feat: add domain verification (#560)

* feat: add domain verification * add checks * add and fix tests * fix go.mod * regenerate proto
2025-02-28 22:47:23 +00:00 · 2020-08-06 15:03:03 +02:00 · 2020-08-06 15:03:03 +02:00 · 7015b226ef
commit 7015b226ef
parent f80367b49a
26 changed files with 15815 additions and 14883 deletions
--- a/cmd/zitadel/caos_local.sh
+++ b/cmd/zitadel/caos_local.sh
@ -25,6 +25,7 @@ export ZITADEL_OTP_VERIFICATION_KEY=OTPVerificationKey_1
 export ZITADEL_OIDC_KEYS_ID=OIDCKey_1
 export ZITADEL_COOKIE_KEY=CookieKey_1
 export ZITADEL_CSRF_KEY=CookieKey_1
+export ZITADEL_DOMAIN_VERIFICATION_KEY=DomainVerificationKey_1

 # Notifications
 export DEBUG_MODE=TRUE
--- a/cmd/zitadel/system-defaults.yaml
+++ b/cmd/zitadel/system-defaults.yaml
@ -71,6 +71,15 @@ SystemDefaults:
      Description: Standard org policy
      UserLoginMustBeDomain: true
  IamID: 'IAM'
+  DomainVerification:
+    VerificationKey:
+      EncryptionKeyID: $ZITADEL_DOMAIN_VERIFICATION_KEY
+    VerificationGenerator:
+      Length: 32
+      IncludeLowerLetters: true
+      IncludeUpperLetters: true
+      IncludeDigits: true
+      IncludeSymbols: false
  SetUp:
    GlobalOrg: 'Global'
    IAMProject: 'Zitadel'
--- a/go.sum
+++ b/go.sum
@ -64,8 +64,6 @@ github.com/andybalholm/cascadia v1.1.0/go.mod h1:GsXiBklL0woXo1j/WYWtSYYC4ouU9Pq
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/aws/aws-sdk-go v1.23.20/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.23.20/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
-github.com/aws/aws-sdk-go v1.33.12 h1:eydMoSwfrSTD9PWKUJOiDL7+/UwDW8AjInUGVE5Llh4=
-github.com/aws/aws-sdk-go v1.33.12/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
 github.com/aws/aws-sdk-go v1.33.13 h1:3+AsCrxxnhiUQEhWV+j3kEs7aBCIn2qkDjA+elpxYPU=
 github.com/aws/aws-sdk-go v1.33.13/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
 github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI=
@ -286,8 +284,6 @@ github.com/lib/pq v1.1.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.1.1/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.4.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
-github.com/lib/pq v1.7.1 h1:FvD5XTVTDt+KON6oIoOmHq6B6HzGuYEhuTMpEG0yuBQ=
-github.com/lib/pq v1.7.1/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.8.0 h1:9xohqzkUwzR4Ga4ivdTcawVS89YSDVxXMa3xJX3cGzg=
 github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lyft/protoc-gen-star v0.4.10/go.mod h1:mE8fbna26u7aEA2QCVvvfBU/ZrPgocG1206xAFPcs94=
@ -517,8 +513,6 @@ golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200523222454-059865788121 h1:rITEj+UZHYC927n8GT97eC3zrpzXdb/voyeOuVKS46o=
 golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200727154430-2d971f7391a4 h1:gtF+PUC1CD1a9ocwQHbVNXuTp6RQsAYt6tpi6zjT81Y=
-golang.org/x/sys v0.0.0-20200727154430-2d971f7391a4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1 h1:sIky/MyNRSHTrdxfsiUSS4WIAMvInbeXljJz+jDjeYE=
 golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@ -577,8 +571,6 @@ golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roY
 golang.org/x/tools v0.0.0-20200522201501-cb1345f3a375/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200713011307-fd294ab11aed/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20200725200936-102e7d357031 h1:VtIxiVHWPhnny2ZTi4f9/2diZKqyLaq3FUTuud5+khA=
-golang.org/x/tools v0.0.0-20200725200936-102e7d357031/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200727233628-55644ead90ce h1:HEwYEPqqa3/M0N2Q6IgtBaf2CaxvmRiVdAhX6LR7uE4=
 golang.org/x/tools v0.0.0-20200727233628-55644ead90ce/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@ -647,8 +639,6 @@ google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013 h1:+kGHl1aib/qcwaR
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
 google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=
 google.golang.org/genproto v0.0.0-20200711021454-869866162049/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20200726014623-da3ae01ef02d h1:HJaAqDnKreMkv+AQyf1Mcw0jEmL9kKBNL07RDJu1N/k=
-google.golang.org/genproto v0.0.0-20200726014623-da3ae01ef02d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20200728010541-3dc8dca74b7b h1:FWkel6k8GbR7SbBY200Cz8tA58/KtMrfpVZwOOSjOvQ=
 google.golang.org/genproto v0.0.0-20200728010541-3dc8dca74b7b/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
--- a/internal/api/grpc/management/org.go
+++ b/internal/api/grpc/management/org.go
@ -65,6 +65,26 @@ func (s *Server) AddMyOrgDomain(ctx context.Context, in *management.AddOrgDomain
 	return orgDomainFromModel(domain), nil
 }

+func (s *Server) GenerateMyOrgDomainValidation(ctx context.Context, in *management.OrgDomainValidationRequest) (*management.OrgDomainValidationResponse, error) {
+	token, url, err := s.org.GenerateMyOrgDomainValidation(ctx, orgDomainValidationToModel(in))
+	if err != nil {
+		return nil, err
+	}
+	return &management.OrgDomainValidationResponse{
+		Token: token,
+		Url:   url,
+	}, nil
+}
+
+func (s *Server) ValidateMyOrgDomain(ctx context.Context, in *management.ValidateOrgDomainRequest) (*empty.Empty, error) {
+	err := s.org.ValidateMyOrgDomain(ctx, validateOrgDomainToModel(in))
+	return &empty.Empty{}, err
+}
+func (s *Server) SetMyPrimaryOrgDomain(ctx context.Context, in *management.PrimaryOrgDomainRequest) (*empty.Empty, error) {
+	err := s.org.SetMyPrimaryOrgDomain(ctx, primaryOrgDomainToModel(in))
+	return &empty.Empty{}, err
+}
+
 func (s *Server) RemoveMyOrgDomain(ctx context.Context, in *management.RemoveOrgDomainRequest) (*empty.Empty, error) {
 	err := s.org.RemoveMyOrgDomain(ctx, in.Domain)
 	return &empty.Empty{}, err
--- a/internal/api/grpc/management/org_converter.go
+++ b/internal/api/grpc/management/org_converter.go
@ -68,6 +68,32 @@ func addOrgDomainToModel(domain *management.AddOrgDomainRequest) *org_model.OrgD
 	return &org_model.OrgDomain{Domain: domain.Domain}
 }

+func orgDomainValidationToModel(domain *management.OrgDomainValidationRequest) *org_model.OrgDomain {
+	return &org_model.OrgDomain{
+		Domain:         domain.Domain,
+		ValidationType: orgDomainValidationTypeToModel(domain.Type),
+	}
+}
+
+func validateOrgDomainToModel(domain *management.ValidateOrgDomainRequest) *org_model.OrgDomain {
+	return &org_model.OrgDomain{Domain: domain.Domain}
+}
+
+func orgDomainValidationTypeToModel(key management.OrgDomainValidationType) org_model.OrgDomainValidationType {
+	switch key {
+	case management.OrgDomainValidationType_ORGDOMAINVALIDATIONTYPE_HTTP:
+		return org_model.OrgDomainValidationTypeHTTP
+	case management.OrgDomainValidationType_ORGDOMAINVALIDATIONTYPE_DNS:
+		return org_model.OrgDomainValidationTypeDNS
+	default:
+		return org_model.OrgDomainValidationTypeUnspecified
+	}
+}
+
+func primaryOrgDomainToModel(domain *management.PrimaryOrgDomainRequest) *org_model.OrgDomain {
+	return &org_model.OrgDomain{Domain: domain.Domain}
+}
+
 func orgDomainFromModel(domain *org_model.OrgDomain) *management.OrgDomain {
 	creationDate, err := ptypes.TimestampProto(domain.CreationDate)
 	logging.Log("GRPC-u8Ksj").OnError(err).Debug("unable to get timestamp from time")
--- a/internal/api/http/domain_check.go
+++ b/internal/api/http/domain_check.go
@ -0,0 +1,83 @@
+package http
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net"
+	"net/http"
+
+	"github.com/caos/zitadel/internal/errors"
+)
+
+type CheckType int
+
+const (
+	CheckTypeHTTP CheckType = iota
+	CheckTypeDNS
+
+	HTTPPattern = "https://%s/.well-known/zitadel-challenge/%s"
+	DNSPattern  = "_zitadel-challenge.%s"
+)
+
+func ValidateDomain(domain, token, verifier string, checkType CheckType) error {
+	switch checkType {
+	case CheckTypeHTTP:
+		return ValidateDomainHTTP(domain, token, verifier)
+	case CheckTypeDNS:
+		return ValidateDomainDNS(domain, verifier)
+	default:
+		return errors.ThrowInvalidArgument(nil, "HTTP-Iqd11", "Errors.Internal")
+	}
+}
+
+func ValidateDomainHTTP(domain, token, verifier string) error {
+	resp, err := http.Get(tokenUrlHTTP(domain, token))
+	if err != nil {
+		return errors.ThrowInternal(err, "HTTP-BH42h", "Errors.Internal")
+	}
+	if resp.StatusCode != 200 {
+		return errors.ThrowInternal(err, "HTTP-G2zsw", "Errors.Internal")
+	}
+	defer resp.Body.Close()
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return errors.ThrowInternal(err, "HTTP-HB432", "Errors.Internal")
+	}
+	if string(body) == verifier {
+		return nil
+	}
+	return errors.ThrowInvalidArgument(err, "HTTP-GH422", "Errors.Internal")
+}
+
+func ValidateDomainDNS(domain, verifier string) error {
+	txtRecords, err := net.LookupTXT(tokenUrlDNS(domain))
+	if err != nil {
+		return errors.ThrowInternal(err, "HTTP-Hwsw2", "Errors.Internal")
+	}
+
+	for _, record := range txtRecords {
+		if record == verifier {
+			return nil
+		}
+	}
+	return errors.ThrowInvalidArgument(err, "HTTP-G241f", "Errors.Internal")
+}
+
+func TokenUrl(domain, token string, checkType CheckType) (string, error) {
+	switch checkType {
+	case CheckTypeHTTP:
+		return tokenUrlHTTP(domain, token), nil
+	case CheckTypeDNS:
+		return tokenUrlDNS(domain), nil
+	default:
+		return "", errors.ThrowInvalidArgument(nil, "HTTP-Iqd11", "")
+	}
+}
+
+func tokenUrlHTTP(domain, token string) string {
+	return fmt.Sprintf(HTTPPattern, domain, token)
+}
+
+func tokenUrlDNS(domain string) string {
+	return fmt.Sprintf(DNSPattern, domain)
+}
--- a/internal/config/systemdefaults/system_defaults.go
+++ b/internal/config/systemdefaults/system_defaults.go
@ -1,6 +1,8 @@
 package systemdefaults

 import (
+	"golang.org/x/text/language"
+
 	"github.com/caos/zitadel/internal/config/types"
 	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/notification/providers/chat"
@ -9,7 +11,6 @@ import (
 	"github.com/caos/zitadel/internal/notification/templates"
 	org_model "github.com/caos/zitadel/internal/org/model"
 	pol "github.com/caos/zitadel/internal/policy"
-	"golang.org/x/text/language"
 )

 type SystemDefaults struct {
@ -20,6 +21,7 @@ type SystemDefaults struct {
 	Multifactors          MultifactorConfig
 	VerificationLifetimes VerificationLifetimes
 	DefaultPolicies       DefaultPolicies
+	DomainVerification    DomainVerification
 	IamID                 string
 	SetUp                 types.IAMSetUp
 	Notifications         Notifications
@ -62,6 +64,11 @@ type DefaultPolicies struct {
 	OrgIam     org_model.OrgIamPolicy
 }

+type DomainVerification struct {
+	VerificationKey       *crypto.KeyConfig
+	VerificationGenerator crypto.GeneratorConfig
+}
+
 type Notifications struct {
 	DebugMode    bool
 	Endpoints    Endpoints
--- a/internal/management/repository/eventsourcing/eventstore/org.go
+++ b/internal/management/repository/eventsourcing/eventstore/org.go
@ -2,19 +2,21 @@ package eventstore

 import (
 	"context"
-	"github.com/caos/logging"
-	"github.com/caos/zitadel/internal/eventstore/sdk"
-	org_es_model "github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
 	"strings"
+	"github.com/caos/logging"

 	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/sdk"
 	mgmt_view "github.com/caos/zitadel/internal/management/repository/eventsourcing/view"
 	global_model "github.com/caos/zitadel/internal/model"
 	org_model "github.com/caos/zitadel/internal/org/model"
 	org_es "github.com/caos/zitadel/internal/org/repository/eventsourcing"
+	org_es_model "github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
 	"github.com/caos/zitadel/internal/org/repository/view/model"
 	usr_es "github.com/caos/zitadel/internal/user/repository/eventsourcing"
+
+
 )

 const (
@ -109,6 +111,21 @@ func (repo *OrgRepository) AddMyOrgDomain(ctx context.Context, domain *org_model
 	return repo.OrgEventstore.AddOrgDomain(ctx, domain)
 }

+func (repo *OrgRepository) GenerateMyOrgDomainValidation(ctx context.Context, domain *org_model.OrgDomain) (string, string, error) {
+	domain.AggregateID = authz.GetCtxData(ctx).OrgID
+	return repo.OrgEventstore.GenerateOrgDomainValidation(ctx, domain)
+}
+
+func (repo *OrgRepository) ValidateMyOrgDomain(ctx context.Context, domain *org_model.OrgDomain) error {
+	domain.AggregateID = authz.GetCtxData(ctx).OrgID
+	return repo.OrgEventstore.ValidateOrgDomain(ctx, domain)
+}
+
+func (repo *OrgRepository) SetMyPrimaryOrgDomain(ctx context.Context, domain *org_model.OrgDomain) error {
+	domain.AggregateID = authz.GetCtxData(ctx).OrgID
+	return repo.OrgEventstore.SetPrimaryOrgDomain(ctx, domain)
+}
+
 func (repo *OrgRepository) RemoveMyOrgDomain(ctx context.Context, domain string) error {
 	d := org_model.NewOrgDomain(authz.GetCtxData(ctx).OrgID, domain)
 	return repo.OrgEventstore.RemoveOrgDomain(ctx, d)
--- a/internal/management/repository/org.go
+++ b/internal/management/repository/org.go
@ -17,6 +17,9 @@ type OrgRepository interface {

 	SearchMyOrgDomains(ctx context.Context, request *org_model.OrgDomainSearchRequest) (*org_model.OrgDomainSearchResponse, error)
 	AddMyOrgDomain(ctx context.Context, domain *org_model.OrgDomain) (*org_model.OrgDomain, error)
+	GenerateMyOrgDomainValidation(ctx context.Context, domain *org_model.OrgDomain) (string, string, error)
+	ValidateMyOrgDomain(ctx context.Context, domain *org_model.OrgDomain) error
+	SetMyPrimaryOrgDomain(ctx context.Context, domain *org_model.OrgDomain) error
 	RemoveMyOrgDomain(ctx context.Context, domain string) error

 	SearchMyOrgMembers(ctx context.Context, request *org_model.OrgMemberSearchRequest) (*org_model.OrgMemberSearchResponse, error)
--- a/internal/notification/repository/eventsourcing/handler/notify_user.go
+++ b/internal/notification/repository/eventsourcing/handler/notify_user.go
@ -119,7 +119,7 @@ func (u *NotifyUser) fillLoginNamesOnOrgUsers(event *models.Event) error {
 			return err
 		}
 	}
-	return nil
+	return u.view.ProcessedNotifyUserSequence(event.Sequence)
 }

 func (u *NotifyUser) fillPreferredLoginNamesOnOrgUsers(event *models.Event) error {
--- a/internal/org/model/domain.go
+++ b/internal/org/model/domain.go
@ -1,12 +1,41 @@
 package model

-import es_models "github.com/caos/zitadel/internal/eventstore/models"
+import (
+	http_util "github.com/caos/zitadel/internal/api/http"
+	"github.com/caos/zitadel/internal/crypto"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+)

 type OrgDomain struct {
 	es_models.ObjectRoot
 	Domain         string
 	Primary        bool
 	Verified       bool
+	ValidationType OrgDomainValidationType
+	ValidationCode *crypto.CryptoValue
+}
+
+type OrgDomainValidationType int32
+
+const (
+	OrgDomainValidationTypeUnspecified OrgDomainValidationType = iota
+	OrgDomainValidationTypeHTTP
+	OrgDomainValidationTypeDNS
+)
+
+func (t OrgDomainValidationType) CheckType() (http_util.CheckType, bool) {
+	switch t {
+	case OrgDomainValidationTypeHTTP:
+		return http_util.CheckTypeHTTP, true
+	case OrgDomainValidationTypeDNS:
+		return http_util.CheckTypeDNS, true
+	default:
+		return -1, false
+	}
+}
+
+func (t OrgDomainValidationType) IsDNS() bool {
+	return t == OrgDomainValidationTypeDNS
 }

 func NewOrgDomain(orgID, domain string) *OrgDomain {
@ -16,3 +45,12 @@ func NewOrgDomain(orgID, domain string) *OrgDomain {
 func (domain *OrgDomain) IsValid() bool {
 	return domain.AggregateID != "" && domain.Domain != ""
 }
+
+func (domain *OrgDomain) GenerateVerificationCode(codeGenerator crypto.Generator) (string, error) {
+	validationCodeCrypto, validationCode, err := crypto.NewCode(codeGenerator)
+	if err != nil {
+		return "", err
+	}
+	domain.ValidationCode = validationCodeCrypto
+	return validationCode, nil
+}
--- a/internal/org/repository/eventsourcing/eventstore.go
+++ b/internal/org/repository/eventsourcing/eventstore.go
@ -4,9 +4,12 @@ import (
 	"context"
 	"encoding/json"

-	"github.com/caos/zitadel/internal/config/systemdefaults"
-
 	"github.com/caos/logging"
+	"github.com/golang/protobuf/ptypes"
+
+	http_utils "github.com/caos/zitadel/internal/api/http"
+	"github.com/caos/zitadel/internal/config/systemdefaults"
+	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/eventstore"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
@ -14,28 +17,37 @@ import (
 	"github.com/caos/zitadel/internal/id"
 	org_model "github.com/caos/zitadel/internal/org/model"
 	"github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
-	"github.com/golang/protobuf/ptypes"
 )

 type OrgEventstore struct {
 	eventstore.Eventstore
 	IAMDomain             string
 	idGenerator           id.Generator
+	verificationAlgorithm crypto.EncryptionAlgorithm
+	verificationGenerator crypto.Generator
 	defaultOrgIamPolicy   *org_model.OrgIamPolicy
+	verificationValidator func(domain string, token string, verifier string, checkType http_utils.CheckType) error
 }

 type OrgConfig struct {
 	eventstore.Eventstore
 	IAMDomain          string
+	VerificationConfig *crypto.KeyConfig
 }

 func StartOrg(conf OrgConfig, defaults systemdefaults.SystemDefaults) *OrgEventstore {
 	policy := defaults.DefaultPolicies.OrgIam
 	policy.Default = true
 	policy.IamDomain = conf.IAMDomain
+	verificationAlg, err := crypto.NewAESCrypto(defaults.DomainVerification.VerificationKey)
+	logging.Log("EVENT-aZ22d").OnError(err).Panic("cannot create verificationAlgorithm for domain verification")
+	verificationGen := crypto.NewEncryptionGenerator(defaults.DomainVerification.VerificationGenerator, verificationAlg)
 	return &OrgEventstore{
 		Eventstore:            conf.Eventstore,
 		idGenerator:           id.SonyFlakeGenerator,
+		verificationAlgorithm: verificationAlg,
+		verificationGenerator: verificationGen,
+		verificationValidator: http_utils.ValidateDomain,
 		IAMDomain:             conf.IAMDomain,
 		defaultOrgIamPolicy:   &policy,
 	}
@ -149,7 +161,7 @@ func (es *OrgEventstore) ReactivateOrg(ctx context.Context, orgID string) (*org_
 }

 func (es *OrgEventstore) AddOrgDomain(ctx context.Context, domain *org_model.OrgDomain) (*org_model.OrgDomain, error) {
-	if !domain.IsValid() {
+	if domain == nil || !domain.IsValid() {
 		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-8sFJW", "Errors.Org.InvalidDomain")
 	}
 	existing, err := es.OrgByID(ctx, org_model.NewOrg(domain.AggregateID))
@ -171,6 +183,107 @@ func (es *OrgEventstore) AddOrgDomain(ctx context.Context, domain *org_model.Org
 	return nil, errors.ThrowInternal(nil, "EVENT-ISOP0", "Errors.Internal")
 }

+func (es *OrgEventstore) GenerateOrgDomainValidation(ctx context.Context, domain *org_model.OrgDomain) (string, string, error) {
+	if domain == nil || !domain.IsValid() {
+		return "", "", errors.ThrowPreconditionFailed(nil, "EVENT-R24hb", "Errors.Org.InvalidDomain")
+	}
+	checkType, ok := domain.ValidationType.CheckType()
+	if !ok {
+		return "", "", errors.ThrowPreconditionFailed(nil, "EVENT-Gsw31", "Errors.Org.DomainVerificationTypeInvalid")
+	}
+	existing, err := es.OrgByID(ctx, org_model.NewOrg(domain.AggregateID))
+	if err != nil {
+		return "", "", err
+	}
+	_, d := existing.GetDomain(domain)
+	if d == nil {
+		return "", "", errors.ThrowPreconditionFailed(nil, "EVENT-AGD31", "Errors.Org.DomainNotOnOrg")
+	}
+	if d.Verified {
+		return "", "", errors.ThrowPreconditionFailed(nil, "EVENT-HGw21", "Errors.Org.DomainAlreadyVerified")
+	}
+	token, err := domain.GenerateVerificationCode(es.verificationGenerator)
+	if err != nil {
+		return "", "", err
+	}
+	url, err := http_utils.TokenUrl(domain.Domain, token, checkType)
+	if err != nil {
+		return "", "", errors.ThrowPreconditionFailed(err, "EVENT-Bae21", "Errors.Org.DomainVerificationTypeInvalid")
+	}
+
+	repoOrg := model.OrgFromModel(existing)
+	repoDomain := model.OrgDomainFromModel(domain)
+	aggregate := OrgDomainValidationGeneratedAggregate(es.Eventstore.AggregateCreator(), repoOrg, repoDomain)
+
+	err = es_sdk.Push(ctx, es.PushAggregates, repoOrg.AppendEvents, aggregate)
+	if err != nil {
+		return "", "", err
+	}
+	return token, url, err
+}
+
+func (es *OrgEventstore) ValidateOrgDomain(ctx context.Context, domain *org_model.OrgDomain) error {
+	if domain == nil || !domain.IsValid() {
+		return errors.ThrowPreconditionFailed(nil, "EVENT-R24hb", "Errors.Org.InvalidDomain")
+	}
+	existing, err := es.OrgByID(ctx, org_model.NewOrg(domain.AggregateID))
+	if err != nil {
+		return err
+	}
+	_, d := existing.GetDomain(domain)
+	if d == nil {
+		return errors.ThrowPreconditionFailed(nil, "EVENT-Sjdi3", "Errors.Org.DomainNotOnOrg")
+	}
+	if d.Verified {
+		return errors.ThrowPreconditionFailed(nil, "EVENT-4gT342", "Errors.Org.DomainAlreadyVerified")
+	}
+	if d.ValidationCode == nil || d.ValidationType == org_model.OrgDomainValidationTypeUnspecified {
+		return errors.ThrowPreconditionFailed(nil, "EVENT-SFBB3", "Errors.Org.DomainVerificationMissing")
+	}
+	validationCode, err := crypto.DecryptString(d.ValidationCode, es.verificationAlgorithm)
+	if err != nil {
+		return err
+	}
+	repoOrg := model.OrgFromModel(existing)
+	repoDomain := model.OrgDomainFromModel(domain)
+	checkType, _ := d.ValidationType.CheckType()
+	err = es.verificationValidator(d.Domain, validationCode, validationCode, checkType)
+	if err == nil {
+		orgAggregates, err := OrgDomainVerifiedAggregate(ctx, es.Eventstore.AggregateCreator(), repoOrg, repoDomain)
+		if err != nil {
+			return err
+		}
+		return es_sdk.PushAggregates(ctx, es.PushAggregates, repoOrg.AppendEvents, orgAggregates...)
+	}
+	if err := es_sdk.Push(ctx, es.PushAggregates, repoOrg.AppendEvents, OrgDomainValidationFailedAggregate(es.Eventstore.AggregateCreator(), repoOrg, repoDomain)); err != nil {
+		return err
+	}
+	return errors.ThrowInvalidArgument(err, "EVENT-GH3s", "Errors.Org.DomainVerificationFailed")
+}
+
+func (es *OrgEventstore) SetPrimaryOrgDomain(ctx context.Context, domain *org_model.OrgDomain) error {
+	if domain == nil || !domain.IsValid() {
+		return errors.ThrowPreconditionFailed(nil, "EVENT-SsDG2", "Errors.Org.InvalidDomain")
+	}
+	existing, err := es.OrgByID(ctx, org_model.NewOrg(domain.AggregateID))
+	if err != nil {
+		return err
+	}
+	_, d := existing.GetDomain(domain)
+	if d == nil {
+		return errors.ThrowPreconditionFailed(nil, "EVENT-GDfA3", "Errors.Org.DomainNotOnOrg")
+	}
+	if !d.Verified {
+		return errors.ThrowPreconditionFailed(nil, "EVENT-Ggd32", "Errors.Org.DomainNotVerified")
+	}
+	repoOrg := model.OrgFromModel(existing)
+	repoDomain := model.OrgDomainFromModel(domain)
+	if err := es_sdk.Push(ctx, es.PushAggregates, repoOrg.AppendEvents, OrgDomainSetPrimaryAggregate(es.Eventstore.AggregateCreator(), repoOrg, repoDomain)); err != nil {
+		return err
+	}
+	return nil
+}
+
 func (es *OrgEventstore) RemoveOrgDomain(ctx context.Context, domain *org_model.OrgDomain) error {
 	if domain.Domain == "" {
 		return errors.ThrowPreconditionFailed(nil, "EVENT-SJsK3", "Errors.Org.DomainMissing")
--- a/internal/org/repository/eventsourcing/eventstore_test.go
+++ b/internal/org/repository/eventsourcing/eventstore_test.go
@ -7,8 +7,11 @@ import (
 	"time"

 	"github.com/golang/mock/gomock"
+	"github.com/stretchr/testify/assert"

 	"github.com/caos/zitadel/internal/api/authz"
+	http_util "github.com/caos/zitadel/internal/api/http"
+	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/errors"
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	es_mock "github.com/caos/zitadel/internal/eventstore/mock"
@ -23,8 +26,17 @@ type testOrgEventstore struct {
 }

 func newTestEventstore(t *testing.T) *testOrgEventstore {
-	mock := mockEventstore(t)
-	return &testOrgEventstore{OrgEventstore: OrgEventstore{Eventstore: mock}, mockEventstore: mock}
+	ctrl := gomock.NewController(t)
+	mock := es_mock.NewMockEventstore(ctrl)
+	verificationAlgorithm := crypto.NewMockEncryptionAlgorithm(ctrl)
+	verificationGenerator := crypto.NewMockGenerator(ctrl)
+	return &testOrgEventstore{
+		OrgEventstore: OrgEventstore{
+			Eventstore:            mock,
+			verificationAlgorithm: verificationAlgorithm,
+			verificationGenerator: verificationGenerator,
+		},
+		mockEventstore: mock}
 }

 func (es *testOrgEventstore) expectFilterEvents(events []*es_models.Event, err error) *testOrgEventstore {
@ -51,11 +63,49 @@ func (es *testOrgEventstore) expectAggregateCreator() *testOrgEventstore {
 	return es
 }

-func mockEventstore(t *testing.T) *es_mock.MockEventstore {
-	ctrl := gomock.NewController(t)
-	e := es_mock.NewMockEventstore(ctrl)
+func (es *testOrgEventstore) expectGenerateVerification(r rune) *testOrgEventstore {
+	generator, _ := es.verificationGenerator.(*crypto.MockGenerator)
+	generator.EXPECT().Length().Return(uint(2))
+	generator.EXPECT().Runes().Return([]rune("aa"))
+	generator.EXPECT().Alg().Return(es.verificationAlgorithm)
+	return es
+}

-	return e
+func (es *testOrgEventstore) expectEncrypt() *testOrgEventstore {
+	algorithm, _ := es.verificationAlgorithm.(*crypto.MockEncryptionAlgorithm)
+	algorithm.EXPECT().Encrypt(gomock.Any()).DoAndReturn(
+		func(value []byte) (*crypto.CryptoValue, error) {
+			return &crypto.CryptoValue{
+				CryptoType: crypto.TypeEncryption,
+				Algorithm:  "enc",
+				KeyID:      "id",
+				Crypted:    value,
+			}, nil
+		})
+	algorithm.EXPECT().Algorithm().Return("enc")
+	algorithm.EXPECT().EncryptionKeyID().Return("id")
+	return es
+}
+
+func (es *testOrgEventstore) expectDecrypt() *testOrgEventstore {
+	algorithm, _ := es.verificationAlgorithm.(*crypto.MockEncryptionAlgorithm)
+	algorithm.EXPECT().Algorithm().AnyTimes().Return("enc")
+	algorithm.EXPECT().DecryptionKeyIDs().Return([]string{"id"})
+	algorithm.EXPECT().DecryptString(gomock.Any(), gomock.Any()).DoAndReturn(
+		func(value []byte, id string) (string, error) {
+			return string(value), nil
+		})
+	return es
+}
+
+func (es *testOrgEventstore) expectVerification(success bool) *testOrgEventstore {
+	es.verificationValidator = func(_, _, _ string, _ http_util.CheckType) error {
+		if success {
+			return nil
+		}
+		return errors.ThrowInvalidArgument(nil, "id", "invalid token")
+	}
+	return es
 }

 func TestOrgEventstore_OrgByID(t *testing.T) {
@ -351,6 +401,446 @@ func TestOrgEventstore_ReactivateOrg(t *testing.T) {
 	}
 }

+func TestOrgEventstore_GenerateOrgDomainValidation(t *testing.T) {
+	type fields struct {
+		Eventstore *testOrgEventstore
+	}
+	type res struct {
+		token string
+		url   string
+		isErr func(error) bool
+	}
+	type args struct {
+		ctx    context.Context
+		domain *org_model.OrgDomain
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			name:   "no domain",
+			fields: fields{Eventstore: newTestEventstore(t)},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: nil,
+			},
+			res: res{
+				token: "",
+				url:   "",
+				isErr: errors.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "validation type invalid error",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent()}, nil).
+				expectGenerateVerification(65).
+				expectEncrypt(),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org"},
+			},
+			res: res{
+				token: "",
+				url:   "",
+				isErr: errors.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "org doesn't exist error",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{}, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				token: "",
+				url:   "",
+				isErr: errors.IsNotFound,
+			},
+		},
+		{
+			name: "domain doesn't exist error",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent()}, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				token: "",
+				url:   "",
+				isErr: errors.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "domain already verified error",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent(), orgDomainAddedEvent(), orgDomainVerifiedEvent()}, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				token: "",
+				url:   "",
+				isErr: errors.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "push failed",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent(), orgDomainAddedEvent()}, nil).
+				expectGenerateVerification(65).
+				expectEncrypt().
+				expectAggregateCreator().
+				expectPushEvents(0, errors.ThrowInternal(nil, "EVENT-S8WzW", "test")),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				token: "",
+				url:   "",
+				isErr: errors.IsInternal,
+			},
+		},
+		{
+			name: "push correct http",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent(), orgDomainAddedEvent()}, nil).
+				expectGenerateVerification(65).
+				expectEncrypt().
+				expectAggregateCreator().
+				expectPushEvents(6, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				token: "aa",
+				url:   "https://hodor.org/.well-known/zitadel-challenge/aa",
+				isErr: nil,
+			},
+		},
+		{
+			name: "push correct dns",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent(), orgDomainAddedEvent()}, nil).
+				expectGenerateVerification(65).
+				expectEncrypt().
+				expectAggregateCreator().
+				expectPushEvents(6, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeDNS},
+			},
+			res: res{
+				token: "aa",
+				url:   "_zitadel-challenge.hodor.org",
+				isErr: nil,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			token, url, err := tt.fields.Eventstore.GenerateOrgDomainValidation(tt.args.ctx, tt.args.domain)
+			if tt.res.isErr == nil && err != nil {
+				t.Errorf("no error expected got:%T %v", err, err)
+			}
+			if tt.res.isErr != nil && !tt.res.isErr(err) {
+				t.Errorf("wrong error got %T: %v", err, err)
+			}
+			assert.Equal(t, tt.res.token, token)
+			assert.Equal(t, tt.res.url, url)
+		})
+	}
+}
+
+func TestOrgEventstore_ValidateOrgDomain(t *testing.T) {
+	type fields struct {
+		Eventstore *testOrgEventstore
+	}
+	type res struct {
+		isErr func(error) bool
+	}
+	type args struct {
+		ctx    context.Context
+		domain *org_model.OrgDomain
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			name:   "no domain",
+			fields: fields{Eventstore: newTestEventstore(t)},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: nil,
+			},
+			res: res{
+				isErr: errors.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "org doesn't exist error",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{}, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				isErr: errors.IsNotFound,
+			},
+		},
+		{
+			name: "domain doesn't exist error",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent()}, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				isErr: errors.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "domain already verified error",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent(), orgDomainAddedEvent(), orgDomainVerifiedEvent()}, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				isErr: errors.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "domain validation not created error",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent(), orgDomainAddedEvent()}, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				isErr: errors.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "verification fails",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent(), orgDomainAddedEvent(), orgDomainVerificationAddedEvent("token")}, nil).
+				expectDecrypt().
+				expectVerification(false).
+				expectAggregateCreator().
+				expectPushEvents(0, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				isErr: errors.IsErrorInvalidArgument,
+			},
+		},
+		{
+			name: "verification and push fails",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent(), orgDomainAddedEvent(), orgDomainVerificationAddedEvent("token")}, nil).
+				expectDecrypt().
+				expectVerification(false).
+				expectAggregateCreator().
+				expectPushEvents(0, errors.ThrowInternal(nil, "EVENT-S8WzW", "test")),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				isErr: errors.IsInternal,
+			},
+		},
+		{
+			name: "push failed",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent(), orgDomainAddedEvent(), orgDomainVerificationAddedEvent("token")}, nil).
+				expectDecrypt().
+				expectVerification(true).
+				expectAggregateCreator().
+				expectPushEvents(0, errors.ThrowInternal(nil, "EVENT-S8WzW", "test")),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				isErr: errors.IsInternal,
+			},
+		},
+		{
+			name: "push correct",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent(), orgDomainAddedEvent(), orgDomainVerificationAddedEvent("token")}, nil).
+				expectDecrypt().
+				expectVerification(true).
+				expectAggregateCreator().
+				expectPushEvents(6, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				isErr: nil,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.fields.Eventstore.ValidateOrgDomain(tt.args.ctx, tt.args.domain)
+			if tt.res.isErr == nil && err != nil {
+				t.Errorf("no error expected got:%T %v", err, err)
+			}
+			if tt.res.isErr != nil && !tt.res.isErr(err) {
+				t.Errorf("wrong error got %T: %v", err, err)
+			}
+		})
+	}
+}
+
+func TestOrgEventstore_SetPrimaryOrgDomain(t *testing.T) {
+	type fields struct {
+		Eventstore *testOrgEventstore
+	}
+	type res struct {
+		isErr func(error) bool
+	}
+	type args struct {
+		ctx    context.Context
+		domain *org_model.OrgDomain
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			name:   "no domain",
+			fields: fields{Eventstore: newTestEventstore(t)},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: nil,
+			},
+			res: res{
+				isErr: errors.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "org doesn't exist error",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{}, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				isErr: errors.IsNotFound,
+			},
+		},
+		{
+			name: "domain doesn't exist error",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent()}, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				isErr: errors.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "domain not verified error",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent(), orgDomainAddedEvent()}, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				isErr: errors.IsPreconditionFailed,
+			},
+		},
+		{
+			name: "push failed",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent(), orgDomainAddedEvent(), orgDomainVerifiedEvent()}, nil).
+				expectAggregateCreator().
+				expectPushEvents(0, errors.ThrowInternal(nil, "EVENT-S8WzW", "test")),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				isErr: errors.IsInternal,
+			},
+		},
+		{
+			name: "push correct",
+			fields: fields{Eventstore: newTestEventstore(t).
+				expectFilterEvents([]*es_models.Event{orgCreatedEvent(), orgDomainAddedEvent(), orgDomainVerifiedEvent()}, nil).
+				expectAggregateCreator().
+				expectPushEvents(6, nil),
+			},
+			args: args{
+				ctx:    authz.NewMockContext("org", "user"),
+				domain: &org_model.OrgDomain{ObjectRoot: es_models.ObjectRoot{AggregateID: "hodor-org"}, Domain: "hodor.org", ValidationType: org_model.OrgDomainValidationTypeHTTP},
+			},
+			res: res{
+				isErr: nil,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.fields.Eventstore.SetPrimaryOrgDomain(tt.args.ctx, tt.args.domain)
+			if tt.res.isErr == nil && err != nil {
+				t.Errorf("no error expected got:%T %v", err, err)
+			}
+			if tt.res.isErr != nil && !tt.res.isErr(err) {
+				t.Errorf("wrong error got %T: %v", err, err)
+			}
+		})
+	}
+}
+
 func TestOrgEventstore_OrgMemberByIDs(t *testing.T) {
 	type fields struct {
 		Eventstore *testOrgEventstore
@ -1003,7 +1493,7 @@ func orgCreatedEvent() *es_models.Event {
 		AggregateType:    model.OrgAggregate,
 		AggregateVersion: "v1",
 		CreationDate:     time.Now().Add(-1 * time.Minute),
-		Data:             []byte(`{"name": "hodor-org", "domain":"hodor.org"}`),
+		Data:             []byte(`{"name": "hodor-org"}`),
 		EditorService:    "testsvc",
 		EditorUser:       "testuser",
 		ID:               "sdlfö4t23kj",
@ -1013,6 +1503,64 @@ func orgCreatedEvent() *es_models.Event {
 	}
 }

+func orgDomainAddedEvent() *es_models.Event {
+	return &es_models.Event{
+		AggregateID:      "hodor-org",
+		AggregateType:    model.OrgAggregate,
+		AggregateVersion: "v1",
+		CreationDate:     time.Now().Add(-1 * time.Minute),
+		Data:             []byte(`{"domain":"hodor.org"}`),
+		EditorService:    "testsvc",
+		EditorUser:       "testuser",
+		ID:               "sdlfö4t23kj",
+		ResourceOwner:    "hodor-org",
+		Sequence:         33,
+		Type:             model.OrgDomainAdded,
+	}
+}
+
+func orgDomainVerificationAddedEvent(token string) *es_models.Event {
+	data, _ := json.Marshal(&org_model.OrgDomain{
+		Domain:         "hodor.org",
+		ValidationType: org_model.OrgDomainValidationTypeDNS,
+		ValidationCode: &crypto.CryptoValue{
+			CryptoType: crypto.TypeEncryption,
+			Algorithm:  "enc",
+			KeyID:      "id",
+			Crypted:    []byte(token),
+		},
+	})
+	return &es_models.Event{
+		AggregateID:      "hodor-org",
+		AggregateType:    model.OrgAggregate,
+		AggregateVersion: "v1",
+		CreationDate:     time.Now().Add(-1 * time.Minute),
+		Data:             data,
+		EditorService:    "testsvc",
+		EditorUser:       "testuser",
+		ID:               "sdlfö4t23kj",
+		ResourceOwner:    "hodor-org",
+		Sequence:         34,
+		Type:             model.OrgDomainVerificationAdded,
+	}
+}
+
+func orgDomainVerifiedEvent() *es_models.Event {
+	return &es_models.Event{
+		AggregateID:      "hodor-org",
+		AggregateType:    model.OrgAggregate,
+		AggregateVersion: "v1",
+		CreationDate:     time.Now().Add(-1 * time.Minute),
+		Data:             []byte(`{"domain":"hodor.org"}`),
+		EditorService:    "testsvc",
+		EditorUser:       "testuser",
+		ID:               "sdlfö4t23kj",
+		ResourceOwner:    "hodor-org",
+		Sequence:         35,
+		Type:             model.OrgDomainVerified,
+	}
+}
+
 func orgInactiveEvent() *es_models.Event {
 	return &es_models.Event{
 		AggregateID:      "hodor-org",
--- a/internal/org/repository/eventsourcing/model/domain.go
+++ b/internal/org/repository/eventsourcing/model/domain.go
@ -2,6 +2,8 @@ package model

 import (
 	"encoding/json"
+
+	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/errors"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
 	"github.com/caos/zitadel/internal/org/model"
@ -13,6 +15,8 @@ type OrgDomain struct {
 	Domain         string              `json:"domain"`
 	Verified       bool                `json:"-"`
 	Primary        bool                `json:"-"`
+	ValidationType int32               `json:"validationType"`
+	ValidationCode *crypto.CryptoValue `json:"validationCode"`
 }

 func GetDomain(domains []*OrgDomain, domain string) (int, *OrgDomain) {
@ -77,6 +81,21 @@ func (o *Org) appendPrimaryDomainEvent(event *es_models.Event) error {
 	return nil
 }

+func (o *Org) appendVerificationDomainEvent(event *es_models.Event) error {
+	domain := new(OrgDomain)
+	err := domain.SetData(event)
+	if err != nil {
+		return err
+	}
+	for _, d := range o.Domains {
+		if d.Domain == domain.Domain {
+			d.ValidationType = domain.ValidationType
+			d.ValidationCode = domain.ValidationCode
+		}
+	}
+	return nil
+}
+
 func (m *OrgDomain) SetData(event *es_models.Event) error {
 	err := json.Unmarshal(event.Data, m)
 	if err != nil {
@ -99,6 +118,8 @@ func OrgDomainFromModel(domain *model.OrgDomain) *OrgDomain {
 		Domain:         domain.Domain,
 		Verified:       domain.Verified,
 		Primary:        domain.Primary,
+		ValidationType: int32(domain.ValidationType),
+		ValidationCode: domain.ValidationCode,
 	}
 }

@ -114,7 +135,9 @@ func OrgDomainToModel(domain *OrgDomain) *model.OrgDomain {
 	return &model.OrgDomain{
 		ObjectRoot:     domain.ObjectRoot,
 		Domain:         domain.Domain,
-		Verified:   domain.Verified,
 		Primary:        domain.Primary,
+		Verified:       domain.Verified,
+		ValidationType: model.OrgDomainValidationType(domain.ValidationType),
+		ValidationCode: domain.ValidationCode,
 	}
 }
--- a/internal/org/repository/eventsourcing/model/org.go
+++ b/internal/org/repository/eventsourcing/model/org.go
@ -2,6 +2,7 @@ package model

 import (
 	"encoding/json"
+
 	"github.com/caos/zitadel/internal/errors"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
 	org_model "github.com/caos/zitadel/internal/org/model"
@ -112,6 +113,8 @@ func (o *Org) AppendEvent(event *es_models.Event) error {
 		o.removeMember(member.UserID)
 	case OrgDomainAdded:
 		o.appendAddDomainEvent(event)
+	case OrgDomainVerificationAdded:
+		o.appendVerificationDomainEvent(event)
 	case OrgDomainVerified:
 		o.appendVerifyDomainEvent(event)
 	case OrgDomainPrimarySet:
--- a/internal/org/repository/eventsourcing/model/types.go
+++ b/internal/org/repository/eventsourcing/model/types.go
@ -13,6 +13,8 @@ const (
 	OrgReactivated              models.EventType = "org.reactivated"
 	OrgRemoved                  models.EventType = "org.removed"
 	OrgDomainAdded              models.EventType = "org.domain.added"
+	OrgDomainVerificationAdded  models.EventType = "org.domain.verification.added"
+	OrgDomainVerificationFailed models.EventType = "org.domain.verification.failed"
 	OrgDomainVerified           models.EventType = "org.domain.verified"
 	OrgDomainRemoved            models.EventType = "org.domain.removed"
 	OrgDomainPrimarySet         models.EventType = "org.domain.primary.set"
--- a/internal/org/repository/eventsourcing/org.go
+++ b/internal/org/repository/eventsourcing/org.go
@ -247,8 +247,33 @@ func OrgDomainAddedAggregate(aggCreator *es_models.AggregateCreator, existing *m
 	}
 }

-func OrgDomainVerifiedAggregate(aggCreator *es_models.AggregateCreator, existing *model.Org, domain *model.OrgDomain) func(ctx context.Context) ([]*es_models.Aggregate, error) {
-	return func(ctx context.Context) ([]*es_models.Aggregate, error) {
+func OrgDomainValidationGeneratedAggregate(aggCreator *es_models.AggregateCreator, existing *model.Org, domain *model.OrgDomain) func(ctx context.Context) (*es_models.Aggregate, error) {
+	return func(ctx context.Context) (*es_models.Aggregate, error) {
+		if domain == nil {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-GD2gq", "Errors.Internal")
+		}
+		agg, err := OrgAggregate(ctx, aggCreator, existing.AggregateID, existing.Sequence)
+		if err != nil {
+			return nil, err
+		}
+		return agg.AppendEvent(model.OrgDomainVerificationAdded, domain)
+	}
+}
+
+func OrgDomainValidationFailedAggregate(aggCreator *es_models.AggregateCreator, existing *model.Org, domain *model.OrgDomain) func(ctx context.Context) (*es_models.Aggregate, error) {
+	return func(ctx context.Context) (*es_models.Aggregate, error) {
+		if domain == nil {
+			return nil, errors.ThrowPreconditionFailed(nil, "EVENT-BHF52", "Errors.Internal")
+		}
+		agg, err := OrgAggregate(ctx, aggCreator, existing.AggregateID, existing.Sequence)
+		if err != nil {
+			return nil, err
+		}
+		return agg.AppendEvent(model.OrgDomainVerificationFailed, domain)
+	}
+}
+
+func OrgDomainVerifiedAggregate(ctx context.Context, aggCreator *es_models.AggregateCreator, existing *model.Org, domain *model.OrgDomain) ([]*es_models.Aggregate, error) {
 	if domain == nil {
 		return nil, errors.ThrowPreconditionFailed(nil, "EVENT-DHs7s", "Errors.Internal")
 	}
@ -268,7 +293,6 @@ func OrgDomainVerifiedAggregate(aggCreator *es_models.AggregateCreator, existing
 	aggregates = append(aggregates, domainAgregate)
 	return append(aggregates, agg), nil
 }
-}

 func OrgDomainSetPrimaryAggregate(aggCreator *es_models.AggregateCreator, existing *model.Org, domain *model.OrgDomain) func(ctx context.Context) (*es_models.Aggregate, error) {
 	return func(ctx context.Context) (*es_models.Aggregate, error) {
--- a/internal/org/repository/eventsourcing/org_test.go
+++ b/internal/org/repository/eventsourcing/org_test.go
@ -676,8 +676,7 @@ func TestOrgDomainVerifiedAggregates(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			agg := OrgDomainVerifiedAggregate(tt.args.aggCreator, tt.args.org, tt.args.domain)
-			got, err := agg(tt.args.ctx)
+			got, err := OrgDomainVerifiedAggregate(tt.args.ctx, tt.args.aggCreator, tt.args.org, tt.args.domain)
 			if tt.res.isErr == nil && err != nil {
 				t.Errorf("no error expected got %T: %v", err, err)
 			}
--- a/internal/static/i18n/de.yaml
+++ b/internal/static/i18n/de.yaml
@ -55,6 +55,11 @@ Errors:
    InvalidDomain: Domäne ist ungültig
    DomainMissing: Domäne fehlt
    DomainNotOnOrg: Domäne fehlt auf Organisation
+    DomainNotVerified: Domäne ist nicht verifiziert
+    DomainAlreadyVerified: Domain ist bereits verifiziert
+    DomainVerificationTypeInvalid: Verifikationstyp der Domäne ist ungültig
+    DomainVerificationMissing: Verifikation der Domäne noch nicht erstellt
+    DomainVerificationFailed: Verifikation der Domäne ist fehlgeschlagen
    PrimaryDomainNotDeletable: Primäre Domäne kann nicht gelöscht werden
    DomainNotFound: Domäne konnte nicht gefunden werden
    MemberIDMissing: Member ID fehlt
--- a/internal/static/i18n/en.yaml
+++ b/internal/static/i18n/en.yaml
@ -55,6 +55,11 @@ Errors:
    InvalidDomain: Invalid domain
    DomainMissing: Domain missing
    DomainNotOnOrg: Domain doesn't exist on organisation
+    DomainNotVerified: Domain is not verified
+    DomainAlreadyVerified: Domain is already verified
+    DomainVerificationTypeInvalid: Domain verification type is invalid
+    DomainVerificationMissing: Domain verification not yet startet
+    DomainVerificationFailed: Domain verification failed
    PrimaryDomainNotDeletable: Primary domain must not be deleted
    DomainNotFound: Domain not found
    MemberIDMissing: Member ID missing
--- a/internal/user/repository/view/model/notify_user.go
+++ b/internal/user/repository/view/model/notify_user.go
@ -14,7 +14,7 @@ import (

 const (
 	NotifyUserKeyUserID        = "id"
-	NotifyUserKeyResourceOwner = "id"
+	NotifyUserKeyResourceOwner = "resource_owner"
 )

 type NotifyUser struct {
--- a/pkg/grpc/management/management.pb.authoptions.go
+++ b/pkg/grpc/management/management.pb.authoptions.go
@ -264,6 +264,21 @@ var ManagementService_AuthMethods = authz.MethodMapping{
 		CheckParam: "",
 	},

+	"/caos.zitadel.management.api.v1.ManagementService/GenerateMyOrgDomainValidation": authz.Option{
+		Permission: "org.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/ValidateMyOrgDomain": authz.Option{
+		Permission: "org.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/SetMyPrimaryOrgDomain": authz.Option{
+		Permission: "org.write",
+		CheckParam: "",
+	},
+
 	"/caos.zitadel.management.api.v1.ManagementService/RemoveMyOrgDomain": authz.Option{
 		Permission: "org.write",
 		CheckParam: "",
--- a/pkg/grpc/management/management.pb.go
+++ b/pkg/grpc/management/management.pb.go
--- a/pkg/grpc/management/management.pb.gw.go
+++ b/pkg/grpc/management/management.pb.gw.go
--- a/pkg/grpc/management/mock/management.proto.mock.go
+++ b/pkg/grpc/management/mock/management.proto.mock.go
@ -797,6 +797,26 @@ func (mr *MockManagementServiceClientMockRecorder) DeleteUser(arg0, arg1 interfa
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteUser", reflect.TypeOf((*MockManagementServiceClient)(nil).DeleteUser), varargs...)
 }

+// GenerateMyOrgDomainValidation mocks base method
+func (m *MockManagementServiceClient) GenerateMyOrgDomainValidation(arg0 context.Context, arg1 *management.OrgDomainValidationRequest, arg2 ...grpc.CallOption) (*management.OrgDomainValidationResponse, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "GenerateMyOrgDomainValidation", varargs...)
+	ret0, _ := ret[0].(*management.OrgDomainValidationResponse)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GenerateMyOrgDomainValidation indicates an expected call of GenerateMyOrgDomainValidation
+func (mr *MockManagementServiceClientMockRecorder) GenerateMyOrgDomainValidation(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GenerateMyOrgDomainValidation", reflect.TypeOf((*MockManagementServiceClient)(nil).GenerateMyOrgDomainValidation), varargs...)
+}
+
 // GetDefaultPasswordComplexityPolicy mocks base method
 func (m *MockManagementServiceClient) GetDefaultPasswordComplexityPolicy(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*management.PasswordComplexityPolicy, error) {
 	m.ctrl.T.Helper()
@ -2137,6 +2157,26 @@ func (mr *MockManagementServiceClientMockRecorder) SetInitialPassword(arg0, arg1
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetInitialPassword", reflect.TypeOf((*MockManagementServiceClient)(nil).SetInitialPassword), varargs...)
 }

+// SetMyPrimaryOrgDomain mocks base method
+func (m *MockManagementServiceClient) SetMyPrimaryOrgDomain(arg0 context.Context, arg1 *management.PrimaryOrgDomainRequest, arg2 ...grpc.CallOption) (*emptypb.Empty, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "SetMyPrimaryOrgDomain", varargs...)
+	ret0, _ := ret[0].(*emptypb.Empty)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// SetMyPrimaryOrgDomain indicates an expected call of SetMyPrimaryOrgDomain
+func (mr *MockManagementServiceClientMockRecorder) SetMyPrimaryOrgDomain(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetMyPrimaryOrgDomain", reflect.TypeOf((*MockManagementServiceClient)(nil).SetMyPrimaryOrgDomain), varargs...)
+}
+
 // UnlockUser mocks base method
 func (m *MockManagementServiceClient) UnlockUser(arg0 context.Context, arg1 *management.UserID, arg2 ...grpc.CallOption) (*management.User, error) {
 	m.ctrl.T.Helper()
@ -2456,3 +2496,23 @@ func (mr *MockManagementServiceClientMockRecorder) Validate(arg0, arg1 interface
 	varargs := append([]interface{}{arg0, arg1}, arg2...)
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Validate", reflect.TypeOf((*MockManagementServiceClient)(nil).Validate), varargs...)
 }
+
+// ValidateMyOrgDomain mocks base method
+func (m *MockManagementServiceClient) ValidateMyOrgDomain(arg0 context.Context, arg1 *management.ValidateOrgDomainRequest, arg2 ...grpc.CallOption) (*emptypb.Empty, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "ValidateMyOrgDomain", varargs...)
+	ret0, _ := ret[0].(*emptypb.Empty)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// ValidateMyOrgDomain indicates an expected call of ValidateMyOrgDomain
+func (mr *MockManagementServiceClientMockRecorder) ValidateMyOrgDomain(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ValidateMyOrgDomain", reflect.TypeOf((*MockManagementServiceClient)(nil).ValidateMyOrgDomain), varargs...)
+}
--- a/pkg/grpc/management/proto/management.proto
+++ b/pkg/grpc/management/proto/management.proto
@ -599,6 +599,38 @@ service ManagementService {
        };
    }

+    rpc GenerateMyOrgDomainValidation(OrgDomainValidationRequest) returns (OrgDomainValidationResponse) {
+        option (google.api.http) = {
+            post: "/orgs/me/domains/{domain}/validation/create"
+            body: "*"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "org.write"
+        };
+    }
+
+    rpc ValidateMyOrgDomain(ValidateOrgDomainRequest) returns (google.protobuf.Empty) {
+        option (google.api.http) = {
+            post: "/orgs/me/domains/{domain}/validation/check"
+            body: "*"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "org.write"
+        };
+    }
+
+    rpc SetMyPrimaryOrgDomain(PrimaryOrgDomainRequest) returns (google.protobuf.Empty) {
+        option (google.api.http) = {
+            post: "/orgs/me/domains/{domain}/_primary"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "org.write"
+        };
+    }
+
    rpc RemoveMyOrgDomain(RemoveOrgDomainRequest) returns (google.protobuf.Empty) {
        option (google.api.http) = {
            delete: "/orgs/me/domains/{domain}"
@ -1933,6 +1965,30 @@ message AddOrgDomainRequest {
    string domain = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
 }

+message OrgDomainValidationRequest {
+    string domain = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    OrgDomainValidationType type = 2 [(validate.rules).enum = {not_in: [0]}];
+}
+
+enum OrgDomainValidationType {
+    ORGDOMAINVALIDATIONTYPE_UNSPECIFIED = 0;
+    ORGDOMAINVALIDATIONTYPE_HTTP = 1;
+    ORGDOMAINVALIDATIONTYPE_DNS = 2;
+}
+
+message OrgDomainValidationResponse {
+    string token = 1;
+    string url = 2;
+}
+
+message ValidateOrgDomainRequest {
+    string domain = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message PrimaryOrgDomainRequest {
+    string domain = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
 message RemoveOrgDomainRequest {
    string domain = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
 }