docs: rename instance settings to default settings (#7484)

* docs: rename instance settings to default settings

* docs: correct local reference to docs

* docs: correct local reference to docs

---------

Co-authored-by: Max Peintner <max@caos.ch>

SECURITY.md

@@ -42,7 +42,7 @@ We will not publish this information by default to protect your privacy.
 ### When should I NOT report a vulnerability
 
 - Disclosure of known public files or directories, e.g. robots.txt, files under .well-known, or files that are included in our public repositories (eg, go.mod)
-- DoS of users when [Lockout Policy is enabled](https://zitadel.com/docs/guides/manage/console/instance-settings#lockout)
+- DoS of users when [Lockout Policy is enabled](https://zitadel.com/docs/guides/manage/console/default-settings#lockout)
 - You need help applying security related settings
 
 ## Disclosure Process

docs/docs/concepts/features/custom-domain.md

@@ -10,4 +10,4 @@ By configuring a custom domain within ZITADEL, organizations can replace the def
 
 This not only enhances the overall user experience but also reinforces the organization's brand presence. Additionally, custom domains can contribute to trust and credibility, as users are more likely to recognize and trust URLs associated with the organization rather than generic domains. Overall, ZITADEL's custom domain feature empowers organizations to tailor the authentication process to align with their brand identity and user expectations.
 
-Learn how to [configure a custom domain in ZITADEL Cloud](/guides/manage/cloud/instances#add-custom-domain) or how to configure [custom domain when self-hosting](/self-hosting/manage/custom-domain).
+Learn how to [configure a custom domain in ZITADEL Cloud](/docs/guides/manage/cloud/instances#add-custom-domain) or how to configure [custom domain when self-hosting](/docs/self-hosting/manage/custom-domain).

docs/docs/concepts/features/identity-brokering.md

@@ -17,7 +17,7 @@ For example, if Google is configured as an identity provider in your organizatio
 
 ## How to use external identity providers in ZITADEL
 
-Configure external identity providers on the instance level or just for one organization via the [Console](/guides/manage/console/instance-settings#identity-providers) or ZITADEL APIs.
+Configure external identity providers on the instance level or just for one organization via the [Console](/guides/manage/console/default-settings#identity-providers) or ZITADEL APIs.
 
 You will find [detailed integration guides for many Identity Providers](/guides/integrate/identity-providers) in our docs.
 ZITADEL also provides templates to configure generic identity providers, which don't have templates.

docs/docs/concepts/structure/instance.mdx

@@ -13,7 +13,7 @@ One instance normally runs on one domain and represents one issuer (e.g login.cu
 One instance can contain multiple [organizations](/concepts/structure/organizations),
 which in turn can represent your own company (e.g. departments), your business customers or a consumer organization.
 
-Read more about how to configure your instance in our [instance guide](/guides/manage/console/instance-settings).
+Read more about how to configure your instance in our [instance guide](/guides/manage/console/default-settings).
 
 ![Overview](/img/concepts/objects/object_overview.png)
 

docs/docs/concepts/structure/policies.md

@@ -4,6 +4,6 @@ sidebar_label: Setting and Policies
 ---
 
 Settings and policies are configurations of all the different parts of the instance or an organization. For all parts we have a suitable default in the instance.
-The default configuration can be overridden for each organization, some policies are currently only available on the instance level. Learn more about our different policies [here](/guides/manage/console/instance-settings.mdx).
+The default configuration can be overridden for each organization, some policies are currently only available on the instance level. Learn more about our different policies [here](/guides/manage/console/default-settings.mdx).
 
 API wise, settings are often called policies. You can read the proto and swagger definitions [here](../../apis/introduction.mdx).

docs/docs/guides/integrate/identity-providers/_test_setup.mdx

@@ -3,8 +3,8 @@ To test the setup, use incognito mode and browse to your login page.
 You see a new button which redirects you to {props.loginscreen} screen.
 </p>
 
-By default, ZITADEL shows what you define in the instance settings.
+By default, ZITADEL shows what you define in the default settings.
-If you overwrite the instance settings for an organization, you need to send the organization scope in your auth request.
+If you overwrite the default settings for an organization, you need to send the organization scope in your auth request.
 
 The organization scope looks like this: ```urn:zitadel:iam:org:id:{id}```.
 You can [read more about the reserved scopes](/apis/openidoauth/scopes#reserved-scopes)

docs/docs/guides/integrate/login-ui/mfa.mdx

@@ -165,7 +165,7 @@ When the user has decided to register the phone number to get a code as a second
 If the user already has a verified phone number you can skip this step.
 
 When adding a new phone number, you can choose if you want ZITADEL to send the verification code to the number, or if you want to send it by yourself.
-If ZITADEL should do it, make sure that you have registered an [SMS Provider](/docs/guides/manage/console/instance-settings#sms) and send an empty sendCode object in the request.
+If ZITADEL should do it, make sure that you have registered an [SMS Provider](/docs/guides/manage/console/default-settings#sms) and send an empty sendCode object in the request.
 With an empty returnCode object in the request, ZITADEL will not send the code, but return it in the response.
 
 If you don't want the user to verify the phone number, you can also create it directly as verified, by sending the isVerified attribute.

docs/docs/guides/integrate/login/login-users.mdx

@@ -143,7 +143,7 @@ ZITADEL simplifies multi-tenancy authentication by securely managing authenticat
 Key features include:
 
 1. **Secure Tenant Isolation**: Ensures robust security measures to prevent unauthorized access between tenants, maintaining data privacy and compliance. [Managers](/docs/concepts/structure/managers) for an organization have only access to data and configuration within their Organization.
-2. **Custom Authentication Configurations**: Allows tailored [authentication settings](/docs/guides/manage/console/instance-settings#login-behavior-and-access), [branding](/docs/guides/manage/customize/branding), and policies for each tenant.
+2. **Custom Authentication Configurations**: Allows tailored [authentication settings](/docs/guides/manage/console/default-settings#login-behavior-and-access), [branding](/docs/guides/manage/customize/branding), and policies for each tenant.
 3. **Centralized Management**: Provides [centralized administration](/docs/guides/manage/console/managers) for efficient management across all tenants.
 4. **Scalability and Flexibility**: Scales seamlessly to accommodate growing organizations of all sizes.
 5. **Domain Discovery**: Starting on a central login page, route users to their tenant based on their email address or other user attributes. Authentication settings will be applied automatically based on the organization's policies, this includes routing users seamlessly to third party identity providers like [Entra ID](/docs/guides/integrate/identity-providers/azure-ad).
@@ -195,7 +195,7 @@ Users are automatically prompted to provide a second factor, when
 When a multi-factor is required, but not set up, then the user is requested to set up an additional factor.
 
 :::info Disabling multifactor prompt
-You can disable the prompt, in case multifactor authentication is not enforced by setting the [**Multifactor Init Lifetime**](/docs/guides/manage/console/instance-settings#login-lifetimes) to 0.
+You can disable the prompt, in case multifactor authentication is not enforced by setting the [**Multifactor Init Lifetime**](/docs/guides/manage/console/default-settings#login-lifetimes) to 0.
 :::
 
 #### Enroll passkeys
@@ -210,7 +210,8 @@ The user experience depends mainly on the operating system and browser.
 ## Build a custom Login UI to authenticate users
 
 In certain cases, you want to build your own login UI to optimize your user experience.
-We have dedicated guides on [how to build your custom login UI](../login-ui) with ZITADEL.
+
+We have dedicated guides on [how to build your custom login UI](/docs/guides/integrate/login-ui) with ZITADEL.
 
 When building your own login UI, you will leverage the [Session API](#zitadels-session-api) to authenticate users and manage user sessions.
 

docs/docs/guides/manage/console/_create-user.mdx

@@ -20,7 +20,7 @@ After a human user is created, by default, an initialization mail with a code is
 If you want to omit this mail, you can check the **email verified** and **set initial password** toggle.
 If no password is set initially, the initialization mail prompting the user to set his password is sent.
 
-You can prompt the user to add a second factor method too by checking the **Force MFA** toggle in [Login behaviour settings](/docs/guides/manage/console/instance-settings#login-behavior-and-access).
+You can prompt the user to add a second factor method too by checking the **Force MFA** toggle in [Login behaviour settings](/docs/guides/manage/console/default-settings#login-behavior-and-access).
 
 When logged in, a user can then manage the profile in the console, adding a profile picture, external IDPs and Passwordless authentication devices.
 

docs/docs/guides/manage/console/default-settings.mdx

@@ -1,11 +1,11 @@
 ---
-title: ZITADEL Instance Settings
+title: ZITADEL Default Settings
-sidebar_label: Instance Settings
+sidebar_label: Default Settings
 ---
 
-Instance settings work as default or fallback settings for your organizational settings. Most of the time you only have to set instance settings for the cases where you don't need specific behavior in the organizations themselves or you only have one organization.
+Default settings work as default or fallback settings for your organizational settings. Most of the time you only have to set default settings for the cases where you don't need specific behavior in the organizations themselves or you only have one organization.
 
-To access instance settings, use the instance page at `{instanceDomain}/ui/console/settings` or click at the instance button on the **top-right** of the page and then navigate to settings in the navigation.
+To access default settings, use the settomgs page at `{instanceDomain}/ui/console/settings` or click at the default settings button on the **top-right** of the page and then navigate to settings in the navigation.
 
 <img
   src="/docs/img/guides/console/instancebutton.png"
@@ -13,7 +13,7 @@ To access instance settings, use the instance page at `{instanceDomain}/ui/conso
   width="450px"
 />
 
-When you configure your instance, you can set the following:
+When you configure your default settings, you can set the following:
 
 - **General**: Default Language for the UI
 - [**Notification settings**](#notification-providers-and-smtp): Notification and Email Server settings, so initialization-, verification- and other mails are sent from your own domain. For SMS, Twilio is supported as notification provider.

docs/docs/guides/manage/console/organizations.mdx

@@ -40,7 +40,7 @@ At the moment the username only allows e-mail formatted input. (This will be cha
 ### User Loginname must contain orgdomain
 
 If this behavior is not suitable for you, ZITADEL has the option to suffix the usernames with the organization domain.
-This setting is called **User Loginname must contain orgdomain** and is part of your [Domain settings](./instance-settings#domain-settings).
+This setting is called **User Loginname must contain orgdomain** and is part of your [Domain settings](./default-settings#domain-settings).
 
 Those loginnames consist of the format `{username}@{domainname}.{zitadeldomain}`.
 If your user had the username `john.doe`, the generated loginname would be `john.doe@acme.zitadel.cloud`.
@@ -58,7 +58,7 @@ Once you have successfully registered your organization, ZITADEL will automatica
 Users that you create within your organization will be suffixed with this domain name.
 
 You can improve the user experience, by suffixing users with a domain name that is in your control.
-If the "validate org domains" settings in the [Domain Settings](./instance-settings#domain-settings) is set to true, you have to prove the ownership of your domain, by DNS or HTTP challenge.
+If the "validate org domains" settings in the [Domain Settings](./default-settings#domain-settings) is set to true, you have to prove the ownership of your domain, by DNS or HTTP challenge.
 If the setting is set to false, the created domain will automatically be set to verifed.
 
 An organization can have multiple domain names, but only one domain can be primary.
@@ -71,7 +71,7 @@ ZITADEL will notify users affected by this change.
 ## Verify your domain name
 
 :::info
-You can also disable domain verification with DNS challenge in the [instance settings](/docs/guides/manage/console/instance-settings#domain-settings).
+You can also disable domain verification with DNS challenge in the [instance settings](/docs/guides/manage/console/default-settings#domain-settings).
 :::
 
 1. Browse to your organization settings
@@ -105,16 +105,16 @@ Those settings are the same as on your instance.
 
 > Note: that the following links, redirect to instance settings to omit redundancy.
 
-- [**Login Behavior and Access**](./instance-settings#login-behaviour-and-access): Multifactor Authentication Options and Enforcement, Define whether Passwordless authentication methods are allowed or not, Set Login Lifetimes and advanced behavour for the login interface.
+- [**Login Behavior and Access**](./default-settings#login-behaviour-and-access): Multifactor Authentication Options and Enforcement, Define whether Passwordless authentication methods are allowed or not, Set Login Lifetimes and advanced behavour for the login interface.
-- [**Identity Providers**](./instance-settings#identity-providers): Define IDPs which are available for all organizations
+- [**Identity Providers**](./default-settings#identity-providers): Define IDPs which are available for all organizations
-- [**Password Complexity**](./instance-settings#password-complexity): Requirements for Passwords ex. Symbols, Numbers, min length and more.
+- [**Password Complexity**](./default-settings#password-complexity): Requirements for Passwords ex. Symbols, Numbers, min length and more.
-- [**Lockout**](./instance-settings#lockout): Set the maximum attempts a user can try to enter the password. When the number is exceeded, the user gets locked out and has to be unlocked.
+- [**Lockout**](./default-settings#lockout): Set the maximum attempts a user can try to enter the password. When the number is exceeded, the user gets locked out and has to be unlocked.
 - [**Verified domains**](/docs/guides/manage/console/organizations#verify-your-domain-name): This is where you manage your organization specific domains which can be used to build usernames
-- [**Domain settings**](./instance-settings#domain-settings): Whether users use their email or the generated username to login. Other Validation, SMTP settings
+- [**Domain settings**](./default-settings#domain-settings): Whether users use their email or the generated username to login. Other Validation, SMTP settings
-- [**Branding**](./instance-settings#branding): Appearance of the login interface.
+- [**Branding**](./default-settings#branding): Appearance of the login interface.
-- [**Message Texts**](./instance-settings#message-texts): Text and internationalization for emails
+- [**Message Texts**](./default-settings#message-texts): Text and internationalization for emails
-- [**Login Interface Texts**](./instance-settings#login-interface-texts): Text and internationalization for the login interface
+- [**Login Interface Texts**](./default-settings#login-interface-texts): Text and internationalization for the login interface
-- [**Privacy Policy**](./instance-settings#privacy-policy-and-tos): Links to your own Terms of Service and Privacy Policy regulations. Link to Help Page.
+- [**Privacy Policy**](./default-settings#privacy-policy-and-tos): Links to your own Terms of Service and Privacy Policy regulations. Link to Help Page.
 
 If you need custom branding on a organization (for example in a B2B scenario, where organizations are allowed to use their custom design), navigate back to the home page, choose your organization in the header above, navigate to the organization settings and set the custom design here.
 
@@ -123,7 +123,7 @@ The behavior of the login page, applying custom design, is then defined on your
 ## Show Organization Login
 
 As you should know by now ZITADEL knows the concept of Organizations.
-You can define [default settings](/docs/guides/manage/console/instance-settings) for your ZITADEL, or you can overwrite them for an [Organization](#organization-settings).
+You can define [default settings](/docs/guides/manage/console/default-settings) for your ZITADEL, or you can overwrite them for an [Organization](#organization-settings).
 Per default the ZITADEL Login will always show what is defined per default. As soon as the Organization context is given, the settings defined on the specific organization can be triggered.
 This means when you want to trigger the settings of an organization directly, make sure to send the organization scope in the authentication request.
 

docs/docs/guides/manage/console/overview.mdx

@@ -6,7 +6,7 @@ sidebar_label: Overview
 ## What is console?
 
 Console is the Dashboard UI for your instance. It can be accessed from all configured instance domains, defined in the Customer Portal.
-The console is used to configure global instance settings and can be used by multiple Managers.
+The console is used to configure global default settings and can be used by multiple Managers.
 Read more about [Console Managers](./managers) here.
 
 It can also be used by your application users to modify their profile, although we recommend that you build your own User Interface.

docs/docs/guides/manage/customize/texts.md

@@ -60,6 +60,6 @@ If you only want to enable a subset of the supported languages, you can configur
 The login UI and notification messages are only rendered in one of the allowed languages and fallback to the instances default language.
 Also, the instances OIDC discovery endpoint will only list the allowed languages in the *ui_locales_supported* field.
 
-All language settings are also configurable in the consoles *Languages* instance settings.
+All language settings are also configurable in the consoles *Languages* default settings.
 
 ![Languages](/img/guides/console/languages.png)

docs/docs/guides/migrate/users.md

@@ -191,7 +191,7 @@ Currently it is not possible to migrate passkeys directly from another system.
 
 ## Users linked to an external IDP
 
-A users `sub` is bound to the external [IDP's Client ID](https://zitadel.com/docs/guides/manage/console/instance-settings#identity-providers).
+A users `sub` is bound to the external [IDP's Client ID](https://zitadel.com/docs/guides/manage/console/default-settings#identity-providers).
 This means that the IDP Client ID configured in ZITADEL must be the same ID as in the legacy system.
 
 Users should be imported with their `externalUserId`.

docs/docs/guides/solution-scenarios/configurations.mdx

@@ -122,7 +122,7 @@ This change can make you vulnerable to clickjacking attacks.
 
 If your applications need to load ZITADEL inside an iframe, e.g. for a silent login or silent refresh, you can enable the use on an instance level.
 
-1. Navigate to the Instance Settings.
+1. Navigate to the Default Settings.
 2. Click on the Security Policy tab.
 3. Enable the "Allow IFrame" and add the host(s) you load the iframe from.
 

docs/docs/guides/solution-scenarios/domain-discovery.mdx

@@ -28,7 +28,7 @@ Follow this guide to configure your ZITADEL instance for this scenario.
 
 You will use the instance default settings for the login for the organization **CIAM**.
 When opening `login.mycompany.com` then the login policy of the instance will be applied.
-This means that you have to configure the [Login and Access](/docs/guides/manage/console/instance-settings#login-behavior-and-access) Policy and [Identity Providers](/docs/guides/manage/console/instance-settings#identity-providers) for the **CIAM** users on the instance itself.
+This means that you have to configure the [Login and Access](/docs/guides/manage/console/default-settings#login-behavior-and-access) Policy and [Identity Providers](/docs/guides/manage/console/default-settings#identity-providers) for the **CIAM** users on the instance itself.
 
 :::info
 You can also configure these settings on the default organization (see below) and send the scope `urn:zitadel:iam:org:id:{id}` with every [auth request](/docs/apis/openidoauth/authrequest#organization-policies-and-branding).
@@ -37,13 +37,13 @@ You can also configure these settings on the default organization (see below) an
 ### Default Organization
 
 Set **CIAM** as [default organization](/docs/guides/manage/console/organizations#default-organization).
-You will find the overview of all organizations under the "Organizations" tab on the Instance Settings.
+You will find the overview of all organizations under the "Organizations" tab on the Default Settings.
 
 The default organization will hold all unmatched users, ie. all users that are not specifically in the organizations **Alpha** or **Beta** in the example.
 
 ### Enable Domain Discovery
 
-In the [Login Behavior and Security Settings](/docs/guides/manage/console/instance-settings#login-behavior-and-access) enable "Domain discovery allowed"
+In the [Login Behavior and Security Settings](/docs/guides/manage/console/default-settings#login-behavior-and-access) enable "Domain discovery allowed"
 
 ### Configure login with email
 
@@ -53,7 +53,7 @@ Follow this [configuration guide](/docs/guides/solution-scenarios/configurations
 
 You can also have multiple custom domains pointing to the same instance as described in this [configuration guide](/docs/guides/solution-scenarios/configurations#custom-application-domain-per-organization). In our example you could also use `alpha.mycompany.com` to show the login page of your instance.
 
-The domain of your email notification can be changed by [setting up your SMTP](/docs/guides/manage/console/instance-settings#smtp).
+The domain of your email notification can be changed by [setting up your SMTP](/docs/guides/manage/console/default-settings#smtp).
 
 ## Organization
 
@@ -67,7 +67,7 @@ In the organization settings under Login Behavior and Access make sure the follo
 - **Register allowed**: Disabled - we will configure this on the external identity provider
 - **External IDP allowed**: Enabled
 
-Now you can configure an [external identity provider](/docs/guides/manage/console/instance-settings#identity-providers).
+Now you can configure an [external identity provider](/docs/guides/manage/console/default-settings#identity-providers).
 
 :::info
 Given you have only one external identity provider configured, when a user tries to login on that organization, then the user will be automatically redirected to the external identity provider.  
@@ -84,7 +84,7 @@ In the organization settings under Login Behavior and Access make sure the follo
 - **Register allowed**: Disabled - you may want [Managers](/docs/concepts/structure/managers) to setup accounts.
 - **External IDP allowed**: Disabled
 
-Make sure to [Force MFA](/docs/guides/manage/console/instance-settings#multifactor-mfa) so that users must setup a second factor for authentication.
+Make sure to [Force MFA](/docs/guides/manage/console/default-settings#multifactor-mfa) so that users must setup a second factor for authentication.
 
 ### Verify domains
 
@@ -94,7 +94,7 @@ Verify the domain alpha.com following the [organization guide](/docs/guides/mana
 Do the same for the **Beta** organization.
 
 :::info
-You can also disable domain verification with acme challenge in the [instance settings](/docs/guides/manage/console/instance-settings#domain-settings).
+You can also disable domain verification with acme challenge in the [default settings](/docs/guides/manage/console/default-settings#domain-settings).
 :::
 
 ## Conclusion

docs/docs/guides/solution-scenarios/restrict-console.mdx

@@ -23,7 +23,7 @@ One goal is to never send the end user to the ZITADEL management console.
 This does make sense if you build your own user profile page within your application.
 In that case you probably want to redirect the user to your own application, instead of to the console.
 
-Read more about how to set the default redirect URI: [Settings - Default Redirect URI](/docs/guides/manage/console/instance-settings#default-redirect-uri)
+Read more about how to set the default redirect URI: [Settings - Default Redirect URI](/docs/guides/manage/console/default-settings#default-redirect-uri)
 
 ### Restricting Console in default-project
 

docs/docs/legal/policies/vulnerability-disclosure-policy.mdx

@@ -57,7 +57,7 @@ We will not publish this information by default to protect your privacy.
 ### What not to report
 
 - Disclosure of known public files or directories, e.g. robots.txt, files under .well-known, or files that are included in our public repositories (eg, go.mod)
-- DoS of users when [Lockout Policy is enabled](https://zitadel.com/docs/guides/manage/console/instance-settings#lockout)
+- DoS of users when [Lockout Policy is enabled](https://zitadel.com/docs/guides/manage/console/default-settings#lockout)
 - Suggestions on Certificate Authority Authorization (CAA) rules
 - Suggestions on DMARC/DKIM/SPF settings
 - Suggestions on DNSSEC settings

docs/docs/self-hosting/manage/productionchecklist.md

@@ -37,9 +37,9 @@ To apply best practices to your production setup we created a step by step check
 
 ### ZITADEL configuration
 
-- [ ] Configure a valid [SMTP Server](/docs/guides/manage/console/instance-settings#smtp) and test the email delivery
+- [ ] Configure a valid [SMTP Server](/docs/guides/manage/console/default-settings#smtp) and test the email delivery
 - [ ] Add [Custom Branding](/docs/guides/manage/customize/branding) if required
-- [ ] Configure a valid [SMS Service](/docs/guides/manage/console/instance-settings#sms) such as Twilio if needed
+- [ ] Configure a valid [SMS Service](/docs/guides/manage/console/default-settings#sms) such as Twilio if needed
 - [ ] Configure your privacy policy, terms of service and a help Link if needed
 - [ ] Keep your [masterkey](https://zitadel.com/docs/self-hosting/manage/configure) in a secure storage
 - [ ] Declare and apply zitadel configuration using the zitadel terraform [provider](https://github.com/zitadel/terraform-provider-zitadel) 

docs/docs/support/technical_advisory.mdx

@@ -78,7 +78,7 @@ We understand that these advisories may include breaking changes, and we aim to
     <td>Breaking Behavior Change</td>
     <td>
         When users are redirected to the ZITADEL Login-UI without any organizational context,
-        they're currently presented a login screen, based on the instance settings,
+        they're currently presented a login screen, based on the default settings,
         e.g. available IDPs and possible login mechanisms. If the user will then register themselves,
         by the registration form or through an IDP, the user will always be created on the default organization.
         With the introduced change, the settings will no longer be loaded from the instance, but rather the default organization directly.

docs/sidebars.js

@@ -134,7 +134,7 @@ module.exports = {
           },
           items: [
             "guides/manage/console/overview",
-            "guides/manage/console/instance-settings",
+            "guides/manage/console/default-settings",
             "guides/manage/console/organizations",
             "guides/manage/console/projects",
             "guides/manage/console/roles",