diff --git a/internal/command/project_application_api.go b/internal/command/project_application_api.go
index 35b2e7a8c7..9770dcba62 100644
--- a/internal/command/project_application_api.go
+++ b/internal/command/project_application_api.go
@@ -80,6 +80,9 @@ func (c *Commands) ChangeAPIApplication(ctx context.Context, apiApp *domain.APIA
 if existingAPI.State == domain.AppStateUnspecified || existingAPI.State == domain.AppStateRemoved {
 return nil, caos_errs.ThrowNotFound(nil, "COMMAND-2n8uU", "Errors.Project.App.NotExisting")
 }
+ if !existingAPI.IsAPI() {
+ return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-Gnwt3", "Errors.Project.App.IsNotAPI")
+ }
 projectAgg := ProjectAggregateFromWriteModel(&existingAPI.WriteModel)
 changedEvent, hasChanged, err := existingAPI.NewChangedEvent(
 ctx,
@@ -117,6 +120,9 @@ func (c *Commands) ChangeAPIApplicationSecret(ctx context.Context, projectID, ap
 if existingAPI.State == domain.AppStateUnspecified || existingAPI.State == domain.AppStateRemoved {
 return nil, caos_errs.ThrowNotFound(nil, "COMMAND-2g66f", "Errors.Project.App.NotExisting")
 }
+ if !existingAPI.IsAPI() {
+ return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-aeH4", "Errors.Project.App.IsNotAPI")
+ }
 cryptoSecret, stringPW, err := domain.NewClientSecret(c.applicationSecretGenerator)
 if err != nil {
 return nil, err
diff --git a/internal/command/project_application_api_model.go b/internal/command/project_application_api_model.go
index be0ef0d241..37ae2c8cb7 100644
--- a/internal/command/project_application_api_model.go
+++ b/internal/command/project_application_api_model.go
@@ -19,6 +19,7 @@ type APIApplicationWriteModel struct {
 ClientSecretString string
 AuthMethodType domain.APIAuthMethodType
 State domain.AppState
+ api bool
 }
 
 func NewAPIApplicationWriteModelWithAppID(projectID, appID, resourceOwner string) *APIApplicationWriteModel {
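Review bot: The error identifier on the new check in ChangeAPIApplicationSecret, `"COMMAND-aeH4"`, is four characters long while every other identifier introduced by this commit (Gnwt3, GBr34, Ghrh3, BHgn2) and the surrounding ones (2g66f, 2n8uU) use five; these IDs are presumably what gets grepped when a report comes in, so keep the format uniform, e.g. `"COMMAND-aeH4k"`. Placing the type guard before `domain.NewClientSecret` is the right order, since no secret is generated for an app that will be rejected anyway. The diff does not show translation entries for the new `Errors.Project.App.IsNotAPI` / `IsNotOIDC` keys; if they are not added elsewhere the client will see the raw key. The enclosing function continues past the end of the hunk.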
@@ -122,6 +123,7 @@ func (wm *APIApplicationWriteModel) Reduce() error {
 }
 
 func (wm *APIApplicationWriteModel) appendAddAPIEvent(e *project.APIConfigAddedEvent) {
+ wm.api = true
 wm.ClientID = e.ClientID
 wm.ClientSecret = e.ClientSecret
 wm.AuthMethodType = e.AuthMethodType
@@ -171,3 +173,7 @@ func (wm *APIApplicationWriteModel) NewChangedEvent(
 }
 return changeEvent, true, nil
 }
+
+func (wm *APIApplicationWriteModel) IsAPI() bool {
+ return wm.api
+}
diff --git a/internal/command/project_application_oidc.go b/internal/command/project_application_oidc.go
index 1453401715..9bc9436ff1 100644
--- a/internal/command/project_application_oidc.go
+++ b/internal/command/project_application_oidc.go
@@ -99,6 +99,9 @@ func (c *Commands) ChangeOIDCApplication(ctx context.Context, oidc *domain.OIDCA
 if existingOIDC.State == domain.AppStateUnspecified || existingOIDC.State == domain.AppStateRemoved {
 return nil, caos_errs.ThrowNotFound(nil, "COMMAND-2n8uU", "Errors.Project.App.NotExisting")
 }
+ if !existingOIDC.IsOIDC() {
+ return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-GBr34", "Errors.Project.App.IsNotOIDC")
+ }
 projectAgg := ProjectAggregateFromWriteModel(&existingOIDC.WriteModel)
 changedEvent, hasChanged, err := existingOIDC.NewChangedEvent(
 ctx,
@@ -151,6 +154,9 @@ func (c *Commands) ChangeOIDCApplicationSecret(ctx context.Context, projectID, a
 if existingOIDC.State == domain.AppStateUnspecified || existingOIDC.State == domain.AppStateRemoved {
 return nil, caos_errs.ThrowNotFound(nil, "COMMAND-2g66f", "Errors.Project.App.NotExisting")
 }
+ if !existingOIDC.IsOIDC() {
+ return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-Ghrh3", "Errors.Project.App.IsNotOIDC")
+ }
 cryptoSecret, stringPW, err := domain.NewClientSecret(c.applicationSecretGenerator)
 if err != nil {
 return nil, err
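Review bot: IsAPI is a new exported method with no doc comment, and its contract is the whole point of this change: the `api` flag is set only in appendAddAPIEvent when an APIConfigAddedEvent is reduced, and nothing in this diff ever clears it, so it answers "was this app created as an API app", not "is this app currently usable". Suggest `// IsAPI reports whether an APIConfigAddedEvent has been reduced for this app, i.e. the application was created as an API application. It does not reflect State; callers must still check that.` The command-side callers in this commit do check State first, which is the right pairing.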
@@ -183,6 +189,9 @@ func (c *Commands) VerifyOIDCClientSecret(ctx context.Context, projectID, appID,
 if !app.State.Exists() {
 return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-D6hba", "Errors.Project.App.NoExisting")
 }
+ if !app.IsOIDC() {
+ return caos_errs.ThrowInvalidArgument(nil, "COMMAND-BHgn2", "Errors.Project.App.IsNotOIDC")
+ }
 if app.ClientSecret == nil {
 return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-D6hba", "Errors.Project.App.OIDCConfigInvalid")
 }
diff --git a/internal/command/project_application_oidc_model.go b/internal/command/project_application_oidc_model.go
index 7b9ac23df2..343d379f8d 100644
--- a/internal/command/project_application_oidc_model.go
+++ b/internal/command/project_application_oidc_model.go
@@ -34,6 +34,7 @@ type OIDCApplicationWriteModel struct {
 ClockSkew time.Duration
 State domain.AppState
 AdditionalOrigins []string
+ oidc bool
 }
 
 func NewOIDCApplicationWriteModelWithAppID(projectID, appID, resourceOwner string) *OIDCApplicationWriteModel {
@@ -137,6 +138,7 @@ func (wm *OIDCApplicationWriteModel) Reduce() error {
 }
 
 func (wm *OIDCApplicationWriteModel) appendAddOIDCEvent(e *project.OIDCConfigAddedEvent) {
+ wm.oidc = true
 wm.ClientID = e.ClientID
 wm.ClientSecret = e.ClientSecret
 wm.RedirectUris = e.RedirectUris
@@ -290,3 +292,7 @@ func (wm *OIDCApplicationWriteModel) NewChangedEvent(
 }
 return changeEvent, true, nil
 }
+
+func (wm *OIDCApplicationWriteModel) IsOIDC() bool {
+ return wm.oidc
+}
diff --git a/internal/project/repository/eventsourcing/model/api_config.go b/internal/project/repository/eventsourcing/model/api_config.go
index a8be0c11d3..fe666dfba2 100644
--- a/internal/project/repository/eventsourcing/model/api_config.go
+++ b/internal/project/repository/eventsourcing/model/api_config.go
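Review bot: IsOIDC, like its API counterpart, is exported without a doc comment, and the flag it returns is set only in appendAddOIDCEvent and never cleared by anything in this diff, so the method describes how the app was created rather than its current state. Suggest `// IsOIDC reports whether an OIDCConfigAddedEvent has been reduced for this app, i.e. the application was created as an OIDC application. It says nothing about State, which callers must check separately.` VerifyOIDCClientSecret does check `app.State.Exists()` before the new guard, so that caller is already correct; the note is for future callers of the accessor.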
@@ -6,6 +6,7 @@ import (
 "github.com/caos/logging"
 
 "github.com/caos/zitadel/internal/crypto"
+ "github.com/caos/zitadel/internal/errors"
 es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
 "github.com/caos/zitadel/internal/project/model"
 )
@@ -72,6 +73,9 @@ func (p *Project) appendChangeAPIConfigEvent(event *es_models.Event) error {
 }
 
 if i, a := GetApplication(p.Applications, config.AppID); a != nil {
+ if p.Applications[i].OIDCConfig == nil {
+ return errors.ThrowInvalidArgument(nil, "MODEL-ADbsd", "api config is nil")
+ }
 return p.Applications[i].APIConfig.setData(event)
 }
 return nil
diff --git a/internal/project/repository/eventsourcing/model/oidc_config.go b/internal/project/repository/eventsourcing/model/oidc_config.go
index a6d7e9b15d..f7cc7c3f29 100644
--- a/internal/project/repository/eventsourcing/model/oidc_config.go
+++ b/internal/project/repository/eventsourcing/model/oidc_config.go
@@ -165,6 +165,9 @@ func (p *Project) appendChangeOIDCConfigEvent(event *es_models.Event) error {
 }
 
 if i, a := GetApplication(p.Applications, config.AppID); a != nil {
+ if p.Applications[i].OIDCConfig == nil {
+ return errors.ThrowInvalidArgument(nil, "MODEL-aBR5G", "oidc config is nil")
+ }
 return p.Applications[i].OIDCConfig.setData(event)
 }
 return nil
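Review bot: The nil guard added to appendChangeAPIConfigEvent tests `p.Applications[i].OIDCConfig` but the very next line dereferences `p.Applications[i].APIConfig`, so the check does not prevent the nil dereference it is there for, and — since an application that is an API app presumably has no OIDC config — it would reject every legitimate API config change with "api config is nil". The condition should read `if p.Applications[i].APIConfig == nil {`; the message and the MODEL-ADbsd identifier are fine as they are. The sibling hunk in oidc_config.go checks OIDCConfig before calling OIDCConfig.setData, which is the correct pairing and what this one should mirror. Both appendChange*ConfigEvent bodies start before their hunks.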