:   instance.ID(),
 					},
 				},
 			},
@@ -288,7 +291,7 @@ func TestServer_CreateUserSchema(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := Client.CreateUserSchema(tt.ctx, tt.req)
+			got, err := instance.Client.UserSchemaV3.CreateUserSchema(tt.ctx, tt.req)
 			if tt.wantErr {
 				require.Error(t, err)
 				return
@@ -301,7 +304,10 @@ func TestServer_CreateUserSchema(t *testing.T) {
 }
 
 func TestServer_UpdateUserSchema(t *testing.T) {
-	ensureFeatureEnabled(t, IAMOwnerCTX)
+	t.Parallel()
+	instance := integration.NewInstance(CTX)
+	ensureFeatureEnabled(t, instance)
+	isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
 
 	type args struct {
 		ctx context.Context
@@ -317,12 +323,12 @@ func TestServer_UpdateUserSchema(t *testing.T) {
 		{
 			name: "missing permission, error",
 			prepare: func(request *schema.PatchUserSchemaRequest) error {
-				schemaID := Instance.CreateUserSchemaEmpty(IAMOwnerCTX).GetDetails().GetId()
+				schemaID := instance.CreateUserSchemaEmpty(isolatedIAMOwnerCTX).GetDetails().GetId()
 				request.Id = schemaID
 				return nil
 			},
 			args: args{
-				ctx: Instance.WithAuthorization(context.Background(), integration.UserTypeOrgOwner),
+				ctx: instance.WithAuthorization(context.Background(), integration.UserTypeOrgOwner),
 				req: &schema.PatchUserSchemaRequest{
 					UserSchema: &schema.PatchUserSchema{
 						Type: gu.Ptr(gofakeit.Name()),
@@ -337,7 +343,7 @@ func TestServer_UpdateUserSchema(t *testing.T) {
 				return nil
 			},
 			args: args{
-				ctx: IAMOwnerCTX,
+				ctx: isolatedIAMOwnerCTX,
 				req: &schema.PatchUserSchemaRequest{},
 			},
 			wantErr: true,
@@ -349,7 +355,7 @@ func TestServer_UpdateUserSchema(t *testing.T) {
 				return nil
 			},
 			args: args{
-				ctx: IAMOwnerCTX,
+				ctx: isolatedIAMOwnerCTX,
 				req: &schema.PatchUserSchemaRequest{},
 			},
 			wantErr: true,
@@ -357,12 +363,12 @@ func TestServer_UpdateUserSchema(t *testing.T) {
 		{
 			name: "empty type, error",
 			prepare: func(request *schema.PatchUserSchemaRequest) error {
-				schemaID := Instance.CreateUserSchemaEmpty(IAMOwnerCTX).GetDetails().GetId()
+				schemaID := instance.CreateUserSchemaEmpty(isolatedIAMOwnerCTX).GetDetails().GetId()
 				request.Id = schemaID
 				return nil
 			},
 			args: args{
-				ctx: IAMOwnerCTX,
+				ctx: isolatedIAMOwnerCTX,
 				req: &schema.PatchUserSchemaRequest{
 					UserSchema: &schema.PatchUserSchema{
 						Type: gu.Ptr(""),
@@ -374,12 +380,12 @@ func TestServer_UpdateUserSchema(t *testing.T) {
 		{
 			name: "update type, ok",
 			prepare: func(request *schema.PatchUserSchemaRequest) error {
-				schemaID := Instance.CreateUserSchemaEmpty(IAMOwnerCTX).GetDetails().GetId()
+				schemaID := instance.CreateUserSchemaEmpty(isolatedIAMOwnerCTX).GetDetails().GetId()
 				request.Id = schemaID
 				return nil
 			},
 			args: args{
-				ctx: IAMOwnerCTX,
+				ctx: isolatedIAMOwnerCTX,
 				req: &schema.PatchUserSchemaRequest{
 					UserSchema: &schema.PatchUserSchema{
 						Type: gu.Ptr(gofakeit.Name()),
@@ -391,7 +397,7 @@ func TestServer_UpdateUserSchema(t *testing.T) {
 					Changed: timestamppb.Now(),
 					Owner: &object.Owner{
 						Type: object.OwnerType_OWNER_TYPE_INSTANCE,
-						Id:   Instance.ID(),
+						Id:   instance.ID(),
 					},
 				},
 			},
@@ -399,12 +405,12 @@ func TestServer_UpdateUserSchema(t *testing.T) {
 		{
 			name: "empty schema, ok",
 			prepare: func(request *schema.PatchUserSchemaRequest) error {
-				schemaID := Instance.CreateUserSchemaEmpty(IAMOwnerCTX).GetDetails().GetId()
+				schemaID := instance.CreateUserSchemaEmpty(isolatedIAMOwnerCTX).GetDetails().GetId()
 				request.Id = schemaID
 				return nil
 			},
 			args: args{
-				ctx: IAMOwnerCTX,
+				ctx: isolatedIAMOwnerCTX,
 				req: &schema.PatchUserSchemaRequest{
 					UserSchema: &schema.PatchUserSchema{
 						DataType: &schema.PatchUserSchema_Schema{},
@@ -416,7 +422,7 @@ func TestServer_UpdateUserSchema(t *testing.T) {
 					Changed: timestamppb.Now(),
 					Owner: &object.Owner{
 						Type: object.OwnerType_OWNER_TYPE_INSTANCE,
-						Id:   Instance.ID(),
+						Id:   instance.ID(),
 					},
 				},
 			},
@@ -424,12 +430,12 @@ func TestServer_UpdateUserSchema(t *testing.T) {
 		{
 			name: "invalid schema, error",
 			prepare: func(request *schema.PatchUserSchemaRequest) error {
-				schemaID := Instance.CreateUserSchemaEmpty(IAMOwnerCTX).GetDetails().GetId()
+				schemaID := instance.CreateUserSchemaEmpty(isolatedIAMOwnerCTX).GetDetails().GetId()
 				request.Id = schemaID
 				return nil
 			},
 			args: args{
-				ctx: IAMOwnerCTX,
+				ctx: isolatedIAMOwnerCTX,
 				req: &schema.PatchUserSchemaRequest{
 					UserSchema: &schema.PatchUserSchema{
 						DataType: &schema.PatchUserSchema_Schema{
@@ -462,12 +468,12 @@ func TestServer_UpdateUserSchema(t *testing.T) {
 		{
 			name: "update schema, ok",
 			prepare: func(request *schema.PatchUserSchemaRequest) error {
-				schemaID := Instance.CreateUserSchemaEmpty(IAMOwnerCTX).GetDetails().GetId()
+				schemaID := instance.CreateUserSchemaEmpty(isolatedIAMOwnerCTX).GetDetails().GetId()
 				request.Id = schemaID
 				return nil
 			},
 			args: args{
-				ctx: IAMOwnerCTX,
+				ctx: isolatedIAMOwnerCTX,
 				req: &schema.PatchUserSchemaRequest{
 					UserSchema: &schema.PatchUserSchema{
 						DataType: &schema.PatchUserSchema_Schema{
@@ -500,7 +506,7 @@ func TestServer_UpdateUserSchema(t *testing.T) {
 					Changed: timestamppb.Now(),
 					Owner: &object.Owner{
 						Type: object.OwnerType_OWNER_TYPE_INSTANCE,
-						Id:   Instance.ID(),
+						Id:   instance.ID(),
 					},
 				},
 			},
@@ -508,12 +514,12 @@ func TestServer_UpdateUserSchema(t *testing.T) {
 		{
 			name: "invalid authenticator, error",
 			prepare: func(request *schema.PatchUserSchemaRequest) error {
-				schemaID := Instance.CreateUserSchemaEmpty(IAMOwnerCTX).GetDetails().GetId()
+				schemaID := instance.CreateUserSchemaEmpty(isolatedIAMOwnerCTX).GetDetails().GetId()
 				request.Id = schemaID
 				return nil
 			},
 			args: args{
-				ctx: IAMOwnerCTX,
+				ctx: isolatedIAMOwnerCTX,
 				req: &schema.PatchUserSchemaRequest{
 					UserSchema: &schema.PatchUserSchema{
 						PossibleAuthenticators: []schema.AuthenticatorType{
@@ -527,12 +533,12 @@ func TestServer_UpdateUserSchema(t *testing.T) {
 		{
 			name: "update authenticator, ok",
 			prepare: func(request *schema.PatchUserSchemaRequest) error {
-				schemaID := Instance.CreateUserSchemaEmpty(IAMOwnerCTX).GetDetails().GetId()
+				schemaID := instance.CreateUserSchemaEmpty(isolatedIAMOwnerCTX).GetDetails().GetId()
 				request.Id = schemaID
 				return nil
 			},
 			args: args{
-				ctx: IAMOwnerCTX,
+				ctx: isolatedIAMOwnerCTX,
 				req: &schema.PatchUserSchemaRequest{
 					UserSchema: &schema.PatchUserSchema{
 						PossibleAuthenticators: []schema.AuthenticatorType{
@@ -546,7 +552,7 @@ func TestServer_UpdateUserSchema(t *testing.T) {
 					Changed: timestamppb.Now(),
 					Owner: &object.Owner{
 						Type: object.OwnerType_OWNER_TYPE_INSTANCE,
-						Id:   Instance.ID(),
+						Id:   instance.ID(),
 					},
 				},
 			},
@@ -554,8 +560,8 @@ func TestServer_UpdateUserSchema(t *testing.T) {
 		{
 			name: "inactive, error",
 			prepare: func(request *schema.PatchUserSchemaRequest) error {
-				schemaID := Instance.CreateUserSchemaEmpty(IAMOwnerCTX).GetDetails().GetId()
-				_, err := Client.DeactivateUserSchema(IAMOwnerCTX, &schema.DeactivateUserSchemaRequest{
+				schemaID := instance.CreateUserSchemaEmpty(isolatedIAMOwnerCTX).GetDetails().GetId()
+				_, err := instance.Client.UserSchemaV3.DeactivateUserSchema(isolatedIAMOwnerCTX, &schema.DeactivateUserSchemaRequest{
 					Id: schemaID,
 				})
 				require.NoError(t, err)
@@ -563,7 +569,7 @@ func TestServer_UpdateUserSchema(t *testing.T) {
 				return nil
 			},
 			args: args{
-				ctx: IAMOwnerCTX,
+				ctx: isolatedIAMOwnerCTX,
 				req: &schema.PatchUserSchemaRequest{
 					UserSchema: &schema.PatchUserSchema{
 						Type: gu.Ptr(gofakeit.Name()),
@@ -578,7 +584,7 @@ func TestServer_UpdateUserSchema(t *testing.T) {
 			err := tt.prepare(tt.args.req)
 			require.NoError(t, err)
 
-			got, err := Client.PatchUserSchema(tt.args.ctx, tt.args.req)
+			got, err := instance.Client.UserSchemaV3.PatchUserSchema(tt.args.ctx, tt.args.req)
 			if tt.wantErr {
 				require.Error(t, err)
 				return
@@ -590,7 +596,10 @@ func TestServer_UpdateUserSchema(t *testing.T) {
 }
 
 func TestServer_DeactivateUserSchema(t *testing.T) {
-	ensureFeatureEnabled(t, IAMOwnerCTX)
+	t.Parallel()
+	instance := integration.NewInstance(CTX)
+	ensureFeatureEnabled(t, instance)
+	isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
 
 	type args struct {
 		ctx     context.Context
@@ -606,7 +615,7 @@ func TestServer_DeactivateUserSchema(t *testing.T) {
 		{
 			name: "not existing, error",
 			args: args{
-				IAMOwnerCTX,
+				isolatedIAMOwnerCTX,
 				&schema.DeactivateUserSchemaRequest{
 					Id: "notexisting",
 				},
@@ -617,10 +626,10 @@ func TestServer_DeactivateUserSchema(t *testing.T) {
 		{
 			name: "active, ok",
 			args: args{
-				IAMOwnerCTX,
+				isolatedIAMOwnerCTX,
 				&schema.DeactivateUserSchemaRequest{},
 				func(request *schema.DeactivateUserSchemaRequest) error {
-					schemaID := Instance.CreateUserSchemaEmpty(IAMOwnerCTX).GetDetails().GetId()
+					schemaID := instance.CreateUserSchemaEmpty(isolatedIAMOwnerCTX).GetDetails().GetId()
 					request.Id = schemaID
 					return nil
 				},
@@ -630,7 +639,7 @@ func TestServer_DeactivateUserSchema(t *testing.T) {
 					Changed: timestamppb.Now(),
 					Owner: &object.Owner{
 						Type: object.OwnerType_OWNER_TYPE_INSTANCE,
-						Id:   Instance.ID(),
+						Id:   instance.ID(),
 					},
 				},
 			},
@@ -638,12 +647,12 @@ func TestServer_DeactivateUserSchema(t *testing.T) {
 		{
 			name: "inactive, error",
 			args: args{
-				IAMOwnerCTX,
+				isolatedIAMOwnerCTX,
 				&schema.DeactivateUserSchemaRequest{},
 				func(request *schema.DeactivateUserSchemaRequest) error {
-					schemaID := Instance.CreateUserSchemaEmpty(IAMOwnerCTX).GetDetails().GetId()
+					schemaID := instance.CreateUserSchemaEmpty(isolatedIAMOwnerCTX).GetDetails().GetId()
 					request.Id = schemaID
-					_, err := Client.DeactivateUserSchema(IAMOwnerCTX, &schema.DeactivateUserSchemaRequest{
+					_, err := instance.Client.UserSchemaV3.DeactivateUserSchema(isolatedIAMOwnerCTX, &schema.DeactivateUserSchemaRequest{
 						Id: schemaID,
 					})
 					return err
@@ -657,7 +666,7 @@ func TestServer_DeactivateUserSchema(t *testing.T) {
 			err := tt.args.prepare(tt.args.req)
 			require.NoError(t, err)
 
-			got, err := Client.DeactivateUserSchema(tt.args.ctx, tt.args.req)
+			got, err := instance.Client.UserSchemaV3.DeactivateUserSchema(tt.args.ctx, tt.args.req)
 			if tt.wantErr {
 				require.Error(t, err)
 				return
@@ -669,7 +678,10 @@ func TestServer_DeactivateUserSchema(t *testing.T) {
 }
 
 func TestServer_ReactivateUserSchema(t *testing.T) {
-	ensureFeatureEnabled(t, IAMOwnerCTX)
+	t.Parallel()
+	instance := integration.NewInstance(CTX)
+	ensureFeatureEnabled(t, instance)
+	isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
 
 	type args struct {
 		ctx     context.Context
@@ -685,7 +697,7 @@ func TestServer_ReactivateUserSchema(t *testing.T) {
 		{
 			name: "not existing, error",
 			args: args{
-				IAMOwnerCTX,
+				isolatedIAMOwnerCTX,
 				&schema.ReactivateUserSchemaRequest{
 					Id: "notexisting",
 				},
@@ -696,10 +708,10 @@ func TestServer_ReactivateUserSchema(t *testing.T) {
 		{
 			name: "active, error",
 			args: args{
-				ctx: IAMOwnerCTX,
+				ctx: isolatedIAMOwnerCTX,
 				req: &schema.ReactivateUserSchemaRequest{},
 				prepare: func(request *schema.ReactivateUserSchemaRequest) error {
-					schemaID := Instance.CreateUserSchemaEmpty(IAMOwnerCTX).GetDetails().GetId()
+					schemaID := instance.CreateUserSchemaEmpty(isolatedIAMOwnerCTX).GetDetails().GetId()
 					request.Id = schemaID
 					return nil
 				},
@@ -709,12 +721,12 @@ func TestServer_ReactivateUserSchema(t *testing.T) {
 		{
 			name: "inactive, ok",
 			args: args{
-				ctx: IAMOwnerCTX,
+				ctx: isolatedIAMOwnerCTX,
 				req: &schema.ReactivateUserSchemaRequest{},
 				prepare: func(request *schema.ReactivateUserSchemaRequest) error {
-					schemaID := Instance.CreateUserSchemaEmpty(IAMOwnerCTX).GetDetails().GetId()
+					schemaID := instance.CreateUserSchemaEmpty(isolatedIAMOwnerCTX).GetDetails().GetId()
 					request.Id = schemaID
-					_, err := Client.DeactivateUserSchema(IAMOwnerCTX, &schema.DeactivateUserSchemaRequest{
+					_, err := instance.Client.UserSchemaV3.DeactivateUserSchema(isolatedIAMOwnerCTX, &schema.DeactivateUserSchemaRequest{
 						Id: schemaID,
 					})
 					return err
@@ -725,7 +737,7 @@ func TestServer_ReactivateUserSchema(t *testing.T) {
 					Changed: timestamppb.Now(),
 					Owner: &object.Owner{
 						Type: object.OwnerType_OWNER_TYPE_INSTANCE,
-						Id:   Instance.ID(),
+						Id:   instance.ID(),
 					},
 				},
 			},
@@ -736,7 +748,7 @@ func TestServer_ReactivateUserSchema(t *testing.T) {
 			err := tt.args.prepare(tt.args.req)
 			require.NoError(t, err)
 
-			got, err := Client.ReactivateUserSchema(tt.args.ctx, tt.args.req)
+			got, err := instance.Client.UserSchemaV3.ReactivateUserSchema(tt.args.ctx, tt.args.req)
 			if tt.wantErr {
 				require.Error(t, err)
 				return
@@ -748,7 +760,10 @@ func TestServer_ReactivateUserSchema(t *testing.T) {
 }
 
 func TestServer_DeleteUserSchema(t *testing.T) {
-	ensureFeatureEnabled(t, IAMOwnerCTX)
+	t.Parallel()
+	instance := integration.NewInstance(CTX)
+	ensureFeatureEnabled(t, instance)
+	isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
 
 	type args struct {
 		ctx     context.Context
@@ -764,7 +779,7 @@ func TestServer_DeleteUserSchema(t *testing.T) {
 		{
 			name: "not existing, error",
 			args: args{
-				IAMOwnerCTX,
+				isolatedIAMOwnerCTX,
 				&schema.DeleteUserSchemaRequest{
 					Id: "notexisting",
 				},
@@ -775,10 +790,10 @@ func TestServer_DeleteUserSchema(t *testing.T) {
 		{
 			name: "delete, ok",
 			args: args{
-				ctx: IAMOwnerCTX,
+				ctx: isolatedIAMOwnerCTX,
 				req: &schema.DeleteUserSchemaRequest{},
 				prepare: func(request *schema.DeleteUserSchemaRequest) error {
-					schemaID := Instance.CreateUserSchemaEmpty(IAMOwnerCTX).GetDetails().GetId()
+					schemaID := instance.CreateUserSchemaEmpty(isolatedIAMOwnerCTX).GetDetails().GetId()
 					request.Id = schemaID
 					return nil
 				},
@@ -788,7 +803,7 @@ func TestServer_DeleteUserSchema(t *testing.T) {
 					Changed: timestamppb.Now(),
 					Owner: &object.Owner{
 						Type: object.OwnerType_OWNER_TYPE_INSTANCE,
-						Id:   Instance.ID(),
+						Id:   instance.ID(),
 					},
 				},
 			},
@@ -796,12 +811,12 @@ func TestServer_DeleteUserSchema(t *testing.T) {
 		{
 			name: "deleted, error",
 			args: args{
-				ctx: IAMOwnerCTX,
+				ctx: isolatedIAMOwnerCTX,
 				req: &schema.DeleteUserSchemaRequest{},
 				prepare: func(request *schema.DeleteUserSchemaRequest) error {
-					schemaID := Instance.CreateUserSchemaEmpty(IAMOwnerCTX).GetDetails().GetId()
+					schemaID := instance.CreateUserSchemaEmpty(isolatedIAMOwnerCTX).GetDetails().GetId()
 					request.Id = schemaID
-					_, err := Client.DeleteUserSchema(IAMOwnerCTX, &schema.DeleteUserSchemaRequest{
+					_, err := instance.Client.UserSchemaV3.DeleteUserSchema(isolatedIAMOwnerCTX, &schema.DeleteUserSchemaRequest{
 						Id: schemaID,
 					})
 					return err
@@ -815,7 +830,7 @@ func TestServer_DeleteUserSchema(t *testing.T) {
 			err := tt.args.prepare(tt.args.req)
 			require.NoError(t, err)
 
-			got, err := Client.DeleteUserSchema(tt.args.ctx, tt.args.req)
+			got, err := instance.Client.UserSchemaV3.DeleteUserSchema(tt.args.ctx, tt.args.req)
 			if tt.wantErr {
 				require.Error(t, err)
 				return
diff --git a/internal/command/user_schema.go b/internal/command/user_schema.go
index 7b53c9e165..3120071d55 100644
--- a/internal/command/user_schema.go
+++ b/internal/command/user_schema.go
@@ -186,7 +186,7 @@ func validateUserSchema(userSchema json.RawMessage) error {
 }
 
 func (c *Commands) getSchemaWriteModelByID(ctx context.Context, resourceOwner, id string) (*UserSchemaWriteModel, error) {
-	writeModel := NewUserSchemaWriteModel(resourceOwner, id, "")
+	writeModel := NewUserSchemaWriteModel(resourceOwner, id)
 	if err := c.eventstore.FilterToQueryReducer(ctx, writeModel); err != nil {
 		return nil, err
 	}
diff --git a/internal/command/user_schema_model.go b/internal/command/user_schema_model.go
index e8df80479a..08352e6d57 100644
--- a/internal/command/user_schema_model.go
+++ b/internal/command/user_schema_model.go
@@ -19,16 +19,15 @@ type UserSchemaWriteModel struct {
 	Schema                 json.RawMessage
 	PossibleAuthenticators []domain.AuthenticatorType
 	State                  domain.UserSchemaState
-	Revision               uint64
+	SchemaRevision         uint64
 }
 
-func NewUserSchemaWriteModel(resourceOwner, schemaID, ty string) *UserSchemaWriteModel {
+func NewUserSchemaWriteModel(resourceOwner, schemaID string) *UserSchemaWriteModel {
 	return &UserSchemaWriteModel{
 		WriteModel: eventstore.WriteModel{
 			AggregateID:   schemaID,
 			ResourceOwner: resourceOwner,
 		},
-		SchemaType: ty,
 	}
 }
 
@@ -40,13 +39,13 @@ func (wm *UserSchemaWriteModel) Reduce() error {
 			wm.Schema = e.Schema
 			wm.PossibleAuthenticators = e.PossibleAuthenticators
 			wm.State = domain.UserSchemaStateActive
-			wm.Revision = 1
+			wm.SchemaRevision = 1
 		case *schema.UpdatedEvent:
 			if e.SchemaType != nil {
 				wm.SchemaType = *e.SchemaType
 			}
 			if e.SchemaRevision != nil {
-				wm.Revision = *e.SchemaRevision
+				wm.SchemaRevision = *e.SchemaRevision
 			}
 			if len(e.Schema) > 0 {
 				wm.Schema = e.Schema
@@ -79,10 +78,6 @@ func (wm *UserSchemaWriteModel) Query() *eventstore.SearchQueryBuilder {
 			schema.DeletedType,
 		)
 
-	if wm.SchemaType != "" {
-		query = query.EventData(map[string]interface{}{"schemaType": wm.SchemaType})
-	}
-
 	return query.Builder()
 }
 func (wm *UserSchemaWriteModel) NewUpdatedEvent(
@@ -99,7 +94,7 @@ func (wm *UserSchemaWriteModel) NewUpdatedEvent(
 	if !bytes.Equal(wm.Schema, userSchema) {
 		changes = append(changes, schema.ChangeSchema(userSchema))
 		// change revision if the content of the schema changed
-		changes = append(changes, schema.IncreaseRevision(wm.Revision))
+		changes = append(changes, schema.IncreaseRevision(wm.SchemaRevision))
 	}
 	if len(possibleAuthenticators) > 0 && slices.Compare(wm.PossibleAuthenticators, possibleAuthenticators) != 0 {
 		changes = append(changes, schema.ChangePossibleAuthenticators(possibleAuthenticators))
diff --git a/internal/command/user_v3.go b/internal/command/user_v3.go
index f2cacd6cb0..d5a097ce27 100644
--- a/internal/command/user_v3.go
+++ b/internal/command/user_v3.go
@@ -15,14 +15,14 @@ import (
 )
 
 type CreateSchemaUser struct {
-	Details       *domain.ObjectDetails
-	ResourceOwner string
+	Details *domain.ObjectDetails
 
 	SchemaID       string
 	schemaRevision uint64
 
-	ID   string
-	Data json.RawMessage
+	ResourceOwner string
+	ID            string
+	Data          json.RawMessage
 
 	Email           *Email
 	ReturnCodeEmail string
@@ -45,7 +45,7 @@ func (s *CreateSchemaUser) Valid(ctx context.Context, c *Commands) (err error) {
 	if !schemaWriteModel.Exists() {
 		return zerrors.ThrowPreconditionFailed(nil, "COMMAND-N9QOuN4F7o", "Errors.UserSchema.NotExists")
 	}
-	s.schemaRevision = schemaWriteModel.Revision
+	s.schemaRevision = schemaWriteModel.SchemaRevision
 
 	if s.ID == "" {
 		s.ID, err = c.idGenerator.Next()
@@ -120,13 +120,13 @@ func (c *Commands) CreateSchemaUser(ctx context.Context, user *CreateSchemaUser,
 		),
 	}
 	if user.Email != nil {
-		events, user.ReturnCodeEmail, err = c.updateSchemaUserEmail(ctx, events, userAgg, user.Email, alg)
+		events, user.ReturnCodeEmail, err = c.updateSchemaUserEmail(ctx, writeModel, events, userAgg, user.Email, alg)
 		if err != nil {
 			return err
 		}
 	}
 	if user.Phone != nil {
-		events, user.ReturnCodePhone, err = c.updateSchemaUserPhone(ctx, events, userAgg, user.Phone, alg)
+		events, user.ReturnCodePhone, err = c.updateSchemaUserPhone(ctx, writeModel, events, userAgg, user.Phone, alg)
 		if err != nil {
 			return err
 		}
@@ -139,11 +139,11 @@ func (c *Commands) CreateSchemaUser(ctx context.Context, user *CreateSchemaUser,
 	return nil
 }
 
-func (c *Commands) DeleteSchemaUser(ctx context.Context, id string) (*domain.ObjectDetails, error) {
+func (c *Commands) DeleteSchemaUser(ctx context.Context, resourceOwner, id string) (*domain.ObjectDetails, error) {
 	if id == "" {
 		return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-Vs4wJCME7T", "Errors.IDMissing")
 	}
-	writeModel, err := c.getSchemaUserExists(ctx, "", id)
+	writeModel, err := c.getSchemaUserExists(ctx, resourceOwner, id)
 	if err != nil {
 		return nil, err
 	}
@@ -161,7 +161,235 @@ func (c *Commands) DeleteSchemaUser(ctx context.Context, id string) (*domain.Obj
 	return writeModelToObjectDetails(&writeModel.WriteModel), nil
 }
 
-func (c *Commands) updateSchemaUserEmail(ctx context.Context, events []eventstore.Command, agg *eventstore.Aggregate, email *Email, alg crypto.EncryptionAlgorithm) (_ []eventstore.Command, plainCode string, err error) {
+type ChangeSchemaUser struct {
+	Details *domain.ObjectDetails
+
+	SchemaID         *string
+	schemaWriteModel *UserSchemaWriteModel
+
+	ResourceOwner string
+	ID            string
+	Data          json.RawMessage
+
+	Email           *Email
+	ReturnCodeEmail string
+	Phone           *Phone
+	ReturnCodePhone string
+}
+
+func (s *ChangeSchemaUser) Valid(ctx context.Context, c *Commands) (err error) {
+	if s.ID == "" {
+		return zerrors.ThrowInvalidArgument(nil, "COMMAND-gEJR1QOGHb", "Errors.IDMissing")
+	}
+	if s.SchemaID != nil {
+		s.schemaWriteModel, err = c.getSchemaWriteModelByID(ctx, "", *s.SchemaID)
+		if err != nil {
+			return err
+		}
+		if !s.schemaWriteModel.Exists() {
+			return zerrors.ThrowPreconditionFailed(nil, "COMMAND-VLDTtxT3If", "Errors.UserSchema.NotExists")
+		}
+	}
+
+	if s.Email != nil && s.Email.Address != "" {
+		if err := s.Email.Validate(); err != nil {
+			return err
+		}
+	}
+
+	if s.Phone != nil && s.Phone.Number != "" {
+		if s.Phone.Number, err = s.Phone.Number.Normalize(); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (s *ChangeSchemaUser) ValidData(ctx context.Context, c *Commands, existingUser *UserV3WriteModel) (err error) {
+	// get role for permission check in schema through extension
+	role, err := c.getSchemaRoleForWrite(ctx, existingUser.ResourceOwner, existingUser.AggregateID)
+	if err != nil {
+		return err
+	}
+
+	if s.schemaWriteModel == nil {
+		s.schemaWriteModel, err = c.getSchemaWriteModelByID(ctx, "", existingUser.SchemaID)
+		if err != nil {
+			return err
+		}
+	}
+
+	schema, err := domain_schema.NewSchema(role, bytes.NewReader(s.schemaWriteModel.Schema))
+	if err != nil {
+		return err
+	}
+
+	// if data not changed but a new schema or revision should be used
+	data := s.Data
+	if s.Data == nil {
+		data = existingUser.Data
+	}
+
+	var v interface{}
+	if err := json.Unmarshal(data, &v); err != nil {
+		return zerrors.ThrowInvalidArgument(nil, "COMMAND-7o3ZGxtXUz", "Errors.User.Invalid")
+	}
+
+	if err := schema.Validate(v); err != nil {
+		return zerrors.ThrowPreconditionFailed(nil, "COMMAND-SlKXqLSeL6", "Errors.UserSchema.Data.Invalid")
+	}
+	return nil
+}
+
+func (c *Commands) ChangeSchemaUser(ctx context.Context, user *ChangeSchemaUser, alg crypto.EncryptionAlgorithm) (err error) {
+	if err := user.Valid(ctx, c); err != nil {
+		return err
+	}
+
+	writeModel, err := c.getSchemaUserWriteModelByID(ctx, user.ResourceOwner, user.ID)
+	if err != nil {
+		return err
+	}
+	if !writeModel.Exists() {
+		return zerrors.ThrowPreconditionFailed(nil, "COMMAND-Nn8CRVlkeZ", "Errors.User.NotFound")
+	}
+
+	userAgg := UserV3AggregateFromWriteModel(&writeModel.WriteModel)
+	events := make([]eventstore.Command, 0)
+	if user.Data != nil || user.SchemaID != nil {
+		if err := user.ValidData(ctx, c, writeModel); err != nil {
+			return err
+		}
+		updateEvent := writeModel.NewUpdatedEvent(ctx,
+			userAgg,
+			user.schemaWriteModel.AggregateID,
+			user.schemaWriteModel.SchemaRevision,
+			user.Data,
+		)
+		if updateEvent != nil {
+			events = append(events, updateEvent)
+		}
+	}
+	if user.Email != nil {
+		events, user.ReturnCodeEmail, err = c.updateSchemaUserEmail(ctx, writeModel, events, userAgg, user.Email, alg)
+		if err != nil {
+			return err
+		}
+	}
+	if user.Phone != nil {
+		events, user.ReturnCodePhone, err = c.updateSchemaUserPhone(ctx, writeModel, events, userAgg, user.Phone, alg)
+		if err != nil {
+			return err
+		}
+	}
+	if len(events) == 0 {
+		user.Details = writeModelToObjectDetails(&writeModel.WriteModel)
+		return nil
+	}
+	if err := c.pushAppendAndReduce(ctx, writeModel, events...); err != nil {
+		return err
+	}
+	user.Details = writeModelToObjectDetails(&writeModel.WriteModel)
+	return nil
+}
+
+func (c *Commands) checkPermissionUpdateUserState(ctx context.Context, resourceOwner, userID string) error {
+	return c.checkPermission(ctx, domain.PermissionUserWrite, resourceOwner, userID)
+}
+
+func (c *Commands) LockSchemaUser(ctx context.Context, resourceOwner, id string) (*domain.ObjectDetails, error) {
+	if id == "" {
+		return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-Eu8I2VAfjF", "Errors.IDMissing")
+	}
+	writeModel, err := c.getSchemaUserExists(ctx, resourceOwner, id)
+	if err != nil {
+		return nil, err
+	}
+	if !writeModel.Exists() || writeModel.Locked {
+		return nil, zerrors.ThrowNotFound(nil, "COMMAND-G4LOrnjY7q", "Errors.User.NotFound")
+	}
+	if err := c.checkPermissionUpdateUserState(ctx, writeModel.ResourceOwner, writeModel.AggregateID); err != nil {
+		return nil, err
+	}
+	if err := c.pushAppendAndReduce(ctx, writeModel,
+		schemauser.NewLockedEvent(ctx, UserV3AggregateFromWriteModel(&writeModel.WriteModel)),
+	); err != nil {
+		return nil, err
+	}
+	return writeModelToObjectDetails(&writeModel.WriteModel), nil
+}
+
+func (c *Commands) UnlockSchemaUser(ctx context.Context, resourceOwner, id string) (*domain.ObjectDetails, error) {
+	if id == "" {
+		return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-krXtYscQZh", "Errors.IDMissing")
+	}
+	writeModel, err := c.getSchemaUserExists(ctx, resourceOwner, id)
+	if err != nil {
+		return nil, err
+	}
+	if !writeModel.Exists() || !writeModel.Locked {
+		return nil, zerrors.ThrowNotFound(nil, "COMMAND-gpBv46Lh9m", "Errors.User.NotFound")
+	}
+	if err := c.checkPermissionUpdateUserState(ctx, writeModel.ResourceOwner, writeModel.AggregateID); err != nil {
+		return nil, err
+	}
+	if err := c.pushAppendAndReduce(ctx, writeModel,
+		schemauser.NewUnlockedEvent(ctx, UserV3AggregateFromWriteModel(&writeModel.WriteModel)),
+	); err != nil {
+		return nil, err
+	}
+	return writeModelToObjectDetails(&writeModel.WriteModel), nil
+}
+
+func (c *Commands) DeactivateSchemaUser(ctx context.Context, resourceOwner, id string) (*domain.ObjectDetails, error) {
+	if id == "" {
+		return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-pjJhge86ZV", "Errors.IDMissing")
+	}
+	writeModel, err := c.getSchemaUserExists(ctx, resourceOwner, id)
+	if err != nil {
+		return nil, err
+	}
+	if writeModel.State != domain.UserStateActive {
+		return nil, zerrors.ThrowNotFound(nil, "COMMAND-Ob6lR5iFTe", "Errors.User.NotFound")
+	}
+	if err := c.checkPermissionUpdateUserState(ctx, writeModel.ResourceOwner, writeModel.AggregateID); err != nil {
+		return nil, err
+	}
+	if err := c.pushAppendAndReduce(ctx, writeModel,
+		schemauser.NewDeactivatedEvent(ctx, UserV3AggregateFromWriteModel(&writeModel.WriteModel)),
+	); err != nil {
+		return nil, err
+	}
+	return writeModelToObjectDetails(&writeModel.WriteModel), nil
+}
+
+func (c *Commands) ActivateSchemaUser(ctx context.Context, resourceOwner, id string) (*domain.ObjectDetails, error) {
+	if id == "" {
+		return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-17XupGvxBJ", "Errors.IDMissing")
+	}
+	writeModel, err := c.getSchemaUserExists(ctx, "", id)
+	if err != nil {
+		return nil, err
+	}
+	if writeModel.State != domain.UserStateInactive {
+		return nil, zerrors.ThrowNotFound(nil, "COMMAND-rQjbBr4J3j", "Errors.User.NotFound")
+	}
+	if err := c.checkPermissionUpdateUserState(ctx, writeModel.ResourceOwner, writeModel.AggregateID); err != nil {
+		return nil, err
+	}
+	if err := c.pushAppendAndReduce(ctx, writeModel,
+		schemauser.NewActivatedEvent(ctx, UserV3AggregateFromWriteModel(&writeModel.WriteModel)),
+	); err != nil {
+		return nil, err
+	}
+	return writeModelToObjectDetails(&writeModel.WriteModel), nil
+}
+
+func (c *Commands) updateSchemaUserEmail(ctx context.Context, existing *UserV3WriteModel, events []eventstore.Command, agg *eventstore.Aggregate, email *Email, alg crypto.EncryptionAlgorithm) (_ []eventstore.Command, plainCode string, err error) {
+	if existing.Email == string(email.Address) {
+		return events, plainCode, nil
+	}
 
 	events = append(events, schemauser.NewEmailUpdatedEvent(ctx,
 		agg,
@@ -187,8 +415,12 @@ func (c *Commands) updateSchemaUserEmail(ctx context.Context, events []eventstor
 	return events, plainCode, nil
 }
 
-func (c *Commands) updateSchemaUserPhone(ctx context.Context, events []eventstore.Command, agg *eventstore.Aggregate, phone *Phone, alg crypto.EncryptionAlgorithm) (_ []eventstore.Command, plainCode string, err error) {
-	events = append(events, schemauser.NewPhoneChangedEvent(ctx,
+func (c *Commands) updateSchemaUserPhone(ctx context.Context, existing *UserV3WriteModel, events []eventstore.Command, agg *eventstore.Aggregate, phone *Phone, alg crypto.EncryptionAlgorithm) (_ []eventstore.Command, plainCode string, err error) {
+	if existing.Phone == string(phone.Number) {
+		return events, plainCode, nil
+	}
+
+	events = append(events, schemauser.NewPhoneUpdatedEvent(ctx,
 		agg,
 		phone.Number,
 	))
@@ -218,3 +450,11 @@ func (c *Commands) getSchemaUserExists(ctx context.Context, resourceOwner, id st
 	}
 	return writeModel, nil
 }
+
+func (c *Commands) getSchemaUserWriteModelByID(ctx context.Context, resourceOwner, id string) (*UserV3WriteModel, error) {
+	writeModel := NewUserV3WriteModel(resourceOwner, id)
+	if err := c.eventstore.FilterToQueryReducer(ctx, writeModel); err != nil {
+		return nil, err
+	}
+	return writeModel, nil
+}
diff --git a/internal/command/user_v3_model.go b/internal/command/user_v3_model.go
index 51f783aaed..6231558178 100644
--- a/internal/command/user_v3_model.go
+++ b/internal/command/user_v3_model.go
@@ -29,7 +29,8 @@ type UserV3WriteModel struct {
 
 	Data json.RawMessage
 
-	State domain.UserState
+	Locked bool
+	State  domain.UserState
 }
 
 func NewExistsUserV3WriteModel(resourceOwner, userID string) *UserV3WriteModel {
@@ -61,8 +62,9 @@ func (wm *UserV3WriteModel) Reduce() error {
 		switch e := event.(type) {
 		case *schemauser.CreatedEvent:
 			wm.SchemaID = e.SchemaID
-			wm.SchemaRevision = 1
+			wm.SchemaRevision = e.SchemaRevision
 			wm.Data = e.Data
+			wm.Locked = false
 
 			wm.State = domain.UserStateActive
 		case *schemauser.UpdatedEvent:
@@ -79,6 +81,8 @@ func (wm *UserV3WriteModel) Reduce() error {
 			wm.State = domain.UserStateDeleted
 		case *schemauser.EmailUpdatedEvent:
 			wm.Email = string(e.EmailAddress)
+			wm.IsEmailVerified = false
+			wm.EmailVerifiedFailedCount = 0
 		case *schemauser.EmailCodeAddedEvent:
 			wm.IsEmailVerified = false
 			wm.EmailVerifiedFailedCount = 0
@@ -87,8 +91,10 @@ func (wm *UserV3WriteModel) Reduce() error {
 			wm.EmailVerifiedFailedCount = 0
 		case *schemauser.EmailVerificationFailedEvent:
 			wm.EmailVerifiedFailedCount += 1
-		case *schemauser.PhoneChangedEvent:
+		case *schemauser.PhoneUpdatedEvent:
 			wm.Phone = string(e.PhoneNumber)
+			wm.IsPhoneVerified = false
+			wm.PhoneVerifiedFailedCount = 0
 		case *schemauser.PhoneCodeAddedEvent:
 			wm.IsPhoneVerified = false
 			wm.PhoneVerifiedFailedCount = 0
@@ -97,28 +103,39 @@ func (wm *UserV3WriteModel) Reduce() error {
 			wm.IsPhoneVerified = true
 		case *schemauser.PhoneVerificationFailedEvent:
 			wm.PhoneVerifiedFailedCount += 1
+		case *schemauser.LockedEvent:
+			wm.Locked = true
+		case *schemauser.UnlockedEvent:
+			wm.Locked = false
+		case *schemauser.DeactivatedEvent:
+			wm.State = domain.UserStateInactive
+		case *schemauser.ActivatedEvent:
+			wm.State = domain.UserStateActive
 		}
 	}
 	return wm.WriteModel.Reduce()
 }
 
 func (wm *UserV3WriteModel) Query() *eventstore.SearchQueryBuilder {
-	query := eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
-		ResourceOwner(wm.ResourceOwner).
-		AddQuery().
-		AggregateTypes(schemauser.AggregateType).
-		AggregateIDs(wm.AggregateID).
-		EventTypes(
-			schemauser.CreatedType,
-			schemauser.DeletedType,
-		)
+	builder := eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent)
+	if wm.ResourceOwner != "" {
+		builder = builder.ResourceOwner(wm.ResourceOwner)
+	}
+	eventtypes := []eventstore.EventType{
+		schemauser.CreatedType,
+		schemauser.DeletedType,
+		schemauser.ActivatedType,
+		schemauser.DeactivatedType,
+		schemauser.LockedType,
+		schemauser.UnlockedType,
+	}
 	if wm.DataWM {
-		query = query.EventTypes(
+		eventtypes = append(eventtypes,
 			schemauser.UpdatedType,
 		)
 	}
 	if wm.EmailWM {
-		query = query.EventTypes(
+		eventtypes = append(eventtypes,
 			schemauser.EmailUpdatedType,
 			schemauser.EmailVerifiedType,
 			schemauser.EmailCodeAddedType,
@@ -126,31 +143,34 @@ func (wm *UserV3WriteModel) Query() *eventstore.SearchQueryBuilder {
 		)
 	}
 	if wm.PhoneWM {
-		query = query.EventTypes(
+		eventtypes = append(eventtypes,
 			schemauser.PhoneUpdatedType,
 			schemauser.PhoneVerifiedType,
 			schemauser.PhoneCodeAddedType,
 			schemauser.PhoneVerificationFailedType,
 		)
 	}
-	return query.Builder()
+	return builder.AddQuery().
+		AggregateTypes(schemauser.AggregateType).
+		AggregateIDs(wm.AggregateID).
+		EventTypes(eventtypes...).Builder()
 }
 
 func (wm *UserV3WriteModel) NewUpdatedEvent(
 	ctx context.Context,
 	agg *eventstore.Aggregate,
-	schemaID *string,
-	schemaRevision *uint64,
+	schemaID string,
+	schemaRevision uint64,
 	data json.RawMessage,
 ) *schemauser.UpdatedEvent {
 	changes := make([]schemauser.Changes, 0)
-	if schemaID != nil && wm.SchemaID != *schemaID {
-		changes = append(changes, schemauser.ChangeSchemaID(wm.SchemaID, *schemaID))
+	if wm.SchemaID != schemaID {
+		changes = append(changes, schemauser.ChangeSchemaID(schemaID))
 	}
-	if schemaRevision != nil && wm.SchemaRevision != *schemaRevision {
-		changes = append(changes, schemauser.ChangeSchemaRevision(wm.SchemaRevision, *schemaRevision))
+	if wm.SchemaRevision != schemaRevision {
+		changes = append(changes, schemauser.ChangeSchemaRevision(schemaRevision))
 	}
-	if !bytes.Equal(wm.Data, data) {
+	if data != nil && !bytes.Equal(wm.Data, data) {
 		changes = append(changes, schemauser.ChangeData(data))
 	}
 	if len(changes) == 0 {
diff --git a/internal/command/user_v3_test.go b/internal/command/user_v3_test.go
index 5bbb9e0c55..69794b3c2e 100644
--- a/internal/command/user_v3_test.go
+++ b/internal/command/user_v3_test.go
@@ -7,6 +7,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/muhlemmer/gu"
 	"github.com/stretchr/testify/assert"
 	"go.uber.org/mock/gomock"
 
@@ -673,7 +674,7 @@ func TestCommands_CreateSchemaUser(t *testing.T) {
 						"name": "user"
 					}`),
 						),
-						schemauser.NewPhoneChangedEvent(context.Background(),
+						schemauser.NewPhoneUpdatedEvent(context.Background(),
 							&schemauser.NewAggregate("id1", "org1").Aggregate,
 							"+41791234567",
 						),
@@ -751,7 +752,7 @@ func TestCommands_CreateSchemaUser(t *testing.T) {
 						"name": "user"
 					}`),
 						),
-						schemauser.NewPhoneChangedEvent(context.Background(),
+						schemauser.NewPhoneUpdatedEvent(context.Background(),
 							&schemauser.NewAggregate("id1", "org1").Aggregate,
 							"+41791234567",
 						),
@@ -834,7 +835,7 @@ func TestCommands_CreateSchemaUser(t *testing.T) {
 						schemauser.NewEmailVerifiedEvent(context.Background(),
 							&schemauser.NewAggregate("id1", "org1").Aggregate,
 						),
-						schemauser.NewPhoneChangedEvent(context.Background(),
+						schemauser.NewPhoneUpdatedEvent(context.Background(),
 							&schemauser.NewAggregate("id1", "org1").Aggregate,
 							"+41791234567",
 						),
@@ -904,6 +905,7 @@ func TestCommandSide_DeleteSchemaUser(t *testing.T) {
 	type (
 		args struct {
 			ctx    context.Context
+			orgID  string
 			userID string
 		}
 	)
@@ -1088,7 +1090,7 @@ func TestCommandSide_DeleteSchemaUser(t *testing.T) {
 				eventstore:      tt.fields.eventstore(t),
 				checkPermission: tt.fields.checkPermission,
 			}
-			got, err := r.DeleteSchemaUser(tt.args.ctx, tt.args.userID)
+			got, err := r.DeleteSchemaUser(tt.args.ctx, tt.args.orgID, tt.args.userID)
 			if tt.res.err == nil {
 				assert.NoError(t, err)
 			}
@@ -1101,3 +1103,2022 @@ func TestCommandSide_DeleteSchemaUser(t *testing.T) {
 		})
 	}
 }
+
+func TestCommandSide_LockSchemaUser(t *testing.T) {
+	type fields struct {
+		eventstore      func(*testing.T) *eventstore.Eventstore
+		checkPermission domain.PermissionCheck
+	}
+	type (
+		args struct {
+			ctx    context.Context
+			orgID  string
+			userID string
+		}
+	)
+	type res struct {
+		want *domain.ObjectDetails
+		err  func(error) bool
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			name: "userid missing, invalid argument error",
+			fields: fields{
+				eventstore:      expectEventstore(),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				ctx:    context.Background(),
+				userID: "",
+			},
+			res: res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "COMMAND-Eu8I2VAfjF", "Errors.IDMissing"))
+				},
+			},
+		},
+		{
+			name: "user not existing, not found error",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				ctx:    context.Background(),
+				userID: "user1",
+			},
+			res: res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowNotFound(nil, "COMMAND-G4LOrnjY7q", "Errors.User.NotFound"))
+				},
+			},
+		},
+		{
+			name: "user removed, not found error",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"schema",
+								1,
+								json.RawMessage(`{
+						"name": "user"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewDeletedEvent(context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				ctx:    context.Background(),
+				userID: "user1",
+			},
+			res: res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowNotFound(nil, "COMMAND-G4LOrnjY7q", "Errors.User.NotFound"))
+				},
+			},
+		},
+		{
+			name: "user locked, precondition error",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"schema",
+								1,
+								json.RawMessage(`{
+						"name": "user"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewLockedEvent(context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				ctx:    context.Background(),
+				userID: "user1",
+			},
+			res: res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowNotFound(nil, "COMMAND-G4LOrnjY7q", "Errors.User.NotFound"))
+				},
+			},
+		},
+		{
+			name: "lock user, ok",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"schema",
+								1,
+								json.RawMessage(`{
+						"name": "user"
+					}`),
+							),
+						),
+					),
+					expectPush(
+						schemauser.NewLockedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				ctx:    context.Background(),
+				userID: "user1",
+			},
+			res: res{
+				want: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			name: "lock user, no permission",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"schema",
+								1,
+								json.RawMessage(`{
+						"name": "user"
+					}`),
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckNotAllowed(),
+			},
+			args: args{
+				ctx:    context.Background(),
+				userID: "user1",
+			},
+			res: res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"))
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			r := &Commands{
+				eventstore:      tt.fields.eventstore(t),
+				checkPermission: tt.fields.checkPermission,
+			}
+			got, err := r.LockSchemaUser(tt.args.ctx, tt.args.orgID, tt.args.userID)
+			if tt.res.err == nil {
+				assert.NoError(t, err)
+			}
+			if tt.res.err != nil && !tt.res.err(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+			if tt.res.err == nil {
+				assertObjectDetails(t, tt.res.want, got)
+			}
+		})
+	}
+}
+
+func TestCommandSide_UnlockSchemaUser(t *testing.T) {
+	type fields struct {
+		eventstore      func(*testing.T) *eventstore.Eventstore
+		checkPermission domain.PermissionCheck
+	}
+	type (
+		args struct {
+			ctx    context.Context
+			orgID  string
+			userID string
+		}
+	)
+	type res struct {
+		want *domain.ObjectDetails
+		err  func(error) bool
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			name: "userid missing, invalid argument error",
+			fields: fields{
+				eventstore:      expectEventstore(),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				ctx:    context.Background(),
+				userID: "",
+			},
+			res: res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "COMMAND-krXtYscQZh", "Errors.IDMissing"))
+				},
+			},
+		},
+		{
+			name: "user not existing, not found error",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				ctx:    context.Background(),
+				userID: "user1",
+			},
+			res: res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowNotFound(nil, "COMMAND-gpBv46Lh9m", "Errors.User.NotFound"))
+				},
+			},
+		},
+		{
+			name: "user removed, not found error",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"schema",
+								1,
+								json.RawMessage(`{
+						"name": "user"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewDeletedEvent(context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				ctx:    context.Background(),
+				userID: "user1",
+			},
+			res: res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowNotFound(nil, "COMMAND-gpBv46Lh9m", "Errors.User.NotFound"))
+				},
+			},
+		},
+		{
+			name: "user not locked, precondition error",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"schema",
+								1,
+								json.RawMessage(`{
+						"name": "user"
+					}`),
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				ctx:    context.Background(),
+				userID: "user1",
+			},
+			res: res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowNotFound(nil, "COMMAND-gpBv46Lh9m", "Errors.User.NotFound"))
+				},
+			},
+		},
+		{
+			name: "unlock user, ok",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"schema",
+								1,
+								json.RawMessage(`{
+						"name": "user"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewLockedEvent(context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+							),
+						),
+					),
+					expectPush(
+						schemauser.NewUnlockedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				ctx:    context.Background(),
+				userID: "user1",
+			},
+			res: res{
+				want: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			name: "unlock user, no permission",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"schema",
+								1,
+								json.RawMessage(`{
+						"name": "user"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewLockedEvent(context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckNotAllowed(),
+			},
+			args: args{
+				ctx:    context.Background(),
+				userID: "user1",
+			},
+			res: res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"))
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			r := &Commands{
+				eventstore:      tt.fields.eventstore(t),
+				checkPermission: tt.fields.checkPermission,
+			}
+			got, err := r.UnlockSchemaUser(tt.args.ctx, tt.args.orgID, tt.args.userID)
+			if tt.res.err == nil {
+				assert.NoError(t, err)
+			}
+			if tt.res.err != nil && !tt.res.err(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+			if tt.res.err == nil {
+				assertObjectDetails(t, tt.res.want, got)
+			}
+		})
+	}
+}
+
+func TestCommandSide_DeactivateSchemaUser(t *testing.T) {
+	type fields struct {
+		eventstore      func(*testing.T) *eventstore.Eventstore
+		checkPermission domain.PermissionCheck
+	}
+	type (
+		args struct {
+			ctx    context.Context
+			orgID  string
+			userID string
+		}
+	)
+	type res struct {
+		want *domain.ObjectDetails
+		err  func(error) bool
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			name: "userid missing, invalid argument error",
+			fields: fields{
+				eventstore:      expectEventstore(),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				ctx:    context.Background(),
+				userID: "",
+			},
+			res: res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "COMMAND-pjJhge86ZV", "Errors.IDMissing"))
+				},
+			},
+		},
+		{
+			name: "user not existing, not found error",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				ctx:    context.Background(),
+				userID: "user1",
+			},
+			res: res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowNotFound(nil, "COMMAND-Ob6lR5iFTe", "Errors.User.NotFound"))
+				},
+			},
+		},
+		{
+			name: "user removed, not found error",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"schema",
+								1,
+								json.RawMessage(`{
+						"name": "user"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewDeletedEvent(context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				ctx:    context.Background(),
+				userID: "user1",
+			},
+			res: res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowNotFound(nil, "COMMAND-Ob6lR5iFTe", "Errors.User.NotFound"))
+				},
+			},
+		},
+		{
+			name: "user not active, precondition error",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"schema",
+								1,
+								json.RawMessage(`{
+						"name": "user"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewDeactivatedEvent(context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				ctx:    context.Background(),
+				userID: "user1",
+			},
+			res: res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowNotFound(nil, "COMMAND-Ob6lR5iFTe", "Errors.User.NotFound"))
+				},
+			},
+		},
+		{
+			name: "deactivate user, ok",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"schema",
+								1,
+								json.RawMessage(`{
+						"name": "user"
+					}`),
+							),
+						),
+					),
+					expectPush(
+						schemauser.NewDeactivatedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				ctx:    context.Background(),
+				userID: "user1",
+			},
+			res: res{
+				want: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			name: "deactivate user, no permission",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"schema",
+								1,
+								json.RawMessage(`{
+						"name": "user"
+					}`),
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckNotAllowed(),
+			},
+			args: args{
+				ctx:    context.Background(),
+				userID: "user1",
+			},
+			res: res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"))
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			r := &Commands{
+				eventstore:      tt.fields.eventstore(t),
+				checkPermission: tt.fields.checkPermission,
+			}
+			got, err := r.DeactivateSchemaUser(tt.args.ctx, tt.args.orgID, tt.args.userID)
+			if tt.res.err == nil {
+				assert.NoError(t, err)
+			}
+			if tt.res.err != nil && !tt.res.err(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+			if tt.res.err == nil {
+				assertObjectDetails(t, tt.res.want, got)
+			}
+		})
+	}
+}
+
+func TestCommandSide_ReactivateSchemaUser(t *testing.T) {
+	type fields struct {
+		eventstore      func(*testing.T) *eventstore.Eventstore
+		checkPermission domain.PermissionCheck
+	}
+	type (
+		args struct {
+			ctx    context.Context
+			orgID  string
+			userID string
+		}
+	)
+	type res struct {
+		want *domain.ObjectDetails
+		err  func(error) bool
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			name: "userid missing, invalid argument error",
+			fields: fields{
+				eventstore:      expectEventstore(),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				ctx:    context.Background(),
+				userID: "",
+			},
+			res: res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "COMMAND-17XupGvxBJ", "Errors.IDMissing"))
+				},
+			},
+		},
+		{
+			name: "user not existing, not found error",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				ctx:    context.Background(),
+				userID: "user1",
+			},
+			res: res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowNotFound(nil, "COMMAND-rQjbBr4J3j", "Errors.User.NotFound"))
+				},
+			},
+		},
+		{
+			name: "user removed, not found error",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"schema",
+								1,
+								json.RawMessage(`{
+						"name": "user"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewDeletedEvent(context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				ctx:    context.Background(),
+				userID: "user1",
+			},
+			res: res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowNotFound(nil, "COMMAND-rQjbBr4J3j", "Errors.User.NotFound"))
+				},
+			},
+		},
+		{
+			name: "user not inactive, precondition error",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"schema",
+								1,
+								json.RawMessage(`{
+						"name": "user"
+					}`),
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				ctx:    context.Background(),
+				userID: "user1",
+			},
+			res: res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowNotFound(nil, "COMMAND-rQjbBr4J3j", "Errors.User.NotFound"))
+				},
+			},
+		},
+		{
+			name: "activate user, ok",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"schema",
+								1,
+								json.RawMessage(`{
+						"name": "user"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewDeactivatedEvent(context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+							),
+						),
+					),
+					expectPush(
+						schemauser.NewActivatedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args: args{
+				ctx:    context.Background(),
+				userID: "user1",
+			},
+			res: res{
+				want: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			name: "activate user, no permission",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"schema",
+								1,
+								json.RawMessage(`{
+						"name": "user"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewDeactivatedEvent(context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckNotAllowed(),
+			},
+			args: args{
+				ctx:    context.Background(),
+				userID: "user1",
+			},
+			res: res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"))
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			r := &Commands{
+				eventstore:      tt.fields.eventstore(t),
+				checkPermission: tt.fields.checkPermission,
+			}
+			got, err := r.ActivateSchemaUser(tt.args.ctx, tt.args.orgID, tt.args.userID)
+			if tt.res.err == nil {
+				assert.NoError(t, err)
+			}
+			if tt.res.err != nil && !tt.res.err(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+			if tt.res.err == nil {
+				assertObjectDetails(t, tt.res.want, got)
+			}
+		})
+	}
+}
+
+func TestCommands_ChangeSchemaUser(t *testing.T) {
+	type fields struct {
+		eventstore      func(t *testing.T) *eventstore.Eventstore
+		checkPermission domain.PermissionCheck
+		newCode         encrypedCodeFunc
+	}
+	type args struct {
+		ctx  context.Context
+		user *ChangeSchemaUser
+	}
+	type res struct {
+		returnCodeEmail string
+		returnCodePhone string
+		details         *domain.ObjectDetails
+		err             func(error) bool
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			"no userID, error",
+			fields{
+				eventstore:      expectEventstore(),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx:  authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUser{},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "COMMAND-gEJR1QOGHb", "Errors.IDMissing"))
+				},
+			},
+		},
+		{
+			"schema not existing, error",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUser{
+					ID:       "user1",
+					SchemaID: gu.Ptr("type"),
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowPreconditionFailed(nil, "COMMAND-VLDTtxT3If", "Errors.UserSchema.NotExists"))
+				},
+			},
+		},
+		{
+			"no valid email, error",
+			fields{
+				eventstore:      expectEventstore(),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUser{
+					ID:    "user1",
+					Email: &Email{Address: "noemail"},
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "EMAIL-599BI", "Errors.User.Email.Invalid"))
+				},
+			},
+		},
+		{
+			"no valid phone, error",
+			fields{
+				eventstore:      expectEventstore(),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUser{
+					ID:    "user1",
+					Phone: &Phone{Number: "invalid"},
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "PHONE-so0wa", "Errors.User.Phone.Invalid"))
+				},
+			},
+		},
+		{
+			"user update, no permission",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckNotAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUser{
+					ID: "user1",
+					Data: json.RawMessage(`{
+						"name": "user"
+					}`),
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"))
+				},
+			},
+		},
+		{
+			"user updated, same schema",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							schema.NewCreatedEvent(
+								context.Background(),
+								&schema.NewAggregate("id1", "instanceID").Aggregate,
+								"type",
+								json.RawMessage(`{
+								"$schema": "urn:zitadel:schema:v1",
+								"type": "object",
+								"properties": {
+									"name": {
+										"type": "string"
+									}
+								}
+							}`),
+								[]domain.AuthenticatorType{domain.AuthenticatorTypeUsername},
+							),
+						),
+					),
+					expectPush(
+						schemauser.NewUpdatedEvent(
+							context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							[]schemauser.Changes{
+								schemauser.ChangeData(
+									json.RawMessage(`{
+						"name": "user2"
+					}`),
+								),
+							},
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUser{
+					ID: "user1",
+					Data: json.RawMessage(`{
+						"name": "user2"
+					}`),
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			"user updated, changed schema",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schema.NewCreatedEvent(
+								context.Background(),
+								&schema.NewAggregate("id2", "instanceID").Aggregate,
+								"type",
+								json.RawMessage(`{
+								"$schema": "urn:zitadel:schema:v1",
+								"type": "object",
+								"properties": {
+									"name": {
+										"type": "string"
+									}
+								}
+							}`),
+								[]domain.AuthenticatorType{domain.AuthenticatorTypeUsername},
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+					),
+					expectPush(
+						schemauser.NewUpdatedEvent(
+							context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							[]schemauser.Changes{
+								schemauser.ChangeSchemaID("id2"),
+							},
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUser{
+					ID:       "user1",
+					SchemaID: gu.Ptr("id2"),
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			"user updated, new schema",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schema.NewCreatedEvent(
+								context.Background(),
+								&schema.NewAggregate("id2", "instanceID").Aggregate,
+								"type",
+								json.RawMessage(`{
+								"$schema": "urn:zitadel:schema:v1",
+								"type": "object",
+								"properties": {
+									"name": {
+										"type": "string"
+									}
+								}
+							}`),
+								[]domain.AuthenticatorType{domain.AuthenticatorTypeUsername},
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+					),
+					expectPush(
+						schemauser.NewUpdatedEvent(
+							context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							[]schemauser.Changes{
+								schemauser.ChangeSchemaID("id2"),
+								schemauser.ChangeData(
+									json.RawMessage(`{
+						"name": "user2"
+					}`),
+								),
+							},
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUser{
+					ID:       "user1",
+					SchemaID: gu.Ptr("id2"),
+					Data: json.RawMessage(`{
+						"name": "user2"
+					}`),
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			"user updated, same schema revision",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name1": "user1"
+					}`),
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							schema.NewCreatedEvent(
+								context.Background(),
+								&schema.NewAggregate("id1", "instanceID").Aggregate,
+								"type",
+								json.RawMessage(`{
+								"$schema": "urn:zitadel:schema:v1",
+								"type": "object",
+								"properties": {
+									"name1": {
+										"type": "string"
+									}
+								}
+							}`),
+								[]domain.AuthenticatorType{domain.AuthenticatorTypeUsername},
+							),
+						),
+						eventFromEventPusher(
+							schema.NewUpdatedEvent(
+								context.Background(),
+								&schema.NewAggregate("id1", "instanceID").Aggregate,
+								[]schema.Changes{
+									schema.IncreaseRevision(1),
+									schema.ChangeSchema(json.RawMessage(`{
+								"$schema": "urn:zitadel:schema:v1",
+								"type": "object",
+								"properties": {
+									"name2": {
+										"type": "string"
+									}
+								}
+							}`)),
+								},
+							),
+						),
+					),
+					expectPush(
+						schemauser.NewUpdatedEvent(
+							context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							[]schemauser.Changes{
+								schemauser.ChangeSchemaRevision(2),
+								schemauser.ChangeData(
+									json.RawMessage(`{
+						"name2": "user2"
+					}`),
+								),
+							},
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUser{
+					ID: "user1",
+					Data: json.RawMessage(`{
+						"name2": "user2"
+					}`),
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			"user updated, new schema and revision",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schema.NewCreatedEvent(
+								context.Background(),
+								&schema.NewAggregate("id2", "instanceID").Aggregate,
+								"type",
+								json.RawMessage(`{
+								"$schema": "urn:zitadel:schema:v1",
+								"type": "object",
+								"properties": {
+									"name2": {
+										"type": "string"
+									}
+								}
+							}`),
+								[]domain.AuthenticatorType{domain.AuthenticatorTypeUsername},
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								2,
+								json.RawMessage(`{
+						"name1": "user1"
+					}`),
+							),
+						),
+					),
+					expectPush(
+						schemauser.NewUpdatedEvent(
+							context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							[]schemauser.Changes{
+								schemauser.ChangeSchemaID("id2"),
+								schemauser.ChangeSchemaRevision(1),
+								schemauser.ChangeData(
+									json.RawMessage(`{
+						"name2": "user2"
+					}`),
+								),
+							},
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUser{
+					ID:       "user1",
+					SchemaID: gu.Ptr("id2"),
+					Data: json.RawMessage(`{
+						"name2": "user2"
+					}`),
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			"user update, no field permission as admin",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schema.NewCreatedEvent(
+								context.Background(),
+								&schema.NewAggregate("id1", "instanceID").Aggregate,
+								"type",
+								json.RawMessage(`{
+								"$schema": "urn:zitadel:schema:v1",
+								"type": "object",
+								"properties": {
+									"name": {
+									 	"urn:zitadel:schema:permission": {
+											"owner": "r"
+										},
+										"type": "string"
+									}
+								}
+							}`),
+								[]domain.AuthenticatorType{domain.AuthenticatorTypeUsername},
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUser{
+					ID:       "user1",
+					SchemaID: gu.Ptr("id1"),
+					Data: json.RawMessage(`{
+						"name": "user"
+					}`),
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowPreconditionFailed(nil, "COMMAND-SlKXqLSeL6", "Errors.UserSchema.Data.Invalid"))
+				},
+			},
+		},
+		{
+			"user update, no field permission as user",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schema.NewCreatedEvent(
+								context.Background(),
+								&schema.NewAggregate("id1", "instanceID").Aggregate,
+								"type",
+								json.RawMessage(`{
+								"$schema": "urn:zitadel:schema:v1",
+								"type": "object",
+								"properties": {
+									"name": {
+									 	"urn:zitadel:schema:permission": {
+											"self": "r"
+										},
+										"type": "string"
+									}
+								}
+							}`),
+								[]domain.AuthenticatorType{domain.AuthenticatorTypeUsername},
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+					),
+				),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "org1", "user1"),
+				user: &ChangeSchemaUser{
+					ID:       "user1",
+					SchemaID: gu.Ptr("type"),
+					Data: json.RawMessage(`{
+						"name": "user"
+					}`),
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowPreconditionFailed(nil, "COMMAND-SlKXqLSeL6", "Errors.UserSchema.Data.Invalid"))
+				},
+			},
+		},
+		{
+			"user update, invalid data type",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schema.NewCreatedEvent(
+								context.Background(),
+								&schema.NewAggregate("id1", "instanceID").Aggregate,
+								"type",
+								json.RawMessage(`{
+								"$schema": "urn:zitadel:schema:v1",
+								"type": "object",
+								"properties": {
+									"name": {
+										"type": "string"
+									}
+								}
+							}`),
+								[]domain.AuthenticatorType{domain.AuthenticatorTypeUsername},
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "org1", "user1"),
+				user: &ChangeSchemaUser{
+					ID:       "user1",
+					SchemaID: gu.Ptr("type"),
+					Data: json.RawMessage(`{
+						"name": 1
+					}`),
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowPreconditionFailed(nil, "COMMAND-SlKXqLSeL6", "Errors.UserSchema.Data.Invalid"))
+				},
+			},
+		},
+		{
+			"user update, additional property",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schema.NewCreatedEvent(
+								context.Background(),
+								&schema.NewAggregate("id1", "instanceID").Aggregate,
+								"type",
+								json.RawMessage(`{
+								"$schema": "urn:zitadel:schema:v1",
+								"type": "object",
+								"properties": {
+									"name": {
+										"type": "string"
+									}
+								}
+							}`),
+								[]domain.AuthenticatorType{domain.AuthenticatorTypeUsername},
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+					),
+					expectPush(
+						schemauser.NewUpdatedEvent(
+							context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							[]schemauser.Changes{
+								schemauser.ChangeData(
+									json.RawMessage(`{
+						"name": "user1",
+						"additional": "property"
+					}`),
+								),
+							},
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUser{
+					ID:       "user1",
+					SchemaID: gu.Ptr("id1"),
+					Data: json.RawMessage(`{
+						"name": "user1",
+						"additional": "property"
+					}`),
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			"user update, invalid data attribute name",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schema.NewCreatedEvent(
+								context.Background(),
+								&schema.NewAggregate("id1", "instanceID").Aggregate,
+								"type",
+								json.RawMessage(`{
+								"$schema": "urn:zitadel:schema:v1",
+								"type": "object",
+								"properties": {
+									"name": {
+										"type": "string"
+									}
+								},
+       							"additionalProperties": false
+							}`),
+								[]domain.AuthenticatorType{domain.AuthenticatorTypeUsername},
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "org1", "user1"),
+				user: &ChangeSchemaUser{
+					ID:       "user1",
+					SchemaID: gu.Ptr("type"),
+					Data: json.RawMessage(`{
+						"invalid": "user"
+					}`),
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowPreconditionFailed(nil, "COMMAND-SlKXqLSeL6", "Errors.UserSchema.Data.Invalid"))
+				},
+			},
+		},
+		{
+			"user update, email not changed",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewEmailUpdatedEvent(
+								context.Background(),
+								&schema.NewAggregate("id1", "instanceID").Aggregate,
+								"test@example.com",
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUser{
+					ID: "user1",
+					Email: &Email{
+						Address:     "test@example.com",
+						ReturnCode:  true,
+						URLTemplate: "https://example.com/email/verify?userID={{.UserID}}&code={{.Code}}&orgID={{.OrgID}}",
+					},
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			"user update, email return",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schema.NewCreatedEvent(
+								context.Background(),
+								&schema.NewAggregate("id1", "instanceID").Aggregate,
+								"type",
+								json.RawMessage(`{
+								"$schema": "urn:zitadel:schema:v1",
+								"type": "object",
+								"properties": {
+									"name": {
+										"type": "string"
+									}
+								}
+							}`),
+								[]domain.AuthenticatorType{domain.AuthenticatorTypeUsername},
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+					),
+					expectPush(
+						schemauser.NewEmailUpdatedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							"test@example.com",
+						),
+						schemauser.NewEmailCodeAddedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							&crypto.CryptoValue{
+								CryptoType: crypto.TypeEncryption,
+								Algorithm:  "enc",
+								KeyID:      "id",
+								Crypted:    []byte("emailverify"),
+							},
+							time.Hour*1,
+							"https://example.com/email/verify?userID={{.UserID}}&code={{.Code}}&orgID={{.OrgID}}",
+							true,
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+				newCode:         mockEncryptedCode("emailverify", time.Hour),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUser{
+					ID:       "user1",
+					SchemaID: gu.Ptr("id1"),
+					Email: &Email{
+						Address:     "test@example.com",
+						ReturnCode:  true,
+						URLTemplate: "https://example.com/email/verify?userID={{.UserID}}&code={{.Code}}&orgID={{.OrgID}}",
+					},
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+				returnCodeEmail: "emailverify",
+			},
+		},
+		{
+			"user updated, email to verify",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						schemauser.NewCreatedEvent(
+							context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							"type",
+							1,
+							json.RawMessage(`{
+						"name": "user"
+					}`),
+						)),
+					expectPush(
+						schemauser.NewEmailUpdatedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							"test@example.com",
+						),
+						schemauser.NewEmailCodeAddedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							&crypto.CryptoValue{
+								CryptoType: crypto.TypeEncryption,
+								Algorithm:  "enc",
+								KeyID:      "id",
+								Crypted:    []byte("emailverify"),
+							},
+							time.Hour*1,
+							"https://example.com/email/verify?userID={{.UserID}}&code={{.Code}}&orgID={{.OrgID}}",
+							false,
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+				newCode:         mockEncryptedCode("emailverify", time.Hour),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUser{
+					ID: "user1",
+					Email: &Email{
+						Address:     "test@example.com",
+						URLTemplate: "https://example.com/email/verify?userID={{.UserID}}&code={{.Code}}&orgID={{.OrgID}}",
+					},
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			"user updated, phone no change",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"type",
+								1,
+								json.RawMessage(`{
+						"name": "user"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewPhoneUpdatedEvent(context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"+41791234567",
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUser{
+					ID: "user1",
+					Phone: &Phone{
+						Number:     "+41791234567",
+						ReturnCode: true,
+					},
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			"user updated, phone return",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						schemauser.NewCreatedEvent(
+							context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							"type",
+							1,
+							json.RawMessage(`{
+						"name": "user"
+					}`),
+						),
+					),
+					expectPush(
+						schemauser.NewPhoneUpdatedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							"+41791234567",
+						),
+						schemauser.NewPhoneCodeAddedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							&crypto.CryptoValue{
+								CryptoType: crypto.TypeEncryption,
+								Algorithm:  "enc",
+								KeyID:      "id",
+								Crypted:    []byte("phoneverify"),
+							},
+							time.Hour*1,
+							true,
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+				newCode:         mockEncryptedCode("phoneverify", time.Hour),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUser{
+					ID: "user1",
+					Phone: &Phone{
+						Number:     "+41791234567",
+						ReturnCode: true,
+					},
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+				returnCodePhone: "phoneverify",
+			},
+		},
+		{
+			"user updated, phone to verify",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						schemauser.NewCreatedEvent(
+							context.Background(),
+							&schemauser.NewAggregate("id1", "org1").Aggregate,
+							"type",
+							1,
+							json.RawMessage(`{
+						"name": "user"
+					}`),
+						),
+					),
+					expectPush(
+						schemauser.NewPhoneUpdatedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							"+41791234567",
+						),
+						schemauser.NewPhoneCodeAddedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							&crypto.CryptoValue{
+								CryptoType: crypto.TypeEncryption,
+								Algorithm:  "enc",
+								KeyID:      "id",
+								Crypted:    []byte("phoneverify"),
+							},
+							time.Hour*1,
+							false,
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+				newCode:         mockEncryptedCode("phoneverify", time.Hour),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUser{
+					ID: "user1",
+					Phone: &Phone{
+						Number: "+41791234567",
+					},
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			"user updated, full verified",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						schemauser.NewCreatedEvent(
+							context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							"type",
+							1,
+							json.RawMessage(`{
+						"name": "user"
+					}`),
+						),
+					),
+					expectPush(
+						schemauser.NewEmailUpdatedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							"test@example.com",
+						),
+						schemauser.NewEmailVerifiedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+						),
+						schemauser.NewPhoneUpdatedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							"+41791234567",
+						),
+						schemauser.NewPhoneVerifiedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUser{
+					ID:    "user1",
+					Email: &Email{Address: "test@example.com", Verified: true},
+					Phone: &Phone{Number: "+41791234567", Verified: true},
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Commands{
+				eventstore:       tt.fields.eventstore(t),
+				checkPermission:  tt.fields.checkPermission,
+				newEncryptedCode: tt.fields.newCode,
+			}
+			err := c.ChangeSchemaUser(tt.args.ctx, tt.args.user, crypto.CreateMockEncryptionAlg(gomock.NewController(t)))
+			if tt.res.err == nil {
+				assert.NoError(t, err)
+			}
+			if tt.res.err != nil && !tt.res.err(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+			if tt.res.err == nil {
+				assertObjectDetails(t, tt.res.details, tt.args.user.Details)
+			}
+
+			if tt.res.returnCodePhone != "" {
+				assert.Equal(t, tt.res.returnCodePhone, tt.args.user.ReturnCodePhone)
+			}
+			if tt.res.returnCodeEmail != "" {
+				assert.Equal(t, tt.res.returnCodeEmail, tt.args.user.ReturnCodeEmail)
+			}
+		})
+	}
+}
diff --git a/internal/integration/client.go b/internal/integration/client.go
index 82b8ab3b6e..9bf855f5ce 100644
--- a/internal/integration/client.go
+++ b/internal/integration/client.go
@@ -28,7 +28,7 @@ import (
 	object_v3alpha "github.com/zitadel/zitadel/pkg/grpc/object/v3alpha"
 	oidc_pb "github.com/zitadel/zitadel/pkg/grpc/oidc/v2"
 	oidc_pb_v2beta "github.com/zitadel/zitadel/pkg/grpc/oidc/v2beta"
-	org "github.com/zitadel/zitadel/pkg/grpc/org/v2"
+	"github.com/zitadel/zitadel/pkg/grpc/org/v2"
 	org_v2beta "github.com/zitadel/zitadel/pkg/grpc/org/v2beta"
 	action "github.com/zitadel/zitadel/pkg/grpc/resources/action/v3alpha"
 	user_v3alpha "github.com/zitadel/zitadel/pkg/grpc/resources/user/v3alpha"
@@ -784,3 +784,55 @@ func (i *Instance) CreateInviteCode(ctx context.Context, userID string) *user_v2
 	logging.OnError(err).Fatal("create invite code")
 	return user
 }
+
+func (i *Instance) LockSchemaUser(ctx context.Context, orgID string, userID string) *user_v3alpha.LockUserResponse {
+	var org *object_v3alpha.Organization
+	if orgID != "" {
+		org = &object_v3alpha.Organization{Property: &object_v3alpha.Organization_OrgId{OrgId: orgID}}
+	}
+	user, err := i.Client.UserV3Alpha.LockUser(ctx, &user_v3alpha.LockUserRequest{
+		Organization: org,
+		Id:           userID,
+	})
+	logging.OnError(err).Fatal("lock user")
+	return user
+}
+
+func (i *Instance) UnlockSchemaUser(ctx context.Context, orgID string, userID string) *user_v3alpha.UnlockUserResponse {
+	var org *object_v3alpha.Organization
+	if orgID != "" {
+		org = &object_v3alpha.Organization{Property: &object_v3alpha.Organization_OrgId{OrgId: orgID}}
+	}
+	user, err := i.Client.UserV3Alpha.UnlockUser(ctx, &user_v3alpha.UnlockUserRequest{
+		Organization: org,
+		Id:           userID,
+	})
+	logging.OnError(err).Fatal("unlock user")
+	return user
+}
+
+func (i *Instance) DeactivateSchemaUser(ctx context.Context, orgID string, userID string) *user_v3alpha.DeactivateUserResponse {
+	var org *object_v3alpha.Organization
+	if orgID != "" {
+		org = &object_v3alpha.Organization{Property: &object_v3alpha.Organization_OrgId{OrgId: orgID}}
+	}
+	user, err := i.Client.UserV3Alpha.DeactivateUser(ctx, &user_v3alpha.DeactivateUserRequest{
+		Organization: org,
+		Id:           userID,
+	})
+	logging.OnError(err).Fatal("deactivate user")
+	return user
+}
+
+func (i *Instance) ActivateSchemaUser(ctx context.Context, orgID string, userID string) *user_v3alpha.ActivateUserResponse {
+	var org *object_v3alpha.Organization
+	if orgID != "" {
+		org = &object_v3alpha.Organization{Property: &object_v3alpha.Organization_OrgId{OrgId: orgID}}
+	}
+	user, err := i.Client.UserV3Alpha.ActivateUser(ctx, &user_v3alpha.ActivateUserRequest{
+		Organization: org,
+		Id:           userID,
+	})
+	logging.OnError(err).Fatal("reactivate user")
+	return user
+}
diff --git a/internal/repository/user/schemauser/aggregate.go b/internal/repository/user/schemauser/aggregate.go
index 1c9901c08c..18b901281e 100644
--- a/internal/repository/user/schemauser/aggregate.go
+++ b/internal/repository/user/schemauser/aggregate.go
@@ -5,8 +5,8 @@ import (
 )
 
 const (
-	AggregateType    = "user"
-	AggregateVersion = "v3"
+	AggregateType    = "schemauser"
+	AggregateVersion = "v1"
 )
 
 type Aggregate struct {
diff --git a/internal/repository/user/schemauser/email.go b/internal/repository/user/schemauser/email.go
index 07ae1bdf71..b5e4206252 100644
--- a/internal/repository/user/schemauser/email.go
+++ b/internal/repository/user/schemauser/email.go
@@ -8,7 +8,6 @@ import (
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
-	"github.com/zitadel/zitadel/internal/zerrors"
 )
 
 const (
@@ -21,11 +20,15 @@ const (
 )
 
 type EmailUpdatedEvent struct {
-	eventstore.BaseEvent `json:"-"`
+	*eventstore.BaseEvent `json:"-"`
 
 	EmailAddress domain.EmailAddress `json:"email,omitempty"`
 }
 
+func (e *EmailUpdatedEvent) SetBaseEvent(event *eventstore.BaseEvent) {
+	e.BaseEvent = event
+}
+
 func (e *EmailUpdatedEvent) Payload() interface{} {
 	return e
 }
@@ -36,7 +39,7 @@ func (e *EmailUpdatedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
 
 func NewEmailUpdatedEvent(ctx context.Context, aggregate *eventstore.Aggregate, emailAddress domain.EmailAddress) *EmailUpdatedEvent {
 	return &EmailUpdatedEvent{
-		BaseEvent: *eventstore.NewBaseEventForPush(
+		BaseEvent: eventstore.NewBaseEventForPush(
 			ctx,
 			aggregate,
 			EmailUpdatedType,
@@ -45,24 +48,16 @@ func NewEmailUpdatedEvent(ctx context.Context, aggregate *eventstore.Aggregate,
 	}
 }
 
-func EmailUpdatedEventMapper(event eventstore.Event) (eventstore.Event, error) {
-	emailChangedEvent := &EmailUpdatedEvent{
-		BaseEvent: *eventstore.BaseEventFromRepo(event),
-	}
-	err := event.Unmarshal(emailChangedEvent)
-	if err != nil {
-		return nil, zerrors.ThrowInternal(err, "USER-4M0sd", "unable to unmarshal human password changed")
-	}
-
-	return emailChangedEvent, nil
-}
-
 type EmailVerifiedEvent struct {
-	eventstore.BaseEvent `json:"-"`
+	*eventstore.BaseEvent `json:"-"`
 
 	IsEmailVerified bool `json:"-"`
 }
 
+func (e *EmailVerifiedEvent) SetBaseEvent(event *eventstore.BaseEvent) {
+	e.BaseEvent = event
+}
+
 func (e *EmailVerifiedEvent) Payload() interface{} {
 	return nil
 }
@@ -73,7 +68,7 @@ func (e *EmailVerifiedEvent) UniqueConstraints() []*eventstore.UniqueConstraint
 
 func NewEmailVerifiedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *EmailVerifiedEvent {
 	return &EmailVerifiedEvent{
-		BaseEvent: *eventstore.NewBaseEventForPush(
+		BaseEvent: eventstore.NewBaseEventForPush(
 			ctx,
 			aggregate,
 			EmailVerifiedType,
@@ -81,18 +76,13 @@ func NewEmailVerifiedEvent(ctx context.Context, aggregate *eventstore.Aggregate)
 	}
 }
 
-func HumanVerifiedEventMapper(event eventstore.Event) (eventstore.Event, error) {
-	emailVerified := &EmailVerifiedEvent{
-		BaseEvent:       *eventstore.BaseEventFromRepo(event),
-		IsEmailVerified: true,
-	}
-	return emailVerified, nil
-}
-
 type EmailVerificationFailedEvent struct {
-	eventstore.BaseEvent `json:"-"`
+	*eventstore.BaseEvent `json:"-"`
 }
 
+func (e *EmailVerificationFailedEvent) SetBaseEvent(event *eventstore.BaseEvent) {
+	e.BaseEvent = event
+}
 func (e *EmailVerificationFailedEvent) Payload() interface{} {
 	return nil
 }
@@ -101,9 +91,9 @@ func (e *EmailVerificationFailedEvent) UniqueConstraints() []*eventstore.UniqueC
 	return nil
 }
 
-func NewHumanEmailVerificationFailedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *EmailVerificationFailedEvent {
+func NewEmailVerificationFailedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *EmailVerificationFailedEvent {
 	return &EmailVerificationFailedEvent{
-		BaseEvent: *eventstore.NewBaseEventForPush(
+		BaseEvent: eventstore.NewBaseEventForPush(
 			ctx,
 			aggregate,
 			EmailVerificationFailedType,
@@ -111,14 +101,8 @@ func NewHumanEmailVerificationFailedEvent(ctx context.Context, aggregate *events
 	}
 }
 
-func EmailVerificationFailedEventMapper(event eventstore.Event) (eventstore.Event, error) {
-	return &EmailVerificationFailedEvent{
-		BaseEvent: *eventstore.BaseEventFromRepo(event),
-	}, nil
-}
-
 type EmailCodeAddedEvent struct {
-	eventstore.BaseEvent `json:"-"`
+	*eventstore.BaseEvent `json:"-"`
 
 	Code              *crypto.CryptoValue `json:"code,omitempty"`
 	Expiry            time.Duration       `json:"expiry,omitempty"`
@@ -127,6 +111,10 @@ type EmailCodeAddedEvent struct {
 	TriggeredAtOrigin string              `json:"triggerOrigin,omitempty"`
 }
 
+func (e *EmailCodeAddedEvent) SetBaseEvent(event *eventstore.BaseEvent) {
+	e.BaseEvent = event
+}
+
 func (e *EmailCodeAddedEvent) Payload() interface{} {
 	return e
 }
@@ -148,7 +136,7 @@ func NewEmailCodeAddedEvent(
 	codeReturned bool,
 ) *EmailCodeAddedEvent {
 	return &EmailCodeAddedEvent{
-		BaseEvent: *eventstore.NewBaseEventForPush(
+		BaseEvent: eventstore.NewBaseEventForPush(
 			ctx,
 			aggregate,
 			EmailCodeAddedType,
@@ -161,22 +149,13 @@ func NewEmailCodeAddedEvent(
 	}
 }
 
-func EmailCodeAddedEventMapper(event eventstore.Event) (eventstore.Event, error) {
-	codeAdded := &EmailCodeAddedEvent{
-		BaseEvent: *eventstore.BaseEventFromRepo(event),
-	}
-	err := event.Unmarshal(codeAdded)
-	if err != nil {
-		return nil, zerrors.ThrowInternal(err, "USER-3M0sd", "unable to unmarshal human email code added")
-	}
-
-	return codeAdded, nil
-}
-
 type EmailCodeSentEvent struct {
-	eventstore.BaseEvent `json:"-"`
+	*eventstore.BaseEvent `json:"-"`
 }
 
+func (e *EmailCodeSentEvent) SetBaseEvent(event *eventstore.BaseEvent) {
+	e.BaseEvent = event
+}
 func (e *EmailCodeSentEvent) Payload() interface{} {
 	return nil
 }
@@ -185,18 +164,12 @@ func (e *EmailCodeSentEvent) UniqueConstraints() []*eventstore.UniqueConstraint
 	return nil
 }
 
-func NewHumanEmailCodeSentEvent(ctx context.Context, aggregate *eventstore.Aggregate) *EmailCodeSentEvent {
+func NewEmailCodeSentEvent(ctx context.Context, aggregate *eventstore.Aggregate) *EmailCodeSentEvent {
 	return &EmailCodeSentEvent{
-		BaseEvent: *eventstore.NewBaseEventForPush(
+		BaseEvent: eventstore.NewBaseEventForPush(
 			ctx,
 			aggregate,
 			EmailCodeSentType,
 		),
 	}
 }
-
-func EmailCodeSentEventMapper(event eventstore.Event) (eventstore.Event, error) {
-	return &EmailCodeSentEvent{
-		BaseEvent: *eventstore.BaseEventFromRepo(event),
-	}, nil
-}
diff --git a/internal/repository/user/schemauser/eventstore.go b/internal/repository/user/schemauser/eventstore.go
index b9cf03e5d3..85ad15c17d 100644
--- a/internal/repository/user/schemauser/eventstore.go
+++ b/internal/repository/user/schemauser/eventstore.go
@@ -6,4 +6,18 @@ func init() {
 	eventstore.RegisterFilterEventMapper(AggregateType, CreatedType, eventstore.GenericEventMapper[CreatedEvent])
 	eventstore.RegisterFilterEventMapper(AggregateType, UpdatedType, eventstore.GenericEventMapper[UpdatedEvent])
 	eventstore.RegisterFilterEventMapper(AggregateType, DeletedType, eventstore.GenericEventMapper[DeletedEvent])
+	eventstore.RegisterFilterEventMapper(AggregateType, LockedType, eventstore.GenericEventMapper[LockedEvent])
+	eventstore.RegisterFilterEventMapper(AggregateType, UnlockedType, eventstore.GenericEventMapper[UnlockedEvent])
+	eventstore.RegisterFilterEventMapper(AggregateType, ActivatedType, eventstore.GenericEventMapper[ActivatedEvent])
+	eventstore.RegisterFilterEventMapper(AggregateType, DeactivatedType, eventstore.GenericEventMapper[DeactivatedEvent])
+	eventstore.RegisterFilterEventMapper(AggregateType, EmailUpdatedType, eventstore.GenericEventMapper[EmailUpdatedEvent])
+	eventstore.RegisterFilterEventMapper(AggregateType, EmailCodeAddedType, eventstore.GenericEventMapper[EmailCodeAddedEvent])
+	eventstore.RegisterFilterEventMapper(AggregateType, EmailCodeSentType, eventstore.GenericEventMapper[EmailCodeSentEvent])
+	eventstore.RegisterFilterEventMapper(AggregateType, EmailVerifiedType, eventstore.GenericEventMapper[EmailVerifiedEvent])
+	eventstore.RegisterFilterEventMapper(AggregateType, EmailVerificationFailedType, eventstore.GenericEventMapper[EmailVerificationFailedEvent])
+	eventstore.RegisterFilterEventMapper(AggregateType, PhoneUpdatedType, eventstore.GenericEventMapper[PhoneUpdatedEvent])
+	eventstore.RegisterFilterEventMapper(AggregateType, PhoneCodeAddedType, eventstore.GenericEventMapper[PhoneCodeAddedEvent])
+	eventstore.RegisterFilterEventMapper(AggregateType, PhoneCodeSentType, eventstore.GenericEventMapper[PhoneCodeSentEvent])
+	eventstore.RegisterFilterEventMapper(AggregateType, PhoneVerifiedType, eventstore.GenericEventMapper[PhoneVerifiedEvent])
+	eventstore.RegisterFilterEventMapper(AggregateType, PhoneVerificationFailedType, eventstore.GenericEventMapper[PhoneVerificationFailedEvent])
 }
diff --git a/internal/repository/user/schemauser/phone.go b/internal/repository/user/schemauser/phone.go
index 5110772c04..a491dab776 100644
--- a/internal/repository/user/schemauser/phone.go
+++ b/internal/repository/user/schemauser/phone.go
@@ -8,7 +8,6 @@ import (
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
-	"github.com/zitadel/zitadel/internal/zerrors"
 )
 
 const (
@@ -20,23 +19,27 @@ const (
 	PhoneCodeSentType           = phoneEventPrefix + "code.sent"
 )
 
-type PhoneChangedEvent struct {
-	eventstore.BaseEvent `json:"-"`
+type PhoneUpdatedEvent struct {
+	*eventstore.BaseEvent `json:"-"`
 
 	PhoneNumber domain.PhoneNumber `json:"phone,omitempty"`
 }
 
-func (e *PhoneChangedEvent) Payload() interface{} {
+func (e *PhoneUpdatedEvent) SetBaseEvent(event *eventstore.BaseEvent) {
+	e.BaseEvent = event
+}
+
+func (e *PhoneUpdatedEvent) Payload() interface{} {
 	return e
 }
 
-func (e *PhoneChangedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+func (e *PhoneUpdatedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
 	return nil
 }
 
-func NewPhoneChangedEvent(ctx context.Context, aggregate *eventstore.Aggregate, phone domain.PhoneNumber) *PhoneChangedEvent {
-	return &PhoneChangedEvent{
-		BaseEvent: *eventstore.NewBaseEventForPush(
+func NewPhoneUpdatedEvent(ctx context.Context, aggregate *eventstore.Aggregate, phone domain.PhoneNumber) *PhoneUpdatedEvent {
+	return &PhoneUpdatedEvent{
+		BaseEvent: eventstore.NewBaseEventForPush(
 			ctx,
 			aggregate,
 			PhoneUpdatedType,
@@ -45,24 +48,15 @@ func NewPhoneChangedEvent(ctx context.Context, aggregate *eventstore.Aggregate,
 	}
 }
 
-func PhoneChangedEventMapper(event eventstore.Event) (eventstore.Event, error) {
-	phoneChangedEvent := &PhoneChangedEvent{
-		BaseEvent: *eventstore.BaseEventFromRepo(event),
-	}
-	err := event.Unmarshal(phoneChangedEvent)
-	if err != nil {
-		return nil, zerrors.ThrowInternal(err, "USER-5M0pd", "unable to unmarshal  phone changed")
-	}
-
-	return phoneChangedEvent, nil
-}
-
 type PhoneVerifiedEvent struct {
-	eventstore.BaseEvent `json:"-"`
+	*eventstore.BaseEvent `json:"-"`
 
 	IsPhoneVerified bool `json:"-"`
 }
 
+func (e *PhoneVerifiedEvent) SetBaseEvent(event *eventstore.BaseEvent) {
+	e.BaseEvent = event
+}
 func (e *PhoneVerifiedEvent) Payload() interface{} {
 	return nil
 }
@@ -73,7 +67,7 @@ func (e *PhoneVerifiedEvent) UniqueConstraints() []*eventstore.UniqueConstraint
 
 func NewPhoneVerifiedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *PhoneVerifiedEvent {
 	return &PhoneVerifiedEvent{
-		BaseEvent: *eventstore.NewBaseEventForPush(
+		BaseEvent: eventstore.NewBaseEventForPush(
 			ctx,
 			aggregate,
 			PhoneVerifiedType,
@@ -81,15 +75,12 @@ func NewPhoneVerifiedEvent(ctx context.Context, aggregate *eventstore.Aggregate)
 	}
 }
 
-func PhoneVerifiedEventMapper(event eventstore.Event) (eventstore.Event, error) {
-	return &PhoneVerifiedEvent{
-		BaseEvent:       *eventstore.BaseEventFromRepo(event),
-		IsPhoneVerified: true,
-	}, nil
+type PhoneVerificationFailedEvent struct {
+	*eventstore.BaseEvent `json:"-"`
 }
 
-type PhoneVerificationFailedEvent struct {
-	eventstore.BaseEvent `json:"-"`
+func (e *PhoneVerificationFailedEvent) SetBaseEvent(event *eventstore.BaseEvent) {
+	e.BaseEvent = event
 }
 
 func (e *PhoneVerificationFailedEvent) Payload() interface{} {
@@ -102,7 +93,7 @@ func (e *PhoneVerificationFailedEvent) UniqueConstraints() []*eventstore.UniqueC
 
 func NewPhoneVerificationFailedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *PhoneVerificationFailedEvent {
 	return &PhoneVerificationFailedEvent{
-		BaseEvent: *eventstore.NewBaseEventForPush(
+		BaseEvent: eventstore.NewBaseEventForPush(
 			ctx,
 			aggregate,
 			PhoneVerificationFailedType,
@@ -110,14 +101,8 @@ func NewPhoneVerificationFailedEvent(ctx context.Context, aggregate *eventstore.
 	}
 }
 
-func PhoneVerificationFailedEventMapper(event eventstore.Event) (eventstore.Event, error) {
-	return &PhoneVerificationFailedEvent{
-		BaseEvent: *eventstore.BaseEventFromRepo(event),
-	}, nil
-}
-
 type PhoneCodeAddedEvent struct {
-	eventstore.BaseEvent `json:"-"`
+	*eventstore.BaseEvent `json:"-"`
 
 	Code              *crypto.CryptoValue `json:"code,omitempty"`
 	Expiry            time.Duration       `json:"expiry,omitempty"`
@@ -137,6 +122,10 @@ func (e *PhoneCodeAddedEvent) TriggerOrigin() string {
 	return e.TriggeredAtOrigin
 }
 
+func (e *PhoneCodeAddedEvent) SetBaseEvent(event *eventstore.BaseEvent) {
+	e.BaseEvent = event
+}
+
 func NewPhoneCodeAddedEvent(
 	ctx context.Context,
 	aggregate *eventstore.Aggregate,
@@ -145,7 +134,7 @@ func NewPhoneCodeAddedEvent(
 	codeReturned bool,
 ) *PhoneCodeAddedEvent {
 	return &PhoneCodeAddedEvent{
-		BaseEvent: *eventstore.NewBaseEventForPush(
+		BaseEvent: eventstore.NewBaseEventForPush(
 			ctx,
 			aggregate,
 			PhoneCodeAddedType,
@@ -157,20 +146,8 @@ func NewPhoneCodeAddedEvent(
 	}
 }
 
-func PhoneCodeAddedEventMapper(event eventstore.Event) (eventstore.Event, error) {
-	codeAdded := &PhoneCodeAddedEvent{
-		BaseEvent: *eventstore.BaseEventFromRepo(event),
-	}
-	err := event.Unmarshal(codeAdded)
-	if err != nil {
-		return nil, zerrors.ThrowInternal(err, "USER-6Ms9d", "unable to unmarshal  phone code added")
-	}
-
-	return codeAdded, nil
-}
-
 type PhoneCodeSentEvent struct {
-	eventstore.BaseEvent `json:"-"`
+	*eventstore.BaseEvent `json:"-"`
 }
 
 func (e *PhoneCodeSentEvent) Payload() interface{} {
@@ -181,18 +158,16 @@ func (e *PhoneCodeSentEvent) UniqueConstraints() []*eventstore.UniqueConstraint
 	return nil
 }
 
+func (e *PhoneCodeSentEvent) SetBaseEvent(event *eventstore.BaseEvent) {
+	e.BaseEvent = event
+}
+
 func NewPhoneCodeSentEvent(ctx context.Context, aggregate *eventstore.Aggregate) *PhoneCodeSentEvent {
 	return &PhoneCodeSentEvent{
-		BaseEvent: *eventstore.NewBaseEventForPush(
+		BaseEvent: eventstore.NewBaseEventForPush(
 			ctx,
 			aggregate,
 			PhoneCodeSentType,
 		),
 	}
 }
-
-func PhoneCodeSentEventMapper(event eventstore.Event) (eventstore.Event, error) {
-	return &PhoneCodeSentEvent{
-		BaseEvent: *eventstore.BaseEventFromRepo(event),
-	}, nil
-}
diff --git a/internal/repository/user/schemauser/user.go b/internal/repository/user/schemauser/user.go
index 4c88d53087..6583e57366 100644
--- a/internal/repository/user/schemauser/user.go
+++ b/internal/repository/user/schemauser/user.go
@@ -8,10 +8,14 @@ import (
 )
 
 const (
-	eventPrefix = "user."
-	CreatedType = eventPrefix + "created"
-	UpdatedType = eventPrefix + "updated"
-	DeletedType = eventPrefix + "deleted"
+	eventPrefix     = "schemauser."
+	CreatedType     = eventPrefix + "created"
+	UpdatedType     = eventPrefix + "updated"
+	DeletedType     = eventPrefix + "deleted"
+	LockedType      = eventPrefix + "locked"
+	UnlockedType    = eventPrefix + "unlocked"
+	DeactivatedType = eventPrefix + "deactivated"
+	ActivatedType   = eventPrefix + "activated"
 )
 
 type CreatedEvent struct {
@@ -60,8 +64,6 @@ type UpdatedEvent struct {
 	SchemaID       *string         `json:"schemaID,omitempty"`
 	SchemaRevision *uint64         `json:"schemaRevision,omitempty"`
 	Data           json.RawMessage `json:"schema,omitempty"`
-	oldSchemaID    string
-	oldRevision    uint64
 }
 
 func (e *UpdatedEvent) SetBaseEvent(event *eventstore.BaseEvent) {
@@ -95,16 +97,14 @@ func NewUpdatedEvent(
 
 type Changes func(event *UpdatedEvent)
 
-func ChangeSchemaID(oldSchemaID, schemaID string) func(event *UpdatedEvent) {
+func ChangeSchemaID(schemaID string) func(event *UpdatedEvent) {
 	return func(e *UpdatedEvent) {
 		e.SchemaID = &schemaID
-		e.oldSchemaID = oldSchemaID
 	}
 }
-func ChangeSchemaRevision(oldSchemaRevision, schemaRevision uint64) func(event *UpdatedEvent) {
+func ChangeSchemaRevision(schemaRevision uint64) func(event *UpdatedEvent) {
 	return func(e *UpdatedEvent) {
 		e.SchemaRevision = &schemaRevision
-		e.oldRevision = oldSchemaRevision
 	}
 }
 
@@ -142,3 +142,119 @@ func NewDeletedEvent(
 		),
 	}
 }
+
+type LockedEvent struct {
+	*eventstore.BaseEvent `json:"-"`
+}
+
+func (e *LockedEvent) SetBaseEvent(event *eventstore.BaseEvent) {
+	e.BaseEvent = event
+}
+
+func (e *LockedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *LockedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func NewLockedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+) *LockedEvent {
+	return &LockedEvent{
+		BaseEvent: eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			LockedType,
+		),
+	}
+}
+
+type UnlockedEvent struct {
+	*eventstore.BaseEvent `json:"-"`
+}
+
+func (e *UnlockedEvent) SetBaseEvent(event *eventstore.BaseEvent) {
+	e.BaseEvent = event
+}
+
+func (e *UnlockedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *UnlockedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func NewUnlockedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+) *UnlockedEvent {
+	return &UnlockedEvent{
+		BaseEvent: eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UnlockedType,
+		),
+	}
+}
+
+type DeactivatedEvent struct {
+	*eventstore.BaseEvent `json:"-"`
+}
+
+func (e *DeactivatedEvent) SetBaseEvent(event *eventstore.BaseEvent) {
+	e.BaseEvent = event
+}
+
+func (e *DeactivatedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *DeactivatedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func NewDeactivatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+) *DeactivatedEvent {
+	return &DeactivatedEvent{
+		BaseEvent: eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			DeactivatedType,
+		),
+	}
+}
+
+type ActivatedEvent struct {
+	*eventstore.BaseEvent `json:"-"`
+}
+
+func (e *ActivatedEvent) SetBaseEvent(event *eventstore.BaseEvent) {
+	e.BaseEvent = event
+}
+
+func (e *ActivatedEvent) Payload() interface{} {
+	return e
+}
+
+func (e *ActivatedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
+	return nil
+}
+
+func NewActivatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+) *ActivatedEvent {
+	return &ActivatedEvent{
+		BaseEvent: eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ActivatedType,
+		),
+	}
+}
diff --git a/proto/zitadel/resources/user/v3alpha/user_service.proto b/proto/zitadel/resources/user/v3alpha/user_service.proto
index d39ac1930a..91831bdc40 100644
--- a/proto/zitadel/resources/user/v3alpha/user_service.proto
+++ b/proto/zitadel/resources/user/v3alpha/user_service.proto
@@ -150,7 +150,7 @@ service ZITADELUsers {
   // Returns the user identified by the requested ID.
   rpc GetUser (GetUserRequest) returns (GetUserResponse) {
     option (google.api.http) = {
-      get: "/resources/v3alpha/users/{user_id}"
+      get: "/resources/v3alpha/users/{id}"
     };
 
     option (zitadel.protoc_gen_zitadel.v2.options) = {
@@ -208,7 +208,7 @@ service ZITADELUsers {
   // Patch an existing user with data based on a user schema.
   rpc PatchUser (PatchUserRequest) returns (PatchUserResponse) {
     option (google.api.http) = {
-      patch: "/resources/v3alpha/users/{user_id}"
+      patch: "/resources/v3alpha/users/{id}"
       body: "user"
     };
 
@@ -238,7 +238,7 @@ service ZITADELUsers {
   // The endpoint returns an error if the user is already in the state 'deactivated'.
   rpc DeactivateUser (DeactivateUserRequest) returns (DeactivateUserResponse) {
     option (google.api.http) = {
-      post: "/resources/v3alpha/users/{user_id}/_deactivate"
+      post: "/resources/v3alpha/users/{id}/_deactivate"
     };
 
     option (zitadel.protoc_gen_zitadel.v2.options) = {
@@ -257,15 +257,15 @@ service ZITADELUsers {
     };
   }
 
-  // Reactivate a user
+  // Activate a user
   //
-  // Reactivate a previously deactivated user and change the state to 'active'.
+  // Activate a previously deactivated user and change the state to 'active'.
   // The user will be able to log in again.
   //
   // The endpoint returns an error if the user is not in the state 'deactivated'.
-  rpc ReactivateUser (ReactivateUserRequest) returns (ReactivateUserResponse) {
+  rpc ActivateUser (ActivateUserRequest) returns (ActivateUserResponse) {
     option (google.api.http) = {
-      post: "/resources/v3alpha/users/{user_id}/_reactivate"
+      post: "/resources/v3alpha/users/{id}/_activate"
     };
 
     option (zitadel.protoc_gen_zitadel.v2.options) = {
@@ -278,7 +278,7 @@ service ZITADELUsers {
       responses: {
         key: "200";
         value: {
-          description: "User successfully reactivated";
+          description: "User successfully activated";
         };
       };
     };
@@ -294,7 +294,7 @@ service ZITADELUsers {
   // The endpoint returns an error if the user is already in the state 'locked'.
   rpc LockUser (LockUserRequest) returns (LockUserResponse) {
     option (google.api.http) = {
-      post: "/resources/v3alpha/users/{user_id}/_lock"
+      post: "/resources/v3alpha/users/{id}/_lock"
     };
 
     option (zitadel.protoc_gen_zitadel.v2.options) = {
@@ -321,7 +321,7 @@ service ZITADELUsers {
   // The endpoint returns an error if the user is not in the state 'locked'.
   rpc UnlockUser (UnlockUserRequest) returns (UnlockUserResponse) {
     option (google.api.http) = {
-      post: "/resources/v3alpha/users/{user_id}/_unlock"
+      post: "/resources/v3alpha/users/{id}/_unlock"
     };
 
     option (zitadel.protoc_gen_zitadel.v2.options) = {
@@ -346,7 +346,7 @@ service ZITADELUsers {
   // The user will be able to log in anymore.
   rpc DeleteUser (DeleteUserRequest) returns (DeleteUserResponse) {
     option (google.api.http) = {
-      delete: "/resources/v3alpha/users/{user_id}"
+      delete: "/resources/v3alpha/users/{id}"
     };
 
     option (zitadel.protoc_gen_zitadel.v2.options) = {
@@ -372,7 +372,7 @@ service ZITADELUsers {
   // which can be either returned or will be sent to the user by email.
   rpc SetContactEmail (SetContactEmailRequest) returns (SetContactEmailResponse) {
     option (google.api.http) = {
-      put: "/resources/v3alpha/users/{user_id}/email"
+      put: "/resources/v3alpha/users/{id}/email"
       body: "email"
     };
 
@@ -397,7 +397,7 @@ service ZITADELUsers {
   // Verify the contact email with the provided code.
   rpc VerifyContactEmail (VerifyContactEmailRequest) returns (VerifyContactEmailResponse) {
     option (google.api.http) = {
-      post: "/resources/v3alpha/users/{user_id}/email/_verify"
+      post: "/resources/v3alpha/users/{id}/email/_verify"
       body: "verification_code"
     };
 
@@ -422,7 +422,7 @@ service ZITADELUsers {
   // Resend the email with the verification code for the contact email address.
   rpc ResendContactEmailCode (ResendContactEmailCodeRequest) returns (ResendContactEmailCodeResponse) {
     option (google.api.http) = {
-      post: "/resources/v3alpha/users/{user_id}/email/_resend"
+      post: "/resources/v3alpha/users/{id}/email/_resend"
       body: "*"
     };
 
@@ -449,7 +449,7 @@ service ZITADELUsers {
   // which can be either returned or will be sent to the user by SMS.
   rpc SetContactPhone (SetContactPhoneRequest) returns (SetContactPhoneResponse) {
     option (google.api.http) = {
-      put: "/resources/v3alpha/users/{user_id}/phone"
+      put: "/resources/v3alpha/users/{id}/phone"
       body: "phone"
     };
 
@@ -474,7 +474,7 @@ service ZITADELUsers {
   // Verify the contact phone with the provided code.
   rpc VerifyContactPhone (VerifyContactPhoneRequest) returns (VerifyContactPhoneResponse) {
     option (google.api.http) = {
-      post: "/resources/v3alpha/users/{user_id}/phone/_verify"
+      post: "/resources/v3alpha/users/{id}/phone/_verify"
       body: "verification_code"
     };
 
@@ -499,7 +499,7 @@ service ZITADELUsers {
   // Resend the phone with the verification code for the contact phone number.
   rpc ResendContactPhoneCode (ResendContactPhoneCodeRequest) returns (ResendContactPhoneCodeResponse) {
     option (google.api.http) = {
-      post: "/resources/v3alpha/users/{user_id}/phone/_resend"
+      post: "/resources/v3alpha/users/{id}/phone/_resend"
       body: "*"
     };
 
@@ -524,7 +524,7 @@ service ZITADELUsers {
   // Add a new unique username to a user. The username will be used to identify the user on authentication.
   rpc AddUsername (AddUsernameRequest) returns (AddUsernameResponse) {
     option (google.api.http) = {
-      post: "/resources/v3alpha/users/{user_id}/username"
+      post: "/resources/v3alpha/users/{id}/username"
       body: "username"
     };
 
@@ -549,7 +549,7 @@ service ZITADELUsers {
   // Remove an existing username of a user, so it cannot be used for authentication anymore.
   rpc RemoveUsername (RemoveUsernameRequest) returns (RemoveUsernameResponse) {
     option (google.api.http) = {
-      delete: "/resources/v3alpha/users/{user_id}/username/{username_id}"
+      delete: "/resources/v3alpha/users/{id}/username/{username_id}"
     };
 
     option (zitadel.protoc_gen_zitadel.v2.options) = {
@@ -573,7 +573,7 @@ service ZITADELUsers {
   // Add, update or reset a user's password with either a verification code or the current password.
   rpc SetPassword (SetPasswordRequest) returns (SetPasswordResponse) {
     option (google.api.http) = {
-      post: "/resources/v3alpha/users/{user_id}/password"
+      post: "/resources/v3alpha/users/{id}/password"
       body: "new_password"
     };
 
@@ -598,7 +598,7 @@ service ZITADELUsers {
   // Request a code to be able to set a new password.
   rpc RequestPasswordReset (RequestPasswordResetRequest) returns (RequestPasswordResetResponse) {
     option (google.api.http) = {
-      post: "/resources/v3alpha/users/{user_id}/password/_reset"
+      post: "/resources/v3alpha/users/{id}/password/_reset"
       body: "*"
     };
 
@@ -625,7 +625,7 @@ service ZITADELUsers {
   // which are used to verify the device.
   rpc StartWebAuthNRegistration (StartWebAuthNRegistrationRequest) returns (StartWebAuthNRegistrationResponse) {
     option (google.api.http) = {
-      post: "/resources/v3alpha/users/{user_id}/webauthn"
+      post: "/resources/v3alpha/users/{id}/webauthn"
       body: "registration"
     };
 
@@ -650,7 +650,7 @@ service ZITADELUsers {
   // Verify the WebAuthN registration started by StartWebAuthNRegistration with the public key credential.
   rpc VerifyWebAuthNRegistration (VerifyWebAuthNRegistrationRequest) returns (VerifyWebAuthNRegistrationResponse) {
     option (google.api.http) = {
-      post: "/resources/v3alpha/users/{user_id}/webauthn/{web_auth_n_id}/_verify"
+      post: "/resources/v3alpha/users/{id}/webauthn/{web_auth_n_id}/_verify"
       body: "verify"
     };
 
@@ -675,7 +675,7 @@ service ZITADELUsers {
   // The code will allow the user to start a new WebAuthN registration.
   rpc CreateWebAuthNRegistrationLink (CreateWebAuthNRegistrationLinkRequest) returns (CreateWebAuthNRegistrationLinkResponse) {
     option (google.api.http) = {
-      post: "/resources/v3alpha/users/{user_id}/webauthn/registration_link"
+      post: "/resources/v3alpha/users/{id}/webauthn/registration_link"
       body: "*"
     };
 
@@ -699,7 +699,7 @@ service ZITADELUsers {
   // Remove an existing WebAuthN authenticator from a user, so it cannot be used for authentication anymore.
   rpc RemoveWebAuthNAuthenticator (RemoveWebAuthNAuthenticatorRequest) returns (RemoveWebAuthNAuthenticatorResponse) {
     option (google.api.http) = {
-      delete: "/resources/v3alpha/users/{user_id}/webauthn/{web_auth_n_id}"
+      delete: "/resources/v3alpha/users/{id}/webauthn/{web_auth_n_id}"
     };
 
     option (zitadel.protoc_gen_zitadel.v2.options) = {
@@ -723,7 +723,7 @@ service ZITADELUsers {
   // As a response a secret is returned, which is used to initialize a TOTP app or device.
   rpc StartTOTPRegistration (StartTOTPRegistrationRequest) returns (StartTOTPRegistrationResponse) {
     option (google.api.http) = {
-      post: "/resources/v3alpha/users/{user_id}/totp"
+      post: "/resources/v3alpha/users/{id}/totp"
     };
 
     option (zitadel.protoc_gen_zitadel.v2.options) = {
@@ -746,7 +746,7 @@ service ZITADELUsers {
   // Verify the time-based one-time-password (TOTP) registration with the generated code.
   rpc VerifyTOTPRegistration (VerifyTOTPRegistrationRequest) returns (VerifyTOTPRegistrationResponse) {
     option (google.api.http) = {
-      post: "/resources/v3alpha/users/{user_id}/totp/{totp_id}/_verify"
+      post: "/resources/v3alpha/users/{id}/totp/{totp_id}/_verify"
       body: "code"
     };
 
@@ -770,7 +770,7 @@ service ZITADELUsers {
   // Remove an existing time-based one-time-password (TOTP) authenticator from a user, so it cannot be used for authentication anymore.
   rpc RemoveTOTPAuthenticator (RemoveTOTPAuthenticatorRequest) returns (RemoveTOTPAuthenticatorResponse) {
     option (google.api.http) = {
-      delete: "/resources/v3alpha/users/{user_id}/totp/{totp_id}"
+      delete: "/resources/v3alpha/users/{id}/totp/{totp_id}"
     };
 
     option (zitadel.protoc_gen_zitadel.v2.options) = {
@@ -795,7 +795,7 @@ service ZITADELUsers {
   // which can be either returned or will be sent to the user by SMS.
   rpc AddOTPSMSAuthenticator (AddOTPSMSAuthenticatorRequest) returns (AddOTPSMSAuthenticatorResponse) {
     option (google.api.http) = {
-      post: "/resources/v3alpha/users/{user_id}/otp_sms"
+      post: "/resources/v3alpha/users/{id}/otp_sms"
       body: "phone"
     };
 
@@ -819,7 +819,7 @@ service ZITADELUsers {
   // Verify the OTP SMS registration with the provided code.
   rpc VerifyOTPSMSRegistration (VerifyOTPSMSRegistrationRequest) returns (VerifyOTPSMSRegistrationResponse) {
     option (google.api.http) = {
-      post: "/resources/v3alpha/users/{user_id}/otp_sms/{otp_sms_id}/_verify"
+      post: "/resources/v3alpha/users/{id}/otp_sms/{otp_sms_id}/_verify"
       body: "code"
     };
 
@@ -844,7 +844,7 @@ service ZITADELUsers {
   // Remove an existing one-time-password (OTP) SMS authenticator from a user, so it cannot be used for authentication anymore.
   rpc RemoveOTPSMSAuthenticator (RemoveOTPSMSAuthenticatorRequest) returns (RemoveOTPSMSAuthenticatorResponse) {
     option (google.api.http) = {
-      delete: "/resources/v3alpha/users/{user_id}/otp_sms/{otp_sms_id}"
+      delete: "/resources/v3alpha/users/{id}/otp_sms/{otp_sms_id}"
     };
 
     option (zitadel.protoc_gen_zitadel.v2.options) = {
@@ -869,7 +869,7 @@ service ZITADELUsers {
   // which can be either returned or will be sent to the user by email.
   rpc AddOTPEmailAuthenticator (AddOTPEmailAuthenticatorRequest) returns (AddOTPEmailAuthenticatorResponse) {
     option (google.api.http) = {
-      post: "/resources/v3alpha/users/{user_id}/otp_email"
+      post: "/resources/v3alpha/users/{id}/otp_email"
       body: "email"
     };
 
@@ -893,7 +893,7 @@ service ZITADELUsers {
   // Verify the OTP Email registration with the provided code.
   rpc VerifyOTPEmailRegistration (VerifyOTPEmailRegistrationRequest) returns (VerifyOTPEmailRegistrationResponse) {
     option (google.api.http) = {
-      post: "/resources/v3alpha/users/{user_id}/otp_email/{otp_email_id}/_verify"
+      post: "/resources/v3alpha/users/{id}/otp_email/{otp_email_id}/_verify"
       body: "code"
     };
 
@@ -918,7 +918,7 @@ service ZITADELUsers {
   // Remove an existing one-time-password (OTP) Email authenticator from a user, so it cannot be used for authentication anymore.
   rpc RemoveOTPEmailAuthenticator (RemoveOTPEmailAuthenticatorRequest) returns (RemoveOTPEmailAuthenticatorResponse) {
     option (google.api.http) = {
-      delete: "/resources/v3alpha/users/{user_id}/otp_email/{otp_email_id}"
+      delete: "/resources/v3alpha/users/{id}/otp_email/{otp_email_id}"
     };
 
     option (zitadel.protoc_gen_zitadel.v2.options) = {
@@ -991,7 +991,7 @@ service ZITADELUsers {
   // This will allow the user to authenticate with the provided IDP.
   rpc AddIDPAuthenticator (AddIDPAuthenticatorRequest) returns (AddIDPAuthenticatorResponse) {
     option (google.api.http) = {
-      post: "/resources/v3alpha/users/{user_id}/idps"
+      post: "/resources/v3alpha/users/{id}/idps"
       body: "authenticator"
     };
 
@@ -1016,7 +1016,7 @@ service ZITADELUsers {
   // Remove an existing identity provider (IDP) authenticator from a user, so it cannot be used for authentication anymore.
   rpc RemoveIDPAuthenticator (RemoveIDPAuthenticatorRequest) returns (RemoveIDPAuthenticatorResponse) {
     option (google.api.http) = {
-      delete: "/resources/v3alpha/users/{user_id}/idps/{idp_id}"
+      delete: "/resources/v3alpha/users/{id}/idps/{idp_id}"
     };
 
     option (zitadel.protoc_gen_zitadel.v2.options) = {
@@ -1069,7 +1069,7 @@ message GetUserRequest {
     }
   ];
   // unique identifier of the user.
-  string user_id = 2 [
+  string id = 2 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1123,7 +1123,7 @@ message PatchUserRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   //  unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
       example: "\"69629012906488334\"";
     }
@@ -1156,7 +1156,7 @@ message DeactivateUserRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1172,7 +1172,7 @@ message DeactivateUserResponse {
 }
 
 
-message ReactivateUserRequest {
+message ActivateUserRequest {
   optional zitadel.object.v3alpha.Instance instance = 1 [
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
       default: "\"domain from HOST or :authority header\""
@@ -1181,7 +1181,7 @@ message ReactivateUserRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1192,7 +1192,7 @@ message ReactivateUserRequest {
   ];
 }
 
-message ReactivateUserResponse {
+message ActivateUserResponse {
   zitadel.resources.object.v3alpha.Details details = 1;
 }
 
@@ -1205,7 +1205,7 @@ message LockUserRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1229,7 +1229,7 @@ message UnlockUserRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1253,7 +1253,7 @@ message DeleteUserRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1277,7 +1277,7 @@ message SetContactEmailRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1309,7 +1309,7 @@ message VerifyContactEmailRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1343,7 +1343,7 @@ message ResendContactEmailCodeRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1376,7 +1376,7 @@ message SetContactPhoneRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1408,7 +1408,7 @@ message VerifyContactPhoneRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1442,7 +1442,7 @@ message ResendContactPhoneCodeRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1475,7 +1475,7 @@ message AddUsernameRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1507,7 +1507,7 @@ message RemoveUsernameRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1541,7 +1541,7 @@ message SetPasswordRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1567,7 +1567,7 @@ message RequestPasswordResetRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1606,7 +1606,7 @@ message StartWebAuthNRegistrationRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1645,7 +1645,7 @@ message VerifyWebAuthNRegistrationRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1680,7 +1680,7 @@ message CreateWebAuthNRegistrationLinkRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1713,7 +1713,7 @@ message RemoveWebAuthNAuthenticatorRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1747,7 +1747,7 @@ message StartTOTPRegistrationRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1789,7 +1789,7 @@ message VerifyTOTPRegistrationRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1833,7 +1833,7 @@ message RemoveTOTPAuthenticatorRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1867,7 +1867,7 @@ message AddOTPSMSAuthenticatorRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1906,7 +1906,7 @@ message VerifyOTPSMSRegistrationRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1950,7 +1950,7 @@ message RemoveOTPSMSAuthenticatorRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1984,7 +1984,7 @@ message AddOTPEmailAuthenticatorRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -2022,7 +2022,7 @@ message VerifyOTPEmailRegistrationRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -2066,7 +2066,7 @@ message RemoveOTPEmailAuthenticatorRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -2170,7 +2170,7 @@ message GetIdentityProviderIntentResponse {
   // and detailed / profile information.
   IDPInformation idp_information = 2;
   // If the user was already federated and linked to a ZITADEL user, it's id will be returned.
-  optional string user_id = 3 [
+  optional string id = 3 [
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
       example: "\"163840776835432345\"";
     }
@@ -2186,7 +2186,7 @@ message AddIDPAuthenticatorRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -2211,7 +2211,7 @@ message RemoveIDPAuthenticatorRequest {
   // Optionally expect the user to be in this organization.
   optional zitadel.object.v3alpha.Organization organization = 2;
   // unique identifier of the user.
-  string user_id = 3 [
+  string id = 3 [
     (validate.rules).string = {min_len: 1, max_len: 200},
     (google.api.field_behavior) = REQUIRED,
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {

From 77aa02a5216430bddc1da99a6596b328ea2befad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= <tim+github@zitadel.com>
Date: Tue, 17 Sep 2024 13:08:13 +0300
Subject: [PATCH 02/19] fix(projection): increase transaction duration (#8632)

# Which Problems Are Solved

Reduce the chance for projection dead-locks. Increasing or disabling the
projection transaction duration solved dead-locks in all reported cases.

# How the Problems Are Solved

Increase the default transaction duration to 1 minute.
Due to the high value it is functionally similar to disabling,
however it still provides a safety net for transaction that do freeze,
perhaps due to connection issues with the database.


# Additional Changes

- Integration test uses default.
- Technical advisory

# Additional Context

- Related to https://github.com/zitadel/zitadel/issues/8517

---------

Co-authored-by: Silvan <silvan.reusser@gmail.com>
---
 cmd/defaults.yaml                        |  5 +-
 docs/docs/support/advisory/a10012.md     | 60 ++++++++++++++++++++++++
 internal/integration/config/zitadel.yaml |  1 -
 3 files changed, 61 insertions(+), 5 deletions(-)
 create mode 100644 docs/docs/support/advisory/a10012.md

diff --git a/cmd/defaults.yaml b/cmd/defaults.yaml
index a81a1ff126..5da59fa0d0 100644
--- a/cmd/defaults.yaml
+++ b/cmd/defaults.yaml
@@ -231,7 +231,7 @@ Projections:
   # The maximum duration a transaction remains open
   # before it spots left folding additional events
   # and updates the table.
-  TransactionDuration: 500ms # ZITADEL_PROJECTIONS_TRANSACTIONDURATION
+  TransactionDuration: 1m # ZITADEL_PROJECTIONS_TRANSACTIONDURATION
   # Time interval between scheduled projections
   RequeueEvery: 60s # ZITADEL_PROJECTIONS_REQUEUEEVERY
   # Time between retried database statements resulting from projected events
@@ -246,10 +246,7 @@ Projections:
   HandleActiveInstances: 0s # ZITADEL_PROJECTIONS_HANDLEACTIVEINSTANCES
   # In the Customizations section, all settings from above can be overwritten for each specific projection
   Customizations:
-    Projects:
-      TransactionDuration: 2s
     custom_texts:
-      TransactionDuration: 2s
       BulkLimit: 400
     project_grant_fields:
       TransactionDuration: 0s
diff --git a/docs/docs/support/advisory/a10012.md b/docs/docs/support/advisory/a10012.md
new file mode 100644
index 0000000000..fd08a9afd6
--- /dev/null
+++ b/docs/docs/support/advisory/a10012.md
@@ -0,0 +1,60 @@
+---
+title: Technical Advisory 10012
+---
+
+## Date and Version
+
+Version: 2.63.0
+
+Date: 2024-09-26
+
+## Description
+
+In version 2.63.0 we've increased the transaction duration for projections.
+
+ZITADEL has an event driven architecture. After events are pushed to the eventstore,
+they are reduced into projections in bulk batches. Projections allow for efficient lookup of data through normalized SQL tables.
+
+We've investigated multiple reports of outdated projections.
+For example created users missing in get requests, or missing data after a ZITADEL upgrade[^1].
+The conclusion is that the transaction in which we perform a bulk of queries can timeout.
+The old setting defined a transaction duration of 500ms for a bulk of 200 events.
+A single event may create multiple statements in a single projection.
+A timeout may occur even if the actual bulk size is less than 200,
+which then results in more back-pressure on a busy system, leading to more timeouts and effectively dead-locking a projection.
+
+Increasing or disabling the projection transaction duration solved dead-locks in all reported cases.
+We've decided to increase the transaction duration to 1 minute.
+Due to the high value it is functionally similar to disabling,
+however it still provides a safety net for transaction that do freeze,
+perhaps due to connection issues with the database.
+
+[^1]: Changes written to the eventstore are the main source of truth. When a projection is out of date, some request may serve incomplete or no data. The data itself is however not lost.
+
+## Statement
+
+A summary of bug reports can be found in the following issue: [Missing data due to outdated projections](https://github.com/zitadel/zitadel/issues/8517).
+This change was submitted in the following PR:
+[fix(projection): increase transaction duration](https://github.com/zitadel/zitadel/pull/8632), which will be released in Version [2.63.0](https://github.com/zitadel/zitadel/releases/tag/v2.63.0)
+
+## Mitigation
+
+If you have a custom configuration for projections, this update will not apply to your system or some projections. When encountering projection dead-lock consider increasing the timeout to the new default value.
+
+Note that entries under `Customizations` overwrite the global settings for a single projection.
+
+```yaml
+Projections:
+  TransactionDuration: 1m # ZITADEL_PROJECTIONS_TRANSACTIONDURATION
+  BulkLimit: 200 # ZITADEL_PROJECTIONS_BULKLIMIT
+  Customizations:
+    custom_texts:
+      BulkLimit: 400
+    project_grant_fields:
+      TransactionDuration: 0s
+      BulkLimit: 2000
+```
+
+## Impact
+
+Once this update has been released and deployed, transactions are allowed to run longer. No other functional impact is expected.
diff --git a/internal/integration/config/zitadel.yaml b/internal/integration/config/zitadel.yaml
index 68e0b43f9c..6524b4806f 100644
--- a/internal/integration/config/zitadel.yaml
+++ b/internal/integration/config/zitadel.yaml
@@ -33,7 +33,6 @@ LogStore:
 Projections:
   HandleActiveInstances: 30m
   RequeueEvery: 5s
-  TransactionDuration: 1m
   Customizations:
     NotificationsQuotas:
       RequeueEvery: 1s

From d01bd1c51aa41ead46edc6760e18782f8e656d87 Mon Sep 17 00:00:00 2001
From: Livio Spring <livio.a@gmail.com>
Date: Tue, 17 Sep 2024 13:34:14 +0200
Subject: [PATCH 03/19] fix: correctly check app state on authentication
 (#8630)

# Which Problems Are Solved

In Zitadel, even after an organization is deactivated, associated
projects, respectively their applications remain active. Users across
other organizations can still log in and access through these
applications, leading to unauthorized access.
Additionally, if a project was deactivated access to applications was
also still possible.

# How the Problems Are Solved

- Correctly check the status of the organization and related project.
(Corresponding functions have been renamed to `Active...`)
---
 internal/api/oidc/client.go                   |  12 +-
 .../api/oidc/integration_test/client_test.go  |  12 +
 internal/api/oidc/introspect.go               |   2 +-
 internal/api/saml/storage.go                  |  10 +-
 internal/integration/oidc.go                  |  14 ++
 internal/query/app.go                         | 217 ++++++++++--------
 internal/query/app_test.go                    | 156 +++++++++++--
 internal/query/introspection.go               |   2 +-
 internal/query/introspection_client_by_id.sql |   5 +-
 internal/query/introspection_test.go          |   4 +-
 internal/query/oidc_client.go                 |   2 +-
 internal/query/oidc_client_by_id.sql          |   5 +-
 internal/query/oidc_client_test.go            |   4 +-
 13 files changed, 299 insertions(+), 146 deletions(-)

diff --git a/internal/api/oidc/client.go b/internal/api/oidc/client.go
index 41fe19cb4a..6bca54c671 100644
--- a/internal/api/oidc/client.go
+++ b/internal/api/oidc/client.go
@@ -50,13 +50,10 @@ func (o *OPStorage) GetClientByClientID(ctx context.Context, id string) (_ op.Cl
 		err = oidcError(err)
 		span.EndWithError(err)
 	}()
-	client, err := o.query.GetOIDCClientByID(ctx, id, false)
+	client, err := o.query.ActiveOIDCClientByID(ctx, id, false)
 	if err != nil {
 		return nil, err
 	}
-	if client.State != domain.AppStateActive {
-		return nil, zerrors.ThrowPreconditionFailed(nil, "OIDC-sdaGg", "client is not active")
-	}
 	return ClientFromBusiness(client, o.defaultLoginURL, o.defaultLoginURLV2), nil
 }
 
@@ -979,16 +976,13 @@ func (s *Server) VerifyClient(ctx context.Context, r *op.Request[op.ClientCreden
 	if err != nil {
 		return nil, err
 	}
-	client, err := s.query.GetOIDCClientByID(ctx, clientID, assertion)
+	client, err := s.query.ActiveOIDCClientByID(ctx, clientID, assertion)
 	if zerrors.IsNotFound(err) {
-		return nil, oidc.ErrInvalidClient().WithParent(err).WithReturnParentToClient(authz.GetFeatures(ctx).DebugOIDCParentError).WithDescription("client not found")
+		return nil, oidc.ErrInvalidClient().WithParent(err).WithReturnParentToClient(authz.GetFeatures(ctx).DebugOIDCParentError).WithDescription("no active client not found")
 	}
 	if err != nil {
 		return nil, err // defaults to server error
 	}
-	if client.State != domain.AppStateActive {
-		return nil, oidc.ErrInvalidClient().WithDescription("client is not active")
-	}
 	if client.Settings == nil {
 		client.Settings = &query.OIDCSettings{
 			AccessTokenLifetime: s.defaultAccessTokenLifetime,
diff --git a/internal/api/oidc/integration_test/client_test.go b/internal/api/oidc/integration_test/client_test.go
index 7e9f15ffac..1b9ccd5cb3 100644
--- a/internal/api/oidc/integration_test/client_test.go
+++ b/internal/api/oidc/integration_test/client_test.go
@@ -196,9 +196,13 @@ func TestServer_VerifyClient(t *testing.T) {
 	sessionID, sessionToken, startTime, changeTime := Instance.CreateVerifiedWebAuthNSession(t, CTXLOGIN, User.GetUserId())
 	project, err := Instance.CreateProject(CTX)
 	require.NoError(t, err)
+	projectInactive, err := Instance.CreateProject(CTX)
+	require.NoError(t, err)
 
 	inactiveClient, err := Instance.CreateOIDCInactivateClient(CTX, redirectURI, logoutRedirectURI, project.GetId())
 	require.NoError(t, err)
+	inactiveProjectClient, err := Instance.CreateOIDCInactivateProjectClient(CTX, redirectURI, logoutRedirectURI, projectInactive.GetId())
+	require.NoError(t, err)
 	nativeClient, err := Instance.CreateOIDCNativeClient(CTX, redirectURI, logoutRedirectURI, project.GetId(), false)
 	require.NoError(t, err)
 	basicWebClient, err := Instance.CreateOIDCWebClientBasic(CTX, redirectURI, logoutRedirectURI, project.GetId())
@@ -240,6 +244,14 @@ func TestServer_VerifyClient(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "client inactive (project) error",
+			client: clientDetails{
+				authReqClientID: nativeClient.GetClientId(),
+				clientID:        inactiveProjectClient.GetClientId(),
+			},
+			wantErr: true,
+		},
 		{
 			name: "native client success",
 			client: clientDetails{
diff --git a/internal/api/oidc/introspect.go b/internal/api/oidc/introspect.go
index 868676c1f1..c028013d6a 100644
--- a/internal/api/oidc/introspect.go
+++ b/internal/api/oidc/introspect.go
@@ -213,7 +213,7 @@ func (s *Server) clientFromCredentials(ctx context.Context, cc *op.ClientCredent
 	if err != nil {
 		return nil, err
 	}
-	client, err = s.query.GetIntrospectionClientByID(ctx, clientID, assertion)
+	client, err = s.query.ActiveIntrospectionClientByID(ctx, clientID, assertion)
 	if errors.Is(err, sql.ErrNoRows) {
 		return nil, oidc.ErrUnauthorizedClient().WithParent(err).WithReturnParentToClient(authz.GetFeatures(ctx).DebugOIDCParentError)
 	}
diff --git a/internal/api/saml/storage.go b/internal/api/saml/storage.go
index ca523398f7..8791619ba0 100644
--- a/internal/api/saml/storage.go
+++ b/internal/api/saml/storage.go
@@ -55,13 +55,10 @@ type Storage struct {
 }
 
 func (p *Storage) GetEntityByID(ctx context.Context, entityID string) (*serviceprovider.ServiceProvider, error) {
-	app, err := p.query.AppBySAMLEntityID(ctx, entityID)
+	app, err := p.query.ActiveAppBySAMLEntityID(ctx, entityID)
 	if err != nil {
 		return nil, err
 	}
-	if app.State != domain.AppStateActive {
-		return nil, zerrors.ThrowPreconditionFailed(nil, "SAML-sdaGg", "app is not active")
-	}
 	return serviceprovider.NewServiceProvider(
 		app.ID,
 		&serviceprovider.Config{
@@ -72,13 +69,10 @@ func (p *Storage) GetEntityByID(ctx context.Context, entityID string) (*servicep
 }
 
 func (p *Storage) GetEntityIDByAppID(ctx context.Context, appID string) (string, error) {
-	app, err := p.query.AppByID(ctx, appID)
+	app, err := p.query.AppByID(ctx, appID, true)
 	if err != nil {
 		return "", err
 	}
-	if app.State != domain.AppStateActive {
-		return "", zerrors.ThrowPreconditionFailed(nil, "SAML-sdaGg", "app is not active")
-	}
 	return app.SAMLConfig.EntityID, nil
 }
 
diff --git a/internal/integration/oidc.go b/internal/integration/oidc.go
index 9f394e2c2c..3afd262a35 100644
--- a/internal/integration/oidc.go
+++ b/internal/integration/oidc.go
@@ -107,6 +107,20 @@ func (i *Instance) CreateOIDCInactivateClient(ctx context.Context, redirectURI,
 	return client, err
 }
 
+func (i *Instance) CreateOIDCInactivateProjectClient(ctx context.Context, redirectURI, logoutRedirectURI, projectID string) (*management.AddOIDCAppResponse, error) {
+	client, err := i.CreateOIDCNativeClient(ctx, redirectURI, logoutRedirectURI, projectID, false)
+	if err != nil {
+		return nil, err
+	}
+	_, err = i.Client.Mgmt.DeactivateProject(ctx, &management.DeactivateProjectRequest{
+		Id: projectID,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return client, err
+}
+
 func (i *Instance) CreateOIDCImplicitFlowClient(ctx context.Context, redirectURI string) (*management.AddOIDCAppResponse, error) {
 	project, err := i.Client.Mgmt.AddProject(ctx, &management.AddProjectRequest{
 		Name: fmt.Sprintf("project-%d", time.Now().UnixNano()),
diff --git a/internal/query/app.go b/internal/query/app.go
index 7d69981dd4..b94cb9cdaf 100644
--- a/internal/query/app.go
+++ b/internal/query/app.go
@@ -256,7 +256,7 @@ func (q *Queries) AppByProjectAndAppID(ctx context.Context, shouldTriggerBulk bo
 		traceSpan.EndWithError(err)
 	}
 
-	stmt, scan := prepareAppQuery(ctx, q.client)
+	stmt, scan := prepareAppQuery(ctx, q.client, false)
 	eq := sq.Eq{
 		AppColumnID.identifier():         appID,
 		AppColumnProjectID.identifier():  projectID,
@@ -274,15 +274,20 @@ func (q *Queries) AppByProjectAndAppID(ctx context.Context, shouldTriggerBulk bo
 	return app, err
 }
 
-func (q *Queries) AppByID(ctx context.Context, appID string) (app *App, err error) {
+func (q *Queries) AppByID(ctx context.Context, appID string, activeOnly bool) (app *App, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 
-	stmt, scan := prepareAppQuery(ctx, q.client)
+	stmt, scan := prepareAppQuery(ctx, q.client, activeOnly)
 	eq := sq.Eq{
 		AppColumnID.identifier():         appID,
 		AppColumnInstanceID.identifier(): authz.GetInstance(ctx).InstanceID(),
 	}
+	if activeOnly {
+		eq[AppColumnState.identifier()] = domain.AppStateActive
+		eq[ProjectColumnState.identifier()] = domain.ProjectStateActive
+		eq[OrgColumnState.identifier()] = domain.OrgStateActive
+	}
 	query, args, err := stmt.Where(eq).ToSql()
 	if err != nil {
 		return nil, zerrors.ThrowInternal(err, "QUERY-immt9", "Errors.Query.SQLStatement")
@@ -295,7 +300,7 @@ func (q *Queries) AppByID(ctx context.Context, appID string) (app *App, err erro
 	return app, err
 }
 
-func (q *Queries) AppBySAMLEntityID(ctx context.Context, entityID string) (app *App, err error) {
+func (q *Queries) ActiveAppBySAMLEntityID(ctx context.Context, entityID string) (app *App, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 
@@ -303,6 +308,9 @@ func (q *Queries) AppBySAMLEntityID(ctx context.Context, entityID string) (app *
 	eq := sq.Eq{
 		AppSAMLConfigColumnEntityID.identifier(): entityID,
 		AppColumnInstanceID.identifier():         authz.GetInstance(ctx).InstanceID(),
+		AppColumnState.identifier():              domain.AppStateActive,
+		ProjectColumnState.identifier():          domain.ProjectStateActive,
+		OrgColumnState.identifier():              domain.OrgStateActive,
 	}
 	query, args, err := stmt.Where(eq).ToSql()
 	if err != nil {
@@ -413,8 +421,13 @@ func (q *Queries) AppByClientID(ctx context.Context, clientID string) (app *App,
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 
-	stmt, scan := prepareAppQuery(ctx, q.client)
-	eq := sq.Eq{AppColumnInstanceID.identifier(): authz.GetInstance(ctx).InstanceID()}
+	stmt, scan := prepareAppQuery(ctx, q.client, true)
+	eq := sq.Eq{
+		AppColumnInstanceID.identifier(): authz.GetInstance(ctx).InstanceID(),
+		AppColumnState.identifier():      domain.AppStateActive,
+		ProjectColumnState.identifier():  domain.ProjectStateActive,
+		OrgColumnState.identifier():      domain.OrgStateActive,
+	}
 	query, args, err := stmt.Where(sq.And{
 		eq,
 		sq.Or{
@@ -491,107 +504,121 @@ func NewAppProjectIDSearchQuery(id string) (SearchQuery, error) {
 	return NewTextQuery(AppColumnProjectID, id, TextEquals)
 }
 
-func prepareAppQuery(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Row) (*App, error)) {
-	return sq.Select(
-			AppColumnID.identifier(),
-			AppColumnName.identifier(),
-			AppColumnProjectID.identifier(),
-			AppColumnCreationDate.identifier(),
-			AppColumnChangeDate.identifier(),
-			AppColumnResourceOwner.identifier(),
-			AppColumnState.identifier(),
-			AppColumnSequence.identifier(),
+func prepareAppQuery(ctx context.Context, db prepareDatabase, activeOnly bool) (sq.SelectBuilder, func(*sql.Row) (*App, error)) {
+	query := sq.Select(
+		AppColumnID.identifier(),
+		AppColumnName.identifier(),
+		AppColumnProjectID.identifier(),
+		AppColumnCreationDate.identifier(),
+		AppColumnChangeDate.identifier(),
+		AppColumnResourceOwner.identifier(),
+		AppColumnState.identifier(),
+		AppColumnSequence.identifier(),
 
-			AppAPIConfigColumnAppID.identifier(),
-			AppAPIConfigColumnClientID.identifier(),
-			AppAPIConfigColumnAuthMethod.identifier(),
+		AppAPIConfigColumnAppID.identifier(),
+		AppAPIConfigColumnClientID.identifier(),
+		AppAPIConfigColumnAuthMethod.identifier(),
 
-			AppOIDCConfigColumnAppID.identifier(),
-			AppOIDCConfigColumnVersion.identifier(),
-			AppOIDCConfigColumnClientID.identifier(),
-			AppOIDCConfigColumnRedirectUris.identifier(),
-			AppOIDCConfigColumnResponseTypes.identifier(),
-			AppOIDCConfigColumnGrantTypes.identifier(),
-			AppOIDCConfigColumnApplicationType.identifier(),
-			AppOIDCConfigColumnAuthMethodType.identifier(),
-			AppOIDCConfigColumnPostLogoutRedirectUris.identifier(),
-			AppOIDCConfigColumnDevMode.identifier(),
-			AppOIDCConfigColumnAccessTokenType.identifier(),
-			AppOIDCConfigColumnAccessTokenRoleAssertion.identifier(),
-			AppOIDCConfigColumnIDTokenRoleAssertion.identifier(),
-			AppOIDCConfigColumnIDTokenUserinfoAssertion.identifier(),
-			AppOIDCConfigColumnClockSkew.identifier(),
-			AppOIDCConfigColumnAdditionalOrigins.identifier(),
-			AppOIDCConfigColumnSkipNativeAppSuccessPage.identifier(),
+		AppOIDCConfigColumnAppID.identifier(),
+		AppOIDCConfigColumnVersion.identifier(),
+		AppOIDCConfigColumnClientID.identifier(),
+		AppOIDCConfigColumnRedirectUris.identifier(),
+		AppOIDCConfigColumnResponseTypes.identifier(),
+		AppOIDCConfigColumnGrantTypes.identifier(),
+		AppOIDCConfigColumnApplicationType.identifier(),
+		AppOIDCConfigColumnAuthMethodType.identifier(),
+		AppOIDCConfigColumnPostLogoutRedirectUris.identifier(),
+		AppOIDCConfigColumnDevMode.identifier(),
+		AppOIDCConfigColumnAccessTokenType.identifier(),
+		AppOIDCConfigColumnAccessTokenRoleAssertion.identifier(),
+		AppOIDCConfigColumnIDTokenRoleAssertion.identifier(),
+		AppOIDCConfigColumnIDTokenUserinfoAssertion.identifier(),
+		AppOIDCConfigColumnClockSkew.identifier(),
+		AppOIDCConfigColumnAdditionalOrigins.identifier(),
+		AppOIDCConfigColumnSkipNativeAppSuccessPage.identifier(),
 
-			AppSAMLConfigColumnAppID.identifier(),
-			AppSAMLConfigColumnEntityID.identifier(),
-			AppSAMLConfigColumnMetadata.identifier(),
-			AppSAMLConfigColumnMetadataURL.identifier(),
-		).From(appsTable.identifier()).
+		AppSAMLConfigColumnAppID.identifier(),
+		AppSAMLConfigColumnEntityID.identifier(),
+		AppSAMLConfigColumnMetadata.identifier(),
+		AppSAMLConfigColumnMetadataURL.identifier(),
+	).From(appsTable.identifier()).
+		PlaceholderFormat(sq.Dollar)
+
+	if activeOnly {
+		return query.
+				LeftJoin(join(AppAPIConfigColumnAppID, AppColumnID)).
+				LeftJoin(join(AppOIDCConfigColumnAppID, AppColumnID)).
+				LeftJoin(join(AppSAMLConfigColumnAppID, AppColumnID)).
+				LeftJoin(join(ProjectColumnID, AppColumnProjectID)).
+				LeftJoin(join(OrgColumnID, AppColumnResourceOwner) + db.Timetravel(call.Took(ctx))),
+			scanApp
+	}
+	return query.
 			LeftJoin(join(AppAPIConfigColumnAppID, AppColumnID)).
 			LeftJoin(join(AppOIDCConfigColumnAppID, AppColumnID)).
-			LeftJoin(join(AppSAMLConfigColumnAppID, AppColumnID) + db.Timetravel(call.Took(ctx))).
-			PlaceholderFormat(sq.Dollar), func(row *sql.Row) (*App, error) {
-			app := new(App)
+			LeftJoin(join(AppSAMLConfigColumnAppID, AppColumnID) + db.Timetravel(call.Took(ctx))),
+		scanApp
+}
 
-			var (
-				apiConfig  = sqlAPIConfig{}
-				oidcConfig = sqlOIDCConfig{}
-				samlConfig = sqlSAMLConfig{}
-			)
+func scanApp(row *sql.Row) (*App, error) {
+	app := new(App)
 
-			err := row.Scan(
-				&app.ID,
-				&app.Name,
-				&app.ProjectID,
-				&app.CreationDate,
-				&app.ChangeDate,
-				&app.ResourceOwner,
-				&app.State,
-				&app.Sequence,
+	var (
+		apiConfig  = sqlAPIConfig{}
+		oidcConfig = sqlOIDCConfig{}
+		samlConfig = sqlSAMLConfig{}
+	)
 
-				&apiConfig.appID,
-				&apiConfig.clientID,
-				&apiConfig.authMethod,
+	err := row.Scan(
+		&app.ID,
+		&app.Name,
+		&app.ProjectID,
+		&app.CreationDate,
+		&app.ChangeDate,
+		&app.ResourceOwner,
+		&app.State,
+		&app.Sequence,
 
-				&oidcConfig.appID,
-				&oidcConfig.version,
-				&oidcConfig.clientID,
-				&oidcConfig.redirectUris,
-				&oidcConfig.responseTypes,
-				&oidcConfig.grantTypes,
-				&oidcConfig.applicationType,
-				&oidcConfig.authMethodType,
-				&oidcConfig.postLogoutRedirectUris,
-				&oidcConfig.devMode,
-				&oidcConfig.accessTokenType,
-				&oidcConfig.accessTokenRoleAssertion,
-				&oidcConfig.iDTokenRoleAssertion,
-				&oidcConfig.iDTokenUserinfoAssertion,
-				&oidcConfig.clockSkew,
-				&oidcConfig.additionalOrigins,
-				&oidcConfig.skipNativeAppSuccessPage,
+		&apiConfig.appID,
+		&apiConfig.clientID,
+		&apiConfig.authMethod,
 
-				&samlConfig.appID,
-				&samlConfig.entityID,
-				&samlConfig.metadata,
-				&samlConfig.metadataURL,
-			)
+		&oidcConfig.appID,
+		&oidcConfig.version,
+		&oidcConfig.clientID,
+		&oidcConfig.redirectUris,
+		&oidcConfig.responseTypes,
+		&oidcConfig.grantTypes,
+		&oidcConfig.applicationType,
+		&oidcConfig.authMethodType,
+		&oidcConfig.postLogoutRedirectUris,
+		&oidcConfig.devMode,
+		&oidcConfig.accessTokenType,
+		&oidcConfig.accessTokenRoleAssertion,
+		&oidcConfig.iDTokenRoleAssertion,
+		&oidcConfig.iDTokenUserinfoAssertion,
+		&oidcConfig.clockSkew,
+		&oidcConfig.additionalOrigins,
+		&oidcConfig.skipNativeAppSuccessPage,
 
-			if err != nil {
-				if errors.Is(err, sql.ErrNoRows) {
-					return nil, zerrors.ThrowNotFound(err, "QUERY-pCP8P", "Errors.App.NotExisting")
-				}
-				return nil, zerrors.ThrowInternal(err, "QUERY-4SJlx", "Errors.Internal")
-			}
+		&samlConfig.appID,
+		&samlConfig.entityID,
+		&samlConfig.metadata,
+		&samlConfig.metadataURL,
+	)
 
-			apiConfig.set(app)
-			oidcConfig.set(app)
-			samlConfig.set(app)
-
-			return app, nil
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return nil, zerrors.ThrowNotFound(err, "QUERY-pCP8P", "Errors.App.NotExisting")
 		}
+		return nil, zerrors.ThrowInternal(err, "QUERY-4SJlx", "Errors.Internal")
+	}
+
+	apiConfig.set(app)
+	oidcConfig.set(app)
+	samlConfig.set(app)
+
+	return app, nil
 }
 
 func prepareOIDCAppQuery() (sq.SelectBuilder, func(*sql.Row) (*App, error)) {
@@ -690,6 +717,8 @@ func prepareSAMLAppQuery(ctx context.Context, db prepareDatabase) (sq.SelectBuil
 			AppSAMLConfigColumnMetadataURL.identifier(),
 		).From(appsTable.identifier()).
 			Join(join(AppSAMLConfigColumnAppID, AppColumnID)).
+			Join(join(ProjectColumnID, AppColumnProjectID)).
+			Join(join(OrgColumnID, AppColumnResourceOwner)).
 			PlaceholderFormat(sq.Dollar), func(row *sql.Row) (*App, error) {
 
 			app := new(App)
diff --git a/internal/query/app_test.go b/internal/query/app_test.go
index 3ccec2e4c8..9a9c613868 100644
--- a/internal/query/app_test.go
+++ b/internal/query/app_test.go
@@ -1,6 +1,7 @@
 package query
 
 import (
+	"context"
 	"database/sql"
 	"database/sql/driver"
 	"errors"
@@ -9,13 +10,15 @@ import (
 	"testing"
 	"time"
 
+	sq "github.com/Masterminds/squirrel"
+
 	"github.com/zitadel/zitadel/internal/database"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )
 
 var (
-	expectedAppQuery = regexp.QuoteMeta(`SELECT projections.apps7.id,` +
+	expectedAppQueryBase = `SELECT projections.apps7.id,` +
 		` projections.apps7.name,` +
 		` projections.apps7.project_id,` +
 		` projections.apps7.creation_date,` +
@@ -53,8 +56,11 @@ var (
 		` FROM projections.apps7` +
 		` LEFT JOIN projections.apps7_api_configs ON projections.apps7.id = projections.apps7_api_configs.app_id AND projections.apps7.instance_id = projections.apps7_api_configs.instance_id` +
 		` LEFT JOIN projections.apps7_oidc_configs ON projections.apps7.id = projections.apps7_oidc_configs.app_id AND projections.apps7.instance_id = projections.apps7_oidc_configs.instance_id` +
-		` LEFT JOIN projections.apps7_saml_configs ON projections.apps7.id = projections.apps7_saml_configs.app_id AND projections.apps7.instance_id = projections.apps7_saml_configs.instance_id` +
-		` AS OF SYSTEM TIME '-1 ms'`)
+		` LEFT JOIN projections.apps7_saml_configs ON projections.apps7.id = projections.apps7_saml_configs.app_id AND projections.apps7.instance_id = projections.apps7_saml_configs.instance_id`
+	expectedAppQuery       = regexp.QuoteMeta(expectedAppQueryBase)
+	expectedActiveAppQuery = regexp.QuoteMeta(expectedAppQueryBase +
+		` LEFT JOIN projections.projects4 ON projections.apps7.project_id = projections.projects4.id AND projections.apps7.instance_id = projections.projects4.instance_id` +
+		` LEFT JOIN projections.orgs1 ON projections.apps7.resource_owner = projections.orgs1.id AND projections.apps7.instance_id = projections.orgs1.instance_id`)
 	expectedAppsQuery = regexp.QuoteMeta(`SELECT projections.apps7.id,` +
 		` projections.apps7.name,` +
 		` projections.apps7.project_id,` +
@@ -1140,8 +1146,10 @@ func Test_AppPrepare(t *testing.T) {
 		object  interface{}
 	}{
 		{
-			name:    "prepareAppQuery no result",
-			prepare: prepareAppQuery,
+			name: "prepareAppQuery no result",
+			prepare: func(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Row) (*App, error)) {
+				return prepareAppQuery(ctx, db, false)
+			},
 			want: want{
 				sqlExpectations: mockQueriesScanErr(
 					expectedAppQuery,
@@ -1158,8 +1166,10 @@ func Test_AppPrepare(t *testing.T) {
 			object: (*App)(nil),
 		},
 		{
-			name:    "prepareAppQuery found",
-			prepare: prepareAppQuery,
+			name: "prepareAppQuery found",
+			prepare: func(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Row) (*App, error)) {
+				return prepareAppQuery(ctx, db, false)
+			},
 			want: want{
 				sqlExpectations: mockQuery(
 					expectedAppQuery,
@@ -1215,8 +1225,10 @@ func Test_AppPrepare(t *testing.T) {
 			},
 		},
 		{
-			name:    "prepareAppQuery api app",
-			prepare: prepareAppQuery,
+			name: "prepareAppQuery api app",
+			prepare: func(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Row) (*App, error)) {
+				return prepareAppQuery(ctx, db, false)
+			},
 			want: want{
 				sqlExpectations: mockQueries(
 					expectedAppQuery,
@@ -1278,8 +1290,10 @@ func Test_AppPrepare(t *testing.T) {
 			},
 		},
 		{
-			name:    "prepareAppQuery oidc app",
-			prepare: prepareAppQuery,
+			name: "prepareAppQuery oidc app",
+			prepare: func(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Row) (*App, error)) {
+				return prepareAppQuery(ctx, db, false)
+			},
 			want: want{
 				sqlExpectations: mockQueries(
 					expectedAppQuery,
@@ -1355,9 +1369,93 @@ func Test_AppPrepare(t *testing.T) {
 					SkipNativeAppSuccessPage: false,
 				},
 			},
-		}, {
-			name:    "prepareAppQuery saml app",
-			prepare: prepareAppQuery,
+		},
+		{
+			name: "prepareAppQuery oidc app active only",
+			prepare: func(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Row) (*App, error)) {
+				return prepareAppQuery(ctx, db, true)
+			},
+			want: want{
+				sqlExpectations: mockQueries(
+					expectedActiveAppQuery,
+					appCols,
+					[][]driver.Value{
+						{
+							"app-id",
+							"app-name",
+							"project-id",
+							testNow,
+							testNow,
+							"ro",
+							domain.AppStateActive,
+							uint64(20211109),
+							// api config
+							nil,
+							nil,
+							nil,
+							// oidc config
+							"app-id",
+							domain.OIDCVersionV1,
+							"oidc-client-id",
+							database.TextArray[string]{"https://redirect.to/me"},
+							database.NumberArray[domain.OIDCResponseType]{domain.OIDCResponseTypeIDTokenToken},
+							database.NumberArray[domain.OIDCGrantType]{domain.OIDCGrantTypeImplicit},
+							domain.OIDCApplicationTypeUserAgent,
+							domain.OIDCAuthMethodTypeNone,
+							database.TextArray[string]{"post.logout.ch"},
+							true,
+							domain.OIDCTokenTypeJWT,
+							true,
+							true,
+							true,
+							1 * time.Second,
+							database.TextArray[string]{"additional.origin"},
+							false,
+							// saml config
+							nil,
+							nil,
+							nil,
+							nil,
+						},
+					},
+				),
+			},
+			object: &App{
+				ID:            "app-id",
+				CreationDate:  testNow,
+				ChangeDate:    testNow,
+				ResourceOwner: "ro",
+				State:         domain.AppStateActive,
+				Sequence:      20211109,
+				Name:          "app-name",
+				ProjectID:     "project-id",
+				OIDCConfig: &OIDCApp{
+					Version:                  domain.OIDCVersionV1,
+					ClientID:                 "oidc-client-id",
+					RedirectURIs:             database.TextArray[string]{"https://redirect.to/me"},
+					ResponseTypes:            database.NumberArray[domain.OIDCResponseType]{domain.OIDCResponseTypeIDTokenToken},
+					GrantTypes:               database.NumberArray[domain.OIDCGrantType]{domain.OIDCGrantTypeImplicit},
+					AppType:                  domain.OIDCApplicationTypeUserAgent,
+					AuthMethodType:           domain.OIDCAuthMethodTypeNone,
+					PostLogoutRedirectURIs:   database.TextArray[string]{"post.logout.ch"},
+					IsDevMode:                true,
+					AccessTokenType:          domain.OIDCTokenTypeJWT,
+					AssertAccessTokenRole:    true,
+					AssertIDTokenRole:        true,
+					AssertIDTokenUserinfo:    true,
+					ClockSkew:                1 * time.Second,
+					AdditionalOrigins:        database.TextArray[string]{"additional.origin"},
+					ComplianceProblems:       nil,
+					AllowedOrigins:           database.TextArray[string]{"https://redirect.to", "additional.origin"},
+					SkipNativeAppSuccessPage: false,
+				},
+			},
+		},
+		{
+			name: "prepareAppQuery saml app",
+			prepare: func(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Row) (*App, error)) {
+				return prepareAppQuery(ctx, db, false)
+			},
 			want: want{
 				sqlExpectations: mockQueries(
 					expectedAppQuery,
@@ -1420,8 +1518,10 @@ func Test_AppPrepare(t *testing.T) {
 			},
 		},
 		{
-			name:    "prepareAppQuery oidc app IsDevMode inactive",
-			prepare: prepareAppQuery,
+			name: "prepareAppQuery oidc app IsDevMode inactive",
+			prepare: func(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Row) (*App, error)) {
+				return prepareAppQuery(ctx, db, false)
+			},
 			want: want{
 				sqlExpectations: mockQueries(
 					expectedAppQuery,
@@ -1499,8 +1599,10 @@ func Test_AppPrepare(t *testing.T) {
 			},
 		},
 		{
-			name:    "prepareAppQuery oidc app AssertAccessTokenRole inactive",
-			prepare: prepareAppQuery,
+			name: "prepareAppQuery oidc app AssertAccessTokenRole inactive",
+			prepare: func(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Row) (*App, error)) {
+				return prepareAppQuery(ctx, db, false)
+			},
 			want: want{
 				sqlExpectations: mockQueries(
 					expectedAppQuery,
@@ -1578,8 +1680,10 @@ func Test_AppPrepare(t *testing.T) {
 			},
 		},
 		{
-			name:    "prepareAppQuery oidc app AssertIDTokenRole inactive",
-			prepare: prepareAppQuery,
+			name: "prepareAppQuery oidc app AssertIDTokenRole inactive",
+			prepare: func(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Row) (*App, error)) {
+				return prepareAppQuery(ctx, db, false)
+			},
 			want: want{
 				sqlExpectations: mockQueries(
 					expectedAppQuery,
@@ -1657,8 +1761,10 @@ func Test_AppPrepare(t *testing.T) {
 			},
 		},
 		{
-			name:    "prepareAppQuery oidc app AssertIDTokenUserinfo inactive",
-			prepare: prepareAppQuery,
+			name: "prepareAppQuery oidc app AssertIDTokenUserinfo inactive",
+			prepare: func(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Row) (*App, error)) {
+				return prepareAppQuery(ctx, db, false)
+			},
 			want: want{
 				sqlExpectations: mockQueries(
 					expectedAppQuery,
@@ -1736,8 +1842,10 @@ func Test_AppPrepare(t *testing.T) {
 			},
 		},
 		{
-			name:    "prepareAppQuery sql err",
-			prepare: prepareAppQuery,
+			name: "prepareAppQuery sql err",
+			prepare: func(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Row) (*App, error)) {
+				return prepareAppQuery(ctx, db, false)
+			},
 			want: want{
 				sqlExpectations: mockQueryErr(
 					expectedAppQuery,
diff --git a/internal/query/introspection.go b/internal/query/introspection.go
index a7fdaab718..ee96bf576b 100644
--- a/internal/query/introspection.go
+++ b/internal/query/introspection.go
@@ -52,7 +52,7 @@ type IntrospectionClient struct {
 //go:embed introspection_client_by_id.sql
 var introspectionClientByIDQuery string
 
-func (q *Queries) GetIntrospectionClientByID(ctx context.Context, clientID string, getKeys bool) (_ *IntrospectionClient, err error) {
+func (q *Queries) ActiveIntrospectionClientByID(ctx context.Context, clientID string, getKeys bool) (_ *IntrospectionClient, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 
diff --git a/internal/query/introspection_client_by_id.sql b/internal/query/introspection_client_by_id.sql
index 5129d99a70..1cc6baf9ad 100644
--- a/internal/query/introspection_client_by_id.sql
+++ b/internal/query/introspection_client_by_id.sql
@@ -20,6 +20,7 @@ keys as (
 )
 select config.app_id, config.client_id, config.client_secret, config.app_type, apps.project_id, apps.resource_owner, p.project_role_assertion, keys.public_keys
 from config
-join projections.apps7 apps on apps.id = config.app_id and apps.instance_id = config.instance_id
-join projections.projects4 p on p.id = apps.project_id and p.instance_id = $1
+join projections.apps7 apps on apps.id = config.app_id and apps.instance_id = config.instance_id and apps.state = 1
+join projections.projects4 p on p.id = apps.project_id and p.instance_id = $1 and p.state = 1
+join projections.orgs1 o on o.id = p.resource_owner and o.instance_id = config.instance_id and o.org_state = 1
 left join keys on keys.client_id = config.client_id;
diff --git a/internal/query/introspection_test.go b/internal/query/introspection_test.go
index 6535bd1639..4346842bf9 100644
--- a/internal/query/introspection_test.go
+++ b/internal/query/introspection_test.go
@@ -14,7 +14,7 @@ import (
 	"github.com/zitadel/zitadel/internal/database"
 )
 
-func TestQueries_GetIntrospectionClientByID(t *testing.T) {
+func TestQueries_ActiveIntrospectionClientByID(t *testing.T) {
 	pubkeys := database.Map[[]byte]{
 		"key1": {1, 2, 3},
 		"key2": {4, 5, 6},
@@ -96,7 +96,7 @@ func TestQueries_GetIntrospectionClientByID(t *testing.T) {
 					},
 				}
 				ctx := authz.NewMockContext("instanceID", "orgID", "userID")
-				got, err := q.GetIntrospectionClientByID(ctx, tt.args.clientID, tt.args.getKeys)
+				got, err := q.ActiveIntrospectionClientByID(ctx, tt.args.clientID, tt.args.getKeys)
 				require.ErrorIs(t, err, tt.wantErr)
 				assert.Equal(t, tt.want, got)
 			})
diff --git a/internal/query/oidc_client.go b/internal/query/oidc_client.go
index d4364248bb..89d74d4ff8 100644
--- a/internal/query/oidc_client.go
+++ b/internal/query/oidc_client.go
@@ -45,7 +45,7 @@ type OIDCClient struct {
 //go:embed oidc_client_by_id.sql
 var oidcClientQuery string
 
-func (q *Queries) GetOIDCClientByID(ctx context.Context, clientID string, getKeys bool) (client *OIDCClient, err error) {
+func (q *Queries) ActiveOIDCClientByID(ctx context.Context, clientID string, getKeys bool) (client *OIDCClient, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 
diff --git a/internal/query/oidc_client_by_id.sql b/internal/query/oidc_client_by_id.sql
index 3a0a0a0c95..ef471387b3 100644
--- a/internal/query/oidc_client_by_id.sql
+++ b/internal/query/oidc_client_by_id.sql
@@ -5,8 +5,9 @@ with client as (
 		c.access_token_type, c.access_token_role_assertion, c.id_token_role_assertion,
 		c.id_token_userinfo_assertion, c.clock_skew, c.additional_origins, a.project_id, p.project_role_assertion
 	from projections.apps7_oidc_configs c
-	join projections.apps7 a on a.id = c.app_id and a.instance_id = c.instance_id
-	join projections.projects4 p on p.id = a.project_id and p.instance_id = a.instance_id
+	join projections.apps7 a on a.id = c.app_id and a.instance_id = c.instance_id and a.state = 1
+	join projections.projects4 p on p.id = a.project_id and p.instance_id = a.instance_id and p.state = 1
+    join projections.orgs1 o on o.id = p.resource_owner and o.instance_id = c.instance_id and o.org_state = 1
 	where c.instance_id = $1
 		and c.client_id = $2
 ),
diff --git a/internal/query/oidc_client_test.go b/internal/query/oidc_client_test.go
index 357c34f4e4..bb0890bff3 100644
--- a/internal/query/oidc_client_test.go
+++ b/internal/query/oidc_client_test.go
@@ -29,7 +29,7 @@ var (
 	testdataOidcClientNoSettings string
 )
 
-func TestQueries_GetOIDCClientByID(t *testing.T) {
+func TestQueries_ActiveOIDCClientByID(t *testing.T) {
 	expQuery := regexp.QuoteMeta(oidcClientQuery)
 	cols := []string{"client"}
 	pubkey := `-----BEGIN RSA PUBLIC KEY-----
@@ -232,7 +232,7 @@ low2kyJov38V4Uk2I8kuXpLcnrpw5Tio2ooiUE27b0vHZqBKOei9Uo88qCrn3EKx
 					},
 				}
 				ctx := authz.NewMockContext("instanceID", "orgID", "loginClient")
-				got, err := q.GetOIDCClientByID(ctx, "clientID", true)
+				got, err := q.ActiveOIDCClientByID(ctx, "clientID", true)
 				require.ErrorIs(t, err, tt.wantErr)
 				assert.Equal(t, tt.want, got)
 			})

From 4ac722d9341888ac3e66a30a475550f6a1600308 Mon Sep 17 00:00:00 2001
From: Stefan Benz <46600784+stebenz@users.noreply.github.com>
Date: Tue, 17 Sep 2024 13:53:43 +0200
Subject: [PATCH 04/19] fix: use body for update user on user v2 API (#8635)

Use body for update user endpoint on user v2 API.
---
 proto/zitadel/user/v2/user_service.proto | 1 +
 1 file changed, 1 insertion(+)

diff --git a/proto/zitadel/user/v2/user_service.proto b/proto/zitadel/user/v2/user_service.proto
index 9b82bfe297..20d3b65b67 100644
--- a/proto/zitadel/user/v2/user_service.proto
+++ b/proto/zitadel/user/v2/user_service.proto
@@ -385,6 +385,7 @@ service UserService {
   rpc UpdateHumanUser(UpdateHumanUserRequest) returns (UpdateHumanUserResponse) {
     option (google.api.http) = {
       put: "/v2/users/human/{user_id}"
+      body: "*"
     };
 
     option (zitadel.protoc_gen_zitadel.v2.options) = {

From ca1914e235df8eb62189cec07eb0de2cdad29629 Mon Sep 17 00:00:00 2001
From: Livio Spring <livio.a@gmail.com>
Date: Tue, 17 Sep 2024 14:18:29 +0200
Subject: [PATCH 05/19] fix: user grants deactivation (#8634)

# Which Problems Are Solved

ZITADEL's user grants deactivation mechanism did not work correctly.
Deactivated user grants were still provided in token, which could lead
to unauthorized access to applications and resources.
Additionally, the management and auth API always returned the state as
active or did not provide any information about the state.

# How the Problems Are Solved

- Correctly check the user grant state on active for tokens and user
information (userinfo, introspection, saml attributes)
- Map state in API and display in Console
---
 .../user-grants/user-grants.component.html      | 17 ++++++++++++++++-
 .../user-grants/user-grants.component.ts        | 10 +++++++++-
 .../src/app/pages/grants/grants.component.html  |  1 +
 .../granted-project-detail.component.html       | 11 ++++++++++-
 .../owned-project-detail.component.html         |  2 +-
 .../auth-user-detail.component.html             | 11 ++++++++++-
 .../user-detail/user-detail.component.html      |  2 +-
 internal/api/grpc/auth/user_grant.go            |  1 +
 internal/api/grpc/user/user_grant.go            | 17 ++++++++++++++++-
 internal/api/oidc/client.go                     | 13 +++++++++----
 internal/api/saml/storage.go                    |  5 +++++
 .../auth/repository/eventsourcing/repository.go |  7 ++++++-
 internal/query/user_grant.go                    |  4 ++++
 internal/query/userinfo_by_id.sql               |  1 +
 proto/zitadel/auth.proto                        |  5 +++++
 15 files changed, 95 insertions(+), 12 deletions(-)

diff --git a/console/src/app/modules/user-grants/user-grants.component.html b/console/src/app/modules/user-grants/user-grants.component.html
index efca9f74ec..82de67c8bb 100644
--- a/console/src/app/modules/user-grants/user-grants.component.html
+++ b/console/src/app/modules/user-grants/user-grants.component.html
@@ -154,10 +154,25 @@
         </td>
       </ng-container>
 
+      <ng-container matColumnDef="state">
+        <th mat-header-cell *matHeaderCellDef>{{ 'PROJECT.GRANT.STATE' | translate }}</th>
+        <td mat-cell *matCellDef="let grant">
+          <span
+            class="state"
+            [ngClass]="{
+              active: grant.state === UserGrantState.USER_GRANT_STATE_ACTIVE,
+              inactive: grant.state === UserGrantState.USER_GRANT_STATE_INACTIVE,
+            }"
+          >
+            {{ 'USER.DATA.STATE' + grant.state | translate }}
+          </span>
+        </td>
+      </ng-container>
+
       <ng-container matColumnDef="actions" stickyEnd>
         <th mat-header-cell *matHeaderCellDef class="user-tr-actions"></th>
         <td mat-cell class="user-tr-actions" *matCellDef="let grant; let i = index">
-          <cnsl-table-actions [hasActions]="true">
+          <cnsl-table-actions [hasActions]="!context.includes('user')">
             <button
               actions
               matTooltip="{{ 'ACTIONS.REMOVE' | translate }}"
diff --git a/console/src/app/modules/user-grants/user-grants.component.ts b/console/src/app/modules/user-grants/user-grants.component.ts
index a25055d336..dac0844e24 100644
--- a/console/src/app/modules/user-grants/user-grants.component.ts
+++ b/console/src/app/modules/user-grants/user-grants.component.ts
@@ -8,7 +8,13 @@ import { tap } from 'rxjs/operators';
 import { enterAnimations } from 'src/app/animations';
 import { UserGrant as AuthUserGrant } from 'src/app/proto/generated/zitadel/auth_pb';
 import { Role } from 'src/app/proto/generated/zitadel/project_pb';
-import { Type, UserGrant as MgmtUserGrant, UserGrantQuery, UserGrant } from 'src/app/proto/generated/zitadel/user_pb';
+import {
+  Type,
+  UserGrant as MgmtUserGrant,
+  UserGrant,
+  UserGrantQuery,
+  UserGrantState,
+} from 'src/app/proto/generated/zitadel/user_pb';
 import { GrpcAuthService } from 'src/app/services/grpc-auth.service';
 import { ManagementService } from 'src/app/services/mgmt.service';
 import { ToastService } from 'src/app/services/toast.service';
@@ -66,6 +72,7 @@ export class UserGrantsComponent implements OnInit, AfterViewInit {
   public UserGrantContext: any = UserGrantContext;
   public Type: any = Type;
   public ActionKeysType: any = ActionKeysType;
+  public UserGrantState: any = UserGrantState;
   @Input() public type: Type | undefined = undefined;
 
   public filterOpen: boolean = false;
@@ -86,6 +93,7 @@ export class UserGrantsComponent implements OnInit, AfterViewInit {
     'type',
     'creationDate',
     'changeDate',
+    'state',
     'roleNamesList',
     'actions',
   ];
diff --git a/console/src/app/pages/grants/grants.component.html b/console/src/app/pages/grants/grants.component.html
index 5eef251b5f..2a26ccaee0 100644
--- a/console/src/app/pages/grants/grants.component.html
+++ b/console/src/app/pages/grants/grants.component.html
@@ -17,6 +17,7 @@
         'type',
         'creationDate',
         'changeDate',
+        'state',
         'roleNamesList',
         'actions',
       ]"
diff --git a/console/src/app/pages/projects/granted-projects/granted-project-detail/granted-project-detail.component.html b/console/src/app/pages/projects/granted-projects/granted-project-detail/granted-project-detail.component.html
index 17a41cce91..67fbdfddc7 100644
--- a/console/src/app/pages/projects/granted-projects/granted-project-detail/granted-project-detail.component.html
+++ b/console/src/app/pages/projects/granted-projects/granted-project-detail/granted-project-detail.component.html
@@ -42,7 +42,16 @@
           [context]="UserGrantContext.GRANTED_PROJECT"
           [projectId]="projectId"
           [grantId]="grantId"
-          [displayedColumns]="['select', 'user', 'projectId', 'creationDate', 'changeDate', 'roleNamesList', 'actions']"
+          [displayedColumns]="[
+            'select',
+            'user',
+            'projectId',
+            'creationDate',
+            'changeDate',
+            'state',
+            'roleNamesList',
+            'actions',
+          ]"
           [disableWrite]="(['user.grant.write$', 'user.grant.write:' + grantId] | hasRole | async) === false"
           [disableDelete]="(['user.grant.delete$', 'user.grant.delete:' + grantId] | hasRole | async) === false"
           [refreshOnPreviousRoutes]="['/grant-create/project/{{projectId}}/grant/{{grantId}}']"
diff --git a/console/src/app/pages/projects/owned-projects/owned-project-detail/owned-project-detail.component.html b/console/src/app/pages/projects/owned-projects/owned-project-detail/owned-project-detail.component.html
index 740c9532d7..a6941d62c4 100644
--- a/console/src/app/pages/projects/owned-projects/owned-project-detail/owned-project-detail.component.html
+++ b/console/src/app/pages/projects/owned-projects/owned-project-detail/owned-project-detail.component.html
@@ -187,7 +187,7 @@
         <cnsl-user-grants
           [context]="UserGrantContext.OWNED_PROJECT"
           [projectId]="projectId"
-          [displayedColumns]="['select', 'user', 'creationDate', 'changeDate', 'roleNamesList', 'actions']"
+          [displayedColumns]="['select', 'user', 'creationDate', 'changeDate', 'state', 'roleNamesList', 'actions']"
           [refreshOnPreviousRoutes]="['/grant-create/project/' + projectId]"
           [disableWrite]="(['user.grant.write$', 'user.grant.write:' + projectId] | hasRole | async) === false"
           [disableDelete]="(['user.grant.delete$', 'user.grant.delete:' + projectId] | hasRole | async) === false"
diff --git a/console/src/app/pages/users/user-detail/auth-user-detail/auth-user-detail.component.html b/console/src/app/pages/users/user-detail/auth-user-detail/auth-user-detail.component.html
index a5d58cc06f..ce18e55e4a 100644
--- a/console/src/app/pages/users/user-detail/auth-user-detail/auth-user-detail.component.html
+++ b/console/src/app/pages/users/user-detail/auth-user-detail/auth-user-detail.component.html
@@ -136,7 +136,16 @@
           <cnsl-user-grants
             [userId]="user.id"
             [context]="USERGRANTCONTEXT"
-            [displayedColumns]="['org', 'projectId', 'type', 'creationDate', 'changeDate', 'roleNamesList', 'actions']"
+            [displayedColumns]="[
+              'org',
+              'projectId',
+              'type',
+              'creationDate',
+              'changeDate',
+              'state',
+              'roleNamesList',
+              'actions',
+            ]"
             [disableWrite]="(['user.grant.write$'] | hasRole | async) === false"
             [disableDelete]="(['user.grant.delete$'] | hasRole | async) === false"
           >
diff --git a/console/src/app/pages/users/user-detail/user-detail/user-detail.component.html b/console/src/app/pages/users/user-detail/user-detail/user-detail.component.html
index 45b6821b4b..9e319b7bc6 100644
--- a/console/src/app/pages/users/user-detail/user-detail/user-detail.component.html
+++ b/console/src/app/pages/users/user-detail/user-detail/user-detail.component.html
@@ -222,7 +222,7 @@
             <cnsl-user-grants
               [userId]="user.id"
               [context]="USERGRANTCONTEXT"
-              [displayedColumns]="['select', 'projectId', 'creationDate', 'changeDate', 'roleNamesList', 'actions']"
+              [displayedColumns]="['select', 'projectId', 'creationDate', 'changeDate', 'state', 'roleNamesList', 'actions']"
               [disableWrite]="(['user.grant.write$'] | hasRole | async) === false"
               [disableDelete]="(['user.grant.delete$'] | hasRole | async) === false"
             >
diff --git a/internal/api/grpc/auth/user_grant.go b/internal/api/grpc/auth/user_grant.go
index 242a54b044..9a1842f9a9 100644
--- a/internal/api/grpc/auth/user_grant.go
+++ b/internal/api/grpc/auth/user_grant.go
@@ -55,5 +55,6 @@ func UserGrantToPb(grant *query.UserGrant) *auth_pb.UserGrant {
 		ProjectGrantId: grant.GrantID,
 		RoleKeys:       grant.Roles,
 		UserType:       user.TypeToPb(grant.UserType),
+		State:          user.UserGrantStateToPb(grant.State),
 	}
 }
diff --git a/internal/api/grpc/user/user_grant.go b/internal/api/grpc/user/user_grant.go
index f4dd099409..eb7f2be205 100644
--- a/internal/api/grpc/user/user_grant.go
+++ b/internal/api/grpc/user/user_grant.go
@@ -23,7 +23,7 @@ func UserGrantToPb(assetPrefix string, grant *query.UserGrant) *user_pb.UserGran
 	return &user_pb.UserGrant{
 		Id:                 grant.ID,
 		UserId:             grant.UserID,
-		State:              user_pb.UserGrantState_USER_GRANT_STATE_ACTIVE,
+		State:              UserGrantStateToPb(grant.State),
 		RoleKeys:           grant.Roles,
 		ProjectId:          grant.ProjectID,
 		OrgId:              grant.ResourceOwner,
@@ -51,6 +51,21 @@ func UserGrantToPb(assetPrefix string, grant *query.UserGrant) *user_pb.UserGran
 	}
 }
 
+func UserGrantStateToPb(state domain.UserGrantState) user_pb.UserGrantState {
+	switch state {
+	case domain.UserGrantStateActive:
+		return user_pb.UserGrantState_USER_GRANT_STATE_ACTIVE
+	case domain.UserGrantStateInactive:
+		return user_pb.UserGrantState_USER_GRANT_STATE_INACTIVE
+	case domain.UserGrantStateRemoved,
+		domain.UserGrantStateUnspecified:
+		// these states should never occur here and are mainly listed for linting purposes
+		fallthrough
+	default:
+		return user_pb.UserGrantState_USER_GRANT_STATE_UNSPECIFIED
+	}
+}
+
 func UserGrantQueriesToQuery(ctx context.Context, queries []*user_pb.UserGrantQuery) (q []query.SearchQuery, err error) {
 	q = make([]query.SearchQuery, len(queries))
 	for i, query := range queries {
diff --git a/internal/api/oidc/client.go b/internal/api/oidc/client.go
index 6bca54c671..1e6fecda5d 100644
--- a/internal/api/oidc/client.go
+++ b/internal/api/oidc/client.go
@@ -799,19 +799,24 @@ func (o *OPStorage) assertRoles(ctx context.Context, userID, applicationID strin
 	if projectID != "" {
 		roleAudience = append(roleAudience, projectID)
 	}
-	queries := make([]query.SearchQuery, 0, 2)
 	projectQuery, err := query.NewUserGrantProjectIDsSearchQuery(roleAudience)
 	if err != nil {
 		return nil, nil, err
 	}
-	queries = append(queries, projectQuery)
 	userIDQuery, err := query.NewUserGrantUserIDSearchQuery(userID)
 	if err != nil {
 		return nil, nil, err
 	}
-	queries = append(queries, userIDQuery)
+	activeQuery, err := query.NewUserGrantStateQuery(domain.UserGrantStateActive)
+	if err != nil {
+		return nil, nil, err
+	}
 	grants, err := o.query.UserGrants(ctx, &query.UserGrantsQueries{
-		Queries: queries,
+		Queries: []query.SearchQuery{
+			projectQuery,
+			userIDQuery,
+			activeQuery,
+		},
 	}, true)
 	if err != nil {
 		return nil, nil, err
diff --git a/internal/api/saml/storage.go b/internal/api/saml/storage.go
index 8791619ba0..8f33e10893 100644
--- a/internal/api/saml/storage.go
+++ b/internal/api/saml/storage.go
@@ -324,10 +324,15 @@ func (p *Storage) getGrants(ctx context.Context, userID, applicationID string) (
 	if err != nil {
 		return nil, err
 	}
+	activeQuery, err := query.NewUserGrantStateQuery(domain.UserGrantStateActive)
+	if err != nil {
+		return nil, err
+	}
 	return p.query.UserGrants(ctx, &query.UserGrantsQueries{
 		Queries: []query.SearchQuery{
 			projectQuery,
 			userIDQuery,
+			activeQuery,
 		},
 	}, true)
 }
diff --git a/internal/auth/repository/eventsourcing/repository.go b/internal/auth/repository/eventsourcing/repository.go
index 9d7b574320..16bee6e7a4 100644
--- a/internal/auth/repository/eventsourcing/repository.go
+++ b/internal/auth/repository/eventsourcing/repository.go
@@ -11,6 +11,7 @@ import (
 	sd "github.com/zitadel/zitadel/internal/config/systemdefaults"
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/domain"
 	eventstore2 "github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/id"
 	"github.com/zitadel/zitadel/internal/query"
@@ -119,7 +120,11 @@ func (q queryViewWrapper) UserGrantsByProjectAndUserID(ctx context.Context, proj
 	if err != nil {
 		return nil, err
 	}
-	queries := &query.UserGrantsQueries{Queries: []query.SearchQuery{userGrantUserID, userGrantProjectID}}
+	activeQuery, err := query.NewUserGrantStateQuery(domain.UserGrantStateActive)
+	if err != nil {
+		return nil, err
+	}
+	queries := &query.UserGrantsQueries{Queries: []query.SearchQuery{userGrantUserID, userGrantProjectID, activeQuery}}
 	grants, err := q.Queries.UserGrants(ctx, queries, true)
 	if err != nil {
 		return nil, err
diff --git a/internal/query/user_grant.go b/internal/query/user_grant.go
index c8e1dc05a7..e2bbabdc72 100644
--- a/internal/query/user_grant.go
+++ b/internal/query/user_grant.go
@@ -143,6 +143,10 @@ func NewUserGrantRoleQuery(value string) (SearchQuery, error) {
 	return NewTextQuery(UserGrantRoles, value, TextListContains)
 }
 
+func NewUserGrantStateQuery(value domain.UserGrantState) (SearchQuery, error) {
+	return NewNumberQuery(UserGrantState, value, NumberEquals)
+}
+
 func NewUserGrantWithGrantedQuery(owner string) (SearchQuery, error) {
 	orgQuery, err := NewUserGrantResourceOwnerSearchQuery(owner)
 	if err != nil {
diff --git a/internal/query/userinfo_by_id.sql b/internal/query/userinfo_by_id.sql
index 2c09215a69..93db8ab1b4 100644
--- a/internal/query/userinfo_by_id.sql
+++ b/internal/query/userinfo_by_id.sql
@@ -38,6 +38,7 @@ user_grants as (
 	where user_id = $1
 	and instance_id = $2
 	and project_id = any($3)
+    and state = 1
 	{{ if . -}}
 	and resource_owner = any($4)
 	{{- end }}
diff --git a/proto/zitadel/auth.proto b/proto/zitadel/auth.proto
index 0eae6d24e5..ed58d70569 100644
--- a/proto/zitadel/auth.proto
+++ b/proto/zitadel/auth.proto
@@ -1565,6 +1565,11 @@ message UserGrant {
             description: "type of the user (human / machine)"
         }
     ];
+    zitadel.user.v1.UserGrantState state = 13 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            description: "current state of the user grant";
+        }
+    ];
 }
 
 message ListMyProjectOrgsRequest {

From 5b40af79f0d74c2d475cb74930c80e768f975bce Mon Sep 17 00:00:00 2001
From: Livio Spring <livio.a@gmail.com>
Date: Tue, 17 Sep 2024 15:21:49 +0200
Subject: [PATCH 06/19] fix: correctly check user state (#8631)

# Which Problems Are Solved

ZITADEL's user account deactivation mechanism did not work correctly
with service accounts. Deactivated service accounts retained the ability
to request tokens, which could lead to unauthorized access to
applications and resources.

# How the Problems Are Solved

Additionally to checking the user state on the session API and login UI,
the state is checked on all oidc session methods resulting in a new
token or when returning the user information (userinfo, introspection,
id_token / access_token and saml attributes)
---
 internal/api/oidc/client.go                   |   3 +
 .../token_client_credentials_test.go          |  10 +
 internal/api/oidc/userinfo.go                 |   5 +-
 internal/api/saml/storage.go                  |   6 +
 internal/command/device_auth.go               |   2 +-
 internal/command/device_auth_test.go          | 115 +++++-
 internal/command/oidc_session.go              |  22 +-
 internal/command/oidc_session_test.go         | 362 +++++++++++++++++-
 internal/integration/oidc.go                  |  26 ++
 internal/query/userinfo_by_id.sql             |   2 +-
 10 files changed, 520 insertions(+), 33 deletions(-)

diff --git a/internal/api/oidc/client.go b/internal/api/oidc/client.go
index 1e6fecda5d..08ed8c31b9 100644
--- a/internal/api/oidc/client.go
+++ b/internal/api/oidc/client.go
@@ -330,6 +330,9 @@ func (o *OPStorage) setUserinfo(ctx context.Context, userInfo *oidc.UserInfo, us
 	if err != nil {
 		return err
 	}
+	if user.State != domain.UserStateActive {
+		return zerrors.ThrowUnauthenticated(nil, "OIDC-S3tha", "Errors.Users.NotActive")
+	}
 	var allRoles bool
 	roles := make([]string, 0)
 	for _, scope := range scopes {
diff --git a/internal/api/oidc/integration_test/token_client_credentials_test.go b/internal/api/oidc/integration_test/token_client_credentials_test.go
index 5316202e31..372baf163d 100644
--- a/internal/api/oidc/integration_test/token_client_credentials_test.go
+++ b/internal/api/oidc/integration_test/token_client_credentials_test.go
@@ -24,6 +24,9 @@ func TestServer_ClientCredentialsExchange(t *testing.T) {
 	machine, name, clientID, clientSecret, err := Instance.CreateOIDCCredentialsClient(CTX)
 	require.NoError(t, err)
 
+	_, _, clientIDInactive, clientSecretInactive, err := Instance.CreateOIDCCredentialsClientInactive(CTX)
+	require.NoError(t, err)
+
 	type claims struct {
 		name                       string
 		username                   string
@@ -71,6 +74,13 @@ func TestServer_ClientCredentialsExchange(t *testing.T) {
 			scope:        []string{oidc.ScopeOpenID},
 			wantErr:      true,
 		},
+		{
+			name:         "inactive machine user error",
+			clientID:     clientIDInactive,
+			clientSecret: clientSecretInactive,
+			scope:        []string{oidc.ScopeOpenID},
+			wantErr:      true,
+		},
 		{
 			name:         "wrong secret error",
 			clientID:     clientID,
diff --git a/internal/api/oidc/userinfo.go b/internal/api/oidc/userinfo.go
index 542ea6a083..b2121a73a2 100644
--- a/internal/api/oidc/userinfo.go
+++ b/internal/api/oidc/userinfo.go
@@ -66,7 +66,10 @@ func (s *Server) UserInfo(ctx context.Context, r *op.Request[oidc.UserInfoReques
 		false,
 	)(ctx, true, domain.TriggerTypePreUserinfoCreation)
 	if err != nil {
-		return nil, err
+		if !zerrors.IsNotFound(err) {
+			return nil, err
+		}
+		return nil, op.NewStatusError(oidc.ErrAccessDenied().WithDescription("no active user").WithParent(err).WithReturnParentToClient(authz.GetFeatures(ctx).DebugOIDCParentError), http.StatusUnauthorized)
 	}
 	return op.NewResponse(userInfo), nil
 }
diff --git a/internal/api/saml/storage.go b/internal/api/saml/storage.go
index 8f33e10893..76173c2592 100644
--- a/internal/api/saml/storage.go
+++ b/internal/api/saml/storage.go
@@ -131,6 +131,9 @@ func (p *Storage) SetUserinfoWithUserID(ctx context.Context, applicationID strin
 	if err != nil {
 		return err
 	}
+	if user.State != domain.UserStateActive {
+		return zerrors.ThrowPreconditionFailed(nil, "SAML-S3gFd", "Errors.User.NotActive")
+	}
 
 	userGrants, err := p.getGrants(ctx, userID, applicationID)
 	if err != nil {
@@ -157,6 +160,9 @@ func (p *Storage) SetUserinfoWithLoginName(ctx context.Context, userinfo models.
 	if err != nil {
 		return err
 	}
+	if user.State != domain.UserStateActive {
+		return zerrors.ThrowPreconditionFailed(nil, "SAML-FJ262", "Errors.User.NotActive")
+	}
 
 	setUserinfo(user, userinfo, attributes, map[string]*customAttribute{})
 	return nil
diff --git a/internal/command/device_auth.go b/internal/command/device_auth.go
index 1a151437b3..a2754650ea 100644
--- a/internal/command/device_auth.go
+++ b/internal/command/device_auth.go
@@ -144,7 +144,7 @@ func (c *Commands) CreateOIDCSessionFromDeviceAuth(ctx context.Context, deviceCo
 		return nil, DeviceAuthStateError(deviceAuthModel.State)
 	}
 
-	cmd, err := c.newOIDCSessionAddEvents(ctx, deviceAuthModel.UserOrgID)
+	cmd, err := c.newOIDCSessionAddEvents(ctx, deviceAuthModel.UserID, deviceAuthModel.UserOrgID)
 	if err != nil {
 		return nil, err
 	}
diff --git a/internal/command/device_auth_test.go b/internal/command/device_auth_test.go
index 500c7b8f58..f25be7053a 100644
--- a/internal/command/device_auth_test.go
+++ b/internal/command/device_auth_test.go
@@ -126,7 +126,7 @@ func TestCommands_ApproveDeviceAuth(t *testing.T) {
 	pushErr := errors.New("pushErr")
 
 	type fields struct {
-		eventstore *eventstore.Eventstore
+		eventstore func(*testing.T) *eventstore.Eventstore
 	}
 	type args struct {
 		ctx               context.Context
@@ -149,7 +149,7 @@ func TestCommands_ApproveDeviceAuth(t *testing.T) {
 		{
 			name: "not found error",
 			fields: fields{
-				eventstore: eventstoreExpect(t,
+				eventstore: expectEventstore(
 					expectFilter(),
 				),
 			},
@@ -169,7 +169,7 @@ func TestCommands_ApproveDeviceAuth(t *testing.T) {
 		{
 			name: "push error",
 			fields: fields{
-				eventstore: eventstoreExpect(t,
+				eventstore: expectEventstore(
 					expectFilter(eventFromEventPusherWithInstanceID(
 						"instance1",
 						deviceauth.NewAddedEvent(
@@ -211,7 +211,7 @@ func TestCommands_ApproveDeviceAuth(t *testing.T) {
 		{
 			name: "success",
 			fields: fields{
-				eventstore: eventstoreExpect(t,
+				eventstore: expectEventstore(
 					expectFilter(eventFromEventPusherWithInstanceID(
 						"instance1",
 						deviceauth.NewAddedEvent(
@@ -256,7 +256,7 @@ func TestCommands_ApproveDeviceAuth(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			c := &Commands{
-				eventstore: tt.fields.eventstore,
+				eventstore: tt.fields.eventstore(t),
 			}
 			gotDetails, err := c.ApproveDeviceAuth(tt.args.ctx, tt.args.id, tt.args.userID, tt.args.userOrgID, tt.args.authMethods, tt.args.authTime, tt.args.preferredLanguage, tt.args.userAgent, tt.args.sessionID)
 			require.ErrorIs(t, err, tt.wantErr)
@@ -271,7 +271,7 @@ func TestCommands_CancelDeviceAuth(t *testing.T) {
 	pushErr := errors.New("pushErr")
 
 	type fields struct {
-		eventstore *eventstore.Eventstore
+		eventstore func(*testing.T) *eventstore.Eventstore
 	}
 	type args struct {
 		ctx    context.Context
@@ -288,7 +288,7 @@ func TestCommands_CancelDeviceAuth(t *testing.T) {
 		{
 			name: "not found error",
 			fields: fields{
-				eventstore: eventstoreExpect(t,
+				eventstore: expectEventstore(
 					expectFilter(),
 				),
 			},
@@ -298,7 +298,7 @@ func TestCommands_CancelDeviceAuth(t *testing.T) {
 		{
 			name: "push error",
 			fields: fields{
-				eventstore: eventstoreExpect(t,
+				eventstore: expectEventstore(
 					expectFilter(eventFromEventPusherWithInstanceID(
 						"instance1",
 						deviceauth.NewAddedEvent(
@@ -323,7 +323,7 @@ func TestCommands_CancelDeviceAuth(t *testing.T) {
 		{
 			name: "success/denied",
 			fields: fields{
-				eventstore: eventstoreExpect(t,
+				eventstore: expectEventstore(
 					expectFilter(eventFromEventPusherWithInstanceID(
 						"instance1",
 						deviceauth.NewAddedEvent(
@@ -350,7 +350,7 @@ func TestCommands_CancelDeviceAuth(t *testing.T) {
 		{
 			name: "success/expired",
 			fields: fields{
-				eventstore: eventstoreExpect(t,
+				eventstore: expectEventstore(
 					expectFilter(eventFromEventPusherWithInstanceID(
 						"instance1",
 						deviceauth.NewAddedEvent(
@@ -378,7 +378,7 @@ func TestCommands_CancelDeviceAuth(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			c := &Commands{
-				eventstore: tt.fields.eventstore,
+				eventstore: tt.fields.eventstore(t),
 			}
 			gotDetails, err := c.CancelDeviceAuth(tt.args.ctx, tt.args.id, tt.args.reason)
 			require.ErrorIs(t, err, tt.wantErr)
@@ -586,6 +586,69 @@ func TestCommands_CreateOIDCSessionFromDeviceAuth(t *testing.T) {
 			},
 			wantErr: DeviceAuthStateError(domain.DeviceAuthStateDone),
 		},
+		{
+			name: "user not active",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusherWithInstanceID(
+							"instance1",
+							deviceauth.NewAddedEvent(
+								ctx,
+								deviceauth.NewAggregate("123", "instance1"),
+								"clientID", "123", "456", time.Now().Add(-time.Minute),
+								[]string{"openid", "offline_access"},
+								[]string{"audience"}, false,
+							),
+						),
+						eventFromEventPusherWithInstanceID(
+							"instance1",
+							deviceauth.NewApprovedEvent(ctx,
+								deviceauth.NewAggregate("123", "instance1"),
+								"userID", "org1",
+								[]domain.UserAuthMethodType{domain.UserAuthMethodTypePassword},
+								testNow, &language.Afrikaans, &domain.UserAgent{
+									FingerprintID: gu.Ptr("fp1"),
+									IP:            net.ParseIP("1.2.3.4"),
+									Description:   gu.Ptr("firefox"),
+									Header:        http.Header{"foo": []string{"bar"}},
+								},
+								"sessionID",
+							),
+						),
+					),
+					expectFilter(
+						user.NewHumanAddedEvent(
+							ctx,
+							&user.NewAggregate("userID", "org1").Aggregate,
+							"username",
+							"firstname",
+							"lastname",
+							"nickname",
+							"displayname",
+							language.English,
+							domain.GenderUnspecified,
+							"email",
+							false,
+						),
+						user.NewUserDeactivatedEvent(
+							ctx,
+							&user.NewAggregate("userID", "org1").Aggregate,
+						),
+					),
+				),
+				idGenerator:                     mock.NewIDGeneratorExpectIDs(t),
+				defaultAccessTokenLifetime:      time.Hour,
+				defaultRefreshTokenLifetime:     7 * 24 * time.Hour,
+				defaultRefreshTokenIdleLifetime: 24 * time.Hour,
+				keyAlgorithm:                    crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+			},
+			args: args{
+				ctx,
+				"123",
+			},
+			wantErr: zerrors.ThrowPreconditionFailed(nil, "OIDCS-kj3g2", "Errors.User.NotActive"),
+		},
 		{
 			name: "approved, success",
 			fields: fields{
@@ -617,6 +680,21 @@ func TestCommands_CreateOIDCSessionFromDeviceAuth(t *testing.T) {
 							),
 						),
 					),
+					expectFilter(
+						user.NewHumanAddedEvent(
+							ctx,
+							&user.NewAggregate("userID", "org1").Aggregate,
+							"username",
+							"firstname",
+							"lastname",
+							"nickname",
+							"displayname",
+							language.English,
+							domain.GenderUnspecified,
+							"email",
+							false,
+						),
+					),
 					expectFilter(), // token lifetime
 					expectPush(
 						oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate,
@@ -699,6 +777,21 @@ func TestCommands_CreateOIDCSessionFromDeviceAuth(t *testing.T) {
 							),
 						),
 					),
+					expectFilter(
+						user.NewHumanAddedEvent(
+							ctx,
+							&user.NewAggregate("userID", "org1").Aggregate,
+							"username",
+							"firstname",
+							"lastname",
+							"nickname",
+							"displayname",
+							language.English,
+							domain.GenderUnspecified,
+							"email",
+							false,
+						),
+					),
 					expectFilter(), // token lifetime
 					expectPush(
 						oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate,
diff --git a/internal/command/oidc_session.go b/internal/command/oidc_session.go
index ae201feb7e..1ad46ba7d6 100644
--- a/internal/command/oidc_session.go
+++ b/internal/command/oidc_session.go
@@ -80,7 +80,7 @@ func (c *Commands) CreateOIDCSessionFromAuthRequest(ctx context.Context, authReq
 		return nil, "", err
 	}
 
-	cmd, err := c.newOIDCSessionAddEvents(ctx, sessionModel.UserResourceOwner)
+	cmd, err := c.newOIDCSessionAddEvents(ctx, sessionModel.UserID, sessionModel.UserResourceOwner)
 	if err != nil {
 		return nil, "", err
 	}
@@ -141,7 +141,7 @@ func (c *Commands) CreateOIDCSession(ctx context.Context,
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 
-	cmd, err := c.newOIDCSessionAddEvents(ctx, resourceOwner)
+	cmd, err := c.newOIDCSessionAddEvents(ctx, userID, resourceOwner)
 	if err != nil {
 		return nil, err
 	}
@@ -265,7 +265,14 @@ func (c *Commands) RevokeOIDCSessionToken(ctx context.Context, token, clientID s
 	return c.pushAppendAndReduce(ctx, writeModel, oidcsession.NewAccessTokenRevokedEvent(ctx, writeModel.aggregate))
 }
 
-func (c *Commands) newOIDCSessionAddEvents(ctx context.Context, resourceOwner string, pending ...eventstore.Command) (*OIDCSessionEvents, error) {
+func (c *Commands) newOIDCSessionAddEvents(ctx context.Context, userID, resourceOwner string, pending ...eventstore.Command) (*OIDCSessionEvents, error) {
+	userStateModel, err := c.userStateWriteModel(ctx, userID)
+	if err != nil {
+		return nil, err
+	}
+	if !userStateModel.UserState.IsEnabled() {
+		return nil, zerrors.ThrowPreconditionFailed(nil, "OIDCS-kj3g2", "Errors.User.NotActive")
+	}
 	accessTokenLifetime, refreshTokenLifeTime, refreshTokenIdleLifetime, err := c.tokenTokenLifetimes(ctx)
 	if err != nil {
 		return nil, err
@@ -281,6 +288,7 @@ func (c *Commands) newOIDCSessionAddEvents(ctx context.Context, resourceOwner st
 		encryptionAlg:            c.keyAlgorithm,
 		events:                   pending,
 		oidcSessionWriteModel:    NewOIDCSessionWriteModel(sessionID, resourceOwner),
+		userStateModel:           userStateModel,
 		accessTokenLifetime:      accessTokenLifetime,
 		refreshTokenLifeTime:     refreshTokenLifeTime,
 		refreshTokenIdleLifetime: refreshTokenIdleLifetime,
@@ -321,6 +329,13 @@ func (c *Commands) newOIDCSessionUpdateEvents(ctx context.Context, refreshToken
 	if err = sessionWriteModel.CheckRefreshToken(refreshTokenID); err != nil {
 		return nil, err
 	}
+	userStateWriteModel, err := c.userStateWriteModel(ctx, sessionWriteModel.UserID)
+	if err != nil {
+		return nil, err
+	}
+	if !userStateWriteModel.UserState.IsEnabled() {
+		return nil, zerrors.ThrowPreconditionFailed(nil, "OIDCS-J39h2", "Errors.User.NotActive")
+	}
 	accessTokenLifetime, refreshTokenLifeTime, refreshTokenIdleLifetime, err := c.tokenTokenLifetimes(ctx)
 	if err != nil {
 		return nil, err
@@ -342,6 +357,7 @@ type OIDCSessionEvents struct {
 	encryptionAlg         crypto.EncryptionAlgorithm
 	events                []eventstore.Command
 	oidcSessionWriteModel *OIDCSessionWriteModel
+	userStateModel        *UserV2WriteModel
 
 	accessTokenLifetime      time.Duration
 	refreshTokenLifeTime     time.Duration
diff --git a/internal/command/oidc_session_test.go b/internal/command/oidc_session_test.go
index a3af86d25a..6d9ee6e32e 100644
--- a/internal/command/oidc_session_test.go
+++ b/internal/command/oidc_session_test.go
@@ -205,6 +205,103 @@ func TestCommands_CreateOIDCSessionFromAuthRequest(t *testing.T) {
 				err: zerrors.ThrowPreconditionFailed(nil, "COMMAND-Flk38", "Errors.Session.NotExisting"),
 			},
 		},
+		{
+			"user not active",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							authrequest.NewAddedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate,
+								"loginClient",
+								"clientID",
+								"redirectURI",
+								"state",
+								"nonce",
+								[]string{"openid", "offline_access"},
+								[]string{"audience"},
+								domain.OIDCResponseTypeCode,
+								domain.OIDCResponseModeQuery,
+								&domain.OIDCCodeChallenge{
+									Challenge: "challenge",
+									Method:    domain.CodeChallengeMethodS256,
+								},
+								[]domain.Prompt{domain.PromptNone},
+								[]string{"en", "de"},
+								gu.Ptr(time.Duration(0)),
+								gu.Ptr("loginHint"),
+								gu.Ptr("hintUserID"),
+								true,
+							),
+						),
+						eventFromEventPusher(
+							authrequest.NewCodeAddedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate),
+						),
+						eventFromEventPusher(
+							authrequest.NewSessionLinkedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate,
+								"sessionID",
+								"userID",
+								testNow,
+								[]domain.UserAuthMethodType{domain.UserAuthMethodTypePassword},
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							session.NewAddedEvent(context.Background(),
+								&session.NewAggregate("sessionID", "instance1").Aggregate,
+								&domain.UserAgent{
+									FingerprintID: gu.Ptr("fp1"),
+									IP:            net.ParseIP("1.2.3.4"),
+									Description:   gu.Ptr("firefox"),
+									Header:        http.Header{"foo": []string{"bar"}},
+								},
+							),
+						),
+						eventFromEventPusher(
+							session.NewUserCheckedEvent(context.Background(), &session.NewAggregate("sessionID", "instanceID").Aggregate,
+								"userID", "org1", testNow, &language.Afrikaans),
+						),
+						eventFromEventPusher(
+							session.NewPasswordCheckedEvent(context.Background(), &session.NewAggregate("sessionID", "instanceID").Aggregate,
+								testNow),
+						),
+					),
+					expectFilter(
+						user.NewHumanAddedEvent(
+							context.Background(),
+							&user.NewAggregate("userID", "org1").Aggregate,
+							"username",
+							"firstname",
+							"lastname",
+							"nickname",
+							"displayname",
+							language.Afrikaans,
+							domain.GenderUnspecified,
+							"email",
+							false,
+						),
+						user.NewUserDeactivatedEvent(
+							context.Background(),
+							&user.NewAggregate("userID", "org1").Aggregate,
+						),
+					),
+				),
+				idGenerator:                     mock.NewIDGeneratorExpectIDs(t),
+				defaultAccessTokenLifetime:      time.Hour,
+				defaultRefreshTokenLifetime:     7 * 24 * time.Hour,
+				defaultRefreshTokenIdleLifetime: 24 * time.Hour,
+				keyAlgorithm:                    crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+			},
+			args{
+				ctx:              authz.WithInstanceID(context.Background(), "instanceID"),
+				authRequestID:    "V2_authRequestID",
+				complianceCheck:  mockAuthRequestComplianceChecker(nil),
+				needRefreshToken: true,
+			},
+			res{
+				err: zerrors.ThrowPreconditionFailed(nil, "OIDCS-kj3g2", "Errors.User.NotActive"),
+			},
+		},
 		{
 			"add successful",
 			fields{
@@ -266,6 +363,21 @@ func TestCommands_CreateOIDCSessionFromAuthRequest(t *testing.T) {
 								testNow),
 						),
 					),
+					expectFilter(
+						user.NewHumanAddedEvent(
+							context.Background(),
+							&user.NewAggregate("userID", "org1").Aggregate,
+							"username",
+							"firstname",
+							"lastname",
+							"nickname",
+							"displayname",
+							language.Afrikaans,
+							domain.GenderUnspecified,
+							"email",
+							false,
+						),
+					),
 					expectFilter(), // token lifetime
 					expectPush(
 						authrequest.NewCodeExchangedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate),
@@ -382,6 +494,21 @@ func TestCommands_CreateOIDCSessionFromAuthRequest(t *testing.T) {
 								testNow),
 						),
 					),
+					expectFilter(
+						user.NewHumanAddedEvent(
+							context.Background(),
+							&user.NewAggregate("userID", "org1").Aggregate,
+							"username",
+							"firstname",
+							"lastname",
+							"nickname",
+							"displayname",
+							language.Afrikaans,
+							domain.GenderUnspecified,
+							"email",
+							false,
+						),
+					),
 					expectFilter(), // token lifetime
 					expectPush(
 						oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate,
@@ -521,10 +648,81 @@ func TestCommands_CreateOIDCSession(t *testing.T) {
 			},
 			wantErr: io.ErrClosedPipe,
 		},
+		{
+			name: "not active user",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						user.NewHumanAddedEvent(
+							context.Background(),
+							&user.NewAggregate("userID", "org1").Aggregate,
+							"username",
+							"firstname",
+							"lastname",
+							"nickname",
+							"displayname",
+							language.Afrikaans,
+							domain.GenderUnspecified,
+							"email",
+							false,
+						),
+						user.NewUserDeactivatedEvent(
+							context.Background(),
+							&user.NewAggregate("userID", "org1").Aggregate,
+						),
+					),
+				),
+				idGenerator:                     mock.NewIDGeneratorExpectIDs(t),
+				defaultAccessTokenLifetime:      time.Hour,
+				defaultRefreshTokenLifetime:     7 * 24 * time.Hour,
+				defaultRefreshTokenIdleLifetime: 24 * time.Hour,
+				keyAlgorithm:                    crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+			},
+			args: args{
+				ctx:               context.Background(),
+				userID:            "userID",
+				resourceOwner:     "org1",
+				clientID:          "clientID",
+				audience:          []string{"audience"},
+				scope:             []string{"openid", "offline_access"},
+				authMethods:       []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword},
+				authTime:          testNow,
+				nonce:             "nonce",
+				preferredLanguage: &language.Afrikaans,
+				userAgent: &domain.UserAgent{
+					FingerprintID: gu.Ptr("fp1"),
+					IP:            net.ParseIP("1.2.3.4"),
+					Description:   gu.Ptr("firefox"),
+					Header:        http.Header{"foo": []string{"bar"}},
+				},
+				reason: domain.TokenReasonAuthRequest,
+				actor: &domain.TokenActor{
+					UserID: "user2",
+					Issuer: "foo.com",
+				},
+				needRefreshToken: false,
+			},
+			wantErr: zerrors.ThrowPreconditionFailed(nil, "OIDCS-kj3g2", "Errors.User.NotActive"),
+		},
 		{
 			name: "without refresh token",
 			fields: fields{
 				eventstore: expectEventstore(
+					expectFilter(
+						user.NewHumanAddedEvent(
+							context.Background(),
+							&user.NewAggregate("userID", "org1").Aggregate,
+							"username",
+							"firstname",
+							"lastname",
+							"nickname",
+							"displayname",
+							language.Afrikaans,
+							domain.GenderUnspecified,
+							"email",
+							false,
+						),
+					),
 					expectFilter(), // token lifetime
 					expectPush(
 						oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate,
@@ -606,6 +804,21 @@ func TestCommands_CreateOIDCSession(t *testing.T) {
 			name: "with refresh token",
 			fields: fields{
 				eventstore: expectEventstore(
+					expectFilter(
+						user.NewHumanAddedEvent(
+							context.Background(),
+							&user.NewAggregate("userID", "org1").Aggregate,
+							"username",
+							"firstname",
+							"lastname",
+							"nickname",
+							"displayname",
+							language.Afrikaans,
+							domain.GenderUnspecified,
+							"email",
+							false,
+						),
+					),
 					expectFilter(), // token lifetime
 					expectPush(
 						oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate,
@@ -689,6 +902,21 @@ func TestCommands_CreateOIDCSession(t *testing.T) {
 			name: "with sessionID",
 			fields: fields{
 				eventstore: expectEventstore(
+					expectFilter(
+						user.NewHumanAddedEvent(
+							context.Background(),
+							&user.NewAggregate("userID", "org1").Aggregate,
+							"username",
+							"firstname",
+							"lastname",
+							"nickname",
+							"displayname",
+							language.Afrikaans,
+							domain.GenderUnspecified,
+							"email",
+							false,
+						),
+					),
 					expectFilter(), // token lifetime
 					expectPush(
 						oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate,
@@ -772,6 +1000,21 @@ func TestCommands_CreateOIDCSession(t *testing.T) {
 			name: "impersonation not allowed",
 			fields: fields{
 				eventstore: expectEventstore(
+					expectFilter(
+						user.NewHumanAddedEvent(
+							context.Background(),
+							&user.NewAggregate("userID", "org1").Aggregate,
+							"username",
+							"firstname",
+							"lastname",
+							"nickname",
+							"displayname",
+							language.Afrikaans,
+							domain.GenderUnspecified,
+							"email",
+							false,
+						),
+					),
 					expectFilter(), // token lifetime
 				),
 				idGenerator:                     mock.NewIDGeneratorExpectIDs(t, "oidcSessionID"),
@@ -813,6 +1056,21 @@ func TestCommands_CreateOIDCSession(t *testing.T) {
 			name: "impersonation allowed",
 			fields: fields{
 				eventstore: expectEventstore(
+					expectFilter(
+						user.NewHumanAddedEvent(
+							context.Background(),
+							&user.NewAggregate("userID", "org1").Aggregate,
+							"username",
+							"firstname",
+							"lastname",
+							"nickname",
+							"displayname",
+							language.Afrikaans,
+							domain.GenderUnspecified,
+							"email",
+							false,
+						),
+					),
 					expectFilter(), // token lifetime
 					expectPush(
 						user.NewUserImpersonatedEvent(context.Background(), &user.NewAggregate("userID", "org1").Aggregate, "clientID", &domain.TokenActor{
@@ -1067,6 +1325,63 @@ func TestCommands_ExchangeOIDCSessionRefreshAndAccessToken(t *testing.T) {
 				err: zerrors.ThrowPreconditionFailed(nil, "OIDCS-3jt2w", "Errors.OIDCSession.RefreshTokenInvalid"),
 			},
 		},
+		{
+			"user not active",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusherWithCreationDateNow(
+							oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate,
+								"userID", "org1", "sessionID", "clientID", []string{"audience"}, []string{"openid", "profile", "offline_access"},
+								[]domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow, "nonce", &language.Afrikaans,
+								&domain.UserAgent{FingerprintID: gu.Ptr("browserFP")},
+							),
+						),
+						eventFromEventPusherWithCreationDateNow(
+							oidcsession.NewAccessTokenAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate,
+								"at_accessTokenID", []string{"openid", "profile", "offline_access"}, time.Hour, domain.TokenReasonAuthRequest, nil),
+						),
+						eventFromEventPusherWithCreationDateNow(
+							oidcsession.NewRefreshTokenAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate,
+								"rt_refreshTokenID", 7*24*time.Hour, 24*time.Hour),
+						),
+					),
+					expectFilter(
+						user.NewHumanAddedEvent(
+							context.Background(),
+							&user.NewAggregate("userID", "org1").Aggregate,
+							"username",
+							"firstname",
+							"lastname",
+							"nickname",
+							"displayname",
+							language.Afrikaans,
+							domain.GenderUnspecified,
+							"email",
+							false,
+						),
+						user.NewUserDeactivatedEvent(
+							context.Background(),
+							&user.NewAggregate("userID", "org1").Aggregate,
+						),
+					),
+				),
+				idGenerator:                     mock.NewIDGeneratorExpectIDs(t),
+				defaultAccessTokenLifetime:      time.Hour,
+				defaultRefreshTokenLifetime:     7 * 24 * time.Hour,
+				defaultRefreshTokenIdleLifetime: 24 * time.Hour,
+				keyAlgorithm:                    crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+			},
+			args{
+				ctx:             authz.WithInstanceID(context.Background(), "instanceID"),
+				refreshToken:    "VjJfb2lkY1Nlc3Npb25JRC1ydF9yZWZyZXNoVG9rZW5JRDp1c2VySUQ", //V2_oidcSessionID:rt_refreshTokenID:userID
+				scope:           []string{"openid", "offline_access"},
+				complianceCheck: mockRefreshTokenComplianceChecker(nil),
+			},
+			res{
+				err: zerrors.ThrowPreconditionFailed(nil, "OIDCS-J39h2", "Errors.User.NotActive"),
+			},
+		},
 		{
 			"refresh successful",
 			fields{
@@ -1088,6 +1403,21 @@ func TestCommands_ExchangeOIDCSessionRefreshAndAccessToken(t *testing.T) {
 								"rt_refreshTokenID", 7*24*time.Hour, 24*time.Hour),
 						),
 					),
+					expectFilter(
+						user.NewHumanAddedEvent(
+							context.Background(),
+							&user.NewAggregate("userID", "org1").Aggregate,
+							"username",
+							"firstname",
+							"lastname",
+							"nickname",
+							"displayname",
+							language.Afrikaans,
+							domain.GenderUnspecified,
+							"email",
+							false,
+						),
+					),
 					expectFilter(), // token lifetime
 					expectPush(
 						oidcsession.NewAccessTokenAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate,
@@ -1153,7 +1483,7 @@ func TestCommands_ExchangeOIDCSessionRefreshAndAccessToken(t *testing.T) {
 
 func TestCommands_OIDCSessionByRefreshToken(t *testing.T) {
 	type fields struct {
-		eventstore                      *eventstore.Eventstore
+		eventstore                      func(*testing.T) *eventstore.Eventstore
 		idGenerator                     id.Generator
 		defaultAccessTokenLifetime      time.Duration
 		defaultRefreshTokenLifetime     time.Duration
@@ -1177,7 +1507,7 @@ func TestCommands_OIDCSessionByRefreshToken(t *testing.T) {
 		{
 			"invalid refresh token format error",
 			fields{
-				eventstore:   eventstoreExpect(t),
+				eventstore:   expectEventstore(),
 				keyAlgorithm: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
 			},
 			args{
@@ -1191,7 +1521,7 @@ func TestCommands_OIDCSessionByRefreshToken(t *testing.T) {
 		{
 			"inactive session error",
 			fields{
-				eventstore: eventstoreExpect(t,
+				eventstore: expectEventstore(
 					expectFilter(),
 				),
 				keyAlgorithm: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
@@ -1207,7 +1537,7 @@ func TestCommands_OIDCSessionByRefreshToken(t *testing.T) {
 		{
 			"invalid refresh token error",
 			fields{
-				eventstore: eventstoreExpect(t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate,
@@ -1235,7 +1565,7 @@ func TestCommands_OIDCSessionByRefreshToken(t *testing.T) {
 		{
 			"expired refresh token error",
 			fields{
-				eventstore: eventstoreExpect(t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate,
@@ -1267,7 +1597,7 @@ func TestCommands_OIDCSessionByRefreshToken(t *testing.T) {
 		{
 			"get successful",
 			fields{
-				eventstore: eventstoreExpect(t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusherWithCreationDateNow(
 							oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate,
@@ -1316,7 +1646,7 @@ func TestCommands_OIDCSessionByRefreshToken(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			c := &Commands{
-				eventstore:                      tt.fields.eventstore,
+				eventstore:                      tt.fields.eventstore(t),
 				idGenerator:                     tt.fields.idGenerator,
 				defaultAccessTokenLifetime:      tt.fields.defaultAccessTokenLifetime,
 				defaultRefreshTokenLifetime:     tt.fields.defaultRefreshTokenLifetime,
@@ -1348,7 +1678,7 @@ func TestCommands_OIDCSessionByRefreshToken(t *testing.T) {
 
 func TestCommands_RevokeOIDCSessionToken(t *testing.T) {
 	type fields struct {
-		eventstore   *eventstore.Eventstore
+		eventstore   func(*testing.T) *eventstore.Eventstore
 		keyAlgorithm crypto.EncryptionAlgorithm
 	}
 	type args struct {
@@ -1368,7 +1698,7 @@ func TestCommands_RevokeOIDCSessionToken(t *testing.T) {
 		{
 			"invalid token",
 			fields{
-				eventstore:   eventstoreExpect(t),
+				eventstore:   expectEventstore(),
 				keyAlgorithm: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
 			},
 			args{
@@ -1382,7 +1712,7 @@ func TestCommands_RevokeOIDCSessionToken(t *testing.T) {
 		{
 			"refresh_token inactive",
 			fields{
-				eventstore: eventstoreExpect(t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate,
@@ -1407,7 +1737,7 @@ func TestCommands_RevokeOIDCSessionToken(t *testing.T) {
 		{
 			"refresh_token invalid client",
 			fields{
-				eventstore: eventstoreExpect(t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate,
@@ -1432,7 +1762,7 @@ func TestCommands_RevokeOIDCSessionToken(t *testing.T) {
 		{
 			"refresh_token revoked",
 			fields{
-				eventstore: eventstoreExpect(t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate,
@@ -1468,7 +1798,7 @@ func TestCommands_RevokeOIDCSessionToken(t *testing.T) {
 		{
 			"access_token inactive session",
 			fields{
-				eventstore: eventstoreExpect(t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate,
@@ -1493,7 +1823,7 @@ func TestCommands_RevokeOIDCSessionToken(t *testing.T) {
 		{
 			"access_token invalid client",
 			fields{
-				eventstore: eventstoreExpect(t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate,
@@ -1518,7 +1848,7 @@ func TestCommands_RevokeOIDCSessionToken(t *testing.T) {
 		{
 			"access_token revoked",
 			fields{
-				eventstore: eventstoreExpect(t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate,
@@ -1555,7 +1885,7 @@ func TestCommands_RevokeOIDCSessionToken(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			c := &Commands{
-				eventstore:   tt.fields.eventstore,
+				eventstore:   tt.fields.eventstore(t),
 				keyAlgorithm: tt.fields.keyAlgorithm,
 			}
 			err := c.RevokeOIDCSessionToken(tt.args.ctx, tt.args.token, tt.args.clientID)
diff --git a/internal/integration/oidc.go b/internal/integration/oidc.go
index 3afd262a35..f6d779de95 100644
--- a/internal/integration/oidc.go
+++ b/internal/integration/oidc.go
@@ -22,6 +22,7 @@ import (
 	"github.com/zitadel/zitadel/pkg/grpc/authn"
 	"github.com/zitadel/zitadel/pkg/grpc/management"
 	"github.com/zitadel/zitadel/pkg/grpc/user"
+	user_v2 "github.com/zitadel/zitadel/pkg/grpc/user/v2"
 )
 
 func (i *Instance) CreateOIDCClient(ctx context.Context, redirectURI, logoutRedirectURI, projectID string, appType app.OIDCAppType, authMethod app.OIDCAuthMethodType, devMode bool, grantTypes ...app.OIDCGrantType) (*management.AddOIDCAppResponse, error) {
@@ -355,6 +356,31 @@ func (i *Instance) CreateOIDCCredentialsClient(ctx context.Context) (machine *ma
 	return machine, name, secret.GetClientId(), secret.GetClientSecret(), nil
 }
 
+func (i *Instance) CreateOIDCCredentialsClientInactive(ctx context.Context) (machine *management.AddMachineUserResponse, name, clientID, clientSecret string, err error) {
+	name = gofakeit.Username()
+	machine, err = i.Client.Mgmt.AddMachineUser(ctx, &management.AddMachineUserRequest{
+		Name:            name,
+		UserName:        name,
+		AccessTokenType: user.AccessTokenType_ACCESS_TOKEN_TYPE_JWT,
+	})
+	if err != nil {
+		return nil, "", "", "", err
+	}
+	secret, err := i.Client.Mgmt.GenerateMachineSecret(ctx, &management.GenerateMachineSecretRequest{
+		UserId: machine.GetUserId(),
+	})
+	if err != nil {
+		return nil, "", "", "", err
+	}
+	_, err = i.Client.UserV2.DeactivateUser(ctx, &user_v2.DeactivateUserRequest{
+		UserId: machine.GetUserId(),
+	})
+	if err != nil {
+		return nil, "", "", "", err
+	}
+	return machine, name, secret.GetClientId(), secret.GetClientSecret(), nil
+}
+
 func (i *Instance) CreateOIDCJWTProfileClient(ctx context.Context) (machine *management.AddMachineUserResponse, name string, keyData []byte, err error) {
 	name = gofakeit.Username()
 	machine, err = i.Client.Mgmt.AddMachineUser(ctx, &management.AddMachineUserRequest{
diff --git a/internal/query/userinfo_by_id.sql b/internal/query/userinfo_by_id.sql
index 93db8ab1b4..cd7f301c72 100644
--- a/internal/query/userinfo_by_id.sql
+++ b/internal/query/userinfo_by_id.sql
@@ -2,7 +2,7 @@ with usr as (
 	select u.id, u.creation_date, u.change_date, u.sequence, u.state, u.resource_owner, u.username, n.login_name as preferred_login_name
 	from projections.users13 u
 	left join projections.login_names3 n on u.id = n.user_id and u.instance_id = n.instance_id
-	where u.id = $1
+	where u.id = $1 and u.state = 1 -- only allow active users
 	and u.instance_id = $2
 	and n.is_primary = true
 ),

From e68b5d4a835eda754002b51e18ce25f45c49d3b1 Mon Sep 17 00:00:00 2001
From: Max Peintner <max@caos.ch>
Date: Wed, 18 Sep 2024 12:00:36 +0200
Subject: [PATCH 07/19] chore(console): dependencies (#8638)

Updates the dependencies

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 console/package.json |  16 +--
 console/yarn.lock    | 300 ++++++++++++++++++++++++++++---------------
 2 files changed, 205 insertions(+), 111 deletions(-)

diff --git a/console/package.json b/console/package.json
index 1631a206d6..e68ccec202 100644
--- a/console/package.json
+++ b/console/package.json
@@ -28,7 +28,7 @@
     "@fortawesome/angular-fontawesome": "^0.13.0",
     "@fortawesome/fontawesome-svg-core": "^6.4.2",
     "@fortawesome/free-brands-svg-icons": "^6.4.2",
-    "@grpc/grpc-js": "^1.11.1",
+    "@grpc/grpc-js": "^1.11.2",
     "@netlify/framework-info": "^9.8.13",
     "@ngx-translate/core": "^15.0.0",
     "angular-oauth2-oidc": "^15.0.1",
@@ -42,14 +42,14 @@
     "google-protobuf": "^3.21.2",
     "grpc-web": "^1.4.1",
     "i18n-iso-countries": "^7.7.0",
-    "libphonenumber-js": "^1.11.4",
+    "libphonenumber-js": "^1.11.8",
     "material-design-icons-iconfont": "^6.1.1",
     "moment": "^2.29.4",
     "ngx-color": "^9.0.0",
     "opentype.js": "^1.3.4",
     "rxjs": "~7.8.0",
     "tinycolor2": "^1.6.0",
-    "tslib": "^2.6.2",
+    "tslib": "^2.7.0",
     "uuid": "^10.0.0",
     "zone.js": "~0.13.3"
   },
@@ -60,16 +60,16 @@
     "@angular-eslint/eslint-plugin-template": "18.0.0",
     "@angular-eslint/schematics": "16.2.0",
     "@angular-eslint/template-parser": "18.3.0",
-    "@angular/cli": "^16.2.14",
+    "@angular/cli": "^16.2.15",
     "@angular/compiler-cli": "^16.2.5",
-    "@angular/language-service": "^18.2.2",
-    "@bufbuild/buf": "^1.39.0",
+    "@angular/language-service": "^18.2.4",
+    "@bufbuild/buf": "^1.41.0",
     "@types/file-saver": "^2.0.7",
     "@types/google-protobuf": "^3.15.3",
     "@types/jasmine": "~5.1.4",
     "@types/jasminewd2": "~2.0.13",
     "@types/jsonwebtoken": "^9.0.6",
-    "@types/node": "^22.5.2",
+    "@types/node": "^22.5.5",
     "@types/opentype.js": "^1.3.8",
     "@types/qrcode": "^1.5.2",
     "@types/uuid": "^10.0.0",
@@ -77,7 +77,7 @@
     "@typescript-eslint/parser": "^5.60.1",
     "codelyzer": "^6.0.2",
     "eslint": "^8.50.0",
-    "jasmine-core": "~5.2.0",
+    "jasmine-core": "~5.3.0",
     "jasmine-spec-reporter": "~7.0.0",
     "karma": "^6.4.2",
     "karma-chrome-launcher": "^3.2.0",
diff --git a/console/yarn.lock b/console/yarn.lock
index eec0cc2438..23f9a4bb84 100644
--- a/console/yarn.lock
+++ b/console/yarn.lock
@@ -26,6 +26,14 @@
     "@angular-devkit/core" "16.2.14"
     rxjs "7.8.1"
 
+"@angular-devkit/architect@0.1602.15":
+  version "0.1602.15"
+  resolved "https://registry.yarnpkg.com/@angular-devkit/architect/-/architect-0.1602.15.tgz#b70f2456677f6859d4dac4ad80c6b13d00108797"
+  integrity sha512-+yPlUG5c8l7Z/A6dyeV7NQjj4WDWnWWQt+8eW/KInwVwoYiM32ntTJ0M4uU/aDdHuwKQnMLly28AcSWPWKYf2Q==
+  dependencies:
+    "@angular-devkit/core" "16.2.15"
+    rxjs "7.8.1"
+
 "@angular-devkit/build-angular@^16.2.2":
   version "16.2.14"
   resolved "https://registry.yarnpkg.com/@angular-devkit/build-angular/-/build-angular-16.2.14.tgz#0c4e41aa3f67e52b474b2fabeb027aebf6e76566"
@@ -118,12 +126,24 @@
     rxjs "7.8.1"
     source-map "0.7.4"
 
-"@angular-devkit/schematics@16.2.14":
-  version "16.2.14"
-  resolved "https://registry.yarnpkg.com/@angular-devkit/schematics/-/schematics-16.2.14.tgz#819c2ef8bb298e383cb312d9d1411f5970f0328f"
-  integrity sha512-B6LQKInCT8w5zx5Pbroext5eFFRTCJdTwHN8GhcVS8IeKCnkeqVTQLjB4lBUg7LEm8Y7UHXwzrVxmk+f+MBXhw==
+"@angular-devkit/core@16.2.15":
+  version "16.2.15"
+  resolved "https://registry.yarnpkg.com/@angular-devkit/core/-/core-16.2.15.tgz#44ef98cda82ef82435a2a41507f8c24720d372df"
+  integrity sha512-68BgPWpcjNKz++uvLFG8IZaOH3ti2BWQVqaE3yTIYaMoNt0y0A0X2MUVd7EGbAGUk2JdloWJv5LTPVZMzCuK4w==
   dependencies:
-    "@angular-devkit/core" "16.2.14"
+    ajv "8.12.0"
+    ajv-formats "2.1.1"
+    jsonc-parser "3.2.0"
+    picomatch "2.3.1"
+    rxjs "7.8.1"
+    source-map "0.7.4"
+
+"@angular-devkit/schematics@16.2.15":
+  version "16.2.15"
+  resolved "https://registry.yarnpkg.com/@angular-devkit/schematics/-/schematics-16.2.15.tgz#cedcb48fdd240db0a779674cf52455a78a4098bb"
+  integrity sha512-C/j2EwapdBMf1HWDuH89bA9B2e511iEYImkyZ+vCSXRwGiWUaZCrhl18bvztpErTrdOLM3mCwNXWEAMXI4zUXA==
+  dependencies:
+    "@angular-devkit/core" "16.2.15"
     jsonc-parser "3.2.0"
     magic-string "0.30.1"
     ora "5.4.1"
@@ -242,15 +262,15 @@
   optionalDependencies:
     parse5 "^7.1.2"
 
-"@angular/cli@^16.2.14":
-  version "16.2.14"
-  resolved "https://registry.yarnpkg.com/@angular/cli/-/cli-16.2.14.tgz#ab58910ae354ee31b89a7479efd5978fd1a3042e"
-  integrity sha512-0y71jtitigVolm4Rim1b8xPQ+B22cGp4Spef2Wunpqj67UowN6tsZaVuWBEQh4u5xauX8LAHKqsvy37ZPWCc4A==
+"@angular/cli@^16.2.15":
+  version "16.2.15"
+  resolved "https://registry.yarnpkg.com/@angular/cli/-/cli-16.2.15.tgz#951d84ef9a7113242b10fe89be1adfa3a94dd6aa"
+  integrity sha512-nNUmt0ZRj2xHH8tGXSJUiusP5rmakAz0f6cc6T4p03OyeShOKdvs9+/F4hzzsM79/ylZofBlFfwYVCBTbOtMqw==
   dependencies:
-    "@angular-devkit/architect" "0.1602.14"
-    "@angular-devkit/core" "16.2.14"
-    "@angular-devkit/schematics" "16.2.14"
-    "@schematics/angular" "16.2.14"
+    "@angular-devkit/architect" "0.1602.15"
+    "@angular-devkit/core" "16.2.15"
+    "@angular-devkit/schematics" "16.2.15"
+    "@schematics/angular" "16.2.15"
     "@yarnpkg/lockfile" "1.1.0"
     ansi-colors "4.1.3"
     ini "4.1.1"
@@ -318,10 +338,10 @@
   dependencies:
     tslib "^2.3.0"
 
-"@angular/language-service@^18.2.2":
-  version "18.2.2"
-  resolved "https://registry.yarnpkg.com/@angular/language-service/-/language-service-18.2.2.tgz#8a6b3f224871cb4b1dd5d76a43a1c3884d14aa62"
-  integrity sha512-aROQNQeLf+o+F5OVvE/9BUe/Tpv8pjzmrZlogBbic5cb4IqSNhR4RjxbgIyXBO/6bhLCZwqfmMqRbW2J2xqMkg==
+"@angular/language-service@^18.2.4":
+  version "18.2.4"
+  resolved "https://registry.yarnpkg.com/@angular/language-service/-/language-service-18.2.4.tgz#c449a75bc405bf519fc90f7a9269a98e2a1f7758"
+  integrity sha512-Keg6n8u8xHLhRDTmx4hUqh1AtVFUt8hDxPMYSUu64czjOT5Dnh8XsgKagu563NEjxbDaCzttPuO+y3DlcaDZoQ==
 
 "@angular/material-moment-adapter@^16.2.4":
   version "16.2.14"
@@ -1462,47 +1482,47 @@
     "@babel/helper-validator-identifier" "^7.24.7"
     to-fast-properties "^2.0.0"
 
-"@bufbuild/buf-darwin-arm64@1.39.0":
-  version "1.39.0"
-  resolved "https://registry.yarnpkg.com/@bufbuild/buf-darwin-arm64/-/buf-darwin-arm64-1.39.0.tgz#0ab8453dc7fc7694e5bd39c69d934edc51b81c81"
-  integrity sha512-Ptl0uAGssLxQTzoZhGwv1FFTbzUfcstIpEwMhN+XrwiuqsSxOg9eq/n3yXoci5VJsHokjDUHnWkR3y+j5P/5KA==
+"@bufbuild/buf-darwin-arm64@1.41.0":
+  version "1.41.0"
+  resolved "https://registry.yarnpkg.com/@bufbuild/buf-darwin-arm64/-/buf-darwin-arm64-1.41.0.tgz#a6aee96452f5a624eb7e5b0336833fdd7a3a7911"
+  integrity sha512-+G5DwpIgnm0AkqgxORxoYXVT0RGDcw8P4SXFXcovgvDBkk9rPvEI1dbPF83n3SUxzcu2A2OxC7DxlXszWIh2Gw==
 
-"@bufbuild/buf-darwin-x64@1.39.0":
-  version "1.39.0"
-  resolved "https://registry.yarnpkg.com/@bufbuild/buf-darwin-x64/-/buf-darwin-x64-1.39.0.tgz#9c9a211c8039b8cb89b45bf44f338edf82d5e506"
-  integrity sha512-XNCuy9sjQwVJ4NIZqxaTIyzUtlyquSkp/Uuoh5W5thJ3nzZ5RSgvXKF5iXHhZmesrfRGApktwoCx5Am8runsfQ==
+"@bufbuild/buf-darwin-x64@1.41.0":
+  version "1.41.0"
+  resolved "https://registry.yarnpkg.com/@bufbuild/buf-darwin-x64/-/buf-darwin-x64-1.41.0.tgz#aac6a6b86f6d1f30c86f70e918d212e067e5257f"
+  integrity sha512-qjkJ/LAWqNk3HX65n+JTt18WtKrhrrAhIu3Dpfbe0eujsxafFZKoPzlWJYybxvsaF9CdEyMMm/OalBPpoosMOA==
 
-"@bufbuild/buf-linux-aarch64@1.39.0":
-  version "1.39.0"
-  resolved "https://registry.yarnpkg.com/@bufbuild/buf-linux-aarch64/-/buf-linux-aarch64-1.39.0.tgz#9778732efbdbbfe02ec821017cc2392ce4a0153f"
-  integrity sha512-Am+hrw94awp/eY027ROXwRQBuwAzOpQ/4zI4dgmgsyhzeWZ8w1LWC8z2SSr8T2cqd0cm52KxtoWMW+B3b2qzbw==
+"@bufbuild/buf-linux-aarch64@1.41.0":
+  version "1.41.0"
+  resolved "https://registry.yarnpkg.com/@bufbuild/buf-linux-aarch64/-/buf-linux-aarch64-1.41.0.tgz#8ac97e7a19cf0c0957ca1b3e690d8c039b0b3468"
+  integrity sha512-5E+MLAF4QHPwAjwVVRRP3Is2U3zpIpQQR7S3di9HlKACbgvefJEBrUfRqQZvHrMuuynQRqjFuZD16Sfvxn9rCQ==
 
-"@bufbuild/buf-linux-x64@1.39.0":
-  version "1.39.0"
-  resolved "https://registry.yarnpkg.com/@bufbuild/buf-linux-x64/-/buf-linux-x64-1.39.0.tgz#d7ca62c4f506c60011f5a97ca2e8683aa26693b0"
-  integrity sha512-JXVkHoMrTvmpseqdoQPJJ6MRV7/vlloYtvXHHACEzVytYjljOYCNoVET/E5gLBco/edeXFMNc40cCi1KgL3rSw==
+"@bufbuild/buf-linux-x64@1.41.0":
+  version "1.41.0"
+  resolved "https://registry.yarnpkg.com/@bufbuild/buf-linux-x64/-/buf-linux-x64-1.41.0.tgz#8a272846929215affccb9c271f02948e10f8d4a9"
+  integrity sha512-W4T+uqmdtypzzatv6OXjUzGacZiNzGECogr+qDkJF38MSZd3jHXhTEN2KhRckl3i9rRAnfHBwG68BjCTxxBCOQ==
 
-"@bufbuild/buf-win32-arm64@1.39.0":
-  version "1.39.0"
-  resolved "https://registry.yarnpkg.com/@bufbuild/buf-win32-arm64/-/buf-win32-arm64-1.39.0.tgz#efdaf1eca30445f04124c6d829a46a676e6b1dc3"
-  integrity sha512-akdGW02mo04wbLfjNMBQqxC4mPQ/L/vTU8/o79I67GSxyFYt7bKifvYIYhAA39C2gibHyB7ZLmoeRPbaU8wbYA==
+"@bufbuild/buf-win32-arm64@1.41.0":
+  version "1.41.0"
+  resolved "https://registry.yarnpkg.com/@bufbuild/buf-win32-arm64/-/buf-win32-arm64-1.41.0.tgz#e26b67b2da15e284326c3d3c38255b443e201e0b"
+  integrity sha512-OsRVoTZHJZYGIphAwaRqcCeYR9Sk5VEMjpCJiFt/dkHxx2acKH4u/7O+633gcCxQL8EnsU2l8AfdbW7sQaOvlg==
 
-"@bufbuild/buf-win32-x64@1.39.0":
-  version "1.39.0"
-  resolved "https://registry.yarnpkg.com/@bufbuild/buf-win32-x64/-/buf-win32-x64-1.39.0.tgz#09f2b0290818d826847689d6149f8fb0def4ac4b"
-  integrity sha512-jos08UMg9iUZsGjPrNpLXP+FNk6q6GizO+bjee/GcI0kSijIzXYMg14goQr0TKlvqs/+IRAM5vZIokQBYlAENQ==
+"@bufbuild/buf-win32-x64@1.41.0":
+  version "1.41.0"
+  resolved "https://registry.yarnpkg.com/@bufbuild/buf-win32-x64/-/buf-win32-x64-1.41.0.tgz#b2ff4e9cdb9f73baaad216d35c91c733c4c4b661"
+  integrity sha512-2KJLp7Py0GsfRjDxwBzS17RMpaYFGCvzkwY5CtxfPMw8cg6cE7E36r+vcjHh5dBOj/CumaiXLTwxhCSBtp0V1g==
 
-"@bufbuild/buf@^1.39.0":
-  version "1.39.0"
-  resolved "https://registry.yarnpkg.com/@bufbuild/buf/-/buf-1.39.0.tgz#65884f55d072b93122959c92b389c1d7d8ab510b"
-  integrity sha512-lm7xb9pc7X04rRjCQ69o9byAAZ7/dsUQGoH+iJ9uBSXQWiwQ1Ts8gneBnuUVsAH2vdW73NFBpmNQGE9XtFauVQ==
+"@bufbuild/buf@^1.41.0":
+  version "1.41.0"
+  resolved "https://registry.yarnpkg.com/@bufbuild/buf/-/buf-1.41.0.tgz#76077338696009c2f34e7ca1c76baf89a04079f5"
+  integrity sha512-6pN2fqMrPqnIkrC1q9KpXpu7fv3Rul0ZPhT4MSYYj+8VcyR3kbLVk6K+CzzPvYhr4itfotnI3ZVGQ/X/vupECg==
   optionalDependencies:
-    "@bufbuild/buf-darwin-arm64" "1.39.0"
-    "@bufbuild/buf-darwin-x64" "1.39.0"
-    "@bufbuild/buf-linux-aarch64" "1.39.0"
-    "@bufbuild/buf-linux-x64" "1.39.0"
-    "@bufbuild/buf-win32-arm64" "1.39.0"
-    "@bufbuild/buf-win32-x64" "1.39.0"
+    "@bufbuild/buf-darwin-arm64" "1.41.0"
+    "@bufbuild/buf-darwin-x64" "1.41.0"
+    "@bufbuild/buf-linux-aarch64" "1.41.0"
+    "@bufbuild/buf-linux-x64" "1.41.0"
+    "@bufbuild/buf-win32-arm64" "1.41.0"
+    "@bufbuild/buf-win32-x64" "1.41.0"
 
 "@colors/colors@1.5.0":
   version "1.5.0"
@@ -1810,10 +1830,10 @@
   resolved "https://registry.yarnpkg.com/@gar/promisify/-/promisify-1.1.3.tgz#555193ab2e3bb3b6adc3d551c9c030d9e860daf6"
   integrity sha512-k2Ty1JcVojjJFwrg/ThKi2ujJ7XNLYaFGNB/bWT9wGR+oSMJHMa5w+CUq6p/pVrKeNNgA7pCqEcjSnHVoqJQFw==
 
-"@grpc/grpc-js@^1.11.1":
-  version "1.11.1"
-  resolved "https://registry.yarnpkg.com/@grpc/grpc-js/-/grpc-js-1.11.1.tgz#a92f33e98f1959feffcd1b25a33b113d2c977b70"
-  integrity sha512-gyt/WayZrVPH2w/UTLansS7F9Nwld472JxxaETamrM8HNlsa+jSLNyKAZmhxI2Me4c3mQHFiS1wWHDY1g1Kthw==
+"@grpc/grpc-js@^1.11.2":
+  version "1.11.2"
+  resolved "https://registry.yarnpkg.com/@grpc/grpc-js/-/grpc-js-1.11.2.tgz#541a00303e533b5efe9d84ed61b84cdf9dd93ee7"
+  integrity sha512-DWp92gDD7/Qkj7r8kus6/HCINeo3yPZWZ3paKgDgsbKbSpoxKg1yvN8xe2Q8uE3zOsPe3bX8FQX2+XValq2yTw==
   dependencies:
     "@grpc/proto-loader" "^0.7.13"
     "@js-sdsl/ordered-map" "^4.4.2"
@@ -2884,13 +2904,13 @@
   resolved "https://registry.yarnpkg.com/@protobufjs/utf8/-/utf8-1.1.0.tgz#a777360b5b39a1a2e5106f8e858f2fd2d060c570"
   integrity sha512-Vvn3zZrhQZkkBE8LSuW3em98c0FwgO4nxzv6OdSxPKJIEKY2bGbHn+mhGIPerzI4twdxaP8/0+06HBpwf345Lw==
 
-"@schematics/angular@16.2.14":
-  version "16.2.14"
-  resolved "https://registry.yarnpkg.com/@schematics/angular/-/angular-16.2.14.tgz#3aac7e05b6e3919195275cf06ac403d7a3567876"
-  integrity sha512-YqIv727l9Qze8/OL6H9mBHc2jVXzAGRNBYnxYWqWhLbfvuVbbldo6NNIIjgv6lrl2LJSdPAAMNOD5m/f6210ug==
+"@schematics/angular@16.2.15":
+  version "16.2.15"
+  resolved "https://registry.yarnpkg.com/@schematics/angular/-/angular-16.2.15.tgz#f3b810842959808f0d65ce816f4f0c1a7463c176"
+  integrity sha512-T7wEGYxidpLAkis+hO5nsVfnWsy6sXf1T9GS8uztC8IYYsnqB9jTVfjVyfhASugZasdmx7+jWv3oCGy6Z5ZehA==
   dependencies:
-    "@angular-devkit/core" "16.2.14"
-    "@angular-devkit/schematics" "16.2.14"
+    "@angular-devkit/core" "16.2.15"
+    "@angular-devkit/schematics" "16.2.15"
     jsonc-parser "3.2.0"
 
 "@sigstore/bundle@^1.1.0":
@@ -3098,10 +3118,10 @@
   dependencies:
     "@types/node" "*"
 
-"@types/node@*", "@types/node@>=10.0.0", "@types/node@>=13.7.0", "@types/node@^22.5.2":
-  version "22.5.2"
-  resolved "https://registry.yarnpkg.com/@types/node/-/node-22.5.2.tgz#e42344429702e69e28c839a7e16a8262a8086793"
-  integrity sha512-acJsPTEqYqulZS/Yp/S3GgeE6GZ0qYODUR8aVr/DkhHQ8l9nd4j5x1/ZJy9/gHrRlFMqkO6i0I3E27Alu4jjPg==
+"@types/node@*", "@types/node@>=10.0.0", "@types/node@>=13.7.0", "@types/node@^22.5.5":
+  version "22.5.5"
+  resolved "https://registry.yarnpkg.com/@types/node/-/node-22.5.5.tgz#52f939dd0f65fc552a4ad0b392f3c466cc5d7a44"
+  integrity sha512-Xjs4y5UPO/CLdzpgR6GirZJx36yScjh73+2NlLlkFRSoQN8B0DpfXPdZGnvVmLRLOsqDpOfTNv7D9trgGhmOIA==
   dependencies:
     undici-types "~6.19.2"
 
@@ -3978,7 +3998,25 @@ blocking-proxy@^1.0.0:
   dependencies:
     minimist "^1.2.0"
 
-body-parser@1.20.2, body-parser@^1.19.0:
+body-parser@1.20.3:
+  version "1.20.3"
+  resolved "https://registry.yarnpkg.com/body-parser/-/body-parser-1.20.3.tgz#1953431221c6fb5cd63c4b36d53fab0928e548c6"
+  integrity sha512-7rAxByjUMqQ3/bHJy7D6OGXvx/MMc4IqBn/X0fcM1QUcAItpZrBEYhWGem+tzXH90c+G01ypMcYJBO9Y30203g==
+  dependencies:
+    bytes "3.1.2"
+    content-type "~1.0.5"
+    debug "2.6.9"
+    depd "2.0.0"
+    destroy "1.2.0"
+    http-errors "2.0.0"
+    iconv-lite "0.4.24"
+    on-finished "2.4.1"
+    qs "6.13.0"
+    raw-body "2.5.2"
+    type-is "~1.6.18"
+    unpipe "1.0.0"
+
+body-parser@^1.19.0:
   version "1.20.2"
   resolved "https://registry.yarnpkg.com/body-parser/-/body-parser-1.20.2.tgz#6feb0e21c4724d06de7ff38da36dad4f57a747fd"
   integrity sha512-ml9pReCu3M61kGlqoTm2umSXTlRTuGTx0bfYj+uIUKKYycG5NtSbeetV3faSU6R7ajOPw0g/J1PvK4qNy7s5bA==
@@ -4902,6 +4940,11 @@ encodeurl@~1.0.2:
   resolved "https://registry.yarnpkg.com/encodeurl/-/encodeurl-1.0.2.tgz#ad3ff4c86ec2d029322f5a02c3a9a606c95b3f59"
   integrity sha512-TPJXq8JqFaVYm2CWmPvnP2Iyo4ZSM7/QKcSmuMLDObfpH5fi7RUGmd/rTDf+rut/saiDiQEeVTNgAmJEdAOx0w==
 
+encodeurl@~2.0.0:
+  version "2.0.0"
+  resolved "https://registry.yarnpkg.com/encodeurl/-/encodeurl-2.0.0.tgz#7b8ea898077d7e409d3ac45474ea38eaf0857a58"
+  integrity sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg==
+
 encoding@^0.1.13:
   version "0.1.13"
   resolved "https://registry.yarnpkg.com/encoding/-/encoding-0.1.13.tgz#56574afdd791f54a8e9b2785c0582a2d26210fa9"
@@ -5276,36 +5319,36 @@ exponential-backoff@^3.1.1:
   integrity sha512-dX7e/LHVJ6W3DE1MHWi9S1EYzDESENfLrYohG2G++ovZrYOkm4Knwa0mc1cn84xJOR4KEU0WSchhLbd0UklbHw==
 
 express@^4.17.3:
-  version "4.19.2"
-  resolved "https://registry.yarnpkg.com/express/-/express-4.19.2.tgz#e25437827a3aa7f2a827bc8171bbbb664a356465"
-  integrity sha512-5T6nhjsT+EOMzuck8JjBHARTHfMht0POzlA60WV2pMD3gyXw2LZnZ+ueGdNxG+0calOJcWKbpFcuzLZ91YWq9Q==
+  version "4.20.0"
+  resolved "https://registry.yarnpkg.com/express/-/express-4.20.0.tgz#f1d08e591fcec770c07be4767af8eb9bcfd67c48"
+  integrity sha512-pLdae7I6QqShF5PnNTCVn4hI91Dx0Grkn2+IAsMTgMIKuQVte2dN9PeGSSAME2FR8anOhVA62QDIUaWVfEXVLw==
   dependencies:
     accepts "~1.3.8"
     array-flatten "1.1.1"
-    body-parser "1.20.2"
+    body-parser "1.20.3"
     content-disposition "0.5.4"
     content-type "~1.0.4"
     cookie "0.6.0"
     cookie-signature "1.0.6"
     debug "2.6.9"
     depd "2.0.0"
-    encodeurl "~1.0.2"
+    encodeurl "~2.0.0"
     escape-html "~1.0.3"
     etag "~1.8.1"
     finalhandler "1.2.0"
     fresh "0.5.2"
     http-errors "2.0.0"
-    merge-descriptors "1.0.1"
+    merge-descriptors "1.0.3"
     methods "~1.1.2"
     on-finished "2.4.1"
     parseurl "~1.3.3"
-    path-to-regexp "0.1.7"
+    path-to-regexp "0.1.10"
     proxy-addr "~2.0.7"
     qs "6.11.0"
     range-parser "~1.2.1"
     safe-buffer "5.2.1"
-    send "0.18.0"
-    serve-static "1.15.0"
+    send "0.19.0"
+    serve-static "1.16.0"
     setprototypeof "1.2.0"
     statuses "2.0.1"
     type-is "~1.6.18"
@@ -6482,10 +6525,10 @@ jasmine-core@~2.8.0:
   resolved "https://registry.yarnpkg.com/jasmine-core/-/jasmine-core-2.8.0.tgz#bcc979ae1f9fd05701e45e52e65d3a5d63f1a24e"
   integrity sha512-SNkOkS+/jMZvLhuSx1fjhcNWUC/KG6oVyFUGkSBEr9n1axSNduWU8GlI7suaHXr4yxjet6KjrUZxUTE5WzzWwQ==
 
-jasmine-core@~5.2.0:
-  version "5.2.0"
-  resolved "https://registry.yarnpkg.com/jasmine-core/-/jasmine-core-5.2.0.tgz#7d0aa4c26cb3dbaed201d0505489baf1e48faeca"
-  integrity sha512-tSAtdrvWybZkQmmaIoDgnvHG8ORUNw5kEVlO5CvrXj02Jjr9TZrmjFq7FUiOUzJiOP2wLGYT6PgrQgQF4R1xiw==
+jasmine-core@~5.3.0:
+  version "5.3.0"
+  resolved "https://registry.yarnpkg.com/jasmine-core/-/jasmine-core-5.3.0.tgz#ed784e5a10af43988d8408bad80b9f08e240a3f8"
+  integrity sha512-zsOmeBKESky4toybvWEikRiZ0jHoBEu79wNArLfMdSnlLMZx3Xcp6CSm2sUcYyoJC+Uyj8LBJap/MUbVSfJ27g==
 
 jasmine-spec-reporter@~7.0.0:
   version "7.0.0"
@@ -6810,10 +6853,10 @@ levn@^0.4.1:
     prelude-ls "^1.2.1"
     type-check "~0.4.0"
 
-libphonenumber-js@^1.11.4:
-  version "1.11.5"
-  resolved "https://registry.yarnpkg.com/libphonenumber-js/-/libphonenumber-js-1.11.5.tgz#50a441da5ff9ed9a322d796a14f1e9cbc0fdabdf"
-  integrity sha512-TwHR5BZxGRODtAfz03szucAkjT5OArXr+94SMtAM2pYXIlQNVMrxvb6uSCbnaJJV6QXEyICk7+l6QPgn72WHhg==
+libphonenumber-js@^1.11.8:
+  version "1.11.8"
+  resolved "https://registry.yarnpkg.com/libphonenumber-js/-/libphonenumber-js-1.11.8.tgz#697fdd36500a97bc672d7927d867edf34b4bd2a7"
+  integrity sha512-0fv/YKpJBAgXKy0kaS3fnqoUVN8901vUYAKIGD/MWZaDfhJt1nZjPL3ZzdZBt/G8G8Hw2J1xOIrXWdNHFHPAvg==
 
 license-webpack-plugin@4.0.2:
   version "4.0.2"
@@ -7034,10 +7077,10 @@ memfs@^3.4.12, memfs@^3.4.3:
   dependencies:
     fs-monkey "^1.0.4"
 
-merge-descriptors@1.0.1:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/merge-descriptors/-/merge-descriptors-1.0.1.tgz#b00aaa556dd8b44568150ec9d1b953f3f90cbb61"
-  integrity sha512-cCi6g3/Zr1iqQi6ySbseM1Xvooa98N0w31jzUYrXPX2xqObmFGHJ0tQ5u74H3mVh7wLouTseZyYIq39g8cNp1w==
+merge-descriptors@1.0.3:
+  version "1.0.3"
+  resolved "https://registry.yarnpkg.com/merge-descriptors/-/merge-descriptors-1.0.3.tgz#d80319a65f3c7935351e5cfdac8f9318504dbed5"
+  integrity sha512-gaNvAS7TZ897/rVaZ0nMtAyxNyi/pdbjbAwUpFQpN70GqnVfOiXpeUUMKRBmzXaSQ8DdTX4/0ms62r2K+hE6mQ==
 
 merge-stream@^2.0.0:
   version "2.0.0"
@@ -7855,10 +7898,10 @@ path-scurry@^1.11.1:
     lru-cache "^10.2.0"
     minipass "^5.0.0 || ^6.0.2 || ^7.0.0"
 
-path-to-regexp@0.1.7:
-  version "0.1.7"
-  resolved "https://registry.yarnpkg.com/path-to-regexp/-/path-to-regexp-0.1.7.tgz#df604178005f522f15eb4490e7247a1bfaa67f8c"
-  integrity sha512-5DFkuoqlv1uYQKxy8omFBeJPQcdoE07Kv2sferDCrAq1ohOU+MSDswDIbnx3YAM60qIOnYa53wBhXW0EbMonrQ==
+path-to-regexp@0.1.10:
+  version "0.1.10"
+  resolved "https://registry.yarnpkg.com/path-to-regexp/-/path-to-regexp-0.1.10.tgz#67e9108c5c0551b9e5326064387de4763c4d5f8b"
+  integrity sha512-7lf7qcQidTku0Gu3YDPc8DJ1q7OOucfa/BSsIwjuh56VU7katFvuM8hULfkwB3Fns/rsVF7PwPKVw1sl5KQS9w==
 
 path-type@^4.0.0:
   version "4.0.0"
@@ -8145,6 +8188,13 @@ qs@6.11.0:
   dependencies:
     side-channel "^1.0.4"
 
+qs@6.13.0:
+  version "6.13.0"
+  resolved "https://registry.yarnpkg.com/qs/-/qs-6.13.0.tgz#6ca3bd58439f7e245655798997787b0d88a51906"
+  integrity sha512-+38qI9SOr8tfZ4QmJNplMUxqjbe7LKvvZgWdExBOmd+egZTtjLB67Gu0HRX3u/XOq7UU2Nx6nsjvS16Z9uwfpg==
+  dependencies:
+    side-channel "^1.0.6"
+
 qs@~6.5.2:
   version "6.5.3"
   resolved "https://registry.yarnpkg.com/qs/-/qs-6.5.3.tgz#3aeeffc91967ef6e35c0e488ef46fb296ab76aad"
@@ -8618,6 +8668,25 @@ send@0.18.0:
     range-parser "~1.2.1"
     statuses "2.0.1"
 
+send@0.19.0:
+  version "0.19.0"
+  resolved "https://registry.yarnpkg.com/send/-/send-0.19.0.tgz#bbc5a388c8ea6c048967049dbeac0e4a3f09d7f8"
+  integrity sha512-dW41u5VfLXu8SJh5bwRmyYUbAoSB3c9uQh6L8h/KtsFREPWpbX1lrljJo186Jc4nmci/sGUZ9a0a0J2zgfq2hw==
+  dependencies:
+    debug "2.6.9"
+    depd "2.0.0"
+    destroy "1.2.0"
+    encodeurl "~1.0.2"
+    escape-html "~1.0.3"
+    etag "~1.8.1"
+    fresh "0.5.2"
+    http-errors "2.0.0"
+    mime "1.6.0"
+    ms "2.1.3"
+    on-finished "2.4.1"
+    range-parser "~1.2.1"
+    statuses "2.0.1"
+
 serialize-javascript@^6.0.0, serialize-javascript@^6.0.1:
   version "6.0.2"
   resolved "https://registry.yarnpkg.com/serialize-javascript/-/serialize-javascript-6.0.2.tgz#defa1e055c83bf6d59ea805d8da862254eb6a6c2"
@@ -8638,10 +8707,10 @@ serve-index@^1.9.1:
     mime-types "~2.1.17"
     parseurl "~1.3.2"
 
-serve-static@1.15.0:
-  version "1.15.0"
-  resolved "https://registry.yarnpkg.com/serve-static/-/serve-static-1.15.0.tgz#faaef08cffe0a1a62f60cad0c4e513cff0ac9540"
-  integrity sha512-XGuRDNjXUijsUL0vl6nSD7cwURuzEgglbOaFuZM9g3kwDXOWVTck0jLzjPzGD+TazWbboZYu52/9/XPdUgne9g==
+serve-static@1.16.0:
+  version "1.16.0"
+  resolved "https://registry.yarnpkg.com/serve-static/-/serve-static-1.16.0.tgz#2bf4ed49f8af311b519c46f272bf6ac3baf38a92"
+  integrity sha512-pDLK8zwl2eKaYrs8mrPZBJua4hMplRWJ1tIFksVC3FtBEBnl8dxgeHtsaMS8DhS9i4fLObaon6ABoc4/hQGdPA==
   dependencies:
     encodeurl "~1.0.2"
     escape-html "~1.0.3"
@@ -8704,7 +8773,7 @@ shell-quote@^1.8.1:
   resolved "https://registry.yarnpkg.com/shell-quote/-/shell-quote-1.8.1.tgz#6dbf4db75515ad5bac63b4f1894c3a154c766680"
   integrity sha512-6j1W9l1iAs/4xYBI1SYOVZyFcCis9b4KCLQ8fgAGG07QvzaRLVVRQvAy85yNmmZSjYjg4MWh4gNvlPujU/5LpA==
 
-side-channel@^1.0.4:
+side-channel@^1.0.4, side-channel@^1.0.6:
   version "1.0.6"
   resolved "https://registry.yarnpkg.com/side-channel/-/side-channel-1.0.6.tgz#abd25fb7cd24baf45466406b1096b7831c9215f2"
   integrity sha512-fDW/EZ6Q9RiO8eFG8Hj+7u/oW+XrPTIChwCOM2+th2A6OblDtYYIpve9m+KvI9Z4C9qSEXlaGR6bTEYHReuglA==
@@ -8956,7 +9025,16 @@ streamroller@^3.1.5:
     debug "^4.3.4"
     fs-extra "^8.1.0"
 
-"string-width-cjs@npm:string-width@^4.2.0", "string-width@^1.0.2 || 2 || 3 || 4", string-width@^4.1.0, string-width@^4.2.0, string-width@^4.2.3:
+"string-width-cjs@npm:string-width@^4.2.0":
+  version "4.2.3"
+  resolved "https://registry.yarnpkg.com/string-width/-/string-width-4.2.3.tgz#269c7117d27b05ad2e536830a8ec895ef9c6d010"
+  integrity sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==
+  dependencies:
+    emoji-regex "^8.0.0"
+    is-fullwidth-code-point "^3.0.0"
+    strip-ansi "^6.0.1"
+
+"string-width@^1.0.2 || 2 || 3 || 4", string-width@^4.1.0, string-width@^4.2.0, string-width@^4.2.3:
   version "4.2.3"
   resolved "https://registry.yarnpkg.com/string-width/-/string-width-4.2.3.tgz#269c7117d27b05ad2e536830a8ec895ef9c6d010"
   integrity sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==
@@ -8993,7 +9071,7 @@ string_decoder@~1.1.1:
   dependencies:
     safe-buffer "~5.1.0"
 
-"strip-ansi-cjs@npm:strip-ansi@^6.0.1", strip-ansi@^6.0.0, strip-ansi@^6.0.1:
+"strip-ansi-cjs@npm:strip-ansi@^6.0.1":
   version "6.0.1"
   resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-6.0.1.tgz#9e26c63d30f53443e9489495b2105d37b67a85d9"
   integrity sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==
@@ -9007,6 +9085,13 @@ strip-ansi@^3.0.0:
   dependencies:
     ansi-regex "^2.0.0"
 
+strip-ansi@^6.0.0, strip-ansi@^6.0.1:
+  version "6.0.1"
+  resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-6.0.1.tgz#9e26c63d30f53443e9489495b2105d37b67a85d9"
+  integrity sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==
+  dependencies:
+    ansi-regex "^5.0.1"
+
 strip-ansi@^7.0.1:
   version "7.1.0"
   resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-7.1.0.tgz#d5b6568ca689d8561370b0707685d22434faff45"
@@ -9269,10 +9354,10 @@ tslib@^1.10.0, tslib@^1.8.1, tslib@^1.9.0:
   resolved "https://registry.yarnpkg.com/tslib/-/tslib-1.14.1.tgz#cf2d38bdc34a134bcaf1091c41f6619e2f672d00"
   integrity sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg==
 
-tslib@^2.0.0, tslib@^2.0.3, tslib@^2.1.0, tslib@^2.3.0, tslib@^2.4.0, tslib@^2.4.1, tslib@^2.6.2:
-  version "2.6.3"
-  resolved "https://registry.yarnpkg.com/tslib/-/tslib-2.6.3.tgz#0438f810ad7a9edcde7a241c3d80db693c8cbfe0"
-  integrity sha512-xNvxJEOUiWPGhUuUdQgAJPKOOJfGnIyKySOc09XkKsgdUV/3E2zvwZYdejjmRgPCgcym1juLH3226yA7sEFJKQ==
+tslib@^2.0.0, tslib@^2.0.3, tslib@^2.1.0, tslib@^2.3.0, tslib@^2.4.0, tslib@^2.4.1, tslib@^2.7.0:
+  version "2.7.0"
+  resolved "https://registry.yarnpkg.com/tslib/-/tslib-2.7.0.tgz#d9b40c5c40ab59e8738f297df3087bf1a2690c01"
+  integrity sha512-gLXCKdN1/j47AiHiOkJN69hJmcbGTHI0ImLmbYLHykhgeN0jVGola9yVjFgzCUklsZQMW55o+dW7IXv3RCXDzA==
 
 tsutils@^3.21.0:
   version "3.21.0"
@@ -9781,7 +9866,7 @@ word-wrap@^1.2.5:
   resolved "https://registry.yarnpkg.com/word-wrap/-/word-wrap-1.2.5.tgz#d2c45c6dd4fbce621a66f136cbe328afd0410b34"
   integrity sha512-BN22B5eaMMI9UMtjrGd5g5eCYPpCPDUy0FJXbYsaT5zYxjFOckS53SQDE3pWkVoWpHXVb3BrYcEN4Twa55B5cA==
 
-"wrap-ansi-cjs@npm:wrap-ansi@^7.0.0", wrap-ansi@^7.0.0:
+"wrap-ansi-cjs@npm:wrap-ansi@^7.0.0":
   version "7.0.0"
   resolved "https://registry.yarnpkg.com/wrap-ansi/-/wrap-ansi-7.0.0.tgz#67e145cff510a6a6984bdf1152911d69d2eb9e43"
   integrity sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==
@@ -9799,6 +9884,15 @@ wrap-ansi@^6.2.0:
     string-width "^4.1.0"
     strip-ansi "^6.0.0"
 
+wrap-ansi@^7.0.0:
+  version "7.0.0"
+  resolved "https://registry.yarnpkg.com/wrap-ansi/-/wrap-ansi-7.0.0.tgz#67e145cff510a6a6984bdf1152911d69d2eb9e43"
+  integrity sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==
+  dependencies:
+    ansi-styles "^4.0.0"
+    string-width "^4.1.0"
+    strip-ansi "^6.0.0"
+
 wrap-ansi@^8.1.0:
   version "8.1.0"
   resolved "https://registry.yarnpkg.com/wrap-ansi/-/wrap-ansi-8.1.0.tgz#56dc22368ee570face1b49819975d9b9a5ead214"

From 87ac5ed2541938ac68bb6fc89724a806f121faf9 Mon Sep 17 00:00:00 2001
From: mffap <mpa@zitadel.com>
Date: Wed, 18 Sep 2024 15:38:55 +0200
Subject: [PATCH 08/19] docs: Improve http notification doc (#8642)

# Which Problems Are Solved

The docs contained typos and links that led to 404.
More subejectively the docs did not provide enough guidance for new
users what providers are and how to configure an HTTP provider and then
activate them. Only basic links to the API docs were given without
examples on how to achieve a basic configuration.

# How the Problems Are Solved

References and typos fixed and reworked the guide.

# Additional Changes

Added code highlighting for json and bash.

# Additional Context

We could further improve by adding more help on this page on how to
configure SMS and SMTP providers.
---
 .../customize/notification-providers.mdx      | 166 ++++++++++++++++++
 .../guides/manage/customize/notifications.md  |  74 --------
 docs/docusaurus.config.js                     |   2 +-
 docs/sidebars.js                              |   9 +-
 4 files changed, 171 insertions(+), 80 deletions(-)
 create mode 100644 docs/docs/guides/manage/customize/notification-providers.mdx
 delete mode 100644 docs/docs/guides/manage/customize/notifications.md

diff --git a/docs/docs/guides/manage/customize/notification-providers.mdx b/docs/docs/guides/manage/customize/notification-providers.mdx
new file mode 100644
index 0000000000..b94ce7542d
--- /dev/null
+++ b/docs/docs/guides/manage/customize/notification-providers.mdx
@@ -0,0 +1,166 @@
+---
+title: SMS, SMTP and HTTP Provider for Notifications
+sidebar_label: Notification Providers
+---
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+ZITADEL can send messages to users via different notification providers, such as SMS, SMTP, or Webhook (HTTP Provider).
+While you can add multiple providers to different channels, messages will only be delivered via the actived provider.
+Message and notification texts can be [customized](./texts) for an instance or for each organization.
+
+## SMS providers
+
+ZITADEL integrates with Twilio as SMS provider.
+
+## SMTP providers
+
+Integration with most SMTP providers is possible through a generic SMTP provider template that allows you to configure custom SMTP providers.
+Additionally, integration templates are available for:
+
+- Amazon SES
+- Mailgun
+- Mailjet
+- Postmark
+- Sendgrid
+
+:::info Default Provider ZITADEL Cloud
+A default SMTP provider is configured for ZITADEL Cloud customers.
+This provider meant for development and testing purposes and you must replace this provider with your custom SMTP provider for production use cases to guarantee security and reliability of your service.
+:::
+
+## Webhook / HTTP provider
+
+Webhook (HTTP Provider) allows you to fully customize the messages and use integrate with any provider or custom solution to deliver the messages to users.
+A provider with HTTP type will send the messages and the data to a pre-defined webhook as JSON.
+
+### Configuring a HTTP provider
+
+<Tabs>
+  <TabItem value="sms" label="SMS" default>
+
+  First [add a new SMS Provider of type HTTP](/apis/resources/admin/admin-service-add-sms-provider-http) to create a new HTTP provider that can be used to send SMS messages:
+
+  ```bash
+  curl -L 'https://$CUSTOM-DOMAIN/admin/v1/sms/http' \
+    -H 'Content-Type: application/json' \
+    -H 'Accept: application/json' \
+    -H 'Authorization: Bearer <TOKEN>' \
+    -d '{
+      "endpoint": "http://relay.example.com/provider",
+      "description": "provider description"
+    }'
+  ```
+
+  Where `endpoint` defines the Webhook endpoint to which the data should be sent to.
+  The result will contain an ID of the provider that we need in the next step.
+
+  You can configure multiple SMS providers at the same time.
+  To use the HTTP provider you need to [activate the SMS provider](/apis/resources/admin/admin-service-activate-sms-provider): 
+
+  ```bash
+  curl -L 'https://$CUSTOM-DOMAIN/admin/v1/sms/:id/_activate' \
+    -H 'Content-Type: application/json' \
+    -H 'Accept: application/json' \
+    -H 'Authorization: Bearer <TOKEN>' \
+    -d '{}'
+  ```
+
+  The `id` is the provider's ID from the previous step.
+
+  See full API reference for [SMS Providers](/apis/resources/admin/sms-provider) for more details.
+
+  </TabItem>
+  <TabItem value="email" label="Email">
+
+    First [add a new Email Provider of type HTTP](/apis/resources/admin/admin-service-add-email-provider-http) to create a new HTTP provider that can be used to send SMS messages:
+
+  ```bash
+  curl -L 'https://$CUSTOM-DOMAIN/admin/v1/email/http' \
+    -H 'Content-Type: application/json' \
+    -H 'Accept: application/json' \
+    -H 'Authorization: Bearer <TOKEN>' \
+    -d '{
+      "endpoint": "http://relay.example.com/provider",
+      "description": "provider description"
+    }'
+  ```
+
+  Where `endpoint` defines the Webhook endpoint to which the data should be sent to.
+  The result will contain an ID of the provider that we need in the next step.
+
+  You can configure multiple Email providers at the same time.
+  To use the HTTP provider you need to [activate the Email provider](/apis/resources/admin/admin-service-activate-email-provider):
+
+  ```bash
+  curl -L 'https://$CUSTOM-DOMAIN/admin/v1/email/:id/_activate' \
+    -H 'Content-Type: application/json' \
+    -H 'Accept: application/json' \
+    -H 'Authorization: Bearer <TOKEN>' \
+    -d '{}'
+  ```
+
+  The `id` is the provider's ID from the previous step.
+
+  See full API reference for [Email Providers](/apis/resources/admin/admin-service-list-email-providers) for more details.
+
+  </TabItem>
+</Tabs>
+
+### HTTP provider payload
+
+In case of the Twilio and Email providers, the messages will be sent as before, in case of the HTTP providers the content of the messages is the same but as a HTTP call.
+
+Here an example of the body of an payload sent via Email HTTP provider:
+
+```json
+{
+  "contextInfo": {
+    "eventType": "user.human.initialization.code.added",
+    "provider": {
+      "id": "285181292935381355",
+      "description": "test"
+    },
+    "recipientEmailAddress": "example@zitadel.com"
+  },
+  "templateData": {
+    "title": "Zitadel - Initialize User",
+    "preHeader": "Initialize User",
+    "subject": "Initialize User",
+    "greeting": "Hello GivenName FamilyName,",
+    "text": "This user was created in Zitadel. Use the username Username to login. Please click the button below to finish the initialization process. (Code 0M53RF) If you didn't ask for this mail, please ignore it.",
+    "url": "http://example.zitadel.com/ui/login/user/init?authRequestID=\u0026code=0M53RF\u0026loginname=Username\u0026orgID=275353657317327214\u0026passwordset=false\u0026userID=285181014567813483",
+    "buttonText": "Finish initialization",
+    "primaryColor": "#5469d4",
+    "backgroundColor": "#fafafa",
+    "fontColor": "#000000",
+    "fontFamily": "-apple-system, BlinkMacSystemFont, Segoe UI, Lato, Arial, Helvetica, sans-serif",
+    "footerText": "InitCode.Footer"
+  },
+  "args": {
+    "changeDate": "2024-09-16T10:58:50.73237+02:00",
+    "code": "0M53RF",
+    "creationDate": "2024-09-16T10:58:50.73237+02:00",
+    "displayName": "GivenName FamilyName",
+    "firstName": "GivenName",
+    "lastEmail": "example@zitadel.com",
+    "lastName": "FamilyName",
+    "lastPhone": "+41791234567",
+    "loginNames": [
+      "Username"
+    ],
+    "nickName": "",
+    "preferredLoginName": "Username",
+    "userName": "Username",
+    "verifiedEmail": "example@zitadel.com",
+    "verifiedPhone": ""
+  }
+}
+```
+
+There are 3 elements to this message:
+
+- `contextInfo`, with information on why this message is sent like the Event, which Email or SMS provider is used and which recipient should receive this message
+- `templateData`, with all texts and format information which can be used with a template to produce the desired message
+- `args`, with the information provided to the user which can be used in the message to customize 
\ No newline at end of file
diff --git a/docs/docs/guides/manage/customize/notifications.md b/docs/docs/guides/manage/customize/notifications.md
deleted file mode 100644
index 6ab69a9335..0000000000
--- a/docs/docs/guides/manage/customize/notifications.md
+++ /dev/null
@@ -1,74 +0,0 @@
----
-title: SMS, SMTP and HTTP Provider for Notifications 
----
-
-All Notifications send as SMS and Email are customizable as that you can define your own providers, 
-which then send the notifications out. These providers can also be defined as an HTTP type, 
-and the text and content, which is used to send the SMS's and Emails will get send to a Webhook as JSON.
-
-With this everything can be customized or even custom logic can be implemented to use a not yet supported provider by ZITADEL.
-
-## How it works
-
-There is a default provider configured in ZITADEL Cloud, both for SMS's and Emails, but this default providers can be changed through the respective API's.
-
-This API's are provided on an instance level:
-- [SMS Providers](/apis/resources/admin/sms-provider)
-- [Email Providers](/apis/resources/admin/email-provider)
-
-To use a non-default provider just add, and then activate. There can only be 1 provider be activated at the same time.
-
-## Resulting messages
-
-In case of the Twilio and SMTP providers, the messages will be sent as before, in case of the HTTP providers the content of the messages is the same but as a HTTP call.
-
-Here an example of the body of an Email sent via HTTP provider:
-```json
-{
-  "contextInfo": {
-    "eventType": "user.human.initialization.code.added",
-    "provider": {
-      "id": "285181292935381355",
-      "description": "test"
-    },
-    "recipientEmailAddress": "example@zitadel.com"
-  },
-  "templateData": {
-    "title": "Zitadel - Initialize User",
-    "preHeader": "Initialize User",
-    "subject": "Initialize User",
-    "greeting": "Hello GivenName FamilyName,",
-    "text": "This user was created in Zitadel. Use the username Username to login. Please click the button below to finish the initialization process. (Code 0M53RF) If you didn't ask for this mail, please ignore it.",
-    "url": "http://example.zitadel.com/ui/login/user/init?authRequestID=\u0026code=0M53RF\u0026loginname=Username\u0026orgID=275353657317327214\u0026passwordset=false\u0026userID=285181014567813483",
-    "buttonText": "Finish initialization",
-    "primaryColor": "#5469d4",
-    "backgroundColor": "#fafafa",
-    "fontColor": "#000000",
-    "fontFamily": "-apple-system, BlinkMacSystemFont, Segoe UI, Lato, Arial, Helvetica, sans-serif",
-    "footerText": "InitCode.Footer"
-  },
-  "args": {
-    "changeDate": "2024-09-16T10:58:50.73237+02:00",
-    "code": "0M53RF",
-    "creationDate": "2024-09-16T10:58:50.73237+02:00",
-    "displayName": "GivenName FamilyName",
-    "firstName": "GivenName",
-    "lastEmail": "example@zitadel.com",
-    "lastName": "FamilyName",
-    "lastPhone": "+41791234567",
-    "loginNames": [
-      "Username"
-    ],
-    "nickName": "",
-    "preferredLoginName": "Username",
-    "userName": "Username",
-    "verifiedEmail": "example@zitadel.com",
-    "verifiedPhone": ""
-  }
-}
-```
-
-There are 3 elements to this message:
-- contextInfo, with information on why this message is sent like the Event, which Email or SMS provider is used and which recipient should receive this message
-- templateData, with all texts and format information which can be used with a template to produce the desired message
-- args, with the information provided to the user which can be used in the message to customize 
diff --git a/docs/docusaurus.config.js b/docs/docusaurus.config.js
index 0318ad074a..c0c7d5a45c 100644
--- a/docs/docusaurus.config.js
+++ b/docs/docusaurus.config.js
@@ -187,7 +187,7 @@ module.exports = {
       selector: "div#",
     },
     prism: {
-      additionalLanguages: ["csharp", "dart", "groovy", "regex", "java", "php", "python", "protobuf"],
+      additionalLanguages: ["csharp", "dart", "groovy", "regex", "java", "php", "python", "protobuf", "json", "bash"],
     },
     colorMode: {
       defaultMode: "dark",
diff --git a/docs/sidebars.js b/docs/sidebars.js
index 4d8ec9f48d..1e26ec6074 100644
--- a/docs/sidebars.js
+++ b/docs/sidebars.js
@@ -154,11 +154,10 @@ module.exports = {
           type: "category",
           label: "Customize",
           items: [
-            "guides/manage/customize/branding",
-            "guides/manage/customize/texts",
-            "guides/manage/customize/behavior",
-            "guides/manage/customize/restrictions",
-            "guides/manage/customize/notifications",
+            {
+              type: "autogenerated",
+              dirName: "guides/manage/customize",
+            },
           ],
         },
         {

From ebef53629a395fc1bfbf1ee7bd2f03f0678a6c2c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 18 Sep 2024 14:17:29 +0000
Subject: [PATCH 09/19] chore(deps): bump body-parser from 1.20.2 to 1.20.3 in
 /console (#8640)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bumps [body-parser](https://github.com/expressjs/body-parser) from
1.20.2 to 1.20.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/expressjs/body-parser/releases">body-parser's
releases</a>.</em></p>
<blockquote>
<h2>1.20.3</h2>
<h2>What's Changed</h2>
<h3>Important</h3>
<ul>
<li>deps: qs@6.13.0</li>
<li>add <code>depth</code> option to customize the depth level in the
parser</li>
<li><strong>IMPORTANT:</strong> The default <code>depth</code> level for
parsing URL-encoded data is now <code>32</code> (previously was
<code>Infinity</code>). <a
href="https://github.com/expressjs/body-parser/blob/17529513673e39ba79886a7ce3363320cf1c0c50/README.md#depth">Documentation</a></li>
</ul>
<h3>Other changes</h3>
<ul>
<li>chore: add support for OSSF scorecard reporting by <a
href="https://github.com/inigomarquinez"><code>@​inigomarquinez</code></a>
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/522">expressjs/body-parser#522</a></li>
<li>ci: fix errors in ci github action for node 8 and 9 by <a
href="https://github.com/inigomarquinez"><code>@​inigomarquinez</code></a>
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/523">expressjs/body-parser#523</a></li>
<li>fix: pin to node@22.4.1 by <a
href="https://github.com/wesleytodd"><code>@​wesleytodd</code></a> in <a
href="https://redirect.github.com/expressjs/body-parser/pull/527">expressjs/body-parser#527</a></li>
<li>deps: qs@6.12.3 by <a
href="https://github.com/melikhov-dev"><code>@​melikhov-dev</code></a>
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/521">expressjs/body-parser#521</a></li>
<li>Add OSSF Scorecard badge by <a
href="https://github.com/bjohansebas"><code>@​bjohansebas</code></a> in
<a
href="https://redirect.github.com/expressjs/body-parser/pull/531">expressjs/body-parser#531</a></li>
<li>Linter by <a
href="https://github.com/UlisesGascon"><code>@​UlisesGascon</code></a>
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/534">expressjs/body-parser#534</a></li>
<li>Release: 1.20.3 by <a
href="https://github.com/UlisesGascon"><code>@​UlisesGascon</code></a>
in <a
href="https://redirect.github.com/expressjs/body-parser/pull/535">expressjs/body-parser#535</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/inigomarquinez"><code>@​inigomarquinez</code></a>
made their first contribution in <a
href="https://redirect.github.com/expressjs/body-parser/pull/522">expressjs/body-parser#522</a></li>
<li><a
href="https://github.com/melikhov-dev"><code>@​melikhov-dev</code></a>
made their first contribution in <a
href="https://redirect.github.com/expressjs/body-parser/pull/521">expressjs/body-parser#521</a></li>
<li><a
href="https://github.com/bjohansebas"><code>@​bjohansebas</code></a>
made their first contribution in <a
href="https://redirect.github.com/expressjs/body-parser/pull/531">expressjs/body-parser#531</a></li>
<li><a
href="https://github.com/UlisesGascon"><code>@​UlisesGascon</code></a>
made their first contribution in <a
href="https://redirect.github.com/expressjs/body-parser/pull/534">expressjs/body-parser#534</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/expressjs/body-parser/compare/1.20.2...1.20.3">https://github.com/expressjs/body-parser/compare/1.20.2...1.20.3</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/expressjs/body-parser/blob/master/HISTORY.md">body-parser's
changelog</a>.</em></p>
<blockquote>
<h1>1.20.3 / 2024-09-10</h1>
<ul>
<li>deps: qs@6.13.0</li>
<li>add <code>depth</code> option to customize the depth level in the
parser</li>
<li>IMPORTANT: The default <code>depth</code> level for parsing
URL-encoded data is now <code>32</code> (previously was
<code>Infinity</code>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/expressjs/body-parser/commit/17529513673e39ba79886a7ce3363320cf1c0c50"><code>1752951</code></a>
1.20.3</li>
<li><a
href="https://github.com/expressjs/body-parser/commit/39744cfe2ac4fb37a19ed7c43e3a74332f428e17"><code>39744cf</code></a>
chore: linter (<a
href="https://redirect.github.com/expressjs/body-parser/issues/534">#534</a>)</li>
<li><a
href="https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce"><code>b2695c4</code></a>
Merge commit from fork</li>
<li><a
href="https://github.com/expressjs/body-parser/commit/ade0f3f82f91086d6cd2ed2cb4b0aff448fbc2e5"><code>ade0f3f</code></a>
add scorecard to readme (<a
href="https://redirect.github.com/expressjs/body-parser/issues/531">#531</a>)</li>
<li><a
href="https://github.com/expressjs/body-parser/commit/99a1bd62456f932004b84767d6393bc261f75d36"><code>99a1bd6</code></a>
deps: qs@6.12.3 (<a
href="https://redirect.github.com/expressjs/body-parser/issues/521">#521</a>)</li>
<li><a
href="https://github.com/expressjs/body-parser/commit/947859160527c7aaaa20da79e2c3ba542baaaf66"><code>9478591</code></a>
fix: pin to node@22.4.1</li>
<li><a
href="https://github.com/expressjs/body-parser/commit/83db46a1e5512135ce01ed90b9132ee16a2657a8"><code>83db46a</code></a>
ci: fix errors in ci github action for node 8 and 9 (<a
href="https://redirect.github.com/expressjs/body-parser/issues/523">#523</a>)</li>
<li><a
href="https://github.com/expressjs/body-parser/commit/9d4e2125b580b055b2a3aa140df9b8fce363af46"><code>9d4e212</code></a>
chore: add support for OSSF scorecard reporting (<a
href="https://redirect.github.com/expressjs/body-parser/issues/522">#522</a>)</li>
<li>See full diff in <a
href="https://github.com/expressjs/body-parser/compare/1.20.2...1.20.3">compare
view</a></li>
</ul>
</details>
<details>
<summary>Maintainer changes</summary>
<p>This version was pushed to npm by <a
href="https://www.npmjs.com/~ulisesgascon">ulisesgascon</a>, a new
releaser for body-parser since your current version.</p>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=body-parser&package-manager=npm_and_yarn&previous-version=1.20.2&new-version=1.20.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/zitadel/zitadel/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Max Peintner <max@caos.ch>
---
 console/yarn.lock | 20 +-------------------
 1 file changed, 1 insertion(+), 19 deletions(-)

diff --git a/console/yarn.lock b/console/yarn.lock
index 23f9a4bb84..9b87fccf03 100644
--- a/console/yarn.lock
+++ b/console/yarn.lock
@@ -3998,7 +3998,7 @@ blocking-proxy@^1.0.0:
   dependencies:
     minimist "^1.2.0"
 
-body-parser@1.20.3:
+body-parser@1.20.3, body-parser@^1.19.0:
   version "1.20.3"
   resolved "https://registry.yarnpkg.com/body-parser/-/body-parser-1.20.3.tgz#1953431221c6fb5cd63c4b36d53fab0928e548c6"
   integrity sha512-7rAxByjUMqQ3/bHJy7D6OGXvx/MMc4IqBn/X0fcM1QUcAItpZrBEYhWGem+tzXH90c+G01ypMcYJBO9Y30203g==
@@ -4016,24 +4016,6 @@ body-parser@1.20.3:
     type-is "~1.6.18"
     unpipe "1.0.0"
 
-body-parser@^1.19.0:
-  version "1.20.2"
-  resolved "https://registry.yarnpkg.com/body-parser/-/body-parser-1.20.2.tgz#6feb0e21c4724d06de7ff38da36dad4f57a747fd"
-  integrity sha512-ml9pReCu3M61kGlqoTm2umSXTlRTuGTx0bfYj+uIUKKYycG5NtSbeetV3faSU6R7ajOPw0g/J1PvK4qNy7s5bA==
-  dependencies:
-    bytes "3.1.2"
-    content-type "~1.0.5"
-    debug "2.6.9"
-    depd "2.0.0"
-    destroy "1.2.0"
-    http-errors "2.0.0"
-    iconv-lite "0.4.24"
-    on-finished "2.4.1"
-    qs "6.11.0"
-    raw-body "2.5.2"
-    type-is "~1.6.18"
-    unpipe "1.0.0"
-
 bonjour-service@^1.0.11:
   version "1.2.1"
   resolved "https://registry.yarnpkg.com/bonjour-service/-/bonjour-service-1.2.1.tgz#eb41b3085183df3321da1264719fbada12478d02"

From e5e233b439ddb9cc175bc1fdb321acb97da15836 Mon Sep 17 00:00:00 2001
From: Silvan <silvan.reusser@gmail.com>
Date: Thu, 19 Sep 2024 16:27:37 +0200
Subject: [PATCH 10/19] docs(office_hours): add Q&A on 2024-09-25 (#8646)

Added meeting schedule for office hours
---
 MEETING_SCHEDULE.md | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/MEETING_SCHEDULE.md b/MEETING_SCHEDULE.md
index 671da36fa1..695a19855f 100644
--- a/MEETING_SCHEDULE.md
+++ b/MEETING_SCHEDULE.md
@@ -3,6 +3,34 @@
 Dear community!
 We're excited to announce bi-weekly office hours.
 
+## #5 Q&A
+
+Dear community,
+
+This week's office hour is dedicated for you to drop by and ask any questions you may have about ZITADEL. We are happy to discuss anything, from Actions to Zero downtime deployments. 
+
+Join us on the stage or ask your questions in the chat next Wednesday in the office hours channel on Discord. We're looking forward to have a nice chat with you.
+
+**What to expect:**
+
+* **Q&A Session**: Ask your questions and feel free to join the discussion to help others getting their questions answered
+
+**Details:**
+
+* **Target Audience:** Developers and IT Ops personnel using ZITADEL  
+* **Topic:** Q\&A session  
+* **When**: Wednesday 25th of September 6 pm UTC  
+* **Duration**: about 1 hour  
+* **Platform:** Zitadel Discord Server (Join us here:  https://discord.gg/zitadel-927474939156643850?event=1286221582838272000 )
+
+**In the meantime:**
+
+If you have questions upfront, feel free to already post them in the chat of the [office hours channel](https://zitadel.com/office-hours) on our Discord server :gigi:
+
+We look forward to seeing you there\!
+
+**P.S.** Spread the word\! Share this announcement with your fellow ZITADEL users who might be interested 📢
+
 ## #4 Login UI deepdive
 
 Dear community,

From eb97be6fdff464714f7e181e7fe1b8bee2630ba9 Mon Sep 17 00:00:00 2001
From: Nico Schett <52858351+schettn@users.noreply.github.com>
Date: Tue, 24 Sep 2024 08:43:39 +0200
Subject: [PATCH 11/19] docs(pylon.mdx): update to pylon v2 (#8643)

Hi!

I just release Pylon v2. Due to some breaking changes I need to adapt
the docs.

- Docs: https://pylon.cronit.io/docs/getting-started
- Release notes: https://pylon.cronit.io/docs/release-notes/v2.0
- Migration guide:
https://pylon.cronit.io/docs/release-notes/migrating-from-v1-to-v2
---
 docs/docs/examples/imports/_setup_pylon.mdx |  1 -
 docs/docs/examples/secure-api/pylon.mdx     | 89 +++++++++++----------
 2 files changed, 46 insertions(+), 44 deletions(-)
 delete mode 100644 docs/docs/examples/imports/_setup_pylon.mdx

diff --git a/docs/docs/examples/imports/_setup_pylon.mdx b/docs/docs/examples/imports/_setup_pylon.mdx
deleted file mode 100644
index e68dad2c3c..0000000000
--- a/docs/docs/examples/imports/_setup_pylon.mdx
+++ /dev/null
@@ -1 +0,0 @@
-You have to install Pylon as described in [their documentation](https://pylon.cronit.io/docs/installation/).
diff --git a/docs/docs/examples/secure-api/pylon.mdx b/docs/docs/examples/secure-api/pylon.mdx
index 81f66999af..c8a3cd4635 100644
--- a/docs/docs/examples/secure-api/pylon.mdx
+++ b/docs/docs/examples/secure-api/pylon.mdx
@@ -6,7 +6,6 @@ sidebar_label: Pylon
 import AppJWT from "../imports/_app_jwt.mdx";
 import ServiceuserJWT from "../imports/_serviceuser_jwt.mdx";
 import ServiceuserRole from "../imports/_serviceuser_role.mdx";
-import SetupPylon from "../imports/_setup_pylon.mdx";
 
 This integration guide demonstrates the recommended way to incorporate ZITADEL into your [Pylon](https://pylon.cronit.io) service.
 It explains how to check the token validity in the API and how to check for permissions.
@@ -43,26 +42,27 @@ And the following from the Serviceuser:
 
 ## Setup new Pylon service
 
-### Setup Pylon
+Pylon allows you to create a new service using the `npm create pylon` command. This command creates a new Pylon project with a basic project structure and configuration.
+During the setup process, you can choose your preferred runtime, such as Bun, Node.js, or Cloudflare Workers.
 
-<SetupPylon />
+**This guide uses the Bun runtime.**
 
 ### Creating a new project
 
 To create a new Pylon project, run the following command:
 
 ```bash
-pylon new my-pylon-project
+npm create pylon my-pylon@latest
 ```
 
-This will create a new directory called `my-pylon-project` with a basic Pylon project structure.
+This will create a new directory called `my-pylon` with a basic Pylon project structure.
 
 ### Project structure
 
 Pylon projects are structured as follows:
 
 ```
-my-pylon-project/
+my-pylon/
 ├── .pylon/
 ├── src/
 │   ├── index.ts
@@ -81,16 +81,18 @@ my-pylon-project/
 Here's an example of a basic Pylon service:
 
 ```ts
-import { defineService } from "@getcronit/pylon";
+import { app } from "@getcronit/pylon";
 
-export default defineService({
+export const graphql = {
   Query: {
     sum: (a: number, b: number) => a + b,
   },
   Mutation: {
     divide: (a: number, b: number) => a / b,
   },
-});
+};
+
+export default app;
 ```
 
 ## Secure the API
@@ -113,6 +115,8 @@ AUTH_PROJECT_ID='250719519163548112'
 
 2. Copy the `.json`-key-file that you downloaded from the ZITADEL Console into the root folder of your project and rename it to `key.json`.
 
+3. (Optional) For added convenience in production environments, you can include the content of the .json key file as `AUTH_KEY` in the .env file or as an environment variable.
+
 ### Auth
 
 Pylon provides a auth module and a decorator to check the validity of the token and the permissions.
@@ -140,8 +144,7 @@ The following code demonstrates how to create a Pylon service with the required
 
 ```ts
 import {
-  defineService,
-  PylonAPI,
+  app,
   auth,
   requireAuth,
   getContext,
@@ -208,7 +211,7 @@ class User {
   }
 }
 
-export default defineService({
+export const graphql = {
   Query: {
     me: User.me,
     info: () => "Public Data",
@@ -216,43 +219,43 @@ export default defineService({
   Mutation: {
     createUser: User.create,
   },
+};
+
+// Initialize the authentication middleware
+app.use("*", auth.initialize());
+
+// Automatically try to create a user for each request for demonstration purposes
+app.use(async (_, next) => {
+  try {
+    await User.create();
+  } catch {
+    // Ignore errors
+    // Fail silently if the user already exists
+  }
+
+  await next();
 });
 
-export const configureApp: PylonAPI["configureApp"] = (app) => {
-  // Initialize the authentication middleware
-  app.use("*", auth.initialize());
+app.get("/api/info", (c) => {
+  return new Response("Public Data");
+});
 
-  // Automatically try to create a user for each request for demonstration purposes
-  app.use(async (_, next) => {
-    try {
-      await User.create();
-    } catch {
-      // Ignore errors
-      // Fail silently if the user already exists
-    }
+// The `auth.require()` middleware is optional here, as the `User.me` method already checks for it.
+app.get("/api/me", auth.require(), async (c) => {
+  const user = await User.me();
 
-    await next();
-  });
+  return c.json(user);
+});
 
-  app.get("/api/info", (c) => {
-    return new Response("Public Data");
-  });
+// A role check for `read:messages` is not required here, as the `user.messages` method already checks for it.
+app.get("/api/me/messages", auth.require(), async (c) => {
+  const user = await User.me();
 
-  // The `auth.require()` middleware is optional here, as the `User.me` method already checks for it.
-  app.get("/api/me", auth.require(), async (c) => {
-    const user = await User.me();
+  // This will throw an error if the user does not have the `read:messages` role
+  return c.json(await user.messages());
+});
 
-    return c.json(user);
-  });
-
-  // A role check for `read:messages` is not required here, as the `user.messages` method already checks for it.
-  app.get("/api/me/messages", auth.require(), async (c) => {
-    const user = await User.me();
-
-    // This will throw an error if the user does not have the `read:messages` role
-    return c.json(await user.messages());
-  });
-};
+export default app;
 ```
 
 ### Call the API
@@ -273,7 +276,7 @@ export TOKEN='MtjHodGy4zxKylDOhg6kW90WeEQs2q...'
 Now you have to start the Pylon service:
 
 ```bash
-bun run develop
+bun run dev
 ```
 
 With the access token, you can then do the following calls:

From aeb379e7deee3d6df293d0fdb8f00157184b7ec6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= <tim+github@zitadel.com>
Date: Tue, 24 Sep 2024 19:43:29 +0300
Subject: [PATCH 12/19] fix(eventstore): revert precise decimal (#8527) (#8679)

---
 cmd/mirror/event.go                           | 10 ++--
 cmd/mirror/event_store.go                     |  3 +-
 go.mod                                        |  2 -
 go.sum                                        |  4 --
 internal/api/oidc/key.go                      | 15 +++---
 internal/api/saml/certificate.go              | 15 +++---
 internal/database/cockroach/crdb.go           |  7 ---
 internal/database/postgres/pg.go              |  6 ---
 internal/eventstore/event.go                  |  4 +-
 internal/eventstore/event_base.go             |  6 +--
 internal/eventstore/eventstore.go             | 11 ++---
 .../eventstore/eventstore_querier_test.go     | 16 +++----
 internal/eventstore/eventstore_test.go        | 17 ++++---
 .../eventstore/handler/v2/field_handler.go    |  9 ++--
 internal/eventstore/handler/v2/handler.go     | 19 ++++----
 internal/eventstore/handler/v2/state.go       |  8 ++--
 internal/eventstore/handler/v2/state_test.go  | 13 +++--
 internal/eventstore/handler/v2/statement.go   |  3 +-
 internal/eventstore/local_crdb_test.go        | 29 ++---------
 internal/eventstore/read_model.go             | 22 ++++-----
 internal/eventstore/repository/event.go       |  6 +--
 .../repository/mock/repository.mock.go        | 15 +++---
 .../repository/mock/repository.mock.impl.go   |  5 +-
 .../eventstore/repository/search_query.go     |  6 +--
 internal/eventstore/repository/sql/crdb.go    | 13 ++---
 .../eventstore/repository/sql/crdb_test.go    |  4 +-
 internal/eventstore/repository/sql/query.go   | 25 +++++-----
 .../eventstore/repository/sql/query_test.go   | 27 +++++------
 internal/eventstore/search_query.go           | 16 +++----
 internal/eventstore/search_query_test.go      |  4 +-
 internal/eventstore/v1/models/event.go        |  6 +--
 internal/eventstore/v3/event.go               |  7 ++-
 internal/query/access_token.go                |  7 ++-
 internal/query/current_state.go               | 11 ++---
 internal/query/current_state_test.go          |  8 ++--
 internal/query/user_grant.go                  |  4 +-
 internal/query/user_membership.go             |  4 +-
 internal/v2/database/number_filter.go         |  3 +-
 internal/v2/eventstore/event_store.go         |  6 +--
 internal/v2/eventstore/postgres/push_test.go  | 24 +++++-----
 internal/v2/eventstore/postgres/query_test.go | 48 +++++++++----------
 internal/v2/eventstore/query.go               |  6 +--
 internal/v2/eventstore/query_test.go          | 26 +++++-----
 .../v2/readmodel/last_successful_mirror.go    |  6 +--
 internal/v2/system/mirror/succeeded.go        |  6 +--
 load-test/Makefile                            | 21 ++++----
 load-test/src/use_cases/manipulate_user.ts    |  1 -
 47 files changed, 215 insertions(+), 319 deletions(-)

diff --git a/cmd/mirror/event.go b/cmd/mirror/event.go
index af0ac25e27..2bb0d52f45 100644
--- a/cmd/mirror/event.go
+++ b/cmd/mirror/event.go
@@ -3,8 +3,6 @@ package mirror
 import (
 	"context"
 
-	"github.com/shopspring/decimal"
-
 	"github.com/zitadel/zitadel/internal/v2/eventstore"
 	"github.com/zitadel/zitadel/internal/v2/projection"
 	"github.com/zitadel/zitadel/internal/v2/readmodel"
@@ -32,12 +30,12 @@ func queryLastSuccessfulMigration(ctx context.Context, destinationES *eventstore
 	return lastSuccess, nil
 }
 
-func writeMigrationStart(ctx context.Context, sourceES *eventstore.EventStore, id string, destination string) (_ decimal.Decimal, err error) {
+func writeMigrationStart(ctx context.Context, sourceES *eventstore.EventStore, id string, destination string) (_ float64, err error) {
 	var cmd *eventstore.Command
 	if len(instanceIDs) > 0 {
 		cmd, err = mirror_event.NewStartedInstancesCommand(destination, instanceIDs)
 		if err != nil {
-			return decimal.Decimal{}, err
+			return 0, err
 		}
 	} else {
 		cmd = mirror_event.NewStartedSystemCommand(destination)
@@ -60,12 +58,12 @@ func writeMigrationStart(ctx context.Context, sourceES *eventstore.EventStore, i
 		),
 	)
 	if err != nil {
-		return decimal.Decimal{}, err
+		return 0, err
 	}
 	return position.Position, nil
 }
 
-func writeMigrationSucceeded(ctx context.Context, destinationES *eventstore.EventStore, id, source string, position decimal.Decimal) error {
+func writeMigrationSucceeded(ctx context.Context, destinationES *eventstore.EventStore, id, source string, position float64) error {
 	return destinationES.Push(
 		ctx,
 		eventstore.NewPushIntent(
diff --git a/cmd/mirror/event_store.go b/cmd/mirror/event_store.go
index 2eab4eb0da..23145bdc37 100644
--- a/cmd/mirror/event_store.go
+++ b/cmd/mirror/event_store.go
@@ -9,7 +9,6 @@ import (
 	"time"
 
 	"github.com/jackc/pgx/v5/stdlib"
-	"github.com/shopspring/decimal"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 	"github.com/zitadel/logging"
@@ -181,7 +180,7 @@ func copyEvents(ctx context.Context, source, dest *db.DB, bulkSize uint32) {
 	logging.WithFields("took", time.Since(start), "count", eventCount).Info("events migrated")
 }
 
-func writeCopyEventsDone(ctx context.Context, es *eventstore.EventStore, id, source string, position decimal.Decimal, errs <-chan error) {
+func writeCopyEventsDone(ctx context.Context, es *eventstore.EventStore, id, source string, position float64, errs <-chan error) {
 	joinedErrs := make([]error, 0, len(errs))
 	for err := range errs {
 		joinedErrs = append(joinedErrs, err)
diff --git a/go.mod b/go.mod
index 0137251400..2d6c815520 100644
--- a/go.mod
+++ b/go.mod
@@ -38,7 +38,6 @@ require (
 	github.com/h2non/gock v1.2.0
 	github.com/hashicorp/golang-lru/v2 v2.0.7
 	github.com/improbable-eng/grpc-web v0.15.0
-	github.com/jackc/pgx-shopspring-decimal v0.0.0-20220624020537-1d36b5a1853e
 	github.com/jackc/pgx/v5 v5.6.0
 	github.com/jarcoal/jpath v0.0.0-20140328210829-f76b8b2dbf52
 	github.com/jinzhu/gorm v1.9.16
@@ -55,7 +54,6 @@ require (
 	github.com/rakyll/statik v0.1.7
 	github.com/rs/cors v1.11.0
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1
-	github.com/shopspring/decimal v1.4.0
 	github.com/sony/sonyflake v1.2.0
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/viper v1.19.0
diff --git a/go.sum b/go.sum
index de6c80d513..606f4048cc 100644
--- a/go.sum
+++ b/go.sum
@@ -405,8 +405,6 @@ github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsI
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgservicefile v0.0.0-20231201235250-de7065d80cb9 h1:L0QtFUgDarD7Fpv9jeVMgy/+Ec0mtnmYuImjTz6dtDA=
 github.com/jackc/pgservicefile v0.0.0-20231201235250-de7065d80cb9/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgx-shopspring-decimal v0.0.0-20220624020537-1d36b5a1853e h1:i3gQ/Zo7sk4LUVbsAjTNeC4gIjoPNIZVzs4EXstssV4=
-github.com/jackc/pgx-shopspring-decimal v0.0.0-20220624020537-1d36b5a1853e/go.mod h1:zUHglCZ4mpDUPgIwqEKoba6+tcUQzRdb1+DPTuYe9pI=
 github.com/jackc/pgx/v5 v5.6.0 h1:SWJzexBzPL5jb0GEsrPMLIsi/3jOo7RHlzTjcAeDrPY=
 github.com/jackc/pgx/v5 v5.6.0/go.mod h1:DNZ/vlrUnhWCoFGxHAG8U2ljioxukquj7utPDgtQdTw=
 github.com/jackc/puddle/v2 v2.2.1 h1:RhxXJtFG022u4ibrCSMSiu5aOq1i77R3OHKNJj77OAk=
@@ -651,8 +649,6 @@ github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4=
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
-github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
-github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
diff --git a/internal/api/oidc/key.go b/internal/api/oidc/key.go
index f7aa88409e..a7e156fe78 100644
--- a/internal/api/oidc/key.go
+++ b/internal/api/oidc/key.go
@@ -11,7 +11,6 @@ import (
 	"github.com/go-jose/go-jose/v4"
 	"github.com/jonboulle/clockwork"
 	"github.com/muhlemmer/gu"
-	"github.com/shopspring/decimal"
 	"github.com/zitadel/logging"
 	"github.com/zitadel/oidc/v3/pkg/op"
 
@@ -351,14 +350,14 @@ func (o *OPStorage) getSigningKey(ctx context.Context) (op.SigningKey, error) {
 	if len(keys.Keys) > 0 {
 		return o.privateKeyToSigningKey(selectSigningKey(keys.Keys))
 	}
-	var position decimal.Decimal
+	var position float64
 	if keys.State != nil {
 		position = keys.State.Position
 	}
 	return nil, o.refreshSigningKey(ctx, o.signingKeyAlgorithm, position)
 }
 
-func (o *OPStorage) refreshSigningKey(ctx context.Context, algorithm string, position decimal.Decimal) error {
+func (o *OPStorage) refreshSigningKey(ctx context.Context, algorithm string, position float64) error {
 	ok, err := o.ensureIsLatestKey(ctx, position)
 	if err != nil || !ok {
 		return zerrors.ThrowInternal(err, "OIDC-ASfh3", "cannot ensure that projection is up to date")
@@ -370,12 +369,12 @@ func (o *OPStorage) refreshSigningKey(ctx context.Context, algorithm string, pos
 	return zerrors.ThrowInternal(nil, "OIDC-Df1bh", "")
 }
 
-func (o *OPStorage) ensureIsLatestKey(ctx context.Context, position decimal.Decimal) (bool, error) {
+func (o *OPStorage) ensureIsLatestKey(ctx context.Context, position float64) (bool, error) {
 	maxSequence, err := o.getMaxKeySequence(ctx)
 	if err != nil {
 		return false, fmt.Errorf("error retrieving new events: %w", err)
 	}
-	return position.GreaterThanOrEqual(maxSequence), nil
+	return position >= maxSequence, nil
 }
 
 func (o *OPStorage) privateKeyToSigningKey(key query.PrivateKey) (_ op.SigningKey, err error) {
@@ -413,9 +412,9 @@ func (o *OPStorage) lockAndGenerateSigningKeyPair(ctx context.Context, algorithm
 	return o.command.GenerateSigningKeyPair(setOIDCCtx(ctx), algorithm)
 }
 
-func (o *OPStorage) getMaxKeySequence(ctx context.Context) (decimal.Decimal, error) {
-	return o.eventstore.LatestPosition(ctx,
-		eventstore.NewSearchQueryBuilder(eventstore.ColumnsMaxPosition).
+func (o *OPStorage) getMaxKeySequence(ctx context.Context) (float64, error) {
+	return o.eventstore.LatestSequence(ctx,
+		eventstore.NewSearchQueryBuilder(eventstore.ColumnsMaxSequence).
 			ResourceOwner(authz.GetInstance(ctx).InstanceID()).
 			AwaitOpenTransactions().
 			AllowTimeTravel().
diff --git a/internal/api/saml/certificate.go b/internal/api/saml/certificate.go
index 079655391e..2eac0e4d36 100644
--- a/internal/api/saml/certificate.go
+++ b/internal/api/saml/certificate.go
@@ -6,7 +6,6 @@ import (
 	"time"
 
 	"github.com/go-jose/go-jose/v4"
-	"github.com/shopspring/decimal"
 	"github.com/zitadel/logging"
 	"github.com/zitadel/saml/pkg/provider/key"
 
@@ -77,7 +76,7 @@ func (p *Storage) getCertificateAndKey(ctx context.Context, usage crypto.KeyUsag
 		return p.certificateToCertificateAndKey(selectCertificate(certs.Certificates))
 	}
 
-	var position decimal.Decimal
+	var position float64
 	if certs.State != nil {
 		position = certs.State.Position
 	}
@@ -88,7 +87,7 @@ func (p *Storage) getCertificateAndKey(ctx context.Context, usage crypto.KeyUsag
 func (p *Storage) refreshCertificate(
 	ctx context.Context,
 	usage crypto.KeyUsage,
-	position decimal.Decimal,
+	position float64,
 ) error {
 	ok, err := p.ensureIsLatestCertificate(ctx, position)
 	if err != nil {
@@ -104,12 +103,12 @@ func (p *Storage) refreshCertificate(
 	return nil
 }
 
-func (p *Storage) ensureIsLatestCertificate(ctx context.Context, position decimal.Decimal) (bool, error) {
+func (p *Storage) ensureIsLatestCertificate(ctx context.Context, position float64) (bool, error) {
 	maxSequence, err := p.getMaxKeySequence(ctx)
 	if err != nil {
 		return false, fmt.Errorf("error retrieving new events: %w", err)
 	}
-	return position.GreaterThanOrEqual(maxSequence), nil
+	return position >= maxSequence, nil
 }
 
 func (p *Storage) lockAndGenerateCertificateAndKey(ctx context.Context, usage crypto.KeyUsage) error {
@@ -152,9 +151,9 @@ func (p *Storage) lockAndGenerateCertificateAndKey(ctx context.Context, usage cr
 	}
 }
 
-func (p *Storage) getMaxKeySequence(ctx context.Context) (decimal.Decimal, error) {
-	return p.eventstore.LatestPosition(ctx,
-		eventstore.NewSearchQueryBuilder(eventstore.ColumnsMaxPosition).
+func (p *Storage) getMaxKeySequence(ctx context.Context) (float64, error) {
+	return p.eventstore.LatestSequence(ctx,
+		eventstore.NewSearchQueryBuilder(eventstore.ColumnsMaxSequence).
 			ResourceOwner(authz.GetInstance(ctx).InstanceID()).
 			AwaitOpenTransactions().
 			AddQuery().
diff --git a/internal/database/cockroach/crdb.go b/internal/database/cockroach/crdb.go
index 988f678e16..2f685f6d92 100644
--- a/internal/database/cockroach/crdb.go
+++ b/internal/database/cockroach/crdb.go
@@ -7,8 +7,6 @@ import (
 	"strings"
 	"time"
 
-	pgxdecimal "github.com/jackc/pgx-shopspring-decimal"
-	"github.com/jackc/pgx/v5"
 	"github.com/jackc/pgx/v5/pgxpool"
 	"github.com/jackc/pgx/v5/stdlib"
 	"github.com/mitchellh/mapstructure"
@@ -84,11 +82,6 @@ func (c *Config) Connect(useAdmin bool, pusherRatio, spoolerRatio float64, purpo
 		return nil, err
 	}
 
-	config.AfterConnect = func(ctx context.Context, conn *pgx.Conn) error {
-		pgxdecimal.Register(conn.TypeMap())
-		return nil
-	}
-
 	if connConfig.MaxOpenConns != 0 {
 		config.MaxConns = int32(connConfig.MaxOpenConns)
 	}
diff --git a/internal/database/postgres/pg.go b/internal/database/postgres/pg.go
index 24b31a55fb..ecafbe877a 100644
--- a/internal/database/postgres/pg.go
+++ b/internal/database/postgres/pg.go
@@ -7,8 +7,6 @@ import (
 	"strings"
 	"time"
 
-	pgxdecimal "github.com/jackc/pgx-shopspring-decimal"
-	"github.com/jackc/pgx/v5"
 	"github.com/jackc/pgx/v5/pgxpool"
 	"github.com/jackc/pgx/v5/stdlib"
 	"github.com/mitchellh/mapstructure"
@@ -84,10 +82,6 @@ func (c *Config) Connect(useAdmin bool, pusherRatio, spoolerRatio float64, purpo
 	if err != nil {
 		return nil, err
 	}
-	config.AfterConnect = func(ctx context.Context, conn *pgx.Conn) error {
-		pgxdecimal.Register(conn.TypeMap())
-		return nil
-	}
 
 	if connConfig.MaxOpenConns != 0 {
 		config.MaxConns = int32(connConfig.MaxOpenConns)
diff --git a/internal/eventstore/event.go b/internal/eventstore/event.go
index 656a02f33d..3df096f069 100644
--- a/internal/eventstore/event.go
+++ b/internal/eventstore/event.go
@@ -5,8 +5,6 @@ import (
 	"reflect"
 	"time"
 
-	"github.com/shopspring/decimal"
-
 	"github.com/zitadel/zitadel/internal/zerrors"
 )
 
@@ -46,7 +44,7 @@ type Event interface {
 	// CreatedAt is the time the event was created at
 	CreatedAt() time.Time
 	// Position is the global position of the event
-	Position() decimal.Decimal
+	Position() float64
 
 	// Unmarshal parses the payload and stores the result
 	// in the value pointed to by ptr. If ptr is nil or not a pointer,
diff --git a/internal/eventstore/event_base.go b/internal/eventstore/event_base.go
index 0cd5b6440c..c2b56128a8 100644
--- a/internal/eventstore/event_base.go
+++ b/internal/eventstore/event_base.go
@@ -5,8 +5,6 @@ import (
 	"encoding/json"
 	"time"
 
-	"github.com/shopspring/decimal"
-
 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/api/service"
 )
@@ -23,7 +21,7 @@ type BaseEvent struct {
 	Agg *Aggregate
 
 	Seq                           uint64
-	Pos                           decimal.Decimal
+	Pos                           float64
 	Creation                      time.Time
 	previousAggregateSequence     uint64
 	previousAggregateTypeSequence uint64
@@ -36,7 +34,7 @@ type BaseEvent struct {
 }
 
 // Position implements Event.
-func (e *BaseEvent) Position() decimal.Decimal {
+func (e *BaseEvent) Position() float64 {
 	return e.Pos
 }
 
diff --git a/internal/eventstore/eventstore.go b/internal/eventstore/eventstore.go
index 066a876da3..e456135828 100644
--- a/internal/eventstore/eventstore.go
+++ b/internal/eventstore/eventstore.go
@@ -8,7 +8,6 @@ import (
 	"time"
 
 	"github.com/jackc/pgx/v5/pgconn"
-	"github.com/shopspring/decimal"
 	"github.com/zitadel/logging"
 
 	"github.com/zitadel/zitadel/internal/api/authz"
@@ -218,11 +217,11 @@ func (es *Eventstore) FilterToReducer(ctx context.Context, searchQuery *SearchQu
 	})
 }
 
-// LatestPosition filters the latest position for the given search query
-func (es *Eventstore) LatestPosition(ctx context.Context, queryFactory *SearchQueryBuilder) (decimal.Decimal, error) {
+// LatestSequence filters the latest sequence for the given search query
+func (es *Eventstore) LatestSequence(ctx context.Context, queryFactory *SearchQueryBuilder) (float64, error) {
 	queryFactory.InstanceID(authz.GetInstance(ctx).InstanceID())
 
-	return es.querier.LatestPosition(ctx, queryFactory)
+	return es.querier.LatestSequence(ctx, queryFactory)
 }
 
 // InstanceIDs returns the instance ids found by the search query
@@ -267,8 +266,8 @@ type Querier interface {
 	Health(ctx context.Context) error
 	// FilterToReducer calls r for every event returned from the storage
 	FilterToReducer(ctx context.Context, searchQuery *SearchQueryBuilder, r Reducer) error
-	// LatestPosition returns the latest position found by the search query
-	LatestPosition(ctx context.Context, queryFactory *SearchQueryBuilder) (decimal.Decimal, error)
+	// LatestSequence returns the latest sequence found by the search query
+	LatestSequence(ctx context.Context, queryFactory *SearchQueryBuilder) (float64, error)
 	// InstanceIDs returns the instance ids found by the search query
 	InstanceIDs(ctx context.Context, queryFactory *SearchQueryBuilder) ([]string, error)
 }
diff --git a/internal/eventstore/eventstore_querier_test.go b/internal/eventstore/eventstore_querier_test.go
index 6a01c6fbf0..856bb4a20e 100644
--- a/internal/eventstore/eventstore_querier_test.go
+++ b/internal/eventstore/eventstore_querier_test.go
@@ -4,8 +4,6 @@ import (
 	"context"
 	"testing"
 
-	"github.com/shopspring/decimal"
-
 	"github.com/zitadel/zitadel/internal/eventstore"
 )
 
@@ -100,7 +98,7 @@ func TestCRDB_Filter(t *testing.T) {
 	}
 }
 
-func TestCRDB_LatestPosition(t *testing.T) {
+func TestCRDB_LatestSequence(t *testing.T) {
 	type args struct {
 		searchQuery *eventstore.SearchQueryBuilder
 	}
@@ -108,7 +106,7 @@ func TestCRDB_LatestPosition(t *testing.T) {
 		existingEvents []eventstore.Command
 	}
 	type res struct {
-		position decimal.Decimal
+		sequence float64
 	}
 	tests := []struct {
 		name    string
@@ -120,7 +118,7 @@ func TestCRDB_LatestPosition(t *testing.T) {
 		{
 			name: "aggregate type filter no sequence",
 			args: args{
-				searchQuery: eventstore.NewSearchQueryBuilder(eventstore.ColumnsMaxPosition).
+				searchQuery: eventstore.NewSearchQueryBuilder(eventstore.ColumnsMaxSequence).
 					AddQuery().
 					AggregateTypes("not found").
 					Builder(),
@@ -137,7 +135,7 @@ func TestCRDB_LatestPosition(t *testing.T) {
 		{
 			name: "aggregate type filter sequence",
 			args: args{
-				searchQuery: eventstore.NewSearchQueryBuilder(eventstore.ColumnsMaxPosition).
+				searchQuery: eventstore.NewSearchQueryBuilder(eventstore.ColumnsMaxSequence).
 					AddQuery().
 					AggregateTypes(eventstore.AggregateType(t.Name())).
 					Builder(),
@@ -171,12 +169,12 @@ func TestCRDB_LatestPosition(t *testing.T) {
 					return
 				}
 
-				position, err := db.LatestPosition(context.Background(), tt.args.searchQuery)
+				sequence, err := db.LatestSequence(context.Background(), tt.args.searchQuery)
 				if (err != nil) != tt.wantErr {
 					t.Errorf("CRDB.query() error = %v, wantErr %v", err, tt.wantErr)
 				}
-				if tt.res.position.GreaterThan(position) {
-					t.Errorf("CRDB.query() expected sequence: %v got %v", tt.res.position, position)
+				if tt.res.sequence > sequence {
+					t.Errorf("CRDB.query() expected sequence: %v got %v", tt.res.sequence, sequence)
 				}
 			})
 		}
diff --git a/internal/eventstore/eventstore_test.go b/internal/eventstore/eventstore_test.go
index 86f7809f24..53ef4e54cf 100644
--- a/internal/eventstore/eventstore_test.go
+++ b/internal/eventstore/eventstore_test.go
@@ -9,7 +9,6 @@ import (
 	"time"
 
 	"github.com/jackc/pgx/v5/pgconn"
-	"github.com/shopspring/decimal"
 
 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/api/service"
@@ -391,7 +390,7 @@ func (repo *testPusher) Push(ctx context.Context, commands ...Command) (events [
 
 type testQuerier struct {
 	events    []Event
-	sequence  decimal.Decimal
+	sequence  float64
 	instances []string
 	err       error
 	t         *testing.T
@@ -424,9 +423,9 @@ func (repo *testQuerier) FilterToReducer(ctx context.Context, searchQuery *Searc
 	return nil
 }
 
-func (repo *testQuerier) LatestPosition(ctx context.Context, queryFactory *SearchQueryBuilder) (decimal.Decimal, error) {
+func (repo *testQuerier) LatestSequence(ctx context.Context, queryFactory *SearchQueryBuilder) (float64, error) {
 	if repo.err != nil {
-		return decimal.Decimal{}, repo.err
+		return 0, repo.err
 	}
 	return repo.sequence, nil
 }
@@ -1056,7 +1055,7 @@ func TestEventstore_FilterEvents(t *testing.T) {
 	}
 }
 
-func TestEventstore_LatestPosition(t *testing.T) {
+func TestEventstore_LatestSequence(t *testing.T) {
 	type args struct {
 		query *SearchQueryBuilder
 	}
@@ -1076,7 +1075,7 @@ func TestEventstore_LatestPosition(t *testing.T) {
 			name: "no events",
 			args: args{
 				query: &SearchQueryBuilder{
-					columns: ColumnsMaxPosition,
+					columns: ColumnsMaxSequence,
 					queries: []*SearchQuery{
 						{
 							builder:        &SearchQueryBuilder{},
@@ -1099,7 +1098,7 @@ func TestEventstore_LatestPosition(t *testing.T) {
 			name: "repo error",
 			args: args{
 				query: &SearchQueryBuilder{
-					columns: ColumnsMaxPosition,
+					columns: ColumnsMaxSequence,
 					queries: []*SearchQuery{
 						{
 							builder:        &SearchQueryBuilder{},
@@ -1122,7 +1121,7 @@ func TestEventstore_LatestPosition(t *testing.T) {
 			name: "found events",
 			args: args{
 				query: &SearchQueryBuilder{
-					columns: ColumnsMaxPosition,
+					columns: ColumnsMaxSequence,
 					queries: []*SearchQuery{
 						{
 							builder:        &SearchQueryBuilder{},
@@ -1148,7 +1147,7 @@ func TestEventstore_LatestPosition(t *testing.T) {
 				querier: tt.fields.repo,
 			}
 
-			_, err := es.LatestPosition(context.Background(), tt.args.query)
+			_, err := es.LatestSequence(context.Background(), tt.args.query)
 			if (err != nil) != tt.res.wantErr {
 				t.Errorf("Eventstore.aggregatesToEvents() error = %v, wantErr %v", err, tt.res.wantErr)
 			}
diff --git a/internal/eventstore/handler/v2/field_handler.go b/internal/eventstore/handler/v2/field_handler.go
index 2c371d67ec..8b71f32519 100644
--- a/internal/eventstore/handler/v2/field_handler.go
+++ b/internal/eventstore/handler/v2/field_handler.go
@@ -8,7 +8,6 @@ import (
 	"time"
 
 	"github.com/jackc/pgx/v5/pgconn"
-	"github.com/shopspring/decimal"
 
 	"github.com/zitadel/zitadel/internal/eventstore"
 )
@@ -124,7 +123,7 @@ func (h *FieldHandler) processEvents(ctx context.Context, config *triggerConfig)
 		return additionalIteration, err
 	}
 	// stop execution if currentState.eventTimestamp >= config.maxCreatedAt
-	if !config.maxPosition.IsZero() && currentState.position.GreaterThanOrEqual(config.maxPosition) {
+	if config.maxPosition != 0 && currentState.position >= config.maxPosition {
 		return false, nil
 	}
 
@@ -157,7 +156,7 @@ func (h *FieldHandler) fetchEvents(ctx context.Context, tx *sql.Tx, currentState
 
 	idx, offset := skipPreviouslyReducedEvents(events, currentState)
 
-	if currentState.position.Equal(events[len(events)-1].Position()) {
+	if currentState.position == events[len(events)-1].Position() {
 		offset += currentState.offset
 	}
 	currentState.position = events[len(events)-1].Position()
@@ -187,9 +186,9 @@ func (h *FieldHandler) fetchEvents(ctx context.Context, tx *sql.Tx, currentState
 }
 
 func skipPreviouslyReducedEvents(events []eventstore.Event, currentState *state) (index int, offset uint32) {
-	var position decimal.Decimal
+	var position float64
 	for i, event := range events {
-		if !event.Position().Equal(position) {
+		if event.Position() != position {
 			offset = 0
 			position = event.Position()
 		}
diff --git a/internal/eventstore/handler/v2/handler.go b/internal/eventstore/handler/v2/handler.go
index aaefec2e9b..b395035b8f 100644
--- a/internal/eventstore/handler/v2/handler.go
+++ b/internal/eventstore/handler/v2/handler.go
@@ -4,13 +4,13 @@ import (
 	"context"
 	"database/sql"
 	"errors"
+	"math"
 	"math/rand"
 	"slices"
 	"sync"
 	"time"
 
 	"github.com/jackc/pgx/v5/pgconn"
-	"github.com/shopspring/decimal"
 	"github.com/zitadel/logging"
 
 	"github.com/zitadel/zitadel/internal/api/authz"
@@ -379,7 +379,7 @@ func (h *Handler) existingInstances(ctx context.Context) ([]string, error) {
 
 type triggerConfig struct {
 	awaitRunning bool
-	maxPosition  decimal.Decimal
+	maxPosition  float64
 }
 
 type TriggerOpt func(conf *triggerConfig)
@@ -390,7 +390,7 @@ func WithAwaitRunning() TriggerOpt {
 	}
 }
 
-func WithMaxPosition(position decimal.Decimal) TriggerOpt {
+func WithMaxPosition(position float64) TriggerOpt {
 	return func(conf *triggerConfig) {
 		conf.maxPosition = position
 	}
@@ -500,7 +500,7 @@ func (h *Handler) processEvents(ctx context.Context, config *triggerConfig) (add
 		return additionalIteration, err
 	}
 	// stop execution if currentState.eventTimestamp >= config.maxCreatedAt
-	if !config.maxPosition.Equal(decimal.Decimal{}) && currentState.position.GreaterThanOrEqual(config.maxPosition) {
+	if config.maxPosition != 0 && currentState.position >= config.maxPosition {
 		return false, nil
 	}
 
@@ -576,7 +576,7 @@ func (h *Handler) generateStatements(ctx context.Context, tx *sql.Tx, currentSta
 
 func skipPreviouslyReducedStatements(statements []*Statement, currentState *state) int {
 	for i, statement := range statements {
-		if statement.Position.Equal(currentState.position) &&
+		if statement.Position == currentState.position &&
 			statement.AggregateID == currentState.aggregateID &&
 			statement.AggregateType == currentState.aggregateType &&
 			statement.Sequence == currentState.sequence {
@@ -609,14 +609,14 @@ func (h *Handler) executeStatement(ctx context.Context, tx *sql.Tx, currentState
 		return nil
 	}
 
-	_, err = tx.ExecContext(ctx, "SAVEPOINT exec")
+	_, err = tx.Exec("SAVEPOINT exec")
 	if err != nil {
 		h.log().WithError(err).Debug("create savepoint failed")
 		return err
 	}
 	var shouldContinue bool
 	defer func() {
-		_, errSave := tx.ExecContext(ctx, "RELEASE SAVEPOINT exec")
+		_, errSave := tx.Exec("RELEASE SAVEPOINT exec")
 		if err == nil {
 			err = errSave
 		}
@@ -644,8 +644,9 @@ func (h *Handler) eventQuery(currentState *state) *eventstore.SearchQueryBuilder
 		OrderAsc().
 		InstanceID(currentState.instanceID)
 
-	if currentState.position.GreaterThan(decimal.Decimal{}) {
-		builder = builder.PositionGreaterEqual(currentState.position)
+	if currentState.position > 0 {
+		// decrease position by 10 because builder.PositionAfter filters for position > and we need position >=
+		builder = builder.PositionAfter(math.Float64frombits(math.Float64bits(currentState.position) - 10))
 		if currentState.offset > 0 {
 			builder = builder.Offset(currentState.offset)
 		}
diff --git a/internal/eventstore/handler/v2/state.go b/internal/eventstore/handler/v2/state.go
index c4afaed204..d3b6953488 100644
--- a/internal/eventstore/handler/v2/state.go
+++ b/internal/eventstore/handler/v2/state.go
@@ -7,8 +7,6 @@ import (
 	"errors"
 	"time"
 
-	"github.com/shopspring/decimal"
-
 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/zerrors"
@@ -16,7 +14,7 @@ import (
 
 type state struct {
 	instanceID     string
-	position       decimal.Decimal
+	position       float64
 	eventTimestamp time.Time
 	aggregateType  eventstore.AggregateType
 	aggregateID    string
@@ -47,7 +45,7 @@ func (h *Handler) currentState(ctx context.Context, tx *sql.Tx, config *triggerC
 		aggregateType = new(sql.NullString)
 		sequence      = new(sql.NullInt64)
 		timestamp     = new(sql.NullTime)
-		position      = new(decimal.NullDecimal)
+		position      = new(sql.NullFloat64)
 		offset        = new(sql.NullInt64)
 	)
 
@@ -77,7 +75,7 @@ func (h *Handler) currentState(ctx context.Context, tx *sql.Tx, config *triggerC
 	currentState.aggregateType = eventstore.AggregateType(aggregateType.String)
 	currentState.sequence = uint64(sequence.Int64)
 	currentState.eventTimestamp = timestamp.Time
-	currentState.position = position.Decimal
+	currentState.position = position.Float64
 	// psql does not provide unsigned numbers so we work around it
 	currentState.offset = uint32(offset.Int64)
 	return currentState, nil
diff --git a/internal/eventstore/handler/v2/state_test.go b/internal/eventstore/handler/v2/state_test.go
index ef91d78e55..cc5fb1fbab 100644
--- a/internal/eventstore/handler/v2/state_test.go
+++ b/internal/eventstore/handler/v2/state_test.go
@@ -11,7 +11,6 @@ import (
 	"time"
 
 	"github.com/jackc/pgx/v5/pgconn"
-	"github.com/shopspring/decimal"
 
 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/database/mock"
@@ -167,7 +166,7 @@ func TestHandler_updateLastUpdated(t *testing.T) {
 				updatedState: &state{
 					instanceID:     "instance",
 					eventTimestamp: time.Now(),
-					position:       decimal.NewFromInt(42),
+					position:       42,
 				},
 			},
 			isErr: func(t *testing.T, err error) {
@@ -193,7 +192,7 @@ func TestHandler_updateLastUpdated(t *testing.T) {
 				updatedState: &state{
 					instanceID:     "instance",
 					eventTimestamp: time.Now(),
-					position:       decimal.NewFromInt(42),
+					position:       42,
 				},
 			},
 			isErr: func(t *testing.T, err error) {
@@ -218,7 +217,7 @@ func TestHandler_updateLastUpdated(t *testing.T) {
 							eventstore.AggregateType("aggregate type"),
 							uint64(42),
 							mock.AnyType[time.Time]{},
-							decimal.NewFromInt(42),
+							float64(42),
 							uint32(0),
 						),
 						mock.WithExecRowsAffected(1),
@@ -229,7 +228,7 @@ func TestHandler_updateLastUpdated(t *testing.T) {
 				updatedState: &state{
 					instanceID:     "instance",
 					eventTimestamp: time.Now(),
-					position:       decimal.NewFromInt(42),
+					position:       42,
 					aggregateType:  "aggregate type",
 					aggregateID:    "aggregate id",
 					sequence:       42,
@@ -398,7 +397,7 @@ func TestHandler_currentState(t *testing.T) {
 									"aggregate type",
 									int64(42),
 									testTime,
-									decimal.NewFromInt(42).String(),
+									float64(42),
 									uint16(10),
 								},
 							},
@@ -413,7 +412,7 @@ func TestHandler_currentState(t *testing.T) {
 				currentState: &state{
 					instanceID:     "instance",
 					eventTimestamp: testTime,
-					position:       decimal.NewFromInt(42),
+					position:       42,
 					aggregateType:  "aggregate type",
 					aggregateID:    "aggregate id",
 					sequence:       42,
diff --git a/internal/eventstore/handler/v2/statement.go b/internal/eventstore/handler/v2/statement.go
index 4bc660d9f9..207f3d0f58 100644
--- a/internal/eventstore/handler/v2/statement.go
+++ b/internal/eventstore/handler/v2/statement.go
@@ -9,7 +9,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/shopspring/decimal"
 	"github.com/zitadel/logging"
 	"golang.org/x/exp/constraints"
 
@@ -84,7 +83,7 @@ type Statement struct {
 	AggregateType eventstore.AggregateType
 	AggregateID   string
 	Sequence      uint64
-	Position      decimal.Decimal
+	Position      float64
 	CreationDate  time.Time
 	InstanceID    string
 
diff --git a/internal/eventstore/local_crdb_test.go b/internal/eventstore/local_crdb_test.go
index e46509ba9f..6df9e9fd29 100644
--- a/internal/eventstore/local_crdb_test.go
+++ b/internal/eventstore/local_crdb_test.go
@@ -2,16 +2,13 @@ package eventstore_test
 
 import (
 	"context"
+	"database/sql"
 	"encoding/json"
 	"os"
 	"testing"
 	"time"
 
 	"github.com/cockroachdb/cockroach-go/v2/testserver"
-	pgxdecimal "github.com/jackc/pgx-shopspring-decimal"
-	"github.com/jackc/pgx/v5"
-	"github.com/jackc/pgx/v5/pgxpool"
-	"github.com/jackc/pgx/v5/stdlib"
 	"github.com/zitadel/logging"
 
 	"github.com/zitadel/zitadel/cmd/initialise"
@@ -42,19 +39,10 @@ func TestMain(m *testing.M) {
 	testCRDBClient = &database.DB{
 		Database: new(testDB),
 	}
-	config, err := pgxpool.ParseConfig(ts.PGURL().String())
+	testCRDBClient.DB, err = sql.Open("postgres", ts.PGURL().String())
 	if err != nil {
-		logging.WithFields("error", err).Fatal("unable to parse db config")
+		logging.WithFields("error", err).Fatal("unable to connect to db")
 	}
-	config.AfterConnect = func(ctx context.Context, conn *pgx.Conn) error {
-		pgxdecimal.Register(conn.TypeMap())
-		return nil
-	}
-	pool, err := pgxpool.NewWithConfig(context.Background(), config)
-	if err != nil {
-		logging.WithFields("error", err).Fatal("unable to create db pool")
-	}
-	testCRDBClient.DB = stdlib.OpenDBFromPool(pool)
 	if err = testCRDBClient.Ping(); err != nil {
 		logging.WithFields("error", err).Fatal("unable to ping db")
 	}
@@ -115,19 +103,10 @@ func initDB(db *database.DB) error {
 }
 
 func connectLocalhost() (*database.DB, error) {
-	config, err := pgxpool.ParseConfig("postgresql://root@localhost:26257/defaultdb?sslmode=disable")
+	client, err := sql.Open("pgx", "postgresql://root@localhost:26257/defaultdb?sslmode=disable")
 	if err != nil {
 		return nil, err
 	}
-	config.AfterConnect = func(ctx context.Context, conn *pgx.Conn) error {
-		pgxdecimal.Register(conn.TypeMap())
-		return nil
-	}
-	pool, err := pgxpool.NewWithConfig(context.Background(), config)
-	if err != nil {
-		return nil, err
-	}
-	client := stdlib.OpenDBFromPool(pool)
 	if err = client.Ping(); err != nil {
 		return nil, err
 	}
diff --git a/internal/eventstore/read_model.go b/internal/eventstore/read_model.go
index ae77275732..d2c755cc3a 100644
--- a/internal/eventstore/read_model.go
+++ b/internal/eventstore/read_model.go
@@ -1,23 +1,19 @@
 package eventstore
 
-import (
-	"time"
-
-	"github.com/shopspring/decimal"
-)
+import "time"
 
 // ReadModel is the minimum representation of a read model.
 // It implements a basic reducer
 // it might be saved in a database or in memory
 type ReadModel struct {
-	AggregateID       string          `json:"-"`
-	ProcessedSequence uint64          `json:"-"`
-	CreationDate      time.Time       `json:"-"`
-	ChangeDate        time.Time       `json:"-"`
-	Events            []Event         `json:"-"`
-	ResourceOwner     string          `json:"-"`
-	InstanceID        string          `json:"-"`
-	Position          decimal.Decimal `json:"-"`
+	AggregateID       string    `json:"-"`
+	ProcessedSequence uint64    `json:"-"`
+	CreationDate      time.Time `json:"-"`
+	ChangeDate        time.Time `json:"-"`
+	Events            []Event   `json:"-"`
+	ResourceOwner     string    `json:"-"`
+	InstanceID        string    `json:"-"`
+	Position          float64   `json:"-"`
 }
 
 // AppendEvents adds all the events to the read model.
diff --git a/internal/eventstore/repository/event.go b/internal/eventstore/repository/event.go
index 2f4c1d8843..57b85f15ba 100644
--- a/internal/eventstore/repository/event.go
+++ b/internal/eventstore/repository/event.go
@@ -5,8 +5,6 @@ import (
 	"encoding/json"
 	"time"
 
-	"github.com/shopspring/decimal"
-
 	"github.com/zitadel/zitadel/internal/eventstore"
 )
 
@@ -20,7 +18,7 @@ type Event struct {
 	// Seq is the sequence of the event
 	Seq uint64
 	// Pos is the global sequence of the event multiple events can have the same sequence
-	Pos decimal.Decimal
+	Pos float64
 
 	//CreationDate is the time the event is created
 	// it's used for human readability.
@@ -93,7 +91,7 @@ func (e *Event) Sequence() uint64 {
 }
 
 // Position implements [eventstore.Event]
-func (e *Event) Position() decimal.Decimal {
+func (e *Event) Position() float64 {
 	return e.Pos
 }
 
diff --git a/internal/eventstore/repository/mock/repository.mock.go b/internal/eventstore/repository/mock/repository.mock.go
index ebd5f501a2..a854de2995 100644
--- a/internal/eventstore/repository/mock/repository.mock.go
+++ b/internal/eventstore/repository/mock/repository.mock.go
@@ -13,7 +13,6 @@ import (
 	context "context"
 	reflect "reflect"
 
-	decimal "github.com/shopspring/decimal"
 	eventstore "github.com/zitadel/zitadel/internal/eventstore"
 	gomock "go.uber.org/mock/gomock"
 )
@@ -84,19 +83,19 @@ func (mr *MockQuerierMockRecorder) InstanceIDs(arg0, arg1 any) *gomock.Call {
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "InstanceIDs", reflect.TypeOf((*MockQuerier)(nil).InstanceIDs), arg0, arg1)
 }
 
-// LatestPosition mocks base method.
-func (m *MockQuerier) LatestPosition(arg0 context.Context, arg1 *eventstore.SearchQueryBuilder) (decimal.Decimal, error) {
+// LatestSequence mocks base method.
+func (m *MockQuerier) LatestSequence(arg0 context.Context, arg1 *eventstore.SearchQueryBuilder) (float64, error) {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "LatestPosition", arg0, arg1)
-	ret0, _ := ret[0].(decimal.Decimal)
+	ret := m.ctrl.Call(m, "LatestSequence", arg0, arg1)
+	ret0, _ := ret[0].(float64)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }
 
-// LatestPosition indicates an expected call of LatestPosition.
-func (mr *MockQuerierMockRecorder) LatestPosition(arg0, arg1 any) *gomock.Call {
+// LatestSequence indicates an expected call of LatestSequence.
+func (mr *MockQuerierMockRecorder) LatestSequence(arg0, arg1 any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "LatestPosition", reflect.TypeOf((*MockQuerier)(nil).LatestPosition), arg0, arg1)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "LatestSequence", reflect.TypeOf((*MockQuerier)(nil).LatestSequence), arg0, arg1)
 }
 
 // MockPusher is a mock of Pusher interface.
diff --git a/internal/eventstore/repository/mock/repository.mock.impl.go b/internal/eventstore/repository/mock/repository.mock.impl.go
index 41ad4befd3..d41521ad8f 100644
--- a/internal/eventstore/repository/mock/repository.mock.impl.go
+++ b/internal/eventstore/repository/mock/repository.mock.impl.go
@@ -7,7 +7,6 @@ import (
 	"testing"
 	"time"
 
-	"github.com/shopspring/decimal"
 	"github.com/stretchr/testify/assert"
 	"go.uber.org/mock/gomock"
 
@@ -187,8 +186,8 @@ func (e *mockEvent) Sequence() uint64 {
 	return e.sequence
 }
 
-func (e *mockEvent) Position() decimal.Decimal {
-	return decimal.Decimal{}
+func (e *mockEvent) Position() float64 {
+	return 0
 }
 
 func (e *mockEvent) CreatedAt() time.Time {
diff --git a/internal/eventstore/repository/search_query.go b/internal/eventstore/repository/search_query.go
index b28574cc84..39cca8b149 100644
--- a/internal/eventstore/repository/search_query.go
+++ b/internal/eventstore/repository/search_query.go
@@ -55,8 +55,6 @@ const (
 	//OperationNotIn checks if a stored value does not match one of the passed value list
 	OperationNotIn
 
-	OperationGreaterEqual
-
 	operationCount
 )
 
@@ -234,10 +232,10 @@ func instanceIDsFilter(builder *eventstore.SearchQueryBuilder, query *SearchQuer
 }
 
 func positionAfterFilter(builder *eventstore.SearchQueryBuilder, query *SearchQuery) *Filter {
-	if builder.GetPositionAfter().IsZero() {
+	if builder.GetPositionAfter() == 0 {
 		return nil
 	}
-	query.Position = NewFilter(FieldPosition, builder.GetPositionAfter(), OperationGreaterEqual)
+	query.Position = NewFilter(FieldPosition, builder.GetPositionAfter(), OperationGreater)
 	return query.Position
 }
 
diff --git a/internal/eventstore/repository/sql/crdb.go b/internal/eventstore/repository/sql/crdb.go
index c778015497..a60a2ef7b8 100644
--- a/internal/eventstore/repository/sql/crdb.go
+++ b/internal/eventstore/repository/sql/crdb.go
@@ -11,7 +11,6 @@ import (
 
 	"github.com/cockroachdb/cockroach-go/v2/crdb"
 	"github.com/jackc/pgx/v5/pgconn"
-	"github.com/shopspring/decimal"
 	"github.com/zitadel/logging"
 
 	"github.com/zitadel/zitadel/internal/api/authz"
@@ -266,11 +265,11 @@ func (crdb *CRDB) FilterToReducer(ctx context.Context, searchQuery *eventstore.S
 	return err
 }
 
-// LatestPosition returns the latest position found by the search query
-func (db *CRDB) LatestPosition(ctx context.Context, searchQuery *eventstore.SearchQueryBuilder) (decimal.Decimal, error) {
-	var position decimal.Decimal
+// LatestSequence returns the latest sequence found by the search query
+func (db *CRDB) LatestSequence(ctx context.Context, searchQuery *eventstore.SearchQueryBuilder) (float64, error) {
+	var position sql.NullFloat64
 	err := query(ctx, db, searchQuery, &position, false)
-	return position, err
+	return position.Float64, err
 }
 
 // InstanceIDs returns the instance ids found by the search query
@@ -337,7 +336,7 @@ func (db *CRDB) eventQuery(useV1 bool) string {
 		" FROM eventstore.events2"
 }
 
-func (db *CRDB) maxPositionQuery(useV1 bool) string {
+func (db *CRDB) maxSequenceQuery(useV1 bool) string {
 	if useV1 {
 		return `SELECT event_sequence FROM eventstore.events`
 	}
@@ -415,8 +414,6 @@ func (db *CRDB) operation(operation repository.Operation) string {
 		return "="
 	case repository.OperationGreater:
 		return ">"
-	case repository.OperationGreaterEqual:
-		return ">="
 	case repository.OperationLess:
 		return "<"
 	case repository.OperationJSONContains:
diff --git a/internal/eventstore/repository/sql/crdb_test.go b/internal/eventstore/repository/sql/crdb_test.go
index aae2fde78d..a3f3331a82 100644
--- a/internal/eventstore/repository/sql/crdb_test.go
+++ b/internal/eventstore/repository/sql/crdb_test.go
@@ -4,8 +4,6 @@ import (
 	"database/sql"
 	"testing"
 
-	"github.com/shopspring/decimal"
-
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/eventstore/repository"
 )
@@ -314,7 +312,7 @@ func generateEvent(t *testing.T, aggregateID string, opts ...func(*repository.Ev
 		ResourceOwner: sql.NullString{String: "ro", Valid: true},
 		Typ:           "test.created",
 		Version:       "v1",
-		Pos:           decimal.NewFromInt(42),
+		Pos:           42,
 	}
 
 	for _, opt := range opts {
diff --git a/internal/eventstore/repository/sql/query.go b/internal/eventstore/repository/sql/query.go
index c20bb62275..3cddcb7924 100644
--- a/internal/eventstore/repository/sql/query.go
+++ b/internal/eventstore/repository/sql/query.go
@@ -9,7 +9,6 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/shopspring/decimal"
 	"github.com/zitadel/logging"
 
 	"github.com/zitadel/zitadel/internal/api/call"
@@ -26,7 +25,7 @@ type querier interface {
 	conditionFormat(repository.Operation) string
 	placeholder(query string) string
 	eventQuery(useV1 bool) string
-	maxPositionQuery(useV1 bool) string
+	maxSequenceQuery(useV1 bool) string
 	instanceIDsQuery(useV1 bool) string
 	db() *database.DB
 	orderByEventSequence(desc, shouldOrderBySequence, useV1 bool) string
@@ -75,7 +74,7 @@ func query(ctx context.Context, criteria querier, searchQuery *eventstore.Search
 
 	// instead of using the max function of the database (which doesn't work for postgres)
 	// we select the most recent row
-	if q.Columns == eventstore.ColumnsMaxPosition {
+	if q.Columns == eventstore.ColumnsMaxSequence {
 		q.Limit = 1
 		q.Desc = true
 	}
@@ -92,7 +91,7 @@ func query(ctx context.Context, criteria querier, searchQuery *eventstore.Search
 
 	switch q.Columns {
 	case eventstore.ColumnsEvent,
-		eventstore.ColumnsMaxPosition:
+		eventstore.ColumnsMaxSequence:
 		query += criteria.orderByEventSequence(q.Desc, shouldOrderBySequence, useV1)
 	}
 
@@ -136,8 +135,8 @@ func query(ctx context.Context, criteria querier, searchQuery *eventstore.Search
 
 func prepareColumns(criteria querier, columns eventstore.Columns, useV1 bool) (string, func(s scan, dest interface{}) error) {
 	switch columns {
-	case eventstore.ColumnsMaxPosition:
-		return criteria.maxPositionQuery(useV1), maxPositionScanner
+	case eventstore.ColumnsMaxSequence:
+		return criteria.maxSequenceQuery(useV1), maxSequenceScanner
 	case eventstore.ColumnsInstanceIDs:
 		return criteria.instanceIDsQuery(useV1), instanceIDsScanner
 	case eventstore.ColumnsEvent:
@@ -155,15 +154,13 @@ func prepareTimeTravel(ctx context.Context, criteria querier, allow bool) string
 	return criteria.Timetravel(took)
 }
 
-func maxPositionScanner(row scan, dest interface{}) (err error) {
-	position, ok := dest.(*decimal.Decimal)
+func maxSequenceScanner(row scan, dest interface{}) (err error) {
+	position, ok := dest.(*sql.NullFloat64)
 	if !ok {
-		return zerrors.ThrowInvalidArgumentf(nil, "SQL-NBjA9", "type must be decimal.Decimal got: %T", dest)
+		return zerrors.ThrowInvalidArgumentf(nil, "SQL-NBjA9", "type must be sql.NullInt64 got: %T", dest)
 	}
-	var res decimal.NullDecimal
-	err = row(&res)
+	err = row(position)
 	if err == nil || errors.Is(err, sql.ErrNoRows) {
-		*position = res.Decimal
 		return nil
 	}
 	return zerrors.ThrowInternal(err, "SQL-bN5xg", "something went wrong")
@@ -192,7 +189,7 @@ func eventsScanner(useV1 bool) func(scanner scan, dest interface{}) (err error)
 			return zerrors.ThrowInvalidArgumentf(nil, "SQL-4GP6F", "events scanner: invalid type %T", dest)
 		}
 		event := new(repository.Event)
-		position := new(decimal.NullDecimal)
+		position := new(sql.NullFloat64)
 
 		if useV1 {
 			err = scanner(
@@ -229,7 +226,7 @@ func eventsScanner(useV1 bool) func(scanner scan, dest interface{}) (err error)
 			logging.New().WithError(err).Warn("unable to scan row")
 			return zerrors.ThrowInternal(err, "SQL-M0dsf", "unable to scan row")
 		}
-		event.Pos = position.Decimal
+		event.Pos = position.Float64
 		return reduce(event)
 	}
 }
diff --git a/internal/eventstore/repository/sql/query_test.go b/internal/eventstore/repository/sql/query_test.go
index 654fa6d0b5..5d54b27c21 100644
--- a/internal/eventstore/repository/sql/query_test.go
+++ b/internal/eventstore/repository/sql/query_test.go
@@ -10,7 +10,6 @@ import (
 	"time"
 
 	"github.com/DATA-DOG/go-sqlmock"
-	"github.com/shopspring/decimal"
 	"github.com/stretchr/testify/assert"
 
 	"github.com/zitadel/zitadel/internal/database"
@@ -110,36 +109,36 @@ func Test_prepareColumns(t *testing.T) {
 		{
 			name: "max column",
 			args: args{
-				columns: eventstore.ColumnsMaxPosition,
-				dest:    new(decimal.Decimal),
+				columns: eventstore.ColumnsMaxSequence,
+				dest:    new(sql.NullFloat64),
 				useV1:   true,
 			},
 			res: res{
 				query:    `SELECT event_sequence FROM eventstore.events`,
-				expected: decimal.NewFromInt(42),
+				expected: sql.NullFloat64{Float64: 43, Valid: true},
 			},
 			fields: fields{
-				dbRow: []interface{}{decimal.NewNullDecimal(decimal.NewFromInt(42))},
+				dbRow: []interface{}{sql.NullFloat64{Float64: 43, Valid: true}},
 			},
 		},
 		{
 			name: "max column v2",
 			args: args{
-				columns: eventstore.ColumnsMaxPosition,
-				dest:    new(decimal.Decimal),
+				columns: eventstore.ColumnsMaxSequence,
+				dest:    new(sql.NullFloat64),
 			},
 			res: res{
 				query:    `SELECT "position" FROM eventstore.events2`,
-				expected: decimal.NewFromInt(42),
+				expected: sql.NullFloat64{Float64: 43, Valid: true},
 			},
 			fields: fields{
-				dbRow: []interface{}{decimal.NewNullDecimal(decimal.NewFromInt(42))},
+				dbRow: []interface{}{sql.NullFloat64{Float64: 43, Valid: true}},
 			},
 		},
 		{
 			name: "max sequence wrong dest type",
 			args: args{
-				columns: eventstore.ColumnsMaxPosition,
+				columns: eventstore.ColumnsMaxSequence,
 				dest:    new(uint64),
 			},
 			res: res{
@@ -179,11 +178,11 @@ func Test_prepareColumns(t *testing.T) {
 			res: res{
 				query: `SELECT created_at, event_type, "sequence", "position", payload, creator, "owner", instance_id, aggregate_type, aggregate_id, revision FROM eventstore.events2`,
 				expected: []eventstore.Event{
-					&repository.Event{AggregateID: "hodor", AggregateType: "user", Seq: 5, Pos: decimal.NewFromInt(42), Data: nil, Version: "v1"},
+					&repository.Event{AggregateID: "hodor", AggregateType: "user", Seq: 5, Pos: 42, Data: nil, Version: "v1"},
 				},
 			},
 			fields: fields{
-				dbRow: []interface{}{time.Time{}, eventstore.EventType(""), uint64(5), decimal.NewNullDecimal(decimal.NewFromInt(42)), sql.RawBytes(nil), "", sql.NullString{}, "", eventstore.AggregateType("user"), "hodor", uint8(1)},
+				dbRow: []interface{}{time.Time{}, eventstore.EventType(""), uint64(5), sql.NullFloat64{Float64: 42, Valid: true}, sql.RawBytes(nil), "", sql.NullString{}, "", eventstore.AggregateType("user"), "hodor", uint8(1)},
 			},
 		},
 		{
@@ -198,11 +197,11 @@ func Test_prepareColumns(t *testing.T) {
 			res: res{
 				query: `SELECT created_at, event_type, "sequence", "position", payload, creator, "owner", instance_id, aggregate_type, aggregate_id, revision FROM eventstore.events2`,
 				expected: []eventstore.Event{
-					&repository.Event{AggregateID: "hodor", AggregateType: "user", Seq: 5, Pos: decimal.Decimal{}, Data: nil, Version: "v1"},
+					&repository.Event{AggregateID: "hodor", AggregateType: "user", Seq: 5, Pos: 0, Data: nil, Version: "v1"},
 				},
 			},
 			fields: fields{
-				dbRow: []interface{}{time.Time{}, eventstore.EventType(""), uint64(5), decimal.NullDecimal{}, sql.RawBytes(nil), "", sql.NullString{}, "", eventstore.AggregateType("user"), "hodor", uint8(1)},
+				dbRow: []interface{}{time.Time{}, eventstore.EventType(""), uint64(5), sql.NullFloat64{Float64: 0, Valid: false}, sql.RawBytes(nil), "", sql.NullString{}, "", eventstore.AggregateType("user"), "hodor", uint8(1)},
 			},
 		},
 		{
diff --git a/internal/eventstore/search_query.go b/internal/eventstore/search_query.go
index c7f9a65da3..0c08a260eb 100644
--- a/internal/eventstore/search_query.go
+++ b/internal/eventstore/search_query.go
@@ -5,8 +5,6 @@ import (
 	"database/sql"
 	"time"
 
-	"github.com/shopspring/decimal"
-
 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )
@@ -25,7 +23,7 @@ type SearchQueryBuilder struct {
 	queries               []*SearchQuery
 	tx                    *sql.Tx
 	allowTimeTravel       bool
-	positionGreaterEqual  decimal.Decimal
+	positionAfter         float64
 	awaitOpenTransactions bool
 	creationDateAfter     time.Time
 	creationDateBefore    time.Time
@@ -76,8 +74,8 @@ func (b *SearchQueryBuilder) GetAllowTimeTravel() bool {
 	return b.allowTimeTravel
 }
 
-func (b SearchQueryBuilder) GetPositionAfter() decimal.Decimal {
-	return b.positionGreaterEqual
+func (b SearchQueryBuilder) GetPositionAfter() float64 {
+	return b.positionAfter
 }
 
 func (b SearchQueryBuilder) GetAwaitOpenTransactions() bool {
@@ -133,8 +131,8 @@ type Columns int8
 const (
 	//ColumnsEvent represents all fields of an event
 	ColumnsEvent = iota + 1
-	// ColumnsMaxPosition represents the latest sequence of the filtered events
-	ColumnsMaxPosition
+	// ColumnsMaxSequence represents the latest sequence of the filtered events
+	ColumnsMaxSequence
 	// ColumnsInstanceIDs represents the instance ids of the filtered events
 	ColumnsInstanceIDs
 
@@ -269,8 +267,8 @@ func (builder *SearchQueryBuilder) AllowTimeTravel() *SearchQueryBuilder {
 }
 
 // PositionAfter filters for events which happened after the specified time
-func (builder *SearchQueryBuilder) PositionGreaterEqual(position decimal.Decimal) *SearchQueryBuilder {
-	builder.positionGreaterEqual = position
+func (builder *SearchQueryBuilder) PositionAfter(position float64) *SearchQueryBuilder {
+	builder.positionAfter = position
 	return builder
 }
 
diff --git a/internal/eventstore/search_query_test.go b/internal/eventstore/search_query_test.go
index da8acf878d..8c654911ea 100644
--- a/internal/eventstore/search_query_test.go
+++ b/internal/eventstore/search_query_test.go
@@ -116,10 +116,10 @@ func TestSearchQuerybuilderSetters(t *testing.T) {
 		{
 			name: "set columns",
 			args: args{
-				setters: []func(*SearchQueryBuilder) *SearchQueryBuilder{testSetColumns(ColumnsMaxPosition)},
+				setters: []func(*SearchQueryBuilder) *SearchQueryBuilder{testSetColumns(ColumnsMaxSequence)},
 			},
 			res: &SearchQueryBuilder{
-				columns: ColumnsMaxPosition,
+				columns: ColumnsMaxSequence,
 			},
 		},
 		{
diff --git a/internal/eventstore/v1/models/event.go b/internal/eventstore/v1/models/event.go
index ab2b608872..8c50d64da0 100644
--- a/internal/eventstore/v1/models/event.go
+++ b/internal/eventstore/v1/models/event.go
@@ -5,8 +5,6 @@ import (
 	"reflect"
 	"time"
 
-	"github.com/shopspring/decimal"
-
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )
@@ -22,7 +20,7 @@ var _ eventstore.Event = (*Event)(nil)
 type Event struct {
 	ID               string
 	Seq              uint64
-	Pos              decimal.Decimal
+	Pos              float64
 	CreationDate     time.Time
 	Typ              eventstore.EventType
 	PreviousSequence uint64
@@ -82,7 +80,7 @@ func (e *Event) Sequence() uint64 {
 }
 
 // Position implements [eventstore.Event]
-func (e *Event) Position() decimal.Decimal {
+func (e *Event) Position() float64 {
 	return e.Pos
 }
 
diff --git a/internal/eventstore/v3/event.go b/internal/eventstore/v3/event.go
index f489d98396..e1c95f13ff 100644
--- a/internal/eventstore/v3/event.go
+++ b/internal/eventstore/v3/event.go
@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"time"
 
-	"github.com/shopspring/decimal"
 	"github.com/zitadel/logging"
 
 	"github.com/zitadel/zitadel/internal/eventstore"
@@ -22,7 +21,7 @@ type event struct {
 	typ       eventstore.EventType
 	createdAt time.Time
 	sequence  uint64
-	position  decimal.Decimal
+	position  float64
 	payload   Payload
 }
 
@@ -85,8 +84,8 @@ func (e *event) Sequence() uint64 {
 	return e.sequence
 }
 
-// Position implements [eventstore.Event]
-func (e *event) Position() decimal.Decimal {
+// Sequence implements [eventstore.Event]
+func (e *event) Position() float64 {
 	return e.position
 }
 
diff --git a/internal/query/access_token.go b/internal/query/access_token.go
index a5edc068cd..4180a6ad5e 100644
--- a/internal/query/access_token.go
+++ b/internal/query/access_token.go
@@ -5,7 +5,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/shopspring/decimal"
 	"golang.org/x/text/language"
 
 	"github.com/zitadel/zitadel/internal/domain"
@@ -141,7 +140,7 @@ func (q *Queries) accessTokenByOIDCSessionAndTokenID(ctx context.Context, oidcSe
 
 // checkSessionNotTerminatedAfter checks if a [session.TerminateType] event (or user events leading to a session termination)
 // occurred after a certain time and will return an error if so.
-func (q *Queries) checkSessionNotTerminatedAfter(ctx context.Context, sessionID, userID string, position decimal.Decimal, fingerprintID string) (err error) {
+func (q *Queries) checkSessionNotTerminatedAfter(ctx context.Context, sessionID, userID string, position float64, fingerprintID string) (err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 
@@ -163,7 +162,7 @@ func (q *Queries) checkSessionNotTerminatedAfter(ctx context.Context, sessionID,
 }
 
 type sessionTerminatedModel struct {
-	position      decimal.Decimal
+	position      float64
 	sessionID     string
 	userID        string
 	fingerPrintID string
@@ -183,7 +182,7 @@ func (s *sessionTerminatedModel) AppendEvents(events ...eventstore.Event) {
 
 func (s *sessionTerminatedModel) Query() *eventstore.SearchQueryBuilder {
 	query := eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
-		PositionGreaterEqual(s.position).
+		PositionAfter(s.position).
 		AddQuery().
 		AggregateTypes(session.AggregateType).
 		AggregateIDs(s.sessionID).
diff --git a/internal/query/current_state.go b/internal/query/current_state.go
index 790b594c2d..29497e6eec 100644
--- a/internal/query/current_state.go
+++ b/internal/query/current_state.go
@@ -10,7 +10,6 @@ import (
 	"time"
 
 	sq "github.com/Masterminds/squirrel"
-	"github.com/shopspring/decimal"
 	"github.com/zitadel/logging"
 
 	"github.com/zitadel/zitadel/internal/api/call"
@@ -27,7 +26,7 @@ type Stateful interface {
 type State struct {
 	LastRun time.Time
 
-	Position       decimal.Decimal
+	Position       float64
 	EventCreatedAt time.Time
 	AggregateID    string
 	AggregateType  eventstore.AggregateType
@@ -222,7 +221,7 @@ func prepareLatestState(ctx context.Context, db prepareDatabase) (sq.SelectBuild
 			var (
 				creationDate sql.NullTime
 				lastUpdated  sql.NullTime
-				position     decimal.NullDecimal
+				position     sql.NullFloat64
 			)
 			err := row.Scan(
 				&creationDate,
@@ -235,7 +234,7 @@ func prepareLatestState(ctx context.Context, db prepareDatabase) (sq.SelectBuild
 			return &State{
 				EventCreatedAt: creationDate.Time,
 				LastRun:        lastUpdated.Time,
-				Position:       position.Decimal,
+				Position:       position.Float64,
 			}, nil
 		}
 }
@@ -260,7 +259,7 @@ func prepareCurrentStateQuery(ctx context.Context, db prepareDatabase) (sq.Selec
 				var (
 					lastRun         sql.NullTime
 					eventDate       sql.NullTime
-					currentPosition decimal.NullDecimal
+					currentPosition sql.NullFloat64
 					aggregateType   sql.NullString
 					aggregateID     sql.NullString
 					sequence        sql.NullInt64
@@ -281,7 +280,7 @@ func prepareCurrentStateQuery(ctx context.Context, db prepareDatabase) (sq.Selec
 				}
 				currentState.State.EventCreatedAt = eventDate.Time
 				currentState.State.LastRun = lastRun.Time
-				currentState.Position = currentPosition.Decimal
+				currentState.Position = currentPosition.Float64
 				currentState.AggregateType = eventstore.AggregateType(aggregateType.String)
 				currentState.AggregateID = aggregateID.String
 				currentState.Sequence = uint64(sequence.Int64)
diff --git a/internal/query/current_state_test.go b/internal/query/current_state_test.go
index f17509aa9c..c76dae710e 100644
--- a/internal/query/current_state_test.go
+++ b/internal/query/current_state_test.go
@@ -7,8 +7,6 @@ import (
 	"fmt"
 	"regexp"
 	"testing"
-
-	"github.com/shopspring/decimal"
 )
 
 var (
@@ -89,7 +87,7 @@ func Test_CurrentSequencesPrepares(t *testing.T) {
 						State: State{
 							EventCreatedAt: testNow,
 							LastRun:        testNow,
-							Position:       decimal.NewFromInt(20211108),
+							Position:       20211108,
 							AggregateID:    "agg-id",
 							AggregateType:  "agg-type",
 							Sequence:       20211108,
@@ -136,7 +134,7 @@ func Test_CurrentSequencesPrepares(t *testing.T) {
 						ProjectionName: "projection-name",
 						State: State{
 							EventCreatedAt: testNow,
-							Position:       decimal.NewFromInt(20211108),
+							Position:       20211108,
 							LastRun:        testNow,
 							AggregateID:    "agg-id",
 							AggregateType:  "agg-type",
@@ -147,7 +145,7 @@ func Test_CurrentSequencesPrepares(t *testing.T) {
 						ProjectionName: "projection-name2",
 						State: State{
 							EventCreatedAt: testNow,
-							Position:       decimal.NewFromInt(20211108),
+							Position:       20211108,
 							LastRun:        testNow,
 							AggregateID:    "agg-id",
 							AggregateType:  "agg-type",
diff --git a/internal/query/user_grant.go b/internal/query/user_grant.go
index e2bbabdc72..265d8eaae1 100644
--- a/internal/query/user_grant.go
+++ b/internal/query/user_grant.go
@@ -281,7 +281,7 @@ func (q *Queries) UserGrants(ctx context.Context, queries *UserGrantsQueries, sh
 		return nil, zerrors.ThrowInternal(err, "QUERY-wXnQR", "Errors.Query.SQLStatement")
 	}
 
-	latestState, err := q.latestState(ctx, userGrantTable)
+	latestSequence, err := q.latestState(ctx, userGrantTable)
 	if err != nil {
 		return nil, err
 	}
@@ -294,7 +294,7 @@ func (q *Queries) UserGrants(ctx context.Context, queries *UserGrantsQueries, sh
 		return nil, err
 	}
 
-	grants.State = latestState
+	grants.State = latestSequence
 	return grants, nil
 }
 
diff --git a/internal/query/user_membership.go b/internal/query/user_membership.go
index a08617d57b..7ba2629cfa 100644
--- a/internal/query/user_membership.go
+++ b/internal/query/user_membership.go
@@ -144,7 +144,7 @@ func (q *Queries) Memberships(ctx context.Context, queries *MembershipSearchQuer
 	if err != nil {
 		return nil, zerrors.ThrowInvalidArgument(err, "QUERY-T84X9", "Errors.Query.InvalidRequest")
 	}
-	latestState, err := q.latestState(ctx, orgMemberTable, instanceMemberTable, projectMemberTable, projectGrantMemberTable)
+	latestSequence, err := q.latestState(ctx, orgMemberTable, instanceMemberTable, projectMemberTable, projectGrantMemberTable)
 	if err != nil {
 		return nil, err
 	}
@@ -157,7 +157,7 @@ func (q *Queries) Memberships(ctx context.Context, queries *MembershipSearchQuer
 	if err != nil {
 		return nil, err
 	}
-	memberships.State = latestState
+	memberships.State = latestSequence
 	return memberships, nil
 }
 
diff --git a/internal/v2/database/number_filter.go b/internal/v2/database/number_filter.go
index 4853806457..ce263ceeee 100644
--- a/internal/v2/database/number_filter.go
+++ b/internal/v2/database/number_filter.go
@@ -3,7 +3,6 @@ package database
 import (
 	"time"
 
-	"github.com/shopspring/decimal"
 	"github.com/zitadel/logging"
 	"golang.org/x/exp/constraints"
 )
@@ -95,7 +94,7 @@ func (c numberCompare) String() string {
 }
 
 type number interface {
-	constraints.Integer | constraints.Float | time.Time | decimal.Decimal
+	constraints.Integer | constraints.Float | time.Time
 	// TODO: condition must know if it's args are named parameters or not
 	// constraints.Integer | constraints.Float | time.Time | placeholder
 }
diff --git a/internal/v2/eventstore/event_store.go b/internal/v2/eventstore/event_store.go
index e89786c657..cc447c5e15 100644
--- a/internal/v2/eventstore/event_store.go
+++ b/internal/v2/eventstore/event_store.go
@@ -2,8 +2,6 @@ package eventstore
 
 import (
 	"context"
-
-	"github.com/shopspring/decimal"
 )
 
 func NewEventstore(querier Querier, pusher Pusher) *EventStore {
@@ -32,12 +30,12 @@ type healthier interface {
 }
 
 type GlobalPosition struct {
-	Position        decimal.Decimal
+	Position        float64
 	InPositionOrder uint32
 }
 
 func (gp GlobalPosition) IsLess(other GlobalPosition) bool {
-	return gp.Position.LessThan(other.Position) || (gp.Position.Equal(other.Position) && gp.InPositionOrder < other.InPositionOrder)
+	return gp.Position < other.Position || (gp.Position == other.Position && gp.InPositionOrder < other.InPositionOrder)
 }
 
 type Reducer interface {
diff --git a/internal/v2/eventstore/postgres/push_test.go b/internal/v2/eventstore/postgres/push_test.go
index 6f8b224c41..91fdc1fcd7 100644
--- a/internal/v2/eventstore/postgres/push_test.go
+++ b/internal/v2/eventstore/postgres/push_test.go
@@ -8,8 +8,6 @@ import (
 	"testing"
 	"time"
 
-	"github.com/shopspring/decimal"
-
 	"github.com/zitadel/zitadel/internal/v2/database/mock"
 	"github.com/zitadel/zitadel/internal/v2/eventstore"
 	"github.com/zitadel/zitadel/internal/zerrors"
@@ -820,7 +818,7 @@ func Test_push(t *testing.T) {
 							[][]driver.Value{
 								{
 									time.Now(),
-									decimal.NewFromFloat(123).String(),
+									float64(123),
 								},
 							},
 						),
@@ -901,11 +899,11 @@ func Test_push(t *testing.T) {
 							[][]driver.Value{
 								{
 									time.Now(),
-									decimal.NewFromFloat(123).String(),
+									float64(123),
 								},
 								{
 									time.Now(),
-									decimal.NewFromFloat(123.1).String(),
+									float64(123.1),
 								},
 							},
 						),
@@ -986,11 +984,11 @@ func Test_push(t *testing.T) {
 							[][]driver.Value{
 								{
 									time.Now(),
-									decimal.NewFromFloat(123).String(),
+									float64(123),
 								},
 								{
 									time.Now(),
-									decimal.NewFromFloat(123.1).String(),
+									float64(123.1),
 								},
 							},
 						),
@@ -1046,7 +1044,7 @@ func Test_push(t *testing.T) {
 							[][]driver.Value{
 								{
 									time.Now(),
-									decimal.NewFromFloat(123).String(),
+									float64(123),
 								},
 							},
 						),
@@ -1101,7 +1099,7 @@ func Test_push(t *testing.T) {
 							[][]driver.Value{
 								{
 									time.Now(),
-									decimal.NewFromFloat(123).String(),
+									float64(123),
 								},
 							},
 						),
@@ -1183,11 +1181,11 @@ func Test_push(t *testing.T) {
 							[][]driver.Value{
 								{
 									time.Now(),
-									decimal.NewFromFloat(123).String(),
+									float64(123),
 								},
 								{
 									time.Now(),
-									decimal.NewFromFloat(123.1).String(),
+									float64(123.1),
 								},
 							},
 						),
@@ -1274,11 +1272,11 @@ func Test_push(t *testing.T) {
 							[][]driver.Value{
 								{
 									time.Now(),
-									decimal.NewFromFloat(123).String(),
+									float64(123),
 								},
 								{
 									time.Now(),
-									decimal.NewFromFloat(123.1).String(),
+									float64(123.1),
 								},
 							},
 						),
diff --git a/internal/v2/eventstore/postgres/query_test.go b/internal/v2/eventstore/postgres/query_test.go
index 34b73bd820..56f506ac50 100644
--- a/internal/v2/eventstore/postgres/query_test.go
+++ b/internal/v2/eventstore/postgres/query_test.go
@@ -8,8 +8,6 @@ import (
 	"testing"
 	"time"
 
-	"github.com/shopspring/decimal"
-
 	"github.com/zitadel/zitadel/internal/v2/database"
 	"github.com/zitadel/zitadel/internal/v2/database/mock"
 	"github.com/zitadel/zitadel/internal/v2/eventstore"
@@ -543,13 +541,13 @@ func Test_writeFilter(t *testing.T) {
 			args: args{
 				filter: eventstore.NewFilter(
 					eventstore.FilterPagination(
-						eventstore.PositionGreater(decimal.NewFromFloat(123.4), 0),
+						eventstore.PositionGreater(123.4, 0),
 					),
 				),
 			},
 			want: wantQuery{
 				query: " WHERE instance_id = $1 AND position > $2 ORDER BY position, in_tx_order",
-				args:  []any{"i1", decimal.NewFromFloat(123.4)},
+				args:  []any{"i1", 123.4},
 			},
 		},
 		{
@@ -557,18 +555,18 @@ func Test_writeFilter(t *testing.T) {
 			args: args{
 				filter: eventstore.NewFilter(
 					eventstore.FilterPagination(
-						// 	eventstore.PositionGreater(decimal.NewFromFloat(123.4), 0),
+						// 	eventstore.PositionGreater(123.4, 0),
 						// 	eventstore.PositionLess(125.4, 10),
 						eventstore.PositionBetween(
-							&eventstore.GlobalPosition{Position: decimal.NewFromFloat(123.4)},
-							&eventstore.GlobalPosition{Position: decimal.NewFromFloat(125.4), InPositionOrder: 10},
+							&eventstore.GlobalPosition{Position: 123.4},
+							&eventstore.GlobalPosition{Position: 125.4, InPositionOrder: 10},
 						),
 					),
 				),
 			},
 			want: wantQuery{
 				query: " WHERE instance_id = $1 AND ((position = $2 AND in_tx_order < $3) OR position < $4) AND position > $5 ORDER BY position, in_tx_order",
-				args:  []any{"i1", decimal.NewFromFloat(125.4), uint32(10), decimal.NewFromFloat(125.4), decimal.NewFromFloat(123.4)},
+				args:  []any{"i1", 125.4, uint32(10), 125.4, 123.4},
 				// TODO: (adlerhurst) would require some refactoring to reuse existing args
 				// query: " WHERE instance_id = $1 AND position > $2 AND ((position = $3 AND in_tx_order < $4) OR position < $3) ORDER BY position, in_tx_order",
 				// args:  []any{"i1", 123.4, 125.4, uint32(10)},
@@ -579,13 +577,13 @@ func Test_writeFilter(t *testing.T) {
 			args: args{
 				filter: eventstore.NewFilter(
 					eventstore.FilterPagination(
-						eventstore.PositionGreater(decimal.NewFromFloat(123.4), 12),
+						eventstore.PositionGreater(123.4, 12),
 					),
 				),
 			},
 			want: wantQuery{
 				query: " WHERE instance_id = $1 AND ((position = $2 AND in_tx_order > $3) OR position > $4) ORDER BY position, in_tx_order",
-				args:  []any{"i1", decimal.NewFromFloat(123.4), uint32(12), decimal.NewFromFloat(123.4)},
+				args:  []any{"i1", 123.4, uint32(12), 123.4},
 			},
 		},
 		{
@@ -595,13 +593,13 @@ func Test_writeFilter(t *testing.T) {
 					eventstore.FilterPagination(
 						eventstore.Limit(10),
 						eventstore.Offset(3),
-						eventstore.PositionGreater(decimal.NewFromFloat(123.4), 12),
+						eventstore.PositionGreater(123.4, 12),
 					),
 				),
 			},
 			want: wantQuery{
 				query: " WHERE instance_id = $1 AND ((position = $2 AND in_tx_order > $3) OR position > $4) ORDER BY position, in_tx_order LIMIT $5 OFFSET $6",
-				args:  []any{"i1", decimal.NewFromFloat(123.4), uint32(12), decimal.NewFromFloat(123.4), uint32(10), uint32(3)},
+				args:  []any{"i1", 123.4, uint32(12), 123.4, uint32(10), uint32(3)},
 			},
 		},
 		{
@@ -611,14 +609,14 @@ func Test_writeFilter(t *testing.T) {
 					eventstore.FilterPagination(
 						eventstore.Limit(10),
 						eventstore.Offset(3),
-						eventstore.PositionGreater(decimal.NewFromFloat(123.4), 12),
+						eventstore.PositionGreater(123.4, 12),
 					),
 					eventstore.AppendAggregateFilter("user"),
 				),
 			},
 			want: wantQuery{
 				query: " WHERE instance_id = $1 AND aggregate_type = $2 AND ((position = $3 AND in_tx_order > $4) OR position > $5) ORDER BY position, in_tx_order LIMIT $6 OFFSET $7",
-				args:  []any{"i1", "user", decimal.NewFromFloat(123.4), uint32(12), decimal.NewFromFloat(123.4), uint32(10), uint32(3)},
+				args:  []any{"i1", "user", 123.4, uint32(12), 123.4, uint32(10), uint32(3)},
 			},
 		},
 		{
@@ -628,7 +626,7 @@ func Test_writeFilter(t *testing.T) {
 					eventstore.FilterPagination(
 						eventstore.Limit(10),
 						eventstore.Offset(3),
-						eventstore.PositionGreater(decimal.NewFromFloat(123.4), 12),
+						eventstore.PositionGreater(123.4, 12),
 					),
 					eventstore.AppendAggregateFilter("user"),
 					eventstore.AppendAggregateFilter(
@@ -639,7 +637,7 @@ func Test_writeFilter(t *testing.T) {
 			},
 			want: wantQuery{
 				query: " WHERE instance_id = $1 AND (aggregate_type = $2 OR (aggregate_type = $3 AND aggregate_id = $4)) AND ((position = $5 AND in_tx_order > $6) OR position > $7) ORDER BY position, in_tx_order LIMIT $8 OFFSET $9",
-				args:  []any{"i1", "user", "org", "o1", decimal.NewFromFloat(123.4), uint32(12), decimal.NewFromFloat(123.4), uint32(10), uint32(3)},
+				args:  []any{"i1", "user", "org", "o1", 123.4, uint32(12), 123.4, uint32(10), uint32(3)},
 			},
 		},
 	}
@@ -958,7 +956,7 @@ func Test_writeQueryUse_examples(t *testing.T) {
 							),
 							eventstore.FilterPagination(
 								// used because we need to check for first login and an app which is not console
-								eventstore.PositionGreater(decimal.NewFromInt(12), 4),
+								eventstore.PositionGreater(12, 4),
 							),
 						),
 						eventstore.NewFilter(
@@ -1067,9 +1065,9 @@ func Test_writeQueryUse_examples(t *testing.T) {
 					"instance",
 					"user",
 					"user.token.added",
-					decimal.NewFromInt(12),
+					float64(12),
 					uint32(4),
-					decimal.NewFromInt(12),
+					float64(12),
 					"instance",
 					"instance",
 					[]string{"instance.idp.config.added", "instance.idp.oauth.added", "instance.idp.oidc.added", "instance.idp.jwt.added", "instance.idp.azure.added", "instance.idp.github.added", "instance.idp.github.enterprise.added", "instance.idp.gitlab.added", "instance.idp.gitlab.selfhosted.added", "instance.idp.google.added", "instance.idp.ldap.added", "instance.idp.config.apple.added", "instance.idp.saml.added"},
@@ -1203,7 +1201,7 @@ func Test_executeQuery(t *testing.T) {
 						time.Now(),
 						"event.type",
 						uint32(23),
-						decimal.NewFromInt(123).String(),
+						float64(123),
 						uint32(0),
 						nil,
 						"gigi",
@@ -1237,7 +1235,7 @@ func Test_executeQuery(t *testing.T) {
 						time.Now(),
 						"event.type",
 						uint32(23),
-						decimal.NewFromInt(123).String(),
+						float64(123),
 						uint32(0),
 						[]byte(`{"name": "gigi"}`),
 						"gigi",
@@ -1271,7 +1269,7 @@ func Test_executeQuery(t *testing.T) {
 						time.Now(),
 						"event.type",
 						uint32(23),
-						decimal.NewFromInt(123).String(),
+						float64(123),
 						uint32(0),
 						nil,
 						"gigi",
@@ -1285,7 +1283,7 @@ func Test_executeQuery(t *testing.T) {
 						time.Now(),
 						"event.type",
 						uint32(24),
-						decimal.NewFromInt(124).String(),
+						float64(124),
 						uint32(0),
 						[]byte(`{"name": "gigi"}`),
 						"gigi",
@@ -1319,7 +1317,7 @@ func Test_executeQuery(t *testing.T) {
 						time.Now(),
 						"event.type",
 						uint32(23),
-						decimal.NewFromInt(123).String(),
+						float64(123),
 						uint32(0),
 						nil,
 						"gigi",
@@ -1333,7 +1331,7 @@ func Test_executeQuery(t *testing.T) {
 						time.Now(),
 						"event.type",
 						uint32(24),
-						decimal.NewFromInt(124).String(),
+						float64(124),
 						uint32(0),
 						[]byte(`{"name": "gigi"}`),
 						"gigi",
diff --git a/internal/v2/eventstore/query.go b/internal/v2/eventstore/query.go
index f7a30a2139..c9b3cecd37 100644
--- a/internal/v2/eventstore/query.go
+++ b/internal/v2/eventstore/query.go
@@ -7,8 +7,6 @@ import (
 	"slices"
 	"time"
 
-	"github.com/shopspring/decimal"
-
 	"github.com/zitadel/zitadel/internal/v2/database"
 )
 
@@ -725,7 +723,7 @@ func (pc *PositionCondition) Min() *GlobalPosition {
 // PositionGreater prepares the condition as follows
 // if inPositionOrder is set: position = AND in_tx_order > OR or position >
 // if inPositionOrder is NOT set: position >
-func PositionGreater(position decimal.Decimal, inPositionOrder uint32) paginationOpt {
+func PositionGreater(position float64, inPositionOrder uint32) paginationOpt {
 	return func(p *Pagination) {
 		p.ensurePosition()
 		p.position.min = &GlobalPosition{
@@ -745,7 +743,7 @@ func GlobalPositionGreater(position *GlobalPosition) paginationOpt {
 // PositionLess prepares the condition as follows
 // if inPositionOrder is set: position = AND in_tx_order > OR or position >
 // if inPositionOrder is NOT set: position >
-func PositionLess(position decimal.Decimal, inPositionOrder uint32) paginationOpt {
+func PositionLess(position float64, inPositionOrder uint32) paginationOpt {
 	return func(p *Pagination) {
 		p.ensurePosition()
 		p.position.max = &GlobalPosition{
diff --git a/internal/v2/eventstore/query_test.go b/internal/v2/eventstore/query_test.go
index 0f313e9560..00c08914c1 100644
--- a/internal/v2/eventstore/query_test.go
+++ b/internal/v2/eventstore/query_test.go
@@ -6,8 +6,6 @@ import (
 	"testing"
 	"time"
 
-	"github.com/shopspring/decimal"
-
 	"github.com/zitadel/zitadel/internal/v2/database"
 )
 
@@ -76,13 +74,13 @@ func TestPaginationOpt(t *testing.T) {
 			name: "global position greater",
 			args: args{
 				opts: []paginationOpt{
-					GlobalPositionGreater(&GlobalPosition{Position: decimal.NewFromInt(10)}),
+					GlobalPositionGreater(&GlobalPosition{Position: 10}),
 				},
 			},
 			want: &Pagination{
 				position: &PositionCondition{
 					min: &GlobalPosition{
-						Position:        decimal.NewFromInt(10),
+						Position:        10,
 						InPositionOrder: 0,
 					},
 				},
@@ -92,13 +90,13 @@ func TestPaginationOpt(t *testing.T) {
 			name: "position greater",
 			args: args{
 				opts: []paginationOpt{
-					PositionGreater(decimal.NewFromInt(10), 0),
+					PositionGreater(10, 0),
 				},
 			},
 			want: &Pagination{
 				position: &PositionCondition{
 					min: &GlobalPosition{
-						Position:        decimal.NewFromInt(10),
+						Position:        10,
 						InPositionOrder: 0,
 					},
 				},
@@ -109,13 +107,13 @@ func TestPaginationOpt(t *testing.T) {
 			name: "position less",
 			args: args{
 				opts: []paginationOpt{
-					PositionLess(decimal.NewFromInt(10), 12),
+					PositionLess(10, 12),
 				},
 			},
 			want: &Pagination{
 				position: &PositionCondition{
 					max: &GlobalPosition{
-						Position:        decimal.NewFromInt(10),
+						Position:        10,
 						InPositionOrder: 12,
 					},
 				},
@@ -125,13 +123,13 @@ func TestPaginationOpt(t *testing.T) {
 			name: "global position less",
 			args: args{
 				opts: []paginationOpt{
-					GlobalPositionLess(&GlobalPosition{Position: decimal.NewFromInt(12), InPositionOrder: 24}),
+					GlobalPositionLess(&GlobalPosition{Position: 12, InPositionOrder: 24}),
 				},
 			},
 			want: &Pagination{
 				position: &PositionCondition{
 					max: &GlobalPosition{
-						Position:        decimal.NewFromInt(12),
+						Position:        12,
 						InPositionOrder: 24,
 					},
 				},
@@ -142,19 +140,19 @@ func TestPaginationOpt(t *testing.T) {
 			args: args{
 				opts: []paginationOpt{
 					PositionBetween(
-						&GlobalPosition{decimal.NewFromInt(10), 12},
-						&GlobalPosition{decimal.NewFromInt(20), 0},
+						&GlobalPosition{10, 12},
+						&GlobalPosition{20, 0},
 					),
 				},
 			},
 			want: &Pagination{
 				position: &PositionCondition{
 					min: &GlobalPosition{
-						Position:        decimal.NewFromInt(10),
+						Position:        10,
 						InPositionOrder: 12,
 					},
 					max: &GlobalPosition{
-						Position:        decimal.NewFromInt(20),
+						Position:        20,
 						InPositionOrder: 0,
 					},
 				},
diff --git a/internal/v2/readmodel/last_successful_mirror.go b/internal/v2/readmodel/last_successful_mirror.go
index 6635b73342..80b436b896 100644
--- a/internal/v2/readmodel/last_successful_mirror.go
+++ b/internal/v2/readmodel/last_successful_mirror.go
@@ -1,8 +1,6 @@
 package readmodel
 
 import (
-	"github.com/shopspring/decimal"
-
 	"github.com/zitadel/zitadel/internal/v2/eventstore"
 	"github.com/zitadel/zitadel/internal/v2/system"
 	"github.com/zitadel/zitadel/internal/v2/system/mirror"
@@ -10,7 +8,7 @@ import (
 
 type LastSuccessfulMirror struct {
 	ID       string
-	Position decimal.Decimal
+	Position float64
 	source   string
 }
 
@@ -55,7 +53,7 @@ func (h *LastSuccessfulMirror) Reduce(events ...*eventstore.StorageEvent) (err e
 
 func (h *LastSuccessfulMirror) reduceSucceeded(event *eventstore.StorageEvent) error {
 	// if position is set we skip all older events
-	if h.Position.GreaterThan(decimal.NewFromInt(0)) {
+	if h.Position > 0 {
 		return nil
 
 	}
diff --git a/internal/v2/system/mirror/succeeded.go b/internal/v2/system/mirror/succeeded.go
index 34d74f184f..6d0fba2c25 100644
--- a/internal/v2/system/mirror/succeeded.go
+++ b/internal/v2/system/mirror/succeeded.go
@@ -1,8 +1,6 @@
 package mirror
 
 import (
-	"github.com/shopspring/decimal"
-
 	"github.com/zitadel/zitadel/internal/v2/eventstore"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )
@@ -11,7 +9,7 @@ type succeededPayload struct {
 	// Source is the name of the database data are mirrored from
 	Source string `json:"source"`
 	// Position until data will be mirrored
-	Position decimal.Decimal `json:"position"`
+	Position float64 `json:"position"`
 }
 
 const SucceededType = eventTypePrefix + "succeeded"
@@ -40,7 +38,7 @@ func SucceededEventFromStorage(event *eventstore.StorageEvent) (e *SucceededEven
 	}, nil
 }
 
-func NewSucceededCommand(source string, position decimal.Decimal) *eventstore.Command {
+func NewSucceededCommand(source string, position float64) *eventstore.Command {
 	return &eventstore.Command{
 		Action: eventstore.Action[any]{
 			Creator:  Creator,
diff --git a/load-test/Makefile b/load-test/Makefile
index bbd5ebf538..61494e27cb 100644
--- a/load-test/Makefile
+++ b/load-test/Makefile
@@ -4,43 +4,42 @@ ZITADEL_HOST ?=
 ADMIN_LOGIN_NAME ?=
 ADMIN_PASSWORD ?=
 
-K6 := ./../../xk6-modules/k6
-
 .PHONY: human_password_login
 human_password_login: bundle
-	${K6} run --summary-trend-stats "min,avg,max,p(50),p(95),p(99)" dist/human_password_login.js --vus ${VUS} --duration ${DURATION}
+	k6 run --summary-trend-stats "min,avg,max,p(50),p(95),p(99)" dist/human_password_login.js --vus ${VUS} --duration ${DURATION}
 
 .PHONY: machine_pat_login
 machine_pat_login: bundle
-	${K6} run --summary-trend-stats "min,avg,max,p(50),p(95),p(99)" dist/machine_pat_login.js --vus ${VUS} --duration ${DURATION}
+	k6 run --summary-trend-stats "min,avg,max,p(50),p(95),p(99)" dist/machine_pat_login.js --vus ${VUS} --duration ${DURATION}
 
 .PHONY: machine_client_credentials_login
 machine_client_credentials_login: bundle
-	${K6} run --summary-trend-stats "min,avg,max,p(50),p(95),p(99)" dist/machine_client_credentials_login.js --vus ${VUS} --duration ${DURATION}
+	k6 run --summary-trend-stats "min,avg,max,p(50),p(95),p(99)" dist/machine_client_credentials_login.js --vus ${VUS} --duration ${DURATION}
 
 .PHONY: user_info
 user_info: bundle
-	${K6} run --summary-trend-stats "min,avg,max,p(50),p(95),p(99)" dist/user_info.js --vus ${VUS} --duration ${DURATION}
+	k6 run --summary-trend-stats "min,avg,max,p(50),p(95),p(99)" dist/user_info.js --vus ${VUS} --duration ${DURATION}
 
 .PHONY: manipulate_user
 manipulate_user: bundle
-	${K6} run --summary-trend-stats "min,avg,max,p(50),p(95),p(99)" dist/manipulate_user.js --vus ${VUS} --duration ${DURATION}
+	k6 run --summary-trend-stats "min,avg,max,p(50),p(95),p(99)" dist/manipulate_user.js --vus ${VUS} --duration ${DURATION}
 
 .PHONY: introspect
 introspect: ensure_modules bundle
 	go install go.k6.io/xk6/cmd/xk6@latest
 	cd ../../xk6-modules && xk6 build --with xk6-zitadel=.
-	${K6} run --summary-trend-stats "min,avg,max,p(50),p(95),p(99)" dist/introspection.js --vus ${VUS} --duration ${DURATION}
+	./../../xk6-modules/k6 run --summary-trend-stats "min,avg,max,p(50),p(95),p(99)" dist/introspection.js --vus ${VUS} --duration ${DURATION}
 
 .PHONY: add_session
 add_session: bundle
-	${K6} run --summary-trend-stats "min,avg,max,p(50),p(95),p(99)" dist/session.js --vus ${VUS} --duration ${DURATION}
+	k6 run --summary-trend-stats "min,avg,max,p(50),p(95),p(99)" dist/session.js --vus ${VUS} --duration ${DURATION}
 
 .PHONY: machine_jwt_profile_grant
 machine_jwt_profile_grant: ensure_modules ensure_key_pair bundle
 	go install go.k6.io/xk6/cmd/xk6@latest
 	cd ../../xk6-modules && xk6 build --with xk6-zitadel=.
-	${K6} run --summary-trend-stats "min,avg,max,p(50),p(95),p(99)" dist/machine_jwt_profile_grant.js --vus ${VUS} --duration ${DURATION}
+	./../../xk6-modules/k6 run --summary-trend-stats "min,avg,max,p(50),p(95),p(99)" dist/machine_jwt_profile_grant.js --iterations 1
+	# --vus ${VUS} --duration ${DURATION}
 
 .PHONY: machine_jwt_profile_grant_single_user
 machine_jwt_profile_grant_single_user: ensure_modules ensure_key_pair bundle
@@ -65,8 +64,6 @@ endif
 bundle:
 	npm i
 	npm run bundle
-	go install go.k6.io/xk6/cmd/xk6@latest
-	cd ../../xk6-modules && xk6 build --with xk6-zitadel=.
 
 .PHONY: ensure_key_pair
 ensure_key_pair:
diff --git a/load-test/src/use_cases/manipulate_user.ts b/load-test/src/use_cases/manipulate_user.ts
index 058bde05f1..2ea53bd324 100644
--- a/load-test/src/use_cases/manipulate_user.ts
+++ b/load-test/src/use_cases/manipulate_user.ts
@@ -45,4 +45,3 @@ export function teardown(data: any) {
   removeOrg(data.org, data.tokens.accessToken);
   console.info('teardown: org removed');
 }
-

From 624fee97c0521e54c56289e290fc5499a6df70da Mon Sep 17 00:00:00 2001
From: mffap <mpa@zitadel.com>
Date: Wed, 25 Sep 2024 10:14:58 +0200
Subject: [PATCH 13/19] docs: optimized examples and sdk for search (#8657)

# Which Problems Are Solved

Page title was "introduction" and the headings were missing a h2 level.
This makes it difficult to index for search, both internal and external.

# How the Problems Are Solved

* Change the page title
* Pulled all headings one level up

# Additional Changes

- Show all elements in sdk-example folder automaticalls
---
 docs/docs/sdk-examples/introduction.mdx | 13 +++++++------
 docs/sidebars.js                        | 16 ++++------------
 docs/src/components/tile.jsx            |  2 +-
 3 files changed, 12 insertions(+), 19 deletions(-)

diff --git a/docs/docs/sdk-examples/introduction.mdx b/docs/docs/sdk-examples/introduction.mdx
index 45e2465fb8..de928731c3 100644
--- a/docs/docs/sdk-examples/introduction.mdx
+++ b/docs/docs/sdk-examples/introduction.mdx
@@ -1,6 +1,7 @@
 ---
-title: Introduction
+title: Examples and SDKs for ZITADEL
 sidebar_label: Introduction
+sidebar_position: 1
 ---
 
 You can integrate ZITADEL quickly into your application and be up and running within minutes.
@@ -10,7 +11,7 @@ The SDKs and integration depend on the framework and language you are using.
 
 import { Frameworks } from "../../src/components/frameworks";
 
-### Resources
+## Resources
 
 <Frameworks />
 
@@ -20,7 +21,7 @@ To further streamline your setup, simply visit the console in ZITADEL where you
 
 To begin configuring login for any of these samples, start [here](https://zitadel.com/signin).
 
-### OIDC Libraries
+## OIDC Libraries
 
 OIDC is a standard for authentication and most languages and frameworks do provide a OIDC library which can be easily integrated to your application.
 If we do not provide an specific example, SDK or guide, we strongly recommend using existing authentication libraries for your
@@ -34,7 +35,7 @@ You might want to check out the following links to find a good library:
 - [OpenID General References](https://openid.net/developers/libraries/)
 - [OpenID certified developer tools](https://openid.net/certified-open-id-developer-tools/)
 
-### Other example applications
+## Other example applications
 
 - [B2B customer portal](https://github.com/zitadel/zitadel-nextjs-b2b): Showcase the use of personal access tokens in a B2B environment. Uses NextJS Framework.
 - [Frontend with backend API](https://github.com/zitadel/example-quote-generator-app): A simple web application using a React front-end and a Python back-end API, both secured using ZITADEL
@@ -43,7 +44,7 @@ You might want to check out the following links to find a good library:
 
 Search for the "example" tag in our repository to [explore all examples](https://github.com/search?q=topic%3Aexamples+org%3Azitadel&type=repositories).
 
-### Missing SDK
+## Missing SDK
 
 Is your language/framework missing? Fear not, you can generate your gRPC API Client with ease.
 
@@ -54,7 +55,7 @@ Is your language/framework missing? Fear not, you can generate your gRPC API Cli
 Let us make an example with Ruby. Any other supported language by buf will work as well. Consult
 the [buf plugin registry](https://buf.build/plugins) for more ideas.
 
-#### Example with Ruby
+### Example with Ruby
 
 With gRPC we usually need to generate the client stub and the messages/types. This is why we need two plugins.
 The plugin `grpc/ruby` generates the client stub and the plugin `protocolbuffers/ruby` takes care of the messages/types.
diff --git a/docs/sidebars.js b/docs/sidebars.js
index 1e26ec6074..38596d4bfc 100644
--- a/docs/sidebars.js
+++ b/docs/sidebars.js
@@ -54,18 +54,10 @@ module.exports = {
       label: "Examples & SDKs",
       link: {type: "doc", id: "sdk-examples/introduction"},
       items: [
-        "sdk-examples/introduction",
-        "sdk-examples/angular",
-        "sdk-examples/flutter",
-        "sdk-examples/go",
-        "sdk-examples/java",
-        "sdk-examples/nestjs",
-        "sdk-examples/nextjs",
-        "sdk-examples/python-flask",
-        "sdk-examples/python-django",
-        "sdk-examples/react",
-        "sdk-examples/symfony",
-        "sdk-examples/vue",
+        {
+          type: "autogenerated", 
+          dirName: "sdk-examples"
+        },
         {
           type: "link",
           label: "Dart",
diff --git a/docs/src/components/tile.jsx b/docs/src/components/tile.jsx
index e1066325ce..1ce2a1c1f8 100644
--- a/docs/src/components/tile.jsx
+++ b/docs/src/components/tile.jsx
@@ -8,7 +8,7 @@ export function Tile({ title, imageSource, imageSourceLight, link, external }) {
       className={styles.tile}
       target={external ? "_blank" : "_self"}
     >
-      <h4>{title}</h4>
+      <h3>{title}</h3>
       <img
         className={imageSourceLight ? "hideonlight" : ""}
         src={imageSource}

From 62cdec222e392acc047f4663a587dc3d87843d3f Mon Sep 17 00:00:00 2001
From: Stefan Benz <46600784+stebenz@users.noreply.github.com>
Date: Wed, 25 Sep 2024 15:31:31 +0200
Subject: [PATCH 14/19] feat: user v3 contact email and phone (#8644)

# Which Problems Are Solved

Endpoints to maintain email and phone contact on user v3 are not
implemented.

# How the Problems Are Solved

Add 3 endpoints with SetContactEmail, VerifyContactEmail and
ResendContactEmailCode.
Add 3 endpoints with SetContactPhone, VerifyContactPhone and
ResendContactPhoneCode.
Refactor the logic how contact is managed in the user creation and
update.

# Additional Changes

None

# Additional Context

- part of https://github.com/zitadel/zitadel/issues/6433

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
---
 cmd/start/start.go                            |    2 +-
 .../api/grpc/resources/user/v3alpha/email.go  |   83 ++
 .../v3alpha/integration_test/email_test.go    |  772 ++++++++++++
 .../v3alpha/integration_test/phone_test.go    |  701 +++++++++++
 .../v3alpha/integration_test/server_test.go   |   12 +-
 .../v3alpha/integration_test/user_test.go     |   33 +-
 .../api/grpc/resources/user/v3alpha/phone.go  |   81 ++
 .../api/grpc/resources/user/v3alpha/query.go  |   14 +
 .../api/grpc/resources/user/v3alpha/server.go |    8 +-
 .../api/grpc/resources/user/v3alpha/user.go   |   88 +-
 .../v3alpha/integration_test/server_test.go   |   12 +-
 internal/command/command.go                   |   17 +
 internal/command/user_v3.go                   |  283 ++---
 internal/command/user_v3_email.go             |  115 ++
 internal/command/user_v3_email_test.go        | 1076 +++++++++++++++++
 internal/command/user_v3_model.go             |  510 +++++++-
 internal/command/user_v3_phone.go             |  107 ++
 internal/command/user_v3_phone_test.go        | 1040 ++++++++++++++++
 internal/command/user_v3_test.go              |  374 +++---
 internal/integration/client.go                |   26 +
 .../resources/user/v3alpha/user_service.proto |    2 +-
 21 files changed, 4924 insertions(+), 432 deletions(-)
 create mode 100644 internal/api/grpc/resources/user/v3alpha/email.go
 create mode 100644 internal/api/grpc/resources/user/v3alpha/integration_test/email_test.go
 create mode 100644 internal/api/grpc/resources/user/v3alpha/integration_test/phone_test.go
 create mode 100644 internal/api/grpc/resources/user/v3alpha/phone.go
 create mode 100644 internal/api/grpc/resources/user/v3alpha/query.go
 create mode 100644 internal/command/user_v3_email.go
 create mode 100644 internal/command/user_v3_email_test.go
 create mode 100644 internal/command/user_v3_phone.go
 create mode 100644 internal/command/user_v3_phone_test.go

diff --git a/cmd/start/start.go b/cmd/start/start.go
index 5fc4ba936a..68c5bdb915 100644
--- a/cmd/start/start.go
+++ b/cmd/start/start.go
@@ -454,7 +454,7 @@ func startAPIs(
 	if err := apis.RegisterService(ctx, userschema_v3_alpha.CreateServer(config.SystemDefaults, commands, queries)); err != nil {
 		return nil, err
 	}
-	if err := apis.RegisterService(ctx, user_v3_alpha.CreateServer(commands, keys.User)); err != nil {
+	if err := apis.RegisterService(ctx, user_v3_alpha.CreateServer(commands)); err != nil {
 		return nil, err
 	}
 	if err := apis.RegisterService(ctx, webkey.CreateServer(commands, queries)); err != nil {
diff --git a/internal/api/grpc/resources/user/v3alpha/email.go b/internal/api/grpc/resources/user/v3alpha/email.go
new file mode 100644
index 0000000000..7b0b561cd9
--- /dev/null
+++ b/internal/api/grpc/resources/user/v3alpha/email.go
@@ -0,0 +1,83 @@
+package user
+
+import (
+	"context"
+
+	resource_object "github.com/zitadel/zitadel/internal/api/grpc/resources/object/v3alpha"
+	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/domain"
+	object "github.com/zitadel/zitadel/pkg/grpc/object/v3alpha"
+	user "github.com/zitadel/zitadel/pkg/grpc/resources/user/v3alpha"
+)
+
+func (s *Server) SetContactEmail(ctx context.Context, req *user.SetContactEmailRequest) (_ *user.SetContactEmailResponse, err error) {
+	if err := checkUserSchemaEnabled(ctx); err != nil {
+		return nil, err
+	}
+	schemauser := setContactEmailRequestToChangeSchemaUserEmail(req)
+	details, err := s.command.ChangeSchemaUserEmail(ctx, schemauser)
+	if err != nil {
+		return nil, err
+	}
+	return &user.SetContactEmailResponse{
+		Details:          resource_object.DomainToDetailsPb(details, object.OwnerType_OWNER_TYPE_ORG, details.ResourceOwner),
+		VerificationCode: schemauser.ReturnCode,
+	}, nil
+}
+
+func setContactEmailRequestToChangeSchemaUserEmail(req *user.SetContactEmailRequest) *command.ChangeSchemaUserEmail {
+	return &command.ChangeSchemaUserEmail{
+		ResourceOwner: organizationToUpdateResourceOwner(req.Organization),
+		ID:            req.GetId(),
+		Email:         setEmailToEmail(req.Email),
+	}
+}
+
+func setEmailToEmail(setEmail *user.SetEmail) *command.Email {
+	if setEmail == nil {
+		return nil
+	}
+	return &command.Email{
+		Address:     domain.EmailAddress(setEmail.Address),
+		ReturnCode:  setEmail.GetReturnCode() != nil,
+		Verified:    setEmail.GetIsVerified(),
+		URLTemplate: setEmail.GetSendCode().GetUrlTemplate(),
+	}
+}
+
+func (s *Server) VerifyContactEmail(ctx context.Context, req *user.VerifyContactEmailRequest) (_ *user.VerifyContactEmailResponse, err error) {
+	if err := checkUserSchemaEnabled(ctx); err != nil {
+		return nil, err
+	}
+	details, err := s.command.VerifySchemaUserEmail(ctx, organizationToUpdateResourceOwner(req.Organization), req.GetId(), req.GetVerificationCode())
+	if err != nil {
+		return nil, err
+	}
+	return &user.VerifyContactEmailResponse{
+		Details: resource_object.DomainToDetailsPb(details, object.OwnerType_OWNER_TYPE_ORG, details.ResourceOwner),
+	}, nil
+}
+
+func (s *Server) ResendContactEmailCode(ctx context.Context, req *user.ResendContactEmailCodeRequest) (_ *user.ResendContactEmailCodeResponse, err error) {
+	if err := checkUserSchemaEnabled(ctx); err != nil {
+		return nil, err
+	}
+	schemauser := resendContactEmailCodeRequestToResendSchemaUserEmailCode(req)
+	details, err := s.command.ResendSchemaUserEmailCode(ctx, schemauser)
+	if err != nil {
+		return nil, err
+	}
+	return &user.ResendContactEmailCodeResponse{
+		Details:          resource_object.DomainToDetailsPb(details, object.OwnerType_OWNER_TYPE_ORG, details.ResourceOwner),
+		VerificationCode: schemauser.PlainCode,
+	}, nil
+}
+
+func resendContactEmailCodeRequestToResendSchemaUserEmailCode(req *user.ResendContactEmailCodeRequest) *command.ResendSchemaUserEmailCode {
+	return &command.ResendSchemaUserEmailCode{
+		ResourceOwner: organizationToUpdateResourceOwner(req.Organization),
+		ID:            req.GetId(),
+		URLTemplate:   req.GetSendCode().GetUrlTemplate(),
+		ReturnCode:    req.GetReturnCode() != nil,
+	}
+}
diff --git a/internal/api/grpc/resources/user/v3alpha/integration_test/email_test.go b/internal/api/grpc/resources/user/v3alpha/integration_test/email_test.go
new file mode 100644
index 0000000000..c5bec9008e
--- /dev/null
+++ b/internal/api/grpc/resources/user/v3alpha/integration_test/email_test.go
@@ -0,0 +1,772 @@
+//go:build integration
+
+package user_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/brianvoe/gofakeit/v6"
+	"github.com/muhlemmer/gu"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/zitadel/zitadel/internal/integration"
+	object "github.com/zitadel/zitadel/pkg/grpc/object/v3alpha"
+	resource_object "github.com/zitadel/zitadel/pkg/grpc/resources/object/v3alpha"
+	user "github.com/zitadel/zitadel/pkg/grpc/resources/user/v3alpha"
+)
+
+func TestServer_SetContactEmail(t *testing.T) {
+	t.Parallel()
+	instance := integration.NewInstance(CTX)
+	ensureFeatureEnabled(t, instance)
+	isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
+
+	schema := []byte(`{
+		"$schema": "urn:zitadel:schema:v1",
+			"type": "object",
+			"properties": {
+			"name": {
+				"type": "string"
+			}
+		}
+	}`)
+	schemaResp := instance.CreateUserSchema(isolatedIAMOwnerCTX, schema)
+	orgResp := instance.CreateOrganization(isolatedIAMOwnerCTX, gofakeit.Name(), gofakeit.Email())
+
+	type res struct {
+		want       *resource_object.Details
+		returnCode bool
+	}
+	tests := []struct {
+		name    string
+		ctx     context.Context
+		dep     func(req *user.SetContactEmailRequest) error
+		req     *user.SetContactEmailRequest
+		res     res
+		wantErr bool
+	}{
+		{
+			name: "email patch, no context",
+			ctx:  context.Background(),
+			dep: func(req *user.SetContactEmailRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.SetContactEmailRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Email: &user.SetEmail{
+					Address: gofakeit.Email(),
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "email patch, no permission",
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			dep: func(req *user.SetContactEmailRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.SetContactEmailRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Email: &user.SetEmail{
+					Address: gofakeit.Email(),
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "email patch, not found",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.SetContactEmailRequest) error {
+				return nil
+			},
+			req: &user.SetContactEmailRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Id: "notexisting",
+				Email: &user.SetEmail{
+					Address: gofakeit.Email(),
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "email patch, not found, org",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.SetContactEmailRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.SetContactEmailRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: "not existing",
+					},
+				},
+				Email: &user.SetEmail{
+					Address: gofakeit.Email(),
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "email patch, empty",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.SetContactEmailRequest) error {
+				data := "{\"name\": \"user\"}"
+				schemaID := schemaResp.GetDetails().GetId()
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaID, []byte(data))
+				req.Id = userResp.GetDetails().GetId()
+				email := gofakeit.Email()
+				instance.UpdateSchemaUserEmail(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, email)
+				return nil
+			},
+			req: &user.SetContactEmailRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Email: &user.SetEmail{},
+			},
+			wantErr: true,
+		},
+		{
+			name: "email patch, no change",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.SetContactEmailRequest) error {
+				data := "{\"name\": \"user\"}"
+				schemaID := schemaResp.GetDetails().GetId()
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaID, []byte(data))
+				req.Id = userResp.GetDetails().GetId()
+				email := gofakeit.Email()
+				instance.UpdateSchemaUserEmail(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, email)
+				req.Email.Address = email
+				return nil
+			},
+			req: &user.SetContactEmailRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Email: &user.SetEmail{},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+		{
+			name: "email patch, no org, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.SetContactEmailRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.SetContactEmailRequest{
+				Email: &user.SetEmail{
+					Address: gofakeit.Email(),
+				},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+		{
+			name: "email patch, return, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.SetContactEmailRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.SetContactEmailRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Email: &user.SetEmail{
+					Address:      gofakeit.Email(),
+					Verification: &user.SetEmail_ReturnCode{},
+				},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+				returnCode: true,
+			},
+		},
+		{
+			name: "email patch, return, invalid template",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.SetContactEmailRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.SetContactEmailRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Email: &user.SetEmail{
+					Address:      gofakeit.Email(),
+					Verification: &user.SetEmail_SendCode{SendCode: &user.SendEmailVerificationCode{UrlTemplate: gu.Ptr("{{")}},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "email patch, verified, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.SetContactEmailRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.SetContactEmailRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Email: &user.SetEmail{
+					Address:      gofakeit.Email(),
+					Verification: &user.SetEmail_IsVerified{IsVerified: true},
+				},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+		{
+			name: "email patch, template, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.SetContactEmailRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.SetContactEmailRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Email: &user.SetEmail{
+					Address:      gofakeit.Email(),
+					Verification: &user.SetEmail_SendCode{SendCode: &user.SendEmailVerificationCode{UrlTemplate: gu.Ptr("https://example.com/email/verify?userID={{.UserID}}&code={{.Code}}&orgID={{.OrgID}}")}},
+				},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+		{
+			name: "email patch, sent, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.SetContactEmailRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.SetContactEmailRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Email: &user.SetEmail{
+					Address:      gofakeit.Email(),
+					Verification: &user.SetEmail_SendCode{},
+				},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.dep != nil {
+				err := tt.dep(tt.req)
+				require.NoError(t, err)
+			}
+			got, err := instance.Client.UserV3Alpha.SetContactEmail(tt.ctx, tt.req)
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+			}
+			assert.NoError(t, err)
+			integration.AssertResourceDetails(t, tt.res.want, got.Details)
+			if tt.res.returnCode {
+				assert.NotNil(t, got.VerificationCode)
+			} else {
+				assert.Nil(t, got.VerificationCode)
+			}
+		})
+	}
+}
+
+func TestServer_VerifyContactEmail(t *testing.T) {
+	t.Parallel()
+	instance := integration.NewInstance(CTX)
+	ensureFeatureEnabled(t, instance)
+	isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
+
+	schema := []byte(`{
+		"$schema": "urn:zitadel:schema:v1",
+			"type": "object",
+			"properties": {
+			"name": {
+				"type": "string"
+			}
+		}
+	}`)
+	schemaResp := instance.CreateUserSchema(isolatedIAMOwnerCTX, schema)
+	orgResp := instance.CreateOrganization(isolatedIAMOwnerCTX, gofakeit.Name(), gofakeit.Email())
+
+	type res struct {
+		want *resource_object.Details
+	}
+	tests := []struct {
+		name    string
+		ctx     context.Context
+		dep     func(req *user.VerifyContactEmailRequest) error
+		req     *user.VerifyContactEmailRequest
+		res     res
+		wantErr bool
+	}{
+		{
+			name: "email verify, no context",
+			ctx:  context.Background(),
+			dep: func(req *user.VerifyContactEmailRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				verifyResp := instance.UpdateSchemaUserEmail(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, gofakeit.Email())
+				req.VerificationCode = verifyResp.GetVerificationCode()
+				return nil
+			},
+			req: &user.VerifyContactEmailRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "email verify, no permission",
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			dep: func(req *user.VerifyContactEmailRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				verifyResp := instance.UpdateSchemaUserEmail(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, gofakeit.Email())
+				req.VerificationCode = verifyResp.GetVerificationCode()
+				return nil
+			},
+			req: &user.VerifyContactEmailRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "email verify, not found",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.VerifyContactEmailRequest) error {
+				return nil
+			},
+			req: &user.VerifyContactEmailRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Id:               "notexisting",
+				VerificationCode: "unimportant",
+			},
+			wantErr: true,
+		},
+		{
+			name: "email verify, not found, org",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.VerifyContactEmailRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				verifyResp := instance.UpdateSchemaUserEmail(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, gofakeit.Email())
+				req.VerificationCode = verifyResp.GetVerificationCode()
+				return nil
+			},
+			req: &user.VerifyContactEmailRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: "not existing",
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "email verify, wrong code",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.VerifyContactEmailRequest) error {
+				data := "{\"name\": \"user\"}"
+				schemaID := schemaResp.GetDetails().GetId()
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaID, []byte(data))
+				req.Id = userResp.GetDetails().GetId()
+				instance.UpdateSchemaUserEmail(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, gofakeit.Email())
+				return nil
+			},
+			req: &user.VerifyContactEmailRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				VerificationCode: "wrong",
+			},
+			wantErr: true,
+		},
+		{
+			name: "email verify, no org, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.VerifyContactEmailRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				verifyResp := instance.UpdateSchemaUserEmail(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, gofakeit.Email())
+				req.VerificationCode = verifyResp.GetVerificationCode()
+				return nil
+			},
+			req: &user.VerifyContactEmailRequest{},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+		{
+			name: "email verify, return, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.VerifyContactEmailRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				verifyResp := instance.UpdateSchemaUserEmail(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, gofakeit.Email())
+				req.VerificationCode = verifyResp.GetVerificationCode()
+				return nil
+			},
+			req: &user.VerifyContactEmailRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.dep != nil {
+				err := tt.dep(tt.req)
+				require.NoError(t, err)
+			}
+			got, err := instance.Client.UserV3Alpha.VerifyContactEmail(tt.ctx, tt.req)
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+			}
+			assert.NoError(t, err)
+			integration.AssertResourceDetails(t, tt.res.want, got.Details)
+		})
+	}
+}
+
+func TestServer_ResendContactEmailCode(t *testing.T) {
+	t.Parallel()
+	instance := integration.NewInstance(CTX)
+	ensureFeatureEnabled(t, instance)
+	isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
+
+	schema := []byte(`{
+		"$schema": "urn:zitadel:schema:v1",
+			"type": "object",
+			"properties": {
+			"name": {
+				"type": "string"
+			}
+		}
+	}`)
+	schemaResp := instance.CreateUserSchema(isolatedIAMOwnerCTX, schema)
+	orgResp := instance.CreateOrganization(isolatedIAMOwnerCTX, gofakeit.Name(), gofakeit.Email())
+
+	type res struct {
+		want       *resource_object.Details
+		returnCode bool
+	}
+	tests := []struct {
+		name    string
+		ctx     context.Context
+		dep     func(req *user.ResendContactEmailCodeRequest) error
+		req     *user.ResendContactEmailCodeRequest
+		res     res
+		wantErr bool
+	}{
+		{
+			name: "email resend, no context",
+			ctx:  context.Background(),
+			dep: func(req *user.ResendContactEmailCodeRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				instance.UpdateSchemaUserEmail(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, gofakeit.Email())
+				return nil
+			},
+			req: &user.ResendContactEmailCodeRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "email resend, no permission",
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			dep: func(req *user.ResendContactEmailCodeRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				instance.UpdateSchemaUserEmail(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, gofakeit.Email())
+				return nil
+			},
+			req: &user.ResendContactEmailCodeRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "email resend, not found",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.ResendContactEmailCodeRequest) error {
+				return nil
+			},
+			req: &user.ResendContactEmailCodeRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Id: "notexisting",
+			},
+			wantErr: true,
+		},
+		{
+			name: "email resend, not found, org",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.ResendContactEmailCodeRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				instance.UpdateSchemaUserEmail(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, gofakeit.Email())
+				return nil
+			},
+			req: &user.ResendContactEmailCodeRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: "not existing",
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "email resend, no code",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.ResendContactEmailCodeRequest) error {
+				data := "{\"name\": \"user\"}"
+				schemaID := schemaResp.GetDetails().GetId()
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaID, []byte(data))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.ResendContactEmailCodeRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "email resend, no org, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.ResendContactEmailCodeRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				instance.UpdateSchemaUserEmail(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, gofakeit.Email())
+				return nil
+			},
+			req: &user.ResendContactEmailCodeRequest{},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+		{
+			name: "email resend, return, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.ResendContactEmailCodeRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				instance.UpdateSchemaUserEmail(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, gofakeit.Email())
+				return nil
+			},
+			req: &user.ResendContactEmailCodeRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Verification: &user.ResendContactEmailCodeRequest_ReturnCode{},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+				returnCode: true,
+			},
+		},
+		{
+			name: "email resend, sent, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.ResendContactEmailCodeRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				instance.UpdateSchemaUserEmail(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, gofakeit.Email())
+				return nil
+			},
+			req: &user.ResendContactEmailCodeRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Verification: &user.ResendContactEmailCodeRequest_SendCode{},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.dep != nil {
+				err := tt.dep(tt.req)
+				require.NoError(t, err)
+			}
+			got, err := instance.Client.UserV3Alpha.ResendContactEmailCode(tt.ctx, tt.req)
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+			}
+			assert.NoError(t, err)
+			integration.AssertResourceDetails(t, tt.res.want, got.Details)
+			if tt.res.returnCode {
+				assert.NotNil(t, got.VerificationCode)
+			} else {
+				assert.Nil(t, got.VerificationCode)
+			}
+		})
+	}
+}
diff --git a/internal/api/grpc/resources/user/v3alpha/integration_test/phone_test.go b/internal/api/grpc/resources/user/v3alpha/integration_test/phone_test.go
new file mode 100644
index 0000000000..d61135d30d
--- /dev/null
+++ b/internal/api/grpc/resources/user/v3alpha/integration_test/phone_test.go
@@ -0,0 +1,701 @@
+//go:build integration
+
+package user_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/brianvoe/gofakeit/v6"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/zitadel/zitadel/internal/integration"
+	object "github.com/zitadel/zitadel/pkg/grpc/object/v3alpha"
+	resource_object "github.com/zitadel/zitadel/pkg/grpc/resources/object/v3alpha"
+	user "github.com/zitadel/zitadel/pkg/grpc/resources/user/v3alpha"
+)
+
+func TestServer_SetContactPhone(t *testing.T) {
+	t.Parallel()
+	instance := integration.NewInstance(CTX)
+	ensureFeatureEnabled(t, instance)
+	isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
+
+	schema := []byte(`{
+		"$schema": "urn:zitadel:schema:v1",
+			"type": "object",
+			"properties": {
+			"name": {
+				"type": "string"
+			}
+		}
+	}`)
+	schemaResp := instance.CreateUserSchema(isolatedIAMOwnerCTX, schema)
+	orgResp := instance.CreateOrganization(isolatedIAMOwnerCTX, gofakeit.Name(), gofakeit.Email())
+
+	type res struct {
+		want       *resource_object.Details
+		returnCode bool
+	}
+	tests := []struct {
+		name    string
+		ctx     context.Context
+		dep     func(req *user.SetContactPhoneRequest) error
+		req     *user.SetContactPhoneRequest
+		res     res
+		wantErr bool
+	}{
+		{
+			name: "phone patch, no context",
+			ctx:  context.Background(),
+			dep: func(req *user.SetContactPhoneRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.SetContactPhoneRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Phone: &user.SetPhone{
+					Number: gofakeit.Phone(),
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "phone patch, no permission",
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			dep: func(req *user.SetContactPhoneRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.SetContactPhoneRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Phone: &user.SetPhone{
+					Number: gofakeit.Phone(),
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "phone patch, not found",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.SetContactPhoneRequest) error {
+				return nil
+			},
+			req: &user.SetContactPhoneRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Id: "notexisting",
+				Phone: &user.SetPhone{
+					Number: gofakeit.Phone(),
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "phone patch, not found, org",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.SetContactPhoneRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.SetContactPhoneRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: "not existing",
+					},
+				},
+				Phone: &user.SetPhone{
+					Number: gofakeit.Phone(),
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "phone patch, no change",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.SetContactPhoneRequest) error {
+				data := "{\"name\": \"user\"}"
+				schemaID := schemaResp.GetDetails().GetId()
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaID, []byte(data))
+				req.Id = userResp.GetDetails().GetId()
+				number := gofakeit.Phone()
+				instance.UpdateSchemaUserPhone(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, number)
+				req.Phone.Number = number
+				return nil
+			},
+			req: &user.SetContactPhoneRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Phone: &user.SetPhone{},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+		{
+			name: "phone patch, no org, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.SetContactPhoneRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.SetContactPhoneRequest{
+				Phone: &user.SetPhone{
+					Number: gofakeit.Phone(),
+				},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+		{
+			name: "phone patch, return, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.SetContactPhoneRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.SetContactPhoneRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Phone: &user.SetPhone{
+					Number:       gofakeit.Phone(),
+					Verification: &user.SetPhone_ReturnCode{},
+				},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+				returnCode: true,
+			},
+		},
+		{
+			name: "phone patch, verified, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.SetContactPhoneRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.SetContactPhoneRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Phone: &user.SetPhone{
+					Number:       gofakeit.Phone(),
+					Verification: &user.SetPhone_IsVerified{IsVerified: true},
+				},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+		{
+			name: "phone patch, sent, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.SetContactPhoneRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.SetContactPhoneRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Phone: &user.SetPhone{
+					Number:       gofakeit.Phone(),
+					Verification: &user.SetPhone_SendCode{},
+				},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.dep != nil {
+				err := tt.dep(tt.req)
+				require.NoError(t, err)
+			}
+			got, err := instance.Client.UserV3Alpha.SetContactPhone(tt.ctx, tt.req)
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+			}
+			assert.NoError(t, err)
+			integration.AssertResourceDetails(t, tt.res.want, got.Details)
+			if tt.res.returnCode {
+				assert.NotNil(t, got.VerificationCode)
+			} else {
+				assert.Nil(t, got.VerificationCode)
+			}
+		})
+	}
+}
+
+func TestServer_VerifyContactPhone(t *testing.T) {
+	t.Parallel()
+	instance := integration.NewInstance(CTX)
+	ensureFeatureEnabled(t, instance)
+	isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
+
+	schema := []byte(`{
+		"$schema": "urn:zitadel:schema:v1",
+			"type": "object",
+			"properties": {
+			"name": {
+				"type": "string"
+			}
+		}
+	}`)
+	schemaResp := instance.CreateUserSchema(isolatedIAMOwnerCTX, schema)
+	orgResp := instance.CreateOrganization(isolatedIAMOwnerCTX, gofakeit.Name(), gofakeit.Email())
+
+	type res struct {
+		want            *resource_object.Details
+		returnCodePhone bool
+	}
+	tests := []struct {
+		name    string
+		ctx     context.Context
+		dep     func(req *user.VerifyContactPhoneRequest) error
+		req     *user.VerifyContactPhoneRequest
+		res     res
+		wantErr bool
+	}{
+		{
+			name: "phone verify, no context",
+			ctx:  context.Background(),
+			dep: func(req *user.VerifyContactPhoneRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				verifyResp := instance.UpdateSchemaUserPhone(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, gofakeit.Phone())
+				req.VerificationCode = verifyResp.GetVerificationCode()
+				return nil
+			},
+			req: &user.VerifyContactPhoneRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "phone verify, no permission",
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			dep: func(req *user.VerifyContactPhoneRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				verifyResp := instance.UpdateSchemaUserPhone(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, gofakeit.Phone())
+				req.VerificationCode = verifyResp.GetVerificationCode()
+				return nil
+			},
+			req: &user.VerifyContactPhoneRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "phone verify, not found",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.VerifyContactPhoneRequest) error {
+				return nil
+			},
+			req: &user.VerifyContactPhoneRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Id:               "notexisting",
+				VerificationCode: "unimportant",
+			},
+			wantErr: true,
+		},
+		{
+			name: "phone verify, not found, org",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.VerifyContactPhoneRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				verifyResp := instance.UpdateSchemaUserPhone(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, gofakeit.Phone())
+				req.VerificationCode = verifyResp.GetVerificationCode()
+				return nil
+			},
+			req: &user.VerifyContactPhoneRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: "not existing",
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "phone verify, wrong code",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.VerifyContactPhoneRequest) error {
+				data := "{\"name\": \"user\"}"
+				schemaID := schemaResp.GetDetails().GetId()
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaID, []byte(data))
+				req.Id = userResp.GetDetails().GetId()
+				instance.UpdateSchemaUserPhone(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, gofakeit.Phone())
+				return nil
+			},
+			req: &user.VerifyContactPhoneRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				VerificationCode: "wrong",
+			},
+			wantErr: true,
+		},
+		{
+			name: "phone verify, no org, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.VerifyContactPhoneRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				verifyResp := instance.UpdateSchemaUserPhone(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, gofakeit.Phone())
+				req.VerificationCode = verifyResp.GetVerificationCode()
+				return nil
+			},
+			req: &user.VerifyContactPhoneRequest{},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+		{
+			name: "phone verify, return, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.VerifyContactPhoneRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				verifyResp := instance.UpdateSchemaUserPhone(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, gofakeit.Phone())
+				req.VerificationCode = verifyResp.GetVerificationCode()
+				return nil
+			},
+			req: &user.VerifyContactPhoneRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+				returnCodePhone: true,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.dep != nil {
+				err := tt.dep(tt.req)
+				require.NoError(t, err)
+			}
+			got, err := instance.Client.UserV3Alpha.VerifyContactPhone(tt.ctx, tt.req)
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+			}
+			assert.NoError(t, err)
+			integration.AssertResourceDetails(t, tt.res.want, got.Details)
+		})
+	}
+}
+
+func TestServer_ResendContactPhoneCode(t *testing.T) {
+	t.Parallel()
+	instance := integration.NewInstance(CTX)
+	ensureFeatureEnabled(t, instance)
+	isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
+
+	schema := []byte(`{
+		"$schema": "urn:zitadel:schema:v1",
+			"type": "object",
+			"properties": {
+			"name": {
+				"type": "string"
+			}
+		}
+	}`)
+	schemaResp := instance.CreateUserSchema(isolatedIAMOwnerCTX, schema)
+	orgResp := instance.CreateOrganization(isolatedIAMOwnerCTX, gofakeit.Name(), gofakeit.Email())
+
+	type res struct {
+		want       *resource_object.Details
+		returnCode bool
+	}
+	tests := []struct {
+		name    string
+		ctx     context.Context
+		dep     func(req *user.ResendContactPhoneCodeRequest) error
+		req     *user.ResendContactPhoneCodeRequest
+		res     res
+		wantErr bool
+	}{
+		{
+			name: "phone resend, no context",
+			ctx:  context.Background(),
+			dep: func(req *user.ResendContactPhoneCodeRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				instance.UpdateSchemaUserPhone(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, gofakeit.Phone())
+				return nil
+			},
+			req: &user.ResendContactPhoneCodeRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "phone resend, no permission",
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			dep: func(req *user.ResendContactPhoneCodeRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				instance.UpdateSchemaUserPhone(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, gofakeit.Phone())
+				return nil
+			},
+			req: &user.ResendContactPhoneCodeRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "phone resend, not found",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.ResendContactPhoneCodeRequest) error {
+				return nil
+			},
+			req: &user.ResendContactPhoneCodeRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Id: "notexisting",
+			},
+			wantErr: true,
+		},
+		{
+			name: "phone resend, not found, org",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.ResendContactPhoneCodeRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				instance.UpdateSchemaUserPhone(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, gofakeit.Phone())
+				return nil
+			},
+			req: &user.ResendContactPhoneCodeRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: "not existing",
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "phone resend, no code",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.ResendContactPhoneCodeRequest) error {
+				data := "{\"name\": \"user\"}"
+				schemaID := schemaResp.GetDetails().GetId()
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaID, []byte(data))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.ResendContactPhoneCodeRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "phone resend, no org, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.ResendContactPhoneCodeRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				instance.UpdateSchemaUserPhone(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, gofakeit.Phone())
+				return nil
+			},
+			req: &user.ResendContactPhoneCodeRequest{},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+		{
+			name: "phone resend, return, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.ResendContactPhoneCodeRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				instance.UpdateSchemaUserPhone(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, gofakeit.Phone())
+				return nil
+			},
+			req: &user.ResendContactPhoneCodeRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Verification: &user.ResendContactPhoneCodeRequest_ReturnCode{},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+				returnCode: true,
+			},
+		},
+		{
+			name: "phone resend, sent, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.ResendContactPhoneCodeRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				instance.UpdateSchemaUserPhone(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, gofakeit.Phone())
+				return nil
+			},
+			req: &user.ResendContactPhoneCodeRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Verification: &user.ResendContactPhoneCodeRequest_SendCode{},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.dep != nil {
+				err := tt.dep(tt.req)
+				require.NoError(t, err)
+			}
+			got, err := instance.Client.UserV3Alpha.ResendContactPhoneCode(tt.ctx, tt.req)
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+			}
+			assert.NoError(t, err)
+			integration.AssertResourceDetails(t, tt.res.want, got.Details)
+			if tt.res.returnCode {
+				assert.NotNil(t, got.VerificationCode)
+			} else {
+				assert.Nil(t, got.VerificationCode)
+			}
+		})
+	}
+}
diff --git a/internal/api/grpc/resources/user/v3alpha/integration_test/server_test.go b/internal/api/grpc/resources/user/v3alpha/integration_test/server_test.go
index b2b11fd510..fee1a38430 100644
--- a/internal/api/grpc/resources/user/v3alpha/integration_test/server_test.go
+++ b/internal/api/grpc/resources/user/v3alpha/integration_test/server_test.go
@@ -14,6 +14,7 @@ import (
 
 	"github.com/zitadel/zitadel/internal/integration"
 	"github.com/zitadel/zitadel/pkg/grpc/feature/v2"
+	user "github.com/zitadel/zitadel/pkg/grpc/resources/user/v3alpha"
 )
 
 var (
@@ -51,7 +52,7 @@ func ensureFeatureEnabled(t *testing.T, instance *integration.Instance) {
 			f, err := instance.Client.FeatureV2.GetInstanceFeatures(ctx, &feature.GetInstanceFeaturesRequest{
 				Inheritance: true,
 			})
-			require.NoError(ttt, err)
+			assert.NoError(ttt, err)
 			if f.UserSchema.GetEnabled() {
 				return
 			}
@@ -59,4 +60,13 @@ func ensureFeatureEnabled(t *testing.T, instance *integration.Instance) {
 		retryDuration,
 		time.Second,
 		"timed out waiting for ensuring instance feature")
+
+	require.EventuallyWithT(t,
+		func(ttt *assert.CollectT) {
+			_, err := instance.Client.UserV3Alpha.SearchUsers(ctx, &user.SearchUsersRequest{})
+			assert.NoError(ttt, err)
+		},
+		retryDuration,
+		time.Second,
+		"timed out waiting for ensuring instance feature call")
 }
diff --git a/internal/api/grpc/resources/user/v3alpha/integration_test/user_test.go b/internal/api/grpc/resources/user/v3alpha/integration_test/user_test.go
index c8db0f7f6a..95e98b1a9e 100644
--- a/internal/api/grpc/resources/user/v3alpha/integration_test/user_test.go
+++ b/internal/api/grpc/resources/user/v3alpha/integration_test/user_test.go
@@ -8,6 +8,7 @@ import (
 
 	"github.com/brianvoe/gofakeit/v6"
 	"github.com/muhlemmer/gu"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/zitadel/logging"
 	"google.golang.org/protobuf/types/known/structpb"
@@ -628,16 +629,20 @@ func TestServer_PatchUser(t *testing.T) {
 			}
 			got, err := instance.Client.UserV3Alpha.PatchUser(tt.ctx, tt.req)
 			if tt.wantErr {
-				require.Error(t, err)
+				assert.Error(t, err)
 				return
 			}
-			require.NoError(t, err)
+			assert.NoError(t, err)
 			integration.AssertResourceDetails(t, tt.res.want, got.Details)
 			if tt.res.returnCodeEmail {
-				require.NotNil(t, got.EmailCode)
+				assert.NotNil(t, got.EmailCode)
+			} else {
+				assert.Nil(t, got.EmailCode)
 			}
 			if tt.res.returnCodePhone {
-				require.NotNil(t, got.PhoneCode)
+				assert.NotNil(t, got.PhoneCode)
+			} else {
+				assert.Nil(t, got.PhoneCode)
 			}
 		})
 	}
@@ -843,10 +848,10 @@ func TestServer_DeleteUser(t *testing.T) {
 			}
 			got, err := instance.Client.UserV3Alpha.DeleteUser(tt.ctx, tt.req)
 			if tt.wantErr {
-				require.Error(t, err)
+				assert.Error(t, err)
 				return
 			}
-			require.NoError(t, err)
+			assert.NoError(t, err)
 			integration.AssertResourceDetails(t, tt.want, got.Details)
 		})
 	}
@@ -1054,10 +1059,10 @@ func TestServer_LockUser(t *testing.T) {
 			}
 			got, err := instance.Client.UserV3Alpha.LockUser(tt.ctx, tt.req)
 			if tt.wantErr {
-				require.Error(t, err)
+				assert.Error(t, err)
 				return
 			}
-			require.NoError(t, err)
+			assert.NoError(t, err)
 			integration.AssertResourceDetails(t, tt.want, got.Details)
 		})
 	}
@@ -1237,10 +1242,10 @@ func TestServer_UnlockUser(t *testing.T) {
 			}
 			got, err := instance.Client.UserV3Alpha.UnlockUser(tt.ctx, tt.req)
 			if tt.wantErr {
-				require.Error(t, err)
+				assert.Error(t, err)
 				return
 			}
-			require.NoError(t, err)
+			assert.NoError(t, err)
 			integration.AssertResourceDetails(t, tt.want, got.Details)
 		})
 	}
@@ -1439,10 +1444,10 @@ func TestServer_DeactivateUser(t *testing.T) {
 			}
 			got, err := instance.Client.UserV3Alpha.DeactivateUser(tt.ctx, tt.req)
 			if tt.wantErr {
-				require.Error(t, err)
+				assert.Error(t, err)
 				return
 			}
-			require.NoError(t, err)
+			assert.NoError(t, err)
 			integration.AssertResourceDetails(t, tt.want, got.Details)
 		})
 	}
@@ -1622,10 +1627,10 @@ func TestServer_ActivateUser(t *testing.T) {
 			}
 			got, err := instance.Client.UserV3Alpha.ActivateUser(tt.ctx, tt.req)
 			if tt.wantErr {
-				require.Error(t, err)
+				assert.Error(t, err)
 				return
 			}
-			require.NoError(t, err)
+			assert.NoError(t, err)
 			integration.AssertResourceDetails(t, tt.want, got.Details)
 		})
 	}
diff --git a/internal/api/grpc/resources/user/v3alpha/phone.go b/internal/api/grpc/resources/user/v3alpha/phone.go
new file mode 100644
index 0000000000..64cab1c13b
--- /dev/null
+++ b/internal/api/grpc/resources/user/v3alpha/phone.go
@@ -0,0 +1,81 @@
+package user
+
+import (
+	"context"
+
+	resource_object "github.com/zitadel/zitadel/internal/api/grpc/resources/object/v3alpha"
+	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/domain"
+	object "github.com/zitadel/zitadel/pkg/grpc/object/v3alpha"
+	user "github.com/zitadel/zitadel/pkg/grpc/resources/user/v3alpha"
+)
+
+func (s *Server) SetContactPhone(ctx context.Context, req *user.SetContactPhoneRequest) (_ *user.SetContactPhoneResponse, err error) {
+	if err := checkUserSchemaEnabled(ctx); err != nil {
+		return nil, err
+	}
+	schemauser := setContactPhoneRequestToChangeSchemaUserPhone(req)
+	details, err := s.command.ChangeSchemaUserPhone(ctx, schemauser)
+	if err != nil {
+		return nil, err
+	}
+	return &user.SetContactPhoneResponse{
+		Details:          resource_object.DomainToDetailsPb(details, object.OwnerType_OWNER_TYPE_ORG, details.ResourceOwner),
+		VerificationCode: schemauser.ReturnCode,
+	}, nil
+}
+
+func setContactPhoneRequestToChangeSchemaUserPhone(req *user.SetContactPhoneRequest) *command.ChangeSchemaUserPhone {
+	return &command.ChangeSchemaUserPhone{
+		ResourceOwner: organizationToUpdateResourceOwner(req.Organization),
+		ID:            req.GetId(),
+		Phone:         setPhoneToPhone(req.Phone),
+	}
+}
+
+func setPhoneToPhone(setPhone *user.SetPhone) *command.Phone {
+	if setPhone == nil {
+		return nil
+	}
+	return &command.Phone{
+		Number:     domain.PhoneNumber(setPhone.Number),
+		ReturnCode: setPhone.GetReturnCode() != nil,
+		Verified:   setPhone.GetIsVerified(),
+	}
+}
+
+func (s *Server) VerifyContactPhone(ctx context.Context, req *user.VerifyContactPhoneRequest) (_ *user.VerifyContactPhoneResponse, err error) {
+	if err := checkUserSchemaEnabled(ctx); err != nil {
+		return nil, err
+	}
+	details, err := s.command.VerifySchemaUserPhone(ctx, organizationToUpdateResourceOwner(req.Organization), req.GetId(), req.GetVerificationCode())
+	if err != nil {
+		return nil, err
+	}
+	return &user.VerifyContactPhoneResponse{
+		Details: resource_object.DomainToDetailsPb(details, object.OwnerType_OWNER_TYPE_ORG, details.ResourceOwner),
+	}, nil
+}
+
+func (s *Server) ResendContactPhoneCode(ctx context.Context, req *user.ResendContactPhoneCodeRequest) (_ *user.ResendContactPhoneCodeResponse, err error) {
+	if err := checkUserSchemaEnabled(ctx); err != nil {
+		return nil, err
+	}
+	schemauser := resendContactPhoneCodeRequestToResendSchemaUserPhoneCode(req)
+	details, err := s.command.ResendSchemaUserPhoneCode(ctx, schemauser)
+	if err != nil {
+		return nil, err
+	}
+	return &user.ResendContactPhoneCodeResponse{
+		Details:          resource_object.DomainToDetailsPb(details, object.OwnerType_OWNER_TYPE_ORG, details.ResourceOwner),
+		VerificationCode: schemauser.PlainCode,
+	}, nil
+}
+
+func resendContactPhoneCodeRequestToResendSchemaUserPhoneCode(req *user.ResendContactPhoneCodeRequest) *command.ResendSchemaUserPhoneCode {
+	return &command.ResendSchemaUserPhoneCode{
+		ResourceOwner: organizationToUpdateResourceOwner(req.Organization),
+		ID:            req.GetId(),
+		ReturnCode:    req.GetReturnCode() != nil,
+	}
+}
diff --git a/internal/api/grpc/resources/user/v3alpha/query.go b/internal/api/grpc/resources/user/v3alpha/query.go
new file mode 100644
index 0000000000..802ad3fdc3
--- /dev/null
+++ b/internal/api/grpc/resources/user/v3alpha/query.go
@@ -0,0 +1,14 @@
+package user
+
+import (
+	"context"
+
+	user "github.com/zitadel/zitadel/pkg/grpc/resources/user/v3alpha"
+)
+
+func (s *Server) SearchUsers(ctx context.Context, _ *user.SearchUsersRequest) (_ *user.SearchUsersResponse, err error) {
+	if err := checkUserSchemaEnabled(ctx); err != nil {
+		return nil, err
+	}
+	return &user.SearchUsersResponse{}, nil
+}
diff --git a/internal/api/grpc/resources/user/v3alpha/server.go b/internal/api/grpc/resources/user/v3alpha/server.go
index e18f017453..57b2e44016 100644
--- a/internal/api/grpc/resources/user/v3alpha/server.go
+++ b/internal/api/grpc/resources/user/v3alpha/server.go
@@ -6,7 +6,6 @@ import (
 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/api/grpc/server"
 	"github.com/zitadel/zitadel/internal/command"
-	"github.com/zitadel/zitadel/internal/crypto"
 	user "github.com/zitadel/zitadel/pkg/grpc/resources/user/v3alpha"
 )
 
@@ -14,19 +13,16 @@ var _ user.ZITADELUsersServer = (*Server)(nil)
 
 type Server struct {
 	user.UnimplementedZITADELUsersServer
-	command     *command.Commands
-	userCodeAlg crypto.EncryptionAlgorithm
+	command *command.Commands
 }
 
 type Config struct{}
 
 func CreateServer(
 	command *command.Commands,
-	userCodeAlg crypto.EncryptionAlgorithm,
 ) *Server {
 	return &Server{
-		command:     command,
-		userCodeAlg: userCodeAlg,
+		command: command,
 	}
 }
 
diff --git a/internal/api/grpc/resources/user/v3alpha/user.go b/internal/api/grpc/resources/user/v3alpha/user.go
index 7c3f2a750e..971644de7d 100644
--- a/internal/api/grpc/resources/user/v3alpha/user.go
+++ b/internal/api/grpc/resources/user/v3alpha/user.go
@@ -3,12 +3,9 @@ package user
 import (
 	"context"
 
-	"github.com/muhlemmer/gu"
-
 	"github.com/zitadel/zitadel/internal/api/authz"
 	resource_object "github.com/zitadel/zitadel/internal/api/grpc/resources/object/v3alpha"
 	"github.com/zitadel/zitadel/internal/command"
-	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/zerrors"
 	object "github.com/zitadel/zitadel/pkg/grpc/object/v3alpha"
 	"github.com/zitadel/zitadel/pkg/grpc/resources/user/v3alpha"
@@ -22,14 +19,14 @@ func (s *Server) CreateUser(ctx context.Context, req *user.CreateUserRequest) (_
 	if err != nil {
 		return nil, err
 	}
-
-	if err := s.command.CreateSchemaUser(ctx, schemauser, s.userCodeAlg); err != nil {
+	details, err := s.command.CreateSchemaUser(ctx, schemauser)
+	if err != nil {
 		return nil, err
 	}
 	return &user.CreateUserResponse{
-		Details:   resource_object.DomainToDetailsPb(schemauser.Details, object.OwnerType_OWNER_TYPE_ORG, schemauser.Details.ResourceOwner),
-		EmailCode: gu.Ptr(schemauser.ReturnCodeEmail),
-		PhoneCode: gu.Ptr(schemauser.ReturnCodePhone),
+		Details:   resource_object.DomainToDetailsPb(details, object.OwnerType_OWNER_TYPE_ORG, details.ResourceOwner),
+		EmailCode: schemauser.ReturnCodeEmail,
+		PhoneCode: schemauser.ReturnCodePhone,
 	}, nil
 }
 
@@ -44,6 +41,8 @@ func createUserRequestToCreateSchemaUser(ctx context.Context, req *user.CreateUs
 		SchemaID:      req.GetUser().GetSchemaId(),
 		ID:            req.GetUser().GetUserId(),
 		Data:          data,
+		Email:         setEmailToEmail(req.GetUser().GetContact().GetEmail()),
+		Phone:         setPhoneToPhone(req.GetUser().GetContact().GetPhone()),
 	}, nil
 }
 
@@ -91,17 +90,36 @@ func (s *Server) PatchUser(ctx context.Context, req *user.PatchUserRequest) (_ *
 		return nil, err
 	}
 
-	if err := s.command.ChangeSchemaUser(ctx, schemauser, s.userCodeAlg); err != nil {
+	details, err := s.command.ChangeSchemaUser(ctx, schemauser)
+	if err != nil {
 		return nil, err
 	}
 	return &user.PatchUserResponse{
-		Details:   resource_object.DomainToDetailsPb(schemauser.Details, object.OwnerType_OWNER_TYPE_ORG, schemauser.Details.ResourceOwner),
-		EmailCode: gu.Ptr(schemauser.ReturnCodeEmail),
-		PhoneCode: gu.Ptr(schemauser.ReturnCodePhone),
+		Details:   resource_object.DomainToDetailsPb(details, object.OwnerType_OWNER_TYPE_ORG, details.ResourceOwner),
+		EmailCode: schemauser.ReturnCodeEmail,
+		PhoneCode: schemauser.ReturnCodePhone,
 	}, nil
 }
 
 func patchUserRequestToChangeSchemaUser(req *user.PatchUserRequest) (_ *command.ChangeSchemaUser, err error) {
+	schemaUser, err := setSchemaUserToSchemaUser(req)
+	if err != nil {
+		return nil, err
+	}
+	email, phone := setContactToContact(req.GetUser().GetContact())
+	return &command.ChangeSchemaUser{
+		ResourceOwner: organizationToUpdateResourceOwner(req.Organization),
+		ID:            req.GetId(),
+		SchemaUser:    schemaUser,
+		Email:         email,
+		Phone:         phone,
+	}, nil
+}
+
+func setSchemaUserToSchemaUser(req *user.PatchUserRequest) (_ *command.SchemaUser, err error) {
+	if req.GetUser() == nil {
+		return nil, nil
+	}
 	var data []byte
 	if req.GetUser().Data != nil {
 		data, err = req.GetUser().GetData().MarshalJSON()
@@ -110,45 +128,19 @@ func patchUserRequestToChangeSchemaUser(req *user.PatchUserRequest) (_ *command.
 		}
 	}
 
-	var email *command.Email
-	var phone *command.Phone
-	if req.GetUser().GetContact() != nil {
-		if req.GetUser().GetContact().GetEmail() != nil {
-			email = &command.Email{
-				Address: domain.EmailAddress(req.GetUser().GetContact().Email.Address),
-			}
-			if req.GetUser().GetContact().Email.GetIsVerified() {
-				email.Verified = true
-			}
-			if req.GetUser().GetContact().Email.GetReturnCode() != nil {
-				email.ReturnCode = true
-			}
-			if req.GetUser().GetContact().Email.GetSendCode() != nil {
-				email.URLTemplate = req.GetUser().GetContact().Email.GetSendCode().GetUrlTemplate()
-			}
-		}
-		if req.GetUser().GetContact().Phone != nil {
-			phone = &command.Phone{
-				Number: domain.PhoneNumber(req.GetUser().GetContact().Phone.Number),
-			}
-			if req.GetUser().GetContact().Phone.GetIsVerified() {
-				phone.Verified = true
-			}
-			if req.GetUser().GetContact().Phone.GetReturnCode() != nil {
-				phone.ReturnCode = true
-			}
-		}
-	}
-	return &command.ChangeSchemaUser{
-		ResourceOwner: organizationToUpdateResourceOwner(req.Organization),
-		ID:            req.GetId(),
-		SchemaID:      req.GetUser().SchemaId,
-		Data:          data,
-		Email:         email,
-		Phone:         phone,
+	return &command.SchemaUser{
+		SchemaID: req.GetUser().GetSchemaId(),
+		Data:     data,
 	}, nil
 }
 
+func setContactToContact(contact *user.SetContact) (*command.Email, *command.Phone) {
+	if contact == nil {
+		return nil, nil
+	}
+	return setEmailToEmail(contact.GetEmail()), setPhoneToPhone(contact.GetPhone())
+}
+
 func (s *Server) DeactivateUser(ctx context.Context, req *user.DeactivateUserRequest) (_ *user.DeactivateUserResponse, err error) {
 	if err := checkUserSchemaEnabled(ctx); err != nil {
 		return nil, err
diff --git a/internal/api/grpc/resources/userschema/v3alpha/integration_test/server_test.go b/internal/api/grpc/resources/userschema/v3alpha/integration_test/server_test.go
index f779a98d87..c562f9613a 100644
--- a/internal/api/grpc/resources/userschema/v3alpha/integration_test/server_test.go
+++ b/internal/api/grpc/resources/userschema/v3alpha/integration_test/server_test.go
@@ -14,6 +14,7 @@ import (
 
 	"github.com/zitadel/zitadel/internal/integration"
 	"github.com/zitadel/zitadel/pkg/grpc/feature/v2"
+	schema "github.com/zitadel/zitadel/pkg/grpc/resources/userschema/v3alpha"
 )
 
 var (
@@ -51,7 +52,7 @@ func ensureFeatureEnabled(t *testing.T, instance *integration.Instance) {
 			f, err := instance.Client.FeatureV2.GetInstanceFeatures(ctx, &feature.GetInstanceFeaturesRequest{
 				Inheritance: true,
 			})
-			require.NoError(ttt, err)
+			assert.NoError(ttt, err)
 			if f.UserSchema.GetEnabled() {
 				return
 			}
@@ -59,4 +60,13 @@ func ensureFeatureEnabled(t *testing.T, instance *integration.Instance) {
 		retryDuration,
 		time.Second,
 		"timed out waiting for ensuring instance feature")
+
+	require.EventuallyWithT(t,
+		func(ttt *assert.CollectT) {
+			_, err := instance.Client.UserSchemaV3.SearchUserSchemas(ctx, &schema.SearchUserSchemasRequest{})
+			assert.NoError(ttt, err)
+		},
+		retryDuration,
+		time.Second,
+		"timed out waiting for ensuring instance feature call")
 }
diff --git a/internal/command/command.go b/internal/command/command.go
index 89f23e6ff7..30e383c5df 100644
--- a/internal/command/command.go
+++ b/internal/command/command.go
@@ -189,6 +189,9 @@ type AppendReducer interface {
 }
 
 func (c *Commands) pushAppendAndReduce(ctx context.Context, object AppendReducer, cmds ...eventstore.Command) error {
+	if len(cmds) == 0 {
+		return nil
+	}
 	events, err := c.eventstore.Push(ctx, cmds...)
 	if err != nil {
 		return err
@@ -196,6 +199,20 @@ func (c *Commands) pushAppendAndReduce(ctx context.Context, object AppendReducer
 	return AppendAndReduce(object, events...)
 }
 
+type AppendReducerDetails interface {
+	AppendEvents(...eventstore.Event)
+	// TODO: Why is it allowed to return an error here?
+	Reduce() error
+	GetWriteModel() *eventstore.WriteModel
+}
+
+func (c *Commands) pushAppendAndReduceDetails(ctx context.Context, object AppendReducerDetails, cmds ...eventstore.Command) (*domain.ObjectDetails, error) {
+	if err := c.pushAppendAndReduce(ctx, object, cmds...); err != nil {
+		return nil, err
+	}
+	return writeModelToObjectDetails(object.GetWriteModel()), nil
+}
+
 func AppendAndReduce(object AppendReducer, events ...eventstore.Event) error {
 	object.AppendEvents(events...)
 	return object.Reduce()
diff --git a/internal/command/user_v3.go b/internal/command/user_v3.go
index d5a097ce27..2251baa136 100644
--- a/internal/command/user_v3.go
+++ b/internal/command/user_v3.go
@@ -6,17 +6,13 @@ import (
 	"encoding/json"
 
 	"github.com/zitadel/zitadel/internal/api/authz"
-	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	domain_schema "github.com/zitadel/zitadel/internal/domain/schema"
-	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/repository/user/schemauser"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )
 
 type CreateSchemaUser struct {
-	Details *domain.ObjectDetails
-
 	SchemaID       string
 	schemaRevision uint64
 
@@ -25,9 +21,9 @@ type CreateSchemaUser struct {
 	Data          json.RawMessage
 
 	Email           *Email
-	ReturnCodeEmail string
+	ReturnCodeEmail *string
 	Phone           *Phone
-	ReturnCodePhone string
+	ReturnCodePhone *string
 }
 
 func (s *CreateSchemaUser) Valid(ctx context.Context, c *Commands) (err error) {
@@ -99,44 +95,36 @@ func (c *Commands) getSchemaRoleForWrite(ctx context.Context, resourceOwner, use
 	return domain_schema.RoleOwner, nil
 }
 
-func (c *Commands) CreateSchemaUser(ctx context.Context, user *CreateSchemaUser, alg crypto.EncryptionAlgorithm) (err error) {
+func (c *Commands) CreateSchemaUser(ctx context.Context, user *CreateSchemaUser) (*domain.ObjectDetails, error) {
 	if err := user.Valid(ctx, c); err != nil {
-		return err
+		return nil, err
 	}
 
 	writeModel, err := c.getSchemaUserExists(ctx, user.ResourceOwner, user.ID)
 	if err != nil {
-		return err
-	}
-	if writeModel.Exists() {
-		return zerrors.ThrowPreconditionFailed(nil, "COMMAND-Nn8CRVlkeZ", "Errors.User.AlreadyExists")
+		return nil, err
 	}
 
-	userAgg := UserV3AggregateFromWriteModel(&writeModel.WriteModel)
-	events := []eventstore.Command{
-		schemauser.NewCreatedEvent(ctx,
-			userAgg,
-			user.SchemaID, user.schemaRevision, user.Data,
-		),
+	events, codeEmail, codePhone, err := writeModel.NewCreated(ctx,
+		user.SchemaID,
+		user.schemaRevision,
+		user.Data,
+		user.Email,
+		user.Phone,
+		func(ctx context.Context) (*EncryptedCode, error) {
+			return c.newEmailCode(ctx, c.eventstore.Filter, c.userEncryption) //nolint:staticcheck
+		},
+	)
+	if err != nil {
+		return nil, err
 	}
-	if user.Email != nil {
-		events, user.ReturnCodeEmail, err = c.updateSchemaUserEmail(ctx, writeModel, events, userAgg, user.Email, alg)
-		if err != nil {
-			return err
-		}
+	if codeEmail != "" {
+		user.ReturnCodeEmail = &codeEmail
 	}
-	if user.Phone != nil {
-		events, user.ReturnCodePhone, err = c.updateSchemaUserPhone(ctx, writeModel, events, userAgg, user.Phone, alg)
-		if err != nil {
-			return err
-		}
+	if codePhone != "" {
+		user.ReturnCodePhone = &codePhone
 	}
-
-	if err := c.pushAppendAndReduce(ctx, writeModel, events...); err != nil {
-		return err
-	}
-	user.Details = writeModelToObjectDetails(&writeModel.WriteModel)
-	return nil
+	return c.pushAppendAndReduceDetails(ctx, writeModel, events...)
 }
 
 func (c *Commands) DeleteSchemaUser(ctx context.Context, resourceOwner, id string) (*domain.ObjectDetails, error) {
@@ -147,50 +135,38 @@ func (c *Commands) DeleteSchemaUser(ctx context.Context, resourceOwner, id strin
 	if err != nil {
 		return nil, err
 	}
-	if !writeModel.Exists() {
-		return nil, zerrors.ThrowNotFound(nil, "COMMAND-syHyCsGmvM", "Errors.User.NotFound")
-	}
-	if err := c.checkPermissionDeleteUser(ctx, writeModel.ResourceOwner, writeModel.AggregateID); err != nil {
+
+	events, err := writeModel.NewDelete(ctx)
+	if err != nil {
 		return nil, err
 	}
-	if err := c.pushAppendAndReduce(ctx, writeModel,
-		schemauser.NewDeletedEvent(ctx, UserV3AggregateFromWriteModel(&writeModel.WriteModel)),
-	); err != nil {
-		return nil, err
-	}
-	return writeModelToObjectDetails(&writeModel.WriteModel), nil
+
+	return c.pushAppendAndReduceDetails(ctx, writeModel, events...)
 }
 
 type ChangeSchemaUser struct {
-	Details *domain.ObjectDetails
-
-	SchemaID         *string
 	schemaWriteModel *UserSchemaWriteModel
 
 	ResourceOwner string
 	ID            string
-	Data          json.RawMessage
+
+	SchemaUser *SchemaUser
 
 	Email           *Email
-	ReturnCodeEmail string
+	ReturnCodeEmail *string
 	Phone           *Phone
-	ReturnCodePhone string
+	ReturnCodePhone *string
 }
 
-func (s *ChangeSchemaUser) Valid(ctx context.Context, c *Commands) (err error) {
+type SchemaUser struct {
+	SchemaID string
+	Data     json.RawMessage
+}
+
+func (s *ChangeSchemaUser) Valid() (err error) {
 	if s.ID == "" {
 		return zerrors.ThrowInvalidArgument(nil, "COMMAND-gEJR1QOGHb", "Errors.IDMissing")
 	}
-	if s.SchemaID != nil {
-		s.schemaWriteModel, err = c.getSchemaWriteModelByID(ctx, "", *s.SchemaID)
-		if err != nil {
-			return err
-		}
-		if !s.schemaWriteModel.Exists() {
-			return zerrors.ThrowPreconditionFailed(nil, "COMMAND-VLDTtxT3If", "Errors.UserSchema.NotExists")
-		}
-	}
-
 	if s.Email != nil && s.Email.Address != "" {
 		if err := s.Email.Validate(); err != nil {
 			return err
@@ -206,92 +182,56 @@ func (s *ChangeSchemaUser) Valid(ctx context.Context, c *Commands) (err error) {
 	return nil
 }
 
-func (s *ChangeSchemaUser) ValidData(ctx context.Context, c *Commands, existingUser *UserV3WriteModel) (err error) {
-	// get role for permission check in schema through extension
-	role, err := c.getSchemaRoleForWrite(ctx, existingUser.ResourceOwner, existingUser.AggregateID)
-	if err != nil {
-		return err
-	}
-
-	if s.schemaWriteModel == nil {
-		s.schemaWriteModel, err = c.getSchemaWriteModelByID(ctx, "", existingUser.SchemaID)
-		if err != nil {
-			return err
-		}
-	}
-
-	schema, err := domain_schema.NewSchema(role, bytes.NewReader(s.schemaWriteModel.Schema))
-	if err != nil {
-		return err
-	}
-
-	// if data not changed but a new schema or revision should be used
-	data := s.Data
-	if s.Data == nil {
-		data = existingUser.Data
-	}
-
-	var v interface{}
-	if err := json.Unmarshal(data, &v); err != nil {
-		return zerrors.ThrowInvalidArgument(nil, "COMMAND-7o3ZGxtXUz", "Errors.User.Invalid")
-	}
-
-	if err := schema.Validate(v); err != nil {
-		return zerrors.ThrowPreconditionFailed(nil, "COMMAND-SlKXqLSeL6", "Errors.UserSchema.Data.Invalid")
-	}
-	return nil
-}
-
-func (c *Commands) ChangeSchemaUser(ctx context.Context, user *ChangeSchemaUser, alg crypto.EncryptionAlgorithm) (err error) {
-	if err := user.Valid(ctx, c); err != nil {
-		return err
+func (c *Commands) ChangeSchemaUser(ctx context.Context, user *ChangeSchemaUser) (*domain.ObjectDetails, error) {
+	if err := user.Valid(); err != nil {
+		return nil, err
 	}
 
 	writeModel, err := c.getSchemaUserWriteModelByID(ctx, user.ResourceOwner, user.ID)
 	if err != nil {
-		return err
+		return nil, err
 	}
 	if !writeModel.Exists() {
-		return zerrors.ThrowPreconditionFailed(nil, "COMMAND-Nn8CRVlkeZ", "Errors.User.NotFound")
+		return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-Nn8CRVlkeZ", "Errors.User.NotFound")
 	}
 
-	userAgg := UserV3AggregateFromWriteModel(&writeModel.WriteModel)
-	events := make([]eventstore.Command, 0)
-	if user.Data != nil || user.SchemaID != nil {
-		if err := user.ValidData(ctx, c, writeModel); err != nil {
-			return err
-		}
-		updateEvent := writeModel.NewUpdatedEvent(ctx,
-			userAgg,
-			user.schemaWriteModel.AggregateID,
-			user.schemaWriteModel.SchemaRevision,
-			user.Data,
-		)
-		if updateEvent != nil {
-			events = append(events, updateEvent)
-		}
+	schemaID := writeModel.SchemaID
+	if user.SchemaUser != nil && user.SchemaUser.SchemaID != "" {
+		schemaID = user.SchemaUser.SchemaID
 	}
-	if user.Email != nil {
-		events, user.ReturnCodeEmail, err = c.updateSchemaUserEmail(ctx, writeModel, events, userAgg, user.Email, alg)
+
+	var schemaWM *UserSchemaWriteModel
+	if user.SchemaUser != nil {
+		schemaWriteModel, err := c.getSchemaWriteModelByID(ctx, "", schemaID)
 		if err != nil {
-			return err
+			return nil, err
 		}
-	}
-	if user.Phone != nil {
-		events, user.ReturnCodePhone, err = c.updateSchemaUserPhone(ctx, writeModel, events, userAgg, user.Phone, alg)
-		if err != nil {
-			return err
+		if !schemaWriteModel.Exists() {
+			return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-VLDTtxT3If", "Errors.UserSchema.NotExists")
 		}
+		schemaWM = schemaWriteModel
 	}
-	if len(events) == 0 {
-		user.Details = writeModelToObjectDetails(&writeModel.WriteModel)
-		return nil
+
+	events, codeEmail, codePhone, err := writeModel.NewUpdate(ctx,
+		schemaWM,
+		user.SchemaUser,
+		user.Email,
+		user.Phone,
+		func(ctx context.Context) (*EncryptedCode, error) {
+			return c.newEmailCode(ctx, c.eventstore.Filter, c.userEncryption) //nolint:staticcheck
+		},
+	)
+	if err != nil {
+		return nil, err
 	}
-	if err := c.pushAppendAndReduce(ctx, writeModel, events...); err != nil {
-		return err
+
+	if codeEmail != "" {
+		user.ReturnCodeEmail = &codeEmail
 	}
-	user.Details = writeModelToObjectDetails(&writeModel.WriteModel)
-	return nil
+	if codePhone != "" {
+		user.ReturnCodePhone = &codePhone
+	}
+	return c.pushAppendAndReduceDetails(ctx, writeModel, events...)
 }
 
 func (c *Commands) checkPermissionUpdateUserState(ctx context.Context, resourceOwner, userID string) error {
@@ -368,7 +308,7 @@ func (c *Commands) ActivateSchemaUser(ctx context.Context, resourceOwner, id str
 	if id == "" {
 		return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-17XupGvxBJ", "Errors.IDMissing")
 	}
-	writeModel, err := c.getSchemaUserExists(ctx, "", id)
+	writeModel, err := c.getSchemaUserExists(ctx, resourceOwner, id)
 	if err != nil {
 		return nil, err
 	}
@@ -386,65 +326,8 @@ func (c *Commands) ActivateSchemaUser(ctx context.Context, resourceOwner, id str
 	return writeModelToObjectDetails(&writeModel.WriteModel), nil
 }
 
-func (c *Commands) updateSchemaUserEmail(ctx context.Context, existing *UserV3WriteModel, events []eventstore.Command, agg *eventstore.Aggregate, email *Email, alg crypto.EncryptionAlgorithm) (_ []eventstore.Command, plainCode string, err error) {
-	if existing.Email == string(email.Address) {
-		return events, plainCode, nil
-	}
-
-	events = append(events, schemauser.NewEmailUpdatedEvent(ctx,
-		agg,
-		email.Address,
-	))
-	if email.Verified {
-		events = append(events, schemauser.NewEmailVerifiedEvent(ctx, agg))
-	} else {
-		cryptoCode, err := c.newEmailCode(ctx, c.eventstore.Filter, alg) //nolint:staticcheck
-		if err != nil {
-			return nil, "", err
-		}
-		if email.ReturnCode {
-			plainCode = cryptoCode.Plain
-		}
-		events = append(events, schemauser.NewEmailCodeAddedEvent(ctx, agg,
-			cryptoCode.Crypted,
-			cryptoCode.Expiry,
-			email.URLTemplate,
-			email.ReturnCode,
-		))
-	}
-	return events, plainCode, nil
-}
-
-func (c *Commands) updateSchemaUserPhone(ctx context.Context, existing *UserV3WriteModel, events []eventstore.Command, agg *eventstore.Aggregate, phone *Phone, alg crypto.EncryptionAlgorithm) (_ []eventstore.Command, plainCode string, err error) {
-	if existing.Phone == string(phone.Number) {
-		return events, plainCode, nil
-	}
-
-	events = append(events, schemauser.NewPhoneUpdatedEvent(ctx,
-		agg,
-		phone.Number,
-	))
-	if phone.Verified {
-		events = append(events, schemauser.NewPhoneVerifiedEvent(ctx, agg))
-	} else {
-		cryptoCode, err := c.newPhoneCode(ctx, c.eventstore.Filter, alg) //nolint:staticcheck
-		if err != nil {
-			return nil, "", err
-		}
-		if phone.ReturnCode {
-			plainCode = cryptoCode.Plain
-		}
-		events = append(events, schemauser.NewPhoneCodeAddedEvent(ctx, agg,
-			cryptoCode.Crypted,
-			cryptoCode.Expiry,
-			phone.ReturnCode,
-		))
-	}
-	return events, plainCode, nil
-}
-
 func (c *Commands) getSchemaUserExists(ctx context.Context, resourceOwner, id string) (*UserV3WriteModel, error) {
-	writeModel := NewExistsUserV3WriteModel(resourceOwner, id)
+	writeModel := NewExistsUserV3WriteModel(resourceOwner, id, c.checkPermission)
 	if err := c.eventstore.FilterToQueryReducer(ctx, writeModel); err != nil {
 		return nil, err
 	}
@@ -452,7 +335,23 @@ func (c *Commands) getSchemaUserExists(ctx context.Context, resourceOwner, id st
 }
 
 func (c *Commands) getSchemaUserWriteModelByID(ctx context.Context, resourceOwner, id string) (*UserV3WriteModel, error) {
-	writeModel := NewUserV3WriteModel(resourceOwner, id)
+	writeModel := NewUserV3WriteModel(resourceOwner, id, c.checkPermission)
+	if err := c.eventstore.FilterToQueryReducer(ctx, writeModel); err != nil {
+		return nil, err
+	}
+	return writeModel, nil
+}
+
+func (c *Commands) getSchemaUserEmailWriteModelByID(ctx context.Context, resourceOwner, id string) (*UserV3WriteModel, error) {
+	writeModel := NewUserV3EmailWriteModel(resourceOwner, id, c.checkPermission)
+	if err := c.eventstore.FilterToQueryReducer(ctx, writeModel); err != nil {
+		return nil, err
+	}
+	return writeModel, nil
+}
+
+func (c *Commands) getSchemaUserPhoneWriteModelByID(ctx context.Context, resourceOwner, id string) (*UserV3WriteModel, error) {
+	writeModel := NewUserV3PhoneWriteModel(resourceOwner, id, c.checkPermission)
 	if err := c.eventstore.FilterToQueryReducer(ctx, writeModel); err != nil {
 		return nil, err
 	}
diff --git a/internal/command/user_v3_email.go b/internal/command/user_v3_email.go
new file mode 100644
index 0000000000..9fa3a235f5
--- /dev/null
+++ b/internal/command/user_v3_email.go
@@ -0,0 +1,115 @@
+package command
+
+import (
+	"context"
+	"io"
+	"time"
+
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+type ChangeSchemaUserEmail struct {
+	ResourceOwner string
+	ID            string
+
+	Email      *Email
+	ReturnCode *string
+}
+
+func (s *ChangeSchemaUserEmail) Valid() (err error) {
+	if s.ID == "" {
+		return zerrors.ThrowInvalidArgument(nil, "COMMAND-0oj2PquNGA", "Errors.IDMissing")
+	}
+	if s.Email != nil && s.Email.Address != "" {
+		if err := s.Email.Validate(); err != nil {
+			return err
+		}
+	}
+	if s.Email != nil && s.Email.URLTemplate != "" {
+		if err := domain.RenderConfirmURLTemplate(io.Discard, s.Email.URLTemplate, s.ID, "code", "orgID"); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (c *Commands) ChangeSchemaUserEmail(ctx context.Context, user *ChangeSchemaUserEmail) (_ *domain.ObjectDetails, err error) {
+	if err := user.Valid(); err != nil {
+		return nil, err
+	}
+
+	writeModel, err := c.getSchemaUserEmailWriteModelByID(ctx, user.ResourceOwner, user.ID)
+	if err != nil {
+		return nil, err
+	}
+
+	events, plainCode, err := writeModel.NewEmailUpdate(ctx,
+		user.Email,
+		func(ctx context.Context) (*EncryptedCode, error) {
+			return c.newEmailCode(ctx, c.eventstore.Filter, c.userEncryption) //nolint:staticcheck
+		},
+	)
+	if err != nil {
+		return nil, err
+	}
+	if plainCode != "" {
+		user.ReturnCode = &plainCode
+	}
+	return c.pushAppendAndReduceDetails(ctx, writeModel, events...)
+}
+
+func (c *Commands) VerifySchemaUserEmail(ctx context.Context, resourceOwner, id, code string) (*domain.ObjectDetails, error) {
+	if id == "" {
+		return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-y3n4Sdu8j5", "Errors.IDMissing")
+	}
+	writeModel, err := c.getSchemaUserEmailWriteModelByID(ctx, resourceOwner, id)
+	if err != nil {
+		return nil, err
+	}
+
+	events, err := writeModel.NewEmailVerify(ctx,
+		func(creationDate time.Time, expiry time.Duration, cryptoCode *crypto.CryptoValue) error {
+			return crypto.VerifyCode(creationDate, expiry, cryptoCode, code, c.userEncryption)
+		},
+	)
+	if err != nil {
+		return nil, err
+	}
+	return c.pushAppendAndReduceDetails(ctx, writeModel, events...)
+}
+
+type ResendSchemaUserEmailCode struct {
+	ResourceOwner string
+	ID            string
+
+	URLTemplate string
+	ReturnCode  bool
+	PlainCode   *string
+}
+
+func (c *Commands) ResendSchemaUserEmailCode(ctx context.Context, user *ResendSchemaUserEmailCode) (*domain.ObjectDetails, error) {
+	if user.ID == "" {
+		return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-KvPc5o9GeJ", "Errors.IDMissing")
+	}
+	writeModel, err := c.getSchemaUserEmailWriteModelByID(ctx, user.ResourceOwner, user.ID)
+	if err != nil {
+		return nil, err
+	}
+
+	events, plainCode, err := writeModel.NewResendEmailCode(ctx,
+		func(ctx context.Context) (*EncryptedCode, error) {
+			return c.newEmailCode(ctx, c.eventstore.Filter, c.userEncryption) //nolint:staticcheck
+		},
+		user.URLTemplate,
+		user.ReturnCode,
+	)
+	if err != nil {
+		return nil, err
+	}
+	if plainCode != "" {
+		user.PlainCode = &plainCode
+	}
+	return c.pushAppendAndReduceDetails(ctx, writeModel, events...)
+}
diff --git a/internal/command/user_v3_email_test.go b/internal/command/user_v3_email_test.go
new file mode 100644
index 0000000000..5516b32f19
--- /dev/null
+++ b/internal/command/user_v3_email_test.go
@@ -0,0 +1,1076 @@
+package command
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"go.uber.org/mock/gomock"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/repository/user/schema"
+	"github.com/zitadel/zitadel/internal/repository/user/schemauser"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+func TestCommands_ChangeSchemaUserEmail(t *testing.T) {
+	type fields struct {
+		eventstore      func(t *testing.T) *eventstore.Eventstore
+		checkPermission domain.PermissionCheck
+		newCode         encrypedCodeFunc
+	}
+	type args struct {
+		ctx  context.Context
+		user *ChangeSchemaUserEmail
+	}
+	type res struct {
+		returnCode string
+		details    *domain.ObjectDetails
+		err        func(error) bool
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			"no userID, error",
+			fields{
+				eventstore:      expectEventstore(),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx:  authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUserEmail{},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "COMMAND-0oj2PquNGA", "Errors.IDMissing"))
+				},
+			},
+		},
+		{
+			"no valid email, error",
+			fields{
+				eventstore:      expectEventstore(),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUserEmail{
+					ID:    "user1",
+					Email: &Email{Address: "noemail"},
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "EMAIL-599BI", "Errors.User.Email.Invalid"))
+				},
+			},
+		},
+		{
+			"no valid template, error",
+			fields{
+				eventstore:      expectEventstore(),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUserEmail{
+					ID:    "user1",
+					Email: &Email{Address: "noemail", URLTemplate: "{{"},
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "EMAIL-599BI", "Errors.User.Email.Invalid"))
+				},
+			},
+		},
+		{
+			"email update, user not found",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(),
+				),
+				checkPermission: newMockPermissionCheckNotAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUserEmail{
+					ID: "user1",
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowNotFound(nil, "COMMAND-nJ0TQFuRmP", "Errors.User.NotFound"))
+				},
+			},
+		},
+		{
+			"email update, no permission",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckNotAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUserEmail{
+					ID:    "user1",
+					Email: &Email{Address: "noemail@example.com"},
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"))
+				},
+			},
+		},
+		{
+			"email update, email not changed",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewEmailUpdatedEvent(
+								context.Background(),
+								&schema.NewAggregate("id1", "instanceID").Aggregate,
+								"test@example.com",
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUserEmail{
+					ID: "user1",
+					Email: &Email{
+						Address:     "test@example.com",
+						ReturnCode:  true,
+						URLTemplate: "https://example.com/email/verify?userID={{.UserID}}&code={{.Code}}&orgID={{.OrgID}}",
+					},
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			"email update, email return",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+					),
+					expectPush(
+						schemauser.NewEmailUpdatedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							"test@example.com",
+						),
+						schemauser.NewEmailCodeAddedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							&crypto.CryptoValue{
+								CryptoType: crypto.TypeEncryption,
+								Algorithm:  "enc",
+								KeyID:      "id",
+								Crypted:    []byte("emailverify"),
+							},
+							time.Hour*1,
+							"https://example.com/email/verify?userID={{.UserID}}&code={{.Code}}&orgID={{.OrgID}}",
+							true,
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+				newCode:         mockEncryptedCode("emailverify", time.Hour),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUserEmail{
+					ID: "user1",
+					Email: &Email{
+						Address:     "test@example.com",
+						ReturnCode:  true,
+						URLTemplate: "https://example.com/email/verify?userID={{.UserID}}&code={{.Code}}&orgID={{.OrgID}}",
+					},
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+				returnCode: "emailverify",
+			},
+		},
+		{
+			"user updated, email to verify",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						schemauser.NewCreatedEvent(
+							context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							"type",
+							1,
+							json.RawMessage(`{
+						"name": "user"
+					}`),
+						)),
+					expectPush(
+						schemauser.NewEmailUpdatedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							"test@example.com",
+						),
+						schemauser.NewEmailCodeAddedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							&crypto.CryptoValue{
+								CryptoType: crypto.TypeEncryption,
+								Algorithm:  "enc",
+								KeyID:      "id",
+								Crypted:    []byte("emailverify"),
+							},
+							time.Hour*1,
+							"https://example.com/email/verify?userID={{.UserID}}&code={{.Code}}&orgID={{.OrgID}}",
+							false,
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+				newCode:         mockEncryptedCode("emailverify", time.Hour),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUserEmail{
+					ID: "user1",
+					Email: &Email{
+						Address:     "test@example.com",
+						URLTemplate: "https://example.com/email/verify?userID={{.UserID}}&code={{.Code}}&orgID={{.OrgID}}",
+					},
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			"user updated, verified",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						schemauser.NewCreatedEvent(
+							context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							"type",
+							1,
+							json.RawMessage(`{
+						"name": "user"
+					}`),
+						),
+					),
+					expectPush(
+						schemauser.NewEmailUpdatedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							"test@example.com",
+						),
+						schemauser.NewEmailVerifiedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUserEmail{
+					ID:    "user1",
+					Email: &Email{Address: "test@example.com", Verified: true},
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Commands{
+				eventstore:       tt.fields.eventstore(t),
+				checkPermission:  tt.fields.checkPermission,
+				newEncryptedCode: tt.fields.newCode,
+				userEncryption:   crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+			}
+			details, err := c.ChangeSchemaUserEmail(tt.args.ctx, tt.args.user)
+			if tt.res.err == nil {
+				assert.NoError(t, err)
+			}
+			if tt.res.err != nil && !tt.res.err(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+			if tt.res.err == nil {
+				assertObjectDetails(t, tt.res.details, details)
+				if tt.res.returnCode != "" {
+					assert.NotNil(t, tt.args.user.ReturnCode)
+					assert.Equal(t, tt.res.returnCode, *tt.args.user.ReturnCode)
+				}
+			}
+		})
+	}
+}
+
+func TestCommands_VerifySchemaUserEmail(t *testing.T) {
+	type fields struct {
+		eventstore      func(t *testing.T) *eventstore.Eventstore
+		checkPermission domain.PermissionCheck
+	}
+	type args struct {
+		ctx           context.Context
+		resourceOwner string
+		id            string
+		code          string
+	}
+	type res struct {
+		details *domain.ObjectDetails
+		err     func(error) bool
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			"no userID, error",
+			fields{
+				eventstore: expectEventstore(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				id:  "",
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "COMMAND-y3n4Sdu8j5", "Errors.IDMissing"))
+				},
+			},
+		},
+		{
+			"email verify, user not found",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(),
+				),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				id:  "user1",
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowNotFound(nil, "COMMAND-qbGyMPvjvj", "Errors.User.NotFound"))
+				},
+			},
+		},
+		{
+			"email verify, no code",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				id:  "user1",
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			"email verify, already verified",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewEmailUpdatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"test@example.com",
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewEmailCodeAddedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								&crypto.CryptoValue{
+									CryptoType: crypto.TypeEncryption,
+									Algorithm:  "enc",
+									KeyID:      "id",
+									Crypted:    []byte("emailverify"),
+								},
+								time.Hour*1,
+								"https://example.com/email/verify?userID={{.UserID}}&code={{.Code}}&orgID={{.OrgID}}",
+								false,
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewEmailVerifiedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				id:  "user1",
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			"email update, no permission",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewEmailUpdatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"test@example.com",
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewEmailCodeAddedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								&crypto.CryptoValue{
+									CryptoType: crypto.TypeEncryption,
+									Algorithm:  "enc",
+									KeyID:      "id",
+									Crypted:    []byte("emailverify"),
+								},
+								time.Hour*1,
+								"https://example.com/email/verify?userID={{.UserID}}&code={{.Code}}&orgID={{.OrgID}}",
+								false,
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckNotAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				id:  "user1",
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"))
+				},
+			},
+		},
+		{
+			"email verify, wrong code",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewEmailUpdatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"test@example.com",
+							),
+						),
+						eventFromEventPusherWithCreationDateNow(
+							schemauser.NewEmailCodeAddedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								&crypto.CryptoValue{
+									CryptoType: crypto.TypeEncryption,
+									Algorithm:  "enc",
+									KeyID:      "id",
+									Crypted:    []byte("emailverify"),
+								},
+								time.Hour*1,
+								"https://example.com/email/verify?userID={{.UserID}}&code={{.Code}}&orgID={{.OrgID}}",
+								false,
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				id:  "user1",
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "CODE-woT0xc", "Errors.User.Code.Invalid"))
+				},
+			},
+		},
+		{
+			"email verify, ok",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewEmailUpdatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"test@example.com",
+							),
+						),
+						eventFromEventPusherWithCreationDateNow(
+							schemauser.NewEmailCodeAddedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								&crypto.CryptoValue{
+									CryptoType: crypto.TypeEncryption,
+									Algorithm:  "enc",
+									KeyID:      "id",
+									Crypted:    []byte("emailverify"),
+								},
+								time.Hour*1,
+								"https://example.com/email/verify?userID={{.UserID}}&code={{.Code}}&orgID={{.OrgID}}",
+								false,
+							),
+						),
+					),
+					expectPush(
+						eventFromEventPusher(
+							schemauser.NewEmailVerifiedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx:  authz.NewMockContext("instanceID", "", ""),
+				id:   "user1",
+				code: "emailverify",
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Commands{
+				eventstore:      tt.fields.eventstore(t),
+				checkPermission: tt.fields.checkPermission,
+				userEncryption:  crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+			}
+			details, err := c.VerifySchemaUserEmail(tt.args.ctx, tt.args.resourceOwner, tt.args.id, tt.args.code)
+			if tt.res.err == nil {
+				assert.NoError(t, err)
+			}
+			if tt.res.err != nil && !tt.res.err(err) {
+				t.Errorf("got wrong err: %v ", err)
+				return
+			}
+			if tt.res.err == nil {
+				assertObjectDetails(t, tt.res.details, details)
+			}
+		})
+	}
+}
+
+func TestCommands_ResendSchemaUserEmailCode(t *testing.T) {
+	type fields struct {
+		eventstore      func(t *testing.T) *eventstore.Eventstore
+		checkPermission domain.PermissionCheck
+		newCode         encrypedCodeFunc
+	}
+	type args struct {
+		ctx  context.Context
+		user *ResendSchemaUserEmailCode
+	}
+	type res struct {
+		returnCode string
+		details    *domain.ObjectDetails
+		err        func(error) bool
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			"no userID, error",
+			fields{
+				eventstore: expectEventstore(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ResendSchemaUserEmailCode{
+					ID: "",
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "COMMAND-KvPc5o9GeJ", "Errors.IDMissing"))
+				},
+			},
+		},
+		{
+			"email code resend, user not found",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(),
+				),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ResendSchemaUserEmailCode{
+					ID: "user1",
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowNotFound(nil, "COMMAND-EajeF6ypOV", "Errors.User.NotFound"))
+				},
+			},
+		},
+		{
+			"email code resend, no code",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ResendSchemaUserEmailCode{
+					ID: "user1",
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowPreconditionFailed(nil, "COMMAND-QRkNTBwF8q", "Errors.User.Code.Empty"))
+				},
+			},
+		},
+		{
+			"email code resend, already verified",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewEmailUpdatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"test@example.com",
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewEmailCodeAddedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								&crypto.CryptoValue{
+									CryptoType: crypto.TypeEncryption,
+									Algorithm:  "enc",
+									KeyID:      "id",
+									Crypted:    []byte("emailverify"),
+								},
+								time.Hour*1,
+								"https://example.com/email/verify?userID={{.UserID}}&code={{.Code}}&orgID={{.OrgID}}",
+								false,
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewEmailVerifiedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ResendSchemaUserEmailCode{
+					ID: "user1",
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowPreconditionFailed(nil, "COMMAND-QRkNTBwF8q", "Errors.User.Code.Empty"))
+				},
+			},
+		},
+		{
+			"email code resend, no permission",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewEmailUpdatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"test@example.com",
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewEmailCodeAddedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								&crypto.CryptoValue{
+									CryptoType: crypto.TypeEncryption,
+									Algorithm:  "enc",
+									KeyID:      "id",
+									Crypted:    []byte("emailverify"),
+								},
+								time.Hour*1,
+								"https://example.com/email/verify?userID={{.UserID}}&code={{.Code}}&orgID={{.OrgID}}",
+								false,
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckNotAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ResendSchemaUserEmailCode{
+					ID: "user1",
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"))
+				},
+			},
+		},
+		{
+			"email code resend, ok",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewEmailUpdatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"test@example.com",
+							),
+						),
+						eventFromEventPusherWithCreationDateNow(
+							schemauser.NewEmailCodeAddedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								&crypto.CryptoValue{
+									CryptoType: crypto.TypeEncryption,
+									Algorithm:  "enc",
+									KeyID:      "id",
+									Crypted:    []byte("emailverify"),
+								},
+								time.Hour*1,
+								"https://example.com/email/verify?userID={{.UserID}}&code={{.Code}}&orgID={{.OrgID}}",
+								false,
+							),
+						),
+					),
+					expectPush(
+						eventFromEventPusher(
+							schemauser.NewEmailCodeAddedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								&crypto.CryptoValue{
+									CryptoType: crypto.TypeEncryption,
+									Algorithm:  "enc",
+									KeyID:      "id",
+									Crypted:    []byte("emailverify2"),
+								},
+								time.Hour*1,
+								"https://example.com/email/verify?userID={{.UserID}}&code={{.Code}}&orgID={{.OrgID}}",
+								false,
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+				newCode:         mockEncryptedCode("emailverify2", time.Hour),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ResendSchemaUserEmailCode{
+					ID:          "user1",
+					URLTemplate: "https://example.com/email/verify?userID={{.UserID}}&code={{.Code}}&orgID={{.OrgID}}",
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			"email code resend, return, ok",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewEmailUpdatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"test@example.com",
+							),
+						),
+						eventFromEventPusherWithCreationDateNow(
+							schemauser.NewEmailCodeAddedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								&crypto.CryptoValue{
+									CryptoType: crypto.TypeEncryption,
+									Algorithm:  "enc",
+									KeyID:      "id",
+									Crypted:    []byte("emailverify"),
+								},
+								time.Hour*1,
+								"https://example.com/email/verify?userID={{.UserID}}&code={{.Code}}&orgID={{.OrgID}}",
+								false,
+							),
+						),
+					),
+					expectPush(
+						eventFromEventPusher(
+							schemauser.NewEmailCodeAddedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								&crypto.CryptoValue{
+									CryptoType: crypto.TypeEncryption,
+									Algorithm:  "enc",
+									KeyID:      "id",
+									Crypted:    []byte("emailverify2"),
+								},
+								time.Hour*1,
+								"https://example.com/email/verify?userID={{.UserID}}&code={{.Code}}&orgID={{.OrgID}}",
+								true,
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+				newCode:         mockEncryptedCode("emailverify2", time.Hour),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ResendSchemaUserEmailCode{
+					ID:          "user1",
+					URLTemplate: "https://example.com/email/verify?userID={{.UserID}}&code={{.Code}}&orgID={{.OrgID}}",
+					ReturnCode:  true,
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+				returnCode: "emailverify2",
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Commands{
+				eventstore:       tt.fields.eventstore(t),
+				checkPermission:  tt.fields.checkPermission,
+				newEncryptedCode: tt.fields.newCode,
+				userEncryption:   crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+			}
+			details, err := c.ResendSchemaUserEmailCode(tt.args.ctx, tt.args.user)
+			if tt.res.err == nil {
+				assert.NoError(t, err)
+			}
+			if tt.res.err != nil && !tt.res.err(err) {
+				t.Errorf("got wrong err: %v ", err)
+				return
+			}
+			if tt.res.err == nil {
+				assertObjectDetails(t, tt.res.details, details)
+				if tt.res.returnCode != "" {
+					assert.NotNil(t, tt.args.user.PlainCode)
+					assert.Equal(t, tt.res.returnCode, *tt.args.user.PlainCode)
+				}
+			}
+		})
+	}
+}
diff --git a/internal/command/user_v3_model.go b/internal/command/user_v3_model.go
index 6231558178..574ed6cd63 100644
--- a/internal/command/user_v3_model.go
+++ b/internal/command/user_v3_model.go
@@ -4,10 +4,15 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"time"
 
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
+	domain_schema "github.com/zitadel/zitadel/internal/domain/schema"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/repository/user/schemauser"
+	"github.com/zitadel/zitadel/internal/zerrors"
 )
 
 type UserV3WriteModel struct {
@@ -23,37 +28,77 @@ type UserV3WriteModel struct {
 	Email                    string
 	IsEmailVerified          bool
 	EmailVerifiedFailedCount int
+	EmailCode                *VerifyCode
+
 	Phone                    string
 	IsPhoneVerified          bool
 	PhoneVerifiedFailedCount int
+	PhoneCode                *VerifyCode
 
 	Data json.RawMessage
 
 	Locked bool
 	State  domain.UserState
+
+	checkPermission      domain.PermissionCheck
+	writePermissionCheck bool
 }
 
-func NewExistsUserV3WriteModel(resourceOwner, userID string) *UserV3WriteModel {
+func (wm *UserV3WriteModel) GetWriteModel() *eventstore.WriteModel {
+	return &wm.WriteModel
+}
+
+type VerifyCode struct {
+	Code         *crypto.CryptoValue
+	CreationDate time.Time
+	Expiry       time.Duration
+}
+
+func NewExistsUserV3WriteModel(resourceOwner, userID string, checkPermission domain.PermissionCheck) *UserV3WriteModel {
 	return &UserV3WriteModel{
 		WriteModel: eventstore.WriteModel{
 			AggregateID:   userID,
 			ResourceOwner: resourceOwner,
 		},
-		PhoneWM: false,
-		EmailWM: false,
-		DataWM:  false,
+		PhoneWM:         false,
+		EmailWM:         false,
+		DataWM:          false,
+		checkPermission: checkPermission,
 	}
 }
 
-func NewUserV3WriteModel(resourceOwner, userID string) *UserV3WriteModel {
+func NewUserV3WriteModel(resourceOwner, userID string, checkPermission domain.PermissionCheck) *UserV3WriteModel {
 	return &UserV3WriteModel{
 		WriteModel: eventstore.WriteModel{
 			AggregateID:   userID,
 			ResourceOwner: resourceOwner,
 		},
-		PhoneWM: true,
-		EmailWM: true,
-		DataWM:  true,
+		PhoneWM:         true,
+		EmailWM:         true,
+		DataWM:          true,
+		checkPermission: checkPermission,
+	}
+}
+
+func NewUserV3EmailWriteModel(resourceOwner, userID string, checkPermission domain.PermissionCheck) *UserV3WriteModel {
+	return &UserV3WriteModel{
+		WriteModel: eventstore.WriteModel{
+			AggregateID:   userID,
+			ResourceOwner: resourceOwner,
+		},
+		EmailWM:         true,
+		checkPermission: checkPermission,
+	}
+}
+
+func NewUserV3PhoneWriteModel(resourceOwner, userID string, checkPermission domain.PermissionCheck) *UserV3WriteModel {
+	return &UserV3WriteModel{
+		WriteModel: eventstore.WriteModel{
+			AggregateID:   userID,
+			ResourceOwner: resourceOwner,
+		},
+		PhoneWM:         true,
+		checkPermission: checkPermission,
 	}
 }
 
@@ -83,24 +128,38 @@ func (wm *UserV3WriteModel) Reduce() error {
 			wm.Email = string(e.EmailAddress)
 			wm.IsEmailVerified = false
 			wm.EmailVerifiedFailedCount = 0
+			wm.EmailCode = nil
 		case *schemauser.EmailCodeAddedEvent:
 			wm.IsEmailVerified = false
 			wm.EmailVerifiedFailedCount = 0
+			wm.EmailCode = &VerifyCode{
+				Code:         e.Code,
+				CreationDate: e.CreationDate(),
+				Expiry:       e.Expiry,
+			}
 		case *schemauser.EmailVerifiedEvent:
 			wm.IsEmailVerified = true
 			wm.EmailVerifiedFailedCount = 0
+			wm.EmailCode = nil
 		case *schemauser.EmailVerificationFailedEvent:
 			wm.EmailVerifiedFailedCount += 1
 		case *schemauser.PhoneUpdatedEvent:
 			wm.Phone = string(e.PhoneNumber)
 			wm.IsPhoneVerified = false
 			wm.PhoneVerifiedFailedCount = 0
+			wm.EmailCode = nil
 		case *schemauser.PhoneCodeAddedEvent:
 			wm.IsPhoneVerified = false
 			wm.PhoneVerifiedFailedCount = 0
+			wm.PhoneCode = &VerifyCode{
+				Code:         e.Code,
+				CreationDate: e.CreationDate(),
+				Expiry:       e.Expiry,
+			}
 		case *schemauser.PhoneVerifiedEvent:
 			wm.PhoneVerifiedFailedCount = 0
 			wm.IsPhoneVerified = true
+			wm.PhoneCode = nil
 		case *schemauser.PhoneVerificationFailedEvent:
 			wm.PhoneVerifiedFailedCount += 1
 		case *schemauser.LockedEvent:
@@ -156,13 +215,159 @@ func (wm *UserV3WriteModel) Query() *eventstore.SearchQueryBuilder {
 		EventTypes(eventtypes...).Builder()
 }
 
-func (wm *UserV3WriteModel) NewUpdatedEvent(
+func (wm *UserV3WriteModel) NewCreated(
 	ctx context.Context,
-	agg *eventstore.Aggregate,
 	schemaID string,
 	schemaRevision uint64,
 	data json.RawMessage,
-) *schemauser.UpdatedEvent {
+	email *Email,
+	phone *Phone,
+	code func(context.Context) (*EncryptedCode, error),
+) (_ []eventstore.Command, codeEmail string, codePhone string, err error) {
+	if err := wm.checkPermissionWrite(ctx, wm.ResourceOwner, wm.AggregateID); err != nil {
+		return nil, "", "", err
+	}
+	if wm.Exists() {
+		return nil, "", "", zerrors.ThrowPreconditionFailed(nil, "COMMAND-Nn8CRVlkeZ", "Errors.User.AlreadyExists")
+	}
+	events := []eventstore.Command{
+		schemauser.NewCreatedEvent(ctx,
+			UserV3AggregateFromWriteModel(&wm.WriteModel),
+			schemaID, schemaRevision, data,
+		),
+	}
+	if email != nil {
+		emailEvents, plainCodeEmail, err := wm.NewEmailCreate(ctx,
+			email,
+			code,
+		)
+		if err != nil {
+			return nil, "", "", err
+		}
+		if plainCodeEmail != "" {
+			codeEmail = plainCodeEmail
+		}
+		events = append(events, emailEvents...)
+	}
+
+	if phone != nil {
+		phoneEvents, plainCodePhone, err := wm.NewPhoneCreate(ctx,
+			phone,
+			code,
+		)
+		if err != nil {
+			return nil, "", "", err
+		}
+		if plainCodePhone != "" {
+			codePhone = plainCodePhone
+		}
+		events = append(events, phoneEvents...)
+	}
+
+	return events, codeEmail, codePhone, nil
+}
+
+func (wm *UserV3WriteModel) getSchemaRoleForWrite(ctx context.Context, resourceOwner, userID string) (domain_schema.Role, error) {
+	if userID == authz.GetCtxData(ctx).UserID {
+		return domain_schema.RoleSelf, nil
+	}
+	if err := wm.checkPermission(ctx, domain.PermissionUserWrite, resourceOwner, userID); err != nil {
+		return domain_schema.RoleUnspecified, err
+	}
+	return domain_schema.RoleOwner, nil
+}
+
+func (wm *UserV3WriteModel) validateData(ctx context.Context, data []byte, schemaWM *UserSchemaWriteModel) (string, uint64, error) {
+	// get role for permission check in schema through extension
+	role, err := wm.getSchemaRoleForWrite(ctx, wm.ResourceOwner, wm.AggregateID)
+	if err != nil {
+		return "", 0, err
+	}
+
+	schema, err := domain_schema.NewSchema(role, bytes.NewReader(schemaWM.Schema))
+	if err != nil {
+		return "", 0, err
+	}
+
+	// if data not changed but a new schema or revision should be used
+	if data == nil {
+		data = wm.Data
+	}
+	var v interface{}
+	if err := json.Unmarshal(data, &v); err != nil {
+		return "", 0, zerrors.ThrowInvalidArgument(nil, "COMMAND-7o3ZGxtXUz", "Errors.User.Invalid")
+	}
+
+	if err := schema.Validate(v); err != nil {
+		return "", 0, zerrors.ThrowPreconditionFailed(nil, "COMMAND-SlKXqLSeL6", "Errors.UserSchema.Data.Invalid")
+	}
+	return schemaWM.AggregateID, schemaWM.SchemaRevision, nil
+}
+
+func (wm *UserV3WriteModel) NewUpdate(
+	ctx context.Context,
+	schemaWM *UserSchemaWriteModel,
+	user *SchemaUser,
+	email *Email,
+	phone *Phone,
+	code func(context.Context) (*EncryptedCode, error),
+) (_ []eventstore.Command, codeEmail string, codePhone string, err error) {
+	if err := wm.checkPermissionWrite(ctx, wm.ResourceOwner, wm.AggregateID); err != nil {
+		return nil, "", "", err
+	}
+	if !wm.Exists() {
+		return nil, "", "", zerrors.ThrowPreconditionFailed(nil, "COMMAND-Nn8CRVlkeZ", "Errors.User.NotFound")
+	}
+	events := make([]eventstore.Command, 0)
+	if user != nil {
+		schemaID, schemaRevision, err := wm.validateData(ctx, user.Data, schemaWM)
+		if err != nil {
+			return nil, "", "", err
+		}
+		userEvents := wm.newUpdatedEvents(ctx,
+			schemaID,
+			schemaRevision,
+			user.Data,
+		)
+		events = append(events, userEvents...)
+	}
+	if email != nil {
+		emailEvents, plainCodeEmail, err := wm.NewEmailUpdate(ctx,
+			email,
+			code,
+		)
+		if err != nil {
+			return nil, "", "", err
+		}
+		if plainCodeEmail != "" {
+			codeEmail = plainCodeEmail
+		}
+		events = append(events, emailEvents...)
+	}
+
+	if phone != nil {
+		phoneEvents, plainCodePhone, err := wm.NewPhoneCreate(ctx,
+			phone,
+			code,
+		)
+		if err != nil {
+			return nil, "", "", err
+		}
+		if plainCodePhone != "" {
+			codePhone = plainCodePhone
+		}
+		events = append(events, phoneEvents...)
+	}
+
+	return events, codeEmail, codePhone, nil
+}
+
+func (wm *UserV3WriteModel) newUpdatedEvents(
+	ctx context.Context,
+	schemaID string,
+	schemaRevision uint64,
+	data json.RawMessage,
+) []eventstore.Command {
 	changes := make([]schemauser.Changes, 0)
 	if wm.SchemaID != schemaID {
 		changes = append(changes, schemauser.ChangeSchemaID(schemaID))
@@ -176,7 +381,20 @@ func (wm *UserV3WriteModel) NewUpdatedEvent(
 	if len(changes) == 0 {
 		return nil
 	}
-	return schemauser.NewUpdatedEvent(ctx, agg, changes)
+	return []eventstore.Command{schemauser.NewUpdatedEvent(ctx, UserV3AggregateFromWriteModel(&wm.WriteModel), changes)}
+}
+
+func (wm *UserV3WriteModel) NewDelete(
+	ctx context.Context,
+) (_ []eventstore.Command, err error) {
+	if !wm.Exists() {
+		return nil, zerrors.ThrowNotFound(nil, "COMMAND-syHyCsGmvM", "Errors.User.NotFound")
+	}
+	if err := wm.checkPermissionDelete(ctx, wm.ResourceOwner, wm.AggregateID); err != nil {
+		return nil, err
+	}
+	return []eventstore.Command{schemauser.NewDeletedEvent(ctx, UserV3AggregateFromWriteModel(&wm.WriteModel))}, nil
+
 }
 
 func UserV3AggregateFromWriteModel(wm *eventstore.WriteModel) *eventstore.Aggregate {
@@ -192,3 +410,271 @@ func UserV3AggregateFromWriteModel(wm *eventstore.WriteModel) *eventstore.Aggreg
 func (wm *UserV3WriteModel) Exists() bool {
 	return wm.State != domain.UserStateDeleted && wm.State != domain.UserStateUnspecified
 }
+
+func (wm *UserV3WriteModel) checkPermissionWrite(
+	ctx context.Context,
+	resourceOwner string,
+	userID string,
+) error {
+	if wm.writePermissionCheck {
+		return nil
+	}
+	if userID != "" && userID == authz.GetCtxData(ctx).UserID {
+		return nil
+	}
+	if err := wm.checkPermission(ctx, domain.PermissionUserWrite, resourceOwner, userID); err != nil {
+		return err
+	}
+	wm.writePermissionCheck = true
+	return nil
+}
+
+func (wm *UserV3WriteModel) checkPermissionDelete(
+	ctx context.Context,
+	resourceOwner string,
+	userID string,
+) error {
+	if userID != "" && userID == authz.GetCtxData(ctx).UserID {
+		return nil
+	}
+	return wm.checkPermission(ctx, domain.PermissionUserDelete, resourceOwner, userID)
+}
+
+func (wm *UserV3WriteModel) NewEmailCreate(
+	ctx context.Context,
+	email *Email,
+	code func(context.Context) (*EncryptedCode, error),
+) (_ []eventstore.Command, plainCode string, err error) {
+	if err := wm.checkPermissionWrite(ctx, wm.ResourceOwner, wm.AggregateID); err != nil {
+		return nil, "", err
+	}
+	if email == nil || wm.Email == string(email.Address) {
+		return nil, "", nil
+	}
+	events := []eventstore.Command{
+		schemauser.NewEmailUpdatedEvent(ctx,
+			UserV3AggregateFromWriteModel(&wm.WriteModel),
+			email.Address,
+		),
+	}
+	if email.Verified {
+		events = append(events, wm.newEmailVerifiedEvent(ctx))
+	} else {
+		codeEvent, code, err := wm.newEmailCodeAddedEvent(ctx, code, email.URLTemplate, email.ReturnCode)
+		if err != nil {
+			return nil, "", err
+		}
+		events = append(events, codeEvent)
+		if code != "" {
+			plainCode = code
+		}
+	}
+	return events, plainCode, nil
+}
+
+func (wm *UserV3WriteModel) NewEmailUpdate(
+	ctx context.Context,
+	email *Email,
+	code func(context.Context) (*EncryptedCode, error),
+) (_ []eventstore.Command, plainCode string, err error) {
+	if !wm.EmailWM {
+		return nil, "", nil
+	}
+	if !wm.Exists() {
+		return nil, "", zerrors.ThrowNotFound(nil, "COMMAND-nJ0TQFuRmP", "Errors.User.NotFound")
+	}
+	return wm.NewEmailCreate(ctx, email, code)
+}
+
+func (wm *UserV3WriteModel) NewEmailVerify(
+	ctx context.Context,
+	verify func(creationDate time.Time, expiry time.Duration, cryptoCode *crypto.CryptoValue) error,
+) ([]eventstore.Command, error) {
+	if !wm.EmailWM {
+		return nil, nil
+	}
+	if !wm.Exists() {
+		return nil, zerrors.ThrowNotFound(nil, "COMMAND-qbGyMPvjvj", "Errors.User.NotFound")
+	}
+	if err := wm.checkPermissionWrite(ctx, wm.ResourceOwner, wm.AggregateID); err != nil {
+		return nil, err
+	}
+	if wm.EmailCode == nil {
+		return nil, nil
+	}
+	if err := verify(wm.EmailCode.CreationDate, wm.EmailCode.Expiry, wm.EmailCode.Code); err != nil {
+		return nil, err
+	}
+	return []eventstore.Command{wm.newEmailVerifiedEvent(ctx)}, nil
+}
+
+func (wm *UserV3WriteModel) newEmailVerifiedEvent(
+	ctx context.Context,
+) *schemauser.EmailVerifiedEvent {
+	return schemauser.NewEmailVerifiedEvent(ctx, UserV3AggregateFromWriteModel(&wm.WriteModel))
+}
+
+func (wm *UserV3WriteModel) NewResendEmailCode(
+	ctx context.Context,
+	code func(context.Context) (*EncryptedCode, error),
+	urlTemplate string,
+	isReturnCode bool,
+) (_ []eventstore.Command, plainCode string, err error) {
+	if !wm.EmailWM {
+		return nil, "", nil
+	}
+	if !wm.Exists() {
+		return nil, "", zerrors.ThrowNotFound(nil, "COMMAND-EajeF6ypOV", "Errors.User.NotFound")
+	}
+	if err := wm.checkPermissionWrite(ctx, wm.ResourceOwner, wm.AggregateID); err != nil {
+		return nil, "", err
+	}
+	if wm.EmailCode == nil {
+		return nil, "", zerrors.ThrowPreconditionFailed(err, "COMMAND-QRkNTBwF8q", "Errors.User.Code.Empty")
+	}
+	event, plainCode, err := wm.newEmailCodeAddedEvent(ctx, code, urlTemplate, isReturnCode)
+	if err != nil {
+		return nil, "", err
+	}
+	return []eventstore.Command{event}, plainCode, nil
+}
+
+func (wm *UserV3WriteModel) newEmailCodeAddedEvent(
+	ctx context.Context,
+	code func(context.Context) (*EncryptedCode, error),
+	urlTemplate string,
+	isReturnCode bool,
+) (_ *schemauser.EmailCodeAddedEvent, plainCode string, err error) {
+	cryptoCode, err := code(ctx)
+	if err != nil {
+		return nil, "", err
+	}
+	if isReturnCode {
+		plainCode = cryptoCode.Plain
+	}
+	return schemauser.NewEmailCodeAddedEvent(ctx,
+		UserV3AggregateFromWriteModel(&wm.WriteModel),
+		cryptoCode.Crypted,
+		cryptoCode.Expiry,
+		urlTemplate,
+		isReturnCode,
+	), plainCode, nil
+}
+
+func (wm *UserV3WriteModel) NewPhoneCreate(
+	ctx context.Context,
+	phone *Phone,
+	code func(context.Context) (*EncryptedCode, error),
+) (_ []eventstore.Command, plainCode string, err error) {
+	if err := wm.checkPermissionWrite(ctx, wm.ResourceOwner, wm.AggregateID); err != nil {
+		return nil, "", err
+	}
+	if phone == nil || wm.Phone == string(phone.Number) {
+		return nil, "", nil
+	}
+	events := []eventstore.Command{
+		schemauser.NewPhoneUpdatedEvent(ctx,
+			UserV3AggregateFromWriteModel(&wm.WriteModel),
+			phone.Number,
+		),
+	}
+	if phone.Verified {
+		events = append(events, wm.newPhoneVerifiedEvent(ctx))
+	} else {
+		codeEvent, code, err := wm.newPhoneCodeAddedEvent(ctx, code, phone.ReturnCode)
+		if err != nil {
+			return nil, "", err
+		}
+		events = append(events, codeEvent)
+		if code != "" {
+			plainCode = code
+		}
+	}
+	return events, plainCode, nil
+}
+
+func (wm *UserV3WriteModel) NewPhoneUpdate(
+	ctx context.Context,
+	phone *Phone,
+	code func(context.Context) (*EncryptedCode, error),
+) (_ []eventstore.Command, plainCode string, err error) {
+	if !wm.PhoneWM {
+		return nil, "", nil
+	}
+	if !wm.Exists() {
+		return nil, "", zerrors.ThrowNotFound(nil, "COMMAND-b33QAVgel6", "Errors.User.NotFound")
+	}
+	return wm.NewPhoneCreate(ctx, phone, code)
+}
+
+func (wm *UserV3WriteModel) NewPhoneVerify(
+	ctx context.Context,
+	verify func(creationDate time.Time, expiry time.Duration, cryptoCode *crypto.CryptoValue) error,
+) ([]eventstore.Command, error) {
+	if !wm.PhoneWM {
+		return nil, nil
+	}
+	if !wm.Exists() {
+		return nil, zerrors.ThrowNotFound(nil, "COMMAND-bx2OLtgGNS", "Errors.User.NotFound")
+	}
+	if err := wm.checkPermissionWrite(ctx, wm.ResourceOwner, wm.AggregateID); err != nil {
+		return nil, err
+	}
+	if wm.PhoneCode == nil {
+		return nil, nil
+	}
+	if err := verify(wm.PhoneCode.CreationDate, wm.PhoneCode.Expiry, wm.PhoneCode.Code); err != nil {
+		return nil, err
+	}
+	return []eventstore.Command{wm.newPhoneVerifiedEvent(ctx)}, nil
+}
+
+func (wm *UserV3WriteModel) newPhoneVerifiedEvent(
+	ctx context.Context,
+) *schemauser.PhoneVerifiedEvent {
+	return schemauser.NewPhoneVerifiedEvent(ctx, UserV3AggregateFromWriteModel(&wm.WriteModel))
+}
+
+func (wm *UserV3WriteModel) NewResendPhoneCode(
+	ctx context.Context,
+	code func(context.Context) (*EncryptedCode, error),
+	isReturnCode bool,
+) (_ []eventstore.Command, plainCode string, err error) {
+	if !wm.PhoneWM {
+		return nil, "", nil
+	}
+	if !wm.Exists() {
+		return nil, "", zerrors.ThrowNotFound(nil, "COMMAND-z8Bu9vuL9s", "Errors.User.NotFound")
+	}
+	if err := wm.checkPermissionWrite(ctx, wm.ResourceOwner, wm.AggregateID); err != nil {
+		return nil, "", err
+	}
+	if wm.PhoneCode == nil {
+		return nil, "", zerrors.ThrowPreconditionFailed(err, "COMMAND-fEsHdqECzb", "Errors.User.Code.Empty")
+	}
+	event, plainCode, err := wm.newPhoneCodeAddedEvent(ctx, code, isReturnCode)
+	if err != nil {
+		return nil, "", err
+	}
+	return []eventstore.Command{event}, plainCode, nil
+}
+
+func (wm *UserV3WriteModel) newPhoneCodeAddedEvent(
+	ctx context.Context,
+	code func(context.Context) (*EncryptedCode, error),
+	isReturnCode bool,
+) (_ *schemauser.PhoneCodeAddedEvent, plainCode string, err error) {
+	cryptoCode, err := code(ctx)
+	if err != nil {
+		return nil, "", err
+	}
+	if isReturnCode {
+		plainCode = cryptoCode.Plain
+	}
+	return schemauser.NewPhoneCodeAddedEvent(ctx,
+		UserV3AggregateFromWriteModel(&wm.WriteModel),
+		cryptoCode.Crypted,
+		cryptoCode.Expiry,
+		isReturnCode,
+	), plainCode, nil
+}
diff --git a/internal/command/user_v3_phone.go b/internal/command/user_v3_phone.go
new file mode 100644
index 0000000000..65ca36a0ee
--- /dev/null
+++ b/internal/command/user_v3_phone.go
@@ -0,0 +1,107 @@
+package command
+
+import (
+	"context"
+	"time"
+
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+type ChangeSchemaUserPhone struct {
+	ResourceOwner string
+	ID            string
+
+	Phone      *Phone
+	ReturnCode *string
+}
+
+func (s *ChangeSchemaUserPhone) Valid() (err error) {
+	if s.ID == "" {
+		return zerrors.ThrowInvalidArgument(nil, "COMMAND-DkQ9aurv5u", "Errors.IDMissing")
+	}
+	if s.Phone != nil && s.Phone.Number != "" {
+		if s.Phone.Number, err = s.Phone.Number.Normalize(); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (c *Commands) ChangeSchemaUserPhone(ctx context.Context, user *ChangeSchemaUserPhone) (_ *domain.ObjectDetails, err error) {
+	if err := user.Valid(); err != nil {
+		return nil, err
+	}
+
+	writeModel, err := c.getSchemaUserPhoneWriteModelByID(ctx, user.ResourceOwner, user.ID)
+	if err != nil {
+		return nil, err
+	}
+
+	events, plainCode, err := writeModel.NewPhoneUpdate(ctx,
+		user.Phone,
+		func(ctx context.Context) (*EncryptedCode, error) {
+			return c.newPhoneCode(ctx, c.eventstore.Filter, c.userEncryption) //nolint:staticcheck
+		},
+	)
+	if err != nil {
+		return nil, err
+	}
+	if plainCode != "" {
+		user.ReturnCode = &plainCode
+	}
+	return c.pushAppendAndReduceDetails(ctx, writeModel, events...)
+}
+
+func (c *Commands) VerifySchemaUserPhone(ctx context.Context, resourceOwner, id, code string) (*domain.ObjectDetails, error) {
+	if id == "" {
+		return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-R4LKY44Ke3", "Errors.IDMissing")
+	}
+	writeModel, err := c.getSchemaUserPhoneWriteModelByID(ctx, resourceOwner, id)
+	if err != nil {
+		return nil, err
+	}
+
+	events, err := writeModel.NewPhoneVerify(ctx,
+		func(creationDate time.Time, expiry time.Duration, cryptoCode *crypto.CryptoValue) error {
+			return crypto.VerifyCode(creationDate, expiry, cryptoCode, code, c.userEncryption)
+		},
+	)
+	if err != nil {
+		return nil, err
+	}
+	return c.pushAppendAndReduceDetails(ctx, writeModel, events...)
+}
+
+type ResendSchemaUserPhoneCode struct {
+	ResourceOwner string
+	ID            string
+
+	ReturnCode bool
+	PlainCode  *string
+}
+
+func (c *Commands) ResendSchemaUserPhoneCode(ctx context.Context, user *ResendSchemaUserPhoneCode) (*domain.ObjectDetails, error) {
+	if user.ID == "" {
+		return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-zmxIFR2nMo", "Errors.IDMissing")
+	}
+	writeModel, err := c.getSchemaUserPhoneWriteModelByID(ctx, user.ResourceOwner, user.ID)
+	if err != nil {
+		return nil, err
+	}
+
+	events, plainCode, err := writeModel.NewResendPhoneCode(ctx,
+		func(ctx context.Context) (*EncryptedCode, error) {
+			return c.newPhoneCode(ctx, c.eventstore.Filter, c.userEncryption) //nolint:staticcheck
+		},
+		user.ReturnCode,
+	)
+	if err != nil {
+		return nil, err
+	}
+	if plainCode != "" {
+		user.PlainCode = &plainCode
+	}
+	return c.pushAppendAndReduceDetails(ctx, writeModel, events...)
+}
diff --git a/internal/command/user_v3_phone_test.go b/internal/command/user_v3_phone_test.go
new file mode 100644
index 0000000000..8a5a1ae0b0
--- /dev/null
+++ b/internal/command/user_v3_phone_test.go
@@ -0,0 +1,1040 @@
+package command
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"go.uber.org/mock/gomock"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/repository/user/schema"
+	"github.com/zitadel/zitadel/internal/repository/user/schemauser"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+func TestCommands_ChangeSchemaUserPhone(t *testing.T) {
+	type fields struct {
+		eventstore      func(t *testing.T) *eventstore.Eventstore
+		checkPermission domain.PermissionCheck
+		newCode         encrypedCodeFunc
+	}
+	type args struct {
+		ctx  context.Context
+		user *ChangeSchemaUserPhone
+	}
+	type res struct {
+		returnCode string
+		details    *domain.ObjectDetails
+		err        func(error) bool
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			"no userID, error",
+			fields{
+				eventstore:      expectEventstore(),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx:  authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUserPhone{},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "COMMAND-DkQ9aurv5u", "Errors.IDMissing"))
+				},
+			},
+		},
+		{
+			"no valid phone, error",
+			fields{
+				eventstore:      expectEventstore(),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUserPhone{
+					ID:    "user1",
+					Phone: &Phone{Number: "nonumber"},
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "PHONE-so0wa", "Errors.User.Phone.Invalid"))
+				},
+			},
+		}, {
+			"phone update, user not found",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(),
+				),
+				checkPermission: newMockPermissionCheckNotAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUserPhone{
+					ID: "user1",
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowNotFound(nil, "COMMAND-b33QAVgel6", "Errors.User.NotFound"))
+				},
+			},
+		},
+		{
+			"phone update, no permission",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckNotAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUserPhone{
+					ID:    "user1",
+					Phone: &Phone{Number: "+41791234567"},
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"))
+				},
+			},
+		},
+		{
+			"phone update, phone not changed",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewPhoneUpdatedEvent(
+								context.Background(),
+								&schema.NewAggregate("id1", "instanceID").Aggregate,
+								"+41791234567",
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUserPhone{
+					ID: "user1",
+					Phone: &Phone{
+						Number:     "+41791234567",
+						ReturnCode: true,
+					},
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			"phone update, phone return",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+					),
+					expectPush(
+						schemauser.NewPhoneUpdatedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							"+41791234567",
+						),
+						schemauser.NewPhoneCodeAddedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							&crypto.CryptoValue{
+								CryptoType: crypto.TypeEncryption,
+								Algorithm:  "enc",
+								KeyID:      "id",
+								Crypted:    []byte("phoneverify"),
+							},
+							time.Hour*1,
+							true,
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+				newCode:         mockEncryptedCode("phoneverify", time.Hour),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUserPhone{
+					ID: "user1",
+					Phone: &Phone{
+						Number:     "+41791234567",
+						ReturnCode: true,
+					},
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+				returnCode: "phoneverify",
+			},
+		},
+		{
+			"user updated, phone to verify",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						schemauser.NewCreatedEvent(
+							context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							"type",
+							1,
+							json.RawMessage(`{
+						"name": "user"
+					}`),
+						)),
+					expectPush(
+						schemauser.NewPhoneUpdatedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							"+41791234567",
+						),
+						schemauser.NewPhoneCodeAddedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							&crypto.CryptoValue{
+								CryptoType: crypto.TypeEncryption,
+								Algorithm:  "enc",
+								KeyID:      "id",
+								Crypted:    []byte("phoneverify"),
+							}, time.Hour*1,
+							false,
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+				newCode:         mockEncryptedCode("phoneverify", time.Hour),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUserPhone{
+					ID: "user1",
+					Phone: &Phone{
+						Number: "+41791234567",
+					},
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			"user updated, verified",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						schemauser.NewCreatedEvent(
+							context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							"type",
+							1,
+							json.RawMessage(`{
+						"name": "user"
+					}`),
+						),
+					),
+					expectPush(
+						schemauser.NewPhoneUpdatedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							"+41791234567",
+						),
+						schemauser.NewPhoneVerifiedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUserPhone{
+					ID: "user1",
+					Phone: &Phone{
+						Number:   "+41791234567",
+						Verified: true,
+					},
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Commands{
+				eventstore:       tt.fields.eventstore(t),
+				checkPermission:  tt.fields.checkPermission,
+				newEncryptedCode: tt.fields.newCode,
+				userEncryption:   crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+			}
+			details, err := c.ChangeSchemaUserPhone(tt.args.ctx, tt.args.user)
+			if tt.res.err == nil {
+				assert.NoError(t, err)
+			}
+			if tt.res.err != nil && !tt.res.err(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+			if tt.res.err == nil {
+				assertObjectDetails(t, tt.res.details, details)
+			}
+
+			if tt.res.returnCode != "" {
+				assert.NotNil(t, tt.args.user.ReturnCode)
+				assert.Equal(t, tt.res.returnCode, *tt.args.user.ReturnCode)
+			}
+		})
+	}
+}
+
+func TestCommands_VerifySchemaUserPhone(t *testing.T) {
+	type fields struct {
+		eventstore      func(t *testing.T) *eventstore.Eventstore
+		checkPermission domain.PermissionCheck
+	}
+	type args struct {
+		ctx           context.Context
+		resourceOwner string
+		id            string
+		code          string
+	}
+	type res struct {
+		details *domain.ObjectDetails
+		err     func(error) bool
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			"no userID, error",
+			fields{
+				eventstore: expectEventstore(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				id:  "",
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "COMMAND-R4LKY44Ke3", "Errors.IDMissing"))
+				},
+			},
+		},
+		{
+			"phone verify, user not found",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(),
+				),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				id:  "user1",
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowNotFound(nil, "COMMAND-bx2OLtgGNS", "Errors.User.NotFound"))
+				},
+			},
+		},
+		{
+			"phone verify, no code",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				id:  "user1",
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			"phone verify, already verified",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewPhoneUpdatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"+41791234567",
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewPhoneCodeAddedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								&crypto.CryptoValue{
+									CryptoType: crypto.TypeEncryption,
+									Algorithm:  "enc",
+									KeyID:      "id",
+									Crypted:    []byte("phoneverify"),
+								},
+								time.Hour*1,
+								false,
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewPhoneVerifiedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				id:  "user1",
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			"phone update, no permission",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewPhoneUpdatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"+41791234567",
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewPhoneCodeAddedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								&crypto.CryptoValue{
+									CryptoType: crypto.TypeEncryption,
+									Algorithm:  "enc",
+									KeyID:      "id",
+									Crypted:    []byte("phoneverify"),
+								},
+								time.Hour*1,
+								false,
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckNotAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				id:  "user1",
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"))
+				},
+			},
+		},
+		{
+			"phone verify, wrong code",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewPhoneUpdatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"+41791234567",
+							),
+						),
+						eventFromEventPusherWithCreationDateNow(
+							schemauser.NewPhoneCodeAddedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								&crypto.CryptoValue{
+									CryptoType: crypto.TypeEncryption,
+									Algorithm:  "enc",
+									KeyID:      "id",
+									Crypted:    []byte("phoneverify"),
+								},
+								time.Hour*1,
+								false,
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				id:  "user1",
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "CODE-woT0xc", "Errors.User.Code.Invalid"))
+				},
+			},
+		},
+		{
+			"phone verify, ok",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewPhoneUpdatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"+41791234567",
+							),
+						),
+						eventFromEventPusherWithCreationDateNow(
+							schemauser.NewPhoneCodeAddedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								&crypto.CryptoValue{
+									CryptoType: crypto.TypeEncryption,
+									Algorithm:  "enc",
+									KeyID:      "id",
+									Crypted:    []byte("phoneverify"),
+								},
+								time.Hour*1,
+								false,
+							),
+						),
+					),
+					expectPush(
+						eventFromEventPusher(
+							schemauser.NewPhoneVerifiedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx:  authz.NewMockContext("instanceID", "", ""),
+				id:   "user1",
+				code: "phoneverify",
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Commands{
+				eventstore:      tt.fields.eventstore(t),
+				checkPermission: tt.fields.checkPermission,
+				userEncryption:  crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+			}
+			details, err := c.VerifySchemaUserPhone(tt.args.ctx, tt.args.resourceOwner, tt.args.id, tt.args.code)
+			if tt.res.err == nil {
+				assert.NoError(t, err)
+			}
+			if tt.res.err != nil && !tt.res.err(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+			if tt.res.err == nil {
+				assertObjectDetails(t, tt.res.details, details)
+			}
+		})
+	}
+}
+
+func TestCommands_ResendSchemaUserPhoneCode(t *testing.T) {
+	type fields struct {
+		eventstore      func(t *testing.T) *eventstore.Eventstore
+		checkPermission domain.PermissionCheck
+		newCode         encrypedCodeFunc
+	}
+	type args struct {
+		ctx  context.Context
+		user *ResendSchemaUserPhoneCode
+	}
+	type res struct {
+		returnCode string
+		details    *domain.ObjectDetails
+		err        func(error) bool
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			"no userID, error",
+			fields{
+				eventstore: expectEventstore(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ResendSchemaUserPhoneCode{
+					ID: "",
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "COMMAND-zmxIFR2nMo", "Errors.IDMissing"))
+				},
+			},
+		},
+		{
+			"phone code resend, user not found",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(),
+				),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ResendSchemaUserPhoneCode{
+					ID: "user1",
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowNotFound(nil, "COMMAND-z8Bu9vuL9s", "Errors.User.NotFound"))
+				},
+			},
+		},
+		{
+			"phone code resend, no code",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ResendSchemaUserPhoneCode{
+					ID: "user1",
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowPreconditionFailed(nil, "COMMAND-fEsHdqECzb", "Errors.User.Code.Empty"))
+				},
+			},
+		},
+		{
+			"phone code resend, already verified",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewPhoneUpdatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"+41791234567",
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewPhoneCodeAddedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								&crypto.CryptoValue{
+									CryptoType: crypto.TypeEncryption,
+									Algorithm:  "enc",
+									KeyID:      "id",
+									Crypted:    []byte("phoneverify"),
+								},
+								time.Hour*1,
+								false,
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewPhoneVerifiedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ResendSchemaUserPhoneCode{
+					ID: "user1",
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowPreconditionFailed(nil, "COMMAND-fEsHdqECzb", "Errors.User.Code.Empty"))
+				},
+			},
+		},
+		{
+			"phone code resend, no permission",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewPhoneUpdatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"+41791234567",
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewPhoneCodeAddedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								&crypto.CryptoValue{
+									CryptoType: crypto.TypeEncryption,
+									Algorithm:  "enc",
+									KeyID:      "id",
+									Crypted:    []byte("phoneverify"),
+								},
+								time.Hour*1,
+								false,
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckNotAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ResendSchemaUserPhoneCode{
+					ID: "user1",
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"))
+				},
+			},
+		},
+		{
+			"phone code resend, ok",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewPhoneUpdatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"+41791234567",
+							),
+						),
+						eventFromEventPusherWithCreationDateNow(
+							schemauser.NewPhoneCodeAddedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								&crypto.CryptoValue{
+									CryptoType: crypto.TypeEncryption,
+									Algorithm:  "enc",
+									KeyID:      "id",
+									Crypted:    []byte("phoneverify"),
+								},
+								time.Hour*1,
+								false,
+							),
+						),
+					),
+					expectPush(
+						eventFromEventPusher(
+							schemauser.NewPhoneCodeAddedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								&crypto.CryptoValue{
+									CryptoType: crypto.TypeEncryption,
+									Algorithm:  "enc",
+									KeyID:      "id",
+									Crypted:    []byte("phoneverify2"),
+								},
+								time.Hour*1,
+								false,
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+				newCode:         mockEncryptedCode("phoneverify2", time.Hour),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ResendSchemaUserPhoneCode{
+					ID: "user1",
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			"phone code resend, return, ok",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewPhoneUpdatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"+41791234567",
+							),
+						),
+						eventFromEventPusherWithCreationDateNow(
+							schemauser.NewPhoneCodeAddedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								&crypto.CryptoValue{
+									CryptoType: crypto.TypeEncryption,
+									Algorithm:  "enc",
+									KeyID:      "id",
+									Crypted:    []byte("phoneverify"),
+								},
+								time.Hour*1,
+								false,
+							),
+						),
+					),
+					expectPush(
+						eventFromEventPusher(
+							schemauser.NewPhoneCodeAddedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								&crypto.CryptoValue{
+									CryptoType: crypto.TypeEncryption,
+									Algorithm:  "enc",
+									KeyID:      "id",
+									Crypted:    []byte("phoneverify2"),
+								},
+								time.Hour*1,
+								true,
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+				newCode:         mockEncryptedCode("phoneverify2", time.Hour),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ResendSchemaUserPhoneCode{
+					ID:         "user1",
+					ReturnCode: true,
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+				returnCode: "phoneverify2",
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Commands{
+				eventstore:       tt.fields.eventstore(t),
+				checkPermission:  tt.fields.checkPermission,
+				newEncryptedCode: tt.fields.newCode,
+				userEncryption:   crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+			}
+			details, err := c.ResendSchemaUserPhoneCode(tt.args.ctx, tt.args.user)
+			if tt.res.err == nil {
+				assert.NoError(t, err)
+			}
+			if tt.res.err != nil && !tt.res.err(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+			if tt.res.err == nil {
+				assertObjectDetails(t, tt.res.details, details)
+				if tt.res.returnCode != "" {
+					assert.NotNil(t, tt.args.user.PlainCode)
+					assert.Equal(t, tt.res.returnCode, *tt.args.user.PlainCode)
+				}
+			}
+		})
+	}
+}
diff --git a/internal/command/user_v3_test.go b/internal/command/user_v3_test.go
index 69794b3c2e..4825626b15 100644
--- a/internal/command/user_v3_test.go
+++ b/internal/command/user_v3_test.go
@@ -7,7 +7,6 @@ import (
 	"testing"
 	"time"
 
-	"github.com/muhlemmer/gu"
 	"github.com/stretchr/testify/assert"
 	"go.uber.org/mock/gomock"
 
@@ -875,8 +874,9 @@ func TestCommands_CreateSchemaUser(t *testing.T) {
 				idGenerator:      tt.fields.idGenerator,
 				checkPermission:  tt.fields.checkPermission,
 				newEncryptedCode: tt.fields.newCode,
+				userEncryption:   crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
 			}
-			err := c.CreateSchemaUser(tt.args.ctx, tt.args.user, crypto.CreateMockEncryptionAlg(gomock.NewController(t)))
+			details, err := c.CreateSchemaUser(tt.args.ctx, tt.args.user)
 			if tt.res.err == nil {
 				assert.NoError(t, err)
 			}
@@ -884,14 +884,16 @@ func TestCommands_CreateSchemaUser(t *testing.T) {
 				t.Errorf("got wrong err: %v ", err)
 			}
 			if tt.res.err == nil {
-				assertObjectDetails(t, tt.res.details, tt.args.user.Details)
+				assertObjectDetails(t, tt.res.details, details)
 			}
 
 			if tt.res.returnCodePhone != "" {
-				assert.Equal(t, tt.res.returnCodePhone, tt.args.user.ReturnCodePhone)
+				assert.NotNil(t, tt.args.user.ReturnCodePhone)
+				assert.Equal(t, tt.res.returnCodePhone, *tt.args.user.ReturnCodePhone)
 			}
 			if tt.res.returnCodeEmail != "" {
-				assert.Equal(t, tt.res.returnCodeEmail, tt.args.user.ReturnCodeEmail)
+				assert.NotNil(t, tt.args.user.ReturnCodeEmail)
+				assert.Equal(t, tt.res.returnCodeEmail, *tt.args.user.ReturnCodeEmail)
 			}
 		})
 	}
@@ -1988,6 +1990,19 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 			"schema not existing, error",
 			fields{
 				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+					),
 					expectFilter(),
 				),
 				checkPermission: newMockPermissionCheckAllowed(),
@@ -1995,8 +2010,10 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 			args{
 				ctx: authz.NewMockContext("instanceID", "", ""),
 				user: &ChangeSchemaUser{
-					ID:       "user1",
-					SchemaID: gu.Ptr("type"),
+					ID: "user1",
+					SchemaUser: &SchemaUser{
+						SchemaID: "type",
+					},
 				},
 			},
 			res{
@@ -2060,6 +2077,25 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 							),
 						),
 					),
+					expectFilter(
+						eventFromEventPusher(
+							schema.NewCreatedEvent(
+								context.Background(),
+								&schema.NewAggregate("id1", "instanceID").Aggregate,
+								"type",
+								json.RawMessage(`{
+								"$schema": "urn:zitadel:schema:v1",
+								"type": "object",
+								"properties": {
+									"name": {
+										"type": "string"
+									}
+								}
+							}`),
+								[]domain.AuthenticatorType{domain.AuthenticatorTypeUsername},
+							),
+						),
+					),
 				),
 				checkPermission: newMockPermissionCheckNotAllowed(),
 			},
@@ -2067,9 +2103,11 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 				ctx: authz.NewMockContext("instanceID", "", ""),
 				user: &ChangeSchemaUser{
 					ID: "user1",
-					Data: json.RawMessage(`{
+					SchemaUser: &SchemaUser{
+						Data: json.RawMessage(`{
 						"name": "user"
 					}`),
+					},
 				},
 			},
 			res{
@@ -2134,9 +2172,11 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 				ctx: authz.NewMockContext("instanceID", "", ""),
 				user: &ChangeSchemaUser{
 					ID: "user1",
-					Data: json.RawMessage(`{
+					SchemaUser: &SchemaUser{
+						Data: json.RawMessage(`{
 						"name": "user2"
 					}`),
+					},
 				},
 			},
 			res{
@@ -2149,6 +2189,19 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 			"user updated, changed schema",
 			fields{
 				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+					),
 					expectFilter(
 						eventFromEventPusher(
 							schema.NewCreatedEvent(
@@ -2168,19 +2221,6 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 							),
 						),
 					),
-					expectFilter(
-						eventFromEventPusher(
-							schemauser.NewCreatedEvent(
-								context.Background(),
-								&schemauser.NewAggregate("user1", "org1").Aggregate,
-								"id1",
-								1,
-								json.RawMessage(`{
-						"name": "user1"
-					}`),
-							),
-						),
-					),
 					expectPush(
 						schemauser.NewUpdatedEvent(
 							context.Background(),
@@ -2196,8 +2236,10 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 			args{
 				ctx: authz.NewMockContext("instanceID", "", ""),
 				user: &ChangeSchemaUser{
-					ID:       "user1",
-					SchemaID: gu.Ptr("id2"),
+					ID: "user1",
+					SchemaUser: &SchemaUser{
+						SchemaID: "id2",
+					},
 				},
 			},
 			res{
@@ -2210,6 +2252,19 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 			"user updated, new schema",
 			fields{
 				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+					),
 					expectFilter(
 						eventFromEventPusher(
 							schema.NewCreatedEvent(
@@ -2229,19 +2284,6 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 							),
 						),
 					),
-					expectFilter(
-						eventFromEventPusher(
-							schemauser.NewCreatedEvent(
-								context.Background(),
-								&schemauser.NewAggregate("user1", "org1").Aggregate,
-								"id1",
-								1,
-								json.RawMessage(`{
-						"name": "user1"
-					}`),
-							),
-						),
-					),
 					expectPush(
 						schemauser.NewUpdatedEvent(
 							context.Background(),
@@ -2262,11 +2304,13 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 			args{
 				ctx: authz.NewMockContext("instanceID", "", ""),
 				user: &ChangeSchemaUser{
-					ID:       "user1",
-					SchemaID: gu.Ptr("id2"),
-					Data: json.RawMessage(`{
+					ID: "user1",
+					SchemaUser: &SchemaUser{
+						SchemaID: "id2",
+						Data: json.RawMessage(`{
 						"name": "user2"
 					}`),
+					},
 				},
 			},
 			res{
@@ -2350,9 +2394,11 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 				ctx: authz.NewMockContext("instanceID", "", ""),
 				user: &ChangeSchemaUser{
 					ID: "user1",
-					Data: json.RawMessage(`{
+					SchemaUser: &SchemaUser{
+						Data: json.RawMessage(`{
 						"name2": "user2"
 					}`),
+					},
 				},
 			},
 			res{
@@ -2365,6 +2411,19 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 			"user updated, new schema and revision",
 			fields{
 				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								2,
+								json.RawMessage(`{
+						"name1": "user1"
+					}`),
+							),
+						),
+					),
 					expectFilter(
 						eventFromEventPusher(
 							schema.NewCreatedEvent(
@@ -2384,19 +2443,6 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 							),
 						),
 					),
-					expectFilter(
-						eventFromEventPusher(
-							schemauser.NewCreatedEvent(
-								context.Background(),
-								&schemauser.NewAggregate("user1", "org1").Aggregate,
-								"id1",
-								2,
-								json.RawMessage(`{
-						"name1": "user1"
-					}`),
-							),
-						),
-					),
 					expectPush(
 						schemauser.NewUpdatedEvent(
 							context.Background(),
@@ -2418,11 +2464,13 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 			args{
 				ctx: authz.NewMockContext("instanceID", "", ""),
 				user: &ChangeSchemaUser{
-					ID:       "user1",
-					SchemaID: gu.Ptr("id2"),
-					Data: json.RawMessage(`{
+					ID: "user1",
+					SchemaUser: &SchemaUser{
+						SchemaID: "id2",
+						Data: json.RawMessage(`{
 						"name2": "user2"
 					}`),
+					},
 				},
 			},
 			res{
@@ -2435,6 +2483,19 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 			"user update, no field permission as admin",
 			fields{
 				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+					),
 					expectFilter(
 						eventFromEventPusher(
 							schema.NewCreatedEvent(
@@ -2457,30 +2518,19 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 							),
 						),
 					),
-					expectFilter(
-						eventFromEventPusher(
-							schemauser.NewCreatedEvent(
-								context.Background(),
-								&schemauser.NewAggregate("user1", "org1").Aggregate,
-								"id1",
-								1,
-								json.RawMessage(`{
-						"name": "user1"
-					}`),
-							),
-						),
-					),
 				),
 				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args{
 				ctx: authz.NewMockContext("instanceID", "", ""),
 				user: &ChangeSchemaUser{
-					ID:       "user1",
-					SchemaID: gu.Ptr("id1"),
-					Data: json.RawMessage(`{
+					ID: "user1",
+					SchemaUser: &SchemaUser{
+						SchemaID: "id1",
+						Data: json.RawMessage(`{
 						"name": "user"
 					}`),
+					},
 				},
 			},
 			res{
@@ -2494,6 +2544,18 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 			fields{
 				eventstore: expectEventstore(
 					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+					), expectFilter(
 						eventFromEventPusher(
 							schema.NewCreatedEvent(
 								context.Background(),
@@ -2515,29 +2577,18 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 							),
 						),
 					),
-					expectFilter(
-						eventFromEventPusher(
-							schemauser.NewCreatedEvent(
-								context.Background(),
-								&schemauser.NewAggregate("user1", "org1").Aggregate,
-								"id1",
-								1,
-								json.RawMessage(`{
-						"name": "user1"
-					}`),
-							),
-						),
-					),
 				),
 			},
 			args{
 				ctx: authz.NewMockContext("instanceID", "org1", "user1"),
 				user: &ChangeSchemaUser{
-					ID:       "user1",
-					SchemaID: gu.Ptr("type"),
-					Data: json.RawMessage(`{
+					ID: "user1",
+					SchemaUser: &SchemaUser{
+						SchemaID: "type",
+						Data: json.RawMessage(`{
 						"name": "user"
 					}`),
+					},
 				},
 			},
 			res{
@@ -2550,6 +2601,19 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 			"user update, invalid data type",
 			fields{
 				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+					),
 					expectFilter(
 						eventFromEventPusher(
 							schema.NewCreatedEvent(
@@ -2569,30 +2633,19 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 							),
 						),
 					),
-					expectFilter(
-						eventFromEventPusher(
-							schemauser.NewCreatedEvent(
-								context.Background(),
-								&schemauser.NewAggregate("user1", "org1").Aggregate,
-								"id1",
-								1,
-								json.RawMessage(`{
-						"name": "user1"
-					}`),
-							),
-						),
-					),
 				),
 				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args{
 				ctx: authz.NewMockContext("instanceID", "org1", "user1"),
 				user: &ChangeSchemaUser{
-					ID:       "user1",
-					SchemaID: gu.Ptr("type"),
-					Data: json.RawMessage(`{
+					ID: "user1",
+					SchemaUser: &SchemaUser{
+						SchemaID: "type",
+						Data: json.RawMessage(`{
 						"name": 1
 					}`),
+					},
 				},
 			},
 			res{
@@ -2605,6 +2658,19 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 			"user update, additional property",
 			fields{
 				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+					),
 					expectFilter(
 						eventFromEventPusher(
 							schema.NewCreatedEvent(
@@ -2624,19 +2690,6 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 							),
 						),
 					),
-					expectFilter(
-						eventFromEventPusher(
-							schemauser.NewCreatedEvent(
-								context.Background(),
-								&schemauser.NewAggregate("user1", "org1").Aggregate,
-								"id1",
-								1,
-								json.RawMessage(`{
-						"name": "user1"
-					}`),
-							),
-						),
-					),
 					expectPush(
 						schemauser.NewUpdatedEvent(
 							context.Background(),
@@ -2657,12 +2710,14 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 			args{
 				ctx: authz.NewMockContext("instanceID", "", ""),
 				user: &ChangeSchemaUser{
-					ID:       "user1",
-					SchemaID: gu.Ptr("id1"),
-					Data: json.RawMessage(`{
+					ID: "user1",
+					SchemaUser: &SchemaUser{
+						SchemaID: "id1",
+						Data: json.RawMessage(`{
 						"name": "user1",
 						"additional": "property"
 					}`),
+					},
 				},
 			},
 			res{
@@ -2675,6 +2730,19 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 			"user update, invalid data attribute name",
 			fields{
 				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+					),
 					expectFilter(
 						eventFromEventPusher(
 							schema.NewCreatedEvent(
@@ -2695,30 +2763,19 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 							),
 						),
 					),
-					expectFilter(
-						eventFromEventPusher(
-							schemauser.NewCreatedEvent(
-								context.Background(),
-								&schemauser.NewAggregate("user1", "org1").Aggregate,
-								"id1",
-								1,
-								json.RawMessage(`{
-						"name": "user1"
-					}`),
-							),
-						),
-					),
 				),
 				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args{
 				ctx: authz.NewMockContext("instanceID", "org1", "user1"),
 				user: &ChangeSchemaUser{
-					ID:       "user1",
-					SchemaID: gu.Ptr("type"),
-					Data: json.RawMessage(`{
+					ID: "user1",
+					SchemaUser: &SchemaUser{
+						SchemaID: "type",
+						Data: json.RawMessage(`{
 						"invalid": "user"
 					}`),
+					},
 				},
 			},
 			res{
@@ -2775,6 +2832,19 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 			"user update, email return",
 			fields{
 				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+					),
 					expectFilter(
 						eventFromEventPusher(
 							schema.NewCreatedEvent(
@@ -2794,19 +2864,6 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 							),
 						),
 					),
-					expectFilter(
-						eventFromEventPusher(
-							schemauser.NewCreatedEvent(
-								context.Background(),
-								&schemauser.NewAggregate("user1", "org1").Aggregate,
-								"id1",
-								1,
-								json.RawMessage(`{
-						"name": "user1"
-					}`),
-							),
-						),
-					),
 					expectPush(
 						schemauser.NewEmailUpdatedEvent(context.Background(),
 							&schemauser.NewAggregate("user1", "org1").Aggregate,
@@ -2832,8 +2889,10 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 			args{
 				ctx: authz.NewMockContext("instanceID", "", ""),
 				user: &ChangeSchemaUser{
-					ID:       "user1",
-					SchemaID: gu.Ptr("id1"),
+					ID: "user1",
+					SchemaUser: &SchemaUser{
+						SchemaID: "id1",
+					},
 					Email: &Email{
 						Address:     "test@example.com",
 						ReturnCode:  true,
@@ -3101,8 +3160,9 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 				eventstore:       tt.fields.eventstore(t),
 				checkPermission:  tt.fields.checkPermission,
 				newEncryptedCode: tt.fields.newCode,
+				userEncryption:   crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
 			}
-			err := c.ChangeSchemaUser(tt.args.ctx, tt.args.user, crypto.CreateMockEncryptionAlg(gomock.NewController(t)))
+			details, err := c.ChangeSchemaUser(tt.args.ctx, tt.args.user)
 			if tt.res.err == nil {
 				assert.NoError(t, err)
 			}
@@ -3110,14 +3170,16 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 				t.Errorf("got wrong err: %v ", err)
 			}
 			if tt.res.err == nil {
-				assertObjectDetails(t, tt.res.details, tt.args.user.Details)
+				assertObjectDetails(t, tt.res.details, details)
 			}
 
 			if tt.res.returnCodePhone != "" {
-				assert.Equal(t, tt.res.returnCodePhone, tt.args.user.ReturnCodePhone)
+				assert.NotNil(t, tt.args.user.ReturnCodePhone)
+				assert.Equal(t, tt.res.returnCodePhone, *tt.args.user.ReturnCodePhone)
 			}
 			if tt.res.returnCodeEmail != "" {
-				assert.Equal(t, tt.res.returnCodeEmail, tt.args.user.ReturnCodeEmail)
+				assert.NotNil(t, tt.args.user.ReturnCodeEmail)
+				assert.Equal(t, tt.res.returnCodeEmail, *tt.args.user.ReturnCodeEmail)
 			}
 		})
 	}
diff --git a/internal/integration/client.go b/internal/integration/client.go
index 9bf855f5ce..dde8822acd 100644
--- a/internal/integration/client.go
+++ b/internal/integration/client.go
@@ -776,6 +776,32 @@ func (i *Instance) CreateSchemaUser(ctx context.Context, orgID string, schemaID
 	return user
 }
 
+func (i *Instance) UpdateSchemaUserEmail(ctx context.Context, orgID string, userID string, email string) *user_v3alpha.SetContactEmailResponse {
+	user, err := i.Client.UserV3Alpha.SetContactEmail(ctx, &user_v3alpha.SetContactEmailRequest{
+		Organization: &object_v3alpha.Organization{Property: &object_v3alpha.Organization_OrgId{OrgId: orgID}},
+		Id:           userID,
+		Email: &user_v3alpha.SetEmail{
+			Address:      email,
+			Verification: &user_v3alpha.SetEmail_ReturnCode{},
+		},
+	})
+	logging.OnError(err).Fatal("create user")
+	return user
+}
+
+func (i *Instance) UpdateSchemaUserPhone(ctx context.Context, orgID string, userID string, phone string) *user_v3alpha.SetContactPhoneResponse {
+	user, err := i.Client.UserV3Alpha.SetContactPhone(ctx, &user_v3alpha.SetContactPhoneRequest{
+		Organization: &object_v3alpha.Organization{Property: &object_v3alpha.Organization_OrgId{OrgId: orgID}},
+		Id:           userID,
+		Phone: &user_v3alpha.SetPhone{
+			Number:       phone,
+			Verification: &user_v3alpha.SetPhone_ReturnCode{},
+		},
+	})
+	logging.OnError(err).Fatal("create user")
+	return user
+}
+
 func (i *Instance) CreateInviteCode(ctx context.Context, userID string) *user_v2.CreateInviteCodeResponse {
 	user, err := i.Client.UserV2.CreateInviteCode(ctx, &user_v2.CreateInviteCodeRequest{
 		UserId:       userID,
diff --git a/proto/zitadel/resources/user/v3alpha/user_service.proto b/proto/zitadel/resources/user/v3alpha/user_service.proto
index 91831bdc40..96e595d81d 100644
--- a/proto/zitadel/resources/user/v3alpha/user_service.proto
+++ b/proto/zitadel/resources/user/v3alpha/user_service.proto
@@ -1392,7 +1392,7 @@ message SetContactPhoneRequest {
 message SetContactPhoneResponse {
   zitadel.resources.object.v3alpha.Details details = 1;
   // The phone verification code will be set if a contact phone was set with a return_code verification option.
-  optional string email_code = 3 [
+  optional string verification_code = 3 [
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
       example: "\"SKJd342k\"";
     }

From a6ea83168d113a1c5c79d2ffefea77b43a413a3b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 25 Sep 2024 13:53:38 +0000
Subject: [PATCH 15/19] chore(deps): bump micromatch from 4.0.7 to 4.0.8 in
 /docs (#8493)

Bumps [micromatch](https://github.com/micromatch/micromatch) from 4.0.7
to 4.0.8.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/micromatch/micromatch/releases">micromatch's
releases</a>.</em></p>
<blockquote>
<h2>4.0.8</h2>
<p>Ultimate release that fixes both CVE-2024-4067 and CVE-2024-4068. We
consider the issues low-priority, so even if you see automated scanners
saying otherwise, don't be scared.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/micromatch/micromatch/blob/master/CHANGELOG.md">micromatch's
changelog</a>.</em></p>
<blockquote>
<h2>[4.0.8] - 2024-08-22</h2>
<ul>
<li>backported CVE-2024-4067 fix (from v4.0.6) over to 4.x branch</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/micromatch/micromatch/commit/8bd704ec0d9894693d35da425d827819916be920"><code>8bd704e</code></a>
4.0.8</li>
<li><a
href="https://github.com/micromatch/micromatch/commit/a0e68416a44da10f3e4e30845ab95af4fd286d5a"><code>a0e6841</code></a>
run verb to generate README documentation</li>
<li><a
href="https://github.com/micromatch/micromatch/commit/4ec288484f6e8cccf597ad3d43529c31d0f7a02a"><code>4ec2884</code></a>
Merge branch 'v4' into hauserkristof-feature/v4.0.8</li>
<li><a
href="https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade"><code>03aa805</code></a>
Merge pull request <a
href="https://redirect.github.com/micromatch/micromatch/issues/266">#266</a>
from hauserkristof/feature/v4.0.8</li>
<li><a
href="https://github.com/micromatch/micromatch/commit/814f5f70efcd100ca9d29198867812a3d6ab91a8"><code>814f5f7</code></a>
lint</li>
<li><a
href="https://github.com/micromatch/micromatch/commit/67fcce6a1077c2faf5ad0c5f998fa70202cc5dae"><code>67fcce6</code></a>
fix: CHANGELOG about braces &amp; CVE-2024-4068, v4.0.5</li>
<li><a
href="https://github.com/micromatch/micromatch/commit/113f2e3fa7cb30b429eda7c4c38475a8e8ba1b30"><code>113f2e3</code></a>
fix: CVE numbers in CHANGELOG</li>
<li><a
href="https://github.com/micromatch/micromatch/commit/d9dbd9a266686f44afb38da26fe016f96d1ec04f"><code>d9dbd9a</code></a>
feat: updated CHANGELOG</li>
<li><a
href="https://github.com/micromatch/micromatch/commit/2ab13157f416679f54e3a32b1425e184bd16749e"><code>2ab1315</code></a>
fix: use actions/setup-node@v4</li>
<li><a
href="https://github.com/micromatch/micromatch/commit/1406ea38f3e24b29f4d4f46908d5cffcb3e6c4ce"><code>1406ea3</code></a>
feat: rework test to work on macos with node 10,12 and 14</li>
<li>Additional commits viewable in <a
href="https://github.com/micromatch/micromatch/compare/4.0.7...4.0.8">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=micromatch&package-manager=npm_and_yarn&previous-version=4.0.7&new-version=4.0.8)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/zitadel/zitadel/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 docs/yarn.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/yarn.lock b/docs/yarn.lock
index 00d8b00c75..d799eddad4 100644
--- a/docs/yarn.lock
+++ b/docs/yarn.lock
@@ -7976,9 +7976,9 @@ micromark@^4.0.0:
     micromark-util-types "^2.0.0"
 
 micromatch@^4.0.2, micromatch@^4.0.4, micromatch@^4.0.5:
-  version "4.0.7"
-  resolved "https://registry.yarnpkg.com/micromatch/-/micromatch-4.0.7.tgz#33e8190d9fe474a9895525f5618eee136d46c2e5"
-  integrity sha512-LPP/3KorzCwBxfeUuZmaR6bG2kdeHSbe0P2tY3FLRU4vYrjYz5hI4QZwV0njUx3jeuKe67YukQ1LSPZBKDqO/Q==
+  version "4.0.8"
+  resolved "https://registry.yarnpkg.com/micromatch/-/micromatch-4.0.8.tgz#d66fa18f3a47076789320b9b1af32bd86d9fa202"
+  integrity sha512-PXwfBhYu0hBCPw8Dn0E+WDYb7af3dSLVWKi3HGv84IdF4TyFoC0ysxFd0Goxw7nSv4T/PzEJQxsYsEiFCKo2BA==
   dependencies:
     braces "^3.0.3"
     picomatch "^2.3.1"

From 4eaa3163b6f4e795f789925ee89d9596d2bf9a6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= <tim+github@zitadel.com>
Date: Wed, 25 Sep 2024 22:40:21 +0300
Subject: [PATCH 16/19] feat(storage): generic cache interface (#8628)

# Which Problems Are Solved

We identified the need of caching.
Currently we have a number of places where we use different ways of
caching, like go maps or LRU.
We might also want shared chaches in the future, like Redis-based or in
special SQL tables.

# How the Problems Are Solved

Define a generic Cache interface which allows different implementations.

- A noop implementation is provided and enabled as.
- An implementation using go maps is provided
  - disabled in defaults.yaml
  - enabled in integration tests
- Authz middleware instance objects are cached using the interface.

# Additional Changes

- Enabled integration test command raceflag
- Fix a race condition in the limits integration test client
- Fix a number of flaky integration tests. (Because zitadel is super
fast now!) :guitar: :rocket:

# Additional Context

Related to https://github.com/zitadel/zitadel/issues/8648
---
 Makefile                                      |   2 +-
 cmd/defaults.yaml                             |  31 ++
 cmd/mirror/projections.go                     |   3 +
 cmd/setup/config.go                           |   2 +
 cmd/setup/setup.go                            |   1 +
 cmd/start/config.go                           |   2 +
 cmd/start/start.go                            |   1 +
 internal/api/grpc/admin/import.go             |   4 +-
 .../limits_auditlogretention_test.go          |  74 ++--
 .../token_jwt_profile_test.go                 |  21 +-
 internal/cache/cache.go                       | 106 ++++++
 internal/cache/error.go                       |  29 ++
 internal/cache/gomap/gomap.go                 | 204 +++++++++++
 internal/cache/gomap/gomap_test.go            | 334 ++++++++++++++++++
 internal/cache/noop/noop.go                   |  22 ++
 internal/cache/pruner.go                      |  76 ++++
 internal/cache/pruner_test.go                 |  43 +++
 .../eventstore/handler/v2/failed_event.go     |   6 +-
 internal/eventstore/handler/v2/handler.go     |  65 +++-
 internal/eventstore/handler/v2/statement.go   |  22 +-
 internal/integration/config/zitadel.yaml      |  17 +
 internal/query/cache.go                       |  95 +++++
 internal/query/instance.go                    |  85 ++++-
 internal/query/instance_by_domain.sql         |  18 +-
 internal/query/instance_by_id.sql             |  16 +-
 internal/query/instanceindex_enumer.go        |  78 ++++
 internal/query/projection/event_test.go       |   4 +-
 internal/query/query.go                       |   7 +
 28 files changed, 1290 insertions(+), 78 deletions(-)
 create mode 100644 internal/cache/cache.go
 create mode 100644 internal/cache/error.go
 create mode 100644 internal/cache/gomap/gomap.go
 create mode 100644 internal/cache/gomap/gomap_test.go
 create mode 100644 internal/cache/noop/noop.go
 create mode 100644 internal/cache/pruner.go
 create mode 100644 internal/cache/pruner_test.go
 create mode 100644 internal/query/cache.go
 create mode 100644 internal/query/instanceindex_enumer.go

diff --git a/Makefile b/Makefile
index 17e1bbd9b7..79aaa7f1b2 100644
--- a/Makefile
+++ b/Makefile
@@ -135,7 +135,7 @@ core_integration_server_start: core_integration_setup
 
 .PHONY: core_integration_test_packages
 core_integration_test_packages:
-	go test -count 1 -tags integration -timeout 30m $$(go list -tags integration ./... | grep "integration_test")
+	go test -race -count 1 -tags integration -timeout 30m $$(go list -tags integration ./... | grep "integration_test")
 
 .PHONY: core_integration_server_stop
 core_integration_server_stop:
diff --git a/cmd/defaults.yaml b/cmd/defaults.yaml
index 5da59fa0d0..81c312137c 100644
--- a/cmd/defaults.yaml
+++ b/cmd/defaults.yaml
@@ -183,6 +183,37 @@ Database:
         Cert: # ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_CERT
         Key: # ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_KEY
 
+# Caches are EXPERIMENTAL. The following config may have breaking changes in the future.
+# If no config is provided, caching is disabled by default.
+# Caches:
+  # Connectors are reused by caches.
+#  Connectors:
+    # Memory connector works with local server memory.
+    # It is the simplest (and probably fastest) cache implementation.
+    # Unsuitable for deployments with multiple containers,
+    # as each container's cache may hold a different state of the same object.
+#    Memory:
+#      Enabled: true
+      # AutoPrune removes invalidated or expired object from the cache.
+#      AutoPrune:
+#        Interval: 15m
+#        TimeOut: 30s
+
+  # Instance caches auth middleware instances, gettable by domain or ID.
+#  Instance:
+    # Connector must be enabled above.
+    # When connector is empty, this cache will be disabled.
+#    Connector: "memory"
+#    MaxAge: 1h
+#    LastUsage: 10m
+#
+    # Log enables cache-specific logging. Default to error log to stdout when omitted.
+#    Log:
+#      Level: debug
+#      AddSource: true
+#      Formatter:
+#        Format: text
+
 Machine:
   # Cloud-hosted VMs need to specify their metadata endpoint so that the machine can be uniquely identified.
   Identification:
diff --git a/cmd/mirror/projections.go b/cmd/mirror/projections.go
index af7ba98c5c..c7b83c9d3a 100644
--- a/cmd/mirror/projections.go
+++ b/cmd/mirror/projections.go
@@ -25,6 +25,7 @@ import (
 	auth_view "github.com/zitadel/zitadel/internal/auth/repository/eventsourcing/view"
 	"github.com/zitadel/zitadel/internal/authz"
 	authz_es "github.com/zitadel/zitadel/internal/authz/repository/eventsourcing/eventstore"
+	"github.com/zitadel/zitadel/internal/cache"
 	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/config/systemdefaults"
 	crypto_db "github.com/zitadel/zitadel/internal/crypto/database"
@@ -71,6 +72,7 @@ type ProjectionsConfig struct {
 	EncryptionKeys *encryption.EncryptionKeyConfig
 	SystemAPIUsers map[string]*internal_authz.SystemAPIUser
 	Eventstore     *eventstore.Config
+	Caches         *cache.CachesConfig
 
 	Admin admin_es.Config
 	Auth  auth_es.Config
@@ -132,6 +134,7 @@ func projections(
 		esV4.Querier,
 		client,
 		client,
+		config.Caches,
 		config.Projections,
 		config.SystemDefaults,
 		keys.IDPConfig,
diff --git a/cmd/setup/config.go b/cmd/setup/config.go
index 02f1f2aa26..465aa5aa34 100644
--- a/cmd/setup/config.go
+++ b/cmd/setup/config.go
@@ -15,6 +15,7 @@ import (
 	internal_authz "github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/api/oidc"
 	"github.com/zitadel/zitadel/internal/api/ui/login"
+	"github.com/zitadel/zitadel/internal/cache"
 	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/config/hook"
 	"github.com/zitadel/zitadel/internal/config/systemdefaults"
@@ -30,6 +31,7 @@ import (
 type Config struct {
 	ForMirror       bool
 	Database        database.Config
+	Caches          *cache.CachesConfig
 	SystemDefaults  systemdefaults.SystemDefaults
 	InternalAuthZ   internal_authz.Config
 	ExternalDomain  string
diff --git a/cmd/setup/setup.go b/cmd/setup/setup.go
index 3cfc28fadb..37688b7957 100644
--- a/cmd/setup/setup.go
+++ b/cmd/setup/setup.go
@@ -309,6 +309,7 @@ func initProjections(
 		eventstoreV4.Querier,
 		queryDBClient,
 		projectionDBClient,
+		config.Caches,
 		config.Projections,
 		config.SystemDefaults,
 		keys.IDPConfig,
diff --git a/cmd/start/config.go b/cmd/start/config.go
index 1e36d3310a..ea432e6296 100644
--- a/cmd/start/config.go
+++ b/cmd/start/config.go
@@ -18,6 +18,7 @@ import (
 	"github.com/zitadel/zitadel/internal/api/ui/console"
 	"github.com/zitadel/zitadel/internal/api/ui/login"
 	auth_es "github.com/zitadel/zitadel/internal/auth/repository/eventsourcing"
+	"github.com/zitadel/zitadel/internal/cache"
 	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/config/hook"
 	"github.com/zitadel/zitadel/internal/config/network"
@@ -48,6 +49,7 @@ type Config struct {
 	HTTP1HostHeader     string
 	WebAuthNName        string
 	Database            database.Config
+	Caches              *cache.CachesConfig
 	Tracing             tracing.Config
 	Metrics             metrics.Config
 	Profiler            profiler.Config
diff --git a/cmd/start/start.go b/cmd/start/start.go
index 68c5bdb915..991e4df592 100644
--- a/cmd/start/start.go
+++ b/cmd/start/start.go
@@ -184,6 +184,7 @@ func startZitadel(ctx context.Context, config *Config, masterKey string, server
 		eventstoreV4.Querier,
 		queryDBClient,
 		projectionDBClient,
+		config.Caches,
 		config.Projections,
 		config.SystemDefaults,
 		keys.IDPConfig,
diff --git a/internal/api/grpc/admin/import.go b/internal/api/grpc/admin/import.go
index 6a8c1a9297..338d90b0bb 100644
--- a/internal/api/grpc/admin/import.go
+++ b/internal/api/grpc/admin/import.go
@@ -123,7 +123,9 @@ func (s *Server) ImportData(ctx context.Context, req *admin_pb.ImportDataRequest
 			return nil, ctxTimeout.Err()
 		case result := <-ch:
 			logging.OnError(result.err).Errorf("error while importing: %v", result.err)
-			logging.Infof("Import done: %s", result.count.getProgress())
+			if result.count != nil {
+				logging.Infof("Import done: %s", result.count.getProgress())
+			}
 			return result.ret, result.err
 		}
 	} else {
diff --git a/internal/api/grpc/system/integration_test/limits_auditlogretention_test.go b/internal/api/grpc/system/integration_test/limits_auditlogretention_test.go
index b92999d395..077054eb33 100644
--- a/internal/api/grpc/system/integration_test/limits_auditlogretention_test.go
+++ b/internal/api/grpc/system/integration_test/limits_auditlogretention_test.go
@@ -31,11 +31,11 @@ func TestServer_Limits_AuditLogRetention(t *testing.T) {
 	farPast := timestamppb.New(beforeTime.Add(-10 * time.Hour).UTC())
 	zeroCounts := &eventCounts{}
 	seededCount := requireEventually(t, iamOwnerCtx, isoInstance.Client, userID, projectID, appID, projectGrantID, func(c assert.TestingT, counts *eventCounts) {
-		counts.assertAll(t, c, "seeded events are > 0", assert.Greater, zeroCounts)
+		counts.assertAll(c, "seeded events are > 0", assert.Greater, zeroCounts)
 	}, "wait for seeded event assertions to pass")
 	produceEvents(iamOwnerCtx, t, isoInstance.Client, userID, appID, projectID, projectGrantID)
 	addedCount := requireEventually(t, iamOwnerCtx, isoInstance.Client, userID, projectID, appID, projectGrantID, func(c assert.TestingT, counts *eventCounts) {
-		counts.assertAll(t, c, "added events are > seeded events", assert.Greater, seededCount)
+		counts.assertAll(c, "added events are > seeded events", assert.Greater, seededCount)
 	}, "wait for added event assertions to pass")
 	_, err := integration.SystemClient().SetLimits(CTX, &system.SetLimitsRequest{
 		InstanceId:        isoInstance.ID(),
@@ -44,8 +44,8 @@ func TestServer_Limits_AuditLogRetention(t *testing.T) {
 	require.NoError(t, err)
 	var limitedCounts *eventCounts
 	requireEventually(t, iamOwnerCtx, isoInstance.Client, userID, projectID, appID, projectGrantID, func(c assert.TestingT, counts *eventCounts) {
-		counts.assertAll(t, c, "limited events < added events", assert.Less, addedCount)
-		counts.assertAll(t, c, "limited events > 0", assert.Greater, zeroCounts)
+		counts.assertAll(c, "limited events < added events", assert.Less, addedCount)
+		counts.assertAll(c, "limited events > 0", assert.Greater, zeroCounts)
 		limitedCounts = counts
 	}, "wait for limited event assertions to pass")
 	listedEvents, err := isoInstance.Client.Admin.ListEvents(iamOwnerCtx, &admin.ListEventsRequest{CreationDateFilter: &admin.ListEventsRequest_From{
@@ -63,7 +63,7 @@ func TestServer_Limits_AuditLogRetention(t *testing.T) {
 	})
 	require.NoError(t, err)
 	requireEventually(t, iamOwnerCtx, isoInstance.Client, userID, projectID, appID, projectGrantID, func(c assert.TestingT, counts *eventCounts) {
-		counts.assertAll(t, c, "with reset limit, added events are > seeded events", assert.Greater, seededCount)
+		counts.assertAll(c, "with reset limit, added events are > seeded events", assert.Greater, seededCount)
 	}, "wait for reset event assertions to pass")
 }
 
@@ -77,7 +77,7 @@ func requireEventually(
 ) (counts *eventCounts) {
 	countTimeout := 30 * time.Second
 	assertTimeout := countTimeout + time.Second
-	countCtx, cancel := context.WithTimeout(ctx, countTimeout)
+	countCtx, cancel := context.WithTimeout(ctx, time.Minute)
 	defer cancel()
 	require.EventuallyWithT(t, func(c *assert.CollectT) {
 		counts = countEvents(countCtx, c, cc, userID, projectID, appID, projectGrantID)
@@ -168,63 +168,77 @@ type eventCounts struct {
 	all, myUser, aUser, grant, project, app, org int
 }
 
-func (e *eventCounts) assertAll(t *testing.T, c assert.TestingT, name string, compare assert.ComparisonAssertionFunc, than *eventCounts) {
-	t.Run(name, func(t *testing.T) {
-		compare(c, e.all, than.all, "ListEvents")
-		compare(c, e.myUser, than.myUser, "ListMyUserChanges")
-		compare(c, e.aUser, than.aUser, "ListUserChanges")
-		compare(c, e.grant, than.grant, "ListProjectGrantChanges")
-		compare(c, e.project, than.project, "ListProjectChanges")
-		compare(c, e.app, than.app, "ListAppChanges")
-		compare(c, e.org, than.org, "ListOrgChanges")
-	})
+func (e *eventCounts) assertAll(c assert.TestingT, name string, compare assert.ComparisonAssertionFunc, than *eventCounts) {
+	compare(c, e.all, than.all, name+"ListEvents")
+	compare(c, e.myUser, than.myUser, name+"ListMyUserChanges")
+	compare(c, e.aUser, than.aUser, name+"ListUserChanges")
+	compare(c, e.grant, than.grant, name+"ListProjectGrantChanges")
+	compare(c, e.project, than.project, name+"ListProjectChanges")
+	compare(c, e.app, than.app, name+"ListAppChanges")
+	compare(c, e.org, than.org, name+"ListOrgChanges")
 }
 
 func countEvents(ctx context.Context, t assert.TestingT, cc *integration.Client, userID, projectID, appID, grantID string) *eventCounts {
 	counts := new(eventCounts)
 	var wg sync.WaitGroup
 	wg.Add(7)
+
+	var mutex sync.Mutex
+	assertResultLocked := func(err error, f func(counts *eventCounts)) {
+		mutex.Lock()
+		assert.NoError(t, err)
+		f(counts)
+		mutex.Unlock()
+	}
+
 	go func() {
 		defer wg.Done()
 		result, err := cc.Admin.ListEvents(ctx, &admin.ListEventsRequest{})
-		assert.NoError(t, err)
-		counts.all = len(result.GetEvents())
+		assertResultLocked(err, func(counts *eventCounts) {
+			counts.all = len(result.GetEvents())
+		})
 	}()
 	go func() {
 		defer wg.Done()
 		result, err := cc.Auth.ListMyUserChanges(ctx, &auth.ListMyUserChangesRequest{})
-		assert.NoError(t, err)
-		counts.myUser = len(result.GetResult())
+		assertResultLocked(err, func(counts *eventCounts) {
+			counts.myUser = len(result.GetResult())
+		})
 	}()
 	go func() {
 		defer wg.Done()
 		result, err := cc.Mgmt.ListUserChanges(ctx, &management.ListUserChangesRequest{UserId: userID})
-		assert.NoError(t, err)
-		counts.aUser = len(result.GetResult())
+		assertResultLocked(err, func(counts *eventCounts) {
+			counts.aUser = len(result.GetResult())
+		})
 	}()
 	go func() {
 		defer wg.Done()
 		result, err := cc.Mgmt.ListAppChanges(ctx, &management.ListAppChangesRequest{ProjectId: projectID, AppId: appID})
-		assert.NoError(t, err)
-		counts.app = len(result.GetResult())
+		assertResultLocked(err, func(counts *eventCounts) {
+			counts.app = len(result.GetResult())
+		})
 	}()
 	go func() {
 		defer wg.Done()
 		result, err := cc.Mgmt.ListOrgChanges(ctx, &management.ListOrgChangesRequest{})
-		assert.NoError(t, err)
-		counts.org = len(result.GetResult())
+		assertResultLocked(err, func(counts *eventCounts) {
+			counts.org = len(result.GetResult())
+		})
 	}()
 	go func() {
 		defer wg.Done()
 		result, err := cc.Mgmt.ListProjectChanges(ctx, &management.ListProjectChangesRequest{ProjectId: projectID})
-		assert.NoError(t, err)
-		counts.project = len(result.GetResult())
+		assertResultLocked(err, func(counts *eventCounts) {
+			counts.project = len(result.GetResult())
+		})
 	}()
 	go func() {
 		defer wg.Done()
 		result, err := cc.Mgmt.ListProjectGrantChanges(ctx, &management.ListProjectGrantChangesRequest{ProjectId: projectID, GrantId: grantID})
-		assert.NoError(t, err)
-		counts.grant = len(result.GetResult())
+		assertResultLocked(err, func(counts *eventCounts) {
+			counts.grant = len(result.GetResult())
+		})
 	}()
 	wg.Wait()
 	return counts
diff --git a/internal/api/oidc/integration_test/token_jwt_profile_test.go b/internal/api/oidc/integration_test/token_jwt_profile_test.go
index 24fad41a2b..4315b0b30d 100644
--- a/internal/api/oidc/integration_test/token_jwt_profile_test.go
+++ b/internal/api/oidc/integration_test/token_jwt_profile_test.go
@@ -11,6 +11,7 @@ import (
 	"github.com/zitadel/oidc/v3/pkg/client/profile"
 	"github.com/zitadel/oidc/v3/pkg/client/rp"
 	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"golang.org/x/oauth2"
 
 	oidc_api "github.com/zitadel/zitadel/internal/api/oidc"
 	"github.com/zitadel/zitadel/internal/domain"
@@ -98,13 +99,19 @@ func TestServer_JWTProfile(t *testing.T) {
 			tokenSource, err := profile.NewJWTProfileTokenSourceFromKeyFileData(CTX, Instance.OIDCIssuer(), tt.keyData, tt.scope)
 			require.NoError(t, err)
 
-			tokens, err := tokenSource.TokenCtx(CTX)
-			if tt.wantErr {
-				require.Error(t, err)
-				return
-			}
-			require.NoError(t, err)
-			require.NotNil(t, tokens)
+			var tokens *oauth2.Token
+			require.EventuallyWithT(
+				t, func(collect *assert.CollectT) {
+					tokens, err = tokenSource.TokenCtx(CTX)
+					if tt.wantErr {
+						assert.Error(collect, err)
+						return
+					}
+					assert.NoError(collect, err)
+					assert.NotNil(collect, tokens)
+				},
+				time.Minute, time.Second,
+			)
 
 			provider, err := rp.NewRelyingPartyOIDC(CTX, Instance.OIDCIssuer(), "", "", redirectURI, tt.scope)
 			require.NoError(t, err)
diff --git a/internal/cache/cache.go b/internal/cache/cache.go
new file mode 100644
index 0000000000..f6b474eefd
--- /dev/null
+++ b/internal/cache/cache.go
@@ -0,0 +1,106 @@
+// Package cache provides abstraction of cache implementations that can be used by zitadel.
+package cache
+
+import (
+	"context"
+	"time"
+
+	"github.com/zitadel/logging"
+)
+
+// Cache stores objects with a value of type `V`.
+// Objects may be referred to by one or more indices.
+// Implementations may encode the value for storage.
+// This means non-exported fields may be lost and objects
+// with function values may fail to encode.
+// See https://pkg.go.dev/encoding/json#Marshal for example.
+//
+// `I` is the type by which indices are identified,
+// typically an enum for type-safe access.
+// Indices are defined when calling the constructor of an implementation of this interface.
+// It is illegal to refer to an idex not defined during construction.
+//
+// `K` is the type used as key in each index.
+// Due to the limitations in type constraints, all indices use the same key type.
+//
+// Implementations are free to use stricter type constraints or fixed typing.
+type Cache[I, K comparable, V Entry[I, K]] interface {
+	// Get an object through specified index.
+	// An [IndexUnknownError] may be returned if the index is unknown.
+	// [ErrCacheMiss] is returned if the key was not found in the index,
+	// or the object is not valid.
+	Get(ctx context.Context, index I, key K) (V, bool)
+
+	// Set an object.
+	// Keys are created on each index based in the [Entry.Keys] method.
+	// If any key maps to an existing object, the object is invalidated,
+	// regardless if the object has other keys defined in the new entry.
+	// This to prevent ghost objects when an entry reduces the amount of keys
+	// for a given index.
+	Set(ctx context.Context, value V)
+
+	// Invalidate an object through specified index.
+	// Implementations may choose to instantly delete the object,
+	// defer until prune or a separate cleanup routine.
+	// Invalidated object are no longer returned from Get.
+	// It is safe to call Invalidate multiple times or on non-existing entries.
+	Invalidate(ctx context.Context, index I, key ...K) error
+
+	// Delete one or more keys from a specific index.
+	// An [IndexUnknownError] may be returned if the index is unknown.
+	// The referred object is not invalidated and may still be accessible though
+	// other indices and keys.
+	// It is safe to call Delete multiple times or on non-existing entries
+	Delete(ctx context.Context, index I, key ...K) error
+
+	// Truncate deletes all cached objects.
+	Truncate(ctx context.Context) error
+
+	// Close the cache. Subsequent calls to the cache are not allowed.
+	Close(ctx context.Context) error
+}
+
+// Entry contains a value of type `V` to be cached.
+//
+// `I` is the type by which indices are identified,
+// typically an enum for type-safe access.
+//
+// `K` is the type used as key in an index.
+// Due to the limitations in type constraints, all indices use the same key type.
+type Entry[I, K comparable] interface {
+	// Keys returns which keys map to the object in a specified index.
+	// May return nil if the index in unknown or when there are no keys.
+	Keys(index I) (key []K)
+}
+
+type CachesConfig struct {
+	Connectors struct {
+		Memory MemoryConnectorConfig
+		// SQL database.Config
+		// Redis redis.Config?
+	}
+	Instance *CacheConfig
+}
+
+type CacheConfig struct {
+	Connector string
+
+	// Age since an object was added to the cache,
+	// after which the object is considered invalid.
+	// 0 disables max age checks.
+	MaxAge time.Duration
+
+	// Age since last use (Get) of an object,
+	// after which the object is considered invalid.
+	// 0 disables last use age checks.
+	LastUseAge time.Duration
+
+	// Log allows logging of the specific cache.
+	// By default only errors are logged to stdout.
+	Log *logging.Config
+}
+
+type MemoryConnectorConfig struct {
+	Enabled   bool
+	AutoPrune AutoPruneConfig
+}
diff --git a/internal/cache/error.go b/internal/cache/error.go
new file mode 100644
index 0000000000..b66b9447bf
--- /dev/null
+++ b/internal/cache/error.go
@@ -0,0 +1,29 @@
+package cache
+
+import (
+	"errors"
+	"fmt"
+)
+
+type IndexUnknownError[I comparable] struct {
+	index I
+}
+
+func NewIndexUnknownErr[I comparable](index I) error {
+	return IndexUnknownError[I]{index}
+}
+
+func (i IndexUnknownError[I]) Error() string {
+	return fmt.Sprintf("index %v unknown", i.index)
+}
+
+func (a IndexUnknownError[I]) Is(err error) bool {
+	if b, ok := err.(IndexUnknownError[I]); ok {
+		return a.index == b.index
+	}
+	return false
+}
+
+var (
+	ErrCacheMiss = errors.New("cache miss")
+)
diff --git a/internal/cache/gomap/gomap.go b/internal/cache/gomap/gomap.go
new file mode 100644
index 0000000000..e9c938bbf9
--- /dev/null
+++ b/internal/cache/gomap/gomap.go
@@ -0,0 +1,204 @@
+package gomap
+
+import (
+	"context"
+	"errors"
+	"log/slog"
+	"maps"
+	"os"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/zitadel/zitadel/internal/cache"
+)
+
+type mapCache[I, K comparable, V cache.Entry[I, K]] struct {
+	config   *cache.CacheConfig
+	indexMap map[I]*index[K, V]
+	logger   *slog.Logger
+}
+
+// NewCache returns an in-memory Cache implementation based on the builtin go map type.
+// Object values are stored as-is and there is no encoding or decoding involved.
+func NewCache[I, K comparable, V cache.Entry[I, K]](background context.Context, indices []I, config cache.CacheConfig) cache.PrunerCache[I, K, V] {
+	m := &mapCache[I, K, V]{
+		config:   &config,
+		indexMap: make(map[I]*index[K, V], len(indices)),
+		logger: slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{
+			AddSource: true,
+			Level:     slog.LevelError,
+		})),
+	}
+	if config.Log != nil {
+		m.logger = config.Log.Slog()
+	}
+	m.logger.InfoContext(background, "map cache logging enabled")
+
+	for _, name := range indices {
+		m.indexMap[name] = &index[K, V]{
+			config:  m.config,
+			entries: make(map[K]*entry[V]),
+		}
+	}
+	return m
+}
+
+func (c *mapCache[I, K, V]) Get(ctx context.Context, index I, key K) (value V, ok bool) {
+	i, ok := c.indexMap[index]
+	if !ok {
+		c.logger.ErrorContext(ctx, "map cache get", "err", cache.NewIndexUnknownErr(index), "index", index, "key", key)
+		return value, false
+	}
+	entry, err := i.Get(key)
+	if err == nil {
+		c.logger.DebugContext(ctx, "map cache get", "index", index, "key", key)
+		return entry.value, true
+	}
+	if errors.Is(err, cache.ErrCacheMiss) {
+		c.logger.InfoContext(ctx, "map cache get", "err", err, "index", index, "key", key)
+		return value, false
+	}
+	c.logger.ErrorContext(ctx, "map cache get", "err", cache.NewIndexUnknownErr(index), "index", index, "key", key)
+	return value, false
+}
+
+func (c *mapCache[I, K, V]) Set(ctx context.Context, value V) {
+	now := time.Now()
+	entry := &entry[V]{
+		value:   value,
+		created: now,
+	}
+	entry.lastUse.Store(now.UnixMicro())
+
+	for name, i := range c.indexMap {
+		keys := value.Keys(name)
+		i.Set(keys, entry)
+		c.logger.DebugContext(ctx, "map cache set", "index", name, "keys", keys)
+	}
+}
+
+func (c *mapCache[I, K, V]) Invalidate(ctx context.Context, index I, keys ...K) error {
+	i, ok := c.indexMap[index]
+	if !ok {
+		return cache.NewIndexUnknownErr(index)
+	}
+	i.Invalidate(keys)
+	c.logger.DebugContext(ctx, "map cache invalidate", "index", index, "keys", keys)
+	return nil
+}
+
+func (c *mapCache[I, K, V]) Delete(ctx context.Context, index I, keys ...K) error {
+	i, ok := c.indexMap[index]
+	if !ok {
+		return cache.NewIndexUnknownErr(index)
+	}
+	i.Delete(keys)
+	c.logger.DebugContext(ctx, "map cache delete", "index", index, "keys", keys)
+	return nil
+}
+
+func (c *mapCache[I, K, V]) Prune(ctx context.Context) error {
+	for name, index := range c.indexMap {
+		index.Prune()
+		c.logger.DebugContext(ctx, "map cache prune", "index", name)
+	}
+	return nil
+}
+
+func (c *mapCache[I, K, V]) Truncate(ctx context.Context) error {
+	for name, index := range c.indexMap {
+		index.Truncate()
+		c.logger.DebugContext(ctx, "map cache clear", "index", name)
+	}
+	return nil
+}
+
+func (c *mapCache[I, K, V]) Close(ctx context.Context) error {
+	return ctx.Err()
+}
+
+type index[K comparable, V any] struct {
+	mutex   sync.RWMutex
+	config  *cache.CacheConfig
+	entries map[K]*entry[V]
+}
+
+func (i *index[K, V]) Get(key K) (*entry[V], error) {
+	i.mutex.RLock()
+	entry, ok := i.entries[key]
+	i.mutex.RUnlock()
+	if ok && entry.isValid(i.config) {
+		return entry, nil
+	}
+	return nil, cache.ErrCacheMiss
+}
+
+func (c *index[K, V]) Set(keys []K, entry *entry[V]) {
+	c.mutex.Lock()
+	for _, key := range keys {
+		c.entries[key] = entry
+	}
+	c.mutex.Unlock()
+}
+
+func (i *index[K, V]) Invalidate(keys []K) {
+	i.mutex.RLock()
+	for _, key := range keys {
+		if entry, ok := i.entries[key]; ok {
+			entry.invalid.Store(true)
+		}
+	}
+	i.mutex.RUnlock()
+}
+
+func (c *index[K, V]) Delete(keys []K) {
+	c.mutex.Lock()
+	for _, key := range keys {
+		delete(c.entries, key)
+	}
+	c.mutex.Unlock()
+}
+
+func (c *index[K, V]) Prune() {
+	c.mutex.Lock()
+	maps.DeleteFunc(c.entries, func(_ K, entry *entry[V]) bool {
+		return !entry.isValid(c.config)
+	})
+	c.mutex.Unlock()
+}
+
+func (c *index[K, V]) Truncate() {
+	c.mutex.Lock()
+	c.entries = make(map[K]*entry[V])
+	c.mutex.Unlock()
+}
+
+type entry[V any] struct {
+	value   V
+	created time.Time
+	invalid atomic.Bool
+	lastUse atomic.Int64 // UnixMicro time
+}
+
+func (e *entry[V]) isValid(c *cache.CacheConfig) bool {
+	if e.invalid.Load() {
+		return false
+	}
+	now := time.Now()
+	if c.MaxAge > 0 {
+		if e.created.Add(c.MaxAge).Before(now) {
+			e.invalid.Store(true)
+			return false
+		}
+	}
+	if c.LastUseAge > 0 {
+		lastUse := e.lastUse.Load()
+		if time.UnixMicro(lastUse).Add(c.LastUseAge).Before(now) {
+			e.invalid.Store(true)
+			return false
+		}
+		e.lastUse.CompareAndSwap(lastUse, now.UnixMicro())
+	}
+	return true
+}
diff --git a/internal/cache/gomap/gomap_test.go b/internal/cache/gomap/gomap_test.go
new file mode 100644
index 0000000000..21a273b616
--- /dev/null
+++ b/internal/cache/gomap/gomap_test.go
@@ -0,0 +1,334 @@
+package gomap
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/zitadel/logging"
+
+	"github.com/zitadel/zitadel/internal/cache"
+)
+
+type testIndex int
+
+const (
+	testIndexID testIndex = iota
+	testIndexName
+)
+
+var testIndices = []testIndex{
+	testIndexID,
+	testIndexName,
+}
+
+type testObject struct {
+	id    string
+	names []string
+}
+
+func (o *testObject) Keys(index testIndex) []string {
+	switch index {
+	case testIndexID:
+		return []string{o.id}
+	case testIndexName:
+		return o.names
+	default:
+		return nil
+	}
+}
+
+func Test_mapCache_Get(t *testing.T) {
+	c := NewCache[testIndex, string, *testObject](context.Background(), testIndices, cache.CacheConfig{
+		MaxAge:     time.Second,
+		LastUseAge: time.Second / 4,
+		Log: &logging.Config{
+			Level:     "debug",
+			AddSource: true,
+		},
+	})
+	defer c.Close(context.Background())
+	obj := &testObject{
+		id:    "id",
+		names: []string{"foo", "bar"},
+	}
+	c.Set(context.Background(), obj)
+
+	type args struct {
+		index testIndex
+		key   string
+	}
+	tests := []struct {
+		name   string
+		args   args
+		want   *testObject
+		wantOk bool
+	}{
+		{
+			name: "ok",
+			args: args{
+				index: testIndexID,
+				key:   "id",
+			},
+			want:   obj,
+			wantOk: true,
+		},
+		{
+			name: "miss",
+			args: args{
+				index: testIndexID,
+				key:   "spanac",
+			},
+			want:   nil,
+			wantOk: false,
+		},
+		{
+			name: "unknown index",
+			args: args{
+				index: 99,
+				key:   "id",
+			},
+			want:   nil,
+			wantOk: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, ok := c.Get(context.Background(), tt.args.index, tt.args.key)
+			assert.Equal(t, tt.want, got)
+			assert.Equal(t, tt.wantOk, ok)
+		})
+	}
+}
+
+func Test_mapCache_Invalidate(t *testing.T) {
+	c := NewCache[testIndex, string, *testObject](context.Background(), testIndices, cache.CacheConfig{
+		MaxAge:     time.Second,
+		LastUseAge: time.Second / 4,
+		Log: &logging.Config{
+			Level:     "debug",
+			AddSource: true,
+		},
+	})
+	defer c.Close(context.Background())
+	obj := &testObject{
+		id:    "id",
+		names: []string{"foo", "bar"},
+	}
+	c.Set(context.Background(), obj)
+	err := c.Invalidate(context.Background(), testIndexName, "bar")
+	require.NoError(t, err)
+	got, ok := c.Get(context.Background(), testIndexID, "id")
+	assert.Nil(t, got)
+	assert.False(t, ok)
+}
+
+func Test_mapCache_Delete(t *testing.T) {
+	c := NewCache[testIndex, string, *testObject](context.Background(), testIndices, cache.CacheConfig{
+		MaxAge:     time.Second,
+		LastUseAge: time.Second / 4,
+		Log: &logging.Config{
+			Level:     "debug",
+			AddSource: true,
+		},
+	})
+	defer c.Close(context.Background())
+	obj := &testObject{
+		id:    "id",
+		names: []string{"foo", "bar"},
+	}
+	c.Set(context.Background(), obj)
+	err := c.Delete(context.Background(), testIndexName, "bar")
+	require.NoError(t, err)
+
+	// Shouldn't find object by deleted name
+	got, ok := c.Get(context.Background(), testIndexName, "bar")
+	assert.Nil(t, got)
+	assert.False(t, ok)
+
+	// Should find object by other name
+	got, ok = c.Get(context.Background(), testIndexName, "foo")
+	assert.Equal(t, obj, got)
+	assert.True(t, ok)
+
+	// Should find object by id
+	got, ok = c.Get(context.Background(), testIndexID, "id")
+	assert.Equal(t, obj, got)
+	assert.True(t, ok)
+}
+
+func Test_mapCache_Prune(t *testing.T) {
+	c := NewCache[testIndex, string, *testObject](context.Background(), testIndices, cache.CacheConfig{
+		MaxAge:     time.Second,
+		LastUseAge: time.Second / 4,
+		Log: &logging.Config{
+			Level:     "debug",
+			AddSource: true,
+		},
+	})
+	defer c.Close(context.Background())
+
+	objects := []*testObject{
+		{
+			id:    "id1",
+			names: []string{"foo", "bar"},
+		},
+		{
+			id:    "id2",
+			names: []string{"hello"},
+		},
+	}
+	for _, obj := range objects {
+		c.Set(context.Background(), obj)
+	}
+	// invalidate one entry
+	err := c.Invalidate(context.Background(), testIndexName, "bar")
+	require.NoError(t, err)
+
+	err = c.(cache.Pruner).Prune(context.Background())
+	require.NoError(t, err)
+
+	// Other object should still be found
+	got, ok := c.Get(context.Background(), testIndexID, "id2")
+	assert.Equal(t, objects[1], got)
+	assert.True(t, ok)
+}
+
+func Test_mapCache_Truncate(t *testing.T) {
+	c := NewCache[testIndex, string, *testObject](context.Background(), testIndices, cache.CacheConfig{
+		MaxAge:     time.Second,
+		LastUseAge: time.Second / 4,
+		Log: &logging.Config{
+			Level:     "debug",
+			AddSource: true,
+		},
+	})
+	defer c.Close(context.Background())
+	objects := []*testObject{
+		{
+			id:    "id1",
+			names: []string{"foo", "bar"},
+		},
+		{
+			id:    "id2",
+			names: []string{"hello"},
+		},
+	}
+	for _, obj := range objects {
+		c.Set(context.Background(), obj)
+	}
+
+	err := c.Truncate(context.Background())
+	require.NoError(t, err)
+
+	mc := c.(*mapCache[testIndex, string, *testObject])
+	for _, index := range mc.indexMap {
+		index.mutex.RLock()
+		assert.Len(t, index.entries, 0)
+		index.mutex.RUnlock()
+	}
+}
+
+func Test_entry_isValid(t *testing.T) {
+	type fields struct {
+		created time.Time
+		invalid bool
+		lastUse time.Time
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		config *cache.CacheConfig
+		want   bool
+	}{
+		{
+			name: "invalid",
+			fields: fields{
+				created: time.Now(),
+				invalid: true,
+				lastUse: time.Now(),
+			},
+			config: &cache.CacheConfig{
+				MaxAge:     time.Minute,
+				LastUseAge: time.Second,
+			},
+			want: false,
+		},
+		{
+			name: "max age exceeded",
+			fields: fields{
+				created: time.Now().Add(-(time.Minute + time.Second)),
+				invalid: false,
+				lastUse: time.Now(),
+			},
+			config: &cache.CacheConfig{
+				MaxAge:     time.Minute,
+				LastUseAge: time.Second,
+			},
+			want: false,
+		},
+		{
+			name: "max age disabled",
+			fields: fields{
+				created: time.Now().Add(-(time.Minute + time.Second)),
+				invalid: false,
+				lastUse: time.Now(),
+			},
+			config: &cache.CacheConfig{
+				LastUseAge: time.Second,
+			},
+			want: true,
+		},
+		{
+			name: "last use age exceeded",
+			fields: fields{
+				created: time.Now().Add(-(time.Minute / 2)),
+				invalid: false,
+				lastUse: time.Now().Add(-(time.Second * 2)),
+			},
+			config: &cache.CacheConfig{
+				MaxAge:     time.Minute,
+				LastUseAge: time.Second,
+			},
+			want: false,
+		},
+		{
+			name: "last use age disabled",
+			fields: fields{
+				created: time.Now().Add(-(time.Minute / 2)),
+				invalid: false,
+				lastUse: time.Now().Add(-(time.Second * 2)),
+			},
+			config: &cache.CacheConfig{
+				MaxAge: time.Minute,
+			},
+			want: true,
+		},
+		{
+			name: "valid",
+			fields: fields{
+				created: time.Now(),
+				invalid: false,
+				lastUse: time.Now(),
+			},
+			config: &cache.CacheConfig{
+				MaxAge:     time.Minute,
+				LastUseAge: time.Second,
+			},
+			want: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			e := &entry[any]{
+				created: tt.fields.created,
+			}
+			e.invalid.Store(tt.fields.invalid)
+			e.lastUse.Store(tt.fields.lastUse.UnixMicro())
+			got := e.isValid(tt.config)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
diff --git a/internal/cache/noop/noop.go b/internal/cache/noop/noop.go
new file mode 100644
index 0000000000..03c82d574d
--- /dev/null
+++ b/internal/cache/noop/noop.go
@@ -0,0 +1,22 @@
+package noop
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/cache"
+)
+
+type noop[I, K comparable, V cache.Entry[I, K]] struct{}
+
+// NewCache returns a cache that does nothing
+func NewCache[I, K comparable, V cache.Entry[I, K]]() cache.Cache[I, K, V] {
+	return noop[I, K, V]{}
+}
+
+func (noop[I, K, V]) Set(context.Context, V)                          {}
+func (noop[I, K, V]) Get(context.Context, I, K) (value V, ok bool)    { return }
+func (noop[I, K, V]) Invalidate(context.Context, I, ...K) (err error) { return }
+func (noop[I, K, V]) Delete(context.Context, I, ...K) (err error)     { return }
+func (noop[I, K, V]) Prune(context.Context) (err error)               { return }
+func (noop[I, K, V]) Truncate(context.Context) (err error)            { return }
+func (noop[I, K, V]) Close(context.Context) (err error)               { return }
diff --git a/internal/cache/pruner.go b/internal/cache/pruner.go
new file mode 100644
index 0000000000..d4b0b41266
--- /dev/null
+++ b/internal/cache/pruner.go
@@ -0,0 +1,76 @@
+package cache
+
+import (
+	"context"
+	"math/rand"
+	"time"
+
+	"github.com/jonboulle/clockwork"
+	"github.com/zitadel/logging"
+)
+
+// Pruner is an optional [Cache] interface.
+type Pruner interface {
+	// Prune deletes all invalidated or expired objects.
+	Prune(ctx context.Context) error
+}
+
+type PrunerCache[I, K comparable, V Entry[I, K]] interface {
+	Cache[I, K, V]
+	Pruner
+}
+
+type AutoPruneConfig struct {
+	// Interval at which the cache is automatically pruned.
+	// 0 or lower disables automatic pruning.
+	Interval time.Duration
+
+	// Timeout for an automatic prune.
+	// It is recommended to keep the value shorter than AutoPruneInterval
+	// 0 or lower disables automatic pruning.
+	Timeout time.Duration
+}
+
+func (c AutoPruneConfig) StartAutoPrune(background context.Context, pruner Pruner, name string) (close func()) {
+	return c.startAutoPrune(background, pruner, name, clockwork.NewRealClock())
+}
+
+func (c *AutoPruneConfig) startAutoPrune(background context.Context, pruner Pruner, name string, clock clockwork.Clock) (close func()) {
+	if c.Interval <= 0 {
+		return func() {}
+	}
+	background, cancel := context.WithCancel(background)
+	// randomize the first interval
+	timer := clock.NewTimer(time.Duration(rand.Int63n(int64(c.Interval))))
+	go c.pruneTimer(background, pruner, name, timer)
+	return cancel
+}
+
+func (c *AutoPruneConfig) pruneTimer(background context.Context, pruner Pruner, name string, timer clockwork.Timer) {
+	defer func() {
+		if !timer.Stop() {
+			<-timer.Chan()
+		}
+	}()
+
+	for {
+		select {
+		case <-background.Done():
+			return
+		case <-timer.Chan():
+			timer.Reset(c.Interval)
+			err := c.doPrune(background, pruner)
+			logging.OnError(err).WithField("name", name).Error("cache auto prune")
+		}
+	}
+}
+
+func (c *AutoPruneConfig) doPrune(background context.Context, pruner Pruner) error {
+	ctx, cancel := context.WithCancel(background)
+	defer cancel()
+	if c.Timeout > 0 {
+		ctx, cancel = context.WithTimeout(background, c.Timeout)
+		defer cancel()
+	}
+	return pruner.Prune(ctx)
+}
diff --git a/internal/cache/pruner_test.go b/internal/cache/pruner_test.go
new file mode 100644
index 0000000000..ababe81e59
--- /dev/null
+++ b/internal/cache/pruner_test.go
@@ -0,0 +1,43 @@
+package cache
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/jonboulle/clockwork"
+	"github.com/stretchr/testify/assert"
+)
+
+type testPruner struct {
+	called chan struct{}
+}
+
+func (p *testPruner) Prune(context.Context) error {
+	p.called <- struct{}{}
+	return nil
+}
+
+func TestAutoPruneConfig_startAutoPrune(t *testing.T) {
+	c := AutoPruneConfig{
+		Interval: time.Second,
+		Timeout:  time.Millisecond,
+	}
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
+	defer cancel()
+
+	pruner := testPruner{
+		called: make(chan struct{}),
+	}
+	clock := clockwork.NewFakeClock()
+	close := c.startAutoPrune(ctx, &pruner, "foo", clock)
+	defer close()
+	clock.Advance(time.Second)
+
+	select {
+	case _, ok := <-pruner.called:
+		assert.True(t, ok)
+	case <-ctx.Done():
+		t.Fatal(ctx.Err())
+	}
+}
diff --git a/internal/eventstore/handler/v2/failed_event.go b/internal/eventstore/handler/v2/failed_event.go
index 53457883ca..cee1bbc774 100644
--- a/internal/eventstore/handler/v2/failed_event.go
+++ b/internal/eventstore/handler/v2/failed_event.go
@@ -39,9 +39,9 @@ func failureFromEvent(event eventstore.Event, err error) *failure {
 func failureFromStatement(statement *Statement, err error) *failure {
 	return &failure{
 		sequence:      statement.Sequence,
-		instance:      statement.InstanceID,
-		aggregateID:   statement.AggregateID,
-		aggregateType: statement.AggregateType,
+		instance:      statement.Aggregate.InstanceID,
+		aggregateID:   statement.Aggregate.ID,
+		aggregateType: statement.Aggregate.Type,
 		eventDate:     statement.CreationDate,
 		err:           err,
 	}
diff --git a/internal/eventstore/handler/v2/handler.go b/internal/eventstore/handler/v2/handler.go
index b395035b8f..615a9a6fcc 100644
--- a/internal/eventstore/handler/v2/handler.go
+++ b/internal/eventstore/handler/v2/handler.go
@@ -62,6 +62,7 @@ type Handler struct {
 	triggeredInstancesSync sync.Map
 
 	triggerWithoutEvents Reduce
+	cacheInvalidations   []func(ctx context.Context, aggregates []*eventstore.Aggregate)
 }
 
 var _ migration.Migration = (*Handler)(nil)
@@ -418,6 +419,12 @@ func (h *Handler) Trigger(ctx context.Context, opts ...TriggerOpt) (_ context.Co
 	}
 }
 
+// RegisterCacheInvalidation registers a function to be called when a cache needs to be invalidated.
+// In order to avoid race conditions, this method must be called before [Handler.Start] is called.
+func (h *Handler) RegisterCacheInvalidation(invalidate func(ctx context.Context, aggregates []*eventstore.Aggregate)) {
+	h.cacheInvalidations = append(h.cacheInvalidations, invalidate)
+}
+
 // lockInstance tries to lock the instance.
 // If the instance is already locked from another process no cancel function is returned
 // the instance can be skipped then
@@ -486,10 +493,6 @@ func (h *Handler) processEvents(ctx context.Context, config *triggerConfig) (add
 			h.log().OnError(rollbackErr).Debug("unable to rollback tx")
 			return
 		}
-		commitErr := tx.Commit()
-		if err == nil {
-			err = commitErr
-		}
 	}()
 
 	currentState, err := h.currentState(ctx, tx, config)
@@ -509,6 +512,17 @@ func (h *Handler) processEvents(ctx context.Context, config *triggerConfig) (add
 	if err != nil {
 		return additionalIteration, err
 	}
+
+	defer func() {
+		commitErr := tx.Commit()
+		if err == nil {
+			err = commitErr
+		}
+		if err == nil && currentState.aggregateID != "" && len(statements) > 0 {
+			h.invalidateCaches(ctx, aggregatesFromStatements(statements))
+		}
+	}()
+
 	if len(statements) == 0 {
 		err = h.setState(tx, currentState)
 		return additionalIteration, err
@@ -522,8 +536,8 @@ func (h *Handler) processEvents(ctx context.Context, config *triggerConfig) (add
 
 	currentState.position = statements[lastProcessedIndex].Position
 	currentState.offset = statements[lastProcessedIndex].offset
-	currentState.aggregateID = statements[lastProcessedIndex].AggregateID
-	currentState.aggregateType = statements[lastProcessedIndex].AggregateType
+	currentState.aggregateID = statements[lastProcessedIndex].Aggregate.ID
+	currentState.aggregateType = statements[lastProcessedIndex].Aggregate.Type
 	currentState.sequence = statements[lastProcessedIndex].Sequence
 	currentState.eventTimestamp = statements[lastProcessedIndex].CreationDate
 	err = h.setState(tx, currentState)
@@ -556,8 +570,8 @@ func (h *Handler) generateStatements(ctx context.Context, tx *sql.Tx, currentSta
 	if idx+1 == len(statements) {
 		currentState.position = statements[len(statements)-1].Position
 		currentState.offset = statements[len(statements)-1].offset
-		currentState.aggregateID = statements[len(statements)-1].AggregateID
-		currentState.aggregateType = statements[len(statements)-1].AggregateType
+		currentState.aggregateID = statements[len(statements)-1].Aggregate.ID
+		currentState.aggregateType = statements[len(statements)-1].Aggregate.Type
 		currentState.sequence = statements[len(statements)-1].Sequence
 		currentState.eventTimestamp = statements[len(statements)-1].CreationDate
 
@@ -577,8 +591,8 @@ func (h *Handler) generateStatements(ctx context.Context, tx *sql.Tx, currentSta
 func skipPreviouslyReducedStatements(statements []*Statement, currentState *state) int {
 	for i, statement := range statements {
 		if statement.Position == currentState.position &&
-			statement.AggregateID == currentState.aggregateID &&
-			statement.AggregateType == currentState.aggregateType &&
+			statement.Aggregate.ID == currentState.aggregateID &&
+			statement.Aggregate.Type == currentState.aggregateType &&
 			statement.Sequence == currentState.sequence {
 			return i
 		}
@@ -667,3 +681,34 @@ func (h *Handler) eventQuery(currentState *state) *eventstore.SearchQueryBuilder
 func (h *Handler) ProjectionName() string {
 	return h.projection.Name()
 }
+
+func (h *Handler) invalidateCaches(ctx context.Context, aggregates []*eventstore.Aggregate) {
+	if len(h.cacheInvalidations) == 0 {
+		return
+	}
+
+	var wg sync.WaitGroup
+	wg.Add(len(h.cacheInvalidations))
+
+	for _, invalidate := range h.cacheInvalidations {
+		go func(invalidate func(context.Context, []*eventstore.Aggregate)) {
+			defer wg.Done()
+			invalidate(ctx, aggregates)
+		}(invalidate)
+	}
+	wg.Wait()
+}
+
+// aggregatesFromStatements returns the unique aggregates from statements.
+// Duplicate aggregates are omitted.
+func aggregatesFromStatements(statements []*Statement) []*eventstore.Aggregate {
+	aggregates := make([]*eventstore.Aggregate, 0, len(statements))
+	for _, statement := range statements {
+		if !slices.ContainsFunc(aggregates, func(aggregate *eventstore.Aggregate) bool {
+			return *statement.Aggregate == *aggregate
+		}) {
+			aggregates = append(aggregates, statement.Aggregate)
+		}
+	}
+	return aggregates
+}
diff --git a/internal/eventstore/handler/v2/statement.go b/internal/eventstore/handler/v2/statement.go
index 207f3d0f58..6ff10fb2e1 100644
--- a/internal/eventstore/handler/v2/statement.go
+++ b/internal/eventstore/handler/v2/statement.go
@@ -80,12 +80,10 @@ func (h *Handler) reduce(event eventstore.Event) (*Statement, error) {
 }
 
 type Statement struct {
-	AggregateType eventstore.AggregateType
-	AggregateID   string
-	Sequence      uint64
-	Position      float64
-	CreationDate  time.Time
-	InstanceID    string
+	Aggregate    *eventstore.Aggregate
+	Sequence     uint64
+	Position     float64
+	CreationDate time.Time
 
 	offset uint32
 
@@ -108,13 +106,11 @@ var (
 
 func NewStatement(event eventstore.Event, e Exec) *Statement {
 	return &Statement{
-		AggregateType: event.Aggregate().Type,
-		Sequence:      event.Sequence(),
-		Position:      event.Position(),
-		AggregateID:   event.Aggregate().ID,
-		CreationDate:  event.CreatedAt(),
-		InstanceID:    event.Aggregate().InstanceID,
-		Execute:       e,
+		Aggregate:    event.Aggregate(),
+		Sequence:     event.Sequence(),
+		Position:     event.Position(),
+		CreationDate: event.CreatedAt(),
+		Execute:      e,
 	}
 }
 
diff --git a/internal/integration/config/zitadel.yaml b/internal/integration/config/zitadel.yaml
index 6524b4806f..8ff36b2175 100644
--- a/internal/integration/config/zitadel.yaml
+++ b/internal/integration/config/zitadel.yaml
@@ -6,6 +6,23 @@ ExternalSecure: false
 TLS:
   Enabled: false
 
+Caches:
+  Connectors:
+    Memory:
+      Enabled: true
+      AutoPrune:
+        Interval: 30s
+        TimeOut: 1s
+  Instance:
+    Connector: "memory"
+    MaxAge: 1m
+    LastUsage: 30s
+    Log:
+      Level: info
+      AddSource: true
+      Formatter:
+        Format: text
+
 Quotas:
   Access:
     Enabled: true
diff --git a/internal/query/cache.go b/internal/query/cache.go
new file mode 100644
index 0000000000..742bf4af58
--- /dev/null
+++ b/internal/query/cache.go
@@ -0,0 +1,95 @@
+package query
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/zitadel/logging"
+
+	"github.com/zitadel/zitadel/internal/cache"
+	"github.com/zitadel/zitadel/internal/cache/gomap"
+	"github.com/zitadel/zitadel/internal/cache/noop"
+	"github.com/zitadel/zitadel/internal/eventstore"
+)
+
+type Caches struct {
+	connectors *cacheConnectors
+	instance   cache.Cache[instanceIndex, string, *authzInstance]
+}
+
+func startCaches(background context.Context, conf *cache.CachesConfig) (_ *Caches, err error) {
+	caches := &Caches{
+		instance: noop.NewCache[instanceIndex, string, *authzInstance](),
+	}
+	if conf == nil {
+		return caches, nil
+	}
+	caches.connectors, err = startCacheConnectors(background, conf)
+	if err != nil {
+		return nil, err
+	}
+	caches.instance, err = startCache[instanceIndex, string, *authzInstance](background, instanceIndexValues(), "authz_instance", conf.Instance, caches.connectors)
+	if err != nil {
+		return nil, err
+	}
+	caches.registerInstanceInvalidation()
+
+	return caches, nil
+}
+
+type cacheConnectors struct {
+	memory *cache.AutoPruneConfig
+	// pool   *pgxpool.Pool
+}
+
+func startCacheConnectors(_ context.Context, conf *cache.CachesConfig) (*cacheConnectors, error) {
+	connectors := new(cacheConnectors)
+	if conf.Connectors.Memory.Enabled {
+		connectors.memory = &conf.Connectors.Memory.AutoPrune
+	}
+
+	return connectors, nil
+}
+
+func startCache[I, K comparable, V cache.Entry[I, K]](background context.Context, indices []I, name string, conf *cache.CacheConfig, connectors *cacheConnectors) (cache.Cache[I, K, V], error) {
+	if conf == nil || conf.Connector == "" {
+		return noop.NewCache[I, K, V](), nil
+	}
+	if strings.EqualFold(conf.Connector, "memory") && connectors.memory != nil {
+		c := gomap.NewCache[I, K, V](background, indices, *conf)
+		connectors.memory.StartAutoPrune(background, c, name)
+		return c, nil
+	}
+
+	/* TODO
+	if strings.EqualFold(conf.Connector, "sql") && connectors.pool != nil {
+		return ...
+	}
+	*/
+
+	return nil, fmt.Errorf("cache connector %q not enabled", conf.Connector)
+}
+
+type invalidator[I comparable] interface {
+	Invalidate(ctx context.Context, index I, key ...string) error
+}
+
+func cacheInvalidationFunc[I comparable](cache invalidator[I], index I, getID func(*eventstore.Aggregate) string) func(context.Context, []*eventstore.Aggregate) {
+	return func(ctx context.Context, aggregates []*eventstore.Aggregate) {
+		ids := make([]string, len(aggregates))
+		for i, aggregate := range aggregates {
+			ids[i] = getID(aggregate)
+		}
+		err := cache.Invalidate(ctx, index, ids...)
+		logging.OnError(err).Warn("cache invalidation failed")
+	}
+}
+
+func getAggregateID(aggregate *eventstore.Aggregate) string {
+	return aggregate.ID
+}
+
+func getResourceOwner(aggregate *eventstore.Aggregate) string {
+	return aggregate.ResourceOwner
+}
diff --git a/internal/query/instance.go b/internal/query/instance.go
index fb60946d31..6b1292014f 100644
--- a/internal/query/instance.go
+++ b/internal/query/instance.go
@@ -7,6 +7,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"slices"
 	"strings"
 	"time"
 
@@ -17,6 +18,7 @@ import (
 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/api/call"
 	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/eventstore/handler/v2"
 	"github.com/zitadel/zitadel/internal/feature"
 	"github.com/zitadel/zitadel/internal/query/projection"
@@ -206,22 +208,35 @@ func (q *Queries) InstanceByHost(ctx context.Context, instanceHost, publicHost s
 
 	instanceDomain := strings.Split(instanceHost, ":")[0] // remove possible port
 	publicDomain := strings.Split(publicHost, ":")[0]     // remove possible port
-	instance, scan := scanAuthzInstance()
-	// in case public domain is the same as the instance domain, we do not need to check it
-	// and can empty it for the check
-	if instanceDomain == publicDomain {
-		publicDomain = ""
+
+	instance, ok := q.caches.instance.Get(ctx, instanceIndexByHost, instanceDomain)
+	if ok {
+		return instance, instance.checkDomain(instanceDomain, publicDomain)
 	}
-	err = q.client.QueryRowContext(ctx, scan, instanceByDomainQuery, instanceDomain, publicDomain)
-	return instance, err
+	instance, scan := scanAuthzInstance()
+	if err = q.client.QueryRowContext(ctx, scan, instanceByDomainQuery, instanceDomain); err != nil {
+		return nil, err
+	}
+	q.caches.instance.Set(ctx, instance)
+
+	return instance, instance.checkDomain(instanceDomain, publicDomain)
 }
 
 func (q *Queries) InstanceByID(ctx context.Context, id string) (_ authz.Instance, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
+
+	instance, ok := q.caches.instance.Get(ctx, instanceIndexByID, id)
+	if ok {
+		return instance, nil
+	}
+
 	instance, scan := scanAuthzInstance()
 	err = q.client.QueryRowContext(ctx, scan, instanceByIDQuery, id)
 	logging.OnError(err).WithField("instance_id", id).Warn("instance by ID")
+	if err == nil {
+		q.caches.instance.Set(ctx, instance)
+	}
 	return instance, err
 }
 
@@ -431,6 +446,8 @@ type authzInstance struct {
 	block               *bool
 	auditLogRetention   *time.Duration
 	features            feature.Features
+	externalDomains     database.TextArray[string]
+	trustedDomains      database.TextArray[string]
 }
 
 type csp struct {
@@ -485,6 +502,31 @@ func (i *authzInstance) Features() feature.Features {
 	return i.features
 }
 
+var errPublicDomain = "public domain %q not trusted"
+
+func (i *authzInstance) checkDomain(instanceDomain, publicDomain string) error {
+	// in case public domain is empty, or the same as the instance domain, we do not need to check it
+	if publicDomain == "" || instanceDomain == publicDomain {
+		return nil
+	}
+	if !slices.Contains(i.trustedDomains, publicDomain) {
+		return zerrors.ThrowNotFound(fmt.Errorf(errPublicDomain, publicDomain), "QUERY-IuGh1", "Errors.IAM.NotFound")
+	}
+	return nil
+}
+
+// Keys implements [cache.Entry]
+func (i *authzInstance) Keys(index instanceIndex) []string {
+	switch index {
+	case instanceIndexByID:
+		return []string{i.id}
+	case instanceIndexByHost:
+		return i.externalDomains
+	default:
+		return nil
+	}
+}
+
 func scanAuthzInstance() (*authzInstance, func(row *sql.Row) error) {
 	instance := &authzInstance{}
 	return instance, func(row *sql.Row) error {
@@ -509,6 +551,8 @@ func scanAuthzInstance() (*authzInstance, func(row *sql.Row) error) {
 			&auditLogRetention,
 			&block,
 			&features,
+			&instance.externalDomains,
+			&instance.trustedDomains,
 		)
 		if errors.Is(err, sql.ErrNoRows) {
 			return zerrors.ThrowNotFound(nil, "QUERY-1kIjX", "Errors.IAM.NotFound")
@@ -534,3 +578,30 @@ func scanAuthzInstance() (*authzInstance, func(row *sql.Row) error) {
 		return nil
 	}
 }
+
+func (c *Caches) registerInstanceInvalidation() {
+	invalidate := cacheInvalidationFunc(c.instance, instanceIndexByID, getAggregateID)
+	projection.InstanceProjection.RegisterCacheInvalidation(invalidate)
+	projection.InstanceDomainProjection.RegisterCacheInvalidation(invalidate)
+	projection.InstanceFeatureProjection.RegisterCacheInvalidation(invalidate)
+	projection.InstanceTrustedDomainProjection.RegisterCacheInvalidation(invalidate)
+	projection.SecurityPolicyProjection.RegisterCacheInvalidation(invalidate)
+
+	// limits uses own aggregate ID, invalidate using resource owner.
+	invalidate = cacheInvalidationFunc(c.instance, instanceIndexByID, getResourceOwner)
+	projection.LimitsProjection.RegisterCacheInvalidation(invalidate)
+
+	// System feature update should invalidate all instances, so Truncate the cache.
+	projection.SystemFeatureProjection.RegisterCacheInvalidation(func(ctx context.Context, _ []*eventstore.Aggregate) {
+		err := c.instance.Truncate(ctx)
+		logging.OnError(err).Warn("cache truncate failed")
+	})
+}
+
+type instanceIndex int16
+
+//go:generate enumer -type instanceIndex
+const (
+	instanceIndexByID instanceIndex = iota
+	instanceIndexByHost
+)
diff --git a/internal/query/instance_by_domain.sql b/internal/query/instance_by_domain.sql
index 0d0aeeb4f5..2f3fcb3518 100644
--- a/internal/query/instance_by_domain.sql
+++ b/internal/query/instance_by_domain.sql
@@ -14,6 +14,16 @@ with domain as (
 	cross join projections.system_features s
 	full outer join instance_features i using (instance_id, key)
 	group by instance_id
+), external_domains as (
+	select ed.instance_id, array_agg(ed.domain) as domains
+	from domain d
+	join projections.instance_domains ed on d.instance_id = ed.instance_id
+	group by ed.instance_id
+), trusted_domains as (
+	select td.instance_id, array_agg(td.domain) as domains
+	from domain d
+	join projections.instance_trusted_domains td on d.instance_id = td.instance_id
+	group by td.instance_id
 )
 select
     i.id,
@@ -27,11 +37,13 @@ select
 	s.enable_impersonation,
     l.audit_log_retention,
     l.block,
-	f.features
+	f.features,
+	ed.domains as external_domains,
+	td.domains as trusted_domains
 from domain d
 join projections.instances i on i.id = d.instance_id
-left join projections.instance_trusted_domains td on i.id = td.instance_id
 left join projections.security_policies2 s on i.id = s.instance_id
 left join projections.limits l on i.id = l.instance_id
 left join features f on i.id = f.instance_id
-where case when $2 = '' then true else td.domain = $2 end;
+left join external_domains ed on i.id = ed.instance_id
+left join trusted_domains td on i.id = td.instance_id;
diff --git a/internal/query/instance_by_id.sql b/internal/query/instance_by_id.sql
index 08398846cc..d4000b8d8e 100644
--- a/internal/query/instance_by_id.sql
+++ b/internal/query/instance_by_id.sql
@@ -7,6 +7,16 @@ with features as (
 	cross join projections.system_features s
 	full outer join projections.instance_features2 i using (key, instance_id)
 	group by instance_id
+), external_domains as (
+	select instance_id, array_agg(domain) as domains
+	from projections.instance_domains
+    where instance_id = $1
+	group by instance_id
+), trusted_domains as (
+	select instance_id, array_agg(domain) as domains
+	from projections.instance_trusted_domains
+    where instance_id = $1
+	group by instance_id
 )
 select
     i.id,
@@ -20,9 +30,13 @@ select
 	s.enable_impersonation,
     l.audit_log_retention,
     l.block,
-	f.features
+	f.features,
+    ed.domains as external_domains,
+	td.domains as trusted_domains
 from projections.instances i
 left join projections.security_policies2 s on i.id = s.instance_id
 left join projections.limits l on i.id = l.instance_id
 left join features f on i.id = f.instance_id
+left join external_domains ed on i.id = ed.instance_id
+left join trusted_domains td on i.id = td.instance_id
 where i.id = $1;
diff --git a/internal/query/instanceindex_enumer.go b/internal/query/instanceindex_enumer.go
new file mode 100644
index 0000000000..5a1516c47f
--- /dev/null
+++ b/internal/query/instanceindex_enumer.go
@@ -0,0 +1,78 @@
+// Code generated by "enumer -type instanceIndex"; DO NOT EDIT.
+
+package query
+
+import (
+	"fmt"
+	"strings"
+)
+
+const _instanceIndexName = "instanceIndexByIDinstanceIndexByHost"
+
+var _instanceIndexIndex = [...]uint8{0, 17, 36}
+
+const _instanceIndexLowerName = "instanceindexbyidinstanceindexbyhost"
+
+func (i instanceIndex) String() string {
+	if i < 0 || i >= instanceIndex(len(_instanceIndexIndex)-1) {
+		return fmt.Sprintf("instanceIndex(%d)", i)
+	}
+	return _instanceIndexName[_instanceIndexIndex[i]:_instanceIndexIndex[i+1]]
+}
+
+// An "invalid array index" compiler error signifies that the constant values have changed.
+// Re-run the stringer command to generate them again.
+func _instanceIndexNoOp() {
+	var x [1]struct{}
+	_ = x[instanceIndexByID-(0)]
+	_ = x[instanceIndexByHost-(1)]
+}
+
+var _instanceIndexValues = []instanceIndex{instanceIndexByID, instanceIndexByHost}
+
+var _instanceIndexNameToValueMap = map[string]instanceIndex{
+	_instanceIndexName[0:17]:       instanceIndexByID,
+	_instanceIndexLowerName[0:17]:  instanceIndexByID,
+	_instanceIndexName[17:36]:      instanceIndexByHost,
+	_instanceIndexLowerName[17:36]: instanceIndexByHost,
+}
+
+var _instanceIndexNames = []string{
+	_instanceIndexName[0:17],
+	_instanceIndexName[17:36],
+}
+
+// instanceIndexString retrieves an enum value from the enum constants string name.
+// Throws an error if the param is not part of the enum.
+func instanceIndexString(s string) (instanceIndex, error) {
+	if val, ok := _instanceIndexNameToValueMap[s]; ok {
+		return val, nil
+	}
+
+	if val, ok := _instanceIndexNameToValueMap[strings.ToLower(s)]; ok {
+		return val, nil
+	}
+	return 0, fmt.Errorf("%s does not belong to instanceIndex values", s)
+}
+
+// instanceIndexValues returns all values of the enum
+func instanceIndexValues() []instanceIndex {
+	return _instanceIndexValues
+}
+
+// instanceIndexStrings returns a slice of all String values of the enum
+func instanceIndexStrings() []string {
+	strs := make([]string, len(_instanceIndexNames))
+	copy(strs, _instanceIndexNames)
+	return strs
+}
+
+// IsAinstanceIndex returns "true" if the value is listed in the enum definition. "false" otherwise
+func (i instanceIndex) IsAinstanceIndex() bool {
+	for _, v := range _instanceIndexValues {
+		if i == v {
+			return true
+		}
+	}
+	return false
+}
diff --git a/internal/query/projection/event_test.go b/internal/query/projection/event_test.go
index 4998629cf6..50975265be 100644
--- a/internal/query/projection/event_test.go
+++ b/internal/query/projection/event_test.go
@@ -74,8 +74,8 @@ func assertReduce(t *testing.T, stmt *handler.Statement, err error, projection s
 	if want.err != nil && want.err(err) {
 		return
 	}
-	if stmt.AggregateType != want.aggregateType {
-		t.Errorf("wrong aggregate type: want: %q got: %q", want.aggregateType, stmt.AggregateType)
+	if stmt.Aggregate.Type != want.aggregateType {
+		t.Errorf("wrong aggregate type: want: %q got: %q", want.aggregateType, stmt.Aggregate.Type)
 	}
 
 	if stmt.Sequence != want.sequence {
diff --git a/internal/query/query.go b/internal/query/query.go
index c2fbcb00a3..8768294457 100644
--- a/internal/query/query.go
+++ b/internal/query/query.go
@@ -11,6 +11,7 @@ import (
 	"golang.org/x/text/language"
 
 	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/cache"
 	sd "github.com/zitadel/zitadel/internal/config/systemdefaults"
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/database"
@@ -26,6 +27,7 @@ type Queries struct {
 	eventstore   *eventstore.Eventstore
 	eventStoreV4 es_v4.Querier
 	client       *database.DB
+	caches       *Caches
 
 	keyEncryptionAlgorithm crypto.EncryptionAlgorithm
 	idpConfigEncryption    crypto.EncryptionAlgorithm
@@ -47,6 +49,7 @@ func StartQueries(
 	es *eventstore.Eventstore,
 	esV4 es_v4.Querier,
 	querySqlClient, projectionSqlClient *database.DB,
+	caches *cache.CachesConfig,
 	projections projection.Config,
 	defaults sd.SystemDefaults,
 	idpConfigEncryption, otpEncryption, keyEncryptionAlgorithm, certEncryptionAlgorithm crypto.EncryptionAlgorithm,
@@ -86,6 +89,10 @@ func StartQueries(
 	if startProjections {
 		projection.Start(ctx)
 	}
+	repo.caches, err = startCaches(ctx, caches)
+	if err != nil {
+		return nil, err
+	}
 
 	return repo, nil
 }

From 14e2aba1bcd0ad6655ce276003c18a40af9931bc Mon Sep 17 00:00:00 2001
From: Livio Spring <livio.a@gmail.com>
Date: Thu, 26 Sep 2024 09:14:33 +0200
Subject: [PATCH 17/19] feat: Add Twilio Verification Service (#8678)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

# Which Problems Are Solved
Twilio supports a robust, multi-channel verification service that
notably supports multi-region SMS sender numbers required for our use
case. Currently, Zitadel does much of the work of the Twilio Verify (eg.
localization, code generation, messaging) but doesn't support the pool
of sender numbers that Twilio Verify does.

# How the Problems Are Solved
To support this API, we need to be able to store the Twilio Service ID
and send that in a verification request where appropriate: phone number
verification and SMS 2FA code paths.

This PR does the following:
- Adds the ability to use Twilio Verify of standard messaging through
Twilio
- Adds support for international numbers and more reliable verification
messages sent from multiple numbers
- Adds a new Twilio configuration option to support Twilio Verify in the
admin console
- Sends verification SMS messages through Twilio Verify
- Implements Twilio Verification Checks for codes generated through the
same

# Additional Changes

# Additional Context
- base was implemented by @zhirschtritt in
https://github.com/zitadel/zitadel/pull/8268 ❤️
- closes https://github.com/zitadel/zitadel/issues/8581

---------

Co-authored-by: Zachary Hirschtritt <zachary.hirschtritt@klaviyo.com>
Co-authored-by: Joey Biscoglia <joey.biscoglia@klaviyo.com>
---
 cmd/setup/27.go                               |   2 +-
 cmd/setup/33.go                               |  27 +
 cmd/setup/33.sql                              |   1 +
 cmd/setup/config.go                           |   1 +
 cmd/setup/setup.go                            |   2 +
 .../dialog-add-sms-provider.component.html    |   8 +
 .../dialog-add-sms-provider.component.ts      |  10 +-
 console/src/assets/i18n/bg.json               |   2 +
 console/src/assets/i18n/cs.json               |   2 +
 console/src/assets/i18n/de.json               |   2 +
 console/src/assets/i18n/en.json               |   2 +
 console/src/assets/i18n/es.json               |   2 +
 console/src/assets/i18n/fr.json               |   2 +
 console/src/assets/i18n/id.json               |   2 +
 console/src/assets/i18n/it.json               |   2 +
 console/src/assets/i18n/ja.json               |   2 +
 console/src/assets/i18n/mk.json               |   2 +
 console/src/assets/i18n/nl.json               |   2 +
 console/src/assets/i18n/pl.json               |   2 +
 console/src/assets/i18n/pt.json               |   2 +
 console/src/assets/i18n/ru.json               |   2 +
 console/src/assets/i18n/sv.json               |   2 +
 console/src/assets/i18n/zh.json               |   2 +
 .../manage/console/default-settings.mdx       |   5 +-
 docs/static/img/guides/console/twilio.png     | Bin 40165 -> 35695 bytes
 go.mod                                        |   6 +-
 go.sum                                        |  27 +-
 internal/api/grpc/admin/sms_converter.go      |  27 +-
 internal/command/command.go                   |   3 +
 internal/command/crypto.go                    |  23 +
 internal/command/crypto_test.go               |  21 +
 internal/command/phone.go                     |  14 +-
 internal/command/session.go                   |  22 +-
 internal/command/session_model.go             |  17 +-
 internal/command/session_otp.go               |  39 +-
 internal/command/session_otp_test.go          |  85 ++-
 internal/command/sms_config.go                |  33 +-
 internal/command/sms_config_model.go          |  66 ++-
 internal/command/sms_config_test.go           |  47 +-
 internal/command/user_human.go                |  42 +-
 internal/command/user_human_otp.go            |  48 +-
 internal/command/user_human_otp_model.go      |  35 ++
 internal/command/user_human_otp_test.go       | 418 +++++++++++----
 internal/command/user_human_password.go       |  45 +-
 internal/command/user_human_password_model.go |   8 +
 internal/command/user_human_password_test.go  | 149 +++++-
 internal/command/user_human_phone.go          |  72 ++-
 internal/command/user_human_phone_model.go    |   7 +
 internal/command/user_human_phone_test.go     | 499 +++++++++++++++---
 internal/command/user_human_test.go           | 182 ++++++-
 internal/command/user_v2_human.go             |  13 +-
 internal/command/user_v2_human_test.go        | 402 ++++++++++++--
 internal/command/user_v2_model.go             |  34 +-
 internal/command/user_v2_model_test.go        |  63 +++
 internal/command/user_v2_phone.go             |  43 +-
 internal/command/user_v2_phone_test.go        | 367 ++++++++++---
 internal/command/user_v3.go                   |   6 +
 internal/command/user_v3_model.go             |  29 +-
 internal/command/user_v3_phone.go             |   8 +-
 internal/command/user_v3_phone_test.go        | 359 ++++++++++++-
 internal/command/user_v3_test.go              | 390 +++++++++++++-
 internal/domain/human_phone.go                |  11 -
 .../notification/channels/twilio/channel.go   |  28 +-
 .../notification/channels/twilio/config.go    |  35 +-
 internal/notification/handlers/commands.go    |   9 +-
 internal/notification/handlers/config_sms.go  |   7 +-
 .../handlers/mock/commands.mock.go            | 117 ++--
 .../notification/handlers/user_notifier.go    |  50 +-
 .../handlers/user_notifier_test.go            | 285 ++++++++--
 internal/notification/messages/sms.go         |   3 +
 .../notification/senders/code_verifier.go     |  24 +
 internal/notification/senders/gen_mock.go     |   3 +
 .../senders/mock/code_generator.mock.go       |  53 ++
 internal/notification/types/notification.go   |   2 +
 internal/notification/types/user_phone.go     |  12 +-
 internal/query/projection/sms.go              |  20 +-
 internal/query/projection/sms_test.go         |  52 +-
 internal/query/sms.go                         |  31 +-
 internal/query/sms_test.go                    |  38 +-
 internal/repository/instance/sms.go           |  38 +-
 internal/repository/session/session.go        |   8 +
 internal/repository/user/eventstore.go        |   8 +-
 internal/repository/user/human_mfa_otp.go     |  10 +-
 internal/repository/user/human_password.go    |  27 +-
 internal/repository/user/human_phone.go       |  27 +-
 internal/repository/user/schemauser/phone.go  |   9 +-
 internal/static/i18n/en.yaml                  |   1 +
 proto/zitadel/admin.proto                     |  24 +-
 proto/zitadel/settings.proto                  |   1 +
 89 files changed, 3888 insertions(+), 782 deletions(-)
 create mode 100644 cmd/setup/33.go
 create mode 100644 cmd/setup/33.sql
 create mode 100644 internal/notification/senders/code_verifier.go
 create mode 100644 internal/notification/senders/gen_mock.go
 create mode 100644 internal/notification/senders/mock/code_generator.mock.go

diff --git a/cmd/setup/27.go b/cmd/setup/27.go
index ee420ddfae..22ded046e7 100644
--- a/cmd/setup/27.go
+++ b/cmd/setup/27.go
@@ -23,5 +23,5 @@ func (mig *IDPTemplate6SAMLNameIDFormat) Execute(ctx context.Context, _ eventsto
 }
 
 func (mig *IDPTemplate6SAMLNameIDFormat) String() string {
-	return "26_idp_templates6_add_saml_name_id_format"
+	return "27_idp_templates6_add_saml_name_id_format"
 }
diff --git a/cmd/setup/33.go b/cmd/setup/33.go
new file mode 100644
index 0000000000..2dd8038f5c
--- /dev/null
+++ b/cmd/setup/33.go
@@ -0,0 +1,27 @@
+package setup
+
+import (
+	"context"
+	_ "embed"
+
+	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/eventstore"
+)
+
+var (
+	//go:embed 33.sql
+	addTwilioVerifyServiceSID string
+)
+
+type SMSConfigs3TwilioAddVerifyServiceSid struct {
+	dbClient *database.DB
+}
+
+func (mig *SMSConfigs3TwilioAddVerifyServiceSid) Execute(ctx context.Context, _ eventstore.Event) error {
+	_, err := mig.dbClient.ExecContext(ctx, addTwilioVerifyServiceSID)
+	return err
+}
+
+func (mig *SMSConfigs3TwilioAddVerifyServiceSid) String() string {
+	return "33_sms_configs3_twilio_add_verification_sid"
+}
diff --git a/cmd/setup/33.sql b/cmd/setup/33.sql
new file mode 100644
index 0000000000..62353e58e4
--- /dev/null
+++ b/cmd/setup/33.sql
@@ -0,0 +1 @@
+ALTER TABLE IF EXISTS projections.sms_configs3_twilio ADD COLUMN IF NOT EXISTS verify_service_sid TEXT;
diff --git a/cmd/setup/config.go b/cmd/setup/config.go
index 465aa5aa34..bb1f030b1d 100644
--- a/cmd/setup/config.go
+++ b/cmd/setup/config.go
@@ -119,6 +119,7 @@ type Steps struct {
 	s30FillFieldsForOrgDomainVerified      *FillFieldsForOrgDomainVerified
 	s31AddAggregateIndexToFields           *AddAggregateIndexToFields
 	s32AddAuthSessionID                    *AddAuthSessionID
+	s33SMSConfigs3TwilioAddVerifyServiceSid *SMSConfigs3TwilioAddVerifyServiceSid
 }
 
 func MustNewSteps(v *viper.Viper) *Steps {
diff --git a/cmd/setup/setup.go b/cmd/setup/setup.go
index 37688b7957..6391c271ed 100644
--- a/cmd/setup/setup.go
+++ b/cmd/setup/setup.go
@@ -161,6 +161,7 @@ func Setup(ctx context.Context, config *Config, steps *Steps, masterKey string)
 	steps.s30FillFieldsForOrgDomainVerified = &FillFieldsForOrgDomainVerified{eventstore: eventstoreClient}
 	steps.s31AddAggregateIndexToFields = &AddAggregateIndexToFields{dbClient: esPusherDBClient}
 	steps.s32AddAuthSessionID = &AddAuthSessionID{dbClient: esPusherDBClient}
+	steps.s33SMSConfigs3TwilioAddVerifyServiceSid = &SMSConfigs3TwilioAddVerifyServiceSid{dbClient: esPusherDBClient}
 
 	err = projection.Create(ctx, projectionDBClient, eventstoreClient, config.Projections, nil, nil, nil)
 	logging.OnError(err).Fatal("unable to start projections")
@@ -218,6 +219,7 @@ func Setup(ctx context.Context, config *Config, steps *Steps, masterKey string)
 		steps.s25User11AddLowerFieldsToVerifiedEmail,
 		steps.s27IDPTemplate6SAMLNameIDFormat,
 		steps.s32AddAuthSessionID,
+		steps.s33SMSConfigs3TwilioAddVerifyServiceSid,
 	} {
 		mustExecuteMigration(ctx, eventstoreClient, step, "migration failed")
 	}
diff --git a/console/src/app/modules/policies/notification-sms-provider/dialog-add-sms-provider/dialog-add-sms-provider.component.html b/console/src/app/modules/policies/notification-sms-provider/dialog-add-sms-provider/dialog-add-sms-provider.component.html
index 78f70c7fbe..442b11b6db 100644
--- a/console/src/app/modules/policies/notification-sms-provider/dialog-add-sms-provider/dialog-add-sms-provider.component.html
+++ b/console/src/app/modules/policies/notification-sms-provider/dialog-add-sms-provider/dialog-add-sms-provider.component.html
@@ -18,6 +18,14 @@
       <input cnslInput name="senderNumber" formControlName="senderNumber" />
     </cnsl-form-field>
 
+    <cnsl-form-field class="sms-form-field" label="Verification Service Sid">
+      <cnsl-label>{{ 'SETTING.SMS.TWILIO.VERIFYSERVICESID' | translate }}</cnsl-label>
+      <input cnslInput name="verifyServiceSid" formControlName="verifyServiceSid" />
+    </cnsl-form-field>
+    <cnsl-info-section class="feature-info">{{
+      'SETTING.SMS.TWILIO.VERIFYSERVICESID_DESCRIPTION' | translate
+    }}</cnsl-info-section>
+
     <button *ngIf="twilio" type="button" mat-stroked-button (click)="changeToken()" data-e2e="edit-sms-token-button">
       {{ 'SETTING.SMS.TWILIO.CHANGETOKEN' | translate }}
     </button>
diff --git a/console/src/app/modules/policies/notification-sms-provider/dialog-add-sms-provider/dialog-add-sms-provider.component.ts b/console/src/app/modules/policies/notification-sms-provider/dialog-add-sms-provider/dialog-add-sms-provider.component.ts
index e766f6c360..7f3e3f3b0d 100644
--- a/console/src/app/modules/policies/notification-sms-provider/dialog-add-sms-provider/dialog-add-sms-provider.component.ts
+++ b/console/src/app/modules/policies/notification-sms-provider/dialog-add-sms-provider/dialog-add-sms-provider.component.ts
@@ -41,7 +41,9 @@ export class DialogAddSMSProviderComponent {
   ) {
     this.twilioForm = this.fb.group({
       sid: ['', [requiredValidator]],
-      senderNumber: ['', [requiredValidator]],
+      senderNumber: [''],
+      // NB: not required if not using verification service
+      verifyServiceSid: [''],
     });
 
     this.smsProviders = data.smsProviders;
@@ -62,12 +64,14 @@ export class DialogAddSMSProviderComponent {
       this.req.setId(this.twilioProvider.id);
       this.req.setSid(this.sid?.value);
       this.req.setSenderNumber(this.senderNumber?.value);
+      this.req.setVerifyServiceSid(this.verifyServiceSid?.value ?? '');
       this.dialogRef.close(this.req);
     } else {
       this.req = new AddSMSProviderTwilioRequest();
       this.req.setSid(this.sid?.value);
       this.req.setToken(this.token?.value);
       this.req.setSenderNumber(this.senderNumber?.value);
+      this.req.setVerifyServiceSid(this.verifyServiceSid?.value ?? '');
       this.dialogRef.close(this.req);
     }
   }
@@ -104,6 +108,10 @@ export class DialogAddSMSProviderComponent {
     return this.twilioForm.get('senderNumber');
   }
 
+  public get verifyServiceSid(): AbstractControl | null {
+    return this.twilioForm.get('verifyServiceSid');
+  }
+
   public get token(): AbstractControl | null {
     return this.twilioForm.get('token');
   }
diff --git a/console/src/assets/i18n/bg.json b/console/src/assets/i18n/bg.json
index 88cc186625..3dbab7b72c 100644
--- a/console/src/assets/i18n/bg.json
+++ b/console/src/assets/i18n/bg.json
@@ -1419,6 +1419,8 @@
         "SID": "Сид",
         "TOKEN": "Токен",
         "SENDERNUMBER": "Номер на изпращача",
+        "VERIFYSERVICESID": "Идентификатор на услугата за проверка",
+        "VERIFYSERVICESID_DESCRIPTION": "Задаването на идентификатор на услугата за проверка позволява използването на услугата за проверка на Twilio вместо услугата за съобщения за проверка на телефонни номера и OTP SMS.",
         "ADDED": "Twilio добави успешно.",
         "UPDATED": "Twilio се актуализира успешно.",
         "REMOVED": "Twilio премахнат",
diff --git a/console/src/assets/i18n/cs.json b/console/src/assets/i18n/cs.json
index c49d2ce87a..92e6d02da5 100644
--- a/console/src/assets/i18n/cs.json
+++ b/console/src/assets/i18n/cs.json
@@ -1420,6 +1420,8 @@
         "SID": "Sid",
         "TOKEN": "Token",
         "SENDERNUMBER": "Číslo odesílatele",
+        "VERIFYSERVICESID": "ID služby ověření",
+        "VERIFYSERVICESID_DESCRIPTION": "Nastavení ID služby ověření umožňuje použití služby Twilio Verify místo služby Zprávy pro ověření telefonních čísel a SMS OTP.",
         "ADDED": "Twilio bylo úspěšně přidáno.",
         "UPDATED": "Twilio bylo úspěšně aktualizováno.",
         "REMOVED": "Twilio bylo odebráno",
diff --git a/console/src/assets/i18n/de.json b/console/src/assets/i18n/de.json
index f0f01e4682..871cdbaae4 100644
--- a/console/src/assets/i18n/de.json
+++ b/console/src/assets/i18n/de.json
@@ -1420,6 +1420,8 @@
         "SID": "SID",
         "TOKEN": "Token",
         "SENDERNUMBER": "Sender Number",
+        "VERIFYSERVICESID": "Verification Service Sid",
+        "VERIFYSERVICESID_DESCRIPTION": "Das Setzen einer Verification Service Sid ermöglicht die Verwendung des Twilio Verify-Dienstes anstelle des Nachrichtendienstes zur Überprüfung von Telefonnummern und OTP-SMS.",
         "ADDED": "Twilio erfolgreich hinzugefügt.",
         "UPDATED": "Twilio wurde erfolgreich aktualisiert.",
         "REMOVED": "Twilio entfernt",
diff --git a/console/src/assets/i18n/en.json b/console/src/assets/i18n/en.json
index 63b07aba72..023fb6e80e 100644
--- a/console/src/assets/i18n/en.json
+++ b/console/src/assets/i18n/en.json
@@ -1420,6 +1420,8 @@
         "SID": "Sid",
         "TOKEN": "Token",
         "SENDERNUMBER": "Sender Number",
+        "VERIFYSERVICESID": "Verification Service Sid",
+        "VERIFYSERVICESID_DESCRIPTION": "Setting a Verification Service Sid, allows using the Twilio Verify Service instead of the Messages Service for verification of phone numbers and OTP SMS",
         "ADDED": "Twilio added successfully.",
         "UPDATED": "Twilio updated successfully.",
         "REMOVED": "Twilio removed",
diff --git a/console/src/assets/i18n/es.json b/console/src/assets/i18n/es.json
index 979541eb43..92f74c884e 100644
--- a/console/src/assets/i18n/es.json
+++ b/console/src/assets/i18n/es.json
@@ -1421,6 +1421,8 @@
         "SID": "Sid",
         "TOKEN": "Token",
         "SENDERNUMBER": "Número de emisor",
+        "VERIFYSERVICESID": "SID del servicio de verificación",
+        "VERIFYSERVICESID_DESCRIPTION": "Establecer un SID del servicio de verificación permite usar el servicio Twilio Verify en lugar del servicio de mensajes para la verificación de números de teléfono y SMS OTP.",
         "ADDED": "Twilio añadido con éxito.",
         "UPDATED": "Twilio actualizado con éxito",
         "REMOVED": "Twilio eliminado",
diff --git a/console/src/assets/i18n/fr.json b/console/src/assets/i18n/fr.json
index e7f99670a7..65257fb261 100644
--- a/console/src/assets/i18n/fr.json
+++ b/console/src/assets/i18n/fr.json
@@ -1420,6 +1420,8 @@
         "SID": "Sid",
         "TOKEN": "Jeton",
         "SENDERNUMBER": "Numéro d'expéditeur",
+        "VERIFYSERVICESID": "SID du service de vérification",
+        "VERIFYSERVICESID_DESCRIPTION": "Le réglage d'un SID du service de vérification permet d'utiliser le service Twilio Verify au lieu du service de messagerie pour la vérification des numéros de téléphone et des SMS OTP.",
         "ADDED": "Twilio a été ajouté avec succès.",
         "UPDATED": "Twilio a été mis à jour avec succès.",
         "REMOVED": "Twilio a été supprimé avec succès",
diff --git a/console/src/assets/i18n/id.json b/console/src/assets/i18n/id.json
index 2569835012..f4d76cf078 100644
--- a/console/src/assets/i18n/id.json
+++ b/console/src/assets/i18n/id.json
@@ -1294,6 +1294,8 @@
         "SID": "Sid",
         "TOKEN": "Token",
         "SENDERNUMBER": "Nomor Pengirim",
+        "VERIFYSERVICESID": "ID Layanan Verifikasi",
+        "VERIFYSERVICESID_DESCRIPTION": "Menetapkan ID Layanan Verifikasi memungkinkan penggunaan Layanan Verifikasi Twilio alih-alih Layanan Pesan untuk verifikasi nomor telepon dan SMS OTP.",
         "ADDED": "Twilio menambahkan dengan sukses.",
         "UPDATED": "Twilio berhasil diperbarui.",
         "REMOVED": "Twilio dihapus",
diff --git a/console/src/assets/i18n/it.json b/console/src/assets/i18n/it.json
index cf793e78b6..8d81c8471f 100644
--- a/console/src/assets/i18n/it.json
+++ b/console/src/assets/i18n/it.json
@@ -1420,6 +1420,8 @@
         "SID": "Sid",
         "TOKEN": "Token",
         "SENDERNUMBER": "Sender Number",
+        "VERIFYSERVICESID": "SID del servizio di verifica",
+        "VERIFYSERVICESID_DESCRIPTION": "Impostando un SID del servizio di verifica, è possibile utilizzare il servizio Twilio Verify invece del servizio messaggi per la verifica dei numeri di telefono e degli SMS OTP.",
         "ADDED": "Twilio aggiunto con successo.",
         "UPDATED": "Twilio aggiornato correttamente.",
         "REMOVED": "Twilio rimosso con successo.",
diff --git a/console/src/assets/i18n/ja.json b/console/src/assets/i18n/ja.json
index 4ba6a69d72..c617d82ecb 100644
--- a/console/src/assets/i18n/ja.json
+++ b/console/src/assets/i18n/ja.json
@@ -1420,6 +1420,8 @@
         "SID": "Sid",
         "TOKEN": "トークン",
         "SENDERNUMBER": "送信者番号",
+        "VERIFYSERVICESID": "検証サービス SID",
+        "VERIFYSERVICESID_DESCRIPTION": "検証サービス SID を設定すると、電話番号と OTP SMS の検証にメッセージサービスの代わりに Twilio Verify サービスを使用できるようになります。",
         "ADDED": "Twilioは正常に追加されました。",
         "UPDATED": "Twilio が正常に更新されました。",
         "REMOVED": "Twilioが削除されました",
diff --git a/console/src/assets/i18n/mk.json b/console/src/assets/i18n/mk.json
index ecf038eacc..a975731e06 100644
--- a/console/src/assets/i18n/mk.json
+++ b/console/src/assets/i18n/mk.json
@@ -1421,6 +1421,8 @@
         "SID": "Sid",
         "TOKEN": "Токен",
         "SENDERNUMBER": "Број на испраќач",
+        "VERIFYSERVICESID": "Идентификатор на услугата за проверка",
+        "VERIFYSERVICESID_DESCRIPTION": "Поставувањето на идентификатор на услугата за проверка овозможува користење на услугата за проверка на Twilio наместо услугата за пораки за проверка на телефонски броеви и OTP SMS.",
         "ADDED": "Twilio e успешно додаден.",
         "UPDATED": "Twilio се ажурираше успешно.",
         "REMOVED": "Twilio отстранет",
diff --git a/console/src/assets/i18n/nl.json b/console/src/assets/i18n/nl.json
index 525113e0b5..92592ba427 100644
--- a/console/src/assets/i18n/nl.json
+++ b/console/src/assets/i18n/nl.json
@@ -1419,6 +1419,8 @@
         "SID": "Sid",
         "TOKEN": "Token",
         "SENDERNUMBER": "Verzender Nummer",
+        "VERIFYSERVICESID": "Verificatieservice-SID",
+        "VERIFYSERVICESID_DESCRIPTION": "Het instellen van een Verificatieservice-SID maakt het mogelijk om de Twilio Verify-service te gebruiken in plaats van de Berichten-service voor het verifiëren van telefoonnummers en OTP-SMS.",
         "ADDED": "Twilio succesvol toegevoegd.",
         "UPDATED": "Twilio succesvol bijgewerkt.",
         "REMOVED": "Twilio verwijderd",
diff --git a/console/src/assets/i18n/pl.json b/console/src/assets/i18n/pl.json
index a739bc08d2..9e8df33974 100644
--- a/console/src/assets/i18n/pl.json
+++ b/console/src/assets/i18n/pl.json
@@ -1419,6 +1419,8 @@
         "SID": "Sid",
         "TOKEN": "Token",
         "SENDERNUMBER": "Numer nadawcy",
+        "VERIFYSERVICESID": "SID usługi weryfikacji",
+        "VERIFYSERVICESID_DESCRIPTION": "Ustawienie SID usługi weryfikacji umożliwia korzystanie z usługi Twilio Verify zamiast usługi wiadomości do weryfikacji numerów telefonów i SMS OTP.",
         "ADDED": "Twilio dodano pomyślnie.",
         "UPDATED": "Twilio zostało pomyślnie zaktualizowane.",
         "REMOVED": "Twilio usunięte",
diff --git a/console/src/assets/i18n/pt.json b/console/src/assets/i18n/pt.json
index 1bd825e7a1..18389e0fc5 100644
--- a/console/src/assets/i18n/pt.json
+++ b/console/src/assets/i18n/pt.json
@@ -1421,6 +1421,8 @@
         "SID": "SID",
         "TOKEN": "Token",
         "SENDERNUMBER": "Número do remetente",
+        "VERIFYSERVICESID": "SID do serviço de verificação",
+        "VERIFYSERVICESID_DESCRIPTION": "Configurar um SID do serviço de verificação permite usar o serviço Twilio Verify em vez do serviço de mensagens para a verificação de números de telefone e SMS OTP.",
         "ADDED": "Twilio adicionado com sucesso.",
         "UPDATED": "Twilio atualizado com sucesso.",
         "REMOVED": "Twilio removido",
diff --git a/console/src/assets/i18n/ru.json b/console/src/assets/i18n/ru.json
index 292280af37..663a0d100a 100644
--- a/console/src/assets/i18n/ru.json
+++ b/console/src/assets/i18n/ru.json
@@ -1464,6 +1464,8 @@
         "SID": "ID Безопасности",
         "TOKEN": "Токен",
         "SENDERNUMBER": "Номер отправителя",
+        "VERIFYSERVICESID": "Идентификатор службы проверки",
+        "VERIFYSERVICESID_DESCRIPTION": "Установка идентификатора службы проверки позволяет использовать службу проверки Twilio вместо службы сообщений для проверки телефонных номеров и SMS OTP.",
         "ADDED": "Twilio успешно добавлен.",
         "REMOVED": "Twilio удалён",
         "CHANGETOKEN": "Изменить токен",
diff --git a/console/src/assets/i18n/sv.json b/console/src/assets/i18n/sv.json
index 061cbb6bba..ab267adf14 100644
--- a/console/src/assets/i18n/sv.json
+++ b/console/src/assets/i18n/sv.json
@@ -1424,6 +1424,8 @@
         "SID": "Sid",
         "TOKEN": "Token",
         "SENDERNUMBER": "Avsändarnummer",
+        "VERIFYSERVICESID": "Verifieringstjänst-SID",
+        "VERIFYSERVICESID_DESCRIPTION": "Inställning av en Verifieringstjänst-SID gör det möjligt att använda Twilio Verify-tjänsten istället för Meddelandetjänsten för verifiering av telefonnummer och OTP-SMS.",
         "ADDED": "Twilio tillagd framgångsrikt.",
         "UPDATED": "Twilio uppdaterad framgångsrikt.",
         "REMOVED": "Twilio borttagen",
diff --git a/console/src/assets/i18n/zh.json b/console/src/assets/i18n/zh.json
index 48f7ae849e..346f29745d 100644
--- a/console/src/assets/i18n/zh.json
+++ b/console/src/assets/i18n/zh.json
@@ -1420,6 +1420,8 @@
         "SID": "Sid",
         "TOKEN": "令牌",
         "SENDERNUMBER": "发件人号码",
+        "VERIFYSERVICESID": "验证服务 SID",
+        "VERIFYSERVICESID_DESCRIPTION": "设置验证服务 SID，允许使用 Twilio 验证服务而不是消息服务来验证电话号码和 OTP SMS。",
         "ADDED": "Twilio 添加成功。",
         "UPDATED": "Twilio 更新成功。",
         "REMOVED": "Twilio 已删除",
diff --git a/docs/docs/guides/manage/console/default-settings.mdx b/docs/docs/guides/manage/console/default-settings.mdx
index 4936131029..dce9f4648b 100644
--- a/docs/docs/guides/manage/console/default-settings.mdx
+++ b/docs/docs/guides/manage/console/default-settings.mdx
@@ -118,9 +118,10 @@ In the SMTP providers table you can hover on a provider row to show buttons that
 
 ### SMS
 
-No default provider is configured to send some SMS to your users. If you like to validate the phone numbers of your users make sure to add your twilio configuration by adding your Sid, Token and Sender Number.
+No default provider is configured to send some SMS to your users. If you like to validate the phone numbers of your users make sure to add your twilio configuration by adding your Sid, Token and either a Sender Number or a Verification Service Sid.
+Setting a Verification Service Sid allows using the Twilio Verify Service instead of the Messages Service for verification.
 
-<img src="/docs/img/guides/console/twilio.png" alt="Twilio" width="700px" />
+<img src="/docs/img/guides/console/twilio.png" alt="Twilio" />
 
 ## Login Behavior and Access
 
diff --git a/docs/static/img/guides/console/twilio.png b/docs/static/img/guides/console/twilio.png
index eb253128a4007b285227a78aac6e84ea4b62c5b8..e8fb891d97c56ea743ff09a9aba1b62460f28c37 100644
GIT binary patch
literal 35695
zcmeFZbx>T-*C&hy2n0=V*FbQByF;)9cXxujTY|d{?(PI1G`PEj;2Lyrw;dqg=l95N
z)o#6iyw6rG8ES6d+o${XvHqNMngoBA6@T*@_ca6r#2ZNo5qSs*$Sw#7C@T0@;5)BO
zsLR1$FeZXBf)Ef@k%)JCu;4bafrPva1cVzU1cc8w2#6c-EuU=&2uDT;h+SO>2(Cm3
z2rQda;1?e711lp{Nn;rq2paG;JOmUZIs`QM3KIMeBG3#1=J^@|0z4A<2PP%}0uKC*
z4*u25g#1^}OsIc)LUv_B|8osR^+Y77AS@{f{#G!sGcvNWH??+Hn6KLdFTui0QPn|J
zMw-jO+LB(+&|2S!-o?`9i3Ebjg$sOXY2=_s>|*)V%AU)Gm-M*@7x?<=HUlZ~a~B5-
zUQ$(=&&0ykc1FZ(^o;b3q<pW5iHUja42`+uMa2G+gIm0$rVb7^Tnr4(&d&7CEcDiP
zCJaoRoSY1d%nZ!Tbl@Iz_O4bAdM<QU_GB-E{4<V-k-dSPnT>;)wH5KxxO)25jt;z}
zq)!w5+t15;8o8MLYbGoEzsmwIkm2bG0~0+X!~cxT!OZx7LH6|Ih3t7<FVpcn4aOyG
z{ngq|!A8%(h>wZqdHjEW>t8ST()+WSi_up#5i?7$48RNFV`cq^=s!RC&y-5`Ms~v1
zmS92$zJCev?~MQc;eRH49$58XQ+{M+{!8_rpZq(@rv-D#*_nZ7(|h9h)7t*ay}$i=
z7@oxO@5J*W`{%o0;q$%bVfZ&i;(Hw+u1^dBApjvMBB<yBxt|87`&JY$piN-g?=0dy
ze70Y9;Z<lz2<+R>T%Y1eTP~61^DeXBeo2OxR}w%|Y=7lP{5m9!lDGv{=wy_;U;Bby
zC3bMp_%tGBJ}oWnWN5LK`#iLP+GJJrc&%Cc%#Mg58Ui5-{PBs07rE+_&Mnw`D<o&Q
zEeAy|07V{!i+~N>lEj{D{19gw+hlP@28m7#{`gKwx5xHy)}r#lej0`~S(5aDkpO?%
z<9)K6w`Q_2Mb`cH-tbVpbcW={U_3+VNF3p)viDVEdmaE1{YVT#ecK6Xd|swm?0GH$
zC?|3O!5V|IAJR`#3qV0)WD>s$3uAwJI|zhd(GalX5w!!%FYgN@?c;~d$h`F2lU!FE
z>a7U(49%d(^H8XakgxUI`&^)3Rz`sE8TCN5gcjquDbNn{J_wR*{msiP|7Vl7_unbB
zI~VNYHI%s)m-88?!$=UrA|!^B=IJtHhW-xllgO(6<s3Fg0*Nl+2y^Ed@mq>Rp@{fK
zL#+s;(T5ZZUWxz>>B@mx>P;7OJbX6$cF}fIXKBpS{bZ7rn}xbo0d-YWExr6CYc#}9
zPpe@g*Y(QRP{6073^LXgyyMILTq8I{l0*8$Tnh~N;(#Qg0l{z%H6%LXAY(?!_fpK(
zazY`^-=8EhK?v!cUMo4lX5S?lLTu`YCMNh%_~=VIgx^h2FyKXM@*zI;Cbc^1CL${;
zE13XNX+P7qzlB{rG%swhT3))8eri8&1Sy@O{<83SOKlVcJ02e-mE@u6gfOh|S06sL
zyDYg+@n%5!X`i54EgHWak-@R)A2ecj9t(ZZ4P+P(zDHpyWD-*nH|j8elvANeg73>C
zIj8`_21_QlmTeQLR{y+8V%+aG{XuZnfX^g6wVDA!s!o)mPplwbQ4SW0>~X<w8b+oE
zwxGs&<YyA&=6&ij5fO2d%pi%)l>+dIBF0CNMn0*d4~#sKuWE2`BME!Cxa8OUH-P<u
z)c5&g*xBw(VMB>B!6Y9!Hs3CN$Cvxd2?AgEvUg)hA9K;0x^QDTq*wR^F+~g~WW?gJ
z)C16_ezsc#IX`Km04@c@u#ZziY&?e?yIU-hvfx`06r9k@h&@UfF<I9SFM5_twlao{
zg1#<D7u!V*?-!)$)>jnEo)RcoOtSQ>r)J4MlH92uyOFv>k(2zdIb`#R-G<V{!_T6L
zv?>4E&L~WCpRC<?DjdIU3Kea7S9*$y7kh~EA%bZ(51S3uCX@3cCS_tkaBJLPrD~RV
zwg3UB2lS(2Rz8OTVO+@9*|YdA(~>AVlPS;q_JN5JYY!xcrTGL2pB)+JsVS>&=8E<F
z(hvwPBr6K;9<OXfKn27%L|J6U1^ydLhi`G@UN}1O)_21^$ouk^I*6~&U1o4klnCvV
z`7f=H4;J0A9W|<x*S^s%1qB13*_ba1pPBaWV^gSr?Zg>MT*GF~5JW!+D-a7vC4)~r
zNbGe!cbG5(;C;X=a<3;-fIxuB@WFySvFiu0U88obVEHq>+>Y{jhv0%H!oa+@8B+p9
zRyez&oZG?k;t^B>eB23+vuVLhQXpsW+xGoF`;BKo*!r)(fv4~#H&xR0+h&3M12JNf
zMgFtqWkvg9#8vs^7q&Fjk%O{&)4_0pNQ{`Xs;;ts8JR$_qP@-opPeG#(6;<`ObUVl
zAdPku^_P?A7)Qk<+6-=Z%+hfY-hSI;Eh1GkD7|zM(9T)g;(v$mLJgXYA(srvU~fbd
z0dQ-{-uJQj|0Bj)c=CxKB7|$bvaAnr{ha!LSQavV^=7C-BTSar<54Tu*bvwE)mqHv
z9=1nAF0RwrWDpW;UKcAFjxOC#<n;=Ok8uyiB~T!m?4JIth>Uk6vYP1KnaGQEwWsX2
z><;bE&ih~l^6QRpclqlpQGEi)_nFr{0vLlm!?>ZZkz$Bn#TX8JE7NEK8V<)$WcC>t
z82D2Lu`kBS;LdnU7Cc_%pbQG5EKn_j7Rp9hOa`|50GyHM=Ce^JmkVVTwbqlVe%qN{
z&`+F(=Y>4<+g9lu;f$J0;<G)GtU@Q`b<;fgGr0HGI{*oXTq<Gc_u<XCX`|g{$mF@j
zY&mxt)gPEL8ThXvA`2Qr-$MZ&V$N$D)Z&TT+jtQMgfDDrK>w_cUXosM{6_S>lu!zq
z9>#4$&&r3OP~ulK+9RuJqhUyt1M(p*Q|@_=*)Ao#mvLckEo~P%jczT?OkQr;j6Y9&
z8l3i6RqN6D=YcX_d`F?9h4mh-TKS{N4DUcq;!DYGeI_oio;SA|nRd0a)KLM-sz_(>
z;94-_w`EJ^r0P_FzRsOuIyt__lMg@J1Qwd>0q_swFWPq{*sj(Il^|eEO)iYu@;)6P
zwZx1uV9{+&O;e`9mVj4WVh8f0I2m0flkGPdOi;Qx2bJFUgr!hoX#oX7-_enlX?%>q
zo|fUd38zNS14`qumXbLyseO95J0)uCg^qqT@%x8k)7PbwJOx6V7?wZ7C;I1qHd;?M
z6#+Jc@uLPO_n?*^<_F^D@}G}@9vBqTC{NO;q=Cfx;xLjw8#*GWHNu0a50Q;2@ENet
z>Fjo~;Od&SJIMu|nD#qchP_~@#&U7U_P*mf^rQ#o4`@cu-_1N4XuBTJ%xBl!TCbgk
z3zfy|y_&u3r}`%ki`?_(EQZ|~B;t1^A70FyX{{0*CS6E5r0RLGGceI8EVc97zS5)K
zB2uB%Rp`kI%)$i((6=cn%?R{~e_%?eS||^5QUvuzW{f3$aCc4;N&2>p4Jx7{Vnrs%
z=;4J!CX7i;Tsd{g|73*2Tv>oAEIl)Key^?8a$#_7`#8#lqE>Aj&&kqb2I*uN0{60$
zhX@dlZhWhx6hva{{wCr_U|+d5Uvq6w@Xk1ANdZJJUejo|xc|}MUA4-%qglhP(j^7R
zSEF`|tdrX`V`oCNZ_Jn1!DD=U{KRguZlYMr8Hdfz@1xncB=C|jyFyQFudAxlFM*!y
zdE?!~kl?hG6cqeuAkzqysDN;GwMcQuZB?XGpTFMFKX`t|1mvsIga*aGsy(NA_*jTl
zzl2Ix&$`FXb?5JRq?#89ODE89PUJ}n=Y2g)Z9XI`I{3D{%d(roeoI<*_Jw5^q^P)W
zB>jkQVwt=<zO?~m)41ra;4a%jP&k;+7OLg8*DdGUzBG;86-Jiy+^%k{27+e2+U_3;
zGGVd4npl<5>oks7o@IPp+C6GJT(bLXOFs7qS2;`%-)t#2wNarXdpTzm9WLhn%sW`w
z{~4g(rWuarZF)<u`1!V_+NH6Xh(SU$^z97y>WX><{@nRF>mFOKgrwA>b_d$w;U|a1
zM*b;j<<3RVS%MxC{+C_U1MMi&7GV<0Q*`Cf5e4De-Mz50rP{P{ssdwHOTBF*G-886
z3s~AjGp>b0uqY>IRg_Z~I0&GsNA?FzyepaE?tnX8xw}4%*#7aSK{9(yqY7EhF^czA
zCSsDsWP~fi_1TS?`9ak5xRxXvV$FLZGR=+Wr^81S(k+jq^A@m#CFL<FmSjiPA6)f(
z3A*PenCfNKaZyfpJ7My?yIc<3+?{?eo~TQ>|H!EaNO2$RK5*Q{ZEI9&xD9Nu(wb%b
z3tW#f1e%HSe;B7dZk~SF_%q)+vsxK|s+D77-FBP)(3Nq?AB5NYL2XTWI!#^Rw&L+h
zq4!*uX#Z-LTRhHEgWVB71*KTUT|GmeVB^sH&ZxD^-~}uBz;~JH`p|WCb?j`cJD`8I
z>cGWb%(qb`j?6;>Fz7f9t$lm!#bZbO1~(fv+yrQ8!v)B9-RG%i^!VM*OD$1iEMe2&
zu=LQK`Y458Vh-C5328O&`@ijnCZl))4TBhrW)VAMah8{@`4F;!KZ%5;YlxXEkvKQ$
zMW{^mv_4DGhS@e+a-*x8_CaATJ$f9eP`j%vKzTV-1FbeO_e(E8{F*c6s)eU#Qy7s0
z>^fehCN;^<Wj~$l74q9~_H%KFo_1)}D2SRa9@A~N^gCL(UqWXwnca?uz(`MiXAc4@
zzeHLVZ@snQIxIT1)%QH=VIWOu=`e2V3NMM#w9bYt1*N^+gN1UP$oc9i)Xono<pWKj
z%YbCZ<h(w5PSA-k|FiQVhrEm&BR66t)fnlZ;R0Z5$ztd`wXQg9aoFN_En_;TQ(KgO
zGj(~(2<Z@?eS2oYy7~$)c=E{~3#gNzI$leAd>N(_ap}%TX_g5j1RZab1$4a+I<~nI
zeBPIJC84s=ySlXU%ir)wt?A{zzyS$j9GC@DEq%c=7O#SaRN1>QpP&Cc!G@8>HRM9#
z*dj;NZ>K(f^(;@Ymt};c2<jhKn2mvDp`UH|H{@Up^>Zp!RS$7|D53YoMVTc)z%mUh
z^CG^03th^n4nORnty0c;o)^F;;SM9OtN?{7qJwkn$a|nfASM0$u2B;(9%hjhdkEKv
z0;m{PYiNHV)vs`Y7?^SImhj$pM{k@uhfZF$OY$TEA6#@@8}Ygr@}P*O7n1?M0vic9
z!jcsIf&KD2{bT}y(uDj=GB5nV00&ViisYd$?1|!mdfT;eyuSF-_y3S|#4mAbI;?*X
z`tUE3^&P{o8Rsz(l(uuy)R(d2X^#Gjpr9yF@!z}#V~}LmfPW%J3$#pP^%A~BycdgM
z1UCZ^cw(RR8@&<}jA(0j{TsnS))V5u00(=C?JR09()cf=M+&I^EP1TbMutEB3L)9Y
z8+WUKINvOWmgkv|0=UFcd<I+l!opuh`oh%Yd6EVq`ANwFFXD}5aQj%4Xa<)b@uM-Q
z<ob&*x1?5uU^h#wohSx6Z<G!{^@QOVfst5n`MCe{f{5>6tTfwb(DgPtZFOC`JjFO}
zxid&4^ocxk`sdl`y0S%IOFk~8Z7wvPo;(cH+L3XobJch%=^Geq-hB_XQ@(DpM|&*~
zMoJ4>+0TXsjy6b9%>X}?Z<d9D?+KdDXGt4OcRq=aC)e$7aIhgy<VjI6F){T}|MkBU
z9FX%hsN+x~78PGQf1|HXIA~Wnlz&uNEVMB?q#^qN7><2o0T@Vrhe*NfZ@Gjpaix;f
z{ls|R4YbN|Vyhd6k~_C;XS3ghtsV_-(P0FvswZ3hWjnfIj2d;NH!fY3t#;?TN@nBv
zC1)Uh9@jG$_Gc#gSi=7jLuFF_m1V(iwge3QdS_S?*K&)T#Cq_iAY>qgJrWEqMH4Di
zKLkeN$NIP7$87J7%j&s2!vpdtHUuzr_%65GeuH$<LjtYZh3`gR^y1M>1`g@u-l#V+
zk>d&0v2}RJpbXDnJwSt;N6I`uoD_YH*~c(xG8|i2Xd!>lSg^4_XD_SdxPOHZ+=@mQ
zu2WP3P-|AbZ@j|E&v&htbw2v`BB?S|@Or&!^s15e=aus1aLe{U9o?Z5&MSQ)=T|e$
zq7xUj#%}V%{R#yztK0wh0I)L>Lb(5qAWm<X%D|CPlxco9(h_>9LX`Al(~gL|uQiF;
zD8|7&VdovIZBJ|`?bHxWYCU5*D3AX|)l3mYw73k^RSvVnM~xf>*FFb(I#5e5)tQmt
zPGh`#XN2!|*9C(gk|oa5{Ib!-_#9A9=k}``X1(mMF)}`WiC@2k{Y|+bgR>b<g`$5$
zY2rC>vtO(a{%>p};Nxc+sBVb!()=%^Uu*YCJwa<RMVfDdX&vfCaz{-AZ}gsfx7)$!
zTWiK{8{ATuFLO28-Y^VqG8Ezb2qzXos^*<nq4#c*p#PdiQ&m|h{SxP(IzXY}FiYjf
zMDCb?@?;FYl7-amFpCbN>bsn`Q@!oX^uEU-d13-Ns(?TAs5+1R@qTS+bvSW$%E#S$
zh68y9TDYgjs_78vjV>3zyXU~_WZY*Z-{e83hWwOt5`Y-h<Q|>{OD#Wu0p;{1)Ya7j
zyRE&MH})@SBvc`=+d}OymVYt!849q+vsz>{d1;b>Q%p!CUtiJ*<o^>=5!l;1Z|^`<
z&e&(1hh9kvb~f)UzPr9O;W@$1rZ1XB@Wt7DKnMG&D&<6~7e5sR&R7NDb7GJ`JEs3T
zNsHt0U9GD07a8ULH#zqIf!Y6oR2NS$ti@J_l-aP3-fS!E$wa@3fd$Uvez5kHENHy<
z;z_mU^0ZaKx&YpEc_9Byfy53psMLteX_E$dIuo+BTGO5s$%g_V(<sP<?nReG4F}cU
z&wNSzMi!{D;Cl-Dhvgk9TeRHW{qe&tnL?c=z3r>VkN?pWu<u~7$zEI=i1JyD*UxmQ
zWyyCZaH8SKaC&`L(JpaT_YXY+h=V=P!YQpa5cKiiJ^Xb}7`~qovMqtq2a4CUh%ctU
z4bDRfkET+;<TAhj3U=HtzJvB9fc%yYh6ZOtNu)0`!h-wKsZtN2|92wwDTApxS&!_?
zhGj7v4*AY(Jwi_HZ9SJs%%EIT`BnWf{cT&GY0UcGRQdNXA{O%T`$g{h=p|k*@)Nm`
zUfxa6#C0>L_(kr*i2IX2B9_4bTQVk{yu{5Vi1yD&8sJi;JRWa+d?M?hM6hVVVP}mo
zPcFkjvpeKnwEMsk#UfYRR$PHbC|2xRcMN^aRv+ow8$;Y{R-JXG7p6HwMK3WFq?g1$
zTt<z2?X|k6U}ICpq|?IryhTFUFgi^ks)?j$how_%Qqt$lec4w>uneT!oNct=(;B@G
z=@KT6W2L0*=~Qxi%G3I^JncxM#R+=fZk~41A1-rnvTGN2_DZ>yd-*Zc_LRXuT#DHI
z7HSQ?WqK{HnwZ-GK&*5U^QZKM#!Yj@I3(PQfV)cPwy82DEp5w-ABI6;ai>`H9G-}7
zPL@=1yw`;S0^oRss^zAI{t=&#hNxVdR-?`;mPU?`a<*ItfVIbF4?H}I&WWMZP~KTC
z2>oa|E-8EO{CnqS!06QQ{P&v^P|Rg5|A<QY!{>y;6ORV-=(~$v9Xs)z7$DLitr|%M
zn;9_<vtiUam8?Wb-6DbQ8@ws0PbD@sMApA(6^w_bcOnQlB|arIgW-q%=IruA6sQGG
z>e_u^AoF2yGtl!kZ_WR5P>%nRbkXgNQ&;zMhDYK9Ow1CTDU(nN-y%&L;f+=@TXDrV
zvwwgB-S^j90Qxlb!7VzSPqoPveLvn=<T_tAFg4MtRZ9pu-j`j6<_fOQZv3vbm{1Eg
zd_q&T2{IeEi|(6wH^ZCvC^MX&G)jzFT`zX147;`^<!gHePY#0>m>qQGJb9U!TX-I}
zJDIH}kaiZm8`cTeA?SKWcwg;KQey;!j>mi~7f!4$=E0%2&zFv&vrzWLO(Kymr(vp?
ztjtU0vsc!(7*`E-o=x}9)qS{=Z<Cc-XXErZOPng5RCFY$h{Y=A&FSR}MB1jtMzmZk
z51g`?Qn&ijYpKo}ABMvskua2$XSyoHtlNj3#ORtpM);hb5>O`vJFjoQ9JYVUCD(&U
z@%ZOxj1F6cjb+@0(@Qla>+y*^R`}F7oQs=3*M{WEWoU;I(%eks4W7)+9N3A~o_YPc
zjMWtyz=$UrU-mtYH6GX;RN2_GcH(TskSn~>pY}e`wxB;8$tdr643Y4Ky2hU!w-fe&
z^XA+*Vj;S_J(Q%&zdqTDhb+#+4!YH!SFt-@qqtUfY}8hv8#}z*kIg{7BL!4wMt6Ki
z<jQulSR$nW%^EGuOVup<zZ;OknbsF+6mMD5F_!TZW;Psp@4V<5xSn3l3pY5T<-Tzg
zZGg=GZ|h8<SIC)&AmpY8$AT1(MW8;)@ZBP-F$?u}w=)8Bm~pKDD%o_qR6IB)_O+hT
zF&SJ8JhDF{y^is?>*h?wC1_=RlLey^qh6h1^A3Z<9F1=0#kSkW_Pw**jw+^U0PWA0
z+S7|=V!A;I49@F4Z?q`M@J|9k`YI;yjy11|a<s9XsDGy1&j^WEB4W`O(@!>?UvGW@
z5Ipd_WbP!|+2};V24&JX<UavuvYOzZQh|iaV5ZChwNqN<<;J-Df3>LQ6wd;Casdu#
zJGp`_SkqVflxA5yV5poI`q|*y{JD!k68EQ_D@NhBWn%)1sf~wykkcVUrN9qL%SEjO
zW#fTFKpkg2zFP+)L3T5F%{+0!34;J$V9jJlqvb98kH-S&6W#Cb6gjx|JXt_jBKO>E
z{depmiE$rYP@WtWIB1(lZ@|nwicaQXuC!K3;xnrmS^OS~l?P7o+U-txGh1%)EOuWz
z#P^=pLc^i#9COdAWmXj{!3SFPRkY4g)1|azciSvS@^h;j5?L<LZVoIK0bF#G;MP=|
zymDGc=ZR)(Q0ofJYw6Vz8I9Qw5Ar5jr0`lIP8P0D!D-jqnf!5m)&e;GT;Ip!W_cB^
zdh0xm#%;dtjkIWM>FEA-ZGdYv)ehsA;>|GnRnuCY?-9>{S)f+t$0luD<qYv^-}mt6
zJyel5XtBw~`#hRjgZ@&`Z$A`Mi)(rfxR$?%zU~j8*HI?5>8wy>^2b14cLZscr?Mj&
z*8?%QomcOVJBO5{OMj~B+2OAVgicOpNhgY|bJ@?Z;*UPz+;$q6Z2Gh>=0+Pm&tX*0
zWerYxurS5NxSq^X9fk<>tH0sSz96xppJ@t{h`S=U)Jx=wN)LvBHqj=)7X*_)3Wk7+
zj*KiX%~fy{3ClHK>Luu<2BSwQB{&x0=jMMQ)lK<+oteyFZB_KSwX~g$l<jx^OAQpB
z53+Q#r?t1~;_f|_9H+(sf|q$#=s4RRDoFrC>rvQ`&sE}<UM<`XFiFpQc&;E63bjAN
z<+6(QjK`H^NGRzn$*U_^;lU_<Y~qivo&zv)bb(Ijzlet=AjnF-4(Z^e){qmtTgpTK
z3+~trjnV5!CV=BjVpg=u$?91)zr^HLfuWbWlg~N)XVfwks-c%0fdDqR*$I&*`4@FW
zf>DQ?V+a0U)Zq(89Y|wI<S!fO|0DhXnN2>HFic!G0q5Jy;!oPDYY*k*cJW&b6@`eC
z5{1_$W4O(Ymheeds)7FslAI5&zku2*ctpqPm!+T7qJ08}IKX9VZO#G<E1J$EOI2JC
zJpy0b7H$M9byP9vmk8hSW$$fCr1YF!V;9cdq=&1$)b|skJkw|)betr<D+ETdm-t4I
zomxErwKKLrwtyqLP|8GvG|UhmE<k+2<Xd&yDUKic#W;I%vn554t>P8n*+;a?!U$0W
zf#befh0SW(7mLfH0$Uufeg5BgO%QBxh{~_4|JLf=z{WbpViNMw7xU>1fNmb6)PF0|
zI<zk5Ety#3@I5M_yD5zLjTTXRa%Zc@118xtMxm|Y^zERMf!N4?xWi#U_#U8tPuPw7
z4w|<QoJ)_RwJlk%!yML5sQrLBAj58Ce?@UlEVVVnY^TbfHo6(Q9LLAY{c4!faIR^v
zFR%o&KPR4slGXjDb*=tw{M=;k0It$jxAkZgu-3xV+Zx|knvjkqKTJ{?*qrpl@jDVQ
z_TX{9NS!KD;{B48!fsi3FPowKit^r}U^F$Jg@%s<UZw(cuvx$S80VDcHn^f^a34lt
zTM59MidkCZ=AcjIb=IcW2GX*}RSj<dSA}o;JO?;Vdhz&U4|F`KBKdFlsTF{Vb~)3R
zI*oQp^jfX70443%_54DtaGu?6!)~~}jZ6NAge{p}DWJnn7ap8uq_mvDX#eVnJJ^%o
zk)iJBFzyAaH<&ht5%LK<0irr^;mxGMCd*Hr(c8<_<k+t5wNIcmI75s?z_f(c>aY_N
zLr<E9gvTjJuid<H#7-pgUTV0is>+zb^J|xh=6lUTAKOBHe%1S|6&>Oc1@$~D29o(Y
zZ!+s)o!p!h=6kxf9LM2;y>J(t!sTsN73<?TfCyxK?=btHs8Y2bePh8ahJol`tL=M#
zs-zEHo+du=(ND0Q&9A}YQoGUSIQwJiWsESY2Aj8<)j|WwVVUX&)Ueg!CKi?Q)Zd5e
zZ&HkYmtIfg34frr7pLxbQc$K#KgFbvz8wTi(slMvE-NlZd9wZyMKtDcdGuIO*<m-$
zRY+xG*EgJxu!g-1!~U%TqE+~WxC72ACd_i3#Y7yaOLT*)H>5vq?&~)XoR<}}lA|ZC
zHn~pZTehCiKizhoRQ#CU!~JFM83Bj<6aKO{k@;-YL{4G-fj&to^!zM|1zfX2q4I5Y
zI!KOdt1o>^lc*Cxz`xq}VU2*>E-H@JwWO=3YoMa-o@CJ-CE?^UE?)4yX%OZ1LaH0?
z5Rl>ZAR2;6O}^|^uhAouTy$9RaK|!H=cr&dm)}I2%C5xauv4HhzzeK<=Rj7VLRSxl
zUjyw~1{)cj;*0qh1j{!qU}O<deGxi3m`>ysHwaiCSq&~%@b4Vv{4tnoTT#;dHenlY
z{04TjFM9n(`{5~h>l;U|3kH+|Hxj`Mmi0@djdn|=qMNHBD1BDvM=f6Wz%V>kiII#p
z;&W{)IxTnPm|X^*4^K%<wI9ag>uzm#Cn@NeXeX<^8RksiqB1qCPioj%A7_7G#wlAi
z4Mykm<_SDB|F#|qg0wp~k84(}Z~W+87P^0R!@bzzd@|)dQ6oyVGv(>CAYWQ20JAmZ
zsS?@~P1ftcBSB@K9~MJxAVx471<AWHv(}y4ZLydu73mwJv}v)hEqJ4zK$`@+Zms41
zCgwux#`KGKtt7PP@D+<uk0vi>qYdbz+64%|NU2)gqnS5Pb-ZIj9l^9ktZWn0aUowx
zp+AwypWbA=<GW#d6ce-F3GMZ6iq=UkuD$3U(o@ZFb5_`Udxk;1ABS1w)9~(Szr7qk
zwY792$*7X`dwVR}1cTm(coOJ^f*dk=?{cjs`jT18C_AIWIHf@>)9AK>1+AMONzfud
z0pGg`?><wrUkzm<qFOB3D^yQ=NACNl46&fu_(Z&Xh3p%%r5ay+o~snY&vccIh?tT~
z&8~6nhVeYEb|nb7IRpY96dP2Cbd<{gXa<zrcf)Wh>qLD858P!MA5dp$lUU5ghrK3c
z)FsL_TWGEVl?fIaf>}1BA9)Kk985Rgeo$8B{gqS0*qbZG5HvU)Pwm-cuIH7b@l8B3
z7@Q#vohs3qB$0)S*A>oO9ZBV+f<?r%34vP7o3>ybr>lSEXz{6OHhIv9^+H9=@j9D=
zefRu<%i|SA`%{dvzf>)k;e5cUI-=8%8Tp6W)*X~Y^|6!a0t9Fdncd5w<jC`<H`{nT
zWpFZme3MeQEho2=Xr0b!;tOgGD4cQKfu*?e-`vbU7!u5ND2h2*f5<TUQ_lPQu`5^s
z`IRi>OBq&>Qul-4x9$DgV-wf4<4^J+5clRrk%GENm|Cj+R%;Fr-rJ6t$MdE%^A=^X
z_@|wzV{4Xr&f|l-5b~X!L~Z$9B#u^cKqwOdo>z~_*RNr=+h@VYqjGHC<&R}r*Aa>h
zkA%TraDL@=8C_@~66lQ&t39MYM>Pl-Mk7U-AAz#t*`8NfualR3{R7FpTN^N|$e`Ha
z(kE=+gxLO~803qRWA`T64rrBfq)X8PI-s3YpbK_(e_HVF;e5u(#Ch<)iU;3DZMC$J
zmw)&iE?B1dj$IEHMX$zh4A$jg0hSkZE+1|V)L<^sWkP&MH>g~}Ca)EYbM{LsR%Q27
z+V5%DbtAgp4zZU@IypUPWcZSq^Nj8nDGq~(T0e}P1!^IP6b5mL`RW19O2vG)xmLk~
z8y<~NuqOx!>K_Ylv$eJTm>P$YnETn6y%=u2xrkAU6Kurd#cS#a!I6>Gch`{9GS^VW
zJ@$fyGWBRFK!xnveW_`5(ZS>BK%%kPF;WKGc{;vHSFmtvA@p}%fewGQeop|l+<G~E
zT5rI8EX`G)bqW4CC~7;siJ$e5^MucR<0y4YFiCZ@ME#90IPDh5OJ=<GS7yDB-t(Hl
zTCA)vG8u*APTH|^Pua$D9Z^aM2SmoM`n&J3x-k_`Uu@P{!^AogW2)9W^Kz*(s4%W|
zHt3C79T@g^sQLACn=0X0ffEzVu6KLtA6J|&7B~gdF*JpKHO!-rJSu1<n$ETSF3qa>
z`VfMdJgm|B_U?8!C5>54Mm~w%J?5e}alwVvj8c7bIPG?)ok2b5r}e#f2Kj40oGg?D
z?+PS>UsAn+fHyS*;;l^GmRw>mO|6fDj*uz<!F!;YFLa6-%by*rcPxQb=9s%zOv0P~
zMyH#_=Ep?b4;5&zF9H`u5P3>>uJ$L}Y{V2k2WnGiy3Vake7QG$al?<_k4J1_E|K<L
zlPT7xx+WOdDYOqsII!a)(}~ftaO6?WHgHKBOIGxtF>P&+tZGYZOPYgIL!7m(<I^PC
zaf{dt4lRV+u7-wg{kiH{0L>Z7n@@03tagRUKav1VHB3eCi;xz&#lb~f-zh2L-57Oo
z(Dr*fd=9L>DZD_$=O7L(v3W9;m<wYA=Oyr%M)>v#)sj8H^gP7q;VC)j15+vqu3Zef
z>6O1Ug`N(4>aR$@gre=q;5x@lDb`lVQ&$P%E^w3N)yT&Gg0x*3@$__anC@MijDV_T
zI~OO{OTvBy!{=Q}=fLNm<-GjGbc7g(!}xb^g)wq0XGnyQbUapZuDvb^ubuvY#>Nb2
zo)Br27y{2(yQkfw=cdtcU`B4kdpiPsA06fzB<cW2Ap@JIVI@c*Kk^(6byv^QkFXg8
z{cfPs2ynXA{(%o3pvVV81Z`BiiDMp~v=<!Q#lHl17?9k&?v`XhMLURH&Hpb@`@cRY
z1t*Ska;#M&>Fu9`95yQ50+R|$m}77*?PLu4a_+9AckL+v_i=<@NeVTo&`Pz0v7JpP
z+I+YjP<VTAGW@I-v@#I-K_>L+El##*b9R^^j&CVf`&QpMuXy~tmi`_jvw`95-P{JY
zXgYvY>QDY*0DHaSdmZH`7#AJA<DUUx@KT6Eb%@P2f@k7!-E|1T2nITck#|VEWL5q{
zaa!3ATl~BCOObJ3<T<NCufVOuH~3PaMg8v)sG*wu<bkD@O21HfBYzea@MQiIw2+gp
zGTHRO`*he)l-du&Q7RnfMRGK>uXn$<-3PLt!sQ?V@Ybst34E_YpBlHlr$QH3y<ybN
z<_FI-6n)9|TJNM4rTO`EtOvS)KbgT6KJeJ~VTz~@O*G|Wj=tkyRGCo5vcb#wz)ZAu
z7OWP#fmga?Ye*&{Y^WkiXuIAHu@irDDhWPb7v{Xu_t~b<f?@9LdV7pD{80JN<w;^6
z6YE_-M*~p$-p>?}ykh-)I9i?s5|1ZTp^^A^<}3MA6d%{;a}ZQeMYl<*1F++T!BbiY
zV$@fXPbsRRSRdZ>pKNGdQ`hhG%U`5bDhzg&X+T}s7x&j80d|#QR}x$n3DWWnx=U~S
zVb|#0O@iMB&#UC_kTzQ%Z0rFGt`2EEOBPZ)U4vzMkfKl8;08b41BxYn-nsHDCeuE~
z87F~@8jX3Tf|4{?-iUu9GTJWP5CQC?!@;}VSk-WcO$z2J75jAR6|+aYrVl5lG5pr_
z1fXE?Lx4$!N8cW=a#N!Gxn8YZe!|@^<AUTVsD(b0Xrb$kVM)(ifro|Pdp+UUYNy8l
zX7e>6vY_5k^lrpK;dh`IBO;Goc<3*tlXnzJ7c;K|m+{~6d)cJj%Ek~ZgY2&g&IBuD
zD<u5Y<pwLOP7N0W4uWIm8}wtmT=?$3?upDcyJjvNju6s{M`pw%SDeiVl6=DubHI!v
zLSiu*B0i*FUZKOym=)?r7vgXiVrYC^;&y0#I(*Ta;SHd_ryRUS1bA$*MnQnCVC~wP
zD&=^U1q044DAbruCcr85@EF_4gg*6it&8*fy|LnmIC?c{KGny@rb5q~MKxf9!&fbp
z2X1>=?@?gA#e47}#RM6R)^pd2cTl+^o~l`zMVu&KNdk&4jKdEpu1_{&>H%K4-`D@>
zJj9u#yNp#Vd@Q}MX`a~^EvR$`P?HQ#&Hrfpe!Qu|-xsW4vN75g$@yJoCsyrL1%YtC
zEO|;gZVGyHP$GSSok}wEk=Io$;{G<n<9;zR!bKeUYtD>daLpmBHVxk-&76KvkZ`}9
z?&y{}61#V+!mCIxDK@W*aIfHgS9>RM9Dm1^2pzjMF+`iQ6(@8&j1L9{^a%(o2?Kdj
zDtR~6k=v%7=l4>wNkXpHm3w4yuJsn`PwOy7d^be4eDI)_-&?=EP@BtRRAw4|7fc^7
zZ~eO*H2mEH<`K#fbsC$(v=v{S9ehe9*iWn3K@@z#jQlczF0Tplk<ViREx*P5UAs(r
z%fjlPz4pG*yg`-Rp1~IUpV3|s`*R<At)1^Tj!-t*U3?h<?1{9Vn|W*Z&i&wn!g-^W
zNnG3F86FhS;;lP-bt1F8)89EWKk%Q{=HlllrSN%jCGk1u(dx9QiB~ynQbiQ<cs}0s
zmyn@P3d$d{i0Tz}=FS8jyH_geeT~6+t?waPXQi${qtq<!b$vjD!|xfa+2q74TEZdL
zq6DB;(qz1_+ikO#H8WCN^jg<Be2=o^T>viXO`!~p$1aU)305m!s>4nXbigl~SmgId
z8&GZHQM@u`?eGM;6<eh#l`ISYt}iURA7@SaVB&P`axJ2EzWPVLcAzunKEKotR7R5X
zXTU@U6a&V}1I<PEd1nXRilHBboM-QyZ<+;$+>ny<*L#RIEYC9QP9(bRxU5xj%KMLO
z5gi75&?E??J?+1TRAe}qDU8}a%FO+c;AG9ezFhToY~E%|=P51$*Jd;6N2}H!CI5KE
zI)pmyCR(|Dg{SNIgtAQbg(j^x-I_|r>!Z|IvijWv<unD>tmW%fSj0}x%llDeU$a|t
zIy1#XwZ*(AL|kVzPj|1KK@nNZ0e9}9WcOzv%bNRWPiLa^9^P!3IRb}=x2lVEfxp2S
zu|H4U&c*RcJich&rwFLos=Dsg>8s;4t>BYzI>HNwWZhf9`8ZoHK6s*(GCkPke!~S!
zclNl=iDOXt6jB7pg>HMGt6x?YQ7)g)ZlVj9SkhsXM^O1TW%Yacr}Z}8se@K>n+c#o
zq<<f_#IQd^=H%*eVDDtJ`I_?HuI4t-e?ro+CB+--&uFjXj<WlW-t<AEQg)6tw&d<;
zxg{P)tM`%1L(-$<a=FZT1LwdR?$XZI6^4g6CDI`|g<>Ny%wrlKl_fCpykxdhfxu`a
z^~+KktE%yk7Rg~V)@)0}q500db@aeA_cnlMsz15gx-S*B#1ZShop9LEnfByvbCzGC
z;^$=AkK5^dcB9STWjAxah!s<w%AS{dQe~8$n^(b;%qrcH#~yL3XGy0MDxPp{D$?PH
zEW6Ol*M6`keWK@niWlWEH|)Nk(}Xm!9j=C)DLQ6H2lmBIKf*+e;$9fXI<rCclNoM{
zw3E)*Tr^!k(HdLxqlMeu8y!`o6NVISTC<PP4T$UCO&0}n`CLrm9w2e*<!~02<j`GB
z=6dDpuOT>HwyklpfUk~^v@17+Io&~iD}r2RGt90QtLoQRlNB&p<u<0StG>ZRR^U^>
z<lq|YMQ;jEgpS*)?ftr|R<NqubO-M5`uJA9hS?H7qJ=1?(>O+?SufGh4SU>zZ+}{x
zm&=>pniMJv9+I$Z0NpCz9L&oHvOiw0_UfFY5HaAmR0j&PGjusUtexNd^f?x&i4&Le
z5XY@2pmg~>oP<qf$4>pTwMFF1begJqC<IV%m6>|A$1r61fupo(XC-jvz3PgNF>8X-
z+6?JY0+2OBaj}loa9OTR@)ViOu;VNb=>BeYtmW=jM?6pX5W&3JA_bJcpV>7=lz^Hc
zN!Da)yFF!+P5Wg{v*EKgYb&P&U>eIJ*SZ1cRC%{^u6Q9uSvFxQ4NtPJRIP?c+b+uc
zjQpcHi{g^9<8s4;{mu7Rkc`^OIp!4SP;bc)m1b`joM(6GPt>O~#xB=Kd3S%hX&ejf
zW?iRUuw1PgPV|kO^a*bo?hME|-Vv3~)3})Z+(<_t<3dnpd{4C7=+QXg2QsUkFKJl&
zUX=RD;I`M^@Zk)Si;pbq`Zkawu;>sM#_{S3mRab2Fp31!WcJPZQcdcfkfrc=)t78*
z`=-ZQH_naZbhCMSJZl+cuy${@d*vJ8r~A|;?s_JJvb(hSVy>6ceMcZBw-?zXHJW?X
z7ox?o11oqahH}myCXR+5Qi}0BP>w3JLe+tU0maLh+MkY~+(37t1T&gMS0e_RXbgzF
zaI&!#Q)3XnvPV{r(uC9McbV01kkX2Dav6<VkE^GcjEfQVj`_cm6u&M$ae?LZyl7S|
zo7a+a_=(596gHY3dOMLXLZE*#RFL6KMTe`Tq7_;%b$Rh7FDp6dM1GwQSZgB|ywn}4
zvQZUy_|5??8}`^?6Hak<%ET>|lG)R(0O5o8ouf2J0j2C5ug>)VBr^D#4x*v=(YZp`
zm=M3`d`$mtJC@+aW3*LgQ;!v#?l7qCbe(ov#Me$-fL`@&Xp)5z<Vrj{`m|_bIDQho
zyLw-Ud2)_dZ}GF27nOzQ8xio3e!AmYivKec8*E_x3P9t{xb=1f%sR?g_jPx~;?4dg
ze<X+M+5S}snQ81RB}cad_lQ|9mwD|fr%*ntMWZk>{3~Ve@))lxUHKS>go<J=|H}GZ
z9<i4D5+-oy?}&5s<2X?t_}G5PWhGZifKcK;+WISxFy?+rxVp|De_x70F#$Myvj-rL
zv%f@XGv!lJw17YvOb%HO7}nV{ZEv=!hK%5XQ)ph8^4_7o*V>t=Yfb<9(R-ZB{>ROg
z;IvlLV>=PEqparTx!`oiH@u0aJbI!Y2<x`8!i(F>4YMLt{$p|XuE(Fygl5yqq+v7s
z>YRl-H7-NtqB&R&slv;NALd(^N*MH%87Ze-?6Kt;1Ky#Q>mAU@E7szAa_TsK<8sfQ
z@C4R|cx1+V@3vLnG=*u$(d^a-96R4BDABpbq2`#pGD38ikaauP`0joe?LIv?M}ot0
zt>p;<q3qU|nL~DZwpg_7|6&wx3(KT%k9GTUqjavjT8|KD0t1{M7Dm5;dL&PRfc=sc
zDsNq;R&AINNYtP)deh~Pt%XK?a75h0?~pT;v>=Z7yK^_307V0S$zF+u>jy*?hsRm&
zIuABn!Kn7wII*WR=x68G#R*%W#x97to;rGNiw$Rp)Dw8(4}=Y2H)sgM!SIg9Y-#&4
zwiyT_3qk^#h2wm$Uy_$t27E9<F0gxWI6@H*Jpr0;>Wi7l6KI={@otV}d3ZLlp>050
z@93fysgpi5XoS2SgMwlDxKL+(u{*;K(}gOsj>|V(I=mj=a4{N<G2wmn75|e0#afz@
zipHsm_Gh})ub+mjIF5a<4!@LHcM_;*4QyR8HesAkmad)xH+>RDvA8cxNmxNYsnoOH
zpB{P>vbygX)cjsO(l_ORXK<rg;B3xaCF*iH&t^JlPF7r}2{Nr(bv6phYI0e)&SKYf
zd7Qa1f^GX!({Qx5HF#Z2R#TXv$l&j2&O^<>_t=21*v5dw`_WQW#(CO+I*>`jwf%^b
zIa8eFKHFFF^I_54VxquCMM{wy<Uk?lR{^27z@wEc&8p>`YaBlB)_qg>%*S0!I>Ux{
z#jufwy=$Dp6jBLcz^0{?hMN@r04d^?Wej4HX1d6&qI#1sX93iey05oOW~Jm5ufxyn
zdZ6FwxbeIn>u4(W+E?ZCu}Z=;-zT0zUi_H&-oJ{xS+ohrB>cMw^BkI4N~<?f(qCN(
zeb|K+Bv^mI#=7LEY??tIeh!VMRc3RmWbwvoSX{@HX@*Mh!5@=Py|o+}1q93TY5-he
znbq=h_vRtjDXfz8CV)ZG_qC-ATW`<WLj$o>sQPl8UP4@!E!PMml14DqrONRp;?*OR
zA`+D)x-szO0Wq1N*@Y;Fr0<TzoZq)PQ&`c3<)$tW6@S3tMdyW+arO{TgX+rA<-sX)
z&7p$L4t5`;Mssp}k9Y!gAtomTbihWq1TCeoYdT|OhdP$rXtlEDWz6$5^{kadjA__h
zpD0aRs;fn|3AK-t_5gdR4S>7bjE0bb^s;yUg$5k!n_Q!X$G!2uOF_7x$8|GfMlZNT
z*zhdqntXQ$7quHFvuuEH(&43J*rot#zbF4=zRv3zkFz`-gQC{8&2tziGcP1G=$)%7
z{jbPn7&W@`Za%pDA?JfV{dZ>fc?r9Oo!`>yDq3^fHnx%H9uBm5^L-PbdftxZRj(aH
z`ysrt!S-&)<5RC;UGL?QEiNZ$05b4VV?V-A#Vf{Q9<_H&L<TCV;8Frs0xiNGagO7g
zYYVNuFep?bjE8?KXSTNb<l&6ZMkH{V%H-sCOy!_Z|7Ej>1A8DCH1eGV&NY-i)8eq=
zT3QaXBNSQPZ>3c+97PyrjO#{-7vd81C{wS`6k*7rLyJX!D-n9Dd2ZA5jZj)!2xqLs
zXC|=?xh%?2s&_zqkZRjDn~OC)D$n}Oq-~DH<v|{i`OlwM+381Fz$?sQoa`p&mOQ5W
zvUskDkar+ugEDcRI+2V0d(m*X<$N8}qe}5moY=3J^!KWvn;l8ewTz@lJr#@y{ri+3
z+T{2WNy%O{=Ti>xWLNkH9{(^vZenY#ha3!N<bG$6=e%f}LI&@K&&c#T)^!NE?2fEg
zcH3$|eEJBI((`)#u86F;bWy&>htT>_q9tghDOg#f2)+C4B%P%g4t6;<*gWk+z^jNt
z3v8*bP?(;hVdS+NpWmh{jRiEj%j7+UZvx#5`SJewzX1A0?weSZmb;PMc<>&!)89;G
zx#KX9n9liOP~NO?3uEy>nYDiZbzSSGu8Nd<6}`5)_(i5pg1TOR7?Zk!5Pw@p5P*qq
zJnDGBFIqoxgPfA5Q6e*?%LSAen?9TT$xmRth8@`n6S!mGzRiT}5Zh8<OvGmPS%%jX
zH#A+Q@!maSPP{pwQ{-)!j&6Xl6Dwz?#7~bK8SLy?9T`(beD%rgj+?bkH86Z*^>sas
zQ@EB58iWs(Yc4VfgN~&Mo5`{zFtB0iy&N-8J`x_pF2nOqi_UMv4<K5DpyClJ=Dp{?
z7xIOh3y^EWtbvcFs_f=(M$N*L@|}^q)eoMzjbgIT^S(58qolJEy4MRRZ8Cb_U^PNE
zvdYNEYP-dJf8tB{nxh6ntVmL<tq>%6*Hq?$W|j*~1vGOi>WFK5-`^8??(d+edpAuX
ziPfBFCZ!zi@Yxib+n!JR1tG{4J_Z+mK;^~qoMw*7@>ECY!bV<<!!V&`S*C{;8;Qo*
z<-RIKhaA!j=-i-}?y_~9R{}8iELFxLvE>Ssptqp)G#Iuvb2{#!u?V+anMbZ)L{5EU
z3QGdreQh=NXR4W>8jNN5BS+9urtZ_nZS20*1X*u)ue_7n(-L0gAnib{U79(BKdYeA
z>+JBOm_>!%cz~3*5vfh;+qK87)%k5XF}tEQqIv{tF)vN+dN(3VXO-0?Q6Ou2fUq@W
ztBL8Neuuo|dCEb-H_VQ3Oj@mzmjZyVOGmWS(DR{>&y)Vs*F9HJ&xf5y0DgA)q%)7b
zpO#2%wUm9u5WfgYA+jKki!#^9Ni8ZR#`u|zkR@p8o`mh;QFW{wyq&B(UJ<Deoy*$X
zvI-koWJW&qOpj<=<dIV@nqf+CZYO!LBpOWs7nVN-YL76$Z3C%Qi7RlIxs%@Oq_16W
zMb<AZnA47L3teEc70r&}LW@`X>(t=poPHeHMv)4$)sqZrx?w5U+{4BQWmNtan8F>{
ztljLuDcV!_B_pxL)WI`(Qv7;qcI<%Fo@3|-Z+XHnc87keF<+0g$(a>4FKiF1$8ue1
zTE6o(6J<E|Z2K#y6^o%^_`@5VFfO6iaZwN*%2mtOC}4j5l7rJR$mDIhQlg&ukzmEZ
z2`t$eIf22CM2k6LN3Y#JzFKJ!&o5Jt$KHO)4pS88^V7EO!9+TWvG#nYPC6YjU?U6K
znYFpH(@RLJAaZ~LuHdhRFUJaN^T^N$N_8#zFKBqAPxwCScoWS^$&T5zIBXWDYXuQ;
zB+xW))sXvfR=+9Bj(aP-v8;r|d!016iy}1(*L3|L5K)!n%l?P{aj65&?#;RDaA%mg
z_uwCy_d~8fL(`f#m<BIX()c+EFSgv<d$5S?U1klOcNznZ9V0w$X~?`PmRfuJi-c=l
zf03)EI-7}2VSG>r8ZOwNxCL$d2@`wv49x|;qM|vh5-|?b(AeZvoTxA!{z5FtZcsw&
zF;@jo7%Q?n<sro2)O(Xtv!Ptf^nn(>C;J3@degtVcTo|Gz7CL02Cl04;FM;34cGXP
zG+~z4b43z>jS;D6!9EU)7_F0MoTeX0<}esAuhnWpDyk90Uan(=$g~ijnlRBje}K;V
z<<;ZUpV5?xLsZ)rz*KH#oqy83$G1%=N;V2vBp#yINl$eX@|%nN`^Rz@lu=u-Xw}kH
zO+j;d2pvI?mP6VkoIR!Oy3#p4zcLEEec!@ZY%p@aMaIAws{7+H2Rw~KKG__;27-39
z?X|-h6HEOmps$dovOK7b3MNvq68}KW>o)54VwHL%t^YhB@c;}-X${SK669zQZJzyU
z^4lc-#TOL;K2j64MKz5b#W+|qH#og9EBq)y%|FY9b4j^5nKsO;>en8y{9*c+fIPv>
z2i&IihS2pEr3^01yM6kw)j(clrqkn}G<4I@eRCJ73>wa2_*<iKKVpME4!L%7&geTS
z<AoYnQeZL~JW6}x6V6E1D(uMJZ80YHZJIBSd+?5}>-Ge8|Cw)_!<y<>5Ob}hN2%jx
z_pVZ47-YJ;zwSzwH^6`yf?>BN^gU_%jc_nq7QEy_Fvzzp(T?T&ks+uD$aI%@#Gp7*
z*%;`k|1)(iq=n;+U>B73S5;)etJ}UdpsCKQN*nyiCf-`@$`UvyU)%ceDyo2AnRqEk
z?XuY=jUQ?v&~%6q=ZAM1wrV{~ew+6!o0<Kxt6a+cjXyJAH7C2N^N2sG;jUK=<&DJd
z9y+^Nt2^I`XzZ~#wFFd^MIV~$0%60f1rGlq3HSxw(Dqw)`04=HR+r_hKuIg<jS1c?
zIFtQ=Dsk!uZ*j6}1NsVrB_mQr4fD3Sp4R`vA$TWL$s(PJJTK#Fm;QCp^)<@l6Z;y5
zT}Ais+)MRK7-;2Dx+r>O^Ee4gOYA*$Q!3W6U0LRxpNo=}Yr@V|{EN|`lRsq(OXZEB
zgVPlYX|@LUZd3&9EFTu<5FEq(|B$bQ3nXKSSlh_&;?fE<RO<wt>Bb-!I}jUUTXx=%
zbrRwNPkH80&ZsIFh5cnR@ak~)P3J7txV0)O{9H*mRLi%gi=vsir*$-hdjke4dscQe
zEf-yX@c#MTAwkU@{A&Wq^}8B=r>s7KQUcbL*d*iQH_M?)-@2+CILtt6O-@O*6ra4C
z#)vi7YK35d^nDC{O^eRkSi_O|lIaLRrE{^Z$_rmi+roVeQg7p1x2p)p&x=PyB@`ml
z(^d>FU)p~UV5W)ha`l!ol{-CDazZ<i`t6n1fjXTXyS~-eDj~}miL35AOsYC62uoKf
zAnud3W;t2=b|&7{umksGs>ku5PL0y>*C6>5^*ij|tE%`O2!3t4Ox`vAp2AxNkj;^)
zuZqxeUzkI%oVai#;BzidIadyboyvBdVhDIsDU6!R??mJ%@F0l+GjW%jY%}$PD#g7I
z(do3U9J9FTw{Rz36Z@_2LmV_4cGbGry4&c^$}fI&%=csOzRLhscT0wW<4OT^vvvz{
z!>bhx$q$KO=2i0sD*Mjm#ifamRe<)%JF>ZZ(Dh#T+Yo5Xj>mE>X`e)|=JB`86`dJp
zj8%FD^6FMm(GQ*L>S)sTu<e6LeB)~5g06-y&X4>c^j!C&PnZ=gSp$`Mot9l&tW#GS
zt4{-)E52Nitm-DeW}`fo-zwWr#D|_#!JA^UFfB6hxBp5Xarmya9x?yT*q(--UbbhX
zt@@Ay6uo!NHnreF?VrpDI19ZhVZ@#{DkWBrbUHnj;#W&>DUPiX_bIw`9cgKw$=u>_
z*0WmTw8W?2N-K0t2)qyYaF35BA7D~5lrI=6C_V+f0q7wkAYULdr5ig`=t0uc`Wf)|
zrXMRe>ZR6ZyD<vXRJP^Kc@g(49w~z&J7w{HAs*YF`+W0H6XGGR9HkUNrwf{&qWmAt
zePvr5P1GhX!QDMTaQEOAf&~b{-QC^YEjR=Z?hZ4!y9T%5?(RE~XWzYcf5CF~mtm@>
zt4<xSbMBsJHo^>LTgvSI2#fpa#dZ_9RXq6+QM)H12_q11zdQB#<Aaji7LGG|zr4;y
z)o~H1MrZ=Uu0B5WnTe~^j=HXj<q#9uO#cZZzIX)LAjq}IfN4U+TwY_oSQF@4=3TWZ
z9DcX5K+V1(bYDF~WQj=r(tKJmt$AJ*aychJ<}3>#89HA&goz2YQYEiiX6s$A=kM_t
zC?PPCMU=q*<%lA@sR}sB(7VA|{Y`=Q=*jEhUas|&ropDWV9wU#<~g@Ly=rg0{Aj-6
z<o<!*Fk$fqWoINZX+6Na)?)roPlIjNC&*shwbkZb-wxDjzPToC<yI5(xtDmS&!%`?
zTMJ&d3A5O&q_ehnR)4t+R$F2AwE>RG1Z903m)=Epqq@=}jyVJ#z$7LO-UZE-L_hE1
zbTFU{gQkzMhiRV}p3M#9GtCF8kL=%qL#t)LF+9$UkwiOZ{*1IMeWgGD8)VfZ^owc9
zp)aKX&4l~tW3<x7edGbTm<zKrnMkSe!LQpWdLA!8t&*BHf5LOMJRC657zg<=aOX-Z
zhKZ&W@e`~jsq>3x;&bmViIOypb}WQ>yL`8|P9Gv(4=!DQq@oUE;eoS&LtiuBwFxB%
zrlvz6x6`)o#;ocyTG2|s?(cE#GEj%7>G6Zz));efyyl}{N-UW0FZPn!#ST6ZwZQpo
z%ZH5FBm&(iLhPn<38K(TBabl-#z>@~MLBZL(LPs98I8^@6m^lEAAxa_wO%51Fi3of
zP0{CE@;C6447-CtLjpO4SN!)LHJ7`LEsZtZQ_wP^R*Flc&L?~dE@2f~=qA_Csx5vd
zaQW+JQ`=*DmT0-A&MvfvY<p<TM{;SEl(+Lbz?ebVklR9Hh$B`cC9V6K=H0Y%-362$
z0@jz#ou##q*O?VL+^o)S5(8SDG?~+;ozCfI!G>MUQ>2iL9+vn`D!1%IyapI8A^-<S
zsOtb;B6An6eEsv8)O<dDFf%bFnUFFy{_`Gm9?ih7d%v;UZmSm!E`N5Ew5*?P1W0in
zCyaifPwh}OjF6a#8kWndst!BxnK$hDU84}N_;s@DK0$by+h9u0Z{?S+kGu+Bj<r8e
z%TxX1UXvee19b<seoD!F@+d!r28b!7>Pg_L*?>st?UT-6aj@KxIwwm$UkHFs8HW08
z<I~mu=3Sp5_B#fz(sY08+YNDYOZy;)^v19pWnV#=Wfrr7-?D2@U!N7!@#q*yUmD7@
zx9WI@rwrb9?=2)o;O9iI-4n=*jmwx}P?E$c+|^B#35+n3DkcN)Wof@>3pX+@j{vU$
zT#GBePXN&S{g9|OAnTij=_G5QSMS*Q4Hj9M?U~CiNFO^PnMBTXlXRWNtVqsryISi&
zn5`1)H<e=Bths)H-4M|eWR87G>4xdP`GuxaH5^u5q<k7Z$p?<-OcGV6DX74ddGwv!
z(%y2ZxnSEpdQf(-UVab1u+YH<WJVI8wDy9V@a$Y^`R??mu*D`ahRY*mfoy6!jPz5!
z%5HPXJT7{p-YGLjV{%12kw61ao5}dYF{<CdvnvNGT^x^4OtD?}?bImv5!^Y^)O&z*
zX4xdmU+729zOLLjp&IykanuE)w4+K0iZ2XMRS6s2vN{TgO430rSszjL-@0}oP3+ex
zn0+Q6&M3zcKu6p3^1ih)3_9W?r0-QiLZ3jb45Gq3cxE4+;<pVy;?-!d*!9M9MClqq
zOy98t3C=U}G++m0;LP29PQ(LV>6%G>J!8H=mGg-7o0nq0h+tUOO`lv_$&7rwGm{5B
zka^~?rnz!>Y<$OqUHb!BPv6p-btX;$VS#4N+qtieNYrQ*S7l~NjKvQRdU5o?mA*z3
zM929F1PSu0`ljd2g&Nx((*5aXJLX(ObHWOvzOrFiI_kqG{X$~PY$C*vsOsus;5wp5
z<h%pdA7p7>fqUKX)l(c!v}Y&fEO%8K-Do5{kVk9~s`rA7xIZnDS-!%dz^F@)OJK7!
zx-RPpI*WCOJg-*5IUF6)^UDL&eD%9F>vWc?UfQEWk*crXqg&P0a$&eE^0R`LChqXK
z4#_&K2f<a8S^#0}x8|i<(@{1M3i$hkK=4a)`lNO&mWx!NQhbN!-LX{Bv|>gARS0H6
zvF@rbdUyF-g<O12ro}J->=6y^)An0r2LCFdYR_w9BFAF&*bK~F`PHBLjguPMKMgF<
z&fN`;8MJ&V@IGq}dwPWBy7T9BE@d@ob~g=k0X~t11|uZ#OHc^-2zo6@vG;FQ5bhj)
zmRkbVXz7*t&_lF=P=)FgoL5Od%#RRQ+n!=C;`c<`-10bGyVb7jj5QFILAzdrY=^*i
z^GU%Ql_H}k(ia6MA|3GtL{;v}9y8_JFcok;3iz!51bAzoUQHQHu*YzM$K7TU=}azp
z>2=;FmMUEAELm)6)$5e3kCm3U{srY1sv1&v0eeg7qmq`7GoUodqPb|giq4dTug~3i
z?3hVnGB4kqa)o173(N1;D=)941SXBIHaItDwRTi76TMt@@^r1895;MCzv=ZHzw_nj
zb~bT&_zbW$03GV<?-~{fy;2v?O-5p!F9eMiz=Ol|p22@C71A9d+Y+eAfJzr$K5Y*t
zP7x>@P$y#(Ngh~Kk^8ZBc0tk`b>KDN>*eT=Y`I+jFn&8yjwV3Zt}X_vXx>zKo$>QO
zG0_xFons&>lx4~(%PLPT*z6~<to~6drQ>xH1}`Jo{1{Cr;4V_7LgUV?I|*@)@5ZrY
z(8FEI#K_E`{BWc3$M`bL3X7Mu6#1t)HCpcT`9)aG-E-6sqKc6f3ru@0%g~R!W=V+h
z71-};npP52jfkt>wL2H*^Y~EQ!MHo_xXk*|FKAug=rr|=?2CprQB2u*+Fw(3(*}}{
zIb9l#QM0IhJ`?ID>Sli>(K6dp>|Twt4e)3!v06aFW0Oy-C#iT2#~v&sxp19mFjo|{
zNkGc$LJjP@&cd)fLlmuQLXN<nA-MSo9U++TnlO<<)B~nbln5;SjUSSp7e!_eBh3w0
z%atBebs7ST*>i?L2`Xl_c*%8I+|fBK;2;`wv{Y8H;ev4xGzLbc2(g$M;<R3VrKa>>
zd617|GZ!_pgx)FFl;}CJWbi(pL7^QR^Jf@a)oKt<KYBPk-E_}|Y3k6MOT|~FD|Xa(
zl<(jh7U0ZHz_Muk!fOOst90m&+<wDgv7h`?e5ha}VN$DpVj~kU3OgWNfBq2aXXWVC
zyy=I7?~n=`<*t-2##_qC6=Eg&6o89Oi^^rZ6BSl?3a714dh_?@HqOWCS8!9xG0Q_Y
zbiu&c#;$qk1h^>C$9_5TqwgErWpS)FFiM(Q53;jN^z$||Rp8-uUz1yU%SQ*c5<2H>
zW;G><H3GmiLiH+O=R*P}HS1Ce#<g<9;cYITzaPRFSOh!Nhr#;P%6`tLL|$^Ps_^A<
z=9YhP&BkNE4GhSS$Ss+HgC&SCUGcgaMD}VkS*u*EASx3_RMZb+{O-aDPEAMPYisls
zYmOo3K4PWvv2>-b-FslB;w3OaiA{)w48m=-sEqP2S-r|}sd>XaTqpZD1fif+*s8ZI
zb-_z^zLw;16ugFusov_3me^H~=_YH>2FvfFjjkHb#M^rZOT;#hlj*JPAR{}gkiA^d
zfNcj3Tsu+{5p;Ng<z2>Eav7e>8cR&J5X=)N$TT&Yv*ILGxMfqP<4ZVKubYardNTj+
zB|~5uT;2yelsuUmWwk{LV3vh$FQgO9p6()1A&y2k0CRe)PAH6NRbAJ1Z2)y}w6dJv
z5c$C~v{*iSY}7T#7Ew6gZ=&GLm#{ZXijMb$f>##*@G|T4E(vB^k_sfj)kP4f%@BL?
z)@_AikaIz15Sw2QO#kfB?7d&ANi)Xy>1pwnaJMQd3~3Z8J#LT&QhnT*FX>DFQ+h8?
zMm@+lF?=KO3LZ^}`QA7N%COgGh}7ZhRty|@E?8e0E{(+tCh;MjuBkWvnV9NGXBR_7
zzCk5Z+_M%{p)EM9R0@t<Z&~OKSojnf)TX(Mm&%co9BngCaOo7Gux9yC>v?Trj(E<-
z;9H6l6}LO{8^6x`ujhj2a_cRQlFZQGvmx0jZ8asKTg;=2oNaw<4+>i}BOdU%kxlJB
z4x4S(uBOKxM7cW4Nme$(K#WJ*)v^k_le_j;N_5f9#h%pRI#Oq|X`!|U>n!Y7meaCH
ztwPsqi2`}1aphuDD4coCz;(?Q*N)~3Td1qe4nB<WH8dTC$KhVWn1vrX3xc@L=;uGp
zxVzINb0FL>j;F(!gF$?o^v1UXD1zm0^=W>9j-Ayi@@OulP;>yZRtD3ORi@>V+l7zK
zs_jZ5m;MukmDE!?&GYY`@}P{L&j&yfr@2i~RR`gw#_G|=y0NNwzo3j)|D961wd^k_
zG_6e2W4!cFdE0?CiNHr^sghAiN9wlOD{-^6ng(+s>>ms#q5$!&@3>C(VqtLVDtlDy
zjY6nnD$SaktYZqup_b?R&`3<rsa*1M4B>K_#BvisPjiC(`Qhf*>)Vj&26@mhum~uq
zOV}9_lz=7F9x)t<v$MXQtkclK-~OGwp?ves=viJHWJK3Fg2=<=y&v!fKR(D<<9R+C
zV^DsHslxb+t3O{#$_R<t2|CxMOsUi7R4_0cPe10Y`?kE$AnNjq&qwB=W9bxBC*(MH
zkXJ&7jA4oxQY};`lj*i0Z1oLCWIC^V*gg0+7tj@#Ew!j`nv~m=L0hH3n^6m3E><c?
zUCQ#g3`cZs{&M_tF4FL7DOH;gV!Zh!nt{4TqYo1Z-!zG_Z*ZAM=ETo+RCxnsz4Ie(
z8EkKLqdh1qaumX^c&gyPnrr9uOnx?2CJdN?b5MK%fNIP3s||6P`ljHztzMlgqk#_T
z5B^Tx*E%KSbgRV0z~Ct6!TYPeo+TG3vyI1~(+{(W8{*wF&;bY=G8GwOJqoo4dG3lB
zRJ$!_%M|W}c83isO<OaRg>P0x8)Lh-3QZS*MP|>ScR38hB);l)0#B})CFI-~I2v!o
zC;#$gD^I?C3I*O0*%y|e&wc{nPiJR=*81ZZc<PgMG~}!s=YQ|WWlGF(UeKNvxH-tE
zeWJN=T{c!9(SP8|sMA)`H9p(lmjzC-I}lmTzqJ55N(tjW3mN5;vG<dH;}Jdqt$Shq
zf_l*5I4|RzpsAT&ONq*^gnJxs&$)`xEy_wvQ@>L4$azms&kVr{hvqG~lHo&B=G4iI
z`hz%xR)Iyrq>;QqQJ>e2yo?yYvANk$VP(!Vj-cYSN)7M`2usVJt`k;f*b^jrnx5?9
z>~eb)%amQ1vBO<|S4N%BB-V>$^)p*#)!n=UJL4_~VY(76cZdlQKpf$ocul^rP)H1m
zGjgbqZL$n^dB?|%u*2ZdFND<Z1Po0dbB8j08FY8rV3W+WY;>!!+8rdpP+_K+tbarW
zZk8#+=tT`8s{-p~k4I`ePKEa;Ec_{aGLJUMv>l@!YP>>{K!{!^{j;`$v!?i){Lx|o
zj=u2pg)@rip~<C}-x=p@D|Stb^Gg5VA~>{W{&MKi`ZkIvzFZ-#{1c<{UfV_HvzKJ#
z<HR!&THIJEbeyg|{2w{;p+KTIX2xh7q=f#x3a+8Q<0kgQfA_f#<rj;|5Jv^`gVk%y
zh{rS9_ZkdczX8GtAlxt7UH8NPW|el=fVbQmAg$%oschdYg&#0>z)vUhLSJ9~owEak
z&FvdIZ7^0!;MS=teMO85=E@t%95UJ(ou=;LD86+MpFWdZmW-huX<>f~xZjTk+1k*!
z3TlInJ||C@cxn5)4VPF<7DNfW&(FrAzg!8uA@<pf#{}3h7eYr;D8=Ik)AEGE`?8YA
zb&8FfwZ9{DR2T6`$R6BX9Fkn6@mr3HOF|TffdL{|K$X{}PcH?UqoBOD2>BnMJHZ$E
zZx}#3tx@p_(BXj2b#6+=WoqLi`iXwB83Y3HzcS#De!f}&8J=Nw_{4FIe}%b6k{~_U
z&MW(!oZiNDWAYK>zK|;BU|iXLac)LwRj;qVr8Ei+Ii9@bS(N+IX;VNa>kGotaWikv
z_HZ*o0KAN9+r~*+<(+E=sN=y6s_BT_?MbnBg`cmjj0!_@0^v+aJb1;h#%7Mn-H-RC
z)zNAG#Ok7m(SDAoaex21DY`!Cv>2(OS_*6yugf`yI%E)g9?m0RF_6FmfRC(^dA#(R
zzWQ<5sgJ%P)I(`Ooj#j0Ke!v>fn&&XrYH>I+IU8Km9WI6#|>03M8R7qZ;3V6>Lsd0
z%|AnRgxa-W?n0sp>DOI@Y$+Pt%2n+KP6Wc?8v-FB6?`@*i1mkJj`Hq)#JFZfIf4gj
z9V2}3>sd`=E)5cYU4fOG=`uCU3#j1;lM+SP<XULcMgL`C&gO@<x%LBL?Q)1sUf?&h
zdFK`Q2CZdn-|bJ&d;9(UC!c2rndAJ2->U;){-)faRGinGH>ey>)rbXoLy&}=H^JS;
z)2O0lyN{mz)+_jZfT3SpCWWNtB2S_aH1Z$}t&2#jcnHAxa{1Dwa>v$u_NCM5;j_90
zOV4V)s)cb=v3cIP(PhZtij*V5q$3i-UbRZu0!+T0P93_KfzoB;s#>Wmm+<@qhq<=C
zuNQ6gLUXlAN$DQm`Srp47lGxb?l6thu_&j^DCWDeB2KsvGwLG?gpl$jm}pNWl1mT}
zgplc5INQymKwA~JJBUr#_ozEwnX%~i>QT>tyX;sGM7XK&1pF|uDk(BJ1Y8{73Kq-e
zoX&7!^%s|~G5>J2Sy*zq<1eZI0~p5jiWIB@DfabG90JNhr*W72v!}mb&ziIhTNW(4
zsn%2xy=1K9w4~GwLlw2+5=&iTo0T4=)QpND$iq&==84%a!mp~Tyz5x0uR(>S$OL}f
z{R|V>42T3yrGK!Em<gbP?(^MF1AEQ>tt#seE*7+)gUFK8-bI$4-7)17*BH4q`d~QN
z^<cL`j)=7hXXI)o3q`^kaj%2(5AM@Ws#(m01($gOhzMB0?e`eK@$5uc4Uc&#SY#ug
z{h<DBoL07PT>@!)8>5x#zvdy3u)n<>6N$+C#+!?bYZk&0xMf;)=5YA)^XO&I*zV!8
zQ$=*}Ld$Gp{s3Oz60?dj*`BVorY^dd#S%MoC0X1i(v{27<K1@up4R3dp3S+1V$ftJ
zL=>%Qvux0N<T^rge{Ib-YGw_L;OAPZFQUBt<Pj{I*eaG{?;qOC__<Bx_}I-Q6@Bp|
z#zm-?Y{-pOajn68Q2=u`)(rrC=*k=sX(#Y++Mi0=`b3_>wO4LhP;ELoTp>`3%Cwn`
zF(tx&S9b=Y9H1|L0R$dRqgaye;To_<kXiS*k^zkMJZ}PAB;fm?w1{M+^(^XO>N98c
z?1(&?^Z~LY$yN`>BO1jvS^U+Fmg+oe?xn}uXXv6Jcr{esw=Vf=xrCp32*|;fdc!El
z4S%1UOxO24Hc1L1*4BPUmE(Kl>UW!UKRav%A`<Y)Fa10$5<`pU)OOwR*)TV$R$YGz
zvuq$c8ZHkWxZ9VmlWo2lB1Bu>j9D(d^$JwJ1r<~3f6N!0%uub@=CVRT^@rC8siHzb
zV<EgiAaG)4j2L7M{ySHxEWTSQ1)QrFoX>{dKB)SOKen8>kH6CwMPQyA^-4sh_Gfq?
zseT$dX^qU0xt0AY%B^DZV36(DBMQgzMf1xjYcCYu(fR@HvMb(~WJVDLGS03F)phIE
zFusHCqpE6;<AUca<3r}<NZA%aHICk6#2=SlZ{V14#Ne-4n4Qw`EX`!PmQsm4N-&Km
zK3t95Eg)Rn(wHc#`7?O505H6<7CjdA&y!z2+3x}ts(W4U?einE-O)qz(or+#lwB_y
z^w<)?lAE8gXA<vxPtZRXTfTPgRUH1XY~^jutu$!=PQir7Mzu8<m(9yfWb=yV@9#w-
zU!-OC+3Ln}`L=d(3xB(%_NqKMd74^%(p2rWxFPp)POsq;B7~&4R`S}*=Q8SMS9DF>
zl3u|rx3Mh&fU@>W=9JvhdXCY3Gb?VS^_e1NgqcCBXy1raI#KBF$*8EP7QOY{dpai5
zb0-f-eo)@a|7*wdG)<8dbBz$ZCJ?*art|Lm*Cs{Ea5KLy?VOO9%!$n(pz5PrkJE2(
zwCa*6XNs@+g>_~{ZCYu2C$bdn2Eldlv|pJ`ijfjkDppDWNTqNxr+1sWl#mP@wGLKp
z>-c@}K0H@3%L*ShG=&>mMs8(rC#5v9RGY0M7M2cKZoYXL43Ssr*`gg1MYaBji?Px<
zo$=p0>Fdl}`#EY+ASF<Le*3FY1?aWT(jUS-ODBzvDh6t)^P6}B>Wr>mqd9)2v6exU
zu$eq4x$9VQXCUfZ|9KFOIaFCbXh3B!9$mR-y2GGO-T%tZ;FO@Z0V)R?0yA2KkJnJ=
zC@!WhK~(7rSZUr>R-xm3$^87tzi>Nk!wW~>ldd(W5%Dzv9cR9#ySvT#ntCL;mDs2C
zQnFLzNk9vK7<(pTIak3cCf=O)I^)w}a#V7)DBoVSg3K4;QdIp&4u9suI+=1w#DZ>V
zFynCjBlKG7^9=}%P~ApQJnTL)^NUzL1u}R%jyiEgC^8kmE2FO7=vbDWAH}#uNBdcu
zc;Z1T=O!^9)L{yT1Ofsy<$jduUFHux5s56-n;NFCS0!Mef{S57*x%uf&0fePheC*0
znsf@Y?o7QDoItS&JS;7EKslcN%A5m<jB*pkwqY!8j*={>N)UpVopJ{eGDyd4Yw3)-
zwEnCyj6*Uu#n4<iLqFc)HUxrLQspl&MvgG}{Dj2id_Zo5+4%d9$2rY23LERB(V@CP
zU_atqi4$<}qfrX3K|x=aa{@S<e3TKI#ByID4}Wb|YU=vw1AKS8E16JoHH+Ni+P=e-
z@~F8uF^l#70dutZNVZdJ@QMA1ND$c$s4{+U*t9r0?Jk<L?g&3~7u0t|BkG&(QHVH~
z-IJyuThVcs&R6?cO15K()lbN(;l73-^a<xXn_djDVCqK#Z_|CfoX<U-Iw2Xx%)$5r
z{4agSjD)V*Ev~&*Tt&dMwx@5#G9{h7QoQJ(Oz=@nGZ!>Vz2|0%{5!DUCvYGfd9s%3
z6+)lo|L&*)q14p1q~iZ;78QTP##3h*!Ty&OHhqKD8%{6&H&!(P1aOm!)%`!Wf*@5U
zTR7BA(O5a&yEB1MM^{JnVWbiR*F_O#w*-Sf-`~oS0@uUuq1R1$4gAg+3ZH0u{{&yZ
zBqeiDiI()<j;aX%4!|R83qQUE)&9pJVF+5mFM5~6>pA=v-#t(hXrI}Y;@;*nLIbkw
zv>(C9dTO!XpnU43SJaClbR$}26i}+a;wiA~%D)C-9Op?72);Fx3PA`{WoH7A!6UzL
zBihsEM32GvhlVTI7m1<f7R`K9Nyuvu8BN%KTbmF*87fmSr`t}!3!~C=y;42eZ9A{%
zDDLajfXmO`w^l#DSTyF$${TdizqP^$lXuucXq$_nc3K5zlD+@I)I(+XZk``-!?~m9
zL{CWg!#SQ~<q4u69R}gkPQT+Cd0<q<z@;4y8vC0vrt#B_Xo?WOkq7ifh8SPjKGXo%
zK$d@W{w)i#NOfwb^c?>-1p!>cIn{XFJN^yjmDO;76zzz|so35kv#*3~?QpJgc$-dT
zs|(t?+hkN-zv4^BDwHK<Xk1*}Pihy&u;}Qd+TF21&|3~>DmZ>=#^bkjp&g7;8uTIB
zD>YaulKKeTpI+f<#T1jBj({K;efi%z+Vw-RVTcP96y`n!7w_?f<KX<kJ3w{{1^j;R
z0RM&#LKn<U$7B$7ZVb9OjAu2=K~_jEQhIOwg~I{|b>Q|PGHC-aX{}|bgW$6n6$%~S
zb_A6cq5(}zCc86*EQ25J|M~X_)izYxH!mwi0ir*YCUAwHO$y$+f`vfXAt~QJ{^$9}
z3jGD8y8YNTiT>>{=NqPtUVhD&e;@roJ~7N#<olaMKww~RFp$BCL*)O+3MJ?3zZawy
zwqzYAgU7}j<XWaE?pALmN-ap20eZWM+~?=ZB>Cm(`e}<dAc9ut&3C4*VgR9(O3$pS
z6(o4RUQ^p249M3w^i%QN%xT|m{%w52xg)aIU9)C2clAjImf7(d_XuU!Y^|)cSGM0x
z7)Y=cdFjI5o-&T6bDrS_<Ge*H9b-_I_02B!bO(b&iH5yX&Ae$K2!%Ju#IGmIJo#?%
zFsxn|rfRj`2KMn^CLeK_v}pRHUrVPyfuJDkOmAwQs!plj;QEhmH(wxW(gY~p5w8A#
zy0}eCT0yWj2ek+FX#*;2M~<3!{LUpH2#(N2Pu?L=3mBMItSzWjtj(Va5bY6fzt;9F
zi15<6;<LuDj_Pu<NC85gOZ<f74&q7B#f_nxZ1y?k>#N5%Q0Wf^2zu|}V{j9q-NR+2
z58>8Sp)?c09K-a=&sU;nHO_J$`IsfLj#_y^GFb0<Dr%I|xmSUuCdH{j`N~tRwmaGT
zgUjn0y<^43TTTm29pu-BrOB21m76Gk>#=?kFI85fp^r_kcWaMZSJjXJg2vg1alVVK
z@y_zzi2bX{jBsx6mDj{St}l3vjrvblw~%W?Hw=eY*Cpcu#oe0%%k9qFe7y2ap%;wm
z%%a|RCv4y`7_UdkaorDqsN~Ey=Fn9J3DsSi+d)|W)#T93q1UW3sLMVK;4F*Zz9=lP
z1dt^zvaNJ9eJp9Kl<xmw|2J7w5vV79@8e+tp(E~edhSDtfEo*R*hL&$LV7Ypn>!1j
z=*|CwC2WzeST&QID=%Fw!f-=_f<@e<dpJ$o7DIPXs*jbtd+|M%NWuAAQefc6k6goi
zuMQ?VnF}T-t<4`De5QYTjJ-a+zB-J#Y&_W;13f=n25v^@08g958=OAxk@A9S=Ax_J
z+?ucEU<;;_%9l*f&LZ~Wc;u(hT0N#7Y`CV9rIV)xUj&l9?RS{dt_M8vxsM>!Z?0+6
zZuew(w_*dl`iGHQ4m@{9gT5<H1z2Y~Qp;wt%J%Vd_#_d=rv>)L2357SWsZ@!<>N}i
z^I!hSyGR#f1a83KJ3Ncwv;Q?ryPcQ8n{D$V%kVi-ySmx9-Cwk8k1Mq5Uvnk8KAM!3
zjbMfI1%qR^fIt<qy2ZpI`Y3H=wB5!R*?YDjT}jzC=6XF3Ka~aT--zJj%<+75ak$rd
zE0`PBxXRGhSELQM178#6V|z3(+&8bUMt?7DpXIS`q)q{K?QNHq)R<U0_myk|sNr(F
zD!RRm<#-}Lo_(9-`BB_@OMF*Ku$`nk1gT&nH~MNfwRWEbL8steUO;ryx<&lP?eKSc
z<k{xKZKA#^W1Ii}R_E@(i#Ol7%2bTX`11p?RBNEF^-^1a90BV@s79MT$BO$S$=)^B
zT7lX0EA25aMmIb(Di}DbX&;m=lEM;?=V&ZRA@^h1^nQj*GSsS(r&gSNF*aro$@pIj
z7dDe+X~~;?S*u0NFOx$q_p>k@NxjjPud=D1rG7aRS(klOYr69Q2d!_3gptT8j)k*L
zZwGWH9tlv%d1a9tHrBQ}So(<~7{?@bsywB|HCf$%LqUAnFY=`7>9$GW=t{uO%=n<m
z$gm_moK(4$YqiwI?`?oGPD1cT`#Q`w+RL||&+3;%^=?Id@>ExB*N9KQ$Jag8<~Lj6
zT5~^{%Z-K&I}95SoBl-*D$n5kaGzXvpU(8z;Ex10`H9O4z{czxNHVe9|7z^H&Qi%f
zSD_`ptK}JlkKWXxzm2~?TxjcdJw%|xWt6khWEN3&i6Stnp*k-oU~E6lRGH6nnORVO
zIEzvFtrD#;w9#_K`Ysm?f)orwf!tTAU~#pqtSon_*NLMosh=xk#A}O5k??+@rG8j2
z7X`ar#A>PGeEGJux1O`@M}MKBAcl*}Dvw*PO=Mb?Me^96`r&oQ+0??Y#J@pTTRs9G
z#Us4#9+rKT<bM~x-gq>-KW#Ua?!{9^gxVy)*E~yy{$0JW2W&RLvu|`c><vxk?S(a?
z3}S5rpp3KRH<@)AZb-7fuwTn92(IN1mHutSX(bJcQ|TNR;14n8cg><f#(LlPL8vN`
z?>DRd?Sk^@oHmr+PaCXu<`);z5?{#vDlZic_bWPGd-w7wSelw9Br>&WQmKTr-(O$%
zytci1Qy<Tt2khRmA5?p8ey9{nX2ftQJXw^5b)hYo?kS1PiaJuX{~U!i_jt!R4Zqnx
zxcuY=>f5~LI9^ps!wnUc8Xxy}?i?uH>op-Mgx-+AU%g9U(Am|jch7hd6+(L556UxJ
z*o`n-cZgAX#RwUGA@OpBX>GCfb1W?>DWJKPQ4x)__wu@vl#SHI6as@1`U{3OKtq2(
zD42E$hE6$bJA$->-@ibw-eQbH0v*(w^lQKT!l`0ZqamMxrt%8lbW9J;YB@C)LL%XG
z?NsNmd(x5fdVYF4y*Df|way=tNIv4%f^VqDz;p0@(>+sw5qn>?jM3J6CXQs?lu0h)
zA*>ibFPRSuXK=b~u;+ls-@Cvg3+5Qd8^jQ!5kj*0cilRk@SdJ*9{|E^>Bl?xz<CDN
zZ!88uxRPd%gLJgo3{<tnb0h(MmrI6s>^l$2uhJH?WrZ6X(SLSBwR`3`uhTWSRcJS-
z`n%{vUy?@}3hU@onR`H@;44&1?Q0P_YKU{5Q7$@$D_q%rj@)~2u*K0*TJgvM>X`#g
z0d&dAgVFUAm=HF>dcW9qF}T3ogiySRlCRJMoNiExK+*uz+c44ze|RBOjkB@t31JW!
z!Jwuj!TkTPZ^a}~?*~!54?i@RqW<;Te_)qqF9=n8Q;2L3acDg$uE*-$-r8*45$hkN
zeQzmGmEI>1OY`<+$$|NKm788cQ%)8YRmbDcTN=(c&Ktn=8-UXfx&!1cFKgb9qNe(X
zc&7z}`2b;0rB@5*-}aMK35xuhki1<kat(ZF4Zpgw=BK%ZLFOsiD5l}nro3+@-i4W>
zHeL;`@y3kpOP)V0Xknaap$Vk3VO%YquibLZU+E9#6}){&PioEZ+Q&R0k#yL$rhlV$
zCsmI#e?<+&_xl2$+vafhoj|T}pZyH}ofxQrLWUJ&FsbyOZ*u@$9Z_IVlTnCA|7fZv
z4x)`RkRTo!{B0Sw6kx)R6p(!X$od1#m(+OXq|fjl9hc#RP*(;zkl%kdRvC&kRIMJ!
zqV{$l7&sS5opG^N1%S2#49*Y>98Ukov9%2L|1Xau<tjCf81#Q*76~|Z<KM}Ub5dh|
zhX8nwU{X#p&EGJfE#!m{fx}|>9v%l47c0!drY5BddP~-q5Bed<$HiJp4GGD~l01`(
zI(?^_d3Rosz53skwPdld9ufIIfM^Np?|X-$sMP-Cy{q6o2xhMJC#p!f2e}%_>AOxt
zkU5v<*Lu1&%<MeMNS+|^jQSPatn|xD#jc>GQ4Y>|dUgC!Mu86>A~-ary|#9CraCji
ziz_OkZ<K#1T3N{;j#^pDaz)D+j-h?c%F2>FMnDMLZS{~Z{^dgTAVC6pIxV<eB--ov
zzAYRUGJ$+KUt&>I9K+n{f>5F~ab90|hHRU9Suy?0gYGZJQo`Yb{u86dfsDKq3MVC`
z2(ro)RYG%fa|*iP77VpLx9HC*nQY@kAS=}YPKr9$U4|}NFw!;d12#Yz@?-}#U)Vf6
z07srhwVkNPnJKWvbGe)f4w3;s8T3#(Vc~X%T4ST4DI<lg=KjW{%J4Weu{Ps@LaAD(
z&1N>pH$lStNXqVOMB2XFf#|&00@!Glrm?(t|ME7_FSruV_^{8x1m;a*SjB~ueEVR`
zwdk$02d8Amw3tI}7&NdbC_+8?IZC)Dpzcp2cdeTX2tOhUfPR+-Jr*6c9w^n#jOJjo
zz?za`X$Zx_LYeR`du&j-<WT$BSkTz0J&sRQq;JB7jS=dP`5W+<+X<3^gH!O0e{4=J
z4Cap;wh}7!rdq(@et!jhODo*-kF&-6!Jt^sfoSpXOpp2{5hP3jZx*|VRB&y}uFI}}
zBJg}uhV%RTQ&*teUy6{ncQ;TotShwd$!}<#D~n+)4n3}7_EQUq^NCl0ilsl!b^2Pj
zw;dl79{28XbaD>+wZ&DQH_+3b=P^3byAa+)NCdU%G8Y}7*Tnr|%9OEM-I!$UX^-XA
z3cY5I0b!t6ad#=&>AZ86bJe+_Qe+ZieKjliD(<qv7eMUk8tp1?%0KFD%8P}G`Dyjj
zy9~I)|5|8FvHqM#XEm=Z+sNM-O{~!p6pr9vW}6kge+;)k2(KGdq?^k22(AV+{ljr}
zPMt--Finy|sS?S-!4Zt~?q+@A@{5q?7Aqh;pHM6*DNf#o#kQ(*npUSLIV8wEKgzPQ
zhn?`n%7yXS`>V7cOF~4i5?q37?;t7)X*J)pV8@ksbtFg9ev5y+2>5wpsUv&%!&8QW
z@vivFY6VmTd41p@v6N;+f_~e*<hJ{Z#)~J|K*#OetW1a!?+MKBi1M3)5;e6?9=Fj!
zoh)x5U-{iM>BEj6*~J<O(>}wBz-u>{`V|mEhK!BzRMf&4u>iu3=z{v0cM?YlcEW`%
zWa^<EG2f*BHrZJTjCRtk*`?(1qKqwg5R<9xO8xJ5&#3bZE*wQEDHMR)R0g}-5If%E
zpC>iPKXG2BLt9dg2Q<_J4N4)Il9h}PB#TPw5|USpadR~H7U}<wCqB~Q)r|&H|L#!6
z?X5xP2l!t;tUU*qo;XQPqlNUf_ZC=b(>?TdbnoXgIZw?vs7x#pDLanFjycNAiMYEc
z(_9}bevx!xO!(#s?Y2)7GKIfBo!{iU6Ll<&^>}DD(t^eA-D%ESKPP;3HX|v4q8rZE
z^+5qr^}Ay%ePUuFtOT#;ye=){!55!Qp7fXMGo!TEEjIR(K8+sf28X>_DXuV^8XE?O
zbMq>N7NnO3zJjTenZvzC3?E9bJ6@yqHc3S$JFdfqW4^sQvV})1R=*t3YRF~&hFqxg
z?yt(5t$Jvf*(eibOuy<r?4HW!M#z5-EHOZ0cU?4boQpWz?{+eB9QW~|lS15A5}Vdp
zBaLPebJ5Wxw`#|v8(E&^VSlbix;m@{4C1^pVdsK+q-EMXoIKPRka!{HD9hWwHU$@<
ztxx|psC<Ub@S5Gf8Usp~{USVkj^R;XY}W)Vo9bMwQ(tIsxhFanrrR_JL?5mtOK7?x
zM-kc)gFHIO48e=92dm`~S0wCbh7=WbmP`y9ZBs>gAV(oK1L|&Z{khUQ_BHx=HB&py
z_4D(|GV#?=GN0L%Z?|a+YEyT_1x>q?Cx3iax~RuZ?_Q}a*2Ydc`9|W_b)id+78c9H
zU3%+PdM!{ow(#nJRN$UOLCq=hhh?``DSGe)q<>MT>t=cHcY=t?CKi>6GRd9k8=^IW
zlsonRy!`X_fvaFFy14;z!SuV;N0LES9f~cijXqh8PuQh-3VHo#{cFrOUjeT%N~SxJ
z9%jdYYj(>$A%OAGXr0laGe404NNLsl>WJapQgCzPp9!BXXz^-wBRQ^&TGM1xEJHVW
zYC&mzm|?_c^T}%|HXck+Le!_vWs>1e+R>a#=0>SRc6;0jp><0>sLa%qT^h1A$PV1N
zfGm{ZU`|X_-cai{+mLp4FxxkYFgu~}iQ8};Pgt8=+$I_9XIX5pGU&QvBJ+QW+#qU{
zjV<k<lZ?rw-Vyky68hBCH_p_W^77E}-F&*hSKzTdpEXG(3}rl%+UAd&$0ULxt~~EK
zxBJaL5Bp)~qs+YmILHDsLfFU)gtet{#@?y*C{UApWm@*6uctGWMG$<=lsm%HSsC?m
zK}b}dMO$Ofv(B>lL@luG{-7X^S!(mUe{GE_eV2aqtEcFJbbNGtm#b&Y&DC8~o1*57
zYeE<(F7QUcetLFWtaGC~-^59d0)#TQ8wO%BYBNLwJn5BHPE}eqU9z;9FKFG*7y8Zo
znn364-s}b&<u1b(K_<Th5-KoJ&UIWyO&9uHO61xs(ni>RXj*t)t>ax?bV1jYmz1Ox
zEVF4PokN0zoezHbtcTY9YB6uCHdMwp=;&U)ow{wIKw1I(+4Ha7)uPR&OT2e=wf{lj
zS@F^@m&Pf63XjP{X&1a0qq7p*uC*W2Ba?y!uYlrq$4d0lF*7Eg!r)wbxGhX<CplEv
z1p2pdAkB8Wv^hHcUpx>^yw7^!)I6%O;e(b>LA@rtSZ-lL6DxdiF8X+kurztXpU-*w
z79DJ3VfB=LJDe?U`jV;d6khxAFf%>cQ7Kp#Amof;nh?^~*XK^#M)eY61#mq>VhM2`
zaQWOj$kls<IR|^ai`jjpwk%iX*F%{xHKdxttg|-N9))J6;b2}pNYcilM`%vlYd7=7
z0&|3BBZGhwn7l%sfyMSC6h^?oFN=R`Mt>qoCD<C}q;!s={Qiyw@!hq~M*o|bwRGJU
z1spLc`NQ3AU)<z?mCgsQDe7nvfc@@Z`q7ieCXmw7jnIn(6~EaqPzVhLF=+l>(SIJ@
zS2q&m0K8qO!65sL$Z+>>gjkZ0Ayk|V2q$CX&Hn(d9;KImW43wo)`RKW)F?$9Vj@ZV
zdNhnLE-zWH57&+!*8g)-QYo@u;k8u&JPsM0wV7AVhxBO+XCg?{tp2LXS`3+xk?s5Z
zn0}$$|Kt2%4CKrQ%d@VS)$TJ1+<qD$6W=||x+_hvcW@{c4Y?WJ!J$-wT>n4L6550~
zX~<2bs+be7efWF-XaNbx>Eb{C(=zsZ0g>g85P7Z0mfGc#_F}!2G$;hc)@ev5*|!J>
zWi)mN9JYB1H)XkUydC}`LXeU=2@#9+`oui0X307MM|8kYjl|wuxb{q{vFz<}&SI6u
z^Sb)vnqK&()zP>!TGP3@N^2z-Xpr0Y@#5m5P6fWWeDV{U{kxl1%^KM!&`YoW3H+SI
z0P+=<MtgmB;+wqHLxwzbYsfe2LgEcV%^qzSD(mdxrP?s_w&&2BO3wiGdi1q>TJ43|
zuc7)%#FiE%e^m4VWg>2fi%FmMv0oe;N_M_{$PEWGdfQ7=bqM-kz$Z>PyE2@`Pi-|}
z;y>|6B0>s?zQh~H42P*Ad{`eu(=nU-3P-kGr`R(gZac+XA_K4A^WrH5>Gu20^YZ%!
z6^I)8dTG`zp`W8WiK<U#{?z`-O5{VYqib7vkNmly+KeSyis_X909<Z;DMb|*3&>;f
zgB0@>_lM4nv+r?v<oqhUl_Pfe2@gk%CTxSrcZVkMbBST&Z|KQovaQJxNDk2WqmQJ~
zK_Z`eELgX$oWR3~Bfc9J(wP1>`3w%tqSh(RSwZ7VM*SY}gbTSNPo&~o4ewK{RdjA_
zt<*5U!bp60=SfiHDhlR5&#oDV^&Spo2Z7?MhAN`q^?zK-j^xMwLBGnOPL>VH@LwD@
zAP2EOoeBD{^T~%1{P(*^@j(IC<a|sD^xFe{g~CA}X&}V7|9xVIOMzzDR;s3<4uw%3
zf%ta^B$VPGLg^+oR5oT$NAUmVG8zX4Rn2pP6$$@u&?eLrMQD<dNuP-y@;?W-CRr$r
z{Zk-mL2>`lict#BzbEv;L(Ns7`lp<$WsCj``A`RN{Su&9Qchqlhvp+E(f*A?`1rSy
z@`ZSH8kr`Pc*Tv~4F$aXKjDo12rhqoZdvDqtB7iK-iZ`7`LMJ17bE1IguX&kP^?8n
z&ccY)MLRt1J)G=+QoR%)-@{Tca1w~j#q}H>0kbed{bT<W8EmCU(SmgvM=&thb15<5
z?@YO^j15_=pRNkfav<JUI&lG4WnAUVZ8N4Ge|Bvl?|MK<7P=mArTc=2ogo^fAB0<4
zoE`jtD~zY?|LLD|p8^L*X;`j1s(TEV%idWx@Fybwr)V>_bjwgGKhwP%w<~+ExLwu=
zk$k0dZlZELVQ_CY^8BnJThZ!&Kkz%lS3I0vxgJP(h(2`2@u5rWQc>0%z4d6}WMQwQ
za?HQT1@|l-$SEDSqW^V!z6_7SDzaem=gL5D+rg|UM^V&1eY#2d*vJ6%+Y<K4Vske2
zI;{P}ayT8<ei_3$Fu1v=k=g?sNw&&)Mz38*EhB~-a6@{_{2j3*jXUgw8xjif>+(ng
z{7~NZf?X8CjC-WG-+CG`YFR?q!a2O^F~vSVAN{o3D`?=DERf<iklcNC;I8A7<l!<a
z3|4X>x4ZBZ;LKk5Jw@p&<O*@XvWRU(=n>_=kxTN3rR1BdL^aMF0|x3_8O{~RRO82w
z`Ys{tz&Yn2#^JqNyg=+SYx&ff-aXOMLCuhKzIul7&SV`yzH`-cEMkJu!xBp34lzrr
z7$fO3*)!$F4&MgU$y3Qgk$L9Fg+mEH=hLJB7w8nE6VUG$`qFU&wf~e%9i3BLAzuyz
zQT;Onu~2^u8W8L8>H_V6tuxlu(H(2u=<67N8A6jZcW6zJbCcw}!(}lsOeC>@#cU0S
z>EeV7goe28+;6TDD3+R%7vh&8SRjg$psRF5M9J$IEePK^HB?f>>&^C-@KvaSBd4w@
ziU=4Cy`c>ZoA%r!@%CG`Uidx8Y8??#jNdhb8S>$cyoLziA)@7ve?)mK%$9p5T5%SB
z%BT?T;hJ!&Lrt2Hf~WDcYT5iMdk|u`DIY5Bl`z=4kvS2axGW}SJeR95#~u176^u}d
z{Jwpg+wvN;>B0m7E7pxoh+KgS!l=yzIAqn7H|N)8(S^0#VYC{qaPWG65YK&41&s<&
zUu^$riZ6nGJ=Lm7=*szYl6g~%;cbj<$X^A3l>wx*FYa-h{^q}l4IZz)=Ay{#i=|vy
zMEn|}k2bfbl;Fq%nT|IfSP$Z%dU?5g(7dE7Yg8Bc#;UQ2Px%=zp|1%QmluzNuT)pO
z!LB%CY`0U=urL0I0D@Ck!OHqKcRb2$l917iMUp(`#>a@9jY`KHOso)Q@m)kle_YP$
z7}o=@VU^PRyP<ZNWiP~zuHK`37j(m;9ne|m8OYxQDOhsUos=|EiadxQ7&~+U;bp^H
zKO&5P`h?F=aq)Crdc|p%^90A(XzQlzCgF4Q3Tp{0dsHu&j3vpI_ICB@R&nOW3IBGL
z9!fJNtpX_tss?{(VV(5U6g`#yVlmAU#vq&6-}DZO-j>>Uzgi<udgGd%?Bbwe=Ls-#
z=a^cUw?Lg3hw&cHf)YT{u%m`#A5%xTiBk6Fc;ah0(6CyzC_<OxatV{nW335AMIv%n
z;|1)DWZaeJ<@uH8x$pj|4k*&tE@93p+y}&NPN?+Ggbqnm**0)mcN61I{nCZ5;$L2n
zj=4SRt;emZ{NG^TmD(3-@MqP`=wD;aU8+iW;%U$dBp*=L=;a;)5li)$Ke*d|$Z}`o
z2%5|@7sLCfs@cH{4J`LQB7>`IOS?-ehdJ0N{1U-|gd=w;3k}c5Z;;ezVqsE<UHRk{
zBzv-F<M?+TpQ`{UA5$^$o){hdDHLm91b}6HaNM8mCG-SqfZ_~bPyrLJ>xE*s-5nFz
zTqN(O^JWiYc1O~1KHBzu&uoJE)uEyGYsPd}NXFy(fhyfZEwSk5S;3@d_(Ons9ub^6
zZVHL5pZQmS5(xh+02_HW(fIxRiJj`LDZ0bCH3yZ2LoFVnO8rD2omeXY@t1+bT>K%U
zd!cq~$Fcmzjej~KyBYOc;1?P|)YwulaE8GI*8@&?tMik-VR7*O_iLmCiCt3Q9Gy9~
zk!A_ryBh)Khlpm&%NbFjH8Lv<?N}SU00O+^4B(fj4MY_SAzYRxWw>y@vQ~bW*)=*;
zvias|G`VByBt-O&mYCp;o8^>JLR`@oF4woQt+0-@k$;MUF~v?s$yt%9D1gO(kBi2;
zf375S7VV7zIynXoieUG$D*OPD?|OuE819aUOUw2n8aDmMl;qkHn8=v|Ohr_laK0+I
zumGuHoBIh^lQ5N*Cw@$m)*{$_rx(Xlk#qYG-_sPJ-uJ%><IDL39{uN(WWry0rFoMA
zIK4juNogm|6;Ao8P~G@~zZOP|G9AKS0j{Tk9;I9d@8Zf2^%R{Y^%E|WGuuR{F}qt<
z5!DToF??gvkoY^Zq*ohbYpPOk@qSo$PY2F_T;pdOvgEs(X`LBWu_+IlA&JW#xzdBG
zW*SBw{E;ai|4};cB>dO^B>H1E$wIdi9`n%L=v=3hDh(X@?p8Ga@4-SI7FsU|;%4-*
zn%|PDBieb@fZYEw!4M!)+BPMS)!YFdcwLbh#D%X$h;07!<9s=EG(kqf)Ftpu>zpmZ
z{W)CmQ3#X?0fQp{O1fvqe!m}bME2XGX7g(R=>f%c9Io@F9gDokc&Uac^r3J?*6dM5
qwCR6&wm6{=lFLFle!o0-&t6f@c54hLd11joe^TOdVih8~{{IWmeD;C>

literal 40165
zcmd43bySq^7d<*A3JL-O(h3SnhlHf!5R%f}-QA@kB?2Er8V2bYh8nu18|m(@p&5o4
z?!))4yVm{VcmKbvam^CmdGkEy?6dbi6Z%<R@-Z$2E(8L3{7DL`1cBU%gg|ahJh%;h
zV?--00^S}vNNGAlAo#5}|8B)F<5NN)&mo_nA5=V&cV^vnw8v-f@26J0Cz9Ez&zbCb
zX8fq)V2-(jJEdMSDcg2Pc<6xl(=e~x(9Yt7<C5@x`yFK5t$;~N<I`X7kFJ)D$nUgI
zJoqnV{lb#i5j9vXIkdXAxH03bX~d0l8xk*}HPr7y27xRT{)KJggR_A^W}Xf)-Ml|z
z%T&F2=g^UY-@F@C{ik*dyf-<#K-`@EmqjtHdpCb*2`sz0Ku8dtCCSbEBeMVh?4WQ?
zyR4$(@<O|jfi6b+WJ0-UtKRpSz6rE*C)dH<os2kCBki-Bi)&15Y)+QBy2@Cu%Xp#p
z*;hGEBz-qi{@nEf^6S^X38<S}^Nj5(XOx_e-L4`q(DQImS+wGriJjfyB{I^xrglrZ
zN~f@-Br2nRwz<{wUSOOE_IMixYxsm}o0{S>bA#IIe)RJjOc{NMdn_XxF9ZGi75gb{
zZBNv}<(DqFonO2s>UoLZKVJ|%?Tjsl$5N0#G_PSF?(Wn$3mexP5+7~PW(K<rY|EMz
zu9yAf@aKA4)YtD&P&y=1x6(^fLu!F~oRdiJ+5*}x5xqwQPIsmSRbHaX%)BY<ZfIts
zQQO?!{v#wYQA^~)$y?L&<llW#@t|NEjmqY+b^*clr4@G*W7~IK0`D+^B&s|xRN*dl
zN{0e0#U~EzYk|hCC`;8Eu5F&@O%T_S!spIQ`1lci!_^!P0<k+@Y59g(Q1seJQN=_<
z!VI;7Hs$&1?r|x=l(j|R?>F78G&MMxrIyDy{|fA@D)<Fr4sS*$`OHUzaCMbz_K9kd
zB9ls9UV_(TT+Av$vdCUnQpWg{7;J0s-P?9<E7F<aixi6y%`qCSuo=-xw5%=v047BZ
z{{H1*;#kS(cT7p7P*pXeez{!#QZHkSUto$=i$k<&V0vc8#lWCAz4W}ZL^&&qBqP;=
zg-a`*pIzu}XM1~M&!P+ZSf@cJ%86H%PjI-eZ!-;%l&OTLO#D#!5Osa^0ew7F`lAwi
zKDU2A{Ab{Sv$5DW^T|ogFma=59X&Ng*Bxm0M*X~FD*21Q$hB6eM@?;FeEjQ}?uv@j
z%dj>^`IKE0idy&G>rPQ#hM}I8zL61V+Gk#U%dS3l0nhUS9bOJBC3AFFJkA^pwLDH0
z-m==-CLt;QT|i(Ww2dx7R!>(s6_$_^3(FX^a2ciXGl))2t;`zvhT#-pV-R7Js60V5
zHmYlBaYhOBE;n9o$_Z*)(|MhhkOjN1)w^R&=m`A}PTX^pl_sg&d~{@OWHVC`;qRYY
z*xC+scL^r@IQ3@Hd>8w$bXmP<_yPa4f(pN~J_A`(b86C!IX{=srOr~y@)qaiRg)oo
zb@%K-Ln9u}vsG~#k)Hm`m~o(@(sc$!`2aiyWvlyUw>6|$S+Yn84gXS(Ar>6?Wz#fz
zA3ubV5D9I=?cGxNUF|%4B_(T98!ii~t2ZCB_J;mQA$EPix;@O^sLG^r`)ku|pXoR1
zcrw0=hH$tzT~r~Ijxad*eqiwZ-8pxUdF)CTIw9nzcssigvTuGsTfKSNF(ri>yrN0_
zu9x6@Y?-E;yrHe_1Hva3Um7C|zxS+qRn>wQo95f=dbH>pW;oS4$>=CgzKRuF-15#&
z)d|*h+8s4$RYvT|tfNDf>Tfo^ze!9K%K!QwJ9t@sxU9X#>YJPMDckKC^sMwa%4YVn
zmT0ihvPY&b4Uwh#_D)V7crBmu!gu4KLBZHf`@PeXIgal;D<;?7cnY7g)@q2r6A{$j
ze#aTr0<XVbT<`6jjo;YssI*;m3dZ-NaireerP|#kWeu6fTs35LC^2AemhSsVGqbrZ
zdICHAee~wuo`PIYzP-iLVbx;V2jr!1sKxfxwoDHb1w~>)qL2uBlq}UKeG7v}{;rzr
z!qmxH#?r*Z!r@P2WF=#m22@2$>tJiZuVv8z=CgB)UBR91d{}>Ovxe6%Pld^)R<Fcn
zvHb)dB9*0NzPh5SHfqH~K}MES?VLVgb6PXnlb>&e7beXxY)-dygt5Qe5to$orrSbo
z3cHKc7d9wnj8@g~4<u3A(nS?$mcJC{mdqG?67~7D$I*%U&aQ39YgT$jX2BvveZasn
z=Hh}yyYxLB;q}UDj{kLs|65+&>dA|D92_1mgu|-;F<CBNYToke>X6UMGG~6;?I?1O
z(L7lHa_1F&n!)EZe$Oo%#e-E?gNSnIOD3+jB5duWqnMl`p`%*S2E^yrAsZ?FeilY_
zj?Ru=r<;<Yuek;7#|dy;<Xqic<%;{ERW$<FhbM6?y?tzPsw-<`r>Ccr(~~b-JAOdv
zyuFixX(x_Tul=&&HYO}SyD{c+a&m7e`UaQZV93I}yw7cH5$Y`3nHP7mD=QoGs;g_V
zBSNUCcVRx4A9$05Iru$}J)|`~v(z$N9g0)<_}aS$=XzRpUuVe{r-BE{@z{(3asTYX
z#B|;Fu&uIYuSy|B;CiBh^~lH^Il0poMkIo<5mcrjA!LftdNSB>r>hoCV}{GFU&tSq
zxVT}Fqm<|RwV=K}I^?%B$&s<OcCej}LzT=c)7e>J@wTk_tKvpDTv8pD5`DcTqd+|P
z!xXPW7EZj!O=vq+{3|ry)HKGv5uK(Za{RlX;PMLR7a2o4$x}U}bSA>tMo(5^RZ;A5
zl5-w;jYKzd{y>h|<rY~{Vp7ta|9s80_r;at+>m|a^ztHV%fMa+dg{hIP1E2Hg7D}N
z4{S_I8uu?ZN{u(^YKJ)T*~5Ex0s{Qcj;3pJbrn=pbP{7yZqDhQzyu@fPf?FEeo#0b
z;Xitmn1C-=_FoT9p`I<};2LyG_InD#)!+YGaL@O*zQfhpZSw*1OANYk!Kqr2FikMi
zJ0UVD1S}Lj9-bHJ><w79)!uvA#U-24c7BWYb7!GR@S{Is|BG}JJ36i8-%V!7(2ZHN
z2-6!@bKEd?T@km-pG8ILy1p&cF3-Rt$?osfF^!3ex!Ak*<24dkLkZ)QYq1jEJJY=u
zn;HBI^ZYL%g)coSC}@pYy>Jdy2+!Zv^Ev5@6v23TsJu%578aMEZynk>-ShGJf<pFy
zQRwRzBC#PWP8jb!|Mal@pMO8JrO`9GZvLB@`AtsT*V#=;qe{NJn{t8AK&)u+rKq~P
zi@!)_jQzSLbzUSXvHv(Y<gO2PCwD)!;jmW}dp><H)RBeP+T*G-<Ou`a-b}guSuRIL
zaqdfI#?+9twmus39Azj%t?|VFnubO-G&d{jWCxRm?wCiPU;cRSuTQtN7q^+t^btNt
z^UmuB*mpxt4!m%t>n|+i{Nln@Q8lNmOlORJd>Idbx-VTx31wP}n!+{3NM!J*|CI9H
zC2@~%&i;FIlydRgsKE+EsWBT1$AO4sP%wuxo$_$0m$$uR&T!}c6SG`)9@`y~Y-x6a
zKqh;I$b+O`Jvbs5mkR~G>s^>{a8ZRG?MT^gEuk{k<pIA#Dr7eay#UkCkhc_aUS|FA
z2u{QP_Nnexs1VlgL_Y2F$T&{~TTxz~F%1X$g8|3(i?Z@aM^}~Ya=yP%r>j>S0R`>t
z?S+N%=i6N1Daw+xXxWz|Ym*YvnV#aBUUAVeRcVx&jS|t-_#bJRGX}3L=WMrkb9%jq
zBM65-Zsgfu4M!n!f|-$d8%mq3sVL7~CM;{xxZPB-mCHSR?~Qb}wF{KCmHpmKt*GZ7
z)&yjrYR;$wM@|U|3Fyk+_SHlN`WoHB9&e=wvx8=iTFswfdW<WKZA>z!?G*-CxzNWO
zJ2Z(?FP`GM1kMTzgQ}{8cQkmC75foR?DAOq>x-g4ogLHBZASG6=RLu{6q4U1O-)X6
zpI3vcF?jxn8DUk#%F)`uyQZzGTWNkB1+XBI;!bkz#5=`4^+Gd~HJFT?ebS84M;#iz
zrumMRzP7o!vEC8r^Cufb1YtZ_W&1(%ytdC$HB(O8nn`PBAFZh;re>C`&au`#DsrEF
zb(bq$!$EfObJ%XLny{ctq$X+Dd+(&IjF;5M8zmJI(z3`uH61=2qJ^MwZp$T4)86>P
zvqQ|p!g7E<Aq^8Bj7lTd<dY@S<PePjkz`6jqFU3uVw@9j`|8TK9^*4Nr7AOCprfRx
zm=b#fU3`0Dnr|-coLo(ddU(!P(#mRUyhs<dv+^G5RxxI+#;S?5`qVv%C+N0YAMoAK
z%Bs{#Txn)z@;3I_kuswK-yt7|$98hZ>SN!#k)lWWN@+vh=J#<(X#LN_5#c0Am1Y+I
z`Rr^`Hg}7<iqiZww7-}3o?wc6&OkPs)K4Ucy9!%)LbatlstpDc0g0Xm9(#uIA{<2d
z2CKH9_VPz9uCbBmXwo)z-DC?ht8Sx`y84;=`WZfZje7U%DEh7(GgKD1f~IGvZ)MU@
z%sp}N>hH$~S!qzwu=o7W(RyDA=rN{6vD|;l#mPZjunS*jLh0zz(`B+S_u58B%MrG_
zPMD_l6Xs~r{!|}(*MKNvJp_-K|NOt9GzOwjlz@AEPj{F3P=09W_mHQ!SxR|J2UQH?
zcG(W-Up@D+dnwlqht1Idh-vc{O_zGk?jvv_lldJFcS3S3-X^YO<V4aaJlsczKER9k
z@qi@sXW;F>zLet+?llWv;42uT!3tj>MMac#=fbTE;MSLZ=)e2Le>!NY^<NTUF1#ea
z<CvSSDiq(Nr(cvA5PcC9;^pN%k68~^9d%V694IVI+l(0-Q<IZpT~@cVwKk{W7ZjA$
z)l$t5lCZ_Of8XVzyb@Vb`kR6rZ|~H;2?qz~;{1Yjlr*k~*|q?2CZwleuP<(TvdO&;
zhi}`TvLGb1RaCT8RL=V%Xi3?nbsEjcllt`PoeuJTI~&hgJ_7gJtabLcnyZr&d;Vym
zx}MLk5UQQsQj2s;9y%d_3W*2%buV&W=MyPvnyU8hJfKTl-HT4uf9to}V@eWwv`(Z5
z)o{?8V`ZA><Rdd*`(S)TGV8ayYZLNX=<V5MZVVDdXM=xHt`0+1R$?}yi<H<+X3rmH
zye7#H2#)yF+Ai~pNRuTtCFSu=ANyr7K7piwp{Ul};!=rEqw}9daG~eWEUhd5EbGqn
z)U>31jMOnwMOjbpg|q1SMEvU#C^(VJZ$@UU-zF6oE8M-NhXV1|u8wv^zX#rrs2=T>
z77%1g4!KYA<JYgWlVY|^b8Z4PHvP<`c7dT>c%O?iTa|HrJ#kTn<Sjpu-sTdyKEC?#
zap(q7{-TcReQ<M3&MZekV>8;_W@biDW}nFIy+OJUDtt?iX=$2ju8wYy+VER0(!;Zl
zA3N*oKZdpr&z=OW-DJgI@f#27kE@YLK_1qyke}h<Fz<6kZ1}j-r<Y4)FkhSPtB=FX
z;E6^@rZCX4#a#>?DLiVN6sCXOd3}vNPhzB*_Cn4kBqiC+6?gZJ9A~YkdYp#_OR$h`
zFE3-x6;juaJfSX^&>w6+Vq#Ren5(CzG(@jfT52jo{;m~+73ROc*T^0AaHF#jA+xZw
zlgmtXun91=iU%f;k*`3Tkc^U=LV%f{|M}~G1EZss$NJCb^z1(2ExVFca!%N|xtP2r
z>{>mnInUFgdkk&_>Py<dT@Rn>F->ek4=Fpp<Ccw^-3R|hStg#y@K7VvwM$;6O)J@X
zObicLtkC1m0QBVaH11j5S=B^A@+Eu2)F&wD)GMss+VFa>{%D(>trw4zuGT3`f)6i=
zKZMcPxw<~?Z@E2YVl!Xe0eTKALlme0aiR@TPN!lYjfs=`P95CkLLzy%h?t&sw{$Tk
zc(<TLJy@FN$ESN{=la(M{Lf6c0(-l+w6equ-^55r26C26PjpJL5T2ZzM$V~&m0{=i
zg4>INThPeO#lzRvSlgR1OdKEIt(U|Ss-mfiG@p-JRJa5|>W_wxza(-r@d&AfA7Stk
z<oeV#TAf_V!oow%NTX87$ha@@wbcvDPSHJ3I%7%6i#UCc^s<8H`GJo4@r!kPtYYP#
z3Fy|wVAfFSRLy-db4hOH;h3Ii3H99E{C9qIuY~F2LVo@XWEVkyhtkPw@n7$kM90Z6
zt5}t%Ao>np;pyn6gl>F3{4`7L2=YnOlV@I9!u~IYK>_OQv{*gNB-G3V=~tB2PaqvT
zIdc5!Q|Q`SHc_a>RpP3wp+#rGuAu*CCKW&z;Na8h*Bh05ehwbp$)Gf#Wp?|81I1tY
zV_VoyhHNz(cNF}u*5T|Tn;Qn~F^NU`wLWKK{rxBc5iEeR(9A&#EcWz5L8O9*i%#YB
z6Belu?f;(e)%ofAF5_HZIQ8aAL#<-Y8)^L%_4LZ^`naN`T8&DQQ>Z0dQQ)aZie8zW
ziOEAp=H@ULqK#KW&XIxwQ!-hkaCJ8FK_@r)za6Q*+;z~5K`J31pQH9s=u--!XB1p-
z(a+z$+&>HDzFC<R;cLCsWjK{KpP5tx0&q(v;$4@$ssU*NQxIuhKN^6^&{BO)mg&>@
z_1nPom9NKkHlbWra=pXCKhApe6A-!#E&qnCw6xs*w#kGZl)U(R%dLV}LP89*{Mz#l
zFN6hIS+z6B-#ud3j=Mf!-<zp)EN@JWeE+;^YAQBK-C<?o&8$*(Et<;8uBOz%unw6~
zADfFr!i#fP&bpAStOyofcvhC{nXWKnMm=I#z41!>vMzq3lY>#xo1Wg#USHqWSK05w
z;N;O}jbJy|Q{1-3>x+cQfof0Z4BtATo7P85&Rt!>(^M6d&6&DpZ4|0C&zX#?G=om8
zMJ!-v*G5)O7Hp%g?!LL&eU!JkN@6_28yf<^y!Vm2e|Ts_$d5;ku8y%GZ2<vy0P1}e
z#|#qP=*UmU4_AvT(V#^LBU-k#VFAg8Dc?#VS-|^XDQg;$K}N;49z&Lj`)Hq)xyb9f
zMZwiQYsulAQB+BEMoV4Qvo&Tc2rTn~EbF(4DYd65@8V+l{q5d=i5zME*0Jh_KK`w)
zk|N@q2C(g(@LiC-KN*GgQJK{cK-?_`o6m4i`l1~CXWiC~u_rwp1xM`z`lqK(aa}6|
zb^GUU-3ja@WGYJ}0I<C5BtKVGgDmeKy3nUboE9dDt5VO_RDdVv;LdrR0D&xTpinPB
z-$<#iKQJ`(W01s5GT76*ns{*1*>ZUH9i%0v?K$6<uZH1TLPR0_K8wHES?_X)YfVor
zFPk~@C%;3|vmi2c*n$VvL!oq%ID(@3dneYhoa$>Nx=dGQ9d<sLM`(tZ@(_cW+D~Lh
zYKy3~-Q9!UXaeo{q}hVzyx&LjI}-?{{A{E;he)q>{l^E{5Qkb+=!38_Tz6rbR7z@c
z8VaGFw#mU(mF8uqRVUA$(TbrS67zu^9zOk)P5fplDL8SU2QK8?)jdcZFun11Qt;&u
zV)wpmI-*~y>zLky7(kvV-7-krloz~Ds~rWnU$du9OpsodH5QYm1QNjY8ZbQ1y#3_^
z=R%qq*uj_0z+_xVQ15<_*3HJ*cwplh)<<uUbbv0F6<$$+R8f*kn3)djpl(4>z9IP#
z2lb@Q=x6OW8~4hlF5QA08%yA5{_n#<e<f8v?$I_yMt<leq7GIQr2qQABjU<>tB4=p
zt-_i4%YNt*+>!90;D(((=RHv*nS2U)mN9T&8TKkixcKIv8>7F)RbQ$=;zJhKf8^oD
z3{z^{?EF}AUeUF=??w0R%lO&1{PKoQDeX-^0EhjD(JMSZV@izX-j^iu>&qqzy-%sP
zoNI0~103*0WX4Rz6zR#r7T32_JfVT6fSAG5053PH6(gOYIM+X%P5-}x%1+setCEKG
za2q*0oZo}oX*NQ>Yh}P!$XLt!eK^gJkn=TYn?Hs?qMeg6^1)3o=$xQpi!*oe9!OXU
z{Cq>PGc58B46@*pDUv`QQ6;sQ&Y}{mnC>tKv%ejb`3TVEfH0EPPp>!R`T!%8C5;)v
zQ%IJP<68;43pk2Yzr#h)u-4RgW&20o!io^s&Bn*V<e&p0S0NG^mUec7d#LQ(NlsSn
z(&rri8Z*muUh-lw*6dI9nPPfyvJD%DEoT!=2^as8;jzy;;tl(EhG$=7W~U$ER20NX
zvjXhSI6smk>Yvq+mIsG>AIgQBSsP!0{@&DNEq`Py&%*yMn?gt^xU4gc)}dT`^V`gF
zi@usCr;L88a<jF2zEG%-$lhcQt+2zshN<df!Z%NGt*vEzcTIoM_?}?{f+Nc-D!4@%
z7<zYicYC_~8Pl<TnyRk03JUXOu4d<GenRkZjCn=<)c}Ec4Si5yTFIy9Pv%g_Alk1%
zo)Fof;940AsReW`LBES+_TX;ht746tNF%F?jvoCjXE3U*r3xRZulI$vt{;U+F~o6;
zQarV`-h3>orMV>l&_Sj5K-%U`@9~}^9bkfa@B1-4=Vrdfhw)rKc-wo&fU5w(V!m`b
z=pLR{ZoGeS58{4@GzoD{QiK{gmP<WEpUB74GIQ~=73EI(Z^TRI(WU2h{x>;DXu}Jy
z##kMeC<BZEeah$VX5jz{YqP5va^lB8{Zo5qW=uAh0znZt{QC80L2`0(Sc^7H%2!#r
z>ndsd0CR~z7Y*m~%==aHSsK>Ck<l3$zOpW7)p+EltExo}$Hy16K4Wup<Ybh#c6JQW
zJ;K5|fnp!r`rD53$e}AcJH-|s>Y}3lLFv{Us-eeNoYYTQq@hQ~U>kS$y%J(`3d*De
zy}q!dUDVnkCQdN4vs3EqFiZh8>;4_n&BM#vJv!;Q_tj*Uro(?bQ|Sm$6LxI<(pg;0
zg4a4$_X*qDB$5)Py)Mpu>xBVP4tkz9=4?*}?`V(3>9Dywxj2+njuNE^`8K#rpzFrQ
zVijz>7cvwYjDpY_He+}LHiCYKEW@0%v;$e69*U(cw5`)9zgDI7Ilf0IE)fL%elJPt
zrR^^D8*?RQxK%K^Z+O^tZe|j6L*Qn1C}e_^A9=0CTd1F>26x{R?!A0Q#AWTKGJ!+u
z3j+REnL|THK!6s4iMa@n?lTL2=w6zPB~KFW`R~6|#(ZVn-ri2?PnHP_3+LtG+1%U(
z#Vgm|VyeNovha#?+R>>LfR%%iX!AIRSGeJK{VzKFlc{zk{eS!VUOhZAzPj@9(6Q6>
z98II|Ai-Vj!w)i*A$<`39Tew72lvS;KN6%nesG2g)AecO^@F>YgmUEM4<)I-a#icN
zL-sLst>3Ff^k6z{m3h^eiBRrd#e=YM{h3P9cU*KMy(5{mIp*_UR{;3ojP#tn@I<=X
z^r~|vCnYHleZ$a|<mTj{H$s1(*GSMEo}NB)^oV3LguysOdFh1Wdlu`?W{g#NPH+gQ
z>FMax9A>9hfz06R>)X|#%*2$RFkta%=(e{YC8p`Ugqa-x&MHs~S(nyE(K8i<8gZ10
z)xk;y;u^bvT=YMf($Hq;PqnsvRX;RT1K0vdbFwgvLB%ve!xsz;OF){!A)wvc+493+
z80A4NFUkGxIR?mM6DQBZl3}~T{!e)8VbJ#a`g+O8oRLw!2oDS!Tg1a7BY-sWt+(-M
zMA)LcLSHipy%Z2g?laS^cH+TIY@%R#bX<Jgn!kQqSX<M_^>8DPoSfN-24nlIK^#z1
z*&q-FAsc61+`Vx!Ez_xdd=gfMr`Qg`j%(^$5RTVV)3^o7+;sxJmZSasYZ;M^L=Wyp
zij=*hV|gu1&&R}N(!bNm-Y_>gIY~@SQeimTtspXu+S+<bLU=xZ?fYUo?wz0@ASw^f
zW`Zm18Z=xiFCu2?N)B2GY)~i^qAK<WgWh#mkvsM{#=H^Z#z#ETfN?_)D~SA#_Kr$;
z_?(E6U=L9gxeiiMGQX#qmF2<lGJ&d^Dj%QzY_Z*H)JpWLtkrh940D*rN-gcFEBaXE
z<SYQ_5qWuem1Sk0nTiJXt5lRoY02ngpP^5>eSCy)a7d81ed0eqTi8yC@usAAmY2tm
z>tO;h&r;4Yf4c9>bMjdB*MoiZZ23h~0@BjVj3LtA`%hL@jHRdmmkl_7U0vb1IU33_
zwrh1`B&zXTy{JM}b-X_UU({j$86ltotjnf`N^#A$S9?foNUbqLfqPf$#Mv+Dg!tXu
zRw8sSv<fS{Jge;Hs?L$@?r-_@M^E}jCl6G*F*WDye>Ab%V=Vsb^#mk84zjB=vrR?L
z_pi*}tS59Oat<z%4V6|2p#rpd^_bpF*Y9z}_2|}GO>U{mG)$NKC%au<)=5iuH%=b3
z?7!!h7tCg0h+6y$$Wk=Ar;K8EBeJx<et2+Do{jQs!C&91JQ0BJpAnCYu^i8i4F2tw
zmFAza`(Kk09$@M^Duw?`h>?M+sSORvh4bGIrgeg=v5?~4qxHx3H8m~Fyi){aaUWzs
z=BLuUNxSRYpaGf14Rkume+2^dhH5?L^bflevJqPZL{qDtY*)d?d38n2<qeBU&z3~c
zhZs40E-~CaTny%m>!4Olw_bFS&VSz&7b0HkS0zH+G~D8fZfNm7rG|mNt}j2!zVYH#
zaF3tG_S(1RrCmYyF!A(Y+L@8r*=Y68{Pw6Fi2q(#;4A1`L9QJo%gGRSb0Oi`#(CdF
zXu|gY;|2K45Qor5(gBHty7m-^!@YfdZa$5bNTfIBS71*p%bC>$x*8KmxcEX=3nc8*
zqm%Rf=pq~2f=U~`TIX@>k9;deoQpn6b^rZFcEHcLhFh0w5%7&GG+xH`tj;xB+75j?
ztH=43(frZKOwtF_=boY~47k4S@xrs?FndoS)E#YJQqmZoTIWb97Ow^DV~~7fVnBEF
zbfeK4{k5<V_2<tQ&`-`?40KS02U*Tfbvw08#el@X%v`ke@D(wp4s`5l%1<<M_5|~y
za|Yf#?Vg)!$lub^)~2MxCBW<N?A_hjd6E9JKnD+x+u4~I(D6_9flkb?Bd@EQA)R%4
z=(3LI@y49}iK2fh3uEQ;rg_Qno!zn2KX8OCpsGMiH#RsqYHMsP2c;-a>{uou4DNf8
z{`Knzgc^L%Vpb;w)H`i$9B$rT3+rtQ>pcMO8Pg%6d&D{YHMP}Fo;u3Pp)oP5tEJtc
z?hK-hxqtp>WT}*wmGSCVZ&{f4{I1loMdatdN-r#gl^#md(kf)vWtJs(eFNMJC<Zh%
zg)Q1Lay^e8?emb56Dzu?Xn09Ps5uW;yGIeeAWx`PFVq>eDl=UjT_qVceDSq~Iho(J
zFgqIv);cV8tz`RIN?`~3GRn#_fCg|;c}D12RSOD6^OBOif_uYz2d>pRr8K|>Mx+WY
zFYmsIeHJ+^udjdox21!UA~CpeeYvb<&FPdzsxU9l{MXV(<gXAQ5Dp~EM4$Amlzu(@
z!Gwb&m_5l!5HuLeuIsWYEdyFze!1{24U?61ph_KAV?`3QvP8T^Qu@|7B=HGX*Yr)W
zklftd3M4YSBm#3Ve-v8xWB=cuANh$tx+$`c9s~Y}#x8?k&k_HOlY}&m_w8G2o~dum
zM)dS)d3h#hMdtecqDR|#D*2_QM@H#%A)QjMA3Qp){V!HHJ#Pdr0kGrJS@|1Ec_|1U
z!mgD&k`XW~>+R3*QJ`q`CM8F^56+DNW#CtcSil_$ilpf&f##0^OmHja{QS_|hLXI7
zlCI$vTj)iOQa@P839>L)!t(Cw2dJUp2XakM5Wdjg2{Gn|hGuqVORJ0h>qnr<)2Cw_
zuyu7|SU){kJk!;fURQ${)lo5U!d)jS6hu^?m9^Ei)Y1m67!D0@L7v@b<qoxMXaAM@
zHBbc*AyHBPg~-1AweSbBCi)2aGOi2b^TF45IBg}`c^!(-sL1_Od<GhDqLTPNBhfO`
z<<F5Aomo>Qs7vk1-WQ3CHOFdb8T$QU4Ns4`q-3s2zA>XxP`icu<r7-6qiz`mRn^fg
z25t^%>7IIUYoxnvZEYH^?Ck%sh$;}Mhid4k&p+Rei+t8c9sK$A1H8vhu8vDbo?~jU
zfZxj4?mRaIh$y4yV$~^XBZwO4+<KOl;XfX{VJ|A>;OlAB5b7`N>y;I(Ez&QU1FOV&
zna7!w)NIl4?`Z`u3vXCRl}<mazC2*79&f8>Cs#kACV?fy6e(KE_Q{@mUAUxG*VYDy
z^vcS0Seo>T-*2}M#@NMiu1R(oA#a;wFdm*EZFHf~nL*C>M~`R!a)^0o{D(k{GN#&^
z`z1>$3z%gyKr^+;-@^w_kB<`*!gUHhW(+#K)1laoS65&ujyPg^Nfd<$KLO>{$nPx|
zkyABQxwP>4KF#_U+F&ij3qVH-9&cB>Zj48FELT*N6Dz98W0T{h_|(n4y{BtxB(fcL
z`r)I=*1-wzFy((N{&^!hP3zqD^7i)nn&PS+8vmj)azG#{WF^znl|W6bja{!s9|kT{
z<<{3<`P@qFSWT3A2|PJ-<5(L5`OicpA>a`@%zGi!WS~MKmE{Oy6#^b;=5}UmXDf7Q
zRM?nV6sS-5#2WVIbt>~MaPI0IeMxh32{X2%*?EV1_u9ZqNhS<uPv8H<O50pLPL|<%
zX?xFZtbcc`(YS;&Dld;5L}?2iK%WhB*np@KhuwVB(4*zk9l?TW6(ubiZb3SSSba~^
z7zsqRiqhKpGAj|eE)#1l;!5Q3pD#(wD5x*7Jvc7cZPb5fn(MqrMps#Qdq!F_%~fDh
zay?olE>R=RLO?A{c<;llt2>)bRDuGWUo^__dXR^Q$J1!~&W-#e{jNwY&;O(yPVD(E
zMzuU8WfqTU2_Rhm3FrSpYHGb&i8#ahjJ{>RiJq&eW$o>osC2HHFQ9hjMiTOLT)qaV
zSW6?GTEM9eiDU$ld{>v>w~O+U66ttRbXbwwmf43HHD%cdPR^)D;tr$<@lx#yU+E(-
zGj(FwIvHy7V}jYklas8`1RO^ngD8DHBAuHQEF}3bC%?OJoQ}fM>03YvJEay9h|0cw
z=|jpIk8YX!c=A||tzVwNZnEjO`TA2}VM;H}4`N@4iB;t)0svvcf5WVAj>F2p&TMF&
zT{&L`m_!mZJ!{?+KO!a$m1VoOx+pwId_JV7&HP>lnz@VGBncBI_EZE8HY+W=5-(zI
zPgg57x4$zJld-X+(3i2#f&=fDPTFvD6Z7#g(rxW-s=ikBy(;a_*9uo7CZp_IbkeYi
z4XzE#SU%ZPWz^Hp`}|AI+SvA0Od|K4uK@wl%rbc;of8^w(+vA-&a*-DRMdESIiT;o
zh%u)D7MZq1r`wml6E+n(BG03HE`s~M)2GMAj=^Aa6Y-tDegR3774G2d?B-O)Ua!M>
z;2t`#uBoX7YR1brg7`$~-oBzpe((&mH9v)R4iEQD4-2!~Z!B?}OX3(u5hk_3Zp>P`
zY?RftKpi=}Rb5#rsn*}Qi44FEeE*z-hsRJPZYTNMMlQ!%Nlq|4F3!8Z+yDx|lTwzn
zs?TPrR+gKqYvNg0&3~~ZG&IRc`uzO4&(jaPnc5Z%d~_ZK_YmUV0}<2R&2-^q%Bnss
zD<_vQzOl2@B>SAaqi>2_*ZElT6V%O(7i8O%6k#12_scz0@bVFcavZ_$c6q%2;*v9o
z!uKwh$<^V|Q0cvgj$&zFFe7g%Ts1Lr>py;qthpxHp{a+vy4a784i1l9=t%*_`}5pC
z6e<ML!}S;S*T2`+*2L19nvGUcaRkQwgw37#sYt_Cfn8yR|LN*5x0BGU?uF^$R$@))
z@nnC0c3w50FG53Rf~fsedCIT2CYJ&qR(l5a_72WmhBY+6^l0o@jKDz_-up)z`Uh|V
zXsW>yn~-POyAv`~7Y6;EqWnaVaZ1VR1JtO*(V~-uH%V7j7p?|3UWYnX>5$&E(Oms$
z>Gh|P-@X~~sWU3LtH*xO(ZPc_nA@2Tiqy}s7%+6G9pU`|IXC+;9F&x~hK8A$Fo2sn
zmfPAvDM<v%GH#emPd8KOMv}e1Mx6zgnO*1;i<+-*OQ`a?OSo)ZgLIaBPp4+JkD|Fc
z+I@a+Z)2movsbgiB`vbDV=*HKl+5-$L`sV50?WKR_9RM&w+W=`J3eu2dY`?jXIff#
zUijey4#LI?)O_DoBwNhyz@WQoYU4yv1^RPCPBA@;TZId-2Z3S<PQ13m=P|asDWGJN
zw6Jx>b(tJ38|x-hlLQ0+DcQ=VrujF)Bm9|0OGMU4IwE6vdv`w4aWXn~Ym4G71)@M-
z#7GACAA$D*sUQr>*x7D>z2+o_g%r3`q+fEOHg={?uCR+}vfRQvxV?p!)ASwP+1bb8
zK=7759=pTidO}goK+heFQOx`7Tkfkq)cidT<}a3^#yx&WtSBR6-90%17!u_-s;e=h
zS(RF?ShL-q9BYyZ`k!4;K3YS~7(E!u3G-ggw!Sv$2&yMz0xhl%#FW0mi(}Q4f&z6m
z)u+O@H(P@0D_9kUQNB14fPwPeItT{X)A=Z-sDXT2xz?=L80J{J7ccLv-O;~?W(B%K
zqgl0BT9uBPrk2*<WhY6hxeS>gKBdndUGwAHfW-hVJJFP10&5W?OecKv*#F9Io}x$>
zoto~)4AgjaZB7odR*+TL`kQZm7wZJ*3W4P-whITWrBSQVeK|bhW#^)+tFf`M5`f?X
zLmfeTrOp%sT0Y6kw%4@Jo*dpA5JmP$z3%N}HYqFwHNJP%iLX%qoy)iG+D?;s>iJ#W
zDucPO0TBrnU?3BSae`Tz6c8VM)|9c{MhOS6wfF1Qc>I-2^%wn1_5fnwVP_u*@ihd5
zdA5I%J3YHXCE(gqeakb7DpUK+2ExOgiYqVN)?o=-3OY7r!N5czHs(NJqd7m}vTCOJ
z)esn`4kkN9u{%lHY%m^iQik@>S4;I55xt#rk9RXJ35Oy`cI$*@V%aqJi_oHj@&{Mh
zjHX7u!{PZ63>*~pV!S|XefE2P2mc!}jOb5J^_?o+6KIUOing}CkHt0vO&nYao)6!)
zb8m+&##58%0l$i}qU!6X-@o7WJL&68@E=~&JAb|R%Go%BJ=1)C8W5-pFpkA{1zw3e
zKT2*WZsQ2V+`Z!{HO>lLh<jL4Bx2|-LD3S;7YKxy1CyKI_8&83MzvkgTJ9{2!`H_+
z=!O)gT~7H`URih>Vqjp$iL{*Rx42=PE4jXw+}aKCk1T%-+_7AX(>iiq9{;1LOBvi4
zBrNWIsqIIwQ>6qcQv&w5smjh+1#$-tafqb2P~lx9o>>V}zu}@8?%n)SA?ZvdH}4xb
znuBw6vR&X$TnPH-C)hs*M*(r*v95BS;-tL|xzv#D_`!H{aCeI(?uzVE;M-QVUBZ)B
zcz8p<C;c0+H6T>IwLtSHQh723rgF1?)LpUHkfsO9E=EwWqj(_`b;#LZ;vw<#o0A%e
z-}lu6P1*ga1c9s@Q}<7C(P;1?gLpxK@*4turXoR?Wx8h=kx}hJcP#@nLHsH65)FO7
z!=l6<P2fcsCTTc0m!a;<y2h+)*ZexGith=`>%wV>2@#L>R|Hx~)o7P3lf2)|8w+B{
zf~0AUq@gO)$>><c;wvLi5<8{xRNUNL3D{|=sOkbvb#;@~ShS%~1)J#_-*r@yDzG}F
z#AJ<hD+w?%Y;7D2yBE_#s?;q)HI&B%ZaDddS(9=b-#$!!VcyZ>M8Uchdw=Zca->~f
zZ@+dmDy^$hUs?P53Uvnr#P!i%^JSHb%k30k+8E_=%_HMtY*dDDyww^il`#9vN@)Ef
zWAoV!{hr;U%SECF9~HsOSXUOr#=@wH$_*&a??AYXr<6DQ4CcU{Gnsky@F~Q=N^Y_1
z$&C;qAbUN;p6YvSC+WNiRya@k<;GuX#N)OwvR9ATpN2tA#mTfNe`F~+(+SksdxMPt
zs~a)w2Rylw&Xym>x(HWg$QV&)=PifnWwABQG8l8wtBu**kk7t#&q3I7SD1~4|L@$I
zbCoa4QjgHILekKru_6k+jonoma+>Bv2VQ#};X0oWM#)(tbUdu^`g&(BLEpVyQQsrX
z#lxdD9VXUk_k9bXk#3QMMefXFf$pi0tqF-IH%_iHd){btb6LBC5g3P=QgX**j~_ZB
z3(LEUTT3d++5=Au^{T&z6joFKTeZULr;i>zVx=gyIk;Uz>aaJ#tsrvQbhS-Mku*ME
ziKt6YeDgDfxcq3F!2f7X0WVAjAnsJz3y8t%cG!@BN<JD>_)HtbG+)<>69YBdry6Y5
z^;V2bVVTa=Wlsv7@p3EXBOaaue=^8-KxSQ7Tz0P$1YU&bIM|Ey)JBY?E^yz0?lIL5
z%Sw2)l9jVp<p??B{CKlY%y$Jneuu=qe8nZ|<yiyhELwh-pX48P%Y8VNX^5!}?d)P<
zQQSu4<I_Z>L>7jI*=q2}6n<`_VRz9TM!?j6E_r|^gnXI4S@#YD0$w{K3xACIcODRj
z#uv)nnecv&QL@zZ6hHZud6y<q5(=K#P`QP7M{){P$cD5GTsn)QB(Ja`DukaZqQ1V*
z#O)SDRQ_hYX2@>HkKO0~aIywCa^?PPr|KDibD(8rt3%AJ>HwgGSX}=#AtwIhGh;)i
zRl~0cAEgoUu~8B<E(wtmT+?=!bia@DrS{)lze)S+?_X}Rk|^K1hXV^t95r1K(1c_C
z=5X+-jc>nFZm?=2^4GUlC(G&GsRK$7BQhf>NP?~uS-$2Zsn@u@VW9w}2+yvrHsz`X
zlAZhT@c3KU=uK>)OoO8pm}0sy2hRUnh2E#MhTUO5WB}I+?kJ1A^q)^f_uoU`c?N=J
zf(qXp@LKe|wi=bcLQ0(uy)VugtH~f|gf}xGRdFZB$FO&CcBXH99eRSmC315)yC&gN
z37EYp_gMKW*Sq`)1(trpQBh>b#(1Mg+iah>IxxSUpJizO&&JE&r3-0_Bpw5S@=vfO
zF}wQO;IO%spHF=q_%E%_>V^PQrSG@+iBU2*xh@O<h3NS~AYog6NgV)qiY=2$$p6Li
z)+jG908S1r+VEZgpS=6dN@w|P$O0-8eNWZ?mN9rP=&FxhjH<wLi<moU`MS6YL@!-7
z_)A~eI|dfzQ#tx)lk^I8E?6-Msec8Jx79p6s%Qk9jM{2&u7Lr;Yw{lC@<B<f89w(c
z4&=;{^FK<3Nb?yPwQ_o_aC=2mQrWm(*=G}x$%b1H*|4uzc{)1MlJ;kxOgFKdYuVb5
z>PzkHEn?w=KXslFKps6w3ilMeKd|tTA4rXI<3Az2K)tTIBb5z-7!O@<68;}XYraf>
zAqRqVW#+u{E07Jr&;NO3=h!;A7Wjr{Y}-YA<+eXP{(tT2i-^JTQ;6U9?A4KA5LMvk
z|2V|+WjgR(KG3}X9epDDe|`G@^N9anLqeifzzf;fc(Sd3wM0S_DLCwV3-X0?VdoKK
zd~!kq#8UG>$Ml58#OSE9OWv`=VHdF8a%t;(VMB}mHPK5d?4H@}@rSc$J!?E^a0Ojp
z<N2<>YoJ(~!R}U8)M6UoySWnTz_bU@1jOUmA}7B^eJ(Z|EzJ#iqO43@?PGA+Z4BmR
zY;COAm_h1%y>LXv_$paJZf|2}j06k{XlY6#Sh6ZAcu!8kiRS~;G+DW>>qlN>R!H^K
z=v6g!t~|!OXl)-#*d_xNz|rIOfh=&=*@d?y9@>k23%KKlL6W6VQG0oLB_$SyyrR>m
z9l#u|Jtc{AadRae1oK9Mf|LaAalJb;4GmaMN={Pp#>-1$ACaQk9JGrxlk)4B#Op=A
zBAot1W%#J8Yj~>>Fcft3hi+}h0g^t#;saCp*_FK>LE>tT5`24$vb{)%fwW}qvW*#-
zYD`J^GF9FA;((mMPtRP0M9Qdpl$XodurR%5>hJANI`ekzsPdt&FEjqTcG)qtyQkK#
z5U){ta5t~CK|VbHLl%olcd)wi`olHyPYoNk!#(o179_>9s0?U|H3~{9kP?^Ptz#u&
zjKz*`e*$DcNSM?&2NVaewDkA<f2AllJq-%#mkvpt{x>0%ehAEmbw_iO#uZ4fHX~zW
zdc<kaG-|feG8~M40Q*O+8|}Yb9<3pPcT@HnwM$N#Z5yPh>8keTnV)$DYVc5t<Zfdw
zK0fLrYhP>T%?+_ErIXcDU1FO_hf9gAi99vTxX#lj*7dDoAEqSAoxJrgWYKt#_tzkc
zeF^Ct9PIBMDJ#x}lBtHiW-kIS3uxcZf*Ig_)7LK=8agCQ%8Vri*cum?-P7Ci5j(-7
zedX6rfrnlnPA**n!fNl*dZ&((zsLS_+63lGM0bTc=P<qifv{7udv_r5DEV=)`-iz4
zI>e7M{nH9U#e&a=v01})K{C+e+|W^FhB0BS6OtIGY;Rl$hbBn>@1d=W#i0zxyS>-|
z$&cUe07m{|d;ZF{H9LG;&7pcmS9IrklwF^Cuu3aqwRn;#+>1_l(Bdr>zIIlPrD<Lu
zCQ(%exNBb-DN35Fo2jAZ?sVY>{_0q+KMB^?iccaO1St<BVsYsF-a8Gi>ZR%&S{`m-
zlGoSYo=(Lc+G&cDMD|?G`(F?K8@XJw$2R}=Km0ol6j~}FC!4-}(+^+$#J(06HY~z-
zYbhuSBROkp_z@a4os(T3=m@QgUZh|99g81iDbdqsw1ur*TzDlVB)GVvS9DoKJP&u8
z78Y3bFIulMkQhAeNKc7hS63;u7Xs&H6tme+z8+Ywxjj62#Y(XX?n}}uQm+|yNYimk
zo$8m`7L@_*-R(G5*$`)!Vq>Icj4F>+xtR+!n0$d<1&><E$+~!0Yis-ZM%%%|!j?a3
z^JQn5rwaJ`t^UZw`X$)S<yXc9X9OUS$d8{a+ZGUFNs%}IPeDe1++026B!+=eydr;0
zenx<=mY18G9TwE`4`MUGEj&^t8zVhBJj}<zzp=FhNMiT1jV{pGXT|jtRaCgTxBx0p
zDG$?dM{+>7v$K!Apdg=I<u$*}X+BAqx7USyR<iljje|{tPFgm8dTPoK<s+ed6!Y(2
zQ#GgJI=cxzK2u2NXxpZFkw}LTQa<GqD+?20n0R(J15-?XcA*FlkFkNl{v;#q!^a7(
zd6_KijSdC|99%*gGE;z48k(;gWhg()K*14Kt6Wi&dztd0$8H)9Re0fYqT80UOeJ;s
zYADp+OFC{|oFlbc3;j2c^ciW4(n;e$gCBOYL#;@sl*3U^P2NvS!p(AXLRmcWWvUj3
zKPt$T8HlLAaY>Xt=G%FgV$LswaU{n9FPYMaU4^Ip{rbTl&0gj4MwnZWaW7pdj{<ox
z&^U+L*2lhl`;x;UcD}7yW;5X(J(DQrEC4M1zWJ*x1R~(g8x|%{Y=Z59qq96rBo3C)
zvh29LY-DA%J&<L#0dvKQWv3QZR>paMFmyCk?K|5G3ap+4V-h+V8qJpzbAy=uJ4r-K
z#%O9OhICi!SYYj{oWJ@5&j}6zGhJ6}eW~51hu}B=g(QQ4*je3vV91`TPxU-+2mlMg
z=u&v@)+<YeZg2T+Z~Q6G4oVq{BHzsc`q-s*&lb=t@f1|zLOvcI{+PSm)m~TPo}lW#
z^mO(+m<qGMT6_#l2ZKB$xNWd2NiZ37107#|MP6QB)d85cMYQ5zYfD|!i0QZ!903&C
zpuqbg7b6+hmyM!84i_}zo0<~v!?x1`I6gHyOh!uaHodeK9tIB^t{(ZhDA?WGAKiuX
zE#Nl81*y*P=qMsAAL^1<_7e;a?ZngC78C$P&8-*{@>JT?*0$bGi6wOaaMQqBbo}>2
zphU*NSttG2JWI-@Czw3wBlb85$Hg(NK~x7^IfuXWp`-gjx-`uVsoFNQA%PTH+clgY
z<jnhES0lba=EXyg04ZO8+Kp_yI1=63mSBT=t=UWgQ)^Egn}GAFn1cQMS~wi%J`NhC
z(4g7lG}#1nYQM&dKY$;ptBS9h*pQ@|k%iXm%?C$!t%AgIb_EMS6|x;1+2!u6t;s@x
zM;hF$pB}NHCi%Y-ba>xGm#lZ)(Z^D(z3*%y&Zpk$I6Ds)qSE%Y)W;{L#%RD8An^48
zg6hrdx{-NyO5~(q_DfsTpB+4HcV_%X&8#z1ZQW3(=dmru6*SSVtV9Vgw?i-&+TZDA
zC#?Jo(o_r@)FvsWn3_L-s{Z`(0LDz9dTPY}K3nY256=ZgEVtdc>m_7lk#2cGdj3?`
zpdT<!0D%$c&8oWUnz~7G>StR$3Pm~%9=&B=^-glOs(p`R0&m|U+@14&&DZDvT}@)W
z1!u3ZR0AeC;VRSR*o!d$_rwrtfcbE9a~hfD`~Wa3I#nT-Rr3iERWYy(fLQ`Flhs|(
z_=3+HM~9cx^}B*z_8LV@u7Bb*pM23M7@yj5S*1PE8C~`RjU_EWX)`0$BgeoZ5}%M1
zQO(1+ZUmh1bybtVss(fi0KnzzR)ORPn-g*7j-E!$O!GYr*)~HpD1)@(<y8f^!M+6Q
zPf##S00K5>AZmAWbMjyoMte%Nk3Q1m@VAq7sggj<)$i@gx;_I_-8Y>K6l#O7{d|F2
z-*bCndXh*{`{J3hBDrA0^u-#xUP(#GRD(0RsY#CgluQQdThI5%=Lb-7G~TYgR0kBR
z(N8yz)gRqfbU%JRn)P1DM&f5DR_1uCKsRn?BPAsn3Ck<WtvhP+Kjo>A=&-P{RbNi?
z`E4yO^6t*wg;Yt-T&QaX-tE(>G{eZEZ#Vt3ovb@eX}n?+VGHV`5n!DFuy3v^F$6Hb
z_NN7hKejSDl-WpQlZ9MSX0FXG0obelR6cthTN4%&>7U_0VID5bVQn@4!FbZ0pc?y)
zbJ$@3HJ(wDhig^?RyVV(x9hK;qEQ`6Q-{rba|z1alcufOg>yetiiLDA9Ips;u1}&g
zOl0|V|1%Y97Q6k9Dk3cUPU^t0RXORJnGcPAWlY~9|GO#uJ<8ygwPJ5??>!H92t?HB
zoL1Y_)$#D;AXd81QwP<wU;zA-&CN@W?PkCVt)e>qs<p$;dj)&4t@f5jmoW4vHT4b{
zpe!MN6DQr>?zwbIUE5(_U0z-fuQi|i1qkzHD{IOLs)~SmMAT;uMNQv@{gSAd>8V<8
zFF;BD7tc`{k+);Omww2Y>VL5|pzoJ5>;<O8|L^YwaM%v|_fM0D$CW7b<xBo1Ao&z2
zj7^QnLwU+wt;z*B4GX1AdRZ7;S2jM;<>%&WmOaO&;qa1>#0A|QIA3oR$<NQrn2t+?
zQ4<oDx}B7QASNPow*Hd8HD&LPvb3@b4aJ==GgP(I1XaI>B|T*S2~C{$+D@S01R(_S
z-`ubj81w$pXm4q$X?XBTvr!fdk(_%VG-6$j&o<YXS<h$V@RRz6_O>`6qGG`H(aoG6
z%O?LQd3AktGg~DeOkcwIUER*YHTGn6b(aU`&x`><3oM6VrpAV}79-sgc)YXBs4Ov$
z$ge0|JkiI#upGSXEH*GV$Kg$y^;z8t=~maC_Pe@hMCet&eEGU*d|H_yI!;yP6|JDI
znqHR*Q1@><3*!hqQetXFJw?~N6)t5M47R+uMnp_aNJ5yHqU~VrFAgRzK^ra|c(|N0
zpF6_Dn?(QguwH0}zBwS(b1O>!>a>V#2&u_3wv$`DDnp9Tbf1zkX@1^2H^1goeqI#v
zg;p@OBs9EXs<fm+tHEV3@VH>8hi^t$h~;f=2GGp2VIdkUYEt_w_Ur^-zs!%1>-%gT
zu9o7`;o?4W0Afy2?jib!lZ)u|_!K6XIyXEl0|o6-ZYKxOi<Gjgs;3g85?WYrkS+(`
z#wy(K@SJhHrw1C&fL%jEG6<NH4l#9ebJ(!Jw%*H%|NdyAP;7vU9~$qu8&7C+TF>31
zBXj?HeYH=0Jo4uQ&z&gNYY%jzDT!)JkG{{Tqdhx1&i|Y_#_DG+%?3jSuK3#d?i)zc
zQ}T^H6Pg)ibg7fOa}>cNj!ow(fQ)K7khd>|gk~aAr8alADk@5KfU8a^uOPp0)PjeU
zbd4y~V-MS6!)rbHD{#^9MUHa6WA#j?_(MQd1G_?t84?J2WbD!t$h~4UxGMbS>jfsO
z?*SV(p`wRIaee(RaL-*_m;zJSfny2y;(?SDT`!-n5D1;IF&!6otzpVt;?Rlyv6}1(
zzhjGok&@LznqL})gqml#$Ig7}kSgyO{BHEAyU*mbn|Rhh+u@_{BE$JWr=6S>UMnvV
z0NJ(LlT1*cHY9h|%G%R23yek|QG=<Y?jH7+bm0=(^Z#}hQPNNv6dOgjM4UT!sZ-@#
z<KL;N(yT01nMA*YWb*f~(vxStU49c=W1CY|Eq6|*2dyFi_kZ-kg@lpy`Ja951M@m3
z;c|dN=~kkkA(hqIWzE^&ieimJC&WzWVIzVme#nq`HC%vJ+|>uuZY{?migfZWD?gvZ
zD>#>h1M#P4dBe}e(UHQ>ysfBVQXG7hg9I=Z45SbvnD@46wZ<hFqOIRjtd(eGtU0}d
znpjyeaq)sKEOt@wmsBgT{X<)2NerHmKWu6F#>$!{#1<Fg;Uf~)@&W>>-`d^2KAN8c
z9Ik(CqXN*ZNW*652BT7<{dZau7R@vBPXB8?RPpc7wsm)kc?OyBmL@5!oZ1S}APCFy
z->u;qo*m@&%^pRe?Ccc?W_c9k<kU}5qGC4@>*;LlG75m7y0*IL`KB>`7jS1q^cU7&
zbm*ySyH9_l(~5t_9!EeW;3LaM`#hZ$jY#daz6GgDfX&VAp{dUN2EI~C=eV<>D5Bav
zK5iSXk%4e{czbCzx;&~v59N!DYa?<C7V++WMc$65jgdArH&-_|k3-Q+GQ~(U#K~lh
zvvYCq@{X~h__JX!Jz`?cNOxh?u#OrM{?q|JK5o`G^}SHlP$<ij2MpIgz}J&R7d1Tq
zUoK(rT`6z}mfTr5PzDAtV`8EKetXI-*bFQuP`dw%wYQF|>igP7w}}!`A}A?>Al)4b
zn=a`NNy$xjs^CUSK)R%bO-Of137e2^HX$9G?l_b0?|0sN-h1AA&%Nh!_QyX!)?RDP
zwdR~-jAuOK8DNTIKT6~l6{$Rx4Ux=znXw=jcj?`*wP^z~fxvs+%f_-eJr5r;S9d8?
z$@>x<{`kR(9t$rM*Zaf0cD?Q2&)<O>zPI!Rh0MXfq154F!BI$4>c|ob!yDBKh`gw9
zaj>eI+Tg$}DDRJs$D_mB0pvd0t*y1E6WkStJtLYD?X*G^ZnM)Q>2K-dkjQREfTVU<
zzRgo37mOqz!mssMd{!8%qdOHrCd}^{KvJmT#ltNuz|k|-SyxuJA*PcP9W8GE)?c=8
z)cBPKxTJqwEO?Oj{PR8@YUGaej`0kvU$KwgukF%kD6X2E$A72dsKKgmtGOYo6P7Bm
zqyUTa(Z#lCQ1|HrI28E&Vg0YvV7A`~ZvprfGX3HPLHvJ$eZU|7OIQi~|Nks5<6u#H
z2V!Jj?cMn2cYN!TLyaDf?zJB<(4H_yj*itZ4MC05-zr<<qVGRn8+vW!>EyhAsk)jy
z1gta#SdVPjA))OrB|D4(ETr}W<L^h+NTv#tdu>lST@58;A4Q~^Xx33^RPd_(SyHE_
zUa)s}8<qn*`OWA^e$6{7^knNWgW4=>9GeR;M|{h{xQyV<zqJr%U1w&TGr$1)Z`j8W
zLGbV$PQ724MCt|o0JvGuJphZr;h!WsWCJl#*LNWP>2ClKN)1>m0IRX61(_Pii<=A!
zKK^H<gib?TymX31Efy$T2>6$S#*@Sqj{y$4kMTd_YyQ_3=*Gn<dbFs&AG(~@+M`Q+
zuX53SO561I^M{rX%wlm~En?WFKc;_-c^PA9iA7#s{!JY-yFly}shG6bZJFQUCY{0L
zos4@FrOejoIus@5uifsb7yPI7hR<WS75jaZn%5Sk`h{<<Kk#o2pNxNN_(1>t+TjK_
zIJT-%LuU+YtW+%~1kQ45?9tFkw8roY7u>SZ`sp8b_XGx!L3PM$=NkE#ok$<5LG@2*
zY@xQ6CKc~&aEz?jaT8zY-%ge=C_8M5`YO}rZNxp|l@iH<0ik9xWNMO+`KguOFyYKM
zSn-MSh2|Qy{v8MzDKco^4LLv%rOGT`DKjJSKxx2vsG!99Y0Wn}YTtvLi`CCkl=`a^
zk;GVcGoteyv1P;t^5d)Jj2HH3OYJKjLR8fnIu9d#=G4z$N1%v{cxJ+1G_YZ}hE}9L
z-F0f4EFq@s>}KbY(zzE;@Ku8j`Aq=~Gn&D3kf8&-Euh44@Gp@g|J8qs9Q~&U)cn-A
zQLRSXknJh6we~!+wt)HUgOtf(df>+iPW4culaJp~oumfxJwjI<IASI2nKo^|On86o
zUy~-4N*M0Eah$!Y>k}1KC00aHVy|y?#WC?a5Q10n@|eK{0*S|tV=QM~<v73a4L`Z^
zN3)7IPzt_u=s+2EW>=opR{^z_{ton1Pn3!N4x>qYgh~$cMuF&>WRY@ve`Fieme4AN
zNzr`>UnUh8h`dag$nnLI0Cgg>a(!IX*dO-bDqSI|{0m>$zJp!;kcsFr&ze|Q8>MKc
z&0jK^p4`6YP<8*ZTmNJUE0K$QoBNN0mu3QB7WbM|@V&|y0^stuP{Nmm;(A62@;-hx
zrLja@=R#G-m0BL#aV2@gztvb$&&S{S_6-vEW2V7*X&y=#2l+VsIBtLmSo=}J{$RB$
z(Pas`E4DxQ#6&3HwdnCSslYrC7q?tADSlw_csbZqApOV4N=@c5TPGgA878ftT+eTO
zIZ>G|uQ8tL0W&j_<#)E-#x**vnA_Y>tE#usB{89;qI6liP{q`9hqMyLxfdCvF%C$g
z^}ysk>cAlQGE$BIGva<t^J?ZJ^%y3+EAHo<67*KbUJLh5Ht)pC?)WhQ|EFW8TrXXb
zSjN?B(=(l>`llFElWL~!tU7xBbi-tUGFZXqdlRz)O=EUdb}QP4@zwcD^<O$Ge`456
zvJ1~Wf`$wH;i)n`?wve4jjc@Y;=|6?bZ3rI{UhKMo3JM7qK2tq&*lvQsr(aFv9sN{
zIEJs&!$UoU*MW^jd3p__X3sNPef!b(>nMU1YN`<daBQ)XZ}DL)$i?L%IikeQ1?&|!
z3hWB|G@esbWx$xtB|}h!gPuLb-k9wjEYp03h{bzyl=umy3>|{&Zv~ZTP1QU%H4mK;
zBrWExS)tqa{AF&E%xts(LOWce^-WFm-rlH7(z%>{tD~RsHiTrk|KS>x=J{v~27Hwk
z@v7Q27a95doAaqROR699t8>w#fc{PK+d+MCc|o@WupV1cKf^wW{*;m0oHzTcWO8Hf
zDYbE;&$e^qr;ewEa|<=(b{P0u`_+RI3-gG|>VjkIXmD^<;T?@x!Is7jp>?XD+<nvh
zw1WzQ$Qay%ls$)A&1;|jxxv7W!tmw!YGJ!hFv(hp`(o*fG}{p*Zz{EFr)=Huc$*qr
zOXOV;0=u4O(-kucA`5=p<Fn*DN-8azyE9gi!e>0;#gk{ewFR2=#$y|~s6RvHQ;Q_%
zKobg=_hYw%gxXS!x*&K&Y#)gr%?aiWL$%bB(J%1`m7`v(F~rhgeS*=fT)g|avD_Ft
z@`w}vVX(~O2V*r%qG(vs%UJx@0w<kqH9CC!-HUr1F-8kM$<J8(UuoaM500qFHlW|$
z@whf#oA_I5{)L9nhX3q`IN~<+T)2<cksF^D>yu}CJY3~&29jt}RhR%0@4X7FvONQ1
zg73=KSVT>JL*_~eO4zCA3Ff{Nx_W7S#tXOp>gY4{U{&1h=|NZ1$)TaArvfpnq4#`L
z;Pn-{bIMgCux6W6E~WpFQ+0#1i=QbnWW`r-+~dzi@nJPZ1n<Fp?^~%W!BL+wn%Z(h
zv?RrPloV{C&P{oT$GetO*n!aUAv4r^<-M0%U(OjKhFTodE!+J#+-w~uUXJh8VfM;O
zFm*bm+(Ka-1)Hxu^BHa(yDD$mDt`EsH-BNHp@<<O8on$Ob4?nzcV*glaS!sY<+pmR
z^cV!v*-;vOUS}rem~Zwz<BxrEDaQdZv#96^A1|Hw%b0Q(XB?af_>U&PokBNFLVP7c
zv+p4+Lg><vI1mwCFN`S-3|JmE*4eTA?w>d~+&21(6Y;N&KZ8AkRP=0qK#JJY^>6#_
zfYq%0yAZyaY19QvXQ=QgJLkd*yn-<7l7IAD&x`LcBFL}2_VL{+Vgtb3U%GjUGHJ!A
z(mKcM-Kw8QA<Q{fEl*6&SJhb?&QNPZrN>*Me4a$1IU`oH7h_J0EHx~Hfe=VC0q_v`
z6nuTJ$=8C0JJY<=D}Wl0UH$T)#J)x2#blkJt0v*Vy_H@7y2XIklKasdxy5VPfGAyV
z*SzA)2qZ%G={sK4kD<=q4~^<Wvy^0N_Xe??N;$M*Ep0bE(Tf!d%qDv8oR$;3`g%TZ
zU$f%}e-fkKJH3P+Orx$VTrcDBi?AU^1YkRFwp7tpPl|a*&)5gEML+(zS@4BA=$&~#
z{llD*1haObeoghU?A%-mCF}b>doPZ!|DbVgCTo%C{j@rxqmRc|{i^*}h@wWzsE8MP
zmFRJ&t{4P-)z7X5@Z?2Khxa3k02hcLkhAc~lfRryPIJwXtZT*<iNAiW={C+%c;^q%
zuBxhLsRW}|(42==l@(58X>oCda`I%e@UCG)zaQ+vz2C>^U^A7B<2E*%RdKeX<U(9*
zY}NKHdYL7K4Vlq!tyme(RhQt0Vv&CqcPlF^6V5Oq$Wq_(S-1v{Ezam`lNUT^<+V83
zt~WsU>Bl^)$gi&c>51}9>Qw}UJ3dBEeZ<I5CX+J3&<-BNh$NJq{Y&X!#^j{u{#V+Q
zz0yJIvWdYPIK<L2uS<X&St|ZS&Pfh2COA;<53xw^UY|tkSJwZeI?n9pkw+q<kY?m5
z!bAIIfRf^GR>pzD-0`TaJxZ}NMx(g#f;#=}PX8EcMqOJR>T=kNJMFYlp;>f+LS2}F
z$0xhAY&z?(p@11Uy>i@iI_f3phQ=w3lBK;q-#>TV$~#+)?(Y|MyOKa@i$R}+9J2a(
z4Vb%K?6)@+XxF9xG}0+mtnzKmaT7h^a>M{dOF?YMg;v~&2VCN84LEVBIZB+XAmK1M
zB}l6hEW#~OsG>ebwz|2>lW_kphqi`B(7?F48(#;u2TL3xefKwWeo9|tnH(_@Q5*eV
zz_nD2<CIMQL;EslFrS6J1&s?dzAALgO0;^-kpYt*p=w%eg($8+*6S<PkwfTU=&vt(
zQT`~@=;%D|3E{$mYzUV1#yUo?IJAw;#=t;P-6d?yYxwVAiH<^T%b#iE1J8!tT?aZo
zPm;L;HZ~)>jn!^xxfrA=QTDw@xf`t`q}#QZXBi)af}RKX&*=Kho#-O_IPeBq#HISM
z!+JYj`^zcHewE8stnyNMMD+zIP#9jK?=*SsB_v+DbjbuOU7uFDp^o8Gi?q~%dRGWT
zk)L*#nj1VeiLr4$OG}LCn(H``G}uJczQ&CEA!q-!Dm~u#R`~V#VRSc1ds4B;@o6pV
zR=C3o*F6Z|<*#H7Tb?9?G@A+?@rDQ}O(YyAXcz>ktsO6TTgtQwv)d&E^o?P#wAQtQ
z^UId8N7@A@JR8U79~+V~X<xqlp`JfE`LTt|k^=|Z5HUm>FMsJ6D5M?tzC^3R0LF&1
zFNAjV>RC=7z{$xaB?+3SYT}8P^72w>m$+BMubm!_88?+8%3NiBtsLzrm#q@MB7b=)
zlGfyBv{OCH<X@&_=Axe{lFcSsSCI9+c6lyfQk<o#uE5lj3XdwIVT5qT$5%d@r*-gg
zbV|&;eeH*p?CsRXJ1(EQkzcCN1*Y1|d32Q4?`;gK-Vx&WCMv&t{J_s~%oa-XBv>ES
zb{5p}gt~Ns+_mn-^XHF%ubv?rkA4Ic`ocPn>g&l$PNuYVzOl1ow<ex7^+sxh^sek%
z4tFowXymD}=&`xYf2g6Q4Sb=Ir!L!s66Mp_R%0-Ej41(2%PTGxWf9S!7b<#Rq{2|B
zF||`PbQN%`1PX*UKPn|9>SU?NcqYC(LEOKOae39;^K{9hW&$kLMIjddG6l1dThz64
z^&ZbEN=s`;DIW}zy{GT#??QHgx*U#_-!M;w-a;ssFe~Q?7q6f=l~G;odEc*a^=EFr
zPZ#*Eaz(w$tL;4<2Arw)&b%>jxo`F@C6U96MZc2`Ri$g6139fHZeh3lR|&4lR4g>B
z0DUnn7WoPNZN*stk#7y8yAq%2N)|jrlPN%DYN5G9YxaES=NRzZwofNNA1@wbtgn+E
zo|zU(lIyJQx-%Ycb3U5_OU}cxM6wVQ*$C-l18}{*a8B~3bKI1^+s|P5k;YiQ8hh|V
zhnSHHy5V6#%7WeVJBXsDg?yx@-tG*RpZipWP=C|q?0VNLp-FCTN{!!U_lEZ2^!%?%
zei-SfA4Y1o+PHS2)4Z20j%PqAtLs)#qM(I&6iX!B*o3==KOvIo8D#E6zB?HL2rooS
z?Loue=2Q{AefxT1-pMn*f2U|GbZ7~JgP1x6i9D$A9yGY#4H?N9qO}^%$IpDA6{{c(
zH_>*Toz`y2m5~Y7pAqhyjvKL(lZF$ANThF%oK*8gbZ)uUiKpbaCJB!R_BaIm!MgPI
zb5nx3DWQ|KiF69h>y>dJ7Bvkc7%H)8hT7^IxF^By{q#Q$EyW_Uyp-4qE8U#0mvQ^`
zJ=Ow4mU{)J%zr-XUEIAw!BQ_;t_z}MvdQ`{*NRzz?51T!;@o8ISrFj!Tm*Re9fVw;
z&y=xV><>u!c9#}(Zd{I8!=x&0ApVQ^eO}r`PyTu}%y#5Fq5h)W@h#>t2R3OkAr&(-
z_l(ghcLLKBgc`MsjEt**{<&4So^rYxIOYi&Wk@RP{$lwqUht=p^YGdWYA!lRE8CJ;
zJ3(+(W+rmW6$l_ogl6RAXynTEAiFSeMAZ>79yR>x=SNevuGER5Fjpxlw^gg3^G>(n
zH@l-s>WV;}=f%})G4BG6%!dYMM1-02tc(*i2oAoJ3Zt{~>gw^z%J9+3qfqCMV(F_}
zTZF+96WUKPHb^npJc)i;<xeBm-Q~Sm5kok~rMDp@$OJ!D#=73w!NJ6o7<})^(b2VC
zcbv1~womS9{ivxa3mfu9Np8A;l~b@MYA39n4V!8-3vBka7TQ9;Wyx_ReHI%tubJ8A
z61R$CN$)aGtA3N#Z>ZiN%E$?9u!VNVJGX7Yx7Oqc((3e*8a);)k!?znP~{F_^>)uM
z3k%6XX*~G6!|!VZ>{y{y-4rI^jY3G|4h{+zCY5gf_OHMn0>Nwe7s5m3`7ia~*9VEy
z8$19-i^?KZLCRtpSFFz;Kf3E*7Cp8>%B7ocy{<DQ_(EUq<mPaB;iqe7fld~7QzeLo
zOdz`|SxW|ivjyte{mErY6!k*7c8pKruQ~q0{s&5U#rkTz-o;CGe_opSHbl8)-g%Ul
z>-0_lu=1R&g~ro2)YVL7gifn-1QCSK#M#-|ayVaF6W{kAj3Ppd33yGBfUuhpGPTJ6
z0;BZB|A$Z>4D~-_9skvk|0^s24zGqtVH2(~fHO$m96(Logkr>-`viVh#-LOL^pC&$
zr+06^$pXj%gybO@Asjx<lB>l;9eNL-N%Vv+mfZX@ZpeI4S^p3pm|-GhTtV&b`bB**
z_^Bs_lQT5zPP2V73hg)vwxFyVy*@r!z9B1F$3bR9QJvB5uX!xM7Y9E_BbNx9c<2N<
zt9zTjd-P7?7!=3Bv4g;TIyn~6oB1<b>ZED5)gn%(sU_p^W~XJR<Cf9gxS2k-dcEf+
z_BBAg85#yWko&g-hX4NU2`wk|nNObJe2mGD@6j*|%CW;2gQcmT)Xmt{_4YYTH-Dc1
z+CWel;1GCd%k1ploQ-S$b=uhC7i9(-m6EsgrWxB)0Q%zFc+fgU*6HMhI7;KRFxPa8
z=;SQLiZ)A#TKKhDARnj)oS2ObQn2Nc1l8=Gp&#D+MMP|1WMd0^Z*$cbNPKZFiYAgz
z(@;@s{<*0zW>`^I%E0+z#)bl9E^+Z`Y1(=dxL>faj4tkSaq(!XqgOl(=pXkbs7J=;
zfUS)uDbw7~7EGqUG&7~yD_B}bIUB{3HD1LdR#-gSu3lLxT?Gk5uet;xrMb9F^9m-%
zW@hA|#4Lh-M$Jr*F;$|XX$c&_4mhUkc5-<u=p6%ttYaw$fOn_1?5z0f-C#KVFHU|X
z1k&a9t{+xsbJR#PMLnctBE4#RW_FDVRmSO$sPO));=4(AvEz3FGw8-3=1V!T!+^}S
zec~@HWzu!qd222?2_7^LY(m7?R@>6S!0sq0ED2=iU25BCL;7ih)*tcIpI_yUd7}sW
zNA1`W&Z488Tf&YtMymC<qZU3?U7tV4H#5(|hzo&cn921Oiw>W(cl5Gjo(|HkoL&Yb
zURH22$f~MDX%uUt?fHg=4p&%`McLkOZ?DbNx~yEBIvIHFlT%}ID?&s1b)}(c1qLgJ
zo_l+av8=imyL4%|*opk%$bRIh)qW+pAmftb=~7(5@7^u}EmV9;0y{IW#bM&120|fI
znYCd~5Baqs@6_HM_1gda+_C3YG`~?0B_ow&-0mH2$}{T%BCfv4Kd?%bz@uS?J78{n
zY8d-8?{T$ZD_F`gc$oL<#i&AmKSI#`_poTQgE!EpcxPg5r#KqCO(n>g0tc3R+Rp8|
zc`nY-N0^OG8XDtu>~pcUqJdz>dr)3pepWyG>7;u1*?<+dOl{jt%!p#{5E^%QgdBK4
z6B7w76?Z-^hxf5iI|`&+-uVb}F7PalSN;27p{#h6d8{^}eL`;lT?pI6uj#61U_unm
z8VdT&ZXSzXaFxGhdLq+i9Mb+w$GBpgV^GQc6GFDIbc#H^Bv-h>rv-x}!C6wm(%U;(
znx2L_Qj3YqZ%;agBM2VO&|#&@VDcft*4691hd&mmsiC%dZ^N^yS_FbXKvL){N?m@E
zIkYA;090^*Sl=gkSsmJp#Kb#KErSv`yTR+nHuN3lHN|#vTpa7DH}dFOaMEWvUhf~R
z(X*qj-A-f-&&-A$`}SCWZ!kb7R*;tKC|FrJ*1j<`&?vtOQ2?6ZbSiw{%#h^xuG)pT
z#goD**X5O^PmSTno<1y9x|tfED+hk4#}YR6psY$5V%WvzBYlU4zx|y~W-8Gt82N!a
zN{K0{p3Naio$y{|#He_E$9R|_#zjkW<GolqcrFRO;uw#}^cu{4G~HkZ27SR#aBnV0
zXG*Y=%YKMEOkoqxT_#kXwQVH+#@9}-Aog86ID05|YkJU2YRtPA&@7Et?Z&(8Nw(~j
zj%2*n<~8y!!$Lyz+5E!ASdLG<4T^c$*;C<a-SMYR7In#ebKkTY{nN~}!5z^M1U`FO
zs#RC(Wv=$EJ4+?t^;<nPs<^IaNjfjb(bN2#aZDn-l22RN<U=_mv(<D82(xu>?v2kS
znwx;?JxpCeCsD*1mVAj})lNMRwuq2VVu;>GpUzaH*9Y$Pz04h_`{ovh2U{pZUWX)u
zV%R0IVQ;Fs!$?e=r%-Cna_jlg*q%_6$3{4R8N*)g5_l9-m1qtU6*)P~%YfImGta@q
zDwWe19v(hCN)X$!nJnD`tG&4TVqs2Q6#;b9-~VbHNvUI8=}Gn2{bEK?GQQ+W8fMGQ
zU6Ffob#tf9Z6r0aZkvS=szEJRN52GRAz*F(#RaGmN@4prl2^AFYn|pXzw{GCI~GxO
zK-?2`eX60A=qT9Jg0VO~_w^sNJDBBxK#SnZ1x4<gv;NN}{eQG?Y=`a*B5R+@WbZU<
zOEW~eH#Gi-h3)^^p0A`3?hLXZ`Uhv<f^!#>GwxE$$Y)tY{7p<qF6=yB;(ameoL%Ls
z7EYDeU*Stuj6-hipSKRagvje-)(8o5`n1$LxoT`<X&N1#Pq$#;r?p`27v7e~iH9AQ
ze>pqV2&SL;s-vNThfoh`&oF@juam2IjQ4$|+SqVKrCSi9cQpY9s%?y{Uh4=K=G@$O
zyxKst#_kOD&B*@uEIIh%f1URDUp*@O*xIG@v8#S&UZ@q??RvFxqo`3x#S6p#)!l#m
z8Rfih5ke=?*Y&##q{TvBE1<|rmNwU-3EgnH2mI>RxPr?A+t_xghY)${cUd4S<WK0j
zaa>$BK{i%+mafGl02>fW>-Y0KVtkAVt6Mrd0)gxH>`<8$1aedOlP85xMi&c{Jh-b@
z)C|^sFx+fHomWp?i%o$FZ+Mj4b1jB9cr}gn$_#h}f%k@@Txt(Vc^b}Ja>dejFs_|c
zJ+w<a?BVc7+&qMlI)!Hgpm;B21XJP{uBgHO$g(Yxg^!n)S1wbdSI}bg68Ca_F1_PV
zQJT+u%x8+~a|>M2WmhjTEF|)a-Q|^w+sr;2es2N&<&}aa%B8;*eA%sU6Em$p&0PA@
z`!a5Kx5R^A+bU*#&B73qC;r>FleS_?Ma97ilBuhM;r&OsoV;}VvFc-AK2e9STwM)r
zfaRAqyWc8~qrk{gPxb26ZnrgTk#GB;aR`FvadLJaq@Fy^Q*c?EOxqVDgfCLCh>@l$
z)U_8;MBVZ6=agq74Y(I72zAzE(a-Qtw*zLjPnrxxJ+8&C-G*>bA<FbD4elORvV-Jq
zB0J5k5!$wuM%JR2UAUF#X{YOczr*H!%DU}!B#6ME<u+X&8@x7+o9juRrPQgdtOPFB
z)?JQgE<Y~jae^CD^7EPBPP<x|M6guo*x+6+RH5sSck@Y$F^hmkq|d>aU;R?J*F7e$
z30hQSS5}kz>TGVB&)QYm^?Gst#UhCMWT4pMafY4)i+<i``5Q1PwR?Pm=>WepS_fs3
z)w{8jaWRiswCh(pHj3&uW<Rg=6g{|m`xtdDPOZ|>_Cu|EE*2+@8ERT4xale-CN|yk
zG&`;Md=Pz1s4S&f<xljJNw6$qc-y`wSy>jUfe;p9iG}AMlaE*ATJ<y(PyMu<EKg=+
z)ji$DNK@3aNV9BS*~cGf{$6wXGZHRPS4&7p_`&*^@&~XO&~lgaZ71Ts-maqPF4HkX
zFA4j?&J8n?Ah?EKWn*UM#<y8kNPPEK4W)75mQGb$h76307@zK$5rg#kmf$foivhwn
zb#i$n>~*{~QHSoLqbQ_jJo5A*ZJaLMMHJJyKSY*_1^ihNwff4~>2T$Lz2tZ4Wz<Zj
z6CY_l=kEI<C)ICv1a-L_*|FT(l1peONWiJ_&bJA*atJ70bZMTxZ92|*x09Cu?o*+o
zpe+;0!fpWgt`}D=Z=8CsYWs@psAXjobsB9Pl+xD9xHmpG(Xg|>TXKs%N|Z;4>iS*P
z>~nGsO7RN5r#RbL>}Tkf>z4f@hNXYwdNj{Aa04#_f6B1jIFDuiH+owra%gRHbv3^r
z-=S_M*EiG}_-MG=iVfrt|L7NwG11jq9V6C_Y?YOy*m<7fvL-|C667l#+XoA$+&qM4
zr;~dE-t5oK{aGCYrL?KsnKm1h`eNy9taON)>=?M~_N3R68S(XH_89!Vxy0J+`ekQ9
z3;I~}>T{FG?)VF#e!|GE;WRu-R)Sz}5kp1AWd{mr$5Iw|KDj=_lcnXt-p{&$V)N5Z
z=60wODW)exPvjB#BK8+BEJ$+RuLKQRg557masmRiqrST_t@GcyY3`kRAY)UHyK=41
z0d?*-<xXe2)reJ0yD?4!11m3bi=RWy@4T-YI9JfDx4&5d_i2B0OIX;4Ym?ae^U!J6
zx(k2|v%VsM{R1MTEf|zVuC;nEzVO@FOx1X?;+Ndk$W#Faw8V5bLrGMZ*PArfjBgt%
za2F2$QAdZZ`73q0=oSS28-2{n#dEzEnP$bkeihI{Y~Wo{QJ7iSz^Q>aol=e1Cqs#{
zo%HOpMx0Jw*PjpcQ=aS^ULPcZ{s7{tA^t>o1E|#Nl@zz>iv=eo0%iS~^u#+ZovIz+
zL8DUrPJ<0a<)J_%1gz+@sWiW-ks(mJ;GMj}8@_mT(#FdD>@c<42fWC?eA@$t*Sk_x
ze%I%`dJ0hMF~8uOoP8Tea@beIBu0795ALIUS3b^9u>0xQDZ$WxzH-y@TXro-03y?)
zT<fvzhL#Gj(@r8-Vb&XPWd;quBil4<`Ot-YMi%Y!_BbH9kRC|1M9V*sfUZARejhAN
zQ#)UawmtRq8sbGs-qQ!u4CsvS9UlE5`1ssqZNce!fBW;J&-=^jW41GuWz|2LmmGbM
zPVeWbaafy6$d)S75a8fwGa!y!+>Y-@ETtTa03WsG2~bZ!sC5(=l!<T=yk>gRn<gj-
zZnW6}1DA(}mR5&pbWYkI1bwB0#xV>XYt9vwE}Mn<55oyaOE&Bq_U(C$CO9poA1Ntc
zBPLG_ZT8cfI&|JF7A!SczRmxWs$&L$<OWYU{H@!Vd$6Y*k1r}!K<>5cP(a3<>~tGj
zn~AJ5=G$X9G~>^&Gx0ESaVbxgr?Hk+?91jBK{-)<-SSmh1+lOqIbr31*Zy$I6$K$r
zIX{0mNh~cj3m$!ZYSrn+mZ8nG*iC@)BUIVD)N^JEU5_%h(Fbc-ub>i92jo9L2hsjy
zN=hw)+1NduUEb6t0_;{wpR-dx)OkG7&xa3pTb3T~I)pswLljINpCzFSw5!-<;`qEY
zJnTo{fNpT(X@M0%{%9qLwF)FTikgnT#4yJ8Ca9+?Dew!(a*&hjU%jS!F@xuw8kaN!
z=8N&Ib5i4y_k9JJO`?BBW;l0aZ;}zE3vc$n&Y06tr>+PJ)+yxp7LOrDtfHKQ>lhJ0
znH)v=10e`@>C!Szk5rf)ySX`8-q3d?v!|o)ZAfQrG$hYj#Bl)C5q+$Qo}zqk_X83O
zb1$p|BuXBIFK+R8x%6JuCvVQ3vw4rvx%|0tcr4=B{Hg$xeqweYPZ{A{dpCt;cUod!
zhys0vV;Fcpe@_TCKFq<)n!99=kj(rNHd5~Wj*02FXx|Z_zJrKb0^0WVEfra*R?~QO
z*SvlBEC(H<Fz3u`C^oW`X=-HVvi)bkttT6ivwAn-Oi)B-g^sPP88$w56&VY|?+E3N
zaoeMUo`ccK@Hu(LHw3|2^p7WPj^<Ru7YkA4c^a=kH9%PzM|hDQ1(_P&<Uigg*-%#K
zC(=@_&rGA@IK9-7s~Kpf6lLYwT_mjOL}d7nnvTj3m5#ql%Oqi2tuN--Ym)o=MXo=<
z-Kndl2$MTt@`YO|UPo&9_)>qJ`K09if8CSp`MkHqSN7I$r`g}*w{e%O5&{8ZBT?b;
z_84|Mz8&BnPT|&4noj4ff0+)V*iI&!VX)5t2up9C?BQ1c&u7$|o)7@e7?<h8Sqs{>
zd3#saBU3XoQwuXPD;t4yeS0BT#Y7=bU9Wi>RX#yvKXBwMt0w5;5v=2gd}V~V9EgYx
zlZr+`NbvM&5SMuV*v7`XfK`3K)YdW|%gdK9PrjLH$L#&qn|^{2=HcNf&j!{|x{b~`
z{^lLxJ?<-CcdU_>!(8dfhlhlKRLZlk{H$s=&elKEHe@AB=|MTaK6n?8O-)&2n%ts$
z_uF`DeLF!}nIT&C-t9LI$^m*Wt!)Gxxz(LQ*jZRybqs)X!Mm$f>redQF!W}k2(wb5
z21v7Lb9Rd%)*p>-5D@09tYF@~ognWyo8hs-lIW)saTEH^$>aA$LJDokH%9${6KM-l
zEHnfqor~N_%%r@wpdi9yD)%V-QFszjJ*82b?SDiw#;Gg4%jqL&e(VPdsQlLX&9yZ-
z#lbC-jYsObRa?oTu%mWj{of9HGcDr!!VN7okK}U#6q2f9V;}dXa<`)QE8Lv7riG7w
z0RJ~S)=rw4@fCa|zukDCr0TvuXX5`2Rt$9d2eSO{@dD@IA=XOYbft-=msDIUe@6_E
z!_`p!y>#EFyWYthHqqD#0LECJOpC@5&Xs*!$lRu~fyz&hjo+l1kY;UwNd5=HXrDc@
zir?n|z&d-+_rv)E9}6IJOk)EB*~$oNeTjd=nV@)m<@jGTD7%Q2P_p0Qz$Adre_{uL
z-~SH;BJ(?RSeLUBw_sVa0k3S!Ue`;|-$Y*E_Hy_c3Ry7SDUbN5)iLF53I2)R{C~De
z-`oiRZh!4+2(c(9_X!w%5wj2i|0SPaGPJ%(&<>+z&#ieJpMj?ZroYji5zRke_&;#3
z|Dp)O4OCeRuZ~KjfVw<x=k#Xo@x|()W@?hC+mR*x8kcT~ch^R-klRKtZ>T{`YL4G!
z%*xflxnasx{>^>7{K!_{OGNY+6h%4cB))l?X<wtaMXsOb)A-J?7vzjC24mv%OFzIx
z46Al~t7dWRir@ZD0~caKI+9hbkJiDZS>g({8cjz-9c>FFn@h#TWAlB^QC`=oaZ?IV
zfK{X=>bd<4fKzy^&R$s7r0Y-F93Ax)MTi)v0wB&Ecl}dxP(FYTL{3&YL8G1OXE*#u
zxX!#h0=PxEBKEwU4uWo)j~+durKRnoXYEakJ)c4ekNg=Yo3t72*?X%~NY83Ek$L8Z
zKHViB+TX9O_2RXi?I_&@-Z(Lfesa{egU_O(;!w*VwOF&y7~J3*u;So%@ih9zZ+s1W
z4f^0S5^cL`?WNeAyL1EYCaQAaUp#~G=}o&6h~h{4oRPsnYU;^yk10{ZOE>$j?hqDv
z1;wZ?({$TO!CLIIZ^@fIU<ZP7S(_)c&hMOFGGs@=X$W=?E`+E(7mk&1v<sjIYZe=g
zev8~WSH9_QSC7w!hKArj3JYHh&n*{M6<-^x?(FJ|*1Gf+JjEjJ!C4a1psL=AB?a+@
zy+BHuZzW6l(uY&0#<I;1-@ehLp-{ulCo{Mrc9xd38FDOFeKB!{7u)A)Y}jQ7ADr&p
zZrSc$*EIB-0&z&B2=`JVf)$DEee%;r+yrS2yUMMrbL*)xuFv<qDocATpLPU1y5jox
z3G&np*XdHgam|h^i08G?uqo)6w;$as_BwB()M6TCWNkW$3TY~HIWHnMxX}EWVtBdN
z0!)yF;fY0ohSSzaoL_~<6tcMf4b&`K0z@cg-g*TC<CWVX#X)iG1}&LLzF@zZn@5`a
zhOe{m2p1bqS;pa=j6=X%dYTL+&Em^*x#Ig$x9^US7tm!)lrg|T?a>orMU>y%cYmV0
zW1d0=H*^HzVm%5<P&Z?~|3_7+X{VzJg|pn=<9rAI>C|K=)Axpk5P11B_4i$0mWb(1
z9-rfqg^pOkYOmJI%hf=k|KDjrJKgMoAEFoTy<>)GdWIgqzb)q~s!_r8)o~!al9L<q
zJDU&)$4ahxKYMS56<g!{&mA`<Fy&^?)9O!;yb==DaHqX;UsLfdPjS>Ur1eWdH4Q!1
z=KMW6w`Hl%2FQ60OC4)k=iQGlBa(DOv6lNi{-%3LP|uHU0WN$&7XA1!88M=_Ti&fk
z51{inFuiPzS)Y|H0G%=$qJK=f&4IUtRhamFZUFdqU_Z;XKPt4FtZ%6P@x8wMB;b5|
z@BFf3^a!|gV2fX0-NdvVnz8`x!BT|F7ErJzO${BI$CyAt;0tE%XC8L|MA$Xij+D}_
zFzY&|P6!Q;53A^_*7<a98->d&@wzw6f{uv;UP>S`WAl52&&^FLj#XFdd3`i33SXVa
zKqsW8#U(}0%+9(@xM|`IU|qYrTn7kH6Fj&Fyu#{>U+t_-doTO<p^xWoD~aw?<Cidb
z^{U4$EtwbVUoU0cTlq1P-)jg%os2x826f=NHO3P?Uj|d^jum%OLw|f(35Gu+)dd#=
zqF_o23EXAV8;6(M5lVu|iW!GZeisAZOlJxbmH@WLQ(0k=^%OvTH_VpIj8HhBdVt^+
zh|v1=*+fcfX`=8p`$5cuu&WlRw)*fv>f0@dYWUbjv@DHX1RbCgy?z`iOY_3<SHkmT
z%aM)4t5eqg4OP`Ifb!*3y0=%VY0g@=DkzucbG0-dX*ZUdFQ>uM-z}TQo!PUpf8!Hk
zYC+4Z@|Wq3FYB{@P_eSo(J`7Vhn9kA8f##`ZPMfuwaE8Tq@tpNIsVm0J22mpims2A
zfPhn4@f3-t=l4pMlkY$})YCUrj3pv$1Q6+|F>x+!?ATdEVDA#&P<r0@5GUXJO{u8^
zL9c{YT{6(}_bt;BSj$0`@`{Sj_6y^y^Fj7@?qewS9efuTH$i~NM#Vlcku7EE{f?^i
zIX>E|;~c~WS%>vU6p7qrq3}w(DRyJ2;NXW`Ht(VPKeK#$K8Tw^n!j<HmaMBrCpGeG
z--6&p8l(}BNqYo6+)su;hk=;qz{KHcZ5Vc|p2ulBO25W?sT(Uo7E#B@3Usf`CA1wJ
zS{f7Y*d70FycN+|S6AxkX2y-b=KK&>)LqG3QU|Q&Jipg81eK3S%Vkk|{ZJ^NRe;6_
z8%HUveuxLckL+(z8<PZ`9%V~Wqa$fs34Q{fPUK{HFB4`65RM{N9ve(y@@J)?r!VF8
zVy2d^%*T3uioxL@4(~0V9Hn>_)vTB9l|})aEIJM}fin`(Lh%_(^}us8C0*s;+W)|Y
z#5?9&t%Ja;6Z0;J9Tejj2bUnPKfU_v_))}cmcOjZ21U50^NTgv^04I`-PhISy-Qhq
z|09^gK$8lZ^|k9W45&X%3{APUEJ$$VIk%0ia$0=T_uGmAWTL93b0;>AMEOhCq!${9
z7^K<LHB0EQ=fU@p`7uuNh=4a`z2>S6G5q}60GX%BNKR&=7O)ZO`1Dr)MuVI%^ML_n
zY-}v>9y`yUZSx^8x4CF(Wmw|)Q&_0G`}%08GfTqYfYSojHZWrvOoqQoH%GSwrK*h9
zK^4bA`3v$^5B>={O*V);bI0hT)J3H1mp)xSL#8JZ|73Un!E0@RXkbMHC!lm2f{bPF
z)nvx6i#lKDsg|>#t6OEVPYKDs3J92QO*b4z#UMYnLV{RDwNS62AZhOBy`cH|St4IJ
zvRhtBMg~N%=T=s%m)n@s9F?wrUd?%2Wh#j@fjD`_cSB)g6b3fdeto|FB}bo1*VZ=H
zX%H^Uu^1TW=()GLXeRc?hG?=7KfH%4yca*S&9`POAW+9}yq%=1eAevawl%G;t@Sl6
zOU}l2W4!G6ceWZ><f*A?Ro)ZE)MuVkB$h5fJXurUqwC<JUROh(_dNx`WWB-MagD;f
z@4q@QIqM<m%XAA8iq}_OYrYlK@@D^Zg?TtPN3p+u-(3j2Ox?=u@sp)keBJvPcS0%d
z1Nsf+c`qfaPDy!r)_X~bJZT!PBxXa{%;`K`+Jp@t5Zvi>AWzBlbTz2ElB=5XnJ>jE
zs@^m%?$>NUHw&VDhsP`uPt;ke&OyJcvq?k|-}Ur8vi>SEyUTt*QMN<eRAcu3#+^No
zr%U$gE3htZoVF^ny|6+GUSHDVJ-9ozJz3^95~hh2_$#)x(4;Sx`#pu{RlA@5egpCe
z3m=FRH{`B87hBS<_{Ik~WbWO>#>tAIdf8aQ9&ILm<BL=oowQ$2vc}Y!MDkBhV9Vw2
zCUzn?A|9t^Tm?P8s3zL`H#~r&Ps*VFUa61+;y={3#fCvi<}%V>^`GDY0Q}$BmQVj>
z$-(~$dk0_q|L=4Ygx4Iri&*3uyQTX0N)<T4{xaOII<#4M08D@VGP<4qFLmTwDm-Xy
ztO)>E4bo8a_SJgZ(qp&n_1r-Y{6*@@3;nLUBsY79R*<ks6B{Kj7{lvtLsr9WY#?yo
z*moc!UULi&Fw-uPrinw+5On?dN(+|0{HGO<RIHuHz3hh%QsM5Yxe&rR5{+gy`7B1v
zrp&>0^MH7o$o#uGmA$tevg9Cqb?>>YQcs@me+%{@>#Px`sOkiT&Roy9Z!<#6@(9#F
zF9y@GG(YHT4wsfJ8kDF7bbp>$VJF4cs&kx17wF5AKZYiS-yKGS8l}H6l;>(p;5!1p
zDki>H{GH|2!H^ZVT@|VLZ7P9Xvd-NAX-$VHElIqh=eO)W^Pd<cU+I{)_2XO9tuG3<
zJeuQlh2McRKb24aT9;e|4&BpZi4%Js0U{BT#nbncnw$Zz^e^0RI3hU|k<zP&r_}oG
zUHhIs#*y@(BqWq>z3DpP_cs<_n}0YOxQuwvYcqAiIll0)Ga2l;0`Ba^S@2h(o4@|=
zzH<Mv_C2!@QTG+1#q^n(j>KYKU+>lm&AV~v>C)xpq@rLOTZjduLPc9ch0kw$bAl5I
zFp0bGYVR<7+V5MO9N(F~erCkL@lTaXGnC@8{ZjO5o|(1rq63!d-o4})7e{pcw`fWy
z)E4Xx;m(#2i`ymAYHC~!0PlV)UIt}SR8WZR%5we8Ip~t|5a39=mN*c+lqbx5D|BwN
zuICZke#ak`KFR@}!>spt!*7jy_AdwC4+p&dUeWLou4i}rb>!LFmp-!9Oz<A}3jqbB
zJ3sNQT1s;b)=H7?B_$Y@U{%5C06EG60PQ(TW`28D)-EGSRkmjbwFp*RJCE~1-qFoj
zE!~RK!m-q`+?PtA(+X6$xRVh-gphDSiYa2ms$1^Mlb#e|Yf0?_4RI(4X+Sn69VaT9
zz~WmRL8LqbGfT3FTVD?V2~?t-bIVTXZ*+m|my=S{fQtC6iJgWP+t$|D_0=X;u_<wK
z+4?9Y%6B8oZQAt(zVPAa&PwzTCVJh286+%U*c}eHYdY+pyj~p*DXz}@={>Mq>{h=Q
z(WH3B4uMuZM}WSK7H8$t;949*IAEew>lJD|)t#!^9tWj~+`^(t&80wOJow?RSO8V^
z8%GrtH@66XGr2EVo37`;`W}r814#{xOlG{BGL;Gc=Rqr{CU&m-VPoDE9vf0=-V_h+
zu9GIFf<zVAv*n-^#Z_7Ep1>^t?19Ea9qL-MkqXv}MW9Cah}v_WvUthVEGu`7?wlTy
zp$F(9`d;~-UJ8KXT4o;0_?H9NP8&{LCZYc0qXdvg(qjR?*hNUi#lME;$CD(;Pfl3?
zTn)e}Cb}5-9zKmm8DTrS&@lUOK&bLxb^eiVDJikW&dW)n5>{xNo(td=%lpFkGcNu8
ze!G7f3=6O4cIHPvQ~DTB9nAoG-k5>Q#Gcs-Mim(e7ecLDhJnHe)1hX@mOO=Ae`YDW
zT}GxBFb3oq6ck5anLKWB;AUziP<C^JsYDf()zQ6rRZ`Xec#bbvtA|ZqX5hd`kcrV=
zz#(uH|7L+%G*-=??tm#`*l4r6vcVJdM3%-lqEpbj3`D}i-(XVTpB=mc;5Br3Vr0Ly
zj`DGcglHYQFD~_3_00ru3${-E>d!#0T<6J0x2U?=d#X@I_GBxrbsnj4vNQn54pRUQ
zfou3;pFSIJ^&42)E6x`R2xYpLZJJwCO27r1TG`*4G9)g!12-ml2!M=b-MT9z@2n@<
z@cLw<pR(HPsAq3&$Pre*-QB&lLEM+d>0Rd6u$$Jt!dz{?c8cBl*VJP6^kdTX>AEiT
zU?zsxip#2aY;1PGi~|R6K(4s{bSUk@NXLK&pLUI)$!~E)?0K!|TtRGHw7MRjex^!S
z*5Ef9{Q?aWjzi=UNBE-r<sGt4%aQdz9apcv_YbEfMVq<tktq`6CwvC)JD2o;3CV$-
zIr3vf*4xnGt|AL~f`N5tFH<G6!(Lu}r!idEL;HZqTJZ>>v$ohm!Ot+K@0C}RNxnP3
z#gB!q571{A_YJScnhZ}mt)X1ZtmpG-m!ONGo2%>fPA4wG04c12E*5U+b(-+)u|8;Y
zgMig99-qH(GJ*`G*R;ncM2h%$ruv%!R63y6Gij!!v|z*vLC*+MO~BNA_{;}7aFbcc
zK;NjDyM3xeuW!pJ4wCawJoRdIn7+D$0rt4Q1mTZxrYF|#iP#*8a-<>gx3!LXPG_QW
zO$@gQ-z^$`ZTo!n%=%tf8PCDxcQyRfx*w~DuYkMy&XPf;&tKf1Q=Muq#Q9+^=rJ0Y
zO<uM5Tj;C>zbcdMg>Sf);L*aO7XLHJe@ytls^$1@(TzR_uT=vRo%e6Ku>beGdJY8(
zp3%fB@7osIu~>Jh_3uICaa2!CF(CG%duJEM%I-O8p$|&5{vIl9y<(on=E=^ziXUu`
zxG9x1T6f?hbF5(+R8JPF(Ob6Xd!c`?**(YkZxT4*M(GS3P%}-|Z_TxC0(<6DuER|{
z2U^kq5*-OCXUyjb`L%^k!ags4Q0fr!>DPMVomS#?=Z9y*kMq<Pj!)0!FM;bu=Jxl|
zC(sp~Q&<7i9o!yWa;&OwIl#pxP?nK-PW*uEM<HE?hm(bit7}!I%U#2$gvcVbc0l$B
zA9pFxP}SmVsH!SXFX6AIc`2!^p##)RVHBlz;{Zc7p*I$AMdL{%0DaCr9koKrm4r(=
zRX@w#7|p=Q3{twAMFoy^!s&ssX7c8ei5xG37EfDRT7bhQlIGVI394i&D%|#jL}A-Z
z0drHl9>7QSZ4zZ+;dwDb6$vMQq=|f&*=rt$Gy|C>c6Q8&&Z&WknW-r^$7@UgfU<L$
z0>)2?PFU+22;u{NP~K<2d+<ptU5sUs&+fNzm@_|Q(U>ImxgF;83(v<v??~=j9^TE)
zT^qtaOPy^zI#LW)%TQ8KMyR#$F+K@l?3TOqHPrRW9a~XHsJ+VTYAF{GOMC;Xm=sHQ
zl9!PYDDEVrq@0>I#!e}H8q|wK=H(YX<qW0}nYOB!$WqA@;jXDK$Z|xB0Ft@)oj|=J
zHHHR?2p0C|kK;fBSNTn2yOpgKI|np4co*dL-|WAYtZn(Ow6(=qQRVifE#p&l^>(UA
z@t7R+rK+E%o6^pbZ<8VY<7Fk}+7>6yqj+!*`@h--c08T?K->)z@UIennG8UTY_JtN
zFi>CH8RC%Y-6WCHG<eW+DK)C*Q*V)^nR(YtO`;6)R!sQ5QekyB9($;f%4Ar%j68xM
zc-%;OYjqRY1T2=4|Eqk!&^##MCZ+zsRX$Pv&SHg0$;8VCDS(I{0tf`3A8{}LHKl9o
zJjC9JcdnT^9dfij8VmD{8ComXvDHBI+VJ!zYNy7=P7V$Vcz?{wg4WH<in7H=WnpEH
zBo|;O^-@@|RkP-)WsK!IJG)ZyP*|peR-VJ*or@qHgKA_pW=CT7m?OV?y#FKgSdTth
z)=MF0UJgPPMG|z9x68leERdpz4Y~J#6THj-_zGVt-$Le@b2A=(D_fgl0z0JV;R*^2
zt~;J2=$*nPs^cx9eR=<s%gPMYMabrrYZbKo5GYCAo;?8sJ25)^H3GuRtJl~5+6Z#_
zLE1-32+$x_BJgz0G6>A--O1zAiyKOyh}8)(k^>lVfIfh>e@`v%7iyUB;0CuF=gE(b
z*pdx=kj*nCsq8m>R_4<nB2ldLJmVt<?jbI=K(b=Uh=8!D+i#n-wJj`Hy5obRwZlAy
z>_O9KtJ`Z2abkg|=r8?FE4GD5M45`=iX2#P;-0iJqbo9y30=MqSn?`)G{U`X%Q`76
z=}mtAE2oVj(JI+$zn9Y0ef_?J_VqwFC3UXi!LEbD?eykh6x!8`iAT4TCGzEonb9v4
z0Z{8a(%72PtzhL+MC9Zg8Tpv_W6AgTV^IvhGnoR&15c8$u)d+1n!Q-|%?6m<^0EXr
zVpX;;6o*G?Q6>06ZrCbDn&w&QIQ+M9MSHsyC`t!H-J3Ui(ooJ)_}DiTx)=dtVrBt)
zr_%$MyH*vlFQY+@rmgK{jzC}K*ADt%i>Gd2JT)$^)xpH@0~NtTAb<cvDHHPm_?e>(
zFgYZlEw8F2sM9+a4?Tq(c1u$9XIgnHwQbw>!Kh3We=qExNwHFrkdTp(^z<)QJahSp
z;^kv%nYUkFHZNoPxUGKUaASJu5PkWiQy2t?uk?z?Rvv{re|$spM4L$?4;mE}Wm7Tv
zfw-PjcgonLg0}r0dCH7IgjD)l`DsTsXLB<%tpX{1nZztP`#Sw|++mEg^~0{(Pj?r2
zUzmLaw2=`jbv?b!oj@RZO8G#VmY_i-aOJeJvhNQA=nSHfr}L=l5q4s*G?fujHpDqN
zm^?)vcn=qr9uoIXeJ=0Zjs+gh(=gkQ%jw&*1|OeG&_C9)<;jDB%Z-C78@@jp)cC+Z
zGD3p6h8Qt5&vJ2faSHI)DFl@|@b(PAFa}+p<B&1&B!Kver+zDAs%=bOp^pd*TiJA>
zB==n-2V;+=`pak{B1Jmta4egdN<?Ad(Bkg1gFG;4L6J^XRsXoB>BWz+4McuXSGRnB
zUpL+Zt*R*#u1cIVdaH84C5d5>q<P|}+whizl6Y)#6u<UYIid`>hIqupg2peKf;s@A
zWHH#+BTomo;V>Rt@*jniBF|q(v9zol1I;W)GGe_!l<3!Q-^K?ffDdCIaCYD<Zl{=o
zqGUTf#?@wm4i7tzFCOL4Y(z!7P*mk+A_Sckw8X@`#ePNlqP7HGr$F6CYh+BMBJ_^A
zleM)J6&~OStExtU?Y!5nxELnX;&vlEF&EnYKa^$)qNdllxXszguBnYg4#s|Dn~0>(
zJ>Q2yRRVdiD}ZRJNL8ymv<;6_((o1Ma_gUrU;#}fZ$<wf)!qLjyNu-j$7oHlXWY=3
zozRwJ^!Pnc3TO_-z4PGu^rqejeEzZj%`&eIfy7MwFF(&4F={^MudrK2-NE66H-Z1_
zcxb03Ib@EDU!P9+zvq$u)A{=>6RPh)s07G6O?~HY%9z3DpU{8qV4ja<kQR7Bx@su}
zHzDXRt6%6AcNY8Fb-?oU=;YH*nN?Q0IT_t1pW?6y%A0%cSYA>X0+}Zg(k5T5M3^Lm
zl7Y^d5Vj}g1d27-4z~=O(O7;+Z~)<sSB*bR<->|h%0F!_6&ahxy7ra1s6Z_yU+SWd
zfkhUA?+e=?pz_PhVB`C7Y`|CeBZjE);M(c%cY#bH26rHEq3}ibzW!660RLl>q;Qn5
zfK2N@Z7vlFgGjEDNJt;J-wAkUqUCY5>Wz#zw7+<O4PoQCiN2Lcp6za3?5GcLeB|=Y
z#ene1bPB{ol*B%T^^E=|>QTl`n2!j$290X$3d-7km$lzjb{Us6VNF{t=k!>6;sZt;
z$zj|EY5lW9F`79RByul&-H04rcB|nh#G*1fKHl`Nig{>Q#(|sB4Uw>mv*UqA(7Pa?
zEm500L2%q7^PScw_ri#DKa*BOM>7&ba<WXWDMf3YT%5JYpO`Auo4Bally@Y5aVYwc
zxFd#e;KlKMvhzYfdu<gr*ufPzaNiyZXiE86`c2bCI`Ag94gC|U@kxH}h_*5d_2zeo
z#d$=#_^Nt9i<JTwXw)XBgf}@I^4*W4uzt|eB{<<xa3f-_NFm-vS?A^Q_dYiJMb*%q
z(2^EjWaH_|-ERJuG&=ry)HV$<onP{$^hfyzE)gAQt(0L__Y7x6|Gm-$Bx}R_(qjTj
zVlPl&@z?P*kJknKz`=o?JKNXwit&{I4s6Wf%ckxvyyuJhYogotGez(_YCF=N8<PNZ
zCw_qVEOj#rvRLs+^yH)Hz!9C^HH@=`vr9{X0u-`_<<se`2V+{GZfY?A_JHz0zo?sW
z_@cngQvs?{D6Wq{G-O6A(b9P<-07b*W{el2VRp#*b1SzsZ~SMbTnod_h<EY7K3ssL
zT|7ykzgY^4rmn7(nR*xsomQXn$d6I>3zpT<n8Iu$B&S?ixZt2y#;=F<I>BKqv}U0?
zy_ksVS+dRo>B<Npw}92mxH2~bbWIupZXzRcY~I<o)RP?l;a!^o4NllL$V^mwAdk9U
z*=KF1&Mu-(RvACgDQjCQw;Wi4?9JxJ#)`X$2#f1g{RDe=JPs+ZQpdJd>^z^yfkvAZ
z_mUZ{G{Sz=NYPmc5_p?2jGuMnp}qpQ5HfXqjaF7P1u{nx&rX>-j`f+Dgf3sQ(IiGu
zS0`-5%Dn%E%&^4QXZmcsrf$%@j1Umx69Ff5c=+#Ys-M@*Z&FxV7LROZ8WHsce4H<~
zE^#$Ms93C5Vsp5%VbKfJZ_LO#x5l+61}3;YiG}(FQ>5&yt;;4rsldaB4lTLZt-zHA
zIUYG0<GLATUANV@;;O5GI$@q&3xPU?AZZx%OcQjLH`k<jN%ND*nkUI^d)Ar*Co6}>
zu=?O)KBY6{Nsl^%2`G)YzTTQS)g;u;z}V4^k$oWZ;7y=3)g~2H2o-{gI>Q#R-{G2i
z>8;p*;DJ_3+BaWIwW~vwE9pLNE7XO4H;ehn`kYBjn(ABy{rMNkb5ldOw`gv^rBzMU
zmoFMV4K>H3ettf68(n1+6ZaBx7`l}J|Ne_a@YMaqsjB>eDh9FNdEFcmXS<+<1;{Cc
zf1aruv^5XPsLj`lP2RK@h~r{p_3~7B$@%>6hUkpv)q<IwT_w|hYw5b<+1%cEsx3+{
zs`IK^HCm<AXw__0>`|N8d(YatxF~Ja-pNJ92x3-)3PsfjS0hm)iBTg&?HS?sy7%|z
z`+m-Q&U4QBocEmPd!Fa}H6IWk`e}hH=(<v?9%u}<dk%fZlWX(x_GM^BWCCAgP*7Bm
z_iGDFBeB3Bg{=N`RB!x+=P#^uoZ+!0_tqAjZAb+RS;oqYI)>$l2h3aB2N8>a%JGsh
z>F7vRRrSbaZRvDt+y@n8UVEp=;uzRS&<ADZ?bTzB5=1I0qwU&_#@!#i+w%D*+uUeQ
zQyoAqCpvh^W;#)q(apVDOCyc&W&Fx_ZoU|^4TryRiuZA(NR&_yR22_;5R~Ohg)z9Q
zT}%?2O^rP#U3nB9g5F~;_VAGUQ3VKH`=cW5{ad#;CG+7Ns~$*eZy=Np#>t{)=s*}P
zRf|4CGpLqUcGSw!K1YOw;lEU4$^7w!BBCd#(n0T*aeSfs)2V}&=!kV%QiG$Ls%opd
zeX@m!oOwD7M%~bF2{O#d4x`wIBQVYd(7bST^TEV+4t;5TamS+Pt8Nk+^@7pO!;3ii
zI0BHM2IM>8M@HdOsOSi4ce?Y0<Kv}8N7g@5*_B=MhlhtL<h5X>oyvhN;A&&IwtV&W
zZU0b6_|#M7w9!XEJf*g7cCC*qn)W+dG&_~p350M@O+o01mkGDmt}$Nls?qslw>h;9
zc178&ys@E#V(0QC2QAjzGCU&Y{v_~XC<<72cT!tTP4Jm{$%}CMjQ*y5S=Z)*0qwu!
zMFX7z-&t&XN6r(D==Zl#jV@+iiHDoDz4oHQ->DRXDIjU3>5CVTqKLutM~zL?kR}z4
z^@9!#rk<Q0j}GF3WI4+Oz<RLLDlFORf%M=5G3y;EY24`olEkju&>+FgyahlPmw2Ug
z7JfPIc5rQ+@Y410!Y~MH%`i8|h4{N}C3mjRh;QNbI*~r74uF<RiR3^Pk62<!C9#9#
z`M99her@eG+Zz?8Uccm$hRnQDhxssCHo<#66sL!Uj<`7Ph>m}JqJ+F5$j|uK*Duth
z-Z`W<>3C%igFM~g29!*&B1jgNHK`X+5rs!GG7ZH9NAn=3Kregy6&3y0h?##ja)S(A
znkT;*XS`A7H9e#;6zM@v>>pcrK9*~-=DX4;A}6g-K#gKdlaP#qFHcN_?ql!Wf5>s?
zwoQ1;?|=pl%)k)E((XAIZ@hq~a_ryHGw=Ex7x_M?^x7XTws9vWr~&7yQP)CfkzP1S
zSer2qnzxY8e-o#ri|=oKySU&aRwd1WNyd@^StLvA&1u%+79U$bjqO91o8FO!y@#(b
zWdcGyb49#P25tt<33E<*+`)=I#u)_#t+B_J%Ia?YZ$|4kn}cuPNNM)5t=r!Pb%#(*
z{}^llh>!ty3Fl7mf%)N#00W;))$u75sbOoQML`je2x8lp>D~L>Q*n2~&w&zCk#Y&^
z6&%L|5lYGEr+j{$$w`UNeED6r0Wx=f0B&UQhrW68uElg%8=)5G9ai17i)rhg<%t)+
z?6a;YSi1R}mKe{LT*7bf2L_XIBVq*V;T5ocNl(wB<Sxc#MagJ+4~No4WBHcrqAQNS
zr)3&m2Rg*AgOvhbQU2Tm5RVy}KtwdsJ$<~E7Mw>gVy&#d*clHl(Y+48T58>rl~L6E
zDnYOjvuGD`b+BQ=e4ylO#6wMq%Om9Df0E{i(c@%a|8m|NDL5^T@gtogMRQ?-MI+8V
z{G_CO$=C)0sgf6!RuU`k_~h;zQjI*-@o&gv^WXl4My;dki=A!>>famli9C2|sWWE1
zOpH#V=H=#A)e4Wi{3uqHv$gH-?7VbW_6IZ1fTFkj?pWpuspW{e&-BxxDEMH2dj@-B
z<?m_`y-_GJZL40Py5#YI`*=-;J?be_BxNtEhWm-N&|qsU0S^Q@d;_rTZD-w2{@zh(
zY(EYUCZ>;LVOc=Roz_i=8mWpaNU?ruO(JjS+d9&(06*SbAZukEgkQGEGN@dRI3DU-
zpTUzcn|>KpTDqSa>Wksj{uF>bF#8PAMj(XuE4>*~)!J<2Cp~P~3NW=M9%Jr0r=7NT
z&xsT81b}uK-_Ndmvb0WGb7x!lQ8%L0(?;xH3<x>FS!z3PAIG-ViQ6=`r)OnNY;M%=
z)6OZnDV88spMGVB)#C;MJWlb(Gj#>C{SU4?7ycpdXlSsHw;ZSQUrL4Vwu%Bwn2ts4
zZ*nb0<~I!t9A_1po^`fNt*K^^mq)LSYo@6;+2owpU8%ndM3iD?7{^a?!YH{^e1BzL
zA*WNeM7MjhsHkY0PXokDu+bdYt{``{vX4B2GY7Fv5W)~e{)v8PeJblxT9<7mzlLSX
z{f10nv8$Bevjxq!)VyjRczDFKnXXn+oo0obrq+Nu1g8#pT=Q$I?`dhK`~EQ^Po%Qy
zvv2S>&sX(}l<_Gk^|?y59*xrVytY-P4-r;Aoa}mWDR~aAe%Xy(6(kd}H;mE@h581<
zzH&wFw8x>BuKp-`aO`Fb<nQs@k4Inb)*cy>EuxTDG!yLD*)If28y~H$3B3D8cFf7n
z)=Ez4u?H}bz-Ao4nXo)>a1F?+S2@e))6`MG|A_cz*D@kjaf$bC>AXNMm`wIhE_wg)
zdu<fa+5|!=6Rw5DSVA=!`(J*1_2ntJM8$h`Y=;8uS-RJ*YwKVrMM>@f+Qz`O^o}|c
zSpU!DokGqs>hXCfYl|0K3fR6r2~KWkU^j2b91)LDBx$9g0DjN6JD0(--QtI#Pb<A?
zmR8z=8AifxXy1oI7WXyM0WbG5I84iM{!>>SKun4xL5w_B+^fno*nxj;V`lW{C~47M
z;5_09v}zDw3C;e%BVz?@0}Vgz>sNNdvIB*){*3>iQe0QZL!yd-8S9@?q;!M?G(MBS
zHTYZa;H~-YxSpnw29RIh$id-eEGaK=yq%a-1DY9y7R2S;JWsJ9diAH$>9d_cL8f9h
z0XCGVBl|Gt+WFb}*2$Hr7H@zEcVPj@)8zKEl7yj`-MrmD`_b|zJWtjzbt2{*0WJ^f
z)dN-+1C<%Ik|sQ@tt{HYk=?f9?8*sh-wq<+Whni7*YdRmaXn)IC16e!u(HnkBtY^x
z7{Q{VZmq4bBDrvQO*0BXML}vF-FiDXh#>bZh=p6Pi^@sK^UX-+JcKSuzK!yrj^`kS
z1S8`c{cs;Gp<(k!(ghfJe(nk-ENo$*HyXX!CZ|LsAiw|2)hx{Y>HjHhM0}fhrFeGq
z%VwI>1eLW__<^p8sWCv0oXi$C3P=oaadFL0zJ)2CHg|kF3LbwbDG${}@BW$)LwKw+
z^2T-FjlIxyh<8?mncIvjE-%l8F}FwHf?KP$jGRz*Q{qw*LB+e(`-1N8oWTgf@!Y;C
zJ%d{GZBD^>ZEbDSBH@BUWyoLMog;_kbh+>WT4*B{%rpIp9`x*ZQ%1<xOqj{7#kWMo
zAao~n<-Ogl@t6Xo2tOU^M;Hw2MHmz=8A#VLvzf6}ubB2(1<SBw#r2%ARnmFrfF{d|
zA53q-&7ydqVxH|*o}dlS)684%gI|V5ImPTN(4g<7$FM1z+w0m6YksKq(#9!Q@f+8F
zX=Ly-r=-*?2qaxdumk?V7Y|XVtyCWT5*?e267kAReJ%-$^l#aE`Kqi>2tO=U3u0U1
z+k+UvXcXEcoBktji-qmOce~O9+80x2$pIEL^dApJDjY%-*)ClJ(+&}0qBm9%#3=1X
z4ymS^Z)P7b2&hSj#hpY`deEHNhQ4&nG>89`J0+YB6r=RP#6hf`c5aWr4!g+!n$vrx
zpLGGt5EIW^mA*V=dlBSY@zOdw$ZNCiN-6Ce&kuQmOT=_|$&qY~)fql;d{v$KHTrcH
z<;k7v5)VKsU!mbCHj;A}ZyR@y)@h!V;Ny?!T$#L>cOAs%1S?!I?NU$zkC$VwvVeHz
z=n6S!=8I2GbZS<@IO>Q%>4U!0%F6cZtb*kUm3CQYgnJhRHzukpo}EW{*t}2tsrkY3
zoNe@L7TA`)o@c4>88sxM*%%!H5if_If`DW)zh2i<$V?420$eN*s4L0emSCJFH!_P8
z`e+doCsNULb2up^rsTg54Juw|#S2M<g+2^HaK*KN<_vpIe<wVK3)AWU*R<HjPR*}*
z=KFHDKr!gpNMl^0L|QBP%&Pd9HaP|*{g`q9l+h3LeI<N$g~H?bT)KgsH7|?j6Wz0>
zklfj)74Cc|3M^-!jLZctvo}kdCb@7X5T6UlG1T_|))#b!Uu5H^fq;(j1Vo`tr0XE1
z<I-Gb)m1BhujW)rM~vS&H}jHt!>g)`lXvok%$Xz4$5ZkCoE(@CwFmiYgn@oeq_bS;
z;Nvam+dp?J{u_3I3ROHIkYavSJuvqx)653bDe2Vgm(jn*@S}dO7x&^>ch}IDbSgoK
zI#OE>6y+-BGeeEyODl1GSNKe&L7d7AJmvmplUQ<Z3z$G2BL>0$KeGUjEb#N$hELDN
z`BCf;6NsVj^-v|}8TygSv@b3KiUD!Xd|3HcicS1%K*oArs0W@+n2c?Z0+`Jj=&s*&
zz2JY}{M=J?_+WFcvn^y89)1Rd^c3(wUod_KZLVUIq0f^HAX$TkNb8P+7N3qM1){}c
z8Bvxez}Zk4Db(Ixhyygg0%QqD1*C(&JqRSnLc_9v=1gU<RY3kv;Pz3R8gN~&a|<C5
zf9==OLpPJRs`Ez)dna+a2%IJ(ASXfgKm4`x7M5lC#a|zqKR_E|x0m9$c{AsTo*v`;
zDye)a%H#|pV^iH6z4~{@?|{BiZy<Q283LU1rw1sWWfCuDqagzELqo#=uzpq9l}j{3
zbJZOIcqhM!tG=W}`2BLpI^@vwi14-NoE$(+GuXY;m`57E2nnamvzj%)x+=BGwz2;M
Dt;&o0

diff --git a/go.mod b/go.mod
index 2d6c815520..4f14fd5261 100644
--- a/go.mod
+++ b/go.mod
@@ -42,7 +42,6 @@ require (
 	github.com/jarcoal/jpath v0.0.0-20140328210829-f76b8b2dbf52
 	github.com/jinzhu/gorm v1.9.16
 	github.com/k3a/html2text v1.2.1
-	github.com/kevinburke/twilio-go v0.0.0-20240623211326-c7334b537077
 	github.com/lucasb-eyer/go-colorful v1.2.0
 	github.com/minio/minio-go/v7 v7.0.73
 	github.com/mitchellh/mapstructure v1.5.0
@@ -60,6 +59,7 @@ require (
 	github.com/stretchr/testify v1.9.0
 	github.com/superseriousbusiness/exifremove v0.0.0-20210330092427-6acd27eac203
 	github.com/ttacon/libphonenumber v1.2.1
+	github.com/twilio/twilio-go v1.22.2
 	github.com/zitadel/logging v0.6.0
 	github.com/zitadel/oidc/v3 v3.28.1
 	github.com/zitadel/passwap v0.6.0
@@ -103,6 +103,7 @@ require (
 	github.com/goccy/go-json v0.10.3 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
+	github.com/golang/mock v1.6.0 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/go-tpm v0.9.0 // indirect
 	github.com/google/pprof v0.0.0-20240528025155-186aa0362fba // indirect
@@ -157,7 +158,6 @@ require (
 	github.com/go-sourcemap/sourcemap v2.1.4+incompatible // indirect
 	github.com/go-xmlfmt/xmlfmt v1.1.2 // indirect
 	github.com/gofrs/flock v0.8.1 // indirect
-	github.com/gofrs/uuid v4.4.0+incompatible // indirect
 	github.com/golang/geo v0.0.0-20230421003525-6adc56603217 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/uuid v1.6.0
@@ -172,8 +172,6 @@ require (
 	github.com/jackc/pgservicefile v0.0.0-20231201235250-de7065d80cb9 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jonboulle/clockwork v0.4.0
-	github.com/kevinburke/go-types v0.0.0-20210723172823-2deba1f80ba7 // indirect
-	github.com/kevinburke/rest v0.0.0-20240617045629-3ed0ad3487f0 // indirect
 	github.com/klauspost/compress v1.17.9 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
diff --git a/go.sum b/go.sum
index 606f4048cc..ac626ea25a 100644
--- a/go.sum
+++ b/go.sum
@@ -239,7 +239,6 @@ github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LB
 github.com/go-sql-driver/mysql v1.7.1 h1:lUIinVbN1DY0xBg0eMOzmmtGoHwWBbvnWubQUrtU8EI=
 github.com/go-sql-driver/mysql v1.7.1/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
-github.com/go-stack/stack v1.8.1/go.mod h1:dcoOX6HbPZSZptuspn9bctJ+N/CnF5gGygcUP3XYfe4=
 github.com/go-webauthn/webauthn v0.10.2 h1:OG7B+DyuTytrEPFmTX503K77fqs3HDK/0Iv+z8UYbq4=
 github.com/go-webauthn/webauthn v0.10.2/go.mod h1:Gd1IDsGAybuvK1NkwUTLbGmeksxuRJjVN2PE/xsPxHs=
 github.com/go-webauthn/x v0.1.9 h1:v1oeLmoaa+gPOaZqUdDentu6Rl7HkSSsmOT6gxEQHhE=
@@ -254,13 +253,12 @@ github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA=
 github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/gofrs/flock v0.8.1 h1:+gYjHKf32LDeiEEFhQaotPbLuUXjY5ZqxKgXy7n59aw=
 github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
-github.com/gofrs/uuid v4.4.0+incompatible h1:3qXRTX8/NbyulANqlc0lchS1gqAVxRgsuW1YrTJupqA=
-github.com/gofrs/uuid v4.4.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gogo/googleapis v1.1.0/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFGgqEef3s=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
@@ -396,7 +394,6 @@ github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpO
 github.com/hudl/fargo v1.3.0/go.mod h1:y3CKSmjA+wD2gak7sUSXTAoopbhU08POFhmITJgmKTg=
 github.com/improbable-eng/grpc-web v0.15.0 h1:BN+7z6uNXZ1tQGcNAuaU1YjsLTApzkjt2tzCixLaUPQ=
 github.com/improbable-eng/grpc-web v0.15.0/go.mod h1:1sy9HKV4Jt9aEs9JSnkWlRJPuPtwNr0l57L4f878wP8=
-github.com/inconshreveable/log15 v3.0.0-testing.5+incompatible/go.mod h1:cOaXtrgN4ScfRrD9Bre7U1thNq5RtJ8ZoP4iXVGRj6o=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
@@ -450,12 +447,6 @@ github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7V
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
 github.com/k3a/html2text v1.2.1 h1:nvnKgBvBR/myqrwfLuiqecUtaK1lB9hGziIJKatNFVY=
 github.com/k3a/html2text v1.2.1/go.mod h1:ieEXykM67iT8lTvEWBh6fhpH4B23kB9OMKPdIBmgUqA=
-github.com/kevinburke/go-types v0.0.0-20210723172823-2deba1f80ba7 h1:K8qael4LemsmJCGt+ccI8b0fCNFDttmEu3qtpFt3G0M=
-github.com/kevinburke/go-types v0.0.0-20210723172823-2deba1f80ba7/go.mod h1:/Pk5i/SqYdYv1cie5wGwoZ4P6TpgMi+Yf58mtJSHdOw=
-github.com/kevinburke/rest v0.0.0-20240617045629-3ed0ad3487f0 h1:qksAIHu0d4vkA0rIePBn+K9eO33RxkUMiceFn3T7lO4=
-github.com/kevinburke/rest v0.0.0-20240617045629-3ed0ad3487f0/go.mod h1:dcLMT8KO9krIMJQ4578Lex1Su6ewuJUqEDeQ1nTORug=
-github.com/kevinburke/twilio-go v0.0.0-20240623211326-c7334b537077 h1:IBBYDggH8Ra+xBzJ/7e+X9MG5TUNQ6kjyU2qf08m8c8=
-github.com/kevinburke/twilio-go v0.0.0-20240623211326-c7334b537077/go.mod h1:ywO98mC3XU46KlDLgCDChBOpf5CihdaETKriwam/8eE=
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
@@ -489,6 +480,8 @@ github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20190605223551-bc2310a04743/go.mod h1:qklhhLq1aX+mtWk9cPHPzaBjWImj5ULL6C7HFJtXQMM=
 github.com/lightstep/lightstep-tracer-go v0.18.1/go.mod h1:jlF1pusYV4pidLvZ+XD0UBX0ZE6WURAspgAczcDHrL4=
+github.com/localtunnel/go-localtunnel v0.0.0-20170326223115-8a804488f275 h1:IZycmTpoUtQK3PD60UYBwjaCUHUP7cML494ao9/O8+Q=
+github.com/localtunnel/go-localtunnel v0.0.0-20170326223115-8a804488f275/go.mod h1:zt6UU74K6Z6oMOYJbJzYpYucqdcQwSMPBEdSvGiaUMw=
 github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
 github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
 github.com/lyft/protoc-gen-validate v0.0.13/go.mod h1:XbGvPuh87YZc5TdIa2/I4pLk0QoUACkjt2znoq26NVQ=
@@ -556,6 +549,7 @@ github.com/nbio/st v0.0.0-20140626010706-e9e8d9816f32 h1:W6apQkHrMkS0Muv8G/TipAy
 github.com/nbio/st v0.0.0-20140626010706-e9e8d9816f32/go.mod h1:9wM+0iRr9ahx58uYLpLIr5fm8diHn0JbqRycJi6w0Ms=
 github.com/nicksnyder/go-i18n/v2 v2.4.0 h1:3IcvPOAvnCKwNm0TB0dLDTuawWEj+ax/RERNC+diLMM=
 github.com/nicksnyder/go-i18n/v2 v2.4.0/go.mod h1:nxYSZE9M0bf3Y70gPQjN9ha7XNHX7gMc814+6wVyEI4=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/oklog/oklog v0.3.2/go.mod h1:FCV+B7mhrz4o+ueLpx+KqkyXRGMWOYEvfiXtdGtbWGs=
 github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA=
 github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo=
@@ -706,6 +700,8 @@ github.com/ttacon/builder v0.0.0-20170518171403-c099f663e1c2 h1:5u+EJUQiosu3JFX0
 github.com/ttacon/builder v0.0.0-20170518171403-c099f663e1c2/go.mod h1:4kyMkleCiLkgY6z8gK5BkI01ChBtxR0ro3I1ZDcGM3w=
 github.com/ttacon/libphonenumber v1.2.1 h1:fzOfY5zUADkCkbIafAed11gL1sW+bJ26p6zWLBMElR4=
 github.com/ttacon/libphonenumber v1.2.1/go.mod h1:E0TpmdVMq5dyVlQ7oenAkhsLu86OkUl+yR4OAxyEg/M=
+github.com/twilio/twilio-go v1.22.2 h1:LUz6OTWKY4/oW4e+O2ah2JMq03gJvGu6bxaF0Y7l+Xc=
+github.com/twilio/twilio-go v1.22.2/go.mod h1:zRkMjudW7v7MqQ3cWNZmSoZJ7EBjPZ4OpNh2zm7Q6ko=
 github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw=
 github.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLYF3GoBXY=
 github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
@@ -719,6 +715,7 @@ github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 h1:+qGGcbkzsfDQNPPe
 github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913/go.mod h1:4aEEwZQutDLsQv2Deui4iYQ6DWTxR14g6m8Wv88+Xqk=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/zenazn/goji v1.0.1 h1:4lbD8Mx2h7IvloP7r2C0D6ltZP6Ufip8Hn0wmSK5LR8=
 github.com/zenazn/goji v1.0.1/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q=
@@ -815,6 +812,7 @@ golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzB
 golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20180218175443-cbe0f9307d01/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -849,6 +847,7 @@ golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81R
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
@@ -870,6 +869,7 @@ golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
@@ -901,7 +901,9 @@ golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -912,8 +914,6 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
@@ -922,7 +922,6 @@ golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9sn
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
-golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -958,6 +957,7 @@ golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapK
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
+golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1018,6 +1018,7 @@ gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLks
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
diff --git a/internal/api/grpc/admin/sms_converter.go b/internal/api/grpc/admin/sms_converter.go
index d13b68f558..72f33cb548 100644
--- a/internal/api/grpc/admin/sms_converter.go
+++ b/internal/api/grpc/admin/sms_converter.go
@@ -64,8 +64,9 @@ func HTTPConfigToPb(http *query.HTTP) *settings_pb.SMSProvider_Http {
 func TwilioConfigToPb(twilio *query.Twilio) *settings_pb.SMSProvider_Twilio {
 	return &settings_pb.SMSProvider_Twilio{
 		Twilio: &settings_pb.TwilioConfig{
-			Sid:          twilio.SID,
-			SenderNumber: twilio.SenderNumber,
+			Sid:              twilio.SID,
+			SenderNumber:     twilio.SenderNumber,
+			VerifyServiceSid: twilio.VerifyServiceSID,
 		},
 	}
 }
@@ -83,21 +84,23 @@ func smsStateToPb(state domain.SMSConfigState) settings_pb.SMSProviderConfigStat
 
 func addSMSConfigTwilioToConfig(ctx context.Context, req *admin_pb.AddSMSProviderTwilioRequest) *command.AddTwilioConfig {
 	return &command.AddTwilioConfig{
-		ResourceOwner: authz.GetInstance(ctx).InstanceID(),
-		Description:   req.Description,
-		SID:           req.Sid,
-		SenderNumber:  req.SenderNumber,
-		Token:         req.Token,
+		ResourceOwner:    authz.GetInstance(ctx).InstanceID(),
+		Description:      req.Description,
+		SID:              req.Sid,
+		SenderNumber:     req.SenderNumber,
+		Token:            req.Token,
+		VerifyServiceSID: req.VerifyServiceSid,
 	}
 }
 
 func updateSMSConfigTwilioToConfig(ctx context.Context, req *admin_pb.UpdateSMSProviderTwilioRequest) *command.ChangeTwilioConfig {
 	return &command.ChangeTwilioConfig{
-		ResourceOwner: authz.GetInstance(ctx).InstanceID(),
-		ID:            req.Id,
-		Description:   gu.Ptr(req.Description),
-		SID:           gu.Ptr(req.Sid),
-		SenderNumber:  gu.Ptr(req.SenderNumber),
+		ResourceOwner:    authz.GetInstance(ctx).InstanceID(),
+		ID:               req.Id,
+		Description:      gu.Ptr(req.Description),
+		SID:              gu.Ptr(req.Sid),
+		SenderNumber:     gu.Ptr(req.SenderNumber),
+		VerifyServiceSID: gu.Ptr(req.VerifyServiceSid),
 	}
 }
 
diff --git a/internal/command/command.go b/internal/command/command.go
index 30e383c5df..4ee8310525 100644
--- a/internal/command/command.go
+++ b/internal/command/command.go
@@ -24,6 +24,7 @@ import (
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/id"
+	"github.com/zitadel/zitadel/internal/notification/senders"
 	"github.com/zitadel/zitadel/internal/static"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 	webauthn_helper "github.com/zitadel/zitadel/internal/webauthn"
@@ -64,6 +65,7 @@ type Commands struct {
 	defaultAccessTokenLifetime      time.Duration
 	defaultRefreshTokenLifetime     time.Duration
 	defaultRefreshTokenIdleLifetime time.Duration
+	phoneCodeVerifier               func(ctx context.Context, id string) (senders.CodeGenerator, error)
 
 	multifactors            domain.MultifactorConfigs
 	webauthnConfig          *webauthn_helper.Config
@@ -179,6 +181,7 @@ func StartCommands(
 	if defaultSecretGenerators != nil && defaultSecretGenerators.ClientSecret != nil {
 		repo.newHashedSecret = newHashedSecretWithDefault(secretHasher, defaultSecretGenerators.ClientSecret)
 	}
+	repo.phoneCodeVerifier = repo.phoneCodeVerifierFromConfig
 	return repo, nil
 }
 
diff --git a/internal/command/crypto.go b/internal/command/crypto.go
index 45c597fd95..94b009aaa2 100644
--- a/internal/command/crypto.go
+++ b/internal/command/crypto.go
@@ -13,6 +13,8 @@ type encrypedCodeFunc func(ctx context.Context, filter preparation.FilterToQuery
 
 type encryptedCodeWithDefaultFunc func(ctx context.Context, filter preparation.FilterToQueryReducer, typ domain.SecretGeneratorType, alg crypto.EncryptionAlgorithm, defaultConfig *crypto.GeneratorConfig) (*EncryptedCode, error)
 
+type encryptedCodeGeneratorWithDefaultFunc func(ctx context.Context, filter preparation.FilterToQueryReducer, typ domain.SecretGeneratorType, alg crypto.EncryptionAlgorithm, defaultConfig *crypto.GeneratorConfig) (*EncryptedCode, string, error)
+
 var emptyConfig = &crypto.GeneratorConfig{}
 
 type EncryptedCode struct {
@@ -21,6 +23,27 @@ type EncryptedCode struct {
 	Expiry  time.Duration
 }
 
+func (e *EncryptedCode) CryptedCode() *crypto.CryptoValue {
+	if e == nil {
+		return nil
+	}
+	return e.Crypted
+}
+
+func (e *EncryptedCode) PlainCode() string {
+	if e == nil {
+		return ""
+	}
+	return e.Plain
+}
+
+func (e *EncryptedCode) CodeExpiry() time.Duration {
+	if e == nil {
+		return 0
+	}
+	return e.Expiry
+}
+
 func newEncryptedCode(ctx context.Context, filter preparation.FilterToQueryReducer, typ domain.SecretGeneratorType, alg crypto.EncryptionAlgorithm) (*EncryptedCode, error) {
 	return newEncryptedCodeWithDefaultConfig(ctx, filter, typ, alg, emptyConfig)
 }
diff --git a/internal/command/crypto_test.go b/internal/command/crypto_test.go
index 815539120a..03a5f61975 100644
--- a/internal/command/crypto_test.go
+++ b/internal/command/crypto_test.go
@@ -49,6 +49,27 @@ func mockEncryptedCodeWithDefault(code string, exp time.Duration) encryptedCodeW
 	}
 }
 
+func mockEncryptedCodeGeneratorWithDefault(code string, exp time.Duration) encryptedCodeGeneratorWithDefaultFunc {
+	return func(ctx context.Context, filter preparation.FilterToQueryReducer, _ domain.SecretGeneratorType, alg crypto.EncryptionAlgorithm, _ *crypto.GeneratorConfig) (*EncryptedCode, string, error) {
+		return &EncryptedCode{
+			Crypted: &crypto.CryptoValue{
+				CryptoType: crypto.TypeEncryption,
+				Algorithm:  "enc",
+				KeyID:      "id",
+				Crypted:    []byte(code),
+			},
+			Plain:  code,
+			Expiry: exp,
+		}, "", nil
+	}
+}
+
+func mockEncryptedCodeGeneratorWithDefaultExternal(id string) encryptedCodeGeneratorWithDefaultFunc {
+	return func(ctx context.Context, filter preparation.FilterToQueryReducer, _ domain.SecretGeneratorType, alg crypto.EncryptionAlgorithm, _ *crypto.GeneratorConfig) (*EncryptedCode, string, error) {
+		return nil, id, nil
+	}
+}
+
 func mockHashedSecret(secret string) hashedSecretFunc {
 	return func(_ context.Context, _ preparation.FilterToQueryReducer) (encodedHash string, plain string, err error) {
 		return secret, secret, nil
diff --git a/internal/command/phone.go b/internal/command/phone.go
index 0770231969..8d971e2f98 100644
--- a/internal/command/phone.go
+++ b/internal/command/phone.go
@@ -16,6 +16,16 @@ type Phone struct {
 	ReturnCode bool
 }
 
-func (c *Commands) newPhoneCode(ctx context.Context, filter preparation.FilterToQueryReducer, alg crypto.EncryptionAlgorithm) (*EncryptedCode, error) {
-	return c.newEncryptedCode(ctx, filter, domain.SecretGeneratorTypeVerifyPhoneCode, alg)
+// newPhoneCode generates a new code to be sent out to via SMS or
+// returns the ID of the external code provider (e.g. when using Twilio verification API)
+func (c *Commands) newPhoneCode(ctx context.Context, filter preparation.FilterToQueryReducer, secretGeneratorType domain.SecretGeneratorType, alg crypto.EncryptionAlgorithm, defaultConfig *crypto.GeneratorConfig) (*EncryptedCode, string, error) {
+	externalID, err := c.activeSMSProvider(ctx)
+	if err != nil {
+		return nil, "", err
+	}
+	if externalID != "" {
+		return nil, externalID, nil
+	}
+	code, err := c.newEncryptedCodeWithDefault(ctx, filter, secretGeneratorType, alg, defaultConfig)
+	return code, "", err
 }
diff --git a/internal/command/session.go b/internal/command/session.go
index ccc224cab7..dafb10b818 100644
--- a/internal/command/session.go
+++ b/internal/command/session.go
@@ -16,6 +16,7 @@ import (
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/id"
+	"github.com/zitadel/zitadel/internal/notification/senders"
 	"github.com/zitadel/zitadel/internal/repository/session"
 	"github.com/zitadel/zitadel/internal/repository/user"
 	"github.com/zitadel/zitadel/internal/zerrors"
@@ -31,13 +32,15 @@ type SessionCommands struct {
 	eventstore        *eventstore.Eventstore
 	eventCommands     []eventstore.Command
 
-	hasher      *crypto.Hasher
-	intentAlg   crypto.EncryptionAlgorithm
-	totpAlg     crypto.EncryptionAlgorithm
-	otpAlg      crypto.EncryptionAlgorithm
-	createCode  encryptedCodeWithDefaultFunc
-	createToken func(sessionID string) (id string, token string, err error)
-	now         func() time.Time
+	hasher          *crypto.Hasher
+	intentAlg       crypto.EncryptionAlgorithm
+	totpAlg         crypto.EncryptionAlgorithm
+	otpAlg          crypto.EncryptionAlgorithm
+	createCode      encryptedCodeWithDefaultFunc
+	createPhoneCode encryptedCodeGeneratorWithDefaultFunc
+	createToken     func(sessionID string) (id string, token string, err error)
+	getCodeVerifier func(ctx context.Context, id string) (senders.CodeGenerator, error)
+	now             func() time.Time
 }
 
 func (c *Commands) NewSessionCommands(cmds []SessionCommand, session *SessionWriteModel) *SessionCommands {
@@ -50,6 +53,7 @@ func (c *Commands) NewSessionCommands(cmds []SessionCommand, session *SessionWri
 		totpAlg:           c.multifactors.OTP.CryptoMFA,
 		otpAlg:            c.userEncryption,
 		createCode:        c.newEncryptedCodeWithDefault,
+		createPhoneCode:   c.newPhoneCode,
 		createToken:       c.sessionTokenCreator,
 		now:               time.Now,
 	}
@@ -188,8 +192,8 @@ func (s *SessionCommands) TOTPChecked(ctx context.Context, checkedAt time.Time)
 	s.eventCommands = append(s.eventCommands, session.NewTOTPCheckedEvent(ctx, s.sessionWriteModel.aggregate, checkedAt))
 }
 
-func (s *SessionCommands) OTPSMSChallenged(ctx context.Context, code *crypto.CryptoValue, expiry time.Duration, returnCode bool) {
-	s.eventCommands = append(s.eventCommands, session.NewOTPSMSChallengedEvent(ctx, s.sessionWriteModel.aggregate, code, expiry, returnCode))
+func (s *SessionCommands) OTPSMSChallenged(ctx context.Context, code *crypto.CryptoValue, expiry time.Duration, returnCode bool, generatorID string) {
+	s.eventCommands = append(s.eventCommands, session.NewOTPSMSChallengedEvent(ctx, s.sessionWriteModel.aggregate, code, expiry, returnCode, generatorID))
 }
 
 func (s *SessionCommands) OTPSMSChecked(ctx context.Context, checkedAt time.Time) {
diff --git a/internal/command/session_model.go b/internal/command/session_model.go
index e418a3adb3..646bee97e9 100644
--- a/internal/command/session_model.go
+++ b/internal/command/session_model.go
@@ -20,9 +20,11 @@ type WebAuthNChallengeModel struct {
 }
 
 type OTPCode struct {
-	Code         *crypto.CryptoValue
-	Expiry       time.Duration
-	CreationDate time.Time
+	Code           *crypto.CryptoValue
+	Expiry         time.Duration
+	CreationDate   time.Time
+	GeneratorID    string
+	VerificationID string
 }
 
 func (p *WebAuthNChallengeModel) WebAuthNLogin(human *domain.Human, credentialAssertionData []byte) *domain.WebAuthNLogin {
@@ -92,6 +94,8 @@ func (wm *SessionWriteModel) Reduce() error {
 			wm.reduceTOTPChecked(e)
 		case *session.OTPSMSChallengedEvent:
 			wm.reduceOTPSMSChallenged(e)
+		case *session.OTPSMSSentEvent:
+			wm.reduceOTPSMSSent(e)
 		case *session.OTPSMSCheckedEvent:
 			wm.reduceOTPSMSChecked(e)
 		case *session.OTPEmailChallengedEvent:
@@ -123,6 +127,7 @@ func (wm *SessionWriteModel) Query() *eventstore.SearchQueryBuilder {
 			session.WebAuthNCheckedType,
 			session.TOTPCheckedType,
 			session.OTPSMSChallengedType,
+			session.OTPSMSSentType,
 			session.OTPSMSCheckedType,
 			session.OTPEmailChallengedType,
 			session.OTPEmailCheckedType,
@@ -183,9 +188,15 @@ func (wm *SessionWriteModel) reduceOTPSMSChallenged(e *session.OTPSMSChallengedE
 		Code:         e.Code,
 		Expiry:       e.Expiry,
 		CreationDate: e.CreationDate(),
+		GeneratorID:  e.GeneratorID,
 	}
 }
 
+func (wm *SessionWriteModel) reduceOTPSMSSent(e *session.OTPSMSSentEvent) {
+	wm.OTPSMSCodeChallenge.GeneratorID = e.GeneratorInfo.GetID()
+	wm.OTPSMSCodeChallenge.VerificationID = e.GeneratorInfo.GetVerificationID()
+}
+
 func (wm *SessionWriteModel) reduceOTPSMSChecked(e *session.OTPSMSCheckedEvent) {
 	wm.OTPSMSCodeChallenge = nil
 	wm.OTPSMSCheckedAt = e.CheckedAt
diff --git a/internal/command/session_otp.go b/internal/command/session_otp.go
index 6b7e20fb1a..6a4517c982 100644
--- a/internal/command/session_otp.go
+++ b/internal/command/session_otp.go
@@ -8,6 +8,7 @@ import (
 
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/notification/senders"
 	"github.com/zitadel/zitadel/internal/repository/session"
 	"github.com/zitadel/zitadel/internal/repository/user"
 	"github.com/zitadel/zitadel/internal/zerrors"
@@ -33,19 +34,19 @@ func (c *Commands) createOTPSMSChallenge(returnCode bool, dst *string) SessionCo
 		if !writeModel.OTPAdded() {
 			return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-BJ2g3", "Errors.User.MFA.OTP.NotReady")
 		}
-		code, err := cmd.createCode(ctx, cmd.eventstore.Filter, domain.SecretGeneratorTypeOTPSMS, cmd.otpAlg, c.defaultSecretGenerators.OTPSMS)
+		code, generatorID, err := cmd.createPhoneCode(ctx, cmd.eventstore.Filter, domain.SecretGeneratorTypeOTPSMS, cmd.otpAlg, c.defaultSecretGenerators.OTPSMS) //nolint:staticcheck
 		if err != nil {
 			return nil, err
 		}
 		if returnCode {
 			*dst = code.Plain
 		}
-		cmd.OTPSMSChallenged(ctx, code.Crypted, code.Expiry, returnCode)
+		cmd.OTPSMSChallenged(ctx, code.CryptedCode(), code.CodeExpiry(), returnCode, generatorID)
 		return nil, nil
 	}
 }
 
-func (c *Commands) OTPSMSSent(ctx context.Context, sessionID, resourceOwner string) error {
+func (c *Commands) OTPSMSSent(ctx context.Context, sessionID, resourceOwner string, generatorInfo *senders.CodeGeneratorInfo) error {
 	sessionWriteModel := NewSessionWriteModel(sessionID, resourceOwner)
 	err := c.eventstore.FilterToQueryReducer(ctx, sessionWriteModel)
 	if err != nil {
@@ -55,7 +56,7 @@ func (c *Commands) OTPSMSSent(ctx context.Context, sessionID, resourceOwner stri
 		return zerrors.ThrowPreconditionFailed(nil, "COMMAND-G3t31", "Errors.User.Code.NotFound")
 	}
 	return c.pushAppendAndReduce(ctx, sessionWriteModel,
-		session.NewOTPSMSSentEvent(ctx, &session.NewAggregate(sessionID, sessionWriteModel.ResourceOwner).Aggregate),
+		session.NewOTPSMSSentEvent(ctx, &session.NewAggregate(sessionID, sessionWriteModel.ResourceOwner).Aggregate, generatorInfo),
 	)
 }
 
@@ -86,7 +87,7 @@ func (c *Commands) createOTPEmailChallenge(returnCode bool, urlTmpl string, dst
 		if !writeModel.OTPAdded() {
 			return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-JKLJ3", "Errors.User.MFA.OTP.NotReady")
 		}
-		code, err := cmd.createCode(ctx, cmd.eventstore.Filter, domain.SecretGeneratorTypeOTPEmail, cmd.otpAlg, c.defaultSecretGenerators.OTPEmail)
+		code, err := cmd.createCode(ctx, cmd.eventstore.Filter, domain.SecretGeneratorTypeOTPEmail, cmd.otpAlg, c.defaultSecretGenerators.OTPEmail) //nolint:staticcheck
 		if err != nil {
 			return nil, err
 		}
@@ -130,7 +131,19 @@ func CheckOTPSMS(code string) SessionCommand {
 		failedEvent := func(ctx context.Context, aggregate *eventstore.Aggregate, info *user.AuthRequestInfo) eventstore.Command {
 			return user.NewHumanOTPSMSCheckFailedEvent(ctx, aggregate, nil)
 		}
-		commands, err := checkOTP(ctx, cmd.sessionWriteModel.UserID, code, "", nil, writeModel, cmd.eventstore.FilterToQueryReducer, cmd.otpAlg, succeededEvent, failedEvent)
+		commands, err := checkOTP(
+			ctx,
+			cmd.sessionWriteModel.UserID,
+			code,
+			"",
+			nil,
+			writeModel,
+			cmd.eventstore.FilterToQueryReducer,
+			cmd.otpAlg,
+			cmd.getCodeVerifier,
+			succeededEvent,
+			failedEvent,
+		)
 		if err != nil {
 			return commands, err
 		}
@@ -158,7 +171,19 @@ func CheckOTPEmail(code string) SessionCommand {
 		failedEvent := func(ctx context.Context, aggregate *eventstore.Aggregate, info *user.AuthRequestInfo) eventstore.Command {
 			return user.NewHumanOTPEmailCheckFailedEvent(ctx, aggregate, nil)
 		}
-		commands, err := checkOTP(ctx, cmd.sessionWriteModel.UserID, code, "", nil, writeModel, cmd.eventstore.FilterToQueryReducer, cmd.otpAlg, succeededEvent, failedEvent)
+		commands, err := checkOTP(
+			ctx,
+			cmd.sessionWriteModel.UserID,
+			code,
+			"",
+			nil,
+			writeModel,
+			cmd.eventstore.FilterToQueryReducer,
+			cmd.otpAlg,
+			cmd.getCodeVerifier,
+			succeededEvent,
+			failedEvent,
+		)
 		if err != nil {
 			return commands, err
 		}
diff --git a/internal/command/session_otp_test.go b/internal/command/session_otp_test.go
index d6934d0472..3e061749b0 100644
--- a/internal/command/session_otp_test.go
+++ b/internal/command/session_otp_test.go
@@ -11,6 +11,7 @@ import (
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/notification/senders"
 	"github.com/zitadel/zitadel/internal/repository/org"
 	"github.com/zitadel/zitadel/internal/repository/session"
 	"github.com/zitadel/zitadel/internal/repository/user"
@@ -19,9 +20,9 @@ import (
 
 func TestCommands_CreateOTPSMSChallengeReturnCode(t *testing.T) {
 	type fields struct {
-		userID     string
-		eventstore func(*testing.T) *eventstore.Eventstore
-		createCode encryptedCodeWithDefaultFunc
+		userID          string
+		eventstore      func(*testing.T) *eventstore.Eventstore
+		createPhoneCode encryptedCodeGeneratorWithDefaultFunc
 	}
 	type res struct {
 		err        error
@@ -66,7 +67,7 @@ func TestCommands_CreateOTPSMSChallengeReturnCode(t *testing.T) {
 						),
 					),
 				),
-				createCode: mockEncryptedCodeWithDefault("1234567", 5*time.Minute),
+				createPhoneCode: mockEncryptedCodeGeneratorWithDefault("1234567", 5*time.Minute),
 			},
 			res: res{
 				returnCode: "1234567",
@@ -80,6 +81,7 @@ func TestCommands_CreateOTPSMSChallengeReturnCode(t *testing.T) {
 						},
 						5*time.Minute,
 						true,
+						"",
 					),
 				},
 			},
@@ -107,7 +109,7 @@ func TestCommands_CreateOTPSMSChallengeReturnCode(t *testing.T) {
 				sessionCommands:   []SessionCommand{cmd},
 				sessionWriteModel: sessionModel,
 				eventstore:        tt.fields.eventstore(t),
-				createCode:        tt.fields.createCode,
+				createPhoneCode:   tt.fields.createPhoneCode,
 				now:               time.Now,
 			}
 
@@ -122,9 +124,9 @@ func TestCommands_CreateOTPSMSChallengeReturnCode(t *testing.T) {
 
 func TestCommands_CreateOTPSMSChallenge(t *testing.T) {
 	type fields struct {
-		userID     string
-		eventstore func(*testing.T) *eventstore.Eventstore
-		createCode encryptedCodeWithDefaultFunc
+		userID          string
+		eventstore      func(*testing.T) *eventstore.Eventstore
+		createPhoneCode encryptedCodeGeneratorWithDefaultFunc
 	}
 	type res struct {
 		err      error
@@ -168,7 +170,7 @@ func TestCommands_CreateOTPSMSChallenge(t *testing.T) {
 						),
 					),
 				),
-				createCode: mockEncryptedCodeWithDefault("1234567", 5*time.Minute),
+				createPhoneCode: mockEncryptedCodeGeneratorWithDefault("1234567", 5*time.Minute),
 			},
 			res: res{
 				commands: []eventstore.Command{
@@ -181,6 +183,31 @@ func TestCommands_CreateOTPSMSChallenge(t *testing.T) {
 						},
 						5*time.Minute,
 						false,
+						"",
+					),
+				},
+			},
+		},
+		{
+			name: "generate code externally",
+			fields: fields{
+				userID: "userID",
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							user.NewHumanOTPSMSAddedEvent(context.Background(), &user.NewAggregate("userID", "org").Aggregate),
+						),
+					),
+				),
+				createPhoneCode: mockEncryptedCodeGeneratorWithDefaultExternal("generatorID"),
+			},
+			res: res{
+				commands: []eventstore.Command{
+					session.NewOTPSMSChallengedEvent(context.Background(), &session.NewAggregate("sessionID", "instanceID").Aggregate,
+						nil,
+						0,
+						false,
+						"generatorID",
 					),
 				},
 			},
@@ -208,7 +235,7 @@ func TestCommands_CreateOTPSMSChallenge(t *testing.T) {
 				sessionCommands:   []SessionCommand{cmd},
 				sessionWriteModel: sessionModel,
 				eventstore:        tt.fields.eventstore(t),
-				createCode:        tt.fields.createCode,
+				createPhoneCode:   tt.fields.createPhoneCode,
 				now:               time.Now,
 			}
 
@@ -228,6 +255,7 @@ func TestCommands_OTPSMSSent(t *testing.T) {
 		ctx           context.Context
 		sessionID     string
 		resourceOwner string
+		generatorInfo *senders.CodeGeneratorInfo
 	}
 	tests := []struct {
 		name    string
@@ -246,6 +274,7 @@ func TestCommands_OTPSMSSent(t *testing.T) {
 				ctx:           context.Background(),
 				sessionID:     "sessionID",
 				resourceOwner: "instanceID",
+				generatorInfo: &senders.CodeGeneratorInfo{},
 			},
 			wantErr: zerrors.ThrowPreconditionFailed(nil, "COMMAND-G3t31", "Errors.User.Code.NotFound"),
 		},
@@ -264,11 +293,12 @@ func TestCommands_OTPSMSSent(t *testing.T) {
 								},
 								5*time.Minute,
 								false,
+								"",
 							),
 						),
 					),
 					expectPush(
-						session.NewOTPSMSSentEvent(context.Background(), &session.NewAggregate("sessionID", "instanceID").Aggregate),
+						session.NewOTPSMSSentEvent(context.Background(), &session.NewAggregate("sessionID", "instanceID").Aggregate, &senders.CodeGeneratorInfo{}),
 					),
 				),
 			},
@@ -276,6 +306,37 @@ func TestCommands_OTPSMSSent(t *testing.T) {
 				ctx:           context.Background(),
 				sessionID:     "sessionID",
 				resourceOwner: "instanceID",
+				generatorInfo: &senders.CodeGeneratorInfo{},
+			},
+			wantErr: nil,
+		},
+		{
+			name: "challenged and sent (externally)",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							session.NewOTPSMSChallengedEvent(context.Background(), &session.NewAggregate("sessionID", "instanceID").Aggregate,
+								nil,
+								0,
+								false,
+								"",
+							),
+						),
+					),
+					expectPush(
+						session.NewOTPSMSSentEvent(context.Background(), &session.NewAggregate("sessionID", "instanceID").Aggregate, &senders.CodeGeneratorInfo{ID: "generatorID", VerificationID: "verificationID"}),
+					),
+				),
+			},
+			args: args{
+				ctx:           context.Background(),
+				sessionID:     "sessionID",
+				resourceOwner: "instanceID",
+				generatorInfo: &senders.CodeGeneratorInfo{
+					ID:             "generatorID",
+					VerificationID: "verificationID",
+				},
 			},
 			wantErr: nil,
 		},
@@ -285,7 +346,7 @@ func TestCommands_OTPSMSSent(t *testing.T) {
 			c := &Commands{
 				eventstore: tt.fields.eventstore(t),
 			}
-			err := c.OTPSMSSent(tt.args.ctx, tt.args.sessionID, tt.args.resourceOwner)
+			err := c.OTPSMSSent(tt.args.ctx, tt.args.sessionID, tt.args.resourceOwner, tt.args.generatorInfo)
 			assert.ErrorIs(t, err, tt.wantErr)
 		})
 	}
diff --git a/internal/command/sms_config.go b/internal/command/sms_config.go
index 82eae763df..bc16380217 100644
--- a/internal/command/sms_config.go
+++ b/internal/command/sms_config.go
@@ -14,10 +14,11 @@ type AddTwilioConfig struct {
 	ResourceOwner string
 	ID            string
 
-	Description  string
-	SID          string
-	Token        string
-	SenderNumber string
+	Description      string
+	SID              string
+	Token            string
+	SenderNumber     string
+	VerifyServiceSID string
 }
 
 func (c *Commands) AddSMSConfigTwilio(ctx context.Context, config *AddTwilioConfig) (err error) {
@@ -52,6 +53,7 @@ func (c *Commands) AddSMSConfigTwilio(ctx context.Context, config *AddTwilioConf
 			config.SID,
 			config.SenderNumber,
 			token,
+			config.VerifyServiceSID,
 		),
 	)
 	if err != nil {
@@ -66,10 +68,11 @@ type ChangeTwilioConfig struct {
 	ResourceOwner string
 	ID            string
 
-	Description  *string
-	SID          *string
-	Token        *string
-	SenderNumber *string
+	Description      *string
+	SID              *string
+	Token            *string
+	SenderNumber     *string
+	VerifyServiceSID *string
 }
 
 func (c *Commands) ChangeSMSConfigTwilio(ctx context.Context, config *ChangeTwilioConfig) (err error) {
@@ -92,7 +95,9 @@ func (c *Commands) ChangeSMSConfigTwilio(ctx context.Context, config *ChangeTwil
 		config.ID,
 		config.Description,
 		config.SID,
-		config.SenderNumber)
+		config.SenderNumber,
+		config.VerifyServiceSID,
+	)
 	if err != nil {
 		return err
 	}
@@ -330,3 +335,13 @@ func (c *Commands) getSMSConfig(ctx context.Context, instanceID, id string) (_ *
 	}
 	return writeModel, nil
 }
+
+// getActiveSMSConfig returns the last activated SMS configuration
+func (c *Commands) getActiveSMSConfig(ctx context.Context, instanceID string) (_ *IAMSMSConfigWriteModel, err error) {
+	writeModel := NewIAMSMSLastActivatedConfigWriteModel(instanceID)
+	err = c.eventstore.FilterToQueryReducer(ctx, writeModel)
+	if err != nil {
+		return nil, err
+	}
+	return c.getSMSConfig(ctx, instanceID, writeModel.activeID)
+}
diff --git a/internal/command/sms_config_model.go b/internal/command/sms_config_model.go
index 06360a5cfd..922c43ada5 100644
--- a/internal/command/sms_config_model.go
+++ b/internal/command/sms_config_model.go
@@ -20,9 +20,10 @@ type IAMSMSConfigWriteModel struct {
 }
 
 type TwilioConfig struct {
-	SID          string
-	Token        *crypto.CryptoValue
-	SenderNumber string
+	SID              string
+	Token            *crypto.CryptoValue
+	SenderNumber     string
+	VerifyServiceSID string
 }
 
 type HTTPConfig struct {
@@ -48,9 +49,10 @@ func (wm *IAMSMSConfigWriteModel) Reduce() error {
 				continue
 			}
 			wm.Twilio = &TwilioConfig{
-				SID:          e.SID,
-				Token:        e.Token,
-				SenderNumber: e.SenderNumber,
+				SID:              e.SID,
+				Token:            e.Token,
+				SenderNumber:     e.SenderNumber,
+				VerifyServiceSID: e.VerifyServiceSID,
 			}
 			wm.Description = e.Description
 			wm.State = domain.SMSConfigStateInactive
@@ -67,6 +69,9 @@ func (wm *IAMSMSConfigWriteModel) Reduce() error {
 			if e.SenderNumber != nil {
 				wm.Twilio.SenderNumber = *e.SenderNumber
 			}
+			if e.VerifyServiceSID != nil {
+				wm.Twilio.VerifyServiceSID = *e.VerifyServiceSID
+			}
 		case *instance.SMSConfigTwilioTokenChangedEvent:
 			if wm.ID != e.ID {
 				continue
@@ -131,6 +136,7 @@ func (wm *IAMSMSConfigWriteModel) Reduce() error {
 	}
 	return wm.WriteModel.Reduce()
 }
+
 func (wm *IAMSMSConfigWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
 		ResourceOwner(wm.ResourceOwner).
@@ -152,7 +158,7 @@ func (wm *IAMSMSConfigWriteModel) Query() *eventstore.SearchQueryBuilder {
 		Builder()
 }
 
-func (wm *IAMSMSConfigWriteModel) NewTwilioChangedEvent(ctx context.Context, aggregate *eventstore.Aggregate, id string, description, sid, senderNumber *string) (*instance.SMSConfigTwilioChangedEvent, bool, error) {
+func (wm *IAMSMSConfigWriteModel) NewTwilioChangedEvent(ctx context.Context, aggregate *eventstore.Aggregate, id string, description, sid, senderNumber, verifyServiceSID *string) (*instance.SMSConfigTwilioChangedEvent, bool, error) {
 	changes := make([]instance.SMSConfigTwilioChanges, 0)
 	var err error
 
@@ -169,6 +175,9 @@ func (wm *IAMSMSConfigWriteModel) NewTwilioChangedEvent(ctx context.Context, agg
 	if senderNumber != nil && wm.Twilio.SenderNumber != *senderNumber {
 		changes = append(changes, instance.ChangeSMSConfigTwilioSenderNumber(*senderNumber))
 	}
+	if verifyServiceSID != nil && wm.Twilio.VerifyServiceSID != *verifyServiceSID {
+		changes = append(changes, instance.ChangeSMSConfigTwilioVerifyServiceSID(*verifyServiceSID))
+	}
 
 	if len(changes) == 0 {
 		return nil, false, nil
@@ -204,3 +213,46 @@ func (wm *IAMSMSConfigWriteModel) NewHTTPChangedEvent(ctx context.Context, aggre
 	}
 	return changeEvent, true, nil
 }
+
+type IAMSMSLastActivatedConfigWriteModel struct {
+	eventstore.WriteModel
+
+	activeID string
+}
+
+func NewIAMSMSLastActivatedConfigWriteModel(instanceID string) *IAMSMSLastActivatedConfigWriteModel {
+	return &IAMSMSLastActivatedConfigWriteModel{
+		WriteModel: eventstore.WriteModel{
+			AggregateID:   instanceID,
+			ResourceOwner: instanceID,
+			InstanceID:    instanceID,
+		},
+	}
+}
+
+func (wm *IAMSMSLastActivatedConfigWriteModel) Reduce() error {
+	for _, event := range wm.Events {
+		switch e := event.(type) {
+		case *instance.SMSConfigActivatedEvent:
+			wm.activeID = e.ID
+		case *instance.SMSConfigTwilioActivatedEvent:
+			wm.activeID = e.ID
+		}
+	}
+	return wm.WriteModel.Reduce()
+}
+
+func (wm *IAMSMSLastActivatedConfigWriteModel) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
+		ResourceOwner(wm.ResourceOwner).
+		OrderDesc().
+		Limit(1).
+		AddQuery().
+		AggregateTypes(instance.AggregateType).
+		AggregateIDs(wm.AggregateID).
+		EventTypes(
+			instance.SMSConfigActivatedEventType,
+			instance.SMSConfigTwilioActivatedEventType,
+		).
+		Builder()
+}
diff --git a/internal/command/sms_config_test.go b/internal/command/sms_config_test.go
index b0936ab8f1..12fcd8661c 100644
--- a/internal/command/sms_config_test.go
+++ b/internal/command/sms_config_test.go
@@ -72,6 +72,7 @@ func TestCommandSide_AddSMSConfigTwilio(t *testing.T) {
 								KeyID:      "id",
 								Crypted:    []byte("token"),
 							},
+							"",
 						),
 					),
 				),
@@ -81,11 +82,12 @@ func TestCommandSide_AddSMSConfigTwilio(t *testing.T) {
 			args: args{
 				ctx: context.Background(),
 				sms: &AddTwilioConfig{
-					ResourceOwner: "INSTANCE",
-					Description:   "description",
-					SID:           "sid",
-					Token:         "token",
-					SenderNumber:  "senderName",
+					ResourceOwner:    "INSTANCE",
+					Description:      "description",
+					SID:              "sid",
+					Token:            "token",
+					SenderNumber:     "senderName",
+					VerifyServiceSID: "",
 				},
 			},
 			res: res{
@@ -206,6 +208,7 @@ func TestCommandSide_ChangeSMSConfigTwilio(t *testing.T) {
 									KeyID:      "id",
 									Crypted:    []byte("token"),
 								},
+								"",
 							),
 						),
 					),
@@ -214,11 +217,12 @@ func TestCommandSide_ChangeSMSConfigTwilio(t *testing.T) {
 			args: args{
 				ctx: context.Background(),
 				sms: &ChangeTwilioConfig{
-					ResourceOwner: "INSTANCE",
-					ID:            "providerid",
-					SID:           gu.Ptr("sid"),
-					Token:         gu.Ptr("token"),
-					SenderNumber:  gu.Ptr("senderName"),
+					ResourceOwner:    "INSTANCE",
+					ID:               "providerid",
+					SID:              gu.Ptr("sid"),
+					Token:            gu.Ptr("token"),
+					SenderNumber:     gu.Ptr("senderName"),
+					VerifyServiceSID: gu.Ptr(""),
 				},
 			},
 			res: res{
@@ -246,6 +250,7 @@ func TestCommandSide_ChangeSMSConfigTwilio(t *testing.T) {
 									KeyID:      "id",
 									Crypted:    []byte("token"),
 								},
+								"verifyServiceSid",
 							),
 						),
 					),
@@ -256,6 +261,7 @@ func TestCommandSide_ChangeSMSConfigTwilio(t *testing.T) {
 							"sid2",
 							"senderName2",
 							"description2",
+							"verifyServiceSid2",
 						),
 					),
 				),
@@ -263,12 +269,13 @@ func TestCommandSide_ChangeSMSConfigTwilio(t *testing.T) {
 			args: args{
 				ctx: context.Background(),
 				sms: &ChangeTwilioConfig{
-					ResourceOwner: "INSTANCE",
-					ID:            "providerid",
-					Description:   gu.Ptr("description2"),
-					SID:           gu.Ptr("sid2"),
-					Token:         gu.Ptr("token2"),
-					SenderNumber:  gu.Ptr("senderName2"),
+					ResourceOwner:    "INSTANCE",
+					ID:               "providerid",
+					Description:      gu.Ptr("description2"),
+					SID:              gu.Ptr("sid2"),
+					Token:            gu.Ptr("token2"),
+					SenderNumber:     gu.Ptr("senderName2"),
+					VerifyServiceSID: gu.Ptr("verifyServiceSid2"),
 				},
 			},
 			res: res{
@@ -626,6 +633,7 @@ func TestCommandSide_ActivateSMSConfig(t *testing.T) {
 								"sid",
 								"sender-name",
 								&crypto.CryptoValue{},
+								"",
 							),
 						),
 						eventFromEventPusher(
@@ -663,6 +671,7 @@ func TestCommandSide_ActivateSMSConfig(t *testing.T) {
 								"sid",
 								"sender-name",
 								&crypto.CryptoValue{},
+								"",
 							),
 						),
 					),
@@ -820,6 +829,7 @@ func TestCommandSide_DeactivateSMSConfig(t *testing.T) {
 								"sid",
 								"sender-name",
 								&crypto.CryptoValue{},
+								"",
 							),
 						),
 						eventFromEventPusher(
@@ -864,6 +874,7 @@ func TestCommandSide_DeactivateSMSConfig(t *testing.T) {
 								"sid",
 								"sender-name",
 								&crypto.CryptoValue{},
+								"",
 							),
 						),
 						eventFromEventPusher(
@@ -1036,6 +1047,7 @@ func TestCommandSide_RemoveSMSConfig(t *testing.T) {
 								"sid",
 								"sender-name",
 								&crypto.CryptoValue{},
+								"",
 							),
 						),
 					),
@@ -1114,11 +1126,12 @@ func TestCommandSide_RemoveSMSConfig(t *testing.T) {
 	}
 }
 
-func newSMSConfigTwilioChangedEvent(ctx context.Context, id, sid, senderName, description string) *instance.SMSConfigTwilioChangedEvent {
+func newSMSConfigTwilioChangedEvent(ctx context.Context, id, sid, senderName, description, verifyServiceSid string) *instance.SMSConfigTwilioChangedEvent {
 	changes := []instance.SMSConfigTwilioChanges{
 		instance.ChangeSMSConfigTwilioSID(sid),
 		instance.ChangeSMSConfigTwilioSenderNumber(senderName),
 		instance.ChangeSMSConfigTwilioDescription(description),
+		instance.ChangeSMSConfigTwilioVerifyServiceSID(verifyServiceSid),
 	}
 	event, _ := instance.NewSMSConfigTwilioChangedEvent(ctx,
 		&instance.NewAggregate("INSTANCE").Aggregate,
diff --git a/internal/command/user_human.go b/internal/command/user_human.go
index 1208296159..825ae50f9c 100644
--- a/internal/command/user_human.go
+++ b/internal/command/user_human.go
@@ -3,6 +3,7 @@ package command
 import (
 	"context"
 	"strings"
+	"time"
 
 	"golang.org/x/text/language"
 
@@ -11,6 +12,7 @@ import (
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/notification/senders"
 	"github.com/zitadel/zitadel/internal/repository/user"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 	"github.com/zitadel/zitadel/internal/zerrors"
@@ -315,14 +317,14 @@ func (c *Commands) addHumanCommandPhone(ctx context.Context, filter preparation.
 	if human.Phone.Verified {
 		return append(cmds, user.NewHumanPhoneVerifiedEvent(ctx, &a.Aggregate)), nil
 	}
-	phoneCode, err := c.newPhoneCode(ctx, filter, codeAlg)
+	phoneCode, generatorID, err := c.newPhoneCode(ctx, filter, domain.SecretGeneratorTypeVerifyPhoneCode, codeAlg, c.defaultSecretGenerators.PhoneVerificationCode)
 	if err != nil {
 		return nil, err
 	}
 	if human.Phone.ReturnCode {
 		human.PhoneCode = &phoneCode.Plain
 	}
-	return append(cmds, user.NewHumanPhoneCodeAddedEventV2(ctx, &a.Aggregate, phoneCode.Crypted, phoneCode.Expiry, human.Phone.ReturnCode)), nil
+	return append(cmds, user.NewHumanPhoneCodeAddedEventV2(ctx, &a.Aggregate, phoneCode.CryptedCode(), phoneCode.CodeExpiry(), human.Phone.ReturnCode, generatorID)), nil
 }
 
 // Deprecated: use commands.NewUserHumanWriteModel, to remove deprecated eventstore.Filter
@@ -561,11 +563,11 @@ func (c *Commands) createHuman(ctx context.Context, orgID string, human *domain.
 	}
 
 	if human.Phone != nil && human.PhoneNumber != "" && !human.IsPhoneVerified {
-		phoneCode, err := domain.NewPhoneCode(phoneCodeGenerator)
+		phoneCode, generatorID, err := c.newPhoneCode(ctx, c.eventstore.Filter, domain.SecretGeneratorTypeVerifyPhoneCode, c.userEncryption, c.defaultSecretGenerators.PhoneVerificationCode) //nolint:staticcheck
 		if err != nil {
 			return nil, nil, err
 		}
-		events = append(events, user.NewHumanPhoneCodeAddedEvent(ctx, userAgg, phoneCode.Code, phoneCode.Expiry))
+		events = append(events, user.NewHumanPhoneCodeAddedEvent(ctx, userAgg, phoneCode.CryptedCode(), phoneCode.CodeExpiry(), generatorID))
 	} else if human.Phone != nil && human.PhoneNumber != "" && human.IsPhoneVerified {
 		events = append(events, user.NewHumanPhoneVerifiedEvent(ctx, userAgg))
 	}
@@ -733,3 +735,35 @@ func AddHumanFromDomain(user *domain.Human, metadataList []*domain.Metadata, aut
 	}
 	return human
 }
+
+func verifyCode(
+	ctx context.Context,
+	codeCreationDate time.Time,
+	codeExpiry time.Duration,
+	encryptedCode *crypto.CryptoValue,
+	codeProviderID string,
+	codeVerificationID string,
+	code string,
+	codeAlg crypto.EncryptionAlgorithm,
+	getCodeVerifier func(ctx context.Context, id string) (_ senders.CodeGenerator, err error),
+) (err error) {
+	if codeProviderID == "" {
+		if encryptedCode == nil {
+			return zerrors.ThrowPreconditionFailed(nil, "COMMAND-2M9fs", "Errors.User.Code.NotFound")
+		}
+		_, spanCrypto := tracing.NewNamedSpan(ctx, "crypto.VerifyCode")
+		defer func() {
+			spanCrypto.EndWithError(err)
+		}()
+		return crypto.VerifyCode(codeCreationDate, codeExpiry, encryptedCode, code, codeAlg)
+	}
+	if getCodeVerifier == nil {
+		return zerrors.ThrowPreconditionFailed(nil, "COMMAND-M0g95", "Errors.User.Code.NotConfigured")
+	}
+	verifier, err := getCodeVerifier(ctx, codeProviderID)
+	if err != nil {
+		return err
+	}
+
+	return verifier.VerifyCode(codeVerificationID, code)
+}
diff --git a/internal/command/user_human_otp.go b/internal/command/user_human_otp.go
index 7f587cf9e5..e505288cbd 100644
--- a/internal/command/user_human_otp.go
+++ b/internal/command/user_human_otp.go
@@ -9,9 +9,11 @@ import (
 
 	"github.com/zitadel/zitadel/internal/api/authz"
 	http_util "github.com/zitadel/zitadel/internal/api/http"
+	"github.com/zitadel/zitadel/internal/command/preparation"
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/notification/senders"
 	"github.com/zitadel/zitadel/internal/repository/user"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 	"github.com/zitadel/zitadel/internal/zerrors"
@@ -335,8 +337,8 @@ func (c *Commands) HumanSendOTPSMS(ctx context.Context, userID, resourceOwner st
 	smsWriteModel := func(ctx context.Context, userID string, resourceOwner string) (OTPWriteModel, error) {
 		return c.otpSMSWriteModelByID(ctx, userID, resourceOwner)
 	}
-	codeAddedEvent := func(ctx context.Context, aggregate *eventstore.Aggregate, code *crypto.CryptoValue, expiry time.Duration, info *user.AuthRequestInfo) eventstore.Command {
-		return user.NewHumanOTPSMSCodeAddedEvent(ctx, aggregate, code, expiry, info)
+	codeAddedEvent := func(ctx context.Context, aggregate *eventstore.Aggregate, code *crypto.CryptoValue, expiry time.Duration, info *user.AuthRequestInfo, generatorID string) eventstore.Command {
+		return user.NewHumanOTPSMSCodeAddedEvent(ctx, aggregate, code, expiry, info, generatorID)
 	}
 	return c.sendHumanOTP(
 		ctx,
@@ -347,15 +349,16 @@ func (c *Commands) HumanSendOTPSMS(ctx context.Context, userID, resourceOwner st
 		domain.SecretGeneratorTypeOTPSMS,
 		c.defaultSecretGenerators.OTPSMS,
 		codeAddedEvent,
+		c.newPhoneCode,
 	)
 }
 
-func (c *Commands) HumanOTPSMSCodeSent(ctx context.Context, userID, resourceOwner string) (err error) {
+func (c *Commands) HumanOTPSMSCodeSent(ctx context.Context, userID, resourceOwner string, generatorInfo *senders.CodeGeneratorInfo) (err error) {
 	smsWriteModel := func(ctx context.Context, userID string, resourceOwner string) (OTPWriteModel, error) {
 		return c.otpSMSWriteModelByID(ctx, userID, resourceOwner)
 	}
 	codeSentEvent := func(ctx context.Context, aggregate *eventstore.Aggregate) eventstore.Command {
-		return user.NewHumanOTPSMSCodeSentEvent(ctx, aggregate)
+		return user.NewHumanOTPSMSCodeSentEvent(ctx, aggregate, generatorInfo)
 	}
 	return c.humanOTPSent(ctx, userID, resourceOwner, smsWriteModel, codeSentEvent)
 }
@@ -379,6 +382,7 @@ func (c *Commands) HumanCheckOTPSMS(ctx context.Context, userID, code, resourceO
 		writeModel,
 		c.eventstore.FilterToQueryReducer,
 		c.userEncryption,
+		c.phoneCodeVerifier,
 		succeededEvent,
 		failedEvent,
 	)
@@ -467,9 +471,13 @@ func (c *Commands) HumanSendOTPEmail(ctx context.Context, userID, resourceOwner
 	smsWriteModel := func(ctx context.Context, userID string, resourceOwner string) (OTPWriteModel, error) {
 		return c.otpEmailWriteModelByID(ctx, userID, resourceOwner)
 	}
-	codeAddedEvent := func(ctx context.Context, aggregate *eventstore.Aggregate, code *crypto.CryptoValue, expiry time.Duration, info *user.AuthRequestInfo) eventstore.Command {
+	codeAddedEvent := func(ctx context.Context, aggregate *eventstore.Aggregate, code *crypto.CryptoValue, expiry time.Duration, info *user.AuthRequestInfo, _ string) eventstore.Command {
 		return user.NewHumanOTPEmailCodeAddedEvent(ctx, aggregate, code, expiry, info)
 	}
+	generateCode := func(ctx context.Context, filter preparation.FilterToQueryReducer, typ domain.SecretGeneratorType, alg crypto.EncryptionAlgorithm, defaultConfig *crypto.GeneratorConfig) (*EncryptedCode, string, error) {
+		code, err := c.newEncryptedCodeWithDefault(ctx, filter, typ, alg, defaultConfig)
+		return code, "", err
+	}
 	return c.sendHumanOTP(
 		ctx,
 		userID,
@@ -479,6 +487,7 @@ func (c *Commands) HumanSendOTPEmail(ctx context.Context, userID, resourceOwner
 		domain.SecretGeneratorTypeOTPEmail,
 		c.defaultSecretGenerators.OTPEmail,
 		codeAddedEvent,
+		generateCode,
 	)
 }
 
@@ -511,6 +520,7 @@ func (c *Commands) HumanCheckOTPEmail(ctx context.Context, userID, code, resourc
 		writeModel,
 		c.eventstore.FilterToQueryReducer,
 		c.userEncryption,
+		nil, // email currently always uses local code checks
 		succeededEvent,
 		failedEvent,
 	)
@@ -529,7 +539,8 @@ func (c *Commands) sendHumanOTP(
 	writeModelByID func(ctx context.Context, userID string, resourceOwner string) (OTPWriteModel, error),
 	secretGeneratorType domain.SecretGeneratorType,
 	defaultSecretGenerator *crypto.GeneratorConfig,
-	codeAddedEvent func(ctx context.Context, aggregate *eventstore.Aggregate, code *crypto.CryptoValue, expiry time.Duration, info *user.AuthRequestInfo) eventstore.Command,
+	codeAddedEvent func(ctx context.Context, aggregate *eventstore.Aggregate, code *crypto.CryptoValue, expiry time.Duration, info *user.AuthRequestInfo, generatorID string) eventstore.Command,
+	generateCode func(ctx context.Context, filter preparation.FilterToQueryReducer, secretGeneratorType domain.SecretGeneratorType, alg crypto.EncryptionAlgorithm, defaultConfig *crypto.GeneratorConfig) (*EncryptedCode, string, error),
 ) (err error) {
 	if userID == "" {
 		return zerrors.ThrowInvalidArgument(nil, "COMMAND-S3SF1", "Errors.User.UserIDMissing")
@@ -541,17 +552,12 @@ func (c *Commands) sendHumanOTP(
 	if !existingOTP.OTPAdded() {
 		return zerrors.ThrowPreconditionFailed(nil, "COMMAND-SFD52", "Errors.User.MFA.OTP.NotReady")
 	}
-	config, err := cryptoGeneratorConfigWithDefault(ctx, c.eventstore.Filter, secretGeneratorType, defaultSecretGenerator) //nolint:staticcheck
-	if err != nil {
-		return err
-	}
-	gen := crypto.NewEncryptionGenerator(*config, c.userEncryption)
-	value, _, err := crypto.NewCode(gen)
+	code, generatorID, err := generateCode(ctx, c.eventstore.Filter, secretGeneratorType, c.userEncryption, defaultSecretGenerator) //nolint:staticcheck
 	if err != nil {
 		return err
 	}
 	userAgg := &user.NewAggregate(userID, resourceOwner).Aggregate
-	_, err = c.eventstore.Push(ctx, codeAddedEvent(ctx, userAgg, value, gen.Expiry(), authRequestDomainToAuthRequestInfo(authRequest)))
+	_, err = c.eventstore.Push(ctx, codeAddedEvent(ctx, userAgg, code.CryptedCode(), code.CodeExpiry(), authRequestDomainToAuthRequestInfo(authRequest), generatorID))
 	return err
 }
 
@@ -583,6 +589,7 @@ func checkOTP(
 	writeModelByID func(ctx context.Context, userID string, resourceOwner string) (OTPCodeWriteModel, error),
 	queryReducer func(ctx context.Context, r eventstore.QueryReducer) error,
 	alg crypto.EncryptionAlgorithm,
+	getCodeVerifier func(ctx context.Context, id string) (senders.CodeGenerator, error),
 	checkSucceededEvent, checkFailedEvent func(ctx context.Context, aggregate *eventstore.Aggregate, info *user.AuthRequestInfo) eventstore.Command,
 ) ([]eventstore.Command, error) {
 	if userID == "" {
@@ -598,12 +605,21 @@ func checkOTP(
 	if !existingOTP.OTPAdded() {
 		return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-d2r52", "Errors.User.MFA.OTP.NotReady")
 	}
-	if existingOTP.Code() == nil {
+	if existingOTP.Code() == nil && existingOTP.GeneratorID() == "" {
 		return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-S34gh", "Errors.User.Code.NotFound")
 	}
 	userAgg := &user.NewAggregate(userID, existingOTP.ResourceOwner()).Aggregate
-	verifyErr := crypto.VerifyCode(existingOTP.CodeCreationDate(), existingOTP.CodeExpiry(), existingOTP.Code(), code, alg)
-
+	verifyErr := verifyCode(
+		ctx,
+		existingOTP.CodeCreationDate(),
+		existingOTP.CodeExpiry(),
+		existingOTP.Code(),
+		existingOTP.GeneratorID(),
+		existingOTP.ProviderVerificationID(),
+		code,
+		alg,
+		getCodeVerifier,
+	)
 	// recheck for additional events (failed OTP checks or locks)
 	recheckErr := queryReducer(ctx, existingOTP)
 	if recheckErr != nil {
diff --git a/internal/command/user_human_otp_model.go b/internal/command/user_human_otp_model.go
index 2780a52d7c..7119adfea8 100644
--- a/internal/command/user_human_otp_model.go
+++ b/internal/command/user_human_otp_model.go
@@ -90,6 +90,8 @@ type OTPCodeWriteModel interface {
 	Code() *crypto.CryptoValue
 	CheckFailedCount() uint64
 	UserLocked() bool
+	GeneratorID() string
+	ProviderVerificationID() string
 	eventstore.QueryReducer
 }
 
@@ -192,6 +194,20 @@ func (wm *HumanOTPSMSCodeWriteModel) UserLocked() bool {
 	return wm.userLocked
 }
 
+func (wm *HumanOTPSMSCodeWriteModel) GeneratorID() string {
+	if wm.otpCode == nil {
+		return ""
+	}
+	return wm.otpCode.GeneratorID
+}
+
+func (wm *HumanOTPSMSCodeWriteModel) ProviderVerificationID() string {
+	if wm.otpCode == nil {
+		return ""
+	}
+	return wm.otpCode.VerificationID
+}
+
 func NewHumanOTPSMSCodeWriteModel(userID, resourceOwner string) *HumanOTPSMSCodeWriteModel {
 	return &HumanOTPSMSCodeWriteModel{
 		HumanOTPSMSWriteModel: NewHumanOTPSMSWriteModel(userID, resourceOwner),
@@ -206,7 +222,11 @@ func (wm *HumanOTPSMSCodeWriteModel) Reduce() error {
 				Code:         e.Code,
 				CreationDate: e.CreationDate(),
 				Expiry:       e.Expiry,
+				GeneratorID:  e.GeneratorID,
 			}
+		case *user.HumanOTPSMSCodeSentEvent:
+			wm.otpCode.GeneratorID = e.GeneratorInfo.GetID()
+			wm.otpCode.VerificationID = e.GeneratorInfo.GetVerificationID()
 		case *user.HumanOTPSMSCheckSucceededEvent:
 			wm.checkFailedCount = 0
 		case *user.HumanOTPSMSCheckFailedEvent:
@@ -228,6 +248,7 @@ func (wm *HumanOTPSMSCodeWriteModel) Query() *eventstore.SearchQueryBuilder {
 		AggregateIDs(wm.AggregateID).
 		EventTypes(
 			user.HumanOTPSMSCodeAddedType,
+			user.HumanOTPSMSCodeSentType,
 			user.HumanOTPSMSCheckSucceededType,
 			user.HumanOTPSMSCheckFailedType,
 			user.UserLockedType,
@@ -344,6 +365,20 @@ func (wm *HumanOTPEmailCodeWriteModel) UserLocked() bool {
 	return wm.userLocked
 }
 
+func (wm *HumanOTPEmailCodeWriteModel) GeneratorID() string {
+	if wm.otpCode == nil {
+		return ""
+	}
+	return wm.otpCode.GeneratorID
+}
+
+func (wm *HumanOTPEmailCodeWriteModel) ProviderVerificationID() string {
+	if wm.otpCode == nil {
+		return ""
+	}
+	return wm.otpCode.VerificationID
+}
+
 func NewHumanOTPEmailCodeWriteModel(userID, resourceOwner string) *HumanOTPEmailCodeWriteModel {
 	return &HumanOTPEmailCodeWriteModel{
 		HumanOTPEmailWriteModel: NewHumanOTPEmailWriteModel(userID, resourceOwner),
diff --git a/internal/command/user_human_otp_test.go b/internal/command/user_human_otp_test.go
index 197d222518..330025cf37 100644
--- a/internal/command/user_human_otp_test.go
+++ b/internal/command/user_human_otp_test.go
@@ -18,6 +18,8 @@ import (
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/notification/senders"
+	"github.com/zitadel/zitadel/internal/notification/senders/mock"
 	"github.com/zitadel/zitadel/internal/repository/instance"
 	"github.com/zitadel/zitadel/internal/repository/org"
 	"github.com/zitadel/zitadel/internal/repository/user"
@@ -1439,9 +1441,9 @@ func TestCommandSide_HumanSendOTPSMS(t *testing.T) {
 		},
 	}
 	type fields struct {
-		eventstore              func(*testing.T) *eventstore.Eventstore
-		userEncryption          crypto.EncryptionAlgorithm
-		defaultSecretGenerators *SecretGenerators
+		eventstore                  func(*testing.T) *eventstore.Eventstore
+		defaultSecretGenerators     *SecretGenerators
+		newEncryptedCodeWithDefault encryptedCodeWithDefaultFunc
 	}
 	type (
 		args struct {
@@ -1506,16 +1508,33 @@ func TestCommandSide_HumanSendOTPSMS(t *testing.T) {
 					),
 					expectFilter(
 						eventFromEventPusher(
-							instance.NewSecretGeneratorAddedEvent(context.Background(),
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
 								&instance.NewAggregate("instanceID").Aggregate,
-								domain.SecretGeneratorTypeOTPSMS,
-								8,
-								time.Hour,
-								true,
-								true,
-								true,
-								true,
-							)),
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
 					),
 					expectPush(
 						user.NewHumanOTPSMSCodeAddedEvent(ctx,
@@ -1528,11 +1547,77 @@ func TestCommandSide_HumanSendOTPSMS(t *testing.T) {
 							},
 							time.Hour,
 							nil,
+							"",
 						),
 					),
 				),
-				userEncryption:          crypto.CreateMockEncryptionAlgWithCode(gomock.NewController(t), "12345678"),
-				defaultSecretGenerators: defaultGenerators,
+				defaultSecretGenerators:     defaultGenerators,
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("12345678", time.Hour),
+			},
+			args: args{
+				ctx:           ctx,
+				userID:        "user1",
+				resourceOwner: "org1",
+			},
+			res: res{
+				want: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			name: "successful add (external code)",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							user.NewHumanOTPSMSAddedEvent(ctx,
+								&user.NewAggregate("user1", "org1").Aggregate,
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"verifyServiceSID",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectPush(
+						user.NewHumanOTPSMSCodeAddedEvent(ctx,
+							&user.NewAggregate("user1", "org1").Aggregate,
+							nil,
+							0,
+							nil,
+							"id",
+						),
+					),
+				),
+				defaultSecretGenerators:     defaultGenerators,
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("12345678", time.Hour),
 			},
 			args: args{
 				ctx:           ctx,
@@ -1556,7 +1641,36 @@ func TestCommandSide_HumanSendOTPSMS(t *testing.T) {
 							),
 						),
 					),
-					expectFilter(),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
 					expectPush(
 						user.NewHumanOTPSMSCodeAddedEvent(ctx,
 							&user.NewAggregate("user1", "org1").Aggregate,
@@ -1568,11 +1682,12 @@ func TestCommandSide_HumanSendOTPSMS(t *testing.T) {
 							},
 							time.Hour,
 							nil,
+							"",
 						),
 					),
 				),
-				userEncryption:          crypto.CreateMockEncryptionAlgWithCode(gomock.NewController(t), "12345678"),
-				defaultSecretGenerators: defaultGenerators,
+				defaultSecretGenerators:     defaultGenerators,
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("12345678", time.Hour),
 			},
 			args: args{
 				ctx:           ctx,
@@ -1598,16 +1713,33 @@ func TestCommandSide_HumanSendOTPSMS(t *testing.T) {
 					),
 					expectFilter(
 						eventFromEventPusher(
-							instance.NewSecretGeneratorAddedEvent(context.Background(),
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
 								&instance.NewAggregate("instanceID").Aggregate,
-								domain.SecretGeneratorTypeOTPSMS,
-								8,
-								time.Hour,
-								true,
-								true,
-								true,
-								true,
-							)),
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
 					),
 					expectPush(
 						user.NewHumanOTPSMSCodeAddedEvent(ctx,
@@ -1628,11 +1760,12 @@ func TestCommandSide_HumanSendOTPSMS(t *testing.T) {
 									RemoteIP:       net.IP{192, 0, 2, 1},
 								},
 							},
+							"",
 						),
 					),
 				),
-				userEncryption:          crypto.CreateMockEncryptionAlgWithCode(gomock.NewController(t), "12345678"),
-				defaultSecretGenerators: defaultGenerators,
+				defaultSecretGenerators:     defaultGenerators,
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("12345678", time.Hour),
 			},
 			args: args{
 				ctx:           ctx,
@@ -1658,9 +1791,9 @@ func TestCommandSide_HumanSendOTPSMS(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &Commands{
-				eventstore:              tt.fields.eventstore(t),
-				userEncryption:          tt.fields.userEncryption,
-				defaultSecretGenerators: tt.fields.defaultSecretGenerators,
+				eventstore:                  tt.fields.eventstore(t),
+				defaultSecretGenerators:     tt.fields.defaultSecretGenerators,
+				newEncryptedCodeWithDefault: tt.fields.newEncryptedCodeWithDefault,
 			}
 			err := r.HumanSendOTPSMS(tt.args.ctx, tt.args.userID, tt.args.resourceOwner, tt.args.authRequest)
 			assert.ErrorIs(t, err, tt.res.err)
@@ -1678,6 +1811,7 @@ func TestCommandSide_HumanOTPSMSCodeSent(t *testing.T) {
 			ctx           context.Context
 			userID        string
 			resourceOwner string
+			generatorInfo *senders.CodeGeneratorInfo
 		}
 	)
 	type res struct {
@@ -1734,6 +1868,7 @@ func TestCommandSide_HumanOTPSMSCodeSent(t *testing.T) {
 					expectPush(
 						user.NewHumanOTPSMSCodeSentEvent(ctx,
 							&user.NewAggregate("user1", "org1").Aggregate,
+							&senders.CodeGeneratorInfo{},
 						),
 					),
 				),
@@ -1742,6 +1877,44 @@ func TestCommandSide_HumanOTPSMSCodeSent(t *testing.T) {
 				ctx:           ctx,
 				userID:        "user1",
 				resourceOwner: "org1",
+				generatorInfo: &senders.CodeGeneratorInfo{},
+			},
+			res: res{
+				want: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			name: "successful add (external code)",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							user.NewHumanOTPSMSAddedEvent(ctx,
+								&user.NewAggregate("user1", "org1").Aggregate,
+							),
+						),
+					),
+					expectPush(
+						user.NewHumanOTPSMSCodeSentEvent(ctx,
+							&user.NewAggregate("user1", "org1").Aggregate,
+							&senders.CodeGeneratorInfo{
+								ID:             "generatorID",
+								VerificationID: "verificationID",
+							},
+						),
+					),
+				),
+			},
+			args: args{
+				ctx:           ctx,
+				userID:        "user1",
+				resourceOwner: "org1",
+				generatorInfo: &senders.CodeGeneratorInfo{
+					ID:             "generatorID",
+					VerificationID: "verificationID",
+				},
 			},
 			res: res{
 				want: &domain.ObjectDetails{
@@ -1755,7 +1928,7 @@ func TestCommandSide_HumanOTPSMSCodeSent(t *testing.T) {
 			r := &Commands{
 				eventstore: tt.fields.eventstore(t),
 			}
-			err := r.HumanOTPSMSCodeSent(tt.args.ctx, tt.args.userID, tt.args.resourceOwner)
+			err := r.HumanOTPSMSCodeSent(tt.args.ctx, tt.args.userID, tt.args.resourceOwner, tt.args.generatorInfo)
 			assert.ErrorIs(t, err, tt.res.err)
 		})
 	}
@@ -1764,8 +1937,9 @@ func TestCommandSide_HumanOTPSMSCodeSent(t *testing.T) {
 func TestCommandSide_HumanCheckOTPSMS(t *testing.T) {
 	ctx := authz.NewMockContext("inst1", "org1", "user1")
 	type fields struct {
-		eventstore     func(*testing.T) *eventstore.Eventstore
-		userEncryption crypto.EncryptionAlgorithm
+		eventstore        func(*testing.T) *eventstore.Eventstore
+		userEncryption    crypto.EncryptionAlgorithm
+		phoneCodeVerifier func(ctx context.Context, id string) (senders.CodeGenerator, error)
 	}
 	type (
 		args struct {
@@ -1885,6 +2059,7 @@ func TestCommandSide_HumanCheckOTPSMS(t *testing.T) {
 										RemoteIP:       net.IP{192, 0, 2, 1},
 									},
 								},
+								"",
 							),
 						),
 					),
@@ -1962,6 +2137,7 @@ func TestCommandSide_HumanCheckOTPSMS(t *testing.T) {
 										RemoteIP:       net.IP{192, 0, 2, 1},
 									},
 								},
+								"",
 							),
 						),
 					),
@@ -2042,6 +2218,7 @@ func TestCommandSide_HumanCheckOTPSMS(t *testing.T) {
 										RemoteIP:       net.IP{192, 0, 2, 1},
 									},
 								},
+								"",
 							),
 						),
 					),
@@ -2113,6 +2290,7 @@ func TestCommandSide_HumanCheckOTPSMS(t *testing.T) {
 										RemoteIP:       net.IP{192, 0, 2, 1},
 									},
 								},
+								"",
 							),
 						),
 					),
@@ -2143,12 +2321,94 @@ func TestCommandSide_HumanCheckOTPSMS(t *testing.T) {
 				err: zerrors.ThrowPreconditionFailed(nil, "COMMAND-S6h4R", "Errors.User.Locked"),
 			},
 		},
+		{
+			name: "code ok (external)",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							user.NewHumanOTPSMSAddedEvent(ctx,
+								&user.NewAggregate("user1", "org1").Aggregate,
+							),
+						),
+						eventFromEventPusherWithCreationDateNow(
+							user.NewHumanOTPSMSCodeAddedEvent(ctx,
+								&user.NewAggregate("user1", "org1").Aggregate,
+								nil,
+								0,
+								&user.AuthRequestInfo{
+									ID:          "authRequestID",
+									UserAgentID: "userAgentID",
+									BrowserInfo: &user.BrowserInfo{
+										UserAgent:      "user-agent",
+										AcceptLanguage: "en",
+										RemoteIP:       net.IP{192, 0, 2, 1},
+									},
+								},
+								"id",
+							),
+						),
+						eventFromEventPusherWithCreationDateNow(
+							user.NewHumanOTPSMSCodeSentEvent(ctx,
+								&user.NewAggregate("user1", "org1").Aggregate,
+								&senders.CodeGeneratorInfo{
+									ID:             "id",
+									VerificationID: "verificationID",
+								},
+							),
+						),
+					),
+					expectFilter(), // recheck
+					expectPush(
+						user.NewHumanOTPSMSCheckSucceededEvent(ctx,
+							&user.NewAggregate("user1", "org1").Aggregate,
+							&user.AuthRequestInfo{
+								ID:          "authRequestID",
+								UserAgentID: "userAgentID",
+								BrowserInfo: &user.BrowserInfo{
+									UserAgent:      "user-agent",
+									AcceptLanguage: "en",
+									RemoteIP:       net.IP{192, 0, 2, 1},
+								},
+							},
+						),
+					),
+				),
+				userEncryption: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+				phoneCodeVerifier: func(ctx context.Context, id string) (senders.CodeGenerator, error) {
+					sender := mock.NewMockCodeGenerator(gomock.NewController(t))
+					sender.EXPECT().VerifyCode("verificationID", "code").Return(nil)
+					return sender, nil
+				},
+			},
+			args: args{
+				ctx:           ctx,
+				userID:        "user1",
+				code:          "code",
+				resourceOwner: "org1",
+				authRequest: &domain.AuthRequest{
+					ID:      "authRequestID",
+					AgentID: "userAgentID",
+					BrowserInfo: &domain.BrowserInfo{
+						UserAgent:      "user-agent",
+						AcceptLanguage: "en",
+						RemoteIP:       net.IP{192, 0, 2, 1},
+					},
+				},
+			},
+			res: res{
+				want: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &Commands{
-				eventstore:     tt.fields.eventstore(t),
-				userEncryption: tt.fields.userEncryption,
+				eventstore:        tt.fields.eventstore(t),
+				userEncryption:    tt.fields.userEncryption,
+				phoneCodeVerifier: tt.fields.phoneCodeVerifier,
 			}
 			err := r.HumanCheckOTPSMS(tt.args.ctx, tt.args.userID, tt.args.code, tt.args.resourceOwner, tt.args.authRequest)
 			assert.ErrorIs(t, err, tt.res.err)
@@ -2594,9 +2854,9 @@ func TestCommandSide_HumanSendOTPEmail(t *testing.T) {
 		},
 	}
 	type fields struct {
-		eventstore              func(*testing.T) *eventstore.Eventstore
-		userEncryption          crypto.EncryptionAlgorithm
-		defaultSecretGenerators *SecretGenerators
+		eventstore                  func(*testing.T) *eventstore.Eventstore
+		defaultSecretGenerators     *SecretGenerators
+		newEncryptedCodeWithDefault encryptedCodeWithDefaultFunc
 	}
 	type (
 		args struct {
@@ -2659,19 +2919,6 @@ func TestCommandSide_HumanSendOTPEmail(t *testing.T) {
 							),
 						),
 					),
-					expectFilter(
-						eventFromEventPusher(
-							instance.NewSecretGeneratorAddedEvent(context.Background(),
-								&instance.NewAggregate("instanceID").Aggregate,
-								domain.SecretGeneratorTypeOTPEmail,
-								8,
-								time.Hour,
-								true,
-								true,
-								true,
-								true,
-							)),
-					),
 					expectPush(
 						user.NewHumanOTPEmailCodeAddedEvent(ctx,
 							&user.NewAggregate("user1", "org1").Aggregate,
@@ -2686,48 +2933,8 @@ func TestCommandSide_HumanSendOTPEmail(t *testing.T) {
 						),
 					),
 				),
-				userEncryption:          crypto.CreateMockEncryptionAlgWithCode(gomock.NewController(t), "12345678"),
-				defaultSecretGenerators: defaultGenerators,
-			},
-			args: args{
-				ctx:           ctx,
-				userID:        "user1",
-				resourceOwner: "org1",
-			},
-			res: res{
-				want: &domain.ObjectDetails{
-					ResourceOwner: "org1",
-				},
-			},
-		},
-		{
-			name: "successful add (without secret config)",
-			fields: fields{
-				eventstore: expectEventstore(
-					expectFilter(
-						eventFromEventPusher(
-							user.NewHumanOTPEmailAddedEvent(ctx,
-								&user.NewAggregate("user1", "org1").Aggregate,
-							),
-						),
-					),
-					expectFilter(),
-					expectPush(
-						user.NewHumanOTPEmailCodeAddedEvent(ctx,
-							&user.NewAggregate("user1", "org1").Aggregate,
-							&crypto.CryptoValue{
-								CryptoType: crypto.TypeEncryption,
-								Algorithm:  "enc",
-								KeyID:      "id",
-								Crypted:    []byte("12345678"),
-							},
-							time.Hour,
-							nil,
-						),
-					),
-				),
-				userEncryption:          crypto.CreateMockEncryptionAlgWithCode(gomock.NewController(t), "12345678"),
-				defaultSecretGenerators: defaultGenerators,
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("12345678", time.Hour),
+				defaultSecretGenerators:     defaultGenerators,
 			},
 			args: args{
 				ctx:           ctx,
@@ -2751,19 +2958,6 @@ func TestCommandSide_HumanSendOTPEmail(t *testing.T) {
 							),
 						),
 					),
-					expectFilter(
-						eventFromEventPusher(
-							instance.NewSecretGeneratorAddedEvent(context.Background(),
-								&instance.NewAggregate("instanceID").Aggregate,
-								domain.SecretGeneratorTypeOTPEmail,
-								8,
-								time.Hour,
-								true,
-								true,
-								true,
-								true,
-							)),
-					),
 					expectPush(
 						user.NewHumanOTPEmailCodeAddedEvent(ctx,
 							&user.NewAggregate("user1", "org1").Aggregate,
@@ -2786,8 +2980,8 @@ func TestCommandSide_HumanSendOTPEmail(t *testing.T) {
 						),
 					),
 				),
-				userEncryption:          crypto.CreateMockEncryptionAlgWithCode(gomock.NewController(t), "12345678"),
-				defaultSecretGenerators: defaultGenerators,
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("12345678", time.Hour),
+				defaultSecretGenerators:     defaultGenerators,
 			},
 			args: args{
 				ctx:           ctx,
@@ -2813,9 +3007,9 @@ func TestCommandSide_HumanSendOTPEmail(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &Commands{
-				eventstore:              tt.fields.eventstore(t),
-				userEncryption:          tt.fields.userEncryption,
-				defaultSecretGenerators: tt.fields.defaultSecretGenerators,
+				eventstore:                  tt.fields.eventstore(t),
+				defaultSecretGenerators:     tt.fields.defaultSecretGenerators,
+				newEncryptedCodeWithDefault: tt.fields.newEncryptedCodeWithDefault,
 			}
 			err := r.HumanSendOTPEmail(tt.args.ctx, tt.args.userID, tt.args.resourceOwner, tt.args.authRequest)
 			assert.ErrorIs(t, err, tt.res.err)
diff --git a/internal/command/user_human_password.go b/internal/command/user_human_password.go
index a94624231a..9b686f88b7 100644
--- a/internal/command/user_human_password.go
+++ b/internal/command/user_human_password.go
@@ -11,6 +11,7 @@ import (
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/notification/senders"
 	"github.com/zitadel/zitadel/internal/repository/user"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 	"github.com/zitadel/zitadel/internal/zerrors"
@@ -67,7 +68,14 @@ func (c *Commands) SetPasswordWithVerifyCode(ctx context.Context, orgID, userID,
 		"",
 		userAgentID,
 		changeRequired,
-		c.setPasswordWithVerifyCode(wm.CodeCreationDate, wm.CodeExpiry, wm.Code, code),
+		c.setPasswordWithVerifyCode(
+			wm.CodeCreationDate,
+			wm.CodeExpiry,
+			wm.Code,
+			wm.GeneratorID,
+			wm.VerificationID,
+			code,
+		),
 	)
 }
 
@@ -111,17 +119,22 @@ func (c *Commands) setPasswordWithVerifyCode(
 	passwordCodeCreationDate time.Time,
 	passwordCodeExpiry time.Duration,
 	passwordCode *crypto.CryptoValue,
+	passwordCodeProviderID string,
+	passwordCodeVerificationID string,
 	code string,
 ) setPasswordVerification {
 	return func(ctx context.Context) (_ string, err error) {
-		if passwordCode == nil {
-			return "", zerrors.ThrowPreconditionFailed(nil, "COMMAND-2M9fs", "Errors.User.Code.NotFound")
-		}
-		_, spanCrypto := tracing.NewNamedSpan(ctx, "crypto.VerifyCode")
-		defer func() {
-			spanCrypto.EndWithError(err)
-		}()
-		return "", crypto.VerifyCode(passwordCodeCreationDate, passwordCodeExpiry, passwordCode, code, c.userEncryption)
+		return "", verifyCode(
+			ctx,
+			passwordCodeCreationDate,
+			passwordCodeExpiry,
+			passwordCode,
+			passwordCodeProviderID,
+			passwordCodeVerificationID,
+			code,
+			c.userEncryption,
+			c.phoneCodeVerifier, // password code can only be custom generated by SMS
+		)
 	}
 }
 
@@ -253,11 +266,17 @@ func (c *Commands) RequestSetPassword(ctx context.Context, userID, resourceOwner
 		return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-2M9sd", "Errors.User.NotInitialised")
 	}
 	userAgg := UserAggregateFromWriteModel(&existingHuman.WriteModel)
-	passwordCode, err := c.newEncryptedCode(ctx, c.eventstore.Filter, domain.SecretGeneratorTypePasswordResetCode, c.userEncryption) //nolint:staticcheck
+	var passwordCode *EncryptedCode
+	var generatorID string
+	if notifyType == domain.NotificationTypeSms {
+		passwordCode, generatorID, err = c.newPhoneCode(ctx, c.eventstore.Filter, domain.SecretGeneratorTypePasswordResetCode, c.userEncryption, c.defaultSecretGenerators.PasswordVerificationCode) //nolint:staticcheck
+	} else {
+		passwordCode, err = c.newEncryptedCode(ctx, c.eventstore.Filter, domain.SecretGeneratorTypePasswordResetCode, c.userEncryption) //nolint:staticcheck
+	}
 	if err != nil {
 		return nil, err
 	}
-	pushedEvents, err := c.eventstore.Push(ctx, user.NewHumanPasswordCodeAddedEvent(ctx, userAgg, passwordCode.Crypted, passwordCode.Expiry, notifyType, authRequestID))
+	pushedEvents, err := c.eventstore.Push(ctx, user.NewHumanPasswordCodeAddedEvent(ctx, userAgg, passwordCode.CryptedCode(), passwordCode.CodeExpiry(), notifyType, authRequestID, generatorID))
 	if err != nil {
 		return nil, err
 	}
@@ -269,7 +288,7 @@ func (c *Commands) RequestSetPassword(ctx context.Context, userID, resourceOwner
 }
 
 // PasswordCodeSent notification send with code to change password
-func (c *Commands) PasswordCodeSent(ctx context.Context, orgID, userID string) (err error) {
+func (c *Commands) PasswordCodeSent(ctx context.Context, orgID, userID string, generatorInfo *senders.CodeGeneratorInfo) (err error) {
 	if userID == "" {
 		return zerrors.ThrowInvalidArgument(nil, "COMMAND-meEfe", "Errors.User.UserIDMissing")
 	}
@@ -282,7 +301,7 @@ func (c *Commands) PasswordCodeSent(ctx context.Context, orgID, userID string) (
 		return zerrors.ThrowPreconditionFailed(nil, "COMMAND-3n77z", "Errors.User.NotFound")
 	}
 	userAgg := UserAggregateFromWriteModel(&existingPassword.WriteModel)
-	_, err = c.eventstore.Push(ctx, user.NewHumanPasswordCodeSentEvent(ctx, userAgg))
+	_, err = c.eventstore.Push(ctx, user.NewHumanPasswordCodeSentEvent(ctx, userAgg, generatorInfo))
 	return err
 }
 
diff --git a/internal/command/user_human_password_model.go b/internal/command/user_human_password_model.go
index ce23769812..e43731d866 100644
--- a/internal/command/user_human_password_model.go
+++ b/internal/command/user_human_password_model.go
@@ -19,6 +19,8 @@ type HumanPasswordWriteModel struct {
 	CodeCreationDate         time.Time
 	CodeExpiry               time.Duration
 	PasswordCheckFailedCount uint64
+	GeneratorID              string
+	VerificationID           string
 
 	UserState domain.UserState
 }
@@ -56,6 +58,10 @@ func (wm *HumanPasswordWriteModel) Reduce() error {
 			wm.Code = e.Code
 			wm.CodeCreationDate = e.CreationDate()
 			wm.CodeExpiry = e.Expiry
+			wm.GeneratorID = e.GeneratorID
+		case *user.HumanPasswordCodeSentEvent:
+			wm.GeneratorID = e.GeneratorInfo.GetID()
+			wm.VerificationID = e.GeneratorInfo.GetVerificationID()
 		case *user.HumanEmailVerifiedEvent:
 			if wm.UserState == domain.UserStateInitial {
 				wm.UserState = domain.UserStateActive
@@ -91,6 +97,7 @@ func (wm *HumanPasswordWriteModel) Query() *eventstore.SearchQueryBuilder {
 			user.HumanInitializedCheckSucceededType,
 			user.HumanPasswordChangedType,
 			user.HumanPasswordCodeAddedType,
+			user.HumanPasswordCodeSentType,
 			user.HumanEmailVerifiedType,
 			user.HumanPasswordCheckFailedType,
 			user.HumanPasswordCheckSucceededType,
@@ -104,6 +111,7 @@ func (wm *HumanPasswordWriteModel) Query() *eventstore.SearchQueryBuilder {
 			user.UserV1InitializedCheckSucceededType,
 			user.UserV1PasswordChangedType,
 			user.UserV1PasswordCodeAddedType,
+			user.UserV1PasswordCodeSentType,
 			user.UserV1EmailVerifiedType,
 			user.UserV1PasswordCheckFailedType,
 			user.UserV1PasswordCheckSucceededType,
diff --git a/internal/command/user_human_password_test.go b/internal/command/user_human_password_test.go
index 1eb886828b..9eee9d5b93 100644
--- a/internal/command/user_human_password_test.go
+++ b/internal/command/user_human_password_test.go
@@ -15,6 +15,8 @@ import (
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/notification/senders"
+	"github.com/zitadel/zitadel/internal/notification/senders/mock"
 	"github.com/zitadel/zitadel/internal/repository/org"
 	"github.com/zitadel/zitadel/internal/repository/user"
 	"github.com/zitadel/zitadel/internal/zerrors"
@@ -265,6 +267,7 @@ func TestCommandSide_SetPasswordWithVerifyCode(t *testing.T) {
 		eventstore         func(*testing.T) *eventstore.Eventstore
 		userEncryption     crypto.EncryptionAlgorithm
 		userPasswordHasher *crypto.Hasher
+		phoneCodeVerifier  func(ctx context.Context, id string) (senders.CodeGenerator, error)
 	}
 	type args struct {
 		ctx            context.Context
@@ -393,6 +396,7 @@ func TestCommandSide_SetPasswordWithVerifyCode(t *testing.T) {
 								time.Hour*1,
 								domain.NotificationTypeEmail,
 								"",
+								"",
 							),
 						),
 					),
@@ -446,6 +450,7 @@ func TestCommandSide_SetPasswordWithVerifyCode(t *testing.T) {
 								time.Hour*1,
 								domain.NotificationTypeEmail,
 								"",
+								"",
 							),
 						),
 					),
@@ -522,6 +527,7 @@ func TestCommandSide_SetPasswordWithVerifyCode(t *testing.T) {
 								time.Hour*1,
 								domain.NotificationTypeEmail,
 								"",
+								"",
 							),
 						),
 					),
@@ -599,6 +605,7 @@ func TestCommandSide_SetPasswordWithVerifyCode(t *testing.T) {
 								time.Hour*1,
 								domain.NotificationTypeEmail,
 								"",
+								"",
 							),
 						),
 					),
@@ -641,6 +648,92 @@ func TestCommandSide_SetPasswordWithVerifyCode(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "set password (external code), ok",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							user.NewHumanAddedEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								"username",
+								"firstname",
+								"lastname",
+								"nickname",
+								"displayname",
+								language.German,
+								domain.GenderUnspecified,
+								"email@test.ch",
+								true,
+							),
+						),
+						eventFromEventPusher(
+							user.NewHumanEmailVerifiedEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+							),
+						),
+						eventFromEventPusherWithCreationDateNow(
+							user.NewHumanPasswordCodeAddedEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								nil,
+								0,
+								domain.NotificationTypeSms,
+								"",
+								"id",
+							),
+						),
+						eventFromEventPusherWithCreationDateNow(
+							user.NewHumanPasswordCodeSentEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								&senders.CodeGeneratorInfo{
+									ID:             "id",
+									VerificationID: "verificationID",
+								},
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							org.NewPasswordComplexityPolicyAddedEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								1,
+								false,
+								false,
+								false,
+								false,
+							),
+						),
+					),
+					expectPush(
+						user.NewHumanPasswordChangedEvent(context.Background(),
+							&user.NewAggregate("user1", "org1").Aggregate,
+							"$plain$x$password",
+							false,
+							"",
+						),
+					),
+				),
+				userPasswordHasher: mockPasswordHasher("x"),
+				userEncryption:     crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+				phoneCodeVerifier: func(ctx context.Context, id string) (senders.CodeGenerator, error) {
+					sender := mock.NewMockCodeGenerator(gomock.NewController(t))
+					sender.EXPECT().VerifyCode("verificationID", "a").Return(nil)
+					return sender, nil
+				},
+			},
+			args: args{
+				ctx:           context.Background(),
+				userID:        "user1",
+				resourceOwner: "org1",
+				password:      "password",
+				code:          "a",
+			},
+			res: res{
+				want: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -648,6 +741,7 @@ func TestCommandSide_SetPasswordWithVerifyCode(t *testing.T) {
 				eventstore:         tt.fields.eventstore(t),
 				userPasswordHasher: tt.fields.userPasswordHasher,
 				userEncryption:     tt.fields.userEncryption,
+				phoneCodeVerifier:  tt.fields.phoneCodeVerifier,
 			}
 			got, err := r.SetPasswordWithVerifyCode(tt.args.ctx, tt.args.resourceOwner, tt.args.userID, tt.args.code, tt.args.password, tt.args.userAgentID, tt.args.changeRequired)
 			if tt.res.err == nil {
@@ -1248,6 +1342,7 @@ func TestCommandSide_RequestSetPassword(t *testing.T) {
 							time.Hour*1,
 							domain.NotificationTypeEmail,
 							"",
+							"",
 						),
 					),
 				),
@@ -1304,6 +1399,7 @@ func TestCommandSide_RequestSetPassword(t *testing.T) {
 							time.Hour*1,
 							domain.NotificationTypeEmail,
 							"authRequestID",
+							"",
 						),
 					),
 				),
@@ -1350,6 +1446,7 @@ func TestCommandSide_PasswordCodeSent(t *testing.T) {
 		ctx           context.Context
 		userID        string
 		resourceOwner string
+		generatorInfo *senders.CodeGeneratorInfo
 	}
 	type res struct {
 		err func(error) bool
@@ -1418,6 +1515,7 @@ func TestCommandSide_PasswordCodeSent(t *testing.T) {
 					expectPush(
 						user.NewHumanPasswordCodeSentEvent(context.Background(),
 							&user.NewAggregate("user1", "org1").Aggregate,
+							&senders.CodeGeneratorInfo{},
 						),
 					),
 				),
@@ -1426,6 +1524,55 @@ func TestCommandSide_PasswordCodeSent(t *testing.T) {
 				ctx:           context.Background(),
 				userID:        "user1",
 				resourceOwner: "org1",
+				generatorInfo: &senders.CodeGeneratorInfo{},
+			},
+			res: res{},
+		},
+		{
+			name: "code sent (external code), ok",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							user.NewHumanAddedEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								"username",
+								"firstname",
+								"lastname",
+								"nickname",
+								"displayname",
+								language.German,
+								domain.GenderUnspecified,
+								"email@test.ch",
+								true,
+							),
+						),
+						eventFromEventPusher(
+							user.NewHumanPhoneChangedEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								"+411234567",
+							),
+						),
+					),
+					expectPush(
+						user.NewHumanPasswordCodeSentEvent(context.Background(),
+							&user.NewAggregate("user1", "org1").Aggregate,
+							&senders.CodeGeneratorInfo{
+								ID:             "generatorID",
+								VerificationID: "verificationID",
+							},
+						),
+					),
+				),
+			},
+			args: args{
+				ctx:           context.Background(),
+				userID:        "user1",
+				resourceOwner: "org1",
+				generatorInfo: &senders.CodeGeneratorInfo{
+					ID:             "generatorID",
+					VerificationID: "verificationID",
+				},
 			},
 			res: res{},
 		},
@@ -1435,7 +1582,7 @@ func TestCommandSide_PasswordCodeSent(t *testing.T) {
 			r := &Commands{
 				eventstore: tt.fields.eventstore(t),
 			}
-			err := r.PasswordCodeSent(tt.args.ctx, tt.args.resourceOwner, tt.args.userID)
+			err := r.PasswordCodeSent(tt.args.ctx, tt.args.resourceOwner, tt.args.userID, tt.args.generatorInfo)
 			if tt.res.err == nil {
 				assert.NoError(t, err)
 			}
diff --git a/internal/command/user_human_phone.go b/internal/command/user_human_phone.go
index 7003c0530c..0da72b0222 100644
--- a/internal/command/user_human_phone.go
+++ b/internal/command/user_human_phone.go
@@ -5,9 +5,12 @@ import (
 
 	"github.com/zitadel/logging"
 
+	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/notification/channels/twilio"
+	"github.com/zitadel/zitadel/internal/notification/senders"
 	"github.com/zitadel/zitadel/internal/repository/user"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 	"github.com/zitadel/zitadel/internal/zerrors"
@@ -40,11 +43,11 @@ func (c *Commands) ChangeHumanPhone(ctx context.Context, phone *domain.Phone, re
 	if phone.IsPhoneVerified {
 		events = append(events, user.NewHumanPhoneVerifiedEvent(ctx, userAgg))
 	} else {
-		phoneCode, err := domain.NewPhoneCode(phoneCodeGenerator)
+		phoneCode, generatorID, err := c.newPhoneCode(ctx, c.eventstore.Filter, domain.SecretGeneratorTypeVerifyPhoneCode, c.userEncryption, c.defaultSecretGenerators.PhoneVerificationCode) //nolint:staticcheck
 		if err != nil {
 			return nil, err
 		}
-		events = append(events, user.NewHumanPhoneCodeAddedEvent(ctx, userAgg, phoneCode.Code, phoneCode.Expiry))
+		events = append(events, user.NewHumanPhoneCodeAddedEvent(ctx, userAgg, phoneCode.CryptedCode(), phoneCode.CodeExpiry(), generatorID))
 	}
 
 	pushedEvents, err := c.eventstore.Push(ctx, events...)
@@ -74,12 +77,22 @@ func (c *Commands) VerifyHumanPhone(ctx context.Context, userID, code, resourceo
 	if !existingCode.UserState.Exists() {
 		return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-Rsj8c", "Errors.User.NotFound")
 	}
-	if !existingCode.State.Exists() || existingCode.Code == nil {
+	if !existingCode.State.Exists() || (existingCode.Code == nil && existingCode.GeneratorID == "") {
 		return nil, zerrors.ThrowNotFound(nil, "COMMAND-Rsj8c", "Errors.User.Code.NotFound")
 	}
 
 	userAgg := UserAggregateFromWriteModel(&existingCode.WriteModel)
-	err = crypto.VerifyCode(existingCode.CodeCreationDate, existingCode.CodeExpiry, existingCode.Code, code, phoneCodeGenerator.Alg())
+	err = verifyCode(
+		ctx,
+		existingCode.CodeCreationDate,
+		existingCode.CodeExpiry,
+		existingCode.Code,
+		existingCode.GeneratorID,
+		existingCode.VerificationID,
+		code,
+		phoneCodeGenerator.Alg(),
+		c.phoneCodeVerifier,
+	)
 	if err == nil {
 		pushedEvents, err := c.eventstore.Push(ctx, user.NewHumanPhoneVerifiedEvent(ctx, userAgg))
 		if err != nil {
@@ -92,10 +105,47 @@ func (c *Commands) VerifyHumanPhone(ctx context.Context, userID, code, resourceo
 		return writeModelToObjectDetails(&existingCode.WriteModel), nil
 	}
 	_, err = c.eventstore.Push(ctx, user.NewHumanPhoneVerificationFailedEvent(ctx, userAgg))
-	logging.LogWithFields("COMMAND-5M9ds", "userID", userAgg.ID).OnError(err).Error("NewHumanPhoneVerificationFailedEvent push failed")
+	logging.WithFields("userID", userAgg.ID).OnError(err).Error("NewHumanPhoneVerificationFailedEvent push failed")
 	return nil, zerrors.ThrowInvalidArgument(err, "COMMAND-sM0cs", "Errors.User.Code.Invalid")
 }
 
+func (c *Commands) phoneCodeVerifierFromConfig(ctx context.Context, id string) (senders.CodeGenerator, error) {
+	config, err := c.getSMSConfig(ctx, authz.GetInstance(ctx).InstanceID(), id)
+	if err != nil {
+		return nil, err
+	}
+	if config.State != domain.SMSConfigStateActive {
+		return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-M0odsf", "Errors.SMSConfig.NotFound")
+	}
+	if config.Twilio != nil {
+		if config.Twilio.VerifyServiceSID == "" {
+			return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-Sgb4h", "Errors.SMSConfig.NotExternalVerification")
+		}
+		token, err := crypto.DecryptString(config.Twilio.Token, c.smsEncryption)
+		if err != nil {
+			return nil, err
+		}
+		return &twilio.Config{
+			SID:              config.Twilio.SID,
+			Token:            token,
+			SenderNumber:     config.Twilio.SenderNumber,
+			VerifyServiceSID: config.Twilio.VerifyServiceSID,
+		}, nil
+	}
+	return nil, nil
+}
+
+func (c *Commands) activeSMSProvider(ctx context.Context) (string, error) {
+	config, err := c.getActiveSMSConfig(ctx, authz.GetInstance(ctx).InstanceID())
+	if err != nil {
+		return "", err
+	}
+	if config.State == domain.SMSConfigStateActive && config.Twilio != nil && config.Twilio.VerifyServiceSID != "" {
+		return config.ID, nil
+	}
+	return "", err
+}
+
 func (c *Commands) CreateHumanPhoneVerificationCode(ctx context.Context, userID, resourceowner string) (*domain.ObjectDetails, error) {
 	if userID == "" {
 		return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-4M0ds", "Errors.User.UserIDMissing")
@@ -115,23 +165,19 @@ func (c *Commands) CreateHumanPhoneVerificationCode(ctx context.Context, userID,
 	if existingPhone.IsPhoneVerified {
 		return nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-2M9sf", "Errors.User.Phone.AlreadyVerified")
 	}
-	config, err := cryptoGeneratorConfig(ctx, c.eventstore.Filter, domain.SecretGeneratorTypeVerifyPhoneCode) //nolint:staticcheck
-	if err != nil {
-		return nil, err
-	}
-	phoneCode, err := domain.NewPhoneCode(crypto.NewEncryptionGenerator(*config, c.userEncryption))
+	phoneCode, generatorID, err := c.newPhoneCode(ctx, c.eventstore.Filter, domain.SecretGeneratorTypeVerifyPhoneCode, c.userEncryption, c.defaultSecretGenerators.PhoneVerificationCode) //nolint:staticcheck
 	if err != nil {
 		return nil, err
 	}
 
 	userAgg := UserAggregateFromWriteModel(&existingPhone.WriteModel)
-	if err = c.pushAppendAndReduce(ctx, existingPhone, user.NewHumanPhoneCodeAddedEvent(ctx, userAgg, phoneCode.Code, phoneCode.Expiry)); err != nil {
+	if err = c.pushAppendAndReduce(ctx, existingPhone, user.NewHumanPhoneCodeAddedEvent(ctx, userAgg, phoneCode.CryptedCode(), phoneCode.CodeExpiry(), generatorID)); err != nil {
 		return nil, err
 	}
 	return writeModelToObjectDetails(&existingPhone.WriteModel), nil
 }
 
-func (c *Commands) HumanPhoneVerificationCodeSent(ctx context.Context, orgID, userID string) (err error) {
+func (c *Commands) HumanPhoneVerificationCodeSent(ctx context.Context, orgID, userID string, generatorInfo *senders.CodeGeneratorInfo) (err error) {
 	if userID == "" {
 		return zerrors.ThrowInvalidArgument(nil, "COMMAND-3m9Fs", "Errors.User.UserIDMissing")
 	}
@@ -148,7 +194,7 @@ func (c *Commands) HumanPhoneVerificationCodeSent(ctx context.Context, orgID, us
 	}
 
 	userAgg := UserAggregateFromWriteModel(&existingPhone.WriteModel)
-	_, err = c.eventstore.Push(ctx, user.NewHumanPhoneCodeSentEvent(ctx, userAgg))
+	_, err = c.eventstore.Push(ctx, user.NewHumanPhoneCodeSentEvent(ctx, userAgg, generatorInfo))
 	return err
 }
 
diff --git a/internal/command/user_human_phone_model.go b/internal/command/user_human_phone_model.go
index ddac65f4bb..41e8e84570 100644
--- a/internal/command/user_human_phone_model.go
+++ b/internal/command/user_human_phone_model.go
@@ -19,6 +19,8 @@ type HumanPhoneWriteModel struct {
 	Code             *crypto.CryptoValue
 	CodeCreationDate time.Time
 	CodeExpiry       time.Duration
+	GeneratorID      string
+	VerificationID   string
 
 	State     domain.PhoneState
 	UserState domain.UserState
@@ -64,6 +66,10 @@ func (wm *HumanPhoneWriteModel) Reduce() error {
 			wm.Code = e.Code
 			wm.CodeCreationDate = e.CreationDate()
 			wm.CodeExpiry = e.Expiry
+			wm.GeneratorID = e.GeneratorID
+		case *user.HumanPhoneCodeSentEvent:
+			wm.GeneratorID = e.GeneratorInfo.GetID()
+			wm.VerificationID = e.GeneratorInfo.GetVerificationID()
 		case *user.HumanPhoneRemovedEvent:
 			wm.State = domain.PhoneStateRemoved
 			wm.IsPhoneVerified = false
@@ -90,6 +96,7 @@ func (wm *HumanPhoneWriteModel) Query() *eventstore.SearchQueryBuilder {
 			user.HumanPhoneChangedType,
 			user.HumanPhoneVerifiedType,
 			user.HumanPhoneCodeAddedType,
+			user.HumanPhoneCodeSentType,
 			user.HumanPhoneRemovedType,
 			user.UserRemovedType,
 			user.UserV1AddedType,
diff --git a/internal/command/user_human_phone_test.go b/internal/command/user_human_phone_test.go
index 9ee3fcbdd2..66835ef3fd 100644
--- a/internal/command/user_human_phone_test.go
+++ b/internal/command/user_human_phone_test.go
@@ -13,14 +13,29 @@ import (
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/eventstore/v1/models"
+	"github.com/zitadel/zitadel/internal/notification/senders"
+	"github.com/zitadel/zitadel/internal/notification/senders/mock"
 	"github.com/zitadel/zitadel/internal/repository/instance"
 	"github.com/zitadel/zitadel/internal/repository/user"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )
 
 func TestCommandSide_ChangeHumanPhone(t *testing.T) {
+	defaultGenerators := &SecretGenerators{
+		OTPSMS: &crypto.GeneratorConfig{
+			Length:              8,
+			Expiry:              time.Hour,
+			IncludeLowerLetters: true,
+			IncludeUpperLetters: true,
+			IncludeDigits:       true,
+			IncludeSymbols:      true,
+		},
+	}
 	type fields struct {
-		eventstore *eventstore.Eventstore
+		eventstore                  func(*testing.T) *eventstore.Eventstore
+		userEncryption              crypto.EncryptionAlgorithm
+		defaultSecretGenerators     *SecretGenerators
+		newEncryptedCodeWithDefault encryptedCodeWithDefaultFunc
 	}
 	type args struct {
 		ctx             context.Context
@@ -41,9 +56,7 @@ func TestCommandSide_ChangeHumanPhone(t *testing.T) {
 		{
 			name: "invalid phone, invalid argument error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
-				),
+				eventstore: expectEventstore(),
 			},
 			args: args{
 				ctx: context.Background(),
@@ -61,8 +74,7 @@ func TestCommandSide_ChangeHumanPhone(t *testing.T) {
 		{
 			name: "user not existing, precondition error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(),
 				),
 			},
@@ -83,8 +95,7 @@ func TestCommandSide_ChangeHumanPhone(t *testing.T) {
 		{
 			name: "phone not changed, precondition error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(context.Background(),
@@ -126,8 +137,7 @@ func TestCommandSide_ChangeHumanPhone(t *testing.T) {
 		{
 			name: "verified phone changed, ok",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(context.Background(),
@@ -186,8 +196,7 @@ func TestCommandSide_ChangeHumanPhone(t *testing.T) {
 		{
 			name: "phone changed to verified, ok",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(context.Background(),
@@ -242,8 +251,7 @@ func TestCommandSide_ChangeHumanPhone(t *testing.T) {
 		{
 			name: "phone changed to verified, ok",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(context.Background(),
@@ -298,8 +306,7 @@ func TestCommandSide_ChangeHumanPhone(t *testing.T) {
 		{
 			name: "phone changed with code, ok",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(context.Background(),
@@ -316,6 +323,36 @@ func TestCommandSide_ChangeHumanPhone(t *testing.T) {
 							),
 						),
 					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
 					expectPush(
 						user.NewHumanPhoneChangedEvent(context.Background(),
 							&user.NewAggregate("user1", "org1").Aggregate,
@@ -330,9 +367,100 @@ func TestCommandSide_ChangeHumanPhone(t *testing.T) {
 								Crypted:    []byte("a"),
 							},
 							time.Hour*1,
+							"",
 						),
 					),
 				),
+				userEncryption:              crypto.NewMockEncryptionAlgorithm(gomock.NewController(t)),
+				defaultSecretGenerators:     defaultGenerators,
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("a", time.Hour),
+			},
+			args: args{
+				ctx: context.Background(),
+				email: &domain.Phone{
+					ObjectRoot: models.ObjectRoot{
+						AggregateID: "user1",
+					},
+					PhoneNumber: "+41711234567",
+				},
+				resourceOwner:   "org1",
+				secretGenerator: GetMockSecretGenerator(t),
+			},
+			res: res{
+				want: &domain.Phone{
+					ObjectRoot: models.ObjectRoot{
+						AggregateID:   "user1",
+						ResourceOwner: "org1",
+					},
+					PhoneNumber: "+41711234567",
+				},
+			},
+		},
+		{
+			name: "phone changed with code (external), ok",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							user.NewHumanAddedEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								"username",
+								"firstname",
+								"lastname",
+								"nickname",
+								"displayname",
+								language.German,
+								domain.GenderUnspecified,
+								"email@test.ch",
+								true,
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"verifyServiceSID",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectPush(
+						user.NewHumanPhoneChangedEvent(context.Background(),
+							&user.NewAggregate("user1", "org1").Aggregate,
+							"+41711234567",
+						),
+						user.NewHumanPhoneCodeAddedEvent(context.Background(),
+							&user.NewAggregate("user1", "org1").Aggregate,
+							nil,
+							0,
+							"id",
+						),
+					),
+				),
+				userEncryption:          crypto.NewMockEncryptionAlgorithm(gomock.NewController(t)),
+				defaultSecretGenerators: defaultGenerators,
 			},
 			args: args{
 				ctx: context.Background(),
@@ -359,7 +487,10 @@ func TestCommandSide_ChangeHumanPhone(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &Commands{
-				eventstore: tt.fields.eventstore,
+				eventstore:                  tt.fields.eventstore(t),
+				userEncryption:              tt.fields.userEncryption,
+				defaultSecretGenerators:     tt.fields.defaultSecretGenerators,
+				newEncryptedCodeWithDefault: tt.fields.newEncryptedCodeWithDefault,
 			}
 			got, err := r.ChangeHumanPhone(tt.args.ctx, tt.args.email, tt.args.resourceOwner, tt.args.secretGenerator)
 			if tt.res.err == nil {
@@ -377,7 +508,8 @@ func TestCommandSide_ChangeHumanPhone(t *testing.T) {
 
 func TestCommandSide_VerifyHumanPhone(t *testing.T) {
 	type fields struct {
-		eventstore *eventstore.Eventstore
+		eventstore        func(*testing.T) *eventstore.Eventstore
+		phoneCodeVerifier func(ctx context.Context, id string) (senders.CodeGenerator, error)
 	}
 	type args struct {
 		ctx             context.Context
@@ -399,9 +531,7 @@ func TestCommandSide_VerifyHumanPhone(t *testing.T) {
 		{
 			name: "userid missing, invalid argument error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
-				),
+				eventstore: expectEventstore(),
 			},
 			args: args{
 				ctx:           context.Background(),
@@ -415,9 +545,7 @@ func TestCommandSide_VerifyHumanPhone(t *testing.T) {
 		{
 			name: "code missing, invalid argument error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
-				),
+				eventstore: expectEventstore(),
 			},
 			args: args{
 				ctx:           context.Background(),
@@ -431,8 +559,7 @@ func TestCommandSide_VerifyHumanPhone(t *testing.T) {
 		{
 			name: "user not existing, precondition error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(),
 				),
 			},
@@ -449,8 +576,7 @@ func TestCommandSide_VerifyHumanPhone(t *testing.T) {
 		{
 			name: "code not existing, not found error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(context.Background(),
@@ -482,8 +608,7 @@ func TestCommandSide_VerifyHumanPhone(t *testing.T) {
 		{
 			name: "invalid code, invalid argument error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(context.Background(),
@@ -515,6 +640,7 @@ func TestCommandSide_VerifyHumanPhone(t *testing.T) {
 									Crypted:    []byte("a"),
 								},
 								time.Hour*1,
+								"",
 							),
 						),
 					),
@@ -539,8 +665,7 @@ func TestCommandSide_VerifyHumanPhone(t *testing.T) {
 		{
 			name: "valid code, ok",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(context.Background(),
@@ -572,6 +697,7 @@ func TestCommandSide_VerifyHumanPhone(t *testing.T) {
 									Crypted:    []byte("a"),
 								},
 								time.Hour*1,
+								"",
 							),
 						),
 					),
@@ -595,11 +721,80 @@ func TestCommandSide_VerifyHumanPhone(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "valid code (external), ok",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							user.NewHumanAddedEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								"username",
+								"firstname",
+								"lastname",
+								"nickname",
+								"displayname",
+								language.German,
+								domain.GenderUnspecified,
+								"email@test.ch",
+								true,
+							),
+						),
+						eventFromEventPusher(
+							user.NewHumanPhoneChangedEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								"+411234567",
+							),
+						),
+						eventFromEventPusherWithCreationDateNow(
+							user.NewHumanPhoneCodeAddedEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								nil,
+								0,
+								"id",
+							),
+						),
+						eventFromEventPusherWithCreationDateNow(
+							user.NewHumanPhoneCodeSentEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								&senders.CodeGeneratorInfo{
+									ID:             "id",
+									VerificationID: "verificationID",
+								},
+							),
+						),
+					),
+					expectPush(
+						user.NewHumanPhoneVerifiedEvent(context.Background(),
+							&user.NewAggregate("user1", "org1").Aggregate,
+						),
+					),
+				),
+				phoneCodeVerifier: func(ctx context.Context, id string) (senders.CodeGenerator, error) {
+					sender := mock.NewMockCodeGenerator(gomock.NewController(t))
+					sender.EXPECT().VerifyCode("verificationID", "a")
+					return sender, nil
+				},
+			},
+			args: args{
+				ctx:             context.Background(),
+				userID:          "user1",
+				code:            "a",
+				resourceOwner:   "org1",
+				secretGenerator: GetMockSecretGenerator(t),
+			},
+			res: res{
+				want: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &Commands{
-				eventstore: tt.fields.eventstore,
+				eventstore:        tt.fields.eventstore(t),
+				phoneCodeVerifier: tt.fields.phoneCodeVerifier,
 			}
 			got, err := r.VerifyHumanPhone(tt.args.ctx, tt.args.userID, tt.args.code, tt.args.resourceOwner, tt.args.secretGenerator)
 			if tt.res.err == nil {
@@ -616,9 +811,21 @@ func TestCommandSide_VerifyHumanPhone(t *testing.T) {
 }
 
 func TestCommandSide_CreateVerificationCodeHumanPhone(t *testing.T) {
+	defaultGenerators := &SecretGenerators{
+		OTPSMS: &crypto.GeneratorConfig{
+			Length:              8,
+			Expiry:              time.Hour,
+			IncludeLowerLetters: true,
+			IncludeUpperLetters: true,
+			IncludeDigits:       true,
+			IncludeSymbols:      true,
+		},
+	}
 	type fields struct {
-		eventstore     *eventstore.Eventstore
-		userEncryption crypto.EncryptionAlgorithm
+		eventstore                  func(*testing.T) *eventstore.Eventstore
+		userEncryption              crypto.EncryptionAlgorithm
+		defaultSecretGenerators     *SecretGenerators
+		newEncryptedCodeWithDefault encryptedCodeWithDefaultFunc
 	}
 	type args struct {
 		ctx           context.Context
@@ -638,9 +845,7 @@ func TestCommandSide_CreateVerificationCodeHumanPhone(t *testing.T) {
 		{
 			name: "userid missing, invalid argument error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
-				),
+				eventstore: expectEventstore(),
 			},
 			args: args{
 				ctx:           context.Background(),
@@ -653,8 +858,7 @@ func TestCommandSide_CreateVerificationCodeHumanPhone(t *testing.T) {
 		{
 			name: "user not existing, precondition error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(),
 				),
 			},
@@ -670,8 +874,7 @@ func TestCommandSide_CreateVerificationCodeHumanPhone(t *testing.T) {
 		{
 			name: "phone already verified, precondition error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(context.Background(),
@@ -713,8 +916,7 @@ func TestCommandSide_CreateVerificationCodeHumanPhone(t *testing.T) {
 		{
 			name: "new code, ok",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(context.Background(),
@@ -739,16 +941,33 @@ func TestCommandSide_CreateVerificationCodeHumanPhone(t *testing.T) {
 					),
 					expectFilter(
 						eventFromEventPusher(
-							instance.NewSecretGeneratorAddedEvent(context.Background(),
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
 								&instance.NewAggregate("instanceID").Aggregate,
-								domain.SecretGeneratorTypeVerifyPhoneCode,
-								8,
-								time.Hour,
-								true,
-								true,
-								true,
-								true,
-							)),
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
 					),
 					expectPush(
 						user.NewHumanPhoneCodeAddedEvent(context.Background(),
@@ -760,10 +979,92 @@ func TestCommandSide_CreateVerificationCodeHumanPhone(t *testing.T) {
 								Crypted:    []byte("12345678"),
 							},
 							time.Hour*1,
+							"",
 						),
 					),
 				),
-				userEncryption: crypto.CreateMockEncryptionAlgWithCode(gomock.NewController(t), "12345678"),
+				userEncryption:              crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+				defaultSecretGenerators:     defaultGenerators,
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("12345678", time.Hour),
+			},
+			args: args{
+				ctx:           context.Background(),
+				userID:        "user1",
+				resourceOwner: "org1",
+			},
+			res: res{
+				want: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			name: "new code (external), ok",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							user.NewHumanAddedEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								"username",
+								"firstname",
+								"lastname",
+								"nickname",
+								"displayname",
+								language.German,
+								domain.GenderUnspecified,
+								"email@test.ch",
+								true,
+							),
+						),
+						eventFromEventPusher(
+							user.NewHumanPhoneChangedEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								"+411234567",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"verifyServiceSID",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectPush(
+						user.NewHumanPhoneCodeAddedEvent(context.Background(),
+							&user.NewAggregate("user1", "org1").Aggregate,
+							nil,
+							0,
+							"id",
+						),
+					),
+				),
+				userEncryption:          crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+				defaultSecretGenerators: defaultGenerators,
 			},
 			args: args{
 				ctx:           context.Background(),
@@ -780,8 +1081,10 @@ func TestCommandSide_CreateVerificationCodeHumanPhone(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &Commands{
-				eventstore:     tt.fields.eventstore,
-				userEncryption: tt.fields.userEncryption,
+				eventstore:                  tt.fields.eventstore(t),
+				userEncryption:              tt.fields.userEncryption,
+				defaultSecretGenerators:     tt.fields.defaultSecretGenerators,
+				newEncryptedCodeWithDefault: tt.fields.newEncryptedCodeWithDefault,
 			}
 			got, err := r.CreateHumanPhoneVerificationCode(tt.args.ctx, tt.args.userID, tt.args.resourceOwner)
 			if tt.res.err == nil {
@@ -799,12 +1102,13 @@ func TestCommandSide_CreateVerificationCodeHumanPhone(t *testing.T) {
 
 func TestCommandSide_PhoneVerificationCodeSent(t *testing.T) {
 	type fields struct {
-		eventstore *eventstore.Eventstore
+		eventstore func(*testing.T) *eventstore.Eventstore
 	}
 	type args struct {
 		ctx           context.Context
 		userID        string
 		resourceOwner string
+		generatorInfo *senders.CodeGeneratorInfo
 	}
 	type res struct {
 		err func(error) bool
@@ -818,9 +1122,7 @@ func TestCommandSide_PhoneVerificationCodeSent(t *testing.T) {
 		{
 			name: "userid missing, invalid argument error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
-				),
+				eventstore: expectEventstore(),
 			},
 			args: args{
 				ctx:           context.Background(),
@@ -833,8 +1135,7 @@ func TestCommandSide_PhoneVerificationCodeSent(t *testing.T) {
 		{
 			name: "user not existing, precondition error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(),
 				),
 			},
@@ -850,8 +1151,7 @@ func TestCommandSide_PhoneVerificationCodeSent(t *testing.T) {
 		{
 			name: "code sent, ok",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(context.Background(),
@@ -877,6 +1177,7 @@ func TestCommandSide_PhoneVerificationCodeSent(t *testing.T) {
 					expectPush(
 						user.NewHumanPhoneCodeSentEvent(context.Background(),
 							&user.NewAggregate("user1", "org1").Aggregate,
+							&senders.CodeGeneratorInfo{},
 						),
 					),
 				),
@@ -885,6 +1186,55 @@ func TestCommandSide_PhoneVerificationCodeSent(t *testing.T) {
 				ctx:           context.Background(),
 				userID:        "user1",
 				resourceOwner: "org1",
+				generatorInfo: &senders.CodeGeneratorInfo{},
+			},
+			res: res{},
+		},
+		{
+			name: "code sent (external), ok",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							user.NewHumanAddedEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								"username",
+								"firstname",
+								"lastname",
+								"nickname",
+								"displayname",
+								language.German,
+								domain.GenderUnspecified,
+								"email@test.ch",
+								true,
+							),
+						),
+						eventFromEventPusher(
+							user.NewHumanPhoneChangedEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								"+411234567",
+							),
+						),
+					),
+					expectPush(
+						user.NewHumanPhoneCodeSentEvent(context.Background(),
+							&user.NewAggregate("user1", "org1").Aggregate,
+							&senders.CodeGeneratorInfo{
+								ID:             "generatorID",
+								VerificationID: "verificationID",
+							},
+						),
+					),
+				),
+			},
+			args: args{
+				ctx:           context.Background(),
+				userID:        "user1",
+				resourceOwner: "org1",
+				generatorInfo: &senders.CodeGeneratorInfo{
+					ID:             "generatorID",
+					VerificationID: "verificationID",
+				},
 			},
 			res: res{},
 		},
@@ -892,9 +1242,9 @@ func TestCommandSide_PhoneVerificationCodeSent(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &Commands{
-				eventstore: tt.fields.eventstore,
+				eventstore: tt.fields.eventstore(t),
 			}
-			err := r.HumanPhoneVerificationCodeSent(tt.args.ctx, tt.args.resourceOwner, tt.args.userID)
+			err := r.HumanPhoneVerificationCodeSent(tt.args.ctx, tt.args.resourceOwner, tt.args.userID, tt.args.generatorInfo)
 			if tt.res.err == nil {
 				assert.NoError(t, err)
 			}
@@ -907,7 +1257,7 @@ func TestCommandSide_PhoneVerificationCodeSent(t *testing.T) {
 
 func TestCommandSide_RemoveHumanPhone(t *testing.T) {
 	type fields struct {
-		eventstore *eventstore.Eventstore
+		eventstore func(*testing.T) *eventstore.Eventstore
 	}
 	type args struct {
 		ctx           context.Context
@@ -927,9 +1277,7 @@ func TestCommandSide_RemoveHumanPhone(t *testing.T) {
 		{
 			name: "userid missing, invalid argument error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
-				),
+				eventstore: expectEventstore(),
 			},
 			args: args{
 				ctx:           context.Background(),
@@ -942,8 +1290,7 @@ func TestCommandSide_RemoveHumanPhone(t *testing.T) {
 		{
 			name: "user not existing, precondition error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(),
 				),
 			},
@@ -959,8 +1306,7 @@ func TestCommandSide_RemoveHumanPhone(t *testing.T) {
 		{
 			name: "phone not existing, precondition error",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(context.Background(),
@@ -991,8 +1337,7 @@ func TestCommandSide_RemoveHumanPhone(t *testing.T) {
 		{
 			name: "remove phone, ok",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							user.NewHumanAddedEvent(context.Background(),
@@ -1037,7 +1382,7 @@ func TestCommandSide_RemoveHumanPhone(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &Commands{
-				eventstore: tt.fields.eventstore,
+				eventstore: tt.fields.eventstore(t),
 			}
 			got, err := r.RemoveHumanPhone(tt.args.ctx, tt.args.userID, tt.args.resourceOwner)
 			if tt.res.err == nil {
diff --git a/internal/command/user_human_test.go b/internal/command/user_human_test.go
index 468a27e8b8..fbf3523fc9 100644
--- a/internal/command/user_human_test.go
+++ b/internal/command/user_human_test.go
@@ -19,18 +19,31 @@ import (
 	"github.com/zitadel/zitadel/internal/id"
 	id_mock "github.com/zitadel/zitadel/internal/id/mock"
 	"github.com/zitadel/zitadel/internal/repository/idp"
+	"github.com/zitadel/zitadel/internal/repository/instance"
 	"github.com/zitadel/zitadel/internal/repository/org"
 	"github.com/zitadel/zitadel/internal/repository/user"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )
 
 func TestCommandSide_AddHuman(t *testing.T) {
+	defaultGenerators := &SecretGenerators{
+		OTPSMS: &crypto.GeneratorConfig{
+			Length:              8,
+			Expiry:              time.Hour,
+			IncludeLowerLetters: true,
+			IncludeUpperLetters: true,
+			IncludeDigits:       true,
+			IncludeSymbols:      true,
+		},
+	}
 	type fields struct {
-		eventstore         func(t *testing.T) *eventstore.Eventstore
-		idGenerator        id.Generator
-		userPasswordHasher *crypto.Hasher
-		codeAlg            crypto.EncryptionAlgorithm
-		newCode            encrypedCodeFunc
+		eventstore                  func(t *testing.T) *eventstore.Eventstore
+		idGenerator                 id.Generator
+		userPasswordHasher          *crypto.Hasher
+		codeAlg                     crypto.EncryptionAlgorithm
+		newCode                     encrypedCodeFunc
+		newEncryptedCodeWithDefault encryptedCodeWithDefaultFunc
+		defaultSecretGenerators     *SecretGenerators
 	}
 	type args struct {
 		ctx             context.Context
@@ -660,7 +673,6 @@ func TestCommandSide_AddHuman(t *testing.T) {
 				idGenerator:        id_mock.NewIDGeneratorExpectIDs(t, "user1"),
 				userPasswordHasher: mockPasswordHasher("x"),
 				codeAlg:            crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
-				newCode:            mockEncryptedCode("emailCode", time.Hour),
 			},
 			args: args{
 				ctx:   context.Background(),
@@ -1042,6 +1054,36 @@ func TestCommandSide_AddHuman(t *testing.T) {
 							),
 						),
 					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
 					expectPush(
 						newAddHumanEvent("$plain$x$password", false, true, "+41711234567", AllowedLanguage),
 						user.NewHumanEmailVerifiedEvent(
@@ -1057,13 +1099,15 @@ func TestCommandSide_AddHuman(t *testing.T) {
 								Crypted:    []byte("phonecode"),
 							},
 							time.Hour*1,
+							"",
 						),
 					),
 				),
-				idGenerator:        id_mock.NewIDGeneratorExpectIDs(t, "user1"),
-				userPasswordHasher: mockPasswordHasher("x"),
-				codeAlg:            crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
-				newCode:            mockEncryptedCode("phonecode", time.Hour),
+				idGenerator:                 id_mock.NewIDGeneratorExpectIDs(t, "user1"),
+				userPasswordHasher:          mockPasswordHasher("x"),
+				codeAlg:                     crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("phonecode", time.Hour),
+				defaultSecretGenerators:     defaultGenerators,
 			},
 			args: args{
 				ctx:   context.Background(),
@@ -1183,6 +1227,36 @@ func TestCommandSide_AddHuman(t *testing.T) {
 							),
 						),
 					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
 					expectPush(
 						newAddHumanEvent("$plain$x$password", false, true, "+41711234567", AllowedLanguage),
 						user.NewHumanEmailVerifiedEvent(context.Background(),
@@ -1198,13 +1272,15 @@ func TestCommandSide_AddHuman(t *testing.T) {
 							},
 							1*time.Hour,
 							true,
+							"",
 						),
 					),
 				),
-				idGenerator:        id_mock.NewIDGeneratorExpectIDs(t, "user1"),
-				userPasswordHasher: mockPasswordHasher("x"),
-				codeAlg:            crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
-				newCode:            mockEncryptedCode("phoneCode", time.Hour),
+				idGenerator:                 id_mock.NewIDGeneratorExpectIDs(t, "user1"),
+				userPasswordHasher:          mockPasswordHasher("x"),
+				codeAlg:                     crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("phoneCode", time.Hour),
+				defaultSecretGenerators:     defaultGenerators,
 			},
 			args: args{
 				ctx:   context.Background(),
@@ -1307,11 +1383,13 @@ func TestCommandSide_AddHuman(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &Commands{
-				eventstore:         tt.fields.eventstore(t),
-				userPasswordHasher: tt.fields.userPasswordHasher,
-				userEncryption:     tt.fields.codeAlg,
-				idGenerator:        tt.fields.idGenerator,
-				newEncryptedCode:   tt.fields.newCode,
+				eventstore:                  tt.fields.eventstore(t),
+				userPasswordHasher:          tt.fields.userPasswordHasher,
+				userEncryption:              tt.fields.codeAlg,
+				idGenerator:                 tt.fields.idGenerator,
+				newEncryptedCode:            tt.fields.newCode,
+				newEncryptedCodeWithDefault: tt.fields.newEncryptedCodeWithDefault,
+				defaultSecretGenerators:     tt.fields.defaultSecretGenerators,
 			}
 			err := r.AddHuman(tt.args.ctx, tt.args.orgID, tt.args.human, tt.args.allowInitMail)
 			if tt.res.err == nil {
@@ -1332,10 +1410,22 @@ func TestCommandSide_AddHuman(t *testing.T) {
 }
 
 func TestCommandSide_ImportHuman(t *testing.T) {
+	defaultGenerators := &SecretGenerators{
+		OTPSMS: &crypto.GeneratorConfig{
+			Length:              8,
+			Expiry:              time.Hour,
+			IncludeLowerLetters: true,
+			IncludeUpperLetters: true,
+			IncludeDigits:       true,
+			IncludeSymbols:      true,
+		},
+	}
 	type fields struct {
-		eventstore         func(*testing.T) *eventstore.Eventstore
-		idGenerator        id.Generator
-		userPasswordHasher *crypto.Hasher
+		eventstore                  func(*testing.T) *eventstore.Eventstore
+		idGenerator                 id.Generator
+		userPasswordHasher          *crypto.Hasher
+		newEncryptedCodeWithDefault encryptedCodeWithDefaultFunc
+		defaultSecretGenerators     *SecretGenerators
 	}
 	type args struct {
 		ctx                  context.Context
@@ -1889,6 +1979,36 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 									),
 								),
 							),
+							expectFilter(
+								eventFromEventPusher(
+									instance.NewSMSConfigActivatedEvent(
+										context.Background(),
+										&instance.NewAggregate("instanceID").Aggregate,
+										"id",
+									),
+								),
+							),
+							expectFilter(
+								eventFromEventPusher(
+									instance.NewSMSConfigTwilioAddedEvent(
+										context.Background(),
+										&instance.NewAggregate("instanceID").Aggregate,
+										"id",
+										"",
+										"sid",
+										"senderNumber",
+										&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+										"",
+									),
+								),
+								eventFromEventPusher(
+									instance.NewSMSConfigActivatedEvent(
+										context.Background(),
+										&instance.NewAggregate("instanceID").Aggregate,
+										"id",
+									),
+								),
+							),
 							expectPush(
 								newAddHumanEvent("$plain$x$password", false, true, "+41711234567", AllowedLanguage),
 								user.NewHumanInitialCodeAddedEvent(context.Background(),
@@ -1910,11 +2030,15 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 										KeyID:      "id",
 										Crypted:    []byte("a"),
 									},
-									time.Hour*1),
+									time.Hour*1,
+									"",
+								),
 							),
 						),
-						idGenerator:        id_mock.NewIDGeneratorExpectIDs(t, "user1"),
-						userPasswordHasher: mockPasswordHasher("x"),
+						idGenerator:                 id_mock.NewIDGeneratorExpectIDs(t, "user1"),
+						userPasswordHasher:          mockPasswordHasher("x"),
+						newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("a", time.Hour),
+						defaultSecretGenerators:     defaultGenerators,
 					},
 					args{
 						ctx:   context.Background(),
@@ -2866,9 +2990,11 @@ func TestCommandSide_ImportHuman(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			f, a := tt.given(t)
 			r := &Commands{
-				eventstore:         f.eventstore(t),
-				idGenerator:        f.idGenerator,
-				userPasswordHasher: f.userPasswordHasher,
+				eventstore:                  f.eventstore(t),
+				idGenerator:                 f.idGenerator,
+				userPasswordHasher:          f.userPasswordHasher,
+				newEncryptedCodeWithDefault: f.newEncryptedCodeWithDefault,
+				defaultSecretGenerators:     f.defaultSecretGenerators,
 			}
 			gotHuman, gotCode, err := r.ImportHuman(a.ctx, a.orgID, a.human, a.passwordless, a.links, a.secretGenerator, a.secretGenerator, a.secretGenerator, a.secretGenerator)
 			if tt.res.err == nil {
diff --git a/internal/command/user_v2_human.go b/internal/command/user_v2_human.go
index 08b8da72b5..a85f905e05 100644
--- a/internal/command/user_v2_human.go
+++ b/internal/command/user_v2_human.go
@@ -352,11 +352,11 @@ func (c *Commands) changeUserPhone(ctx context.Context, cmds []eventstore.Comman
 		if phone.Verified {
 			return append(cmds, user.NewHumanPhoneVerifiedEvent(ctx, &wm.Aggregate().Aggregate)), code, nil
 		} else {
-			cryptoCode, err := c.newPhoneCode(ctx, c.eventstore.Filter, alg) //nolint:staticcheck
+			cryptoCode, generatorID, err := c.newPhoneCode(ctx, c.eventstore.Filter, domain.SecretGeneratorTypeVerifyPhoneCode, alg, c.defaultSecretGenerators.PhoneVerificationCode) //nolint:staticcheck
 			if err != nil {
 				return cmds, code, err
 			}
-			cmds = append(cmds, user.NewHumanPhoneCodeAddedEventV2(ctx, &wm.Aggregate().Aggregate, cryptoCode.Crypted, cryptoCode.Expiry, phone.ReturnCode))
+			cmds = append(cmds, user.NewHumanPhoneCodeAddedEventV2(ctx, &wm.Aggregate().Aggregate, cryptoCode.CryptedCode(), cryptoCode.CodeExpiry(), phone.ReturnCode, generatorID))
 			if phone.ReturnCode {
 				code = &cryptoCode.Plain
 			}
@@ -389,7 +389,14 @@ func (c *Commands) changeUserPassword(ctx context.Context, cmds []eventstore.Com
 	verification := c.setPasswordWithPermission(wm.AggregateID, wm.ResourceOwner)
 	// otherwise check the password code...
 	if password.PasswordCode != "" {
-		verification = c.setPasswordWithVerifyCode(wm.PasswordCodeCreationDate, wm.PasswordCodeExpiry, wm.PasswordCode, password.PasswordCode)
+		verification = c.setPasswordWithVerifyCode(
+			wm.PasswordCodeCreationDate,
+			wm.PasswordCodeExpiry,
+			wm.PasswordCode,
+			wm.PasswordCodeGeneratorID,
+			wm.PasswordCodeVerificationID,
+			password.PasswordCode,
+		)
 	}
 	// ...or old password
 	if password.OldPassword != "" {
diff --git a/internal/command/user_v2_human_test.go b/internal/command/user_v2_human_test.go
index 37cd2837e7..24899a9301 100644
--- a/internal/command/user_v2_human_test.go
+++ b/internal/command/user_v2_human_test.go
@@ -18,18 +18,31 @@ import (
 	"github.com/zitadel/zitadel/internal/id"
 	id_mock "github.com/zitadel/zitadel/internal/id/mock"
 	"github.com/zitadel/zitadel/internal/repository/idp"
+	"github.com/zitadel/zitadel/internal/repository/instance"
 	"github.com/zitadel/zitadel/internal/repository/org"
 	"github.com/zitadel/zitadel/internal/repository/user"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )
 
 func TestCommandSide_AddUserHuman(t *testing.T) {
+	defaultGenerators := &SecretGenerators{
+		OTPSMS: &crypto.GeneratorConfig{
+			Length:              8,
+			Expiry:              time.Hour,
+			IncludeLowerLetters: true,
+			IncludeUpperLetters: true,
+			IncludeDigits:       true,
+			IncludeSymbols:      true,
+		},
+	}
 	type fields struct {
-		eventstore         func(t *testing.T) *eventstore.Eventstore
-		idGenerator        id.Generator
-		userPasswordHasher *crypto.Hasher
-		newCode            encrypedCodeFunc
-		checkPermission    domain.PermissionCheck
+		eventstore                  func(t *testing.T) *eventstore.Eventstore
+		idGenerator                 id.Generator
+		userPasswordHasher          *crypto.Hasher
+		newCode                     encrypedCodeFunc
+		newEncryptedCodeWithDefault encryptedCodeWithDefaultFunc
+		checkPermission             domain.PermissionCheck
+		defaultSecretGenerators     *SecretGenerators
 	}
 	type args struct {
 		ctx             context.Context
@@ -1027,6 +1040,36 @@ func TestCommandSide_AddUserHuman(t *testing.T) {
 							),
 						),
 					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
 					expectPush(
 						newAddHumanEvent("$plain$x$password", false, true, "+41711234567", language.English),
 						user.NewHumanEmailVerifiedEvent(
@@ -1042,13 +1085,120 @@ func TestCommandSide_AddUserHuman(t *testing.T) {
 								Crypted:    []byte("phonecode"),
 							},
 							time.Hour*1,
+							"",
 						),
 					),
 				),
-				checkPermission:    newMockPermissionCheckAllowed(),
-				idGenerator:        id_mock.NewIDGeneratorExpectIDs(t, "user1"),
-				userPasswordHasher: mockPasswordHasher("x"),
-				newCode:            mockEncryptedCode("phonecode", time.Hour),
+				checkPermission:             newMockPermissionCheckAllowed(),
+				idGenerator:                 id_mock.NewIDGeneratorExpectIDs(t, "user1"),
+				userPasswordHasher:          mockPasswordHasher("x"),
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("phonecode", time.Hour),
+				defaultSecretGenerators:     defaultGenerators,
+			},
+			args: args{
+				ctx:   context.Background(),
+				orgID: "org1",
+				human: &AddHuman{
+					Username:  "username",
+					FirstName: "firstname",
+					LastName:  "lastname",
+					Password:  "password",
+					Email: Email{
+						Address:  "email@test.ch",
+						Verified: true,
+					},
+					Phone: Phone{
+						Number: "+41711234567",
+					},
+					PreferredLanguage: language.English,
+				},
+				secretGenerator: GetMockSecretGenerator(t),
+				allowInitMail:   true,
+				codeAlg:         crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+			},
+			res: res{
+				want: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+				wantID: "user1",
+			},
+		},
+		{
+			name: "add human (with phone), ok (external)",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(),
+					expectFilter(
+						eventFromEventPusher(
+							org.NewDomainPolicyAddedEvent(context.Background(),
+								&userAgg.Aggregate,
+								true,
+								true,
+								true,
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							org.NewPasswordComplexityPolicyAddedEvent(context.Background(),
+								&userAgg.Aggregate,
+								1,
+								false,
+								false,
+								false,
+								false,
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"verifiyServiceSid",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectPush(
+						newAddHumanEvent("$plain$x$password", false, true, "+41711234567", language.English),
+						user.NewHumanEmailVerifiedEvent(
+							context.Background(),
+							&userAgg.Aggregate,
+						),
+						user.NewHumanPhoneCodeAddedEvent(context.Background(),
+							&userAgg.Aggregate,
+							nil,
+							0,
+							"id",
+						),
+					),
+				),
+				checkPermission:             newMockPermissionCheckAllowed(),
+				idGenerator:                 id_mock.NewIDGeneratorExpectIDs(t, "user1"),
+				userPasswordHasher:          mockPasswordHasher("x"),
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("phonecode", time.Hour),
+				defaultSecretGenerators:     defaultGenerators,
 			},
 			args: args{
 				ctx:   context.Background(),
@@ -1171,6 +1321,36 @@ func TestCommandSide_AddUserHuman(t *testing.T) {
 							),
 						),
 					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
 					expectPush(
 						newAddHumanEvent("$plain$x$password", false, true, "+41711234567", language.English),
 						user.NewHumanEmailVerifiedEvent(context.Background(),
@@ -1186,13 +1366,15 @@ func TestCommandSide_AddUserHuman(t *testing.T) {
 							},
 							1*time.Hour,
 							true,
+							"",
 						),
 					),
 				),
-				checkPermission:    newMockPermissionCheckAllowed(),
-				idGenerator:        id_mock.NewIDGeneratorExpectIDs(t, "user1"),
-				userPasswordHasher: mockPasswordHasher("x"),
-				newCode:            mockEncryptedCode("phoneCode", time.Hour),
+				checkPermission:             newMockPermissionCheckAllowed(),
+				idGenerator:                 id_mock.NewIDGeneratorExpectIDs(t, "user1"),
+				userPasswordHasher:          mockPasswordHasher("x"),
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("phoneCode", time.Hour),
+				defaultSecretGenerators:     defaultGenerators,
 			},
 			args: args{
 				ctx:   context.Background(),
@@ -1547,11 +1729,13 @@ func TestCommandSide_AddUserHuman(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &Commands{
-				eventstore:         tt.fields.eventstore(t),
-				userPasswordHasher: tt.fields.userPasswordHasher,
-				idGenerator:        tt.fields.idGenerator,
-				newEncryptedCode:   tt.fields.newCode,
-				checkPermission:    tt.fields.checkPermission,
+				eventstore:                  tt.fields.eventstore(t),
+				userPasswordHasher:          tt.fields.userPasswordHasher,
+				idGenerator:                 tt.fields.idGenerator,
+				newEncryptedCode:            tt.fields.newCode,
+				newEncryptedCodeWithDefault: tt.fields.newEncryptedCodeWithDefault,
+				defaultSecretGenerators:     tt.fields.defaultSecretGenerators,
+				checkPermission:             tt.fields.checkPermission,
 				multifactors: domain.MultifactorConfigs{
 					OTP: domain.OTPConfig{
 						Issuer:    "zitadel.com",
@@ -1578,11 +1762,23 @@ func TestCommandSide_AddUserHuman(t *testing.T) {
 }
 
 func TestCommandSide_ChangeUserHuman(t *testing.T) {
+	defaultGenerators := &SecretGenerators{
+		OTPSMS: &crypto.GeneratorConfig{
+			Length:              8,
+			Expiry:              time.Hour,
+			IncludeLowerLetters: true,
+			IncludeUpperLetters: true,
+			IncludeDigits:       true,
+			IncludeSymbols:      true,
+		},
+	}
 	type fields struct {
-		eventstore         func(t *testing.T) *eventstore.Eventstore
-		userPasswordHasher *crypto.Hasher
-		newCode            encrypedCodeFunc
-		checkPermission    domain.PermissionCheck
+		eventstore                  func(t *testing.T) *eventstore.Eventstore
+		userPasswordHasher          *crypto.Hasher
+		newCode                     encrypedCodeFunc
+		newEncryptedCodeWithDefault encryptedCodeWithDefaultFunc
+		checkPermission             domain.PermissionCheck
+		defaultSecretGenerators     *SecretGenerators
 	}
 	type args struct {
 		ctx     context.Context
@@ -2107,6 +2303,36 @@ func TestCommandSide_ChangeUserHuman(t *testing.T) {
 							newAddHumanEvent("$plain$x$password", true, true, "", language.English),
 						),
 					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
 					expectPush(
 						user.NewHumanPhoneChangedEvent(context.Background(),
 							&userAgg.Aggregate,
@@ -2122,11 +2348,13 @@ func TestCommandSide_ChangeUserHuman(t *testing.T) {
 							},
 							time.Hour,
 							false,
+							"",
 						),
 					),
 				),
-				checkPermission: newMockPermissionCheckAllowed(),
-				newCode:         mockEncryptedCode("phoneCode", time.Hour),
+				checkPermission:             newMockPermissionCheckAllowed(),
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("phoneCode", time.Hour),
+				defaultSecretGenerators:     defaultGenerators,
 			},
 			args: args{
 				ctx:   context.Background(),
@@ -2145,7 +2373,83 @@ func TestCommandSide_ChangeUserHuman(t *testing.T) {
 					ResourceOwner: "org1",
 				},
 			},
-		}, {
+		},
+		{
+			name: "change human phone, ok (external)",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							newAddHumanEvent("$plain$x$password", true, true, "", language.English),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"verifyServiceSid",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectPush(
+						user.NewHumanPhoneChangedEvent(context.Background(),
+							&userAgg.Aggregate,
+							"+41791234567",
+						),
+						user.NewHumanPhoneCodeAddedEventV2(context.Background(),
+							&user.NewAggregate("user1", "org1").Aggregate,
+							nil,
+							0,
+							false,
+							"id",
+						),
+					),
+				),
+				checkPermission:             newMockPermissionCheckAllowed(),
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("phoneCode", time.Hour),
+				defaultSecretGenerators:     defaultGenerators,
+			},
+			args: args{
+				ctx:   context.Background(),
+				orgID: "org1",
+				human: &ChangeHuman{
+					Phone: &Phone{
+						Number: "+41791234567",
+					},
+				},
+				codeAlg: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+			},
+			res: res{
+				want: &domain.ObjectDetails{
+					Sequence:      0,
+					EventDate:     time.Time{},
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
 			name: "change human phone verified, not allowed",
 			fields: fields{
 				eventstore: expectEventstore(
@@ -2255,6 +2559,36 @@ func TestCommandSide_ChangeUserHuman(t *testing.T) {
 							newAddHumanEvent("$plain$x$password", true, true, "", language.English),
 						),
 					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
 					expectPush(
 						user.NewHumanPhoneChangedEvent(context.Background(),
 							&userAgg.Aggregate,
@@ -2270,11 +2604,13 @@ func TestCommandSide_ChangeUserHuman(t *testing.T) {
 							},
 							time.Hour,
 							true,
+							"",
 						),
 					),
 				),
-				checkPermission: newMockPermissionCheckAllowed(),
-				newCode:         mockEncryptedCode("phoneCode", time.Hour),
+				checkPermission:             newMockPermissionCheckAllowed(),
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("phoneCode", time.Hour),
+				defaultSecretGenerators:     defaultGenerators,
 			},
 			args: args{
 				ctx:   context.Background(),
@@ -2929,11 +3265,13 @@ func TestCommandSide_ChangeUserHuman(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &Commands{
-				eventstore:         tt.fields.eventstore(t),
-				userPasswordHasher: tt.fields.userPasswordHasher,
-				newEncryptedCode:   tt.fields.newCode,
-				checkPermission:    tt.fields.checkPermission,
-				userEncryption:     tt.args.codeAlg,
+				eventstore:                  tt.fields.eventstore(t),
+				userPasswordHasher:          tt.fields.userPasswordHasher,
+				newEncryptedCode:            tt.fields.newCode,
+				newEncryptedCodeWithDefault: tt.fields.newEncryptedCodeWithDefault,
+				checkPermission:             tt.fields.checkPermission,
+				defaultSecretGenerators:     tt.fields.defaultSecretGenerators,
+				userEncryption:              tt.args.codeAlg,
 			}
 			err := r.ChangeUserHuman(tt.args.ctx, tt.args.human, tt.args.codeAlg)
 			if tt.res.err == nil {
diff --git a/internal/command/user_v2_model.go b/internal/command/user_v2_model.go
index d31c3e6676..25150ab655 100644
--- a/internal/command/user_v2_model.go
+++ b/internal/command/user_v2_model.go
@@ -42,13 +42,15 @@ type UserV2WriteModel struct {
 	InitCodeExpiry       time.Duration
 	InitCheckFailedCount uint64
 
-	PasswordWriteModel       bool
-	PasswordEncodedHash      string
-	PasswordChangeRequired   bool
-	PasswordCode             *crypto.CryptoValue
-	PasswordCodeCreationDate time.Time
-	PasswordCodeExpiry       time.Duration
-	PasswordCheckFailedCount uint64
+	PasswordWriteModel         bool
+	PasswordEncodedHash        string
+	PasswordChangeRequired     bool
+	PasswordCode               *crypto.CryptoValue
+	PasswordCodeCreationDate   time.Time
+	PasswordCodeExpiry         time.Duration
+	PasswordCheckFailedCount   uint64
+	PasswordCodeGeneratorID    string
+	PasswordCodeVerificationID string
 
 	EmailWriteModel       bool
 	Email                 domain.EmailAddress
@@ -270,7 +272,9 @@ func (wm *UserV2WriteModel) Reduce() error {
 			wm.PasswordChangeRequired = e.ChangeRequired
 			wm.EmptyPasswordCode()
 		case *user.HumanPasswordCodeAddedEvent:
-			wm.SetPasswordCode(e.Code, e.Expiry, e.CreationDate())
+			wm.SetPasswordCode(e)
+		case *user.HumanPasswordCodeSentEvent:
+			wm.SetPasswordCodeSent(e)
 		case *user.UserIDPLinkAddedEvent:
 			wm.AddIDPLink(e.IDPConfigID, e.DisplayName, e.ExternalUserID)
 		case *user.UserIDPLinkRemovedEvent:
@@ -337,10 +341,16 @@ func (wm *UserV2WriteModel) EmptyPasswordCode() {
 	wm.PasswordCodeExpiry = 0
 	wm.PasswordCodeCreationDate = time.Time{}
 }
-func (wm *UserV2WriteModel) SetPasswordCode(code *crypto.CryptoValue, expiry time.Duration, creationDate time.Time) {
-	wm.PasswordCode = code
-	wm.PasswordCodeExpiry = expiry
-	wm.PasswordCodeCreationDate = creationDate
+func (wm *UserV2WriteModel) SetPasswordCode(e *user.HumanPasswordCodeAddedEvent) {
+	wm.PasswordCode = e.Code
+	wm.PasswordCodeExpiry = e.Expiry
+	wm.PasswordCodeCreationDate = e.CreationDate()
+	wm.PasswordCodeGeneratorID = e.GeneratorID
+}
+
+func (wm *UserV2WriteModel) SetPasswordCodeSent(e *user.HumanPasswordCodeSentEvent) {
+	wm.PasswordCodeGeneratorID = e.GeneratorInfo.GetID()
+	wm.PasswordCodeVerificationID = e.GeneratorInfo.GetVerificationID()
 }
 
 func (wm *UserV2WriteModel) Query() *eventstore.SearchQueryBuilder {
diff --git a/internal/command/user_v2_model_test.go b/internal/command/user_v2_model_test.go
index a62bf4546a..ba5180cae3 100644
--- a/internal/command/user_v2_model_test.go
+++ b/internal/command/user_v2_model_test.go
@@ -1021,6 +1021,7 @@ func TestCommandSide_userHumanWriteModel_phone(t *testing.T) {
 								},
 								time.Hour*1,
 								false,
+								"",
 							),
 						),
 					),
@@ -1064,6 +1065,65 @@ func TestCommandSide_userHumanWriteModel_phone(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "user added with phone code external",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							newRegisterHumanEvent("username", "$plain$x$password", true, true, "", language.English),
+						),
+						eventFromEventPusher(
+							user.NewHumanPhoneChangedEvent(context.Background(),
+								&userAgg.Aggregate,
+								"+41791234567",
+							),
+						),
+						eventFromEventPusher(
+							user.NewHumanPhoneCodeAddedEventV2(context.Background(),
+								&userAgg.Aggregate,
+								nil,
+								0,
+								false,
+								"id",
+							),
+						),
+					),
+				),
+			},
+			args: args{
+				ctx:    context.Background(),
+				userID: "user1",
+			},
+			res: res{
+				want: &UserV2WriteModel{
+					HumanWriteModel: true,
+					PhoneWriteModel: true,
+					StateWriteModel: true,
+					WriteModel: eventstore.WriteModel{
+						AggregateID:       "user1",
+						Events:            []eventstore.Event{},
+						ProcessedSequence: 0,
+						ResourceOwner:     "org1",
+					},
+					UserName:               "username",
+					FirstName:              "firstname",
+					LastName:               "lastname",
+					DisplayName:            "firstname lastname",
+					PreferredLanguage:      language.English,
+					PasswordEncodedHash:    "$plain$x$password",
+					PasswordChangeRequired: true,
+					Email:                  "email@test.ch",
+					IsEmailVerified:        false,
+					Phone:                  "+41791234567",
+					IsPhoneVerified:        false,
+					PhoneCode:              nil,
+					PhoneCodeCreationDate:  time.Time{},
+					PhoneCodeExpiry:        0,
+					UserState:              domain.UserStateActive,
+				},
+			},
+		},
 		{
 			name: "user added with phone code verified",
 			fields: fields{
@@ -1089,6 +1149,7 @@ func TestCommandSide_userHumanWriteModel_phone(t *testing.T) {
 								},
 								time.Hour*1,
 								false,
+								"",
 							),
 						),
 						eventFromEventPusher(
@@ -1155,6 +1216,7 @@ func TestCommandSide_userHumanWriteModel_phone(t *testing.T) {
 								},
 								time.Hour*1,
 								false,
+								"",
 							),
 						),
 						eventFromEventPusher(
@@ -1229,6 +1291,7 @@ func TestCommandSide_userHumanWriteModel_phone(t *testing.T) {
 								},
 								time.Hour*1,
 								false,
+								"",
 							),
 						),
 						eventFromEventPusher(
diff --git a/internal/command/user_v2_phone.go b/internal/command/user_v2_phone.go
index 7ebbd4b4d5..8b754b36f3 100644
--- a/internal/command/user_v2_phone.go
+++ b/internal/command/user_v2_phone.go
@@ -6,9 +6,11 @@ import (
 	"github.com/zitadel/logging"
 
 	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/command/preparation"
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/notification/senders"
 	"github.com/zitadel/zitadel/internal/repository/user"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )
@@ -88,7 +90,7 @@ func (c *Commands) changeUserPhoneWithGenerator(ctx context.Context, userID, pho
 	if err = cmd.Change(ctx, domain.PhoneNumber(phone)); err != nil {
 		return nil, err
 	}
-	if err = cmd.AddGeneratedCode(ctx, gen, returnCode); err != nil {
+	if err = cmd.AddGeneratedCode(ctx, returnCode); err != nil {
 		return nil, err
 	}
 	return cmd.Push(ctx)
@@ -107,10 +109,10 @@ func (c *Commands) resendUserPhoneCodeWithGenerator(ctx context.Context, userID
 			return nil, err
 		}
 	}
-	if cmd.model.Code == nil {
+	if cmd.model.Code == nil && cmd.model.GeneratorID == "" {
 		return nil, zerrors.ThrowPreconditionFailed(err, "PHONE-5xrra88eq8", "Errors.User.Code.Empty")
 	}
-	if err = cmd.AddGeneratedCode(ctx, gen, returnCode); err != nil {
+	if err = cmd.AddGeneratedCode(ctx, returnCode); err != nil {
 		return nil, err
 	}
 	return cmd.Push(ctx)
@@ -166,10 +168,12 @@ func (c *Commands) removeUserPhone(ctx context.Context, userID string) (*domain.
 // UserPhoneEvents allows step-by-step additions of events,
 // operating on the Human Phone Model.
 type UserPhoneEvents struct {
-	eventstore *eventstore.Eventstore
-	aggregate  *eventstore.Aggregate
-	events     []eventstore.Command
-	model      *HumanPhoneWriteModel
+	eventstore      *eventstore.Eventstore
+	aggregate       *eventstore.Aggregate
+	events          []eventstore.Command
+	model           *HumanPhoneWriteModel
+	generateCode    func(ctx context.Context, filter preparation.FilterToQueryReducer) (*EncryptedCode, string, error)
+	getCodeVerifier func(ctx context.Context, id string) (senders.CodeGenerator, error)
 
 	plainCode *string
 }
@@ -196,6 +200,10 @@ func (c *Commands) NewUserPhoneEvents(ctx context.Context, userID string) (*User
 		eventstore: c.eventstore,
 		aggregate:  UserAggregateFromWriteModel(&model.WriteModel),
 		model:      model,
+		generateCode: func(ctx context.Context, filter preparation.FilterToQueryReducer) (*EncryptedCode, string, error) {
+			return c.newPhoneCode(ctx, filter, domain.SecretGeneratorTypeVerifyPhoneCode, c.userEncryption, c.defaultSecretGenerators.PhoneVerificationCode)
+		},
+		getCodeVerifier: c.phoneCodeVerifier,
 	}, nil
 }
 
@@ -229,15 +237,14 @@ func (c *UserPhoneEvents) SetVerified(ctx context.Context) {
 
 // AddGeneratedCode generates a new encrypted code and sets it to the phone number.
 // When returnCode a plain text of the code will be returned from Push.
-func (c *UserPhoneEvents) AddGeneratedCode(ctx context.Context, gen crypto.Generator, returnCode bool) error {
-	value, plain, err := crypto.NewCode(gen)
+func (c *UserPhoneEvents) AddGeneratedCode(ctx context.Context, returnCode bool) error {
+	code, generatorID, err := c.generateCode(ctx, c.eventstore.Filter) //nolint:staticcheck
 	if err != nil {
 		return err
 	}
-
-	c.events = append(c.events, user.NewHumanPhoneCodeAddedEventV2(ctx, c.aggregate, value, gen.Expiry(), returnCode))
+	c.events = append(c.events, user.NewHumanPhoneCodeAddedEventV2(ctx, c.aggregate, code.CryptedCode(), code.CodeExpiry(), returnCode, generatorID))
 	if returnCode {
-		c.plainCode = &plain
+		c.plainCode = &code.Plain
 	}
 	return nil
 }
@@ -247,7 +254,17 @@ func (c *UserPhoneEvents) VerifyCode(ctx context.Context, code string, gen crypt
 		return zerrors.ThrowInvalidArgument(nil, "COMMAND-Fia4a", "Errors.User.Code.Empty")
 	}
 
-	err := crypto.VerifyCode(c.model.CodeCreationDate, c.model.CodeExpiry, c.model.Code, code, gen.Alg())
+	err := verifyCode(
+		ctx,
+		c.model.CodeCreationDate,
+		c.model.CodeExpiry,
+		c.model.Code,
+		c.model.GeneratorID,
+		c.model.VerificationID,
+		code,
+		gen.Alg(),
+		c.getCodeVerifier,
+	)
 	if err == nil {
 		c.events = append(c.events, user.NewHumanPhoneVerifiedEvent(ctx, c.aggregate))
 		return nil
diff --git a/internal/command/user_v2_phone_test.go b/internal/command/user_v2_phone_test.go
index d64960efd9..cba3b6d38c 100644
--- a/internal/command/user_v2_phone_test.go
+++ b/internal/command/user_v2_phone_test.go
@@ -22,7 +22,7 @@ import (
 
 func TestCommands_ChangeUserPhone(t *testing.T) {
 	type fields struct {
-		eventstore      *eventstore.Eventstore
+		eventstore      func(*testing.T) *eventstore.Eventstore
 		checkPermission domain.PermissionCheck
 	}
 	type args struct {
@@ -38,8 +38,7 @@ func TestCommands_ChangeUserPhone(t *testing.T) {
 		{
 			name: "missing permission",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							instance.NewSecretGeneratorAddedEvent(context.Background(),
@@ -81,8 +80,7 @@ func TestCommands_ChangeUserPhone(t *testing.T) {
 		{
 			name: "missing phone",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							instance.NewSecretGeneratorAddedEvent(context.Background(),
@@ -124,8 +122,7 @@ func TestCommands_ChangeUserPhone(t *testing.T) {
 		{
 			name: "not changed",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							instance.NewSecretGeneratorAddedEvent(context.Background(),
@@ -168,7 +165,7 @@ func TestCommands_ChangeUserPhone(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			c := &Commands{
-				eventstore:      tt.fields.eventstore,
+				eventstore:      tt.fields.eventstore(t),
 				checkPermission: tt.fields.checkPermission,
 			}
 			_, err := c.ChangeUserPhone(context.Background(), tt.args.userID, tt.args.phone, crypto.CreateMockEncryptionAlg(gomock.NewController(t)))
@@ -180,7 +177,7 @@ func TestCommands_ChangeUserPhone(t *testing.T) {
 
 func TestCommands_ChangeUserPhoneReturnCode(t *testing.T) {
 	type fields struct {
-		eventstore      *eventstore.Eventstore
+		eventstore      func(*testing.T) *eventstore.Eventstore
 		checkPermission domain.PermissionCheck
 	}
 	type args struct {
@@ -196,8 +193,7 @@ func TestCommands_ChangeUserPhoneReturnCode(t *testing.T) {
 		{
 			name: "missing permission",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							instance.NewSecretGeneratorAddedEvent(context.Background(),
@@ -239,8 +235,7 @@ func TestCommands_ChangeUserPhoneReturnCode(t *testing.T) {
 		{
 			name: "missing phone",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							instance.NewSecretGeneratorAddedEvent(context.Background(),
@@ -283,7 +278,7 @@ func TestCommands_ChangeUserPhoneReturnCode(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			c := &Commands{
-				eventstore:      tt.fields.eventstore,
+				eventstore:      tt.fields.eventstore(t),
 				checkPermission: tt.fields.checkPermission,
 			}
 			_, err := c.ChangeUserPhoneReturnCode(context.Background(), tt.args.userID, tt.args.phone, crypto.CreateMockEncryptionAlg(gomock.NewController(t)))
@@ -295,7 +290,7 @@ func TestCommands_ChangeUserPhoneReturnCode(t *testing.T) {
 
 func TestCommands_ResendUserPhoneCode(t *testing.T) {
 	type fields struct {
-		eventstore      *eventstore.Eventstore
+		eventstore      func(*testing.T) *eventstore.Eventstore
 		checkPermission domain.PermissionCheck
 	}
 	type args struct {
@@ -310,8 +305,7 @@ func TestCommands_ResendUserPhoneCode(t *testing.T) {
 		{
 			name: "missing permission",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							instance.NewSecretGeneratorAddedEvent(context.Background(),
@@ -352,8 +346,7 @@ func TestCommands_ResendUserPhoneCode(t *testing.T) {
 		{
 			name: "no code",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							instance.NewSecretGeneratorAddedEvent(context.Background(),
@@ -395,7 +388,7 @@ func TestCommands_ResendUserPhoneCode(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			c := &Commands{
-				eventstore:      tt.fields.eventstore,
+				eventstore:      tt.fields.eventstore(t),
 				checkPermission: tt.fields.checkPermission,
 			}
 			_, err := c.ResendUserPhoneCode(context.Background(), tt.args.userID, crypto.CreateMockEncryptionAlg(gomock.NewController(t)))
@@ -407,7 +400,7 @@ func TestCommands_ResendUserPhoneCode(t *testing.T) {
 
 func TestCommands_ResendUserPhoneCodeReturnCode(t *testing.T) {
 	type fields struct {
-		eventstore      *eventstore.Eventstore
+		eventstore      func(*testing.T) *eventstore.Eventstore
 		checkPermission domain.PermissionCheck
 	}
 	type args struct {
@@ -422,8 +415,7 @@ func TestCommands_ResendUserPhoneCodeReturnCode(t *testing.T) {
 		{
 			name: "missing permission",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							instance.NewSecretGeneratorAddedEvent(context.Background(),
@@ -464,8 +456,7 @@ func TestCommands_ResendUserPhoneCodeReturnCode(t *testing.T) {
 		{
 			name: "no code",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							instance.NewSecretGeneratorAddedEvent(context.Background(),
@@ -507,7 +498,7 @@ func TestCommands_ResendUserPhoneCodeReturnCode(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			c := &Commands{
-				eventstore:      tt.fields.eventstore,
+				eventstore:      tt.fields.eventstore(t),
 				checkPermission: tt.fields.checkPermission,
 			}
 			_, err := c.ResendUserPhoneCodeReturnCode(context.Background(), tt.args.userID, crypto.CreateMockEncryptionAlg(gomock.NewController(t)))
@@ -519,7 +510,7 @@ func TestCommands_ResendUserPhoneCodeReturnCode(t *testing.T) {
 
 func TestCommands_ChangeUserPhoneVerified(t *testing.T) {
 	type fields struct {
-		eventstore      *eventstore.Eventstore
+		eventstore      func(*testing.T) *eventstore.Eventstore
 		checkPermission domain.PermissionCheck
 	}
 	type args struct {
@@ -536,7 +527,7 @@ func TestCommands_ChangeUserPhoneVerified(t *testing.T) {
 		{
 			name: "missing userID",
 			fields: fields{
-				eventstore:      eventstoreExpect(t),
+				eventstore:      expectEventstore(),
 				checkPermission: newMockPermissionCheckNotAllowed(),
 			},
 			args: args{
@@ -548,8 +539,7 @@ func TestCommands_ChangeUserPhoneVerified(t *testing.T) {
 		{
 			name: "missing permission",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							func() eventstore.Command {
@@ -582,8 +572,7 @@ func TestCommands_ChangeUserPhoneVerified(t *testing.T) {
 		{
 			name: "missing phone",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							func() eventstore.Command {
@@ -616,8 +605,7 @@ func TestCommands_ChangeUserPhoneVerified(t *testing.T) {
 		{
 			name: "phone changed",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							func() eventstore.Command {
@@ -667,7 +655,7 @@ func TestCommands_ChangeUserPhoneVerified(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			c := &Commands{
-				eventstore:      tt.fields.eventstore,
+				eventstore:      tt.fields.eventstore(t),
 				checkPermission: tt.fields.checkPermission,
 			}
 			got, err := c.ChangeUserPhoneVerified(context.Background(), tt.args.userID, tt.args.phone)
@@ -678,9 +666,22 @@ func TestCommands_ChangeUserPhoneVerified(t *testing.T) {
 }
 
 func TestCommands_changeUserPhoneWithGenerator(t *testing.T) {
+	defaultGenerators := &SecretGenerators{
+		OTPSMS: &crypto.GeneratorConfig{
+			Length:              8,
+			Expiry:              time.Hour,
+			IncludeLowerLetters: true,
+			IncludeUpperLetters: true,
+			IncludeDigits:       true,
+			IncludeSymbols:      true,
+		},
+	}
 	type fields struct {
-		eventstore      *eventstore.Eventstore
-		checkPermission domain.PermissionCheck
+		eventstore                  func(*testing.T) *eventstore.Eventstore
+		checkPermission             domain.PermissionCheck
+		newEncryptedCodeWithDefault encryptedCodeWithDefaultFunc
+		userEncryption              crypto.EncryptionAlgorithm
+		defaultSecretGenerators     *SecretGenerators
 	}
 	type args struct {
 		userID     string
@@ -697,7 +698,7 @@ func TestCommands_changeUserPhoneWithGenerator(t *testing.T) {
 		{
 			name: "missing user",
 			fields: fields{
-				eventstore: eventstoreExpect(t),
+				eventstore: expectEventstore(),
 			},
 			args: args{
 				userID:     "",
@@ -709,8 +710,7 @@ func TestCommands_changeUserPhoneWithGenerator(t *testing.T) {
 		{
 			name: "missing permission",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							func() eventstore.Command {
@@ -744,8 +744,7 @@ func TestCommands_changeUserPhoneWithGenerator(t *testing.T) {
 		{
 			name: "missing phone",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							func() eventstore.Command {
@@ -779,8 +778,7 @@ func TestCommands_changeUserPhoneWithGenerator(t *testing.T) {
 		{
 			name: "not changed",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							func() eventstore.Command {
@@ -814,8 +812,7 @@ func TestCommands_changeUserPhoneWithGenerator(t *testing.T) {
 		{
 			name: "phone changed",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							func() eventstore.Command {
@@ -836,6 +833,36 @@ func TestCommands_changeUserPhoneWithGenerator(t *testing.T) {
 							}(),
 						),
 					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
 					expectPush(
 						user.NewHumanPhoneChangedEvent(context.Background(),
 							&user.NewAggregate("user1", "org1").Aggregate,
@@ -851,10 +878,13 @@ func TestCommands_changeUserPhoneWithGenerator(t *testing.T) {
 							},
 							time.Hour*1,
 							false,
+							"",
 						),
 					),
 				),
-				checkPermission: newMockPermissionCheckAllowed(),
+				checkPermission:             newMockPermissionCheckAllowed(),
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("a", time.Hour),
+				defaultSecretGenerators:     defaultGenerators,
 			},
 			args: args{
 				userID:     "user1",
@@ -873,8 +903,7 @@ func TestCommands_changeUserPhoneWithGenerator(t *testing.T) {
 		{
 			name: "phone changed, return code",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							func() eventstore.Command {
@@ -895,6 +924,36 @@ func TestCommands_changeUserPhoneWithGenerator(t *testing.T) {
 							}(),
 						),
 					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
 					expectPush(
 						user.NewHumanPhoneChangedEvent(context.Background(),
 							&user.NewAggregate("user1", "org1").Aggregate,
@@ -910,10 +969,13 @@ func TestCommands_changeUserPhoneWithGenerator(t *testing.T) {
 							},
 							time.Hour*1,
 							true,
+							"",
 						),
 					),
 				),
-				checkPermission: newMockPermissionCheckAllowed(),
+				checkPermission:             newMockPermissionCheckAllowed(),
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("a", time.Hour),
+				defaultSecretGenerators:     defaultGenerators,
 			},
 			args: args{
 				userID:     "user1",
@@ -934,8 +996,11 @@ func TestCommands_changeUserPhoneWithGenerator(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			c := &Commands{
-				eventstore:      tt.fields.eventstore,
-				checkPermission: tt.fields.checkPermission,
+				eventstore:                  tt.fields.eventstore(t),
+				checkPermission:             tt.fields.checkPermission,
+				newEncryptedCodeWithDefault: tt.fields.newEncryptedCodeWithDefault,
+				userEncryption:              tt.fields.userEncryption,
+				defaultSecretGenerators:     tt.fields.defaultSecretGenerators,
 			}
 			got, err := c.changeUserPhoneWithGenerator(context.Background(), tt.args.userID, tt.args.phone, GetMockSecretGenerator(t), tt.args.returnCode)
 			require.ErrorIs(t, err, tt.wantErr)
@@ -945,9 +1010,21 @@ func TestCommands_changeUserPhoneWithGenerator(t *testing.T) {
 }
 
 func TestCommands_resendUserPhoneCodeWithGenerator(t *testing.T) {
+	defaultGenerators := &SecretGenerators{
+		OTPSMS: &crypto.GeneratorConfig{
+			Length:              8,
+			Expiry:              time.Hour,
+			IncludeLowerLetters: true,
+			IncludeUpperLetters: true,
+			IncludeDigits:       true,
+			IncludeSymbols:      true,
+		},
+	}
 	type fields struct {
-		eventstore      *eventstore.Eventstore
-		checkPermission domain.PermissionCheck
+		eventstore                  func(*testing.T) *eventstore.Eventstore
+		checkPermission             domain.PermissionCheck
+		newEncryptedCodeWithDefault encryptedCodeWithDefaultFunc
+		defaultSecretGenerators     *SecretGenerators
 	}
 	type args struct {
 		userID     string
@@ -963,7 +1040,7 @@ func TestCommands_resendUserPhoneCodeWithGenerator(t *testing.T) {
 		{
 			name: "missing user",
 			fields: fields{
-				eventstore: eventstoreExpect(t),
+				eventstore: expectEventstore(),
 			},
 			args: args{
 				userID:     "",
@@ -974,8 +1051,7 @@ func TestCommands_resendUserPhoneCodeWithGenerator(t *testing.T) {
 		{
 			name: "missing permission",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							func() eventstore.Command {
@@ -1008,8 +1084,7 @@ func TestCommands_resendUserPhoneCodeWithGenerator(t *testing.T) {
 		{
 			name: "no code",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							func() eventstore.Command {
@@ -1042,8 +1117,7 @@ func TestCommands_resendUserPhoneCodeWithGenerator(t *testing.T) {
 		{
 			name: "resend",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							func() eventstore.Command {
@@ -1074,6 +1148,37 @@ func TestCommands_resendUserPhoneCodeWithGenerator(t *testing.T) {
 								},
 								time.Hour*1,
 								true,
+								"",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
 							),
 						),
 					),
@@ -1088,10 +1193,103 @@ func TestCommands_resendUserPhoneCodeWithGenerator(t *testing.T) {
 							},
 							time.Hour*1,
 							false,
+							"",
 						),
 					),
 				),
-				checkPermission: newMockPermissionCheckAllowed(),
+				checkPermission:             newMockPermissionCheckAllowed(),
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("a", time.Hour),
+				defaultSecretGenerators:     defaultGenerators,
+			},
+			args: args{
+				userID:     "user1",
+				returnCode: false,
+			},
+			want: &domain.Phone{
+				ObjectRoot: models.ObjectRoot{
+					AggregateID:   "user1",
+					ResourceOwner: "org1",
+				},
+				PhoneNumber:     "+41791234567",
+				IsPhoneVerified: false,
+			},
+		},
+		{
+			name: "resend (external)",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							func() eventstore.Command {
+								event := user.NewHumanAddedEvent(context.Background(),
+									&user.NewAggregate("user1", "org1").Aggregate,
+									"username",
+									"firstname",
+									"lastname",
+									"nickname",
+									"displayname",
+									language.German,
+									domain.GenderUnspecified,
+									"email@test.ch",
+									true,
+								)
+								event.AddPhoneData("+41791234567")
+								return event
+							}(),
+						),
+						eventFromEventPusher(
+							user.NewHumanPhoneCodeAddedEventV2(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								nil,
+								0,
+								true,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"verifyServiceSid",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectPush(
+						user.NewHumanPhoneCodeAddedEventV2(context.Background(),
+							&user.NewAggregate("user1", "org1").Aggregate,
+							nil,
+							0,
+							false,
+							"id",
+						),
+					),
+				),
+				checkPermission:             newMockPermissionCheckAllowed(),
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("a", time.Hour),
+				defaultSecretGenerators:     defaultGenerators,
 			},
 			args: args{
 				userID:     "user1",
@@ -1109,8 +1307,7 @@ func TestCommands_resendUserPhoneCodeWithGenerator(t *testing.T) {
 		{
 			name: "return code",
 			fields: fields{
-				eventstore: eventstoreExpect(
-					t,
+				eventstore: expectEventstore(
 					expectFilter(
 						eventFromEventPusher(
 							func() eventstore.Command {
@@ -1141,6 +1338,37 @@ func TestCommands_resendUserPhoneCodeWithGenerator(t *testing.T) {
 								},
 								time.Hour*1,
 								true,
+								"",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
 							),
 						),
 					),
@@ -1155,10 +1383,13 @@ func TestCommands_resendUserPhoneCodeWithGenerator(t *testing.T) {
 							},
 							time.Hour*1,
 							true,
+							"",
 						),
 					),
 				),
-				checkPermission: newMockPermissionCheckAllowed(),
+				checkPermission:             newMockPermissionCheckAllowed(),
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("a", time.Hour),
+				defaultSecretGenerators:     defaultGenerators,
 			},
 			args: args{
 				userID:     "user1",
@@ -1178,8 +1409,10 @@ func TestCommands_resendUserPhoneCodeWithGenerator(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			c := &Commands{
-				eventstore:      tt.fields.eventstore,
-				checkPermission: tt.fields.checkPermission,
+				eventstore:                  tt.fields.eventstore(t),
+				checkPermission:             tt.fields.checkPermission,
+				newEncryptedCodeWithDefault: tt.fields.newEncryptedCodeWithDefault,
+				defaultSecretGenerators:     tt.fields.defaultSecretGenerators,
 			}
 			got, err := c.resendUserPhoneCodeWithGenerator(context.Background(), tt.args.userID, GetMockSecretGenerator(t), tt.args.returnCode)
 			require.ErrorIs(t, err, tt.wantErr)
diff --git a/internal/command/user_v3.go b/internal/command/user_v3.go
index 2251baa136..2dede584a6 100644
--- a/internal/command/user_v3.go
+++ b/internal/command/user_v3.go
@@ -114,6 +114,9 @@ func (c *Commands) CreateSchemaUser(ctx context.Context, user *CreateSchemaUser)
 		func(ctx context.Context) (*EncryptedCode, error) {
 			return c.newEmailCode(ctx, c.eventstore.Filter, c.userEncryption) //nolint:staticcheck
 		},
+		func(ctx context.Context) (*EncryptedCode, string, error) {
+			return c.newPhoneCode(ctx, c.eventstore.Filter, domain.SecretGeneratorTypeVerifyPhoneCode, c.userEncryption, c.defaultSecretGenerators.PhoneVerificationCode) //nolint:staticcheck
+		},
 	)
 	if err != nil {
 		return nil, err
@@ -220,6 +223,9 @@ func (c *Commands) ChangeSchemaUser(ctx context.Context, user *ChangeSchemaUser)
 		func(ctx context.Context) (*EncryptedCode, error) {
 			return c.newEmailCode(ctx, c.eventstore.Filter, c.userEncryption) //nolint:staticcheck
 		},
+		func(ctx context.Context) (*EncryptedCode, string, error) {
+			return c.newPhoneCode(ctx, c.eventstore.Filter, domain.SecretGeneratorTypeVerifyPhoneCode, c.userEncryption, c.defaultSecretGenerators.PhoneVerificationCode) //nolint:staticcheck
+		},
 	)
 	if err != nil {
 		return nil, err
diff --git a/internal/command/user_v3_model.go b/internal/command/user_v3_model.go
index 574ed6cd63..46568df87f 100644
--- a/internal/command/user_v3_model.go
+++ b/internal/command/user_v3_model.go
@@ -222,7 +222,8 @@ func (wm *UserV3WriteModel) NewCreated(
 	data json.RawMessage,
 	email *Email,
 	phone *Phone,
-	code func(context.Context) (*EncryptedCode, error),
+	emailCode func(context.Context) (*EncryptedCode, error),
+	phoneCode func(context.Context) (*EncryptedCode, string, error),
 ) (_ []eventstore.Command, codeEmail string, codePhone string, err error) {
 	if err := wm.checkPermissionWrite(ctx, wm.ResourceOwner, wm.AggregateID); err != nil {
 		return nil, "", "", err
@@ -239,7 +240,7 @@ func (wm *UserV3WriteModel) NewCreated(
 	if email != nil {
 		emailEvents, plainCodeEmail, err := wm.NewEmailCreate(ctx,
 			email,
-			code,
+			emailCode,
 		)
 		if err != nil {
 			return nil, "", "", err
@@ -253,7 +254,7 @@ func (wm *UserV3WriteModel) NewCreated(
 	if phone != nil {
 		phoneEvents, plainCodePhone, err := wm.NewPhoneCreate(ctx,
 			phone,
-			code,
+			phoneCode,
 		)
 		if err != nil {
 			return nil, "", "", err
@@ -310,7 +311,8 @@ func (wm *UserV3WriteModel) NewUpdate(
 	user *SchemaUser,
 	email *Email,
 	phone *Phone,
-	code func(context.Context) (*EncryptedCode, error),
+	emailCode func(context.Context) (*EncryptedCode, error),
+	phoneCode func(context.Context) (*EncryptedCode, string, error),
 ) (_ []eventstore.Command, codeEmail string, codePhone string, err error) {
 	if err := wm.checkPermissionWrite(ctx, wm.ResourceOwner, wm.AggregateID); err != nil {
 		return nil, "", "", err
@@ -334,7 +336,7 @@ func (wm *UserV3WriteModel) NewUpdate(
 	if email != nil {
 		emailEvents, plainCodeEmail, err := wm.NewEmailUpdate(ctx,
 			email,
-			code,
+			emailCode,
 		)
 		if err != nil {
 			return nil, "", "", err
@@ -348,7 +350,7 @@ func (wm *UserV3WriteModel) NewUpdate(
 	if phone != nil {
 		phoneEvents, plainCodePhone, err := wm.NewPhoneCreate(ctx,
 			phone,
-			code,
+			phoneCode,
 		)
 		if err != nil {
 			return nil, "", "", err
@@ -564,7 +566,7 @@ func (wm *UserV3WriteModel) newEmailCodeAddedEvent(
 func (wm *UserV3WriteModel) NewPhoneCreate(
 	ctx context.Context,
 	phone *Phone,
-	code func(context.Context) (*EncryptedCode, error),
+	code func(context.Context) (*EncryptedCode, string, error),
 ) (_ []eventstore.Command, plainCode string, err error) {
 	if err := wm.checkPermissionWrite(ctx, wm.ResourceOwner, wm.AggregateID); err != nil {
 		return nil, "", err
@@ -596,7 +598,7 @@ func (wm *UserV3WriteModel) NewPhoneCreate(
 func (wm *UserV3WriteModel) NewPhoneUpdate(
 	ctx context.Context,
 	phone *Phone,
-	code func(context.Context) (*EncryptedCode, error),
+	code func(context.Context) (*EncryptedCode, string, error),
 ) (_ []eventstore.Command, plainCode string, err error) {
 	if !wm.PhoneWM {
 		return nil, "", nil
@@ -637,7 +639,7 @@ func (wm *UserV3WriteModel) newPhoneVerifiedEvent(
 
 func (wm *UserV3WriteModel) NewResendPhoneCode(
 	ctx context.Context,
-	code func(context.Context) (*EncryptedCode, error),
+	code func(context.Context) (*EncryptedCode, string, error),
 	isReturnCode bool,
 ) (_ []eventstore.Command, plainCode string, err error) {
 	if !wm.PhoneWM {
@@ -661,10 +663,10 @@ func (wm *UserV3WriteModel) NewResendPhoneCode(
 
 func (wm *UserV3WriteModel) newPhoneCodeAddedEvent(
 	ctx context.Context,
-	code func(context.Context) (*EncryptedCode, error),
+	code func(context.Context) (*EncryptedCode, string, error),
 	isReturnCode bool,
 ) (_ *schemauser.PhoneCodeAddedEvent, plainCode string, err error) {
-	cryptoCode, err := code(ctx)
+	cryptoCode, generatorID, err := code(ctx)
 	if err != nil {
 		return nil, "", err
 	}
@@ -673,8 +675,9 @@ func (wm *UserV3WriteModel) newPhoneCodeAddedEvent(
 	}
 	return schemauser.NewPhoneCodeAddedEvent(ctx,
 		UserV3AggregateFromWriteModel(&wm.WriteModel),
-		cryptoCode.Crypted,
-		cryptoCode.Expiry,
+		cryptoCode.CryptedCode(),
+		cryptoCode.CodeExpiry(),
 		isReturnCode,
+		generatorID,
 	), plainCode, nil
 }
diff --git a/internal/command/user_v3_phone.go b/internal/command/user_v3_phone.go
index 65ca36a0ee..fa6ed1baba 100644
--- a/internal/command/user_v3_phone.go
+++ b/internal/command/user_v3_phone.go
@@ -41,8 +41,8 @@ func (c *Commands) ChangeSchemaUserPhone(ctx context.Context, user *ChangeSchema
 
 	events, plainCode, err := writeModel.NewPhoneUpdate(ctx,
 		user.Phone,
-		func(ctx context.Context) (*EncryptedCode, error) {
-			return c.newPhoneCode(ctx, c.eventstore.Filter, c.userEncryption) //nolint:staticcheck
+		func(ctx context.Context) (*EncryptedCode, string, error) {
+			return c.newPhoneCode(ctx, c.eventstore.Filter, domain.SecretGeneratorTypeVerifyPhoneCode, c.userEncryption, c.defaultSecretGenerators.PhoneVerificationCode) //nolint:staticcheck
 		},
 	)
 	if err != nil {
@@ -92,8 +92,8 @@ func (c *Commands) ResendSchemaUserPhoneCode(ctx context.Context, user *ResendSc
 	}
 
 	events, plainCode, err := writeModel.NewResendPhoneCode(ctx,
-		func(ctx context.Context) (*EncryptedCode, error) {
-			return c.newPhoneCode(ctx, c.eventstore.Filter, c.userEncryption) //nolint:staticcheck
+		func(ctx context.Context) (*EncryptedCode, string, error) {
+			return c.newPhoneCode(ctx, c.eventstore.Filter, domain.SecretGeneratorTypeVerifyPhoneCode, c.userEncryption, c.defaultSecretGenerators.PhoneVerificationCode) //nolint:staticcheck
 		},
 		user.ReturnCode,
 	)
diff --git a/internal/command/user_v3_phone_test.go b/internal/command/user_v3_phone_test.go
index 8a5a1ae0b0..1d45bade49 100644
--- a/internal/command/user_v3_phone_test.go
+++ b/internal/command/user_v3_phone_test.go
@@ -14,6 +14,7 @@ import (
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/repository/instance"
 	"github.com/zitadel/zitadel/internal/repository/user/schema"
 	"github.com/zitadel/zitadel/internal/repository/user/schemauser"
 	"github.com/zitadel/zitadel/internal/zerrors"
@@ -21,9 +22,9 @@ import (
 
 func TestCommands_ChangeSchemaUserPhone(t *testing.T) {
 	type fields struct {
-		eventstore      func(t *testing.T) *eventstore.Eventstore
-		checkPermission domain.PermissionCheck
-		newCode         encrypedCodeFunc
+		eventstore                  func(t *testing.T) *eventstore.Eventstore
+		checkPermission             domain.PermissionCheck
+		newEncryptedCodeWithDefault encryptedCodeWithDefaultFunc
 	}
 	type args struct {
 		ctx  context.Context
@@ -187,6 +188,36 @@ func TestCommands_ChangeSchemaUserPhone(t *testing.T) {
 							),
 						),
 					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
 					expectPush(
 						schemauser.NewPhoneUpdatedEvent(context.Background(),
 							&schemauser.NewAggregate("user1", "org1").Aggregate,
@@ -202,11 +233,12 @@ func TestCommands_ChangeSchemaUserPhone(t *testing.T) {
 							},
 							time.Hour*1,
 							true,
+							"",
 						),
 					),
 				),
-				checkPermission: newMockPermissionCheckAllowed(),
-				newCode:         mockEncryptedCode("phoneverify", time.Hour),
+				checkPermission:             newMockPermissionCheckAllowed(),
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("phoneverify", time.Hour),
 			},
 			args{
 				ctx: authz.NewMockContext("instanceID", "", ""),
@@ -239,6 +271,36 @@ func TestCommands_ChangeSchemaUserPhone(t *testing.T) {
 						"name": "user"
 					}`),
 						)),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
 					expectPush(
 						schemauser.NewPhoneUpdatedEvent(context.Background(),
 							&schemauser.NewAggregate("user1", "org1").Aggregate,
@@ -253,11 +315,87 @@ func TestCommands_ChangeSchemaUserPhone(t *testing.T) {
 								Crypted:    []byte("phoneverify"),
 							}, time.Hour*1,
 							false,
+							"",
+						),
+					),
+				),
+				checkPermission:             newMockPermissionCheckAllowed(),
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("phoneverify", time.Hour),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUserPhone{
+					ID: "user1",
+					Phone: &Phone{
+						Number: "+41791234567",
+					},
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			"user updated, phone to verify (external)",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						schemauser.NewCreatedEvent(
+							context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							"type",
+							1,
+							json.RawMessage(`{
+						"name": "user"
+					}`),
+						)),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"verifiyServiceSid",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectPush(
+						schemauser.NewPhoneUpdatedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							"+41791234567",
+						),
+						schemauser.NewPhoneCodeAddedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							nil,
+							0,
+							false,
+							"id",
 						),
 					),
 				),
 				checkPermission: newMockPermissionCheckAllowed(),
-				newCode:         mockEncryptedCode("phoneverify", time.Hour),
 			},
 			args{
 				ctx: authz.NewMockContext("instanceID", "", ""),
@@ -321,10 +459,20 @@ func TestCommands_ChangeSchemaUserPhone(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			c := &Commands{
-				eventstore:       tt.fields.eventstore(t),
-				checkPermission:  tt.fields.checkPermission,
-				newEncryptedCode: tt.fields.newCode,
-				userEncryption:   crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+				eventstore:                  tt.fields.eventstore(t),
+				checkPermission:             tt.fields.checkPermission,
+				newEncryptedCodeWithDefault: tt.fields.newEncryptedCodeWithDefault,
+				userEncryption:              crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+				defaultSecretGenerators: &SecretGenerators{
+					PhoneVerificationCode: &crypto.GeneratorConfig{
+						Length:              8,
+						Expiry:              time.Hour,
+						IncludeLowerLetters: true,
+						IncludeUpperLetters: true,
+						IncludeDigits:       true,
+						IncludeSymbols:      true,
+					},
+				},
 			}
 			details, err := c.ChangeSchemaUserPhone(tt.args.ctx, tt.args.user)
 			if tt.res.err == nil {
@@ -463,6 +611,7 @@ func TestCommands_VerifySchemaUserPhone(t *testing.T) {
 								},
 								time.Hour*1,
 								false,
+								"",
 							),
 						),
 						eventFromEventPusher(
@@ -520,6 +669,7 @@ func TestCommands_VerifySchemaUserPhone(t *testing.T) {
 								},
 								time.Hour*1,
 								false,
+								"",
 							),
 						),
 					),
@@ -571,6 +721,7 @@ func TestCommands_VerifySchemaUserPhone(t *testing.T) {
 								},
 								time.Hour*1,
 								false,
+								"",
 							),
 						),
 					),
@@ -622,6 +773,7 @@ func TestCommands_VerifySchemaUserPhone(t *testing.T) {
 								},
 								time.Hour*1,
 								false,
+								"",
 							),
 						),
 					),
@@ -671,9 +823,9 @@ func TestCommands_VerifySchemaUserPhone(t *testing.T) {
 
 func TestCommands_ResendSchemaUserPhoneCode(t *testing.T) {
 	type fields struct {
-		eventstore      func(t *testing.T) *eventstore.Eventstore
-		checkPermission domain.PermissionCheck
-		newCode         encrypedCodeFunc
+		eventstore                  func(t *testing.T) *eventstore.Eventstore
+		checkPermission             domain.PermissionCheck
+		newEncryptedCodeWithDefault encryptedCodeWithDefaultFunc
 	}
 	type args struct {
 		ctx  context.Context
@@ -793,6 +945,7 @@ func TestCommands_ResendSchemaUserPhoneCode(t *testing.T) {
 								},
 								time.Hour*1,
 								false,
+								"",
 							),
 						),
 						eventFromEventPusher(
@@ -852,6 +1005,7 @@ func TestCommands_ResendSchemaUserPhoneCode(t *testing.T) {
 								},
 								time.Hour*1,
 								false,
+								"",
 							),
 						),
 					),
@@ -905,6 +1059,37 @@ func TestCommands_ResendSchemaUserPhoneCode(t *testing.T) {
 								},
 								time.Hour*1,
 								false,
+								"",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
 							),
 						),
 					),
@@ -921,12 +1106,104 @@ func TestCommands_ResendSchemaUserPhoneCode(t *testing.T) {
 								},
 								time.Hour*1,
 								false,
+								"",
+							),
+						),
+					),
+				),
+				checkPermission:             newMockPermissionCheckAllowed(),
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("phoneverify2", time.Hour),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ResendSchemaUserPhoneCode{
+					ID: "user1",
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			"phone code resend, ok (external)",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schemauser.NewCreatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"id1",
+								1,
+								json.RawMessage(`{
+						"name": "user1"
+					}`),
+							),
+						),
+						eventFromEventPusher(
+							schemauser.NewPhoneUpdatedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								"+41791234567",
+							),
+						),
+						eventFromEventPusherWithCreationDateNow(
+							schemauser.NewPhoneCodeAddedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								nil,
+								0,
+								false,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"verifyServiceSid",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectPush(
+						eventFromEventPusher(
+							schemauser.NewPhoneCodeAddedEvent(
+								context.Background(),
+								&schemauser.NewAggregate("user1", "org1").Aggregate,
+								nil,
+								0,
+								false,
+								"id",
 							),
 						),
 					),
 				),
 				checkPermission: newMockPermissionCheckAllowed(),
-				newCode:         mockEncryptedCode("phoneverify2", time.Hour),
 			},
 			args{
 				ctx: authz.NewMockContext("instanceID", "", ""),
@@ -975,6 +1252,37 @@ func TestCommands_ResendSchemaUserPhoneCode(t *testing.T) {
 								},
 								time.Hour*1,
 								false,
+								"",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
 							),
 						),
 					),
@@ -991,12 +1299,13 @@ func TestCommands_ResendSchemaUserPhoneCode(t *testing.T) {
 								},
 								time.Hour*1,
 								true,
+								"",
 							),
 						),
 					),
 				),
-				checkPermission: newMockPermissionCheckAllowed(),
-				newCode:         mockEncryptedCode("phoneverify2", time.Hour),
+				checkPermission:             newMockPermissionCheckAllowed(),
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("phoneverify2", time.Hour),
 			},
 			args{
 				ctx: authz.NewMockContext("instanceID", "", ""),
@@ -1016,10 +1325,20 @@ func TestCommands_ResendSchemaUserPhoneCode(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			c := &Commands{
-				eventstore:       tt.fields.eventstore(t),
-				checkPermission:  tt.fields.checkPermission,
-				newEncryptedCode: tt.fields.newCode,
-				userEncryption:   crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+				eventstore:                  tt.fields.eventstore(t),
+				checkPermission:             tt.fields.checkPermission,
+				newEncryptedCodeWithDefault: tt.fields.newEncryptedCodeWithDefault,
+				userEncryption:              crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+				defaultSecretGenerators: &SecretGenerators{
+					PhoneVerificationCode: &crypto.GeneratorConfig{
+						Length:              8,
+						Expiry:              time.Hour,
+						IncludeLowerLetters: true,
+						IncludeUpperLetters: true,
+						IncludeDigits:       true,
+						IncludeSymbols:      true,
+					},
+				},
 			}
 			details, err := c.ResendSchemaUserPhoneCode(tt.args.ctx, tt.args.user)
 			if tt.res.err == nil {
diff --git a/internal/command/user_v3_test.go b/internal/command/user_v3_test.go
index 4825626b15..34ac7bc1e0 100644
--- a/internal/command/user_v3_test.go
+++ b/internal/command/user_v3_test.go
@@ -16,17 +16,30 @@ import (
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/id"
 	"github.com/zitadel/zitadel/internal/id/mock"
+	"github.com/zitadel/zitadel/internal/repository/instance"
 	"github.com/zitadel/zitadel/internal/repository/user/schema"
 	"github.com/zitadel/zitadel/internal/repository/user/schemauser"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )
 
 func TestCommands_CreateSchemaUser(t *testing.T) {
+	defaultGenerators := &SecretGenerators{
+		OTPSMS: &crypto.GeneratorConfig{
+			Length:              8,
+			Expiry:              time.Hour,
+			IncludeLowerLetters: true,
+			IncludeUpperLetters: true,
+			IncludeDigits:       true,
+			IncludeSymbols:      true,
+		},
+	}
 	type fields struct {
-		eventstore      func(t *testing.T) *eventstore.Eventstore
-		idGenerator     id.Generator
-		checkPermission domain.PermissionCheck
-		newCode         encrypedCodeFunc
+		eventstore                  func(t *testing.T) *eventstore.Eventstore
+		idGenerator                 id.Generator
+		checkPermission             domain.PermissionCheck
+		newCode                     encrypedCodeFunc
+		newEncryptedCodeWithDefault encryptedCodeWithDefaultFunc
+		defaultSecretGenerators     *SecretGenerators
 	}
 	type args struct {
 		ctx  context.Context
@@ -663,6 +676,36 @@ func TestCommands_CreateSchemaUser(t *testing.T) {
 						),
 					),
 					expectFilter(),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
 					expectPush(
 						schemauser.NewCreatedEvent(
 							context.Background(),
@@ -687,12 +730,14 @@ func TestCommands_CreateSchemaUser(t *testing.T) {
 							},
 							time.Hour*1,
 							true,
+							"",
 						),
 					),
 				),
-				idGenerator:     mock.ExpectID(t, "id1"),
-				checkPermission: newMockPermissionCheckAllowed(),
-				newCode:         mockEncryptedCode("phoneverify", time.Hour),
+				idGenerator:                 mock.ExpectID(t, "id1"),
+				checkPermission:             newMockPermissionCheckAllowed(),
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("phoneverify", time.Hour),
+				defaultSecretGenerators:     defaultGenerators,
 			},
 			args{
 				ctx: authz.NewMockContext("instanceID", "", ""),
@@ -741,6 +786,36 @@ func TestCommands_CreateSchemaUser(t *testing.T) {
 						),
 					),
 					expectFilter(),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
 					expectPush(
 						schemauser.NewCreatedEvent(
 							context.Background(),
@@ -765,12 +840,117 @@ func TestCommands_CreateSchemaUser(t *testing.T) {
 							},
 							time.Hour*1,
 							false,
+							"",
 						),
 					),
 				),
-				idGenerator:     mock.ExpectID(t, "id1"),
-				checkPermission: newMockPermissionCheckAllowed(),
-				newCode:         mockEncryptedCode("phoneverify", time.Hour),
+				idGenerator:                 mock.ExpectID(t, "id1"),
+				checkPermission:             newMockPermissionCheckAllowed(),
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("phoneverify", time.Hour),
+				defaultSecretGenerators:     defaultGenerators,
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &CreateSchemaUser{
+					ResourceOwner:  "org1",
+					SchemaID:       "type",
+					schemaRevision: 1,
+					Data: json.RawMessage(`{
+						"name": "user"
+					}`),
+					Phone: &Phone{
+						Number: "+41791234567",
+					},
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+					ID:            "id1",
+				},
+			},
+		},
+		{
+			"user created, phone to verify (external)",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							schema.NewCreatedEvent(
+								context.Background(),
+								&schema.NewAggregate("id1", "instanceID").Aggregate,
+								"type",
+								json.RawMessage(`{
+								"$schema": "urn:zitadel:schema:v1",
+								"type": "object",
+								"properties": {
+									"name": {
+										"type": "string"
+									}
+								}
+							}`),
+								[]domain.AuthenticatorType{domain.AuthenticatorTypeUsername},
+							),
+						),
+					),
+					expectFilter(),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"verifyServiceSid",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectPush(
+						schemauser.NewCreatedEvent(
+							context.Background(),
+							&schemauser.NewAggregate("id1", "org1").Aggregate,
+							"type",
+							1,
+							json.RawMessage(`{
+						"name": "user"
+					}`),
+						),
+						schemauser.NewPhoneUpdatedEvent(context.Background(),
+							&schemauser.NewAggregate("id1", "org1").Aggregate,
+							"+41791234567",
+						),
+						schemauser.NewPhoneCodeAddedEvent(context.Background(),
+							&schemauser.NewAggregate("id1", "org1").Aggregate,
+							nil,
+							0,
+							false,
+							"id",
+						),
+					),
+				),
+				idGenerator:                 mock.ExpectID(t, "id1"),
+				checkPermission:             newMockPermissionCheckAllowed(),
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("phoneverify", time.Hour),
+				defaultSecretGenerators:     defaultGenerators,
 			},
 			args{
 				ctx: authz.NewMockContext("instanceID", "", ""),
@@ -870,11 +1050,13 @@ func TestCommands_CreateSchemaUser(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			c := &Commands{
-				eventstore:       tt.fields.eventstore(t),
-				idGenerator:      tt.fields.idGenerator,
-				checkPermission:  tt.fields.checkPermission,
-				newEncryptedCode: tt.fields.newCode,
-				userEncryption:   crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+				eventstore:                  tt.fields.eventstore(t),
+				idGenerator:                 tt.fields.idGenerator,
+				checkPermission:             tt.fields.checkPermission,
+				newEncryptedCode:            tt.fields.newCode,
+				newEncryptedCodeWithDefault: tt.fields.newEncryptedCodeWithDefault,
+				defaultSecretGenerators:     tt.fields.defaultSecretGenerators,
+				userEncryption:              crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
 			}
 			details, err := c.CreateSchemaUser(tt.args.ctx, tt.args.user)
 			if tt.res.err == nil {
@@ -1949,10 +2131,22 @@ func TestCommandSide_ReactivateSchemaUser(t *testing.T) {
 }
 
 func TestCommands_ChangeSchemaUser(t *testing.T) {
+	defaultGenerators := &SecretGenerators{
+		OTPSMS: &crypto.GeneratorConfig{
+			Length:              8,
+			Expiry:              time.Hour,
+			IncludeLowerLetters: true,
+			IncludeUpperLetters: true,
+			IncludeDigits:       true,
+			IncludeSymbols:      true,
+		},
+	}
 	type fields struct {
-		eventstore      func(t *testing.T) *eventstore.Eventstore
-		checkPermission domain.PermissionCheck
-		newCode         encrypedCodeFunc
+		eventstore                  func(t *testing.T) *eventstore.Eventstore
+		checkPermission             domain.PermissionCheck
+		newCode                     encrypedCodeFunc
+		newEncryptedCodeWithDefault encryptedCodeWithDefaultFunc
+		defaultSecretGenerators     *SecretGenerators
 	}
 	type args struct {
 		ctx  context.Context
@@ -3016,6 +3210,36 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 					}`),
 						),
 					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
 					expectPush(
 						schemauser.NewPhoneUpdatedEvent(context.Background(),
 							&schemauser.NewAggregate("user1", "org1").Aggregate,
@@ -3031,11 +3255,13 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 							},
 							time.Hour*1,
 							true,
+							"",
 						),
 					),
 				),
-				checkPermission: newMockPermissionCheckAllowed(),
-				newCode:         mockEncryptedCode("phoneverify", time.Hour),
+				checkPermission:             newMockPermissionCheckAllowed(),
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("phoneverify", time.Hour),
+				defaultSecretGenerators:     defaultGenerators,
 			},
 			args{
 				ctx: authz.NewMockContext("instanceID", "", ""),
@@ -3069,6 +3295,36 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 					}`),
 						),
 					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
 					expectPush(
 						schemauser.NewPhoneUpdatedEvent(context.Background(),
 							&schemauser.NewAggregate("user1", "org1").Aggregate,
@@ -3084,11 +3340,91 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 							},
 							time.Hour*1,
 							false,
+							"",
 						),
 					),
 				),
-				checkPermission: newMockPermissionCheckAllowed(),
-				newCode:         mockEncryptedCode("phoneverify", time.Hour),
+				checkPermission:             newMockPermissionCheckAllowed(),
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("phoneverify", time.Hour),
+				defaultSecretGenerators:     defaultGenerators,
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &ChangeSchemaUser{
+					ID: "user1",
+					Phone: &Phone{
+						Number: "+41791234567",
+					},
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			"user updated, phone to verify (external)",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						schemauser.NewCreatedEvent(
+							context.Background(),
+							&schemauser.NewAggregate("id1", "org1").Aggregate,
+							"type",
+							1,
+							json.RawMessage(`{
+						"name": "user"
+					}`),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							instance.NewSMSConfigTwilioAddedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+								"",
+								"sid",
+								"senderNumber",
+								&crypto.CryptoValue{CryptoType: crypto.TypeEncryption, Algorithm: "enc", KeyID: "id", Crypted: []byte("crypted")},
+								"verifyServiceSid",
+							),
+						),
+						eventFromEventPusher(
+							instance.NewSMSConfigActivatedEvent(
+								context.Background(),
+								&instance.NewAggregate("instanceID").Aggregate,
+								"id",
+							),
+						),
+					),
+					expectPush(
+						schemauser.NewPhoneUpdatedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							"+41791234567",
+						),
+						schemauser.NewPhoneCodeAddedEvent(context.Background(),
+							&schemauser.NewAggregate("user1", "org1").Aggregate,
+							nil,
+							0,
+							false,
+							"id",
+						),
+					),
+				),
+				checkPermission:             newMockPermissionCheckAllowed(),
+				newEncryptedCodeWithDefault: mockEncryptedCodeWithDefault("phoneverify", time.Hour),
+				defaultSecretGenerators:     defaultGenerators,
 			},
 			args{
 				ctx: authz.NewMockContext("instanceID", "", ""),
@@ -3157,10 +3493,12 @@ func TestCommands_ChangeSchemaUser(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			c := &Commands{
-				eventstore:       tt.fields.eventstore(t),
-				checkPermission:  tt.fields.checkPermission,
-				newEncryptedCode: tt.fields.newCode,
-				userEncryption:   crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+				eventstore:                  tt.fields.eventstore(t),
+				checkPermission:             tt.fields.checkPermission,
+				newEncryptedCode:            tt.fields.newCode,
+				newEncryptedCodeWithDefault: tt.fields.newEncryptedCodeWithDefault,
+				defaultSecretGenerators:     tt.fields.defaultSecretGenerators,
+				userEncryption:              crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
 			}
 			details, err := c.ChangeSchemaUser(tt.args.ctx, tt.args.user)
 			if tt.res.err == nil {
diff --git a/internal/domain/human_phone.go b/internal/domain/human_phone.go
index f350ea72a0..2bf60bca89 100644
--- a/internal/domain/human_phone.go
+++ b/internal/domain/human_phone.go
@@ -54,17 +54,6 @@ func (p *Phone) Normalize() error {
 	return nil
 }
 
-func NewPhoneCode(phoneGenerator crypto.Generator) (*PhoneCode, error) {
-	phoneCodeCrypto, _, err := crypto.NewCode(phoneGenerator)
-	if err != nil {
-		return nil, err
-	}
-	return &PhoneCode{
-		Code:   phoneCodeCrypto,
-		Expiry: phoneGenerator.Expiry(),
-	}, nil
-}
-
 type PhoneState int32
 
 const (
diff --git a/internal/notification/channels/twilio/channel.go b/internal/notification/channels/twilio/channel.go
index da04b20f5e..e3e2767a0e 100644
--- a/internal/notification/channels/twilio/channel.go
+++ b/internal/notification/channels/twilio/channel.go
@@ -1,7 +1,9 @@
 package twilio
 
 import (
-	"github.com/kevinburke/twilio-go"
+	newTwilio "github.com/twilio/twilio-go"
+	openapi "github.com/twilio/twilio-go/rest/api/v2010"
+	verify "github.com/twilio/twilio-go/rest/verify/v2"
 	"github.com/zitadel/logging"
 
 	"github.com/zitadel/zitadel/internal/notification/channels"
@@ -10,8 +12,7 @@ import (
 )
 
 func InitChannel(config Config) channels.NotificationChannel {
-	client := twilio.NewClient(config.SID, config.Token, nil)
-
+	client := newTwilio.NewRestClientWithParams(newTwilio.ClientParams{Username: config.SID, Password: config.Token})
 	logging.Debug("successfully initialized twilio sms channel")
 
 	return channels.HandleMessageFunc(func(message channels.Message) error {
@@ -19,11 +20,30 @@ func InitChannel(config Config) channels.NotificationChannel {
 		if !ok {
 			return zerrors.ThrowInternal(nil, "TWILI-s0pLc", "message is not SMS")
 		}
+		if config.VerifyServiceSID != "" {
+			params := &verify.CreateVerificationParams{}
+			params.SetTo(twilioMsg.RecipientPhoneNumber)
+			params.SetChannel("sms")
+
+			resp, err := client.VerifyV2.CreateVerification(config.VerifyServiceSID, params)
+			if err != nil {
+				return zerrors.ThrowInternal(err, "TWILI-0s9f2", "could not send verification")
+			}
+			logging.WithFields("sid", resp.Sid, "status", resp.Status).Debug("verification sent")
+
+			twilioMsg.VerificationID = resp.Sid
+			return nil
+		}
+
 		content, err := twilioMsg.GetContent()
 		if err != nil {
 			return err
 		}
-		m, err := client.Messages.SendMessage(twilioMsg.SenderPhoneNumber, twilioMsg.RecipientPhoneNumber, content, nil)
+		params := &openapi.CreateMessageParams{}
+		params.SetTo(twilioMsg.RecipientPhoneNumber)
+		params.SetFrom(twilioMsg.SenderPhoneNumber)
+		params.SetBody(content)
+		m, err := client.Api.CreateMessage(params)
 		if err != nil {
 			return zerrors.ThrowInternal(err, "TWILI-osk3S", "could not send message")
 		}
diff --git a/internal/notification/channels/twilio/config.go b/internal/notification/channels/twilio/config.go
index dc9550d766..02da0ad00c 100644
--- a/internal/notification/channels/twilio/config.go
+++ b/internal/notification/channels/twilio/config.go
@@ -1,11 +1,40 @@
 package twilio
 
+import (
+	newTwilio "github.com/twilio/twilio-go"
+	verify "github.com/twilio/twilio-go/rest/verify/v2"
+
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
 type Config struct {
-	SID          string
-	Token        string
-	SenderNumber string
+	SID              string
+	Token            string
+	SenderNumber     string
+	VerifyServiceSID string
 }
 
 func (t *Config) IsValid() bool {
 	return t.SID != "" && t.Token != "" && t.SenderNumber != ""
 }
+
+func (t *Config) VerifyCode(verificationID, code string) error {
+	client := newTwilio.NewRestClientWithParams(newTwilio.ClientParams{Username: t.SID, Password: t.Token})
+	checkParams := &verify.CreateVerificationCheckParams{}
+	checkParams.SetVerificationSid(verificationID)
+	checkParams.SetCode(code)
+	resp, err := client.VerifyV2.CreateVerificationCheck(t.VerifyServiceSID, checkParams)
+	if err != nil || resp.Status == nil {
+		return zerrors.ThrowInvalidArgument(err, "TWILI-JK3ta", "Errors.User.Code.NotFound")
+	}
+	switch *resp.Status {
+	case "approved":
+		return nil
+	case "expired":
+		return zerrors.ThrowInvalidArgument(nil, "TWILI-SF3ba", "Errors.User.Code.Expired")
+	case "max_attempts_reached":
+		return zerrors.ThrowInvalidArgument(nil, "TWILI-Ok39a", "Errors.User.Code.NotFound")
+	default:
+		return zerrors.ThrowInvalidArgument(nil, "TWILI-Skwe4", "Errors.User.Code.Invalid")
+	}
+}
diff --git a/internal/notification/handlers/commands.go b/internal/notification/handlers/commands.go
index 3d8546f800..a50abe18a7 100644
--- a/internal/notification/handlers/commands.go
+++ b/internal/notification/handlers/commands.go
@@ -3,6 +3,7 @@ package handlers
 import (
 	"context"
 
+	"github.com/zitadel/zitadel/internal/notification/senders"
 	"github.com/zitadel/zitadel/internal/repository/milestone"
 	"github.com/zitadel/zitadel/internal/repository/quota"
 )
@@ -10,15 +11,15 @@ import (
 type Commands interface {
 	HumanInitCodeSent(ctx context.Context, orgID, userID string) error
 	HumanEmailVerificationCodeSent(ctx context.Context, orgID, userID string) error
-	PasswordCodeSent(ctx context.Context, orgID, userID string) error
-	HumanOTPSMSCodeSent(ctx context.Context, userID, resourceOwner string) error
+	PasswordCodeSent(ctx context.Context, orgID, userID string, generatorInfo *senders.CodeGeneratorInfo) error
+	HumanOTPSMSCodeSent(ctx context.Context, userID, resourceOwner string, generatorInfo *senders.CodeGeneratorInfo) error
 	HumanOTPEmailCodeSent(ctx context.Context, userID, resourceOwner string) error
-	OTPSMSSent(ctx context.Context, sessionID, resourceOwner string) error
+	OTPSMSSent(ctx context.Context, sessionID, resourceOwner string, generatorInfo *senders.CodeGeneratorInfo) error
 	OTPEmailSent(ctx context.Context, sessionID, resourceOwner string) error
 	UserDomainClaimedSent(ctx context.Context, orgID, userID string) error
 	HumanPasswordlessInitCodeSent(ctx context.Context, userID, resourceOwner, codeID string) error
 	PasswordChangeSent(ctx context.Context, orgID, userID string) error
-	HumanPhoneVerificationCodeSent(ctx context.Context, orgID, userID string) error
+	HumanPhoneVerificationCodeSent(ctx context.Context, orgID, userID string, generatorInfo *senders.CodeGeneratorInfo) error
 	InviteCodeSent(ctx context.Context, orgID, userID string) error
 	UsageNotificationSent(ctx context.Context, dueEvent *quota.NotificationDueEvent) error
 	MilestonePushed(ctx context.Context, msType milestone.Type, endpoints []string, primaryDomain string) error
diff --git a/internal/notification/handlers/config_sms.go b/internal/notification/handlers/config_sms.go
index 4698772eae..1962824c9a 100644
--- a/internal/notification/handlers/config_sms.go
+++ b/internal/notification/handlers/config_sms.go
@@ -31,9 +31,10 @@ func (n *NotificationQueries) GetActiveSMSConfig(ctx context.Context) (*sms.Conf
 		return &sms.Config{
 			ProviderConfig: provider,
 			TwilioConfig: &twilio.Config{
-				SID:          config.TwilioConfig.SID,
-				Token:        token,
-				SenderNumber: config.TwilioConfig.SenderNumber,
+				SID:              config.TwilioConfig.SID,
+				Token:            token,
+				SenderNumber:     config.TwilioConfig.SenderNumber,
+				VerifyServiceSID: config.TwilioConfig.VerifyServiceSID,
 			},
 		}, nil
 	}
diff --git a/internal/notification/handlers/mock/commands.mock.go b/internal/notification/handlers/mock/commands.mock.go
index ab94eda2cc..51942be42a 100644
--- a/internal/notification/handlers/mock/commands.mock.go
+++ b/internal/notification/handlers/mock/commands.mock.go
@@ -13,35 +13,36 @@ import (
 	context "context"
 	reflect "reflect"
 
+	senders "github.com/zitadel/zitadel/internal/notification/senders"
 	milestone "github.com/zitadel/zitadel/internal/repository/milestone"
 	quota "github.com/zitadel/zitadel/internal/repository/quota"
 	gomock "go.uber.org/mock/gomock"
 )
 
-// MockCommands is a mock of Commands interface
+// MockCommands is a mock of Commands interface.
 type MockCommands struct {
 	ctrl     *gomock.Controller
 	recorder *MockCommandsMockRecorder
 }
 
-// MockCommandsMockRecorder is the mock recorder for MockCommands
+// MockCommandsMockRecorder is the mock recorder for MockCommands.
 type MockCommandsMockRecorder struct {
 	mock *MockCommands
 }
 
-// NewMockCommands creates a new mock instance
+// NewMockCommands creates a new mock instance.
 func NewMockCommands(ctrl *gomock.Controller) *MockCommands {
 	mock := &MockCommands{ctrl: ctrl}
 	mock.recorder = &MockCommandsMockRecorder{mock}
 	return mock
 }
 
-// EXPECT returns an object that allows the caller to indicate expected use
+// EXPECT returns an object that allows the caller to indicate expected use.
 func (m *MockCommands) EXPECT() *MockCommandsMockRecorder {
 	return m.recorder
 }
 
-// HumanEmailVerificationCodeSent mocks base method
+// HumanEmailVerificationCodeSent mocks base method.
 func (m *MockCommands) HumanEmailVerificationCodeSent(arg0 context.Context, arg1, arg2 string) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "HumanEmailVerificationCodeSent", arg0, arg1, arg2)
@@ -49,13 +50,13 @@ func (m *MockCommands) HumanEmailVerificationCodeSent(arg0 context.Context, arg1
 	return ret0
 }
 
-// HumanEmailVerificationCodeSent indicates an expected call of HumanEmailVerificationCodeSent
-func (mr *MockCommandsMockRecorder) HumanEmailVerificationCodeSent(arg0, arg1, arg2 interface{}) *gomock.Call {
+// HumanEmailVerificationCodeSent indicates an expected call of HumanEmailVerificationCodeSent.
+func (mr *MockCommandsMockRecorder) HumanEmailVerificationCodeSent(arg0, arg1, arg2 any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "HumanEmailVerificationCodeSent", reflect.TypeOf((*MockCommands)(nil).HumanEmailVerificationCodeSent), arg0, arg1, arg2)
 }
 
-// HumanInitCodeSent mocks base method
+// HumanInitCodeSent mocks base method.
 func (m *MockCommands) HumanInitCodeSent(arg0 context.Context, arg1, arg2 string) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "HumanInitCodeSent", arg0, arg1, arg2)
@@ -63,13 +64,13 @@ func (m *MockCommands) HumanInitCodeSent(arg0 context.Context, arg1, arg2 string
 	return ret0
 }
 
-// HumanInitCodeSent indicates an expected call of HumanInitCodeSent
-func (mr *MockCommandsMockRecorder) HumanInitCodeSent(arg0, arg1, arg2 interface{}) *gomock.Call {
+// HumanInitCodeSent indicates an expected call of HumanInitCodeSent.
+func (mr *MockCommandsMockRecorder) HumanInitCodeSent(arg0, arg1, arg2 any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "HumanInitCodeSent", reflect.TypeOf((*MockCommands)(nil).HumanInitCodeSent), arg0, arg1, arg2)
 }
 
-// HumanOTPEmailCodeSent mocks base method
+// HumanOTPEmailCodeSent mocks base method.
 func (m *MockCommands) HumanOTPEmailCodeSent(arg0 context.Context, arg1, arg2 string) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "HumanOTPEmailCodeSent", arg0, arg1, arg2)
@@ -77,27 +78,27 @@ func (m *MockCommands) HumanOTPEmailCodeSent(arg0 context.Context, arg1, arg2 st
 	return ret0
 }
 
-// HumanOTPEmailCodeSent indicates an expected call of HumanOTPEmailCodeSent
-func (mr *MockCommandsMockRecorder) HumanOTPEmailCodeSent(arg0, arg1, arg2 interface{}) *gomock.Call {
+// HumanOTPEmailCodeSent indicates an expected call of HumanOTPEmailCodeSent.
+func (mr *MockCommandsMockRecorder) HumanOTPEmailCodeSent(arg0, arg1, arg2 any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "HumanOTPEmailCodeSent", reflect.TypeOf((*MockCommands)(nil).HumanOTPEmailCodeSent), arg0, arg1, arg2)
 }
 
-// HumanOTPSMSCodeSent mocks base method
-func (m *MockCommands) HumanOTPSMSCodeSent(arg0 context.Context, arg1, arg2 string) error {
+// HumanOTPSMSCodeSent mocks base method.
+func (m *MockCommands) HumanOTPSMSCodeSent(arg0 context.Context, arg1, arg2 string, arg3 *senders.CodeGeneratorInfo) error {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "HumanOTPSMSCodeSent", arg0, arg1, arg2)
+	ret := m.ctrl.Call(m, "HumanOTPSMSCodeSent", arg0, arg1, arg2, arg3)
 	ret0, _ := ret[0].(error)
 	return ret0
 }
 
-// HumanOTPSMSCodeSent indicates an expected call of HumanOTPSMSCodeSent
-func (mr *MockCommandsMockRecorder) HumanOTPSMSCodeSent(arg0, arg1, arg2 interface{}) *gomock.Call {
+// HumanOTPSMSCodeSent indicates an expected call of HumanOTPSMSCodeSent.
+func (mr *MockCommandsMockRecorder) HumanOTPSMSCodeSent(arg0, arg1, arg2, arg3 any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "HumanOTPSMSCodeSent", reflect.TypeOf((*MockCommands)(nil).HumanOTPSMSCodeSent), arg0, arg1, arg2)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "HumanOTPSMSCodeSent", reflect.TypeOf((*MockCommands)(nil).HumanOTPSMSCodeSent), arg0, arg1, arg2, arg3)
 }
 
-// HumanPasswordlessInitCodeSent mocks base method
+// HumanPasswordlessInitCodeSent mocks base method.
 func (m *MockCommands) HumanPasswordlessInitCodeSent(arg0 context.Context, arg1, arg2, arg3 string) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "HumanPasswordlessInitCodeSent", arg0, arg1, arg2, arg3)
@@ -105,27 +106,27 @@ func (m *MockCommands) HumanPasswordlessInitCodeSent(arg0 context.Context, arg1,
 	return ret0
 }
 
-// HumanPasswordlessInitCodeSent indicates an expected call of HumanPasswordlessInitCodeSent
-func (mr *MockCommandsMockRecorder) HumanPasswordlessInitCodeSent(arg0, arg1, arg2, arg3 interface{}) *gomock.Call {
+// HumanPasswordlessInitCodeSent indicates an expected call of HumanPasswordlessInitCodeSent.
+func (mr *MockCommandsMockRecorder) HumanPasswordlessInitCodeSent(arg0, arg1, arg2, arg3 any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "HumanPasswordlessInitCodeSent", reflect.TypeOf((*MockCommands)(nil).HumanPasswordlessInitCodeSent), arg0, arg1, arg2, arg3)
 }
 
-// HumanPhoneVerificationCodeSent mocks base method
-func (m *MockCommands) HumanPhoneVerificationCodeSent(arg0 context.Context, arg1, arg2 string) error {
+// HumanPhoneVerificationCodeSent mocks base method.
+func (m *MockCommands) HumanPhoneVerificationCodeSent(arg0 context.Context, arg1, arg2 string, arg3 *senders.CodeGeneratorInfo) error {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "HumanPhoneVerificationCodeSent", arg0, arg1, arg2)
+	ret := m.ctrl.Call(m, "HumanPhoneVerificationCodeSent", arg0, arg1, arg2, arg3)
 	ret0, _ := ret[0].(error)
 	return ret0
 }
 
-// HumanPhoneVerificationCodeSent indicates an expected call of HumanPhoneVerificationCodeSent
-func (mr *MockCommandsMockRecorder) HumanPhoneVerificationCodeSent(arg0, arg1, arg2 interface{}) *gomock.Call {
+// HumanPhoneVerificationCodeSent indicates an expected call of HumanPhoneVerificationCodeSent.
+func (mr *MockCommandsMockRecorder) HumanPhoneVerificationCodeSent(arg0, arg1, arg2, arg3 any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "HumanPhoneVerificationCodeSent", reflect.TypeOf((*MockCommands)(nil).HumanPhoneVerificationCodeSent), arg0, arg1, arg2)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "HumanPhoneVerificationCodeSent", reflect.TypeOf((*MockCommands)(nil).HumanPhoneVerificationCodeSent), arg0, arg1, arg2, arg3)
 }
 
-// InviteCodeSent mocks base method
+// InviteCodeSent mocks base method.
 func (m *MockCommands) InviteCodeSent(arg0 context.Context, arg1, arg2 string) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "InviteCodeSent", arg0, arg1, arg2)
@@ -133,13 +134,13 @@ func (m *MockCommands) InviteCodeSent(arg0 context.Context, arg1, arg2 string) e
 	return ret0
 }
 
-// InviteCodeSent indicates an expected call of InviteCodeSent
-func (mr *MockCommandsMockRecorder) InviteCodeSent(arg0, arg1, arg2 interface{}) *gomock.Call {
+// InviteCodeSent indicates an expected call of InviteCodeSent.
+func (mr *MockCommandsMockRecorder) InviteCodeSent(arg0, arg1, arg2 any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "InviteCodeSent", reflect.TypeOf((*MockCommands)(nil).InviteCodeSent), arg0, arg1, arg2)
 }
 
-// MilestonePushed mocks base method
+// MilestonePushed mocks base method.
 func (m *MockCommands) MilestonePushed(arg0 context.Context, arg1 milestone.Type, arg2 []string, arg3 string) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "MilestonePushed", arg0, arg1, arg2, arg3)
@@ -147,13 +148,13 @@ func (m *MockCommands) MilestonePushed(arg0 context.Context, arg1 milestone.Type
 	return ret0
 }
 
-// MilestonePushed indicates an expected call of MilestonePushed
-func (mr *MockCommandsMockRecorder) MilestonePushed(arg0, arg1, arg2, arg3 interface{}) *gomock.Call {
+// MilestonePushed indicates an expected call of MilestonePushed.
+func (mr *MockCommandsMockRecorder) MilestonePushed(arg0, arg1, arg2, arg3 any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "MilestonePushed", reflect.TypeOf((*MockCommands)(nil).MilestonePushed), arg0, arg1, arg2, arg3)
 }
 
-// OTPEmailSent mocks base method
+// OTPEmailSent mocks base method.
 func (m *MockCommands) OTPEmailSent(arg0 context.Context, arg1, arg2 string) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "OTPEmailSent", arg0, arg1, arg2)
@@ -161,27 +162,27 @@ func (m *MockCommands) OTPEmailSent(arg0 context.Context, arg1, arg2 string) err
 	return ret0
 }
 
-// OTPEmailSent indicates an expected call of OTPEmailSent
-func (mr *MockCommandsMockRecorder) OTPEmailSent(arg0, arg1, arg2 interface{}) *gomock.Call {
+// OTPEmailSent indicates an expected call of OTPEmailSent.
+func (mr *MockCommandsMockRecorder) OTPEmailSent(arg0, arg1, arg2 any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "OTPEmailSent", reflect.TypeOf((*MockCommands)(nil).OTPEmailSent), arg0, arg1, arg2)
 }
 
-// OTPSMSSent mocks base method
-func (m *MockCommands) OTPSMSSent(arg0 context.Context, arg1, arg2 string) error {
+// OTPSMSSent mocks base method.
+func (m *MockCommands) OTPSMSSent(arg0 context.Context, arg1, arg2 string, arg3 *senders.CodeGeneratorInfo) error {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "OTPSMSSent", arg0, arg1, arg2)
+	ret := m.ctrl.Call(m, "OTPSMSSent", arg0, arg1, arg2, arg3)
 	ret0, _ := ret[0].(error)
 	return ret0
 }
 
-// OTPSMSSent indicates an expected call of OTPSMSSent
-func (mr *MockCommandsMockRecorder) OTPSMSSent(arg0, arg1, arg2 interface{}) *gomock.Call {
+// OTPSMSSent indicates an expected call of OTPSMSSent.
+func (mr *MockCommandsMockRecorder) OTPSMSSent(arg0, arg1, arg2, arg3 any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "OTPSMSSent", reflect.TypeOf((*MockCommands)(nil).OTPSMSSent), arg0, arg1, arg2)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "OTPSMSSent", reflect.TypeOf((*MockCommands)(nil).OTPSMSSent), arg0, arg1, arg2, arg3)
 }
 
-// PasswordChangeSent mocks base method
+// PasswordChangeSent mocks base method.
 func (m *MockCommands) PasswordChangeSent(arg0 context.Context, arg1, arg2 string) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "PasswordChangeSent", arg0, arg1, arg2)
@@ -189,27 +190,27 @@ func (m *MockCommands) PasswordChangeSent(arg0 context.Context, arg1, arg2 strin
 	return ret0
 }
 
-// PasswordChangeSent indicates an expected call of PasswordChangeSent
-func (mr *MockCommandsMockRecorder) PasswordChangeSent(arg0, arg1, arg2 interface{}) *gomock.Call {
+// PasswordChangeSent indicates an expected call of PasswordChangeSent.
+func (mr *MockCommandsMockRecorder) PasswordChangeSent(arg0, arg1, arg2 any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PasswordChangeSent", reflect.TypeOf((*MockCommands)(nil).PasswordChangeSent), arg0, arg1, arg2)
 }
 
-// PasswordCodeSent mocks base method
-func (m *MockCommands) PasswordCodeSent(arg0 context.Context, arg1, arg2 string) error {
+// PasswordCodeSent mocks base method.
+func (m *MockCommands) PasswordCodeSent(arg0 context.Context, arg1, arg2 string, arg3 *senders.CodeGeneratorInfo) error {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "PasswordCodeSent", arg0, arg1, arg2)
+	ret := m.ctrl.Call(m, "PasswordCodeSent", arg0, arg1, arg2, arg3)
 	ret0, _ := ret[0].(error)
 	return ret0
 }
 
-// PasswordCodeSent indicates an expected call of PasswordCodeSent
-func (mr *MockCommandsMockRecorder) PasswordCodeSent(arg0, arg1, arg2 interface{}) *gomock.Call {
+// PasswordCodeSent indicates an expected call of PasswordCodeSent.
+func (mr *MockCommandsMockRecorder) PasswordCodeSent(arg0, arg1, arg2, arg3 any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PasswordCodeSent", reflect.TypeOf((*MockCommands)(nil).PasswordCodeSent), arg0, arg1, arg2)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "PasswordCodeSent", reflect.TypeOf((*MockCommands)(nil).PasswordCodeSent), arg0, arg1, arg2, arg3)
 }
 
-// UsageNotificationSent mocks base method
+// UsageNotificationSent mocks base method.
 func (m *MockCommands) UsageNotificationSent(arg0 context.Context, arg1 *quota.NotificationDueEvent) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "UsageNotificationSent", arg0, arg1)
@@ -217,13 +218,13 @@ func (m *MockCommands) UsageNotificationSent(arg0 context.Context, arg1 *quota.N
 	return ret0
 }
 
-// UsageNotificationSent indicates an expected call of UsageNotificationSent
-func (mr *MockCommandsMockRecorder) UsageNotificationSent(arg0, arg1 interface{}) *gomock.Call {
+// UsageNotificationSent indicates an expected call of UsageNotificationSent.
+func (mr *MockCommandsMockRecorder) UsageNotificationSent(arg0, arg1 any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UsageNotificationSent", reflect.TypeOf((*MockCommands)(nil).UsageNotificationSent), arg0, arg1)
 }
 
-// UserDomainClaimedSent mocks base method
+// UserDomainClaimedSent mocks base method.
 func (m *MockCommands) UserDomainClaimedSent(arg0 context.Context, arg1, arg2 string) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "UserDomainClaimedSent", arg0, arg1, arg2)
@@ -231,8 +232,8 @@ func (m *MockCommands) UserDomainClaimedSent(arg0 context.Context, arg1, arg2 st
 	return ret0
 }
 
-// UserDomainClaimedSent indicates an expected call of UserDomainClaimedSent
-func (mr *MockCommandsMockRecorder) UserDomainClaimedSent(arg0, arg1, arg2 interface{}) *gomock.Call {
+// UserDomainClaimedSent indicates an expected call of UserDomainClaimedSent.
+func (mr *MockCommandsMockRecorder) UserDomainClaimedSent(arg0, arg1, arg2 any) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UserDomainClaimedSent", reflect.TypeOf((*MockCommands)(nil).UserDomainClaimedSent), arg0, arg1, arg2)
 }
diff --git a/internal/notification/handlers/user_notifier.go b/internal/notification/handlers/user_notifier.go
index 57aa3a9251..799a006abf 100644
--- a/internal/notification/handlers/user_notifier.go
+++ b/internal/notification/handlers/user_notifier.go
@@ -11,6 +11,7 @@ import (
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/eventstore/handler/v2"
+	"github.com/zitadel/zitadel/internal/notification/senders"
 	"github.com/zitadel/zitadel/internal/notification/types"
 	"github.com/zitadel/zitadel/internal/query"
 	"github.com/zitadel/zitadel/internal/repository/session"
@@ -258,9 +259,12 @@ func (u *userNotifier) reducePasswordCodeAdded(event eventstore.Event) (*handler
 		if alreadyHandled {
 			return nil
 		}
-		code, err := crypto.DecryptString(e.Code, u.queries.UserDataCrypto)
-		if err != nil {
-			return err
+		var code string
+		if e.Code != nil {
+			code, err = crypto.DecryptString(e.Code, u.queries.UserDataCrypto)
+			if err != nil {
+				return err
+			}
 		}
 		colors, err := u.queries.ActiveLabelPolicyByOrg(ctx, e.Aggregate().ResourceOwner, false)
 		if err != nil {
@@ -285,15 +289,16 @@ func (u *userNotifier) reducePasswordCodeAdded(event eventstore.Event) (*handler
 		if err != nil {
 			return err
 		}
+		generatorInfo := new(senders.CodeGeneratorInfo)
 		notify := types.SendEmail(ctx, u.channels, string(template.Template), translator, notifyUser, colors, e)
 		if e.NotificationType == domain.NotificationTypeSms {
-			notify = types.SendSMS(ctx, u.channels, translator, notifyUser, colors, e)
+			notify = types.SendSMS(ctx, u.channels, translator, notifyUser, colors, e, generatorInfo)
 		}
 		err = notify.SendPasswordCode(ctx, notifyUser, code, e.URLTemplate, e.AuthRequestID)
 		if err != nil {
 			return err
 		}
-		return u.commands.PasswordCodeSent(ctx, e.Aggregate().ResourceOwner, e.Aggregate().ID)
+		return u.commands.PasswordCodeSent(ctx, e.Aggregate().ResourceOwner, e.Aggregate().ID, generatorInfo)
 	}), nil
 }
 
@@ -345,7 +350,7 @@ func (u *userNotifier) reduceOTPSMS(
 	expiry time.Duration,
 	userID,
 	resourceOwner string,
-	sentCommand func(ctx context.Context, userID string, resourceOwner string) (err error),
+	sentCommand func(ctx context.Context, userID, resourceOwner string, generatorInfo *senders.CodeGeneratorInfo) (err error),
 	eventTypes ...eventstore.EventType,
 ) (*handler.Statement, error) {
 	ctx := HandlerContext(event.Aggregate())
@@ -356,9 +361,12 @@ func (u *userNotifier) reduceOTPSMS(
 	if alreadyHandled {
 		return handler.NewNoOpStatement(event), nil
 	}
-	plainCode, err := crypto.DecryptString(code, u.queries.UserDataCrypto)
-	if err != nil {
-		return nil, err
+	var plainCode string
+	if code != nil {
+		plainCode, err = crypto.DecryptString(code, u.queries.UserDataCrypto)
+		if err != nil {
+			return nil, err
+		}
 	}
 	colors, err := u.queries.ActiveLabelPolicyByOrg(ctx, resourceOwner, false)
 	if err != nil {
@@ -377,12 +385,13 @@ func (u *userNotifier) reduceOTPSMS(
 	if err != nil {
 		return nil, err
 	}
-	notify := types.SendSMS(ctx, u.channels, translator, notifyUser, colors, event)
+	generatorInfo := new(senders.CodeGeneratorInfo)
+	notify := types.SendSMS(ctx, u.channels, translator, notifyUser, colors, event, generatorInfo)
 	err = notify.SendOTPSMSCode(ctx, plainCode, expiry)
 	if err != nil {
 		return nil, err
 	}
-	err = sentCommand(ctx, event.Aggregate().ID, event.Aggregate().ResourceOwner)
+	err = sentCommand(ctx, event.Aggregate().ID, event.Aggregate().ResourceOwner, generatorInfo)
 	if err != nil {
 		return nil, err
 	}
@@ -691,9 +700,12 @@ func (u *userNotifier) reducePhoneCodeAdded(event eventstore.Event) (*handler.St
 		if alreadyHandled {
 			return nil
 		}
-		code, err := crypto.DecryptString(e.Code, u.queries.UserDataCrypto)
-		if err != nil {
-			return err
+		var code string
+		if e.Code != nil {
+			code, err = crypto.DecryptString(e.Code, u.queries.UserDataCrypto)
+			if err != nil {
+				return err
+			}
 		}
 		colors, err := u.queries.ActiveLabelPolicyByOrg(ctx, e.Aggregate().ResourceOwner, false)
 		if err != nil {
@@ -713,12 +725,12 @@ func (u *userNotifier) reducePhoneCodeAdded(event eventstore.Event) (*handler.St
 		if err != nil {
 			return err
 		}
-		err = types.SendSMS(ctx, u.channels, translator, notifyUser, colors, e).
-			SendPhoneVerificationCode(ctx, code)
-		if err != nil {
+		generatorInfo := new(senders.CodeGeneratorInfo)
+		if err = types.SendSMS(ctx, u.channels, translator, notifyUser, colors, e, generatorInfo).
+			SendPhoneVerificationCode(ctx, code); err != nil {
 			return err
 		}
-		return u.commands.HumanPhoneVerificationCodeSent(ctx, e.Aggregate().ResourceOwner, e.Aggregate().ID)
+		return u.commands.HumanPhoneVerificationCodeSent(ctx, e.Aggregate().ResourceOwner, e.Aggregate().ID, generatorInfo)
 	}), nil
 }
 
@@ -778,7 +790,7 @@ func (u *userNotifier) reduceInviteCodeAdded(event eventstore.Event) (*handler.S
 }
 
 func (u *userNotifier) checkIfCodeAlreadyHandledOrExpired(ctx context.Context, event eventstore.Event, expiry time.Duration, data map[string]interface{}, eventTypes ...eventstore.EventType) (bool, error) {
-	if event.CreatedAt().Add(expiry).Before(time.Now().UTC()) {
+	if expiry > 0 && event.CreatedAt().Add(expiry).Before(time.Now().UTC()) {
 		return true, nil
 	}
 	return u.queries.IsAlreadyHandled(ctx, event, data, eventTypes...)
diff --git a/internal/notification/handlers/user_notifier_test.go b/internal/notification/handlers/user_notifier_test.go
index c18ddc1df3..d0151b6d7e 100644
--- a/internal/notification/handlers/user_notifier_test.go
+++ b/internal/notification/handlers/user_notifier_test.go
@@ -7,11 +7,13 @@ import (
 	"testing"
 	"time"
 
+	"github.com/muhlemmer/gu"
 	"github.com/stretchr/testify/assert"
 	"go.uber.org/mock/gomock"
 	"golang.org/x/text/language"
 
 	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/eventstore/repository"
 	es_repo_mock "github.com/zitadel/zitadel/internal/eventstore/repository/mock"
@@ -19,6 +21,7 @@ import (
 	channel_mock "github.com/zitadel/zitadel/internal/notification/channels/mock"
 	"github.com/zitadel/zitadel/internal/notification/channels/sms"
 	"github.com/zitadel/zitadel/internal/notification/channels/smtp"
+	"github.com/zitadel/zitadel/internal/notification/channels/twilio"
 	"github.com/zitadel/zitadel/internal/notification/channels/webhook"
 	"github.com/zitadel/zitadel/internal/notification/handlers/mock"
 	"github.com/zitadel/zitadel/internal/notification/messages"
@@ -36,10 +39,13 @@ const (
 	codeID                  = "event1"
 	logoURL                 = "logo.png"
 	eventOrigin             = "https://triggered.here"
+	eventOriginDomain       = "triggered.here"
 	assetsPath              = "/assets/v1"
 	preferredLoginName      = "loginName1"
 	lastEmail               = "last@email.com"
 	verifiedEmail           = "verified@email.com"
+	lastPhone               = "+41797654321"
+	verifiedPhone           = "+41791234567"
 	instancePrimaryDomain   = "primary.domain"
 	externalDomain          = "external.domain"
 	externalPort            = 3000
@@ -47,6 +53,9 @@ const (
 	externalProtocol        = "http"
 	defaultOTPEmailTemplate = "/otp/verify?loginName={{.LoginName}}&code={{.Code}}"
 	authRequestID           = "authRequestID"
+	smsProviderID           = "smsProviderID"
+	emailProviderID         = "emailProviderID"
+	verificationID          = "verificationID"
 )
 
 func Test_userNotifier_reduceInitCodeAdded(t *testing.T) {
@@ -59,7 +68,7 @@ func Test_userNotifier_reduceInitCodeAdded(t *testing.T) {
 		test: func(ctrl *gomock.Controller, queries *mock.MockQueries, commands *mock.MockCommands) (f fields, a args, w want) {
 			givenTemplate := "{{.LogoURL}}"
 			expectContent := fmt.Sprintf("%s%s/%s/%s", eventOrigin, assetsPath, policyID, logoURL)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{lastEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
@@ -92,7 +101,7 @@ func Test_userNotifier_reduceInitCodeAdded(t *testing.T) {
 		test: func(ctrl *gomock.Controller, queries *mock.MockQueries, commands *mock.MockCommands) (f fields, a args, w want) {
 			givenTemplate := "{{.LogoURL}}"
 			expectContent := fmt.Sprintf("%s://%s:%d%s/%s/%s", externalProtocol, instancePrimaryDomain, externalPort, assetsPath, policyID, logoURL)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{lastEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
@@ -131,7 +140,7 @@ func Test_userNotifier_reduceInitCodeAdded(t *testing.T) {
 			givenTemplate := "{{.URL}}"
 			testCode := "testcode"
 			expectContent := fmt.Sprintf("%s/ui/login/user/init?authRequestID=%s&code=%s&loginname=%s&orgID=%s&passwordset=%t&userID=%s", eventOrigin, "", testCode, preferredLoginName, orgID, false, userID)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{lastEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
@@ -165,7 +174,7 @@ func Test_userNotifier_reduceInitCodeAdded(t *testing.T) {
 			givenTemplate := "{{.URL}}"
 			testCode := "testcode"
 			expectContent := fmt.Sprintf("%s://%s:%d/ui/login/user/init?authRequestID=%s&code=%s&loginname=%s&orgID=%s&passwordset=%t&userID=%s", externalProtocol, instancePrimaryDomain, externalPort, "", testCode, preferredLoginName, orgID, false, userID)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{lastEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
@@ -204,7 +213,7 @@ func Test_userNotifier_reduceInitCodeAdded(t *testing.T) {
 			givenTemplate := "{{.URL}}"
 			testCode := "testcode"
 			expectContent := fmt.Sprintf("%s://%s:%d/ui/login/user/init?authRequestID=%s&code=%s&loginname=%s&orgID=%s&passwordset=%t&userID=%s", externalProtocol, instancePrimaryDomain, externalPort, authRequestID, testCode, preferredLoginName, orgID, false, userID)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{lastEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
@@ -272,7 +281,7 @@ func Test_userNotifier_reduceEmailCodeAdded(t *testing.T) {
 		test: func(ctrl *gomock.Controller, queries *mock.MockQueries, commands *mock.MockCommands) (f fields, a args, w want) {
 			givenTemplate := "{{.LogoURL}}"
 			expectContent := fmt.Sprintf("%s%s/%s/%s", eventOrigin, assetsPath, policyID, logoURL)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{lastEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
@@ -307,7 +316,7 @@ func Test_userNotifier_reduceEmailCodeAdded(t *testing.T) {
 		test: func(ctrl *gomock.Controller, queries *mock.MockQueries, commands *mock.MockCommands) (f fields, a args, w want) {
 			givenTemplate := "{{.LogoURL}}"
 			expectContent := fmt.Sprintf("%s://%s:%d%s/%s/%s", externalProtocol, instancePrimaryDomain, externalPort, assetsPath, policyID, logoURL)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{lastEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
@@ -348,7 +357,7 @@ func Test_userNotifier_reduceEmailCodeAdded(t *testing.T) {
 			givenTemplate := "{{.URL}}"
 			testCode := "testcode"
 			expectContent := fmt.Sprintf("%s/ui/login/mail/verification?authRequestID=%s&code=%s&orgID=%s&userID=%s", eventOrigin, "", testCode, orgID, userID)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{lastEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
@@ -385,7 +394,7 @@ func Test_userNotifier_reduceEmailCodeAdded(t *testing.T) {
 			givenTemplate := "{{.URL}}"
 			testCode := "testcode"
 			expectContent := fmt.Sprintf("%s://%s:%d/ui/login/mail/verification?authRequestID=%s&code=%s&orgID=%s&userID=%s", externalProtocol, instancePrimaryDomain, externalPort, "", testCode, orgID, userID)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{lastEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
@@ -426,7 +435,7 @@ func Test_userNotifier_reduceEmailCodeAdded(t *testing.T) {
 			givenTemplate := "{{.URL}}"
 			testCode := "testcode"
 			expectContent := fmt.Sprintf("%s://%s:%d/ui/login/mail/verification?authRequestID=%s&code=%s&orgID=%s&userID=%s", externalProtocol, instancePrimaryDomain, externalPort, authRequestID, testCode, orgID, userID)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{lastEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
@@ -469,7 +478,7 @@ func Test_userNotifier_reduceEmailCodeAdded(t *testing.T) {
 			urlTemplate := "https://my.custom.url/org/{{.OrgID}}/user/{{.UserID}}/verify/{{.Code}}"
 			testCode := "testcode"
 			expectContent := fmt.Sprintf("https://my.custom.url/org/%s/user/%s/verify/%s", orgID, userID, testCode)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{lastEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
@@ -533,14 +542,14 @@ func Test_userNotifier_reducePasswordCodeAdded(t *testing.T) {
 		test: func(ctrl *gomock.Controller, queries *mock.MockQueries, commands *mock.MockCommands) (f fields, a args, w want) {
 			givenTemplate := "{{.LogoURL}}"
 			expectContent := fmt.Sprintf("%s%s/%s/%s", eventOrigin, assetsPath, policyID, logoURL)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{lastEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
 			}
 			codeAlg, code := cryptoValue(t, ctrl, "testcode")
 			expectTemplateQueries(queries, givenTemplate)
-			commands.EXPECT().PasswordCodeSent(gomock.Any(), orgID, userID).Return(nil)
+			commands.EXPECT().PasswordCodeSent(gomock.Any(), orgID, userID, &senders.CodeGeneratorInfo{}).Return(nil)
 			return fields{
 					queries:  queries,
 					commands: commands,
@@ -568,7 +577,7 @@ func Test_userNotifier_reducePasswordCodeAdded(t *testing.T) {
 		test: func(ctrl *gomock.Controller, queries *mock.MockQueries, commands *mock.MockCommands) (f fields, a args, w want) {
 			givenTemplate := "{{.LogoURL}}"
 			expectContent := fmt.Sprintf("%s://%s:%d%s/%s/%s", externalProtocol, instancePrimaryDomain, externalPort, assetsPath, policyID, logoURL)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{lastEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
@@ -581,7 +590,7 @@ func Test_userNotifier_reducePasswordCodeAdded(t *testing.T) {
 				}},
 			}, nil)
 			expectTemplateQueries(queries, givenTemplate)
-			commands.EXPECT().PasswordCodeSent(gomock.Any(), orgID, userID).Return(nil)
+			commands.EXPECT().PasswordCodeSent(gomock.Any(), orgID, userID, &senders.CodeGeneratorInfo{}).Return(nil)
 			return fields{
 					queries:  queries,
 					commands: commands,
@@ -609,14 +618,14 @@ func Test_userNotifier_reducePasswordCodeAdded(t *testing.T) {
 			givenTemplate := "{{.URL}}"
 			testCode := "testcode"
 			expectContent := fmt.Sprintf("%s/ui/login/password/init?authRequestID=%s&code=%s&orgID=%s&userID=%s", eventOrigin, "", testCode, orgID, userID)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{lastEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
 			}
 			codeAlg, code := cryptoValue(t, ctrl, testCode)
 			expectTemplateQueries(queries, givenTemplate)
-			commands.EXPECT().PasswordCodeSent(gomock.Any(), orgID, userID).Return(nil)
+			commands.EXPECT().PasswordCodeSent(gomock.Any(), orgID, userID, &senders.CodeGeneratorInfo{}).Return(nil)
 			return fields{
 					queries:  queries,
 					commands: commands,
@@ -646,7 +655,7 @@ func Test_userNotifier_reducePasswordCodeAdded(t *testing.T) {
 			givenTemplate := "{{.URL}}"
 			testCode := "testcode"
 			expectContent := fmt.Sprintf("%s://%s:%d/ui/login/password/init?authRequestID=%s&code=%s&orgID=%s&userID=%s", externalProtocol, instancePrimaryDomain, externalPort, "", testCode, orgID, userID)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{lastEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
@@ -659,7 +668,7 @@ func Test_userNotifier_reducePasswordCodeAdded(t *testing.T) {
 				}},
 			}, nil)
 			expectTemplateQueries(queries, givenTemplate)
-			commands.EXPECT().PasswordCodeSent(gomock.Any(), orgID, userID).Return(nil)
+			commands.EXPECT().PasswordCodeSent(gomock.Any(), orgID, userID, &senders.CodeGeneratorInfo{}).Return(nil)
 			return fields{
 					queries:  queries,
 					commands: commands,
@@ -687,7 +696,7 @@ func Test_userNotifier_reducePasswordCodeAdded(t *testing.T) {
 			givenTemplate := "{{.URL}}"
 			testCode := "testcode"
 			expectContent := fmt.Sprintf("%s://%s:%d/ui/login/password/init?authRequestID=%s&code=%s&orgID=%s&userID=%s", externalProtocol, instancePrimaryDomain, externalPort, authRequestID, testCode, orgID, userID)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{lastEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
@@ -700,7 +709,7 @@ func Test_userNotifier_reducePasswordCodeAdded(t *testing.T) {
 				}},
 			}, nil)
 			expectTemplateQueries(queries, givenTemplate)
-			commands.EXPECT().PasswordCodeSent(gomock.Any(), orgID, userID).Return(nil)
+			commands.EXPECT().PasswordCodeSent(gomock.Any(), orgID, userID, &senders.CodeGeneratorInfo{}).Return(nil)
 			return fields{
 					queries:  queries,
 					commands: commands,
@@ -730,14 +739,14 @@ func Test_userNotifier_reducePasswordCodeAdded(t *testing.T) {
 			urlTemplate := "https://my.custom.url/org/{{.OrgID}}/user/{{.UserID}}/verify/{{.Code}}"
 			testCode := "testcode"
 			expectContent := fmt.Sprintf("https://my.custom.url/org/%s/user/%s/verify/%s", orgID, userID, testCode)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{lastEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
 			}
 			codeAlg, code := cryptoValue(t, ctrl, testCode)
 			expectTemplateQueries(queries, givenTemplate)
-			commands.EXPECT().PasswordCodeSent(gomock.Any(), orgID, userID).Return(nil)
+			commands.EXPECT().PasswordCodeSent(gomock.Any(), orgID, userID, &senders.CodeGeneratorInfo{}).Return(nil)
 			return fields{
 					queries:  queries,
 					commands: commands,
@@ -761,7 +770,44 @@ func Test_userNotifier_reducePasswordCodeAdded(t *testing.T) {
 					},
 				}, w
 		},
-	}}
+	}, {
+		name: "external code",
+		test: func(ctrl *gomock.Controller, queries *mock.MockQueries, commands *mock.MockCommands) (f fields, a args, w want) {
+			givenTemplate := "{{.URL}}"
+			expectContent := "We received a password reset request. Please use the button below to reset your password. (Code ) If you didn't ask for this mail, please ignore it."
+			w.messageSMS = &messages.SMS{
+				SenderPhoneNumber:    "senderNumber",
+				RecipientPhoneNumber: lastPhone,
+				Content:              expectContent,
+			}
+			expectTemplateQueries(queries, givenTemplate)
+			commands.EXPECT().PasswordCodeSent(gomock.Any(), orgID, userID, &senders.CodeGeneratorInfo{ID: smsProviderID, VerificationID: verificationID}).Return(nil)
+			return fields{
+					queries:  queries,
+					commands: commands,
+					es: eventstore.NewEventstore(&eventstore.Config{
+						Querier: es_repo_mock.NewRepo(t).ExpectFilterEvents().MockQuerier,
+					}),
+					SMSTokenCrypto: nil,
+				}, args{
+					event: &user.HumanPasswordCodeAddedEvent{
+						BaseEvent: *eventstore.BaseEventFromRepo(&repository.Event{
+							AggregateID:   userID,
+							ResourceOwner: sql.NullString{String: orgID},
+							CreationDate:  time.Now().UTC(),
+						}),
+						Code:              nil,
+						Expiry:            0,
+						URLTemplate:       "",
+						CodeReturned:      false,
+						NotificationType:  domain.NotificationTypeSms,
+						GeneratorID:       smsProviderID,
+						TriggeredAtOrigin: eventOrigin,
+					},
+				}, w
+		},
+	},
+	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			ctrl := gomock.NewController(t)
@@ -794,7 +840,7 @@ func Test_userNotifier_reduceDomainClaimed(t *testing.T) {
 		test: func(ctrl *gomock.Controller, queries *mock.MockQueries, commands *mock.MockCommands) (f fields, a args, w want) {
 			givenTemplate := "{{.LogoURL}}"
 			expectContent := fmt.Sprintf("%s%s/%s/%s", eventOrigin, assetsPath, policyID, logoURL)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{lastEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
@@ -823,7 +869,7 @@ func Test_userNotifier_reduceDomainClaimed(t *testing.T) {
 		test: func(ctrl *gomock.Controller, queries *mock.MockQueries, commands *mock.MockCommands) (f fields, a args, w want) {
 			givenTemplate := "{{.LogoURL}}"
 			expectContent := fmt.Sprintf("%s://%s:%d%s/%s/%s", externalProtocol, instancePrimaryDomain, externalPort, assetsPath, policyID, logoURL)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{lastEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
@@ -885,7 +931,7 @@ func Test_userNotifier_reducePasswordlessCodeRequested(t *testing.T) {
 		test: func(ctrl *gomock.Controller, queries *mock.MockQueries, commands *mock.MockCommands) (f fields, a args, w want) {
 			givenTemplate := "{{.LogoURL}}"
 			expectContent := fmt.Sprintf("%s%s/%s/%s", eventOrigin, assetsPath, policyID, logoURL)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{lastEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
@@ -921,7 +967,7 @@ func Test_userNotifier_reducePasswordlessCodeRequested(t *testing.T) {
 		test: func(ctrl *gomock.Controller, queries *mock.MockQueries, commands *mock.MockCommands) (f fields, a args, w want) {
 			givenTemplate := "{{.LogoURL}}"
 			expectContent := fmt.Sprintf("%s://%s:%d%s/%s/%s", externalProtocol, instancePrimaryDomain, externalPort, assetsPath, policyID, logoURL)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{lastEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
@@ -964,7 +1010,7 @@ func Test_userNotifier_reducePasswordlessCodeRequested(t *testing.T) {
 			testCode := "testcode"
 			codeAlg, code := cryptoValue(t, ctrl, testCode)
 			expectContent := fmt.Sprintf("%s/ui/login/login/passwordless/init?userID=%s&orgID=%s&codeID=%s&code=%s", eventOrigin, userID, orgID, codeID, testCode)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{lastEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
@@ -1002,7 +1048,7 @@ func Test_userNotifier_reducePasswordlessCodeRequested(t *testing.T) {
 			testCode := "testcode"
 			codeAlg, code := cryptoValue(t, ctrl, testCode)
 			expectContent := fmt.Sprintf("%s://%s:%d/ui/login/login/passwordless/init?userID=%s&orgID=%s&codeID=%s&code=%s", externalProtocol, instancePrimaryDomain, externalPort, userID, orgID, codeID, testCode)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{lastEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
@@ -1044,7 +1090,7 @@ func Test_userNotifier_reducePasswordlessCodeRequested(t *testing.T) {
 			urlTemplate := "https://my.custom.url/org/{{.OrgID}}/user/{{.UserID}}/verify/{{.Code}}"
 			testCode := "testcode"
 			expectContent := fmt.Sprintf("https://my.custom.url/org/%s/user/%s/verify/%s", orgID, userID, testCode)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{lastEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
@@ -1109,7 +1155,7 @@ func Test_userNotifier_reducePasswordChanged(t *testing.T) {
 		test: func(ctrl *gomock.Controller, queries *mock.MockQueries, commands *mock.MockCommands) (f fields, a args, w want) {
 			givenTemplate := "{{.LogoURL}}"
 			expectContent := fmt.Sprintf("%s%s/%s/%s", eventOrigin, assetsPath, policyID, logoURL)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{lastEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
@@ -1141,7 +1187,7 @@ func Test_userNotifier_reducePasswordChanged(t *testing.T) {
 		test: func(ctrl *gomock.Controller, queries *mock.MockQueries, commands *mock.MockCommands) (f fields, a args, w want) {
 			givenTemplate := "{{.LogoURL}}"
 			expectContent := fmt.Sprintf("%s://%s:%d%s/%s/%s", externalProtocol, instancePrimaryDomain, externalPort, assetsPath, policyID, logoURL)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{lastEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
@@ -1206,7 +1252,7 @@ func Test_userNotifier_reduceOTPEmailChallenged(t *testing.T) {
 		test: func(ctrl *gomock.Controller, queries *mock.MockQueries, commands *mock.MockCommands) (f fields, a args, w want) {
 			givenTemplate := "{{.LogoURL}}"
 			expectContent := fmt.Sprintf("%s%s/%s/%s", eventOrigin, assetsPath, policyID, logoURL)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{verifiedEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
@@ -1242,7 +1288,7 @@ func Test_userNotifier_reduceOTPEmailChallenged(t *testing.T) {
 		test: func(ctrl *gomock.Controller, queries *mock.MockQueries, commands *mock.MockCommands) (f fields, a args, w want) {
 			givenTemplate := "{{.LogoURL}}"
 			expectContent := fmt.Sprintf("%s://%s:%d%s/%s/%s", externalProtocol, instancePrimaryDomain, externalPort, assetsPath, policyID, logoURL)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{verifiedEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
@@ -1284,7 +1330,7 @@ func Test_userNotifier_reduceOTPEmailChallenged(t *testing.T) {
 			givenTemplate := "{{.URL}}"
 			testCode := "testcode"
 			expectContent := fmt.Sprintf("%s/otp/verify?loginName=%s&code=%s", eventOrigin, preferredLoginName, testCode)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{verifiedEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
@@ -1322,7 +1368,7 @@ func Test_userNotifier_reduceOTPEmailChallenged(t *testing.T) {
 			givenTemplate := "{{.URL}}"
 			testCode := "testcode"
 			expectContent := fmt.Sprintf("%s://%s:%d/otp/verify?loginName=%s&code=%s", externalProtocol, instancePrimaryDomain, externalPort, preferredLoginName, testCode)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{verifiedEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
@@ -1364,7 +1410,7 @@ func Test_userNotifier_reduceOTPEmailChallenged(t *testing.T) {
 			urlTemplate := "https://my.custom.url/user/{{.LoginName}}/verify"
 			testCode := "testcode"
 			expectContent := fmt.Sprintf("https://my.custom.url/user/%s/verify", preferredLoginName)
-			w.message = messages.Email{
+			w.message = &messages.Email{
 				Recipients: []string{verifiedEmail},
 				Subject:    expectMailSubject,
 				Content:    expectContent,
@@ -1413,6 +1459,107 @@ func Test_userNotifier_reduceOTPEmailChallenged(t *testing.T) {
 	}
 }
 
+func Test_userNotifier_reduceOTPSMSChallenged(t *testing.T) {
+	tests := []struct {
+		name string
+		test func(*gomock.Controller, *mock.MockQueries, *mock.MockCommands) (fields, args, want)
+	}{{
+		name: "asset url with event trigger url",
+		test: func(ctrl *gomock.Controller, queries *mock.MockQueries, commands *mock.MockCommands) (f fields, a args, w want) {
+			givenTemplate := "{{.LogoURL}}"
+			testCode := ""
+			expiry := 0 * time.Hour
+			expectContent := fmt.Sprintf(`%[1]s is your one-time-password for %[2]s. Use it within the next %[3]s.
+@%[2]s #%[1]s`, testCode, eventOriginDomain, expiry)
+			w.messageSMS = &messages.SMS{
+				SenderPhoneNumber:    "senderNumber",
+				RecipientPhoneNumber: verifiedPhone,
+				Content:              expectContent,
+			}
+			expectTemplateQueriesSMS(queries, givenTemplate)
+			queries.EXPECT().SessionByID(gomock.Any(), gomock.Any(), userID, gomock.Any()).Return(&query.Session{}, nil)
+			commands.EXPECT().OTPSMSSent(gomock.Any(), userID, orgID, &senders.CodeGeneratorInfo{ID: smsProviderID, VerificationID: verificationID}).Return(nil)
+			return fields{
+					queries:  queries,
+					commands: commands,
+					es: eventstore.NewEventstore(&eventstore.Config{
+						Querier: es_repo_mock.NewRepo(t).ExpectFilterEvents().MockQuerier,
+					}),
+				}, args{
+					event: &session.OTPSMSChallengedEvent{
+						BaseEvent: *eventstore.BaseEventFromRepo(&repository.Event{
+							AggregateID:   userID,
+							ResourceOwner: sql.NullString{String: orgID},
+							CreationDate:  time.Now().UTC(),
+						}),
+						Code:              nil,
+						Expiry:            expiry,
+						CodeReturned:      false,
+						GeneratorID:       smsProviderID,
+						TriggeredAtOrigin: eventOrigin,
+					},
+				}, w
+		},
+	}, {
+		name: "asset url without event trigger url",
+		test: func(ctrl *gomock.Controller, queries *mock.MockQueries, commands *mock.MockCommands) (f fields, a args, w want) {
+			givenTemplate := "{{.LogoURL}}"
+			testCode := ""
+			expiry := 0 * time.Hour
+			expectContent := fmt.Sprintf(`%[1]s is your one-time-password for %[2]s. Use it within the next %[3]s.
+@%[2]s #%[1]s`, testCode, instancePrimaryDomain, expiry)
+			w.messageSMS = &messages.SMS{
+				SenderPhoneNumber:    "senderNumber",
+				RecipientPhoneNumber: verifiedPhone,
+				Content:              expectContent,
+			}
+			expectTemplateQueriesSMS(queries, givenTemplate)
+			queries.EXPECT().SessionByID(gomock.Any(), gomock.Any(), userID, gomock.Any()).Return(&query.Session{}, nil)
+			queries.EXPECT().SearchInstanceDomains(gomock.Any(), gomock.Any()).Return(&query.InstanceDomains{
+				Domains: []*query.InstanceDomain{{
+					Domain:    instancePrimaryDomain,
+					IsPrimary: true,
+				}},
+			}, nil)
+			commands.EXPECT().OTPSMSSent(gomock.Any(), userID, orgID, &senders.CodeGeneratorInfo{ID: smsProviderID, VerificationID: verificationID}).Return(nil)
+			return fields{
+					queries:  queries,
+					commands: commands,
+					es: eventstore.NewEventstore(&eventstore.Config{
+						Querier: es_repo_mock.NewRepo(t).ExpectFilterEvents().MockQuerier,
+					}),
+				}, args{
+					event: &session.OTPSMSChallengedEvent{
+						BaseEvent: *eventstore.BaseEventFromRepo(&repository.Event{
+							AggregateID:   userID,
+							ResourceOwner: sql.NullString{String: orgID},
+							CreationDate:  time.Now().UTC(),
+						}),
+						Code:         nil,
+						Expiry:       expiry,
+						CodeReturned: false,
+						GeneratorID:  smsProviderID,
+					},
+				}, w
+		},
+	},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ctrl := gomock.NewController(t)
+			queries := mock.NewMockQueries(ctrl)
+			commands := mock.NewMockCommands(ctrl)
+			f, a, w := tt.test(ctrl, queries, commands)
+			_, err := newUserNotifier(t, ctrl, queries, f, a, w).reduceSessionOTPSMSChallenged(a.event)
+			if w.err != nil {
+				w.err(t, err)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
+
 type fields struct {
 	queries        *mock.MockQueries
 	commands       *mock.MockCommands
@@ -1424,8 +1571,9 @@ type args struct {
 	event eventstore.Event
 }
 type want struct {
-	message messages.Email
-	err     assert.ErrorAssertionFunc
+	message    *messages.Email
+	messageSMS *messages.SMS
+	err        assert.ErrorAssertionFunc
 }
 
 func newUserNotifier(t *testing.T, ctrl *gomock.Controller, queries *mock.MockQueries, f fields, a args, w want) *userNotifier {
@@ -1433,8 +1581,17 @@ func newUserNotifier(t *testing.T, ctrl *gomock.Controller, queries *mock.MockQu
 	smtpAlg, _ := cryptoValue(t, ctrl, "smtppw")
 	channel := channel_mock.NewMockNotificationChannel(ctrl)
 	if w.err == nil {
-		w.message.TriggeringEvent = a.event
-		channel.EXPECT().HandleMessage(&w.message).Return(nil)
+		if w.message != nil {
+			w.message.TriggeringEvent = a.event
+			channel.EXPECT().HandleMessage(w.message).Return(nil)
+		}
+		if w.messageSMS != nil {
+			w.messageSMS.TriggeringEvent = a.event
+			channel.EXPECT().HandleMessage(w.messageSMS).DoAndReturn(func(message *messages.SMS) error {
+				message.VerificationID = gu.Ptr(verificationID)
+				return nil
+			})
+		}
 	}
 	return &userNotifier{
 		commands: f.commands,
@@ -1454,8 +1611,8 @@ func newUserNotifier(t *testing.T, ctrl *gomock.Controller, queries *mock.MockQu
 			Chain: *senders.ChainChannels(channel),
 			EmailConfig: &email.Config{
 				ProviderConfig: &email.Provider{
-					ID:          "ID",
-					Description: "Description",
+					ID:          "emailProviderID",
+					Description: "description",
 				},
 				SMTPConfig: &smtp.Config{
 					SMTP: smtp.SMTP{
@@ -1470,6 +1627,18 @@ func newUserNotifier(t *testing.T, ctrl *gomock.Controller, queries *mock.MockQu
 				},
 				WebhookConfig: nil,
 			},
+			SMSConfig: &sms.Config{
+				ProviderConfig: &sms.Provider{
+					ID:          "smsProviderID",
+					Description: "description",
+				},
+				TwilioConfig: &twilio.Config{
+					SID:              "sid",
+					Token:            "token",
+					SenderNumber:     "senderNumber",
+					VerifyServiceSID: "verifyServiceSID",
+				},
+			},
 		},
 	}
 }
@@ -1479,6 +1648,7 @@ var _ types.ChannelChains = (*channels)(nil)
 type channels struct {
 	senders.Chain
 	EmailConfig *email.Config
+	SMSConfig   *sms.Config
 }
 
 func (c *channels) Email(context.Context) (*senders.Chain, *email.Config, error) {
@@ -1486,7 +1656,7 @@ func (c *channels) Email(context.Context) (*senders.Chain, *email.Config, error)
 }
 
 func (c *channels) SMS(context.Context) (*senders.Chain, *sms.Config, error) {
-	return &c.Chain, nil, nil
+	return &c.Chain, c.SMSConfig, nil
 }
 
 func (c *channels) Webhook(context.Context, webhook.Config) (*senders.Chain, error) {
@@ -1510,6 +1680,31 @@ func expectTemplateQueries(queries *mock.MockQueries, template string) {
 		LastEmail:          lastEmail,
 		VerifiedEmail:      verifiedEmail,
 		PreferredLoginName: preferredLoginName,
+		LastPhone:          lastPhone,
+		VerifiedPhone:      verifiedPhone,
+	}, nil)
+	queries.EXPECT().GetDefaultLanguage(gomock.Any()).Return(language.English)
+	queries.EXPECT().CustomTextListByTemplate(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(2).Return(&query.CustomTexts{}, nil)
+}
+
+func expectTemplateQueriesSMS(queries *mock.MockQueries, template string) {
+	queries.EXPECT().GetInstanceRestrictions(gomock.Any()).Return(query.Restrictions{
+		AllowedLanguages: []language.Tag{language.English},
+	}, nil)
+	queries.EXPECT().ActiveLabelPolicyByOrg(gomock.Any(), gomock.Any(), gomock.Any()).Return(&query.LabelPolicy{
+		ID: policyID,
+		Light: query.Theme{
+			LogoURL: logoURL,
+		},
+	}, nil)
+	queries.EXPECT().GetNotifyUserByID(gomock.Any(), gomock.Any(), gomock.Any()).Return(&query.NotifyUser{
+		ID:                 userID,
+		ResourceOwner:      orgID,
+		LastEmail:          lastEmail,
+		VerifiedEmail:      verifiedEmail,
+		PreferredLoginName: preferredLoginName,
+		LastPhone:          lastPhone,
+		VerifiedPhone:      verifiedPhone,
 	}, nil)
 	queries.EXPECT().GetDefaultLanguage(gomock.Any()).Return(language.English)
 	queries.EXPECT().CustomTextListByTemplate(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Times(2).Return(&query.CustomTexts{}, nil)
diff --git a/internal/notification/messages/sms.go b/internal/notification/messages/sms.go
index 72c377b337..0dfaea8772 100644
--- a/internal/notification/messages/sms.go
+++ b/internal/notification/messages/sms.go
@@ -12,6 +12,9 @@ type SMS struct {
 	RecipientPhoneNumber string
 	Content              string
 	TriggeringEvent      eventstore.Event
+
+	// VerificationID is set by the sender
+	VerificationID *string
 }
 
 func (msg *SMS) GetContent() (string, error) {
diff --git a/internal/notification/senders/code_verifier.go b/internal/notification/senders/code_verifier.go
new file mode 100644
index 0000000000..3aa9ec2e0e
--- /dev/null
+++ b/internal/notification/senders/code_verifier.go
@@ -0,0 +1,24 @@
+package senders
+
+type CodeGenerator interface {
+	VerifyCode(verificationID, code string) error
+}
+
+type CodeGeneratorInfo struct {
+	ID             string `json:"id,omitempty"`
+	VerificationID string `json:"verificationId,omitempty"`
+}
+
+func (c *CodeGeneratorInfo) GetID() string {
+	if c == nil {
+		return ""
+	}
+	return c.ID
+}
+
+func (c *CodeGeneratorInfo) GetVerificationID() string {
+	if c == nil {
+		return ""
+	}
+	return c.VerificationID
+}
diff --git a/internal/notification/senders/gen_mock.go b/internal/notification/senders/gen_mock.go
new file mode 100644
index 0000000000..5a0f472859
--- /dev/null
+++ b/internal/notification/senders/gen_mock.go
@@ -0,0 +1,3 @@
+package senders
+
+//go:generate mockgen -package mock -destination ./mock/code_generator.mock.go github.com/zitadel/zitadel/internal/notification/senders CodeGenerator
diff --git a/internal/notification/senders/mock/code_generator.mock.go b/internal/notification/senders/mock/code_generator.mock.go
new file mode 100644
index 0000000000..15bdd2cc31
--- /dev/null
+++ b/internal/notification/senders/mock/code_generator.mock.go
@@ -0,0 +1,53 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/zitadel/zitadel/internal/notification/senders (interfaces: CodeGenerator)
+//
+// Generated by this command:
+//
+//	mockgen -package mock -destination ./mock/code_generator.mock.go github.com/zitadel/zitadel/internal/notification/senders CodeGenerator
+//
+
+// Package mock is a generated GoMock package.
+package mock
+
+import (
+	reflect "reflect"
+
+	gomock "go.uber.org/mock/gomock"
+)
+
+// MockCodeGenerator is a mock of CodeGenerator interface.
+type MockCodeGenerator struct {
+	ctrl     *gomock.Controller
+	recorder *MockCodeGeneratorMockRecorder
+}
+
+// MockCodeGeneratorMockRecorder is the mock recorder for MockCodeGenerator.
+type MockCodeGeneratorMockRecorder struct {
+	mock *MockCodeGenerator
+}
+
+// NewMockCodeGenerator creates a new mock instance.
+func NewMockCodeGenerator(ctrl *gomock.Controller) *MockCodeGenerator {
+	mock := &MockCodeGenerator{ctrl: ctrl}
+	mock.recorder = &MockCodeGeneratorMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockCodeGenerator) EXPECT() *MockCodeGeneratorMockRecorder {
+	return m.recorder
+}
+
+// VerifyCode mocks base method.
+func (m *MockCodeGenerator) VerifyCode(arg0, arg1 string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "VerifyCode", arg0, arg1)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// VerifyCode indicates an expected call of VerifyCode.
+func (mr *MockCodeGeneratorMockRecorder) VerifyCode(arg0, arg1 any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VerifyCode", reflect.TypeOf((*MockCodeGenerator)(nil).VerifyCode), arg0, arg1)
+}
diff --git a/internal/notification/types/notification.go b/internal/notification/types/notification.go
index 8d1b013164..49a437ff18 100644
--- a/internal/notification/types/notification.go
+++ b/internal/notification/types/notification.go
@@ -87,6 +87,7 @@ func SendSMS(
 	user *query.NotifyUser,
 	colors *query.LabelPolicy,
 	triggeringEvent eventstore.Event,
+	generatorInfo *senders.CodeGeneratorInfo,
 ) Notify {
 	return func(
 		url string,
@@ -104,6 +105,7 @@ func SendSMS(
 			args,
 			allowUnverifiedNotificationChannel,
 			triggeringEvent,
+			generatorInfo,
 		)
 	}
 }
diff --git a/internal/notification/types/user_phone.go b/internal/notification/types/user_phone.go
index 8e79f73718..0016f0f7a4 100644
--- a/internal/notification/types/user_phone.go
+++ b/internal/notification/types/user_phone.go
@@ -8,6 +8,7 @@ import (
 
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/notification/messages"
+	"github.com/zitadel/zitadel/internal/notification/senders"
 	"github.com/zitadel/zitadel/internal/notification/templates"
 	"github.com/zitadel/zitadel/internal/query"
 	"github.com/zitadel/zitadel/internal/zerrors"
@@ -27,6 +28,7 @@ func generateSms(
 	args map[string]interface{},
 	lastPhone bool,
 	triggeringEvent eventstore.Event,
+	generatorInfo *senders.CodeGeneratorInfo,
 ) error {
 	smsChannels, config, err := channels.SMS(ctx)
 	logging.OnError(err).Error("could not create sms channel")
@@ -48,7 +50,15 @@ func generateSms(
 			Content:              data.Text,
 			TriggeringEvent:      triggeringEvent,
 		}
-		return smsChannels.HandleMessage(message)
+		err = smsChannels.HandleMessage(message)
+		if err != nil {
+			return err
+		}
+		if config.TwilioConfig.VerifyServiceSID != "" {
+			generatorInfo.ID = config.ProviderConfig.ID
+			generatorInfo.VerificationID = *message.VerificationID
+		}
+		return nil
 	}
 	if config.WebhookConfig != nil {
 		caseArgs := make(map[string]interface{}, len(args))
diff --git a/internal/query/projection/sms.go b/internal/query/projection/sms.go
index 9b157ff992..eb54d7afac 100644
--- a/internal/query/projection/sms.go
+++ b/internal/query/projection/sms.go
@@ -25,12 +25,13 @@ const (
 	SMSColumnInstanceID    = "instance_id"
 	SMSColumnDescription   = "description"
 
-	smsTwilioTableSuffix        = "twilio"
-	SMSTwilioColumnSMSID        = "sms_id"
-	SMSTwilioColumnInstanceID   = "instance_id"
-	SMSTwilioColumnSID          = "sid"
-	SMSTwilioColumnSenderNumber = "sender_number"
-	SMSTwilioColumnToken        = "token"
+	smsTwilioTableSuffix            = "twilio"
+	SMSTwilioColumnSMSID            = "sms_id"
+	SMSTwilioColumnInstanceID       = "instance_id"
+	SMSTwilioColumnSID              = "sid"
+	SMSTwilioColumnSenderNumber     = "sender_number"
+	SMSTwilioColumnToken            = "token"
+	SMSTwilioColumnVerifyServiceSID = "verify_service_sid"
 
 	smsHTTPTableSuffix      = "http"
 	SMSHTTPColumnSMSID      = "sms_id"
@@ -69,6 +70,7 @@ func (*smsConfigProjection) Init() *old_handler.Check {
 			handler.NewColumn(SMSTwilioColumnSID, handler.ColumnTypeText),
 			handler.NewColumn(SMSTwilioColumnSenderNumber, handler.ColumnTypeText),
 			handler.NewColumn(SMSTwilioColumnToken, handler.ColumnTypeJSONB),
+			handler.NewColumn(SMSTwilioColumnVerifyServiceSID, handler.ColumnTypeText),
 		},
 			handler.NewPrimaryKey(SMSTwilioColumnInstanceID, SMSTwilioColumnSMSID),
 			smsTwilioTableSuffix,
@@ -172,6 +174,7 @@ func (p *smsConfigProjection) reduceSMSConfigTwilioAdded(event eventstore.Event)
 				handler.NewCol(SMSTwilioColumnSID, e.SID),
 				handler.NewCol(SMSTwilioColumnToken, e.Token),
 				handler.NewCol(SMSTwilioColumnSenderNumber, e.SenderNumber),
+				handler.NewCol(SMSTwilioColumnVerifyServiceSID, e.VerifyServiceSID),
 			},
 			handler.WithTableSuffix(smsTwilioTableSuffix),
 		),
@@ -202,13 +205,16 @@ func (p *smsConfigProjection) reduceSMSConfigTwilioChanged(event eventstore.Even
 		))
 	}
 
-	twilioColumns := make([]handler.Column, 0)
+	twilioColumns := make([]handler.Column, 0, 3)
 	if e.SID != nil {
 		twilioColumns = append(twilioColumns, handler.NewCol(SMSTwilioColumnSID, *e.SID))
 	}
 	if e.SenderNumber != nil {
 		twilioColumns = append(twilioColumns, handler.NewCol(SMSTwilioColumnSenderNumber, *e.SenderNumber))
 	}
+	if e.VerifyServiceSID != nil {
+		twilioColumns = append(twilioColumns, handler.NewCol(SMSTwilioColumnVerifyServiceSID, *e.VerifyServiceSID))
+	}
 	if len(twilioColumns) > 0 {
 		stmts = append(stmts, handler.AddUpdateStatement(
 			twilioColumns,
diff --git a/internal/query/projection/sms_test.go b/internal/query/projection/sms_test.go
index 88ce6e4417..7a083c2234 100644
--- a/internal/query/projection/sms_test.go
+++ b/internal/query/projection/sms_test.go
@@ -38,7 +38,8 @@ func TestSMSProjection_reduces(t *testing.T) {
 							"crypted": "Y3J5cHRlZA=="
 						},
 						"senderNumber": "sender-number",
-						"description": "description"
+						"description": "description",
+						"verifyServiceSid": "verify-service-sid"
 					}`),
 					), eventstore.GenericEventMapper[instance.SMSConfigTwilioAddedEvent]),
 			},
@@ -63,7 +64,7 @@ func TestSMSProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "INSERT INTO projections.sms_configs3_twilio (sms_id, instance_id, sid, token, sender_number) VALUES ($1, $2, $3, $4, $5)",
+							expectedStmt: "INSERT INTO projections.sms_configs3_twilio (sms_id, instance_id, sid, token, sender_number, verify_service_sid) VALUES ($1, $2, $3, $4, $5, $6)",
 							expectedArgs: []interface{}{
 								"id",
 								"instance-id",
@@ -75,6 +76,7 @@ func TestSMSProjection_reduces(t *testing.T) {
 									Crypted:    []byte("crypted"),
 								},
 								"sender-number",
+								"verify-service-sid",
 							},
 						},
 					},
@@ -92,7 +94,8 @@ func TestSMSProjection_reduces(t *testing.T) {
 						"id": "id",
 						"sid": "sid",
 						"senderNumber": "sender-number",
-						"description": "description"
+						"description": "description",
+						"verifyServiceSid": "verify-service-sid"
 					}`),
 					), eventstore.GenericEventMapper[instance.SMSConfigTwilioChangedEvent]),
 			},
@@ -113,10 +116,11 @@ func TestSMSProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.sms_configs3_twilio SET (sid, sender_number) = ($1, $2) WHERE (sms_id = $3) AND (instance_id = $4)",
+							expectedStmt: "UPDATE projections.sms_configs3_twilio SET (sid, sender_number, verify_service_sid) = ($1, $2, $3) WHERE (sms_id = $4) AND (instance_id = $5)",
 							expectedArgs: []interface{}{
 								"sid",
 								"sender-number",
+								"verify-service-sid",
 								"id",
 								"instance-id",
 							},
@@ -248,6 +252,46 @@ func TestSMSProjection_reduces(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "instance reduceSMSConfigTwilioChanged, only sid",
+			args: args{
+				event: getEvent(
+					testEvent(
+						instance.SMSConfigTwilioChangedEventType,
+						instance.AggregateType,
+						[]byte(`{
+						"id": "id",
+						"verifyServiceSid": "verify-service-sid"
+					}`),
+					), eventstore.GenericEventMapper[instance.SMSConfigTwilioChangedEvent]),
+			},
+			reduce: (&smsConfigProjection{}).reduceSMSConfigTwilioChanged,
+			want: wantReduce{
+				aggregateType: eventstore.AggregateType("instance"),
+				sequence:      15,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "UPDATE projections.sms_configs3 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
+							expectedArgs: []interface{}{
+								anyArg{},
+								uint64(15),
+								"id",
+								"instance-id",
+							},
+						},
+						{
+							expectedStmt: "UPDATE projections.sms_configs3_twilio SET verify_service_sid = $1 WHERE (sms_id = $2) AND (instance_id = $3)",
+							expectedArgs: []interface{}{
+								"verify-service-sid",
+								"id",
+								"instance-id",
+							},
+						},
+					},
+				},
+			},
+		},
 		{
 			name: "instance reduceSMSHTTPAdded",
 			args: args{
diff --git a/internal/query/sms.go b/internal/query/sms.go
index 6f0555634f..ef4d1cfca2 100644
--- a/internal/query/sms.go
+++ b/internal/query/sms.go
@@ -37,9 +37,10 @@ type SMSConfig struct {
 }
 
 type Twilio struct {
-	SID          string
-	Token        *crypto.CryptoValue
-	SenderNumber string
+	SID              string
+	Token            *crypto.CryptoValue
+	SenderNumber     string
+	VerifyServiceSID string
 }
 
 type HTTP struct {
@@ -123,6 +124,10 @@ var (
 		name:  projection.SMSTwilioColumnSenderNumber,
 		table: smsTwilioTable,
 	}
+	SMSTwilioColumnVerifyServiceSID = Column{
+		name:  projection.SMSTwilioColumnVerifyServiceSID,
+		table: smsTwilioTable,
+	}
 )
 
 var (
@@ -227,6 +232,7 @@ func prepareSMSConfigQuery(ctx context.Context, db prepareDatabase) (sq.SelectBu
 			SMSTwilioColumnSID.identifier(),
 			SMSTwilioColumnToken.identifier(),
 			SMSTwilioColumnSenderNumber.identifier(),
+			SMSTwilioColumnVerifyServiceSID.identifier(),
 
 			SMSHTTPColumnSMSID.identifier(),
 			SMSHTTPColumnEndpoint.identifier(),
@@ -255,6 +261,7 @@ func prepareSMSConfigQuery(ctx context.Context, db prepareDatabase) (sq.SelectBu
 				&twilioConfig.sid,
 				&twilioConfig.token,
 				&twilioConfig.senderNumber,
+				&twilioConfig.verifyServiceSid,
 
 				&httpConfig.id,
 				&httpConfig.endpoint,
@@ -289,6 +296,7 @@ func prepareSMSConfigsQuery(ctx context.Context, db prepareDatabase) (sq.SelectB
 			SMSTwilioColumnSID.identifier(),
 			SMSTwilioColumnToken.identifier(),
 			SMSTwilioColumnSenderNumber.identifier(),
+			SMSTwilioColumnVerifyServiceSID.identifier(),
 
 			SMSHTTPColumnSMSID.identifier(),
 			SMSHTTPColumnEndpoint.identifier(),
@@ -321,6 +329,7 @@ func prepareSMSConfigsQuery(ctx context.Context, db prepareDatabase) (sq.SelectB
 					&twilioConfig.sid,
 					&twilioConfig.token,
 					&twilioConfig.senderNumber,
+					&twilioConfig.verifyServiceSid,
 
 					&httpConfig.id,
 					&httpConfig.endpoint,
@@ -343,10 +352,11 @@ func prepareSMSConfigsQuery(ctx context.Context, db prepareDatabase) (sq.SelectB
 }
 
 type sqlTwilioConfig struct {
-	smsID        sql.NullString
-	sid          sql.NullString
-	token        *crypto.CryptoValue
-	senderNumber sql.NullString
+	smsID            sql.NullString
+	sid              sql.NullString
+	token            *crypto.CryptoValue
+	senderNumber     sql.NullString
+	verifyServiceSid sql.NullString
 }
 
 func (c sqlTwilioConfig) set(smsConfig *SMSConfig) {
@@ -354,9 +364,10 @@ func (c sqlTwilioConfig) set(smsConfig *SMSConfig) {
 		return
 	}
 	smsConfig.TwilioConfig = &Twilio{
-		SID:          c.sid.String,
-		Token:        c.token,
-		SenderNumber: c.senderNumber.String,
+		SID:              c.sid.String,
+		Token:            c.token,
+		SenderNumber:     c.senderNumber.String,
+		VerifyServiceSID: c.verifyServiceSid.String,
 	}
 }
 
diff --git a/internal/query/sms_test.go b/internal/query/sms_test.go
index 20cf62f8cb..82c3659f2c 100644
--- a/internal/query/sms_test.go
+++ b/internal/query/sms_test.go
@@ -28,6 +28,7 @@ var (
 		` projections.sms_configs3_twilio.sid,` +
 		` projections.sms_configs3_twilio.token,` +
 		` projections.sms_configs3_twilio.sender_number,` +
+		` projections.sms_configs3_twilio.verify_service_sid,` +
 
 		// http config
 		` projections.sms_configs3_http.sms_id,` +
@@ -50,6 +51,7 @@ var (
 		` projections.sms_configs3_twilio.sid,` +
 		` projections.sms_configs3_twilio.token,` +
 		` projections.sms_configs3_twilio.sender_number,` +
+		` projections.sms_configs3_twilio.verify_service_sid,` +
 
 		// http config
 		` projections.sms_configs3_http.sms_id,` +
@@ -74,6 +76,7 @@ var (
 		"sid",
 		"token",
 		"sender-number",
+		"verify_sid",
 		// http config
 		"sms_id",
 		"endpoint",
@@ -126,6 +129,7 @@ func Test_SMSConfigsPrepare(t *testing.T) {
 							"sid",
 							&crypto.CryptoValue{},
 							"sender-number",
+							"",
 							// http config
 							nil,
 							nil,
@@ -148,9 +152,10 @@ func Test_SMSConfigsPrepare(t *testing.T) {
 						Sequence:      20211109,
 						Description:   "description",
 						TwilioConfig: &Twilio{
-							SID:          "sid",
-							Token:        &crypto.CryptoValue{},
-							SenderNumber: "sender-number",
+							SID:              "sid",
+							Token:            &crypto.CryptoValue{},
+							SenderNumber:     "sender-number",
+							VerifyServiceSID: "",
 						},
 					},
 				},
@@ -178,6 +183,7 @@ func Test_SMSConfigsPrepare(t *testing.T) {
 							nil,
 							nil,
 							nil,
+							nil,
 							// http config
 							"sms-id",
 							"endpoint",
@@ -228,6 +234,7 @@ func Test_SMSConfigsPrepare(t *testing.T) {
 							"sid",
 							&crypto.CryptoValue{},
 							"sender-number",
+							"verify-service-sid",
 							// http config
 							nil,
 							nil,
@@ -246,6 +253,7 @@ func Test_SMSConfigsPrepare(t *testing.T) {
 							"sid2",
 							&crypto.CryptoValue{},
 							"sender-number2",
+							"verify-service-sid2",
 							// http config
 							nil,
 							nil,
@@ -264,6 +272,7 @@ func Test_SMSConfigsPrepare(t *testing.T) {
 							nil,
 							nil,
 							nil,
+							nil,
 							// http config
 							"sms-id3",
 							"endpoint3",
@@ -286,9 +295,10 @@ func Test_SMSConfigsPrepare(t *testing.T) {
 						Sequence:      20211109,
 						Description:   "description",
 						TwilioConfig: &Twilio{
-							SID:          "sid",
-							Token:        &crypto.CryptoValue{},
-							SenderNumber: "sender-number",
+							SID:              "sid",
+							Token:            &crypto.CryptoValue{},
+							SenderNumber:     "sender-number",
+							VerifyServiceSID: "verify-service-sid",
 						},
 					},
 					{
@@ -301,9 +311,10 @@ func Test_SMSConfigsPrepare(t *testing.T) {
 						Sequence:      20211109,
 						Description:   "description",
 						TwilioConfig: &Twilio{
-							SID:          "sid2",
-							Token:        &crypto.CryptoValue{},
-							SenderNumber: "sender-number2",
+							SID:              "sid2",
+							Token:            &crypto.CryptoValue{},
+							SenderNumber:     "sender-number2",
+							VerifyServiceSID: "verify-service-sid2",
 						},
 					},
 					{
@@ -397,6 +408,7 @@ func Test_SMSConfigPrepare(t *testing.T) {
 						"sid",
 						&crypto.CryptoValue{},
 						"sender-number",
+						"verify-service-sid",
 						// http config
 						nil,
 						nil,
@@ -413,9 +425,10 @@ func Test_SMSConfigPrepare(t *testing.T) {
 				Sequence:      20211109,
 				Description:   "description",
 				TwilioConfig: &Twilio{
-					SID:          "sid",
-					SenderNumber: "sender-number",
-					Token:        &crypto.CryptoValue{},
+					SID:              "sid",
+					SenderNumber:     "sender-number",
+					Token:            &crypto.CryptoValue{},
+					VerifyServiceSID: "verify-service-sid",
 				},
 			},
 		},
@@ -440,6 +453,7 @@ func Test_SMSConfigPrepare(t *testing.T) {
 						nil,
 						nil,
 						nil,
+						nil,
 						// http config
 						"sms-id",
 						"endpoint",
diff --git a/internal/repository/instance/sms.go b/internal/repository/instance/sms.go
index 309ce9aa46..7a402e67fe 100644
--- a/internal/repository/instance/sms.go
+++ b/internal/repository/instance/sms.go
@@ -28,11 +28,12 @@ const (
 type SMSConfigTwilioAddedEvent struct {
 	*eventstore.BaseEvent `json:"-"`
 
-	ID           string              `json:"id,omitempty"`
-	Description  string              `json:"description,omitempty"`
-	SID          string              `json:"sid,omitempty"`
-	Token        *crypto.CryptoValue `json:"token,omitempty"`
-	SenderNumber string              `json:"senderNumber,omitempty"`
+	ID               string              `json:"id,omitempty"`
+	Description      string              `json:"description,omitempty"`
+	SID              string              `json:"sid,omitempty"`
+	Token            *crypto.CryptoValue `json:"token,omitempty"`
+	SenderNumber     string              `json:"senderNumber,omitempty"`
+	VerifyServiceSID string              `json:"verifyServiceSid,omitempty"`
 }
 
 func NewSMSConfigTwilioAddedEvent(
@@ -43,6 +44,7 @@ func NewSMSConfigTwilioAddedEvent(
 	sid,
 	senderNumber string,
 	token *crypto.CryptoValue,
+	verifyServiceSid string,
 ) *SMSConfigTwilioAddedEvent {
 	return &SMSConfigTwilioAddedEvent{
 		BaseEvent: eventstore.NewBaseEventForPush(
@@ -50,11 +52,12 @@ func NewSMSConfigTwilioAddedEvent(
 			aggregate,
 			SMSConfigTwilioAddedEventType,
 		),
-		ID:           id,
-		Description:  description,
-		SID:          sid,
-		Token:        token,
-		SenderNumber: senderNumber,
+		ID:               id,
+		Description:      description,
+		SID:              sid,
+		Token:            token,
+		SenderNumber:     senderNumber,
+		VerifyServiceSID: verifyServiceSid,
 	}
 }
 
@@ -73,10 +76,11 @@ func (e *SMSConfigTwilioAddedEvent) UniqueConstraints() []*eventstore.UniqueCons
 type SMSConfigTwilioChangedEvent struct {
 	*eventstore.BaseEvent `json:"-"`
 
-	ID           string  `json:"id,omitempty"`
-	Description  *string `json:"description,omitempty"`
-	SID          *string `json:"sid,omitempty"`
-	SenderNumber *string `json:"senderNumber,omitempty"`
+	ID               string  `json:"id,omitempty"`
+	Description      *string `json:"description,omitempty"`
+	SID              *string `json:"sid,omitempty"`
+	SenderNumber     *string `json:"senderNumber,omitempty"`
+	VerifyServiceSID *string `json:"verifyServiceSid,omitempty"`
 }
 
 func NewSMSConfigTwilioChangedEvent(
@@ -122,6 +126,12 @@ func ChangeSMSConfigTwilioSenderNumber(senderNumber string) func(event *SMSConfi
 	}
 }
 
+func ChangeSMSConfigTwilioVerifyServiceSID(verifyServiceSID string) func(event *SMSConfigTwilioChangedEvent) {
+	return func(e *SMSConfigTwilioChangedEvent) {
+		e.VerifyServiceSID = &verifyServiceSID
+	}
+}
+
 func (e *SMSConfigTwilioChangedEvent) SetBaseEvent(event *eventstore.BaseEvent) {
 	e.BaseEvent = event
 }
diff --git a/internal/repository/session/session.go b/internal/repository/session/session.go
index 3e9b727f5a..f5622fd4b4 100644
--- a/internal/repository/session/session.go
+++ b/internal/repository/session/session.go
@@ -10,6 +10,7 @@ import (
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/notification/senders"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )
 
@@ -323,6 +324,7 @@ type OTPSMSChallengedEvent struct {
 	Code              *crypto.CryptoValue `json:"code"`
 	Expiry            time.Duration       `json:"expiry"`
 	CodeReturned      bool                `json:"codeReturned,omitempty"`
+	GeneratorID       string              `json:"generatorId,omitempty"`
 	TriggeredAtOrigin string              `json:"triggerOrigin,omitempty"`
 }
 
@@ -348,6 +350,7 @@ func NewOTPSMSChallengedEvent(
 	code *crypto.CryptoValue,
 	expiry time.Duration,
 	codeReturned bool,
+	generatorID string,
 ) *OTPSMSChallengedEvent {
 	return &OTPSMSChallengedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -358,12 +361,15 @@ func NewOTPSMSChallengedEvent(
 		Code:              code,
 		Expiry:            expiry,
 		CodeReturned:      codeReturned,
+		GeneratorID:       generatorID,
 		TriggeredAtOrigin: http.DomainContext(ctx).Origin(),
 	}
 }
 
 type OTPSMSSentEvent struct {
 	eventstore.BaseEvent `json:"-"`
+
+	GeneratorInfo *senders.CodeGeneratorInfo `json:"generatorInfo,omitempty"`
 }
 
 func (e *OTPSMSSentEvent) Payload() interface{} {
@@ -381,6 +387,7 @@ func (e *OTPSMSSentEvent) SetBaseEvent(base *eventstore.BaseEvent) {
 func NewOTPSMSSentEvent(
 	ctx context.Context,
 	aggregate *eventstore.Aggregate,
+	generatorInfo *senders.CodeGeneratorInfo,
 ) *OTPSMSSentEvent {
 	return &OTPSMSSentEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -388,6 +395,7 @@ func NewOTPSMSSentEvent(
 			aggregate,
 			OTPSMSSentType,
 		),
+		GeneratorInfo: generatorInfo,
 	}
 }
 
diff --git a/internal/repository/user/eventstore.go b/internal/repository/user/eventstore.go
index 2b726d378a..42bc96280f 100644
--- a/internal/repository/user/eventstore.go
+++ b/internal/repository/user/eventstore.go
@@ -14,7 +14,7 @@ func init() {
 	eventstore.RegisterFilterEventMapper(AggregateType, UserV1SignedOutType, HumanSignedOutEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, UserV1PasswordChangedType, HumanPasswordChangedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, UserV1PasswordCodeAddedType, HumanPasswordCodeAddedEventMapper)
-	eventstore.RegisterFilterEventMapper(AggregateType, UserV1PasswordCodeSentType, HumanPasswordCodeSentEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, UserV1PasswordCodeSentType, eventstore.GenericEventMapper[HumanPasswordCodeSentEvent])
 	eventstore.RegisterFilterEventMapper(AggregateType, UserV1PasswordCheckSucceededType, HumanPasswordCheckSucceededEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, UserV1PasswordCheckFailedType, HumanPasswordCheckFailedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, UserV1EmailChangedType, HumanEmailChangedEventMapper)
@@ -27,7 +27,7 @@ func init() {
 	eventstore.RegisterFilterEventMapper(AggregateType, UserV1PhoneVerifiedType, HumanPhoneVerifiedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, UserV1PhoneVerificationFailedType, HumanPhoneVerificationFailedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, UserV1PhoneCodeAddedType, HumanPhoneCodeAddedEventMapper)
-	eventstore.RegisterFilterEventMapper(AggregateType, UserV1PhoneCodeSentType, HumanPhoneCodeSentEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, UserV1PhoneCodeSentType, eventstore.GenericEventMapper[HumanPhoneCodeSentEvent])
 	eventstore.RegisterFilterEventMapper(AggregateType, UserV1ProfileChangedType, HumanProfileChangedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, UserV1AddressChangedType, HumanAddressChangedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, UserV1MFAInitSkippedType, HumanMFAInitSkippedEventMapper)
@@ -60,7 +60,7 @@ func init() {
 	eventstore.RegisterFilterEventMapper(AggregateType, HumanSignedOutType, HumanSignedOutEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, HumanPasswordChangedType, HumanPasswordChangedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, HumanPasswordCodeAddedType, HumanPasswordCodeAddedEventMapper)
-	eventstore.RegisterFilterEventMapper(AggregateType, HumanPasswordCodeSentType, HumanPasswordCodeSentEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, HumanPasswordCodeSentType, eventstore.GenericEventMapper[HumanPasswordCodeSentEvent])
 	eventstore.RegisterFilterEventMapper(AggregateType, HumanPasswordChangeSentType, HumanPasswordChangeSentEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, HumanPasswordCheckSucceededType, HumanPasswordCheckSucceededEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, HumanPasswordCheckFailedType, HumanPasswordCheckFailedEventMapper)
@@ -81,7 +81,7 @@ func init() {
 	eventstore.RegisterFilterEventMapper(AggregateType, HumanPhoneVerifiedType, HumanPhoneVerifiedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, HumanPhoneVerificationFailedType, HumanPhoneVerificationFailedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, HumanPhoneCodeAddedType, HumanPhoneCodeAddedEventMapper)
-	eventstore.RegisterFilterEventMapper(AggregateType, HumanPhoneCodeSentType, HumanPhoneCodeSentEventMapper)
+	eventstore.RegisterFilterEventMapper(AggregateType, HumanPhoneCodeSentType, eventstore.GenericEventMapper[HumanPhoneCodeSentEvent])
 	eventstore.RegisterFilterEventMapper(AggregateType, HumanProfileChangedType, HumanProfileChangedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, HumanAvatarAddedType, HumanAvatarAddedEventMapper)
 	eventstore.RegisterFilterEventMapper(AggregateType, HumanAvatarRemovedType, HumanAvatarRemovedEventMapper)
diff --git a/internal/repository/user/human_mfa_otp.go b/internal/repository/user/human_mfa_otp.go
index f0f3762c81..93706d714e 100644
--- a/internal/repository/user/human_mfa_otp.go
+++ b/internal/repository/user/human_mfa_otp.go
@@ -7,6 +7,7 @@ import (
 	"github.com/zitadel/zitadel/internal/api/http"
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/notification/senders"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )
 
@@ -280,6 +281,7 @@ type HumanOTPSMSCodeAddedEvent struct {
 	Code              *crypto.CryptoValue `json:"code,omitempty"`
 	Expiry            time.Duration       `json:"expiry,omitempty"`
 	TriggeredAtOrigin string              `json:"triggerOrigin,omitempty"`
+	GeneratorID       string              `json:"generatorId,omitempty"`
 	*AuthRequestInfo
 }
 
@@ -305,6 +307,7 @@ func NewHumanOTPSMSCodeAddedEvent(
 	code *crypto.CryptoValue,
 	expiry time.Duration,
 	info *AuthRequestInfo,
+	generatorID string,
 ) *HumanOTPSMSCodeAddedEvent {
 	return &HumanOTPSMSCodeAddedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -316,15 +319,14 @@ func NewHumanOTPSMSCodeAddedEvent(
 		Expiry:            expiry,
 		TriggeredAtOrigin: http.DomainContext(ctx).Origin(),
 		AuthRequestInfo:   info,
+		GeneratorID:       generatorID,
 	}
 }
 
 type HumanOTPSMSCodeSentEvent struct {
 	eventstore.BaseEvent `json:"-"`
 
-	Code   *crypto.CryptoValue `json:"code,omitempty"`
-	Expiry time.Duration       `json:"expiry,omitempty"`
-	*AuthRequestInfo
+	GeneratorInfo *senders.CodeGeneratorInfo `json:"generatorInfo,omitempty"`
 }
 
 func (e *HumanOTPSMSCodeSentEvent) Payload() interface{} {
@@ -342,6 +344,7 @@ func (e *HumanOTPSMSCodeSentEvent) SetBaseEvent(event *eventstore.BaseEvent) {
 func NewHumanOTPSMSCodeSentEvent(
 	ctx context.Context,
 	aggregate *eventstore.Aggregate,
+	generatorInfo *senders.CodeGeneratorInfo,
 ) *HumanOTPSMSCodeSentEvent {
 	return &HumanOTPSMSCodeSentEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -349,6 +352,7 @@ func NewHumanOTPSMSCodeSentEvent(
 			aggregate,
 			HumanOTPSMSCodeSentType,
 		),
+		GeneratorInfo: generatorInfo,
 	}
 }
 
diff --git a/internal/repository/user/human_password.go b/internal/repository/user/human_password.go
index c425c144b2..4251a7987f 100644
--- a/internal/repository/user/human_password.go
+++ b/internal/repository/user/human_password.go
@@ -8,6 +8,7 @@ import (
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/notification/senders"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )
 
@@ -89,6 +90,7 @@ type HumanPasswordCodeAddedEvent struct {
 	TriggeredAtOrigin string                  `json:"triggerOrigin,omitempty"`
 	// AuthRequest is only used in V1 Login UI
 	AuthRequestID string `json:"authRequestID,omitempty"`
+	GeneratorID   string `json:"generatorId,omitempty"`
 }
 
 func (e *HumanPasswordCodeAddedEvent) Payload() interface{} {
@@ -109,7 +111,8 @@ func NewHumanPasswordCodeAddedEvent(
 	code *crypto.CryptoValue,
 	expiry time.Duration,
 	notificationType domain.NotificationType,
-	authRequestID string,
+	authRequestID,
+	generatorID string,
 ) *HumanPasswordCodeAddedEvent {
 	return &HumanPasswordCodeAddedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -122,6 +125,7 @@ func NewHumanPasswordCodeAddedEvent(
 		NotificationType:  notificationType,
 		TriggeredAtOrigin: http.DomainContext(ctx).Origin(),
 		AuthRequestID:     authRequestID,
+		GeneratorID:       generatorID,
 	}
 }
 
@@ -162,33 +166,34 @@ func HumanPasswordCodeAddedEventMapper(event eventstore.Event) (eventstore.Event
 }
 
 type HumanPasswordCodeSentEvent struct {
-	eventstore.BaseEvent `json:"-"`
+	*eventstore.BaseEvent `json:"-"`
+
+	GeneratorInfo *senders.CodeGeneratorInfo `json:"generatorInfo,omitempty"`
+}
+
+func (e *HumanPasswordCodeSentEvent) SetBaseEvent(event *eventstore.BaseEvent) {
+	e.BaseEvent = event
 }
 
 func (e *HumanPasswordCodeSentEvent) Payload() interface{} {
-	return nil
+	return e
 }
 
 func (e *HumanPasswordCodeSentEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
 	return nil
 }
 
-func NewHumanPasswordCodeSentEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanPasswordCodeSentEvent {
+func NewHumanPasswordCodeSentEvent(ctx context.Context, aggregate *eventstore.Aggregate, generatorInfo *senders.CodeGeneratorInfo) *HumanPasswordCodeSentEvent {
 	return &HumanPasswordCodeSentEvent{
-		BaseEvent: *eventstore.NewBaseEventForPush(
+		BaseEvent: eventstore.NewBaseEventForPush(
 			ctx,
 			aggregate,
 			HumanPasswordCodeSentType,
 		),
+		GeneratorInfo: generatorInfo,
 	}
 }
 
-func HumanPasswordCodeSentEventMapper(event eventstore.Event) (eventstore.Event, error) {
-	return &HumanPasswordCodeSentEvent{
-		BaseEvent: *eventstore.BaseEventFromRepo(event),
-	}, nil
-}
-
 type HumanPasswordChangeSentEvent struct {
 	eventstore.BaseEvent `json:"-"`
 }
diff --git a/internal/repository/user/human_phone.go b/internal/repository/user/human_phone.go
index 5655b1b3d3..b86cbf93ef 100644
--- a/internal/repository/user/human_phone.go
+++ b/internal/repository/user/human_phone.go
@@ -8,6 +8,7 @@ import (
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/notification/senders"
 	"github.com/zitadel/zitadel/internal/zerrors"
 )
 
@@ -151,6 +152,7 @@ type HumanPhoneCodeAddedEvent struct {
 	Code              *crypto.CryptoValue `json:"code,omitempty"`
 	Expiry            time.Duration       `json:"expiry,omitempty"`
 	CodeReturned      bool                `json:"code_returned,omitempty"`
+	GeneratorID       string              `json:"generatorId,omitempty"`
 	TriggeredAtOrigin string              `json:"triggerOrigin,omitempty"`
 }
 
@@ -171,15 +173,18 @@ func NewHumanPhoneCodeAddedEvent(
 	aggregate *eventstore.Aggregate,
 	code *crypto.CryptoValue,
 	expiry time.Duration,
+	generatorID string,
 ) *HumanPhoneCodeAddedEvent {
-	return NewHumanPhoneCodeAddedEventV2(ctx, aggregate, code, expiry, false)
+	return NewHumanPhoneCodeAddedEventV2(ctx, aggregate, code, expiry, false, generatorID)
 }
+
 func NewHumanPhoneCodeAddedEventV2(
 	ctx context.Context,
 	aggregate *eventstore.Aggregate,
 	code *crypto.CryptoValue,
 	expiry time.Duration,
 	codeReturned bool,
+	generatorID string,
 ) *HumanPhoneCodeAddedEvent {
 	return &HumanPhoneCodeAddedEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@@ -190,6 +195,7 @@ func NewHumanPhoneCodeAddedEventV2(
 		Code:              code,
 		Expiry:            expiry,
 		CodeReturned:      codeReturned,
+		GeneratorID:       generatorID,
 		TriggeredAtOrigin: http.DomainContext(ctx).Origin(),
 	}
 }
@@ -207,7 +213,13 @@ func HumanPhoneCodeAddedEventMapper(event eventstore.Event) (eventstore.Event, e
 }
 
 type HumanPhoneCodeSentEvent struct {
-	eventstore.BaseEvent `json:"-"`
+	*eventstore.BaseEvent `json:"-"`
+
+	GeneratorInfo *senders.CodeGeneratorInfo `json:"generatorInfo,omitempty"`
+}
+
+func (e *HumanPhoneCodeSentEvent) SetBaseEvent(event *eventstore.BaseEvent) {
+	e.BaseEvent = event
 }
 
 func (e *HumanPhoneCodeSentEvent) Payload() interface{} {
@@ -218,18 +230,13 @@ func (e *HumanPhoneCodeSentEvent) UniqueConstraints() []*eventstore.UniqueConstr
 	return nil
 }
 
-func NewHumanPhoneCodeSentEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanPhoneCodeSentEvent {
+func NewHumanPhoneCodeSentEvent(ctx context.Context, aggregate *eventstore.Aggregate, generatorInfo *senders.CodeGeneratorInfo) *HumanPhoneCodeSentEvent {
 	return &HumanPhoneCodeSentEvent{
-		BaseEvent: *eventstore.NewBaseEventForPush(
+		BaseEvent: eventstore.NewBaseEventForPush(
 			ctx,
 			aggregate,
 			HumanPhoneCodeSentType,
 		),
+		GeneratorInfo: generatorInfo,
 	}
 }
-
-func HumanPhoneCodeSentEventMapper(event eventstore.Event) (eventstore.Event, error) {
-	return &HumanPhoneCodeSentEvent{
-		BaseEvent: *eventstore.BaseEventFromRepo(event),
-	}, nil
-}
diff --git a/internal/repository/user/schemauser/phone.go b/internal/repository/user/schemauser/phone.go
index a491dab776..9a68168198 100644
--- a/internal/repository/user/schemauser/phone.go
+++ b/internal/repository/user/schemauser/phone.go
@@ -8,6 +8,7 @@ import (
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/notification/senders"
 )
 
 const (
@@ -107,6 +108,7 @@ type PhoneCodeAddedEvent struct {
 	Code              *crypto.CryptoValue `json:"code,omitempty"`
 	Expiry            time.Duration       `json:"expiry,omitempty"`
 	CodeReturned      bool                `json:"code_returned,omitempty"`
+	GeneratorID       string              `json:"generatorId,omitempty"`
 	TriggeredAtOrigin string              `json:"triggerOrigin,omitempty"`
 }
 
@@ -132,6 +134,7 @@ func NewPhoneCodeAddedEvent(
 	code *crypto.CryptoValue,
 	expiry time.Duration,
 	codeReturned bool,
+	generatorID string,
 ) *PhoneCodeAddedEvent {
 	return &PhoneCodeAddedEvent{
 		BaseEvent: eventstore.NewBaseEventForPush(
@@ -142,12 +145,15 @@ func NewPhoneCodeAddedEvent(
 		Code:              code,
 		Expiry:            expiry,
 		CodeReturned:      codeReturned,
+		GeneratorID:       generatorID,
 		TriggeredAtOrigin: http.DomainContext(ctx).Origin(),
 	}
 }
 
 type PhoneCodeSentEvent struct {
 	*eventstore.BaseEvent `json:"-"`
+
+	GeneratorInfo *senders.CodeGeneratorInfo `json:"generatorInfo,omitempty"`
 }
 
 func (e *PhoneCodeSentEvent) Payload() interface{} {
@@ -162,12 +168,13 @@ func (e *PhoneCodeSentEvent) SetBaseEvent(event *eventstore.BaseEvent) {
 	e.BaseEvent = event
 }
 
-func NewPhoneCodeSentEvent(ctx context.Context, aggregate *eventstore.Aggregate) *PhoneCodeSentEvent {
+func NewPhoneCodeSentEvent(ctx context.Context, aggregate *eventstore.Aggregate, generatorInfo *senders.CodeGeneratorInfo) *PhoneCodeSentEvent {
 	return &PhoneCodeSentEvent{
 		BaseEvent: eventstore.NewBaseEventForPush(
 			ctx,
 			aggregate,
 			PhoneCodeSentType,
 		),
+		GeneratorInfo: generatorInfo,
 	}
 }
diff --git a/internal/static/i18n/en.yaml b/internal/static/i18n/en.yaml
index 4f4e06fd7f..110a8d71e0 100644
--- a/internal/static/i18n/en.yaml
+++ b/internal/static/i18n/en.yaml
@@ -53,6 +53,7 @@ Errors:
     NotFound: SMS configuration not found
     AlreadyActive: SMS configuration already active
     AlreadyDeactivated: SMS configuration already deactivated
+    NotExternalVerification: SMS configuration does not support code verification
   SMTP:
     NotEmailMessage: message is not EmailMessage
     RequiredAttributes: subject, recipients and content must be set but some or all of them are empty
diff --git a/proto/zitadel/admin.proto b/proto/zitadel/admin.proto
index 6e1020cf5e..d3cf774f41 100644
--- a/proto/zitadel/admin.proto
+++ b/proto/zitadel/admin.proto
@@ -5176,11 +5176,10 @@ message AddSMSProviderTwilioRequest {
         }
     ];
     string sender_number = 3 [
-        (validate.rules).string = {min_len: 1, max_len: 200},
-        (google.api.field_behavior) = REQUIRED,
+        (validate.rules).string = {min_len: 0, max_len: 200},
         (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
             example: "\"AB123b9e61d238abae7d3be7b65ecbc987\"";
-            min_length: 1;
+            min_length: 0;
             max_length: 200;
         }
     ];
@@ -5192,6 +5191,14 @@ message AddSMSProviderTwilioRequest {
             max_length: 200;
         }
     ];
+    string verify_service_sid = 5 [
+        (validate.rules).string = {min_len: 0, max_len: 200},
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            example: "\"AB123b9e61d238abae7d3be7b65ecbc987\"";
+            min_length: 0;
+            max_length: 200;
+        }
+    ];
 }
 
 message AddSMSProviderTwilioResponse {
@@ -5211,8 +5218,7 @@ message UpdateSMSProviderTwilioRequest {
         }
     ];
     string sender_number = 3 [
-        (validate.rules).string = {min_len: 1, max_len: 200},
-        (google.api.field_behavior) = REQUIRED,
+        (validate.rules).string = {min_len: 0, max_len: 200},
         (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
             example: "\"AB123b9e61d238abae7d3be7b65ecbc987\"";
             min_length: 1;
@@ -5227,6 +5233,14 @@ message UpdateSMSProviderTwilioRequest {
             max_length: 200;
         }
     ];
+    string verify_service_sid = 5 [
+        (validate.rules).string = {min_len: 0, max_len: 200},
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            example: "\"AB123b9e61d238abae7d3be7b65ecbc987\"";
+            min_length: 0;
+            max_length: 200;
+        }
+    ];
 }
 
 message UpdateSMSProviderTwilioResponse {
diff --git a/proto/zitadel/settings.proto b/proto/zitadel/settings.proto
index a2a6806c65..c761e1c841 100644
--- a/proto/zitadel/settings.proto
+++ b/proto/zitadel/settings.proto
@@ -161,6 +161,7 @@ message SMSProvider {
 message TwilioConfig {
   string sid = 1;
   string sender_number = 2;
+  string verify_service_sid = 3;
 }
 
 message HTTPConfig {

From 7247f62006a8bdd6fef7b5fcae1b2a193db9d00c Mon Sep 17 00:00:00 2001
From: Mostafa Galal <77402549+MostafaGalal1@users.noreply.github.com>
Date: Thu, 26 Sep 2024 15:54:36 +0300
Subject: [PATCH 18/19] docs(guides): Fixing incorrect placement of hyphen in
 overview (#8681)

# Which Problems Are Solved

- There was an incorrect placement of a hyphen in a sentence.

# How the Problems Are Solved

- Corrected by replacing the hyphen with a comma and adding a verb
(ready to go, offering a)

Co-authored-by: Fabi <fabienne@zitadel.com>
---
 docs/docs/guides/overview.mdx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/docs/guides/overview.mdx b/docs/docs/guides/overview.mdx
index d01a4a6903..7fd7c2aa70 100644
--- a/docs/docs/guides/overview.mdx
+++ b/docs/docs/guides/overview.mdx
@@ -23,7 +23,7 @@ If you're unsure, consider the generous free tier of [ZITADEL Cloud](./manage/cl
 
 Choose [ZITADEL Cloud](./manage/cloud/overview) if you want:
 
-- A turnkey solution that's ready to go- A generous free tier with an excellent pay-as-you-go option
+- A turnkey solution that's ready to go, offering a generous free tier with an excellent pay-as-you-go option.
 - Global scalability without the hassle of managing it yourself
 - Data-residency compliance for your customers
 
@@ -47,4 +47,4 @@ ZITADEL holds bi-weekly community calls. To join the community calls use [this l
 
 ZITADEL is open source — and so is the documentation.
 
-If you find any inaccuracies, spelling mistakes, or unclear text passages, please don't hesitate to leave a comment or [contribute a corresponding change](https://github.com/zitadel/zitadel/blob/main/CONTRIBUTING.md).
\ No newline at end of file
+If you find any inaccuracies, spelling mistakes, or unclear text passages, please don't hesitate to leave a comment or [contribute a corresponding change](https://github.com/zitadel/zitadel/blob/main/CONTRIBUTING.md).

From 63d733b3a2e3ceeec4c27f71836695c6ff6a82ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?= <tim+github@zitadel.com>
Date: Thu, 26 Sep 2024 15:55:41 +0200
Subject: [PATCH 19/19] perf(oidc): disable push of user token meta-event
 (#8691)

# Which Problems Are Solved

When executing many concurrent authentication requests on a single
machine user, there were performance issues. As the same aggregate is
being searched and written to concurrently, we traced it down to a
locking issue on the used index.
We already optimized the token endpoint by creating a separate OIDC
aggregate.

At the time we decided to push a single event to the user aggregate, for
the user audit log. See [technical advisory
10010](https://zitadel.com/docs/support/advisory/a10010) for more
details.

However, a recent security fix introduced an additional search query on
the user aggregate, causing the locking issue we found.

# How the Problems Are Solved

Add a feature flag which disables pushing of the `user.token.v2.added`.
The event has no importance and was only added for informational
purposes on the user objects. The `oidc_session.access_token.added` is
the actual payload event and is pushed on the OIDC session aggregate and
can still be used for audit trail.

# Additional Changes

- Fix an event mapper type for
`SystemOIDCSingleV1SessionTerminationEventType`

# Additional Context

- Reported by support request
- https://github.com/zitadel/zitadel/pull/7822 changed the token
aggregate
- https://github.com/zitadel/zitadel/pull/8631 introduced user state
check

Load test trace graph with `user.token.v2.added` **enabled**. Query
times are steadily increasing:


![image](https://github.com/user-attachments/assets/4aa25055-8721-4e93-b695-625560979909)

Load test trace graph with `user.token.v2.added` **disabled**. Query
times constant:


![image](https://github.com/user-attachments/assets/a7657f6c-0c55-401b-8291-453da5d5caf9)

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
---
 internal/api/grpc/feature/v2/converter.go     |   4 +
 .../api/grpc/feature/v2/converter_test.go     |   8 +
 internal/command/instance_features.go         |   4 +-
 internal/command/instance_features_model.go   |   5 +
 internal/command/oidc_session.go              |   8 +-
 internal/command/oidc_session_test.go         | 239 ++++++++++++++++++
 internal/command/system_features.go           |   4 +-
 internal/command/system_features_model.go     |   5 +
 internal/feature/feature.go                   |   2 +
 internal/feature/key_enumer.go                |  18 +-
 internal/query/instance_features.go           |   1 +
 internal/query/instance_features_model.go     |   4 +
 .../query/projection/instance_features.go     |   4 +
 internal/query/projection/system_features.go  |   4 +
 internal/query/system_features.go             |   1 +
 internal/query/system_features_model.go       |   3 +
 .../feature/feature_v2/eventstore.go          |   4 +-
 .../repository/feature/feature_v2/feature.go  |   2 +
 proto/zitadel/feature/v2/instance.proto       |  14 +
 proto/zitadel/feature/v2/system.proto         |  14 +
 20 files changed, 334 insertions(+), 14 deletions(-)

diff --git a/internal/api/grpc/feature/v2/converter.go b/internal/api/grpc/feature/v2/converter.go
index 5817b47c44..e8b57a2885 100644
--- a/internal/api/grpc/feature/v2/converter.go
+++ b/internal/api/grpc/feature/v2/converter.go
@@ -18,6 +18,7 @@ func systemFeaturesToCommand(req *feature_pb.SetSystemFeaturesRequest) *command.
 		TokenExchange:                   req.OidcTokenExchange,
 		ImprovedPerformance:             improvedPerformanceListToDomain(req.ImprovedPerformance),
 		OIDCSingleV1SessionTermination:  req.OidcSingleV1SessionTermination,
+		DisableUserTokenEvent:           req.DisableUserTokenEvent,
 	}
 }
 
@@ -32,6 +33,7 @@ func systemFeaturesToPb(f *query.SystemFeatures) *feature_pb.GetSystemFeaturesRe
 		Actions:                             featureSourceToFlagPb(&f.Actions),
 		ImprovedPerformance:                 featureSourceToImprovedPerformanceFlagPb(&f.ImprovedPerformance),
 		OidcSingleV1SessionTermination:      featureSourceToFlagPb(&f.OIDCSingleV1SessionTermination),
+		DisableUserTokenEvent:               featureSourceToFlagPb(&f.DisableUserTokenEvent),
 	}
 }
 
@@ -47,6 +49,7 @@ func instanceFeaturesToCommand(req *feature_pb.SetInstanceFeaturesRequest) *comm
 		WebKey:                          req.WebKey,
 		DebugOIDCParentError:            req.DebugOidcParentError,
 		OIDCSingleV1SessionTermination:  req.OidcSingleV1SessionTermination,
+		DisableUserTokenEvent:           req.DisableUserTokenEvent,
 	}
 }
 
@@ -63,6 +66,7 @@ func instanceFeaturesToPb(f *query.InstanceFeatures) *feature_pb.GetInstanceFeat
 		WebKey:                              featureSourceToFlagPb(&f.WebKey),
 		DebugOidcParentError:                featureSourceToFlagPb(&f.DebugOIDCParentError),
 		OidcSingleV1SessionTermination:      featureSourceToFlagPb(&f.OIDCSingleV1SessionTermination),
+		DisableUserTokenEvent:               featureSourceToFlagPb(&f.DisableUserTokenEvent),
 	}
 }
 
diff --git a/internal/api/grpc/feature/v2/converter_test.go b/internal/api/grpc/feature/v2/converter_test.go
index b0b21c3c24..79bfa34839 100644
--- a/internal/api/grpc/feature/v2/converter_test.go
+++ b/internal/api/grpc/feature/v2/converter_test.go
@@ -119,6 +119,10 @@ func Test_systemFeaturesToPb(t *testing.T) {
 			Enabled: true,
 			Source:  feature_pb.Source_SOURCE_SYSTEM,
 		},
+		DisableUserTokenEvent: &feature_pb.FeatureFlag{
+			Enabled: false,
+			Source:  feature_pb.Source_SOURCE_UNSPECIFIED,
+		},
 	}
 	got := systemFeaturesToPb(arg)
 	assert.Equal(t, want, got)
@@ -243,6 +247,10 @@ func Test_instanceFeaturesToPb(t *testing.T) {
 			Enabled: true,
 			Source:  feature_pb.Source_SOURCE_INSTANCE,
 		},
+		DisableUserTokenEvent: &feature_pb.FeatureFlag{
+			Enabled: false,
+			Source:  feature_pb.Source_SOURCE_UNSPECIFIED,
+		},
 	}
 	got := instanceFeaturesToPb(arg)
 	assert.Equal(t, want, got)
diff --git a/internal/command/instance_features.go b/internal/command/instance_features.go
index 9517c148b6..79d3d25ffe 100644
--- a/internal/command/instance_features.go
+++ b/internal/command/instance_features.go
@@ -26,6 +26,7 @@ type InstanceFeatures struct {
 	WebKey                          *bool
 	DebugOIDCParentError            *bool
 	OIDCSingleV1SessionTermination  *bool
+	DisableUserTokenEvent           *bool
 }
 
 func (m *InstanceFeatures) isEmpty() bool {
@@ -39,7 +40,8 @@ func (m *InstanceFeatures) isEmpty() bool {
 		m.ImprovedPerformance == nil &&
 		m.WebKey == nil &&
 		m.DebugOIDCParentError == nil &&
-		m.OIDCSingleV1SessionTermination == nil
+		m.OIDCSingleV1SessionTermination == nil &&
+		m.DisableUserTokenEvent == nil
 }
 
 func (c *Commands) SetInstanceFeatures(ctx context.Context, f *InstanceFeatures) (*domain.ObjectDetails, error) {
diff --git a/internal/command/instance_features_model.go b/internal/command/instance_features_model.go
index 218b62864d..5ed0b9c24b 100644
--- a/internal/command/instance_features_model.go
+++ b/internal/command/instance_features_model.go
@@ -70,6 +70,7 @@ func (m *InstanceFeaturesWriteModel) Query() *eventstore.SearchQueryBuilder {
 			feature_v2.InstanceWebKeyEventType,
 			feature_v2.InstanceDebugOIDCParentErrorEventType,
 			feature_v2.InstanceOIDCSingleV1SessionTerminationEventType,
+			feature_v2.InstanceDisableUserTokenEvent,
 		).
 		Builder().ResourceOwner(m.ResourceOwner)
 }
@@ -112,6 +113,9 @@ func reduceInstanceFeature(features *InstanceFeatures, key feature.Key, value an
 	case feature.KeyOIDCSingleV1SessionTermination:
 		v := value.(bool)
 		features.OIDCSingleV1SessionTermination = &v
+	case feature.KeyDisableUserTokenEvent:
+		v := value.(bool)
+		features.DisableUserTokenEvent = &v
 	}
 }
 
@@ -128,5 +132,6 @@ func (wm *InstanceFeaturesWriteModel) setCommands(ctx context.Context, f *Instan
 	cmds = appendFeatureUpdate(ctx, cmds, aggregate, wm.WebKey, f.WebKey, feature_v2.InstanceWebKeyEventType)
 	cmds = appendFeatureUpdate(ctx, cmds, aggregate, wm.DebugOIDCParentError, f.DebugOIDCParentError, feature_v2.InstanceDebugOIDCParentErrorEventType)
 	cmds = appendFeatureUpdate(ctx, cmds, aggregate, wm.OIDCSingleV1SessionTermination, f.OIDCSingleV1SessionTermination, feature_v2.InstanceOIDCSingleV1SessionTerminationEventType)
+	cmds = appendFeatureUpdate(ctx, cmds, aggregate, wm.DisableUserTokenEvent, f.DisableUserTokenEvent, feature_v2.InstanceDisableUserTokenEvent)
 	return cmds
 }
diff --git a/internal/command/oidc_session.go b/internal/command/oidc_session.go
index 1ad46ba7d6..95a5934b91 100644
--- a/internal/command/oidc_session.go
+++ b/internal/command/oidc_session.go
@@ -423,10 +423,10 @@ func (c *OIDCSessionEvents) AddAccessToken(ctx context.Context, scope []string,
 		return err
 	}
 	c.accessTokenID = AccessTokenPrefix + accessTokenID
-	c.events = append(c.events,
-		oidcsession.NewAccessTokenAddedEvent(ctx, c.oidcSessionWriteModel.aggregate, c.accessTokenID, scope, c.accessTokenLifetime, reason, actor),
-		user.NewUserTokenV2AddedEvent(ctx, &user.NewAggregate(userID, resourceOwner).Aggregate, c.accessTokenID), // for user audit log
-	)
+	c.events = append(c.events, oidcsession.NewAccessTokenAddedEvent(ctx, c.oidcSessionWriteModel.aggregate, c.accessTokenID, scope, c.accessTokenLifetime, reason, actor))
+	if !authz.GetFeatures(ctx).DisableUserTokenEvent {
+		c.events = append(c.events, user.NewUserTokenV2AddedEvent(ctx, &user.NewAggregate(userID, resourceOwner).Aggregate, c.accessTokenID))
+	}
 	return nil
 }
 
diff --git a/internal/command/oidc_session_test.go b/internal/command/oidc_session_test.go
index 6d9ee6e32e..4df173c7d5 100644
--- a/internal/command/oidc_session_test.go
+++ b/internal/command/oidc_session_test.go
@@ -18,6 +18,7 @@ import (
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/feature"
 	"github.com/zitadel/zitadel/internal/id"
 	"github.com/zitadel/zitadel/internal/id/mock"
 	"github.com/zitadel/zitadel/internal/repository/authrequest"
@@ -436,6 +437,144 @@ func TestCommands_CreateOIDCSessionFromAuthRequest(t *testing.T) {
 				state: "state",
 			},
 		},
+		{
+			"disable user token event",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							authrequest.NewAddedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate,
+								"loginClient",
+								"clientID",
+								"redirectURI",
+								"state",
+								"nonce",
+								[]string{"openid", "offline_access"},
+								[]string{"audience"},
+								domain.OIDCResponseTypeCode,
+								domain.OIDCResponseModeQuery,
+								&domain.OIDCCodeChallenge{
+									Challenge: "challenge",
+									Method:    domain.CodeChallengeMethodS256,
+								},
+								[]domain.Prompt{domain.PromptNone},
+								[]string{"en", "de"},
+								gu.Ptr(time.Duration(0)),
+								gu.Ptr("loginHint"),
+								gu.Ptr("hintUserID"),
+								true,
+							),
+						),
+						eventFromEventPusher(
+							authrequest.NewCodeAddedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate),
+						),
+						eventFromEventPusher(
+							authrequest.NewSessionLinkedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate,
+								"sessionID",
+								"userID",
+								testNow,
+								[]domain.UserAuthMethodType{domain.UserAuthMethodTypePassword},
+							),
+						),
+					),
+					expectFilter(
+						eventFromEventPusher(
+							session.NewAddedEvent(context.Background(),
+								&session.NewAggregate("sessionID", "instance1").Aggregate,
+								&domain.UserAgent{
+									FingerprintID: gu.Ptr("fp1"),
+									IP:            net.ParseIP("1.2.3.4"),
+									Description:   gu.Ptr("firefox"),
+									Header:        http.Header{"foo": []string{"bar"}},
+								},
+							),
+						),
+						eventFromEventPusher(
+							session.NewUserCheckedEvent(context.Background(), &session.NewAggregate("sessionID", "instanceID").Aggregate,
+								"userID", "org1", testNow, &language.Afrikaans),
+						),
+						eventFromEventPusher(
+							session.NewPasswordCheckedEvent(context.Background(), &session.NewAggregate("sessionID", "instanceID").Aggregate,
+								testNow),
+						),
+					),
+					expectFilter(
+						user.NewHumanAddedEvent(
+							context.Background(),
+							&user.NewAggregate("userID", "org1").Aggregate,
+							"username",
+							"firstname",
+							"lastname",
+							"nickname",
+							"displayname",
+							language.Afrikaans,
+							domain.GenderUnspecified,
+							"email",
+							false,
+						),
+					),
+					expectFilter(), // token lifetime
+					expectPush(
+						authrequest.NewCodeExchangedEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate),
+						oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate,
+							"userID", "org1", "sessionID", "clientID", []string{"audience"}, []string{"openid", "offline_access"},
+							[]domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow, "nonce", &language.Afrikaans,
+							&domain.UserAgent{
+								FingerprintID: gu.Ptr("fp1"),
+								IP:            net.ParseIP("1.2.3.4"),
+								Description:   gu.Ptr("firefox"),
+								Header:        http.Header{"foo": []string{"bar"}},
+							},
+						),
+						oidcsession.NewAccessTokenAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate,
+							"at_accessTokenID", []string{"openid", "offline_access"}, time.Hour, domain.TokenReasonAuthRequest, nil),
+						oidcsession.NewRefreshTokenAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate,
+							"rt_refreshTokenID", 7*24*time.Hour, 24*time.Hour),
+						authrequest.NewSucceededEvent(context.Background(), &authrequest.NewAggregate("V2_authRequestID", "instanceID").Aggregate),
+					),
+				),
+				idGenerator:                     mock.NewIDGeneratorExpectIDs(t, "oidcSessionID", "accessTokenID", "refreshTokenID"),
+				defaultAccessTokenLifetime:      time.Hour,
+				defaultRefreshTokenLifetime:     7 * 24 * time.Hour,
+				defaultRefreshTokenIdleLifetime: 24 * time.Hour,
+				keyAlgorithm:                    crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+			},
+			args{
+				ctx: authz.WithFeatures(
+					authz.WithInstanceID(context.Background(), "instanceID"),
+					feature.Features{
+						DisableUserTokenEvent: true,
+					},
+				),
+				authRequestID:    "V2_authRequestID",
+				complianceCheck:  mockAuthRequestComplianceChecker(nil),
+				needRefreshToken: true,
+			},
+			res{
+				session: &OIDCSession{
+					SessionID:         "sessionID",
+					TokenID:           "V2_oidcSessionID-at_accessTokenID",
+					ClientID:          "clientID",
+					UserID:            "userID",
+					Audience:          []string{"audience"},
+					Expiration:        time.Time{}.Add(time.Hour),
+					Scope:             []string{"openid", "offline_access"},
+					AuthMethods:       []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword},
+					AuthTime:          testNow,
+					Nonce:             "nonce",
+					PreferredLanguage: &language.Afrikaans,
+					UserAgent: &domain.UserAgent{
+						FingerprintID: gu.Ptr("fp1"),
+						IP:            net.ParseIP("1.2.3.4"),
+						Description:   gu.Ptr("firefox"),
+						Header:        http.Header{"foo": []string{"bar"}},
+					},
+					Reason:       domain.TokenReasonAuthRequest,
+					RefreshToken: "VjJfb2lkY1Nlc3Npb25JRC1ydF9yZWZyZXNoVG9rZW5JRDp1c2VySUQ", //V2_oidcSessionID-rt_refreshTokenID:userID
+				},
+				state: "state",
+			},
+		},
 		{
 			"without ID token only (implicit)",
 			fields{
@@ -800,6 +939,106 @@ func TestCommands_CreateOIDCSession(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "disable user token event",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						user.NewHumanAddedEvent(
+							context.Background(),
+							&user.NewAggregate("userID", "org1").Aggregate,
+							"username",
+							"firstname",
+							"lastname",
+							"nickname",
+							"displayname",
+							language.Afrikaans,
+							domain.GenderUnspecified,
+							"email",
+							false,
+						),
+					),
+					expectFilter(), // token lifetime
+					expectPush(
+						oidcsession.NewAddedEvent(context.Background(), &oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate,
+							"userID", "org1", "", "clientID", []string{"audience"}, []string{"openid", "offline_access"},
+							[]domain.UserAuthMethodType{domain.UserAuthMethodTypePassword}, testNow, "nonce", &language.Afrikaans,
+							&domain.UserAgent{
+								FingerprintID: gu.Ptr("fp1"),
+								IP:            net.ParseIP("1.2.3.4"),
+								Description:   gu.Ptr("firefox"),
+								Header:        http.Header{"foo": []string{"bar"}},
+							},
+						),
+						oidcsession.NewAccessTokenAddedEvent(context.Background(),
+							&oidcsession.NewAggregate("V2_oidcSessionID", "org1").Aggregate,
+							"at_accessTokenID", []string{"openid", "offline_access"}, time.Hour, domain.TokenReasonAuthRequest,
+							&domain.TokenActor{
+								UserID: "user2",
+								Issuer: "foo.com",
+							},
+						),
+					),
+				),
+				idGenerator:                     mock.NewIDGeneratorExpectIDs(t, "oidcSessionID", "accessTokenID"),
+				defaultAccessTokenLifetime:      time.Hour,
+				defaultRefreshTokenLifetime:     7 * 24 * time.Hour,
+				defaultRefreshTokenIdleLifetime: 24 * time.Hour,
+				keyAlgorithm:                    crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
+			},
+			args: args{
+				ctx: authz.WithFeatures(
+					authz.WithInstanceID(context.Background(), "instanceID"),
+					feature.Features{
+						DisableUserTokenEvent: true,
+					},
+				),
+				userID:            "userID",
+				resourceOwner:     "org1",
+				clientID:          "clientID",
+				audience:          []string{"audience"},
+				scope:             []string{"openid", "offline_access"},
+				authMethods:       []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword},
+				authTime:          testNow,
+				nonce:             "nonce",
+				preferredLanguage: &language.Afrikaans,
+				userAgent: &domain.UserAgent{
+					FingerprintID: gu.Ptr("fp1"),
+					IP:            net.ParseIP("1.2.3.4"),
+					Description:   gu.Ptr("firefox"),
+					Header:        http.Header{"foo": []string{"bar"}},
+				},
+				reason: domain.TokenReasonAuthRequest,
+				actor: &domain.TokenActor{
+					UserID: "user2",
+					Issuer: "foo.com",
+				},
+				needRefreshToken: false,
+			},
+			want: &OIDCSession{
+				TokenID:           "V2_oidcSessionID-at_accessTokenID",
+				ClientID:          "clientID",
+				UserID:            "userID",
+				Audience:          []string{"audience"},
+				Expiration:        time.Time{}.Add(time.Hour),
+				Scope:             []string{"openid", "offline_access"},
+				AuthMethods:       []domain.UserAuthMethodType{domain.UserAuthMethodTypePassword},
+				AuthTime:          testNow,
+				Nonce:             "nonce",
+				PreferredLanguage: &language.Afrikaans,
+				UserAgent: &domain.UserAgent{
+					FingerprintID: gu.Ptr("fp1"),
+					IP:            net.ParseIP("1.2.3.4"),
+					Description:   gu.Ptr("firefox"),
+					Header:        http.Header{"foo": []string{"bar"}},
+				},
+				Reason: domain.TokenReasonAuthRequest,
+				Actor: &domain.TokenActor{
+					UserID: "user2",
+					Issuer: "foo.com",
+				},
+			},
+		},
 		{
 			name: "with refresh token",
 			fields: fields{
diff --git a/internal/command/system_features.go b/internal/command/system_features.go
index 1dcb3765a6..e024a6dd18 100644
--- a/internal/command/system_features.go
+++ b/internal/command/system_features.go
@@ -18,6 +18,7 @@ type SystemFeatures struct {
 	Actions                         *bool
 	ImprovedPerformance             []feature.ImprovedPerformanceType
 	OIDCSingleV1SessionTermination  *bool
+	DisableUserTokenEvent           *bool
 }
 
 func (m *SystemFeatures) isEmpty() bool {
@@ -29,7 +30,8 @@ func (m *SystemFeatures) isEmpty() bool {
 		m.Actions == nil &&
 		// nil check to allow unset improvements
 		m.ImprovedPerformance == nil &&
-		m.OIDCSingleV1SessionTermination == nil
+		m.OIDCSingleV1SessionTermination == nil &&
+		m.DisableUserTokenEvent == nil
 }
 
 func (c *Commands) SetSystemFeatures(ctx context.Context, f *SystemFeatures) (*domain.ObjectDetails, error) {
diff --git a/internal/command/system_features_model.go b/internal/command/system_features_model.go
index 4c169ec69e..5cc70338bb 100644
--- a/internal/command/system_features_model.go
+++ b/internal/command/system_features_model.go
@@ -61,6 +61,7 @@ func (m *SystemFeaturesWriteModel) Query() *eventstore.SearchQueryBuilder {
 			feature_v2.SystemActionsEventType,
 			feature_v2.SystemImprovedPerformanceEventType,
 			feature_v2.SystemOIDCSingleV1SessionTerminationEventType,
+			feature_v2.SystemDisableUserTokenEvent,
 		).
 		Builder().ResourceOwner(m.ResourceOwner)
 }
@@ -96,6 +97,9 @@ func reduceSystemFeature(features *SystemFeatures, key feature.Key, value any) {
 	case feature.KeyOIDCSingleV1SessionTermination:
 		v := value.(bool)
 		features.OIDCSingleV1SessionTermination = &v
+	case feature.KeyDisableUserTokenEvent:
+		v := value.(bool)
+		features.DisableUserTokenEvent = &v
 	}
 }
 
@@ -110,6 +114,7 @@ func (wm *SystemFeaturesWriteModel) setCommands(ctx context.Context, f *SystemFe
 	cmds = appendFeatureUpdate(ctx, cmds, aggregate, wm.Actions, f.Actions, feature_v2.SystemActionsEventType)
 	cmds = appendFeatureSliceUpdate(ctx, cmds, aggregate, wm.ImprovedPerformance, f.ImprovedPerformance, feature_v2.SystemImprovedPerformanceEventType)
 	cmds = appendFeatureUpdate(ctx, cmds, aggregate, wm.OIDCSingleV1SessionTermination, f.OIDCSingleV1SessionTermination, feature_v2.SystemOIDCSingleV1SessionTerminationEventType)
+	cmds = appendFeatureUpdate(ctx, cmds, aggregate, wm.DisableUserTokenEvent, f.DisableUserTokenEvent, feature_v2.SystemDisableUserTokenEvent)
 	return cmds
 }
 
diff --git a/internal/feature/feature.go b/internal/feature/feature.go
index de7cdd8027..3104f6ed59 100644
--- a/internal/feature/feature.go
+++ b/internal/feature/feature.go
@@ -17,6 +17,7 @@ const (
 	KeyWebKey
 	KeyDebugOIDCParentError
 	KeyOIDCSingleV1SessionTermination
+	KeyDisableUserTokenEvent
 )
 
 //go:generate enumer -type Level -transform snake -trimprefix Level
@@ -43,6 +44,7 @@ type Features struct {
 	WebKey                          bool                      `json:"web_key,omitempty"`
 	DebugOIDCParentError            bool                      `json:"debug_oidc_parent_error,omitempty"`
 	OIDCSingleV1SessionTermination  bool                      `json:"terminate_single_v1_session,omitempty"`
+	DisableUserTokenEvent           bool                      `json:"disable_user_token_event,omitempty"`
 }
 
 type ImprovedPerformanceType int32
diff --git a/internal/feature/key_enumer.go b/internal/feature/key_enumer.go
index cbe3c5bf7a..46d8613fbc 100644
--- a/internal/feature/key_enumer.go
+++ b/internal/feature/key_enumer.go
@@ -7,11 +7,11 @@ import (
 	"strings"
 )
 
-const _KeyName = "unspecifiedlogin_default_orgtrigger_introspection_projectionslegacy_introspectionuser_schematoken_exchangeactionsimproved_performanceweb_keydebug_oidc_parent_errorterminate_single_v1_session"
+const _KeyName = "unspecifiedlogin_default_orgtrigger_introspection_projectionslegacy_introspectionuser_schematoken_exchangeactionsimproved_performanceweb_keydebug_oidc_parent_erroroidc_single_v1_session_terminationdisable_user_token_event"
 
-var _KeyIndex = [...]uint8{0, 11, 28, 61, 81, 92, 106, 113, 133, 140, 163, 190}
+var _KeyIndex = [...]uint8{0, 11, 28, 61, 81, 92, 106, 113, 133, 140, 163, 197, 221}
 
-const _KeyLowerName = "unspecifiedlogin_default_orgtrigger_introspection_projectionslegacy_introspectionuser_schematoken_exchangeactionsimproved_performanceweb_keydebug_oidc_parent_errorterminate_single_v1_session"
+const _KeyLowerName = "unspecifiedlogin_default_orgtrigger_introspection_projectionslegacy_introspectionuser_schematoken_exchangeactionsimproved_performanceweb_keydebug_oidc_parent_erroroidc_single_v1_session_terminationdisable_user_token_event"
 
 func (i Key) String() string {
 	if i < 0 || i >= Key(len(_KeyIndex)-1) {
@@ -35,9 +35,10 @@ func _KeyNoOp() {
 	_ = x[KeyWebKey-(8)]
 	_ = x[KeyDebugOIDCParentError-(9)]
 	_ = x[KeyOIDCSingleV1SessionTermination-(10)]
+	_ = x[KeyDisableUserTokenEvent-(11)]
 }
 
-var _KeyValues = []Key{KeyUnspecified, KeyLoginDefaultOrg, KeyTriggerIntrospectionProjections, KeyLegacyIntrospection, KeyUserSchema, KeyTokenExchange, KeyActions, KeyImprovedPerformance, KeyWebKey, KeyDebugOIDCParentError, KeyOIDCSingleV1SessionTermination}
+var _KeyValues = []Key{KeyUnspecified, KeyLoginDefaultOrg, KeyTriggerIntrospectionProjections, KeyLegacyIntrospection, KeyUserSchema, KeyTokenExchange, KeyActions, KeyImprovedPerformance, KeyWebKey, KeyDebugOIDCParentError, KeyOIDCSingleV1SessionTermination, KeyDisableUserTokenEvent}
 
 var _KeyNameToValueMap = map[string]Key{
 	_KeyName[0:11]:         KeyUnspecified,
@@ -60,8 +61,10 @@ var _KeyNameToValueMap = map[string]Key{
 	_KeyLowerName[133:140]: KeyWebKey,
 	_KeyName[140:163]:      KeyDebugOIDCParentError,
 	_KeyLowerName[140:163]: KeyDebugOIDCParentError,
-	_KeyName[163:190]:      KeyOIDCSingleV1SessionTermination,
-	_KeyLowerName[163:190]: KeyOIDCSingleV1SessionTermination,
+	_KeyName[163:197]:      KeyOIDCSingleV1SessionTermination,
+	_KeyLowerName[163:197]: KeyOIDCSingleV1SessionTermination,
+	_KeyName[197:221]:      KeyDisableUserTokenEvent,
+	_KeyLowerName[197:221]: KeyDisableUserTokenEvent,
 }
 
 var _KeyNames = []string{
@@ -75,7 +78,8 @@ var _KeyNames = []string{
 	_KeyName[113:133],
 	_KeyName[133:140],
 	_KeyName[140:163],
-	_KeyName[163:190],
+	_KeyName[163:197],
+	_KeyName[197:221],
 }
 
 // KeyString retrieves an enum value from the enum constants string name.
diff --git a/internal/query/instance_features.go b/internal/query/instance_features.go
index 5f501faea0..1616d9b366 100644
--- a/internal/query/instance_features.go
+++ b/internal/query/instance_features.go
@@ -19,6 +19,7 @@ type InstanceFeatures struct {
 	WebKey                          FeatureSource[bool]
 	DebugOIDCParentError            FeatureSource[bool]
 	OIDCSingleV1SessionTermination  FeatureSource[bool]
+	DisableUserTokenEvent           FeatureSource[bool]
 }
 
 func (q *Queries) GetInstanceFeatures(ctx context.Context, cascade bool) (_ *InstanceFeatures, err error) {
diff --git a/internal/query/instance_features_model.go b/internal/query/instance_features_model.go
index d1a0833192..80515b4773 100644
--- a/internal/query/instance_features_model.go
+++ b/internal/query/instance_features_model.go
@@ -70,6 +70,7 @@ func (m *InstanceFeaturesReadModel) Query() *eventstore.SearchQueryBuilder {
 			feature_v2.InstanceWebKeyEventType,
 			feature_v2.InstanceDebugOIDCParentErrorEventType,
 			feature_v2.InstanceOIDCSingleV1SessionTerminationEventType,
+			feature_v2.InstanceDisableUserTokenEvent,
 		).
 		Builder().ResourceOwner(m.ResourceOwner)
 }
@@ -94,6 +95,7 @@ func (m *InstanceFeaturesReadModel) populateFromSystem() bool {
 	m.instance.Actions = m.system.Actions
 	m.instance.ImprovedPerformance = m.system.ImprovedPerformance
 	m.instance.OIDCSingleV1SessionTermination = m.system.OIDCSingleV1SessionTermination
+	m.instance.DisableUserTokenEvent = m.system.DisableUserTokenEvent
 	return true
 }
 
@@ -125,6 +127,8 @@ func reduceInstanceFeatureSet[T any](features *InstanceFeatures, event *feature_
 		features.DebugOIDCParentError.set(level, event.Value)
 	case feature.KeyOIDCSingleV1SessionTermination:
 		features.OIDCSingleV1SessionTermination.set(level, event.Value)
+	case feature.KeyDisableUserTokenEvent:
+		features.DisableUserTokenEvent.set(level, event.Value)
 	}
 	return nil
 }
diff --git a/internal/query/projection/instance_features.go b/internal/query/projection/instance_features.go
index 3eb2073c0f..1b18e42e76 100644
--- a/internal/query/projection/instance_features.go
+++ b/internal/query/projection/instance_features.go
@@ -100,6 +100,10 @@ func (*instanceFeatureProjection) Reducers() []handler.AggregateReducer {
 				Event:  feature_v2.InstanceOIDCSingleV1SessionTerminationEventType,
 				Reduce: reduceInstanceSetFeature[bool],
 			},
+			{
+				Event:  feature_v2.InstanceDisableUserTokenEvent,
+				Reduce: reduceInstanceSetFeature[bool],
+			},
 			{
 				Event:  instance.InstanceRemovedEventType,
 				Reduce: reduceInstanceRemovedHelper(InstanceDomainInstanceIDCol),
diff --git a/internal/query/projection/system_features.go b/internal/query/projection/system_features.go
index 158da7a616..cf3013e57c 100644
--- a/internal/query/projection/system_features.go
+++ b/internal/query/projection/system_features.go
@@ -80,6 +80,10 @@ func (*systemFeatureProjection) Reducers() []handler.AggregateReducer {
 				Event:  feature_v2.SystemImprovedPerformanceEventType,
 				Reduce: reduceSystemSetFeature[[]feature.ImprovedPerformanceType],
 			},
+			{
+				Event:  feature_v2.SystemDisableUserTokenEvent,
+				Reduce: reduceSystemSetFeature[bool],
+			},
 		},
 	}}
 }
diff --git a/internal/query/system_features.go b/internal/query/system_features.go
index 940cb8fece..ddbd0a08ea 100644
--- a/internal/query/system_features.go
+++ b/internal/query/system_features.go
@@ -28,6 +28,7 @@ type SystemFeatures struct {
 	Actions                         FeatureSource[bool]
 	ImprovedPerformance             FeatureSource[[]feature.ImprovedPerformanceType]
 	OIDCSingleV1SessionTermination  FeatureSource[bool]
+	DisableUserTokenEvent           FeatureSource[bool]
 }
 
 func (q *Queries) GetSystemFeatures(ctx context.Context) (_ *SystemFeatures, err error) {
diff --git a/internal/query/system_features_model.go b/internal/query/system_features_model.go
index efb18f43bb..f8670c87fe 100644
--- a/internal/query/system_features_model.go
+++ b/internal/query/system_features_model.go
@@ -58,6 +58,7 @@ func (m *SystemFeaturesReadModel) Query() *eventstore.SearchQueryBuilder {
 			feature_v2.SystemActionsEventType,
 			feature_v2.SystemImprovedPerformanceEventType,
 			feature_v2.SystemOIDCSingleV1SessionTerminationEventType,
+			feature_v2.SystemDisableUserTokenEvent,
 		).
 		Builder().ResourceOwner(m.ResourceOwner)
 }
@@ -91,6 +92,8 @@ func reduceSystemFeatureSet[T any](features *SystemFeatures, event *feature_v2.S
 		features.ImprovedPerformance.set(level, event.Value)
 	case feature.KeyOIDCSingleV1SessionTermination:
 		features.OIDCSingleV1SessionTermination.set(level, event.Value)
+	case feature.KeyDisableUserTokenEvent:
+		features.DisableUserTokenEvent.set(level, event.Value)
 	}
 	return nil
 }
diff --git a/internal/repository/feature/feature_v2/eventstore.go b/internal/repository/feature/feature_v2/eventstore.go
index 09988bb975..866d331db4 100644
--- a/internal/repository/feature/feature_v2/eventstore.go
+++ b/internal/repository/feature/feature_v2/eventstore.go
@@ -14,7 +14,8 @@ func init() {
 	eventstore.RegisterFilterEventMapper(AggregateType, SystemTokenExchangeEventType, eventstore.GenericEventMapper[SetEvent[bool]])
 	eventstore.RegisterFilterEventMapper(AggregateType, SystemActionsEventType, eventstore.GenericEventMapper[SetEvent[bool]])
 	eventstore.RegisterFilterEventMapper(AggregateType, SystemImprovedPerformanceEventType, eventstore.GenericEventMapper[SetEvent[[]feature.ImprovedPerformanceType]])
-	eventstore.RegisterFilterEventMapper(AggregateType, InstanceOIDCSingleV1SessionTerminationEventType, eventstore.GenericEventMapper[SetEvent[bool]])
+	eventstore.RegisterFilterEventMapper(AggregateType, SystemOIDCSingleV1SessionTerminationEventType, eventstore.GenericEventMapper[SetEvent[bool]])
+	eventstore.RegisterFilterEventMapper(AggregateType, SystemDisableUserTokenEvent, eventstore.GenericEventMapper[SetEvent[bool]])
 
 	eventstore.RegisterFilterEventMapper(AggregateType, InstanceResetEventType, eventstore.GenericEventMapper[ResetEvent])
 	eventstore.RegisterFilterEventMapper(AggregateType, InstanceLoginDefaultOrgEventType, eventstore.GenericEventMapper[SetEvent[bool]])
@@ -27,4 +28,5 @@ func init() {
 	eventstore.RegisterFilterEventMapper(AggregateType, InstanceWebKeyEventType, eventstore.GenericEventMapper[SetEvent[bool]])
 	eventstore.RegisterFilterEventMapper(AggregateType, InstanceDebugOIDCParentErrorEventType, eventstore.GenericEventMapper[SetEvent[bool]])
 	eventstore.RegisterFilterEventMapper(AggregateType, InstanceOIDCSingleV1SessionTerminationEventType, eventstore.GenericEventMapper[SetEvent[bool]])
+	eventstore.RegisterFilterEventMapper(AggregateType, InstanceDisableUserTokenEvent, eventstore.GenericEventMapper[SetEvent[bool]])
 }
diff --git a/internal/repository/feature/feature_v2/feature.go b/internal/repository/feature/feature_v2/feature.go
index b88fba1a3a..95f7e44360 100644
--- a/internal/repository/feature/feature_v2/feature.go
+++ b/internal/repository/feature/feature_v2/feature.go
@@ -20,6 +20,7 @@ var (
 	SystemActionsEventType                         = setEventTypeFromFeature(feature.LevelSystem, feature.KeyActions)
 	SystemImprovedPerformanceEventType             = setEventTypeFromFeature(feature.LevelSystem, feature.KeyImprovedPerformance)
 	SystemOIDCSingleV1SessionTerminationEventType  = setEventTypeFromFeature(feature.LevelSystem, feature.KeyOIDCSingleV1SessionTermination)
+	SystemDisableUserTokenEvent                    = setEventTypeFromFeature(feature.LevelSystem, feature.KeyDisableUserTokenEvent)
 
 	InstanceResetEventType                           = resetEventTypeFromFeature(feature.LevelInstance)
 	InstanceLoginDefaultOrgEventType                 = setEventTypeFromFeature(feature.LevelInstance, feature.KeyLoginDefaultOrg)
@@ -32,6 +33,7 @@ var (
 	InstanceWebKeyEventType                          = setEventTypeFromFeature(feature.LevelInstance, feature.KeyWebKey)
 	InstanceDebugOIDCParentErrorEventType            = setEventTypeFromFeature(feature.LevelInstance, feature.KeyDebugOIDCParentError)
 	InstanceOIDCSingleV1SessionTerminationEventType  = setEventTypeFromFeature(feature.LevelInstance, feature.KeyOIDCSingleV1SessionTermination)
+	InstanceDisableUserTokenEvent                    = setEventTypeFromFeature(feature.LevelInstance, feature.KeyDisableUserTokenEvent)
 )
 
 const (
diff --git a/proto/zitadel/feature/v2/instance.proto b/proto/zitadel/feature/v2/instance.proto
index 4dc261f06b..ee41c313f2 100644
--- a/proto/zitadel/feature/v2/instance.proto
+++ b/proto/zitadel/feature/v2/instance.proto
@@ -79,6 +79,13 @@ message SetInstanceFeaturesRequest{
       description: "If the flag is enabled, you'll be able to terminate a single session from the login UI by providing an id_token with a `sid` claim as id_token_hint on the end_session endpoint. Note that currently all sessions from the same user agent (browser) are terminated in the login UI. Sessions managed through the Session API already allow the termination of single sessions.";
     }
   ];
+
+  optional bool disable_user_token_event = 11 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      example: "true";
+      description: "Do not push user token meta-event user.token.v2.added to improve performance on many concurrent single (machine-)user logins";
+    }
+  ];
 }
 
 message SetInstanceFeaturesResponse {
@@ -171,4 +178,11 @@ message GetInstanceFeaturesResponse {
       description: "If the flag is enabled, you'll be able to terminate a single session from the login UI by providing an id_token with a `sid` claim as id_token_hint on the end_session endpoint. Note that currently all sessions from the same user agent (browser) are terminated in the login UI. Sessions managed through the Session API already allow the termination of single sessions.";
     }
   ];
+
+  FeatureFlag disable_user_token_event = 12 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      example: "true";
+      description: "Do not push user token meta-event user.token.v2.added to improve performance on many concurrent single (machine-)user logins";
+    }
+  ];
 }
diff --git a/proto/zitadel/feature/v2/system.proto b/proto/zitadel/feature/v2/system.proto
index 29d8824da6..70ff3c6506 100644
--- a/proto/zitadel/feature/v2/system.proto
+++ b/proto/zitadel/feature/v2/system.proto
@@ -68,6 +68,13 @@ message SetSystemFeaturesRequest{
       description: "If the flag is enabled, you'll be able to terminate a single session from the login UI by providing an id_token with a `sid` claim as id_token_hint on the end_session endpoint. Note that currently all sessions from the same user agent (browser) are terminated in the login UI. Sessions managed through the Session API already allow the termination of single sessions.";
     }
   ];
+
+  optional bool disable_user_token_event = 9 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      example: "true";
+      description: "Do not push user token meta-event user.token.v2.added to improve performance on many concurrent single (machine-)user logins";
+    }
+  ];
 }
 
 message SetSystemFeaturesResponse {
@@ -139,4 +146,11 @@ message GetSystemFeaturesResponse {
       description: "If the flag is enabled, you'll be able to terminate a single session from the login UI by providing an id_token with a `sid` claim as id_token_hint on the end_session endpoint. Note that currently all sessions from the same user agent (browser) are terminated in the login UI. Sessions managed through the Session API already allow the termination of single sessions.";
     }
   ];
+
+  FeatureFlag disable_user_token_event = 10 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      example: "true";
+      description: "Do not push user token meta-event user.token.v2.added to improve performance on many concurrent single (machine-)user logins";
+    }
+  ];
 }