feat: V2 alpha import and export of organizations (#3798)

* feat(import): add functionality to import data into an instance * feat(import): move import to admin api and additional checks for nil pointer * fix(export): export implementation with filtered members and grants * fix: export and import implementation * fix: add possibility to export hashed passwords with the user * fix(import): import with structure of v1 and v2 * docs: add v1 proto * fix(import): check im imported user is already existing * fix(import): add otp import function * fix(import): add external idps, domains, custom text and messages * fix(import): correct usage of default values from login policy * fix(export): fix renaming of add project function * fix(import): move checks for unit tests * expect filter * fix(import): move checks for unit tests * fix(import): move checks for unit tests * fix(import): produce prerelease from branch * fix(import): correctly use provided user id for machine user imports * fix(import): corrected otp import and added guide for export and import * fix: import verified and primary domains * fix(import): add reading from gcs, s3 and localfile with tracing * fix(import): gcs and s3, file size correction and error logging * Delete docker-compose.yml * fix(import): progress logging and count of resources * fix(import): progress logging and count of resources * log subscription * fix(import): incorporate review * fix(import): incorporate review * docs: add suggestion for import Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> * fix(import): add verification otp event and handling of deleted but existing users Co-authored-by: Livio Amstutz <livio.a@gmail.com> Co-authored-by: Fabienne <fabienne.gerschwiler@gmail.com> Co-authored-by: Silvan <silvan.reusser@gmail.com> Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com>
2025-08-12 00:07:36 +00:00 · 2022-07-28 15:42:35 +02:00
parent d620126aab
commit bc9a85daf3
51 changed files with 4430 additions and 648 deletions
--- a/docs/docs/apis/proto/admin.md
+++ b/docs/docs/apis/proto/admin.md
@@ -386,7 +386,7 @@ all queries need to match (AND)
 > **rpc** SetUpOrg([SetUpOrgRequest](#setuporgrequest))
 [SetUpOrgResponse](#setuporgresponse)

-Creates a new org and user 
+Creates a new org and user
 and adds the user to the orgs members as ORG_OWNER


@@ -1469,7 +1469,7 @@ they represent the delta of the event happend on the objects
 [ListFailedEventsResponse](#listfailedeventsresponse)

 Returns event descriptions which cannot be processed.
-It's possible that some events need some retries. 
+It's possible that some events need some retries.
 For example if the SMTP-API wasn't able to send an email at the first time


@@ -1493,6 +1493,30 @@ failed event. You can find out if it worked on the `failure_count`
    DELETE: /failedevents/{database}/{view_name}/{failed_sequence}


+### ImportData
+
+> **rpc** ImportData([ImportDataRequest](#importdatarequest))
+[ImportDataResponse](#importdataresponse)
+
+Imports data into instance and creates different objects
+
+
+
+    POST: /import
+
+
+### ExportData
+
+> **rpc** ExportData([ExportDataRequest](#exportdatarequest))
+[ExportDataResponse](#exportdataresponse)
+
+Exports data from instance
+
+
+
+    POST: /export
+
+



@@ -1789,6 +1813,49 @@ This is an empty request



+### DataOrg
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| org_id |  string | - |  |
+| org |  zitadel.management.v1.AddOrgRequest | - |  |
+| domain_policy |  AddCustomDomainPolicyRequest | - |  |
+| label_policy |  zitadel.management.v1.AddCustomLabelPolicyRequest | - |  |
+| lockout_policy |  zitadel.management.v1.AddCustomLockoutPolicyRequest | - |  |
+| login_policy |  zitadel.management.v1.AddCustomLoginPolicyRequest | - |  |
+| password_complexity_policy |  zitadel.management.v1.AddCustomPasswordComplexityPolicyRequest | - |  |
+| privacy_policy |  zitadel.management.v1.AddCustomPrivacyPolicyRequest | - |  |
+| projects | repeated zitadel.v1.v1.DataProject | - |  |
+| project_roles | repeated zitadel.management.v1.AddProjectRoleRequest | - |  |
+| api_apps | repeated zitadel.v1.v1.DataAPIApplication | - |  |
+| oidc_apps | repeated zitadel.v1.v1.DataOIDCApplication | - |  |
+| human_users | repeated zitadel.v1.v1.DataHumanUser | - |  |
+| machine_users | repeated zitadel.v1.v1.DataMachineUser | - |  |
+| trigger_actions | repeated zitadel.management.v1.SetTriggerActionsRequest | - |  |
+| actions | repeated zitadel.v1.v1.DataAction | - |  |
+| project_grants | repeated zitadel.v1.v1.DataProjectGrant | - |  |
+| user_grants | repeated zitadel.management.v1.AddUserGrantRequest | - |  |
+| org_members | repeated zitadel.management.v1.AddOrgMemberRequest | - |  |
+| project_members | repeated zitadel.management.v1.AddProjectMemberRequest | - |  |
+| project_grant_members | repeated zitadel.management.v1.AddProjectGrantMemberRequest | - |  |
+| user_metadata | repeated zitadel.management.v1.SetUserMetadataRequest | - |  |
+| login_texts | repeated zitadel.management.v1.SetCustomLoginTextsRequest | - |  |
+| init_messages | repeated zitadel.management.v1.SetCustomInitMessageTextRequest | - |  |
+| password_reset_messages | repeated zitadel.management.v1.SetCustomPasswordResetMessageTextRequest | - |  |
+| verify_email_messages | repeated zitadel.management.v1.SetCustomVerifyEmailMessageTextRequest | - |  |
+| verify_phone_messages | repeated zitadel.management.v1.SetCustomVerifyPhoneMessageTextRequest | - |  |
+| domain_claimed_messages | repeated zitadel.management.v1.SetCustomDomainClaimedMessageTextRequest | - |  |
+| passwordless_registration_messages | repeated zitadel.management.v1.SetCustomPasswordlessRegistrationMessageTextRequest | - |  |
+| oidc_idps | repeated zitadel.v1.v1.DataOIDCIDP | - |  |
+| jwt_idps | repeated zitadel.v1.v1.DataJWTIDP | - |  |
+| user_links | repeated zitadel.idp.v1.IDPUserLink | - |  |
+| domains | repeated zitadel.org.v1.Domain | - |  |
+
+
+
+
 ### DeactivateIDPRequest


@@ -1833,6 +1900,76 @@ This is an empty request



+### ExportDataRequest
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| org_ids | repeated string | - |  |
+| excluded_org_ids | repeated string | - |  |
+| with_passwords |  bool | - |  |
+| with_otp |  bool | - |  |
+| response_output |  bool | - |  |
+| local_output |  ExportDataRequest.LocalOutput | - |  |
+| s3_output |  ExportDataRequest.S3Output | - |  |
+| gcs_output |  ExportDataRequest.GCSOutput | - |  |
+| timeout |  string | - |  |
+
+
+
+
+### ExportDataRequest.GCSOutput
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| bucket |  string | - |  |
+| serviceaccount_json |  string | - |  |
+| path |  string | - |  |
+
+
+
+
+### ExportDataRequest.LocalOutput
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| path |  string | - |  |
+
+
+
+
+### ExportDataRequest.S3Output
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| path |  string | - |  |
+| endpoint |  string | - |  |
+| access_key_id |  string | - |  |
+| secret_access_key |  string | - |  |
+| ssl |  bool | - |  |
+| bucket |  string | - |  |
+
+
+
+
+### ExportDataResponse
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| orgs | repeated DataOrg | - |  |
+
+
+
+
 ### FailedEvent


@@ -2603,6 +2740,218 @@ This is an empty response



+### ImportDataError
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| type |  string | - |  |
+| id |  string | - |  |
+| message |  string | - |  |
+
+
+
+
+### ImportDataOrg
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| orgs | repeated DataOrg | - |  |
+
+
+
+
+### ImportDataRequest
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| [**oneof**](https://developers.google.com/protocol-buffers/docs/proto3#oneof) data.data_orgs |  ImportDataOrg | - |  |
+| [**oneof**](https://developers.google.com/protocol-buffers/docs/proto3#oneof) data.data_orgsv1 |  zitadel.v1.v1.ImportDataOrg | - |  |
+| [**oneof**](https://developers.google.com/protocol-buffers/docs/proto3#oneof) data.data_orgs_local |  ImportDataRequest.LocalInput | - |  |
+| [**oneof**](https://developers.google.com/protocol-buffers/docs/proto3#oneof) data.data_orgsv1_local |  ImportDataRequest.LocalInput | - |  |
+| [**oneof**](https://developers.google.com/protocol-buffers/docs/proto3#oneof) data.data_orgs_s3 |  ImportDataRequest.S3Input | - |  |
+| [**oneof**](https://developers.google.com/protocol-buffers/docs/proto3#oneof) data.data_orgsv1_s3 |  ImportDataRequest.S3Input | - |  |
+| [**oneof**](https://developers.google.com/protocol-buffers/docs/proto3#oneof) data.data_orgs_gcs |  ImportDataRequest.GCSInput | - |  |
+| [**oneof**](https://developers.google.com/protocol-buffers/docs/proto3#oneof) data.data_orgsv1_gcs |  ImportDataRequest.GCSInput | - |  |
+| timeout |  string | - |  |
+
+
+
+
+### ImportDataRequest.GCSInput
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| bucket |  string | - |  |
+| serviceaccount_json |  string | - |  |
+| path |  string | - |  |
+
+
+
+
+### ImportDataRequest.LocalInput
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| path |  string | - |  |
+
+
+
+
+### ImportDataRequest.S3Input
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| path |  string | - |  |
+| endpoint |  string | - |  |
+| access_key_id |  string | - |  |
+| secret_access_key |  string | - |  |
+| ssl |  bool | - |  |
+| bucket |  string | - |  |
+
+
+
+
+### ImportDataResponse
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| errors | repeated ImportDataError | - |  |
+| success |  ImportDataSuccess | - |  |
+
+
+
+
+### ImportDataSuccess
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| orgs | repeated ImportDataSuccessOrg | - |  |
+
+
+
+
+### ImportDataSuccessOrg
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| org_id |  string | - |  |
+| project_ids | repeated string | - |  |
+| project_roles | repeated string | - |  |
+| oidc_app_ids | repeated string | - |  |
+| api_app_ids | repeated string | - |  |
+| human_user_ids | repeated string | - |  |
+| machine_user_ids | repeated string | - |  |
+| action_ids | repeated string | - |  |
+| trigger_actions | repeated zitadel.management.v1.SetTriggerActionsRequest | - |  |
+| project_grants | repeated ImportDataSuccessProjectGrant | - |  |
+| user_grants | repeated ImportDataSuccessUserGrant | - |  |
+| org_members | repeated string | - |  |
+| project_members | repeated ImportDataSuccessProjectMember | - |  |
+| project_grant_members | repeated ImportDataSuccessProjectGrantMember | - |  |
+| oidc_ipds | repeated string | - |  |
+| jwt_idps | repeated string | - |  |
+| idp_links | repeated string | - |  |
+| user_links | repeated ImportDataSuccessUserLinks | - |  |
+| user_metadata | repeated ImportDataSuccessUserMetadata | - |  |
+| domains | repeated string | - |  |
+
+
+
+
+### ImportDataSuccessProjectGrant
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| grant_id |  string | - |  |
+| project_id |  string | - |  |
+| org_id |  string | - |  |
+
+
+
+
+### ImportDataSuccessProjectGrantMember
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| project_id |  string | - |  |
+| grant_id |  string | - |  |
+| user_id |  string | - |  |
+
+
+
+
+### ImportDataSuccessProjectMember
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| project_id |  string | - |  |
+| user_id |  string | - |  |
+
+
+
+
+### ImportDataSuccessUserGrant
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| project_id |  string | - |  |
+| user_id |  string | - |  |
+
+
+
+
+### ImportDataSuccessUserLinks
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| user_id |  string | - |  |
+| external_user_id |  string | - |  |
+| display_name |  string | - |  |
+| idp_id |  string | - |  |
+
+
+
+
+### ImportDataSuccessUserMetadata
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| user_id |  string | - |  |
+| key |  string | - |  |
+
+
+
+
 ### IsOrgUniqueRequest
 if name or domain is already in use, org is not unique
 at least one argument has to be provided
--- a/docs/docs/apis/proto/management.md
+++ b/docs/docs/apis/proto/management.md
@@ -5176,8 +5176,10 @@ This is an empty response
 | email |  ImportHumanUserRequest.Email | - | message.required: true<br />  |
 | phone |  ImportHumanUserRequest.Phone | - |  |
 | password |  string | - |  |
+| hashed_password |  ImportHumanUserRequest.HashedPassword | - |  |
 | password_change_required |  bool | - |  |
 | request_passwordless_registration |  bool | - |  |
+| otp_code |  string | - |  |



@@ -5194,6 +5196,18 @@ This is an empty response



+### ImportHumanUserRequest.HashedPassword
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| value |  string | - |  |
+| algorithm |  string | - |  |
+
+
+
+
 ### ImportHumanUserRequest.Phone


--- a/docs/docs/apis/proto/system.md
+++ b/docs/docs/apis/proto/system.md
@@ -150,8 +150,8 @@ they represent the delta of the event happend on the objects
 [ClearViewResponse](#clearviewresponse)

 Truncates the delta of the change stream
-be carefull with this function because ZITADEL has to 
-recompute the deltas after they got cleared. 
+be carefull with this function because ZITADEL has to
+recompute the deltas after they got cleared.
 Search requests will return wrong results until all deltas are recomputed


@@ -165,7 +165,7 @@ Search requests will return wrong results until all deltas are recomputed
 [ListFailedEventsResponse](#listfailedeventsresponse)

 Returns event descriptions which cannot be processed.
-It's possible that some events need some retries. 
+It's possible that some events need some retries.
 For example if the SMTP-API wasn't able to send an email at the first time


@@ -180,7 +180,7 @@ For example if the SMTP-API wasn't able to send an email at the first time

 Deletes the event from failed events view.
 the event is not removed from the change stream
-This call is usefull if the system was able to process the event later. 
+This call is usefull if the system was able to process the event later.
 e.g. if the second try of sending an email was successful. the first try produced a
 failed event. You can find out if it worked on the `failure_count`

--- a/docs/docs/apis/proto/v1.md
+++ b/docs/docs/apis/proto/v1.md
@@ -0,0 +1,261 @@
+---
+title: zitadel/v1.proto
+---
+> This document reflects the state from API 1.0 (available from 20.04.2021)
+
+
+
+
+## Messages
+
+
+### AddCustomOrgIAMPolicyRequest
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| org_id |  string | - | string.min_len: 1<br /> string.max_len: 200<br />  |
+| user_login_must_be_domain |  bool | the username has to end with the domain of it's organisation (uniqueness is organisation based) |  |
+
+
+
+
+### DataAPIApplication
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| app_id |  string | - |  |
+| app |  zitadel.management.v1.AddAPIAppRequest | - |  |
+
+
+
+
+### DataAction
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| action_id |  string | - |  |
+| action |  zitadel.management.v1.CreateActionRequest | - |  |
+
+
+
+
+### DataHumanUser
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| user_id |  string | - |  |
+| user |  zitadel.management.v1.ImportHumanUserRequest | - |  |
+
+
+
+
+### DataJWTIDP
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| idp_id |  string | - |  |
+| idp |  zitadel.management.v1.AddOrgJWTIDPRequest | - |  |
+
+
+
+
+### DataMachineUser
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| user_id |  string | - |  |
+| user |  zitadel.management.v1.AddMachineUserRequest | - |  |
+
+
+
+
+### DataOIDCApplication
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| app_id |  string | - |  |
+| app |  zitadel.management.v1.AddOIDCAppRequest | - |  |
+
+
+
+
+### DataOIDCIDP
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| idp_id |  string | - |  |
+| idp |  zitadel.management.v1.AddOrgOIDCIDPRequest | - |  |
+
+
+
+
+### DataOrg
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| org_id |  string | - |  |
+| org |  zitadel.management.v1.AddOrgRequest | - |  |
+| iam_policy |  AddCustomOrgIAMPolicyRequest | - |  |
+| label_policy |  zitadel.management.v1.AddCustomLabelPolicyRequest | - |  |
+| lockout_policy |  zitadel.management.v1.AddCustomLockoutPolicyRequest | - |  |
+| login_policy |  zitadel.management.v1.AddCustomLoginPolicyRequest | - |  |
+| password_complexity_policy |  zitadel.management.v1.AddCustomPasswordComplexityPolicyRequest | - |  |
+| privacy_policy |  zitadel.management.v1.AddCustomPrivacyPolicyRequest | - |  |
+| projects | repeated DataProject | - |  |
+| project_roles | repeated zitadel.management.v1.AddProjectRoleRequest | - |  |
+| api_apps | repeated DataAPIApplication | - |  |
+| oidc_apps | repeated DataOIDCApplication | - |  |
+| human_users | repeated DataHumanUser | - |  |
+| machine_users | repeated DataMachineUser | - |  |
+| trigger_actions | repeated zitadel.management.v1.SetTriggerActionsRequest | - |  |
+| actions | repeated DataAction | - |  |
+| project_grants | repeated DataProjectGrant | - |  |
+| user_grants | repeated zitadel.management.v1.AddUserGrantRequest | - |  |
+| org_members | repeated zitadel.management.v1.AddOrgMemberRequest | - |  |
+| project_members | repeated zitadel.management.v1.AddProjectMemberRequest | - |  |
+| project_grant_members | repeated zitadel.management.v1.AddProjectGrantMemberRequest | - |  |
+| user_metadata | repeated zitadel.management.v1.SetUserMetadataRequest | - |  |
+| login_texts | repeated zitadel.management.v1.SetCustomLoginTextsRequest | - |  |
+| init_messages | repeated zitadel.management.v1.SetCustomInitMessageTextRequest | - |  |
+| password_reset_messages | repeated zitadel.management.v1.SetCustomPasswordResetMessageTextRequest | - |  |
+| verify_email_messages | repeated zitadel.management.v1.SetCustomVerifyEmailMessageTextRequest | - |  |
+| verify_phone_messages | repeated zitadel.management.v1.SetCustomVerifyPhoneMessageTextRequest | - |  |
+| domain_claimed_messages | repeated zitadel.management.v1.SetCustomDomainClaimedMessageTextRequest | - |  |
+| passwordless_registration_messages | repeated zitadel.management.v1.SetCustomPasswordlessRegistrationMessageTextRequest | - |  |
+| oidc_idps | repeated DataOIDCIDP | - |  |
+| jwt_idps | repeated DataJWTIDP | - |  |
+| second_factors | repeated zitadel.management.v1.AddSecondFactorToLoginPolicyRequest | - |  |
+| multi_factors | repeated zitadel.management.v1.AddMultiFactorToLoginPolicyRequest | - |  |
+| idps | repeated zitadel.management.v1.AddIDPToLoginPolicyRequest | - |  |
+| user_links | repeated zitadel.idp.v1.IDPUserLink | - |  |
+| domains | repeated zitadel.org.v1.Domain | - |  |
+
+
+
+
+### DataProject
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| project_id |  string | - |  |
+| project |  zitadel.management.v1.AddProjectRequest | - |  |
+
+
+
+
+### DataProjectGrant
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| grant_id |  string | - |  |
+| project_grant |  zitadel.management.v1.AddProjectGrantRequest | - |  |
+
+
+
+
+### ExportHumanUser
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| user_name |  string | - | string.min_len: 1<br /> string.max_len: 200<br />  |
+| profile |  ExportHumanUser.Profile | - | message.required: true<br />  |
+| email |  ExportHumanUser.Email | - | message.required: true<br />  |
+| phone |  ExportHumanUser.Phone | - |  |
+| password |  string | - |  |
+| hashed_password |  ExportHumanUser.HashedPassword | - |  |
+| password_change_required |  bool | - |  |
+| request_passwordless_registration |  bool | - |  |
+| otp_code |  string | - |  |
+
+
+
+
+### ExportHumanUser.Email
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| email |  string | TODO: check if no value is allowed | string.email: true<br />  |
+| is_email_verified |  bool | - |  |
+
+
+
+
+### ExportHumanUser.HashedPassword
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| value |  string | - |  |
+| algorithm |  string | - |  |
+
+
+
+
+### ExportHumanUser.Phone
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| phone |  string | has to be a global number | string.min_len: 1<br /> string.max_len: 50<br /> string.prefix: +<br />  |
+| is_phone_verified |  bool | - |  |
+
+
+
+
+### ExportHumanUser.Profile
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| first_name |  string | - | string.min_len: 1<br /> string.max_len: 200<br />  |
+| last_name |  string | - | string.min_len: 1<br /> string.max_len: 200<br />  |
+| nick_name |  string | - | string.max_len: 200<br />  |
+| display_name |  string | - | string.max_len: 200<br />  |
+| preferred_language |  string | - | string.max_len: 10<br />  |
+| gender |  zitadel.user.v1.Gender | - |  |
+
+
+
+
+### ImportDataOrg
+
+
+
+| Field | Type | Description | Validation |
+| ----- | ---- | ----------- | ----------- |
+| orgs | repeated DataOrg | - |  |
+
+
+
+
+
+
--- a/docs/docs/guides/api/export-and-import.md
+++ b/docs/docs/guides/api/export-and-import.md
@@ -0,0 +1,129 @@
+---
+title: Export and import with ZITADEL
+---
+
+## Export from V1 to Import into V2
+
+To migrate from ZITADEL V1 to V2 the API provides you with a possibility to export all resources which are under your organizations.
+Currently, this doesn't include the following points:
+
+* Global policies
+* IAM members
+* Global IDPs
+* Global second/multi factors
+* Machine keys
+* PAT's
+* Application keys
+
+Which results in that if you want to import, and you have no defined organization-specific custom policies, the experience for your users will not be exactly like in your old instance.
+```suggestion
+
+::note Note that the ressources will be migrated without the event stream. This means that you will not have the audit trail for the imported objects.
+
+*** With this export and import the current audit trail is not included, the resources will be newly created ***
+
+### Export from V1 to import into V2 directly 
+
+***To use this requests you have to have an access token with enough permissions to export and import.***
+
+To export all necessary data you only have to use one request, as an example:
+
+```bash
+curl  --request POST \
+  --url {your_domain}/admin/v1/export \
+  --header 'Authorization: Bearer XXXX' \
+  --header 'Content-Type: application/json' \
+  --data '{    
+    "org_ids": [ "70669144072186707", "70671105999825752" ],
+    "excluded_org_ids": [ ],
+    "with_passwords": true,
+    "with_otp": true
+	"timeout": "30s",
+	"response_output": true,
+}' -o export.json
+```
+
+* "org_ids": to select which organizations should be exported
+* "excluded_org_ids": to exclude several organization, if for example no organizations are selected
+* "with_passwords": to include the hashed_passwords of the users in the export 
+* "with_otp": to include the OTP-code of the users in the export
+* "timeout": timeout of the call to export the data
+* "response_output": to output the export as response to the call
+
+***To import the exported data into you new instance, you have to have an already existing instance on a ZITADEL V2, with all desired configuration and global resources.***
+
+Then as an example you can use one request for the import:
+
+```bash
+curl --request POST \
+    --url {your_domain}/admin/v1/import \
+    --header 'Authorization: Bearer XXXX' \
+    --header 'Content-Type: application/json' \
+    --data '{
+        "data_orgsv1": '$(cat export.json)'
+}'
+```
+
+## Export from V1 to Import into V2 thorugh GCS
+
+***To use this requests you have to have an access token with enough permissions to export and import.***
+
+***The used serviceaccount has to have at least the role "Storage Object Creator" to create objects on GCS***
+
+To export all necessary data you only have to use one request which results in a file in your GCS, as an example:
+
+```bash
+curl  --request POST \
+  --url {your_domain}/admin/v1/export \
+  --header 'Authorization: Bearer XXXX' \
+  --header 'Content-Type: application/json' \
+  --data '	"{
+    "org_ids":  [ "70669144072186707", "70671105999825752" ],
+	"excluded_org_ids": [ ],
+	"with_passwords": true,
+	"with_otp": true,
+	"timeout": "10m",
+	"gcs_output": {
+		"path": "export.json",
+		"bucket": "caos-zitadel-exports",
+		"serviceaccount_json": "XXXX"
+	}' -o export.json
+```
+
+* "org_ids": to select which organizations should be exported
+* "excluded_org_ids": to exclude several organization, if for example no organizations are selected
+* "with_passwords": to include the hashed_passwords of the users in the export
+* "with_otp": to include the OTP-code of the users in the export
+* "timeout": timeout for the call to export the data
+* "gcs_output": to write a file into GCS as output to the call
+  * "path": path to the output file on GCS
+  * "bucket": used bucket for output on GCS
+  * "serviceaccount_json": base64-encoded serviceaccount.json used to output the file on GCS
+
+***To import the exported data into you new instance, you have to have an already existing instance on a ZITADEL V2, with all desired configuration and global resources.***
+
+***The used serviceaccount has to have at least the role "Storage Object Viewer" to create objects on GCS***
+
+Then as an example you can use one request for the import:
+
+```bash
+curl --request POST \
+    --url {your_domain}/admin/v1/import \
+    --header 'Authorization: Bearer XXXX' \
+    --header 'Content-Type: application/json' \
+    --data '{
+	    "timeout": "10m",
+        "data_orgsv1_gcs": {
+		  "path": "export.json",
+		  "bucket": "caos-zitadel-exports",
+		  "serviceaccount_json": "XXXX"
+	}
+}'
+```
+
+* "timeout": timeout for the import task
+* "data_orgsv1_gcs": to read the export from GCS directly
+    * "path": path to the exported file on GCS
+    * "bucket": used bucket to read from GCS
+    * "serviceaccount_json": base64-encoded serviceaccount.json used to read the file from GCS
+
--- a/docs/sidebars.js
+++ b/docs/sidebars.js
@@ -100,7 +100,10 @@ module.exports = {
      type: "category",
      label: "API",
      collapsed: false,
-      items: ["guides/api/access-zitadel-apis"],
+      items: [
+          "guides/api/access-zitadel-apis",
+          "guides/api/export-and-import"
+      ],
    },
    {
      type: "category",