zitadel.ts adaptations

apps/login/next-env-vars.d.ts

@@ -3,17 +3,32 @@ declare namespace NodeJS {
     /**
      * Multitenancy: The system api url
      */
-    AUDIENCE: string;
+    QA_AUDIENCE: string;
 
     /**
      * Multitenancy: The service user id
      */
-    SYSTEM_USER_ID: string;
+    QA_SYSTEM_USER_ID: string;
 
     /**
      * Multitenancy: The service user private key
      */
-    SYSTEM_USER_PRIVATE_KEY: string;
+    QA_SYSTEM_USER_PRIVATE_KEY: string;
+
+    /**
+     * Multitenancy: The system api url for prod environment
+     */
+    PROD_AUDIENCE: string;
+
+    /**
+     * Multitenancy: The service user id for prod environment
+     */
+    PROD_SYSTEM_USER_ID: string;
+
+    /**
+     * Multitenancy: The service user private key for prod environment
+     */
+    PROD_SYSTEM_USER_PRIVATE_KEY: string;
 
     /**
      * Self hosting: The instance url

apps/login/src/app/(login)/accounts/page.tsx

@@ -39,7 +39,7 @@ export default async function Page(props: {
   const organization = searchParams?.organization;
 
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   let defaultOrganization;
   if (!organization) {

apps/login/src/app/(login)/authenticator/set/page.tsx

@@ -30,7 +30,7 @@ export default async function Page(props: {
   const { loginName, authRequestId, organization, sessionId } = searchParams;
 
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   const sessionWithData = sessionId
     ? await loadSessionById(serviceUrl, sessionId, organization)

apps/login/src/app/(login)/idp/[provider]/failure/page.tsx

@@ -25,7 +25,7 @@ export default async function Page(props: {
   const { organization } = searchParams;
 
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   const branding = await getBrandingSettings({ serviceUrl, organization });
 

apps/login/src/app/(login)/idp/[provider]/success/page.tsx

@@ -40,7 +40,7 @@ export default async function Page(props: {
   const { provider } = params;
 
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   const branding = await getBrandingSettings({ serviceUrl, organization });
 

apps/login/src/app/(login)/idp/page.tsx

@@ -16,7 +16,7 @@ export default async function Page(props: {
   const organization = searchParams?.organization;
 
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   const identityProviders = await getActiveIdentityProviders({
     serviceUrl,

apps/login/src/app/(login)/invite/page.tsx

@@ -21,7 +21,7 @@ export default async function Page(props: {
   let { firstname, lastname, email, organization } = searchParams;
 
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   if (!organization) {
     const org = await getDefaultOrg({ serviceUrl });

apps/login/src/app/(login)/invite/success/page.tsx

@@ -19,7 +19,7 @@ export default async function Page(props: {
   let { userId, organization } = searchParams;
 
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   if (!organization) {
     const org = await getDefaultOrg({ serviceUrl });

apps/login/src/app/(login)/loginname/page.tsx

@@ -26,7 +26,7 @@ export default async function Page(props: {
   const submit: boolean = searchParams?.submit === "true";
 
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   let defaultOrganization;
   if (!organization) {

apps/login/src/app/(login)/mfa/page.tsx

@@ -25,7 +25,7 @@ export default async function Page(props: {
   const { loginName, authRequestId, organization, sessionId } = searchParams;
 
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   const sessionFactors = sessionId
     ? await loadSessionById(serviceUrl, sessionId, organization)

apps/login/src/app/(login)/mfa/set/page.tsx

@@ -52,7 +52,7 @@ export default async function Page(props: {
   } = searchParams;
 
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   const sessionWithData = sessionId
     ? await loadSessionById(serviceUrl, sessionId, organization)

apps/login/src/app/(login)/otp/[method]/page.tsx

@@ -24,7 +24,7 @@ export default async function Page(props: {
   const tError = await getTranslations({ locale, namespace: "error" });
 
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
   const host = _headers.get("host");
 
   if (!host || typeof host !== "string") {

apps/login/src/app/(login)/otp/[method]/set/page.tsx

@@ -34,7 +34,7 @@ export default async function Page(props: {
   const { method } = params;
 
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   const branding = await getBrandingSettings({ serviceUrl, organization });
   const loginSettings = await getLoginSettings({ serviceUrl, organization });

apps/login/src/app/(login)/passkey/page.tsx

@@ -25,7 +25,7 @@ export default async function Page(props: {
     searchParams;
 
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   const sessionFactors = sessionId
     ? await loadSessionById(serviceUrl, sessionId, organization)

apps/login/src/app/(login)/passkey/set/page.tsx

@@ -20,7 +20,7 @@ export default async function Page(props: {
     searchParams;
 
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   const session = await loadMostRecentSession({
     serviceUrl,

apps/login/src/app/(login)/password/change/page.tsx

@@ -16,7 +16,7 @@ export default async function Page(props: {
   searchParams: Promise<Record<string | number | symbol, string | undefined>>;
 }) {
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   const searchParams = await props.searchParams;
   const locale = getLocale();

apps/login/src/app/(login)/password/page.tsx

@@ -25,7 +25,7 @@ export default async function Page(props: {
   let { loginName, organization, authRequestId, alt } = searchParams;
 
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   let defaultOrganization;
   if (!organization) {

apps/login/src/app/(login)/password/set/page.tsx

@@ -27,7 +27,7 @@ export default async function Page(props: {
     searchParams;
 
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   // also allow no session to be found (ignoreUnkownUsername)
   let session: Session | undefined;

apps/login/src/app/(login)/register/page.tsx

@@ -23,7 +23,7 @@ export default async function Page(props: {
     searchParams;
 
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   if (!organization) {
     const org: Organization | null = await getDefaultOrg({ serviceUrl });

apps/login/src/app/(login)/register/password/page.tsx

@@ -23,7 +23,7 @@ export default async function Page(props: {
     searchParams;
 
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   if (!organization) {
     const org: Organization | null = await getDefaultOrg({ serviceUrl });

apps/login/src/app/(login)/signedin/page.tsx

@@ -61,7 +61,7 @@ export default async function Page(props: { searchParams: Promise<any> }) {
   const t = await getTranslations({ locale, namespace: "signedin" });
 
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   const { loginName, authRequestId, organization } = searchParams;
   const sessionFactors = await loadSession(

apps/login/src/app/(login)/u2f/page.tsx

@@ -20,7 +20,7 @@ export default async function Page(props: {
   const { loginName, authRequestId, sessionId, organization } = searchParams;
 
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
   const host = _headers.get("host");
 
   if (!host || typeof host !== "string") {

apps/login/src/app/(login)/u2f/set/page.tsx

@@ -19,7 +19,7 @@ export default async function Page(props: {
   const { loginName, organization, authRequestId, checkAfter } = searchParams;
 
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   const sessionFactors = await loadMostRecentSession({
     serviceUrl,

apps/login/src/app/(login)/verify/page.tsx

@@ -26,7 +26,7 @@ export default async function Page(props: { searchParams: Promise<any> }) {
     searchParams;
 
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
   const host = _headers.get("host");
 
   if (!host || typeof host !== "string") {

apps/login/src/app/login/route.ts

@@ -199,7 +199,7 @@ export async function GET(request: NextRequest) {
   const sessionId = searchParams.get("sessionId");
 
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   // TODO: find a better way to handle _rsc (react server components) requests and block them to avoid conflicts when creating oidc callback
   const _rsc = searchParams.get("_rsc");

apps/login/src/lib/api.ts

@@ -1,17 +1,52 @@
 import { newSystemToken } from "@zitadel/client/node";
 
-export async function systemAPIToken() {
+export async function systemAPIToken({
-  const audience = process.env.AUDIENCE;
+  serviceRegion,
-  const userID = process.env.SYSTEM_USER_ID;
+}: {
-  const key = process.env.SYSTEM_USER_PRIVATE_KEY;
+  serviceRegion: string;
+}) {
+  const QA = {
+    audience: process.env.QA_AUDIENCE,
+    userID: process.env.QA_SYSTEM_USER_ID,
+    token: Buffer.from(
+      process.env.QA_SYSTEM_USER_PRIVATE_KEY,
+      "base64",
+    ).toString("utf-8"),
+  };
 
-  const decodedToken = Buffer.from(key, "base64").toString("utf-8");
+  const PROD = {
+    audience: process.env.QA_AUDIENCE,
+    userID: process.env.QA_SYSTEM_USER_ID,
+    token: Buffer.from(
+      process.env.PROD_SYSTEM_USER_PRIVATE_KEY,
+      "base64",
+    ).toString("utf-8"),
+  };
 
-  const token = newSystemToken({
+  let token;
-    audience: audience,
+
-    subject: userID,
+  switch (serviceRegion) {
-    key: decodedToken,
+    case "eu1":
-  });
+      token = newSystemToken({
+        audience: QA.audience,
+        subject: QA.userID,
+        key: QA.token,
+      });
+      break;
+    case "us1":
+      token = newSystemToken({
+        audience: PROD.audience,
+        subject: PROD.userID,
+        key: PROD.token,
+      });
+      break;
+    default:
+      token = newSystemToken({
+        audience: QA.audience,
+        subject: QA.userID,
+        key: QA.token,
+      });
+  }
 
   return token;
 }

apps/login/src/lib/self.ts

@@ -26,7 +26,7 @@ export async function setMyPassword({
   password: string;
 }) {
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   const sessionCookie = await getSessionCookieById({ sessionId });
 

apps/login/src/lib/server/cookie.ts

@@ -35,7 +35,7 @@ export async function createSessionAndUpdateCookie(
   lifetime?: Duration,
 ): Promise<Session> {
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   const createdSession = await createSessionFromChecks({
     serviceUrl,
@@ -97,7 +97,7 @@ export async function createSessionForIdpAndUpdateCookie(
   lifetime?: Duration,
 ): Promise<Session> {
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   const createdSession = await createSessionForUserIdAndIdpIntent({
     serviceUrl,
@@ -159,7 +159,7 @@ export async function setSessionAndUpdateCookie(
   lifetime?: Duration,
 ) {
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   return setSession({
     serviceUrl,

apps/login/src/lib/server/idp.ts

@@ -19,7 +19,7 @@ export type StartIDPFlowCommand = {
 
 export async function startIDPFlow(command: StartIDPFlowCommand) {
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
   const host = _headers.get("host");
 
   if (!host) {
@@ -60,7 +60,7 @@ export async function createNewSessionFromIdpIntent(
   command: CreateNewSessionCommand,
 ) {
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
   const host = _headers.get("host");
 
   if (!host) {

apps/login/src/lib/server/invite.ts

@@ -22,7 +22,7 @@ export type RegisterUserResponse = {
 
 export async function inviteUser(command: InviteUserCommand) {
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
   const host = _headers.get("host");
 
   if (!host) {

apps/login/src/lib/server/loginname.ts

@@ -34,7 +34,7 @@ const ORG_SUFFIX_REGEX = /(?<=@)(.+)/;
 
 export async function sendLoginname(command: SendLoginnameCommand) {
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
   const host = _headers.get("host");
 
   if (!host) {
@@ -80,7 +80,7 @@ export async function sendLoginname(command: SendLoginnameCommand) {
 
     if (identityProviders.length === 1) {
       const _headers = await headers();
-      const serviceUrl = getServiceUrlFromHeaders(_headers);
+      const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
       const host = _headers.get("host");
 
       if (!host) {
@@ -129,7 +129,7 @@ export async function sendLoginname(command: SendLoginnameCommand) {
 
     if (identityProviders.length === 1) {
       const _headers = await headers();
-      const serviceUrl = getServiceUrlFromHeaders(_headers);
+      const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
       const host = _headers.get("host");
 
       if (!host) {

apps/login/src/lib/server/otp.ts

@@ -27,7 +27,7 @@ export type SetOTPCommand = {
 
 export async function setOTP(command: SetOTPCommand) {
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   const recentSession = command.sessionId
     ? await getSessionCookieById({ sessionId: command.sessionId }).catch(

apps/login/src/lib/server/passkeys.ts

@@ -43,7 +43,7 @@ export async function registerPasskeyLink(
   const { sessionId } = command;
 
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
   const host = _headers.get("host");
 
   if (!host) {
@@ -90,7 +90,7 @@ export async function registerPasskeyLink(
 
 export async function verifyPasskeyRegistration(command: VerifyPasskeyCommand) {
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   // if no name is provided, try to generate one from the user agent
   let passkeyName = command.passkeyName;
@@ -153,7 +153,7 @@ export async function sendPasskey(command: SendPasskeyCommand) {
   }
 
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   const loginSettings = await getLoginSettings({ serviceUrl, organization });
 

apps/login/src/lib/server/password.ts

@@ -45,7 +45,7 @@ type ResetPasswordCommand = {
 
 export async function resetPassword(command: ResetPasswordCommand) {
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
   const host = _headers.get("host");
 
   if (!host || typeof host !== "string") {
@@ -85,7 +85,7 @@ export type UpdateSessionCommand = {
 
 export async function sendPassword(command: UpdateSessionCommand) {
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   let sessionCookie = await getSessionCookieByLoginName({
     loginName: command.loginName,
@@ -255,7 +255,7 @@ export async function changePassword(command: {
   password: string;
 }) {
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   // check for init state
   const { user } = await getUserByID({ serviceUrl, userId: command.userId });
@@ -284,7 +284,7 @@ export async function checkSessionAndSetPassword({
   password,
 }: CheckSessionAndSetPasswordCommand) {
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   const sessionCookie = await getSessionCookieById({ sessionId });
 

apps/login/src/lib/server/register.ts

@@ -29,7 +29,7 @@ export type RegisterUserResponse = {
 };
 export async function registerUser(command: RegisterUserCommand) {
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
   const host = _headers.get("host");
 
   if (!host || typeof host !== "string") {

apps/login/src/lib/server/session.ts

@@ -25,7 +25,7 @@ export async function continueWithSession({
   ...session
 }: Session & { authRequestId?: string }) {
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   const loginSettings = await getLoginSettings({
     serviceUrl,
@@ -88,7 +88,7 @@ export async function updateSession(options: UpdateSessionCommand) {
   }
 
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
   const host = _headers.get("host");
 
   if (!host) {
@@ -152,7 +152,7 @@ type ClearSessionOptions = {
 
 export async function clearSession(options: ClearSessionOptions) {
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   const { sessionId } = options;
 
@@ -175,7 +175,7 @@ type CleanupSessionCommand = {
 
 export async function cleanupSession({ sessionId }: CleanupSessionCommand) {
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   const sessionCookie = await getSessionCookieById({ sessionId });
 

apps/login/src/lib/server/u2f.ts

@@ -21,7 +21,7 @@ type VerifyU2FCommand = {
 
 export async function addU2F(command: RegisterU2FCommand) {
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
   const host = _headers.get("host");
 
   if (!host || typeof host !== "string") {
@@ -59,7 +59,7 @@ export async function addU2F(command: RegisterU2FCommand) {
 
 export async function verifyU2F(command: VerifyU2FCommand) {
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
   const host = _headers.get("host");
 
   if (!host || typeof host !== "string") {

apps/login/src/lib/server/verify.ts

@@ -30,7 +30,7 @@ export async function verifyTOTP(
   organization?: string,
 ) {
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   return loadMostRecentSession({
     serviceUrl,
@@ -62,7 +62,7 @@ type VerifyUserByEmailCommand = {
 
 export async function sendVerification(command: VerifyUserByEmailCommand) {
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   const verifyResponse = command.isInvite
     ? await verifyInviteCode({
@@ -244,7 +244,7 @@ type resendVerifyEmailCommand = {
 
 export async function resendVerification(command: resendVerifyEmailCommand) {
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
   const host = _headers.get("host");
 
   if (!host) {
@@ -290,7 +290,7 @@ export async function sendVerificationRedirectWithoutCheck(
   command: SendVerificationRedirectWithoutCheckCommand,
 ) {
   const _headers = await headers();
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   if (!("loginName" in command || "userId" in command)) {
     return { error: "No userId, nor loginname provided" };

apps/login/src/lib/service.ts

@@ -20,16 +20,17 @@ type ServiceClass =
 export async function createServiceForHost<T extends ServiceClass>(
   service: T,
   serviceUrl: string,
+  serviceRegion: string,
 ) {
   let token;
 
   // if we are running in a multitenancy context, use the system user token
   if (
-    process.env.AUDIENCE &&
+    process.env.QA_AUDIENCE &&
-    process.env.SYSTEM_USER_ID &&
+    process.env.QA_SYSTEM_USER_ID &&
-    process.env.SYSTEM_USER_PRIVATE_KEY
+    process.env.QA_SYSTEM_USER_PRIVATE_KEY
   ) {
-    token = await systemAPIToken();
+    token = await systemAPIToken(serviceRegion);
   } else if (process.env.ZITADEL_SERVICE_USER_TOKEN) {
     token = process.env.ZITADEL_SERVICE_USER_TOKEN;
   }
@@ -49,7 +50,10 @@ export async function createServiceForHost<T extends ServiceClass>(
   return createClientFor<T>(service)(transport);
 }
 
-export function getServiceUrlFromHeaders(headers: ReadonlyHeaders): string {
+export function getServiceUrlFromHeaders(headers: ReadonlyHeaders): {
+  serviceUrl: string;
+  serviceRegion: string;
+} {
   let instanceUrl: string = process.env.ZITADEL_API_URL;
 
   const forwardedHost = headers.get("x-zitadel-forward-host");
@@ -70,5 +74,8 @@ export function getServiceUrlFromHeaders(headers: ReadonlyHeaders): string {
     }
   }
 
-  return instanceUrl;
+  return {
+    serviceUrl: instanceUrl,
+    serviceRegion: headers.get("x-zitadel-region") || "",
+  };
 }

apps/login/src/lib/zitadel.ts

@@ -55,13 +55,15 @@ async function cacheWrapper<T>(callback: Promise<T>) {
 
 export async function getBrandingSettings({
   serviceUrl,
+  serviceRegion,
   organization,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   organization?: string;
 }) {
   const settingsService: Client<typeof SettingsService> =
-    await createServiceForHost(SettingsService, serviceUrl);
+    await createServiceForHost(SettingsService, serviceUrl, serviceRegion);
 
   const callback = settingsService
     .getBrandingSettings({ ctx: makeReqCtx(organization) }, {})
@@ -72,13 +74,15 @@ export async function getBrandingSettings({
 
 export async function getLoginSettings({
   serviceUrl,
+  serviceRegion,
   organization,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   organization?: string;
 }) {
   const settingsService: Client<typeof SettingsService> =
-    await createServiceForHost(SettingsService, serviceUrl);
+    await createServiceForHost(SettingsService, serviceUrl, serviceRegion);
 
   const callback = settingsService
     .getLoginSettings({ ctx: makeReqCtx(organization) }, {})
@@ -89,14 +93,17 @@ export async function getLoginSettings({
 
 export async function listIDPLinks({
   serviceUrl,
+  serviceRegion,
   userId,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   userId: string;
 }) {
   const userService: Client<typeof UserService> = await createServiceForHost(
     UserService,
     serviceUrl,
+    serviceRegion,
   );
 
   return userService.listIDPLinks({ userId }, {});
@@ -104,14 +111,17 @@ export async function listIDPLinks({
 
 export async function addOTPEmail({
   serviceUrl,
+  serviceRegion,
   userId,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   userId: string;
 }) {
   const userService: Client<typeof UserService> = await createServiceForHost(
     UserService,
     serviceUrl,
+    serviceRegion,
   );
 
   return userService.addOTPEmail({ userId }, {});
@@ -119,14 +129,17 @@ export async function addOTPEmail({
 
 export async function addOTPSMS({
   serviceUrl,
+  serviceRegion,
   userId,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   userId: string;
 }) {
   const userService: Client<typeof UserService> = await createServiceForHost(
     UserService,
     serviceUrl,
+    serviceRegion,
   );
 
   return userService.addOTPSMS({ userId }, {});
@@ -134,14 +147,17 @@ export async function addOTPSMS({
 
 export async function registerTOTP({
   serviceUrl,
+  serviceRegion,
   userId,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   userId: string;
 }) {
   const userService: Client<typeof UserService> = await createServiceForHost(
     UserService,
     serviceUrl,
+    serviceRegion,
   );
 
   return userService.registerTOTP({ userId }, {});
@@ -149,11 +165,13 @@ export async function registerTOTP({
 
 export async function getGeneralSettings({
   serviceUrl,
+  serviceRegion,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
 }) {
   const settingsService: Client<typeof SettingsService> =
-    await createServiceForHost(SettingsService, serviceUrl);
+    await createServiceForHost(SettingsService, serviceUrl, serviceRegion);
 
   const callback = settingsService
     .getGeneralSettings({}, {})
@@ -164,13 +182,15 @@ export async function getGeneralSettings({
 
 export async function getLegalAndSupportSettings({
   serviceUrl,
+  serviceRegion,
   organization,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   organization?: string;
 }) {
   const settingsService: Client<typeof SettingsService> =
-    await createServiceForHost(SettingsService, serviceUrl);
+    await createServiceForHost(SettingsService, serviceUrl, serviceRegion);
 
   const callback = settingsService
     .getLegalAndSupportSettings({ ctx: makeReqCtx(organization) }, {})
@@ -181,13 +201,15 @@ export async function getLegalAndSupportSettings({
 
 export async function getPasswordComplexitySettings({
   serviceUrl,
+  serviceRegion,
   organization,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   organization?: string;
 }) {
   const settingsService: Client<typeof SettingsService> =
-    await createServiceForHost(SettingsService, serviceUrl);
+    await createServiceForHost(SettingsService, serviceUrl, serviceRegion);
 
   const callback = settingsService
     .getPasswordComplexitySettings({ ctx: makeReqCtx(organization) })
@@ -198,28 +220,32 @@ export async function getPasswordComplexitySettings({
 
 export async function createSessionFromChecks({
   serviceUrl,
+  serviceRegion,
   checks,
   challenges,
   lifetime,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   checks: Checks;
   challenges: RequestChallenges | undefined;
   lifetime?: Duration;
 }) {
   const sessionService: Client<typeof SessionService> =
-    await createServiceForHost(SessionService, serviceUrl);
+    await createServiceForHost(SessionService, serviceUrl, serviceRegion);
 
   return sessionService.createSession({ checks, challenges, lifetime }, {});
 }
 
 export async function createSessionForUserIdAndIdpIntent({
   serviceUrl,
+  serviceRegion,
   userId,
   idpIntent,
   lifetime,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   userId: string;
   idpIntent: {
     idpIntentId?: string | undefined;
@@ -228,7 +254,7 @@ export async function createSessionForUserIdAndIdpIntent({
   lifetime?: Duration;
 }) {
   const sessionService: Client<typeof SessionService> =
-    await createServiceForHost(SessionService, serviceUrl);
+    await createServiceForHost(SessionService, serviceUrl, serviceRegion);
 
   return sessionService.createSession({
     checks: {
@@ -246,6 +272,7 @@ export async function createSessionForUserIdAndIdpIntent({
 
 export async function setSession({
   serviceUrl,
+  serviceRegion,
   sessionId,
   sessionToken,
   challenges,
@@ -253,6 +280,7 @@ export async function setSession({
   lifetime,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   sessionId: string;
   sessionToken: string;
   challenges: RequestChallenges | undefined;
@@ -260,7 +288,7 @@ export async function setSession({
   lifetime?: Duration;
 }) {
   const sessionService: Client<typeof SessionService> =
-    await createServiceForHost(SessionService, serviceUrl);
+    await createServiceForHost(SessionService, serviceUrl, serviceRegion);
 
   return sessionService.setSession(
     {
@@ -277,42 +305,51 @@ export async function setSession({
 
 export async function getSession({
   serviceUrl,
+  serviceRegion,
   sessionId,
   sessionToken,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   sessionId: string;
   sessionToken: string;
 }) {
   const sessionService: Client<typeof SessionService> =
-    await createServiceForHost(SessionService, serviceUrl);
+    await createServiceForHost(SessionService, serviceUrl, serviceRegion);
 
   return sessionService.getSession({ sessionId, sessionToken }, {});
 }
 
 export async function deleteSession({
   serviceUrl,
+  serviceRegion,
   sessionId,
   sessionToken,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   sessionId: string;
   sessionToken: string;
 }) {
   const sessionService: Client<typeof SessionService> =
-    await createServiceForHost(SessionService, serviceUrl);
+    await createServiceForHost(SessionService, serviceUrl, serviceRegion);
 
   return sessionService.deleteSession({ sessionId, sessionToken }, {});
 }
 
 type ListSessionsCommand = {
   serviceUrl: string;
+  serviceRegion: string;
   ids: string[];
 };
 
-export async function listSessions({ serviceUrl, ids }: ListSessionsCommand) {
+export async function listSessions({
+  serviceUrl,
+  serviceRegion,
+  ids,
+}: ListSessionsCommand) {
   const sessionService: Client<typeof SessionService> =
-    await createServiceForHost(SessionService, serviceUrl);
+    await createServiceForHost(SessionService, serviceUrl, serviceRegion);
 
   return sessionService.listSessions(
     {
@@ -331,6 +368,7 @@ export async function listSessions({ serviceUrl, ids }: ListSessionsCommand) {
 
 export type AddHumanUserData = {
   serviceUrl: string;
+  serviceRegion: string;
   firstName: string;
   lastName: string;
   email: string;
@@ -340,6 +378,7 @@ export type AddHumanUserData = {
 
 export async function addHumanUser({
   serviceUrl,
+  serviceRegion,
   email,
   firstName,
   lastName,
@@ -349,6 +388,7 @@ export async function addHumanUser({
   const userService: Client<typeof UserService> = await createServiceForHost(
     UserService,
     serviceUrl,
+    serviceRegion,
   );
 
   return userService.addHumanUser({
@@ -372,14 +412,17 @@ export async function addHumanUser({
 
 export async function addHuman({
   serviceUrl,
+  serviceRegion,
   request,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   request: AddHumanUserRequest;
 }) {
   const userService: Client<typeof UserService> = await createServiceForHost(
     UserService,
     serviceUrl,
+    serviceRegion,
   );
 
   return userService.addHumanUser(request);
@@ -387,16 +430,19 @@ export async function addHuman({
 
 export async function verifyTOTPRegistration({
   serviceUrl,
+  serviceRegion,
   code,
   userId,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   code: string;
   userId: string;
 }) {
   const userService: Client<typeof UserService> = await createServiceForHost(
     UserService,
     serviceUrl,
+    serviceRegion,
   );
 
   return userService.verifyTOTPRegistration({ code, userId }, {});
@@ -404,14 +450,17 @@ export async function verifyTOTPRegistration({
 
 export async function getUserByID({
   serviceUrl,
+  serviceRegion,
   userId,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   userId: string;
 }) {
   const userService: Client<typeof UserService> = await createServiceForHost(
     UserService,
     serviceUrl,
+    serviceRegion,
   );
 
   return userService.getUserByID({ userId }, {});
@@ -419,16 +468,19 @@ export async function getUserByID({
 
 export async function verifyInviteCode({
   serviceUrl,
+  serviceRegion,
   userId,
   verificationCode,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   userId: string;
   verificationCode: string;
 }) {
   const userService: Client<typeof UserService> = await createServiceForHost(
     UserService,
     serviceUrl,
+    serviceRegion,
   );
 
   return userService.verifyInviteCode({ userId, verificationCode }, {});
@@ -436,14 +488,17 @@ export async function verifyInviteCode({
 
 export async function resendInviteCode({
   serviceUrl,
+  serviceRegion,
   userId,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   userId: string;
 }) {
   const userService: Client<typeof UserService> = await createServiceForHost(
     UserService,
     serviceUrl,
+    serviceRegion,
   );
 
   return userService.resendInviteCode({ userId }, {});
@@ -451,10 +506,12 @@ export async function resendInviteCode({
 
 export async function sendEmailCode({
   serviceUrl,
+  serviceRegion,
   userId,
   urlTemplate,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   userId: string;
   urlTemplate: string;
 }) {
@@ -473,6 +530,7 @@ export async function sendEmailCode({
   const userService: Client<typeof UserService> = await createServiceForHost(
     UserService,
     serviceUrl,
+    serviceRegion,
   );
 
   return userService.sendEmailCode(medium, {});
@@ -480,10 +538,12 @@ export async function sendEmailCode({
 
 export async function createInviteCode({
   serviceUrl,
+  serviceRegion,
   urlTemplate,
   userId,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   urlTemplate: string;
   userId: string;
 }) {
@@ -499,6 +559,7 @@ export async function createInviteCode({
   const userService: Client<typeof UserService> = await createServiceForHost(
     UserService,
     serviceUrl,
+    serviceRegion,
   );
 
   return userService.createInviteCode(
@@ -515,6 +576,7 @@ export async function createInviteCode({
 
 export type ListUsersCommand = {
   serviceUrl: string;
+  serviceRegion: string;
   loginName?: string;
   userName?: string;
   email?: string;
@@ -524,6 +586,7 @@ export type ListUsersCommand = {
 
 export async function listUsers({
   serviceUrl,
+  serviceRegion,
   loginName,
   userName,
   phone,
@@ -615,6 +678,7 @@ export async function listUsers({
   const userService: Client<typeof UserService> = await createServiceForHost(
     UserService,
     serviceUrl,
+    serviceRegion,
   );
 
   return userService.listUsers({ queries });
@@ -622,6 +686,7 @@ export async function listUsers({
 
 export type SearchUsersCommand = {
   serviceUrl: string;
+  serviceRegion: string;
   searchValue: string;
   loginSettings: LoginSettings;
   organizationId?: string;
@@ -667,6 +732,7 @@ const EmailQuery = (searchValue: string) =>
  *  */
 export async function searchUsers({
   serviceUrl,
+  serviceRegion,
   searchValue,
   loginSettings,
   organizationId,
@@ -700,6 +766,7 @@ export async function searchUsers({
   const userService: Client<typeof UserService> = await createServiceForHost(
     UserService,
     serviceUrl,
+    serviceRegion,
   );
 
   const loginNameResult = await userService.listUsers({ queries });
@@ -786,11 +853,13 @@ export async function searchUsers({
 
 export async function getDefaultOrg({
   serviceUrl,
+  serviceRegion,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
 }): Promise<Organization | null> {
   const orgService: Client<typeof OrganizationService> =
-    await createServiceForHost(OrganizationService, serviceUrl);
+    await createServiceForHost(OrganizationService, serviceUrl, serviceRegion);
 
   return orgService
     .listOrganizations(
@@ -811,13 +880,15 @@ export async function getDefaultOrg({
 
 export async function getOrgsByDomain({
   serviceUrl,
+  serviceRegion,
   domain,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   domain: string;
 }) {
   const orgService: Client<typeof OrganizationService> =
-    await createServiceForHost(OrganizationService, serviceUrl);
+    await createServiceForHost(OrganizationService, serviceUrl, serviceRegion);
 
   return orgService.listOrganizations(
     {
@@ -836,16 +907,19 @@ export async function getOrgsByDomain({
 
 export async function startIdentityProviderFlow({
   serviceUrl,
+  serviceRegion,
   idpId,
   urls,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   idpId: string;
   urls: RedirectURLsJson;
 }) {
   const userService: Client<typeof UserService> = await createServiceForHost(
     UserService,
     serviceUrl,
+    serviceRegion,
   );
 
   return userService.startIdentityProviderIntent({
@@ -859,16 +933,19 @@ export async function startIdentityProviderFlow({
 
 export async function retrieveIdentityProviderInformation({
   serviceUrl,
+  serviceRegion,
   idpIntentId,
   idpIntentToken,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   idpIntentId: string;
   idpIntentToken: string;
 }) {
   const userService: Client<typeof UserService> = await createServiceForHost(
     UserService,
     serviceUrl,
+    serviceRegion,
   );
 
   return userService.retrieveIdentityProviderIntent({
@@ -879,12 +956,18 @@ export async function retrieveIdentityProviderInformation({
 
 export async function getAuthRequest({
   serviceUrl,
+  serviceRegion,
   authRequestId,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   authRequestId: string;
 }) {
-  const oidcService = await createServiceForHost(OIDCService, serviceUrl);
+  const oidcService = await createServiceForHost(
+    OIDCService,
+    serviceUrl,
+    serviceRegion,
+  );
 
   return oidcService.getAuthRequest({
     authRequestId,
@@ -893,28 +976,37 @@ export async function getAuthRequest({
 
 export async function createCallback({
   serviceUrl,
+  serviceRegion,
   req,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   req: CreateCallbackRequest;
 }) {
-  const oidcService = await createServiceForHost(OIDCService, serviceUrl);
+  const oidcService = await createServiceForHost(
+    OIDCService,
+    serviceUrl,
+    serviceRegion,
+  );
 
   return oidcService.createCallback(req);
 }
 
 export async function verifyEmail({
   serviceUrl,
+  serviceRegion,
   userId,
   verificationCode,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   userId: string;
   verificationCode: string;
 }) {
   const userService: Client<typeof UserService> = await createServiceForHost(
     UserService,
     serviceUrl,
+    serviceRegion,
   );
 
   return userService.verifyEmail(
@@ -928,10 +1020,12 @@ export async function verifyEmail({
 
 export async function resendEmailCode({
   serviceUrl,
+  serviceRegion,
   userId,
   urlTemplate,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   userId: string;
   urlTemplate: string;
 }) {
@@ -948,6 +1042,7 @@ export async function resendEmailCode({
   const userService: Client<typeof UserService> = await createServiceForHost(
     UserService,
     serviceUrl,
+    serviceRegion,
   );
 
   return userService.resendEmailCode(request, {});
@@ -955,16 +1050,19 @@ export async function resendEmailCode({
 
 export async function retrieveIDPIntent({
   serviceUrl,
+  serviceRegion,
   id,
   token,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   id: string;
   token: string;
 }) {
   const userService: Client<typeof UserService> = await createServiceForHost(
     UserService,
     serviceUrl,
+    serviceRegion,
   );
 
   return userService.retrieveIdentityProviderIntent(
@@ -975,29 +1073,38 @@ export async function retrieveIDPIntent({
 
 export async function getIDPByID({
   serviceUrl,
+  serviceRegion,
   id,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   id: string;
 }) {
   const idpService: Client<typeof IdentityProviderService> =
-    await createServiceForHost(IdentityProviderService, serviceUrl);
+    await createServiceForHost(
+      IdentityProviderService,
+      serviceUrl,
+      serviceRegion,
+    );
 
   return idpService.getIDPByID({ id }, {}).then((resp) => resp.idp);
 }
 
 export async function addIDPLink({
   serviceUrl,
+  serviceRegion,
   idp,
   userId,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   idp: { id: string; userId: string; userName: string };
   userId: string;
 }) {
   const userService: Client<typeof UserService> = await createServiceForHost(
     UserService,
     serviceUrl,
+    serviceRegion,
   );
 
   return userService.addIDPLink(
@@ -1015,10 +1122,12 @@ export async function addIDPLink({
 
 export async function passwordReset({
   serviceUrl,
+  serviceRegion,
   userId,
   urlTemplate,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   userId: string;
   urlTemplate?: string;
 }) {
@@ -1034,6 +1143,7 @@ export async function passwordReset({
   const userService: Client<typeof UserService> = await createServiceForHost(
     UserService,
     serviceUrl,
+    serviceRegion,
   );
 
   return userService.passwordReset(
@@ -1050,12 +1160,14 @@ export async function passwordReset({
 
 export async function setUserPassword({
   serviceUrl,
+  serviceRegion,
   userId,
   password,
   user,
   code,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   userId: string;
   password: string;
   user: User;
@@ -1097,6 +1209,7 @@ export async function setUserPassword({
   const userService: Client<typeof UserService> = await createServiceForHost(
     UserService,
     serviceUrl,
+    serviceRegion,
   );
 
   return userService.setPassword(payload, {}).catch((error) => {
@@ -1111,14 +1224,17 @@ export async function setUserPassword({
 
 export async function setPassword({
   serviceUrl,
+  serviceRegion,
   payload,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   payload: SetPasswordRequest;
 }) {
   const userService: Client<typeof UserService> = await createServiceForHost(
     UserService,
     serviceUrl,
+    serviceRegion,
   );
 
   return userService.setPassword(payload, {});
@@ -1132,14 +1248,17 @@ export async function setPassword({
  */
 export async function createPasskeyRegistrationLink({
   serviceUrl,
+  serviceRegion,
   userId,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   userId: string;
 }) {
   const userService: Client<typeof UserService> = await createServiceForHost(
     UserService,
     serviceUrl,
+    serviceRegion,
   );
 
   return userService.createPasskeyRegistrationLink({
@@ -1160,16 +1279,19 @@ export async function createPasskeyRegistrationLink({
  */
 export async function registerU2F({
   serviceUrl,
+  serviceRegion,
   userId,
   domain,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   userId: string;
   domain: string;
 }) {
   const userService: Client<typeof UserService> = await createServiceForHost(
     UserService,
     serviceUrl,
+    serviceRegion,
   );
 
   return userService.registerU2F({
@@ -1186,14 +1308,17 @@ export async function registerU2F({
  */
 export async function verifyU2FRegistration({
   serviceUrl,
+  serviceRegion,
   request,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   request: VerifyU2FRegistrationRequest;
 }) {
   const userService: Client<typeof UserService> = await createServiceForHost(
     UserService,
     serviceUrl,
+    serviceRegion,
   );
 
   return userService.verifyU2FRegistration(request, {});
@@ -1208,10 +1333,12 @@ export async function verifyU2FRegistration({
  */
 export async function getActiveIdentityProviders({
   serviceUrl,
+  serviceRegion,
   orgId,
   linking_allowed,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   orgId?: string;
   linking_allowed?: boolean;
 }) {
@@ -1220,7 +1347,7 @@ export async function getActiveIdentityProviders({
     props.linkingAllowed = linking_allowed;
   }
   const settingsService: Client<typeof SettingsService> =
-    await createServiceForHost(SettingsService, serviceUrl);
+    await createServiceForHost(SettingsService, serviceUrl, serviceRegion);
 
   return settingsService.getActiveIdentityProviders(props, {});
 }
@@ -1233,14 +1360,17 @@ export async function getActiveIdentityProviders({
  */
 export async function verifyPasskeyRegistration({
   serviceUrl,
+  serviceRegion,
   request,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   request: VerifyPasskeyRegistrationRequest;
 }) {
   const userService: Client<typeof UserService> = await createServiceForHost(
     UserService,
     serviceUrl,
+    serviceRegion,
   );
 
   return userService.verifyPasskeyRegistration(request, {});
@@ -1256,11 +1386,13 @@ export async function verifyPasskeyRegistration({
  */
 export async function registerPasskey({
   serviceUrl,
+  serviceRegion,
   userId,
   code,
   domain,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   userId: string;
   code: { id: string; code: string };
   domain: string;
@@ -1268,6 +1400,7 @@ export async function registerPasskey({
   const userService: Client<typeof UserService> = await createServiceForHost(
     UserService,
     serviceUrl,
+    serviceRegion,
   );
 
   return userService.registerPasskey({
@@ -1285,14 +1418,17 @@ export async function registerPasskey({
  */
 export async function listAuthenticationMethodTypes({
   serviceUrl,
+  serviceRegion,
   userId,
 }: {
   serviceUrl: string;
+  serviceRegion: string;
   userId: string;
 }) {
   const userService: Client<typeof UserService> = await createServiceForHost(
     UserService,
     serviceUrl,
+    serviceRegion,
   );
 
   return userService.listAuthenticationMethodTypes({

apps/login/src/middleware.ts

@@ -23,7 +23,7 @@ export async function middleware(request: NextRequest) {
 
   const _headers = await headers();
 
-  const serviceUrl = getServiceUrlFromHeaders(_headers);
+  const { serviceUrl, serviceRegion } = getServiceUrlFromHeaders(_headers);
 
   const instanceHost = `${serviceUrl}`.replace("https://", "");
 

turbo.json

@@ -6,9 +6,12 @@
     "DEBUG",
     "VERCEL_URL",
     "EMAIL_VERIFICATION",
-    "AUDIENCE",
+    "QA_AUDIENCE",
-    "SYSTEM_USER_ID",
+    "QA_SYSTEM_USER_ID",
-    "SYSTEM_USER_PRIVATE_KEY",
+    "QA_SYSTEM_USER_PRIVATE_KEY",
+    "PROD_AUDIENCE",
+    "PROD_SYSTEM_USER_ID",
+    "PROD_SYSTEM_USER_PRIVATE_KEY",
     "ZITADEL_API_URL",
     "ZITADEL_SERVICE_USER_ID",
     "ZITADEL_SERVICE_USER_TOKEN",