fix: Domains problematic (#6564)

* docs: disable validate org domains per default, and have a better label * docs: rename to $CUSTOM-DOMAIN * docs: translation * docs: tranlsations * docs: tranlsations * docs: allow domain discovery --------- Co-authored-by: Max Peintner <max@caos.ch>
2025-02-28 21:07:22 +00:00 · 2023-09-20 12:45:11 +02:00 · 2023-09-20 12:45:11 +02:00 · 7edc73bd5e
commit 7edc73bd5e
parent 57d8ff1ef6
41 changed files with 109 additions and 109 deletions
--- a/cmd/defaults.yaml
+++ b/cmd/defaults.yaml
@ -595,7 +595,7 @@ DefaultInstance:
    MaxAgeDays: 0 # ZITADEL_DEFAULTINSTANCE_PASSWORDAGEPOLICY_MAXAGEDAYS
  DomainPolicy:
    UserLoginMustBeDomain: false # ZITADEL_DEFAULTINSTANCE_DOMAINPOLICY_USERLOGINMUSTBEDOMAIN
-    ValidateOrgDomains: true # ZITADEL_DEFAULTINSTANCE_DOMAINPOLICY_VALIDATEORGDOMAINS
+    ValidateOrgDomains: false # ZITADEL_DEFAULTINSTANCE_DOMAINPOLICY_VALIDATEORGDOMAINS
    SMTPSenderAddressMatchesInstanceDomain: false # ZITADEL_DEFAULTINSTANCE_DOMAINPOLICY_SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN
  LoginPolicy:
    AllowUsernamePassword: true # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_ALLOWUSERNAMEPASSWORD
@ -604,7 +604,7 @@ DefaultInstance:
    ForceMFA: false # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_FORCEMFA
    HidePasswordReset: false # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_HIDEPASSWORDRESET
    IgnoreUnknownUsernames: false # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_IGNOREUNKNOWNUSERNAMES
-    AllowDomainDiscovery: false # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_ALLOWDOMAINDISCOVERY
+    AllowDomainDiscovery: true # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_ALLOWDOMAINDISCOVERY
    # 1 is allowed, 0 is not allowed
    PasswordlessType: 1 # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_PASSWORDLESSTYPE
    # DefaultRedirectURL is empty by default because we use the Console UI
--- a/console/src/assets/i18n/bg.json
+++ b/console/src/assets/i18n/bg.json
@ -789,7 +789,7 @@
    },
    "PAGES": {
      "STATE": "Статус",
-      "DOMAINLIST": "Домейни"
+      "DOMAINLIST": "Лични домейни"
    },
    "STATE": {
      "0": "Неуточнено",
@ -1344,7 +1344,7 @@
      "MAXAGEDAYS": "Максимална възраст в дни",
      "USERLOGINMUSTBEDOMAIN": "Добавяне на домейн на организация като суфикс към имената за вход",
      "USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Ако активирате тази настройка, всички имена за вход ще имат суфикс с домейна на организацията. ",
-      "VALIDATEORGDOMAINS": "Валидиране на организационни домейни",
+      "VALIDATEORGDOMAINS": "Верификация на домейна на организацията е необходима (DNS или HTTP предизвикателство)",
      "SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "SMTP адресът на изпращача съвпада с домейна на екземпляра",
      "ALLOWUSERNAMEPASSWORD": "Потребителско име Паролата е разрешена",
      "ALLOWEXTERNALIDP": "Допуска се външен IDP",
--- a/console/src/assets/i18n/de.json
+++ b/console/src/assets/i18n/de.json
@ -795,7 +795,7 @@
    },
    "PAGES": {
      "STATE": "Status",
-      "DOMAINLIST": "Domains"
+      "DOMAINLIST": "Custom Domains"
    },
    "STATE": {
      "0": "Unspezifisch",
@ -953,15 +953,15 @@
    "DOMAINS": {
      "NEW": "Domain hinzufügen",
      "TITLE": "Domänen",
-      "DESCRIPTION": "Konfiguriere die Domains, mit denen sich Deine Benutzer anmelden können.",
+      "DESCRIPTION": "Konfiguriere die Domains, die für Domain discovery und als Suffix für die Benutzer verwendet werden können.",
      "SETPRIMARY": "Primäre Domain setzen",
      "DELETE": {
        "TITLE": "Domain löschen?",
-        "DESCRIPTION": "Du bist im Begriff, eine Domain aus Deiner Organisation zu löschen. Deine Benutzer können diese nach dem Löschen nicht mehr für den Login nutzen."
+        "DESCRIPTION": "Du bist im Begriff, eine Domain aus deiner Organisation zu löschen."
      },
      "ADD": {
        "TITLE": "Domain hinzufügen",
-        "DESCRIPTION": "Du bist im Begriff, Deiner Organisation eine Domain hinzuzufügen. Deine Benutzer können diese nach der erfolgreichen Ausführung für den Login nutzen."
+        "DESCRIPTION": "Du bist im Begriff, Deiner Organisation eine Domain hinzuzufügen. Die Domain kann für Domain discovery genutzt werden und als Suffix für deine Benutzernamen."
      }
    },
    "STATE": {
@ -1350,7 +1350,7 @@
      "MAXAGEDAYS": "Maximale Gültigkeit in Tagen",
      "USERLOGINMUSTBEDOMAIN": "Organisationsdomain dem Loginname hinzufügen",
      "USERLOGINMUSTBEDOMAIN_DESCRIPTION": "If you enable this setting, all loginnames will be suffixed with the organization domain. If this settings is disabled, you have to ensure that usernames are unique over all organizations.",
-      "VALIDATEORGDOMAINS": "Org Domains validieren",
+      "VALIDATEORGDOMAINS": "Verifizierung des Organisations Domain erforderlich (DNS- oder HTTP-Herausforderung)",
      "SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "SMTP Sender Adresse entspricht Instanzdomain",
      "ALLOWUSERNAMEPASSWORD": "Benutzername Passwort erlaubt",
      "ALLOWEXTERNALIDP": "Externer IDP erlaubt",
--- a/console/src/assets/i18n/en.json
+++ b/console/src/assets/i18n/en.json
@ -796,7 +796,7 @@
    },
    "PAGES": {
      "STATE": "Status",
-      "DOMAINLIST": "Domains"
+      "DOMAINLIST": "Custom Domains"
    },
    "STATE": {
      "0": "Unspecified",
@ -954,15 +954,15 @@
    "DOMAINS": {
      "NEW": "Add Domain",
      "TITLE": "Domains",
-      "DESCRIPTION": "Configure your domains. This domain can be used to log in with your users.",
+      "DESCRIPTION": "Configure your organization domains. This domain can be used for domain discovery and username suffixing.",
      "SETPRIMARY": "Set as Primary",
      "DELETE": {
        "TITLE": "Delete Domain",
-        "DESCRIPTION": "You are about to delete one of your domains. Note that your users can no longer use this domain for their login."
+        "DESCRIPTION": "You are about to delete one of your domains."
      },
      "ADD": {
        "TITLE": "Add Domain",
-        "DESCRIPTION": "You are about to add a domain for your organization. After successful process, you users will be able to use the domain for their login."
+        "DESCRIPTION": "You are about to add a domain for your organization. After successful process, the domain can be used for domain discovery and as suffix for your users."
      }
    },
    "STATE": {
@ -1351,7 +1351,7 @@
      "MAXAGEDAYS": "Max Age in days",
      "USERLOGINMUSTBEDOMAIN": "Add organization domain as suffix to loginnames",
      "USERLOGINMUSTBEDOMAIN_DESCRIPTION": "If you enable this setting, all loginnames will be suffixed with the organization domain. If this settings is disabled, you have to ensure that usernames are unique over all organizations.",
-      "VALIDATEORGDOMAINS": "Validate Org domains",
+      "VALIDATEORGDOMAINS": "Organization domain verification required (DNS or HTTP challenge)",
      "SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "SMTP Sender Address matches Instance Domain",
      "ALLOWUSERNAMEPASSWORD": "Username Password allowed",
      "ALLOWEXTERNALIDP": "External IDP allowed",
--- a/console/src/assets/i18n/es.json
+++ b/console/src/assets/i18n/es.json
@ -796,7 +796,7 @@
    },
    "PAGES": {
      "STATE": "Estado",
-      "DOMAINLIST": "Dominios"
+      "DOMAINLIST": "Dominios personalizados"
    },
    "STATE": {
      "0": "No especificado",
@ -1351,7 +1351,7 @@
      "MAXAGEDAYS": "Antigüedad máxima en días",
      "USERLOGINMUSTBEDOMAIN": "Añadir el dominio de la organización como sufijo de los nombres de inicio de sesión",
      "USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Si activas esta opción, todos los nombres de inicio de sesión tendrán como sufijo el dominio de esta organización. Si esta opción está desactivada, tendrás que asegurarte de que los nombres de usuario son únicos para todas las organizaciones.",
-      "VALIDATEORGDOMAINS": "Validar los dominios de la organización",
+      "VALIDATEORGDOMAINS": "Verificación de dominio de la organización requerida (desafío DNS o HTTP)",
      "SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "La dirección del remitente SMTP coincide con el dominio de la instancia",
      "ALLOWUSERNAMEPASSWORD": "Nombre de usuario y contraseña permitido",
      "ALLOWEXTERNALIDP": "Permitido IDP externo",
--- a/console/src/assets/i18n/fr.json
+++ b/console/src/assets/i18n/fr.json
@ -795,7 +795,7 @@
    },
    "PAGES": {
      "STATE": "Statut",
-      "DOMAINLIST": "Domaines"
+      "DOMAINLIST": "Domaines personnalisés"
    },
    "STATE": {
      "0": "Inconnu",
@ -1350,7 +1350,7 @@
      "MAXAGEDAYS": "Âge maximum en jours",
      "USERLOGINMUSTBEDOMAIN": "Le nom de connexion de l'utilisateur doit contenir le nom de domaine de l'organisation",
      "USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Si vous activez ce paramètre, tous les noms de connexion seront suffixés avec le domaine de l'organisation. Si ce paramètre est désactivé, vous devez vous assurer que les noms d'utilisateur sont uniques pour toutes les organisations.",
-      "VALIDATEORGDOMAINS": "Valider les domaines d'Org",
+      "VALIDATEORGDOMAINS": "Vérification du domaine de l'organisation requise (challenge DNS ou HTTP)",
      "SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "L'adresse de l'expéditeur SMTP correspond au domaine de l'instance",
      "ALLOWUSERNAMEPASSWORD": "Nom d'utilisateur Mot de passe autorisé",
      "ALLOWEXTERNALIDP": "IDP externe autorisé",
--- a/console/src/assets/i18n/it.json
+++ b/console/src/assets/i18n/it.json
@ -794,7 +794,7 @@
    },
    "PAGES": {
      "STATE": "Stato",
-      "DOMAINLIST": "Domini"
+      "DOMAINLIST": "Domini personalizzati"
    },
    "STATE": {
      "0": "Non specifico",
@ -1350,7 +1350,7 @@
      "MAXAGEDAYS": "Lunghezza massima in giorni",
      "USERLOGINMUSTBEDOMAIN": "Nome utente deve contenere il dominio dell' organizzazione",
      "USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Se abiliti questa impostazione, a tutti i nomi di accesso verrà aggiunto il suffisso del dominio dell'organizzazione. Se questa impostazione è disabilitata, devi assicurarti che i nomi utente siano univoci per tutte le organizzazioni.",
-      "VALIDATEORGDOMAINS": "Verifica domini dell' organizzazione",
+      "VALIDATEORGDOMAINS": "Verifica del dominio dell'organizzazione richiesta (challenge DNS o HTTP)",
      "SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "L'indirizzo mittente SMTP corrisponde al dominio dell'istanza",
      "ALLOWUSERNAMEPASSWORD": "Autenticazione classica con password consentita",
      "ALLOWEXTERNALIDP": "IDP esterno consentito",
--- a/console/src/assets/i18n/ja.json
+++ b/console/src/assets/i18n/ja.json
@ -796,7 +796,7 @@
    },
    "PAGES": {
      "STATE": "ステータス",
-      "DOMAINLIST": "ドメイン"
+      "DOMAINLIST": "カスタムドメイン"
    },
    "STATE": {
      "0": "未定義",
@ -1346,7 +1346,7 @@
      "MAXAGEDAYS": "最大有効期限",
      "USERLOGINMUSTBEDOMAIN": "ログイン名の接尾辞として組織ドメインを追加する",
      "USERLOGINMUSTBEDOMAIN_DESCRIPTION": "この設定を有効にすると、すべてのログイン名が組織ドメインで接尾辞が付けられます。この設定が無効になっている場合、ユーザー名がすべての組織で一意であることを確認する必要があります。",
-      "VALIDATEORGDOMAINS": "組織ドメインを認証する",
+      "VALIDATEORGDOMAINS": "組織のドメイン検証が必要です (DNSまたはHTTPチャレンジ)",
      "SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "SMTP送信者アドレスはインスタンスドメインに一致しています",
      "ALLOWUSERNAMEPASSWORD": "ユーザー名とパスワードを許可",
      "ALLOWEXTERNALIDP": "外部IDPを許可",
--- a/console/src/assets/i18n/mk.json
+++ b/console/src/assets/i18n/mk.json
@ -796,7 +796,7 @@
    },
    "PAGES": {
      "STATE": "Статус",
-      "DOMAINLIST": "Домени"
+      "DOMAINLIST": "Прилагодени домени"
    },
    "STATE": {
      "0": "Ненаведено",
@ -1352,7 +1352,7 @@
      "MAXAGEDAYS": "Максимална возраст во денови",
      "USERLOGINMUSTBEDOMAIN": "Додади организациски домен како суфикс на корисничките имиња",
      "USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Ако го овозможите ова подесување, сите кориснички имиња ќе имаат суфикс на организацискиот домен. Доколку ова подесување е оневозможено, морате да се осигурате дека корисничките имиња се уникатни низ сите организации.",
-      "VALIDATEORGDOMAINS": "Валидирај организациски домени",
+      "VALIDATEORGDOMAINS": "Потврда на доменот на организацијата е неопходна (DNS или HTTP предизвик)",
      "SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "SMTP адресата на испраќачот се поклопува со доменот на инстанцата",
      "ALLOWUSERNAMEPASSWORD": "Дозволено корисничко име и лозинка",
      "ALLOWEXTERNALIDP": "Дозволен надворешен IDP",
--- a/console/src/assets/i18n/pl.json
+++ b/console/src/assets/i18n/pl.json
@ -795,7 +795,7 @@
    },
    "PAGES": {
      "STATE": "Status",
-      "DOMAINLIST": "Domeny"
+      "DOMAINLIST": "Własne domeny"
    },
    "STATE": {
      "0": "Nieokreślony",
@ -1350,7 +1350,7 @@
      "MAXAGEDAYS": "Maksymalny wiek w dniach",
      "USERLOGINMUSTBEDOMAIN": "Dodaj domenę organizacji jako przyrostek do nazw logowania",
      "USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Jeśli włączysz to ustawienie, wszystkie nazwy logowania będą miały przyrostek z domeną organizacji. Jeśli to ustawienie jest wyłączone, musisz zapewnić unikalność nazw użytkowników we wszystkich organizacjach.",
-      "VALIDATEORGDOMAINS": "Sprawdzanie ważności domen organizacji",
+      "VALIDATEORGDOMAINS": "Weryfikacja domeny organizacji jest wymagana (wyzwanie DNS lub HTTP)",
      "SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "Adres nadawcy SMTP pasuje do domeny instancji",
      "ALLOWUSERNAMEPASSWORD": "Zezwól na użycie nazwy użytkownika i hasła",
      "ALLOWEXTERNALIDP": "Zezwól na zewnętrznego dostawcę tożsamości",
--- a/console/src/assets/i18n/pt.json
+++ b/console/src/assets/i18n/pt.json
@ -796,7 +796,7 @@
    },
    "PAGES": {
      "STATE": "Status",
-      "DOMAINLIST": "Domínios"
+      "DOMAINLIST": "Domínios personalizados"
    },
    "STATE": {
      "0": "Não especificado",
@ -1352,7 +1352,7 @@
      "MAXAGEDAYS": "Idade máxima em dias",
      "USERLOGINMUSTBEDOMAIN": "Adicionar domínio da organização como sufixo aos nomes de login",
      "USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Se você habilitar essa configuração, todos os nomes de login serão sufixados com o domínio da organização. Se essa configuração estiver desabilitada, você deve garantir que os nomes de usuário sejam exclusivos em todas as organizações.",
-      "VALIDATEORGDOMAINS": "Validar domínios da organização",
+      "VALIDATEORGDOMAINS": "Verificação de domínio da organização necessária (desafio DNS ou HTTP)",
      "SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "O endereço do remetente do SMTP corresponde ao domínio da Instância",
      "ALLOWUSERNAMEPASSWORD": "Permitir usuário e senha",
      "ALLOWEXTERNALIDP": "Permitir provedor de ID externo",
--- a/console/src/assets/i18n/zh.json
+++ b/console/src/assets/i18n/zh.json
@ -795,7 +795,7 @@
    },
    "PAGES": {
      "STATE": "状态",
-      "DOMAINLIST": "域名"
+      "DOMAINLIST": "自定义域名"
    },
    "STATE": {
      "0": "未指定",
@ -1349,7 +1349,7 @@
      "MAXAGEDAYS": "Max Age in days",
      "USERLOGINMUSTBEDOMAIN": "用户名必须包含组织域名",
      "USERLOGINMUSTBEDOMAIN_DESCRIPTION": "如果启用此设置，所有登录名都将以组织域为后缀。如果禁用此设置，您必须确保用户名在所有组织中都是唯一的。",
-      "VALIDATEORGDOMAINS": "验证组织域名",
+      "VALIDATEORGDOMAINS": "组织域名验证需要 (DNS 或 HTTP 挑战)",
      "SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "SMTP 发件人地址与实例域名匹配",
      "ALLOWUSERNAMEPASSWORD": "允许用户名密码",
      "ALLOWEXTERNALIDP": "允许外部身份提供者",
--- a/docs/docs/apis/openidoauth/authn-methods.md
+++ b/docs/docs/apis/openidoauth/authn-methods.md
@ -46,7 +46,7 @@ JWT
 | Claim | Example                    | Description                                                                                                     |
 |:------|:---------------------------|:----------------------------------------------------------------------------------------------------------------|
-| aud   | `"https://{your_domain}"`  | String or Array of intended audiences MUST include ZITADEL's issuing domain                                     |
+| aud   | `"https://$CUSTOM-DOMAIN"`  | String or Array of intended audiences MUST include ZITADEL's issuing domain                                     |
 | exp   | `1605183582`               | Unix timestamp of the expiry                                                                                    |
 | iat   | `1605179982`               | Unix timestamp of the creation singing time of the JWT, MUST NOT be older than 1h                               |
 | iss   | `"78366401571920522@acme"` | String which represents the requesting party (owner of the key), normally the `clientID` from the json key file |
@ -56,7 +56,7 @@ JWT
 {
 	"iss": "78366401571920522@acme",
 	"sub": "78366401571920522@acme",
-	"aud": "https://{your_domain}",
+	"aud": "https://$CUSTOM-DOMAIN",
 	"exp": 1605183582,
 	"iat": 1605179982
 }
--- a/docs/docs/apis/openidoauth/claims.md
+++ b/docs/docs/apis/openidoauth/claims.md
@ -43,7 +43,7 @@ Please check below the matrix for an overview where which scope is asserted.
 | Claims             | Example                                  | Description                                                                                                                                            |
 |:-------------------|:-----------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------|
 | acr                | TBA                                      | TBA                                                                                                                                                    |
-| address            | `Lerchenfeldstrasse 3, 9014 St. Gallen`   | TBA                                                                                                                                                    |
+| address            | `Lerchenfeldstrasse 3, 9014 St. Gallen`  | TBA                                                                                                                                                    |
 | amr                | `pwd mfa`                                | Authentication Method References as defined in [RFC8176](https://tools.ietf.org/html/rfc8176) <br/> `password` value is deprecated, please check `pwd` |
 | aud                | `69234237810729019`                      | The audience of the token, by default all client id's and the project id are included                                                                  |
 | auth_time          | `1311280969`                             | Unix time of the authentication                                                                                                                        |
@ -55,7 +55,7 @@ Please check below the matrix for an overview where which scope is asserted.
 | gender             | `other`                                  | Gender of the subject                                                                                                                                  |
 | given_name         | `Road`                                   | Given name of the subject                                                                                                                              |
 | iat                | `1311280970`                             | Time of the token was issued at (as unix time)                                                                                                         |
-| iss                | `{your_domain}`                          | Issuing domain of a token                                                                                                                              |
+| iss                | `$CUSTOM-DOMAIN`                                      | Issuing domain of a token                                                                                                                              |
 | jti                | `69234237813329048`                      | Unique id of the token                                                                                                                                 |
 | locale             | `en`                                     | Language from the subject                                                                                                                              |
 | name               | `Road Runner`                            | The subjects full name                                                                                                                                 |
--- a/docs/docs/apis/openidoauth/grant-types.md
+++ b/docs/docs/apis/openidoauth/grant-types.md
@ -76,19 +76,19 @@ Key JSON
 JWT
-| Claim | Example                   | Description                                                                                                   |
+| Claim | Example                  | Description                                                                                                   |
-|:------|:--------------------------|:--------------------------------------------------------------------------------------------------------------|
+|:------|:-------------------------|:--------------------------------------------------------------------------------------------------------------|
-| aud   | `"https://{your_domain}"` | String or Array of intended audiences MUST include ZITADEL's issuing domain                                   |
+| aud   | `"https://$CUSTOM-DOMAIN"`            | String or Array of intended audiences MUST include ZITADEL's issuing domain                                   |
-| exp   | `1605183582`              | Unix timestamp of the expiry                                                                                  |
+| exp   | `1605183582`             | Unix timestamp of the expiry                                                                                  |
-| iat   | `1605179982`              | Unix timestamp of the creation singing time of the JWT, MUST NOT be older than 1h                             |
+| iat   | `1605179982`             | Unix timestamp of the creation singing time of the JWT, MUST NOT be older than 1h                             |
-| iss   | `"77479219772321307"`     | String which represents the requesting party (owner of the key), normally the `userId` from the json key file |
+| iss   | `"77479219772321307"`    | String which represents the requesting party (owner of the key), normally the `userId` from the json key file |
-| sub   | `"77479219772321307"`     | The subject ID of the service user, normally the `userId` from the json key file                              |
+| sub   | `"77479219772321307"`    | The subject ID of the service user, normally the `userId` from the json key file                              |
 ```JSON
 {
 	"iss": "77479219772321307",
 	"sub": "77479219772321307",
-	"aud": "https://{your_domain}",
+	"aud": "https://$CUSTOM-DOMAIN",
 	"exp": 1605183582,
 	"iat": 1605179982
 }
--- a/docs/docs/apis/saml/endpoints.md
+++ b/docs/docs/apis/saml/endpoints.md
@ -4,7 +4,7 @@ title: SAML Endpoints in ZITADEL
 ## SAML 2.0 metadata
-The SAML Metadata is located within the issuer domain. This would give us {your_domain}/saml/v2/metadata.
+The SAML Metadata is located within the issuer domain. This would give us $CUSTOM-DOMAIN/saml/v2/metadata.
 This metadata contains all the information defined in the spec.
@ -13,14 +13,14 @@ spec.** [Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0
 ## Certificate endpoint
-{your_domain}/saml/v2/certificate
+$CUSTOM-DOMAIN/saml/v2/certificate
 The certificate endpoint provides the certificate which is used to sign the responses for download, for easier use with
 different service providers which want the certificate separately instead of inside the metadata.
 ## SSO endpoint
-{your_domain}/saml/v2/SSO
+$CUSTOM-DOMAIN/saml/v2/SSO
 The SSO endpoint is the starting point for all initial user authentications. The user agent (browser) will be redirected
 to this endpoint to authenticate the user.
--- a/docs/docs/concepts/features/audit-trail.md
+++ b/docs/docs/concepts/features/audit-trail.md
@ -27,7 +27,7 @@ The same view is available on several other objects such as organization or proj
 ### Event View
 Administrators can see all events across an instance and filter them directly in [Console](/docs/guides/manage/console/overview).
-Go to your instance settings and then click on the Tab **Events** to open the Event Viewer or browse to $YOUR_DOMAIN/ui/console/events  
+Go to your instance settings and then click on the Tab **Events** to open the Event Viewer or browse to $CUSTOM-DOMAIN/ui/console/events  
 ![Event viewer](/img/concepts/audit-trail/event-viewer.png)
--- a/docs/docs/concepts/features/selfservice.md
+++ b/docs/docs/concepts/features/selfservice.md
@ -139,7 +139,7 @@ A client can also implement this, by calling the [specific endpoint](/apis/openi
 ## Profile
 These actions are available for authenticated users only.
-ZITADEL provides a self-service UI for the user profile out-of-the box under the path _{your_domain}/ui/console/users/me_.
+ZITADEL provides a self-service UI for the user profile out-of-the box under the path _$CUSTOM-DOMAIN/ui/console/users/me_.
 You can also implement your own version in your application by using our APIs.
 ### Change password
--- a/docs/docs/examples/identity-proxy/oauth2-proxy.md
+++ b/docs/docs/examples/identity-proxy/oauth2-proxy.md
@ -43,7 +43,7 @@ provider = "oidc"
 user_id_claim = "sub" #uses the subject as ID instead of the email
 provider_display_name = "ZITADEL"
 redirect_url = "http://127.0.0.1:4180/oauth2/callback"
-oidc_issuer_url = "https://{your_domain}.zitadel.cloud"
+oidc_issuer_url = "https://$CUSTOM-DOMAIN"
 upstreams = [
    "https://example.corp.com"
 ]
--- a/docs/docs/guides/integrate/access-zitadel-apis.md
+++ b/docs/docs/guides/integrate/access-zitadel-apis.md
@ -44,7 +44,7 @@ Use the scope `urn:zitadel:iam:org:project:id:zitadel:aud` to include the ZITADE
 ```bash
 curl --request POST \
-  --url {your_domain}/oauth/v2/token \
+  --url $CUSTOM-DOMAIN/oauth/v2/token \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer \
  --data scope='openid profile email urn:zitadel:iam:org:project:id:zitadel:aud' \
--- a/docs/docs/guides/integrate/access-zitadel-system-api.md
+++ b/docs/docs/guides/integrate/access-zitadel-system-api.md
@ -59,7 +59,7 @@ The JWT payload will need to contain the following claims:
 {
  "iss": "<userid>",
  "sub": "<userid>",
-  "aud": "<https://your_domain>",
+  "aud": "<https://$CUSTOM-DOMAIN>",
  "exp": <now+1h>,
  "iat": <now>
 }
@ -95,7 +95,7 @@ Now that you configured ZITADEL and created a JWT, you can call the System API a
 ```bash
 curl --request POST \
-  --url {your_domain}/system/v1/instances/_search \
+  --url $CUSTOM-DOMAIN/system/v1/instances/_search \
  --header 'Authorization: Bearer {token}' \
  --header 'Content-Type: application/json'
 ```
--- a/docs/docs/guides/integrate/authenticated-mongodb-charts.md
+++ b/docs/docs/guides/integrate/authenticated-mongodb-charts.md
@ -29,7 +29,7 @@ Configure ZITADEL as your _Custom JWT Provider_ following the [MongoDB docs](htt
 Configure the following values:
 - Signing Algorithm: RS256
 - Signing Key: JWK or JWKS URL
- JWKS: https://{your_domain}.zitadel.cloud/oauth/v2/keys
+- JWKS: https://$CUSTOM-DOMAIN/oauth/v2/keys
 - Audience: Your app's client ID which you copied when you created the ZITADEL app
 Your configuration should look similar to this:
--- a/docs/docs/guides/integrate/client-credentials.md
+++ b/docs/docs/guides/integrate/client-credentials.md
@ -41,7 +41,7 @@ You will need to craft a POST request to ZITADEL's token endpoint:
 ```bash
 curl --request POST \
-  --url https://{your_domain}.zitadel.cloud/oauth/v2/token \
+  --url https://$CUSTOM-DOMAIN/oauth/v2/token \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'Authorization: Basic ${BASIC_AUTH}' \
  --data grant_type=client_credentials \
@ -72,7 +72,7 @@ In this example we read the organization of the service user.
 ```bash
 curl --request GET \
-  --url {your-domain}/management/v1/orgs/me \
+  --url $CUSTOM-DOMAIN/management/v1/orgs/me \
  --header 'Authorization: Bearer ${TOKEN}' 
 ```
--- a/docs/docs/guides/integrate/event-api.md
+++ b/docs/docs/guides/integrate/event-api.md
@ -24,7 +24,7 @@ To further restrict your result you can add the following filters:
 ```bash
 curl --request POST \
-  --url $YOUR-DOMAIN/admin/v1/events/_search \
+  --url $CUSTOM-DOMAIN/admin/v1/events/_search \
  --header "Authorization: Bearer $TOKEN"
 ```
@ -34,7 +34,7 @@ To be able to filter for the different event types ZITADEL knows, you can reques
 ```bash
 curl --request POST \
--url $YOUR-DOMAIN/admin/v1/events/types/_search \
+--url $CUSTOM-DOMAIN/admin/v1/events/types/_search \
 --header "Authorization: Bearer $TOKEN" \
 --header 'Content-Type: application/json' \
 '
@ -70,7 +70,7 @@ To be able to filter for the different aggregate types (resources) ZITADEL knows
 ```bash
 curl --request POST \
-  --url $YOUR-DOMAIN/admin/v1/aggregates/types/_search \
+  --url $CUSTOM-DOMAIN/admin/v1/aggregates/types/_search \
  --header "Authorization: Bearer $TOKEN" \
  --header 'Content-Type: application/json'
 ```
@ -101,7 +101,7 @@ This example shows you how to get all events from users, filtered with the creat
 ```bash
 curl --request POST \
-  --url $YOUR-DOMAIN/admin/v1/events/_search \
+  --url $CUSTOM-DOMAIN/admin/v1/events/_search \
  --header "Authorization: Bearer $TOKEN" \
  --header 'Content-Type: application/json' \
  --data '{
@ -121,7 +121,7 @@ Also we include the refresh tokens in this example to know when the user has bec
 ```bash
 curl --request POST \
-  --url $YOUR-DOMAIN/admin/v1/events/_search \
+  --url $CUSTOM-DOMAIN/admin/v1/events/_search \
  --header "Authorization: Bearer $TOKEN" \
  --header 'Content-Type: application/json' \
  --data '{
@ -147,7 +147,7 @@ In this case this are the following events:
 ```bash
 curl --request POST \
-  --url $YOUR-DOMAIN/admin/v1/events/_search \
+  --url $CUSTOM-DOMAIN/admin/v1/events/_search \
  --header "Authorization: Bearer $TOKEN" \
  --header 'Content-Type: application/json' \
  --data '{
--- a/docs/docs/guides/integrate/logout.md
+++ b/docs/docs/guides/integrate/logout.md
@ -37,7 +37,7 @@ If you have specified some post_logout_redirect_uris on your client you have to
 So ZITADEL is able to read the configured redirect uris.
 ```
-GET {your_domain}/oidc/v1/end_session
+GET $CUSTOM-DOMAIN/oidc/v1/end_session
    ?id_token_hint={id_token}
    &post_logout_redirect_uri=https://rp.example.com/logged_out
    &state=random_string
--- a/docs/docs/guides/integrate/pat.md
+++ b/docs/docs/guides/integrate/pat.md
@ -41,6 +41,6 @@ In this example we read the organization of the service user.
 ```bash
 curl --request GET \
-  --url {your-domain}/management/v1/orgs/me \
+  --url $CUSTOM-DOMAIN/management/v1/orgs/me \
  --header 'Authorization: Bearer {PAT}' 
 ```
--- a/docs/docs/guides/integrate/private-key-jwt.md
+++ b/docs/docs/guides/integrate/private-key-jwt.md
@ -68,7 +68,7 @@ Payload
 {
    "iss": "100507859606888466",
    "sub": "100507859606888466",
-    "aud": "https://{your_domain}.zitadel.cloud",
+    "aud": "https://$CUSTOM-DOMAIN",
    "iat": [Current UTC timestamp, e.g. 1605179982, max. 1 hour ago],
    "exp": [UTC timestamp, e.g. 1605183582]
 }
@ -90,7 +90,7 @@ With the encoded JWT from the prior step, you will need to craft a POST request
 ```bash
 curl --request POST \
-  --url https://{your_domain}.zitadel.cloud/oauth/v2/token \
+  --url https:/$CUSTOM-DOMAIN/oauth/v2/token \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer \
  --data scope='openid profile email' \
@ -122,7 +122,7 @@ For this example let's call the userinfo endpoint to verify that our access toke
 ```bash
 curl --request POST \
-  --url https://{your_domain}.zitadel.cloud/oidc/v1/userinfo \
+  --url $CUSTOM-DOMAIN/oidc/v1/userinfo \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'Authorization: Bearer MtjHodGy4zxKylDOhg6kW90WeEQs2q...'
 ```
@ -135,7 +135,7 @@ Content-Type: application/json
 {
  "name": "MyServiceUser",
-  "preferred_username": "service_user@{your_domain}.zitadel.cloud",
+  "preferred_username": "service_user@$CUSTOM-DOMAIN",
  "updated_at": 1616417938
 }
 ```
--- a/docs/docs/guides/integrate/retrieve-user-roles.md
+++ b/docs/docs/guides/integrate/retrieve-user-roles.md
@ -83,7 +83,7 @@ Alternatively, you can include the claims `urn:iam:org:project:roles` or/and `ur
 ### Retrieve roles from the userinfo endpoint
-The user info endpoint is  **ZITADEL_DOMAIN/oidc/v1/userinfo**.
+The user info endpoint is  **$CUSTOM-DOMAIN/oidc/v1/userinfo**.
 This endpoint will return information about the authenticated user.
 Send the access token of the user as `Bearer Token` in the `Authorization` header:
@ -91,7 +91,7 @@ Send the access token of the user as `Bearer Token` in the `Authorization` heade
 **cURL Request:**
 ```bash
 curl --request GET \
- --url $ZITADEL_DOMAIN/oidc/v1/userinfo
+ --url $CUSTOM-DOMAIN/oidc/v1/userinfo
 --header 'Authorization: Bearer <TOKEN>'
 ```
@ -206,11 +206,11 @@ Let’s start with a user who has multiple roles in different organizations in a
 Returns a list of roles for the authenticated user and for the requesting project (based on the token).
-**URL: https://$ZITADEL_DOMAIN/auth/v1/permissions/me/_search**
+**URL: https://$CUSTOM-DOMAIN/auth/v1/permissions/me/_search**
 **cURL request:** 
 ```bash
-curl -L -X POST 'https://$ZITADEL_DOMAIN/auth/v1/permissions/me/_search' \
+curl -L -X POST 'https://$CUSTOM-DOMAIN/auth/v1/permissions/me/_search' \
 -H 'Accept: application/json' \
 -H 'Authorization: Bearer <TOKEN>'
 ```
@ -231,12 +231,12 @@ Returns a list of permissions the authenticated user has in ZITADEL based on the
 This request can be used if you are building a management UI. For instance, if the UI is managing users, you can show the management functionality based on the permissions the user has. Here’s an example: if the user has `user.read` and `user.write` permission you can show the edit buttons, if the user only has `user.read` permission, you can hide the edit buttons.
-**URL: https://ZITADEL_DOMAIN/auth/v1/permissions/zitadel/me/_search**
+**URL: https://$CUSTOM-DOMAIN/auth/v1/permissions/zitadel/me/_search**
 **cURL Request:** 
 ```bash
-curl -L -X POST 'https://$ZITADEL_DOMAIN/auth/v1/permissions/zitadel/me/_search' \
+curl -L -X POST 'https://$CUSTOM-DOMAIN/auth/v1/permissions/zitadel/me/_search' \
 -H 'Accept: application/json' \
 -H 'Authorization: Bearer <TOKEN>'
 ```
@ -277,12 +277,12 @@ curl -L -X POST 'https://$ZITADEL_DOMAIN/auth/v1/permissions/zitadel/me/_search'
 Returns a list of user grants the authenticated user has. User grants consist of an organization, a project and roles.
-**URL: https://$ZITADEL_DOMAIN/auth/v1/usergrants/me/_search**
+**URL: https://$CUSTOM-DOMAIN/auth/v1/usergrants/me/_search**
 **cURL request:**
 ```bash
-curl -L -X POST 'https://$ZITADEL_DOMAIN/auth/v1/usergrants/me/_search' \
+curl -L -X POST 'https://$CUSTOM-DOMAIN/auth/v1/usergrants/me/_search' \
 -H 'Content-Type: application/json' \
 -H 'Accept: application/json' \
 -H 'Authorization: Bearer <TOKEN>' \
@ -379,7 +379,7 @@ curl -L -X POST 'https://$ZITADEL_DOMAIN/auth/v1/usergrants/me/_search' \
 ### Retrieve roles using the management API
 Now we will use the management API to retrieve user roles under an admin user. 
-The base URL is: **https://$ZITADEL_DOMAIN/management/v1**
+The base URL is: **https://$CUSTOM-DOMAIN/management/v1**
 In [APIs listed under user grants in the management API](/docs/category/apis/resources/mgmt/user-grants), you will see that you can use the management API to retrieve and modify user grants. The two API paths that we are interested in to fetch user roles are given below.
@ -389,12 +389,12 @@ In [APIs listed under user grants in the management API](/docs/category/apis/res
 Returns a list of user roles that match the search queries. A user with manager permissions will call this API and will also have to reside in the same organization as the user. 
-**URL: https://$ZITADEL_DOMAIN/management/v1/users/grants/_search**
+**URL: https://$CUSTOM-DOMAIN/management/v1/users/grants/_search**
 **cURL request:** 
 ```bash
-curl -L -X POST 'https://$ZITADEL_DOMAIN/management/v1/users/grants/_search' \
+curl -L -X POST 'https://$CUSTOM-DOMAIN/management/v1/users/grants/_search' \
 -H 'Content-Type: application/json' \
 -H 'Accept: application/json' \
 -H 'Authorization: Bearer <TOKEN>' \
--- a/docs/docs/guides/integrate/services/gitlab-saml.md
+++ b/docs/docs/guides/integrate/services/gitlab-saml.md
@ -51,7 +51,7 @@ Check your application, if everything is correct, press "Create".
 Complete the configuration as follows:
- `Identity provider single sign-on URL`: {your_instance_domain}/saml/v2/SSO
+- `Identity provider single sign-on URL`: $CUSTOM-DOMAIN/saml/v2/SSO
 - `Certificate fingerprint`: You need to download the certificate from {your_instance_domain}/saml/v2/certificate and create a SHA1 fingerprint
 Save the changes.
--- a/docs/docs/guides/manage/cloud/instances.md
+++ b/docs/docs/guides/manage/cloud/instances.md
@ -56,7 +56,7 @@ A free instance can be upgraded to a "pay as you go" instance. By upgrading your
 ### Add Custom Domain
 We recommend register a custom domain to access your ZITADEL instance.
-The primary domain of your ZITADEL instance will be the issuer of the instance. All other domains can be used to access the instance itself
+The primary custom domain of your ZITADEL instance will be the issuer of the instance. All other custom domains can be used to access the instance itself
 1. Browse to your instance
 2. Click **Add custom domain**
@ -73,7 +73,7 @@ Be aware that it has some impacts if you change the primary domain of your insta
 ![Add custom domain](/img/manuals/portal/portal_add_domain.png)
-#### Verify Domain
+#### Verify Custom Domain
 If you need a custom domain for your ZITADEL instance, you need to verify the domain.
--- a/docs/docs/guides/manage/console/organizations.mdx
+++ b/docs/docs/guides/manage/console/organizations.mdx
@ -23,7 +23,7 @@ If you choose your logged in user as organization manager, a membership for the
  alt="Select Organization"
 />
-If you want to enable your customers to create their organization by themselves, we provide a creation form for a organization. `<https://{your-domain}-{random string}.zitadel.cloud/ui/login/register/org`
+If you want to enable your customers to create their organization by themselves, we provide a creation form for a organization. `<https://$CUSTOM-DOMAIN/ui/login/register/org`
 The customer needs to fill in the form with the organization name and the contact details.
 <img
--- a/docs/docs/guides/manage/customize/user-metadata.md
+++ b/docs/docs/guides/manage/customize/user-metadata.md
@ -50,7 +50,7 @@ Request the user information by calling the [userinfo endpoint](/docs/apis/openi
 ```bash
 curl --request GET \
-  --url "https://$ZITADEL_DOMAIN/oidc/v1/userinfo" \
+  --url "https://$CUSTOM-DOMAIN/oidc/v1/userinfo" \
  --header "Authorization: Bearer $ACCESS_TOKEN"
 ```
@ -166,7 +166,7 @@ If you get the error "invalid audience (APP-Zxfako)", then you need to add the r
 You can request the user's metadata with the [List My Metadata](/docs/apis/resources/auth/auth-service-list-my-metadata) method:
 ```bash
-curl -L -X POST "https://$ZITADEL_DOMAIN/auth/v1/users/me/metadata/_search" \
+curl -L -X POST "https://$CUSTOM-DOMAIN/auth/v1/users/me/metadata/_search" \
 -H 'Content-Type: application/json' \
 -H 'Accept: application/json' \
 -H "Authorization: Bearer $ACCESS_TOKEN" \
@ -188,7 +188,7 @@ curl -L -X POST "https://$ZITADEL_DOMAIN/auth/v1/users/me/metadata/_search" \
 ```
 Replace `$ACCESS_TOKEN` with your user's access token.  
-Replace `$ZITADEL_DOMAIN` with your ZITADEL instance's url.  
+Replace `$CUSTOM-DOMAIN` with your ZITADEL instance's url.  
 Replace `$METADATA_KEY` with they key you want to search for (f.e. "ContractNumber")
 :::info Get all metadata
--- a/proto/zitadel/admin.proto
+++ b/proto/zitadel/admin.proto
@ -130,7 +130,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
    consumes: "application/grpc-web+proto";
    produces: "application/grpc-web+proto";
-    host: "$ZITADEL_DOMAIN";
+    host: "$CUSTOM-DOMAIN";
    base_path: "/admin/v1";
    external_docs: {
@ -150,8 +150,8 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
 			value: {
 				type: TYPE_OAUTH2;
 				flow: FLOW_ACCESS_CODE;
-				authorization_url: "$ZITADEL_DOMAIN/oauth/v2/authorize";
+				authorization_url: "$CUSTOM-DOMAIN/oauth/v2/authorize";
-				token_url: "$ZITADEL_DOMAIN/oauth/v2/token";
+				token_url: "$CUSTOM-DOMAIN/oauth/v2/token";
        scopes: {
 					scope: {
 						key: "openid";
--- a/proto/zitadel/auth.proto
+++ b/proto/zitadel/auth.proto
@ -77,7 +77,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
    produces: "application/grpc";
    produces: "application/grpc-web+proto";
-    host: "$ZITADEL_DOMAIN";
+    host: "$CUSTOM-DOMAIN";
    base_path: "/auth/v1";
    external_docs: {
@ -97,8 +97,8 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
            value: {
                type: TYPE_OAUTH2;
                flow: FLOW_ACCESS_CODE;
-                authorization_url: "$ZITADEL_DOMAIN/oauth/v2/authorize";
+                authorization_url: "$CUSTOM-DOMAIN/oauth/v2/authorize";
-                token_url: "$ZITADEL_DOMAIN/oauth/v2/token";
+                token_url: "$CUSTOM-DOMAIN/oauth/v2/token";
                scopes: {
                    scope: {
                        key: "openid";
--- a/proto/zitadel/management.proto
+++ b/proto/zitadel/management.proto
@ -146,7 +146,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
    consumes: "application/grpc-web+proto";
    produces: "application/grpc-web+proto";
-    host: "$ZITADEL_DOMAIN";
+    host: "$CUSTOM-DOMAIN";
    base_path: "/management/v1";
    external_docs: {
@ -166,8 +166,8 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
            value: {
                type: TYPE_OAUTH2;
                flow: FLOW_ACCESS_CODE;
-                authorization_url: "$ZITADEL_DOMAIN/oauth/v2/authorize";
+                authorization_url: "$CUSTOM-DOMAIN/oauth/v2/authorize";
-                token_url: "$ZITADEL_DOMAIN/oauth/v2/token";
+                token_url: "$CUSTOM-DOMAIN/oauth/v2/token";
                scopes: {
                    scope: {
                        key: "openid";
--- a/proto/zitadel/oidc/v2beta/oidc_service.proto
+++ b/proto/zitadel/oidc/v2beta/oidc_service.proto
@ -39,7 +39,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
  consumes: "application/grpc-web+proto";
  produces: "application/grpc-web+proto";
-  host: "$ZITADEL_DOMAIN";
+  host: "$CUSTOM-DOMAIN";
  base_path: "/";
  external_docs: {
@ -52,8 +52,8 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
      value: {
        type: TYPE_OAUTH2;
        flow: FLOW_ACCESS_CODE;
-        authorization_url: "$ZITADEL_DOMAIN/oauth/v2/authorize";
+        authorization_url: "$CUSTOM-DOMAIN/oauth/v2/authorize";
-        token_url: "$ZITADEL_DOMAIN/oauth/v2/token";
+        token_url: "$CUSTOM-DOMAIN/oauth/v2/token";
        scopes: {
          scope: {
            key: "openid";
--- a/proto/zitadel/org/v2beta/org_service.proto
+++ b/proto/zitadel/org/v2beta/org_service.proto
@ -48,7 +48,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
  consumes: "application/grpc-web+proto";
  produces: "application/grpc-web+proto";
-  host: "$ZITADEL_DOMAIN";
+  host: "$CUSTOM-DOMAIN";
  base_path: "/";
  external_docs: {
@ -61,8 +61,8 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
      value: {
        type: TYPE_OAUTH2;
        flow: FLOW_ACCESS_CODE;
-        authorization_url: "$ZITADEL_DOMAIN/oauth/v2/authorize";
+        authorization_url: "$CUSTOM-DOMAIN/oauth/v2/authorize";
-        token_url: "$ZITADEL_DOMAIN/oauth/v2/token";
+        token_url: "$CUSTOM-DOMAIN/oauth/v2/token";
        scopes: {
          scope: {
            key: "openid";
--- a/proto/zitadel/session/v2beta/session_service.proto
+++ b/proto/zitadel/session/v2beta/session_service.proto
@ -42,7 +42,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
  consumes: "application/grpc-web+proto";
  produces: "application/grpc-web+proto";
-  host: "$ZITADEL_DOMAIN";
+  host: "$CUSTOM-DOMAIN";
  base_path: "/";
  external_docs: {
@ -55,8 +55,8 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
      value: {
        type: TYPE_OAUTH2;
        flow: FLOW_ACCESS_CODE;
-        authorization_url: "$ZITADEL_DOMAIN/oauth/v2/authorize";
+        authorization_url: "$CUSTOM-DOMAIN/oauth/v2/authorize";
-        token_url: "$ZITADEL_DOMAIN/oauth/v2/token";
+        token_url: "$CUSTOM-DOMAIN/oauth/v2/token";
        scopes: {
          scope: {
            key: "openid";
--- a/proto/zitadel/settings/v2beta/settings_service.proto
+++ b/proto/zitadel/settings/v2beta/settings_service.proto
@ -44,7 +44,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
  consumes: "application/grpc-web+proto";
  produces: "application/grpc-web+proto";
-  host: "$ZITADEL_DOMAIN";
+  host: "$CUSTOM-DOMAIN";
  base_path: "/";
  external_docs: {
@ -57,8 +57,8 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
      value: {
        type: TYPE_OAUTH2;
        flow: FLOW_ACCESS_CODE;
-        authorization_url: "$ZITADEL_DOMAIN/oauth/v2/authorize";
+        authorization_url: "$CUSTOM-DOMAIN/oauth/v2/authorize";
-        token_url: "$ZITADEL_DOMAIN/oauth/v2/token";
+        token_url: "$CUSTOM-DOMAIN/oauth/v2/token";
        scopes: {
          scope: {
            key: "openid";
--- a/proto/zitadel/system.proto
+++ b/proto/zitadel/system.proto
@ -49,7 +49,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
  consumes: "application/grpc-web+proto";
  produces: "application/grpc-web+proto";
-  host: "$ZITADEL_DOMAIN";
+  host: "$CUSTOM-DOMAIN";
  base_path: "/system/v1";
  external_docs: {
--- a/proto/zitadel/user/v2beta/user_service.proto
+++ b/proto/zitadel/user/v2beta/user_service.proto
@ -46,7 +46,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
  consumes: "application/grpc-web+proto";
  produces: "application/grpc-web+proto";
-  host: "$ZITADEL_DOMAIN";
+  host: "$CUSTOM-DOMAIN";
  base_path: "/";
  external_docs: {
@ -59,8 +59,8 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
      value: {
        type: TYPE_OAUTH2;
        flow: FLOW_ACCESS_CODE;
-        authorization_url: "$ZITADEL_DOMAIN/oauth/v2/authorize";
+        authorization_url: "$CUSTOM-DOMAIN/oauth/v2/authorize";
-        token_url: "$ZITADEL_DOMAIN/oauth/v2/token";
+        token_url: "$CUSTOM-DOMAIN/oauth/v2/token";
        scopes: {
          scope: {
            key: "openid";