diff --git a/cmd/admin/start/start.go b/cmd/admin/start/start.go
index a5272eabe8..3b68e349cf 100644
--- a/cmd/admin/start/start.go
+++ b/cmd/admin/start/start.go
@@ -151,7 +151,7 @@ func startAPIs(ctx context.Context, router *mux.Router, commands *command.Comman
 authZRepo,
 queries,
 }
- verifier := internal_authz.Start(repo, http_util.BuildHTTP(config.ExternalDomain, config.ExternalPort, config.ExternalSecure)+oidc.HandlerPrefix, systemAPIKeys)
+ verifier := internal_authz.Start(repo, http_util.BuildHTTP(config.ExternalDomain, config.ExternalPort, config.ExternalSecure), systemAPIKeys)
 apis := api.New(config.Port, router, queries, verifier, config.InternalAuthZ, config.ExternalSecure, config.HTTP2HostHeader, config.HTTP1HostHeader)
 authRepo, err := auth_es.Start(config.Auth, config.SystemDefaults, commands, queries, dbClient, keys.OIDC, keys.User)
@@ -168,7 +168,7 @@ func startAPIs(ctx context.Context, router *mux.Router, commands *command.Comman
 if err := apis.RegisterServer(ctx, admin.CreateServer(config.Database.Database, commands, queries, adminRepo, config.ExternalSecure, keys.User)); err != nil {
 return err
 }
- if err := apis.RegisterServer(ctx, management.CreateServer(commands, queries, config.SystemDefaults, keys.User, config.ExternalSecure, oidc.HandlerPrefix, config.AuditLogRetention)); err != nil {
+ if err := apis.RegisterServer(ctx, management.CreateServer(commands, queries, config.SystemDefaults, keys.User, config.ExternalSecure, config.AuditLogRetention)); err != nil {
 return err
 }
 if err := apis.RegisterServer(ctx, auth.CreateServer(commands, queries, authRepo, config.SystemDefaults, keys.User, config.ExternalSecure, config.AuditLogRetention)); err != nil {
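Review bot: Dropping `oidc.HandlerPrefix` from the issuer handed to internal_authz.Start changes the `iss` the verifier presumably expects from `<origin>/oauth/v2` to the bare origin, so tokens minted before this deploy, and any JWT-profile or introspection client that compares against the old issuer, will stop validating; the commit does not call this out as a breaking change. If the verifier can accept more than one issuer, a transition window listing both values would avoid a hard cut-over; otherwise the description should state that existing tokens and cached discovery documents are invalidated by the upgrade. startAPIs starts before and continues after this hunk.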
@@ -183,18 +183,17 @@ func startAPIs(ctx context.Context, router *mux.Router, commands *command.Comman
 return err
 }
- oidcProvider, err := oidc.NewProvider(ctx, config.OIDC, login.DefaultLoggedOutPath, config.ExternalSecure, commands, queries, authRepo, keys.OIDC, keys.OIDCKey, eventstore, dbClient, userAgentInterceptor, instanceInterceptor.Handler)
- if err != nil {
- return fmt.Errorf("unable to start oidc provider: %w", err)
- }
- apis.RegisterHandler(oidc.HandlerPrefix, oidcProvider.HttpHandler())
-
 openAPIHandler, err := openapi.Start()
 if err != nil {
 return fmt.Errorf("unable to start openapi handler: %w", err)
 }
 apis.RegisterHandler(openapi.HandlerPrefix, openAPIHandler)
+ oidcProvider, err := oidc.NewProvider(ctx, config.OIDC, login.DefaultLoggedOutPath, config.ExternalSecure, commands, queries, authRepo, keys.OIDC, keys.OIDCKey, eventstore, dbClient, userAgentInterceptor, instanceInterceptor.Handler)
+ if err != nil {
+ return fmt.Errorf("unable to start oidc provider: %w", err)
+ }
+
 c, err := console.Start(config.Console, config.ExternalSecure, oidcProvider.IssuerFromRequest, instanceInterceptor.Handler)
 if err != nil {
 return fmt.Errorf("unable to start console: %w", err)
@@ -207,6 +206,12 @@ func startAPIs(ctx context.Context, router *mux.Router, commands *command.Comman
 }
 apis.RegisterHandler(login.HandlerPrefix, l.Handler())
+ //handle oidc at last, to be able to handle the root
+ //we might want to change that in the future
+ //esp. if we want to have multiple well-known endpoints
+ //it might make sense to handle the discovery endpoint and oauth and oidc prefixes individually
+ //but this will require a change in the oidc lib
+ apis.RegisterHandler("", oidcProvider.HttpHandler())
 return nil
 }
diff --git a/cmd/defaults.yaml b/cmd/defaults.yaml
index c77d1b7a88..de1a51496e 100644
--- a/cmd/defaults.yaml
+++ b/cmd/defaults.yaml
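Review bot: Registering the OIDC provider under the empty prefix makes the order of the RegisterHandler calls load-bearing, and the added comment does not state that invariant: whatever the router does with `""`, every path the earlier handlers do not claim presumably ends up in the provider's mux, and any handler registered after this line risks being shadowed. The comment lines also use `//text` instead of the conventional `// text` form. I would replace the five lines with `// The OIDC provider is mounted at the root so it can serve the discovery document; it must stay the last RegisterHandler call because it catches every path the handlers above do not. Splitting the discovery, oauth and oidc prefixes needs support in the oidc lib first.` The -183 hunk above only moves the provider construction earlier so console.Start can use oidcProvider.IssuerFromRequest; startAPIs continues outside both hunks.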
@@ -114,6 +114,20 @@ OIDC:
 MaxAge: 12h
 SharedMaxAge: 168h #7d
 CustomEndpoints:
+ Auth:
+ Path: /oauth/v2/authorize
+ Token:
+ Path: /oauth/v2/token
+ Introspection:
+ Path: /oauth/v2/introspect
+ Userinfo:
+ Path: /oidc/v1/userinfo
+ Revocation:
+ Path: /oauth/v2/revoke
+ EndSession:
+ Path: /oidc/v1/end_session
+ Keys:
+ Path: /oauth/v2/keys
 Login:
 LanguageCookieName: zitadel.login.lang
diff --git a/docs/docs/apis/openidoauth/endpoints.md b/docs/docs/apis/openidoauth/endpoints.md
index 90492f033a..7b5b217e89 100644
--- a/docs/docs/apis/openidoauth/endpoints.md
+++ b/docs/docs/apis/openidoauth/endpoints.md
@@ -387,14 +387,14 @@ If the authorization fails, an HTTP 401 with `invalid_client` will be returned.
 ## userinfo_endpoint
-{your_domain}/oauth/v2/userinfo
+{your_domain}/oidc/v1/userinfo
 This endpoint will return information about the authorized user.
 Send the `access_token` of the **user** (not the client) as Bearer Token in the `authorization` header:
 ```BASH
 curl --request GET \
- --url {your_domain}/oauth/v2/userinfo
+ --url {your_domain}/oidc/v1/userinfo
 --header 'Authorization: Bearer dsfdsjk29fm2as...'
 ```
@@ -482,7 +482,7 @@ curl --request POST \
 ## end_session_endpoint
-{your_domain}/oauth/v2/endsession
+{your_domain}/oidc/v1/endsession
 > The end_session_endpoint is located with the login page, due to the need of accessing the same cookie domain
diff --git a/internal/api/grpc/management/information.go b/internal/api/grpc/management/information.go
index e8b040de63..29ce6ac01c 100644
--- a/internal/api/grpc/management/information.go
+++ b/internal/api/grpc/management/information.go
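Review bot: The EndSession path configured here, `/oidc/v1/end_session`, does not agree with the path this same commit documents in endpoints.md, `{your_domain}/oidc/v1/endsession`; relying parties that copy the documented URL instead of reading the discovery document will hit the wrong path, so one of the two should be corrected. Moving userinfo from `/oauth/v2/userinfo` to `/oidc/v1/userinfo` likewise breaks any client that hard-coded the old path, which deserves a note in the commit description pointing clients at the discovery endpoint. If these paths are what the discovery document advertises, a YAML comment above the block saying so, e.g. `# paths are appended to the issuer and advertised in the discovery document`, would make their relation to the issuer change in start.go explicit.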
@@ -15,7 +15,7 @@ func (s *Server) Healthz(context.Context, *mgmt_pb.HealthzRequest) (*mgmt_pb.Hea
 }
 func (s *Server) GetOIDCInformation(ctx context.Context, _ *mgmt_pb.GetOIDCInformationRequest) (*mgmt_pb.GetOIDCInformationResponse, error) {
- issuer := http.BuildOrigin(authz.GetInstance(ctx).RequestedDomain(), s.externalSecure) + s.issuerPath
+ issuer := http.BuildOrigin(authz.GetInstance(ctx).RequestedHost(), s.externalSecure)
 return &mgmt_pb.GetOIDCInformationResponse{
 Issuer: issuer,
 DiscoveryEndpoint: issuer + oidc.DiscoveryEndpoint,
diff --git a/internal/api/grpc/management/server.go b/internal/api/grpc/management/server.go
index aac4a80e4b..30d177a5e8 100644
--- a/internal/api/grpc/management/server.go
+++ b/internal/api/grpc/management/server.go
@@ -31,7 +31,6 @@ type Server struct {
 passwordHashAlg crypto.HashAlgorithm
 userCodeAlg crypto.EncryptionAlgorithm
 externalSecure bool
- issuerPath string
 auditLogRetention time.Duration
 }
@@ -41,7 +40,6 @@ func CreateServer(
 sd systemdefaults.SystemDefaults,
 userCodeAlg crypto.EncryptionAlgorithm,
 externalSecure bool,
- issuerPath string,
 auditLogRetention time.Duration,
 ) *Server {
 return &Server{
@@ -52,7 +50,6 @@ func CreateServer(
 passwordHashAlg: crypto.NewBCrypt(sd.SecretGenerators.PasswordSaltCost),
 userCodeAlg: userCodeAlg,
 externalSecure: externalSecure,
- issuerPath: issuerPath,
 auditLogRetention: auditLogRetention,
 }
 }
diff --git a/internal/api/oidc/op.go b/internal/api/oidc/op.go
index e8e94444bd..a194fa0c40 100644
--- a/internal/api/oidc/op.go
+++ b/internal/api/oidc/op.go
@@ -26,10 +26,6 @@ import (
 "github.com/zitadel/zitadel/internal/telemetry/metrics"
 )
-const (
- HandlerPrefix = "/oauth/v2"
- )
-
 type Config struct {
 CodeMethodS256 bool
 AuthMethodPost bool
@@ -89,7 +85,7 @@ func NewProvider(ctx context.Context, config Config, defaultLogoutRedirectURI st
 }
 provider, err := op.NewDynamicOpenIDProvider(
 ctx,
- HandlerPrefix,
+ "",
 opConfig,
 storage,
 options...,
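Review bot: The issuer now comes from `RequestedHost()` while the verifier in start.go builds its issuer from `config.ExternalDomain` and `ExternalPort`; if RequestedHost carries a port, or a request arrives through an instance domain other than the external one, the value advertised here can differ from the `iss` the provider signs, and clients that compare the two will reject otherwise valid tokens. Because the host is request-derived, this also relies on the instance lookup rejecting hosts that are not registered for the instance; otherwise the advertised issuer and discovery URL would echo a client-supplied Host header. Both points are inferred, since neither RequestedHost nor the instance resolution is in the hunk; a comment on the new line such as `// must match the issuer the OIDC provider puts into tokens: instance origin, no path prefix` would pin the intended invariant. GetOIDCInformation's body continues past the hunk.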
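Review bot: The bare `""` passed as the provider prefix, together with `apis.RegisterHandler("", ...)` in start.go, leaves two call sites agreeing on an unnamed magic value now that the HandlerPrefix constant is deleted; if one is changed later the advertised endpoints and the mounted routes diverge silently. Keeping an exported constant, e.g. `HandlerPrefix = ""` documented as `// HandlerPrefix is the mount path of the provider; it is the root, so the provider must be the last registered handler.`, and using it at both sites keeps them in sync. NewProvider's body starts and ends outside the hunk.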