diff --git a/cmd/defaults.yaml b/cmd/defaults.yaml
index c95170e2bd..2d1d171b92 100644
--- a/cmd/defaults.yaml
+++ b/cmd/defaults.yaml
@@ -595,7 +595,7 @@ DefaultInstance:
MaxAgeDays: 0 # ZITADEL_DEFAULTINSTANCE_PASSWORDAGEPOLICY_MAXAGEDAYS
DomainPolicy:
UserLoginMustBeDomain: false # ZITADEL_DEFAULTINSTANCE_DOMAINPOLICY_USERLOGINMUSTBEDOMAIN
- ValidateOrgDomains: true # ZITADEL_DEFAULTINSTANCE_DOMAINPOLICY_VALIDATEORGDOMAINS
+ ValidateOrgDomains: false # ZITADEL_DEFAULTINSTANCE_DOMAINPOLICY_VALIDATEORGDOMAINS
SMTPSenderAddressMatchesInstanceDomain: false # ZITADEL_DEFAULTINSTANCE_DOMAINPOLICY_SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN
LoginPolicy:
AllowUsernamePassword: true # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_ALLOWUSERNAMEPASSWORD
@@ -604,7 +604,7 @@ DefaultInstance:
ForceMFA: false # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_FORCEMFA
HidePasswordReset: false # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_HIDEPASSWORDRESET
IgnoreUnknownUsernames: false # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_IGNOREUNKNOWNUSERNAMES
- AllowDomainDiscovery: false # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_ALLOWDOMAINDISCOVERY
+ AllowDomainDiscovery: true # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_ALLOWDOMAINDISCOVERY
# 1 is allowed, 0 is not allowed
PasswordlessType: 1 # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_PASSWORDLESSTYPE
# DefaultRedirectURL is empty by default because we use the Console UI
diff --git a/console/src/assets/i18n/bg.json b/console/src/assets/i18n/bg.json
index 01a19176c3..9ac62d642a 100644
--- a/console/src/assets/i18n/bg.json
+++ b/console/src/assets/i18n/bg.json
@@ -789,7 +789,7 @@
},
"PAGES": {
"STATE": "Статус",
- "DOMAINLIST": "Домейни"
+ "DOMAINLIST": "Лични домейни"
},
"STATE": {
"0": "Неуточнено",
@@ -1344,7 +1344,7 @@
"MAXAGEDAYS": "Максимална възраст в дни",
"USERLOGINMUSTBEDOMAIN": "Добавяне на домейн на организация като суфикс към имената за вход",
"USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Ако активирате тази настройка, всички имена за вход ще имат суфикс с домейна на организацията. ",
- "VALIDATEORGDOMAINS": "Валидиране на организационни домейни",
+ "VALIDATEORGDOMAINS": "Верификация на домейна на организацията е необходима (DNS или HTTP предизвикателство)",
"SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "SMTP адресът на изпращача съвпада с домейна на екземпляра",
"ALLOWUSERNAMEPASSWORD": "Потребителско име Паролата е разрешена",
"ALLOWEXTERNALIDP": "Допуска се външен IDP",
diff --git a/console/src/assets/i18n/de.json b/console/src/assets/i18n/de.json
index f5071e29e3..c5642f507c 100644
--- a/console/src/assets/i18n/de.json
+++ b/console/src/assets/i18n/de.json
@@ -795,7 +795,7 @@
},
"PAGES": {
"STATE": "Status",
- "DOMAINLIST": "Domains"
+ "DOMAINLIST": "Custom Domains"
},
"STATE": {
"0": "Unspezifisch",
@@ -953,15 +953,15 @@
"DOMAINS": {
"NEW": "Domain hinzufügen",
"TITLE": "Domänen",
- "DESCRIPTION": "Konfiguriere die Domains, mit denen sich Deine Benutzer anmelden können.",
+ "DESCRIPTION": "Konfiguriere die Domains, die für Domain discovery und als Suffix für die Benutzer verwendet werden können.",
"SETPRIMARY": "Primäre Domain setzen",
"DELETE": {
"TITLE": "Domain löschen?",
- "DESCRIPTION": "Du bist im Begriff, eine Domain aus Deiner Organisation zu löschen. Deine Benutzer können diese nach dem Löschen nicht mehr für den Login nutzen."
+ "DESCRIPTION": "Du bist im Begriff, eine Domain aus deiner Organisation zu löschen."
},
"ADD": {
"TITLE": "Domain hinzufügen",
- "DESCRIPTION": "Du bist im Begriff, Deiner Organisation eine Domain hinzuzufügen. Deine Benutzer können diese nach der erfolgreichen Ausführung für den Login nutzen."
+ "DESCRIPTION": "Du bist im Begriff, Deiner Organisation eine Domain hinzuzufügen. Die Domain kann für Domain discovery genutzt werden und als Suffix für deine Benutzernamen."
}
},
"STATE": {
@@ -1350,7 +1350,7 @@
"MAXAGEDAYS": "Maximale Gültigkeit in Tagen",
"USERLOGINMUSTBEDOMAIN": "Organisationsdomain dem Loginname hinzufügen",
"USERLOGINMUSTBEDOMAIN_DESCRIPTION": "If you enable this setting, all loginnames will be suffixed with the organization domain. If this settings is disabled, you have to ensure that usernames are unique over all organizations.",
- "VALIDATEORGDOMAINS": "Org Domains validieren",
+ "VALIDATEORGDOMAINS": "Verifizierung des Organisations Domain erforderlich (DNS- oder HTTP-Herausforderung)",
"SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "SMTP Sender Adresse entspricht Instanzdomain",
"ALLOWUSERNAMEPASSWORD": "Benutzername Passwort erlaubt",
"ALLOWEXTERNALIDP": "Externer IDP erlaubt",
diff --git a/console/src/assets/i18n/en.json b/console/src/assets/i18n/en.json
index 4bfe90fb4d..acb82883fb 100644
--- a/console/src/assets/i18n/en.json
+++ b/console/src/assets/i18n/en.json
@@ -796,7 +796,7 @@
},
"PAGES": {
"STATE": "Status",
- "DOMAINLIST": "Domains"
+ "DOMAINLIST": "Custom Domains"
},
"STATE": {
"0": "Unspecified",
@@ -954,15 +954,15 @@
"DOMAINS": {
"NEW": "Add Domain",
"TITLE": "Domains",
- "DESCRIPTION": "Configure your domains. This domain can be used to log in with your users.",
+ "DESCRIPTION": "Configure your organization domains. This domain can be used for domain discovery and username suffixing.",
"SETPRIMARY": "Set as Primary",
"DELETE": {
"TITLE": "Delete Domain",
- "DESCRIPTION": "You are about to delete one of your domains. Note that your users can no longer use this domain for their login."
+ "DESCRIPTION": "You are about to delete one of your domains."
},
"ADD": {
"TITLE": "Add Domain",
- "DESCRIPTION": "You are about to add a domain for your organization. After successful process, you users will be able to use the domain for their login."
+ "DESCRIPTION": "You are about to add a domain for your organization. After successful process, the domain can be used for domain discovery and as suffix for your users."
}
},
"STATE": {
@@ -1351,7 +1351,7 @@
"MAXAGEDAYS": "Max Age in days",
"USERLOGINMUSTBEDOMAIN": "Add organization domain as suffix to loginnames",
"USERLOGINMUSTBEDOMAIN_DESCRIPTION": "If you enable this setting, all loginnames will be suffixed with the organization domain. If this settings is disabled, you have to ensure that usernames are unique over all organizations.",
- "VALIDATEORGDOMAINS": "Validate Org domains",
+ "VALIDATEORGDOMAINS": "Organization domain verification required (DNS or HTTP challenge)",
"SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "SMTP Sender Address matches Instance Domain",
"ALLOWUSERNAMEPASSWORD": "Username Password allowed",
"ALLOWEXTERNALIDP": "External IDP allowed",
diff --git a/console/src/assets/i18n/es.json b/console/src/assets/i18n/es.json
index 9095642e0f..c7c378cba2 100644
--- a/console/src/assets/i18n/es.json
+++ b/console/src/assets/i18n/es.json
@@ -796,7 +796,7 @@
},
"PAGES": {
"STATE": "Estado",
- "DOMAINLIST": "Dominios"
+ "DOMAINLIST": "Dominios personalizados"
},
"STATE": {
"0": "No especificado",
@@ -1351,7 +1351,7 @@
"MAXAGEDAYS": "Antigüedad máxima en días",
"USERLOGINMUSTBEDOMAIN": "Añadir el dominio de la organización como sufijo de los nombres de inicio de sesión",
"USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Si activas esta opción, todos los nombres de inicio de sesión tendrán como sufijo el dominio de esta organización. Si esta opción está desactivada, tendrás que asegurarte de que los nombres de usuario son únicos para todas las organizaciones.",
- "VALIDATEORGDOMAINS": "Validar los dominios de la organización",
+ "VALIDATEORGDOMAINS": "Verificación de dominio de la organización requerida (desafío DNS o HTTP)",
"SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "La dirección del remitente SMTP coincide con el dominio de la instancia",
"ALLOWUSERNAMEPASSWORD": "Nombre de usuario y contraseña permitido",
"ALLOWEXTERNALIDP": "Permitido IDP externo",
diff --git a/console/src/assets/i18n/fr.json b/console/src/assets/i18n/fr.json
index 6afdd14707..558ac6d0ed 100644
--- a/console/src/assets/i18n/fr.json
+++ b/console/src/assets/i18n/fr.json
@@ -795,7 +795,7 @@
},
"PAGES": {
"STATE": "Statut",
- "DOMAINLIST": "Domaines"
+ "DOMAINLIST": "Domaines personnalisés"
},
"STATE": {
"0": "Inconnu",
@@ -1350,7 +1350,7 @@
"MAXAGEDAYS": "Âge maximum en jours",
"USERLOGINMUSTBEDOMAIN": "Le nom de connexion de l'utilisateur doit contenir le nom de domaine de l'organisation",
"USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Si vous activez ce paramètre, tous les noms de connexion seront suffixés avec le domaine de l'organisation. Si ce paramètre est désactivé, vous devez vous assurer que les noms d'utilisateur sont uniques pour toutes les organisations.",
- "VALIDATEORGDOMAINS": "Valider les domaines d'Org",
+ "VALIDATEORGDOMAINS": "Vérification du domaine de l'organisation requise (challenge DNS ou HTTP)",
"SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "L'adresse de l'expéditeur SMTP correspond au domaine de l'instance",
"ALLOWUSERNAMEPASSWORD": "Nom d'utilisateur Mot de passe autorisé",
"ALLOWEXTERNALIDP": "IDP externe autorisé",
diff --git a/console/src/assets/i18n/it.json b/console/src/assets/i18n/it.json
index 0840f6ab25..eaa3c4b4b9 100644
--- a/console/src/assets/i18n/it.json
+++ b/console/src/assets/i18n/it.json
@@ -794,7 +794,7 @@
},
"PAGES": {
"STATE": "Stato",
- "DOMAINLIST": "Domini"
+ "DOMAINLIST": "Domini personalizzati"
},
"STATE": {
"0": "Non specifico",
@@ -1350,7 +1350,7 @@
"MAXAGEDAYS": "Lunghezza massima in giorni",
"USERLOGINMUSTBEDOMAIN": "Nome utente deve contenere il dominio dell' organizzazione",
"USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Se abiliti questa impostazione, a tutti i nomi di accesso verrà aggiunto il suffisso del dominio dell'organizzazione. Se questa impostazione è disabilitata, devi assicurarti che i nomi utente siano univoci per tutte le organizzazioni.",
- "VALIDATEORGDOMAINS": "Verifica domini dell' organizzazione",
+ "VALIDATEORGDOMAINS": "Verifica del dominio dell'organizzazione richiesta (challenge DNS o HTTP)",
"SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "L'indirizzo mittente SMTP corrisponde al dominio dell'istanza",
"ALLOWUSERNAMEPASSWORD": "Autenticazione classica con password consentita",
"ALLOWEXTERNALIDP": "IDP esterno consentito",
diff --git a/console/src/assets/i18n/ja.json b/console/src/assets/i18n/ja.json
index 623f802469..68b75c2b9b 100644
--- a/console/src/assets/i18n/ja.json
+++ b/console/src/assets/i18n/ja.json
@@ -796,7 +796,7 @@
},
"PAGES": {
"STATE": "ステータス",
- "DOMAINLIST": "ドメイン"
+ "DOMAINLIST": "カスタムドメイン"
},
"STATE": {
"0": "未定義",
@@ -1346,7 +1346,7 @@
"MAXAGEDAYS": "最大有効期限",
"USERLOGINMUSTBEDOMAIN": "ログイン名の接尾辞として組織ドメインを追加する",
"USERLOGINMUSTBEDOMAIN_DESCRIPTION": "この設定を有効にすると、すべてのログイン名が組織ドメインで接尾辞が付けられます。この設定が無効になっている場合、ユーザー名がすべての組織で一意であることを確認する必要があります。",
- "VALIDATEORGDOMAINS": "組織ドメインを認証する",
+ "VALIDATEORGDOMAINS": "組織のドメイン検証が必要です (DNSまたはHTTPチャレンジ)",
"SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "SMTP送信者アドレスはインスタンスドメインに一致しています",
"ALLOWUSERNAMEPASSWORD": "ユーザー名とパスワードを許可",
"ALLOWEXTERNALIDP": "外部IDPを許可",
diff --git a/console/src/assets/i18n/mk.json b/console/src/assets/i18n/mk.json
index 65af79503c..4acda6725d 100644
--- a/console/src/assets/i18n/mk.json
+++ b/console/src/assets/i18n/mk.json
@@ -796,7 +796,7 @@
},
"PAGES": {
"STATE": "Статус",
- "DOMAINLIST": "Домени"
+ "DOMAINLIST": "Прилагодени домени"
},
"STATE": {
"0": "Ненаведено",
@@ -1352,7 +1352,7 @@
"MAXAGEDAYS": "Максимална возраст во денови",
"USERLOGINMUSTBEDOMAIN": "Додади организациски домен како суфикс на корисничките имиња",
"USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Ако го овозможите ова подесување, сите кориснички имиња ќе имаат суфикс на организацискиот домен. Доколку ова подесување е оневозможено, морате да се осигурате дека корисничките имиња се уникатни низ сите организации.",
- "VALIDATEORGDOMAINS": "Валидирај организациски домени",
+ "VALIDATEORGDOMAINS": "Потврда на доменот на организацијата е неопходна (DNS или HTTP предизвик)",
"SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "SMTP адресата на испраќачот се поклопува со доменот на инстанцата",
"ALLOWUSERNAMEPASSWORD": "Дозволено корисничко име и лозинка",
"ALLOWEXTERNALIDP": "Дозволен надворешен IDP",
diff --git a/console/src/assets/i18n/pl.json b/console/src/assets/i18n/pl.json
index f594d9993a..a1e064b693 100644
--- a/console/src/assets/i18n/pl.json
+++ b/console/src/assets/i18n/pl.json
@@ -795,7 +795,7 @@
},
"PAGES": {
"STATE": "Status",
- "DOMAINLIST": "Domeny"
+ "DOMAINLIST": "Własne domeny"
},
"STATE": {
"0": "Nieokreślony",
@@ -1350,7 +1350,7 @@
"MAXAGEDAYS": "Maksymalny wiek w dniach",
"USERLOGINMUSTBEDOMAIN": "Dodaj domenę organizacji jako przyrostek do nazw logowania",
"USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Jeśli włączysz to ustawienie, wszystkie nazwy logowania będą miały przyrostek z domeną organizacji. Jeśli to ustawienie jest wyłączone, musisz zapewnić unikalność nazw użytkowników we wszystkich organizacjach.",
- "VALIDATEORGDOMAINS": "Sprawdzanie ważności domen organizacji",
+ "VALIDATEORGDOMAINS": "Weryfikacja domeny organizacji jest wymagana (wyzwanie DNS lub HTTP)",
"SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "Adres nadawcy SMTP pasuje do domeny instancji",
"ALLOWUSERNAMEPASSWORD": "Zezwól na użycie nazwy użytkownika i hasła",
"ALLOWEXTERNALIDP": "Zezwól na zewnętrznego dostawcę tożsamości",
diff --git a/console/src/assets/i18n/pt.json b/console/src/assets/i18n/pt.json
index 29e9e34f61..6a3b89c221 100644
--- a/console/src/assets/i18n/pt.json
+++ b/console/src/assets/i18n/pt.json
@@ -796,7 +796,7 @@
},
"PAGES": {
"STATE": "Status",
- "DOMAINLIST": "Domínios"
+ "DOMAINLIST": "Domínios personalizados"
},
"STATE": {
"0": "Não especificado",
@@ -1352,7 +1352,7 @@
"MAXAGEDAYS": "Idade máxima em dias",
"USERLOGINMUSTBEDOMAIN": "Adicionar domínio da organização como sufixo aos nomes de login",
"USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Se você habilitar essa configuração, todos os nomes de login serão sufixados com o domínio da organização. Se essa configuração estiver desabilitada, você deve garantir que os nomes de usuário sejam exclusivos em todas as organizações.",
- "VALIDATEORGDOMAINS": "Validar domínios da organização",
+ "VALIDATEORGDOMAINS": "Verificação de domínio da organização necessária (desafio DNS ou HTTP)",
"SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "O endereço do remetente do SMTP corresponde ao domínio da Instância",
"ALLOWUSERNAMEPASSWORD": "Permitir usuário e senha",
"ALLOWEXTERNALIDP": "Permitir provedor de ID externo",
diff --git a/console/src/assets/i18n/zh.json b/console/src/assets/i18n/zh.json
index 23cacbc444..b311e9aa11 100644
--- a/console/src/assets/i18n/zh.json
+++ b/console/src/assets/i18n/zh.json
@@ -795,7 +795,7 @@
},
"PAGES": {
"STATE": "状态",
- "DOMAINLIST": "域名"
+ "DOMAINLIST": "自定义域名"
},
"STATE": {
"0": "未指定",
@@ -1349,7 +1349,7 @@
"MAXAGEDAYS": "Max Age in days",
"USERLOGINMUSTBEDOMAIN": "用户名必须包含组织域名",
"USERLOGINMUSTBEDOMAIN_DESCRIPTION": "如果启用此设置,所有登录名都将以组织域为后缀。如果禁用此设置,您必须确保用户名在所有组织中都是唯一的。",
- "VALIDATEORGDOMAINS": "验证组织域名",
+ "VALIDATEORGDOMAINS": "组织域名验证需要 (DNS 或 HTTP 挑战)",
"SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "SMTP 发件人地址与实例域名匹配",
"ALLOWUSERNAMEPASSWORD": "允许用户名密码",
"ALLOWEXTERNALIDP": "允许外部身份提供者",
diff --git a/docs/docs/apis/openidoauth/authn-methods.md b/docs/docs/apis/openidoauth/authn-methods.md
index d0b038daa6..7e9566fd0e 100644
--- a/docs/docs/apis/openidoauth/authn-methods.md
+++ b/docs/docs/apis/openidoauth/authn-methods.md
@@ -46,7 +46,7 @@ JWT
| Claim | Example | Description |
|:------|:---------------------------|:----------------------------------------------------------------------------------------------------------------|
-| aud | `"https://{your_domain}"` | String or Array of intended audiences MUST include ZITADEL's issuing domain |
+| aud | `"https://$CUSTOM-DOMAIN"` | String or Array of intended audiences MUST include ZITADEL's issuing domain |
| exp | `1605183582` | Unix timestamp of the expiry |
| iat | `1605179982` | Unix timestamp of the creation singing time of the JWT, MUST NOT be older than 1h |
| iss | `"78366401571920522@acme"` | String which represents the requesting party (owner of the key), normally the `clientID` from the json key file |
@@ -56,7 +56,7 @@ JWT
{
"iss": "78366401571920522@acme",
"sub": "78366401571920522@acme",
- "aud": "https://{your_domain}",
+ "aud": "https://$CUSTOM-DOMAIN",
"exp": 1605183582,
"iat": 1605179982
}
diff --git a/docs/docs/apis/openidoauth/claims.md b/docs/docs/apis/openidoauth/claims.md
index 8e5145c350..fb006765e2 100644
--- a/docs/docs/apis/openidoauth/claims.md
+++ b/docs/docs/apis/openidoauth/claims.md
@@ -43,7 +43,7 @@ Please check below the matrix for an overview where which scope is asserted.
| Claims | Example | Description |
|:-------------------|:-----------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------|
| acr | TBA | TBA |
-| address | `Lerchenfeldstrasse 3, 9014 St. Gallen` | TBA |
+| address | `Lerchenfeldstrasse 3, 9014 St. Gallen` | TBA |
| amr | `pwd mfa` | Authentication Method References as defined in [RFC8176](https://tools.ietf.org/html/rfc8176)
`password` value is deprecated, please check `pwd` |
| aud | `69234237810729019` | The audience of the token, by default all client id's and the project id are included |
| auth_time | `1311280969` | Unix time of the authentication |
@@ -55,7 +55,7 @@ Please check below the matrix for an overview where which scope is asserted.
| gender | `other` | Gender of the subject |
| given_name | `Road` | Given name of the subject |
| iat | `1311280970` | Time of the token was issued at (as unix time) |
-| iss | `{your_domain}` | Issuing domain of a token |
+| iss | `$CUSTOM-DOMAIN` | Issuing domain of a token |
| jti | `69234237813329048` | Unique id of the token |
| locale | `en` | Language from the subject |
| name | `Road Runner` | The subjects full name |
diff --git a/docs/docs/apis/openidoauth/grant-types.md b/docs/docs/apis/openidoauth/grant-types.md
index 1f8ee6b8b6..be4ce95545 100644
--- a/docs/docs/apis/openidoauth/grant-types.md
+++ b/docs/docs/apis/openidoauth/grant-types.md
@@ -76,19 +76,19 @@ Key JSON
JWT
-| Claim | Example | Description |
-|:------|:--------------------------|:--------------------------------------------------------------------------------------------------------------|
-| aud | `"https://{your_domain}"` | String or Array of intended audiences MUST include ZITADEL's issuing domain |
-| exp | `1605183582` | Unix timestamp of the expiry |
-| iat | `1605179982` | Unix timestamp of the creation singing time of the JWT, MUST NOT be older than 1h |
-| iss | `"77479219772321307"` | String which represents the requesting party (owner of the key), normally the `userId` from the json key file |
-| sub | `"77479219772321307"` | The subject ID of the service user, normally the `userId` from the json key file |
+| Claim | Example | Description |
+|:------|:-------------------------|:--------------------------------------------------------------------------------------------------------------|
+| aud | `"https://$CUSTOM-DOMAIN"` | String or Array of intended audiences MUST include ZITADEL's issuing domain |
+| exp | `1605183582` | Unix timestamp of the expiry |
+| iat | `1605179982` | Unix timestamp of the creation singing time of the JWT, MUST NOT be older than 1h |
+| iss | `"77479219772321307"` | String which represents the requesting party (owner of the key), normally the `userId` from the json key file |
+| sub | `"77479219772321307"` | The subject ID of the service user, normally the `userId` from the json key file |
```JSON
{
"iss": "77479219772321307",
"sub": "77479219772321307",
- "aud": "https://{your_domain}",
+ "aud": "https://$CUSTOM-DOMAIN",
"exp": 1605183582,
"iat": 1605179982
}
diff --git a/docs/docs/apis/saml/endpoints.md b/docs/docs/apis/saml/endpoints.md
index a2cc2b996e..bb0e765da0 100644
--- a/docs/docs/apis/saml/endpoints.md
+++ b/docs/docs/apis/saml/endpoints.md
@@ -4,7 +4,7 @@ title: SAML Endpoints in ZITADEL
## SAML 2.0 metadata
-The SAML Metadata is located within the issuer domain. This would give us {your_domain}/saml/v2/metadata.
+The SAML Metadata is located within the issuer domain. This would give us $CUSTOM-DOMAIN/saml/v2/metadata.
This metadata contains all the information defined in the spec.
@@ -13,14 +13,14 @@ spec.** [Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0
## Certificate endpoint
-{your_domain}/saml/v2/certificate
+$CUSTOM-DOMAIN/saml/v2/certificate
The certificate endpoint provides the certificate which is used to sign the responses for download, for easier use with
different service providers which want the certificate separately instead of inside the metadata.
## SSO endpoint
-{your_domain}/saml/v2/SSO
+$CUSTOM-DOMAIN/saml/v2/SSO
The SSO endpoint is the starting point for all initial user authentications. The user agent (browser) will be redirected
to this endpoint to authenticate the user.
diff --git a/docs/docs/concepts/features/audit-trail.md b/docs/docs/concepts/features/audit-trail.md
index 5a08298872..bad91b01d0 100644
--- a/docs/docs/concepts/features/audit-trail.md
+++ b/docs/docs/concepts/features/audit-trail.md
@@ -27,7 +27,7 @@ The same view is available on several other objects such as organization or proj
### Event View
Administrators can see all events across an instance and filter them directly in [Console](/docs/guides/manage/console/overview).
-Go to your instance settings and then click on the Tab **Events** to open the Event Viewer or browse to $YOUR_DOMAIN/ui/console/events
+Go to your instance settings and then click on the Tab **Events** to open the Event Viewer or browse to $CUSTOM-DOMAIN/ui/console/events
diff --git a/docs/docs/concepts/features/selfservice.md b/docs/docs/concepts/features/selfservice.md
index 42508e8692..1376699928 100644
--- a/docs/docs/concepts/features/selfservice.md
+++ b/docs/docs/concepts/features/selfservice.md
@@ -139,7 +139,7 @@ A client can also implement this, by calling the [specific endpoint](/apis/openi
## Profile
These actions are available for authenticated users only.
-ZITADEL provides a self-service UI for the user profile out-of-the box under the path _{your_domain}/ui/console/users/me_.
+ZITADEL provides a self-service UI for the user profile out-of-the box under the path _$CUSTOM-DOMAIN/ui/console/users/me_.
You can also implement your own version in your application by using our APIs.
### Change password
diff --git a/docs/docs/examples/identity-proxy/oauth2-proxy.md b/docs/docs/examples/identity-proxy/oauth2-proxy.md
index b1a470df5c..e63f91230e 100644
--- a/docs/docs/examples/identity-proxy/oauth2-proxy.md
+++ b/docs/docs/examples/identity-proxy/oauth2-proxy.md
@@ -43,7 +43,7 @@ provider = "oidc"
user_id_claim = "sub" #uses the subject as ID instead of the email
provider_display_name = "ZITADEL"
redirect_url = "http://127.0.0.1:4180/oauth2/callback"
-oidc_issuer_url = "https://{your_domain}.zitadel.cloud"
+oidc_issuer_url = "https://$CUSTOM-DOMAIN"
upstreams = [
"https://example.corp.com"
]
diff --git a/docs/docs/guides/integrate/access-zitadel-apis.md b/docs/docs/guides/integrate/access-zitadel-apis.md
index 2509c07243..545e9d75a1 100644
--- a/docs/docs/guides/integrate/access-zitadel-apis.md
+++ b/docs/docs/guides/integrate/access-zitadel-apis.md
@@ -44,7 +44,7 @@ Use the scope `urn:zitadel:iam:org:project:id:zitadel:aud` to include the ZITADE
```bash
curl --request POST \
- --url {your_domain}/oauth/v2/token \
+ --url $CUSTOM-DOMAIN/oauth/v2/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer \
--data scope='openid profile email urn:zitadel:iam:org:project:id:zitadel:aud' \
diff --git a/docs/docs/guides/integrate/access-zitadel-system-api.md b/docs/docs/guides/integrate/access-zitadel-system-api.md
index 598a096dc7..08bef3656c 100644
--- a/docs/docs/guides/integrate/access-zitadel-system-api.md
+++ b/docs/docs/guides/integrate/access-zitadel-system-api.md
@@ -59,7 +59,7 @@ The JWT payload will need to contain the following claims:
{
"iss": "",
"sub": "",
- "aud": "",
+ "aud": "",
"exp": ,
"iat":
}
@@ -95,7 +95,7 @@ Now that you configured ZITADEL and created a JWT, you can call the System API a
```bash
curl --request POST \
- --url {your_domain}/system/v1/instances/_search \
+ --url $CUSTOM-DOMAIN/system/v1/instances/_search \
--header 'Authorization: Bearer {token}' \
--header 'Content-Type: application/json'
```
diff --git a/docs/docs/guides/integrate/authenticated-mongodb-charts.md b/docs/docs/guides/integrate/authenticated-mongodb-charts.md
index 3a668a37bb..ed6a72bca5 100644
--- a/docs/docs/guides/integrate/authenticated-mongodb-charts.md
+++ b/docs/docs/guides/integrate/authenticated-mongodb-charts.md
@@ -29,7 +29,7 @@ Configure ZITADEL as your _Custom JWT Provider_ following the [MongoDB docs](htt
Configure the following values:
- Signing Algorithm: RS256
- Signing Key: JWK or JWKS URL
-- JWKS: https://{your_domain}.zitadel.cloud/oauth/v2/keys
+- JWKS: https://$CUSTOM-DOMAIN/oauth/v2/keys
- Audience: Your app's client ID which you copied when you created the ZITADEL app
Your configuration should look similar to this:
diff --git a/docs/docs/guides/integrate/client-credentials.md b/docs/docs/guides/integrate/client-credentials.md
index 584ce82406..bd0ccf85f3 100644
--- a/docs/docs/guides/integrate/client-credentials.md
+++ b/docs/docs/guides/integrate/client-credentials.md
@@ -41,7 +41,7 @@ You will need to craft a POST request to ZITADEL's token endpoint:
```bash
curl --request POST \
- --url https://{your_domain}.zitadel.cloud/oauth/v2/token \
+ --url https://$CUSTOM-DOMAIN/oauth/v2/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic ${BASIC_AUTH}' \
--data grant_type=client_credentials \
@@ -72,7 +72,7 @@ In this example we read the organization of the service user.
```bash
curl --request GET \
- --url {your-domain}/management/v1/orgs/me \
+ --url $CUSTOM-DOMAIN/management/v1/orgs/me \
--header 'Authorization: Bearer ${TOKEN}'
```
diff --git a/docs/docs/guides/integrate/event-api.md b/docs/docs/guides/integrate/event-api.md
index fc70c16484..44f9aaef11 100644
--- a/docs/docs/guides/integrate/event-api.md
+++ b/docs/docs/guides/integrate/event-api.md
@@ -24,7 +24,7 @@ To further restrict your result you can add the following filters:
```bash
curl --request POST \
- --url $YOUR-DOMAIN/admin/v1/events/_search \
+ --url $CUSTOM-DOMAIN/admin/v1/events/_search \
--header "Authorization: Bearer $TOKEN"
```
@@ -34,7 +34,7 @@ To be able to filter for the different event types ZITADEL knows, you can reques
```bash
curl --request POST \
---url $YOUR-DOMAIN/admin/v1/events/types/_search \
+--url $CUSTOM-DOMAIN/admin/v1/events/types/_search \
--header "Authorization: Bearer $TOKEN" \
--header 'Content-Type: application/json' \
'
@@ -70,7 +70,7 @@ To be able to filter for the different aggregate types (resources) ZITADEL knows
```bash
curl --request POST \
- --url $YOUR-DOMAIN/admin/v1/aggregates/types/_search \
+ --url $CUSTOM-DOMAIN/admin/v1/aggregates/types/_search \
--header "Authorization: Bearer $TOKEN" \
--header 'Content-Type: application/json'
```
@@ -101,7 +101,7 @@ This example shows you how to get all events from users, filtered with the creat
```bash
curl --request POST \
- --url $YOUR-DOMAIN/admin/v1/events/_search \
+ --url $CUSTOM-DOMAIN/admin/v1/events/_search \
--header "Authorization: Bearer $TOKEN" \
--header 'Content-Type: application/json' \
--data '{
@@ -121,7 +121,7 @@ Also we include the refresh tokens in this example to know when the user has bec
```bash
curl --request POST \
- --url $YOUR-DOMAIN/admin/v1/events/_search \
+ --url $CUSTOM-DOMAIN/admin/v1/events/_search \
--header "Authorization: Bearer $TOKEN" \
--header 'Content-Type: application/json' \
--data '{
@@ -147,7 +147,7 @@ In this case this are the following events:
```bash
curl --request POST \
- --url $YOUR-DOMAIN/admin/v1/events/_search \
+ --url $CUSTOM-DOMAIN/admin/v1/events/_search \
--header "Authorization: Bearer $TOKEN" \
--header 'Content-Type: application/json' \
--data '{
diff --git a/docs/docs/guides/integrate/logout.md b/docs/docs/guides/integrate/logout.md
index c9679c4ad8..71c139bb9f 100644
--- a/docs/docs/guides/integrate/logout.md
+++ b/docs/docs/guides/integrate/logout.md
@@ -37,7 +37,7 @@ If you have specified some post_logout_redirect_uris on your client you have to
So ZITADEL is able to read the configured redirect uris.
```
-GET {your_domain}/oidc/v1/end_session
+GET $CUSTOM-DOMAIN/oidc/v1/end_session
?id_token_hint={id_token}
&post_logout_redirect_uri=https://rp.example.com/logged_out
&state=random_string
diff --git a/docs/docs/guides/integrate/pat.md b/docs/docs/guides/integrate/pat.md
index fe2abcb6ea..e3be879c26 100644
--- a/docs/docs/guides/integrate/pat.md
+++ b/docs/docs/guides/integrate/pat.md
@@ -41,6 +41,6 @@ In this example we read the organization of the service user.
```bash
curl --request GET \
- --url {your-domain}/management/v1/orgs/me \
+ --url $CUSTOM-DOMAIN/management/v1/orgs/me \
--header 'Authorization: Bearer {PAT}'
```
\ No newline at end of file
diff --git a/docs/docs/guides/integrate/private-key-jwt.md b/docs/docs/guides/integrate/private-key-jwt.md
index 0c5a2caf08..54288382e9 100644
--- a/docs/docs/guides/integrate/private-key-jwt.md
+++ b/docs/docs/guides/integrate/private-key-jwt.md
@@ -68,7 +68,7 @@ Payload
{
"iss": "100507859606888466",
"sub": "100507859606888466",
- "aud": "https://{your_domain}.zitadel.cloud",
+ "aud": "https://$CUSTOM-DOMAIN",
"iat": [Current UTC timestamp, e.g. 1605179982, max. 1 hour ago],
"exp": [UTC timestamp, e.g. 1605183582]
}
@@ -90,7 +90,7 @@ With the encoded JWT from the prior step, you will need to craft a POST request
```bash
curl --request POST \
- --url https://{your_domain}.zitadel.cloud/oauth/v2/token \
+ --url https:/$CUSTOM-DOMAIN/oauth/v2/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer \
--data scope='openid profile email' \
@@ -122,7 +122,7 @@ For this example let's call the userinfo endpoint to verify that our access toke
```bash
curl --request POST \
- --url https://{your_domain}.zitadel.cloud/oidc/v1/userinfo \
+ --url $CUSTOM-DOMAIN/oidc/v1/userinfo \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Bearer MtjHodGy4zxKylDOhg6kW90WeEQs2q...'
```
@@ -135,7 +135,7 @@ Content-Type: application/json
{
"name": "MyServiceUser",
- "preferred_username": "service_user@{your_domain}.zitadel.cloud",
+ "preferred_username": "service_user@$CUSTOM-DOMAIN",
"updated_at": 1616417938
}
```
diff --git a/docs/docs/guides/integrate/retrieve-user-roles.md b/docs/docs/guides/integrate/retrieve-user-roles.md
index 5a70635647..30f6609ea9 100644
--- a/docs/docs/guides/integrate/retrieve-user-roles.md
+++ b/docs/docs/guides/integrate/retrieve-user-roles.md
@@ -83,7 +83,7 @@ Alternatively, you can include the claims `urn:iam:org:project:roles` or/and `ur
### Retrieve roles from the userinfo endpoint
-The user info endpoint is **ZITADEL_DOMAIN/oidc/v1/userinfo**.
+The user info endpoint is **$CUSTOM-DOMAIN/oidc/v1/userinfo**.
This endpoint will return information about the authenticated user.
Send the access token of the user as `Bearer Token` in the `Authorization` header:
@@ -91,7 +91,7 @@ Send the access token of the user as `Bearer Token` in the `Authorization` heade
**cURL Request:**
```bash
curl --request GET \
- --url $ZITADEL_DOMAIN/oidc/v1/userinfo
+ --url $CUSTOM-DOMAIN/oidc/v1/userinfo
--header 'Authorization: Bearer '
```
@@ -206,11 +206,11 @@ Let’s start with a user who has multiple roles in different organizations in a
Returns a list of roles for the authenticated user and for the requesting project (based on the token).
-**URL: https://$ZITADEL_DOMAIN/auth/v1/permissions/me/_search**
+**URL: https://$CUSTOM-DOMAIN/auth/v1/permissions/me/_search**
**cURL request:**
```bash
-curl -L -X POST 'https://$ZITADEL_DOMAIN/auth/v1/permissions/me/_search' \
+curl -L -X POST 'https://$CUSTOM-DOMAIN/auth/v1/permissions/me/_search' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer '
```
@@ -231,12 +231,12 @@ Returns a list of permissions the authenticated user has in ZITADEL based on the
This request can be used if you are building a management UI. For instance, if the UI is managing users, you can show the management functionality based on the permissions the user has. Here’s an example: if the user has `user.read` and `user.write` permission you can show the edit buttons, if the user only has `user.read` permission, you can hide the edit buttons.
-**URL: https://ZITADEL_DOMAIN/auth/v1/permissions/zitadel/me/_search**
+**URL: https://$CUSTOM-DOMAIN/auth/v1/permissions/zitadel/me/_search**
**cURL Request:**
```bash
-curl -L -X POST 'https://$ZITADEL_DOMAIN/auth/v1/permissions/zitadel/me/_search' \
+curl -L -X POST 'https://$CUSTOM-DOMAIN/auth/v1/permissions/zitadel/me/_search' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer '
```
@@ -277,12 +277,12 @@ curl -L -X POST 'https://$ZITADEL_DOMAIN/auth/v1/permissions/zitadel/me/_search'
Returns a list of user grants the authenticated user has. User grants consist of an organization, a project and roles.
-**URL: https://$ZITADEL_DOMAIN/auth/v1/usergrants/me/_search**
+**URL: https://$CUSTOM-DOMAIN/auth/v1/usergrants/me/_search**
**cURL request:**
```bash
-curl -L -X POST 'https://$ZITADEL_DOMAIN/auth/v1/usergrants/me/_search' \
+curl -L -X POST 'https://$CUSTOM-DOMAIN/auth/v1/usergrants/me/_search' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer ' \
@@ -379,7 +379,7 @@ curl -L -X POST 'https://$ZITADEL_DOMAIN/auth/v1/usergrants/me/_search' \
### Retrieve roles using the management API
Now we will use the management API to retrieve user roles under an admin user.
-The base URL is: **https://$ZITADEL_DOMAIN/management/v1**
+The base URL is: **https://$CUSTOM-DOMAIN/management/v1**
In [APIs listed under user grants in the management API](/docs/category/apis/resources/mgmt/user-grants), you will see that you can use the management API to retrieve and modify user grants. The two API paths that we are interested in to fetch user roles are given below.
@@ -389,12 +389,12 @@ In [APIs listed under user grants in the management API](/docs/category/apis/res
Returns a list of user roles that match the search queries. A user with manager permissions will call this API and will also have to reside in the same organization as the user.
-**URL: https://$ZITADEL_DOMAIN/management/v1/users/grants/_search**
+**URL: https://$CUSTOM-DOMAIN/management/v1/users/grants/_search**
**cURL request:**
```bash
-curl -L -X POST 'https://$ZITADEL_DOMAIN/management/v1/users/grants/_search' \
+curl -L -X POST 'https://$CUSTOM-DOMAIN/management/v1/users/grants/_search' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer ' \
diff --git a/docs/docs/guides/integrate/services/gitlab-saml.md b/docs/docs/guides/integrate/services/gitlab-saml.md
index a4c5fd1725..ae6bb04a71 100644
--- a/docs/docs/guides/integrate/services/gitlab-saml.md
+++ b/docs/docs/guides/integrate/services/gitlab-saml.md
@@ -51,7 +51,7 @@ Check your application, if everything is correct, press "Create".
Complete the configuration as follows:
-- `Identity provider single sign-on URL`: {your_instance_domain}/saml/v2/SSO
+- `Identity provider single sign-on URL`: $CUSTOM-DOMAIN/saml/v2/SSO
- `Certificate fingerprint`: You need to download the certificate from {your_instance_domain}/saml/v2/certificate and create a SHA1 fingerprint
Save the changes.
diff --git a/docs/docs/guides/manage/cloud/instances.md b/docs/docs/guides/manage/cloud/instances.md
index c958f89f2a..fd1faf3b98 100644
--- a/docs/docs/guides/manage/cloud/instances.md
+++ b/docs/docs/guides/manage/cloud/instances.md
@@ -56,7 +56,7 @@ A free instance can be upgraded to a "pay as you go" instance. By upgrading your
### Add Custom Domain
We recommend register a custom domain to access your ZITADEL instance.
-The primary domain of your ZITADEL instance will be the issuer of the instance. All other domains can be used to access the instance itself
+The primary custom domain of your ZITADEL instance will be the issuer of the instance. All other custom domains can be used to access the instance itself
1. Browse to your instance
2. Click **Add custom domain**
@@ -73,7 +73,7 @@ Be aware that it has some impacts if you change the primary domain of your insta
-#### Verify Domain
+#### Verify Custom Domain
If you need a custom domain for your ZITADEL instance, you need to verify the domain.
diff --git a/docs/docs/guides/manage/console/organizations.mdx b/docs/docs/guides/manage/console/organizations.mdx
index d117954fea..c6d7c8985b 100644
--- a/docs/docs/guides/manage/console/organizations.mdx
+++ b/docs/docs/guides/manage/console/organizations.mdx
@@ -23,7 +23,7 @@ If you choose your logged in user as organization manager, a membership for the
alt="Select Organization"
/>
-If you want to enable your customers to create their organization by themselves, we provide a creation form for a organization. `