Merge pull request #20 from caos/proto-files

Proto files
2024-12-12 02:54:20 +00:00 · 2020-03-31 14:18:59 +02:00 · 2020-03-31 14:18:59 +02:00 · ceace305b5
commit ceace305b5
parent e644280196 2c5c2917f1
60 changed files with 38428 additions and 50 deletions
--- a/.gitignore
+++ b/.gitignore
@ -21,3 +21,7 @@ debug
 # IDE
 .idea
 .vscode
+
+# credential
+google-credentials
+key.json
--- a/cmd/zitadel/main.go
+++ b/cmd/zitadel/main.go
@ -44,20 +44,17 @@ func main() {

 	ctx := context.Background()
 	if *managementEnabled {
-		err = management.Start(ctx, conf.Mgmt, conf.AuthZ)
-		logging.Log("MAIN-39Nv5").OnError(err).Fatal("error starting management api")
+		management.Start(ctx, conf.Mgmt, conf.AuthZ)
 	}
 	if *authEnabled {
-		err = auth.Start(ctx, conf.Auth, conf.AuthZ)
-		logging.Log("MAIN-x0nD2").OnError(err).Fatal("error starting auth api")
+		auth.Start(ctx, conf.Auth, conf.AuthZ)
 	}
 	if *loginEnabled {
 		err = login.Start(ctx, conf.Login)
 		logging.Log("MAIN-53RF2").OnError(err).Fatal("error starting login ui")
 	}
 	if *adminEnabled {
-		err = admin.Start(ctx, conf.Admin, conf.AuthZ)
-		logging.Log("MAIN-0na71").OnError(err).Fatal("error starting admin api")
+		admin.Start(ctx, conf.Admin, conf.AuthZ)
 	}
 	if *consoleEnabled {
 		err = console.Start(ctx, conf.Console)
--- a/go.mod
+++ b/go.mod
@ -11,10 +11,11 @@ require (
 	github.com/Masterminds/sprig v2.22.0+incompatible
 	github.com/aws/aws-sdk-go v1.29.16 // indirect
 	github.com/caos/logging v0.0.1
+	github.com/envoyproxy/protoc-gen-validate v0.1.0
 	github.com/ghodss/yaml v1.0.0
 	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
 	github.com/golang/mock v1.4.3
-	github.com/golang/protobuf v1.3.5
+	github.com/golang/protobuf v1.4.0-rc.4
 	github.com/google/uuid v1.1.1 // indirect
 	github.com/gorilla/schema v1.1.0
 	github.com/gorilla/securecookie v1.1.1
@ -34,7 +35,8 @@ require (
 	golang.org/x/text v0.3.2
 	golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56
 	google.golang.org/api v0.20.0 // indirect
-	google.golang.org/genproto v0.0.0-20200319113533-08878b785e9c // indirect
+	google.golang.org/genproto v0.0.0-20200319113533-08878b785e9c
 	google.golang.org/grpc v1.28.0
+	google.golang.org/protobuf v1.20.1
 	gopkg.in/yaml.v2 v2.2.8 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -47,6 +47,7 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
+github.com/envoyproxy/protoc-gen-validate v0.1.0 h1:EQciDnbrYxy13PgWoY8AqoxGiPrpgBZ1R8UNe3ddc+A=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
@ -75,6 +76,11 @@ github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
 github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
 github.com/golang/protobuf v1.3.5 h1:F768QJ1E9tib+q5Sc8MkdJi1RxLTbRcTf8LJV56aRls=
 github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=
+github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
+github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
+github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
+github.com/golang/protobuf v1.4.0-rc.4 h1:+EOh4OY6tjM6ZueeUKinl1f0U2820HzQOuf1iqMnsks=
+github.com/golang/protobuf v1.4.0-rc.4/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@ -323,6 +329,12 @@ google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8
 google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.28.0 h1:bO/TA4OxCOummhSf10siHuG7vJOiwh7SpRpFZDkOgl4=
 google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60=
+google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
+google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
+google.golang.org/protobuf v1.20.1 h1:ESRXHgpUBG5D2I5mmsQIyYxB/tQIZfSZ8wLyFDf/N/U=
+google.golang.org/protobuf v1.20.1/go.mod h1:KqelGeouBkcbcuB3HCk4/YH2tmNLk6YSWA5LIWeI/lY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
--- a/internal/protoc/protoc-gen-authoption/templates.go
+++ b/internal/protoc/protoc-gen-authoption/templates.go
@ -68,7 +68,7 @@ func (fi bindataFileInfo) Sys() interface{} {
 	return nil
 }

-var _templatesAuth_method_mappingGoTmpl = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x8c\x52\xc1\x6a\xe3\x30\x10\x3d\xaf\xbe\x62\x30\x3e\xb4\x21\x95\xd8\x6b\xa0\x87\x25\xdd\x2e\x3d\xb4\x09\x6c\x76\xaf\x41\xb5\x27\xb2\x88\x2d\x19\x49\x0e\xb4\x42\xff\xbe\x8c\xed\xac\x9d\xb4\x0b\xeb\x93\xac\x99\x37\xef\xbd\xd1\x13\x02\xd6\xb6\x44\x50\x68\xd0\xc9\x80\x25\xbc\xbe\x41\xeb\x6c\xb0\xc5\x9d\x42\x73\x27\xbb\x50\x35\x18\x2a\x5b\x72\x78\xd8\xc0\xcb\x66\x07\xdf\x1f\x9e\x76\x9c\xb1\x56\x16\x47\xa9\x10\x62\xe4\x8f\xba\x46\xfe\xc3\x6e\x8f\x8a\xbf\xc8\x06\x53\x62\x8c\xe9\xa6\xb5\x2e\xc0\x0d\x03\x00\xc8\x94\xb5\xaa\x46\xae\x6c\x2d\x8d\xe2\xd6\x29\xa1\x5c\x5b\x64\x7d\x91\x7d\xe9\x82\xae\xfd\x9e\xa8\x20\x53\x3a\x54\xdd\x2b\x2f\x6c\x23\x0a\x69\xbd\x78\xd7\x41\x96\x58\x0b\x6d\x02\x3a\x23\x6b\x41\x6d\xd9\x19\x43\x53\xfe\x03\x33\x90\xdd\x32\x16\x23\x38\x69\x14\x42\xee\x61\x75\x0f\x83\xf2\x9f\xe8\x4e\xba\x40\x0f\x24\x5c\x2c\x16\x0c\x16\x10\x63\xee\xcf\x66\x60\x21\x18\x3b\x49\x37\xbf\xdc\x7f\xeb\x42\xf5\xdc\x2f\xc6\xc3\x3d\x4c\x0e\xf8\x54\x78\x96\x6d\xab\x8d\x82\xd8\xdb\x9c\xa8\x1b\xa2\xce\x3d\x1f\xba\x88\x60\xfc\x62\x84\xbc\x21\xfc\xa6\x0d\xd4\x63\xdb\xa0\xad\x81\xbc\xe1\x9b\xfe\xe4\x21\x23\x7f\x7c\xf4\xc7\x7b\x56\x7e\xfa\xca\x89\x78\x3f\x74\x67\x70\x39\x50\x1f\x40\x9a\x72\x36\xf7\xef\x89\x6f\xd1\x35\xda\x7b\xa2\x98\x61\xfa\xf7\x12\x31\xe6\xc3\x72\xb6\xc3\x33\xa7\xc4\x67\xee\x45\x8c\xe3\x29\x5b\x5d\x7b\x1f\xa4\xc6\x8b\x79\xf4\x4d\x6c\x2b\xc8\x62\xfc\x4c\x46\x4a\xd9\xf2\x03\x6e\x5d\x61\x71\xdc\x4a\x27\x9b\x2b\x5c\x5f\x78\xd4\x58\x97\xa3\x94\x4b\x6c\x5a\xce\xd6\x80\xe6\xbc\xe7\x18\x61\xf8\x49\x8c\x1d\x3a\x53\x7c\x78\x54\xeb\xf4\xbb\x24\x0b\xfb\x27\x8a\x4f\x81\x6d\xb0\xee\xe6\x84\x4e\x1f\x34\xba\xb9\xdb\x9d\x3d\xa2\xf9\x3d\x16\x96\x40\x77\x6b\x6b\x0e\xb0\xb8\xda\x08\x5d\x6a\x75\x0b\x94\x42\xfe\xcb\x48\xf7\x46\x89\x43\x37\x9b\x3f\x66\xc4\x61\xe8\x9c\x81\x29\xdb\xfc\x42\xd1\x67\x82\x26\xde\xe5\xbf\xf2\x79\x4b\x5e\x07\xdf\x90\xd2\x9f\x00\x00\x00\xff\xff\xbf\x91\xbb\x3b\xf2\x03\x00\x00")
+var _templatesAuth_method_mappingGoTmpl = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x8c\x92\xc1\x6e\xdb\x30\x0c\x86\xcf\xd5\x53\x10\x86\x0f\x4d\x90\x4a\xd8\x35\x40\x0f\x43\xba\x0e\x3d\xb4\x09\xd0\x6c\xd7\x40\xb5\x19\x45\x88\x2d\x09\x94\x9c\xa1\x15\xf4\xee\x83\x6c\x77\x71\xd6\x0e\x98\x4f\x32\x45\xf2\xe7\x47\xfd\x42\xc0\xca\xd6\x08\x0a\x0d\x92\x0c\x58\xc3\xcb\x2b\x38\xb2\xc1\x56\x37\x0a\xcd\x8d\xec\xc2\xa1\xc5\x70\xb0\x35\x87\xbb\x35\x3c\xad\xb7\xf0\xed\xee\x61\xcb\x19\x73\xb2\x3a\x4a\x85\x10\x23\xbf\xd7\x0d\xf2\xef\x76\x73\x54\xfc\x49\xb6\x98\x12\x63\x4c\xb7\xce\x52\x80\x6b\x06\x00\x50\x28\x6b\x55\x83\x5c\xd9\x46\x1a\xc5\x2d\x29\xa1\xc8\x55\x45\x7f\xc9\xae\xba\xa0\x1b\xbf\xcb\x52\x50\x28\x1d\x0e\xdd\x0b\xaf\x6c\x2b\x2a\x69\xbd\x78\xd3\x41\xd6\xd8\x08\x6d\x02\x92\x91\x8d\x90\x4e\x8b\x9c\x5a\xb0\xab\xff\x4b\xce\x4a\xc2\x23\x9d\x90\x44\xab\xeb\xba\xc1\x5f\x92\xb0\x60\x33\xc6\x62\x04\x92\x46\x21\x94\x1e\x96\xb7\x30\x80\x3c\x23\x9d\x74\x85\x1e\x32\x87\x98\xcf\x19\xcc\x21\xc6\xd2\xbf\xb3\xc1\x5c\x30\x76\x92\x34\x0d\xee\xbe\x76\xe1\xf0\xd8\xef\xc9\xc3\x2d\x9c\x81\xf8\x10\x7c\x94\xce\x69\xa3\x20\xf6\xc4\x67\xd9\x36\xcb\x96\x7e\xcc\xca\xcd\xc7\x2f\x46\x28\xdb\xdc\x74\xed\x42\xce\xb1\x2e\x68\x6b\xa0\x6c\xf9\xba\x3f\x79\x28\x32\x31\x1f\x89\x79\xaf\xc8\x4f\x5f\x78\x16\xdd\x0d\xd9\x05\x5c\x36\xd4\x7b\x90\xa6\x9e\xf4\xfd\x73\xe2\x1b\xa4\x56\x7b\x9f\x25\x26\x35\xfd\xd3\x89\x18\xcb\x61\x31\x9b\xe1\xc5\x53\xe2\x13\x72\x11\xe3\x78\x2a\x96\x53\xee\x61\xcc\x78\xd1\x2b\x7f\x67\xa5\x25\x14\x31\x7e\x36\x42\x4a\xc5\xe2\x43\xdd\xea\x80\xd5\x71\x23\x49\xb6\x7f\xd5\xf5\x17\xf7\x1a\x9b\x7a\x1c\xe3\xb2\x36\x2d\x26\x2b\x40\xf3\xbe\xe3\x18\x61\xf8\x49\x8c\xed\x3b\x53\x7d\x78\x4c\x4b\xfa\x4d\x66\x84\xdd\x43\x36\x53\x85\x2e\x58\xba\x3e\x21\xe9\xbd\x46\x9a\x92\x6e\xed\x11\xcd\xcf\xf1\x62\x01\x39\xb6\xb2\x66\x0f\xf3\x49\x4e\x0e\x68\x35\x83\xec\x45\xfe\xc3\x48\x7a\x7d\xee\x0d\x39\xe9\x3d\x7a\x83\x30\x74\x64\xe0\x6c\x54\x7e\x31\xcd\x67\xc3\x9c\x35\x17\xff\xf2\xe4\x2c\x73\x0e\xcc\x90\xd2\xef\x00\x00\x00\xff\xff\xf3\xc0\x3d\x9c\xf5\x03\x00\x00")

 func templatesAuth_method_mappingGoTmplBytes() ([]byte, error) {
 	return bindataRead(
@ -83,7 +83,7 @@ func templatesAuth_method_mappingGoTmpl() (*asset, error) {
 		return nil, err
 	}

-	info := bindataFileInfo{name: "templates/auth_method_mapping.go.tmpl", size: 1010, mode: os.FileMode(420), modTime: time.Unix(1584960713, 0)}
+	info := bindataFileInfo{name: "templates/auth_method_mapping.go.tmpl", size: 1013, mode: os.FileMode(420), modTime: time.Unix(1585129064, 0)}
 	a := &asset{bytes: bytes, info: info}
 	return a, nil
 }
--- a/internal/protoc/protoc-gen-authoption/templates/auth_method_mapping.go.tmpl
+++ b/internal/protoc/protoc-gen-authoption/templates/auth_method_mapping.go.tmpl
@ -6,8 +6,8 @@ package {{.File.GoPkg.Name}}
 import (
    "google.golang.org/grpc"
    
-	utils_auth "github.com/caos/zitadel/internal/auth"
-	utils_grpc "github.com/caos/zitadel/internal/grpc"
+	utils_auth "github.com/caos/zitadel/internal/api/auth"
+	"github.com/caos/zitadel/internal/api/grpc/server/middleware"
 )

 {{ range $s := .File.Services }}
@ -16,11 +16,11 @@ import (
 * {{$s.Name}}
 */

-var {{$s.Name}}_AuthMethods = utils_auth.AuthMethodMapping {
+var {{$s.Name}}_AuthMethods = utils_auth.MethodMapping {
    {{ range $m := $s.Method}}
        {{ $mAuthOpt := option $m.Options "caos.zitadel.utils.v1.auth_option" }}
        {{ if and $mAuthOpt $mAuthOpt.Permission }}
-            "/{{$.File.Package}}.{{$s.Name}}/{{.Name}}": utils_auth.AuthOption{
+            "/{{$.File.Package}}.{{$s.Name}}/{{.Name}}": utils_auth.Option{
                Permission: "{{$mAuthOpt.Permission}}",
                CheckParam: "{{$mAuthOpt.CheckFieldName}}",
            },
@ -28,8 +28,8 @@ var {{$s.Name}}_AuthMethods = utils_auth.AuthMethodMapping {
    {{ end}}
 }

-func {{$s.Name}}_Authorization_Interceptor(verifier utils_auth.TokenVerifier, authConf *utils_auth.AuthConfig) grpc.UnaryServerInterceptor {
-    return utils_grpc.AuthorizationInterceptor(verifier, authConf, {{$s.Name}}_AuthMethods)
+func {{$s.Name}}_Authorization_Interceptor(verifier utils_auth.TokenVerifier, authConf *utils_auth.Config) grpc.UnaryServerInterceptor {
+    return middleware.AuthorizationInterceptor(verifier, authConf, {{$s.Name}}_AuthMethods)
 }

 {{ end }}
--- a/pkg/admin/admin.go
+++ b/pkg/admin/admin.go
@ -2,10 +2,8 @@ package admin

 import (
 	"context"
-
 	app "github.com/caos/zitadel/internal/admin"
 	"github.com/caos/zitadel/internal/api/auth"
-	"github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/pkg/admin/api"
 )

@ -14,6 +12,6 @@ type Config struct {
 	API api.Config
 }

-func Start(ctx context.Context, config Config, authZ auth.Config) error {
-	return errors.ThrowUnimplemented(nil, "ADMIN-n8vw5", "not implemented yet") //TODO: implement
+func Start(ctx context.Context, config Config, authZ auth.Config) {
+	api.Start(ctx, config.API)
 }
--- a/pkg/admin/api/api.go
+++ b/pkg/admin/api/api.go
@ -0,0 +1,20 @@
+package api
+
+import (
+	"context"
+	grpc_util "github.com/caos/zitadel/internal/api/grpc"
+	"github.com/caos/zitadel/internal/api/grpc/server"
+	"github.com/caos/zitadel/pkg/admin/api/grpc"
+)
+
+type Config struct {
+	GRPC grpc_util.Config
+}
+
+func Start(ctx context.Context, conf Config) {
+	grpcServer := grpc.StartServer(conf.GRPC.ToServerConfig())
+	grpcGateway := grpc.StartGateway(conf.GRPC.ToGatewayConfig())
+
+	server.StartServer(ctx, grpcServer)
+	server.StartGateway(ctx, grpcGateway)
+}
--- a/pkg/admin/api/config.go
+++ b/pkg/admin/api/config.go
@ -1,7 +0,0 @@
-package api
-
-import "github.com/caos/zitadel/internal/api/grpc"
-
-type Config struct {
-	GRPC grpc.Config
-}
--- a/pkg/admin/api/grpc/admin.pb.authoptions.go
+++ b/pkg/admin/api/grpc/admin.pb.authoptions.go
@ -0,0 +1,41 @@
+// Code generated by protoc-gen-authmethod. DO NOT EDIT.
+
+package grpc
+
+import (
+	"google.golang.org/grpc"
+
+	utils_auth "github.com/caos/zitadel/internal/api/auth"
+	"github.com/caos/zitadel/internal/api/grpc/server/middleware"
+)
+
+/**
+ * AdminService
+ */
+
+var AdminService_AuthMethods = utils_auth.MethodMapping{
+
+	"/zitadel.admin.api.v1.AdminService/IsOrgUnique": utils_auth.Option{
+		Permission: "iam.read",
+		CheckParam: "",
+	},
+
+	"/zitadel.admin.api.v1.AdminService/GetOrgByID": utils_auth.Option{
+		Permission: "iam.read",
+		CheckParam: "",
+	},
+
+	"/zitadel.admin.api.v1.AdminService/SearchOrgs": utils_auth.Option{
+		Permission: "iam.read",
+		CheckParam: "",
+	},
+
+	"/zitadel.admin.api.v1.AdminService/SetUpOrg": utils_auth.Option{
+		Permission: "iam.write",
+		CheckParam: "",
+	},
+}
+
+func AdminService_Authorization_Interceptor(verifier utils_auth.TokenVerifier, authConf *utils_auth.Config) grpc.UnaryServerInterceptor {
+	return middleware.AuthorizationInterceptor(verifier, authConf, AdminService_AuthMethods)
+}
--- a/pkg/admin/api/grpc/admin.pb.go
+++ b/pkg/admin/api/grpc/admin.pb.go
--- a/pkg/admin/api/grpc/admin.pb.gw.go
+++ b/pkg/admin/api/grpc/admin.pb.gw.go
@ -0,0 +1,348 @@
+// Code generated by protoc-gen-grpc-gateway. DO NOT EDIT.
+// source: admin.proto
+
+/*
+Package grpc is a reverse proxy.
+
+It translates gRPC into RESTful JSON APIs.
+*/
+package grpc
+
+import (
+	"context"
+	"io"
+	"net/http"
+
+	"github.com/golang/protobuf/proto"
+	"github.com/golang/protobuf/ptypes/empty"
+	"github.com/grpc-ecosystem/grpc-gateway/runtime"
+	"github.com/grpc-ecosystem/grpc-gateway/utilities"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/grpclog"
+	"google.golang.org/grpc/status"
+)
+
+var _ codes.Code
+var _ io.Reader
+var _ status.Status
+var _ = runtime.String
+var _ = utilities.NewDoubleArray
+
+func request_AdminService_Healthz_0(ctx context.Context, marshaler runtime.Marshaler, client AdminServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq empty.Empty
+	var metadata runtime.ServerMetadata
+
+	msg, err := client.Healthz(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func request_AdminService_Ready_0(ctx context.Context, marshaler runtime.Marshaler, client AdminServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq empty.Empty
+	var metadata runtime.ServerMetadata
+
+	msg, err := client.Ready(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func request_AdminService_Validate_0(ctx context.Context, marshaler runtime.Marshaler, client AdminServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq empty.Empty
+	var metadata runtime.ServerMetadata
+
+	msg, err := client.Validate(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+var (
+	filter_AdminService_IsOrgUnique_0 = &utilities.DoubleArray{Encoding: map[string]int{}, Base: []int(nil), Check: []int(nil)}
+)
+
+func request_AdminService_IsOrgUnique_0(ctx context.Context, marshaler runtime.Marshaler, client AdminServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq UniqueOrgRequest
+	var metadata runtime.ServerMetadata
+
+	if err := runtime.PopulateQueryParameters(&protoReq, req.URL.Query(), filter_AdminService_IsOrgUnique_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := client.IsOrgUnique(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func request_AdminService_GetOrgByID_0(ctx context.Context, marshaler runtime.Marshaler, client AdminServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq OrgID
+	var metadata runtime.ServerMetadata
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["id"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "id")
+	}
+
+	protoReq.Id, err = runtime.String(val)
+
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "id", err)
+	}
+
+	msg, err := client.GetOrgByID(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func request_AdminService_SearchOrgs_0(ctx context.Context, marshaler runtime.Marshaler, client AdminServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq OrgSearchRequest
+	var metadata runtime.ServerMetadata
+
+	newReader, berr := utilities.IOReaderFactory(req.Body)
+	if berr != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
+	}
+	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq); err != nil && err != io.EOF {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := client.SearchOrgs(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func request_AdminService_SetUpOrg_0(ctx context.Context, marshaler runtime.Marshaler, client AdminServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq OrgSetUpRequest
+	var metadata runtime.ServerMetadata
+
+	newReader, berr := utilities.IOReaderFactory(req.Body)
+	if berr != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
+	}
+	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq); err != nil && err != io.EOF {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := client.SetUpOrg(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+// RegisterAdminServiceHandlerFromEndpoint is same as RegisterAdminServiceHandler but
+// automatically dials to "endpoint" and closes the connection when "ctx" gets done.
+func RegisterAdminServiceHandlerFromEndpoint(ctx context.Context, mux *runtime.ServeMux, endpoint string, opts []grpc.DialOption) (err error) {
+	conn, err := grpc.Dial(endpoint, opts...)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		if err != nil {
+			if cerr := conn.Close(); cerr != nil {
+				grpclog.Infof("Failed to close conn to %s: %v", endpoint, cerr)
+			}
+			return
+		}
+		go func() {
+			<-ctx.Done()
+			if cerr := conn.Close(); cerr != nil {
+				grpclog.Infof("Failed to close conn to %s: %v", endpoint, cerr)
+			}
+		}()
+	}()
+
+	return RegisterAdminServiceHandler(ctx, mux, conn)
+}
+
+// RegisterAdminServiceHandler registers the http handlers for service AdminService to "mux".
+// The handlers forward requests to the grpc endpoint over "conn".
+func RegisterAdminServiceHandler(ctx context.Context, mux *runtime.ServeMux, conn *grpc.ClientConn) error {
+	return RegisterAdminServiceHandlerClient(ctx, mux, NewAdminServiceClient(conn))
+}
+
+// RegisterAdminServiceHandlerClient registers the http handlers for service AdminService
+// to "mux". The handlers forward requests to the grpc endpoint over the given implementation of "AdminServiceClient".
+// Note: the gRPC framework executes interceptors within the gRPC handler. If the passed in "AdminServiceClient"
+// doesn't go through the normal gRPC flow (creating a gRPC client etc.) then it will be up to the passed in
+// "AdminServiceClient" to call the correct interceptors.
+func RegisterAdminServiceHandlerClient(ctx context.Context, mux *runtime.ServeMux, client AdminServiceClient) error {
+
+	mux.Handle("GET", pattern_AdminService_Healthz_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_AdminService_Healthz_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_AdminService_Healthz_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
+	mux.Handle("GET", pattern_AdminService_Ready_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_AdminService_Ready_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_AdminService_Ready_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
+	mux.Handle("GET", pattern_AdminService_Validate_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_AdminService_Validate_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_AdminService_Validate_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
+	mux.Handle("GET", pattern_AdminService_IsOrgUnique_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_AdminService_IsOrgUnique_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_AdminService_IsOrgUnique_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
+	mux.Handle("GET", pattern_AdminService_GetOrgByID_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_AdminService_GetOrgByID_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_AdminService_GetOrgByID_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
+	mux.Handle("POST", pattern_AdminService_SearchOrgs_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_AdminService_SearchOrgs_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_AdminService_SearchOrgs_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
+	mux.Handle("POST", pattern_AdminService_SetUpOrg_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_AdminService_SetUpOrg_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_AdminService_SetUpOrg_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
+	return nil
+}
+
+var (
+	pattern_AdminService_Healthz_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0}, []string{"healthz"}, ""))
+
+	pattern_AdminService_Ready_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0}, []string{"ready"}, ""))
+
+	pattern_AdminService_Validate_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0}, []string{"validate"}, ""))
+
+	pattern_AdminService_IsOrgUnique_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1}, []string{"orgs", "_isunique"}, ""))
+
+	pattern_AdminService_GetOrgByID_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 1, 0, 4, 1, 5, 1}, []string{"orgs", "id"}, ""))
+
+	pattern_AdminService_SearchOrgs_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1}, []string{"orgs", "_search"}, ""))
+
+	pattern_AdminService_SetUpOrg_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1}, []string{"orgs", "_setup"}, ""))
+)
+
+var (
+	forward_AdminService_Healthz_0 = runtime.ForwardResponseMessage
+
+	forward_AdminService_Ready_0 = runtime.ForwardResponseMessage
+
+	forward_AdminService_Validate_0 = runtime.ForwardResponseMessage
+
+	forward_AdminService_IsOrgUnique_0 = runtime.ForwardResponseMessage
+
+	forward_AdminService_GetOrgByID_0 = runtime.ForwardResponseMessage
+
+	forward_AdminService_SearchOrgs_0 = runtime.ForwardResponseMessage
+
+	forward_AdminService_SetUpOrg_0 = runtime.ForwardResponseMessage
+)
--- a/pkg/admin/api/grpc/admin.swagger.json
+++ b/pkg/admin/api/grpc/admin.swagger.json
@ -0,0 +1,530 @@
+{
+  "swagger": "2.0",
+  "info": {
+    "title": "admin service",
+    "version": "0.1",
+    "contact": {
+      "url": "https://github.com/caos/zitadel/pkg/admin"
+    }
+  },
+  "schemes": [
+    "https"
+  ],
+  "consumes": [
+    "application/json",
+    "application/grpc"
+  ],
+  "produces": [
+    "application/json",
+    "application/grpc"
+  ],
+  "paths": {
+    "/healthz": {
+      "get": {
+        "summary": "Healthz returns status OK as soon as the service started",
+        "operationId": "Healthz",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "properties": {}
+            }
+          }
+        },
+        "tags": [
+          "AdminService"
+        ]
+      }
+    },
+    "/orgs/_isunique": {
+      "get": {
+        "summary": "ORG",
+        "operationId": "IsOrgUnique",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1UniqueOrgResponse"
+            }
+          }
+        },
+        "parameters": [
+          {
+            "name": "name",
+            "in": "query",
+            "required": false,
+            "type": "string"
+          },
+          {
+            "name": "domain",
+            "in": "query",
+            "required": false,
+            "type": "string"
+          }
+        ],
+        "tags": [
+          "AdminService"
+        ]
+      }
+    },
+    "/orgs/_search": {
+      "post": {
+        "operationId": "SearchOrgs",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1OrgSearchResponse"
+            }
+          }
+        },
+        "parameters": [
+          {
+            "name": "body",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/v1OrgSearchRequest"
+            }
+          }
+        ],
+        "tags": [
+          "AdminService"
+        ]
+      }
+    },
+    "/orgs/_setup": {
+      "post": {
+        "operationId": "SetUpOrg",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1OrgSetUpResponse"
+            }
+          }
+        },
+        "parameters": [
+          {
+            "name": "body",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/v1OrgSetUpRequest"
+            }
+          }
+        ],
+        "tags": [
+          "AdminService"
+        ]
+      }
+    },
+    "/orgs/{id}": {
+      "get": {
+        "operationId": "GetOrgByID",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1Org"
+            }
+          }
+        },
+        "parameters": [
+          {
+            "name": "id",
+            "in": "path",
+            "required": true,
+            "type": "string"
+          }
+        ],
+        "tags": [
+          "AdminService"
+        ]
+      }
+    },
+    "/ready": {
+      "get": {
+        "summary": "Ready returns status OK as soon as all dependent services are available",
+        "operationId": "Ready",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "properties": {}
+            }
+          }
+        },
+        "tags": [
+          "AdminService"
+        ]
+      }
+    },
+    "/validate": {
+      "get": {
+        "operationId": "Validate",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/protobufStruct"
+            }
+          }
+        },
+        "tags": [
+          "AdminService"
+        ]
+      }
+    }
+  },
+  "definitions": {
+    "protobufListValue": {
+      "type": "object",
+      "properties": {
+        "values": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/protobufValue"
+          },
+          "description": "Repeated field of dynamically typed values."
+        }
+      },
+      "description": "`ListValue` is a wrapper around a repeated field of values.\n\nThe JSON representation for `ListValue` is JSON array."
+    },
+    "protobufNullValue": {
+      "type": "string",
+      "enum": [
+        "NULL_VALUE"
+      ],
+      "default": "NULL_VALUE",
+      "description": "`NullValue` is a singleton enumeration to represent the null value for the\n`Value` type union.\n\n The JSON representation for `NullValue` is JSON `null`.\n\n - NULL_VALUE: Null value."
+    },
+    "protobufStruct": {
+      "type": "object",
+      "properties": {
+        "fields": {
+          "type": "object",
+          "additionalProperties": {
+            "$ref": "#/definitions/protobufValue"
+          },
+          "description": "Unordered map of dynamically typed values."
+        }
+      },
+      "description": "`Struct` represents a structured data value, consisting of fields\nwhich map to dynamically typed values. In some languages, `Struct`\nmight be supported by a native representation. For example, in\nscripting languages like JS a struct is represented as an\nobject. The details of that representation are described together\nwith the proto support for the language.\n\nThe JSON representation for `Struct` is JSON object."
+    },
+    "protobufValue": {
+      "type": "object",
+      "properties": {
+        "null_value": {
+          "$ref": "#/definitions/protobufNullValue",
+          "description": "Represents a null value."
+        },
+        "number_value": {
+          "type": "number",
+          "format": "double",
+          "description": "Represents a double value."
+        },
+        "string_value": {
+          "type": "string",
+          "description": "Represents a string value."
+        },
+        "bool_value": {
+          "type": "boolean",
+          "format": "boolean",
+          "description": "Represents a boolean value."
+        },
+        "struct_value": {
+          "$ref": "#/definitions/protobufStruct",
+          "description": "Represents a structured value."
+        },
+        "list_value": {
+          "$ref": "#/definitions/protobufListValue",
+          "description": "Represents a repeated `Value`."
+        }
+      },
+      "description": "`Value` represents a dynamically typed value which can be either\nnull, a number, a string, a boolean, a recursive struct value, or a\nlist of values. A producer of value is expected to set one of that\nvariants, absence of any variant indicates an error.\n\nThe JSON representation for `Value` is JSON value."
+    },
+    "v1CreateOrgRequest": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string"
+        },
+        "domain": {
+          "type": "string"
+        }
+      }
+    },
+    "v1Gender": {
+      "type": "string",
+      "enum": [
+        "GENDER_UNSPECIFIED",
+        "GENDER_FEMALE",
+        "GENDER_MALE",
+        "GENDER_DIVERSE"
+      ],
+      "default": "GENDER_UNSPECIFIED"
+    },
+    "v1Org": {
+      "type": "object",
+      "properties": {
+        "id": {
+          "type": "string"
+        },
+        "state": {
+          "$ref": "#/definitions/v1OrgState"
+        },
+        "creation_date": {
+          "type": "string",
+          "format": "date-time"
+        },
+        "change_date": {
+          "type": "string",
+          "format": "date-time"
+        },
+        "name": {
+          "type": "string"
+        },
+        "domain": {
+          "type": "string"
+        }
+      }
+    },
+    "v1OrgSearchKey": {
+      "type": "string",
+      "enum": [
+        "ORGSEARCHKEY_UNSPECIFIED",
+        "ORGSEARCHKEY_ORG_NAME",
+        "ORGSEARCHKEY_DOMAIN",
+        "ORGSEARCHKEY_STATE"
+      ],
+      "default": "ORGSEARCHKEY_UNSPECIFIED"
+    },
+    "v1OrgSearchMethod": {
+      "type": "string",
+      "enum": [
+        "ORGSEARCHMETHOD_EQUALS",
+        "ORGSEARCHMETHOD_STARTS_WITH",
+        "ORGSEARCHMETHOD_CONTAINS"
+      ],
+      "default": "ORGSEARCHMETHOD_EQUALS"
+    },
+    "v1OrgSearchQuery": {
+      "type": "object",
+      "properties": {
+        "key": {
+          "$ref": "#/definitions/v1OrgSearchKey"
+        },
+        "method": {
+          "$ref": "#/definitions/v1OrgSearchMethod"
+        },
+        "value": {
+          "type": "string"
+        }
+      }
+    },
+    "v1OrgSearchRequest": {
+      "type": "object",
+      "properties": {
+        "offset": {
+          "type": "string",
+          "format": "uint64"
+        },
+        "limit": {
+          "type": "string",
+          "format": "uint64"
+        },
+        "sorting_column": {
+          "$ref": "#/definitions/v1OrgSearchKey"
+        },
+        "asc": {
+          "type": "boolean",
+          "format": "boolean"
+        },
+        "queries": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/v1OrgSearchQuery"
+          }
+        }
+      }
+    },
+    "v1OrgSearchResponse": {
+      "type": "object",
+      "properties": {
+        "offset": {
+          "type": "string",
+          "format": "uint64"
+        },
+        "limit": {
+          "type": "string",
+          "format": "uint64"
+        },
+        "total_result": {
+          "type": "string",
+          "format": "uint64"
+        },
+        "result": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/v1Org"
+          }
+        }
+      }
+    },
+    "v1OrgSetUpRequest": {
+      "type": "object",
+      "properties": {
+        "org": {
+          "$ref": "#/definitions/v1CreateOrgRequest"
+        },
+        "user": {
+          "$ref": "#/definitions/v1RegisterUserRequest"
+        }
+      }
+    },
+    "v1OrgSetUpResponse": {
+      "type": "object",
+      "properties": {
+        "org": {
+          "$ref": "#/definitions/v1Org"
+        },
+        "user": {
+          "$ref": "#/definitions/v1User"
+        }
+      }
+    },
+    "v1OrgState": {
+      "type": "string",
+      "enum": [
+        "ORGSTATE_UNSPECIFIED",
+        "ORGSTATE_ACTIVE",
+        "ORGSTATE_INACTIVE"
+      ],
+      "default": "ORGSTATE_UNSPECIFIED"
+    },
+    "v1RegisterUserRequest": {
+      "type": "object",
+      "properties": {
+        "email": {
+          "type": "string"
+        },
+        "first_name": {
+          "type": "string"
+        },
+        "last_name": {
+          "type": "string"
+        },
+        "nick_name": {
+          "type": "string"
+        },
+        "display_name": {
+          "type": "string"
+        },
+        "preferred_language": {
+          "type": "string"
+        },
+        "gender": {
+          "$ref": "#/definitions/v1Gender"
+        },
+        "password": {
+          "type": "string"
+        },
+        "org_id": {
+          "type": "string"
+        }
+      }
+    },
+    "v1UniqueOrgResponse": {
+      "type": "object",
+      "properties": {
+        "is_unique": {
+          "type": "boolean",
+          "format": "boolean"
+        }
+      }
+    },
+    "v1User": {
+      "type": "object",
+      "properties": {
+        "id": {
+          "type": "string"
+        },
+        "state": {
+          "$ref": "#/definitions/v1UserState"
+        },
+        "creation_date": {
+          "type": "string",
+          "format": "date-time"
+        },
+        "change_date": {
+          "type": "string",
+          "format": "date-time"
+        },
+        "user_name": {
+          "type": "string"
+        },
+        "first_name": {
+          "type": "string"
+        },
+        "last_name": {
+          "type": "string"
+        },
+        "nick_name": {
+          "type": "string"
+        },
+        "display_name": {
+          "type": "string"
+        },
+        "preferred_language": {
+          "type": "string"
+        },
+        "gender": {
+          "$ref": "#/definitions/v1Gender"
+        },
+        "email": {
+          "type": "string"
+        },
+        "isEmailVerified": {
+          "type": "boolean",
+          "format": "boolean"
+        },
+        "phone": {
+          "type": "string"
+        },
+        "isPhoneVerified": {
+          "type": "boolean",
+          "format": "boolean"
+        },
+        "country": {
+          "type": "string"
+        },
+        "locality": {
+          "type": "string"
+        },
+        "postal_code": {
+          "type": "string"
+        },
+        "region": {
+          "type": "string"
+        },
+        "street_address": {
+          "type": "string"
+        }
+      }
+    },
+    "v1UserState": {
+      "type": "string",
+      "enum": [
+        "USERSTATE_UNSPECIFIED",
+        "USERSTATE_ACTIVE",
+        "USERSTATE_INACTIVE",
+        "USERSTATE_DELETED",
+        "USERSTATE_LOCKED",
+        "USERSTATE_SUSPEND",
+        "USERSTATE_INITIAL"
+      ],
+      "default": "USERSTATE_UNSPECIFIED"
+    }
+  }
+}
--- a/pkg/admin/api/grpc/gateway.go
+++ b/pkg/admin/api/grpc/gateway.go
@ -0,0 +1,47 @@
+package grpc
+
+import (
+	grpc_util "github.com/caos/zitadel/internal/api/grpc"
+	"github.com/caos/zitadel/internal/api/grpc/server"
+	"github.com/grpc-ecosystem/grpc-gateway/runtime"
+	"strings"
+)
+
+type Gateway struct {
+	grpcEndpoint string
+	port         string
+	cutomHeaders []string
+}
+
+func StartGateway(conf grpc_util.GatewayConfig) *Gateway {
+	return &Gateway{
+		grpcEndpoint: conf.GRPCEndpoint,
+		port:         conf.Port,
+		cutomHeaders: conf.CustomHeaders,
+	}
+}
+
+func (gw *Gateway) Gateway() server.GatewayFunc {
+	return RegisterAdminServiceHandlerFromEndpoint
+}
+
+func (gw *Gateway) GRPCEndpoint() string {
+	return ":" + gw.grpcEndpoint
+}
+
+func (gw *Gateway) GatewayPort() string {
+	return gw.port
+}
+
+func (gw *Gateway) GatewayServeMuxOptions() []runtime.ServeMuxOption {
+	return []runtime.ServeMuxOption{
+		runtime.WithIncomingHeaderMatcher(func(header string) (string, bool) {
+			for _, customHeader := range gw.cutomHeaders {
+				if strings.HasPrefix(strings.ToLower(header), customHeader) {
+					return header, true
+				}
+			}
+			return header, false
+		}),
+	}
+}
--- a/pkg/admin/api/grpc/generate.go
+++ b/pkg/admin/api/grpc/generate.go
@ -0,0 +1,6 @@
+package grpc
+
+//go:generate protoc -I$GOPATH/src -I../proto -I$GOPATH/src/github.com/grpc-ecosystem/grpc-gateway -I$GOPATH/src/github.com/grpc-ecosystem/grpc-gateway/third_party/googleapis -I$GOPATH/src/github.com/envoyproxy/protoc-gen-validate -I$GOPATH/src/github.com/caos/zitadel/internal/protoc/protoc-gen-authoption --go_out=plugins=grpc:$GOPATH/src --grpc-gateway_out=logtostderr=true:$GOPATH/src --swagger_out=logtostderr=true:. --authoption_out=. ../proto/admin.proto
+//go:generate mockgen -package api -destination ./mock/admin.proto.mock.go github.com/caos/zitadel/pkg/admin/api/grpc AdminServiceClient
+
+//go:generate ../../../console/etc/generate-grpc.sh
--- a/pkg/admin/api/grpc/mock/admin.proto.mock.go
+++ b/pkg/admin/api/grpc/mock/admin.proto.mock.go
@ -0,0 +1,178 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/caos/zitadel/pkg/admin/api/grpc (interfaces: AdminServiceClient)
+
+// Package api is a generated GoMock package.
+package api
+
+import (
+	context "context"
+	grpc "github.com/caos/zitadel/pkg/admin/api/grpc"
+	gomock "github.com/golang/mock/gomock"
+	empty "github.com/golang/protobuf/ptypes/empty"
+	struct0 "github.com/golang/protobuf/ptypes/struct"
+	grpc0 "google.golang.org/grpc"
+	reflect "reflect"
+)
+
+// MockAdminServiceClient is a mock of AdminServiceClient interface
+type MockAdminServiceClient struct {
+	ctrl     *gomock.Controller
+	recorder *MockAdminServiceClientMockRecorder
+}
+
+// MockAdminServiceClientMockRecorder is the mock recorder for MockAdminServiceClient
+type MockAdminServiceClientMockRecorder struct {
+	mock *MockAdminServiceClient
+}
+
+// NewMockAdminServiceClient creates a new mock instance
+func NewMockAdminServiceClient(ctrl *gomock.Controller) *MockAdminServiceClient {
+	mock := &MockAdminServiceClient{ctrl: ctrl}
+	mock.recorder = &MockAdminServiceClientMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockAdminServiceClient) EXPECT() *MockAdminServiceClientMockRecorder {
+	return m.recorder
+}
+
+// GetOrgByID mocks base method
+func (m *MockAdminServiceClient) GetOrgByID(arg0 context.Context, arg1 *grpc.OrgID, arg2 ...grpc0.CallOption) (*grpc.Org, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "GetOrgByID", varargs...)
+	ret0, _ := ret[0].(*grpc.Org)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetOrgByID indicates an expected call of GetOrgByID
+func (mr *MockAdminServiceClientMockRecorder) GetOrgByID(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetOrgByID", reflect.TypeOf((*MockAdminServiceClient)(nil).GetOrgByID), varargs...)
+}
+
+// Healthz mocks base method
+func (m *MockAdminServiceClient) Healthz(arg0 context.Context, arg1 *empty.Empty, arg2 ...grpc0.CallOption) (*empty.Empty, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "Healthz", varargs...)
+	ret0, _ := ret[0].(*empty.Empty)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Healthz indicates an expected call of Healthz
+func (mr *MockAdminServiceClientMockRecorder) Healthz(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Healthz", reflect.TypeOf((*MockAdminServiceClient)(nil).Healthz), varargs...)
+}
+
+// IsOrgUnique mocks base method
+func (m *MockAdminServiceClient) IsOrgUnique(arg0 context.Context, arg1 *grpc.UniqueOrgRequest, arg2 ...grpc0.CallOption) (*grpc.UniqueOrgResponse, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "IsOrgUnique", varargs...)
+	ret0, _ := ret[0].(*grpc.UniqueOrgResponse)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// IsOrgUnique indicates an expected call of IsOrgUnique
+func (mr *MockAdminServiceClientMockRecorder) IsOrgUnique(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IsOrgUnique", reflect.TypeOf((*MockAdminServiceClient)(nil).IsOrgUnique), varargs...)
+}
+
+// Ready mocks base method
+func (m *MockAdminServiceClient) Ready(arg0 context.Context, arg1 *empty.Empty, arg2 ...grpc0.CallOption) (*empty.Empty, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "Ready", varargs...)
+	ret0, _ := ret[0].(*empty.Empty)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Ready indicates an expected call of Ready
+func (mr *MockAdminServiceClientMockRecorder) Ready(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Ready", reflect.TypeOf((*MockAdminServiceClient)(nil).Ready), varargs...)
+}
+
+// SearchOrgs mocks base method
+func (m *MockAdminServiceClient) SearchOrgs(arg0 context.Context, arg1 *grpc.OrgSearchRequest, arg2 ...grpc0.CallOption) (*grpc.OrgSearchResponse, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "SearchOrgs", varargs...)
+	ret0, _ := ret[0].(*grpc.OrgSearchResponse)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// SearchOrgs indicates an expected call of SearchOrgs
+func (mr *MockAdminServiceClientMockRecorder) SearchOrgs(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchOrgs", reflect.TypeOf((*MockAdminServiceClient)(nil).SearchOrgs), varargs...)
+}
+
+// SetUpOrg mocks base method
+func (m *MockAdminServiceClient) SetUpOrg(arg0 context.Context, arg1 *grpc.OrgSetUpRequest, arg2 ...grpc0.CallOption) (*grpc.OrgSetUpResponse, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "SetUpOrg", varargs...)
+	ret0, _ := ret[0].(*grpc.OrgSetUpResponse)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// SetUpOrg indicates an expected call of SetUpOrg
+func (mr *MockAdminServiceClientMockRecorder) SetUpOrg(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetUpOrg", reflect.TypeOf((*MockAdminServiceClient)(nil).SetUpOrg), varargs...)
+}
+
+// Validate mocks base method
+func (m *MockAdminServiceClient) Validate(arg0 context.Context, arg1 *empty.Empty, arg2 ...grpc0.CallOption) (*struct0.Struct, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "Validate", varargs...)
+	ret0, _ := ret[0].(*struct0.Struct)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Validate indicates an expected call of Validate
+func (mr *MockAdminServiceClientMockRecorder) Validate(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Validate", reflect.TypeOf((*MockAdminServiceClient)(nil).Validate), varargs...)
+}
--- a/pkg/admin/api/grpc/org.go
+++ b/pkg/admin/api/grpc/org.go
@ -0,0 +1,22 @@
+package grpc
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/errors"
+)
+
+func (s *Server) GetOrgByID(ctx context.Context, orgID *OrgID) (_ *Org, err error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-mvn3R", "Not implemented")
+}
+
+func (s *Server) SearchOrgs(ctx context.Context, request *OrgSearchRequest) (_ *OrgSearchResponse, err error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-Po9Hd", "Not implemented")
+}
+
+func (s *Server) IsOrgUnique(ctx context.Context, request *UniqueOrgRequest) (org *UniqueOrgResponse, err error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-0p6Fw", "Not implemented")
+}
+
+func (s *Server) SetUpOrg(ctx context.Context, orgSetUp *OrgSetUpRequest) (_ *OrgSetUpResponse, err error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-hdj5D", "Not implemented")
+}
--- a/pkg/admin/api/grpc/probes.go
+++ b/pkg/admin/api/grpc/probes.go
@ -0,0 +1,20 @@
+package grpc
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/golang/protobuf/ptypes/empty"
+	pb_struct "github.com/golang/protobuf/ptypes/struct"
+)
+
+func (s *Server) Healthz(_ context.Context, e *empty.Empty) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-ruc8e", "Not implemented")
+}
+
+func (s *Server) Ready(ctx context.Context, e *empty.Empty) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-bw3vR", "Not implemented")
+}
+
+func (s *Server) Validate(ctx context.Context, _ *empty.Empty) (*pb_struct.Struct, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-98Gse", "Not implemented")
+}
--- a/pkg/admin/api/grpc/server.go
+++ b/pkg/admin/api/grpc/server.go
@ -0,0 +1,44 @@
+package grpc
+
+import (
+	grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
+	"google.golang.org/grpc"
+
+	grpc_util "github.com/caos/zitadel/internal/api/grpc"
+	"github.com/caos/zitadel/internal/api/grpc/server/middleware"
+)
+
+var _ AdminServiceServer = (*Server)(nil)
+
+type Config struct {
+	Port        string
+	SearchLimit int
+}
+
+type Server struct {
+	port        string
+	searchLimit int
+}
+
+func StartServer(conf grpc_util.ServerConfig) *Server {
+	return &Server{
+		port: conf.Port,
+	}
+}
+
+func (s *Server) GRPCPort() string {
+	return s.port
+}
+
+func (s *Server) GRPCServer() (*grpc.Server, error) {
+	gs := grpc.NewServer(
+		middleware.TracingStatsServer("/Healthz", "/Ready", "/Validate"),
+		grpc.UnaryInterceptor(
+			grpc_middleware.ChainUnaryServer(
+				middleware.ErrorHandler(),
+			),
+		),
+	)
+	RegisterAdminServiceServer(gs, s)
+	return gs, nil
+}
--- a/pkg/admin/api/proto/admin.proto
+++ b/pkg/admin/api/proto/admin.proto
@ -0,0 +1,230 @@
+
+syntax = "proto3";
+
+import "google/api/annotations.proto";
+import "google/protobuf/empty.proto";
+import "google/protobuf/timestamp.proto";
+import "google/protobuf/struct.proto";
+import "validate/validate.proto";
+import "protoc-gen-swagger/options/annotations.proto";
+import "authoption/options.proto";
+
+package zitadel.admin.api.v1;
+
+option go_package ="github.com/caos/zitadel/pkg/admin/api/grpc";
+
+option (grpc.gateway.protoc_gen_swagger.options.openapiv2_swagger) = {
+    info: {
+        title: "admin service";
+        version: "0.1";
+        contact:{
+            url: "https://github.com/caos/zitadel/pkg/admin"
+        };
+    };
+
+    schemes: HTTPS;
+
+    consumes: "application/json";
+    consumes: "application/grpc";
+
+    produces: "application/json";
+    produces: "application/grpc";
+};
+
+service AdminService {
+    // ---------
+    // Probes
+    // ---------
+
+    // Healthz returns status OK as soon as the service started
+    rpc Healthz(google.protobuf.Empty) returns (google.protobuf.Empty) {
+        option (google.api.http) = {
+           get: "/healthz"
+        };
+    }
+
+    // Ready returns status OK as soon as all dependent services are available
+    rpc Ready(google.protobuf.Empty) returns (google.protobuf.Empty) {
+        option (google.api.http) = {
+           get: "/ready"
+        };
+    }
+
+    rpc Validate(google.protobuf.Empty) returns (google.protobuf.Struct) {
+        option (google.api.http) = {
+            get: "/validate"
+        };
+    }
+
+//ORG
+    rpc IsOrgUnique(UniqueOrgRequest) returns (UniqueOrgResponse) {
+        option (google.api.http) = {
+            get: "/orgs/_isunique"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.read"
+        };
+    }
+
+    rpc GetOrgByID(OrgID) returns (Org) {
+        option (google.api.http) = {
+            get: "/orgs/{id}"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.read"
+        };
+    }
+
+    rpc SearchOrgs(OrgSearchRequest) returns (OrgSearchResponse) {
+        option (google.api.http) = {
+            post: "/orgs/_search"
+            body: "*"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.read"
+        };
+    }
+
+    rpc SetUpOrg(OrgSetUpRequest) returns (OrgSetUpResponse) {
+        option (google.api.http) = {
+            post: "/orgs/_setup"
+            body: "*"
+        };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+            permission: "iam.write"
+        };
+    }
+}
+
+message OrgID {
+    string id = 1;
+}
+
+message UniqueOrgRequest {
+    string name = 1 [(validate.rules).string.min_len = 1];
+    string domain = 2 [(validate.rules).string.min_len = 1];
+}
+
+message UniqueOrgResponse {
+    bool is_unique = 1;
+}
+
+message Org {
+    string id = 1;
+    OrgState state = 2;
+    google.protobuf.Timestamp creation_date = 3;
+    google.protobuf.Timestamp change_date = 4;
+    string name = 5;
+    string domain = 6;
+}
+
+enum OrgState {
+    ORGSTATE_UNSPECIFIED = 0;
+    ORGSTATE_ACTIVE = 1;
+    ORGSTATE_INACTIVE = 2;
+}
+
+message OrgSearchRequest {
+    uint64 offset = 1;
+    uint64 limit = 2;
+    OrgSearchKey sorting_column = 3 [(validate.rules).enum = {not_in: [0]}];;
+    bool asc = 4;
+    repeated OrgSearchQuery queries = 5;
+}
+
+message OrgSearchQuery {
+    OrgSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];;
+    OrgSearchMethod method = 2;
+    string value = 3;
+}
+
+enum OrgSearchKey {
+    ORGSEARCHKEY_UNSPECIFIED = 0;
+    ORGSEARCHKEY_ORG_NAME = 1;
+    ORGSEARCHKEY_DOMAIN = 2;
+    ORGSEARCHKEY_STATE = 3;
+}
+
+message OrgSearchResponse {
+    uint64 offset = 1;
+    uint64 limit = 2;
+    uint64 total_result = 3;
+    repeated Org result = 4;
+}
+
+enum OrgSearchMethod {
+    ORGSEARCHMETHOD_EQUALS = 0;
+    ORGSEARCHMETHOD_STARTS_WITH = 1;
+    ORGSEARCHMETHOD_CONTAINS = 2;
+}
+
+message OrgSetUpRequest {
+    CreateOrgRequest org = 1;
+    RegisterUserRequest user = 2;
+}
+
+message OrgSetUpResponse {
+    Org org = 1;
+    User user = 2;
+}
+
+message RegisterUserRequest {
+    string email = 1 [(validate.rules).string.email = true];
+    string first_name = 2 [(validate.rules).string.min_len = 1];
+    string last_name = 3 [(validate.rules).string.min_len = 1];
+    string nick_name = 4;
+    string display_name = 5;
+    string preferred_language = 6;
+    Gender gender = 7;
+    string password = 8 [(validate.rules).string.min_len = 1];
+    string org_id = 9 [(validate.rules).string.min_len = 1];
+}
+
+message User {
+    string id = 1;
+    UserState state = 2;
+    google.protobuf.Timestamp creation_date = 3;
+    google.protobuf.Timestamp change_date = 4;
+    string user_name = 5;
+    string first_name = 6;
+    string last_name = 7;
+    string nick_name = 8;
+    string display_name = 9;
+    string preferred_language = 10;
+    Gender gender = 11;
+    string email = 12;
+    bool isEmailVerified = 13;
+    string phone = 14;
+    bool isPhoneVerified = 15;
+    string country = 16;
+    string locality = 17;
+    string postal_code = 18;
+    string region = 19;
+    string street_address = 20;
+}
+
+enum UserState {
+    USERSTATE_UNSPECIFIED = 0;
+    USERSTATE_ACTIVE = 1;
+    USERSTATE_INACTIVE = 2;
+    USERSTATE_DELETED = 3;
+    USERSTATE_LOCKED = 4;
+    USERSTATE_SUSPEND = 5;
+    USERSTATE_INITIAL= 6;
+}
+
+enum Gender {
+    GENDER_UNSPECIFIED = 0;
+    GENDER_FEMALE = 1;
+    GENDER_MALE = 2;
+    GENDER_DIVERSE = 3;
+}
+
+message CreateOrgRequest {
+    string name = 1 [(validate.rules).string.min_len = 1];
+    string domain = 2 [(validate.rules).string.min_len = 1];
+}
--- a/pkg/auth/api/api.go
+++ b/pkg/auth/api/api.go
@ -0,0 +1,21 @@
+package api
+
+import (
+	"context"
+
+	grpc_util "github.com/caos/zitadel/internal/api/grpc"
+	"github.com/caos/zitadel/internal/api/grpc/server"
+	"github.com/caos/zitadel/pkg/auth/api/grpc"
+)
+
+type Config struct {
+	GRPC grpc_util.Config
+}
+
+func Start(ctx context.Context, conf Config) {
+	grpcServer := grpc.StartServer(conf.GRPC.ToServerConfig())
+	grpcGateway := grpc.StartGateway(conf.GRPC.ToGatewayConfig())
+
+	server.StartServer(ctx, grpcServer)
+	server.StartGateway(ctx, grpcGateway)
+}
--- a/pkg/auth/api/config.go
+++ b/pkg/auth/api/config.go
@ -1,7 +0,0 @@
-package api
-
-import "github.com/caos/zitadel/internal/api/grpc"
-
-type Config struct {
-	GRPC grpc.Config
-}
--- a/pkg/auth/api/grpc/auth.pb.authoptions.go
+++ b/pkg/auth/api/grpc/auth.pb.authoptions.go
@ -0,0 +1,131 @@
+// Code generated by protoc-gen-authmethod. DO NOT EDIT.
+
+package grpc
+
+import (
+	"google.golang.org/grpc"
+
+	utils_auth "github.com/caos/zitadel/internal/api/auth"
+	"github.com/caos/zitadel/internal/api/grpc/server/middleware"
+)
+
+/**
+ * AuthService
+ */
+
+var AuthService_AuthMethods = utils_auth.MethodMapping{
+
+	"/zitadel.auth.api.v1.AuthService/GetMyUserSessions": utils_auth.Option{
+		Permission: "authenticated",
+		CheckParam: "",
+	},
+
+	"/zitadel.auth.api.v1.AuthService/GetMyUserProfile": utils_auth.Option{
+		Permission: "authenticated",
+		CheckParam: "",
+	},
+
+	"/zitadel.auth.api.v1.AuthService/UpdateMyUserProfile": utils_auth.Option{
+		Permission: "authenticated",
+		CheckParam: "",
+	},
+
+	"/zitadel.auth.api.v1.AuthService/GetMyUserEmail": utils_auth.Option{
+		Permission: "authenticated",
+		CheckParam: "",
+	},
+
+	"/zitadel.auth.api.v1.AuthService/ChangeMyUserEmail": utils_auth.Option{
+		Permission: "authenticated",
+		CheckParam: "",
+	},
+
+	"/zitadel.auth.api.v1.AuthService/VerifyMyUserEmail": utils_auth.Option{
+		Permission: "authenticated",
+		CheckParam: "",
+	},
+
+	"/zitadel.auth.api.v1.AuthService/ResendMyEmailVerificationMail": utils_auth.Option{
+		Permission: "authenticated",
+		CheckParam: "",
+	},
+
+	"/zitadel.auth.api.v1.AuthService/GetMyUserPhone": utils_auth.Option{
+		Permission: "authenticated",
+		CheckParam: "",
+	},
+
+	"/zitadel.auth.api.v1.AuthService/ChangeMyUserPhone": utils_auth.Option{
+		Permission: "authenticated",
+		CheckParam: "",
+	},
+
+	"/zitadel.auth.api.v1.AuthService/VerifyMyUserPhone": utils_auth.Option{
+		Permission: "authenticated",
+		CheckParam: "",
+	},
+
+	"/zitadel.auth.api.v1.AuthService/ResendMyPhoneVerificationCode": utils_auth.Option{
+		Permission: "authenticated",
+		CheckParam: "",
+	},
+
+	"/zitadel.auth.api.v1.AuthService/GetMyUserAddress": utils_auth.Option{
+		Permission: "authenticated",
+		CheckParam: "",
+	},
+
+	"/zitadel.auth.api.v1.AuthService/UpdateMyUserAddress": utils_auth.Option{
+		Permission: "authenticated",
+		CheckParam: "",
+	},
+
+	"/zitadel.auth.api.v1.AuthService/GetMyMfas": utils_auth.Option{
+		Permission: "authenticated",
+		CheckParam: "",
+	},
+
+	"/zitadel.auth.api.v1.AuthService/SetMyPassword": utils_auth.Option{
+		Permission: "authenticated",
+		CheckParam: "",
+	},
+
+	"/zitadel.auth.api.v1.AuthService/ChangeMyPassword": utils_auth.Option{
+		Permission: "authenticated",
+		CheckParam: "",
+	},
+
+	"/zitadel.auth.api.v1.AuthService/AddMfaOTP": utils_auth.Option{
+		Permission: "authenticated",
+		CheckParam: "",
+	},
+
+	"/zitadel.auth.api.v1.AuthService/VerifyMfaOTP": utils_auth.Option{
+		Permission: "authenticated",
+		CheckParam: "",
+	},
+
+	"/zitadel.auth.api.v1.AuthService/RemoveMfaOTP": utils_auth.Option{
+		Permission: "authenticated",
+		CheckParam: "",
+	},
+
+	"/zitadel.auth.api.v1.AuthService/SearchMyProjectOrgs": utils_auth.Option{
+		Permission: "authenticated",
+		CheckParam: "",
+	},
+
+	"/zitadel.auth.api.v1.AuthService/IsIamAdmin": utils_auth.Option{
+		Permission: "authenticated",
+		CheckParam: "",
+	},
+
+	"/zitadel.auth.api.v1.AuthService/GetMyZitadelPermissions": utils_auth.Option{
+		Permission: "authenticated",
+		CheckParam: "",
+	},
+}
+
+func AuthService_Authorization_Interceptor(verifier utils_auth.TokenVerifier, authConf *utils_auth.Config) grpc.UnaryServerInterceptor {
+	return middleware.AuthorizationInterceptor(verifier, authConf, AuthService_AuthMethods)
+}
--- a/pkg/auth/api/grpc/auth.pb.go
+++ b/pkg/auth/api/grpc/auth.pb.go
--- a/pkg/auth/api/grpc/auth.pb.gw.go
+++ b/pkg/auth/api/grpc/auth.pb.gw.go
--- a/pkg/auth/api/grpc/auth.swagger.json
+++ b/pkg/auth/api/grpc/auth.swagger.json
--- a/pkg/auth/api/grpc/gateway.go
+++ b/pkg/auth/api/grpc/gateway.go
@ -0,0 +1,49 @@
+package grpc
+
+import (
+	"strings"
+
+	"github.com/grpc-ecosystem/grpc-gateway/runtime"
+
+	grpc_util "github.com/caos/zitadel/internal/api/grpc"
+	"github.com/caos/zitadel/internal/api/grpc/server"
+)
+
+type Gateway struct {
+	grpcEndpoint string
+	port         string
+	cutomHeaders []string
+}
+
+func StartGateway(conf grpc_util.GatewayConfig) *Gateway {
+	return &Gateway{
+		grpcEndpoint: conf.GRPCEndpoint,
+		port:         conf.Port,
+		cutomHeaders: conf.CustomHeaders,
+	}
+}
+
+func (gw *Gateway) Gateway() server.GatewayFunc {
+	return RegisterAuthServiceHandlerFromEndpoint
+}
+
+func (gw *Gateway) GRPCEndpoint() string {
+	return ":" + gw.grpcEndpoint
+}
+
+func (gw *Gateway) GatewayPort() string {
+	return gw.port
+}
+
+func (gw *Gateway) GatewayServeMuxOptions() []runtime.ServeMuxOption {
+	return []runtime.ServeMuxOption{
+		runtime.WithIncomingHeaderMatcher(func(header string) (string, bool) {
+			for _, customHeader := range gw.cutomHeaders {
+				if strings.HasPrefix(strings.ToLower(header), customHeader) {
+					return header, true
+				}
+			}
+			return header, false
+		}),
+	}
+}
--- a/pkg/auth/api/grpc/generate.go
+++ b/pkg/auth/api/grpc/generate.go
@ -0,0 +1,5 @@
+package grpc
+
+//go:generate protoc -I$GOPATH/src -I../proto -I$GOPATH/src/github.com/grpc-ecosystem/grpc-gateway -I$GOPATH/src/github.com/grpc-ecosystem/grpc-gateway/third_party/googleapis -I${GOPATH}/src/github.com/envoyproxy/protoc-gen-validate -I${GOPATH}/src/github.com/caos/zitadel/internal/protoc/protoc-gen-authoption --go_out=plugins=grpc:$GOPATH/src --grpc-gateway_out=logtostderr=true:$GOPATH/src --swagger_out=logtostderr=true:. --authoption_out=. ../proto/auth.proto
+//go:generate mockgen -package api -destination ./mock/auth.proto.mock.go github.com/caos/zitadel/pkg/auth/api/grpc AuthServiceClient
+//go:generate ../../../console/etc/generate-grpc.sh
--- a/pkg/auth/api/grpc/grant.go
+++ b/pkg/auth/api/grpc/grant.go
@ -0,0 +1,15 @@
+package grpc
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/golang/protobuf/ptypes/empty"
+)
+
+func (s *Server) SearchMyProjectOrgs(ctx context.Context, request *MyProjectOrgSearchRequest) (*MyProjectOrgSearchResponse, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-8kdRf", "Not implemented")
+}
+
+func (s *Server) IsIamAdmin(ctx context.Context, _ *empty.Empty) (*IsAdminResponse, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-9odFv", "Not implemented")
+}
--- a/pkg/auth/api/grpc/mock/auth.proto.mock.go
+++ b/pkg/auth/api/grpc/mock/auth.proto.mock.go
@ -0,0 +1,538 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/caos/zitadel/pkg/auth/api/grpc (interfaces: AuthServiceClient)
+
+// Package api is a generated GoMock package.
+package api
+
+import (
+	context "context"
+	grpc "github.com/caos/zitadel/pkg/auth/api/grpc"
+	gomock "github.com/golang/mock/gomock"
+	grpc0 "google.golang.org/grpc"
+	emptypb "google.golang.org/protobuf/types/known/emptypb"
+	structpb "google.golang.org/protobuf/types/known/structpb"
+	reflect "reflect"
+)
+
+// MockAuthServiceClient is a mock of AuthServiceClient interface
+type MockAuthServiceClient struct {
+	ctrl     *gomock.Controller
+	recorder *MockAuthServiceClientMockRecorder
+}
+
+// MockAuthServiceClientMockRecorder is the mock recorder for MockAuthServiceClient
+type MockAuthServiceClientMockRecorder struct {
+	mock *MockAuthServiceClient
+}
+
+// NewMockAuthServiceClient creates a new mock instance
+func NewMockAuthServiceClient(ctrl *gomock.Controller) *MockAuthServiceClient {
+	mock := &MockAuthServiceClient{ctrl: ctrl}
+	mock.recorder = &MockAuthServiceClientMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockAuthServiceClient) EXPECT() *MockAuthServiceClientMockRecorder {
+	return m.recorder
+}
+
+// AddMfaOTP mocks base method
+func (m *MockAuthServiceClient) AddMfaOTP(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc0.CallOption) (*grpc.MfaOtpResponse, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "AddMfaOTP", varargs...)
+	ret0, _ := ret[0].(*grpc.MfaOtpResponse)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// AddMfaOTP indicates an expected call of AddMfaOTP
+func (mr *MockAuthServiceClientMockRecorder) AddMfaOTP(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddMfaOTP", reflect.TypeOf((*MockAuthServiceClient)(nil).AddMfaOTP), varargs...)
+}
+
+// ChangeMyPassword mocks base method
+func (m *MockAuthServiceClient) ChangeMyPassword(arg0 context.Context, arg1 *grpc.PasswordChange, arg2 ...grpc0.CallOption) (*emptypb.Empty, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "ChangeMyPassword", varargs...)
+	ret0, _ := ret[0].(*emptypb.Empty)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// ChangeMyPassword indicates an expected call of ChangeMyPassword
+func (mr *MockAuthServiceClientMockRecorder) ChangeMyPassword(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ChangeMyPassword", reflect.TypeOf((*MockAuthServiceClient)(nil).ChangeMyPassword), varargs...)
+}
+
+// ChangeMyUserEmail mocks base method
+func (m *MockAuthServiceClient) ChangeMyUserEmail(arg0 context.Context, arg1 *grpc.UpdateUserEmailRequest, arg2 ...grpc0.CallOption) (*grpc.UserEmail, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "ChangeMyUserEmail", varargs...)
+	ret0, _ := ret[0].(*grpc.UserEmail)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// ChangeMyUserEmail indicates an expected call of ChangeMyUserEmail
+func (mr *MockAuthServiceClientMockRecorder) ChangeMyUserEmail(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ChangeMyUserEmail", reflect.TypeOf((*MockAuthServiceClient)(nil).ChangeMyUserEmail), varargs...)
+}
+
+// ChangeMyUserPhone mocks base method
+func (m *MockAuthServiceClient) ChangeMyUserPhone(arg0 context.Context, arg1 *grpc.UpdateUserPhoneRequest, arg2 ...grpc0.CallOption) (*grpc.UserPhone, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "ChangeMyUserPhone", varargs...)
+	ret0, _ := ret[0].(*grpc.UserPhone)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// ChangeMyUserPhone indicates an expected call of ChangeMyUserPhone
+func (mr *MockAuthServiceClientMockRecorder) ChangeMyUserPhone(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ChangeMyUserPhone", reflect.TypeOf((*MockAuthServiceClient)(nil).ChangeMyUserPhone), varargs...)
+}
+
+// GetMyMfas mocks base method
+func (m *MockAuthServiceClient) GetMyMfas(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc0.CallOption) (*grpc.MultiFactors, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "GetMyMfas", varargs...)
+	ret0, _ := ret[0].(*grpc.MultiFactors)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetMyMfas indicates an expected call of GetMyMfas
+func (mr *MockAuthServiceClientMockRecorder) GetMyMfas(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetMyMfas", reflect.TypeOf((*MockAuthServiceClient)(nil).GetMyMfas), varargs...)
+}
+
+// GetMyUserAddress mocks base method
+func (m *MockAuthServiceClient) GetMyUserAddress(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc0.CallOption) (*grpc.UserAddress, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "GetMyUserAddress", varargs...)
+	ret0, _ := ret[0].(*grpc.UserAddress)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetMyUserAddress indicates an expected call of GetMyUserAddress
+func (mr *MockAuthServiceClientMockRecorder) GetMyUserAddress(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetMyUserAddress", reflect.TypeOf((*MockAuthServiceClient)(nil).GetMyUserAddress), varargs...)
+}
+
+// GetMyUserEmail mocks base method
+func (m *MockAuthServiceClient) GetMyUserEmail(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc0.CallOption) (*grpc.UserEmail, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "GetMyUserEmail", varargs...)
+	ret0, _ := ret[0].(*grpc.UserEmail)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetMyUserEmail indicates an expected call of GetMyUserEmail
+func (mr *MockAuthServiceClientMockRecorder) GetMyUserEmail(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetMyUserEmail", reflect.TypeOf((*MockAuthServiceClient)(nil).GetMyUserEmail), varargs...)
+}
+
+// GetMyUserPhone mocks base method
+func (m *MockAuthServiceClient) GetMyUserPhone(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc0.CallOption) (*grpc.UserPhone, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "GetMyUserPhone", varargs...)
+	ret0, _ := ret[0].(*grpc.UserPhone)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetMyUserPhone indicates an expected call of GetMyUserPhone
+func (mr *MockAuthServiceClientMockRecorder) GetMyUserPhone(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetMyUserPhone", reflect.TypeOf((*MockAuthServiceClient)(nil).GetMyUserPhone), varargs...)
+}
+
+// GetMyUserProfile mocks base method
+func (m *MockAuthServiceClient) GetMyUserProfile(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc0.CallOption) (*grpc.UserProfile, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "GetMyUserProfile", varargs...)
+	ret0, _ := ret[0].(*grpc.UserProfile)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetMyUserProfile indicates an expected call of GetMyUserProfile
+func (mr *MockAuthServiceClientMockRecorder) GetMyUserProfile(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetMyUserProfile", reflect.TypeOf((*MockAuthServiceClient)(nil).GetMyUserProfile), varargs...)
+}
+
+// GetMyUserSessions mocks base method
+func (m *MockAuthServiceClient) GetMyUserSessions(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc0.CallOption) (*grpc.UserSessionViews, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "GetMyUserSessions", varargs...)
+	ret0, _ := ret[0].(*grpc.UserSessionViews)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetMyUserSessions indicates an expected call of GetMyUserSessions
+func (mr *MockAuthServiceClientMockRecorder) GetMyUserSessions(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetMyUserSessions", reflect.TypeOf((*MockAuthServiceClient)(nil).GetMyUserSessions), varargs...)
+}
+
+// GetMyZitadelPermissions mocks base method
+func (m *MockAuthServiceClient) GetMyZitadelPermissions(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc0.CallOption) (*grpc.MyPermissions, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "GetMyZitadelPermissions", varargs...)
+	ret0, _ := ret[0].(*grpc.MyPermissions)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetMyZitadelPermissions indicates an expected call of GetMyZitadelPermissions
+func (mr *MockAuthServiceClientMockRecorder) GetMyZitadelPermissions(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetMyZitadelPermissions", reflect.TypeOf((*MockAuthServiceClient)(nil).GetMyZitadelPermissions), varargs...)
+}
+
+// Healthz mocks base method
+func (m *MockAuthServiceClient) Healthz(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc0.CallOption) (*emptypb.Empty, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "Healthz", varargs...)
+	ret0, _ := ret[0].(*emptypb.Empty)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Healthz indicates an expected call of Healthz
+func (mr *MockAuthServiceClientMockRecorder) Healthz(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Healthz", reflect.TypeOf((*MockAuthServiceClient)(nil).Healthz), varargs...)
+}
+
+// IsIamAdmin mocks base method
+func (m *MockAuthServiceClient) IsIamAdmin(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc0.CallOption) (*grpc.IsAdminResponse, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "IsIamAdmin", varargs...)
+	ret0, _ := ret[0].(*grpc.IsAdminResponse)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// IsIamAdmin indicates an expected call of IsIamAdmin
+func (mr *MockAuthServiceClientMockRecorder) IsIamAdmin(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IsIamAdmin", reflect.TypeOf((*MockAuthServiceClient)(nil).IsIamAdmin), varargs...)
+}
+
+// Ready mocks base method
+func (m *MockAuthServiceClient) Ready(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc0.CallOption) (*emptypb.Empty, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "Ready", varargs...)
+	ret0, _ := ret[0].(*emptypb.Empty)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Ready indicates an expected call of Ready
+func (mr *MockAuthServiceClientMockRecorder) Ready(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Ready", reflect.TypeOf((*MockAuthServiceClient)(nil).Ready), varargs...)
+}
+
+// RemoveMfaOTP mocks base method
+func (m *MockAuthServiceClient) RemoveMfaOTP(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc0.CallOption) (*emptypb.Empty, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "RemoveMfaOTP", varargs...)
+	ret0, _ := ret[0].(*emptypb.Empty)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// RemoveMfaOTP indicates an expected call of RemoveMfaOTP
+func (mr *MockAuthServiceClientMockRecorder) RemoveMfaOTP(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveMfaOTP", reflect.TypeOf((*MockAuthServiceClient)(nil).RemoveMfaOTP), varargs...)
+}
+
+// ResendMyEmailVerificationMail mocks base method
+func (m *MockAuthServiceClient) ResendMyEmailVerificationMail(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc0.CallOption) (*emptypb.Empty, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "ResendMyEmailVerificationMail", varargs...)
+	ret0, _ := ret[0].(*emptypb.Empty)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// ResendMyEmailVerificationMail indicates an expected call of ResendMyEmailVerificationMail
+func (mr *MockAuthServiceClientMockRecorder) ResendMyEmailVerificationMail(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ResendMyEmailVerificationMail", reflect.TypeOf((*MockAuthServiceClient)(nil).ResendMyEmailVerificationMail), varargs...)
+}
+
+// ResendMyPhoneVerificationCode mocks base method
+func (m *MockAuthServiceClient) ResendMyPhoneVerificationCode(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc0.CallOption) (*emptypb.Empty, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "ResendMyPhoneVerificationCode", varargs...)
+	ret0, _ := ret[0].(*emptypb.Empty)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// ResendMyPhoneVerificationCode indicates an expected call of ResendMyPhoneVerificationCode
+func (mr *MockAuthServiceClientMockRecorder) ResendMyPhoneVerificationCode(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ResendMyPhoneVerificationCode", reflect.TypeOf((*MockAuthServiceClient)(nil).ResendMyPhoneVerificationCode), varargs...)
+}
+
+// SearchMyProjectOrgs mocks base method
+func (m *MockAuthServiceClient) SearchMyProjectOrgs(arg0 context.Context, arg1 *grpc.MyProjectOrgSearchRequest, arg2 ...grpc0.CallOption) (*grpc.MyProjectOrgSearchResponse, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "SearchMyProjectOrgs", varargs...)
+	ret0, _ := ret[0].(*grpc.MyProjectOrgSearchResponse)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// SearchMyProjectOrgs indicates an expected call of SearchMyProjectOrgs
+func (mr *MockAuthServiceClientMockRecorder) SearchMyProjectOrgs(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchMyProjectOrgs", reflect.TypeOf((*MockAuthServiceClient)(nil).SearchMyProjectOrgs), varargs...)
+}
+
+// SetMyPassword mocks base method
+func (m *MockAuthServiceClient) SetMyPassword(arg0 context.Context, arg1 *grpc.PasswordRequest, arg2 ...grpc0.CallOption) (*emptypb.Empty, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "SetMyPassword", varargs...)
+	ret0, _ := ret[0].(*emptypb.Empty)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// SetMyPassword indicates an expected call of SetMyPassword
+func (mr *MockAuthServiceClientMockRecorder) SetMyPassword(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetMyPassword", reflect.TypeOf((*MockAuthServiceClient)(nil).SetMyPassword), varargs...)
+}
+
+// UpdateMyUserAddress mocks base method
+func (m *MockAuthServiceClient) UpdateMyUserAddress(arg0 context.Context, arg1 *grpc.UpdateUserAddressRequest, arg2 ...grpc0.CallOption) (*grpc.UserAddress, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "UpdateMyUserAddress", varargs...)
+	ret0, _ := ret[0].(*grpc.UserAddress)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// UpdateMyUserAddress indicates an expected call of UpdateMyUserAddress
+func (mr *MockAuthServiceClientMockRecorder) UpdateMyUserAddress(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateMyUserAddress", reflect.TypeOf((*MockAuthServiceClient)(nil).UpdateMyUserAddress), varargs...)
+}
+
+// UpdateMyUserProfile mocks base method
+func (m *MockAuthServiceClient) UpdateMyUserProfile(arg0 context.Context, arg1 *grpc.UpdateUserProfileRequest, arg2 ...grpc0.CallOption) (*grpc.UserProfile, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "UpdateMyUserProfile", varargs...)
+	ret0, _ := ret[0].(*grpc.UserProfile)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// UpdateMyUserProfile indicates an expected call of UpdateMyUserProfile
+func (mr *MockAuthServiceClientMockRecorder) UpdateMyUserProfile(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateMyUserProfile", reflect.TypeOf((*MockAuthServiceClient)(nil).UpdateMyUserProfile), varargs...)
+}
+
+// Validate mocks base method
+func (m *MockAuthServiceClient) Validate(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc0.CallOption) (*structpb.Struct, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "Validate", varargs...)
+	ret0, _ := ret[0].(*structpb.Struct)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Validate indicates an expected call of Validate
+func (mr *MockAuthServiceClientMockRecorder) Validate(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Validate", reflect.TypeOf((*MockAuthServiceClient)(nil).Validate), varargs...)
+}
+
+// VerifyMfaOTP mocks base method
+func (m *MockAuthServiceClient) VerifyMfaOTP(arg0 context.Context, arg1 *grpc.VerifyMfaOtp, arg2 ...grpc0.CallOption) (*grpc.MfaOtpResponse, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "VerifyMfaOTP", varargs...)
+	ret0, _ := ret[0].(*grpc.MfaOtpResponse)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// VerifyMfaOTP indicates an expected call of VerifyMfaOTP
+func (mr *MockAuthServiceClientMockRecorder) VerifyMfaOTP(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VerifyMfaOTP", reflect.TypeOf((*MockAuthServiceClient)(nil).VerifyMfaOTP), varargs...)
+}
+
+// VerifyMyUserEmail mocks base method
+func (m *MockAuthServiceClient) VerifyMyUserEmail(arg0 context.Context, arg1 *grpc.VerifyMyUserEmailRequest, arg2 ...grpc0.CallOption) (*emptypb.Empty, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "VerifyMyUserEmail", varargs...)
+	ret0, _ := ret[0].(*emptypb.Empty)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// VerifyMyUserEmail indicates an expected call of VerifyMyUserEmail
+func (mr *MockAuthServiceClientMockRecorder) VerifyMyUserEmail(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VerifyMyUserEmail", reflect.TypeOf((*MockAuthServiceClient)(nil).VerifyMyUserEmail), varargs...)
+}
+
+// VerifyMyUserPhone mocks base method
+func (m *MockAuthServiceClient) VerifyMyUserPhone(arg0 context.Context, arg1 *grpc.VerifyUserPhoneRequest, arg2 ...grpc0.CallOption) (*emptypb.Empty, error) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0, arg1}
+	for _, a := range arg2 {
+		varargs = append(varargs, a)
+	}
+	ret := m.ctrl.Call(m, "VerifyMyUserPhone", varargs...)
+	ret0, _ := ret[0].(*emptypb.Empty)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// VerifyMyUserPhone indicates an expected call of VerifyMyUserPhone
+func (mr *MockAuthServiceClientMockRecorder) VerifyMyUserPhone(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0, arg1}, arg2...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VerifyMyUserPhone", reflect.TypeOf((*MockAuthServiceClient)(nil).VerifyMyUserPhone), varargs...)
+}
--- a/pkg/auth/api/grpc/permissions.go
+++ b/pkg/auth/api/grpc/permissions.go
@ -0,0 +1,50 @@
+package grpc
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/golang/protobuf/ptypes/empty"
+)
+
+func (s *Server) GetMyZitadelPermissions(ctx context.Context, _ *empty.Empty) (*MyPermissions, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-or67G", "Not implemented")
+	//ctxData := auth.GetCtxData(ctx)
+	//
+	//grants, err := s.processor.ResolveGrants(ctx, ctxData.UserID, ctxData.OrgID)
+	//if err != nil {
+	//	return nil, err
+	//}
+	//
+	//permissions := &MyPermissions{Permissions: []string{}}
+	//
+	//for _, grant := range grants {
+	//	for _, role := range grant.Roles {
+	//		roleName, ctxID := auth.SplitPermission(role)
+	//		for _, mapping := range s.authConf.RolePermissionMappings {
+	//			if mapping.Role == roleName {
+	//				permissions.appendPermissions(ctxID, mapping.Permissions...)
+	//			}
+	//		}
+	//	}
+	//}
+	//
+	//return permissions, nil
+}
+
+func (p *MyPermissions) appendPermissions(ctxID string, permissions ...string) {
+	for _, permission := range permissions {
+		p.appendPermission(ctxID, permission)
+	}
+}
+
+func (p *MyPermissions) appendPermission(ctxID, permission string) {
+	if ctxID != "" {
+		permission = permission + ":" + ctxID
+	}
+	for _, existingPermission := range p.Permissions {
+		if existingPermission == permission {
+			return
+		}
+	}
+	p.Permissions = append(p.Permissions, permission)
+}
--- a/pkg/auth/api/grpc/probes.go
+++ b/pkg/auth/api/grpc/probes.go
@ -0,0 +1,20 @@
+package grpc
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/golang/protobuf/ptypes/empty"
+	pb_struct "github.com/golang/protobuf/ptypes/struct"
+)
+
+func (s *Server) Healthz(_ context.Context, e *empty.Empty) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-bst5W", "Not implemented")
+}
+
+func (s *Server) Ready(ctx context.Context, e *empty.Empty) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-or0vW", "Not implemented")
+}
+
+func (s *Server) Validate(ctx context.Context, _ *empty.Empty) (*pb_struct.Struct, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-lo6Eg", "Not implemented")
+}
--- a/pkg/auth/api/grpc/server.go
+++ b/pkg/auth/api/grpc/server.go
@ -0,0 +1,39 @@
+package grpc
+
+import (
+	grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
+	"google.golang.org/grpc"
+
+	grpc_util "github.com/caos/zitadel/internal/api/grpc"
+	"github.com/caos/zitadel/internal/api/grpc/server/middleware"
+)
+
+var _ AuthServiceServer = (*Server)(nil)
+
+type Server struct {
+	port        string
+	searchLimit int
+}
+
+func StartServer(conf grpc_util.ServerConfig) *Server {
+	return &Server{
+		port: conf.Port,
+	}
+}
+
+func (s *Server) GRPCPort() string {
+	return s.port
+}
+
+func (s *Server) GRPCServer() (*grpc.Server, error) {
+	gs := grpc.NewServer(
+		middleware.TracingStatsServer("/Healthz", "/Ready", "/Validate"),
+		grpc.UnaryInterceptor(
+			grpc_middleware.ChainUnaryServer(
+				middleware.ErrorHandler(),
+			),
+		),
+	)
+	RegisterAuthServiceServer(gs, s)
+	return gs, nil
+}
--- a/pkg/auth/api/grpc/user.go
+++ b/pkg/auth/api/grpc/user.go
@ -0,0 +1,91 @@
+package grpc
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/golang/protobuf/ptypes/empty"
+)
+
+func (s *Server) GetMyUserProfile(ctx context.Context, _ *empty.Empty) (*UserProfile, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-fis93", "Not implemented")
+}
+
+func (s *Server) GetMyUserEmail(ctx context.Context, _ *empty.Empty) (*UserEmail, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-93j5d", "Not implemented")
+}
+
+func (s *Server) GetMyUserPhone(ctx context.Context, _ *empty.Empty) (*UserPhone, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-Hj75G", "Not implemented")
+}
+
+func (s *Server) GetMyUserAddress(ctx context.Context, _ *empty.Empty) (*UserAddress, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-21jd4", "Not implemented")
+}
+
+func (s *Server) GetMyMfas(ctx context.Context, _ *empty.Empty) (*MultiFactors, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-vkl9i", "Not implemented")
+}
+
+func (s *Server) UpdateMyUserProfile(ctx context.Context, request *UpdateUserProfileRequest) (*UserProfile, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-dlep3", "Not implemented")
+}
+
+func (s *Server) ChangeMyUserEmail(ctx context.Context, request *UpdateUserEmailRequest) (*UserEmail, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-lme45", "Not implemented")
+}
+
+func (s *Server) VerifyMyUserEmail(ctx context.Context, request *VerifyMyUserEmailRequest) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-poru7", "Not implemented")
+}
+
+func (s *Server) VerifyUserEmail(ctx context.Context, request *VerifyUserEmailRequest) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-dlep3", "Not implemented")
+}
+
+func (s *Server) ResendMyEmailVerificationMail(ctx context.Context, _ *empty.Empty) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-dh69i", "Not implemented")
+}
+
+func (s *Server) ResendEmailVerificationMail(ctx context.Context, id *UserID) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-mAq23", "Not implemented")
+}
+
+func (s *Server) ChangeMyUserPhone(ctx context.Context, request *UpdateUserPhoneRequest) (*UserPhone, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-dk45g", "Not implemented")
+}
+
+func (s *Server) VerifyMyUserPhone(ctx context.Context, request *VerifyUserPhoneRequest) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-ol6gE", "Not implemented")
+}
+
+func (s *Server) ResendMyPhoneVerificationCode(ctx context.Context, _ *empty.Empty) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-Wk8rf", "Not implemented")
+}
+
+func (s *Server) UpdateMyUserAddress(ctx context.Context, request *UpdateUserAddressRequest) (*UserAddress, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-cmt7F", "Not implemented")
+}
+
+func (s *Server) SetMyPassword(ctx context.Context, request *PasswordRequest) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-pl9c2", "Not implemented")
+}
+
+func (s *Server) ChangeMyPassword(ctx context.Context, request *PasswordChange) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-dlo6G", "Not implemented")
+}
+
+func (s *Server) AddMfaOTP(ctx context.Context, _ *empty.Empty) (_ *MfaOtpResponse, err error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-al35G", "Not implemented")
+}
+
+func (s *Server) VerifyMfaOTP(ctx context.Context, request *VerifyMfaOtp) (_ *MfaOtpResponse, err error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-kgjZ7", "Not implemented")
+}
+
+func (s *Server) RemoveMfaOTP(ctx context.Context, _ *empty.Empty) (_ *empty.Empty, err error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-9k46d", "Not implemented")
+}
+
+func (s *Server) ResendUserInitMail(ctx context.Context, request *UserID) (_ *empty.Empty, err error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-dk467", "Not implemented")
+}
--- a/pkg/auth/api/grpc/user_session.go
+++ b/pkg/auth/api/grpc/user_session.go
@ -0,0 +1,11 @@
+package grpc
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/golang/protobuf/ptypes/empty"
+)
+
+func (s *Server) GetMyUserSessions(ctx context.Context, _ *empty.Empty) (_ *UserSessionViews, err error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-nc52s", "Not implemented")
+}
--- a/pkg/auth/api/proto/auth.proto
+++ b/pkg/auth/api/proto/auth.proto
@ -0,0 +1,521 @@
+syntax = "proto3";
+
+import "google/api/annotations.proto";
+import "google/protobuf/empty.proto";
+import "google/protobuf/struct.proto";
+import "google/protobuf/timestamp.proto";
+import "validate/validate.proto";
+import "protoc-gen-swagger/options/annotations.proto";
+import "authoption/options.proto";
+
+package zitadel.auth.api.v1;
+
+option go_package = "github.com/caos/zitadel/pkg/auth/api/grpc";
+
+option (grpc.gateway.protoc_gen_swagger.options.openapiv2_swagger) = {
+    info: {
+        title: "Auth API";
+        version: "0.1";
+        contact:{
+            url: "https://github.com/caos/zitadel/pkg/auth"
+        };
+    };
+
+    schemes: HTTPS;
+
+    consumes: "application/json";
+    consumes: "application/grpc";
+
+    produces: "application/json";
+    produces: "application/grpc";
+};
+
+service AuthService {
+    // Readiness
+    rpc Healthz(google.protobuf.Empty) returns (google.protobuf.Empty) {
+        option (google.api.http) = {
+            get: "/healthz"
+            };
+    }
+
+    rpc Ready(google.protobuf.Empty) returns (google.protobuf.Empty) {
+        option (google.api.http) = {
+            get: "/ready"
+            };
+    }
+
+    rpc Validate(google.protobuf.Empty) returns (google.protobuf.Struct) {
+        option (google.api.http) = {
+            get: "/validate"
+            };
+    }
+
+    // Authorization
+    rpc GetMyUserSessions(google.protobuf.Empty) returns (UserSessionViews) {
+        option (google.api.http) = {
+                get: "/me/usersessions"
+            };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+                permission: "authenticated"
+            };
+    }
+
+    //User
+    rpc GetMyUserProfile(google.protobuf.Empty) returns (UserProfile) {
+        option (google.api.http) = {
+                get: "/users/me/profile"
+            };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+                permission: "authenticated"
+            };
+    }
+
+    rpc UpdateMyUserProfile(UpdateUserProfileRequest) returns (UserProfile) {
+        option (google.api.http) = {
+                put: "/users/me/profile"
+                body: "*"
+            };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+                permission: "authenticated"
+            };
+    }
+
+    rpc GetMyUserEmail(google.protobuf.Empty) returns (UserEmail) {
+        option (google.api.http) = {
+                get: "/users/me/email"
+            };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+                permission: "authenticated"
+            };
+    }
+
+    rpc ChangeMyUserEmail(UpdateUserEmailRequest) returns (UserEmail) {
+        option (google.api.http) = {
+                put: "/users/me/email"
+                body: "*"
+            };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+                permission: "authenticated"
+            };
+    }
+
+    rpc VerifyMyUserEmail(VerifyMyUserEmailRequest) returns (google.protobuf.Empty) {
+        option (google.api.http) = {
+                post: "/users/me/email/_verify"
+                body: "*"
+            };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+                permission: "authenticated"
+            };
+    }
+
+    rpc ResendMyEmailVerificationMail(google.protobuf.Empty) returns (google.protobuf.Empty) {
+        option (google.api.http) = {
+                post: "/users/me/email/_resendverification"
+                body: "*"
+            };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+                permission: "authenticated"
+            };
+    }
+
+    rpc GetMyUserPhone(google.protobuf.Empty) returns (UserPhone) {
+        option (google.api.http) = {
+                get: "/users/me/phone"
+            };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+                permission: "authenticated"
+            };
+    }
+
+    rpc ChangeMyUserPhone(UpdateUserPhoneRequest) returns (UserPhone) {
+        option (google.api.http) = {
+                put: "/users/me/phone"
+                body: "*"
+            };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+                permission: "authenticated"
+            };
+    }
+
+    rpc VerifyMyUserPhone(VerifyUserPhoneRequest) returns (google.protobuf.Empty) {
+        option (google.api.http) = {
+                post: "/users/me/phone/_verify"
+                body: "*"
+            };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+                permission: "authenticated"
+            };
+    }
+
+    rpc ResendMyPhoneVerificationCode(google.protobuf.Empty) returns (google.protobuf.Empty) {
+        option (google.api.http) = {
+                post: "/users/me/phone/_resendverification"
+                body: "*"
+            };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+                permission: "authenticated"
+            };
+    }
+
+    rpc GetMyUserAddress(google.protobuf.Empty) returns (UserAddress) {
+        option (google.api.http) = {
+                get: "/users/me/address"
+            };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+                permission: "authenticated"
+            };
+    }
+
+    rpc UpdateMyUserAddress(UpdateUserAddressRequest) returns (UserAddress) {
+        option (google.api.http) = {
+                put: "/users/me/address"
+                body: "*"
+            };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+                permission: "authenticated"
+            };
+    }
+
+    rpc GetMyMfas(google.protobuf.Empty) returns (MultiFactors) {
+        option (google.api.http) = {
+                get: "/users/me/mfas"
+            };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+                permission: "authenticated"
+            };
+    }
+    //Password
+
+    rpc SetMyPassword(PasswordRequest) returns (google.protobuf.Empty) {
+        option (google.api.http) = {
+                put: "/users/me/passwords"
+                body: "*"
+            };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+                permission: "authenticated"
+            };
+    }
+
+    rpc ChangeMyPassword(PasswordChange) returns (google.protobuf.Empty) {
+        option (google.api.http) = {
+                put: "/users/me/passwords/_change"
+                body: "*"
+            };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+                permission: "authenticated"
+            };
+    }
+
+    // MFA
+    rpc AddMfaOTP(google.protobuf.Empty) returns (MfaOtpResponse) {
+        option (google.api.http) = {
+                post: "/users/me/mfa/otp"
+                body: "*"
+            };
+        option (caos.zitadel.utils.v1.auth_option) = {
+                permission: "authenticated"
+            };
+    }
+
+    rpc VerifyMfaOTP(VerifyMfaOtp) returns (MfaOtpResponse) {
+        option (google.api.http) = {
+                put: "/users/me/mfa/otp/_verify"
+                body: "*"
+            };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+                permission: "authenticated"
+            };
+    }
+
+    rpc RemoveMfaOTP(google.protobuf.Empty) returns (google.protobuf.Empty) {
+        option (google.api.http) = {
+                delete: "/users/me/mfa/otp"
+            };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+                permission: "authenticated"
+            };
+    }
+
+    rpc SearchMyProjectOrgs(MyProjectOrgSearchRequest) returns (MyProjectOrgSearchResponse) {
+        option (google.api.http) = {
+                post: "/global/projectorgs/_search"
+                body: "*"
+            };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+                permission: "authenticated"
+            };
+    }
+
+    rpc IsIamAdmin(google.protobuf.Empty) returns (IsAdminResponse) {
+        option (google.api.http) = {
+                get: "/global/_isiamadmin"
+            };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+                permission: "authenticated"
+            };
+    }
+
+    //Permission
+    rpc GetMyZitadelPermissions(google.protobuf.Empty) returns (MyPermissions) {
+        option (google.api.http) = {
+                get: "/permissions/zitadel/me"
+            };
+
+        option (caos.zitadel.utils.v1.auth_option) = {
+                permission: "authenticated"
+            };
+    }
+}
+
+message UserSessionViews {
+    repeated UserSessionView user_sessions = 1;
+}
+message UserSessionView {
+    string id = 1;
+    string agent_id = 2;
+    UserSessionState auth_state = 3;
+    string user_id = 4;
+    string user_name = 5;
+}
+
+enum UserSessionState {
+    USERSESSIONSTATE_UNSPECIFIED = 0;
+    USERSESSIONSTATE_ACTIVE = 1;
+    USERSESSIONSTATE_TERMINATED = 2;
+}
+
+enum OIDCResponseType {
+    OIDCRESPONSETYPE_CODE = 0;
+    OIDCRESPONSETYPE_ID_TOKEN = 1;
+    OIDCRESPONSETYPE_ID_TOKEN_TOKEN = 2;
+}
+
+message User {
+    string id = 1;
+    UserState state = 2;
+    google.protobuf.Timestamp creation_date = 3;
+    google.protobuf.Timestamp activation_date = 4;
+    google.protobuf.Timestamp change_date = 5;
+    google.protobuf.Timestamp last_login = 6;
+    google.protobuf.Timestamp password_changed = 7;
+    string user_name = 8;
+    string first_name = 9;
+    string last_name = 10;
+    string nick_name = 11;
+    string display_name = 12;
+    string preferred_language = 13;
+    Gender gender = 14;
+    string email = 15;
+    bool is_email_verified = 16;
+    string phone = 17;
+    bool is_phone_verified = 18;
+    string country = 19;
+    string locality = 20;
+    string postal_code = 21;
+    string region = 22;
+    string street_address = 23;
+    bool password_change_required = 24;
+}
+
+enum UserState {
+    USERSTATE_UNSPECIEFIED = 0;
+    USERSTATE_ACTIVE = 1;
+    USERSTATE_INACTIVE = 2;
+    USERSTATE_DELETED = 3;
+    USERSTATE_LOCKED = 4;
+    USERSTATE_SUSPEND = 5;
+    USERSTATE_INITIAL= 6;
+}
+
+enum Gender {
+    GENDER_UNSPECIFIED = 0;
+    GENDER_FEMALE = 1;
+    GENDER_MALE = 2;
+    GENDER_DIVERSE = 3;
+}
+
+message UserProfile {
+    string id = 1;
+    string user_name = 2;
+    string first_name = 3;
+    string last_name = 4;
+    string nick_name = 5;
+    string display_name = 6;
+    string preferred_language = 7;
+    Gender gender = 8;
+}
+
+message UpdateUserProfileRequest {
+    string first_name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string last_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string nick_name = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string display_name = 4 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string preferred_language = 5 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    Gender gender = 6;
+}
+
+message UserEmail {
+    string id = 1;
+    string email = 2;
+    bool isEmailVerified = 3;
+}
+
+message VerifyMyUserEmailRequest {
+    string code = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message VerifyUserEmailRequest {
+    string id = 1;
+    string code = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message UpdateUserEmailRequest {
+    string email = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message UserPhone {
+    string id = 1;
+    string phone = 2;
+    bool is_phone_verified = 3;
+}
+
+message UpdateUserPhoneRequest {
+    string phone = 1 [(validate.rules).string = {min_len: 1, max_len: 20}];
+}
+
+message VerifyUserPhoneRequest {
+    string code = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message UserAddress {
+    string id = 1;
+    string country = 2;
+    string locality = 3;
+    string postal_code = 4;
+    string region = 5;
+    string street_address = 6;
+}
+
+message UpdateUserAddressRequest {
+    string country = 1 [(validate.rules).string = {max_len: 200}];
+    string locality = 2 [(validate.rules).string = {max_len: 200}];
+    string postal_code = 3 [(validate.rules).string = {max_len: 200}];
+    string region = 4 [(validate.rules).string = {max_len: 200}];
+    string street_address = 5 [(validate.rules).string = {max_len: 200}];
+}
+
+message PasswordID {
+    string id = 1;
+}
+
+message PasswordRequest {
+    string password = 1 [(validate.rules).string = {min_len: 1, max_len: 72}];
+}
+
+message PasswordChange {
+    string old_password = 1 [(validate.rules).string = {min_len: 1, max_len: 72}];
+    string new_password = 2 [(validate.rules).string = {min_len: 1, max_len: 72}];
+}
+
+enum MfaType {
+    MFATYPE_UNSPECIFIED = 0;
+    MFATYPE_SMS = 1;
+    MFATYPE_OTP = 2;
+}
+
+message VerifyMfaOtp {
+    string code = 1;
+}
+
+message MultiFactors {
+    repeated MultiFactor mfas = 1;
+}
+
+message MultiFactor {
+    MfaType type = 1;
+    MFAState state = 2;
+}
+
+message MfaOtpResponse {
+    string user_id = 1;
+    string url = 2;
+    string secret = 3;
+    MFAState state = 4;
+}
+
+enum MFAState {
+    MFASTATE_UNSPECIFIED = 0;
+    MFASTATE_NOT_READY = 1;
+    MFASTATE_READY = 2;
+    MFASTATE_REMOVED = 3;
+}
+
+message OIDCClientAuth {
+    string client_id = 1;
+    string client_secret = 2;
+}
+
+message MyProjectOrgSearchRequest {
+    uint64 offset = 1;
+    uint64 limit = 2;
+    bool asc = 4;
+    repeated MyProjectOrgSearchQuery queries = 5;
+}
+
+message MyProjectOrgSearchQuery {
+    MyProjectOrgSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];;
+    SearchMethod method = 2;
+    string value = 3;
+}
+
+enum MyProjectOrgSearchKey {
+    MYPROJECTORGSEARCHKEY_UNSPECIFIED = 0;
+    MYPROJECTORGSEARCHKEY_ORG_NAME = 1;
+}
+
+message MyProjectOrgSearchResponse {
+    uint64 offset = 1;
+    uint64 limit = 2;
+    uint64 total_result = 3;
+    repeated Org result = 4;
+}
+
+message IsAdminResponse {
+    bool is_admin = 1;
+}
+
+message Org {
+    string id = 1;
+    string name = 2;
+}
+
+message MyPermissions {
+    repeated string permissions = 1;
+}
+
+enum SearchMethod {
+    SEARCHMETHOD_EQUALS = 0;
+    SEARCHMETHOD_STARTS_WITH = 1;
+    SEARCHMETHOD_CONTAINS = 2;
+}
--- a/pkg/auth/auth.go
+++ b/pkg/auth/auth.go
@ -2,10 +2,8 @@ package auth

 import (
 	"context"
-
 	"github.com/caos/zitadel/internal/api/auth"
 	app "github.com/caos/zitadel/internal/auth"
-	"github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/pkg/auth/api"
 )

@ -14,6 +12,6 @@ type Config struct {
 	API api.Config
 }

-func Start(ctx context.Context, config Config, authZ auth.Config) error {
-	return errors.ThrowUnimplemented(nil, "AUTH-l7Hdx", "not implemented yet") //TODO: implement
+func Start(ctx context.Context, config Config, authZ auth.Config) {
+	api.Start(ctx, config.API)
 }
--- a/pkg/management/api/api.go
+++ b/pkg/management/api/api.go
@ -0,0 +1,21 @@
+package api
+
+import (
+	"context"
+
+	grpc_util "github.com/caos/zitadel/internal/api/grpc"
+	"github.com/caos/zitadel/internal/api/grpc/server"
+	"github.com/caos/zitadel/pkg/management/api/grpc"
+)
+
+type Config struct {
+	GRPC grpc_util.Config
+}
+
+func Start(ctx context.Context, conf Config) {
+	grpcServer := grpc.StartServer(conf.GRPC.ToServerConfig())
+	grpcGateway := grpc.StartGateway(conf.GRPC.ToGatewayConfig())
+
+	server.StartServer(ctx, grpcServer)
+	server.StartGateway(ctx, grpcGateway)
+}
--- a/pkg/management/api/config.go
+++ b/pkg/management/api/config.go
@ -1,7 +0,0 @@
-package api
-
-import "github.com/caos/zitadel/internal/api/grpc"
-
-type Config struct {
-	GRPC grpc.Config
-}
--- a/pkg/management/api/grpc/application.go
+++ b/pkg/management/api/grpc/application.go
@ -0,0 +1,37 @@
+package grpc
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/errors"
+)
+
+func (s *Server) SearchApplications(ctx context.Context, request *ApplicationSearchRequest) (*ApplicationSearchResponse, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-yW23f", "Not implemented")
+}
+
+func (s *Server) ApplicationByID(ctx context.Context, request *ApplicationID) (*Application, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-bmr6X", "Not implemented")
+}
+
+func (s *Server) CreateOIDCApplication(ctx context.Context, in *OIDCApplicationCreate) (*Application, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-poe4d", "Not implemented")
+}
+func (s *Server) UpdateApplication(ctx context.Context, in *ApplicationUpdate) (*Application, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-bmt6J", "Not implemented")
+}
+func (s *Server) DeactivateApplication(ctx context.Context, in *ApplicationID) (*Application, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-cD34f", "Not implemented")
+}
+func (s *Server) ReactivateApplication(ctx context.Context, in *ApplicationID) (*Application, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-mo98S", "Not implemented")
+}
+func (s *Server) UpdateApplicationOIDCConfig(ctx context.Context, in *OIDCConfigUpdate) (*OIDCConfig, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-xm56g", "Not implemented")
+}
+func (s *Server) RegenerateOIDCClientSecret(ctx context.Context, in *ApplicationID) (*ClientSecret, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-dlwp3", "Not implemented")
+}
+
+func (s *Server) ApplicationChanges(ctx context.Context, changesRequest *ChangeRequest) (*Changes, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-due45", "Not implemented")
+}
--- a/pkg/management/api/grpc/auth_grant.go
+++ b/pkg/management/api/grpc/auth_grant.go
@ -0,0 +1,10 @@
+package grpc
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/errors"
+)
+
+func (s *Server) SearchAuthGrant(ctx context.Context, grantSearch *AuthGrantSearchRequest) (*AuthGrantSearchResponse, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-dkwd5", "Not implemented")
+}
--- a/pkg/management/api/grpc/gateway.go
+++ b/pkg/management/api/grpc/gateway.go
@ -0,0 +1,47 @@
+package grpc
+
+import (
+	grpc_util "github.com/caos/zitadel/internal/api/grpc"
+	"github.com/caos/zitadel/internal/api/grpc/server"
+	"github.com/grpc-ecosystem/grpc-gateway/runtime"
+	"strings"
+)
+
+type Gateway struct {
+	grpcEndpoint string
+	port         string
+	cutomHeaders []string
+}
+
+func StartGateway(conf grpc_util.GatewayConfig) *Gateway {
+	return &Gateway{
+		grpcEndpoint: conf.GRPCEndpoint,
+		port:         conf.Port,
+		cutomHeaders: conf.CustomHeaders,
+	}
+}
+
+func (gw *Gateway) Gateway() server.GatewayFunc {
+	return RegisterManagementServiceHandlerFromEndpoint
+}
+
+func (gw *Gateway) GRPCEndpoint() string {
+	return ":" + gw.grpcEndpoint
+}
+
+func (gw *Gateway) GatewayPort() string {
+	return gw.port
+}
+
+func (gw *Gateway) GatewayServeMuxOptions() []runtime.ServeMuxOption {
+	return []runtime.ServeMuxOption{
+		runtime.WithIncomingHeaderMatcher(func(header string) (string, bool) {
+			for _, customHeader := range gw.cutomHeaders {
+				if strings.HasPrefix(strings.ToLower(header), customHeader) {
+					return header, true
+				}
+			}
+			return header, false
+		}),
+	}
+}
--- a/pkg/management/api/grpc/generate.go
+++ b/pkg/management/api/grpc/generate.go
@ -0,0 +1,6 @@
+package grpc
+
+//go:generate protoc -I$GOPATH/src -I../proto -I$GOPATH/src/github.com/grpc-ecosystem/grpc-gateway -I$GOPATH/src/github.com/grpc-ecosystem/grpc-gateway/third_party/googleapis -I${GOPATH}/src/github.com/envoyproxy/protoc-gen-validate -I${GOPATH}/src/github.com/caos/zitadel/internal/protoc/protoc-gen-authoption --go_out=plugins=grpc:$GOPATH/src --grpc-gateway_out=logtostderr=true:$GOPATH/src --swagger_out=logtostderr=true:. --authoption_out=. ../proto/management.proto
+//go:generate mockgen -package api -destination ./mock/management.proto.mock.go github.com/caos/zitadel/pkg/management/api/grpc ManagementServiceClient
+
+//go:generate ../../../console/etc/generate-grpc.sh
--- a/pkg/management/api/grpc/management.pb.authoptions.go
+++ b/pkg/management/api/grpc/management.pb.authoptions.go
@ -0,0 +1,521 @@
+// Code generated by protoc-gen-authmethod. DO NOT EDIT.
+
+package grpc
+
+import (
+	"google.golang.org/grpc"
+
+	utils_auth "github.com/caos/zitadel/internal/api/auth"
+	"github.com/caos/zitadel/internal/api/grpc/server/middleware"
+)
+
+/**
+ * ManagementService
+ */
+
+var ManagementService_AuthMethods = utils_auth.MethodMapping{
+
+	"/caos.zitadel.management.api.v1.ManagementService/GetUserByID": utils_auth.Option{
+		Permission: "user.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/GetUserByEmailGlobal": utils_auth.Option{
+		Permission: "user.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/SearchUsers": utils_auth.Option{
+		Permission: "user.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/IsUserUnique": utils_auth.Option{
+		Permission: "user.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/CreateUser": utils_auth.Option{
+		Permission: "user.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/DeactivateUser": utils_auth.Option{
+		Permission: "user.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/ReactivateUser": utils_auth.Option{
+		Permission: "user.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/LockUser": utils_auth.Option{
+		Permission: "user.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/UnlockUser": utils_auth.Option{
+		Permission: "user.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/DeleteUser": utils_auth.Option{
+		Permission: "user.delete",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/UserChanges": utils_auth.Option{
+		Permission: "user.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/ApplicationChanges": utils_auth.Option{
+		Permission: "project.app.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/OrgChanges": utils_auth.Option{
+		Permission: "org.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/ProjectChanges": utils_auth.Option{
+		Permission: "project.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/GetUserProfile": utils_auth.Option{
+		Permission: "user.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/UpdateUserProfile": utils_auth.Option{
+		Permission: "user.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/GetUserEmail": utils_auth.Option{
+		Permission: "user.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/ChangeUserEmail": utils_auth.Option{
+		Permission: "user.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/ResendEmailVerificationMail": utils_auth.Option{
+		Permission: "user.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/GetUserPhone": utils_auth.Option{
+		Permission: "user.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/ChangeUserPhone": utils_auth.Option{
+		Permission: "user.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/ResendPhoneVerificationCode": utils_auth.Option{
+		Permission: "user.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/GetUserAddress": utils_auth.Option{
+		Permission: "user.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/UpdateUserAddress": utils_auth.Option{
+		Permission: "user.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/GetUserMfas": utils_auth.Option{
+		Permission: "user.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/SendSetPasswordNotification": utils_auth.Option{
+		Permission: "user.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/SetInitialPassword": utils_auth.Option{
+		Permission: "user.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/GetPasswordComplexityPolicy": utils_auth.Option{
+		Permission: "policy.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/CreatePasswordComplexityPolicy": utils_auth.Option{
+		Permission: "policy.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/UpdatePasswordComplexityPolicy": utils_auth.Option{
+		Permission: "policy.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/DeletePasswordComplexityPolicy": utils_auth.Option{
+		Permission: "policy.delete",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/GetPasswordAgePolicy": utils_auth.Option{
+		Permission: "policy.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/CreatePasswordAgePolicy": utils_auth.Option{
+		Permission: "policy.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/UpdatePasswordAgePolicy": utils_auth.Option{
+		Permission: "policy.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/DeletePasswordAgePolicy": utils_auth.Option{
+		Permission: "policy.delete",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/GetPasswordLockoutPolicy": utils_auth.Option{
+		Permission: "policy.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/CreatePasswordLockoutPolicy": utils_auth.Option{
+		Permission: "policy.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/UpdatePasswordLockoutPolicy": utils_auth.Option{
+		Permission: "policy.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/DeletePasswordLockoutPolicy": utils_auth.Option{
+		Permission: "policy.delete",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/GetOrgByID": utils_auth.Option{
+		Permission: "org.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/GetOrgByDomainGlobal": utils_auth.Option{
+		Permission: "org.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/DeactivateOrg": utils_auth.Option{
+		Permission: "org.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/ReactivateOrg": utils_auth.Option{
+		Permission: "org.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/GetOrgMemberRoles": utils_auth.Option{
+		Permission: "org.member.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/AddOrgMember": utils_auth.Option{
+		Permission: "org.member.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/ChangeOrgMember": utils_auth.Option{
+		Permission: "org.member.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/RemoveOrgMember": utils_auth.Option{
+		Permission: "org.member.delete",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/SearchOrgMembers": utils_auth.Option{
+		Permission: "org.member.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/SearchProjects": utils_auth.Option{
+		Permission: "project.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/ProjectByID": utils_auth.Option{
+		Permission: "project.read",
+		CheckParam: "Id",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/CreateProject": utils_auth.Option{
+		Permission: "project.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/UpdateProject": utils_auth.Option{
+		Permission: "project.write",
+		CheckParam: "Id",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/DeactivateProject": utils_auth.Option{
+		Permission: "project.write",
+		CheckParam: "Id",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/ReactivateProject": utils_auth.Option{
+		Permission: "project.write",
+		CheckParam: "Id",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/GetGrantedProjectGrantByID": utils_auth.Option{
+		Permission: "project.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/GetProjectMemberRoles": utils_auth.Option{
+		Permission: "project.member.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/SearchProjectMembers": utils_auth.Option{
+		Permission: "project.member.read",
+		CheckParam: "ProjectId",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/AddProjectMember": utils_auth.Option{
+		Permission: "project.member.write",
+		CheckParam: "Id",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/ChangeProjectMember": utils_auth.Option{
+		Permission: "project.member.write",
+		CheckParam: "Id",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/RemoveProjectMember": utils_auth.Option{
+		Permission: "project.member.delete",
+		CheckParam: "Id",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/SearchProjectRoles": utils_auth.Option{
+		Permission: "project.role.read",
+		CheckParam: "ProjectId",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/AddProjectRole": utils_auth.Option{
+		Permission: "project.role.write",
+		CheckParam: "Id",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/RemoveProjectRole": utils_auth.Option{
+		Permission: "project.role.delete",
+		CheckParam: "Id",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/SearchApplications": utils_auth.Option{
+		Permission: "project.app.read",
+		CheckParam: "ProjectId",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/ApplicationByID": utils_auth.Option{
+		Permission: "project.app.read",
+		CheckParam: "ProjectId",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/CreateOIDCApplication": utils_auth.Option{
+		Permission: "project.app.write",
+		CheckParam: "ProjectId",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/UpdateApplication": utils_auth.Option{
+		Permission: "project.app.write",
+		CheckParam: "ProjectId",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/DeactivateApplication": utils_auth.Option{
+		Permission: "project.app.write",
+		CheckParam: "ProjectId",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/ReactivateApplication": utils_auth.Option{
+		Permission: "project.app.write",
+		CheckParam: "ProjectId",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/UpdateApplicationOIDCConfig": utils_auth.Option{
+		Permission: "project.app.write",
+		CheckParam: "ProjectId",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/RegenerateOIDCClientSecret": utils_auth.Option{
+		Permission: "project.app.write",
+		CheckParam: "ProjectId",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/SearchProjectGrants": utils_auth.Option{
+		Permission: "project.grant.read",
+		CheckParam: "ProjectId",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/ProjectGrantByID": utils_auth.Option{
+		Permission: "project.grant.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/CreateProjectGrant": utils_auth.Option{
+		Permission: "project.grant.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/UpdateProjectGrant": utils_auth.Option{
+		Permission: "project.grant.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/DeactivateProjectGrant": utils_auth.Option{
+		Permission: "project.grant.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/ReactivateProjectGrant": utils_auth.Option{
+		Permission: "project.grant.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/GetProjectGrantMemberRoles": utils_auth.Option{
+		Permission: "project.grant.member.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/SearchProjectGrantMembers": utils_auth.Option{
+		Permission: "project.grant.member.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/AddProjectGrantMember": utils_auth.Option{
+		Permission: "project.grant.member.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/ChangeProjectGrantMember": utils_auth.Option{
+		Permission: "project.grant.member.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/RemoveProjectGrantMember": utils_auth.Option{
+		Permission: "project.grant.member.delete",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/SearchUserGrants": utils_auth.Option{
+		Permission: "user.grant.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/UserGrantByID": utils_auth.Option{
+		Permission: "user.grant.read",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/CreateUserGrant": utils_auth.Option{
+		Permission: "user.grant.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/UpdateUserGrant": utils_auth.Option{
+		Permission: "user.grant.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/DeactivateUserGrant": utils_auth.Option{
+		Permission: "user.grant.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/ReactivateUserGrant": utils_auth.Option{
+		Permission: "user.grant.write",
+		CheckParam: "",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/SearchProjectUserGrants": utils_auth.Option{
+		Permission: "project.user.grant.read",
+		CheckParam: "ProjectId",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/ProjectUserGrantByID": utils_auth.Option{
+		Permission: "project.user.grant.read",
+		CheckParam: "ProjectId",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/CreateProjectUserGrant": utils_auth.Option{
+		Permission: "project.user.grant.write",
+		CheckParam: "ProjectId",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/UpdateProjectUserGrant": utils_auth.Option{
+		Permission: "project.user.grant.write",
+		CheckParam: "ProjectId",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/DeactivateProjectUserGrant": utils_auth.Option{
+		Permission: "project.user.grant.write",
+		CheckParam: "ProjectId",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/ReactivateProjectUserGrant": utils_auth.Option{
+		Permission: "project.user.grant.write",
+		CheckParam: "ProjectId",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/SearchProjectGrantUserGrants": utils_auth.Option{
+		Permission: "project.grant.user.grant.read",
+		CheckParam: "ProjectGrantId",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/ProjectGrantUserGrantByID": utils_auth.Option{
+		Permission: "project.grant.user.grant.read",
+		CheckParam: "ProjectGrantId",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/CreateProjectGrantUserGrant": utils_auth.Option{
+		Permission: "project.grant.user.grant.write",
+		CheckParam: "ProjectGrantId",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/UpdateProjectGrantUserGrant": utils_auth.Option{
+		Permission: "project.grant.user.grant.write",
+		CheckParam: "ProjectGrantId",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/DeactivateProjectGrantUserGrant": utils_auth.Option{
+		Permission: "project.grant.user.grant.write",
+		CheckParam: "ProjectGrantId",
+	},
+
+	"/caos.zitadel.management.api.v1.ManagementService/ReactivateProjectGrantUserGrant": utils_auth.Option{
+		Permission: "project.grant.user.grant.write",
+		CheckParam: "ProjectGrantId",
+	},
+}
+
+func ManagementService_Authorization_Interceptor(verifier utils_auth.TokenVerifier, authConf *utils_auth.Config) grpc.UnaryServerInterceptor {
+	return middleware.AuthorizationInterceptor(verifier, authConf, ManagementService_AuthMethods)
+}
--- a/pkg/management/api/grpc/management.pb.go
+++ b/pkg/management/api/grpc/management.pb.go
--- a/pkg/management/api/grpc/management.pb.gw.go
+++ b/pkg/management/api/grpc/management.pb.gw.go
--- a/pkg/management/api/grpc/management.swagger.json
+++ b/pkg/management/api/grpc/management.swagger.json
--- a/pkg/management/api/grpc/org.go
+++ b/pkg/management/api/grpc/org.go
@ -0,0 +1,26 @@
+package grpc
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/errors"
+)
+
+func (s *Server) GetOrgByID(ctx context.Context, in *OrgID) (*Org, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-sdo5g", "Not implemented")
+}
+
+func (s *Server) GetOrgByDomainGlobal(ctx context.Context, in *OrgDomain) (*Org, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-mop4s", "Not implemented")
+}
+
+func (s *Server) DeactivateOrg(ctx context.Context, in *OrgID) (*Org, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-vel3X", "Not implemented")
+}
+
+func (s *Server) ReactivateOrg(ctx context.Context, in *OrgID) (*Org, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-Scmk3", "Not implemented")
+}
+
+func (s *Server) OrgChanges(ctx context.Context, changesRequest *ChangeRequest) (*Changes, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-mfiF4", "Not implemented")
+}
--- a/pkg/management/api/grpc/org_member.go
+++ b/pkg/management/api/grpc/org_member.go
@ -0,0 +1,27 @@
+package grpc
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/golang/protobuf/ptypes/empty"
+)
+
+func (s *Server) GetOrgMemberRoles(ctx context.Context, _ *empty.Empty) (*OrgMemberRoles, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-wz4vc", "Not implemented")
+}
+
+func (s *Server) SearchOrgMembers(ctx context.Context, in *OrgMemberSearchRequest) (*OrgMemberSearchResponse, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-wkdl3", "Not implemented")
+}
+
+func (s *Server) AddOrgMember(ctx context.Context, member *AddOrgMemberRequest) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-Moe56", "Not implemented")
+}
+
+func (s *Server) ChangeOrgMember(ctx context.Context, member *ChangeOrgMemberRequest) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-eod34", "Not implemented")
+}
+
+func (s *Server) RemoveOrgMember(ctx context.Context, member *RemoveOrgMemberRequest) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-poeSw", "Not implemented")
+}
--- a/pkg/management/api/grpc/policy.go
+++ b/pkg/management/api/grpc/policy.go
@ -0,0 +1,55 @@
+package grpc
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/golang/protobuf/ptypes/empty"
+)
+
+func (s *Server) GetPasswordComplexityPolicy(ctx context.Context, _ *empty.Empty) (*PasswordComplexityPolicy, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-swe5v", "Not implemented")
+}
+
+func (s *Server) CreatePasswordComplexityPolicy(ctx context.Context, policy *PasswordComplexityPolicyCreate) (*PasswordComplexityPolicy, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-lo34s", "Not implemented")
+}
+
+func (s *Server) UpdatePasswordComplexityPolicy(ctx context.Context, policy *PasswordComplexityPolicyUpdate) (*PasswordComplexityPolicy, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-pl8fs", "Not implemented")
+}
+
+func (s *Server) DeletePasswordComplexityPolicy(ctx context.Context, ID *PasswordComplexityPolicyID) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-skw3f", "Not implemented")
+}
+
+func (s *Server) GetPasswordAgePolicy(ctx context.Context, _ *empty.Empty) (*PasswordAgePolicy, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-po9vb", "Not implemented")
+}
+
+func (s *Server) CreatePasswordAgePolicy(ctx context.Context, policy *PasswordAgePolicyCreate) (*PasswordAgePolicy, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-ldp3v", "Not implemented")
+}
+
+func (s *Server) UpdatePasswordAgePolicy(ctx context.Context, policy *PasswordAgePolicyUpdate) (*PasswordAgePolicy, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-ckep3", "Not implemented")
+}
+
+func (s *Server) DeletePasswordAgePolicy(ctx context.Context, ID *PasswordAgePolicyID) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-plo67", "Not implemented")
+}
+
+func (s *Server) GetPasswordLockoutPolicy(ctx context.Context, _ *empty.Empty) (*PasswordLockoutPolicy, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-GHkd9", "Not implemented")
+}
+
+func (s *Server) CreatePasswordLockoutPolicy(ctx context.Context, policy *PasswordLockoutPolicyCreate) (*PasswordLockoutPolicy, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-mdk3c", "Not implemented")
+}
+
+func (s *Server) UpdatePasswordLockoutPolicy(ctx context.Context, policy *PasswordLockoutPolicyUpdate) (*PasswordLockoutPolicy, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-8dbN4", "Not implemented")
+}
+
+func (s *Server) DeletePasswordLockoutPolicy(ctx context.Context, ID *PasswordLockoutPolicyID) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-plV53", "Not implemented")
+}
--- a/pkg/management/api/grpc/probes.go
+++ b/pkg/management/api/grpc/probes.go
@ -0,0 +1,20 @@
+package grpc
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/golang/protobuf/ptypes/empty"
+	pb_struct "github.com/golang/protobuf/ptypes/struct"
+)
+
+func (s *Server) Healthz(_ context.Context, e *empty.Empty) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-mkd3y", "Not implemented")
+}
+
+func (s *Server) Ready(ctx context.Context, e *empty.Empty) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-pl6BM", "Not implemented")
+}
+
+func (s *Server) Validate(ctx context.Context, _ *empty.Empty) (*pb_struct.Struct, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-2wxF", "Not implemented")
+}
--- a/pkg/management/api/grpc/project.go
+++ b/pkg/management/api/grpc/project.go
@ -0,0 +1,47 @@
+package grpc
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/golang/protobuf/ptypes/empty"
+)
+
+func (s *Server) CreateProject(ctx context.Context, in *ProjectCreateRequest) (*Project, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-mo34X", "Not implemented")
+}
+func (s *Server) UpdateProject(ctx context.Context, in *ProjectUpdateRequest) (*Project, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-0o4fB", "Not implemented")
+}
+func (s *Server) DeactivateProject(ctx context.Context, in *ProjectID) (*Project, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-4Sck8", "Not implemented")
+}
+func (s *Server) ReactivateProject(ctx context.Context, in *ProjectID) (*Project, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-0oVre", "Not implemented")
+}
+
+func (s *Server) SearchProjects(ctx context.Context, in *ProjectSearchRequest) (*ProjectSearchResponse, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-2sFvd", "Not implemented")
+}
+
+func (s *Server) ProjectByID(ctx context.Context, id *ProjectID) (*Project, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-plV5x", "Not implemented")
+}
+
+func (s *Server) GetGrantedProjectGrantByID(ctx context.Context, request *GrantedGrantID) (*ProjectGrant, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-974vd", "Not implemented")
+}
+
+func (s *Server) AddProjectRole(ctx context.Context, in *ProjectRoleAdd) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-0ow2C", "Not implemented")
+}
+func (s *Server) RemoveProjectRole(ctx context.Context, in *ProjectRoleRemove) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-bm6iB", "Not implemented")
+}
+
+func (s *Server) SearchProjectRoles(ctx context.Context, in *ProjectRoleSearchRequest) (*ProjectRoleSearchResponse, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-plV56", "Not implemented")
+}
+
+func (s *Server) ProjectChanges(ctx context.Context, changesRequest *ChangeRequest) (*Changes, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-mci3f", "Not implemented")
+}
--- a/pkg/management/api/grpc/project_grant.go
+++ b/pkg/management/api/grpc/project_grant.go
@ -0,0 +1,32 @@
+package grpc
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/golang/protobuf/ptypes/empty"
+)
+
+func (s *Server) GetProjectGrantMemberRoles(ctx context.Context, _ *empty.Empty) (*ProjectGrantMemberRoles, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-mGo89", "Not implemented")
+}
+
+func (s *Server) SearchProjectGrants(ctx context.Context, request *ProjectGrantSearchRequest) (*ProjectGrantSearchResponse, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-po9fs", "Not implemented")
+}
+
+func (s *Server) ProjectGrantByID(ctx context.Context, request *ProjectGrantID) (*ProjectGrant, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-nmr54", "Not implemented")
+}
+
+func (s *Server) CreateProjectGrant(ctx context.Context, in *ProjectGrantCreate) (*ProjectGrant, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-fi45f", "Not implemented")
+}
+func (s *Server) UpdateProjectGrant(ctx context.Context, in *ProjectGrantUpdate) (*ProjectGrant, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-nm7Ds", "Not implemented")
+}
+func (s *Server) DeactivateProjectGrant(ctx context.Context, in *ProjectGrantID) (*ProjectGrant, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-xkwpr", "Not implemented")
+}
+func (s *Server) ReactivateProjectGrant(ctx context.Context, in *ProjectGrantID) (*ProjectGrant, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-mdk23", "Not implemented")
+}
--- a/pkg/management/api/grpc/project_grant_member.go
+++ b/pkg/management/api/grpc/project_grant_member.go
@ -0,0 +1,23 @@
+package grpc
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/golang/protobuf/ptypes/empty"
+)
+
+func (s *Server) SearchProjectGrantMembers(ctx context.Context, request *ProjectGrantMemberSearchRequest) (*ProjectGrantMemberSearchResponse, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-pldE4", "Not implemented")
+}
+
+func (s *Server) AddProjectGrantMember(ctx context.Context, in *ProjectGrantMemberAdd) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-po8r3", "Not implemented")
+}
+
+func (s *Server) ChangeProjectGrantMember(ctx context.Context, in *ProjectGrantMemberChange) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-asd3c", "Not implemented")
+}
+
+func (s *Server) RemoveProjectGrantMember(ctx context.Context, in *ProjectGrantMemberRemove) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-04kfs", "Not implemented")
+}
--- a/pkg/management/api/grpc/project_member.go
+++ b/pkg/management/api/grpc/project_member.go
@ -0,0 +1,27 @@
+package grpc
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/golang/protobuf/ptypes/empty"
+)
+
+func (s *Server) GetProjectMemberRoles(ctx context.Context, _ *empty.Empty) (*ProjectMemberRoles, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-qw34d", "Not implemented")
+}
+
+func (s *Server) SearchProjectMembers(ctx context.Context, request *ProjectMemberSearchRequest) (*ProjectMemberSearchResponse, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-PLr84", "Not implemented")
+}
+
+func (s *Server) AddProjectMember(ctx context.Context, in *ProjectMemberAdd) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-c2dks", "Not implemented")
+}
+
+func (s *Server) ChangeProjectMember(ctx context.Context, in *ProjectMemberChange) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-cms47", "Not implemented")
+}
+
+func (s *Server) RemoveProjectMember(ctx context.Context, in *ProjectMemberRemove) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-olw21", "Not implemented")
+}
--- a/pkg/management/api/grpc/server.go
+++ b/pkg/management/api/grpc/server.go
@ -0,0 +1,37 @@
+package grpc
+
+import (
+	grpc_util "github.com/caos/zitadel/internal/api/grpc"
+	"github.com/caos/zitadel/internal/api/grpc/server/middleware"
+	grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
+	"google.golang.org/grpc"
+)
+
+var _ ManagementServiceServer = (*Server)(nil)
+
+type Server struct {
+	port string
+}
+
+func StartServer(conf grpc_util.ServerConfig) *Server {
+	return &Server{
+		port: conf.Port,
+	}
+}
+
+func (s *Server) GRPCPort() string {
+	return s.port
+}
+
+func (s *Server) GRPCServer() (*grpc.Server, error) {
+	gs := grpc.NewServer(
+		middleware.TracingStatsServer("/Healthz", "/Ready", "/Validate"),
+		grpc.UnaryInterceptor(
+			grpc_middleware.ChainUnaryServer(
+				middleware.ErrorHandler(),
+			),
+		),
+	)
+	RegisterManagementServiceServer(gs, s)
+	return gs, nil
+}
--- a/pkg/management/api/grpc/user.go
+++ b/pkg/management/api/grpc/user.go
@ -0,0 +1,103 @@
+package grpc
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/golang/protobuf/ptypes/empty"
+)
+
+func (s *Server) GetUserByID(ctx context.Context, userID *UserID) (*User, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-0oVbs", "Not implemented")
+}
+
+func (s *Server) GetUserByEmailGlobal(ctx context.Context, email *UserEmailID) (*User, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-9djSw", "Not implemented")
+}
+
+func (s *Server) SearchUsers(ctx context.Context, userSearch *UserSearchRequest) (*UserSearchResponse, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-as2Dc", "Not implemented")
+}
+
+func (s *Server) UserChanges(ctx context.Context, changesRequest *ChangeRequest) (*Changes, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-pl6Zu", "Not implemented")
+}
+
+func (s *Server) IsUserUnique(ctx context.Context, request *UniqueUserRequest) (*UniqueUserResponse, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-olF56", "Not implemented")
+}
+
+func (s *Server) CreateUser(ctx context.Context, request *CreateUserRequest) (*User, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-sd4fs", "Not implemented")
+}
+
+func (s *Server) DeactivateUser(ctx context.Context, ID *UserID) (*User, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-Vgh64", "Not implemented")
+}
+
+func (s *Server) ReactivateUser(ctx context.Context, ID *UserID) (*User, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-mCx4f", "Not implemented")
+}
+
+func (s *Server) LockUser(ctx context.Context, ID *UserID) (*User, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-ds4fd", "Not implemented")
+}
+
+func (s *Server) UnlockUser(ctx context.Context, ID *UserID) (*User, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-MV7dd", "Not implemented")
+}
+
+func (s *Server) DeleteUser(ctx context.Context, ID *UserID) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-as4fg", "Not implemented")
+}
+
+func (s *Server) GetUserProfile(ctx context.Context, ID *UserID) (*UserProfile, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-mT67d", "Not implemented")
+}
+
+func (s *Server) UpdateUserProfile(ctx context.Context, request *UpdateUserProfileRequest) (*UserProfile, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-asje3", "Not implemented")
+}
+
+func (s *Server) GetUserEmail(ctx context.Context, ID *UserID) (*UserEmail, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-peo9d", "Not implemented")
+}
+
+func (s *Server) ChangeUserEmail(ctx context.Context, request *UpdateUserEmailRequest) (*UserEmail, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-cloeS", "Not implemented")
+}
+
+func (s *Server) ResendEmailVerificationMail(ctx context.Context, ID *UserID) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-dwsP9", "Not implemented")
+}
+
+func (s *Server) GetUserPhone(ctx context.Context, ID *UserID) (*UserPhone, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-wlf7f", "Not implemented")
+}
+
+func (s *Server) ChangeUserPhone(ctx context.Context, request *UpdateUserPhoneRequest) (*UserPhone, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-pld5g", "Not implemented")
+}
+
+func (s *Server) ResendPhoneVerificationCode(ctx context.Context, ID *UserID) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-98hdE", "Not implemented")
+}
+
+func (s *Server) GetUserAddress(ctx context.Context, ID *UserID) (*UserAddress, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-plt67", "Not implemented")
+}
+
+func (s *Server) UpdateUserAddress(ctx context.Context, request *UpdateUserAddressRequest) (*UserAddress, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-dleo3", "Not implemented")
+}
+
+func (s *Server) SendSetPasswordNotification(ctx context.Context, request *SetPasswordNotificationRequest) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-LSe7s", "Not implemented")
+}
+
+func (s *Server) SetInitialPassword(ctx context.Context, request *PasswordRequest) (*empty.Empty, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-ldo3s", "Not implemented")
+}
+
+func (s *Server) GetUserMfas(ctx context.Context, userID *UserID) (*MultiFactors, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-ldmw3", "Not implemented")
+}
--- a/pkg/management/api/grpc/user_grant.go
+++ b/pkg/management/api/grpc/user_grant.go
@ -0,0 +1,73 @@
+package grpc
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/errors"
+)
+
+func (s *Server) SearchUserGrants(ctx context.Context, request *UserGrantSearchRequest) (*UserGrantSearchResponse, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-dk3ds", "Not implemented")
+}
+
+func (s *Server) UserGrantByID(ctx context.Context, request *UserGrantID) (*UserGrant, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-9dksF", "Not implemented")
+}
+
+func (s *Server) CreateUserGrant(ctx context.Context, in *UserGrantCreate) (*UserGrant, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-2kdl2", "Not implemented")
+}
+func (s *Server) UpdateUserGrant(ctx context.Context, in *UserGrantUpdate) (*UserGrant, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-83jsF", "Not implemented")
+}
+func (s *Server) DeactivateUserGrant(ctx context.Context, in *UserGrantID) (*UserGrant, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-93dj3", "Not implemented")
+}
+func (s *Server) ReactivateUserGrant(ctx context.Context, in *UserGrantID) (*UserGrant, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-2kSfs", "Not implemented")
+}
+
+func (s *Server) SearchProjectUserGrants(ctx context.Context, request *ProjectUserGrantSearchRequest) (*UserGrantSearchResponse, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-8jdSw", "Not implemented")
+}
+
+func (s *Server) ProjectUserGrantByID(ctx context.Context, request *ProjectUserGrantID) (*UserGrant, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-dk32s", "Not implemented")
+}
+
+func (s *Server) CreateProjectUserGrant(ctx context.Context, in *UserGrantCreate) (*UserGrant, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-0or5G", "Not implemented")
+}
+func (s *Server) UpdateProjectUserGrant(ctx context.Context, in *ProjectUserGrantUpdate) (*UserGrant, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-asl4D", "Not implemented")
+}
+
+func (s *Server) DeactivateProjectUserGrant(ctx context.Context, in *ProjectUserGrantID) (*UserGrant, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-2fG6h", "Not implemented")
+}
+
+func (s *Server) ReactivateProjectUserGrant(ctx context.Context, in *ProjectUserGrantID) (*UserGrant, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-03kSc", "Not implemented")
+}
+
+func (s *Server) SearchProjectGrantUserGrants(ctx context.Context, request *ProjectGrantUserGrantSearchRequest) (*UserGrantSearchResponse, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-32sFs", "Not implemented")
+}
+
+func (s *Server) ProjectGrantUserGrantByID(ctx context.Context, request *ProjectGrantUserGrantID) (*UserGrant, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-9kfSc", "Not implemented")
+}
+
+func (s *Server) CreateProjectGrantUserGrant(ctx context.Context, in *ProjectGrantUserGrantCreate) (*UserGrant, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-293md", "Not implemented")
+}
+func (s *Server) UpdateProjectGrantUserGrant(ctx context.Context, in *ProjectGrantUserGrantUpdate) (*UserGrant, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-76fGe", "Not implemented")
+}
+
+func (s *Server) DeactivateProjectGrantUserGrant(ctx context.Context, in *ProjectGrantUserGrantID) (*UserGrant, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-sFsi3", "Not implemented")
+}
+
+func (s *Server) ReactivateProjectGrantUserGrant(ctx context.Context, in *ProjectGrantUserGrantID) (*UserGrant, error) {
+	return nil, errors.ThrowUnimplemented(nil, "GRPC-ckr56", "Not implemented")
+}
--- a/pkg/management/api/proto/management.proto
+++ b/pkg/management/api/proto/management.proto
--- a/pkg/management/management.go
+++ b/pkg/management/management.go
@ -2,9 +2,7 @@ package management

 import (
 	"context"
-
 	"github.com/caos/zitadel/internal/api/auth"
-	"github.com/caos/zitadel/internal/errors"
 	app "github.com/caos/zitadel/internal/management"
 	"github.com/caos/zitadel/pkg/management/api"
 )
@ -14,6 +12,6 @@ type Config struct {
 	API api.Config
 }

-func Start(ctx context.Context, config Config, authZ auth.Config) error {
-	return errors.ThrowUnimplemented(nil, "MANAG-h3k3x", "not implemented yet") //TODO: implement
+func Start(ctx context.Context, config Config, authZ auth.Config) {
+	api.Start(ctx, config.API)
 }