docs: console guide (#4468)

* console guide * org * orgs, projects * applications * project, roles, authz * users, roles * app config, imgs * policy imgs * users, metadata, imgs * actions, projects, structure * css * rm overview component * rm manager from sidebar * fix some broken links, update 🦖 * fix broken links * fix img shadow * Update docs/docs/concepts/structure/applications.md Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> * policy link * link to projects guide * Update docs/docs/guides/integrate/application/review-config.mdx Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> * add external org authz guide * Update docs/docs/guides/manage/console/users.mdx Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> * link to example * readd manager structure * punto * docs: domain settings email as username * docs: links * project, application settings, screenshots * Update docs/docs/guides/manage/console/instance-settings.mdx Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> * Update docs/docs/guides/manage/console/instance-settings.mdx Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> * Update docs/docs/guides/manage/console/instance-settings.mdx Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> * Update docs/docs/guides/manage/console/instance-settings.mdx Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> * Update docs/docs/guides/manage/console/instance-settings.mdx Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> * Update docs/docs/guides/manage/console/instance-settings.mdx Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> * Update docs/docs/guides/manage/console/instance-settings.mdx Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> * Update docs/docs/guides/manage/console/instance-settings.mdx Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> * Update docs/docs/guides/manage/console/instance-settings.mdx Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> * Update docs/docs/guides/manage/console/organizations.mdx Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> * iam role * Update docs/docs/guides/manage/console/managers.mdx Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> * Update docs/docs/guides/manage/console/managers.mdx Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> * change username text * Update docs/docs/guides/manage/console/roles.mdx Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> * link example * branding changes * Update docs/docs/guides/manage/console/organizations.mdx good point 👍 Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> * docs: loginnames Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> Co-authored-by: Fabienne <fabienne.gerschwiler@gmail.com>
2025-02-28 20:37:23 +00:00 · 2022-10-06 16:22:46 +02:00 · 2022-10-06 16:22:46 +02:00 · a4bbc756d8
commit a4bbc756d8
parent c9870113f5
138 changed files with 1296 additions and 779 deletions
--- a/docs/docs/apis/openidoauth/scopes.md
+++ b/docs/docs/apis/openidoauth/scopes.md
@ -7,7 +7,7 @@ ZITADEL supports the usage of scopes as way of requesting information from the I
 ## Standard Scopes
 | Scopes         | Description                                                                    |
-|:---------------|--------------------------------------------------------------------------------|
+| :------------- | ------------------------------------------------------------------------------ |
 | openid         | When using openid connect this is a mandatory scope                            |
 | profile        | Optional scope to request the profile of the subject                           |
 | email          | Optional scope to request the email of the subject                             |
@ -24,7 +24,7 @@ In addition to the standard compliant scopes we utilize the following scopes.
 | Scopes                                            | Example                                                | Description                                                                                                                                                                                                                                                           |
 |:--------------------------------------------------|:-------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `urn:zitadel:iam:org:project:role:{rolekey}`      | `urn:zitadel:iam:org:project:role:user`                | By using this scope a client can request the claim urn:zitadel:iam:roles to be asserted when possible. As an alternative approach you can enable all roles to be asserted from the [project](../../guides/manage/console/projects) a client belongs to.               |
+| `urn:zitadel:iam:org:project:role:{rolekey}`      | `urn:zitadel:iam:org:project:role:user`                | By using this scope a client can request the claim urn:zitadel:iam:roles to be asserted when possible. As an alternative approach you can enable all roles to be asserted from the [project](../../guides/manage/console/roles#authorizations) a client belongs to.               |
 | `urn:zitadel:iam:org:id:{id}`                     | `urn:zitadel:iam:org:id:178204173316174381`            | When requesting this scope **ZITADEL** will enforce that the user is a member of the selected organization. If the organization does not exist a failure is displayed. It will assert the `urn:zitadel:iam:user:resourceowner` claims.                                |
 | `urn:zitadel:iam:org:domain:primary:{domainname}` | `urn:zitadel:iam:org:domain:primary:acme.ch`           | When requesting this scope **ZITADEL** will enforce that the user is a member of the selected organization. If the organization does not exist a failure is displayed                                                                                                 |
 | `urn:zitadel:iam:role:{rolename}`                 |                                                        |                                                                                                                                                                                                                                                                       |
--- a/docs/docs/concepts/features/selfservice.md
+++ b/docs/docs/concepts/features/selfservice.md
@ -5,10 +5,10 @@ title: Self-Service
 ZITADEL allows users to perform many tasks themselves.
 For these tasks we either provide an user interface, or the tasks can be initiated or completed through ZITADEL's APIs.
-It is important to understand that, depending on your use case, there will exist different user-types that want to perform different actions:  
+It is important to understand that, depending on your use case, there will exist different user-types that want to perform different actions:
 - `Users` are the end-users of your application. Like with any CIAM solution, users should be able to perform tasks like register/join, update their profile, manage authenticators etc. There are certain actions that can be executed pre-login, yet others require the user to have a valid session.
- `Managers` are users with a [special manager role within ZITADEL](/docs/concepts/structure/managers) and can perform administrative actions such as system configuration or granting access rights to users.
+- `Managers` are users with a [special manager role](../../guides/manage/console/managers) within ZITADEL and can perform administrative actions such as system configuration or granting access rights to users.
 All self-service interfaces are available in different [languages](/docs/guides/manage/customize/texts#internationalization).
@ -49,7 +49,7 @@ An external identity provider can be a Social Login Provider or a pre-configured
 #### Account Linking
-When you login with an external identity provider, and the user does not exist in ZITADEL, then an autoregister flow is triggered. The user is presented with two options: 
+When you login with an external identity provider, and the user does not exist in ZITADEL, then an autoregister flow is triggered. The user is presented with two options:
 - Create a new account: A new account will be created as stated above
 - Autolinking: The user is prompted to login with an existing [local account](#local-account). If successful, the existing identity from the external identity provider will be linked with the local account. A user can now login with either the local account or any of the linked external accounts.
@ -138,7 +138,7 @@ A client can also implement this, by calling the [specific endpoint](/docs/apis/
 ## Profile
 These actions are available for authenticated users only.
-ZITADEL provides a self-service UI for the user profile out-of-the box under the path *{your_domain}/ui/console/users/me*.
+ZITADEL provides a self-service UI for the user profile out-of-the box under the path _{your_domain}/ui/console/users/me_.
 You can also implement your own version in your application by using our APIs.
 ### Change password
@ -193,7 +193,7 @@ Thus we will explain service for two very common scenarios in ZITADEL:
 - `Managers in isolation`: Granting administrative permissions within a single organization context.
 - `Managers in delegation`: Granting administrative permissions to a user from a different organization where the organizations depend on each other
-A list of [Manager Roles](/docs/concepts/structure/managers#roles) is available with a description of permissions.
+A list of [Manager Roles](../../guides/manage/console/managers#roles) is available with a description of permissions.
 Managers can be assigned to both human users and service users eg, for managing certain tasks programmatically.
 ### Managers in isolation
--- a/docs/docs/concepts/structure/_granted_project_description.mdx
+++ b/docs/docs/concepts/structure/_granted_project_description.mdx
@ -1,17 +0,0 @@
 ![Organization Grant](/img/concepts/objects/organization_grants.png)
 With ZITADEL you can grant selected roles within your project to an organization. The receiving organization can then create authorizations for their users on their own (self-service).
 An example could be a service provider that offers a SaaS solution that has different permissions for employees working in Sales and Accounting. As soon as a new client purchases the service, the provider could grant the roles ‘sales’ and ‘accounting’ to that organization, allowing them to self-manage how they want to allocate the roles to their users.
 The process of assigning certain roles by default or according to rules can be further automated by utilizing Service Users in the service provider’s business process.
 Obviously, your organization can grant projects and receive projects. When you are granting, then the receiving organization will be displayed in the section GRANTED ORGANIZATIONS of your project.
 ![Project granted to organization](/img/console_projects_granted.png)
 A granted project, on the other hand, belongs to a third party, granting you some rights to manage certain roles of their project. ZITADEL Console shows granted projects in a dedicated navigation menu, to clearly separate from your organization’s projects.
 ![Granted Projects Overview](/img/console_granted_projects_overview.png)
 Please note that you can also grant selected roles of a project to an individual user, instead of an organization. We will discuss this in more detail in a later section.
--- a/docs/docs/concepts/structure/_manager_description.mdx
+++ b/docs/docs/concepts/structure/_manager_description.mdx
@ -0,0 +1,7 @@
 ZITADEL Managers are Users who have permission to manage ZITADEL itself. This means that those users are allowed to login into your instance console and edit certain parts of the configuration.
 There are some different levels for managers.
 - **IAM Managers**: This is the highest level. Users with IAM Manager roles are able to manage the whole Instance.
 - **Org Managers**: Managers in the Organization Level are able to manage everything within the granted Organization.
 - **Project Mangers**: In this level the user is able to manage a project.
 - **Project Grant Manager**: The project grant manager is for projects, which are granted of another organization.
--- a/docs/docs/concepts/structure/_project_description.mdx
+++ b/docs/docs/concepts/structure/_project_description.mdx
@ -4,9 +4,7 @@ The idea of projects is to have a vessel for all components who are closely rela
 All applications within a project share the same roles, grants, and authorizations:
-* **Applications** is your software that initiates the authorization flow. This could be a web app and a mobile app that share the same roles.
+- **Applications** is your software that initiates the authorization flow. This could be a web app and a mobile app that share the same roles.
-* **Roles** are a means of managing user access rights for a project.
+- **Roles** are a means of managing user access rights for a project.
-* **Authorizations** define which users have which roles. Authorizations are also called “user grants”.
+- **Authorizations** define which users have which roles. Authorizations are also called “user grants”.
-* **Granted Organizations** can manage selected roles for your project on their own.
+- **Granted Organizations** can manage selected roles for your project on their own.
 ![Organization grant](/img/console_projects_overview.png)
--- a/docs/docs/concepts/structure/applications.md
+++ b/docs/docs/concepts/structure/applications.md
@ -2,21 +2,8 @@
 title: Applications
 ---
 # Applications
-Applications are the entry point to your project. Users either login into one of your clients and interact with them directly or use one of your API, maybe without even knowing. All applications share the roles and authorizations of their project.
+Applications are the entry point to your project. Users either login into one of your clients and interact with them directly or use one of your APIs. All applications share the roles and authorizations of their project.
-## Application Types 
+To read more about available authentication types and how to setup applications, read this guide [here](../../guides/manage/console/applications)
 At the moment ZITADEL differs between three client types (with user interaction):
 - Web (Server-side web applications such as java, .net, ...)
 - Native (native, mobile or desktop applications)
 - User Agent (single page applications / SPA, generally JavaScript executed in the browser)
 As a fourth option there's the API (OAuth Resource Server), which generally has no direct user-interaction.
 Depending on the app type registered, there are small differences in the possible settings.
 Please read the following guide about the
 [different-client-profiles](../../guides/integrate/oauth-recommended-flows.md#different-client-profiles).
--- a/docs/docs/concepts/structure/granted_projects.md
+++ b/docs/docs/concepts/structure/granted_projects.md
@ -4,6 +4,10 @@ title: Granted Projects
 # Granted Project
-import GrantedProjectDescription from './_granted_project_description.mdx';
+![Organization Grant](/img/concepts/objects/organization_grants.png)
-<GrantedProjectDescription name="GrantedProjectDescription" />
+With ZITADEL you can grant selected roles within your project to an organization. The receiving organization can then create authorizations for their users on their own (self-service).
 An example could be a service provider that offers a SaaS solution that has different permissions for employees working in Sales and Accounting. As soon as a new client purchases the service, the provider could grant the roles ‘sales’ and ‘accounting’ to that organization, allowing them to self-manage how they want to allocate the roles to their users.
 To learn more about how to setup Project grants, read this guide [here](../../guides/manage/console/projects#grant-a-project)
--- a/docs/docs/concepts/structure/instance.md
+++ b/docs/docs/concepts/structure/instance.md
@ -1,8 +0,0 @@
 ---
 title: Instance
 ---
 import InstanceDescription from './_instance_description.mdx';
 <InstanceDescription name="InstanceDescription" />
--- a/docs/docs/concepts/structure/instance.mdx
+++ b/docs/docs/concepts/structure/instance.mdx
@ -0,0 +1,9 @@
 ---
 title: Instance
 ---
 import InstanceDescription from './\_instance_description.mdx';
 <InstanceDescription name="InstanceDescription" />
 More about how to configure your instance read our [instance guide](../../guides/manage/console/instance-settings).
--- a/docs/docs/concepts/structure/managers.md
+++ b/docs/docs/concepts/structure/managers.md
@ -1,33 +0,0 @@
 ---
 title: Managers
 ---
 ZITADEL Managers are Users who have permission to manage ZITADEL itself. There are some different levels for managers.
 - **IAM Managers**: This is the highest level. Users with IAM Manager roles are able to manage the whole IAM.
 - **Org Managers**: Managers in the Organization Level are able to manage everything within the granted Organization.
 - **Project Mangers**: In this level the user is able to manage a project.
 - **Project Grant Manager**: The project grant manager is for projects, which are granted of another organization.
 To configure managers in ZITADEL go to the resource where you like to add it (e.g IAM, Organization, Project, GrantedProject).
 In the right part of the console you can finde **MANAGERS** in the details part. Here you have a list of the current managers and can add a new one.
 ## Roles
 | Role   | Description   |
 |---|---|
 | IAM_OWNER  | Manage the IAM, manage all organizations with their content  |
 | IAM_OWNER_VIEWER  | View the IAM and view all organizations with their content |
 | IAM_ORG_MANAGER  | Manage all organizations including their policies, projects and users |
 | IAM_USER_MANAGER  | Manage all users and their authorizations over all organizations |
 | ORG_OWNER  | Manage everything within an organization  |
 | ORG_OWNER_VIEWER  | View everything within an organization  |
 | ORG_USER_MANAGER  | Manage users and their authorizations within an organization |
 | ORG_USER_PERMISSION_EDITOR  | Manage user grants and view everything needed for this  |
 | ORG_PROJECT_PERMISSION_EDITOR  | Grant Projects to other organizations and view everything needed for this  |
 | ORG_PROJECT_CREATOR  | This role is used for users in the global organization. They are allowed to create projects and manage them.  |
 | PROJECT_OWNER  | Manage everything within a project. This includes to grant users for the project.  |
 | PROJECT_OWNER_VIEWER  | View everything within a project.|
 | PROJECT_OWNER_GLOBAL  | Same as PROJECT_OWNER, but in the global organization. |
 | PROJECT_OWNER_VIEWER_GLOBAL  | Same as PROJECT_OWNER_VIEWER, but in the global organization. |
 | PROJECT_GRANT_OWNER  | Same as PROJECT_OWNER but for a granted proejct. |
--- a/docs/docs/concepts/structure/managers.mdx
+++ b/docs/docs/concepts/structure/managers.mdx
@ -0,0 +1,9 @@
 ---
 title: Managers
 ---
 import ManagerDescription from "./_manager_description.mdx";
 <ManagerDescription name="ManagerDescription" />
 To read more on how managers are created and which roles exist read the console guide [here](../../guides/manage/console/managers).
--- a/docs/docs/concepts/structure/organizations.md
+++ b/docs/docs/concepts/structure/organizations.md
@ -6,7 +6,4 @@ import OrgDescription from './_org_description.mdx';
 <OrgDescription name="OrgDescription" />
-## Global Organization
+More about how to configure your organization read our [organization guide](../../guides/manage/console/organizations).
 In each ZITADEL system you will have a Global organization. If a user registers himself and no specific domain is given he will land in the Global organization.
 Users in the Global Organization are managed by themselves and not by the organization manager.
--- a/docs/docs/concepts/structure/overview.md
+++ b/docs/docs/concepts/structure/overview.md
@ -15,4 +15,3 @@ More details on the specific objects:
 - [Applications](./applications)
 - [Granted Projects](./granted_projects)
 - [Users](./users)
 - [Managers](./managers)
--- a/docs/docs/concepts/structure/policies.md
+++ b/docs/docs/concepts/structure/policies.md
@ -3,170 +3,6 @@ title: Settings/Policies
 ---
 Settings and policies are configurations of all the different parts of the Instance or an organization. For all parts we have a suitable default in the Instance.
-The default configuration can be overridden for each organization, some policies are currently only available on the instance level. If thats the case it will be mentioned on the descriptions below.
+The default configuration can be overridden for each organization, some policies are currently only available on the instance level. Learn more about our different policies [here](../../guides/manage/console/instance-settings.mdx).
-You can find these settings in the instance page under settings, or on a specific organization menu organization in the section policies.
+API wise, settings are often called policies. You can read the proto and swagger definitions [here](../../apis/introduction.mdx).
 Each policy can be overridden and reset to the default.
 ## General
 :::info
 Only available on the instance settings
 :::
 At the moment general settings is only one configuration. This defines the default language of the whole instance.
 ![General Settings](/img/console_instance_policy_general.png)
 ## Notification
 :::info
 Only available on the instance settings
 :::
 In the notification settings you can configure your SMTP and an SMS Provider. At the moment only Twilio is available as SMS provider.
 ### SMTP 
 On each instance we configure our default SMTP provider. To make sure, that you only send some E-Mails from domains you own. You need to add a custom domain on your instance.
 Go to the ZITADEL [customer portal](https://zitadel.cloud) to configure a custom domain. 
 ![Notification Providers](/img/console_instance_policy_notification.png)
 ### SMS
 No default provider is configured to send some sms to your users. If you like to validate the phone numbers of your users make sure to add your twilio configuration.
 ![Notification Providers](/img/console_instance_policy_notification_twilio.png)
 ## Login Policy
 The Login Policy defines how the login process should look like and which authentication options a user has to authenticate.
 | Setting | Description |
 | --- | --- |
 | Register allowed | Enable self register possibility in the login ui |
 | Username Password allowed | Possibility to login with username and password |
 | External IDP allowed | Possibility to login with an external identity (e.g Google, Microsoft, Apple, etc)|
 | Force MFA | Force a user to register and use a multifactor authentication |
 | Passwordless | Choose if passwordless login is allowed or not |
 ![Login Policy](/img/manuals/policies/console_org_login.png)
 ### Passwordless
 Passwordless authentication means that the user doesn't need to enter a password to login. In our case the user has to enter his loginname and as the next step proof the identity through a registered device or token.
 There are two different types one is depending on the device (e.g. Fingerprint, Face recognition, WindowsHello) and the other is independent (eg. Yubikey, Solokey).
 ### Multifactor
 In the multifactors section you can configure what kind of multifactors should be allowed. For passwordless to work, it's required to enable U2F (Universial Second Factor) with PIN. There is no other option at the moment.
 Multifactors:
 - U2F (Universal Second Factor) with PIN
 Secondfactors:
 - OTP (One Time Password)
 - U2F (Universal Second Factor)
 ![Second- and Multifactors](/img/manuals/policies/console_org_second_and_multi_factors.png)
 ## Password Complexity
 With the password complexity policy you can define the requirements for a users password.
 The following properties can be set:
 - Minimum Length
 - Has Uppercase
 - Has Lowercase
 - Has Number
 - Has Symbol
 ![Password Complexity Policy](/img/manuals/policies/console_org_pw_complexity.png)
 ## Lockout Policy
 Define when an account should be locked.
 The following settings are available:
 - Maximum Password Attempts: When the user has reached the maximum password attempts the account will be locked
 If an account is locked, the administrator has to unlock it in the ZITADEL console
 ## Identity Providers
 You can configure all kinds of external identity providers for identity brokering, which support OIDC (OpenID Connect).
 Create a new identity provider configuration and enable it in the list afterwards.
 For a detailed guide about how to configure a new identity provider for identity brokering have a look at our guide:
 [Identity Brokering](../../guides/integrate/identity-brokering)
 ## Domain policy
 In the domain policy you have two different settings.
 One is the "user_login_must_be_domain", by setting this all the users within an organisation will be suffixed with the domain of the organisation.
 The second is "validate_org_domains" if this is set to true all created domains on an organisation must be verified per acme challenge.
 More about how to verify a domain [here](../../guides/manage/console/organizations#domain-verification-and-primary-domain).
 If it is set to false, all registered domain will automatically be created as verified and the users will be able to use the domain for login.
 ## Branding
 With private labeling you can brand and customize your login page and emails, that it matches your CI/CD.
 You can configure a light and a dark design.
 Make sure you click the "Set preview as current configuration" button after you finish your configuration. Before this it will only be set as your preview configuration.
 | Setting | Description |
 | --- | --- |
 | Logo | Upload your logo for the light and the dark design. |
 | Colors | You can set four different colors to design your login page and email. (Background-, Primary-, Warn- and Font Color) |
 | Font | Upload your custom font |
 | Hide Loginname suffix | If enabled,  your loginname suffix (Domain) will not be shown in the login page |
 | Disable Watermark | If you disable the watermark you will not see the "Powered by ZITADEL" in the login page |
 ![Private Labeling](/img/console_private_labeling.png)
 ## Privacy Policy and TOS
 Each organization is able to configure its own privacy policy, terms of service and help.
 A link to the current policies can be provided. On register each user has to accept these policies.
 By clicking on an input field you can see the language attribute to integrate into a link, for the possibility to have different links for different languages.
 The language of the user will be set into the url.
 Example:
 https://demo.com/tos-{{.Lang}}
 ![Privacy Policy](/img/manuals/policies/console_org_privacy.png)
 ## OIDC token lifetime and expiration
 :::info
 Only available on the instance settings
 :::
 Configure how long the different oidc tokens should life.
 You can set the following times:
 - Access Token Lifetime
 - ID Token Lifetime
 - Refresh Token Expiration
 - Refresh Token Idle Expiration
 ![OIDC Token Lifetimes](/img/manuals/policies/console_policy_oidc.png)
 ## Secret appearance
 :::info
 Only available on the instance settings
 :::
 ZITADEL has some different codes and secrets, that can be specified.
 You can configure what kind of characters should be included, how long the secret should be and the expiration.
 The following secrets can be configured:
 - Initialization Mail Code
 - Email verification code
 - Phone verification code
 - Password reset code
 - Passwordless initialization code
 - Application secrets
 ![OIDC Token Lifetimes](/img/manuals/policies/console_policy_secrets.png)
--- a/docs/docs/concepts/structure/projects.md
+++ b/docs/docs/concepts/structure/projects.md
@ -4,27 +4,15 @@ title: Projects
 # Project
-import ProjectDescription from './_project_description.mdx';
+import ProjectDescription from './\_project_description.mdx';
 <ProjectDescription name="ProjectDescription" />
-## Project Settings
+To learn how to set up a project read this console guide [here](../../guides/manage/console/projects.mdx).
 On default the login screen will be shown in the private labeling settings of the system.
 With the [primary domain scope](../../apis/openidoauth/scopes#reserves-scopes) it is possible to trigger the setting of the given organization. 
 But this will also restrict, the login to user of the given organization.  
 With the private labeling setting it is possible to choose which settings should trigger.
 | Setting | Description |
 | --- | --- |
 | Unspecified | If nothing is specified the default will trigger. (System settings) |
 | Enforce project resource owner policy | This setting will enforce the private labeling of the organization (resource owner) of the project through the whole login process. |
 | Allow Login User resource owner policy | With this setting first the private labeling of the organization (resource owner) of the project will trigger. As soon as the user and its organization (resource owner) is identified by ZITADEL, the settings will change to the organization of the user. |
 ## Applications
-Applications define the different clients, that share the same roles. 
+Applications define the different clients, that share the same roles.
 At the moment we support OIDC and almost every OAuth2 client. We'll be expanding this with SAML shortly.
 Go to [Applications](./applications) for more details.
@ -40,15 +28,7 @@ More about granted projects: [Granted Projects](./granted_projects)
 ## Roles
 A role consists of different attributes. Only the key is relevant to the authorization and must therefore be unique.
-The display name is only to provide a human-readable name if needed. 
+The display name is only to provide a human-readable name if needed.
 And the group should enable a better handling in ZITADEL console, like give a user all the roles of a specific group. (Not implemented yet)
-All applications in a project share the roles.
+All applications in a project share the roles. Read more about roles [here](../../guides/manage/console/roles)
 ### Role specific Project Settings
 | Setting | Description |
 | --- | --- |
 | Assert roles on authentication | If this setting is enabled role information is sent from userinfo endpoint and depending on your application settings in tokens and other types.  |
 | Check roles on authentication | If set, users are only allowed to authenticate if any role is assigned to their account. |
 | Check for project on authentication | The user will only be able to authenticate if his organization is the owner or has a grant to the project. |
--- a/docs/docs/concepts/structure/users.md
+++ b/docs/docs/concepts/structure/users.md
@ -5,3 +5,6 @@ title: Users
 import UserDescription from './_user_description.mdx';
 <UserDescription name="UserDescription" />
 More about how to manage your users read our [users guide](../../guides/manage/console/users).
--- a/docs/docs/guides/integrate/access-zitadel-apis.md
+++ b/docs/docs/guides/integrate/access-zitadel-apis.md
@ -8,15 +8,14 @@ This guide focuses on the Admin, Auth and Management APIs. To access the ZITADEL
 ## ZITADEL Managers
-ZITADEL Managers are Users who have permission to manage ZITADEL itself. There are some different levels for managers. 
+ZITADEL Managers are Users who have permission to manage ZITADEL itself. There are some different levels for managers.
- **IAM Managers**: This is the highest level. Users with IAM Manager roles are able to manage the whole instance. 
+- **IAM Managers**: This is the highest level. Users with IAM Manager roles are able to manage the whole instance.
 - **Org Managers**: Managers in the Organization Level are able to manage everything within the granted Organization.
 - **Project Mangers**: In this level the user is able to manage a project.
 - **Project Grant Manager**: The project grant manager is for projects, which are granted of another organization.
-On each level we have some different Roles. Here you can find more about the different roles: [ZITADEL Manager Roles](../../concepts/structure/managers.md)
+On each level we have some different Roles. Here you can find more about the different roles: [ZITADEL Manager Roles](../../guides/manage/console/managers#roles)
 ## Add ORG_OWNER to Service User
@ -52,11 +51,11 @@ curl --request POST \
  --data assertion=eyJ0eXAiOiJKV1QiL...
 ```
-* `grant_type` must be set to `urn:ietf:params:oauth:grant-type:jwt-bearer`
+- `grant_type` must be set to `urn:ietf:params:oauth:grant-type:jwt-bearer`
-* `scope` should contain any [Scopes](../../apis/openidoauth/scopes) you want to include, but must include `openid`. For this example, please include `profile` and `email`
+- `scope` should contain any [Scopes](../../apis/openidoauth/scopes) you want to include, but must include `openid`. For this example, please include `profile` and `email`
-* `assertion` is the encoded value of the JWT that was signed with your private key from the prior step
+- `assertion` is the encoded value of the JWT that was signed with your private key from the prior step
-You should receive a successful response with `access_token`,  `token_type` and time to expiry in seconds as `expires_in`.
+You should receive a successful response with `access_token`, `token_type` and time to expiry in seconds as `expires_in`.
 ```bash
 HTTP/1.1 200 OK
@ -73,10 +72,10 @@ With this token you are allowed to access the [ZITADEL APIs](../../apis/introduc
 ## Summary
-* Grant a user for ZITADEL
+- Grant a user for ZITADEL
-* Because there is no interactive logon, you need to use a JWT signed with your private key to authorize the user
+- Because there is no interactive logon, you need to use a JWT signed with your private key to authorize the user
-* With a custom scope (`urn:zitadel:iam:org:project:id:zitadel:aud`) you can access ZITADEL APIs
+- With a custom scope (`urn:zitadel:iam:org:project:id:zitadel:aud`) you can access ZITADEL APIs
 Where to go from here:
-* [ZITADEL API Documentation](../../apis/introduction)
+- [ZITADEL API Documentation](../../apis/introduction)
--- a/docs/docs/guides/integrate/application/application.mdx
+++ b/docs/docs/guides/integrate/application/application.mdx
@ -1,38 +1,46 @@
-import ThemedImage from '@theme/ThemedImage';
+import ThemedImage from "@theme/ThemedImage";
-import AuthType from './auth-type.mdx';
+import AuthType from "./auth-type.mdx";
-import RedirectURIs from './redirect-uris.mdx';
+import RedirectURIs from "./redirect-uris.mdx";
-import GenerateKey from './generate-key.mdx';
+import GenerateKey from "./generate-key.mdx";
-import ReviewConfig from './review-config.mdx';
+import ReviewConfig from "./review-config.mdx";
 export default function CreateApp(props) {
-    return (
+  return (
-        <div>
+    <div>
-            <h3>Create the {props.appName ? props.appName + " app" : "application"}</h3>
+      <h3>
-            <p>Go to the detail page of your project and click the "+"-button in the application-section. This will lead you to the the creation wizard.</p>
+        Create the {props.appName ? props.appName + " app" : "application"}
-            <ThemedImage
+      </h3>
-                alt={"create " + props.appType + " preview"} 
+      <p>
-                sources={{
+        Go to the detail page of your project and click the "+"-button in the
-                    light: '/img/guides/application/new-app-in-project-light.png',
+        application-section. This will lead you to the the creation wizard.
-                    dark: '/img/guides/application/new-app-in-project-dark.png'
+      </p>
-                }}
+      <img
-            />
+        alt="Add application"
-            <p>Create the app by setting a name and select the application type "Web"</p>
+        src="/img/guides/console/addapplication.png"
-            <ThemedImage
+        width="120px"
-                alt={"create " + props.appType + " preview"} 
+      />
-                sources={{
+      <p>
-                    light: '/img/guides/application/create-' + props.appType + '-app-light.png',
+        Create the app by setting a name and select the application type "Web"
-                    dark: '/img/guides/application/create-' + props.appType + '-app-dark.png'
+      </p>
-                }}
+      <img
-            />
+        alt={"create " + props.appType + " preview"}
-            <h3>Select the authentication method</h3>
+        src={"/img/guides/application/create-" + props.appType + "-app.png"}
-            <p>The authentication method defines the communication flow during a login</p>
+      />
-            <AuthType appType={props.appType} authType={props.authType}/>
+      <h3>Select the authentication method</h3>
-            <h3>Redirect URIs</h3>
+      <p>
-            <RedirectURIs appType={props.appType} redirectURI={props.redirectURI} postLogoutURI={props.postLogoutURI}/>
+        The authentication method defines the communication flow during a login
-            <h3>Review your configuration</h3>
+      </p>
-            <ReviewConfig appType={props.appType} authType={props.authType} />
+      <AuthType appType={props.appType} authType={props.authType} />
-            <h3>Create key for private key JWT</h3>
+      <h3>Redirect URIs</h3>
-            <GenerateKey appType={props.appType} authType={props.authType} />
+      <RedirectURIs
-        </div>
+        appType={props.appType}
-    );
+        redirectURI={props.redirectURI}
-}
+        postLogoutURI={props.postLogoutURI}
      />
      <h3>Review your configuration</h3>
      <ReviewConfig appType={props.appType} authType={props.authType} />
      <h3>Create key for private key JWT</h3>
      <GenerateKey appType={props.appType} authType={props.authType} />
    </div>
  );
 }
--- a/docs/docs/guides/integrate/application/auth-type.mdx
+++ b/docs/docs/guides/integrate/application/auth-type.mdx
@ -1,177 +1,186 @@
-import ThemedImage from '@theme/ThemedImage';
+import ThemedImage from "@theme/ThemedImage";
 export default function AuthType(props) {
-    return (
+  return <div>{defaultAuthTypes(props.appType, props.authType)}</div>;
        <div>
            {defaultAuthTypes(props.appType, props.authType)}
        </div>
    );
 }
 export function defaultAuthTypes(appType, authType) {
-    let rows;
+  let rows;
-    switch (appType) {
+  switch (appType) {
-        case 'web':
+    case "web":
-            rows = web(authType);
+      rows = web(authType);
-            break;
+      break;
-        case 'user-agent':
+    case "user-agent":
-            rows = userAgent(authType);
+      rows = userAgent(authType);
-            break;
+      break;
-        break;
+      break;
-        case 'api':
+    case "api":
-            rows = api(authType);
+      rows = api(authType);
-            break;
+      break;
-        break;
+      break;
-        case 'native':
+    case "native":
-            rows = native();
+      rows = native();
-            break;
+      break;
-        default:
+    default:
-            return null
+      return null;
-            break;
+      break;
-    }
+  }
-    return (
+  return (
-        <table>
+    <table>
-            <tbody>
+      <tbody>{rows.map((fn) => fn())}</tbody>
-                {rows.map((fn) => fn())}
+    </table>
-            </tbody>
+  );
        </table>
    );
 }
 export const web = (typ) => {
-    switch (typ) {
+  switch (typ) {
-        case 'pkce':
+    case "pkce":
-            return [pkce];
+      return [pkce];
-        case 'code':
+    case "code":
-            return [code];
+      return [code];
-        case 'jwt':
+    case "jwt":
-            return [jwt];
+      return [jwt];
-        case 'post':
+    case "post":
-            return [post];
+      return [post];
-    }
+  }
-    return [pkce, code, jwt, post]
+  return [pkce, code, jwt, post];
-}
+};
 export const userAgent = (typ) => {
-    switch (typ) {
+  switch (typ) {
-        case 'pkce':
+    case "pkce":
-            return [pkce];
+      return [pkce];
-        case 'implicit':
+    case "implicit":
-            return [implicit];
+      return [implicit];
-    }
+  }
-    return [pkce, implicit]
+  return [pkce, implicit];
-}
+};
 export const api = (typ) => {
-    switch (typ) {
+  switch (typ) {
-        case 'jwt':
+    case "jwt":
-            return [jwt];
+      return [jwt];
-        case 'basic':
+    case "basic":
-            return [basic];
+      return [basic];
-    }
+  }
-    return [jwt, basic]
+  return [jwt, basic];
-}
+};
 export const native = () => {
-    return [() => <tr key="native">
+  return [
    () => (
      <tr key="native">
        <td>
-            Native only supports code authentication type, that's why you don't have to select any
+          Native only supports code authentication type, that's why you don't
          have to select any
        </td>
-    </tr>]
+      </tr>
-}
+    ),
  ];
 };
-export const pkce = () => <tr key="pkce">
+export const pkce = () => (
-        <td>
+  <tr key="pkce">
-            <ThemedImage
+    <td>
-            alt="pkce preview"
+      <img
-            sources={{
+        width="300px"
-                light: '/img/guides/application/pkce-logo-light.png',
+        src="/img/guides/application/pkce-logo-dark.png"
-                dark: '/img/guides/application/pkce-logo-dark.png'
+        alt="pkce preview"
-            }}
+      />
-            />
+    </td>
-        </td>
+    <td>
-        <td>
+      <h4>PKCE</h4>
-            <h4>PKCE</h4>
+      <p>Recommended because it's the most secure.</p>
-            <p>Recommended because it's the most secure.</p>
+    </td>
-        </td>
+  </tr>
-    </tr>
+);
-export const code = () => <tr key="code">
+export const code = () => (
-      <td>
+  <tr key="code">
-        <ThemedImage
+    <td>
-          alt="code preview"
+      <img
-          sources={{
+        width="300px"
-            light: '/img/guides/application/code-logo-light.png',
+        src="/img/guides/application/code-logo-dark.png"
-            dark: '/img/guides/application/code-logo-dark.png'
+        alt="code preview"
-          }}
+      />
-        />
+    </td>
-      </td>
+    <td>
-      <td>
+      <h4>Code</h4>
-        <h4>Code</h4>
+      <p>Use if your application needs client id and client secret</p>
-        <p>Use if your application needs client id and client secret</p>
+    </td>
-      </td>
+  </tr>
-    </tr>
+);
-export const jwt = () => <tr key="jwt">
+export const jwt = () => (
-      <td>
+  <tr key="jwt">
-        <ThemedImage
+    <td>
-          alt="jwt preview"
+      <img
-          sources={{
+        width="300px"
-            light: '/img/guides/application/jwt-logo-light.png',
+        src="/img/guides/application/jwt-logo-dark.png"
-            dark: '/img/guides/application/jwt-logo-dark.png'
+        alt="jwt preview"
-          }}
+      />
-        />
+    </td>
-      </td>
+    <td>
-      <td>
+      <h4>(Private Key) JWT</h4>
-        <h4>(Private Key) JWT</h4>
+      <p>
-        <p>Key file to authorize your application. You can create keys after created the application see <a href="#create-key-for-private-key-jwt">below</a></p>
+        Key file to authorize your application. You can create keys after
-      </td>
+        created the application see{" "}
-    </tr>
+        <a href="#create-key-for-private-key-jwt">below</a>
      </p>
    </td>
  </tr>
 );
-export const post = () => <tr key="post">
+export const post = () => (
-      <td>
+  <tr key="post">
-        <ThemedImage
+    <td>
-          alt="post preview"
+      <img
-          sources={{
+        width="300px"
-            light: '/img/guides/application/post-logo-light.png',
+        src="/img/guides/application/post-logo-dark.png"
-            dark: '/img/guides/application/post-logo-dark.png'
+        alt="post preview"
-          }}
+      />
-        />
+    </td>
-      </td>
+    <td>
-      <td>
+      <h4>Post</h4>
-        <h4>Post</h4>
+      <p>
-        <p>Only use if you have no other possibilities. Client id and client secret in request body</p>
+        Only use if you have no other possibilities. Client id and client secret
-      </td>
+        in request body
-    </tr>
+      </p>
    </td>
  </tr>
 );
-export const implicit = () => <tr key="implicit">
+export const implicit = () => (
-      <td>
+  <tr key="implicit">
-        <ThemedImage
+    <td>
-          alt="implicit preview"
+      <img
-          sources={{
+        width="300px"
-            light: '/img/guides/application/implicit-logo-light.png',
+        src="/img/guides/application/implicit-logo-dark.png"
-            dark: '/img/guides/application/implicit-logo-dark.png'
+        alt="Implicit preview"
-          }}
+      />
-        />
+    </td>
-      </td>
+    <td>
-      <td>
+      <h4>Implicit</h4>
-        <h4>Implicit</h4>
+      <p>
-        <p>Only use if you have no other possibilities. The flow is objective to be removed.</p>
+        Only use if you have no other possibilities. The flow is objective to be
-      </td>
+        removed.
-    </tr>
+      </p>
    </td>
  </tr>
 );
-export const basic = () => <tr key="basic">
+export const basic = () => (
-      <td>
+  <tr key="basic">
-        <ThemedImage
+    <td>
-          alt="basic preview"
+      <img
-          sources={{
+        width="300px"
-            light: '/img/guides/application/basic-logo-light.png',
+        src="/img/guides/application/basic-logo-dark.png"
-            dark: '/img/guides/application/basic-logo-dark.png'
+        alt="Basic preview"
-          }}
+      />
-        />
+    </td>
-      </td>
+    <td>
-      <td>
+      <h4>Basic</h4>
-        <h4>Basic</h4>
+      <p>The application sends username and password</p>
-        <p>The application sends username and password</p>
+    </td>
-      </td>
+  </tr>
-    </tr>
+);
--- a/docs/docs/guides/integrate/application/generate-key.mdx
+++ b/docs/docs/guides/integrate/application/generate-key.mdx
@ -1,18 +1,18 @@
-import ThemedImage from '@theme/ThemedImage';
+import ThemedImage from "@theme/ThemedImage";
 export default function GenerateKey(props) {
-    return (props.appType == 'api' || props.authType == 'jwt') ? (
+  return props.appType == "api" || props.authType == "jwt" ? (
-        <div>
+    <div>
-            <p>
+      <p>
-                After you successfully created your application with authentication type JWT your can create keys in the "KEYS" section of the app details like following video shows:
+        After you successfully created your application with authentication type
-            </p>
+        JWT your can create keys in the Configuration section and Keys Card of
-            <ThemedImage
+        the app details like following image shows:
-                alt="Generate key preview"
+      </p>
-                sources={{
+      <img
-                    light: '/img/guides/application/generate-key-light.gif',
+        width="400px"
-                    dark: '/img/guides/application/generate-key-dark.gif'
+        alt="Generate key"
-                }}
+        src="/img/guides/application/generate-key.png"
-            />
+      />
-        </div>
+    </div>
-    ) : null;
+  ) : null;
-}
+}
--- a/docs/docs/guides/integrate/application/redirect-uris.mdx
+++ b/docs/docs/guides/integrate/application/redirect-uris.mdx
@ -1,38 +1,51 @@
-import ThemedImage from '@theme/ThemedImage';
+import ThemedImage from "@theme/ThemedImage";
-import Admonition from '@theme/Admonition'
+import Admonition from "@theme/Admonition";
-export default function RedirectURIs(props) { 
+export default function RedirectURIs(props) {
-    return ['web', 'native', 'user-agent'].includes(props.appType) ? (
+  return ["web", "native", "user-agent"].includes(props.appType) ? (
-        <div>
+    <div>
-            <p>
+      <p>
-                During the login flow the application defines where a user is redirected to after login or logout.
+        During the login flow the application defines where a user is redirected
-                <br/>
+        to after login or logout.
-                ZITADEL verifies if the URL the user gets redirected to is valid by checking if one of the redirect URIs match.
+        <br />
-            </p>
+        ZITADEL verifies if the URL the user gets redirected to is valid by
-            <ul>
+        checking if one of the redirect URIs match.
-                <li><b>Redirect URIs</b> are verified during the login process.</li>
+      </p>
-                {
+      <ul>
-                    props.redirectURI ?
+        <li>
-                        <ul><li>The default redirect uri of your app is <code>{props.redirectURI}</code></li></ul>
+          <b>Redirect URIs</b> are verified during the login process.
-                        : null
+        </li>
-                }
+        {props.redirectURI ? (
-                <li><b>Post Logout URIs</b> are verified during the logout process.</li>
+          <ul>
-                {
+            <li>
-                    props.postLogoutURI ?
+              The default redirect uri of your app is{" "}
-                        <ul><li>The default post logout uri of your app is <code>{props.postLogoutURI}</code></li></ul>
+              <code>{props.redirectURI}</code>
-                        : null
+            </li>
-                }
+          </ul>
-            </ul>
+        ) : null}
-            <Admonition type="note">
+        <li>
-                <p>The default redirect uri of your app is <code>{props.redirectURI}</code></p>
+          <b>Post Logout URIs</b> are verified during the logout process.
-            </Admonition>
+        </li>
-            <ThemedImage
+        {props.postLogoutURI ? (
-                alt="Redirect URIs configuration"
+          <ul>
-                sources={{
+            <li>
-                    light: '/img/guides/application/redirect-uris-light.png',
+              The default post logout uri of your app is{" "}
-                    dark: '/img/guides/application/redirect-uris-dark.png'
+              <code>{props.postLogoutURI}</code>
-                }}
+            </li>
-            />
+          </ul>
-        </div>
+        ) : null}
-    ) : null;
+      </ul>
      <Admonition type="note">
        <p>
          The default redirect uri of your app is{" "}
          <code>{props.redirectURI}</code>
        </p>
      </Admonition>
      <img
        width="600px"
        alt="Redirect URIs configuration"
        src={"/img/guides/application/redirect-uris.png"}
      />
    </div>
  ) : null;
 }
--- a/docs/docs/guides/integrate/application/review-config.mdx
+++ b/docs/docs/guides/integrate/application/review-config.mdx
@ -1,33 +1,41 @@
-import ThemedImage from '@theme/ThemedImage';
+import ThemedImage from "@theme/ThemedImage";
 export default function ReviewConfig(props) {
-    let clientObjects = []
+  let clientObjects = [];
-    if (clientID(props.appType, props.authType)) {
+  if (clientID(props.appType, props.authType)) {
-        clientObjects.push('id')
+    clientObjects.push("id");
-    }
+  }
-    if (clientSecret(props.appType, props.authType)) {
+  if (clientSecret(props.appType, props.authType)) {
-        clientObjects.push('secret')
+    clientObjects.push("secret");
-    }
+  }
-    return clientObjects.length > 0 ? (
+  return clientObjects.length > 0 ? (
-        <div>
+    <div>
-            <p>This page shows what will be created. After you have reviewed the configuration you can create the application.</p>
+      <p>
-            <h3>Client information</h3>
+        The last page of the stepper shows a summary of what will be created.
-            <p>Please make sure to safe the <b>client {clientObjects.join(' and ')}</b> for later user in the application.</p>
+        After you have reviewed the configuration you can create the
-            <ThemedImage
+        application.
-                alt="client infos"
+      </p>
-                sources={{
+      <h3>Client information</h3>
-                    light: '/img/guides/application/client-' + clientObjects.join('-') + '-light.png',
+      <p>
-                    dark: '/img/guides/application/client-' + clientObjects.join('-') + '-dark.png'
+        Please make sure to safe the <b>client {clientObjects.join(" and ")}</b>{" "}
-                }}
+        for later use in the application.
-            />
+      </p>
-        </div>
+      <img
-    ): null;
+        alt="client infos"
        src={`/img/guides/application/client-${clientObjects.join("-")}.png`}
        width="700px"
      />
    </div>
  ) : null;
 }
 export function clientID(appType, authType) {
-    return ['pkce', 'code', 'jwt', 'post', 'implicit', 'basic'].includes(authType) || appType === 'native'
+  return (
    ["pkce", "code", "jwt", "post", "implicit", "basic"].includes(authType) ||
    appType === "native"
  );
 }
 export function clientSecret(appType, authType) {
-    return ['code', 'post', 'basic'].includes(authType)
+  return ["code", "post", "basic"].includes(authType);
-}
+}
--- a/docs/docs/guides/integrate/identity-brokering.md
+++ b/docs/docs/guides/integrate/identity-brokering.md
@ -67,14 +67,15 @@ This case describes how to change it on the organization.
 ![Configure identity provider](/img/console_org_identity_provider.gif)
 ### 4. Send the primary domain scope on the authorization request
 ZITADEL will show a set of identity providers by default. This configuration can be changed by users with the [manager role](../../concepts/structure/managers) `IAM_OWNER`.
-An organization's login settings will be shown 
+ZITADEL will show a set of identity providers by default. This configuration can be changed by users with the [manager role](../../guides/manage/console/managers#roles) `IAM_OWNER`.
 An organization's login settings will be shown
 - as soon as the user has entered the loginname and ZITADEL can identify to which organization he belongs; or
 - by sending a primary domain scope.
-To get your own configuration you will have to send the [primary domain scope](../../apis/openidoauth/scopes#reserved-scopes) in your [authorization request](../../guides/integrate/login-users#auth-request) .
+  To get your own configuration you will have to send the [primary domain scope](../../apis/openidoauth/scopes#reserved-scopes) in your [authorization request](../../guides/integrate/login-users#auth-request) .
-The primary domain scope will restrict the login to your organization, so only users of your own organization will be able to login, also your branding and policies will trigger.
+  The primary domain scope will restrict the login to your organization, so only users of your own organization will be able to login, also your branding and policies will trigger.
 :::note
 You need to create your own auth request with your applications parameters. Please see the docs to construct an [Auth Request](../../guides/integrate/login-users#auth-request).
--- a/docs/docs/guides/manage/cloud/instances.md
+++ b/docs/docs/guides/manage/cloud/instances.md
@ -14,6 +14,7 @@ With a click on a instance row you get to the detail of the chosen instance.
 ## New instance
 Click on the new button above the instance table to create a new instance.
 1. Enter the name of your new instance
 2. Choose if you like to start with the free or the pay as you go tier
 3. Choose your options (pay as you go)
@ -27,6 +28,10 @@ Click on the new button above the instance table to create a new instance.
 You will get an email to initialize your first user of the instance and to access the new created ZITADEL instance.
 :::info
 Every new instance gets a generated domain of the form [instancename][randomnumber].zitadel.cloud
 :::
 ![New Instance](/img/manuals/portal/customer_portal_new_instance.gif)
 ## Detail
@ -61,6 +66,7 @@ The primary domain of your ZITADEL instance will be the issuer of the instance.
 > **_Please note:_** Do not delete the verification code, as ZITADEL Customer Portal will re-check the ownership of your domain from time to time
 Be aware that it has some impacts if you change the primary domain of your instance.
 1. The urls and issuer have to change in your app
 2. Passwordless authentication is based on the domain, if you change it, your users will not be able to login with the registered passwordless authentication
@ -78,7 +84,7 @@ You will now be able to use the added custom domain to access your ZITADEL insta
 ### Change Options
-You can change your selected options in the detail of your instance. 
+You can change your selected options in the detail of your instance.
 This can have an impact on your instance cost.
 1. Go to the detail of your instance
@ -101,7 +107,6 @@ The data region will be set to "Global", if you have selected something else.
 :::
 1. Go to the detail of your instance
-2. Click "Change to free tier" in the General Information 
+2. Click "Change to free tier" in the General Information
 3. You will see an overview of what happens when downgrading, click "Downgrade anyway"
 4. In the popup you need to confirm by clicking "I am sure"
--- a/docs/docs/guides/manage/cloud/overview.md
+++ b/docs/docs/guides/manage/cloud/overview.md
@ -11,4 +11,4 @@ More details on the specific objects:
 - [Instances](./instances)
 - [Billing](./billing)
 - [Users](./users)
- [Support](./support)
+- [Support](./support)
--- a/docs/docs/guides/manage/cloud/start.md
+++ b/docs/docs/guides/manage/cloud/start.md
@ -4,11 +4,15 @@ title: Getting Started
 If you are new to ZITADEL your first action is to create your first ZITADEL instance and an account to access the ZITADEL Customer Portal.
-Got to [ZITADEL Customer Portal](https://zitadel.cloud) and enter all the detail information.
+The ZITADEL customer Portal is used to manage all your different ZITADEL instances.
 You can also manage your subscriptions, billing, newsletters and support requests.
 Go to [ZITADEL Customer Portal](https://zitadel.cloud) and enter all the detail information.
 As soon as you click "Let's go" you will get two initialization mails to finish your registration.
 One is for your Customer Portal account and the other for your new created ZITADEL instance, verify both to be able to login to the systems.
 To get started, enter the following data:
 - Firstname
 - Lastname
 - Email
--- a/docs/docs/guides/manage/console/actions.mdx
+++ b/docs/docs/guides/manage/console/actions.mdx
@ -0,0 +1,25 @@
 ---
 title: Actions
 ---
 An Identity and Management system is a very interactive place. ZITADEL has built in functionality to react to its events. This functionality is called **Actions** and can be accessed from your organizations top navigation.
 <img
  src="/img/guides/console/actionsmenu.png"
  width="700px"
  alt="Actions menu"
 />
 Actions allow you to define scripts which are then run on certain triggers.
 To add an action, click at the **new** button and provide a script and a name.
 You can specify a timeout and whether the action is allowed to fail too.
 <img src="/img/guides/console/action.png" alt="Create Action" width="450px" />
 To run those scripts, a flow with a trigger has to be created.
 This could for example be a **External Authentication** Flow, with a **Post Authentication** trigger.
 <img src="/img/guides/console/flow.png" alt="Flow" width="400px" />
 Now whenever a user gets authenticated externally with an IDP, a action is triggered after the authentication itself.
 If you want to know more where actions can be useful, take a look at the feature [here](/docs/concepts/features/actions) or directly jump to an example of a custom behaviour [here](/docs/guides/manage/customize/behavior).
--- a/docs/docs/guides/manage/console/applications.mdx
+++ b/docs/docs/guides/manage/console/applications.mdx
@ -2,73 +2,161 @@
 title: Applications
 ---
-import ThemedImage from '@theme/ThemedImage';
+import ThemedImage from "@theme/ThemedImage";
-import AuthType from '../../integrate/application/auth-type.mdx';
+import AuthType from "../../integrate/application/auth-type.mdx";
-import RedirectURIs from '../../integrate/application/redirect-uris.mdx';
+import RedirectURIs from "../../integrate/application/redirect-uris.mdx";
-import GenerateKey from '../../integrate/application/generate-key.mdx';
+import GenerateKey from "../../integrate/application/generate-key.mdx";
-import ReviewConfig from '../../integrate/application/review-config.mdx';
+import ReviewConfig from "../../integrate/application/review-config.mdx";
-## What is an application?
+# What is an application?
-Applications are the entry point to your project. Users either login into one of your clients and interact with them directly or use one of your API, maybe without even knowing. All applications share the roles and authorizations of their project.
+Applications are the entry point to your project.
 Users either login into one of your clients and interact with them directly or use one of your APIs.
 All applications share the roles and authorizations of their project.
 To access your applications, navigate to your project and select your application.
 <img
  alt="Granted project"
  src="/img/guides/console/applications.png"
  width="750px"
 />
 <!-- TODO: oidc vs saml --->
-## Application types
+## Create application
-If you create a new application in ZITADEL Console you have to choose the type of your application. But which one do you have to choose?
+To add an application to your project, click on the add button and select your application type.
-Detailed information about authentication types can be found [here](../../integrate/login-users#create-application).
+<img
-
+  alt="Add application"
-<ThemedImage
+  src="/img/guides/console/addapplication.png"
-  alt="Redirect URIs configuration"
+  width="120px"
  sources={{
    light: '/img/guides/app-types-light.png',
    dark: '/img/guides/app-types-dark.png'
  }}
 />
 ## Application Types
 At the moment ZITADEL offers four client types:
 - [**Web**](#web) (Server-side web applications such as java, .net, ...)
 - [**Native**](#native) (native, mobile or desktop applications)
 - [**User Agent**](#user-agent) (single page applications / SPA, generally JavaScript executed in the browser)
 - [**API**](#api) (OAuth Resource Server)
 The first three options (Web, Native and User Agent) require user interaction, the fourth option (API) has no direct user-interaction.
 Depending on the app type, there are small differences in the possible settings.
 To get a good understanding about user profiles and recommended flows, read the following [guide](../../integrate/oauth-recommended-flows.md#different-client-profiles).
 ### Web
-Server side rendered applications users interact with. For example if you develop an application using Thymeleaf in Java or Razor in .NET or want to enable SSO in Gitlab.
+Web applications are **server side rendered** applications users interact with. For example if you develop an application using Thymeleaf in Java or Razor in .NET or want to enable SSO in Gitlab.
 Typical **React or Angular** apps **are not** a Web applications in this case.
 A **NextJS** on the contrary would be because it allows you to implement server side code.
 Following authentication types can be used:
-<AuthType appType="web"/>
+<AuthType appType="web" />
 ### Native
-Applications installed on a thin client. For example on a smartphone or computer. 
+Native Applications installed on a thin client. For example on a smartphone or computer. This can for example be Android and iOS Applications.
 These applications uses the Key file generated by ZITADEL to authenticate.
-<AuthType appType="native"/>
+<AuthType appType="native" />
 ### User Agent
-Applications that are executed in a web browser, for example single page applications executed in the browser developed with JavaScript frameworks like [Angular](../../../examples/login/angular) or [React](../../../examples/login/react)
+User Agent Applications that are executed in a web browser, for example single page applications executed in the browser developed with JavaScript frameworks like [Angular](../../../examples/login/angular) or [React](../../../examples/login/react)
-Following authentication types can be used:
+Following **authentication methods** can be used:
-<AuthType appType="user-agent"/>
+<AuthType appType="user-agent" />
 ### API
-Applications without human interaction. These applications are accessed by other applications, so called machine to machine communication.
+These are Applications without human interaction. These applications are accessed by other applications, so called machine to machine communication.
 Following authentication types can be used:
-<AuthType appType="api"/>
+<AuthType appType="api" />
 After selecting your Apps Type and Authentication Method, you may need to specify redirect URIs.
 ## Redirect URIs
-<RedirectURIs appType="web"/>
+App Types with User interaction (Web, Native and User Agent) require redirect URIs.
 Those redirects URIs are used to redirect the user back to your application on successful login.
 These URIs are defined in your application code and are checked by ZITADEL if they correspond to your applications configuration.
 Redirect URIs are checked during the login process.
 Native applications can use a different protocol than http or https in order to redirect your user.
 <img
  alt="Redirect URIs"
  src="/img/guides/console/redirecturis.png"
  width="600px"
 />
 In order to **develop locally** and due to the fact that any ZITADEL configuration is secure by default, ZITADEL requires you enable **dev mode** if you want to redirect users to URIs other than https://.
 ## Review Configuration
-<ReviewConfig authType="code"/>
+<ReviewConfig authType="code" />
-## Generate key for private key JWT
+## Application settings
-<GenerateKey appType="api"/>
+After creating the application, you can still change its configuration if you for example need a offline_access support (Refresh token).
 You can easily change your authentication method via the colored toggle on top or directly change configuration via the input and dropdown fields.
 > Note: Changing application type is not possible. In this case you have to create a new application.
 <img
  alt="Redirect URIs"
  src="/img/guides/console/application.png"
  width="800px"
 />
 On the top of the page you can check if your application is OIDC compliant.
 Tasks for completion are shown in the field.
 <img
  alt="OIDC Compliance"
  src="/img/guides/console/oidc-compliance.png"
  width="600px"
 />
 ### Token settings
 In the token settings you can change the type from **Bearer Token** to **JWT**, and check some settings whether you need user roles and user information in the ID Token or not.
 On the bottom you can optionally set a **ClockSkew** time which is added to the expiration time of the issued token.
 <img
  alt="Token settings"
  src="/img/guides/console/app-token-settings.png"
  width="600px"
 />
 ### Redirect settings
 Like on creation, you can modify you redirect settings here.
 Note that for local development you most likely have to enable development mode, as redirects to http:// are otherwise blocked.
 <img
  alt="Redirect URIs"
  src="/img/guides/console/redirect-uris.png"
  width="500px"
 />
 ### Additional origins
 If you need to allow additional origins which should **NOT** be used as redirect you can specify them in the **Additional origins** section.
 <img
  alt="Additional origins"
  src="/img/guides/console/additional-origins.png"
  width="500px"
 />
--- a/docs/docs/guides/manage/console/instance-settings.mdx
+++ b/docs/docs/guides/manage/console/instance-settings.mdx
@ -0,0 +1,246 @@
 ---
 title: Instance Settings
 ---
 Instance settings work as default or fallback settings for your organizational settings. Most of the time you only have to set instance settings for the cases where you don't need specific behaviour in the organizations themselves or you only have one organization.
 To access instance settings, use the instance page at `{instanceDomain}/ui/console/settings` or click at the instance button on the **top-right** of the page and then navigate to settings in the navigation.
 <img
  src="/img/guides/console/instancebutton.png"
  alt="Instance Button"
  width="450px"
 />
 When you configure your instance, you can set the following:
 - **General**: Default Language for the UI
 - [**Notification providers and SMTP**](#notification-providers-and-smtp): Email Server settings, so initialization-, verification- and other mails are sent from your own domain. For SMS, Twilio is supported as notification provider.
 - [**Login Behaviour and Access**](#login-behaviour-and-access): Multifactor Authentication Options and Enforcement, Define whether Passwordless authentication methods are allowed or not, Set Login Lifetimes and advanced behavour for the login interface.
 - [**Identity Providers**](#identity-providers): Define IDPs which are available for all organizations
 - [**Password Complexity**](#password-complexity): Requirements for Passwords ex. Symbols, Numbers, min length and more.
 - [**Lockout**](#lockout): Set the maximum attempts a user can try to enter the password. When the number is exceeded, the user gets locked out and has to be unlocked.
 - [**Domain settings**](#domain-settings): Whether users use their email or the generated username to login. Other Validation, SMTP settings
 - [**Branding**](#branding): Appearance of the login interface.
 - [**Message Texts**](#message-texts): Text and internationalization for emails
 - [**Login Interface Texts**](#login-interface-texts): Text and internationalization for the login interface
 - [**Privacy Policy**](#privacy-policy-and-tos): Links to your own Terms of Service and Privacy Policy regulations. Link to Help Page.
 - [**OIDC Token Lifetimes and Expiration**](#oidc-token-lifetimes-and-expiration): Token lifetime and expiration settings.
 - [**Secret Appearance**](#secret-appearance): Appearance of the generated codes and secrets used in mails for verification etc.
 ## Branding
 We recommend setting your Branding and SMTP settings initially as it will comfort your customers having a familiar UI for login and receiving notifications from your domain and mail addresses.
 ![Private Labeling](/img/console_private_labeling.png)
 In the Branding settings, you can upload you Logo for the login interface, set your own colors for buttons, background, links, and choose between multiple behavours. You don't need to be an expert as those settings can all be set without any knowledge of CSS.
 | Setting            | Description                                                                                                                                                                                                                |
 | ------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | Logo               | Upload your logo for the light and the dark design. This is used mainly in the login interface.                                                                                                                            |
 | Icon               | Upload your icon for the light and the dark design. Icons are used for smaller components. For example in console on the top left as the home button.                                                                      |
 | Colors             | You can set four different colors to design your login page and email. (Background-, Primary-, Warn- and Font Color)                                                                                                       |
 | Font               | Upload your custom font                                                                                                                                                                                                    |
 | Advanced Behaviour | **Hide Loginname suffix**: If enabled, your loginname suffix (Domain) will not be shown in the login page. **Disable Watermark**: If you disable the watermark you will not see the "Powered by ZITADEL" in the login page |
 Make sure you click the "Apply configuration" button after you finish your configuration. This will ensure your design is visible for your customers.
 Branding settings applied on you instance act as a default for all your organizations. If you need custom branding on a organization take a look at our guide under [organization settiong](./organizations#branding).
 ## Notification providers and SMTP
 In the notification settings you can configure your SMTP Server settings and your SMS Provider. At the moment Twilio is available as SMS provider.
 ### SMTP
 On each instance we configure our default SMTP provider. To make sure, that you only send some E-Mails from domains you own. You need to add a custom domain on your instance.
 Go to the ZITADEL [customer portal](https://zitadel.cloud) to configure a custom domain.
 To configure your custom SMTP please fill the following fields:
 - Sender email address
 - Sender name
 - Enable or Disable Transport Layer Security (TLS)
 - Host
 - User
 - SMTP Password
 <img src="/img/guides/console/smtp.png" alt="SMTP" width="400px" />
 ### SMS
 No default provider is configured to send some SMS to your users. If you like to validate the phone numbers of your users make sure to add your twilio configuration by adding your Sid, Token and Sender Number.
 <img src="/img/guides/console/twilio.png" alt="Twilio" width="400px" />
 ## Login Behaviour and Access
 The Login Policy defines how the login process should look like and which authentication options a user has to authenticate.
 | Setting                   | Description                                                                                                                                                         |
 | ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | Register allowed          | Enable self register possibility in the login ui, this enables username password registration as well as registration with configured external identity providers   |
 | Username Password allowed | Possibility to login with username and password. If this is disabled only login with external identity providers will be allowed                                    |
 | External IDP allowed      | Possibility to login with an external identity (e.g Google, Microsoft, Apple, etc), If you like to allow external Identity providers add them to the providers list |
 | Force MFA                 | Force a user to register and use a multifactor authentication, Ensure that you have added the MFA methods you want to allow.                                        |
 | Passwordless              | Choose if passwordless login is allowed or not                                                                                                                      |
 <img
  src="/img/guides/console/loginpolicy.png"
  alt="Login Bahaviour and Access"
  width="600px"
 />
 ### Passwordless
 Passwordless authentication means that the user doesn't need to enter a password to login. In our case the user has to enter his loginname and as the next step proof the identity through a registered device or token.
 There are two different types one is depending on the device (e.g. Fingerprint, Face recognition, WindowsHello) and the other is independent (eg. Yubikey, Solokey).
 ### Multifactor
 In the multifactors section you can configure what kind of multifactors should be allowed. For passwordless to work, it's required to enable U2F (Universial Second Factor) with PIN. There is no other option at the moment.
 Multifactors:
 - U2F (Universal Second Factor) with PIN, e.g FaceID, WindowsHello, Fingerprint, Hardwaretokens like Yubikey
 Secondfactors:
 - OTP (One Time Password), Authenticator Apps like Google/Microsoft Authenticator, Authy, etc.
 - U2F (Universal Second Factor), e.g FaceID, WindowsHello, Fingerprint, Hardwaretokens like Yubikey
 ## Identity Providers
 You can configure all kinds of external identity providers for identity brokering, which support OIDC (OpenID Connect).
 Create a new identity provider configuration and enable it in the list afterwards.
 For a detailed guide about how to configure a new identity provider for identity brokering have a look at our guide:
 [Identity Brokering](../../../guides/integrate/identity-brokering)
 ## Password Complexity
 With the password complexity policy you can define the requirements for a users password.
 The following properties can be set:
 - Minimum Length
 - Has Uppercase
 - Has Lowercase
 - Has Number
 - Has Symbol
 <img
  src="/img/guides/console/complexity.png"
  alt="Password Complexity"
  width="600px"
 />
 ## Lockout
 Define when an account should be locked.
 The following settings are available:
 - Maximum Password Attempts: When the user has reached the maximum password attempts the account will be locked, If this is set to 0 the lockout will not trigger.
 If an account is locked, the administrator has to unlock it in the ZITADEL console
 <img src="/img/guides/console/lockout.png" alt="Lockout" width="600px" />
 ## Domain settings
 In the domain policy you have two different settings.
 One is the "user_login_must_be_domain", by setting this all the users within an organisation will be suffixed with the domain of the organisation.
 The second is "validate_org_domains" if this is set to true all created domains on an organisation must be verified per acme challenge.
 More about how to verify a domain [here](../../../guides/manage/console/organizations#domain-verification-and-primary-domain).
 If it is set to false, all registered domain will automatically be created as verified and the users will be able to use the domain for login.
 ### Use email as username
 To be able to use the email as username you have to disable the attribute "User Loginname must contain orgdomain" on your domain settings.
 This means that all your users will not be suffixed with the domain of your organization and you can enter the email as username.
 All usernames will then be globally unique within your instance.
 You can either set this attribute on your whole ZITADEL instance or just on some specific orgnizations.
 ## Privacy Policy and TOS
 With this setting you are able to configure your privacy policy, terms of service and help links.
 On register each user has to accept these policies.
 This policy can be also be overriden by your organizations.
 When focused on an input field you can see the language attribute, which can then be integrated into your link.
 Example:
 `https://demo.com/tos-{{.Lang}}`
 <img
  src="/img/guides/console/privacypolicy.png"
  alt="Privacy Policy"
  width="600px"
 />
 ## Message texts
 These are the texts for your notification mails. Available for change are:
 | Message Text   | Description                                                                                                      |
 | -------------- | ---------------------------------------------------------------------------------------------------------------- |
 | Domain Claim   | Enable self register possibility in the login ui                                                                 |
 | Initialization | The mail after a user has been created. A code is part of the message which then must be verified on first login |
 | Passwordless   | Possibility to login with an external identity (e.g Google, Microsoft, Apple, etc)                               |
 | Password Reset | Force a user to register and use a multifactor authentication                                                    |
 | Verify Email   | Choose if passwordless login is allowed or not                                                                   |
 You can set the locale of the translations on the right.
 <img
  src="/img/guides/console/messagetexts.png"
  alt="Message texts"
  width="600px"
 />
 ## Login interface texts
 These are the texts for the login. Just like for message texts, you can select the locale on the right.
 <img src="/img/guides/console/logintexts.png" alt="Login texts" width="600px" />
 ## OIDC token lifetimes and expiration
 Configure how long the different oidc tokens should life.
 You can set the following times:
 - Access Token Lifetime
 - ID Token Lifetime
 - Refresh Token Expiration
 - Refresh Token Idle Expiration
 <img
  src="/img/guides/console/oidcsettings.png"
  alt="OIDC Token Lifetimes"
  width="400px"
 />
 ## Secret appearance
 ZITADEL has some different codes and secrets, that can be specified.
 You can configure what kind of characters should be included, how long the secret should be and the expiration.
 The following secrets can be configured:
 - Initialization Mail Code
 - Email verification code
 - Phone verification code
 - Password reset code
 - Passwordless initialization code
 - Application secrets
 <img
  src="/img/guides/console/secretappearance.png"
  alt="Secret appearance"
  width="400px"
 />
 If your done with your instance settings, you can proceed setting up your organizations. Again, make sure you get an understanding on how your project is structured and then continue.
--- a/docs/docs/guides/manage/console/managers.mdx
+++ b/docs/docs/guides/manage/console/managers.mdx
@ -0,0 +1,55 @@
 ---
 title: Managers
 ---
 import ManagerDescription from "../../../concepts/structure/_manager_description.mdx";
 <ManagerDescription name="ManagerDescription" />
 To configure managers in ZITADEL go to the resource where you like to add it (e.g Instance, Organization, Project, GrantedProject).
 In the right part of the console you can finde **MANAGERS** in the details part. Here you have a list of the current managers and can add a new one.
 <img alt="Managers" src="/img/guides/console/managers.png" width="200px" />
 When adding a new manager, you can select multiple roles some of which are only allowed to read data.
 This can be especially useful if you add service users for one of your projects where you only need read access.
 Per default you will only search for users within the selected organization. If you like to give a role to a user outside the organization you need to switch to the global search and type the exact loginname of the users. This will prevent allowing users to guess users from other organizations.
 <img alt="Managers" src="/img/guides/console/addmanager.png" width="390px" />
 ## Roles
 | Name                          | Role                          | Description                                                                                                  |
 | ----------------------------- | ----------------------------- | ------------------------------------------------------------------------------------------------------------ |
 | IAM Owner                     | IAM_OWNER                     | Manage the IAM, manage all organizations with their content                                                  |
 | IAM Owner Viewer              | IAM_OWNER_VIEWER              | View the IAM and view all organizations with their content                                                   |
 | IAM Org Manager               | IAM_ORG_MANAGER               | Manage all organizations including their policies, projects and users                                        |
 | IAM User Manager              | IAM_USER_MANAGER              | Manage all users and their authorizations over all organizations                                             |
 | Org Owner                     | ORG_OWNER                     | Manage everything within an organization                                                                     |
 | Org Owner Viewer              | ORG_OWNER_VIEWER              | View everything within an organization                                                                       |
 | Org User Manager              | ORG_USER_MANAGER              | Manage users and their authorizations within an organization                                                 |
 | Org User Permission Editor    | ORG_USER_PERMISSION_EDITOR    | Manage user grants and view everything needed for this                                                       |
 | Org Project Permission Editor | ORG_PROJECT_PERMISSION_EDITOR | Grant Projects to other organizations and view everything needed for this                                    |
 | Org Project Creator           | ORG_PROJECT_CREATOR           | This role is used for users in the global organization. They are allowed to create projects and manage them. |
 | Project Owner                 | PROJECT_OWNER                 | Manage everything within a project. This includes to grant users for the project.                            |
 | Project Owner Viewer          | PROJECT_OWNER_VIEWER          | View everything within a project.                                                                            |
 | Project Owner Global          | PROJECT_OWNER_GLOBAL          | Same as PROJECT_OWNER, but in the global organization.                                                       |
 | Project Owner Viewer Global   | PROJECT_OWNER_VIEWER_GLOBAL   | Same as PROJECT_OWNER_VIEWER, but in the global organization.                                                |
 | Project Grant Owner           | PROJECT_GRANT_OWNER           | Same as PROJECT_OWNER but for a granted proejct.                                                             |
 ## Configure roles
 If you run a self hosted ZITADEL istance you can define your custom roles by overwriting the defaults.yaml
 In the InternalAuthZ section you will find all the roles and which permissions the have.
 Example:
 ```bash
 InternalAuthZ:
  RolePermissionMappings:
    - Role: "IAM_OWNER"
      Permissions:
        - "iam.read"
        - "iam.write"
 ```
--- a/docs/docs/guides/manage/console/organizations.mdx
+++ b/docs/docs/guides/manage/console/organizations.mdx
@ -4,43 +4,64 @@ title: Organizations
 ## What is an organization?
-import OrgDescription from '../../../concepts/structure/_org_description.mdx';
+import OrgDescription from "../../../concepts/structure/_org_description.mdx";
-import Column from '../../../../src/components/column';
+import Column from "../../../../src/components/column";
-<OrgDescription name="OrgDescription" />
+An Organization is where your projects and users live. Looking at a B2B use case, an organization represents a business partner who typically has its own branding and has different access settings like additional federated login providers.
-
+Users from one organization are seperated from others.
 There are several more modules in our documentation to go into more detail regarding organization management, projects, clients, and users. But first let’s create a new organization and verify your domain name.
 ## Create a new organization
-To create a new organization login to your ZITADEL instance ({your-domain}-{random string}.zitadel.cloud or your custom domain).
+To create a new organization, click on the organizations dropdown and then select “New organization”.
-Click the organization drop down in the name in the upper left corner in the header, and then select “New organization”.
+You can either create a new organization with your logged in user as the organization manager or directly create another account.
-You can either create a new organization with yourself as the organization manger or directly add another account.
+If you choose your logged in user as organization manager, a membership for the new organization will be added to the account.
-![Select Organization](/img/console_org_select.png)
+<img
  width="400px"
  src="/img/console_org_select.png"
  alt="Select Organization"
 />
-
+If you want to enable your customers to create their organization by themselves, we provide a creation form for a organization. `<https://{your-domain}-{random string}.zitadel.cloud/ui/login/register/org`
 If you want to enable you customers to create their organization by themself, we provide a creation form for a organization. <https://{your-domain}-{random string}.zitadel.cloud/ui/login/register/org>
 The customer needs to fill in the form with the organization name and the contact details.
-![Register new Organization](/img/console_org_register.png)
+<img
  width="400px"
  src="/img/console_org_register.png"
  alt="Register new organization"
 />
 ## How ZITADEL handles usernames
-As we mentioned before, each organization has its own pool of usernames, which includes human and service.
+If you domain setting "user loginname must contain orgdomain" is disabled. Your username will be unique withing the whole instance.
 At the moment the username only allowes e-mail formatted input. (This will be changed soon)
-This means that, for example a user with the username road.runner, can only exist once in an organization called ACME. ZITADEL will automatically generate a "logonname" for each  consisting of `{username}@{domainname}.{zitadeldomain}`, in our example road.runner@acme.zitadel.cloud.
+### User Loginname must contain orgdomain
-When you verify your domain name, then ZITADEL will generate additional logonames for each user with the verified domain. If our example organization would own the domain acme.ch and verify within the organization ACME, then the resulting logonname in our example would be road.runner@acme.ch in addition to the already generated road.runner@acme.zitadel.cloud. The user can now use either logonname to authenticate with your application.
+If this behaviour is not suitable for you, ZITADEL has the option to suffix the usernames with the organization domain.
 This setting is called **User Loginname must contain orgdomain** and is part of your [Domain settings](./instance-settings#domain-settings).
 Those loginnames consist of the format `{username}@{domainname}.{zitadeldomain}`.
 If your user had the username `john.doe`, the generated loginname would be `john.doe@acme.zitadel.cloud`.
 This also means that only one user with the username `john.doe` can exist in your organization called `ACME`.
 If you verify your domain name or add additional domains, ZITADEL will generate those additional logonames for you.
 If the organization would own the domain `acme.ch` and verify it, then the resulting loginname would be `john.doe@acme.ch` in addition to the already generated `john.doe@acme.zitadel.cloud`.
 The user can now use either logonname to authenticate with your application.
 > Note: You can set this setting on your instance as well as your organizations. All available usernames are shown on the top of the user pages.
 ## Domain verification and primary domain
-Once you have successfully registered your organization, ZITADEL will automatically generate a domain name for your organization (eg, acme.zitadel.cloud). Users that you create within your organization will be suffixed with this domain name.
+Once you have successfully registered your organization, ZITADEL will automatically generate a domain name for your organization (eg, acme.zitadel.cloud).
 Users that you create within your organization will be suffixed with this domain name.
-You can improve the user experience, by suffixing users with a domain name that is in your control. If the "validate ord domains" settings in the [Domain Policy](../../../concepts/structure/policies) is set to true, you have to prove the ownership of your domain, by DNS or HTTP challenge.
+You can improve the user experience, by suffixing users with a domain name that is in your control.
 If the "validate org domains" settings in the [Domain Settings](./instance-settings#domain-settings) is set to true, you have to prove the ownership of your domain, by DNS or HTTP challenge.
 If the settings is set to false, the created domain will automatically be set to verifed.
-An organization can have multiple domain names, but only one domain can be primary. The primary domain defines which login name ZITADEL displays to the user, and what information gets asserted in access_tokens (`preferred_username`).
+An organization can have multiple domain names, but only one domain can be primary.
 The primary domain defines which login name ZITADEL displays to the user, and what information gets asserted in access_tokens (`preferred_username`).
 Please note that domain verification also removes the logonname from all users, who might have used this combination in the global organization (ie. users not belonging to a specific organization). Relating to our example with acme.ch: If a user ‘coyote’ exists in the global organization with the logonname coyote@acme.ch, then after verification of acme.ch, this logonname will be replaced with `coyote@{randomvalue.tld}`. ZITADEL will notify users affected by this change.
@ -56,4 +77,23 @@ Please note that domain verification also removes the logonname from all users,
 > **_Please note:_** Do not delete the verification code, as ZITADEL will re-check the ownership of your domain from time to time
-<!-- //TODO Add whats next again -->
+## Organization Settings
 In organizations you also have settings that have higher priority then on your instance, and therefore override its instance.
 Those settings are the same as on your instance.
 > Note: that the following links, redirect to instance settings to omit redundancy.
 - [**Login Behaviour and Access**](./instance-settings#login-behaviour-and-access): Multifactor Authentication Options and Enforcement, Define whether Passwordless authentication methods are allowed or not, Set Login Lifetimes and advanced behavour for the login interface.
 - [**Identity Providers**](./instance-settings#identity-providers): Define IDPs which are available for all organizations
 - [**Password Complexity**](./instance-settings#password-complexity): Requirements for Passwords ex. Symbols, Numbers, min length and more.
 - [**Lockout**](./instance-settings#lockout): Set the maximum attempts a user can try to enter the password. When the number is exceeded, the user gets locked out and has to be unlocked.
 - [**Domain settings**](./instance-settings#domain-settings): Whether users use their email or the generated username to login. Other Validation, SMTP settings
 - [**Branding**](./instance-settings#branding): Appearance of the login interface.
 - [**Message Texts**](./instance-settings#message-texts): Text and internationalization for emails
 - [**Login Interface Texts**](./instance-settings#login-interface-texts): Text and internationalization for the login interface
 - [**Privacy Policy**](./instance-settings#privacy-policy-and-tos): Links to your own Terms of Service and Privacy Policy regulations. Link to Help Page.
 If you need custom branding on a organization (for example in a B2B scenario, where organizations are allowed to use their custom design), navigate back to the home page, choose your organization in the header above, navigate to the organization settings and set the custom design here.
 The behaviour of the login page, applyling custom design, is then defined on your projects detail page. Read more about it [here](./projects#branding)
--- a/docs/docs/guides/manage/console/overview.mdx
+++ b/docs/docs/guides/manage/console/overview.mdx
@ -0,0 +1,23 @@
 ---
 title: Overview
 ---
 ## What is console?
 Console is the Dashboard UI for your instance. It can be accessed from all configured instance domains, defined in the Customer Portal.
 The console is used to configure global instance settings and can be used by multiple Managers.
 Read more about [Console Managers](./managers) here.
 It can also be used by your application users to modify their profile, although we recommend that you build your own User Interface.
 When you are logged in, you are greeted by the home page. This page allows you to set shortcuts to settings and projects.
 The console has a context switcher on the **top-left** where your current organization is set.
 Depending on your use case, multiple organizations can be created (B2B) or you can stick to your global organization (B2C). To get an understanding of your use cases and how we recommend setting up your organizations, read the [Solution Scenario](../../solution-scenarios/introduction) guides.
 <img
  src="/img/guides/console/contextswitcher.png"
  alt="Context switcher"
  width="400px"
 />
 If your new to console, you'll probably want to set some settings initially. Continue reading instance settings on the next page.
--- a/docs/docs/guides/manage/console/projects.mdx
+++ b/docs/docs/guides/manage/console/projects.mdx
@ -4,63 +4,101 @@ title: Projects
 ## What is a project?
-import ProjectDescription from '../../../concepts/structure/_project_description.mdx';
+import ProjectDescription from "../../../concepts/structure/_project_description.mdx";
 <ProjectDescription name="ProjectDescription" />
-The goal of this module is to give you an overview, but not dive too deep into details around managing access rights and delegating management of roles to third parties. So let’s create a straightforward example project first.
+### Example
 If you'd build a Point of Sales Platform, you would have one Project (maybe called `POS`) and all your applications (one Webapplication for administration, and your mobile applications for your users iOS and Android), would be part of it.
 You would have to create roles for administration and your clients in this very project, and then create authorizations based on them.
 ![POS Project](/img/guides/console/posproject.png)
 ## Create a project
-Visit <https://{your_domain}.zitadel.cloud/ui/console/projects> or select “Projects” within your organization, then click the button to create a new project.
+To create a project, navigate to your organization, then projects or directly via <https://{your_domain}.zitadel.cloud/ui/console/projects>, and then click the button to create a new project.
-![Empty Project](/img/console_projects_empty.png)
+<img alt="Empty Project" src="/img/console_projects_empty.png" width="270px" />
-Enter the name “ My first project” and continue.
+then enter your project name and continue.
 Let’s make this more interesting and add some basic roles and authorizations to your project and then confirm the scope of the roles and authorizations.
 Jump to the section ROLES and create two new roles with the following values
 * Key: reader
 * Display Name: Reader
 * Group: user
 and
 * Key: editor
 * Display Name: Editor
 * Group: user
 ![Add New Roles](/img/console_projects_add_new_roles.gif)
 Now, you can add roles to your own user, or you can create a new user. To create a new user, go to Users and click “New”. Enter the required contact details and save by clicking “Create”.
 ![Create new user](/img/console_users_create_new_user.gif)
 To grant users certain roles, you need to create authorizations. Go back to the project, and jump to the section AUTHORIZATIONS.
 ![Verify your authorization](/img/console_projects_create_authorization.gif)
 You can verify the role grant on the user. Select Users from the navigation menu and click on the user Coyote. Scroll down to the section AUTHORIZATION, there you should be able to verify that the user has the role ‘reader’ for your project ‘My first project’.
 ![Organization grant](/img/console_projects_authorization_created.png)
 Now create another project (eg. “My second project”) and verify that there are no roles or authorizations on your second project.
 ## What is a granted project?
-import GrantedProjectDescription from '../../../concepts/structure/_granted_project_description.mdx';
+Now imagine you could use the POS platform from the example not only for yourself but sell it to other business partners too.
 Those partners would maybe have the need to have their own domain, their own branding and add additional social login options.
 Setting this up in ZITADEL is very easy since all organizations can overwrite their settings.
 You would only need a method to grant them access.
-<GrantedProjectDescription name="GrantedProjectDescription" />
+To add a grant to another organization is done from the project itself. Navigate to grants and hit the new button.
 Now, enter the domain of the partner organization (if you can't remember it, navigate to the organization and pick it up from the detail page), hit search and then continue.
 Now select the roles you want this organization to use and save.
 This enables you to lock a certain organization out of a feature if you don't want their users to use it.
 You can learn more about roles [here](./roles).
 Organizations can then create authorizations for their users on their own. The project is shown them seperated from their own projects.
 <img
  alt="Granted project"
  src="/img/guides/console/grantedprojectgrid.png"
  width="320px"
 />
 ## Grant a project
-1. Visit the project that you have created before, then in the section GRANTED ORGANIZATIONS click New.
+1. Visit the project `POS` that you have created before, then in the section **Grants** click **New**.
 2. Enter the domain ‘acme.caos.ch’, search the organization and continue to the next step.
 3. Select some roles you would like to grant to the organization ACME and confirm.
 4. You should now see ACME-CAOS in the section GRANTED ORGANIZATIONS
-![Grant a project](/img/projects_create_org_grant.gif)
+<img src="/img/guides/console/grantsmenu.png" alt="Grants" width="170px" />
-<!-- //TODO Add whats next again -->
+2. Enter the domain of the organization you want to grant (go to the organization detail page if you can't remember it), hit the search button and continue.
 3. Select some roles you would like to grant to the organization and confirm.
 4. You should now see the granted organization in the section **grants**.
 ## Project Settings
 ### Branding
 If you have different designs for your organizations or probably and use project grants, you can define the login behaviour on the project detail page.
 <img
  src="/img/guides/console/projectbranding.png"
  alt="Project branding"
  width="400px"
 />
 You can choose from
 | Setting                                | Description                                                                                                                                                                                                                                                  |
 | -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
 | Unspecified                            | If nothing is specified the default will trigger. (System settings)                                                                                                                                                                                          |
 | Enforce project resource owner policy  | This setting will enforce the private labeling of the organization (resource owner) of the project through the whole login process.                                                                                                                          |
 | Allow Login User resource owner policy | With this setting first the private labeling of the organization (resource owner) of the project will trigger. As soon as the user and its organization (resource owner) is identified by ZITADEL, the settings will change to the organization of the user. |
 In a B2B use case, you would typically use the organization setting. If you want to omit organization detection, you can preselect an organization with the [primary domain scope](/docs/apis/openidoauth/scopes#reserved-scopes) (ex. `urn:zitadel:iam:org:domain:primary:{domainname}`).
 ### Role settings
 Below the branding settings, you can check different checkboxes to get even more custom behaviour on authentication.
 - **Assert Roles on Authentication**:
  Role information is sent from Userinfo endpoint and depending on your application settings in tokens and other types.
 - **Check authorization on Authentication**: If set, users are only allowed to authenticate if any role is assigned to their account.
 - **Check for Project on Authentication**:
  It is checked whether the user's organization has this project. If not, the user cannot be authenticated.
 <img
  src="/img/guides/console/rolesettings.png"
  width="700px"
  alt="Role settings"
 />
 If you want to have roles in your token, this has to be set in your applications as this is dependent on your application type. Navigate to your application and check this setting if you want so.
 <img
  src="/img/guides/console/tokenroles.png"
  width="700px"
  alt="Roles in token"
 />
 You can learn more about [Application and Token settings](./applications#token-settings) in the next section.
--- a/docs/docs/guides/manage/console/roles.mdx
+++ b/docs/docs/guides/manage/console/roles.mdx
@ -0,0 +1,53 @@
 ---
 title: Roles and Authorizations
 ---
 If you would build out the [POS use case example](./projects#example) you would probably need an application for administration.
 In this application you would probably have somebody accessing as an accountant and somebody as an administrator, who is somebody with enhanced rights.
 To build this out, you would have to add this distinction as roles.
 To add roles, jump to the section **Roles** and create those new roles with the following values
 - Key: admin
 - Display Name: Administrator
 - Group: Administration
 and
 - Key: account
 - Display Name: Accountant
 - Group: Administration
 <img src="/img/guides/console/addrole.png" alt="Add roles" />
 The **Key** is used for coding (can then for example be requested in the ID Token).
 The **Display Name** is just for you remembering its use case
 The **Group** is for making multiple roles selectable more easy.
 <img src="/img/guides/console/roles.png" width="750px" alt="Roles" />
 > The role client is for an other application of the project `POS`, as all possible roles from your POS applications are defined in your project.
 ## Authorizations
 Now to make use of this roles, add an authorization.
 An authorization combines a user of your organization with one or multiple roles.
 > You can also add users of other organizations, if you want to do so click on the hint below the username field.
 <img src="/img/guides/console/authusers.png" width="500px" alt="Auth users" />
 If your wanted to test your application with your own user, navigate to the **Authorizations** section under your project and click on **new**.
 Type your username, hit continue, select the roles you want your user to have and save. If you want to add all roles of the Administration group, you can click on the group to select all.
 <img
  src="/img/guides/console/authorization.png"
  width="750px"
  alt="Authorization"
 />
 Now you can retrieve those roles in your application. ZITADEL has [multiple settings](./projects#project-settings) for you to access them more easily. Navigate to the **General** section of your project and check your needed ones.
 > Note: We did set up our authorizations from projects, but this can be achieved from multiple locations in console. You can view and add authorizations from your organization, your projects, or from your users page.
--- a/docs/docs/guides/manage/console/users.mdx
+++ b/docs/docs/guides/manage/console/users.mdx
@ -0,0 +1,80 @@
 ---
 title: Users
 ---
 ZITADEL differs two different types of users:
 - Users (Humans)
 - Service Users (Machine Accounts)
 <img src="/img/guides/console/usersmenu.png" width="420px" alt="User types" />
 A human user has an email address and a password, and can additionally save information about phone, nickname, gender, language.
 A service user only has a name and a description aside his username.
 A service user can be authenticated with JWT profile or Personal Access Tokens. Both methods can specify an expiry.
 A human user can authenticate itself with his password, add multiple factors for additional security, and enable passwordless authentication.
 Service users are primarily used to gain access for a backend service or iot device. The fact that service users can also be ZITADEL managers is used to restrict access to specific projects or organizations.
 To get an understanding on how service users are used, take a look at our NextJS B2B Demo application.
 ## Create User
 To create a new user, go to Users and click on **New**. Enter the required contact details and save by clicking “Create”.
 import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
 <Tabs>
  <TabItem value="human" label="Human User" default>
    <img src="/img/guides/console/addhuman.png" width="680px" alt="Add Human" />
  </TabItem>
  <TabItem value="service" label="Service User">
    <img
      src="/img/guides/console/addmachine.png"
      width="540px"
      alt="Add Service User"
    />
  </TabItem>
 </Tabs>
 After a human user is created, by default, an initialization mail with a code is sent to the registered email. This code then has to be verified on first login.
 If you want to omit this mail, you can check the **email verified** and **set initial password** toggle.
 If no password is set initially, the initialization mail prompting the user to set his password is sent.
 You can prompt the user to add a second factor method too by checking the **Force MFA** toggle in [Login behaviour settings](./instance-settings#login-behaviour-and-access).
 When logged in, a user can then manage his profile in console himself, adding a profile picture, external IDPs and Passwordless authentication devices.
 <img src="/img/guides/console/myprofile.png" alt="Profile Self Manage" />
 ## Metadata
 When building complex applications, having the possibility to add metadata is essential.
 ZITADEL provides a key value storage for users on the user pages.
 Just navigate to the section **Metadata** and click on **edit**.
 > In our [Point of Sales example](./projects#example) from the projects guide, you could add a `stripeCustomerId` as a metadata key. In your client application you could then easily fetch the customer from Stripe APIs for your payments.
 <img
  width="460px"
  src="/img/guides/console/usermetadata.png"
  alt="User Metadata"
 />
 Metadata can requested via our auth and management APIs, from userinfo endpoint or ID Token.
 To get your metadata from the userinfo endpoint, add `urn:zitadel:iam:user:metadata` to your authentication request. Take a look at our reserved scopes [here](/docs/apis/openidoauth/scopes#reserved-scopes) or take a look at our [metadata guide](../customize/user-metadata).
 You can then toggle **User Info inside ID Token** in your application settings, if you need this information in the ID Token too.
 <img
  src="/img/guides/console/appidtokensettings.png"
  width="650px"
  alt="ID Token settings"
 />
 ## Authorizations
 As described in [Roles and Authorizations](./roles), authorizations are shown on user profile pages too.
 If you need user roles in the user info endpoint, check the **Assert roles on authentication** checkbox in your project as described in [Authorizations](./roles#authorizations).
 If you need them in your ID Token, toggle **User roles inside ID Token** in application settings.
--- a/docs/docs/guides/overview.mdx
+++ b/docs/docs/guides/overview.mdx
@ -2,9 +2,6 @@
 title: Overview
 ---
 import { ListElement, ListWrapper, ICONTYPE } from "../../src/components/list";
 import Column from "../../src/components/column";
 With our guides you will learn everything you need to know about specific topics. You get step-by-step instructions for certain tasks and have a knowledge check at the end.
 You can either use our cloud-instance [zitadel.com](https://zitadel.com) or deploy your own **ZITADEL** instance. To get started, we recommend you to try out our free tier first. Jump directly to the [get started](./start/quickstart) docs.
--- a/docs/docs/manuals/user-profile.md
+++ b/docs/docs/manuals/user-profile.md
@ -3,7 +3,7 @@ title: User Profile
 ---
 To get to your user profile you have to login to your ZITADEL Console {your-domain}-{randomstring}.zitadel.cloud or {your-custom-domain}.
-If you have no special permissions in the ZITADEL Console, you will get directly to your profile page. 
+If you have no special permissions in the ZITADEL Console, you will get directly to your profile page.
 Otherwise click on your user avatar in the top right of the console. A menu will open, with the "Edit Account" button you will be redirected to your profile page.
 ## Loginname
@ -15,6 +15,7 @@ You are able to login with some different login names. The login name consists o
 In the general section you can find your profile data and contact information.
 In the profile data you can change the following data:
 - Avatar
 - Username
 - Firstname
@ -27,6 +28,7 @@ In the profile data you can change the following data:
 In the contact information you can change your password, email and phone number. The Email and Phone number need to be verified.
 ![Profile](/img/manuals/console_profile.png)
 ### Change Password
 Change your password by entering your old, new and new confirmation password.
@ -36,17 +38,17 @@ Change your password by entering your old, new and new confirmation password.
 ### Change Email
 Click on the edit button next to the email to change your email address.
-You will now get an email to verify that this is your account. This can take a moment. 
+You will now get an email to verify that this is your account. This can take a moment.
 Click on the button in the mail to verify the address. If you now reload your profile page the email address should be shown as verified.
-If you wait to long to verify the email, your code will probably be expired. 
+If you wait to long to verify the email, your code will probably be expired.
 The get a new verification mail click on "resend code" next to the "not verified" label.
 The email doesn't need to be unique within the whole system.
 ### Change Phone number
-The phone number is not mandatory withing ZITADEL. If you like to add it, you have to verify it. 
+The phone number is not mandatory withing ZITADEL. If you like to add it, you have to verify it.
 1. Click "edit button" and add your number
 2. Get an SMS with a verification code to the added number
@ -67,14 +69,15 @@ ZITADEL provides some different authentication methods, passwordless is one of t
 Passwordless has two different types, system based or system independent.
 If you use system based methods make sure to register all the different devices you need to login. (e.g. Notebook, Mobile Phone, etc)
- 
+
 Examples for passwordless authentication methods are: Fingerprint, Windows Hello, Face Recognition, etc.
 For device independent authentication you can use some hardware tokens. e.g. Yubikey, Solokey, etc.
 There are different options how to add a passwordless autehntication.
 1. Add directly on the current device
 2. Send a registration link to your email. You can open this email and use the link on any device you like to register
-3. Generate a qr code with a registration link and scann the QR Code with the device where you like to register 
+3. Generate a qr code with a registration link and scann the QR Code with the device where you like to register
 Make sure to add at least to different devices or a device independent method
@ -111,8 +114,6 @@ For One time password (OTP) you will need an Authenticator app of your choice th
 You will now be able to use otp as a second factor during the login process
 ## Authorization
 In the authorization section you can see all the permissions and roles you have to some different applications.
@ -121,12 +122,13 @@ In the authorization section you can see all the permissions and roles you have
 Membership is the role model ZITADEL provides for itself. If you have any permissions to manage something within ZITADEL you will have a membership.
 This memeberships are hierarchical and have the following layers:
 - System
 - Organization
 - Project
 - Granted Project
-To read more about the different roles withing ZITADEL click [here](../concepts/structure/managers.md).
+To read more about the different roles withing ZITADEL click [here](../guides/manage/console/managers.mdx).
 ## Metadata
--- a/docs/package.json
+++ b/docs/package.json
@ -36,17 +36,17 @@
    "@colors/colors": "1.5.0",
    "@docsearch/css": "3.0.0",
    "@docsearch/react": "3.0.0",
-    "@docusaurus/core": "2.1.0",
+    "@docusaurus/core": "^2.1.0",
-    "@docusaurus/cssnano-preset": "2.1.0",
+    "@docusaurus/cssnano-preset": "^2.1.0",
-    "@docusaurus/module-type-aliases": "2.1.0",
+    "@docusaurus/module-type-aliases": "^2.1.0",
-    "@docusaurus/plugin-debug": "2.1.0",
+    "@docusaurus/plugin-debug": "^2.1.0",
-    "@docusaurus/plugin-google-analytics": "2.1.0",
+    "@docusaurus/plugin-google-analytics": "^2.1.0",
-    "@docusaurus/plugin-google-gtag": "2.1.0",
+    "@docusaurus/plugin-google-gtag": "^2.1.0",
-    "@docusaurus/plugin-sitemap": "2.1.0",
+    "@docusaurus/plugin-sitemap": "^2.1.0",
-    "@docusaurus/preset-classic": "2.1.0",
+    "@docusaurus/preset-classic": "^2.1.0",
-    "@docusaurus/theme-classic": "2.1.0",
+    "@docusaurus/theme-classic": "^2.1.0",
-    "@docusaurus/theme-search-algolia": "2.1.0",
+    "@docusaurus/theme-search-algolia": "^2.1.0",
-    "@docusaurus/types": "2.1.0",
+    "@docusaurus/types": "^2.1.0",
    "@jridgewell/resolve-uri": "3.0.7",
    "@jridgewell/set-array": "1.1.1",
    "@jridgewell/trace-mapping": "0.3.11",
--- a/docs/sidebars.js
+++ b/docs/sidebars.js
@ -15,9 +15,7 @@ module.exports = {
    {
      type: "category",
      label: "Secure your API",
-      items: [
+      items: ["examples/secure-api/go", "examples/secure-api/dot-net"],
        "examples/secure-api/go",
        "examples/secure-api/dot-net"],
      collapsed: false,
    },
    {
@ -42,9 +40,7 @@ module.exports = {
      type: "category",
      label: "Get started",
      collapsed: false,
-      items: [
+      items: ["guides/start/quickstart"],
        "guides/start/quickstart",
      ],
    },
    {
      type: "category",
@ -66,8 +62,8 @@ module.exports = {
      collapsed: false,
      items: [
        {
-          type: 'category',
+          type: "category",
-          label: 'Cloud',
+          label: "Cloud",
          items: [
            "guides/manage/cloud/overview",
            "guides/manage/cloud/start",
@ -75,11 +71,11 @@ module.exports = {
            "guides/manage/cloud/billing",
            "guides/manage/cloud/users",
            "guides/manage/cloud/support",
-          ]
+          ],
        },
        {
-          type: 'category',
+          type: "category",
-          label: 'Self-Hosted',
+          label: "Self-Hosted",
          items: [
            "guides/manage/self-hosted/configure/configure",
            "guides/manage/self-hosted/proxy/proxy",
@ -87,34 +83,38 @@ module.exports = {
            "guides/manage/self-hosted/http2",
            "guides/manage/self-hosted/tls_modes",
            "guides/manage/self-hosted/database/database",
-          ]
+          ],
        },
        {
-          type: 'category',
+          type: "category",
-          label: 'Console',
+          label: "Console",
          items: [
            "guides/manage/console/overview",
            "guides/manage/console/instance-settings",
            "guides/manage/console/organizations",
            "guides/manage/console/projects",
            "guides/manage/console/roles",
            "guides/manage/console/applications",
-          ]
+            "guides/manage/console/users",
            "guides/manage/console/managers",
            "guides/manage/console/actions",
          ],
        },
        {
-          type: 'category',
+          type: "category",
-          label: 'Customize',
+          label: "Customize",
          items: [
            "guides/manage/customize/branding",
            "guides/manage/customize/texts",
            "guides/manage/customize/behavior",
            "guides/manage/customize/user-metadata",
-          ]
+          ],
        },
        {
-          type: 'category',
+          type: "category",
-          label: 'Terraform',
+          label: "Terraform",
-          items: [
+          items: ["guides/manage/terraform/basics"],
-            "guides/manage/terraform/basics",
+        },
          ]
        }
      ],
    },
    {
@ -223,7 +223,7 @@ module.exports = {
          collapsed: true,
          items: ["apis/assets/assets"],
        },
-          "apis/actions"
+        "apis/actions",
      ],
    },
    {
@ -242,27 +242,19 @@ module.exports = {
      type: "category",
      label: "SAML",
      collapsed: false,
-      items: [
+      items: ["apis/saml/endpoints"],
        "apis/saml/endpoints",
      ],
    },
    {
      type: "category",
      label: "Observability",
      collapsed: false,
-      items: [
+      items: ["apis/observability/metrics", "apis/observability/health"],
        "apis/observability/metrics",
        "apis/observability/health",
      ],
    },
    {
      type: "category",
      label: "Rate Limits",
      collapsed: false,
-      items: [
+      items: ["apis/ratelimits/ratelimits", "legal/rate-limit-policy"],
        "apis/ratelimits/ratelimits",
        "legal/rate-limit-policy",
      ],
    },
  ],
  concepts: [
@ -295,12 +287,12 @@ module.exports = {
        "concepts/structure/overview",
        "concepts/structure/instance",
        "concepts/structure/organizations",
        "concepts/structure/policies",
        "concepts/structure/projects",
        "concepts/structure/applications",
        "concepts/structure/granted_projects",
        "concepts/structure/users",
        "concepts/structure/managers",
        "concepts/structure/policies",
        "concepts/structure/jwt_idp",
      ],
    },
@ -314,10 +306,7 @@ module.exports = {
      type: "category",
      label: "Features",
      collapsed: false,
-      items: [
+      items: ["concepts/features/actions", "concepts/features/selfservice"],
        "concepts/features/actions",
        "concepts/features/selfservice"
      ],
    },
  ],
  manuals: [
@ -334,7 +323,11 @@ module.exports = {
      type: "category",
      label: "Service Description",
      collapsed: false,
-      items: ["legal/cloud-service-description", "legal/service-level-description", "legal/support-services"],
+      items: [
        "legal/cloud-service-description",
        "legal/service-level-description",
        "legal/support-services",
      ],
    },
    {
      type: "category",
--- a/docs/src/css/apicard.module.css
+++ b/docs/src/css/apicard.module.css
@ -1,12 +1,12 @@
 .apicard {
-  border-radius: .5rem;
+  border-radius: 0.5rem;
  display: flex;
  flex-direction: column;
  min-width: 200px;
  background: var(--card-background);
  padding: 1rem;
  text-decoration: none;
-  transition: all .2 ease-in-out;
+  transition: all 0.2 ease-in-out;
  margin: 1rem 0;
 }
@ -32,7 +32,8 @@
 .apicard:hover {
  text-decoration: none;
-  box-shadow: 0 4px 6px -1px rgba(0, 0, 0, 0.1), 0 2px 4px -1px rgba(0, 0, 0, 0.06);
+  box-shadow: 0 4px 6px -1px rgba(0, 0, 0, 0.1),
    0 2px 4px -1px rgba(0, 0, 0, 0.06);
 }
 /* .apicard h2 {
@ -43,7 +44,9 @@
  color: #bfc1cc;
 } */
-.apicard h3, h4, h5 {
+.apicard h3,
 h4,
 h5 {
  /* color: white; */
  margin: 0.5rem 0 0 0;
 }
@ -64,7 +67,7 @@
 .bottomicon {
  width: 24px;
-  margin-right: .5rem;
+  margin-right: 0.5rem;
  color: var(--ifm-font-color-base);
 }
--- a/docs/src/css/card.module.css
+++ b/docs/src/css/card.module.css
@ -1,17 +1,19 @@
 .card {
-  border-radius: .5rem;
+  border-radius: 0.5rem;
  display: flex;
  flex-direction: column;
  min-width: 200px;
  background: var(--card-background);
  padding: 1rem;
  text-decoration: none;
-  transition: all .2 ease-in-out;
+  transition: all 0.2 ease-in-out;
  border: 1px solid var(--card-border);
 }
 .card:hover {
  text-decoration: none;
-  box-shadow: 0 4px 6px -1px rgba(0, 0, 0, 0.1), 0 2px 4px -1px rgba(0, 0, 0, 0.06);
+  box-shadow: 0 4px 6px -1px rgba(0, 0, 0, 0.1),
    0 2px 4px -1px rgba(0, 0, 0, 0.06);
 }
 .card p {
@ -25,7 +27,7 @@
  background-size: cover;
  object-fit: contain;
  background-position: center;
-  padding: .5rem 0;
+  padding: 0.5rem 0;
  pointer-events: none;
 }
@ -40,7 +42,7 @@
 .bottomicon {
  width: 24px;
-  margin-right: .5rem;
+  margin-right: 0.5rem;
  color: var(--ifm-font-color-base);
 }
@ -68,4 +70,4 @@
  .cardWrapper {
    grid-template-columns: 1fr 1fr 1fr;
  }
-}
+}
--- a/docs/src/css/column.module.css
+++ b/docs/src/css/column.module.css
@ -4,6 +4,19 @@
  grid-gap: 1rem;
 }
 .item {
  border-radius: 1rem;
  transition: all 0.2s ease;
  padding: 1rem;
  display: flex;
  flex-direction: column;
 }
 .item:hover {
  border-radius: 1rem;
  box-shadow: 0 30px 60px rgba(0, 0, 0, 0.12);
 }
@media (min-width: 1180px) {
  .column {
    grid-template-columns: 1fr 1fr;
--- a/docs/src/css/custom.css
+++ b/docs/src/css/custom.css
@ -70,16 +70,17 @@
 /* You can override the default Infima variables here. */
 :root {
  --ifm-background-color: #fafafa;
  --ifm-navbar-background-color: #ffffff;
  --ifm-footer-background-color: #f4f4f4;
-  --ifm-menu-color-background-active: #7e21ce10;
+  --ifm-menu-color-background-active: #00000010;
-  --ifm-menu-color-active: #7e21ce;
+  --ifm-menu-color-active: #000000;
  --ifm-menu-color-background-hover: #f7fafc;
  --ifm-font-color-base: #6b7280;
  --ifm-link-color: #5469d4;
  --ifm-menu-color: #697386;
  --ifm-footer-link-color: #000000;
-  --ifm-color-primary: #7e21ce;
+  --ifm-color-primary: #5469d4;
  --ifm-color-primary-dark: #4d61cf;
  --ifm-color-primary-darker: #4356c9;
  --ifm-color-primary-darkest: #3a4cc3; /* 293bb9 */
@ -88,7 +89,7 @@
  --ifm-color-primary-lightest: #aab4ea;
  --ifm-code-font-size: 95%;
  --ifm-font-family-base: "Lato", sans-serif;
-  --ifm-hero-background-color: var(--ifm-color-primary);
+  --ifm-hero-background-color: #7e21ce;
  --ifm-hero-text-color: var(--ifm-font-color-base-inverse);
  --get-started: #ff2069;
  --get-started-bg-hover: var(--ifm-hero-background-color);
@ -99,7 +100,8 @@
  --ifm-footer-padding-vertical: 50px;
  --ifm-heading-font-weight: 500;
  --ifm-heading-color: #000000;
-  --ifm-font-color-base: #6b7280;
+  --ifm-font-color-base: #000000dd; /*#6b7280;*/
  --font-color-strong: #000000;
  --ifm-navbar-link-hover-color: #000000;
  --ifm-heading-color: #000000;
  --ifm-color-success-contrast-foreground: #0e6245;
@ -113,7 +115,7 @@
  --ifm-color-warning-contrast-background: #ffc1c1;
  --ifm-color-warning-contrast-foreground: #620e0e;
  --card-background: #fafafa;
-  --list-background: #f7fafc;
+  --list-background: #ffffff;
  --ifm-spacing-horizontal: 1.5rem;
  --apiauthbackground: linear-gradient(40deg, #a9d9ca 30%, #b4d5cb);
  --apimgmtbackground: linear-gradient(40deg, #c6d7f3 30%, #c7c6e3);
@ -124,6 +126,9 @@
  --ifm-hero-text-color: #ffffff;
  --gigibannerbackground: white;
  --gigibannerforeground: black;
  --footer-border: rgba(0, 0, 0, 0.12);
  --card-border: rgba(135, 149, 161, 0.2);
  --ifm-pagination-nav-color-hover: #000000;
 }
 .get-started {
@ -163,7 +168,7 @@
 }
 :root[data-theme="dark"] .navbar:not(.navbar-sidebar--show) {
-  background-color: #15173580;
+  background-color: rgba(var(--ifm-background-color, 0.2));
  backdrop-filter: saturate(110%) blur(5px);
 }
@ -233,22 +238,20 @@ h2 {
 }
 :root[data-theme="dark"] {
-  /* --ifm-menu-color-active: #ffd0df;  */
+  --ifm-navbar-background-color: #1b2036; /*#141c2d;*/
-  /* 6e80da */
+  --ifm-footer-background-color: #00000020; /* #121430; */
  --ifm-navbar-background-color: #1b2036;
  --ifm-footer-background-color: #121430;
  --ifm-menu-color-background-active: #ffffff10;
  --ifm-menu-color-active: #ffffff;
  --ifm-menu-color-background-hover: #3c405850;
  --ifm-font-color-base: #dddddd;
-  --ifm-menu-color: #dddddd;
+  --ifm-menu-color: #c1c9d2;
  --ifm-link-color: #ff2069;
  --docsearch-searchbox-background: #454a66;
  --docsearch-searchbox-focus-background: #454a66;
  --docsearch-searchbox-shadow: inset 0 0 0 1px var(--docsearch-primary-color);
  --docsearch-hit-background: #454a66;
  --docsearch-highlight-color: #5469d4;
-  --ifm-navbar-shadow: inset 0 -1px #303031;
+  --ifm-navbar-shadow: inset 0 -1px rgba(255, 255, 255, 0.12);
  --ifm-footer-link-color: #ffffff;
  --ifm-color-emphasis-300: #ffffff20;
  --ifm-color-primary: #ff2069;
@ -258,29 +261,33 @@ h2 {
  --ifm-color-primary-light: #ff4180;
  --ifm-color-primary-lighter: #ff6396;
  --ifm-color-primary-lightest: #ff90b4;
-  --ifm-background-color: #141735;
+  --ifm-background-color: #141735; /* #141c2d; */
  --ifm-hero-background-color: #0f1022;
  --ifm-hero-text-color: #ffffff;
  --get-started-bg: var(--ifm-font-color-base);
  --get-started: #ff1f69;
  --ifm-footer-color: #ffffff50;
  --ifm-heading-color: #ffffff;
-  --ifm-font-color-base: #c1c9d2;
+  --ifm-font-color-base: #ffffffdd; /* #c1c9d2; */
  --font-color-strong: #ffffff;
  --ifm-navbar-link-hover-color: #ffffff;
  --ifm-color-success-contrast-foreground: #cbf4c9;
  --ifm-color-success-contrast-background: #4f566b;
  --ifm-color-success-dark: #cbf4c9;
  --ifm-color-info-dark: #6c8eef;
  --ifm-color-info-contrast-background: #3c4257;
-  --ifm-table-stripe-background: #3c4257;
+  --ifm-table-stripe-background: #1a253c; /* #1a1d46; */
  --ifm-color-secondary-contrast-background: #3c4257;
  --ifm-code-background: #3c4257;
-  --ifm-alert-background-color-highlight: #ffc1c1;
+  --ifm-alert-background-color: #92400e50;
  --ifm-alert-background-color-highlight: #fbbf24;
  --ifm-color-warning-contrast-background: #92400e50;
  --ifm-color-warning-contrast-foreground: #fbbf24;
  --ifm-color-warning-dark: #4f566b;
-  --ifm-color-warning-contrast-background: #4f566b;
+  --ifm-toc-border-color: rgba(135, 149, 161, 0.2);
-  --ifm-color-warning-contrast-foreground: #ffc1c1;
+  --ifm-table-border-color: rgba(135, 149, 161, 0.2);
-  --card-background: #454a66;
+  --card-background: #1a253c; /* #1a1d46; */
-  --list-background: #3c405850;
+  --list-background: #1a253c; /* #1a1d46; */
  --apiauthbackground: linear-gradient(40deg, #506e6e90 30%, #506e6e90);
  --apimgmtbackground: linear-gradient(40deg, #595d8090 30%, #595d8090);
  --apiadminbackground: linear-gradient(40deg, #6a506e90, #6a506e90);
@ -289,6 +296,9 @@ h2 {
  --overlaycolor: #ffffff15;
  --gigibannerbackground: #7e21ce;
  --gigibannerforeground: white;
  --footer-border: rgba(255, 255, 255, 0.12);
  --card-border: rgba(135, 149, 161, 0.2);
  --ifm-pagination-nav-color-hover: #ffffff;
 }
 .get-started:hover {
@ -307,6 +317,8 @@ i {
 main .container img {
  border-radius: 0.5rem;
  margin: 1.5rem 0;
  box-shadow: 0 30px 60px rgba(0, 0, 0, 0.12);
 }
 .rounded {
@ -453,3 +465,29 @@ main .container img {
 .footer__link-item svg {
  margin-left: 0.5rem;
 }
 .footer {
  border-top: 1px solid var(--footer-border);
 }
 table th {
  padding: 0.5rem 1rem;
  text-transform: uppercase;
  font-size: 12px;
  letter-spacing: 0.05em;
  font-weight: 700;
 }
 a {
  transition: all 1s ease;
 }
 .alert {
  font-size: 14px;
  border: none;
  font-weight: 600;
 }
 p strong {
  color: var(--font-color-strong);
 }
--- a/docs/src/css/list.module.css
+++ b/docs/src/css/list.module.css
@ -2,10 +2,10 @@
  display: flex;
  flex-direction: row;
  align-items: center;
-  padding: .5rem 0;
+  padding: 0.5rem 0;
  text-decoration: none;
-  transition: all .2 ease-in-out;
+  transition: all 0.2 ease-in-out;
-  margin: .5rem 0;
+  margin: 0.5rem 0;
 }
 .listelement:hover {
@ -28,7 +28,7 @@
 }
 .icon {
-  padding: .5rem 1rem .5rem .5rem;
+  padding: 0.5rem 1rem 0.5rem 0.5rem;
 }
 .listlabel {
@ -41,12 +41,13 @@
  background: var(--list-background);
  border-radius: 1rem;
  padding: 1rem;
  border: 1px solid var(--card-border);
 }
 .listWrapperTitle {
  color: var(--ifm-heading-color);
  font-size: 16px;
-  margin-bottom: .5rem;
+  margin-bottom: 0.5rem;
  display: block;
 }
@ -62,4 +63,4 @@
  flex-direction: column;
  align-items: stretch;
  padding: 1rem 0;
-}
+}
--- a/docs/src/pages/styles.module.css
+++ b/docs/src/pages/styles.module.css
@ -74,6 +74,7 @@
  height: 70px;
  width: 70px;
  margin: 1rem 1rem 1rem 0 !important;
  border-radius: 50% !important;
 }
 .homelink:hover,
@ -103,6 +104,7 @@
  align-items: center;
  background: var(--list-background);
  border-radius: 1rem;
  border: 1px solid var(--card-border);
 }
 .quickstart p {
--- a/docs/static/img/console_instance_policy_notification_twilio.png
+++ b/docs/static/img/console_instance_policy_notification_twilio.png
--- a/docs/static/img/console_org_register.png
+++ b/docs/static/img/console_org_register.png
--- a/docs/static/img/console_projects_authorization_created.png
+++ b/docs/static/img/console_projects_authorization_created.png
--- a/docs/static/img/console_projects_create_authorization.gif
+++ b/docs/static/img/console_projects_create_authorization.gif
--- a/docs/static/img/console_projects_empty.png
+++ b/docs/static/img/console_projects_empty.png
--- a/docs/static/img/console_projects_overview.png
+++ b/docs/static/img/console_projects_overview.png
--- a/docs/static/img/guides/application/basic-logo-dark.png
+++ b/docs/static/img/guides/application/basic-logo-dark.png
--- a/docs/static/img/guides/application/basic-logo-light.png
+++ b/docs/static/img/guides/application/basic-logo-light.png
--- a/docs/static/img/guides/application/client-id-dark.png
+++ b/docs/static/img/guides/application/client-id-dark.png
--- a/docs/static/img/guides/application/client-id-light.png
+++ b/docs/static/img/guides/application/client-id-light.png
--- a/docs/static/img/guides/application/client-id-secret-dark.png
+++ b/docs/static/img/guides/application/client-id-secret-dark.png
--- a/docs/static/img/guides/application/client-id-secret-light.png
+++ b/docs/static/img/guides/application/client-id-secret-light.png
--- a/docs/static/img/guides/application/client-id-secret.png
+++ b/docs/static/img/guides/application/client-id-secret.png
--- a/docs/static/img/guides/application/client-id.png
+++ b/docs/static/img/guides/application/client-id.png
--- a/docs/static/img/guides/application/code-logo-dark.png
+++ b/docs/static/img/guides/application/code-logo-dark.png
--- a/docs/static/img/guides/application/code-logo-light.png
+++ b/docs/static/img/guides/application/code-logo-light.png
--- a/docs/static/img/guides/application/create-api-app-dark.png
+++ b/docs/static/img/guides/application/create-api-app-dark.png
--- a/docs/static/img/guides/application/create-api-app-light.png
+++ b/docs/static/img/guides/application/create-api-app-light.png
--- a/docs/static/img/guides/application/create-api-app.png
+++ b/docs/static/img/guides/application/create-api-app.png
--- a/docs/static/img/guides/application/create-native-app-dark.png
+++ b/docs/static/img/guides/application/create-native-app-dark.png
--- a/docs/static/img/guides/application/create-native-app-light.png
+++ b/docs/static/img/guides/application/create-native-app-light.png
--- a/docs/static/img/guides/application/create-native-app.png
+++ b/docs/static/img/guides/application/create-native-app.png
--- a/docs/static/img/guides/application/create-saml-app.png
+++ b/docs/static/img/guides/application/create-saml-app.png
--- a/docs/static/img/guides/application/create-user-agent-app-dark.png
+++ b/docs/static/img/guides/application/create-user-agent-app-dark.png
--- a/docs/static/img/guides/application/create-user-agent-app-light.png
+++ b/docs/static/img/guides/application/create-user-agent-app-light.png
--- a/docs/static/img/guides/application/create-user-agent-app.png
+++ b/docs/static/img/guides/application/create-user-agent-app.png
--- a/docs/static/img/guides/application/create-web-app-dark.png
+++ b/docs/static/img/guides/application/create-web-app-dark.png
--- a/docs/static/img/guides/application/create-web-app-light.png
+++ b/docs/static/img/guides/application/create-web-app-light.png
--- a/docs/static/img/guides/application/create-web-app.png
+++ b/docs/static/img/guides/application/create-web-app.png
--- a/docs/static/img/guides/application/generate-key-dark.gif
+++ b/docs/static/img/guides/application/generate-key-dark.gif
--- a/docs/static/img/guides/application/generate-key-light.gif
+++ b/docs/static/img/guides/application/generate-key-light.gif
--- a/docs/static/img/guides/application/generate-key.png
+++ b/docs/static/img/guides/application/generate-key.png
--- a/docs/static/img/guides/application/implicit-logo-dark.png
+++ b/docs/static/img/guides/application/implicit-logo-dark.png
--- a/docs/static/img/guides/application/implicit-logo-light.png
+++ b/docs/static/img/guides/application/implicit-logo-light.png
--- a/docs/static/img/guides/application/jwt-logo-dark.png
+++ b/docs/static/img/guides/application/jwt-logo-dark.png
--- a/docs/static/img/guides/application/jwt-logo-light.png
+++ b/docs/static/img/guides/application/jwt-logo-light.png
--- a/docs/static/img/guides/application/new-app-in-project-dark.png
+++ b/docs/static/img/guides/application/new-app-in-project-dark.png
--- a/docs/static/img/guides/application/new-app-in-project-light.png
+++ b/docs/static/img/guides/application/new-app-in-project-light.png
--- a/docs/static/img/guides/application/pkce-logo-dark.png
+++ b/docs/static/img/guides/application/pkce-logo-dark.png
--- a/docs/static/img/guides/application/post-logo-dark.png
+++ b/docs/static/img/guides/application/post-logo-dark.png
--- a/docs/static/img/guides/application/post-logo-light.png
+++ b/docs/static/img/guides/application/post-logo-light.png
--- a/docs/static/img/guides/application/redirect-uris-dark.png
+++ b/docs/static/img/guides/application/redirect-uris-dark.png
--- a/docs/static/img/guides/application/redirect-uris-light.png
+++ b/docs/static/img/guides/application/redirect-uris-light.png
--- a/docs/static/img/guides/application/redirect-uris.png
+++ b/docs/static/img/guides/application/redirect-uris.png
--- a/docs/static/img/guides/console/action.png
+++ b/docs/static/img/guides/console/action.png
--- a/docs/static/img/guides/console/actionsmenu.png
+++ b/docs/static/img/guides/console/actionsmenu.png
--- a/docs/static/img/guides/console/addapplication.png
+++ b/docs/static/img/guides/console/addapplication.png
--- a/docs/static/img/guides/console/addhuman.png
+++ b/docs/static/img/guides/console/addhuman.png
--- a/docs/static/img/guides/console/additional-origins.png
+++ b/docs/static/img/guides/console/additional-origins.png
--- a/docs/static/img/guides/console/addmachine.png
+++ b/docs/static/img/guides/console/addmachine.png
--- a/docs/static/img/guides/console/addmanager.png
+++ b/docs/static/img/guides/console/addmanager.png
--- a/docs/static/img/guides/console/addrole.png
+++ b/docs/static/img/guides/console/addrole.png
--- a/docs/static/img/guides/console/app-token-settings.png
+++ b/docs/static/img/guides/console/app-token-settings.png
--- a/docs/static/img/guides/console/appidtokensettings.png
+++ b/docs/static/img/guides/console/appidtokensettings.png
--- a/docs/static/img/guides/console/application.png
+++ b/docs/static/img/guides/console/application.png
--- a/Show More
+++ b/Show More