diff --git a/console/src/assets/i18n/en.json b/console/src/assets/i18n/en.json
index 7e1b0c5cb7f..787a5b65645 100644
--- a/console/src/assets/i18n/en.json
+++ b/console/src/assets/i18n/en.json
@@ -2133,17 +2133,17 @@
 "CHANGEDATE": "Last Modified",
 "SELECTGROUPTOOLTIP": "Select all Roles of the group {{group}}.",
 "OPTIONS": "Options",
- "ASSERTION": "Assert Roles on Authentication",
- "ASSERTION_DESCRIPTION": "Role information is sent from Userinfo endpoint and depending on your application settings in tokens and other types.",
- "CHECK": "Check authorization on Authentication",
- "CHECK_DESCRIPTION": "If set, users are only allowed to authenticate if any role is assigned to their account.",
+ "ASSERTION": "Return user roles during authentication",
+ "ASSERTION_DESCRIPTION": "When a user authenticates, their role information is provided to your application. For OpenID Connect, the roles can be requested from the UserInfo endpoint or sent in the ID or Access Token, based on your application's configuration.",
+ "CHECK": "Only authorized users can authenticate",
+ "CHECK_DESCRIPTION": "Deny authentication if the user has no authorization assigned to this project. Authorizations to the project without assigned a specific role to the user are allowed.",
 "DIALOG": {
 "DELETE_TITLE": "Delete role",
 "DELETE_DESCRIPTION": "You are about to delete a project role. Are you sure?"
 }
 },
- "HAS_PROJECT": "Check for Project on Authentication",
- "HAS_PROJECT_DESCRIPTION": "It is checked whether the user's organization has this project. If not, the user cannot be authenticated.",
+ "HAS_PROJECT": "Authentication is restricted to users from organizations that have been granted access to this project",
+ "HAS_PROJECT_DESCRIPTION": "Before a user can be authenticated, it is verified that their affiliated organization has been granted access to this project. Authentication is not permitted for users from unauthorized organizations.",
 "TABLE": {
 "TOTAL": "Entries total:",
 "SELECTION": "Selected Elements",
@@ -2649,8 +2649,8 @@
 "ACCESSTOKENROLEASSERTION": "Add user roles to the access token",
 "ACCESSTOKENROLEASSERTION_DESCRIPTION": "If selected, the requested roles of the authenticated user are added to the access token.",
 "IDTOKENROLEASSERTION": "User roles inside ID Token",
- "IDTOKENROLEASSERTION_DESCRIPTION": "If selected, the requested roles of the authenticated user are added to the ID token.",
- "IDTOKENUSERINFOASSERTION": "User Info inside ID Token",
+ "IDTOKENROLEASSERTION_DESCRIPTION": "When this option is enabled, the authenticated user's assigned roles will be added directly to their ID token. Ensure to enable the Project setting 'Assign user roles during authentication' or request via custom scope.",
+ "IDTOKENUSERINFOASSERTION": "Include user's roles in the ID Token",
 "IDTOKENUSERINFOASSERTION_DESCRIPTION": "Enables clients to retrieve profile, email, phone and address claims from ID token.",
 "CLOCKSKEW": "Enables clients to handle clock skew of OP and client. The duration (0-5s) will be added to exp claim and subtracted from iats, auth_time and nbf.",
 "RECOMMENDED": "recommended",
diff --git a/proto/zitadel/management.proto b/proto/zitadel/management.proto
index 31ce827f872..60dbaf60ce0 100644
--- a/proto/zitadel/management.proto
+++ b/proto/zitadel/management.proto
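Review bot: The new `IDTOKENUSERINFOASSERTION` label "Include user's roles in the ID Token" contradicts its own unchanged description on the next line, which says the setting exposes profile, email, phone and address claims in the ID token, so the console now shows two toggles that both appear to control roles while one actually controls PII claims; an administrator toggling by label alone may enable or disable the wrong one. The label should keep naming user info, e.g. `"IDTOKENUSERINFOASSERTION": "Include user info in the ID Token"`. Separately, the new `IDTOKENROLEASSERTION_DESCRIPTION` refers to the project setting 'Assign user roles during authentication', but the earlier hunk in this file renames that setting to "Return user roles during authentication", so the cross-reference will not match what the user sees.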
@@ -9861,17 +9861,17 @@ message AddProjectRequest {
 ];
 bool project_role_assertion = 2 [
 (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
- description: "Enable this setting to have role information included in the user info endpoint. It is also dependent on your application settings to include it in tokens and other types.";
+ description: "Enable this setting to provide role information to your application. For OpenID Connect, the roles can be requested from the UserInfo endpoint or sent in the ID or Access Token, based on your application's configuration.";
 }
 ];
 bool project_role_check = 3 [
 (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
- description: "When enabled ZITADEL will check if a user has a role of this project assigned when login into an application of this project.";
+ description: "Deny authentication if the user has no authorization assigned to this project. Authorizations to the project without assigned a specific role to the user are allowed.";
 }
 ];
 bool has_project_check = 4 [
 (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
- description: "When enabled ZITADEL will check if the organization of the user, that is trying to log in, has a grant to this project.";
+ description: "Before a user can be authenticated, it is verified that their affiliated organization has been granted access to this project. Authentication is not permitted for users from unauthorized organizations.";
 }
 ];
 zitadel.project.v1.PrivateLabelingSetting private_labeling_setting = 5 [
diff --git a/proto/zitadel/project/v2beta/project_service.proto b/proto/zitadel/project/v2beta/project_service.proto
index 3fd1513d2d8..6d7088f5ff1 100644
--- a/proto/zitadel/project/v2beta/project_service.proto
+++ b/proto/zitadel/project/v2beta/project_service.proto
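Review bot: The new `has_project_check` description only says the user's organization must have been "granted access", whereas the comment it replaces in project_service.proto (same commit, `project_access_required`) explicitly covered both cases, "either owns the project or is granted"; if that earlier wording was accurate, the new text reads as though users of the project-owning organization are also denied, which is a material misstatement for an access-control setting. Suggest `description: "Before a user can be authenticated, it is verified that their organization either owns this project or has been granted access to it. Authentication is not permitted for users from other organizations.";` and the same correction for the `project_access_required` comment in project_service.proto and `HAS_PROJECT_DESCRIPTION` in en.json. The `project_role_check` description also has a grammar slip, "without assigned a specific role to the user", which is repeated in the other two files; `Authorizations to the project that do not assign a specific role to the user are still allowed.` reads correctly.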
@@ -697,11 +697,11 @@ message CreateProjectRequest {
 example: "\"MyProject\"";
 }
 ];
- // Enable this setting to have role information included in the user info endpoint. It is also dependent on your application settings to include it in tokens and other types.
+ // Enable this setting to provide role information to your application. For OpenID Connect, the roles can be requested from the UserInfo endpoint or sent in the ID or Access Token, based on your application's configuration.
 bool project_role_assertion = 4;
- // When enabled ZITADEL will check if a user has an authorization to use this project assigned when login into an application of this project.
+ //Deny authentication if the user has no authorization assigned to this project. Authorizations to the project without assigned a specific role to the user are allowed.
 bool authorization_required = 5;
- // When enabled ZITADEL will check if the organization of the user, that is trying to log in, has access to this project (either owns the project or is granted).
+ // Before a user can be authenticated, it is verified that their affiliated organization has been granted access to this project. Authentication is not permitted for users from unauthorized organizations.
 bool project_access_required = 6;
 // Define which private labeling/branding should trigger when getting to a login of this project.
 PrivateLabelingSetting private_labeling_setting = 7 [
@@ -1234,4 +1234,4 @@ message ListProjectGrantsRequest {
 message ListProjectGrantsResponse {
 zitadel.filter.v2beta.PaginationResponse pagination = 1;
 repeated ProjectGrant project_grants = 2;
-}
\ No newline at end of file
+}
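Review bot: The added comment above `authorization_required` is written as `//Deny authentication ...` with no space after the slashes, unlike every neighbouring comment in this hunk (`// Enable ...`, `// Before ...`, `// Define ...`); since these comments are the field documentation emitted into the generated API reference, the inconsistent form should be `// Deny authentication if the user has no authorization assigned to this project. ...`. The wording issues in that sentence and in the `project_access_required` comment are raised on the matching management.proto hunk, which carries the same text.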