diff --git a/cmd/admin/start/start.go b/cmd/admin/start/start.go index 6ae353617a..2b40dc7e01 100644 --- a/cmd/admin/start/start.go +++ b/cmd/admin/start/start.go @@ -157,7 +157,7 @@ func startAPIs(ctx context.Context, router *mux.Router, commands *command.Comman if err != nil { return fmt.Errorf("error starting auth repo: %w", err) } - adminRepo, err := admin_es.Start(config.Admin, store, dbClient, login.HandlerPrefix) + adminRepo, err := admin_es.Start(config.Admin, store, dbClient) if err != nil { return fmt.Errorf("error starting admin repo: %w", err) } diff --git a/docs/docs/apis/proto/admin.md b/docs/docs/apis/proto/admin.md index ba8845d9eb..a7f99da429 100644 --- a/docs/docs/apis/proto/admin.md +++ b/docs/docs/apis/proto/admin.md @@ -3405,7 +3405,7 @@ This is an empty request | Field | Type | Description | Validation | | ----- | ---- | ----------- | ----------- | -| email | string | TODO: check if no value is allowed | string.email: true
| +| email | string | - | string.email: true
| | is_email_verified | bool | - | | diff --git a/docs/docs/apis/proto/app.md b/docs/docs/apis/proto/app.md index 2cdd192492..8b9cf53b73 100644 --- a/docs/docs/apis/proto/app.md +++ b/docs/docs/apis/proto/app.md @@ -16,7 +16,6 @@ title: zitadel/app.proto | Field | Type | Description | Validation | | ----- | ---- | ----------- | ----------- | | client_id | string | - | | -| client_secret | string | - | | | auth_method_type | APIAuthMethodType | - | | @@ -72,7 +71,6 @@ title: zitadel/app.proto | grant_types | repeated OIDCGrantType | - | | | app_type | OIDCAppType | - | | | client_id | string | - | | -| client_secret | string | - | | | auth_method_type | OIDCAuthMethodType | - | | | post_logout_redirect_uris | repeated string | - | | | version | OIDCVersion | - | | diff --git a/docs/docs/apis/proto/auth.md b/docs/docs/apis/proto/auth.md index 6a580b2e19..5bae5d0192 100644 --- a/docs/docs/apis/proto/auth.md +++ b/docs/docs/apis/proto/auth.md @@ -1341,7 +1341,7 @@ This is an empty request | Field | Type | Description | Validation | | ----- | ---- | ----------- | ----------- | -| email | string | TODO: check if no value is allowed | string.email: true
| +| email | string | - | string.email: true
| diff --git a/docs/docs/apis/proto/management.md b/docs/docs/apis/proto/management.md index 2492057eda..5bdeb35668 100644 --- a/docs/docs/apis/proto/management.md +++ b/docs/docs/apis/proto/management.md @@ -3155,7 +3155,7 @@ This is an empty request | Field | Type | Description | Validation | | ----- | ---- | ----------- | ----------- | -| email | string | TODO: check if no value is allowed | string.email: true
| +| email | string | - | string.email: true
| | is_email_verified | bool | - | | @@ -5159,7 +5159,7 @@ This is an empty response | Field | Type | Description | Validation | | ----- | ---- | ----------- | ----------- | -| email | string | TODO: check if no value is allowed | string.email: true
| +| email | string | - | string.email: true
| | is_email_verified | bool | - | | diff --git a/internal/admin/repository/eventsourcing/handler/handler.go b/internal/admin/repository/eventsourcing/handler/handler.go index 28e3f8a4d4..4a89030a09 100644 --- a/internal/admin/repository/eventsourcing/handler/handler.go +++ b/internal/admin/repository/eventsourcing/handler/handler.go @@ -28,13 +28,12 @@ func (h *handler) Eventstore() v1.Eventstore { return h.es } -func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, es v1.Eventstore, static static.Storage, loginPrefix string) []query.Handler { +func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, es v1.Eventstore, static static.Storage) []query.Handler { handlers := []query.Handler{} if static != nil { handlers = append(handlers, newStyling( handler{view, bulkLimit, configs.cycleDuration("Styling"), errorCount, es}, - static, - loginPrefix)) + static)) } return handlers } diff --git a/internal/admin/repository/eventsourcing/handler/styling.go b/internal/admin/repository/eventsourcing/handler/styling.go index 9d3f650baf..dffe511b8c 100644 --- a/internal/admin/repository/eventsourcing/handler/styling.go +++ b/internal/admin/repository/eventsourcing/handler/styling.go @@ -11,6 +11,7 @@ import ( "github.com/muesli/gamut" "github.com/zitadel/logging" + "github.com/zitadel/zitadel/internal/api/ui/login" "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/eventstore" v1 "github.com/zitadel/zitadel/internal/eventstore/v1" @@ -31,16 +32,13 @@ type Styling struct { handler static static.Storage subscription *v1.Subscription - resourceUrl string } -func newStyling(handler handler, static static.Storage, loginPrefix string) *Styling { +func newStyling(handler handler, static static.Storage) *Styling { h := &Styling{ handler: handler, static: static, } - h.resourceUrl = loginPrefix + "/resources/dynamic" //TODO: ? - h.subscribe() return h 
@@ -218,7 +216,7 @@ func (m *Styling) writeFile(policy *iam_model.LabelPolicyView) (io.Reader, int64 } cssContent += "}" if policy.FontURL != "" { - cssContent += fmt.Sprintf(fontFaceTemplate, fontname, m.resourceUrl, policy.AggregateID, policy.FontURL) + cssContent += fmt.Sprintf(fontFaceTemplate, fontname, login.HandlerPrefix+login.EndpointDynamicResources, policy.AggregateID, policy.FontURL) } cssContent += ".lgn-dark-theme {" if policy.PrimaryColorDark != "" { diff --git a/internal/admin/repository/eventsourcing/repository.go b/internal/admin/repository/eventsourcing/repository.go index f766146495..0d8167cca8 100644 --- a/internal/admin/repository/eventsourcing/repository.go +++ b/internal/admin/repository/eventsourcing/repository.go @@ -22,7 +22,7 @@ type EsRepository struct { eventstore.AdministratorRepo } -func Start(conf Config, static static.Storage, dbClient *sql.DB, loginPrefix string) (*EsRepository, error) { +func Start(conf Config, static static.Storage, dbClient *sql.DB) (*EsRepository, error) { es, err := v1.Start(dbClient) if err != nil { return nil, err @@ -32,7 +32,7 @@ func Start(conf Config, static static.Storage, dbClient *sql.DB, loginPrefix str return nil, err } - spool := spooler.StartSpooler(conf.Spooler, es, view, dbClient, static, loginPrefix) + spool := spooler.StartSpooler(conf.Spooler, es, view, dbClient, static) return &EsRepository{ spooler: spool, diff --git a/internal/admin/repository/eventsourcing/spooler/spooler.go b/internal/admin/repository/eventsourcing/spooler/spooler.go index cee7323cc5..1722fb61b9 100644 --- a/internal/admin/repository/eventsourcing/spooler/spooler.go +++ b/internal/admin/repository/eventsourcing/spooler/spooler.go 
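Review bot: The new `writeFile` line makes the admin eventsourcing handler import `internal/api/ui/login` only to read `login.HandlerPrefix` and `login.EndpointDynamicResources`, which couples a projection handler to the UI package and invites an import cycle if the login package ever needs this one. Consider moving the two path constants into a small shared package, or at least add a comment on the line such as `// must match the route the login UI serves dynamic resources from`. Separately, `policy.AggregateID` and `policy.FontURL` are formatted straight into the stylesheet; `fontFaceTemplate` is outside the hunk, so confirm these values are constrained when they are written and cannot break out of whatever CSS context the template places them in. The body of `writeFile` starts and ends outside this hunk.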
@@ -18,12 +18,12 @@ type SpoolerConfig struct { Handlers handler.Configs } -func StartSpooler(c SpoolerConfig, es v1.Eventstore, view *view.View, sql *sql.DB, static static.Storage, loginPrefix string) *spooler.Spooler { +func StartSpooler(c SpoolerConfig, es v1.Eventstore, view *view.View, sql *sql.DB, static static.Storage) *spooler.Spooler { spoolerConfig := spooler.Config{ Eventstore: es, Locker: &locker{dbClient: sql}, ConcurrentWorkers: c.ConcurrentWorkers, - ViewHandlers: handler.Register(c.Handlers, c.BulkLimit, c.FailureCountUntilSkip, view, es, static, loginPrefix), + ViewHandlers: handler.Register(c.Handlers, c.BulkLimit, c.FailureCountUntilSkip, view, es, static), } spool := spoolerConfig.New() spool.Start() diff --git a/internal/api/assets/asset.go b/internal/api/assets/asset.go index cf9e36842c..e559eed585 100644 --- a/internal/api/assets/asset.go +++ b/internal/api/assets/asset.go @@ -81,7 +81,7 @@ func NewHandler(commands *command.Commands, verifier *authz.TokenVerifier, authC query: queries, } - verifier.RegisterServer("Management-API", "assets", AssetsService_AuthMethods) //TODO: separate api? + verifier.RegisterServer("Assets-API", "assets", AssetsService_AuthMethods) router := mux.NewRouter() router.Use(sentryhttp.New(sentryhttp.Options{}).Handle, instanceInterceptor) RegisterRoutes(router, h) diff --git a/internal/api/grpc/action/action.go b/internal/api/grpc/action/action.go index 07b68daa18..bf5c3d3820 100644 --- a/internal/api/grpc/action/action.go +++ b/internal/api/grpc/action/action.go @@ -1,11 +1,12 @@ package action import ( + "google.golang.org/protobuf/types/known/durationpb" + object_grpc "github.com/zitadel/zitadel/internal/api/grpc/object" "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/query" action_pb "github.com/zitadel/zitadel/pkg/grpc/action" - "google.golang.org/protobuf/types/known/durationpb" ) func FlowTypeToDomain(flowType action_pb.FlowType) domain.FlowType { 
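Review bot: Renaming the server registered in `verifier.RegisterServer` from `Management-API` to `Assets-API` changes the name the token verifier associates with the `assets` prefix, and none of the visible hunks provisions anything under the new name. If the verifier resolves that name to a registered API application at request time (its implementation is not shown here), instances that lack an `Assets-API` entry would fail authorization on every asset request after upgrade. Confirm that setup or a migration creates it for existing instances, and state the requirement in a comment next to the call, for example `// the name must match an API application created during instance setup`.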
diff --git a/internal/api/grpc/admin/domain_policy.go b/internal/api/grpc/admin/domain_policy.go index de3352603d..f06d211a5f 100644 --- a/internal/api/grpc/admin/domain_policy.go +++ b/internal/api/grpc/admin/domain_policy.go @@ -86,9 +86,6 @@ func domainPolicyToDomain(userLoginMustBeDomain, validateOrgDomains, smtpSenderA func updateDomainPolicyToDomain(req *admin_pb.UpdateDomainPolicyRequest) *domain.DomainPolicy { return &domain.DomainPolicy{ - // ObjectRoot: models.ObjectRoot{ - // // AggreagateID: //TODO: there should only be ONE default - // }, UserLoginMustBeDomain: req.UserLoginMustBeDomain, ValidateOrgDomains: req.ValidateOrgDomains, SMTPSenderAddressMatchesInstanceDomain: req.SmtpSenderAddressMatchesInstanceDomain, diff --git a/internal/api/grpc/admin/idp_converter_test.go b/internal/api/grpc/admin/idp_converter_test.go index 779913d212..23d378b888 100644 --- a/internal/api/grpc/admin/idp_converter_test.go +++ b/internal/api/grpc/admin/idp_converter_test.go @@ -45,7 +45,7 @@ func Test_addOIDCIDPRequestToDomain(t *testing.T) { "State", "OIDCConfig.AuthorizationEndpoint", "OIDCConfig.TokenEndpoint", - "Type", //TODO: default (0) is oidc + "Type", "JWTConfig", ) }) @@ -79,7 +79,7 @@ func Test_addOIDCIDPRequestToDomainOIDCIDPConfig(t *testing.T) { got := addOIDCIDPRequestToDomainOIDCIDPConfig(tt.args.req) test.AssertFieldsMapped(t, got, "ObjectRoot", - "ClientSecret", //TODO: is client secret string enough for backend? + "ClientSecret", "IDPConfigID", "AuthorizationEndpoint", "TokenEndpoint", @@ -116,7 +116,7 @@ func Test_updateIDPToDomain(t *testing.T) { "OIDCConfig", "JWTConfig", "State", - "Type", //TODO: type should not be changeable + "Type", ) }) } diff --git a/internal/api/grpc/admin/instance_converter.go b/internal/api/grpc/admin/instance_converter.go index d91d77854d..0443d8bb8e 100644 --- a/internal/api/grpc/admin/instance_converter.go +++ b/internal/api/grpc/admin/instance_converter.go 
@@ -5,6 +5,7 @@ import ( "github.com/zitadel/zitadel/internal/api/grpc/object" "github.com/zitadel/zitadel/internal/query" admin_pb "github.com/zitadel/zitadel/pkg/grpc/admin" + "github.com/zitadel/zitadel/pkg/grpc/instance" ) func ListInstanceDomainsRequestToModel(req *admin_pb.ListInstanceDomainsRequest) (*query.InstanceDomainSearchQueries, error) { @@ -15,11 +16,26 @@ func ListInstanceDomainsRequestToModel(req *admin_pb.ListInstanceDomainsRequest) } return &query.InstanceDomainSearchQueries{ SearchRequest: query.SearchRequest{ - Offset: offset, - Limit: limit, - Asc: asc, + Offset: offset, + Limit: limit, + Asc: asc, + SortingColumn: fieldNameToInstanceDomainColumn(req.SortingColumn), }, - //SortingColumn: //TODO: sorting Queries: queries, }, nil } + +func fieldNameToInstanceDomainColumn(fieldName instance.DomainFieldName) query.Column { + switch fieldName { + case instance.DomainFieldName_DOMAIN_FIELD_NAME_DOMAIN: + return query.InstanceDomainDomainCol + case instance.DomainFieldName_DOMAIN_FIELD_NAME_PRIMARY: + return query.InstanceDomainIsPrimaryCol + case instance.DomainFieldName_DOMAIN_FIELD_NAME_GENERATED: + return query.InstanceDomainIsGeneratedCol + case instance.DomainFieldName_DOMAIN_FIELD_NAME_CREATION_DATE: + return query.InstanceDomainCreationDateCol + default: + return query.Column{} + } +} diff --git a/internal/api/grpc/admin/org.go b/internal/api/grpc/admin/org.go index cb232781e5..8e85e3e032 100644 --- a/internal/api/grpc/admin/org.go +++ b/internal/api/grpc/admin/org.go 
@@ -52,15 +52,13 @@ func (s *Server) SetUpOrg(ctx context.Context, req *admin_pb.SetUpOrgRequest) (* if err != nil { return nil, err } - _ = userIDs //TODO: handle userIDs human := setUpOrgHumanToCommand(req.User.(*admin_pb.SetUpOrgRequest_Human_).Human) //TODO: handle machine - org := setUpOrgOrgToDomain(req.Org) //TODO: handle domain - _ = org userID, objectDetails, err := s.command.SetUpOrg(ctx, &command.OrgSetup{ - Name: req.Org.Name, - Human: human, - }) + Name: req.Org.Name, + CustomDomain: req.Org.Domain, + Human: human, + }, userIDs...) if err != nil { return nil, err } diff --git a/internal/api/grpc/admin/org_converter.go b/internal/api/grpc/admin/org_converter.go index 438b425188..7f3066925e 100644 --- a/internal/api/grpc/admin/org_converter.go +++ b/internal/api/grpc/admin/org_converter.go @@ -3,7 +3,6 @@ package admin import ( "github.com/zitadel/zitadel/internal/api/grpc/object" org_grpc "github.com/zitadel/zitadel/internal/api/grpc/org" - "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/query" "github.com/zitadel/zitadel/pkg/grpc/admin" "github.com/zitadel/zitadel/pkg/grpc/org" @@ -34,14 +33,3 @@ func fieldNameToOrgColumn(fieldName org.OrgFieldName) query.Column { return query.Column{} } } - -func setUpOrgOrgToDomain(req *admin.SetUpOrgRequest_Org) *domain.Org { - org := &domain.Org{ - Name: req.Name, - Domains: []*domain.OrgDomain{}, - } - if req.Domain != "" { - org.Domains = append(org.Domains, &domain.OrgDomain{Domain: req.Domain}) - } - return org -} diff --git a/internal/api/grpc/idp/converter.go b/internal/api/grpc/idp/converter.go index e313ac93c8..7624523b87 100644 --- a/internal/api/grpc/idp/converter.go +++ b/internal/api/grpc/idp/converter.go 
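Review bot: The line `setUpOrgHumanToCommand(req.User.(*admin_pb.SetUpOrgRequest_Human_).Human)` uses an unchecked type assertion, so a request whose `User` oneof is unset or holds a non-human variant panics the handler instead of returning an error; the commit keeps the `//TODO: handle machine` while wiring more of the request through. Use the two-value form, `h, ok := req.User.(*admin_pb.SetUpOrgRequest_Human_)`, and return an invalid-argument error when `!ok`. `req.Org.Name` and the newly read `req.Org.Domain` also dereference `req.Org` without a nil check, which is only safe if request validation outside this hunk guarantees the field is set. `SetUpOrg` starts and ends outside the hunk, including the call that produces `userIDs`.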
@@ -190,8 +190,6 @@ func IDPViewToConfigPb(config *query.IDP) idp_pb.IDPConfig { func FieldNameToModel(fieldName idp_pb.IDPFieldName) query.Column { switch fieldName { - // case admin.IdpSearchKey_IDPSEARCHKEY_IDP_CONFIG_ID: //TODO: not implemented in proto - // return iam_model.IDPConfigSearchKeyIdpConfigID case idp_pb.IDPFieldName_IDP_FIELD_NAME_NAME: return query.IDPNameCol default: diff --git a/internal/api/grpc/management/idp_converter_test.go b/internal/api/grpc/management/idp_converter_test.go index 36368c2bfd..7e5bbf0cb5 100644 --- a/internal/api/grpc/management/idp_converter_test.go +++ b/internal/api/grpc/management/idp_converter_test.go @@ -45,7 +45,7 @@ func Test_addOIDCIDPRequestToDomain(t *testing.T) { "State", "OIDCConfig.AuthorizationEndpoint", "OIDCConfig.TokenEndpoint", - "Type", //TODO: default (0) is oidc + "Type", "JWTConfig", ) }) @@ -79,7 +79,7 @@ func Test_addOIDCIDPRequestToDomainOIDCIDPConfig(t *testing.T) { got := addOIDCIDPRequestToDomainOIDCIDPConfig(tt.args.req) test.AssertFieldsMapped(t, got, "ObjectRoot", - "ClientSecret", //TODO: is client secret string enough for backend? + "ClientSecret", "IDPConfigID", "AuthorizationEndpoint", "TokenEndpoint", @@ -116,7 +116,7 @@ func Test_updateIDPToDomain(t *testing.T) { "OIDCConfig", "JWTConfig", "State", - "Type", //TODO: type should not be changeable + "Type", ) }) } diff --git a/internal/api/grpc/project/application.go b/internal/api/grpc/project/application.go index b121c88a97..426093cfdf 100644 --- a/internal/api/grpc/project/application.go +++ b/internal/api/grpc/project/application.go @@ -65,7 +65,6 @@ func AppAPIConfigToPb(app *query.APIApp) app_pb.AppConfig { return &app_pb.App_ApiConfig{ ApiConfig: &app_pb.APIConfig{ ClientId: app.ClientID, - ClientSecret: "", //TODO: remove from proto AuthMethodType: APIAuthMethodeTypeToPb(app.AuthMethodType), }, } diff --git a/internal/api/grpc/user/membership.go b/internal/api/grpc/user/membership.go index 43f17ead10..4aaa213090 100644 
--- a/internal/api/grpc/user/membership.go +++ b/internal/api/grpc/user/membership.go @@ -2,10 +2,8 @@ package user import ( "github.com/zitadel/zitadel/internal/api/grpc/object" - "github.com/zitadel/zitadel/internal/domain" "github.com/zitadel/zitadel/internal/errors" "github.com/zitadel/zitadel/internal/query" - user_model "github.com/zitadel/zitadel/internal/user/model" user_pb "github.com/zitadel/zitadel/pkg/grpc/user" ) 
@@ -36,62 +34,6 @@ func MembershipQueryToQuery(req *user_pb.MembershipQuery) (query.SearchQuery, er } } -func MembershipIAMQueryToModel(q *user_pb.MembershipIAMQuery) []*user_model.UserMembershipSearchQuery { - return []*user_model.UserMembershipSearchQuery{ - { - Key: user_model.UserMembershipSearchKeyMemberType, - Method: domain.SearchMethodEquals, - Value: user_model.MemberTypeIam, - }, - //TODO: q.IAM? - } -} - -func MembershipOrgQueryToModel(q *user_pb.MembershipOrgQuery) []*user_model.UserMembershipSearchQuery { - return []*user_model.UserMembershipSearchQuery{ - { - Key: user_model.UserMembershipSearchKeyMemberType, - Method: domain.SearchMethodEquals, - Value: user_model.MemberTypeOrganisation, - }, - { - Key: user_model.UserMembershipSearchKeyObjectID, - Method: domain.SearchMethodEquals, - Value: q.OrgId, - }, - } -} - -func MembershipProjectQueryToModel(q *user_pb.MembershipProjectQuery) []*user_model.UserMembershipSearchQuery { - return []*user_model.UserMembershipSearchQuery{ - { - Key: user_model.UserMembershipSearchKeyMemberType, - Method: domain.SearchMethodEquals, - Value: user_model.MemberTypeProject, - }, - { - Key: user_model.UserMembershipSearchKeyObjectID, - Method: domain.SearchMethodEquals, - Value: q.ProjectId, - }, - } -} - -func MembershipProjectGrantQueryToModel(q *user_pb.MembershipProjectGrantQuery) []*user_model.UserMembershipSearchQuery { - return []*user_model.UserMembershipSearchQuery{ - { - Key: user_model.UserMembershipSearchKeyMemberType, - Method: domain.SearchMethodEquals, - Value: user_model.MemberTypeProjectGrant, - }, - { - Key: user_model.UserMembershipSearchKeyObjectID, - Method: domain.SearchMethodEquals, - Value: q.ProjectGrantId, - }, - } -} - func MembershipsToMembershipsPb(memberships []*query.Membership) []*user_pb.Membership { converted := make([]*user_pb.Membership, len(memberships)) for i, membership := range memberships { 
diff --git a/internal/api/http/middleware/auth_interceptor.go b/internal/api/http/middleware/auth_interceptor.go index d2419d8372..9af48a274e 100644 --- a/internal/api/http/middleware/auth_interceptor.go +++ b/internal/api/http/middleware/auth_interceptor.go @@ -62,7 +62,7 @@ func authorize(r *http.Request, verifier *authz.TokenVerifier, authConfig authz. return nil, errors.New("auth header missing") } - ctxSetter, err := authz.CheckUserAuthorization(authCtx, &httpReq{}, authToken, http_util.GetOrgID(r), verifier, authConfig, authOpt, r.RequestURI) //TODO: permission + ctxSetter, err := authz.CheckUserAuthorization(authCtx, &httpReq{}, authToken, http_util.GetOrgID(r), verifier, authConfig, authOpt, r.RequestURI) if err != nil { return nil, err } diff --git a/internal/api/oidc/auth_request.go b/internal/api/oidc/auth_request.go index 0836bc0bcf..2e69ad7497 100644 --- a/internal/api/oidc/auth_request.go +++ b/internal/api/oidc/auth_request.go @@ -29,7 +29,6 @@ func (o *OPStorage) CreateAuthRequest(ctx context.Context, req *oidc.AuthRequest return nil, errors.ThrowPreconditionFailed(err, "OIDC-Gqrfg", "Errors.Internal") } authRequest := CreateAuthRequestToBusiness(ctx, req, userAgentID, userID) - //TODO: ensure splitting of command and query side durring auth request and login refactoring resp, err := o.repo.CreateAuthRequest(ctx, authRequest) if err != nil { return nil, err diff --git a/internal/api/ui/login/register_org_handler.go b/internal/api/ui/login/register_org_handler.go index e25b38ce0d..fb5d7b19f5 100644 --- a/internal/api/ui/login/register_org_handler.go +++ b/internal/api/ui/login/register_org_handler.go 
@@ -66,8 +66,7 @@ func (l *Login) handleRegisterOrgCheck(w http.ResponseWriter, r *http.Request) { l.renderRegisterOrg(w, r, authRequest, data, err) return } - _ = userIDs //TODO: handle userIDs - _, _, err = l.command.SetUpOrg(ctx, data.toCommandOrg()) + _, _, err = l.command.SetUpOrg(ctx, data.toCommandOrg(), userIDs...) if err != nil { l.renderRegisterOrg(w, r, authRequest, data, err) return diff --git a/internal/api/ui/login/renderer.go b/internal/api/ui/login/renderer.go index c9db228159..32045421a9 100644 --- a/internal/api/ui/login/renderer.go +++ b/internal/api/ui/login/renderer.go @@ -432,7 +432,7 @@ func (l *Login) getErrorMessage(r *http.Request, err error) (errID, errMsg strin } func (l *Login) getTheme(r *http.Request) string { - return "zitadel" //TODO: impl + return "zitadel" } func (l *Login) getThemeMode(r *http.Request) string { diff --git a/internal/command/org.go b/internal/command/org.go index 2d1f04c5fb..2d2a0282ca 100644 --- a/internal/command/org.go +++ b/internal/command/org.go @@ -17,11 +17,12 @@ import ( ) type OrgSetup struct { - Name string - Human AddHuman + Name string + CustomDomain string + Human AddHuman } -func (c *Commands) SetUpOrg(ctx context.Context, o *OrgSetup) (string, *domain.ObjectDetails, error) { +func (c *Commands) SetUpOrg(ctx context.Context, o *OrgSetup, userIDs ...string) (string, *domain.ObjectDetails, error) { orgID, err := id.SonyFlakeGenerator.Next() if err != nil { return "", nil, err 
@@ -35,11 +36,19 @@ func (c *Commands) SetUpOrg(ctx context.Context, o *OrgSetup) (string, *domain.O orgAgg := org.NewAggregate(orgID) userAgg := user_repo.NewAggregate(userID, orgID) - cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, - AddOrgCommand(ctx, orgAgg, o.Name), + validations := []preparation.Validation{ + AddOrgCommand(ctx, orgAgg, o.Name, userIDs...), AddHumanCommand(userAgg, &o.Human, c.userPasswordAlg, c.userEncryption), c.AddOrgMemberCommand(orgAgg, userID, domain.RoleOrgOwner), - ) + } + if o.CustomDomain != "" { + validations = append(validations, AddOrgDomain(orgAgg, o.CustomDomain)) + for _, userID := range userIDs { + validations = append(validations, c.prepareUserDomainClaimed(userID)) + } + } + + cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, validations...) if err != nil { return "", nil, err } @@ -57,7 +66,7 @@ func (c *Commands) SetUpOrg(ctx context.Context, o *OrgSetup) (string, *domain.O //AddOrgCommand defines the commands to create a new org, // this includes the verified default domain -func AddOrgCommand(ctx context.Context, a *org.Aggregate, name string) preparation.Validation { +func AddOrgCommand(ctx context.Context, a *org.Aggregate, name string, userIDs ...string) preparation.Validation { return func() (preparation.CreateCommands, error) { if name = strings.TrimSpace(name); name == "" { return nil, errors.ThrowInvalidArgument(nil, "ORG-mruNY", "Errors.Invalid.Argument") diff --git a/internal/command/project_application_api.go b/internal/command/project_application_api.go index 2b60135df6..969416d0e0 100644 --- a/internal/command/project_application_api.go +++ b/internal/command/project_application_api.go 
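Review bot: The loop variable in `for _, userID := range userIDs` shadows the outer `userID` of the newly created human, which the lines just above pass to `user_repo.NewAggregate` and `c.AddOrgMemberCommand`; it is harmless today because the loop is the last use, but a later edit below the loop can easily pick the wrong one, so rename it, e.g. `for _, claimedUserID := range userIDs`. Each entry produces a domain-claimed command that renames an existing user, and nothing in this hunk checks that `o.CustomDomain` has been verified or that `userIDs` is free of duplicates. Where the list comes from is outside the hunk, so confirm that every caller derives it from the domain being added rather than from caller-supplied input, and say so in the doc comment of `SetUpOrg`. `userIDs` is also forwarded to `AddOrgCommand`, whose body is not visible; if it handles the IDs as well, the claim could be emitted twice.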
@@ -44,8 +44,6 @@ func AddAPIAppCommand(app *addAPIApp, clientSecretAlg crypto.HashAlgorithm) prep return nil, errors.ThrowInternal(err, "V2-f0pgP", "Errors.Internal") } - //requires client secret - // TODO(release blocking):we have to return the secret if app.AuthMethodType == domain.APIAuthMethodTypeBasic { app.ClientSecret, app.ClientSecretPlain, err = newAppClientSecret(ctx, filter, clientSecretAlg) if err != nil { diff --git a/internal/command/user.go b/internal/command/user.go index 29fe672413..be5b8bec94 100644 --- a/internal/command/user.go +++ b/internal/command/user.go @@ -340,6 +340,38 @@ func (c *Commands) userDomainClaimed(ctx context.Context, userID string) (events }, changedUserGrant, nil } +func (c *Commands) prepareUserDomainClaimed(userID string) preparation.Validation { + return func() (_ preparation.CreateCommands, err error) { + return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) { + userWriteModel, err := userWriteModelByID(ctx, filter, userID, "") + if err != nil { + return nil, err + } + if !userWriteModel.UserState.Exists() { + return nil, caos_errs.ThrowNotFound(nil, "COMMAND-ii9K0", "Errors.User.NotFound") + } + domainPolicy, err := domainPolicyWriteModel(ctx, filter) + if err != nil { + return nil, err + } + userAgg := UserAggregateFromWriteModel(&userWriteModel.WriteModel) + + id, err := c.idGenerator.Next() + if err != nil { + return nil, err + } + + return []eventstore.Command{user.NewDomainClaimedEvent( + ctx, + userAgg, + fmt.Sprintf("%s@temporary.%s", id, authz.GetInstance(ctx).RequestedDomain()), + userWriteModel.UserName, + domainPolicy.UserLoginMustBeDomain), + }, nil + }, nil + } +} + func (c *Commands) UserDomainClaimedSent(ctx context.Context, orgID, userID string) (err error) { if userID == "" { return caos_errs.ThrowInvalidArgument(nil, "COMMAND-5m0fs", "Errors.IDMissing") 
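Review bot: `prepareUserDomainClaimed` dereferences `userWriteModel.UserState` after checking only `err`, but the `userWriteModelByID` helper added further down in this file returns `nil, nil` when the filter yields no events, so an unknown user ID ends in a nil-pointer panic instead of the intended `Errors.User.NotFound`. Guard the check with `if userWriteModel == nil || !userWriteModel.UserState.Exists() {`, or have `userWriteModelByID` return the empty model instead of nil so that `Exists()` can answer. The lookup also passes `""` as the resource owner, so the user is not scoped to any organisation; that is presumably intended for cross-organisation claims, but it deserves a comment such as `// resource owner left empty: claimed users belong to other orgs`. A short doc comment on both new functions stating the not-found behaviour would prevent the same mistake at the next call site.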
@@ -414,3 +446,17 @@ func ExistsUser(ctx context.Context, filter preparation.FilterToQueryReducer, id func newUserInitCode(ctx context.Context, filter preparation.FilterToQueryReducer, alg crypto.EncryptionAlgorithm) (value *crypto.CryptoValue, expiry time.Duration, err error) { return newCryptoCodeWithExpiry(ctx, filter, domain.SecretGeneratorTypeInitCode, alg) } + +func userWriteModelByID(ctx context.Context, filter preparation.FilterToQueryReducer, userID, resourceOwner string) (*UserWriteModel, error) { + user := NewUserWriteModel(userID, resourceOwner) + events, err := filter(ctx, user.Query()) + if err != nil { + return nil, err + } + if len(events) == 0 { + return nil, nil + } + user.AppendEvents(events...) + err = user.Reduce() + return user, err +} diff --git a/internal/eventstore/handler/crdb/init.go b/internal/eventstore/handler/crdb/init.go index 175a5f24bd..eed08b8bdc 100644 --- a/internal/eventstore/handler/crdb/init.go +++ b/internal/eventstore/handler/crdb/init.go @@ -344,7 +344,7 @@ func columnType(columnType ColumnType) string { case ColumnTypeBytes: return "BYTES" default: - panic("") //TODO: remove? + panic("unknown column type") return "" } } diff --git a/internal/query/instance.go b/internal/query/instance.go index 9d17a2cdd4..3953457225 100644 --- a/internal/query/instance.go +++ b/internal/query/instance.go @@ -248,7 +248,6 @@ func prepareInstancesQuery() (sq.SelectBuilder, func(*sql.Rows) (*Instances, err for rows.Next() { instance := new(Instance) lang := "" - //TODO: Get Host err := rows.Scan( &instance.ID, &instance.CreationDate, diff --git a/internal/query/project.go b/internal/query/project.go index 9a8dcc6a8c..92cc969623 100644 --- a/internal/query/project.go +++ b/internal/query/project.go 
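Review bot: In `columnType`, the `return ""` that follows `panic("unknown column type")` is unreachable and `go vet` reports it; since `panic` is a terminating statement the line can simply be removed. The message would also be more useful if it carried the offending value, e.g. `panic(fmt.Sprintf("unknown column type: %v", columnType))`, assuming `fmt` is already imported in this file. The switch begins outside the hunk, so the other cases are not visible here.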
@@ -59,10 +59,6 @@ var ( name: projection.ProjectColumnInstanceID, table: projectsTable, } - ProjectColumnCreator = Column{ - name: projection.ProjectColumnCreator, - table: projectsTable, - } ProjectColumnSequence = Column{ name: projection.ProjectColumnSequence, table: projectsTable, diff --git a/internal/query/project_grant.go b/internal/query/project_grant.go index 242e1e43d7..1fcf70c2cf 100644 --- a/internal/query/project_grant.go +++ b/internal/query/project_grant.go @@ -65,10 +65,6 @@ var ( name: projection.ProjectGrantColumnRoleKeys, table: projectGrantsTable, } - ProjectGrantColumnCreator = Column{ - name: projection.ProjectGrantColumnCreator, - table: projectGrantsTable, - } ProjectGrantColumnGrantedOrgName = Column{ name: projection.OrgColumnName, table: orgsTable.setAlias(ProjectGrantGrantedOrgTableAlias), diff --git a/internal/query/project_role.go b/internal/query/project_role.go index e0d4607135..db4653b1a4 100644 --- a/internal/query/project_role.go +++ b/internal/query/project_role.go @@ -53,10 +53,6 @@ var ( name: projection.ProjectRoleColumnGroupName, table: projectRolesTable, } - ProjectRoleColumnCreator = Column{ - name: projection.ProjectRoleColumnCreator, - table: projectRolesTable, - } ) type ProjectRoles struct { diff --git a/internal/query/projection/app.go b/internal/query/projection/app.go index 75dc7f9b6f..404aaa8b1b 100644 --- a/internal/query/projection/app.go +++ b/internal/query/projection/app.go 
@@ -94,17 +94,17 @@ func NewAppProjection(ctx context.Context, config crdb.StatementHandlerConfig) * crdb.NewColumn(AppOIDCConfigColumnClientID, crdb.ColumnTypeText), crdb.NewColumn(AppOIDCConfigColumnClientSecret, crdb.ColumnTypeJSONB, crdb.Nullable()), crdb.NewColumn(AppOIDCConfigColumnRedirectUris, crdb.ColumnTypeTextArray, crdb.Nullable()), - crdb.NewColumn(AppOIDCConfigColumnResponseTypes, crdb.ColumnTypeEnumArray, crdb.Nullable()), //TODO: null? - crdb.NewColumn(AppOIDCConfigColumnGrantTypes, crdb.ColumnTypeEnumArray, crdb.Nullable()), //TODO: null? + crdb.NewColumn(AppOIDCConfigColumnResponseTypes, crdb.ColumnTypeEnumArray, crdb.Nullable()), + crdb.NewColumn(AppOIDCConfigColumnGrantTypes, crdb.ColumnTypeEnumArray, crdb.Nullable()), crdb.NewColumn(AppOIDCConfigColumnApplicationType, crdb.ColumnTypeEnum), crdb.NewColumn(AppOIDCConfigColumnAuthMethodType, crdb.ColumnTypeEnum), crdb.NewColumn(AppOIDCConfigColumnPostLogoutRedirectUris, crdb.ColumnTypeTextArray, crdb.Nullable()), crdb.NewColumn(AppOIDCConfigColumnDevMode, crdb.ColumnTypeBool), crdb.NewColumn(AppOIDCConfigColumnAccessTokenType, crdb.ColumnTypeEnum), - crdb.NewColumn(AppOIDCConfigColumnAccessTokenRoleAssertion, crdb.ColumnTypeBool, crdb.Nullable()), //TODO: null? - crdb.NewColumn(AppOIDCConfigColumnIDTokenRoleAssertion, crdb.ColumnTypeBool, crdb.Nullable()), //TODO: null? - crdb.NewColumn(AppOIDCConfigColumnIDTokenUserinfoAssertion, crdb.ColumnTypeBool, crdb.Nullable()), //TODO: null? - crdb.NewColumn(AppOIDCConfigColumnClockSkew, crdb.ColumnTypeInt64, crdb.Nullable()), //TODO: null? 
+ crdb.NewColumn(AppOIDCConfigColumnAccessTokenRoleAssertion, crdb.ColumnTypeBool, crdb.Default(false)), + crdb.NewColumn(AppOIDCConfigColumnIDTokenRoleAssertion, crdb.ColumnTypeBool, crdb.Default(false)), + crdb.NewColumn(AppOIDCConfigColumnIDTokenUserinfoAssertion, crdb.ColumnTypeBool, crdb.Default(false)), + crdb.NewColumn(AppOIDCConfigColumnClockSkew, crdb.ColumnTypeInt64, crdb.Default(0)), crdb.NewColumn(AppOIDCConfigColumnAdditionalOrigins, crdb.ColumnTypeTextArray, crdb.Nullable()), }, crdb.NewPrimaryKey(AppOIDCConfigColumnAppID), diff --git a/internal/query/projection/project.go b/internal/query/projection/project.go index 0d3af82ea1..c075e67dea 100644 --- a/internal/query/projection/project.go +++ b/internal/query/projection/project.go @@ -26,7 +26,6 @@ const ( ProjectColumnProjectRoleCheck = "project_role_check" ProjectColumnHasProjectCheck = "has_project_check" ProjectColumnPrivateLabelingSetting = "private_labeling_setting" - ProjectColumnCreator = "creator_id" //TODO: necessary? ) type ProjectProjection struct { @@ -51,7 +50,6 @@ func NewProjectProjection(ctx context.Context, config crdb.StatementHandlerConfi crdb.NewColumn(ProjectColumnProjectRoleCheck, crdb.ColumnTypeBool), crdb.NewColumn(ProjectColumnHasProjectCheck, crdb.ColumnTypeBool), crdb.NewColumn(ProjectColumnPrivateLabelingSetting, crdb.ColumnTypeEnum), - crdb.NewColumn(ProjectColumnCreator, crdb.ColumnTypeText), }, crdb.NewPrimaryKey(ProjectColumnInstanceID, ProjectColumnID), crdb.WithIndex(crdb.NewIndex("ro_idx", []string{ProjectColumnResourceOwner})), @@ -111,7 +109,6 @@ func (p *ProjectProjection) reduceProjectAdded(event eventstore.Event) (*handler handler.NewCol(ProjectColumnHasProjectCheck, e.HasProjectCheck), handler.NewCol(ProjectColumnPrivateLabelingSetting, e.PrivateLabelingSetting), handler.NewCol(ProjectColumnState, domain.ProjectStateActive), - handler.NewCol(ProjectColumnCreator, e.EditorUser()), }, ), nil } 
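Review bot: Switching the four OIDC config columns from `crdb.Nullable()` to `crdb.Default(false)` and `crdb.Default(0)` only takes effect where the table is created from this definition; the hunk does not show how a table that already exists is altered. If the init code creates missing tables and leaves existing ones untouched (not visible here), deployed instances keep nullable columns and any NULL values already stored, so readers must still tolerate NULL or the projection has to be rebuilt. State which of the two is intended in a comment above the column list, e.g. `// defaults replace NULL; requires the projection to be re-created on upgrade`. The `crdb.NewColumn` list starts and ends outside the hunk.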
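Review bot: Removing `ProjectColumnCreator` from the column list and from the insert in `reduceProjectAdded` assumes the `creator_id` column is also gone from the deployed table; the removed definition declared it without `crdb.Nullable()`, so if the table is not re-created, inserts that omit the column would presumably fail. The same applies to `ProjectGrantColumnCreator` and `ProjectRoleColumnCreator` in project_grant.go and project_role.go. Confirm that these projection tables are versioned or rebuilt on upgrade, and note it in the commit description. The change also drops the creating user from the read model, so anything that displayed it for audit purposes now has to take it from the event store.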
diff --git a/internal/query/projection/project_grant.go b/internal/query/projection/project_grant.go index 9468919f99..b0a669e9b1 100644 --- a/internal/query/projection/project_grant.go +++ b/internal/query/projection/project_grant.go @@ -26,7 +26,6 @@ const ( ProjectGrantColumnProjectID = "project_id" ProjectGrantColumnGrantedOrgID = "granted_org_id" ProjectGrantColumnRoleKeys = "granted_role_keys" - ProjectGrantColumnCreator = "creator_id" //TODO: necessary? ) type ProjectGrantProjection struct { @@ -49,7 +48,6 @@ func NewProjectGrantProjection(ctx context.Context, config crdb.StatementHandler crdb.NewColumn(ProjectGrantColumnProjectID, crdb.ColumnTypeText), crdb.NewColumn(ProjectGrantColumnGrantedOrgID, crdb.ColumnTypeText), crdb.NewColumn(ProjectGrantColumnRoleKeys, crdb.ColumnTypeTextArray), - crdb.NewColumn(ProjectGrantColumnCreator, crdb.ColumnTypeText), }, crdb.NewPrimaryKey(ProjectGrantColumnInstanceID, ProjectGrantColumnGrantID), crdb.WithIndex(crdb.NewIndex("ro_idx", []string{ProjectGrantColumnResourceOwner})), @@ -116,7 +114,6 @@ func (p *ProjectGrantProjection) reduceProjectGrantAdded(event eventstore.Event) handler.NewCol(ProjectGrantColumnSequence, e.Sequence()), handler.NewCol(ProjectGrantColumnGrantedOrgID, e.GrantedOrgID), handler.NewCol(ProjectGrantColumnRoleKeys, pq.StringArray(e.RoleKeys)), - handler.NewCol(ProjectGrantColumnCreator, e.EditorUser()), }, ), nil } diff --git a/internal/query/projection/project_grant_test.go b/internal/query/projection/project_grant_test.go index 2a74048068..0ed1566e57 100644 --- a/internal/query/projection/project_grant_test.go +++ b/internal/query/projection/project_grant_test.go 
@@ -220,7 +220,7 @@ func TestProjectGrantProjection_reduces(t *testing.T) { executer: &testExecuter{ executions: []execution{ { - expectedStmt: "INSERT INTO projections.project_grants (grant_id, project_id, creation_date, change_date, resource_owner, instance_id, state, sequence, granted_org_id, granted_role_keys, creator_id) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)", + expectedStmt: "INSERT INTO projections.project_grants (grant_id, project_id, creation_date, change_date, resource_owner, instance_id, state, sequence, granted_org_id, granted_role_keys) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)", expectedArgs: []interface{}{ "grant-id", "agg-id", @@ -232,7 +232,6 @@ func TestProjectGrantProjection_reduces(t *testing.T) { uint64(15), "granted-org-id", pq.StringArray{"admin", "user"}, - "editor-user", }, }, }, diff --git a/internal/query/projection/project_role.go b/internal/query/projection/project_role.go index 2fbd2d78b0..fab707660b 100644 --- a/internal/query/projection/project_role.go +++ b/internal/query/projection/project_role.go @@ -22,7 +22,6 @@ const ( ProjectRoleColumnInstanceID = "instance_id" ProjectRoleColumnDisplayName = "display_name" ProjectRoleColumnGroupName = "group_name" - ProjectRoleColumnCreator = "creator_id" //TODO: necessary? ) type ProjectRoleProjection struct { @@ -44,7 +43,6 @@ func NewProjectRoleProjection(ctx context.Context, config crdb.StatementHandlerC crdb.NewColumn(ProjectRoleColumnInstanceID, crdb.ColumnTypeText), crdb.NewColumn(ProjectRoleColumnDisplayName, crdb.ColumnTypeText), crdb.NewColumn(ProjectRoleColumnGroupName, crdb.ColumnTypeText), - crdb.NewColumn(ProjectRoleColumnCreator, crdb.ColumnTypeText), }, crdb.NewPrimaryKey(ProjectRoleColumnInstanceID, ProjectRoleColumnProjectID, ProjectRoleColumnKey), ), 
@@ -96,7 +94,6 @@ func (p *ProjectRoleProjection) reduceProjectRoleAdded(event eventstore.Event) (
 handler.NewCol(ProjectRoleColumnSequence, e.Sequence()),
 handler.NewCol(ProjectRoleColumnDisplayName, e.DisplayName),
 handler.NewCol(ProjectRoleColumnGroupName, e.Group),
- handler.NewCol(ProjectRoleColumnCreator, e.EditorUser()),
 },
 ), nil
 }
diff --git a/internal/query/projection/project_role_test.go b/internal/query/projection/project_role_test.go
index 2028e630d9..f476535e6a 100644
--- a/internal/query/projection/project_role_test.go
+++ b/internal/query/projection/project_role_test.go
@@ -143,7 +143,7 @@ func TestProjectRoleProjection_reduces(t *testing.T) {
 executer: &testExecuter{
 executions: []execution{
 {
- expectedStmt: "INSERT INTO projections.project_roles (role_key, project_id, creation_date, change_date, resource_owner, instance_id, sequence, display_name, group_name, creator_id) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)",
+ expectedStmt: "INSERT INTO projections.project_roles (role_key, project_id, creation_date, change_date, resource_owner, instance_id, sequence, display_name, group_name) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
 expectedArgs: []interface{}{
 "key",
 "agg-id",
@@ -154,7 +154,6 @@ func TestProjectRoleProjection_reduces(t *testing.T) {
 uint64(15),
 "Key",
 "Group",
- "editor-user",
 },
 },
 },
diff --git a/internal/query/projection/project_test.go b/internal/query/projection/project_test.go
index 42baa2ea11..b04b56c524 100644
--- a/internal/query/projection/project_test.go
+++ b/internal/query/projection/project_test.go
@@ -178,7 +178,7 @@ func TestProjectProjection_reduces(t *testing.T) {
 executer: &testExecuter{
 executions: []execution{
 {
- expectedStmt: "INSERT INTO projections.projects (id, creation_date, change_date, resource_owner, instance_id, sequence, name, project_role_assertion, project_role_check, has_project_check, private_labeling_setting, state, creator_id) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13)",
+ expectedStmt: "INSERT INTO projections.projects (id, creation_date, change_date, resource_owner, instance_id, sequence, name, project_role_assertion, project_role_check, has_project_check, private_labeling_setting, state) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12)",
 expectedArgs: []interface{}{
 "agg-id",
 anyArg{},
@@ -192,7 +192,6 @@ func TestProjectProjection_reduces(t *testing.T) {
 true,
 domain.PrivateLabelingSettingEnforceProjectResourceOwnerPolicy,
 domain.ProjectStateActive,
- "editor-user",
 },
 },
 },
diff --git a/internal/query/user_test.go b/internal/query/user_test.go
index 3a9b0998f7..82958053d6 100644
--- a/internal/query/user_test.go
+++ b/internal/query/user_test.go
@@ -88,7 +88,6 @@ var (
 ` projections.users.change_date,` +
 ` projections.users.resource_owner,` +
 ` projections.users.sequence,` +
- //` projections.users.state,` + //TODO:
 ` projections.users_humans.user_id,` +
 ` projections.users_humans.first_name,` +
 ` projections.users_humans.last_name,` +
@@ -105,7 +104,6 @@ var (
 "change_date",
 "resource_owner",
 "sequence",
- //"state", //TODO:
 "user_id",
 "first_name",
 "last_name",
@@ -120,7 +118,6 @@ var (
 ` projections.users.change_date,` +
 ` projections.users.resource_owner,` +
 ` projections.users.sequence,` +
- //` projections.users.state,` + //TODO:
 ` projections.users_humans.user_id,` +
 ` projections.users_humans.email,` +
 ` projections.users_humans.is_email_verified` +
@@ -132,7 +129,6 @@ var (
 "change_date",
 "resource_owner",
 "sequence",
- //"state", //TODO:
 "user_id",
 "email",
 "is_email_verified",
@@ -142,7 +138,6 @@ var (
 ` projections.users.change_date,` +
 ` projections.users.resource_owner,` +
 ` projections.users.sequence,` +
- //` projections.users.state,` + //TODO:
 ` projections.users_humans.user_id,` +
 ` projections.users_humans.phone,` +
 ` projections.users_humans.is_phone_verified` +
@@ -154,7 +149,6 @@ var (
 "change_date",
 "resource_owner",
 "sequence",
- //"state", //TODO:
 "user_id",
 "phone",
 "is_phone_verified",
@@ -163,28 +157,15 @@ var (
 userUniqueQuery = `SELECT projections.users.id,` +
 ` projections.users.state,` +
 ` projections.users.username,` +
- //` login_names.login_names,` +
- //` preferred_login_name.login_name,` +
 ` projections.users_humans.user_id,` +
 ` projections.users_humans.email,` +
 ` projections.users_humans.is_email_verified` +
 ` FROM projections.users` +
 ` LEFT JOIN projections.users_humans ON projections.users.id = projections.users_humans.user_id`
- //` LEFT JOIN` +
- //` (SELECT login_names.user_id, ARRAY_AGG(login_names.login_name) as login_names` +
- //` FROM projections.login_names as login_names` +
- //` GROUP BY login_names.user_id) as login_names` +
- //` on login_names.user_id = projections.users.id` +
- //` LEFT JOIN` +
- //` (SELECT preferred_login_name.user_id, preferred_login_name.login_name FROM projections.login_names as preferred_login_name WHERE preferred_login_name.is_primary = $1) as preferred_login_name` +
- //` on preferred_login_name.user_id = projections.users.id`
 userUniqueCols = []string{
 "id",
 "state",
 "username",
- //"login_names",
- //"login_name",
- //human
 "user_id",
 "email",
 "is_email_verified",
diff --git a/internal/repository/policy/policy_domain.go b/internal/repository/policy/policy_domain.go
index 6802cd1c39..b6475535e9 100644
--- a/internal/repository/policy/policy_domain.go
+++ b/internal/repository/policy/policy_domain.go
@@ -10,7 +10,6 @@ import ( ) const ( - //TODO: use for org events as suffix (when possible) DomainPolicyAddedEventType = "policy.domain.added" DomainPolicyChangedEventType = "policy.domain.changed" DomainPolicyRemovedEventType = "policy.domain.removed" diff --git a/proto/zitadel/admin.proto b/proto/zitadel/admin.proto index 0302905bc5..64096b55c6 100644 --- a/proto/zitadel/admin.proto +++ b/proto/zitadel/admin.proto @@ -2892,7 +2892,7 @@ message SetUpOrgRequest { min_length: 1; example: "\"gigi@caos.ch\""; } - ]; //TODO: check if no value is allowed + ]; bool is_email_verified = 2; } message Phone { diff --git a/proto/zitadel/app.proto b/proto/zitadel/app.proto index a966de4c60..d4fe2fe0d6 100644 --- a/proto/zitadel/app.proto +++ b/proto/zitadel/app.proto @@ -63,6 +63,8 @@ message AppNameQuery { } message OIDCConfig { + reserved "client_secret"; + reserved 6; repeated string redirect_uris = 1 [ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { example: "[\"https://console.zitadel.ch/auth/callback\"]"; @@ -90,12 +92,6 @@ message OIDCConfig { description: "generated oauth2/oidc client id"; } ]; - string client_secret = 6 [ - (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { - example: "\"gjöq34589uasgh\""; - description: "generated secret for this config"; - } - ]; OIDCAuthMethodType auth_method_type = 7 [ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "defines how the application passes login credentials"; 
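Review bot: The new `reserved "client_secret"; reserved 6;` lines in `OIDCConfig` have no comment saying what field 6 carried or why it must stay retired, so a later edit could un-reserve it and put the generated secret back into this message. Add a line above them such as `// 6 was client_secret (generated secret); removed from this message, keep name and number reserved`, and the same above `reserved 2;` in `APIConfig`. Removing the proto field does not by itself show that the query layer stopped selecting the stored secret; that code is outside this diff section and is worth confirming. The message bodies continue outside the hunks.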
@@ -208,18 +204,14 @@ enum APIAuthMethodType { } message APIConfig { + reserved "client_secret"; + reserved 2; string client_id = 1 [ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { example: "\"69629023906488334@ZITADEL\""; description: "generated oauth2/oidc client_id"; } ]; - string client_secret = 2 [ - (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { - example: "\"gjöq34589uasgh\""; - description: "generated secret for this config"; - } - ]; APIAuthMethodType auth_method_type = 3 [ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { description: "defines how the api passes the login credentials"; diff --git a/proto/zitadel/auth.proto b/proto/zitadel/auth.proto index a9b7a1d5ec..696207b73c 100644 --- a/proto/zitadel/auth.proto +++ b/proto/zitadel/auth.proto @@ -771,7 +771,7 @@ message GetMyEmailResponse { } message SetMyEmailRequest { - string email = 1 [(validate.rules).string.email = true]; //TODO: check if no value is allowed + string email = 1 [(validate.rules).string.email = true]; } message SetMyEmailResponse { diff --git a/proto/zitadel/management.proto b/proto/zitadel/management.proto index ca34ca774b..b25ab3d44d 100644 --- a/proto/zitadel/management.proto +++ b/proto/zitadel/management.proto @@ -138,7 +138,6 @@ service ManagementService { value: { description: "OK"; } - //TODO: errors }; }; } @@ -2952,7 +2951,7 @@ message AddHumanUserRequest { zitadel.user.v1.Gender gender = 6; } message Email { - string email = 1 [(validate.rules).string.email = true]; //TODO: check if no value is allowed + string email = 1 [(validate.rules).string.email = true]; bool is_email_verified = 2; } message Phone { @@ -2984,7 +2983,7 @@ message ImportHumanUserRequest { zitadel.user.v1.Gender gender = 6; } message Email { - string email = 1 [(validate.rules).string.email = true]; //TODO: check if no value is allowed + string email = 1 [(validate.rules).string.email = true]; bool is_email_verified = 2; } message Phone {